-rw-r--r-- | CHANGES | 7 | ||||
-rw-r--r-- | lib/psm.c | 83 | ||||
-rw-r--r-- | rpmdb/db3.c | 10 | ||||
-rw-r--r-- | system.h | 7 |
4 files changed, 14 insertions, 93 deletions
@@ -28,9 +28,14 @@ - bump popt version to 1.10. - attempt dependency tree breadth, take 1. - use external libneon for http/https transport. - - python: add python 2.4 support. - add --delsign to purge packages of digital signatures. + +4.3.2 -> 4.3.3: + - bump micro version. - make peace with libtool-1.5.10 and automake-1.9.3. + - python: add python 2.4 support. + - selinux: use rpm_execcon, not execv, to run scriptlets (#136848). + - fix: segfault on --verifydb (#138589). 4.3.1 -> 4.3.2: - use /etc/selinux/targeted/contexts/files/file_contexts for now. 
@@ -491,83 +491,6 @@ static pid_t psmWait(rpmpsm psm) } /** - * Change selinux type prior to exec. - * @param psm package state machine data - * @param ntype new selinux type - * @return 0 on success - */ -static int switchExecType(rpmpsm psm, /*@null@*/ const char * ntype) - /*@*/ -{ - security_context_t ocon = NULL; - security_context_t ncon = NULL; - int rc = -1; /* assume failure */ - - if (psm == NULL) - goto exit; - - /* Set default exec policy if NULL specified. */ - if (ntype == NULL) - goto doit; - - /* Substitute new exec type. */ - rc = getexeccon(&ocon); - if (rc != 0) - goto exit; - - if (ocon == NULL) { - rc = getcon(&ocon); - /* XXX ocon == NULL can't happen. */ - if (rc != 0 || ocon == NULL) - goto exit; - } - - { const char * s = (const char *) ocon; - const char * se; - size_t nb; - char * t = NULL; - - if ((se = strrchr(s, ':')) == NULL) { - rc = -1; - goto exit; - } - se++; - nb = (se - s); - - t = xmalloc( nb + strlen(ntype) + 1 ); - (void) stpcpy( stpncpy(t, s, nb), ntype); - - ncon = (security_context_t) t; - } - -doit: - rc = setexeccon(ncon); - - /* - * Policy for rpm currently permits rpm_script_t establish only from - * sysadm_r or system_r. If enforcing, this is hard error, otherwise - * warn the user and continue. - */ - if (rc != 0) { - if (security_getenforce() == 1) { /* enforcing */ - rpmMessage(RPMMESS_ERROR, - _("setexeccon(%s) fails from context \"%s\": %s\n"), - (char *) ncon, (char *) ocon, strerror(errno)); - } else { /* permissive */ - rpmMessage(RPMMESS_WARNING, - _("setexeccon(%s) fails from context \"%s\": %s\nContinuing ...\n"), - (char *) ncon, (char *) ocon, strerror(errno)); - rc = 0; - } - } - -exit: - if (ncon) freecon(ncon); - if (ocon) freecon(ocon); - return rc; -} - -/** * Run internal Lua script. */ static rpmRC runLuaScript(rpmpsm psm, Header h, const char *sln, @@ -650,7 +573,6 @@ static rpmRC runLuaScript(rpmpsm psm, Header h, const char *sln, return rc; } - /** */ /*@unchecked@*/ 
@@ -961,10 +883,9 @@ static rpmRC runScript(rpmpsm psm, Header h, const char * sln, /* XXX Don't mtrace into children. */ unsetenv("MALLOC_CHECK_"); - /* Set "rpm_script_t" identity for scriptlets under selinux. */ + /* Permit libselinux to do the scriptlet exec. */ if (rpmtsSELinuxEnabled(ts) == 1) { - /* Set rpm_script_t for /bin/sh, default /sbin/ldconfig et al */ - xx = switchExecType(psm, "rpm_script_t"); + xx = rpm_execcon(0, argv[0], argv, environ); if (xx != 0) break; } diff --git a/rpmdb/db3.c b/rpmdb/db3.c index efbfb688b..ff2bd3186 100644 --- a/rpmdb/db3.c +++ b/rpmdb/db3.c @@ -862,13 +862,11 @@ static int db3close(/*@only@*/ dbiIndex dbi, /*@unused@*/ unsigned int flags) (dbhome ? dbhome : ""), (dbfile ? dbfile : tagName(dbi->dbi_rpmtag))); - xx = db->close(db, 0); - /* XXX ignore not found error messages. */ - _printit = (xx == ENOENT ? 0 : _debug); - xx = cvtdberr(dbi, "db->close", xx, _printit); + /* + * The DB handle may not be accessed again after + * DB->verify is called, regardless of its return. + */ db = NULL; - if (rc == 0 && xx) rc = xx; - dbf = _free(dbf); } xx = dbenv->close(dbenv, 0); @@ -301,14 +301,11 @@ typedef char * security_context_t; #define lsetfilecon(_fn, _c) (-1) #define fsetfilecon(_fd, _c) (-1) -#define getcon(_c) (-1) -#define getexeccon(_c) (-1) -#define setexeccon(_c) (-1) - #define security_check_context(_c) (0) -#define security_getenforce() (0) #define is_selinux_enabled() (-1) + +#define rpm_execcon(_v, _fn, _av, _envp) (0) #endif #if defined(__LCLINT__) |
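Review bot: The added `xx = rpm_execcon(0, argv[0], argv, environ);` returns only when the exec itself fails, and that failure is now silent: the removed switchExecType reported the failing contexts with strerror(errno) and, when the policy was permissive, downgraded the failure to a warning and let the scriptlet run, whereas the new code breaks out in both modes with no message. A diagnostic before the break, `rpmMessage(RPMMESS_ERROR, _("rpm_execcon(%s) failed: %s\n"), argv[0], strerror(errno));`, would keep the old observability, and whether permissive mode should still fall through to the plain execv that presumably follows later in runScript deserves an explicit decision (the old code used security_getenforce() for that, and its non-SELinux stub is dropped from system.h in this same commit). The new comment could also state the contract rather than the intent: `/* Under SELinux, libselinux execs the scriptlet in the policy-defined context; rpm_execcon returns only on failure. */`. runScript's body continues outside the hunk.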
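Review bot: Dropping `dbf = _free(dbf);` together with the db->close() call leaves dbf allocated on this path unless db3close releases it later, outside the hunk; that is worth confirming, since DB->verify invalidates the handle, not the file-name string. The new comment would be more useful if it also said where the verify happens and why the close had to go, e.g. `/* DB->verify (presumably called earlier in db3close) closes and frees the handle even on error, so db->close() here touched a dead handle (#138589); just drop our reference. */`; if the enclosing condition is not specific to the verify path, the ordinary close path has lost its db->close() as well. The removed `if (rc == 0 && xx) rc = xx;` was the only consumer of the close status, so rc no longer reflects any failure from this block. db3close's body continues outside the hunk.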
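Review bot: The new `#define rpm_execcon(_v, _fn, _av, _envp) (0)` stub evaluates none of its arguments and returns 0, which the caller in psm.c reads as "context step succeeded, carry on to the ordinary exec", while the real libselinux function only ever returns on failure; a comment spelling out that asymmetry would save the next reader a trip to psm.c, e.g. `/* No SELinux: report success so the caller falls through to its own execv. */`. The stub is presumably unreachable in practice, since `is_selinux_enabled()` is stubbed to -1 just above and the caller is gated on rpmtsSELinuxEnabled(ts) == 1, so the value mainly serves compilation; noting that too would help.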