import policycoreutils-2.9-20.el8

This commit is contained in:
CentOS Sources 2022-11-08 02:00:07 -05:00 committed by Stepan Oksanichenko
parent 795910f1eb
commit 38a35bd038
4 changed files with 154 additions and 2 deletions


@ -0,0 +1,64 @@
From 09c944561c76146b1fc11e99e95b6a674366cddf Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 30 May 2022 14:20:21 +0200
Subject: [PATCH] python: Split "semanage import" into two transactions
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.
Fixes:
# semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
# semanage export | semanage import
ValueError: Port tcp/3024 already defined
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index ebb93ea5..b8842d28 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -841,10 +841,29 @@ def handleImport(args):
trans = seobject.semanageRecords(args)
trans.start()
+ deleteCommands = []
+ commands = []
+ # separate commands for deletion from the rest so they can be
+ # applied in a separate transaction
for l in sys.stdin.readlines():
if len(l.strip()) == 0:
continue
+ if "-d" in l or "-D" in l:
+ deleteCommands.append(l)
+ else:
+ commands.append(l)
+
+ if deleteCommands:
+ importHelper(deleteCommands)
+ trans.finish()
+ trans.start()
+
+ importHelper(commands)
+ trans.finish()
+
+def importHelper(commands):
+ for l in commands:
try:
commandParser = createCommandParser()
args = commandParser.parse_args(mkargv(l))
@@ -858,8 +877,6 @@ def handleImport(args):
except KeyboardInterrupt:
sys.exit(0)
- trans.finish()
-
def setupImportParser(subparsers):
importParser = subparsers.add_parser('import', help=_('Import local customizations'))
--
2.35.3
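Review bot: The classification `if "-d" in l or "-D" in l:` in handleImport is a substring test on the raw line, so any non-deletion command whose argument merely contains "-d" or "-D" (a file-context path such as /srv/my-data, or a module or type name with that fragment) is moved into the deletion transaction and applied before the remaining additions, which can reproduce the very collision the split is meant to avoid or change the relative order of the exported commands. The intent is to match the option itself, so the line should be tokenized first and the test made on whole arguments: `argv = mkargv(l)` followed by `if "-d" in argv or "-D" in argv:` (mkargv is already what importHelper applies to each line, so the tokenization is the same one the parser will see). A short comment on that branch, e.g. `# deletions go first so re-adding an exported entry cannot collide`, would also make the two-phase behaviour clear to the next reader. importHelper's loop body continues into the second hunk and past it, so the full exception handling around each command is not visible here.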


@ -0,0 +1,81 @@
From c0ca652dce6b1d5d11e697cc3a4695d87944f9ad Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 8 Jun 2022 19:09:54 +0200
Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh
After the last commit this option's name and description no longer
matches the semantic, so give it a new one and update the descriptions.
The old name is still recognized and aliased to the new one for
backwards compatibility.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/semodule/semodule.8 | 12 ++++++------
policycoreutils/semodule/semodule.c | 13 ++++++++++---
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index d1735d21..c56e580f 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -23,12 +23,12 @@ force a reload of policy
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
-.B \-\-rebuild-if-modules-changed
-Force a rebuild of the policy if any changes to module content are detected
-(by comparing with checksum from the last transaction). One can use this
-instead of \-B to ensure that any changes to the module store done by an
-external tool (e.g. a package manager) are applied, while automatically
-skipping the rebuild if there are no new changes.
+.B \-\-refresh
+Like \-\-build, but reuses existing linked policy if no changes to module
+files are detected (by comparing with checksum from the last transaction).
+One can use this instead of \-B to ensure that any changes to the module
+store done by an external tool (e.g. a package manager) are applied, while
+automatically skipping the module re-linking if there are no module changes.
.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 22a42a75..324ec9fb 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -149,9 +149,12 @@ static void usage(char *progname)
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
printf(" -m, --checksum print module checksum (SHA256).\n");
- printf(" --rebuild-if-modules-changed\n"
- " force policy rebuild if module content changed since\n"
- " last rebuild (based on checksum)\n");
+ printf(" --refresh like --build, but reuses existing linked policy if no\n"
+ " changes to module files are detected (via checksum)\n");
+ printf("Deprecated options:\n");
+ printf(" -b,--base same as --install\n");
+ printf(" --rebuild-if-modules-changed\n"
+ " same as --refresh\n");
}
/* Sets the global mode variable to new_mode, but only if no other
@@ -184,6 +187,7 @@ static void parse_command_line(int argc, char **argv)
{
static struct option opts[] = {
{"rebuild-if-modules-changed", 0, NULL, '\0'},
+ {"refresh", 0, NULL, '\0'},
{"store", required_argument, NULL, 's'},
{"base", required_argument, NULL, 'b'},
{"help", 0, NULL, 'h'},
@@ -224,6 +228,9 @@ static void parse_command_line(int argc, char **argv)
case '\0':
switch(longind) {
case 0: /* --rebuild-if-modules-changed */
+ fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n");
+ /* fallthrough */
+ case 1: /* --refresh */
check_ext_changes = 1;
break;
default:
--
2.35.3
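Review bot: In the semodule.c hunk for parse_command_line, `case 1: /* --refresh */` identifies the option by its position in `opts[]`, so the new `{"refresh", 0, NULL, '\0'}` entry is correct only because it was inserted directly after "rebuild-if-modules-changed"; nothing in the array documents that coupling, and a later insertion above it would silently route a different long option into `check_ext_changes = 1`. A comment on the array would guard against that, e.g. `/* entries 0 and 1 are matched by longind in the '\0' case below; keep them first */`, or the two entries could be given distinct non-zero `val` characters so the switch does not depend on array order. The `/* fallthrough */` marker after the deprecation message is the right way to express the alias. parse_command_line's body starts and ends outside the hunk, so the remaining cases of the switch are not visible here.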


@ -63,7 +63,7 @@ relabel_selinux() {
grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
fi
sync
systemctl --force reboot
systemctl reboot
}
# Check to see if a full relabel is needed
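Review bot: The change from `systemctl --force reboot` to `systemctl reboot` in relabel_selinux is not explained in the script itself; only the spec changelog entry "Do not force reboot (#2093133)" records the reason. Because the forced form bypasses the normal shutdown path and the plain form queues a regular reboot job, a reader of the script later cannot tell whether the absence of `--force` is deliberate, so a comment on the call is worth adding, e.g. `# plain reboot (no --force) so that a regular shutdown runs after relabeling; see #2093133`. The enclosing function starts outside the hunk, so whether a failed or queued-but-pending reboot is handled by the caller cannot be judged here.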


@ -12,7 +12,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.9
Release: 19%{?dist}
Release: 20%{?dist}
License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@ -84,6 +84,8 @@ Patch0043: 0043-semodule-Don-t-forget-to-munmap-data.patch
Patch0044: 0044-policycoreutils-Improve-error-message-when-selabel_o.patch
Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch
Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch
Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -523,6 +525,11 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-20
- python: Split "semanage import" into two transactions (#2063353)
- semodule: rename --rebuild-if-modules-changed to --refresh (#2089802)
- selinux-autorelabel: Do not force reboot (#2093133)
* Thu Feb 17 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-19
- semodule: move module hashing into libsemanage (requires libsemanage-2.9-7)
- semodule: add command-line option to detect module changes (#2049189)