backport patches

2023-04-11 14:35:44 +08:00 · 2023-04-11 14:35:44 +08:00 · 0c7bbc5fd4
commit 0c7bbc5fd4
parent 738a48aaaf
6 changed files with 263 additions and 1 deletions
--- a/backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch
+++ b/backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch
@ -0,0 +1,38 @@
 From 1fe82e5cf581158cdfa184c64218b0bade82b01a Mon Sep 17 00:00:00 2001
 From: Jie Lu <lujie54@huawei.com>
 Date: Mon, 5 Dec 2022 17:36:44 +0800
 Subject: [PATCH] policycoreutils: fix potential NULL reference in load_checks
 In load_checks(), add return check for malloc() to avoid NULL reference.
 Signed-off-by: Jie Lu <lujie54@huawei.com>
 Acked-by: James Carter <jwcart2@gmail.com>
 ---
 policycoreutils/sestatus/sestatus.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/policycoreutils-3.1/sestatus/sestatus.c b/policycoreutils-3.1/sestatus/sestatus.c
 index 7dcc9944..6c95828e 100644
 --- a/policycoreutils-3.1/sestatus/sestatus.c
 +++ b/policycoreutils-3.1/sestatus/sestatus.c
@@ -140,6 +140,8 @@ static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
 					pc[*npc] =
 					    (char *)malloc((buf_len) *
 							   sizeof(char));
 +					if (!pc[*npc])
 +						break;
 					memcpy(pc[*npc], bufp, buf_len);
 					(*npc)++;
 					bufp = NULL;
@@ -150,6 +152,8 @@ static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
 					fc[*nfc] =
 					    (char *)malloc((buf_len) *
 							   sizeof(char));
 +					if (!fc[*nfc])
 +						break;
 					memcpy(fc[*nfc], bufp, buf_len);
 					(*nfc)++;
 					bufp = NULL;
 -- 
 2.27.0
--- a/backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch
+++ b/backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch
@ -0,0 +1,65 @@
 From 7238ad32a3171d82bba9b99660e55399161236fc Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Wed, 19 Oct 2022 14:20:11 -0400
 Subject: [PATCH] python: Do not query the local database if the fcontext is
 non-local
 Vit Mojzis reports that an error message is produced when modifying
 a non-local fcontext.
 He gives the following example:
  # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
  libsemanage.dbase_llist_query: could not query record value (No such file or directory).
 When modifying an fcontext, the non-local database is checked for the
 key and then, if it is not found there, the local database is checked.
 If the key doesn't exist, then an error is raised. If the key exists
 then the local database is queried first and, if that fails, the non-
 local database is queried.
 The error is from querying the local database when the fcontext is in
 the non-local database.
 Instead, if the fcontext is in the non-local database, just query
 the non-local database. Only query the local database if the
 fcontext was found in it.
 Reported-by: Vit Mojzis <vmojzis@redhat.com>
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 selinux-python-3.1/semanage/seobject.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
 diff --git a/selinux-python-3.1/semanage/seobject.py b/selinux-python-3.1/semanage/seobject.py
 index 0782c082..d82da494 100644
 --- a/selinux-python-3.1/semanage/seobject.py
 +++ b/selinux-python-3.1/semanage/seobject.py
@@ -2504,16 +2504,19 @@ class fcontextRecords(semanageRecords):
         (rc, exists) = semanage_fcontext_exists(self.sh, k)
         if rc < 0:
             raise ValueError(_("Could not check if file context for %s is defined") % target)
 -        if not exists:
 +        if exists:
 +            try:
 +                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
 +            except OSError:
 +                raise ValueError(_("Could not query file context for %s") % target)
 +        else:
             (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
 +            if rc < 0:
 +                raise ValueError(_("Could not check if file context for %s is defined") % target)
             if not exists:
                 raise ValueError(_("File context for %s is not defined") % target)
 -
 -        try:
 -            (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
 -        except OSError:
             try:
 -                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
 +                (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
             except OSError:
                 raise ValueError(_("Could not query file context for %s") % target)
 -- 
 2.27.0
--- a/backport-python-Split-semanage-import-into-two-transactions.patch
+++ b/backport-python-Split-semanage-import-into-two-transactions.patch
@ -0,0 +1,63 @@
 From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Mon, 30 May 2022 14:20:21 +0200
 Subject: [PATCH] python: Split "semanage import" into two transactions
 First transaction applies all deletion operations, so that there are no
 collisions when applying the rest of the changes.
 Fixes:
  # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
  # semanage export | semanage import
  ValueError: Port tcp/3024 already defined
 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 ---
 selinux-python-3.1/semanage/semanage | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
 diff --git a/selinux-python-3.1/semanage/semanage b/selinux-python-3.1/semanage/semanage
 index 8f4e44a7..1d828128 100644
 --- a/selinux-python-3.1/semanage/semanage
 +++ b/selinux-python-3.1/semanage/semanage
@@ -852,10 +852,29 @@ def handleImport(args):
     trans = seobject.semanageRecords(args)
     trans.start()
 +    deleteCommands = []
 +    commands = []
 +    # separate commands for deletion from the rest so they can be
 +    # applied in a separate transaction
     for l in sys.stdin.readlines():
         if len(l.strip()) == 0:
             continue
 +        if "-d" in l or "-D" in l:
 +            deleteCommands.append(l)
 +        else:
 +            commands.append(l)
 +
 +    if deleteCommands:
 +        importHelper(deleteCommands)
 +        trans.finish()
 +        trans.start()
 +
 +    importHelper(commands)
 +    trans.finish()
 +
 +def importHelper(commands):
 +    for l in commands:
         try:
             commandParser = createCommandParser()
             args = commandParser.parse_args(mkargv(l))
@@ -869,8 +888,6 @@ def handleImport(args):
         except KeyboardInterrupt:
             sys.exit(0)
 -    trans.finish()
 -
 def setupImportParser(subparsers):
     importParser = subparsers.add_parser('import', help=_('Import local customizations'))
 -- 
 2.23.0
--- a/backport-python-audit2allow-close-file-stream-on-error.patch
+++ b/backport-python-audit2allow-close-file-stream-on-error.patch
@ -0,0 +1,48 @@
 From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
 Date: Fri, 20 May 2022 14:51:07 +0200
 Subject: [PATCH] python/audit2allow: close file stream on error
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
    sepolgen-ifgen-attr-helper.c: In function ‘load_policy’:
    sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak]
      196 |                 fprintf(stderr, "Out of memory!\n");
          |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 Acked-by: James Carter <jwcart2@gmail.com>
 ---
 selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c b/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
 index 6f3ba962..5e6cffc1 100644
 --- a/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
 +++ b/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename)
 	policydb = malloc(sizeof(policydb_t));
 	if (policydb == NULL) {
 		fprintf(stderr, "Out of memory!\n");
 +		fclose(fp);
 		return NULL;
 	}
 	if (policydb_init(policydb)) {
 		fprintf(stderr, "Out of memory!\n");
 		free(policydb);
 +		fclose(fp);
 		return NULL;
 	}
@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename)
 		fprintf(stderr,
 			"error(s) encountered while parsing configuration\n");
 		free(policydb);
 +		fclose(fp);
 		return NULL;
 	}
 -- 
 2.23.0
--- a/backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch
+++ b/backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch
@ -0,0 +1,39 @@
 From 7ff1d7f1c2a141a24a2af5db01fff07754ba18bc Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <lautrbach@redhat.com>
 Date: Mon, 12 Dec 2022 18:43:49 +0100
 Subject: [PATCH] sepolicy: Call os.makedirs() with exist_ok=True
 Since commit 7494bb1298b3 ("sepolicy: generate man pages in parallel")
 man pages are generated in parallel and there's a race between
 os.path.exists() and os.makedirs().
 The check os.path.exists() is not necessary when os.makedirs() is called
 with exist_ok=True.
 Fixes:
 /usr/bin/sepolicy manpage -a -p /__w/usr/share/man/man8/ -w -r /__w/
 FileExistsError: [Errno 17] File exists: '/__w/usr/share/man/man8/'
 Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
 Acked-by: James Carter <jwcart2@gmail.com>
 ---
 selinux-python-3.1/sepolicy/sepolicy/manpage.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/selinux-python-3.1/sepolicy/sepolicy/manpage.py b/selinux-python-3.1/sepolicy/sepolicy/manpage.py
 index edeb3b77..1bff8f9a 100755
 --- a/selinux-python-3.1/sepolicy/sepolicy/manpage.py
 +++ b/selinux-python-3.1/sepolicy/sepolicy/manpage.py
@@ -376,8 +376,7 @@ class ManPage:
         self.fcdict = sepolicy.get_fcdict(self.fcpath)
 -        if not os.path.exists(path):
 -            os.makedirs(path)
 +        os.makedirs(path, exist_ok=True)
         self.path = path
 -- 
 2.27.0
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -3,7 +3,7 @@
 Name:      policycoreutils
 Version:   3.1
-Release:   8
+Release:   9
 Summary:   Policy core utilities of selinux
 License:   GPLv2
 URL:       https://github.com/SELinuxProject
@ -23,6 +23,12 @@ Patch0:    fix-fixfiles-N-date-function.patch
 Patch1:    fix-fixfiles-N-date-function-two.patch
 Patch2:    add-ExecStartPost-option-to-restorecond-service.patch
 Patch6001:    backport-python-Split-semanage-import-into-two-transactions.patch
 Patch6002:    backport-python-audit2allow-close-file-stream-on-error.patch
 Patch6003:    backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch
 Patch6004:    backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch
 Patch6005:    backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch
 BuildRequires: gcc
 BuildRequires: pam-devel libsepol-static >= 3.1 libsemanage-static >= 3.1 libselinux-devel >= 3.1  libcap-devel audit-libs-devel  gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel
@ -267,6 +273,9 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 %{_mandir}/*
 %changelog
 * Tue Apr 11 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.1-9
 - backport patches
 * Tue Aug 9 2022 panxiaohe <panxh.life@foxmail.com> - 3.1-8
 - add ExecStartPost option to restorecond.service