|
Zbigniew Jędrzejewski-Szmek |
7f93bc |
From ee83fe9779c6f1f1d082f7b8e91cb0cfd40201c9 Mon Sep 17 00:00:00 2001
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
From: Will Woods <wwoods@redhat.com>
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
Date: Fri, 25 Apr 2014 18:26:34 -0400
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
Subject: [PATCH] core: let selinux_setup() load policy more than once
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
When you switch-root into a new root that has SELinux policy, you're
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
supposed to to run selinux_init_load_policy() to set up SELinux and load
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
policy. Normally this gets handled by selinux_setup().
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
But if SELinux was already initialized, selinux_setup() skips loading
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
policy and returns 0. So if you load policy normally, and then you
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
switch-root to a new root that has new policy, selinux_setup() never
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
loads the new policy. What gives?
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
As far as I can tell, this check is an artifact of how selinux_setup()
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
worked when it was first written (see commit c4dcdb9 / systemd v12):
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
* when systemd starts, run selinux_setup()
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
* if selinux_setup() loads policy OK, restart systemd
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
So the "if policy already loaded, skip load and return 0" check was
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
there to prevent an infinite re-exec loop.
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
Modern systemd only calls selinux_setup() on initial load and after
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
switch-root, and selinux_setup() no longer restarts systemd, so we don't
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
need that check to guard against the infinite loop anymore.
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
So: this patch removes the "return 0", thus allowing selinux_setup() to
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
actually perform SELinux setup after switch-root.
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
We still want to check to see if SELinux is initialized, because if
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
selinux_init_load_policy() fails *but* SELinux is initialized that means
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
we still have (old) policy active. So we don't need to halt if
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
enforce=1.
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
(cherry picked from commit 68d3acaccbd26ecfbc5881fea75968fa4abcc565)
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
(cherry picked from commit f5ad306cb9ea1dea38a934b6b07901de1257a3fa)
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
---
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
src/core/selinux-setup.c | 14 +++++++-------
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
1 file changed, 7 insertions(+), 7 deletions(-)
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
index 6d8bc89..b419a27 100644
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
--- a/src/core/selinux-setup.c
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
+++ b/src/core/selinux-setup.c
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
@@ -51,6 +51,7 @@ int selinux_setup(bool *loaded_policy) {
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
security_context_t con;
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
int r;
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
union selinux_callback cb;
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
+ bool initialized = false;
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
assert(loaded_policy);
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
@@ -68,13 +69,8 @@ int selinux_setup(bool *loaded_policy) {
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
/* Already initialized by somebody else? */
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
r = getcon_raw(&con);
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
if (r == 0) {
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
- bool initialized;
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
-
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
initialized = !streq(con, "kernel");
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
freecon(con);
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
-
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
- if (initialized)
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
- return 0;
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
}
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
/* Make sure we have no fds open while loading the policy and
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
@@ -116,8 +112,12 @@ int selinux_setup(bool *loaded_policy) {
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
log_open();
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
if (enforce > 0) {
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
- log_error("Failed to load SELinux policy. Freezing.");
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
- return -EIO;
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
+ if (!initialized) {
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
+ log_error("Failed to load SELinux policy. Freezing.");
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
+ return -EIO;
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
+ }
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
+
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
+ log_warning("Failed to load new SELinux policy. Continuing with old policy.");
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
} else
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
log_debug("Unable to load SELinux policy. Ignoring.");
|
|
Zbigniew Jędrzejewski-Szmek |
a59965 |
}
|