From: Petr Lautrbach <plautrba@redhat.com>
To: SElinux list <selinux@vger.kernel.org>
Cc: Joseph Marrero Corchado <jmarrero@redhat.com>,
Ondrej Mosnacek <omosnace@redhat.com>
Subject: Re: [PATCH v3] libsemanage: Fall back to semanage_copy_dir when rename() fails
Date: Wed, 06 Apr 2022 11:24:04 +0200
Message-ID: <87pmlupnt7.fsf@redhat.com>
In-Reply-To: <CAFqZXNstUu0s4P2iXPmdvdu-86_tajuV+RQKzMK_+xYBk-y+bw@mail.gmail.com>
Ondrej Mosnacek <omosnace@redhat.com> writes:
> On Thu, Mar 24, 2022 at 1:01 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>> In some circumstances, like semanage-store being on overlayfs, rename()
>> could fail with EXDEV - Invalid cross-device link. This is due to the
>> fact that overlays don't support rename() if source and target are not
>> on the same layer, e.g. in containers built from several layers. Even
>> though it's not an atomic operation, it's better to try to copy files from
>> src to dst on our own in this case. Next rebuild will probably not fail
>> as the new directories will be on the same layer.
>>
>> Fixes: https://github.com/SELinuxProject/selinux/issues/343
>>
>> Reproducer:
>>
>> $ cd selinux1
>>
>> $ cat Dockerfile
>> FROM fedora:35
>> RUN dnf install -y selinux-policy selinux-policy-targeted
>>
>> $ podman build -t localhost/selinux . --no-cache
>>
>> $ cd ../selinux2
>>
>> $ cat Dockerfile
>> FROM localhost/selinux
>> RUN semodule -B
>>
>> $ podman build -t localhost/selinux2 . --no-cache
>> STEP 2/2: RUN semodule -B
>> libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link).
>> semodule: Failed!
>> Error: error building at STEP "RUN semodule -B": error while running runtime: exit status 1
>>
>> With the fix:
>>
>> $ podman build -t localhost/selinux2 . --no-cache
>> STEP 2/2: RUN semodule -B
>> libsemanage.semanage_rename: Warning: rename(/var/lib/selinux/targeted/active, /var/lib/selinux/targeted/previous) failed: Invalid cross-device link, fall back to non-atomic semanage_copy_dir_flags()
>>
>> COMMIT localhost/selinux2
>> --> d2cfcebc1a1
>> Successfully tagged localhost/selinux2:latest
>> d2cfcebc1a1b34f1c2cd661ac18292b0612c3e5fa71d6fa1441be244da91b1af
>>
>> Reported-by: Joseph Marrero Corchado <jmarrero@redhat.com>
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>> ---
>>
>> v2
>> - improve the commit message
>> - use WARN() instead of fprintf(stderr,
>>
>> v3
>> - WARN without \n at the end
>> - split long line
>
> Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> Note that I didn't give the logic a thorough review, so I'd prefer
> someone else to give it a final look and merge it.
Merged.
> --
> Ondrej Mosnacek
> Software Engineer, Linux Security - SELinux kernel
> Red Hat, Inc.
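The rename-then-copy pattern the patch describes, as an added example that is my own code and not libsemanage's semanage_rename()/semanage_copy_dir_flags(): rename(2) is attempted first and only an EXDEV failure triggers the non-atomic recursive copy followed by removal of the source; every other errno stays fatal. It assumes Linux with glibc (PATH_MAX, mkdtemp). An EXDEV condition cannot be forced portably from a self-check, so demo() exercises the copy and remove helpers directly on a constructed tree under mkdtemp() and the rename path within a single filesystem.

```c
// Added example, not libsemanage code: try rename(2) and, only when the kernel
// answers EXDEV (e.g. source and target on different overlayfs layers), fall
// back to a non-atomic recursive copy followed by removal of the source.
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "a/b" into out without silently truncating it. */
static int join(char *out, size_t n, const char *a, const char *b)
{
    if (snprintf(out, n, "%s/%s", a, b) < (int)n) return 0;
    errno = ENAMETOOLONG; return -1;
}

/* Copy one regular file to a not-yet-existing dst, keeping its permission bits. */
static int copy_file(const char *src, const char *dst, mode_t mode)
{
    char buf[1 << 16];
    ssize_t n = 0, w, off;
    int in = open(src, O_RDONLY), out, rc = 0;
    if (in < 0) return -1;
    if ((out = open(dst, O_WRONLY | O_CREAT | O_EXCL, mode)) < 0) { close(in); return -1; }
    while (rc == 0 && (n = read(in, buf, sizeof buf)) > 0)
        for (off = 0; off < n; off += w)             /* cope with short writes */
            if ((w = write(out, buf + off, (size_t)(n - off))) < 0) { rc = -1; break; }
    if (n < 0) rc = -1;
    if (close(in) < 0 || close(out) < 0) rc = -1;
    return rc;
}

/* Walk src: copying != 0 recreates the tree under dst (which must not exist
 * yet); copying == 0 deletes the tree in place and ignores dst. */
static int walk(const char *src, const char *dst, int copying)
{
    char s[PATH_MAX], t[PATH_MAX];
    struct stat st; struct dirent *e; DIR *d;
    int rc = 0, saved;
    if (lstat(src, &st) < 0) return -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }
    if (copying && mkdir(dst, st.st_mode & 07777) < 0) return -1;
    if (!(d = opendir(src))) return -1;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (join(s, sizeof s, src, e->d_name) < 0 || lstat(s, &st) < 0 ||
            (copying && join(t, sizeof t, dst, e->d_name) < 0)) { rc = -1; break; }
        if (S_ISDIR(st.st_mode)) rc = walk(s, copying ? t : NULL, copying);
        else if (!copying) rc = unlink(s);
        else if (S_ISREG(st.st_mode)) rc = copy_file(s, t, st.st_mode & 07777);
        else { errno = EINVAL; rc = -1; }  /* symlinks, devices, sockets: refused */
    }
    saved = errno; closedir(d); errno = saved;
    if (rc == 0 && !copying) rc = rmdir(src);
    return rc;
}

int copy_dir(const char *src, const char *dst) { return walk(src, dst, 1); }
int remove_dir(const char *path) { return walk(path, NULL, 0); }

/* The move: atomic when the filesystem allows it, copy+remove only on EXDEV. */
int move_dir(const char *src, const char *dst, int *fell_back)
{
    if (fell_back) *fell_back = 0;
    if (rename(src, dst) == 0) return 0;
    if (errno != EXDEV) return -1;            /* any other failure stays fatal */
    if (fell_back) *fell_back = 1;
    if (copy_dir(src, dst) < 0) return -1;    /* dst may be left partial here */
    return remove_dir(src);
}

/* Self-check on a constructed tree under mkdtemp(); 0 on success, else the failing step. */
int demo(void)
{
    char root[] = "/tmp/mvdir.XXXXXX";
    char a[PATH_MAX], b[PATH_MAX], c[PATH_MAX], sub[PATH_MAX], file[PATH_MAX];
    struct stat st; int fd, fell_back = -1;
    if (!mkdtemp(root)) return 1;
    if (join(a, sizeof a, root, "active") || join(b, sizeof b, root, "previous") ||
        join(c, sizeof c, root, "copy") || join(sub, sizeof sub, a, "modules") ||
        join(file, sizeof file, sub, "policy.33")) return 2;
    if (mkdir(a, 0700) || mkdir(sub, 0755)) return 3;
    if ((fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0 ||
        write(fd, "cil", 3) != 3 || close(fd)) return 4;
    /* copy_dir() is the EXDEV fallback path: the copy must carry the payload */
    if (copy_dir(a, c) || join(file, sizeof file, c, "modules/policy.33")) return 5;
    if (stat(file, &st) || st.st_size != 3) return 6;
    /* same filesystem: move_dir() must take the plain rename() path */
    if (move_dir(a, b, &fell_back) || fell_back != 0) return 7;
    if (access(a, F_OK) == 0 || access(b, F_OK) != 0) return 8;
    /* remove_dir() must empty both trees so the temp root can be removed */
    if (remove_dir(b) || remove_dir(c) || rmdir(root)) return 9;
    return 0;
}

int main(void) { return demo(); }   /* exit status 0 means every step passed */
```

The design point worth keeping from the patch is the narrow trigger: the fallback runs only for EXDEV, so a permission or ENOENT failure still surfaces as an error instead of being papered over by a partial copy, and the caller is told (here via fell_back, in the patch via WARN()) that the commit was not atomic.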
Thread overview: 7+ messages
2022-03-23 17:34 [PATCH] libsemanage: Fallback to semanage_copy_dir when rename() failed Petr Lautrbach
2022-03-23 18:11 ` Ondrej Mosnacek
2022-03-24 9:52 ` [PATCH v2] libsemanage: Fall back to semanage_copy_dir when rename() fails Petr Lautrbach
2022-03-24 12:00 ` [PATCH v3] " Petr Lautrbach
2022-03-30 15:42 ` Ondrej Mosnacek
2022-04-06 9:24 ` Petr Lautrbach [this message]
2022-04-01 13:37 ` [PATCH v2 3/3] mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects Petr Lautrbach