diff --git a/backport-libsemanage-drop-duplicate-newlines-and-error-descriptions-in-error-messages.patch b/backport-libsemanage-drop-duplicate-newlines-and-error-descriptions-in-error-messages.patch new file mode 100644 index 0000000000000000000000000000000000000000..d5b65e084fb61314bc5edb2c578ead5308b5d89f --- /dev/null +++ b/backport-libsemanage-drop-duplicate-newlines-and-error-descriptions-in-error-messages.patch 
@@ -0,0 +1,527 @@ +From 4a8407a2ee9cc3b458eb1f71cc3820bce728a5b7 Mon Sep 17 00:00:00 2001 +From: changhan +Date: Fri, 18 Apr 2025 16:07:23 +0800 +Subject: [PATCH] + libsemanage-drop-duplicate-newlines-and-error-descriptions-in-error-messages + +Reference: https://github.com/SELinuxProject/selinux/commit/d3a5ae39bee42eac520a3d07f252251a2167a323 + +--- + src/compressed_file.c | 4 +- + src/database_file.c | 4 +- + src/database_policydb.c | 4 +- + src/direct_api.c | 98 ++++++++++++++++++++--------------------- + src/genhomedircon.c | 2 +- + src/handle.c | 2 +- + src/parse_utils.c | 4 +- + src/semanage_store.c | 6 +-- + 8 files changed, 60 insertions(+), 64 deletions(-) + +diff --git a/src/compressed_file.c b/src/compressed_file.c +index d6a8526..3718ad9 100644 +--- a/src/compressed_file.c ++++ b/src/compressed_file.c +@@ -174,13 +174,13 @@ int map_compressed_file(semanage_handle_t *sh, const char *path, + + fd = open(path, O_RDONLY | O_CLOEXEC); + if (fd == -1) { +- ERR(sh, "Unable to open %s\n", path); ++ ERR(sh, "Unable to open %s.", path); + return -1; + } + + file = fdopen(fd, "r"); + if (file == NULL) { +- ERR(sh, "Unable to open %s\n", path); ++ ERR(sh, "Unable to open %s.", path); + close(fd); + return -1; + } +diff --git a/src/database_file.c b/src/database_file.c +index 4737d57..0ee5d39 100644 +--- a/src/database_file.c ++++ b/src/database_file.c +@@ -130,8 +130,8 @@ static int dbase_file_flush(semanage_handle_t * handle, dbase_file_t * dbase) + str = fopen(fname, "we"); + umask(mask); + if (!str) { +- ERR(handle, "could not open %s for writing: %s", +- fname, strerror(errno)); ++ ERR(handle, "could not open %s for writing", ++ fname); + goto err; + } + __fsetlocking(str, FSETLOCKING_BYCALLER); +diff --git a/src/database_policydb.c b/src/database_policydb.c +index 079d573..d1472a2 100644 +--- a/src/database_policydb.c ++++ b/src/database_policydb.c +@@ -113,8 +113,8 @@ static int dbase_policydb_cache(semanage_handle_t * handle, + * ENOENT is not fatal - we 
just create an empty policydb */ + fp = fopen(fname, "rbe"); + if (fp == NULL && errno != ENOENT) { +- ERR(handle, "could not open %s for reading: %s", +- fname, strerror(errno)); ++ ERR(handle, "could not open %s for reading", ++ fname); + goto err; + } + +diff --git a/src/direct_api.c b/src/direct_api.c +index 9c35bc0..025b26e 100644 +--- a/src/direct_api.c ++++ b/src/direct_api.c +@@ -313,7 +313,7 @@ int semanage_direct_connect(semanage_handle_t * sh) + /* The file does not exist */ + sepol_set_disable_dontaudit(sh->sepolh, 0); + } else { +- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); ++ ERR(sh, "Unable to access %s.", path); + goto err; + } + +@@ -595,7 +595,7 @@ static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int + } + data_read = malloc(max_len * sizeof(*data_read)); + if (data_read == NULL) { +- ERR(sh, "Failed to malloc, out of memory.\n"); ++ ERR(sh, "Failed to malloc, out of memory."); + return -1; + } + +@@ -607,7 +607,7 @@ static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int + max_len *= 2; + tmp = realloc(data_read, max_len); + if (tmp == NULL) { +- ERR(sh, "Failed to realloc, out of memory.\n"); ++ ERR(sh, "Failed to realloc, out of memory."); + free(data_read); + return -1; + } +@@ -649,93 +649,93 @@ static int semanage_pipe_data(semanage_handle_t *sh, char *path, char *in_data, + + retval = pipe2(input_fd, O_CLOEXEC); + if (retval == -1) { +- ERR(sh, "Unable to create pipe for input pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to create pipe for input pipe."); + goto cleanup; + } + retval = pipe2(output_fd, O_CLOEXEC); + if (retval == -1) { +- ERR(sh, "Unable to create pipe for output pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to create pipe for output pipe."); + goto cleanup; + } + retval = pipe2(err_fd, O_CLOEXEC); + if (retval == -1) { +- ERR(sh, "Unable to create pipe for error pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to create pipe for error pipe."); 
+ goto cleanup; + } + + pid = fork(); + if (pid == -1) { +- ERR(sh, "Unable to fork from parent: %s.", strerror(errno)); ++ ERR(sh, "Unable to fork from parent."); + retval = -1; + goto cleanup; + } else if (pid == 0) { + retval = dup2(input_fd[PIPE_READ], STDIN_FILENO); + if (retval == -1) { +- ERR(sh, "Unable to dup2 input pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to dup2 input pipe."); + goto cleanup; + } + retval = dup2(output_fd[PIPE_WRITE], STDOUT_FILENO); + if (retval == -1) { +- ERR(sh, "Unable to dup2 output pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to dup2 output pipe."); + goto cleanup; + } + retval = dup2(err_fd[PIPE_WRITE], STDERR_FILENO); + if (retval == -1) { +- ERR(sh, "Unable to dup2 error pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to dup2 error pipe."); + goto cleanup; + } + + retval = close(input_fd[PIPE_WRITE]); + if (retval == -1) { +- ERR(sh, "Unable to close input pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to close input pipe."); + goto cleanup; + } + retval = close(output_fd[PIPE_READ]); + if (retval == -1) { +- ERR(sh, "Unable to close output pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to close output pipe."); + goto cleanup; + } + retval = close(err_fd[PIPE_READ]); + if (retval == -1) { +- ERR(sh, "Unable to close error pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to close error pipe."); + goto cleanup; + } + retval = execl(path, path, NULL); + if (retval == -1) { +- ERR(sh, "Unable to execute %s : %s\n", path, strerror(errno)); ++ ERR(sh, "Unable to execute %s.", path); + _exit(EXIT_FAILURE); + } + } else { + retval = close(input_fd[PIPE_READ]); + input_fd[PIPE_READ] = -1; + if (retval == -1) { +- ERR(sh, "Unable to close read end of input pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to close read end of input pipe."); + goto cleanup; + } + + retval = close(output_fd[PIPE_WRITE]); + output_fd[PIPE_WRITE] = -1; + if (retval == -1) { +- ERR(sh, "Unable to close write end of output pipe: %s\n", 
strerror(errno)); ++ ERR(sh, "Unable to close write end of output pipe."); + goto cleanup; + } + + retval = close(err_fd[PIPE_WRITE]); + err_fd[PIPE_WRITE] = -1; + if (retval == -1) { +- ERR(sh, "Unable to close write end of error pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to close write end of error pipe."); + goto cleanup; + } + + retval = write(input_fd[PIPE_WRITE], in_data, in_data_len); + if (retval == -1) { +- ERR(sh, "Failed to write data to input pipe: %s\n", strerror(errno)); ++ ERR(sh, "Failed to write data to input pipe."); + goto cleanup; + } + retval = close(input_fd[PIPE_WRITE]); + input_fd[PIPE_WRITE] = -1; + if (retval == -1) { +- ERR(sh, "Unable to close write end of input pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to close write end of input pipe."); + goto cleanup; + } + +@@ -747,7 +747,7 @@ static int semanage_pipe_data(semanage_handle_t *sh, char *path, char *in_data, + retval = close(output_fd[PIPE_READ]); + output_fd[PIPE_READ] = -1; + if (retval == -1) { +- ERR(sh, "Unable to close read end of output pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to close read end of output pipe."); + goto cleanup; + } + +@@ -759,7 +759,7 @@ static int semanage_pipe_data(semanage_handle_t *sh, char *path, char *in_data, + retval = close(err_fd[PIPE_READ]); + err_fd[PIPE_READ] = -1; + if (retval == -1) { +- ERR(sh, "Unable to close read end of error pipe: %s\n", strerror(errno)); ++ ERR(sh, "Unable to close read end of error pipe."); + goto cleanup; + } + +@@ -918,7 +918,7 @@ static int semanage_compile_module(semanage_handle_t *sh, + + status = map_compressed_file(sh, hll_path, &hll_contents); + if (status < 0) { +- ERR(sh, "Unable to read file %s\n", hll_path); ++ ERR(sh, "Unable to read file %s.", hll_path); + goto cleanup; + } + +@@ -928,16 +928,13 @@ static int semanage_compile_module(semanage_handle_t *sh, + if (err_data_len > 0) { + for (start = end = err_data; end < err_data + err_data_len; end++) { + if (*end == '\n') { +- 
fprintf(stderr, "%s: ", modinfo->name); +- fwrite(start, 1, end - start + 1, stderr); ++ ERR(sh, "%s: %.*s.", modinfo->name, (int)(end - start + 1), start); + start = end + 1; + } + } + + if (end != start) { +- fprintf(stderr, "%s: ", modinfo->name); +- fwrite(start, 1, end - start, stderr); +- fprintf(stderr, "\n"); ++ ERR(sh, "%s: %.*s.", modinfo->name, (int)(end - start), start); + } + } + if (status != 0) { +@@ -951,14 +948,14 @@ static int semanage_compile_module(semanage_handle_t *sh, + + status = write_compressed_file(sh, cil_path, cil_data, cil_data_len); + if (status == -1) { +- ERR(sh, "Failed to write %s\n", cil_path); ++ ERR(sh, "Failed to write %s.", cil_path); + goto cleanup; + } + + if (sh->conf->remove_hll == 1) { + status = unlink(hll_path); + if (status != 0) { +- ERR(sh, "Error while removing HLL file %s: %s", hll_path, strerror(errno)); ++ ERR(sh, "Error while removing HLL file %s.", hll_path); + goto cleanup; + } + +@@ -1037,8 +1034,7 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh, + unmap_compressed_file(&contents); + continue; + } else if (errno != ENOENT) { +- ERR(sh, "Unable to access %s: %s\n", cil_path, +- strerror(errno)); ++ ERR(sh, "Unable to access %s.", cil_path); + return -1; //an error in the "stat" call + } + } +@@ -1063,7 +1059,7 @@ static int semanage_compare_checksum(semanage_handle_t *sh, const char *referenc + fd = open(path, O_RDONLY | O_CLOEXEC); + if (fd == -1) { + if (errno != ENOENT) { +- ERR(sh, "Unable to open %s: %s\n", path, strerror(errno)); ++ ERR(sh, "Unable to open %s.", path); + return -1; + } + /* Checksum file not present - force a rebuild. 
*/ +@@ -1071,21 +1067,21 @@ static int semanage_compare_checksum(semanage_handle_t *sh, const char *referenc + } + + if (fstat(fd, &sb) == -1) { +- ERR(sh, "Unable to stat %s\n", path); ++ ERR(sh, "Unable to stat %s.", path); + retval = -1; + goto out_close; + } + + if (sb.st_size != (off_t)CHECKSUM_CONTENT_SIZE) { + /* Incompatible/invalid hash type - just force a rebuild. */ +- WARN(sh, "Module checksum invalid - forcing a rebuild\n"); ++ WARN(sh, "Module checksum invalid - forcing a rebuild."); + retval = 1; + goto out_close; + } + + data = mmap(NULL, CHECKSUM_CONTENT_SIZE, PROT_READ, MAP_PRIVATE, fd, 0); + if (data == MAP_FAILED) { +- ERR(sh, "Unable to mmap %s\n", path); ++ ERR(sh, "Unable to mmap %s.", path); + retval = -1; + goto out_close; + } +@@ -1194,7 +1190,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) + /* The file does not exist */ + do_rebuild |= (sepol_get_disable_dontaudit(sh->sepolh) == 1); + } else { +- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); ++ ERR(sh, "Unable to access %s.", path); + retval = -1; + goto cleanup; + } +@@ -1225,7 +1221,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) + /* The file does not exist */ + do_rebuild |= (sepol_get_preserve_tunables(sh->sepolh) == 1); + } else { +- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); ++ ERR(sh, "Unable to access %s.", path); + retval = -1; + goto cleanup; + } +@@ -1261,7 +1257,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) + path = semanage_path(SEMANAGE_TMP, semanage_computed_files[i]); + if (stat(path, &sb) != 0) { + if (errno != ENOENT) { +- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); ++ ERR(sh, "Unable to access %s.", path); + retval = -1; + goto cleanup; + } +@@ -1285,7 +1281,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) + retval = semanage_compile_hll_modules(sh, modinfos, num_modinfos, + modules_checksum); + if (retval < 0) { +- ERR(sh, "Failed to compile hll files into 
cil files.\n"); ++ ERR(sh, "Failed to compile hll files into cil files."); + goto cleanup; + } + +@@ -1298,7 +1294,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) + + retval = semanage_write_modules_checksum(sh, modules_checksum); + if (retval < 0) { +- ERR(sh, "Failed to write module checksum file.\n"); ++ ERR(sh, "Failed to write module checksum file."); + goto cleanup; + } + } +@@ -1419,7 +1415,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) + /* The file does not exist */ + pseusers->dtable->clear(sh, pseusers->dbase); + } else { +- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); ++ ERR(sh, "Unable to access %s.", path); + retval = -1; + goto cleanup; + } +@@ -1707,13 +1703,13 @@ static int semanage_direct_install_file(semanage_handle_t * sh, + + retval = map_compressed_file(sh, install_filename, &contents); + if (retval < 0) { +- ERR(sh, "Unable to read file %s\n", install_filename); ++ ERR(sh, "Unable to read file %s", install_filename); + goto cleanup; + } + + path = strdup(install_filename); + if (path == NULL) { +- ERR(sh, "No memory available for strdup.\n"); ++ ERR(sh, "No memory available for strdup."); + retval = -1; + goto cleanup; + } +@@ -1754,12 +1750,12 @@ static int semanage_direct_install_file(semanage_handle_t * sh, + if (module_name == NULL) { + module_name = strdup(filename); + if (module_name == NULL) { +- ERR(sh, "No memory available for module_name.\n"); ++ ERR(sh, "No memory available for module_name."); + retval = -1; + goto cleanup; + } + } else if (strcmp(module_name, filename) != 0) { +- fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", install_filename, module_name, filename); ++ ERR(sh, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", install_filename, module_name, filename); + } + + retval = semanage_direct_install(sh, contents.data, contents.len, +@@ -1800,7 +1796,7 @@ static int 
semanage_direct_extract(semanage_handle_t * sh, + } + + if (stat(module_path, &sb) != 0) { +- ERR(sh, "Unable to access %s: %s\n", module_path, strerror(errno)); ++ ERR(sh, "Unable to access %s.", module_path); + rc = -1; + goto cleanup; + } +@@ -1831,7 +1827,7 @@ static int semanage_direct_extract(semanage_handle_t * sh, + + if (extract_cil == 1 && strcmp(_modinfo->lang_ext, "cil") && stat(input_file, &sb) != 0) { + if (errno != ENOENT) { +- ERR(sh, "Unable to access %s: %s\n", input_file, strerror(errno)); ++ ERR(sh, "Unable to access %s.", input_file); + rc = -1; + goto cleanup; + } +@@ -1996,7 +1992,7 @@ static int semanage_direct_get_enabled(semanage_handle_t *sh, + + if (stat(path, &sb) < 0) { + if (errno != ENOENT) { +- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); ++ ERR(sh, "Unable to access %s.", path); + status = -1; + goto cleanup; + } +@@ -2329,7 +2325,7 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh, + /* set enabled/disabled status */ + if (stat(fn, &sb) < 0) { + if (errno != ENOENT) { +- ERR(sh, "Unable to access %s: %s\n", fn, strerror(errno)); ++ ERR(sh, "Unable to access %s.", fn); + status = -1; + goto cleanup; + } +@@ -2758,7 +2754,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh, + /* validate module info */ + ret = semanage_module_info_validate(modinfo); + if (ret != 0) { +- ERR(sh, "%s failed module validation.\n", modinfo->name); ++ ERR(sh, "%s failed module validation.", modinfo->name); + status = -2; + goto cleanup; + } +@@ -2846,7 +2842,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh, + if (stat(path, &sb) == 0) { + ret = unlink(path); + if (ret != 0) { +- ERR(sh, "Error while removing cached CIL file %s: %s", path, strerror(errno)); ++ ERR(sh, "Error while removing cached CIL file %s.", path); + status = -3; + goto cleanup; + } +diff --git a/src/genhomedircon.c b/src/genhomedircon.c +index 230015c..9f128d9 100644 +--- a/src/genhomedircon.c ++++ 
b/src/genhomedircon.c +@@ -1105,7 +1105,7 @@ static int get_group_users(genhomedircon_settings_t * s, + goto cleanup; + + if (group == NULL) { +- ERR(s->h_semanage, "Can't find group named %s\n", grname); ++ ERR(s->h_semanage, "Can't find group named %s", grname); + goto cleanup; + } + +diff --git a/src/handle.c b/src/handle.c +index 710d922..7f99c4e 100644 +--- a/src/handle.c ++++ b/src/handle.c +@@ -153,7 +153,7 @@ int semanage_get_hll_compiler_path(semanage_handle_t *sh, + + lower_lang_ext = strdup(lang_ext); + if (lower_lang_ext == NULL) { +- ERR(sh, "Could not create copy of lang_ext. Out of memory.\n"); ++ ERR(sh, "Could not create copy of lang_ext. Out of memory."); + status = -1; + goto cleanup; + } +diff --git a/src/parse_utils.c b/src/parse_utils.c +index 13837c8..cf7f7df 100644 +--- a/src/parse_utils.c ++++ b/src/parse_utils.c +@@ -47,8 +47,8 @@ int parse_open(semanage_handle_t * handle, parse_info_t * info) + + info->file_stream = fopen(info->filename, "re"); + if (!info->file_stream && (errno != ENOENT)) { +- ERR(handle, "could not open file %s: %s", +- info->filename, strerror(errno)); ++ ERR(handle, "could not open file %s.", ++ info->filename); + return STATUS_ERR; + } + if (info->file_stream) +diff --git a/src/semanage_store.c b/src/semanage_store.c +index 69d2f70..8c7bc31 100644 +--- a/src/semanage_store.c ++++ b/src/semanage_store.c +@@ -1590,7 +1590,7 @@ static int sefcontext_compile(semanage_handle_t * sh, const char *path) { + + if (stat(path, &sb) < 0) { + if (errno != ENOENT) { +- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); ++ ERR(sh, "Unable to access %s.", path); + return -1; + } + +@@ -1777,11 +1777,11 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) + /* sync changes in sandbox to filesystem */ + fd = open(sandbox, O_DIRECTORY | O_CLOEXEC); + if (fd == -1) { +- ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno); ++ ERR(sh, "Error while opening %s for syncfs().", sandbox); + return -1; + } + 
if (syncfs(fd) == -1) { +- ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno); ++ ERR(sh, "Error while syncing %s to filesystem.", sandbox); + close(fd); + return -1; + } +-- +2.33.0 + diff --git a/backport-libsemanage-handle-shell-allocation-failure.patch b/backport-libsemanage-handle-shell-allocation-failure.patch new file mode 100644 index 0000000000000000000000000000000000000000..5dee717c0d63a92b0d2d7f02caa894a59d1f8a37 --- /dev/null +++ b/backport-libsemanage-handle-shell-allocation-failure.patch @@ -0,0 +1,47 @@ +From 9bde761fcb912fded145a16de767afe8a8a3977f Mon Sep 17 00:00:00 2001 +From: changhan +Date: Fri, 18 Apr 2025 11:47:37 +0800 +Subject: [PATCH] libsemanage-handle-shell-allocation-failure + +Reference:https://github.com/SELinuxProject/selinux/commit/dcd755abdde87abdbb43855b7b1bc28d56a21c51 + +--- + src/genhomedircon.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/genhomedircon.c b/src/genhomedircon.c +index b35d7ba..230015c 100644 +--- a/src/genhomedircon.c ++++ b/src/genhomedircon.c +@@ -228,7 +228,7 @@ static semanage_list_t *get_shell_list(void) + free(temp); + semanage_list_destroy(&list); + fclose(shells); +- return default_shell_list(); ++ return NULL; + } + } + } +@@ -333,14 +333,18 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s) + return homedir_list; + + shells = get_shell_list(); +- assert(shells); + ++ if (!shells) { ++ ERR(s->h_semanage, "Allocation failure!"); ++ goto fail; ++ } + path = semanage_findval(PATH_ETC_LOGIN_DEFS, "UID_MIN", NULL); + if (path && *path) { + temp = atoi(path); + minuid = temp; + minuid_set = 1; + } ++ + free(path); + path = NULL; + +-- +2.33.0 + diff --git a/backport-libsemanage-optimize-policy-by-default.patch b/backport-libsemanage-optimize-policy-by-default.patch new file mode 100644 index 0000000000000000000000000000000000000000..e81ade051fea6e5ea16b57fd09880264c1c77ae4 --- /dev/null 
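Review bot: In the semanage_compile_module hunk the first ERR call passes `(int)(end - start + 1)`, which still includes the `'\n'` at `*end`, so every compiler diagnostic line is emitted with an embedded newline followed by the appended "." — the duplicate newline this series sets out to remove; `(int)(end - start)`, as the second ERR call in the same hunk already uses, would drop it. Those two calls also report HLL-compiler output rather than a failed syscall, so if the message handler in this tree appends strerror(errno) to ERR-level messages (the apparent reason the series drops the explicit strerror arguments), a stale errno from an earlier call would be attached to them; confirm the handler's behaviour before merging, because if it does not append errno the description is simply lost from every site changed here. In semanage_direct_install_file the module-rename warning keeps its trailing `\n` and is raised at ERR level although it is a warning; `WARN(sh, "SELinux userspace will refer to the module from %s as %s rather than %s", install_filename, module_name, filename);` would match the WARN site in semanage_compare_checksum. "Unable to read file %s" in that same function and "Can't find group named %s" in genhomedircon.c are the only changed messages left without the trailing period the others received.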
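Review bot: The new `if (!shells)` branch in get_home_dirs jumps to `fail`, which lies outside the hunk; confirm that the label exists in this version and releases everything get_home_dirs has allocated by that point (the enclosing function starts and ends outside the hunk). get_shell_list previously never returned NULL, since the failure path fell back to default_shell_list(), so any other caller outside this hunk now needs the same NULL check. The message "Allocation failure!" does not say what failed; `ERR(s->h_semanage, "Unable to build shell list.");` would let the log distinguish it from other allocation failures in genhomedircon.c.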
+++ b/backport-libsemanage-optimize-policy-by-default.patch @@ -0,0 +1,41 @@ +From 22e2743d22ed6159feee1831046872641cd5ad0c Mon Sep 17 00:00:00 2001 +From: changhan +Date: Fri, 18 Apr 2025 17:18:02 +0800 +Subject: [PATCH] libsemanage-optimize-policy-by-default + +Reference:https://github.com/SELinuxProject/selinux/commit/66da657a094a725d5f9d8e2441410afaa44bb7f3 + +--- + man/man5/semanage.conf.5 | 2 +- + src/conf-parse.y | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/man/man5/semanage.conf.5 b/man/man5/semanage.conf.5 +index 380b58b..b043fe5 100644 +--- a/man/man5/semanage.conf.5 ++++ b/man/man5/semanage.conf.5 +@@ -124,7 +124,7 @@ In order to compile the original HLL file into CIL, the same HLL file will need + .TP + .B optimize-policy + When set to "true", the kernel policy will be optimized upon rebuilds. +-It can be set to either "true" or "false" and by default it is set to "false". ++It can be set to either "true" or "false" and by default it is set to "true". + + .SH "SEE ALSO" + .TP +diff --git a/src/conf-parse.y b/src/conf-parse.y +index 343fbf8..12f94b7 100644 +--- a/src/conf-parse.y ++++ b/src/conf-parse.y +@@ -364,7 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf) + conf->bzip_small = 0; + conf->ignore_module_cache = 0; + conf->remove_hll = 0; +- conf->optimize_policy = 0; ++ conf->optimize_policy = 1; + + conf->save_previous = 0; + conf->save_linked = 0; +-- +2.33.0 + diff --git a/backport-libsemanage-simplify-file-deletion.patch b/backport-libsemanage-simplify-file-deletion.patch new file mode 100644 index 0000000000000000000000000000000000000000..29620828451c584ea98e9f637f1c8ef8f881aa1c --- /dev/null +++ b/backport-libsemanage-simplify-file-deletion.patch 
@@ -0,0 +1,63 @@ +From 46b6d4593fd0bf3286977a9fe7d48f849524543c Mon Sep 17 00:00:00 2001 +From: changhan +Date: Fri, 18 Apr 2025 16:43:48 +0800 +Subject: [PATCH] libsemanage-simplify-file-deletion + +Reference: https://github.com/SELinuxProject/selinux/commit/d3a5ae39bee42eac520a3d07f252251a2167a323 + +--- + src/direct_api.c | 24 +++++++++--------------- + 1 file changed, 9 insertions(+), 15 deletions(-) + +diff --git a/src/direct_api.c b/src/direct_api.c +index 025b26e..03fc6ad 100644 +--- a/src/direct_api.c ++++ b/src/direct_api.c +@@ -2738,7 +2738,6 @@ static int semanage_direct_install_info(semanage_handle_t *sh, + int status = 0; + int ret = 0; + int type; +- struct stat sb; + + char path[PATH_MAX]; + mode_t mask = umask(0077); +@@ -2839,13 +2838,11 @@ static int semanage_direct_install_info(semanage_handle_t *sh, + goto cleanup; + } + +- if (stat(path, &sb) == 0) { +- ret = unlink(path); +- if (ret != 0) { +- ERR(sh, "Error while removing cached CIL file %s.", path); +- status = -3; +- goto cleanup; +- } ++ ret = unlink(path); ++ if (ret != 0 && errno != ENOENT) { ++ ERR(sh, "Error while removing cached CIL file %s.", path); ++ status = -3; ++ goto cleanup; + } + } + +@@ -2942,13 +2939,10 @@ static int semanage_direct_remove_key(semanage_handle_t *sh, + goto cleanup; + } + +- struct stat sb; +- if (stat(path, &sb) == 0) { +- ret = unlink(path); +- if (ret != 0) { +- status = -1; +- goto cleanup; +- } ++ ret = unlink(path); ++ if (ret != 0 && errno != ENOENT) { ++ status = -1; ++ goto cleanup; + } + } + else { +-- +2.33.0 + diff --git a/libsemanage.spec b/libsemanage.spec index a906496debefa8488b79270dfe54c1c549c4ce73..a5ecd245d31ea5d0d584b85a35ee8cec5dcc2383 100644 --- a/libsemanage.spec +++ b/libsemanage.spec @@ -3,7 +3,7 @@ Name: libsemanage Version: 3.5 -Release: 2 +Release: 6 License: LGPLv2+ Summary: SELinux binary policy manipulation library URL: https://github.com/SELinuxProject/selinux/wiki 
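Review bot: The Reference line of this patch cites the same upstream commit (d3a5ae39bee42eac520a3d07f252251a2167a323) as the error-messages patch above, which looks like a copy-paste; the simplify-file-deletion change should cite its own upstream commit so the backport stays traceable. In semanage_direct_remove_key the new unlink failure path still sets `status = -1` without any message, while the parallel path in semanage_direct_install_info logs one; adding `ERR(sh, "Error while removing cached CIL file %s.", path);` before `status = -1;` would make a permission-denied or otherwise stuck CIL cache file diagnosable. Replacing stat()+unlink() with a single unlink() that tolerates ENOENT also closes the check-then-act window between the two calls, and in both hunks errno is read immediately after unlink, so no intervening call can overwrite it.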
@@ -21,6 +21,10 @@ Patch6007: backport-libsemanage-check-for-path-formatting-failures.patch Patch6008: backport-libsemanage-set-O_CLOEXEC-flag-for-file-descriptors.patch Patch6009: backport-libsemanage-check-closing-written-files.patch Patch6010: backport-libsemanage-handle-cil_set_handle_unknown-failure.patch +Patch6011: backport-libsemanage-handle-shell-allocation-failure.patch +Patch6012: backport-libsemanage-drop-duplicate-newlines-and-error-descriptions-in-error-messages.patch +Patch6013: backport-libsemanage-simplify-file-deletion.patch +Patch6014: backport-libsemanage-optimize-policy-by-default.patch Patch9000: fix-test-failure-with-secilc.patch @@ -116,6 +120,18 @@ make test %changelog +* Sun Apr 20 2025 changhan - 3.5-6 +- backport libsemanage: optimize policy by default + +* Sat Apr 19 2025 changhan - 3.5-5 +- backport libsemanage: simplify file deletion + +* Fri Apr 18 2025 changhan - 3.5-4 +- backport libsemanage: drop duplicate newlines and error descriptions in error messages + +* Fri Apr 18 2025 changhan - 3.5-3 +- backport libsemanage: handle shell allocation failure + * Mon Mar 17 2025 hugel - 3.5-2 - backport patches from upstream