From 67f696281080393b0bdfdea70a2067f58afb1566 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 17 Dec 2024 02:44:40 +0000 Subject: [PATCH] import UBI libsemanage-2.9-10.el8_10 --- ...age-allow-spaces-in-user-group-names.patch | 361 ++++++++++++++++++ ...s-write-kernel-policy-when-check_ex.patch} | 4 +- ...erve-file-context-and-ownership-in-p.patch | 146 +++++++ SPECS/libsemanage.spec | 15 +- 4 files changed, 520 insertions(+), 6 deletions(-) create mode 100644 SOURCES/0013-libsemanage-allow-spaces-in-user-group-names.patch rename SOURCES/{0013-libsemanage-always-write-kernel-policy-when-check_ex.patch => 0014-libsemanage-always-write-kernel-policy-when-check_ex.patch} (97%) create mode 100644 SOURCES/0015-libsemanage-Preserve-file-context-and-ownership-in-p.patch diff --git a/SOURCES/0013-libsemanage-allow-spaces-in-user-group-names.patch b/SOURCES/0013-libsemanage-allow-spaces-in-user-group-names.patch new file mode 100644 index 0000000..ccd5105 --- /dev/null +++ b/SOURCES/0013-libsemanage-allow-spaces-in-user-group-names.patch @@ -0,0 +1,361 @@ +From f4a0e563dfff91d308d1738bbabdddc9ab672098 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Thu, 17 Feb 2022 13:49:23 +0100 +Subject: [PATCH] libsemanage: allow spaces in user/group names + +"semanage login -a" accepts whitespaces in user/group name +(e.g. users/groups from Active Directory), which may lead to issues down +the line since libsemanage doesn't expect whitespaces in +/var/lib/selinux/targeted/active/seusers and other config files. + +Fixes: + Artificial but simple reproducer + # groupadd server_admins + # sed -i "s/^server_admins/server admins/" /etc/group + # semanage login -a -s staff_u %server\ admins + # semanage login -l (or "semodule -B") + libsemanage.parse_assert_ch: expected character ':', but found 'a' (/var/lib/selinux/targeted/active/seusers: 6): + %server admins:staff_u:s0-s0:c0.c1023 (No such file or directory). + libsemanage.seuser_parse: could not parse seuser record (No such file or directory). + libsemanage.dbase_file_cache: could not cache file database (No such file or directory). + libsemanage.enter_ro: could not enter read-only section (No such file or directory). + FileNotFoundError: [Errno 2] No such file or directory + +Signed-off-by: Vit Mojzis +--- + libsemanage/src/booleans_file.c | 2 +- + libsemanage/src/fcontexts_file.c | 6 +++--- + libsemanage/src/ibendports_file.c | 4 ++-- + libsemanage/src/ibpkeys_file.c | 4 ++-- + libsemanage/src/interfaces_file.c | 6 +++--- + libsemanage/src/nodes_file.c | 8 ++++---- + libsemanage/src/parse_utils.c | 6 +++--- + libsemanage/src/parse_utils.h | 11 +++++------ + libsemanage/src/ports_file.c | 4 ++-- + libsemanage/src/seusers_file.c | 6 +++--- + libsemanage/src/users_base_file.c | 7 +++---- + libsemanage/src/users_extra_file.c | 4 ++-- + 12 files changed, 33 insertions(+), 35 deletions(-) + +diff --git a/libsemanage/src/booleans_file.c b/libsemanage/src/booleans_file.c +index f79d0b44..6d600bbc 100644 +--- a/libsemanage/src/booleans_file.c ++++ b/libsemanage/src/booleans_file.c +@@ -48,7 +48,7 @@ static int bool_parse(semanage_handle_t * handle, + goto last; + + /* Extract name */ +- if (parse_fetch_string(handle, info, &str, '=') < 0) ++ if (parse_fetch_string(handle, info, &str, '=', 0) < 0) + goto err; + + if (semanage_bool_set_name(handle, boolean, str) < 0) +diff --git a/libsemanage/src/fcontexts_file.c b/libsemanage/src/fcontexts_file.c +index 1e596519..ad177208 100644 +--- a/libsemanage/src/fcontexts_file.c ++++ b/libsemanage/src/fcontexts_file.c +@@ -91,7 +91,7 @@ static int fcontext_parse(semanage_handle_t * handle, + goto last; + + /* Regexp */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_fcontext_set_expr(handle, fcontext, str) < 0) + goto err; +@@ -101,7 +101,7 @@ static int fcontext_parse(semanage_handle_t * handle, + /* Type */ + if (parse_assert_space(handle, info) < 0) + goto err; +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (!strcasecmp(str, "-s")) + semanage_fcontext_set_type(fcontext, SEMANAGE_FCONTEXT_SOCK); +@@ -125,7 +125,7 @@ static int fcontext_parse(semanage_handle_t * handle, + /* Context */ + if (parse_assert_space(handle, info) < 0) + goto err; +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + + process_context: +diff --git a/libsemanage/src/ibendports_file.c b/libsemanage/src/ibendports_file.c +index 402c7a5e..47a62429 100644 +--- a/libsemanage/src/ibendports_file.c ++++ b/libsemanage/src/ibendports_file.c +@@ -76,7 +76,7 @@ static int ibendport_parse(semanage_handle_t *handle, + goto err; + + /* IB Device Name */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_ibendport_set_ibdev_name(handle, ibendport, str) < 0) + goto err; +@@ -93,7 +93,7 @@ static int ibendport_parse(semanage_handle_t *handle, + /* context */ + if (parse_assert_space(handle, info) < 0) + goto err; +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_context_from_string(handle, str, &con) < 0) { + ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s", +diff --git a/libsemanage/src/ibpkeys_file.c b/libsemanage/src/ibpkeys_file.c +index ceaea7ad..5424e279 100644 +--- a/libsemanage/src/ibpkeys_file.c ++++ b/libsemanage/src/ibpkeys_file.c +@@ -81,7 +81,7 @@ static int ibpkey_parse(semanage_handle_t *handle, + goto err; + + /* Subnet Prefix */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_ibpkey_set_subnet_prefix(handle, ibpkey, str) < 0) + goto err; +@@ -116,7 +116,7 @@ static int ibpkey_parse(semanage_handle_t *handle, + semanage_ibpkey_set_pkey(ibpkey, low); + } + /* Pkey context */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_context_from_string(handle, str, &con) < 0) { + ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s", +diff --git a/libsemanage/src/interfaces_file.c b/libsemanage/src/interfaces_file.c +index 1478af97..b105f807 100644 +--- a/libsemanage/src/interfaces_file.c ++++ b/libsemanage/src/interfaces_file.c +@@ -73,7 +73,7 @@ static int iface_parse(semanage_handle_t * handle, + goto err; + + /* Name */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_iface_set_name(handle, iface, str) < 0) + goto err; +@@ -83,7 +83,7 @@ static int iface_parse(semanage_handle_t * handle, + /* Interface context */ + if (parse_assert_space(handle, info) < 0) + goto err; +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_context_from_string(handle, str, &con) < 0) { + ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s", +@@ -107,7 +107,7 @@ static int iface_parse(semanage_handle_t * handle, + /* Message context */ + if (parse_assert_space(handle, info) < 0) + goto err; +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_context_from_string(handle, str, &con) < 0) { + ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s", +diff --git a/libsemanage/src/nodes_file.c b/libsemanage/src/nodes_file.c +index f6c8895d..922355dd 100644 +--- a/libsemanage/src/nodes_file.c ++++ b/libsemanage/src/nodes_file.c +@@ -78,7 +78,7 @@ static int node_parse(semanage_handle_t * handle, + goto err; + + /* Protocol */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (!strcasecmp(str, "ipv4")) + proto = SEMANAGE_PROTO_IP4; +@@ -97,7 +97,7 @@ static int node_parse(semanage_handle_t * handle, + /* Address */ + if (parse_assert_space(handle, info) < 0) + goto err; +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_node_set_addr(handle, node, proto, str) < 0) + goto err; +@@ -107,7 +107,7 @@ static int node_parse(semanage_handle_t * handle, + str = NULL; + + /* Netmask */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_node_set_mask(handle, node, proto, str) < 0) + goto err; +@@ -117,7 +117,7 @@ static int node_parse(semanage_handle_t * handle, + str = NULL; + + /* Port context */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_context_from_string(handle, str, &con) < 0) { + ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s", +diff --git a/libsemanage/src/parse_utils.c b/libsemanage/src/parse_utils.c +index 4fb54fc3..918dee43 100644 +--- a/libsemanage/src/parse_utils.c ++++ b/libsemanage/src/parse_utils.c +@@ -239,7 +239,7 @@ int parse_fetch_int(semanage_handle_t * handle, + char *test = NULL; + int value = 0; + +- if (parse_fetch_string(handle, info, &str, delim) < 0) ++ if (parse_fetch_string(handle, info, &str, delim, 0) < 0) + goto err; + + if (!isdigit((int)*str)) { +@@ -267,7 +267,7 @@ int parse_fetch_int(semanage_handle_t * handle, + } + + int parse_fetch_string(semanage_handle_t * handle, +- parse_info_t * info, char **str, char delim) ++ parse_info_t * info, char **str, char delim, int allow_spaces) + { + + char *start = info->ptr; +@@ -277,7 +277,7 @@ int parse_fetch_string(semanage_handle_t * handle, + if (parse_assert_noeof(handle, info) < 0) + goto err; + +- while (*(info->ptr) && !isspace(*(info->ptr)) && ++ while (*(info->ptr) && (allow_spaces || !isspace(*(info->ptr))) && + (*(info->ptr) != delim)) { + info->ptr++; + len++; +diff --git a/libsemanage/src/parse_utils.h b/libsemanage/src/parse_utils.h +index 0f334860..3e44aca1 100644 +--- a/libsemanage/src/parse_utils.h ++++ b/libsemanage/src/parse_utils.h +@@ -71,12 +71,11 @@ extern int parse_optional_str(parse_info_t * info, const char *str); + int parse_fetch_int(semanage_handle_t * hgandle, + parse_info_t * info, int *num, char delim); + +-/* Extract the next string (delimited by +- * whitespace), and move the read pointer past it. +- * Stop of the optional character delim is encountered, +- * or if whitespace/eof is encountered. Fail if the +- * string is of length 0. */ ++/* Extract the next string and move the read pointer past it. ++ * Stop if the optional character delim (or eof) is encountered, ++ * or if whitespace is encountered and allow_spaces is 0. ++ * Fail if the string is of length 0. */ + extern int parse_fetch_string(semanage_handle_t * handle, +- parse_info_t * info, char **str_ptr, char delim); ++ parse_info_t * info, char **str_ptr, char delim, int allow_spaces); + + #endif +diff --git a/libsemanage/src/ports_file.c b/libsemanage/src/ports_file.c +index 4738d467..0c151089 100644 +--- a/libsemanage/src/ports_file.c ++++ b/libsemanage/src/ports_file.c +@@ -78,7 +78,7 @@ static int port_parse(semanage_handle_t * handle, + goto err; + + /* Protocol */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (!strcasecmp(str, "tcp")) + semanage_port_set_proto(port, SEMANAGE_PROTO_TCP); +@@ -124,7 +124,7 @@ static int port_parse(semanage_handle_t * handle, + semanage_port_set_port(port, low); + + /* Port context */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_context_from_string(handle, str, &con) < 0) { + ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s", +diff --git a/libsemanage/src/seusers_file.c b/libsemanage/src/seusers_file.c +index 910bedf4..21b970ac 100644 +--- a/libsemanage/src/seusers_file.c ++++ b/libsemanage/src/seusers_file.c +@@ -53,7 +53,7 @@ static int seuser_parse(semanage_handle_t * handle, + goto last; + + /* Extract name */ +- if (parse_fetch_string(handle, info, &str, ':') < 0) ++ if (parse_fetch_string(handle, info, &str, ':', 1) < 0) + goto err; + if (semanage_seuser_set_name(handle, seuser, str) < 0) + goto err; +@@ -68,7 +68,7 @@ static int seuser_parse(semanage_handle_t * handle, + goto err; + + /* Extract sename */ +- if (parse_fetch_string(handle, info, &str, ':') < 0) ++ if (parse_fetch_string(handle, info, &str, ':', 1) < 0) + goto err; + if (semanage_seuser_set_sename(handle, seuser, str) < 0) + goto err; +@@ -83,7 +83,7 @@ static int seuser_parse(semanage_handle_t * handle, + goto err; + + /* NOTE: does not allow spaces/multiline */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + + if (semanage_seuser_set_mlsrange(handle, seuser, str) < 0) +diff --git a/libsemanage/src/users_base_file.c b/libsemanage/src/users_base_file.c +index 0f0a8fdb..a0f8cd7e 100644 +--- a/libsemanage/src/users_base_file.c ++++ b/libsemanage/src/users_base_file.c +@@ -83,7 +83,7 @@ static int user_base_parse(semanage_handle_t * handle, + goto err; + + /* Parse user name */ +- if (parse_fetch_string(handle, info, &name_str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &name_str, ' ', 0) < 0) + goto err; + + if (semanage_user_base_set_name(handle, user, name_str) < 0) { +@@ -150,7 +150,7 @@ static int user_base_parse(semanage_handle_t * handle, + goto err; + + /* NOTE: does not allow spaces/multiline */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_user_base_set_mlslevel(handle, user, str) < 0) + goto err; +@@ -165,8 +165,7 @@ static int user_base_parse(semanage_handle_t * handle, + if (parse_assert_space(handle, info) < 0) + goto err; + +- /* NOTE: does not allow spaces/multiline */ +- if (parse_fetch_string(handle, info, &str, ';') < 0) ++ if (parse_fetch_string(handle, info, &str, ';', 1) < 0) + goto err; + if (semanage_user_base_set_mlsrange(handle, user, str) < 0) + goto err; +diff --git a/libsemanage/src/users_extra_file.c b/libsemanage/src/users_extra_file.c +index 8f2bebd6..7aa9df3c 100644 +--- a/libsemanage/src/users_extra_file.c ++++ b/libsemanage/src/users_extra_file.c +@@ -57,7 +57,7 @@ static int user_extra_parse(semanage_handle_t * handle, + goto err; + + /* Extract name */ +- if (parse_fetch_string(handle, info, &str, ' ') < 0) ++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0) + goto err; + if (semanage_user_extra_set_name(handle, user_extra, str) < 0) + goto err; +@@ -73,7 +73,7 @@ static int user_extra_parse(semanage_handle_t * handle, + goto err; + + /* Extract prefix */ +- if (parse_fetch_string(handle, info, &str, ';') < 0) ++ if (parse_fetch_string(handle, info, &str, ';', 1) < 0) + goto err; + if (semanage_user_extra_set_prefix(handle, user_extra, str) < 0) + goto err; +-- +2.35.3 + diff --git a/SOURCES/0013-libsemanage-always-write-kernel-policy-when-check_ex.patch b/SOURCES/0014-libsemanage-always-write-kernel-policy-when-check_ex.patch similarity index 97% rename from SOURCES/0013-libsemanage-always-write-kernel-policy-when-check_ex.patch rename to SOURCES/0014-libsemanage-always-write-kernel-policy-when-check_ex.patch index b9d932f..ac9d2f4 100644 --- a/SOURCES/0013-libsemanage-always-write-kernel-policy-when-check_ex.patch +++ b/SOURCES/0014-libsemanage-always-write-kernel-policy-when-check_ex.patch @@ -1,4 +1,4 @@ -From 330b6efa010b3dac732beb49c98894a99dab0545 Mon Sep 17 00:00:00 2001 +From db81de97febc8c79bfe7c54f57ae313cc5ba0728 Mon Sep 17 00:00:00 2001 From: Ondrej Mosnacek Date: Wed, 8 Jun 2022 19:09:53 +0200 Subject: [PATCH] libsemanage: always write kernel policy when @@ -55,5 +55,5 @@ index bbdca2b2..252fc5bb 100644 ifaces->dtable->is_modified(ifaces->dbase) | nodes->dtable->is_modified(nodes->dbase) | -- -2.37.3 +2.35.3 diff --git a/SOURCES/0015-libsemanage-Preserve-file-context-and-ownership-in-p.patch b/SOURCES/0015-libsemanage-Preserve-file-context-and-ownership-in-p.patch new file mode 100644 index 0000000..b27182f --- /dev/null +++ b/SOURCES/0015-libsemanage-Preserve-file-context-and-ownership-in-p.patch @@ -0,0 +1,146 @@ +From 52f19bad2e4a3d5c7599df9afd5e3cd675ecac8c Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Mon, 29 Jul 2024 13:26:45 +0200 +Subject: [PATCH] libsemanage: Preserve file context and ownership in policy + store + +Make sure that file context (all parts) and ownership of +files/directories in policy store does not change no matter which user +and under which context executes policy rebuild. + +Fixes: + # semodule -B + # ls -lZ /etc/selinux/targeted/contexts/files + +-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 421397 Jul 11 09:57 file_contexts +-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 593470 Jul 11 09:57 file_contexts.bin +-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 14704 Jul 11 09:57 file_contexts.homedirs +-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 20289 Jul 11 09:57 file_contexts.homedirs.bin + + SELinux user changed from system_u to the user used to execute semodule + + # capsh --user=testuser --caps="cap_dac_override,cap_chown+eip" --addamb=cap_dac_override,cap_chown -- -c "semodule -B" + # ls -lZ /etc/selinux/targeted/contexts/files + +-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 421397 Jul 19 09:10 file_contexts +-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 593470 Jul 19 09:10 file_contexts.bin +-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 14704 Jul 19 09:10 file_contexts.homedirs +-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 20289 Jul 19 09:10 file_contexts.homedirs.bin + + Both file context and ownership changed -- causes remote login + failures and other issues in some scenarios. + +Signed-off-by: Vit Mojzis +Acked-by: Stephen Smalley +--- + libsemanage/src/semanage_store.c | 32 ++++++++++++++++++++++++++++++++ + libsemanage/src/semanage_store.h | 1 + + 2 files changed, 33 insertions(+) + +diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c +index 1fff667d..52cc72d7 100644 +--- a/libsemanage/src/semanage_store.c ++++ b/libsemanage/src/semanage_store.c +@@ -36,6 +36,7 @@ typedef struct dbase_policydb dbase_t; + #include "database_policydb.h" + #include "handle.h" + ++#include + #include + #include + #include +@@ -763,6 +764,7 @@ int semanage_copy_file(const char *src, const char *dst, mode_t mode, + if (!retval && rename(tmp, dst) == -1) + return -1; + ++ semanage_setfiles(dst); + out: + errno = errsv; + return retval; +@@ -801,6 +803,8 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag) + goto cleanup; + } + umask(mask); ++ ++ semanage_setfiles(dst); + } + + for (i = 0; i < len; i++) { +@@ -819,6 +823,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag) + goto cleanup; + } + umask(mask); ++ semanage_setfiles(path2); + } else if (S_ISREG(sb.st_mode) && flag == 1) { + mask = umask(0077); + if (semanage_copy_file(path, path2, sb.st_mode, +@@ -920,6 +925,7 @@ int semanage_mkdir(semanage_handle_t *sh, const char *path) + + } + umask(mask); ++ semanage_setfiles(path); + } + else { + /* check that it really is a directory */ +@@ -1597,16 +1603,19 @@ static int semanage_validate_and_compile_fcontexts(semanage_handle_t * sh) + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC)) != 0) { + goto cleanup; + } ++ semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_BIN)); + + if (sefcontext_compile(sh, + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL)) != 0) { + goto cleanup; + } ++ semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL_BIN)); + + if (sefcontext_compile(sh, + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS)) != 0) { + goto cleanup; + } ++ semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS_BIN)); + + status = 0; + cleanup: +@@ -3001,3 +3010,26 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len, + + return 0; + } ++ ++/* Make sure the file context and ownership of files in the policy ++ * store does not change */ ++void semanage_setfiles(const char *path){ ++ struct stat sb; ++ int fd; ++ /* Fix the user and role portions of the context, ignore errors ++ * since this is not a critical operation */ ++ selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY); ++ ++ /* Make sure "path" is owned by root */ ++ if ((geteuid() != 0 || getegid() != 0) && ++ ((fd = open(path, O_RDONLY)) != -1)){ ++ /* Skip files with the SUID or SGID bit set -- abuse protection */ ++ if ((fstat(fd, &sb) != -1) && ++ !(S_ISREG(sb.st_mode) && ++ (sb.st_mode & (S_ISUID | S_ISGID))) && ++ (fchown(fd, 0, 0) == -1)) ++ fprintf(stderr, "Warning! Could not set ownership of %s to root\n", path); ++ ++ close(fd); ++ } ++} +diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h +index 1fc77da8..e21dadeb 100644 +--- a/libsemanage/src/semanage_store.h ++++ b/libsemanage/src/semanage_store.h +@@ -124,6 +124,7 @@ int semanage_get_cil_paths(semanage_handle_t * sh, semanage_module_info_t *modin + int semanage_get_active_modules(semanage_handle_t *sh, + semanage_module_info_t **modinfo, int *num_modules); + ++void semanage_setfiles(const char *path); + + /* lock file routines */ + int semanage_get_trans_lock(semanage_handle_t * sh); +-- +2.43.0 + diff --git a/SPECS/libsemanage.spec b/SPECS/libsemanage.spec index c1d0d11..fdf509d 100644 --- a/SPECS/libsemanage.spec +++ b/SPECS/libsemanage.spec @@ -4,7 +4,7 @@ Summary: SELinux binary policy manipulation library Name: libsemanage Version: 2.9 -Release: 9%{?dist} +Release: 10%{?dist} License: LGPLv2+ Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done @@ -20,7 +20,10 @@ Patch0009: 0009-semodule-libsemanage-move-module-hashing-into-libsem.patch Patch0010: 0010-libsemanage-move-compressed-file-handling-into-a-sep.patch Patch0011: 0011-libsemanage-clean-up-semanage_direct_commit-a-bit.patch Patch0012: 0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch -Patch0013: 0013-libsemanage-always-write-kernel-policy-when-check_ex.patch +Patch0013: 0013-libsemanage-allow-spaces-in-user-group-names.patch +Patch0014: 0014-libsemanage-always-write-kernel-policy-when-check_ex.patch +Patch0015: 0015-libsemanage-Preserve-file-context-and-ownership-in-p.patch + URL: https://github.com/SELinuxProject/selinux/wiki Source1: semanage.conf @@ -166,8 +169,12 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~ %{_libexecdir}/selinux/semanage_migrate_store %changelog -* Tue Oct 11 2022 Vit Mojzis - 2.9-9 -- always write kernel policy when check_ext_changes is specified (#2129139) +* Mon Jul 29 2024 Vit Mojzis - 2.9-10 +- Preserve file context and ownership in policy store (RHEL-17509) + +* Thu Jul 07 2022 Vit Mojzis - 2.9-9 +- allow spaces in user/group names (#2042408) +- always write kernel policy when check_ext_changes is specified (#2089802) * Tue Feb 22 2022 Vit Mojzis - 2.9-8 - Bump release to get around OSCI issues