update version to 3.5

zgzxx 2023-07-17 20:56:07 +08:00
parent 8720438c6a
commit d2d9376398
7 changed files with 7 additions and 239 deletions


@ -1,73 +0,0 @@
From 9229f8b3b7348e4990c8493365d68ff241cfbeb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 26 Jan 2022 15:56:45 +0100
Subject: [PATCH] policycoreutils: handle argument counter of zero
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The number of arguments passed to main(), argc, can be zero if the
pathname passed to execve(2) is NULL, e.g. via:
execve("/path/to/exe", {NULL}, {NULL});
Also avoid NULL pointer dereferences on the argument value.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policycoreutils/run_init/open_init_pty.c | 2 +-
policycoreutils/secon/secon.c | 3 +++
policycoreutils/setfiles/setfiles.c | 6 +++++-
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/run_init/open_init_pty.c b/policycoreutils/run_init/open_init_pty.c
index 150cb45ee..19101c506 100644
--- a/policycoreutils/run_init/open_init_pty.c
+++ b/policycoreutils/run_init/open_init_pty.c
@@ -244,7 +244,7 @@ int main(int argc, char *argv[])
rb_init(&inbuf, inbuf_mem, sizeof(inbuf_mem));
rb_init(&outbuf, outbuf_mem, sizeof(outbuf_mem));
- if (argc == 1) {
+ if (argc < 2) {
printf("usage: %s PROGRAM [ARGS]...\n", argv[0]);
exit(1);
}
diff --git a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c
index a0957d091..d624fa136 100644
--- a/policycoreutils/secon/secon.c
+++ b/policycoreutils/secon/secon.c
@@ -333,6 +333,9 @@ static void cmd_line(int argc, char *argv[])
opts->from_type = OPTS_FROM_CUR;
if (opts->from_type == OPTS_FROM_ARG) {
+ if (!argv[0])
+ errx(EXIT_FAILURE, "No argument given");
+
opts->f.arg = argv[0];
if (xstreq(argv[0], "-"))
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 44cab46d0..ab7016aca 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -163,6 +163,10 @@ int main(int argc, char **argv)
policyfile = NULL;
r_opts.abort_on_error = 0;
+ if (!argv[0]) {
+ fprintf(stderr, "Called without required program name!\n");
+ exit(-1);
+ }
r_opts.progname = strdup(argv[0]);
if (!r_opts.progname) {
fprintf(stderr, "%s: Out of memory!\n", argv[0]);
@@ -423,7 +427,7 @@ int main(int argc, char **argv)
altpath = argv[optind];
optind++;
- } else if (argc == 1)
+ } else if (argc < 2)
usage(argv[0]);
/* Set selabel_open options. */


@ -1,63 +0,0 @@
From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 30 May 2022 14:20:21 +0200
Subject: [PATCH] python: Split "semanage import" into two transactions
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.
Fixes:
# semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
# semanage export | semanage import
ValueError: Port tcp/3024 already defined
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 8f4e44a7..1d828128 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -852,10 +852,29 @@ def handleImport(args):
trans = seobject.semanageRecords(args)
trans.start()
+ deleteCommands = []
+ commands = []
+ # separate commands for deletion from the rest so they can be
+ # applied in a separate transaction
for l in sys.stdin.readlines():
if len(l.strip()) == 0:
continue
+ if "-d" in l or "-D" in l:
+ deleteCommands.append(l)
+ else:
+ commands.append(l)
+
+ if deleteCommands:
+ importHelper(deleteCommands)
+ trans.finish()
+ trans.start()
+
+ importHelper(commands)
+ trans.finish()
+
+def importHelper(commands):
+ for l in commands:
try:
commandParser = createCommandParser()
args = commandParser.parse_args(mkargv(l))
@@ -869,8 +888,6 @@ def handleImport(args):
except KeyboardInterrupt:
sys.exit(0)
- trans.finish()
-
def setupImportParser(subparsers):
importParser = subparsers.add_parser('import', help=_('Import local customizations'))
--
2.23.0


@ -1,48 +0,0 @@
From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 20 May 2022 14:51:07 +0200
Subject: [PATCH] python/audit2allow: close file stream on error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sepolgen-ifgen-attr-helper.c: In function load_policy:
sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE fp [CWE-775] [-Wanalyzer-file-leak]
196 | fprintf(stderr, "Out of memory!\n");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
index 6f3ba962..5e6cffc1 100644
--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename)
policydb = malloc(sizeof(policydb_t));
if (policydb == NULL) {
fprintf(stderr, "Out of memory!\n");
+ fclose(fp);
return NULL;
}
if (policydb_init(policydb)) {
fprintf(stderr, "Out of memory!\n");
free(policydb);
+ fclose(fp);
return NULL;
}
@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename)
fprintf(stderr,
"error(s) encountered while parsing configuration\n");
free(policydb);
+ fclose(fp);
return NULL;
}
--
2.23.0


@ -1,48 +0,0 @@
From 6d02b2fa29954e239721907e1fce238f25ea4f2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 20 May 2022 15:19:52 +0200
Subject: [PATCH] semodule: avoid toctou on output module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Do not check for file existence and open afterwards, open with the
exclusive flag (supported in Glibc and musl 0.9.6 and also standardized
in C11).
Found by GitHub CodeQL.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/semodule/semodule.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 1ed8e690..48bc28dd 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -550,15 +550,12 @@ int main(int argc, char *argv[])
goto cleanup_extract;
}
- if (access(output_path, F_OK) == 0) {
- fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
- result = -1;
- goto cleanup_extract;
- }
-
- output_fd = fopen(output_path, "w");
+ output_fd = fopen(output_path, "wx");
if (output_fd == NULL) {
- fprintf(stderr, "%s: Unable to open %s\n", argv[0], output_path);
+ if (errno == EEXIST)
+ fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
+ else
+ fprintf(stderr, "%s: Unable to open %s: %s\n", argv[0], output_path, strerror(errno));
result = -1;
goto cleanup_extract;
}
--
2.12.3


policycoreutils-3.5.tar.gz Normal file



@ -2,7 +2,7 @@
%bcond_with sandbox
Name: policycoreutils
Version: 3.4
Version: 3.5
Release: 1
Summary: Policy core utilities of selinux
License: GPLv2
@ -16,14 +16,11 @@ Source11: selinux-autorelabel-generator.sh
Patch0: fix-fixfiles-N-date-function.patch
Patch1: fix-fixfiles-N-date-function-two.patch
Patch2: backport-python-Split-semanage-import-into-two-transactions.patch
Patch3: backport-python-audit2allow-close-file-stream-on-error.patch
Patch4: backport-semodule-avoid-toctou-on-output-module.patch
BuildRequires: gcc
BuildRequires: pam-devel libsepol-static >= %{version} libsemanage-static >= %{version} libselinux-devel >= %{version} libcap-devel audit-libs-devel gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel
BuildRequires: systemd systemd-units
BuildRequires: systemd systemd-units python3-pip
Requires: libsepol >= 3.3 libselinux-utils util-linux grep gawk diffutils rpm sed coreutils
Provides: %{name}-restorecond = %{version}-%{release}
@ -174,7 +171,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%files -f %{name}.lang
%license policycoreutils/COPYING
%license policycoreutils/LICENSE
%doc %{_usr}/share/doc/%{name}
%config(noreplace) %{_sysconfdir}/sestatus.conf
%config(noreplace) %{_sysconfdir}/pam.d/newrole
@ -234,7 +231,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%{python3_sitelib}/sepolicy/network.py*
%{python3_sitelib}/sepolicy/transition.py*
%{python3_sitelib}/sepolicy/sedbus.py*
%{python3_sitelib}/sepolicy*.egg-info
%{python3_sitelib}/sepolicy*.dist-info
%{python3_sitelib}/sepolicy/booleans.py*
%{python3_sitelib}/sepolicy/communicate.py*
%{python3_sitelib}/sepolicy/generate.py*
@ -260,6 +257,9 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%{_mandir}/*
%changelog
* Mon Jul 17 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.5-1
- update version to 3.5
* Thu Feb 2 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.4-1
- update version to 3.4
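Review bot: The `@ -16,14 +16,11 @@` hunk removes Patch2, Patch3 and Patch4 (semanage import split, audit2allow fclose, semodule fopen "wx"), which accounts for only three of the four patch files this commit deletes; the 73-line "policycoreutils: handle argument counter of zero" patch has no corresponding Patch line removed anywhere in the visible spec diff, so it is unclear whether it was ever applied or whether its argc/argv[0] checks are present in the 3.5 tarball — please confirm before dropping it. The changelog entry in the last hunk only says "update version to 3.5" and does not record that the backports were dropped; presumably they are included upstream in 3.5, and a second bullet such as `- drop backport patches merged upstream in 3.5` would make that explicit for anyone auditing which fixes the package carries. The spec file itself continues outside the shown hunks, so a Patch line for the fourth patch could in principle exist in an unshown region.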