diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000000000000000000000000000000000..c9a618551d7d788cde5f4326178966a3917277e9
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.gz filter=lfs diff=lfs merge=lfs -text
diff --git a/.lfsconfig b/.lfsconfig
new file mode 100644
index 0000000000000000000000000000000000000000..c7f89adee7f18b7d181ec5566bb06cdbcfe609fa
--- /dev/null
+++ b/.lfsconfig
@@ -0,0 +1,2 @@
+[lfs]
+ url = https://artlfs.openeuler.openatom.cn/src-openEuler/policycoreutils
diff --git a/backport-fixfiles-use-grep-F-when-search-in-mounts.patch b/backport-fixfiles-use-grep-F-when-search-in-mounts.patch
deleted file mode 100644
index 95f385f7fe6ac73d6e22520e77c68f862f5eb727..0000000000000000000000000000000000000000
--- a/backport-fixfiles-use-grep-F-when-search-in-mounts.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From cd8d6c7f827845399ff7b5176dbc4496d48a0814 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 13 Nov 2024 14:02:00 +0100 -Subject: [PATCH] fixfiles: use `grep -F` when search in mounts - -systemd escapes luks uid so that mount points contain '\' and grep -should not consider this as regexp -Fixes: - $ cat /proc/self/mounts | sort | uniq | awk '{print $2}' - /run/credentials/systemd-cryptsetup@luks\134x2d6d1f41e6\134x2d5538\134x2d41a0\134x2db383\134x2cd41c2ddcacaa.service - - $ sudo fixfiles -B onboot - grep: Invalid back reference - grep: Invalid back reference - System will relabel on next boot - -Suggested-by: Christopher Tubbs -Signed-off-by: Petr Lautrbach -Acked-by: James Carter ---- - policycoreutils/scripts/fixfiles | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index cb50fef3c..b7cd765c1 100755 ---- a/policycoreutils/scripts/fixfiles -+++ b/policycoreutils/scripts/fixfiles -@@ -45,9 +45,9 @@ FS="`cat /proc/self/mounts | sort | uniq | awk '{print $2}'`" - for i in $FS; do - if [ `useseclabel` -ge 0 ] - then -- grep " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)seclabel(,|$)' && echo $i -+ grep -F " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)seclabel(,|$)' && echo $i - else -- grep " $i " /proc/self/mounts | grep -v "context=" | grep -E --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i -+ grep -F " $i " /proc/self/mounts | grep -v "context=" | grep -E --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i - fi - done - } -@@ -55,14 +55,14 @@ done - get_rw_labeled_mounts() { - FS=`get_all_labeled_mounts | sort | uniq` - for i in $FS; do -- grep " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)rw(,|$)' && echo $i -+ grep -F " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)rw(,|$)' && echo $i - done - } - - 
get_ro_labeled_mounts() { - FS=`get_all_labeled_mounts | sort | uniq` - for i in $FS; do -- grep " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)ro(,|$)' && echo $i -+ grep -F " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)ro(,|$)' && echo $i - done - } - diff --git a/backport-python-semanage-Allow-modifying-records-on-add.patch b/backport-python-semanage-Allow-modifying-records-on-add.patch deleted file mode 100644 index 29b7509d9ae78f1954d5c1425b937029d729bc67..0000000000000000000000000000000000000000 --- a/backport-python-semanage-Allow-modifying-records-on-add.patch +++ /dev/null 
@@ -1,395 +0,0 @@ -From f5d4b60e69e818d561ab645ff27b9bba68d5163e Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Wed, 14 Feb 2024 13:08:40 +0100 -Subject: [PATCH] python/semanage: Allow modifying records on "add" - -When trying to add a record with a key that already exists, modify -the existing record instead. - -Also, fix "semanage -m -e" (add_equal was called instead of -modify_equal), which meant that existing local equivalency couldn't be -modified (though a user could remove it and add a modified -equivalency). - -Fixes: - https://github.com/SELinuxProject/selinux/issues/412 - When a port or login definition present in the policy is modified - using "semanage port -m", "semanage export" exports the command as - "port -a" instead of "port -m". This results in "semanage import" - failing (port already defined). The same is true for port, user, - login, ibpkey, ibendport, node, interface and fcontext. - -Signed-off-by: Vit Mojzis -Acked-by: James Carter ---- - python/semanage/semanage | 2 +- - python/semanage/seobject.py | 208 +++++++++++++++++++++++++----------- - 2 files changed, 147 insertions(+), 63 deletions(-) - -diff --git a/python/semanage/semanage b/python/semanage/semanage -index 4fdb490f..b269b9fc 100644 ---- a/python/semanage/semanage -+++ b/python/semanage/semanage -@@ -322,7 +322,7 @@ def handleFcontext(args): - OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser) - if args.action == "modify": - if args.equal: -- OBJECT.add_equal(args.file_spec, args.equal) -+ OBJECT.modify_equal(args.file_spec, args.equal) - else: - OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser) - if args.action == "delete": -diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py -index 8769a1f..adb0b59 100644 ---- a/python/semanage/seobject.py -+++ b/python/semanage/seobject.py -@@ -561,11 +561,6 @@ class loginRecords(semanageRecords): - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) 
- -- (rc, exists) = semanage_seuser_exists(self.sh, k) -- if rc < 0: -- raise ValueError(_("Could not check if login mapping for %s is defined") % name) -- if exists: -- raise ValueError(_("Login mapping for %s is already defined") % name) - if name[0] == '%': - try: - grp.getgrnam(name[1:]) -@@ -604,11 +599,29 @@ class loginRecords(semanageRecords): - def add(self, name, sename, serange): - try: - self.begin() -- self.__add(name, sename, serange) -+ # Add a new mapping, or modify an existing one -+ if self.__exists(name): -+ print(_("Login mapping for %s is already defined, modifying instead") % name) -+ self.__modify(name, sename, serange) -+ else: -+ self.__add(name, sename, serange) - self.commit() - except ValueError as error: - raise error - -+ # check if login mapping for given user exists -+ def __exists(self, name): -+ (rc, k) = semanage_seuser_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % name) -+ -+ (rc, exists) = semanage_seuser_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if login mapping for %s is defined") % name) -+ semanage_seuser_key_free(k) -+ -+ return exists -+ - def __modify(self, name, sename="", serange=""): - rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name) - if sename == "" and serange == "": -@@ -825,12 +838,6 @@ class seluserRecords(semanageRecords): - if rc < 0: - raise ValueError(_("Could not create a key for %s") % name) - -- (rc, exists) = semanage_user_exists(self.sh, k) -- if rc < 0: -- raise ValueError(_("Could not check if SELinux user %s is defined") % name) -- if exists: -- raise ValueError(_("SELinux user %s is already defined") % name) -- - (rc, u) = semanage_user_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create SELinux user for %s") % name) -@@ -870,12 +877,28 @@ class seluserRecords(semanageRecords): - def add(self, name, roles, selevel, serange, prefix): - try: - self.begin() -- self.__add(name, roles, 
selevel, serange, prefix) -+ if self.__exists(name): -+ print(_("SELinux user %s is already defined, modifying instead") % name) -+ self.__modify(name, roles, selevel, serange, prefix) -+ else: -+ self.__add(name, roles, selevel, serange, prefix) - self.commit() - except ValueError as error: - self.mylog.commit(0) - raise error - -+ def __exists(self, name): -+ (rc, k) = semanage_user_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % name) -+ -+ (rc, exists) = semanage_user_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if SELinux user %s is defined") % name) -+ semanage_user_key_free(k) -+ -+ return exists -+ - def __modify(self, name, roles=[], selevel="", serange="", prefix=""): - oldserole = "" - oldserange = "" -@@ -1107,12 +1130,6 @@ class portRecords(semanageRecords): - - (k, proto_d, low, high) = self.__genkey(port, proto) - -- (rc, exists) = semanage_port_exists(self.sh, k) -- if rc < 0: -- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) -- if exists: -- raise ValueError(_("Port %s/%s already defined") % (proto, port)) -- - (rc, p) = semanage_port_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create port for %s/%s") % (proto, port)) -@@ -1156,9 +1173,23 @@ class portRecords(semanageRecords): - - def add(self, port, proto, serange, type): - self.begin() -- self.__add(port, proto, serange, type) -+ if self.__exists(port, proto): -+ print(_("Port {proto}/{port} already defined, modifying instead").format(proto=proto, port=port)) -+ self.__modify(port, proto, serange, type) -+ else: -+ self.__add(port, proto, serange, type) - self.commit() - -+ def __exists(self, port, proto): -+ (k, proto_d, low, high) = self.__genkey(port, proto) -+ -+ (rc, exists) = semanage_port_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port)) -+ semanage_port_key_free(k) -+ -+ 
return exists -+ - def __modify(self, port, proto, serange, setype): - if serange == "" and setype == "": - if is_mls_enabled == 1: -@@ -1381,12 +1412,6 @@ class ibpkeyRecords(semanageRecords): - - (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) - -- (rc, exists) = semanage_ibpkey_exists(self.sh, k) -- if rc < 0: -- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey)) -- if exists: -- raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey)) -- - (rc, p) = semanage_ibpkey_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey)) -@@ -1428,9 +1453,23 @@ class ibpkeyRecords(semanageRecords): - - def add(self, pkey, subnet_prefix, serange, type): - self.begin() -- self.__add(pkey, subnet_prefix, serange, type) -+ if self.__exists(pkey, subnet_prefix): -+ print(_("ibpkey {subnet_prefix}/{pkey} already defined, modifying instead").format(subnet_prefix=subnet_prefix, pkey=pkey)) -+ self.__modify(pkey, subnet_prefix, serange, type) -+ else: -+ self.__add(pkey, subnet_prefix, serange, type) - self.commit() - -+ def __exists(self, pkey, subnet_prefix): -+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) -+ -+ (rc, exists) = semanage_ibpkey_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").formnat(subnet_prefix=subnet_prefix, pkey=pkey)) -+ semanage_ibpkey_key_free(k) -+ -+ return exists -+ - def __modify(self, pkey, subnet_prefix, serange, setype): - if serange == "" and setype == "": - if is_mls_enabled == 1: -@@ -1635,12 +1674,6 @@ class ibendportRecords(semanageRecords): - raise ValueError(_("Type %s is invalid, must be an ibendport type") % type) - (k, ibendport, port) = self.__genkey(ibendport, ibdev_name) - -- (rc, exists) = semanage_ibendport_exists(self.sh, k) -- if rc < 0: -- raise ValueError(_("Could not check if ibendport %s/%s is defined") % 
(ibdev_name, port)) -- if exists: -- raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port)) -- - (rc, p) = semanage_ibendport_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port)) -@@ -1682,9 +1715,23 @@ class ibendportRecords(semanageRecords): - - def add(self, ibendport, ibdev_name, serange, type): - self.begin() -- self.__add(ibendport, ibdev_name, serange, type) -+ if self.__exists(ibendport, ibdev_name): -+ print(_("ibendport {ibdev_name}/{port} already defined, modifying instead").format(ibdev_name=ibdev_name, port=port)) -+ self.__modify(ibendport, ibdev_name, serange, type) -+ else: -+ self.__add(ibendport, ibdev_name, serange, type) - self.commit() - -+ def __exists(self, ibendport, ibdev_name): -+ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name) -+ -+ (rc, exists) = semanage_ibendport_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{port} is defined").format(ibdev_name=ibdev_name, port=port)) -+ semanage_ibendport_key_free(k) -+ -+ return exists -+ - def __modify(self, ibendport, ibdev_name, serange, setype): - if serange == "" and setype == "": - if is_mls_enabled == 1: -@@ -1906,12 +1953,6 @@ class nodeRecords(semanageRecords): - if rc < 0: - raise ValueError(_("Could not create key for %s") % addr) - -- (rc, exists) = semanage_node_exists(self.sh, k) -- if rc < 0: -- raise ValueError(_("Could not check if addr %s is defined") % addr) -- if exists: -- raise ValueError(_("Addr %s already defined") % addr) -- - (rc, node) = semanage_node_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create addr for %s") % addr) -@@ -1959,9 +2000,27 @@ class nodeRecords(semanageRecords): - - def add(self, addr, mask, proto, serange, ctype): - self.begin() -- self.__add(addr, mask, proto, serange, ctype) -+ if self.__exists(addr, mask, proto): -+ print(_("Addr %s already defined, modifying instead") % addr) -+ 
self.__modify(addr, mask, proto, serange, ctype) -+ else: -+ self.__add(addr, mask, proto, serange, ctype) - self.commit() - -+ def __exists(self, addr, mask, proto): -+ addr, mask, proto, audit_proto = self.validate(addr, mask, proto) -+ -+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -+ if rc < 0: -+ raise ValueError(_("Could not create key for %s") % addr) -+ -+ (rc, exists) = semanage_node_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if addr %s is defined") % addr) -+ semanage_node_key_free(k) -+ -+ return exists -+ - def __modify(self, addr, mask, proto, serange, setype): - addr, mask, proto, audit_proto = self.validate(addr, mask, proto) - -@@ -2115,12 +2174,6 @@ class interfaceRecords(semanageRecords): - if rc < 0: - raise ValueError(_("Could not create key for %s") % interface) - -- (rc, exists) = semanage_iface_exists(self.sh, k) -- if rc < 0: -- raise ValueError(_("Could not check if interface %s is defined") % interface) -- if exists: -- raise ValueError(_("Interface %s already defined") % interface) -- - (rc, iface) = semanage_iface_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create interface for %s") % interface) -@@ -2167,9 +2220,25 @@ class interfaceRecords(semanageRecords): - - def add(self, interface, serange, ctype): - self.begin() -- self.__add(interface, serange, ctype) -+ if self.__exists(interface): -+ print(_("Interface %s already defined, modifying instead") % interface) -+ self.__modify(interface, serange, ctype) -+ else: -+ self.__add(interface, serange, ctype) - self.commit() - -+ def __exists(self, interface): -+ (rc, k) = semanage_iface_key_create(self.sh, interface) -+ if rc < 0: -+ raise ValueError(_("Could not create key for %s") % interface) -+ -+ (rc, exists) = semanage_iface_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if interface %s is defined") % interface) -+ semanage_iface_key_free(k) -+ -+ return exists -+ - def __modify(self, interface, 
serange, setype): - if serange == "" and setype == "": - raise ValueError(_("Requires setype or serange")) -@@ -2357,7 +2426,13 @@ class fcontextRecords(semanageRecords): - raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute) - - if target in self.equiv.keys(): -- raise ValueError(_("Equivalence class for %s already exists") % target) -+ print(_("Equivalence class for %s already exists, modifying instead") % target) -+ self.equiv[target] = substitute -+ self.equal_ind = True -+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) -+ self.commit() -+ return -+ - self.validate(target) - - for fdict in (self.equiv, self.equiv_dist): -@@ -2433,18 +2508,6 @@ class fcontextRecords(semanageRecords): - if rc < 0: - raise ValueError(_("Could not create key for %s") % target) - -- (rc, exists) = semanage_fcontext_exists(self.sh, k) -- if rc < 0: -- raise ValueError(_("Could not check if file context for %s is defined") % target) -- -- if not exists: -- (rc, exists) = semanage_fcontext_exists_local(self.sh, k) -- if rc < 0: -- raise ValueError(_("Could not check if file context for %s is defined") % target) -- -- if exists: -- raise ValueError(_("File context for %s already defined") % target) -- - (rc, fcontext) = semanage_fcontext_create(self.sh) - if rc < 0: - raise ValueError(_("Could not create file context for %s") % target) -@@ -2483,9 +2546,30 @@ class fcontextRecords(semanageRecords): - - def add(self, target, type, ftype="", serange="", seuser="system_u"): - self.begin() -- self.__add(target, type, ftype, serange, seuser) -+ if self.__exists(target, ftype): -+ print(_("File context for %s already defined, modifying instead") % target) -+ self.__modify(target, type, ftype, serange, seuser) -+ else: -+ self.__add(target, type, ftype, serange, seuser) - self.commit() - -+ def __exists(self, target, 
ftype): -+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) -+ if rc < 0: -+ raise ValueError(_("Could not create key for %s") % target) -+ -+ (rc, exists) = semanage_fcontext_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if file context for %s is defined") % target) -+ -+ if not exists: -+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if file context for %s is defined") % target) -+ semanage_fcontext_key_free(k) -+ -+ return exists -+ - def __modify(self, target, setype, ftype, serange, seuser): - if serange == "" and setype == "" and seuser == "": - raise ValueError(_("Requires setype, serange or seuser")) --- - diff --git a/backport-restorecond-Set-GLib-IO-channels-to-binary-mode.patch b/backport-restorecond-Set-GLib-IO-channels-to-binary-mode.patch deleted file mode 100644 index aef02edbc2d01e3e9089d2fa28ed3704aa30691d..0000000000000000000000000000000000000000 --- a/backport-restorecond-Set-GLib-IO-channels-to-binary-mode.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 5131c4794d3ae4631b24fb4c5e4027f1aeb3f966 Mon Sep 17 00:00:00 2001 -From: Fabian Vogt -Date: Thu, 24 Oct 2024 10:48:15 +0200 -Subject: [PATCH] restorecond: Set GLib IO channels to binary mode - -By default, GIO channels use UTF-8 as encoding, which causes issues when -reading binary data such as inotify events. - -Signed-off-by: Fabian Vogt -Acked-by: James Carter ---- - restorecond/user.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/restorecond/user.c b/restorecond/user.c -index 3ae3ebbb72..7188c22e31 100644 ---- a/restorecond/user.c -+++ b/restorecond/user.c -@@ -238,6 +238,7 @@ static int local_server(void) { - } - /* watch for stdin/terminal going away */ - GIOChannel *in = g_io_channel_unix_new(0); -+ g_io_channel_set_encoding(in, NULL, NULL); - g_io_add_watch_full( in, - G_PRIORITY_HIGH, - G_IO_IN|G_IO_ERR|G_IO_HUP, -@@ -282,6 +283,7 @@ int server(int master_fd, const char *watch_file) { - set_matchpathcon_flags(MATCHPATHCON_NOTRANS); - - GIOChannel *c = g_io_channel_unix_new(master_fd); -+ g_io_channel_set_encoding(c, NULL, NULL); - - g_io_add_watch_full(c, - G_PRIORITY_HIGH, diff --git a/backport-restorecond-Set-GLib-IO-channels-to-nonblocking.patch b/backport-restorecond-Set-GLib-IO-channels-to-nonblocking.patch deleted file mode 100644 index 5a16539dc25aa0a80c8bd993072aa09acd9eb849..0000000000000000000000000000000000000000 --- a/backport-restorecond-Set-GLib-IO-channels-to-nonblocking.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 271eb4fe449dc9fd233f7e8d577f1c2897a13e2f Mon Sep 17 00:00:00 2001 -From: Fabian Vogt -Date: Thu, 24 Oct 2024 10:48:16 +0200 -Subject: [PATCH] restorecond: Set GLib IO channels to nonblocking - -Without nonblocking IO, g_io_channel_read_chars waits indefinitely for more -data without ever returning control to the event loop. - -Set the IO channels to nonblocking to fix SIGTERM handling. - -Signed-off-by: Fabian Vogt -Acked-by: James Carter ---- - restorecond/user.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/restorecond/user.c b/restorecond/user.c -index 7188c22e3..25e70ae15 100644 ---- a/restorecond/user.c -+++ b/restorecond/user.c -@@ -239,6 +239,7 @@ static int local_server(void) { - /* watch for stdin/terminal going away */ - GIOChannel *in = g_io_channel_unix_new(0); - g_io_channel_set_encoding(in, NULL, NULL); -+ g_io_channel_set_flags(in, g_io_channel_get_flags(in) | G_IO_FLAG_NONBLOCK, NULL); - g_io_add_watch_full( in, - G_PRIORITY_HIGH, - G_IO_IN|G_IO_ERR|G_IO_HUP, -@@ -284,6 +285,7 @@ int server(int master_fd, const char *watch_file) { - - GIOChannel *c = g_io_channel_unix_new(master_fd); - g_io_channel_set_encoding(c, NULL, NULL); -+ g_io_channel_set_flags(c, g_io_channel_get_flags(c) | G_IO_FLAG_NONBLOCK, NULL); - - g_io_add_watch_full(c, - G_PRIORITY_HIGH, diff --git a/backport-sepolgen-ifgen-allow-M4-escaped-filenames.patch b/backport-sepolgen-ifgen-allow-M4-escaped-filenames.patch deleted file mode 100644 index 748995a9a0a8284b9764c73fcaf47868f8d8d072..0000000000000000000000000000000000000000 --- a/backport-sepolgen-ifgen-allow-M4-escaped-filenames.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 2fc29ae7971070b27552140174d460dabd35fa0d Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Tue, 27 Aug 2024 13:28:13 +0200 -Subject: [PATCH] sepolgen-ifgen: allow M4 escaped filenames - -When a file name in type transition rule used in an interface is same as -a keyword, it needs to be M4 escaped so that the keyword is not expanded -by M4, e.g. - -- filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interface") -+ filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'') - -But sepolgen-ifgen could not parse such string: - - # sepolgen-ifgen - Illegal character '`' - -This change allows M4 escaping inside quoted strings and fixed described -problem. - -https://bugzilla.redhat.com/show_bug.cgi?id=2254206 - -Signed-off-by: Petr Lautrbach -Acked-by: James Carter ---- - python/sepolgen/src/sepolgen/refparser.py | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py -index e261d3f78..c8a3eb54d 100644 ---- a/python/sepolgen/src/sepolgen/refparser.py -+++ b/python/sepolgen/src/sepolgen/refparser.py -@@ -486,7 +486,7 @@ def p_interface_call_param(p): - | nested_id_set - | TRUE - | FALSE -- | FILENAME -+ | quoted_filename - ''' - # Intentionally let single identifiers pass through - # List means set, non-list identifier -@@ -1027,6 +1027,11 @@ def p_optional_semi(p): - | empty''' - pass - -+def p_quoted_filename(p): -+ '''quoted_filename : TICK quoted_filename SQUOTE -+ | FILENAME -+ ''' -+ p[0] = p[1] - - # - # Interface to the parser diff --git a/backport-sepolgen-initialize-gen_cil.patch b/backport-sepolgen-initialize-gen_cil.patch deleted file mode 100644 index 02348c24066e0f7c4b51ff54cd2dc8eb8405c70d..0000000000000000000000000000000000000000 --- a/backport-sepolgen-initialize-gen_cil.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From b6910aa68a0e3968935557c39ae1b89634bc9945 Mon Sep 17 00:00:00 2001 -From: Dmitry Sharshakov -Date: Thu, 1 Aug 2024 22:32:40 +0300 -Subject: [PATCH] sepolgen: initialize gen_cil - -Avoid errors when adding comments to CIL output like in audit2allow - -Signed-off-by: Dmitry Sharshakov -Acked-by: James Carter ---- - python/sepolgen/src/sepolgen/refpolicy.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py -index 2ec75fbad..32278896c 100644 ---- a/python/sepolgen/src/sepolgen/refpolicy.py -+++ b/python/sepolgen/src/sepolgen/refpolicy.py -@@ -1217,6 +1217,7 @@ def __init__(self, l=None): - self.lines = l - else: - self.lines = [] -+ self.gen_cil = False - - def to_string(self): - # If there are no lines, treat this as a spacer between diff --git a/backport-setfiles-avoid-unsigned-integer-underflow.patch b/backport-setfiles-avoid-unsigned-integer-underflow.patch deleted file mode 100644 index 67292aa5eb0a0f88b7ba25229c536f16d9c2ad3c..0000000000000000000000000000000000000000 --- a/backport-setfiles-avoid-unsigned-integer-underflow.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From fc2e9318d0a1b2ec331f6af25e70358f130d003b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 19 Dec 2023 17:09:33 +0100 -Subject: [PATCH] setfiles: avoid unsigned integer underflow -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While well-defined unsigned integer underflow might signal a logic -mistake or processing of unchecked user input. Please Clang's undefined -behavior sanitizer: - - restore.c:91:37: runtime error: unsigned integer overflow: 1 - 2 cannot be represented in type 'unsigned long' - -Signed-off-by: Christian Göttsche -Acked-by: James Carter ---- - policycoreutils/setfiles/restore.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c -index 6131f46a..d045e948 100644 ---- a/policycoreutils/setfiles/restore.c -+++ b/policycoreutils/setfiles/restore.c -@@ -77,8 +77,8 @@ int process_glob(char *name, struct restore_opts *opts, size_t nthreads, - long unsigned *skipped_errors) - { - glob_t globbuf; -- size_t i = 0; -- int len, rc, errors; -+ size_t i, len; -+ int rc, errors; - - memset(&globbuf, 0, sizeof(globbuf)); - -@@ -88,10 +88,10 @@ int process_glob(char *name, struct restore_opts *opts, size_t nthreads, - return errors; - - for (i = 0; i < globbuf.gl_pathc; i++) { -- len = strlen(globbuf.gl_pathv[i]) - 2; -- if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) -+ len = strlen(globbuf.gl_pathv[i]); -+ if (len > 2 && strcmp(&globbuf.gl_pathv[i][len - 2], "/.") == 0) - continue; -- if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) -+ if (len > 3 && strcmp(&globbuf.gl_pathv[i][len - 3], "/..") == 0) - continue; - rc = selinux_restorecon_parallel(globbuf.gl_pathv[i], - opts->restorecon_flags, --- -2.33.0 - 
diff --git a/policycoreutils-3.5.tar.gz b/policycoreutils-3.5.tar.gz deleted file mode 100644 index fc432fe6053d580a3b11391c3f7f93d51d6e91dc..0000000000000000000000000000000000000000 Binary files a/policycoreutils-3.5.tar.gz and /dev/null differ diff --git a/policycoreutils-3.9.tar.gz b/policycoreutils-3.9.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..6af5084cc1db0e64cdceb940870e5d1f9c414d47 --- /dev/null +++ b/policycoreutils-3.9.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9bf426b49eb9cfb027e85dccc965798ad54fa8d73eacdcecbdfa7f3826503dcc +size 6047313 diff --git a/policycoreutils.spec b/policycoreutils.spec index e9f5ca9b42ebcef1eb9d31dbe7a52fc76e746853..321e06bef588a5828bb8fd8a2176538bf82dc611 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -2,10 +2,10 @@ %bcond_with sandbox Name: policycoreutils -Version: 3.5 -Release: 4 +Version: 3.9 +Release: 1 Summary: Policy core utilities of selinux -License: GPLv2 +License: GPL-2.0-or-later URL: https://github.com/SELinuxProject Source0: https://github.com/SELinuxProject/selinux/archive/refs/tags/policycoreutils-%{version}.tar.gz Source7: selinux-autorelabel @@ -16,13 +16,6 @@ Source11: selinux-autorelabel-generator.sh Patch0: fix-fixfiles-N-date-function.patch Patch1: fix-fixfiles-N-date-function-two.patch -Patch2: backport-setfiles-avoid-unsigned-integer-underflow.patch -Patch3: backport-python-semanage-Allow-modifying-records-on-add.patch -Patch4: backport-sepolgen-initialize-gen_cil.patch -Patch5: backport-restorecond-Set-GLib-IO-channels-to-binary-mode.patch -Patch6: backport-restorecond-Set-GLib-IO-channels-to-nonblocking.patch -Patch7: backport-fixfiles-use-grep-F-when-search-in-mounts.patch -Patch8: backport-sepolgen-ifgen-allow-M4-escaped-filenames.patch BuildRequires: gcc BuildRequires: pam-devel libsepol-static >= %{version} libsemanage-static >= %{version} libselinux-devel >= %{version} libcap-devel audit-libs-devel gettext 
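Review bot: The new policycoreutils-3.9.tar.gz enters the repository only as a Git LFS pointer (`oid sha256:9bf426b4…503dcc`, `size 6047313`) resolved through the `.lfsconfig` endpoint, while `Source0:` in the spec still names the GitHub archive URL, so nothing in this commit records that the uploaded blob is the upstream 3.9 release rather than an arbitrary 6 MB archive. The oid pins the blob to whatever was pushed to the LFS server; it says nothing about upstream provenance. I would add, next to `Source0:`, a comment such as `# upstream policycoreutils-3.9.tar.gz; sha256 checked against the SELinuxProject release signature before upload` and mention the verification in the changelog entry so the next updater can repeat it. If openEuler's import tooling already verifies LFS blobs against upstream, a pointer to that process in the commit would serve the same purpose.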
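Review bot: Dropping Patch2–Patch8 is only safe if each of those upstream commits is contained in the policycoreutils-3.9 tag, and the commit gives no evidence for that; the two kept patches, `Patch0: fix-fixfiles-N-date-function.patch` and `Patch1: fix-fixfiles-N-date-function-two.patch`, were carried against 3.5 and also need confirming that they still apply with `%autosetup -p 1`. A changelog line naming the upstream commit IDs now shipped in 3.9 (they are in the removed patch headers, e.g. `fc2e9318`, `f5d4b60e`, `2fc29ae7`, `cd8d6c7f`) would make this reviewable. The unchanged `BuildRequires: ... libsepol-static >= %{version} libsemanage-static >= %{version} libselinux-devel >= %{version}` context now demands the 3.9 versions of those libraries, so presumably the companion packages have to land in the same batch.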
@@ -95,16 +88,10 @@ Requires: openbox It contains sandbox utilities for selinux %endif -%package help -Summary: Including man files for selinux -Requires: man - -%description help -This contains man files for the using of selinux. - +%package_help %prep -%autosetup -p 1 -n selinux-policycoreutils-%{version} +%autosetup -p 1 -n selinux-policycoreutils-%{version} %build %set_build_flags @@ -176,7 +163,6 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \ %postun %systemd_postun_with_restart restorecond.service - %files -f %{name}.lang %license policycoreutils/LICENSE %doc %{_usr}/share/doc/%{name} @@ -264,6 +250,9 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \ %{_mandir}/* %changelog +* Mon Oct 20 2025 Funda Wang - 3.9-1 +- update to 3.9 + * Tue Mar 18 2025 yanglongkang - 3.5-4 - backport patches from upstream