SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch

@@ -0,0 +1,354 @@
+From bfee1a3131580a7b9d8a7366764b8e78d99a9f1b Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 17 Feb 2020 21:47:35 +0100
+Subject: [PATCH] libselinux: Eliminate use of security_compute_user()
+
+get_ordered_context_list() code used to ask the kernel to compute the complete
+set of reachable contexts using /sys/fs/selinux/user aka
+security_compute_user(). This set can be so huge so that it doesn't fit into a
+kernel page and security_compute_user() fails. Even if it doesn't fail,
+get_ordered_context_list() throws away the vast majority of the returned
+contexts because they don't match anything in
+/etc/selinux/targeted/contexts/default_contexts or
+/etc/selinux/targeted/contexts/users/
+
+get_ordered_context_list() is rewritten to compute set of contexts based on
+/etc/selinux/targeted/contexts/users/ and
+/etc/selinux/targeted/contexts/default_contexts files and to return only valid
+contexts, using security_check_context(), from this set.
+
+Fixes: https://github.com/SELinuxProject/selinux/issues/28
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/get_context_list.c | 212 +++++++++++++-----------------
+ 1 file changed, 93 insertions(+), 119 deletions(-)
+
+diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
+index 689e4658..26d7b3b9 100644
+--- a/libselinux/src/get_context_list.c
++++ b/libselinux/src/get_context_list.c
+@@ -2,6 +2,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <stdio_ext.h>
++#include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
+@@ -114,64 +115,41 @@ int get_default_context(const char *user,
+ 	return 0;
+ }
+ 
+-static int find_partialcon(char ** list,
+-			   unsigned int nreach, char *part)
++static int is_in_reachable(char **reachable, const char *usercon_str)
+ {
+-	const char *conrole, *contype;
+-	char *partrole, *parttype, *ptr;
+-	context_t con;
+-	unsigned int i;
++	if (!reachable)
++		return 0;
+ 
+-	partrole = part;
+-	ptr = part;
+-	while (*ptr && !isspace(*ptr) && *ptr != ':')
+-		ptr++;
+-	if (*ptr != ':')
+-		return -1;
+-	*ptr++ = 0;
+-	parttype = ptr;
+-	while (*ptr && !isspace(*ptr) && *ptr != ':')
+-		ptr++;
+-	*ptr = 0;
+-
+-	for (i = 0; i < nreach; i++) {
+-		con = context_new(list[i]);
+-		if (!con)
+-			return -1;
+-		conrole = context_role_get(con);
+-		contype = context_type_get(con);
+-		if (!conrole || !contype) {
+-			context_free(con);
+-			return -1;
+-		}
+-		if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
+-			context_free(con);
+-			return i;
++	for (; *reachable != NULL; reachable++) {
++		if (strcmp(*reachable, usercon_str) == 0) {
++			return 1;
+ 		}
+-		context_free(con);
+ 	}
+-
+-	return -1;
++	return 0;
+ }
+ 
+-static int get_context_order(FILE * fp,
++static int get_context_user(FILE * fp,
+ 			     char * fromcon,
+-			     char ** reachable,
+-			     unsigned int nreach,
+-			     unsigned int *ordering, unsigned int *nordered)
++			     const char * user,
++			     char ***reachable,
++			     unsigned int *nreachable)
+ {
+ 	char *start, *end = NULL;
+ 	char *line = NULL;
+-	size_t line_len = 0;
++	size_t line_len = 0, usercon_len;
++	size_t user_len = strlen(user);
+ 	ssize_t len;
+ 	int found = 0;
+-	const char *fromrole, *fromtype;
++	const char *fromrole, *fromtype, *fromlevel;
+ 	char *linerole, *linetype;
+-	unsigned int i;
++	char **new_reachable = NULL;
++	char *usercon_str;
+ 	context_t con;
++	context_t usercon;
++
+ 	int rc;
+ 
+-	errno = -EINVAL;
++	errno = EINVAL;
+ 
+ 	/* Extract the role and type of the fromcon for matching.
+ 	   User identity and MLS range can be variable. */
+@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
+ 		return -1;
+ 	fromrole = context_role_get(con);
+ 	fromtype = context_type_get(con);
++	fromlevel = context_range_get(con);
+ 	if (!fromrole || !fromtype) {
+ 		context_free(con);
+ 		return -1;
+@@ -243,23 +222,75 @@ static int get_context_order(FILE * fp,
+ 		if (*end)
+ 			*end++ = 0;
+ 
+-		/* Check for a match in the reachable list. */
+-		rc = find_partialcon(reachable, nreach, start);
+-		if (rc < 0) {
+-			/* No match, skip it. */
++		/* Check whether a new context is valid */
++		if (SIZE_MAX - user_len < strlen(start) + 2) {
++			fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
++			errno = EINVAL;
++			rc = -1;
++			goto out;
++		}
++		usercon_len = user_len + strlen(start) + 2;
++		usercon_str = malloc(usercon_len);
++		if (!usercon_str) {
++			rc = -1;
++			goto out;
++		}
++
++		/* set range from fromcon in the new usercon */
++		snprintf(usercon_str, usercon_len, "%s:%s", user, start);
++		usercon = context_new(usercon_str);
++		if (!usercon) {
++			if (errno != EINVAL) {
++				free(usercon_str);
++				rc = -1;
++				goto out;
++			}
++			fprintf(stderr,
++				"%s: can't create a context from %s, skipping\n",
++				__FUNCTION__, usercon_str);
++			free(usercon_str);
+ 			start = end;
+ 			continue;
+ 		}
++		free(usercon_str);
++		if (context_range_set(usercon, fromlevel) != 0) {
++			context_free(usercon);
++			rc = -1;
++			goto out;
++		}
++		usercon_str = context_str(usercon);
++		if (!usercon_str) {
++			context_free(usercon);
++			rc = -1;
++			goto out;
++		}
+ 
+-		/* If a match is found and the entry is not already ordered
+-		   (e.g. due to prior match in prior config file), then set
+-		   the ordering for it. */
+-		i = rc;
+-		if (ordering[i] == nreach)
+-			ordering[i] = (*nordered)++;
++		/* check whether usercon is already in reachable */
++		if (is_in_reachable(*reachable, usercon_str)) {
++			context_free(usercon);
++			start = end;
++			continue;
++		}
++		if (security_check_context(usercon_str) == 0) {
++			new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
++			if (!new_reachable) {
++				context_free(usercon);
++				rc = -1;
++				goto out;
++			}
++			*reachable = new_reachable;
++			new_reachable[*nreachable] = strdup(usercon_str);
++			if (new_reachable[*nreachable] == NULL) {
++				context_free(usercon);
++				rc = -1;
++				goto out;
++			}
++			new_reachable[*nreachable + 1] = 0;
++			*nreachable += 1;
++		}
++		context_free(usercon);
+ 		start = end;
+ 	}
+-
+ 	rc = 0;
+ 
+       out:
+@@ -313,21 +344,6 @@ static int get_failsafe_context(const char *user, char ** newcon)
+ 	return 0;
+ }
+ 
+-struct context_order {
+-	char * con;
+-	unsigned int order;
+-};
+-
+-static int order_compare(const void *A, const void *B)
+-{
+-	const struct context_order *c1 = A, *c2 = B;
+-	if (c1->order < c2->order)
+-		return -1;
+-	else if (c1->order > c2->order)
+-		return 1;
+-	return strcmp(c1->con, c2->con);
+-}
+-
+ int get_ordered_context_list_with_level(const char *user,
+ 					const char *level,
+ 					char * fromcon,
+@@ -395,11 +411,8 @@ int get_ordered_context_list(const char *user,
+ 			     char *** list)
+ {
+ 	char **reachable = NULL;
+-	unsigned int *ordering = NULL;
+-	struct context_order *co = NULL;
+-	char **ptr;
+ 	int rc = 0;
+-	unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
++	unsigned nreachable = 0, freefrom = 0;
+ 	FILE *fp;
+ 	char *fname = NULL;
+ 	size_t fname_len;
+@@ -413,23 +426,6 @@ int get_ordered_context_list(const char *user,
+ 		freefrom = 1;
+ 	}
+ 
+-	/* Determine the set of reachable contexts for the user. */
+-	rc = security_compute_user(fromcon, user, &reachable);
+-	if (rc < 0)
+-		goto failsafe;
+-	nreach = 0;
+-	for (ptr = reachable; *ptr; ptr++)
+-		nreach++;
+-	if (!nreach)
+-		goto failsafe;
+-
+-	/* Initialize ordering array. */
+-	ordering = malloc(nreach * sizeof(unsigned int));
+-	if (!ordering)
+-		goto failsafe;
+-	for (i = 0; i < nreach; i++)
+-		ordering[i] = nreach;
+-
+ 	/* Determine the ordering to apply from the optional per-user config
+ 	   and from the global config. */
+ 	fname_len = strlen(user_contexts_path) + strlen(user) + 2;
+@@ -440,8 +436,8 @@ int get_ordered_context_list(const char *user,
+ 	fp = fopen(fname, "re");
+ 	if (fp) {
+ 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
+-		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
+-				       &nordered);
++		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
++
+ 		fclose(fp);
+ 		if (rc < 0 && errno != ENOENT) {
+ 			fprintf(stderr,
+@@ -454,8 +450,7 @@ int get_ordered_context_list(const char *user,
+ 	fp = fopen(selinux_default_context_path(), "re");
+ 	if (fp) {
+ 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
+-		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
+-				       &nordered);
++		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ 		fclose(fp);
+ 		if (rc < 0 && errno != ENOENT) {
+ 			fprintf(stderr,
+@@ -463,40 +458,19 @@ int get_ordered_context_list(const char *user,
+ 				__FUNCTION__, selinux_default_context_path());
+ 			/* Fall through */
+ 		}
+-		rc = 0;
+ 	}
+ 
+-	if (!nordered)
++	if (!nreachable)
+ 		goto failsafe;
+ 
+-	/* Apply the ordering. */
+-	co = malloc(nreach * sizeof(struct context_order));
+-	if (!co)
+-		goto failsafe;
+-	for (i = 0; i < nreach; i++) {
+-		co[i].con = reachable[i];
+-		co[i].order = ordering[i];
+-	}
+-	qsort(co, nreach, sizeof(struct context_order), order_compare);
+-	for (i = 0; i < nreach; i++)
+-		reachable[i] = co[i].con;
+-	free(co);
+-
+-	/* Only report the ordered entries to the caller. */
+-	if (nordered <= nreach) {
+-		for (i = nordered; i < nreach; i++)
+-			free(reachable[i]);
+-		reachable[nordered] = NULL;
+-		rc = nordered;
+-	}
+-
+       out:
+-	if (rc > 0)
++	if (nreachable > 0) {
+ 		*list = reachable;
++		rc = nreachable;
++	}
+ 	else
+ 		freeconary(reachable);
+ 
+-	free(ordering);
+ 	if (freefrom)
+ 		freecon(fromcon);
+ 
+@@ -519,7 +493,7 @@ int get_ordered_context_list(const char *user,
+ 		reachable = NULL;
+ 		goto out;
+ 	}
+-	rc = 1;			/* one context in the list */
++	nreachable = 1;			/* one context in the list */
+ 	goto out;
+ }
+ 
+-- 
+2.25.4
+

SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch

@@ -0,0 +1,168 @@
+From d4c22fcd5943fe35db648dee971f631d40b3eb94 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Thu, 20 Feb 2020 10:40:19 -0500
+Subject: [PATCH] libselinux: deprecate security_compute_user(), update man
+ pages
+
+commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
+use of security_compute_user()") eliminated the use of
+security_compute_user() by get_ordered_context_list().  Deprecate
+all use of security_compute_user() by updating the headers and man
+pages and logging a warning message on any calls to it.  Remove
+the example utility that called the interface. While here, also
+fix the documentation of correct usage of the user argument to these
+interfaces.
+
+Fixes: https://github.com/SELinuxProject/selinux/issues/70
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/include/selinux/selinux.h          |  8 +++-
+ .../man/man3/get_ordered_context_list.3       | 24 +++++++++---
+ libselinux/man/man3/security_compute_av.3     |  5 ++-
+ libselinux/src/compute_user.c                 |  3 ++
+ libselinux/utils/compute_user.c               | 38 -------------------
+ 5 files changed, 31 insertions(+), 47 deletions(-)
+ delete mode 100644 libselinux/utils/compute_user.c
+
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index a34d54fc..a5ada324 100644
+--- a/libselinux/include/selinux/selinux.h
++++ b/libselinux/include/selinux/selinux.h
+@@ -246,8 +246,12 @@ extern int security_compute_member_raw(const char * scon,
+ 				       security_class_t tclass,
+ 				       char ** newcon);
+ 
+-/* Compute the set of reachable user contexts and set *con to refer to 
+-   the NULL-terminated array of contexts.  Caller must free via freeconary. */
++/*
++ * Compute the set of reachable user contexts and set *con to refer to
++ * the NULL-terminated array of contexts.  Caller must free via freeconary.
++ * These interfaces are deprecated.  Use get_ordered_context_list() or
++ * one of its variant interfaces instead.
++ */
+ extern int security_compute_user(const char * scon,
+ 				 const char *username,
+ 				 char *** con);
+diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
+index e084da40..3ed14a96 100644
+--- a/libselinux/man/man3/get_ordered_context_list.3
++++ b/libselinux/man/man3/get_ordered_context_list.3
+@@ -26,14 +26,28 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
+ .BI "int get_default_type(const char *" role ", char **" type );
+ .
+ .SH "DESCRIPTION"
++
++This family of functions can be used to obtain either a prioritized list of
++all reachable security contexts for a given SELinux user or a single default
++(highest priority) context for a given SELinux user for use by login-like
++programs.  These functions takes a SELinux user identity that must
++be defined in the SELinux policy as their input, not a Linux username.
++Most callers should typically first call
++.BR getseuserbyname(3)
++to look up the SELinux user identity and level for a given
++Linux username and then invoke one of
++.BR get_ordered_context_list_with_level ()
++or
++.BR get_default_context_with_level ()
++with the returned SELinux user and level as inputs.
++
+ .BR get_ordered_context_list ()
+-invokes the 
+-.BR security_compute_user (3)
+-function to obtain the list of contexts for the specified
++obtains the list of contexts for the specified
++SELinux
+ .I user
+-that are reachable from the specified
++identity that are reachable from the specified
+ .I fromcon
+-context.  The function then orders the resulting list based on the global
++context based on the global
+ .I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
+ file and the per-user
+ .I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
+diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
+index 2aade5fe..8e1f746a 100644
+--- a/libselinux/man/man3/security_compute_av.3
++++ b/libselinux/man/man3/security_compute_av.3
+@@ -97,8 +97,9 @@ instance.
+ 
+ .BR security_compute_user ()
+ is used to determine the set of user contexts that can be reached from a
+-source context. It is mainly used by
+-.BR get_ordered_context_list ().
++source context. This function is deprecated; use
++.BR get_ordered_context_list (3)
++instead.
+ 
+ .BR security_get_initial_context ()
+ is used to get the context of a kernel initial security identifier specified by 
+diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
+index 401fd107..0f55de84 100644
+--- a/libselinux/src/compute_user.c
++++ b/libselinux/src/compute_user.c
+@@ -8,6 +8,7 @@
+ #include "selinux_internal.h"
+ #include "policy.h"
+ #include <limits.h>
++#include "callbacks.h"
+ 
+ int security_compute_user_raw(const char * scon,
+ 			      const char *user, char *** con)
+@@ -24,6 +25,8 @@ int security_compute_user_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
++	selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
++
+ 	if (! scon) {
+ 		errno=EINVAL;
+ 		return -1;
+diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
+deleted file mode 100644
+index cae62b26..00000000
+--- a/libselinux/utils/compute_user.c
++++ /dev/null
+@@ -1,38 +0,0 @@
+-#include <unistd.h>
+-#include <sys/types.h>
+-#include <fcntl.h>
+-#include <stdio.h>
+-#include <stdlib.h>
+-#include <errno.h>
+-#include <string.h>
+-#include <ctype.h>
+-#include <selinux/selinux.h>
+-
+-int main(int argc, char **argv)
+-{
+-	char **buf, **ptr;
+-	int ret;
+-
+-	if (argc != 3) {
+-		fprintf(stderr, "usage:  %s context user\n", argv[0]);
+-		exit(1);
+-	}
+-
+-	ret = security_compute_user(argv[1], argv[2], &buf);
+-	if (ret < 0) {
+-		fprintf(stderr, "%s:  security_compute_user(%s,%s) failed\n",
+-			argv[0], argv[1], argv[2]);
+-		exit(2);
+-	}
+-
+-	if (!buf[0]) {
+-		printf("none\n");
+-		exit(0);
+-	}
+-
+-	for (ptr = buf; *ptr; ptr++) {
+-		printf("%s\n", *ptr);
+-	}
+-	freeconary(buf);
+-	exit(0);
+-}
+-- 
+2.25.4
+

SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch

@@ -0,0 +1,39 @@
+From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 10 Feb 2021 18:05:29 +0100
+Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
+
+Describe which type of regular expression is used in file context
+definitions and which flags are in effect.
+
+Explain how local file context modifications are processed.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/man/man5/selabel_file.5 | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
+index e97bd826..baba7776 100644
+--- a/libselinux/man/man5/selabel_file.5
++++ b/libselinux/man/man5/selabel_file.5
+@@ -125,7 +125,14 @@ Where:
+ .RS
+ .I pathname
+ .RS
+-An entry that defines the pathname that may be in the form of a regular expression.
++An entry that defines the path to be labeled.
++May contain either a fully qualified path,
++or a Perl compatible regular expression (PCRE),
++describing fully qualified path(s).
++The only PCRE flag in use is PCRE2_DOTALL,
++which causes a wildcard '.' to match anything, including a new line.
++Strings representing paths are processed as bytes (as opposed to Unicode),
++meaning that non-ASCII characters are not matched by a single wildcard.
+ .RE
+ .I file_type
+ .RS
+-- 
+2.35.3
+

SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch

@@ -0,0 +1,88 @@
+From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Thu, 17 Feb 2022 14:14:15 +0100
+Subject: [PATCH] libselinux: Strip spaces before values in config
+
+Spaces before values in /etc/selinux/config should be ignored just as
+spaces after them are.
+
+E.g. "SELINUXTYPE= targeted" should be a valid value.
+
+Fixes:
+   # sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
+   # dnf install <any_package>
+   ...
+   RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
+   RPM: error: Plugin selinux: hook tsm_pre failed
+   ...
+   Error: Could not run transaction.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libselinux/src/selinux_config.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
+index b06cb63b..0892b87c 100644
+--- a/libselinux/src/selinux_config.c
++++ b/libselinux/src/selinux_config.c
+@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce)
+ 	FILE *cfg = fopen(SELINUXCONFIG, "re");
+ 	if (cfg) {
+ 		char *buf;
++		char *tag;
+ 		int len = sizeof(SELINUXTAG) - 1;
+ 		buf = malloc(selinux_page_size);
+ 		if (!buf) {
+@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce)
+ 		while (fgets_unlocked(buf, selinux_page_size, cfg)) {
+ 			if (strncmp(buf, SELINUXTAG, len))
+ 				continue;
++			tag = buf+len;
++			while (isspace(*tag))
++				tag++;
+ 			if (!strncasecmp
+-			    (buf + len, "enforcing", sizeof("enforcing") - 1)) {
++			    (tag, "enforcing", sizeof("enforcing") - 1)) {
+ 				*enforce = 1;
+ 				ret = 0;
+ 				break;
+ 			} else
+ 			    if (!strncasecmp
+-				(buf + len, "permissive",
++				(tag, "permissive",
+ 				 sizeof("permissive") - 1)) {
+ 				*enforce = 0;
+ 				ret = 0;
+ 				break;
+ 			} else
+ 			    if (!strncasecmp
+-				(buf + len, "disabled",
++				(tag, "disabled",
+ 				 sizeof("disabled") - 1)) {
+ 				*enforce = -1;
+ 				ret = 0;
+@@ -177,7 +181,10 @@ static void init_selinux_config(void)
+ 
+ 			if (!strncasecmp(buf_p, SELINUXTYPETAG,
+ 					 sizeof(SELINUXTYPETAG) - 1)) {
+-				type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
++				buf_p += sizeof(SELINUXTYPETAG) - 1;
++				while (isspace(*buf_p))
++					buf_p++;
++				type = strdup(buf_p);
+ 				if (!type)
+ 					return;
+ 				end = type + strlen(type) - 1;
+@@ -199,6 +206,8 @@ static void init_selinux_config(void)
+ 			} else if (!strncmp(buf_p, REQUIRESEUSERS,
+ 					    sizeof(REQUIRESEUSERS) - 1)) {
+ 				value = buf_p + sizeof(REQUIRESEUSERS) - 1;
++				while (isspace(*value))
++					value++;
+ 				intptr = &require_seusers;
+ 			} else {
+ 				continue;
+-- 
+2.35.3
+

SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch

@@ -0,0 +1,46 @@
+From 9a04499cebedac3f585c0240e6cf68f786ae62b7 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 31 Oct 2022 17:00:43 +0100
+Subject: [PATCH] libselinux: Ignore missing directories when -i is used
+
+Currently "-i" only ignores a file whose parent directory exists. Start also
+ignoring paths with missing components.
+
+Fixes:
+  # restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
+  255
+  restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libselinux/src/selinux_restorecon.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 5f189235..2ff73db6 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -820,6 +820,10 @@ int selinux_restorecon(const char *pathname_orig,
+ 			pathname = realpath(pathname_orig, NULL);
+ 			if (!pathname) {
+ 				free(basename_cpy);
++				/* missing parent directory */
++				if (flags.ignore_noent && errno == ENOENT) {
++					return 0;
++				}
+ 				goto realpatherr;
+ 			}
+ 		} else {
+@@ -833,6 +837,9 @@ int selinux_restorecon(const char *pathname_orig,
+ 			free(dirname_cpy);
+ 			if (!pathdnamer) {
+ 				free(basename_cpy);
++				if (flags.ignore_noent && errno == ENOENT) {
++					return 0;
++				}
+ 				goto realpatherr;
+ 			}
+ 			if (!strcmp(pathdnamer, "/"))
+-- 
+2.37.3
+

SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch

@@ -0,0 +1,42 @@
+From 599f1ec818d50ffc9690fea8c03b5fe278f30ed4 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 7 Dec 2022 09:19:29 +0100
+Subject: [PATCH] libselinux/restorecon: Fix memory leak - xattr_value
+
+Fix memory leak introduced by commit
+ 9a04499cebedac3f585c0240e6cf68f786ae62b7
+ libselinux: Ignore missing directories when -i is used
+
+Error: RESOURCE_LEAK:
+ selinux_restorecon.c:804: alloc_fn: Storage is returned from allocation function "malloc".
+ selinux_restorecon.c:804: var_assign: Assigning: "xattr_value" = storage returned from "malloc(fc_digest_len)".
+ selinux_restorecon.c:825: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to.
+
+Resolves: rhbz#2137965
+---
+ libselinux/src/selinux_restorecon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 2ff73db6..b3702764 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -822,6 +822,7 @@ int selinux_restorecon(const char *pathname_orig,
+ 				free(basename_cpy);
+ 				/* missing parent directory */
+ 				if (flags.ignore_noent && errno == ENOENT) {
++					free(xattr_value);
+ 					return 0;
+ 				}
+ 				goto realpatherr;
+@@ -838,6 +839,7 @@ int selinux_restorecon(const char *pathname_orig,
+ 			if (!pathdnamer) {
+ 				free(basename_cpy);
+ 				if (flags.ignore_noent && errno == ENOENT) {
++					free(xattr_value);
+ 					return 0;
+ 				}
+ 				goto realpatherr;
+-- 
+2.37.3
+

SPECS/libselinux.spec

@@ -6,7 +6,7 @@
 %endif
 
 %define libsepolver 2.9-1
-%define libselinuxrelease 3
+%define libselinuxrelease 8
 
 Summary: SELinux library and simple utilities
 Name: libselinux
@@ -27,6 +27,12 @@ Patch0005: 0005-libselinux-add-missing-av_permission-values.patch
 Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
 Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
 Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
+Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
+Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
+Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
+Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch
+Patch0013: 0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
+Patch0014: 0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
 
 BuildRequires: gcc
 %if 0%{?with_ruby}
@@ -274,6 +280,22 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %endif
 
 %changelog
+* Wed Dec 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
+- restorecon: Fix memory leak - xattr_value (#2137965)
+
+* Tue Dec 06 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-7
+- Restorecon: Ignore missing directories when -i is used (#2137965)
+
+* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-6
+- Describe fcontext regular expressions (#1904059)
+- Strip spaces before values in config (#2012145)
+
+* Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
+- Deprecate security_compute_user(), update man pages (#1879368)
+
+* Thu Sep 24 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-4
+- Eliminate use of security_compute_user() (#1879368)
+
 * Fri Nov 08 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
 - Fix mcstrans secolor examples in secolor.conf man page (#1770270)