mcstrans-3.6-2

- Fix translation for uncached entries Resolves: RHEL-173428
2026-05-05 14:48:06 +02:00 · 2026-05-05 14:48:06 +02:00 · 4471f98292
commit 4471f98292
parent 048836340a
2 changed files with 113 additions and 1 deletions
--- a/0004-mcstrans-Fix-translation-for-uncached-entries.patch
+++ b/0004-mcstrans-Fix-translation-for-uncached-entries.patch
@ -0,0 +1,108 @@
+From 3690ceca8f1e23914655e3e514cad35c5e9006f5 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 16 Feb 2026 20:40:11 +0100
+Subject: [PATCH] mcstrans: Fix translation for uncached entries
+
+trans_context:
+In case the raw context is not found in cache (find_in_hashtable returns
+NULL) and the context does not contain a dash (dashp == NULL),
+compute_trans_from_raw gets executed, but the translation (trans) gets
+freed immediately after caching, at the end of the "for" loop.
+
+untrans_context:
+Same as trans_context, if the translation is not cached and "range" does
+not contain a dash, compute_raw_from_trans is called, but the
+translation (raw) gets freed right after the reverse translation is
+computed and cached.
+
+Also, fix the README for "nato" example and add README for "pipes"
+example of setrans configuration.
+
+Fixes:
+  Pipes/NATO examples from /usr/share/mcstrans/examples
+
+  $ /usr/share/mcstrans/util/mlstrans-test pipes.test
+untrans: 'a:b:c:Restricted Handle Via Iron Pipes Only' -> 'a:b:c:Restricted Handle Via Iron Pipes Only' != 'a:b:c:s2:c102,c200.c511' FAILED
+untrans: 'a:b:c:Restricted Handle Via Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Copper Pipes Only' != 'a:b:c:s2:c103,c200.c511' FAILED
+untrans: 'a:b:c:Restricted Handle Via Plastic Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic Pipes Only' != 'a:b:c:s2:c101,c200.c511' FAILED
+untrans: 'a:b:c:Restricted Handle Via Galvanized Pipes Only' -> 'a:b:c:Restricted Handle Via Galvanized Pipes Only' != 'a:b:c:s2:c104,c200.c511' FAILED
+untrans: 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
+untrans: 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
+mlstrans-test done with 6 errors
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ mcstrans/share/examples/nato/README  |  8 +++-----
+ mcstrans/share/examples/pipes/README | 10 ++++++++++
+ mcstrans/src/mcstrans.c              |  5 ++++-
+ 3 files changed, 17 insertions(+), 6 deletions(-)
+ create mode 100644 mcstrans/share/examples/pipes/README
+
+diff --git a/mcstrans/share/examples/nato/README b/mcstrans/share/examples/nato/README
+index b8b30bf7..7d75e0d6 100644
+--- a/mcstrans/share/examples/nato/README
+++ b/mcstrans/share/examples/nato/README
+@@ -1,12 +1,10 @@
+ NATO example test setrans.conf
+ 
+ To use:
+-mkdir /etc/selinux/mls/mcstrand.d
+-cp rel.conf /etc/selinux/mls/mcstrand.d
+-cp eyes-only.conf /etc/selinux/mls/mcstrand.d
+-cp constraints.conf /etc/selinux/mls/mcstrand.d
+rm -f /etc/selinux/mls/setrans.d/*
+cp setrans.d/*  /etc/selinux/mls/setrans.d
+ cp setrans.conf /etc/selinux/mls/setrans.conf
+-sudo run_init /etc/init.d/mcstrans restart
+run_init /etc/init.d/mcstrans restart
+ 
+ To test:
+ /usr/share/mcstrans/util/mlstrans-test nato.test
+diff --git a/mcstrans/share/examples/pipes/README b/mcstrans/share/examples/pipes/README
+new file mode 100644
+index 00000000..3963d300
+--- /dev/null
+++ b/mcstrans/share/examples/pipes/README
+@@ -0,0 +1,10 @@
+PIPES example test setrans.conf
+
+To use:
+rm -f /etc/selinux/mls/setrans.d/*
+cp setrans.d/*  /etc/selinux/mls/setrans.d
+cp setrans.conf /etc/selinux/mls/setrans.conf
+run_init /etc/init.d/mcstrans restart
+
+To test:
+/usr/share/mcstrans/util/mlstrans-test pipes.test
+diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
+index af3f507e..f4348aec 100644
+--- a/mcstrans/src/mcstrans.c
+++ b/mcstrans/src/mcstrans.c
+@@ -1573,12 +1573,14 @@ trans_context(const char *incon, char **rcon) {
+ 			urange = dashp+1;
+ 		} else {
+ 			trans = compute_trans_from_raw(range, domain);
+-			if (trans)
+			if (trans) {
+ 				if (add_cache(domain, range, trans) < 0) {
+ 					free(trans);
+ 					free(range);
+ 					return -1;
+ 				}
+				break;
+			}
+ 		}
+ 
+ 		if (lrange && urange) {
+@@ -1723,6 +1725,7 @@ untrans_context(const char *incon, char **rcon) {
+ 					free(raw);
+ 					return -1;
+ 				}
+				break;
+ 			} else {
+ 				log_debug("untrans_context unable to compute raw context %s\n", range);
+ 			}
+-- 
+2.53.0
+
--- a/mcstrans.spec
+++ b/mcstrans.spec
@ -1,7 +1,7 @@
 Summary: SELinux Translation Daemon
 Name: mcstrans
 Version: 3.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL+
 Url: https://github.com/SELinuxProject/selinux/wiki
 Source: https://github.com/SELinuxProject/selinux/releases/download/3.6/mcstrans-3.6.tar.gz
@ -12,6 +12,7 @@ Source2: secolor.conf.8
 Patch0001: 0001-mcstrans-Do-not-accept-incomplete-contexts.patch
 Patch0002: 0002-Revert-Do-not-automatically-install-Russian-translat.patch
 Patch0003: 0003-Revert-mcstrans-Remove-the-Russian-translations.patch
+Patch0004: 0004-mcstrans-Fix-translation-for-uncached-entries.patch
 # Patch list end
 BuildRequires: gcc
 BuildRequires: make
@ -94,6 +95,9 @@ install -m644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
 %{_usr}/share/mcstrans/util/*

 %changelog
+* Tue May 05 2026 Vit Mojzis <vmojzis@redhat.com> - 3.6-2
+- Fix translation for uncached entries (RHEL-173428)
+
 * Thu Dec 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-1
 - SELinux userspace 3.6 release