libselinux-3.8-2

- Prioritize local literal fcontext definitions (rhbz#2360183)
Resolves: RHEL-88220

0002-libselinux-prioritize-local-literal-fcontext-definit.patch

@@ -0,0 +1,101 @@
+From 6a9958d504853efa4e36900398490afe05a1134c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 17 Apr 2025 21:08:11 +0200
+Subject: [PATCH] libselinux: prioritize local literal fcontext definitions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+For literal file context definitions respect overrides from homedirs or
+local configurations by ordering them first.
+
+Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
+Reported-by: Paul Holzinger
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2360183
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ libselinux/src/label_file.c       |  5 +++--
+ libselinux/src/label_file.h       | 10 +++++++++-
+ libselinux/src/selinux_internal.h |  2 ++
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 2c7615174e5f..d1d1d01c769f 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -480,7 +480,7 @@ static int load_mmap_ctxarray(struct mmap_area *mmap_area, const char *path, str
+ 	return 0;
+ }
+ 
+-static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating,
++static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating, uint8_t inputno,
+ 				  struct literal_spec *lspec, const struct context_array *ctx_array)
+ {
+ 	uint32_t data_u32, ctx_id;
+@@ -489,6 +489,7 @@ static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating,
+ 	int rc;
+ 
+ 	lspec->from_mmap = true;
++	lspec->inputno = inputno;
+ 
+ 
+ 	/*
+@@ -732,7 +733,7 @@ static int load_mmap_spec_node(struct mmap_area *mmap_area, const char *path, bo
+ 		node->literal_specs_alloc = lspec_num;
+ 
+ 		for (uint32_t i = 0; i < lspec_num; i++) {
+-			rc = load_mmap_literal_spec(mmap_area, validating, &node->literal_specs[i], ctx_array);
++			rc = load_mmap_literal_spec(mmap_area, validating, inputno, &node->literal_specs[i], ctx_array);
+ 			if (rc)
+ 				return -1;
+ 		}
+diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
+index 60ebbb472dda..eb7239719a85 100644
+--- a/libselinux/src/label_file.h
++++ b/libselinux/src/label_file.h
+@@ -96,6 +96,7 @@ struct literal_spec {
+ 	char *regex_str;			/* original regular expression string for diagnostics */
+ 	char *literal_match;			/* simplified string from regular expression */
+ 	uint16_t prefix_len;			/* length of fixed path prefix, i.e. length of the literal match */
++	uint8_t inputno;			/* Input number of source file */
+ 	uint8_t file_kind;			/* file type */
+ 	bool any_matches;			/* whether any pathname match */
+ 	bool from_mmap;				/* whether this spec is from an mmap of the data */
+@@ -368,7 +369,13 @@ static inline int compare_literal_spec(const void *p1, const void *p2)
+ 		return ret;
+ 
+ 	/* Order wildcard mode (0) last */
+-	return (l1->file_kind < l2->file_kind) - (l1->file_kind > l2->file_kind);
++	ret = spaceship_cmp(l1->file_kind, l2->file_kind);
++	if (ret)
++		return -ret;
++
++	/* Order by input number (higher number means added later, means higher priority) */
++	ret = spaceship_cmp(l1->inputno, l2->inputno);
++	return -ret;
+ }
+ 
+ static inline int compare_spec_node(const void *p1, const void *p2)
+@@ -746,6 +753,7 @@ static int insert_spec(const struct selabel_handle *rec, struct saved_data *data
+ 			.regex_str = regex,
+ 			.prefix_len = prefix_len,
+ 			.literal_match = literal_regex,
++			.inputno = inputno,
+ 			.file_kind = file_kind,
+ 			.any_matches = false,
+ 			.lr.ctx_raw = context,
+diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
+index 964b84189649..3fe7d4c3953a 100644
+--- a/libselinux/src/selinux_internal.h
++++ b/libselinux/src/selinux_internal.h
+@@ -150,4 +150,6 @@ static inline void fclose_errno_safe(FILE *stream)
+ # define unlikely(x)			(x)
+ #endif /* __GNUC__ */
+ 
++#define spaceship_cmp(a, b)		(((a) > (b)) - ((a) < (b)))
++
+ #endif /* SELINUX_INTERNAL_H_ */
+-- 
+2.49.0
+

0003-libselinux-Revert-part-of-previous-patch.patch

@@ -0,0 +1,38 @@
+From 3d7fb67ad45a7fa7efe24ca81ce6abceaa3a7d64 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Tue, 27 May 2025 14:17:49 +0200
+Subject: [PATCH] libselinux: Revert part of previous patch
+Content-type: text/plain
+
+These four lines should be removed. It makes sense to consider the
+wildcard mode as less specific and give priority to a rule that is not
+using a wildcard, but that is not how it was done in the past and that
+is not (from my testing) what is being done if a regex is involved. So
+for both consistency and in keeping with past practice, we should not
+use the file kind to sort here.
+
+Proposed-by: James Carter <jwcart2@gmail.com>
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ libselinux/src/label_file.h | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
+index eb7239719a85..284028a054ce 100644
+--- a/libselinux/src/label_file.h
++++ b/libselinux/src/label_file.h
+@@ -368,11 +368,6 @@ static inline int compare_literal_spec(const void *p1, const void *p2)
+ 	if (ret)
+ 		return ret;
+ 
+-	/* Order wildcard mode (0) last */
+-	ret = spaceship_cmp(l1->file_kind, l2->file_kind);
+-	if (ret)
+-		return -ret;
+-
+ 	/* Order by input number (higher number means added later, means higher priority) */
+ 	ret = spaceship_cmp(l1->inputno, l2->inputno);
+ 	return -ret;
+-- 
+2.49.0
+

changelog

@@ -1,3 +1,6 @@
+* Tue May 27 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-2
+- Prioritize local literal fcontext definitions (rhbz#2360183)
+
 * Thu Jan 30 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-1
 - SELinux userspace 3.8 release
 

libselinux.spec

@@ -4,7 +4,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 3.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LicenseRef-Fedora-Public-Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz
@@ -20,6 +20,8 @@ Url: https://github.com/SELinuxProject/selinux/wiki
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
+Patch0002: 0002-libselinux-prioritize-local-literal-fcontext-definit.patch
+Patch0003: 0003-libselinux-Revert-part-of-previous-patch.patch
 # Patch list end
 BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel