!64 backport patches

From: @zgzxx 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

add-ExecStartPost-option-to-restorecond-service.patch

@@ -0,0 +1,29 @@
+From 6f7b8340fa9e8e1ca8d6b0a27a5b1c9a27cf4a85 Mon Sep 17 00:00:00 2001
+From: panxiaohe <panxh.life@foxmail.com>
+Date: Thu, 4 Aug 2022 17:01:38 +0800
+Subject: [PATCH] add ExecStartPost option to restorecond.service
+
+Add ExecStartPost option to restorecond.service in order not
+to display the following message when starting restorecond.
+"Can't open PID file /run/restorecond.pid (yet?) after start:
+No such file or directory" 
+
+---
+ restorecond-3.1/restorecond.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/restorecond-3.1/restorecond.service b/restorecond-3.1/restorecond.service
+index 0e4ea72..b3a8693 100644
+--- a/restorecond-3.1/restorecond.service
++++ b/restorecond-3.1/restorecond.service
+@@ -7,6 +7,7 @@ ConditionSecurity=selinux
+ [Service]
+ Type=forking
+ ExecStart=/usr/sbin/restorecond
++ExecStartPost=/usr/bin/sleep 0.1
+ PIDFile=/run/restorecond.pid
+ 
+ [Install]
+-- 
+2.27.0
+

backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch

@@ -0,0 +1,38 @@
+From 1fe82e5cf581158cdfa184c64218b0bade82b01a Mon Sep 17 00:00:00 2001
+From: Jie Lu <lujie54@huawei.com>
+Date: Mon, 5 Dec 2022 17:36:44 +0800
+Subject: [PATCH] policycoreutils: fix potential NULL reference in load_checks
+
+In load_checks(), add return check for malloc() to avoid NULL reference.
+
+Signed-off-by: Jie Lu <lujie54@huawei.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ policycoreutils/sestatus/sestatus.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policycoreutils-3.1/sestatus/sestatus.c b/policycoreutils-3.1/sestatus/sestatus.c
+index 7dcc9944..6c95828e 100644
+--- a/policycoreutils-3.1/sestatus/sestatus.c
++++ b/policycoreutils-3.1/sestatus/sestatus.c
+@@ -140,6 +140,8 @@ static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
+ 					pc[*npc] =
+ 					    (char *)malloc((buf_len) *
+ 							   sizeof(char));
++					if (!pc[*npc])
++						break;
+ 					memcpy(pc[*npc], bufp, buf_len);
+ 					(*npc)++;
+ 					bufp = NULL;
+@@ -150,6 +152,8 @@ static void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
+ 					fc[*nfc] =
+ 					    (char *)malloc((buf_len) *
+ 							   sizeof(char));
++					if (!fc[*nfc])
++						break;
+ 					memcpy(fc[*nfc], bufp, buf_len);
+ 					(*nfc)++;
+ 					bufp = NULL;
+-- 
+2.27.0
+

backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch

@@ -0,0 +1,65 @@
+From 7238ad32a3171d82bba9b99660e55399161236fc Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Wed, 19 Oct 2022 14:20:11 -0400
+Subject: [PATCH] python: Do not query the local database if the fcontext is
+ non-local
+
+Vit Mojzis reports that an error message is produced when modifying
+a non-local fcontext.
+
+He gives the following example:
+  # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
+  libsemanage.dbase_llist_query: could not query record value (No such file or directory).
+
+When modifying an fcontext, the non-local database is checked for the
+key and then, if it is not found there, the local database is checked.
+If the key doesn't exist, then an error is raised. If the key exists
+then the local database is queried first and, if that fails, the non-
+local database is queried.
+
+The error is from querying the local database when the fcontext is in
+the non-local database.
+
+Instead, if the fcontext is in the non-local database, just query
+the non-local database. Only query the local database if the
+fcontext was found in it.
+
+Reported-by: Vit Mojzis <vmojzis@redhat.com>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ selinux-python-3.1/semanage/seobject.py | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/selinux-python-3.1/semanage/seobject.py b/selinux-python-3.1/semanage/seobject.py
+index 0782c082..d82da494 100644
+--- a/selinux-python-3.1/semanage/seobject.py
++++ b/selinux-python-3.1/semanage/seobject.py
+@@ -2504,16 +2504,19 @@ class fcontextRecords(semanageRecords):
+         (rc, exists) = semanage_fcontext_exists(self.sh, k)
+         if rc < 0:
+             raise ValueError(_("Could not check if file context for %s is defined") % target)
+-        if not exists:
++        if exists:
++            try:
++                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
++            except OSError:
++                raise ValueError(_("Could not query file context for %s") % target)
++        else:
+             (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
++            if rc < 0:
++                raise ValueError(_("Could not check if file context for %s is defined") % target)
+             if not exists:
+                 raise ValueError(_("File context for %s is not defined") % target)
+-
+-        try:
+-            (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+-        except OSError:
+             try:
+-                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
++                (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+             except OSError:
+                 raise ValueError(_("Could not query file context for %s") % target)
+ 
+-- 
+2.27.0
+

backport-python-Split-semanage-import-into-two-transactions.patch

@@ -0,0 +1,63 @@
+From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 30 May 2022 14:20:21 +0200
+Subject: [PATCH] python: Split "semanage import" into two transactions
+
+First transaction applies all deletion operations, so that there are no
+collisions when applying the rest of the changes.
+
+Fixes:
+  # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
+  # semanage export | semanage import
+  ValueError: Port tcp/3024 already defined
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ selinux-python-3.1/semanage/semanage | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/selinux-python-3.1/semanage/semanage b/selinux-python-3.1/semanage/semanage
+index 8f4e44a7..1d828128 100644
+--- a/selinux-python-3.1/semanage/semanage
++++ b/selinux-python-3.1/semanage/semanage
+@@ -852,10 +852,29 @@ def handleImport(args):
+     trans = seobject.semanageRecords(args)
+     trans.start()
+ 
++    deleteCommands = []
++    commands = []
++    # separate commands for deletion from the rest so they can be
++    # applied in a separate transaction
+     for l in sys.stdin.readlines():
+         if len(l.strip()) == 0:
+             continue
++        if "-d" in l or "-D" in l:
++            deleteCommands.append(l)
++        else:
++            commands.append(l)
++
++    if deleteCommands:
++        importHelper(deleteCommands)
++        trans.finish()
++        trans.start()
++
++    importHelper(commands)
++    trans.finish()
+ 
++
++def importHelper(commands):
++    for l in commands:
+         try:
+             commandParser = createCommandParser()
+             args = commandParser.parse_args(mkargv(l))
+@@ -869,8 +888,6 @@ def handleImport(args):
+         except KeyboardInterrupt:
+             sys.exit(0)
+ 
+-    trans.finish()
+-
+ 
+ def setupImportParser(subparsers):
+     importParser = subparsers.add_parser('import', help=_('Import local customizations'))
+-- 
+2.23.0

backport-python-audit2allow-close-file-stream-on-error.patch

@@ -0,0 +1,48 @@
+From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 20 May 2022 14:51:07 +0200
+Subject: [PATCH] python/audit2allow: close file stream on error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+    sepolgen-ifgen-attr-helper.c: In function ‘load_policy’:
+    sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak]
+      196 |                 fprintf(stderr, "Out of memory!\n");
+          |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c b/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
+index 6f3ba962..5e6cffc1 100644
+--- a/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
++++ b/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
+@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename)
+ 	policydb = malloc(sizeof(policydb_t));
+ 	if (policydb == NULL) {
+ 		fprintf(stderr, "Out of memory!\n");
++		fclose(fp);
+ 		return NULL;
+ 	}
+ 
+ 	if (policydb_init(policydb)) {
+ 		fprintf(stderr, "Out of memory!\n");
+ 		free(policydb);
++		fclose(fp);
+ 		return NULL;
+ 	}
+ 
+@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename)
+ 		fprintf(stderr,
+ 			"error(s) encountered while parsing configuration\n");
+ 		free(policydb);
++		fclose(fp);
+ 		return NULL;
+ 	}
+ 
+-- 
+2.23.0

backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch

@@ -0,0 +1,39 @@
+From 7ff1d7f1c2a141a24a2af5db01fff07754ba18bc Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Mon, 12 Dec 2022 18:43:49 +0100
+Subject: [PATCH] sepolicy: Call os.makedirs() with exist_ok=True
+
+Since commit 7494bb1298b3 ("sepolicy: generate man pages in parallel")
+man pages are generated in parallel and there's a race between
+os.path.exists() and os.makedirs().
+
+The check os.path.exists() is not necessary when os.makedirs() is called
+with exist_ok=True.
+
+Fixes:
+/usr/bin/sepolicy manpage -a -p /__w/usr/share/man/man8/ -w -r /__w/
+FileExistsError: [Errno 17] File exists: '/__w/usr/share/man/man8/'
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ selinux-python-3.1/sepolicy/sepolicy/manpage.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/selinux-python-3.1/sepolicy/sepolicy/manpage.py b/selinux-python-3.1/sepolicy/sepolicy/manpage.py
+index edeb3b77..1bff8f9a 100755
+--- a/selinux-python-3.1/sepolicy/sepolicy/manpage.py
++++ b/selinux-python-3.1/sepolicy/sepolicy/manpage.py
+@@ -376,8 +376,7 @@ class ManPage:
+ 
+         self.fcdict = sepolicy.get_fcdict(self.fcpath)
+ 
+-        if not os.path.exists(path):
+-            os.makedirs(path)
++        os.makedirs(path, exist_ok=True)
+ 
+         self.path = path
+ 
+-- 
+2.27.0
+

fix-fixfiles-N-date-function-two.patch

@@ -0,0 +1,25 @@
+From 86e2c2a2594650cc37de9f135f294df285b4678b Mon Sep 17 00:00:00 2001
+From: openEuler Buildteam <buildteam@openeuler.org>
+Date: Fri, 4 Jun 2021 15:28:24 +0800
+Subject: [PATCH] fix fixfiles -N date function
+
+---
+ policycoreutils-3.1/scripts/fixfiles | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils-3.1/scripts/fixfiles b/policycoreutils-3.1/scripts/fixfiles
+index 8f5926a..21a1152 100755
+--- a/policycoreutils-3.1/scripts/fixfiles
++++ b/policycoreutils-3.1/scripts/fixfiles
+@@ -151,7 +151,7 @@ newer() {
+     shift
+     LogReadOnly
+     for m in `echo $FILESYSTEMSRW`; do
+-	find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
++	find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
+     done;
+ }
+ 
+-- 
+1.8.3.1
+

fix-fixfiles-N-date-function.patch

@@ -0,0 +1,25 @@
+From a1a6e90353e7a549cbe446cdecafc7eba9a1f7ca Mon Sep 17 00:00:00 2001
+From: openEuler Buildteam <buildteam@openeuler.org>
+Date: Fri, 4 Jun 2021 15:26:41 +0800
+Subject: [PATCH] fix fixfiles -N date function
+
+---
+ policycoreutils-3.1/scripts/fixfiles | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils-3.1/scripts/fixfiles b/policycoreutils-3.1/scripts/fixfiles
+index 5d77703..8f5926a 100755
+--- a/policycoreutils-3.1/scripts/fixfiles
++++ b/policycoreutils-3.1/scripts/fixfiles
+@@ -147,7 +147,7 @@ done
+ # Find files newer then the passed in date and fix the label
+ #
+ newer() {
+-    DATE=$1
++    DATE="$1 $2"
+     shift
+     LogReadOnly
+     for m in `echo $FILESYSTEMSRW`; do
+-- 
+1.8.3.1
+

policycoreutils.spec

@@ -3,7 +3,7 @@
 
 Name:      policycoreutils
 Version:   3.1
-Release:   4
+Release:   9
 Summary:   Policy core utilities of selinux
 License:   GPLv2
 URL:       https://github.com/SELinuxProject
@@ -19,7 +19,18 @@ Source9:   selinux-autorelabel-mark.service
 Source10:  selinux-autorelabel.target
 Source11:  selinux-autorelabel-generator.sh
 
-BuildRequires: pam-devel libsepol-static >= 3.1 libsemanage-static libselinux-devel  libcap-devel audit-libs-devel gettext
+Patch0:    fix-fixfiles-N-date-function.patch
+Patch1:    fix-fixfiles-N-date-function-two.patch
+Patch2:    add-ExecStartPost-option-to-restorecond-service.patch
+
+Patch6001:    backport-python-Split-semanage-import-into-two-transactions.patch
+Patch6002:    backport-python-audit2allow-close-file-stream-on-error.patch
+Patch6003:    backport-python-Do-not-query-the-local-database-if-the-fcontext-is-non-local.patch
+Patch6004:    backport-sepolicy-Call-os.makedirs-with-exist_ok-True.patch
+Patch6005:    backport-policycoreutils-fix-potential-NULL-reference-in-load_checks.patch
+
+BuildRequires: gcc
+BuildRequires: pam-devel libsepol-static >= 3.1 libsemanage-static >= 3.1 libselinux-devel >= 3.1  libcap-devel audit-libs-devel  gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python3-devel libcap-ng-devel
 BuildRequires: systemd systemd-units
 Requires:      libsepol >= 3.1 libselinux-utils util-linux grep gawk diffutils rpm sed coreutils
@@ -28,6 +39,7 @@ Provides:      %{name}-restorecond = %{version}-%{release}
 Obsoletes:     %{name}-restorecond < %{version}-%{release}
 Provides:      %{name}-newrole = %{version}-%{release}
 Obsoletes:     %{name}-newrole < %{version}-%{release}
+Obsoletes:     python2-policycoreutils
 Provides:      /sbin/fixfiles
 Provides:      /sbin/restorecon
 
@@ -38,11 +50,11 @@ It contains the selinux policy core utilities
 Summary:   python3 utilities for seLinux policy core
 %{?python_provide:%python_provide python3-policycoreutils}
 Requires:  policycoreutils = %{version}-%{release}
-Requires:  python3-libselinux python3-libsemanage
-Requires:  audit-libs-python3
+Requires:  python3-libselinux python3-libsemanage >= 3.1
+Requires:  audit-libs-python3 >= 2.8.5
 Requires:  python3-IPy
 Requires:  checkpolicy
-Requires:  python3-setools >= 4.1.1
+Requires:  python3-setools >= 4.3.0
 BuildArch: noarch
 
 Provides:  %{name}-python3 = %{version}-%{release}
@@ -261,7 +273,23 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 %{_mandir}/*
 
 %changelog
-* Tue Nov 30 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.1-4
+* Tue Apr 11 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.1-9
+- backport patches
+
+* Tue Aug 9 2022 panxiaohe <panxh.life@foxmail.com> - 3.1-8
+- add ExecStartPost option to restorecond.service
+
+* Fri Jun 4 2021 panxiaohe <panxiaohe@huawei.com> - 3.1-7
+- add gcc to BuildRequires
+- fix fixfiles -N date function
+
+* Sun Dec 13 2020 huaxinlu <1539327763@qq.com> - 3.1-6
+- add obsoletes of python2-policycoreutils
+
+* Tue Dec 1 2020 Liquor <lirui130@huawei.com> - 3.1-5
+- add the necessary version dependencies
+
+* Mon Nov 30 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.1-4
 - add version require of libsepol
 
 * Tue Nov 17 2020 Hugel <gengqihu1@huawei.com> - 3.1-3