!51 backport patches from upstream

From: @godvi 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-newrole-check-for-crypt-3-failure.patch

@@ -0,0 +1,35 @@
+From 1af808982460ec74a23820dcc4d582bb39e2b223 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 22 Feb 2022 14:51:42 +0100
+Subject: [PATCH] newrole: check for crypt(3) failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Depending on the implementation crypt(3) can fail either by returning
+NULL, or returning a pointer to an invalid hash and setting errno.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ policycoreutils/newrole/newrole.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
+index c99898635..781f99b63 100644
+--- a/policycoreutils/newrole/newrole.c
++++ b/policycoreutils/newrole/newrole.c
+@@ -368,9 +368,14 @@ static int authenticate_via_shadow_passwd(const char *uname)
+ 	}
+ 
+ 	/* Use crypt() to encrypt user's input password. */
++	errno = 0;
+ 	encrypted_password_s = crypt(unencrypted_password_s,
+ 				     p_shadow_line->sp_pwdp);
+ 	memset(unencrypted_password_s, 0, strlen(unencrypted_password_s));
++	if (errno || !encrypted_password_s) {
++		fprintf(stderr, _("Cannot encrypt password.\n"));
++		return 0;
++	}
+ 	return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp));
+ }
+ #endif				/* if/else USE_PAM */

backport-newrole-ensure-password-memory-erasure.patch

@@ -0,0 +1,63 @@
+From c71d14e824e965e42493f5275d90272ab0c6825c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 22 Feb 2022 14:51:43 +0100
+Subject: [PATCH] newrole: ensure password memory erasure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Compiler can optimize calls to memset(3), due to the as-if rule, away if
+the object is not accessed later on.  Use a wrapper using volatile
+pointers to ensure the memory is guaranteed to be erased.  Also erase
+the encrypted password.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ policycoreutils/newrole/newrole.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
+index 781f99b63..ae37d7253 100644
+--- a/policycoreutils/newrole/newrole.c
++++ b/policycoreutils/newrole/newrole.c
+@@ -333,6 +333,14 @@ static int read_pam_config(void)
+ 
+ #define PASSWORD_PROMPT _("Password:")	/* prompt for getpass() */
+ 
++static void memzero(void *ptr, size_t size)
++{
++	volatile unsigned char * volatile p = ptr;
++	while (size--) {
++		*p++ = '\0';
++	}
++}
++
+ /* authenticate_via_shadow_passwd()
+  *
+  * in:     uname - the calling user's user name
+@@ -351,6 +359,7 @@ static int authenticate_via_shadow_passwd(const char *uname)
+ 	struct spwd *p_shadow_line;
+ 	char *unencrypted_password_s;
+ 	char *encrypted_password_s;
++	int ret;
+ 
+ 	setspent();
+ 	p_shadow_line = getspnam(uname);
+@@ -371,12 +380,15 @@ static int authenticate_via_shadow_passwd(const char *uname)
+ 	errno = 0;
+ 	encrypted_password_s = crypt(unencrypted_password_s,
+ 				     p_shadow_line->sp_pwdp);
+-	memset(unencrypted_password_s, 0, strlen(unencrypted_password_s));
++	memzero(unencrypted_password_s, strlen(unencrypted_password_s));
+ 	if (errno || !encrypted_password_s) {
+ 		fprintf(stderr, _("Cannot encrypt password.\n"));
+ 		return 0;
+ 	}
+-	return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp));
++
++	ret = !strcmp(encrypted_password_s, p_shadow_line->sp_pwdp);
++	memzero(encrypted_password_s, strlen(encrypted_password_s));
++	return ret;
+ }
+ #endif				/* if/else USE_PAM */
+ 

backport-policycoreutils-handle-argument-counter-of-zero.patch

@@ -0,0 +1,73 @@
+From 9229f8b3b7348e4990c8493365d68ff241cfbeb7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 26 Jan 2022 15:56:45 +0100
+Subject: [PATCH] policycoreutils: handle argument counter of zero
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The number of arguments passed to main(), argc, can be zero if the
+pathname passed to execve(2) is NULL, e.g. via:
+
+    execve("/path/to/exe", {NULL}, {NULL});
+
+Also avoid NULL pointer dereferences on the argument value.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ policycoreutils/run_init/open_init_pty.c | 2 +-
+ policycoreutils/secon/secon.c            | 3 +++
+ policycoreutils/setfiles/setfiles.c      | 6 +++++-
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/policycoreutils/run_init/open_init_pty.c b/policycoreutils/run_init/open_init_pty.c
+index 150cb45ee..19101c506 100644
+--- a/policycoreutils/run_init/open_init_pty.c
++++ b/policycoreutils/run_init/open_init_pty.c
+@@ -244,7 +244,7 @@ int main(int argc, char *argv[])
+ 	rb_init(&inbuf, inbuf_mem, sizeof(inbuf_mem));
+ 	rb_init(&outbuf, outbuf_mem, sizeof(outbuf_mem));
+ 
+-	if (argc == 1) {
++	if (argc < 2) {
+ 		printf("usage: %s PROGRAM [ARGS]...\n", argv[0]);
+ 		exit(1);
+ 	}
+diff --git a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c
+index a0957d091..d624fa136 100644
+--- a/policycoreutils/secon/secon.c
++++ b/policycoreutils/secon/secon.c
+@@ -333,6 +333,9 @@ static void cmd_line(int argc, char *argv[])
+ 		opts->from_type = OPTS_FROM_CUR;
+ 
+ 	if (opts->from_type == OPTS_FROM_ARG) {
++		if (!argv[0])
++			errx(EXIT_FAILURE, "No argument given");
++
+ 		opts->f.arg = argv[0];
+ 
+ 		if (xstreq(argv[0], "-"))
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index 44cab46d0..ab7016aca 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -163,6 +163,10 @@ int main(int argc, char **argv)
+ 	policyfile = NULL;
+ 
+ 	r_opts.abort_on_error = 0;
++	if (!argv[0]) {
++		fprintf(stderr, "Called without required program name!\n");
++		exit(-1);
++	}
+ 	r_opts.progname = strdup(argv[0]);
+ 	if (!r_opts.progname) {
+ 		fprintf(stderr, "%s:  Out of memory!\n", argv[0]);
+@@ -423,7 +427,7 @@ int main(int argc, char **argv)
+ 
+ 		altpath = argv[optind];
+ 		optind++;
+-	} else if (argc == 1)
++	} else if (argc < 2)
+ 		usage(argv[0]);
+ 
+ 	/* Set selabel_open options. */

backport-python-Split-semanage-import-into-two-transactions.patch

@@ -0,0 +1,63 @@
+From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 30 May 2022 14:20:21 +0200
+Subject: [PATCH] python: Split "semanage import" into two transactions
+
+First transaction applies all deletion operations, so that there are no
+collisions when applying the rest of the changes.
+
+Fixes:
+  # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
+  # semanage export | semanage import
+  ValueError: Port tcp/3024 already defined
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ python/semanage/semanage | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 8f4e44a7..1d828128 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -852,10 +852,29 @@ def handleImport(args):
+     trans = seobject.semanageRecords(args)
+     trans.start()
+ 
++    deleteCommands = []
++    commands = []
++    # separate commands for deletion from the rest so they can be
++    # applied in a separate transaction
+     for l in sys.stdin.readlines():
+         if len(l.strip()) == 0:
+             continue
++        if "-d" in l or "-D" in l:
++            deleteCommands.append(l)
++        else:
++            commands.append(l)
++
++    if deleteCommands:
++        importHelper(deleteCommands)
++        trans.finish()
++        trans.start()
++
++    importHelper(commands)
++    trans.finish()
+ 
++
++def importHelper(commands):
++    for l in commands:
+         try:
+             commandParser = createCommandParser()
+             args = commandParser.parse_args(mkargv(l))
+@@ -869,8 +888,6 @@ def handleImport(args):
+         except KeyboardInterrupt:
+             sys.exit(0)
+ 
+-    trans.finish()
+-
+ 
+ def setupImportParser(subparsers):
+     importParser = subparsers.add_parser('import', help=_('Import local customizations'))
+-- 
+2.23.0

backport-python-audit2allow-close-file-stream-on-error.patch

@@ -0,0 +1,48 @@
+From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 20 May 2022 14:51:07 +0200
+Subject: [PATCH] python/audit2allow: close file stream on error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+    sepolgen-ifgen-attr-helper.c: In function ‘load_policy’:
+    sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak]
+      196 |                 fprintf(stderr, "Out of memory!\n");
+          |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ python/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
+index 6f3ba962..5e6cffc1 100644
+--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
++++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
+@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename)
+ 	policydb = malloc(sizeof(policydb_t));
+ 	if (policydb == NULL) {
+ 		fprintf(stderr, "Out of memory!\n");
++		fclose(fp);
+ 		return NULL;
+ 	}
+ 
+ 	if (policydb_init(policydb)) {
+ 		fprintf(stderr, "Out of memory!\n");
+ 		free(policydb);
++		fclose(fp);
+ 		return NULL;
+ 	}
+ 
+@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename)
+ 		fprintf(stderr,
+ 			"error(s) encountered while parsing configuration\n");
+ 		free(policydb);
++		fclose(fp);
+ 		return NULL;
+ 	}
+ 
+-- 
+2.23.0

backport-semodule_package-Close-leaking-fd.patch

@@ -0,0 +1,24 @@
+From ac16531b5ab6c40bdf5eae91c8cf7ae25355d61a Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 1 Apr 2022 15:35:48 +0200
+Subject: [PATCH] semodule_package: Close leaking fd
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ semodule-utils/semodule_package/semodule_package.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
+index 3515234e..bc8584b5 100644
+--- a/semodule-utils/semodule_package/semodule_package.c
++++ b/semodule-utils/semodule_package/semodule_package.c
+@@ -73,6 +73,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
+ 		goto err;
+ 	}
+ 	if (!sb.st_size) {
++		close(fd);
+ 		*len = 0;
+ 		return 0;
+ 	}
+-- 
+2.23.0

policycoreutils.spec

@@ -3,7 +3,7 @@
 
 Name:      policycoreutils
 Version:   3.3
-Release:   2
+Release:   3
 Summary:   Policy core utilities of selinux
 License:   GPLv2
 URL:       https://github.com/SELinuxProject
@@ -16,6 +16,11 @@ Source11:  selinux-autorelabel-generator.sh
 
 Patch0:    fix-fixfiles-N-date-function.patch
 Patch1:    fix-fixfiles-N-date-function-two.patch 
+Patch2:    backport-newrole-check-for-crypt-3-failure.patch
+Patch3:    backport-newrole-ensure-password-memory-erasure.patch
+Patch4:    backport-semodule_package-Close-leaking-fd.patch
+Patch5:    backport-python-Split-semanage-import-into-two-transactions.patch
+Patch6:    backport-python-audit2allow-close-file-stream-on-error.patch
 
 BuildRequires: gcc
 BuildRequires: pam-devel libsepol-static >= 3.3 libsemanage-static >= 3.3 libselinux-devel >= 3.3  libcap-devel audit-libs-devel  gettext
@@ -256,6 +261,9 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 %{_mandir}/*
 
 %changelog
+* Tue Nov 15 2022 shenxiangwei <shenxiangwei1@huawei.com> - 3.3-3
+- backport patches from upstream
+
 * Thu Jun 30 2022 lujie <lujie54@huawei.com> - 3.3-2
 - update policycoreutils tar.gz