import policycoreutils-2.9-16.el8

.policycoreutils.metadata

@@ -1,9 +1,9 @@
-3b2b219d260791ac448dff7c2e169cb493c78cb0 SOURCES/gui-po.tgz
+ab60ee590bb04c6172c12f60fd8fd730bb906dd6 SOURCES/gui-po.tgz
 6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
-d609be1fbc8824f4b4643c5f51ac250ad1a13e33 SOURCES/policycoreutils-po.tgz
-e9509bc5c150069a1045c97b2293c4a8d3a65022 SOURCES/python-po.tgz
+7bc3c564bdf9929ef396101d9bbcf366817f6b02 SOURCES/policycoreutils-po.tgz
+37703412bf6e9d3ecc7a896ef0cc833bf4fa9426 SOURCES/python-po.tgz
 0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
-2dfbf280ec17c1755b93426678dc885a0cf8909b SOURCES/sandbox-po.tgz
+221c505bfd2cb67b87dd2c95001c4a7bbb072571 SOURCES/sandbox-po.tgz
 8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
 5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
 660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz

SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch

@@ -0,0 +1,69 @@
+From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Tue, 7 Jul 2020 16:35:01 +0200
+Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a
+ binary policy
+
+The -c option allows to check the validity of contexts against a
+specified binary policy. Its use is restricted: no pathname can be used
+when a binary policy is given to setfiles. It's not clear if this is
+intentional as the built-in help and the man page are not stating the
+same thing about this (the man page document -c as a normal option,
+while the built-in help shows it is restricted).
+
+When generating full system images later used with SELinux in enforcing
+mode, the extended attributed of files have to be set by the build
+machine. The issue is setfiles always checks the contexts against a
+policy (ctx_validate = 1) and using an external binary policy is not
+currently possible when using a pathname. This ends up in setfiles
+failing early as the contexts of the target image are not always
+compatible with the ones of the build machine.
+
+This patch reworks a check on optind only made when -c is used, that
+enforced the use of a single argument to allow 1+ arguments, allowing to
+use setfiles with an external binary policy and pathnames. The following
+command is then allowed, as already documented in the man page:
+
+  $ setfiles -m -r target/ -c policy.32 file_contexts target/
+
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+(cherry-picked from SElinuxProject
+ commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff )
+---
+ policycoreutils/setfiles/setfiles.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index 82d0aaa7..4fd3d756 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
+ 			name, name);
+ 	} else {
+ 		fprintf(stderr,
+-			"usage:  %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
+-			"usage:  %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
+-			"usage:  %s -s [-diIDlmnpqvFW] spec_file\n"
+-			"usage:  %s -c policyfile spec_file\n",
+-			name, name, name, name);
++			"usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
++			"usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
++			"usage:  %s -s [-diIDlmnpqvFW] spec_file\n",
++			name, name, name);
+ 	}
+ 	exit(-1);
+ }
+@@ -376,7 +375,7 @@ int main(int argc, char **argv)
+ 
+ 	if (!iamrestorecon) {
+ 		if (policyfile) {
+-			if (optind != (argc - 1))
++			if (optind > (argc - 1))
+ 				usage(argv[0]);
+ 		} else if (use_input_file) {
+ 			if (optind != (argc - 1)) {
+-- 
+2.30.2
+

SPECS/policycoreutils.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 2.9
-Release: 14%{?dist}
+Release: 16%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@@ -77,6 +77,7 @@ Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
 Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
 Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
 Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
+Patch0040: 0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
 
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -516,6 +517,12 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Thu Sep 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-16
+- Update translations (#1962009)
+
+* Mon Jul 19 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-15
+- setfiles: do not restrict checks against a binary policy (#1973754)
+
 * Tue Mar 09 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-14
 - Update translations (#1899695)