[Rpm-maint] [PATCH] selinux: reopen label between transactions if necessary (RhBug: 746073)

Ales Kozumplik akozumpl at redhat.com
Tue Dec 20 14:14:52 UTC 2011


---
 lib/rpmts.c          |    9 +++++++++
 lib/rpmts_internal.h |    8 ++++++++
 lib/transaction.c    |    9 ++++++++-
 system.h             |    6 +++++-
 4 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/lib/rpmts.c b/lib/rpmts.c
index 25ce83d..09e263a 100644
--- a/lib/rpmts.c
+++ b/lib/rpmts.c
@@ -771,6 +771,15 @@ void rpmtsSELabelFini(rpmts ts)
 #endif
 }
 
+rpmRC rpmtsSELabelReinit(rpmts ts, const char *path)
+{
+    if (rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)
+	return RPMRC_OK;
+
+    rpmtsSELabelFini(ts);
+    return rpmtsSELabelInit(ts, path);
+}
+
 rpm_tid_t rpmtsGetTid(rpmts ts)
 {
     rpm_tid_t tid = (rpm_tid_t)-1;  /* XXX -1 is time(2) error return. */
diff --git a/lib/rpmts_internal.h b/lib/rpmts_internal.h
index 438fd46..3ff1af8 100644
--- a/lib/rpmts_internal.h
+++ b/lib/rpmts_internal.h
@@ -102,6 +102,14 @@ rpmRC rpmtsSELabelInit(rpmts ts, const char * path);
  */
 void rpmtsSELabelFini(rpmts ts);
 
+/** \ingroup rpmts
+ * Reinitialize selabel
+ * @param ts		transaction set
+ * @param path		path to contexts file
+ * @return		RPMRC_OK on success, RPMRC_FAIL otherwise
+ */
+rpmRC rpmtsSELabelReinit(rpmts ts, const char * path);
+
 #ifdef __cplusplus
 }
 #endif
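Review bot: The `@return` line says RPMRC_OK on success and RPMRC_FAIL otherwise, but the implementation in lib/rpmts.c also returns RPMRC_OK without touching the handle when RPMTRANS_FLAG_NOCONTEXTS is set, and otherwise passes through whatever rpmtsSELabelInit returns after the old handle has already been closed by rpmtsSELabelFini. A caller cannot distinguish the no-op from a real reopen, and needs to know that failure leaves no handle behind, so the comment should say so; I would extend the description to `Reinitialize selabel: closes the current handle and opens a fresh one from path. No-op (returns RPMRC_OK) when RPMTRANS_FLAG_NOCONTEXTS is set; on failure the transaction set is left without a label handle.`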
diff --git a/lib/transaction.c b/lib/transaction.c
index 88219b7..a71a286 100644
--- a/lib/transaction.c
+++ b/lib/transaction.c
@@ -1254,8 +1254,10 @@ static int rpmtsSetup(rpmts ts, rpmprobFilterFlags ignoreSet)
 	(void) rpmtsSetFlags(ts, (rpmtsFlags(ts) | _noTransScripts | _noTransTriggers | RPMTRANS_FLAG_NOCOLLECTIONS));
 
     /* if SELinux isn't enabled, init fails or test run, don't bother... */
-    if (!is_selinux_enabled() || (rpmtsFlags(ts) & RPMTRANS_FLAG_TEST)) {
+    if (!is_selinux_enabled() || (rpmtsFlags(ts) & RPMTRANS_FLAG_TEST) ||
+	(selinux_status_open(0) < 0)) {
         rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
+	rpmlog(RPMLOG_DEBUG, "Selinux disabled.\n");
     }
 
     if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
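Review bot: `selinux_status_open(0)` is called with the fallback disabled, so on a kernel that does not expose the mmap-able SELinux status page the open fails and the whole transaction is forced into RPMTRANS_FLAG_NOCONTEXTS: files are installed unlabeled on a system where SELinux is enabled and labeling worked before this patch, and the only trace is an RPMLOG_DEBUG "Selinux disabled." line. Those are different conditions — SELinux off or test mode means skip labeling, whereas an unavailable status page only means the policy-reload check cannot run. Either pass `selinux_status_open(1)` so libselinux can use its netlink fallback (worth confirming against the targeted libselinux), or keep labeling enabled and only skip the reinit check when the status page is missing, logging that at RPMLOG_WARNING rather than debug. rpmtsSetup begins before and ends after this hunk.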
@@ -1284,6 +1286,7 @@ static int rpmtsFinish(rpmts ts)
 {
     if (!(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS)) {
 	rpmtsSELabelFini(ts);
+	selinux_status_close();
     }
     return rpmChrootSet(NULL);
 }
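Review bot: selinux_status_close() is only reached when RPMTRANS_FLAG_NOCONTEXTS is still clear at finish time, but the comment in rpmtsSetup ("init fails ... don't bother") suggests the flag can also be set after selinux_status_open() has already succeeded, in which case the status mapping is never closed and stays open for the rest of the process. Tying the close to the contexts flag couples two unrelated resources; track the open on its own, e.g. a `ts->selinuxStatusOpen` boolean set when `selinux_status_open()` returns 0 and tested here, or call `selinux_status_close()` unconditionally if the targeted libselinux tolerates a close without a prior open (please verify).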
@@ -1384,6 +1387,10 @@ static int rpmtsProcess(rpmts ts)
 	rpmlog(RPMLOG_DEBUG, "========== +++ %s %s-%s 0x%x\n",
 		rpmteNEVR(p), rpmteA(p), rpmteO(p), rpmteColor(p));
 
+	if (selinux_status_updated() > 0) {
+	    rpmtsSELabelReinit(ts, selinux_file_context_path());
+	}
+
 	failed = rpmteProcess(p, rpmteType(p));
 	if (failed) {
 	    rpmlog(RPMLOG_ERR, "%s: %s %s\n", rpmteNEVRA(p),
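Review bot: The return value of rpmtsSELabelReinit is discarded, so when a reopen fails after a policy change the loop proceeds to rpmteProcess with the old handle already released and no flag set, and the element's files are installed without contexts (or worse, depending on how the lookup path treats a missing handle, which this patch does not show). At minimum log and act on the failure: `if (rpmtsSELabelReinit(ts, selinux_file_context_path()) != RPMRC_OK) { rpmlog(RPMLOG_ERR, "failed to reload SELinux file contexts\n"); rpmtsSetFlags(ts, rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS); }` so the remainder of the transaction is at least consistent, or treat it as a failure of the element if unlabeled files are unacceptable. rpmtsProcess continues outside the hunk on both sides.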
diff --git a/system.h b/system.h
index 9b23e45..228ad95 100644
--- a/system.h
+++ b/system.h
@@ -79,6 +79,7 @@ char * stpncpy(char * dest, const char * src, size_t n);
 #if WITH_SELINUX
 #include <selinux/selinux.h>
 #include <selinux/label.h>
+#include <selinux/avc.h>
 #else
 typedef	char * security_context_t;
 
@@ -95,7 +96,10 @@ typedef	char * security_context_t;
 
 #define selabel_lookup_raw(_hnd, _scon, _key,_type)	(-1)
 
-#define selinux_file_context_path() (0)
+#define selinux_file_context_path()    (0)
+#define selinux_status_open(_fallback) (-1)
+#define selinux_status_close()
+#define selinux_status_updated()       (-1)
 
 #define rpm_execcon(_v, _fn, _av, _envp)	(0)
 #endif
-- 
1.7.7.3


