No commits in common. "c8" and "a8-beta-multiple-keys" have entirely different histories.
@ -1,93 +0,0 @@
|
||||
From 8eac75556d0f53f3ba6cd12d2545bc8dbebb11f4 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Walters <walters@verbum.org>
|
||||
Date: Tue, 4 Jun 2024 06:57:19 -0400
|
||||
Subject: [PATCH] repo: Don't try to perform labeling if SELinux is disabled
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The default for container execution is that `/sys/fs/selinux`
|
||||
is not mounted, and the libselinux library function `is_selinux_enabled`
|
||||
should be used to dynamically check if the system should attempt to perform SELinux labeling.
|
||||
|
||||
This is how it's done by rpm, ostree, and systemd for example.
|
||||
|
||||
But this code unconditionally tries to label if it finds a policy,
|
||||
which breaks in an obscure corner case
|
||||
when executed inside a container that includes policy files (e.g.
|
||||
fedora/rhel-bootc) but when we're not using overlayfs for the backend
|
||||
(with BUILDAH_BACKEND=vfs).
|
||||
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
libdnf/repo/Repo.cpp | 50 +++++++++++++++++++++++---------------------
|
||||
1 file changed, 26 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/libdnf/repo/Repo.cpp b/libdnf/repo/Repo.cpp
|
||||
index 68b82ccc..4f646f8c 100644
|
||||
--- a/libdnf/repo/Repo.cpp
|
||||
+++ b/libdnf/repo/Repo.cpp
|
||||
@@ -676,34 +676,36 @@ static int create_temporary_directory(char *name_template) {
|
||||
int old_default_context_was_retrieved= 0;
|
||||
struct selabel_handle *labeling_handle = NULL;
|
||||
|
||||
- /* A purpose of this piece of code is to deal with applications whose
|
||||
- * security policy overrides a file context for temporary files but don't
|
||||
- * know that libdnf executes GnuPG which expects a default file context. */
|
||||
- if (0 == getfscreatecon(&old_default_context)) {
|
||||
- old_default_context_was_retrieved = 1;
|
||||
- } else {
|
||||
- logger->debug(tfm::format("Failed to retrieve a default SELinux context"));
|
||||
- }
|
||||
+ if (is_selinux_enabled()) {
|
||||
+ /* A purpose of this piece of code is to deal with applications whose
|
||||
+ * security policy overrides a file context for temporary files but don't
|
||||
+ * know that libdnf executes GnuPG which expects a default file context. */
|
||||
+ if (0 == getfscreatecon(&old_default_context)) {
|
||||
+ old_default_context_was_retrieved = 1;
|
||||
+ } else {
|
||||
+ logger->debug(tfm::format("Failed to retrieve a default SELinux context"));
|
||||
+ }
|
||||
|
||||
- labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
||||
- if (NULL == labeling_handle) {
|
||||
- logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s",
|
||||
- strerror(errno)));
|
||||
- } else {
|
||||
- if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) {
|
||||
- /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
|
||||
- * that value should be really defined in default file context
|
||||
- * SELinux policy. Only log that the policy is incpomplete. */
|
||||
- logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"",
|
||||
- name_template));
|
||||
+ labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
||||
+ if (NULL == labeling_handle) {
|
||||
+ logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s",
|
||||
+ strerror(errno)));
|
||||
} else {
|
||||
- if (setfscreatecon(new_default_context)) {
|
||||
- logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"",
|
||||
- new_default_context));
|
||||
+ if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) {
|
||||
+ /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
|
||||
+ * that value should be really defined in default file context
|
||||
+ * SELinux policy. Only log that the policy is incpomplete. */
|
||||
+ logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"",
|
||||
+ name_template));
|
||||
+ } else {
|
||||
+ if (setfscreatecon(new_default_context)) {
|
||||
+ logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"",
|
||||
+ new_default_context));
|
||||
+ }
|
||||
+ freecon(new_default_context);
|
||||
}
|
||||
- freecon(new_default_context);
|
||||
+ selabel_close(labeling_handle);
|
||||
}
|
||||
- selabel_close(labeling_handle);
|
||||
}
|
||||
#endif
|
||||
|
||||
--
|
||||
2.45.2
|
||||
|
23
SOURCES/almalinux_bugtracker.patch
Normal file
@ -0,0 +1,23 @@
|
||||
diff -aruN libdnf-0.63.0/docs/hawkey/conf.py libdnf-0.63.0_alma/docs/hawkey/conf.py
|
||||
--- libdnf-0.63.0/docs/hawkey/conf.py 2021-05-18 17:07:23.000000000 +0300
|
||||
+++ libdnf-0.63.0_alma/docs/hawkey/conf.py 2021-12-30 11:03:39.179244600 +0300
|
||||
@@ -260,6 +260,6 @@
|
||||
rst_prolog = """
|
||||
.. default-domain:: py
|
||||
.. _libsolv: https://github.com/openSUSE/libsolv
|
||||
-.. _bugzilla: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=hawkey
|
||||
+.. _bugzilla: https://bugs.almalinux.org/
|
||||
|
||||
"""
|
||||
diff -aruN libdnf-0.63.0/libdnf/conf/Const.hpp libdnf-0.63.0_alma/libdnf/conf/Const.hpp
|
||||
--- libdnf-0.63.0/libdnf/conf/Const.hpp 2021-05-18 17:07:23.000000000 +0300
|
||||
+++ libdnf-0.63.0_alma/libdnf/conf/Const.hpp 2021-12-30 11:03:47.004789800 +0300
|
||||
@@ -41,7 +41,7 @@
|
||||
"installonlypkg(vm)",
|
||||
"multiversion(kernel)"};
|
||||
|
||||
-constexpr const char * BUGTRACKER="https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=dnf";
|
||||
+constexpr const char * BUGTRACKER="https://bugs.almalinux.org/";
|
||||
|
||||
}
|
||||
|
228
SOURCES/dnf-keyring-support-multiple-keys.patch
Normal file
@ -0,0 +1,228 @@
|
||||
From 5b87a29c78fe7b3fce8ac167a1a650449d25f54c Mon Sep 17 00:00:00 2001
|
||||
From: Dmitriy Popov <dpopov@cloudlinux.com>
|
||||
Date: Wed, 1 May 2024 23:16:47 +0300
|
||||
Subject: [PATCH] dnf-keyring-support-multiple-keys
|
||||
|
||||
Since it is known from the bug (and practically proven) that "rpm --import"
|
||||
is capable of supporting multiple containers in one file, unlike the internal
|
||||
implementation, due to the need to globally rewrite the structure of parameters.
|
||||
|
||||
https://github.com/rpm-software-management/rpm/pull/2242
|
||||
"This does not affect rpmkeys --import because it explicitly checks
|
||||
for multiple PGPTAG_PUBLIC_KEY packets and imports them separately"
|
||||
|
||||
The patch implies the logic of the cli rpmcliImportPubkeys
|
||||
in dnf_keyring_add_public_key, except that instead of direct import,
|
||||
it continues to expand the keyring as before, and then imports it,
|
||||
making this change atomic.
|
||||
|
||||
Signed-off-by: Dmitriy Popov <dpopov@cloudlinux.com>
|
||||
---
|
||||
libdnf/dnf-keyring.cpp | 167 +++++++++++++++++++++++------------------
|
||||
1 file changed, 96 insertions(+), 71 deletions(-)
|
||||
|
||||
diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
|
||||
index 62a6248..f4afd35 100644
|
||||
--- a/libdnf/dnf-keyring.cpp
|
||||
+++ b/libdnf/dnf-keyring.cpp
|
||||
@@ -62,13 +62,16 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
|
||||
gboolean ret = TRUE;
|
||||
int rc;
|
||||
gsize len;
|
||||
- pgpArmor armor;
|
||||
pgpDig dig = NULL;
|
||||
rpmPubkey pubkey = NULL;
|
||||
rpmPubkey *subkeys = NULL;
|
||||
int nsubkeys = 0;
|
||||
uint8_t *pkt = NULL;
|
||||
g_autofree gchar *data = NULL;
|
||||
+ char const * const pgpmark = "-----BEGIN PGP ";
|
||||
+ size_t marklen = strlen(pgpmark);
|
||||
+ int keyno = 1;
|
||||
+ char *start = NULL;
|
||||
|
||||
/* ignore symlinks and directories */
|
||||
if (!g_file_test(filename, G_FILE_TEST_IS_REGULAR))
|
||||
@@ -81,79 +84,99 @@ dnf_keyring_add_public_key(rpmKeyring keyring,
|
||||
if (!ret)
|
||||
goto out;
|
||||
|
||||
- /* rip off the ASCII armor and parse it */
|
||||
- armor = pgpParsePkts(data, &pkt, &len);
|
||||
- if (armor < 0) {
|
||||
- ret = FALSE;
|
||||
- g_set_error(error,
|
||||
- DNF_ERROR,
|
||||
- DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||
- "failed to parse PKI file %s",
|
||||
- filename);
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
- /* make sure it's something we can add to rpm */
|
||||
- if (armor != PGPARMOR_PUBKEY) {
|
||||
- ret = FALSE;
|
||||
- g_set_error(error,
|
||||
- DNF_ERROR,
|
||||
- DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||
- "PKI file %s is not a public key",
|
||||
- filename);
|
||||
- goto out;
|
||||
- }
|
||||
+ start = strstr(data, pgpmark);
|
||||
|
||||
- /* test each one */
|
||||
- pubkey = rpmPubkeyNew(pkt, len);
|
||||
- if (pubkey == NULL) {
|
||||
- ret = FALSE;
|
||||
- g_set_error(error,
|
||||
- DNF_ERROR,
|
||||
- DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||
- "failed to parse public key for %s",
|
||||
- filename);
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
- /* does the key exist in the keyring */
|
||||
- dig = rpmPubkeyDig(pubkey);
|
||||
- rc = rpmKeyringLookup(keyring, dig);
|
||||
- if (rc == RPMRC_OK) {
|
||||
- ret = TRUE;
|
||||
- g_debug("%s is already present", filename);
|
||||
- goto out;
|
||||
- }
|
||||
+ do {
|
||||
+ uint8_t *pkt = NULL;
|
||||
+ uint8_t *pkti = NULL;
|
||||
+ size_t pktlen = 0;
|
||||
+ size_t certlen;
|
||||
+
|
||||
+ /* Read pgp packet. */
|
||||
+ if (pgpParsePkts(start, &pkt, &pktlen) == PGPARMOR_PUBKEY) {
|
||||
+ pkti = pkt;
|
||||
+
|
||||
+ /* Iterate over certificates in pkt */
|
||||
+ while (pktlen > 0) {
|
||||
+ if (pgpPubKeyCertLen(pkti, pktlen, &certlen)) {
|
||||
+ g_debug("%s: key %d import failed.\n", filename, keyno);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ /* test each one */
|
||||
+ pubkey = rpmPubkeyNew(pkti, certlen);
|
||||
+ if (pubkey == NULL) {
|
||||
+ ret = FALSE;
|
||||
+ g_set_error(error,
|
||||
+ DNF_ERROR,
|
||||
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||
+ "failed to parse public key for %s",
|
||||
+ filename);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* add to in-memory keyring */
|
||||
+ rc = rpmKeyringAddKey(keyring, pubkey);
|
||||
+ if (rc == 1) {
|
||||
+ ret = TRUE;
|
||||
+ g_debug("%s is already added", filename);
|
||||
+ goto out;
|
||||
+ } else if (rc < 0) {
|
||||
+ ret = FALSE;
|
||||
+ g_set_error(error,
|
||||
+ DNF_ERROR,
|
||||
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||
+ "failed to add public key %s to rpmdb",
|
||||
+ filename);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
|
||||
+ for (int i = 0; i < nsubkeys; i++) {
|
||||
+ rpmPubkey subkey = subkeys[i];
|
||||
+ if (rpmKeyringAddKey(keyring, subkey) < 0) {
|
||||
+ ret = FALSE;
|
||||
+ g_set_error(error,
|
||||
+ DNF_ERROR,
|
||||
+ DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||
+ "failed to add subkeys for %s to rpmdb",
|
||||
+ filename);
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ pkti += certlen;
|
||||
+ pktlen -= certlen;
|
||||
+ }
|
||||
+ } else {
|
||||
+ g_debug("%s: key %d not an armored public key.\n", filename, keyno);
|
||||
+ }
|
||||
|
||||
- /* add to rpmdb automatically, without a prompt */
|
||||
- rc = rpmKeyringAddKey(keyring, pubkey);
|
||||
- if (rc == 1) {
|
||||
- ret = TRUE;
|
||||
- g_debug("%s is already added", filename);
|
||||
- goto out;
|
||||
- } else if (rc < 0) {
|
||||
- ret = FALSE;
|
||||
- g_set_error(error,
|
||||
- DNF_ERROR,
|
||||
- DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||
- "failed to add public key %s to rpmdb",
|
||||
- filename);
|
||||
- goto out;
|
||||
- }
|
||||
+ /* See if there are more keys in the buffer */
|
||||
+ if (start && start + marklen < data + len) {
|
||||
+ start = strstr(start + marklen, pgpmark);
|
||||
+ } else {
|
||||
+ start = NULL;
|
||||
+ }
|
||||
|
||||
- subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
|
||||
- for (int i = 0; i < nsubkeys; i++) {
|
||||
- rpmPubkey subkey = subkeys[i];
|
||||
- if (rpmKeyringAddKey(keyring, subkey) < 0) {
|
||||
- ret = FALSE;
|
||||
- g_set_error(error,
|
||||
- DNF_ERROR,
|
||||
- DNF_ERROR_GPG_SIGNATURE_INVALID,
|
||||
- "failed to add subkeys for %s to rpmdb",
|
||||
- filename);
|
||||
- goto out;
|
||||
+ keyno++;
|
||||
+ if (pkt != NULL)
|
||||
+ free(pkt); /* yes, free() */
|
||||
+ pkt = NULL;
|
||||
+ if (pubkey != NULL)
|
||||
+ rpmPubkeyFree(pubkey);
|
||||
+ pubkey = NULL;
|
||||
+ if (subkeys != NULL) {
|
||||
+ for (int i = 0; i < nsubkeys; i++) {
|
||||
+ if (subkeys[i] != NULL) {
|
||||
+ rpmPubkeyFree (subkeys[i]);
|
||||
+ subkeys[i] = NULL;
|
||||
+ }
|
||||
+ }
|
||||
+ free (subkeys);
|
||||
+ subkeys = NULL;
|
||||
}
|
||||
- }
|
||||
+ } while (start != NULL);
|
||||
|
||||
/* success */
|
||||
g_debug("added missing public key %s to rpmdb", filename);
|
||||
@@ -165,7 +188,9 @@ out:
|
||||
rpmPubkeyFree(pubkey);
|
||||
if (subkeys != NULL) {
|
||||
for (int i = 0; i < nsubkeys; i++) {
|
||||
- rpmPubkeyFree(subkeys[i]);
|
||||
+ if (subkeys[i] != NULL) {
|
||||
+ rpmPubkeyFree (subkeys[i]);
|
||||
+ }
|
||||
}
|
||||
free(subkeys);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
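Review bot: A key that is already in the keyring aborts the whole import: the `rc == 1` branch inside the new per-certificate loop (`ret = TRUE; g_debug("%s is already added", filename); goto out;`) leaves the `do … while (start != NULL)` loop, so further certificates in the same armor block and later `-----BEGIN PGP ` blocks are never added, which is exactly the multi-key file the patch sets out to handle. The loop also reports success for input that holds no key: the `else` branch after `pgpParsePkts(...) == PGPARMOR_PUBKEY` and the `pgpPubKeyCertLen` failure only `g_debug` and fall through to the `/* success */` line with `ret` still `TRUE`, whereas the removed code returned `DNF_ERROR_GPG_SIGNATURE_INVALID` ("PKI file %s is not a public key"), so a mistyped or corrupt gpgkey file is no longer reported to the caller and only surfaces later at signature verification (and `start` from `strstr` may be `NULL` when handed to `pgpParsePkts`, which relies on librpm tolerating that). Memory is leaked on the new paths as well: `pubkey` and `subkeys` are reassigned on every certificate of an armor block but freed only once per block, and the block-local `uint8_t *pkt = NULL;` shadows the function-scope `pkt`, so every `goto out` inside the loop loses the buffer returned by `pgpParsePkts` (assuming `out:` frees the function-scope `pkt`, which is outside the hunk); dropping the inner declaration fixes the latter. The sketch below lets an already-present key continue with the next certificate, frees per certificate, and fails the call when no certificate was added or found; `dnf_keyring_add_public_key` starts before the first hunk and `out:` continues past the last one.
```cpp
    int found = 0;   /* certificates that were added or were already present */
    /* … unchanged: start = strstr(data, pgpmark); do { pgpParsePkts(); while (pktlen > 0) { pgpPubKeyCertLen(); rpmPubkeyNew(); … */
            rc = rpmKeyringAddKey(keyring, pubkey);
            if (rc < 0) {
                /* … unchanged: ret = FALSE; g_set_error(... "failed to add public key %s to rpmdb" ...); goto out; … */
            }
            found++;
            if (rc == 1) {
                /* already in the keyring: the file may still hold more keys */
                g_debug("%s is already added", filename);
            } else {
                subkeys = rpmGetSubkeys(pubkey, &nsubkeys);
                /* … unchanged: subkey loop with goto out on failure … */
            }
            /* release per-certificate objects before the next certificate */
            rpmPubkeyFree(pubkey);
            pubkey = NULL;
            /* … unchanged: rpmPubkeyFree(subkeys[i]) loop, free(subkeys), subkeys = NULL … */
            pkti += certlen;
            pktlen -= certlen;
    /* … unchanged: rest of the do { } while (start != NULL) loop: "not an armored public key" branch, next pgpmark search, keyno++, free(pkt) … */

    if (found == 0) {
        ret = FALSE;
        g_set_error(error,
                    DNF_ERROR,
                    DNF_ERROR_GPG_SIGNATURE_INVALID,
                    "PKI file %s is not a public key",
                    filename);
        goto out;
    }
```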
@ -58,7 +58,7 @@
|
||||
|
||||
Name: libdnf
|
||||
Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version}
|
||||
Release: 20%{?dist}
|
||||
Release: 19%{?dist}.alma.2
|
||||
Summary: Library providing simplified C and Python API to libsolv
|
||||
License: LGPLv2+
|
||||
URL: https://github.com/rpm-software-management/libdnf
|
||||
@ -112,8 +112,10 @@ Patch46: 0046-Update-translations-RHEL-8.9.patch
|
||||
Patch47: 0047-filterAdvisory-installed_solvables-sort-RhBug2212838.patch
|
||||
Patch48: 0048-Avoid-reinstal-installonly-packages-marked-for-ERASE.patch
|
||||
Patch49: 0049-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
|
||||
Patch50: 0050-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch
|
||||
|
||||
# Almalinux patches
|
||||
Patch10001: almalinux_bugtracker.patch
|
||||
Patch10002: dnf-keyring-support-multiple-keys.patch
|
||||
|
||||
BuildRequires: cmake
|
||||
BuildRequires: gcc
|
||||
@ -363,20 +365,20 @@ popd
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Jun 24 2024 Petr Pisar <ppisar@redhat.com> - 0.63.0-20
|
||||
- Do not set a default SELinux creation context if SELinux appears to be
|
||||
disabled (RHEL-43231)
|
||||
* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma.2
|
||||
- Add patch to fix issue with multiple keys in dnf-keyring
|
||||
|
||||
* Wed Mar 27 2024 Eduard Abdullin <eabdullin@almalinux.org> - 0.63.0-19.alma
|
||||
- AlmaLinux changes
|
||||
|
||||
* Wed Oct 18 2023 Petr Pisar <ppisar@redhat.com> - 0.63.0-19
|
||||
- Set default SELinux labels on GnuPG directories (RHEL-6421)
|
||||
|
||||
* Fri Oct 13 2023 Jaroslav Rohel <jrohel@redhat.com> - 0.63.0-18
|
||||
- filterAdvisory: match installed_solvables sort with lower_bound (RhBug:2212838, RHEL-1244)
|
||||
- Avoid reinstalling installonly packages marked for ERASE (RhBug:2163474, RHEL-1253)
|
||||
|
||||
* Fri Sep 08 2023 Marek Blaha <mblaha@redhat.com> - 0.63.0-17
|
||||
- Update translations
|
||||
|
||||
* Wed May 31 2023 Nicola Sella <nsella@redhat.com> - 0.63-0-16
|
||||
- Support "proxy=_none_" in main config (RhBug:2155713)
|
||||
|
||||
@ -388,7 +390,6 @@ popd
|
||||
|
||||
* Wed Oct 26 2022 Nicola Sella <nsella@redhat.com> - 0.63.0-13
|
||||
- Allow change of arch during security updates with noarch (RhBug:2124483)
|
||||
|
||||
* Tue Sep 13 2022 Lukas Hrazky <lhrazky@redhat.com> - 0.63.0-12
|
||||
- Fix listing a repository without cpeid (RhBug:2066334)
|
||||
|
||||
|
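Review bot: The new side drops `Patch50: 0050-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch` together with its patch file (the pure-deletion section at the top of this compare) and the `0.63.0-20` changelog entry, while adding `Patch10001`/`Patch10002` and moving to `Release: 19%{?dist}.alma.2`, so a8-beta-multiple-keys ends up without the RHEL-43231 fix (skip SELinux labeling when SELinux is disabled) that c8 carries at 0.63.0-20. If the goal is only to add the keyring patch, the AlmaLinux patches should be rebased onto -20 with a release that sorts above it (a `20%{?dist}.alma.N` form, for example) rather than effectively reverting that fix. Which `Release:` line is old and which is new is inferred from the deleted patch file and the hunk counts, since this rendering has lost the +/- markers.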