Backport upstream patches

yixiangzhike 2025-03-14 16:19:44 +08:00
parent 2348cc687f
commit e2042de448
10 changed files with 635 additions and 1 deletions


@ -0,0 +1,32 @@
From 45fdf23c7b37cfc776def253c0d5bfa1b0758c24 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Wed, 22 Jan 2025 10:58:27 -0500
Subject: [PATCH] libselinux: Close old selabel handle when setting a new one
In selinux_restorecon_set_sehandle(), close the old selabel handle
(if it exists) before setting the new one.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
---
src/selinux_restorecon.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
index bc6ed935..ab1c5216 100644
--- a/src/selinux_restorecon.c
+++ b/src/selinux_restorecon.c
@@ -1367,6 +1367,10 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
unsigned char *fc_digest;
size_t num_specfiles, fc_digest_len;
+ if (fc_sehandle) {
+ selabel_close(fc_sehandle);
+ }
+
fc_sehandle = hndl;
if (!fc_sehandle)
return;
--
2.33.0
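Review bot: In selinux_restorecon_set_sehandle() the added `selabel_close(fc_sehandle)` runs even when `hndl` is the handle that is already installed, so the following `fc_sehandle = hndl` would keep a pointer that was just closed; guarding it as `if (fc_sehandle && fc_sehandle != hndl)` avoids that. The change also makes the library the owner of the previously set handle, so a caller that still closes its own handle after replacing it would close it twice. That contract deserves a line above the function, e.g. `/* Takes ownership of hndl; the previously set handle is closed here. */`. Callers in the 3.5 tree and in packages built against it are not visible in this hunk and should be checked before the backport ships; the function body continues past the hunk.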


@ -0,0 +1,120 @@
From 6e2f7033406aeccc1fb93e580be8120f113520a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 22 Mar 2024 15:50:19 +0100
Subject: [PATCH] libselinux: avoid logs in get_ordered_context_list() without
policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If no policy has been loaded yet and thus the current context is still
"kernel" avoid logging failures in get_ordered_context_list(), like:
get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/users/root
get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/default_contexts
Move the context parsing from get_context_user() to its caller
get_ordered_context_list(), so an invalid context is not treated as an
get_context_user() failure and not logged.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
src/get_context_list.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/get_context_list.c b/src/get_context_list.c
index 7e23be05..0ad24654 100644
--- a/src/get_context_list.c
+++ b/src/get_context_list.c
@@ -130,7 +130,7 @@ static int is_in_reachable(char **reachable, const char *usercon_str)
}
static int get_context_user(FILE * fp,
- const char * fromcon,
+ context_t fromcon,
const char * user,
char ***reachable,
unsigned int *nreachable)
@@ -146,7 +146,6 @@ static int get_context_user(FILE * fp,
char **new_reachable = NULL;
char *usercon_str;
const char *usercon_str2;
- context_t con;
context_t usercon;
int rc;
@@ -155,14 +154,10 @@ static int get_context_user(FILE * fp,
/* Extract the role and type of the fromcon for matching.
User identity and MLS range can be variable. */
- con = context_new(fromcon);
- if (!con)
- return -1;
- fromrole = context_role_get(con);
- fromtype = context_type_get(con);
- fromlevel = context_range_get(con);
+ fromrole = context_role_get(fromcon);
+ fromtype = context_type_get(fromcon);
+ fromlevel = context_range_get(fromcon);
if (!fromrole || !fromtype) {
- context_free(con);
return -1;
}
@@ -296,7 +291,6 @@ static int get_context_user(FILE * fp,
rc = 0;
out:
- context_free(con);
free(line);
return rc;
}
@@ -418,6 +412,7 @@ int get_ordered_context_list(const char *user,
char *fname = NULL;
size_t fname_len;
const char *user_contexts_path = selinux_user_contexts_path();
+ context_t con = NULL;
if (!fromcon) {
/* Get the current context and use it for the starting context */
@@ -427,6 +422,10 @@ int get_ordered_context_list(const char *user,
fromcon = backup_fromcon;
}
+ con = context_new(fromcon);
+ if (!con)
+ goto failsafe;
+
/* Determine the ordering to apply from the optional per-user config
and from the global config. */
fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@@ -437,7 +436,7 @@ int get_ordered_context_list(const char *user,
fp = fopen(fname, "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ rc = get_context_user(fp, con, user, &reachable, &nreachable);
fclose(fp);
if (rc < 0 && errno != ENOENT) {
@@ -451,7 +450,7 @@ int get_ordered_context_list(const char *user,
fp = fopen(selinux_default_context_path(), "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ rc = get_context_user(fp, con, user, &reachable, &nreachable);
fclose(fp);
if (rc < 0 && errno != ENOENT) {
fprintf(stderr,
@@ -472,6 +471,7 @@ int get_ordered_context_list(const char *user,
else
freeconary(reachable);
+ context_free(con);
freecon(backup_fromcon);
return rc;
--
2.33.0
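Review bot: In get_context_user() the early exit `if (!fromrole || !fromtype) { return -1; }` returns without setting errno, while both call sites in get_ordered_context_list() decide whether to log with `rc < 0 && errno != ENOENT`, so the outcome appears to depend on whatever errno an earlier call left behind. Setting `errno = EINVAL;` before that return would make the callers' test deterministic. With the parsing moved out, get_context_user() now borrows `fromcon` and must not free it; a short comment on the parameter such as `/* fromcon: parsed context, owned by the caller */` would record that. Both functions extend beyond the hunks shown.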


@ -0,0 +1,67 @@
From 2b6f639a5209f70a6c065f57bfd4b2bf3e28dbe4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 29 Apr 2024 18:39:00 +0200
Subject: [PATCH] libselinux: avoid pointer dereference before check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since commit 5876aca0 ("libselinux: free data on selabel open failure")
the close handler of label backends must support partial initialized
state, e.g. ->data being NULL. Thus checks for NULL were added, but in
two cases the pointers in question were already dereferenced before.
Reorder the dereference after the NULL-checks.
Fixes: 5876aca0 ("libselinux: free data on selabel open failure")
Reported-by: Cppcheck
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
src/label_media.c | 4 +++-
src/label_x.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/label_media.c b/src/label_media.c
index 94a58062..852aeada 100644
--- a/src/label_media.c
+++ b/src/label_media.c
@@ -164,12 +164,14 @@ finish:
static void close(struct selabel_handle *rec)
{
struct saved_data *data = (struct saved_data *)rec->data;
- struct spec *spec, *spec_arr = data->spec_arr;
+ struct spec *spec, *spec_arr;
unsigned int i;
if (!data)
return;
+ spec_arr = data->spec_arr;
+
for (i = 0; i < data->nspec; i++) {
spec = &spec_arr[i];
free(spec->key);
diff --git a/src/label_x.c b/src/label_x.c
index f994eefa..a8decc7a 100644
--- a/src/label_x.c
+++ b/src/label_x.c
@@ -191,12 +191,14 @@ finish:
static void close(struct selabel_handle *rec)
{
struct saved_data *data = (struct saved_data *)rec->data;
- struct spec *spec, *spec_arr = data->spec_arr;
+ struct spec *spec, *spec_arr;
unsigned int i;
if (!data)
return;
+ spec_arr = data->spec_arr;
+
for (i = 0; i < data->nspec; i++) {
spec = &spec_arr[i];
free(spec->key);
--
2.33.0


@ -0,0 +1,120 @@
From 5876aca0484f3b45636ef6337f06b914a8769cb4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 13 Mar 2024 12:10:24 +0100
Subject: [PATCH] libselinux: free data on selabel open failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case the init function for a selabel backend fails, free the possible
already allocated data:
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x5e7e2bf001e3 in malloc (/tmp/destdir/usr/sbin/selabel_digest+0xc71e3)
#1 0x7233764baa65 in selabel_media_init /home/christian/Coding/workspaces/selinux/libselinux/src/label_media.c:226:30
#2 0x7233764ac1fe in selabel_open /home/christian/Coding/workspaces/selinux/libselinux/src/label.c:227:6
#3 0x5e7e2bf3ebfc in main /home/christian/Coding/workspaces/selinux/libselinux/utils/selabel_digest.c:125:8
#4 0x7233761856c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
src/label.c | 5 +----
src/label_backends_android.c | 3 +++
src/label_db.c | 3 +++
src/label_file.c | 3 +++
src/label_media.c | 3 +++
src/label_x.c | 3 +++
6 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/label.c b/src/label.c
index d2e703ef..06d743ec 100644
--- a/src/label.c
+++ b/src/label.c
@@ -225,10 +225,7 @@ struct selabel_handle *selabel_open(unsigned int backend,
rec->digest = selabel_is_digest_set(opts, nopts, rec->digest);
if ((*initfuncs[backend])(rec, opts, nopts)) {
- if (rec->digest)
- selabel_digest_fini(rec->digest);
- free(rec->spec_file);
- free(rec);
+ selabel_close(rec);
rec = NULL;
}
diff --git a/src/label_backends_android.c b/src/label_backends_android.c
index 33a17236..49a87686 100644
--- a/src/label_backends_android.c
+++ b/src/label_backends_android.c
@@ -246,6 +246,9 @@ static void closef(struct selabel_handle *rec)
struct spec *spec;
unsigned int i;
+ if (!data)
+ return;
+
for (i = 0; i < data->nspec; i++) {
spec = &data->spec_arr[i];
free(spec->property_key);
diff --git a/src/label_db.c b/src/label_db.c
index 2ff10b2f..40d5fc4a 100644
--- a/src/label_db.c
+++ b/src/label_db.c
@@ -178,6 +178,9 @@ db_close(struct selabel_handle *rec)
spec_t *spec;
unsigned int i;
+ if (!catalog)
+ return;
+
for (i = 0; i < catalog->nspec; i++) {
spec = &catalog->specs[i];
free(spec->key);
diff --git a/src/label_file.c b/src/label_file.c
index 3b2bda97..2732972e 100644
--- a/src/label_file.c
+++ b/src/label_file.c
@@ -904,6 +904,9 @@ static void closef(struct selabel_handle *rec)
struct stem *stem;
unsigned int i;
+ if (!data)
+ return;
+
selabel_subs_fini(data->subs);
selabel_subs_fini(data->dist_subs);
diff --git a/src/label_media.c b/src/label_media.c
index fad5ea6d..94a58062 100644
--- a/src/label_media.c
+++ b/src/label_media.c
@@ -167,6 +167,9 @@ static void close(struct selabel_handle *rec)
struct spec *spec, *spec_arr = data->spec_arr;
unsigned int i;
+ if (!data)
+ return;
+
for (i = 0; i < data->nspec; i++) {
spec = &spec_arr[i];
free(spec->key);
diff --git a/src/label_x.c b/src/label_x.c
index bf569ca5..f994eefa 100644
--- a/src/label_x.c
+++ b/src/label_x.c
@@ -194,6 +194,9 @@ static void close(struct selabel_handle *rec)
struct spec *spec, *spec_arr = data->spec_arr;
unsigned int i;
+ if (!data)
+ return;
+
for (i = 0; i < data->nspec; i++) {
spec = &spec_arr[i];
free(spec->key);
--
2.33.0
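Review bot: The `selabel_close(rec)` call that replaces the explicit cleanup in selabel_open() now runs on a handle whose backend init failed part-way, and nothing in this patch shows that selabel_close() in the 3.5 tree is safe for that state. It has to cover what the removed lines did (`selabel_digest_fini`, `free(rec->spec_file)`, `free(rec)`) and to tolerate `rec->func_close` being unset if an init function can fail before assigning it; both should be confirmed against the packaged source, since selabel_close() is outside the hunk. A one-line comment above the call, e.g. `/* backend close handlers must accept a partially initialised rec */`, would document the requirement that the new NULL checks in the backends rely on.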


@ -0,0 +1,41 @@
From c8b1f5928236e9ed3192a4393cb563cb718ccca4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 29 Apr 2024 18:38:59 +0200
Subject: [PATCH] libselinux: free empty scandir(3) result
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case scandir(3) finds no entries still free the returned result to
avoid leaking it.
Also do not override errno in case of a failure.
Reported.by: Cppcheck
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
src/booleans.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/booleans.c b/src/booleans.c
index c557df65..1ede8e2d 100644
--- a/src/booleans.c
+++ b/src/booleans.c
@@ -53,7 +53,11 @@ int security_get_boolean_names(char ***names, int *len)
snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
*len = scandir(path, &namelist, &filename_select, alphasort);
- if (*len <= 0) {
+ if (*len < 0) {
+ return -1;
+ }
+ if (*len == 0) {
+ free(namelist);
errno = ENOENT;
return -1;
}
--
2.33.0


@ -0,0 +1,40 @@
From f18f9e5ea155015b4b2ad6c9ba6ce5e0e3b30646 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 25 Oct 2024 20:30:14 +0200
Subject: [PATCH] libselinux/matchpathcon: RESOURCE_LEAK: Variable "con"
Fixes:
Error: RESOURCE_LEAK (CWE-772):
libselinux-3.6/src/matchpathcon.c:519: alloc_arg: "lgetfilecon_raw" allocates memory that is stored into "con". [Note: The source code implementation of the function has been overridden by a user model.]
libselinux-3.6/src/matchpathcon.c:528: leaked_storage: Variable "con" going out of scope leaks the storage it points to.
\# 526|
\# 527| if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
\# 528|-> return -1;
\# 529|
\# 530| if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
src/matchpathcon.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/matchpathcon.c b/src/matchpathcon.c
index e44734c3..967520e4 100644
--- a/src/matchpathcon.c
+++ b/src/matchpathcon.c
@@ -524,8 +524,10 @@ int selinux_file_context_verify(const char *path, mode_t mode)
return 0;
}
- if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
+ if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0)){
+ freecon(con);
return -1;
+ }
if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
if (errno != ENOENT)
--
2.33.0


@ -0,0 +1,78 @@
From f398662ea19d2cf6db6cb791e3b787889e5af883 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 9 Jul 2024 21:23:46 +0200
Subject: [PATCH] libselinux: set free'd data to NULL
Fixes segfault in selabel_open() on systems with SELinux disabled and without any
SELinux policy installed introduced by commit 5876aca0484f ("libselinux: free
data on selabel open failure"):
$ sestatus
SELinux status: disabled
$ cat /etc/selinux/config
cat: /etc/selinux/config: No such file or directory
$ matchpathcon /abc
[1] 907999 segmentation fault (core dumped) matchpathcon /abc
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
src/label_backends_android.c | 1 +
src/label_file.c | 1 +
src/label_media.c | 1 +
src/label_x.c | 1 +
4 files changed, 4 insertions(+)
diff --git a/src/label_backends_android.c b/src/label_backends_android.c
index 49a87686..5bad24f2 100644
--- a/src/label_backends_android.c
+++ b/src/label_backends_android.c
@@ -260,6 +260,7 @@ static void closef(struct selabel_handle *rec)
free(data->spec_arr);
free(data);
+ rec->data = NULL;
}
static struct selabel_lookup_rec *property_lookup(struct selabel_handle *rec,
diff --git a/src/label_file.c b/src/label_file.c
index 2732972e..59c9f2ef 100644
--- a/src/label_file.c
+++ b/src/label_file.c
@@ -942,6 +942,7 @@ static void closef(struct selabel_handle *rec)
free(last_area);
}
free(data);
+ rec->data = NULL;
}
// Finds all the matches of |key| in the given context. Returns the result in
diff --git a/src/label_media.c b/src/label_media.c
index 852aeada..bae065c1 100644
--- a/src/label_media.c
+++ b/src/label_media.c
@@ -183,6 +183,7 @@ static void close(struct selabel_handle *rec)
free(spec_arr);
free(data);
+ rec->data = NULL;
}
static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
diff --git a/src/label_x.c b/src/label_x.c
index a8decc7a..ddae4f6c 100644
--- a/src/label_x.c
+++ b/src/label_x.c
@@ -210,6 +210,7 @@ static void close(struct selabel_handle *rec)
free(spec_arr);
free(data);
+ rec->data = NULL;
}
static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
--
2.33.0
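Review bot: The `rec->data = NULL;` reset is added to the close handlers in label_backends_android.c, label_file.c, label_media.c and label_x.c, but db_close() in label_db.c is not touched, although it received the same `if (!catalog) return;` guard in the "free data on selabel open failure" backport. If the db backend's init path can release its catalog and then report failure, selabel_close() would reach db_close() with a stale pointer. That path is not visible here, so it should be checked and, if needed, given the same `rec->data = NULL;` after the final free. Each close function starts above its hunk.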


@ -0,0 +1,92 @@
From 994b9b205e36f3cc849b75f075e057686f3f9cd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 13 Mar 2024 12:10:23 +0100
Subject: [PATCH] libselinux/utils/selabel_digest: avoid buffer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case the specfiles have very long paths or there are too many abort
instead of writing past the stack buffer.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
utils/selabel_digest.c | 45 ++++++++++++++++++++++++-------
1 file changed, 36 insertions(+), 9 deletions(-)
diff --git a/utils/selabel_digest.c b/utils/selabel_digest.c
index db0d443a..64051070 100644
--- a/utils/selabel_digest.c
+++ b/utils/selabel_digest.c
@@ -66,7 +66,7 @@ int main(int argc, char **argv)
char cmd_buf[4096];
char *cmd_ptr;
- char *sha1_buf;
+ char *sha1_buf = NULL;
struct selabel_handle *hnd;
struct selinux_opt selabel_option[] = {
@@ -167,23 +167,50 @@ int main(int argc, char **argv)
printf("calculated using the following specfile(s):\n");
if (specfiles) {
- cmd_ptr = &cmd_buf[0];
- sprintf(cmd_ptr, "/usr/bin/cat ");
- cmd_ptr = &cmd_buf[0] + strlen(cmd_buf);
+ size_t cmd_rem = sizeof(cmd_buf);
+ int ret;
+
+ if (validate) {
+ cmd_ptr = &cmd_buf[0];
+ ret = snprintf(cmd_ptr, cmd_rem, "/usr/bin/cat ");
+ if (ret < 0 || (size_t)ret >= cmd_rem) {
+ fprintf(stderr, "Could not format validate command\n");
+ rc = -1;
+ goto err;
+ }
+ cmd_ptr += ret;
+ cmd_rem -= ret;
+ }
for (i = 0; i < num_specfiles; i++) {
- sprintf(cmd_ptr, "%s ", specfiles[i]);
- cmd_ptr += strlen(specfiles[i]) + 1;
+ if (validate) {
+ ret = snprintf(cmd_ptr, cmd_rem, "%s ", specfiles[i]);
+ if (ret < 0 || (size_t)ret >= cmd_rem) {
+ fprintf(stderr, "Could not format validate command\n");
+ rc = -1;
+ goto err;
+ }
+ cmd_ptr += ret;
+ cmd_rem -= ret;
+ }
+
printf("%s\n", specfiles[i]);
}
- sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
- if (validate)
+ if (validate) {
+ ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha1 -hex");
+ if (ret < 0 || (size_t)ret >= cmd_rem) {
+ fprintf(stderr, "Could not format validate command\n");
+ rc = -1;
+ goto err;
+ }
+
rc = run_check_digest(cmd_buf, sha1_buf);
+ }
}
- free(sha1_buf);
err:
+ free(sha1_buf);
selabel_close(hnd);
return rc;
}
--
2.33.0
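Review bot: The bounded `snprintf` calls stop the write past `cmd_buf`, but each `specfiles[i]` is still interpolated unquoted into the `/usr/bin/cat ... | /usr/bin/openssl dgst -sha1 -hex` string that is handed to run_check_digest(). If that helper passes the string to a shell (its body is outside the hunk), a specfile path containing whitespace or shell metacharacters changes the command that runs. Computing the digest in-process, or spawning the tools with an explicit argv, would remove the dependency on path contents. Short of that, a comment at the loop such as `/* specfile paths come from the policy configuration and are assumed free of shell metacharacters */` would record the assumption. main() begins above the hunks.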


@ -0,0 +1,32 @@
From c774f15a4a726eb57b9815a55980eb81d09ad9c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 13 Mar 2024 12:10:21 +0100
Subject: [PATCH] libselinux/utils/selabel_digest: drop unsupported option -d
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The command line option -d is not supported, drop from usage message.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
utils/selabel_digest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/selabel_digest.c b/utils/selabel_digest.c
index bf22b472..50f55311 100644
--- a/utils/selabel_digest.c
+++ b/utils/selabel_digest.c
@@ -11,7 +11,7 @@ static size_t digest_len;
static __attribute__ ((__noreturn__)) void usage(const char *progname)
{
fprintf(stderr,
- "usage: %s -b backend [-d] [-v] [-B] [-i] [-f file]\n\n"
+ "usage: %s -b backend [-v] [-B] [-i] [-f file]\n\n"
"Where:\n\t"
"-b The backend - \"file\", \"media\", \"x\", \"db\" or "
"\"prop\"\n\t"
--
2.33.0


@ -3,7 +3,7 @@
Name: libselinux
Version: 3.5
Release: 3
Release: 4
License: Public Domain
Summary: SELinux library and simple utilities
Url: https://github.com/SELinuxProject/selinux/wiki
@ -15,6 +15,15 @@ Patch0003: backport-libselinux-enable-usage-with-pedantic-UB-sanitizers.patch
Patch0004: backport-libselinux-reorder-calloc-3-arguments.patch
Patch0005: backport-libselinux-Fix-ordering-of-arguments-to-calloc.patch
Patch0006: backport-libselinux-use-reentrant-strtok_r-3.patch
Patch0007: backport-libselinux-utils-selabel_digest-drop-unsupported-opt.patch
Patch0008: backport-libselinux-utils-selabel_digest-avoid-buffer-overflo.patch
Patch0009: backport-libselinux-free-data-on-selabel-open-failure.patch
Patch0010: backport-libselinux-avoid-logs-in-get_ordered_context_list-wi.patch
Patch0011: backport-libselinux-free-empty-scandir-3-result.patch
Patch0012: backport-libselinux-avoid-pointer-dereference-before-check.patch
Patch0013: backport-libselinux-set-free-d-data-to-NULL.patch
Patch0014: backport-libselinux-matchpathcon-RESOURCE_LEAK-Variable-con.patch
Patch0015: backport-libselinux-Close-old-selabel-handle-when-setting-a-n.patch
Patch9000: do-malloc-trim-after-load-policy.patch
@ -135,6 +144,9 @@ mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
%{_mandir}/ru/man8/*
%changelog
* Fri Mar 14 2025 yixiangzhike <yixiangzhike007@163.com> - 3.5-4
- backport upstream patches
* Mon Mar 25 2024 fuanan <fuanan3@h-partners.com> - 3.5-3
- backport upstream patches