From ba6bbc6102c0a921b247bab2825f279b1a3a0e73 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 27 Sep 2022 15:53:50 -0400
Subject: [PATCH] import libsemanage-2.9-9.el8

---
 ...age-allow-spaces-in-user-group-names.patch | 361 ++++++++++++++++++
 ...ys-write-kernel-policy-when-check_ex.patch | 59 +++
 SPECS/libsemanage.spec | 9 +-
 3 files changed, 428 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0013-libsemanage-allow-spaces-in-user-group-names.patch
 create mode 100644 SOURCES/0014-libsemanage-always-write-kernel-policy-when-check_ex.patch

diff --git a/SOURCES/0013-libsemanage-allow-spaces-in-user-group-names.patch b/SOURCES/0013-libsemanage-allow-spaces-in-user-group-names.patch
new file mode 100644
index 0000000..ccd5105
--- /dev/null
+++ b/SOURCES/0013-libsemanage-allow-spaces-in-user-group-names.patch
@@ -0,0 +1,361 @@
+From f4a0e563dfff91d308d1738bbabdddc9ab672098 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Thu, 17 Feb 2022 13:49:23 +0100
+Subject: [PATCH] libsemanage: allow spaces in user/group names
+
+"semanage login -a" accepts whitespaces in user/group name
+(e.g. users/groups from Active Directory), which may lead to issues down
+the line since libsemanage doesn't expect whitespaces in
+/var/lib/selinux/targeted/active/seusers and other config files.
+
+Fixes:
+ Artificial but simple reproducer
+ # groupadd server_admins
+ # sed -i "s/^server_admins/server admins/" /etc/group
+ # semanage login -a -s staff_u %server\ admins
+ # semanage login -l (or "semodule -B")
+ libsemanage.parse_assert_ch: expected character ':', but found 'a' (/var/lib/selinux/targeted/active/seusers: 6):
+ %server admins:staff_u:s0-s0:c0.c1023 (No such file or directory).
+ libsemanage.seuser_parse: could not parse seuser record (No such file or directory).
+ libsemanage.dbase_file_cache: could not cache file database (No such file or directory).
+ libsemanage.enter_ro: could not enter read-only section (No such file or directory).
+ FileNotFoundError: [Errno 2] No such file or directory
+
+Signed-off-by: Vit Mojzis
+---
+ libsemanage/src/booleans_file.c | 2 +-
+ libsemanage/src/fcontexts_file.c | 6 +++---
+ libsemanage/src/ibendports_file.c | 4 ++--
+ libsemanage/src/ibpkeys_file.c | 4 ++--
+ libsemanage/src/interfaces_file.c | 6 +++---
+ libsemanage/src/nodes_file.c | 8 ++++----
+ libsemanage/src/parse_utils.c | 6 +++---
+ libsemanage/src/parse_utils.h | 11 +++++------
+ libsemanage/src/ports_file.c | 4 ++--
+ libsemanage/src/seusers_file.c | 6 +++---
+ libsemanage/src/users_base_file.c | 7 +++----
+ libsemanage/src/users_extra_file.c | 4 ++--
+ 12 files changed, 33 insertions(+), 35 deletions(-)
+
+diff --git a/libsemanage/src/booleans_file.c b/libsemanage/src/booleans_file.c
+index f79d0b44..6d600bbc 100644
+--- a/libsemanage/src/booleans_file.c
++++ b/libsemanage/src/booleans_file.c
+@@ -48,7 +48,7 @@ static int bool_parse(semanage_handle_t * handle,
+ goto last;
+
+ /* Extract name */
+- if (parse_fetch_string(handle, info, &str, '=') < 0)
++ if (parse_fetch_string(handle, info, &str, '=', 0) < 0)
+ goto err;
+
+ if (semanage_bool_set_name(handle, boolean, str) < 0)
+diff --git a/libsemanage/src/fcontexts_file.c b/libsemanage/src/fcontexts_file.c
+index 1e596519..ad177208 100644
+--- a/libsemanage/src/fcontexts_file.c
++++ b/libsemanage/src/fcontexts_file.c
+@@ -91,7 +91,7 @@ static int fcontext_parse(semanage_handle_t * handle,
+ goto last;
+
+ /* Regexp */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_fcontext_set_expr(handle, fcontext, str) < 0)
+ goto err;
+@@ -101,7 +101,7 @@ static int fcontext_parse(semanage_handle_t * handle,
+ /* Type */
+ if (parse_assert_space(handle, info) < 0)
+ goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (!strcasecmp(str, "-s"))
+ semanage_fcontext_set_type(fcontext, SEMANAGE_FCONTEXT_SOCK);
+@@ -125,7 +125,7 @@ static int fcontext_parse(semanage_handle_t * handle,
+ /* Context */
+ if (parse_assert_space(handle, info) < 0)
+ goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+
+ process_context:
+diff --git a/libsemanage/src/ibendports_file.c b/libsemanage/src/ibendports_file.c
+index 402c7a5e..47a62429 100644
+--- a/libsemanage/src/ibendports_file.c
++++ b/libsemanage/src/ibendports_file.c
+@@ -76,7 +76,7 @@ static int ibendport_parse(semanage_handle_t *handle,
+ goto err;
+
+ /* IB Device Name */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_ibendport_set_ibdev_name(handle, ibendport, str) < 0)
+ goto err;
+@@ -93,7 +93,7 @@ static int ibendport_parse(semanage_handle_t *handle,
+ /* context */
+ if (parse_assert_space(handle, info) < 0)
+ goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_context_from_string(handle, str, &con) < 0) {
+ ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+diff --git a/libsemanage/src/ibpkeys_file.c b/libsemanage/src/ibpkeys_file.c
+index ceaea7ad..5424e279 100644
+--- a/libsemanage/src/ibpkeys_file.c
++++ b/libsemanage/src/ibpkeys_file.c
+@@ -81,7 +81,7 @@ static int ibpkey_parse(semanage_handle_t *handle,
+ goto err;
+
+ /* Subnet Prefix */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_ibpkey_set_subnet_prefix(handle, ibpkey, str) < 0)
+ goto err;
+@@ -116,7 +116,7 @@ static int ibpkey_parse(semanage_handle_t *handle,
+ semanage_ibpkey_set_pkey(ibpkey, low);
+ }
+ /* Pkey context */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_context_from_string(handle, str, &con) < 0) {
+ ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+diff --git a/libsemanage/src/interfaces_file.c b/libsemanage/src/interfaces_file.c
+index 1478af97..b105f807 100644
+--- a/libsemanage/src/interfaces_file.c
++++ b/libsemanage/src/interfaces_file.c
+@@ -73,7 +73,7 @@ static int iface_parse(semanage_handle_t * handle,
+ goto err;
+
+ /* Name */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_iface_set_name(handle, iface, str) < 0)
+ goto err;
+@@ -83,7 +83,7 @@ static int iface_parse(semanage_handle_t * handle,
+ /* Interface context */
+ if (parse_assert_space(handle, info) < 0)
+ goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_context_from_string(handle, str, &con) < 0) {
+ ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+@@ -107,7 +107,7 @@ static int iface_parse(semanage_handle_t * handle,
+ /* Message context */
+ if (parse_assert_space(handle, info) < 0)
+ goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_context_from_string(handle, str, &con) < 0) {
+ ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+diff --git a/libsemanage/src/nodes_file.c b/libsemanage/src/nodes_file.c
+index f6c8895d..922355dd 100644
+--- a/libsemanage/src/nodes_file.c
++++ b/libsemanage/src/nodes_file.c
+@@ -78,7 +78,7 @@ static int node_parse(semanage_handle_t * handle,
+ goto err;
+
+ /* Protocol */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (!strcasecmp(str, "ipv4"))
+ proto = SEMANAGE_PROTO_IP4;
+@@ -97,7 +97,7 @@ static int node_parse(semanage_handle_t * handle,
+ /* Address */
+ if (parse_assert_space(handle, info) < 0)
+ goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_node_set_addr(handle, node, proto, str) < 0)
+ goto err;
+@@ -107,7 +107,7 @@ static int node_parse(semanage_handle_t * handle,
+ str = NULL;
+
+ /* Netmask */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_node_set_mask(handle, node, proto, str) < 0)
+ goto err;
+@@ -117,7 +117,7 @@ static int node_parse(semanage_handle_t * handle,
+ str = NULL;
+
+ /* Port context */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_context_from_string(handle, str, &con) < 0) {
+ ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+diff --git a/libsemanage/src/parse_utils.c b/libsemanage/src/parse_utils.c
+index 4fb54fc3..918dee43 100644
+--- a/libsemanage/src/parse_utils.c
++++ b/libsemanage/src/parse_utils.c
+@@ -239,7 +239,7 @@ int parse_fetch_int(semanage_handle_t * handle,
+ char *test = NULL;
+ int value = 0;
+
+- if (parse_fetch_string(handle, info, &str, delim) < 0)
++ if (parse_fetch_string(handle, info, &str, delim, 0) < 0)
+ goto err;
+
+ if (!isdigit((int)*str)) {
+@@ -267,7 +267,7 @@ int parse_fetch_int(semanage_handle_t * handle,
+ }
+
+ int parse_fetch_string(semanage_handle_t * handle,
+- parse_info_t * info, char **str, char delim)
++ parse_info_t * info, char **str, char delim, int allow_spaces)
+ {
+
+ char *start = info->ptr;
+@@ -277,7 +277,7 @@ int parse_fetch_string(semanage_handle_t * handle,
+ if (parse_assert_noeof(handle, info) < 0)
+ goto err;
+
+- while (*(info->ptr) && !isspace(*(info->ptr)) &&
++ while (*(info->ptr) && (allow_spaces || !isspace(*(info->ptr))) &&
+ (*(info->ptr) != delim)) {
+ info->ptr++;
+ len++;
+diff --git a/libsemanage/src/parse_utils.h b/libsemanage/src/parse_utils.h
+index 0f334860..3e44aca1 100644
+--- a/libsemanage/src/parse_utils.h
++++ b/libsemanage/src/parse_utils.h
+@@ -71,12 +71,11 @@ extern int parse_optional_str(parse_info_t * info, const char *str);
+ int parse_fetch_int(semanage_handle_t * hgandle,
+ parse_info_t * info, int *num, char delim);
+
+-/* Extract the next string (delimited by
+- * whitespace), and move the read pointer past it.
+- * Stop of the optional character delim is encountered,
+- * or if whitespace/eof is encountered. Fail if the
+- * string is of length 0. */
++/* Extract the next string and move the read pointer past it.
++ * Stop if the optional character delim (or eof) is encountered,
++ * or if whitespace is encountered and allow_spaces is 0.
++ * Fail if the string is of length 0. */
+ extern int parse_fetch_string(semanage_handle_t * handle,
+- parse_info_t * info, char **str_ptr, char delim);
++ parse_info_t * info, char **str_ptr, char delim, int allow_spaces);
+
+ #endif
+diff --git a/libsemanage/src/ports_file.c b/libsemanage/src/ports_file.c
+index 4738d467..0c151089 100644
+--- a/libsemanage/src/ports_file.c
++++ b/libsemanage/src/ports_file.c
+@@ -78,7 +78,7 @@ static int port_parse(semanage_handle_t * handle,
+ goto err;
+
+ /* Protocol */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (!strcasecmp(str, "tcp"))
+ semanage_port_set_proto(port, SEMANAGE_PROTO_TCP);
+@@ -124,7 +124,7 @@ static int port_parse(semanage_handle_t * handle,
+ semanage_port_set_port(port, low);
+
+ /* Port context */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_context_from_string(handle, str, &con) < 0) {
+ ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+diff --git a/libsemanage/src/seusers_file.c b/libsemanage/src/seusers_file.c
+index 910bedf4..21b970ac 100644
+--- a/libsemanage/src/seusers_file.c
++++ b/libsemanage/src/seusers_file.c
+@@ -53,7 +53,7 @@ static int seuser_parse(semanage_handle_t * handle,
+ goto last;
+
+ /* Extract name */
+- if (parse_fetch_string(handle, info, &str, ':') < 0)
++ if (parse_fetch_string(handle, info, &str, ':', 1) < 0)
+ goto err;
+ if (semanage_seuser_set_name(handle, seuser, str) < 0)
+ goto err;
+@@ -68,7 +68,7 @@ static int seuser_parse(semanage_handle_t * handle,
+ goto err;
+
+ /* Extract sename */
+- if (parse_fetch_string(handle, info, &str, ':') < 0)
++ if (parse_fetch_string(handle, info, &str, ':', 1) < 0)
+ goto err;
+ if (semanage_seuser_set_sename(handle, seuser, str) < 0)
+ goto err;
+@@ -83,7 +83,7 @@ static int seuser_parse(semanage_handle_t * handle,
+ goto err;
+
+ /* NOTE: does not allow spaces/multiline */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+
+ if (semanage_seuser_set_mlsrange(handle, seuser, str) < 0)
+diff --git a/libsemanage/src/users_base_file.c b/libsemanage/src/users_base_file.c
+index 0f0a8fdb..a0f8cd7e 100644
+--- a/libsemanage/src/users_base_file.c
++++ b/libsemanage/src/users_base_file.c
+@@ -83,7 +83,7 @@ static int user_base_parse(semanage_handle_t * handle,
+ goto err;
+
+ /* Parse user name */
+- if (parse_fetch_string(handle, info, &name_str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &name_str, ' ', 0) < 0)
+ goto err;
+
+ if (semanage_user_base_set_name(handle, user, name_str) < 0) {
+@@ -150,7 +150,7 @@ static int user_base_parse(semanage_handle_t * handle,
+ goto err;
+
+ /* NOTE: does not allow spaces/multiline */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_user_base_set_mlslevel(handle, user, str) < 0)
+ goto err;
+@@ -165,8 +165,7 @@ static int user_base_parse(semanage_handle_t * handle,
+ if (parse_assert_space(handle, info) < 0)
+ goto err;
+
+- /* NOTE: does not allow spaces/multiline */
+- if (parse_fetch_string(handle, info, &str, ';') < 0)
++ if (parse_fetch_string(handle, info, &str, ';', 1) < 0)
+ goto err;
+ if (semanage_user_base_set_mlsrange(handle, user, str) < 0)
+ goto err;
+diff --git a/libsemanage/src/users_extra_file.c b/libsemanage/src/users_extra_file.c
+index 8f2bebd6..7aa9df3c 100644
+--- a/libsemanage/src/users_extra_file.c
++++ b/libsemanage/src/users_extra_file.c
+@@ -57,7 +57,7 @@ static int user_extra_parse(semanage_handle_t * handle,
+ goto err;
+
+ /* Extract name */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+ goto err;
+ if (semanage_user_extra_set_name(handle, user_extra, str) < 0)
+ goto err;
+@@ -73,7 +73,7 @@ static int user_extra_parse(semanage_handle_t * handle,
+ goto err;
+
+ /* Extract prefix */
+- if (parse_fetch_string(handle, info, &str, ';') < 0)
++ if (parse_fetch_string(handle, info, &str, ';', 1) < 0)
+ goto err;
+ if (semanage_user_extra_set_prefix(handle, user_extra, str) < 0)
+ goto err;
+-- 
+2.35.3
+
diff --git a/SOURCES/0014-libsemanage-always-write-kernel-policy-when-check_ex.patch b/SOURCES/0014-libsemanage-always-write-kernel-policy-when-check_ex.patch
new file mode 100644
index 0000000..ac9d2f4
--- /dev/null
+++ b/SOURCES/0014-libsemanage-always-write-kernel-policy-when-check_ex.patch
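Review bot: With `allow_spaces` set, the loop `while (*(info->ptr) && (allow_spaces || !isspace(*(info->ptr))) && (*(info->ptr) != delim))` in parse_fetch_string no longer stops at any whitespace, so on a malformed line where the delimiter is missing the fetched token runs to the end of the working buffer and, since isspace() covers '\n', presumably swallows the trailing newline before the following parse_assert_ch reports the error against a token spanning the rest of the line (the rest of parse_fetch_string is outside the hunk). The fix is parser-side only: nothing in this patch stops a name containing the field delimiter ':' or a newline from being accepted at add time and written into seusers, and such a record would reproduce the same unparseable-store failure that the reproducer shows for spaces, so the name setters (not visible here) should reject ':' and control characters, or the limitation should be documented next to the new parse_utils.h comment: `* With allow_spaces set, the token may also include a trailing newline if delim is never seen.` The new `allow_spaces` argument is passed as a bare 0/1 at every call site; a pair of named constants (e.g. `PARSE_NO_SPACES` / `PARSE_ALLOW_SPACES`) would make the seusers/users call sites self-describing without changing behaviour.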
@@ -0,0 +1,59 @@
+From db81de97febc8c79bfe7c54f57ae313cc5ba0728 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Wed, 8 Jun 2022 19:09:53 +0200
+Subject: [PATCH] libsemanage: always write kernel policy when
+ check_ext_changes is specified
+
+For the use case of rebuilding the policy after package updates, we need
+the check_ext_changes operation to always do at least the do_write_kernel
+step, because the various semanage dbs may have also changed content
+relative to the current binary policy. As this step is itself relatively
+fast, we can do it unconditionally.
+
+Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
+Signed-off-by: Ondrej Mosnacek
+Acked-by: Nicolas Iooss
+---
+ libsemanage/include/semanage/handle.h | 2 +-
+ libsemanage/src/direct_api.c | 8 +++++---
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
+index 7f298a49..df919a14 100644
+--- a/libsemanage/include/semanage/handle.h
++++ b/libsemanage/include/semanage/handle.h
+@@ -67,7 +67,7 @@ void semanage_set_reload(semanage_handle_t * handle, int do_reload);
+ void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
+
+ /* set whether to rebuild the policy on commit when potential changes
+- * to module files since last rebuild are detected,
++ * to store files since last rebuild are detected,
+ * 1 for yes (default), 0 for no */
+ extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check);
+
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index bbdca2b2..252fc5bb 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -1430,13 +1430,15 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ * Determine what else needs to be done.
+ * We need to write the kernel policy if we are rebuilding
+ * or if any other policy component that lives in the kernel
+- * policy has been modified.
++ * policy has been modified. We also want to force it when
++ * check_ext_changes was specified as the various dbases may have
++ * changes as well.
+ * We need to install the policy files if any of the managed files
+ * that live under /etc/selinux (kernel policy, seusers, file contexts)
+ * will be modified.
+ */
+- do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified |
+- ibendports_modified |
++ do_write_kernel = do_rebuild | sh->check_ext_changes |
++ ports_modified | ibpkeys_modified | ibendports_modified |
+ bools->dtable->is_modified(bools->dbase) |
+ ifaces->dtable->is_modified(ifaces->dbase) |
+ nodes->dtable->is_modified(nodes->dbase) |
+-- 
+2.35.3
+
diff --git a/SPECS/libsemanage.spec b/SPECS/libsemanage.spec
index 8347d9e..bbe808a 100644
--- a/SPECS/libsemanage.spec
+++ b/SPECS/libsemanage.spec
@@ -4,7 +4,7 @@ Summary: SELinux binary policy manipulation library
 Name: libsemanage
 Version: 2.9
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: LGPLv2+
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
@@ -20,6 +20,9 @@ Patch0009: 0009-semodule-libsemanage-move-module-hashing-into-libsem.patch
 Patch0010: 0010-libsemanage-move-compressed-file-handling-into-a-sep.patch
 Patch0011: 0011-libsemanage-clean-up-semanage_direct_commit-a-bit.patch
 Patch0012: 0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch
+Patch0013: 0013-libsemanage-allow-spaces-in-user-group-names.patch
+Patch0014: 0014-libsemanage-always-write-kernel-policy-when-check_ex.patch
+
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
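Review bot: `do_write_kernel = do_rebuild | sh->check_ext_changes | ...` turns check_ext_changes from a "rebuild if an external change is detected" hint into an unconditional kernel-policy rewrite on every commit where the flag is set, yet the handle.h comment updated in the same patch still describes it only as detection; if the header's statement that 1 is the default is accurate, every default commit now rewrites the kernel policy, which is worth confirming against the handle initialisation (not in this hunk). Suggest making the contract explicit in handle.h so API users are not surprised: `* Note: when enabled, the kernel policy is always re-written on commit,` / `* even if no external change is detected.` Because do_write_kernel is accumulated with bitwise `|`, any non-zero value stored in `sh->check_ext_changes` works, but `!!sh->check_ext_changes` would keep the flag canonical alongside the other 0/1 terms. semanage_direct_commit starts and ends outside the hunk.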
@@ -165,6 +168,10 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~
 %{_libexecdir}/selinux/semanage_migrate_store
 %changelog
+* Thu Jul 07 2022 Vit Mojzis - 2.9-9
+- allow spaces in user/group names (#2042408)
+- always write kernel policy when check_ext_changes is specified (#2089802)
+
 * Tue Feb 22 2022 Vit Mojzis - 2.9-8
 - Bump release to get around OSCI issues