diff --git a/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch b/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
new file mode 100644
index 0000000..4ad47e4
--- /dev/null
+++ b/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
@@ -0,0 +1,49 @@
+From e0a1cdb6181bcf3a23fe63b8e67fd5020e81d05e Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Fri, 22 Jan 2021 16:25:52 +0100
+Subject: [PATCH] python/sepolgen: allow any policy statement in if(n)def
+
+"ifdef/ifndef" statements can be used to conditionally define
+an interface, but this syntax is not recognised by sepolgen-ifgen.
+Fix sepolgen-ifgen to allow any policy statement inside an
+"ifdef/ifndef" statement.
+
+Fixes:
+ $ cat < i.if
+ifndef(`apache_manage_pid_files',`
+ interface(`apache_manage_pid_files',`
+ manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+ ')
+')
+
+ #sepolgen-ifgen --interface=i.if
+ i.if: Syntax error on line 2 interface [type=INTERFACE]
+ i.if: Syntax error on line 4 ' [type=SQUOTE]
+
+Signed-off-by: Vit Mojzis
+[OM: s/fidef/ifdef/]
+Signed-off-by: Ondrej Mosnacek
+---
+ python/sepolgen/src/sepolgen/refparser.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
+index f506dc3a..5d77e2a3 100644
+--- a/python/sepolgen/src/sepolgen/refparser.py
++++ b/python/sepolgen/src/sepolgen/refparser.py
+@@ -431,9 +431,9 @@ def p_ifelse(p):
+
+
+ def p_ifdef(p):
+- '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+- | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+- | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
++ '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
++ | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
++ | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
+ '''
+ x = refpolicy.IfDef(p[4])
+ if p[1] == 'ifdef':
+--
+2.29.2
+
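Review bot: Widening the body of all three rules from `interface_stmts` to `statements` means p[8] (and p[12] in the if/else form) can now hold any policy statement, including nested interface definitions, while the action code that builds `refpolicy.IfDef(p[4])` is untouched and continues outside the hunk. It is worth confirming that whatever attaches p[8]/p[12] to `x`, and sepolgen-ifgen's later walk of IfDef nodes, accept Interface children, since the parser accepting the input is only half of the fix. Because the docstring is the live PLY grammar, a short comment above the rules would keep the intent visible to the next maintainer: `# The body is any policy statement, not just interface_stmts: refpolicy wraps whole interface() definitions in ifdef/ifndef.`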
diff --git a/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch b/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
new file mode 100644
index 0000000..aab207b
--- /dev/null
+++ b/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
@@ -0,0 +1,68 @@
+From 53ccdd55adfbec60fb4277286f2ad94660838504 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 13 Jan 2021 22:09:47 +0100
+Subject: [PATCH] setfiles: Do not abort on labeling error
+
+Commit 602347c7422e ("policycoreutils: setfiles - Modify to use
+selinux_restorecon") changed behavior of setfiles. Original
+implementation skipped files which it couldn't set context to while the
+new implementation aborts on them. setfiles should abort only if it
+can't validate a context from spec_file.
+
+Reproducer:
+
+ # mkdir -p r/1 r/2 r/3
+ # touch r/1/1 r/2/1
+ # chattr +i r/2/1
+ # touch r/3/1
+ # setfiles -r r -v /etc/selinux/targeted/contexts/files/file_contexts r
+ Relabeled r from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:root_t:s0
+ Relabeled r/2 from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:default_t:s0
+ setfiles: Could not set context for r/2/1: Operation not permitted
+
+r/3 and r/1 are not relabeled.
+
+Signed-off-by: Petr Lautrbach
+---
+ policycoreutils/setfiles/setfiles.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index bc83c27b4c06..68eab45aa2b4 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -182,6 +182,7 @@ int main(int argc, char **argv)
+ policyfile = NULL;
+ nerr = 0;
+
++ r_opts.abort_on_error = 0;
+ r_opts.progname = strdup(argv[0]);
+ if (!r_opts.progname) {
+ fprintf(stderr, "%s: Out of memory!\n", argv[0]);
+@@ -194,7 +195,6 @@ int main(int argc, char **argv)
+ * setfiles:
+ * Recursive descent,
+ * Does not expand paths via realpath,
+- * Aborts on errors during the file tree walk,
+ * Try to track inode associations for conflict detection,
+ * Does not follow mounts (sets SELINUX_RESTORECON_XDEV),
+ * Validates all file contexts at init time.
+@@ -202,7 +202,6 @@ int main(int argc, char **argv)
+ iamrestorecon = 0;
+ r_opts.recurse = SELINUX_RESTORECON_RECURSE;
+ r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
+- r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
+ r_opts.add_assoc = SELINUX_RESTORECON_ADD_ASSOC;
+ /* FTS_PHYSICAL and FTS_NOCHDIR are always set by selinux_restorecon(3) */
+ r_opts.xdev = SELINUX_RESTORECON_XDEV;
+@@ -226,7 +225,6 @@ int main(int argc, char **argv)
+ iamrestorecon = 1;
+ r_opts.recurse = 0;
+ r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
+- r_opts.abort_on_error = 0;
+ r_opts.add_assoc = 0;
+ r_opts.xdev = 0;
+ r_opts.ignore_mounts = 0;
+--
+2.30.0
+
diff --git a/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch b/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
new file mode 100644
index 0000000..349c675
--- /dev/null
+++ b/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
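Review bot: With `r_opts.abort_on_error = 0` set unconditionally before the setfiles/restorecon branches, setfiles now keeps walking after a file it cannot relabel (the immutable r/2/1 in the reproducer is reported and skipped), so the process exit status becomes the only signal to a caller that a relabel was partial; nothing in the hunk shows how main() turns the result of the restorecon walk into its return code, and main() continues outside the hunk. It is worth confirming that a reported "Could not set context" still produces a non-zero exit, otherwise an autorelabel or packaging script that checks the exit status would treat an incomplete relabel as success. The options comment block that loses `Aborts on errors during the file tree walk,` could say what replaces it, e.g. `* Reports but does not abort on errors during the file tree walk,`.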
@@ -0,0 +1,110 @@
+From 2f135022f4372dc34198c48cfd67b91044e6dfd7 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 13 Jan 2021 22:09:48 +0100
+Subject: [PATCH] setfiles: drop ABORT_ON_ERRORS and related code
+
+`setfiles -d` doesn't have any impact on number of errors before it
+aborts. It always aborts on first invalid context in spec file.
+
+Signed-off-by: Petr Lautrbach
+---
+ policycoreutils/setfiles/Makefile | 3 ---
+ policycoreutils/setfiles/ru/setfiles.8 | 2 +-
+ policycoreutils/setfiles/setfiles.8 | 3 +--
+ policycoreutils/setfiles/setfiles.c | 18 ------------------
+ 4 files changed, 2 insertions(+), 24 deletions(-)
+
+diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
+index bc5a8db789a5..a3bbbe116b7f 100644
+--- a/policycoreutils/setfiles/Makefile
++++ b/policycoreutils/setfiles/Makefile
+@@ -5,8 +5,6 @@ SBINDIR ?= /sbin
+ MANDIR = $(PREFIX)/share/man
+ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+
+-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
+-
+ CFLAGS ?= -g -Werror -Wall -W
+ override LDLIBS += -lselinux -lsepol
+
+@@ -26,7 +24,6 @@ restorecon_xattr: restorecon_xattr.o restore.o
+
+ man:
+ @cp -af setfiles.8 setfiles.8.man
+- @sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
+
+ install: all
+ [ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
+diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
+index 27815a3f1eee..910101452625 100644
+--- a/policycoreutils/setfiles/ru/setfiles.8
++++ b/policycoreutils/setfiles/ru/setfiles.8
+@@ -47,7 +47,7 @@ setfiles \- установить SELinux-контексты безопаснос
+ проверить действительность контекстов относительно указанной двоичной политики.
+ .TP
+ .B \-d
+-показать, какая спецификация соответствует каждому из файлов (не прекращать проверку после получения ошибок ABORT_ON_ERRORS).
++показать, какая спецификация соответствует каждому из файлов.
+ .TP
+ .BI \-e \ directory
+ исключить каталог (чтобы исключить более одного каталога, этот параметр необходимо использовать соответствующее количество раз).
+diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
+index a8a76c860dac..b7d3cefb96ff 100644
+--- a/policycoreutils/setfiles/setfiles.8
++++ b/policycoreutils/setfiles/setfiles.8
+@@ -56,8 +56,7 @@ option will force a replacement of the entire context.
+ check the validity of the contexts against the specified binary policy.
+ .TP
+ .B \-d
+-show what specification matched each file (do not abort validation
+-after ABORT_ON_ERRORS errors). Not affected by "\-q"
++show what specification matched each file. Not affected by "\-q"
+ .TP
+ .BI \-e \ directory
+ directory to exclude (repeat option for more than one directory).
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index 68eab45aa2b4..bcbdfbfe53e2 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -23,14 +23,6 @@ static int nerr;
+
+ #define STAT_BLOCK_SIZE 1
+
+-/* setfiles will abort its operation after reaching the
+- * following number of errors (e.g. invalid contexts),
+- * unless it is used in "debug" mode (-d option).
+- */
+-#ifndef ABORT_ON_ERRORS
+-#define ABORT_ON_ERRORS 10
+-#endif
+-
+ #define SETFILES "setfiles"
+ #define RESTORECON "restorecon"
+ static int iamrestorecon;
+@@ -57,15 +49,6 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
+ exit(-1);
+ }
+
+-void inc_err(void)
+-{
+- nerr++;
+- if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
+- fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
+- exit(-1);
+- }
+-}
+-
+ void set_rootpath(const char *arg)
+ {
+ if (strlen(arg) == 1 && strncmp(arg, "/", 1) == 0) {
+@@ -98,7 +81,6 @@ int canoncon(char **contextp)
+ *contextp = tmpcon;
+ } else if (errno != ENOENT) {
+ rc = -1;
+- inc_err();
+ }
+
+ return rc;
+--
+2.30.0
+
diff --git a/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch b/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
new file mode 100644
index 0000000..31b9a34
--- /dev/null
+++ b/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
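Review bot: After `inc_err()` is removed from canoncon(), the `errno != ENOENT` branch only sets `rc = -1`, so an invalid context in the spec file is no longer counted or acted on inside this function; the commit message's statement that setfiles always aborts on the first invalid context therefore depends entirely on the caller of canoncon() (outside the hunk) treating rc == -1 as fatal, which is worth verifying rather than assuming, since a silently accepted bad spec entry would leave files with an unintended label. The `nerr` counter is also left declared and checked in main() although nothing increments it any more, which the following patch 0038 on this page cleans up. A comment at the failure branch would make the new contract explicit: `/* invalid context: nothing is counted here, the caller must treat rc == -1 as fatal */`.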
@@ -0,0 +1,44 @@
+From a691da617a2d3c864786ff2742d9a9f87ecc7d05 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Mon, 1 Feb 2021 15:24:32 +0100
+Subject: [PATCH] policycoreutils/setfiles: Drop unused nerr variable
+
+Suggested-by: Nicolas Iooss
+Signed-off-by: Petr Lautrbach
+---
+ policycoreutils/setfiles/setfiles.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index bcbdfbfe53e2..82d0aaa75893 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -19,7 +19,6 @@ static int warn_no_match;
+ static int null_terminated;
+ static int request_digest;
+ static struct restore_opts r_opts;
+-static int nerr;
+
+ #define STAT_BLOCK_SIZE 1
+
+@@ -162,7 +161,6 @@ int main(int argc, char **argv)
+ warn_no_match = 0;
+ request_digest = 0;
+ policyfile = NULL;
+- nerr = 0;
+
+ r_opts.abort_on_error = 0;
+ r_opts.progname = strdup(argv[0]);
+@@ -417,9 +415,6 @@ int main(int argc, char **argv)
+ r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
+ r_opts.selabel_opt_path = altpath;
+
+- if (nerr)
+- exit(-1);
+-
+ restore_init(&r_opts);
+
+ if (use_input_file) {
+--
+2.30.0
+
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec
index e9c4cff..54bc196 100644
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
@@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.9
-Release: 10%{?dist}
+Release: 12%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@@ -72,6 +72,10 @@ Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch Patch0033: 0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch Patch0034: 0034-python-semanage-Sort-imports-in-alphabetical-order.patch +Patch0035: 0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch +Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch +Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch +Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch Obsoletes: policycoreutils < 2.0.61-2 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 @@ -509,6 +513,12 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Tue Feb 2 2021 Petr Lautrbach - 2.9-12 +- setfiles: Do not abort on labeling error (#1794518) + +* Wed Jan 27 2021 Vit Mojzis - 2.9-11 +- python/sepolgen: allow any policy statement in if(n)def (#1868717) + * Sat Jan 16 2021 Vit Mojzis - 2.9-10 - python/semanage: Sort imports in alphabetical order - python/semanage: empty stdout before exiting on BrokenPipeError (#1822100)