From 8be71ebc82962747017651071e8f03c8004f88f0 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Feb 19 2022 10:10:59 +0000 Subject: policycoreutils-3.3-4 - semodule: add command-line option to detect module changes - fixfiles: Use parallel relabeling --- diff --git a/0023-semodule-libsemanage-move-module-hashing-into-libsem.patch b/0023-semodule-libsemanage-move-module-hashing-into-libsem.patch new file mode 100644 index 0000000..8fcd481 --- /dev/null +++ b/0023-semodule-libsemanage-move-module-hashing-into-libsem.patch @@ -0,0 +1,539 @@ +From 7809f29b68e17a455478990ae9b22728381a126b Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 3 Feb 2022 17:53:23 +0100 +Subject: [PATCH] semodule,libsemanage: move module hashing into libsemanage + +The main goal of this move is to have the SHA-256 implementation under +libsemanage, since upcoming patches will make use of SHA-256 for a +different (but similar) purpose in libsemanage. Having the hashing code +in libsemanage will reduce code duplication and allow for easier hash +algorithm upgrade in the future. + +Note that libselinux currently also contains a hash function +implementation (for yet another different purpose). This patch doesn't +make any effort to address that duplicity yet. + +This patch also changes the format of the hash string printed by +semodule to include the name of the hash. The intent is to avoid +ambiguity and potential collisions when the algorithm is potentially +changed in the future. + +Signed-off-by: Ondrej Mosnacek +--- + policycoreutils/semodule/Makefile | 2 +- + policycoreutils/semodule/semodule.c | 53 ++--- + policycoreutils/semodule/sha256.c | 294 ---------------------------- + policycoreutils/semodule/sha256.h | 89 --------- + 4 files changed, 17 insertions(+), 421 deletions(-) + delete mode 100644 policycoreutils/semodule/sha256.c + delete mode 100644 policycoreutils/semodule/sha256.h + +diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile +index 9875ac383280..73801e487a76 100644 +--- a/policycoreutils/semodule/Makefile ++++ b/policycoreutils/semodule/Makefile +@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man + + CFLAGS ?= -Werror -Wall -W + override LDLIBS += -lsepol -lselinux -lsemanage +-SEMODULE_OBJS = semodule.o sha256.o ++SEMODULE_OBJS = semodule.o + + all: semodule genhomedircon + +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index 94a9d131bb79..f4a76289efa3 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -25,8 +25,6 @@ + #include + #include + +-#include "sha256.h" +- + enum client_modes { + NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M, + LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M +@@ -348,60 +346,38 @@ static void parse_command_line(int argc, char **argv) + + /* Get module checksum */ + static char *hash_module_data(const char *module_name, const int prio) { +- semanage_module_info_t *extract_info = NULL; + semanage_module_key_t *modkey = NULL; +- Sha256Context context; +- uint8_t sha256_hash[SHA256_HASH_SIZE]; +- char *sha256_buf = NULL; +- void *data; +- size_t data_len = 0, i; ++ char *hash_str = NULL; ++ void *hash = NULL; ++ size_t hash_len = 0; + int result; + + result = semanage_module_key_create(sh, &modkey); + if (result != 0) { +- goto cleanup_extract; ++ goto cleanup; + } + + result = semanage_module_key_set_name(sh, modkey, module_name); + if (result != 0) { +- goto cleanup_extract; ++ goto cleanup; + } + + result = semanage_module_key_set_priority(sh, modkey, prio); + if (result != 0) { +- goto cleanup_extract; ++ goto cleanup; + } + +- result = semanage_module_extract(sh, modkey, 1, &data, &data_len, +- &extract_info); ++ result = semanage_module_compute_checksum(sh, modkey, 1, &hash_str, ++ &hash_len); + if (result != 0) { +- goto cleanup_extract; +- } +- +- Sha256Initialise(&context); +- Sha256Update(&context, data, data_len); +- +- Sha256Finalise(&context, (SHA256_HASH *)sha256_hash); +- +- sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1); +- +- if (sha256_buf == NULL) +- goto cleanup_extract; +- +- for (i = 0; i < SHA256_HASH_SIZE; i++) { +- sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]); ++ goto cleanup; + } +- sha256_buf[i * 2] = 0; + +-cleanup_extract: +- if (data_len > 0) { +- munmap(data, data_len); +- } +- semanage_module_info_destroy(sh, extract_info); +- free(extract_info); ++cleanup: ++ free(hash); + semanage_module_key_destroy(sh, modkey); + free(modkey); +- return sha256_buf; ++ return hash_str; + } + + int main(int argc, char *argv[]) +@@ -669,7 +645,10 @@ cleanup_extract: + /* fixed width columns */ + column[0] = sizeof("000") - 1; + column[3] = sizeof("disabled") - 1; +- column[4] = 64; /* SHA256_HASH_SIZE * 2 */ ++ ++ result = semanage_module_compute_checksum(sh, NULL, 0, NULL, ++ &column[4]); ++ if (result != 0) goto cleanup_list; + + /* variable width columns */ + const char *tmp = NULL; +diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c +deleted file mode 100644 +index fe2aeef07f53..000000000000 +--- a/policycoreutils/semodule/sha256.c ++++ /dev/null +@@ -1,294 +0,0 @@ +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// WjCryptLib_Sha256 +-// +-// Implementation of SHA256 hash function. +-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org +-// Modified by WaterJuice retaining Public Domain license. +-// +-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// IMPORTS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#include "sha256.h" +-#include +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// MACROS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits)))) +- +-#define MIN(x, y) ( ((x)<(y))?(x):(y) ) +- +-#define STORE32H(x, y) \ +- { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \ +- (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); } +- +-#define LOAD32H(x, y) \ +- { x = ((uint32_t)((y)[0] & 255)<<24) | \ +- ((uint32_t)((y)[1] & 255)<<16) | \ +- ((uint32_t)((y)[2] & 255)<<8) | \ +- ((uint32_t)((y)[3] & 255)); } +- +-#define STORE64H(x, y) \ +- { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \ +- (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \ +- (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \ +- (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); } +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// CONSTANTS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-// The K array +-static const uint32_t K[64] = { +- 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, +- 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, +- 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, +- 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, +- 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, +- 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, +- 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, +- 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, +- 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, +- 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, +- 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, +- 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, +- 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL +-}; +- +-#define BLOCK_SIZE 64 +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// INTERNAL FUNCTIONS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-// Various logical functions +-#define Ch( x, y, z ) (z ^ (x & (y ^ z))) +-#define Maj( x, y, z ) (((x | y) & z) | (x & y)) +-#define S( x, n ) ror((x),(n)) +-#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n)) +-#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) +-#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) +-#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) +-#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) +- +-#define Sha256Round( a, b, c, d, e, f, g, h, i ) \ +- t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ +- t1 = Sigma0(a) + Maj(a, b, c); \ +- d += t0; \ +- h = t0 + t1; +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TransformFunction +-// +-// Compress 512-bits +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-static +-void +- TransformFunction +- ( +- Sha256Context* Context, +- uint8_t const* Buffer +- ) +-{ +- uint32_t S[8]; +- uint32_t W[64]; +- uint32_t t0; +- uint32_t t1; +- uint32_t t; +- int i; +- +- // Copy state into S +- for( i=0; i<8; i++ ) +- { +- S[i] = Context->state[i]; +- } +- +- // Copy the state into 512-bits into W[0..15] +- for( i=0; i<16; i++ ) +- { +- LOAD32H( W[i], Buffer + (4*i) ); +- } +- +- // Fill W[16..63] +- for( i=16; i<64; i++ ) +- { +- W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16]; +- } +- +- // Compress +- for( i=0; i<64; i++ ) +- { +- Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i ); +- t = S[7]; +- S[7] = S[6]; +- S[6] = S[5]; +- S[5] = S[4]; +- S[4] = S[3]; +- S[3] = S[2]; +- S[2] = S[1]; +- S[1] = S[0]; +- S[0] = t; +- } +- +- // Feedback +- for( i=0; i<8; i++ ) +- { +- Context->state[i] = Context->state[i] + S[i]; +- } +-} +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// PUBLIC FUNCTIONS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Initialise +-// +-// Initialises a SHA256 Context. Use this to initialise/reset a context. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Initialise +- ( +- Sha256Context* Context // [out] +- ) +-{ +- Context->curlen = 0; +- Context->length = 0; +- Context->state[0] = 0x6A09E667UL; +- Context->state[1] = 0xBB67AE85UL; +- Context->state[2] = 0x3C6EF372UL; +- Context->state[3] = 0xA54FF53AUL; +- Context->state[4] = 0x510E527FUL; +- Context->state[5] = 0x9B05688CUL; +- Context->state[6] = 0x1F83D9ABUL; +- Context->state[7] = 0x5BE0CD19UL; +-} +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Update +-// +-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on +-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Update +- ( +- Sha256Context* Context, // [in out] +- void const* Buffer, // [in] +- uint32_t BufferSize // [in] +- ) +-{ +- uint32_t n; +- +- if( Context->curlen > sizeof(Context->buf) ) +- { +- return; +- } +- +- while( BufferSize > 0 ) +- { +- if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE ) +- { +- TransformFunction( Context, (uint8_t*)Buffer ); +- Context->length += BLOCK_SIZE * 8; +- Buffer = (uint8_t*)Buffer + BLOCK_SIZE; +- BufferSize -= BLOCK_SIZE; +- } +- else +- { +- n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) ); +- memcpy( Context->buf + Context->curlen, Buffer, (size_t)n ); +- Context->curlen += n; +- Buffer = (uint8_t*)Buffer + n; +- BufferSize -= n; +- if( Context->curlen == BLOCK_SIZE ) +- { +- TransformFunction( Context, Context->buf ); +- Context->length += 8*BLOCK_SIZE; +- Context->curlen = 0; +- } +- } +- } +-} +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Finalise +-// +-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After +-// calling this, Sha256Initialised must be used to reuse the context. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Finalise +- ( +- Sha256Context* Context, // [in out] +- SHA256_HASH* Digest // [out] +- ) +-{ +- int i; +- +- if( Context->curlen >= sizeof(Context->buf) ) +- { +- return; +- } +- +- // Increase the length of the message +- Context->length += Context->curlen * 8; +- +- // Append the '1' bit +- Context->buf[Context->curlen++] = (uint8_t)0x80; +- +- // if the length is currently above 56 bytes we append zeros +- // then compress. Then we can fall back to padding zeros and length +- // encoding like normal. +- if( Context->curlen > 56 ) +- { +- while( Context->curlen < 64 ) +- { +- Context->buf[Context->curlen++] = (uint8_t)0; +- } +- TransformFunction(Context, Context->buf); +- Context->curlen = 0; +- } +- +- // Pad up to 56 bytes of zeroes +- while( Context->curlen < 56 ) +- { +- Context->buf[Context->curlen++] = (uint8_t)0; +- } +- +- // Store length +- STORE64H( Context->length, Context->buf+56 ); +- TransformFunction( Context, Context->buf ); +- +- // Copy output +- for( i=0; i<8; i++ ) +- { +- STORE32H( Context->state[i], Digest->bytes+(4*i) ); +- } +-} +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Calculate +-// +-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the +-// buffer. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Calculate +- ( +- void const* Buffer, // [in] +- uint32_t BufferSize, // [in] +- SHA256_HASH* Digest // [in] +- ) +-{ +- Sha256Context context; +- +- Sha256Initialise( &context ); +- Sha256Update( &context, Buffer, BufferSize ); +- Sha256Finalise( &context, Digest ); +-} +diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h +deleted file mode 100644 +index 406ed869cd82..000000000000 +--- a/policycoreutils/semodule/sha256.h ++++ /dev/null +@@ -1,89 +0,0 @@ +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// WjCryptLib_Sha256 +-// +-// Implementation of SHA256 hash function. +-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org +-// Modified by WaterJuice retaining Public Domain license. +-// +-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#pragma once +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// IMPORTS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#include +-#include +- +-typedef struct +-{ +- uint64_t length; +- uint32_t state[8]; +- uint32_t curlen; +- uint8_t buf[64]; +-} Sha256Context; +- +-#define SHA256_HASH_SIZE ( 256 / 8 ) +- +-typedef struct +-{ +- uint8_t bytes [SHA256_HASH_SIZE]; +-} SHA256_HASH; +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// PUBLIC FUNCTIONS +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Initialise +-// +-// Initialises a SHA256 Context. Use this to initialise/reset a context. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Initialise +- ( +- Sha256Context* Context // [out] +- ); +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Update +-// +-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on +-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Update +- ( +- Sha256Context* Context, // [in out] +- void const* Buffer, // [in] +- uint32_t BufferSize // [in] +- ); +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Finalise +-// +-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After +-// calling this, Sha256Initialised must be used to reuse the context. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Finalise +- ( +- Sha256Context* Context, // [in out] +- SHA256_HASH* Digest // [out] +- ); +- +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha256Calculate +-// +-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the +-// buffer. +-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha256Calculate +- ( +- void const* Buffer, // [in] +- uint32_t BufferSize, // [in] +- SHA256_HASH* Digest // [in] +- ); +-- +2.34.1 + diff --git a/0024-semodule-add-command-line-option-to-detect-module-ch.patch b/0024-semodule-add-command-line-option-to-detect-module-ch.patch new file mode 100644 index 0000000..93b5421 --- /dev/null +++ b/0024-semodule-add-command-line-option-to-detect-module-ch.patch @@ -0,0 +1,144 @@ +From 9341da3478625bb2ba2e7d4f3e227735cc9c8198 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 3 Feb 2022 17:53:27 +0100 +Subject: [PATCH] semodule: add command-line option to detect module changes + +Add a new command-line option "--rebuild-if-modules-changed" to control +the newly introduced check_ext_changes libsemanage flag. + +For example, running `semodule --rebuild-if-modules-changed` will ensure +that any externally added/removed modules (e.g. by an RPM transaction) +are reflected in the compiled policy, while skipping the most expensive +part of the rebuild if no module change was deteceted since the last +libsemanage transaction. + +Signed-off-by: Ondrej Mosnacek +--- + policycoreutils/semodule/semodule.8 | 7 +++++++ + policycoreutils/semodule/semodule.c | 32 ++++++++++++++++++++++------- + 2 files changed, 32 insertions(+), 7 deletions(-) + +diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 +index 3a2fb21c2481..d1735d216276 100644 +--- a/policycoreutils/semodule/semodule.8 ++++ b/policycoreutils/semodule/semodule.8 +@@ -23,6 +23,13 @@ force a reload of policy + .B \-B, \-\-build + force a rebuild of policy (also reloads unless \-n is used) + .TP ++.B \-\-rebuild-if-modules-changed ++Force a rebuild of the policy if any changes to module content are detected ++(by comparing with checksum from the last transaction). One can use this ++instead of \-B to ensure that any changes to the module store done by an ++external tool (e.g. a package manager) are applied, while automatically ++skipping the rebuild if there are no new changes. ++.TP + .B \-D, \-\-disable_dontaudit + Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt + .TP +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index f4a76289efa3..1ed8e69054e0 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -47,6 +47,7 @@ static int verbose; + static int reload; + static int no_reload; + static int build; ++static int check_ext_changes; + static int disable_dontaudit; + static int preserve_tunables; + static int ignore_module_cache; +@@ -149,6 +150,9 @@ static void usage(char *progname) + printf(" -c, --cil extract module as cil. This only affects module extraction.\n"); + printf(" -H, --hll extract module as hll. This only affects module extraction.\n"); + printf(" -m, --checksum print module checksum (SHA256).\n"); ++ printf(" --rebuild-if-modules-changed\n" ++ " force policy rebuild if module content changed since\n" ++ " last rebuild (based on checksum)\n"); + } + + /* Sets the global mode variable to new_mode, but only if no other +@@ -180,6 +184,7 @@ static void set_mode(enum client_modes new_mode, char *arg) + static void parse_command_line(int argc, char **argv) + { + static struct option opts[] = { ++ {"rebuild-if-modules-changed", 0, NULL, '\0'}, + {"store", required_argument, NULL, 's'}, + {"base", required_argument, NULL, 'b'}, + {"help", 0, NULL, 'h'}, +@@ -207,15 +212,26 @@ static void parse_command_line(int argc, char **argv) + }; + int extract_selected = 0; + int cil_hll_set = 0; +- int i; ++ int i, longind; + verbose = 0; + reload = 0; + no_reload = 0; ++ check_ext_changes = 0; + priority = 400; + while ((i = +- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts, +- NULL)) != -1) { ++ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", ++ opts, &longind)) != -1) { + switch (i) { ++ case '\0': ++ switch(longind) { ++ case 0: /* --rebuild-if-modules-changed */ ++ check_ext_changes = 1; ++ break; ++ default: ++ usage(argv[0]); ++ exit(1); ++ } ++ break; + case 'b': + fprintf(stderr, "The --base option is deprecated. Use --install instead.\n"); + set_mode(INSTALL_M, optarg); +@@ -300,13 +316,13 @@ static void parse_command_line(int argc, char **argv) + } + } + } +- if ((build || reload) && num_commands) { ++ if ((build || reload || check_ext_changes) && num_commands) { + fprintf(stderr, + "build or reload should not be used with other commands\n"); + usage(argv[0]); + exit(1); + } +- if (num_commands == 0 && reload == 0 && build == 0) { ++ if (num_commands == 0 && reload == 0 && build == 0 && check_ext_changes == 0) { + fprintf(stderr, "At least one mode must be specified.\n"); + usage(argv[0]); + exit(1); +@@ -395,7 +411,7 @@ int main(int argc, char *argv[]) + + cil_set_log_level(CIL_ERR + verbose); + +- if (build) ++ if (build || check_ext_changes) + commit = 1; + + sh = semanage_handle_create(); +@@ -434,7 +450,7 @@ int main(int argc, char *argv[]) + } + } + +- if (build) { ++ if (build || check_ext_changes) { + if ((result = semanage_begin_transaction(sh)) < 0) { + fprintf(stderr, "%s: Could not begin transaction: %s\n", + argv[0], errno ? strerror(errno) : ""); +@@ -807,6 +823,8 @@ cleanup_disable: + semanage_set_reload(sh, 0); + if (build) + semanage_set_rebuild(sh, 1); ++ if (check_ext_changes) ++ semanage_set_check_ext_changes(sh, 1); + if (disable_dontaudit) + semanage_set_disable_dontaudit(sh, 1); + else if (build) +-- +2.34.1 + diff --git a/0025-policycoreutils-fixfiles-Use-parallel-relabeling.patch b/0025-policycoreutils-fixfiles-Use-parallel-relabeling.patch new file mode 100644 index 0000000..ff2de09 --- /dev/null +++ b/0025-policycoreutils-fixfiles-Use-parallel-relabeling.patch @@ -0,0 +1,180 @@ +From 09f700e9f953769d1697c46179faba32e4b80c0f Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 4 Feb 2022 13:41:12 +0100 +Subject: [PATCH] policycoreutils/fixfiles: Use parallel relabeling + +Commit 93902fc8340f ("setfiles/restorecon: support parallel relabeling") +implemented support for parallel relabeling in setfiles. This is +available for fixfiles now. + +Signed-off-by: Petr Lautrbach +--- + policycoreutils/scripts/fixfiles | 35 +++++++++++++++++------------- + policycoreutils/scripts/fixfiles.8 | 17 ++++++++++----- + 2 files changed, 31 insertions(+), 21 deletions(-) + +diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles +index cb20002ab613..a4a419ab62de 100755 +--- a/policycoreutils/scripts/fixfiles ++++ b/policycoreutils/scripts/fixfiles +@@ -110,6 +110,7 @@ BOOTTIME="" + VERBOSE="-p" + [ -t 1 ] || VERBOSE="" + FORCEFLAG="" ++THREADS="" + RPMFILES="" + PREFC="" + RESTORE_MODE="" +@@ -153,7 +154,7 @@ newer() { + shift + LogReadOnly + for m in `echo $FILESYSTEMSRW`; do +- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f - ++ find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f - + done; + } + +@@ -197,7 +198,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then + esac; \ + fi; \ + done | \ +- ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -; \ ++ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -; \ + rm -f ${TEMPFILE} ${PREFCTEMPFILE} + fi + } +@@ -235,11 +236,11 @@ LogExcluded + case "$RESTORE_MODE" in + RPMFILES) + for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do +- rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f - ++ rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f - + done + ;; + FILEPATH) +- ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH" ++ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -R -- "$FILEPATH" + ;; + *) + if [ -n "${FILESYSTEMSRW}" ]; then +@@ -247,7 +248,7 @@ case "$RESTORE_MODE" in + echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" + + if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then +- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW} ++ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${THREADS} ${FC} ${FILESYSTEMSRW} + else + # we bind mount so we can fix the labels of files that have already been + # mounted over +@@ -257,7 +258,7 @@ case "$RESTORE_MODE" in + + mkdir -p "${TMP_MOUNT}${m}" || exit 1 + mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1 +- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}" ++ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}" + umount "${TMP_MOUNT}${m}" || exit 1 + rm -rf "${TMP_MOUNT}" || echo "Error cleaning up." + done; +@@ -330,8 +331,9 @@ case "$1" in + fi + > /.autorelabel || exit $? + [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel +- [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel +- [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel ++ [ -z "$BOOTTIME" ] || echo -n "-N $BOOTTIME " >> /.autorelabel ++ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo -n "-M " >> /.autorelabel ++ [ -z "$THREADS" ] || echo -n "$THREADS " >> /.autorelabel + # Force full relabel if SELinux is not enabled + selinuxenabled || echo -F > /.autorelabel + echo "System will relabel on next boot" +@@ -343,17 +345,17 @@ esac + } + usage() { + echo $""" +-Usage: $0 [-v] [-F] [-M] [-f] relabel ++Usage: $0 [-v] [-F] [-M] [-f] [-T nthreads] relabel + or +-Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify } ++Usage: $0 [-v] [-F] [-B | -N time ] [-T nthreads] { check | restore | verify } + or +-Usage: $0 [-v] [-F] { check | restore | verify } dir/file ... ++Usage: $0 [-v] [-F] [-T nthreads] { check | restore | verify } dir/file ... + or +-Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify } ++Usage: $0 [-v] [-F] [-T nthreads] -R rpmpackage[,rpmpackage...] { check | restore | verify } + or +-Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify } ++Usage: $0 [-v] [-F] [-T nthreads] -C PREVIOUS_FILECONTEXT { check | restore | verify } + or +-Usage: $0 [-F] [-M] [-B] onboot ++Usage: $0 [-F] [-M] [-B] [-T nthreads] onboot + """ + } + +@@ -372,7 +374,7 @@ set_restore_mode() { + } + + # See how we were called. +-while getopts "N:BC:FfR:l:vM" i; do ++while getopts "N:BC:FfR:l:vMT:" i; do + case "$i" in + B) + BOOTTIME=`/bin/who -b | awk '{print $3}'` +@@ -407,6 +409,9 @@ while getopts "N:BC:FfR:l:vM" i; do + f) + fullFlag=1 + ;; ++ T) ++ THREADS="-T $OPTARG" ++ ;; + *) + usage + exit 1 +diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8 +index c4e894e56e8f..9a317d9181e2 100644 +--- a/policycoreutils/scripts/fixfiles.8 ++++ b/policycoreutils/scripts/fixfiles.8 +@@ -6,22 +6,22 @@ fixfiles \- fix file SELinux security contexts. + .na + + .B fixfiles +-.I [\-v] [\-F] [-M] [\-f] relabel ++.I [\-v] [\-F] [-M] [\-f] [\-T nthreads] relabel + + .B fixfiles +-.I [\-v] [\-F] { check | restore | verify } dir/file ... ++.I [\-v] [\-F] [\-T nthreads] { check | restore | verify } dir/file ... + + .B fixfiles +-.I [\-v] [\-F] [\-B | \-N time ] { check | restore | verify } ++.I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify } + + .B fixfiles +-.I [\-v] [\-F] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify } ++.I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify } + + .B fixfiles +-.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify } ++.I [\-v] [\-F] [\-T nthreads] \-C PREVIOUS_FILECONTEXT { check | restore | verify } + + .B fixfiles +-.I [-F] [-M] [-B] onboot ++.I [-F] [-M] [-B] [\-T nthreads] onboot + + .ad + +@@ -76,6 +76,11 @@ Bind mount filesystems before relabeling them, this allows fixing the context of + .B -v + Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p) + ++.TP ++.B \-T nthreads ++Use parallel relabeling, see ++.B setfiles(8) ++ + .SH "ARGUMENTS" + One of: + .TP +-- +2.34.1 + diff --git a/policycoreutils.spec b/policycoreutils.spec index eafda84..bff54d6 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,6 +1,6 @@ %global libauditver 3.0 %global libsepolver 3.3-1 -%global libsemanagever 3.3-1 +%global libsemanagever 3.3-3 %global libselinuxver 3.3-2 %global generatorsdir %{_prefix}/lib/systemd/system-generators @@ -11,7 +11,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 3.3 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2 # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/selinux-3.3.tar.gz @@ -53,6 +53,9 @@ Patch0019: 0019-setfiles-restorecon-support-parallel-relabeling.patch Patch0020: 0020-semodule-add-m-checksum-option.patch Patch0021: 0021-semodule-Fix-lang_ext-column-index.patch Patch0022: 0022-semodule-Don-t-forget-to-munmap-data.patch +Patch0023: 0023-semodule-libsemanage-move-module-hashing-into-libsem.patch +Patch0024: 0024-semodule-add-command-line-option-to-detect-module-ch.patch +Patch0025: 0025-policycoreutils-fixfiles-Use-parallel-relabeling.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2 @@ -479,6 +482,10 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Sat Feb 19 2022 Petr Lautrbach - 3.3-4 +- semodule: add command-line option to detect module changes +- fixfiles: Use parallel relabeling + * Fri Jan 21 2022 Fedora Release Engineering - 3.3-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild