policycoreutils-2.9-27

- semodule: Enable CIL logging

Resolves: RHEL-139145

0057-policycoreutils-semodule-Enable-CIL-logging.patch

@@ -0,0 +1,68 @@
+From 58d216e18e1c2732368aaee0beb44f6508f77476 Mon Sep 17 00:00:00 2001
+From: Jason Zaman <jason@perfinion.com>
+Date: Mon, 21 Oct 2019 13:55:05 +0800
+Subject: [PATCH] policycoreutils: semodule: Enable CIL logging
+
+semodule -v will turn on semodule's own verbose logging but not logging
+from CIL. This change makes the verbose flag also set cil's log level.
+
+By default (ie no -v flag), this will enable CIL_ERR, and each -v will
+increase the level from there.
+
+Tested with a duplicated fcontext in the policy.
+Before this change:
+    # semodule -v -B
+    Committing changes:
+    Problems processing filecon rules
+    Failed post db handling
+    semodule:  Failed!
+
+After this change:
+    # semodule -v -B
+    [ ... snip ... ]
+    Found conflicting filecon rules
+      at /var/lib/selinux/mcs/tmp/modules/400/mycustom/cil:159
+      at /var/lib/selinux/mcs/tmp/modules/400/mycustom/cil:158
+    Problems processing filecon rules
+    Failed post db handling
+    semodule:  Failed!
+
+Closes: https://github.com/SELinuxProject/selinux/issues/176
+Signed-off-by: Jason Zaman <jason@perfinion.com>
+---
+ policycoreutils/semodule/semodule.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index 324ec9fb..bd689837 100644
+--- a/policycoreutils/semodule/semodule.c
++++ b/policycoreutils/semodule/semodule.c
+@@ -22,6 +22,7 @@
+ #include <libgen.h>
+ #include <limits.h>
+ 
++#include <sepol/cil/cil.h>
+ #include <semanage/modules.h>
+ 
+ enum client_modes {
+@@ -264,7 +265,7 @@ static void parse_command_line(int argc, char **argv)
+ 			set_mode(LIST_M, optarg);
+ 			break;
+ 		case 'v':
+-			verbose = 1;
++			verbose++;
+ 			break;
+ 		case 'r':
+ 			set_mode(REMOVE_M, optarg);
+@@ -415,6 +416,8 @@ int main(int argc, char *argv[])
+ 	}
+ 	parse_command_line(argc, argv);
+ 
++	cil_set_log_level(CIL_ERR + verbose);
++
+ 	if (build || check_ext_changes)
+ 		commit = 1;
+ 
+-- 
+2.52.0
+

policycoreutils.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 2.9
-Release: 26.1%{?dist}
+Release: 27%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@@ -92,8 +92,9 @@ Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
 Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch
 Patch0053: 0053-python-Harden-more-tools-against-rogue-modules.patch
 Patch0054: 0054-sepolicy-port-to-dnf4-python-API.patch
-Patch0056: 0055-python-semanage-Do-not-sort-local-fcontext-definitio.patch
-Patch0057: 0056-python-semanage-Allow-modifying-records-on-add.patch
+Patch0055: 0055-python-semanage-Do-not-sort-local-fcontext-definitio.patch
+Patch0056: 0056-python-semanage-Allow-modifying-records-on-add.patch
+Patch0057: 0057-policycoreutils-semodule-Enable-CIL-logging.patch
 
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -533,6 +534,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Tue Mar 03 2026 Vit Mojzis <vmojzis@redhat.com> - 2.9-27
+- semodule: Enable CIL logging (RHEL-139145)
+
 * Wed Mar 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-26
 - python/semanage: Allow modifying records on "add" (RHEL-28167)
 - python/semanage: Do not sort local fcontext definitions (RHEL-24461)