- Drop varrun-convert.sh script as it causes issues with

container-selinux update (bsc#1228951)

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=252

selinux-policy.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Aug 14 07:00:34 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Drop varrun-convert.sh script as it causes issues with
+  container-selinux update (bsc#1228951)
+
 -------------------------------------------------------------------
 Mon Aug 12 15:30:47 UTC 2024 - cathy.hu@suse.com
 

selinux-policy.spec

@@ -61,9 +61,6 @@ Source30:       setrans-targeted.conf
 Source31:       setrans-mls.conf
 Source32:       setrans-minimum.conf
 
-# Script to convert /var/run file context entries to /run
-Source37:       varrun-convert.sh
-
 Source40:       securetty_types-targeted
 Source41:       securetty_types-mls
 Source42:       securetty_types-minimum
@@ -221,7 +218,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
-%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
 %nil
 
@@ -258,7 +254,6 @@ fi;
 
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
-%{_libexecdir}/selinux/varrun-convert.sh %2; \
 if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
   rm %{_sysconfdir}/selinux/%2/.rebuild; \
   /usr/sbin/semodule -B -n -s %2; \
@@ -315,7 +310,6 @@ of systems and used as the basis for creating other policies.
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
 %{_tmpfilesdir}/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
-%{_libexecdir}/selinux/varrun-convert.sh
 
 %package sandbox
 Summary:        SELinux policy sandbox
@@ -383,9 +377,6 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
  cp $i selinux_config
 done
 
-mkdir -p %{buildroot}%{_libexecdir}/selinux
-install -m 755  %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
-
 make clean
 %if %{BUILD_TARGETED}
 %makeCmds targeted mcs allow

varrun-convert.sh

@@ -1,105 +0,0 @@
-#!/bin/bash
-### varrun-convert.sh
-### convert legacy filecontext entries containing /var/run to /run
-### and load an extra selinux module with the new content
-### the script takes a policy name as an argument
-
-# Set DEBUG=yes before running the script to get more verbose output
-# on the terminal and to the $LOG file
-if [ "${DEBUG}" = "yes" ]; then
-  set -x
-fi
-
-# Auxiliary and log files will be created in OUTPUTDIR
-OUTPUTDIR="/run/selinux-policy"
-LOG="$OUTPUTDIR/log"
-mkdir -p ${OUTPUTDIR}
-
-if [ -z ${1} ]; then
-  [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
-  exit
-fi
-
-SEMODULEOPT="-s ${1}"
-[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
-
-# Take current file_contexts and unify whitespace separators
-FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
-FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
-if [ ! -f ${FILE_CONTEXTS} ]; then
-  [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
-  exit
-fi
-
-if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
-  [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
-  exit 0
-fi
-
-EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
-EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp"
-EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
-EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
-
-# Print only /var/run entries
-grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
-
-# Unify whitespace separators
-sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
-sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
-
-rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
-touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
-# Deduplicate already existing /var/run=/run entries
-while read line
-do
-  subline="${line#/var}"
-  if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
-    # check for overal duplicate entries
-    subline2=$(echo $line | sed -E -e 's/ \S+$//')
-    if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then
-      echo "$line"
-      echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
-    else
-      >&2 echo "DUP: $line"
-    fi
-  fi
-done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
-
-# Change /var/run to /run
-sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
-
-# Exception handling: packages with already duplicate entries
-sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
-sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
-sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
-
-# Change format to cil
-sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
-
-# Handle entries with <<none>> which do not match previous regexps
-sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
-
-# Wrap each line with an optional block
-i=1
-while read line
-do
-  echo "(optional extra_var_run_${i}"
-  echo "  $line"
-  echo ")"
-  ((i++))
-done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
-
-# Load module
-[ -s ${EXTRA_VARRUN_CIL} ] &&
-/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
-