2023-10-04 13:55:58 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Sun Oct 1 19:17:31 UTC 2023 - Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Repair initrd libselinux check in selinux-ready
|
|
|
|
|
|
|
2023-08-08 11:22:04 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Aug 8 06:59:16 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
|
|
|
|
|
|
|
|
- Do not BuildRequire swig and ruby-devel in the main build phase:
|
|
|
|
|
|
those are only needed for the bindings.
|
|
|
|
|
|
|
Accepting request 1102401 from home:mcepl:branches:security:SELinux
- (bsc#1212618) Divide libselinux and libselinux-bindings again.
libselinux itself is in Ring0 so it has to have absolutely
minimal dependencies, so it is better to separate
libselinux-bindings into a separate pacakge.
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Update to version 2.8 (bsc#1111732).
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- update to 2.1.12
- added BuildRequires: pcre-devel
- Remove obsolete defines/sections
- updated to 2.1.9 again (see below)
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- use %_smp_mflags
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
- (bsc#1212618) Divide libselinux and libselinux-bindings again.
libselinux itself is in Ring0 so it has to have absolutely
minimal dependencies, so it is better to separate
libselinux-bindings into a separate pacakge.
OBS-URL: https://build.opensuse.org/request/show/1102401
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=161
2023-08-07 14:24:31 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Aug 4 13:14:14 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- (bsc#1212618) Divide libselinux and libselinux-bindings again.
|
|
|
|
|
|
libselinux itself is in Ring0 so it has to have absolutely
|
|
|
|
|
|
minimal dependencies, so it is better to separate
|
|
|
|
|
|
libselinux-bindings into a separate pacakge.
|
|
|
|
|
|
|
2023-07-04 11:22:49 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Jul 4 08:32:49 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Fix python packaging by setting the name to a fixed value
|
|
|
|
|
|
|
Accepting request 1095431 from home:mcepl:branches:security:SELinux
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Fixed initrd check in selinux-ready (bnc#1186127)
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
- install to /usr (boo#1029961)
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Added skip_cycles.patch to skip directory cycles and not error
out
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Disable LTO (boo#1133244).
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Remove unneeded build requires for python3 (bsc#1120255)
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- updated selinux-ready script to handle initrd files compressed with xz
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- Reuse implicit dependencies injected by pkgconfig
- fixed source url in libselinux-bindings.spec
- removed old tarball
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
- Remove obsolete defines/sections
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
- update selinux-ready script
- updated to 2.1.9 again (see below)
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
- revert back to 2.0.98 for 12.2
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- cross-build fix: use %__cc macro
- use %_smp_mflags
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
- buildrequire pkg-config to fix provides
- selinux-ready: added function to check for restorecond in
runlevel 3/5
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
- selinux-ready: fixed init ramfs checking
- added new selinux-ready script
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
OBS-URL: https://build.opensuse.org/request/show/1095431
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=159
2023-06-27 10:15:55 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Jun 23 14:50:33 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Jun 20 13:34:39 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Add explicit BuildRequires for python3-pip and python3-wheel on
|
|
|
|
|
|
15.5, currently the macros don't do the right thing
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Jun 1 11:50:33 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
|
|
|
|
|
|
|
|
|
|
|
|
- allow building this with different python versions, to make this
|
|
|
|
|
|
usable for the new sle15 macro (using python3.11)
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri May 5 12:35:31 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Add python-wheel build dependency to build correctly with latest
|
|
|
|
|
|
python-pip version.
|
|
|
|
|
|
|
2023-03-24 15:08:42 +01:00
|
|
|
|
-------------------------------------------------------------------
|
2023-05-05 09:29:50 +02:00
|
|
|
|
Thu May 4 14:04:04 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Add _multibuild to define additional spec files as additional
|
|
|
|
|
|
flavors.
|
|
|
|
|
|
Eliminates the need for source package links in OBS.
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
2023-03-24 15:08:42 +01:00
|
|
|
|
Fri Mar 24 13:51:52 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
|
|
|
|
|
|
of LTO
|
|
|
|
|
|
|
2023-03-24 14:25:03 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Mar 23 15:39:15 UTC 2023 - Martin Liška <mliska@suse.cz>
|
|
|
|
|
|
|
|
|
|
|
|
- Enable LTO as it works fine now.
|
|
|
|
|
|
|
2023-02-24 09:43:11 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Feb 24 07:42:25 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 3.5:
|
|
|
|
|
|
* check for truncations
|
|
|
|
|
|
* avoid newline in avc message
|
|
|
|
|
|
* bail out on path truncations
|
|
|
|
|
|
* add getpidprevcon to gather the previous context before the last
|
|
|
|
|
|
exec of a given process
|
|
|
|
|
|
* Workaround for heap overhead of pcre
|
|
|
|
|
|
* fix memory leaks on the audit2why module init
|
|
|
|
|
|
* ignore invalid class name lookup
|
|
|
|
|
|
- Drop restorecon_pin_file.patch, is upstream
|
Accepting request 1095431 from home:mcepl:branches:security:SELinux
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Fixed initrd check in selinux-ready (bnc#1186127)
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
- install to /usr (boo#1029961)
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Added skip_cycles.patch to skip directory cycles and not error
out
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Disable LTO (boo#1133244).
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Remove unneeded build requires for python3 (bsc#1120255)
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- updated selinux-ready script to handle initrd files compressed with xz
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- Reuse implicit dependencies injected by pkgconfig
- fixed source url in libselinux-bindings.spec
- removed old tarball
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
- Remove obsolete defines/sections
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
- update selinux-ready script
- updated to 2.1.9 again (see below)
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
- revert back to 2.0.98 for 12.2
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- cross-build fix: use %__cc macro
- use %_smp_mflags
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
- buildrequire pkg-config to fix provides
- selinux-ready: added function to check for restorecond in
runlevel 3/5
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
- selinux-ready: fixed init ramfs checking
- added new selinux-ready script
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
OBS-URL: https://build.opensuse.org/request/show/1095431
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=159
2023-06-27 10:15:55 +02:00
|
|
|
|
- Refreshed python3.8-compat.patch
|
2023-02-24 09:43:11 +01:00
|
|
|
|
- Added additional developer key (Jason Zaman)
|
|
|
|
|
|
|
2022-07-13 14:17:44 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Jul 7 12:16:45 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Fixed initrd check in selinux-ready (bnc#1186127)
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue May 31 15:10:26 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Added restorecon_pin_file.patch. Fixes issus when running
|
|
|
|
|
|
fixfiles/restorecon
|
|
|
|
|
|
|
2022-05-20 16:53:35 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon May 9 10:23:32 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 3.4:
|
|
|
|
|
|
* Use PCRE2 by default
|
|
|
|
|
|
* Make selinux_log() and is_context_customizable() thread-safe
|
|
|
|
|
|
* Prevent leakeing file descriptors
|
|
|
|
|
|
* Correctly hash specfiles larger than 4G
|
|
|
|
|
|
- Refreshed skip_cycles.patch
|
|
|
|
|
|
|
2022-02-15 08:50:34 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Feb 15 07:49:43 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Add Requires for exact libselinux1 version for selinux-tools
|
2022-02-15 09:03:21 +01:00
|
|
|
|
- Simplyfied check for correct boot paramaters in selinux-ready
|
2022-02-15 08:50:34 +01:00
|
|
|
|
(bsc#1195361)
|
|
|
|
|
|
|
2021-11-11 17:01:53 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Nov 11 13:25:30 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 3.3:
|
|
|
|
|
|
* Lots of smaller issues fixed found by fuzzing
|
|
|
|
|
|
|
2021-07-22 14:03:41 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Sun Jul 18 08:41:37 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
|
|
|
|
|
|
|
|
|
|
|
|
- Add missing libselinux-utils Provides to selinux-tools so that
|
|
|
|
|
|
%selinux_requires works
|
|
|
|
|
|
|
2021-04-26 14:07:46 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon Apr 26 07:14:53 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Remove Recommends for selinux-autorelabel. It's better to have this
|
|
|
|
|
|
in the policy package itself (bsc#1181837)
|
|
|
|
|
|
|
2021-03-18 11:08:18 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Mar 17 15:13:16 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
|
|
|
|
|
|
|
|
- Switch to pcre2:
|
|
|
|
|
|
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
|
|
|
|
|
|
+ Pass USE_PCRE2=y to make.
|
|
|
|
|
|
+ Replace pkgconfig(libpcre) Requires in -devel static with
|
|
|
|
|
|
pkgconfig(libpcre2-8).
|
|
|
|
|
|
|
2021-03-12 08:59:14 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Mar 9 09:01:15 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 3.2:
|
|
|
|
|
|
* Use mmap()'ed kernel status page instead of netlink by default.
|
|
|
|
|
|
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
|
|
|
|
|
|
* New log callback levels for enforcing and policy load notices -
|
|
|
|
|
|
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
|
2021-03-18 11:08:18 +01:00
|
|
|
|
* Changed userspace AVC setenforce and policy load messages to audit
|
2021-03-12 08:59:14 +01:00
|
|
|
|
format.
|
|
|
|
|
|
|
2021-02-08 10:39:48 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Sat Feb 6 13:54:41 UTC 2021 - Matej Cepl <mcepl@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Add Recommends: selinux-autorelabel, which is very important
|
|
|
|
|
|
for healthy use of the SELinux on the system (/.autorelabel
|
|
|
|
|
|
mechanism) (bsc#1181837).
|
|
|
|
|
|
|
2020-11-20 16:12:12 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Oct 29 10:22:23 UTC 2020 - Ludwig Nussel <lnussel@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
- install to /usr (boo#1029961)
|
|
|
|
|
|
|
2020-07-14 16:13:39 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Jul 14 08:24:20 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 3.1:
|
|
|
|
|
|
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
|
|
|
|
|
|
removed. All userspace object managers should have been updated to use the
|
|
|
|
|
|
dynamic class/perm mapping support.
|
|
|
|
|
|
|
|
|
|
|
|
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
|
|
|
|
|
|
and permission names to their policy values, or selinux_set_mapping(3) to
|
|
|
|
|
|
create a mapping from class and permission index values used by the
|
|
|
|
|
|
application to the policy values.
|
|
|
|
|
|
* Removed restrictions in libsepol and checkpolicy that required all declared
|
|
|
|
|
|
initial SIDs to be assigned a context.
|
|
|
|
|
|
* Support for new policy capability genfs_seclabel_symlinks
|
|
|
|
|
|
* selinuxfs is mounted with noexec and nosuid
|
|
|
|
|
|
* `security_compute_user()` was deprecated
|
Accepting request 1095431 from home:mcepl:branches:security:SELinux
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Fixed initrd check in selinux-ready (bnc#1186127)
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
- install to /usr (boo#1029961)
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Added skip_cycles.patch to skip directory cycles and not error
out
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Disable LTO (boo#1133244).
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Remove unneeded build requires for python3 (bsc#1120255)
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- updated selinux-ready script to handle initrd files compressed with xz
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- Reuse implicit dependencies injected by pkgconfig
- fixed source url in libselinux-bindings.spec
- removed old tarball
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
- Remove obsolete defines/sections
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
- update selinux-ready script
- updated to 2.1.9 again (see below)
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
- revert back to 2.0.98 for 12.2
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- cross-build fix: use %__cc macro
- use %_smp_mflags
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
- buildrequire pkg-config to fix provides
- selinux-ready: added function to check for restorecond in
runlevel 3/5
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
- selinux-ready: fixed init ramfs checking
- added new selinux-ready script
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
OBS-URL: https://build.opensuse.org/request/show/1095431
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=159
2023-06-27 10:15:55 +02:00
|
|
|
|
* Refreshed python3.8-compat.patch
|
2020-07-14 16:13:39 +02:00
|
|
|
|
|
2020-06-02 17:31:13 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Mar 26 15:43:41 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
- Added skip_cycles.patch to skip directory cycles and not error
|
|
|
|
|
|
out
|
|
|
|
|
|
|
2020-03-05 11:13:39 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Mar 3 11:13:12 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 3.0
|
|
|
|
|
|
* Ignore the stem when looking up all matches in file context
|
|
|
|
|
|
* Save digest of all partial matches for directory
|
|
|
|
|
|
* Use Python distutils to install SELinux python bindings
|
|
|
|
|
|
* ensure that digest_len is not zero
|
|
|
|
|
|
* fix string conversion of unknown perms
|
|
|
|
|
|
* mark all exported function "extern"
|
|
|
|
|
|
Dropped Use-Python-distutils-to-install-SELinux.patch, included
|
|
|
|
|
|
upstream
|
|
|
|
|
|
|
Accepting request 1095431 from home:mcepl:branches:security:SELinux
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Fixed initrd check in selinux-ready (bnc#1186127)
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
- install to /usr (boo#1029961)
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Added skip_cycles.patch to skip directory cycles and not error
out
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Disable LTO (boo#1133244).
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Remove unneeded build requires for python3 (bsc#1120255)
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- updated selinux-ready script to handle initrd files compressed with xz
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- Reuse implicit dependencies injected by pkgconfig
- fixed source url in libselinux-bindings.spec
- removed old tarball
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
- Remove obsolete defines/sections
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
- update selinux-ready script
- updated to 2.1.9 again (see below)
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
- revert back to 2.0.98 for 12.2
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- cross-build fix: use %__cc macro
- use %_smp_mflags
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
- buildrequire pkg-config to fix provides
- selinux-ready: added function to check for restorecond in
runlevel 3/5
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
- selinux-ready: fixed init ramfs checking
- added new selinux-ready script
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
OBS-URL: https://build.opensuse.org/request/show/1095431
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=159
2023-06-27 10:15:55 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon Dec 16 16:04:41 UTC 2019 - Johannes Segitz <jsegitz@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
- Added swig4_moduleimport.patch to prevent import errors due to
|
|
|
|
|
|
SWIG 4
|
|
|
|
|
|
|
2019-11-13 09:25:35 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Nov 13 08:03:39 UTC 2019 - Johannes Segitz <jsegitz@suse.de>
|
|
|
|
|
|
|
|
|
|
|
|
- Added Use-Python-distutils-to-install-SELinux.patch to use
|
|
|
|
|
|
Python's distutils instead of building and installing python
|
|
|
|
|
|
bindings manually
|
|
|
|
|
|
|
Accepting request 1095431 from home:mcepl:branches:security:SELinux
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Fixed initrd check in selinux-ready (bnc#1186127)
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
- install to /usr (boo#1029961)
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Added skip_cycles.patch to skip directory cycles and not error
out
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Disable LTO (boo#1133244).
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Remove unneeded build requires for python3 (bsc#1120255)
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- updated selinux-ready script to handle initrd files compressed with xz
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- Reuse implicit dependencies injected by pkgconfig
- fixed source url in libselinux-bindings.spec
- removed old tarball
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
- Remove obsolete defines/sections
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
- update selinux-ready script
- updated to 2.1.9 again (see below)
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
- revert back to 2.0.98 for 12.2
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- cross-build fix: use %__cc macro
- use %_smp_mflags
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
- buildrequire pkg-config to fix provides
- selinux-ready: added function to check for restorecond in
runlevel 3/5
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
- selinux-ready: fixed init ramfs checking
- added new selinux-ready script
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
OBS-URL: https://build.opensuse.org/request/show/1095431
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=159
2023-06-27 10:15:55 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Oct 30 17:21:00 CET 2019 - Matej Cepl <mcepl@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Add python3.8-compat.patch which makes build possible even with
|
|
|
|
|
|
Python 3.8, which doesn’t automatically adds -lpython<ver>
|
|
|
|
|
|
|
2019-06-03 16:23:38 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon Jun 3 09:34:17 UTC 2019 - <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- In selinux-ready
|
|
|
|
|
|
* Removed check for selinux-policy package as we don't ship one
|
|
|
|
|
|
(bsc#1136845)
|
|
|
|
|
|
* Add check that restorecond is installed and enabled
|
Accepting request 1095431 from home:mcepl:branches:security:SELinux
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Fixed initrd check in selinux-ready (bnc#1186127)
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
- install to /usr (boo#1029961)
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Added skip_cycles.patch to skip directory cycles and not error
out
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Disable LTO (boo#1133244).
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Remove unneeded build requires for python3 (bsc#1120255)
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- updated selinux-ready script to handle initrd files compressed with xz
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- Reuse implicit dependencies injected by pkgconfig
- fixed source url in libselinux-bindings.spec
- removed old tarball
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
- Remove obsolete defines/sections
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
- update selinux-ready script
- updated to 2.1.9 again (see below)
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
- revert back to 2.0.98 for 12.2
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- cross-build fix: use %__cc macro
- use %_smp_mflags
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
- buildrequire pkg-config to fix provides
- selinux-ready: added function to check for restorecond in
runlevel 3/5
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
- selinux-ready: fixed init ramfs checking
- added new selinux-ready script
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
OBS-URL: https://build.opensuse.org/request/show/1095431
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=159
2023-06-27 10:15:55 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue May 28 08:28:03 UTC 2019 - Martin Liška <mliska@suse.cz>
|
|
|
|
|
|
|
|
|
|
|
|
- Disable LTO (boo#1133244).
|
2019-06-03 16:23:38 +02:00
|
|
|
|
|
2019-05-24 14:37:42 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri May 24 11:22:19 UTC 2019 - <jsegitz@suse.com>
|
|
|
|
|
|
|
|
|
|
|
|
- Set License: to correct value (bsc#1135710)
|
|
|
|
|
|
|
2019-04-26 09:36:49 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Apr 25 07:14:10 UTC 2019 - Martin Liška <mliska@suse.cz>
|
|
|
|
|
|
|
|
|
|
|
|
- Disable LTO (boo#1133244).
|
|
|
|
|
|
|
2019-03-21 10:41:17 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Mar 20 15:05:35 UTC 2019 - jsegitz@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 2.9
|
|
|
|
|
|
* Add security_reject_unknown(3) man page
|
|
|
|
|
|
* Change matchpathcon usage to match with matchpathcon manpage
|
|
|
|
|
|
* Do not define gettid() if glibc >= 2.30 is used
|
|
|
|
|
|
* Fix RESOURCE_LEAK defects reported by coverity scan
|
|
|
|
|
|
* Fix line wrapping in selabel_file.5
|
|
|
|
|
|
* Do not dereference symlink with statfs in selinux_restorecon
|
|
|
|
|
|
* Fix overly strict validation of file_contexts.bin
|
|
|
|
|
|
* Fix selinux_restorecon() on non-SELinux hosts
|
|
|
|
|
|
* Fix the whatis line for the selinux_boolean_sub.3 manpage
|
|
|
|
|
|
* Fix printf format string specifier for uint64_t
|
|
|
|
|
|
* Fix handling of unknown classes/perms
|
|
|
|
|
|
* Set an appropriate errno in booleans.c
|
|
|
|
|
|
- Dropped python3.patch, is now upstream
|
|
|
|
|
|
|
2019-01-04 15:49:04 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Jan 4 14:18:42 UTC 2019 - jsegitz@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- Remove unneeded build requires for python3 (bsc#1120255)
|
|
|
|
|
|
|
2018-12-01 08:36:52 +01:00
|
|
|
|
-------------------------------------------------------------------
|
2018-12-12 09:31:21 +01:00
|
|
|
|
Wed Oct 17 11:48:30 UTC 2018 - jsegitz@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 2.8 (bsc#1111732)
|
2018-12-12 10:16:33 +01:00
|
|
|
|
For changes please see
|
|
|
|
|
|
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
|
|
|
|
|
|
- ran spec-cleaner on spec files
|
2018-12-12 09:31:21 +01:00
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon May 14 22:45:54 UTC 2018 - mcepl@cepl.eu
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 2.7.
|
|
|
|
|
|
* %files needed to be heavily modified
|
|
|
|
|
|
* Based expressly on python3, not just python
|
2018-12-12 10:16:33 +01:00
|
|
|
|
For changes please see
|
|
|
|
|
|
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
|
2018-12-12 09:31:21 +01:00
|
|
|
|
|
Accepting request 1095431 from home:mcepl:branches:security:SELinux
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Fixed initrd check in selinux-ready (bnc#1186127)
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
- install to /usr (boo#1029961)
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Added skip_cycles.patch to skip directory cycles and not error
out
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Disable LTO (boo#1133244).
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Remove unneeded build requires for python3 (bsc#1120255)
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- updated selinux-ready script to handle initrd files compressed with xz
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- Reuse implicit dependencies injected by pkgconfig
- fixed source url in libselinux-bindings.spec
- removed old tarball
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
- Remove obsolete defines/sections
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
- update selinux-ready script
- updated to 2.1.9 again (see below)
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
- revert back to 2.0.98 for 12.2
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- cross-build fix: use %__cc macro
- use %_smp_mflags
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
- buildrequire pkg-config to fix provides
- selinux-ready: added function to check for restorecond in
runlevel 3/5
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
- selinux-ready: fixed init ramfs checking
- added new selinux-ready script
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
OBS-URL: https://build.opensuse.org/request/show/1095431
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=159
2023-06-27 10:15:55 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Mar 16 15:25:10 UTC 2018 - jsegitz@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- Updated spec file to use python3. Added python3.patch to fix
|
|
|
|
|
|
build
|
|
|
|
|
|
|
2018-12-12 09:31:21 +01:00
|
|
|
|
-------------------------------------------------------------------
|
2017-11-27 10:18:52 +01:00
|
|
|
|
Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 2.6. Notable changes:
|
|
|
|
|
|
* selinux_restorecon: fix realpath logic
|
|
|
|
|
|
* sefcontext_compile: invert semantics of "-r" flag
|
|
|
|
|
|
* sefcontext_compile: Add "-i" flag
|
|
|
|
|
|
* Introduce configurable backends
|
|
|
|
|
|
* Add function to find security.restorecon_last entries
|
|
|
|
|
|
* Add openrc_contexts functions
|
|
|
|
|
|
* Add support for pcre2
|
|
|
|
|
|
* Handle NULL pcre study data
|
|
|
|
|
|
* Add setfiles support to selinux_restorecon(3)
|
|
|
|
|
|
* Evaluate inodes in selinux_restorecon(3)
|
|
|
|
|
|
* Change the location of _selinux.so
|
|
|
|
|
|
* Explain how to free policy type from selinux_getpolicytype()
|
|
|
|
|
|
* Compare absolute pathname in matchpathcon -V
|
|
|
|
|
|
* Add selinux_snapperd_contexts_path()
|
|
|
|
|
|
* Modify audit2why analyze function to use loaded policy
|
|
|
|
|
|
* Avoid mounting /proc outside of selinux_init_load_policy()
|
|
|
|
|
|
* Fix location of selinuxfs mount point
|
|
|
|
|
|
* Only mount /proc if necessary
|
|
|
|
|
|
* procattr: return einval for <= 0 pid args
|
|
|
|
|
|
* procattr: return error on invalid pid_t input
|
|
|
|
|
|
- Dropped
|
|
|
|
|
|
* libselinux-2.2-ruby.patch
|
|
|
|
|
|
* libselinux-proc-mount-only-if-needed.patch
|
|
|
|
|
|
* python-selinux-swig-3.10.patch
|
|
|
|
|
|
|
2017-08-03 10:16:09 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de
|
|
|
|
|
|
|
|
|
|
|
|
- readv-proto.patch: include <sys/uio.h> for readv prototype
|
|
|
|
|
|
|
2016-07-26 14:15:13 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
|
|
- -devel static subpackage requires libpcre-devel and libsepol-devel
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
|
|
- Avoid mounting /proc outside of selinux_init_load_policy().
|
|
|
|
|
|
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
|
|
|
|
|
|
among other things systemd seccomp sandboxing otherwise all
|
|
|
|
|
|
filters must allow mount(2)
|
|
|
|
|
|
(libselinux-proc-mount-only-if-needed.patch)
|
|
|
|
|
|
|
2016-07-26 16:56:29 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
|
|
|
|
|
|
|
|
|
|
|
|
- Update RPM groups, trim description and combine filelist entries.
|
|
|
|
|
|
|
2016-07-14 10:42:04 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com
|
|
|
|
|
|
|
|
|
|
|
|
- Adjusted source link
|
|
|
|
|
|
|
2016-07-13 09:22:28 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Jul 5 16:42:03 UTC 2016 - i@marguerite.su
|
|
|
|
|
|
|
|
|
|
|
|
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
|
|
|
|
|
|
* swig-3.10 in Factory use importlib instead of imp to find
|
|
|
|
|
|
_selinux.so. imp searched the same directory as __init__.py
|
|
|
|
|
|
is while importlib searchs only standard paths. so we have
|
|
|
|
|
|
to move _selinux.so. fixed by upstream
|
|
|
|
|
|
- update version 2.5
|
|
|
|
|
|
* Add selinux_restorecon function
|
|
|
|
|
|
* read_spec_entry: fail on non-ascii
|
|
|
|
|
|
* Add man information about thread specific functions
|
|
|
|
|
|
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
|
|
|
|
|
|
* Correct line count for property and service context files
|
|
|
|
|
|
* label_file: fix memory leaks and uninitialized jump
|
|
|
|
|
|
* Replace selabel_digest hash function
|
|
|
|
|
|
* Fix selabel_open(3) services if no digest requested
|
|
|
|
|
|
* Add selabel_digest function
|
|
|
|
|
|
* Flush the class/perm string mapping cache on policy reload
|
|
|
|
|
|
* Fix restorecon when path has no context
|
|
|
|
|
|
* Free memory when processing media and x specfiles
|
|
|
|
|
|
* Fix mmap memory release for file labeling
|
|
|
|
|
|
* Add policy context validation to sefcontext_compile
|
|
|
|
|
|
* Do not treat an empty file_contexts(.local) as an error
|
|
|
|
|
|
* Fail hard on invalid property_contexts entries
|
|
|
|
|
|
* Fail hard on invalid file_contexts entries
|
|
|
|
|
|
* Support context validation on file_contexts.bin
|
|
|
|
|
|
* Add selabel_cmp interface and label_file backend
|
|
|
|
|
|
* Support specifying file_contexts.bin file path
|
|
|
|
|
|
* Support file_contexts.bin without file_contexts
|
|
|
|
|
|
* Simplify procattr cache
|
|
|
|
|
|
* Use /proc/thread-self when available
|
|
|
|
|
|
* Add const to selinux_opt for label backends
|
|
|
|
|
|
* Fix binary file labels for regexes with metachars
|
|
|
|
|
|
* Fix file labels for regexes with metachars
|
|
|
|
|
|
* Fix if file_contexts not '\n' terminated
|
|
|
|
|
|
* Enhance file context support
|
|
|
|
|
|
* Fix property processing and cleanup formatting
|
|
|
|
|
|
* Add read_spec_entries function to replace sscanf
|
|
|
|
|
|
* Support consistent mode size for bin files
|
|
|
|
|
|
* Fix more bin file processing core dumps
|
|
|
|
|
|
* add selinux_openssh_contexts_path()
|
|
|
|
|
|
* setrans_client: minimize overhead when mcstransd is not present
|
|
|
|
|
|
* Ensure selabel_lookup_best_match links NULL terminated
|
|
|
|
|
|
* Fix core dumps with corrupt *.bin files
|
|
|
|
|
|
* Add selabel partial and best match APIs
|
|
|
|
|
|
* Use os.walk() instead of the deprecated os.path.walk()
|
|
|
|
|
|
* Remove deprecated mudflap option
|
|
|
|
|
|
* Mount procfs before checking /proc/filesystems
|
|
|
|
|
|
* Fix -Wformat errors with gcc-5.0.0
|
|
|
|
|
|
* label_file: handle newlines in file names
|
|
|
|
|
|
* Fix audit2why error handling if SELinux is disabled
|
|
|
|
|
|
* pcre_study can return NULL without error
|
|
|
|
|
|
* Only check SELinux enabled status once in selinux_check_access
|
|
|
|
|
|
- changes in 2.4
|
|
|
|
|
|
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
|
|
|
|
|
|
* Fix bugs found by hardened gcc flags
|
|
|
|
|
|
* Set the system to permissive if failing to disable SELinux because
|
|
|
|
|
|
policy has already been loaded
|
|
|
|
|
|
* Add db_exception and db_datatype support to label_db backend
|
|
|
|
|
|
* Log an error on unknown classes and permissions
|
|
|
|
|
|
* Add pcre version string to the compiled file_contexts format
|
|
|
|
|
|
* Deprecate use of flask.h and av_permissions.h
|
|
|
|
|
|
* Compiled file_context files and the original should have the same DAC
|
|
|
|
|
|
permissions
|
|
|
|
|
|
|
2015-07-30 14:06:49 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Jul 30 12:00:27 UTC 2015 - jsegitz@novell.com
|
|
|
|
|
|
|
|
|
|
|
|
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
|
|
|
|
|
|
|
Accepting request 1095431 from home:mcepl:branches:security:SELinux
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Fixed initrd check in selinux-ready (bnc#1186127)
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
- install to /usr (boo#1029961)
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Added skip_cycles.patch to skip directory cycles and not error
out
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Disable LTO (boo#1133244).
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Remove unneeded build requires for python3 (bsc#1120255)
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- updated selinux-ready script to handle initrd files compressed with xz
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- Reuse implicit dependencies injected by pkgconfig
- fixed source url in libselinux-bindings.spec
- removed old tarball
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
- Remove obsolete defines/sections
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
- update selinux-ready script
- updated to 2.1.9 again (see below)
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
- revert back to 2.0.98 for 12.2
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- cross-build fix: use %__cc macro
- use %_smp_mflags
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
- buildrequire pkg-config to fix provides
- selinux-ready: added function to check for restorecond in
runlevel 3/5
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
- selinux-ready: fixed init ramfs checking
- added new selinux-ready script
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
OBS-URL: https://build.opensuse.org/request/show/1095431
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=159
2023-06-27 10:15:55 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed May 27 11:53:54 UTC 2015 - dimstar@opensuse.org
|
|
|
|
|
|
|
|
|
|
|
|
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
|
|
|
|
|
|
deprecated Config.
|
|
|
|
|
|
|
2014-09-08 11:42:21 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon Sep 8 08:25:11 UTC 2014 - jsegitz@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- updated selinux-ready script to handle initrd files compressed with xz
|
|
|
|
|
|
|
2013-11-07 11:18:12 +01:00
|
|
|
|
-------------------------------------------------------------------
|
2014-05-19 09:31:10 +02:00
|
|
|
|
Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 2.3
|
|
|
|
|
|
* Get rid of security_context_t and fix const declarations.
|
|
|
|
|
|
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
2013-11-07 11:18:12 +01:00
|
|
|
|
Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com
|
|
|
|
|
|
|
|
|
|
|
|
- Update to version 2.2
|
|
|
|
|
|
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
|
|
|
|
|
|
* Support overriding Makefile RANLIB
|
|
|
|
|
|
* Update pkgconfig definition
|
|
|
|
|
|
* Mount sysfs before trying to mount selinuxfs.
|
|
|
|
|
|
* Fix man pages
|
|
|
|
|
|
* Support overriding PATH and LIBBASE in Makefile
|
|
|
|
|
|
* Fix LDFLAGS usage
|
|
|
|
|
|
* Avoid shadowing stat in load_mmap
|
|
|
|
|
|
* Support building on older PCRE libraries
|
|
|
|
|
|
* Fix handling of temporary file in sefcontext_compile
|
|
|
|
|
|
* Fix procattr cache
|
|
|
|
|
|
* Define python constants for getenforce result
|
|
|
|
|
|
* Fix label substitution handling of /
|
|
|
|
|
|
* Add selinux_current_policy_path from
|
|
|
|
|
|
* Change get_context_list to only return good matches
|
|
|
|
|
|
* Support udev-197 and higher
|
|
|
|
|
|
* Add support for local substitutions
|
|
|
|
|
|
* Change setfilecon to not return ENOSUP if context is already correct
|
|
|
|
|
|
* Python wrapper leak fixes
|
|
|
|
|
|
* Export SELINUX_TRANS_DIR definition in selinux.h
|
|
|
|
|
|
* Add selinux_systemd_contexts_path
|
|
|
|
|
|
* Add selinux_set_policy_root
|
|
|
|
|
|
* Add man page for sefcontext_compile
|
|
|
|
|
|
- Remove libselinux-rhat.patch; merged on upstream
|
|
|
|
|
|
- Adapt libselinux-ruby.patch to upstream changes
|
|
|
|
|
|
- Use fdupes to symlink duplicate manpages
|
|
|
|
|
|
|
2013-07-01 11:25:36 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Jun 27 14:42:01 UTC 2013 - vcizek@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- change the source url to the official 2.1.13 release tarball
|
|
|
|
|
|
|
2013-05-27 10:46:56 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed May 22 23:50:58 UTC 2013 - jengelh@inai.de
|
|
|
|
|
|
|
|
|
|
|
|
- Reuse implicit dependencies injected by pkgconfig
|
|
|
|
|
|
|
2013-04-05 09:46:43 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Apr 4 19:16:35 UTC 2013 - vcizek@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- fixed source url in libselinux-bindings.spec
|
|
|
|
|
|
- removed old tarball
|
|
|
|
|
|
|
2013-04-03 15:10:52 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Apr 3 10:17:21 UTC 2013 - vcizek@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- fix source url
|
|
|
|
|
|
- document changes in libselinux-rhat.patch from previous submission:
|
|
|
|
|
|
(most code of the removed code was integrated upstream)
|
|
|
|
|
|
* Add matchpathcon -P /etc/selinux/mls support by allowing users
|
|
|
|
|
|
to set alternate root
|
|
|
|
|
|
* Add new constant SETRANS_DIR which points to the directory
|
|
|
|
|
|
where mstransd can find the socket and libvirt can write its
|
|
|
|
|
|
translations files
|
|
|
|
|
|
|
2013-04-02 13:49:27 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Mar 29 15:12:50 UTC 2013 - vcizek@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
-update to 2.1.13
|
|
|
|
|
|
* audit2why: make sure path is nul terminated
|
|
|
|
|
|
* utils: new file context regex compiler
|
|
|
|
|
|
* label_file: use precompiled filecontext when possible
|
|
|
|
|
|
* do not leak mmapfd
|
|
|
|
|
|
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
|
|
|
|
|
|
* man: make selinux.8 mention service man pages
|
|
|
|
|
|
* audit2why: Fix segfault if finish() called twice
|
|
|
|
|
|
* audit2why: do not leak on multiple init() calls
|
|
|
|
|
|
* mode_to_security_class: interface to translate a mode_t in to a security class
|
|
|
|
|
|
* audit2why: Cleanup audit2why analysys function
|
|
|
|
|
|
* man: Fix program synopsis and function prototypes in man pages
|
|
|
|
|
|
* man: Fix man pages formatting
|
|
|
|
|
|
* man: Fix typo in man page
|
|
|
|
|
|
* man: Add references and man page links to _raw function variants
|
|
|
|
|
|
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
|
|
|
|
|
|
* man: context_new(3): fix the return value description
|
|
|
|
|
|
* selinux_status_open: handle error from sysconf
|
|
|
|
|
|
* selinux_status_open: do not leak statusfd on exec
|
|
|
|
|
|
* Fix errors found by coverity
|
|
|
|
|
|
* Change boooleans.subs to booleans.subs_dist.
|
|
|
|
|
|
* optimize set*con functions
|
|
|
|
|
|
* pkg-config do not specifc ruby version
|
|
|
|
|
|
* unmap file contexts on selabel_close()
|
|
|
|
|
|
* do not leak file contexts with mmap'd backend
|
|
|
|
|
|
* sefcontext_compile: do not leak fd on error
|
|
|
|
|
|
* matchmediacon: do not leak fd
|
|
|
|
|
|
* src/label_android_property: do not leak fd on error
|
|
|
|
|
|
|
2013-01-31 16:22:24 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Jan 30 11:44:45 UTC 2013 - vcizek@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- update to 2.1.12
|
Accepting request 1095431 from home:mcepl:branches:security:SELinux
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Fixed initrd check in selinux-ready (bnc#1186127)
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
- install to /usr (boo#1029961)
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Added skip_cycles.patch to skip directory cycles and not error
out
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Disable LTO (boo#1133244).
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Remove unneeded build requires for python3 (bsc#1120255)
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- updated selinux-ready script to handle initrd files compressed with xz
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- Reuse implicit dependencies injected by pkgconfig
- fixed source url in libselinux-bindings.spec
- removed old tarball
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
- Remove obsolete defines/sections
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
- update selinux-ready script
- updated to 2.1.9 again (see below)
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
- revert back to 2.0.98 for 12.2
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- cross-build fix: use %__cc macro
- use %_smp_mflags
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
- buildrequire pkg-config to fix provides
- selinux-ready: added function to check for restorecond in
runlevel 3/5
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
- selinux-ready: fixed init ramfs checking
- added new selinux-ready script
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
OBS-URL: https://build.opensuse.org/request/show/1095431
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=159
2023-06-27 10:15:55 +02:00
|
|
|
|
- added BuildRequires: pcre-devel
|
2013-01-31 16:22:24 +01:00
|
|
|
|
- added the recent libselinux-rhat.patch
|
|
|
|
|
|
* Add support for lxc_contexts_path
|
|
|
|
|
|
* utils: add service to getdefaultcon
|
|
|
|
|
|
* libsemanage: do not set soname needlessly
|
|
|
|
|
|
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
|
|
|
|
|
|
* boolean name equivalency
|
|
|
|
|
|
* getsebool: support boolean name substitution
|
|
|
|
|
|
* Add man page for new selinux_boolean_sub function.
|
|
|
|
|
|
* expose selinux_boolean_sub
|
|
|
|
|
|
* matchpathcon: add -m option to force file type check
|
|
|
|
|
|
* utils: avcstat: clear sa_mask set
|
|
|
|
|
|
* seusers: Check for strchr failure
|
|
|
|
|
|
* booleans: initialize pointer to silence coveriety
|
|
|
|
|
|
* stop messages when SELinux disabled
|
|
|
|
|
|
* Ensure that we only close the selinux netlink socket once.
|
|
|
|
|
|
* improve the file_contexts.5 manual page
|
|
|
|
|
|
* Fortify source now requires all code to be compiled with -O flag
|
|
|
|
|
|
* asprintf return code must be checked
|
|
|
|
|
|
* avc_netlink_recieve handle EINTR
|
|
|
|
|
|
* audit2why: silence -Wmissing-prototypes warning
|
|
|
|
|
|
* libsemanage: remove build warning when build swig c files
|
|
|
|
|
|
* matchpathcon: bad handling of symlinks in /
|
|
|
|
|
|
* seusers: remove unused lineno
|
|
|
|
|
|
* seusers: getseuser: gracefully handle NULL service
|
|
|
|
|
|
* New Android property labeling backend
|
|
|
|
|
|
* label_android_property whitespace cleanups
|
|
|
|
|
|
* additional makefile support for rubywrap
|
|
|
|
|
|
* Remove jump over variable declaration
|
|
|
|
|
|
* Fix old style function definitions
|
|
|
|
|
|
* Fix const-correctness
|
|
|
|
|
|
* Remove unused flush_class_cache method
|
|
|
|
|
|
* Add prototype decl for destructor
|
|
|
|
|
|
* Add more printf format annotations
|
|
|
|
|
|
* Add printf format attribute annotation to die() method
|
|
|
|
|
|
* Fix const-ness of parameters & make usage() methods static
|
|
|
|
|
|
* Enable many more gcc warnings for libselinux/src/ builds
|
|
|
|
|
|
* utils: Enable many more gcc warnings for libselinux/utils builds
|
|
|
|
|
|
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
|
|
|
|
|
|
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
|
|
|
|
|
|
* Update Makefiles to handle /usrmove
|
|
|
|
|
|
* utils: Stop separating out matchpathcon as something special
|
|
|
|
|
|
* pkg-config to figure out where ruby include files are located
|
|
|
|
|
|
* build with either ruby 1.9 or ruby 1.8
|
|
|
|
|
|
* assert if avc_init() not called
|
|
|
|
|
|
* take security_deny_unknown into account
|
|
|
|
|
|
* security_compute_create_name(3)
|
|
|
|
|
|
* Do not link against python library, this is considered
|
|
|
|
|
|
* bad practice in debian
|
|
|
|
|
|
* Hide unnecessarily-exported library destructors
|
|
|
|
|
|
|
2013-01-08 11:50:42 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon Jan 7 22:34:03 UTC 2013 - jengelh@inai.de
|
|
|
|
|
|
|
|
|
|
|
|
- Remove obsolete defines/sections
|
|
|
|
|
|
|
2012-12-14 15:01:01 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Dec 11 16:15:52 UTC 2012 - vcizek@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- update selinux-ready script
|
|
|
|
|
|
* use -L when stat()ing /etc/selinux/config
|
|
|
|
|
|
* make sure that SELINUX isn't disabled in /etc/selinux/config
|
|
|
|
|
|
* look for either of /sys/fs/selinux and /selinux directory
|
|
|
|
|
|
* use systemctl to check for restorecond
|
|
|
|
|
|
* don't look for booleans file (deprecated)
|
|
|
|
|
|
|
2012-11-27 15:46:54 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Nov 27 12:38:29 UTC 2012 - vcizek@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- update selinux-ready script
|
|
|
|
|
|
|
2012-07-25 13:15:17 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- updated to 2.1.9 again (see below)
|
|
|
|
|
|
|
2012-06-13 10:57:05 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Jun 13 08:56:36 UTC 2012 - coolo@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- go back even more - everything else requires the full SELinux stack
|
|
|
|
|
|
(too late for 12.2)
|
|
|
|
|
|
|
2012-06-11 11:09:02 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon Jun 11 09:06:55 UTC 2012 - factory-maintainer@kulow.org
|
|
|
|
|
|
|
|
|
|
|
|
- revert back to 2.0.98 for 12.2
|
|
|
|
|
|
|
2012-06-04 15:46:09 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de
|
|
|
|
|
|
|
|
|
|
|
|
- update to libselinux-2.1.9
|
|
|
|
|
|
* better man pages
|
|
|
|
|
|
* selinux_status interfaces
|
|
|
|
|
|
* simple interface for access checks
|
|
|
|
|
|
* multiple bug fixes
|
Accepting request 1095431 from home:mcepl:branches:security:SELinux
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
- Add python-wheel build dependency to build correctly with latest
python-pip version.
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
- Enable LTO as it works fine now.
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
- Fixed initrd check in selinux-ready (bnc#1186127)
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
- install to /usr (boo#1029961)
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
- Added skip_cycles.patch to skip directory cycles and not error
out
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesn’t automatically adds -lpython<ver>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
- Disable LTO (boo#1133244).
- Set License: to correct value (bsc#1135710)
- Disable LTO (boo#1133244).
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
- Remove unneeded build requires for python3 (bsc#1120255)
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
- Updated spec file to use python3. Added python3.patch to fix
build
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
- readv-proto.patch: include <sys/uio.h> for readv prototype
- -devel static subpackage requires libpcre-devel and libsepol-devel
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
- Update RPM groups, trim description and combine filelist entries.
- Adjusted source link
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
- updated selinux-ready script to handle initrd files compressed with xz
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
- change the source url to the official 2.1.13 release tarball
- Reuse implicit dependencies injected by pkgconfig
- fixed source url in libselinux-bindings.spec
- removed old tarball
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
- Remove obsolete defines/sections
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
- update selinux-ready script
- updated to 2.1.9 again (see below)
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
- revert back to 2.0.98 for 12.2
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
- cross-build fix: use %__cc macro
- use %_smp_mflags
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
- buildrequire pkg-config to fix provides
- selinux-ready: added function to check for restorecond in
runlevel 3/5
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
- selinux-ready: fixed init ramfs checking
- added new selinux-ready script
- updated to 2.0.91
* changes too numerous to list
- add baselibs.conf as a source
- updated selinux-ready script
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
- put libsepol-devel back to Requires of libselinux-devel
- added selinux-ready tool to selinux-tools package
- remove static libraries
- libselinux-devel does not require libsepol-devel
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
- fixed memory leak (memleak.patch)
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
- fix debug_packages_requires define
- require only version, not release [bnc#429053]
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
- Fix build of debuginfo.
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
- fix requires for debuginfo package
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
OBS-URL: https://build.opensuse.org/request/show/1095431
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=159
2023-06-27 10:15:55 +02:00
|
|
|
|
- fix build for ruby-1.9
|
2012-06-04 15:46:09 +02:00
|
|
|
|
|
2011-10-06 17:08:08 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Oct 5 15:09:25 UTC 2011 - uli@suse.com
|
|
|
|
|
|
|
|
|
|
|
|
- cross-build fix: use %__cc macro
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
|
|
|
|
|
|
|
|
|
|
|
|
- use %_smp_mflags
|
|
|
|
|
|
|
2010-05-03 17:33:38 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon May 3 10:30:40 UTC 2010 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- don't package /var/run/setrans in libselinux1 package
|
|
|
|
|
|
- Feature#303793
|
|
|
|
|
|
- the directory will be created in initscript of mcstrans package
|
|
|
|
|
|
|
2010-04-24 12:21:00 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Sat Apr 24 09:53:28 UTC 2010 - coolo@novell.com
|
|
|
|
|
|
|
|
|
|
|
|
- buildrequire pkg-config to fix provides
|
|
|
|
|
|
|
2010-04-09 09:41:21 +02:00
|
|
|
|
-------------------------------------------------------------------
|
2010-04-23 19:09:34 +02:00
|
|
|
|
Fri Apr 9 07:27:27 UTC 2010 - thomas@novell.com
|
|
|
|
|
|
|
|
|
|
|
|
- selinux-ready: added function to check for restorecond in
|
|
|
|
|
|
runlevel 3/5
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Thu Apr 8 06:37:34 UTC 2010 - thomas@novell.com
|
|
|
|
|
|
|
|
|
|
|
|
- selinux-ready: added functions for checking PAM config and
|
|
|
|
|
|
policy boolean init_upstart
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Apr 7 13:26:59 UTC 2010 - thomas@novell.com
|
|
|
|
|
|
|
|
|
|
|
|
- selinux-ready: fixed init ramfs checking
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Apr 7 12:59:41 UTC 2010 - thomas@novell.com
|
|
|
|
|
|
|
|
|
|
|
|
- added new selinux-ready script
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
2010-03-12 17:35:22 +01:00
|
|
|
|
Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- updated to 2.0.91
|
|
|
|
|
|
* changes too numerous to list
|
|
|
|
|
|
|
2010-01-14 15:19:14 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de
|
|
|
|
|
|
|
|
|
|
|
|
- add baselibs.conf as a source
|
|
|
|
|
|
|
2009-07-24 17:24:37 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com
|
|
|
|
|
|
|
2010-03-12 17:35:22 +01:00
|
|
|
|
- updated selinux-ready script
|
2009-07-24 17:24:37 +02:00
|
|
|
|
|
2009-07-23 15:32:36 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- change libsepol-devel to libsepol-devel-static in dependencies
|
|
|
|
|
|
of python bindings
|
|
|
|
|
|
|
2009-07-03 16:04:45 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- put libsepol-devel back to Requires of libselinux-devel
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon Jun 29 21:24:16 CEST 2009 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- added selinux-ready tool to selinux-tools package
|
|
|
|
|
|
|
2009-06-29 14:18:50 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Jun 9 20:17:54 CEST 2009 - crrodriguez@suse.de
|
|
|
|
|
|
|
|
|
|
|
|
- remove static libraries
|
2009-07-03 16:04:45 +02:00
|
|
|
|
- libselinux-devel does not require libsepol-devel
|
2009-06-29 14:18:50 +02:00
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed May 27 14:06:14 CEST 2009 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- updated to 2.0.80
|
|
|
|
|
|
* deny_unknown wrapper function from KaiGai Kohei
|
|
|
|
|
|
* security_compute_av_flags API from KaiGai Kohei
|
|
|
|
|
|
* Netlink socket management and callbacks from KaiGai Kohei
|
|
|
|
|
|
* Netlink socket handoff patch from Adam Jackson
|
|
|
|
|
|
* AVC caching of compute_create results by Eric Paris
|
|
|
|
|
|
* fix incorrect conversion in discover_class code
|
|
|
|
|
|
|
2009-04-23 18:30:16 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- fixed memory leak (memleak.patch)
|
|
|
|
|
|
|
2009-01-19 02:22:32 +01:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- updated to 2.0.77
|
|
|
|
|
|
* add new function getseuser which will take username and service
|
|
|
|
|
|
and return seuser and level; ipa will populate file in future
|
|
|
|
|
|
* change selinuxdefcon to return just the context by default
|
|
|
|
|
|
* fix segfault if seusers file does not work
|
|
|
|
|
|
* strip trailing / for matchpathcon
|
|
|
|
|
|
* fix restorecon python code
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon Dec 1 11:32:50 CET 2008 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- updated to 2.0.76
|
|
|
|
|
|
* allow shell-style wildcarding in X names
|
|
|
|
|
|
* add Restorecon/Install python functions
|
|
|
|
|
|
* correct message types in AVC log messages
|
|
|
|
|
|
* make matchpathcon -V pass mode
|
|
|
|
|
|
* add man page for selinux_file_context_cmp
|
|
|
|
|
|
* update flask headers from refpolicy trunk
|
|
|
|
|
|
|
2008-10-23 01:17:46 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Wed Oct 22 16:28:59 CEST 2008 - mrueckert@suse.de
|
|
|
|
|
|
|
|
|
|
|
|
- fix debug_packages_requires define
|
|
|
|
|
|
|
2008-09-24 00:33:39 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Sep 23 12:51:10 CEST 2008 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- require only version, not release [bnc#429053]
|
|
|
|
|
|
|
2008-09-05 21:50:58 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- updated to 2.0.71
|
|
|
|
|
|
* Add group support to seusers using %groupname syntax from Dan Walsh.
|
|
|
|
|
|
* Mark setrans socket close-on-exec from Stephen Smalley.
|
|
|
|
|
|
* Only apply nodups checking to base file contexts from Stephen Smalley.
|
2009-01-19 02:22:32 +01:00
|
|
|
|
* Merge ruby bindings from Dan Walsh.
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Mon Sep 1 07:35:00 CEST 2008 - aj@suse.de
|
|
|
|
|
|
|
|
|
|
|
|
- Fix build of debuginfo.
|
2008-09-05 21:50:58 +02:00
|
|
|
|
|
2008-08-22 19:31:21 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- added baselibs.conf file
|
|
|
|
|
|
- split bindings into separate subpackage (libselinux-bindings)
|
|
|
|
|
|
- split tools into separate subpackage (selinux-tools)
|
|
|
|
|
|
|
2008-08-03 04:41:25 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Fri Aug 1 17:32:20 CEST 2008 - ro@suse.de
|
|
|
|
|
|
|
|
|
|
|
|
- fix requires for debuginfo package
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
|
Tue Jul 15 16:26:31 CEST 2008 - prusnak@suse.cz
|
|
|
|
|
|
|
|
|
|
|
|
- initial version 2.0.67
|
|
|
|
|
|
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>
|
|
|
|
|
|
|
