diff --git a/0004-mcstrans-Fix-translation-for-uncached-entries.patch b/0004-mcstrans-Fix-translation-for-uncached-entries.patch
new file mode 100644
index 0000000..57d0e6a
--- /dev/null
+++ b/0004-mcstrans-Fix-translation-for-uncached-entries.patch
@@ -0,0 +1,108 @@
+From 3690ceca8f1e23914655e3e514cad35c5e9006f5 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Mon, 16 Feb 2026 20:40:11 +0100
+Subject: [PATCH] mcstrans: Fix translation for uncached entries
+
+trans_context:
+In case the raw context is not found in cache (find_in_hashtable returns
+NULL) and the context does not contain a dash (dashp == NULL),
+compute_trans_from_raw gets executed, but the translation (trans) gets
+freed immediately after caching, at the end of the "for" loop.
+
+untrans_context:
+Same as trans_context, if the translation is not cached and "range" does
+not contain a dash, compute_raw_from_trans is called, but the
+translation (raw) gets freed right after the reverse translation is
+computed and cached.
+
+Also, fix the README for "nato" example and add README for "pipes"
+example of setrans configuration.
+
+Fixes:
+ Pipes/NATO examples from /usr/share/mcstrans/examples
+
+ $ /usr/share/mcstrans/util/mlstrans-test pipes.test
+untrans: 'a:b:c:Restricted Handle Via Iron Pipes Only' -> 'a:b:c:Restricted Handle Via Iron Pipes Only' != 'a:b:c:s2:c102,c200.c511' FAILED
+untrans: 'a:b:c:Restricted Handle Via Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Copper Pipes Only' != 'a:b:c:s2:c103,c200.c511' FAILED
+untrans: 'a:b:c:Restricted Handle Via Plastic Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic Pipes Only' != 'a:b:c:s2:c101,c200.c511' FAILED
+untrans: 'a:b:c:Restricted Handle Via Galvanized Pipes Only' -> 'a:b:c:Restricted Handle Via Galvanized Pipes Only' != 'a:b:c:s2:c104,c200.c511' FAILED
+untrans: 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Plastic,Iron,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
+untrans: 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' -> 'a:b:c:Restricted Handle Via Iron,Plastic,Copper Pipes Only' != 'a:b:c:s2:c101.c103,c200.c511' FAILED
+mlstrans-test done with 6 errors
+
+Signed-off-by: Vit Mojzis
+Acked-by: James Carter
+---
+ mcstrans/share/examples/nato/README | 8 +++-----
+ mcstrans/share/examples/pipes/README | 10 ++++++++++
+ mcstrans/src/mcstrans.c | 5 ++++-
+ 3 files changed, 17 insertions(+), 6 deletions(-)
+ create mode 100644 mcstrans/share/examples/pipes/README
+
+diff --git a/mcstrans/share/examples/nato/README b/mcstrans/share/examples/nato/README
+index b8b30bf7..7d75e0d6 100644
+--- a/mcstrans/share/examples/nato/README
++++ b/mcstrans/share/examples/nato/README
+@@ -1,12 +1,10 @@
+ NATO example test setrans.conf
+
+ To use:
+-mkdir /etc/selinux/mls/mcstrand.d
+-cp rel.conf /etc/selinux/mls/mcstrand.d
+-cp eyes-only.conf /etc/selinux/mls/mcstrand.d
+-cp constraints.conf /etc/selinux/mls/mcstrand.d
++rm -f /etc/selinux/mls/setrans.d/*
++cp setrans.d/* /etc/selinux/mls/setrans.d
+ cp setrans.conf /etc/selinux/mls/setrans.conf
+-sudo run_init /etc/init.d/mcstrans restart
++run_init /etc/init.d/mcstrans restart
+
+ To test:
+ /usr/share/mcstrans/util/mlstrans-test nato.test
+diff --git a/mcstrans/share/examples/pipes/README b/mcstrans/share/examples/pipes/README
+new file mode 100644
+index 00000000..3963d300
+--- /dev/null
++++ b/mcstrans/share/examples/pipes/README
+@@ -0,0 +1,10 @@
++PIPES example test setrans.conf
++
++To use:
++rm -f /etc/selinux/mls/setrans.d/*
++cp setrans.d/* /etc/selinux/mls/setrans.d
++cp setrans.conf /etc/selinux/mls/setrans.conf
++run_init /etc/init.d/mcstrans restart
++
++To test:
++/usr/share/mcstrans/util/mlstrans-test pipes.test
+diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
+index af3f507e..f4348aec 100644
+--- a/mcstrans/src/mcstrans.c
++++ b/mcstrans/src/mcstrans.c
+@@ -1573,12 +1573,14 @@ trans_context(const char *incon, char **rcon) {
+ urange = dashp+1;
+ } else {
+ trans = compute_trans_from_raw(range, domain);
+- if (trans)
++ if (trans) {
+ if (add_cache(domain, range, trans) < 0) {
+ free(trans);
+ free(range);
+ return -1;
+ }
++ break;
++ }
+ }
+
+ if (lrange && urange) {
+@@ -1723,6 +1725,7 @@ untrans_context(const char *incon, char **rcon) {
+ free(raw);
+ return -1;
+ }
++ break;
+ } else {
+ log_debug("untrans_context unable to compute raw context %s\n", range);
+ }
+--
+2.53.0
+
diff --git a/mcstrans.spec b/mcstrans.spec
index d581e4b..bb4498e 100644
--- a/mcstrans.spec
+++ b/mcstrans.spec
@@ -1,7 +1,7 @@
 Summary: SELinux Translation Daemon
 Name: mcstrans
 Version: 3.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL+
 Url: https://github.com/SELinuxProject/selinux/wiki
 Source: https://github.com/SELinuxProject/selinux/releases/download/3.6/mcstrans-3.6.tar.gz
@@ -12,6 +12,7 @@ Source2: secolor.conf.8
 Patch0001: 0001-mcstrans-Do-not-accept-incomplete-contexts.patch
 Patch0002: 0002-Revert-Do-not-automatically-install-Russian-translat.patch
 Patch0003: 0003-Revert-mcstrans-Remove-the-Russian-translations.patch
+Patch0004: 0004-mcstrans-Fix-translation-for-uncached-entries.patch
 # Patch list end
 BuildRequires: gcc
 BuildRequires: make
@@ -94,6 +95,9 @@ install -m644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
 %{_usr}/share/mcstrans/util/*
 %changelog
+* Tue May 05 2026 Vit Mojzis - 3.6-2
+- Fix translation for uncached entries (RHEL-173428)
+
 * Thu Dec 14 2023 Petr Lautrbach - 3.6-1
 - SELinux userspace 3.6 release
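Review bot: The two added `break` statements in mcstrans/src/mcstrans.c (after the `add_cache` call in `trans_context`, and after the `add_cache` error block in `untrans_context`) are what keep the freshly computed string alive, but the code carries no comment saying so. According to the commit description the string is otherwise freed at the end of the `for` iteration, so a later cleanup that removes or moves a `break` would bring the bug back without any compiler or runtime signal. A comment on each would record the intent, for example `/* result computed and cached: leave the loop before the end-of-iteration free() */`. The symptom quoted in the description is a label handed back untranslated rather than an error, so it may also be worth checking that the `pipes.test` and `nato.test` runs are part of whatever gating this package has; that cannot be judged from this page. Both function bodies begin and end outside the hunks shown, so the free at the end of the loop is taken from the description, not from visible lines.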