From a6fa92ade7431eadb31523f03e113f7946433646 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 24 Jan 2025 11:23:05 +0100 Subject: [PATCH] libsemanage-2.9-11 - Set new restorecon handle before doing restorecon (RHEL-73348) - Mute error messages from selinux_restorecon Resolves: RHEL-73348 --- ...-error-messages-from-selinux_restore.patch | 64 +++++++++++++++++++ ...new-restorecon-handle-before-doing-r.patch | 37 +++++++++++ libsemanage.spec | 10 ++- 3 files changed, 109 insertions(+), 2 deletions(-) create mode 100644 0016-libsemanage-Mute-error-messages-from-selinux_restore.patch create mode 100644 0017-libsemanage-Set-new-restorecon-handle-before-doing-r.patch
diff --git a/0016-libsemanage-Mute-error-messages-from-selinux_restore.patch b/0016-libsemanage-Mute-error-messages-from-selinux_restore.patch
new file mode 100644
index 0000000..6ac2c27
--- /dev/null
+++ b/0016-libsemanage-Mute-error-messages-from-selinux_restore.patch
@@ -0,0 +1,64 @@
+From a0895d4219af61a56294ffca101d1d6fc2d0531c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Thu, 12 Dec 2024 19:44:25 +0100
+Subject: [PATCH] libsemanage: Mute error messages from selinux_restorecon
+Content-type: text/plain
+
+Mute error messages produced by selinux_restorecon when rebuilding the
+policy store to avoid error messages in containers, image mode, etc.
+
+Fixes:
+ #podman build --security-opt=label=disable --cap-add=all --device /dev/fuse -t quay.io/jlebon/fedora-bootc:tier-x . --build-arg MANIFEST=fedora-tier-x.yaml --from quay.io/fedora/fedora:rawhide
+...
+Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext: Operation not supported
+Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas: Operation not supported
+Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/cil: Operation not supported
+Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/hll: Operation not supported
+...
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2326348
+
+Signed-off-by: Vit Mojzis
+Acked-by: James Carter
+---
+ libsemanage/src/semanage_store.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
+index 52cc72d7391c..29abbd0e6b6f 100644
+--- a/libsemanage/src/semanage_store.c
++++ b/libsemanage/src/semanage_store.c
+@@ -3011,15 +3011,29 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
+ return 0;
+ }
+
++/* log_callback muting all logs */
++static int __attribute__ ((format(printf, 2, 3)))
++log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) const char *fmt, ...)
++{
++ return 0;
++}
++
+ /* Make sure the file context and ownership of files in the policy
+ * store does not change */
+ void semanage_setfiles(const char *path){
+ struct stat sb;
+ int fd;
++ union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
++ union selinux_callback cb = { .func_log = log_callback_mute };
++
++ /* Mute all logs */
++ selinux_set_callback(SELINUX_CB_LOG, cb);
++
+ /* Fix the user and role portions of the context, ignore errors
+ * since this is not a critical operation */
+ selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY);
+-
++ /* restore log_logging */
++ selinux_set_callback(SELINUX_CB_LOG, cb_orig);
+ /* Make sure "path" is owned by root */
+ if ((geteuid() != 0 || getegid() != 0) &&
+ ((fd = open(path, O_RDONLY)) != -1)){
+--
+2.48.1
+
diff --git a/0017-libsemanage-Set-new-restorecon-handle-before-doing-r.patch b/0017-libsemanage-Set-new-restorecon-handle-before-doing-r.patch
new file mode 100644
index 0000000..512e44c
--- /dev/null
+++ b/0017-libsemanage-Set-new-restorecon-handle-before-doing-r.patch
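Review bot: Swapping `log_callback_mute` into SELINUX_CB_LOG around the `selinux_restorecon(path, …)` call silences every libselinux diagnostic, not just the ENOTSUP "Could not set context" noise the commit message targets, so a genuine failure to relabel the policy store on a normal host (EPERM, an unparseable file_contexts) now leaves no trace at all, and the return value is still discarded on the same line. Because the callback is process-global, any other thread logging through libselinux during that window appears to be muted as well; if that is accepted it deserves a comment next to the `/* Mute all logs */` line. I would keep the mute but surface a non-ENOTSUP failure once through the saved callback: `int rc = selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY), err = errno;` before the callback is restored, then `if (rc < 0 && err != ENOTSUP && err != EOPNOTSUPP) cb_orig.func_log(SELINUX_WARNING, "semanage_setfiles: could not relabel %s: %s\n", path, strerror(err));` after it — assuming errno survives selinux_restorecon's own cleanup, which I have not verified from here. The body of semanage_setfiles continues past the end of this hunk.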
@@ -0,0 +1,37 @@
+From 6d5a1d424508f9554e92d6aac5eeca424503d028 Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Wed, 22 Jan 2025 10:58:28 -0500
+Subject: [PATCH] libsemanage: Set new restorecon handle before doing
+ restorecon
+Content-type: text/plain
+
+In semanage_setfiles(), need to reset the restorecon handle to make
+sure restorecon is not operating on old selabel data.
+
+Signed-off-by: James Carter
+---
+ libsemanage/src/semanage_store.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
+index 29abbd0e6b6f..33b950ff5451 100644
+--- a/libsemanage/src/semanage_store.c
++++ b/libsemanage/src/semanage_store.c
+@@ -3023,9 +3023,14 @@ log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) cons
+ void semanage_setfiles(const char *path){
+ struct stat sb;
+ int fd;
++ struct selabel_handle *sehandle;
++
+ union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
+ union selinux_callback cb = { .func_log = log_callback_mute };
++
++ sehandle = selinux_restorecon_default_handle();
++ selinux_restorecon_set_sehandle(sehandle);
++
+ /* Mute all logs */
+ selinux_set_callback(SELINUX_CB_LOG, cb);
+
+--
+2.48.1
+
diff --git a/libsemanage.spec b/libsemanage.spec
index fdf509d..5205cdd 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
@@ -1,10 +1,10 @@
 %define libsepolver 2.9-1
-%define libselinuxver 2.9-1
+%define libselinuxver 2.9-10
 Summary: SELinux binary policy manipulation library
 Name: libsemanage
 Version: 2.9
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: LGPLv2+
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
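Review bot: `sehandle = selinux_restorecon_default_handle();` is handed to `selinux_restorecon_set_sehandle(sehandle)` with no NULL check, and nothing in the hunk ever closes the handle: each call of semanage_setfiles() builds a fresh selabel handle from file_contexts and, as far as I know, libselinux only overwrites its stored pointer, so the previously installed handle leaks on every call — and this function runs per policy-store path, judging by the 0015 patch name. If the default handle cannot be built, NULL is installed and, with the log callback muted on the following lines, the store is then left unrelabeled silently. I would keep the live handle in a file-scope static, skip the swap on NULL, and close the superseded handle only after the new one is in place, as below; the rest of the function (the restorecon call and the ownership fix) is outside this hunk.
```c
/* selabel handle currently installed in libselinux by this function; owned here. */
static struct selabel_handle *setfiles_sehandle;

void semanage_setfiles(const char *path){
	/* … unchanged: sb, fd, cb_orig, cb … */
	struct selabel_handle *sehandle = selinux_restorecon_default_handle();

	if (sehandle) {
		/* Install the fresh handle first so libselinux never holds a freed one. */
		selinux_restorecon_set_sehandle(sehandle);
		if (setfiles_sehandle)
			selabel_close(setfiles_sehandle);
		setfiles_sehandle = sehandle;
	}
	/* … unchanged: mute logs, selinux_restorecon, restore logs, ownership fix … */
```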
@@ -23,6 +23,8 @@ Patch0012: 0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch
 Patch0013: 0013-libsemanage-allow-spaces-in-user-group-names.patch
 Patch0014: 0014-libsemanage-always-write-kernel-policy-when-check_ex.patch
 Patch0015: 0015-libsemanage-Preserve-file-context-and-ownership-in-p.patch
+Patch0016: 0016-libsemanage-Mute-error-messages-from-selinux_restore.patch
+Patch0017: 0017-libsemanage-Set-new-restorecon-handle-before-doing-r.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
@@ -169,6 +171,10 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~
 %{_libexecdir}/selinux/semanage_migrate_store
 %changelog
+* Fri Jan 24 2025 Petr Lautrbach - 2.9-11
+- Set new restorecon handle before doing restorecon (RHEL-73348)
+- Mute error messages from selinux_restorecon
+
+* Mon Jul 29 2024 Vit Mojzis - 2.9-10
+- Preserve file context and ownership in policy store (RHEL-17509)