Accepting request 415273 from security:SELinux
1
OBS-URL: https://build.opensuse.org/request/show/415273
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=46
parent e69a6c77a7
commit 7308b68a0b
@ -1,3 +1,8 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
|
||||||
|
|
||||||
|
- Update RPM groups, trim description and combine filelist entries.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com
|
Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com
|
||||||
|
|
||||||
|
@ -21,10 +21,10 @@
|
|||||||
Name: libselinux-bindings
|
Name: libselinux-bindings
|
||||||
Version: 2.5
|
Version: 2.5
|
||||||
Release: 0
|
Release: 0
|
||||||
Url: http://userspace.selinuxproject.org/
|
Summary: SELinux runtime library and simple utilities
|
||||||
Summary: SELinux library and simple utilities
|
|
||||||
License: GPL-2.0 and SUSE-Public-Domain
|
License: GPL-2.0 and SUSE-Public-Domain
|
||||||
Group: System/Libraries
|
Group: Development/Libraries/C and C++
|
||||||
|
Url: https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||||
|
|
||||||
# embedded is the MD5
|
# embedded is the MD5
|
||||||
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz
|
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz
|
||||||
@ -41,69 +41,36 @@ BuildRequires: ruby-devel
|
|||||||
BuildRequires: swig
|
BuildRequires: swig
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Security-enhanced Linux is a feature of the Linux(R) kernel and a
|
libselinux provides an interface to get and set process and file
|
||||||
number of utilities with enhanced security functionality designed to
|
security contexts and to obtain security policy decisions.
|
||||||
add mandatory access controls to Linux. The Security-enhanced Linux
|
|
||||||
kernel contains new architectural components originally developed to
|
|
||||||
improve the security of the Flask operating system. These architectural
|
|
||||||
components provide general support for the enforcement of many kinds of
|
|
||||||
mandatory access control policies, including those based on the
|
|
||||||
concepts of Type Enforcement(R), Role-based Access Control, and
|
|
||||||
Multi-level Security.
|
|
||||||
|
|
||||||
libselinux provides an API for SELinux applications to get and set
|
|
||||||
process and file security contexts and to obtain security policy
|
|
||||||
decisions. Required for any applications that use the SELinux API.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
%package -n python-selinux
|
%package -n python-selinux
|
||||||
Summary: SELinux library and simple utilities
|
Summary: Python bindings for the SELinux runtime library
|
||||||
License: SUSE-Public-Domain
|
License: SUSE-Public-Domain
|
||||||
Group: Development/Libraries/Python
|
Group: Development/Libraries/Python
|
||||||
Requires: libselinux1 = %{version}
|
Requires: libselinux1 = %{version}
|
||||||
Requires: python
|
Requires: python
|
||||||
|
|
||||||
%description -n python-selinux
|
%description -n python-selinux
|
||||||
Security-enhanced Linux is a feature of the Linux(R) kernel and a
|
libselinux provides an interface to get and set process and file
|
||||||
number of utilities with enhanced security functionality designed to
|
security contexts and to obtain security policy decisions.
|
||||||
add mandatory access controls to Linux. The Security-enhanced Linux
|
|
||||||
kernel contains new architectural components originally developed to
|
|
||||||
improve the security of the Flask operating system. These architectural
|
|
||||||
components provide general support for the enforcement of many kinds of
|
|
||||||
mandatory access control policies, including those based on the
|
|
||||||
concepts of Type Enforcement(R), Role-based Access Control, and
|
|
||||||
Multi-level Security.
|
|
||||||
|
|
||||||
libselinux provides an API for SELinux applications to get and set
|
|
||||||
process and file security contexts and to obtain security policy
|
|
||||||
decisions. Required for any applications that use the SELinux API.
|
|
||||||
|
|
||||||
|
|
||||||
|
This subpackage contains Python extensions to use SELinux from that
|
||||||
|
language.
|
||||||
|
|
||||||
%package -n ruby-selinux
|
%package -n ruby-selinux
|
||||||
Summary: SELinux library and simple utilities
|
Summary: Ruby bindings for the SELinux runtime library
|
||||||
License: SUSE-Public-Domain
|
License: SUSE-Public-Domain
|
||||||
Group: Development/Languages/Ruby
|
Group: Development/Languages/Ruby
|
||||||
Requires: libselinux1 = %{version}
|
Requires: libselinux1 = %{version}
|
||||||
Requires: ruby
|
Requires: ruby
|
||||||
|
|
||||||
%description -n ruby-selinux
|
%description -n ruby-selinux
|
||||||
Security-enhanced Linux is a feature of the Linux(R) kernel and a
|
libselinux provides an interface to get and set process and file
|
||||||
number of utilities with enhanced security functionality designed to
|
security contexts and to obtain security policy decisions.
|
||||||
add mandatory access controls to Linux. The Security-enhanced Linux
|
|
||||||
kernel contains new architectural components originally developed to
|
|
||||||
improve the security of the Flask operating system. These architectural
|
|
||||||
components provide general support for the enforcement of many kinds of
|
|
||||||
mandatory access control policies, including those based on the
|
|
||||||
concepts of Type Enforcement(R), Role-based Access Control, and
|
|
||||||
Multi-level Security.
|
|
||||||
|
|
||||||
libselinux provides an API for SELinux applications to get and set
|
|
||||||
process and file security contexts and to obtain security policy
|
|
||||||
decisions. Required for any applications that use the SELinux API.
|
|
||||||
|
|
||||||
|
|
||||||
|
This subpackage contains Ruby extensions to use SELinux from that
|
||||||
|
language.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n libselinux-%{version}
|
%setup -q -n libselinux-%{version}
|
||||||
@ -124,9 +91,8 @@ rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD
|
|||||||
|
|
||||||
%files -n python-selinux
|
%files -n python-selinux
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%dir %{py_sitedir}/selinux
|
%{py_sitedir}/selinux/
|
||||||
%{py_sitedir}/_selinux.so
|
%{py_sitedir}/_selinux.so
|
||||||
%{py_sitedir}/selinux/*
|
|
||||||
|
|
||||||
%files -n ruby-selinux
|
%files -n ruby-selinux
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
|
93
libselinux-proc-mount-only-if-needed.patch
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
Index: libselinux-2.5/src/init.c
|
||||||
|
===================================================================
|
||||||
|
--- libselinux-2.5.orig/src/init.c
|
||||||
|
+++ libselinux-2.5/src/init.c
|
||||||
|
@@ -11,7 +11,6 @@
|
||||||
|
#include <sys/vfs.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
#include <limits.h>
|
||||||
|
-#include <sys/mount.h>
|
||||||
|
|
||||||
|
#include "dso.h"
|
||||||
|
#include "policy.h"
|
||||||
|
@@ -57,20 +56,18 @@ static int verify_selinuxmnt(const char
|
||||||
|
|
||||||
|
int selinuxfs_exists(void)
|
||||||
|
{
|
||||||
|
- int exists = 0, mnt_rc = 0;
|
||||||
|
+ int exists = 0;
|
||||||
|
FILE *fp = NULL;
|
||||||
|
char *buf = NULL;
|
||||||
|
size_t len;
|
||||||
|
ssize_t num;
|
||||||
|
|
||||||
|
- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
|
||||||
|
|
||||||
|
fp = fopen("/proc/filesystems", "r");
|
||||||
|
- if (!fp) {
|
||||||
|
- exists = 1; /* Fail as if it exists */
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
|
||||||
|
+ if (!fp)
|
||||||
|
+ return 1; /* Fail as if it exists */
|
||||||
|
+
|
||||||
|
__fsetlocking(fp, FSETLOCKING_BYCALLER);
|
||||||
|
|
||||||
|
num = getline(&buf, &len, fp);
|
||||||
|
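Review bot: In selinuxfs_exists(), now that the `mount("proc", "/proc", "proc", 0, 0)` call is gone, the `if (!fp) return 1; /* Fail as if it exists */` path is what every caller hits when /proc is not mounted, so the function reports selinuxfs as present without having checked anything. The comment at the early return should say that the caller is now responsible for having /proc mounted, and the same precondition belongs in the function's documentation. Callers that use the result to decide whether SELinux is disabled should be checked against this.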
@@ -85,13 +82,6 @@ int selinuxfs_exists(void)
|
||||||
|
free(buf);
|
||||||
|
fclose(fp);
|
||||||
|
|
||||||
|
-out:
|
||||||
|
-#ifndef MNT_DETACH
|
||||||
|
-#define MNT_DETACH 2
|
||||||
|
-#endif
|
||||||
|
- if (mnt_rc == 0)
|
||||||
|
- umount2("/proc", MNT_DETACH);
|
||||||
|
-
|
||||||
|
return exists;
|
||||||
|
}
|
||||||
|
hidden_def(selinuxfs_exists)
|
||||||
|
Index: libselinux-2.5/src/load_policy.c
|
||||||
|
===================================================================
|
||||||
|
--- libselinux-2.5.orig/src/load_policy.c
|
||||||
|
+++ libselinux-2.5/src/load_policy.c
|
||||||
|
@@ -17,6 +17,10 @@
|
||||||
|
#include "policy.h"
|
||||||
|
#include <limits.h>
|
||||||
|
|
||||||
|
+#ifndef MNT_DETACH
|
||||||
|
+#define MNT_DETACH 2
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
int security_load_policy(void *data, size_t len)
|
||||||
|
{
|
||||||
|
char path[PATH_MAX];
|
||||||
|
@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforc
|
||||||
|
fclose(cfg);
|
||||||
|
free(buf);
|
||||||
|
}
|
||||||
|
-#ifndef MNT_DETACH
|
||||||
|
-#define MNT_DETACH 2
|
||||||
|
-#endif
|
||||||
|
- if (rc == 0)
|
||||||
|
- umount2("/proc", MNT_DETACH);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Determine the final desired mode.
|
||||||
|
@@ -402,9 +401,13 @@ int selinux_init_load_policy(int *enforc
|
||||||
|
}
|
||||||
|
|
||||||
|
goto noload;
|
||||||
|
+ if (rc == 0)
|
||||||
|
+ umount2("/proc", MNT_DETACH);
|
||||||
|
}
|
||||||
|
set_selinuxmnt(mntpoint);
|
||||||
|
-
|
||||||
|
+
|
||||||
|
+ if (rc == 0)
|
||||||
|
+ umount2("/proc", MNT_DETACH);
|
||||||
|
/*
|
||||||
|
* Note: The following code depends on having selinuxfs
|
||||||
|
* already mounted and selinuxmnt set above.
|
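Review bot: In the last load_policy.c hunk the first added `if (rc == 0) umount2("/proc", MNT_DETACH);` sits after `goto noload;` inside the same block, so as ordered here it can never execute. Since the earlier hunk removes the umount that used to follow `free(buf);`, /proc would stay mounted on the noload path unless the code at the `noload` label unmounts it, which these lines do not show. Move the two added lines above the `goto`. The second copy after `set_selinuxmnt(mntpoint);` only covers the path where the selinuxfs mount succeeded.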
@ -1,3 +1,23 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org
|
||||||
|
|
||||||
|
- -devel static subpackage requires libpcre-devel and libsepol-devel
|
||||||
|
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org
|
||||||
|
|
||||||
|
- Avoid mounting /proc outside of selinux_init_load_policy().
|
||||||
|
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
|
||||||
|
among other things systemd seccomp sandboxing otherwise all
|
||||||
|
filters must allow mount(2)
|
||||||
|
(libselinux-proc-mount-only-if-needed.patch)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
|
||||||
|
|
||||||
|
- Update RPM groups, trim description and combine filelist entries.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com
|
Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com
|
||||||
|
|
||||||
|
@ -21,10 +21,10 @@
|
|||||||
Name: libselinux
|
Name: libselinux
|
||||||
Version: 2.5
|
Version: 2.5
|
||||||
Release: 0
|
Release: 0
|
||||||
Url: http://userspace.selinuxproject.org/
|
Summary: SELinux runtime library and utilities
|
||||||
Summary: SELinux library and simple utilities
|
|
||||||
License: GPL-2.0 and SUSE-Public-Domain
|
License: GPL-2.0 and SUSE-Public-Domain
|
||||||
Group: System/Libraries
|
Group: Development/Libraries/C and C++
|
||||||
|
Url: https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||||
|
|
||||||
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz
|
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz
|
||||||
Source1: selinux-ready
|
Source1: selinux-ready
|
||||||
@ -32,6 +32,8 @@ Source2: baselibs.conf
|
|||||||
Patch1: %{name}-2.2-ruby.patch
|
Patch1: %{name}-2.2-ruby.patch
|
||||||
# PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path
|
# PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path
|
||||||
Patch2: python-selinux-swig-3.10.patch
|
Patch2: python-selinux-swig-3.10.patch
|
||||||
|
# PATCH-FIX-UPSTREAM Avoid mounting /proc outside of selinux_init_load_policy().
|
||||||
|
Patch3: libselinux-proc-mount-only-if-needed.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: libsepol-devel >= %{libsepol_ver}
|
BuildRequires: libsepol-devel >= %{libsepol_ver}
|
||||||
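Review bot: The `# PATCH-FIX-UPSTREAM` comment above `Patch3:` names neither an upstream commit nor a bug reference, so the patch cannot be matched to its upstream change from the spec alone. The changelog entry says it reverts upstream 5a8d8c4 and 9df4988; put the id of the upstream fix, or a bug number, on the comment line so the patch can be identified and dropped at the next version update.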
@ -39,91 +41,68 @@ BuildRequires: pcre-devel
|
|||||||
BuildRequires: pkg-config
|
BuildRequires: pkg-config
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Security-enhanced Linux is a feature of the Linux(R) kernel and a
|
libselinux provides an interface to get and set process and file
|
||||||
number of utilities with enhanced security functionality designed to
|
security contexts and to obtain security policy decisions.
|
||||||
add mandatory access controls to Linux. The Security-enhanced Linux
|
|
||||||
kernel contains new architectural components originally developed to
|
|
||||||
improve the security of the Flask operating system. These architectural
|
|
||||||
components provide general support for the enforcement of many kinds of
|
|
||||||
mandatory access control policies, including those based on the
|
|
||||||
concepts of Type Enforcement(R), Role-based Access Control, and
|
|
||||||
Multi-level Security.
|
|
||||||
|
|
||||||
libselinux provides an API for SELinux applications to get and set
|
|
||||||
process and file security contexts and to obtain security policy
|
|
||||||
decisions. Required for any applications that use the SELinux API.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
%package -n libselinux1
|
%package -n libselinux1
|
||||||
Summary: SELinux library and simple utilities
|
Summary: SELinux runtime library
|
||||||
Group: System/Libraries
|
Group: System/Libraries
|
||||||
|
|
||||||
%description -n libselinux1
|
%description -n libselinux1
|
||||||
Security-enhanced Linux is a feature of the Linux(R) kernel and a
|
libselinux provides an interface to get and set process and file
|
||||||
number of utilities with enhanced security functionality designed to
|
security contexts and to obtain security policy decisions.
|
||||||
add mandatory access controls to Linux. The Security-enhanced Linux
|
|
||||||
kernel contains new architectural components originally developed to
|
|
||||||
improve the security of the Flask operating system. These architectural
|
|
||||||
components provide general support for the enforcement of many kinds of
|
|
||||||
mandatory access control policies, including those based on the
|
|
||||||
concepts of Type Enforcement(R), Role-based Access Control, and
|
|
||||||
Multi-level Security.
|
|
||||||
|
|
||||||
libselinux provides an API for SELinux applications to get and set
|
|
||||||
process and file security contexts and to obtain security policy
|
|
||||||
decisions. Required for any applications that use the SELinux API.
|
|
||||||
|
|
||||||
|
|
||||||
|
(Security-enhanced Linux is a feature of the kernel and some
|
||||||
|
utilities that implement mandatory access control policies, such as
|
||||||
|
Type Enforcement, Role-based Access Control and Multi-Level
|
||||||
|
Security.)
|
||||||
|
|
||||||
%package -n selinux-tools
|
%package -n selinux-tools
|
||||||
Summary: SELinux library and simple utilities
|
Summary: SELinux command-line utilities
|
||||||
Group: System/Base
|
Group: System/Base
|
||||||
|
|
||||||
%description -n selinux-tools
|
%description -n selinux-tools
|
||||||
Security-enhanced Linux is a feature of the Linux(R) kernel and a
|
Security-enhanced Linux is a feature of the kernel and some
|
||||||
number of utilities with enhanced security functionality designed to
|
utilities that implement mandatory access control policies, such as
|
||||||
add mandatory access controls to Linux. The Security-enhanced Linux
|
Type Enforcement, Role-based Access Control and Multi-Level
|
||||||
kernel contains new architectural components originally developed to
|
Security.
|
||||||
improve the security of the Flask operating system. These architectural
|
|
||||||
components provide general support for the enforcement of many kinds of
|
|
||||||
mandatory access control policies, including those based on the
|
|
||||||
concepts of Type Enforcement(R), Role-based Access Control, and
|
|
||||||
Multi-level Security.
|
|
||||||
|
|
||||||
libselinux provides an API for SELinux applications to get and set
|
|
||||||
process and file security contexts and to obtain security policy
|
|
||||||
decisions. Required for any applications that use the SELinux API.
|
|
||||||
|
|
||||||
|
|
||||||
|
This subpackage contains utilities to inspect and administer the
|
||||||
|
system's SELinux state.
|
||||||
|
|
||||||
%package devel
|
%package devel
|
||||||
Summary: Development Include Files and Libraries for SELinux
|
Summary: Development files for the SELinux runtime library
|
||||||
Group: Development/Libraries/C and C++
|
Group: Development/Libraries/C and C++
|
||||||
Requires: glibc-devel
|
Requires: glibc-devel
|
||||||
Requires: libselinux1 = %{version}
|
Requires: libselinux1 = %{version}
|
||||||
#Automatic dependency on libsepol-devel via pkgconfig
|
#Automatic dependency on libsepol-devel via pkgconfig
|
||||||
|
|
||||||
%description devel
|
%description devel
|
||||||
|
libselinux provides an interface to get and set process and file
|
||||||
|
security contexts and to obtain security policy decisions.
|
||||||
|
|
||||||
This package contains the development files, which are
|
This package contains the development files, which are
|
||||||
necessary to develop your own software using libselinux.
|
necessary to develop your own software using libselinux.
|
||||||
|
|
||||||
|
|
||||||
%package devel-static
|
%package devel-static
|
||||||
Summary: Static development Include Files and Libraries for SELinux
|
Summary: Static archives for the SELinux runtime
|
||||||
Group: Development/Libraries/C and C++
|
Group: Development/Libraries/C and C++
|
||||||
Requires: libselinux-devel = %{version}
|
Requires: libselinux-devel = %{version}
|
||||||
|
Requires: pkgconfig(libpcre)
|
||||||
|
Requires: pkgconfig(libsepol)
|
||||||
|
|
||||||
%description devel-static
|
%description devel-static
|
||||||
|
libselinux provides an interface to get and set process and file
|
||||||
|
security contexts and to obtain security policy decisions.
|
||||||
|
|
||||||
This package contains the static development files, which are
|
This package contains the static development files, which are
|
||||||
necessary to develop your own software using libselinux.
|
necessary to develop your own software using libselinux.
|
||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch1
|
%patch1
|
||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
%build
|
%build
|
||||||
make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS"
|
make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS"
|
||||||
|
|
||||||
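Review bot: The new `Requires: pkgconfig(libpcre)` and `Requires: pkgconfig(libsepol)` in the devel-static subpackage are unversioned, while the build itself uses `BuildRequires: libsepol-devel >= %{libsepol_ver}`. A static link pulls libsepol code into the consumer, so the same minimum should apply at install time; consider `Requires: pkgconfig(libsepol) >= %{libsepol_ver}`. Separately, `%patch3 -p1` is applied in `%prep` of this spec only, which is fine if the bindings spec does not build src/init.c or src/load_policy.c, but that is worth stating in the changelog.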
@ -185,8 +164,7 @@ install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready
|
|||||||
%files devel
|
%files devel
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%{_libdir}/libselinux.so
|
%{_libdir}/libselinux.so
|
||||||
%dir %{_includedir}/selinux
|
%{_includedir}/selinux/
|
||||||
%{_includedir}/selinux/*
|
|
||||||
%{_mandir}/man3/*
|
%{_mandir}/man3/*
|
||||||
%{_libdir}/pkgconfig/libselinux.pc
|
%{_libdir}/pkgconfig/libselinux.pc
|
||||||
|
|
||||||
|