From 3c4868da257da8aba1ff050229f9d453f61ccddb Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: May 09 2019 15:27:26 +0000 Subject: Use separate patches instead of one big fedora-selinux.patch --- diff --git a/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch b/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch new file mode 100644 index 0000000..e29e04f --- /dev/null +++ b/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch @@ -0,0 +1,31 @@ +From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Wed, 16 Jul 2014 08:28:03 +0200 +Subject: [PATCH 1/3] Fix selinux man page to refer seinfo and sesearch tools. + +--- + libselinux/man/man8/selinux.8 | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 +index e37aee68..bf23b655 100644 +--- a/libselinux/man/man8/selinux.8 ++++ b/libselinux/man/man8/selinux.8 +@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh . + .BR sepolicy (8), + .BR system-config-selinux (8), + .BR togglesebool (8), +-.BR restorecon (8), + .BR fixfiles (8), ++.BR restorecon (8), + .BR setfiles (8), + .BR semanage (8), + .BR sepolicy (8) ++.BR seinfo (8), ++.BR sesearch (8) + + Every confined service on the system has a man page in the following format: + .br +-- +2.21.0 + diff --git a/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch b/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch new file mode 100644 index 0000000..b7672c1 --- /dev/null +++ b/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch 
@@ -0,0 +1,214 @@ +From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001 +From: Dan Walsh +Date: Mon, 23 Dec 2013 09:50:54 -0500 +Subject: [PATCH 2/3] Verify context input to funtions to make sure the context + field is not null. + +Return errno EINVAL, to prevent segfault. + +Rejected by upstream https://marc.info/?l=selinux&m=145036088424584&w=2 + +FIXME: use __attribute__(nonnull (arg-index, ...)) +--- + libselinux/src/avc_sidtab.c | 5 +++++ + libselinux/src/canonicalize_context.c | 5 +++++ + libselinux/src/check_context.c | 5 +++++ + libselinux/src/compute_av.c | 5 +++++ + libselinux/src/compute_create.c | 5 +++++ + libselinux/src/compute_member.c | 5 +++++ + libselinux/src/compute_relabel.c | 5 +++++ + libselinux/src/compute_user.c | 5 +++++ + libselinux/src/fsetfilecon.c | 8 ++++++-- + libselinux/src/lsetfilecon.c | 9 +++++++-- + libselinux/src/setfilecon.c | 8 ++++++-- + 11 files changed, 59 insertions(+), 6 deletions(-) + +diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c +index 9669264d..c7754305 100644 +--- a/libselinux/src/avc_sidtab.c ++++ b/libselinux/src/avc_sidtab.c +@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s, + int hvalue, rc = 0; + struct sidtab_node *cur; + ++ if (! ctx) { ++ errno=EINVAL; ++ return -1; ++ } ++ + *sid = NULL; + hvalue = sidtab_hash(ctx); + +diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c +index ba4c9a2c..c8158725 100644 +--- a/libselinux/src/canonicalize_context.c ++++ b/libselinux/src/canonicalize_context.c +@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con, + size_t size; + int fd, ret; + ++ if (! 
con) { ++ errno=EINVAL; ++ return -1; ++ } ++ + if (!selinux_mnt) { + errno = ENOENT; + return -1; +diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c +index 8a7997f0..5be84348 100644 +--- a/libselinux/src/check_context.c ++++ b/libselinux/src/check_context.c +@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con) + char path[PATH_MAX]; + int fd, ret; + ++ if (! con) { ++ errno=EINVAL; ++ return -1; ++ } ++ + if (!selinux_mnt) { + errno = ENOENT; + return -1; +diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c +index a47cffe9..6d285a2e 100644 +--- a/libselinux/src/compute_av.c ++++ b/libselinux/src/compute_av.c +@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon, + return -1; + } + ++ if ((! scon) || (! tcon)) { ++ errno=EINVAL; ++ return -1; ++ } ++ + snprintf(path, sizeof path, "%s/access", selinux_mnt); + fd = open(path, O_RDWR | O_CLOEXEC); + if (fd < 0) +diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c +index 0975aeac..3e6a48c1 100644 +--- a/libselinux/src/compute_create.c ++++ b/libselinux/src/compute_create.c +@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon, + return -1; + } + ++ if ((! scon) || (! tcon)) { ++ errno=EINVAL; ++ return -1; ++ } ++ + snprintf(path, sizeof path, "%s/create", selinux_mnt); + fd = open(path, O_RDWR | O_CLOEXEC); + if (fd < 0) +diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c +index 4e2d221e..d1dd9772 100644 +--- a/libselinux/src/compute_member.c ++++ b/libselinux/src/compute_member.c +@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon, + return -1; + } + ++ if ((! scon) || (! 
tcon)) { ++ errno=EINVAL; ++ return -1; ++ } ++ + snprintf(path, sizeof path, "%s/member", selinux_mnt); + fd = open(path, O_RDWR | O_CLOEXEC); + if (fd < 0) +diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c +index 49f77ef3..c3db7c0a 100644 +--- a/libselinux/src/compute_relabel.c ++++ b/libselinux/src/compute_relabel.c +@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon, + return -1; + } + ++ if ((! scon) || (! tcon)) { ++ errno=EINVAL; ++ return -1; ++ } ++ + snprintf(path, sizeof path, "%s/relabel", selinux_mnt); + fd = open(path, O_RDWR | O_CLOEXEC); + if (fd < 0) +diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c +index 7b881215..401fd107 100644 +--- a/libselinux/src/compute_user.c ++++ b/libselinux/src/compute_user.c +@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon, + return -1; + } + ++ if (! scon) { ++ errno=EINVAL; ++ return -1; ++ } ++ + snprintf(path, sizeof path, "%s/user", selinux_mnt); + fd = open(path, O_RDWR | O_CLOEXEC); + if (fd < 0) +diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c +index 52707d05..0cbe12d8 100644 +--- a/libselinux/src/fsetfilecon.c ++++ b/libselinux/src/fsetfilecon.c +@@ -9,8 +9,12 @@ + + int fsetfilecon_raw(int fd, const char * context) + { +- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, +- 0); ++ int rc; ++ if (! context) { ++ errno=EINVAL; ++ return -1; ++ } ++ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); + if (rc < 0 && errno == ENOTSUP) { + char * ccontext = NULL; + int err = errno; +diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c +index 1d3b28a1..ea6d70b7 100644 +--- a/libselinux/src/lsetfilecon.c ++++ b/libselinux/src/lsetfilecon.c +@@ -9,8 +9,13 @@ + + int lsetfilecon_raw(const char *path, const char * context) + { +- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, +- 0); ++ int rc; ++ if (! 
context) { ++ errno=EINVAL; ++ return -1; ++ } ++ ++ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); + if (rc < 0 && errno == ENOTSUP) { + char * ccontext = NULL; + int err = errno; +diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c +index d05969c6..3f0200e8 100644 +--- a/libselinux/src/setfilecon.c ++++ b/libselinux/src/setfilecon.c +@@ -9,8 +9,12 @@ + + int setfilecon_raw(const char *path, const char * context) + { +- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, +- 0); ++ int rc; ++ if (! context) { ++ errno=EINVAL; ++ return -1; ++ } ++ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); + if (rc < 0 && errno == ENOTSUP) { + char * ccontext = NULL; + int err = errno; +-- +2.21.0 + diff --git a/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch b/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch new file mode 100644 index 0000000..5248f97 --- /dev/null +++ b/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch 
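Review bot: The `FIXME: use __attribute__(nonnull (arg-index, ...))` carried in this patch's description would undo the fix it accompanies: `nonnull` is a promise to the compiler, and GCC compiling a function body under that attribute treats the new `if (! ctx)` / `if (! con)` checks as dead code and may delete them when optimizing (`-Wnonnull-compare` exists to flag exactly this), so the runtime checks should stay and the attribute should not be added to these definitions. In `sidtab_context_to_sid` the new early return sits above the existing `*sid = NULL;`, so a NULL `ctx` returns -1 with the output untouched while the rest of the function clears it first; moving the check below that line, `*sid = NULL;` then `if (!ctx) { errno = EINVAL; return -1; }`, keeps the output contract uniform across failure paths. The checks are also spelled `if (! con)` and `errno=EINVAL;` next to the file's own `if (!selinux_mnt)` and `errno = ENOENT;`; matching that spacing would make them read as part of the file rather than a bolt-on. Every inner hunk here cuts through its enclosing function, whose remaining body is outside this patch.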
@@ -0,0 +1,39 @@ +From 431f72836d6c02450725cf6ffb1c7223b9fa6acc Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 11 Mar 2019 15:26:43 +0100 +Subject: [PATCH 3/3] libselinux: Allow to override OVERRIDE_GETTID from + command line + +$ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ... + +Drop this as soon as glibc-2.30 will become real 2.30 version, see +https://bugzilla.redhat.com/show_bug.cgi?id=1685594 + +Signed-off-by: Petr Lautrbach +--- + libselinux/src/procattr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c +index c6799ef2..cbb6824e 100644 +--- a/libselinux/src/procattr.c ++++ b/libselinux/src/procattr.c +@@ -24,6 +24,7 @@ static __thread char destructor_initialized; + + /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and + * has a definition for it */ ++#ifndef OVERRIDE_GETTID + #ifdef __BIONIC__ + #define OVERRIDE_GETTID 0 + #elif !defined(__GLIBC_PREREQ) +@@ -33,6 +34,7 @@ static __thread char destructor_initialized; + #else + #define OVERRIDE_GETTID 0 + #endif ++#endif + + #if OVERRIDE_GETTID + static pid_t gettid(void) +-- +2.21.0 + diff --git a/libselinux-fedora.patch b/libselinux-fedora.patch deleted file mode 100644 index dbf43d0..0000000 --- a/libselinux-fedora.patch +++ /dev/null 
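Review bot: The new `#ifndef OVERRIDE_GETTID` / `#endif` guard around the autodetection in procattr.c is undocumented in the code itself; the only explanation (`make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0"` and the glibc-2.30 pre-release reason) lives in this patch's description, which a reader of procattr.c never sees. A comment directly above the new `#ifndef` line would carry it: `/* OVERRIDE_GETTID may be forced from CFLAGS, e.g. -DOVERRIDE_GETTID=0 for a glibc that already ships gettid() but does not yet report 2.30; the detection below runs only when it is unset. */`. Since the description says the knob is temporary, the comment should say so too, so the override is not kept past the glibc release it works around. Forcing the value the wrong way is presumably not diagnosed beyond a compile error (0 on a libc without `gettid()` leaves the later calls undeclared, 1 on one with it clashes with the `static pid_t gettid(void)` definition below), which is worth stating so the knob is understood as build-system only.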
@@ -1,225 +0,0 @@ -diff --git libselinux-2.9/man/man8/selinux.8 libselinux-2.9/man/man8/selinux.8 -index e37aee6..bf23b65 100644 ---- libselinux-2.9/man/man8/selinux.8 -+++ libselinux-2.9/man/man8/selinux.8 -@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh . - .BR sepolicy (8), - .BR system-config-selinux (8), - .BR togglesebool (8), --.BR restorecon (8), - .BR fixfiles (8), -+.BR restorecon (8), - .BR setfiles (8), - .BR semanage (8), - .BR sepolicy (8) -+.BR seinfo (8), -+.BR sesearch (8) - - Every confined service on the system has a man page in the following format: - .br -diff --git libselinux-2.9/src/avc_sidtab.c libselinux-2.9/src/avc_sidtab.c -index 9669264..c775430 100644 ---- libselinux-2.9/src/avc_sidtab.c -+++ libselinux-2.9/src/avc_sidtab.c -@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s, - int hvalue, rc = 0; - struct sidtab_node *cur; - -+ if (! ctx) { -+ errno=EINVAL; -+ return -1; -+ } -+ - *sid = NULL; - hvalue = sidtab_hash(ctx); - -diff --git libselinux-2.9/src/canonicalize_context.c libselinux-2.9/src/canonicalize_context.c -index ba4c9a2..c815872 100644 ---- libselinux-2.9/src/canonicalize_context.c -+++ libselinux-2.9/src/canonicalize_context.c -@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con, - size_t size; - int fd, ret; - -+ if (! con) { -+ errno=EINVAL; -+ return -1; -+ } -+ - if (!selinux_mnt) { - errno = ENOENT; - return -1; -diff --git libselinux-2.9/src/check_context.c libselinux-2.9/src/check_context.c -index 8a7997f..5be8434 100644 ---- libselinux-2.9/src/check_context.c -+++ libselinux-2.9/src/check_context.c -@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con) - char path[PATH_MAX]; - int fd, ret; - -+ if (! 
con) { -+ errno=EINVAL; -+ return -1; -+ } -+ - if (!selinux_mnt) { - errno = ENOENT; - return -1; -diff --git libselinux-2.9/src/compute_av.c libselinux-2.9/src/compute_av.c -index a47cffe..6d285a2 100644 ---- libselinux-2.9/src/compute_av.c -+++ libselinux-2.9/src/compute_av.c -@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon, - return -1; - } - -+ if ((! scon) || (! tcon)) { -+ errno=EINVAL; -+ return -1; -+ } -+ - snprintf(path, sizeof path, "%s/access", selinux_mnt); - fd = open(path, O_RDWR | O_CLOEXEC); - if (fd < 0) -diff --git libselinux-2.9/src/compute_create.c libselinux-2.9/src/compute_create.c -index 0975aea..3e6a48c 100644 ---- libselinux-2.9/src/compute_create.c -+++ libselinux-2.9/src/compute_create.c -@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon, - return -1; - } - -+ if ((! scon) || (! tcon)) { -+ errno=EINVAL; -+ return -1; -+ } -+ - snprintf(path, sizeof path, "%s/create", selinux_mnt); - fd = open(path, O_RDWR | O_CLOEXEC); - if (fd < 0) -diff --git libselinux-2.9/src/compute_member.c libselinux-2.9/src/compute_member.c -index 4e2d221..d1dd977 100644 ---- libselinux-2.9/src/compute_member.c -+++ libselinux-2.9/src/compute_member.c -@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon, - return -1; - } - -+ if ((! scon) || (! tcon)) { -+ errno=EINVAL; -+ return -1; -+ } -+ - snprintf(path, sizeof path, "%s/member", selinux_mnt); - fd = open(path, O_RDWR | O_CLOEXEC); - if (fd < 0) -diff --git libselinux-2.9/src/compute_relabel.c libselinux-2.9/src/compute_relabel.c -index 49f77ef..c3db7c0 100644 ---- libselinux-2.9/src/compute_relabel.c -+++ libselinux-2.9/src/compute_relabel.c -@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon, - return -1; - } - -+ if ((! scon) || (! 
tcon)) { -+ errno=EINVAL; -+ return -1; -+ } -+ - snprintf(path, sizeof path, "%s/relabel", selinux_mnt); - fd = open(path, O_RDWR | O_CLOEXEC); - if (fd < 0) -diff --git libselinux-2.9/src/compute_user.c libselinux-2.9/src/compute_user.c -index 7b88121..401fd10 100644 ---- libselinux-2.9/src/compute_user.c -+++ libselinux-2.9/src/compute_user.c -@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon, - return -1; - } - -+ if (! scon) { -+ errno=EINVAL; -+ return -1; -+ } -+ - snprintf(path, sizeof path, "%s/user", selinux_mnt); - fd = open(path, O_RDWR | O_CLOEXEC); - if (fd < 0) -diff --git libselinux-2.9/src/fsetfilecon.c libselinux-2.9/src/fsetfilecon.c -index 52707d0..0cbe12d 100644 ---- libselinux-2.9/src/fsetfilecon.c -+++ libselinux-2.9/src/fsetfilecon.c -@@ -9,8 +9,12 @@ - - int fsetfilecon_raw(int fd, const char * context) - { -- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, -- 0); -+ int rc; -+ if (! context) { -+ errno=EINVAL; -+ return -1; -+ } -+ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; -diff --git libselinux-2.9/src/lsetfilecon.c libselinux-2.9/src/lsetfilecon.c -index 1d3b28a..ea6d70b 100644 ---- libselinux-2.9/src/lsetfilecon.c -+++ libselinux-2.9/src/lsetfilecon.c -@@ -9,8 +9,13 @@ - - int lsetfilecon_raw(const char *path, const char * context) - { -- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, -- 0); -+ int rc; -+ if (! 
context) { -+ errno=EINVAL; -+ return -1; -+ } -+ -+ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; -diff --git libselinux-2.9/src/procattr.c libselinux-2.9/src/procattr.c -index c6799ef..cbb6824 100644 ---- libselinux-2.9/src/procattr.c -+++ libselinux-2.9/src/procattr.c -@@ -24,6 +24,7 @@ static __thread char destructor_initialized; - - /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and - * has a definition for it */ -+#ifndef OVERRIDE_GETTID - #ifdef __BIONIC__ - #define OVERRIDE_GETTID 0 - #elif !defined(__GLIBC_PREREQ) -@@ -33,6 +34,7 @@ static __thread char destructor_initialized; - #else - #define OVERRIDE_GETTID 0 - #endif -+#endif - - #if OVERRIDE_GETTID - static pid_t gettid(void) -diff --git libselinux-2.9/src/setfilecon.c libselinux-2.9/src/setfilecon.c -index d05969c..3f0200e 100644 ---- libselinux-2.9/src/setfilecon.c -+++ libselinux-2.9/src/setfilecon.c -@@ -9,8 +9,12 @@ - - int setfilecon_raw(const char *path, const char * context) - { -- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, -- 0); -+ int rc; -+ if (! context) { -+ errno=EINVAL; -+ return -1; -+ } -+ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; diff --git a/libselinux.spec b/libselinux.spec index c291efd..4818043 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -11,11 +11,13 @@ Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/li
 Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
-# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
-# run:
-# $ VERSION=2.9 ./make-fedora-selinux-patch.sh libselinux
-# HEAD https://github.com/fedora-selinux/selinux/commit/431f72836d6c02450725cf6ffb1c7223b9fa6acc
-Patch1: libselinux-fedora.patch
+# $ git clone https://github.com/SELinuxProject/selinux.git
+# $ cd selinux
+# $ git format-patch libselinux-2.9 -- libselinux
+# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
+Patch0001: 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
+Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
+Patch0003: 0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
 BuildRequires: gcc
 BuildRequires: python2 python2-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
 BuildRequires: python3 python3-devel
@@ -98,7 +100,7 @@ The libselinux-static package contains the static libraries needed for
 developing SELinux applications.
 
 %prep
-%autosetup -p 1 -n libselinux-%{version}
+%autosetup -p 2 -n libselinux-%{version}
 
 %build
 export DISABLE_RPM="y"
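Review bot: The regeneration recipe in the new comment block clones `https://github.com/SELinuxProject/selinux.git`, but the three patches it is meant to produce are Fedora-only changes (0002 is marked `Rejected by upstream` in its own description), and `git format-patch libselinux-2.9 -- libselinux` run against upstream would yield upstream's post-2.9 commits rather than these; the removed lines pointed at the fedora-selinux fork and pinned `HEAD` to commit 431f72836d6c02450725cf6ffb1c7223b9fa6acc, which is also the `From` hash of 0003, so that fork is evidently the real source. Changing the first line to `# $ git clone https://github.com/fedora-selinux/selinux.git` and restoring a pinned line such as `# HEAD https://github.com/fedora-selinux/selinux/commit/431f72836d6c02450725cf6ffb1c7223b9fa6acc` keeps the patch set reproducible and lets a reviewer verify the checked-in patch files against a named commit instead of a moving branch. The `-p 2` in the second hunk is consistent with the `a/libselinux/...` paths in the new format-patch files unpacking into `libselinux-%{version}`.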