Accepting request 415273 from security:SELinux

1

OBS-URL: https://build.opensuse.org/request/show/415273
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=46
Dominique Leuenberger 2016-08-03 09:36:44 +00:00 committed by Git OBS Bridge
parent e69a6c77a7
commit 7308b68a0b
5 changed files with 167 additions and 105 deletions


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
- Update RPM groups, trim description and combine filelist entries.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com


@ -21,10 +21,10 @@
Name: libselinux-bindings Name: libselinux-bindings
Version: 2.5 Version: 2.5
Release: 0 Release: 0
Url: http://userspace.selinuxproject.org/ Summary: SELinux runtime library and simple utilities
Summary: SELinux library and simple utilities
License: GPL-2.0 and SUSE-Public-Domain License: GPL-2.0 and SUSE-Public-Domain
Group: System/Libraries Group: Development/Libraries/C and C++
Url: https://github.com/SELinuxProject/selinux/wiki/Releases
# embedded is the MD5 # embedded is the MD5
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz
@ -41,69 +41,36 @@ BuildRequires: ruby-devel
BuildRequires: swig BuildRequires: swig
%description %description
Security-enhanced Linux is a feature of the Linux(R) kernel and a libselinux provides an interface to get and set process and file
number of utilities with enhanced security functionality designed to security contexts and to obtain security policy decisions.
add mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement(R), Role-based Access Control, and
Multi-level Security.
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
%package -n python-selinux %package -n python-selinux
Summary: SELinux library and simple utilities Summary: Python bindings for the SELinux runtime library
License: SUSE-Public-Domain License: SUSE-Public-Domain
Group: Development/Libraries/Python Group: Development/Libraries/Python
Requires: libselinux1 = %{version} Requires: libselinux1 = %{version}
Requires: python Requires: python
%description -n python-selinux %description -n python-selinux
Security-enhanced Linux is a feature of the Linux(R) kernel and a libselinux provides an interface to get and set process and file
number of utilities with enhanced security functionality designed to security contexts and to obtain security policy decisions.
add mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement(R), Role-based Access Control, and
Multi-level Security.
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
This subpackage contains Python extensions to use SELinux from that
language.
%package -n ruby-selinux %package -n ruby-selinux
Summary: SELinux library and simple utilities Summary: Ruby bindings for the SELinux runtime library
License: SUSE-Public-Domain License: SUSE-Public-Domain
Group: Development/Languages/Ruby Group: Development/Languages/Ruby
Requires: libselinux1 = %{version} Requires: libselinux1 = %{version}
Requires: ruby Requires: ruby
%description -n ruby-selinux %description -n ruby-selinux
Security-enhanced Linux is a feature of the Linux(R) kernel and a libselinux provides an interface to get and set process and file
number of utilities with enhanced security functionality designed to security contexts and to obtain security policy decisions.
add mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement(R), Role-based Access Control, and
Multi-level Security.
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
This subpackage contains Ruby extensions to use SELinux from that
language.
%prep %prep
%setup -q -n libselinux-%{version} %setup -q -n libselinux-%{version}
@ -124,9 +91,8 @@ rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD
%files -n python-selinux %files -n python-selinux
%defattr(-,root,root,-) %defattr(-,root,root,-)
%dir %{py_sitedir}/selinux %{py_sitedir}/selinux/
%{py_sitedir}/_selinux.so %{py_sitedir}/_selinux.so
%{py_sitedir}/selinux/*
%files -n ruby-selinux %files -n ruby-selinux
%defattr(-,root,root,-) %defattr(-,root,root,-)


@ -0,0 +1,93 @@
Index: libselinux-2.5/src/init.c
===================================================================
--- libselinux-2.5.orig/src/init.c
+++ libselinux-2.5/src/init.c
@@ -11,7 +11,6 @@
#include <sys/vfs.h>
#include <stdint.h>
#include <limits.h>
-#include <sys/mount.h>
#include "dso.h"
#include "policy.h"
@@ -57,20 +56,18 @@ static int verify_selinuxmnt(const char
int selinuxfs_exists(void)
{
- int exists = 0, mnt_rc = 0;
+ int exists = 0;
FILE *fp = NULL;
char *buf = NULL;
size_t len;
ssize_t num;
- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
fp = fopen("/proc/filesystems", "r");
- if (!fp) {
- exists = 1; /* Fail as if it exists */
- goto out;
- }
+ if (!fp)
+ return 1; /* Fail as if it exists */
+
__fsetlocking(fp, FSETLOCKING_BYCALLER);
num = getline(&buf, &len, fp);
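Review bot: In selinuxfs_exists(), with the mount("proc", "/proc", ...) call removed, the `if (!fp) return 1; /* Fail as if it exists */` branch becomes the path taken whenever the caller runs without /proc mounted, so the function then reports selinuxfs as present without having checked anything. Extend the comment to say that callers are now expected to have /proc mounted already, and state the same precondition wherever selinuxfs_exists() is documented.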
@@ -85,13 +82,6 @@ int selinuxfs_exists(void)
free(buf);
fclose(fp);
-out:
-#ifndef MNT_DETACH
-#define MNT_DETACH 2
-#endif
- if (mnt_rc == 0)
- umount2("/proc", MNT_DETACH);
-
return exists;
}
hidden_def(selinuxfs_exists)
Index: libselinux-2.5/src/load_policy.c
===================================================================
--- libselinux-2.5.orig/src/load_policy.c
+++ libselinux-2.5/src/load_policy.c
@@ -17,6 +17,10 @@
#include "policy.h"
#include <limits.h>
+#ifndef MNT_DETACH
+#define MNT_DETACH 2
+#endif
+
int security_load_policy(void *data, size_t len)
{
char path[PATH_MAX];
@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforc
fclose(cfg);
free(buf);
}
-#ifndef MNT_DETACH
-#define MNT_DETACH 2
-#endif
- if (rc == 0)
- umount2("/proc", MNT_DETACH);
/*
* Determine the final desired mode.
@@ -402,9 +401,13 @@ int selinux_init_load_policy(int *enforc
}
goto noload;
+ if (rc == 0)
+ umount2("/proc", MNT_DETACH);
}
set_selinuxmnt(mntpoint);
-
+
+ if (rc == 0)
+ umount2("/proc", MNT_DETACH);
/*
* Note: The following code depends on having selinuxfs
* already mounted and selinuxmnt set above.
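Review bot: In the last load_policy.c hunk, the first added `if (rc == 0) umount2("/proc", MNT_DETACH);` is placed after `goto noload;` and before the closing brace, so as shown it can never execute and the temporary /proc mount stays in place on the noload path. Move the two added lines above `goto noload;` so that both exits from this block undo the mount. The `-`/`+` pair just below `set_selinuxmnt(mntpoint);` only swaps an empty line for a whitespace-only one and can be dropped from the patch.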


@ -1,3 +1,23 @@
-------------------------------------------------------------------
Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org
- -devel static subpackage requires libpcre-devel and libsepol-devel
-------------------------------------------------------------------
Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
-------------------------------------------------------------------
Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
- Update RPM groups, trim description and combine filelist entries.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com


@ -21,10 +21,10 @@
Name: libselinux Name: libselinux
Version: 2.5 Version: 2.5
Release: 0 Release: 0
Url: http://userspace.selinuxproject.org/ Summary: SELinux runtime library and utilities
Summary: SELinux library and simple utilities
License: GPL-2.0 and SUSE-Public-Domain License: GPL-2.0 and SUSE-Public-Domain
Group: System/Libraries Group: Development/Libraries/C and C++
Url: https://github.com/SELinuxProject/selinux/wiki/Releases
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz
Source1: selinux-ready Source1: selinux-ready
@ -32,6 +32,8 @@ Source2: baselibs.conf
Patch1: %{name}-2.2-ruby.patch Patch1: %{name}-2.2-ruby.patch
# PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path # PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path
Patch2: python-selinux-swig-3.10.patch Patch2: python-selinux-swig-3.10.patch
# PATCH-FIX-UPSTREAM Avoid mounting /proc outside of selinux_init_load_policy().
Patch3: libselinux-proc-mount-only-if-needed.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: libsepol-devel >= %{libsepol_ver} BuildRequires: libsepol-devel >= %{libsepol_ver}
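Review bot: The `# PATCH-FIX-UPSTREAM` comment above Patch3 carries no upstream reference. The changelog entry names the upstream commits being reverted (5a8d8c4, 9df4988) but not the commit that does the reverting; put the upstream commit id or mailing-list link for the fix on this comment line so the patch can be compared against upstream and dropped at the next version update.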
@ -39,91 +41,68 @@ BuildRequires: pcre-devel
BuildRequires: pkg-config BuildRequires: pkg-config
%description %description
Security-enhanced Linux is a feature of the Linux(R) kernel and a libselinux provides an interface to get and set process and file
number of utilities with enhanced security functionality designed to security contexts and to obtain security policy decisions.
add mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement(R), Role-based Access Control, and
Multi-level Security.
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
%package -n libselinux1 %package -n libselinux1
Summary: SELinux library and simple utilities Summary: SELinux runtime library
Group: System/Libraries Group: System/Libraries
%description -n libselinux1 %description -n libselinux1
Security-enhanced Linux is a feature of the Linux(R) kernel and a libselinux provides an interface to get and set process and file
number of utilities with enhanced security functionality designed to security contexts and to obtain security policy decisions.
add mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement(R), Role-based Access Control, and
Multi-level Security.
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
(Security-enhanced Linux is a feature of the kernel and some
utilities that implement mandatory access control policies, such as
Type Enforcement, Role-based Access Control and Multi-Level
Security.)
%package -n selinux-tools %package -n selinux-tools
Summary: SELinux library and simple utilities Summary: SELinux command-line utilities
Group: System/Base Group: System/Base
%description -n selinux-tools %description -n selinux-tools
Security-enhanced Linux is a feature of the Linux(R) kernel and a Security-enhanced Linux is a feature of the kernel and some
number of utilities with enhanced security functionality designed to utilities that implement mandatory access control policies, such as
add mandatory access controls to Linux. The Security-enhanced Linux Type Enforcement, Role-based Access Control and Multi-Level
kernel contains new architectural components originally developed to Security.
improve the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement(R), Role-based Access Control, and
Multi-level Security.
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
This subpackage contains utilities to inspect and administer the
system's SELinux state.
%package devel %package devel
Summary: Development Include Files and Libraries for SELinux Summary: Development files for the SELinux runtime library
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: glibc-devel Requires: glibc-devel
Requires: libselinux1 = %{version} Requires: libselinux1 = %{version}
#Automatic dependency on libsepol-devel via pkgconfig #Automatic dependency on libsepol-devel via pkgconfig
%description devel %description devel
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
This package contains the development files, which are This package contains the development files, which are
necessary to develop your own software using libselinux. necessary to develop your own software using libselinux.
%package devel-static %package devel-static
Summary: Static development Include Files and Libraries for SELinux Summary: Static archives for the SELinux runtime
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: libselinux-devel = %{version} Requires: libselinux-devel = %{version}
Requires: pkgconfig(libpcre)
Requires: pkgconfig(libsepol)
%description devel-static %description devel-static
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
This package contains the static development files, which are This package contains the static development files, which are
necessary to develop your own software using libselinux. necessary to develop your own software using libselinux.
%prep %prep
%setup -q %setup -q
%patch1 %patch1
%patch2 -p1 %patch2 -p1
%patch3 -p1
%build %build
make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS" make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS"
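Review bot: The new `Requires: pkgconfig(libsepol)` on devel-static is unversioned, while the build of the same package uses `BuildRequires: libsepol-devel >= %{libsepol_ver}`. A static archive is linked against whatever libsepol-devel is installed at that time, so carry the same lower bound here, for example `Requires: pkgconfig(libsepol) >= %{libsepol_ver}`. The `#Automatic dependency on libsepol-devel via pkgconfig` comment on the devel subpackage could also note why the static subpackage needs the explicit entries.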
@ -185,8 +164,7 @@ install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready
%files devel %files devel
%defattr(-,root,root,-) %defattr(-,root,root,-)
%{_libdir}/libselinux.so %{_libdir}/libselinux.so
%dir %{_includedir}/selinux %{_includedir}/selinux/
%{_includedir}/selinux/*
%{_mandir}/man3/* %{_mandir}/man3/*
%{_libdir}/pkgconfig/libselinux.pc %{_libdir}/pkgconfig/libselinux.pc