

10 Commits

openeuler-ci-bot
3ee7f2ccdd
!112 [sync] PR-108: backport patches from upstream
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2025-03-20 02:19:22 +00:00
markeryang
4385dcb3cb backport patches from upstream
(cherry picked from commit 7b02670e1c287366f3e0518cf3c9aee14be5046d)
2025-03-19 14:11:35 +08:00
openeuler-ci-bot
7cfa4c5fd9
!98 Fix pip install build dependencies failure when compiling policycoreutils
From: @zhangzikang1992 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2024-05-09 06:23:08 +00:00
zhangzikang1992
886d93c7fd Fix pip install build dependencies failure when compiling policycoreutils 2024-04-16 14:15:48 +08:00
openeuler-ci-bot
5c6c2213c4
!92 [sync] PR-91: 【Mainline】Backport patch from upstream to avoid unsigned integer underflow
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2024-03-21 07:09:21 +00:00
yixiangzhike
d8bbafa568 Backport patch from upstream to avoid unsigned integer underflow
(cherry picked from commit 18bf17ad48041cbf7d0b8a0e48aded97d3c06252)
2024-03-21 14:54:42 +08:00
openeuler-ci-bot
83a63246d6
!67 update version to 3.5
From: @zgzxx 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2023-07-21 02:39:25 +00:00
zgzxx
d2d9376398 update version to 3.5 2023-07-21 09:56:58 +08:00
openeuler-ci-bot
8720438c6a
!59 update version to 3.4
From: @zgzxx 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2023-02-02 11:59:05 +00:00
zgzxx
d9793abc88 update version to 3.4 2023-02-02 19:33:12 +08:00
18 changed files with 685 additions and 371 deletions


@ -0,0 +1,56 @@
From cd8d6c7f827845399ff7b5176dbc4496d48a0814 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Wed, 13 Nov 2024 14:02:00 +0100
Subject: [PATCH] fixfiles: use `grep -F` when search in mounts
systemd escapes luks uid so that mount points contain '\' and grep
should not consider this as regexp
Fixes:
$ cat /proc/self/mounts | sort | uniq | awk '{print $2}'
/run/credentials/systemd-cryptsetup@luks\134x2d6d1f41e6\134x2d5538\134x2d41a0\134x2db383\134x2cd41c2ddcacaa.service
$ sudo fixfiles -B onboot
grep: Invalid back reference
grep: Invalid back reference
System will relabel on next boot
Suggested-by: Christopher Tubbs <ctubbsii@fedoraproject.org>
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/scripts/fixfiles | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index cb50fef3c..b7cd765c1 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -45,9 +45,9 @@ FS="`cat /proc/self/mounts | sort | uniq | awk '{print $2}'`"
for i in $FS; do
if [ `useseclabel` -ge 0 ]
then
- grep " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)seclabel(,|$)' && echo $i
+ grep -F " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)seclabel(,|$)' && echo $i
else
- grep " $i " /proc/self/mounts | grep -v "context=" | grep -E --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
+ grep -F " $i " /proc/self/mounts | grep -v "context=" | grep -E --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
fi
done
}
@@ -55,14 +55,14 @@ done
get_rw_labeled_mounts() {
FS=`get_all_labeled_mounts | sort | uniq`
for i in $FS; do
- grep " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)rw(,|$)' && echo $i
+ grep -F " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)rw(,|$)' && echo $i
done
}
get_ro_labeled_mounts() {
FS=`get_all_labeled_mounts | sort | uniq`
for i in $FS; do
- grep " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)ro(,|$)' && echo $i
+ grep -F " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)ro(,|$)' && echo $i
done
}
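Review bot: Switching the four mount-point lookups to `grep -F` fixes the backslash escapes, but `$i` is still expanded unquoted in `for i in $FS` (first hunk) and in each `echo $i`, and /proc/self/mounts only octal-escapes whitespace and backslash, so a mount point containing glob characters such as `*` or `?` would still be globbed against the current directory before grep sees it; `set -f` before the loop (or `echo "$i"`) would close that remaining gap. Without the history, `-F` also reads as gratuitous, so a why-comment next to the first call would help: `# mount points may contain '\ooo' escapes (e.g. systemd luks units); match them literally, not as a regexp`. The enclosing get_all_labeled_mounts starts before the first hunk; get_rw_labeled_mounts and get_ro_labeled_mounts in the second hunk have the same shape and would take the same comment.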


@ -1,35 +0,0 @@
From 1af808982460ec74a23820dcc4d582bb39e2b223 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 22 Feb 2022 14:51:42 +0100
Subject: [PATCH] newrole: check for crypt(3) failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Depending on the implementation crypt(3) can fail either by returning
NULL, or returning a pointer to an invalid hash and setting errno.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policycoreutils/newrole/newrole.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index c99898635..781f99b63 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -368,9 +368,14 @@ static int authenticate_via_shadow_passwd(const char *uname)
}
/* Use crypt() to encrypt user's input password. */
+ errno = 0;
encrypted_password_s = crypt(unencrypted_password_s,
p_shadow_line->sp_pwdp);
memset(unencrypted_password_s, 0, strlen(unencrypted_password_s));
+ if (errno || !encrypted_password_s) {
+ fprintf(stderr, _("Cannot encrypt password.\n"));
+ return 0;
+ }
return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp));
}
#endif /* if/else USE_PAM */


@ -1,63 +0,0 @@
From c71d14e824e965e42493f5275d90272ab0c6825c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 22 Feb 2022 14:51:43 +0100
Subject: [PATCH] newrole: ensure password memory erasure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Compiler can optimize calls to memset(3), due to the as-if rule, away if
the object is not accessed later on. Use a wrapper using volatile
pointers to ensure the memory is guaranteed to be erased. Also erase
the encrypted password.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policycoreutils/newrole/newrole.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 781f99b63..ae37d7253 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -333,6 +333,14 @@ static int read_pam_config(void)
#define PASSWORD_PROMPT _("Password:") /* prompt for getpass() */
+static void memzero(void *ptr, size_t size)
+{
+ volatile unsigned char * volatile p = ptr;
+ while (size--) {
+ *p++ = '\0';
+ }
+}
+
/* authenticate_via_shadow_passwd()
*
* in: uname - the calling user's user name
@@ -351,6 +359,7 @@ static int authenticate_via_shadow_passwd(const char *uname)
struct spwd *p_shadow_line;
char *unencrypted_password_s;
char *encrypted_password_s;
+ int ret;
setspent();
p_shadow_line = getspnam(uname);
@@ -371,12 +380,15 @@ static int authenticate_via_shadow_passwd(const char *uname)
errno = 0;
encrypted_password_s = crypt(unencrypted_password_s,
p_shadow_line->sp_pwdp);
- memset(unencrypted_password_s, 0, strlen(unencrypted_password_s));
+ memzero(unencrypted_password_s, strlen(unencrypted_password_s));
if (errno || !encrypted_password_s) {
fprintf(stderr, _("Cannot encrypt password.\n"));
return 0;
}
- return (!strcmp(encrypted_password_s, p_shadow_line->sp_pwdp));
+
+ ret = !strcmp(encrypted_password_s, p_shadow_line->sp_pwdp);
+ memzero(encrypted_password_s, strlen(encrypted_password_s));
+ return ret;
}
#endif /* if/else USE_PAM */


@ -1,73 +0,0 @@
From 9229f8b3b7348e4990c8493365d68ff241cfbeb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 26 Jan 2022 15:56:45 +0100
Subject: [PATCH] policycoreutils: handle argument counter of zero
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The number of arguments passed to main(), argc, can be zero if the
pathname passed to execve(2) is NULL, e.g. via:
execve("/path/to/exe", {NULL}, {NULL});
Also avoid NULL pointer dereferences on the argument value.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
policycoreutils/run_init/open_init_pty.c | 2 +-
policycoreutils/secon/secon.c | 3 +++
policycoreutils/setfiles/setfiles.c | 6 +++++-
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/run_init/open_init_pty.c b/policycoreutils/run_init/open_init_pty.c
index 150cb45ee..19101c506 100644
--- a/policycoreutils/run_init/open_init_pty.c
+++ b/policycoreutils/run_init/open_init_pty.c
@@ -244,7 +244,7 @@ int main(int argc, char *argv[])
rb_init(&inbuf, inbuf_mem, sizeof(inbuf_mem));
rb_init(&outbuf, outbuf_mem, sizeof(outbuf_mem));
- if (argc == 1) {
+ if (argc < 2) {
printf("usage: %s PROGRAM [ARGS]...\n", argv[0]);
exit(1);
}
diff --git a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c
index a0957d091..d624fa136 100644
--- a/policycoreutils/secon/secon.c
+++ b/policycoreutils/secon/secon.c
@@ -333,6 +333,9 @@ static void cmd_line(int argc, char *argv[])
opts->from_type = OPTS_FROM_CUR;
if (opts->from_type == OPTS_FROM_ARG) {
+ if (!argv[0])
+ errx(EXIT_FAILURE, "No argument given");
+
opts->f.arg = argv[0];
if (xstreq(argv[0], "-"))
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 44cab46d0..ab7016aca 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -163,6 +163,10 @@ int main(int argc, char **argv)
policyfile = NULL;
r_opts.abort_on_error = 0;
+ if (!argv[0]) {
+ fprintf(stderr, "Called without required program name!\n");
+ exit(-1);
+ }
r_opts.progname = strdup(argv[0]);
if (!r_opts.progname) {
fprintf(stderr, "%s: Out of memory!\n", argv[0]);
@@ -423,7 +427,7 @@ int main(int argc, char **argv)
altpath = argv[optind];
optind++;
- } else if (argc == 1)
+ } else if (argc < 2)
usage(argv[0]);
/* Set selabel_open options. */


@ -1,63 +0,0 @@
From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 30 May 2022 14:20:21 +0200
Subject: [PATCH] python: Split "semanage import" into two transactions
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.
Fixes:
# semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
# semanage export | semanage import
ValueError: Port tcp/3024 already defined
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 8f4e44a7..1d828128 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -852,10 +852,29 @@ def handleImport(args):
trans = seobject.semanageRecords(args)
trans.start()
+ deleteCommands = []
+ commands = []
+ # separate commands for deletion from the rest so they can be
+ # applied in a separate transaction
for l in sys.stdin.readlines():
if len(l.strip()) == 0:
continue
+ if "-d" in l or "-D" in l:
+ deleteCommands.append(l)
+ else:
+ commands.append(l)
+
+ if deleteCommands:
+ importHelper(deleteCommands)
+ trans.finish()
+ trans.start()
+
+ importHelper(commands)
+ trans.finish()
+
+def importHelper(commands):
+ for l in commands:
try:
commandParser = createCommandParser()
args = commandParser.parse_args(mkargv(l))
@@ -869,8 +888,6 @@ def handleImport(args):
except KeyboardInterrupt:
sys.exit(0)
- trans.finish()
-
def setupImportParser(subparsers):
importParser = subparsers.add_parser('import', help=_('Import local customizations'))
--
2.23.0


@ -1,48 +0,0 @@
From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 20 May 2022 14:51:07 +0200
Subject: [PATCH] python/audit2allow: close file stream on error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sepolgen-ifgen-attr-helper.c: In function load_policy:
sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE fp [CWE-775] [-Wanalyzer-file-leak]
196 | fprintf(stderr, "Out of memory!\n");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
index 6f3ba962..5e6cffc1 100644
--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename)
policydb = malloc(sizeof(policydb_t));
if (policydb == NULL) {
fprintf(stderr, "Out of memory!\n");
+ fclose(fp);
return NULL;
}
if (policydb_init(policydb)) {
fprintf(stderr, "Out of memory!\n");
free(policydb);
+ fclose(fp);
return NULL;
}
@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename)
fprintf(stderr,
"error(s) encountered while parsing configuration\n");
free(policydb);
+ fclose(fp);
return NULL;
}
--
2.23.0


@ -0,0 +1,395 @@
From f5d4b60e69e818d561ab645ff27b9bba68d5163e Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 14 Feb 2024 13:08:40 +0100
Subject: [PATCH] python/semanage: Allow modifying records on "add"
When trying to add a record with a key that already exists, modify
the existing record instead.
Also, fix "semanage -m -e" (add_equal was called instead of
modify_equal), which meant that existing local equivalency couldn't be
modified (though a user could remove it and add a modified
equivalency).
Fixes:
https://github.com/SELinuxProject/selinux/issues/412
When a port or login definition present in the policy is modified
using "semanage port -m", "semanage export" exports the command as
"port -a" instead of "port -m". This results in "semanage import"
failing (port already defined). The same is true for port, user,
login, ibpkey, ibendport, node, interface and fcontext.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/semanage/semanage | 2 +-
python/semanage/seobject.py | 208 +++++++++++++++++++++++++-----------
2 files changed, 147 insertions(+), 63 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 4fdb490f..b269b9fc 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -322,7 +322,7 @@ def handleFcontext(args):
OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
if args.action == "modify":
if args.equal:
- OBJECT.add_equal(args.file_spec, args.equal)
+ OBJECT.modify_equal(args.file_spec, args.equal)
else:
OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
if args.action == "delete":
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 8769a1f..adb0b59 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -561,11 +561,6 @@ class loginRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
- (rc, exists) = semanage_seuser_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if login mapping for %s is defined") % name)
- if exists:
- raise ValueError(_("Login mapping for %s is already defined") % name)
if name[0] == '%':
try:
grp.getgrnam(name[1:])
@@ -604,11 +599,29 @@ class loginRecords(semanageRecords):
def add(self, name, sename, serange):
try:
self.begin()
- self.__add(name, sename, serange)
+ # Add a new mapping, or modify an existing one
+ if self.__exists(name):
+ print(_("Login mapping for %s is already defined, modifying instead") % name)
+ self.__modify(name, sename, serange)
+ else:
+ self.__add(name, sename, serange)
self.commit()
except ValueError as error:
raise error
+ # check if login mapping for given user exists
+ def __exists(self, name):
+ (rc, k) = semanage_seuser_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_seuser_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if login mapping for %s is defined") % name)
+ semanage_seuser_key_free(k)
+
+ return exists
+
def __modify(self, name, sename="", serange=""):
rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
if sename == "" and serange == "":
@@ -825,12 +838,6 @@ class seluserRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
- (rc, exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if SELinux user %s is defined") % name)
- if exists:
- raise ValueError(_("SELinux user %s is already defined") % name)
-
(rc, u) = semanage_user_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create SELinux user for %s") % name)
@@ -870,12 +877,28 @@ class seluserRecords(semanageRecords):
def add(self, name, roles, selevel, serange, prefix):
try:
self.begin()
- self.__add(name, roles, selevel, serange, prefix)
+ if self.__exists(name):
+ print(_("SELinux user %s is already defined, modifying instead") % name)
+ self.__modify(name, roles, selevel, serange, prefix)
+ else:
+ self.__add(name, roles, selevel, serange, prefix)
self.commit()
except ValueError as error:
self.mylog.commit(0)
raise error
+ def __exists(self, name):
+ (rc, k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError(_("Could not create a key for %s") % name)
+
+ (rc, exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if SELinux user %s is defined") % name)
+ semanage_user_key_free(k)
+
+ return exists
+
def __modify(self, name, roles=[], selevel="", serange="", prefix=""):
oldserole = ""
oldserange = ""
@@ -1107,12 +1130,6 @@ class portRecords(semanageRecords):
(k, proto_d, low, high) = self.__genkey(port, proto)
- (rc, exists) = semanage_port_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
- if exists:
- raise ValueError(_("Port %s/%s already defined") % (proto, port))
-
(rc, p) = semanage_port_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create port for %s/%s") % (proto, port))
@@ -1156,9 +1173,23 @@ class portRecords(semanageRecords):
def add(self, port, proto, serange, type):
self.begin()
- self.__add(port, proto, serange, type)
+ if self.__exists(port, proto):
+ print(_("Port {proto}/{port} already defined, modifying instead").format(proto=proto, port=port))
+ self.__modify(port, proto, serange, type)
+ else:
+ self.__add(port, proto, serange, type)
self.commit()
+ def __exists(self, port, proto):
+ (k, proto_d, low, high) = self.__genkey(port, proto)
+
+ (rc, exists) = semanage_port_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
+ semanage_port_key_free(k)
+
+ return exists
+
def __modify(self, port, proto, serange, setype):
if serange == "" and setype == "":
if is_mls_enabled == 1:
@@ -1381,12 +1412,6 @@ class ibpkeyRecords(semanageRecords):
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
- (rc, exists) = semanage_ibpkey_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
- if exists:
- raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey))
-
(rc, p) = semanage_ibpkey_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey))
@@ -1428,9 +1453,23 @@ class ibpkeyRecords(semanageRecords):
def add(self, pkey, subnet_prefix, serange, type):
self.begin()
- self.__add(pkey, subnet_prefix, serange, type)
+ if self.__exists(pkey, subnet_prefix):
+ print(_("ibpkey {subnet_prefix}/{pkey} already defined, modifying instead").format(subnet_prefix=subnet_prefix, pkey=pkey))
+ self.__modify(pkey, subnet_prefix, serange, type)
+ else:
+ self.__add(pkey, subnet_prefix, serange, type)
self.commit()
+ def __exists(self, pkey, subnet_prefix):
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+
+ (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").formnat(subnet_prefix=subnet_prefix, pkey=pkey))
+ semanage_ibpkey_key_free(k)
+
+ return exists
+
def __modify(self, pkey, subnet_prefix, serange, setype):
if serange == "" and setype == "":
if is_mls_enabled == 1:
@@ -1635,12 +1674,6 @@ class ibendportRecords(semanageRecords):
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
- (rc, exists) = semanage_ibendport_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port))
- if exists:
- raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port))
-
(rc, p) = semanage_ibendport_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port))
@@ -1682,9 +1715,23 @@ class ibendportRecords(semanageRecords):
def add(self, ibendport, ibdev_name, serange, type):
self.begin()
- self.__add(ibendport, ibdev_name, serange, type)
+ if self.__exists(ibendport, ibdev_name):
+ print(_("ibendport {ibdev_name}/{port} already defined, modifying instead").format(ibdev_name=ibdev_name, port=port))
+ self.__modify(ibendport, ibdev_name, serange, type)
+ else:
+ self.__add(ibendport, ibdev_name, serange, type)
self.commit()
+ def __exists(self, ibendport, ibdev_name):
+ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
+
+ (rc, exists) = semanage_ibendport_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{port} is defined").format(ibdev_name=ibdev_name, port=port))
+ semanage_ibendport_key_free(k)
+
+ return exists
+
def __modify(self, ibendport, ibdev_name, serange, setype):
if serange == "" and setype == "":
if is_mls_enabled == 1:
@@ -1906,12 +1953,6 @@ class nodeRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create key for %s") % addr)
- (rc, exists) = semanage_node_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if addr %s is defined") % addr)
- if exists:
- raise ValueError(_("Addr %s already defined") % addr)
-
(rc, node) = semanage_node_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create addr for %s") % addr)
@@ -1959,9 +2000,27 @@ class nodeRecords(semanageRecords):
def add(self, addr, mask, proto, serange, ctype):
self.begin()
- self.__add(addr, mask, proto, serange, ctype)
+ if self.__exists(addr, mask, proto):
+ print(_("Addr %s already defined, modifying instead") % addr)
+ self.__modify(addr, mask, proto, serange, ctype)
+ else:
+ self.__add(addr, mask, proto, serange, ctype)
self.commit()
+ def __exists(self, addr, mask, proto):
+ addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
+
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % addr)
+
+ (rc, exists) = semanage_node_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
+ semanage_node_key_free(k)
+
+ return exists
+
def __modify(self, addr, mask, proto, serange, setype):
addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
@@ -2115,12 +2174,6 @@ class interfaceRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create key for %s") % interface)
- (rc, exists) = semanage_iface_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if interface %s is defined") % interface)
- if exists:
- raise ValueError(_("Interface %s already defined") % interface)
-
(rc, iface) = semanage_iface_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create interface for %s") % interface)
@@ -2167,9 +2220,25 @@ class interfaceRecords(semanageRecords):
def add(self, interface, serange, ctype):
self.begin()
- self.__add(interface, serange, ctype)
+ if self.__exists(interface):
+ print(_("Interface %s already defined, modifying instead") % interface)
+ self.__modify(interface, serange, ctype)
+ else:
+ self.__add(interface, serange, ctype)
self.commit()
+ def __exists(self, interface):
+ (rc, k) = semanage_iface_key_create(self.sh, interface)
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % interface)
+
+ (rc, exists) = semanage_iface_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if interface %s is defined") % interface)
+ semanage_iface_key_free(k)
+
+ return exists
+
def __modify(self, interface, serange, setype):
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
@@ -2357,7 +2426,13 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute)
if target in self.equiv.keys():
- raise ValueError(_("Equivalence class for %s already exists") % target)
+ print(_("Equivalence class for %s already exists, modifying instead") % target)
+ self.equiv[target] = substitute
+ self.equal_ind = True
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+ self.commit()
+ return
+
self.validate(target)
for fdict in (self.equiv, self.equiv_dist):
@@ -2433,18 +2508,6 @@ class fcontextRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not create key for %s") % target)
- (rc, exists) = semanage_fcontext_exists(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if file context for %s is defined") % target)
-
- if not exists:
- (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
- if rc < 0:
- raise ValueError(_("Could not check if file context for %s is defined") % target)
-
- if exists:
- raise ValueError(_("File context for %s already defined") % target)
-
(rc, fcontext) = semanage_fcontext_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create file context for %s") % target)
@@ -2483,9 +2546,30 @@ class fcontextRecords(semanageRecords):
def add(self, target, type, ftype="", serange="", seuser="system_u"):
self.begin()
- self.__add(target, type, ftype, serange, seuser)
+ if self.__exists(target, ftype):
+ print(_("File context for %s already defined, modifying instead") % target)
+ self.__modify(target, type, ftype, serange, seuser)
+ else:
+ self.__add(target, type, ftype, serange, seuser)
self.commit()
+ def __exists(self, target, ftype):
+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
+ if rc < 0:
+ raise ValueError(_("Could not create key for %s") % target)
+
+ (rc, exists) = semanage_fcontext_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+
+ if not exists:
+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+ semanage_fcontext_key_free(k)
+
+ return exists
+
def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
--
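Review bot: Two of the new helpers in seobject.py cannot execute the path they were written for: `ibpkeyRecords.__exists` spells the method `.formnat(...)` in its `rc < 0` branch, so a failing `semanage_ibpkey_exists` raises AttributeError instead of the intended ValueError, and `ibendportRecords.add` prints `.format(ibdev_name=ibdev_name, port=port)` where `port` is not a parameter of `add` (it is only produced by `__genkey` inside `__exists`), so the modify branch would raise NameError unless a module-level `port` happens to exist. The fixes are `raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").format(subnet_prefix=subnet_prefix, pkey=pkey))` and, for example, `print(_("ibendport {ibdev_name}/{port} already defined, modifying instead").format(ibdev_name=ibdev_name, port=ibendport))`. A smaller point shared by every new `__exists`: when the exists call fails, `k` is never passed to the matching `*_key_free`, so the error path leaks the key; freeing it before raising keeps it symmetric with the success path. Since "add" now silently becomes a modification of an existing, possibly policy-shipped, record, the `print` is the only visible trace on that path; worth confirming the `__modify` calls also reach the audit log the way `mylog.log_change` does in the equivalence hunk.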


@ -0,0 +1,34 @@
From 5131c4794d3ae4631b24fb4c5e4027f1aeb3f966 Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fvogt@suse.de>
Date: Thu, 24 Oct 2024 10:48:15 +0200
Subject: [PATCH] restorecond: Set GLib IO channels to binary mode
By default, GIO channels use UTF-8 as encoding, which causes issues when
reading binary data such as inotify events.
Signed-off-by: Fabian Vogt <fvogt@suse.de>
Acked-by: James Carter <jwcart2@gmail.com>
---
restorecond/user.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/restorecond/user.c b/restorecond/user.c
index 3ae3ebbb72..7188c22e31 100644
--- a/restorecond/user.c
+++ b/restorecond/user.c
@@ -238,6 +238,7 @@ static int local_server(void) {
}
/* watch for stdin/terminal going away */
GIOChannel *in = g_io_channel_unix_new(0);
+ g_io_channel_set_encoding(in, NULL, NULL);
g_io_add_watch_full( in,
G_PRIORITY_HIGH,
G_IO_IN|G_IO_ERR|G_IO_HUP,
@@ -282,6 +283,7 @@ int server(int master_fd, const char *watch_file) {
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
GIOChannel *c = g_io_channel_unix_new(master_fd);
+ g_io_channel_set_encoding(c, NULL, NULL);
g_io_add_watch_full(c,
G_PRIORITY_HIGH,
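Review bot: Both new `g_io_channel_set_encoding(..., NULL, NULL)` calls, in local_server and in server, discard the returned GIOStatus and pass a NULL GError, so if the switch to raw mode fails the channel silently stays in UTF-8 and the inotify reads later fail in exactly the way this patch is meant to prevent. Checking the result, e.g. `if (g_io_channel_set_encoding(c, NULL, NULL) != G_IO_STATUS_NORMAL)` followed by a log-and-bail, or at least a why-comment next to each call such as `/* raw bytes: inotify events are binary, not UTF-8 */`, would make both the intent and the failure mode visible. Both enclosing functions start and end outside the hunks.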


@ -0,0 +1,36 @@
From 271eb4fe449dc9fd233f7e8d577f1c2897a13e2f Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fvogt@suse.de>
Date: Thu, 24 Oct 2024 10:48:16 +0200
Subject: [PATCH] restorecond: Set GLib IO channels to nonblocking
Without nonblocking IO, g_io_channel_read_chars waits indefinitely for more
data without ever returning control to the event loop.
Set the IO channels to nonblocking to fix SIGTERM handling.
Signed-off-by: Fabian Vogt <fvogt@suse.de>
Acked-by: James Carter <jwcart2@gmail.com>
---
restorecond/user.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/restorecond/user.c b/restorecond/user.c
index 7188c22e3..25e70ae15 100644
--- a/restorecond/user.c
+++ b/restorecond/user.c
@@ -239,6 +239,7 @@ static int local_server(void) {
/* watch for stdin/terminal going away */
GIOChannel *in = g_io_channel_unix_new(0);
g_io_channel_set_encoding(in, NULL, NULL);
+ g_io_channel_set_flags(in, g_io_channel_get_flags(in) | G_IO_FLAG_NONBLOCK, NULL);
g_io_add_watch_full( in,
G_PRIORITY_HIGH,
G_IO_IN|G_IO_ERR|G_IO_HUP,
@@ -284,6 +285,7 @@ int server(int master_fd, const char *watch_file) {
GIOChannel *c = g_io_channel_unix_new(master_fd);
g_io_channel_set_encoding(c, NULL, NULL);
+ g_io_channel_set_flags(c, g_io_channel_get_flags(c) | G_IO_FLAG_NONBLOCK, NULL);
g_io_add_watch_full(c,
G_PRIORITY_HIGH,
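Review bot: The new `g_io_channel_set_flags` calls in local_server and server ignore the returned GIOStatus and pass a NULL GError, so a failed flag change leaves the channel blocking and the SIGTERM hang this patch fixes would quietly come back. Checking the result, `if (g_io_channel_set_flags(c, g_io_channel_get_flags(c) | G_IO_FLAG_NONBLOCK, NULL) != G_IO_STATUS_NORMAL)` and logging, would surface that. With the channels now non-blocking, the read callbacks registered through g_io_add_watch_full must also treat G_IO_STATUS_AGAIN as "no data yet" rather than as an error; those handlers are outside the hunks, so this is worth confirming rather than assuming. Both enclosing functions start and end outside the hunks.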


@ -1,48 +0,0 @@
From 6d02b2fa29954e239721907e1fce238f25ea4f2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 20 May 2022 15:19:52 +0200
Subject: [PATCH] semodule: avoid toctou on output module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Do not check for file existence and open afterwards, open with the
exclusive flag (supported in Glibc and musl 0.9.6 and also standardized
in C11).
Found by GitHub CodeQL.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/semodule/semodule.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 1ed8e690..48bc28dd 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -550,15 +550,12 @@ int main(int argc, char *argv[])
goto cleanup_extract;
}
- if (access(output_path, F_OK) == 0) {
- fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
- result = -1;
- goto cleanup_extract;
- }
-
- output_fd = fopen(output_path, "w");
+ output_fd = fopen(output_path, "wx");
if (output_fd == NULL) {
- fprintf(stderr, "%s: Unable to open %s\n", argv[0], output_path);
+ if (errno == EEXIST)
+ fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
+ else
+ fprintf(stderr, "%s: Unable to open %s: %s\n", argv[0], output_path, strerror(errno));
result = -1;
goto cleanup_extract;
}
--
2.12.3


@ -1,24 +0,0 @@
From ac16531b5ab6c40bdf5eae91c8cf7ae25355d61a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 1 Apr 2022 15:35:48 +0200
Subject: [PATCH] semodule_package: Close leaking fd
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
semodule-utils/semodule_package/semodule_package.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
index 3515234e..bc8584b5 100644
--- a/semodule-utils/semodule_package/semodule_package.c
+++ b/semodule-utils/semodule_package/semodule_package.c
@@ -73,6 +73,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
goto err;
}
if (!sb.st_size) {
+ close(fd);
*len = 0;
return 0;
}
--
2.23.0


@ -0,0 +1,53 @@
From 2fc29ae7971070b27552140174d460dabd35fa0d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 27 Aug 2024 13:28:13 +0200
Subject: [PATCH] sepolgen-ifgen: allow M4 escaped filenames
When a file name in type transition rule used in an interface is same as
a keyword, it needs to be M4 escaped so that the keyword is not expanded
by M4, e.g.
- filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interface")
+ filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
But sepolgen-ifgen could not parse such string:
# sepolgen-ifgen
Illegal character '`'
This change allows M4 escaping inside quoted strings and fixed described
problem.
https://bugzilla.redhat.com/show_bug.cgi?id=2254206
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/sepolgen/src/sepolgen/refparser.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
index e261d3f78..c8a3eb54d 100644
--- a/python/sepolgen/src/sepolgen/refparser.py
+++ b/python/sepolgen/src/sepolgen/refparser.py
@@ -486,7 +486,7 @@ def p_interface_call_param(p):
| nested_id_set
| TRUE
| FALSE
- | FILENAME
+ | quoted_filename
'''
# Intentionally let single identifiers pass through
# List means set, non-list identifier
@@ -1027,6 +1027,11 @@ def p_optional_semi(p):
| empty'''
pass
+def p_quoted_filename(p):
+ '''quoted_filename : TICK quoted_filename SQUOTE
+ | FILENAME
+ '''
+ p[0] = p[1]
#
# Interface to the parser
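Review bot: In `p_quoted_filename`, `p[0] = p[1]` returns the opening TICK token for the `TICK quoted_filename SQUOTE` production, because the recursively parsed filename sits in p[2], not p[1]; only the plain `FILENAME` branch yields the actual name. If anything downstream reads the parameter value, an M4-escaped filename is seen as '`' rather than the name, which would at least confuse diagnostics. `p[0] = p[2] if len(p) == 4 else p[1]` keeps the name in both branches. This also assumes the lexer already defines TICK and SQUOTE tokens, which is not visible in this hunk, and p_interface_call_param's body continues outside the hunk.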


@ -0,0 +1,25 @@
From b6910aa68a0e3968935557c39ae1b89634bc9945 Mon Sep 17 00:00:00 2001
From: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Date: Thu, 1 Aug 2024 22:32:40 +0300
Subject: [PATCH] sepolgen: initialize gen_cil
Avoid errors when adding comments to CIL output like in audit2allow
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/sepolgen/src/sepolgen/refpolicy.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
index 2ec75fbad..32278896c 100644
--- a/python/sepolgen/src/sepolgen/refpolicy.py
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
@@ -1217,6 +1217,7 @@ def __init__(self, l=None):
self.lines = l
else:
self.lines = []
+ self.gen_cil = False
def to_string(self):
# If there are no lines, treat this as a spacer between


@ -0,0 +1,52 @@
From fc2e9318d0a1b2ec331f6af25e70358f130d003b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 19 Dec 2023 17:09:33 +0100
Subject: [PATCH] setfiles: avoid unsigned integer underflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While well-defined unsigned integer underflow might signal a logic
mistake or processing of unchecked user input. Please Clang's undefined
behavior sanitizer:
restore.c:91:37: runtime error: unsigned integer overflow: 1 - 2 cannot be represented in type 'unsigned long'
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/setfiles/restore.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 6131f46a..d045e948 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -77,8 +77,8 @@ int process_glob(char *name, struct restore_opts *opts, size_t nthreads,
long unsigned *skipped_errors)
{
glob_t globbuf;
- size_t i = 0;
- int len, rc, errors;
+ size_t i, len;
+ int rc, errors;
memset(&globbuf, 0, sizeof(globbuf));
@@ -88,10 +88,10 @@ int process_glob(char *name, struct restore_opts *opts, size_t nthreads,
return errors;
for (i = 0; i < globbuf.gl_pathc; i++) {
- len = strlen(globbuf.gl_pathv[i]) - 2;
- if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0)
+ len = strlen(globbuf.gl_pathv[i]);
+ if (len > 2 && strcmp(&globbuf.gl_pathv[i][len - 2], "/.") == 0)
continue;
- if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
+ if (len > 3 && strcmp(&globbuf.gl_pathv[i][len - 3], "/..") == 0)
continue;
rc = selinux_restorecon_parallel(globbuf.gl_pathv[i],
opts->restorecon_flags,
--
2.33.0
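Review bot: The new guards `len > 2` and `len > 3` only skip a `/.` or `/..` suffix when at least one character precedes the slash, so a glob result that is exactly `/.` or `/..` still reaches selinux_restorecon_parallel. That mirrors the old `len > 0` behaviour after the subtraction, so it is not a regression, but `len >= 2` / `len >= 3` would be the natural bounds if those bare paths are meant to be skipped as well. Keeping `len` as size_t is the real fix here, since the old `strlen() - 2` wrapped for one-character paths before the signed comparison. process_glob's body continues outside the hunk.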


@ -15,8 +15,8 @@ index 8f5926a..21a1152 100755
shift
LogReadOnly
for m in `echo $FILESYSTEMSRW`; do
- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
+ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
+ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
done;
}
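Review bot: The updated `+ find ... ${THREADS} $* -i -0 -f -` line still expands `$*` unquoted when forwarding the remaining arguments to ${RESTORECON}, so any option containing whitespace is word-split and re-globbed; `"$@"` preserves the arguments as given. Quoting `$DATE` is the right change, and the same treatment is what `$*` is missing; this is pre-existing upstream fixfiles code, so it may be preferable to carry it as a separate patch rather than fold it into this one. The enclosing function starts before the hunk.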


policycoreutils-3.5.tar.gz Normal file



@ -2,8 +2,8 @@
%bcond_with sandbox
Name: policycoreutils
Version: 3.3
Release: 3
Version: 3.5
Release: 4
Summary: Policy core utilities of selinux
License: GPLv2
URL: https://github.com/SELinuxProject
@ -16,17 +16,18 @@ Source11: selinux-autorelabel-generator.sh
Patch0: fix-fixfiles-N-date-function.patch
Patch1: fix-fixfiles-N-date-function-two.patch
Patch2: backport-newrole-check-for-crypt-3-failure.patch
Patch3: backport-newrole-ensure-password-memory-erasure.patch
Patch4: backport-semodule_package-Close-leaking-fd.patch
Patch5: backport-python-Split-semanage-import-into-two-transactions.patch
Patch6: backport-python-audit2allow-close-file-stream-on-error.patch
Patch7: backport-semodule-avoid-toctou-on-output-module.patch
Patch2: backport-setfiles-avoid-unsigned-integer-underflow.patch
Patch3: backport-python-semanage-Allow-modifying-records-on-add.patch
Patch4: backport-sepolgen-initialize-gen_cil.patch
Patch5: backport-restorecond-Set-GLib-IO-channels-to-binary-mode.patch
Patch6: backport-restorecond-Set-GLib-IO-channels-to-nonblocking.patch
Patch7: backport-fixfiles-use-grep-F-when-search-in-mounts.patch
Patch8: backport-sepolgen-ifgen-allow-M4-escaped-filenames.patch
BuildRequires: gcc
BuildRequires: pam-devel libsepol-static >= 3.3 libsemanage-static >= 3.3 libselinux-devel >= 3.3 libcap-devel audit-libs-devel gettext
BuildRequires: pam-devel libsepol-static >= %{version} libsemanage-static >= %{version} libselinux-devel >= %{version} libcap-devel audit-libs-devel gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel
BuildRequires: systemd systemd-units
BuildRequires: systemd systemd-units python3-pip python3-wheel
Requires: libsepol >= 3.3 libselinux-utils util-linux grep gawk diffutils rpm sed coreutils
Provides: %{name}-restorecond = %{version}-%{release}
@ -44,7 +45,7 @@ It contains the selinux policy core utilities
Summary: python3 utilities for seLinux policy core
%{?python_provide:%python_provide python3-policycoreutils}
Requires: policycoreutils = %{version}-%{release}
Requires: python3-libselinux python3-libsemanage >= 3.3
Requires: python3-libselinux python3-libsemanage >= %{version}
Requires: audit-libs-python3 >= 2.8.5
Requires: python3-IPy
Requires: checkpolicy
@ -164,6 +165,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux
%find_lang policycoreutils
%find_lang selinux-python
%post
%systemd_post selinux-autorelabel-mark.service restorecond.service
@ -176,7 +178,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%files -f %{name}.lang
%license policycoreutils/COPYING
%license policycoreutils/LICENSE
%doc %{_usr}/share/doc/%{name}
%config(noreplace) %{_sysconfdir}/sestatus.conf
%config(noreplace) %{_sysconfdir}/pam.d/newrole
@ -223,7 +225,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%dir %{_datadir}/system-config-selinux/__pycache__
%{_datadir}/system-config-selinux/__pycache__/selinux_server.*
%files -n python3-policycoreutils
%files -f selinux-python.lang -n python3-policycoreutils
%{python3_sitelib}/__pycache__
%{python3_sitelib}/sepolgen
%dir %{python3_sitelib}/sepolicy
@ -236,7 +238,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%{python3_sitelib}/sepolicy/network.py*
%{python3_sitelib}/sepolicy/transition.py*
%{python3_sitelib}/sepolicy/sedbus.py*
%{python3_sitelib}/sepolicy*.egg-info
%{python3_sitelib}/sepolicy*.dist-info
%{python3_sitelib}/sepolicy/booleans.py*
%{python3_sitelib}/sepolicy/communicate.py*
%{python3_sitelib}/sepolicy/generate.py*
@ -262,7 +264,22 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%{_mandir}/*
%changelog
* Thu Dec 1 2022 wanghuizhao <wanghuizhao1@huawei.com> - 3.3-3
* Tue Mar 18 2025 yanglongkang <yanglongkang@h-partners.com> - 3.5-4
- backport patches from upstream
* Tue Apr 16 2024 zhangzikang <zhangzikang@kylinos.cn> - 3.5-3
- add BuildRequires python3-wheel, fix compilation error
* Wed Mar 20 2024 yixiangzhike <yixiangzhike007@163.com> - 3.5-2
- backport patch from upstream to avoid unsigned integer underflow
* Mon Jul 17 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.5-1
- update version to 3.5
* Thu Feb 2 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.4-1
- update version to 3.4
* Thu Dec 1 2022 wanghuizhao <wanghuizhao1@huawei.com> - 3.3-4
- backport patches from upstream
* Tue Nov 15 2022 shenxiangwei <shenxiangwei1@huawei.com> - 3.3-3
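Review bot: The new `BuildRequires: systemd systemd-units python3-pip python3-wheel` line brings pip into the package build; if the sepolicy or sepolgen install step runs pip with build isolation enabled, pip will try to resolve setuptools/wheel from an index, which fails in an offline build and, where network is available, pulls unpinned packages into the build. The %build and %install sections are not in this view, so confirm the invocation passes `--no-build-isolation --no-index` (or uses the distro's pyproject macros) so the build stays hermetic and reproducible. Separately, the BuildRequires floors were switched to `%{version}` but the runtime `Requires: libsepol >= 3.3` was left at the old literal, so a 3.5 build can be installed against an older libsepol; `Requires: libsepol >= %{version} libselinux-utils util-linux grep gawk diffutils rpm sed coreutils` keeps the two consistent.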