libsepol-3.4-2

- Restore error on context rule conflicts (#2127399)
Resolves: rhbz#2127399

0002-libsepol-cil-restore-error-on-context-rule-conflicts.patch

@@ -0,0 +1,50 @@
+From 4446a0661b4113a91a2b5d693d497de939b44843 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 12 Oct 2022 16:27:51 +0200
+Subject: [PATCH] libsepol/cil: restore error on context rule conflicts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+Commit bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for
+context rule conflicts") reworked the processing of context rule
+conflicts to limit the number of written conflicting statements to
+increase readability of the printed error message.  It forgot to set the
+return value, signaling a context conflict, in the case the logging
+level is higher than warning (e.g. in semodule(8), which defaults to
+error).
+
+Reported-by: Milos Malik <mmalik@redhat.com> [1]
+Fixes: bc26ddc59c8d ("libsepol/cil: Limit the amount of reporting for context rule conflicts")
+
+[1]: https://lore.kernel.org/selinux/87y1u1rkoo.fsf@redhat.com/
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ libsepol/cil/src/cil_post.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
+index 6e95225f93f1..11e572e274aa 100644
+--- a/libsepol/cil/src/cil_post.c
++++ b/libsepol/cil/src/cil_post.c
+@@ -2290,6 +2290,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
+ 		} else {
+ 			removed++;
+ 			if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) {
++				rc = SEPOL_ERR;
+ 				conflicting++;
+ 				if (log_level >= CIL_WARN) {
+ 					struct cil_list_item li;
+@@ -2297,7 +2298,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
+ 					li.flavor = flavor;
+ 					if (conflicting == 1) {
+ 						cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str);
+-						rc = SEPOL_ERR;
+ 						li.data = sort->array[i];
+ 						rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
+ 											NULL, NULL, &li);
+-- 
+2.37.3
+

libsepol.spec

@@ -1,7 +1,7 @@
 Summary: SELinux binary policy manipulation library
 Name: libsepol
 Version: 3.4
-Release: 1.1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2+
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/libsepol-3.4.tar.gz
 URL: https://github.com/SELinuxProject/selinux/wiki
@@ -11,6 +11,7 @@ URL: https://github.com/SELinuxProject/selinux/wiki
 # $ i=1; for j in 0*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 Patch0001: 0001-libsepol-Bring-back-POLICYDB_CAPABILITY_-constants.patch
+Patch0002: 0002-libsepol-cil-restore-error-on-context-rule-conflicts.patch
 # Patch list end
 BuildRequires: make
 BuildRequires: gcc
@@ -107,6 +108,9 @@ rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
 %{_mandir}/man8/chkcon.8.gz
 
 %changelog
+* Wed Oct 12 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-2
+- Restore error on context rule conflicts (#2127399)
+
 * Mon May 23 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1.1
 - SELinux userspace 3.4 release