!107 backport patches from upstream

From: @markeryang 
Reviewed-by: @zhengxiaoxiaoGitee, @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-fixfiles-use-grep-F-when-search-in-mounts.patch

@@ -0,0 +1,56 @@
+From cd8d6c7f827845399ff7b5176dbc4496d48a0814 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Wed, 13 Nov 2024 14:02:00 +0100
+Subject: [PATCH] fixfiles: use `grep -F` when search in mounts
+
+systemd escapes luks uid so that mount points contain '\' and grep
+should not consider this as regexp
+Fixes:
+    $ cat /proc/self/mounts | sort | uniq | awk '{print $2}'
+    /run/credentials/systemd-cryptsetup@luks\134x2d6d1f41e6\134x2d5538\134x2d41a0\134x2db383\134x2cd41c2ddcacaa.service
+
+    $ sudo fixfiles -B onboot
+    grep: Invalid back reference
+    grep: Invalid back reference
+    System will relabel on next boot
+
+Suggested-by: Christopher Tubbs <ctubbsii@fedoraproject.org>
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ policycoreutils/scripts/fixfiles | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 9e6610e..2133cb8 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -45,9 +45,9 @@ FS="`cat /proc/self/mounts | sort | uniq | awk '{print $2}'`"
+ for i in $FS; do
+ 	if [ `useseclabel` -ge 0 ]
+ 	then
+-		grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)seclabel(,|$)' && echo $i
++		grep -F " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)seclabel(,|$)' && echo $i
+ 	else
+-		grep " $i " /proc/self/mounts | grep -v "context=" | egrep --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
++		grep -F " $i " /proc/self/mounts | grep -v "context=" | grep -E --silent '(ext[234]| ext4dev | gfs2 | xfs | jfs | btrfs )' && echo $i
+ 	fi
+ done
+ }
+@@ -55,14 +55,14 @@ done
+ get_rw_labeled_mounts() {
+ FS=`get_all_labeled_mounts | sort | uniq`
+ for i in $FS; do
+-	grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)rw(,|$)' && echo $i
++	grep -F " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)rw(,|$)' && echo $i
+ done
+ }
+ 
+ get_ro_labeled_mounts() {
+ FS=`get_all_labeled_mounts | sort | uniq`
+ for i in $FS; do
+-	grep " $i " /proc/self/mounts | awk '{print $4}' | egrep --silent '(^|,)ro(,|$)' && echo $i
++	grep -F " $i " /proc/self/mounts | awk '{print $4}' | grep -E --silent '(^|,)ro(,|$)' && echo $i
+ done
+ }
+ 

backport-newrole-silence-compiler-warnings.patch

@@ -0,0 +1,156 @@
+From 29e167a448eff9aaee13d3c51c56641959d4ca7f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 22 Feb 2022 14:51:41 +0100
+Subject: [PATCH] newrole: silence compiler warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+    newrole.c:636:12: warning: function declaration isn’t a prototype [-Wstrict-prototypes]
+      636 | static int transition_to_caller_uid()
+          |            ^~~~~~~~~~~~~~~~~~~~~~~~
+
+    newrole.c:103:9: warning: macro is not used [-Wunused-macros]
+    #define DEFAULT_CONTEXT_SIZE 255        /* first guess at context size */
+            ^
+
+    newrole.c:862:4: warning: 'break' will never be executed [-Wunreachable-code-break]
+                            break;
+                            ^~~~~
+
+    newrole.c:168:13: warning: no previous extern declaration for non-static variable 'service_name' [-Wmissing-variable-declarations]
+    const char *service_name = "newrole";
+                ^
+
+    hashtab.c:53:11: warning: implicit conversion changes signedness: 'unsigned int' to 'int' [-Wsign-conversion]
+            hvalue = h->hash_value(h, key);
+                   ~ ^~~~~~~~~~~~~~~~~~~~~
+    hashtab.c:92:11: warning: implicit conversion changes signedness: 'unsigned int' to 'int' [-Wsign-conversion]
+            hvalue = h->hash_value(h, key);
+                   ~ ^~~~~~~~~~~~~~~~~~~~~
+    hashtab.c:124:11: warning: implicit conversion changes signedness: 'unsigned int' to 'int' [-Wsign-conversion]
+            hvalue = h->hash_value(h, key);
+                   ~ ^~~~~~~~~~~~~~~~~~~~~
+    hashtab.c:172:10: warning: implicit conversion changes signedness: 'int' to 'unsigned int' [-Wsign-conversion]
+                            ret = apply(cur->key, cur->datum, args);
+                                ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    hashtab.c:174:12: warning: implicit conversion changes signedness: 'unsigned int' to 'int' [-Wsign-conversion]
+                                    return ret;
+                                    ~~~~~~ ^~~
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ policycoreutils/newrole/hashtab.c |  9 +++++----
+ policycoreutils/newrole/newrole.c | 15 ++++++---------
+ 2 files changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/policycoreutils/newrole/hashtab.c b/policycoreutils/newrole/hashtab.c
+index bc502836..26d4f4c7 100644
+--- a/policycoreutils/newrole/hashtab.c
++++ b/policycoreutils/newrole/hashtab.c
+@@ -44,7 +44,7 @@ hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
+ 
+ int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum)
+ {
+-	int hvalue;
++	unsigned int hvalue;
+ 	hashtab_ptr_t prev, cur, newnode;
+ 
+ 	if (!h)
+@@ -83,7 +83,7 @@ int hashtab_remove(hashtab_t h, hashtab_key_t key,
+ 		   void (*destroy) (hashtab_key_t k,
+ 				    hashtab_datum_t d, void *args), void *args)
+ {
+-	int hvalue;
++	unsigned int hvalue;
+ 	hashtab_ptr_t cur, last;
+ 
+ 	if (!h)
+@@ -115,7 +115,7 @@ int hashtab_remove(hashtab_t h, hashtab_key_t key,
+ hashtab_datum_t hashtab_search(hashtab_t h, const_hashtab_key_t key)
+ {
+ 
+-	int hvalue;
++	unsigned int hvalue;
+ 	hashtab_ptr_t cur;
+ 
+ 	if (!h)
+@@ -160,8 +160,9 @@ int hashtab_map(hashtab_t h,
+ 		int (*apply) (hashtab_key_t k,
+ 			      hashtab_datum_t d, void *args), void *args)
+ {
+-	unsigned int i, ret;
++	unsigned int i;
+ 	hashtab_ptr_t cur;
++	int ret;
+ 
+ 	if (!h)
+ 		return HASHTAB_SUCCESS;
+diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
+index 9d68b6ab..c9989863 100644
+--- a/policycoreutils/newrole/newrole.c
++++ b/policycoreutils/newrole/newrole.c
+@@ -100,7 +100,6 @@
+ #endif
+ 
+ #define DEFAULT_PATH "/usr/bin:/bin"
+-#define DEFAULT_CONTEXT_SIZE 255	/* first guess at context size */
+ 
+ extern char **environ;
+ 
+@@ -115,7 +114,7 @@ extern char **environ;
+  *
+  * Returns malloc'd memory
+  */
+-static char *build_new_range(char *newlevel, const char *range)
++static char *build_new_range(const char *newlevel, const char *range)
+ {
+ 	char *newrangep = NULL;
+ 	const char *tmpptr;
+@@ -166,7 +165,7 @@ static char *build_new_range(char *newlevel, const char *range)
+ #include <security/pam_appl.h>	/* for PAM functions */
+ #include <security/pam_misc.h>	/* for misc_conv PAM utility function */
+ 
+-const char *service_name = "newrole";
++static const char *service_name = "newrole";
+ 
+ /* authenticate_via_pam()
+  *
+@@ -230,14 +229,13 @@ static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d,
+ 
+ static unsigned int reqsymhash(hashtab_t h, const_hashtab_key_t key)
+ {
+-	char *p, *keyp;
++	const char *p;
+ 	size_t size;
+ 	unsigned int val;
+ 
+ 	val = 0;
+-	keyp = (char *)key;
+-	size = strlen(keyp);
+-	for (p = keyp; ((size_t) (p - keyp)) < size; p++)
++	size = strlen(key);
++	for (p = key; ((size_t) (p - key)) < size; p++)
+ 		val =
+ 		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
+ 	return val & (h->size - 1);
+@@ -623,7 +621,7 @@ static inline int drop_capabilities(__attribute__ ((__unused__)) int full)
+  * This function will set the uid values to be that of caller's uid, and
+  * will drop any privilege which may have been raised.
+  */
+-static int transition_to_caller_uid()
++static int transition_to_caller_uid(void)
+ {
+ 	uid_t uid = getuid();
+ 
+@@ -850,7 +848,6 @@ static int parse_command_line_arguments(int argc, char **argv, char *ttyn,
+ 		case 'V':
+ 			printf("newrole: %s version %s\n", PACKAGE, VERSION);
+ 			exit(0);
+-			break;
+ 		case 'p':
+ 			*preserve_environment = 1;
+ 			break;
+-- 
+2.33.0
+

backport-newrole-use-DJB2a-string-hash-function.patch

@@ -0,0 +1,53 @@
+From 3089f1f2fd92684372e8141f1f5dbfd97b859983 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 16 Aug 2023 14:38:45 +0200
+Subject: [PATCH] newrole: use DJB2a string hash function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The hash table implementation uses `& (h->size - 1)` to truncate
+generated hashes to the number of buckets.  This operation is equal to
+`% h->size` if and only if the size is a power of two (which seems to be
+always the case).  One property of the binary and with a power of two
+(and probably a small one <=2048) is all higher bits are discarded.
+Thus a hash function is needed with a good avalanche effect, which the
+current one is not.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ policycoreutils/newrole/newrole.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
+index d9efa68a..5a1a1129 100644
+--- a/policycoreutils/newrole/newrole.c
++++ b/policycoreutils/newrole/newrole.c
+@@ -229,16 +229,13 @@ static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d,
+ 
+ static unsigned int reqsymhash(hashtab_t h, const_hashtab_key_t key)
+ {
+-	const char *p;
+-	size_t size;
+-	unsigned int val;
+-
+-	val = 0;
+-	size = strlen(key);
+-	for (p = key; ((size_t) (p - key)) < size; p++)
+-		val =
+-		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
+-	return val & (h->size - 1);
++	unsigned int hash = 5381;
++	unsigned char c;
++
++	while ((c = *(unsigned const char *)key++))
++		hash = ((hash << 5) + hash) ^ c;
++
++	return hash & (h->size - 1);
+ }
+ 
+ static int reqsymcmp(hashtab_t h
+-- 
+2.33.0
+

backport-python-Harden-more-tools-against-rogue-modules.patch

@@ -0,0 +1,98 @@
+From 94389f21022be68cb048b4b76d32c0f2440b15ee Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 6 Dec 2023 15:31:51 +0100
+Subject: [PATCH] python: Harden more tools against "rogue" modules
+
+Python scripts present in the same directory as the tool
+override regular modules.
+
+Fixes:
+      #cat > /usr/bin/signal.py <<EOF
+      import sys
+      print("BAD GUY!", file=sys.stderr)
+      sys.exit(1)
+      EOF
+      #sandbox date
+      BAD GUY!
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ dbus/selinux_server.py       | 2 +-
+ gui/polgengui.py             | 2 +-
+ gui/system-config-selinux.py | 6 +++---
+ sandbox/sandbox              | 2 +-
+ sandbox/start                | 2 +-
+ 5 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
+index a969f226..469c526f 100644
+--- a/dbus/selinux_server.py
++++ b/dbus/selinux_server.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3
++#!/usr/bin/python3 -EsI
+ 
+ import dbus
+ import dbus.service
+diff --git a/gui/polgengui.py b/gui/polgengui.py
+index 16116ba6..9c151a11 100644
+--- a/gui/polgengui.py
++++ b/gui/polgengui.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+ #
+ # polgengui.py - GUI for SELinux Config tool in system-config-selinux
+ #
+diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
+index 9f53b7fe..0b6ba4b5 100644
+--- a/gui/system-config-selinux.py
++++ b/gui/system-config-selinux.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+ #
+ # system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
+ #
+@@ -32,6 +32,8 @@ except RuntimeError as e:
+     print("This is a graphical application and requires DISPLAY to be set.")
+     sys.exit(1)
+ 
++sys.path.append('/usr/share/system-config-selinux')
++
+ from gi.repository import GObject
+ import statusPage
+ import booleansPage
+@@ -66,8 +68,6 @@ except:
+ 
+ version = "1.0"
+ 
+-sys.path.append('/usr/share/system-config-selinux')
+-
+ 
+ ##
+ ## Pull in the Glade file
+diff --git a/sandbox/sandbox b/sandbox/sandbox
+index a2762a7d..fe631a92 100644
+--- a/sandbox/sandbox
++++ b/sandbox/sandbox
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+ # Authors: Dan Walsh <dwalsh@redhat.com>
+ # Authors: Thomas Liu <tliu@fedoraproject.org>
+ # Authors: Josh Cogliati
+diff --git a/sandbox/start b/sandbox/start
+index 4ed3cb5c..3c1a1783 100644
+--- a/sandbox/start
++++ b/sandbox/start
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+ try:
+     from subprocess import getstatusoutput
+ except ImportError:
+-- 
+2.33.0
+

backport-python-semanage-Allow-modifying-records-on-add.patch

@@ -0,0 +1,395 @@
+From f5d4b60e69e818d561ab645ff27b9bba68d5163e Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 14 Feb 2024 13:08:40 +0100
+Subject: [PATCH] python/semanage: Allow modifying records on "add"
+
+When trying to add a record with a key that already exists, modify
+the existing record instead.
+
+Also, fix "semanage -m -e" (add_equal was called instead of
+modify_equal), which meant that existing local equivalency couldn't be
+modified (though a user could remove it and add a modified
+equivalency).
+
+Fixes:
+  https://github.com/SELinuxProject/selinux/issues/412
+  When a port or login definition present in the policy is modified
+  using "semanage port -m", "semanage export" exports the command as
+  "port -a" instead of "port -m". This results in "semanage import"
+  failing (port already defined). The same is true for port, user,
+  login, ibpkey, ibendport, node, interface and fcontext.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ python/semanage/semanage    |   2 +-
+ python/semanage/seobject.py | 208 +++++++++++++++++++++++++-----------
+ 2 files changed, 147 insertions(+), 63 deletions(-)
+ 
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 4fdb490f..b269b9fc 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -322,7 +322,7 @@ def handleFcontext(args):
+             OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
+     if args.action == "modify":
+         if args.equal:
+-            OBJECT.add_equal(args.file_spec, args.equal)
++            OBJECT.modify_equal(args.file_spec, args.equal)
+         else:
+             OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
+     if args.action == "delete":
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index 8769a1f..adb0b59 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -561,11 +561,6 @@ class loginRecords(semanageRecords):
+         if rc < 0:
+             raise ValueError(_("Could not create a key for %s") % name)
+ 
+-        (rc, exists) = semanage_seuser_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if login mapping for %s is defined") % name)
+-        if exists:
+-            raise ValueError(_("Login mapping for %s is already defined") % name)
+         if name[0] == '%':
+             try:
+                 grp.getgrnam(name[1:])
+@@ -604,11 +599,29 @@ class loginRecords(semanageRecords):
+     def add(self, name, sename, serange):
+         try:
+             self.begin()
+-            self.__add(name, sename, serange)
++            # Add a new mapping, or modify an existing one
++            if self.__exists(name):
++                print(_("Login mapping for %s is already defined, modifying instead") % name)
++                self.__modify(name, sename, serange)
++            else:
++                self.__add(name, sename, serange)
+             self.commit()
+         except ValueError as error:
+             raise error
+ 
++    # check if login mapping for given user exists
++    def __exists(self, name):
++        (rc, k) = semanage_seuser_key_create(self.sh, name)
++        if rc < 0:
++            raise ValueError(_("Could not create a key for %s") % name)
++
++        (rc, exists) = semanage_seuser_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if login mapping for %s is defined") % name)
++        semanage_seuser_key_free(k)
++
++        return exists
++
+     def __modify(self, name, sename="", serange=""):
+         rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
+         if sename == "" and serange == "":
+@@ -825,12 +838,6 @@ class seluserRecords(semanageRecords):
+         if rc < 0:
+             raise ValueError(_("Could not create a key for %s") % name)
+ 
+-        (rc, exists) = semanage_user_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if SELinux user %s is defined") % name)
+-        if exists:
+-            raise ValueError(_("SELinux user %s is already defined") % name)
+-
+         (rc, u) = semanage_user_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create SELinux user for %s") % name)
+@@ -870,12 +877,28 @@ class seluserRecords(semanageRecords):
+     def add(self, name, roles, selevel, serange, prefix):
+         try:
+             self.begin()
+-            self.__add(name, roles, selevel, serange, prefix)
++            if self.__exists(name):
++                print(_("SELinux user %s is already defined, modifying instead") % name)
++                self.__modify(name, roles, selevel, serange, prefix)
++            else:
++                self.__add(name, roles, selevel, serange, prefix)
+             self.commit()
+         except ValueError as error:
+             self.mylog.commit(0)
+             raise error
+ 
++    def __exists(self, name):
++        (rc, k) = semanage_user_key_create(self.sh, name)
++        if rc < 0:
++            raise ValueError(_("Could not create a key for %s") % name)
++
++        (rc, exists) = semanage_user_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if SELinux user %s is defined") % name)
++        semanage_user_key_free(k)
++
++        return exists
++
+     def __modify(self, name, roles=[], selevel="", serange="", prefix=""):
+         oldserole = ""
+         oldserange = ""
+@@ -1107,12 +1130,6 @@ class portRecords(semanageRecords):
+ 
+         (k, proto_d, low, high) = self.__genkey(port, proto)
+ 
+-        (rc, exists) = semanage_port_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
+-        if exists:
+-            raise ValueError(_("Port %s/%s already defined") % (proto, port))
+-
+         (rc, p) = semanage_port_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create port for %s/%s") % (proto, port))
+@@ -1156,9 +1173,23 @@ class portRecords(semanageRecords):
+ 
+     def add(self, port, proto, serange, type):
+         self.begin()
+-        self.__add(port, proto, serange, type)
++        if self.__exists(port, proto):
++            print(_("Port {proto}/{port} already defined, modifying instead").format(proto=proto, port=port))
++            self.__modify(port, proto, serange, type)
++        else:
++            self.__add(port, proto, serange, type)
+         self.commit()
+ 
++    def __exists(self, port, proto):
++        (k, proto_d, low, high) = self.__genkey(port, proto)
++
++        (rc, exists) = semanage_port_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
++        semanage_port_key_free(k)
++
++        return exists
++
+     def __modify(self, port, proto, serange, setype):
+         if serange == "" and setype == "":
+             if is_mls_enabled == 1:
+@@ -1381,12 +1412,6 @@ class ibpkeyRecords(semanageRecords):
+ 
+         (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+ 
+-        (rc, exists) = semanage_ibpkey_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
+-        if exists:
+-            raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey))
+-
+         (rc, p) = semanage_ibpkey_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey))
+@@ -1428,9 +1453,23 @@ class ibpkeyRecords(semanageRecords):
+ 
+     def add(self, pkey, subnet_prefix, serange, type):
+         self.begin()
+-        self.__add(pkey, subnet_prefix, serange, type)
++        if self.__exists(pkey, subnet_prefix):
++            print(_("ibpkey {subnet_prefix}/{pkey} already defined, modifying instead").format(subnet_prefix=subnet_prefix, pkey=pkey))
++            self.__modify(pkey, subnet_prefix, serange, type)
++        else:
++            self.__add(pkey, subnet_prefix, serange, type)
+         self.commit()
+ 
++    def __exists(self, pkey, subnet_prefix):
++        (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
++
++        (rc, exists) = semanage_ibpkey_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").formnat(subnet_prefix=subnet_prefix, pkey=pkey))
++        semanage_ibpkey_key_free(k)
++
++        return exists
++
+     def __modify(self, pkey, subnet_prefix, serange, setype):
+         if serange == "" and setype == "":
+             if is_mls_enabled == 1:
+@@ -1635,12 +1674,6 @@ class ibendportRecords(semanageRecords):
+             raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
+         (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
+ 
+-        (rc, exists) = semanage_ibendport_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port))
+-        if exists:
+-            raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port))
+-
+         (rc, p) = semanage_ibendport_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port))
+@@ -1682,9 +1715,23 @@ class ibendportRecords(semanageRecords):
+ 
+     def add(self, ibendport, ibdev_name, serange, type):
+         self.begin()
+-        self.__add(ibendport, ibdev_name, serange, type)
++        if self.__exists(ibendport, ibdev_name):
++            print(_("ibendport {ibdev_name}/{port} already defined, modifying instead").format(ibdev_name=ibdev_name, port=port))
++            self.__modify(ibendport, ibdev_name, serange, type)
++        else:
++            self.__add(ibendport, ibdev_name, serange, type)
+         self.commit()
+ 
++    def __exists(self, ibendport, ibdev_name):
++        (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
++
++        (rc, exists) = semanage_ibendport_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if ibendport {ibdev_name}/{port} is defined").format(ibdev_name=ibdev_name, port=port))
++        semanage_ibendport_key_free(k)
++
++        return exists
++
+     def __modify(self, ibendport, ibdev_name, serange, setype):
+         if serange == "" and setype == "":
+             if is_mls_enabled == 1:
+@@ -1906,12 +1953,6 @@ class nodeRecords(semanageRecords):
+         if rc < 0:
+             raise ValueError(_("Could not create key for %s") % addr)
+ 
+-        (rc, exists) = semanage_node_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if addr %s is defined") % addr)
+-        if exists:
+-            raise ValueError(_("Addr %s already defined") % addr)
+-
+         (rc, node) = semanage_node_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create addr for %s") % addr)
+@@ -1959,9 +2000,27 @@ class nodeRecords(semanageRecords):
+ 
+     def add(self, addr, mask, proto, serange, ctype):
+         self.begin()
+-        self.__add(addr, mask, proto, serange, ctype)
++        if self.__exists(addr, mask, proto):
++            print(_("Addr %s already defined, modifying instead") % addr)
++            self.__modify(addr, mask, proto, serange, ctype)
++        else:
++            self.__add(addr, mask, proto, serange, ctype)
+         self.commit()
+ 
++    def __exists(self, addr, mask, proto):
++        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
++
++        (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
++        if rc < 0:
++            raise ValueError(_("Could not create key for %s") % addr)
++
++        (rc, exists) = semanage_node_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if addr %s is defined") % addr)
++        semanage_node_key_free(k)
++
++        return exists
++
+     def __modify(self, addr, mask, proto, serange, setype):
+         addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
+ 
+@@ -2115,12 +2174,6 @@ class interfaceRecords(semanageRecords):
+         if rc < 0:
+             raise ValueError(_("Could not create key for %s") % interface)
+ 
+-        (rc, exists) = semanage_iface_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if interface %s is defined") % interface)
+-        if exists:
+-            raise ValueError(_("Interface %s already defined") % interface)
+-
+         (rc, iface) = semanage_iface_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create interface for %s") % interface)
+@@ -2167,9 +2220,25 @@ class interfaceRecords(semanageRecords):
+ 
+     def add(self, interface, serange, ctype):
+         self.begin()
+-        self.__add(interface, serange, ctype)
++        if self.__exists(interface):
++            print(_("Interface %s already defined, modifying instead") % interface)
++            self.__modify(interface, serange, ctype)
++        else:
++            self.__add(interface, serange, ctype)
+         self.commit()
+ 
++    def __exists(self, interface):
++        (rc, k) = semanage_iface_key_create(self.sh, interface)
++        if rc < 0:
++            raise ValueError(_("Could not create key for %s") % interface)
++
++        (rc, exists) = semanage_iface_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if interface %s is defined") % interface)
++        semanage_iface_key_free(k)
++
++        return exists
++
+     def __modify(self, interface, serange, setype):
+         if serange == "" and setype == "":
+             raise ValueError(_("Requires setype or serange"))
+@@ -2357,7 +2426,13 @@ class fcontextRecords(semanageRecords):
+             raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute)
+ 
+         if target in self.equiv.keys():
+-            raise ValueError(_("Equivalence class for %s already exists") % target)
++            print(_("Equivalence class for %s already exists, modifying instead") % target)
++            self.equiv[target] = substitute
++            self.equal_ind = True
++            self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
++            self.commit()
++            return
++
+         self.validate(target)
+ 
+         for fdict in (self.equiv, self.equiv_dist):
+@@ -2433,18 +2508,6 @@ class fcontextRecords(semanageRecords):
+         if rc < 0:
+             raise ValueError(_("Could not create key for %s") % target)
+ 
+-        (rc, exists) = semanage_fcontext_exists(self.sh, k)
+-        if rc < 0:
+-            raise ValueError(_("Could not check if file context for %s is defined") % target)
+-
+-        if not exists:
+-            (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+-            if rc < 0:
+-                raise ValueError(_("Could not check if file context for %s is defined") % target)
+-
+-        if exists:
+-            raise ValueError(_("File context for %s already defined") % target)
+-
+         (rc, fcontext) = semanage_fcontext_create(self.sh)
+         if rc < 0:
+             raise ValueError(_("Could not create file context for %s") % target)
+@@ -2483,9 +2546,30 @@ class fcontextRecords(semanageRecords):
+ 
+     def add(self, target, type, ftype="", serange="", seuser="system_u"):
+         self.begin()
+-        self.__add(target, type, ftype, serange, seuser)
++        if self.__exists(target, ftype):
++            print(_("File context for %s already defined, modifying instead") % target)
++            self.__modify(target, type, ftype, serange, seuser)
++        else:
++            self.__add(target, type, ftype, serange, seuser)
+         self.commit()
+ 
++    def __exists(self, target, ftype):
++        (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
++        if rc < 0:
++            raise ValueError(_("Could not create key for %s") % target)
++
++        (rc, exists) = semanage_fcontext_exists(self.sh, k)
++        if rc < 0:
++            raise ValueError(_("Could not check if file context for %s is defined") % target)
++
++        if not exists:
++            (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
++            if rc < 0:
++                raise ValueError(_("Could not check if file context for %s is defined") % target)
++        semanage_fcontext_key_free(k)
++
++        return exists
++
+     def __modify(self, target, setype, ftype, serange, seuser):
+         if serange == "" and setype == "" and seuser == "":
+             raise ValueError(_("Requires setype, serange or seuser"))
+--
+

backport-restorecond-Set-GLib-IO-channels-to-binary-mode.patch

@@ -0,0 +1,34 @@
+From 5131c4794d3ae4631b24fb4c5e4027f1aeb3f966 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fvogt@suse.de>
+Date: Thu, 24 Oct 2024 10:48:15 +0200
+Subject: [PATCH] restorecond: Set GLib IO channels to binary mode
+
+By default, GIO channels use UTF-8 as encoding, which causes issues when
+reading binary data such as inotify events.
+
+Signed-off-by: Fabian Vogt <fvogt@suse.de>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ restorecond/user.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/restorecond/user.c b/restorecond/user.c
+index 3ae3ebbb72..7188c22e31 100644
+--- a/restorecond/user.c
++++ b/restorecond/user.c
+@@ -238,6 +238,7 @@ static int local_server(void) {
+ 	}
+ 	/* watch for stdin/terminal going away */
+ 	GIOChannel *in = g_io_channel_unix_new(0);
++	g_io_channel_set_encoding(in, NULL, NULL);
+ 	g_io_add_watch_full( in,
+ 			     G_PRIORITY_HIGH,
+ 			     G_IO_IN|G_IO_ERR|G_IO_HUP,
+@@ -282,6 +283,7 @@ int server(int master_fd, const char *watch_file) {
+ 	set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+ 
+ 	GIOChannel *c = g_io_channel_unix_new(master_fd);
++	g_io_channel_set_encoding(c, NULL, NULL);
+ 
+ 	g_io_add_watch_full(c,
+ 			    G_PRIORITY_HIGH,

backport-restorecond-Set-GLib-IO-channels-to-nonblocking.patch

@@ -0,0 +1,36 @@
+From 271eb4fe449dc9fd233f7e8d577f1c2897a13e2f Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fvogt@suse.de>
+Date: Thu, 24 Oct 2024 10:48:16 +0200
+Subject: [PATCH] restorecond: Set GLib IO channels to nonblocking
+
+Without nonblocking IO, g_io_channel_read_chars waits indefinitely for more
+data without ever returning control to the event loop.
+
+Set the IO channels to nonblocking to fix SIGTERM handling.
+
+Signed-off-by: Fabian Vogt <fvogt@suse.de>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ restorecond/user.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/restorecond/user.c b/restorecond/user.c
+index 7188c22e3..25e70ae15 100644
+--- a/restorecond/user.c
++++ b/restorecond/user.c
+@@ -239,6 +239,7 @@ static int local_server(void) {
+ 	/* watch for stdin/terminal going away */
+ 	GIOChannel *in = g_io_channel_unix_new(0);
+ 	g_io_channel_set_encoding(in, NULL, NULL);
++	g_io_channel_set_flags(in, g_io_channel_get_flags(in) | G_IO_FLAG_NONBLOCK, NULL);
+ 	g_io_add_watch_full( in,
+ 			     G_PRIORITY_HIGH,
+ 			     G_IO_IN|G_IO_ERR|G_IO_HUP,
+@@ -284,6 +285,7 @@ int server(int master_fd, const char *watch_file) {
+ 
+ 	GIOChannel *c = g_io_channel_unix_new(master_fd);
+ 	g_io_channel_set_encoding(c, NULL, NULL);
++	g_io_channel_set_flags(c, g_io_channel_get_flags(c) | G_IO_FLAG_NONBLOCK, NULL);
+ 
+ 	g_io_add_watch_full(c,
+ 			    G_PRIORITY_HIGH,

backport-restorecond-compatible-with-the-use-of-EUID.patch

@@ -0,0 +1,34 @@
+From ca76a8813e9ac9536f09b5611b09b2b21064f984 Mon Sep 17 00:00:00 2001
+From: Huizhao Wang <wanghuizhao1@huawei.com>
+Date: Sat, 5 Aug 2023 15:06:50 +0800
+Subject: [PATCH] restorecond: compatible with the use of EUID
+
+The `EUID` does not exist in some shell environments. To ensure compatibility,
+use `id -u` instead of `EUID` when `EUID` does not exist.
+
+Signed-off-by: Huizhao Wang <wanghuizhao1@huawei.com>
+Acked-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ restorecond/restorecond.init | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/restorecond/restorecond.init b/restorecond/restorecond.init
+index c1cbb247..4e71a2c6 100644
+--- a/restorecond/restorecond.init
++++ b/restorecond/restorecond.init
+@@ -29,7 +29,11 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 7
+ 
+ # Check that we are root ... so non-root users stop here
+-test $EUID = 0  || exit 4
++if [ $EUID  ]; then
++	test $EUID = 0  || exit 4
++else
++	test `id -u` = 0  || exit 4
++fi
+ 
+ test -x /usr/sbin/restorecond  || exit 5
+ test -f /etc/selinux/restorecond.conf  || exit 6
+-- 
+2.27.0
+

backport-sepolgen-ifgen-allow-M4-escaped-filenames.patch

@@ -0,0 +1,53 @@
+From 2fc29ae7971070b27552140174d460dabd35fa0d Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Tue, 27 Aug 2024 13:28:13 +0200
+Subject: [PATCH] sepolgen-ifgen: allow M4 escaped filenames
+
+When a file name in type transition rule used in an interface is same as
+a keyword, it needs to be M4 escaped so that the keyword is not expanded
+by M4, e.g.
+
+-	filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interface")
++	filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
+
+But sepolgen-ifgen could not parse such string:
+
+    # sepolgen-ifgen
+    Illegal character '`'
+
+This change allows M4 escaping inside quoted strings and fixed described
+problem.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2254206
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ python/sepolgen/src/sepolgen/refparser.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
+index e261d3f78..c8a3eb54d 100644
+--- a/python/sepolgen/src/sepolgen/refparser.py
++++ b/python/sepolgen/src/sepolgen/refparser.py
+@@ -486,7 +486,7 @@ def p_interface_call_param(p):
+                             | nested_id_set
+                             | TRUE
+                             | FALSE
+-                            | FILENAME
++                            | quoted_filename
+     '''
+     # Intentionally let single identifiers pass through
+     # List means set, non-list identifier
+@@ -1027,6 +1027,11 @@ def p_optional_semi(p):
+                    | empty'''
+     pass
+ 
++def p_quoted_filename(p):
++    '''quoted_filename : TICK quoted_filename SQUOTE
++                       | FILENAME
++    '''
++    p[0] = p[1]
+ 
+ #
+ # Interface to the parser

backport-sepolgen-initialize-gen_cil.patch

@@ -0,0 +1,25 @@
+From b6910aa68a0e3968935557c39ae1b89634bc9945 Mon Sep 17 00:00:00 2001
+From: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
+Date: Thu, 1 Aug 2024 22:32:40 +0300
+Subject: [PATCH] sepolgen: initialize gen_cil
+
+Avoid errors when adding comments to CIL output like in audit2allow
+
+Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ python/sepolgen/src/sepolgen/refpolicy.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
+index 2ec75fbad..32278896c 100644
+--- a/python/sepolgen/src/sepolgen/refpolicy.py
++++ b/python/sepolgen/src/sepolgen/refpolicy.py
+@@ -1217,6 +1217,7 @@ def __init__(self, l=None):
+             self.lines = l
+         else:
+             self.lines = []
++        self.gen_cil = False
+ 
+     def to_string(self):
+         # If there are no lines, treat this as a spacer between

backport-sepolicy-manpage.py-make-output-deterministic.patch

@@ -0,0 +1,37 @@
+From 84e0884260c550ef840de6d09573444d93fb209a Mon Sep 17 00:00:00 2001
+From: Cathy Hu <cahu@suse.de>
+Date: Wed, 25 Oct 2023 15:18:58 +0200
+Subject: [PATCH] sepolicy/manpage.py: make output deterministic
+
+The list entries in the alphabetically grouped dict are
+not sorted, which results in non-deterministic output for
+index.html.
+
+Sort entries of those lists to make the output deterministic
+to be able to have reproducible builds.
+
+See https://reproducible-builds.org/ for reasoning.
+This patch was done while working on reproducible builds for openSUSE.
+
+Signed-off-by: Cathy Hu <cahu@suse.de>
+Acked-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ python/sepolicy/sepolicy/manpage.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index a488dcbf..62999019 100755
+--- a/python/sepolicy/sepolicy/manpage.py
++++ b/python/sepolicy/sepolicy/manpage.py
+@@ -156,7 +156,7 @@ def get_alphabet_manpages(manpage_list):
+             if j.split("/")[-1][0] == i:
+                 temp.append(j.split("/")[-1])
+ 
+-        alphabet_manpages[i] = temp
++        alphabet_manpages[i] = sorted(temp)
+ 
+     return alphabet_manpages
+ 
+-- 
+2.27.0
+

backport-setfiles-avoid-unsigned-integer-underflow.patch

@@ -0,0 +1,53 @@
+From fc2e9318d0a1b2ec331f6af25e70358f130d003b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 19 Dec 2023 17:09:33 +0100
+Subject: [PATCH] setfiles: avoid unsigned integer underflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While well-defined unsigned integer underflow might signal a logic
+mistake or processing of unchecked user input.  Please Clang's undefined
+behavior sanitizer:
+
+restore.c:91:37: runtime error: unsigned integer overflow: 1 - 2 cannot
+be represented in type 'unsigned long'
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ policycoreutils/setfiles/restore.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
+index 9d688c6..612cc21 100644
+--- a/policycoreutils/setfiles/restore.c
++++ b/policycoreutils/setfiles/restore.c
+@@ -75,8 +75,8 @@ void restore_finish(void)
+ int process_glob(char *name, struct restore_opts *opts)
+ {
+ 	glob_t globbuf;
+-	size_t i = 0;
+-	int len, rc, errors;
++	size_t i, len;
++	int rc, errors;
+ 
+ 	memset(&globbuf, 0, sizeof(globbuf));
+ 
+@@ -86,10 +86,10 @@ int process_glob(char *name, struct restore_opts *opts)
+ 		return errors;
+ 
+ 	for (i = 0; i < globbuf.gl_pathc; i++) {
+-		len = strlen(globbuf.gl_pathv[i]) - 2;
+-		if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0)
++		len = strlen(globbuf.gl_pathv[i]);
++		if (len > 2 && strcmp(&globbuf.gl_pathv[i][len - 2], "/.") == 0)
+ 			continue;
+-		if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
++		if (len > 3 && strcmp(&globbuf.gl_pathv[i][len - 3], "/..") == 0)
+ 			continue;
+ 		rc = selinux_restorecon(globbuf.gl_pathv[i],
+ 					opts->restorecon_flags);
+-- 
+2.33.0
+

policycoreutils.spec

@@ -3,7 +3,7 @@
 
 Name:      policycoreutils
 Version:   3.3
-Release:   7
+Release:   12
 Summary:   Policy core utilities of selinux
 License:   GPLv2
 URL:       https://github.com/SELinuxProject
@@ -31,6 +31,19 @@ Patch6010:    backport-python-sepolicy-add-missing-booleans-to-man-pages.patch
 Patch6011:    backport-python-sepolicy-Cache-conditional-rule-queries.patch
 Patch6012:    backport-restorecond-add-check-for-strdup-in-strings_list_add.patch
 Patch6013:    backport-python-Use-isinstance-instead-of-type.patch
+Patch6014:    backport-restorecond-compatible-with-the-use-of-EUID.patch
+Patch6015:    backport-sepolicy-manpage.py-make-output-deterministic.patch
+Patch6016:    restorecond-remove-dependency-of-glib2.patch
+Patch6017:    backport-newrole-silence-compiler-warnings.patch
+Patch6018:    backport-newrole-use-DJB2a-string-hash-function.patch
+Patch6019:    backport-python-Harden-more-tools-against-rogue-modules.patch
+Patch6020:    backport-setfiles-avoid-unsigned-integer-underflow.patch
+Patch6021:    backport-python-semanage-Allow-modifying-records-on-add.patch
+Patch6022:    backport-sepolgen-initialize-gen_cil.patch
+Patch6023:    backport-restorecond-Set-GLib-IO-channels-to-binary-mode.patch
+Patch6024:    backport-restorecond-Set-GLib-IO-channels-to-nonblocking.patch
+Patch6025:    backport-fixfiles-use-grep-F-when-search-in-mounts.patch
+Patch6026:    backport-sepolgen-ifgen-allow-M4-escaped-filenames.patch
 
 BuildRequires: gcc
 BuildRequires: pam-devel libsepol-static >= 3.3 libsemanage-static >= 3.3 libselinux-devel >= 3.3  libcap-devel audit-libs-devel  gettext
@@ -271,6 +284,21 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 %{_mandir}/*
 
 %changelog
+* Mon Mar 17 2025 yanglongkang <yanglongkang@h-partners.com> -3.3-12
+- backport patches from upstream
+
+* Wed Mar 20 2024 yixiangzhike <yixiangzhike007@163.com> -3.3-11
+- backport patch from upstream to avoid unsigned integer underflow
+
+* Wed Jan 31 2024 zhangruifang <zhangruifang1@h-partners.com> -3.3-10
+- backport patches from upstream
+
+* Tue Dec 26 2023 wanghuizhao <wanghuizhao1@huawei.com> -3.3-9
+- submit self-developed patch
+
+* Thu Dec 14 2023 yixiangzhike <yixiangzhike007@163.com> -3.3-8
+- backport patches from upstream
+
 * Mon Sep 11 2023 zhangguangzhi <zhangguangzhi3@huawei.com> -3.3-7
 - backport patches from upstream
 

restorecond-remove-dependency-of-glib2.patch

@@ -0,0 +1,136 @@
+From 2eb9db473adf885dc0361b1967edd1781ff13b1e Mon Sep 17 00:00:00 2001
+From: wanghuizhao <wanghuizhao1@huawei.com>
+Date: Sun, 24 Dec 2023 23:23:55 +0800
+Subject: [PATCH] restorecond: remove dependency of glib2
+
+In order to remove the dependency of glib2, and in some scenarios, it is
+not necessary to use the user mode, remove the user related option.
+
+Signed-off-by: wanghuizhao <wanghuizhao1@huawei.com>
+---
+ .../restorecond/Makefile                      | 21 +++++++++++++++++++
+ .../restorecond/restorecond.c                 | 14 +++++++++++++
+ 2 files changed, 35 insertions(+)
+
+diff --git a/restorecond/Makefile b/restorecond/Makefile
+index 8e9a5ef..bebd39e 100644
+--- a/restorecond/Makefile
++++ b/restorecond/Makefile
+@@ -13,21 +13,37 @@ SYSTEMDUSERUNITDIR ?= $(shell $(PKG_CONFIG) --variable=systemduserunitdir system
+ autostart_DATA = sealertauto.desktop
+ INITDIR ?= /etc/rc.d/init.d
+ SELINUXDIR = /etc/selinux
++CONFIG_NO_GLIB2 ?= n
+ 
++ifeq ($(CONFIG_NO_GLIB2),n)
+ GIO_CFLAGS = -DHAVE_DBUS $(shell $(PKG_CONFIG) --cflags gio-2.0)
+ GIO_LIBS = $(shell $(PKG_CONFIG) --libs gio-2.0)
++endif
+ 
+ CFLAGS ?= -g -Werror -Wall -W
++
++ifeq ($(CONFIG_NO_GLIB2),y)
++	override CFLAGS += -DCONFIG_NO_GLIB2
++	override LDLIBS += -lselinux
++else
+ override CFLAGS += $(GIO_CFLAGS)
+ 
+ override LDLIBS += -lselinux $(GIO_LIBS)
++endif
+ 
+ all: restorecond
+ 
++ifeq ($(CONFIG_NO_GLIB2),y)
++restorecond.o utmpwatcher.o stringslist.o watch.o: restorecond.h
++
++restorecond:  restore.o restorecond.o utmpwatcher.o stringslist.o watch.o
++	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
++else
+ restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h
+ 
+ restorecond:  restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o
+ 	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
++endif
+ 
+ install: all
+ 	[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
+@@ -44,15 +60,20 @@ install: all
+ 	install -m 755 restorecond.init $(DESTDIR)$(INITDIR)/restorecond
+ 	-mkdir -p $(DESTDIR)$(SELINUXDIR)
+ 	install -m 644 restorecond.conf $(DESTDIR)$(SELINUXDIR)/restorecond.conf
++ifeq ($(CONFIG_NO_GLIB2),n)
+ 	install -m 644 restorecond_user.conf $(DESTDIR)$(SELINUXDIR)/restorecond_user.conf
+ 	-mkdir -p $(DESTDIR)$(AUTOSTARTDIR)
+ 	install -m 644 restorecond.desktop $(DESTDIR)$(AUTOSTARTDIR)/restorecond.desktop
+ 	-mkdir -p $(DESTDIR)$(DBUSSERVICEDIR)
+ 	install -m 644 org.selinux.Restorecond.service  $(DESTDIR)$(DBUSSERVICEDIR)/org.selinux.Restorecond.service
++endif
+ 	-mkdir -p $(DESTDIR)$(SYSTEMDSYSTEMUNITDIR)
+ 	install -m 644 restorecond.service $(DESTDIR)$(SYSTEMDSYSTEMUNITDIR)
++ifeq ($(CONFIG_NO_GLIB2),n)
+ 	-mkdir -p $(DESTDIR)$(SYSTEMDUSERUNITDIR)
+ 	install -m 644 restorecond_user.service $(DESTDIR)$(SYSTEMDUSERUNITDIR)
++endif
++
+ relabel: install
+ 	/sbin/restorecon $(DESTDIR)$(SBINDIR)/restorecond 
+ 
+diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c
+index d5f70fc..fc0594b 100644
+--- a/restorecond/restorecond.c
++++ b/restorecond/restorecond.c
+@@ -124,7 +124,11 @@ static void term_handler(int s __attribute__ ((unused)))
+ 
+ static void usage(char *program)
+ {
++#ifndef CONFIG_NO_GLIB2
+ 	printf("%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
++#else
++    printf("%s [-d] [-f restorecond_file ] [-v] \n", program);
++#endif
+ }
+ 
+ void exitApp(const char *msg)
+@@ -165,7 +169,11 @@ int main(int argc, char **argv)
+ 	sigaction(SIGTERM, &sa, NULL);
+ 
+ 	atexit( done );
++#ifndef CONFIG_NO_GLIB2
+ 	while ((opt = getopt(argc, argv, "hdf:uv")) > 0) {
++#else
++	while ((opt = getopt(argc, argv, "hdf:v")) > 0) {
++#endif
+ 		switch (opt) {
+ 		case 'd':
+ 			debug_mode = 1;
+@@ -173,9 +181,11 @@ int main(int argc, char **argv)
+ 		case 'f':
+ 			watch_file = optarg;
+ 			break;
++#ifndef CONFIG_NO_GLIB2
+ 		case 'u':
+ 			run_as_user = 1;
+ 			break;
++#endif
+ 		case 'h':
+ 			usage(argv[0]);
+ 			exit(0);
+@@ -200,11 +210,15 @@ int main(int argc, char **argv)
+ 
+ 	homedir = pwd->pw_dir;
+ 	if (uid != 0) {
++#ifndef CONFIG_NO_GLIB2
+ 		if (run_as_user)
+ 			return server(master_fd, user_watch_file);
+ 		if (start() != 0)
+ 			return server(master_fd, user_watch_file);
+ 		return 0;
++#else
++		exitApp("root_only");
++#endif
+ 	}
+ 
+ 	read_config(master_fd, watch_file);
+-- 
+2.21.0
+