rpms/libselinux
6
0
Fork 0
Code Issues Pull Requests Releases Activity

libselinux-3.8-2

Browse Source 
- Prioritize local literal fcontext definitions (rhbz#2360183)
Resolves: RHEL-88220
This commit is contained in:
Petr Lautrbach 2025-05-27 14:27:31 +02:00
parent 6231168403
commit 9677d2b7a5
4 changed files with 145 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
0002-libselinux-prioritize-local-literal-fcontext-definit.patch Normal file
View File

@ -0,0 +1,101 @@
From 6a9958d504853efa4e36900398490afe05a1134c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Thu, 17 Apr 2025 21:08:11 +0200
Subject: [PATCH] libselinux: prioritize local literal fcontext definitions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
For literal file context definitions respect overrides from homedirs or
local configurations by ordering them first.
Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
Reported-by: Paul Holzinger
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2360183
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libselinux/src/label_file.c | 5 +++--
libselinux/src/label_file.h | 10 +++++++++-
libselinux/src/selinux_internal.h | 2 ++
3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 2c7615174e5f..d1d1d01c769f 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -480,7 +480,7 @@ static int load_mmap_ctxarray(struct mmap_area *mmap_area, const char *path, str
return 0;
}
-static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating,
+static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating, uint8_t inputno,
struct literal_spec *lspec, const struct context_array *ctx_array)
{
uint32_t data_u32, ctx_id;
@@ -489,6 +489,7 @@ static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating,
int rc;
lspec->from_mmap = true;
+ lspec->inputno = inputno;
/*
@@ -732,7 +733,7 @@ static int load_mmap_spec_node(struct mmap_area *mmap_area, const char *path, bo
node->literal_specs_alloc = lspec_num;
for (uint32_t i = 0; i < lspec_num; i++) {
- rc = load_mmap_literal_spec(mmap_area, validating, &node->literal_specs[i], ctx_array);
+ rc = load_mmap_literal_spec(mmap_area, validating, inputno, &node->literal_specs[i], ctx_array);
if (rc)
return -1;
}
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index 60ebbb472dda..eb7239719a85 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -96,6 +96,7 @@ struct literal_spec {
char *regex_str; /* original regular expression string for diagnostics */
char *literal_match; /* simplified string from regular expression */
uint16_t prefix_len; /* length of fixed path prefix, i.e. length of the literal match */
+ uint8_t inputno; /* Input number of source file */
uint8_t file_kind; /* file type */
bool any_matches; /* whether any pathname match */
bool from_mmap; /* whether this spec is from an mmap of the data */
@@ -368,7 +369,13 @@ static inline int compare_literal_spec(const void *p1, const void *p2)
return ret;
/* Order wildcard mode (0) last */
- return (l1->file_kind < l2->file_kind) - (l1->file_kind > l2->file_kind);
+ ret = spaceship_cmp(l1->file_kind, l2->file_kind);
+ if (ret)
+ return -ret;
+
+ /* Order by input number (higher number means added later, means higher priority) */
+ ret = spaceship_cmp(l1->inputno, l2->inputno);
+ return -ret;
}
static inline int compare_spec_node(const void *p1, const void *p2)
@@ -746,6 +753,7 @@ static int insert_spec(const struct selabel_handle *rec, struct saved_data *data
.regex_str = regex,
.prefix_len = prefix_len,
.literal_match = literal_regex,
+ .inputno = inputno,
.file_kind = file_kind,
.any_matches = false,
.lr.ctx_raw = context,
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 964b84189649..3fe7d4c3953a 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -150,4 +150,6 @@ static inline void fclose_errno_safe(FILE *stream)
# define unlikely(x) (x)
#endif /* __GNUC__ */
+#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
+
#endif /* SELINUX_INTERNAL_H_ */
--
2.49.0

38
0003-libselinux-Revert-part-of-previous-patch.patch Normal file
View File

@ -0,0 +1,38 @@
From 3d7fb67ad45a7fa7efe24ca81ce6abceaa3a7d64 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 27 May 2025 14:17:49 +0200
Subject: [PATCH] libselinux: Revert part of previous patch
Content-type: text/plain
These four lines should be removed. It makes sense to consider the
wildcard mode as less specific and give priority to a rule that is not
using a wildcard, but that is not how it was done in the past and that
is not (from my testing) what is being done if a regex is involved. So
for both consistency and in keeping with past practice, we should not
use the file kind to sort here.
Proposed-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
libselinux/src/label_file.h | 5 -----
1 file changed, 5 deletions(-)
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index eb7239719a85..284028a054ce 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -368,11 +368,6 @@ static inline int compare_literal_spec(const void *p1, const void *p2)
if (ret)
return ret;
- /* Order wildcard mode (0) last */
- ret = spaceship_cmp(l1->file_kind, l2->file_kind);
- if (ret)
- return -ret;
-
/* Order by input number (higher number means added later, means higher priority) */
ret = spaceship_cmp(l1->inputno, l2->inputno);
return -ret;
--
2.49.0

3
changelog
View File

@ -1,3 +1,6 @@
* Tue May 27 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-2
- Prioritize local literal fcontext definitions (rhbz#2360183)
* Thu Jan 30 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-1 * Thu Jan 30 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-1
- SELinux userspace 3.8 release - SELinux userspace 3.8 release

4
libselinux.spec
View File

@ -4,7 +4,7 @@
Summary: SELinux library and simple utilities Summary: SELinux library and simple utilities
Name: libselinux Name: libselinux
Version: 3.8 Version: 3.8
Release: 1%{?dist} Release: 2%{?dist}
License: LicenseRef-Fedora-Public-Domain License: LicenseRef-Fedora-Public-Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz
@ -20,6 +20,8 @@ Url: https://github.com/SELinuxProject/selinux/wiki
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start # Patch list start
Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
Patch0002: 0002-libselinux-prioritize-local-literal-fcontext-definit.patch
Patch0003: 0003-libselinux-Revert-part-of-previous-patch.patch
# Patch list end # Patch list end
BuildRequires: gcc make BuildRequires: gcc make
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel