* Re: [PATCH v3] libsemanage: sync filesystem with sandbox
  [not found] <20210131110251.300553-1-plautrba@redhat.com>
From: Nicolas Iooss @ 2021-01-31 17:45 UTC
To: Petr Lautrbach; +Cc: SElinux list

On Sun, Jan 31, 2021 at 12:53 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> Commit 331a109f91ea ("libsemanage: fsync final files before rename")
> added fsync() for policy files and improved situation when something
> unexpected happens right after rename(). However the module store could
> be affected as well. After the following steps module files could be 0
> size:
>
> 1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
> 2. Force shutdown the server during the command is run, or right after
>    it's finished
> 3. Boot the system and look for empty files:
>    # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
>    1266
>
> It looks like this situation can be avoided if the filesystem with the
> sandbox is sync()ed before we start to rename() directories in the
> store.
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Thanks!
Nicolas

> ---
>
> - syncfs() moved before rename() dance
>
> libsemanage/src/semanage_store.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
> index cd5e46bb2401..c6a736fe2d26 100644
> --- a/libsemanage/src/semanage_store.c
> +++ b/libsemanage/src/semanage_store.c
> @@ -1736,6 +1736,19 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) > } > close(fd); > > + /* sync changes in sandbox to filesystem */ > + fd = open(sandbox, O_DIRECTORY); > + if (fd == -1) { > + ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno); > + return -1; > + } > + if (syncfs(fd) == -1) { > + ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno); > + close(fd); > + return -1; > + } > + close(fd); > + > retval = commit_number; > > if (semanage_get_active_lock(sh) < 0) { > -- > 2.30.0 > ^ permalink raw reply [flat|nested] 2+ messages in thread
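Review bot: both new error paths in semanage_commit_sandbox() format errno as a bare integer with %d ("Error while opening %s for syncfs(): %d" and "Error while syncing %s to filesystem: %d"), so an admin looking at a failed commit has to translate the number by hand; printing strerror(errno) with %s would make the cause readable directly. The open(sandbox, O_DIRECTORY) call relies on the access mode defaulting to O_RDONLY, which works but reads better spelled out as O_RDONLY | O_DIRECTORY. The comment above the block says what is done but not why it sits at this point: one sentence stating that the sandbox contents must reach disk before the store directories are renamed, as the commit message explains, would keep a later refactor from moving the syncfs() after the rename().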
* Re: [PATCH v3] libsemanage: sync filesystem with sandbox
From: Petr Lautrbach @ 2021-02-01 14:12 UTC
To: SElinux list; +Cc: Nicolas Iooss

Nicolas Iooss <nicolas.iooss@m4x.org> writes:

> On Sun, Jan 31, 2021 at 12:53 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> Commit 331a109f91ea ("libsemanage: fsync final files before rename")
>> added fsync() for policy files and improved situation when something
>> unexpected happens right after rename(). However the module store could
>> be affected as well. After the following steps module files could be 0
>> size:
>>
>> 1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
>> 2. Force shutdown the server during the command is run, or right after
>>    it's finished
>> 3. Boot the system and look for empty files:
>>    # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
>>    1266
>>
>> It looks like this situation can be avoided if the filesystem with the
>> sandbox is sync()ed before we start to rename() directories in the
>> store.
>>
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>
> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>

Merged.

> Thanks!
> Nicolas
>
>> ---
>>
>> - syncfs() moved before rename() dance
>>
>> libsemanage/src/semanage_store.c | 13 +++++++++++++
>> 1 file changed, 13 insertions(+)
>>
>> diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
>> index cd5e46bb2401..c6a736fe2d26 100644
>> --- a/libsemanage/src/semanage_store.c
>> +++ b/libsemanage/src/semanage_store.c
>> @@ -1736,6 +1736,19 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) >> } >> close(fd); >> >> + /* sync changes in sandbox to filesystem */ >> + fd = open(sandbox, O_DIRECTORY); >> + if (fd == -1) { >> + ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno); >> + return -1; >> + } >> + if (syncfs(fd) == -1) { >> + ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno); >> + close(fd); >> + return -1; >> + } >> + close(fd); >> + >> retval = commit_number; >> >> if (semanage_get_active_lock(sh) < 0) { >> -- >> 2.30.0 >> ^ permalink raw reply [flat|nested] 2+ messages in thread