From 3676918c07fb4491457e7b29e7649f5c2ed51056 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Mon, 21 Jan 2019 17:34:55 +0100
Subject: [PATCH] libsemanage-2.8-8
- Always set errno to 0 before calling getpwent()
- Set selinux policy root around calls to selinux_boolean_sub
---
 libsemanage-fedora.patch | 144 ++++++++++++++++++++++++++++++++++++++-
 libsemanage.spec | 10 ++-
 2 files changed, 149 insertions(+), 5 deletions(-)
diff --git a/libsemanage-fedora.patch b/libsemanage-fedora.patch
index 001bbde..c309484 100644
--- a/libsemanage-fedora.patch
+++ b/libsemanage-fedora.patch
@@ -1,3 +1,78 @@
+diff --git libsemanage-2.8/src/boolean_record.c libsemanage-2.8/src/boolean_record.c
+index 665c022..c234094 100644
+--- libsemanage-2.8/src/boolean_record.c
++++ libsemanage-2.8/src/boolean_record.c
+@@ -6,7 +6,9 @@
+ * Implements: record_key_t (Database Record Key)
+ */
+
++#include
+ #include
++#include "handle_internal.h"
+
+ typedef sepol_bool_t semanage_bool_t;
+ typedef sepol_bool_key_t semanage_bool_key_t;
+@@ -84,10 +86,58 @@ hidden_def(semanage_bool_get_name)
+ int semanage_bool_set_name(semanage_handle_t * handle,
+ semanage_bool_t * boolean, const char *name)
+ {
+- int rc;
+- char *subname = selinux_boolean_sub(name);
++ int rc = -1;
++ const char *prefix = semanage_root();
++ const char *storename = handle->conf->store_path;
++ const char *selinux_root = selinux_policy_root();
++ char *oldroot;
++ char *olddir;
++ char *subname = NULL;
++ char *newroot = NULL;
++ char *end;
++
++ if (!selinux_root)
++ return -1;
++
++ oldroot = strdup(selinux_root);
++ if (!oldroot)
++ return -1;
++ olddir = strdup(oldroot);
++ if (!olddir)
++ goto out;
++ end = strrchr(olddir, '/');
++ if (!end)
++ goto out;
++ end++;
++ *end = '\0';
++ rc = asprintf(&newroot, "%s%s%s", prefix, olddir, storename);
++ if (rc < 0)
++ goto out;
++
++ if (strcmp(oldroot, newroot)) {
++ rc = selinux_set_policy_root(newroot);
++ if (rc)
++ goto out;
++ }
++
++ subname = selinux_boolean_sub(name);
++ if (!subname) {
++ rc = -1;
++ goto out;
++ }
++
++ if (strcmp(oldroot, newroot)) {
++ rc = selinux_set_policy_root(oldroot);
++ if (rc)
++ goto out;
++ }
++
+ rc = sepol_bool_set_name(handle->sepolh, boolean, subname);
++out:
+ free(subname);
++ free(oldroot);
++ free(olddir);
++ free(newroot);
+ return rc;
+ }
+
 diff --git libsemanage-2.8/src/direct_api.c libsemanage-2.8/src/direct_api.c
 index c58961b..8e4d116 100644
 --- libsemanage-2.8/src/direct_api.c
@@ -52,10 +127,31 @@ index c58961b..8e4d116 100644
 }
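Review bot: The `if (!subname)` exit in the new `semanage_bool_set_name` jumps to `out` before the second `selinux_set_policy_root(oldroot)` block runs, so when `selinux_boolean_sub` fails the policy root — which libselinux appears to keep as process-wide state — stays switched to the store path for every later caller in the process. Restoring the root unconditionally before the NULL check keeps the success path identical and closes that leak. A second, smaller point: glibc documents the output pointer as unspecified when `asprintf` returns -1, so the `if (rc < 0) goto out;` branch should set `newroot = NULL;` before jumping, otherwise `free(newroot)` at `out` may act on garbage.
```c
	subname = selinux_boolean_sub(name);

	/* Restore the process-wide policy root before looking at the result,
	 * so a failed substitution cannot leave it pointing at the store. */
	if (strcmp(oldroot, newroot)) {
		rc = selinux_set_policy_root(oldroot);
		if (rc)
			goto out;
	}

	if (!subname) {
		rc = -1;
		goto out;
	}

	rc = sepol_bool_set_name(handle->sepolh, boolean, subname);
	/* … unchanged: out: label and the free() calls … */
```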
 diff --git libsemanage-2.8/src/genhomedircon.c libsemanage-2.8/src/genhomedircon.c
-index 3e61b51..c35f878 100644
+index 3e61b51..ac37667 100644
 --- libsemanage-2.8/src/genhomedircon.c
 +++ libsemanage-2.8/src/genhomedircon.c
-@@ -1074,10 +1074,20 @@ static int get_group_users(genhomedircon_settings_t * s,
+@@ -361,7 +361,11 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
+
+ errno = 0;
+ setpwent();
+- while ((pwbuf = getpwent()) != NULL) {
++ while (1) {
++ errno = 0;
++ pwbuf = getpwent();
++ if (pwbuf == NULL)
++ break;
+ if (pwbuf->pw_uid < minuid || pwbuf->pw_uid > maxuid)
+ continue;
+ if (!semanage_list_find(shells, pwbuf->pw_shell))
+@@ -403,7 +407,6 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
+ }
+ free(path);
+ path = NULL;
+- errno = 0;
+ }
+
+ if (errno) {
+@@ -1074,10 +1077,20 @@ static int get_group_users(genhomedircon_settings_t * s,
 const char *grname = selogin + 1;
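Review bot: With `errno = 0;` now executed at the top of every iteration of the rewritten `get_home_dirs` loop, the `errno = 0;` that still precedes `setpwent();` two lines above `while (1)` is never read before being overwritten and could be dropped for clarity, just as the assignment at the end of the body was removed. The `if (errno)` test after the loop is sound as written: the `break` on a NULL return is the loop's only exit and nothing between that `getpwent()` call and the test can change errno. The `-@@ -1074,10 +1074,20 @@` / `+@@ -1074,10 +1077,20 @@` pair at the end of this hunk only records the line-offset shift caused by the inserted hunks, so there is nothing to review there.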
@@ -79,6 +175,50 @@ index 3e61b51..c35f878 100644
 if (group == NULL) {
 ERR(s->h_semanage, "Can't find group named %s\n", grname);
+@@ -1101,7 +1114,11 @@ static int get_group_users(genhomedircon_settings_t * s,
+ }
+
+ setpwent();
+- while ((pw = getpwent()) != NULL) {
++ while (1) {
++ errno = 0;
++ pw = getpwent();
++ if (pw == NULL)
++ break;
+ // skip users who also have this group as their
+ // primary group
+ if (lfind(pw->pw_name, group->gr_mem, &nmembers,
+diff --git libsemanage-2.8/src/handle.c libsemanage-2.8/src/handle.c
+index a6567bd..e5109ae 100644
+--- libsemanage-2.8/src/handle.c
++++ libsemanage-2.8/src/handle.c
+@@ -58,6 +58,8 @@ const char * semanage_root(void)
+ return private_semanage_root;
+ }
+
++hidden_def(semanage_root);
++
+ semanage_handle_t *semanage_handle_create(void)
+ {
+ semanage_handle_t *sh = NULL;
+diff --git libsemanage-2.8/src/handle_internal.h libsemanage-2.8/src/handle_internal.h
+index 66ce270..d4b4d9c 100644
+--- libsemanage-2.8/src/handle_internal.h
++++ libsemanage-2.8/src/handle_internal.h
+@@ -5,8 +5,9 @@
+ #include "dso.h"
+
+ hidden_proto(semanage_begin_transaction)
+- hidden_proto(semanage_handle_destroy)
+- hidden_proto(semanage_reload_policy)
+- hidden_proto(semanage_access_check)
+- hidden_proto(semanage_set_root)
++hidden_proto(semanage_handle_destroy)
++hidden_proto(semanage_reload_policy)
++hidden_proto(semanage_access_check)
++hidden_proto(semanage_set_root)
++hidden_proto(semanage_root)
+ #endif
 diff --git libsemanage-2.8/src/semanage_store.c libsemanage-2.8/src/semanage_store.c
 index f1984c5..58dded6 100644
 --- libsemanage-2.8/src/semanage_store.c
diff --git a/libsemanage.spec b/libsemanage.spec
index 9619447..2739ae6 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
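Review bot: `hidden_def(semanage_root);` in the handle.c hunk carries a trailing semicolon that the other uses of this macro omit (compare the `hidden_def(semanage_bool_get_name)` context line in the first hunk of this patch); if `dso.h` defines the non-SHARED variant as empty, as it appears to, the lone `;` becomes an empty file-scope declaration that -Wpedantic flags, so I would write `hidden_def(semanage_root)`. In the `get_group_users` loop the per-iteration `errno = 0;` mirrors the get_home_dirs fix, but whether errno is examined once this loop ends is outside the hunk — if it is not, the reset has no observable effect here and a short comment saying which check it feeds would help the next reader. The `handle_internal.h` change is indentation plus the one new `hidden_proto(semanage_root)` line, nothing further to raise there.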
@@ -1,16 +1,16 @@
 %define libsepolver 2.8-3
-%define libselinuxver 2.8-5
+%define libselinuxver 2.8-6
 Summary: SELinux binary policy manipulation library
 Name: libsemanage
 Version: 2.8
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: LGPLv2+
 Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libsemanage-2.8.tar.gz
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.8 ./make-fedora-selinux-patch.sh libsemanage
-# HEAD https://github.com/fedora-selinux/selinux/commit/2fee0bccb66a6cafcf0d178b8c75c23ebd3f9924
+# HEAD https://github.com/fedora-selinux/selinux/commit/10767636b5d9b8f3fa3cf3815e860f4ca4fcb247
 Patch1: libsemanage-fedora.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
@@ -179,6 +179,10 @@ sed -i '1s%\(#! */usr/bin/python\)\([^3].*\|\)$%\13\2%' %{buildroot}%{_libexecdi
 %{_libexecdir}/selinux/semanage_migrate_store
 %changelog
+* Mon Jan 21 2019 Petr Lautrbach - 2.8-8
+- Always set errno to 0 before calling getpwent()
+- Set selinux policy root around calls to selinux_boolean_sub
+
 * Mon Dec 10 2018 Petr Lautrbach - 2.8-7
 - genhomedircon - improve handling large groups