From e9c707725b24998781f3b4624f7f12cdcaf02e5c Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Sat, 10 May 2025 09:34:14 +0200 Subject: [PATCH] policycoreutils-3.8-2 - sepolicy: Fix detection of writeable locations Resolves: RHEL-54020 --- ...Fix-detection-of-writeable-locations.patch | 66 +++++++++++++++++++ changelog | 3 + policycoreutils.spec | 3 +- 3 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 0006-sepolicy-Fix-detection-of-writeable-locations.patch
diff --git a/0006-sepolicy-Fix-detection-of-writeable-locations.patch b/0006-sepolicy-Fix-detection-of-writeable-locations.patch
new file mode 100644
index 0000000..6f85430
--- /dev/null
+++ b/0006-sepolicy-Fix-detection-of-writeable-locations.patch
@@ -0,0 +1,66 @@
+From f6630f61e5f4e7771eda0c1a1c5c95afc7f497f8 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Mon, 5 May 2025 18:28:40 +0200
+Subject: [PATCH] sepolicy: Fix detection of writeable locations
+Content-type: text/plain
+
+- update substitutions from /etc/dnf/var
+
+It seems that by default dnf api does not read /etc/dnf/var/* files to
+update substitutions and so it can't resolve correct mirror list when a
+variable is part of the link.
+
+- alway run query.run()
+
+Fixes:
+ Traceback (most recent call last):
+ File "/usr/lib/python3.12/site-packages/dnf/repo.py", line 574, in load
+ ret = self._repo.load()
+ ^^^^^^^^^^^^^^^^^
+ File "/usr/lib64/python3.12/site-packages/libdnf/repo.py", line 467, in load
+ return _repo.Repo_load(self)
+ ^^^^^^^^^^^^^^^^^^^^^
+ libdnf._error.Error: Failed to download metadata for repo 'baseos':
+ Cannot prepare internal mirrorlist: Status code: 404 for
+ https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=x86_64&protocol=https,http (IP:152.19.134.198)
+
+Signed-off-by: Petr Lautrbach
+---
+ python/sepolicy/sepolicy/generate.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
+index f726ad51b775..a0314a7060cc 100644
+--- a/python/sepolicy/sepolicy/generate.py
++++ b/python/sepolicy/sepolicy/generate.py
+@@ -1267,15 +1267,15 @@ allow %s_t %s_t:%s_socket name_%s;
+ import dnf
+
+ with dnf.Base() as base:
++ base.conf.substitutions.update_from_etc('/')
+ base.read_all_repos()
+ base.fill_sack(load_system_repo=True)
+
+ query = base.sack.query()
+
+- pq = query.available()
+- pq = pq.filter(file=self.program)
++ pq = query.filter(file=self.program)
+
+- for pkg in pq:
++ for pkg in pq.run():
+ self.rpms.append(pkg.name)
+ for fname in pkg.files:
+ for b in self.DEFAULT_DIRS:
+@@ -1288,7 +1288,7 @@ allow %s_t %s_t:%s_socket name_%s;
+ self.add_dir(fname)
+ sq = query.available()
+ sq = sq.filter(provides=pkg.source_name)
+- for bpkg in sq:
++ for bpkg in sq.run():
+ for fname in bpkg.files:
+ for b in self.DEFAULT_DIRS:
+ if b == "/etc":
+--
+2.49.0
+
diff --git a/changelog b/changelog
index ee45042..1043b31 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,6 @@
+* Sat May 10 2025 Petr Lautrbach - 3.8-2
+- sepolicy: Fix detection of writeable locations
+
 * Fri Jan 31 2025 Petr Lautrbach - 3.8-1
 - SELinux userspace 3.8 release
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 212ff5f..d6f4638 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -11,7 +11,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 3.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz
@@ -43,6 +43,7 @@ Patch0002: 0002-sepolicy-generate-Handle-more-reserved-port-types.patch
 Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch
 Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch
+Patch0006: 0006-sepolicy-Fix-detection-of-writeable-locations.patch
 # Patch list end
 Obsoletes: policycoreutils < 2.0.61-2
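Review bot: With `query.available()` dropped from the first lookup in the embedded generate.py patch, `pq = query.filter(file=self.program)` now runs over installed and repository packages together, since the sack is filled with `load_system_repo=True`. A package that is both installed and published, or offered in several versions, would then be visited more than once, and `self.rpms.append(pkg.name)` can record the same name repeatedly; a guard such as `if pkg.name not in self.rpms: self.rpms.append(pkg.name)` keeps the list stable. The second lookup still starts from `sq = query.available()`, so the two queries no longer share a scope; if that asymmetry is intended, a comment like `# source-package siblings are only looked up in repos` would say so. `update_from_etc('/')` hard-codes the root, and `base.conf.substitutions.update_from_etc(base.conf.installroot)` would follow the dnf configuration instead. The enclosing method starts and ends outside both inner hunks, so any existing handling of a failed repo load is not visible here; the writable-location list that ends up in the generated policy depends on that metadata being reachable.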