policycoreutils-3.8-2

- sepolicy: Fix detection of writeable locations

Resolves: RHEL-54020

0006-sepolicy-Fix-detection-of-writeable-locations.patch

@@ -0,0 +1,66 @@
+From f6630f61e5f4e7771eda0c1a1c5c95afc7f497f8 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Mon, 5 May 2025 18:28:40 +0200
+Subject: [PATCH] sepolicy: Fix detection of writeable locations
+Content-type: text/plain
+
+- update substitutions from /etc/dnf/var
+
+It seems that by default dnf api does not read /etc/dnf/var/* files to
+update substitutions and so it can't resolve correct mirror list when a
+variable is part of the link.
+
+- alway run query.run()
+
+Fixes:
+    Traceback (most recent call last):
+      File "/usr/lib/python3.12/site-packages/dnf/repo.py", line 574, in load
+        ret = self._repo.load()
+              ^^^^^^^^^^^^^^^^^
+      File "/usr/lib64/python3.12/site-packages/libdnf/repo.py", line 467, in load
+        return _repo.Repo_load(self)
+               ^^^^^^^^^^^^^^^^^^^^^
+    libdnf._error.Error: Failed to download metadata for repo 'baseos':
+    Cannot prepare internal mirrorlist: Status code: 404 for
+    https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=x86_64&protocol=https,http (IP:152.19.134.198)
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ python/sepolicy/sepolicy/generate.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
+index f726ad51b775..a0314a7060cc 100644
+--- a/python/sepolicy/sepolicy/generate.py
++++ b/python/sepolicy/sepolicy/generate.py
+@@ -1267,15 +1267,15 @@ allow %s_t %s_t:%s_socket name_%s;
+         import dnf
+ 
+         with dnf.Base() as base:
++            base.conf.substitutions.update_from_etc('/')
+             base.read_all_repos()
+             base.fill_sack(load_system_repo=True)
+ 
+             query = base.sack.query()
+ 
+-            pq = query.available()
+-            pq = pq.filter(file=self.program)
++            pq = query.filter(file=self.program)
+ 
+-            for pkg in pq:
++            for pkg in pq.run():
+                 self.rpms.append(pkg.name)
+                 for fname in pkg.files:
+                     for b in self.DEFAULT_DIRS:
+@@ -1288,7 +1288,7 @@ allow %s_t %s_t:%s_socket name_%s;
+                                 self.add_dir(fname)
+                 sq = query.available()
+                 sq = sq.filter(provides=pkg.source_name)
+-                for bpkg in sq:
++                for bpkg in sq.run():
+                     for fname in bpkg.files:
+                         for b in self.DEFAULT_DIRS:
+                             if b == "/etc":
+-- 
+2.49.0
+

changelog

@@ -1,3 +1,6 @@
+* Sat May 10 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-2
+- sepolicy: Fix detection of writeable locations
+
 * Fri Jan 31 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-1
 - SELinux userspace 3.8 release
 

policycoreutils.spec

@@ -11,7 +11,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 3.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz
@@ -43,6 +43,7 @@ Patch0002: 0002-sepolicy-generate-Handle-more-reserved-port-types.patch
 Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch
 Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch
+Patch0006: 0006-sepolicy-Fix-detection-of-writeable-locations.patch
 # Patch list end
 
 Obsoletes: policycoreutils < 2.0.61-2