import policycoreutils-2.9-16.el8

2021-11-09 05:10:45 -05:00 · 2021-11-09 05:10:45 -05:00 · 4c644254d2
commit 4c644254d2
parent 986bf96d77
3 changed files with 81 additions and 5 deletions
--- a/.policycoreutils.metadata
+++ b/.policycoreutils.metadata
@ -1,9 +1,9 @@
-3b2b219d260791ac448dff7c2e169cb493c78cb0 SOURCES/gui-po.tgz
+ab60ee590bb04c6172c12f60fd8fd730bb906dd6 SOURCES/gui-po.tgz
 6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
-d609be1fbc8824f4b4643c5f51ac250ad1a13e33 SOURCES/policycoreutils-po.tgz
+7bc3c564bdf9929ef396101d9bbcf366817f6b02 SOURCES/policycoreutils-po.tgz
-e9509bc5c150069a1045c97b2293c4a8d3a65022 SOURCES/python-po.tgz
+37703412bf6e9d3ecc7a896ef0cc833bf4fa9426 SOURCES/python-po.tgz
 0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
-2dfbf280ec17c1755b93426678dc885a0cf8909b SOURCES/sandbox-po.tgz
+221c505bfd2cb67b87dd2c95001c4a7bbb072571 SOURCES/sandbox-po.tgz
 8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
 5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
 660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
--- a/SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
+++ b/SOURCES/0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
@ -0,0 +1,69 @@
 From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001
 From: Antoine Tenart <antoine.tenart@bootlin.com>
 Date: Tue, 7 Jul 2020 16:35:01 +0200
 Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a
 binary policy
 The -c option allows to check the validity of contexts against a
 specified binary policy. Its use is restricted: no pathname can be used
 when a binary policy is given to setfiles. It's not clear if this is
 intentional as the built-in help and the man page are not stating the
 same thing about this (the man page document -c as a normal option,
 while the built-in help shows it is restricted).
 When generating full system images later used with SELinux in enforcing
 mode, the extended attributed of files have to be set by the build
 machine. The issue is setfiles always checks the contexts against a
 policy (ctx_validate = 1) and using an external binary policy is not
 currently possible when using a pathname. This ends up in setfiles
 failing early as the contexts of the target image are not always
 compatible with the ones of the build machine.
 This patch reworks a check on optind only made when -c is used, that
 enforced the use of a single argument to allow 1+ arguments, allowing to
 use setfiles with an external binary policy and pathnames. The following
 command is then allowed, as already documented in the man page:
  $ setfiles -m -r target/ -c policy.32 file_contexts target/
 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
 (cherry-picked from SElinuxProject
 commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff )
 ---
 policycoreutils/setfiles/setfiles.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
 diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
 index 82d0aaa7..4fd3d756 100644
 --- a/policycoreutils/setfiles/setfiles.c
 +++ b/policycoreutils/setfiles/setfiles.c
@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
 			name, name);
 	} else {
 		fprintf(stderr,
 -			"usage:  %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
 -			"usage:  %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
 -			"usage:  %s -s [-diIDlmnpqvFW] spec_file\n"
 -			"usage:  %s -c policyfile spec_file\n",
 -			name, name, name, name);
 +			"usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
 +			"usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
 +			"usage:  %s -s [-diIDlmnpqvFW] spec_file\n",
 +			name, name, name);
 	}
 	exit(-1);
 }
@@ -376,7 +375,7 @@ int main(int argc, char **argv)
 	if (!iamrestorecon) {
 		if (policyfile) {
 -			if (optind != (argc - 1))
 +			if (optind > (argc - 1))
 				usage(argv[0]);
 		} else if (use_input_file) {
 			if (optind != (argc - 1)) {
 -- 
 2.30.2
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 2.9
-Release: 14%{?dist}
+Release: 16%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@ -77,6 +77,7 @@ Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
 Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
 Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
 Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
 Patch0040: 0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -516,6 +517,12 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
 * Thu Sep 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-16
 - Update translations (#1962009)
 * Mon Jul 19 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-15
 - setfiles: do not restrict checks against a binary policy (#1973754)
 * Tue Mar 09 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-14
 - Update translations (#1899695)