From 86e6cb0ca7f9e2bb55495a82f11d2669210558bd Mon Sep 17 00:00:00 2001 From: zgzxx Date: Tue, 11 Apr 2023 14:35:44 +0800 Subject: [PATCH] backport patches (cherry picked from commit 0c7bbc5fd4ac32358f1de55e6f629c7d4037f1ee) --- ...ential-NULL-reference-in-load_checks.patch | 38 +++++++++++ ...atabase-if-the-fcontext-is-non-local.patch | 65 +++++++++++++++++++ ...emanage-import-into-two-transactions.patch | 63 ++++++++++++++++++ ...dit2allow-close-file-stream-on-error.patch | 48 ++++++++++++++ ...-Call-os.makedirs-with-exist_ok-True.patch | 39 +++++++++++ policycoreutils.spec | 11 +++- 6 files changed, 263 insertions(+), 1 deletion(-) create mode 100644 backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch create mode 100644 backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch create mode 100644 backport-python-Split-semanage-import-into-two-transactions.patch create mode 100644 backport-python-audit2allow-close-file-stream-on-error.patch create mode 100644 backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch diff --git a/backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch b/backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch new file mode 100644 index 0000000..df0e46c --- /dev/null +++ b/backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch 
@@ -0,0 +1,38 @@ +From 1fe82e5cf581158cdfa184c64218b0bade82b01a Mon Sep 17 00:00:00 2001 +From: Jie Lu +Date: Mon, 5 Dec 2022 17:36:44 +0800 +Subject: [PATCH] policycoreutils: fix potential NULL reference in load_checks + +In load_checks(), add return check for malloc() to avoid NULL reference. + +Signed-off-by: Jie Lu +Acked-by: James Carter +--- + policycoreutils/sestatus/sestatus.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policycoreutils-3.1/sestatus/sestatus.c b/policycoreutils-3.1/sestatus/sestatus.c +index 7dcc9944..6c95828e 100644 +--- a/policycoreutils-3.1/sestatus/sestatus.c ++++ b/policycoreutils-3.1/sestatus/sestatus.c +@@ -140,6 +140,8 @@ static void load_checks(char *pc[], int *npc, char *fc[], int *nfc) + pc[*npc] = + (char *)malloc((buf_len) * + sizeof(char)); ++ if (!pc[*npc]) ++ break; + memcpy(pc[*npc], bufp, buf_len); + (*npc)++; + bufp = NULL; +@@ -150,6 +152,8 @@ static void load_checks(char *pc[], int *npc, char *fc[], int *nfc) + fc[*nfc] = + (char *)malloc((buf_len) * + sizeof(char)); ++ if (!fc[*nfc]) ++ break; + memcpy(fc[*nfc], bufp, buf_len); + (*nfc)++; + bufp = NULL; +-- +2.27.0 + diff --git a/backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch b/backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch new file mode 100644 index 0000000..92693a6 --- /dev/null +++ b/backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch 
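Review bot: The added `break` on a failed malloc() leaves the parsing loop silently, so sestatus continues with a truncated check list and prints no diagnostic; an `fprintf(stderr, "Out of memory\n");` before the `break`, or at least a comment such as `/* out of memory: keep the checks read so far, stop loading more */`, would make the degraded result visible to the caller. Whether the line buffer that `bufp` points into is released after the loop is outside the hunk; if its only free happens at the bottom of the loop body, the early exit presumably leaks the current line — verify against the code following the hunk. The same applies to the second inner hunk, which adds the identical check for `fc[*nfc]`. load_checks begins and ends outside the hunk.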
@@ -0,0 +1,65 @@ +From 7238ad32a3171d82bba9b99660e55399161236fc Mon Sep 17 00:00:00 2001 +From: James Carter +Date: Wed, 19 Oct 2022 14:20:11 -0400 +Subject: [PATCH] python: Do not query the local database if the fcontext is + non-local + +Vit Mojzis reports that an error message is produced when modifying +a non-local fcontext. + +He gives the following example: + # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd + libsemanage.dbase_llist_query: could not query record value (No such file or directory). + +When modifying an fcontext, the non-local database is checked for the +key and then, if it is not found there, the local database is checked. +If the key doesn't exist, then an error is raised. If the key exists +then the local database is queried first and, if that fails, the non- +local database is queried. + +The error is from querying the local database when the fcontext is in +the non-local database. + +Instead, if the fcontext is in the non-local database, just query +the non-local database. Only query the local database if the +fcontext was found in it. 
+ +Reported-by: Vit Mojzis +Signed-off-by: James Carter +--- + selinux-python-3.1/semanage/seobject.py | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/selinux-python-3.1/semanage/seobject.py b/selinux-python-3.1/semanage/seobject.py +index 0782c082..d82da494 100644 +--- a/selinux-python-3.1/semanage/seobject.py ++++ b/selinux-python-3.1/semanage/seobject.py +@@ -2504,16 +2504,19 @@ class fcontextRecords(semanageRecords): + (rc, exists) = semanage_fcontext_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if file context for %s is defined") % target) +- if not exists: ++ if exists: ++ try: ++ (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ except OSError: ++ raise ValueError(_("Could not query file context for %s") % target) ++ else: + (rc, exists) = semanage_fcontext_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if file context for %s is defined") % target) + if not exists: + raise ValueError(_("File context for %s is not defined") % target) +- +- try: +- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) +- except OSError: + try: +- (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) + except OSError: + raise ValueError(_("Could not query file context for %s") % target) + +-- +2.27.0 + diff --git a/backport-python-Split-semanage-import-into-two-transactions.patch b/backport-python-Split-semanage-import-into-two-transactions.patch new file mode 100644 index 0000000..e635040 --- /dev/null +++ b/backport-python-Split-semanage-import-into-two-transactions.patch 
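Review bot: The two query paths in the new code duplicate the same try/except and the same error message; choosing the query function in the branch that already distinguishes non-local from local and then doing one guarded call keeps the message in one place and reads more directly. The `rc` bound by both query calls is never tested, so a failure reported through the return code rather than through OSError would pass silently — whether the binding raises for every failure is not visible here, so either compare `rc < 0` as the exists calls do or drop the unused name. The enclosing method starts before the hunk and continues after it, so `fcontext` is consumed outside the visible lines.
```python
        (rc, exists) = semanage_fcontext_exists(self.sh, k)
        if rc < 0:
            raise ValueError(_("Could not check if file context for %s is defined") % target)
        if exists:
            query = semanage_fcontext_query
        else:
            (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
            if rc < 0:
                raise ValueError(_("Could not check if file context for %s is defined") % target)
            if not exists:
                raise ValueError(_("File context for %s is not defined") % target)
            query = semanage_fcontext_query_local
        try:
            (rc, fcontext) = query(self.sh, k)
        except OSError:
            raise ValueError(_("Could not query file context for %s") % target)
        # … unchanged: remainder of the method …
```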
@@ -0,0 +1,63 @@ +From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Mon, 30 May 2022 14:20:21 +0200 +Subject: [PATCH] python: Split "semanage import" into two transactions + +First transaction applies all deletion operations, so that there are no +collisions when applying the rest of the changes. + +Fixes: + # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024 + # semanage export | semanage import + ValueError: Port tcp/3024 already defined + +Signed-off-by: Vit Mojzis +--- + selinux-python-3.1/semanage/semanage | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/selinux-python-3.1/semanage/semanage b/selinux-python-3.1/semanage/semanage +index 8f4e44a7..1d828128 100644 +--- a/selinux-python-3.1/semanage/semanage ++++ b/selinux-python-3.1/semanage/semanage +@@ -852,10 +852,29 @@ def handleImport(args): + trans = seobject.semanageRecords(args) + trans.start() + ++ deleteCommands = [] ++ commands = [] ++ # separate commands for deletion from the rest so they can be ++ # applied in a separate transaction + for l in sys.stdin.readlines(): + if len(l.strip()) == 0: + continue ++ if "-d" in l or "-D" in l: ++ deleteCommands.append(l) ++ else: ++ commands.append(l) ++ ++ if deleteCommands: ++ importHelper(deleteCommands) ++ trans.finish() ++ trans.start() ++ ++ importHelper(commands) ++ trans.finish() + ++ ++def importHelper(commands): ++ for l in commands: + try: + commandParser = createCommandParser() + args = commandParser.parse_args(mkargv(l)) +@@ -869,8 +888,6 @@ def handleImport(args): + except KeyboardInterrupt: + sys.exit(0) + +- trans.finish() +- + + def setupImportParser(subparsers): + importParser = subparsers.add_parser('import', help=_('Import local customizations')) +-- +2.23.0 diff --git a/backport-python-audit2allow-close-file-stream-on-error.patch b/backport-python-audit2allow-close-file-stream-on-error.patch new file mode 100644 index 0000000..b0b7e0e 
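Review bot: The classification `if "-d" in l or "-D" in l:` is a substring test on the whole input line, so any command whose argument merely contains those characters — a file-context path like `/opt/my-dir(/.*)?` or a name containing `-D` — is treated as a deletion and applied in the first transaction, which can reorder commands and reintroduce the collision this change is meant to remove. Tokenising first, as importHelper already does with `mkargv`, restricts the match to real options: `argv = mkargv(l)` followed by `if "-d" in argv or "-D" in argv or "--delete" in argv or "--deleteall" in argv:`. Note also that the first `trans.finish()` commits the deletions before the remaining commands run, so a failure in the second `importHelper` call now leaves the store partially modified where the single transaction previously failed as a whole; if that is intended it deserves a comment next to the `trans.start()` that reopens the transaction. handleImport ends in the hunk, but importHelper's `except` clauses continue outside it.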
--- /dev/null +++ b/backport-python-audit2allow-close-file-stream-on-error.patch @@ -0,0 +1,48 @@ +From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 20 May 2022 14:51:07 +0200 +Subject: [PATCH] python/audit2allow: close file stream on error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + + sepolgen-ifgen-attr-helper.c: In function ‘load_policy’: + sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak] + 196 | fprintf(stderr, "Out of memory!\n"); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c b/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c +index 6f3ba962..5e6cffc1 100644 +--- a/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c ++++ b/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c +@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename) + policydb = malloc(sizeof(policydb_t)); + if (policydb == NULL) { + fprintf(stderr, "Out of memory!\n"); ++ fclose(fp); + return NULL; + } + + if (policydb_init(policydb)) { + fprintf(stderr, "Out of memory!\n"); + free(policydb); ++ fclose(fp); + return NULL; + } + +@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename) + fprintf(stderr, + "error(s) encountered while parsing configuration\n"); + free(policydb); ++ fclose(fp); + return NULL; + } + +-- +2.23.0 diff --git a/backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch b/backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch new file mode 100644 index 0000000..6b9b2ef --- /dev/null +++ b/backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch 
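Review bot: Each of the three error paths now carries its own copy of the unwind (`free(policydb)` plus the added `fclose(fp)` and `return NULL`), so the next error path added to load_policy has to repeat the sequence again; a single cleanup label at the end of the function, jumped to with `goto`, keeps the resource release in one place. On the third path policydb_init() has already succeeded, and freeing the struct without a matching policydb_destroy() presumably leaves whatever init allocated unreleased — confirm against libsepol's contract before relying on the plain `free`. load_policy begins and ends outside the hunk, so the label block below would sit after code that is not visible here.
```c
	policydb = malloc(sizeof(policydb_t));
	if (policydb == NULL) {
		fprintf(stderr, "Out of memory!\n");
		goto err_close;
	}

	if (policydb_init(policydb)) {
		fprintf(stderr, "Out of memory!\n");
		goto err_free;
	}

	/* … unchanged: lines between the two hunks … */
		fprintf(stderr,
			"error(s) encountered while parsing configuration\n");
		goto err_free;

	/* … unchanged: remainder of load_policy … */

err_free:
	free(policydb);
err_close:
	fclose(fp);
	return NULL;
```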
@@ -0,0 +1,39 @@ +From 7ff1d7f1c2a141a24a2af5db01fff07754ba18bc Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 12 Dec 2022 18:43:49 +0100 +Subject: [PATCH] sepolicy: Call os.makedirs() with exist_ok=True + +Since commit 7494bb1298b3 ("sepolicy: generate man pages in parallel") +man pages are generated in parallel and there's a race between +os.path.exists() and os.makedirs(). + +The check os.path.exists() is not necessary when os.makedirs() is called +with exist_ok=True. + +Fixes: +/usr/bin/sepolicy manpage -a -p /__w/usr/share/man/man8/ -w -r /__w/ +FileExistsError: [Errno 17] File exists: '/__w/usr/share/man/man8/' + +Signed-off-by: Petr Lautrbach +Acked-by: James Carter +--- + selinux-python-3.1/sepolicy/sepolicy/manpage.py | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/selinux-python-3.1/sepolicy/sepolicy/manpage.py b/selinux-python-3.1/sepolicy/sepolicy/manpage.py +index edeb3b77..1bff8f9a 100755 +--- a/selinux-python-3.1/sepolicy/sepolicy/manpage.py ++++ b/selinux-python-3.1/sepolicy/sepolicy/manpage.py +@@ -376,8 +376,7 @@ class ManPage: + + self.fcdict = sepolicy.get_fcdict(self.fcpath) + +- if not os.path.exists(path): +- os.makedirs(path) ++ os.makedirs(path, exist_ok=True) + + self.path = path + +-- +2.27.0 + diff --git a/policycoreutils.spec b/policycoreutils.spec index 3183f81..a0581dd 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -3,7 +3,7 @@ Name: policycoreutils Version: 3.1 -Release: 8 +Release: 9 Summary: Policy core utilities of selinux License: GPLv2 URL: https://github.com/SELinuxProject 
@@ -23,6 +23,12 @@ Patch0: fix-fixfiles-N-date-function.patch Patch1: fix-fixfiles-N-date-function-two.patch Patch2: add-ExecStartPost-option-to-restorecond-service.patch +Patch6001: backport-python-Split-semanage-import-into-two-transactions.patch +Patch6002: backport-python-audit2allow-close-file-stream-on-error.patch +Patch6003: backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch +Patch6004: backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch +Patch6005: backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch + BuildRequires: gcc BuildRequires: pam-devel libsepol-static >= 3.1 libsemanage-static >= 3.1 libselinux-devel >= 3.1 libcap-devel audit-libs-devel gettext BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel @@ -267,6 +273,9 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \ %{_mandir}/* %changelog +* Tue Apr 11 2023 zhangguangzhi - 3.1-9 +- backport patches + * Tue Aug 9 2022 panxiaohe - 3.1-8 - add ExecStartPost option to restorecond.service -- Gitee