Bug#984642: unblock: policycoreutils/3.1-3

Russell Coker Sat, 06 Mar 2021 06:30:17 -0800

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock


Please unblock package policycoreutils

(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)

[ Reason ]
This version fixes bug #983447 which is grave and risks kicking the package
out of Bullseye.  It also closes bug #922448 and avoids trying to relabel
non-persistent filesystems on reboot.

[ Impact ]
All SE Linux packages get removed from Debian I guess, catastrophic for all
SE Linux users in Debian.

[ Tests ]
Manual test is to create an empty file /.autorelabel and reboot the system
and verify that it causes a relabel, then create a file /.autorelabel with
the contents "-F" and verify that it works.

[ Risks ]
The changed code is pretty simple, and in day to day usage it isn't even
used.  It's only used for corner cases of an initial installation.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock policycoreutils/3.1-3

Here is the debdiff:

diff -Nru policycoreutils-3.1/debian/changelog 
policycoreutils-3.1/debian/changelog
--- policycoreutils-3.1/debian/changelog        2021-02-11 02:46:48.000000000 
+1100
+++ policycoreutils-3.1/debian/changelog        2021-03-05 20:45:24.000000000 
+1100
@@ -1,3 +1,16 @@
+policycoreutils (3.1-3) unstable; urgency=medium
+
+  * Remove needless quotes around $FORCE variable in
+    /lib/systemd/selinux-autorelabel to avoid shell error on empty file
+    Closes: #983447
+  * Add check for noautorelabel command line option to prevent relabeling
+    Closes: #922448
+  * Make fixfiles avoid trying to relabel tmpfs and other non-permanent
+    filesystems
+    Closes: #984567
+
+ -- Russell Coker <russ...@coker.com.au>  Fri, 05 Mar 2021 20:45:24 +1100
+
 policycoreutils (3.1-2) unstable; urgency=medium
 
   [ Laurent Bigonville ]
diff -Nru policycoreutils-3.1/debian/local/selinux-autorelabel 
policycoreutils-3.1/debian/local/selinux-autorelabel
--- policycoreutils-3.1/debian/local/selinux-autorelabel        2021-02-11 
02:46:48.000000000 +1100
+++ policycoreutils-3.1/debian/local/selinux-autorelabel        2021-03-05 
20:32:47.000000000 +1100
@@ -29,7 +29,7 @@
 
        FORCE=$(cat /.autorelabel)
        [ -x "/sbin/quotaoff" ] && /sbin/quotaoff -aug
-       /sbin/fixfiles "$FORCE" restore
+       /sbin/fixfiles $FORCE restore
     fi
     rm -f  /.autorelabel
     [ -x /usr/lib/dracut/dracut-initramfs-restore ] && 
/usr/lib/dracut/dracut-initramfs-restore
diff -Nru policycoreutils-3.1/debian/local/selinux-autorelabel-generator.sh 
policycoreutils-3.1/debian/local/selinux-autorelabel-generator.sh
--- policycoreutils-3.1/debian/local/selinux-autorelabel-generator.sh   
2021-02-11 02:46:48.000000000 +1100
+++ policycoreutils-3.1/debian/local/selinux-autorelabel-generator.sh   
2021-03-05 20:05:29.000000000 +1100
@@ -21,6 +21,9 @@
 }
 
 if selinuxenabled; then
+    if grep -sqE "\bnoautorelabel\b" /proc/cmdline; then
+        exit 0
+    fi
     if test -f /.autorelabel; then
         set_target
     elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
diff -Nru policycoreutils-3.1/debian/patches/fixfiles-remove-extras 
policycoreutils-3.1/debian/patches/fixfiles-remove-extras
--- policycoreutils-3.1/debian/patches/fixfiles-remove-extras   1970-01-01 
10:00:00.000000000 +1000
+++ policycoreutils-3.1/debian/patches/fixfiles-remove-extras   2021-03-05 
20:37:08.000000000 +1100
@@ -0,0 +1,13 @@
+Index: policycoreutils-3.1/scripts/fixfiles
+===================================================================
+--- policycoreutils-3.1.orig/scripts/fixfiles
++++ policycoreutils-3.1/scripts/fixfiles
+@@ -45,7 +45,7 @@ FS="`cat /proc/self/mounts | sort | uniq
+ for i in $FS; do
+       if [ `useseclabel` -ge 0 ]
+       then
+-              grep " $i " /proc/self/mounts | awk '{print $4}' | egrep 
--silent '(^|,)seclabel(,|$)' && echo $i
++              grep " $i " /proc/self/mounts | egrep -v "(tmpfs)|( 
/sys)|(^devpts)|(^hugetlbfs)|(^mqueue)" | awk '{print $4}' | egrep --silent 
'(^|,)seclabel(,|$)' && echo $i
+       else
+               grep " $i " /proc/self/mounts | grep -v "context=" | egrep 
--silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
+       fi
diff -Nru policycoreutils-3.1/debian/patches/series 
policycoreutils-3.1/debian/patches/series
--- policycoreutils-3.1/debian/patches/series   2021-02-11 02:46:48.000000000 
+1100
+++ policycoreutils-3.1/debian/patches/series   2021-03-05 20:33:22.000000000 
+1100
@@ -1 +1,2 @@
 fixfiles-correctly-restore-context-of-mountpoints.patch
+fixfiles-remove-extras

Bug#984642: unblock: policycoreutils/3.1-3

Reply via email to