Compare commits
No commits in common. "imports/c8-beta/libselinux-2.9-5.el8" and "c8" have entirely different histories.
imports/c8
...
c8
@ -0,0 +1,39 @@
|
|||||||
|
From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Wed, 10 Feb 2021 18:05:29 +0100
|
||||||
|
Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
|
||||||
|
|
||||||
|
Describe which type of regular expression is used in file context
|
||||||
|
definitions and which flags are in effect.
|
||||||
|
|
||||||
|
Explain how local file context modifications are processed.
|
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Acked-by: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
---
|
||||||
|
libselinux/man/man5/selabel_file.5 | 9 ++++++++-
|
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
|
||||||
|
index e97bd826..baba7776 100644
|
||||||
|
--- a/libselinux/man/man5/selabel_file.5
|
||||||
|
+++ b/libselinux/man/man5/selabel_file.5
|
||||||
|
@@ -125,7 +125,14 @@ Where:
|
||||||
|
.RS
|
||||||
|
.I pathname
|
||||||
|
.RS
|
||||||
|
-An entry that defines the pathname that may be in the form of a regular expression.
|
||||||
|
+An entry that defines the path to be labeled.
|
||||||
|
+May contain either a fully qualified path,
|
||||||
|
+or a Perl compatible regular expression (PCRE),
|
||||||
|
+describing fully qualified path(s).
|
||||||
|
+The only PCRE flag in use is PCRE2_DOTALL,
|
||||||
|
+which causes a wildcard '.' to match anything, including a new line.
|
||||||
|
+Strings representing paths are processed as bytes (as opposed to Unicode),
|
||||||
|
+meaning that non-ASCII characters are not matched by a single wildcard.
|
||||||
|
.RE
|
||||||
|
.I file_type
|
||||||
|
.RS
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
@ -0,0 +1,88 @@
|
|||||||
|
From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Thu, 17 Feb 2022 14:14:15 +0100
|
||||||
|
Subject: [PATCH] libselinux: Strip spaces before values in config
|
||||||
|
|
||||||
|
Spaces before values in /etc/selinux/config should be ignored just as
|
||||||
|
spaces after them are.
|
||||||
|
|
||||||
|
E.g. "SELINUXTYPE= targeted" should be a valid value.
|
||||||
|
|
||||||
|
Fixes:
|
||||||
|
# sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
|
||||||
|
# dnf install <any_package>
|
||||||
|
...
|
||||||
|
RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
|
||||||
|
RPM: error: Plugin selinux: hook tsm_pre failed
|
||||||
|
...
|
||||||
|
Error: Could not run transaction.
|
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
---
|
||||||
|
libselinux/src/selinux_config.c | 17 +++++++++++++----
|
||||||
|
1 file changed, 13 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
|
||||||
|
index b06cb63b..0892b87c 100644
|
||||||
|
--- a/libselinux/src/selinux_config.c
|
||||||
|
+++ b/libselinux/src/selinux_config.c
|
||||||
|
@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce)
|
||||||
|
FILE *cfg = fopen(SELINUXCONFIG, "re");
|
||||||
|
if (cfg) {
|
||||||
|
char *buf;
|
||||||
|
+ char *tag;
|
||||||
|
int len = sizeof(SELINUXTAG) - 1;
|
||||||
|
buf = malloc(selinux_page_size);
|
||||||
|
if (!buf) {
|
||||||
|
@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce)
|
||||||
|
while (fgets_unlocked(buf, selinux_page_size, cfg)) {
|
||||||
|
if (strncmp(buf, SELINUXTAG, len))
|
||||||
|
continue;
|
||||||
|
+ tag = buf+len;
|
||||||
|
+ while (isspace(*tag))
|
||||||
|
+ tag++;
|
||||||
|
if (!strncasecmp
|
||||||
|
- (buf + len, "enforcing", sizeof("enforcing") - 1)) {
|
||||||
|
+ (tag, "enforcing", sizeof("enforcing") - 1)) {
|
||||||
|
*enforce = 1;
|
||||||
|
ret = 0;
|
||||||
|
break;
|
||||||
|
} else
|
||||||
|
if (!strncasecmp
|
||||||
|
- (buf + len, "permissive",
|
||||||
|
+ (tag, "permissive",
|
||||||
|
sizeof("permissive") - 1)) {
|
||||||
|
*enforce = 0;
|
||||||
|
ret = 0;
|
||||||
|
break;
|
||||||
|
} else
|
||||||
|
if (!strncasecmp
|
||||||
|
- (buf + len, "disabled",
|
||||||
|
+ (tag, "disabled",
|
||||||
|
sizeof("disabled") - 1)) {
|
||||||
|
*enforce = -1;
|
||||||
|
ret = 0;
|
||||||
|
@@ -177,7 +181,10 @@ static void init_selinux_config(void)
|
||||||
|
|
||||||
|
if (!strncasecmp(buf_p, SELINUXTYPETAG,
|
||||||
|
sizeof(SELINUXTYPETAG) - 1)) {
|
||||||
|
- type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
|
||||||
|
+ buf_p += sizeof(SELINUXTYPETAG) - 1;
|
||||||
|
+ while (isspace(*buf_p))
|
||||||
|
+ buf_p++;
|
||||||
|
+ type = strdup(buf_p);
|
||||||
|
if (!type)
|
||||||
|
return;
|
||||||
|
end = type + strlen(type) - 1;
|
||||||
|
@@ -199,6 +206,8 @@ static void init_selinux_config(void)
|
||||||
|
} else if (!strncmp(buf_p, REQUIRESEUSERS,
|
||||||
|
sizeof(REQUIRESEUSERS) - 1)) {
|
||||||
|
value = buf_p + sizeof(REQUIRESEUSERS) - 1;
|
||||||
|
+ while (isspace(*value))
|
||||||
|
+ value++;
|
||||||
|
intptr = &require_seusers;
|
||||||
|
} else {
|
||||||
|
continue;
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
@ -0,0 +1,46 @@
|
|||||||
|
From 9a04499cebedac3f585c0240e6cf68f786ae62b7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Mon, 31 Oct 2022 17:00:43 +0100
|
||||||
|
Subject: [PATCH] libselinux: Ignore missing directories when -i is used
|
||||||
|
|
||||||
|
Currently "-i" only ignores a file whose parent directory exists. Start also
|
||||||
|
ignoring paths with missing components.
|
||||||
|
|
||||||
|
Fixes:
|
||||||
|
# restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
|
||||||
|
255
|
||||||
|
restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
|
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
---
|
||||||
|
libselinux/src/selinux_restorecon.c | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
|
||||||
|
index 5f189235..2ff73db6 100644
|
||||||
|
--- a/libselinux/src/selinux_restorecon.c
|
||||||
|
+++ b/libselinux/src/selinux_restorecon.c
|
||||||
|
@@ -820,6 +820,10 @@ int selinux_restorecon(const char *pathname_orig,
|
||||||
|
pathname = realpath(pathname_orig, NULL);
|
||||||
|
if (!pathname) {
|
||||||
|
free(basename_cpy);
|
||||||
|
+ /* missing parent directory */
|
||||||
|
+ if (flags.ignore_noent && errno == ENOENT) {
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
goto realpatherr;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
@@ -833,6 +837,9 @@ int selinux_restorecon(const char *pathname_orig,
|
||||||
|
free(dirname_cpy);
|
||||||
|
if (!pathdnamer) {
|
||||||
|
free(basename_cpy);
|
||||||
|
+ if (flags.ignore_noent && errno == ENOENT) {
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
goto realpatherr;
|
||||||
|
}
|
||||||
|
if (!strcmp(pathdnamer, "/"))
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
@ -0,0 +1,42 @@
|
|||||||
|
From 599f1ec818d50ffc9690fea8c03b5fe278f30ed4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Wed, 7 Dec 2022 09:19:29 +0100
|
||||||
|
Subject: [PATCH] libselinux/restorecon: Fix memory leak - xattr_value
|
||||||
|
|
||||||
|
Fix memory leak introduced by commit
|
||||||
|
9a04499cebedac3f585c0240e6cf68f786ae62b7
|
||||||
|
libselinux: Ignore missing directories when -i is used
|
||||||
|
|
||||||
|
Error: RESOURCE_LEAK:
|
||||||
|
selinux_restorecon.c:804: alloc_fn: Storage is returned from allocation function "malloc".
|
||||||
|
selinux_restorecon.c:804: var_assign: Assigning: "xattr_value" = storage returned from "malloc(fc_digest_len)".
|
||||||
|
selinux_restorecon.c:825: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to.
|
||||||
|
|
||||||
|
Resolves: rhbz#2137965
|
||||||
|
---
|
||||||
|
libselinux/src/selinux_restorecon.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
|
||||||
|
index 2ff73db6..b3702764 100644
|
||||||
|
--- a/libselinux/src/selinux_restorecon.c
|
||||||
|
+++ b/libselinux/src/selinux_restorecon.c
|
||||||
|
@@ -822,6 +822,7 @@ int selinux_restorecon(const char *pathname_orig,
|
||||||
|
free(basename_cpy);
|
||||||
|
/* missing parent directory */
|
||||||
|
if (flags.ignore_noent && errno == ENOENT) {
|
||||||
|
+ free(xattr_value);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
goto realpatherr;
|
||||||
|
@@ -838,6 +839,7 @@ int selinux_restorecon(const char *pathname_orig,
|
||||||
|
if (!pathdnamer) {
|
||||||
|
free(basename_cpy);
|
||||||
|
if (flags.ignore_noent && errno == ENOENT) {
|
||||||
|
+ free(xattr_value);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
goto realpatherr;
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
@ -6,7 +6,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%define libsepolver 2.9-1
|
%define libsepolver 2.9-1
|
||||||
%define libselinuxrelease 5
|
%define libselinuxrelease 8
|
||||||
|
|
||||||
Summary: SELinux library and simple utilities
|
Summary: SELinux library and simple utilities
|
||||||
Name: libselinux
|
Name: libselinux
|
||||||
@ -29,6 +29,10 @@ Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
|
|||||||
Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
|
Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
|
||||||
Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
|
Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
|
||||||
Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
|
Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
|
||||||
|
Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
|
||||||
|
Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch
|
||||||
|
Patch0013: 0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
|
||||||
|
Patch0014: 0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
|
||||||
|
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
%if 0%{?with_ruby}
|
%if 0%{?with_ruby}
|
||||||
@ -276,6 +280,16 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
|
||||||
|
- restorecon: Fix memory leak - xattr_value (#2137965)
|
||||||
|
|
||||||
|
* Tue Dec 06 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-7
|
||||||
|
- Restorecon: Ignore missing directories when -i is used (#2137965)
|
||||||
|
|
||||||
|
* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-6
|
||||||
|
- Describe fcontext regular expressions (#1904059)
|
||||||
|
- Strip spaces before values in config (#2012145)
|
||||||
|
|
||||||
* Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
|
* Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
|
||||||
- Deprecate security_compute_user(), update man pages (#1879368)
|
- Deprecate security_compute_user(), update man pages (#1879368)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user