#22 /etc/selinux/config might be missing[1]: protect all scripts for this
Opened a month ago by terjeros. Modified a month ago
rpms/ terjeros/selinux-policy protect-scriptlets  into  master

file modified
+15 -5

@@ -48,7 +48,9 @@ 

  

  # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...

  %selinux_modules_install("s:p:") \

- . /etc/selinux/config \

+ if [ -e /etc/selinux/config ]; then \

+   . /etc/selinux/config \

+ fi; \

  _policytype=%{-s*} \

  if [ -z "${_policytype}" ]; then \

    _policytype="targeted" \

@@ -61,7 +63,9 @@ 

  

  # %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...

  %selinux_modules_uninstall("s:p:") \

- . /etc/selinux/config \

+ if [ -e /etc/selinux/config ]; then \

+   . /etc/selinux/config \

+ fi; \

  _policytype=%{-s*} \

  if [ -z "${_policytype}" ]; then \

    _policytype="targeted" \

@@ -76,7 +80,9 @@ 

  

  # %selinux_relabel_pre [-s <policytype>]

  %selinux_relabel_pre("s:") \

- . /etc/selinux/config \

+ if [ -e /etc/selinux/config ]; then \

+   . /etc/selinux/config \

+ fi; \

  _policytype=%{-s*} \

  if [ -z "${_policytype}" ]; then \

    _policytype="targeted" \

@@ -89,7 +95,9 @@ 

  

  # %selinux_relabel_post [-s <policytype>]

  %selinux_relabel_post("s:") \

- . /etc/selinux/config \

+ if [ -e /etc/selinux/config ]; then \

+   . /etc/selinux/config \

+ fi; \

  _policytype=%{-s*} \

  if [ -z "${_policytype}" ]; then \

    _policytype="targeted" \

@@ -143,7 +151,9 @@ 

  

  # %selinux_unset_booleans [-s <policytype>] boolean [boolean]...

  %selinux_unset_booleans("s:") \

- . /etc/selinux/config \

+ if [ -e /etc/selinux/config ]; then \

+   . /etc/selinux/config \

+ fi; \

  _policytype=%{-s*} \

  if [ -z "${_policytype}" ]; then \

    _policytype="targeted" \
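Review bot: The `-e` test in the new guard (`if [ -e /etc/selinux/config ]; then` in each hunk) is satisfied by a directory or by a file the scriptlet cannot read, so `.` can still fail and abort the scriptlet, which is exactly what this change is meant to prevent; `if [ -r /etc/selinux/config ]; then` matches what `.` actually needs. The same guard appears in all five hunks of this file (%selinux_modules_install, %selinux_modules_uninstall, %selinux_relabel_pre, %selinux_relabel_post, %selinux_unset_booleans), so whichever test is chosen should be applied to all of them. When the file is absent nothing in the hunk sets SELINUXTYPE, so any later use of it in the macro sees whatever the environment happens to carry; each macro body continues past its hunk, so I cannot see how that value is consumed. A one-line comment above the guard such as `# /etc/selinux/config is created by selinux-policy %post and may not exist yet \` would record why the source is conditional.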

file modified
+12 -6

@@ -270,7 +270,9 @@ 

  %nil

  

  %define relabel() \

- . %{_sysconfdir}/selinux/config; \

+ if [ -e %{_sysconfdir}/selinux/config ]; then \

+     . %{_sysconfdir}/selinux/config; \

+ fi; \

  FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \

  /usr/sbin/selinuxenabled; \

  if [ $? = 0  -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \

@@ -286,7 +288,9 @@ 

       if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/ganesha ]; then \

          %{_sbindir}/semodule -n -d ganesha; \

       fi; \

-      . %{_sysconfdir}/selinux/config; \

+      if [ -e %{_sysconfdir}/selinux/config ]; then \

+          . %{_sysconfdir}/selinux/config; \

+      fi; \

       FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \

       if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \

          [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \

@@ -303,7 +307,9 @@ 

  fi;

  

  %define postInstall() \

- . %{_sysconfdir}/selinux/config; \

+ if [ -e %{_sysconfdir}/selinux/config ]; then \

+   . %{_sysconfdir}/selinux/config; \

+ fi; \

  if [ -e /etc/selinux/%2/.rebuild ]; then \

     rm /etc/selinux/%2/.rebuild; \

     /usr/sbin/semodule -B -n -s %2; \

@@ -569,7 +575,7 @@ 

  

  %postun targeted

  if [ $1 = 0 ]; then

-     source /etc/selinux/config

+     [ -e /etc/selinux/config ] && source /etc/selinux/config

      if [ "$SELINUXTYPE" = "targeted" ]; then

          setenforce 0 2> /dev/null

          if [ ! -s /etc/selinux/config ]; then

@@ -679,7 +685,7 @@ 

  

  %postun minimum

  if [ $1 = 0 ]; then

-     source /etc/selinux/config

+     [ -e /etc/selinux/config ] && source /etc/selinux/config

      if [ "$SELINUXTYPE" = "minimum" ]; then

          setenforce 0 2> /dev/null

          if [ ! -s /etc/selinux/config ]; then

@@ -750,7 +756,7 @@ 

  

  %postun mls

  if [ $1 = 0 ]; then

-     source /etc/selinux/config

+     [ -e /etc/selinux/config  ] && source /etc/selinux/config

      if [ "$SELINUXTYPE" = "mls" ]; then

          setenforce 0 2> /dev/null

          if [ ! -s /etc/selinux/config ]; then
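Review bot: The `%postun` guards in this hunk and in the `%postun targeted` and `%postun minimum` hunks above, like the `relabel` and `postInstall` hunks, test with `-e`, so a directory or an unreadable file at that path still makes `source` fail; `[ -r /etc/selinux/config ] && source /etc/selinux/config` is the test that matches what `source` needs, and the same applies to the macros in the other file. The `%postun mls` line also carries a stray double space before `]` (`[ -e /etc/selinux/config  ]`) that the other two `%postun` hunks do not, so the three should be aligned. In the `relabel` macro a missing config now makes the `"${SELINUXTYPE}" = %1` test fall through quietly, which looks intended, but it leaves a missing config and a different policy type indistinguishable there, which is worth a comment such as `# no config yet: SELINUXTYPE stays unset and the relabel is skipped \`.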

problem.

Protection is required as a failure in scriptlet will cause havoc in a
(possibly) large package set transaction (during e.g. initial
install).

[1]: /etc/selinux/config is not shipped as a normal file; it is created
by the selinux-policy %post scriptlet. There is no way for other packages to
make sure their post scriptlets are not run before the selinux-policy post
scriptlet is done executing. If selinux-policy is large and slow, the
required file will be created after other packages' scripts need it.
With the current design it is not possible to handle this race condition
without the protection added here.

"Solution" here is a just stop gap to reduce impact.

Cosmetic change, but indentation is missing here.


1 new commit added

  • Fix indentation
a month ago