libsemanage: Mute error messages from selinux_restorecon
Mute error messages produced by selinux_restorecon when rebuilding the
policy store to avoid error messages in containers, image mode, etc.

Fixes:
 #podman build --security-opt=label=disable --cap-add=all --device /dev/fuse -t quay.io/jlebon/fedora-bootc:tier-x . --build-arg MANIFEST=fedora-tier-x.yaml --from quay.io/fedora/fedora:rawhide
...
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext:  Operation not supported
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas:  Operation not supported
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/cil:  Operation not supported
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/hll:  Operation not supported
...

https://bugzilla.redhat.com/show_bug.cgi?id=2326348

Signed-off-by: Vit Mojzis <[email protected]>
Acked-by: James Carter <[email protected]>
vmojzis authored and jwcart2 committed Dec 17, 2024
1 parent 8ebb502 commit 5363e1a
Showing 1 changed file with 15 additions and 1 deletion.
16 changes: 15 additions & 1 deletion libsemanage/src/semanage_store.c
Expand Up @@ -3000,15 +3000,29 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
return 0;
}

/* log_callback muting all logs */
static int __attribute__ ((format(printf, 2, 3)))
log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) const char *fmt, ...)
{
return 0;
}

/* Make sure the file context and ownership of files in the policy
* store does not change */
void semanage_setfiles(semanage_handle_t * sh, const char *path){
struct stat sb;
int fd;
union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
union selinux_callback cb = { .func_log = log_callback_mute };

/* Mute all logs */
selinux_set_callback(SELINUX_CB_LOG, cb);

/* Fix the user and role portions of the context, ignore errors
* since this is not a critical operation */
selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY);

/* restore log_logging */
selinux_set_callback(SELINUX_CB_LOG, cb_orig);
/* Make sure "path" is owned by root */
if ((geteuid() != 0 || getegid() != 0) &&
((fd = open(path, O_RDONLY | O_CLOEXEC)) != -1)){
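Review bot: In semanage_setfiles, replacing SELINUX_CB_LOG with log_callback_mute around the selinux_restorecon call drops every message of every type, and the return value of selinux_restorecon is still discarded, so a relabel failure other than the "Operation not supported" case quoted in the commit message (for example a permission error on a file in the policy store) now leaves no trace at all. Consider keeping the return value and reporting one summary line through the handle's own logging when the call fails for a reason other than an unsupported filesystem, or having the callback filter on `type` instead of returning 0 unconditionally. Note also that selinux_set_callback changes process-wide state: while the walk runs, libselinux messages from any other thread in the calling process are silenced too, and restoring cb_orig afterwards would overwrite a callback another thread installed in the meantime; a comment stating that callers are assumed single-threaded here would document that. Minor style points: `/* restore log_logging */` would be clearer as "restore the original log callback", and a blank line before `/* Make sure "path" is owned by root */` would separate the two steps.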