When a file name in a type transition rule used in an interface is the same as
a keyword, it needs to be M4 escaped so that the keyword is not expanded
by M4, e.g.
- filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interface")
+ filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "``interface''")
But sepolgen-ifgen could not parse such string:
# sepolgen-ifgen
Illegal character '`'
This change allows M4 escaping inside quoted strings and fixes the described
problem.
https://bugzilla.redhat.com/show_bug.cgi?id=2254206
Resolves: RHEL-45544
- use XWayland for X application if it's run in Wayland session
- run Wayland apps directly if it's run in Wayland session
- add sandbox -Y option to run Wayland application
Resolves: RHEL-35984
- python: improve format strings for proper localization
- python: Drop hard formatting from localized strings
- sepolicy: port to dnf4 python API (rhbz#2209404)
Fixes:
$ shellcheck -S warning selinux-autorelabel-generator.sh
In selinux-autorelabel-generator.sh line 22:
source /etc/selinux/config
^------------------------^ SC3046 (warning): In POSIX sh, 'source' in place of '.' is undefined.
For more information:
https://www.shellcheck.net/wiki/SC3046 -- In POSIX sh, 'source' in place of...
https://bugzilla.redhat.com/show_bug.cgi?id=2210593
The project has moved away from dbus-glib in version 3.2[0] and the BR
is not needed at all. Explicitly add the glib2-devel to BR to fix the
build after this change (it got there previously through
dbus-glib-devel).
[0] - 252925ccdf
selinux-autorelabel service can be configured to drop to a shell to allow
the administrator to manually relabel a filesystem, see selinux_config(5). In
this case, the service needs to have a tty attached to stdin. Given that
a tty should not be attached to the service by default, see
https://bugzilla.redhat.com/show_bug.cgi?id=1634661 , the
selinux-autorelabel-generator.sh will configure the service to attach
a tty only if AUTORELABEL=0.
Resolves: rhbz#2165508
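The behaviour described in the two generator changes above (POSIX '.' instead of 'source', and a tty attached only when AUTORELABEL=0), as an added example that is not the shipped selinux-autorelabel-generator.sh. The function name, its arguments and the drop-in file name 10-tty.conf are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; NOT the shipped selinux-autorelabel-generator.sh.
# Assumed names: function name, drop-in file name 10-tty.conf.

# write_autorelabel_dropin CONFIG GENERATOR_DIR
# Prints "tty" when a drop-in attaching a tty was written, else "none".
write_autorelabel_dropin() {
    config=$1
    outdir=$2
    dropin_dir="$outdir/selinux-autorelabel.service.d"

    # '.' searches PATH for names without a slash, so anchor bare names.
    case $config in
        */*) ;;
        *) config=./$config ;;
    esac

    # Source in a subshell so the file's variables do not leak into ours.
    # '.' is the POSIX spelling; 'source' is undefined in POSIX sh (SC3046).
    autorelabel=$(
        AUTORELABEL=
        [ -r "$config" ] && . "$config"
        printf '%s' "$AUTORELABEL"
    ) || autorelabel=

    # Only AUTORELABEL=0 (drop to a shell for manual relabel) needs stdin
    # on a tty; every other value leaves the unit detached from the console.
    if [ "$autorelabel" = "0" ]; then
        mkdir -p "$dropin_dir" || return 1
        printf '[Service]\nStandardInput=tty\n' > "$dropin_dir/10-tty.conf" || return 1
        echo tty
    else
        echo none
    fi
}

# A generator would call it with the directory systemd passes as $1:
#   write_autorelabel_dropin /etc/selinux/config "$1"
```

Because the config file is sourced, it is executed as shell code with the generator's privileges, so it must be writable only by root.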
- gettext: handle unsupported languages properly (#2100378)
- semodule: rename --rebuild-if-modules-changed to --refresh
- python: Split "semanage import" into two transactions (#2063353)
- selinux-autorelabel: Do not force reboot (#2093133)
Forced reboot ends up NOT triggering normal unit shutdown, but only
sends TERM signal, then KILL later. Some processes such as dmeventd
do not quit on receiving TERM signal (protected), which means they
are killed after a long delay by systemd using the KILL signal.
In case the normal reboot doesn't go through, "reboot.target" will be
triggered after a timeout and send the KILL signal anyway.
Resolves: rhbz#2093133