From 5219172d69a7910c2150e5402692652dc1105fe7 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 7 Apr 2026 15:56:34 +0200 Subject: [PATCH] policycoreutils-3.6-7 - restorecond.service: Use Type=simple Resolves: RHEL-142541 --- ...torecond-Add-F-for-run-in-foreground.patch | 94 +++++++++++++++++++ ...-restorecond.service-Use-Type-simple.patch | 39 ++++++++ policycoreutils.spec | 7 +- 3 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 0029-restorecond-Add-F-for-run-in-foreground.patch create mode 100644 0030-restorecond.service-Use-Type-simple.patch diff --git a/0029-restorecond-Add-F-for-run-in-foreground.patch b/0029-restorecond-Add-F-for-run-in-foreground.patch new file mode 100644 index 0000000..7d2ae96 --- /dev/null +++ b/0029-restorecond-Add-F-for-run-in-foreground.patch 
@@ -0,0 +1,94 @@
+From 7e91c46817f113898d79326cf7b3ba8228894e42 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 2 Apr 2026 17:17:12 +0200
+Subject: [PATCH] restorecond: Add -F for run in foreground
+Content-type: text/plain
+
+Signed-off-by: Petr Lautrbach
+---
+ restorecond/restorecond.8 | 5 ++++-
+ restorecond/restorecond.c | 13 ++++++++-----
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/restorecond/restorecond.8 b/restorecond/restorecond.8
+index bf8ec87562f8..bb99b24a2d69 100644
+--- a/restorecond/restorecond.8
++++ b/restorecond/restorecond.8
+@@ -3,7 +3,7 @@
+ restorecond \- daemon that watches for file creation and then sets the default SELinux file context
+
+ .SH "SYNOPSIS"
+-.B restorecond [\-d] [-h] [\-f restorecond_file ] [\-u] [\-v]
++.B restorecond [\-d] [-h] [\-f restorecond_file ] [\-F] [\-u] [\-v]
+ .P
+
+ .SH "DESCRIPTION"
+@@ -26,6 +26,9 @@ Print usage statement.
+ .B \-f restorecond_file
+ Use alternative restorecond.conf file.
+ .TP
++.B \-F
++Run in foreground, do not become a daemon.
++.TP
+ .B \-u
+ Turns on user mode. Runs restorecond in the user session and reads /etc/selinux/restorecond_user.conf. Uses dbus to make sure only one restorecond is running per user session.
+ .TP
+diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c
+index d5f70fc2e2c1..36f82ae5e9cb 100644
+--- a/restorecond/restorecond.c
++++ b/restorecond/restorecond.c
+@@ -76,6 +76,7 @@ int debug_mode = 0;
+ int terminate = 0;
+ int master_wd = -1;
+ int run_as_user = 0;
++int foreground_mode = 0;
+
+ static void done(void) {
+ watch_list_free(master_fd);
+@@ -124,7 +125,7 @@ static void term_handler(int s __attribute__ ((unused)))
+
+ static void usage(char *program)
+ {
+- printf("%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
++ printf("%s [-d] [-f restorecond_file ] [-F] [-n] [-u] [-v] \n", program);
+ }
+
+ void exitApp(const char *msg)
+@@ -165,7 +166,7 @@ int main(int argc, char **argv)
+ sigaction(SIGTERM, &sa, NULL);
+
+ atexit( done );
+- while ((opt = getopt(argc, argv, "hdf:uv")) > 0) {
++ while ((opt = getopt(argc, argv, "hdf:Fuv")) > 0) {
+ switch (opt) {
+ case 'd':
+ debug_mode = 1;
+@@ -173,6 +174,9 @@ int main(int argc, char **argv)
+ case 'f':
+ watch_file = optarg;
+ break;
++ case 'F':
++ foreground_mode = 1;
++ break;
+ case 'u':
+ run_as_user = 1;
+ break;
+@@ -209,13 +213,12 @@ int main(int argc, char **argv)
+
+ read_config(master_fd, watch_file);
+
+- if (!debug_mode) {
++ if (!debug_mode && !foreground_mode) {
+ if (daemon(0, 0) < 0)
+ exitApp("daemon");
++ write_pid_file();
+ }
+
+- write_pid_file();
+-
+ while (watch(master_fd, watch_file) == 0) {
+ }
+
+--
+2.53.0
+
diff --git a/0030-restorecond.service-Use-Type-simple.patch b/0030-restorecond.service-Use-Type-simple.patch
new file mode 100644
index 0000000..2a92eee
--- /dev/null
+++ b/0030-restorecond.service-Use-Type-simple.patch
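Review bot: The new usage() string in restorecond.c advertises `[-n]`, but the option string added in the same patch is `"hdf:Fuv"` and no `case 'n'` appears, so the help text documents a flag the parser shown here does not accept, and it still omits `-h`. I would change the line to `printf("%s [-d] [-h] [-f restorecond_file ] [-F] [-u] [-v] \n", program);` so it matches the synopsis in restorecond.8. Moving `write_pid_file()` inside `if (!debug_mode && !foreground_mode)` also means a `-d` run no longer writes a PID file, where the call used to be unconditional; if that is intended it deserves a comment such as `/* PID file is written only when daemonized */`, because anything that still uses the PID file to detect a running instance would now miss debug and foreground runs. main() starts and ends outside these inner hunks, so the handling of unknown options and any other users of the PID file are not visible here.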
@@ -0,0 +1,39 @@
+From dd4686ae541637671d1e2c0e8fc2f3605fd6dc4b Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 2 Apr 2026 17:19:05 +0200
+Subject: [PATCH] restorecond.service: Use Type=simple
+Content-type: text/plain
+
+There's a race condition when daemon() in parent process immediately
+exits while pid file is not created or updated. Using Type=forking it
+can confuse systemd which tries to open non-existing pid file. It's
+better to run restocond in foreground and use Type=simple
+
+Fixes:
+
+ openat(80, "restorecond.pid", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = -1 ENOENT (No such file or directory) <0.000006>
+
+Signed-off-by: Petr Lautrbach
+---
+ restorecond/restorecond.service | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/restorecond/restorecond.service b/restorecond/restorecond.service
+index 0e4ea72d08ae..56f970707d93 100644
+--- a/restorecond/restorecond.service
++++ b/restorecond/restorecond.service
+@@ -5,9 +5,8 @@ ConditionPathExists=/etc/selinux/restorecond.conf
+ ConditionSecurity=selinux
+
+ [Service]
+-Type=forking
+-ExecStart=/usr/sbin/restorecond
+-PIDFile=/run/restorecond.pid
++Type=simple
++ExecStart=/usr/sbin/restorecond -F
+
+ [Install]
+ WantedBy=multi-user.target
+--
+2.53.0
+
diff --git a/policycoreutils.spec b/policycoreutils.spec
index efa26a5..183ed59 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -11,7 +11,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 3.6
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/selinux-3.6.tar.gz
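Review bot: With `Type=simple` in restorecond.service the unit counts as started as soon as the process is launched, whereas under `Type=forking` systemd waited for the `daemon()` parent to exit, which in restorecond.c comes after `read_config(master_fd, watch_file)`. A configuration that fails to load would therefore presumably surface as a unit that became active and then failed, and anything ordered after restorecond.service can no longer assume the watches are in place. I would record that in the unit with a comment above the `Type=` line, for example `# Type=simple: unit is active before the config is read; not a readiness signal`. Whether a `/run/restorecond.pid` left behind by an earlier forking instance is cleaned up on upgrade is not visible in this patch and is worth confirming.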
@@ -64,6 +64,8 @@ Patch0025: 0025-sandbox-seunshare-Replace-system-with-execv-to-preve.patch Patch0026: 0026-semanage-improve-e-documentation-and-fix-delete-oper.patch Patch0027: 0027-improve-semanage-man-pages-Add-examples-for-r-RANGE-.patch Patch0028: 0028-semanage-fcontext-8-improve-e-documentation.patch +Patch0029: 0029-restorecond-Add-F-for-run-in-foreground.patch +Patch0030: 0030-restorecond.service-Use-Type-simple.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 @@ -473,6 +475,9 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Tue Apr 07 2026 Petr Lautrbach - 3.6-7 +- restorecond.service: Use Type=simple + * Tue Feb 24 2026 Petr Lautrbach - 3.6-6 - Improve semanage-fcontext(8) man page