rpms/libselinux
6
0
Fork 0
Code Issues Pull Requests Releases Activity

libselinux-3.9-2

Browse Source 
- Ignore files removed during relabeling

Resolves: RHEL-110181
This commit is contained in:
Vit Mojzis 2025-10-22 14:37:03 +02:00
parent 75003eee07
commit c7f1cd8a0f
4 changed files with 100 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
0001-Use-SHA-2-instead-of-SHA-1.patch
View File

@ -1,8 +1,7 @@
From 4780b755bb1171f5aa4cd7545535839d451a2070 Mon Sep 17 00:00:00 2001
From 1a3fc195c6dc7fe51ef76e4484910f7b41161ccc Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1
Content-type: text/plain
The use of SHA-1 in RHEL9 is deprecated
---
@ -30,7 +29,7 @@ The use of SHA-1 in RHEL9 is deprecated
create mode 100644 libselinux/src/sha256.h
diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
index ce189a3ae2fe..ce77d32dfed1 100644
index ce189a3a..ce77d32d 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
@ -51,7 +50,7 @@ index ce189a3ae2fe..ce77d32dfed1 100644
* @num_specfiles: number of specfiles in the list.
*
diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
index 5be6542c2a91..210f65fdb709 100644
index 0ccf73a6..8dcc831b 100644
--- a/libselinux/include/selinux/restorecon.h
+++ b/libselinux/include/selinux/restorecon.h
@@ -43,8 +43,8 @@ extern int selinux_restorecon_parallel(const char *pathname,
@ -66,7 +65,7 @@ index 5be6542c2a91..210f65fdb709 100644
#define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001
/*
diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3
index 56a008f00df0..5f7c42533d0e 100644
index 56a008f0..5f7c4253 100644
--- a/libselinux/man/man3/selabel_digest.3
+++ b/libselinux/man/man3/selabel_digest.3
@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used
@ -84,7 +83,7 @@ index 56a008f00df0..5f7c42533d0e 100644
with the number of entries in
.IR num_specfiles .
diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
index 0e03e1be111e..14ab888d2e03 100644
index 0e03e1be..14ab888d 100644
--- a/libselinux/man/man3/selabel_open.3
+++ b/libselinux/man/man3/selabel_open.3
@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via
@ -97,7 +96,7 @@ index 0e03e1be111e..14ab888d2e03 100644
.BR selabel_digest (3)
.
diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
index 218aaf6d2ae5..5f6d4b386429 100644
index 218aaf6d..5f6d4b38 100644
--- a/libselinux/man/man3/selinux_restorecon.3
+++ b/libselinux/man/man3/selinux_restorecon.3
@@ -36,7 +36,7 @@ If this is a directory and the
@ -172,7 +171,7 @@ index 218aaf6d2ae5..5f6d4b386429 100644
.B SELINUX_RESTORECON_SET_SPECFILE_CTX
flag (provided
diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3
index c56326814b94..098c840fc59b 100644
index c5632681..098c840f 100644
--- a/libselinux/man/man3/selinux_restorecon_xattr.3
+++ b/libselinux/man/man3/selinux_restorecon_xattr.3
@@ -119,7 +119,7 @@ By default
@ -185,10 +184,10 @@ index c56326814b94..098c840fc59b 100644
.BR selabel_open (3)
must be called specifying the required
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 41cfbdca490c..658a4c3d80e0 100644
index 261c22d4..3eea5341 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -130,7 +130,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
@@ -132,7 +132,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
-DBUILD_HOST
SRCS= callbacks.c freecon.c label.c label_file.c \
label_backends_android.c regex.c label_support.c \
@ -198,10 +197,10 @@ index 41cfbdca490c..658a4c3d80e0 100644
endif
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 189a5ed26eb7..312bb584d6b4 100644
index b785eab6..4c87de15 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -1780,7 +1780,7 @@ static struct lookup_result *lookup_common(struct selabel_handle *rec,
@@ -1958,7 +1958,7 @@ static struct lookup_result *lookup_common(struct selabel_handle *rec,
/*
* Returns true if the digest of all partial matched contexts is the same as
@ -210,7 +209,7 @@ index 189a5ed26eb7..312bb584d6b4 100644
* digest will always be returned. The caller must free any returned digests.
*/
static bool get_digests_all_partial_matches(struct selabel_handle *rec,
@@ -1789,39 +1789,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
@@ -1967,39 +1967,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
uint8_t **xattr_digest,
size_t *digest_len)
{
@ -261,7 +260,7 @@ index 189a5ed26eb7..312bb584d6b4 100644
return true;
return false;
@@ -1840,22 +1840,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
@@ -2018,22 +2018,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
return false;
}
@ -293,7 +292,7 @@ index 189a5ed26eb7..312bb584d6b4 100644
free_lookup_result(matches);
return true;
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 743dbf9472cf..4180df92f405 100644
index 743dbf94..4180df92 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -13,7 +13,7 @@
@ -334,10 +333,10 @@ index 743dbf9472cf..4180df92f405 100644
};
diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
index 978ba828c159..daba26941ae7 100644
index 57e191c8..1b6fabca 100644
--- a/libselinux/src/label_support.c
+++ b/libselinux/src/label_support.c
@@ -120,7 +120,7 @@ int read_spec_entries(char *line_buf, size_t nread, const char **errbuf, int nu
@@ -123,7 +123,7 @@ int read_spec_entries(char *line_buf, size_t nread, const char **errbuf, int nu
/* Once all the specfiles are in the hash_buf, generate the hash. */
void digest_gen_hash(struct selabel_digest *digest)
{
@ -346,7 +345,7 @@ index 978ba828c159..daba26941ae7 100644
size_t remaining_size;
const unsigned char *ptr;
@@ -128,19 +128,19 @@ void digest_gen_hash(struct selabel_digest *digest)
@@ -131,19 +131,19 @@ void digest_gen_hash(struct selabel_digest *digest)
if (!digest)
return;
@ -371,7 +370,7 @@ index 978ba828c159..daba26941ae7 100644
digest->hashbuf = NULL;
}
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index bc6ed935a4ad..93bd7779249b 100644
index 39eabeb9..702ad8d9 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -37,7 +37,7 @@
@ -383,7 +382,7 @@ index bc6ed935a4ad..93bd7779249b 100644
#define STAR_COUNT 1024
@@ -306,7 +306,7 @@ static uint64_t exclude_non_seclabel_mounts(void)
@@ -307,7 +307,7 @@ static uint64_t exclude_non_seclabel_mounts(void)
static int add_xattr_entry(const char *directory, bool delete_nonmatch,
bool delete_all)
{
@ -392,7 +391,7 @@ index bc6ed935a4ad..93bd7779249b 100644
size_t i, digest_len = 0;
int rc;
enum digest_result digest_result;
@@ -330,15 +330,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
@@ -331,15 +331,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
}
/* Convert entry to a hex encoded string. */
@ -411,7 +410,7 @@ index bc6ed935a4ad..93bd7779249b 100644
digest_result = match ? MATCH : NOMATCH;
@@ -358,7 +358,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
@@ -359,7 +359,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
/* Now add entries to link list. */
new_entry = malloc(sizeof(struct dir_xattr));
if (!new_entry) {
@ -420,7 +419,7 @@ index bc6ed935a4ad..93bd7779249b 100644
goto oom;
}
new_entry->next = NULL;
@@ -366,15 +366,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
@@ -367,15 +367,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
new_entry->directory = strdup(directory);
if (!new_entry->directory) {
free(new_entry);
@ -439,7 +438,7 @@ index bc6ed935a4ad..93bd7779249b 100644
goto oom;
}
@@ -388,7 +388,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
@@ -389,7 +389,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
dir_xattr_last = new_entry;
}
@ -448,7 +447,7 @@ index bc6ed935a4ad..93bd7779249b 100644
return 0;
oom:
@@ -778,7 +778,7 @@ err:
@@ -805,7 +805,7 @@ err:
struct dir_hash_node {
char *path;
@ -457,7 +456,7 @@ index bc6ed935a4ad..93bd7779249b 100644
struct dir_hash_node *next;
};
/*
@@ -1284,7 +1284,7 @@ static int selinux_restorecon_common(const char *pathname_orig,
@@ -1313,7 +1313,7 @@ static int selinux_restorecon_common(const char *pathname_orig,
if (setxattr(current->path,
RESTORECON_PARTIAL_MATCH_DIGEST,
current->digest,
@ -468,7 +467,7 @@ index bc6ed935a4ad..93bd7779249b 100644
current->path);
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
deleted file mode 100644
index 452b0cc2ad5a..000000000000
index 452b0cc2..00000000
--- a/libselinux/src/sha1.c
+++ /dev/null
@@ -1,223 +0,0 @@
@ -697,7 +696,7 @@ index 452b0cc2ad5a..000000000000
-}
diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
deleted file mode 100644
index f83a6e7ed7ba..000000000000
index f83a6e7e..00000000
--- a/libselinux/src/sha1.h
+++ /dev/null
@@ -1,85 +0,0 @@
@ -788,7 +787,7 @@ index f83a6e7ed7ba..000000000000
-#endif //_sha1_h_
diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c
new file mode 100644
index 000000000000..fe2aeef07f53
index 00000000..fe2aeef0
--- /dev/null
+++ b/libselinux/src/sha256.c
@@ -0,0 +1,294 @@
@ -1088,7 +1087,7 @@ index 000000000000..fe2aeef07f53
+}
diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h
new file mode 100644
index 000000000000..406ed869cd82
index 00000000..406ed869
--- /dev/null
+++ b/libselinux/src/sha256.h
@@ -0,0 +1,89 @@
@ -1182,7 +1181,7 @@ index 000000000000..406ed869cd82
+ SHA256_HASH* Digest // [in]
+ );
diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
index 47aad21ff1fb..8bcd44a1dc73 100644
index 47aad21f..8bcd44a1 100644
--- a/libselinux/utils/selabel_digest.c
+++ b/libselinux/utils/selabel_digest.c
@@ -13,8 +13,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
@ -1269,7 +1268,7 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
return rc;
}
diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
index e2733b4195ff..98e533dc2692 100644
index e2733b41..98e533dc 100644
--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
@@ -16,8 +16,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
@ -1358,5 +1357,5 @@ index e2733b4195ff..98e533dc2692 100644
}
default:
--
2.47.0
2.51.0

63
0002-libselinux-Ignore-files-removed-during-relabeling.patch Normal file
View File

@ -0,0 +1,63 @@
From d12756eb12696962458d9c4dc727da248664286f Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 17 Oct 2025 17:08:34 +0200
Subject: [PATCH] libselinux: Ignore files removed during relabeling
In case ignore_noent is specified, ignore files removed during
relabeling (race condition between folder read, file read and label
set).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/src/selinux_restorecon.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 702ad8d9..23546cb0 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -726,6 +726,9 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
pathname, newcon);
if (lgetfilecon_raw(pathname, &curcon) < 0) {
+ /* Ignore files removed during relabeling if ignore_noent is set */
+ if (flags->ignore_noent && errno == ENOENT)
+ goto out;
if (errno != ENODATA)
goto err;
@@ -765,8 +768,14 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
}
if (!flags->nochange) {
- if (lsetfilecon(pathname, newcon) < 0)
- goto err;
+ if (lsetfilecon(pathname, newcon) < 0) {
+ /* Ignore files removed during relabeling if ignore_noent is set */
+ if (flags->ignore_noent && errno == ENOENT)
+ goto out;
+ else
+ goto err;
+ }
+
updated = true;
}
@@ -932,9 +941,10 @@ loop_body:
case FTS_NS:
error = errno;
errno = ftsent->fts_errno;
- selinux_log(SELINUX_ERROR,
- "Could not stat %s: %m.\n",
- ftsent->fts_path);
+ if (!state->flags.ignore_noent || errno != ENOENT)
+ selinux_log(SELINUX_ERROR,
+ "Could not stat %s: %m.\n",
+ ftsent->fts_path);
errno = error;
fts_set(fts, ftsent, FTS_SKIP);
continue;
--
2.51.0

3
changelog
View File

@ -1,3 +1,6 @@
* Wed Oct 22 2025 Vit Mojzis <vmojzis@redhat.com> - 3.9-2
- Ignore files removed during relabeling (RHEL-110181)
* Tue Jul 22 2025 Vit Mojzis <vmojzis@redhat.com> - 3.9-1
- SELinux userspace 3.9 release

3
libselinux.spec
View File

@ -4,7 +4,7 @@
Summary: SELinux library and simple utilities
Name: libselinux
Version: 3.9
Release: 1%{?dist}
Release: 2%{?dist}
License: LicenseRef-Fedora-Public-Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz
@ -20,6 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start
Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
Patch0002: 0002-libselinux-Ignore-files-removed-during-relabeling.patch
# Patch list end
BuildRequires: gcc make
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel