
Bug#984642: unblock: policycoreutils/3.1-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package policycoreutils

(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)

[ Reason ]
This version fixes bug #983447 which is grave and risks kicking the package
out of Bullseye.  It also closes bug #922448 and avoids trying to relabel
non-persistent filesystems on reboot.

[ Impact ]
All SE Linux packages get removed from Debian I guess, catastrophic for all
SE Linux users in Debian.

[ Tests ]
Manual test is to create an empty file /.autorelabel and reboot the system
and verify that it causes a relabel, then create a file /.autorelabel with
the contents "-F" and verify that it works.

[ Risks ]
The changed code is pretty simple, and in day to day usage it isn't even
used.  It's only used for corner cases of an initial installation.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock policycoreutils/3.1-3

Here is the debdiff:

diff -Nru policycoreutils-3.1/debian/changelog policycoreutils-3.1/debian/changelog
--- policycoreutils-3.1/debian/changelog	2021-02-11 02:46:48.000000000 +1100
+++ policycoreutils-3.1/debian/changelog	2021-03-05 20:45:24.000000000 +1100
@@ -1,3 +1,16 @@
+policycoreutils (3.1-3) unstable; urgency=medium
+
+  * Remove needless quotes around $FORCE variable in
+    /lib/systemd/selinux-autorelabel to avoid shell error on empty file
+    Closes: #983447
+  * Add check for noautorelabel command line option to prevent relabeling
+    Closes: #922448
+  * Make fixfiles avoid trying to relabel tmpfs and other non-permanent
+    filesystems
+    Closes: #984567
+
+ -- Russell Coker <russell@coker.com.au>  Fri, 05 Mar 2021 20:45:24 +1100
+
 policycoreutils (3.1-2) unstable; urgency=medium
 
   [ Laurent Bigonville ]
diff -Nru policycoreutils-3.1/debian/local/selinux-autorelabel policycoreutils-3.1/debian/local/selinux-autorelabel
--- policycoreutils-3.1/debian/local/selinux-autorelabel	2021-02-11 02:46:48.000000000 +1100
+++ policycoreutils-3.1/debian/local/selinux-autorelabel	2021-03-05 20:32:47.000000000 +1100
@@ -29,7 +29,7 @@
 
 	FORCE=$(cat /.autorelabel)
 	[ -x "/sbin/quotaoff" ] && /sbin/quotaoff -aug
-	/sbin/fixfiles "$FORCE" restore
+	/sbin/fixfiles $FORCE restore
     fi
     rm -f  /.autorelabel
     [ -x /usr/lib/dracut/dracut-initramfs-restore ] && /usr/lib/dracut/dracut-initramfs-restore
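Review bot: on the `/sbin/fixfiles $FORCE restore` line, the unquoted expansion passes whatever /.autorelabel contains through word splitting and pathname expansion into a command run as root at boot, so the contents should be validated rather than trusted. The request documents only two expected contents, an empty file and "-F"; consider accepting only those before the call, for example `case "$FORCE" in ""|-F) ;; *) FORCE= ;; esac`, or keep the quoting and write `${FORCE:+"$FORCE"}` so an empty file yields no argument at all.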
diff -Nru policycoreutils-3.1/debian/local/selinux-autorelabel-generator.sh policycoreutils-3.1/debian/local/selinux-autorelabel-generator.sh
--- policycoreutils-3.1/debian/local/selinux-autorelabel-generator.sh	2021-02-11 02:46:48.000000000 +1100
+++ policycoreutils-3.1/debian/local/selinux-autorelabel-generator.sh	2021-03-05 20:05:29.000000000 +1100
@@ -21,6 +21,9 @@
 }
 
 if selinuxenabled; then
+    if grep -sqE "\bnoautorelabel\b" /proc/cmdline; then
+        exit 0
+    fi
     if test -f /.autorelabel; then
         set_target
     elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
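Review bot: `\bnoautorelabel\b` in the added grep matches the word anywhere in /proc/cmdline where it is bounded by non-word characters, including inside another parameter's value (after a `/`, `=` or `-`), so it is looser than a test for a standalone option; `(^|[[:space:]])noautorelabel([[:space:]]|$)` would restrict it to a whole parameter. Also, because the `exit 0` sits above the `test -f /.autorelabel` branch, the option takes precedence over the flag file and the file is not consumed, so the relabel is only deferred to the next boot without the option; that precedence deserves a comment here and a line in the documentation.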
diff -Nru policycoreutils-3.1/debian/patches/fixfiles-remove-extras policycoreutils-3.1/debian/patches/fixfiles-remove-extras
--- policycoreutils-3.1/debian/patches/fixfiles-remove-extras	1970-01-01 10:00:00.000000000 +1000
+++ policycoreutils-3.1/debian/patches/fixfiles-remove-extras	2021-03-05 20:37:08.000000000 +1100
@@ -0,0 +1,13 @@
+Index: policycoreutils-3.1/scripts/fixfiles
+===================================================================
+--- policycoreutils-3.1.orig/scripts/fixfiles
++++ policycoreutils-3.1/scripts/fixfiles
+@@ -45,7 +45,7 @@ FS="`cat /proc/self/mounts | sort | uniq
+ for i in $FS; do
+ 	if [ `useseclabel` -ge 0 ]
+ 	then
+-		grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)seclabel(,|$)' && echo $i
++		grep " $i " /proc/self/mounts | egrep -v "(tmpfs)|( /sys)|(^devpts)|(^hugetlbfs)|(^mqueue)" | awk '{print $4}' | egrep --silent '(^|,)seclabel(,|$)' && echo $i
+ 	else
+ 		grep " $i " /proc/self/mounts | grep -v "context=" | egrep --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
+ 	fi
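Review bot: the added `egrep -v` filters the whole /proc/self/mounts line with unanchored patterns, so `(tmpfs)` drops any mount whose device or mount point merely contains "tmpfs" and `( /sys)` drops any mount point that begins with /sys (such as /sysroot), leaving a persistent filesystem there silently unrelabeled. Match on the filesystem type field instead, for example by having awk test `$3` against the excluded types and `$2` against /sys and its subdirectories before printing `$4`. The patch file also carries no description or bug reference header; add one that points at #984567.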
diff -Nru policycoreutils-3.1/debian/patches/series policycoreutils-3.1/debian/patches/series
--- policycoreutils-3.1/debian/patches/series	2021-02-11 02:46:48.000000000 +1100
+++ policycoreutils-3.1/debian/patches/series	2021-03-05 20:33:22.000000000 +1100
@@ -1 +1,2 @@
 fixfiles-correctly-restore-context-of-mountpoints.patch
+fixfiles-remove-extras
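Review bot: the new series entry `fixfiles-remove-extras` has no `.patch` suffix while the existing entry above it does; rename the file to `fixfiles-remove-extras.patch` so the series stays consistent.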

