Accepting request 1218003 from security:SELinux

- Fix issue where inotify events are not being handled properly
  * added: 1231512-Set-GLib-IO-channels-to-binary-mode.patch
- Fix issue where restorecond -u is not terminating with SIGTERM (bsc#1231512)
  * added: 1231512-Set-GLib-IO-channels-to-nonblocking.patch

OBS-URL: https://build.opensuse.org/request/show/1218003
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/restorecond?expand=0&rev=16

1231512-Set-GLib-IO-channels-to-binary-mode.patch

@@ -0,0 +1,30 @@
+By default, GIO channels use UTF-8 as encoding, which causes issues when
+reading binary data such as inotify events.
+
+Signed-off-by: Fabian Vogt <fvogt@suse.de>
+---
+ restorecond/user.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/restorecond/user.c b/restorecond/user.c
+index 3ae3ebbb7230..7188c22e3119 100644
+--- a/restorecond/user.c
++++ b/restorecond/user.c
+@@ -238,6 +238,7 @@ static int local_server(void) {
+ 	}
+ 	/* watch for stdin/terminal going away */
+ 	GIOChannel *in = g_io_channel_unix_new(0);
++	g_io_channel_set_encoding(in, NULL, NULL);
+ 	g_io_add_watch_full( in,
+ 			     G_PRIORITY_HIGH,
+ 			     G_IO_IN|G_IO_ERR|G_IO_HUP,
+@@ -282,6 +283,7 @@ int server(int master_fd, const char *watch_file) {
+ 	set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+ 
+ 	GIOChannel *c = g_io_channel_unix_new(master_fd);
++	g_io_channel_set_encoding(c, NULL, NULL);
+ 
+ 	g_io_add_watch_full(c,
+ 			    G_PRIORITY_HIGH,
+--
+2.47.0

1231512-Set-GLib-IO-channels-to-nonblocking.patch

@@ -0,0 +1,32 @@
+Without nonblocking IO, g_io_channel_read_chars waits indefinitely for more
+data without ever returning control to the event loop.
+
+Set the IO channels to nonblocking to fix SIGTERM handling.
+
+Signed-off-by: Fabian Vogt <fvogt@suse.de>
+---
+ restorecond/user.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/restorecond/user.c b/restorecond/user.c
+index 7188c22e3119..25e70ae15b94 100644
+--- a/restorecond/user.c
++++ b/restorecond/user.c
+@@ -239,6 +239,7 @@ static int local_server(void) {
+ 	/* watch for stdin/terminal going away */
+ 	GIOChannel *in = g_io_channel_unix_new(0);
+ 	g_io_channel_set_encoding(in, NULL, NULL);
++	g_io_channel_set_flags(in, g_io_channel_get_flags(in) | G_IO_FLAG_NONBLOCK, NULL);
+ 	g_io_add_watch_full( in,
+ 			     G_PRIORITY_HIGH,
+ 			     G_IO_IN|G_IO_ERR|G_IO_HUP,
+@@ -284,6 +285,7 @@ int server(int master_fd, const char *watch_file) {
+ 
+ 	GIOChannel *c = g_io_channel_unix_new(master_fd);
+ 	g_io_channel_set_encoding(c, NULL, NULL);
++	g_io_channel_set_flags(c, g_io_channel_get_flags(c) | G_IO_FLAG_NONBLOCK, NULL);
+ 
+ 	g_io_add_watch_full(c,
+ 			    G_PRIORITY_HIGH,
+--
+2.47.0

restorecond.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Oct 24 09:58:41 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Fix issue where inotify events are not being handled properly
+  * added: 1231512-Set-GLib-IO-channels-to-binary-mode.patch
+- Fix issue where restorecond -u is not terminating with SIGTERM (bsc#1231512)
+  * added: 1231512-Set-GLib-IO-channels-to-nonblocking.patch
+
 -------------------------------------------------------------------
 Mon Jul  1 08:12:59 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
 

restorecond.spec

@@ -28,6 +28,8 @@ Source0:        https://github.com/SELinuxProject/selinux/releases/download/%{ve
 Source1:        https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
 Source2:        restorecond.keyring
 Patch0:         harden_restorecond.service.patch
+Patch1:         1231512-Set-GLib-IO-channels-to-binary-mode.patch
+Patch2:         1231512-Set-GLib-IO-channels-to-nonblocking.patch
 BuildRequires:  dbus-1-glib-devel
 BuildRequires:  libselinux-devel >= %{libselinux_ver}
 Requires:       libselinux1 >= %{libselinux_ver}
@@ -39,6 +41,8 @@ Daemon that watches for file creation and then sets the default SELinux file con
 %prep
 %setup -q
 %patch -P0 -p1
+%patch -P1 -p2
+%patch -P2 -p2
 
 %build
 export CFLAGS="%optflags"