From ec54dec5eda806fb9b72762bb6da9862cf608d41 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Tue, 11 Nov 2025 15:41:23 +0000
Subject: [PATCH] import UBI policycoreutils-3.6-3.el9

---
 ...xfiles-drop-unnecessary-line-endings.patch | 78 +++++++++++++++++++
 ...-restorecond-always-add-0-to-ut_user.patch | 49 ++++++++++++
 SPECS/policycoreutils.spec | 7 +-
 3 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0020-fixfiles-drop-unnecessary-line-endings.patch
 create mode 100644 SOURCES/0021-restorecond-always-add-0-to-ut_user.patch

diff --git a/SOURCES/0020-fixfiles-drop-unnecessary-line-endings.patch b/SOURCES/0020-fixfiles-drop-unnecessary-line-endings.patch
new file mode 100644
index 0000000..44bfc59
--- /dev/null
+++ b/SOURCES/0020-fixfiles-drop-unnecessary-line-endings.patch
@@ -0,0 +1,78 @@
+From be02ae5d861e4a80bb80f9b1a659315efb5b2aab Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 6 Jun 2024 11:50:39 +0200
+Subject: [PATCH] fixfiles: drop unnecessary \ line endings
+Content-type: text/plain
+
+See https://github.com/koalaman/shellcheck/issues/2769
+
+Fixes:
+ $ shellcheck -S error fixfiles
+
+ In fixfiles line 189:
+ # These two sorts need to be separate commands \
+ ^-- SC1143 (error): This backslash is part of a comment and does not continue the line.
+
+ For more information:
+ https://www.shellcheck.net/wiki/SC1143 -- This backslash is part of a comme...
+
+Signed-off-by: Petr Lautrbach
+Acked-by: James Carter
+---
+ policycoreutils/scripts/fixfiles | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index ebe64563c7d7..13ac07414c14 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -174,10 +174,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
+ test -z "$TEMPFILE" && exit
+ PREFCTEMPFILE=`mktemp ${PREFC}.XXXXXXXXXX`
+ sed -r -e 's,:s0, ,g' $PREFC | sort -u > ${PREFCTEMPFILE}
+- sed -r -e 's,:s0, ,g' $FC | sort -u | \
+- /usr/bin/diff -b ${PREFCTEMPFILE} - | \
+- grep '^[<>]'|cut -c3-| grep ^/ | \
+- grep -Ev '(^/home|^/root|^/tmp)' |\
++ sed -r -e 's,:s0, ,g' $FC | sort -u |
++ /usr/bin/diff -b ${PREFCTEMPFILE} - |
++ grep '^[<>]'|cut -c3-| grep ^/ |
++ grep -Ev '(^/home|^/root|^/tmp)' |
+ sed -r -e 's,[[:blank:]].*,,g' \
+ -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
+ -e 's|([/[:alnum:]])\?|{\1,}|g' \
+@@ -186,19 +186,19 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
+ -e 's|\(.*|*|g' \
+ -e 's|\[.*|*|g' \
+ -e 's|\.\*.*|*|g' \
+- -e 's|\.\+.*|*|g' | \
+- # These two sorts need to be separate commands \
+- sort -u | \
+- sort -d | \
+- while read pattern ; \
+- do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
+- echo "$pattern"; \
+- case "$pattern" in *"*") \
++ -e 's|\.\+.*|*|g' |
++ # These two sorts need to be separate commands
++ sort -u |
++ sort -d |
++ while read pattern ;
++ do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then
++ echo "$pattern";
++ case "$pattern" in *"*")
+ echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};;
+- esac; \
+- fi; \
+- done | \
+- ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -; \
++ esac;
++ fi;
++ done |
++ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -;
+ rm -f ${TEMPFILE} ${PREFCTEMPFILE}
+ fi
+ }
+-- 
+2.44.0
+
diff --git a/SOURCES/0021-restorecond-always-add-0-to-ut_user.patch b/SOURCES/0021-restorecond-always-add-0-to-ut_user.patch
new file mode 100644
index 0000000..3f30001
--- /dev/null
+++ b/SOURCES/0021-restorecond-always-add-0-to-ut_user.patch
@@ -0,0 +1,49 @@
+From 98fd27a995442f413ea606619bca6ffa3ddbbf53 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Mon, 28 Apr 2025 11:07:31 +0200
+Subject: [PATCH] restorecond: always add '\0' to ut_user
+Content-type: text/plain
+
+Fixes:
+ Error: STRING_NULL (CWE-170): [#def5]
+ selinux-3.6/restorecond/utmpwatcher.c:62: string_null_source: Function "fread" does not terminate string "u". [Note: The source code implementation of the function has been overridden by a builtin model.]
+ selinux-3.6/restorecond/utmpwatcher.c:64: string_null: Passing unterminated string "u.ut_user" to "strings_list_add", which expects a null-terminated string.
+ # 62| while (fread(&u, sizeof(struct utmp), 1, cfg) > 0) {
+ # 63| if (u.ut_type == USER_PROCESS)
+ # 64|-> strings_list_add(&utmp_ptr, u.ut_user);
+ # 65| }
+ # 66| fclose(cfg);
+---
+ restorecond/utmpwatcher.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/restorecond/utmpwatcher.c b/restorecond/utmpwatcher.c
+index 8660520370de..c9d666862c11 100644
+--- a/restorecond/utmpwatcher.c
++++ b/restorecond/utmpwatcher.c
+@@ -50,6 +50,8 @@ unsigned int utmpwatcher_handle(int inotify_fd, int wd)
+ int changed = 0;
+ struct utmp u;
+ const char *utmp_path = "/run/utmp";
++ char utmp_user[UT_NAMESIZE + 1];
++
+ struct stringsList *prev_utmp_ptr = utmp_ptr;
+ if (wd != utmp_wd)
+ return -1;
+@@ -60,8 +62,11 @@ unsigned int utmpwatcher_handle(int inotify_fd, int wd)
+ exitApp("Error reading utmp file.");
+ 
+ while (fread(&u, sizeof(struct utmp), 1, cfg) > 0) {
+- if (u.ut_type == USER_PROCESS)
+- strings_list_add(&utmp_ptr, u.ut_user);
++ if (u.ut_type == USER_PROCESS) {
++ strncpy(utmp_user, u.ut_user, UT_NAMESIZE);
++ utmp_user[UT_NAMESIZE] = '\0';
++ strings_list_add(&utmp_ptr, utmp_user);
++ }
+ }
+ fclose(cfg);
+ if (utmp_wd >= 0)
+-- 
+2.49.0
+
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec
index 15daab1..ce9d9f6 100644
--- a/SPECS/policycoreutils.spec
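Review bot: The new `strncpy`/explicit-terminator pair in the `@@ -60,8 +62,11 @@` hunk of utmpwatcher.c carries no comment, so the next reader is likely to collapse it back to passing `u.ut_user` directly and reintroduce the CWE-170 finding quoted in the patch header; add `/* ut_user is UT_NAMESIZE bytes and has no NUL when the name fills the field; copy and terminate before use */` above the `strncpy`. The bounded copy itself is sound: `utmp_user` is `UT_NAMESIZE + 1` bytes, at most `UT_NAMESIZE` bytes are copied, and index `UT_NAMESIZE` is then set to `'\0'`. Because `utmp_user` is a stack buffer overwritten on every loop iteration, the call still presumes `strings_list_add` duplicates its argument rather than retaining the pointer; that was equally true of `u.ut_user` before, so behaviour is unchanged, but the same comment could state it. utmpwatcher_handle begins before and ends after both hunks.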
+++ b/SPECS/policycoreutils.spec
@@ -11,7 +11,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 3.6
-Release: 2.1%{?dist}
+Release: 3%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/selinux-3.6.tar.gz
@@ -55,6 +55,8 @@ Patch0016: 0016-Revert-policycoreutils-Remove-the-Russian-translatio.patch
 Patch0017: 0017-Revert-gui-Remove-the-Russian-translations.patch
 Patch0018: 0018-python-semanage-Allow-modifying-records-on-add.patch
 Patch0019: 0019-python-semanage-Do-not-sort-local-fcontext-definitio.patch
+Patch0020: 0020-fixfiles-drop-unnecessary-line-endings.patch
+Patch0021: 0021-restorecond-always-add-0-to-ut_user.patch
 # Patch list end
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -464,6 +466,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Mon Apr 28 2025 Petr Lautrbach - 3.6-3
+- restorecond: always add '\0' to ut_user
+
 * Mon Feb 19 2024 Petr Lautrbach - 3.6-2.1
 - semanage: Allow modifying records on "add"
 - semanage: Do not sort local fcontext definitions
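Review bot: The `%changelog` entry added for 3.6-3 names only the restorecond fix, while the patch-list hunk in the same change also introduces `Patch0020: 0020-fixfiles-drop-unnecessary-line-endings.patch`; add a second bullet, `- fixfiles: drop unnecessary \ line endings`, so the changelog accounts for every patch the release carries. The restorecond bullet could also say that it resolves a CWE-170 unterminated-string finding, as the patch header does, which helps anyone auditing what this release fixes.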