Accepting request 820925 from home:jsegitz:branches:security:SELinux

- Update to version 3.1:
  * selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
    removed. All userspace object managers should have been updated to use the
    dynamic class/perm mapping support.
    Use string_to_security_class(3) and string_to_av_perm(3) to map the class
    and permission names to their policy values, or selinux_set_mapping(3) to
    create a mapping from class and permission index values used by the
    application to the policy values.
  * Removed restrictions in libsepol and checkpolicy that required all declared
    initial SIDs to be assigned a context.
  * Support for new policy capability genfs_seclabel_symlinks
  * selinuxfs is mounted with noexec and nosuid
  * `security_compute_user()` was deprecated
  * Refreshed python3.8-compat.patch

- Update to version 3.1:
  * selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
    removed. All userspace object managers should have been updated to use the
    dynamic class/perm mapping support.
    Use string_to_security_class(3) and string_to_av_perm(3) to map the class
    and permission names to their policy values, or selinux_set_mapping(3) to
    create a mapping from class and permission index values used by the
    application to the policy values.
  * Removed restrictions in libsepol and checkpolicy that required all declared
    initial SIDs to be assigned a context.
  * Support for new policy capability genfs_seclabel_symlinks
  * selinuxfs is mounted with noexec and nosuid
  * `security_compute_user()` was deprecated

OBS-URL: https://build.opensuse.org/request/show/820925
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=126

libselinux-3.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2ea2b30f671dae9d6b1391cbe8fb2ce5d36a3ee4fb1cd3c32f0d933c31b82433
-size 212096

libselinux-3.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ea5dcbb4d859e3f999c26a13c630da2f16dff9462e3cc8cb7b458ac157d112e7
+size 204703

libselinux-bindings.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Tue Jul 14 08:24:20 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 3.1:
+  * selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
+    removed. All userspace object managers should have been updated to use the
+    dynamic class/perm mapping support.
+
+    Use string_to_security_class(3) and string_to_av_perm(3) to map the class
+    and permission names to their policy values, or selinux_set_mapping(3) to
+    create a mapping from class and permission index values used by the
+    application to the policy values.
+  * Removed restrictions in libsepol and checkpolicy that required all declared
+    initial SIDs to be assigned a context.
+  * Support for new policy capability genfs_seclabel_symlinks
+  * selinuxfs is mounted with noexec and nosuid
+  * `security_compute_user()` was deprecated
+  * Refreshed python3.8-compat.patch
+
 -------------------------------------------------------------------
 Tue Mar  3 11:13:12 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
 

libselinux-bindings.spec

@@ -17,9 +17,9 @@
 
 
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
-%define libsepol_ver 3.0
+%define libsepol_ver 3.1
 Name:           libselinux-bindings
-Version:        3.0
+Version:        3.1
 Release:        0
 Summary:        SELinux runtime library and simple utilities
 License:        SUSE-Public-Domain
@@ -83,10 +83,10 @@ language.
 
 %build
 %define _lto_cflags %{nil}
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src V=1
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" -C src V=1
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src swigify V=1
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" -C src swigify V=1
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src pywrap V=1
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" -C src pywrap V=1
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src rubywrap V=1
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" -C src rubywrap V=1
 
 %install
 make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a -C src install V=1

libselinux.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Jul 14 08:24:20 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 3.1:
+  * selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
+    removed. All userspace object managers should have been updated to use the
+    dynamic class/perm mapping support.
+
+    Use string_to_security_class(3) and string_to_av_perm(3) to map the class
+    and permission names to their policy values, or selinux_set_mapping(3) to
+    create a mapping from class and permission index values used by the
+    application to the policy values.
+  * Removed restrictions in libsepol and checkpolicy that required all declared
+    initial SIDs to be assigned a context.
+  * Support for new policy capability genfs_seclabel_symlinks
+  * selinuxfs is mounted with noexec and nosuid
+  * `security_compute_user()` was deprecated
+
 -------------------------------------------------------------------
 Thu Mar 26 15:43:41 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
 

libselinux.spec

@@ -16,15 +16,15 @@
 #
 
 
-%define libsepol_ver 3.0
+%define libsepol_ver 3.1
 Name:           libselinux
-Version:        3.0
+Version:        3.1
 Release:        0
 Summary:        SELinux runtime library and utilities
 License:        SUSE-Public-Domain
 Group:          Development/Libraries/C and C++
 URL:            https://github.com/SELinuxProject/selinux/wiki/Releases
-Source:         https://github.com/SELinuxProject/selinux/releases/download/20191204/%{name}-%{version}.tar.gz
+Source:         https://github.com/SELinuxProject/selinux/releases/download/20200710/%{name}-%{version}.tar.gz
 Source1:        selinux-ready
 Source2:        baselibs.conf
 # PATCH-FIX-UPSTREAM Include <sys/uio.h> for readv prototype
@@ -100,7 +100,7 @@ necessary to develop your own software using libselinux.
 
 %build
 %define _lto_cflags %{nil}
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="gcc" CFLAGS="%{optflags}"
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="gcc" CFLAGS="%{optflags} -fno-semantic-interposition"
 
 %install
 mkdir -p %{buildroot}/%{_lib}

python3.8-compat.patch

@@ -1,5 +1,7 @@
---- a/src/Makefile
+Index: libselinux-3.1/src/Makefile
-+++ b/src/Makefile
+===================================================================
+--- libselinux-3.1.orig/src/Makefile
++++ libselinux-3.1/src/Makefile
 @@ -13,7 +13,11 @@ LIBDIR ?= $(PREFIX)/lib
  SHLIBDIR ?= /lib
  INCLUDEDIR ?= $(PREFIX)/include
@@ -10,5 +12,5 @@
  PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
 +endif
  PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))")
- PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])')
+ PYCEXT ?= $(shell $(PYTHON) -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])')
  RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')