Accepting request 415273 from security:SELinux

1

OBS-URL: https://build.opensuse.org/request/show/415273
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=46

libselinux-bindings.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
+
+- Update RPM groups, trim description and combine filelist entries.
+
 -------------------------------------------------------------------
 Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com
 

libselinux-bindings.spec

@@ -21,10 +21,10 @@
 Name:           libselinux-bindings
 Version:        2.5
 Release:        0
-Url:            http://userspace.selinuxproject.org/
-Summary:        SELinux library and simple utilities
+Summary:        SELinux runtime library and simple utilities
 License:        GPL-2.0 and SUSE-Public-Domain
-Group:          System/Libraries
+Group:          Development/Libraries/C and C++
+Url:            https://github.com/SELinuxProject/selinux/wiki/Releases
 
 # embedded is the MD5
 Source:         https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz
@@ -41,69 +41,36 @@ BuildRequires:  ruby-devel
 BuildRequires:  swig
 
 %description
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
-number of utilities with enhanced security functionality designed to
-add mandatory access controls to Linux.  The Security-enhanced Linux
-kernel contains new architectural components originally developed to
-improve the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
-Multi-level Security.
-
-libselinux provides an API for SELinux applications to get and set
-process and file security contexts and to obtain security policy
-decisions.  Required for any applications that use the SELinux API.
-
-
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
 
 %package -n python-selinux
-Summary:        SELinux library and simple utilities
+Summary:        Python bindings for the SELinux runtime library
 License:        SUSE-Public-Domain
 Group:          Development/Libraries/Python
 Requires:       libselinux1 = %{version}
 Requires:       python
 
 %description -n python-selinux
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
-number of utilities with enhanced security functionality designed to
-add mandatory access controls to Linux.  The Security-enhanced Linux
-kernel contains new architectural components originally developed to
-improve the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
-Multi-level Security.
-
-libselinux provides an API for SELinux applications to get and set
-process and file security contexts and to obtain security policy
-decisions.  Required for any applications that use the SELinux API.
-
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
 
+This subpackage contains Python extensions to use SELinux from that
+language.
 
 %package -n ruby-selinux
-Summary:        SELinux library and simple utilities
+Summary:        Ruby bindings for the SELinux runtime library
 License:        SUSE-Public-Domain
 Group:          Development/Languages/Ruby
 Requires:       libselinux1 = %{version}
 Requires:       ruby
 
 %description -n ruby-selinux
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
-number of utilities with enhanced security functionality designed to
-add mandatory access controls to Linux.  The Security-enhanced Linux
-kernel contains new architectural components originally developed to
-improve the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
-Multi-level Security.
-
-libselinux provides an API for SELinux applications to get and set
-process and file security contexts and to obtain security policy
-decisions.  Required for any applications that use the SELinux API.
-
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
 
+This subpackage contains Ruby extensions to use SELinux from that
+language.
 
 %prep
 %setup -q -n libselinux-%{version}
@@ -124,9 +91,8 @@ rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD
 
 %files -n python-selinux
 %defattr(-,root,root,-)
-%dir %{py_sitedir}/selinux
+%{py_sitedir}/selinux/
 %{py_sitedir}/_selinux.so
-%{py_sitedir}/selinux/*
 
 %files -n ruby-selinux
 %defattr(-,root,root,-)

libselinux-proc-mount-only-if-needed.patch

@@ -0,0 +1,93 @@
+Index: libselinux-2.5/src/init.c
+===================================================================
+--- libselinux-2.5.orig/src/init.c
++++ libselinux-2.5/src/init.c
+@@ -11,7 +11,6 @@
+ #include <sys/vfs.h>
+ #include <stdint.h>
+ #include <limits.h>
+-#include <sys/mount.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,20 +56,18 @@ static int verify_selinuxmnt(const char
+ 
+ int selinuxfs_exists(void)
+ {
+-	int exists = 0, mnt_rc = 0;
++	int exists = 0;
+ 	FILE *fp = NULL;
+ 	char *buf = NULL;
+ 	size_t len;
+ 	ssize_t num;
+ 
+-	mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ 
+ 	fp = fopen("/proc/filesystems", "r");
+-	if (!fp) {
+-		exists = 1; /* Fail as if it exists */
+-		goto out;
+-	}
+ 
++	if (!fp)
++		return 1; /* Fail as if it exists */
++	
+ 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
+ 
+ 	num = getline(&buf, &len, fp);
+@@ -85,13 +82,6 @@ int selinuxfs_exists(void)
+ 	free(buf);
+ 	fclose(fp);
+ 
+-out:
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+-	if (mnt_rc == 0)
+-		umount2("/proc", MNT_DETACH);
+-
+ 	return exists;
+ }
+ hidden_def(selinuxfs_exists)
+Index: libselinux-2.5/src/load_policy.c
+===================================================================
+--- libselinux-2.5.orig/src/load_policy.c
++++ libselinux-2.5/src/load_policy.c
+@@ -17,6 +17,10 @@
+ #include "policy.h"
+ #include <limits.h>
+ 
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++
+ int security_load_policy(void *data, size_t len)
+ {
+ 	char path[PATH_MAX];
+@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforc
+ 		fclose(cfg);
+ 		free(buf);
+ 	}
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+-	if (rc == 0)
+-		umount2("/proc", MNT_DETACH);
+ 
+ 	/* 
+ 	 * Determine the final desired mode.
+@@ -402,9 +401,13 @@ int selinux_init_load_policy(int *enforc
+ 		}
+                 
+ 		goto noload;
++		if (rc == 0)
++			umount2("/proc", MNT_DETACH);
+ 	}
+ 	set_selinuxmnt(mntpoint);
+-
++	
++		if (rc == 0)
++			umount2("/proc", MNT_DETACH);
+ 	/*
+ 	 * Note:  The following code depends on having selinuxfs 
+ 	 * already mounted and selinuxmnt set above.

libselinux.changes

@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org
+
+- -devel static subpackage requires libpcre-devel and libsepol-devel
+
+
+-------------------------------------------------------------------
+Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org
+
+- Avoid mounting /proc outside of selinux_init_load_policy().
+  (Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
+  among other things systemd seccomp sandboxing otherwise all
+  filters must allow mount(2)
+  (libselinux-proc-mount-only-if-needed.patch)
+
+-------------------------------------------------------------------
+Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
+
+- Update RPM groups, trim description and combine filelist entries.
+
 -------------------------------------------------------------------
 Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com
 

libselinux.spec

@@ -21,10 +21,10 @@
 Name:           libselinux
 Version:        2.5
 Release:        0
-Url:            http://userspace.selinuxproject.org/
-Summary:        SELinux library and simple utilities
+Summary:        SELinux runtime library and utilities
 License:        GPL-2.0 and SUSE-Public-Domain
-Group:          System/Libraries
+Group:          Development/Libraries/C and C++
+Url:            https://github.com/SELinuxProject/selinux/wiki/Releases
 
 Source:         https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz
 Source1:        selinux-ready
@@ -32,6 +32,8 @@ Source2:        baselibs.conf
 Patch1:         %{name}-2.2-ruby.patch
 # PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path
 Patch2:         python-selinux-swig-3.10.patch
+# PATCH-FIX-UPSTREAM Avoid mounting /proc outside of selinux_init_load_policy().
+Patch3:         libselinux-proc-mount-only-if-needed.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  fdupes
 BuildRequires:  libsepol-devel >= %{libsepol_ver}
@@ -39,91 +41,68 @@ BuildRequires:  pcre-devel
 BuildRequires:  pkg-config
 
 %description
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
-number of utilities with enhanced security functionality designed to
-add mandatory access controls to Linux.  The Security-enhanced Linux
-kernel contains new architectural components originally developed to
-improve the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
-Multi-level Security.
-
-libselinux provides an API for SELinux applications to get and set
-process and file security contexts and to obtain security policy
-decisions.  Required for any applications that use the SELinux API.
-
-
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
 
 %package -n libselinux1
-Summary:        SELinux library and simple utilities
+Summary:        SELinux runtime library
 Group:          System/Libraries
 
 %description -n libselinux1
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
-number of utilities with enhanced security functionality designed to
-add mandatory access controls to Linux.  The Security-enhanced Linux
-kernel contains new architectural components originally developed to
-improve the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
-Multi-level Security.
-
-libselinux provides an API for SELinux applications to get and set
-process and file security contexts and to obtain security policy
-decisions.  Required for any applications that use the SELinux API.
-
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
 
+(Security-enhanced Linux is a feature of the kernel and some
+utilities that implement mandatory access control policies, such as
+Type Enforcement, Role-based Access Control and Multi-Level
+Security.)
 
 %package -n selinux-tools
-Summary:        SELinux library and simple utilities
+Summary:        SELinux command-line utilities
 Group:          System/Base
 
 %description -n selinux-tools
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
-number of utilities with enhanced security functionality designed to
-add mandatory access controls to Linux.  The Security-enhanced Linux
-kernel contains new architectural components originally developed to
-improve the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
-Multi-level Security.
-
-libselinux provides an API for SELinux applications to get and set
-process and file security contexts and to obtain security policy
-decisions.  Required for any applications that use the SELinux API.
-
+Security-enhanced Linux is a feature of the kernel and some
+utilities that implement mandatory access control policies, such as
+Type Enforcement, Role-based Access Control and Multi-Level
+Security.
 
+This subpackage contains utilities to inspect and administer the
+system's SELinux state.
 
 %package devel
-Summary:        Development Include Files and Libraries for SELinux
+Summary:        Development files for the SELinux runtime library
 Group:          Development/Libraries/C and C++
 Requires:       glibc-devel
 Requires:       libselinux1 = %{version}
 #Automatic dependency on libsepol-devel via pkgconfig
 
 %description devel
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
 This package contains the development files, which are
 necessary to develop your own software using libselinux.
 
-
 %package devel-static
-Summary:        Static development Include Files and Libraries for SELinux
+Summary:        Static archives for the SELinux runtime
 Group:          Development/Libraries/C and C++
 Requires:       libselinux-devel = %{version}
+Requires:       pkgconfig(libpcre)
+Requires:       pkgconfig(libsepol)
 
 %description devel-static
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
 This package contains the static development files, which are
 necessary to develop your own software using libselinux.
 
-
 %prep
 %setup -q
 %patch1
 %patch2 -p1
-
+%patch3 -p1
 %build
 make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS"
 
@@ -185,8 +164,7 @@ install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready
 %files devel
 %defattr(-,root,root,-)
 %{_libdir}/libselinux.so
-%dir %{_includedir}/selinux
-%{_includedir}/selinux/*
+%{_includedir}/selinux/
 %{_mandir}/man3/*
 %{_libdir}/pkgconfig/libselinux.pc