PR#16: libsemanage-3.5-2 - rpms/libsemanage

rpms / libsemanage

#16 libsemanage-3.5-2

Merged a year ago by plautrba. Opened a year ago by plautrba.

rpms/ plautrba/libsemanage rawhide into rawhide

Petr Lautrbach • a year ago

b124ac6

0001-libsemanage-include-more-parameters-in-the-module-ch.patch

file added

+103

		`@@ -0,0 +1,103 @@`
		`+ From a6b472835502d5fc9fc263db07de69527943ac91 Mon Sep 17 00:00:00 2001`
		`+ From: Ondrej Mosnacek <omosnace@redhat.com>`
		`+ Date: Wed, 8 Mar 2023 10:46:42 +0100`
		`+ Subject: [PATCH] libsemanage: include more parameters in the module checksum`
		`+ Content-type: text/plain`
		`+`
		`+ The check_ext_changes option currently assumes that as long as the`
		`+ module content is unchanged, it is safe to assume that the policy.linked`
		`+ file doesn't need to be rebuilt. However, there are some additional`
		`+ parameters that can affect the content of this policy file, namely:`
		`+ * the disable_dontaudit and preserve_tunables flags`
		`+ * the target_platform and policyvers configuration values`
		`+`
		`+ Include these in the checksum so that the option works correctly when`
		`+ only some of these input values are changed versus the current state.`
		`+`
		`+ Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")`
		`+ Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>`
		`+ Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>`
		`+ ---`
		`+ libsemanage/src/direct_api.c \| 31 +++++++++++++++++++++++++++++--`
		`+ 1 file changed, 29 insertions(+), 2 deletions(-)`
		`+`
		`+ diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c`
		`+ index 7aa081abb3b7..d740070d538e 100644`
		`+ --- a/libsemanage/src/direct_api.c`
		`+ +++ b/libsemanage/src/direct_api.c`
		`+ @@ -863,6 +863,14 @@ static void update_checksum_with_len(Sha256Context *context, size_t s)`
		`+ Sha256Update(context, buffer, 8);`
		`+ }`
		`+`
		`+ +static void update_checksum_with_bool(Sha256Context *context, bool b)`
		`+ +{`
		`+ + uint8_t byte;`
		`+ +`
		`+ + byte = b ? UINT8_C(1) : UINT8_C(0);`
		`+ + Sha256Update(context, &byte, 1);`
		`+ +}`
		`+ +`
		`+ static int semanage_compile_module(semanage_handle_t *sh,`
		`+ semanage_module_info_t *modinfo,`
		`+ Sha256Context *context)`
		`+ @@ -977,13 +985,21 @@ static int modinfo_cmp(const void a, const void b)`
		`+ return strcmp(ma->name, mb->name);`
		`+ }`
		`+`
		`+ +struct extra_checksum_params {`
		`+ + int disable_dontaudit;`
		`+ + int preserve_tunables;`
		`+ + int target_platform;`
		`+ + int policyvers;`
		`+ +};`
		`+ +`
		`+ static int semanage_compile_hll_modules(semanage_handle_t *sh,`
		`+ semanage_module_info_t *modinfos,`
		`+ int num_modinfos,`
		`+ + const struct extra_checksum_params *extra,`
		`+ char *cil_checksum)`
		`+ {`
		`+ /* to be incremented when checksum input data format changes */`
		`+ - static const size_t CHECKSUM_EPOCH = 1;`
		`+ + static const size_t CHECKSUM_EPOCH = 2;`
		`+`
		`+ int i, status = 0;`
		`+ char cil_path[PATH_MAX];`
		`+ @@ -1000,6 +1016,10 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh,`
		`+`
		`+ Sha256Initialise(&context);`
		`+ update_checksum_with_len(&context, CHECKSUM_EPOCH);`
		`+ + update_checksum_with_bool(&context, !!extra->disable_dontaudit);`
		`+ + update_checksum_with_bool(&context, !!extra->preserve_tunables);`
		`+ + update_checksum_with_len(&context, (size_t)extra->target_platform);`
		`+ + update_checksum_with_len(&context, (size_t)extra->policyvers);`
		`+`
		`+ /* prefix with module count to avoid collisions */`
		`+ update_checksum_with_len(&context, num_modinfos);`
		`+ @@ -1134,6 +1154,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)`
		`+ mode_t mask = umask(0077);`
		`+ struct stat sb;`
		`+ char modules_checksum[CHECKSUM_CONTENT_SIZE + 1 /* '\0' */];`
		`+ + struct extra_checksum_params extra;`
		`+`
		`+ int do_rebuild, do_write_kernel, do_install;`
		`+ int fcontexts_modified, ports_modified, seusers_modified,`
		`+ @@ -1274,8 +1295,14 @@ static int semanage_direct_commit(semanage_handle_t * sh)`
		`+ goto cleanup;`
		`+ }`
		`+`
		`+ + extra = (struct extra_checksum_params){`
		`+ + .disable_dontaudit = sepol_get_disable_dontaudit(sh->sepolh),`
		`+ + .preserve_tunables = sepol_get_preserve_tunables(sh->sepolh),`
		`+ + .target_platform = sh->conf->target_platform,`
		`+ + .policyvers = sh->conf->policyvers,`
		`+ + };`
		`+ retval = semanage_compile_hll_modules(sh, modinfos, num_modinfos,`
		`+ - modules_checksum);`
		`+ + &extra, modules_checksum);`
		`+ if (retval < 0) {`
		`+ ERR(sh, "Failed to compile hll files into cil files.\n");`
		`+ goto cleanup;`
		`+ --`
		`+ 2.40.0`
		`+`

libsemanage.spec

file modified

+5 -1

		`@@ -4,12 +4,13 @@`
		`Summary: SELinux binary policy manipulation library`
		`Name: libsemanage`
		`Version: 3.5`
		`- Release: 1%{?dist}`
		`+ Release: 2%{?dist}`
		`License: LGPL-2.1-or-later`
		`Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/libsemanage-3.5.tar.gz`
		`# git format-patch -N 3.5 -- libsemanage`
		`# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done`
		`# Patch list start`
		`+ Patch0001: 0001-libsemanage-include-more-parameters-in-the-module-ch.patch`
		`# Patch list end`
		`URL: https://github.com/SELinuxProject/selinux/wiki`
		`Source1: semanage.conf`
		`@@ -154,6 +155,9 @@`
		`%{_libexecdir}/selinux/semanage_migrate_store`

		`%changelog`
		`+ * Fri Mar 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-2`
		`+ - Include more parameters in the module checksum (#2173959)`
		`+`
		`* Fri Feb 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1`
		`- SELinux userspace 3.5 release`