diff --git a/SOURCES/0013-libsemanage-always-write-kernel-policy-when-check_ex.patch b/SOURCES/0013-libsemanage-always-write-kernel-policy-when-check_ex.patch
new file mode 100644
index 0000000..b9d932f
--- /dev/null
+++ b/SOURCES/0013-libsemanage-always-write-kernel-policy-when-check_ex.patch
@@ -0,0 +1,59 @@
+From 330b6efa010b3dac732beb49c98894a99dab0545 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Wed, 8 Jun 2022 19:09:53 +0200
+Subject: [PATCH] libsemanage: always write kernel policy when
+ check_ext_changes is specified
+
+For the use case of rebuilding the policy after package updates, we need
+the check_ext_changes operation to always do at least the do_write_kernel
+step, because the various semanage dbs may have also changed content
+relative to the current binary policy. As this step is itself relatively
+fast, we can do it unconditionally.
+
+Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
+Signed-off-by: Ondrej Mosnacek
+Acked-by: Nicolas Iooss
+---
+ libsemanage/include/semanage/handle.h | 2 +-
+ libsemanage/src/direct_api.c | 8 +++++---
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
+index 7f298a49..df919a14 100644
+--- a/libsemanage/include/semanage/handle.h
++++ b/libsemanage/include/semanage/handle.h
+@@ -67,7 +67,7 @@ void semanage_set_reload(semanage_handle_t * handle, int do_reload);
+ void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
+ 
+ /* set whether to rebuild the policy on commit when potential changes
+- * to module files since last rebuild are detected,
++ * to store files since last rebuild are detected,
+ * 1 for yes (default), 0 for no */
+ extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check);
+ 
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index bbdca2b2..252fc5bb 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -1430,13 +1430,15 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ * Determine what else needs to be done.
+ * We need to write the kernel policy if we are rebuilding
+ * or if any other policy component that lives in the kernel
+- * policy has been modified.
++ * policy has been modified. We also want to force it when
++ * check_ext_changes was specified as the various dbases may have
++ * changes as well.
+ * We need to install the policy files if any of the managed files
+ * that live under /etc/selinux (kernel policy, seusers, file contexts)
+ * will be modified.
+ */
+- do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified |
+- ibendports_modified |
++ do_write_kernel = do_rebuild | sh->check_ext_changes |
++ ports_modified | ibpkeys_modified | ibendports_modified |
+ bools->dtable->is_modified(bools->dbase) |
+ ifaces->dtable->is_modified(ifaces->dbase) |
+ nodes->dtable->is_modified(nodes->dbase) |
+-- 
+2.37.3
+
diff --git a/SPECS/libsemanage.spec b/SPECS/libsemanage.spec
index 8347d9e..c1d0d11 100644
--- a/SPECS/libsemanage.spec
+++ b/SPECS/libsemanage.spec
@@ -4,7 +4,7 @@
 Summary: SELinux binary policy manipulation library
 Name: libsemanage
 Version: 2.9
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: LGPLv2+
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
@@ -20,6 +20,7 @@ Patch0009: 0009-semodule-libsemanage-move-module-hashing-into-libsem.patch
 Patch0010: 0010-libsemanage-move-compressed-file-handling-into-a-sep.patch
 Patch0011: 0011-libsemanage-clean-up-semanage_direct_commit-a-bit.patch
 Patch0012: 0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch
+Patch0013: 0013-libsemanage-always-write-kernel-policy-when-check_ex.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
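Review bot: In the direct_api.c hunk the new `sh->check_ext_changes` operand makes `do_write_kernel` true on every commit for which the flag is set, and the handle.h comment carried in the same patch documents 1 as the flag's default, so if that default is accurate the binary policy is now regenerated on every commit unless the caller explicitly opts out; confirm that the default assigned in handle.c matches the comment, or correct the comment, because the "relatively fast" claim in the commit message is what justifies doing this unconditionally. The hunk ends before `do_install` is derived, and the freshly written policy only reaches the managed files under /etc/selinux if that step keys off `do_write_kernel`; the comment about managed files suggests it does, but the remainder of `semanage_direct_commit`, which starts and ends outside the hunk, is where to verify it. The flag is combined with bitwise `|` like the other operands, so a caller passing a value other than 0 or 1 still yields a non-zero result, which is fine only as long as `do_write_kernel` is tested for truth rather than compared against 1.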
@@ -165,6 +166,9 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~
 %{_libexecdir}/selinux/semanage_migrate_store
 %changelog
+* Tue Oct 11 2022 Vit Mojzis - 2.9-9
+- always write kernel policy when check_ext_changes is specified (#2129139)
+
 * Tue Feb 22 2022 Vit Mojzis - 2.9-8
 - Bump release to get around OSCI issues