import policycoreutils-2.9-13.el8

This commit is contained in:
CentOS Sources 2021-03-30 08:00:30 -04:00 committed by Stepan Oksanichenko
parent 818862ae1e
commit 4b4e34d750
8 changed files with 450 additions and 1 deletions

View File

@ -0,0 +1,55 @@
From 0bed778c53a4f93b1b092b3db33e8c36aabfa39d Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 5 Jan 2021 17:00:21 +0100
Subject: [PATCH] python/semanage: empty stdout before exiting on
BrokenPipeError
Empty stdout buffer before exiting when BrokenPipeError is
encountered. Otherwise python will flush the bufer during exit, which
may trigger the exception again.
https://docs.python.org/3/library/signal.html#note-on-sigpipe
Fixes:
#semanage fcontext -l | egrep -q -e '^/home'
BrokenPipeError: [Errno 32] Broken pipe
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='UTF-8'>
BrokenPipeError: [Errno 32] Broken pipe
Note that the error above only appears occasionally (usually only the
first line is printed).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/semanage/semanage | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index b2bd9df9..1abe3536 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -26,6 +26,7 @@
import traceback
import argparse
import sys
+import os
PROGNAME = "selinux-python"
try:
import gettext
@@ -953,6 +954,13 @@ def do_parser():
args = commandParser.parse_args(make_args(sys.argv))
args.func(args)
sys.exit(0)
+ except BrokenPipeError as e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+ # Python flushes standard streams on exit; redirect remaining output
+ # to devnull to avoid another BrokenPipeError at shutdown
+ devnull = os.open(os.devnull, os.O_WRONLY)
+ os.dup2(devnull, sys.stdout.fileno())
+ sys.exit(1)
except IOError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
--
2.29.2

View File

@ -0,0 +1,41 @@
From 4b0e627d42f9a8e09dcd064a6ae897f4c2e9cf6c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 6 Jan 2021 10:00:07 +0100
Subject: [PATCH] python/semanage: Sort imports in alphabetical order
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 1abe3536..781e8645 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -23,10 +23,12 @@
#
#
-import traceback
import argparse
-import sys
import os
+import re
+import sys
+import traceback
+
PROGNAME = "selinux-python"
try:
import gettext
@@ -786,8 +788,6 @@ def setupExportParser(subparsers):
exportParser.add_argument('-f', '--output_file', dest='output_file', action=SetExportFile, help=_('Output file'))
exportParser.set_defaults(func=handleExport)
-import re
-
def mkargv(line):
dquote = "\""
--
2.29.2

View File

@ -0,0 +1,49 @@
From e0a1cdb6181bcf3a23fe63b8e67fd5020e81d05e Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 22 Jan 2021 16:25:52 +0100
Subject: [PATCH] python/sepolgen: allow any policy statement in if(n)def
"ifdef/ifndef" statements can be used to conditionally define
an interface, but this syntax is not recognised by sepolgen-ifgen.
Fix sepolgen-ifgen to allow any policy statement inside an
"ifdef/ifndef" statement.
Fixes:
$ cat <<EOF > i.if
ifndef(`apache_manage_pid_files',`
interface(`apache_manage_pid_files',`
manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
')
#sepolgen-ifgen --interface=i.if
i.if: Syntax error on line 2 interface [type=INTERFACE]
i.if: Syntax error on line 4 ' [type=SQUOTE]
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
[OM: s/fidef/ifdef/]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
python/sepolgen/src/sepolgen/refparser.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
index f506dc3a..5d77e2a3 100644
--- a/python/sepolgen/src/sepolgen/refparser.py
+++ b/python/sepolgen/src/sepolgen/refparser.py
@@ -431,9 +431,9 @@ def p_ifelse(p):
def p_ifdef(p):
- '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
- | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
- | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+ '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
+ | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
+ | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
'''
x = refpolicy.IfDef(p[4])
if p[1] == 'ifdef':
--
2.29.2

View File

@ -0,0 +1,68 @@
From 53ccdd55adfbec60fb4277286f2ad94660838504 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 13 Jan 2021 22:09:47 +0100
Subject: [PATCH] setfiles: Do not abort on labeling error
Commit 602347c7422e ("policycoreutils: setfiles - Modify to use
selinux_restorecon") changed behavior of setfiles. Original
implementation skipped files which it couldn't set context to while the
new implementation aborts on them. setfiles should abort only if it
can't validate a context from spec_file.
Reproducer:
# mkdir -p r/1 r/2 r/3
# touch r/1/1 r/2/1
# chattr +i r/2/1
# touch r/3/1
# setfiles -r r -v /etc/selinux/targeted/contexts/files/file_contexts r
Relabeled r from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:root_t:s0
Relabeled r/2 from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:default_t:s0
setfiles: Could not set context for r/2/1: Operation not permitted
r/3 and r/1 are not relabeled.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/setfiles/setfiles.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index bc83c27b4c06..68eab45aa2b4 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -182,6 +182,7 @@ int main(int argc, char **argv)
policyfile = NULL;
nerr = 0;
+ r_opts.abort_on_error = 0;
r_opts.progname = strdup(argv[0]);
if (!r_opts.progname) {
fprintf(stderr, "%s: Out of memory!\n", argv[0]);
@@ -194,7 +195,6 @@ int main(int argc, char **argv)
* setfiles:
* Recursive descent,
* Does not expand paths via realpath,
- * Aborts on errors during the file tree walk,
* Try to track inode associations for conflict detection,
* Does not follow mounts (sets SELINUX_RESTORECON_XDEV),
* Validates all file contexts at init time.
@@ -202,7 +202,6 @@ int main(int argc, char **argv)
iamrestorecon = 0;
r_opts.recurse = SELINUX_RESTORECON_RECURSE;
r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
- r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
r_opts.add_assoc = SELINUX_RESTORECON_ADD_ASSOC;
/* FTS_PHYSICAL and FTS_NOCHDIR are always set by selinux_restorecon(3) */
r_opts.xdev = SELINUX_RESTORECON_XDEV;
@@ -226,7 +225,6 @@ int main(int argc, char **argv)
iamrestorecon = 1;
r_opts.recurse = 0;
r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
- r_opts.abort_on_error = 0;
r_opts.add_assoc = 0;
r_opts.xdev = 0;
r_opts.ignore_mounts = 0;
--
2.30.0

View File

@ -0,0 +1,110 @@
From 2f135022f4372dc34198c48cfd67b91044e6dfd7 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 13 Jan 2021 22:09:48 +0100
Subject: [PATCH] setfiles: drop ABORT_ON_ERRORS and related code
`setfiles -d` doesn't have any impact on number of errors before it
aborts. It always aborts on first invalid context in spec file.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/setfiles/Makefile | 3 ---
policycoreutils/setfiles/ru/setfiles.8 | 2 +-
policycoreutils/setfiles/setfiles.8 | 3 +--
policycoreutils/setfiles/setfiles.c | 18 ------------------
4 files changed, 2 insertions(+), 24 deletions(-)
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index bc5a8db789a5..a3bbbe116b7f 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -5,8 +5,6 @@ SBINDIR ?= /sbin
MANDIR = $(PREFIX)/share/man
AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
-
CFLAGS ?= -g -Werror -Wall -W
override LDLIBS += -lselinux -lsepol
@@ -26,7 +24,6 @@ restorecon_xattr: restorecon_xattr.o restore.o
man:
@cp -af setfiles.8 setfiles.8.man
- @sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
install: all
[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
index 27815a3f1eee..910101452625 100644
--- a/policycoreutils/setfiles/ru/setfiles.8
+++ b/policycoreutils/setfiles/ru/setfiles.8
@@ -47,7 +47,7 @@ setfiles \- установить SELinux-контексты безопаснос
проверить действительность контекстов относительно указанной двоичной политики.
.TP
.B \-d
-показать, какая спецификация соответствует каждому из файлов (не прекращать проверку после получения ошибок ABORT_ON_ERRORS).
+показать, какая спецификация соответствует каждому из файлов.
.TP
.BI \-e \ directory
исключить каталог (чтобы исключить более одного каталога, этот параметр необходимо использовать соответствующее количество раз).
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index a8a76c860dac..b7d3cefb96ff 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -56,8 +56,7 @@ option will force a replacement of the entire context.
check the validity of the contexts against the specified binary policy.
.TP
.B \-d
-show what specification matched each file (do not abort validation
-after ABORT_ON_ERRORS errors). Not affected by "\-q"
+show what specification matched each file. Not affected by "\-q"
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 68eab45aa2b4..bcbdfbfe53e2 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -23,14 +23,6 @@ static int nerr;
#define STAT_BLOCK_SIZE 1
-/* setfiles will abort its operation after reaching the
- * following number of errors (e.g. invalid contexts),
- * unless it is used in "debug" mode (-d option).
- */
-#ifndef ABORT_ON_ERRORS
-#define ABORT_ON_ERRORS 10
-#endif
-
#define SETFILES "setfiles"
#define RESTORECON "restorecon"
static int iamrestorecon;
@@ -57,15 +49,6 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
exit(-1);
}
-void inc_err(void)
-{
- nerr++;
- if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
- fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
- exit(-1);
- }
-}
-
void set_rootpath(const char *arg)
{
if (strlen(arg) == 1 && strncmp(arg, "/", 1) == 0) {
@@ -98,7 +81,6 @@ int canoncon(char **contextp)
*contextp = tmpcon;
} else if (errno != ENOENT) {
rc = -1;
- inc_err();
}
return rc;
--
2.30.0

View File

@ -0,0 +1,44 @@
From a691da617a2d3c864786ff2742d9a9f87ecc7d05 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 1 Feb 2021 15:24:32 +0100
Subject: [PATCH] policycoreutils/setfiles: Drop unused nerr variable
Suggested-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/setfiles/setfiles.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index bcbdfbfe53e2..82d0aaa75893 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -19,7 +19,6 @@ static int warn_no_match;
static int null_terminated;
static int request_digest;
static struct restore_opts r_opts;
-static int nerr;
#define STAT_BLOCK_SIZE 1
@@ -162,7 +161,6 @@ int main(int argc, char **argv)
warn_no_match = 0;
request_digest = 0;
policyfile = NULL;
- nerr = 0;
r_opts.abort_on_error = 0;
r_opts.progname = strdup(argv[0]);
@@ -417,9 +415,6 @@ int main(int argc, char **argv)
r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
r_opts.selabel_opt_path = altpath;
- if (nerr)
- exit(-1);
-
restore_init(&r_opts);
if (use_input_file) {
--
2.30.0

View File

@ -0,0 +1,62 @@
From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 10 Feb 2021 18:05:29 +0100
Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
Describe which type of regular expression is used in file context
definitions and which flags are in effect.
Explain how local file context modifications are processed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 2 +-
python/semanage/semanage-fcontext.8 | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 781e8645..ebb93ea5 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -366,7 +366,7 @@ If you do not specify a file type, the file type will default to "all files".
parser_add_seuser(fcontextParser, "fcontext")
parser_add_type(fcontextParser, "fcontext")
parser_add_range(fcontextParser, "fcontext")
- fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('file_spec'))
+ fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
fcontextParser.set_defaults(func=handleFcontext)
diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
index 561123af..49635ba7 100644
--- a/python/semanage/semanage-fcontext.8
+++ b/python/semanage/semanage-fcontext.8
@@ -11,6 +11,24 @@ SELinux policy without requiring modification to or recompilation
from policy sources. semanage fcontext is used to manage the default
file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels.
+FILE_SPEC may contain either a fully qualified path,
+or a Perl compatible regular expression (PCRE),
+describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL,
+which causes a wildcard '.' to match anything, including a new line.
+Strings representing paths are processed as bytes (as opposed to Unicode),
+meaning that non-ASCII characters are not matched by a single wildcard.
+
+Note, that file context definitions specified using 'semanage fcontext'
+(i.e. local file context modifications stored in file_contexts.local)
+have higher priority than those specified in policy modules.
+This means that whenever a match for given file path is found in
+file_contexts.local, no other file context definitions are considered.
+Entries in file_contexts.local are processed from most recent one to the oldest,
+with first match being used (as opposed to the most specific match,
+which is used when matching other file context definitions).
+All regular expressions should therefore be as specific as possible,
+to avoid unintentionally impacting other parts of the filesystem.
+
.SH "OPTIONS"
.TP
.I \-h, \-\-help
--
2.29.2

View File

@ -12,7 +12,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.9
Release: 9%{?dist}
Release: 13%{?dist}
License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@ -70,6 +70,13 @@ Patch0029: 0029-python-semanage-fix-moduleRecords.customized.patch
Patch0030: 0030-python-semanage-Add-support-for-DCCP-and-SCTP-protoc.patch
Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch
Patch0033: 0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
Patch0034: 0034-python-semanage-Sort-imports-in-alphabetical-order.patch
Patch0035: 0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -507,6 +514,19 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Mon Feb 22 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-13
- selinux(8,5): Describe fcontext regular expressions (#1904059)
* Tue Feb 2 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-12
- setfiles: Do not abort on labeling error (#1794518)
* Wed Jan 27 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-11
- python/sepolgen: allow any policy statement in if(n)def (#1868717)
* Sat Jan 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-10
- python/semanage: Sort imports in alphabetical order
- python/semanage: empty stdout before exiting on BrokenPipeError (#1822100)
* Fri Jan 17 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-9
- Update translations (#1754978)