@@ -1764,6 +1764,21 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
/* clean up some files from the sandbox before install */
/* remove homedir_template from sandbox */
+ /* sync filesystem with sandbox first */
+ fd = open(sandbox, O_DIRECTORY);
+ if (fd == -1) {
+ ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
+ retval = -1;
+ goto cleanup;
+ }
+ if (syncfs(fd) == -1) {
+ ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
+ close(fd);
+ retval = -1;
+ goto cleanup;
+ }
+ close(fd);
+
if (rename(sandbox, active) == -1) {
ERR(sh, "Error while renaming %s to %s.", sandbox, active);
/* note that if an error occurs during the next
Commit 331a109f91ea ("libsemanage: fsync final files before rename") added fsync() for policy files and improved situation when something unexpected happens right after rename(). However the module store could be affected as well. After the following steps module files could be 0 size: 1. Run `semanage fcontext -a -t var_t "/tmp/abc"` 2. Force shutdown the server during the command is run, or right after it's finished 3. Boot the system and look for empty files: # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l 1266 It looks like this situation can be avoided it the filesystem with the store is sync()ed before rename() Signed-off-by: Petr Lautrbach <plautrba@redhat.com> --- libsemanage/src/semanage_store.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)