Nicolas Iooss <nicolas.iooss@xxxxxxx> writes: > On Sun, Jan 31, 2021 at 12:53 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote: >> >> Commit 331a109f91ea ("libsemanage: fsync final files before rename") >> added fsync() for policy files and improved situation when something >> unexpected happens right after rename(). However the module store could >> be affected as well. After the following steps module files could be 0 >> size: >> >> 1. Run `semanage fcontext -a -t var_t "/tmp/abc"` >> 2. Force shutdown the server during the command is run, or right after >> it's finished >> 3. Boot the system and look for empty files: >> # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l >> 1266 >> >> It looks like this situation can be avoided if the filesystem with the >> sandbox is sync()ed before we start to rename() directories in the >> store. >> >> Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx> > > Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> > Merged. > Thanks! > Nicolas > >> --- >> >> - syncfs() moved before rename() dance >> >> libsemanage/src/semanage_store.c | 13 +++++++++++++ >> 1 file changed, 13 insertions(+) >> >> diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c >> index cd5e46bb2401..c6a736fe2d26 100644 >> --- a/libsemanage/src/semanage_store.c >> +++ b/libsemanage/src/semanage_store.c >> @@ -1736,6 +1736,19 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) >> } >> close(fd); >> >> + /* sync changes in sandbox to filesystem */ >> + fd = open(sandbox, O_DIRECTORY); >> + if (fd == -1) { >> + ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno); >> + return -1; >> + } >> + if (syncfs(fd) == -1) { >> + ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno); >> + close(fd); >> + return -1; >> + } >> + close(fd); >> + >> retval = commit_number; >> >> if (semanage_get_active_lock(sh) < 0) { >> -- >> 2.30.0 >>
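Review bot: In the block added after the first `close(fd);` in semanage_commit_sandbox(), both ERR() calls report the failure as a bare integer (`"... %d", sandbox, errno`). Printing `strerror(errno)` alongside or instead of the number would make an open() or syncfs() failure readable in the logs without a lookup. Two smaller points on the same block: `open(sandbox, O_DIRECTORY)` could spell out the access mode and add `O_CLOEXEC`, so the descriptor cannot be inherited if a caller forks in another thread while it is open. The comment `/* sync changes in sandbox to filesystem */` could also say that syncfs() flushes the whole filesystem containing the sandbox, not only the sandbox files, since that determines how long a commit can block on a busy system.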