From 2a8fa07d1468e55d6946ce1cdbf46f75afcdf018 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 20 Nov 2024 13:43:05 +0000 Subject: [PATCH] import RHEL 10 Beta libsemanage-3.7-1.el10 --- .gitignore | 2 +- .libsemanage.metadata | 1 - ...RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch | 66 -- ...-support-for-DCCP-and-SCTP-protocols.patch | 48 - ...nage-fsync-final-files-before-rename.patch | 156 ---- ...emanage-sync-filesystem-with-sandbox.patch | 55 -- SOURCES/0005-Trivial-style-fixes.patch | 76 -- ...-contents-of-modkey-in-semanage_dire.patch | 31 - ...USE_AFTER_FREE-CWE-672-in-semanage_d.patch | 42 - ...-missing-include-to-boolean_record.c.patch | 37 - ...nage-move-module-hashing-into-libsem.patch | 555 ------------ ...-compressed-file-handling-into-a-sep.patch | 824 ------------------ ...lean-up-semanage_direct_commit-a-bit.patch | 150 ---- ...onally-rebuild-policy-when-modules-a.patch | 492 ----------- ...ys-write-kernel-policy-when-check_ex.patch | 59 -- bachradsusi.gpg | 321 +++++++ libsemanage-3.7.tar.gz.asc | 16 + SPECS/libsemanage.spec => libsemanage.spec | 343 +++++--- SOURCES/semanage.conf => semanage.conf | 1 + sources | 1 + 20 files changed, 583 insertions(+), 2693 deletions(-) delete mode 100644 .libsemanage.metadata delete mode 100644 SOURCES/0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch delete mode 100644 SOURCES/0002-libsemanage-Add-support-for-DCCP-and-SCTP-protocols.patch delete mode 100644 SOURCES/0003-libsemanage-fsync-final-files-before-rename.patch delete mode 100644 SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch delete mode 100644 SOURCES/0005-Trivial-style-fixes.patch delete mode 100644 SOURCES/0006-libsemanage-Free-contents-of-modkey-in-semanage_dire.patch delete mode 100644 SOURCES/0007-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_d.patch delete mode 100644 SOURCES/0008-libsemanage-add-missing-include-to-boolean_record.c.patch delete mode 100644 SOURCES/0009-semodule-libsemanage-move-module-hashing-into-libsem.patch delete mode 100644 SOURCES/0010-libsemanage-move-compressed-file-handling-into-a-sep.patch delete mode 100644 SOURCES/0011-libsemanage-clean-up-semanage_direct_commit-a-bit.patch delete mode 100644 SOURCES/0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch delete mode 100644 SOURCES/0013-libsemanage-always-write-kernel-policy-when-check_ex.patch create mode 100644 bachradsusi.gpg create mode 100644 libsemanage-3.7.tar.gz.asc rename SPECS/libsemanage.spec => libsemanage.spec (85%) rename SOURCES/semanage.conf => semanage.conf (99%) create mode 100644 sources diff --git a/.gitignore b/.gitignore index fdd9f35..d07e725 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libsemanage-2.9.tar.gz +libsemanage-3.7.tar.gz diff --git a/.libsemanage.metadata b/.libsemanage.metadata deleted file mode 100644 index e4baac8..0000000 --- a/.libsemanage.metadata +++ /dev/null @@ -1 +0,0 @@ -4c669c72c4626391d67e5c7e69be8397d71ee31e SOURCES/libsemanage-2.9.tar.gz diff --git a/SOURCES/0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch b/SOURCES/0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch deleted file mode 100644 index 06e9c8e..0000000 --- a/SOURCES/0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch +++ /dev/null @@ -1,66 +0,0 @@ -From dc105dcb5e34e256bcbcf547fea590cfcee06933 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 7 Nov 2018 18:17:34 +0100 -Subject: [PATCH] libsemanage: Fix RESOURCE_LEAK and USE_AFTER_FREE coverity - scan defects - ---- - libsemanage/src/direct_api.c | 21 ++++++++------------- - 1 file changed, 8 insertions(+), 13 deletions(-) - -diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index c58961be..8e4d116d 100644 ---- a/libsemanage/src/direct_api.c -+++ b/libsemanage/src/direct_api.c -@@ -1028,7 +1028,7 @@ static int semanage_direct_write_langext(semanage_handle_t *sh, - - fp = NULL; - -- ret = 0; -+ return 0; - - cleanup: - if (fp != NULL) fclose(fp); -@@ -2177,7 +2177,6 @@ cleanup: - semanage_module_info_destroy(sh, modinfo); - free(modinfo); - -- if (fp != NULL) fclose(fp); - return status; - } - -@@ -2342,16 +2341,6 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh, - free(tmp); - tmp = NULL; - -- if (fclose(fp) != 0) { -- ERR(sh, -- "Unable to close %s module lang ext file.", -- (*modinfo)->name); -- status = -1; -- goto cleanup; -- } -- -- fp = NULL; -- - /* lookup enabled/disabled status */ - ret = semanage_module_get_path(sh, - *modinfo, -@@ -2395,7 +2384,13 @@ cleanup: - free(modinfos); - } - -- if (fp != NULL) fclose(fp); -+ if (fp != NULL && fclose(fp) != 0) { -+ ERR(sh, -+ "Unable to close %s module lang ext file.", -+ (*modinfo)->name); -+ status = -1; -+ } -+ - return status; - } - --- -2.21.0 - diff --git a/SOURCES/0002-libsemanage-Add-support-for-DCCP-and-SCTP-protocols.patch b/SOURCES/0002-libsemanage-Add-support-for-DCCP-and-SCTP-protocols.patch deleted file mode 100644 index c94d9fc..0000000 --- a/SOURCES/0002-libsemanage-Add-support-for-DCCP-and-SCTP-protocols.patch +++ /dev/null @@ -1,48 +0,0 @@ -From d68976d353bf334c43fd084f9cc4535874860006 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Tue, 8 Oct 2019 14:22:12 +0200 -Subject: [PATCH] libsemanage: Add support for DCCP and SCTP protocols - -This is necessary for "semanage port" to be able to handle DCCP and SCTP -protocols. - -Fixes: - "port_parse" only handles TCP and UDP protocols - -Signed-off-by: Vit Mojzis ---- - libsemanage/include/semanage/port_record.h | 2 ++ - libsemanage/src/ports_file.c | 4 ++++ - 2 files changed, 6 insertions(+) - -diff --git a/libsemanage/include/semanage/port_record.h b/libsemanage/include/semanage/port_record.h -index 20ae4bd9..71074800 100644 ---- a/libsemanage/include/semanage/port_record.h -+++ b/libsemanage/include/semanage/port_record.h -@@ -16,6 +16,8 @@ typedef struct semanage_port_key semanage_port_key_t; - - #define SEMANAGE_PROTO_UDP 0 - #define SEMANAGE_PROTO_TCP 1 -+#define SEMANAGE_PROTO_DCCP 2 -+#define SEMANAGE_PROTO_SCTP 3 - - /* Key */ - extern int semanage_port_compare(const semanage_port_t * port, -diff --git a/libsemanage/src/ports_file.c b/libsemanage/src/ports_file.c -index 46ee2f00..4738d467 100644 ---- a/libsemanage/src/ports_file.c -+++ b/libsemanage/src/ports_file.c -@@ -84,6 +84,10 @@ static int port_parse(semanage_handle_t * handle, - semanage_port_set_proto(port, SEMANAGE_PROTO_TCP); - else if (!strcasecmp(str, "udp")) - semanage_port_set_proto(port, SEMANAGE_PROTO_UDP); -+ else if (!strcasecmp(str, "dccp")) -+ semanage_port_set_proto(port, SEMANAGE_PROTO_DCCP); -+ else if (!strcasecmp(str, "sctp")) -+ semanage_port_set_proto(port, SEMANAGE_PROTO_SCTP); - else { - ERR(handle, "invalid protocol \"%s\" (%s: %u):\n%s", str, - info->filename, info->lineno, info->orig_line); --- -2.21.0 - diff --git a/SOURCES/0003-libsemanage-fsync-final-files-before-rename.patch b/SOURCES/0003-libsemanage-fsync-final-files-before-rename.patch deleted file mode 100644 index b40686e..0000000 --- a/SOURCES/0003-libsemanage-fsync-final-files-before-rename.patch +++ /dev/null @@ -1,156 +0,0 @@ -From dc4f1d03d6e17d851283f9b10b2faeeca9b10e14 Mon Sep 17 00:00:00 2001 -From: Stephen Smalley -Date: Wed, 13 May 2020 15:34:19 -0400 -Subject: [PATCH] libsemanage: fsync final files before rename - -Prior to rename(2)'ing the final selinux policy files into place, -fsync(2) them to ensure the contents will be fully written prior to -rename. While we are here, also fix checking of write(2) to detect -short writes and treat them as an error. This code could be more -generally improved but keeping to the minimal changes required to fix -this bug. - -Fixes: https://github.com/SELinuxProject/selinux/issues/237 -Signed-off-by: Stephen Smalley -Acked-by: Nicolas Iooss - -Source: -https://github.com/SELinuxProject/selinux/commit/331a109f91ea46473fd858c2494f6eab1ef43f66 ---- - libsemanage/src/direct_api.c | 10 +++++----- - libsemanage/src/semanage_store.c | 20 +++++++++++++++----- - libsemanage/src/semanage_store.h | 4 +++- - 3 files changed, 23 insertions(+), 11 deletions(-) - -diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index 8e4d116d..abc3a4cb 100644 ---- a/libsemanage/src/direct_api.c -+++ b/libsemanage/src/direct_api.c -@@ -1188,7 +1188,7 @@ cleanup: - * overwrite it. If source doesn't exist then return success. - * Returns 0 on success, -1 on error. */ - static int copy_file_if_exists(const char *src, const char *dst, mode_t mode){ -- int rc = semanage_copy_file(src, dst, mode); -+ int rc = semanage_copy_file(src, dst, mode, false); - return (rc < 0 && errno != ENOENT) ? rc : 0; - } - -@@ -1481,7 +1481,7 @@ rebuild: - retval = semanage_copy_file(path, - semanage_path(SEMANAGE_TMP, - SEMANAGE_STORE_SEUSERS), -- 0); -+ 0, false); - if (retval < 0) - goto cleanup; - pseusers->dtable->drop_cache(pseusers->dbase); -@@ -1499,7 +1499,7 @@ rebuild: - retval = semanage_copy_file(path, - semanage_path(SEMANAGE_TMP, - SEMANAGE_USERS_EXTRA), -- 0); -+ 0, false); - if (retval < 0) - goto cleanup; - pusers_extra->dtable->drop_cache(pusers_extra->dbase); -@@ -1588,7 +1588,7 @@ rebuild: - - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_KERNEL), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL), -- sh->conf->file_mode); -+ sh->conf->file_mode, false); - if (retval < 0) { - goto cleanup; - } -@@ -1627,7 +1627,7 @@ rebuild: - retval = semanage_copy_file( - semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS), -- sh->conf->file_mode); -+ sh->conf->file_mode, false); - if (retval < 0) { - goto cleanup; - } -diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c -index 58dded6e..733df8da 100644 ---- a/libsemanage/src/semanage_store.c -+++ b/libsemanage/src/semanage_store.c -@@ -707,7 +707,8 @@ static int semanage_filename_select(const struct dirent *d) - - /* Copies a file from src to dst. If dst already exists then - * overwrite it. Returns 0 on success, -1 on error. */ --int semanage_copy_file(const char *src, const char *dst, mode_t mode) -+int semanage_copy_file(const char *src, const char *dst, mode_t mode, -+ bool syncrequired) - { - int in, out, retval = 0, amount_read, n, errsv = errno; - char tmp[PATH_MAX]; -@@ -735,8 +736,11 @@ int semanage_copy_file(const char *src, const char *dst, mode_t mode) - } - umask(mask); - while (retval == 0 && (amount_read = read(in, buf, sizeof(buf))) > 0) { -- if (write(out, buf, amount_read) < 0) { -- errsv = errno; -+ if (write(out, buf, amount_read) != amount_read) { -+ if (errno) -+ errsv = errno; -+ else -+ errsv = EIO; - retval = -1; - } - } -@@ -745,6 +749,10 @@ int semanage_copy_file(const char *src, const char *dst, mode_t mode) - retval = -1; - } - close(in); -+ if (syncrequired && fsync(out) < 0) { -+ errsv = errno; -+ retval = -1; -+ } - if (close(out) < 0) { - errsv = errno; - retval = -1; -@@ -811,7 +819,8 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag) - umask(mask); - } else if (S_ISREG(sb.st_mode) && flag == 1) { - mask = umask(0077); -- if (semanage_copy_file(path, path2, sb.st_mode) < 0) { -+ if (semanage_copy_file(path, path2, sb.st_mode, -+ false) < 0) { - umask(mask); - goto cleanup; - } -@@ -1640,7 +1649,8 @@ static int semanage_install_final_tmp(semanage_handle_t * sh) - goto cleanup; - } - -- ret = semanage_copy_file(src, dst, sh->conf->file_mode); -+ ret = semanage_copy_file(src, dst, sh->conf->file_mode, -+ true); - if (ret < 0) { - ERR(sh, "Could not copy %s to %s.", src, dst); - goto cleanup; -diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h -index 34bf8523..b9ec5664 100644 ---- a/libsemanage/src/semanage_store.h -+++ b/libsemanage/src/semanage_store.h -@@ -24,6 +24,7 @@ - #ifndef SEMANAGE_MODULE_STORE_H - #define SEMANAGE_MODULE_STORE_H - -+#include - #include - #include - #include -@@ -162,6 +163,7 @@ int semanage_nc_sort(semanage_handle_t * sh, - size_t buf_len, - char **sorted_buf, size_t * sorted_buf_len); - --int semanage_copy_file(const char *src, const char *dst, mode_t mode); -+int semanage_copy_file(const char *src, const char *dst, mode_t mode, -+ bool syncrequired); - - #endif --- -2.25.4 - diff --git a/SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch b/SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch deleted file mode 100644 index 112c7ca..0000000 --- a/SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 11e381e5aa3468aa5c2634f14706336c7824f226 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 27 Jan 2021 12:00:55 +0100 -Subject: [PATCH] libsemanage: sync filesystem with sandbox - -Commit 331a109f91ea ("libsemanage: fsync final files before rename") -added fsync() for policy files and improved situation when something -unexpected happens right after rename(). However the module store could -be affected as well. After the following steps module files could be 0 -size: - -1. Run `semanage fcontext -a -t var_t "/tmp/abc"` -2. Force shutdown the server during the command is run, or right after - it's finished -3. Boot the system and look for empty files: - # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l - 1266 - -It looks like this situation can be avoided if the filesystem with the -sandbox is sync()ed before we start to rename() directories in the -store. - -Signed-off-by: Petr Lautrbach -Acked-by: Nicolas Iooss ---- - libsemanage/src/semanage_store.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c -index 733df8da37c2..ae023582e907 100644 ---- a/libsemanage/src/semanage_store.c -+++ b/libsemanage/src/semanage_store.c -@@ -1737,6 +1737,19 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) - } - close(fd); - -+ /* sync changes in sandbox to filesystem */ -+ fd = open(sandbox, O_DIRECTORY); -+ if (fd == -1) { -+ ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno); -+ return -1; -+ } -+ if (syncfs(fd) == -1) { -+ ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno); -+ close(fd); -+ return -1; -+ } -+ close(fd); -+ - retval = commit_number; - - if (semanage_get_active_lock(sh) < 0) { --- -2.30.0 - diff --git a/SOURCES/0005-Trivial-style-fixes.patch b/SOURCES/0005-Trivial-style-fixes.patch deleted file mode 100644 index f5bd700..0000000 --- a/SOURCES/0005-Trivial-style-fixes.patch +++ /dev/null @@ -1,76 +0,0 @@ -From ac10bc27090916fe8fcdaf4a9f0e8cc0165f7210 Mon Sep 17 00:00:00 2001 -From: Unto Sten -Date: Sat, 11 May 2019 01:04:16 +0300 -Subject: [PATCH] Trivial style fixes - ---- - libsemanage/src/direct_api.c | 2 +- - libsemanage/src/modules.c | 2 +- - libsemanage/src/seusers_local.c | 2 +- - libsemanage/src/users_local.c | 4 ++-- - 4 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index abc3a4cb..b037890a 100644 ---- a/libsemanage/src/direct_api.c -+++ b/libsemanage/src/direct_api.c -@@ -517,7 +517,7 @@ ssize_t bunzip(semanage_handle_t *sh, FILE *f, char **data) - size_t size = 1<<18; - size_t bufsize = size; - int bzerror; -- size_t total=0; -+ size_t total = 0; - char* uncompress = NULL; - char* tmpalloc = NULL; - int ret = -1; -diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c -index 62af1018..fa84d33e 100644 ---- a/libsemanage/src/modules.c -+++ b/libsemanage/src/modules.c -@@ -1130,7 +1130,7 @@ int semanage_module_install_info(semanage_handle_t *sh, - int semanage_module_remove_key(semanage_handle_t *sh, - const semanage_module_key_t *modkey) - { -- if (sh->funcs->remove_key== NULL) { -+ if (sh->funcs->remove_key == NULL) { - ERR(sh, - "No remove key function defined for this connection type."); - return -1; -diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c -index a79e2d3d..3e2761c4 100644 ---- a/libsemanage/src/seusers_local.c -+++ b/libsemanage/src/seusers_local.c -@@ -133,7 +133,7 @@ int semanage_seuser_modify_local(semanage_handle_t * handle, - semanage_seuser_t *new = NULL; - - if (!sename) { -- errno=EINVAL; -+ errno = EINVAL; - return -1; - } - rc = semanage_seuser_clone(handle, data, &new); -diff --git a/libsemanage/src/users_local.c b/libsemanage/src/users_local.c -index 7aa43d44..8193476d 100644 ---- a/libsemanage/src/users_local.c -+++ b/libsemanage/src/users_local.c -@@ -38,7 +38,7 @@ static int lookup_seuser(semanage_handle_t * handle, const semanage_user_key_t * - semanage_seuser_list_local(handle, - &records, - &count); -- for(i=0; i -Date: Thu, 17 Dec 2020 15:59:49 +0100 -Subject: [PATCH] libsemanage: Free contents of modkey in - semanage_direct_remove - -semanage_direct_remove allocates struct semanage_module_key_t on -stack, then calls semanage_module_key_set_name which allocates -modkey->name on heap, but modkey->name wasn't free()-d anywhere, -creating a small leak. - -Signed-off-by: Jakub Hrozek ---- - libsemanage/src/direct_api.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index b037890a..c32939c0 100644 ---- a/libsemanage/src/direct_api.c -+++ b/libsemanage/src/direct_api.c -@@ -1944,6 +1944,7 @@ static int semanage_direct_remove(semanage_handle_t * sh, char *module_name) - status = semanage_direct_remove_key(sh, &modkey); - - cleanup: -+ semanage_module_key_destroy(sh, &modkey); - return status; - } - --- -2.30.2 - diff --git a/SOURCES/0007-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_d.patch b/SOURCES/0007-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_d.patch deleted file mode 100644 index 5d84a0d..0000000 --- a/SOURCES/0007-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_d.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 30da7a4907893bd43fe9da40728a3bcabdf3d7a4 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 28 Jul 2021 11:21:35 +0200 -Subject: [PATCH] libsemanage: Fix USE_AFTER_FREE (CWE-672) in - semanage_direct_write_langext() - ->From fclose(3): -Upon successful completion, 0 is returned. Otherwise, EOF is returned -and errno is set to indicate the error. In either case, any further -access (including another call to fclose()) to the stream results in -undefined behavior. - -Fixes: - Error: USE_AFTER_FREE (CWE-672): [#def1] - libsemanage-3.2/src/direct_api.c:1023: freed_arg: "fclose" frees "fp". - libsemanage-3.2/src/direct_api.c:1034: use_closed_file: Calling "fclose" uses file handle "fp" after closing it. - # 1032| - # 1033| cleanup: - # 1034|-> if (fp != NULL) fclose(fp); - # 1035| - # 1036| return ret; - -Signed-off-by: Petr Lautrbach ---- - libsemanage/src/direct_api.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index c32939c0..7638653a 100644 ---- a/libsemanage/src/direct_api.c -+++ b/libsemanage/src/direct_api.c -@@ -1022,6 +1022,7 @@ static int semanage_direct_write_langext(semanage_handle_t *sh, - - if (fclose(fp) != 0) { - ERR(sh, "Unable to close %s module ext file.", modinfo->name); -+ fp = NULL; - ret = -1; - goto cleanup; - } --- -2.30.2 - diff --git a/SOURCES/0008-libsemanage-add-missing-include-to-boolean_record.c.patch b/SOURCES/0008-libsemanage-add-missing-include-to-boolean_record.c.patch deleted file mode 100644 index b0af48d..0000000 --- a/SOURCES/0008-libsemanage-add-missing-include-to-boolean_record.c.patch +++ /dev/null @@ -1,37 +0,0 @@ -From ecf6e6a9fda1a28cc3df36841b44326ed0c12312 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 3 Feb 2022 17:53:22 +0100 -Subject: [PATCH] libsemanage: add missing include to boolean_record.c - -It uses asprintf(3), but doesn't directly include - fix it. - -Signed-off-by: Ondrej Mosnacek ---- - libsemanage/src/boolean_record.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/libsemanage/src/boolean_record.c b/libsemanage/src/boolean_record.c -index c234094e..bdddfa23 100644 ---- a/libsemanage/src/boolean_record.c -+++ b/libsemanage/src/boolean_record.c -@@ -7,6 +7,9 @@ - */ - - #include -+#include -+#include -+ - #include - #include "handle_internal.h" - -@@ -21,7 +24,6 @@ typedef semanage_bool_key_t record_key_t; - #include "boolean_internal.h" - #include "handle.h" - #include "database.h" --#include - #include - - /* Key */ --- -2.30.2 - diff --git a/SOURCES/0009-semodule-libsemanage-move-module-hashing-into-libsem.patch b/SOURCES/0009-semodule-libsemanage-move-module-hashing-into-libsem.patch deleted file mode 100644 index 06bfd12..0000000 --- a/SOURCES/0009-semodule-libsemanage-move-module-hashing-into-libsem.patch +++ /dev/null @@ -1,555 +0,0 @@ -From 066007029b3dd250305d7fac0bfd53aa1e4543cf Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 3 Feb 2022 17:53:23 +0100 -Subject: [PATCH] semodule,libsemanage: move module hashing into libsemanage - -The main goal of this move is to have the SHA-256 implementation under -libsemanage, since upcoming patches will make use of SHA-256 for a -different (but similar) purpose in libsemanage. Having the hashing code -in libsemanage will reduce code duplication and allow for easier hash -algorithm upgrade in the future. - -Note that libselinux currently also contains a hash function -implementation (for yet another different purpose). This patch doesn't -make any effort to address that duplicity yet. - -This patch also changes the format of the hash string printed by -semodule to include the name of the hash. The intent is to avoid -ambiguity and potential collisions when the algorithm is potentially -changed in the future. - -Signed-off-by: Ondrej Mosnacek ---- - libsemanage/include/semanage/modules.h | 26 +++ - libsemanage/src/libsemanage.map | 4 + - libsemanage/src/modules.c | 59 +++++ - libsemanage/src/sha256.c | 294 +++++++++++++++++++++++++ - libsemanage/src/sha256.h | 89 ++++++++ - 5 files changed, 472 insertions(+) - create mode 100644 libsemanage/src/sha256.c - create mode 100644 libsemanage/src/sha256.h - -diff --git a/libsemanage/include/semanage/modules.h b/libsemanage/include/semanage/modules.h -index 4b93e54e..26ac40b2 100644 ---- a/libsemanage/include/semanage/modules.h -+++ b/libsemanage/include/semanage/modules.h -@@ -282,4 +282,30 @@ int semanage_module_get_enabled(semanage_handle_t *sh, - const semanage_module_key_t *modkey, - int *enabled); - -+/* Compute checksum for @modkey module contents. -+ * -+ * If @checksum is NULL, the function will just return the length of the -+ * checksum string in @checksum_len (checksum strings are guaranteed to -+ * have a fixed length for a given libsemanage binary). @modkey and @cil -+ * are ignored in this case and should be set to NULL and 0 (respectively). -+ * -+ * If @checksum is non-NULL, on success, @checksum will point to a buffer -+ * containing the checksum string and @checksum_len will point to the -+ * length of the string (without the null terminator). The semantics of -+ * @cil are the same as for @extract_cil in semanage_module_extract(). -+ * -+ * The caller is responsible to free the buffer returned in @checksum (using -+ * free(3)). -+ * -+ * Callers may assume that if the checksum strings for two modules match, -+ * the module content is the same (collisions are theoretically possible, -+ * yet extremely unlikely). -+ * -+ * Returns 0 on success and -1 on error. -+ */ -+extern int semanage_module_compute_checksum(semanage_handle_t *sh, -+ semanage_module_key_t *modkey, -+ int cil, char **checksum, -+ size_t *checksum_len); -+ - #endif -diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map -index 02036696..a986b2d2 100644 ---- a/libsemanage/src/libsemanage.map -+++ b/libsemanage/src/libsemanage.map -@@ -63,3 +63,7 @@ LIBSEMANAGE_1.1 { - semanage_module_remove_key; - semanage_set_store_root; - } LIBSEMANAGE_1.0; -+ -+LIBSEMANAGE_3.4 { -+ semanage_module_compute_checksum; -+} LIBSEMANAGE_1.1; -diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c -index fa84d33e..3a82d275 100644 ---- a/libsemanage/src/modules.c -+++ b/libsemanage/src/modules.c -@@ -34,11 +34,13 @@ - #include - #include - #include -+#include - #include - #include - - #include "handle.h" - #include "modules.h" -+#include "sha256.h" - #include "debug.h" - - asm(".symver semanage_module_get_enabled_1_1,semanage_module_get_enabled@@LIBSEMANAGE_1.1"); -@@ -1146,3 +1148,60 @@ int semanage_module_remove_key(semanage_handle_t *sh, - return sh->funcs->remove_key(sh, modkey); - } - -+static const char CHECKSUM_TYPE[] = "sha256"; -+static const size_t CHECKSUM_CONTENT_SIZE = sizeof(CHECKSUM_TYPE) + 1 + 2 * SHA256_HASH_SIZE; -+ -+static void semanage_hash_to_checksum_string(const uint8_t *hash, char *checksum) -+{ -+ size_t i; -+ -+ checksum += sprintf(checksum, "%s:", CHECKSUM_TYPE); -+ for (i = 0; i < SHA256_HASH_SIZE; i++) { -+ checksum += sprintf(checksum, "%02x", (unsigned)hash[i]); -+ } -+} -+ -+int semanage_module_compute_checksum(semanage_handle_t *sh, -+ semanage_module_key_t *modkey, -+ int cil, char **checksum, -+ size_t *checksum_len) -+{ -+ semanage_module_info_t *extract_info = NULL; -+ Sha256Context context; -+ SHA256_HASH sha256_hash; -+ char *checksum_str; -+ void *data; -+ size_t data_len = 0; -+ int result; -+ -+ if (!checksum_len) -+ return -1; -+ -+ if (!checksum) { -+ *checksum_len = CHECKSUM_CONTENT_SIZE; -+ return 0; -+ } -+ -+ result = semanage_module_extract(sh, modkey, cil, &data, &data_len, &extract_info); -+ if (result != 0) -+ return -1; -+ -+ semanage_module_info_destroy(sh, extract_info); -+ free(extract_info); -+ -+ Sha256Initialise(&context); -+ Sha256Update(&context, data, data_len); -+ Sha256Finalise(&context, &sha256_hash); -+ -+ munmap(data, data_len); -+ -+ checksum_str = malloc(CHECKSUM_CONTENT_SIZE + 1 /* '\0' */); -+ if (!checksum_str) -+ return -1; -+ -+ semanage_hash_to_checksum_string(sha256_hash.bytes, checksum_str); -+ -+ *checksum = checksum_str; -+ *checksum_len = CHECKSUM_CONTENT_SIZE; -+ return 0; -+} -diff --git a/libsemanage/src/sha256.c b/libsemanage/src/sha256.c -new file mode 100644 -index 00000000..fe2aeef0 ---- /dev/null -+++ b/libsemanage/src/sha256.c -@@ -0,0 +1,294 @@ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// WjCryptLib_Sha256 -+// -+// Implementation of SHA256 hash function. -+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org -+// Modified by WaterJuice retaining Public Domain license. -+// -+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// IMPORTS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+#include "sha256.h" -+#include -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// MACROS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits)))) -+ -+#define MIN(x, y) ( ((x)<(y))?(x):(y) ) -+ -+#define STORE32H(x, y) \ -+ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \ -+ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); } -+ -+#define LOAD32H(x, y) \ -+ { x = ((uint32_t)((y)[0] & 255)<<24) | \ -+ ((uint32_t)((y)[1] & 255)<<16) | \ -+ ((uint32_t)((y)[2] & 255)<<8) | \ -+ ((uint32_t)((y)[3] & 255)); } -+ -+#define STORE64H(x, y) \ -+ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \ -+ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \ -+ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \ -+ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); } -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// CONSTANTS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+// The K array -+static const uint32_t K[64] = { -+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, -+ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, -+ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, -+ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, -+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, -+ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, -+ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, -+ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, -+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, -+ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, -+ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, -+ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, -+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL -+}; -+ -+#define BLOCK_SIZE 64 -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// INTERNAL FUNCTIONS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+// Various logical functions -+#define Ch( x, y, z ) (z ^ (x & (y ^ z))) -+#define Maj( x, y, z ) (((x | y) & z) | (x & y)) -+#define S( x, n ) ror((x),(n)) -+#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n)) -+#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) -+#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) -+#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) -+#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) -+ -+#define Sha256Round( a, b, c, d, e, f, g, h, i ) \ -+ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ -+ t1 = Sigma0(a) + Maj(a, b, c); \ -+ d += t0; \ -+ h = t0 + t1; -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// TransformFunction -+// -+// Compress 512-bits -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+static -+void -+ TransformFunction -+ ( -+ Sha256Context* Context, -+ uint8_t const* Buffer -+ ) -+{ -+ uint32_t S[8]; -+ uint32_t W[64]; -+ uint32_t t0; -+ uint32_t t1; -+ uint32_t t; -+ int i; -+ -+ // Copy state into S -+ for( i=0; i<8; i++ ) -+ { -+ S[i] = Context->state[i]; -+ } -+ -+ // Copy the state into 512-bits into W[0..15] -+ for( i=0; i<16; i++ ) -+ { -+ LOAD32H( W[i], Buffer + (4*i) ); -+ } -+ -+ // Fill W[16..63] -+ for( i=16; i<64; i++ ) -+ { -+ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16]; -+ } -+ -+ // Compress -+ for( i=0; i<64; i++ ) -+ { -+ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i ); -+ t = S[7]; -+ S[7] = S[6]; -+ S[6] = S[5]; -+ S[5] = S[4]; -+ S[4] = S[3]; -+ S[3] = S[2]; -+ S[2] = S[1]; -+ S[1] = S[0]; -+ S[0] = t; -+ } -+ -+ // Feedback -+ for( i=0; i<8; i++ ) -+ { -+ Context->state[i] = Context->state[i] + S[i]; -+ } -+} -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// PUBLIC FUNCTIONS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Initialise -+// -+// Initialises a SHA256 Context. Use this to initialise/reset a context. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Initialise -+ ( -+ Sha256Context* Context // [out] -+ ) -+{ -+ Context->curlen = 0; -+ Context->length = 0; -+ Context->state[0] = 0x6A09E667UL; -+ Context->state[1] = 0xBB67AE85UL; -+ Context->state[2] = 0x3C6EF372UL; -+ Context->state[3] = 0xA54FF53AUL; -+ Context->state[4] = 0x510E527FUL; -+ Context->state[5] = 0x9B05688CUL; -+ Context->state[6] = 0x1F83D9ABUL; -+ Context->state[7] = 0x5BE0CD19UL; -+} -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Update -+// -+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on -+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Update -+ ( -+ Sha256Context* Context, // [in out] -+ void const* Buffer, // [in] -+ uint32_t BufferSize // [in] -+ ) -+{ -+ uint32_t n; -+ -+ if( Context->curlen > sizeof(Context->buf) ) -+ { -+ return; -+ } -+ -+ while( BufferSize > 0 ) -+ { -+ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE ) -+ { -+ TransformFunction( Context, (uint8_t*)Buffer ); -+ Context->length += BLOCK_SIZE * 8; -+ Buffer = (uint8_t*)Buffer + BLOCK_SIZE; -+ BufferSize -= BLOCK_SIZE; -+ } -+ else -+ { -+ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) ); -+ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n ); -+ Context->curlen += n; -+ Buffer = (uint8_t*)Buffer + n; -+ BufferSize -= n; -+ if( Context->curlen == BLOCK_SIZE ) -+ { -+ TransformFunction( Context, Context->buf ); -+ Context->length += 8*BLOCK_SIZE; -+ Context->curlen = 0; -+ } -+ } -+ } -+} -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Finalise -+// -+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After -+// calling this, Sha256Initialised must be used to reuse the context. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Finalise -+ ( -+ Sha256Context* Context, // [in out] -+ SHA256_HASH* Digest // [out] -+ ) -+{ -+ int i; -+ -+ if( Context->curlen >= sizeof(Context->buf) ) -+ { -+ return; -+ } -+ -+ // Increase the length of the message -+ Context->length += Context->curlen * 8; -+ -+ // Append the '1' bit -+ Context->buf[Context->curlen++] = (uint8_t)0x80; -+ -+ // if the length is currently above 56 bytes we append zeros -+ // then compress. Then we can fall back to padding zeros and length -+ // encoding like normal. -+ if( Context->curlen > 56 ) -+ { -+ while( Context->curlen < 64 ) -+ { -+ Context->buf[Context->curlen++] = (uint8_t)0; -+ } -+ TransformFunction(Context, Context->buf); -+ Context->curlen = 0; -+ } -+ -+ // Pad up to 56 bytes of zeroes -+ while( Context->curlen < 56 ) -+ { -+ Context->buf[Context->curlen++] = (uint8_t)0; -+ } -+ -+ // Store length -+ STORE64H( Context->length, Context->buf+56 ); -+ TransformFunction( Context, Context->buf ); -+ -+ // Copy output -+ for( i=0; i<8; i++ ) -+ { -+ STORE32H( Context->state[i], Digest->bytes+(4*i) ); -+ } -+} -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Calculate -+// -+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the -+// buffer. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Calculate -+ ( -+ void const* Buffer, // [in] -+ uint32_t BufferSize, // [in] -+ SHA256_HASH* Digest // [in] -+ ) -+{ -+ Sha256Context context; -+ -+ Sha256Initialise( &context ); -+ Sha256Update( &context, Buffer, BufferSize ); -+ Sha256Finalise( &context, Digest ); -+} -diff --git a/libsemanage/src/sha256.h b/libsemanage/src/sha256.h -new file mode 100644 -index 00000000..406ed869 ---- /dev/null -+++ b/libsemanage/src/sha256.h -@@ -0,0 +1,89 @@ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// WjCryptLib_Sha256 -+// -+// Implementation of SHA256 hash function. -+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org -+// Modified by WaterJuice retaining Public Domain license. -+// -+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+#pragma once -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// IMPORTS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+#include -+#include -+ -+typedef struct -+{ -+ uint64_t length; -+ uint32_t state[8]; -+ uint32_t curlen; -+ uint8_t buf[64]; -+} Sha256Context; -+ -+#define SHA256_HASH_SIZE ( 256 / 8 ) -+ -+typedef struct -+{ -+ uint8_t bytes [SHA256_HASH_SIZE]; -+} SHA256_HASH; -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// PUBLIC FUNCTIONS -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Initialise -+// -+// Initialises a SHA256 Context. Use this to initialise/reset a context. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Initialise -+ ( -+ Sha256Context* Context // [out] -+ ); -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Update -+// -+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on -+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Update -+ ( -+ Sha256Context* Context, // [in out] -+ void const* Buffer, // [in] -+ uint32_t BufferSize // [in] -+ ); -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Finalise -+// -+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After -+// calling this, Sha256Initialised must be used to reuse the context. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Finalise -+ ( -+ Sha256Context* Context, // [in out] -+ SHA256_HASH* Digest // [out] -+ ); -+ -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+// Sha256Calculate -+// -+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the -+// buffer. -+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// -+void -+ Sha256Calculate -+ ( -+ void const* Buffer, // [in] -+ uint32_t BufferSize, // [in] -+ SHA256_HASH* Digest // [in] -+ ); --- -2.30.2 - diff --git a/SOURCES/0010-libsemanage-move-compressed-file-handling-into-a-sep.patch b/SOURCES/0010-libsemanage-move-compressed-file-handling-into-a-sep.patch deleted file mode 100644 index 1a49ac4..0000000 --- a/SOURCES/0010-libsemanage-move-compressed-file-handling-into-a-sep.patch +++ /dev/null @@ -1,824 +0,0 @@ -From f8c74eaf19df123deabe9e2c71bd5b3c2beba06a Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 3 Feb 2022 17:53:24 +0100 -Subject: [PATCH] libsemanage: move compressed file handling into a separate - object - -In order to reduce exisiting and future code duplication and to avoid -some unnecessary allocations and copying, factor the compressed file -utility functions out into a separate C/header file and refactor their -interface. - -Note that this change effectively removes the __fsetlocking(3) call from -semanage_load_files() - I haven't been able to figure out what purpose -it serves, but it seems pointless... - -Signed-off-by: Ondrej Mosnacek ---- - libsemanage/src/compressed_file.c | 224 +++++++++++++++++++++++++ - libsemanage/src/compressed_file.h | 78 +++++++++ - libsemanage/src/direct_api.c | 263 +++++------------------------- - libsemanage/src/direct_api.h | 4 - - libsemanage/src/semanage_store.c | 52 ++---- - 5 files changed, 354 insertions(+), 267 deletions(-) - create mode 100644 libsemanage/src/compressed_file.c - create mode 100644 libsemanage/src/compressed_file.h - -diff --git a/libsemanage/src/compressed_file.c b/libsemanage/src/compressed_file.c -new file mode 100644 -index 00000000..5546b830 ---- /dev/null -+++ b/libsemanage/src/compressed_file.c -@@ -0,0 +1,224 @@ -+/* Author: Jason Tang -+ * Christopher Ashworth -+ * Ondrej Mosnacek -+ * -+ * Copyright (C) 2004-2006 Tresys Technology, LLC -+ * Copyright (C) 2005-2021 Red Hat, Inc. -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#include -+#include -+#include -+ -+#include -+#include -+ -+#include -+ -+#include "compressed_file.h" -+ -+#include "debug.h" -+ -+#define BZ2_MAGICSTR "BZh" -+#define BZ2_MAGICLEN (sizeof(BZ2_MAGICSTR)-1) -+ -+/* bzip() a data to a file, returning the total number of compressed bytes -+ * in the file. Returns -1 if file could not be compressed. */ -+static int bzip(semanage_handle_t *sh, const char *filename, void *data, -+ size_t num_bytes) -+{ -+ BZFILE* b; -+ size_t size = 1<<16; -+ int bzerror; -+ size_t total = 0; -+ size_t len = 0; -+ FILE *f; -+ -+ if ((f = fopen(filename, "wb")) == NULL) { -+ return -1; -+ } -+ -+ if (!sh->conf->bzip_blocksize) { -+ if (fwrite(data, 1, num_bytes, f) < num_bytes) { -+ fclose(f); -+ return -1; -+ } -+ fclose(f); -+ return 0; -+ } -+ -+ b = BZ2_bzWriteOpen( &bzerror, f, sh->conf->bzip_blocksize, 0, 0); -+ if (bzerror != BZ_OK) { -+ BZ2_bzWriteClose ( &bzerror, b, 1, 0, 0 ); -+ fclose(f); -+ return -1; -+ } -+ -+ while ( num_bytes > total ) { -+ if (num_bytes - total > size) { -+ len = size; -+ } else { -+ len = num_bytes - total; -+ } -+ BZ2_bzWrite ( &bzerror, b, (uint8_t *)data + total, len ); -+ if (bzerror == BZ_IO_ERROR) { -+ BZ2_bzWriteClose ( &bzerror, b, 1, 0, 0 ); -+ fclose(f); -+ return -1; -+ } -+ total += len; -+ } -+ -+ BZ2_bzWriteClose ( &bzerror, b, 0, 0, 0 ); -+ fclose(f); -+ if (bzerror == BZ_IO_ERROR) { -+ return -1; -+ } -+ return 0; -+} -+ -+/* bunzip() a file to '*data', returning the total number of uncompressed bytes -+ * in the file. Returns -1 if file could not be decompressed. */ -+static ssize_t bunzip(semanage_handle_t *sh, FILE *f, void **data) -+{ -+ BZFILE* b = NULL; -+ size_t nBuf; -+ uint8_t* buf = NULL; -+ size_t size = 1<<18; -+ size_t bufsize = size; -+ int bzerror; -+ size_t total = 0; -+ uint8_t* uncompress = NULL; -+ uint8_t* tmpalloc = NULL; -+ int ret = -1; -+ -+ buf = malloc(bufsize); -+ if (buf == NULL) { -+ ERR(sh, "Failure allocating memory."); -+ goto exit; -+ } -+ -+ /* Check if the file is bzipped */ -+ bzerror = fread(buf, 1, BZ2_MAGICLEN, f); -+ rewind(f); -+ if ((bzerror != BZ2_MAGICLEN) || memcmp(buf, BZ2_MAGICSTR, BZ2_MAGICLEN)) { -+ goto exit; -+ } -+ -+ b = BZ2_bzReadOpen ( &bzerror, f, 0, sh->conf->bzip_small, NULL, 0 ); -+ if ( bzerror != BZ_OK ) { -+ ERR(sh, "Failure opening bz2 archive."); -+ goto exit; -+ } -+ -+ uncompress = malloc(size); -+ if (uncompress == NULL) { -+ ERR(sh, "Failure allocating memory."); -+ goto exit; -+ } -+ -+ while ( bzerror == BZ_OK) { -+ nBuf = BZ2_bzRead ( &bzerror, b, buf, bufsize); -+ if (( bzerror == BZ_OK ) || ( bzerror == BZ_STREAM_END )) { -+ if (total + nBuf > size) { -+ size *= 2; -+ tmpalloc = realloc(uncompress, size); -+ if (tmpalloc == NULL) { -+ ERR(sh, "Failure allocating memory."); -+ goto exit; -+ } -+ uncompress = tmpalloc; -+ } -+ memcpy(&uncompress[total], buf, nBuf); -+ total += nBuf; -+ } -+ } -+ if ( bzerror != BZ_STREAM_END ) { -+ ERR(sh, "Failure reading bz2 archive."); -+ goto exit; -+ } -+ -+ ret = total; -+ *data = uncompress; -+ -+exit: -+ BZ2_bzReadClose ( &bzerror, b ); -+ free(buf); -+ if ( ret < 0 ) { -+ free(uncompress); -+ } -+ return ret; -+} -+ -+int map_compressed_file(semanage_handle_t *sh, const char *path, -+ struct file_contents *contents) -+{ -+ ssize_t size = -1; -+ void *uncompress; -+ int ret = 0, fd = -1; -+ FILE *file = NULL; -+ -+ fd = open(path, O_RDONLY); -+ if (fd == -1) { -+ ERR(sh, "Unable to open %s\n", path); -+ return -1; -+ } -+ -+ file = fdopen(fd, "r"); -+ if (file == NULL) { -+ ERR(sh, "Unable to open %s\n", path); -+ close(fd); -+ return -1; -+ } -+ -+ if ((size = bunzip(sh, file, &uncompress)) >= 0) { -+ contents->data = uncompress; -+ contents->len = size; -+ contents->compressed = 1; -+ } else { -+ struct stat sb; -+ if (fstat(fd, &sb) == -1 || -+ (uncompress = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0)) == -+ MAP_FAILED) { -+ ret = -1; -+ } else { -+ contents->data = uncompress; -+ contents->len = sb.st_size; -+ contents->compressed = 0; -+ } -+ } -+ fclose(file); -+ return ret; -+} -+ -+void unmap_compressed_file(struct file_contents *contents) -+{ -+ if (!contents->data) -+ return; -+ -+ if (contents->compressed) { -+ free(contents->data); -+ } else { -+ munmap(contents->data, contents->len); -+ } -+} -+ -+int write_compressed_file(semanage_handle_t *sh, const char *path, -+ void *data, size_t len) -+{ -+ return bzip(sh, path, data, len); -+} -diff --git a/libsemanage/src/compressed_file.h b/libsemanage/src/compressed_file.h -new file mode 100644 -index 00000000..96cfb4b6 ---- /dev/null -+++ b/libsemanage/src/compressed_file.h -@@ -0,0 +1,78 @@ -+/* Author: Jason Tang -+ * Christopher Ashworth -+ * Ondrej Mosnacek -+ * -+ * Copyright (C) 2004-2006 Tresys Technology, LLC -+ * Copyright (C) 2005-2021 Red Hat, Inc. -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2.1 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA -+ */ -+ -+#ifndef _SEMANAGE_CIL_FILE_H_ -+#define _SEMANAGE_CIL_FILE_H_ -+ -+#include -+#include -+ -+#include "handle.h" -+ -+struct file_contents { -+ void *data; /** file contents (uncompressed) */ -+ size_t len; /** length of contents */ -+ int compressed; /** whether file was compressed */ -+}; -+ -+/** -+ * Map/read a possibly-compressed file into memory. -+ * -+ * If the file is bzip compressed map_file will uncompress the file into -+ * @p contents. The caller is responsible for calling -+ * @ref unmap_compressed_file on @p contents on success. -+ * -+ * @param sh semanage handle -+ * @param path path to the file -+ * @param contents pointer to struct file_contents, which will be -+ * populated with data pointer, size, and an indication whether -+ * the file was compressed or not -+ * -+ * @return 0 on success, -1 otherwise. -+ */ -+int map_compressed_file(semanage_handle_t *sh, const char *path, -+ struct file_contents *contents); -+ -+/** -+ * Destroy a previously mapped possibly-compressed file. -+ * -+ * If all fields of @p contents are zero/NULL, the function is -+ * guaranteed to do nothing. -+ * -+ * @param contents pointer to struct file_contents to destroy -+ */ -+void unmap_compressed_file(struct file_contents *contents); -+ -+/** -+ * Write bytes into a file, using compression if configured. -+ * -+ * @param sh semanage handle -+ * @param path path to the file -+ * @param data pointer to the data -+ * @param len length of the data -+ * -+ * @return 0 on success, -1 otherwise. -+ */ -+int write_compressed_file(semanage_handle_t *sh, const char *path, -+ void *data, size_t len); -+ -+#endif -diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index 7638653a..63a18808 100644 ---- a/libsemanage/src/direct_api.c -+++ b/libsemanage/src/direct_api.c -@@ -50,6 +50,7 @@ - - #include "debug.h" - #include "handle.h" -+#include "compressed_file.h" - #include "modules.h" - #include "direct_api.h" - #include "semanage_store.h" -@@ -446,194 +447,6 @@ static int parse_module_headers(semanage_handle_t * sh, char *module_data, - return 0; - } - --#include --#include --#include --#include -- --/* bzip() a data to a file, returning the total number of compressed bytes -- * in the file. Returns -1 if file could not be compressed. */ --static ssize_t bzip(semanage_handle_t *sh, const char *filename, char *data, -- size_t num_bytes) --{ -- BZFILE* b; -- size_t size = 1<<16; -- int bzerror; -- size_t total = 0; -- size_t len = 0; -- FILE *f; -- -- if ((f = fopen(filename, "wb")) == NULL) { -- return -1; -- } -- -- if (!sh->conf->bzip_blocksize) { -- if (fwrite(data, 1, num_bytes, f) < num_bytes) { -- fclose(f); -- return -1; -- } -- fclose(f); -- return num_bytes; -- } -- -- b = BZ2_bzWriteOpen( &bzerror, f, sh->conf->bzip_blocksize, 0, 0); -- if (bzerror != BZ_OK) { -- BZ2_bzWriteClose ( &bzerror, b, 1, 0, 0 ); -- return -1; -- } -- -- while ( num_bytes > total ) { -- if (num_bytes - total > size) { -- len = size; -- } else { -- len = num_bytes - total; -- } -- BZ2_bzWrite ( &bzerror, b, &data[total], len ); -- if (bzerror == BZ_IO_ERROR) { -- BZ2_bzWriteClose ( &bzerror, b, 1, 0, 0 ); -- return -1; -- } -- total += len; -- } -- -- BZ2_bzWriteClose ( &bzerror, b, 0, 0, 0 ); -- fclose(f); -- if (bzerror == BZ_IO_ERROR) { -- return -1; -- } -- return total; --} -- --#define BZ2_MAGICSTR "BZh" --#define BZ2_MAGICLEN (sizeof(BZ2_MAGICSTR)-1) -- --/* bunzip() a file to '*data', returning the total number of uncompressed bytes -- * in the file. Returns -1 if file could not be decompressed. */ --ssize_t bunzip(semanage_handle_t *sh, FILE *f, char **data) --{ -- BZFILE* b = NULL; -- size_t nBuf; -- char* buf = NULL; -- size_t size = 1<<18; -- size_t bufsize = size; -- int bzerror; -- size_t total = 0; -- char* uncompress = NULL; -- char* tmpalloc = NULL; -- int ret = -1; -- -- buf = malloc(bufsize); -- if (buf == NULL) { -- ERR(sh, "Failure allocating memory."); -- goto exit; -- } -- -- /* Check if the file is bzipped */ -- bzerror = fread(buf, 1, BZ2_MAGICLEN, f); -- rewind(f); -- if ((bzerror != BZ2_MAGICLEN) || memcmp(buf, BZ2_MAGICSTR, BZ2_MAGICLEN)) { -- goto exit; -- } -- -- b = BZ2_bzReadOpen ( &bzerror, f, 0, sh->conf->bzip_small, NULL, 0 ); -- if ( bzerror != BZ_OK ) { -- ERR(sh, "Failure opening bz2 archive."); -- goto exit; -- } -- -- uncompress = malloc(size); -- if (uncompress == NULL) { -- ERR(sh, "Failure allocating memory."); -- goto exit; -- } -- -- while ( bzerror == BZ_OK) { -- nBuf = BZ2_bzRead ( &bzerror, b, buf, bufsize); -- if (( bzerror == BZ_OK ) || ( bzerror == BZ_STREAM_END )) { -- if (total + nBuf > size) { -- size *= 2; -- tmpalloc = realloc(uncompress, size); -- if (tmpalloc == NULL) { -- ERR(sh, "Failure allocating memory."); -- goto exit; -- } -- uncompress = tmpalloc; -- } -- memcpy(&uncompress[total], buf, nBuf); -- total += nBuf; -- } -- } -- if ( bzerror != BZ_STREAM_END ) { -- ERR(sh, "Failure reading bz2 archive."); -- goto exit; -- } -- -- ret = total; -- *data = uncompress; -- --exit: -- BZ2_bzReadClose ( &bzerror, b ); -- free(buf); -- if ( ret < 0 ) { -- free(uncompress); -- } -- return ret; --} -- --/* mmap() a file to '*data', -- * If the file is bzip compressed map_file will uncompress -- * the file into '*data'. -- * Returns the total number of bytes in memory . -- * Returns -1 if file could not be opened or mapped. */ --static ssize_t map_file(semanage_handle_t *sh, const char *path, char **data, -- int *compressed) --{ -- ssize_t size = -1; -- char *uncompress; -- int fd = -1; -- FILE *file = NULL; -- -- fd = open(path, O_RDONLY); -- if (fd == -1) { -- ERR(sh, "Unable to open %s\n", path); -- return -1; -- } -- -- file = fdopen(fd, "r"); -- if (file == NULL) { -- ERR(sh, "Unable to open %s\n", path); -- close(fd); -- return -1; -- } -- -- if ((size = bunzip(sh, file, &uncompress)) > 0) { -- *data = mmap(0, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); -- if (*data == MAP_FAILED) { -- free(uncompress); -- fclose(file); -- return -1; -- } else { -- memcpy(*data, uncompress, size); -- } -- free(uncompress); -- *compressed = 1; -- } else { -- struct stat sb; -- if (fstat(fd, &sb) == -1 || -- (*data = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0)) == -- MAP_FAILED) { -- size = -1; -- } else { -- size = sb.st_size; -- } -- *compressed = 0; -- } -- -- fclose(file); -- -- return size; --} -- - /* Writes a block of data to a file. Returns 0 on success, -1 on - * error. */ - static int write_file(semanage_handle_t * sh, -@@ -1045,15 +858,12 @@ static int semanage_compile_module(semanage_handle_t *sh, - char *compiler_path = NULL; - char *cil_data = NULL; - char *err_data = NULL; -- char *hll_data = NULL; - char *start = NULL; - char *end = NULL; -- ssize_t hll_data_len = 0; -- ssize_t bzip_status; - int status = 0; -- int compressed; - size_t cil_data_len = 0; - size_t err_data_len = 0; -+ struct file_contents hll_contents = {}; - - if (!strcasecmp(modinfo->lang_ext, "cil")) { - goto cleanup; -@@ -1084,13 +894,15 @@ static int semanage_compile_module(semanage_handle_t *sh, - goto cleanup; - } - -- if ((hll_data_len = map_file(sh, hll_path, &hll_data, &compressed)) <= 0) { -+ status = map_compressed_file(sh, hll_path, &hll_contents); -+ if (status < 0) { - ERR(sh, "Unable to read file %s\n", hll_path); -- status = -1; - goto cleanup; - } - -- status = semanage_pipe_data(sh, compiler_path, hll_data, (size_t)hll_data_len, &cil_data, &cil_data_len, &err_data, &err_data_len); -+ status = semanage_pipe_data(sh, compiler_path, hll_contents.data, -+ hll_contents.len, &cil_data, &cil_data_len, -+ &err_data, &err_data_len); - if (err_data_len > 0) { - for (start = end = err_data; end < err_data + err_data_len; end++) { - if (*end == '\n') { -@@ -1110,10 +922,9 @@ static int semanage_compile_module(semanage_handle_t *sh, - goto cleanup; - } - -- bzip_status = bzip(sh, cil_path, cil_data, cil_data_len); -- if (bzip_status == -1) { -- ERR(sh, "Failed to bzip %s\n", cil_path); -- status = -1; -+ status = write_compressed_file(sh, cil_path, cil_data, cil_data_len); -+ if (status == -1) { -+ ERR(sh, "Failed to write %s\n", cil_path); - goto cleanup; - } - -@@ -1131,9 +942,7 @@ static int semanage_compile_module(semanage_handle_t *sh, - } - - cleanup: -- if (hll_data_len > 0) { -- munmap(hll_data, hll_data_len); -- } -+ unmap_compressed_file(&hll_contents); - free(cil_data); - free(err_data); - free(compiler_path); -@@ -1749,19 +1558,17 @@ static int semanage_direct_install_file(semanage_handle_t * sh, - { - - int retval = -1; -- char *data = NULL; -- ssize_t data_len = 0; -- int compressed = 0; - char *path = NULL; - char *filename; - char *lang_ext = NULL; - char *module_name = NULL; - char *separator; - char *version = NULL; -+ struct file_contents contents = {}; - -- if ((data_len = map_file(sh, install_filename, &data, &compressed)) <= 0) { -+ retval = map_compressed_file(sh, install_filename, &contents); -+ if (retval < 0) { - ERR(sh, "Unable to read file %s\n", install_filename); -- retval = -1; - goto cleanup; - } - -@@ -1774,7 +1581,7 @@ static int semanage_direct_install_file(semanage_handle_t * sh, - - filename = basename(path); - -- if (compressed) { -+ if (contents.compressed) { - separator = strrchr(filename, '.'); - if (separator == NULL) { - ERR(sh, "Compressed module does not have a valid extension."); -@@ -1798,7 +1605,8 @@ static int semanage_direct_install_file(semanage_handle_t * sh, - } - - if (strcmp(lang_ext, "pp") == 0) { -- retval = parse_module_headers(sh, data, data_len, &module_name, &version); -+ retval = parse_module_headers(sh, contents.data, contents.len, -+ &module_name, &version); - free(version); - if (retval != 0) - goto cleanup; -@@ -1815,10 +1623,11 @@ static int semanage_direct_install_file(semanage_handle_t * sh, - fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", install_filename, module_name, filename); - } - -- retval = semanage_direct_install(sh, data, data_len, module_name, lang_ext); -+ retval = semanage_direct_install(sh, contents.data, contents.len, -+ module_name, lang_ext); - - cleanup: -- if (data_len > 0) munmap(data, data_len); -+ unmap_compressed_file(&contents); - free(module_name); - free(path); - -@@ -1837,10 +1646,8 @@ static int semanage_direct_extract(semanage_handle_t * sh, - enum semanage_module_path_type file_type; - int rc = -1; - semanage_module_info_t *_modinfo = NULL; -- ssize_t _data_len; -- char *_data; -- int compressed; - struct stat sb; -+ struct file_contents contents = {}; - - /* get path of module */ - rc = semanage_module_get_path( -@@ -1896,19 +1703,33 @@ static int semanage_direct_extract(semanage_handle_t * sh, - } - } - -- _data_len = map_file(sh, input_file, &_data, &compressed); -- if (_data_len <= 0) { -+ rc = map_compressed_file(sh, input_file, &contents); -+ if (rc < 0) { - ERR(sh, "Error mapping file: %s", input_file); -- rc = -1; - goto cleanup; - } - -+ /* The API promises an mmap'ed pointer */ -+ if (contents.compressed) { -+ *mapped_data = mmap(NULL, contents.len, PROT_READ|PROT_WRITE, -+ MAP_PRIVATE|MAP_ANONYMOUS, 0, 0); -+ if (*mapped_data == MAP_FAILED) { -+ ERR(sh, "Unable to map memory"); -+ rc = -1; -+ goto cleanup; -+ } -+ memcpy(*mapped_data, contents.data, contents.len); -+ free(contents.data); -+ } else { -+ *mapped_data = contents.data; -+ } -+ - *modinfo = _modinfo; -- *data_len = (size_t)_data_len; -- *mapped_data = _data; -+ *data_len = contents.len; - - cleanup: - if (rc != 0) { -+ unmap_compressed_file(&contents); - semanage_module_info_destroy(sh, _modinfo); - free(_modinfo); - } -@@ -2857,8 +2678,8 @@ static int semanage_direct_install_info(semanage_handle_t *sh, - goto cleanup; - } - -- ret = bzip(sh, path, data, data_len); -- if (ret <= 0) { -+ ret = write_compressed_file(sh, path, data, data_len); -+ if (ret < 0) { - ERR(sh, "Error while writing to %s.", path); - status = -3; - goto cleanup; -diff --git a/libsemanage/src/direct_api.h b/libsemanage/src/direct_api.h -index e56107b2..ffd428eb 100644 ---- a/libsemanage/src/direct_api.h -+++ b/libsemanage/src/direct_api.h -@@ -39,8 +39,4 @@ int semanage_direct_access_check(struct semanage_handle *sh); - - int semanage_direct_mls_enabled(struct semanage_handle *sh); - --#include --#include --ssize_t bunzip(struct semanage_handle *sh, FILE *f, char **data); -- - #endif -diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c -index ae023582..c5ce071c 100644 ---- a/libsemanage/src/semanage_store.c -+++ b/libsemanage/src/semanage_store.c -@@ -59,6 +59,7 @@ typedef struct dbase_policydb dbase_t; - - #include "debug.h" - #include "utilities.h" -+#include "compressed_file.h" - - #define SEMANAGE_CONF_FILE "semanage.conf" - /* relative path names to enum semanage_paths to special files and -@@ -2055,60 +2056,27 @@ int semanage_direct_get_serial(semanage_handle_t * sh) - - int semanage_load_files(semanage_handle_t * sh, cil_db_t *cildb, char **filenames, int numfiles) - { -- int retval = 0; -- FILE *fp; -- ssize_t size; -- char *data = NULL; -+ int i, retval = 0; - char *filename; -- int i; -+ struct file_contents contents = {}; - - for (i = 0; i < numfiles; i++) { - filename = filenames[i]; - -- if ((fp = fopen(filename, "rb")) == NULL) { -- ERR(sh, "Could not open module file %s for reading.", filename); -- goto cleanup; -- } -- -- if ((size = bunzip(sh, fp, &data)) <= 0) { -- rewind(fp); -- __fsetlocking(fp, FSETLOCKING_BYCALLER); -- -- if (fseek(fp, 0, SEEK_END) != 0) { -- ERR(sh, "Failed to determine size of file %s.", filename); -- goto cleanup; -- } -- size = ftell(fp); -- rewind(fp); -- -- data = malloc(size); -- if (fread(data, size, 1, fp) != 1) { -- ERR(sh, "Failed to read file %s.", filename); -- goto cleanup; -- } -- } -+ retval = map_compressed_file(sh, filename, &contents); -+ if (retval < 0) -+ return -1; - -- fclose(fp); -- fp = NULL; -+ retval = cil_add_file(cildb, filename, contents.data, contents.len); -+ unmap_compressed_file(&contents); - -- retval = cil_add_file(cildb, filename, data, size); - if (retval != SEPOL_OK) { - ERR(sh, "Error while reading from file %s.", filename); -- goto cleanup; -+ return -1; - } -- -- free(data); -- data = NULL; - } - -- return retval; -- -- cleanup: -- if (fp != NULL) { -- fclose(fp); -- } -- free(data); -- return -1; -+ return 0; - } - - /* --- -2.30.2 - diff --git a/SOURCES/0011-libsemanage-clean-up-semanage_direct_commit-a-bit.patch b/SOURCES/0011-libsemanage-clean-up-semanage_direct_commit-a-bit.patch deleted file mode 100644 index 7fa31f7..0000000 --- a/SOURCES/0011-libsemanage-clean-up-semanage_direct_commit-a-bit.patch +++ /dev/null @@ -1,150 +0,0 @@ -From 129e121c9ab17f726a9a6294cfe04db97016e7ef Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 3 Feb 2022 17:53:25 +0100 -Subject: [PATCH] libsemanage: clean up semanage_direct_commit() a bit - -Do some minor cosmetic cleanup, mainly to eliminate the 'rebuilt' goto -label. - -Signed-off-by: Ondrej Mosnacek ---- - libsemanage/src/direct_api.c | 91 ++++++++++++++++++------------------ - 1 file changed, 45 insertions(+), 46 deletions(-) - -diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index 63a18808..7e99a59f 100644 ---- a/libsemanage/src/direct_api.c -+++ b/libsemanage/src/direct_api.c -@@ -994,6 +994,16 @@ cleanup: - return status; - } - -+/* Files that must exist in order to skip policy rebuild. */ -+static const int semanage_computed_files[] = { -+ SEMANAGE_STORE_KERNEL, -+ SEMANAGE_STORE_FC, -+ SEMANAGE_STORE_SEUSERS, -+ SEMANAGE_LINKED, -+ SEMANAGE_SEUSERS_LINKED, -+ SEMANAGE_USERS_EXTRA_LINKED -+}; -+ - /* Copies a file from src to dst. If dst already exists then - * overwrite it. If source doesn't exist then return success. - * Returns 0 on success, -1 on error. */ -@@ -1053,6 +1063,14 @@ static int semanage_direct_commit(semanage_handle_t * sh) - seusers_modified = seusers->dtable->is_modified(seusers->dbase); - fcontexts_modified = fcontexts->dtable->is_modified(fcontexts->dbase); - -+ /* Before we do anything else, flush the join to its component parts. -+ * This *does not* flush to disk automatically */ -+ if (users->dtable->is_modified(users->dbase)) { -+ retval = users->dtable->flush(sh, users->dbase); -+ if (retval < 0) -+ goto cleanup; -+ } -+ - /* Rebuild if explicitly requested or any module changes occurred. */ - do_rebuild = sh->do_rebuild | sh->modules_modified; - -@@ -1119,14 +1137,6 @@ static int semanage_direct_commit(semanage_handle_t * sh) - } - } - -- /* Before we do anything else, flush the join to its component parts. -- * This *does not* flush to disk automatically */ -- if (users->dtable->is_modified(users->dbase)) { -- retval = users->dtable->flush(sh, users->dbase); -- if (retval < 0) -- goto cleanup; -- } -- - /* - * This is for systems that have already migrated with an older version - * of semanage_migrate_store. The older version did not copy -@@ -1135,48 +1145,20 @@ static int semanage_direct_commit(semanage_handle_t * sh) - * in order to skip re-linking are present; otherwise, we force - * a rebuild. - */ -- if (!do_rebuild) { -- int files[] = {SEMANAGE_STORE_KERNEL, -- SEMANAGE_STORE_FC, -- SEMANAGE_STORE_SEUSERS, -- SEMANAGE_LINKED, -- SEMANAGE_SEUSERS_LINKED, -- SEMANAGE_USERS_EXTRA_LINKED}; -- -- for (i = 0; i < (int) ARRAY_SIZE(files); i++) { -- path = semanage_path(SEMANAGE_TMP, files[i]); -- if (stat(path, &sb) != 0) { -- if (errno != ENOENT) { -- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); -- retval = -1; -- goto cleanup; -- } -- -- do_rebuild = 1; -- goto rebuild; -+ for (i = 0; !do_rebuild && i < (int)ARRAY_SIZE(semanage_computed_files); i++) { -+ path = semanage_path(SEMANAGE_TMP, semanage_computed_files[i]); -+ if (stat(path, &sb) != 0) { -+ if (errno != ENOENT) { -+ ERR(sh, "Unable to access %s: %s\n", path, strerror(errno)); -+ retval = -1; -+ goto cleanup; - } -+ -+ do_rebuild = 1; -+ break; - } - } - --rebuild: -- /* -- * Now that we know whether or not a rebuild is required, -- * we can determine what else needs to be done. -- * We need to write the kernel policy if we are rebuilding -- * or if any other policy component that lives in the kernel -- * policy has been modified. -- * We need to install the policy files if any of the managed files -- * that live under /etc/selinux (kernel policy, seusers, file contexts) -- * will be modified. -- */ -- do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified | -- ibendports_modified | -- bools->dtable->is_modified(bools->dbase) | -- ifaces->dtable->is_modified(ifaces->dbase) | -- nodes->dtable->is_modified(nodes->dbase) | -- users->dtable->is_modified(users_base->dbase); -- do_install = do_write_kernel | seusers_modified | fcontexts_modified; -- - /* - * If there were policy changes, or explicitly requested, or - * any required files are missing, rebuild the policy. -@@ -1323,6 +1305,23 @@ rebuild: - } - } - -+ /* -+ * Determine what else needs to be done. -+ * We need to write the kernel policy if we are rebuilding -+ * or if any other policy component that lives in the kernel -+ * policy has been modified. -+ * We need to install the policy files if any of the managed files -+ * that live under /etc/selinux (kernel policy, seusers, file contexts) -+ * will be modified. -+ */ -+ do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified | -+ ibendports_modified | -+ bools->dtable->is_modified(bools->dbase) | -+ ifaces->dtable->is_modified(ifaces->dbase) | -+ nodes->dtable->is_modified(nodes->dbase) | -+ users->dtable->is_modified(users_base->dbase); -+ do_install = do_write_kernel | seusers_modified | fcontexts_modified; -+ - /* Attach our databases to the policydb we just created or loaded. */ - dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase, out); - dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out); --- -2.30.2 - diff --git a/SOURCES/0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch b/SOURCES/0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch deleted file mode 100644 index 251a08e..0000000 --- a/SOURCES/0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch +++ /dev/null @@ -1,492 +0,0 @@ -From 090a82e33be97d42eaa75bec85a32ccb6b7a13e8 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 3 Feb 2022 17:53:26 +0100 -Subject: [PATCH] libsemanage: optionally rebuild policy when modules are - changed externally - -In Fedora/RHEL's selinux-policy package we ship a pre-built SELinux -policy store in the RPMs. When updating the main policy RPM, care must -be taken to rebuild the policy using `semodule -B` if there are any -other SELinux modules installed (whether shipped via another RPM or -manually installed locally). - -However, this way of shipping/managing the policy creates complications -on systems, where system files are managed by rpm-ostree (such as Fedora -CoreOS or Red Hat CoreOS), where the "package update" process is more -sophisticated. - -(Disclaimer: The following is written according to my current limited -understanding of rpm-ostree and may not be entirely accurate, but the -gist of it should match the reality.) - -Basically, one can think of rpm-ostree as a kind of Git for system -files. The package content is provided on a "branch", where each -"commit" represents a set of package updates layered on top of the -previous commit (i.e. it is a rolling release with some defined -package content snapshots). The user can then maintain their own branch -with additional package updates/installations/... and "rebase" it on top -of the main branch as needed. On top of that, the user can also have -additional configuration files (or modifications to existing files) in -/etc, which represent an additional layer on top of the package content. - -When updating the system (i.e. rebasing on a new "commit" of the "main -branch"), the files on the running system are not touched and the new -system state is prepared under a new root directory, which is chrooted -into on the next reboot. - -When an rpm-ostree system is updated, there are three moments when the -SELinux module store needs to be rebuilt to ensure that all modules are -included in the binary policy: -1. When the local RPM installations are applied on top of the base - system snapshot. -2. When local user configuartion is applied on top of that. -3. On system shutdown, to ensure that any changes in local configuration - performed since (2.) are reflected in the final new system image. - -Forcing a full rebuild at each step is not optimal and in many cases is -not necessary, as the user may not have any custom modules installed. - -Thus, this patch extends libsemanage to compute a checksum of the -content of all enabled modules, which is stored in the store, and adds a -flag to the libsemanage handle that instructs it to check the module -content checksum against the one from the last successful transaction -and force a full policy rebuild if they don't match. - -This will allow rpm-ostree systems to potentially reduce delays when -reconciling the module store when applying updates. - -I wasn't able to measure any noticeable overhead of the hash -computation, which is now added for every transaction (both before and -after this change a full policy rebuild took about 7 seconds on my test -x86 VM). With the new option check_ext_changes enabled, rebuilding a -policy store with unchanged modules took only about 0.96 seconds. - -Signed-off-by: Ondrej Mosnacek ---- - libsemanage/include/semanage/handle.h | 5 + - libsemanage/src/direct_api.c | 187 +++++++++++++++++++++----- - libsemanage/src/handle.c | 11 +- - libsemanage/src/handle.h | 1 + - libsemanage/src/libsemanage.map | 1 + - libsemanage/src/modules.c | 4 +- - libsemanage/src/modules.h | 3 + - libsemanage/src/semanage_store.c | 1 + - libsemanage/src/semanage_store.h | 1 + - 9 files changed, 175 insertions(+), 39 deletions(-) - -diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h -index c8165900..7f298a49 100644 ---- a/libsemanage/include/semanage/handle.h -+++ b/libsemanage/include/semanage/handle.h -@@ -66,6 +66,11 @@ void semanage_set_reload(semanage_handle_t * handle, int do_reload); - * 1 for yes, 0 for no (default) */ - void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild); - -+/* set whether to rebuild the policy on commit when potential changes -+ * to module files since last rebuild are detected, -+ * 1 for yes (default), 0 for no */ -+extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check); -+ - /* Fills *compiler_path with the location of the hll compiler sh->conf->compiler_directory_path - * corresponding to lang_ext. - * Upon success returns 0, -1 on error. */ -diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index 7e99a59f..bbdca2b2 100644 ---- a/libsemanage/src/direct_api.c -+++ b/libsemanage/src/direct_api.c -@@ -33,6 +33,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - #include -@@ -56,8 +58,7 @@ - #include "semanage_store.h" - #include "database_policydb.h" - #include "policy.h" --#include --#include -+#include "sha256.h" - - #define PIPE_READ 0 - #define PIPE_WRITE 1 -@@ -450,7 +451,7 @@ static int parse_module_headers(semanage_handle_t * sh, char *module_data, - /* Writes a block of data to a file. Returns 0 on success, -1 on - * error. */ - static int write_file(semanage_handle_t * sh, -- const char *filename, char *data, size_t num_bytes) -+ const char *filename, const char *data, size_t num_bytes) - { - int out; - -@@ -850,8 +851,21 @@ cleanup: - return ret; - } - -+static void update_checksum_with_len(Sha256Context *context, size_t s) -+{ -+ int i; -+ uint8_t buffer[8]; -+ -+ for (i = 0; i < 8; i++) { -+ buffer[i] = s & 0xff; -+ s >>= 8; -+ } -+ Sha256Update(context, buffer, 8); -+} -+ - static int semanage_compile_module(semanage_handle_t *sh, -- semanage_module_info_t *modinfo) -+ semanage_module_info_t *modinfo, -+ Sha256Context *context) - { - char cil_path[PATH_MAX]; - char hll_path[PATH_MAX]; -@@ -922,6 +936,11 @@ static int semanage_compile_module(semanage_handle_t *sh, - goto cleanup; - } - -+ if (context) { -+ update_checksum_with_len(context, cil_data_len); -+ Sha256Update(context, cil_data, cil_data_len); -+ } -+ - status = write_compressed_file(sh, cil_path, cil_data, cil_data_len); - if (status == -1) { - ERR(sh, "Failed to write %s\n", cil_path); -@@ -950,18 +969,40 @@ cleanup: - return status; - } - -+static int modinfo_cmp(const void *a, const void *b) -+{ -+ const semanage_module_info_t *ma = a; -+ const semanage_module_info_t *mb = b; -+ -+ return strcmp(ma->name, mb->name); -+} -+ - static int semanage_compile_hll_modules(semanage_handle_t *sh, -- semanage_module_info_t *modinfos, -- int num_modinfos) -+ semanage_module_info_t *modinfos, -+ int num_modinfos, -+ char *cil_checksum) - { -- int status = 0; -- int i; -+ /* to be incremented when checksum input data format changes */ -+ static const size_t CHECKSUM_EPOCH = 1; -+ -+ int i, status = 0; - char cil_path[PATH_MAX]; - struct stat sb; -+ Sha256Context context; -+ SHA256_HASH hash; -+ struct file_contents contents = {}; - - assert(sh); - assert(modinfos); - -+ /* Sort modules by name to get consistent ordering. */ -+ qsort(modinfos, num_modinfos, sizeof(*modinfos), &modinfo_cmp); -+ -+ Sha256Initialise(&context); -+ update_checksum_with_len(&context, CHECKSUM_EPOCH); -+ -+ /* prefix with module count to avoid collisions */ -+ update_checksum_with_len(&context, num_modinfos); - for (i = 0; i < num_modinfos; i++) { - status = semanage_module_get_path( - sh, -@@ -969,29 +1010,91 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh, - SEMANAGE_MODULE_PATH_CIL, - cil_path, - sizeof(cil_path)); -- if (status != 0) { -- goto cleanup; -- } -+ if (status != 0) -+ return -1; - -- if (semanage_get_ignore_module_cache(sh) == 0 && -- (status = stat(cil_path, &sb)) == 0) { -- continue; -- } -- if (status != 0 && errno != ENOENT) { -- ERR(sh, "Unable to access %s: %s\n", cil_path, strerror(errno)); -- goto cleanup; //an error in the "stat" call -+ if (!semanage_get_ignore_module_cache(sh)) { -+ status = stat(cil_path, &sb); -+ if (status == 0) { -+ status = map_compressed_file(sh, cil_path, &contents); -+ if (status < 0) { -+ ERR(sh, "Error mapping file: %s", cil_path); -+ return -1; -+ } -+ -+ /* prefix with length to avoid collisions */ -+ update_checksum_with_len(&context, contents.len); -+ Sha256Update(&context, contents.data, contents.len); -+ -+ unmap_compressed_file(&contents); -+ continue; -+ } else if (errno != ENOENT) { -+ ERR(sh, "Unable to access %s: %s\n", cil_path, -+ strerror(errno)); -+ return -1; //an error in the "stat" call -+ } - } - -- status = semanage_compile_module(sh, &modinfos[i]); -- if (status < 0) { -- goto cleanup; -+ status = semanage_compile_module(sh, &modinfos[i], &context); -+ if (status < 0) -+ return -1; -+ } -+ Sha256Finalise(&context, &hash); -+ -+ semanage_hash_to_checksum_string(hash.bytes, cil_checksum); -+ return 0; -+} -+ -+static int semanage_compare_checksum(semanage_handle_t *sh, const char *reference) -+{ -+ const char *path = semanage_path(SEMANAGE_TMP, SEMANAGE_MODULES_CHECKSUM); -+ struct stat sb; -+ int fd, retval; -+ char *data; -+ -+ fd = open(path, O_RDONLY); -+ if (fd == -1) { -+ if (errno != ENOENT) { -+ ERR(sh, "Unable to open %s: %s\n", path, strerror(errno)); -+ return -1; - } -+ /* Checksum file not present - force a rebuild. */ -+ return 1; -+ } -+ -+ if (fstat(fd, &sb) == -1) { -+ ERR(sh, "Unable to stat %s\n", path); -+ retval = -1; -+ goto out_close; - } - -- status = 0; -+ if (sb.st_size != (off_t)CHECKSUM_CONTENT_SIZE) { -+ /* Incompatible/invalid hash type - just force a rebuild. */ -+ WARN(sh, "Module checksum invalid - forcing a rebuild\n"); -+ retval = 1; -+ goto out_close; -+ } - --cleanup: -- return status; -+ data = mmap(NULL, CHECKSUM_CONTENT_SIZE, PROT_READ, MAP_PRIVATE, fd, 0); -+ if (data == MAP_FAILED) { -+ ERR(sh, "Unable to mmap %s\n", path); -+ retval = -1; -+ goto out_close; -+ } -+ -+ retval = memcmp(data, reference, CHECKSUM_CONTENT_SIZE) != 0; -+ munmap(data, sb.st_size); -+out_close: -+ close(fd); -+ return retval; -+} -+ -+static int semanage_write_modules_checksum(semanage_handle_t *sh, -+ const char *checksum) -+{ -+ const char *path = semanage_path(SEMANAGE_TMP, SEMANAGE_MODULES_CHECKSUM); -+ -+ return write_file(sh, path, checksum, CHECKSUM_CONTENT_SIZE); - } - - /* Files that must exist in order to skip policy rebuild. */ -@@ -1030,6 +1133,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) - semanage_module_info_t *modinfos = NULL; - mode_t mask = umask(0077); - struct stat sb; -+ char modules_checksum[CHECKSUM_CONTENT_SIZE + 1 /* '\0' */]; - - int do_rebuild, do_write_kernel, do_install; - int fcontexts_modified, ports_modified, seusers_modified, -@@ -1159,28 +1263,45 @@ static int semanage_direct_commit(semanage_handle_t * sh) - } - } - -- /* -- * If there were policy changes, or explicitly requested, or -- * any required files are missing, rebuild the policy. -- */ -- if (do_rebuild) { -- /* =================== Module expansion =============== */ -- -+ if (do_rebuild || sh->check_ext_changes) { - retval = semanage_get_active_modules(sh, &modinfos, &num_modinfos); - if (retval < 0) { - goto cleanup; - } - -+ /* No modules - nothing to rebuild. */ - if (num_modinfos == 0) { - goto cleanup; - } - -- retval = semanage_compile_hll_modules(sh, modinfos, num_modinfos); -+ retval = semanage_compile_hll_modules(sh, modinfos, num_modinfos, -+ modules_checksum); - if (retval < 0) { - ERR(sh, "Failed to compile hll files into cil files.\n"); - goto cleanup; - } - -+ if (!do_rebuild && sh->check_ext_changes) { -+ retval = semanage_compare_checksum(sh, modules_checksum); -+ if (retval < 0) -+ goto cleanup; -+ do_rebuild = retval; -+ } -+ -+ retval = semanage_write_modules_checksum(sh, modules_checksum); -+ if (retval < 0) { -+ ERR(sh, "Failed to write module checksum file.\n"); -+ goto cleanup; -+ } -+ } -+ -+ /* -+ * If there were policy changes, or explicitly requested, or -+ * any required files are missing, rebuild the policy. -+ */ -+ if (do_rebuild) { -+ /* =================== Module expansion =============== */ -+ - retval = semanage_get_cil_paths(sh, modinfos, num_modinfos, &mod_filenames); - if (retval < 0) - goto cleanup; -@@ -1696,7 +1817,7 @@ static int semanage_direct_extract(semanage_handle_t * sh, - goto cleanup; - } - -- rc = semanage_compile_module(sh, _modinfo); -+ rc = semanage_compile_module(sh, _modinfo, NULL); - if (rc < 0) { - goto cleanup; - } -diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c -index e5109aef..8a01c53a 100644 ---- a/libsemanage/src/handle.c -+++ b/libsemanage/src/handle.c -@@ -118,20 +118,23 @@ semanage_handle_t *semanage_handle_create(void) - - void semanage_set_rebuild(semanage_handle_t * sh, int do_rebuild) - { -- - assert(sh != NULL); - - sh->do_rebuild = do_rebuild; -- return; - } - - void semanage_set_reload(semanage_handle_t * sh, int do_reload) - { -- - assert(sh != NULL); - - sh->do_reload = do_reload; -- return; -+} -+ -+void semanage_set_check_ext_changes(semanage_handle_t * sh, int do_check) -+{ -+ assert(sh != NULL); -+ -+ sh->check_ext_changes = do_check; - } - - int semanage_get_hll_compiler_path(semanage_handle_t *sh, -diff --git a/libsemanage/src/handle.h b/libsemanage/src/handle.h -index a91907b0..c4a6e7ea 100644 ---- a/libsemanage/src/handle.h -+++ b/libsemanage/src/handle.h -@@ -62,6 +62,7 @@ struct semanage_handle { - int is_in_transaction; - int do_reload; /* whether to reload policy after commit */ - int do_rebuild; /* whether to rebuild policy if there were no changes */ -+ int check_ext_changes; /* whether to rebuild if external changes are detected via checksum */ - int commit_err; /* set by semanage_direct_commit() if there are - * any errors when building or committing the - * sandbox to kernel policy at /etc/selinux -diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map -index a986b2d2..1ef664be 100644 ---- a/libsemanage/src/libsemanage.map -+++ b/libsemanage/src/libsemanage.map -@@ -66,4 +66,5 @@ LIBSEMANAGE_1.1 { - - LIBSEMANAGE_3.4 { - semanage_module_compute_checksum; -+ semanage_set_check_ext_changes; - } LIBSEMANAGE_1.1; -diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c -index 3a82d275..f1fe160d 100644 ---- a/libsemanage/src/modules.c -+++ b/libsemanage/src/modules.c -@@ -1149,9 +1149,9 @@ int semanage_module_remove_key(semanage_handle_t *sh, - } - - static const char CHECKSUM_TYPE[] = "sha256"; --static const size_t CHECKSUM_CONTENT_SIZE = sizeof(CHECKSUM_TYPE) + 1 + 2 * SHA256_HASH_SIZE; -+const size_t CHECKSUM_CONTENT_SIZE = sizeof(CHECKSUM_TYPE) + 1 + 2 * SHA256_HASH_SIZE; - --static void semanage_hash_to_checksum_string(const uint8_t *hash, char *checksum) -+void semanage_hash_to_checksum_string(const uint8_t *hash, char *checksum) - { - size_t i; - -diff --git a/libsemanage/src/modules.h b/libsemanage/src/modules.h -index 8a5c01f4..b828a534 100644 ---- a/libsemanage/src/modules.h -+++ b/libsemanage/src/modules.h -@@ -109,4 +109,7 @@ int semanage_module_get_path(semanage_handle_t *sh, - char *path, - size_t len); - -+extern const size_t CHECKSUM_CONTENT_SIZE; -+void semanage_hash_to_checksum_string(const uint8_t *hash, char *checksum); -+ - #endif -diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c -index c5ce071c..1fff667d 100644 ---- a/libsemanage/src/semanage_store.c -+++ b/libsemanage/src/semanage_store.c -@@ -115,6 +115,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = { - "/disable_dontaudit", - "/preserve_tunables", - "/modules/disabled", -+ "/modules_checksum", - "/policy.kern", - "/file_contexts.local", - "/file_contexts.homedirs", -diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h -index b9ec5664..1fc77da8 100644 ---- a/libsemanage/src/semanage_store.h -+++ b/libsemanage/src/semanage_store.h -@@ -60,6 +60,7 @@ enum semanage_sandbox_defs { - SEMANAGE_DISABLE_DONTAUDIT, - SEMANAGE_PRESERVE_TUNABLES, - SEMANAGE_MODULES_DISABLED, -+ SEMANAGE_MODULES_CHECKSUM, - SEMANAGE_STORE_KERNEL, - SEMANAGE_STORE_FC_LOCAL, - SEMANAGE_STORE_FC_HOMEDIRS, --- -2.30.2 - diff --git a/SOURCES/0013-libsemanage-always-write-kernel-policy-when-check_ex.patch b/SOURCES/0013-libsemanage-always-write-kernel-policy-when-check_ex.patch deleted file mode 100644 index b9d932f..0000000 --- a/SOURCES/0013-libsemanage-always-write-kernel-policy-when-check_ex.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 330b6efa010b3dac732beb49c98894a99dab0545 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Wed, 8 Jun 2022 19:09:53 +0200 -Subject: [PATCH] libsemanage: always write kernel policy when - check_ext_changes is specified - -For the use case of rebuilding the policy after package updates, we need -the check_ext_changes operation to always do at least the do_write_kernel -step, because the various semanage dbs may have also changed content -relative to the current binary policy. As this step is itself relatively -fast, we can do it unconditionally. - -Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally") -Signed-off-by: Ondrej Mosnacek -Acked-by: Nicolas Iooss ---- - libsemanage/include/semanage/handle.h | 2 +- - libsemanage/src/direct_api.c | 8 +++++--- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h -index 7f298a49..df919a14 100644 ---- a/libsemanage/include/semanage/handle.h -+++ b/libsemanage/include/semanage/handle.h -@@ -67,7 +67,7 @@ void semanage_set_reload(semanage_handle_t * handle, int do_reload); - void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild); - - /* set whether to rebuild the policy on commit when potential changes -- * to module files since last rebuild are detected, -+ * to store files since last rebuild are detected, - * 1 for yes (default), 0 for no */ - extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check); - -diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c -index bbdca2b2..252fc5bb 100644 ---- a/libsemanage/src/direct_api.c -+++ b/libsemanage/src/direct_api.c -@@ -1430,13 +1430,15 @@ static int semanage_direct_commit(semanage_handle_t * sh) - * Determine what else needs to be done. - * We need to write the kernel policy if we are rebuilding - * or if any other policy component that lives in the kernel -- * policy has been modified. -+ * policy has been modified. We also want to force it when -+ * check_ext_changes was specified as the various dbases may have -+ * changes as well. - * We need to install the policy files if any of the managed files - * that live under /etc/selinux (kernel policy, seusers, file contexts) - * will be modified. - */ -- do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified | -- ibendports_modified | -+ do_write_kernel = do_rebuild | sh->check_ext_changes | -+ ports_modified | ibpkeys_modified | ibendports_modified | - bools->dtable->is_modified(bools->dbase) | - ifaces->dtable->is_modified(ifaces->dbase) | - nodes->dtable->is_modified(nodes->dbase) | --- -2.37.3 - diff --git a/bachradsusi.gpg b/bachradsusi.gpg new file mode 100644 index 0000000..ff4e382 --- /dev/null +++ b/bachradsusi.gpg @@ -0,0 +1,321 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE97JQcBEAC/aeBxbuToAJokMiVxtMVFoUMgCbcVQDB21YhMq4i5a/HDzFno +qVPhQjGViGTKXQYR7SnT8CCfC3ggG7hqU0oaWKN3D003V6e/ivTJwMKrQRFqf5/A +vN7ELulXFxEt/ZjYmvTukpW5Li2AU7JBD0aO243Ld9jYdZOZn2zdfA8IpnE9Bmm3 +K/LO1Xb2F9ujF9faI5/IlJvdUFk3uiCKTSvM8kGwOmAwBI921Z5x/CYvy5kKEazU +lUxMqECl+Tu2YS6NDhWYNkifAIZ7lsUvGjW3/wfh7AvmAQyt/CxOXu9LL2nGzFhw +CIS4jVIxy5bDswNfHcaMX7B5WEyqTPtjzPAEMiLL4yHJZrHDPd26QHSaqtilVA4K +AeTYbME8iZIdacquFEq02PO9qAM21O48OknCTSolF7z6nBkk6l26W3EL+Gz5I2Et +3S9pab3FMjiiKVavM6UA5D0DQkNxxDn9blDXZyhX4HFrk+NnoETcGYFymPbbijgi +kFC4339/Z1aK31aJLkxiana5mqLthD4jCeg3B8Cp5IurqPr8QEh3FH8ZZhtdx2fX +TXHTmGQF/lXG4tg1eH5cb6wWGU93wD+5mf6czJlUZTY+kdevKtZCQnA0/2ENCOFW +Jdm/oMTUw6ozPd474ctzWKeO78e8yMvZst/Zp3Gq6SD9kcoPgiuMQ+BOkwARAQAB +tCRQZXRyIExhdXRyYmFjaCA8cGxhdXRyYmFAcmVkaGF0LmNvbT6JAjgEEwECACIF +Ak97JQcCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGOorUuYLENzy1MP +/2c4fH8eXWbqoot/vLE+hJ14k0leYOQhVSo4lNlxRlbKNd5MQSX/QjkQgJNECbB3 +LM0KxE/zwVOZ+umvmxLxNskOxjubE6NzoF7Sm9ydoqjwzenIpR9BVtg71mfjBOoL +PNrst7tHRE5btSnnnOS9ddt/y9JOIvQpkjtBTI2TfVcp2b4Domg7i4qU/hJ7hu45 +5oAi6rPPkr0pcGiDKTqi46l7+9orsj9Mxs1XTmrTMMB/eV6PCU7Fo4WJNXS8SXd3 +sEVxXvpyYjUTTnDuewjT1q8NL7anrsckS16WYSVGKzRhqtP1Vudt1F/D5cWKVqQp +vQl/XW/uQS2IsgEWsbRmIAEZIUOy4TnuF494C/A+1BbJBdUr4Nl9zPH2bjrJeqYk +TsvGQr1icgO4pUg5oC456htkqCxCuPRqqrGDAZBx54TldgPwvCo31+aPQJlOlWvI +uWD/depp0De3oTK9FDnHh3swE0vyn4Ht96+vM+KNnDYgJ1FEaw1efYePFACobvEB +o2ZpLbnDyqAT4MzfHpHSbwzUOk52ZOnkl/KrUIOxhXtf4dxRS6J70Rzb+HWS3rY/ +LgaMO5Q0BJfbvknguKmE8dO8jx0pTlVER9ujqp+bVPXmFMha1j8vyGhJ3eLJZaRL +k3jgfRjiUUb4lNp+hXpvBwIYeFWl5kFVKg2aPywgnnFWiEYEExECAAYFAlBq4WgA +CgkQ4J/vJdlkhKxmjQCfevlawFaGTx58nDFN+4j/2U6uaGcAn2g1sZcTUrEEYHdL +byAyw1GNLksOiF4EEBEIAAYFAk99mCMACgkQ/2iSBAM3HxDivAD+Lu8U54iGgL5+ +h9KpeV+ZlHgIpj4cD+BVL85L6AQ3GP0A/1TwZ1tS6Ag3ut2G6AL2wewR3v9Mgu68 +E0M5esz5of4oiQEcBBMBAgAGBQJPh9ZuAAoJEBliWhMliBCHMSUH/30V/E930OTT +oWeq+QKkTJuMF0lrA5NaAy+xWtrynMKoiAuM0KFNGPfrPehkoxR4D+MKXH+xh0j2 +bHl6fXOHJCKZLhCtsC/o8j7kkjIJjixBlwYMul21rxecke7Zt4XpxHARJx4208Lk +ztpzOd7ZnDP6KYav3itpxK8Eyj4g8N2omoTQ2Dcd+sCa0jgRkyskpPxdt0fK0D04 +XW7b1LZkxwzwrAGSpjAZVzpKBXANcSmUQDAaIhGvYSKoiwVe2eaE5lUmvAaJQaTr +Ud/LCIwFofTLSaBRX8fEOe+UwvW36VtynPyETyROeTMp//Cm5e2CQVPoDv79soyi +E/oUW9DFDhCJARwEEwECAAYFAk+Oe6EACgkQlGXZM5TcxIlIRwf/VjfbN3eVf648 +vXvDctsXfucl37i6Yue2COJiGYuZOrN7wYxVvH2to8P3V53YV9OqDpJl2NXUro1V +iUjFHuIKp23VbtyBAYsrLeTMmHLjnXlaUPSr6JUDHUQhCF34BTk17e9y7tXlEshF +YVyPlGum7JhyarHB2rRdjQk8kyTqmQ4yHjw/nP/HlvVxdgb+mTmudTPVBafOT1R9 +MJ/SN2x4bclT4cQ0hjNEy/TsFzVduQj8yNOMFG9r6p1Vb+u1wn3BTANIh55R9aDh +3JFFIV/jBTkxukxR5iyGQiR53nl0e0qnQFxpfhFGclh0RktjrHZ3DBAzcuYXp540 +Vu9aq9QuPIkCHAQQAQIABgUCT4bdRgAKCRDCPZG7HYJE34FtEACfqPwWSItk1lNX +E0HOM1YuHXFfMGURF1AotskJatwtjGy9oDUQkjfsPROnWjgH9s0xD2UmlTrjJfWi +BdH0kTLiExVUOmvnM9VFMRhYxQZMwiHecm4FZ5IWUz4e05oGCkHFbMswXEoEG+qq +btOfLNpX67yy/JM6We+8PiXV/c2vaErpH5S8YChb5wD9lEWNM2aPBOUmbzONM1/f +EFd8AF6fUVYN7htuyG1n5zTv+oowmO2c0terJRGmMgVuLugIEnKKhaQ+H1K6bdZJ +7mX4xxx5izEyYeYhi9DhBHSwCLhWR+Yilqkc5U0nrF+3Z+Cb9THHppi071OIQ7pX +rGsQSpDzGRXCw0nKEBm0Li13re8cOoHMlPD0RHWZEIRZGSYX1YKBtVuv4kpSq8GN +85lZSDKGRNtbJBS7Qj4vyOlOrBO1eyyd4lepQCe2Ri3gU97rek52tOM+fAIibz7V +b4a0qbbphrz6PVMbDGiBxM92+YpdDyZGyL7wJ4g6DhRRcEUQahlZ1n7y+YQ60ETs +zt7+kD08Zi2BoJpiMHsFfoas2pot7VePFxGutwvq0p+OHSVlwkLgOaORPHumLA8u +J3BGlJTHsErUB2EEgdc/Tv1vsZzEI3Zi+hqw1gcbke21Ii8aDfshbeKW9hYJAhnW +m8VdF3n80UX5Eg56iybrLCjEyiAEYYkCHAQQAQIABgUCT7yYRAAKCRBOBfZjp6Qb +nnyTD/4gVbq8H5ka7fVdSAnX65/kFn5xkqGzbpCkjcqe/5uI2CvdYtjeQ4K6sm7I +5RLoyu/EE/JPbCRHiucsEak42WAZSRte/Wn2yTQpIb0mQ0wXJvuM+Hx7DSx2R12P +9rIZ4mGo/rEtdG7Y9Vog9M/XGx7w5IqSw2DF2yiYQJXsOzHjphfYB8JfoqjW/73k +n4E2IRJtCuWhfiJZJ+GEGceSBIredH3o01ThtbAeh/gzPRF3FU1361zyA1sXtmGe +qwnhNL1spHRlpub3cvAXQ8RSYrNdiFZB5zohNt+iL+qzVWaUJo+vYZal1Co5/roI +HN5nJef8kp1ngaYKvf1hIVvsdQsilVQIXKFWMd47aU6W8gPr1W2+U4yw+q+OXari +eo7gpH7/OvMSe/3wOhGVD8KJrMwAVnr3M4wo2CM6zlwxPGdltQI+IxDD8NTGTmNT +rRARYRQaFQyqd1SrVt4sSkeoegrpOG4oWXya/v4SeXHD4vt8vvvX3A4szB73a355 +IfbyRXDER3EfFfW5c+BnR3bxhfATTE6T0AKz1Gq30Xm2ycTGYCAZ2yBKewaegTpx +3O/E6APTXUnVWTIPQay8T4iVUiLFs7W1UFMY/RvmIvKKFIQWcm5O0L+27PJK+YSx +Uoo1Ivt1pclTuetbRbN8VnR3K9Pp5uZ4KLz6ZkffmJg2sOSu74kCHAQSAQgABgUC +WWMlagAKCRAyfirUINN1OOtFD/4jW0ZMGigpruCnvY0nr47rA12X6dJ6+KIBE+XB +QxuaQRjM5u44geksDwrqZ0nXrNvsa4SVwAhKVOrgMJVdzvUa1m2yeNCFHOTjln6Q +GjZ5f3a6aj6n/X5tlPptdklUr9ucEwXVd5fFMpWAiwaqZt38I2u0Pi+/qHDt0kLy +RSukmRPzRuS/kO1ugGO4aoO+sanVDl2Pq6LIwubL1Unk2HUerg8VCAyQrxYtZtHc +coyhmBTlAb+EmZnUVbQZ3Uy3eA89OuNTBhJWCk8vqROFm257MiH6gvG/V8CTrJfz +lpE+s9E6kxXhXpQWZUwtwWObq7vrJVkJhRwBsO9N2erxe+biBauFErYQPw3bg6xL +1BJLxDWnKUlMWs5o+h7lyjp+1B/gbnnlrUIlpW8IKVZRHwRUPGRN07SbbEO1lDk5 +uJDMk+r2KrOUNVYCEp794P014xodkLvB8X7ml6tcABE4V9d4uVDX3SsktOLMvtWg +nL6xWMoBYiVOXi3Rsm8vESBOb8JFQL/ItciUyAioM4Zjq5eqotVq90HMBO9kqcjC +YsYEs6RACRmyE+TNmzGoucIPTwPEi5Ib4gj+LG6iPOBprk5DSjD7F0/wnQPoq8PY +HIufb4+PgOXKf/ROQXDRLeD6eZBtPcDUJOgW19m7QcXZ8fvo6B91COe9jTF/H/i3 +A7NjR4kCHAQTAQgABgUCUQZ8hwAKCRDZsFd72T6Y/MoUD/9xxmXbPL2Zto6qECXs +Q1GFuydiYlURxDsVUiuc1tSgEoDb8XcXl37l/IKX1QmcpvHMPzeT0g8sNwIXSnL6 +BNCnFcfrd0tEz8uBPxVnzMiGwaHP1kB6Vs6sNV31+CJcTz8BHHbOdXZnhHqXSb02 +SonqAYeWVSlE08Ejvq0HIWRn6NIGdGqv6icBExryJjS3ZChRFpvgAJwsVO5f6BKH +oZnEn79uQR4XPHwuxRbm4hf6iYEbOhE7Hod6kTzS9vYIhyuTFTz5Kz/YxlMoZX/j +TIYsX0nZ3r+Tshur8iUXJhKvvXVlGyrGO2HXfEuIpJqEx4/qM9jUNP0EE7aPzZ6f +BP7Xq49Dx9lnZuSQ1jeXxEEpO+AND2xmnjCHr3EfgYZrrhCSxMQhvJh7wypkzu30 +D41BHPOPSotmM7WLceHWmYui0Wuq9X2hom5jq11XwACEtmNiP/odXjF0ovfK0d8l +j/kivgrXAZdN/ONJapVSLkRMS71S6eln+urR9HfswEfM7IPt0cRwN1oNIhXmK14+ +XBWvvwvalfuxG2UfxD8K0JXMwARlpGlV8lXpuzDV8EcrvLipKpqiQWaJer64kaQb +8qHEtT6+JNoGkymohrfeVagxKmPzDWR4v1a9lgZwY1FTRHNVPM0P8LWlN9q0CrYc +poBwkhTMV1YJ1OBSrkM9IM2vsokCMwQTAQgAHRYhBGMZHOlBgwmGicq4237xN+yT +Ww6vBQJjLRkzAAoJEH7xN+yTWw6vZSYP/36Bt4QhRtIh6HPWbHraFSl4omnuISu6 +lTHsqhik81nbIUiLZ5e/KN6ONSgD2jfMVQOLiPTQFOoxVZvOjaHmHvMuF7BCbr90 +Afh1qXW9txuPbVkhtC6hqIMn87b8UHEnt1l5MiafQnPHhoociqaqwfls/iu0nJGu +Jf5eVMXpdeWRk+ckGkqP+tXp/0G933jibSdYqwG1Tsw9D98xnGV3a/+zIqRtJflp +HPEjHPT6rVKAZxk7gkYSSsv6ONBwZHqwe9W1I+U4t6OPkGo5kNbMPBORB6/7B2Qo +LHx3+KYZs1j6glI+F/8IX2+JSFs07saMnsDhE7w5FzmwWV2JcUt42RSf8DVub438 +jgA/Ht5yPROEJ87de78aD/t/gPq/Gm3bnUz1BW0jxBidjqg1qPOMYjC7n4dH8X0N +cRfX6tWOdSXmDBbPg/vQi6CEIhsGVisKlnrgYi1wDZExU6UVMnBNvllUu9PXye+7 +51cIbrb+fwAWiwmu+AsL0qsjxZYo+9ozOLh9wLUhxOY5MZM82alN/mlUGzEiXN3R +i7D3rDrNFHdI4LGGLbO2hjPYrG4hdNHS+6WbU6qYcpBEhrqBtnUjoVqIKP2boBLR +ara7hHqVO120s8kgGtf/AoYpggD0H4qqUy4EFNjVdcL5T08w6ldQIYo7CEa1iHFt +ML4bsPcJh8lciQIzBBIBCAAdFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAmMsvIwA +CgkQVeRaWujKfIqNXA//fjCpyIPPd6RnJhagWH8XCp5NB4cCT+LqAIR5yZfz1QE8 +Qbzpoobz9ysgXZ5XjLp/lbVffGyg986j0wUtSW1+g3kJcYXBUKjSWoBwwmZgyZky +95U+uklY8CdPjSeuzr2I5X/LogHNH1378d9aEmQXBfX1uW5g4Aqgnl0OOgkCVzgs +FFOO2o1j6svrrDVG52/mwXhNRm0yYK/hFB8T3PO2IvMQGDGJLHl6N5Kl7P2jtkyF +Isi4AEzJeop/2GJYXQ+VkUTSNRKQj8oOS5qe9/0RkF9uqeamoc81n2But8MZN2fv +R7ug2EuG2LHp9/pwu5ekohXmY8EtMbVbU7TYKgduK0FMBaK36jXN4Bapakfxr1z5 +pwdDjN4QiqUefBQlG1CJ6fGrqbdAupzRRDqN974rs5HafnbxioYRYjoo4H0zC8XN +UwgmA2wrwIIY/cyNCSnUuT8yVAnroPiFgmMoL8RM7C5pHQYh0u3fXPfvNBswjXmR +pJ6mhTqG6SS4qIaPhqoZqA1iyA6+Ua3YLBDT5wqvuqNMnfLtLUvMuridmlj97cRc +srQIr022NdpafDQVAiVhZO0CRyFd/++XT35iiDoiv20+LewC0VVza466AE1fkAme +rKlurlET8U/+U0JB6IP77ErjMgCzotV8e1DJkp/M37nMeNzazAb//ovsdkNM6P6J +AjMEEwEIAB0WIQRFaBEoRJtl+IDGF5c6hKlGtLpirgUCYy3RvAAKCRA6hKlGtLpi +rvhHD/99Lvgf+CjbhwC87CoKX84MyAyBlYACCSuySQBnEsVigz8sCVyTYDx52h1h +/SEj7XfTylAfIl1CjUedH4w3hk+7IN4scmhf5eeEMvQd8q+Q/hWQcXIUpwgKOcVD +NbUgYcbakJAPtilK1CeQvDdBD+aYoMsJTsII/f7FJzwjPM1XGf5EoODUC8BtQf/W +KAVoESwwAUwN6Y5XeYSwMqu1s7IHs3yNYLV8C6A7EQPVaVVlORqI+33rKyqAhK5X +ErNvAREQPYJMfRnQlIW7alSORwdG0JBgVLgV+jvoFo4a1AQImHDDtKxs2X5BCVG1 +I687uYDBy5Assl/VxRMIUpx5+zWvXyDZX/6nlL7AMokTlyosgP4iiifBS+5KMhan +phMgnDXYIJE10V46Bdw2tjd7wMKey6BcKgfbZSvU5z+SuVnQXCyl3/blRML54I5o +EomXPg6lgVxSb6BBnaJXzx4JKgLer5uom1OGsLgPMqEHRoO3bucr2xFdtq1Zegw4 +9S3qDhQ3bn8pg9JlYwmAAhBd3Xy5cPv01mV6ompOQ38SlMCJzcAGASdMw5scaxUl +7MloV2Nl32HIzPjK47bF7aVOFX7Tz+rEFLmJCchqmUSdxi42rJyHKVRqiAlNfZ9S +9FeaEfU+vBxOHsLNqVO7ErvrTafT5fjphZqvUTqZGCUiJUjPnYkCMwQTAQgAHRYh +BOJeJUyO5NMDVUv1r+xwGh2klMXrBQJjL1NOAAoJEOxwGh2klMXrYaIP/ifHM9eU +UT6JD0m6Oa3P3T161NhOvNqr71LDSztClsWo3XX0+ZK3wpjoC6vKqgx0Cc8OL1S2 +GqwCaxb5JqWpsoqR3NW6bTqTTUGREj/e0JHDeBzv57OEUTe4ea7qzqjhCX6iyzHa +qDP9fiAogMQ7uT2oCghDV5yo4JUrG5brw8GkMLEvRSs2BEv7xFAySRaGwNj+oziZ +VzL7sBzp1bCr5cwNZVYxoo3VAv6FUcExp1TydxzPVB8/VvxOa4zrht+hFTn6mjUi +NHBc7DYECgh4jlDR6TnAdvpg0FsujTXiN6A0obOUl9jGz2uFmdY+2ojlVtzqKXoP ++PDz8o2zMrRoQYkni9VyIc536E4OFIhfO6CrThMjJjPNn22Tq+fzRYkWTrlJom9b +nOldQ1BdUXQt2QNigdzqjhZTIgF5OEOTERh80dvwIbZ+7vN00BOsuncR5GUBQerU +F6+SksVRAaOg2lyoDdxUQ+Z28RU8R/n7VjMV8ctFkQvHHLBqKkpET8LRh0C/jSNh +gB8zLPc3Oa4wTf2xZWO58S18esbYMr74vRYrsACbmwxH5Tz+L6Br70Fmcz608+IQ +ESKW3657gemZgFud3AGokzKG5AuWykSinydiZbK8MRGLsdfPUojaVIgXFqnWKtkH +At9gkD8YbqGYzuVwBnljBNRdTUMk0ClgV6pjuQINBFom2R0BEAC9k1Ky6AIe9sPP +xrgsrXRe0dyYcoHufzeU3jFssl3+S4cRuvYCzdZfRfdjfHa4n+CxTaOd7xkefwJg +GpaR9KJbu8dqHm61GIiS5ZbMCRU8FAW6ohVeDqEwFrPAzZjtO41OTpeXCrPu5H5A +Tg/kDnabzlD2H8JWAqr0DYRRhFtJUihXUey9zK03wSjUi5E1+YHUC/fOpbS+msNN +945CeQNBN4Ljap9Q183Fkh0Wm4Q8C0OS1WN8a0XtqSALRCGAZ+EV6UrmQVP9PCC4 +/J0hoKQPv2bfpBAsrUGAO3Fnsw7804i2TY7O3JA8gGDYX6fwOVJMUXdD7FX7LM2P +pESqAdPrjqmPqHT8cPfq27GYgqHv3N4hP9Rjt9wxmHYFbJT0YCHw2ZMiAO/VcvvN +miGr590ZFiQEb1MJN1r+h5UDE1CtF6nTieirSXi9oMilHlo2NY5nAItv/T9PKk4X ++kaH3UoicMxrkT34tACGwxi4VIRYWL+ZquxE+bwXqAvbGJ0p3XbyREURCaO96J/2 +w951EvZErpFRQu4zzClmoMiNbwkQ8QdesSaqjMirlHyFI8T9BZrXbPazdVNUwfyR +LFil1q/kgXjXeJDoje73UiyGhqhlVOlEbunGzCwEBzrtQdPTDeFQr476/4pe0v4u +gdNYkL/gY8Izodn47d1XH68AuRSrzwARAQABiQI2BBgBCgAgFiEE6FPBhIsBhc9C +hk3zY6itS5gsQ3MFAlom2R0CGyAACgkQY6itS5gsQ3PQSA/8CZGTxQDbD2oLkGb6 +tyECIs5A1RsfwJ9aj0R/HuEO39ki8yM88fwi8F5AfzNcmYwp0rxyYDDYM0itObSv +A9WBB8YFZ2PKT1YHrwTzWbne+spmQYDRdFt+0Kx0JLvgv7SYvQ1jNdCazixH1SAM +9O+Tn5oFybVHjRavWsQYHp1CvXY5kOHOEDHhz37pGwFvyVyFdSYS5PWT0+0XU/g6 +Uq2HeFCurhUGuDXJ6WA6Ipvmu0vbi8GpyeiWCRoG76sqbBfQ7dd0oDMUHitewWGq +LP1Kioke9hu5p9CbkjYwGZjJWZEV6WHxOmICfFcBRPeIJyO8Kfa/vVBfQZj9fhqs +3sHSfAGIdKIB3tX0qKhMRdu/QoM14YQ1yK80JTUUOcrKLDt6QJinF1UQ/OcYQqGB +CXaRk1OKGFuuij16QudnX56+aYbNPltf7cLs1O7aodQcRxmMSgxSE/2ckthPYBsX +PWuDMYZCb3e6JMWsdnCI7iPpoPFAJmId7SWJebXZxntoX6YwZ7Tx58/QMLEqxMfE +ExQTAFg8/owvxCG12KaharLr4GpLx0aU39QEJenG1LqGLwiQh9Vxsejw+MkebZJE +6zhs7XBpenrd5c9OFOtb/Goxwal/6UXz7a62jZ7wDNpJw9xOfC3/eX/56+6dLVef +RFj/LOIu9reM4boTiY2dmGj1QC25Ag0EWibSSgEQAMhQB2Q329FSozPk7V6dYBO+ +jDBMr1jHWvNMCR/2DkwXfDAKK3haSWSqr51/wua9skFRezQvc9PhgvOIJi1jsxRf +xNoM82a2OpYJdj16FG5RVQ/ApojiywNvp1YPJbmq4DfXSuUA6q+OephsFLrx2cPY +nyDQaI6mrqTBecET4cdQTZK0nKKUPj3U2bI96zTBIYK8Kr7GMKXm8R1eV8bktwHT +HyDjI7hN5EjZViYqZYDQ3jt2vC1Aj6XpFw5K7Sv6f0l91zyjfcu6Llsfo8xtRhAl +lub8EBuO6ljJ5uWqDgjqTOkDXcIAUkhUCg8ztweR15zgJQQ/On0XDcHLtyi7zuQd +xNaKYKkD3oROTqce+YbNN3qnP4bV0qa0JLlTOrE/0/zmif7Q1zYOidcmMgGeF6Gp +pGQkkxY4gSKet8kD8h4AZXGlpFu4e9sue1ENDRmgWaqSzIWudMRZ3z0/s9EGNNiW +60nwJ1NBoySeQEmnwMzAHXneRM9pRGQ1S3/CKttq/0eWEH3Y/Td9xi4DNvTXcvgJ +uUUwoclWP2PCPg3zE+EQ1q/Kt2oYrT8NcemM9EO8btNzJ/Y1wSDLFAFNikHwYjTM +86jWoeGhSM3fD9HJjfqoB41gDKvNIVlhQavhe6df4+AoCo/mGosLYAPFaHHdkmqn +eT0Y0BnTRIS9yLcO8CBVABEBAAGJBGwEGAEIACAWIQToU8GEiwGFz0KGTfNjqK1L +mCxDcwUCWibSSgIbAgJACRBjqK1LmCxDc8F0IAQZAQgAHRYhBNalthyaVTQWgpLb +Z74iCR4+9iJ1BQJaJtJKAAoJEL4iCR4+9iJ1D2AP/1VMC8KOmzPYyiFY+1xHu2rv +siB0f80GH1jXwDSM/IKvsH1axCD0hMV5sSi52epCov37czSlR3MpQjo0xK32wJB9 +26AgbzJYZO48qulDUXUhPWJ9bxiyIcxI/3KEspY1RMoWv8AfYA/qSma1cSdT4IMo +SGJzPh3RyrUpeFP5QT02oGa5TuSQPiJwy/b9u+RVOi1SSqzHMJdKzZehGays65Pd +jC8Xtf4ipdYRBr6mIyUISOB+FBkY2MttFzNDUBdDrOepyjStQLZ1vUXnYKIiSRHX +o3XTW/W8fh72o26zeDbQcALywQMZqnwtrZluzKHZxF07whKmXvw9pUHXX6hbJDvm +GVMxnB/F6grPNi/V+Bv75sKOdImgnJBUp1Jz7288SPbNQwrqFKV2ZD3f0PFmolFj +Cz/Oc+UUk+swfnsT3pV6LClTThsOH8WlKJYxZLneX75HuVx4CmT+qv6GlFQuixjc +H0LtsbbSjAx7J2LRNVtfI+2DfMcIi8KJxe69MAKGqqxDyDPSWeFrs0MHmyD6/6m+ +GTovgUT5jOZbR6GVKelW054bmby0zQevWnRieANVeFoFsnwclJnqKIRzQiGod1p1 +b8HhSCw4nOeOQSifaOf3zcnFhYyByDMOtl3/AqGoLp/61u3Bk9h+BP4VPR3RUWzc +ggjmxJM0MrLzjaSXSedjzuQQAIq9g35FGpnaB8d/EjufED1TVSOkvNK/qJ+dD4Xz +f5RvnbprofMnzfEyy8jJ1Vqc3QZQU3IDQt/Un2ZywX0OboKGAIn/gyfwdkpnxJ0j +JoxRBuMplNpfNBw+oe0nFuozO9idFozKM+SWoE051/jvGHp1FqEPLnAAGeSbWB0L +RlAsnMjc5u6+SKHeFGRKYg7U0sO7ZKbVIT4ZmRnsQLDakHwbAgfcIakh9Whj0Ou5 +r78Cs+DcM3XAdtZ04d81jV5TsveR8/Cn473c6dvPIfnA2P4uClTCaCDv+jXG2f9a +FIuJhYCO+TdYs7qjAsXWngJUebRFiHbfSuYDw92/eqLdKD1Hoff4MnW5YOtDpp6E +sdCDuINeRtUtnidw2vIPezX+xdmycXIq9Fb+GvKrIDsKu0VO8HObVviLa/RE11ds +EHYlrarj4mqzS2MhvmU79Bazg9rDDB4WVs502n3uJaf6Sod/+ke1c3ff7AUPox2n +pjH/bVmkZJsOq5EqcvlH3m2FZUHSFWS/yTR1rPuJoHBMHVc4OPlTuSqT3qmKL2vb +vD1l3D4zHZs1paRLddYXiaex4qPU/0YpP61XU070MmFGYE8Z43TbMPHu/6LYBpw9 +p5Vj3VZwn2edNl4LGx+05hIABzM23I7JoQ44uPoTbohmYXF/DUGJ6h2LYdp81AVC +lSFWuQINBE97JQcBEACpbBqvDl8J65jEhPjOWczcDVB+WfG7GBHB7T6RxSNFIahy +mDqzx73zZD6n4NnZogPDPopYdRJ56u5AfF0bDZlgebl8+VEgPHGoay74Gf6k0B+c +pEkp5PaWQHHEqXINotVg29hTsf1u0sb+yjgcc+9WHw3MtpChsgk8Rc5N8Xvr1FJc +L+xynSvUCcLIwfgvLHYPPBYGIRpvz4ek/zgHvaGftDfnyMwrMbgi8kadrSb7PQgc +eWeTL7CQN1B88TPJFqKt/QxMdXaPy+Cr3P4XVy5V3/QEVFUizrtCCqJgxHMAeCP5 +QxwYEWmA2zxUzGA/t/QUDFbccKt2BdpdKBFtHLliE+yn9FHw98JayjhAJxxeCkrp +MED9N2aGHI1q44sbmeLKQ8EuIbCamfq7fqLXgkEy8jgivv2J9YfXejjjEobGLkss +Jlxaq9JeQgFEVl6f0jJ0PgkYPd11RxTcVLy4RB417cxc9LHcoKdAtcgBTcZXPPYO +L+eM9S7rTvFTna9IdF4bbnJFNjHDMhb/9XomxxBsekpTUXEm2DGoTpO2W/jwWcZY +LVrdhikkkF8b88EdWk94fUTcFA90I+Ch0YbS8XGM/WIklrMGa0JpA4OQW5oMhKDn +gqAcV7gxRYt6ylBPVh94/AIMz++wmfqBxETFP8HMgTVEApLBLjwru9B/4lRStwAR +AQABiQIfBBgBAgAJBQJPeyUHAhsMAAoJEGOorUuYLENzegsQAL6NuhGuzQf2GELc +O5J8/BW2yF9sxHWDLrw0Pntq8D35kgGfZLB52tN3DI4NwL0vE931bXC7ovi4kHPS +sazv+WPUckYfJ7qskWVD1yDtHsADduwudJpAflfZ4VIvMJqJ7FUw5Fy9ennw/Idp +H7LC+ubn6XT6Kh9oKvVmp+BQEOsdisjVw848Thik+gS08WvAjK9m+g7++FFwKy08 +5iXuuqZpvi94eU1QPvzxzzRZz6M4gQaz+pCq/5yf6I+Hu8G+5nq2foFN+G7FRkx7 +KJmJ3SAEsG3M23V9MKWON49ZbhTe5xW+1at/TKKoNGzNIYs07jApR2/E4J57yMWj +zsAqg77hTDRiV0jhHl0DJw3RHFi3z+SrK+6ie6mrq8WEPj62q9qdM8dFs+y5X3UT +x0nxly7GjOxxhi+Nt83PAG2wVFpqmhVLuyPnruvxzyrVFc8Dvx46DiKCzt4PPK/Y ++jnVIQ7Jr2Jm2ZCpzZZT5QNJuDp46mKHlNBkvSy3q3+pM6cM8vKSuCFd9+dw3dX/ +GptLebMrPOvLVDl4Bm9hSmG7rLpJy8U8Ns8pYSS1zaxHM8KqMaPuS/Zlx1SRIj/E +afefnHd5fIlmsH9C2O5fb18SFjmD14FCLcVTG7bwh3ZfbGo9sOJSShPxppPW2OoT +jwfANmj1cSg/VFr1d4HAEc83jFgumQINBGNZjyYBEACk7biPgvCVldNWq1CwVoJa +/Fvc4T49tqxcc/sY4uVlGo6oSi4fQcXE9XKPPBuRLmvpmMWvODQLzPxJMWUfJq6L +yYFmX2U9VRTcyITdmJs8itkEaDwq8BtXkeQfUDAVSFy6V6/uvVmNWD7pGXqJE1Gx +uV44Ihlh6v2YyqSzDG/rZur771hke8VZmlKMVMs1RSeOBA3nUmvZQ58+uqkhJNYq +OeQhxGIxDOHo7QhzTG+SlX+uQq6mzACKygVJJl33toaUwVAX5R02a0u67A5wC0wh +AoLSHInc3P7ayivWV/iESAz+gMIkuvJWns/Ak14J7MTGgjD6rle7PNMsPDCCwQSc +qA8F0x4OChCixbZGZn6Mr0u8+01VCEe2IjJwVUfFI/G4n1FZ1RAdqjkHfZJeD20L +GHSbjJLcnqLLFx3LDpI5dAxo5K2kFvz0VowrB58aHoofW8/g8yZygGQ4Zpw4JnpU +maPnMTiD5yvnFzEihM5L9DuaWqSK3sb9qzoaXABYRYI7OmX4B5nmMzFteHHq0tMt +aKWf0HkAsCP0BLJcS9Oc1/0I0+gC4oKLRD8a4+kaEpNr6BXvWnj7Y1h0Zr/CZS6+ +gi34CxWMl2Q34OSqtS37mzzBu+UZxffPR0aV2RXcEpc0c5HW550Thq1NF9EmFOoy +eG4J2ox9JRANZXLh/i7mNwARAQABtCVQZXRyIExhdXRyYmFjaCA8bGF1dHJiYWNo +QHJlZGhhdC5jb20+iQJXBBMBCABBFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZ +jyYCGwMFCQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQvDkF8jUX +nPGeAA//ScQ3kJMqI6FRULXo0aF7CpafPXVWdvj+mfQMlZzuGwXXTmM42T0DXnXR +BSjstWkmOXP/UqkN7bNeXH/S3D3GCJ2l0qx8Qp6fP0FloJIbemyxNtzl7yvAE7kW +vuBuLvUdm23cntv49gAzj+ElDqCxtT6A6qaqM6r7DLUvw+G+r6gkeu1hNQbtRpEK +9Dt8tHriQyI410qFRMbi3QxU+iTJ79HXwrXiYpX7V7T+ugiU9lgIiC/hWJCo6SY4 +knt9E6zhegUWN6zErl2HY8FBM2P9eHOTqToEOAhKeM1fXZvxe3m49fGq/spmRM1R +UUl1V9WFEaMiLg/Z2rmbD8LX9YtfYlQCbEwyX2nkIP1QIcr/DEfcmCA2MXCQCgsq +I/2XS3BTLPyjuqAYnXxrk+T/Cydcg4W3ZBYI/wT56GH02TQzB/wJsn0cW6EMG46V +SDY/mZ2/gwi54G/Pqb2R3ZC9I7wQ6/FFxuu8myI/QVmEiTlvTxBoyOdNlliBQxCk +Dczs1rxd/o8Wfjo1vwRHW84jZrCP3xr7xPJWuzsrmPU8kFHTgepGoY+4b/h3jGwl +V103RpRUK4JidwHsmYDVk6pgeUH69hf0iVcbFfKiViFTR+DwjbAOxTdsFgsYYn+7 +hBj2l+pV/uzeA0akL2dkgfJc9pAf6ItRUnGC+RlntZ0Pf2NbwIS5Ag0EY1mPJgEQ +AMRQDbNHBQ376nDF8miBZOAV1txpmbHc5D/X63PNapP0P1/I7SfcJU9D3wX8c4vm +xkjEYtH23s4lmT1VLsU7PisS3MacRemm9pL2bD53hs9XQEuU9OtJsZn1ZJ+Ynh6i +5sfW1bG3OiV/TWgYXW66GwE1hn9PuP8arodUmhEft+64G2u8Xtxr5yqlQJEUThV6 +280OJrxVbduaMi5C6UNeeGE5wuhfrQ0TNYZiwQ4KYbU3QhlWhHVjJlJ5hCLiktwF +DyR24P+wlTIziWA407mo2enQT+mz3bO7Paf4mBionGsJMoADqBThf4B69BxjJ7Yg +7oQVIZ7560YIRRmNo4tk5Mhep11OtQgZjZJR6MhWDaUO17w1qScrOPRj6G1IXP1R +5NarydJpLyAVb/5WFZ5jxUGMGtq3mYn4nKbbHUg2WzvCJvPctDE6EV2vaiRy5N1f +QjsHgSa29F2feh14p4ngFCmHjpdbcdjfv6rWL8tgkSpQlDdeHRRd1q03TKAg/byP +auAHKzvV+iWlmw1f6KBWjeTn0fofmk9eeQ+P1j0a3/XTxMOjB34SzqPRWzmLPLF6 +YmujBK2gymM+JLirJFFzao1i4lgmxqkDhQoNYHXmVYEd7w+/qUYbfKwO9eJOWzuU +WajxvJ1Vgv6z4CPy9if0gwfhrx0OOcIpBE/xZU+SwQQpABEBAAGJAjwEGAEIACYW +IQS4aChHdk32DfUtmSy8OQXyNRec8QUCY1mPJgIbDAUJA8JnAAAKCRC8OQXyNRec +8a+qD/4whGQ9J+td1iLFMpNRAqvuGtTnM6shZJNnC5CB56Cu7ElIpr74sk0R98Ia +1pJlBcLALbYSrqwluZaLiRVDPdub6tGSRVssqQdZcKThz33waTru9IfLhCrRSNd0 +ZMHJaOG1ErU0noWw2d4ifVJK+vvuvMeEyNm4H5pZOYzYeikqVUYzS143cSzMEwtv +PSdP5JkTQi4WNF09khH1D+QpJoXEgVEQla7Sr955Zdt3q5OlpYxxw+X62vslZ2OM +iKZ14kWVSRbVQ+WdnjtRYS4vivB6ko9QL770jZ131hKhC/BcWpEYSjfPpVua2oKb +ccKHXheIFEJ06kGkMeeoQPxmzPRBYIw/E+d5sZp7YXDyBGOAxBeiOaOnZ8vLBzy7 +2HFng3oB3hkVGTTHq+PsHdSSaRME3QrNpDsaGeSjw62FG3I4zK985GtrXAHEzN/F +fd17srl4mcRQ+8QM/a+XbF/8ugjE/RHhhFf8sWVAPutYzVE8lF+uqcduPuq/rTcU +BuzSVjnSRfXWqCokjh+ypUpHNUO8fZDzkTLuE5rwMG1xpPueDBTzvoGDQRqc2eoX +pJnDBmdlz83zHsoR2gIHcdqyc/hCV+fTvR8E0v9ZG3Jr6RFgWdD008PsGxUevIDg +MAYFwasZSTofEnzg49/WeIFU1rGB5HZVlmOJKZnKRuBiTakEP7kCDQRjWY9xARAA +rEkjlUH4hoSQAkVJCWWk+nF+daAP5IszrGEQH7TyOVwXbRZndSPFSUqKU2kEgHbM +m+wFYoZe95h9tjDh2sLCs338pVu5Chhz3dNseTF7/rbckw2rCU+JbalEiwck7tKL +qobvbh77jnrbQnkrZNc+nMeHHLrYyc5gHW6cSn4UlU42MKmTlSeOG4Ly9wXhgaKC +heIXNX3U/D682Tffl7Gopcm7pPZF92dwY4nIpCxU2ATimkSyulbhzk2CjZ1JYUJ1 +LHctMHm9F0LEGtc1GxDShzVZP8dOWpDs9BBwZDLXxCzC4rvZ+z5BJCDFbuNTKZQ5 +JEoW2sM8yP1LLZGXz44hsab1aPrvB3vcdS5ETP6bqT5267ZiotdhUifU/pTV5ze4 +7wNuaZenQtGd9olyh2dAqOk2DQrcBQFA0gRp55b4U62hLTYXxT+7jEbSVAxeXDPR +qPvqh/4kVn86llYjV6dAoASN1wWz423QH3u4ZK+S6g8HZ0HrY2+NBYgqthb6H/X6 +FiF5VcHWstkk967g4Xt0PgN/rlCtpXh4WK9sScX/CFdOURsHlb78ZN2LexaYaVBq +QuqvfHaAPJaIElXqMheZ8aYrO6Df4yzJ+6eTs3s4PqM6EMir5waFonx5Gh50X4xL +9p7IVqgNPhQsU8Z5U5hGYbmUH766GtENv4CI1upFA1cAEQEAAYkCPAQYAQgAJhYh +BLhoKEd2TfYN9S2ZLLw5BfI1F5zxBQJjWY9xAhsgBQkDwmcAAAoJELw5BfI1F5zx +4cMP+wbjKu2xCr63oyn+lo7NqMDLBYl4zHunYTZhG/egDakVWp5Ikj5/k3i+hVSY +fUyUhqQ/b/H096ropB7GA6EzS44GS+hLMdQOJOmEbjvAP/9dJDX2FQnYZzaA2f/e +Ikgaw283oOLnmYz0x7YAW/oxlnPn+7Sg7DGGqqn3nKofDUUrowfX0tQGwkGmJJqQ +gOH/ZfU4t51UCKzF6hWRbberBI8ezp24vYngA2kGef1fCUC+EIFhoYcdHHCtC1Ti +KmOUaeB9ZMiVXkP60fmCLKObwcKTyYpAFPqM05xgsMPFaXN+fQ7YVAGpCdthk53N +5Go+QqehwLoJk77CHZxIWJIf43p3UiuH1FsuXF7OdExzIhUSiUum6MoCI8BpVwn9 +uSKfXKLOdGDR6IJI8jqdC9LYoXqxZtDhpcqD70hFWJwJzZg+U2SvxZyhOqwtKXtD +TDtee3yGzPacSAJD7mFURc/DRi62UBMiFcqO1YW/5LgC4yjtzo7MTQPkaGbQLduH +IlCKa8pHWPqaLFdMawwqNrTNHWXCD4XxijJYwdAue3NUG/utekNm82mqnbbWw/AX +URIzefQsbyqiNYMztudJ9hAS8yCdkfb9SKVIvWYPQ77tHltOZF7K/NzOGeJaJr8l +vqZCfXpWmOduTpWaD2kIvU2Kx7gB4jXdMa2ai9N+/Hdr3lLouQINBGNZj8YBEADg +Y6HOawiThxQVI+0uvAAU9yisew1SSVO6mAsQtZM7s7BpLA3RGPj3UGojZIeejA+k +fq7A+PVLBhz/kSBTtw9/s3o4rlqNzz7SLaix6XKWCpHOBs84n3/LF6u9KMMVk9vT +sjKz8iDF9mBR2bmCfLvEk0HDiMyApv5SbOsZMB8k5PWyK8HYPyMI5umEaOsaC3tA +eihO3nzAxEf3oZl53J1pIw+ecdrQLbWbH0aqKngfCddD8Q0oMr/Iwly3W49+5eqJ +oelR9/dut/dg0a3Nn1wIGYRzC62CCsF5IZwKdyPh7nilEUFpA5Vlz+HfIFch2LfR +F3Q/GZD8fKzKxhjDIdgyaWSTsMbityKxX2G/pcjshyMsZT7I3Hx7SwQfFro58s2D +FsFLEZgBhJv+nW/HckeedaveXmXdHKjtsa8+rvGADti4wohOl+N5tbpYW3/zR3AY +qlh47hG0ikUJ8Tusnu865j3Z5mE+KqS68ypRVBMRrdJl2lGPDCnXGhl2720VPNMC +/jB2Mgm/L1mvQM1jPfdC3KgokDAH5NMzKvav6A71aLSUJli3UdkGHkX5d5urs3k3 +WmCt7XeTb30MBvNzBcSYTbw2UGIRE8G0CFc3wtiWWiQKPeFXYhn0+COCoW/EXpIC +VaAuMPMgcsldM13bKGyGo3NngsNEdopNFfr0KKW5XwARAQABiQRyBBgBCAAmFiEE +uGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZj8YCGwIFCQPCZwACQAkQvDkF8jUXnPHB +dCAEGQEIAB0WIQQb4sD/CJSWIxAv0lZGlYgcJUUI0QUCY1mPxgAKCRBGlYgcJUUI +0ZkHD/9TlRvAaZETf+pv4/IceeL3KHwj5lrC/gojXxN0AjhAXljLSRCu0EyICxZy +3158h4k0vwjdv8699yHEN97PdF84m81mqxOz+juKBRHFK/EwAAgOdSlzGnUYgNkm +mCROFWtjeneNWaFdEnq9MItx1OascPeyxnWMjq7LLYMSESP4tgUV5KdlaVAXR6q/ +833u27/NodkDcNH2UK+IyT+Kt/uCOoIIL4ttxo/PvZTphzV8n6s0sJJE3/BrRxgv +CTkVU6zosyJsyau8/vayQYGPuBuEQVs4Tr+vZ42izbkHgElcZv9oYjJsxaqZqqMz +fWPte7m6Pl/pvtmlhPmpZ+ej7y8SRysBV+3aHNXaE1J3sIOmYxighlgZapSjHl/A +9N/KXdoLAjIZtBAOQ2ZFyRz/c2+VUqJgwiwdxoaFaYn2eUM+HSTbZfdGXBS/yyZL +YsM+L4M2aizQvDIRXzy8vG0vpHQEvPlXL0Gg0gyk0fox0OsAP5CfXmHC/AvYOHM8 +y81X2QqDf33Au1RIgog4cLqq2wpXEARWbAj0BAMIeJoCDCu9Mz2juK1ui2wr8AZ0 +42PCUgZK6CdUI18AsvApUhPsNunF7ZOc5mFMuaEGjjWJvrTG3qyrCY73ySBiGXWo +92ZB7FXu2MzgujPBEigByqeF6IV2x0EBHw/VrcxXq6Slgmik6G0SD/48l5mGCxM0 +Wr91raB9zQlwDbtD3PCbjA6DtkMrRyAq+81g75N6uiztGPCVw9n1HoGOSjN1hAhe +SgQQlcXbDLpzfdPFowDEHclFFfUODCIOuF+FgmxlAz5Exr9JkJdozBFqRZ4iF/tf +E5sHB0rzeUcY3J6VjTsjULjE4GSg5trsOc8GHUnFn9wwwkf9nR/Mr1RYcX0GkTcy +iUskw+AoRz6svOfAWIDJY450wgD0MHZK08IfUUsYTGecoXcvWf/hITtv/Af5MpQA +wuGEDltVDeu9EAu65SZlMkkMuQD1h3KOQjUJ6nY4a4M2CQ51ggs/c+vsemxsuYlG +vSuhrfXt6HGD3dhsOEeyEvIcjjpP1Ku5mqrPhqXFli1swfohhYGGVO+fM7G3l7wF +kAIi0B1szn0K13qRqBIwjnWL+orP1KLzvczCH6yD0FZY90CDdMtM0VB6AqT4BFh6 +5+ygjA4YiA7fFYBm8510ybUcNfzU3gUIJ5pF8MdGizO54tCPSK6U+iVRY4qfCFdu +IiOZ7FUUn78VIxQUMYMrozy7kn/0PQZa7KKRbXJ8sg0sgrQapwpgUjdMwuYZPGGv +1Jw5/+WUGWMbGxmlpHcEOmsPZpITH557M/kHyk9Ud0iKwciBI2mGLxiafCuLrUY4 +TknzOqbZgjdllcUG4cDBEQuBO/GSj1LUfg== +=I8Dr +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/libsemanage-3.7.tar.gz.asc b/libsemanage-3.7.tar.gz.asc new file mode 100644 index 0000000..746509d --- /dev/null +++ b/libsemanage-3.7.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEG+LA/wiUliMQL9JWRpWIHCVFCNEFAmZ8NeEACgkQRpWIHCVF +CNF7iw/+J/RkUBGyWCTPpjTxycgsM32jroIqhekik2VkAAoSSfIy2DNsV9W1LhjX +8wdTIbohbVIV4iVjzvd8H5ee0XpywPYQ18bgvYmpHmjC+0pp3wZy5T1igbE1ePCq +r/MheAHIn4zj68qZZxCXZs5Fc1PC910jsEOM8Wwdyyo8VGpPp4EfO6y3aFIkbeoQ +kC4rNtXtXy5USKUtQ8QbKqyr+/YuSfVgYeZCexBqL0GJ4jwP413xiwKXL+RAzDeL +j5Z9m0j911LTer/KUoDL+jdlkX1YTf4qK+VEcHjlQBLUoS6atsNKSMJftqKkATfP +AZqlBuka6RheBL54eNHc+slIKEJvhfuTFWItM/3o8+lnW/2d7dYh1WxQhXJBFDM7 +dbButzqAL9dKNRjTNlBpMPe8oj13wLK890eVLOlnMIJUW4dZURoNNbs3Q2OlhuHQ +kyuPOegi2ZaNz4TvjlI1egY3h9lVYjUv/l/AtscqWfutZfD+e7n93mLOiXmZFmHI +G56cIUHfT13CEPq9D8moVTLM1bSibEDGe2GUqalpk9YcbQ3wBBXgUF8XcGuQFYZt +Bl42k6VvolZ6net+FxBoUhprBDtkPJQSD5DyT0OF4uucdZiDbsZT7vsYMjndiZVd +D1FyYekdvzb6x6li4nLLkxyj2WV96vPvqRKK+zvIldFem1Nllps= +=aE6b +-----END PGP SIGNATURE----- diff --git a/SPECS/libsemanage.spec b/libsemanage.spec similarity index 85% rename from SPECS/libsemanage.spec rename to libsemanage.spec index c1d0d11..0d26ae1 100644 --- a/SPECS/libsemanage.spec +++ b/libsemanage.spec @@ -1,40 +1,40 @@ -%define libsepolver 2.9-1 -%define libselinuxver 2.9-1 +## START: Set by rpmautospec +## (rpmautospec version 0.6.5) +## RPMAUTOSPEC: autochangelog +## END: Set by rpmautospec -Summary: SELinux binary policy manipulation library +%define libsepolver 3.7-1 +%define libselinuxver 3.7-1 + +Summary: SELinux binary policy manipulation library Name: libsemanage -Version: 2.9 -Release: 9%{?dist} -License: LGPLv2+ -Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz +Version: 3.7 +Release: 1%{?dist} +License: LGPL-2.1-or-later +Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/libsemanage-3.7.tar.gz +Source1: https://github.com/SELinuxProject/selinux/releases/download/3.7/libsemanage-3.7.tar.gz.asc +Source2: https://github.com/bachradsusi.gpg +# git format-patch -N 3.7 -- libsemanage # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done -Patch0001: 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch -Patch0002: 0002-libsemanage-Add-support-for-DCCP-and-SCTP-protocols.patch -Patch0003: 0003-libsemanage-fsync-final-files-before-rename.patch -Patch0004: 0004-libsemanage-sync-filesystem-with-sandbox.patch -Patch0005: 0005-Trivial-style-fixes.patch -Patch0006: 0006-libsemanage-Free-contents-of-modkey-in-semanage_dire.patch -Patch0007: 0007-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_d.patch -Patch0008: 0008-libsemanage-add-missing-include-to-boolean_record.c.patch -Patch0009: 0009-semodule-libsemanage-move-module-hashing-into-libsem.patch -Patch0010: 0010-libsemanage-move-compressed-file-handling-into-a-sep.patch -Patch0011: 0011-libsemanage-clean-up-semanage_direct_commit-a-bit.patch -Patch0012: 0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch -Patch0013: 0013-libsemanage-always-write-kernel-policy-when-check_ex.patch +# Patch list start +# Patch list end URL: https://github.com/SELinuxProject/selinux/wiki -Source1: semanage.conf +Source3: semanage.conf -BuildRequires: gcc +BuildRequires: gcc make BuildRequires: libselinux-devel >= %{libselinuxver} swig BuildRequires: libsepol-devel >= %{libsepolver} BuildRequires: audit-libs-devel BuildRequires: bison flex bzip2-devel +BuildRequires: gnupg2 BuildRequires: python3 BuildRequires: python3-devel +BuildRequires: python3-setuptools Requires: bzip2-libs audit-libs Requires: libselinux%{?_isa} >= %{libselinuxver} +Obsoletes: libsemanage-compat = 3.1-4 %description Security-enhanced Linux is a feature of the Linux® kernel and a number @@ -83,11 +83,13 @@ The libsemanage-python3 package contains the python 3 bindings for developing SELinux management applications. %prep -%autosetup -n libsemanage-%{version} -p 2 +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup -p 2 -n libsemanage-%{version} %build %set_build_flags +CFLAGS="$CFLAGS -fno-semantic-interposition" # To support building the Python wrapper against multiple Python runtimes # Define a function, for how to perform a "build" of the python wrapper against @@ -104,7 +106,7 @@ BuildPythonWrapper() { make clean make swigify -make LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" all +%make_build LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" all BuildPythonWrapper \ %{__python3} @@ -123,26 +125,20 @@ mkdir -p ${RPM_BUILD_ROOT}%{_libdir} mkdir -p ${RPM_BUILD_ROOT}%{_includedir} mkdir -p ${RPM_BUILD_ROOT}%{_sharedstatedir}/selinux mkdir -p ${RPM_BUILD_ROOT}%{_sharedstatedir}/selinux/tmp -make DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install +%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" InstallPythonWrapper \ %{__python3} \ $(python3-config --extension-suffix) -cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/selinux/semanage.conf -ln -sf %{_libdir}/libsemanage.so.1 ${RPM_BUILD_ROOT}/%{_libdir}/libsemanage.so - -pathfix.py -i "%{__python3} -E" -p %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store -rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~ +cp %{SOURCE3} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/semanage.conf %files -%{!?_licensedir:%global license %%doc} -%license COPYING +%license LICENSE %dir %{_sysconfdir}/selinux %config(noreplace) %{_sysconfdir}/selinux/semanage.conf -%{_libdir}/libsemanage.so.1 +%{_libdir}/libsemanage.so.2 %{_mandir}/man5/* -%{_mandir}/ru/man5/* %dir %{_libexecdir}/selinux %dir %{_sharedstatedir}/selinux %dir %{_sharedstatedir}/selinux/tmp @@ -166,55 +162,200 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~ %{_libexecdir}/selinux/semanage_migrate_store %changelog -* Tue Oct 11 2022 Vit Mojzis - 2.9-9 -- always write kernel policy when check_ext_changes is specified (#2129139) +## START: Generated by rpmautospec +* Thu Jun 27 2024 Petr Lautrbach - 3.7-1 +- SELinux userspace 3.7 release -* Tue Feb 22 2022 Vit Mojzis - 2.9-8 -- Bump release to get around OSCI issues +* Mon Jun 24 2024 Troy Dawson - 3.6-4 +- Bump release for June 2024 mass rebuild -* Thu Feb 17 2022 Vit Mojzis - 2.9-7 -- Trivial style fixes -- Free contents of modkey in semanage_direct_remove -- Fix USE_AFTER_FREE (CWE-672) in semanage_direct_write_langext() -- add missing include to boolean_record.c -- move module hashing into libsemanage -- move compressed file handling into a separate object -- clean up semanage_direct_commit() a bit +* Thu Jan 25 2024 Fedora Release Engineering - 3.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 3.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Dec 14 2023 Petr Lautrbach - 3.6-1 +- SELinux userspace 3.6 release + +* Thu Nov 23 2023 Petr Lautrbach - 3.6-0.rc2.1 +- SELinux userspace 3.6-rc2 release + +* Tue Nov 14 2023 Petr Lautrbach - 3.6-0.rc1.1 +- SELinux userspace 3.6-rc1 release + +* Thu Jul 20 2023 Fedora Release Engineering - 3.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Jun 13 2023 Python Maint - 3.5-3 +- Rebuilt for Python 3.12 + +* Fri Mar 24 2023 Petr Lautrbach - 3.5-2 +- Include more parameters in the module checksum (#2173959) + +* Fri Feb 24 2023 Petr Lautrbach - 3.5-1 +- SELinux userspace 3.5 release + +* Mon Feb 13 2023 Petr Lautrbach - 3.5-0.rc3.1 +- SELinux userspace 3.5-rc3 release + +* Thu Jan 19 2023 Fedora Release Engineering - 3.5-0.rc2.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Jan 16 2023 Petr Lautrbach - 3.5-0.rc2.1 +- SELinux userspace 3.5-rc2 release + +* Fri Dec 23 2022 Petr Lautrbach - 3.5-0.rc1.1 +- SELinux userspace 3.5-rc1 release + +* Mon Nov 21 2022 Petr Lautrbach - 3.4-6 +- Rebase on upstream f56a72ac9e86 + +* Mon Jul 25 2022 Petr Lautrbach - 3.4-5 +- Always write kernel policy when check_ext_changes is specified (#2104935) + +* Thu Jul 21 2022 Fedora Release Engineering - 3.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 13 2022 Python Maint - 3.4-3 +- Rebuilt for Python 3.11 + +* Wed May 25 2022 Petr Lautrbach - 3.4-2 +- rebuilt + +* Thu May 19 2022 Petr Lautrbach - 3.4-1 +- SELinux userspace 3.4 release + +* Tue May 10 2022 Petr Lautrbach - 3.4-0.rc3.1 +- SELinux userspace 3.4-rc3 release + +* Thu Apr 21 2022 Petr Lautrbach - 3.4-0.rc2.1 +- SELinux userspace 3.4-rc2 release + +* Wed Apr 13 2022 Petr Lautrbach - 3.4-0.rc1.1 +- SELinux userspace 3.4-rc1 release + +* Tue Feb 15 2022 Petr Lautrbach - 3.3-3 - optionally rebuild policy when modules are changed externally -- add command-line option to detect module changes (#2049186) -* Mon Feb 1 2021 Petr Lautrbach - 2.9-6 -- sync filesystem with sandbox (#1913224) +* Thu Jan 20 2022 Fedora Release Engineering - 3.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild -* Mon Dec 21 2020 Petr Lautrbach - 2.9-5 -- Revert "genhomedircon: check usepasswd" (rhbz#1871786) -- semanage.conf - improve usepasswd=False explanation (rhbz#1871786) -- semanage.conf - expand list of ignoredirs (rhbz#1871786) +* Fri Oct 22 2021 Petr Lautrbach - 3.3-1 +- SELinux userspace 3.3 release -* Sun Nov 22 2020 Vit Mojzis - 2.9-4 -- genhomedircon: check usepasswd (rhbz#1871786) +* Sun Oct 10 2021 Petr Lautrbach - 3.3-0.rc3.1 +- SELinux userspace 3.3-rc3 release -* Mon Jun 29 2020 Vit Mojzis - 2.9-3 -- Fsync final files before rename (#1838762) +* Wed Sep 29 2021 Petr Lautrbach - 3.3-0.rc2.1 +- SELinux userspace 3.3-rc2 release -* Wed Nov 06 2019 Vit Mojzis - 2.9-2 -- Add support for DCCP and SCTP protocols (#1563742) +* Wed Jul 28 2021 Petr Lautrbach - 3.2-4 +- Rebase on upstream commit 32611aea6543 + +* Thu Jul 22 2021 Fedora Release Engineering - 3.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jun 04 2021 Python Maint - 3.2-2 +- Rebuilt for Python 3.10 + +* Mon Mar 8 2021 Petr Lautrbach - 3.2-1 +- SELinux userspace 3.2 release + +* Fri Feb 5 2021 Petr Lautrbach - 3.2-0.rc2.1 +- SELinux userspace 3.2-rc2 release + +* Tue Jan 26 2021 Fedora Release Engineering - 3.2-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jan 20 2021 Petr Lautrbach - 3.2-0.rc1.1 +- SELinux userspace 3.2-rc1 release + +* Fri Dec 18 2020 Petr Lautrbach - 3.1-6 +- Drop "genhomedircon: check usepasswd" patch +- genhomedircon to ignore + /root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var by default +- Fix usepasswd=False explanation in semanage.conf + +* Fri Nov 20 2020 Petr Lautrbach - 3.1-5 +- Drop and obsolete libsemanage-compat +- genhomedircon: check usepasswd + +* Fri Oct 30 2020 Petr Lautrbach - 3.1-4 +- Drop deprecated functions and duplicated symbols +- Change library version to libsemanage.so.2 +- Temporary ship -compat with libsemanage.so.1 +- Based on upstream db0f2f382e31 +- Re-enable lto flags + +* Mon Jul 13 2020 Tom Stellard - 3.1-2 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro +- Use -fno-semantic-interposition and more make macros + +* Fri Jul 10 2020 Petr Lautrbach - 3.1-1 +- SELinux userspace 3.1 release + +* Tue May 26 2020 Miro Hrončok - 3.0-4 +- Rebuilt for Python 3.9 + +* Wed Jan 29 2020 Fedora Release Engineering - 3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jan 22 2020 Ondrej Mosnacek - 3.0-2 +- Enable policy optimization + +* Fri Dec 6 2019 Petr Lautrbach - 3.0-1 +- SELinux userspace 3.0 release + +* Mon Nov 11 2019 Petr Lautrbach - 3.0-0.rc1.1 +- SELinux userspace 3.0-rc1 release candidate + +* Thu Oct 03 2019 Miro Hrončok - 2.9-5 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Sun Aug 18 2019 Zbigniew Jędrzejewski-Szmek - 2.9-4 +- Rebuilt for Python 3.8 + +* Tue Aug 13 2019 Petr Lautrbach - 2.9-3 +- Drop python2-libsemanage (#1738466) + +* Thu Jul 25 2019 Fedora Release Engineering - 2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild * Mon Mar 18 2019 Petr Lautrbach - 2.9-1 - SELinux userspace 2.9 release -* Thu Dec 6 2018 Petr Lautrbach - 2.8-5 +* Mon Mar 11 2019 Petr Lautrbach - 2.9-0.rc2.1 +- SELinux userspace 2.9-rc2 release + +* Fri Feb 01 2019 Fedora Release Engineering - 2.9-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 25 2019 Petr Lautrbach - 2.9-0.rc1.1 +- SELinux userspace 2.9-rc1 release + +* Mon Jan 21 2019 Petr Lautrbach - 2.8-8 +- Always set errno to 0 before calling getpwent() +- Set selinux policy root around calls to selinux_boolean_sub + +* Mon Dec 10 2018 Petr Lautrbach - 2.8-7 - genhomedircon - improve handling large groups -* Thu Nov 8 2018 Petr Lautrbach - 2.8-4 +* Tue Nov 13 2018 Petr Lautrbach - 2.8-6 - Fix RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects -* Mon Sep 17 2018 Petr Lautrbach - 2.8-3.1 -- reset umask before creating directories +* Mon Sep 17 2018 Petr Lautrbach - 2.8-5 - Include user name in ROLE_REMOVE audit events -* Wed Jun 6 2018 Petr Lautrbach - 2.8-2 -- Don't build the Python 2 subpackage (#1567359) +* Tue Sep 4 2018 Petr Lautrbach - 2.8-4 +- Reset umask before creating directories (#1186422) + +* Fri Jul 13 2018 Fedora Release Engineering - 2.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Miro Hrončok - 2.8-2 +- Rebuilt for Python 3.7 * Fri May 25 2018 Petr Lautrbach - 2.8-1 - SELinux userspace 2.8 release @@ -389,7 +530,7 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~ - Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 * Tue May 6 2014 Dan Walsh - 2.3-1 -- Update to upstream +- Update to upstream * Fix memory leak in semanage_genhomedircon from Thomas Hurd. * Sun Mar 30 2014 Dan Walsh - 2.2-3 @@ -400,7 +541,7 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~ - Move semanage.conf man page from devel package to main package * Thu Oct 31 2013 Dan Walsh - 2.2-1 -- Update to upstream +- Update to upstream * Avoid duplicate list entries from Dan Walsh. * Add audit support to libsemanage from Dan Walsh. * Remove policy.kern and replace with symlink from Dan Walsh. @@ -444,7 +585,7 @@ Resolves: #952237 - Allways build python3 version * Mon Apr 22 2013 Dan Walsh - 2.1.10-4 -- +- * Thu Apr 11 2013 Dan Walsh - 2.1.10-3 - Fix test suite to build @@ -453,7 +594,7 @@ Resolves: #952237 - Revert some changes which are causing the wrong policy version file to be created * Thu Feb 7 2013 Dan Walsh - 2.1.10-1 -- Update to upstream +- Update to upstream * Add sefcontext_compile to compile regex everytime policy is rebuilt * Cleanup/fix enable/disable/remove module. * redo genhomedircon minuid @@ -463,9 +604,9 @@ Resolves: #952237 * genhomedircon: double free in get_home_dirs * fcontext_record: do not leak on error in semanage_fcontext_key_create * genhomedircon: do not leak on failure in write_gen_home_dir_context - * semanage_store: do not leak fd + * semanage_store: do not leak fd * genhomedircon: do not leak shells list - * semanage_store: do not leak on strdup failure + * semanage_store: do not leak on strdup failure * semanage_store: rewrite for readability * Wed Jan 16 2013 Dan Walsh 2.1.9-4 @@ -481,7 +622,7 @@ Resolves: #952237 - Previous to this fix the first module beginning with foo would get deleted. * Thu Sep 13 2012 Dan Walsh - 2.1.9-1 -- Update to upstream +- Update to upstream * libsemanage: do not set soname needlessly * libsemanage: remove PYTHONLIBDIR and ruby equivalent * do boolean name substitution @@ -497,14 +638,14 @@ Resolves: #952237 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild * Fri Jul 13 2012 Dan Walsh - 2.1.8-3 -- Attempt to allocate memory for selinux_binary_policy_path and free memory +- Attempt to allocate memory for selinux_binary_policy_path and free memory - allocated by asprintf. * Thu Jul 12 2012 Dan Walsh - 2.1.8-2 - Fix asprintf within an asprintf call * Wed Jul 4 2012 Dan Walsh - 2.1.8-1 -- Update to upstream +- Update to upstream * remove build warning when build swig c files * additional makefile support for rubywrap * ignore 80 column limit for readability @@ -516,7 +657,7 @@ Resolves: #952237 - Apply patch from Sven Vermeulen to fix problem with python3 bindings. * Thu Mar 29 2012 Dan Walsh - 2.1.7-1 -- Update to upstream +- Update to upstream * Alternate path for semanage.conf * do not link against libpython, this is considered bad in Debian * Allow to build for several ruby version @@ -529,7 +670,7 @@ Resolves: #952237 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild * Fri Jan 6 2012 Dan Walsh - 2.1.6-2 -- Add patch form Xin Ouyang to make library use private semanage.conf +- Add patch form Xin Ouyang to make library use private semanage.conf * Wed Dec 21 2011 Dan Walsh - 2.1.6-1 -Update to upstream @@ -592,7 +733,7 @@ Resolves: #952237 - More fixes for disabled modules * Tue Jun 7 2011 Dan Walsh - 2.0.46-5 -- Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a module +- Change libsemanage mechanism for handling disabled modules. Now it will only create a flag for a module indicating the module is disabled. MODULE.pp.disabled, it will no longer rename the module. This way we can ship active modules in rpm. @@ -688,7 +829,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Wed Sep 9 2009 Dan Walsh - 2.0.37-1 - Update to upstream - * Fix persistent dontaudit support to rebuild policy if the + * Fix persistent dontaudit support to rebuild policy if the dontaudit state is changed from Chad Sellers. - Move load_policy to /sbin @@ -933,7 +1074,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Fri Dec 22 2006 Dan Walsh - 1.9.2-1 - Upgrade to latest from NSA - * Merged patch to optionally reduce disk usage by removing + * Merged patch to optionally reduce disk usage by removing the backup module store and linked policy from Karl MacMillan * Merged patch to correctly propagate return values in libsemanage @@ -961,7 +1102,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Merged patch to not destroy sepol handle on error path of connect from James Athey. * Merged patch to add genhomedircon path to semanage.conf from - James Athey. + James Athey. * Thu Aug 31 2006 Dan Walsh - 1.6.16-3 - Fix semanage to not load if is not the correct policy type and it is installing @@ -995,7 +1136,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Tue Jul 11 2006 Dan Walsh - 1.6.12-1 - Upgrade to latest from NSA - * Merged support for read operations on read-only fs from + * Merged support for read operations on read-only fs from Caleb Case (Tresys Technology). * Tue Jul 4 2006 Dan Walsh - 1.6.11-1 @@ -1016,7 +1157,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Mon May 15 2006 Dan Walsh - 1.6.8-1 - Upgrade to latest from NSA * Updated default location for setfiles to /sbin to - match policycoreutils. This can also be adjusted via + match policycoreutils. This can also be adjusted via semanage.conf using the syntax: [setfiles] path = /path/to/setfiles @@ -1037,7 +1178,7 @@ invoking the appropriate config tool (or by hardcoding the old value for - Upgrade to latest from NSA * Merged updated file context sorting patch from Christopher Ashworth, with bug fix for escaped character flag. - * Merged file context sorting code from Christopher Ashworth + * Merged file context sorting code from Christopher Ashworth (Tresys Technology), based on fc_sort.c code in refpolicy. * Merged python binding t_output_helper removal patch from Dan Walsh. * Regenerated swig files. @@ -1073,7 +1214,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Merged paths array patch from Ivan Gyurdiev. * Merged bug fix patch from Ivan Gyurdiev. * Merged improve bindings patch from Ivan Gyurdiev. - * Merged use PyList patch from Ivan Gyurdiev. + * Merged use PyList patch from Ivan Gyurdiev. * Merged memory leak fix patch from Ivan Gyurdiev. * Merged nodecon support patch from Ivan Gyurdiev. * Merged cleanups patch from Ivan Gyurdiev. @@ -1095,21 +1236,21 @@ invoking the appropriate config tool (or by hardcoding the old value for * Tue Feb 07 2006 Dan Walsh - 1.5.21-1 - Upgrade to latest from NSA * Merged seuser/user_extra support patch from Joshua Brindle. - * Merged remote system dbase patch from Ivan Gyurdiev. + * Merged remote system dbase patch from Ivan Gyurdiev. * Tue Feb 07 2006 Jesse Keating - 1.5.20-1.1 - rebuilt for new gcc4.1 snapshot and glibc changes * Thu Feb 2 2006 Dan Walsh 1.5.20-1 - Upgrade to latest from NSA - * Merged clone record on set_con patch from Ivan Gyurdiev. + * Merged clone record on set_con patch from Ivan Gyurdiev. * Mon Jan 30 2006 Dan Walsh 1.5.19-1 - Upgrade to latest from NSA * Merged fname parameter patch from Ivan Gyurdiev. * Merged more size_t -> unsigned int fixes from Ivan Gyurdiev. * Merged seusers.system patch from Ivan Gyurdiev. - * Merged improve port/fcontext API patch from Ivan Gyurdiev. + * Merged improve port/fcontext API patch from Ivan Gyurdiev. * Fri Jan 27 2006 Dan Walsh 1.5.18-1 - Upgrade to latest from NSA @@ -1161,12 +1302,12 @@ invoking the appropriate config tool (or by hardcoding the old value for * Re-applied string and file optimization patch from Russell Coker, with bug fix. * Reverted string and file optimization patch from Russell Coker. - * Clarified error messages from parse_module_headers and + * Clarified error messages from parse_module_headers and parse_base_headers for base/module mismatches. * Fri Jan 6 2006 Dan Walsh 1.5.6-1 - Upgrade to latest from NSA - * Clarified error messages from parse_module_headers and + * Clarified error messages from parse_module_headers and parse_base_headers for base/module mismatches. * Merged string and file optimization patch from Russell Coker. * Merged swig header reordering patch from Ivan Gyurdiev. @@ -1246,7 +1387,7 @@ invoking the appropriate config tool (or by hardcoding the old value for - Upgrade to latest from NSA * Merged Makefile python definitions patch from Dan Walsh. * Removed is_selinux_mls_enabled() conditionals in seusers and users - file parsers. + file parsers. * Wed Nov 23 2005 Dan Walsh 1.3.59-1 - Add additional swig objects @@ -1261,7 +1402,7 @@ invoking the appropriate config tool (or by hardcoding the old value for - Upgrade to latest from NSA * Fixed free->key_free bug. * Merged clear obsolete patch from Ivan Gyurdiev. - * Merged modified swigify patch from Dan Walsh + * Merged modified swigify patch from Dan Walsh (original patch from Joshua Brindle). * Merged move genhomedircon call patch from Chad Sellers. @@ -1298,7 +1439,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Disabled calls to port dbase for merge and commit and stubbed out calls to sepol_port interfaces since they are not exported. * Merged rename instead of copy patch from Joshua Brindle (Tresys). - * Added hidden_def/hidden_proto for exported symbols used within + * Added hidden_def/hidden_proto for exported symbols used within libsemanage to eliminate relocations. Wrapped type definitions in exported headers as needed to avoid conflicts. Added src/context_internal.h and src/iface_internal.h. @@ -1347,7 +1488,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Tue Oct 25 2005 Dan Walsh 1.3.34-1 - Update from NSA - * Merged resync to sepol changes and booleans fixes/improvements + * Merged resync to sepol changes and booleans fixes/improvements patches from Ivan Gyurdiev. * Merged support for genhomedircon/homedir template, store selection, explicit policy reload, and semanage.conf relocation from Joshua @@ -1371,11 +1512,11 @@ invoking the appropriate config tool (or by hardcoding the old value for - Update from NSA * Merged interface renaming patch from Ivan Gyurdiev. * Merged policy component patch from Ivan Gyurdiev. - * Renamed 'check=' configuration value to 'expand-check=' for + * Renamed 'check=' configuration value to 'expand-check=' for clarity. - * Changed semanage_commit_sandbox to check for and report errors + * Changed semanage_commit_sandbox to check for and report errors on rename(2) calls performed during rollback. - * Added optional check= configuration value to semanage.conf + * Added optional check= configuration value to semanage.conf and updated call to sepol_expand_module to pass its value to control assertion and hierarchy checking on module expansion. * Merged fixes for make DESTDIR= builds from Joshua Brindle. @@ -1413,7 +1554,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Merged user and port APIs - policy database patch from Ivan Gyurdiev. * Converted calls to sepol link_packages and expand_module interfaces - from using buffers to using sepol handles for error reporting, and + from using buffers to using sepol handles for error reporting, and changed direct_connect/disconnect to create/destroy sepol handles. * Sat Oct 15 2005 Dan Walsh 1.3.18-1 @@ -1480,7 +1621,7 @@ invoking the appropriate config tool (or by hardcoding the old value for * Wed Sep 21 2005 Dan Walsh 1.3.3-1 - Update from NSA - * Merged boolean record, stub record handler, and status codes + * Merged boolean record, stub record handler, and status codes patches from Ivan Gyurdiev. * Tue Sep 20 2005 Dan Walsh 1.3.2-1 @@ -1513,9 +1654,11 @@ invoking the appropriate config tool (or by hardcoding the old value for Coverity. * Fixed several other bugs and warnings. * Merged patch to move module read/write code from libsemanage - to libsepol from Jason Tang (Tresys). + to libsepol from Jason Tang (Tresys). * Merged relay records patch from Ivan Gyurdiev. * Merged key extract patch from Ivan Gyurdiev. - Initial version -- Created by Stephen Smalley +- Created by Stephen Smalley + +## END: Generated by rpmautospec diff --git a/SOURCES/semanage.conf b/semanage.conf similarity index 99% rename from SOURCES/semanage.conf rename to semanage.conf index 8d30db4..406f16f 100644 --- a/SOURCES/semanage.conf +++ b/semanage.conf @@ -52,6 +52,7 @@ usepasswd=False bzip-small=true bzip-blocksize=5 ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var +optimize-policy=true [sefcontext_compile] path = /usr/sbin/sefcontext_compile diff --git a/sources b/sources new file mode 100644 index 0000000..9d15d1b --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (libsemanage-3.7.tar.gz) = 4b6370b02116364964ff24b93fb6629c885611de78419f649a027db38b4f1c3b3adf3b438efb34a92b49407ab8f9446ed4091fe4c99fa4752f0f5e3e31589415