libselinux/utils: drop reachable assert in sefcontext_compile

Resolves: RHEL-69451

0002-libselinux-utils-drop-reachable-assert-in-sefcontext.patch

@@ -0,0 +1,54 @@
+From ac0fc6d50077a6f33df9859322e13a2434070d4c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 3 Dec 2024 16:54:48 +0100
+Subject: [PATCH] libselinux/utils: drop reachable assert in sefcontext_compile
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+The two asserts following qsort(3) where useful during development to
+ensure the comparison function and the corresponding pointer handling
+were correct.  They however do not take into account an empty file
+context definition file containing no definitions and thus `stab->nel`
+being NULL.  Drop the two asserts.
+
+Also return early to not depend on whether calloc(3) called with a size
+of zero returns NULL or a special value.
+
+Reported-by: Petr Lautrbach <lautrbach@redhat.com>
+Closes: https://lore.kernel.org/selinux/87jzchqck5.fsf@redhat.com/
+Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Tested-by: Petr Lautrbach <lautrbach@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libselinux/utils/sefcontext_compile.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
+index 23d312744016..e5da51ea12df 100644
+--- a/libselinux/utils/sefcontext_compile.c
++++ b/libselinux/utils/sefcontext_compile.c
+@@ -188,6 +188,9 @@ static int write_sidtab(FILE *bin_file, const struct sidtab *stab)
+ 	if (len != 1)
+ 		return -1;
+ 
++	if (stab->nel == 0)
++		return 0;
++
+ 	/* sort entries by id */
+ 	sids = calloc(stab->nel, sizeof(*sids));
+ 	if (!sids)
+@@ -203,8 +206,6 @@ static int write_sidtab(FILE *bin_file, const struct sidtab *stab)
+ 	}
+ 	assert(index == stab->nel);
+ 	qsort(sids, stab->nel, sizeof(struct security_id), security_id_compare);
+-	assert(sids[0].id == 1);
+-	assert(sids[stab->nel - 1].id == stab->nel);
+ 
+ 	/* write raw contexts sorted by id */
+ 	for (uint32_t i = 0; i < stab->nel; i++) {
+-- 
+2.47.0
+

changelog

@@ -1,3 +1,9 @@
+* Wed Dec 04 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.8-0.rc1.2
+- libselinux/utils: drop reachable assert in sefcontext_compile
+
+* Thu Nov 28 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.8-0.rc1.1
+- SELinux userspace 3.8-rc1 release
+
 * Tue Nov 12 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-5
 - setexecfilecon: Remove useless rc check (RHEL-35586)
 - matchpathcon: RESOURCE_LEAK: Variable "con" (RHEL-35584)

libselinux.spec

@@ -4,7 +4,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 3.8
-Release: 0.rc1.1%{?dist}
+Release: 0.rc1.2%{?dist}
 License: LicenseRef-Fedora-Public-Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}-rc1/libselinux-%{version}-rc1.tar.gz
@@ -20,6 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
+Patch0002: 0002-libselinux-utils-drop-reachable-assert-in-sefcontext.patch
 # Patch list end
 BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel