import libselinux-3.5-1.el9

2023-03-28 09:12:41 +00:00 · 2023-03-28 09:12:41 +00:00 · a41726c842
commit a41726c842
parent b87293c0dc
5 changed files with 30 additions and 190 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/libselinux-3.4.tar.gz
+SOURCES/libselinux-3.5.tar.gz
--- a/.libselinux.metadata
+++ b/.libselinux.metadata
@ -1 +1 @@
-1fff75ad31eca7979740af01279d868ca8cbd249 SOURCES/libselinux-3.4.tar.gz
+9f1ca79a767b2a69e63e01b82d13cff9bc712f4a SOURCES/libselinux-3.5.tar.gz
--- a/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
+++ b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
@ -1,4 +1,4 @@
-From 04f73fee2892753b3e81923d2ac3d338acfdbc4c Mon Sep 17 00:00:00 2001
+From 1dbd23dc2566b3fe9113bf09fd9e190dfd4651b6 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Fri, 30 Jul 2021 14:14:37 +0200
 Subject: [PATCH] Use SHA-2 instead of SHA-1
@ -185,10 +185,10 @@ index c56326814b94..098c840fc59b 100644
 .BR selabel_open (3)
 must be called specifying the required
 diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
-index 04bf4f240168..222c3fa2d7c3 100644
+index 70ba063ada5d..0c803d8d4aae 100644
 --- a/libselinux/src/Makefile
 +++ b/libselinux/src/Makefile
-@@ -119,7 +119,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
+@@ -125,7 +125,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
 	-DBUILD_HOST
 SRCS= callbacks.c freecon.c label.c label_file.c \
 	label_backends_android.c regex.c label_support.c \
@ -371,7 +371,7 @@ index 54fd49a5b7b9..4003eb8dc7af 100644
 	digest->hashbuf = NULL;
 	return;
 diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index 9dd6be817832..dc222b425c95 100644
+index 6b5f6921b82b..24604776974e 100644
 --- a/libselinux/src/selinux_restorecon.c
 +++ b/libselinux/src/selinux_restorecon.c
@@ -37,7 +37,7 @@
@ -448,7 +448,7 @@ index 9dd6be817832..dc222b425c95 100644
 	return 0;
 oom:
-@@ -781,7 +781,7 @@ err:
+@@ -775,7 +775,7 @@ err:
 struct dir_hash_node {
 	char *path;
@ -457,7 +457,7 @@ index 9dd6be817832..dc222b425c95 100644
 	struct dir_hash_node *next;
 };
 /*
-@@ -1270,7 +1270,7 @@ static int selinux_restorecon_common(const char *pathname_orig,
+@@ -1281,7 +1281,7 @@ static int selinux_restorecon_common(const char *pathname_orig,
 			if (setxattr(current->path,
 			    RESTORECON_PARTIAL_MATCH_DIGEST,
 			    current->digest,
@ -468,7 +468,7 @@ index 9dd6be817832..dc222b425c95 100644
 					    current->path);
 diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
 deleted file mode 100644
-index a848467785f3..000000000000
+index 9d51e04ac331..000000000000
 --- a/libselinux/src/sha1.c
 +++ /dev/null
@@ -1,220 +0,0 @@
@ -485,7 +485,7 @@ index a848467785f3..000000000000
 -//  Modified to:
 -//    - stop symbols being exported for libselinux shared library - October 2015
 -//								       Richard Haines <richard_c_haines@btinternet.com>
-//    - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses.
+-//    - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment issues.
 -//      Fixes:
 -//        sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
 -//             CHAR64LONG16*       block = (CHAR64LONG16*) workspace;
@ -1349,5 +1349,5 @@ index c4e0f836b260..80723f714264 100644
 		}
 		default:
 -- 
-2.36.1
+2.39.0
--- a/SOURCES/0002-Revert-libselinux-restorecon-pin-file-to-avoid-TOCTO.patch
+++ b/SOURCES/0002-Revert-libselinux-restorecon-pin-file-to-avoid-TOCTO.patch
@ -1,172 +0,0 @@
 From f785c53174fd0ebad913e105382360f9d46205d8 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 31 May 2022 13:37:12 +0200
 Subject: [PATCH] Revert "libselinux: restorecon: pin file to avoid TOCTOU
 issues"
 Content-type: text/plain
 This reverts commit 7e979b56fd2cee28f647376a7233d2ac2d12ca50.
 The reverted commit broke `setfiles` when it's run from a chroot
 without /proc mounted, e.g.
    # chroot /mnt/sysimage
    chroot# setfiles -e /proc -e /sys /sys /etc/selinux/targeted/contexts/files/file_contexts /
    [strace]
    openat(AT_FDCWD, "/", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3
    newfstatat(3, "", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_EMPTY_PATH) = 0
    mmap(NULL, 2101248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1697c91000
    fgetxattr(3, "security.selinux", 0x55be8881d3f0, 255) = -1 EBADF (Bad file descriptor)
    fcntl(3, F_GETFL)                       = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)
    getxattr("/proc/self/fd/3", "security.selinux", 0x55be8881d3f0, 255) = -1 ENOENT (No such file or directory)
    [/strace]
    setfiles: Could not set context for /:  No such file or directory
 Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
 ---
 libselinux/src/selinux_restorecon.c | 43 ++++++++++++-----------------
 1 file changed, 18 insertions(+), 25 deletions(-)
 diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
 index dc222b425c95..a50005353265 100644
 --- a/libselinux/src/selinux_restorecon.c
 +++ b/libselinux/src/selinux_restorecon.c
@@ -623,13 +623,13 @@ out:
 	return rc;
 }
 -static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool first)
 +static int restorecon_sb(const char *pathname, const struct stat *sb,
 +			    struct rest_flags *flags, bool first)
 {
 	char *newcon = NULL;
 	char *curcon = NULL;
 	char *newtypecon = NULL;
 -	int fd = -1, rc;
 -	struct stat stat_buf;
 +	int rc;
 	bool updated = false;
 	const char *lookup_path = pathname;
 	float pc;
@@ -644,21 +644,13 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi
 		lookup_path += rootpathlen;
 	}
 -	fd = open(pathname, O_PATH | O_NOFOLLOW | O_EXCL);
 -	if (fd < 0)
 -		goto err;
 -
 -	rc = fstat(fd, &stat_buf);
 -	if (rc < 0)
 -		goto err;
 -
 	if (rootpath != NULL && lookup_path[0] == '\0')
 		/* this is actually the root dir of the alt root. */
 		rc = selabel_lookup_raw(fc_sehandle, &newcon, "/",
 -						    stat_buf.st_mode);
 +						    sb->st_mode);
 	else
 		rc = selabel_lookup_raw(fc_sehandle, &newcon, lookup_path,
 -						    stat_buf.st_mode);
 +						    sb->st_mode);
 	if (rc < 0) {
 		if (errno == ENOENT) {
@@ -667,10 +659,10 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi
 					    "Warning no default label for %s\n",
 					    lookup_path);
 -			goto out; /* no match, but not an error */
 +			return 0; /* no match, but not an error */
 		}
 -		goto err;
 +		return -1;
 	}
 	if (flags->progress) {
@@ -690,17 +682,19 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi
 	}
 	if (flags->add_assoc) {
 -		rc = filespec_add(stat_buf.st_ino, newcon, pathname, flags);
 +		rc = filespec_add(sb->st_ino, newcon, pathname, flags);
 		if (rc < 0) {
 			selinux_log(SELINUX_ERROR,
 				    "filespec_add error: %s\n", pathname);
 -			goto out1;
 +			freecon(newcon);
 +			return -1;
 		}
 		if (rc > 0) {
 			/* Already an association and it took precedence. */
 -			goto out;
 +			freecon(newcon);
 +			return 0;
 		}
 	}
@@ -708,7 +702,7 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi
 		selinux_log(SELINUX_INFO, "%s matched by %s\n",
 			    pathname, newcon);
 -	if (fgetfilecon_raw(fd, &curcon) < 0) {
 +	if (lgetfilecon_raw(pathname, &curcon) < 0) {
 		if (errno != ENODATA)
 			goto err;
@@ -741,7 +735,7 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi
 		}
 		if (!flags->nochange) {
 -			if (fsetfilecon(fd, newcon) < 0)
 +			if (lsetfilecon(pathname, newcon) < 0)
 				goto err;
 			updated = true;
 		}
@@ -766,8 +760,6 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi
 out:
 	rc = 0;
 out1:
 -	if (fd >= 0)
 -		close(fd);
 	freecon(curcon);
 	freecon(newcon);
 	return rc;
@@ -865,6 +857,7 @@ static void *selinux_restorecon_thread(void *arg)
 	FTSENT *ftsent;
 	int error;
 	char ent_path[PATH_MAX];
 +	struct stat ent_st;
 	bool first = false;
 	if (state->parallel)
@@ -962,11 +955,11 @@ loop_body:
 			/* fall through */
 		default:
 			strcpy(ent_path, ftsent->fts_path);
 -
 +			ent_st = *ftsent->fts_statp;
 			if (state->parallel)
 				pthread_mutex_unlock(&state->mutex);
 -			error = restorecon_sb(ent_path, &state->flags,
 +			error = restorecon_sb(ent_path, &ent_st, &state->flags,
 					      first);
 			if (state->parallel) {
@@ -1162,7 +1155,7 @@ static int selinux_restorecon_common(const char *pathname_orig,
 			goto cleanup;
 		}
 -		error = restorecon_sb(pathname, &state.flags, true);
 +		error = restorecon_sb(pathname, &sb, &state.flags, true);
 		goto cleanup;
 	}
 -- 
 2.36.1
--- a/SPECS/libselinux.spec
+++ b/SPECS/libselinux.spec
@ -1,27 +1,26 @@
 %define ruby_inc %(pkg-config --cflags ruby)
-%define libsepolver 3.4-1
+%define libsepolver 3.5-1
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 3.4
+Version: 3.5
-Release: 3%{?dist}
+Release: 1%{?dist}
 License: Public Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/libselinux-3.4.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/libselinux-3.5.tar.gz
 Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
 # $ git clone https://github.com/fedora-selinux/selinux.git
 # $ cd selinux
-# $ git format-patch -N 3.4 -- libselinux
+# $ git format-patch -N 3.5 -- libselinux
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
 Patch0002: 0002-Revert-libselinux-restorecon-pin-file-to-avoid-TOCTO.patch
 # Patch list end
 BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
-BuildRequires: python3 python3-devel
+BuildRequires: python3 python3-devel python3-pip
 BuildRequires: systemd
 Requires: libsepol%{?_isa} >= %{libsepolver} pcre2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -176,6 +175,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %files utils
 %{_sbindir}/avcstat
 %{_sbindir}/getenforce
 %{_sbindir}/getpidprevcon
 %{_sbindir}/getsebool
 %{_sbindir}/matchpathcon
 %{_sbindir}/sefcontext_compile
@ -214,6 +214,18 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{ruby_vendorarchdir}/selinux.so
 %changelog
 * Thu Feb 23 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
 - SELinux userspace 3.5 release
 * Tue Feb 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1
 - SELinux userspace 3.5-rc3 release
 * Mon Jan 16 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
 - SELinux userspace 3.5-rc2 release
 * Mon Jan  2 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
 - SELinux userspace 3.5-rc1 release
 * Mon Jul 18 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-3
 - Drop SHA-1 from selinux_restorecon.3
`@ -1 +1 @@`
	`SOURCES/libselinux-3.4.tar.gz`	`SOURCES/libselinux-3.5.tar.gz`
`@ -1 +1 @@`
	`1fff75ad31eca7979740af01279d868ca8cbd249 SOURCES/libselinux-3.4.tar.gz`	`9f1ca79a767b2a69e63e01b82d13cff9bc712f4a SOURCES/libselinux-3.5.tar.gz`