diff --git a/0002-libselinux-prioritize-local-literal-fcontext-definit.patch b/0002-libselinux-prioritize-local-literal-fcontext-definit.patch
new file mode 100644
index 0000000..0e1eb4e
--- /dev/null
+++ b/0002-libselinux-prioritize-local-literal-fcontext-definit.patch
@@ -0,0 +1,101 @@
+From 6a9958d504853efa4e36900398490afe05a1134c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Thu, 17 Apr 2025 21:08:11 +0200
+Subject: [PATCH] libselinux: prioritize local literal fcontext definitions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+For literal file context definitions respect overrides from homedirs or
+local configurations by ordering them first.
+
+Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
+Reported-by: Paul Holzinger
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2360183
+Signed-off-by: Christian Göttsche
+---
+ libselinux/src/label_file.c | 5 +++--
+ libselinux/src/label_file.h | 10 +++++++++-
+ libselinux/src/selinux_internal.h | 2 ++
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 2c7615174e5f..d1d1d01c769f 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -480,7 +480,7 @@ static int load_mmap_ctxarray(struct mmap_area *mmap_area, const char *path, str
+ return 0;
+ }
+ 
+-static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating,
++static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating, uint8_t inputno,
+ struct literal_spec *lspec, const struct context_array *ctx_array)
+ {
+ uint32_t data_u32, ctx_id;
+@@ -489,6 +489,7 @@ static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating,
+ int rc;
+ 
+ lspec->from_mmap = true;
++ lspec->inputno = inputno;
+ 
+ 
+ /*
+@@ -732,7 +733,7 @@ static int load_mmap_spec_node(struct mmap_area *mmap_area, const char *path, bo
+ node->literal_specs_alloc = lspec_num;
+ 
+ for (uint32_t i = 0; i < lspec_num; i++) {
+- rc = load_mmap_literal_spec(mmap_area, validating, &node->literal_specs[i], ctx_array);
++ rc = load_mmap_literal_spec(mmap_area, validating, inputno,
&node->literal_specs[i], ctx_array);
+ if (rc)
+ return -1;
+ }
+diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
+index 60ebbb472dda..eb7239719a85 100644
+--- a/libselinux/src/label_file.h
++++ b/libselinux/src/label_file.h
+@@ -96,6 +96,7 @@ struct literal_spec {
+ char *regex_str; /* original regular expression string for diagnostics */
+ char *literal_match; /* simplified string from regular expression */
+ uint16_t prefix_len; /* length of fixed path prefix, i.e. length of the literal match */
++ uint8_t inputno; /* Input number of source file */
+ uint8_t file_kind; /* file type */
+ bool any_matches; /* whether any pathname match */
+ bool from_mmap; /* whether this spec is from an mmap of the data */
+@@ -368,7 +369,13 @@ static inline int compare_literal_spec(const void *p1, const void *p2)
+ return ret;
+ 
+ /* Order wildcard mode (0) last */
+- return (l1->file_kind < l2->file_kind) - (l1->file_kind > l2->file_kind);
++ ret = spaceship_cmp(l1->file_kind, l2->file_kind);
++ if (ret)
++ return -ret;
++
++ /* Order by input number (higher number means added later, means higher priority) */
++ ret = spaceship_cmp(l1->inputno, l2->inputno);
++ return -ret;
+ }
+ 
+ static inline int compare_spec_node(const void *p1, const void *p2)
+@@ -746,6 +753,7 @@ static int insert_spec(const struct selabel_handle *rec, struct saved_data *data
+ .regex_str = regex,
+ .prefix_len = prefix_len,
+ .literal_match = literal_regex,
++ .inputno = inputno,
+ .file_kind = file_kind,
+ .any_matches = false,
+ .lr.ctx_raw = context,
+diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
+index 964b84189649..3fe7d4c3953a 100644
+--- a/libselinux/src/selinux_internal.h
++++ b/libselinux/src/selinux_internal.h
+@@ -150,4 +150,6 @@ static inline void fclose_errno_safe(FILE *stream)
+ # define unlikely(x) (x)
+ #endif /* __GNUC__ */
+ 
++#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
++
+ #endif /* SELINUX_INTERNAL_H_ */
+-- 
+2.49.0
+
diff --git a/0003-libselinux-Revert-part-of-previous-patch.patch b/0003-libselinux-Revert-part-of-previous-patch.patch
new file mode 100644
index 0000000..2be8aac
--- /dev/null
+++ b/0003-libselinux-Revert-part-of-previous-patch.patch
@@ -0,0 +1,38 @@
+From 3d7fb67ad45a7fa7efe24ca81ce6abceaa3a7d64 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 27 May 2025 14:17:49 +0200
+Subject: [PATCH] libselinux: Revert part of previous patch
+Content-type: text/plain
+
+These four lines should be removed. It makes sense to consider the
+wildcard mode as less specific and give priority to a rule that is not
+using a wildcard, but that is not how it was done in the past and that
+is not (from my testing) what is being done if a regex is involved. So
+for both consistency and in keeping with past practice, we should not
+use the file kind to sort here.
+
+Proposed-by: James Carter
+Signed-off-by: Petr Lautrbach
+---
+ libselinux/src/label_file.h | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
+index eb7239719a85..284028a054ce 100644
+--- a/libselinux/src/label_file.h
++++ b/libselinux/src/label_file.h
+@@ -368,11 +368,6 @@ static inline int compare_literal_spec(const void *p1, const void *p2)
+ if (ret)
+ return ret;
+ 
+- /* Order wildcard mode (0) last */
+- ret = spaceship_cmp(l1->file_kind, l2->file_kind);
+- if (ret)
+- return -ret;
+-
+ /* Order by input number (higher number means added later, means higher priority) */
+ ret = spaceship_cmp(l1->inputno, l2->inputno);
+ return -ret;
+-- 
+2.49.0
+
diff --git a/changelog b/changelog
index 6529f4f..329a682 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,6 @@
+* Tue May 27 2025 Petr Lautrbach - 3.8-2
+- Prioritize local literal fcontext definitions (rhbz#2360183)
+
 * Thu Jan 30 2025 Petr Lautrbach - 3.8-1
 - SELinux userspace 3.8 release
diff --git a/libselinux.spec b/libselinux.spec
index 01f3a27..2b8c2c4 100644
--- a/libselinux.spec
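Review bot: The new `inputno` member of struct literal_spec is a `uint8_t`, but the `inputno` it is copied from in `load_mmap_literal_spec` and in the `.inputno = inputno` initializer of `insert_spec` comes from caller parameters whose types are outside this hunk; if any of them is wider than eight bits the store truncates silently and inputs 256 apart compare equal in `compare_literal_spec`, defeating exactly the override priority this patch restores. A comment on the field, `/* Input number of source file; width must match the inputno passed by the text/mmap loaders */`, or a check at the assignment would make that contract visible. Separately, `spaceship_cmp` in selinux_internal.h is a macro that evaluates both arguments twice; the two uses here pass plain field reads, but a note beside the define, `/* a and b are evaluated twice: pass side-effect-free expressions */`, would keep later callers honest. The head of compare_literal_spec and the sort/lookup code that consumes its ordering are outside the hunk.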
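Review bot: With the file_kind tie-break deleted, two literal specs from the same input that share a literal_match but differ in file_kind (a wildcard-mode rule and a type-restricted rule for the same path) now compare equal in `compare_literal_spec`, so if this comparator feeds qsort, which is not stable, their relative order, and therefore which one a first-match lookup returns, becomes unspecified rather than the historical last-rule-wins the message appeals to. Restoring past practice deterministically would need a final tie-break on the spec's original position within its input, a sequence number recorded at insert time next to inputno, compared with `spaceship_cmp` and returned negated like the inputno comparison. The earlier comparisons in compare_literal_spec and its qsort caller are outside the hunk, so the first-match assumption is inferred from the visible priority comment.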
+++ b/libselinux.spec
@@ -4,7 +4,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 3.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LicenseRef-Fedora-Public-Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz
@@ -20,6 +20,8 @@ Url: https://github.com/SELinuxProject/selinux/wiki
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
+Patch0002: 0002-libselinux-prioritize-local-literal-fcontext-definit.patch
+Patch0003: 0003-libselinux-Revert-part-of-previous-patch.patch
 # Patch list end
 BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel