SELinux exports the maximum kernel policy version that can be used.
When building SELinux status checking representation 'sepol', we need
to look for all possible versions of the policy, not only the max one.
Test-Parameters: clientdistro=el8.3 serverdistro=el8.2 testgroup=review-dne-selinux
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: Iae4b66403ce953e5a7c0df585900713c597ff033
Reviewed-on: https://review.whamcloud.com/40918
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: James Nunez <jnunez@whamcloud.com>
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
check_nodemap $nm trusted_nodemap 1
sleep 10
check_nodemap $nm trusted_nodemap 1
sleep 10
+ l_getsepol || error "cannot get sepol"
sepol=$(l_getsepol | cut -d':' -f2- | xargs)
sepol=$(l_getsepol | cut -d':' -f2- | xargs)
+ [ -n "$sepol" ] || error "sepol is empty"
do_facet mgs $LCTL set_param -P nodemap.$nm.sepol="$sepol"
check_nodemap $nm sepol $sepol
do_facet mgs $LCTL set_param -P nodemap.$nm.sepol="$sepol"
check_nodemap $nm sepol $sepol
ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl3 && error "hardlink (3)"
# reset correct sepol
ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl3 && error "hardlink (3)"
# reset correct sepol
+ l_getsepol || error "cannot get sepol"
sepol=$(l_getsepol | cut -d':' -f2- | xargs)
sepol=$(l_getsepol | cut -d':' -f2- | xargs)
+ [ -n "$sepol" ] || error "sepol is empty"
do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
check_nodemap c0 sepol $sepol
do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
check_nodemap c0 sepol $sepol
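Review bot: The added `l_getsepol || error "cannot get sepol"` checks one run of the helper, but the value stored in `sepol` comes from a second run whose exit status is hidden by the `cut | xargs` pipeline. Capturing the output once keeps the check and the value tied to the same invocation: `sepol=$(l_getsepol) || error "cannot get sepol"` followed by `sepol=$(echo "$sepol" | cut -d':' -f2- | xargs)`. The same pattern appears in both places this section touches, before the `nodemap.$nm.sepol` setting and before the `nodemap.c0.sepol` reset. The `[ -n "$sepol" ]` guard is worth keeping either way, since an empty value would presumably leave the nodemap without a policy to compare against.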
int policyver = 0;
char pol_bin_path[PATH_MAX + 1];
struct stat st;
int policyver = 0;
char pol_bin_path[PATH_MAX + 1];
struct stat st;
+ time_t policymtime = 0;
int enforce;
char *policy_type = NULL;
unsigned char *mdval = NULL;
int enforce;
char *policy_type = NULL;
unsigned char *mdval = NULL;
- /* Version of loaded policy */
+ /* Max version of loaded policy */
policyver = security_policyvers();
if (policyver < 0) {
errlog("unknown policy version: %s\n", strerror(errno));
policyver = security_policyvers();
if (policyver < 0) {
errlog("unknown policy version: %s\n", strerror(errno));
- /* Path of binary policy file */
- snprintf(pol_bin_path, sizeof(pol_bin_path), "%s.%d",
- selinux_binary_policy_path(), policyver);
-
- /* Stat binary policy file */
- if (stat(pol_bin_path, &st)) {
- errlog("can't stat %s: %s\n", pol_bin_path, strerror(errno));
- rc = -errno;
- goto out;
+ while (policymtime == 0) {
+ /* Path of binary policy file */
+ snprintf(pol_bin_path, sizeof(pol_bin_path), "%s.%d",
+ selinux_binary_policy_path(), policyver);
+
+ /* Stat binary policy file */
+ if (stat(pol_bin_path, &st)) {
+ if (policyver > 0) {
+ policyver--;
+ } else {
+ errlog("can't stat %s.*: %s\n",
+ selinux_binary_policy_path(),
+ strerror(errno));
+ rc = -errno;
+ goto out;
+ }
+ } else {
+ policymtime = st.st_mtime;
+ }
- policymtime = st.st_mtime;
/* Determine if SELinux is in permissive or enforcing mode */
enforce = security_getenforce();
/* Determine if SELinux is in permissive or enforcing mode */
enforce = security_getenforce();
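Review bot: The loop condition `while (policymtime == 0)` uses the mtime as its found-flag, so a policy file whose `st_mtime` is 0 sends the success branch back to the same `stat()` forever; the loop should be left with an explicit `break`. The failure branch also steps down a version on every `stat()` error, although only `ENOENT` says that this version is absent, so a permission or path error on the newest file would silently select an older policy file for the checksum. In the final error path `errno` is read after `errlog()` has run, which may have changed it, so it is safer to save it first. The enclosing function starts and ends outside this section, and the closing brace of the loop is not visible here.

```c
	for (;;) {
		/* Path of binary policy file */
		snprintf(pol_bin_path, sizeof(pol_bin_path), "%s.%d",
			 selinux_binary_policy_path(), policyver);

		/* Stat binary policy file */
		if (stat(pol_bin_path, &st) == 0) {
			policymtime = st.st_mtime;
			break;
		}
		/* only a missing file means "try the next lower version" */
		if (errno != ENOENT || policyver == 0) {
			rc = -errno;	/* saved before errlog() can change it */
			errlog("can't stat %s.*: %s\n",
			       selinux_binary_policy_path(), strerror(-rc));
			goto out;
		}
		policyver--;
	/* … unchanged: the loop closes here, then the enforce mode query … */
```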