From 4c644254d259a583abd81f8f3c5612d1aad70ef5 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 9 Nov 2021 05:10:45 -0500 Subject: [PATCH] import policycoreutils-2.9-16.el8 --- .policycoreutils.metadata | 8 +-- ...setfiles-do-not-restrict-checks-agai.patch | 69 +++++++++++++++++++ SPECS/policycoreutils.spec | 9 ++- 3 files changed, 81 insertions(+), 5 deletions(-) create mode 100644 SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch diff --git a/.policycoreutils.metadata b/.policycoreutils.metadata index 5ef1737..f13ed2e 100644 --- a/.policycoreutils.metadata +++ b/.policycoreutils.metadata @@ -1,9 +1,9 @@ -3b2b219d260791ac448dff7c2e169cb493c78cb0 SOURCES/gui-po.tgz +ab60ee590bb04c6172c12f60fd8fd730bb906dd6 SOURCES/gui-po.tgz 6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz -d609be1fbc8824f4b4643c5f51ac250ad1a13e33 SOURCES/policycoreutils-po.tgz -e9509bc5c150069a1045c97b2293c4a8d3a65022 SOURCES/python-po.tgz +7bc3c564bdf9929ef396101d9bbcf366817f6b02 SOURCES/policycoreutils-po.tgz +37703412bf6e9d3ecc7a896ef0cc833bf4fa9426 SOURCES/python-po.tgz 0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz -2dfbf280ec17c1755b93426678dc885a0cf8909b SOURCES/sandbox-po.tgz +221c505bfd2cb67b87dd2c95001c4a7bbb072571 SOURCES/sandbox-po.tgz 8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz 5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz 660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz diff --git a/SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch b/SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch new file mode 100644 index 0000000..3f7a839 --- /dev/null +++ b/SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch @@ -0,0 +1,69 @@ +From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001 +From: Antoine Tenart +Date: Tue, 7 Jul 2020 16:35:01 +0200 +Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a + binary policy + +The -c option allows to check the validity of contexts against a +specified binary policy. Its use is restricted: no pathname can be used +when a binary policy is given to setfiles. It's not clear if this is +intentional as the built-in help and the man page are not stating the +same thing about this (the man page document -c as a normal option, +while the built-in help shows it is restricted). + +When generating full system images later used with SELinux in enforcing +mode, the extended attributed of files have to be set by the build +machine. The issue is setfiles always checks the contexts against a +policy (ctx_validate = 1) and using an external binary policy is not +currently possible when using a pathname. This ends up in setfiles +failing early as the contexts of the target image are not always +compatible with the ones of the build machine. + +This patch reworks a check on optind only made when -c is used, that +enforced the use of a single argument to allow 1+ arguments, allowing to +use setfiles with an external binary policy and pathnames. The following +command is then allowed, as already documented in the man page: + + $ setfiles -m -r target/ -c policy.32 file_contexts target/ + +Signed-off-by: Antoine Tenart +Acked-by: Stephen Smalley + +(cherry-picked from SElinuxProject + commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff ) +--- + policycoreutils/setfiles/setfiles.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c +index 82d0aaa7..4fd3d756 100644 +--- a/policycoreutils/setfiles/setfiles.c ++++ b/policycoreutils/setfiles/setfiles.c +@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name) + name, name); + } else { + fprintf(stderr, +- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n" +- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n" +- "usage: %s -s [-diIDlmnpqvFW] spec_file\n" +- "usage: %s -c policyfile spec_file\n", +- name, name, name, name); ++ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n" ++ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n" ++ "usage: %s -s [-diIDlmnpqvFW] spec_file\n", ++ name, name, name); + } + exit(-1); + } +@@ -376,7 +375,7 @@ int main(int argc, char **argv) + + if (!iamrestorecon) { + if (policyfile) { +- if (optind != (argc - 1)) ++ if (optind > (argc - 1)) + usage(argv[0]); + } else if (use_input_file) { + if (optind != (argc - 1)) { +-- +2.30.2 + diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec index 06896f4..926f331 100644 --- a/SPECS/policycoreutils.spec +++ b/SPECS/policycoreutils.spec @@ -12,7 +12,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.9 -Release: 14%{?dist} +Release: 16%{?dist} License: GPLv2 # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz @@ -77,6 +77,7 @@ Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch +Patch0040: 0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch Obsoletes: policycoreutils < 2.0.61-2 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 @@ -516,6 +517,12 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Thu Sep 16 2021 Vit Mojzis - 2.9-16 +- Update translations (#1962009) + +* Mon Jul 19 2021 Vit Mojzis - 2.9-15 +- setfiles: do not restrict checks against a binary policy (#1973754) + * Tue Mar 09 2021 Vit Mojzis - 2.9-14 - Update translations (#1899695)