libsemanage-3.5-2

- Include more parameters in the module checksum

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -156,3 +156,7 @@ libsemanage-2.0.45.tgz
 /libsemanage-3.4-rc2.tar.gz
 /libsemanage-3.4-rc3.tar.gz
 /libsemanage-3.4.tar.gz
+/libsemanage-3.5-rc1.tar.gz
+/libsemanage-3.5-rc2.tar.gz
+/libsemanage-3.5-rc3.tar.gz
+/libsemanage-3.5.tar.gz

0001-libsemanage-always-write-kernel-policy-when-check_ex.patch

@@ -1,60 +0,0 @@
-From 19bfd1fb713df01e470ed295a3a8c7afd64ce981 Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Wed, 8 Jun 2022 19:09:53 +0200
-Subject: [PATCH] libsemanage: always write kernel policy when
- check_ext_changes is specified
-Content-type: text/plain
-
-For the use case of rebuilding the policy after package updates, we need
-the check_ext_changes operation to always do at least the do_write_kernel
-step, because the various semanage dbs may have also changed content
-relative to the current binary policy. As this step is itself relatively
-fast, we can do it unconditionally.
-
-Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
-Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- libsemanage/include/semanage/handle.h | 2 +-
- libsemanage/src/direct_api.c          | 8 +++++---
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
-index 0157be4fbc46..4cf30815d803 100644
---- a/libsemanage/include/semanage/handle.h
-+++ b/libsemanage/include/semanage/handle.h
-@@ -67,7 +67,7 @@ extern void semanage_set_reload(semanage_handle_t * handle, int do_reload);
- extern void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
- 
- /* set whether to rebuild the policy on commit when potential changes
-- * to module files since last rebuild are detected,
-+ * to store files since last rebuild are detected,
-  * 1 for yes (default), 0 for no */
- extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check);
- 
-diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index 7206483a3ebb..7aa081abb3b7 100644
---- a/libsemanage/src/direct_api.c
-+++ b/libsemanage/src/direct_api.c
-@@ -1437,13 +1437,15 @@ static int semanage_direct_commit(semanage_handle_t * sh)
- 	 * Determine what else needs to be done.
- 	 * We need to write the kernel policy if we are rebuilding
- 	 * or if any other policy component that lives in the kernel
--	 * policy has been modified.
-+	 * policy has been modified. We also want to force it when
-+	 * check_ext_changes was specified as the various dbases may have
-+	 * changes as well.
- 	 * We need to install the policy files if any of the managed files
- 	 * that live under /etc/selinux (kernel policy, seusers, file contexts)
- 	 * will be modified.
- 	 */
--	do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified |
--		ibendports_modified |
-+	do_write_kernel = do_rebuild | sh->check_ext_changes |
-+		ports_modified | ibpkeys_modified | ibendports_modified |
- 		bools->dtable->is_modified(bools->dbase) |
- 		ifaces->dtable->is_modified(ifaces->dbase) |
- 		nodes->dtable->is_modified(nodes->dbase) |
--- 
-2.36.1
-

0001-libsemanage-include-more-parameters-in-the-module-ch.patch

@@ -0,0 +1,103 @@
+From a6b472835502d5fc9fc263db07de69527943ac91 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 8 Mar 2023 10:46:42 +0100
+Subject: [PATCH] libsemanage: include more parameters in the module checksum
+Content-type: text/plain
+
+The check_ext_changes option currently assumes that as long as the
+module content is unchanged, it is safe to assume that the policy.linked
+file doesn't need to be rebuilt. However, there are some additional
+parameters that can affect the content of this policy file, namely:
+* the disable_dontaudit and preserve_tunables flags
+* the target_platform and policyvers configuration values
+
+Include these in the checksum so that the option works correctly when
+only some of these input values are changed versus the current state.
+
+Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libsemanage/src/direct_api.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
+index 7aa081abb3b7..d740070d538e 100644
+--- a/libsemanage/src/direct_api.c
++++ b/libsemanage/src/direct_api.c
+@@ -863,6 +863,14 @@ static void update_checksum_with_len(Sha256Context *context, size_t s)
+ 	Sha256Update(context, buffer, 8);
+ }
+ 
++static void update_checksum_with_bool(Sha256Context *context, bool b)
++{
++	uint8_t byte;
++
++	byte = b ? UINT8_C(1) : UINT8_C(0);
++	Sha256Update(context, &byte, 1);
++}
++
+ static int semanage_compile_module(semanage_handle_t *sh,
+ 				   semanage_module_info_t *modinfo,
+ 				   Sha256Context *context)
+@@ -977,13 +985,21 @@ static int modinfo_cmp(const void *a, const void *b)
+ 	return strcmp(ma->name, mb->name);
+ }
+ 
++struct extra_checksum_params {
++	int disable_dontaudit;
++	int preserve_tunables;
++	int target_platform;
++	int policyvers;
++};
++
+ static int semanage_compile_hll_modules(semanage_handle_t *sh,
+ 					semanage_module_info_t *modinfos,
+ 					int num_modinfos,
++					const struct extra_checksum_params *extra,
+ 					char *cil_checksum)
+ {
+ 	/* to be incremented when checksum input data format changes */
+-	static const size_t CHECKSUM_EPOCH = 1;
++	static const size_t CHECKSUM_EPOCH = 2;
+ 
+ 	int i, status = 0;
+ 	char cil_path[PATH_MAX];
+@@ -1000,6 +1016,10 @@ static int semanage_compile_hll_modules(semanage_handle_t *sh,
+ 
+ 	Sha256Initialise(&context);
+ 	update_checksum_with_len(&context, CHECKSUM_EPOCH);
++	update_checksum_with_bool(&context, !!extra->disable_dontaudit);
++	update_checksum_with_bool(&context, !!extra->preserve_tunables);
++	update_checksum_with_len(&context, (size_t)extra->target_platform);
++	update_checksum_with_len(&context, (size_t)extra->policyvers);
+ 
+ 	/* prefix with module count to avoid collisions */
+ 	update_checksum_with_len(&context, num_modinfos);
+@@ -1134,6 +1154,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 	mode_t mask = umask(0077);
+ 	struct stat sb;
+ 	char modules_checksum[CHECKSUM_CONTENT_SIZE + 1 /* '\0' */];
++	struct extra_checksum_params extra;
+ 
+ 	int do_rebuild, do_write_kernel, do_install;
+ 	int fcontexts_modified, ports_modified, seusers_modified,
+@@ -1274,8 +1295,14 @@ static int semanage_direct_commit(semanage_handle_t * sh)
+ 			goto cleanup;
+ 		}
+ 
++		extra = (struct extra_checksum_params){
++			.disable_dontaudit = sepol_get_disable_dontaudit(sh->sepolh),
++			.preserve_tunables = sepol_get_preserve_tunables(sh->sepolh),
++			.target_platform = sh->conf->target_platform,
++			.policyvers = sh->conf->policyvers,
++		};
+ 		retval = semanage_compile_hll_modules(sh, modinfos, num_modinfos,
+-						      modules_checksum);
++						      &extra, modules_checksum);
+ 		if (retval < 0) {
+ 			ERR(sh, "Failed to compile hll files into cil files.\n");
+ 			goto cleanup;
+-- 
+2.40.0
+

libsemanage.spec

@@ -1,16 +1,16 @@
-%define libsepolver 3.4-1
-%define libselinuxver 3.4-1
+%define libsepolver 3.5-1
+%define libselinuxver 3.5-1
 
 Summary: SELinux binary policy manipulation library
 Name: libsemanage
-Version: 3.4
-Release: 5%{?dist}
-License: LGPLv2+
-Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/libsemanage-3.4.tar.gz
-# fedora-selinux/selinux: git format-patch -N 3.4 -- libsemanage
+Version: 3.5
+Release: 2%{?dist}
+License: LGPL-2.1-or-later
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/libsemanage-3.5.tar.gz
+# git format-patch -N 3.5 -- libsemanage
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
-Patch0001: 0001-libsemanage-always-write-kernel-policy-when-check_ex.patch
+Patch0001: 0001-libsemanage-include-more-parameters-in-the-module-ch.patch
 # Patch list end
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
@@ -23,6 +23,7 @@ BuildRequires: bison flex bzip2-devel
 
 BuildRequires: python3
 BuildRequires: python3-devel
+BuildRequires: python3-setuptools
 
 Requires: bzip2-libs audit-libs
 Requires: libselinux%{?_isa} >= %{libselinuxver}
@@ -75,7 +76,7 @@ The libsemanage-python3 package contains the python 3 bindings for developing
 SELinux management applications.
 
 %prep
-%autosetup -n libsemanage-%{version} -p 2
+%autosetup -p 2 -n libsemanage-%{version}
 
 
 %build
@@ -125,7 +126,7 @@ InstallPythonWrapper \
 cp %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/semanage.conf
 
 %files
-%license COPYING
+%license LICENSE
 %dir %{_sysconfdir}/selinux
 %config(noreplace) %{_sysconfdir}/selinux/semanage.conf
 %{_libdir}/libsemanage.so.2
@@ -154,6 +155,27 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/semanage.conf
 %{_libexecdir}/selinux/semanage_migrate_store
 
 %changelog
+* Fri Mar 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-2
+- Include more parameters in the module checksum (#2173959)
+
+* Fri Feb 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
+- SELinux userspace 3.5 release
+
+* Mon Feb 13 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1
+- SELinux userspace 3.5-rc3 release
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-0.rc2.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Mon Jan 16 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
+- SELinux userspace 3.5-rc2 release
+
+* Fri Dec 23 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
+- SELinux userspace 3.5-rc1 release
+
+* Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-6
+- Rebase on upstream f56a72ac9e86
+
 * Mon Jul 25 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-5
 - Always write kernel policy when check_ext_changes is specified (#2104935)
 

plans/selinux.fmf

@@ -0,0 +1,7 @@
+summary: selinux tests - Tier 1 | libsemanage
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/selinux
+    filter: "tier: 1 | component: libsemanage"
+execute:
+    how: tmt

sources

@@ -1 +1 @@
-SHA512 (libsemanage-3.4.tar.gz) = 831dc789545bb9a0b009bdb4f7fe52f6197ad8325946640f886a960d08e40b8a69eccd5a70cce51466bb5cb7f742feb78d19a9ec63383fbd03aa451508677e73
+SHA512 (libsemanage-3.5.tar.gz) = 959fbd0d6bc6849da6caa13dc41c3f8818cbbd29f04b5d2ac7246c4b395b4f370f113a04cc9cfcb52be2afebfa636013ac4ad4011384c58c7ce066a45cae2751

tests/tests.yml

@@ -1,25 +0,0 @@
----
-# Tests that run in all contexts
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    repositories:
-      - repo: "https://src.fedoraproject.org/tests/selinux.git"
-        dest: "selinux"
-        fmf_filter: "tier: 1 | component: libsemanage & tags: generic"
-    required_packages:
-    - libsemanage             # Required for sanity-tests
-    - libsemanage-devel       # Required for sanity-tests
-    - glibc                   # Required for sanity-tests
-    - gcc                     # Required for sanity-tests
-    - CUnit-devel             # Required for sanity-tests
-    - libselinux              # Required for verify-options-in-semanage-conf
-    - libselinux-utils        # Required for verify-options-in-semanage-conf
-    - policycoreutils         # Required for verify-options-in-semanage-conf
-    - policycoreutils-python-utils  # Required for verify-options-in-semanage-conf
-    - selinux-policy          # Required for verify-options-in-semanage-conf
-    - selinux-policy-devel    # Required for verify-options-in-semanage-conf
-    - lksctp-tools            # sctp_test
-    - psmisc                  # sctp_test