From d3e7c152acb9f1814035ccdf40695f2b9b45a2fc Mon Sep 17 00:00:00 2001 From: zgzxx Date: Tue, 13 Jun 2023 15:08:08 +0800 Subject: [PATCH] backport patches from upstream (cherry picked from commit b35a0b4145912aaf1c58580ed922c68a38996158) --- ...-back-to-semanage_copy_dir-when-rena.patch | 137 +++ ...2-in-semanage_direct_get_module_info.patch | 36 + ...port-libsemanage-avoid-double-fclose.patch | 56 ++ ...ibsemanage-do-not-sort-empty-records.patch | 47 + ...x-memory-leak-in-semanage_user_roles.patch | 35 + backport-libsemanage-tests-free-memory.patch | 937 ++++++++++++++++++ libsemanage.spec | 12 +- 7 files changed, 1259 insertions(+), 1 deletion(-) create mode 100644 backport-libsemanage-Fall-back-to-semanage_copy_dir-when-rena.patch create mode 100644 backport-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_direct_get_module_info.patch create mode 100644 backport-libsemanage-avoid-double-fclose.patch create mode 100644 backport-libsemanage-do-not-sort-empty-records.patch create mode 100644 backport-libsemanage-fix-memory-leak-in-semanage_user_roles.patch create mode 100644 backport-libsemanage-tests-free-memory.patch diff --git a/backport-libsemanage-Fall-back-to-semanage_copy_dir-when-rena.patch b/backport-libsemanage-Fall-back-to-semanage_copy_dir-when-rena.patch new file mode 100644 index 0000000..e846c43 --- /dev/null +++ b/backport-libsemanage-Fall-back-to-semanage_copy_dir-when-rena.patch @@ -0,0 +1,137 @@ +From c7a3b93e31df312ed5b71436ec874054a95d4209 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 24 Mar 2022 13:00:34 +0100 +Subject: [PATCH] libsemanage: Fall back to semanage_copy_dir when rename() + fails + +In some circumstances, like semanage-store being on overlayfs, rename() +could fail with EXDEV - Invalid cross-device link. This is due to the +fact that overlays doesn't support rename() if source and target are not +on the same layer, e.g. in containers built from several layers. Even +though it's not atomic operation, it's better to try to copy files from +src to dst on our own in this case. Next rebuild will probably not fail +as the new directories will be on the same layer. + +Fixes: https://github.com/SELinuxProject/selinux/issues/343 + +Reproducer: + + $ cd selinux1 + + $ cat Dockerfile + FROM fedora:35 + RUN dnf install -y selinux-policy selinux-policy-targeted + + $ podman build -t localhost/selinux . --no-cache + + $ cd ../selinux2 + + $ cat Dockerfile + FROM localhost/selinux + RUN semodule -B + + $ podman build -t localhost/selinux2 . --no-cache + STEP 2/2: RUN semodule -B + libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link). + semodule: Failed! + Error: error building at STEP "RUN semodule -B": error while running runtime: exit status 1 + +With the fix: + + $ podman build -t localhost/selinux2 . --no-cache + STEP 2/2: RUN semodule -B + libsemanage.semanage_rename: Warning: rename(/var/lib/selinux/targeted/active, /var/lib/selinux/targeted/previous) failed: Invalid cross-device link, fall back to non-atomic semanage_copy_dir_flags() + + COMMIT localhost/selinux2 + --> d2cfcebc1a1 + Successfully tagged localhost/selinux2:latest + d2cfcebc1a1b34f1c2cd661ac18292b0612c3e5fa71d6fa1441be244da91b1af + +Reported-by: Joseph Marrero Corchado +Signed-off-by: Petr Lautrbach +Acked-by: Ondrej Mosnacek + +Reference:https://github.com/SELinuxProject/selinux/commit/c7a3b93e31df312ed5b71436ec874054a95d4209 +Conflict: Modify the file paths +--- + libsemanage/src/semanage_store.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +diff --git a/src/semanage_store.c b/src/semanage_store.c +index 767f05cb..c6d2c5e7 100644 +--- a/src/semanage_store.c ++++ b/src/semanage_store.c +@@ -697,6 +697,10 @@ int semanage_store_access_check(void) + + /********************* other I/O functions *********************/ + ++static int semanage_rename(semanage_handle_t * sh, const char *tmp, const char *dst); ++int semanage_remove_directory(const char *path); ++static int semanage_copy_dir_flags(const char *src, const char *dst, int flag); ++ + /* Callback used by scandir() to select files. */ + static int semanage_filename_select(const struct dirent *d) + { +@@ -768,7 +772,21 @@ out: + return retval; + } + +-static int semanage_copy_dir_flags(const char *src, const char *dst, int flag); ++static int semanage_rename(semanage_handle_t * sh, const char *src, const char *dst) { ++ int retval; ++ ++ retval = rename(src, dst); ++ if (retval == 0 || errno != EXDEV) ++ return retval; ++ ++ /* we can't use rename() due to filesystem limitation, lets try to copy files manually */ ++ WARN(sh, "WARNING: rename(%s, %s) failed: %s, fall back to non-atomic semanage_copy_dir_flags()", ++ src, dst, strerror(errno)); ++ if (semanage_copy_dir_flags(src, dst, 1) == -1) { ++ return -1; ++ } ++ return semanage_remove_directory(src); ++} + + /* Copies all of the files from src to dst, recursing into + * subdirectories. Returns 0 on success, -1 on error. */ +@@ -1770,7 +1788,7 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) + goto cleanup; + } + +- if (rename(active, backup) == -1) { ++ if (semanage_rename(sh, active, backup) == -1) { + ERR(sh, "Error while renaming %s to %s.", active, backup); + retval = -1; + goto cleanup; +@@ -1779,12 +1797,12 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) + /* clean up some files from the sandbox before install */ + /* remove homedir_template from sandbox */ + +- if (rename(sandbox, active) == -1) { ++ if (semanage_rename(sh, sandbox, active) == -1) { + ERR(sh, "Error while renaming %s to %s.", sandbox, active); + /* note that if an error occurs during the next + * function then the store will be left in an + * inconsistent state */ +- if (rename(backup, active) < 0) ++ if (semanage_rename(sh, backup, active) < 0) + ERR(sh, "Error while renaming %s back to %s.", backup, + active); + retval = -1; +@@ -1795,10 +1813,10 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) + * function then the store will be left in an + * inconsistent state */ + int errsv = errno; +- if (rename(active, sandbox) < 0) ++ if (semanage_rename(sh, active, sandbox) < 0) + ERR(sh, "Error while renaming %s back to %s.", active, + sandbox); +- else if (rename(backup, active) < 0) ++ else if (semanage_rename(sh, backup, active) < 0) + ERR(sh, "Error while renaming %s back to %s.", backup, + active); + else +-- +2.27.0 + diff --git a/backport-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_direct_get_module_info.patch b/backport-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_direct_get_module_info.patch new file mode 100644 index 0000000..6e5e672 --- /dev/null +++ b/backport-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_direct_get_module_info.patch @@ -0,0 +1,36 @@ +From 28510556f84263219a3d1846d6e2857c91680419 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 1 Apr 2022 15:35:47 +0200 +Subject: [PATCH] libsemanage: Fix USE_AFTER_FREE (CWE-672) in + semanage_direct_get_module_info() + +>From fclose(3): +Upon successful completion, 0 is returned. Otherwise, EOF is returned +and errno is set to indicate the error. In either case, any further +access (including another call to fclose()) to the stream results in +undefined behavior. + +Signed-off-by: Petr Lautrbach +Acked-by: James Carter + +Reference: https://github.com/SELinuxProject/selinux/commit/28510556f84263219a3d1846d6e2857c91680419 +Conflict: Modify the file paths +--- + libsemanage/src/direct_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/direct_api.c b/src/direct_api.c +index d83941b0..d5716ce5 100644 +--- a/src/direct_api.c ++++ b/src/direct_api.c +@@ -2293,6 +2293,7 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh, + tmp = NULL; + + if (fclose(fp) != 0) { ++ fp = NULL; + ERR(sh, + "Unable to close %s module lang ext file.", + (*modinfo)->name); +-- +2.27.0 + diff --git a/backport-libsemanage-avoid-double-fclose.patch b/backport-libsemanage-avoid-double-fclose.patch new file mode 100644 index 0000000..01b19a0 --- /dev/null +++ b/backport-libsemanage-avoid-double-fclose.patch @@ -0,0 +1,56 @@ +From e205e3e84a87ab0416d0d990d7534e6ea968332b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 8 Apr 2022 15:10:54 +0200 +Subject: [PATCH] libsemanage: avoid double fclose +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The cleanup goto block in `semanage_direct_set_enabled()` closes the +file stream pointer fp if not NULL. Set the stream to NULL after a +manual fclose(3), even on failure. + + direct_api.c: In function ‘semanage_direct_set_enabled’: + direct_api.c:2130:25: error: pointer ‘fp’ may be used after ‘fclose’ [-Werror=use-after-free] + 2130 | if (fp != NULL) fclose(fp); + | ^~~~~~~~~~ + direct_api.c:2092:29: note: call to ‘fclose’ here + 2092 | if (fclose(fp) != 0) { + | ^~~~~~~~~~ + +Acked-by: James Carter +Signed-off-by: Christian Göttsche + +Reference: https://github.com/SELinuxProject/selinux/commit/e205e3e84a87ab0416d0d990d7534e6ea968332b +Conflict: Modify the file paths +--- + libsemanage/src/direct_api.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/direct_api.c b/src/direct_api.c +index d5716ce5..7206483a 100644 +--- a/src/direct_api.c ++++ b/src/direct_api.c +@@ -2089,7 +2089,9 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, + goto cleanup; + } + +- if (fclose(fp) != 0) { ++ ret = fclose(fp); ++ fp = NULL; ++ if (ret != 0) { + ERR(sh, + "Unable to close disabled file for module %s", + modkey->name); +@@ -2097,8 +2099,6 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh, + goto cleanup; + } + +- fp = NULL; +- + break; + case 1: /* enable the module */ + if (unlink(fn) < 0) { +-- +2.27.0 + diff --git a/backport-libsemanage-do-not-sort-empty-records.patch b/backport-libsemanage-do-not-sort-empty-records.patch new file mode 100644 index 0000000..d34affb --- /dev/null +++ b/backport-libsemanage-do-not-sort-empty-records.patch @@ -0,0 +1,47 @@ +From ea539017fbbc972a8239a7944eaa5ce4960b0903 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Tue, 19 Oct 2021 17:11:22 +0200 +Subject: [PATCH] libsemanage: do not sort empty records +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Do not sort empty records to avoid calling qsort(3) with a NULL pointer. +qsort(3) might be annotated with the function attribute nonnull and +UBSan then complains: + + database_join.c:80:2: runtime error: null pointer passed as argument 1, which is declared to never be null + +Signed-off-by: Christian Göttsche +Reference: https://github.com/SELinuxProject/selinux/commit/ea539017fbbc972a8239a7944eaa5ce4960b0903 +Conflict: Modify the file path. +--- + libsemanage/src/database_join.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/database_join.c b/src/database_join.c +index b9b35a61..a49a6226 100644 +--- a/src/database_join.c ++++ b/src/database_join.c +@@ -77,10 +77,14 @@ static int dbase_join_cache(semanage_handle_t * handle, dbase_join_t * dbase) + goto err; + + /* Sort for quicker merge later */ +- qsort(records1, rcount1, sizeof(record1_t *), +- (int (*)(const void *, const void *))rtable1->compare2_qsort); +- qsort(records2, rcount2, sizeof(record2_t *), +- (int (*)(const void *, const void *))rtable2->compare2_qsort); ++ if (rcount1 > 0) { ++ qsort(records1, rcount1, sizeof(record1_t *), ++ (int (*)(const void *, const void *))rtable1->compare2_qsort); ++ } ++ if (rcount2 > 0) { ++ qsort(records2, rcount2, sizeof(record2_t *), ++ (int (*)(const void *, const void *))rtable2->compare2_qsort); ++ } + + /* Now merge into this dbase */ + while (i < rcount1 || j < rcount2) { +-- +2.27.0 + diff --git a/backport-libsemanage-fix-memory-leak-in-semanage_user_roles.patch b/backport-libsemanage-fix-memory-leak-in-semanage_user_roles.patch new file mode 100644 index 0000000..16e22e5 --- /dev/null +++ b/backport-libsemanage-fix-memory-leak-in-semanage_user_roles.patch @@ -0,0 +1,35 @@ +From 3be312e0cf2c45adbe694b136f848fb62cba877e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Sat, 1 Apr 2023 14:49:02 +0200 +Subject: [PATCH] libsemanage: fix memory leak in semanage_user_roles + +The output parameter `role_arr` of semanage_user_get_roles() is an array +of non-owned role names. Since the array is never used again, as its +contents have been copied into the return value `roles`, free it. + +Example leak report from useradd(8): + + Direct leak of 8 byte(s) in 1 object(s) allocated from: + #0 0x5597624284a8 in __interceptor_calloc (./shadow/src/useradd+0xee4a8) + #1 0x7f53aefcbbf9 in sepol_user_get_roles src/user_record.c:270:21 +Reference: https://github.com/SELinuxProject/selinux/commit/3be312e0cf2c45adbe694b136f848fb62cba877e +Conflict: Modify the file paths +--- + libsemanage/src/seusers_local.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/seusers_local.c b/src/seusers_local.c +index 6508ec05..795a33d6 100644 +--- a/src/seusers_local.c ++++ b/src/seusers_local.c +@@ -47,6 +47,7 @@ static char *semanage_user_roles(semanage_handle_t * handle, const char *sename) + } + } + } ++ free(roles_arr); + } + semanage_user_free(user); + } +-- +2.27.0 + diff --git a/backport-libsemanage-tests-free-memory.patch b/backport-libsemanage-tests-free-memory.patch new file mode 100644 index 0000000..4eb9d6c --- /dev/null +++ b/backport-libsemanage-tests-free-memory.patch @@ -0,0 +1,937 @@ +From fe01a91a79574c21712fac2c58af1b54b7f3d46b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Tue, 19 Oct 2021 17:11:23 +0200 +Subject: [PATCH] libsemanage/tests: free memory +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Free all memory in test cases, reported by LeakSanitizer. + +Signed-off-by: Christian Göttsche + +Reference: https://github.com/SELinuxProject/selinux/commit/fe01a91a79574c21712fac2c58af1b54b7f3d46b +Conflict: Modify the file paths. +--- + libsemanage/tests/test_bool.c | 34 +++++++++++++++++++++++++++++- + libsemanage/tests/test_fcontext.c | 32 +++++++++++++++++++++++++++- + libsemanage/tests/test_ibendport.c | 13 ++++++++++++ + libsemanage/tests/test_iface.c | 24 +++++++++++++++++++++ + libsemanage/tests/test_node.c | 29 +++++++++++++++++++++++++ + libsemanage/tests/test_other.c | 6 ++++++ + libsemanage/tests/test_port.c | 24 +++++++++++++++++++++ + libsemanage/tests/test_user.c | 17 +++++++++++++++ + libsemanage/tests/utilities.c | 5 ++++- + libsemanage/tests/utilities.h | 2 ++ + 10 files changed, 183 insertions(+), 3 deletions(-) + +diff --git a/tests/test_bool.c b/tests/test_bool.c +index ae80d448..7bf5225b 100644 +--- a/tests/test_bool.c ++++ b/tests/test_bool.c +@@ -132,6 +132,8 @@ semanage_bool_t *get_bool_nth(int idx) + if (i != (unsigned int) idx) + semanage_bool_free(records[i]); + ++ free(records); ++ + return boolean; + } + +@@ -163,6 +165,8 @@ semanage_bool_key_t *get_bool_key_nth(int idx) + CU_ASSERT_FATAL(res >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + ++ semanage_bool_free(boolean); ++ + return key; + } + +@@ -196,6 +200,9 @@ void add_local_bool(const char *name) + CU_ASSERT_PTR_NOT_NULL_FATAL(boolean); + + CU_ASSERT_FATAL(semanage_bool_modify_local(sh, key, boolean) >= 0); ++ ++ semanage_bool_key_free(key); ++ semanage_bool_free(boolean); + } + + void delete_local_bool(const char *name) +@@ -208,6 +215,8 @@ void delete_local_bool(const char *name) + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + + CU_ASSERT_FATAL(semanage_bool_del_local(sh, key) >= 0); ++ ++ semanage_bool_key_free(key); + } + + /* Function bool_key_create */ +@@ -447,6 +456,8 @@ void helper_bool_create(level_t level) + CU_ASSERT_PTR_NULL(semanage_bool_get_name(boolean)); + CU_ASSERT(semanage_bool_get_value(boolean) == 0); + ++ semanage_bool_free(boolean); ++ + cleanup_handle(level); + } + +@@ -483,6 +494,9 @@ void helper_bool_clone(level_t level, int bool_idx) + + CU_ASSERT_EQUAL(val, val_clone); + ++ semanage_bool_free(boolean_clone); ++ semanage_bool_free(boolean); ++ + cleanup_handle(level); + } + +@@ -514,6 +528,9 @@ void helper_bool_query(level_t level, const char *bool_str, int exp_res) + CU_ASSERT_PTR_NULL(resp); + } + ++ semanage_bool_free(resp); ++ semanage_bool_key_free(key); ++ + cleanup_handle(level); + } + +@@ -647,6 +664,8 @@ void helper_bool_list(level_t level) + for (unsigned int i = 0; i < count; i++) + semanage_bool_free(records[i]); + ++ free(records); ++ + cleanup_handle(level); + } + +@@ -662,7 +681,7 @@ void helper_bool_modify_del_local(level_t level, const char *name, + int old_val, int exp_res) + { + semanage_bool_t *boolean; +- semanage_bool_t *boolean_local; ++ semanage_bool_t *boolean_local = NULL; + semanage_bool_key_t *key = NULL; + int res; + int new_val; +@@ -696,6 +715,8 @@ void helper_bool_modify_del_local(level_t level, const char *name, + CU_ASSERT(semanage_bool_query_local(sh, key, + &boolean_local) >= 0); + CU_ASSERT(semanage_bool_compare2(boolean_local, boolean) == 0); ++ semanage_bool_free(boolean_local); ++ + CU_ASSERT(semanage_bool_del_local(sh, key) >= 0); + CU_ASSERT(semanage_bool_query_local(sh, key, + &boolean_local) < 0); +@@ -734,15 +755,18 @@ void test_bool_query_local(void) + + /* transaction */ + setup_handle(SH_TRANS); ++ semanage_bool_key_free(key); + CU_ASSERT(semanage_bool_key_create(sh, BOOL1_NAME, &key) >= 0); + CU_ASSERT_PTR_NOT_NULL(key); + + CU_ASSERT(semanage_bool_query_local(sh, key, &resp) < 0); + CU_ASSERT_PTR_NULL(resp); ++ semanage_bool_free(resp); + + add_local_bool(BOOL1_NAME); + CU_ASSERT(semanage_bool_query_local(sh, key, &resp) >= 0); + CU_ASSERT_PTR_NOT_NULL(resp); ++ semanage_bool_free(resp); + + semanage_bool_key_free(key); + CU_ASSERT(semanage_bool_key_create(sh, BOOL2_NAME, &key) >= 0); +@@ -751,8 +775,10 @@ void test_bool_query_local(void) + add_local_bool(BOOL2_NAME); + CU_ASSERT(semanage_bool_query_local(sh, key, &resp) >= 0); + CU_ASSERT_PTR_NOT_NULL(resp); ++ semanage_bool_free(resp); + + /* cleanup */ ++ semanage_bool_key_free(key); + delete_local_bool(BOOL1_NAME); + delete_local_bool(BOOL2_NAME); + cleanup_handle(SH_TRANS); +@@ -784,6 +810,7 @@ void test_bool_exists_local(void) + CU_ASSERT(resp == 0); + + /* cleanup */ ++ semanage_bool_key_free(key); + cleanup_handle(SH_TRANS); + } + +@@ -918,12 +945,17 @@ void test_bool_list_local(void) + CU_ASSERT(semanage_bool_list_local(sh, &records, &count) >= 0); + CU_ASSERT(count == init_count + 1); + CU_ASSERT_PTR_NOT_NULL(records[0]); ++ semanage_bool_free(records[0]); ++ free(records); + + add_local_bool(BOOL2_NAME); + CU_ASSERT(semanage_bool_list_local(sh, &records, &count) >= 0); + CU_ASSERT(count == init_count + 2); + CU_ASSERT_PTR_NOT_NULL(records[0]); + CU_ASSERT_PTR_NOT_NULL(records[1]); ++ semanage_bool_free(records[0]); ++ semanage_bool_free(records[1]); ++ free(records); + + /* cleanup */ + delete_local_bool(BOOL1_NAME); +diff --git a/tests/test_fcontext.c b/tests/test_fcontext.c +index 62af711f..a5fcf849 100644 +--- a/tests/test_fcontext.c ++++ b/tests/test_fcontext.c +@@ -214,6 +214,8 @@ semanage_fcontext_t *get_fcontext_nth(int idx) + if (i != (unsigned int) idx) + semanage_fcontext_free(records[i]); + ++ free(records); ++ + return fcontext; + } + +@@ -230,6 +232,8 @@ semanage_fcontext_key_t *get_fcontext_key_nth(int idx) + CU_ASSERT_FATAL(semanage_fcontext_key_extract(sh, fcontext, &key) >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + ++ semanage_fcontext_free(fcontext); ++ + return key; + } + +@@ -246,6 +250,10 @@ void add_local_fcontext(int fcontext_idx) + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + + CU_ASSERT_FATAL(semanage_fcontext_modify_local(sh, key, fcontext) >= 0); ++ ++ /* cleanup */ ++ semanage_fcontext_key_free(key); ++ semanage_fcontext_free(fcontext); + } + + void delete_local_fcontext(int fcontext_idx) +@@ -257,6 +265,8 @@ void delete_local_fcontext(int fcontext_idx) + key = get_fcontext_key_nth(fcontext_idx); + + CU_ASSERT_FATAL(semanage_fcontext_del_local(sh, key) >= 0); ++ ++ semanage_fcontext_key_free(key); + } + + semanage_fcontext_key_t *get_fcontext_key_from_str(const char *str, int type) +@@ -477,6 +487,7 @@ void helper_fcontext_get_set_con(level_t level, int fcontext_idx, + } + + /* cleanup */ ++ semanage_context_free(con); + semanage_fcontext_free(fcontext); + cleanup_handle(level); + } +@@ -587,12 +598,14 @@ void helper_fcontext_query(level_t level, const char *fcontext_expr, + CU_ASSERT(res >= 0); + const char *expr = semanage_fcontext_get_expr(resp); + CU_ASSERT_STRING_EQUAL(expr, fcontext_expr); ++ semanage_fcontext_free(resp); + } else { + CU_ASSERT(res < 0); + CU_ASSERT(resp == (void *) 42); + } + + /* cleanup */ ++ semanage_fcontext_key_free(key); + cleanup_handle(level); + } + +@@ -752,6 +765,8 @@ void helper_fcontext_list(level_t level) + for (unsigned int i = 0; i < count; i++) + semanage_fcontext_free(records[i]); + ++ free(records); ++ + /* cleanup */ + cleanup_handle(level); + } +@@ -768,7 +783,7 @@ void helper_fcontext_modify_del_local(level_t level, int fcontext_idx, + const char *con_str, int exp_res) + { + semanage_fcontext_t *fcontext; +- semanage_fcontext_t *fcontext_local; ++ semanage_fcontext_t *fcontext_local = NULL; + semanage_fcontext_key_t *key = NULL; + semanage_context_t *con = NULL; + int res; +@@ -803,6 +818,8 @@ void helper_fcontext_modify_del_local(level_t level, int fcontext_idx, + &fcontext_local) >= 0); + CU_ASSERT(semanage_fcontext_compare2(fcontext_local, + fcontext) == 0); ++ semanage_fcontext_free(fcontext_local); ++ + CU_ASSERT(semanage_fcontext_del_local(sh, key) >= 0); + CU_ASSERT(semanage_fcontext_query_local(sh, key, + &fcontext_local) < 0); +@@ -811,6 +828,7 @@ void helper_fcontext_modify_del_local(level_t level, int fcontext_idx, + } + + /* cleanup */ ++ semanage_context_free(con); + semanage_fcontext_key_free(key); + semanage_fcontext_free(fcontext); + cleanup_handle(level); +@@ -846,6 +864,7 @@ void test_fcontext_query_local(void) + /* transaction */ + setup_handle(SH_TRANS); + ++ semanage_fcontext_key_free(key); + key = get_fcontext_key_nth(I_FIRST); + CU_ASSERT(semanage_fcontext_query_local(sh, key, &resp) < 0); + CU_ASSERT_PTR_NULL(resp); +@@ -853,14 +872,19 @@ void test_fcontext_query_local(void) + add_local_fcontext(I_FIRST); + CU_ASSERT(semanage_fcontext_query_local(sh, key, &resp) >= 0); + CU_ASSERT_PTR_NOT_NULL(resp); ++ semanage_fcontext_free(resp); ++ resp = NULL; + + semanage_fcontext_key_free(key); + key = get_fcontext_key_nth(I_SECOND); + add_local_fcontext(I_SECOND); + CU_ASSERT(semanage_fcontext_query_local(sh, key, &resp) >= 0); + CU_ASSERT_PTR_NOT_NULL(resp); ++ semanage_fcontext_free(resp); ++ resp = NULL; + + /* cleanup */ ++ semanage_fcontext_key_free(key); + delete_local_fcontext(I_FIRST); + delete_local_fcontext(I_SECOND); + cleanup_handle(SH_TRANS); +@@ -898,6 +922,7 @@ void test_fcontext_exists_local(void) + CU_ASSERT(resp == 0); + + /* cleanup */ ++ semanage_fcontext_key_free(key); + cleanup_handle(SH_TRANS); + } + +@@ -1031,12 +1056,17 @@ void test_fcontext_list_local(void) + CU_ASSERT(semanage_fcontext_list_local(sh, &records, &count) >= 0); + CU_ASSERT(count == 1); + CU_ASSERT_PTR_NOT_NULL(records[0]); ++ semanage_fcontext_free(records[0]); ++ free(records); + + add_local_fcontext(I_SECOND); + CU_ASSERT(semanage_fcontext_list_local(sh, &records, &count) >= 0); + CU_ASSERT(count == 2); + CU_ASSERT_PTR_NOT_NULL(records[0]); + CU_ASSERT_PTR_NOT_NULL(records[1]); ++ semanage_fcontext_free(records[0]); ++ semanage_fcontext_free(records[1]); ++ free(records); + + /* cleanup */ + delete_local_fcontext(I_FIRST); +diff --git a/tests/test_ibendport.c b/tests/test_ibendport.c +index 79a8e2c8..8addc908 100644 +--- a/tests/test_ibendport.c ++++ b/tests/test_ibendport.c +@@ -113,6 +113,8 @@ semanage_ibendport_t *get_ibendport_nth(int idx) + if (i != (unsigned int) idx) + semanage_ibendport_free(records[i]); + ++ free(records); ++ + return ibendport; + } + +@@ -132,6 +134,8 @@ semanage_ibendport_key_t *get_ibendport_key_nth(int idx) + CU_ASSERT_FATAL(res >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + ++ semanage_ibendport_free(ibendport); ++ + return key; + } + +@@ -148,6 +152,9 @@ void add_local_ibendport(int idx) + + CU_ASSERT_FATAL(semanage_ibendport_modify_local(sh, key, + ibendport) >= 0); ++ ++ semanage_ibendport_key_free(key); ++ semanage_ibendport_free(ibendport); + } + + void delete_local_ibendport(int idx) +@@ -155,6 +162,8 @@ void delete_local_ibendport(int idx) + semanage_ibendport_key_t *key = NULL; + key = get_ibendport_key_nth(idx); + CU_ASSERT_FATAL(semanage_ibendport_del_local(sh, key) >= 0); ++ ++ semanage_ibendport_key_free(key); + } + + /* Function semanage_ibendport_query */ +@@ -195,7 +204,9 @@ void test_ibendport_query(void) + CU_ASSERT_CONTEXT_EQUAL(con, con_exp); + + /* cleanup */ ++ free(name_exp); + free(name); ++ semanage_ibendport_key_free(key); + semanage_ibendport_free(ibendport); + semanage_ibendport_free(ibendport_exp); + cleanup_handle(SH_CONNECT); +@@ -356,12 +367,14 @@ void test_ibendport_modify_del_query_local(void) + CU_ASSERT(semanage_ibendport_query_local(sh, key, + &ibendport_local) >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(ibendport_local); ++ semanage_ibendport_free(ibendport_local); + + CU_ASSERT(semanage_ibendport_del_local(sh, key) >= 0); + CU_ASSERT(semanage_ibendport_query_local(sh, key, + &ibendport_local) < 0); + + /* cleanup */ ++ semanage_ibendport_key_free(key); + semanage_ibendport_free(ibendport); + cleanup_handle(SH_TRANS); + } +diff --git a/tests/test_iface.c b/tests/test_iface.c +index d5d530a8..434372f8 100644 +--- a/tests/test_iface.c ++++ b/tests/test_iface.c +@@ -139,6 +139,8 @@ semanage_iface_t *get_iface_nth(int idx) + if (i != (unsigned int) idx) + semanage_iface_free(records[i]); + ++ free(records); ++ + return iface; + } + +@@ -157,6 +159,9 @@ semanage_iface_key_t *get_iface_key_nth(int idx) + CU_ASSERT_FATAL(res >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + ++ /* cleanup */ ++ semanage_iface_free(iface); ++ + return key; + } + +@@ -171,6 +176,10 @@ void add_local_iface(int idx) + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + + CU_ASSERT_FATAL(semanage_iface_modify_local(sh, key, iface) >= 0); ++ ++ /* cleanup */ ++ semanage_iface_key_free(key); ++ semanage_iface_free(iface); + } + + void delete_local_iface(int idx) +@@ -178,6 +187,9 @@ void delete_local_iface(int idx) + semanage_iface_key_t *key = NULL; + key = get_iface_key_nth(idx); + CU_ASSERT_FATAL(semanage_iface_del_local(sh, key) >= 0); ++ ++ /* cleanup */ ++ semanage_iface_key_free(key); + } + + /* Function semanage_iface_compare */ +@@ -309,6 +321,7 @@ void test_iface_get_set_ifcon(void) + CU_ASSERT_CONTEXT_EQUAL(con1, con2); + + /* cleanup */ ++ semanage_context_free(con1); + semanage_iface_free(iface); + cleanup_handle(SH_CONNECT); + } +@@ -332,6 +345,7 @@ void test_iface_get_set_msgcon(void) + CU_ASSERT_CONTEXT_EQUAL(con1, con2); + + /* cleanup */ ++ semanage_context_free(con1); + semanage_iface_free(iface); + cleanup_handle(SH_CONNECT); + } +@@ -357,6 +371,8 @@ void test_iface_create(void) + CU_ASSERT(semanage_iface_set_msgcon(sh, iface, msgcon) >= 0); + + /* cleanup */ ++ semanage_context_free(msgcon); ++ semanage_context_free(ifcon); + semanage_iface_free(iface); + cleanup_handle(SH_CONNECT); + } +@@ -393,6 +409,8 @@ void test_iface_clone(void) + CU_ASSERT_CONTEXT_EQUAL(msgcon, msgcon2); + + /* cleanup */ ++ semanage_context_free(msgcon); ++ semanage_context_free(ifcon); + semanage_iface_free(iface); + semanage_iface_free(iface_clone); + cleanup_handle(SH_CONNECT); +@@ -426,6 +444,7 @@ void test_iface_query(void) + CU_ASSERT_CONTEXT_EQUAL(con, con_exp); + + /* cleanup */ ++ semanage_iface_key_free(key); + semanage_iface_free(iface); + semanage_iface_free(iface_exp); + cleanup_handle(SH_CONNECT); +@@ -513,6 +532,8 @@ void test_iface_list(void) + for (unsigned int i = 0; i < count; i++) + semanage_iface_free(records[i]); + ++ free(records); ++ + /* cleanup */ + cleanup_handle(SH_CONNECT); + } +@@ -541,11 +562,13 @@ void test_iface_modify_del_query_local(void) + + CU_ASSERT(semanage_iface_query_local(sh, key, &iface_local) >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(iface_local); ++ semanage_iface_free(iface_local); + + CU_ASSERT(semanage_iface_del_local(sh, key) >= 0); + CU_ASSERT(semanage_iface_query_local(sh, key, &iface_local) < 0); + + /* cleanup */ ++ semanage_iface_key_free(key); + semanage_iface_free(iface); + cleanup_handle(SH_TRANS); + } +@@ -658,6 +681,7 @@ void test_iface_list_local(void) + /* cleanup */ + for (unsigned int i = 0; i < count; i++) + semanage_iface_free(records[i]); ++ free(records); + + delete_local_iface(I_FIRST); + delete_local_iface(I_SECOND); +diff --git a/tests/test_node.c b/tests/test_node.c +index 53c2eb69..e49e8c3b 100644 +--- a/tests/test_node.c ++++ b/tests/test_node.c +@@ -148,6 +148,8 @@ semanage_node_t *get_node_nth(int idx) + if (i != (unsigned int) idx) + semanage_node_free(records[i]); + ++ free(records); ++ + return node; + } + +@@ -167,6 +169,8 @@ semanage_node_key_t *get_node_key_nth(int idx) + CU_ASSERT_FATAL(res >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + ++ semanage_node_free(node); ++ + return key; + } + +@@ -181,6 +185,10 @@ void add_local_node(int idx) + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + + CU_ASSERT_FATAL(semanage_node_modify_local(sh, key, node) >= 0); ++ ++ /* cleanup */ ++ semanage_node_key_free(key); ++ semanage_node_free(node); + } + + void delete_local_node(int idx) +@@ -190,6 +198,9 @@ void delete_local_node(int idx) + key = get_node_key_nth(idx); + + CU_ASSERT_FATAL(semanage_node_del_local(sh, key) >= 0); ++ ++ /* cleanup */ ++ semanage_node_key_free(key); + } + + /* Function semanage_node_compare */ +@@ -305,6 +316,7 @@ void test_node_get_set_addr(void) + CU_ASSERT_STRING_EQUAL(addr, "192.168.0.1"); + + /* cleanup */ ++ free(addr); + semanage_node_free(node); + cleanup_handle(SH_CONNECT); + } +@@ -334,6 +346,7 @@ void test_node_get_set_addr_bytes(void) + CU_ASSERT(addr1[i] == addr2[i]); + + /* cleanup */ ++ free(addr2); + semanage_node_free(node); + cleanup_handle(SH_CONNECT); + } +@@ -357,6 +370,7 @@ void test_node_get_set_mask(void) + CU_ASSERT_STRING_EQUAL(mask, "255.255.255.0"); + + /* cleanup */ ++ free(mask); + semanage_node_free(node); + cleanup_handle(SH_CONNECT); + } +@@ -386,6 +400,7 @@ void test_node_get_set_mask_bytes(void) + CU_ASSERT(mask1[i] == mask2[i]); + + /* cleanup */ ++ free(mask2); + semanage_node_free(node); + cleanup_handle(SH_CONNECT); + } +@@ -436,6 +451,7 @@ void test_node_get_set_con(void) + CU_ASSERT_CONTEXT_EQUAL(con1, con2); + + /* cleanup */ ++ semanage_context_free(con1); + semanage_node_free(node); + cleanup_handle(SH_CONNECT); + } +@@ -461,6 +477,7 @@ void test_node_create(void) + CU_ASSERT(semanage_node_set_con(sh, node, con) >= 0); + + /* cleanup */ ++ semanage_context_free(con); + semanage_node_free(node); + cleanup_handle(SH_CONNECT); + } +@@ -508,6 +525,9 @@ void test_node_clone(void) + CU_ASSERT_CONTEXT_EQUAL(con, con2); + + /* cleanup */ ++ free(mask2); ++ free(addr2); ++ semanage_context_free(con); + semanage_node_free(node); + semanage_node_free(node_clone); + cleanup_handle(SH_CONNECT); +@@ -552,6 +572,8 @@ void test_node_query(void) + CU_ASSERT_CONTEXT_EQUAL(con, con_exp); + + /* cleanup */ ++ semanage_node_key_free(key); ++ semanage_node_free(node_exp); + semanage_node_free(node); + cleanup_handle(SH_CONNECT); + } +@@ -638,6 +660,8 @@ void test_node_list(void) + for (unsigned int i = 0; i < count; i++) + semanage_node_free(records[i]); + ++ free(records); ++ + /* cleanup */ + cleanup_handle(SH_CONNECT); + } +@@ -679,6 +703,7 @@ void test_node_modify_del_query_local(void) + + CU_ASSERT(semanage_node_query_local(sh, key, &node_local) >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(node_local); ++ semanage_node_free(node_local); + + CU_ASSERT(semanage_node_del_local(sh, key) >= 0); + CU_ASSERT(semanage_node_del_local(sh, key_tmp) >= 0); +@@ -686,6 +711,8 @@ void test_node_modify_del_query_local(void) + CU_ASSERT(semanage_node_query_local(sh, key, &node_local) < 0); + + /* cleanup */ ++ semanage_node_key_free(key_tmp); ++ semanage_node_key_free(key); + semanage_node_free(node); + semanage_node_free(node_tmp); + cleanup_handle(SH_TRANS); +@@ -800,6 +827,8 @@ void test_node_list_local(void) + for (unsigned int i = 0; i < count; i++) + semanage_node_free(records[i]); + ++ free(records); ++ + delete_local_node(I_FIRST); + delete_local_node(I_SECOND); + delete_local_node(I_THIRD); +diff --git a/tests/test_other.c b/tests/test_other.c +index c4ee0ed8..0a57e247 100644 +--- a/tests/test_other.c ++++ b/tests/test_other.c +@@ -81,6 +81,9 @@ void test_semanage_context(void) + assert(str); + CU_ASSERT_STRING_EQUAL(str, "user_u:role_r:type_t:s0"); + ++ semanage_context_free(con); ++ con = NULL; ++ + CU_ASSERT(semanage_context_from_string(sh, "my_u:my_r:my_t:s0", + &con) >= 0); + CU_ASSERT_STRING_EQUAL(semanage_context_get_user(con), "my_u"); +@@ -95,6 +98,7 @@ void test_semanage_context(void) + CU_ASSERT_STRING_EQUAL(semanage_context_get_mls(con_clone), "s0"); + + /* cleanup */ ++ free(str); + semanage_context_free(con); + semanage_context_free(con_clone); + cleanup_handle(SH_CONNECT); +@@ -115,6 +119,8 @@ void test_debug(void) + CU_ASSERT(semanage_module_info_set_priority(sh, modinfo, -42) < 0); + + /* cleanup */ ++ semanage_module_info_destroy(sh, modinfo); ++ free(modinfo); + CU_ASSERT(semanage_disconnect(sh) >= 0); + semanage_handle_destroy(sh); + } +diff --git a/tests/test_port.c b/tests/test_port.c +index 0408be4d..f4c6ec21 100644 +--- a/tests/test_port.c ++++ b/tests/test_port.c +@@ -146,6 +146,8 @@ semanage_port_t *get_port_nth(int idx) + if (i != (unsigned int) idx) + semanage_port_free(records[i]); + ++ free(records); ++ + return port; + } + +@@ -165,6 +167,9 @@ semanage_port_key_t *get_port_key_nth(int idx) + CU_ASSERT_FATAL(res >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + ++ /* cleanup */ ++ semanage_port_free(port); ++ + return key; + } + +@@ -181,6 +186,10 @@ void add_local_port(int port_idx) + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + + CU_ASSERT_FATAL(semanage_port_modify_local(sh, key, port) >= 0); ++ ++ /* cleanup */ ++ semanage_port_key_free(key); ++ semanage_port_free(port); + } + + void delete_local_port(int port_idx) +@@ -192,6 +201,8 @@ void delete_local_port(int port_idx) + key = get_port_key_nth(port_idx); + + CU_ASSERT_FATAL(semanage_port_del_local(sh, key) >= 0); ++ ++ semanage_port_key_free(key); + } + + /* Function semanage_port_compare */ +@@ -447,6 +458,7 @@ void test_port_clone(void) + CU_ASSERT_CONTEXT_EQUAL(con, con2); + + /* cleanup */ ++ semanage_context_free(con); + semanage_port_free(port); + semanage_port_free(port_clone); + cleanup_handle(SH_CONNECT); +@@ -480,6 +492,7 @@ void test_port_query(void) + CU_ASSERT_CONTEXT_EQUAL(con, con_exp); + + /* cleanup */ ++ semanage_port_key_free(key); + semanage_port_free(port); + semanage_port_free(port_exp); + cleanup_handle(SH_CONNECT); +@@ -567,6 +580,8 @@ void test_port_list(void) + for (unsigned int i = 0; i < count; i++) + semanage_port_free(records[i]); + ++ free(records); ++ + cleanup_handle(SH_CONNECT); + } + +@@ -594,11 +609,14 @@ void test_port_modify_del_local(void) + + con_local = semanage_port_get_con(port_local); + CU_ASSERT_CONTEXT_EQUAL(con, con_local); ++ semanage_port_free(port_local); + + CU_ASSERT(semanage_port_del_local(sh, key) >= 0); + CU_ASSERT(semanage_port_query_local(sh, key, &port_local) < 0); + + /* cleanup */ ++ semanage_context_free(con); ++ semanage_port_key_free(key); + semanage_port_free(port); + cleanup_handle(SH_TRANS); + } +@@ -633,6 +651,7 @@ void test_port_query_local(void) + + /* cleanup */ + delete_local_port(I_FIRST); ++ semanage_port_key_free(key); + semanage_port_free(port); + semanage_port_free(port_exp); + cleanup_handle(SH_TRANS); +@@ -747,6 +766,8 @@ void test_port_list_local(void) + for (unsigned int i = 0; i < count; i++) + semanage_port_free(records[i]); + ++ free(records); ++ + delete_local_port(I_FIRST); + delete_local_port(I_SECOND); + delete_local_port(I_THIRD); +@@ -773,6 +794,7 @@ void helper_port_validate_local_noport(void) + helper_commit(); + + /* cleanup */ ++ semanage_port_key_free(key); + helper_begin_transaction(); + delete_local_port(I_FIRST); + cleanup_handle(SH_TRANS); +@@ -832,6 +854,8 @@ void helper_port_validate_local_twoports(void) + helper_begin_transaction(); + CU_ASSERT(semanage_port_del_local(sh, key1) >= 0); + CU_ASSERT(semanage_port_del_local(sh, key2) >= 0); ++ semanage_context_free(con2); ++ semanage_context_free(con1); + semanage_port_key_free(key1); + semanage_port_key_free(key2); + semanage_port_free(port1); +diff --git a/tests/test_user.c b/tests/test_user.c +index cd082030..c3835c8d 100644 +--- a/tests/test_user.c ++++ b/tests/test_user.c +@@ -130,6 +130,8 @@ semanage_user_t *get_user_nth(int idx) + if (i != (unsigned int) idx) + semanage_user_free(records[i]); + ++ free(records); ++ + return user; + } + +@@ -149,6 +151,8 @@ semanage_user_key_t *get_user_key_nth(int idx) + CU_ASSERT_FATAL(res >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + ++ semanage_user_free(user); ++ + return key; + } + +@@ -165,6 +169,9 @@ void add_local_user(int user_idx) + CU_ASSERT_PTR_NOT_NULL_FATAL(key); + + CU_ASSERT_FATAL(semanage_user_modify_local(sh, key, user) >= 0); ++ ++ semanage_user_key_free(key); ++ semanage_user_free(user); + } + + void delete_local_user(int user_idx) +@@ -176,6 +183,8 @@ void delete_local_user(int user_idx) + key = get_user_key_nth(user_idx); + + CU_ASSERT_FATAL(semanage_user_del_local(sh, key) >= 0); ++ ++ semanage_user_key_free(key); + } + + /* Function semanage_user_compare */ +@@ -391,6 +400,7 @@ void test_user_roles(void) + CU_ASSERT(semanage_user_get_num_roles(user) == 0); + + /* cleanup */ ++ free(roles_arr); + semanage_user_free(user); + cleanup_handle(SH_CONNECT); + } +@@ -459,6 +469,7 @@ void test_user_query(void) + CU_ASSERT_PTR_NOT_NULL(user); + + /* cleanup */ ++ semanage_user_key_free(key); + semanage_user_free(user); + cleanup_handle(SH_CONNECT); + } +@@ -546,6 +557,8 @@ void test_user_list(void) + for (unsigned int i = 0; i < count; i++) + semanage_user_free(records[i]); + ++ free(records); ++ + cleanup_handle(SH_CONNECT); + } + +@@ -573,10 +586,12 @@ void test_user_modify_del_query_local(void) + + CU_ASSERT(semanage_user_query_local(sh, key, &user_local) >= 0); + CU_ASSERT_PTR_NOT_NULL_FATAL(user_local); ++ semanage_user_free(user_local); + CU_ASSERT(semanage_user_del_local(sh, key) >= 0); + CU_ASSERT(semanage_user_query_local(sh, key, &user_local) < 0); + + /* cleanup */ ++ semanage_user_key_free(key); + semanage_user_free(user); + cleanup_handle(SH_TRANS); + } +@@ -683,6 +698,8 @@ void test_user_list_local(void) + for (unsigned int i = 0; i < count; i++) + semanage_user_free(records[i]); + ++ free(records); ++ + delete_local_user(I_FIRST); + delete_local_user(I_SECOND); + delete_local_user(I_THIRD); +diff --git a/tests/utilities.c b/tests/utilities.c +index 18393215..b28ae155 100644 +--- a/tests/utilities.c ++++ b/tests/utilities.c +@@ -99,6 +99,7 @@ int write_test_policy_from_file(const char *filename) { + char *buf = NULL; + size_t len = 0; + FILE *fptr = fopen(filename, "rb"); ++ int rc; + + if (!fptr) { + perror("fopen"); +@@ -120,7 +121,9 @@ int write_test_policy_from_file(const char *filename) { + fread(buf, len, 1, fptr); + fclose(fptr); + +- return write_test_policy(buf, len); ++ rc = write_test_policy(buf, len); ++ free(buf); ++ return rc; + } + + int write_test_policy_src(unsigned char *data, unsigned int data_len) { +diff --git a/tests/utilities.h b/tests/utilities.h +index db4dabf9..298b3280 100644 +--- a/tests/utilities.h ++++ b/tests/utilities.h +@@ -39,6 +39,8 @@ + CU_ASSERT(semanage_context_to_string(sh, CON1, &__str) >= 0); \ + CU_ASSERT(semanage_context_to_string(sh, CON2, &__str2) >= 0); \ + CU_ASSERT_STRING_EQUAL(__str, __str2); \ ++ free(__str2); \ ++ free(__str); \ + } while (0) + + +-- +2.27.0 + diff --git a/libsemanage.spec b/libsemanage.spec index e808578..9c993bc 100644 --- a/libsemanage.spec +++ b/libsemanage.spec @@ -3,13 +3,20 @@ Name: libsemanage Version: 3.3 -Release: 4 +Release: 5 License: LGPLv2+ Summary: SELinux binary policy manipulation library URL: https://github.com/SELinuxProject/selinux/wiki Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libsemanage-%{version}.tar.gz Source1: semanage.conf +Patch6000: backport-libsemanage-do-not-sort-empty-records.patch +Patch6001: backport-libsemanage-tests-free-memory.patch +Patch6002: backport-libsemanage-Fall-back-to-semanage_copy_dir-when-rena.patch +Patch6003: backport-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_direct_get_module_info.patch +Patch6004: backport-libsemanage-avoid-double-fclose.patch +Patch6005: backport-libsemanage-fix-memory-leak-in-semanage_user_roles.patch + Patch9000: fix-test-failure-with-secilc.patch BuildRequires: gcc python3-devel bison flex bzip2-devel audit-libs-devel @@ -105,6 +112,9 @@ make test %changelog +* Tue Jun 13 2023 zhangguangzhi - 3.3-5 +- backport patches from upstream + * Sat Dec 17 2022 fangxiuning - 3.3-4 - add description -- Gitee