From 7308b68a0b02415badb656d8bc2f5cacac758a1d257f37ec4004564ed0034fa5 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Wed, 3 Aug 2016 09:36:44 +0000 Subject: [PATCH] Accepting request 415273 from security:SELinux 1 OBS-URL: https://build.opensuse.org/request/show/415273 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=46 --- libselinux-bindings.changes | 5 ++ libselinux-bindings.spec | 66 ++++----------- libselinux-proc-mount-only-if-needed.patch | 93 ++++++++++++++++++++++ libselinux.changes | 20 +++++ libselinux.spec | 88 ++++++++------------ 5 files changed, 167 insertions(+), 105 deletions(-) create mode 100644 libselinux-proc-mount-only-if-needed.patch diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 590b354..ff07546 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de + +- Update RPM groups, trim description and combine filelist entries. + ------------------------------------------------------------------- Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 7a4216b..0cbc371 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -21,10 +21,10 @@ Name: libselinux-bindings Version: 2.5 Release: 0 -Url: http://userspace.selinuxproject.org/ -Summary: SELinux library and simple utilities +Summary: SELinux runtime library and simple utilities License: GPL-2.0 and SUSE-Public-Domain -Group: System/Libraries +Group: Development/Libraries/C and C++ +Url: https://github.com/SELinuxProject/selinux/wiki/Releases # embedded is the MD5 Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz 
@@ -41,69 +41,36 @@ BuildRequires: ruby-devel BuildRequires: swig %description -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. %package -n python-selinux -Summary: SELinux library and simple utilities +Summary: Python bindings for the SELinux runtime library License: SUSE-Public-Domain Group: Development/Libraries/Python Requires: libselinux1 = %{version} Requires: python %description -n python-selinux -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. 
Required for any applications that use the SELinux API. - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. +This subpackage contains Python extensions to use SELinux from that +language. %package -n ruby-selinux -Summary: SELinux library and simple utilities +Summary: Ruby bindings for the SELinux runtime library License: SUSE-Public-Domain Group: Development/Languages/Ruby Requires: libselinux1 = %{version} Requires: ruby %description -n ruby-selinux -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. +This subpackage contains Ruby extensions to use SELinux from that +language. %prep %setup -q -n libselinux-%{version} @@ -124,9 +91,8 @@ rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD %files -n python-selinux %defattr(-,root,root,-) -%dir %{py_sitedir}/selinux +%{py_sitedir}/selinux/ %{py_sitedir}/_selinux.so -%{py_sitedir}/selinux/* %files -n ruby-selinux %defattr(-,root,root,-) 
diff --git a/libselinux-proc-mount-only-if-needed.patch b/libselinux-proc-mount-only-if-needed.patch new file mode 100644 index 0000000..383e72c --- /dev/null +++ b/libselinux-proc-mount-only-if-needed.patch 
@@ -0,0 +1,93 @@ +Index: libselinux-2.5/src/init.c +=================================================================== +--- libselinux-2.5.orig/src/init.c ++++ libselinux-2.5/src/init.c +@@ -11,7 +11,6 @@ + #include + #include + #include +-#include + + #include "dso.h" + #include "policy.h" +@@ -57,20 +56,18 @@ static int verify_selinuxmnt(const char + + int selinuxfs_exists(void) + { +- int exists = 0, mnt_rc = 0; ++ int exists = 0; + FILE *fp = NULL; + char *buf = NULL; + size_t len; + ssize_t num; + +- mnt_rc = mount("proc", "/proc", "proc", 0, 0); + + fp = fopen("/proc/filesystems", "r"); +- if (!fp) { +- exists = 1; /* Fail as if it exists */ +- goto out; +- } + ++ if (!fp) ++ return 1; /* Fail as if it exists */ ++ + __fsetlocking(fp, FSETLOCKING_BYCALLER); + + num = getline(&buf, &len, fp); +@@ -85,13 +82,6 @@ int selinuxfs_exists(void) + free(buf); + fclose(fp); + +-out: +-#ifndef MNT_DETACH +-#define MNT_DETACH 2 +-#endif +- if (mnt_rc == 0) +- umount2("/proc", MNT_DETACH); +- + return exists; + } + hidden_def(selinuxfs_exists) +Index: libselinux-2.5/src/load_policy.c +=================================================================== +--- libselinux-2.5.orig/src/load_policy.c ++++ libselinux-2.5/src/load_policy.c +@@ -17,6 +17,10 @@ + #include "policy.h" + #include + ++#ifndef MNT_DETACH ++#define MNT_DETACH 2 ++#endif ++ + int security_load_policy(void *data, size_t len) + { + char path[PATH_MAX]; +@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforc + fclose(cfg); + free(buf); + } +-#ifndef MNT_DETACH +-#define MNT_DETACH 2 +-#endif +- if (rc == 0) +- umount2("/proc", MNT_DETACH); + + /* + * Determine the final desired mode. 
+@@ -402,9 +401,13 @@ int selinux_init_load_policy(int *enforc + } + + goto noload; ++ if (rc == 0) ++ umount2("/proc", MNT_DETACH); + } + set_selinuxmnt(mntpoint); +- ++ ++ if (rc == 0) ++ umount2("/proc", MNT_DETACH); + /* + * Note: The following code depends on having selinuxfs + * already mounted and selinuxmnt set above. diff --git a/libselinux.changes b/libselinux.changes index c08ec5a..04d8e8f 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org + +- -devel static subpackage requires libpcre-devel and libsepol-devel + + +------------------------------------------------------------------- +Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org + +- Avoid mounting /proc outside of selinux_init_load_policy(). + (Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes + among other things systemd seccomp sandboxing otherwise all + filters must allow mount(2) + (libselinux-proc-mount-only-if-needed.patch) + +------------------------------------------------------------------- +Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de + +- Update RPM groups, trim description and combine filelist entries. + ------------------------------------------------------------------- Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com diff --git a/libselinux.spec b/libselinux.spec index e8071bc..5a7ab25 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -21,10 +21,10 @@ Name: libselinux Version: 2.5 Release: 0 -Url: http://userspace.selinuxproject.org/ -Summary: SELinux library and simple utilities +Summary: SELinux runtime library and utilities License: GPL-2.0 and SUSE-Public-Domain -Group: System/Libraries +Group: Development/Libraries/C and C++ +Url: https://github.com/SELinuxProject/selinux/wiki/Releases Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz Source1: selinux-ready @@ -32,6 +32,8 @@ Source2: baselibs.conf Patch1: %{name}-2.2-ruby.patch # PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path Patch2: python-selinux-swig-3.10.patch +# PATCH-FIX-UPSTREAM Avoid mounting /proc outside of selinux_init_load_policy(). +Patch3: libselinux-proc-mount-only-if-needed.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes BuildRequires: libsepol-devel >= %{libsepol_ver} 
@@ -39,91 +41,68 @@ BuildRequires: pcre-devel BuildRequires: pkg-config %description -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. %package -n libselinux1 -Summary: SELinux library and simple utilities +Summary: SELinux runtime library Group: System/Libraries %description -n libselinux1 -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. 
- +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. +(Security-enhanced Linux is a feature of the kernel and some +utilities that implement mandatory access control policies, such as +Type Enforcement, Role-based Access Control and Multi-Level +Security.) %package -n selinux-tools -Summary: SELinux library and simple utilities +Summary: SELinux command-line utilities Group: System/Base %description -n selinux-tools -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - +Security-enhanced Linux is a feature of the kernel and some +utilities that implement mandatory access control policies, such as +Type Enforcement, Role-based Access Control and Multi-Level +Security. +This subpackage contains utilities to inspect and administer the +system's SELinux state. 
%package devel -Summary: Development Include Files and Libraries for SELinux +Summary: Development files for the SELinux runtime library Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libselinux1 = %{version} #Automatic dependency on libsepol-devel via pkgconfig %description devel +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. + This package contains the development files, which are necessary to develop your own software using libselinux. - %package devel-static -Summary: Static development Include Files and Libraries for SELinux +Summary: Static archives for the SELinux runtime Group: Development/Libraries/C and C++ Requires: libselinux-devel = %{version} +Requires: pkgconfig(libpcre) +Requires: pkgconfig(libsepol) %description devel-static +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. + This package contains the static development files, which are necessary to develop your own software using libselinux. - %prep %setup -q %patch1 %patch2 -p1 - +%patch3 -p1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS" @@ -185,8 +164,7 @@ install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready %files devel %defattr(-,root,root,-) %{_libdir}/libselinux.so -%dir %{_includedir}/selinux -%{_includedir}/selinux/* +%{_includedir}/selinux/ %{_mandir}/man3/* %{_libdir}/pkgconfig/libselinux.pc
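Review bot: in the new libselinux-proc-mount-only-if-needed.patch, the first of the two added `umount2("/proc", MNT_DETACH)` calls in selinux_init_load_policy() (load_policy.c hunk at -402,9 +401,13) sits directly after `goto noload;`, so it can never execute: on the path where selinuxfs does not exist, a /proc that this function mounted itself (rc == 0) is now left mounted, whereas the block removed at -348,11 used to unmount it unconditionally. Move that `if (rc == 0) umount2(...)` above the `goto noload;`, or do the unmount once under the `noload:` label so both paths share it. It is also worth confirming that `rc` still holds the return value of the earlier mount("proc", ...) at the relocated call sites and is not reassigned in between, since the unmount now happens much later in the function than before. The init.c side is consistent: with the mount()/umount2() pair gone from selinuxfs_exists(), dropping the now-unused `#include` and the `out:` label is correct, and the early `return 1` leaks nothing because `buf` is still NULL there; the only nit is the double blank line left where `mnt_rc = mount(...)` was removed.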
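Review bot: the top entry in libselinux.changes has two blank lines between the `-devel static subpackage ...` line and the next separator, where every other entry has one. The wording `- -devel static subpackage` also reads as a stray dash; `- devel-static subpackage requires libpcre-devel and libsepol-devel` names the subpackage as the spec does.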
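Review bot: the `# PATCH-FIX-UPSTREAM` comment for Patch3 in libselinux.spec carries no upstream reference, while the changelog says the patch is by Stephen Smalley and reverts upstream 5a8d8c4 and 9df4988; record that (and the upstream commit or list URL once it lands) in the comment so the next rebase to a release containing the fix knows to drop the patch.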
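Review bot: the new `Requires: pkgconfig(libsepol)` on devel-static has no version bound, while the build uses `BuildRequires: libsepol-devel >= %{libsepol_ver}`; a static link against libselinux.a needs a libsepol at least as new as the one the archive was built against, so `Requires: pkgconfig(libsepol) >= %{libsepol_ver}` keeps the two in step. `%patch3 -p1` matches the `libselinux-2.5/src/...` paths in the patch's Index lines, and the -devel/-devel-static descriptions now open with the same two-line libselinux summary as the other subpackages, which is fine.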