import policycoreutils-2.9-15.el8

This commit is contained in:
CentOS Sources 2021-10-06 06:45:26 -04:00 committed by Stepan Oksanichenko
parent 4b4e34d750
commit 762ad8a1fa
3 changed files with 83 additions and 5 deletions

View File

@ -1,9 +1,9 @@
2acf5c696e1e60cf405b0cadcc090b79269f8812 SOURCES/gui-po.tgz
3b2b219d260791ac448dff7c2e169cb493c78cb0 SOURCES/gui-po.tgz
6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
af5375db35a33f9daf4b06e61566c92d0d4f6792 SOURCES/policycoreutils-po.tgz
aac18d02363be7c03fad4ed35f5367f9ca0e397f SOURCES/python-po.tgz
d609be1fbc8824f4b4643c5f51ac250ad1a13e33 SOURCES/policycoreutils-po.tgz
e9509bc5c150069a1045c97b2293c4a8d3a65022 SOURCES/python-po.tgz
0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
76d7357f34e062dce330d2a97031b1b64dea775f SOURCES/sandbox-po.tgz
2dfbf280ec17c1755b93426678dc885a0cf8909b SOURCES/sandbox-po.tgz
8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz

View File

@ -0,0 +1,69 @@
From d10e773c014a12b17fefd9caef0bd02528d75d18 Mon Sep 17 00:00:00 2001
From: Antoine Tenart <antoine.tenart@bootlin.com>
Date: Tue, 7 Jul 2020 16:35:01 +0200
Subject: [PATCH] policycoreutils: setfiles: do not restrict checks against a
binary policy
The -c option allows to check the validity of contexts against a
specified binary policy. Its use is restricted: no pathname can be used
when a binary policy is given to setfiles. It's not clear if this is
intentional as the built-in help and the man page are not stating the
same thing about this (the man page document -c as a normal option,
while the built-in help shows it is restricted).
When generating full system images later used with SELinux in enforcing
mode, the extended attributed of files have to be set by the build
machine. The issue is setfiles always checks the contexts against a
policy (ctx_validate = 1) and using an external binary policy is not
currently possible when using a pathname. This ends up in setfiles
failing early as the contexts of the target image are not always
compatible with the ones of the build machine.
This patch reworks a check on optind only made when -c is used, that
enforced the use of a single argument to allow 1+ arguments, allowing to
use setfiles with an external binary policy and pathnames. The following
command is then allowed, as already documented in the man page:
$ setfiles -m -r target/ -c policy.32 file_contexts target/
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
(cherry-picked from SElinuxProject
commit: c94e542c98da2f26863c1cbd9d7ad9bc5cca6aff )
---
policycoreutils/setfiles/setfiles.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 82d0aaa7..4fd3d756 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -39,11 +39,10 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
name, name);
} else {
fprintf(stderr,
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n"
- "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n"
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n"
- "usage: %s -c policyfile spec_file\n",
- name, name, name, name);
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
+ "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
+ "usage: %s -s [-diIDlmnpqvFW] spec_file\n",
+ name, name, name);
}
exit(-1);
}
@@ -376,7 +375,7 @@ int main(int argc, char **argv)
if (!iamrestorecon) {
if (policyfile) {
- if (optind != (argc - 1))
+ if (optind > (argc - 1))
usage(argv[0]);
} else if (use_input_file) {
if (optind != (argc - 1)) {
--
2.30.2

View File

@ -12,7 +12,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.9
Release: 13%{?dist}
Release: 15%{?dist}
License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@ -77,6 +77,7 @@ Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
Patch0039: 0039-selinux-8-5-Describe-fcontext-regular-expressions.patch
Patch0040: 0040-policycoreutils-setfiles-do-not-restrict-checks-agai.patch
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -137,6 +138,8 @@ tar -xvf %{SOURCE14} -C python/sepolicy/
# Since patches containing translation changes were too big, translations were moved to separate tarballs
# For more information see README.translations
# First remove old translation files
rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
tar -x -f %{SOURCE20} -C policycoreutils -z
tar -x -f %{SOURCE21} -C python -z
tar -x -f %{SOURCE22} -C gui -z
@ -514,6 +517,12 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Mon Jul 19 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-15
- setfiles: do not restrict checks against a binary policy (#1973754)
* Tue Mar 09 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-14
- Update translations (#1899695)
* Mon Feb 22 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-13
- selinux(8,5): Describe fcontext regular expressions (#1904059)