import policycoreutils-2.9-15.el8
This commit is contained in:
parent
4b4e34d750
commit
762ad8a1fa
@ -1,9 +1,9 @@
|
||||
2acf5c696e1e60cf405b0cadcc090b79269f8812 SOURCES/gui-po.tgz
|
||||
3b2b219d260791ac448dff7c2e169cb493c78cb0 SOURCES/gui-po.tgz
|
||||
6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
|
||||
af5375db35a33f9daf4b06e61566c92d0d4f6792 SOURCES/policycoreutils-po.tgz
|
||||
aac18d02363be7c03fad4ed35f5367f9ca0e397f SOURCES/python-po.tgz
|
||||
d609be1fbc8824f4b4643c5f51ac250ad1a13e33 SOURCES/policycoreutils-po.tgz
|
||||
e9509bc5c150069a1045c97b2293c4a8d3a65022 SOURCES/python-po.tgz
|
||||
0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
|
||||
76d7357f34e062dce330d2a97031b1b64dea775f SOURCES/sandbox-po.tgz
|
||||
2dfbf280ec17c1755b93426678dc885a0cf8909b SOURCES/sandbox-po.tgz
|
||||
8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
|
||||
5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
|
||||
660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
|
||||
|
@ -0,0 +1,69 @@
|
||||
From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001
|
||||
From: Antoine Tenart <antoine.tenart@bootlin.com>
|
||||
Date: Tue, 7 Jul 2020 16:35:01 +0200
|
||||
Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a
|
||||
binary policy
|
||||
|
||||
The -c option allows to check the validity of contexts against a
|
||||
specified binary policy. Its use is restricted: no pathname can be used
|
||||
when a binary policy is given to setfiles. It's not clear if this is
|
||||
intentional as the built-in help and the man page are not stating the
|
||||
same thing about this (the man page document -c as a normal option,
|
||||
while the built-in help shows it is restricted).
|
||||
|
||||
When generating full system images later used with SELinux in enforcing
|
||||
mode, the extended attributed of files have to be set by the build
|
||||
machine. The issue is setfiles always checks the contexts against a
|
||||
policy (ctx_validate = 1) and using an external binary policy is not
|
||||
currently possible when using a pathname. This ends up in setfiles
|
||||
failing early as the contexts of the target image are not always
|
||||
compatible with the ones of the build machine.
|
||||
|
||||
This patch reworks a check on optind only made when -c is used, that
|
||||
enforced the use of a single argument to allow 1+ arguments, allowing to
|
||||
use setfiles with an external binary policy and pathnames. The following
|
||||
command is then allowed, as already documented in the man page:
|
||||
|
||||
$ setfiles -m -r target/ -c policy.32 file_contexts target/
|
||||
|
||||
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
|
||||
(cherry-picked from SElinuxProject
|
||||
commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff )
|
||||
---
|
||||
policycoreutils/setfiles/setfiles.c | 11 +++++------
|
||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
|
||||
index 82d0aaa7..4fd3d756 100644
|
||||
--- a/policycoreutils/setfiles/setfiles.c
|
||||
+++ b/policycoreutils/setfiles/setfiles.c
|
||||
@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
|
||||
name, name);
|
||||
} else {
|
||||
fprintf(stderr,
|
||||
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
|
||||
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
|
||||
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n"
|
||||
- "usage: %s -c policyfile spec_file\n",
|
||||
- name, name, name, name);
|
||||
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
|
||||
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
|
||||
+ "usage: %s -s [-diIDlmnpqvFW] spec_file\n",
|
||||
+ name, name, name);
|
||||
}
|
||||
exit(-1);
|
||||
}
|
||||
@@ -376,7 +375,7 @@ int main(int argc, char **argv)
|
||||
|
||||
if (!iamrestorecon) {
|
||||
if (policyfile) {
|
||||
- if (optind != (argc - 1))
|
||||
+ if (optind > (argc - 1))
|
||||
usage(argv[0]);
|
||||
} else if (use_input_file) {
|
||||
if (optind != (argc - 1)) {
|
||||
--
|
||||
2.30.2
|
||||
|
@ -12,7 +12,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.9
|
||||
Release: 13%{?dist}
|
||||
Release: 15%{?dist}
|
||||
License: GPLv2
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
|
||||
@ -77,6 +77,7 @@ Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
|
||||
Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
|
||||
Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
|
||||
Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
|
||||
Patch0040: 0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
|
||||
|
||||
Obsoletes: policycoreutils < 2.0.61-2
|
||||
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
|
||||
@ -137,6 +138,8 @@ tar -xvf %{SOURCE14} -C python/sepolicy/
|
||||
|
||||
# Since patches containing translation changes were too big, translations were moved to separate tarballs
|
||||
# For more information see README.translations
|
||||
# First remove old translation files
|
||||
rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
|
||||
tar -x -f %{SOURCE20} -C policycoreutils -z
|
||||
tar -x -f %{SOURCE21} -C python -z
|
||||
tar -x -f %{SOURCE22} -C gui -z
|
||||
@ -514,6 +517,12 @@ The policycoreutils-restorecond package contains the restorecond service.
|
||||
%systemd_postun_with_restart restorecond.service
|
||||
|
||||
%changelog
|
||||
* Mon Jul 19 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-15
|
||||
- setfiles: do not restrict checks against a binary policy (#1973754)
|
||||
|
||||
* Tue Mar 09 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-14
|
||||
- Update translations (#1899695)
|
||||
|
||||
* Mon Feb 22 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-13
|
||||
- selinux(8,5): Describe fcontext regular expressions (#1904059)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user