From d5da37c390e38759f6b3e77764dde9459843984b Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 7 Apr 2026 16:59:12 +0200 Subject: [PATCH] policycoreutils-3.10-2 - restorecond.service: Use Type=simple Resolves: RHEL-165247 --- ...torecond-Add-F-for-run-in-foreground.patch | 94 +++++++++++++++++++ ...-restorecond.service-Use-Type-simple.patch | 39 ++++++++ changelog | 3 + policycoreutils.spec | 4 +- 4 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 0007-restorecond-Add-F-for-run-in-foreground.patch create mode 100644 0008-restorecond.service-Use-Type-simple.patch diff --git a/0007-restorecond-Add-F-for-run-in-foreground.patch b/0007-restorecond-Add-F-for-run-in-foreground.patch new file mode 100644 index 0000000..09502b8 --- /dev/null +++ b/0007-restorecond-Add-F-for-run-in-foreground.patch 
@@ -0,0 +1,94 @@ +From 8f63d68747c38b2d2301afbdaeca88c1cf020552 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 2 Apr 2026 17:17:12 +0200 +Subject: [PATCH] restorecond: Add -F for run in foreground +Content-type: text/plain + +Signed-off-by: Petr Lautrbach +--- + restorecond/restorecond.8 | 5 ++++- + restorecond/restorecond.c | 13 ++++++++----- + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/restorecond/restorecond.8 b/restorecond/restorecond.8 +index bf8ec87562f8..bb99b24a2d69 100644 +--- a/restorecond/restorecond.8 ++++ b/restorecond/restorecond.8 +@@ -3,7 +3,7 @@ + restorecond \- daemon that watches for file creation and then sets the default SELinux file context + + .SH "SYNOPSIS" +-.B restorecond [\-d] [-h] [\-f restorecond_file ] [\-u] [\-v] ++.B restorecond [\-d] [-h] [\-f restorecond_file ] [\-F] [\-u] [\-v] + .P + + .SH "DESCRIPTION" +@@ -26,6 +26,9 @@ Print usage statement. + .B \-f restorecond_file + Use alternative restorecond.conf file. + .TP ++.B \-F ++Run in foreground, do not become a daemon. ++.TP + .B \-u + Turns on user mode. Runs restorecond in the user session and reads /etc/selinux/restorecond_user.conf. Uses dbus to make sure only one restorecond is running per user session. 
+ .TP +diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c +index d5f70fc2e2c1..36f82ae5e9cb 100644 +--- a/restorecond/restorecond.c ++++ b/restorecond/restorecond.c +@@ -76,6 +76,7 @@ int debug_mode = 0; + int terminate = 0; + int master_wd = -1; + int run_as_user = 0; ++int foreground_mode = 0; + + static void done(void) { + watch_list_free(master_fd); +@@ -124,7 +125,7 @@ static void term_handler(int s __attribute__ ((unused))) + + static void usage(char *program) + { +- printf("%s [-d] [-f restorecond_file ] [-u] [-v] \n", program); ++ printf("%s [-d] [-f restorecond_file ] [-F] [-n] [-u] [-v] \n", program); + } + + void exitApp(const char *msg) +@@ -165,7 +166,7 @@ int main(int argc, char **argv) + sigaction(SIGTERM, &sa, NULL); + + atexit( done ); +- while ((opt = getopt(argc, argv, "hdf:uv")) > 0) { ++ while ((opt = getopt(argc, argv, "hdf:Fuv")) > 0) { + switch (opt) { + case 'd': + debug_mode = 1; +@@ -173,6 +174,9 @@ int main(int argc, char **argv) + case 'f': + watch_file = optarg; + break; ++ case 'F': ++ foreground_mode = 1; ++ break; + case 'u': + run_as_user = 1; + break; +@@ -209,13 +213,12 @@ int main(int argc, char **argv) + + read_config(master_fd, watch_file); + +- if (!debug_mode) { ++ if (!debug_mode && !foreground_mode) { + if (daemon(0, 0) < 0) + exitApp("daemon"); ++ write_pid_file(); + } + +- write_pid_file(); +- + while (watch(master_fd, watch_file) == 0) { + } + +-- +2.53.0 + diff --git a/0008-restorecond.service-Use-Type-simple.patch b/0008-restorecond.service-Use-Type-simple.patch new file mode 100644 index 0000000..1beb348 --- /dev/null +++ b/0008-restorecond.service-Use-Type-simple.patch 
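Review bot: The new usage() string in restorecond.c advertises a `-n` option that the getopt string `"hdf:Fuv"` never accepts and that the man page does not document; the line should read `printf("%s [-d] [-f restorecond_file ] [-F] [-u] [-v] \n", program);` (adding `[-h]` there too would match the SYNOPSIS). A second point: write_pid_file() now runs only on the daemonizing path, so `-F` leaves no /run/restorecond.pid behind, which is presumably intended for the Type=simple unit but is worth stating in the new `.B \-F` entry, e.g. `Run in foreground, do not become a daemon. No pid file is written.`. main() in restorecond.c starts and ends outside this hunk.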
@@ -0,0 +1,39 @@ +From 9a2d20910e4f6f35a76513627b68bfbfda7f6fd0 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 2 Apr 2026 17:19:05 +0200 +Subject: [PATCH] restorecond.service: Use Type=simple +Content-type: text/plain + +There's a race condition when daemon() in parent process immediately +exits while pid file is not created or updated. Using Type=forking it +can confuse systemd which tries to open non-existing pid file. It's +better to run restocond in foreground and use Type=simple + +Fixes: + + openat(80, "restorecond.pid", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = -1 ENOENT (No such file or directory) <0.000006> + +Signed-off-by: Petr Lautrbach +--- + restorecond/restorecond.service | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/restorecond/restorecond.service b/restorecond/restorecond.service +index 0e4ea72d08ae..56f970707d93 100644 +--- a/restorecond/restorecond.service ++++ b/restorecond/restorecond.service +@@ -5,9 +5,8 @@ ConditionPathExists=/etc/selinux/restorecond.conf + ConditionSecurity=selinux + + [Service] +-Type=forking +-ExecStart=/usr/sbin/restorecond +-PIDFile=/run/restorecond.pid ++Type=simple ++ExecStart=/usr/sbin/restorecond -F + + [Install] + WantedBy=multi-user.target +-- +2.53.0 + diff --git a/changelog b/changelog index 9a5c96b..e9ad342 100644 --- a/changelog +++ b/changelog @@ -1,3 +1,6 @@ +* Tue Apr 07 2026 Petr Lautrbach - 3.10-2 +- restorecond.service: Use Type=simple + * Fri Feb 06 2026 Vit Mojzis - 3.10-1 - SELinux userspace 3.10 release diff --git a/policycoreutils.spec b/policycoreutils.spec index c107111..5b49f91 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -11,7 +11,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 3.10 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL-2.0-or-later # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz 
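Review bot: With `Type=simple` systemd reports restorecond.service as started as soon as ExecStart is forked, before main() has run read_config(), whereas with Type=forking the parent exited only after read_config() had completed; units ordered `After=restorecond.service` therefore gain a short window in which new files are not yet being relabelled. That is presumably acceptable for this fix, but it deserves a comment next to the new line, e.g. `# Type=simple: the unit is "started" before restorecond has read its config and set up watches`. Dropping `PIDFile=` is consistent with patch 0007, which writes no pid file in foreground mode, so nothing else in the unit still refers to /run/restorecond.pid.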
@@ -46,6 +46,8 @@ Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch Patch0006: 0006-sepolicy-Fix-detection-of-writeable-locations.patch +Patch0007: 0007-restorecond-Add-F-for-run-in-foreground.patch +Patch0008: 0008-restorecond.service-Use-Type-simple.patch # Patch list end # gen_changelog