import libselinux-2.9-6.el8

SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch

@@ -0,0 +1,39 @@
+From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 10 Feb 2021 18:05:29 +0100
+Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
+
+Describe which type of regular expression is used in file context
+definitions and which flags are in effect.
+
+Explain how local file context modifications are processed.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/man/man5/selabel_file.5 | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
+index e97bd826..baba7776 100644
+--- a/libselinux/man/man5/selabel_file.5
++++ b/libselinux/man/man5/selabel_file.5
+@@ -125,7 +125,14 @@ Where:
+ .RS
+ .I pathname
+ .RS
+-An entry that defines the pathname that may be in the form of a regular expression.
++An entry that defines the path to be labeled.
++May contain either a fully qualified path,
++or a Perl compatible regular expression (PCRE),
++describing fully qualified path(s).
++The only PCRE flag in use is PCRE2_DOTALL,
++which causes a wildcard '.' to match anything, including a new line.
++Strings representing paths are processed as bytes (as opposed to Unicode),
++meaning that non-ASCII characters are not matched by a single wildcard.
+ .RE
+ .I file_type
+ .RS
+-- 
+2.35.3
+

SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch

@@ -0,0 +1,88 @@
+From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Thu, 17 Feb 2022 14:14:15 +0100
+Subject: [PATCH] libselinux: Strip spaces before values in config
+
+Spaces before values in /etc/selinux/config should be ignored just as
+spaces after them are.
+
+E.g. "SELINUXTYPE= targeted" should be a valid value.
+
+Fixes:
+   # sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
+   # dnf install <any_package>
+   ...
+   RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
+   RPM: error: Plugin selinux: hook tsm_pre failed
+   ...
+   Error: Could not run transaction.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libselinux/src/selinux_config.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
+index b06cb63b..0892b87c 100644
+--- a/libselinux/src/selinux_config.c
++++ b/libselinux/src/selinux_config.c
+@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce)
+ 	FILE *cfg = fopen(SELINUXCONFIG, "re");
+ 	if (cfg) {
+ 		char *buf;
++		char *tag;
+ 		int len = sizeof(SELINUXTAG) - 1;
+ 		buf = malloc(selinux_page_size);
+ 		if (!buf) {
+@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce)
+ 		while (fgets_unlocked(buf, selinux_page_size, cfg)) {
+ 			if (strncmp(buf, SELINUXTAG, len))
+ 				continue;
++			tag = buf+len;
++			while (isspace(*tag))
++				tag++;
+ 			if (!strncasecmp
+-			    (buf + len, "enforcing", sizeof("enforcing") - 1)) {
++			    (tag, "enforcing", sizeof("enforcing") - 1)) {
+ 				*enforce = 1;
+ 				ret = 0;
+ 				break;
+ 			} else
+ 			    if (!strncasecmp
+-				(buf + len, "permissive",
++				(tag, "permissive",
+ 				 sizeof("permissive") - 1)) {
+ 				*enforce = 0;
+ 				ret = 0;
+ 				break;
+ 			} else
+ 			    if (!strncasecmp
+-				(buf + len, "disabled",
++				(tag, "disabled",
+ 				 sizeof("disabled") - 1)) {
+ 				*enforce = -1;
+ 				ret = 0;
+@@ -177,7 +181,10 @@ static void init_selinux_config(void)
+ 
+ 			if (!strncasecmp(buf_p, SELINUXTYPETAG,
+ 					 sizeof(SELINUXTYPETAG) - 1)) {
+-				type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
++				buf_p += sizeof(SELINUXTYPETAG) - 1;
++				while (isspace(*buf_p))
++					buf_p++;
++				type = strdup(buf_p);
+ 				if (!type)
+ 					return;
+ 				end = type + strlen(type) - 1;
+@@ -199,6 +206,8 @@ static void init_selinux_config(void)
+ 			} else if (!strncmp(buf_p, REQUIRESEUSERS,
+ 					    sizeof(REQUIRESEUSERS) - 1)) {
+ 				value = buf_p + sizeof(REQUIRESEUSERS) - 1;
++				while (isspace(*value))
++					value++;
+ 				intptr = &require_seusers;
+ 			} else {
+ 				continue;
+-- 
+2.35.3
+

SPECS/libselinux.spec

@@ -6,7 +6,7 @@
 %endif
 
 %define libsepolver 2.9-1
-%define libselinuxrelease 5
+%define libselinuxrelease 6
 
 Summary: SELinux library and simple utilities
 Name: libselinux
@@ -29,6 +29,8 @@ Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
 Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
 Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
 Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
+Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
+Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch
 
 BuildRequires: gcc
 %if 0%{?with_ruby}
@@ -276,6 +278,10 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %endif
 
 %changelog
+* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-6
+- Describe fcontext regular expressions (#1904059)
+- Strip spaces before values in config (#2012145)
+
 * Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
 - Deprecate security_compute_user(), update man pages (#1879368)