diff --git a/0001-Use-SHA-2-instead-of-SHA-1.patch b/0001-Use-SHA-2-instead-of-SHA-1.patch index 7ae78c2..0ee7ba4 100644 --- a/0001-Use-SHA-2-instead-of-SHA-1.patch +++ b/0001-Use-SHA-2-instead-of-SHA-1.patch @@ -1,8 +1,7 @@ -From 4780b755bb1171f5aa4cd7545535839d451a2070 Mon Sep 17 00:00:00 2001 +From 1a3fc195c6dc7fe51ef76e4484910f7b41161ccc Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 30 Jul 2021 14:14:37 +0200 Subject: [PATCH] Use SHA-2 instead of SHA-1 -Content-type: text/plain The use of SHA-1 in RHEL9 is deprecated --- @@ -30,7 +29,7 @@ The use of SHA-1 in RHEL9 is deprecated create mode 100644 libselinux/src/sha256.h diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h -index ce189a3ae2fe..ce77d32dfed1 100644 +index ce189a3a..ce77d32d 100644 --- a/libselinux/include/selinux/label.h +++ b/libselinux/include/selinux/label.h @@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con, @@ -51,7 +50,7 @@ index ce189a3ae2fe..ce77d32dfed1 100644 * @num_specfiles: number of specfiles in the list. * diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h -index 5be6542c2a91..210f65fdb709 100644 +index 0ccf73a6..8dcc831b 100644 --- a/libselinux/include/selinux/restorecon.h +++ b/libselinux/include/selinux/restorecon.h @@ -43,8 +43,8 @@ extern int selinux_restorecon_parallel(const char *pathname, @@ -66,7 +65,7 @@ index 5be6542c2a91..210f65fdb709 100644 #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001 /* diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3 -index 56a008f00df0..5f7c42533d0e 100644 +index 56a008f0..5f7c4253 100644 --- a/libselinux/man/man3/selabel_digest.3 +++ b/libselinux/man/man3/selabel_digest.3 @@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used @@ -84,7 +83,7 @@ index 56a008f00df0..5f7c42533d0e 100644 with the number of entries in .IR num_specfiles . 
diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3 -index 0e03e1be111e..14ab888d2e03 100644 +index 0e03e1be..14ab888d 100644 --- a/libselinux/man/man3/selabel_open.3 +++ b/libselinux/man/man3/selabel_open.3 @@ -69,7 +69,7 @@ is used; a custom validation function can be provided via @@ -97,7 +96,7 @@ index 0e03e1be111e..14ab888d2e03 100644 .BR selabel_digest (3) . diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3 -index 218aaf6d2ae5..5f6d4b386429 100644 +index 218aaf6d..5f6d4b38 100644 --- a/libselinux/man/man3/selinux_restorecon.3 +++ b/libselinux/man/man3/selinux_restorecon.3 @@ -36,7 +36,7 @@ If this is a directory and the @@ -172,7 +171,7 @@ index 218aaf6d2ae5..5f6d4b386429 100644 .B SELINUX_RESTORECON_SET_SPECFILE_CTX flag (provided diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3 -index c56326814b94..098c840fc59b 100644 +index c5632681..098c840f 100644 --- a/libselinux/man/man3/selinux_restorecon_xattr.3 +++ b/libselinux/man/man3/selinux_restorecon_xattr.3 @@ -119,7 +119,7 @@ By default @@ -185,10 +184,10 @@ index c56326814b94..098c840fc59b 100644 .BR selabel_open (3) must be called specifying the required diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile -index 41cfbdca490c..658a4c3d80e0 100644 +index 261c22d4..3eea5341 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile -@@ -130,7 +130,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ +@@ -132,7 +132,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ -DBUILD_HOST SRCS= callbacks.c freecon.c label.c label_file.c \ label_backends_android.c regex.c label_support.c \ @@ -198,10 +197,10 @@ index 41cfbdca490c..658a4c3d80e0 100644 endif diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c -index 189a5ed26eb7..312bb584d6b4 100644 +index b785eab6..4c87de15 100644 
--- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c -@@ -1780,7 +1780,7 @@ static struct lookup_result *lookup_common(struct selabel_handle *rec, +@@ -1958,7 +1958,7 @@ static struct lookup_result *lookup_common(struct selabel_handle *rec, /* * Returns true if the digest of all partial matched contexts is the same as @@ -210,7 +209,7 @@ index 189a5ed26eb7..312bb584d6b4 100644 * digest will always be returned. The caller must free any returned digests. */ static bool get_digests_all_partial_matches(struct selabel_handle *rec, -@@ -1789,39 +1789,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec, +@@ -1967,39 +1967,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec, uint8_t **xattr_digest, size_t *digest_len) { @@ -261,7 +260,7 @@ index 189a5ed26eb7..312bb584d6b4 100644 return true; return false; -@@ -1840,22 +1840,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key +@@ -2018,22 +2018,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key return false; } @@ -293,7 +292,7 @@ index 189a5ed26eb7..312bb584d6b4 100644 free_lookup_result(matches); return true; diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h -index 743dbf9472cf..4180df92f405 100644 +index 743dbf94..4180df92 100644 --- a/libselinux/src/label_internal.h +++ b/libselinux/src/label_internal.h @@ -13,7 +13,7 @@ @@ -334,10 +333,10 @@ index 743dbf9472cf..4180df92f405 100644 }; diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c -index 978ba828c159..daba26941ae7 100644 +index 57e191c8..1b6fabca 100644 --- a/libselinux/src/label_support.c 
+++ b/libselinux/src/label_support.c -@@ -120,7 +120,7 @@ int read_spec_entries(char *line_buf, size_t nread, const char **errbuf, int nu +@@ -123,7 +123,7 @@ int read_spec_entries(char *line_buf, size_t nread, const char **errbuf, int nu /* Once all the specfiles are in the hash_buf, generate the hash. */ void digest_gen_hash(struct selabel_digest *digest) { @@ -346,7 +345,7 @@ index 978ba828c159..daba26941ae7 100644 size_t remaining_size; const unsigned char *ptr; -@@ -128,19 +128,19 @@ void digest_gen_hash(struct selabel_digest *digest) +@@ -131,19 +131,19 @@ void digest_gen_hash(struct selabel_digest *digest) if (!digest) return; @@ -371,7 +370,7 @@ index 978ba828c159..daba26941ae7 100644 digest->hashbuf = NULL; } diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index bc6ed935a4ad..93bd7779249b 100644 +index 39eabeb9..702ad8d9 100644 --- a/libselinux/src/selinux_restorecon.c +++ b/libselinux/src/selinux_restorecon.c @@ -37,7 +37,7 @@ @@ -383,7 +382,7 @@ index bc6ed935a4ad..93bd7779249b 100644 #define STAR_COUNT 1024 -@@ -306,7 +306,7 @@ static uint64_t exclude_non_seclabel_mounts(void) +@@ -307,7 +307,7 @@ static uint64_t exclude_non_seclabel_mounts(void) static int add_xattr_entry(const char *directory, bool delete_nonmatch, bool delete_all) { @@ -392,7 +391,7 @@ index bc6ed935a4ad..93bd7779249b 100644 size_t i, digest_len = 0; int rc; enum digest_result digest_result; -@@ -330,15 +330,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, +@@ -331,15 +331,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, } /* Convert entry to a hex encoded string. */ 
@@ -411,7 +410,7 @@ index bc6ed935a4ad..93bd7779249b 100644 digest_result = match ? MATCH : NOMATCH; -@@ -358,7 +358,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, +@@ -359,7 +359,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, /* Now add entries to link list. */ new_entry = malloc(sizeof(struct dir_xattr)); if (!new_entry) { @@ -420,7 +419,7 @@ index bc6ed935a4ad..93bd7779249b 100644 goto oom; } new_entry->next = NULL; -@@ -366,15 +366,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, +@@ -367,15 +367,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, new_entry->directory = strdup(directory); if (!new_entry->directory) { free(new_entry); @@ -439,7 +438,7 @@ index bc6ed935a4ad..93bd7779249b 100644 goto oom; } -@@ -388,7 +388,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, +@@ -389,7 +389,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, dir_xattr_last = new_entry; } @@ -448,7 +447,7 @@ index bc6ed935a4ad..93bd7779249b 100644 return 0; oom: -@@ -778,7 +778,7 @@ err: +@@ -805,7 +805,7 @@ err: struct dir_hash_node { char *path; @@ -457,7 +456,7 @@ index bc6ed935a4ad..93bd7779249b 100644 struct dir_hash_node *next; }; /* -@@ -1284,7 +1284,7 @@ static int selinux_restorecon_common(const char *pathname_orig, +@@ -1313,7 +1313,7 @@ static int selinux_restorecon_common(const char *pathname_orig, if (setxattr(current->path, RESTORECON_PARTIAL_MATCH_DIGEST, current->digest, @@ -468,7 +467,7 @@ index bc6ed935a4ad..93bd7779249b 100644 current->path); diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c deleted file mode 100644 -index 452b0cc2ad5a..000000000000 +index 452b0cc2..00000000 --- a/libselinux/src/sha1.c +++ /dev/null @@ -1,223 +0,0 @@ @@ -697,7 +696,7 @@ index 452b0cc2ad5a..000000000000 -} 
diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h deleted file mode 100644 -index f83a6e7ed7ba..000000000000 +index f83a6e7e..00000000 --- a/libselinux/src/sha1.h +++ /dev/null @@ -1,85 +0,0 @@ @@ -788,7 +787,7 @@ index f83a6e7ed7ba..000000000000 -#endif //_sha1_h_ diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c new file mode 100644 -index 000000000000..fe2aeef07f53 +index 00000000..fe2aeef0 --- /dev/null +++ b/libselinux/src/sha256.c @@ -0,0 +1,294 @@ @@ -1088,7 +1087,7 @@ index 000000000000..fe2aeef07f53 +} diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h new file mode 100644 -index 000000000000..406ed869cd82 +index 00000000..406ed869 --- /dev/null +++ b/libselinux/src/sha256.h @@ -0,0 +1,89 @@ @@ -1182,7 +1181,7 @@ index 000000000000..406ed869cd82 + SHA256_HASH* Digest // [in] + ); diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c -index 47aad21ff1fb..8bcd44a1dc73 100644 +index 47aad21f..8bcd44a1 100644 --- a/libselinux/utils/selabel_digest.c +++ b/libselinux/utils/selabel_digest.c @@ -13,8 +13,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) @@ -1269,7 +1268,7 @@ index 47aad21ff1fb..8bcd44a1dc73 100644 return rc; } diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c -index e2733b4195ff..98e533dc2692 100644 +index e2733b41..98e533dc 100644 --- a/libselinux/utils/selabel_get_digests_all_partial_matches.c +++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c @@ -16,8 +16,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) @@ -1358,5 +1357,5 @@ index e2733b4195ff..98e533dc2692 100644 } default: -- -2.47.0 +2.51.0 diff --git a/0002-libselinux-Ignore-files-removed-during-relabeling.patch b/0002-libselinux-Ignore-files-removed-during-relabeling.patch new file mode 100644 index 0000000..a3928e0 --- /dev/null 
+++ b/0002-libselinux-Ignore-files-removed-during-relabeling.patch
@@ -0,0 +1,63 @@
+From d12756eb12696962458d9c4dc727da248664286f Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Fri, 17 Oct 2025 17:08:34 +0200
+Subject: [PATCH] libselinux: Ignore files removed during relabeling
+
+In case ignore_noent is specified, ignore files removed during
+relabeling (race condition between folder read, file read and label
+set).
+
+Signed-off-by: Vit Mojzis
+Acked-by: Stephen Smalley
+---
+ libselinux/src/selinux_restorecon.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 702ad8d9..23546cb0 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -726,6 +726,9 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
+ pathname, newcon);
+ 
+ if (lgetfilecon_raw(pathname, &curcon) < 0) {
++ /* Ignore files removed during relabeling if ignore_noent is set */
++ if (flags->ignore_noent && errno == ENOENT)
++ goto out;
+ if (errno != ENODATA)
+ goto err;
+ 
+@@ -765,8 +768,14 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
+ }
+ 
+ if (!flags->nochange) {
+- if (lsetfilecon(pathname, newcon) < 0)
+- goto err;
++ if (lsetfilecon(pathname, newcon) < 0) {
++ /* Ignore files removed during relabeling if ignore_noent is set */
++ if (flags->ignore_noent && errno == ENOENT)
++ goto out;
++ else
++ goto err;
++ }
++
+ updated = true;
+ }
+ 
+@@ -932,9 +941,10 @@ loop_body:
+ case FTS_NS:
+ error = errno;
+ errno = ftsent->fts_errno;
+- selinux_log(SELINUX_ERROR,
+- "Could not stat %s: %m.\n",
+- ftsent->fts_path);
++ if (!state->flags.ignore_noent || errno != ENOENT)
++ selinux_log(SELINUX_ERROR,
++ "Could not stat %s: %m.\n",
++ ftsent->fts_path);
+ errno = error;
+ fts_set(fts, ftsent, FTS_SKIP);
+ continue;
+-- 
+2.51.0
+
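Review bot: Both new `goto out` exits in restorecon_sb (after `lgetfilecon_raw` and after `lsetfilecon`) jump past the rest of the function, and the `out:` label is outside this patch, so confirm that it releases `newcon` and `curcon` exactly as the existing `err:` path does and that it yields the "not updated" return rather than an error; otherwise an ENOENT skip either leaks or is reported as a failure. The skip is completely silent, which makes a large number of entries vanishing mid-walk indistinguishable from a clean run; a verbose-only message such as `if (flags->verbose) selinux_log(SELINUX_INFO, "Skipped %s: removed during relabel\n", pathname);` before each `goto out` would keep it observable without changing default output. The same consideration applies to the FTS_NS case, where the suppressed error log now hides ENOENT entirely. Since the flag's documented meaning in libselinux/man/man3/selinux_restorecon.3 is not touched by 0002, its SELINUX_RESTORECON_IGNORE_NOENT entry should state that files which disappear during the walk are also skipped silently. The body of restorecon_sb and the fts loop both start and end outside these hunks.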
diff --git a/changelog b/changelog index ec1ab70..42aa3b0 100644 --- a/changelog +++ b/changelog @@ -1,3 +1,6 @@ +* Wed Oct 22 2025 Vit Mojzis - 3.9-2 +- Ignore files removed during relabeling (RHEL-110181) + * Tue Jul 22 2025 Vit Mojzis - 3.9-1 - SELinux userspace 3.9 release diff --git a/libselinux.spec b/libselinux.spec index f1461c6..57c8414 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -4,7 +4,7 @@ Summary: SELinux library and simple utilities Name: libselinux Version: 3.9 -Release: 1%{?dist} +Release: 2%{?dist} License: LicenseRef-Fedora-Public-Domain # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz @@ -20,6 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # Patch list start Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch +Patch0002: 0002-libselinux-Ignore-files-removed-during-relabeling.patch # Patch list end BuildRequires: gcc make BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel