Accepting request 988988 from security:SELinux

OBS-URL: https://build.opensuse.org/request/show/988988 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=71
2022-07-18 16:32:42 +00:00 · 2022-07-18 16:32:42 +00:00 · 7a7e3bbc03
commit 7a7e3bbc03
parent 3cdf9f8d26 e9ab567ff0
5 changed files with 184 additions and 38 deletions
--- a/libselinux-bindings.spec
+++ b/libselinux-bindings.spec
@ -36,6 +36,7 @@ Patch4:         readv-proto.patch
 # Make linking working even when default pkg-config doesn’t provide -lpython<ver>
 Patch5:         python3.8-compat.patch
 Patch6:         swig4_moduleimport.patch
 Patch7:         restorecon_pin_file.patch
 BuildRequires:  libsepol-devel-static >= %{libsepol_ver}
 BuildRequires:  python-rpm-macros
 BuildRequires:  python3-devel
--- a/libselinux.changes
+++ b/libselinux.changes
@ -1,3 +1,14 @@
 -------------------------------------------------------------------
 Thu Jul  7 12:16:45 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Fixed initrd check in selinux-ready (bnc#1186127)
 -------------------------------------------------------------------
 Tue May 31 15:10:26 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Added restorecon_pin_file.patch. Fixes issus when running 
  fixfiles/restorecon
 -------------------------------------------------------------------
 Mon May  9 10:23:32 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
--- a/libselinux.spec
+++ b/libselinux.spec
@ -32,6 +32,7 @@ Source4:        baselibs.conf
 # PATCH-FIX-UPSTREAM Include <sys/uio.h> for readv prototype
 Patch4:         readv-proto.patch
 Patch5:         skip_cycles.patch
 Patch7:         restorecon_pin_file.patch
 BuildRequires:  fdupes
 BuildRequires:  libsepol-devel >= %{libsepol_ver}
 BuildRequires:  pkgconfig
@ -101,6 +102,7 @@ necessary to develop your own software using libselinux.
 %setup -q -n libselinux-%{version}
 %patch4 -p1
 %patch5 -p1
 %patch7 -p1
 %build
 %define _lto_cflags %{nil}
--- a/restorecon_pin_file.patch
+++ b/restorecon_pin_file.patch
@ -0,0 +1,139 @@
 Index: libselinux-3.4/src/selinux_restorecon.c
 ===================================================================
 --- libselinux-3.4.orig/src/selinux_restorecon.c
 +++ libselinux-3.4/src/selinux_restorecon.c
@@ -623,13 +623,13 @@ out:
 	return rc;
 }
 -static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool first)
 +static int restorecon_sb(const char *pathname, const struct stat *sb,
 +			    struct rest_flags *flags, bool first)
 {
 	char *newcon = NULL;
 	char *curcon = NULL;
 	char *newtypecon = NULL;
 -	int fd = -1, rc;
 -	struct stat stat_buf;
 +	int rc;
 	bool updated = false;
 	const char *lookup_path = pathname;
 	float pc;
@@ -644,21 +644,13 @@ static int restorecon_sb(const char *pat
 		lookup_path += rootpathlen;
 	}
 -	fd = open(pathname, O_PATH | O_NOFOLLOW | O_EXCL);
 -	if (fd < 0)
 -		goto err;
 -
 -	rc = fstat(fd, &stat_buf);
 -	if (rc < 0)
 -		goto err;
 -
 	if (rootpath != NULL && lookup_path[0] == '\0')
 		/* this is actually the root dir of the alt root. */
 		rc = selabel_lookup_raw(fc_sehandle, &newcon, "/",
 -						    stat_buf.st_mode);
 +						    sb->st_mode);
 	else
 		rc = selabel_lookup_raw(fc_sehandle, &newcon, lookup_path,
 -						    stat_buf.st_mode);
 +						    sb->st_mode);
 	if (rc < 0) {
 		if (errno == ENOENT) {
@@ -667,10 +659,10 @@ static int restorecon_sb(const char *pat
 					    "Warning no default label for %s\n",
 					    lookup_path);
 -			goto out; /* no match, but not an error */
 +			return 0; /* no match, but not an error */
 		}
 -		goto err;
 +		return -1;
 	}
 	if (flags->progress) {
@@ -690,17 +682,19 @@ static int restorecon_sb(const char *pat
 	}
 	if (flags->add_assoc) {
 -		rc = filespec_add(stat_buf.st_ino, newcon, pathname, flags);
 +		rc = filespec_add(sb->st_ino, newcon, pathname, flags);
 		if (rc < 0) {
 			selinux_log(SELINUX_ERROR,
 				    "filespec_add error: %s\n", pathname);
 -			goto out1;
 +			freecon(newcon);
 +			return -1;
 		}
 		if (rc > 0) {
 			/* Already an association and it took precedence. */
 -			goto out;
 +			freecon(newcon);
 +			return 0;
 		}
 	}
@@ -708,7 +702,7 @@ static int restorecon_sb(const char *pat
 		selinux_log(SELINUX_INFO, "%s matched by %s\n",
 			    pathname, newcon);
 -	if (fgetfilecon_raw(fd, &curcon) < 0) {
 +	if (lgetfilecon_raw(pathname, &curcon) < 0) {
 		if (errno != ENODATA)
 			goto err;
@@ -741,7 +735,7 @@ static int restorecon_sb(const char *pat
 		}
 		if (!flags->nochange) {
 -			if (fsetfilecon(fd, newcon) < 0)
 +			if (lsetfilecon(pathname, newcon) < 0)
 				goto err;
 			updated = true;
 		}
@@ -766,8 +760,6 @@ static int restorecon_sb(const char *pat
 out:
 	rc = 0;
 out1:
 -	if (fd >= 0)
 -		close(fd);
 	freecon(curcon);
 	freecon(newcon);
 	return rc;
@@ -865,6 +857,7 @@ static void *selinux_restorecon_thread(v
 	FTSENT *ftsent;
 	int error;
 	char ent_path[PATH_MAX];
 +	struct stat ent_st;
 	bool first = false;
 	if (state->parallel)
@@ -963,11 +956,11 @@ loop_body:
 			/* fall through */
 		default:
 			strcpy(ent_path, ftsent->fts_path);
 -
 +			ent_st = *ftsent->fts_statp;
 			if (state->parallel)
 				pthread_mutex_unlock(&state->mutex);
 -			error = restorecon_sb(ent_path, &state->flags,
 +			error = restorecon_sb(ent_path, &ent_st, &state->flags,
 					      first);
 			if (state->parallel) {
@@ -1163,7 +1156,7 @@ static int selinux_restorecon_common(con
 			goto cleanup;
 		}
 -		error = restorecon_sb(pathname, &state.flags, true);
 +		error = restorecon_sb(pathname, &sb, &state.flags, true);
 		goto cleanup;
 	}
--- a/69
+++ b/69
@ -67,54 +67,47 @@ check_boot()
 check_mkinitrd()
 {
 	if [ "$INITRD" == "unknown" ]; then
 		return 1
 	fi
 	MCMD="mount.*/root/proc.*"
-	if ! [ -f "/boot/$INITRD" ];then
+	if ! [ -f "/boot/initrd" ];then
-		printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/$INITRD'\n"
+		printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/initrd'\n"
 		return 2
 	fi
 	cp /boot/$INITRD $TD/ 2>/dev/null
 	if ! [ -f "$TD/$INITRD" ];then
 		printf "\tcheck_mkinitrd: ERR. Error while copying initrd file.'\n"
 		return 2
 	fi
 	cp /boot/initrd $TD/ 2>/dev/null
 	pushd . 2>&1>/dev/null
 	cd $TD
 	mkdir initrd-extracted
 	cd initrd-extracted
-	INITRD_FORMAT=$(file $TD/$INITRD | awk -F' ' '{print $2}')
+	INITRD_FORMAT=$(file $TD/initrd | awk -F' ' '{print $2}')
-  case $INITRD_FORMAT in
+	case $INITRD_FORMAT in
-  'XZ' )
+	  'XZ' )
-    xz -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
+	     xz -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
-  'ASCII' )
+	  'ASCII' )
-    /usr/lib/dracut/skipcpio $TD/$INITRD | xz -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
+	    /usr/lib/dracut/skipcpio $TD/initrd | zstd -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
-  'gzip' )
+	  'gzip' )
-    gzip -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
+	    gzip -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
-  * )
+          'Zstandard' )
-		printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n"
+            zstd -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
-    return 2
+	  * )
-  esac
+	    printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n"
-  if [ -d boot ]; then 
+	    return 2
-    grep -E -- $MCMD boot/* 2>&1 >/dev/null
+	esac
-    FLG1=$?
+	if [ -d boot ]; then 
-    grep -E -- load_policy boot/* 2>&1 >/dev/null
+	  grep -E -- $MCMD boot/* 2>&1 >/dev/null
-    FLG2=$?
+	  FLG1=$?
-  else
+	  grep -E -- load_policy boot/* 2>&1 >/dev/null
-    # looks like we're using dracut/systemd. We can only check if libselinux1
+	  FLG2=$?
-    # exists
+	else
-    if [ -f lib64/libselinux.so.1 ]; then
+	  # looks like we're using dracut/systemd. We can only check if libselinux1
-      # if this exists 
+	  # exists
-      FLG1=0
+	  if [ -f lib64/libselinux.so.1 ]; then
-      FLG2=0
+	    # if this exists 
-    fi
+	    FLG1=0
-  fi
+	    FLG2=0
 	  fi
 	fi
 	popd 2>&1>/dev/null
 	if [ $FLG1 == 0 -a $FLG2 == 0 ];then