

10 Commits

openeuler-ci-bot
fdeaf0de39
!78 [sync] PR-77: Change the author's mailbox
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2025-05-07 06:28:07 +00:00
changhan
868210c456 Change the author's mailbox
Signed-off-by: changhan <changhan@xfusion.com>
(cherry picked from commit 6c2d136f1fada3dd3d9c98a6979d97f2d35cdb94)
2025-05-07 11:08:46 +08:00
openeuler-ci-bot
3ae0f4b58c
!72 [sync] PR-70: sync branch patch
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2025-04-24 11:41:45 +00:00
hugel
2ab6ba5221 sync branch patch
(cherry picked from commit ec267f0f28e57f0ac719eba3a42c14233798357b)
2025-04-23 11:12:45 +08:00
openeuler-ci-bot
ef70bf62e6
!58 [sync] PR-55: backport patches from upstream
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2025-03-17 11:10:27 +00:00
hugel
670213ce64 backport patches from upstream
(cherry picked from commit a6c5156e71001ac8cf1b559ce274e5306006cede)
2025-03-17 17:19:28 +08:00
openeuler-ci-bot
ac87612eef
!41 update version to 3.5
From: @zgzxx 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2023-07-20 13:08:50 +00:00
zgzxx
c00d17520d update version to 3.5 2023-07-20 20:31:43 +08:00
openeuler-ci-bot
3a4cded9d6
!36 update version to 3.4
From: @zgzxx 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2023-02-02 06:18:04 +00:00
zgzxx
763110c299 update version to 3.4 2023-01-31 11:03:11 +08:00
18 changed files with 1797 additions and 6 deletions


@ -0,0 +1,44 @@
From 73f958b01aa15c55cd69f188b8a5ed44601ac406 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 11 Nov 2024 15:16:38 +0100
Subject: [PATCH] libsemanage: avoid leak on realloc failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Conflict:NA
Reference:https://github.com/SELinuxProject/selinux/commit/73f958b01aa15c55cd69f188b8a5ed44601ac406
---
src/direct_api.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/direct_api.c b/src/direct_api.c
index ed4343dc..288e491a 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -599,12 +599,16 @@ static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int
while ((read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0) {
data_read_len += read_len;
if (data_read_len == max_len) {
+ char *tmp;
+
max_len *= 2;
- data_read = realloc(data_read, max_len);
- if (data_read == NULL) {
+ tmp = realloc(data_read, max_len);
+ if (tmp == NULL) {
ERR(sh, "Failed to realloc, out of memory.\n");
+ free(data_read);
return -1;
}
+ data_read = tmp;
}
}
--
2.33.0
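Review bot: The growth step `max_len *= 2` just above the new realloc is not guarded against wrap-around, so a size_t already in the top half of its range would request a buffer smaller than the data it holds; this is unreachable for any realistic pipe output, but it is cheap to make explicit with `if (max_len > SIZE_MAX / 2) { ERR(sh, "Buffer too large."); free(data_read); return -1; }` before the doubling. The `tmp` pattern itself is correct and keeps `data_read` valid for the free on failure. read_from_pipe_to_data starts and ends outside this hunk, so whether a negative `read_len` after the loop is reported cannot be seen here.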


@ -0,0 +1,168 @@
From 2cc2d1ed1fa78dfdb879f3c2a0b21fa23eeb2504 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 25 Nov 2024 12:18:36 +0100
Subject: [PATCH] libsemanage: check closing written files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Check that closing a file that has been written to is successful, to
avoid potential unsuccessful writes/syncs.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Conflict:NA
Reference:https://github.com/SELinuxProject/selinux/commit/2cc2d1ed1fa78dfdb879f3c2a0b21fa23eeb2504
---
src/database_file.c | 5 ++++-
src/direct_api.c | 15 +++++++++------
src/genhomedircon.c | 3 ++-
src/semanage_store.c | 18 +++++++++++++-----
4 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/src/database_file.c b/src/database_file.c
index 47814254..214dbe6c 100644
--- a/src/database_file.c
+++ b/src/database_file.c
@@ -149,7 +149,10 @@ static int dbase_file_flush(semanage_handle_t * handle, dbase_file_t * dbase)
}
dbase_llist_set_modified(&dbase->llist, 0);
- fclose(str);
+ if (fclose(str) != 0 && errno != EINTR) {
+ str = NULL;
+ goto err;
+ }
return STATUS_SUCCESS;
err:
diff --git a/src/direct_api.c b/src/direct_api.c
index 0e7ef4da..87c7627d 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -467,7 +467,10 @@ static int write_file(semanage_handle_t * sh,
close(out);
return -1;
}
- close(out);
+ if (close(out) == -1 && errno != EINTR) {
+ ERR(sh, "Error while closing %s.", filename);
+ return -1;
+ }
return 0;
}
@@ -839,7 +842,7 @@ static int semanage_direct_write_langext(semanage_handle_t *sh,
goto cleanup;
}
- if (fclose(fp) != 0) {
+ if (fclose(fp) != 0 && errno != EINTR) {
ERR(sh, "Unable to close %s module ext file.", modinfo->name);
fp = NULL;
ret = -1;
@@ -1216,7 +1219,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
FILE *touch;
touch = fopen(path, "we");
if (touch != NULL) {
- if (fclose(touch) != 0) {
+ if (fclose(touch) != 0 && errno != EINTR) {
ERR(sh, "Error attempting to create disable_dontaudit flag.");
goto cleanup;
}
@@ -1248,7 +1251,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
FILE *touch;
touch = fopen(path, "we");
if (touch != NULL) {
- if (fclose(touch) != 0) {
+ if (fclose(touch) != 0 && errno != EINTR) {
ERR(sh, "Error attempting to create preserve_tunable flag.");
goto cleanup;
}
@@ -2120,7 +2123,7 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh,
ret = fclose(fp);
fp = NULL;
- if (ret != 0) {
+ if (ret != 0 && errno != EINTR) {
ERR(sh,
"Unable to close disabled file for module %s",
modkey->name);
@@ -2321,7 +2324,7 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh,
free(tmp);
tmp = NULL;
- if (fclose(fp) != 0) {
+ if (fclose(fp) != 0 && errno != EINTR) {
fp = NULL;
ERR(sh,
"Unable to close %s module lang ext file.",
diff --git a/src/genhomedircon.c b/src/genhomedircon.c
index 4949bc75..19543799 100644
--- a/src/genhomedircon.c
+++ b/src/genhomedircon.c
@@ -1429,7 +1429,8 @@ int semanage_genhomedircon(semanage_handle_t * sh,
done:
if (out != NULL)
- fclose(out);
+ if (fclose(out) != 0 && errno != EINTR)
+ retval = STATUS_ERR;
while (s.fallback)
pop_user_entry(&(s.fallback));
diff --git a/src/semanage_store.c b/src/semanage_store.c
index cdb495cb..e44efc16 100644
--- a/src/semanage_store.c
+++ b/src/semanage_store.c
@@ -717,7 +717,7 @@ int semanage_copy_file(semanage_handle_t *sh, const char *src, const char *dst,
errsv = errno;
retval = -1;
}
- if (close(out) < 0) {
+ if (close(out) < 0 && errno != EINTR) {
errsv = errno;
retval = -1;
}
@@ -1536,9 +1536,11 @@ int semanage_split_fc(semanage_handle_t * sh)
if (file_con)
fclose(file_con);
if (fc >= 0)
- close(fc);
+ if (close(fc) == -1 && errno != EINTR)
+ retval = -1;
if (hd >= 0)
- close(hd);
+ if (close(hd) == -1 && errno != EINTR)
+ retval = -1;
return retval;
@@ -1732,7 +1734,11 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
close(fd);
return -1;
}
- close(fd);
+ if (close(fd) == -1 && errno != EINTR) {
+ ERR(sh, "Error while closing commit number file %s.",
+ commit_filename);
+ return -1;
+ }
/* sync changes in sandbox to filesystem */
fd = open(sandbox, O_DIRECTORY | O_CLOEXEC);
@@ -2157,7 +2163,9 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out,
cleanup:
if (outfile != NULL) {
- fclose(outfile);
+ if (fclose(outfile) != 0 && errno != EINTR) {
+ retval = STATUS_ERR;
+ }
}
umask(mask);
sepol_policy_file_free(pf);
--
2.33.0
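Review bot: Treating EINTR as success in the new `fclose()` checks (database_file.c, direct_api.c, genhomedircon.c, semanage_store.c) undercuts the goal stated in the message: glibc's fclose() flushes the stdio buffer first, and if that underlying write is interrupted the call returns EOF with errno EINTR while the stream is already released and the buffered bytes are gone, yet these branches report success. For close(2) on Linux the descriptor is released even on EINTR, so the exclusion is defensible there, but for the stdio streams I would drop the `&& errno != EINTR`, e.g. `if (fclose(str) != 0) { str = NULL; goto err; }` in dbase_file_flush. The brace-less nested `if (fc >= 0) if (close(fc) == -1 && errno != EINTR) retval = -1;` in semanage_split_fc (and the same shape in semanage_genhomedircon) is a dangling-else trap waiting for the next edit; braces on the outer `if` cost nothing. Every function touched here starts or ends outside its hunk.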


@ -0,0 +1,80 @@
From 50f3cfd27b59f1a5efdf728827974ad02472c0b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 11 Nov 2024 15:16:43 +0100
Subject: [PATCH] libsemanage: check for path formatting failures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Conflict:NA
Reference:https://github.com/SELinuxProject/selinux/commit/50f3cfd27b59f1a5efdf728827974ad02472c0b2
---
src/semanage_store.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/semanage_store.c b/src/semanage_store.c
index 23b91ae2..2cd992eb 100644
--- a/src/semanage_store.c
+++ b/src/semanage_store.c
@@ -798,7 +798,7 @@ static int semanage_copy_dir(const char *src, const char *dst)
* well. Returns 0 on success, -1 on error. */
static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
{
- int i, len = 0, retval = -1;
+ int i, len = 0, rc, retval = -1;
struct stat sb;
struct dirent **names = NULL;
char path[PATH_MAX], path2[PATH_MAX];
@@ -822,13 +822,21 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
}
for (i = 0; i < len; i++) {
- snprintf(path, sizeof(path), "%s/%s", src, names[i]->d_name);
+ rc = snprintf(path, sizeof(path), "%s/%s", src, names[i]->d_name);
+ if (rc < 0 || (size_t)rc >= sizeof(path)) {
+ errno = EOVERFLOW;
+ goto cleanup;
+ }
/* stat() to see if this entry is a file or not since
* d_type isn't set properly on XFS */
if (stat(path, &sb)) {
goto cleanup;
}
- snprintf(path2, sizeof(path2), "%s/%s", dst, names[i]->d_name);
+ rc = snprintf(path2, sizeof(path2), "%s/%s", dst, names[i]->d_name);
+ if (rc < 0 || (size_t)rc >= sizeof(path2)) {
+ errno = EOVERFLOW;
+ goto cleanup;
+ }
if (S_ISDIR(sb.st_mode)) {
mask = umask(0077);
if (mkdir(path2, 0700) == -1 ||
@@ -862,7 +870,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
int semanage_remove_directory(const char *path)
{
struct dirent **namelist = NULL;
- int num_entries, i;
+ int num_entries, i, rc;
if ((num_entries = scandir(path, &namelist, semanage_filename_select,
NULL)) == -1) {
return -1;
@@ -870,7 +878,11 @@ int semanage_remove_directory(const char *path)
for (i = 0; i < num_entries; i++) {
char s[PATH_MAX];
struct stat buf;
- snprintf(s, sizeof(s), "%s/%s", path, namelist[i]->d_name);
+ rc = snprintf(s, sizeof(s), "%s/%s", path, namelist[i]->d_name);
+ if (rc < 0 || (size_t)rc >= sizeof(s)) {
+ errno = EOVERFLOW;
+ return -2;
+ }
if (stat(s, &buf) == -1) {
return -2;
}
--
2.33.0
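Review bot: The new `return -2` in semanage_remove_directory leaves `namelist` and the entries returned by scandir() unfreed; the stat() failure path two lines below already has the same shape, so the leak is pre-existing, but the patch adds a second instance instead of routing both through a cleanup. A minimal fix is `for (; i < num_entries; i++) free(namelist[i]); free(namelist); return -2;`, assuming the loop body (outside the hunk) frees each entry it finishes with. As a style point, `ENAMETOOLONG` is the conventional errno for a path that no longer fits in `PATH_MAX`, whereas `EOVERFLOW` is normally reserved for value conversions. semanage_copy_dir_flags and semanage_remove_directory both extend past their hunks.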


@ -0,0 +1,52 @@
From 7a35e57c64faedbb11a880652604b36dd35afad1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 11 Nov 2024 15:16:30 +0100
Subject: [PATCH] libsemanage: check memory allocations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Conflict:NA
Reference:https://github.com/SELinuxProject/selinux/commit/7a35e57c64faedbb11a880652604b36dd35afad1
---
src/conf-parse.y | 6 ++++++
src/handle.c | 2 ++
2 files changed, 8 insertions(+)
diff --git a/src/conf-parse.y b/src/conf-parse.y
index 2b131eeb..b93080cd 100644
--- a/src/conf-parse.y
+++ b/src/conf-parse.y
@@ -382,6 +382,12 @@ static int semanage_conf_init(semanage_conf_t * conf)
conf->save_previous = 0;
conf->save_linked = 0;
+ if (!conf->store_path ||
+ !conf->store_root_path ||
+ !conf->compiler_directory_path) {
+ return -1;
+ }
+
if ((conf->load_policy =
calloc(1, sizeof(*(current_conf->load_policy)))) == NULL) {
return -1;
diff --git a/src/handle.c b/src/handle.c
index d5baa614..f048f6d7 100644
--- a/src/handle.c
+++ b/src/handle.c
@@ -45,6 +45,8 @@ int semanage_set_root(const char *root)
{
free(private_semanage_root);
private_semanage_root = strdup(root);
+ if (!private_semanage_root)
+ return -1;
return 0;
}
--
2.33.0
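Review bot: In semanage_set_root the old value is freed before strdup() is attempted, so on allocation failure the function returns -1 with `private_semanage_root` already NULL, and any caller that ignores the new return code, or a later reader of the root, sees the root silently unset rather than the previous value. Allocating first and swapping only on success keeps the old root intact: `char *tmp = strdup(root); if (!tmp) return -1; free(private_semanage_root); private_semanage_root = tmp;`. The added check in semanage_conf_init returns -1 with whichever of `store_path`, `store_root_path` and `compiler_directory_path` did allocate still attached to `conf`; whether the caller releases them on this error is outside the hunk and worth confirming.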


@ -0,0 +1,47 @@
From 9b4eff9222b24d4b5f2784db281f4f53019263b0 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 25 Oct 2024 20:32:07 +0200
Subject: [PATCH] libsemanage/direct_api: INTEGER_OVERFLOW read_len = read()
The following statement is always true if read_len is unsigned:
(read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0
Fixes:
Error: INTEGER_OVERFLOW (CWE-190): [#def19] [important]
libsemanage-3.7/src/direct_api.c:598:2: tainted_data_return: Called function "read(fd, data_read + data_read_len, max_len - data_read_len)", and a possible return value may be less than zero.
libsemanage-3.7/src/direct_api.c:598:2: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow.
libsemanage-3.7/src/direct_api.c:599:3: overflow: The expression "data_read_len += read_len" is deemed underflowed because at least one of its arguments has underflowed.
libsemanage-3.7/src/direct_api.c:598:2: overflow: The expression "max_len - data_read_len" is deemed underflowed because at least one of its arguments has underflowed.
libsemanage-3.7/src/direct_api.c:598:2: overflow_sink: "max_len - data_read_len", which might have underflowed, is passed to "read(fd, data_read + data_read_len, max_len - data_read_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
\# 596| }
\# 597|
\# 598|-> while ((read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0) {
\# 599| data_read_len += read_len;
\# 600| if (data_read_len == max_len) {
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Conflict:NA
Reference:https://github.com/SELinuxProject/selinux/commit/9b4eff9222b24d4b5f2784db281f4f53019263b0
---
src/direct_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/direct_api.c b/src/direct_api.c
index d740070d..7631c7bf 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -582,7 +582,7 @@ cleanup:
static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int fd, char **out_data_read, size_t *out_read_len)
{
size_t max_len = initial_len;
- size_t read_len = 0;
+ ssize_t read_len = 0;
size_t data_read_len = 0;
char *data_read = NULL;
--
2.33.0
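Review bot: With `read_len` now signed the loop correctly stops when read() returns -1, but the hunk shows only the declaration; the code after the loop in read_from_pipe_to_data must distinguish that -1 from a normal EOF (`read_len == 0`), otherwise an EINTR or EIO mid-read is reported as a successful, truncated result. If no such check exists, `if (read_len < 0) { ERR(sh, "Failed to read from pipe."); free(data_read); return -1; }` after the loop closes the gap. The function body is outside this hunk, so this cannot be verified here.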


@ -0,0 +1,527 @@
From 4a8407a2ee9cc3b458eb1f71cc3820bce728a5b7 Mon Sep 17 00:00:00 2001
From: Christian Göttsche <cgzones@googlemail.com>
Date: Fri, 18 Apr 2025 16:07:23 +0800
Subject: [PATCH]
libsemanage-drop-duplicate-newlines-and-error-descriptions-in-error-messages
Reference: https://github.com/SELinuxProject/selinux/commit/d3a5ae39bee42eac520a3d07f252251a2167a323
---
src/compressed_file.c | 4 +-
src/database_file.c | 4 +-
src/database_policydb.c | 4 +-
src/direct_api.c | 98 ++++++++++++++++++++---------------------
src/genhomedircon.c | 2 +-
src/handle.c | 2 +-
src/parse_utils.c | 4 +-
src/semanage_store.c | 6 +--
8 files changed, 60 insertions(+), 64 deletions(-)
diff --git a/src/compressed_file.c b/src/compressed_file.c
index d6a8526..3718ad9 100644
--- a/src/compressed_file.c
+++ b/src/compressed_file.c
@@ -174,13 +174,13 @@ int map_compressed_file(semanage_handle_t *sh, const char *path,
fd = open(path, O_RDONLY | O_CLOEXEC);
if (fd == -1) {
- ERR(sh, "Unable to open %s\n", path);
+ ERR(sh, "Unable to open %s.", path);
return -1;
}
file = fdopen(fd, "r");
if (file == NULL) {
- ERR(sh, "Unable to open %s\n", path);
+ ERR(sh, "Unable to open %s.", path);
close(fd);
return -1;
}
diff --git a/src/database_file.c b/src/database_file.c
index 4737d57..0ee5d39 100644
--- a/src/database_file.c
+++ b/src/database_file.c
@@ -130,8 +130,8 @@ static int dbase_file_flush(semanage_handle_t * handle, dbase_file_t * dbase)
str = fopen(fname, "we");
umask(mask);
if (!str) {
- ERR(handle, "could not open %s for writing: %s",
- fname, strerror(errno));
+ ERR(handle, "could not open %s for writing",
+ fname);
goto err;
}
__fsetlocking(str, FSETLOCKING_BYCALLER);
diff --git a/src/database_policydb.c b/src/database_policydb.c
index 079d573..d1472a2 100644
--- a/src/database_policydb.c
+++ b/src/database_policydb.c
@@ -113,8 +113,8 @@ static int dbase_policydb_cache(semanage_handle_t * handle,
* ENOENT is not fatal - we just create an empty policydb */
fp = fopen(fname, "rbe");
if (fp == NULL && errno != ENOENT) {
- ERR(handle, "could not open %s for reading: %s",
- fname, strerror(errno));
+ ERR(handle, "could not open %s for reading",
+ fname);
goto err;
}
diff --git a/src/direct_api.c b/src/direct_api.c
index 9c35bc0..025b26e 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -313,7 +313,7 @@ int semanage_direct_connect(semanage_handle_t * sh)
/* The file does not exist */
sepol_set_disable_dontaudit(sh->sepolh, 0);
} else {
- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ ERR(sh, "Unable to access %s.", path);
goto err;
}
@@ -595,7 +595,7 @@ static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int
}
data_read = malloc(max_len * sizeof(*data_read));
if (data_read == NULL) {
- ERR(sh, "Failed to malloc, out of memory.\n");
+ ERR(sh, "Failed to malloc, out of memory.");
return -1;
}
@@ -607,7 +607,7 @@ static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int
max_len *= 2;
tmp = realloc(data_read, max_len);
if (tmp == NULL) {
- ERR(sh, "Failed to realloc, out of memory.\n");
+ ERR(sh, "Failed to realloc, out of memory.");
free(data_read);
return -1;
}
@@ -649,93 +649,93 @@ static int semanage_pipe_data(semanage_handle_t *sh, char *path, char *in_data,
retval = pipe2(input_fd, O_CLOEXEC);
if (retval == -1) {
- ERR(sh, "Unable to create pipe for input pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to create pipe for input pipe.");
goto cleanup;
}
retval = pipe2(output_fd, O_CLOEXEC);
if (retval == -1) {
- ERR(sh, "Unable to create pipe for output pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to create pipe for output pipe.");
goto cleanup;
}
retval = pipe2(err_fd, O_CLOEXEC);
if (retval == -1) {
- ERR(sh, "Unable to create pipe for error pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to create pipe for error pipe.");
goto cleanup;
}
pid = fork();
if (pid == -1) {
- ERR(sh, "Unable to fork from parent: %s.", strerror(errno));
+ ERR(sh, "Unable to fork from parent.");
retval = -1;
goto cleanup;
} else if (pid == 0) {
retval = dup2(input_fd[PIPE_READ], STDIN_FILENO);
if (retval == -1) {
- ERR(sh, "Unable to dup2 input pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to dup2 input pipe.");
goto cleanup;
}
retval = dup2(output_fd[PIPE_WRITE], STDOUT_FILENO);
if (retval == -1) {
- ERR(sh, "Unable to dup2 output pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to dup2 output pipe.");
goto cleanup;
}
retval = dup2(err_fd[PIPE_WRITE], STDERR_FILENO);
if (retval == -1) {
- ERR(sh, "Unable to dup2 error pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to dup2 error pipe.");
goto cleanup;
}
retval = close(input_fd[PIPE_WRITE]);
if (retval == -1) {
- ERR(sh, "Unable to close input pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to close input pipe.");
goto cleanup;
}
retval = close(output_fd[PIPE_READ]);
if (retval == -1) {
- ERR(sh, "Unable to close output pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to close output pipe.");
goto cleanup;
}
retval = close(err_fd[PIPE_READ]);
if (retval == -1) {
- ERR(sh, "Unable to close error pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to close error pipe.");
goto cleanup;
}
retval = execl(path, path, NULL);
if (retval == -1) {
- ERR(sh, "Unable to execute %s : %s\n", path, strerror(errno));
+ ERR(sh, "Unable to execute %s.", path);
_exit(EXIT_FAILURE);
}
} else {
retval = close(input_fd[PIPE_READ]);
input_fd[PIPE_READ] = -1;
if (retval == -1) {
- ERR(sh, "Unable to close read end of input pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to close read end of input pipe.");
goto cleanup;
}
retval = close(output_fd[PIPE_WRITE]);
output_fd[PIPE_WRITE] = -1;
if (retval == -1) {
- ERR(sh, "Unable to close write end of output pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to close write end of output pipe.");
goto cleanup;
}
retval = close(err_fd[PIPE_WRITE]);
err_fd[PIPE_WRITE] = -1;
if (retval == -1) {
- ERR(sh, "Unable to close write end of error pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to close write end of error pipe.");
goto cleanup;
}
retval = write(input_fd[PIPE_WRITE], in_data, in_data_len);
if (retval == -1) {
- ERR(sh, "Failed to write data to input pipe: %s\n", strerror(errno));
+ ERR(sh, "Failed to write data to input pipe.");
goto cleanup;
}
retval = close(input_fd[PIPE_WRITE]);
input_fd[PIPE_WRITE] = -1;
if (retval == -1) {
- ERR(sh, "Unable to close write end of input pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to close write end of input pipe.");
goto cleanup;
}
@@ -747,7 +747,7 @@ static int semanage_pipe_data(semanage_handle_t *sh, char *path, char *in_data,
retval = close(output_fd[PIPE_READ]);
output_fd[PIPE_READ] = -1;
if (retval == -1) {
- ERR(sh, "Unable to close read end of output pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to close read end of output pipe.");
goto cleanup;
}
@@ -759,7 +759,7 @@ static int semanage_pipe_data(semanage_handle_t *sh, char *path, char *in_data,
retval = close(err_fd[PIPE_READ]);
err_fd[PIPE_READ] = -1;
if (retval == -1) {
- ERR(sh, "Unable to close read end of error pipe: %s\n", strerror(errno));
+ ERR(sh, "Unable to close read end of error pipe.");
goto cleanup;
}
@@ -918,7 +918,7 @@ static int semanage_compile_module(semanage_handle_t *sh,
status = map_compressed_file(sh, hll_path, &hll_contents);
if (status < 0) {
- ERR(sh, "Unable to read file %s\n", hll_path);
+ ERR(sh, "Unable to read file %s.", hll_path);
goto cleanup;
}
@@ -928,16 +928,13 @@ static int semanage_compile_module(semanage_handle_t *sh,
if (err_data_len > 0) {
for (start = end = err_data; end < err_data + err_data_len; end++) {
if (*end == '\n') {
- fprintf(stderr, "%s: ", modinfo->name);
- fwrite(start, 1, end - start + 1, stderr);
+ ERR(sh, "%s: %.*s.", modinfo->name, (int)(end - start + 1), start);
start = end + 1;
}
}
if (end != start) {
- fprintf(stderr, "%s: ", modinfo->name);
- fwrite(start, 1, end - start, stderr);
- fprintf(stderr, "\n");
+ ERR(sh, "%s: %.*s.", modinfo->name, (int)(end - start), start);
}
}
if (status != 0) {
@@ -951,14 +948,14 @@ static int semanage_compile_module(semanage_handle_t *sh,
status = write_compressed_file(sh, cil_path, cil_data, cil_data_len);
if (status == -1) {
- ERR(sh, "Failed to write %s\n", cil_path);
+ ERR(sh, "Failed to write %s.", cil_path);
goto cleanup;
}
if (sh->conf->remove_hll == 1) {
status = unlink(hll_path);
if (status != 0) {
- ERR(sh, "Error while removing HLL file %s: %s", hll_path, strerror(errno));
+ ERR(sh, "Error while removing HLL file %s.", hll_path);
goto cleanup;
}
@@ -1037,8 +1034,7 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh,
unmap_compressed_file(&contents);
continue;
} else if (errno != ENOENT) {
- ERR(sh, "Unable to access %s: %s\n", cil_path,
- strerror(errno));
+ ERR(sh, "Unable to access %s.", cil_path);
return -1; //an error in the "stat" call
}
}
@@ -1063,7 +1059,7 @@ static int semanage_compare_checksum(semanage_handle_t *sh, const char *referenc
fd = open(path, O_RDONLY | O_CLOEXEC);
if (fd == -1) {
if (errno != ENOENT) {
- ERR(sh, "Unable to open %s: %s\n", path, strerror(errno));
+ ERR(sh, "Unable to open %s.", path);
return -1;
}
/* Checksum file not present - force a rebuild. */
@@ -1071,21 +1067,21 @@ static int semanage_compare_checksum(semanage_handle_t *sh, const char *referenc
}
if (fstat(fd, &sb) == -1) {
- ERR(sh, "Unable to stat %s\n", path);
+ ERR(sh, "Unable to stat %s.", path);
retval = -1;
goto out_close;
}
if (sb.st_size != (off_t)CHECKSUM_CONTENT_SIZE) {
/* Incompatible/invalid hash type - just force a rebuild. */
- WARN(sh, "Module checksum invalid - forcing a rebuild\n");
+ WARN(sh, "Module checksum invalid - forcing a rebuild.");
retval = 1;
goto out_close;
}
data = mmap(NULL, CHECKSUM_CONTENT_SIZE, PROT_READ, MAP_PRIVATE, fd, 0);
if (data == MAP_FAILED) {
- ERR(sh, "Unable to mmap %s\n", path);
+ ERR(sh, "Unable to mmap %s.", path);
retval = -1;
goto out_close;
}
@@ -1194,7 +1190,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
/* The file does not exist */
do_rebuild |= (sepol_get_disable_dontaudit(sh->sepolh) == 1);
} else {
- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ ERR(sh, "Unable to access %s.", path);
retval = -1;
goto cleanup;
}
@@ -1225,7 +1221,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
/* The file does not exist */
do_rebuild |= (sepol_get_preserve_tunables(sh->sepolh) == 1);
} else {
- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ ERR(sh, "Unable to access %s.", path);
retval = -1;
goto cleanup;
}
@@ -1261,7 +1257,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
path = semanage_path(SEMANAGE_TMP, semanage_computed_files[i]);
if (stat(path, &sb) != 0) {
if (errno != ENOENT) {
- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ ERR(sh, "Unable to access %s.", path);
retval = -1;
goto cleanup;
}
@@ -1285,7 +1281,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
retval = semanage_compile_hll_modules(sh, modinfos, num_modinfos,
modules_checksum);
if (retval < 0) {
- ERR(sh, "Failed to compile hll files into cil files.\n");
+ ERR(sh, "Failed to compile hll files into cil files.");
goto cleanup;
}
@@ -1298,7 +1294,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
retval = semanage_write_modules_checksum(sh, modules_checksum);
if (retval < 0) {
- ERR(sh, "Failed to write module checksum file.\n");
+ ERR(sh, "Failed to write module checksum file.");
goto cleanup;
}
}
@@ -1419,7 +1415,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
/* The file does not exist */
pseusers->dtable->clear(sh, pseusers->dbase);
} else {
- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ ERR(sh, "Unable to access %s.", path);
retval = -1;
goto cleanup;
}
@@ -1707,13 +1703,13 @@ static int semanage_direct_install_file(semanage_handle_t * sh,
retval = map_compressed_file(sh, install_filename, &contents);
if (retval < 0) {
- ERR(sh, "Unable to read file %s\n", install_filename);
+ ERR(sh, "Unable to read file %s", install_filename);
goto cleanup;
}
path = strdup(install_filename);
if (path == NULL) {
- ERR(sh, "No memory available for strdup.\n");
+ ERR(sh, "No memory available for strdup.");
retval = -1;
goto cleanup;
}
@@ -1754,12 +1750,12 @@ static int semanage_direct_install_file(semanage_handle_t * sh,
if (module_name == NULL) {
module_name = strdup(filename);
if (module_name == NULL) {
- ERR(sh, "No memory available for module_name.\n");
+ ERR(sh, "No memory available for module_name.");
retval = -1;
goto cleanup;
}
} else if (strcmp(module_name, filename) != 0) {
- fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", install_filename, module_name, filename);
+ ERR(sh, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", install_filename, module_name, filename);
}
retval = semanage_direct_install(sh, contents.data, contents.len,
@@ -1800,7 +1796,7 @@ static int semanage_direct_extract(semanage_handle_t * sh,
}
if (stat(module_path, &sb) != 0) {
- ERR(sh, "Unable to access %s: %s\n", module_path, strerror(errno));
+ ERR(sh, "Unable to access %s.", module_path);
rc = -1;
goto cleanup;
}
@@ -1831,7 +1827,7 @@ static int semanage_direct_extract(semanage_handle_t * sh,
if (extract_cil == 1 && strcmp(_modinfo->lang_ext, "cil") && stat(input_file, &sb) != 0) {
if (errno != ENOENT) {
- ERR(sh, "Unable to access %s: %s\n", input_file, strerror(errno));
+ ERR(sh, "Unable to access %s.", input_file);
rc = -1;
goto cleanup;
}
@@ -1996,7 +1992,7 @@ static int semanage_direct_get_enabled(semanage_handle_t *sh,
if (stat(path, &sb) < 0) {
if (errno != ENOENT) {
- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ ERR(sh, "Unable to access %s.", path);
status = -1;
goto cleanup;
}
@@ -2329,7 +2325,7 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh,
/* set enabled/disabled status */
if (stat(fn, &sb) < 0) {
if (errno != ENOENT) {
- ERR(sh, "Unable to access %s: %s\n", fn, strerror(errno));
+ ERR(sh, "Unable to access %s.", fn);
status = -1;
goto cleanup;
}
@@ -2758,7 +2754,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh,
/* validate module info */
ret = semanage_module_info_validate(modinfo);
if (ret != 0) {
- ERR(sh, "%s failed module validation.\n", modinfo->name);
+ ERR(sh, "%s failed module validation.", modinfo->name);
status = -2;
goto cleanup;
}
@@ -2846,7 +2842,7 @@ static int semanage_direct_install_info(semanage_handle_t *sh,
if (stat(path, &sb) == 0) {
ret = unlink(path);
if (ret != 0) {
- ERR(sh, "Error while removing cached CIL file %s: %s", path, strerror(errno));
+ ERR(sh, "Error while removing cached CIL file %s.", path);
status = -3;
goto cleanup;
}
diff --git a/src/genhomedircon.c b/src/genhomedircon.c
index 230015c..9f128d9 100644
--- a/src/genhomedircon.c
+++ b/src/genhomedircon.c
@@ -1105,7 +1105,7 @@ static int get_group_users(genhomedircon_settings_t * s,
goto cleanup;
if (group == NULL) {
- ERR(s->h_semanage, "Can't find group named %s\n", grname);
+ ERR(s->h_semanage, "Can't find group named %s", grname);
goto cleanup;
}
diff --git a/src/handle.c b/src/handle.c
index 710d922..7f99c4e 100644
--- a/src/handle.c
+++ b/src/handle.c
@@ -153,7 +153,7 @@ int semanage_get_hll_compiler_path(semanage_handle_t *sh,
lower_lang_ext = strdup(lang_ext);
if (lower_lang_ext == NULL) {
- ERR(sh, "Could not create copy of lang_ext. Out of memory.\n");
+ ERR(sh, "Could not create copy of lang_ext. Out of memory.");
status = -1;
goto cleanup;
}
diff --git a/src/parse_utils.c b/src/parse_utils.c
index 13837c8..cf7f7df 100644
--- a/src/parse_utils.c
+++ b/src/parse_utils.c
@@ -47,8 +47,8 @@ int parse_open(semanage_handle_t * handle, parse_info_t * info)
info->file_stream = fopen(info->filename, "re");
if (!info->file_stream && (errno != ENOENT)) {
- ERR(handle, "could not open file %s: %s",
- info->filename, strerror(errno));
+ ERR(handle, "could not open file %s.",
+ info->filename);
return STATUS_ERR;
}
if (info->file_stream)
diff --git a/src/semanage_store.c b/src/semanage_store.c
index 69d2f70..8c7bc31 100644
--- a/src/semanage_store.c
+++ b/src/semanage_store.c
@@ -1590,7 +1590,7 @@ static int sefcontext_compile(semanage_handle_t * sh, const char *path) {
if (stat(path, &sb) < 0) {
if (errno != ENOENT) {
- ERR(sh, "Unable to access %s: %s\n", path, strerror(errno));
+ ERR(sh, "Unable to access %s.", path);
return -1;
}
@@ -1777,11 +1777,11 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
/* sync changes in sandbox to filesystem */
fd = open(sandbox, O_DIRECTORY | O_CLOEXEC);
if (fd == -1) {
- ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
+ ERR(sh, "Error while opening %s for syncfs().", sandbox);
return -1;
}
if (syncfs(fd) == -1) {
- ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
+ ERR(sh, "Error while syncing %s to filesystem.", sandbox);
close(fd);
return -1;
}
--
2.33.0
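Review bot: In semanage_compile_module the first new `ERR(sh, "%s: %.*s.", ...)` passes a length of `end - start + 1`, which includes the `'\n'` at `*end` that this commit is trying to stop emitting, so each compiler diagnostic is logged as the text, a newline, then a lone period; the length should be `(int)(end - start)`, matching the second call. The semanage_direct_install_file change at the bottom of direct_api.c turns a stderr warning into an `ERR()` whose text still begins with "Warning:" and still ends in `\n`, which is exactly the duplication the title says it removes — `WARN(sh, "SELinux userspace will refer to the module from %s as %s rather than %s", install_filename, module_name, filename);` fits the rest of the patch. Dropping `strerror(errno)` everywhere assumes the `ERR` macro appends it; that macro is not in this diff, so it is worth confirming, particularly for messages logged after intervening calls that may reset errno. Several enclosing functions extend beyond their hunks.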


@ -0,0 +1,40 @@
From 44f1323941cd3053e2cd5cdd6995667feca5fb52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 11 Nov 2024 15:16:37 +0100
Subject: [PATCH] libsemanage: fix asprintf error branch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The content of the first argument after a failure of asprintf(3) is
undefined and must not be used.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Conflict:NA
Reference:https://github.com/SELinuxProject/selinux/commit/44f1323941cd3053e2cd5cdd6995667feca5fb52
---
src/boolean_record.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/boolean_record.c b/src/boolean_record.c
index 40dc6545..7878b04d 100644
--- a/src/boolean_record.c
+++ b/src/boolean_record.c
@@ -107,8 +107,10 @@ int semanage_bool_set_name(semanage_handle_t * handle,
end++;
*end = '\0';
rc = asprintf(&newroot, "%s%s%s", prefix, olddir, storename);
- if (rc < 0)
+ if (rc < 0) {
+ newroot = NULL;
goto out;
+ }
if (strcmp(oldroot, newroot)) {
rc = selinux_set_policy_root(newroot);
--
2.33.0


@ -0,0 +1,73 @@
From 61856379a15a7ed311a7bc55178407d53e553d3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 11 Nov 2024 15:16:41 +0100
Subject: [PATCH] libsemanage: free ibdev names in
semanage_ibendport_validate_local()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Conflict:NA
Reference:https://github.com/SELinuxProject/selinux/commit/61856379a15a7ed311a7bc55178407d53e553d3a
---
src/ibendports_local.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/ibendports_local.c b/src/ibendports_local.c
index e696fdca..feebfa63 100644
--- a/src/ibendports_local.c
+++ b/src/ibendports_local.c
@@ -80,8 +80,8 @@ int semanage_ibendport_validate_local(semanage_handle_t *handle)
semanage_ibendport_t **ibendports = NULL;
unsigned int nibendports = 0;
unsigned int i = 0, j = 0;
- char *ibdev_name;
- char *ibdev_name2;
+ char *ibdev_name = NULL;
+ char *ibdev_name2 = NULL;
int port;
int port2;
@@ -97,6 +97,8 @@ int semanage_ibendport_validate_local(semanage_handle_t *handle)
while (i < nibendports) {
int stop = 0;
+ free(ibdev_name);
+ ibdev_name = NULL;
if (STATUS_SUCCESS !=
semanage_ibendport_get_ibdev_name(handle,
ibendports[i],
@@ -114,6 +116,8 @@ int semanage_ibendport_validate_local(semanage_handle_t *handle)
if (j == nibendports - 1)
goto next;
j++;
+ free(ibdev_name2);
+ ibdev_name2 = NULL;
if (STATUS_SUCCESS !=
semanage_ibendport_get_ibdev_name(handle,
ibendports[j],
@@ -136,6 +140,8 @@ next:
j = i;
}
+ free(ibdev_name);
+ free(ibdev_name2);
for (i = 0; i < nibendports; i++)
semanage_ibendport_free(ibendports[i]);
free(ibendports);
@@ -145,6 +151,8 @@ err:
ERR(handle, "could not complete ibendports validity check");
invalid:
+ free(ibdev_name);
+ free(ibdev_name2);
for (i = 0; i < nibendports; i++)
semanage_ibendport_free(ibendports[i]);
free(ibendports);
--
2.33.0
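Review bot: The success path and the `invalid:` path now carry the same cleanup sequence (`free(ibdev_name); free(ibdev_name2);`, the `semanage_ibendport_free` loop, `free(ibendports)`), which is exactly how the original leak ended up fixed on one path and not the other. Routing the success path through the shared label with a result variable, e.g. `rc = STATUS_SUCCESS; goto out;`, would keep any future resource released on every exit. The new `free(ibdev_name);` at the top of the loop also deserves a why-comment, e.g. `/* the getter hands back a fresh copy each iteration; release the previous one */`, since the ownership rule (presumably a strdup inside `semanage_ibendport_get_ibdev_name()`) is not visible in this hunk. The function continues outside the hunk.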


@ -0,0 +1,115 @@
From e6d03452223c2404b9cfd04855ac8fca556e409d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 11 Nov 2024 15:16:32 +0100
Subject: [PATCH] libsemanage: free resources on failed connect attempt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case connecting to the semanage database fails, free all already
allocated resources.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Conflict:NA
Reference:https://github.com/SELinuxProject/selinux/commit/e6d03452223c2404b9cfd04855ac8fca556e409d
---
src/database_activedb.c | 3 +++
src/database_file.c | 3 +++
src/database_join.c | 3 +++
src/database_policydb.c | 2 +-
src/direct_api.c | 1 +
src/handle.c | 5 ++---
6 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/database_activedb.c b/src/database_activedb.c
index fa6b6105..e0369963 100644
--- a/src/database_activedb.c
+++ b/src/database_activedb.c
@@ -139,6 +139,9 @@ int dbase_activedb_init(semanage_handle_t * handle,
void dbase_activedb_release(dbase_activedb_t * dbase)
{
+ if (!dbase)
+ return;
+
dbase_llist_drop_cache(&dbase->llist);
free(dbase);
}
diff --git a/src/database_file.c b/src/database_file.c
index a7773fb5..09b32f8f 100644
--- a/src/database_file.c
+++ b/src/database_file.c
@@ -191,6 +191,9 @@ int dbase_file_init(semanage_handle_t * handle,
void dbase_file_release(dbase_file_t * dbase)
{
+ if (!dbase)
+ return;
+
dbase_llist_drop_cache(&dbase->llist);
free(dbase);
}
diff --git a/src/database_join.c b/src/database_join.c
index 2a2008e8..bf260952 100644
--- a/src/database_join.c
+++ b/src/database_join.c
@@ -271,6 +271,9 @@ int dbase_join_init(semanage_handle_t * handle,
void dbase_join_release(dbase_join_t * dbase)
{
+ if (!dbase)
+ return;
+
dbase_llist_drop_cache(&dbase->llist);
free(dbase);
}
diff --git a/src/database_policydb.c b/src/database_policydb.c
index 95418365..54b82958 100644
--- a/src/database_policydb.c
+++ b/src/database_policydb.c
@@ -44,7 +44,7 @@ struct dbase_policydb {
static void dbase_policydb_drop_cache(dbase_policydb_t * dbase)
{
- if (dbase->cache_serial >= 0) {
+ if (dbase && dbase->cache_serial >= 0) {
sepol_policydb_free(dbase->policydb);
dbase->cache_serial = -1;
dbase->modified = 0;
diff --git a/src/direct_api.c b/src/direct_api.c
index 8f8dc0da..ed4343dc 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -321,6 +321,7 @@ int semanage_direct_connect(semanage_handle_t * sh)
err:
ERR(sh, "could not establish direct connection");
+ (void) semanage_direct_disconnect(sh);
return STATUS_ERR;
}
diff --git a/src/handle.c b/src/handle.c
index f048f6d7..9bb84546 100644
--- a/src/handle.c
+++ b/src/handle.c
@@ -361,12 +361,11 @@ int semanage_access_check(semanage_handle_t * sh)
int semanage_disconnect(semanage_handle_t * sh)
{
- assert(sh != NULL && sh->funcs != NULL
- && sh->funcs->disconnect != NULL);
+ assert(sh != NULL);
if (!sh->is_connected) {
return 0;
}
- if (sh->funcs->disconnect(sh) < 0) {
+ if (sh->funcs && sh->funcs->disconnect(sh) < 0) {
return -1;
}
sh->is_in_transaction = 0;
--
2.33.0
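Review bot: The relaxed assert in `semanage_disconnect()` drops the `sh->funcs->disconnect != NULL` guarantee, but the new condition `if (sh->funcs && sh->funcs->disconnect(sh) < 0)` only checks `sh->funcs`, so a handle whose funcs table has a NULL `disconnect` slot would now call through a null pointer where it previously asserted. Make the check match what the assert used to promise: `if (sh->funcs && sh->funcs->disconnect && sh->funcs->disconnect(sh) < 0)`. Separately, the new `(void) semanage_direct_disconnect(sh);` on the `err:` path of `semanage_direct_connect()` runs against a partially initialised handle and only works because the three `dbase_*_release()` functions and `dbase_policydb_drop_cache()` were made NULL-tolerant in the same patch; a comment at the call, `/* partial setup: the release functions tolerate NULL dbases */`, would stop someone removing those guards later. Both connect and disconnect extend outside the hunks.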


@ -0,0 +1,35 @@
From 419a76e65693affcf89746fe9b9ad20c62e541bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 25 Nov 2024 12:18:33 +0100
Subject: [PATCH] libsemanage: handle cil_set_handle_unknown() failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Conflict:Context adaptation
Reference:https://github.com/SELinuxProject/selinux/commit/419a76e65693affcf89746fe9b9ad20c62e541bb
---
src/direct_api.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/direct_api.c b/src/direct_api.c
index 85876676..a271a576 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -1417,7 +1417,9 @@ rebuild:
cil_set_policy_version(cildb, sh->conf->policyvers);
if (sh->conf->handle_unknown != -1) {
- cil_set_handle_unknown(cildb, sh->conf->handle_unknown);
+ retval = cil_set_handle_unknown(cildb, sh->conf->handle_unknown);
+ if (retval < 0)
+ goto cleanup;
}
retval = semanage_load_files(sh, cildb, mod_filenames, num_modinfos);
--
2.33.0
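Review bot: The new failure branch jumps to `cleanup` silently, whereas the surrounding load path reports through `ERR()` on the handle (as the other hunks in this series show), so a rejected `handle_unknown` value reaches `semanage` users only as a generic failure. Add `ERR(sh, "Invalid handle-unknown value %d in semanage.conf.", sh->conf->handle_unknown);` before the `goto cleanup;`; libsepol's CIL logger may print something of its own, but that does not go through the libsemanage callback. Whether `cleanup` maps a negative `retval` onto the function's return convention is not visible; the enclosing function begins and ends outside the hunk.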


@ -0,0 +1,47 @@
From 9bde761fcb912fded145a16de767afe8a8a3977f Mon Sep 17 00:00:00 2001
From: Christian Göttsche <cgzones@googlemail.com>
Date: Fri, 18 Apr 2025 11:47:37 +0800
Subject: [PATCH] libsemanage-handle-shell-allocation-failure
Reference:https://github.com/SELinuxProject/selinux/commit/dcd755abdde87abdbb43855b7b1bc28d56a21c51
---
src/genhomedircon.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/genhomedircon.c b/src/genhomedircon.c
index b35d7ba..230015c 100644
--- a/src/genhomedircon.c
+++ b/src/genhomedircon.c
@@ -228,7 +228,7 @@ static semanage_list_t *get_shell_list(void)
free(temp);
semanage_list_destroy(&list);
fclose(shells);
- return default_shell_list();
+ return NULL;
}
}
}
@@ -333,14 +333,18 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
return homedir_list;
shells = get_shell_list();
- assert(shells);
+ if (!shells) {
+ ERR(s->h_semanage, "Allocation failure!");
+ goto fail;
+ }
path = semanage_findval(PATH_ETC_LOGIN_DEFS, "UID_MIN", NULL);
if (path && *path) {
temp = atoi(path);
minuid = temp;
minuid_set = 1;
}
+
free(path);
path = NULL;
--
2.33.0
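Review bot: `get_shell_list()` now has two distinct failure behaviours — NULL for a `semanage_list_push()` failure, but still `default_shell_list()` when `/etc/shells` cannot be opened (that branch is visible in the O_CLOEXEC patch of this series) — and neither is documented, so the caller's `"Allocation failure!"` message is only correct by inference. Add a contract comment on the function: `/* Returns the shells from /etc/shells, the built-in defaults if the file is unreadable, or NULL on allocation failure. */`. The hunk that only inserts a blank line after the `UID_MIN` block is unrelated whitespace and should not be in a backport. Also the patch header is not the upstream commit: `From 9bde761f…` with an April 2025 date and no message body or `Signed-off-by:`, while `Reference:` names dcd755ab…; regenerating with `git format-patch` of the referenced commit keeps authorship traceable.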


@ -0,0 +1,55 @@
From 267d4f9bf5bce81eaaf2192ea297db0fadc173b9 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Mon, 11 Nov 2024 13:32:50 +0100
Subject: [PATCH] libsemanage: open lock_file with O_RDWR
man 2 flock:
Since Linux 2.6.12, NFS clients support flock() locks by emulating
them as fcntl(2) byte-range locks on the entire file. This means
that fcntl(2) and flock() locks do interact with one another
over NFS. It also means that in order to place an exclusive lock,
the file must be opened for writing.
Fixes:
# semanage fcontext -d -e /home /tmp/testdir
libsemanage.semanage_get_lock: Error obtaining direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. (Bad file descriptor).
OSError: Bad file descriptor
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Conflict:NA
Reference:https://github.com/SELinuxProject/selinux/commit/267d4f9bf5bce81eaaf2192ea297db0fadc173b9
---
src/semanage_store.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/src/semanage_store.c b/src/semanage_store.c
index 0ac2e5b2..c26f5667 100644
--- a/src/semanage_store.c
+++ b/src/semanage_store.c
@@ -1899,14 +1899,12 @@ static int semanage_get_lock(semanage_handle_t * sh,
struct timeval origtime, curtime;
int got_lock = 0;
- if ((fd = open(lock_file, O_RDONLY)) == -1) {
- if ((fd =
- open(lock_file, O_RDWR | O_CREAT | O_TRUNC,
- S_IRUSR | S_IWUSR)) == -1) {
- ERR(sh, "Could not open direct %s at %s.", lock_name,
- lock_file);
- return -1;
- }
+ if ((fd =
+ open(lock_file, O_RDWR | O_CREAT | O_TRUNC,
+ S_IRUSR | S_IWUSR)) == -1) {
+ ERR(sh, "Could not open direct %s at %s.", lock_name,
+ lock_file);
+ return -1;
}
if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
ERR(sh, "Could not set close-on-exec for %s at %s.", lock_name,
--
2.33.0
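Review bot: Every lock acquisition now opens the lock file with `O_TRUNC`, whereas before truncation happened only on the create path after the read-only open failed; for an empty lock file that is harmless to a holder of the lock, but it turns each attempt into a write (mtime update, an NFS SETATTR) and is not needed for the flock(2) requirement quoted in the commit message. `O_RDWR | O_CREAT` alone satisfies it. The `fcntl(fd, F_SETFD, FD_CLOEXEC)` that follows leaves a window between `open()` and `fcntl()` in which a concurrently forked child inherits the descriptor; the later patch in this series adds `O_CLOEXEC` to this very `open()`, at which point the fcntl call becomes redundant and could be dropped. `semanage_get_lock()` continues outside the hunk.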


@ -0,0 +1,41 @@
From 22e2743d22ed6159feee1831046872641cd5ad0c Mon Sep 17 00:00:00 2001
From: Christian Göttsche <cgzones@googlemail.com>
Date: Fri, 18 Apr 2025 17:18:02 +0800
Subject: [PATCH] libsemanage-optimize-policy-by-default
Reference:https://github.com/SELinuxProject/selinux/commit/66da657a094a725d5f9d8e2441410afaa44bb7f3
---
man/man5/semanage.conf.5 | 2 +-
src/conf-parse.y | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/man/man5/semanage.conf.5 b/man/man5/semanage.conf.5
index 380b58b..b043fe5 100644
--- a/man/man5/semanage.conf.5
+++ b/man/man5/semanage.conf.5
@@ -124,7 +124,7 @@ In order to compile the original HLL file into CIL, the same HLL file will need
.TP
.B optimize-policy
When set to "true", the kernel policy will be optimized upon rebuilds.
-It can be set to either "true" or "false" and by default it is set to "false".
+It can be set to either "true" or "false" and by default it is set to "true".
.SH "SEE ALSO"
.TP
diff --git a/src/conf-parse.y b/src/conf-parse.y
index 343fbf8..12f94b7 100644
--- a/src/conf-parse.y
+++ b/src/conf-parse.y
@@ -364,7 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
conf->bzip_small = 0;
conf->ignore_module_cache = 0;
conf->remove_hll = 0;
- conf->optimize_policy = 0;
+ conf->optimize_policy = 1;
conf->save_previous = 0;
conf->save_linked = 0;
--
2.33.0
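Review bot: `conf->optimize_policy = 1;` changes the kernel policy produced on the next rebuild of every existing store, which is a behaviour change rather than a bug fix, yet the patch carries no rationale — the upstream message is replaced by a bare `Reference:` line. Keep the upstream commit text so the reason is recorded, and check that the packaged `semanage.conf` (Source1 in the spec) does not still describe the old default, since only the man page is updated here. The header is also inconsistent with the reference: `From 22e2743d…` with an April 2025 date does not match the cited upstream commit 66da657a…, so regenerate with `git format-patch` to keep authorship and date traceable.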


@ -0,0 +1,364 @@
From f1eb41d1061b0aafce406ac6e2352de149d4e641 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 25 Nov 2024 12:18:32 +0100
Subject: [PATCH] libsemanage: set O_CLOEXEC flag for file descriptors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Close internal managed file descriptors in case of an concurrent execve.
Also avoid leaking file descriptors in get_shell_list().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Conflict:Context adaptation in compressed_file.c, database_policydb.c and semanage_store.c.
There is no semanage_setfiles() function.
Reference:https://github.com/SELinuxProject/selinux/commit/f1eb41d1061b0aafce406ac6e2352de149d4e641
---
src/compressed_file.c | 4 ++--
src/conf-parse.y | 2 +-
src/database_file.c | 2 +-
src/database_policydb.c | 2 +-
src/direct_api.c | 20 ++++++++++----------
src/genhomedircon.c | 8 +++++---
src/parse_utils.c | 2 +-
src/semanage_store.c | 24 ++++++++++++------------
src/utilities.c | 2 +-
9 files changed, 34 insertions(+), 32 deletions(-)
diff --git a/src/compressed_file.c b/src/compressed_file.c
index e62d2a18..e4a1efb0 100644
--- a/src/compressed_file.c
+++ b/src/compressed_file.c
@@ -48,7 +48,7 @@ static int bzip(semanage_handle_t *sh, const char *filename, void *data,
size_t len = 0;
FILE *f;
- if ((f = fopen(filename, "wb")) == NULL) {
+ if ((f = fopen(filename, "wbe")) == NULL) {
return -1;
}
@@ -177,7 +177,7 @@ int map_compressed_file(semanage_handle_t *sh, const char *path,
int ret = 0, fd = -1;
FILE *file = NULL;
- fd = open(path, O_RDONLY);
+ fd = open(path, O_RDONLY | O_CLOEXEC);
if (fd == -1) {
ERR(sh, "Unable to open %s\n", path);
return -1;
diff --git a/src/conf-parse.y b/src/conf-parse.y
index d6481359..b2b84892 100644
--- a/src/conf-parse.y
+++ b/src/conf-parse.y
@@ -468,7 +468,7 @@ semanage_conf_t *semanage_conf_parse(const char *config_filename)
if (semanage_conf_init(current_conf) == -1) {
goto cleanup;
}
- if ((semanage_in = fopen(config_filename, "r")) == NULL) {
+ if ((semanage_in = fopen(config_filename, "re")) == NULL) {
/* configuration file does not exist or could not be
* read. THIS IS NOT AN ERROR. just rely on the
* defaults. */
diff --git a/src/database_file.c b/src/database_file.c
index 42e308d5..a54c5aee 100644
--- a/src/database_file.c
+++ b/src/database_file.c
@@ -127,7 +127,7 @@ static int dbase_file_flush(semanage_handle_t * handle, dbase_file_t * dbase)
fname = dbase->path[handle->is_in_transaction];
mask = umask(0077);
- str = fopen(fname, "w");
+ str = fopen(fname, "we");
umask(mask);
if (!str) {
ERR(handle, "could not open %s for writing: %s",
diff --git a/src/database_policydb.c b/src/database_policydb.c
index da64a3ad..62467d15 100644
--- a/src/database_policydb.c
+++ b/src/database_policydb.c
@@ -111,7 +111,7 @@ static int dbase_policydb_cache(semanage_handle_t * handle,
/* Try opening file
* ENOENT is not fatal - we just create an empty policydb */
- fp = fopen(fname, "rb");
+ fp = fopen(fname, "rbe");
if (fp == NULL && errno != ENOENT) {
ERR(handle, "could not open %s for reading: %s",
fname, strerror(errno));
diff --git a/src/direct_api.c b/src/direct_api.c
index d5299796..85876676 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -457,7 +457,7 @@ static int write_file(semanage_handle_t * sh,
int out;
if ((out =
- open(filename, O_WRONLY | O_CREAT | O_TRUNC,
+ open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
S_IRUSR | S_IWUSR)) == -1) {
ERR(sh, "Could not open %s for writing.", filename);
return -1;
@@ -644,17 +644,17 @@ static int semanage_pipe_data(semanage_handle_t *sh, const char *path, const cha
*/
sigaction(SIGPIPE, &new_signal, &old_signal);
- retval = pipe(input_fd);
+ retval = pipe2(input_fd, O_CLOEXEC);
if (retval == -1) {
ERR(sh, "Unable to create pipe for input pipe: %s\n", strerror(errno));
goto cleanup;
}
- retval = pipe(output_fd);
+ retval = pipe2(output_fd, O_CLOEXEC);
if (retval == -1) {
ERR(sh, "Unable to create pipe for output pipe: %s\n", strerror(errno));
goto cleanup;
}
- retval = pipe(err_fd);
+ retval = pipe2(err_fd, O_CLOEXEC);
if (retval == -1) {
ERR(sh, "Unable to create pipe for error pipe: %s\n", strerror(errno));
goto cleanup;
@@ -826,7 +826,7 @@ static int semanage_direct_write_langext(semanage_handle_t *sh,
goto cleanup;
}
- fp = fopen(fn, "w");
+ fp = fopen(fn, "we");
if (fp == NULL) {
ERR(sh, "Unable to open %s module ext file.", modinfo->name);
ret = -1;
@@ -1077,7 +1077,7 @@ static int semanage_compare_checksum(semanage_handle_t *sh, const char *referenc
int fd, retval;
char *data;
- fd = open(path, O_RDONLY);
+ fd = open(path, O_RDONLY | O_CLOEXEC);
if (fd == -1) {
if (errno != ENOENT) {
ERR(sh, "Unable to open %s: %s\n", path, strerror(errno));
@@ -1218,7 +1218,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
}
if (sepol_get_disable_dontaudit(sh->sepolh) == 1) {
FILE *touch;
- touch = fopen(path, "w");
+ touch = fopen(path, "we");
if (touch != NULL) {
if (fclose(touch) != 0) {
ERR(sh, "Error attempting to create disable_dontaudit flag.");
@@ -1250,7 +1250,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
if (sepol_get_preserve_tunables(sh->sepolh) == 1) {
FILE *touch;
- touch = fopen(path, "w");
+ touch = fopen(path, "we");
if (touch != NULL) {
if (fclose(touch) != 0) {
ERR(sh, "Error attempting to create preserve_tunable flag.");
@@ -2109,7 +2109,7 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh,
switch (enabled) {
case 0: /* disable the module */
mask = umask(0077);
- fp = fopen(fn, "w");
+ fp = fopen(fn, "we");
umask(mask);
if (fp == NULL) {
@@ -2296,7 +2296,7 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh,
goto cleanup;
}
- fp = fopen(fn, "r");
+ fp = fopen(fn, "re");
if (fp == NULL) {
ERR(sh,
diff --git a/src/genhomedircon.c b/src/genhomedircon.c
index fd2f8a89..53673645 100644
--- a/src/genhomedircon.c
+++ b/src/genhomedircon.c
@@ -218,7 +218,7 @@ static semanage_list_t *get_shell_list(void)
size_t buff_len = 0;
ssize_t len;
- shells = fopen(PATH_SHELLS_FILE, "r");
+ shells = fopen(PATH_SHELLS_FILE, "re");
if (!shells)
return default_shell_list();
while ((len = getline(&temp, &buff_len, shells)) > 0) {
@@ -227,11 +227,13 @@ static semanage_list_t *get_shell_list(void)
if (semanage_list_push(&list, temp)) {
free(temp);
semanage_list_destroy(&list);
+ fclose(shells);
return default_shell_list();
}
}
}
free(temp);
+ fclose(shells);
return list;
}
@@ -503,7 +505,7 @@ static semanage_list_t *make_template(genhomedircon_settings_t * s,
FILE *template_file = NULL;
semanage_list_t *template_data = NULL;
- template_file = fopen(s->homedir_template_path, "r");
+ template_file = fopen(s->homedir_template_path, "re");
if (!template_file)
return NULL;
template_data = semanage_slurp_file_filter(template_file, pred);
@@ -1413,7 +1415,7 @@ int semanage_genhomedircon(semanage_handle_t * sh,
s.h_semanage = sh;
s.policydb = policydb;
- if (!(out = fopen(s.fcfilepath, "w"))) {
+ if (!(out = fopen(s.fcfilepath, "we"))) {
/* couldn't open output file */
ERR(sh, "Could not open the file_context file for writing");
retval = STATUS_ERR;
diff --git a/src/parse_utils.c b/src/parse_utils.c
index 2f33f629..d1d6e930 100644
--- a/src/parse_utils.c
+++ b/src/parse_utils.c
@@ -45,7 +45,7 @@ void parse_release(parse_info_t * info)
int parse_open(semanage_handle_t * handle, parse_info_t * info)
{
- info->file_stream = fopen(info->filename, "r");
+ info->file_stream = fopen(info->filename, "re");
if (!info->file_stream && (errno != ENOENT)) {
ERR(handle, "could not open file %s: %s",
info->filename, strerror(errno));
diff --git a/src/semanage_store.c b/src/semanage_store.c
index 5cd2d219..d75aab68 100644
--- a/src/semanage_store.c
+++ b/src/semanage_store.c
@@ -585,7 +585,7 @@ int semanage_create_store(semanage_handle_t * sh, int create)
if (stat(path, &sb) == -1) {
if (errno == ENOENT && create) {
mask = umask(0077);
- if ((fd = creat(path, S_IRUSR | S_IWUSR)) == -1) {
+ if ((fd = open(path, O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR)) == -1) {
umask(mask);
ERR(sh, "Could not create lock file at %s.",
path);
@@ -682,7 +682,7 @@ int semanage_copy_file(semanage_handle_t *sh, const char *src, const char *dst,
if (n < 0 || n >= PATH_MAX)
return -1;
- if ((in = open(src, O_RDONLY)) == -1) {
+ if ((in = open(src, O_RDONLY | O_CLOEXEC)) == -1) {
return -1;
}
@@ -690,7 +690,7 @@ int semanage_copy_file(semanage_handle_t *sh, const char *src, const char *dst,
mode = S_IRUSR | S_IWUSR;
mask = umask(0);
- if ((out = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, mode)) == -1) {
+ if ((out = open(tmp, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, mode)) == -1) {
umask(mask);
errsv = errno;
close(in);
@@ -1489,7 +1489,7 @@ int semanage_split_fc(semanage_handle_t * sh)
char buf[PATH_MAX] = { 0 };
/* I use fopen here instead of open so that I can use fgets which only reads a single line */
- file_con = fopen(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL), "r");
+ file_con = fopen(semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL), "re");
if (!file_con) {
ERR(sh, "Could not open %s for reading.",
semanage_path(SEMANAGE_TMP, SEMANAGE_FC_TMPL));
@@ -1497,14 +1497,14 @@ int semanage_split_fc(semanage_handle_t * sh)
}
fc = open(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
- O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
+ O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR);
if (fc < 0) {
ERR(sh, "Could not open %s for writing.",
semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC));
goto cleanup;
}
hd = open(semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL),
- O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
+ O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR);
if (hd < 0) {
ERR(sh, "Could not open %s for writing.",
semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL));
@@ -1719,7 +1719,7 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
memset(write_buf, 0, sizeof(write_buf));
snprintf(write_buf, sizeof(write_buf), "%d", commit_number);
if ((fd =
- open(commit_filename, O_WRONLY | O_CREAT | O_TRUNC,
+ open(commit_filename, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
S_IRUSR | S_IWUSR)) == -1) {
ERR(sh, "Could not open commit number file %s for writing.",
commit_filename);
@@ -1735,7 +1735,7 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
close(fd);
/* sync changes in sandbox to filesystem */
- fd = open(sandbox, O_DIRECTORY);
+ fd = open(sandbox, O_DIRECTORY | O_CLOEXEC);
if (fd == -1) {
ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
return -1;
@@ -1869,7 +1869,7 @@ static int semanage_get_lock(semanage_handle_t * sh,
int got_lock = 0;
if ((fd =
- open(lock_file, O_RDWR | O_CREAT | O_TRUNC,
+ open(lock_file, O_RDWR | O_CREAT | O_TRUNC | O_CLOEXEC,
S_IRUSR | S_IWUSR)) == -1) {
ERR(sh, "Could not open direct %s at %s.", lock_name,
lock_file);
@@ -2013,7 +2013,7 @@ int semanage_direct_get_serial(semanage_handle_t * sh)
semanage_path(SEMANAGE_ACTIVE, SEMANAGE_COMMIT_NUM_FILE);
}
- if ((fd = open(commit_filename, O_RDONLY)) == -1) {
+ if ((fd = open(commit_filename, O_RDONLY | O_CLOEXEC)) == -1) {
if (errno == ENOENT) {
/* the commit number file does not exist yet,
* so assume that the number is 0 */
@@ -2093,7 +2093,7 @@ int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in,
semanage_path(SEMANAGE_ACTIVE, file)) == NULL) {
goto cleanup;
}
- if ((infile = fopen(kernel_filename, "r")) == NULL) {
+ if ((infile = fopen(kernel_filename, "re")) == NULL) {
ERR(sh, "Could not open kernel policy %s for reading.",
kernel_filename);
goto cleanup;
@@ -2136,7 +2136,7 @@ int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out,
semanage_path(SEMANAGE_TMP, file)) == NULL) {
goto cleanup;
}
- if ((outfile = fopen(kernel_filename, "wb")) == NULL) {
+ if ((outfile = fopen(kernel_filename, "wbe")) == NULL) {
ERR(sh, "Could not open kernel policy %s for writing.",
kernel_filename);
goto cleanup;
diff --git a/src/utilities.c b/src/utilities.c
index 77b948fa..70b5b677 100644
--- a/src/utilities.c
+++ b/src/utilities.c
@@ -38,7 +38,7 @@ char *semanage_findval(const char *file, const char *var, const char *delim)
assert(file);
assert(var);
- if ((fd = fopen(file, "r")) == NULL)
+ if ((fd = fopen(file, "re")) == NULL)
return NULL;
while (getline(&buff, &buff_len, fd) > 0) {
--
2.33.0
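Review bot: With `O_CLOEXEC` now on the `open(lock_file, …)` in `semanage_get_lock()`, the `fcntl(fd, F_SETFD, FD_CLOEXEC)` that follows it (visible in the O_RDWR patch of this series) is redundant and its error branch dead; drop it here so the function has a single close-on-exec mechanism. In `semanage_pipe_data()`, `pipe2(…, O_CLOEXEC)` is only safe if the child redirects the pipe ends with `dup2()`, which clears the flag on the new descriptor, rather than passing the original numbers across `exec`; the fork/exec half of that function is outside the hunk, so confirm and record it: `/* pipe ends are CLOEXEC; the child must dup2() them onto 0/1/2 before exec */`. The `"e"` mode letter on `fopen()` is a glibc/musl extension rather than C11, acceptable for this Linux-only library but worth a one-line note at its first use.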


@ -0,0 +1,63 @@
From 46b6d4593fd0bf3286977a9fe7d48f849524543c Mon Sep 17 00:00:00 2001
From: Christian Göttsche <cgzones@googlemail.com>
Date: Fri, 18 Apr 2025 16:43:48 +0800
Subject: [PATCH] libsemanage-simplify-file-deletion
Reference: https://github.com/SELinuxProject/selinux/commit/d3a5ae39bee42eac520a3d07f252251a2167a323
---
src/direct_api.c | 24 +++++++++---------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/src/direct_api.c b/src/direct_api.c
index 025b26e..03fc6ad 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -2738,7 +2738,6 @@ static int semanage_direct_install_info(semanage_handle_t *sh,
int status = 0;
int ret = 0;
int type;
- struct stat sb;
char path[PATH_MAX];
mode_t mask = umask(0077);
@@ -2839,13 +2838,11 @@ static int semanage_direct_install_info(semanage_handle_t *sh,
goto cleanup;
}
- if (stat(path, &sb) == 0) {
- ret = unlink(path);
- if (ret != 0) {
- ERR(sh, "Error while removing cached CIL file %s.", path);
- status = -3;
- goto cleanup;
- }
+ ret = unlink(path);
+ if (ret != 0 && errno != ENOENT) {
+ ERR(sh, "Error while removing cached CIL file %s.", path);
+ status = -3;
+ goto cleanup;
}
}
@@ -2942,13 +2939,10 @@ static int semanage_direct_remove_key(semanage_handle_t *sh,
goto cleanup;
}
- struct stat sb;
- if (stat(path, &sb) == 0) {
- ret = unlink(path);
- if (ret != 0) {
- status = -1;
- goto cleanup;
- }
+ ret = unlink(path);
+ if (ret != 0 && errno != ENOENT) {
+ status = -1;
+ goto cleanup;
}
}
else {
--
2.33.0
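Review bot: In `semanage_direct_remove_key()` the tolerated `ENOENT` path now leaves `ret == -1` from the failed `unlink()`, whereas the old `stat()` guard never assigned `ret` for a missing file; if `ret` is examined or returned further down (the rest of the function is outside the hunk), a missing cached file would be reported as a failure. Avoid storing a result that is not needed: `if (unlink(path) != 0 && errno != ENOENT) { status = -1; goto cleanup; }`, and the same shape in `semanage_direct_install_info()` for symmetry. Both functions continue beyond the hunks.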


libsemanage-3.5.tar.gz Normal file



@ -1,15 +1,31 @@
%define libsepol_version 3.3-1
%define libselinux_version 3.3-1
%define libsepol_version 3.5-1
%define libselinux_version 3.5-1
Name: libsemanage
Version: 3.3
Release: 3
Version: 3.5
Release: 7
License: LGPLv2+
Summary: SELinux binary policy manipulation library
URL: https://github.com/SELinuxProject/selinux/wiki
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libsemanage-%{version}.tar.gz
Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libsemanage-%{version}.tar.gz
Source1: semanage.conf
Patch6000: backport-libsemanage-direct_api-INTEGER_OVERFLOW-read_len-rea.patch
Patch6001: backport-libsemanage-open-lock_file-with-O_RDWR.patch
Patch6002: backport-libsemanage-check-memory-allocations.patch
Patch6003: backport-libsemanage-free-resources-on-failed-connect-attempt.patch
Patch6004: backport-libsemanage-fix-asprintf-error-branch.patch
Patch6005: backport-libsemanage-avoid-leak-on-realloc-failure.patch
Patch6006: backport-libsemanage-free-ibdev-names-in-semanage_ibendport_v.patch
Patch6007: backport-libsemanage-check-for-path-formatting-failures.patch
Patch6008: backport-libsemanage-set-O_CLOEXEC-flag-for-file-descriptors.patch
Patch6009: backport-libsemanage-check-closing-written-files.patch
Patch6010: backport-libsemanage-handle-cil_set_handle_unknown-failure.patch
Patch6011: backport-libsemanage-handle-shell-allocation-failure.patch
Patch6012: backport-libsemanage-drop-duplicate-newlines-and-error-descriptions-in-error-messages.patch
Patch6013: backport-libsemanage-simplify-file-deletion.patch
Patch6014: backport-libsemanage-optimize-policy-by-default.patch
Patch9000: fix-test-failure-with-secilc.patch
BuildRequires: gcc python3-devel bison flex bzip2-devel audit-libs-devel
@ -76,7 +92,7 @@ ln -sf %{_libdir}/libsemanage.so.2 %{buildroot}/%{_libdir}/libsemanage.so
make test
%files
%license COPYING
%license LICENSE
%dir %{_sysconfdir}/selinux
%config(noreplace) %{_sysconfdir}/selinux/semanage.conf
%{_libdir}/libsemanage.so.*
@ -104,6 +120,30 @@ make test
%changelog
* Mon Apr 28 2025 changhan <changhan@xfusion.com> - 3.5-7
- Change the author's mailbox
* Sun Apr 20 2025 changhan <changhan@xfusion.com> - 3.5-6
- backport libsemanage: optimize policy by default
* Sat Apr 19 2025 changhan <changhan@xfusion.com> - 3.5-5
- backport libsemanage: simplify file deletion
* Fri Apr 18 2025 changhan <changhan@xfusion.com> - 3.5-4
- backport libsemanage: drop duplicate newlines and error descriptions in error messages
* Fri Apr 18 2025 changhan <changhan@xfusion.com> - 3.5-3
- backport libsemanage: handle shell allocation failure
* Mon Mar 17 2025 hugel<gengqihu2@h-partners.com> - 3.5-2
- backport patches from upstream
* Mon Jul 17 2023 zhangguangzhi<zhangguangzhi3@huawei.com> - 3.5-1
- update version to 3.5
* Mon Jan 30 2023 zhangguangzhi<zhangguangzhi3@huawei.com> - 3.4-1
- update version to 3.4
* Fri Mar 18 2022 panxiaohe<panxh.life@foxmail.com> - 3.3-3
- delete useless old version dynamic library