Merge branch 'c8' into a8

.gitignore

@@ -1,3 +1,9 @@
 SOURCES/grub-2.02.tar.xz
+SOURCES/redhatsecureboot301.cer
+SOURCES/redhatsecureboot502.cer
+SOURCES/redhatsecureboot601.cer
+SOURCES/redhatsecureboot701.cer
+SOURCES/redhatsecurebootca3.cer
+SOURCES/redhatsecurebootca5.cer
 SOURCES/theme.tar.bz2
-SOURCES/unifont-5.1.20080820.pcf.gz
+SOURCES/unifont-5.1.20080820.pcf.gz

.grub2.metadata

@@ -1,3 +1,9 @@
 3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz
+4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
+3f94c47f1d08bacc7cb29bdd912e286b8d2f6fcf SOURCES/redhatsecureboot502.cer
+039357ef97aab3e484d1119edd4528156f5859e6 SOURCES/redhatsecureboot601.cer
+e89890ca0ded2f9058651cc5fa838b78db2e6cc2 SOURCES/redhatsecureboot701.cer
+cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
+e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
 cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
 87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz

SOURCES/0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Leo Sandoval <lsandova@redhat.com>
+Date: Thu, 19 Sep 2024 10:15:13 -0600
+Subject: [PATCH] grub-mkconfig.in: turn off executable owner bit
+
+Stricker permissions are required on the grub.cfg file, resulting in
+at most 0600 owner's file permissions. This resolves conflicting
+requirement permissions on grub2-pc package's grub2.cfg file.
+
+Signed-off-by: Leo Sandoval <lsandova@redhat.com>
+---
+ util/grub-mkconfig.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
+index a1c00776d..573004915 100644
+--- a/util/grub-mkconfig.in
++++ b/util/grub-mkconfig.in
+@@ -317,7 +317,7 @@ and /etc/grub.d/* files or please file a bug report with
+     exit 1
+   else
+     # none of the children aborted with error, install the new grub.cfg
+-    oldumask=$(umask); umask 077
++    oldumask=$(umask); umask 177
+     cat ${grub_cfg}.new > ${grub_cfg}
+     umask $oldumask
+     rm -f ${grub_cfg}.new

SOURCES/20-grub.install

@@ -90,13 +90,10 @@ case "$COMMAND" in
             [[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
             BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
             BLS_TARGET="${BLS_DIR}/${BLS_ID}.conf"
-            if [[ -f "${KERNEL_DIR}/bls.conf" ]]; then
-                cp -aT "${KERNEL_DIR}/bls.conf" "${BLS_TARGET}" || exit $?
-            else
-                mkbls "${KERNEL_VERSION}" \
-                    "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
-                    >"${BLS_TARGET}"
-            fi
+            mkbls "${KERNEL_VERSION}" \
+                "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${KERNEL_DIR}")")" \
+                >"${BLS_TARGET}"
+            command -v restorecon &>/dev/null && restorecon -R "${BLS_TARGET}"
 
             LINUX="$(grep '^linux[ \t]' "${BLS_TARGET}" | sed -e 's,^linux[ \t]*,,')"
             INITRD="$(grep '^initrd[ \t]' "${BLS_TARGET}" | sed -e 's,^initrd[ \t]*,,')"

SOURCES/grub.macros

@@ -595,14 +595,15 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig	\
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub		\
 ln -sf ../default/grub						\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub		\
-touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg			\
+touch grub.cfg							\
+install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/	\
 %{nil}
 
 %define define_legacy_variant_files()				\
 %{expand:%%files %{1}}						\
 %defattr(-,root,root,-)						\
 %config(noreplace) %{_sysconfdir}/%{name}.cfg			\
-%ghost %config(noreplace) %attr(0700,root,root)/boot/%{name}/grub.cfg	\
+%ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg	\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %ifarch ppc64le						\
 %dir %{_libdir}/grub/%{2}/					\

SOURCES/grub.patches

@@ -588,3 +588,4 @@ Patch0587: 0587-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
 Patch0588: 0588-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
 Patch0589: 0589-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
 Patch0590: 0590-fs-ntfs-Make-code-more-readable.patch
+Patch0591: 0591-grub-mkconfig.in-turn-off-executable-owner-bit.patch

SPECS/grub2.spec

@@ -11,7 +11,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	156%{?dist}.alma.1
+Release:	158%{?dist}.alma.1
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@@ -312,6 +312,19 @@ if [ "$1" = 2 ]; then
 	/sbin/grub2-switch-to-blscfg --backup-suffix=.rpmsave &>/dev/null || :
 fi
 
+%posttrans common
+set -eu
+
+GRUB_HOME=/boot/%{name}
+
+if test  -f ${GRUB_HOME}/grub.cfg; then
+    # make sure GRUB_HOME/grub.cfg has 600 permissions
+    GRUB_CFG_MODE=$(stat --format="%a" ${GRUB_HOME}/grub.cfg)
+    if ! test "${GRUB_CFG_MODE}" = "600"; then
+        chmod 0600 ${GRUB_HOME}/grub.cfg
+    fi
+fi
+
 %triggerun -- grub2 < 1:1.99-4
 # grub2 < 1.99-4 removed a number of essential files in postun. To fix upgrades
 # from the affected grub2 packages, we first back up the files in triggerun and
@@ -526,9 +539,17 @@ fi
 %endif
 
 %changelog
-* Wed Apr 10 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 2.02-156.alma.1
+* Tue Nov 05 2024 Eduard Abdullin <eabdullin@almalinux.org> - 2.02-158.alma.1
 - Debrand for AlmaLinux
 
+* Thu Sep 19 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-158
+- grub-mkconfig.in: turn off executable owner bit
+- Resolves: #RHEL-58835
+
+* Wed Aug 14 2024 Leo Sandoval <lsandova@redhat.com> - 2.02-157
+- 20-grub-install: fix SELinux security type context for BLS
+- Resolves: #RHEL-4395
+
 * Tue Feb 20 2024 Nicolas Frayer <nfrayer@redhat.com> - 2.02-156
 - fs/ntfs: OOB write fix
 - (CVE-2023-4692)