From 901595e7a3ae003e5aec4da81dd784b8badcd394 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 5 Nov 2019 15:21:01 -0500
Subject: [PATCH] import mcstrans-2.9-1.2.el8
---
.gitignore | 2 +-
.mcstrans.metadata | 2 +-
...OURCE_LEAK-and-USE_AFTER_FREE-coveri.patch | 126 ++++++++++
...ns-Do-not-accept-incomplete-contexts.patch | 59 +++++
SOURCES/mcstrans-fedora.patch | 238 ------------------
SPECS/mcstrans.spec | 27 +-
6 files changed, 202 insertions(+), 252 deletions(-)
create mode 100644 SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
create mode 100644 SOURCES/0002-mcstrans-Do-not-accept-incomplete-contexts.patch
delete mode 100644 SOURCES/mcstrans-fedora.patch
diff --git a/.gitignore b/.gitignore
index 1b33386..fc37203 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/mcstrans-2.8.tar.gz
+SOURCES/mcstrans-2.9.tar.gz
diff --git a/.mcstrans.metadata b/.mcstrans.metadata
index 40ca1ed..c872327 100644
--- a/.mcstrans.metadata
+++ b/.mcstrans.metadata
@@ -1 +1 @@
-a52d02609e81fbfcc6de54457cc5f9c6da727c48 SOURCES/mcstrans-2.8.tar.gz
+64bea2c1cd56e0550049a548dde0ac2e53f71714 SOURCES/mcstrans-2.9.tar.gz
diff --git a/SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch b/SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
new file mode 100644
index 0000000..b12c2b8
--- /dev/null
+++ b/SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
@@ -0,0 +1,126 @@ +From eeac35fa98b8b2d323741703a2e59593d1ad200a Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Wed, 28 Nov 2018 18:28:05 +0100 +Subject: [PATCH] mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan + defects + +--- + mcstrans/src/mcstrans.c | 17 ++++++++++++++++- + mcstrans/src/mcstransd.c | 4 +++- + 2 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c +index 96bdbdff..29cadb78 100644 +--- a/mcstrans/src/mcstrans.c ++++ b/mcstrans/src/mcstrans.c +@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) { + + map->raw = strdup(raw); + if (!map->raw) { ++ free(map); + goto err; + } + map->trans = strdup(trans); + if (!map->trans) { ++ free(map->raw); ++ free(map); + goto err; + } + + log_debug(" add_cache (%s,%s)\n", raw, trans); +- if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) ++ if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) { ++ free(map->trans); ++ free(map->raw); ++ free(map); + goto err; ++ } + + if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0) + goto err; +@@ -1519,6 +1526,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) { + trans = compute_trans_from_raw(range, domain); + if (trans) + if (add_cache(domain, range, trans) < 0) { ++ free(trans); + free(range); + return -1; + } +@@ -1530,6 +1538,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) { + ltrans = compute_trans_from_raw(lrange, domain); + if (ltrans) { + if (add_cache(domain, lrange, ltrans) < 0) { ++ free(ltrans); + free(range); + return -1; + } +@@ -1548,6 +1557,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) { + utrans = compute_trans_from_raw(urange, domain); + if (utrans) { + if (add_cache(domain, urange, utrans) < 0) { ++ free(utrans); + free(ltrans); + free(range); + return -1; +@@ -1647,7 +1657,9 @@ untrans_context(const security_context_t incon, 
security_context_t *rcon) { + canonical = compute_trans_from_raw(raw, domain); + if (canonical && strcmp(canonical, range)) + if (add_cache(domain, raw, canonical) < 0) { ++ free(canonical); + free(range); ++ free(raw); + return -1; + } + } +@@ -1655,6 +1667,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) { + free(canonical); + if (add_cache(domain, raw, range) < 0) { + free(range); ++ free(raw); + return -1; + } + } else { +@@ -1672,6 +1685,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) { + canonical = compute_trans_from_raw(lraw, domain); + if (canonical) + if (add_cache(domain, lraw, canonical) < 0) { ++ free(canonical); + free(lraw); + free(range); + return -1; +@@ -1703,6 +1717,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) { + canonical = compute_trans_from_raw(uraw, domain); + if (canonical) + if (add_cache(domain, uraw, canonical) < 0) { ++ free(canonical); + free(uraw); + free(lraw); + free(range); +diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c +index 85899493..a1ec81ac 100644 +--- a/mcstrans/src/mcstransd.c ++++ b/mcstrans/src/mcstransd.c +@@ -335,6 +335,7 @@ process_events(struct pollfd **ufds, int *nfds) + /* Setup pollfd for deletion later. */ + (*ufds)[ii].fd = -1; + close(connfd); ++ connfd = -1; + /* So we don't get bothered later */ + revents = revents & ~(POLLHUP); + } +@@ -348,10 +349,11 @@ process_events(struct pollfd **ufds, int *nfds) + /* Set the pollfd up for deletion later. */ + (*ufds)[ii].fd = -1; + close(connfd); ++ connfd = -1; + + revents = revents & ~(POLLHUP); + } +- if (revents) { ++ if (revents && connfd != -1) { + syslog(LOG_ERR, "Unknown/error events (%x) encountered" + " for fd (%d)\n", revents, connfd); + +-- +2.21.0 + diff --git a/SOURCES/0002-mcstrans-Do-not-accept-incomplete-contexts.patch b/SOURCES/0002-mcstrans-Do-not-accept-incomplete-contexts.patch new file mode 100644 index 0000000..3135c30 --- /dev/null 
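Review bot: In the add_cache hunk of mcstrans.c the new cleanup only covers the first add_to_hashtable failure; the second insert into `trans_to_raw` still does a bare `goto err`, which leaves `map` reachable from `raw_to_trans` alone, so the two caches silently go out of sync and the entry is never found by translated label. Either undo the first insert before the `goto err` (if hashtable.c offers a removal) or make the intent explicit with a comment on that line such as `/* map is now owned by raw_to_trans; a failed trans_to_raw insert leaves it one-directional, not leaked */`. The `err:` label and the rest of add_cache are outside the hunk. Separately, the mcstrans-fedora.patch this commit deletes also freed `range`, `ltrans` and `utrans` on the strdup/asprintf failure paths of trans_context and `affix` in append(), while this upstream patch does not; unless the 2.9 tarball already carries those fixes, those leak paths come back and should be checked.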
+++ b/SOURCES/0002-mcstrans-Do-not-accept-incomplete-contexts.patch 
@@ -0,0 +1,59 @@ +From 659cb59cd6cfe36c954c77f945c06a0cd8218287 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 15 Apr 2019 15:22:51 +0200 +Subject: [PATCH 2/2] mcstrans: Do not accept incomplete contexts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: +$ python3 +> import selinux +> selinux.selinux_raw_context_to_color("xyz_u:xyz_r:xyz_t:") + +Traceback (most recent call last): + File "", line 2, in +OSError: [Errno 0] Error + +:: [ 10:25:45 ] :: [ BEGIN ] :: Running 'service mcstransd status' +Redirecting to /bin/systemctl status mcstransd.service +● mcstrans.service - Translates SELinux MCS/MLS labels to human readable form + Loaded: loaded (/usr/lib/systemd/system/mcstrans.service; disabled; vendor preset: disabled) + Active: failed (Result: core-dump) since Fri 2019-04-12 10:25:44 EDT; 1s ago + Process: 16681 ExecStart=/sbin/mcstransd -f (code=dumped, signal=SEGV) + Main PID: 16681 (code=dumped, signal=SEGV) + +systemd[1]: mcstrans.service: Main process exited, code=dumped, status=11/SEGV +systemd[1]: mcstrans.service: Failed with result 'core-dump'. 
+ +Signed-off-by: Petr Lautrbach +--- + mcstrans/src/mcscolor.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c +index 6ea1aa97..79fc1c8b 100644 +--- a/mcstrans/src/mcscolor.c ++++ b/mcstrans/src/mcscolor.c +@@ -272,10 +272,14 @@ static const unsigned precedence[N_COLOR][N_COLOR - 1] = { + static const secolor_t default_color = { 0x000000, 0xffffff }; + + static int parse_components(context_t con, char **components) { +- components[COLOR_USER] = (char *)context_user_get(con); +- components[COLOR_ROLE] = (char *)context_role_get(con); +- components[COLOR_TYPE] = (char *)context_type_get(con); +- components[COLOR_RANGE] = (char *)context_range_get(con); ++ if ((components[COLOR_USER] = (char *)context_user_get(con)) == NULL) ++ return -1; ++ if ((components[COLOR_ROLE] = (char *)context_role_get(con)) == NULL) ++ return -1; ++ if ((components[COLOR_TYPE] = (char *)context_type_get(con)) == NULL) ++ return -1; ++ if ((components[COLOR_RANGE] = (char *)context_range_get(con)) == NULL) ++ return -1; + + return 0; + } +-- +2.21.0 + diff --git a/SOURCES/mcstrans-fedora.patch b/SOURCES/mcstrans-fedora.patch deleted file mode 100644 index 4c515af..0000000 --- a/SOURCES/mcstrans-fedora.patch +++ /dev/null 
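Review bot: The new early returns in parse_components only prevent the NULL dereference if the caller in mcscolor.c actually checks the return value, and that call site is outside the hunk; before this patch the function could only return 0, so confirm the caller does something like `if (parse_components(con, components) < 0) goto out;` rather than ignoring the result. The check on `context_range_get` also rejects contexts that merely lack an MLS/MCS range, which is presumably acceptable for mcstransd but deserves a comment above the function, e.g. `/* All four components, including the range, are required; return -1 on anything else so callers never see a NULL component. */`. Since the SEGV in the commit message is apparently triggered by an ordinary local client passing a malformed label through libselinux, this is a daemon denial-of-service fix and is worth stating as such in the package changelog. The `(char *)` casts that strip const from the libselinux getters predate this patch and are left as is.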
@@ -1,238 +0,0 @@ -diff --git mcstrans-2.8/src/mcstrans.c mcstrans-2.8/src/mcstrans.c -index 00fb808..0d9d0f3 100644 ---- mcstrans-2.8/src/mcstrans.c -+++ mcstrans-2.8/src/mcstrans.c -@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) { - - map->raw = strdup(raw); - if (!map->raw) { -+ free(map); - goto err; - } - map->trans = strdup(trans); - if (!map->trans) { -+ free(map->raw); -+ free(map); - goto err; - } - - log_debug(" add_cache (%s,%s)\n", raw, trans); -- if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) -+ if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) { -+ free(map->trans); -+ free(map->raw); -+ free(map); - goto err; -+ } - - if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0) - goto err; -@@ -708,6 +715,7 @@ append(affix_t **affixes, const char *val) { - - err: - log_error("allocation error %s", strerror(errno)); -+ free(affix); - return -1; - } - -@@ -1517,8 +1525,11 @@ trans_context(const security_context_t incon, security_context_t *rcon) { - } else { - trans = compute_trans_from_raw(range, domain); - if (trans) -- if (add_cache(domain, range, trans) < 0) -+ if (add_cache(domain, range, trans) < 0) { -+ free(trans); -+ free(range); - return -1; -+ } - } - - if (lrange && urange) { -@@ -1526,12 +1537,16 @@ trans_context(const security_context_t incon, security_context_t *rcon) { - if (! ltrans) { - ltrans = compute_trans_from_raw(lrange, domain); - if (ltrans) { -- if (add_cache(domain, lrange, ltrans) < 0) -+ if (add_cache(domain, lrange, ltrans) < 0) { -+ free(ltrans); -+ free(range); - return -1; -+ } - } else { - ltrans = strdup(lrange); - if (! ltrans) { - log_error("strdup failed %s", strerror(errno)); -+ free(range); - return -1; - } - } -@@ -1541,25 +1556,37 @@ trans_context(const security_context_t incon, security_context_t *rcon) { - if (! 
utrans) { - utrans = compute_trans_from_raw(urange, domain); - if (utrans) { -- if (add_cache(domain, urange, utrans) < 0) -+ if (add_cache(domain, urange, utrans) < 0) { -+ free(utrans); -+ free(ltrans); -+ free(range); - return -1; -+ } - } else { - utrans = strdup(urange); - if (! utrans) { - log_error("strdup failed %s", strerror(errno)); -- return -1; -- } -- } -+ free(ltrans); -+ free(range); -+ return -1; -+ } -+ } - } - - if (strcmp(ltrans, utrans) == 0) { - if (asprintf(&trans, "%s", ltrans) < 0) { - log_error("asprintf failed %s", strerror(errno)); -+ free(utrans); -+ free(ltrans); -+ free(range); - return -1; - } - } else { - if (asprintf(&trans, "%s-%s", ltrans, utrans) < 0) { - log_error("asprintf failed %s", strerror(errno)); -+ free(utrans); -+ free(ltrans); -+ free(range); - return -1; - } - } -@@ -1629,13 +1656,22 @@ untrans_context(const security_context_t incon, security_context_t *rcon) { - if (!canonical) { - canonical = compute_trans_from_raw(raw, domain); - if (canonical && strcmp(canonical, range)) -- if (add_cache(domain, raw, canonical) < 0) -+ if (add_cache(domain, raw, canonical) < 0) { -+ free(canonical); -+ free(range); -+ free(raw); - return -1; -+ } - } -- if (canonical) -+ if (canonical) { - free(canonical); -- if (add_cache(domain, raw, range) < 0) -+ free(raw); -+ } -+ if (add_cache(domain, raw, range) < 0) { -+ free(range); -+ free(raw); - return -1; -+ } - } else { - log_debug("untrans_context unable to compute raw context %s\n", range); - } -@@ -1650,17 +1686,25 @@ untrans_context(const security_context_t incon, security_context_t *rcon) { - if (!canonical) { - canonical = compute_trans_from_raw(lraw, domain); - if (canonical) -- if (add_cache(domain, lraw, canonical) < 0) -+ if (add_cache(domain, lraw, canonical) < 0) { -+ free(canonical); -+ free(lraw); -+ free(range); - return -1; -+ } - } - if (canonical) - free(canonical); -- if (add_cache(domain, lraw, lrange) < 0) -+ if (add_cache(domain, lraw, lrange) < 0) { -+ 
free(lraw); -+ free(range); - return -1; -+ } - } else { - lraw = strdup(lrange); - if (! lraw) { - log_error("strdup failed %s", strerror(errno)); -+ free(range); - return -1; - } - } -@@ -1674,17 +1718,28 @@ untrans_context(const security_context_t incon, security_context_t *rcon) { - if (!canonical) { - canonical = compute_trans_from_raw(uraw, domain); - if (canonical) -- if (add_cache(domain, uraw, canonical) < 0) -+ if (add_cache(domain, uraw, canonical) < 0) { -+ free(canonical); -+ free(uraw); -+ free(lraw); -+ free(range); - return -1; - } -+ } - if (canonical) - free(canonical); -- if (add_cache(domain, uraw, urange) < 0) -+ if (add_cache(domain, uraw, urange) < 0) { -+ free(uraw); -+ free(lraw); -+ free(range); - return -1; -+ } - } else { - uraw = strdup(urange); - if (! uraw) { - log_error("strdup failed %s", strerror(errno)); -+ free(lraw); -+ free(range); - return -1; - } - } -@@ -1694,11 +1749,17 @@ untrans_context(const security_context_t incon, security_context_t *rcon) { - if (strcmp(lraw, uraw) == 0) { - if (asprintf(&raw, "%s", lraw) < 0) { - log_error("asprintf failed %s", strerror(errno)); -+ free(uraw); -+ free(lraw); -+ free(range); - return -1; - } - } else { - if (asprintf(&raw, "%s-%s", lraw, uraw) < 0) { - log_error("asprintf failed %s", strerror(errno)); -+ free(uraw); -+ free(lraw); -+ free(range); - return -1; - } - } -diff --git mcstrans-2.8/src/mcstransd.c mcstrans-2.8/src/mcstransd.c -index d7fc5de..a5a63d7 100644 ---- mcstrans-2.8/src/mcstransd.c -+++ mcstrans-2.8/src/mcstransd.c -@@ -345,6 +345,7 @@ process_events(struct pollfd **ufds, int *nfds) - /* Setup pollfd for deletion later. */ - (*ufds)[ii].fd = -1; - close(connfd); -+ connfd = -1; - /* So we don't get bothered later */ - revents = revents & ~(POLLHUP); - } -@@ -358,10 +359,11 @@ process_events(struct pollfd **ufds, int *nfds) - /* Set the pollfd up for deletion later. 
*/ - (*ufds)[ii].fd = -1; - close(connfd); -+ connfd = -1; - - revents = revents & ~(POLLHUP); - } -- if (revents) { -+ if (revents && connfd != -1) { - syslog(LOG_ERR, "Unknown/error events (%x) encountered" - " for fd (%d)\n", revents, connfd); - diff --git a/SPECS/mcstrans.spec b/SPECS/mcstrans.spec index 855c5af..14b576e 100644 --- a/SPECS/mcstrans.spec +++ b/SPECS/mcstrans.spec @@ -1,16 +1,14 @@ Summary: SELinux Translation Daemon Name: mcstrans -Version: 2.8 -Release: 2%{?dist} +Version: 2.9 +Release: 1.2%{?dist} License: GPL+ Url: https://github.com/SELinuxProject/selinux/wiki -Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/mcstrans-2.8.tar.gz +Source: https://github.com/SELinuxProject/selinux/releases/download/20190315/mcstrans-2.9.tar.gz Source2: secolor.conf.8 -# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh -# run: -# $ VERSION=2.8 ./make-fedora-selinux-patch.sh mcstrans -# HEAD 2b4b29f00e5f0746ff10e09686a23c6e96a11d5f -Patch1: mcstrans-fedora.patch +# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done +Patch0001: 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch +Patch0002: 0002-mcstrans-Do-not-accept-incomplete-contexts.patch BuildRequires: gcc BuildRequires: libselinux-devel >= %{version} BuildRequires: libcap-devel pcre-devel libsepol-devel libsepol-static @@ -36,14 +34,13 @@ mcstrans provides an translation daemon to translate SELinux categories from internal representations to user defined representation. %prep -%autosetup -p 1 -n mcstrans-%{version} +%autosetup -p 2 -n mcstrans-%{version} %build -make clean -make LIBDIR="%{_libdir}" LDFLAGS="%{?__global_ldflags}" CFLAGS="%{__global_cflags}" %{?_smp_mflags} +%set_build_flags +make LIBDIR="%{_libdir}" %{?_smp_mflags} %install -rm -rf %{buildroot} mkdir -p %{buildroot}/%{_lib} mkdir -p %{buildroot}/%{_libdir} mkdir -p %{buildroot}%{_usr}/share/mcstrans 
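Review bot: The new `Source:` line pulls the 2.9 tarball from a GitHub release URL, but the spec still performs no signature verification; the only integrity anchor is the SHA-1 recorded in .mcstrans.metadata, which is enforced by the lookaside cache rather than by this spec. If upstream publishes a detached `.asc` next to the tarball (the SELinux userspace releases appear to), add it as `Source1:` together with a keyring file and run `%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}` in %prep (the macro ships with redhat-rpm-config on el8); otherwise a comment such as `# Tarball integrity is checked only via the SHA-1 in .mcstrans.metadata` makes the trust assumption explicit. The shell one-liner kept as a comment above the Patch lines is fine as provenance, but a short note that the patches come from the upstream monorepo would help the next maintainer.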
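Review bot: Replacing the explicit `CFLAGS="%{__global_cflags}" LDFLAGS="%{?__global_ldflags}"` make arguments with `%set_build_flags` only keeps the distro hardening flags (-D_FORTIFY_SOURCE, -fstack-protector-strong, PIE/RELRO) if mcstrans's Makefile takes CFLAGS/LDFLAGS from the environment (`CFLAGS ?=`); a plain `CFLAGS =` would drop them silently for a system daemon. Please confirm in the build log that the compile and link lines carry those flags, or keep passing them on the command line: `make LIBDIR="%{_libdir}" CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" %{?_smp_mflags}`. The switch from `%autosetup -p 1` to `-p 2` is correct for the new patches' `a/mcstrans/src/...` paths but is easy to trip over later, so a one-line comment such as `# patches are from the upstream selinux monorepo, hence -p 2` would help. Dropping `make clean` and `rm -rf %{buildroot}` is fine in a fresh buildroot.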
@@ -75,6 +72,9 @@ rm -rf %{buildroot} %{_mandir}/man8/mcs.8.gz %{_mandir}/man8/mcstransd.8.gz %{_mandir}/man8/setrans.conf.8.gz +%{_mandir}/ru/man8/mcs.8.gz +%{_mandir}/ru/man8/mcstransd.8.gz +%{_mandir}/ru/man8/setrans.conf.8.gz %{_mandir}/man8/secolor.conf.8.gz /usr/sbin/mcstransd %{_unitdir}/mcstrans.service @@ -92,6 +92,9 @@ rm -rf %{buildroot} %{_usr}/share/mcstrans/util/* %changelog +* Fri Apr 12 2019 Petr Lautrbach - 2.9-1.2 +- SELinux userspace 2.9 release + * Sun Dec 16 2018 Petr Lautrbach - 2.8-2 - Fix RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects