import mcstrans-2.9-1.2.el8

.gitignore

@@ -1 +1 @@
-SOURCES/mcstrans-2.8.tar.gz
+SOURCES/mcstrans-2.9.tar.gz

.mcstrans.metadata

@@ -1 +1 @@
-a52d02609e81fbfcc6de54457cc5f9c6da727c48 SOURCES/mcstrans-2.8.tar.gz
+64bea2c1cd56e0550049a548dde0ac2e53f71714 SOURCES/mcstrans-2.9.tar.gz

SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch

@@ -0,0 +1,126 @@
+From eeac35fa98b8b2d323741703a2e59593d1ad200a Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 28 Nov 2018 18:28:05 +0100
+Subject: [PATCH] mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan
+ defects
+
+---
+ mcstrans/src/mcstrans.c  | 17 ++++++++++++++++-
+ mcstrans/src/mcstransd.c |  4 +++-
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
+index 96bdbdff..29cadb78 100644
+--- a/mcstrans/src/mcstrans.c
++++ b/mcstrans/src/mcstrans.c
+@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) {
+ 
+ 	map->raw = strdup(raw);
+ 	if (!map->raw) {
++		free(map);
+ 		goto err;
+ 	}
+ 	map->trans = strdup(trans);
+ 	if (!map->trans) {
++		free(map->raw);
++		free(map);
+ 		goto err;
+ 	}
+ 
+ 	log_debug(" add_cache (%s,%s)\n", raw, trans);
+-	if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0)
++	if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) {
++		free(map->trans);
++		free(map->raw);
++		free(map);
+ 		goto err;
++	}
+ 
+ 	if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0)
+ 		goto err;
+@@ -1519,6 +1526,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
+ 			trans = compute_trans_from_raw(range, domain);
+ 			if (trans)
+ 				if (add_cache(domain, range, trans) < 0) {
++					free(trans);
+ 					free(range);
+ 					return -1;
+ 				}
+@@ -1530,6 +1538,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
+ 				ltrans = compute_trans_from_raw(lrange, domain);
+ 				if (ltrans) {
+ 					if (add_cache(domain, lrange, ltrans) < 0) {
++						free(ltrans);
+ 						free(range);
+ 						return -1;
+ 					}
+@@ -1548,6 +1557,7 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
+ 				utrans = compute_trans_from_raw(urange, domain);
+ 				if (utrans) {
+ 					if (add_cache(domain, urange, utrans) < 0) {
++						free(utrans);
+ 						free(ltrans);
+ 						free(range);
+ 						return -1;
+@@ -1647,7 +1657,9 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
+ 					canonical = compute_trans_from_raw(raw, domain);
+ 					if (canonical && strcmp(canonical, range))
+ 						if (add_cache(domain, raw, canonical) < 0) {
++							free(canonical);
+ 							free(range);
++							free(raw);
+ 							return -1;
+ 						}
+ 				}
+@@ -1655,6 +1667,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
+ 					free(canonical);
+ 				if (add_cache(domain, raw, range) < 0) {
+ 					free(range);
++					free(raw);
+ 					return -1;
+ 				}
+ 			} else {
+@@ -1672,6 +1685,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
+ 						canonical = compute_trans_from_raw(lraw, domain);
+ 						if (canonical)
+ 							if (add_cache(domain, lraw, canonical) < 0) {
++								free(canonical);
+ 								free(lraw);
+ 								free(range);
+ 								return -1;
+@@ -1703,6 +1717,7 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
+ 						canonical = compute_trans_from_raw(uraw, domain);
+ 						if (canonical)
+ 							if (add_cache(domain, uraw, canonical) < 0) {
++								free(canonical);
+ 								free(uraw);
+ 								free(lraw);
+ 								free(range);
+diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c
+index 85899493..a1ec81ac 100644
+--- a/mcstrans/src/mcstransd.c
++++ b/mcstrans/src/mcstransd.c
+@@ -335,6 +335,7 @@ process_events(struct pollfd **ufds, int *nfds)
+ 					/* Setup pollfd for deletion later. */
+ 					(*ufds)[ii].fd = -1;
+ 					close(connfd);
++					connfd = -1;
+ 					/* So we don't get bothered later */
+ 					revents = revents & ~(POLLHUP);
+ 				}
+@@ -348,10 +349,11 @@ process_events(struct pollfd **ufds, int *nfds)
+ 			/* Set the pollfd up for deletion later. */
+ 			(*ufds)[ii].fd = -1;
+ 			close(connfd);
++			connfd = -1;
+ 
+ 			revents = revents & ~(POLLHUP);
+ 		}
+-		if (revents) {
++		if (revents && connfd != -1) {
+ 			syslog(LOG_ERR, "Unknown/error events (%x) encountered"
+ 					" for fd (%d)\n", revents, connfd);
+ 
+-- 
+2.21.0
+

SOURCES/0002-mcstrans-Do-not-accept-incomplete-contexts.patch

@@ -0,0 +1,59 @@
+From 659cb59cd6cfe36c954c77f945c06a0cd8218287 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 15 Apr 2019 15:22:51 +0200
+Subject: [PATCH 2/2] mcstrans: Do not accept incomplete contexts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+$ python3
+> import selinux
+> selinux.selinux_raw_context_to_color("xyz_u:xyz_r:xyz_t:")
+
+Traceback (most recent call last):
+  File "<stdin>", line 2, in <module>
+OSError: [Errno 0] Error
+
+:: [ 10:25:45 ] :: [  BEGIN   ] :: Running 'service mcstransd status'
+Redirecting to /bin/systemctl status mcstransd.service
+● mcstrans.service - Translates SELinux MCS/MLS labels to human readable form
+   Loaded: loaded (/usr/lib/systemd/system/mcstrans.service; disabled; vendor preset: disabled)
+   Active: failed (Result: core-dump) since Fri 2019-04-12 10:25:44 EDT; 1s ago
+  Process: 16681 ExecStart=/sbin/mcstransd -f (code=dumped, signal=SEGV)
+ Main PID: 16681 (code=dumped, signal=SEGV)
+
+systemd[1]: mcstrans.service: Main process exited, code=dumped, status=11/SEGV
+systemd[1]: mcstrans.service: Failed with result 'core-dump'.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ mcstrans/src/mcscolor.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c
+index 6ea1aa97..79fc1c8b 100644
+--- a/mcstrans/src/mcscolor.c
++++ b/mcstrans/src/mcscolor.c
+@@ -272,10 +272,14 @@ static const unsigned precedence[N_COLOR][N_COLOR - 1] = {
+ static const secolor_t default_color = { 0x000000, 0xffffff };
+ 
+ static int parse_components(context_t con, char **components) {
+-	components[COLOR_USER] = (char *)context_user_get(con);
+-	components[COLOR_ROLE] = (char *)context_role_get(con);
+-	components[COLOR_TYPE] = (char *)context_type_get(con);
+-	components[COLOR_RANGE] = (char *)context_range_get(con);
++	if ((components[COLOR_USER] = (char *)context_user_get(con)) == NULL)
++		return -1;
++	if ((components[COLOR_ROLE] = (char *)context_role_get(con)) == NULL)
++		return -1;
++	if ((components[COLOR_TYPE] = (char *)context_type_get(con)) == NULL)
++		return -1;
++	if ((components[COLOR_RANGE] = (char *)context_range_get(con)) == NULL)
++		return -1;
+ 
+ 	return 0;
+ }
+-- 
+2.21.0
+

SOURCES/mcstrans-fedora.patch

@@ -1,238 +0,0 @@
-diff --git mcstrans-2.8/src/mcstrans.c mcstrans-2.8/src/mcstrans.c
-index 00fb808..0d9d0f3 100644
---- mcstrans-2.8/src/mcstrans.c
-+++ mcstrans-2.8/src/mcstrans.c
-@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) {
- 
- 	map->raw = strdup(raw);
- 	if (!map->raw) {
-+		free(map);
- 		goto err;
- 	}
- 	map->trans = strdup(trans);
- 	if (!map->trans) {
-+		free(map->raw);
-+		free(map);
- 		goto err;
- 	}
- 
- 	log_debug(" add_cache (%s,%s)\n", raw, trans);
--	if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0)
-+	if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) {
-+		free(map->trans);
-+		free(map->raw);
-+		free(map);
- 		goto err;
-+	}
- 
- 	if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0)
- 		goto err;
-@@ -708,6 +715,7 @@ append(affix_t **affixes, const char *val) {
- 
- err:
- 	log_error("allocation error %s", strerror(errno));
-+	free(affix);
- 	return -1;
- }
- 
-@@ -1517,8 +1525,11 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
- 		} else {
- 			trans = compute_trans_from_raw(range, domain);
- 			if (trans)
--				if (add_cache(domain, range, trans) < 0)
-+				if (add_cache(domain, range, trans) < 0) {
-+					free(trans);
-+					free(range);
- 					return -1;
-+				}
- 		}
- 
- 		if (lrange && urange) {
-@@ -1526,12 +1537,16 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
- 			if (! ltrans) {
- 				ltrans = compute_trans_from_raw(lrange, domain);
- 				if (ltrans) {
--					if (add_cache(domain, lrange, ltrans) < 0)
-+					if (add_cache(domain, lrange, ltrans) < 0) {
-+						free(ltrans);
-+						free(range);
- 						return -1;
-+					}
- 				} else {
- 					ltrans = strdup(lrange);
- 					if (! ltrans) {
- 						log_error("strdup failed %s", strerror(errno));
-+						free(range);
- 						return -1;
- 					}
- 				}
-@@ -1541,25 +1556,37 @@ trans_context(const security_context_t incon, security_context_t *rcon) {
- 			if (! utrans) {
- 				utrans = compute_trans_from_raw(urange, domain);
- 				if (utrans) {
--					if (add_cache(domain, urange, utrans) < 0)
-+					if (add_cache(domain, urange, utrans) < 0) {
-+						free(utrans);
-+						free(ltrans);
-+						free(range);
- 						return -1;
-+					}
- 				} else {
- 					utrans = strdup(urange);
- 					if (! utrans) {
- 						log_error("strdup failed %s", strerror(errno));
-- 						return -1;
-- 					}
-- 				}
-+						free(ltrans);
-+						free(range);
-+						return -1;
-+					}
-+				}
- 			}
- 
- 			if (strcmp(ltrans, utrans) == 0) {
- 				if (asprintf(&trans, "%s", ltrans) < 0) {
- 					log_error("asprintf failed %s", strerror(errno));
-+					free(utrans);
-+					free(ltrans);
-+					free(range);
- 					return -1;
- 				}
- 			} else {
- 				if (asprintf(&trans, "%s-%s", ltrans, utrans) < 0) {
- 					log_error("asprintf failed %s", strerror(errno));
-+					free(utrans);
-+					free(ltrans);
-+					free(range);
- 					return -1;
- 				}
- 			}
-@@ -1629,13 +1656,22 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
- 				if (!canonical) {
- 					canonical = compute_trans_from_raw(raw, domain);
- 					if (canonical && strcmp(canonical, range))
--						if (add_cache(domain, raw, canonical) < 0)
-+						if (add_cache(domain, raw, canonical) < 0) {
-+							free(canonical);
-+							free(range);
-+							free(raw);
- 							return -1;
-+						}
- 				}
--				if (canonical)
-+				if (canonical) {
- 					free(canonical);
--				if (add_cache(domain, raw, range) < 0)
-+					free(raw);
-+				}
-+				if (add_cache(domain, raw, range) < 0) {
-+					free(range);
-+					free(raw);
- 					return -1;
-+				}
- 			} else {
- 				log_debug("untrans_context unable to compute raw context %s\n", range);
- 			}
-@@ -1650,17 +1686,25 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
- 					if (!canonical) {
- 						canonical = compute_trans_from_raw(lraw, domain);
- 						if (canonical)
--							if (add_cache(domain, lraw, canonical) < 0)
-+							if (add_cache(domain, lraw, canonical) < 0) {
-+								free(canonical);
-+								free(lraw);
-+								free(range);
- 								return -1;
-+							}
- 					}
- 					if (canonical)
- 						free(canonical);
--					if (add_cache(domain, lraw, lrange) < 0)
-+					if (add_cache(domain, lraw, lrange) < 0) {
-+						free(lraw);
-+						free(range);
- 						return -1;
-+					}
- 				} else {
- 					lraw = strdup(lrange);
- 					if (! lraw) {
- 						log_error("strdup failed %s", strerror(errno));
-+						free(range);
- 						return -1;
- 					}
- 				}
-@@ -1674,17 +1718,28 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
- 					if (!canonical) {
- 						canonical = compute_trans_from_raw(uraw, domain);
- 						if (canonical)
--							if (add_cache(domain, uraw, canonical) < 0)
-+							if (add_cache(domain, uraw, canonical) < 0) {
-+								free(canonical);
-+								free(uraw);
-+								free(lraw);
-+								free(range);
- 								return -1;
- 							}
-+					}
- 					if (canonical)
- 						free(canonical);
--					if (add_cache(domain, uraw, urange) < 0)
-+					if (add_cache(domain, uraw, urange) < 0) {
-+						free(uraw);
-+						free(lraw);
-+						free(range);
- 						return -1;
-+					}
- 				} else {
- 					uraw = strdup(urange);
- 					if (! uraw) {
- 						log_error("strdup failed %s", strerror(errno));
-+						free(lraw);
-+						free(range);
- 						return -1;
- 					}
- 				}
-@@ -1694,11 +1749,17 @@ untrans_context(const security_context_t incon, security_context_t *rcon) {
- 			if (strcmp(lraw, uraw) == 0) {
- 				if (asprintf(&raw, "%s", lraw) < 0) {
- 					log_error("asprintf failed %s", strerror(errno));
-+					free(uraw);
-+					free(lraw);
-+					free(range);
- 					return -1;
- 				}
- 			} else {
- 				if (asprintf(&raw, "%s-%s", lraw, uraw) < 0) {
- 					log_error("asprintf failed %s", strerror(errno));
-+					free(uraw);
-+					free(lraw);
-+					free(range);
- 					return -1;
- 				}
- 			}
-diff --git mcstrans-2.8/src/mcstransd.c mcstrans-2.8/src/mcstransd.c
-index d7fc5de..a5a63d7 100644
---- mcstrans-2.8/src/mcstransd.c
-+++ mcstrans-2.8/src/mcstransd.c
-@@ -345,6 +345,7 @@ process_events(struct pollfd **ufds, int *nfds)
- 					/* Setup pollfd for deletion later. */
- 					(*ufds)[ii].fd = -1;
- 					close(connfd);
-+					connfd = -1;
- 					/* So we don't get bothered later */
- 					revents = revents & ~(POLLHUP);
- 				}
-@@ -358,10 +359,11 @@ process_events(struct pollfd **ufds, int *nfds)
- 			/* Set the pollfd up for deletion later. */
- 			(*ufds)[ii].fd = -1;
- 			close(connfd);
-+			connfd = -1;
- 
- 			revents = revents & ~(POLLHUP);
- 		}
--		if (revents) {
-+		if (revents && connfd != -1) {
- 			syslog(LOG_ERR, "Unknown/error events (%x) encountered"
- 					" for fd (%d)\n", revents, connfd);
- 

SPECS/mcstrans.spec

@@ -1,16 +1,14 @@
 Summary: SELinux Translation Daemon
 Name: mcstrans
-Version: 2.8
+Version: 2.9
-Release: 2%{?dist}
+Release: 1.2%{?dist}
 License: GPL+
 Url: https://github.com/SELinuxProject/selinux/wiki
-Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/mcstrans-2.8.tar.gz
+Source: https://github.com/SELinuxProject/selinux/releases/download/20190315/mcstrans-2.9.tar.gz
 Source2: secolor.conf.8
-# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
+# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
-# run:
+Patch0001: 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
-# $ VERSION=2.8 ./make-fedora-selinux-patch.sh mcstrans
+Patch0002: 0002-mcstrans-Do-not-accept-incomplete-contexts.patch
-# HEAD 2b4b29f00e5f0746ff10e09686a23c6e96a11d5f
-Patch1: mcstrans-fedora.patch
 BuildRequires: gcc
 BuildRequires: libselinux-devel >= %{version}
 BuildRequires: libcap-devel pcre-devel libsepol-devel libsepol-static
@@ -36,14 +34,13 @@ mcstrans provides an translation daemon to translate SELinux categories
 from internal representations to user defined representation.
 
 %prep
-%autosetup -p 1 -n mcstrans-%{version}
+%autosetup -p 2 -n mcstrans-%{version}
 
 %build
-make clean
+%set_build_flags
-make LIBDIR="%{_libdir}" LDFLAGS="%{?__global_ldflags}" CFLAGS="%{__global_cflags}" %{?_smp_mflags}
+make LIBDIR="%{_libdir}" %{?_smp_mflags}
 
 %install
-rm -rf %{buildroot}
 mkdir -p %{buildroot}/%{_lib}
 mkdir -p %{buildroot}/%{_libdir}
 mkdir -p %{buildroot}%{_usr}/share/mcstrans
@@ -75,6 +72,9 @@ rm -rf %{buildroot}
 %{_mandir}/man8/mcs.8.gz
 %{_mandir}/man8/mcstransd.8.gz
 %{_mandir}/man8/setrans.conf.8.gz
+%{_mandir}/ru/man8/mcs.8.gz
+%{_mandir}/ru/man8/mcstransd.8.gz
+%{_mandir}/ru/man8/setrans.conf.8.gz
 %{_mandir}/man8/secolor.conf.8.gz
 /usr/sbin/mcstransd
 %{_unitdir}/mcstrans.service
@@ -92,6 +92,9 @@ rm -rf %{buildroot}
 %{_usr}/share/mcstrans/util/*
 
 %changelog
+* Fri Apr 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1.2
+- SELinux userspace 2.9 release
+
 * Sun Dec 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-2
 - Fix RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects