diff --git a/selinux-policy.spec b/selinux-policy.spec
index 32e04e1..7865884 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -24,7 +24,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 40.14
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL-2.0-or-later
 Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
 Source1: modules-targeted-base.conf
@@ -824,6 +824,9 @@ exit 0
 %endif
 %changelog
+* Thu Mar 07 2024 Zdenek Pytela - 40.14-2
+- Update varrun-convert.sh script to check for existing duplicate entries
+
 * Mon Feb 26 2024 Zdenek Pytela - 40.14-1
 - Allow userdomain get attributes of files on an nsfs filesystem
 - Allow opafm create NFS files and directories
diff --git a/sources b/sources
index 5624833..45f32fc 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (selinux-policy-a3eca1d.tar.gz) = 5ab037401bfa1b56bef115eb40f9efc22672bff72df20198245bcbf30519721c342db10d049e44871451943cced4c7d89cc18ff968635b7258889cafb3a55df7
-SHA512 (container-selinux.tgz) = 23b5f325990ec53f01d15ce9115abe9af36f43eed2a34adee010e3f2e542f0235bb667c37dc00b8c3a773a17da223ccc18a2b2f69b3e06b48b2f1e2c74fd6d2e
 SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4
+SHA512 (container-selinux.tgz) = 8b1bd65b23ee2c5b25c39b382f259300b16063e2b1ec9ea8b234fcfc449761ee32dcfa5d998f82ffa568fe3de8e384fedd27d3849963aa083ca3ac26f9e48cc0
diff --git a/varrun-convert.sh b/varrun-convert.sh
index 5dbd0d6..9ec978d 100755
--- a/varrun-convert.sh
+++ b/varrun-convert.sh
@@ -5,11 +5,12 @@ ### the script takes a policy name as an argument
 # Set DEBUG=yes before running the script to get more verbose output
+# on the terminal and to the $LOG file
 if [ "${DEBUG}" = "yes" ]; then
 set -x
 fi
-# Look for working files and log in OUTPUTDIR
+# Auxiliary and log files will be created in OUTPUTDIR
 OUTPUTDIR="/run/selinux-policy"
 LOG="$OUTPUTDIR/log"
 mkdir -p ${OUTPUTDIR}
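Review bot: The SHA512 recorded for container-selinux.tgz changes from 23b5f325…6d2e to 8b1bd65b…8cc0, yet the only changelog entry this commit adds to selinux-policy.spec mentions the varrun-convert.sh update, so nothing on the page records that a different container-selinux tarball is now the one the build will fetch and verify. From the diff alone it is not possible to tell whether a new container-selinux was deliberately uploaded to the lookaside cache or the line was regenerated by accident, and a reviewer auditing what the package consumes has no version to check. Either add a changelog line naming it, e.g. `- Update container-selinux to <version placeholder>`, or drop the sources change from this commit. Moving the entry below the macro-expander line is harmless but makes the hash swap read as a rewrite rather than an update.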
@@ -19,28 +20,41 @@ if [ -z ${1} ]; then
 exit
 fi
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+# Take current file_contexts and unify whitespace separators
 FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
 if [ ! -f ${FILE_CONTEXTS} ]; then
 [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
 exit
 fi
-SEMODULEOPT="-s ${1}"
-[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
-
 if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
 [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
 exit
 fi
+EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
 EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
-EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil"
+EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
 # Print only /var/run entries
-grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES}
+grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
 # Unify whitespace separators
-sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
+sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
+
+# Deduplicate already existing /var/run=/run entries
+while read line
+do
+ subline="${line#/var}"
+ if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
+ echo "$line"
+ fi
+done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
 # Change /var/run to /run
 sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
@@ -66,7 +80,7 @@ sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2)))
 sed -i s'/ <>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
 # Wrap each line with an optional block
-i=1
+local i=1
 while read line
 do
 echo "(optional extra_var_run_${i}"
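Review bot: The new deduplication loop reads with a bare `while read line`, so any backslash escape in a file_contexts entry (file_contexts paths are regexes, and escapes such as `\.` are common there) is stripped by `read` before `echo "$line"` writes the entry out, and the rule that ends up in extra_varrun.cil then matches more paths than the original did; change it to `while IFS= read -r line`. The check on the following line also hands `${subline}`, itself a regex, to grep as a BRE pattern, so an entry whose path contains `.*` can be reported as a duplicate by any unrelated `/run/…` line and be silently dropped; if the intent is "an identical /run entry already exists", use `if ! grep -qxF -- "${subline}" "${FILE_CONTEXTS_UNIFIED}"; then`. The `while read line` loop in the -66,7 hunk below consumes the same transformed lines and needs the same `IFS= read -r` treatment.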
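Review bot: `local i=1` replaces a plain assignment, but nothing visible in this diff wraps the following `while read line` / `do` loop in a function (the hunk context and every surrounding statement sit at file scope), and bash rejects `local` outside a function with "local: can only be used in a function". Because the script does not run under `set -e`, execution continues with `i` unset, so the first block is emitted as `(optional extra_var_run_` with an empty suffix and the numbering of the remaining blocks depends on how the loop, which continues past this hunk, increments an unset variable. Keep the original `i=1`; if the loop is meant to move into a function later, the `local` belongs with that refactor.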
@@ -76,5 +90,6 @@ do
 done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
 # Load module
+[ -s ${EXTRA_VARRUN_CIL} ] && /usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}