public inbox for git-commits@fedoraproject.org
* [rpms/setroubleshoot-plugins] rawhide: setroubleshoot-plugins-3.3.15-7
@ 2026-06-18 14:23 Vit Mojzis
  0 siblings, 0 replies; only message in thread
From: Vit Mojzis @ 2026-06-18 14:23 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/setroubleshoot-plugins
            Branch : rawhide
            Commit : fc34171f607d2ebb0451754b45469ca1e1f58571
            Author : Vit Mojzis <vmojzis@redhat.com>
            Date   : 2026-06-18T16:05:45+02:00
            Stats  : +120/-5 in 3 file(s)
            URL    : https://src.fedoraproject.org/rpms/setroubleshoot-plugins/c/fc34171f607d2ebb0451754b45469ca1e1f58571?branch=rawhide

            Log:
            setroubleshoot-plugins-3.3.15-7

- Split multi-command fix_cmds into lists
- catchall: Discourage creating custom policy modules

Note: Switched from "Requires" to "Conflicts" with setroubleshoot-server
to remove the circular dependency.

---
diff --git a/0001-Split-multi-command-fix_cmds-into-lists.patch b/0001-Split-multi-command-fix_cmds-into-lists.patch
new file mode 100644
index 0000000..476333d
--- /dev/null
+++ b/0001-Split-multi-command-fix_cmds-into-lists.patch
@@ -0,0 +1,73 @@
+From df90bf242b35a9e01f721dd7ad436f1bd5d21616 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 9 Mar 2026 22:03:31 +0100
+Subject: [PATCH] Split multi-command fix_cmds into lists
+
+This requires
+https://gitlab.com/setroubleshoot/setroubleshoot/-/merge_requests/54/diffs?commit_id=d5d13afa86c2bd03952c04a187657ed981c9be7e
+to work properly!
+---
+ src/allow_execmod.py         | 3 ++-
+ src/automount_exec_config.py | 3 ++-
+ src/cvs_data.py              | 3 ++-
+ src/file.py                  | 2 +-
+ 4 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/allow_execmod.py b/src/allow_execmod.py
+index 6e1f6bf..0a3995f 100644
+--- a/src/allow_execmod.py
++++ b/src/allow_execmod.py
+@@ -81,7 +81,8 @@ If you want this to survive a relabel, execute
+ # semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH';restorecon -v '$FIX_TARGET_PATH'
+ """
+ 
+-    fix_cmd = """/usr/sbin/semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH';/usr/sbin/restorecon -v '$FIX_TARGET_PATH'"""
++    fix_cmd = ["""/usr/sbin/semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH'""",
++               """/usr/sbin/restorecon -v '$FIX_TARGET_PATH'"""]
+ 
+     def init_args(self, args):
+         if len(args) > 0:
+diff --git a/src/automount_exec_config.py b/src/automount_exec_config.py
+index a64eaf2..81ada8e 100644
+--- a/src/automount_exec_config.py
++++ b/src/automount_exec_config.py
+@@ -40,7 +40,8 @@ class plugin(Plugin):
+     If you want to change the file context of $TARGET_PATH so that the automounter can execute it you can execute "chcon -t bin_t $TARGET_PATH".  If you want this to survive a relabel, you need to permanently change the file context: execute  "semanage fcontext -a -t bin_t '$FIX_TARGET_PATH'".
+     ''')
+ 
+-    fix_cmd = """/usr/sbin/semanage fcontext -a -t bin_t '$FIX_TARGET_PATH';/usr/sbin/restorecon -v '$FIX_TARGET_PATH'"""
++    fix_cmd = ["""/usr/sbin/semanage fcontext -a -t bin_t '$FIX_TARGET_PATH'""",
++               """/usr/sbin/restorecon -v '$FIX_TARGET_PATH'"""]
+ 
+     if_text = 'If you want to allow automounter to execute $TARGET_PATH'
+ 
+diff --git a/src/cvs_data.py b/src/cvs_data.py
+index 7451622..1e75ead 100644
+--- a/src/cvs_data.py
++++ b/src/cvs_data.py
+@@ -46,7 +46,8 @@ class plugin(Plugin):
+     do_text = """# semanage fcontext -a -t cvs_data_t '$FIX_TARGET_PATH'
+ # restorecon -v '$FIX_TARGET_PATH'"""
+ 
+-    fix_cmd = """/usr/sbin/semanage fcontext -a -t cvs_data_t '$FIX_TARGET_PATH';/usr/sbin/restorecon -v '$FIX_TARGET_PATH'"""
++    fix_cmd = ["""/usr/sbin/semanage fcontext -a -t cvs_data_t '$FIX_TARGET_PATH'""",
++               """/usr/sbin/restorecon -v '$FIX_TARGET_PATH'"""]
+ 
+     def __init__(self):
+         Plugin.__init__(self, __name__)
+diff --git a/src/file.py b/src/file.py
+index ac24bf9..25f3a43 100644
+--- a/src/file.py
++++ b/src/file.py
+@@ -66,7 +66,7 @@ home directory from a previous installation that did not use SELinux, 'restoreco
+         if args == (1,0):
+             return '/sbin/restorecon -R -v $TARGET_PATH'
+         else:
+-            return 'touch /.autorelabel; reboot'
++            return ['touch /.autorelabel', 'reboot']
+ 
+     def init_args(self, args):
+         if args == (1,0):
+-- 
+2.53.0
+
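Review bot: in the src/file.py part of this patch the two branches now return different types: the `args == (1,0)` branch still returns the plain string '/sbin/restorecon -R -v $TARGET_PATH', while the else branch returns the list ['touch /.autorelabel', 'reboot']. Returning a one-element list from the first branch would let the caller handle a single type. On the same lines, $TARGET_PATH is passed unquoted, unlike the '$FIX_TARGET_PATH' quoting in the other three plugins, and touch and reboot are named without absolute paths where the other commands use /usr/sbin/...; both are worth aligning while this method is being changed.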

diff --git a/0002-catchall-Discourage-creating-custom-policy-modules.patch b/0002-catchall-Discourage-creating-custom-policy-modules.patch
new file mode 100644
index 0000000..a3f28a1
--- /dev/null
+++ b/0002-catchall-Discourage-creating-custom-policy-modules.patch
@@ -0,0 +1,36 @@
+From 8ad7f4c5528fbbc52a3d391c702102c6fe262d83 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 9 Jun 2026 17:27:36 +0200
+Subject: [PATCH] catchall: Discourage creating custom policy modules
+
+Update the plugin text to discourage creating custom policy modules by
+explaining the lack of support and potential security implications.
+---
+ src/catchall.py | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/catchall.py b/src/catchall.py
+index 052d6d8..7e4a8fa 100644
+--- a/src/catchall.py
++++ b/src/catchall.py
+@@ -54,9 +54,14 @@ class plugin(Plugin):
+             return _('If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on $TARGET_CLASS labeled $TARGET_TYPE by default.')
+         return _('If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on the $TARGET_BASE_PATH $TARGET_CLASS by default.')
+ 
+-    then_text = _('You should report this as a bug.\nYou can generate a local policy module to allow this access.')
+-    do_text = _("""Allow this access for now by executing:
+-# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
++    then_text = _('''
++    You should report this as a bug.\n
++    If you are certain this access is legitimate and not an intrusion attempt, you
++    can generate a local policy module to allow it.
++    Custom policy modules are not supported as they may weaken the system policy and expose the system to security vulnerabilities.
++    ''')
++
++    do_text = _("""# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
+ # semodule -X 300 -i my-$MODULE_NAME.pp""")
+ 
+     def __init__(self):
+-- 
+2.53.0
+
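Review bot: the new then_text in src/catchall.py is a triple-quoted literal, so the leading newline, the four-space indentation on every line and the trailing newline all become part of the msgid, and the explicit \n after "You should report this as a bug." is followed by a real line break, which gives two newlines at that point. Unless the code that displays then_text normalises whitespace, the message will show stray indentation and blank lines, and translators receive a msgid with that layout baked in. Building the string from adjacent single-line literals inside _(), in the style of the removed 'You should report this as a bug.\nYou can generate ...' line, keeps the msgid clean. The lead-in "Allow this access for now by executing:" has also been dropped, so do_text now starts directly with the ausearch command; confirm that this reads correctly wherever do_text is shown on its own.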

diff --git a/setroubleshoot-plugins.spec b/setroubleshoot-plugins.spec
index cd440af..a931ed9 100644
--- a/setroubleshoot-plugins.spec
+++ b/setroubleshoot-plugins.spec
@@ -6,12 +6,14 @@
 Summary: Analysis plugins for use with setroubleshoot
 Name: setroubleshoot-plugins
 Version: 3.3.15
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPL-2.0-or-later
 URL: https://gitlab.com/setroubleshoot/plugins
 Source0: https://gitlab.com/-/project/24478430/uploads/1d856bff1c9fb16a8c6fc877d7fe91ca/setroubleshoot-plugins-3.3.15.tar.gz
-# git format-patch -N setroubleshoot-plugins-<version> -- plugins
-# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
+# git format-patch -N setroubleshoot-plugins-<version>
+# for j in 00*patch; do printf "Patch: %s\n" $j; done
+Patch: 0001-Split-multi-command-fix_cmds-into-lists.patch
+Patch: 0002-catchall-Discourage-creating-custom-policy-modules.patch
 BuildArch: noarch
 
 # gcc is needed only for ./configure
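Review bot: the two unnumbered Patch: tags added here are only applied if %prep uses %autosetup or %autopatch (or explicit %patch -P calls), and no hunk in this diff touches %prep. If %prep still uses a plain %setup, add %autopatch -p1 or switch to %autosetup -p1, otherwise the package builds without either patch. In the helper comment, the loop variable is better quoted as "$j".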
@@ -20,8 +22,8 @@ BuildRequires: gcc
 BuildRequires: make
 BuildRequires: perl-XML-Parser
 BuildRequires: intltool gettext python3-devel
-# Introduction of get_package_nvr functions
-Requires: setroubleshoot-server >= 3.3.23
+# Support for multiple commands in fix_cmd
+Conflicts: setroubleshoot-server < 3.3.37
 
 %description
 This package provides a set of analysis plugins for use with
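Review bot: replacing "Requires: setroubleshoot-server >= 3.3.23" with "Conflicts: setroubleshoot-server < 3.3.37" means the package no longer pulls in setroubleshoot-server at all, and the new spec comment only mentions fix_cmd support. The commit log gives the actual reason for choosing Conflicts (removing the circular dependency); that reason should be in the spec comment as well, so that the tag is not later changed back to a Requires by someone who only reads the spec.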
@@ -49,6 +51,10 @@ rm -rf %{buildroot}
 %{_datadir}/setroubleshoot/plugins
 
 %changelog
+* Thu May 07 2026 Vit Mojzis <vmojzis@redhat.com> - 3.3.15-7
+- Split multi-command fix_cmds into lists
+- catchall: Discourage creating custom policy modules
+
 * Sat Jan 17 2026 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.15-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
 
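Review bot: the new %changelog entry is dated Thu May 07 2026, but the 0002 patch it lists is dated 9 Jun 2026 and this commit is from 2026-06-18; the entry date should match the build being released. The entry also leaves out the switch from Requires to Conflicts on setroubleshoot-server, which is a packaging change that users may need to find in the changelog later.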
