diff --git a/.gitignore b/.gitignore index c78337d..de90a81 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/libselinux-2.8.tar.gz +SOURCES/libselinux-2.9.tar.gz diff --git a/.libselinux.metadata b/.libselinux.metadata index 89ceb8a..16a9b42 100644 --- a/.libselinux.metadata +++ b/.libselinux.metadata @@ -1 +1 @@ -d45f2db91dbec82ef5a153aca247acc04234e8af SOURCES/libselinux-2.8.tar.gz +c53911ee9da673f7653ab1afe66c0b2bf5fb5ac9 SOURCES/libselinux-2.9.tar.gz diff --git a/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch b/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch new file mode 100644 index 0000000..f68a699 --- /dev/null +++ b/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch @@ -0,0 +1,31 @@ +From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Wed, 16 Jul 2014 08:28:03 +0200 +Subject: [PATCH 1/5] Fix selinux man page to refer seinfo and sesearch tools. + +--- + libselinux/man/man8/selinux.8 | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 +index e37aee68..bf23b655 100644 +--- a/libselinux/man/man8/selinux.8 ++++ b/libselinux/man/man8/selinux.8 +@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh . + .BR sepolicy (8), + .BR system-config-selinux (8), + .BR togglesebool (8), +-.BR restorecon (8), + .BR fixfiles (8), ++.BR restorecon (8), + .BR setfiles (8), + .BR semanage (8), + .BR sepolicy (8) ++.BR seinfo (8), ++.BR sesearch (8) + + Every confined service on the system has a man page in the following format: + .br +-- +2.21.0 + diff --git a/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch b/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch new file mode 100644 index 0000000..7a0a001 --- /dev/null +++ b/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch 
@@ -0,0 +1,214 @@ +From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001 +From: Dan Walsh +Date: Mon, 23 Dec 2013 09:50:54 -0500 +Subject: [PATCH 2/5] Verify context input to funtions to make sure the context + field is not null. + +Return errno EINVAL, to prevent segfault. + +Rejected by upstream https://marc.info/?l=selinux&m=145036088424584&w=2 + +FIXME: use __attribute__(nonnull (arg-index, ...)) +--- + libselinux/src/avc_sidtab.c | 5 +++++ + libselinux/src/canonicalize_context.c | 5 +++++ + libselinux/src/check_context.c | 5 +++++ + libselinux/src/compute_av.c | 5 +++++ + libselinux/src/compute_create.c | 5 +++++ + libselinux/src/compute_member.c | 5 +++++ + libselinux/src/compute_relabel.c | 5 +++++ + libselinux/src/compute_user.c | 5 +++++ + libselinux/src/fsetfilecon.c | 8 ++++++-- + libselinux/src/lsetfilecon.c | 9 +++++++-- + libselinux/src/setfilecon.c | 8 ++++++-- + 11 files changed, 59 insertions(+), 6 deletions(-) + +diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c +index 9669264d..c7754305 100644 +--- a/libselinux/src/avc_sidtab.c ++++ b/libselinux/src/avc_sidtab.c +@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s, + int hvalue, rc = 0; + struct sidtab_node *cur; + ++ if (! ctx) { ++ errno=EINVAL; ++ return -1; ++ } ++ + *sid = NULL; + hvalue = sidtab_hash(ctx); + +diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c +index ba4c9a2c..c8158725 100644 +--- a/libselinux/src/canonicalize_context.c ++++ b/libselinux/src/canonicalize_context.c +@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con, + size_t size; + int fd, ret; + ++ if (! 
con) { ++ errno=EINVAL; ++ return -1; ++ } ++ + if (!selinux_mnt) { + errno = ENOENT; + return -1; +diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c +index 8a7997f0..5be84348 100644 +--- a/libselinux/src/check_context.c ++++ b/libselinux/src/check_context.c +@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con) + char path[PATH_MAX]; + int fd, ret; + ++ if (! con) { ++ errno=EINVAL; ++ return -1; ++ } ++ + if (!selinux_mnt) { + errno = ENOENT; + return -1; +diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c +index a47cffe9..6d285a2e 100644 +--- a/libselinux/src/compute_av.c ++++ b/libselinux/src/compute_av.c +@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon, + return -1; + } + ++ if ((! scon) || (! tcon)) { ++ errno=EINVAL; ++ return -1; ++ } ++ + snprintf(path, sizeof path, "%s/access", selinux_mnt); + fd = open(path, O_RDWR | O_CLOEXEC); + if (fd < 0) +diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c +index 0975aeac..3e6a48c1 100644 +--- a/libselinux/src/compute_create.c ++++ b/libselinux/src/compute_create.c +@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon, + return -1; + } + ++ if ((! scon) || (! tcon)) { ++ errno=EINVAL; ++ return -1; ++ } ++ + snprintf(path, sizeof path, "%s/create", selinux_mnt); + fd = open(path, O_RDWR | O_CLOEXEC); + if (fd < 0) +diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c +index 4e2d221e..d1dd9772 100644 +--- a/libselinux/src/compute_member.c ++++ b/libselinux/src/compute_member.c +@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon, + return -1; + } + ++ if ((! scon) || (! 
tcon)) { ++ errno=EINVAL; ++ return -1; ++ } ++ + snprintf(path, sizeof path, "%s/member", selinux_mnt); + fd = open(path, O_RDWR | O_CLOEXEC); + if (fd < 0) +diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c +index 49f77ef3..c3db7c0a 100644 +--- a/libselinux/src/compute_relabel.c ++++ b/libselinux/src/compute_relabel.c +@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon, + return -1; + } + ++ if ((! scon) || (! tcon)) { ++ errno=EINVAL; ++ return -1; ++ } ++ + snprintf(path, sizeof path, "%s/relabel", selinux_mnt); + fd = open(path, O_RDWR | O_CLOEXEC); + if (fd < 0) +diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c +index 7b881215..401fd107 100644 +--- a/libselinux/src/compute_user.c ++++ b/libselinux/src/compute_user.c +@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon, + return -1; + } + ++ if (! scon) { ++ errno=EINVAL; ++ return -1; ++ } ++ + snprintf(path, sizeof path, "%s/user", selinux_mnt); + fd = open(path, O_RDWR | O_CLOEXEC); + if (fd < 0) +diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c +index 52707d05..0cbe12d8 100644 +--- a/libselinux/src/fsetfilecon.c ++++ b/libselinux/src/fsetfilecon.c +@@ -9,8 +9,12 @@ + + int fsetfilecon_raw(int fd, const char * context) + { +- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, +- 0); ++ int rc; ++ if (! context) { ++ errno=EINVAL; ++ return -1; ++ } ++ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); + if (rc < 0 && errno == ENOTSUP) { + char * ccontext = NULL; + int err = errno; +diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c +index 1d3b28a1..ea6d70b7 100644 +--- a/libselinux/src/lsetfilecon.c ++++ b/libselinux/src/lsetfilecon.c +@@ -9,8 +9,13 @@ + + int lsetfilecon_raw(const char *path, const char * context) + { +- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, +- 0); ++ int rc; ++ if (! 
context) { ++ errno=EINVAL; ++ return -1; ++ } ++ ++ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); + if (rc < 0 && errno == ENOTSUP) { + char * ccontext = NULL; + int err = errno; +diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c +index d05969c6..3f0200e8 100644 +--- a/libselinux/src/setfilecon.c ++++ b/libselinux/src/setfilecon.c +@@ -9,8 +9,12 @@ + + int setfilecon_raw(const char *path, const char * context) + { +- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, +- 0); ++ int rc; ++ if (! context) { ++ errno=EINVAL; ++ return -1; ++ } ++ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); + if (rc < 0 && errno == ENOTSUP) { + char * ccontext = NULL; + int err = errno; +-- +2.21.0 + diff --git a/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch b/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch new file mode 100644 index 0000000..0c8d92c --- /dev/null +++ b/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch 
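Review bot: The FIXME in this patch's description ("use __attribute__(nonnull ...)") is at odds with the guards the patch adds: once a parameter is declared nonnull, GCC and Clang treat `if (!con)` as unreachable and may delete it under -O2 (-fdelete-null-pointer-checks), so the attribute and the run-time check cannot coexist in the same translation unit; either keep the checks and drop the FIXME, or confine the attribute to caller-facing declarations that are not seen by these definitions. On style, the new guards are written `if (! con) {` / `errno=EINVAL;` while the adjacent original code in the same functions spells it `if (!selinux_mnt) {` / `errno = ENOENT;`; `if (!con) {` and `errno = EINVAL;` would match the files. In avc_sidtab.c the early return is placed before `*sid = NULL;`, so on the new EINVAL path `*sid` keeps whatever it held before the call — presumably harmless, but worth confirming against the avc callers, which are outside this hunk. The same placement question applies to the compute_*.c hunks, where the guard sits after the selinux_mnt check, so a NULL context on a system without selinuxfs reports ENOENT rather than EINVAL, unlike canonicalize_context.c and check_context.c.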
@@ -0,0 +1,39 @@ +From 431f72836d6c02450725cf6ffb1c7223b9fa6acc Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 11 Mar 2019 15:26:43 +0100 +Subject: [PATCH 3/5] libselinux: Allow to override OVERRIDE_GETTID from + command line + +$ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ... + +Drop this as soon as glibc-2.30 will become real 2.30 version, see +https://bugzilla.redhat.com/show_bug.cgi?id=1685594 + +Signed-off-by: Petr Lautrbach +--- + libselinux/src/procattr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c +index c6799ef2..cbb6824e 100644 +--- a/libselinux/src/procattr.c ++++ b/libselinux/src/procattr.c +@@ -24,6 +24,7 @@ static __thread char destructor_initialized; + + /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and + * has a definition for it */ ++#ifndef OVERRIDE_GETTID + #ifdef __BIONIC__ + #define OVERRIDE_GETTID 0 + #elif !defined(__GLIBC_PREREQ) +@@ -33,6 +34,7 @@ static __thread char destructor_initialized; + #else + #define OVERRIDE_GETTID 0 + #endif ++#endif + + #if OVERRIDE_GETTID + static pid_t gettid(void) +-- +2.21.0 + diff --git a/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch b/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch new file mode 100644 index 0000000..c0d7f6a --- /dev/null +++ b/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch 
@@ -0,0 +1,55 @@ +From dca54ca1a8ab0b256e7834f7f5e97375427fbfd9 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Wed, 27 Feb 2019 09:37:17 +0100 +Subject: [PATCH 4/5] Bring some old permission and flask constants back to + Python bindings + +--- + libselinux/src/selinuxswig.i | 4 ++++ + libselinux/src/selinuxswig_python.i | 3 ++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i +index dbdb4c3d..9c5b9263 100644 +--- a/libselinux/src/selinuxswig.i ++++ b/libselinux/src/selinuxswig.i +@@ -5,7 +5,9 @@ + %module selinux + %{ + #include "../include/selinux/avc.h" ++ #include "../include/selinux/av_permissions.h" + #include "../include/selinux/context.h" ++ #include "../include/selinux/flask.h" + #include "../include/selinux/get_context_list.h" + #include "../include/selinux/get_default_type.h" + #include "../include/selinux/label.h" +@@ -58,7 +60,9 @@ + %ignore avc_netlink_check_nb; + + %include "../include/selinux/avc.h" ++%include "../include/selinux/av_permissions.h" + %include "../include/selinux/context.h" ++%include "../include/selinux/flask.h" + %include "../include/selinux/get_context_list.h" + %include "../include/selinux/get_default_type.h" + %include "../include/selinux/label.h" +diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i +index 4c73bf92..6eaab081 100644 +--- a/libselinux/src/selinuxswig_python.i ++++ b/libselinux/src/selinuxswig_python.i +@@ -1,10 +1,11 @@ + /* Author: James Athey + */ + +-/* Never build rpm_execcon interface */ ++/* Never build rpm_execcon interface unless you need to have ACG compatibility + #ifndef DISABLE_RPM + #define DISABLE_RPM + #endif ++*/ + + %module selinux + %{ +-- +2.21.0 + diff --git a/SOURCES/0005-libselinux-add-missing-av_permission-values.patch b/SOURCES/0005-libselinux-add-missing-av_permission-values.patch new file mode 100644 index 0000000..721e127 --- /dev/null 
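Review bot: The selinuxswig_python.i hunk does more than its subject says: wrapping the `#ifndef DISABLE_RPM / #define DISABLE_RPM / #endif` block in a C comment re-exposes the `rpm_execcon` wrapper to the Python bindings whenever the build does not pass -DDISABLE_RPM, yet the description only mentions av_permissions and flask constants. Commented-out code should be deleted rather than parked inside `/* ... */`; if the intent is to let the build decide, remove the three lines and state that in the commit message, and expand "ACG" so the reason is recoverable later. This change also interacts with the spec's `export DISABLE_RPM="n"` further down in this diff, which is where the decision is actually made.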
+++ b/SOURCES/0005-libselinux-add-missing-av_permission-values.patch @@ -0,0 +1,32 @@ +From 8384ffa7a371c8845c145951363da5d978ab98b5 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 28 Feb 2017 16:12:43 +0100 +Subject: [PATCH 5/5] libselinux: add missing av_permission values + +Add missing av_permission values to av_permissions.h for the sake of +completeness (this interface is obsolete - these values are now +obtained at runtime). + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1025931 + +Signed-off-by: Vit Mojzis +--- + libselinux/include/selinux/av_permissions.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/libselinux/include/selinux/av_permissions.h b/libselinux/include/selinux/av_permissions.h +index c1269af9..631f0276 100644 +--- a/libselinux/include/selinux/av_permissions.h ++++ b/libselinux/include/selinux/av_permissions.h +@@ -876,6 +876,8 @@ + #define NSCD__SHMEMHOST 0x00000080UL + #define NSCD__GETSERV 0x00000100UL + #define NSCD__SHMEMSERV 0x00000200UL ++#define NSCD__GETNETGRP 0x00000400UL ++#define NSCD__SHMEMNETGRP 0x00000800UL + #define ASSOCIATION__SENDTO 0x00000001UL + #define ASSOCIATION__RECVFROM 0x00000002UL + #define ASSOCIATION__SETCONTEXT 0x00000004UL +-- +2.21.0 + diff --git a/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch b/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch new file mode 100644 index 0000000..d239d93 --- /dev/null +++ b/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch 
@@ -0,0 +1,177 @@ +From 67d490a38a319126f371eaf66a5fc922d7005b1f Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 16 May 2019 15:01:59 +0200 +Subject: [PATCH 6/6] libselinux: Use Python distutils to install SELinux + python bindings + +SWIG-4.0 changed its behavior so that it uses: from . import _selinux which +looks for _selinux module in the same directory as where __init__.py is - +$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into +$(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location +of _selinux.so"). + +In order to prevent such breakage in future use Python's distutils instead of +building and installing python bindings manually in Makefile. + +Fixes: +>>> import selinux +Traceback (most recent call last): + File "", line 1, in + File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in + from . import _selinux +ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py) +>>> + +Signed-off-by: Petr Lautrbach +--- + libselinux/src/.gitignore | 2 +- + libselinux/src/Makefile | 37 ++++++++----------------------------- + libselinux/src/setup.py | 24 ++++++++++++++++++++++++ + 3 files changed, 33 insertions(+), 30 deletions(-) + create mode 100644 libselinux/src/setup.py + +diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore +index 4dcc3b3b..428afe5a 100644 +--- a/libselinux/src/.gitignore ++++ b/libselinux/src/.gitignore +@@ -1,4 +1,4 @@ + selinux.py +-selinuxswig_wrap.c ++selinuxswig_python_wrap.c + selinuxswig_python_exception.i + selinuxswig_ruby_wrap.c +diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile +index e9ed0383..826c830c 100644 +--- a/libselinux/src/Makefile ++++ b/libselinux/src/Makefile +@@ -36,7 +36,7 @@ TARGET=libselinux.so + LIBPC=libselinux.pc + SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i + SWIGRUBYIF= selinuxswig_ruby.i +-SWIGCOUT= selinuxswig_wrap.c ++SWIGCOUT= 
selinuxswig_python_wrap.c + SWIGPYOUT= selinux.py + SWIGRUBYCOUT= selinuxswig_ruby_wrap.c + SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT)) +@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),) + LDLIBS_LIBSEPOLA := -l:libsepol.a + endif + +-GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i ++GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i + SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c))) + + MAX_STACK_SIZE=32768 +@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND + SRCS:= $(filter-out label_backends_android.c, $(SRCS)) + endif + +-SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS) +- + SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS) + + all: $(LIBA) $(LIBSO) $(LIBPC) + +-pywrap: all $(SWIGFILES) $(AUDIT2WHYSO) ++pywrap: all selinuxswig_python_exception.i ++ CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR) + + rubywrap: all $(SWIGRUBYSO) + +-$(SWIGLOBJ): $(SWIGCOUT) +- $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $< +- + $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) + $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $< + +-$(SWIGSO): $(SWIGLOBJ) +- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS) +- + $(SWIGRUBYSO): $(SWIGRUBYLOBJ) + $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS) + +@@ -161,29 +154,15 @@ $(LIBPC): $(LIBPC).in ../VERSION + selinuxswig_python_exception.i: ../include/selinux/selinux.h + bash -e exception.sh > $@ || (rm -f $@ ; false) + +-$(AUDIT2WHYLOBJ): audit2why.c +- $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< +- +-$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA) +- $(CC) $(CFLAGS) $(LDFLAGS) -L. 
-shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs +- + %.o: %.c policy.h + $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< + + %.lo: %.c policy.h + $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< + +-$(SWIGCOUT): $(SWIGIF) +- $(SWIG) $< +- +-$(SWIGPYOUT): $(SWIGCOUT) +- + $(SWIGRUBYCOUT): $(SWIGRUBYIF) + $(SWIGRUBY) $< + +-swigify: $(SWIGIF) +- $(SWIG) $< +- + install: all + test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR) + install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR) +@@ -194,10 +173,8 @@ install: all + ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET) + + install-pywrap: pywrap +- test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux +- install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT) +- install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT) +- install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py ++ $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` ++ install -m 644 selinux.py $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py + + install-rubywrap: rubywrap + test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) +@@ -208,6 +185,8 @@ relabel: + + clean-pywrap: + -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO) ++ $(PYTHON) setup.py clean ++ -rm -rf build *~ \#* *pyc .#* + + clean-rubywrap: + -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO) +diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py +new file mode 100644 +index 00000000..b12e7869 +--- /dev/null ++++ b/libselinux/src/setup.py +@@ -0,0 +1,24 @@ ++#!/usr/bin/python3 ++ ++from distutils.core import Extension, setup ++ ++setup( ++ name="selinux", ++ version="2.9", ++ description="SELinux python 3 bindings", ++ author="SELinux Project", ++ author_email="selinux@vger.kernel.org", ++ ext_modules=[ ++ 
Extension('selinux._selinux', ++ sources=['selinuxswig_python.i'], ++ include_dirs=['../include'], ++ library_dirs=['.'], ++ libraries=['selinux']), ++ Extension('selinux.audit2why', ++ sources=['audit2why.c'], ++ include_dirs=['../include'], ++ library_dirs=['.'], ++ libraries=['selinux'], ++ extra_link_args=['-l:libsepol.a']) ++ ], ++) +-- +2.22.0 + diff --git a/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch b/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch new file mode 100644 index 0000000..044ffac --- /dev/null +++ b/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch 
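Review bot: The new `GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i` lists `$(SWIGCOUT)` twice; the original line already contained it once, so the added repetition looks accidental and `GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i` is all that is needed. In the new setup.py the version is hard-coded as `version="2.9"` while the same Makefile already derives `$(LIBPC)` from `../VERSION`; reading the version from that file would keep the two from drifting on the next release. `install-pywrap` relies on `setup.py install` having created `$(PYTHONLIBDIR)/selinux/` before the following `install -m 644 selinux.py ... /selinux/__init__.py`, which presumably holds because the `selinux._selinux` extension is placed there, but the target no longer creates the directory itself as the removed lines did.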
@@ -0,0 +1,44 @@ +From 6ec8116ee64a25a0c5eb543f0b12ed25f1348c45 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 27 Jun 2019 11:17:13 +0200 +Subject: [PATCH 7/7] libselinux: Do not use SWIG_CFLAGS when Python bindings + are built + +Fixes: +https://rpmdiff.engineering.redhat.com/run/410372/7/ + +Detecting usr/lib64/python3.6/site-packages/selinux/audit2why.cpython-36m-x86_64-linux-gnu.so with not-hardened warnings ' +Hardened: audit2why.cpython-36m-x86_64-linux-gnu.so: FAIL: Gaps were detected in the annobin coverage. Run with -v to list. +' on x86_64 + +Signed-off-by: Petr Lautrbach +--- + libselinux/src/Makefile | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile +index 826c830c..f64f23a8 100644 +--- a/libselinux/src/Makefile ++++ b/libselinux/src/Makefile +@@ -104,9 +104,6 @@ FTS_LDLIBS ?= + + override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) + +-SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ +- -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations +- + RANLIB ?= ranlib + + ARCH := $(patsubst i%86,i386,$(shell uname -m)) +@@ -130,7 +127,7 @@ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS) + all: $(LIBA) $(LIBSO) $(LIBPC) + + pywrap: all selinuxswig_python_exception.i +- CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR) ++ $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR) + + rubywrap: all $(SWIGRUBYSO) + +-- +2.22.0 + diff --git a/SOURCES/libselinux-fedora.patch b/SOURCES/libselinux-fedora.patch deleted file mode 100644 index 32075a7..0000000 --- a/SOURCES/libselinux-fedora.patch +++ /dev/null 
@@ -1,450 +0,0 @@ -diff --git libselinux-2.8/man/man3/selinux_boolean_sub.3 libselinux-2.8/man/man3/selinux_boolean_sub.3 -index 308c268..a29a38d 100644 ---- libselinux-2.8/man/man3/selinux_boolean_sub.3 -+++ libselinux-2.8/man/man3/selinux_boolean_sub.3 -@@ -1,6 +1,6 @@ - .TH "selinux_boolean_sub" "3" "11 June 2012" "dwalsh@redhat.com" "SELinux API documentation" - .SH "NAME" --selinux_boolean_sub \- -+selinux_boolean_sub \- Search the translated name for a boolean_name record - . - .SH "SYNOPSIS" - .B #include -@@ -12,7 +12,7 @@ selinux_boolean_sub \- - searches the - .I \%/etc/selinux/{POLICYTYPE}/booleans.subs_dist - file --for a maching boolean_name record. If the record exists the boolean substitution name is returned. If not -+for a matching boolean_name record. If the record exists the boolean substitution name is returned. If not - .BR \%selinux_boolean_sub () - returns the original - .IR \%boolean_name . -diff --git libselinux-2.8/man/man3/selinux_restorecon_xattr.3 libselinux-2.8/man/man3/selinux_restorecon_xattr.3 -index 7280c95..516d266 100644 ---- libselinux-2.8/man/man3/selinux_restorecon_xattr.3 -+++ libselinux-2.8/man/man3/selinux_restorecon_xattr.3 -@@ -119,7 +119,7 @@ By default - .BR selinux_restorecon_xattr (3) - will use the default set of specfiles described in - .BR files_contexts (5) --to calculate the initial SHA1 digest to be used for comparision. -+to calculate the initial SHA1 digest to be used for comparison. 
- To change this default behavior - .BR selabel_open (3) - must be called specifying the required -diff --git libselinux-2.8/man/man5/selabel_file.5 libselinux-2.8/man/man5/selabel_file.5 -index e738824..e97bd82 100644 ---- libselinux-2.8/man/man5/selabel_file.5 -+++ libselinux-2.8/man/man5/selabel_file.5 -@@ -92,7 +92,7 @@ The optional local and distribution substitution files that perform any path ali - .RE - .sp - The default file context series of files are: --.RS -+.RS 6 - .I /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts - .br - .I /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts.local -diff --git libselinux-2.8/man/man8/selinux.8 libselinux-2.8/man/man8/selinux.8 -index e37aee6..bf23b65 100644 ---- libselinux-2.8/man/man8/selinux.8 -+++ libselinux-2.8/man/man8/selinux.8 -@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh . - .BR sepolicy (8), - .BR system-config-selinux (8), - .BR togglesebool (8), --.BR restorecon (8), - .BR fixfiles (8), -+.BR restorecon (8), - .BR setfiles (8), - .BR semanage (8), - .BR sepolicy (8) -+.BR seinfo (8), -+.BR sesearch (8) - - Every confined service on the system has a man page in the following format: - .br -diff --git libselinux-2.8/src/audit2why.c libselinux-2.8/src/audit2why.c -index 0331fdf..5a1e69a 100644 ---- libselinux-2.8/src/audit2why.c -+++ libselinux-2.8/src/audit2why.c -@@ -354,7 +354,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args - /* iterate over items of the list, grabbing strings, and parsing - for numbers */ - for (i=0; ilr.ctx_trans); - } - free(catalog); -+ fclose(filp); - - return NULL; - } -diff --git libselinux-2.8/src/label_file.c libselinux-2.8/src/label_file.c -index 560d8c3..21c8d36 100644 ---- libselinux-2.8/src/label_file.c -+++ libselinux-2.8/src/label_file.c -@@ -317,8 +317,10 @@ end_arch_check: - goto out; - } - rc = next_entry(str_buf, mmap_area, entry_len); -- if (rc < 0) -+ if (rc < 0) { -+ free(str_buf); - goto out; -+ } - - 
if (str_buf[entry_len - 1] != '\0') { - free(str_buf); -diff --git libselinux-2.8/src/load_policy.c libselinux-2.8/src/load_policy.c -index e9f1264..20052be 100644 ---- libselinux-2.8/src/load_policy.c -+++ libselinux-2.8/src/load_policy.c -@@ -262,8 +262,10 @@ checkbool: - rc = security_get_boolean_names(&names, &len); - if (!rc) { - values = malloc(sizeof(int) * len); -- if (!values) -+ if (!values) { -+ free(names); - goto unmap; -+ } - for (i = 0; i < len; i++) - values[i] = - security_get_boolean_active(names[i]); -diff --git libselinux-2.8/src/lsetfilecon.c libselinux-2.8/src/lsetfilecon.c -index 1d3b28a..ea6d70b 100644 ---- libselinux-2.8/src/lsetfilecon.c -+++ libselinux-2.8/src/lsetfilecon.c -@@ -9,8 +9,13 @@ - - int lsetfilecon_raw(const char *path, const char * context) - { -- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, -- 0); -+ int rc; -+ if (! context) { -+ errno=EINVAL; -+ return -1; -+ } -+ -+ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; -diff --git libselinux-2.8/src/selinux_config.c libselinux-2.8/src/selinux_config.c -index 292728f..b06cb63 100644 ---- libselinux-2.8/src/selinux_config.c -+++ libselinux-2.8/src/selinux_config.c -@@ -177,8 +177,7 @@ static void init_selinux_config(void) - - if (!strncasecmp(buf_p, SELINUXTYPETAG, - sizeof(SELINUXTYPETAG) - 1)) { -- selinux_policytype = type = -- strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); -+ type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); - if (!type) - return; - end = type + strlen(type) - 1; -@@ -187,6 +186,11 @@ static void init_selinux_config(void) - *end = 0; - end--; - } -+ if (setpolicytype(type) != 0) { -+ free(type); -+ return; -+ } -+ free(type); - continue; - } else if (!strncmp(buf_p, SETLOCALDEFS, - sizeof(SETLOCALDEFS) - 1)) { -@@ -212,13 +216,10 @@ static void init_selinux_config(void) - fclose(fp); - } - -- if (!type) { -- 
selinux_policytype = type = strdup(SELINUXDEFAULT); -- if (!type) -- return; -- } -+ if (!selinux_policytype && setpolicytype(SELINUXDEFAULT) != 0) -+ return; - -- if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, type) == -1) -+ if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, selinux_policytype) == -1) - return; - - for (i = 0; i < NEL; i++) -diff --git libselinux-2.8/src/selinux_restorecon.c libselinux-2.8/src/selinux_restorecon.c -index ced4115..8fa4875 100644 ---- libselinux-2.8/src/selinux_restorecon.c -+++ libselinux-2.8/src/selinux_restorecon.c -@@ -350,12 +350,19 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, - new_entry->next = NULL; - - new_entry->directory = strdup(directory); -- if (!new_entry->directory) -+ if (!new_entry->directory) { -+ free(new_entry); -+ free(sha1_buf); - goto oom; -+ } - - new_entry->digest = strdup(sha1_buf); -- if (!new_entry->digest) -+ if (!new_entry->digest) { -+ free(new_entry->directory); -+ free(new_entry); -+ free(sha1_buf); - goto oom; -+ } - - new_entry->result = digest_result; - -@@ -671,8 +678,8 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, - selinux_log(SELINUX_INFO, - "%s not reset as customized by admin to %s\n", - pathname, curcon); -- goto out; - } -+ goto out; - } - - if (!flags->set_specctx && curcon) { -@@ -849,6 +856,7 @@ int selinux_restorecon(const char *pathname_orig, - - if (lstat(pathname, &sb) < 0) { - if (flags.ignore_noent && errno == ENOENT) { -+ free(xattr_value); - free(pathdnamer); - free(pathname); - return 0; -diff --git libselinux-2.8/src/setfilecon.c libselinux-2.8/src/setfilecon.c -index d05969c..3f0200e 100644 ---- libselinux-2.8/src/setfilecon.c -+++ libselinux-2.8/src/setfilecon.c -@@ -9,8 +9,12 @@ - - int setfilecon_raw(const char *path, const char * context) - { -- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, -- 0); -+ int rc; -+ if (! 
context) { -+ errno=EINVAL; -+ return -1; -+ } -+ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; -diff --git libselinux-2.8/utils/matchpathcon.c libselinux-2.8/utils/matchpathcon.c -index 67e4a43..9756d7d 100644 ---- libselinux-2.8/utils/matchpathcon.c -+++ libselinux-2.8/utils/matchpathcon.c -@@ -14,7 +14,7 @@ - static __attribute__ ((__noreturn__)) void usage(const char *progname) - { - fprintf(stderr, -- "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n", -+ "usage: %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] filepath...\n", - progname); - exit(1); - } diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec index e0e45b2..2a1eff5 100644 --- a/SPECS/libselinux.spec +++ b/SPECS/libselinux.spec 
@@ -5,23 +5,28 @@ %global ruby_inc %(pkg-config --cflags ruby) %endif -%define libsepolver 2.8-2 +%define libsepolver 2.9-1 +%define libselinuxrelease 2.1 Summary: SELinux library and simple utilities Name: libselinux -Version: 2.8 -Release: 6%{?dist} +Version: 2.9 +Release: %{libselinuxrelease}%{?dist} License: Public Domain # https://github.com/SELinuxProject/selinux/wiki/Releases -Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libselinux-2.8.tar.gz +Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libselinux-2.9.tar.gz Source1: selinuxconlist.8 Source2: selinuxdefcon.8 Url: https://github.com/SELinuxProject/selinux/wiki -# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh -# run: -# $ VERSION=2.8 ./make-fedora-selinux-patch.sh libselinux -# HEAD 06620610bbe23bc88adebd38c007fa5f2e95e079 -Patch1: libselinux-fedora.patch +# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done +Patch0001: 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch +Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch +Patch0003: 0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch +Patch0004: 0004-Bring-some-old-permission-and-flask-constants-back-t.patch +Patch0005: 0005-libselinux-add-missing-av_permission-values.patch +Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch +Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch + BuildRequires: gcc %if 0%{?with_ruby} BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel 
@@ -52,7 +57,7 @@ process and file security contexts and to obtain security policy decisions. Required for any applications that use the SELinux API. %package utils -Summary: SELinux libselinux utilies +Summary: SELinux libselinux utilities Requires: %{name}%{?_isa} = %{version}-%{release} %description utils @@ -65,7 +70,7 @@ Provides: python2-%{name} = %{version}-%{release} Provides: python2-%{name}%{?_isa} = %{version}-%{release} Obsoletes: %{name}-python < %{version}-%{release} Summary: SELinux python bindings for libselinux -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}%{?_isa} >= %{version}-%{libselinuxrelease} %description -n libselinux-python The libselinux-python package contains the python bindings for developing @@ -114,13 +119,14 @@ The libselinux-static package contains the static libraries needed for developing SELinux applications. %prep -%autosetup -p 1 -n libselinux-%{version} +%autosetup -p 2 -n libselinux-%{version} %build -export LDFLAGS="%{?__global_ldflags}" -export DISABLE_RPM="y" +export DISABLE_RPM="n" export USE_PCRE2="y" +%set_build_flags + # To support building the Python wrapper against multiple Python runtimes # Define a function, for how to perform a "build" of the python wrapper against # a specific runtime: @@ -130,13 +136,13 @@ BuildPythonWrapper() { # Perform the build from the upstream Makefile: make \ PYTHON=$BinaryName \ - LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} \ + LIBDIR="%{_libdir}" %{?_smp_mflags} \ pywrap } make clean -make LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} swigify -make LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} all +make LIBDIR="%{_libdir}" %{?_smp_mflags} swigify +make LIBDIR="%{_libdir}" %{?_smp_mflags} all %if 0%{?with_python2} export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 
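Review bot: The %build section still runs `make LIBDIR="%{_libdir}" %{?_smp_mflags} swigify`, but Patch0006, which %autosetup now applies, removes the `swigify:` target from libselinux/src/Makefile. If the top-level Makefile forwards `swigify` to src — it is outside this diff, so this needs confirming — `make swigify` will fail with "No rule to make target"; if it does not, the call is now a no-op and should be dropped so the build does not depend on an alias that no longer exists. Either way, the spec and the patch set disagree about whether SWIG wrapper generation is a separate step or part of `pywrap`.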
@@ -145,7 +151,7 @@ BuildPythonWrapper %{__python2} BuildPythonWrapper %{__python3} %if 0%{?with_ruby} -make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" CFLAGS="-g %{optflags}" %{?_smp_mflags} rubywrap +make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" %{?_smp_mflags} rubywrap %endif %install @@ -154,7 +160,7 @@ InstallPythonWrapper() { make \ PYTHON=$BinaryName \ - LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} \ + LIBDIR="%{_libdir}" %{?_smp_mflags} \ LIBSEPOLA="%{_libdir}/libsepol.a" \ pywrap @@ -178,8 +184,10 @@ echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libseli %if 0%{?with_python2} export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 InstallPythonWrapper %{__python2} +mv %{buildroot}%{python2_sitearch}/selinux/_selinux.so %{buildroot}%{python2_sitearch}/ %endif InstallPythonWrapper %{__python3} +mv %{buildroot}%{python3_sitearch}/selinux/_selinux.*.so %{buildroot}%{python3_sitearch}/ %if 0%{?with_ruby} make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" RUBYINSTALL=%{ruby_vendorarchdir} install install-rubywrap @@ -215,7 +223,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %license LICENSE %{_libdir}/libselinux.so.* %dir %{_rundir}/setrans/ -%{_sbindir}/sefcontext_compile %{_tmpfilesdir}/libselinux.conf %files utils @@ -223,6 +230,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %{_sbindir}/getenforce %{_sbindir}/getsebool %{_sbindir}/matchpathcon +%{_sbindir}/sefcontext_compile %{_sbindir}/selinuxconlist %{_sbindir}/selinuxdefcon %{_sbindir}/selinuxexeccon @@ -235,6 +243,8 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %{_sbindir}/selinux_check_access %{_mandir}/man5/* %{_mandir}/man8/* +%{_mandir}/ru/man5/* +%{_mandir}/ru/man8/* %files devel %{_libdir}/libselinux.so 
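Review bot: The two added `mv` lines in the `@@ -178,8 +184,10 @@` hunk relocate the compiled extension from `%{python*_sitearch}/selinux/` to the sitearch root without saying why, and a reader has to cross-reference the `%files` sections to see that `_selinux.so` is expected at top level. Presumably the distutils install introduced by Patch0006 places the extension inside the package directory while the generated `selinux/__init__.py` still does a plain `import _selinux`; if that is the reason, write it down, e.g. `# setup.py installs the extension as selinux/_selinux*.so; the generated wrapper and %files expect it at sitearch top level`. Also confirm the wrapper does not use `from . import _selinux`, which this move would break at import time rather than at build time.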
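Review bot: Moving `%{_sbindir}/sefcontext_compile` from the base package to -utils (the `@@ -215,7 +223,6 @@` and `@@ -223,6 +230,7 @@` hunks) removes the binary from systems that install only libselinux, and nothing in this spec makes the consumers that exec it at policy-commit time pull in libselinux-utils; libsemanage is the usual caller, spawning it to regenerate file_contexts.bin. Confirm that libsemanage's packaging carries `Requires: libselinux-utils >= %{version}-%{libselinuxrelease}` (or equivalent) before this lands, since otherwise a minimal install either silently stops regenerating the compiled file-context database or starts failing policy commits, depending on how the caller treats a missing compiler. The changelog already records the move, so this is only about the cross-package dependency.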
@@ -249,11 +259,13 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %files -n libselinux-python %{python2_sitearch}/selinux/ %{python2_sitearch}/_selinux.so +%{python2_sitearch}/selinux-%{version}-* %endif %files -n python3-libselinux %{python3_sitearch}/selinux/ %{python3_sitearch}/_selinux.*.so +%{python3_sitearch}/selinux-%{version}-* %if 0%{?with_ruby} %files ruby @@ -261,6 +273,13 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %endif %changelog +* Mon Jun 24 2019 Petr Lautrbach - 2.9-2.1 +- Use Python distutils to install SELinux python bindings (#1719771) +- Move sefcontext_compile to -utils package (#1612518) + +* Mon Mar 18 2019 Petr Lautrbach - 2.9-1 +- SELinux userspace 2.9 release + * Tue Nov 6 2018 Petr Lautrbach - 2.8-6 - Fix RESOURCE_LEAK coverity scan defects
