Gentoo's Bugzilla – Attachment 464016 Details for
Bug 528674
[TRACKER] Support systemd with SELinux
[patch]
systemd-231-selinux-encorcing-1.patch
systemd-231-selinux-encorcing-1.patch (text/plain), 2.37 KB, created by
Krzysztof Nowicki
on 2017-02-16 20:44:27 UTC
Description:
systemd-231-selinux-encorcing-1.patch
Filename:
MIME Type:
Creator:
Krzysztof Nowicki
Created:
2017-02-16 20:44:27 UTC
Size:
2.37 KB
patch
obsolete
>diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
>index bc07654..2c2d0bb 100644
>--- a/src/basic/selinux-util.c
>+++ b/src/basic/selinux-util.c
>@@ -144,6 +144,7 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
> r = lstat(path, &st);
> if (r >= 0) {
> _cleanup_freecon_ char* fcon = NULL;
>+ _cleanup_freecon_ char* curr_fcon = NULL;
>
> r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
>
>@@ -152,6 +153,15 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
> return 0;
>
> if (r >= 0) {
>+ r = lgetfilecon(path, &curr_fcon);
>+ if ((r >= 0) && (strcmp(curr_fcon, fcon) == 0)) {
>+ /* File/directory already has the right context - no need to change
>+ as this may trigger a failure due to insuficcient privileges. */
>+ return 0;
>+ } else {
>+ log_enforcing("Unable to retrieve existing SELinux context for %s - trying to set new one anyway", path);
>+ }
>+
> r = lsetfilecon_raw(path, fcon);
>
> /* If the FS doesn't support labels, then exit without warning */
>diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
>index 5d8ab0e..42adc2e 100644
>--- a/src/core/mount-setup.c
>+++ b/src/core/mount-setup.c
>@@ -377,6 +377,12 @@ int mount_setup(bool loaded_policy) {
> nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
> nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
>
>+ /* Temporarily remount the root cgroup filesystem to give it a proper label. */
>+ (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, "mode=755");
>+ label_fix("/sys/fs/cgroup", false, false);
>+ nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
>+ (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");
>+
> after_relabel = now(CLOCK_MONOTONIC);
>
> log_info("Relabelled /dev and /run in %s.",
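Review bot: The `else` branch in the second selinux-util.c hunk logs "Unable to retrieve existing SELinux context" whenever the combined `&&` condition is false, which includes the ordinary case where `lgetfilecon` succeeded but the current label simply differs from the computed one, so every genuine relabel would emit a misleading enforcing-level message. The comparison also pairs a context from `lgetfilecon` with the raw one from `selabel_lookup_raw`; if a context translation library is active the two strings may differ even when the label is already correct, so the shortcut would never fire — `lgetfilecon_raw` is the matching call. A clearer shape is `r = lgetfilecon_raw(path, &curr_fcon);` / `if (r < 0) log_enforcing("Unable to retrieve existing SELinux context for %s - trying to set new one anyway", path);` / `else if (strcmp(curr_fcon, fcon) == 0) return 0;`. The added comment should also read "insufficient". mac_selinux_fix continues outside this hunk, and the `curr_fcon` declaration it uses lives in the first hunk.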
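Review bot: The final read-only remount of /sys/fs/cgroup in the mount-setup.c hunk discards its result with `(void)`, so if that call fails the cgroup root is left writable after the relabel with nothing in the log to show it; the first remount is likewise unchecked, although a failure there is at least surfaced indirectly by label_fix. The restoring remount should be checked, e.g. `if (mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755") < 0)` / `log_warning_errno(errno, "Failed to remount /sys/fs/cgroup read-only after relabelling: %m");`. The flag set and `"mode=755"` string are duplicated from wherever the filesystem is first mounted, so a one-line comment saying they must stay in sync with that entry would help, and the log_info just below still reports only "/dev and /run" as relabelled. mount_setup continues outside this hunk.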