Accepting request 1218003 from security:SELinux

- Fix issue where inotify events are not being handled properly
  * added: 1231512-Set-GLib-IO-channels-to-binary-mode.patch
- Fix issue where restorecond -u is not terminating with SIGTERM (bsc#1231512)
  * added: 1231512-Set-GLib-IO-channels-to-nonblocking.patch

OBS-URL: https://build.opensuse.org/request/show/1218003
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/restorecond?expand=0&rev=16

1231512-Set-GLib-IO-channels-to-binary-mode.patch

@@ -0,0 +1,30 @@
+By default, GIO channels use UTF-8 as encoding, which causes issues when
+reading binary data such as inotify events.
+
+Signed-off-by: Fabian Vogt <fvogt@suse.de>
+---
+ restorecond/user.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/restorecond/user.c b/restorecond/user.c
+index 3ae3ebbb7230..7188c22e3119 100644
+--- a/restorecond/user.c
++++ b/restorecond/user.c
+@@ -238,6 +238,7 @@ static int local_server(void) {
+ 	}
+ 	/* watch for stdin/terminal going away */
+ 	GIOChannel *in = g_io_channel_unix_new(0);
++	g_io_channel_set_encoding(in, NULL, NULL);
+ 	g_io_add_watch_full( in,
+ 			     G_PRIORITY_HIGH,
+ 			     G_IO_IN|G_IO_ERR|G_IO_HUP,
+@@ -282,6 +283,7 @@ int server(int master_fd, const char *watch_file) {
+ 	set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+ 
+ 	GIOChannel *c = g_io_channel_unix_new(master_fd);
++	g_io_channel_set_encoding(c, NULL, NULL);
+ 
+ 	g_io_add_watch_full(c,
+ 			    G_PRIORITY_HIGH,
+--
+2.47.0

1231512-Set-GLib-IO-channels-to-nonblocking.patch

@@ -0,0 +1,32 @@
+Without nonblocking IO, g_io_channel_read_chars waits indefinitely for more
+data without ever returning control to the event loop.
+
+Set the IO channels to nonblocking to fix SIGTERM handling.
+
+Signed-off-by: Fabian Vogt <fvogt@suse.de>
+---
+ restorecond/user.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/restorecond/user.c b/restorecond/user.c
+index 7188c22e3119..25e70ae15b94 100644
+--- a/restorecond/user.c
++++ b/restorecond/user.c
+@@ -239,6 +239,7 @@ static int local_server(void) {
+ 	/* watch for stdin/terminal going away */
+ 	GIOChannel *in = g_io_channel_unix_new(0);
+ 	g_io_channel_set_encoding(in, NULL, NULL);
++	g_io_channel_set_flags(in, g_io_channel_get_flags(in) | G_IO_FLAG_NONBLOCK, NULL);
+ 	g_io_add_watch_full( in,
+ 			     G_PRIORITY_HIGH,
+ 			     G_IO_IN|G_IO_ERR|G_IO_HUP,
+@@ -284,6 +285,7 @@ int server(int master_fd, const char *watch_file) {
+ 
+ 	GIOChannel *c = g_io_channel_unix_new(master_fd);
+ 	g_io_channel_set_encoding(c, NULL, NULL);
++	g_io_channel_set_flags(c, g_io_channel_get_flags(c) | G_IO_FLAG_NONBLOCK, NULL);
+ 
+ 	g_io_add_watch_full(c,
+ 			    G_PRIORITY_HIGH,
+--
+2.47.0

restorecond-3.6.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8f8aa2c6c66bcc6d91c6edd63913e5d738de6428928f27d1019d89c31cf347b1
-size 18020

restorecond-3.6.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEG+LA/wiUliMQL9JWRpWIHCVFCNEFAmV5xAMACgkQRpWIHCVF
-CNFXsw//RSQSkQcUwzxy+sVlv5IQnKNfc45b8xgsVmIkxfA5prVEPaQf+SAcuaQj
-PQ9ukDHBr07vtfyPRYm/eRmPZW/6s6FLrGEwhu4mnIJMuL84nB229IraSQeHRK5n
-53G+xuCMz3+fm8fZqyyr8XN1QS+ReVTeE1rFEGYTceAW2R+bYTfAoJXA+ExsQO/R
-d7U23+JyrLY5xADbaszvE1v2fDyTxhaGrdT+QmqySqcnrt8BF1sGbX46sEoyIUyh
-jgVy5dOfI11TxxZ3+uJovZmD6K1pQKcHuC7X/9LlGsoIOjdVz42DJlAcr2nGdPjc
-8GyC6dgCnWhisl1ePZMY7cW2LYXQvKnf7YH0KXRVtywuGX4mKD+PXmekJgfP20vz
-EeXkPMuRsHpnWhUcvPzxpVtlqsdVLKKVIhsKBQ/m5q8aplxM21xr5Ed/SZ+t2BA1
-H5G2L7wwGU88AOmRfYqkC/ebjozSS7e0htAm92gdC3g8hUbm04XsHJSRXfDHkqNu
-wkQJ6Y6A0M33Pc3YZFg+YnLL2Bb3F9+SxOh28YilEDtqgMBVyzlUhN2T4/oegABn
-G77GRVV3HG9e7kMpA/Oek77r055RN/E684NfpqN8pfoA/6LvtVh+LO2twT6YjO6t
-BpZWuPGPvlnjZiKUanDs9zNVshngq8gOuGhFqSt6uvMf+lO+BAE=
-=hHoX
------END PGP SIGNATURE-----

restorecond.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Oct 24 09:58:41 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Fix issue where inotify events are not being handled properly
+  * added: 1231512-Set-GLib-IO-channels-to-binary-mode.patch
+- Fix issue where restorecond -u is not terminating with SIGTERM (bsc#1231512)
+  * added: 1231512-Set-GLib-IO-channels-to-nonblocking.patch
+
 -------------------------------------------------------------------
 Mon Jul  1 08:12:59 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
 

restorecond.spec

@@ -28,6 +28,8 @@ Source0:        https://github.com/SELinuxProject/selinux/releases/download/%{ve
 Source1:        https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
 Source2:        restorecond.keyring
 Patch0:         harden_restorecond.service.patch
+Patch1:         1231512-Set-GLib-IO-channels-to-binary-mode.patch
+Patch2:         1231512-Set-GLib-IO-channels-to-nonblocking.patch
 BuildRequires:  dbus-1-glib-devel
 BuildRequires:  libselinux-devel >= %{libselinux_ver}
 Requires:       libselinux1 >= %{libselinux_ver}
@@ -39,6 +41,8 @@ Daemon that watches for file creation and then sets the default SELinux file con
 %prep
 %setup -q
 %patch -P0 -p1
+%patch -P1 -p2
+%patch -P2 -p2
 
 %build
 export CFLAGS="%optflags"