import UBI libsemanage-2.9-11.el8_10

2025-03-11 08:34:19 +00:00 · 2025-03-11 08:34:19 +00:00 · c9c44d3ffb
commit c9c44d3ffb
parent 67f6962810
3 changed files with 109 additions and 2 deletions
--- a/SOURCES/0016-libsemanage-Mute-error-messages-from-selinux_restore.patch
+++ b/SOURCES/0016-libsemanage-Mute-error-messages-from-selinux_restore.patch
@ -0,0 +1,64 @@
 From a0895d4219af61a56294ffca101d1d6fc2d0531c Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Thu, 12 Dec 2024 19:44:25 +0100
 Subject: [PATCH] libsemanage: Mute error messages from selinux_restorecon
 Content-type: text/plain
 Mute error messages produced by selinux_restorecon when rebuilding the
 policy store to avoid error messages in containers, image mode, etc.
 Fixes:
 #podman build --security-opt=label=disable --cap-add=all --device /dev/fuse -t quay.io/jlebon/fedora-bootc:tier-x . --build-arg MANIFEST=fedora-tier-x.yaml --from quay.io/fedora/fedora:rawhide
 ...
 Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext:  Operation not supported
 Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas:  Operation not supported
 Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/cil:  Operation not supported
 Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/hll:  Operation not supported
 ...
 https://bugzilla.redhat.com/show_bug.cgi?id=2326348
 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 Acked-by: James Carter <jwcart2@gmail.com>
 ---
 libsemanage/src/semanage_store.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
 diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
 index 52cc72d7391c..29abbd0e6b6f 100644
 --- a/libsemanage/src/semanage_store.c
 +++ b/libsemanage/src/semanage_store.c
@@ -3011,15 +3011,29 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
 	return 0;
 }
 +/* log_callback muting all logs */
 +static int __attribute__ ((format(printf, 2, 3)))
 +log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) const char *fmt, ...)
 +{
 +	return 0;
 +}
 +
 /* Make sure the file context and ownership of files in the policy
  * store does not change */
 void semanage_setfiles(const char *path){
 	struct stat sb;
 	int fd;
 +	union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
 +	union selinux_callback cb = { .func_log = log_callback_mute };
 +
 +	/* Mute all logs */
 +	selinux_set_callback(SELINUX_CB_LOG, cb);
 +
 	/* Fix the user and role portions of the context, ignore errors
 	 * since this is not a critical operation */
 	selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY);
 -
 +	/* restore log_logging */
 +	selinux_set_callback(SELINUX_CB_LOG, cb_orig);
 	/* Make sure "path" is owned by root */
 	if ((geteuid() != 0 || getegid() != 0) &&
 	    ((fd = open(path, O_RDONLY)) != -1)){
 -- 
 2.48.1
--- a/SOURCES/0017-libsemanage-Set-new-restorecon-handle-before-doing-r.patch
+++ b/SOURCES/0017-libsemanage-Set-new-restorecon-handle-before-doing-r.patch
@ -0,0 +1,37 @@
 From 6d5a1d424508f9554e92d6aac5eeca424503d028 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Wed, 22 Jan 2025 10:58:28 -0500
 Subject: [PATCH] libsemanage: Set new restorecon handle before doing
 restorecon
 Content-type: text/plain
 In semanage_setfiles(), need to reset the restorecon handle to make
 sure restorecon is not operating on old selabel data.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsemanage/src/semanage_store.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
 index 29abbd0e6b6f..33b950ff5451 100644
 --- a/libsemanage/src/semanage_store.c
 +++ b/libsemanage/src/semanage_store.c
@@ -3023,9 +3023,14 @@ log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) cons
 void semanage_setfiles(const char *path){
 	struct stat sb;
 	int fd;
 +	struct selabel_handle *sehandle;
 +
 	union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG);
 	union selinux_callback cb = { .func_log = log_callback_mute };
 +	sehandle = selinux_restorecon_default_handle();
 +	selinux_restorecon_set_sehandle(sehandle);
 +
 	/* Mute all logs */
 	selinux_set_callback(SELINUX_CB_LOG, cb);
 -- 
 2.48.1
--- a/SPECS/libsemanage.spec
+++ b/SPECS/libsemanage.spec
@ -1,10 +1,10 @@
 %define libsepolver 2.9-1
-%define libselinuxver 2.9-1
+%define libselinuxver 2.9-10
 Summary: SELinux binary policy manipulation library 
 Name: libsemanage
 Version: 2.9
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: LGPLv2+
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
@ -23,6 +23,8 @@ Patch0012: 0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch
 Patch0013: 0013-libsemanage-allow-spaces-in-user-group-names.patch
 Patch0014: 0014-libsemanage-always-write-kernel-policy-when-check_ex.patch
 Patch0015: 0015-libsemanage-Preserve-file-context-and-ownership-in-p.patch
 Patch0016: 0016-libsemanage-Mute-error-messages-from-selinux_restore.patch
 Patch0017: 0017-libsemanage-Set-new-restorecon-handle-before-doing-r.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
@ -169,6 +171,10 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~
 %{_libexecdir}/selinux/semanage_migrate_store
 %changelog
 * Fri Jan 24 2025 Petr Lautrbach <lautrbach@redhat.com> - 2.9-11
 - Set new restorecon handle before doing restorecon (RHEL-73348)
 - Mute error messages from selinux_restorecon
 * Mon Jul 29 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-10
 - Preserve file context and ownership in policy store (RHEL-17509)