import policycoreutils-2.9-20.el8

2022-11-08 02:00:07 -05:00 · 2022-11-08 02:00:07 -05:00 · 38a35bd038
parent 795910f1eb
commit 38a35bd038
4 changed files with 154 additions and 2 deletions
--- a/SOURCES/0047-python-Split-semanage-import-into-two-transactions.patch
+++ b/SOURCES/0047-python-Split-semanage-import-into-two-transactions.patch
@ -0,0 +1,64 @@
+From 09c944561c76146b1fc11e99e95b6a674366cddf Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 30 May 2022 14:20:21 +0200
+Subject: [PATCH] python: Split "semanage import" into two transactions
+
+First transaction applies all deletion operations, so that there are no
+collisions when applying the rest of the changes.
+
+Fixes:
+  # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
+  # semanage export | semanage import
+  ValueError: Port tcp/3024 already defined
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ python/semanage/semanage | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index ebb93ea5..b8842d28 100644
+--- a/python/semanage/semanage
+++ b/python/semanage/semanage
+@@ -841,10 +841,29 @@ def handleImport(args):
+     trans = seobject.semanageRecords(args)
+     trans.start()
+ 
+    deleteCommands = []
+    commands = []
+    # separate commands for deletion from the rest so they can be
+    # applied in a separate transaction
+     for l in sys.stdin.readlines():
+         if len(l.strip()) == 0:
+             continue
+        if "-d" in l or "-D" in l:
+            deleteCommands.append(l)
+        else:
+            commands.append(l)
+
+    if deleteCommands:
+        importHelper(deleteCommands)
+        trans.finish()
+        trans.start()
+
+    importHelper(commands)
+    trans.finish()
+ 
+
+def importHelper(commands):
+    for l in commands:
+         try:
+             commandParser = createCommandParser()
+             args = commandParser.parse_args(mkargv(l))
+@@ -858,8 +877,6 @@ def handleImport(args):
+         except KeyboardInterrupt:
+             sys.exit(0)
+ 
+-    trans.finish()
+-
+ 
+ def setupImportParser(subparsers):
+     importParser = subparsers.add_parser('import', help=_('Import local customizations'))
+-- 
+2.35.3
+
--- a/SOURCES/0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
+++ b/SOURCES/0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
@ -0,0 +1,81 @@
+From c0ca652dce6b1d5d11e697cc3a4695d87944f9ad Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 8 Jun 2022 19:09:54 +0200
+Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh
+
+After the last commit this option's name and description no longer
+matches the semantic, so give it a new one and update the descriptions.
+The old name is still recognized and aliased to the new one for
+backwards compatibility.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ policycoreutils/semodule/semodule.8 | 12 ++++++------
+ policycoreutils/semodule/semodule.c | 13 ++++++++++---
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
+index d1735d21..c56e580f 100644
+--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
+@@ -23,12 +23,12 @@ force a reload of policy
+ .B \-B, \-\-build
+ force a rebuild of policy (also reloads unless \-n is used)
+ .TP
+-.B \-\-rebuild-if-modules-changed
+-Force a rebuild of the policy if any changes to module content are detected
+-(by comparing with checksum from the last transaction).  One can use this
+-instead of \-B to ensure that any changes to the module store done by an
+-external tool (e.g. a package manager) are applied, while automatically
+-skipping the rebuild if there are no new changes.
+.B \-\-refresh
+Like \-\-build, but reuses existing linked policy if no changes to module
+files are detected (by comparing with checksum from the last transaction).
+One can use this instead of \-B to ensure that any changes to the module
+store done by an external tool (e.g. a package manager) are applied, while
+automatically skipping the module re-linking if there are no module changes.
+ .TP
+ .B \-D, \-\-disable_dontaudit
+ Temporarily remove dontaudits from policy.  Reverts whenever policy is rebuilt
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index 22a42a75..324ec9fb 100644
+--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
+@@ -149,9 +149,12 @@ static void usage(char *progname)
+ 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
+ 	printf("  -H, --hll extract module as hll. This only affects module extraction.\n");
+ 	printf("  -m, --checksum   print module checksum (SHA256).\n");
+-	printf("      --rebuild-if-modules-changed\n"
+-	       "                   force policy rebuild if module content changed since\n"
+-	       "                   last rebuild (based on checksum)\n");
+	printf("      --refresh    like --build, but reuses existing linked policy if no\n"
+	       "                   changes to module files are detected (via checksum)\n");
+	printf("Deprecated options:\n");
+	printf("  -b,--base	   same as --install\n");
+	printf("  --rebuild-if-modules-changed\n"
+	       "                   same as --refresh\n");
+ }
+ 
+ /* Sets the global mode variable to new_mode, but only if no other
+@@ -184,6 +187,7 @@ static void parse_command_line(int argc, char **argv)
+ {
+ 	static struct option opts[] = {
+ 		{"rebuild-if-modules-changed", 0, NULL, '\0'},
+		{"refresh", 0, NULL, '\0'},
+ 		{"store", required_argument, NULL, 's'},
+ 		{"base", required_argument, NULL, 'b'},
+ 		{"help", 0, NULL, 'h'},
+@@ -224,6 +228,9 @@ static void parse_command_line(int argc, char **argv)
+ 		case '\0':
+ 			switch(longind) {
+ 			case 0: /* --rebuild-if-modules-changed */
+				fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n");
+				/* fallthrough */
+			case 1: /* --refresh */
+ 				check_ext_changes = 1;
+ 				break;
+ 			default:
+-- 
+2.35.3
+
--- a/SOURCES/selinux-autorelabel
+++ b/SOURCES/selinux-autorelabel
@ -63,7 +63,7 @@ relabel_selinux() {
        grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
    fi
    sync
-    systemctl --force reboot
+    systemctl reboot
 }

 # Check to see if a full relabel is needed
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 2.9
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@ -84,6 +84,8 @@ Patch0043: 0043-semodule-Don-t-forget-to-munmap-data.patch
 Patch0044: 0044-policycoreutils-Improve-error-message-when-selabel_o.patch
 Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
 Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch
+Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch
+Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch

 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -523,6 +525,11 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service

 %changelog
+* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-20
+- python: Split "semanage import" into two transactions (#2063353)
+- semodule: rename --rebuild-if-modules-changed to --refresh (#2089802)
+- selinux-autorelabel: Do not force reboot (#2093133)
+
 * Thu Feb 17 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-19
 - semodule: move module hashing into libsemanage (requires libsemanage-2.9-7)
 - semodule: add command-line option to detect module changes (#2049189)