rpms/util-linux-ng/devel util-linux-ng-2.14-mount-file_t.patch, NONE, 1.1 util-linux-ng.spec, 1.26, 1.27 util-linux-ng-2.13-login-audit.patch, 1.1, NONE

Karel Zak (kzak) fedora-extras-commits at redhat.com
Tue Jul 1 12:54:10 UTC 2008


Author: kzak

Update of /cvs/pkgs/rpms/util-linux-ng/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17324

Modified Files:
	util-linux-ng.spec 
Added Files:
	util-linux-ng-2.14-mount-file_t.patch 
Removed Files:
	util-linux-ng-2.13-login-audit.patch 
Log Message:
* Tue Jul  1 2008 Karel Zak <kzak at redhat.com> 2.14-2
- fix #390691 - mount should check selinux context on mount, and warn on file_t


util-linux-ng-2.14-mount-file_t.patch:

--- NEW FILE util-linux-ng-2.14-mount-file_t.patch ---
From 4edebc1486133231e38b3881325c374eda567f74 Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak at redhat.com>
Date: Mon, 23 Jun 2008 13:00:00 +0200
Subject: [PATCH] mount: warn on "file_t" selinux context

Currently if I mount a file system without labels, it works fine, but
later on SELinux will start printing denials and stopping certain
applications from working. It would be nice if the mount command
checked it in selinux mode.

Addresses-Red-Hat-Bugzilla: #390691
Signed-off-by: Karel Zak <kzak at redhat.com>
---
 mount/mount.c |   29 ++++++++++++++++++++++++++---
 1 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/mount/mount.c b/mount/mount.c
index bed792d..30688ac 100644
--- a/mount/mount.c
+++ b/mount/mount.c
@@ -327,7 +327,7 @@ append_context(const char *optname, char *optdata, char **extra_opts)
 	security_context_t raw = NULL;
 	char *data = NULL;
 
-	if (!is_selinux_enabled())
+	if (is_selinux_enabled() != 1)
 		/* ignore the option if we running without selinux */
 		return 0;
 
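Review bot: the new test in append_context(), `is_selinux_enabled() != 1`, does not match the test added later in try_mount_one(), `is_selinux_enabled() > 0`; pick one form and use it in both places so the two code paths cannot disagree about whether SELinux is active. With `!= 1`, any return value other than 1, including a negative one, makes the function return 0 and silently drop the context option the user passed. Since that option is a security-relevant request, consider printing a message (at least under `verbose`) when it is ignored. The context line's comment also reads "if we running"; it should say "if we are running".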
@@ -338,8 +338,8 @@ append_context(const char *optname, char *optdata, char **extra_opts)
 	data = *optdata =='"' ? strip_quotes(optdata) : optdata;
 
 	if (selinux_trans_to_raw_context(
-			(security_context_t) data, &raw)==-1 ||
-			raw==NULL)
+			(security_context_t) data, &raw) == -1 ||
+			raw == NULL)
 		return -1;
 
 	if (verbose)
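Review bot: the edit to the `selinux_trans_to_raw_context(...)` condition is whitespace only (`==-1` to `== -1`, `raw==NULL` to `raw == NULL`) and is unrelated to the file_t warning; it would be easier to review and backport as a separate cleanup commit, or it should at least be mentioned in the commit message.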
@@ -1370,6 +1370,29 @@ try_mount_one (const char *spec0, const char *node0, const char *types0,
   res = EX_FAIL;
 
  out:
+
+#ifdef HAVE_LIBSELINUX
+  if (res != EX_FAIL && is_selinux_enabled() > 0) {
+      security_context_t raw = NULL, def = NULL;
+
+      if (getfilecon(node, &raw) > 0 &&
+		     security_get_initial_context("file", &def) == 0) {
+
+	  if (!selinux_file_context_cmp(raw, def))
+	      printf(_("mount: %s does not contain SELinux labels.\n"
+                   "       You just mounted an file system that supports labels which does not\n"
+                   "       contain labels, onto an SELinux box. It is likely that confined\n"
+                   "       applications will generate AVC messages and not be allowed access to\n"
+                   "       this file system.  You can add labels to this file system by executing\n"
+                   "       restorecon(8). If you do not want to add labels to this file system,\n"
+                   "       you should mount the file system using one of the \"context\" mount\n"
+                   "       option."), node);
+      }
+      freecon(raw);
+      freecon(def);
+  }
+#endif
+
   my_free(extra_opts1);
   my_free(spec1);
   my_free(node1);
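Review bot: the guard `res != EX_FAIL` at the `out:` label is not a success test, so any other non-zero result that reaches `out:` will also run the label check and may print the "You just mounted" text for a mount that did not happen; if the warning is meant for successful mounts only, test for success explicitly (for example `res == 0`). The message itself has three problems. The last string literal, `"       option."`, has no trailing `\n`, so the warning will run into whatever is printed next. It goes to stdout through `printf` although it is a warning, so stderr would keep it out of piped output. The wording needs fixing too: "an file system" should be "a file system" and "one of the \"context\" mount option" should end in "options". Finally, only the context of `node` (the mount point root) is compared with the initial "file" context, so a file system with a labelled root and unlabelled contents will not trigger the warning; a note in the commit message about that limit would help.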
-- 
1.5.4.1



Index: util-linux-ng.spec
===================================================================
RCS file: /cvs/pkgs/rpms/util-linux-ng/devel/util-linux-ng.spec,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- util-linux-ng.spec	9 Jun 2008 13:21:22 -0000	1.26
+++ util-linux-ng.spec	1 Jul 2008 12:53:26 -0000	1.27
@@ -2,7 +2,7 @@
 Summary: A collection of basic system utilities
 Name: util-linux-ng
 Version: 2.14
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2 and GPLv2+ and BSD with advertising and Public Domain
 Group: System Environment/Base
 URL: ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng
@@ -98,6 +98,8 @@
 Patch9: util-linux-ng-2.13-floppy-locale.patch
 # remove partitions
 Patch10: util-linux-ng-2.14-blockdev-rmpart.patch
+# 390691: mount should check selinux context on mount, and warn on file_t
+Patch11: util-linux-ng-2.14-mount-file_t.patch
 
 %description
 The util-linux-ng package contains a large variety of low-level system
@@ -120,6 +122,7 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 
 %build
 unset LINGUAS || :
@@ -512,6 +515,9 @@
 /sbin/losetup
 
 %changelog
+* Tue Jul  1 2008 Karel Zak <kzak at redhat.com> 2.14-2
+- fix #390691 - mount should check selinux context on mount, and warn on file_t
+
 * Mon Jun  9 2008 Karel Zak <kzak at redhat.com> 2.14-1
 - upgrade to stable util-linux-ng release
 
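Review bot: the changelog entry added here covers only bug #390691, but the same commit deletes util-linux-ng-2.13-login-audit.patch, and none of the spec hunks removes a Patch or %patch line for it. If that patch was already unreferenced, say so in the CVS log message; if it is still listed in the spec, the build will fail on the missing source, so the corresponding Patch/%patch lines need to be removed in this change as well.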


--- util-linux-ng-2.13-login-audit.patch DELETED ---



