7 changed files with 1 additions and 760 deletions
--- a/SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch
+++ b/SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch
@ -1,354 +0,0 @@
 From bfee1a3131580a7b9d8a7366764b8e78d99a9f1b Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 17 Feb 2020 21:47:35 +0100
 Subject: [PATCH] libselinux: Eliminate use of security_compute_user()
 get_ordered_context_list() code used to ask the kernel to compute the complete
 set of reachable contexts using /sys/fs/selinux/user aka
 security_compute_user(). This set can be so huge so that it doesn't fit into a
 kernel page and security_compute_user() fails. Even if it doesn't fail,
 get_ordered_context_list() throws away the vast majority of the returned
 contexts because they don't match anything in
 /etc/selinux/targeted/contexts/default_contexts or
 /etc/selinux/targeted/contexts/users/
 get_ordered_context_list() is rewritten to compute set of contexts based on
 /etc/selinux/targeted/contexts/users/ and
 /etc/selinux/targeted/contexts/default_contexts files and to return only valid
 contexts, using security_check_context(), from this set.
 Fixes: https://github.com/SELinuxProject/selinux/issues/28
 Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
 ---
 libselinux/src/get_context_list.c | 212 +++++++++++++-----------------
 1 file changed, 93 insertions(+), 119 deletions(-)
 diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
 index 689e4658..26d7b3b9 100644
 --- a/libselinux/src/get_context_list.c
 +++ b/libselinux/src/get_context_list.c
@@ -2,6 +2,7 @@
 #include <errno.h>
 #include <stdio.h>
 #include <stdio_ext.h>
 +#include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
@@ -114,64 +115,41 @@ int get_default_context(const char *user,
 	return 0;
 }
 -static int find_partialcon(char ** list,
 -			   unsigned int nreach, char *part)
 +static int is_in_reachable(char **reachable, const char *usercon_str)
 {
 -	const char *conrole, *contype;
 -	char *partrole, *parttype, *ptr;
 -	context_t con;
 -	unsigned int i;
 +	if (!reachable)
 +		return 0;
 -	partrole = part;
 -	ptr = part;
 -	while (*ptr && !isspace(*ptr) && *ptr != ':')
 -		ptr++;
 -	if (*ptr != ':')
 -		return -1;
 -	*ptr++ = 0;
 -	parttype = ptr;
 -	while (*ptr && !isspace(*ptr) && *ptr != ':')
 -		ptr++;
 -	*ptr = 0;
 -
 -	for (i = 0; i < nreach; i++) {
 -		con = context_new(list[i]);
 -		if (!con)
 -			return -1;
 -		conrole = context_role_get(con);
 -		contype = context_type_get(con);
 -		if (!conrole || !contype) {
 -			context_free(con);
 -			return -1;
 -		}
 -		if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
 -			context_free(con);
 -			return i;
 +	for (; *reachable != NULL; reachable++) {
 +		if (strcmp(*reachable, usercon_str) == 0) {
 +			return 1;
 		}
 -		context_free(con);
 	}
 -
 -	return -1;
 +	return 0;
 }
 -static int get_context_order(FILE * fp,
 +static int get_context_user(FILE * fp,
 			     char * fromcon,
 -			     char ** reachable,
 -			     unsigned int nreach,
 -			     unsigned int *ordering, unsigned int *nordered)
 +			     const char * user,
 +			     char ***reachable,
 +			     unsigned int *nreachable)
 {
 	char *start, *end = NULL;
 	char *line = NULL;
 -	size_t line_len = 0;
 +	size_t line_len = 0, usercon_len;
 +	size_t user_len = strlen(user);
 	ssize_t len;
 	int found = 0;
 -	const char *fromrole, *fromtype;
 +	const char *fromrole, *fromtype, *fromlevel;
 	char *linerole, *linetype;
 -	unsigned int i;
 +	char **new_reachable = NULL;
 +	char *usercon_str;
 	context_t con;
 +	context_t usercon;
 +
 	int rc;
 -	errno = -EINVAL;
 +	errno = EINVAL;
 	/* Extract the role and type of the fromcon for matching.
 	   User identity and MLS range can be variable. */
@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
 		return -1;
 	fromrole = context_role_get(con);
 	fromtype = context_type_get(con);
 +	fromlevel = context_range_get(con);
 	if (!fromrole || !fromtype) {
 		context_free(con);
 		return -1;
@@ -243,23 +222,75 @@ static int get_context_order(FILE * fp,
 		if (*end)
 			*end++ = 0;
 -		/* Check for a match in the reachable list. */
 -		rc = find_partialcon(reachable, nreach, start);
 -		if (rc < 0) {
 -			/* No match, skip it. */
 +		/* Check whether a new context is valid */
 +		if (SIZE_MAX - user_len < strlen(start) + 2) {
 +			fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
 +			errno = EINVAL;
 +			rc = -1;
 +			goto out;
 +		}
 +		usercon_len = user_len + strlen(start) + 2;
 +		usercon_str = malloc(usercon_len);
 +		if (!usercon_str) {
 +			rc = -1;
 +			goto out;
 +		}
 +
 +		/* set range from fromcon in the new usercon */
 +		snprintf(usercon_str, usercon_len, "%s:%s", user, start);
 +		usercon = context_new(usercon_str);
 +		if (!usercon) {
 +			if (errno != EINVAL) {
 +				free(usercon_str);
 +				rc = -1;
 +				goto out;
 +			}
 +			fprintf(stderr,
 +				"%s: can't create a context from %s, skipping\n",
 +				__FUNCTION__, usercon_str);
 +			free(usercon_str);
 			start = end;
 			continue;
 		}
 +		free(usercon_str);
 +		if (context_range_set(usercon, fromlevel) != 0) {
 +			context_free(usercon);
 +			rc = -1;
 +			goto out;
 +		}
 +		usercon_str = context_str(usercon);
 +		if (!usercon_str) {
 +			context_free(usercon);
 +			rc = -1;
 +			goto out;
 +		}
 -		/* If a match is found and the entry is not already ordered
 -		   (e.g. due to prior match in prior config file), then set
 -		   the ordering for it. */
 -		i = rc;
 -		if (ordering[i] == nreach)
 -			ordering[i] = (*nordered)++;
 +		/* check whether usercon is already in reachable */
 +		if (is_in_reachable(*reachable, usercon_str)) {
 +			context_free(usercon);
 +			start = end;
 +			continue;
 +		}
 +		if (security_check_context(usercon_str) == 0) {
 +			new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
 +			if (!new_reachable) {
 +				context_free(usercon);
 +				rc = -1;
 +				goto out;
 +			}
 +			*reachable = new_reachable;
 +			new_reachable[*nreachable] = strdup(usercon_str);
 +			if (new_reachable[*nreachable] == NULL) {
 +				context_free(usercon);
 +				rc = -1;
 +				goto out;
 +			}
 +			new_reachable[*nreachable + 1] = 0;
 +			*nreachable += 1;
 +		}
 +		context_free(usercon);
 		start = end;
 	}
 -
 	rc = 0;
       out:
@@ -313,21 +344,6 @@ static int get_failsafe_context(const char *user, char ** newcon)
 	return 0;
 }
 -struct context_order {
 -	char * con;
 -	unsigned int order;
 -};
 -
 -static int order_compare(const void *A, const void *B)
 -{
 -	const struct context_order *c1 = A, *c2 = B;
 -	if (c1->order < c2->order)
 -		return -1;
 -	else if (c1->order > c2->order)
 -		return 1;
 -	return strcmp(c1->con, c2->con);
 -}
 -
 int get_ordered_context_list_with_level(const char *user,
 					const char *level,
 					char * fromcon,
@@ -395,11 +411,8 @@ int get_ordered_context_list(const char *user,
 			     char *** list)
 {
 	char **reachable = NULL;
 -	unsigned int *ordering = NULL;
 -	struct context_order *co = NULL;
 -	char **ptr;
 	int rc = 0;
 -	unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
 +	unsigned nreachable = 0, freefrom = 0;
 	FILE *fp;
 	char *fname = NULL;
 	size_t fname_len;
@@ -413,23 +426,6 @@ int get_ordered_context_list(const char *user,
 		freefrom = 1;
 	}
 -	/* Determine the set of reachable contexts for the user. */
 -	rc = security_compute_user(fromcon, user, &reachable);
 -	if (rc < 0)
 -		goto failsafe;
 -	nreach = 0;
 -	for (ptr = reachable; *ptr; ptr++)
 -		nreach++;
 -	if (!nreach)
 -		goto failsafe;
 -
 -	/* Initialize ordering array. */
 -	ordering = malloc(nreach * sizeof(unsigned int));
 -	if (!ordering)
 -		goto failsafe;
 -	for (i = 0; i < nreach; i++)
 -		ordering[i] = nreach;
 -
 	/* Determine the ordering to apply from the optional per-user config
 	   and from the global config. */
 	fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@@ -440,8 +436,8 @@ int get_ordered_context_list(const char *user,
 	fp = fopen(fname, "re");
 	if (fp) {
 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
 -		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
 -				       &nordered);
 +		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
 +
 		fclose(fp);
 		if (rc < 0 && errno != ENOENT) {
 			fprintf(stderr,
@@ -454,8 +450,7 @@ int get_ordered_context_list(const char *user,
 	fp = fopen(selinux_default_context_path(), "re");
 	if (fp) {
 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
 -		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
 -				       &nordered);
 +		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
 		fclose(fp);
 		if (rc < 0 && errno != ENOENT) {
 			fprintf(stderr,
@@ -463,40 +458,19 @@ int get_ordered_context_list(const char *user,
 				__FUNCTION__, selinux_default_context_path());
 			/* Fall through */
 		}
 -		rc = 0;
 	}
 -	if (!nordered)
 +	if (!nreachable)
 		goto failsafe;
 -	/* Apply the ordering. */
 -	co = malloc(nreach * sizeof(struct context_order));
 -	if (!co)
 -		goto failsafe;
 -	for (i = 0; i < nreach; i++) {
 -		co[i].con = reachable[i];
 -		co[i].order = ordering[i];
 -	}
 -	qsort(co, nreach, sizeof(struct context_order), order_compare);
 -	for (i = 0; i < nreach; i++)
 -		reachable[i] = co[i].con;
 -	free(co);
 -
 -	/* Only report the ordered entries to the caller. */
 -	if (nordered <= nreach) {
 -		for (i = nordered; i < nreach; i++)
 -			free(reachable[i]);
 -		reachable[nordered] = NULL;
 -		rc = nordered;
 -	}
 -
       out:
 -	if (rc > 0)
 +	if (nreachable > 0) {
 		*list = reachable;
 +		rc = nreachable;
 +	}
 	else
 		freeconary(reachable);
 -	free(ordering);
 	if (freefrom)
 		freecon(fromcon);
@@ -519,7 +493,7 @@ int get_ordered_context_list(const char *user,
 		reachable = NULL;
 		goto out;
 	}
 -	rc = 1;			/* one context in the list */
 +	nreachable = 1;			/* one context in the list */
 	goto out;
 }
 -- 
 2.25.4
--- a/SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch
+++ b/SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch
@ -1,168 +0,0 @@
 From d4c22fcd5943fe35db648dee971f631d40b3eb94 Mon Sep 17 00:00:00 2001
 From: Stephen Smalley <sds@tycho.nsa.gov>
 Date: Thu, 20 Feb 2020 10:40:19 -0500
 Subject: [PATCH] libselinux: deprecate security_compute_user(), update man
 pages
 commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
 use of security_compute_user()") eliminated the use of
 security_compute_user() by get_ordered_context_list().  Deprecate
 all use of security_compute_user() by updating the headers and man
 pages and logging a warning message on any calls to it.  Remove
 the example utility that called the interface. While here, also
 fix the documentation of correct usage of the user argument to these
 interfaces.
 Fixes: https://github.com/SELinuxProject/selinux/issues/70
 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 Acked-by: Petr Lautrbach <plautrba@redhat.com>
 ---
 libselinux/include/selinux/selinux.h          |  8 +++-
 .../man/man3/get_ordered_context_list.3       | 24 +++++++++---
 libselinux/man/man3/security_compute_av.3     |  5 ++-
 libselinux/src/compute_user.c                 |  3 ++
 libselinux/utils/compute_user.c               | 38 -------------------
 5 files changed, 31 insertions(+), 47 deletions(-)
 delete mode 100644 libselinux/utils/compute_user.c
 diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
 index a34d54fc..a5ada324 100644
 --- a/libselinux/include/selinux/selinux.h
 +++ b/libselinux/include/selinux/selinux.h
@@ -246,8 +246,12 @@ extern int security_compute_member_raw(const char * scon,
 				       security_class_t tclass,
 				       char ** newcon);
 -/* Compute the set of reachable user contexts and set *con to refer to 
 -   the NULL-terminated array of contexts.  Caller must free via freeconary. */
 +/*
 + * Compute the set of reachable user contexts and set *con to refer to
 + * the NULL-terminated array of contexts.  Caller must free via freeconary.
 + * These interfaces are deprecated.  Use get_ordered_context_list() or
 + * one of its variant interfaces instead.
 + */
 extern int security_compute_user(const char * scon,
 				 const char *username,
 				 char *** con);
 diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
 index e084da40..3ed14a96 100644
 --- a/libselinux/man/man3/get_ordered_context_list.3
 +++ b/libselinux/man/man3/get_ordered_context_list.3
@@ -26,14 +26,28 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
 .BI "int get_default_type(const char *" role ", char **" type );
 .
 .SH "DESCRIPTION"
 +
 +This family of functions can be used to obtain either a prioritized list of
 +all reachable security contexts for a given SELinux user or a single default
 +(highest priority) context for a given SELinux user for use by login-like
 +programs.  These functions takes a SELinux user identity that must
 +be defined in the SELinux policy as their input, not a Linux username.
 +Most callers should typically first call
 +.BR getseuserbyname(3)
 +to look up the SELinux user identity and level for a given
 +Linux username and then invoke one of
 +.BR get_ordered_context_list_with_level ()
 +or
 +.BR get_default_context_with_level ()
 +with the returned SELinux user and level as inputs.
 +
 .BR get_ordered_context_list ()
 -invokes the 
 -.BR security_compute_user (3)
 -function to obtain the list of contexts for the specified
 +obtains the list of contexts for the specified
 +SELinux
 .I user
 -that are reachable from the specified
 +identity that are reachable from the specified
 .I fromcon
 -context.  The function then orders the resulting list based on the global
 +context based on the global
 .I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
 file and the per-user
 .I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
 diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
 index 2aade5fe..8e1f746a 100644
 --- a/libselinux/man/man3/security_compute_av.3
 +++ b/libselinux/man/man3/security_compute_av.3
@@ -97,8 +97,9 @@ instance.
 .BR security_compute_user ()
 is used to determine the set of user contexts that can be reached from a
 -source context. It is mainly used by
 -.BR get_ordered_context_list ().
 +source context. This function is deprecated; use
 +.BR get_ordered_context_list (3)
 +instead.
 .BR security_get_initial_context ()
 is used to get the context of a kernel initial security identifier specified by 
 diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
 index 401fd107..0f55de84 100644
 --- a/libselinux/src/compute_user.c
 +++ b/libselinux/src/compute_user.c
@@ -8,6 +8,7 @@
 #include "selinux_internal.h"
 #include "policy.h"
 #include <limits.h>
 +#include "callbacks.h"
 int security_compute_user_raw(const char * scon,
 			      const char *user, char *** con)
@@ -24,6 +25,8 @@ int security_compute_user_raw(const char * scon,
 		return -1;
 	}
 +	selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
 +
 	if (! scon) {
 		errno=EINVAL;
 		return -1;
 diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
 deleted file mode 100644
 index cae62b26..00000000
 --- a/libselinux/utils/compute_user.c
 +++ /dev/null
@@ -1,38 +0,0 @@
 -#include <unistd.h>
 -#include <sys/types.h>
 -#include <fcntl.h>
 -#include <stdio.h>
 -#include <stdlib.h>
 -#include <errno.h>
 -#include <string.h>
 -#include <ctype.h>
 -#include <selinux/selinux.h>
 -
 -int main(int argc, char **argv)
 -{
 -	char **buf, **ptr;
 -	int ret;
 -
 -	if (argc != 3) {
 -		fprintf(stderr, "usage:  %s context user\n", argv[0]);
 -		exit(1);
 -	}
 -
 -	ret = security_compute_user(argv[1], argv[2], &buf);
 -	if (ret < 0) {
 -		fprintf(stderr, "%s:  security_compute_user(%s,%s) failed\n",
 -			argv[0], argv[1], argv[2]);
 -		exit(2);
 -	}
 -
 -	if (!buf[0]) {
 -		printf("none\n");
 -		exit(0);
 -	}
 -
 -	for (ptr = buf; *ptr; ptr++) {
 -		printf("%s\n", *ptr);
 -	}
 -	freeconary(buf);
 -	exit(0);
 -}
 -- 
 2.25.4
--- a/SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
+++ b/SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
@ -1,39 +0,0 @@
 From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 10 Feb 2021 18:05:29 +0100
 Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
 Describe which type of regular expression is used in file context
 definitions and which flags are in effect.
 Explain how local file context modifications are processed.
 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 Acked-by: Petr Lautrbach <plautrba@redhat.com>
 ---
 libselinux/man/man5/selabel_file.5 | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
 diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
 index e97bd826..baba7776 100644
 --- a/libselinux/man/man5/selabel_file.5
 +++ b/libselinux/man/man5/selabel_file.5
@@ -125,7 +125,14 @@ Where:
 .RS
 .I pathname
 .RS
 -An entry that defines the pathname that may be in the form of a regular expression.
 +An entry that defines the path to be labeled.
 +May contain either a fully qualified path,
 +or a Perl compatible regular expression (PCRE),
 +describing fully qualified path(s).
 +The only PCRE flag in use is PCRE2_DOTALL,
 +which causes a wildcard '.' to match anything, including a new line.
 +Strings representing paths are processed as bytes (as opposed to Unicode),
 +meaning that non-ASCII characters are not matched by a single wildcard.
 .RE
 .I file_type
 .RS
 -- 
 2.35.3
--- a/SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch
+++ b/SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch
@ -1,88 +0,0 @@
 From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Thu, 17 Feb 2022 14:14:15 +0100
 Subject: [PATCH] libselinux: Strip spaces before values in config
 Spaces before values in /etc/selinux/config should be ignored just as
 spaces after them are.
 E.g. "SELINUXTYPE= targeted" should be a valid value.
 Fixes:
   # sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
   # dnf install <any_package>
   ...
   RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
   RPM: error: Plugin selinux: hook tsm_pre failed
   ...
   Error: Could not run transaction.
 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 ---
 libselinux/src/selinux_config.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
 diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
 index b06cb63b..0892b87c 100644
 --- a/libselinux/src/selinux_config.c
 +++ b/libselinux/src/selinux_config.c
@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce)
 	FILE *cfg = fopen(SELINUXCONFIG, "re");
 	if (cfg) {
 		char *buf;
 +		char *tag;
 		int len = sizeof(SELINUXTAG) - 1;
 		buf = malloc(selinux_page_size);
 		if (!buf) {
@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce)
 		while (fgets_unlocked(buf, selinux_page_size, cfg)) {
 			if (strncmp(buf, SELINUXTAG, len))
 				continue;
 +			tag = buf+len;
 +			while (isspace(*tag))
 +				tag++;
 			if (!strncasecmp
 -			    (buf + len, "enforcing", sizeof("enforcing") - 1)) {
 +			    (tag, "enforcing", sizeof("enforcing") - 1)) {
 				*enforce = 1;
 				ret = 0;
 				break;
 			} else
 			    if (!strncasecmp
 -				(buf + len, "permissive",
 +				(tag, "permissive",
 				 sizeof("permissive") - 1)) {
 				*enforce = 0;
 				ret = 0;
 				break;
 			} else
 			    if (!strncasecmp
 -				(buf + len, "disabled",
 +				(tag, "disabled",
 				 sizeof("disabled") - 1)) {
 				*enforce = -1;
 				ret = 0;
@@ -177,7 +181,10 @@ static void init_selinux_config(void)
 			if (!strncasecmp(buf_p, SELINUXTYPETAG,
 					 sizeof(SELINUXTYPETAG) - 1)) {
 -				type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
 +				buf_p += sizeof(SELINUXTYPETAG) - 1;
 +				while (isspace(*buf_p))
 +					buf_p++;
 +				type = strdup(buf_p);
 				if (!type)
 					return;
 				end = type + strlen(type) - 1;
@@ -199,6 +206,8 @@ static void init_selinux_config(void)
 			} else if (!strncmp(buf_p, REQUIRESEUSERS,
 					    sizeof(REQUIRESEUSERS) - 1)) {
 				value = buf_p + sizeof(REQUIRESEUSERS) - 1;
 +				while (isspace(*value))
 +					value++;
 				intptr = &require_seusers;
 			} else {
 				continue;
 -- 
 2.35.3
--- a/SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
+++ b/SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
@ -1,46 +0,0 @@
 From 9a04499cebedac3f585c0240e6cf68f786ae62b7 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Mon, 31 Oct 2022 17:00:43 +0100
 Subject: [PATCH] libselinux: Ignore missing directories when -i is used
 Currently "-i" only ignores a file whose parent directory exists. Start also
 ignoring paths with missing components.
 Fixes:
  # restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
  255
  restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 ---
 libselinux/src/selinux_restorecon.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
 index 5f189235..2ff73db6 100644
 --- a/libselinux/src/selinux_restorecon.c
 +++ b/libselinux/src/selinux_restorecon.c
@@ -820,6 +820,10 @@ int selinux_restorecon(const char *pathname_orig,
 			pathname = realpath(pathname_orig, NULL);
 			if (!pathname) {
 				free(basename_cpy);
 +				/* missing parent directory */
 +				if (flags.ignore_noent && errno == ENOENT) {
 +					return 0;
 +				}
 				goto realpatherr;
 			}
 		} else {
@@ -833,6 +837,9 @@ int selinux_restorecon(const char *pathname_orig,
 			free(dirname_cpy);
 			if (!pathdnamer) {
 				free(basename_cpy);
 +				if (flags.ignore_noent && errno == ENOENT) {
 +					return 0;
 +				}
 				goto realpatherr;
 			}
 			if (!strcmp(pathdnamer, "/"))
 -- 
 2.37.3
--- a/SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
+++ b/SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
@ -1,42 +0,0 @@
 From 599f1ec818d50ffc9690fea8c03b5fe278f30ed4 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 7 Dec 2022 09:19:29 +0100
 Subject: [PATCH] libselinux/restorecon: Fix memory leak - xattr_value
 Fix memory leak introduced by commit
 9a04499cebedac3f585c0240e6cf68f786ae62b7
 libselinux: Ignore missing directories when -i is used
 Error: RESOURCE_LEAK:
 selinux_restorecon.c:804: alloc_fn: Storage is returned from allocation function "malloc".
 selinux_restorecon.c:804: var_assign: Assigning: "xattr_value" = storage returned from "malloc(fc_digest_len)".
 selinux_restorecon.c:825: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to.
 Resolves: rhbz#2137965
 ---
 libselinux/src/selinux_restorecon.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
 index 2ff73db6..b3702764 100644
 --- a/libselinux/src/selinux_restorecon.c
 +++ b/libselinux/src/selinux_restorecon.c
@@ -822,6 +822,7 @@ int selinux_restorecon(const char *pathname_orig,
 				free(basename_cpy);
 				/* missing parent directory */
 				if (flags.ignore_noent && errno == ENOENT) {
 +					free(xattr_value);
 					return 0;
 				}
 				goto realpatherr;
@@ -838,6 +839,7 @@ int selinux_restorecon(const char *pathname_orig,
 			if (!pathdnamer) {
 				free(basename_cpy);
 				if (flags.ignore_noent && errno == ENOENT) {
 +					free(xattr_value);
 					return 0;
 				}
 				goto realpatherr;
 -- 
 2.37.3
--- a/SPECS/libselinux.spec
+++ b/SPECS/libselinux.spec
@ -6,7 +6,7 @@
 %endif
 %define libsepolver 2.9-1
-%define libselinuxrelease 8
+%define libselinuxrelease 3
 Summary: SELinux library and simple utilities
 Name: libselinux
@ -27,12 +27,6 @@ Patch0005: 0005-libselinux-add-missing-av_permission-values.patch
 Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
 Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
 Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
 Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
 Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
 Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
 Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch
 Patch0013: 0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
 Patch0014: 0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
 BuildRequires: gcc
 %if 0%{?with_ruby}
@ -280,22 +274,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %endif
 %changelog
 * Wed Dec 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
 - restorecon: Fix memory leak - xattr_value (#2137965)
 * Tue Dec 06 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-7
 - Restorecon: Ignore missing directories when -i is used (#2137965)
 * Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-6
 - Describe fcontext regular expressions (#1904059)
 - Strip spaces before values in config (#2012145)
 * Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
 - Deprecate security_compute_user(), update man pages (#1879368)
 * Thu Sep 24 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-4
 - Eliminate use of security_compute_user() (#1879368)
 * Fri Nov 08 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
 - Fix mcstrans secolor examples in secolor.conf man page (#1770270)