import policycoreutils-2.9-16.el8
This commit is contained in:
parent
986bf96d77
commit
4c644254d2
@ -1,9 +1,9 @@
|
||||
3b2b219d260791ac448dff7c2e169cb493c78cb0 SOURCES/gui-po.tgz
|
||||
ab60ee590bb04c6172c12f60fd8fd730bb906dd6 SOURCES/gui-po.tgz
|
||||
6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
|
||||
d609be1fbc8824f4b4643c5f51ac250ad1a13e33 SOURCES/policycoreutils-po.tgz
|
||||
e9509bc5c150069a1045c97b2293c4a8d3a65022 SOURCES/python-po.tgz
|
||||
7bc3c564bdf9929ef396101d9bbcf366817f6b02 SOURCES/policycoreutils-po.tgz
|
||||
37703412bf6e9d3ecc7a896ef0cc833bf4fa9426 SOURCES/python-po.tgz
|
||||
0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
|
||||
2dfbf280ec17c1755b93426678dc885a0cf8909b SOURCES/sandbox-po.tgz
|
||||
221c505bfd2cb67b87dd2c95001c4a7bbb072571 SOURCES/sandbox-po.tgz
|
||||
8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
|
||||
5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
|
||||
660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
|
||||
|
@ -0,0 +1,69 @@
|
||||
From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001
|
||||
From: Antoine Tenart <antoine.tenart@bootlin.com>
|
||||
Date: Tue, 7 Jul 2020 16:35:01 +0200
|
||||
Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a
|
||||
binary policy
|
||||
|
||||
The -c option allows to check the validity of contexts against a
|
||||
specified binary policy. Its use is restricted: no pathname can be used
|
||||
when a binary policy is given to setfiles. It's not clear if this is
|
||||
intentional as the built-in help and the man page are not stating the
|
||||
same thing about this (the man page document -c as a normal option,
|
||||
while the built-in help shows it is restricted).
|
||||
|
||||
When generating full system images later used with SELinux in enforcing
|
||||
mode, the extended attributed of files have to be set by the build
|
||||
machine. The issue is setfiles always checks the contexts against a
|
||||
policy (ctx_validate = 1) and using an external binary policy is not
|
||||
currently possible when using a pathname. This ends up in setfiles
|
||||
failing early as the contexts of the target image are not always
|
||||
compatible with the ones of the build machine.
|
||||
|
||||
This patch reworks a check on optind only made when -c is used, that
|
||||
enforced the use of a single argument to allow 1+ arguments, allowing to
|
||||
use setfiles with an external binary policy and pathnames. The following
|
||||
command is then allowed, as already documented in the man page:
|
||||
|
||||
$ setfiles -m -r target/ -c policy.32 file_contexts target/
|
||||
|
||||
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
|
||||
(cherry-picked from SElinuxProject
|
||||
commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff )
|
||||
---
|
||||
policycoreutils/setfiles/setfiles.c | 11 +++++------
|
||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
|
||||
index 82d0aaa7..4fd3d756 100644
|
||||
--- a/policycoreutils/setfiles/setfiles.c
|
||||
+++ b/policycoreutils/setfiles/setfiles.c
|
||||
@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
|
||||
name, name);
|
||||
} else {
|
||||
fprintf(stderr,
|
||||
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
|
||||
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
|
||||
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n"
|
||||
- "usage: %s -c policyfile spec_file\n",
|
||||
- name, name, name, name);
|
||||
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
|
||||
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
|
||||
+ "usage: %s -s [-diIDlmnpqvFW] spec_file\n",
|
||||
+ name, name, name);
|
||||
}
|
||||
exit(-1);
|
||||
}
|
||||
@@ -376,7 +375,7 @@ int main(int argc, char **argv)
|
||||
|
||||
if (!iamrestorecon) {
|
||||
if (policyfile) {
|
||||
- if (optind != (argc - 1))
|
||||
+ if (optind > (argc - 1))
|
||||
usage(argv[0]);
|
||||
} else if (use_input_file) {
|
||||
if (optind != (argc - 1)) {
|
||||
--
|
||||
2.30.2
|
||||
|
@ -12,7 +12,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.9
|
||||
Release: 14%{?dist}
|
||||
Release: 16%{?dist}
|
||||
License: GPLv2
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
|
||||
@ -77,6 +77,7 @@ Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
|
||||
Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
|
||||
Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
|
||||
Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
|
||||
Patch0040: 0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
|
||||
|
||||
Obsoletes: policycoreutils < 2.0.61-2
|
||||
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
|
||||
@ -516,6 +517,12 @@ The policycoreutils-restorecond package contains the restorecond service.
|
||||
%systemd_postun_with_restart restorecond.service
|
||||
|
||||
%changelog
|
||||
* Thu Sep 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-16
|
||||
- Update translations (#1962009)
|
||||
|
||||
* Mon Jul 19 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-15
|
||||
- setfiles: do not restrict checks against a binary policy (#1973754)
|
||||
|
||||
* Tue Mar 09 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-14
|
||||
- Update translations (#1899695)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user