From dc60e841f21baa5053726c86ddaaf4928b427c5a Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Jul 22 2014 03:10:32 +0000 Subject: Bugfix for selinux issue --- diff --git a/0078-Add-IFLA_VTI-defines-to-missing.h.patch b/0078-Add-IFLA_VTI-defines-to-missing.h.patch new file mode 100644 index 0000000..0780955 --- /dev/null +++ b/0078-Add-IFLA_VTI-defines-to-missing.h.patch @@ -0,0 +1,46 @@ +From 9f2dae12f4ee324e3c1cb26ce3ea382e586235b6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jean-Andr=C3=A9=20Santoni?= +Date: Mon, 21 Jul 2014 21:04:44 -0400 +Subject: [PATCH] Add IFLA_VTI defines to missing.h + +(cherry picked from commit 6589d0dba2b1ccf2406db527c2c1b51c7143e117) +--- + configure.ac | 1 + + src/shared/missing.h | 12 ++++++++++++ + 2 files changed, 13 insertions(+) + +diff --git a/configure.ac b/configure.ac +index df6b3571d1..8925eb5435 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -311,6 +311,7 @@ AC_CHECK_DECLS([gettid, pivot_root, name_to_handle_at, setns, LO_FLAGS_PARTSCAN] + ]]) + + AC_CHECK_DECLS([IFLA_MACVLAN_FLAGS, ++ IFLA_VTI_REMOTE, + IFLA_PHYS_PORT_ID, + IFLA_BOND_AD_INFO, + IFLA_VLAN_PROTOCOL, +diff --git a/src/shared/missing.h b/src/shared/missing.h +index 818d704f92..2985285409 100644 +--- a/src/shared/missing.h ++++ b/src/shared/missing.h +@@ -380,6 +380,18 @@ static inline int setns(int fd, int nstype) { + #define IFLA_MACVLAN_MAX (__IFLA_MACVLAN_MAX - 1) + #endif + ++#if !HAVE_DECL_IFLA_VTI_REMOTE ++#define IFLA_VTI_UNSPEC 0 ++#define IFLA_VTI_LINK 1 ++#define IFLA_VTI_IKEY 2 ++#define IFLA_VTI_OKEY 3 ++#define IFLA_VTI_LOCAL 4 ++#define IFLA_VTI_REMOTE 5 ++#define __IFLA_VTI_MAX 6 ++ ++#define IFLA_VTI_MAX (__IFLA_VTI_MAX - 1) ++#endif ++ + #if !HAVE_DECL_IFLA_PHYS_PORT_ID + #undef IFLA_PROMISCUITY + #define IFLA_PROMISCUITY 30 diff --git a/0079-install-systemd-timesyncd.service-is-enabled-by-sysi.patch b/0079-install-systemd-timesyncd.service-is-enabled-by-sysi.patch new file mode 100644 index 0000000..8600ec4 --- /dev/null 
+++ b/0079-install-systemd-timesyncd.service-is-enabled-by-sysi.patch @@ -0,0 +1,27 @@ +From 766fa6bb149ece2ed4bb0d58e4f836a86bb51893 Mon Sep 17 00:00:00 2001 +From: Michael Olbrich +Date: Fri, 18 Jul 2014 06:33:52 +0200 +Subject: [PATCH] install: systemd-timesyncd.service is enabled by + sysinit.target + +systemd-timesyncd.service has a "WantedBy=sysinit.target" so the +initially generated link should match that. + +(cherry picked from commit e9b11a8457293c553296e5d986a0bb7f86f275d5) +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 2b0c855da2..53f82f9fce 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -4346,7 +4346,7 @@ nodist_systemunit_DATA += \ + units/systemd-timesyncd.service + + GENERAL_ALIASES += \ +- $(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/multi-user.target.wants/systemd-timesyncd.service ++ $(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/sysinit.target.wants/systemd-timesyncd.service + + EXTRA_DIST += \ + units/systemd-timesyncd.service.in diff --git a/0080-bash-completion-p-option-for-journalctl.patch b/0080-bash-completion-p-option-for-journalctl.patch new file mode 100644 index 0000000..4dd646d --- /dev/null +++ b/0080-bash-completion-p-option-for-journalctl.patch 
@@ -0,0 +1,44 @@ +From de92879c4fd08974b90bc73f3bd3129774486a1f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sat, 19 Jul 2014 19:46:04 -0400 +Subject: [PATCH] bash-completion: -p option for journalctl + +(cherry picked from commit be8f4a9fa732d61e845e1ab1a62ac3a6b368d3a7) +--- + shell-completion/bash/journalctl | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/shell-completion/bash/journalctl b/shell-completion/bash/journalctl +index e4b2f4ac84..14dcd223b3 100644 +--- a/shell-completion/bash/journalctl ++++ b/shell-completion/bash/journalctl +@@ -35,6 +35,8 @@ __journal_fields=(MESSAGE{,_ID} PRIORITY CODE_{FILE,LINE,FUNC} + _UDEV_{SYSNAME,DEVNODE,DEVLINK} + __CURSOR __{REALTIME,MONOTONIC}_TIMESTAMP) + ++__syslog_priorities=(emerg alert crit err warning notice info debug) ++ + _journalctl() { + local field_vals= cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]} + local -A OPTS=( +@@ -44,8 +46,8 @@ _journalctl() { + --no-tail -q --quiet --setup-keys --this-boot --verify + --version --list-catalog --update-catalog --list-boots' + [ARG]='-b --boot --this-boot -D --directory --file -F --field +- -o --output -u --unit --user-unit' +- [ARGUNKNOWN]='-c --cursor --interval -n --lines -p --priority --since --until ++ -o --output -u --unit --user-unit -p --priority' ++ [ARGUNKNOWN]='-c --cursor --interval -n --lines --since --until + --verify-key' + ) + +@@ -68,6 +70,9 @@ _journalctl() { + --field|-F) + comps=${__journal_fields[*]} + ;; ++ --priority|-p) ++ comps=${__syslog_priorities[*]} ++ ;; + --unit|-u) + comps=$(journalctl -F '_SYSTEMD_UNIT' 2>/dev/null) + ;; diff --git a/0081-sysusers-fix-selinux-context-of-backup-files.patch b/0081-sysusers-fix-selinux-context-of-backup-files.patch new file mode 100644 index 0000000..a73f147 --- /dev/null +++ b/0081-sysusers-fix-selinux-context-of-backup-files.patch 
@@ -0,0 +1,122 @@ +From ec300fdabb27c41258cf5aea91dae518a3b88a04 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 21 Jul 2014 20:41:19 -0400 +Subject: [PATCH] sysusers: fix selinux context of backup files + +Also, fix fopen_temporary_label to set proper context. By chance, +all users so far used the same context, so the error didn't matter. + +Also, check return value from label_init(). + +https://bugzilla.redhat.com/show_bug.cgi?id=1121806 +(cherry picked from commit 9f1c19405a1ccaf59dcc8c32c13a1619541189ad) +--- + src/shared/fileio-label.c | 2 +- + src/sysusers/sysusers.c | 45 ++++++++++++++++++++++++--------------------- + 2 files changed, 25 insertions(+), 22 deletions(-) + +diff --git a/src/shared/fileio-label.c b/src/shared/fileio-label.c +index 417ca5695a..c3def3c568 100644 +--- a/src/shared/fileio-label.c ++++ b/src/shared/fileio-label.c +@@ -59,7 +59,7 @@ int fopen_temporary_label(const char *target, + const char *path, FILE **f, char **temp_path) { + int r; + +- r = label_context_set("/etc/passwd", S_IFREG); ++ r = label_context_set(target, S_IFREG); + if (r < 0) + return r; + +diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c +index bf2fbbc252..2387d5873a 100644 +--- a/src/sysusers/sysusers.c ++++ b/src/sysusers/sysusers.c +@@ -195,8 +195,9 @@ static int load_group_database(void) { + return 0; + } + +-static int make_backup(const char *x) { +- _cleanup_close_ int src = -1, dst = -1; ++static int make_backup(const char *target, const char *x) { ++ _cleanup_close_ int src = -1; ++ _cleanup_fclose_ FILE *dst = NULL; + char *backup, *temp; + struct timespec ts[2]; + struct stat st; +@@ -213,30 +214,30 @@ static int make_backup(const char *x) { + if (fstat(src, &st) < 0) + return -errno; + +- temp = strappenda(x, ".XXXXXX"); +- dst = mkostemp_safe(temp, O_WRONLY|O_CLOEXEC|O_NOCTTY); +- if (dst < 0) +- return dst; ++ r = fopen_temporary_label(target, x, &dst, &temp); ++ if (r < 0) ++ return r; + +- r = 
copy_bytes(src, dst, (off_t) -1); ++ r = copy_bytes(src, fileno(dst), (off_t) -1); + if (r < 0) + goto fail; + ++ /* Don't fail on chmod() or chown(). If it stays owned by us ++ * and/or unreadable by others, then it isn't too bad... */ ++ ++ backup = strappenda(x, "-"); ++ + /* Copy over the access mask */ +- if (fchmod(dst, st.st_mode & 07777) < 0) { +- r = -errno; +- goto fail; +- } ++ if (fchmod(fileno(dst), st.st_mode & 07777) < 0) ++ log_warning("Failed to change mode on %s: %m", backup); + +- /* Don't fail on chmod(). If it stays owned by us, then it +- * isn't too bad... */ +- fchown(dst, st.st_uid, st.st_gid); ++ if (fchown(fileno(dst), st.st_uid, st.st_gid)< 0) ++ log_warning("Failed to change ownership of %s: %m", backup); + + ts[0] = st.st_atim; + ts[1] = st.st_mtim; +- futimens(dst, ts); ++ futimens(fileno(dst), ts); + +- backup = strappenda(x, "-"); + if (rename(temp, backup) < 0) + goto fail; + +@@ -469,13 +470,13 @@ static int write_files(void) { + + /* Make a backup of the old files */ + if (group && group_changed) { +- r = make_backup(group_path); ++ r = make_backup("/etc/group", group_path); + if (r < 0) + goto finish; + } + + if (passwd) { +- r = make_backup(passwd_path); ++ r = make_backup("/etc/passwd", passwd_path); + if (r < 0) + goto finish; + } +@@ -1529,9 +1530,11 @@ int main(int argc, char *argv[]) { + + umask(0022); + +- label_init(NULL); +- +- r = 0; ++ r = label_init(NULL); ++ if (r < 0) { ++ log_error("SELinux setup failed: %s", strerror(-r)); ++ goto finish; ++ } + + if (optind < argc) { + int j; diff --git a/0082-update-done-set-proper-selinux-context-for-.updated.patch b/0082-update-done-set-proper-selinux-context-for-.updated.patch new file mode 100644 index 0000000..7d9da52 --- /dev/null +++ b/0082-update-done-set-proper-selinux-context-for-.updated.patch 
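Review bot: `temp` keeps its plain declaration (`char *backup, *temp;`) although it is now filled in by `fopen_temporary_label(target, x, &dst, &temp)` instead of `strappenda()`; the `char **temp_path` out-parameter visible in the fileio-label.c hunk suggests the path is heap-allocated, in which case it is never freed on either the success path or the `fail:` path (the tail of make_backup, including `fail:`, is outside the hunk). Declaring it `_cleanup_free_ char *temp = NULL;` would cover both paths and match the `_cleanup_fclose_` already introduced for `dst`. Separately, `if (rename(temp, backup) < 0) goto fail;` jumps without updating `r`, so if `fail:` returns `r` as before, a failed rename of the backup is reported as success with the non-negative value `copy_bytes()` left behind; `{ r = -errno; goto fail; }` would surface it, though this predates the change. Minor style point: `fchown(fileno(dst), st.st_uid, st.st_gid)< 0` is missing the space before `<`.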
@@ -0,0 +1,86 @@ +From 62ae78fdcc50515d292f7622aeff7a89a5b2bfd3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 21 Jul 2014 20:56:29 -0400 +Subject: [PATCH] update-done: set proper selinux context for .updated + +https://bugzilla.redhat.com/show_bug.cgi?id=1121806 +(cherry picked from commit 7dbb1d08f66cd44b1296be3ee8e3629b989e19a8) +--- + Makefile.am | 1 + + src/update-done/update-done.c | 25 ++++++++++++++++++++----- + 2 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 53f82f9fce..764a4fde58 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1724,6 +1724,7 @@ systemd_update_done_SOURCES = \ + + systemd_update_done_LDADD = \ + libsystemd-internal.la \ ++ libsystemd-label.la \ + libsystemd-shared.la + + # ------------------------------------------------------------------------------ +diff --git a/src/update-done/update-done.c b/src/update-done/update-done.c +index 10ba85ca92..b199a68972 100644 +--- a/src/update-done/update-done.c ++++ b/src/update-done/update-done.c +@@ -20,6 +20,7 @@ + ***/ + + #include "util.h" ++#include "label.h" + + static int apply_timestamp(const char *path, struct timespec *ts) { + struct timespec twice[2]; +@@ -51,10 +52,20 @@ static int apply_timestamp(const char *path, struct timespec *ts) { + + } else if (errno == ENOENT) { + _cleanup_close_ int fd = -1; ++ int r; + + /* The timestamp file doesn't exist yet? Then let's create it. 
*/ + ++ r = label_context_set(path, S_IFREG); ++ if (r < 0) { ++ log_error("Failed to set SELinux context for %s: %s", ++ path, strerror(-r)); ++ return r; ++ } ++ + fd = open(path, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0644); ++ label_context_clear(); ++ + if (fd < 0) { + + if (errno == EROFS) { +@@ -83,7 +94,7 @@ static int apply_timestamp(const char *path, struct timespec *ts) { + + int main(int argc, char *argv[]) { + struct stat st; +- int r, q; ++ int r, q = 0; + + log_set_target(LOG_TARGET_AUTO); + log_parse_environment(); +@@ -94,11 +105,15 @@ int main(int argc, char *argv[]) { + return EXIT_FAILURE; + } + +- r = apply_timestamp("/etc/.updated", &st.st_mtim); ++ r = label_init(NULL); ++ if (r < 0) { ++ log_error("SELinux setup failed: %s", strerror(-r)); ++ goto finish; ++ } + ++ r = apply_timestamp("/etc/.updated", &st.st_mtim); + q = apply_timestamp("/var/.updated", &st.st_mtim); +- if (q < 0 && r == 0) +- r = q; + +- return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS; ++finish: ++ return r < 0 || q < 0 ? EXIT_FAILURE : EXIT_SUCCESS; + } diff --git a/systemd.spec b/systemd.spec index 0ed8db1..9d4febd 100644 --- a/systemd.spec +++ b/systemd.spec @@ -16,7 +16,7 @@ Name: systemd Url: http://www.freedesktop.org/wiki/Software/systemd Version: 215 -Release: 4%{?gitcommit:.git%{gitcommit}}%{?dist} +Release: 5%{?gitcommit:.git%{gitcommit}}%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: A System and Service Manager 
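Review bot: `label_context_clear()` is now called between `open()` and the `if (fd < 0) { if (errno == EROFS)` test, so the read-only-/etc tolerance depends on label_context_clear() leaving errno untouched; label.c is not part of this diff, and unless that function preserves errno around its libselinux call, an EROFS from open() could be read as some other error and turned into a hard failure. Saving it explicitly, `int saved_errno = errno; label_context_clear(); errno = saved_errno;`, keeps the branch independent of that detail. The early `return r` after a failed `label_context_set()` correctly needs no clear, but it makes a label lookup problem fatal for a file whose absence the EROFS branch below would otherwise tolerate; whether a missing policy entry yields an error or 0 is again decided in label.c, so this is worth confirming on a host without a file context for /etc/.updated. apply_timestamp continues outside the hunk.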
@@ -116,6 +116,12 @@ Patch074: 0074-man-journal-add-note-about-sd_journal_get_cutoff_mon.patch Patch075: 0075-Be-more-verbose-when-bind-or-listen-fails.patch Patch076: 0076-core-show-timeouts-when-watchdog-howls.patch Patch077: 0077-escape-fix-return-code.patch +Patch078: 0078-Add-IFLA_VTI-defines-to-missing.h.patch +Patch079: 0079-install-systemd-timesyncd.service-is-enabled-by-sysi.patch +Patch080: 0080-bash-completion-p-option-for-journalctl.patch +Patch081: 0081-sysusers-fix-selinux-context-of-backup-files.patch +Patch082: 0082-update-done-set-proper-selinux-context-for-.updated.patch + # Presently not accepted upstream, but we disable systemd-resolved in # the presets anyways, and this unbreaks anaconda/lorax/livecd-creator @@ -845,6 +851,10 @@ getent passwd systemd-journal-gateway >/dev/null 2>&1 || useradd -r -l -u 191 -g %{_datadir}/systemd/gatewayd %changelog +* Mon Jul 21 2014 Zbigniew Jędrzejewski-Szmek - 215-5 +- Fix SELinux context of /etc/passwd-, /etc/group-, /etc/.updated (#1121806) +- Add missing BR so gnutls and elfutils are used + * Sat Jul 19 2014 Zbigniew Jędrzejewski-Szmek - 215-4 - Various man page updates - Static device node logic is conditionalized on CAP_SYS_MODULES instead of CAP_MKNOD