policycoreutils-3.10-2

- restorecond.service: Use Type=simple Resolves: RHEL-165247
2026-04-07 16:59:12 +02:00 · 2026-04-07 16:59:12 +02:00 · d5da37c390
commit d5da37c390
parent 23f1664a75
4 changed files with 139 additions and 1 deletions
--- a/0007-restorecond-Add-F-for-run-in-foreground.patch
+++ b/0007-restorecond-Add-F-for-run-in-foreground.patch
@ -0,0 +1,94 @@
+From 8f63d68747c38b2d2301afbdaeca88c1cf020552 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Thu, 2 Apr 2026 17:17:12 +0200
+Subject: [PATCH] restorecond: Add -F for run in foreground
+Content-type: text/plain
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ restorecond/restorecond.8 |  5 ++++-
+ restorecond/restorecond.c | 13 ++++++++-----
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/restorecond/restorecond.8 b/restorecond/restorecond.8
+index bf8ec87562f8..bb99b24a2d69 100644
+--- a/restorecond/restorecond.8
+++ b/restorecond/restorecond.8
+@@ -3,7 +3,7 @@
+ restorecond \- daemon that watches for file creation and then sets the default SELinux file context
+ 
+ .SH "SYNOPSIS"
+-.B restorecond  [\-d] [-h] [\-f restorecond_file ] [\-u] [\-v]
+.B restorecond  [\-d] [-h] [\-f restorecond_file ] [\-F] [\-u] [\-v]
+ .P
+ 
+ .SH "DESCRIPTION"
+@@ -26,6 +26,9 @@ Print usage statement.
+ .B \-f restorecond_file
+ Use alternative restorecond.conf file.
+ .TP
+.B \-F
+Run in foreground, do not become a daemon.
+.TP
+ .B \-u
+ Turns on user mode.  Runs restorecond in the user session and reads /etc/selinux/restorecond_user.conf.  Uses dbus to make sure only one restorecond is running per user session.
+ .TP
+diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c
+index d5f70fc2e2c1..36f82ae5e9cb 100644
+--- a/restorecond/restorecond.c
+++ b/restorecond/restorecond.c
+@@ -76,6 +76,7 @@ int debug_mode = 0;
+ int terminate = 0;
+ int master_wd = -1;
+ int run_as_user = 0;
+int foreground_mode = 0;
+ 
+ static void done(void) {
+ 	watch_list_free(master_fd);
+@@ -124,7 +125,7 @@ static void term_handler(int s __attribute__ ((unused)))
+ 
+ static void usage(char *program)
+ {
+-	printf("%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
+	printf("%s [-d] [-f restorecond_file ] [-F] [-n] [-u] [-v] \n", program);
+ }
+ 
+ void exitApp(const char *msg)
+@@ -165,7 +166,7 @@ int main(int argc, char **argv)
+ 	sigaction(SIGTERM, &sa, NULL);
+ 
+ 	atexit( done );
+-	while ((opt = getopt(argc, argv, "hdf:uv")) > 0) {
+	while ((opt = getopt(argc, argv, "hdf:Fuv")) > 0) {
+ 		switch (opt) {
+ 		case 'd':
+ 			debug_mode = 1;
+@@ -173,6 +174,9 @@ int main(int argc, char **argv)
+ 		case 'f':
+ 			watch_file = optarg;
+ 			break;
+		case 'F':
+			foreground_mode = 1;
+			break;
+ 		case 'u':
+ 			run_as_user = 1;
+ 			break;
+@@ -209,13 +213,12 @@ int main(int argc, char **argv)
+ 
+ 	read_config(master_fd, watch_file);
+ 
+-	if (!debug_mode) {
+	if (!debug_mode && !foreground_mode) {
+ 		if (daemon(0, 0) < 0)
+ 			exitApp("daemon");
+		write_pid_file();
+ 	}
+ 
+-	write_pid_file();
+-
+ 	while (watch(master_fd, watch_file) == 0) {
+ 	}
+ 
+-- 
+2.53.0
+
--- a/0008-restorecond.service-Use-Type-simple.patch
+++ b/0008-restorecond.service-Use-Type-simple.patch
@ -0,0 +1,39 @@
+From 9a2d20910e4f6f35a76513627b68bfbfda7f6fd0 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Thu, 2 Apr 2026 17:19:05 +0200
+Subject: [PATCH] restorecond.service: Use Type=simple
+Content-type: text/plain
+
+There's a race condition when daemon() in parent process immediately
+exits while pid file is not created or updated. Using Type=forking it
+can confuse systemd which tries to open non-existing pid file. It's
+better to run restocond in foreground and use Type=simple
+
+Fixes:
+
+    openat(80</run>, "restorecond.pid", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = -1 ENOENT (No such file or directory) <0.000006>
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ restorecond/restorecond.service | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/restorecond/restorecond.service b/restorecond/restorecond.service
+index 0e4ea72d08ae..56f970707d93 100644
+--- a/restorecond/restorecond.service
+++ b/restorecond/restorecond.service
+@@ -5,9 +5,8 @@ ConditionPathExists=/etc/selinux/restorecond.conf
+ ConditionSecurity=selinux
+ 
+ [Service]
+-Type=forking
+-ExecStart=/usr/sbin/restorecond
+-PIDFile=/run/restorecond.pid
+Type=simple
+ExecStart=/usr/sbin/restorecond -F
+ 
+ [Install]
+ WantedBy=multi-user.target
+-- 
+2.53.0
+
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+* Tue Apr 07 2026 Petr Lautrbach <lautrbach@redhat.com> - 3.10-2
+- restorecond.service: Use Type=simple
+
 * Fri Feb 06 2026 Vit Mojzis <vmojzis@redhat.com> - 3.10-1
 - SELinux userspace 3.10 release

--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -11,7 +11,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 3.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz
@ -46,6 +46,8 @@ Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch
 Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch
 Patch0006: 0006-sepolicy-Fix-detection-of-writeable-locations.patch
+Patch0007: 0007-restorecond-Add-F-for-run-in-foreground.patch
+Patch0008: 0008-restorecond.service-Use-Type-simple.patch
 # Patch list end

 # gen_changelog