Always install selinux modules regardless of selinuxenabled status

This resolves bsc#1236057 by moving the selinux policies in cockpit-ws
to cockpit-selinux-policies allowing them to be conditionally installed
when selinux-policy-base is installed.

0008-pybridge-endian-flag.patch

@@ -0,0 +1,62 @@
+From 388870cfef754dd6f23d13abad2f10dc05758384 Mon Sep 17 00:00:00 2001
+From: Miika Alikirri <miika.alikirri@suse.com>
+Date: Wed, 19 Mar 2025 08:50:40 +0200
+Subject: pybridge: Stop hard-coding endian flag in DBusChannel
+
+When you issue sd_bus_read() you'll always get the data returned to in
+the machines native endianness. Therefore the endianness flag can be set
+based on the machines architecture.
+
+This is apparently "undertested" on systemd's end so this may have to
+fixed in the future if we run into real world cases where sd_bus_read()
+doesn't return data in native endianness.
+
+https://github.com/systemd/systemd/pull/36784#issuecomment-2734771532
+---
+ src/cockpit/channels/dbus.py | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/cockpit/channels/dbus.py b/src/cockpit/channels/dbus.py
+index 5fc52c3a8..3ebc6404a 100644
+--- a/src/cockpit/channels/dbus.py
++++ b/src/cockpit/channels/dbus.py
+@@ -38,6 +38,7 @@ import asyncio
+ import errno
+ import json
+ import logging
++import sys
+ import traceback
+ import xml.etree.ElementTree as ET
+ 
+@@ -48,6 +49,8 @@ from ..channel import Channel, ChannelError
+ 
+ logger = logging.getLogger(__name__)
+ 
++IS_LITTLE_ENDIAN_MACHINE = sys.byteorder == 'little'
++
+ # The dbusjson3 payload
+ #
+ # This channel payload type translates JSON encoded messages on a
+@@ -174,6 +177,7 @@ class DBusChannel(Channel):
+     name = None
+     bus = None
+     owner = None
++    endianness = "<" if IS_LITTLE_ENDIAN_MACHINE else ">"
+ 
+     async def setup_name_owner_tracking(self):
+         def send_owner(owner):
+@@ -346,10 +350,9 @@ class DBusChannel(Channel):
+             # If the method call has kicked off any signals related to
+             # watch processing, wait for that to be done.
+             async with self.watch_processing_lock:
+-                # TODO: stop hard-coding the endian flag here.
+                 self.send_json(
+                     reply=[reply.get_body()], id=cookie,
+-                    flags="<" if flags is not None else None,
++                    flags=self.endianness,
+                     type=reply.get_signature(True))  # noqa: FBT003
+         except BusError as error:
+             # actually, should send the fields from the message body
+-- 
+2.48.1
+

cockpit.changes

@@ -1,9 +1,28 @@
+-------------------------------------------------------------------
+Mon Apr  7 10:41:09 UTC 2025 - Alice Brooks <alice.brooks@suse.com>
+
+- Ensure cockpit-selinux-policies always installs the selinux policy
+  regardless of selinuxenabled status (bsc#1240787 and bsc#1240421)
+
+-------------------------------------------------------------------
+Wed Mar 19 06:56:06 UTC 2025 - Miika Alikirri <miika.alikirri@suse.com>
+
+- Patch python bridge to handle dbus message endianness correctly
+  - added 0008-pybridge-endian-flag.patch
+  (bsc#1220477)
+
+-------------------------------------------------------------------
+Wed Mar 12 04:23:06 UTC 2025 - Luna D Dragon <luna.dragon@suse.com>
+
+- move selinux policies to cockpit-selinux-policies bsc#1236057 
+
 -------------------------------------------------------------------
 Mon Mar 10 11:41:28 UTC 2025 - Alice Brooks <alice.brooks@suse.com>
 
 - Update to 334.1
   - Various bug fixes and improvements
   - Translation updates
+- npm modules updated, since new version
 
 -------------------------------------------------------------------
 Mon Feb 24 17:02:38 UTC 2025 - Adam Majer <adam.majer@suse.de>

cockpit.spec

@@ -77,6 +77,7 @@ Patch103:       0004-leap-gnu18-removal.patch
 Patch104:       selinux_libdir.patch
 Patch105:       fix-libexecdir.patch
 Patch106:       packagekit-single-install.patch
+Patch109:       0008-pybridge-endian-flag.patch
 
 Patch201:       remove_rh_links.patch
 
@@ -215,6 +216,7 @@ BuildRequires:  python3-pytest-timeout
 %patch -P 5 -p1
 %patch -P 106 -p1
 %patch -P 108 -p1
+%patch -P 109 -p1
 
 # SLE Micro specific patches
 %if 0%{?is_smo}
@@ -546,6 +548,7 @@ Requires(post): (policycoreutils if selinux-policy-%{selinuxtype})
 Conflicts: firewalld < 0.6.0-1
 Recommends: sscg >= 2.3
 Recommends: system-logos
+Requires:  (%{name}-selinux-policies if selinux-policy-base)
 Suggests: sssd-dbus
 %if 0%{?suse_version}
 Requires(pre): permissions
@@ -624,12 +627,6 @@ authentication via sssd/FreeIPA.
 %{_libexecdir}/cockpit-certificate-helper
 %{?suse_version:%verify(not mode) }%attr(4750, root, cockpit-wsinstance-socket) %{_libexecdir}/cockpit-session
 %{_datadir}/cockpit/branding
-%if 0%{?with_selinux}
-%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-%{_mandir}/man8/%{name}_session_selinux.8cockpit.*
-%{_mandir}/man8/%{name}_ws_selinux.8cockpit.*
-%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
-%endif
 
 %pre ws
 # HACK: old RPM and even Fedora's current RPM don't properly support sysusers
@@ -640,9 +637,6 @@ getent passwd cockpit-wsinstance-socket >/dev/null || useradd -r -g cockpit-wsin
 getent passwd cockpit-session-socket >/dev/null || useradd -r -g cockpit-session-socket -d /nonexisting -s /sbin/nologin -c "User for cockpit-session instances" cockpit-session-socket
 getent passwd cockpit-systemd-service >/dev/null || useradd -r -g cockpit-wsinstance-socket -d /nonexisting -s /sbin/nologin -c "User for cockpit.service" cockpit-systemd-service
 
-if %{_sbindir}/selinuxenabled 2>/dev/null; then
-    %selinux_relabel_pre -s %{selinuxtype}
-fi
 %if 0%{?suse_version} > 1500
 # Prepare for migration to /usr/lib; save any old .rpmsave
 for i in pam.d/cockpit ; do
@@ -651,11 +645,6 @@ done
 %endif
 
 %post ws
-if [ -x %{_sbindir}/selinuxenabled ]; then
-    %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-    %selinux_relabel_post -s %{selinuxtype}
-fi
-
 # set up dynamic motd/issue symlinks on first-time install; don't bring them back on upgrades if admin removed them
 # disable root login on first-time install; so existing installations aren't changed
 if [ "$1" = 1 ]; then
@@ -706,10 +695,6 @@ fi
 %systemd_preun cockpit.socket cockpit.service
 
 %postun ws
-if [ -x %{_sbindir}/selinuxenabled ]; then
-    %selinux_modules_uninstall -s %{selinuxtype} %{name}
-    %selinux_relabel_post -s %{selinuxtype}
-fi
 %systemd_postun_with_restart cockpit.socket cockpit.service
 
 %if 0%{?suse_version}
@@ -724,6 +709,37 @@ for i in pam.d/cockpit ; do
      test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
 done
 %endif
+%if 0%{?with_selinux}
+%package selinux-policies
+Summary: selinux policies required by cockpit
+
+%description selinux-policies
+package that contains selinux rules/policies needed by cockpit when selinux is enabled
+
+%files selinux-policies
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%{_mandir}/man8/%{name}_session_selinux.8cockpit.*
+%{_mandir}/man8/%{name}_ws_selinux.8cockpit.*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+
+%pre selinux-policies
+if %{_sbindir}/selinuxenabled 2>/dev/null; then
+    %selinux_relabel_pre -s %{selinuxtype}
+fi
+
+%post selinux-policies
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+if [ -x %{_sbindir}/selinuxenabled ]; then
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+
+%postun selinux-policies
+%selinux_modules_uninstall -s %{selinuxtype} %{name}
+if [ -x %{_sbindir}/selinuxenabled ]; then
+    %selinux_relabel_post -s %{selinuxtype}
+fi
+%endif
+
 
 # -------------------------------------------------------------------------------
 # Sub-packages that are part of cockpit-system in RHEL/CentOS, but separate in Fedora