diff --git a/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch b/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
index f68a699..f6343b4 100644
--- a/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
+++ b/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
@@ -1,7 +1,7 @@
 From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl
 Date: Wed, 16 Jul 2014 08:28:03 +0200
-Subject: [PATCH 1/5] Fix selinux man page to refer seinfo and sesearch tools.
+Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
 ---
 libselinux/man/man8/selinux.8 | 4 +++-
diff --git a/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch b/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
index 7a0a001..24f28e6 100644
--- a/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
+++ b/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
@@ -1,7 +1,7 @@
 From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001
 From: Dan Walsh
 Date: Mon, 23 Dec 2013 09:50:54 -0500
-Subject: [PATCH 2/5] Verify context input to funtions to make sure the context
+Subject: [PATCH] Verify context input to funtions to make sure the context
 field is not null.
 Return errno EINVAL, to prevent segfault.
diff --git a/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch b/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
index 0c8d92c..9a11fa7 100644
--- a/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
+++ b/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
@@ -1,8 +1,8 @@
-From 431f72836d6c02450725cf6ffb1c7223b9fa6acc Mon Sep 17 00:00:00 2001
+From a6e839be2c5a77c22a8c72cad001e3f87eaedf2e Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Mon, 11 Mar 2019 15:26:43 +0100
-Subject: [PATCH 3/5] libselinux: Allow to override OVERRIDE_GETTID from
- command line
+Subject: [PATCH] libselinux: Allow to override OVERRIDE_GETTID from command
+ line
 $ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ...
diff --git a/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch b/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch
index c0d7f6a..f238dd0 100644
--- a/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch
+++ b/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch
@@ -1,8 +1,8 @@
-From dca54ca1a8ab0b256e7834f7f5e97375427fbfd9 Mon Sep 17 00:00:00 2001
+From be420729fbf4adc8b32ca3722fa6ca46bb51413d Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Wed, 27 Feb 2019 09:37:17 +0100
-Subject: [PATCH 4/5] Bring some old permission and flask constants back to
- Python bindings
+Subject: [PATCH] Bring some old permission and flask constants back to Python
+ bindings
 ---
 libselinux/src/selinuxswig.i | 4 ++++
diff --git a/SOURCES/0005-libselinux-add-missing-av_permission-values.patch b/SOURCES/0005-libselinux-add-missing-av_permission-values.patch
index 721e127..34acc85 100644
--- a/SOURCES/0005-libselinux-add-missing-av_permission-values.patch
+++ b/SOURCES/0005-libselinux-add-missing-av_permission-values.patch
@@ -1,7 +1,7 @@
-From 8384ffa7a371c8845c145951363da5d978ab98b5 Mon Sep 17 00:00:00 2001
+From 903c54bf62ffba3c95e22e74c9c43838cd3935a0 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis
 Date: Tue, 28 Feb 2017 16:12:43 +0100
-Subject: [PATCH 5/5] libselinux: add missing av_permission values
+Subject: [PATCH] libselinux: add missing av_permission values
 Add missing av_permission values to av_permissions.h for the sake of
 completeness (this interface is obsolete - these values are now
diff --git a/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch b/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
new file mode 100644
index 0000000..b4306d8
--- /dev/null
+++ b/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
@@ -0,0 +1,177 @@
+From 67d490a38a319126f371eaf66a5fc922d7005b1f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 16 May 2019 15:01:59 +0200
+Subject: [PATCH] libselinux: Use Python distutils to install SELinux python
+ bindings
+
+SWIG-4.0 changed its behavior so that it uses: from . import _selinux which
+looks for _selinux module in the same directory as where __init__.py is -
+$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into
+$(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location
+of _selinux.so").
+
+In order to prevent such breakage in future use Python's distutils instead of
+building and installing python bindings manually in Makefile.
+
+Fixes:
+>>> import selinux
+Traceback (most recent call last):
+ File "", line 1, in
+ File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in
+ from . import _selinux
+ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)
+>>>
+
+Signed-off-by: Petr Lautrbach
+---
+ libselinux/src/.gitignore | 2 +-
+ libselinux/src/Makefile | 37 ++++++++-----------------------------
+ libselinux/src/setup.py | 24 ++++++++++++++++++++++++
+ 3 files changed, 33 insertions(+), 30 deletions(-)
+ create mode 100644 libselinux/src/setup.py
+
+diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore
+index 4dcc3b3b..428afe5a 100644
+--- a/libselinux/src/.gitignore
++++ b/libselinux/src/.gitignore
+@@ -1,4 +1,4 @@
+ selinux.py
+-selinuxswig_wrap.c
++selinuxswig_python_wrap.c
+ selinuxswig_python_exception.i
+ selinuxswig_ruby_wrap.c
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index e9ed0383..826c830c 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -36,7 +36,7 @@ TARGET=libselinux.so
+ LIBPC=libselinux.pc
+ SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i
+ SWIGRUBYIF= selinuxswig_ruby.i
+-SWIGCOUT= selinuxswig_wrap.c
++SWIGCOUT= selinuxswig_python_wrap.c
+ SWIGPYOUT= selinux.py
+ SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
+ SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT))
+@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),)
+ LDLIBS_LIBSEPOLA := -l:libsepol.a
+ endif
+
+-GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
++GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i
+ SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
+
+ MAX_STACK_SIZE=32768
+@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+ SRCS:= $(filter-out label_backends_android.c, $(SRCS))
+ endif
+
+-SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
+-
+ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
+
+ all: $(LIBA) $(LIBSO) $(LIBPC)
+
+-pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
++pywrap: all selinuxswig_python_exception.i
++ CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+
+ rubywrap: all $(SWIGRUBYSO)
+
+-$(SWIGLOBJ): $(SWIGCOUT)
+- $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
+-
+ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
+ $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
+
+-$(SWIGSO): $(SWIGLOBJ)
+- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS)
+-
+ $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
+ $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS)
+
+@@ -161,29 +154,15 @@ $(LIBPC): $(LIBPC).in ../VERSION
+ selinuxswig_python_exception.i: ../include/selinux/selinux.h
+ bash -e exception.sh > $@ || (rm -f $@ ; false)
+
+-$(AUDIT2WHYLOBJ): audit2why.c
+- $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
+-
+-$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
+- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
+-
+ %.o: %.c policy.h
+ $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
+
+ %.lo: %.c policy.h
+ $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
+
+-$(SWIGCOUT): $(SWIGIF)
+- $(SWIG) $<
+-
+-$(SWIGPYOUT): $(SWIGCOUT)
+-
+ $(SWIGRUBYCOUT): $(SWIGRUBYIF)
+ $(SWIGRUBY) $<
+
+-swigify: $(SWIGIF)
+- $(SWIG) $<
+-
+ install: all
+ test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
+ install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
+@@ -194,10 +173,8 @@ install: all
+ ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
+
+ install-pywrap: pywrap
+- test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux
+- install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
+- install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT)
+- install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
++ $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++ install -m 644 selinux.py $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+
+ install-rubywrap: rubywrap
+ test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL)
+@@ -208,6 +185,8 @@ relabel:
+
+ clean-pywrap:
+ -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
++ $(PYTHON) setup.py clean
++ -rm -rf build *~ \#* *pyc .#*
+
+ clean-rubywrap:
+ -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
+diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py
+new file mode 100644
+index 00000000..b12e7869
+--- /dev/null
++++ b/libselinux/src/setup.py
+@@ -0,0 +1,24 @@
++#!/usr/bin/python3
++
++from distutils.core import Extension, setup
++
++setup(
++ name="selinux",
++ version="2.9",
++ description="SELinux python 3 bindings",
++ author="SELinux Project",
++ author_email="selinux@vger.kernel.org",
++ ext_modules=[
++ Extension('selinux._selinux',
++ sources=['selinuxswig_python.i'],
++ include_dirs=['../include'],
++ library_dirs=['.'],
++ libraries=['selinux']),
++ Extension('selinux.audit2why',
++ sources=['audit2why.c'],
++ include_dirs=['../include'],
++ library_dirs=['.'],
++ libraries=['selinux'],
++ extra_link_args=['-l:libsepol.a'])
++ ],
++)
+--
+2.21.0
+
diff --git a/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch b/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
new file mode 100644
index 0000000..a064418
--- /dev/null
+++ b/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
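Review bot: The `selinux.audit2why` Extension in the new setup.py links with `extra_link_args=['-l:libsepol.a']` only, while the Makefile rule this patch deletes passed `-Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs`. Without the version script the symbols of the statically linked libsepol are presumably exported from the extension again, where they can clash with, or be resolved in place of, a shared libsepol loaded into the same process. Consider `extra_link_args=['-l:libsepol.a', '-Wl,--version-script=audit2why.map']`; `-z,defs` probably cannot be carried over unchanged because the distutils link line no longer includes `$(PYLIBS)`. Separately, `version="2.9"` duplicates the value kept in `../VERSION`, which the Makefile already uses as a prerequisite of `$(LIBPC)`, so the two can drift apart on the next release.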
@@ -0,0 +1,44 @@
+From 6ec8116ee64a25a0c5eb543f0b12ed25f1348c45 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 27 Jun 2019 11:17:13 +0200
+Subject: [PATCH] libselinux: Do not use SWIG_CFLAGS when Python bindings are
+ built
+
+Fixes:
+https://rpmdiff.engineering.redhat.com/run/410372/7/
+
+Detecting usr/lib64/python3.6/site-packages/selinux/audit2why.cpython-36m-x86_64-linux-gnu.so with not-hardened warnings '
+Hardened: audit2why.cpython-36m-x86_64-linux-gnu.so: FAIL: Gaps were detected in the annobin coverage. Run with -v to list.
+' on x86_64
+
+Signed-off-by: Petr Lautrbach
+---
+ libselinux/src/Makefile | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 826c830c..f64f23a8 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -104,9 +104,6 @@ FTS_LDLIBS ?=
+
+ override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
+
+-SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
+- -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
+-
+ RANLIB ?= ranlib
+
+ ARCH := $(patsubst i%86,i386,$(shell uname -m))
+@@ -130,7 +127,7 @@ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
+ all: $(LIBA) $(LIBSO) $(LIBPC)
+
+ pywrap: all selinuxswig_python_exception.i
+- CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
++ $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+
+ rubywrap: all $(SWIGRUBYSO)
+
+--
+2.21.0
+
diff --git a/SOURCES/0008-Fix-mcstrans-secolor-examples.patch b/SOURCES/0008-Fix-mcstrans-secolor-examples.patch
new file mode 100644
index 0000000..d2c91ef
--- /dev/null
+++ b/SOURCES/0008-Fix-mcstrans-secolor-examples.patch
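Review bot: Deleting the `SWIG_CFLAGS +=` definition in the first inner hunk also changes the Ruby wrapper build, because the `$(SWIGRUBYLOBJ)` rule shown as context in patch 0006 still compiles with `$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) ...`. Unless the variable is set somewhere outside this diff it now expands to nothing, so the SWIG-generated Ruby source loses `-Wno-error` and the other suppressions and may fail when `CFLAGS` carries `-Werror`. Dropping only the `CFLAGS="$(SWIG_CFLAGS)"` prefix on the `pywrap` recipe looks sufficient to stop the environment's hardening flags from being replaced, which is presumably what caused the annobin gaps quoted in the message. A one-line comment above the recipe, such as `# do not override CFLAGS here: the distro hardening flags must reach setup.py`, would keep the override from being reintroduced.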
@@ -0,0 +1,66 @@
+From 90a4f2b9a5194a2d1ab4c45b7a90bbb6c8099a68 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Tue, 2 Jul 2019 14:09:05 +0200
+Subject: [PATCH] Fix mcstrans secolor examples
+
+According to "check_dominance" function:
+Range defined as "s15:c0.c1023" does not dominate any other range than
+ "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
+While range defined as "s15-s15:c0.c1023" dominates all of the above.
+
+This is either a bug, or "s15:c0.c1023" should not be used in the
+examples.
+
+Signed-off-by: Vit Mojzis
+---
+ libselinux/man/man5/secolor.conf.5 | 4 ++--
+ libselinux/man/ru/man5/secolor.conf.5 | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
+index b834577a..a3bf2da1 100644
+--- a/libselinux/man/man5/secolor.conf.5
++++ b/libselinux/man/man5/secolor.conf.5
+@@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red
+ .br
+ range s9\-s9:c0.c1023 = black orange
+ .br
+-range s15:c0.c1023 = black yellow
++range s15\-s15:c0.c1023 = black yellow
+ .RE
+
+ .sp
+@@ -165,7 +165,7 @@ type xguest_t = black green
+ .br
+ user sysadm_u = white black
+ .br
+-range s0:c0.c1023 = black white
++range s0-s0:c0.c1023 = black white
+ .br
+ user * = black white
+ .br
+diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5
+index 4c1236ae..bcae80c1 100644
+--- a/libselinux/man/ru/man5/secolor.conf.5
++++ b/libselinux/man/ru/man5/secolor.conf.5
+@@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red
+ .br
+ range s9\-s9:c0.c1023 = black orange
+ .br
+-range s15:c0.c1023 = black yellow
++range s15\-s15:c0.c1023 = black yellow
+ .RE
+
+ .sp
+@@ -163,7 +163,7 @@ type xguest_t = black green
+ .br
+ user sysadm_u = white black
+ .br
+-range s0:c0.c1023 = black white
++range s0\-s0:c0.c1023 = black white
+ .br
+ user * = black white
+ .br
+--
+2.21.0
+
diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec
index 5205b43..83af24c 100644
--- a/SPECS/libselinux.spec
+++ b/SPECS/libselinux.spec
@@ -6,7 +6,7 @@
 %endif
 %define libsepolver 2.9-1
-%define libselinuxrelease 1
+%define libselinuxrelease 3
 Summary: SELinux library and simple utilities
 Name: libselinux
@@ -24,6 +24,9 @@ Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
 Patch0003: 0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
 Patch0004: 0004-Bring-some-old-permission-and-flask-constants-back-t.patch
 Patch0005: 0005-libselinux-add-missing-av_permission-values.patch
+Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
+Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
+Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
 BuildRequires: gcc
 %if 0%{?with_ruby}
@@ -55,7 +58,7 @@ process and file security contexts and to obtain security policy
 decisions. Required for any applications that use the SELinux API.
 %package utils
-Summary: SELinux libselinux utilies
+Summary: SELinux libselinux utilities
 Requires: %{name}%{?_isa} = %{version}-%{release}
 %description utils
@@ -182,8 +185,10 @@ echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libseli
 %if 0%{?with_python2}
 export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 InstallPythonWrapper %{__python2}
+mv %{buildroot}%{python2_sitearch}/selinux/_selinux.so %{buildroot}%{python2_sitearch}/
 %endif
 InstallPythonWrapper %{__python3}
+mv %{buildroot}%{python3_sitearch}/selinux/_selinux.*.so %{buildroot}%{python3_sitearch}/
 %if 0%{?with_ruby}
 make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" RUBYINSTALL=%{ruby_vendorarchdir} install install-rubywrap
@@ -219,7 +224,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %license LICENSE
 %{_libdir}/libselinux.so.*
 %dir %{_rundir}/setrans/
-%{_sbindir}/sefcontext_compile
 %{_tmpfilesdir}/libselinux.conf
 %files utils
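Review bot: The two added `mv` lines in the `%install` hunk (`@@ -182,8 +185,10 @@`) move `_selinux*.so` out of the `selinux/` package directory straight after `setup.py install` put it there, which restores the layout that patch 0006's own message describes as broken for a wrapper doing `from . import _selinux`. Nothing in the spec says why, so the next rebase onto a newer SWIG could ship bindings that fail to import. If the move is deliberate, presumably to keep the existing `%{python3_sitearch}/_selinux.*.so` entry in `%files` and a top-level `_selinux` module, say so above the lines, for example `# keep _selinux at the sitearch top level; revisit once the wrapper imports it relative to the package`. An import check in `%check` for each interpreter would catch a mismatch at build time.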
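Review bot: Removing `%{_sbindir}/sefcontext_compile` from the base package's `%files` in the `@@ -219,7 +224,6 @@` hunk (it is re-added under `%files utils` in the hunk that follows) changes which package provides the binary, and no `Requires:` adjustment is visible in this diff. Anything that invokes `sefcontext_compile` while depending only on `libselinux`, such as policy rebuild tooling or another package's scriptlets, could then skip or fail the file-context compilation step on systems without `libselinux-utils`. Confirm that those consumers carry an explicit dependency on the utils subpackage before this release ships.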
@@ -227,6 +231,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{_sbindir}/getenforce
 %{_sbindir}/getsebool
 %{_sbindir}/matchpathcon
+%{_sbindir}/sefcontext_compile
 %{_sbindir}/selinuxconlist
 %{_sbindir}/selinuxdefcon
 %{_sbindir}/selinuxexeccon
@@ -255,11 +260,13 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %files -n libselinux-python
 %{python2_sitearch}/selinux/
 %{python2_sitearch}/_selinux.so
+%{python2_sitearch}/selinux-%{version}-*
 %endif
 %files -n python3-libselinux
 %{python3_sitearch}/selinux/
 %{python3_sitearch}/_selinux.*.so
+%{python3_sitearch}/selinux-%{version}-*
 %if 0%{?with_ruby}
 %files ruby
@@ -267,6 +274,13 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %endif
 %changelog
+* Fri Nov 08 2019 Vit Mojzis - 2.9-3
+- Fix mcstrans secolor examples in secolor.conf man page (#1770270)
+
+* Mon Jun 24 2019 Petr Lautrbach - 2.9-2.1
+- Use Python distutils to install SELinux python bindings (#1719771)
+- Move sefcontext_compile to -utils package (#1612518)
+
 * Mon Mar 18 2019 Petr Lautrbach - 2.9-1
 - SELinux userspace 2.9 release