Bug 1828855

Summary: Please remove use of hardcoded SELinux security class
Product: [Fedora] Fedora
Reporter: Petr Lautrbach <plautrba>
Component: oddjob
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: nalin
Hardware: Unspecified
OS: Unspecified
Fixed In Version: oddjob-0.34.6-1.fc32 oddjob-0.34.6-1.fc31
Last Closed: 2020-05-14 02:36:07 UTC
Type: Bug

Description Petr Lautrbach 2020-04-28 13:33:20 UTC
Description of problem:
https://pagure.io/oddjob/issue/5


oddjob is using hardcoded SELinux classes; this has been deprecated in libselinux for about 5 years, and the flask.h header file will be removed in the next SELinux userspace release.

Please port to the new API (string_to_security_class()) and remove the selinux/flask.h include.


There's a PR - https://pagure.io/oddjob/pull-request/4 with a patch which solves this issue:



From 9648f39b2e38d8d908b9cda1f0145a9f57d19572 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy>
Date: Oct 08 2019 09:31:54 +0000
Subject: [PATCH 2/2] Remove reference to selinux/flask.h


---

diff --git a/src/oddjobd.c b/src/oddjobd.c
index 32d309c..ca78550 100644
--- a/src/oddjobd.c
+++ b/src/oddjobd.c
@@ -51,7 +51,6 @@
 #ifdef SELINUX_ACLS
 #include <selinux/selinux.h>
 #include <selinux/context.h>
-#include <selinux/flask.h>
 #endif
 #include "buffer.h"
 #include "common.h"
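Review bot: The commit message is only a subject line, and the removal of `#include <selinux/flask.h>` in this hunk is the part that needs a sentence of explanation: state that the header and its hardcoded SECCLASS_* constants are deprecated in libselinux in favour of runtime lookup, so the reason is recorded in the history and not only in the bug tracker. This is patch 2/2 and the first patch is not shown here, so also confirm that no other constant from flask.h is still referenced in src/oddjobd.c once the include is gone, otherwise builds with SELINUX_ACLS defined will fail.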
@@ -1973,7 +1972,7 @@ oddjobd_exec_method(struct oddjob_dbus_context *ctx,
 			}
 			if (security_compute_create((char *) client_secontext,
 						    helper_context,
-						    SECCLASS_PROCESS,
+						    string_to_security_class("process"),
 						    &exec_context) != 0) {
 				/* Failed to compute exec context? */
 				exec_errno = 0xfe;
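Review bot: The return value of `string_to_security_class("process")` is passed straight into `security_compute_create()` with no check. The lookup returns 0 when the loaded policy does not define the class, and in that case 0 is handed on as the target class. Resolve the class into a local variable first, treat 0 as an error, and take the same failure path that sets `exec_errno = 0xfe;` so that a failed lookup never reaches the context computation.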

Comment 1 Fedora Update System 2020-05-12 14:45:29 UTC
FEDORA-2020-238bbf85d8 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-238bbf85d8

Comment 2 Fedora Update System 2020-05-12 14:45:30 UTC
FEDORA-2020-b1fa09aa64 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b1fa09aa64

Comment 3 Fedora Update System 2020-05-13 03:55:45 UTC
FEDORA-2020-238bbf85d8 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-238bbf85d8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-238bbf85d8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2020-05-13 05:51:44 UTC
FEDORA-2020-b1fa09aa64 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-b1fa09aa64`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b1fa09aa64

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-05-14 02:36:07 UTC
FEDORA-2020-238bbf85d8 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 6 Fedora Update System 2020-05-21 02:50:08 UTC
FEDORA-2020-b1fa09aa64 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.