diff --git a/backport-newrole-check-for-crypt-3-failure.patch b/backport-newrole-check-for-crypt-3-failure.patch deleted file mode 100644 index 1d061d26d36e6dbfc9b5882f358842dd7fd39e18..0000000000000000000000000000000000000000 --- a/backport-newrole-check-for-crypt-3-failure.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 1af808982460ec74a23820dcc4d582bb39e2b223 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 22 Feb 2022 14:51:42 +0100 -Subject: [PATCH] newrole: check for crypt(3) failure -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Depending on the implementation crypt(3) can fail either by returning -NULL, or returning a pointer to an invalid hash and setting errno. - -Signed-off-by: Christian Göttsche ---- - policycoreutils/newrole/newrole.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c -index c99898635..781f99b63 100644 ---- a/policycoreutils/newrole/newrole.c -+++ b/policycoreutils/newrole/newrole.c -@@ -368,9 +368,14 @@ static int authenticate_via_shadow_passwd(const char *uname) - } - - /* Use crypt() to encrypt user's input password. */ -+ errno = 0; - encrypted_password_s = crypt(unencrypted_password_s, - p_shadow_line->sp_pwdp); - memset(unencrypted_password_s, 0, strlen(unencrypted_password_s)); -+ if (errno || !encrypted_password_s) { -+ fprintf(stderr, _("Cannot encrypt password.\n")); -+ return 0; -+ } - return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp)); - } - #endif /* if/else USE_PAM */ diff --git a/backport-newrole-ensure-password-memory-erasure.patch b/backport-newrole-ensure-password-memory-erasure.patch deleted file mode 100644 index 2536e6bd30f979eebf95de027723965d23744b8f..0000000000000000000000000000000000000000 --- a/backport-newrole-ensure-password-memory-erasure.patch +++ /dev/null @@ -1,63 +0,0 @@ -From c71d14e824e965e42493f5275d90272ab0c6825c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 22 Feb 2022 14:51:43 +0100 -Subject: [PATCH] newrole: ensure password memory erasure -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Compiler can optimize calls to memset(3), due to the as-if rule, away if -the object is not accessed later on. Use a wrapper using volatile -pointers to ensure the memory is guaranteed to be erased. Also erase -the encrypted password. - -Signed-off-by: Christian Göttsche ---- - policycoreutils/newrole/newrole.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c -index 781f99b63..ae37d7253 100644 ---- a/policycoreutils/newrole/newrole.c -+++ b/policycoreutils/newrole/newrole.c -@@ -333,6 +333,14 @@ static int read_pam_config(void) - - #define PASSWORD_PROMPT _("Password:") /* prompt for getpass() */ - -+static void memzero(void *ptr, size_t size) -+{ -+ volatile unsigned char * volatile p = ptr; -+ while (size--) { -+ *p++ = '\0'; -+ } -+} -+ - /* authenticate_via_shadow_passwd() - * - * in: uname - the calling user's user name -@@ -351,6 +359,7 @@ static int authenticate_via_shadow_passwd(const char *uname) - struct spwd *p_shadow_line; - char *unencrypted_password_s; - char *encrypted_password_s; -+ int ret; - - setspent(); - p_shadow_line = getspnam(uname); -@@ -371,12 +380,15 @@ static int authenticate_via_shadow_passwd(const char *uname) - errno = 0; - encrypted_password_s = crypt(unencrypted_password_s, - p_shadow_line->sp_pwdp); -- memset(unencrypted_password_s, 0, strlen(unencrypted_password_s)); -+ memzero(unencrypted_password_s, strlen(unencrypted_password_s)); - if (errno || !encrypted_password_s) { - fprintf(stderr, _("Cannot encrypt password.\n")); - return 0; - } -- return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp)); -+ -+ ret = !strcmp(encrypted_password_s, p_shadow_line->sp_pwdp); -+ memzero(encrypted_password_s, strlen(encrypted_password_s)); -+ return ret; - } - #endif /* if/else USE_PAM */ - diff --git a/backport-semodule_package-Close-leaking-fd.patch b/backport-semodule_package-Close-leaking-fd.patch deleted file mode 100644 index 586ac6b662930a0c727f7b32efbbfe59eca42ce3..0000000000000000000000000000000000000000 --- a/backport-semodule_package-Close-leaking-fd.patch +++ /dev/null @@ -1,24 +0,0 @@ -From ac16531b5ab6c40bdf5eae91c8cf7ae25355d61a Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Fri, 1 Apr 2022 15:35:48 +0200 -Subject: [PATCH] semodule_package: Close leaking fd - -Signed-off-by: Petr Lautrbach ---- - semodule-utils/semodule_package/semodule_package.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c -index 3515234e..bc8584b5 100644 ---- a/semodule-utils/semodule_package/semodule_package.c -+++ b/semodule-utils/semodule_package/semodule_package.c -@@ -73,6 +73,7 @@ static int file_to_data(const char *path, char **data, size_t * len) - goto err; - } - if (!sb.st_size) { -+ close(fd); - *len = 0; - return 0; - } --- -2.23.0 diff --git a/fix-fixfiles-N-date-function-two.patch b/fix-fixfiles-N-date-function-two.patch index 92cbd7c8f1f0bba4230be14ad86d5d71d31ff303..efce74dac592fd13c1c3eb62df0dac7356ae5715 100644 --- a/fix-fixfiles-N-date-function-two.patch +++ b/fix-fixfiles-N-date-function-two.patch @@ -15,8 +15,8 @@ index 8f5926a..21a1152 100755 shift LogReadOnly for m in `echo $FILESYSTEMSRW`; do -- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f - -+ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f - +- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f - ++ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f - done; } diff --git a/policycoreutils-3.3.tar.gz b/policycoreutils-3.4.tar.gz similarity index 43% rename from policycoreutils-3.3.tar.gz rename to policycoreutils-3.4.tar.gz index bdd96523e490de5c51aa1003ed502a85ee9f574d..403ac52e289f9202b05c86821e107ed21517ebe8 100644 Binary files a/policycoreutils-3.3.tar.gz and b/policycoreutils-3.4.tar.gz differ diff --git a/policycoreutils.spec b/policycoreutils.spec index c6d8bbe8e5d0927812768d9aaaa12151e9397d32..33bfe5d5b3004d15fb7c4341d50c61d9622d6f18 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -2,8 +2,8 @@ %bcond_with sandbox Name: policycoreutils -Version: 3.3 -Release: 3 +Version: 3.4 +Release: 1 Summary: Policy core utilities of selinux License: GPLv2 URL: https://github.com/SELinuxProject @@ -16,15 +16,12 @@ Source11: selinux-autorelabel-generator.sh Patch0: fix-fixfiles-N-date-function.patch Patch1: fix-fixfiles-N-date-function-two.patch -Patch2: backport-newrole-check-for-crypt-3-failure.patch -Patch3: backport-newrole-ensure-password-memory-erasure.patch -Patch4: backport-semodule_package-Close-leaking-fd.patch -Patch5: backport-python-Split-semanage-import-into-two-transactions.patch -Patch6: backport-python-audit2allow-close-file-stream-on-error.patch -Patch7: backport-semodule-avoid-toctou-on-output-module.patch +Patch2: backport-python-Split-semanage-import-into-two-transactions.patch +Patch3: backport-python-audit2allow-close-file-stream-on-error.patch +Patch4: backport-semodule-avoid-toctou-on-output-module.patch BuildRequires: gcc -BuildRequires: pam-devel libsepol-static >= 3.3 libsemanage-static >= 3.3 libselinux-devel >= 3.3 libcap-devel audit-libs-devel gettext +BuildRequires: pam-devel libsepol-static >= %{version} libsemanage-static >= %{version} libselinux-devel >= %{version} libcap-devel audit-libs-devel gettext BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel BuildRequires: systemd systemd-units Requires: libsepol >= 3.3 libselinux-utils util-linux grep gawk diffutils rpm sed coreutils @@ -44,7 +41,7 @@ It contains the selinux policy core utilities Summary: python3 utilities for seLinux policy core %{?python_provide:%python_provide python3-policycoreutils} Requires: policycoreutils = %{version}-%{release} -Requires: python3-libselinux python3-libsemanage >= 3.3 +Requires: python3-libselinux python3-libsemanage >= %{version} Requires: audit-libs-python3 >= 2.8.5 Requires: python3-IPy Requires: checkpolicy @@ -164,6 +161,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \ %py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux %find_lang policycoreutils +%find_lang selinux-python %post %systemd_post selinux-autorelabel-mark.service restorecond.service @@ -223,7 +221,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \ %dir %{_datadir}/system-config-selinux/__pycache__ %{_datadir}/system-config-selinux/__pycache__/selinux_server.* -%files -n python3-policycoreutils +%files -f selinux-python.lang -n python3-policycoreutils %{python3_sitelib}/__pycache__ %{python3_sitelib}/sepolgen %dir %{python3_sitelib}/sepolicy @@ -262,7 +260,10 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \ %{_mandir}/* %changelog -* Thu Dec 1 2022 wanghuizhao - 3.3-3 +* Thu Feb 2 2023 zhangguangzhi - 3.4-1 +- update version to 3.4 + +* Thu Dec 1 2022 wanghuizhao - 3.3-4 - backport patches from upstream * Tue Nov 15 2022 shenxiangwei - 3.3-3