From: Sebastien Buisson
Date: Wed, 9 Dec 2020 12:34:05 +0000 (+0100)
Subject: LU-14199 sec: find policy version in use for sepol
X-Git-Tag: 2.14.0-RC1~67
X-Git-Url: https://git.whamcloud.com/?p=fs%2Flustre-release.git;a=commitdiff_plain;h=e39d6451efb1d05ce7bb62eb0a91aebe7af302d9;hp=803a59b87d9b0de8c059447902db176dfd37a24a

LU-14199 sec: find policy version in use for sepol

SELinux exports the maximum kernel policy version that can be used. When building SELinux status checking representation 'sepol', we need to look for all possible versions of the policy, not only the max one.

Test-Parameters: clientdistro=el8.3 serverdistro=el8.2 testgroup=review-dne-selinux
Signed-off-by: Sebastien Buisson
Change-Id: Iae4b66403ce953e5a7c0df585900713c597ff033
Reviewed-on: https://review.whamcloud.com/40918
Tested-by: jenkins
Tested-by: Maloo
Reviewed-by: James Nunez
Reviewed-by: Andreas Dilger
---
diff --git a/lustre/tests/sanity-selinux.sh b/lustre/tests/sanity-selinux.sh
index 0897b79..191333e 100755
--- a/lustre/tests/sanity-selinux.sh
+++ b/lustre/tests/sanity-selinux.sh
@@ -544,7 +544,9 @@ create_nodemap() {
 	check_nodemap $nm trusted_nodemap 1
 	sleep 10
+	l_getsepol || error "cannot get sepol"
 	sepol=$(l_getsepol | cut -d':' -f2- | xargs)
+	[ -n "$sepol" ] || error "sepol is empty"
 	do_facet mgs $LCTL set_param -P nodemap.$nm.sepol="$sepol"
 	check_nodemap $nm sepol $sepol
@@ -749,7 +751,9 @@ test_21b() {
 	ln $DIR/$tdir/toopen $DIR/$tdir/toopen_hl3 && error "hardlink (3)"
 	# reset correct sepol
+	l_getsepol || error "cannot get sepol"
 	sepol=$(l_getsepol | cut -d':' -f2- | xargs)
+	[ -n "$sepol" ] || error "sepol is empty"
 	do_facet mgs $LCTL set_param -P nodemap.c0.sepol="$sepol"
 	check_nodemap c0 sepol $sepol
diff --git a/lustre/utils/l_getsepol.c b/lustre/utils/l_getsepol.c
index effa8e10..a3e07c4 100644
--- a/lustre/utils/l_getsepol.c
+++ b/lustre/utils/l_getsepol.c
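Review bot: The guard added to create_nodemap runs l_getsepol twice — once for the exit-status check and again inside the `sepol=$(...)` pipeline — so the value actually used comes from the second run, whose failure status the pipe through cut/xargs hides unless pipefail is enabled, and whose policy hash can differ from the first run if the policy is reloaded in between. Capturing a single run serves both checks: `out=$(l_getsepol) || error "cannot get sepol"`, `sepol=$(echo "$out" | cut -d':' -f2- | xargs)`, `[ -n "$sepol" ] || error "sepol is empty"`. The same double invocation is added in the test_21b hunk.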
@@ -329,7 +329,7 @@ int main(int argc, char **argv)
 	int policyver = 0;
 	char pol_bin_path[PATH_MAX + 1];
 	struct stat st;
-	time_t policymtime;
+	time_t policymtime = 0;
 	int enforce;
 	char *policy_type = NULL;
 	unsigned char *mdval = NULL;
@@ -342,7 +342,7 @@ int main(int argc, char **argv)
 	if (rc < 0)
 		goto out;
 
-	/* Version of loaded policy */
+	/* Max version of loaded policy */
 	policyver = security_policyvers();
 	if (policyver < 0) {
 		errlog("unknown policy version: %s\n", strerror(errno));
@@ -350,17 +350,26 @@ int main(int argc, char **argv)
 		goto out;
 	}
 
-	/* Path of binary policy file */
-	snprintf(pol_bin_path, sizeof(pol_bin_path), "%s.%d",
-		 selinux_binary_policy_path(), policyver);
-
-	/* Stat binary policy file */
-	if (stat(pol_bin_path, &st)) {
-		errlog("can't stat %s: %s\n", pol_bin_path, strerror(errno));
-		rc = -errno;
-		goto out;
+	while (policymtime == 0) {
+		/* Path of binary policy file */
+		snprintf(pol_bin_path, sizeof(pol_bin_path), "%s.%d",
+			 selinux_binary_policy_path(), policyver);
+
+		/* Stat binary policy file */
+		if (stat(pol_bin_path, &st)) {
+			if (policyver > 0) {
+				policyver--;
+			} else {
+				errlog("can't stat %s.*: %s\n",
+				       selinux_binary_policy_path(),
+				       strerror(errno));
+				rc = -errno;
+				goto out;
+			}
+		} else {
+			policymtime = st.st_mtime;
+		}
 	}
-	policymtime = st.st_mtime;
 
 	/* Determine if SELinux is in permissive or enforcing mode */
 	enforce = security_getenforce();
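Review bot: The `while (policymtime == 0)` loop in main uses an mtime of 0 as its termination sentinel, so a policy file whose st_mtime is exactly the epoch (reproducible builds and some image tooling do produce such files) makes stat() succeed, leaves policymtime at 0 and spins the loop forever on the same policyver; the `= 0` initializer added in the first hunk exists only to feed this sentinel. Iterating policyver directly and breaking on the first successful stat() removes the sentinel, and saving errno before errlog()/strerror() keeps `rc = -errno` from reporting whatever those calls left behind (the pre-change code had the same ordering). main continues outside the hunk.
```c
	/* Walk down from the max kernel version to the newest policy file present */
	for (; policyver >= 0; policyver--) {
		snprintf(pol_bin_path, sizeof(pol_bin_path), "%s.%d",
			 selinux_binary_policy_path(), policyver);
		if (stat(pol_bin_path, &st) == 0)
			break;
	}
	if (policyver < 0) {
		int err = errno;

		errlog("can't stat %s.*: %s\n", selinux_binary_policy_path(),
		       strerror(err));
		rc = -err;
		goto out;
	}
	policymtime = st.st_mtime;

	/* … unchanged: enforcing-mode lookup … */
```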