backport patches

2023-04-11 14:35:44 +08:00 · 2023-04-11 14:35:44 +08:00 · 0c7bbc5fd4
commit 0c7bbc5fd4
parent 738a48aaaf
6 changed files with 263 additions and 1 deletions
--- a/backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch
+++ b/backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch
@ -0,0 +1,38 @@
+From 1fe82e5cf581158cdfa184c64218b0bade82b01a Mon Sep 17 00:00:00 2001
+From: Jie Lu <lujie54@huawei.com>
+Date: Mon, 5 Dec 2022 17:36:44 +0800
+Subject: [PATCH] policycoreutils: fix potential NULL reference in load_checks
+
+In load_checks(), add return check for malloc() to avoid NULL reference.
+
+Signed-off-by: Jie Lu <lujie54@huawei.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ policycoreutils/sestatus/sestatus.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policycoreutils-3.1/sestatus/sestatus.c b/policycoreutils-3.1/sestatus/sestatus.c
+index 7dcc9944..6c95828e 100644
+--- a/policycoreutils-3.1/sestatus/sestatus.c
+++ b/policycoreutils-3.1/sestatus/sestatus.c
+@@ -140,6 +140,8 @@ static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
+ 					pc[*npc] =
+ 					    (char *)malloc((buf_len) *
+ 							   sizeof(char));
+					if (!pc[*npc])
+						break;
+ 					memcpy(pc[*npc], bufp, buf_len);
+ 					(*npc)++;
+ 					bufp = NULL;
+@@ -150,6 +152,8 @@ static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
+ 					fc[*nfc] =
+ 					    (char *)malloc((buf_len) *
+ 							   sizeof(char));
+					if (!fc[*nfc])
+						break;
+ 					memcpy(fc[*nfc], bufp, buf_len);
+ 					(*nfc)++;
+ 					bufp = NULL;
+-- 
+2.27.0
+
--- a/backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch
+++ b/backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch
@ -0,0 +1,65 @@
+From 7238ad32a3171d82bba9b99660e55399161236fc Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Wed, 19 Oct 2022 14:20:11 -0400
+Subject: [PATCH] python: Do not query the local database if the fcontext is
+ non-local
+
+Vit Mojzis reports that an error message is produced when modifying
+a non-local fcontext.
+
+He gives the following example:
+  # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
+  libsemanage.dbase_llist_query: could not query record value (No such file or directory).
+
+When modifying an fcontext, the non-local database is checked for the
+key and then, if it is not found there, the local database is checked.
+If the key doesn't exist, then an error is raised. If the key exists
+then the local database is queried first and, if that fails, the non-
+local database is queried.
+
+The error is from querying the local database when the fcontext is in
+the non-local database.
+
+Instead, if the fcontext is in the non-local database, just query
+the non-local database. Only query the local database if the
+fcontext was found in it.
+
+Reported-by: Vit Mojzis <vmojzis@redhat.com>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ selinux-python-3.1/semanage/seobject.py | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/selinux-python-3.1/semanage/seobject.py b/selinux-python-3.1/semanage/seobject.py
+index 0782c082..d82da494 100644
+--- a/selinux-python-3.1/semanage/seobject.py
+++ b/selinux-python-3.1/semanage/seobject.py
+@@ -2504,16 +2504,19 @@ class fcontextRecords(semanageRecords):
+         (rc, exists) = semanage_fcontext_exists(self.sh, k)
+         if rc < 0:
+             raise ValueError(_("Could not check if file context for %s is defined") % target)
+-        if not exists:
+        if exists:
+            try:
+                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+            except OSError:
+                raise ValueError(_("Could not query file context for %s") % target)
+        else:
+             (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+            if rc < 0:
+                raise ValueError(_("Could not check if file context for %s is defined") % target)
+             if not exists:
+                 raise ValueError(_("File context for %s is not defined") % target)
+-
+-        try:
+-            (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+-        except OSError:
+             try:
+-                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+                (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+             except OSError:
+                 raise ValueError(_("Could not query file context for %s") % target)
+ 
+-- 
+2.27.0
+
--- a/backport-python-Split-semanage-import-into-two-transactions.patch
+++ b/backport-python-Split-semanage-import-into-two-transactions.patch
@ -0,0 +1,63 @@
+From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 30 May 2022 14:20:21 +0200
+Subject: [PATCH] python: Split "semanage import" into two transactions
+
+First transaction applies all deletion operations, so that there are no
+collisions when applying the rest of the changes.
+
+Fixes:
+  # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
+  # semanage export | semanage import
+  ValueError: Port tcp/3024 already defined
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ selinux-python-3.1/semanage/semanage | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/selinux-python-3.1/semanage/semanage b/selinux-python-3.1/semanage/semanage
+index 8f4e44a7..1d828128 100644
+--- a/selinux-python-3.1/semanage/semanage
+++ b/selinux-python-3.1/semanage/semanage
+@@ -852,10 +852,29 @@ def handleImport(args):
+     trans = seobject.semanageRecords(args)
+     trans.start()
+ 
+    deleteCommands = []
+    commands = []
+    # separate commands for deletion from the rest so they can be
+    # applied in a separate transaction
+     for l in sys.stdin.readlines():
+         if len(l.strip()) == 0:
+             continue
+        if "-d" in l or "-D" in l:
+            deleteCommands.append(l)
+        else:
+            commands.append(l)
+
+    if deleteCommands:
+        importHelper(deleteCommands)
+        trans.finish()
+        trans.start()
+
+    importHelper(commands)
+    trans.finish()
+ 
+
+def importHelper(commands):
+    for l in commands:
+         try:
+             commandParser = createCommandParser()
+             args = commandParser.parse_args(mkargv(l))
+@@ -869,8 +888,6 @@ def handleImport(args):
+         except KeyboardInterrupt:
+             sys.exit(0)
+ 
+-    trans.finish()
+-
+ 
+ def setupImportParser(subparsers):
+     importParser = subparsers.add_parser('import', help=_('Import local customizations'))
+-- 
+2.23.0
--- a/backport-python-audit2allow-close-file-stream-on-error.patch
+++ b/backport-python-audit2allow-close-file-stream-on-error.patch
@ -0,0 +1,48 @@
+From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 20 May 2022 14:51:07 +0200
+Subject: [PATCH] python/audit2allow: close file stream on error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+    sepolgen-ifgen-attr-helper.c: In function ‘load_policy’:
+    sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak]
+      196 |                 fprintf(stderr, "Out of memory!\n");
+          |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c b/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
+index 6f3ba962..5e6cffc1 100644
+--- a/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
+++ b/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
+@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename)
+ 	policydb = malloc(sizeof(policydb_t));
+ 	if (policydb == NULL) {
+ 		fprintf(stderr, "Out of memory!\n");
+		fclose(fp);
+ 		return NULL;
+ 	}
+ 
+ 	if (policydb_init(policydb)) {
+ 		fprintf(stderr, "Out of memory!\n");
+ 		free(policydb);
+		fclose(fp);
+ 		return NULL;
+ 	}
+ 
+@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename)
+ 		fprintf(stderr,
+ 			"error(s) encountered while parsing configuration\n");
+ 		free(policydb);
+		fclose(fp);
+ 		return NULL;
+ 	}
+ 
+-- 
+2.23.0
--- a/backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch
+++ b/backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch
@ -0,0 +1,39 @@
+From 7ff1d7f1c2a141a24a2af5db01fff07754ba18bc Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Mon, 12 Dec 2022 18:43:49 +0100
+Subject: [PATCH] sepolicy: Call os.makedirs() with exist_ok=True
+
+Since commit 7494bb1298b3 ("sepolicy: generate man pages in parallel")
+man pages are generated in parallel and there's a race between
+os.path.exists() and os.makedirs().
+
+The check os.path.exists() is not necessary when os.makedirs() is called
+with exist_ok=True.
+
+Fixes:
+/usr/bin/sepolicy manpage -a -p /__w/usr/share/man/man8/ -w -r /__w/
+FileExistsError: [Errno 17] File exists: '/__w/usr/share/man/man8/'
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ selinux-python-3.1/sepolicy/sepolicy/manpage.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/selinux-python-3.1/sepolicy/sepolicy/manpage.py b/selinux-python-3.1/sepolicy/sepolicy/manpage.py
+index edeb3b77..1bff8f9a 100755
+--- a/selinux-python-3.1/sepolicy/sepolicy/manpage.py
+++ b/selinux-python-3.1/sepolicy/sepolicy/manpage.py
+@@ -376,8 +376,7 @@ class ManPage:
+ 
+         self.fcdict = sepolicy.get_fcdict(self.fcpath)
+ 
+-        if not os.path.exists(path):
+-            os.makedirs(path)
+        os.makedirs(path, exist_ok=True)
+ 
+         self.path = path
+ 
+-- 
+2.27.0
+
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -3,7 +3,7 @@

 Name:      policycoreutils
 Version:   3.1
-Release:   8
+Release:   9
 Summary:   Policy core utilities of selinux
 License:   GPLv2
 URL:       https://github.com/SELinuxProject
@ -23,6 +23,12 @@ Patch0:    fix-fixfiles-N-date-function.patch
 Patch1:    fix-fixfiles-N-date-function-two.patch
 Patch2:    add-ExecStartPost-option-to-restorecond-service.patch

+Patch6001:    backport-python-Split-semanage-import-into-two-transactions.patch
+Patch6002:    backport-python-audit2allow-close-file-stream-on-error.patch
+Patch6003:    backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch
+Patch6004:    backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch
+Patch6005:    backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch
+
 BuildRequires: gcc
 BuildRequires: pam-devel libsepol-static >= 3.1 libsemanage-static >= 3.1 libselinux-devel >= 3.1  libcap-devel audit-libs-devel  gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel
@ -267,6 +273,9 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 %{_mandir}/*

 %changelog
+* Tue Apr 11 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.1-9
+- backport patches
+
 * Tue Aug 9 2022 panxiaohe <panxh.life@foxmail.com> - 3.1-8
 - add ExecStartPost option to restorecond.service