From 4f04451af1f19050b625ad9e4194e96dc0d72b6e Mon Sep 17 00:00:00 2001
From: Terje Røsten
Date: Sep 19 2019 16:36:12 +0000
Subject: [PATCH 1/2] /etc/selinux/config might be missing[1]: protect all scripts for this problem. Protection is required as a failure in scriptlet will cause havoc in a (possibly) large package set transaction (during e.g. initial install). [1]: /etc/selinux/config is not shipped as a normal file, it's created by selinux-policy %post scriptlet. There no way for other packages to make sure their post scriptlets is run before selinux-policy post scriptlets is done executing. If selinux-policy is large and slow, creation of required file will be after other packages scripts needs it. With current design it's not possible to handle race condition without protection added here. "Solution" here is a just stop gap to reduce impact.
---
diff --git a/rpm.macros b/rpm.macros
index d86e729..5bb0e71 100644
--- a/rpm.macros
+++ b/rpm.macros
@@ -48,7 +48,9 @@ Requires(post): policycoreutils-python \
 # %selinux_modules_install [-s ] [-p ] module [module]...
 %selinux_modules_install("s:p:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+ . /etc/selinux/config \
+fi; \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
@@ -61,7 +63,9 @@ fi \
 # %selinux_modules_uninstall [-s ] [-p ] module [module]...
 %selinux_modules_uninstall("s:p:") \
+if [ -e /etc/selinux/config ]; then \
 . /etc/selinux/config \
+fi; \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
@@ -76,7 +80,9 @@ fi \
 # %selinux_relabel_pre [-s ]
 %selinux_relabel_pre("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+ . /etc/selinux/config \
+fi; \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
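Review bot: In `%selinux_modules_install` the guarded `. /etc/selinux/config` leaves `SELINUXTYPE` at whatever value the scriptlet inherited from its environment when the file is absent, because nothing resets it before the new `if`. Adding `SELINUXTYPE= \` as the line above `if [ -e /etc/selinux/config ]; then \` would make the missing-file case deterministic. The same applies to the other guarded-source hunks in rpm.macros and selinux-policy.spec, including the `%postun` scriptlets where `setenforce 0` is gated on `"$SELINUXTYPE"`. The macro body continues outside the hunk, so how the variable is used later in this macro is not visible here.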
@@ -89,7 +95,9 @@ fi \
 # %selinux_relabel_post [-s ]
 %selinux_relabel_post("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+ . /etc/selinux/config \
+fi; \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
@@ -143,7 +151,9 @@ fi \
 # %selinux_unset_booleans [-s ] boolean [boolean]...
 %selinux_unset_booleans("s:") \
-. /etc/selinux/config \
+if [ -e /etc/selinux/config ]; then \
+ . /etc/selinux/config \
+fi; \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e06cf2f..3e9754d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -270,7 +270,9 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %nil
 %define relabel() \
-. %{_sysconfdir}/selinux/config; \
+if [ -e %{_sysconfdir}/selinux/config ]; then \
+ . %{_sysconfdir}/selinux/config; \
+fi; \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 /usr/sbin/selinuxenabled; \
 if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
@@ -286,7 +288,9 @@ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
 if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/ganesha ]; then \
 %{_sbindir}/semodule -n -d ganesha; \
 fi; \
- . %{_sysconfdir}/selinux/config; \
+ if [ -e %{_sysconfdir}/selinux/config ]; then \
+ . %{_sysconfdir}/selinux/config; \
+ fi; \
 FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
 if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
 [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
@@ -303,7 +307,9 @@ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
 fi;
 %define postInstall() \
-. %{_sysconfdir}/selinux/config; \
+if [ -e %{_sysconfdir}/selinux/config ]; then \
+ . %{_sysconfdir}/selinux/config; \
+fi; \
 if [ -e /etc/selinux/%2/.rebuild ]; then \
 rm /etc/selinux/%2/.rebuild; \
 /usr/sbin/semodule -B -n -s %2; \
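Review bot: In `relabel()` the new test uses `-e`, which is also true for a directory or a zero-length file, while this spec tests the same path with `-s` elsewhere (`[ -s /etc/selinux/config ]` on the header line of the next hunk); `if [ -s %{_sysconfdir}/selinux/config ]; then \` would keep the checks consistent. When the file is absent and `SELINUXTYPE` is empty, the comparison `"${SELINUXTYPE}" = %1` a few lines below is false, so the relabel is skipped without any message. An `else` branch such as `else echo "selinux config missing, relabel skipped" >&2; \` would leave a trace in the transaction output. The `postInstall()` hunk carries the same guard, and `relabel()` continues past the end of this hunk.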
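Review bot: The inner `-e` guard added in the `@@ -286,7 +288,9 @@` hunk looks redundant, because the hunk header shows the enclosing block opening with `if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \`, which already requires the file to exist and be non-empty. The enclosing block starts outside the hunk, so this is inferred from the header line only. If that reading is right, the plain `. %{_sysconfdir}/selinux/config; \` could stay as it was. The outer test also hard-codes `/etc` while the new lines use `%{_sysconfdir}`; using one spelling for both would stop the two checks from diverging.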
@@ -569,7 +575,7 @@ exit 0
 %postun targeted
 if [ $1 = 0 ]; then
- source /etc/selinux/config
+ [ -e /etc/selinux/config ] && source /etc/selinux/config
 if [ "$SELINUXTYPE" = "targeted" ]; then
 setenforce 0 2> /dev/null
 if [ ! -s /etc/selinux/config ]; then
@@ -679,7 +685,7 @@ exit 0
 %postun minimum
 if [ $1 = 0 ]; then
- source /etc/selinux/config
+ [ -e /etc/selinux/config ] && source /etc/selinux/config
 if [ "$SELINUXTYPE" = "minimum" ]; then
 setenforce 0 2> /dev/null
 if [ ! -s /etc/selinux/config ]; then
@@ -750,7 +756,7 @@ exit 0
 %postun mls
 if [ $1 = 0 ]; then
- source /etc/selinux/config
+ [ -e /etc/selinux/config ] && source /etc/selinux/config
 if [ "$SELINUXTYPE" = "mls" ]; then
 setenforce 0 2> /dev/null
 if [ ! -s /etc/selinux/config ]; then
From 6cce725151886a4b548e0c26f269ba71282fd206 Mon Sep 17 00:00:00 2001
From: Terje Røsten
Date: Sep 21 2019 10:47:51 +0000
Subject: [PATCH 2/2] Fix indentation
---
diff --git a/rpm.macros b/rpm.macros
index 5bb0e71..07e24a9 100644
--- a/rpm.macros
+++ b/rpm.macros
@@ -64,7 +64,7 @@ fi \
 # %selinux_modules_uninstall [-s ] [-p ] module [module]...
 %selinux_modules_uninstall("s:p:") \
 if [ -e /etc/selinux/config ]; then \
-. /etc/selinux/config \
+ . /etc/selinux/config \
 fi; \
 _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
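Review bot: The `%postun targeted`, `%postun minimum` and `%postun mls` hunks of patch 1/2 guard the file with `[ -e /etc/selinux/config ] && source /etc/selinux/config`, which differs from the `if … fi` form and the `.` builtin used by every other hunk in the same patch. Writing it as `if [ -s /etc/selinux/config ]; then . /etc/selinux/config; fi` would match the rest of the change and line up with the `[ ! -s /etc/selinux/config ]` test visible a few lines below in each hunk. Each scriptlet continues outside its hunk.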