packages/policycoreutils
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update version to 3.4

Browse Source
This commit is contained in:
zgzxx 2023-01-31 10:06:55 +08:00
parent 9d97f5ab49
commit d9793abc88
7 changed files with 15 additions and 136 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
backport-newrole-check-for-crypt-3-failure.patch
View File

@ -1,35 +0,0 @@
From 1af808982460ec74a23820dcc4d582bb39e2b223 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 22 Feb 2022 14:51:42 +0100
Subject: [PATCH] newrole: check for crypt(3) failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Depending on the implementation crypt(3) can fail either by returning
NULL, or returning a pointer to an invalid hash and setting errno.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policycoreutils/newrole/newrole.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index c99898635..781f99b63 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -368,9 +368,14 @@ static int authenticate_via_shadow_passwd(const char *uname)
}
/* Use crypt() to encrypt user's input password. */
+ errno = 0;
encrypted_password_s = crypt(unencrypted_password_s,
p_shadow_line->sp_pwdp);
memset(unencrypted_password_s, 0, strlen(unencrypted_password_s));
+ if (errno || !encrypted_password_s) {
+ fprintf(stderr, _("Cannot encrypt password.\n"));
+ return 0;
+ }
return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp));
}
#endif /* if/else USE_PAM */

63
backport-newrole-ensure-password-memory-erasure.patch
View File

@ -1,63 +0,0 @@
From c71d14e824e965e42493f5275d90272ab0c6825c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 22 Feb 2022 14:51:43 +0100
Subject: [PATCH] newrole: ensure password memory erasure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Compiler can optimize calls to memset(3), due to the as-if rule, away if
the object is not accessed later on. Use a wrapper using volatile
pointers to ensure the memory is guaranteed to be erased. Also erase
the encrypted password.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policycoreutils/newrole/newrole.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 781f99b63..ae37d7253 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -333,6 +333,14 @@ static int read_pam_config(void)
#define PASSWORD_PROMPT _("Password:") /* prompt for getpass() */
+static void memzero(void *ptr, size_t size)
+{
+ volatile unsigned char * volatile p = ptr;
+ while (size--) {
+ *p++ = '\0';
+ }
+}
+
/* authenticate_via_shadow_passwd()
*
* in: uname - the calling user's user name
@@ -351,6 +359,7 @@ static int authenticate_via_shadow_passwd(const char *uname)
struct spwd *p_shadow_line;
char *unencrypted_password_s;
char *encrypted_password_s;
+ int ret;
setspent();
p_shadow_line = getspnam(uname);
@@ -371,12 +380,15 @@ static int authenticate_via_shadow_passwd(const char *uname)
errno = 0;
encrypted_password_s = crypt(unencrypted_password_s,
p_shadow_line->sp_pwdp);
- memset(unencrypted_password_s, 0, strlen(unencrypted_password_s));
+ memzero(unencrypted_password_s, strlen(unencrypted_password_s));
if (errno || !encrypted_password_s) {
fprintf(stderr, _("Cannot encrypt password.\n"));
return 0;
}
- return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp));
+
+ ret = !strcmp(encrypted_password_s, p_shadow_line->sp_pwdp);
+ memzero(encrypted_password_s, strlen(encrypted_password_s));
+ return ret;
}
#endif /* if/else USE_PAM */

24
backport-semodule_package-Close-leaking-fd.patch
View File

@ -1,24 +0,0 @@
From ac16531b5ab6c40bdf5eae91c8cf7ae25355d61a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 1 Apr 2022 15:35:48 +0200
Subject: [PATCH] semodule_package: Close leaking fd
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
semodule-utils/semodule_package/semodule_package.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
index 3515234e..bc8584b5 100644
--- a/semodule-utils/semodule_package/semodule_package.c
+++ b/semodule-utils/semodule_package/semodule_package.c
@@ -73,6 +73,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
goto err;
}
if (!sb.st_size) {
+ close(fd);
*len = 0;
return 0;
}
--
2.23.0

4
fix-fixfiles-N-date-function-two.patch
View File

@ -15,8 +15,8 @@ index 8f5926a..21a1152 100755
shift shift
LogReadOnly LogReadOnly
for m in `echo $FILESYSTEMSRW`; do for m in `echo $FILESYSTEMSRW`; do
- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f - - find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
+ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f - + find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
done; done;
} }

BIN
policycoreutils-3.3.tar.gz
View File

Binary file not shown.

BIN
policycoreutils-3.4.tar.gz Normal file
View File

Binary file not shown.

25
policycoreutils.spec
View File

@ -2,8 +2,8 @@
%bcond_with sandbox %bcond_with sandbox
Name: policycoreutils Name: policycoreutils
Version: 3.3 Version: 3.4
Release: 3 Release: 1
Summary: Policy core utilities of selinux Summary: Policy core utilities of selinux
License: GPLv2 License: GPLv2
URL: https://github.com/SELinuxProject URL: https://github.com/SELinuxProject
@ -16,15 +16,12 @@ Source11: selinux-autorelabel-generator.sh
Patch0: fix-fixfiles-N-date-function.patch Patch0: fix-fixfiles-N-date-function.patch
Patch1: fix-fixfiles-N-date-function-two.patch Patch1: fix-fixfiles-N-date-function-two.patch
Patch2: backport-newrole-check-for-crypt-3-failure.patch Patch2: backport-python-Split-semanage-import-into-two-transactions.patch
Patch3: backport-newrole-ensure-password-memory-erasure.patch Patch3: backport-python-audit2allow-close-file-stream-on-error.patch
Patch4: backport-semodule_package-Close-leaking-fd.patch Patch4: backport-semodule-avoid-toctou-on-output-module.patch
Patch5: backport-python-Split-semanage-import-into-two-transactions.patch
Patch6: backport-python-audit2allow-close-file-stream-on-error.patch
Patch7: backport-semodule-avoid-toctou-on-output-module.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: pam-devel libsepol-static >= 3.3 libsemanage-static >= 3.3 libselinux-devel >= 3.3 libcap-devel audit-libs-devel gettext BuildRequires: pam-devel libsepol-static >= %{version} libsemanage-static >= %{version} libselinux-devel >= %{version} libcap-devel audit-libs-devel gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel
BuildRequires: systemd systemd-units BuildRequires: systemd systemd-units
Requires: libsepol >= 3.3 libselinux-utils util-linux grep gawk diffutils rpm sed coreutils Requires: libsepol >= 3.3 libselinux-utils util-linux grep gawk diffutils rpm sed coreutils
@ -44,7 +41,7 @@ It contains the selinux policy core utilities
Summary: python3 utilities for seLinux policy core Summary: python3 utilities for seLinux policy core
%{?python_provide:%python_provide python3-policycoreutils} %{?python_provide:%python_provide python3-policycoreutils}
Requires: policycoreutils = %{version}-%{release} Requires: policycoreutils = %{version}-%{release}
Requires: python3-libselinux python3-libsemanage >= 3.3 Requires: python3-libselinux python3-libsemanage >= %{version}
Requires: audit-libs-python3 >= 2.8.5 Requires: audit-libs-python3 >= 2.8.5
Requires: python3-IPy Requires: python3-IPy
Requires: checkpolicy Requires: checkpolicy
@ -164,6 +161,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux %py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux
%find_lang policycoreutils %find_lang policycoreutils
%find_lang selinux-python
%post %post
%systemd_post selinux-autorelabel-mark.service restorecond.service %systemd_post selinux-autorelabel-mark.service restorecond.service
@ -223,7 +221,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%dir %{_datadir}/system-config-selinux/__pycache__ %dir %{_datadir}/system-config-selinux/__pycache__
%{_datadir}/system-config-selinux/__pycache__/selinux_server.* %{_datadir}/system-config-selinux/__pycache__/selinux_server.*
%files -n python3-policycoreutils %files -f selinux-python.lang -n python3-policycoreutils
%{python3_sitelib}/__pycache__ %{python3_sitelib}/__pycache__
%{python3_sitelib}/sepolgen %{python3_sitelib}/sepolgen
%dir %{python3_sitelib}/sepolicy %dir %{python3_sitelib}/sepolicy
@ -262,7 +260,10 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%{_mandir}/* %{_mandir}/*
%changelog %changelog
* Thu Dec 1 2022 wanghuizhao <wanghuizhao1@huawei.com> - 3.3-3 * Thu Feb 2 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.4-1
- update version to 3.4
* Thu Dec 1 2022 wanghuizhao <wanghuizhao1@huawei.com> - 3.3-4
- backport patches from upstream - backport patches from upstream
* Tue Nov 15 2022 shenxiangwei <shenxiangwei1@huawei.com> - 3.3-3 * Tue Nov 15 2022 shenxiangwei <shenxiangwei1@huawei.com> - 3.3-3