Compare commits

..

No commits in common. "c8" and "imports/c8-beta/libselinux-2.9-3.el8" have entirely different histories.

7 changed files with 1 additions and 760 deletions

View File

@ -1,354 +0,0 @@
From bfee1a3131580a7b9d8a7366764b8e78d99a9f1b Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 17 Feb 2020 21:47:35 +0100
Subject: [PATCH] libselinux: Eliminate use of security_compute_user()
get_ordered_context_list() code used to ask the kernel to compute the complete
set of reachable contexts using /sys/fs/selinux/user aka
security_compute_user(). This set can be so huge so that it doesn't fit into a
kernel page and security_compute_user() fails. Even if it doesn't fail,
get_ordered_context_list() throws away the vast majority of the returned
contexts because they don't match anything in
/etc/selinux/targeted/contexts/default_contexts or
/etc/selinux/targeted/contexts/users/
get_ordered_context_list() is rewritten to compute set of contexts based on
/etc/selinux/targeted/contexts/users/ and
/etc/selinux/targeted/contexts/default_contexts files and to return only valid
contexts, using security_check_context(), from this set.
Fixes: https://github.com/SELinuxProject/selinux/issues/28
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/get_context_list.c | 212 +++++++++++++-----------------
1 file changed, 93 insertions(+), 119 deletions(-)
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 689e4658..26d7b3b9 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -2,6 +2,7 @@
#include <errno.h>
#include <stdio.h>
#include <stdio_ext.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
@@ -114,64 +115,41 @@ int get_default_context(const char *user,
return 0;
}
-static int find_partialcon(char ** list,
- unsigned int nreach, char *part)
+static int is_in_reachable(char **reachable, const char *usercon_str)
{
- const char *conrole, *contype;
- char *partrole, *parttype, *ptr;
- context_t con;
- unsigned int i;
+ if (!reachable)
+ return 0;
- partrole = part;
- ptr = part;
- while (*ptr && !isspace(*ptr) && *ptr != ':')
- ptr++;
- if (*ptr != ':')
- return -1;
- *ptr++ = 0;
- parttype = ptr;
- while (*ptr && !isspace(*ptr) && *ptr != ':')
- ptr++;
- *ptr = 0;
-
- for (i = 0; i < nreach; i++) {
- con = context_new(list[i]);
- if (!con)
- return -1;
- conrole = context_role_get(con);
- contype = context_type_get(con);
- if (!conrole || !contype) {
- context_free(con);
- return -1;
- }
- if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
- context_free(con);
- return i;
+ for (; *reachable != NULL; reachable++) {
+ if (strcmp(*reachable, usercon_str) == 0) {
+ return 1;
}
- context_free(con);
}
-
- return -1;
+ return 0;
}
-static int get_context_order(FILE * fp,
+static int get_context_user(FILE * fp,
char * fromcon,
- char ** reachable,
- unsigned int nreach,
- unsigned int *ordering, unsigned int *nordered)
+ const char * user,
+ char ***reachable,
+ unsigned int *nreachable)
{
char *start, *end = NULL;
char *line = NULL;
- size_t line_len = 0;
+ size_t line_len = 0, usercon_len;
+ size_t user_len = strlen(user);
ssize_t len;
int found = 0;
- const char *fromrole, *fromtype;
+ const char *fromrole, *fromtype, *fromlevel;
char *linerole, *linetype;
- unsigned int i;
+ char **new_reachable = NULL;
+ char *usercon_str;
context_t con;
+ context_t usercon;
+
int rc;
- errno = -EINVAL;
+ errno = EINVAL;
/* Extract the role and type of the fromcon for matching.
User identity and MLS range can be variable. */
@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
return -1;
fromrole = context_role_get(con);
fromtype = context_type_get(con);
+ fromlevel = context_range_get(con);
if (!fromrole || !fromtype) {
context_free(con);
return -1;
@@ -243,23 +222,75 @@ static int get_context_order(FILE * fp,
if (*end)
*end++ = 0;
- /* Check for a match in the reachable list. */
- rc = find_partialcon(reachable, nreach, start);
- if (rc < 0) {
- /* No match, skip it. */
+ /* Check whether a new context is valid */
+ if (SIZE_MAX - user_len < strlen(start) + 2) {
+ fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
+ errno = EINVAL;
+ rc = -1;
+ goto out;
+ }
+ usercon_len = user_len + strlen(start) + 2;
+ usercon_str = malloc(usercon_len);
+ if (!usercon_str) {
+ rc = -1;
+ goto out;
+ }
+
+ /* set range from fromcon in the new usercon */
+ snprintf(usercon_str, usercon_len, "%s:%s", user, start);
+ usercon = context_new(usercon_str);
+ if (!usercon) {
+ if (errno != EINVAL) {
+ free(usercon_str);
+ rc = -1;
+ goto out;
+ }
+ fprintf(stderr,
+ "%s: can't create a context from %s, skipping\n",
+ __FUNCTION__, usercon_str);
+ free(usercon_str);
start = end;
continue;
}
+ free(usercon_str);
+ if (context_range_set(usercon, fromlevel) != 0) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ usercon_str = context_str(usercon);
+ if (!usercon_str) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
- /* If a match is found and the entry is not already ordered
- (e.g. due to prior match in prior config file), then set
- the ordering for it. */
- i = rc;
- if (ordering[i] == nreach)
- ordering[i] = (*nordered)++;
+ /* check whether usercon is already in reachable */
+ if (is_in_reachable(*reachable, usercon_str)) {
+ context_free(usercon);
+ start = end;
+ continue;
+ }
+ if (security_check_context(usercon_str) == 0) {
+ new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
+ if (!new_reachable) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ *reachable = new_reachable;
+ new_reachable[*nreachable] = strdup(usercon_str);
+ if (new_reachable[*nreachable] == NULL) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ new_reachable[*nreachable + 1] = 0;
+ *nreachable += 1;
+ }
+ context_free(usercon);
start = end;
}
-
rc = 0;
out:
@@ -313,21 +344,6 @@ static int get_failsafe_context(const char *user, char ** newcon)
return 0;
}
-struct context_order {
- char * con;
- unsigned int order;
-};
-
-static int order_compare(const void *A, const void *B)
-{
- const struct context_order *c1 = A, *c2 = B;
- if (c1->order < c2->order)
- return -1;
- else if (c1->order > c2->order)
- return 1;
- return strcmp(c1->con, c2->con);
-}
-
int get_ordered_context_list_with_level(const char *user,
const char *level,
char * fromcon,
@@ -395,11 +411,8 @@ int get_ordered_context_list(const char *user,
char *** list)
{
char **reachable = NULL;
- unsigned int *ordering = NULL;
- struct context_order *co = NULL;
- char **ptr;
int rc = 0;
- unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
+ unsigned nreachable = 0, freefrom = 0;
FILE *fp;
char *fname = NULL;
size_t fname_len;
@@ -413,23 +426,6 @@ int get_ordered_context_list(const char *user,
freefrom = 1;
}
- /* Determine the set of reachable contexts for the user. */
- rc = security_compute_user(fromcon, user, &reachable);
- if (rc < 0)
- goto failsafe;
- nreach = 0;
- for (ptr = reachable; *ptr; ptr++)
- nreach++;
- if (!nreach)
- goto failsafe;
-
- /* Initialize ordering array. */
- ordering = malloc(nreach * sizeof(unsigned int));
- if (!ordering)
- goto failsafe;
- for (i = 0; i < nreach; i++)
- ordering[i] = nreach;
-
/* Determine the ordering to apply from the optional per-user config
and from the global config. */
fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@@ -440,8 +436,8 @@ int get_ordered_context_list(const char *user,
fp = fopen(fname, "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
- &nordered);
+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+
fclose(fp);
if (rc < 0 && errno != ENOENT) {
fprintf(stderr,
@@ -454,8 +450,7 @@ int get_ordered_context_list(const char *user,
fp = fopen(selinux_default_context_path(), "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
- &nordered);
+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
fclose(fp);
if (rc < 0 && errno != ENOENT) {
fprintf(stderr,
@@ -463,40 +458,19 @@ int get_ordered_context_list(const char *user,
__FUNCTION__, selinux_default_context_path());
/* Fall through */
}
- rc = 0;
}
- if (!nordered)
+ if (!nreachable)
goto failsafe;
- /* Apply the ordering. */
- co = malloc(nreach * sizeof(struct context_order));
- if (!co)
- goto failsafe;
- for (i = 0; i < nreach; i++) {
- co[i].con = reachable[i];
- co[i].order = ordering[i];
- }
- qsort(co, nreach, sizeof(struct context_order), order_compare);
- for (i = 0; i < nreach; i++)
- reachable[i] = co[i].con;
- free(co);
-
- /* Only report the ordered entries to the caller. */
- if (nordered <= nreach) {
- for (i = nordered; i < nreach; i++)
- free(reachable[i]);
- reachable[nordered] = NULL;
- rc = nordered;
- }
-
out:
- if (rc > 0)
+ if (nreachable > 0) {
*list = reachable;
+ rc = nreachable;
+ }
else
freeconary(reachable);
- free(ordering);
if (freefrom)
freecon(fromcon);
@@ -519,7 +493,7 @@ int get_ordered_context_list(const char *user,
reachable = NULL;
goto out;
}
- rc = 1; /* one context in the list */
+ nreachable = 1; /* one context in the list */
goto out;
}
--
2.25.4

View File

@ -1,168 +0,0 @@
From d4c22fcd5943fe35db648dee971f631d40b3eb94 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 20 Feb 2020 10:40:19 -0500
Subject: [PATCH] libselinux: deprecate security_compute_user(), update man
pages
commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
use of security_compute_user()") eliminated the use of
security_compute_user() by get_ordered_context_list(). Deprecate
all use of security_compute_user() by updating the headers and man
pages and logging a warning message on any calls to it. Remove
the example utility that called the interface. While here, also
fix the documentation of correct usage of the user argument to these
interfaces.
Fixes: https://github.com/SELinuxProject/selinux/issues/70
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/include/selinux/selinux.h | 8 +++-
.../man/man3/get_ordered_context_list.3 | 24 +++++++++---
libselinux/man/man3/security_compute_av.3 | 5 ++-
libselinux/src/compute_user.c | 3 ++
libselinux/utils/compute_user.c | 38 -------------------
5 files changed, 31 insertions(+), 47 deletions(-)
delete mode 100644 libselinux/utils/compute_user.c
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index a34d54fc..a5ada324 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -246,8 +246,12 @@ extern int security_compute_member_raw(const char * scon,
security_class_t tclass,
char ** newcon);
-/* Compute the set of reachable user contexts and set *con to refer to
- the NULL-terminated array of contexts. Caller must free via freeconary. */
+/*
+ * Compute the set of reachable user contexts and set *con to refer to
+ * the NULL-terminated array of contexts. Caller must free via freeconary.
+ * These interfaces are deprecated. Use get_ordered_context_list() or
+ * one of its variant interfaces instead.
+ */
extern int security_compute_user(const char * scon,
const char *username,
char *** con);
diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
index e084da40..3ed14a96 100644
--- a/libselinux/man/man3/get_ordered_context_list.3
+++ b/libselinux/man/man3/get_ordered_context_list.3
@@ -26,14 +26,28 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
.BI "int get_default_type(const char *" role ", char **" type );
.
.SH "DESCRIPTION"
+
+This family of functions can be used to obtain either a prioritized list of
+all reachable security contexts for a given SELinux user or a single default
+(highest priority) context for a given SELinux user for use by login-like
+programs. These functions takes a SELinux user identity that must
+be defined in the SELinux policy as their input, not a Linux username.
+Most callers should typically first call
+.BR getseuserbyname(3)
+to look up the SELinux user identity and level for a given
+Linux username and then invoke one of
+.BR get_ordered_context_list_with_level ()
+or
+.BR get_default_context_with_level ()
+with the returned SELinux user and level as inputs.
+
.BR get_ordered_context_list ()
-invokes the
-.BR security_compute_user (3)
-function to obtain the list of contexts for the specified
+obtains the list of contexts for the specified
+SELinux
.I user
-that are reachable from the specified
+identity that are reachable from the specified
.I fromcon
-context. The function then orders the resulting list based on the global
+context based on the global
.I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
file and the per-user
.I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index 2aade5fe..8e1f746a 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -97,8 +97,9 @@ instance.
.BR security_compute_user ()
is used to determine the set of user contexts that can be reached from a
-source context. It is mainly used by
-.BR get_ordered_context_list ().
+source context. This function is deprecated; use
+.BR get_ordered_context_list (3)
+instead.
.BR security_get_initial_context ()
is used to get the context of a kernel initial security identifier specified by
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
index 401fd107..0f55de84 100644
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@@ -8,6 +8,7 @@
#include "selinux_internal.h"
#include "policy.h"
#include <limits.h>
+#include "callbacks.h"
int security_compute_user_raw(const char * scon,
const char *user, char *** con)
@@ -24,6 +25,8 @@ int security_compute_user_raw(const char * scon,
return -1;
}
+ selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
+
if (! scon) {
errno=EINVAL;
return -1;
diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
deleted file mode 100644
index cae62b26..00000000
--- a/libselinux/utils/compute_user.c
+++ /dev/null
@@ -1,38 +0,0 @@
-#include <unistd.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <string.h>
-#include <ctype.h>
-#include <selinux/selinux.h>
-
-int main(int argc, char **argv)
-{
- char **buf, **ptr;
- int ret;
-
- if (argc != 3) {
- fprintf(stderr, "usage: %s context user\n", argv[0]);
- exit(1);
- }
-
- ret = security_compute_user(argv[1], argv[2], &buf);
- if (ret < 0) {
- fprintf(stderr, "%s: security_compute_user(%s,%s) failed\n",
- argv[0], argv[1], argv[2]);
- exit(2);
- }
-
- if (!buf[0]) {
- printf("none\n");
- exit(0);
- }
-
- for (ptr = buf; *ptr; ptr++) {
- printf("%s\n", *ptr);
- }
- freeconary(buf);
- exit(0);
-}
--
2.25.4

View File

@ -1,39 +0,0 @@
From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 10 Feb 2021 18:05:29 +0100
Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
Describe which type of regular expression is used in file context
definitions and which flags are in effect.
Explain how local file context modifications are processed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/man/man5/selabel_file.5 | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
index e97bd826..baba7776 100644
--- a/libselinux/man/man5/selabel_file.5
+++ b/libselinux/man/man5/selabel_file.5
@@ -125,7 +125,14 @@ Where:
.RS
.I pathname
.RS
-An entry that defines the pathname that may be in the form of a regular expression.
+An entry that defines the path to be labeled.
+May contain either a fully qualified path,
+or a Perl compatible regular expression (PCRE),
+describing fully qualified path(s).
+The only PCRE flag in use is PCRE2_DOTALL,
+which causes a wildcard '.' to match anything, including a new line.
+Strings representing paths are processed as bytes (as opposed to Unicode),
+meaning that non-ASCII characters are not matched by a single wildcard.
.RE
.I file_type
.RS
--
2.35.3

View File

@ -1,88 +0,0 @@
From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 17 Feb 2022 14:14:15 +0100
Subject: [PATCH] libselinux: Strip spaces before values in config
Spaces before values in /etc/selinux/config should be ignored just as
spaces after them are.
E.g. "SELINUXTYPE= targeted" should be a valid value.
Fixes:
# sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
# dnf install <any_package>
...
RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
RPM: error: Plugin selinux: hook tsm_pre failed
...
Error: Could not run transaction.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libselinux/src/selinux_config.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index b06cb63b..0892b87c 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce)
FILE *cfg = fopen(SELINUXCONFIG, "re");
if (cfg) {
char *buf;
+ char *tag;
int len = sizeof(SELINUXTAG) - 1;
buf = malloc(selinux_page_size);
if (!buf) {
@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce)
while (fgets_unlocked(buf, selinux_page_size, cfg)) {
if (strncmp(buf, SELINUXTAG, len))
continue;
+ tag = buf+len;
+ while (isspace(*tag))
+ tag++;
if (!strncasecmp
- (buf + len, "enforcing", sizeof("enforcing") - 1)) {
+ (tag, "enforcing", sizeof("enforcing") - 1)) {
*enforce = 1;
ret = 0;
break;
} else
if (!strncasecmp
- (buf + len, "permissive",
+ (tag, "permissive",
sizeof("permissive") - 1)) {
*enforce = 0;
ret = 0;
break;
} else
if (!strncasecmp
- (buf + len, "disabled",
+ (tag, "disabled",
sizeof("disabled") - 1)) {
*enforce = -1;
ret = 0;
@@ -177,7 +181,10 @@ static void init_selinux_config(void)
if (!strncasecmp(buf_p, SELINUXTYPETAG,
sizeof(SELINUXTYPETAG) - 1)) {
- type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
+ buf_p += sizeof(SELINUXTYPETAG) - 1;
+ while (isspace(*buf_p))
+ buf_p++;
+ type = strdup(buf_p);
if (!type)
return;
end = type + strlen(type) - 1;
@@ -199,6 +206,8 @@ static void init_selinux_config(void)
} else if (!strncmp(buf_p, REQUIRESEUSERS,
sizeof(REQUIRESEUSERS) - 1)) {
value = buf_p + sizeof(REQUIRESEUSERS) - 1;
+ while (isspace(*value))
+ value++;
intptr = &require_seusers;
} else {
continue;
--
2.35.3

View File

@ -1,46 +0,0 @@
From 9a04499cebedac3f585c0240e6cf68f786ae62b7 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 31 Oct 2022 17:00:43 +0100
Subject: [PATCH] libselinux: Ignore missing directories when -i is used
Currently "-i" only ignores a file whose parent directory exists. Start also
ignoring paths with missing components.
Fixes:
# restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
255
restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libselinux/src/selinux_restorecon.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 5f189235..2ff73db6 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -820,6 +820,10 @@ int selinux_restorecon(const char *pathname_orig,
pathname = realpath(pathname_orig, NULL);
if (!pathname) {
free(basename_cpy);
+ /* missing parent directory */
+ if (flags.ignore_noent && errno == ENOENT) {
+ return 0;
+ }
goto realpatherr;
}
} else {
@@ -833,6 +837,9 @@ int selinux_restorecon(const char *pathname_orig,
free(dirname_cpy);
if (!pathdnamer) {
free(basename_cpy);
+ if (flags.ignore_noent && errno == ENOENT) {
+ return 0;
+ }
goto realpatherr;
}
if (!strcmp(pathdnamer, "/"))
--
2.37.3

View File

@ -1,42 +0,0 @@
From 599f1ec818d50ffc9690fea8c03b5fe278f30ed4 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 7 Dec 2022 09:19:29 +0100
Subject: [PATCH] libselinux/restorecon: Fix memory leak - xattr_value
Fix memory leak introduced by commit
9a04499cebedac3f585c0240e6cf68f786ae62b7
libselinux: Ignore missing directories when -i is used
Error: RESOURCE_LEAK:
selinux_restorecon.c:804: alloc_fn: Storage is returned from allocation function "malloc".
selinux_restorecon.c:804: var_assign: Assigning: "xattr_value" = storage returned from "malloc(fc_digest_len)".
selinux_restorecon.c:825: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to.
Resolves: rhbz#2137965
---
libselinux/src/selinux_restorecon.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 2ff73db6..b3702764 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -822,6 +822,7 @@ int selinux_restorecon(const char *pathname_orig,
free(basename_cpy);
/* missing parent directory */
if (flags.ignore_noent && errno == ENOENT) {
+ free(xattr_value);
return 0;
}
goto realpatherr;
@@ -838,6 +839,7 @@ int selinux_restorecon(const char *pathname_orig,
if (!pathdnamer) {
free(basename_cpy);
if (flags.ignore_noent && errno == ENOENT) {
+ free(xattr_value);
return 0;
}
goto realpatherr;
--
2.37.3

View File

@ -6,7 +6,7 @@
%endif
%define libsepolver 2.9-1
%define libselinuxrelease 8
%define libselinuxrelease 3
Summary: SELinux library and simple utilities
Name: libselinux
@ -27,12 +27,6 @@ Patch0005: 0005-libselinux-add-missing-av_permission-values.patch
Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch
Patch0013: 0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
Patch0014: 0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
BuildRequires: gcc
%if 0%{?with_ruby}
@ -280,22 +274,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%endif
%changelog
* Wed Dec 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
- restorecon: Fix memory leak - xattr_value (#2137965)
* Tue Dec 06 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-7
- Restorecon: Ignore missing directories when -i is used (#2137965)
* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-6
- Describe fcontext regular expressions (#1904059)
- Strip spaces before values in config (#2012145)
* Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
- Deprecate security_compute_user(), update man pages (#1879368)
* Thu Sep 24 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-4
- Eliminate use of security_compute_user() (#1879368)
* Fri Nov 08 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
- Fix mcstrans secolor examples in secolor.conf man page (#1770270)