From 6037cb4380b3411bbac912ceb2828cc0d324a265 Mon Sep 17 00:00:00 2001
From: Michal Sekletar
Date: Mon, 16 Jan 2017 15:57:13 +0100
Subject: [PATCH] Explicitly relabel hwdb.bin after writing the database
Resolves: #1395211
---
0053-hwdb-selinuxify-a-bit-3460.patch | 56 +++++++++++++++++++
...ly-relabel-etc-udev-hwdb.bin-after-r.patch | 48 ++++++++++++++++
systemd.spec | 7 ++-
3 files changed, 110 insertions(+), 1 deletion(-)
create mode 100644 0053-hwdb-selinuxify-a-bit-3460.patch
create mode 100644 0054-udevadm-explicitly-relabel-etc-udev-hwdb.bin-after-r.patch
diff --git a/0053-hwdb-selinuxify-a-bit-3460.patch b/0053-hwdb-selinuxify-a-bit-3460.patch
new file mode 100644
index 0000000..81f0a6c
--- /dev/null
+++ b/0053-hwdb-selinuxify-a-bit-3460.patch
@@ -0,0 +1,56 @@
+From a28a4f85b63f7d6aa531ee01b01c9dabb01de6e9 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin
+Date: Tue, 7 Jun 2016 20:47:41 +0300
+Subject: [PATCH] hwdb: selinuxify a bit (#3460)
+
+-bash-4.3# rm /etc/udev/hwdb.bin
+-bash-4.3# systemd-hwdb update
+-bash-4.3# ls -Z /etc/udev/hwdb.bin
+system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin
+
+Fixes: #3458
+---
+ src/hwdb/hwdb.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/hwdb/hwdb.c b/src/hwdb/hwdb.c
+index 1160dac..e12cd93 100644
+--- a/src/hwdb/hwdb.c
++++ b/src/hwdb/hwdb.c
+@@ -29,7 +29,9 @@
+ #include "fs-util.h"
+ #include "hwdb-internal.h"
+ #include "hwdb-util.h"
++#include "label.h"
+ #include "mkdir.h"
++#include "selinux-util.h"
+ #include "strbuf.h"
+ #include "string-util.h"
+ #include "strv.h"
+@@ -643,12 +645,12 @@ static int hwdb_update(int argc, char *argv[], void *userdata) {
+ if (!hwdb_bin)
+ return -ENOMEM;
+
+- mkdir_parents(hwdb_bin, 0755);
++ mkdir_parents_label(hwdb_bin, 0755);
+ r = trie_store(trie, hwdb_bin);
+ if (r < 0)
+ return log_error_errno(r, "Failure writing database %s: %m", hwdb_bin);
+
+- return 0;
++ return label_fix(hwdb_bin, false, false);
+ }
+
+ static void help(void) {
+@@ -732,6 +734,8 @@ int main (int argc, char *argv[]) {
+ if (r <= 0)
+ goto finish;
+
++ mac_selinux_init();
++
+ r = hwdb_main(argc, argv);
+
+ finish:
+--
+2.9.3
+
diff --git a/0054-udevadm-explicitly-relabel-etc-udev-hwdb.bin-after-r.patch b/0054-udevadm-explicitly-relabel-etc-udev-hwdb.bin-after-r.patch
new file mode 100644
index 0000000..df07d20
--- /dev/null
+++ b/0054-udevadm-explicitly-relabel-etc-udev-hwdb.bin-after-r.patch
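Review bot: In the `src/hwdb/hwdb.c` change carried by 0053, `main()` calls `mac_selinux_init();` and throws the result away, so a failure to set up SELinux labelling goes unnoticed before `hwdb_main()` runs. What `label_fix(hwdb_bin, false, false)` does without an initialised label database is not visible here; if it quietly succeeds, `systemd-hwdb update` would exit 0 while `/etc/udev/hwdb.bin` keeps the wrong context, which is the condition this patch exists to remove. Assuming `mac_selinux_init()` returns a negative errno like the call above it, I would write `r = mac_selinux_init(); if (r < 0) goto finish;`. The return value of `mkdir_parents_label(hwdb_bin, 0755);` in `hwdb_update()` is also ignored, as it was for `mkdir_parents()`; both functions start and end outside the quoted hunks.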
@@ -0,0 +1,48 @@
+From 0c780236462b3e1b43de9af2339c21377b51b782 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Fri, 8 Jul 2016 17:43:05 +0200
+Subject: [PATCH] udevadm: explicitly relabel /etc/udev/hwdb.bin after rename
+ (#3686)
+
+This is basically the same change as ea68351.
+
+(cherry picked from commit 905c37e60ef653557d0354c2afa94546c31efe50)
+Resolves: #1395211
+---
+ src/udev/udevadm-hwdb.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/udev/udevadm-hwdb.c b/src/udev/udevadm-hwdb.c
+index 948ad0f..1bffe8e 100644
+--- a/src/udev/udevadm-hwdb.c
++++ b/src/udev/udevadm-hwdb.c
+@@ -28,6 +28,8 @@
+ #include "fs-util.h"
+ #include "hwdb-internal.h"
+ #include "hwdb-util.h"
++#include "label.h"
++#include "mkdir.h"
+ #include "strbuf.h"
+ #include "string-util.h"
+ #include "udev.h"
+@@ -656,12 +658,16 @@ static int adm_hwdb(struct udev *udev, int argc, char *argv[]) {
+ rc = EXIT_FAILURE;
+ goto out;
+ }
+- mkdir_parents(hwdb_bin, 0755);
++
++ mkdir_parents_label(hwdb_bin, 0755);
++
+ err = trie_store(trie, hwdb_bin);
+ if (err < 0) {
+ log_error_errno(err, "Failure writing database %s: %m", hwdb_bin);
+ rc = EXIT_FAILURE;
+ }
++
++ label_fix(hwdb_bin, false, false);
+ }
+
+ if (test) {
+--
+2.9.3
+
diff --git a/systemd.spec b/systemd.spec
index 028ef4d..8c40db1 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -12,7 +12,7 @@
 Name: systemd
 Url: http://www.freedesktop.org/wiki/Software/systemd
 Version: 229
-Release: 16%{?gitcommit:.git%{gitcommitshort}}%{?dist}
+Release: 17%{?gitcommit:.git%{gitcommitshort}}%{?dist}
 # For a breakdown of the licensing, see README
 License: LGPLv2+ and MIT and GPLv2+
 Summary: A System and Service Manager
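Review bot: In the `src/udev/udevadm-hwdb.c` change carried by 0054, `label_fix(hwdb_bin, false, false);` in `adm_hwdb()` runs even when `trie_store()` has just failed, and its return value is dropped, so a failed relabel leaves `rc` untouched. That differs from patch 0053, where `hwdb_update()` returns the `label_fix()` result, and it means `udevadm hwdb` can exit successfully with a database whose SELinux label is still wrong. I would make the relabel conditional on a successful write and propagate its failure, by attaching `else if (label_fix(hwdb_bin, false, false) < 0) rc = EXIT_FAILURE;` to the `if (err < 0)` block. `adm_hwdb()` starts and ends outside the hunk.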
@@ -85,6 +85,8 @@ Patch0049: 0049-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch
 Patch0050: 0050-pid1-process-zero-length-notification-messages-again.patch
 Patch0051: 0051-logind-fix-crash-when-shutdown-is-not-issued-from-a-.patch
 Patch0052: 0052-hwdb-add-axis-ranges-for-the-MacBook-4-1-4030.patch
+Patch0053: 0053-hwdb-selinuxify-a-bit-3460.patch
+Patch0054: 0054-udevadm-explicitly-relabel-etc-udev-hwdb.bin-after-r.patch
 Patch0999: 0999-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
@@ -971,6 +973,9 @@ getent passwd systemd-journal-upload >/dev/null 2>&1 || useradd -r -l -g systemd
 /usr/lib/firewalld/services/*
 %changelog
+* Mon Jan 16 2017 Michal Sekletar - 229-17
+- explicitly relabel hwdb.bin after writing the database (#1395211)
+
 * Tue Oct 4 2016 Zbigniew Jędrzejewski-Szmek - 229-16
 - Fixes for #1357990, #1371596, #1378974