From 844dc82ee51fe6df9368c7abb8726c2432df36ed38ecfb203014a020c4224d05 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Sun, 3 Aug 2008 02:41:25 +0000
Subject: [PATCH 01/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=1
---
baselibs.conf | 1 -
libselinux-2.0.67-rhat.patch | 369 +++++++++++++++++++++++++
libselinux-2.0.67.tar.bz2 | 3 +
libselinux-2.8.tar.gz | 3 -
libselinux.changes | 508 ----------------------------------
libselinux.spec | 322 ++++++++++------------
python3.patch | 13 -
readv-proto.patch | 12 -
ready | 0
selinux-ready | 272 -------------------
10 files changed, 521 insertions(+), 982 deletions(-)
delete mode 100644 baselibs.conf
create mode 100644 libselinux-2.0.67-rhat.patch
create mode 100644 libselinux-2.0.67.tar.bz2
delete mode 100644 libselinux-2.8.tar.gz
delete mode 100644 python3.patch
delete mode 100644 readv-proto.patch
create mode 100644 ready
delete mode 100644 selinux-ready
diff --git a/baselibs.conf b/baselibs.conf
deleted file mode 100644
index 115b88a..0000000
--- a/baselibs.conf
+++ /dev/null
@@ -1 +0,0 @@
-libselinux1
diff --git a/libselinux-2.0.67-rhat.patch b/libselinux-2.0.67-rhat.patch
new file mode 100644
index 0000000..b0dbffc
--- /dev/null
+++ b/libselinux-2.0.67-rhat.patch
@@ -0,0 +1,369 @@
+diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/freecon.3 libselinux-2.0.67/man/man3/freecon.3
+--- nsalibselinux/man/man3/freecon.3 2008-06-12 23:25:12.000000000 -0400
++++ libselinux-2.0.67/man/man3/freecon.3 2008-07-09 16:52:33.000000000 -0400
+@@ -15,6 +15,11 @@
+ .B freeconary
+ frees the memory allocated for a context array.
+ 
++If
++.I con
++is NULL, no operation is performed.
++
++
+ .SH "SEE ALSO"
+ .BR selinux "(8)"
+ 
+diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.67/man/man8/selinuxconlist.8
+--- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500
++++ libselinux-2.0.67/man/man8/selinuxconlist.8 2008-07-09 16:52:33.000000000 -0400
+@@ -0,0 +1,18 @@
++.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
++.SH "NAME"
++selinuxconlist \- list all SELinux context reachable for user
++.SH "SYNOPSIS"
++.B selinuxconlist [-l level] user [context]
++
++.SH "DESCRIPTION"
++.B selinuxconlist
++reports the list of context reachable for user from the current context or specified context
++
++.B \-l level
++mcs/mls level
++
++.SH AUTHOR
++This manual page was written by Dan Walsh .
++
++.SH "SEE ALSO"
++secon(8), selinuxdefcon(8)
+diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.67/man/man8/selinuxdefcon.8
+--- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500
++++ libselinux-2.0.67/man/man8/selinuxdefcon.8 2008-07-09 16:52:33.000000000 -0400
+@@ -0,0 +1,19 @@
++.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
++.SH "NAME"
++selinuxdefcon \- list default SELinux context for user
++
++.SH "SYNOPSIS"
++.B selinuxdefcon [-l level] user [fromcon]
++
++.SH "DESCRIPTION"
++.B seconlist
++reports the default context for the specified user from current context or specified context
++
++.B \-l level
++mcs/mls level
++
++.SH AUTHOR
++This manual page was written by Dan Walsh .
++
++.SH "SEE ALSO"
++secon(8), selinuxconlist(8)
+diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.67/src/Makefile
+--- nsalibselinux/src/Makefile 2008-06-22 09:40:25.000000000 -0400
++++ libselinux-2.0.67/src/Makefile 2008-07-09 16:56:37.000000000 -0400
+@@ -7,16 +7,24 @@
+ PYINC ?= /usr/include/$(PYLIBVER)
+ PYLIB ?= /usr/lib/$(PYLIBVER)
+ PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
++RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
++RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM')
++RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
++RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
+ 
+ LIBVERSION = 1
+ 
+ LIBA=libselinux.a
+ TARGET=libselinux.so
+ SWIGIF= selinuxswig_python.i
++SWIGRUBYIF= selinuxswig_ruby.i
+ SWIGCOUT= selinuxswig_wrap.c
++SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
+ SWIGLOBJ:= $(patsubst %.c,%.lo,$(SWIGCOUT))
++SWIGRUBYLOBJ:= $(patsubst %.c,%.lo,$(SWIGRUBYCOUT))
+ SWIGSO=_selinux.so
+ SWIGFILES=$(SWIGSO) selinux.py
++SWIGRUBYSO=_rubyselinux.so
+ LIBSO=$(TARGET).$(LIBVERSION)
+ AUDIT2WHYSO=audit2why.so
+ 
+@@ -29,7 +37,9 @@
+ ifeq ($(DISABLE_RPM),y)
+ 
UNUSED_SRCS+=rpm.c
+ endif
+-SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out audit2why.c $(SWIGCOUT),$(wildcard *.c)))
++
++GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT)
++SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out audit2why.c $(GENERATED),$(wildcard *.c)))
+ 
+ OBJS= $(patsubst %.c,%.o,$(SRCS))
+ LOBJS= $(patsubst %.c,%.lo,$(SRCS))
+@@ -44,11 +54,11 @@
+ 
+ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
+ 
+-GENERATED=$(SWIGCOUT)
++SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./
+ 
+ all: $(LIBA) $(LIBSO)
+ 
+-pywrap: all $(SWIGSO) $(AUDIT2WHYSO)
++pywrap: all $(SWIGSO) $(AUDIT2WHYSO) $(SWIGRUBYSO)
+ 
+ $(LIBA): $(OBJS)
+ $(AR) rcs $@ $^
+@@ -57,8 +67,14 @@
+ $(SWIGLOBJ): $(SWIGCOUT)
+ $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(PYINC) -fPIC -DSHARED -c -o $@ $<
+ 
++$(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
++ $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $<
++
+ $(SWIGSO): $(SWIGLOBJ)
+- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
++ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
++
++$(SWIGRUBYSO): $(SWIGRUBYLOBJ)
++ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. 
-lselinux -L$(LIBDIR) -Wl,-soname,$@
+ 
+ $(LIBSO): $(LOBJS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
+@@ -79,6 +95,9 @@
+ $(SWIGCOUT): $(SWIGIF)
+ $(SWIG) $^
+ 
++$(SWIGRUBYCOUT): $(SWIGRUBYIF)
++ $(SWIGRUBY) $^
++
+ swigify: $(SWIGIF)
+ $(SWIG) $^
+ 
+@@ -95,6 +114,9 @@
+ install -m 755 $(AUDIT2WHYSO) $(PYTHONLIBDIR)/site-packages/selinux
+ install -m 644 selinux.py $(PYTHONLIBDIR)/site-packages/selinux/__init__.py
+ 
++ test -d $(RUBYINSTALL) || install -m 755 -d $(RUBYINSTALL)
++ install -m 755 $(SWIGRUBYSO) $(RUBYINSTALL)/selinux.so
++
+ relabel:
+ /sbin/restorecon $(SHLIBDIR)/$(LIBSO)
+ 
+@@ -102,7 +124,7 @@
+ -rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~
+ 
+ distclean: clean
+- rm -f $(SWIGCOUT) $(SWIGFILES)
++ rm -f $(GENERATED) $(SWIGFILES)
+ 
+ indent:
+ ../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))
+diff --exclude-from=exclude -N -u -r nsalibselinux/src/audit2why.c libselinux-2.0.67/src/audit2why.c
+--- nsalibselinux/src/audit2why.c 2008-06-12 23:25:14.000000000 -0400
++++ libselinux-2.0.67/src/audit2why.c 2008-07-09 16:52:33.000000000 -0400
+@@ -55,7 +55,7 @@
+ return 0;
+ }
+ 
+-static int check_booleans(struct avc_t *avc, struct boolean_t **bools)
++static int check_booleans(struct boolean_t **bools)
+ {
+ char errormsg[PATH_MAX];
+ struct sepol_av_decision avd;
+@@ -376,7 +376,7 @@
+ avc->tsid = tsid;
+ avc->tclass = tclass;
+ avc->av = av;
+- if (check_booleans(avc, &bools) == 0) {
++ if (check_booleans(&bools) == 0) {
+ if (av & ~avd.auditdeny) {
+ RETURN(DONTAUDIT)
+ } else {
+@@ -390,15 +390,15 @@
+ len++; b++;
+ }
+ b = bools;
+- PyObject *boollist = PyTuple_New(len);
++ PyObject *outboollist = PyTuple_New(len);
+ len=0;
+ while(b->name) {
+ PyObject *bool = Py_BuildValue("(si)", b->name, b->active);
+- PyTuple_SetItem(boollist, len++, bool);
++ PyTuple_SetItem(outboollist, len++, bool);
+ b++;
+ }
+ free(bools);
+- 
PyTuple_SetItem(result, 1, boollist);
++ PyTuple_SetItem(result, 1, outboollist);
+ return result;
+ }
+ }
+diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.67/src/matchpathcon.c
+--- nsalibselinux/src/matchpathcon.c 2008-06-12 23:25:14.000000000 -0400
++++ libselinux-2.0.67/src/matchpathcon.c 2008-07-09 16:52:33.000000000 -0400
+@@ -2,6 +2,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "selinux_internal.h"
+ #include "label_internal.h"
+ #include "callbacks.h"
+@@ -57,7 +58,7 @@
+ {
+ va_list ap;
+ va_start(ap, fmt);
+- vfprintf(stderr, fmt, ap);
++ vsyslog(LOG_ERR, fmt, ap);
+ va_end(ap);
+ }
+ 
+diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_ruby.i libselinux-2.0.67/src/selinuxswig_ruby.i
+--- nsalibselinux/src/selinuxswig_ruby.i 1969-12-31 19:00:00.000000000 -0500
++++ libselinux-2.0.67/src/selinuxswig_ruby.i 2008-07-09 16:52:33.000000000 -0400
+@@ -0,0 +1,147 @@
++/* Author: James Athey
++ */
++
++%module selinux
++%{
++ #include "selinux/selinux.h"
++%}
++
++/* security_get_boolean_names() typemap */
++/*
++%typemap(argout) (char ***names, int *len) {
++ PyObject* list = PyList_New(*$2);
++ int i;
++ for (i = 0; i < *$2; i++) {
++ PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
++ }
++ $result = SWIG_Python_AppendOutput($result, list);
++}
++*/
++/* return a sid along with the result */
++%typemap(argout) (security_id_t * sid) {
++ if (*$1) {
++ %append_output(SWIG_NewPointerObj(*$1, $descriptor(security_id_t), 0));
++ }
++/* else {
++ Py_INCREF(Py_None);
++ %append_output(Py_None);
++ }
++*/
++}
++
++%typemap(in,numinputs=0) security_id_t *(security_id_t temp) {
++ $1 = &temp;
++}
++
++/* Makes security_compute_user() return a Python list of contexts */
++/*
++%typemap(argout) (security_context_t **con) {
++ PyObject* plist;
++ int i, len = 0;
++
++ if (*$1) {
++ while((*$1)[len])
++ len++;
++ plist = PyList_New(len);
++ for (i = 0; i < len; i++) {
++ PyList_SetItem(plist, i, 
PyString_FromString((*$1)[i]));
++ }
++ } else {
++ plist = PyList_New(0);
++ }
++
++ $result = SWIG_Python_AppendOutput($result, plist);
++}
++*/
++/* Makes functions in get_context_list.h return a Python list of contexts */
++
++#ifdef fixme
++%typemap(argout) (security_context_t **list) {
++ PyObject* plist;
++ int i;
++
++ if (*$1) {
++ plist = PyList_New(result);
++ for (i = 0; i < result; i++) {
++ PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
++ }
++ } else {
++ plist = PyList_New(0);
++ }
++ /* Only return the Python list, don't need to return the length anymore */
++ $result = plist;
++}
++#endif
++
++%typemap(in,noblock=1,numinputs=0) security_context_t * (security_context_t temp = 0) {
++ $1 = &temp;
++}
++%typemap(freearg,match="in") security_context_t * "";
++%typemap(argout,noblock=1) security_context_t * {
++ if (*$1) {
++ %append_output(SWIG_FromCharPtr(*$1));
++ freecon(*$1);
++ }
++/*
++ else {
++ Py_INCREF(Py_None);
++ %append_output(Py_None);
++ }
++*/
++}
++
++%typemap(in,noblock=1,numinputs=0) char ** (char * temp = 0) {
++ $1 = &temp;
++}
++%typemap(freearg,match="in") char ** "";
++%typemap(argout,noblock=1) char ** {
++ if (*$1) {
++ %append_output(SWIG_FromCharPtr(*$1));
++ free(*$1);
++ }
++/*
++ else {
++ Py_INCREF(Py_None);
++ %append_output(Py_None);
++ }
++*/
++}
++/*
++%typemap(in) char * const [] {
++ int i, size;
++ PyObject * s;
++
++ if (!PySequence_Check($input)) {
++ PyErr_SetString(PyExc_ValueError, "Expected a sequence");
++ return NULL;
++ }
++
++ size = PySequence_Size($input);
++
++ $1 = (char**) malloc(size + 1);
++ for(i = 0; i < size; i++) {
++ if (!PyString_Check(PySequence_GetItem($input, i))) {
++ PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings");
++ return NULL;
++ }
++ }
++
++ for(i = 0; i < size; i++) {
++ s = PySequence_GetItem($input, i);
++ $1[i] = (char*) malloc(PyString_Size(s) + 1);
++ strcpy($1[i], PyString_AsString(s));
++ }
++ $1[size] = NULL;
++}
++*/
++
++%typemap(freearg,match="in") char * const [] {
++ int i = 0;
++ while($1[i]) {
++ free($1[i]);
++ i++;
++ }
++ free($1);
++}
++
++%include "selinuxswig.i"
diff --git a/libselinux-2.0.67.tar.bz2 b/libselinux-2.0.67.tar.bz2
new file mode 100644
index 0000000..6146ab7
--- /dev/null
+++ b/libselinux-2.0.67.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c6044bb0e9531dfa21aa297b28fcef26df16c46f6d33b567942833524e96a92d
+size 135165
diff --git a/libselinux-2.8.tar.gz b/libselinux-2.8.tar.gz
deleted file mode 100644
index 8bfdf6e..0000000
--- a/libselinux-2.8.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:31db96ec7643ce10912b3c3f98506a08a9116dcfe151855fd349c3fda96187e1
-size 187759
diff --git a/libselinux.changes b/libselinux.changes
index a94eadd..652a2bc 100644
--- a/libselinux.changes
+++ b/libselinux.changes
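Review bot: The `clean` recipe in the src/Makefile part of this patch (context line under `@@ -102,7 +124,7 @@`) still removes only `$(SWIGLOBJ) $(SWIGSO)` among the SWIG outputs, so the new `_rubyselinux.so` survives `make clean` even though `distclean` was taught about `$(GENERATED)`; add `$(SWIGRUBYSO)` to that `-rm -f` line. The new `RUBYLIBVER ?= $(shell ruby …)` and `RUBYPLATFORM ?= $(shell ruby …)` are recursively expanded, so ruby is spawned again on every reference to them; guarding a `:=` assignment with `ifndef` keeps the override semantics without the repeated forks. In the added selinuxswig_ruby.i the `%typemap(freearg,match="in") char * const []` block is left active while the `%typemap(in) char * const []` that allocated those strings is commented out, and whether SWIG's `match="in"` then drops the freearg or runs it against a caller-supplied array depends on typemap matching, so the pair should be enabled or disabled together. The matchpathcon.c part also switches the library's default error callback from `vfprintf(stderr, …)` to `vsyslog(LOG_ERR, …)`, which changes where diagnostics land for every consumer that has not registered its own callback and deserves a sentence in the patch header or libselinux.changes.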
@@ -1,511 +1,3 @@ -------------------------------------------------------------------- -Thu Nov 29 19:10:14 UTC 2018 - Jan Engelhardt - -- Replace old $RPM_* shell vars. - -------------------------------------------------------------------- -Wed Nov 21 10:38:23 UTC 2018 - jsegitz@suse.com - -- Merged libselinux-bindings back into main spec file - -------------------------------------------------------------------- -Wed Oct 17 11:48:30 UTC 2018 - jsegitz@suse.com - -- Update to version 2.8 (bsc#1111732). - For changes please see - https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt - -------------------------------------------------------------------- -Mon May 14 22:45:54 UTC 2018 - mcepl@cepl.eu - -- Update to version 2.7. - * %files needed to be heavily modified - * Based expressly on python3, not just python - For changes please see - https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt - -------------------------------------------------------------------- -Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com - -- Update to version 2.6. 
Notable changes: - * selinux_restorecon: fix realpath logic - * sefcontext_compile: invert semantics of "-r" flag - * sefcontext_compile: Add "-i" flag - * Introduce configurable backends - * Add function to find security.restorecon_last entries - * Add openrc_contexts functions - * Add support for pcre2 - * Handle NULL pcre study data - * Add setfiles support to selinux_restorecon(3) - * Evaluate inodes in selinux_restorecon(3) - * Change the location of _selinux.so - * Explain how to free policy type from selinux_getpolicytype() - * Compare absolute pathname in matchpathcon -V - * Add selinux_snapperd_contexts_path() - * Modify audit2why analyze function to use loaded policy - * Avoid mounting /proc outside of selinux_init_load_policy() - * Fix location of selinuxfs mount point - * Only mount /proc if necessary - * procattr: return einval for <= 0 pid args - * procattr: return error on invalid pid_t input -- Dropped - * libselinux-2.2-ruby.patch - * libselinux-proc-mount-only-if-needed.patch - * python-selinux-swig-3.10.patch - -------------------------------------------------------------------- -Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de - -- readv-proto.patch: include for readv prototype - -------------------------------------------------------------------- -Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org - -- -devel static subpackage requires libpcre-devel and libsepol-devel - -------------------------------------------------------------------- -Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org - -- Avoid mounting /proc outside of selinux_init_load_policy(). - (Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes - among other things systemd seccomp sandboxing otherwise all - filters must allow mount(2) - (libselinux-proc-mount-only-if-needed.patch) - -------------------------------------------------------------------- -Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de - -- Update RPM groups, trim description and combine filelist entries. 
- -------------------------------------------------------------------- -Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com - -- Adjusted source link - -------------------------------------------------------------------- -Tue Jul 5 16:42:03 UTC 2016 - i@marguerite.su - -- add patch: python-selinux-swig-3.10.patch, fixed boo#985368 - * swig-3.10 in Factory use importlib instead of imp to find - _selinux.so. imp searched the same directory as __init__.py - is while importlib searchs only standard paths. so we have - to move _selinux.so. fixed by upstream -- update version 2.5 - * Add selinux_restorecon function - * read_spec_entry: fail on non-ascii - * Add man information about thread specific functions - * Don't wrap rpm_execcon with DISABLE_RPM with SWIG - * Correct line count for property and service context files - * label_file: fix memory leaks and uninitialized jump - * Replace selabel_digest hash function - * Fix selabel_open(3) services if no digest requested - * Add selabel_digest function - * Flush the class/perm string mapping cache on policy reload - * Fix restorecon when path has no context - * Free memory when processing media and x specfiles - * Fix mmap memory release for file labeling - * Add policy context validation to sefcontext_compile - * Do not treat an empty file_contexts(.local) as an error - * Fail hard on invalid property_contexts entries - * Fail hard on invalid file_contexts entries - * Support context validation on file_contexts.bin - * Add selabel_cmp interface and label_file backend - * Support specifying file_contexts.bin file path - * Support file_contexts.bin without file_contexts - * Simplify procattr cache - * Use /proc/thread-self when available - * Add const to selinux_opt for label backends - * Fix binary file labels for regexes with metachars - * Fix file labels for regexes with metachars - * Fix if file_contexts not '\n' terminated - * Enhance file context support - * Fix property processing and cleanup formatting - * Add 
read_spec_entries function to replace sscanf - * Support consistent mode size for bin files - * Fix more bin file processing core dumps - * add selinux_openssh_contexts_path() - * setrans_client: minimize overhead when mcstransd is not present - * Ensure selabel_lookup_best_match links NULL terminated - * Fix core dumps with corrupt *.bin files - * Add selabel partial and best match APIs - * Use os.walk() instead of the deprecated os.path.walk() - * Remove deprecated mudflap option - * Mount procfs before checking /proc/filesystems - * Fix -Wformat errors with gcc-5.0.0 - * label_file: handle newlines in file names - * Fix audit2why error handling if SELinux is disabled - * pcre_study can return NULL without error - * Only check SELinux enabled status once in selinux_check_access -- changes in 2.4 - * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR - * Fix bugs found by hardened gcc flags - * Set the system to permissive if failing to disable SELinux because - policy has already been loaded - * Add db_exception and db_datatype support to label_db backend - * Log an error on unknown classes and permissions - * Add pcre version string to the compiled file_contexts format - * Deprecate use of flask.h and av_permissions.h - * Compiled file_context files and the original should have the same DAC - permissions - -------------------------------------------------------------------- -Thu Jul 30 12:00:27 UTC 2015 - jsegitz@novell.com - -- fixed selinux-ready to work with initrd files created by dracut (bsc#940006) - -------------------------------------------------------------------- -Mon Sep 8 08:25:11 UTC 2014 - jsegitz@suse.com - -- updated selinux-ready script to handle initrd files compressed with xz - -------------------------------------------------------------------- -Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org - -- Update to version 2.3 -* Get rid of security_context_t and fix const declarations. 
-* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover. - -------------------------------------------------------------------- -Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com - -- Update to version 2.2 - * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode. - * Support overriding Makefile RANLIB - * Update pkgconfig definition - * Mount sysfs before trying to mount selinuxfs. - * Fix man pages - * Support overriding PATH and LIBBASE in Makefile - * Fix LDFLAGS usage - * Avoid shadowing stat in load_mmap - * Support building on older PCRE libraries - * Fix handling of temporary file in sefcontext_compile - * Fix procattr cache - * Define python constants for getenforce result - * Fix label substitution handling of / - * Add selinux_current_policy_path from - * Change get_context_list to only return good matches - * Support udev-197 and higher - * Add support for local substitutions - * Change setfilecon to not return ENOSUP if context is already correct - * Python wrapper leak fixes - * Export SELINUX_TRANS_DIR definition in selinux.h - * Add selinux_systemd_contexts_path - * Add selinux_set_policy_root - * Add man page for sefcontext_compile -- Remove libselinux-rhat.patch; merged on upstream -- Adapt libselinux-ruby.patch to upstream changes -- Use fdupes to symlink duplicate manpages - -------------------------------------------------------------------- -Thu Jun 27 14:42:01 UTC 2013 - vcizek@suse.com - -- change the source url to the official 2.1.13 release tarball - -------------------------------------------------------------------- -Wed May 22 23:50:58 UTC 2013 - jengelh@inai.de - -- Reuse implicit dependencies injected by pkgconfig - -------------------------------------------------------------------- -Thu Apr 4 19:16:35 UTC 2013 - vcizek@suse.com - -- fixed source url in libselinux-bindings.spec -- removed old tarball - -------------------------------------------------------------------- -Wed Apr 3 10:17:21 UTC 2013 - 
vcizek@suse.com - -- fix source url -- document changes in libselinux-rhat.patch from previous submission: - (most code of the removed code was integrated upstream) - * Add matchpathcon -P /etc/selinux/mls support by allowing users - to set alternate root - * Add new constant SETRANS_DIR which points to the directory - where mstransd can find the socket and libvirt can write its - translations files - -------------------------------------------------------------------- -Fri Mar 29 15:12:50 UTC 2013 - vcizek@suse.com - --update to 2.1.13 - * audit2why: make sure path is nul terminated - * utils: new file context regex compiler - * label_file: use precompiled filecontext when possible - * do not leak mmapfd - * sefcontontext_compile: Add error handling to help debug problems in libsemanage. - * man: make selinux.8 mention service man pages - * audit2why: Fix segfault if finish() called twice - * audit2why: do not leak on multiple init() calls - * mode_to_security_class: interface to translate a mode_t in to a security class - * audit2why: Cleanup audit2why analysys function - * man: Fix program synopsis and function prototypes in man pages - * man: Fix man pages formatting - * man: Fix typo in man page - * man: Add references and man page links to _raw function variants - * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions - * man: context_new(3): fix the return value description - * selinux_status_open: handle error from sysconf - * selinux_status_open: do not leak statusfd on exec - * Fix errors found by coverity - * Change boooleans.subs to booleans.subs_dist. 
- * optimize set*con functions - * pkg-config do not specifc ruby version - * unmap file contexts on selabel_close() - * do not leak file contexts with mmap'd backend - * sefcontext_compile: do not leak fd on error - * matchmediacon: do not leak fd - * src/label_android_property: do not leak fd on error - -------------------------------------------------------------------- -Wed Jan 30 11:44:45 UTC 2013 - vcizek@suse.com - -- update to 2.1.12 - - added the recent libselinux-rhat.patch - * Add support for lxc_contexts_path - * utils: add service to getdefaultcon - * libsemanage: do not set soname needlessly - * libsemanage: remove PYTHONLIBDIR and ruby equivalent - * boolean name equivalency - * getsebool: support boolean name substitution - * Add man page for new selinux_boolean_sub function. - * expose selinux_boolean_sub - * matchpathcon: add -m option to force file type check - * utils: avcstat: clear sa_mask set - * seusers: Check for strchr failure - * booleans: initialize pointer to silence coveriety - * stop messages when SELinux disabled - * Ensure that we only close the selinux netlink socket once. 
- * improve the file_contexts.5 manual page - * Fortify source now requires all code to be compiled with -O flag - * asprintf return code must be checked - * avc_netlink_recieve handle EINTR - * audit2why: silence -Wmissing-prototypes warning - * libsemanage: remove build warning when build swig c files - * matchpathcon: bad handling of symlinks in / - * seusers: remove unused lineno - * seusers: getseuser: gracefully handle NULL service - * New Android property labeling backend - * label_android_property whitespace cleanups - * additional makefile support for rubywrap - * Remove jump over variable declaration - * Fix old style function definitions - * Fix const-correctness - * Remove unused flush_class_cache method - * Add prototype decl for destructor - * Add more printf format annotations - * Add printf format attribute annotation to die() method - * Fix const-ness of parameters & make usage() methods static - * Enable many more gcc warnings for libselinux/src/ builds - * utils: Enable many more gcc warnings for libselinux/utils builds - * Change annotation on include/selinux/avc.h to avoid upsetting SWIG - * Ensure there is a prototype for 'matchpathcon_lib_destructor' - * Update Makefiles to handle /usrmove - * utils: Stop separating out matchpathcon as something special - * pkg-config to figure out where ruby include files are located - * build with either ruby 1.9 or ruby 1.8 - * assert if avc_init() not called - * take security_deny_unknown into account - * security_compute_create_name(3) - * Do not link against python library, this is considered - * bad practice in debian - * Hide unnecessarily-exported library destructors - -------------------------------------------------------------------- -Mon Jan 7 22:34:03 UTC 2013 - jengelh@inai.de - -- Remove obsolete defines/sections - -------------------------------------------------------------------- -Tue Dec 11 16:15:52 UTC 2012 - vcizek@suse.com - -- update selinux-ready script - * use -L when stat()ing 
/etc/selinux/config - * make sure that SELINUX isn't disabled in /etc/selinux/config - * look for either of /sys/fs/selinux and /selinux directory - * use systemctl to check for restorecond - * don't look for booleans file (deprecated) - -------------------------------------------------------------------- -Tue Nov 27 12:38:29 UTC 2012 - vcizek@suse.com - -- update selinux-ready script - -------------------------------------------------------------------- -Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com - -- updated to 2.1.9 again (see below) - -------------------------------------------------------------------- -Wed Jun 13 08:56:36 UTC 2012 - coolo@suse.com - -- go back even more - everything else requires the full SELinux stack - (too late for 12.2) - -------------------------------------------------------------------- -Mon Jun 11 09:06:55 UTC 2012 - factory-maintainer@kulow.org - -- revert back to 2.0.98 for 12.2 - -------------------------------------------------------------------- -Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de - -- update to libselinux-2.1.9 - * better man pages - * selinux_status interfaces - * simple interface for access checks - * multiple bug fixes - -------------------------------------------------------------------- -Wed Oct 5 15:09:25 UTC 2011 - uli@suse.com - -- cross-build fix: use %__cc macro - -------------------------------------------------------------------- -Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de - -- use %_smp_mflags - -------------------------------------------------------------------- -Mon May 3 10:30:40 UTC 2010 - prusnak@suse.cz - -- don't package /var/run/setrans in libselinux1 package - - Feature#303793 - - the directory will be created in initscript of mcstrans package - -------------------------------------------------------------------- -Sat Apr 24 09:53:28 UTC 2010 - coolo@novell.com - -- buildrequire pkg-config to fix provides - -------------------------------------------------------------------- -Fri Apr 9 
07:27:27 UTC 2010 - thomas@novell.com - -- selinux-ready: added function to check for restorecond in - runlevel 3/5 - -------------------------------------------------------------------- -Thu Apr 8 06:37:34 UTC 2010 - thomas@novell.com - -- selinux-ready: added functions for checking PAM config and - policy boolean init_upstart - -------------------------------------------------------------------- -Wed Apr 7 13:26:59 UTC 2010 - thomas@novell.com - -- selinux-ready: fixed init ramfs checking - -------------------------------------------------------------------- -Wed Apr 7 12:59:41 UTC 2010 - thomas@novell.com - -- added new selinux-ready script - -------------------------------------------------------------------- -Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz - -- updated to 2.0.91 - * changes too numerous to list - -------------------------------------------------------------------- -Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de - -- add baselibs.conf as a source - -------------------------------------------------------------------- -Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com - -- updated selinux-ready script - -------------------------------------------------------------------- -Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz - -- change libsepol-devel to libsepol-devel-static in dependencies - of python bindings - -------------------------------------------------------------------- -Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz - -- put libsepol-devel back to Requires of libselinux-devel - -------------------------------------------------------------------- -Mon Jun 29 21:24:16 CEST 2009 - prusnak@suse.cz - -- added selinux-ready tool to selinux-tools package - -------------------------------------------------------------------- -Tue Jun 9 20:17:54 CEST 2009 - crrodriguez@suse.de - -- remove static libraries -- libselinux-devel does not require libsepol-devel - -------------------------------------------------------------------- -Wed May 27 14:06:14 
CEST 2009 - prusnak@suse.cz - -- updated to 2.0.80 - * deny_unknown wrapper function from KaiGai Kohei - * security_compute_av_flags API from KaiGai Kohei - * Netlink socket management and callbacks from KaiGai Kohei - * Netlink socket handoff patch from Adam Jackson - * AVC caching of compute_create results by Eric Paris - * fix incorrect conversion in discover_class code - -------------------------------------------------------------------- -Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz - -- fixed memory leak (memleak.patch) - -------------------------------------------------------------------- -Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz - -- updated to 2.0.77 - * add new function getseuser which will take username and service - and return seuser and level; ipa will populate file in future - * change selinuxdefcon to return just the context by default - * fix segfault if seusers file does not work - * strip trailing / for matchpathcon - * fix restorecon python code - -------------------------------------------------------------------- -Mon Dec 1 11:32:50 CET 2008 - prusnak@suse.cz - -- updated to 2.0.76 - * allow shell-style wildcarding in X names - * add Restorecon/Install python functions - * correct message types in AVC log messages - * make matchpathcon -V pass mode - * add man page for selinux_file_context_cmp - * update flask headers from refpolicy trunk - -------------------------------------------------------------------- -Wed Oct 22 16:28:59 CEST 2008 - mrueckert@suse.de - -- fix debug_packages_requires define - -------------------------------------------------------------------- -Tue Sep 23 12:51:10 CEST 2008 - prusnak@suse.cz - -- require only version, not release [bnc#429053] - -------------------------------------------------------------------- -Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz - -- updated to 2.0.71 - * Add group support to seusers using %groupname syntax from Dan Walsh. - * Mark setrans socket close-on-exec from Stephen Smalley. 
- * Only apply nodups checking to base file contexts from Stephen Smalley. - * Merge ruby bindings from Dan Walsh. - -------------------------------------------------------------------- -Mon Sep 1 07:35:00 CEST 2008 - aj@suse.de - -- Fix build of debuginfo. - -------------------------------------------------------------------- -Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz - -- added baselibs.conf file -- split bindings into separate subpackage (libselinux-bindings) -- split tools into separate subpackage (selinux-tools) - ------------------------------------------------------------------- Fri Aug 1 17:32:20 CEST 2008 - ro@suse.de diff --git a/libselinux.spec b/libselinux.spec index c517097..120aaff 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -1,239 +1,215 @@
 #
-# spec file for package libselinux
+# spec file for package libselinux (Version 2.0.67)
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# This file and all modifications and additions to the pristine
+# package are under the same license as the package itself.
 #
-# All modifications and additions to the file contributed by third parties
-# remain the property of their copyright owners, unless otherwise agreed
-# upon. The license for this file, and modifications and additions to the
-# file, is the same license as for the pristine package itself (unless the
-# license for the pristine package is not an Open Source License, in which
-# case the license is the MIT License). An "Open Source License" is a
-# license that conforms to the Open Source Definition (Version 1.9)
-# published by the Open Source Initiative.
-
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
+# norootforbuild
-%define libsepol_ver 2.8
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
+%define libsepol_ver 2.0.32
+BuildRequires: python-devel ruby-devel swig
+BuildRequires: libsepol-devel >= %{libsepol_ver}
 Name: libselinux
-Version: 2.8
-Release: 0
-Summary: SELinux runtime library and utilities
-License: GPL-2.0-only AND SUSE-Public-Domain
-Group: Development/Libraries/C and C++
-Url: https://github.com/SELinuxProject/selinux/wiki/Releases
-Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libselinux-%{version}.tar.gz
-Source1: selinux-ready
-Source2: baselibs.conf
-Patch3: python3.patch
-# PATCH-FIX-UPSTREAM Include for readv prototype
-Patch4: readv-proto.patch
+Version: 2.0.67
+Release: 2
+Url: http://www.nsa.gov/selinux/
+License: GPL v2 only; Public Domain, Freeware
+Group: System/Libraries
+Summary: SELinux library and simple utilities
+Source: %{name}-%{version}.tar.bz2
+Patch0: %{name}-%{version}-rhat.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
-BuildRequires: fdupes
-BuildRequires: libsepol-devel >= %{libsepol_ver}
-BuildRequires: libsepol-devel-static >= %{libsepol_ver}
-BuildRequires: pcre-devel
-BuildRequires: pkg-config
-BuildRequires: python-rpm-macros
-BuildRequires: python3
-BuildRequires: python3-devel
-BuildRequires: ruby-devel
-BuildRequires: swig
+%define debug_package_requires libselinux1 = %{version}
 %description
-libselinux provides an interface to get and set process and file
-security contexts and to obtain security policy decisions.
+Security-enhanced Linux is a feature of the Linux® kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux. The Security-enhanced Linux kernel
+contains new architectural components originally developed to improve
+the security of the Flask operating system. These architectural
+components provide general support for the enforcement of many kinds of
+mandatory access control policies, including those based on the
+concepts of Type Enforcement®, Role-based Access Control, and
+Multi-level Security.
+
+libselinux provides an API for SELinux applications to get and set
+process and file security contexts and to obtain security policy
+decisions. Required for any applications that use the SELinux API.
+
+
 %package -n libselinux1
-Summary: SELinux runtime library
-License: GPL-2.0-only AND SUSE-Public-Domain
+License: GPL v2 only; Public Domain, Freeware
 Group: System/Libraries
+Summary: SELinux library and simple utilities
 %description -n libselinux1
-libselinux provides an interface to get and set process and file
-security contexts and to obtain security policy decisions.
+Security-enhanced Linux is a feature of the Linux® kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux. The Security-enhanced Linux kernel
+contains new architectural components originally developed to improve
+the security of the Flask operating system. These architectural
+components provide general support for the enforcement of many kinds of
+mandatory access control policies, including those based on the
+concepts of Type Enforcement®, Role-based Access Control, and
+Multi-level Security.
-(Security-enhanced Linux is a feature of the kernel and some
-utilities that implement mandatory access control policies, such as
-Type Enforcement, Role-based Access Control and Multi-Level
-Security.)
+libselinux provides an API for SELinux applications to get and set
+process and file security contexts and to obtain security policy
+decisions. Required for any applications that use the SELinux API.
-%package -n selinux-tools
-Summary: SELinux command-line utilities
-License: GPL-2.0-only AND SUSE-Public-Domain
-Group: System/Base
-%description -n selinux-tools
-Security-enhanced Linux is a feature of the kernel and some
-utilities that implement mandatory access control policies, such as
-Type Enforcement, Role-based Access Control and Multi-Level
-Security.
-
-This subpackage contains utilities to inspect and administer the
-system's SELinux state.
 %package devel
-Summary: Development files for the SELinux runtime library
-License: GPL-2.0-only AND SUSE-Public-Domain
+License: GPL v2 only; Public Domain, Freeware
+Summary: Development Include Files and Libraries for SELinux
 Group: Development/Libraries/C and C++
-Requires: glibc-devel
-Requires: libselinux1 = %{version}
-#Automatic dependency on libsepol-devel via pkgconfig
+Requires: libselinux1 = %{version}-%{release}
+Requires: libsepol-devel >= %{libsepol_ver}
 %description devel
-libselinux provides an interface to get and set process and file
-security contexts and to obtain security policy decisions.
+Security-enhanced Linux is a patch of the Linux kernel and a number of
+utilities with enhanced security functionality designed to add
+mandatory access controls to Linux. The Security-enhanced Linux kernel
+contains new architectural components originally developed to improve
+the security of the Flask operating system. These architectural
+components provide general support for the enforcement of many kinds of
+mandatory access control policies, including those based on the
+concepts of Type Enforcement®, Role-based Access Control, and
+Multi-level Security.
-This package contains the development files, which are
+This package contains the header files and static libraries, which are
 necessary to develop your own software using libselinux.
-%package devel-static
-Summary: Static archives for the SELinux runtime
-License: GPL-2.0-only AND SUSE-Public-Domain
-Group: Development/Libraries/C and C++
-Requires: libselinux-devel = %{version}
-Requires: pkgconfig(libpcre)
-Requires: pkgconfig(libsepol)
-%description devel-static
-libselinux provides an interface to get and set process and file
-security contexts and to obtain security policy decisions.
-This package contains the static development files, which are
-necessary to develop your own software using libselinux.
+%package -n python-selinux
+License: Public Domain, Freeware
+Summary: SELinux library and simple utilities
+Group: System/Libraries
+Requires: libselinux1 = %{version}-%{release}
+Requires: python
+
+%description -n python-selinux
+Security-enhanced Linux is a feature of the Linux® kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux. The Security-enhanced Linux kernel
+contains new architectural components originally developed to improve
+the security of the Flask operating system. These architectural
+components provide general support for the enforcement of many kinds of
+mandatory access control policies, including those based on the
+concepts of Type Enforcement®, Role-based Access Control, and
+Multi-level Security.
+
+libselinux provides an API for SELinux applications to get and set
+process and file security contexts and to obtain security policy
+decisions. Required for any applications that use the SELinux API.
+
+
+
+%package -n ruby-selinux
+License: Public Domain, Freeware
+Summary: SELinux library and simple utilities
+Group: System/Libraries
+Requires: libselinux1 = %{version}-%{release}
+Requires: ruby
+
+%description -n ruby-selinux
+Security-enhanced Linux is a feature of the Linux® kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux. The Security-enhanced Linux kernel
+contains new architectural components originally developed to improve
+the security of the Flask operating system. These architectural
+components provide general support for the enforcement of many kinds of
+mandatory access control policies, including those based on the
+concepts of Type Enforcement®, Role-based Access Control, and
+Multi-level Security.
+
+libselinux provides an API for SELinux applications to get and set
+process and file security contexts and to obtain security policy
+decisions. Required for any applications that use the SELinux API.
+
+
 %prep
-%setup -q -n libselinux-%{version}
-%patch3 -p1
-%patch4 -p1
+%setup -q
+%patch0 -p1
 %build
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" CC="%{__cc}"
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src V=1
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src swigify V=1
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src pywrap V=1
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src rubywrap V=1
+make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" swigify
+make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" all pywrap
 %install
-mkdir -p %{buildroot}/%{_lib}
-mkdir -p %{buildroot}/%{_libdir}
-mkdir -p %{buildroot}/%{_includedir}
-mkdir -p %{buildroot}/%{_sbindir}
-%make_install LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" BINDIR="%{_sbindir}"
-rm -f %{buildroot}/%{_sbindir}/compute_*
-rm -f %{buildroot}/%{_sbindir}/deftype
-rm -f %{buildroot}/%{_sbindir}/execcon
-rm -f %{buildroot}/%{_sbindir}/getenforcemode
-rm -f %{buildroot}/%{_sbindir}/getfilecon
-rm -f %{buildroot}/%{_sbindir}/getpidcon
-rm -f %{buildroot}/%{_sbindir}/mkdircon
-rm -f %{buildroot}/%{_sbindir}/policyvers
-rm -f %{buildroot}/%{_sbindir}/setfilecon
-rm -f %{buildroot}/%{_sbindir}/selinuxconfig
-rm -f %{buildroot}/%{_sbindir}/selinuxdisable
-rm -f %{buildroot}/%{_sbindir}/getseuser
-rm -f %{buildroot}/%{_sbindir}/selinux_check_securetty_context
-mv %{buildroot}/%{_sbindir}/getdefaultcon %{buildroot}/%{_sbindir}/selinuxdefcon
-mv %{buildroot}/%{_sbindir}/getconlist %{buildroot}/%{_sbindir}/selinuxconlist
-install -m 0755 %{SOURCE1} %{buildroot}/%{_sbindir}/selinux-ready
+mkdir -p $RPM_BUILD_ROOT/%{_lib}
+mkdir -p $RPM_BUILD_ROOT%{_libdir}
+mkdir -p $RPM_BUILD_ROOT%{_includedir}
+mkdir -p $RPM_BUILD_ROOT%{_sbindir}
+mkdir -p $RPM_BUILD_ROOT/var/run/setrans
+make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" BINDIR="$RPM_BUILD_ROOT%{_sbindir}" install install-pywrap
+rm -f $RPM_BUILD_ROOT%{_sbindir}/compute_*
+rm -f $RPM_BUILD_ROOT%{_sbindir}/deftype
+rm -f $RPM_BUILD_ROOT%{_sbindir}/execcon
+rm -f $RPM_BUILD_ROOT%{_sbindir}/getenforcemode
+rm -f $RPM_BUILD_ROOT%{_sbindir}/getfilecon
+rm -f $RPM_BUILD_ROOT%{_sbindir}/getpidcon
+rm -f $RPM_BUILD_ROOT%{_sbindir}/mkdircon
+rm -f $RPM_BUILD_ROOT%{_sbindir}/policyvers
+rm -f $RPM_BUILD_ROOT%{_sbindir}/setfilecon
+rm -f $RPM_BUILD_ROOT%{_sbindir}/selinuxconfig
+rm -f $RPM_BUILD_ROOT%{_sbindir}/selinuxdisable
+rm -f $RPM_BUILD_ROOT%{_sbindir}/getseuser
+rm -f $RPM_BUILD_ROOT%{_sbindir}/selinux_check_securetty_context
+mv $RPM_BUILD_ROOT%{_sbindir}/getdefaultcon $RPM_BUILD_ROOT%{_sbindir}/selinuxdefcon
+mv $RPM_BUILD_ROOT%{_sbindir}/getconlist $RPM_BUILD_ROOT%{_sbindir}/selinuxconlist
-%make_install LIBDIR="%{_libdir}" \
- SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \
- -C src V=1
-make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
- SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \
- -C src install-pywrap V=1
-make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
- SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \
- -C src install-rubywrap V=1
-# Remove duplicate files
-%fdupes -s %{buildroot}%{_mandir}
+%clean
+rm -rf $RPM_BUILD_ROOT
 %post -n libselinux1 -p /sbin/ldconfig
 %postun -n libselinux1 -p /sbin/ldconfig
-%files -n selinux-tools
+%files -n libselinux1
 %defattr(-,root,root,-)
+/%{_lib}/libselinux.so.*
 %{_sbindir}/avcstat
 %{_sbindir}/getenforce
 %{_sbindir}/getsebool
 %{_sbindir}/matchpathcon
-%{_sbindir}/selabel_digest
-%{_sbindir}/selabel_lookup
-%{_sbindir}/selinux_check_access
-%{_sbindir}/selabel_lookup_best_match
-%{_sbindir}/selabel_partial_match
 %{_sbindir}/selinuxconlist
 %{_sbindir}/selinuxdefcon
 %{_sbindir}/selinuxenabled
 %{_sbindir}/setenforce
 %{_sbindir}/togglesebool
-#%#{_sbindir}/selinux_restorecon
-%{_sbindir}/selinux-ready
-%{_sbindir}/selinuxexeccon
-%{_sbindir}/sefcontext_compile
 %{_mandir}/man5/*
 %{_mandir}/man8/*
-
-%files -n libselinux1
-%defattr(-,root,root,-)
-/%{_lib}/libselinux.so.*
+/var/run/setrans
 %files devel
 %defattr(-,root,root,-)
 %{_libdir}/libselinux.so
-%{_includedir}/selinux/
-%{_mandir}/man3/*
-%{_libdir}/pkgconfig/libselinux.pc
-
-%files devel-static
-%defattr(-,root,root,-)
 %{_libdir}/libselinux.a
+%dir %{_includedir}/selinux
+%{_includedir}/selinux/*
+%{_mandir}/man3/*
-%package -n python3-selinux
-Summary: Python bindings for the SELinux runtime library
-License: SUSE-Public-Domain
-Group: Development/Libraries/Python
-%define oldpython python
-%ifpython2
-Obsoletes: %{oldpython}-selinux < %{version}
-Provides: %{oldpython}-selinux = %{version}
-%endif
-Requires: libselinux1 = %{version}
-Requires: python3
-
-%description -n python3-selinux
-libselinux provides an interface to get and set process and file
-security contexts and to obtain security policy decisions.
-
-This subpackage contains Python extensions to use SELinux from that
-language.
-
-%package -n ruby-selinux
-Summary: Ruby bindings for the SELinux runtime library
-License: SUSE-Public-Domain
-Group: Development/Languages/Ruby
-Requires: libselinux1 = %{version}
-Requires: ruby
-
-%description -n ruby-selinux
-libselinux provides an interface to get and set process and file
-security contexts and to obtain security policy decisions.
-
-This subpackage contains Ruby extensions to use SELinux from that
-language.
-
-%files -n python3-selinux
+%files -n python-selinux
 %defattr(-,root,root,-)
-%{python3_sitearch}/*selinux*
+%dir %{py_sitedir}/selinux
+%{py_sitedir}/selinux/*
 %files -n ruby-selinux
 %defattr(-,root,root,-)
-%{_libdir}/ruby/vendor_ruby/%{rb_ver}/%{rb_arch}/selinux.so
+%{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so
 %changelog
+* Fri Aug 01 2008 ro@suse.de
+- fix requires for debuginfo package
+* Tue Jul 15 2008 prusnak@suse.cz
+- initial version 2.0.67
+ * based on Fedora package by Dan Walsh
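Review bot: `%files -n ruby-selinux` packages `%{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so`, but the new `%build` only runs the `swigify` and `all pywrap` targets and `%install` only `install install-pywrap`, so unless `pywrap` also produces the Ruby module in this tree the build will stop on a missing file. Add `rubywrap` to the second `%build` make line and `install-rubywrap` to the `%install` make line, mirroring the Python targets (the removed 2.8 spec invoked both); the same omission is in libselinux-bindings.spec in PATCH 02. Separately, `/var/run/setrans` in `%files -n libselinux1` should be listed as `%dir /var/run/setrans` so the package owns the directory rather than whatever the build root happens to contain beneath it.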
diff --git a/python3.patch b/python3.patch
deleted file mode 100644
index 58a2136..0000000
--- a/python3.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: libselinux-2.7/src/Makefile
-===================================================================
---- libselinux-2.7.orig/src/Makefile
-+++ libselinux-2.7/src/Makefile
-@@ -1,7 +1,7 @@
- # Support building the Python bindings multiple times, against various Python
- # runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build
- # targets with "PYPREFIX":
--PYTHON ?= python
-+PYTHON ?= python3
- PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python-%d.%d" % sys.version_info[:2])')
- RUBY ?= ruby
- RUBYPREFIX ?= $(notdir $(RUBY))
diff --git a/readv-proto.patch b/readv-proto.patch
deleted file mode 100644
index 795c9b2..0000000
--- a/readv-proto.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: libselinux-2.5/src/setrans_client.c
-===================================================================
---- libselinux-2.5.orig/src/setrans_client.c
-+++ libselinux-2.5/src/setrans_client.c
-@@ -9,6 +9,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
diff --git a/ready b/ready
new file mode 100644
index 0000000..473a0f4
diff --git a/selinux-ready b/selinux-ready
deleted file mode 100644
index 163489b..0000000
--- a/selinux-ready
+++ /dev/null
@@ -1,272 +0,0 @@ -#!/bin/bash - -KERNEL="unknown" -INITRD="unknown" -TD="" - - -# init needs /selinux to be there -check_dir() -{ - SLDIRS="/selinux /sys/fs/selinux" - FOUND="no" - - for DIR in $SLDIRS; do - if [ -d $DIR ]; then - printf "\tcheck_dir: OK. $DIR exists.\n" - FOUND="yes" - fi - done - - if [ $FOUND == "yes" ]; then - return 0 - else - printf "\tcheck_dir: ERR. Neither of $SLDIRS does exist. Please execute 'mkdir /sys/fs/selinux' as root\n" - return 1 - fi -} - -check_filesystem() -{ - FSPATH="/proc/filesystems" - FSNAMES="securityfs selinuxfs" - OK="O" - - for FSNAME in $FSNAMES; do - grep -w $FSNAME $FSPATH 1>&2 >/dev/null - - if [ $? == 0 ]; then - printf "\tcheck_filesystem: OK. Filesystem '$FSNAME' exists.\n" - else - printf "\tcheck_filesystem: ERR. Filesystem '$FSNAME' is missing. Please enable SELinux while compiling the kernel.\n" - OK="1" - fi - done - if [ "$OK" == "0" ]; then - return 0; - else - return 1; - fi -} - -check_boot() -{ - BPARAM1="security=selinux" - BPARAM2="selinux=1" - - printf "\tcheck_boot: Assuming GRUB2 as bootloader.\n" - - # look for parameters of the current kernel - CURRENT_KERNEL=$(uname -r) - OTHERS="" - RETVAL="FAIL" - while read BLINE - do - K=$(echo $BLINE | awk -F' ' '{print $2}') - KERNEL=$(basename $K) - K=$(echo $KERNEL | sed s/vmlinuz-//) - - if [ "$K" == "$CURRENT_KERNEL" ]; then - INITRD=initrd-$K - RETVAL="OK" - else - OTHERS="$KERNEL $OTHERS" - fi - done < <(grep -- $BPARAM1 /boot/grub2/grub.cfg 2>/dev/null | grep -- $BPARAM2) - - if [ "$RETVAL" == OK ]; then - printf "\tcheck_boot: OK. Current kernel '$KERNEL' has boot-parameters '$BPARAM1 $BPARAM2'\n" - printf "\tcheck_boot: OK. Other kernels with correct parameters: $OTHERS\n" - return 0 - else - printf "\tcheck_boot: ERR. 
Boot-parameter missing for booting the kernel.\n" - printf "\t Please use YaST2 to add 'security=selinux selinux=1' to the kernel boot-parameter list.\n" - return 1 - fi -} - -check_mkinitrd() -{ - if [ "$INITRD" == "unknown" ]; then - return 1 - fi - MCMD="mount.*/root/proc.*" - - if ! [ -f "/boot/$INITRD" ];then - printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/$INITRD'\n" - return 2 - fi - - cp /boot/$INITRD $TD/ 2>/dev/null - - if ! [ -f "$TD/$INITRD" ];then - printf "\tcheck_mkinitrd: ERR. Error while copying initrd file.'\n" - return 2 - fi - - - pushd . 2>&1>/dev/null - cd $TD - mkdir initrd-extracted - cd initrd-extracted - INITRD_FORMAT=$(file $TD/$INITRD | awk -F' ' '{print $2}') - case $INITRD_FORMAT in - 'XZ' ) - xz -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; - 'ASCII' ) - /usr/lib/dracut/skipcpio $TD/$INITRD | xz -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; - 'gzip' ) - gzip -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; - * ) - printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n" - return 2 - esac - if [ -d boot ]; then - grep -E -- $MCMD boot/* 2>&1 >/dev/null - FLG1=$? - grep -E -- load_policy boot/* 2>&1 >/dev/null - FLG2=$? - else - # looks like we're using dracut/systemd. We can only check if libselinux1 - # exists - if [ -f lib64/libselinux.so.1 ]; then - # if this exists - FLG1=0 - FLG2=0 - fi - fi - popd 2>&1>/dev/null - - if [ $FLG1 == 0 -a $FLG2 == 0 ];then - printf "\tcheck_mkinitrd: OK. Your initrd seems to be correct.\n" - return 0 - else - printf "\tcheck_mkinitrd: ERR. Your initrd seems not to mount /proc of\n" - printf "\t the root filesystem during boot and/or load_policy\n" - printf "\t is missing,\n" - printf "\t this may be a reason for SELinux not working.\n" - return 1 - fi -} - -check_pam() -{ - AA_PAM=0 - SE_PAM=0 - - # test for AA pam module - grep apparmor /etc/pam.d/* 2>&1 >/dev/null - FLG=$? 
- if [ $FLG == 0 ]; then - AA_PAM=1 - fi - - # test for SELinux pam module - grep selinux /etc/pam.d/* 2>&1 >/dev/null - FLG=$? - if [ $FLG == 0 ]; then - SE_PAM=1 - fi - - # suggest config - if [ $SE_PAM == 1 ] && [ $AA_PAM == 0 ]; then - printf "\tcheck_pam: OK. Your PAM configuration seems to be correct.\n" - return 0 - fi - printf "\tcheck_pam: ERR. Your PAM configuration seems to be incorrect.\n" - if [ $AA_PAM == 1 ]; then - printf " execute 'pam-config -d --apparmor' as root\n" - fi - if [ $SE_PAM == 0 ]; then - printf " execute 'pam-config -a --selinux' as root\n" - fi - - return 1 -} - -check_initupstart() -{ - CFGFILE="/etc/selinux/config" - - if ! [ -f $CFGFILE ]; then - printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n" - return 1; - fi -} - -check_runlevel() -{ - if [ "$(systemctl is-enabled restorecond.service)" == "enabled" ]; then - printf "\tcheck_runlevel: OK. restorecond is enabled on your system\n" - return 0; - fi - printf "\tcheck_runlevel: ERR. please execute 'yast2 runlevel' and enable restorecond.\n" - return 1 -} - -check_packages() -{ - PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 selinux-policy" - FAIL=0 - - for i in $PKGLST - do - rpm -q $i 1>&2 >/dev/null - if [ $? == 1 ];then - printf "\tcheck_packages: ERR. Package '$i' not installed, please run 'zypper in $i' as root\n" - FAIL=1 - fi - done - - if [ $FAIL == 0 ]; then - printf "\tcheck_packages: OK. All essential packages are installed\n" - return 0 - else - return 1 - fi -} - -check_config() -{ - CF="/etc/selinux/config" - - if [ -f $CF ];then - printf "\tcheck_config: OK. Config file seems to be there.\n" - # with -L because /etc/selinux/config is now a link to /etc/sysconfig/selinux-policy - if ! [ $(stat -L --printf=%a $CF) -eq "644" ]; then - printf "\tcheck_config: ERR. 
Config file '$CF' has wrong permissions.\n" - return 1 - fi - - # check that SELINUX is not disabled there - SELINUX_MODE=$(grep "^\s*SELINUX\s*=" $CF | sed "s/SELINUX\s*=\(\S*\)\s*"/\\1/) - case "$SELINUX_MODE" in - permissive | enforcing ) - printf "\tcheck_config: OK. SELINUX is set to '$SELINUX_MODE'.\n" - return 0 - ;; - * ) - printf "\tcheck_config: ERR. SELINUX is set to '$SELINUX_MODE' in '$CF'. Should be either 'permissive' or 'enforcing'\n" - return 1 - ;; - esac - else - printf "\tcheck_config: ERR. Config file '$CF' is missing.\n" - return 1 - fi -} - -TD=$(mktemp -q -d /tmp/selinux-ready.XXXXXX) - -echo "Start checking your system if it is selinux-ready or not:" -check_dir -check_filesystem -check_boot -check_mkinitrd -check_packages -check_config -check_initupstart -check_pam -check_runlevel - -rm -rf $TD From 39d425612ad1f0172cd543f1cd6a3eb0b41aea716aca36e212a70a1848922a6c Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Fri, 22 Aug 2008 17:31:21 +0000 Subject: [PATCH 02/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=2 --- baselibs.conf | 1 + libselinux-bindings.changes | 18 +++++ libselinux-bindings.spec | 135 ++++++++++++++++++++++++++++++++++ libselinux.changes | 7 ++ libselinux.spec | 143 +++++++++++++++--------------------- 5 files changed, 221 insertions(+), 83 deletions(-) create mode 100644 baselibs.conf create mode 100644 libselinux-bindings.changes create mode 100644 libselinux-bindings.spec diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..115b88a --- /dev/null +++ b/baselibs.conf @@ -0,0 +1 @@ +libselinux1 diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes new file mode 100644 index 0000000..ccdc99a --- /dev/null +++ b/libselinux-bindings.changes 
@@ -0,0 +1,18 @@
+-------------------------------------------------------------------
+Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz
+
+- added baselibs.conf file
+- split bindings into separate subpackage (libselinux-bindings)
+- split tools into separate subpackage (selinux-tools)
+
+-------------------------------------------------------------------
+Fri Aug 1 17:32:20 CEST 2008 - ro@suse.de
+
+- fix requires for debuginfo package
+
+-------------------------------------------------------------------
+Tue Jul 15 16:26:31 CEST 2008 - prusnak@suse.cz
+
+- initial version 2.0.67
+ * based on Fedora package by Dan Walsh
+
diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec
new file mode 100644
index 0000000..ae129b0
--- /dev/null
+++ b/libselinux-bindings.spec
@@ -0,0 +1,135 @@
+#
+# spec file for package libselinux-bindings (Version 2.0.67)
+#
+# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# norootforbuild
+
+%define libsepol_ver 2.0.32
+BuildRequires: python-devel ruby-devel swig
+BuildRequires: libsepol-devel >= %{libsepol_ver}
+
+Name: libselinux-bindings
+Version: 2.0.67
+Release: 1
+Url: http://www.nsa.gov/selinux/
+License: GPL v2 only; Public Domain, Freeware
+Group: System/Libraries
+Summary: SELinux library and simple utilities
+Source: libselinux-%{version}.tar.bz2
+Patch0: libselinux-%{version}-rhat.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+
+%description
+Security-enhanced Linux is a feature of the Linux(R) kernel and a
+number of utilities with enhanced security functionality designed to
+add mandatory access controls to Linux. The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These architectural
+components provide general support for the enforcement of many kinds of
+mandatory access control policies, including those based on the
+concepts of Type Enforcement(R), Role-based Access Control, and
+Multi-level Security.
+
+libselinux provides an API for SELinux applications to get and set
+process and file security contexts and to obtain security policy
+decisions. Required for any applications that use the SELinux API.
+
+
+
+%package -n python-selinux
+License: Public Domain, Freeware
+Summary: SELinux library and simple utilities
+Group: System/Libraries
+Requires: libselinux1 = %{version}-%{release}
+Requires: python
+
+%description -n python-selinux
+Security-enhanced Linux is a feature of the Linux(R) kernel and a
+number of utilities with enhanced security functionality designed to
+add mandatory access controls to Linux. The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These architectural
+components provide general support for the enforcement of many kinds of
+mandatory access control policies, including those based on the
+concepts of Type Enforcement(R), Role-based Access Control, and
+Multi-level Security.
+
+libselinux provides an API for SELinux applications to get and set
+process and file security contexts and to obtain security policy
+decisions. Required for any applications that use the SELinux API.
+
+
+
+%package -n ruby-selinux
+License: Public Domain, Freeware
+Summary: SELinux library and simple utilities
+Group: System/Libraries
+Requires: libselinux1 = %{version}-%{release}
+Requires: ruby
+
+%description -n ruby-selinux
+Security-enhanced Linux is a feature of the Linux(R) kernel and a
+number of utilities with enhanced security functionality designed to
+add mandatory access controls to Linux. The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These architectural
+components provide general support for the enforcement of many kinds of
+mandatory access control policies, including those based on the
+concepts of Type Enforcement(R), Role-based Access Control, and
+Multi-level Security.
+
+libselinux provides an API for SELinux applications to get and set
+process and file security contexts and to obtain security policy
+decisions. Required for any applications that use the SELinux API.
+
+
+
+%prep
+%setup -q -n libselinux-%{version}
+%patch0 -p1
+
+%build
+make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src
+make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src swigify
+make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src pywrap
+
+%install
+make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install
+make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-pywrap
+rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.*
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -n python-selinux
+%defattr(-,root,root,-)
+%dir %{py_sitedir}/selinux
+%{py_sitedir}/selinux/*
+
+%files -n ruby-selinux
+%defattr(-,root,root,-)
+%{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so
+
+%changelog
+* Fri Aug 22 2008 prusnak@suse.cz
+- added baselibs.conf file
+- split bindings into separate subpackage (libselinux-bindings)
+- split tools into separate subpackage (selinux-tools)
+* Fri Aug 01 2008 ro@suse.de
+- fix requires for debuginfo package
+* Tue Jul 15 2008 prusnak@suse.cz
+- initial version 2.0.67
+ * based on Fedora package by Dan Walsh
diff --git a/libselinux.changes b/libselinux.changes
index 652a2bc..ccdc99a 100644
--- a/libselinux.changes
+++ b/libselinux.changes
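Review bot: `Requires: libselinux1 = %{version}-%{release}` in both the python-selinux and ruby-selinux subpackages pins this spec's own release (`Release: 1`), but libselinux1 is produced by libselinux.spec, whose Release is bumped to 3 in this same commit, so the dependency cannot be satisfied by packages from the same build. Use `Requires: libselinux1 = %{version}` in both subpackages, since the release counters of the two spec files are independent. `%install` also installs the whole library into the buildroot and then deletes it with `rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.*`; if `-C src install-pywrap` does not depend on `install`, dropping the first make line and the `rm -rf` is simpler and removes a destructive step from the recipe.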
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz
+
+- added baselibs.conf file
+- split bindings into separate subpackage (libselinux-bindings)
+- split tools into separate subpackage (selinux-tools)
+
 -------------------------------------------------------------------
 Fri Aug 1 17:32:20 CEST 2008 - ro@suse.de
diff --git a/libselinux.spec b/libselinux.spec
index 120aaff..86e0c0b 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -2,21 +2,27 @@
 # spec file for package libselinux (Version 2.0.67)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
-# This file and all modifications and additions to the pristine
-# package are under the same license as the package itself.
 #
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 # norootforbuild
 %define libsepol_ver 2.0.32
-BuildRequires: python-devel ruby-devel swig
 BuildRequires: libsepol-devel >= %{libsepol_ver}
 Name: libselinux
 Version: 2.0.67
-Release: 2
+Release: 3
 Url: http://www.nsa.gov/selinux/
 License: GPL v2 only; Public Domain, Freeware
 Group: System/Libraries
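Review bot: With the bindings moved into libselinux-bindings.spec, `%define libsepol_ver 2.0.32` and `Version: 2.0.67` now live in two spec files that build from the same tarball and patch and must be bumped together, which nothing in either file records. A one-line comment above the define, `# keep libsepol_ver and Version in sync with libselinux-bindings.spec`, would make the coupling visible to the next person updating only one of them.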
@@ -27,14 +33,14 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %define debug_package_requires libselinux1 = %{version}
 %description
-Security-enhanced Linux is a feature of the Linux® kernel and a number
-of utilities with enhanced security functionality designed to add
-mandatory access controls to Linux. The Security-enhanced Linux kernel
-contains new architectural components originally developed to improve
-the security of the Flask operating system. These architectural
+Security-enhanced Linux is a feature of the Linux(R) kernel and a
+number of utilities with enhanced security functionality designed to
+add mandatory access controls to Linux. The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These architectural
 components provide general support for the enforcement of many kinds of
 mandatory access control policies, including those based on the
-concepts of Type Enforcement®, Role-based Access Control, and
+concepts of Type Enforcement(R), Role-based Access Control, and
 Multi-level Security.
 libselinux provides an API for SELinux applications to get and set
@@ -49,14 +55,36 @@ Group: System/Libraries
 Summary: SELinux library and simple utilities
 
 %description -n libselinux1
-Security-enhanced Linux is a feature of the Linux® kernel and a number
-of utilities with enhanced security functionality designed to add
-mandatory access controls to Linux. The Security-enhanced Linux kernel
-contains new architectural components originally developed to improve
-the security of the Flask operating system. These architectural
+Security-enhanced Linux is a feature of the Linux(R) kernel and a
+number of utilities with enhanced security functionality designed to
+add mandatory access controls to Linux. The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These architectural
 components provide general support for the enforcement of many kinds of
 mandatory access control policies, including those based on the
-concepts of Type Enforcement®, Role-based Access Control, and
+concepts of Type Enforcement(R), Role-based Access Control, and
+Multi-level Security.
+
+libselinux provides an API for SELinux applications to get and set
+process and file security contexts and to obtain security policy
+decisions. Required for any applications that use the SELinux API.
+
+
+
+%package -n selinux-tools
+License: GPL v2 only; Public Domain, Freeware
+Group: System/Base
+Summary: SELinux library and simple utilities
+
+%description -n selinux-tools
+Security-enhanced Linux is a feature of the Linux(R) kernel and a
+number of utilities with enhanced security functionality designed to
+add mandatory access controls to Linux. The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These architectural
+components provide general support for the enforcement of many kinds of
+mandatory access control policies, including those based on the
+concepts of Type Enforcement(R), Role-based Access Control, and
 Multi-level Security.
 
 libselinux provides an API for SELinux applications to get and set
@@ -73,14 +101,14 @@ Requires: libselinux1 = %{version}-%{release}
 Requires: libsepol-devel >= %{libsepol_ver}
 
 %description devel
-Security-enhanced Linux is a patch of the Linux kernel and a number of
-utilities with enhanced security functionality designed to add
+Security-enhanced Linux is a patch of the Linux(R) kernel and a number
+of utilities with enhanced security functionality designed to add
 mandatory access controls to Linux. The Security-enhanced Linux kernel
 contains new architectural components originally developed to improve
 the security of the Flask operating system. These architectural
 components provide general support for the enforcement of many kinds of
 mandatory access control policies, including those based on the
-concepts of Type Enforcement®, Role-based Access Control, and
+concepts of Type Enforcement(R), Role-based Access Control, and
 Multi-level Security.
 
 This package contains the header files and static libraries, which are
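Review bot: The new `%package -n selinux-tools` in the hunk ending here declares no `Requires:` on libselinux1, while the `devel` subpackage in the following hunk pins `Requires: libselinux1 = %{version}-%{release}`; rpm's automatic soname dependency will still pull in some libselinux1, but not necessarily the build the utilities were compiled against, so the tools package should pin the library version as well, e.g. `Requires: libselinux1 = %{version}`. Its `Summary:` and `%description` are copied verbatim from the library package although it ships only the command-line utilities listed in the `%files -n selinux-tools` section further down (avcstat, getenforce, getsebool, togglesebool and the section 5/8 man pages); `Summary: SELinux command line utilities` and one sentence naming those tools in the description would tell users which package to install.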
@@ -88,69 +116,20 @@ necessary to develop your own software using libselinux. -%package -n python-selinux -License: Public Domain, Freeware -Summary: SELinux library and simple utilities -Group: System/Libraries -Requires: libselinux1 = %{version}-%{release} -Requires: python - -%description -n python-selinux -Security-enhanced Linux is a feature of the Linux® kernel and a number -of utilities with enhanced security functionality designed to add -mandatory access controls to Linux. The Security-enhanced Linux kernel -contains new architectural components originally developed to improve -the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement®, Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - - - -%package -n ruby-selinux -License: Public Domain, Freeware -Summary: SELinux library and simple utilities -Group: System/Libraries -Requires: libselinux1 = %{version}-%{release} -Requires: ruby - -%description -n ruby-selinux -Security-enhanced Linux is a feature of the Linux® kernel and a number -of utilities with enhanced security functionality designed to add -mandatory access controls to Linux. The Security-enhanced Linux kernel -contains new architectural components originally developed to improve -the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement®, Role-based Access Control, and -Multi-level Security. 
- -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - - - %prep %setup -q %patch0 -p1 %build -make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" swigify -make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" all pywrap +make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" %install mkdir -p $RPM_BUILD_ROOT/%{_lib} mkdir -p $RPM_BUILD_ROOT%{_libdir} mkdir -p $RPM_BUILD_ROOT%{_includedir} mkdir -p $RPM_BUILD_ROOT%{_sbindir} -mkdir -p $RPM_BUILD_ROOT/var/run/setrans -make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" BINDIR="$RPM_BUILD_ROOT%{_sbindir}" install install-pywrap +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/setrans +make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" BINDIR="$RPM_BUILD_ROOT%{_sbindir}" install rm -f $RPM_BUILD_ROOT%{_sbindir}/compute_* rm -f $RPM_BUILD_ROOT%{_sbindir}/deftype rm -f $RPM_BUILD_ROOT%{_sbindir}/execcon @@ -174,9 +153,8 @@ rm -rf $RPM_BUILD_ROOT %postun -n libselinux1 -p /sbin/ldconfig -%files -n libselinux1 +%files -n selinux-tools %defattr(-,root,root,-) -/%{_lib}/libselinux.so.* %{_sbindir}/avcstat %{_sbindir}/getenforce %{_sbindir}/getsebool @@ -188,7 +166,11 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/togglesebool %{_mandir}/man5/* %{_mandir}/man8/* -/var/run/setrans + +%files -n libselinux1 +%defattr(-,root,root,-) +/%{_lib}/libselinux.so.* +%{_localstatedir}/run/setrans %files devel %defattr(-,root,root,-) 
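Review bot: `%{_localstatedir}/run/setrans` in the new `%files -n libselinux1` list (hunk `@@ -188,7 +166,11 @@`) is a plain path entry, so the directory's mode is whatever `mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/setrans` in `%install` left behind under the build host's umask, and `%defattr(-,root,root,-)` keeps that mode as-is. This appears to be the directory the setrans socket lives in (a later changes entry on this page mentions the setrans socket), so the entry should mark it as a directory and pin its permissions explicitly, e.g. `%attr(0755,root,root) %dir %{_localstatedir}/run/setrans` (mode is a constructed example, confirm against mcstransd's expectations), rather than inherit them from the build environment. The `%install` section edited by the first hunk on this line continues past the hunk.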
@@ -198,16 +180,11 @@ rm -rf $RPM_BUILD_ROOT %{_includedir}/selinux/* %{_mandir}/man3/* -%files -n python-selinux -%defattr(-,root,root,-) -%dir %{py_sitedir}/selinux -%{py_sitedir}/selinux/* - -%files -n ruby-selinux -%defattr(-,root,root,-) -%{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so - %changelog +* Fri Aug 22 2008 prusnak@suse.cz +- added baselibs.conf file +- split bindings into separate subpackage (libselinux-bindings) +- split tools into separate subpackage (selinux-tools) * Fri Aug 01 2008 ro@suse.de - fix requires for debuginfo package * Tue Jul 15 2008 prusnak@suse.cz From 210dbda63242fa241852ca89da038f16699034db2b418fb8f0cc9729ae625762 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Fri, 5 Sep 2008 19:50:58 +0000 Subject: [PATCH 03/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=3 --- libselinux-2.0.67-rhat.patch | 369 ----------------------------------- libselinux-2.0.67.tar.bz2 | 3 - libselinux-2.0.71-rhat.patch | 97 +++++++++ libselinux-2.0.71.tar.bz2 | 3 + libselinux-bindings.changes | 11 ++ libselinux-bindings.spec | 12 +- libselinux.changes | 8 + libselinux.spec | 13 +- 8 files changed, 138 insertions(+), 378 deletions(-) delete mode 100644 libselinux-2.0.67-rhat.patch delete mode 100644 libselinux-2.0.67.tar.bz2 create mode 100644 libselinux-2.0.71-rhat.patch create mode 100644 libselinux-2.0.71.tar.bz2 diff --git a/libselinux-2.0.67-rhat.patch b/libselinux-2.0.67-rhat.patch deleted file mode 100644 index b0dbffc..0000000 --- a/libselinux-2.0.67-rhat.patch +++ /dev/null 
@@ -1,369 +0,0 @@ -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/freecon.3 libselinux-2.0.67/man/man3/freecon.3 ---- nsalibselinux/man/man3/freecon.3 2008-06-12 23:25:12.000000000 -0400 -+++ libselinux-2.0.67/man/man3/freecon.3 2008-07-09 16:52:33.000000000 -0400 -@@ -15,6 +15,11 @@ - .B freeconary - frees the memory allocated for a context array. - -+If -+.I con -+is NULL, no operation is performed. -+ -+ - .SH "SEE ALSO" - .BR selinux "(8)" - -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.67/man/man8/selinuxconlist.8 ---- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.67/man/man8/selinuxconlist.8 2008-07-09 16:52:33.000000000 -0400 -@@ -0,0 +1,18 @@ -+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" -+.SH "NAME" -+selinuxconlist \- list all SELinux context reachable for user -+.SH "SYNOPSIS" -+.B selinuxconlist [-l level] user [context] -+ -+.SH "DESCRIPTION" -+.B selinuxconlist -+reports the list of context reachable for user from the current context or specified context -+ -+.B \-l level -+mcs/mls level -+ -+.SH AUTHOR -+This manual page was written by Dan Walsh . 
-+ -+.SH "SEE ALSO" -+secon(8), selinuxdefcon(8) -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.67/man/man8/selinuxdefcon.8 ---- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.67/man/man8/selinuxdefcon.8 2008-07-09 16:52:33.000000000 -0400 -@@ -0,0 +1,19 @@ -+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" -+.SH "NAME" -+selinuxdefcon \- list default SELinux context for user -+ -+.SH "SYNOPSIS" -+.B selinuxdefcon [-l level] user [fromcon] -+ -+.SH "DESCRIPTION" -+.B seconlist -+reports the default context for the specified user from current context or specified context -+ -+.B \-l level -+mcs/mls level -+ -+.SH AUTHOR -+This manual page was written by Dan Walsh . -+ -+.SH "SEE ALSO" -+secon(8), selinuxconlist(8) -diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.67/src/Makefile ---- nsalibselinux/src/Makefile 2008-06-22 09:40:25.000000000 -0400 -+++ libselinux-2.0.67/src/Makefile 2008-07-09 16:56:37.000000000 -0400 -@@ -7,16 +7,24 @@ - PYINC ?= /usr/include/$(PYLIBVER) - PYLIB ?= /usr/lib/$(PYLIBVER) - PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) -+RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")') -+RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM') -+RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) -+RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) - - LIBVERSION = 1 - - LIBA=libselinux.a - TARGET=libselinux.so - SWIGIF= selinuxswig_python.i -+SWIGRUBYIF= selinuxswig_ruby.i - SWIGCOUT= selinuxswig_wrap.c -+SWIGRUBYCOUT= selinuxswig_ruby_wrap.c - SWIGLOBJ:= $(patsubst %.c,%.lo,$(SWIGCOUT)) -+SWIGRUBYLOBJ:= $(patsubst %.c,%.lo,$(SWIGRUBYCOUT)) - SWIGSO=_selinux.so - SWIGFILES=$(SWIGSO) selinux.py -+SWIGRUBYSO=_rubyselinux.so - LIBSO=$(TARGET).$(LIBVERSION) - AUDIT2WHYSO=audit2why.so - -@@ -29,7 +37,9 @@ - ifeq ($(DISABLE_RPM),y) - 
UNUSED_SRCS+=rpm.c - endif --SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out audit2why.c $(SWIGCOUT),$(wildcard *.c))) -+ -+GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) -+SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out audit2why.c $(GENERATED),$(wildcard *.c))) - - OBJS= $(patsubst %.c,%.o,$(SRCS)) - LOBJS= $(patsubst %.c,%.lo,$(SRCS)) -@@ -44,11 +54,11 @@ - - SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ - --GENERATED=$(SWIGCOUT) -+SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ - - all: $(LIBA) $(LIBSO) - --pywrap: all $(SWIGSO) $(AUDIT2WHYSO) -+pywrap: all $(SWIGSO) $(AUDIT2WHYSO) $(SWIGRUBYSO) - - $(LIBA): $(OBJS) - $(AR) rcs $@ $^ -@@ -57,8 +67,14 @@ - $(SWIGLOBJ): $(SWIGCOUT) - $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< - -+$(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) -+ $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $< -+ - $(SWIGSO): $(SWIGLOBJ) -- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@ -+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@ -+ -+$(SWIGRUBYSO): $(SWIGRUBYLOBJ) -+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. 
-lselinux -L$(LIBDIR) -Wl,-soname,$@ - - $(LIBSO): $(LOBJS) - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro -@@ -79,6 +95,9 @@ - $(SWIGCOUT): $(SWIGIF) - $(SWIG) $^ - -+$(SWIGRUBYCOUT): $(SWIGRUBYIF) -+ $(SWIGRUBY) $^ -+ - swigify: $(SWIGIF) - $(SWIG) $^ - -@@ -95,6 +114,9 @@ - install -m 755 $(AUDIT2WHYSO) $(PYTHONLIBDIR)/site-packages/selinux - install -m 644 selinux.py $(PYTHONLIBDIR)/site-packages/selinux/__init__.py - -+ test -d $(RUBYINSTALL) || install -m 755 -d $(RUBYINSTALL) -+ install -m 755 $(SWIGRUBYSO) $(RUBYINSTALL)/selinux.so -+ - relabel: - /sbin/restorecon $(SHLIBDIR)/$(LIBSO) - -@@ -102,7 +124,7 @@ - -rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~ - - distclean: clean -- rm -f $(SWIGCOUT) $(SWIGFILES) -+ rm -f $(GENERATED) $(SWIGFILES) - - indent: - ../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch])) -diff --exclude-from=exclude -N -u -r nsalibselinux/src/audit2why.c libselinux-2.0.67/src/audit2why.c ---- nsalibselinux/src/audit2why.c 2008-06-12 23:25:14.000000000 -0400 -+++ libselinux-2.0.67/src/audit2why.c 2008-07-09 16:52:33.000000000 -0400 -@@ -55,7 +55,7 @@ - return 0; - } - --static int check_booleans(struct avc_t *avc, struct boolean_t **bools) -+static int check_booleans(struct boolean_t **bools) - { - char errormsg[PATH_MAX]; - struct sepol_av_decision avd; -@@ -376,7 +376,7 @@ - avc->tsid = tsid; - avc->tclass = tclass; - avc->av = av; -- if (check_booleans(avc, &bools) == 0) { -+ if (check_booleans(&bools) == 0) { - if (av & ~avd.auditdeny) { - RETURN(DONTAUDIT) - } else { -@@ -390,15 +390,15 @@ - len++; b++; - } - b = bools; -- PyObject *boollist = PyTuple_New(len); -+ PyObject *outboollist = PyTuple_New(len); - len=0; - while(b->name) { - PyObject *bool = Py_BuildValue("(si)", b->name, b->active); -- PyTuple_SetItem(boollist, len++, bool); -+ PyTuple_SetItem(outboollist, len++, bool); - b++; - } - free(bools); -- 
PyTuple_SetItem(result, 1, boollist); -+ PyTuple_SetItem(result, 1, outboollist); - return result; - } - } -diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.67/src/matchpathcon.c ---- nsalibselinux/src/matchpathcon.c 2008-06-12 23:25:14.000000000 -0400 -+++ libselinux-2.0.67/src/matchpathcon.c 2008-07-09 16:52:33.000000000 -0400 -@@ -2,6 +2,7 @@ - #include - #include - #include -+#include - #include "selinux_internal.h" - #include "label_internal.h" - #include "callbacks.h" -@@ -57,7 +58,7 @@ - { - va_list ap; - va_start(ap, fmt); -- vfprintf(stderr, fmt, ap); -+ vsyslog(LOG_ERR, fmt, ap); - va_end(ap); - } - -diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_ruby.i libselinux-2.0.67/src/selinuxswig_ruby.i ---- nsalibselinux/src/selinuxswig_ruby.i 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.67/src/selinuxswig_ruby.i 2008-07-09 16:52:33.000000000 -0400 -@@ -0,0 +1,147 @@ -+/* Author: James Athey -+ */ -+ -+%module selinux -+%{ -+ #include "selinux/selinux.h" -+%} -+ -+/* security_get_boolean_names() typemap */ -+/* -+%typemap(argout) (char ***names, int *len) { -+ PyObject* list = PyList_New(*$2); -+ int i; -+ for (i = 0; i < *$2; i++) { -+ PyList_SetItem(list, i, PyString_FromString((*$1)[i])); -+ } -+ $result = SWIG_Python_AppendOutput($result, list); -+} -+*/ -+/* return a sid along with the result */ -+%typemap(argout) (security_id_t * sid) { -+ if (*$1) { -+ %append_output(SWIG_NewPointerObj(*$1, $descriptor(security_id_t), 0)); -+ } -+/* else { -+ Py_INCREF(Py_None); -+ %append_output(Py_None); -+ } -+*/ -+} -+ -+%typemap(in,numinputs=0) security_id_t *(security_id_t temp) { -+ $1 = &temp; -+} -+ -+/* Makes security_compute_user() return a Python list of contexts */ -+/* -+%typemap(argout) (security_context_t **con) { -+ PyObject* plist; -+ int i, len = 0; -+ -+ if (*$1) { -+ while((*$1)[len]) -+ len++; -+ plist = PyList_New(len); -+ for (i = 0; i < len; i++) { -+ PyList_SetItem(plist, i, 
PyString_FromString((*$1)[i])); -+ } -+ } else { -+ plist = PyList_New(0); -+ } -+ -+ $result = SWIG_Python_AppendOutput($result, plist); -+} -+*/ -+/* Makes functions in get_context_list.h return a Python list of contexts */ -+ -+#ifdef fixme -+%typemap(argout) (security_context_t **list) { -+ PyObject* plist; -+ int i; -+ -+ if (*$1) { -+ plist = PyList_New(result); -+ for (i = 0; i < result; i++) { -+ PyList_SetItem(plist, i, PyString_FromString((*$1)[i])); -+ } -+ } else { -+ plist = PyList_New(0); -+ } -+ /* Only return the Python list, don't need to return the length anymore */ -+ $result = plist; -+} -+#endif -+ -+%typemap(in,noblock=1,numinputs=0) security_context_t * (security_context_t temp = 0) { -+ $1 = &temp; -+} -+%typemap(freearg,match="in") security_context_t * ""; -+%typemap(argout,noblock=1) security_context_t * { -+ if (*$1) { -+ %append_output(SWIG_FromCharPtr(*$1)); -+ freecon(*$1); -+ } -+/* -+ else { -+ Py_INCREF(Py_None); -+ %append_output(Py_None); -+ } -+*/ -+} -+ -+%typemap(in,noblock=1,numinputs=0) char ** (char * temp = 0) { -+ $1 = &temp; -+} -+%typemap(freearg,match="in") char ** ""; -+%typemap(argout,noblock=1) char ** { -+ if (*$1) { -+ %append_output(SWIG_FromCharPtr(*$1)); -+ free(*$1); -+ } -+/* -+ else { -+ Py_INCREF(Py_None); -+ %append_output(Py_None); -+ } -+*/ -+} -+/* -+%typemap(in) char * const [] { -+ int i, size; -+ PyObject * s; -+ -+ if (!PySequence_Check($input)) { -+ PyErr_SetString(PyExc_ValueError, "Expected a sequence"); -+ return NULL; -+ } -+ -+ size = PySequence_Size($input); -+ -+ $1 = (char**) malloc(size + 1); -+ for(i = 0; i < size; i++) { -+ if (!PyString_Check(PySequence_GetItem($input, i))) { -+ PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings"); -+ return NULL; -+ } -+ } -+ -+ for(i = 0; i < size; i++) { -+ s = PySequence_GetItem($input, i); -+ $1[i] = (char*) malloc(PyString_Size(s) + 1); -+ strcpy($1[i], PyString_AsString(s)); -+ } -+ $1[size] = NULL; -+} -+*/ -+ 
-+%typemap(freearg,match="in") char * const [] { -+ int i = 0; -+ while($1[i]) { -+ free($1[i]); -+ i++; -+ } -+ free($1); -+} -+ -+%include "selinuxswig.i" diff --git a/libselinux-2.0.67.tar.bz2 b/libselinux-2.0.67.tar.bz2 deleted file mode 100644 index 6146ab7..0000000 --- a/libselinux-2.0.67.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c6044bb0e9531dfa21aa297b28fcef26df16c46f6d33b567942833524e96a92d -size 135165 diff --git a/libselinux-2.0.71-rhat.patch b/libselinux-2.0.71-rhat.patch new file mode 100644 index 0000000..15ec9f3 --- /dev/null +++ b/libselinux-2.0.71-rhat.patch 
@@ -0,0 +1,97 @@ +diff --exclude-from=exclude -N -u -r nsalibselinux/ChangeLog libselinux-2.0.70/ChangeLog +--- nsalibselinux/ChangeLog 2008-08-05 09:58:25.000000000 -0400 ++++ libselinux-2.0.70/ChangeLog 2008-08-01 06:51:25.000000000 -0400 +@@ -1,11 +1,3 @@ +-2.0.71 2008-08-05 +- * Add group support to seusers using %groupname syntax from Dan Walsh. +- * Mark setrans socket close-on-exec from Stephen Smalley. +- * Only apply nodups checking to base file contexts from Stephen Smalley. +- +-2.0.70 2008-07-30 +- * Merge ruby bindings from Dan Walsh. +- + 2.0.69 2008-07-29 + * Handle duplicate file context regexes as a fatal error from Stephen Smalley. + This prevents adding them via semanage. +diff --exclude-from=exclude -N -u -r nsalibselinux/VERSION libselinux-2.0.70/VERSION +--- nsalibselinux/VERSION 2008-08-05 09:58:25.000000000 -0400 ++++ libselinux-2.0.70/VERSION 2008-08-01 06:51:25.000000000 -0400 +@@ -1 +1 @@ +-2.0.71 ++2.0.69 +diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.70/man/man8/selinuxconlist.8 +--- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500 ++++ libselinux-2.0.70/man/man8/selinuxconlist.8 2008-08-01 06:51:25.000000000 -0400 +@@ -0,0 +1,18 @@ ++.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" ++.SH "NAME" ++selinuxconlist \- list all SELinux context reachable for user ++.SH "SYNOPSIS" ++.B selinuxconlist [-l level] user [context] ++ ++.SH "DESCRIPTION" ++.B selinuxconlist ++reports the list of context reachable for user from the current context or specified context ++ ++.B \-l level ++mcs/mls level ++ ++.SH AUTHOR ++This manual page was written by Dan Walsh . 
++ ++.SH "SEE ALSO" ++secon(8), selinuxdefcon(8) +diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.70/man/man8/selinuxdefcon.8 +--- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500 ++++ libselinux-2.0.70/man/man8/selinuxdefcon.8 2008-08-01 06:51:25.000000000 -0400 +@@ -0,0 +1,19 @@ ++.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" ++.SH "NAME" ++selinuxdefcon \- list default SELinux context for user ++ ++.SH "SYNOPSIS" ++.B selinuxdefcon [-l level] user [fromcon] ++ ++.SH "DESCRIPTION" ++.B seconlist ++reports the default context for the specified user from current context or specified context ++ ++.B \-l level ++mcs/mls level ++ ++.SH AUTHOR ++This manual page was written by Dan Walsh . ++ ++.SH "SEE ALSO" ++secon(8), selinuxconlist(8) +diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2.0.70/src/callbacks.c +--- nsalibselinux/src/callbacks.c 2008-06-12 23:25:14.000000000 -0400 ++++ libselinux-2.0.70/src/callbacks.c 2008-08-01 06:51:25.000000000 -0400 +@@ -16,6 +16,7 @@ + { + int rc; + va_list ap; ++ if (is_selinux_enabled() == 0) return 0; + va_start(ap, fmt); + rc = vfprintf(stderr, fmt, ap); + va_end(ap); +diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.70/src/matchpathcon.c +--- nsalibselinux/src/matchpathcon.c 2008-06-12 23:25:14.000000000 -0400 ++++ libselinux-2.0.70/src/matchpathcon.c 2008-08-01 06:51:25.000000000 -0400 +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include "selinux_internal.h" + #include "label_internal.h" + #include "callbacks.h" +@@ -57,7 +58,7 @@ + { + va_list ap; + va_start(ap, fmt); +- vfprintf(stderr, fmt, ap); ++ vsyslog(LOG_ERR, fmt, ap); + va_end(ap); + } + diff --git a/libselinux-2.0.71.tar.bz2 b/libselinux-2.0.71.tar.bz2 new file mode 100644 index 0000000..5dbd9f9 --- /dev/null +++ b/libselinux-2.0.71.tar.bz2 
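Review bot: The new libselinux-2.0.71-rhat.patch is generated in the wrong direction for the tarball it is applied to: its `---` side is the `nsalibselinux` tree whose ChangeLog starts at 2.0.71, and its `+++` side is `libselinux-2.0.70`, so the VERSION hunk turns `2.0.71` into `2.0.69` and the ChangeLog hunk deletes the 2.0.70 and 2.0.71 entries once `%patch0 -p1` runs on libselinux-2.0.71.tar.bz2. Those two hunks should be dropped, or the patch regenerated from the correct base, otherwise the built tree reports a version older than the one in the spec. The remaining hunks change runtime behaviour rather than only adding man pages: callbacks.c's default log callback now returns 0 without printing when `is_selinux_enabled() == 0`, and matchpathcon.c replaces `vfprintf(stderr, fmt, ap)` with `vsyslog(LOG_ERR, fmt, ap)`, which sends those diagnostics to syslog under the calling program's syslog identity from every program that links libselinux. Both are worth a line in libselinux.changes so that missing or relocated error output is not a surprise when diagnosing labelling or policy problems.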
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5b5201c6be9863f767774b96c2f008f66eaf24a131e3a4732102cbf4842c4ebd +size 136931 diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index ccdc99a..d32b399 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Sep 2 12:10:05 CEST 2008 - prusnak@suse.cz + +- updated to 2.0.71 + * Merge ruby bindings from Dan Walsh. + +------------------------------------------------------------------- +Mon Sep 1 07:35:00 CEST 2008 - aj@suse.de + +- Fix build of debuginfo. + ------------------------------------------------------------------- Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index ae129b0..438cd78 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,5 +1,5 @@ # -# spec file for package libselinux-bindings (Version 2.0.67) +# spec file for package libselinux-bindings (Version 2.0.71) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -22,7 +22,7 @@ BuildRequires: python-devel ruby-devel swig BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux-bindings -Version: 2.0.67 +Version: 2.0.71 Release: 1 Url: http://www.nsa.gov/selinux/ License: GPL v2 only; Public Domain, Freeware @@ -31,6 +31,7 @@ Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 Patch0: libselinux-%{version}-rhat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build +%define debug_package_requires python-selinux = %{version}-%{version} %description Security-enhanced Linux is a feature of the Linux(R) kernel and a 
@@ -105,10 +106,12 @@ decisions. Required for any applications that use the SELinux API. make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src swigify make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src pywrap +make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src rubywrap %install make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-pywrap +make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-rubywrap rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* %clean @@ -124,6 +127,11 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so %changelog +* Tue Sep 02 2008 prusnak@suse.cz +- updated to 2.0.71 + * Merge ruby bindings from Dan Walsh. +* Mon Sep 01 2008 aj@suse.de +- Fix build of debuginfo. * Fri Aug 22 2008 prusnak@suse.cz - added baselibs.conf file - split bindings into separate subpackage (libselinux-bindings) diff --git a/libselinux.changes b/libselinux.changes index ccdc99a..db1eba1 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz + +- updated to 2.0.71 + * Add group support to seusers using %groupname syntax from Dan Walsh. + * Mark setrans socket close-on-exec from Stephen Smalley. + * Only apply nodups checking to base file contexts from Stephen Smalley. + ------------------------------------------------------------------- Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index 86e0c0b..251704c 100644 --- a/libselinux.spec +++ b/libselinux.spec 
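Review bot: The `make ... -C src` lines in `%build` and `%install` of libselinux-bindings.spec repeat the same `LIBDIR=`/`SHLIBDIR=`/`DESTDIR=` argument lists, and the new `rubywrap` and `install-rubywrap` lines copy them a fourth and third time; a typo in one copy would silently build or install the Ruby binding against a different prefix than the Python one. Defining the common prefix once, e.g. `%define make_src make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src` and then `%{make_src} rubywrap`, keeps all targets in step. The `%build` section this hunk edits begins outside the hunk.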
@@ -1,5 +1,5 @@ # -# spec file for package libselinux (Version 2.0.67) +# spec file for package libselinux (Version 2.0.71) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -21,8 +21,8 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux -Version: 2.0.67 -Release: 3 +Version: 2.0.71 +Release: 1 Url: http://www.nsa.gov/selinux/ License: GPL v2 only; Public Domain, Freeware Group: System/Libraries @@ -30,7 +30,7 @@ Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 Patch0: %{name}-%{version}-rhat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -%define debug_package_requires libselinux1 = %{version} +%define debug_package_requires libselinux1 = %{version}-%{release} %description Security-enhanced Linux is a feature of the Linux(R) kernel and a @@ -181,6 +181,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Tue Sep 02 2008 prusnak@suse.cz +- updated to 2.0.71 + * Add group support to seusers using %%groupname syntax from Dan Walsh. + * Mark setrans socket close-on-exec from Stephen Smalley. + * Only apply nodups checking to base file contexts from Stephen Smalley. * Fri Aug 22 2008 prusnak@suse.cz - added baselibs.conf file - split bindings into separate subpackage (libselinux-bindings) From 20e6506faa589fc2e56a4121b022e0e5a3fcfe3ac1d37af2e68e68b83abac8aa Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Tue, 23 Sep 2008 22:33:39 +0000 Subject: [PATCH 04/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=4 --- libselinux-bindings.changes | 5 +++++ libselinux-bindings.spec | 8 +++++--- libselinux.changes | 5 +++++ libselinux.spec | 8 +++++--- 4 files changed, 20 insertions(+), 6 deletions(-) diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index d32b399..9e698aa 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes 
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Sep 23 12:51:33 CEST 2008 - prusnak@suse.cz + +- require only version, not release [bnc#429053] + ------------------------------------------------------------------- Tue Sep 2 12:10:05 CEST 2008 - prusnak@suse.cz diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 438cd78..6715554 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -23,7 +23,7 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.71 -Release: 1 +Release: 2 Url: http://www.nsa.gov/selinux/ License: GPL v2 only; Public Domain, Freeware Group: System/Libraries @@ -54,7 +54,7 @@ decisions. Required for any applications that use the SELinux API. License: Public Domain, Freeware Summary: SELinux library and simple utilities Group: System/Libraries -Requires: libselinux1 = %{version}-%{release} +Requires: libselinux1 = %{version} Requires: python %description -n python-selinux @@ -78,7 +78,7 @@ decisions. Required for any applications that use the SELinux API. License: Public Domain, Freeware Summary: SELinux library and simple utilities Group: System/Libraries -Requires: libselinux1 = %{version}-%{release} +Requires: libselinux1 = %{version} Requires: ruby %description -n ruby-selinux @@ -127,6 +127,8 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so %changelog +* Tue Sep 23 2008 prusnak@suse.cz +- require only version, not release [bnc#429053] * Tue Sep 02 2008 prusnak@suse.cz - updated to 2.0.71 * Merge ruby bindings from Dan Walsh. diff --git a/libselinux.changes b/libselinux.changes index db1eba1..1d42790 100644 --- a/libselinux.changes +++ b/libselinux.changes 
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Sep 23 12:51:10 CEST 2008 - prusnak@suse.cz + +- require only version, not release [bnc#429053] + ------------------------------------------------------------------- Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index 251704c..f85d9ed 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -22,7 +22,7 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux Version: 2.0.71 -Release: 1 +Release: 2 Url: http://www.nsa.gov/selinux/ License: GPL v2 only; Public Domain, Freeware Group: System/Libraries @@ -30,7 +30,7 @@ Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 Patch0: %{name}-%{version}-rhat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -%define debug_package_requires libselinux1 = %{version}-%{release} +%define debug_package_requires libselinux1 = %{version} %description Security-enhanced Linux is a feature of the Linux(R) kernel and a @@ -97,7 +97,7 @@ decisions. Required for any applications that use the SELinux API. License: GPL v2 only; Public Domain, Freeware Summary: Development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ -Requires: libselinux1 = %{version}-%{release} +Requires: libselinux1 = %{version} Requires: libsepol-devel >= %{libsepol_ver} %description devel @@ -181,6 +181,8 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Tue Sep 23 2008 prusnak@suse.cz +- require only version, not release [bnc#429053] * Tue Sep 02 2008 prusnak@suse.cz - updated to 2.0.71 * Add group support to seusers using %%groupname syntax from Dan Walsh. From 5460926b186fba9da0664771c33d71c0bf49e75204e3805ee2e1821918204b81 Mon Sep 17 00:00:00 2001 
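Review bot: The `%define debug_package_requires libselinux1 = %{version}` line in the libselinux.spec hunk drops the release from the debuginfo dependency, which is the one place an exact match matters: a debuginfo package built for release 2 would then install against a libselinux1 from release 3 whose binaries differ. Relaxing the ordinary subpackage `Requires:` to `%{version}` for bnc#429053 is fine; the debug define should stay `%define debug_package_requires libselinux1 = %{version}-%{release}`. The following commit on this page (PATCH 05/42) restores exactly that, which confirms the point; I raise it here so the two lines are not treated as the same case again.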
From: OBS User unknown Date: Wed, 22 Oct 2008 23:17:46 +0000 Subject: [PATCH 05/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=5 --- libselinux-bindings.changes | 5 +++++ libselinux-bindings.spec | 6 ++++-- libselinux.changes | 5 +++++ libselinux.spec | 6 ++++-- 4 files changed, 18 insertions(+), 4 deletions(-) diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 9e698aa..444c888 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Oct 22 16:28:48 CEST 2008 - mrueckert@suse.de + +- fix debug_packages_requires define + ------------------------------------------------------------------- Tue Sep 23 12:51:33 CEST 2008 - prusnak@suse.cz diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 6715554..beeac0b 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -23,7 +23,7 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.71 -Release: 2 +Release: 3 Url: http://www.nsa.gov/selinux/ License: GPL v2 only; Public Domain, Freeware Group: System/Libraries @@ -31,7 +31,7 @@ Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 Patch0: libselinux-%{version}-rhat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -%define debug_package_requires python-selinux = %{version}-%{version} +%define debug_package_requires python-selinux = %{version}-%{release} %description Security-enhanced Linux is a feature of the Linux(R) kernel and a @@ -127,6 +127,8 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so %changelog +* Wed Oct 22 2008 mrueckert@suse.de +- fix debug_packages_requires define * Tue Sep 23 2008 prusnak@suse.cz - require only version, not release [bnc#429053] * Tue Sep 02 2008 prusnak@suse.cz 
diff --git a/libselinux.changes b/libselinux.changes index 1d42790..eee16a3 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Oct 22 16:28:59 CEST 2008 - mrueckert@suse.de + +- fix debug_packages_requires define + ------------------------------------------------------------------- Tue Sep 23 12:51:10 CEST 2008 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index f85d9ed..478cbe3 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -22,7 +22,7 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux Version: 2.0.71 -Release: 2 +Release: 3 Url: http://www.nsa.gov/selinux/ License: GPL v2 only; Public Domain, Freeware Group: System/Libraries @@ -30,7 +30,7 @@ Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 Patch0: %{name}-%{version}-rhat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -%define debug_package_requires libselinux1 = %{version} +%define debug_package_requires libselinux1 = %{version}-%{release} %description Security-enhanced Linux is a feature of the Linux(R) kernel and a @@ -181,6 +181,8 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Wed Oct 22 2008 mrueckert@suse.de +- fix debug_packages_requires define * Tue Sep 23 2008 prusnak@suse.cz - require only version, not release [bnc#429053] * Tue Sep 02 2008 prusnak@suse.cz From 107f24b3bf2c86c316e00cf2e43a30d99ceab23d755be55cdf3b30dc1a121bae Mon Sep 17 00:00:00 2001 
From: OBS User unknown Date: Mon, 19 Jan 2009 01:22:32 +0000 Subject: [PATCH 06/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=6 --- libselinux-2.0.71-rhat.patch | 97 -------------------------------- libselinux-2.0.71.tar.bz2 | 3 - libselinux-2.0.77-rhat.patch.bz2 | 3 + libselinux-2.0.77.tar.bz2 | 3 + libselinux-bindings.changes | 31 +++++++++- libselinux-bindings.spec | 29 ++++++++-- libselinux.changes | 28 +++++++++ libselinux.spec | 30 ++++++++-- 8 files changed, 111 insertions(+), 113 deletions(-) delete mode 100644 libselinux-2.0.71-rhat.patch delete mode 100644 libselinux-2.0.71.tar.bz2 create mode 100644 libselinux-2.0.77-rhat.patch.bz2 create mode 100644 libselinux-2.0.77.tar.bz2 diff --git a/libselinux-2.0.71-rhat.patch b/libselinux-2.0.71-rhat.patch deleted file mode 100644 index 15ec9f3..0000000 --- a/libselinux-2.0.71-rhat.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -diff --exclude-from=exclude -N -u -r nsalibselinux/ChangeLog libselinux-2.0.70/ChangeLog ---- nsalibselinux/ChangeLog 2008-08-05 09:58:25.000000000 -0400 -+++ libselinux-2.0.70/ChangeLog 2008-08-01 06:51:25.000000000 -0400 -@@ -1,11 +1,3 @@ --2.0.71 2008-08-05 -- * Add group support to seusers using %groupname syntax from Dan Walsh. -- * Mark setrans socket close-on-exec from Stephen Smalley. -- * Only apply nodups checking to base file contexts from Stephen Smalley. -- --2.0.70 2008-07-30 -- * Merge ruby bindings from Dan Walsh. -- - 2.0.69 2008-07-29 - * Handle duplicate file context regexes as a fatal error from Stephen Smalley. - This prevents adding them via semanage. -diff --exclude-from=exclude -N -u -r nsalibselinux/VERSION libselinux-2.0.70/VERSION ---- nsalibselinux/VERSION 2008-08-05 09:58:25.000000000 -0400 -+++ libselinux-2.0.70/VERSION 2008-08-01 06:51:25.000000000 -0400 -@@ -1 +1 @@ --2.0.71 -+2.0.69 -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.70/man/man8/selinuxconlist.8 ---- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.70/man/man8/selinuxconlist.8 2008-08-01 06:51:25.000000000 -0400 -@@ -0,0 +1,18 @@ -+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" -+.SH "NAME" -+selinuxconlist \- list all SELinux context reachable for user -+.SH "SYNOPSIS" -+.B selinuxconlist [-l level] user [context] -+ -+.SH "DESCRIPTION" -+.B selinuxconlist -+reports the list of context reachable for user from the current context or specified context -+ -+.B \-l level -+mcs/mls level -+ -+.SH AUTHOR -+This manual page was written by Dan Walsh . 
-+ -+.SH "SEE ALSO" -+secon(8), selinuxdefcon(8) -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.70/man/man8/selinuxdefcon.8 ---- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.70/man/man8/selinuxdefcon.8 2008-08-01 06:51:25.000000000 -0400 -@@ -0,0 +1,19 @@ -+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" -+.SH "NAME" -+selinuxdefcon \- list default SELinux context for user -+ -+.SH "SYNOPSIS" -+.B selinuxdefcon [-l level] user [fromcon] -+ -+.SH "DESCRIPTION" -+.B seconlist -+reports the default context for the specified user from current context or specified context -+ -+.B \-l level -+mcs/mls level -+ -+.SH AUTHOR -+This manual page was written by Dan Walsh . -+ -+.SH "SEE ALSO" -+secon(8), selinuxconlist(8) -diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2.0.70/src/callbacks.c ---- nsalibselinux/src/callbacks.c 2008-06-12 23:25:14.000000000 -0400 -+++ libselinux-2.0.70/src/callbacks.c 2008-08-01 06:51:25.000000000 -0400 -@@ -16,6 +16,7 @@ - { - int rc; - va_list ap; -+ if (is_selinux_enabled() == 0) return 0; - va_start(ap, fmt); - rc = vfprintf(stderr, fmt, ap); - va_end(ap); -diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.70/src/matchpathcon.c ---- nsalibselinux/src/matchpathcon.c 2008-06-12 23:25:14.000000000 -0400 -+++ libselinux-2.0.70/src/matchpathcon.c 2008-08-01 06:51:25.000000000 -0400 -@@ -2,6 +2,7 @@ - #include - #include - #include -+#include - #include "selinux_internal.h" - #include "label_internal.h" - #include "callbacks.h" -@@ -57,7 +58,7 @@ - { - va_list ap; - va_start(ap, fmt); -- vfprintf(stderr, fmt, ap); -+ vsyslog(LOG_ERR, fmt, ap); - va_end(ap); - } - diff --git a/libselinux-2.0.71.tar.bz2 b/libselinux-2.0.71.tar.bz2 deleted file mode 100644 index 5dbd9f9..0000000 --- a/libselinux-2.0.71.tar.bz2 +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5b5201c6be9863f767774b96c2f008f66eaf24a131e3a4732102cbf4842c4ebd -size 136931 diff --git a/libselinux-2.0.77-rhat.patch.bz2 b/libselinux-2.0.77-rhat.patch.bz2 new file mode 100644 index 0000000..34ce6ac --- /dev/null +++ b/libselinux-2.0.77-rhat.patch.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fcc6064a69aec8a348bc7140add3f1332381fa17b1ab389eb49bb25d09627d66 +size 11402 diff --git a/libselinux-2.0.77.tar.bz2 b/libselinux-2.0.77.tar.bz2 new file mode 100644 index 0000000..fbb3c24 --- /dev/null +++ b/libselinux-2.0.77.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:586232612b5699ba8e5990fc8b90b9012512e70e47c315b1d8e16c6c0cf32ef1 +size 131380 diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 444c888..480e36c 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes 
@@ -1,17 +1,42 @@ ------------------------------------------------------------------- -Wed Oct 22 16:28:48 CEST 2008 - mrueckert@suse.de +Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz + +- updated to 2.0.77 + * add new function getseuser which will take username and service + and return seuser and level; ipa will populate file in future + * change selinuxdefcon to return just the context by default + * fix segfault if seusers file does not work + * strip trailing / for matchpathcon + * fix restorecon python code + +------------------------------------------------------------------- +Mon Dec 1 11:32:50 CET 2008 - prusnak@suse.cz + +- updated to 2.0.76 + * allow shell-style wildcarding in X names + * add Restorecon/Install python functions + * correct message types in AVC log messages + * make matchpathcon -V pass mode + * add man page for selinux_file_context_cmp + * update flask headers from refpolicy trunk + +------------------------------------------------------------------- +Wed Oct 22 16:28:59 CEST 2008 - mrueckert@suse.de - fix debug_packages_requires define ------------------------------------------------------------------- -Tue Sep 23 12:51:33 CEST 2008 - prusnak@suse.cz +Tue Sep 23 12:51:10 CEST 2008 - prusnak@suse.cz - require only version, not release [bnc#429053] ------------------------------------------------------------------- -Tue Sep 2 12:10:05 CEST 2008 - prusnak@suse.cz +Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz - updated to 2.0.71 + * Add group support to seusers using %groupname syntax from Dan Walsh. + * Mark setrans socket close-on-exec from Stephen Smalley. + * Only apply nodups checking to base file contexts from Stephen Smalley. * Merge ruby bindings from Dan Walsh. ------------------------------------------------------------------- diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index beeac0b..3d33973 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec 
@@ -1,7 +1,7 @@ # -# spec file for package libselinux-bindings (Version 2.0.71) +# spec file for package libselinux-bindings (Version 2.0.77) # -# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,14 +22,14 @@ BuildRequires: python-devel ruby-devel swig BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux-bindings -Version: 2.0.71 -Release: 3 +Version: 2.0.77 +Release: 1 Url: http://www.nsa.gov/selinux/ License: GPL v2 only; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 -Patch0: libselinux-%{version}-rhat.patch +Patch0: libselinux-%{version}-rhat.patch.bz2 BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires python-selinux = %{version}-%{release} 
@@ -127,12 +127,31 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so %changelog +* Wed Jan 14 2009 prusnak@suse.cz +- updated to 2.0.77 + * add new function getseuser which will take username and service + and return seuser and level; ipa will populate file in future + * change selinuxdefcon to return just the context by default + * fix segfault if seusers file does not work + * strip trailing / for matchpathcon + * fix restorecon python code +* Mon Dec 01 2008 prusnak@suse.cz +- updated to 2.0.76 + * allow shell-style wildcarding in X names + * add Restorecon/Install python functions + * correct message types in AVC log messages + * make matchpathcon -V pass mode + * add man page for selinux_file_context_cmp + * update flask headers from refpolicy trunk * Wed Oct 22 2008 mrueckert@suse.de - fix debug_packages_requires define * Tue Sep 23 2008 prusnak@suse.cz - require only version, not release [bnc#429053] * Tue Sep 02 2008 prusnak@suse.cz - updated to 2.0.71 + * Add group support to seusers using %%groupname syntax from Dan Walsh. + * Mark setrans socket close-on-exec from Stephen Smalley. + * Only apply nodups checking to base file contexts from Stephen Smalley. * Merge ruby bindings from Dan Walsh. * Mon Sep 01 2008 aj@suse.de - Fix build of debuginfo. diff --git a/libselinux.changes b/libselinux.changes index eee16a3..480e36c 100644 --- a/libselinux.changes +++ b/libselinux.changes 
@@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz + +- updated to 2.0.77 + * add new function getseuser which will take username and service + and return seuser and level; ipa will populate file in future + * change selinuxdefcon to return just the context by default + * fix segfault if seusers file does not work + * strip trailing / for matchpathcon + * fix restorecon python code + +------------------------------------------------------------------- +Mon Dec 1 11:32:50 CET 2008 - prusnak@suse.cz + +- updated to 2.0.76 + * allow shell-style wildcarding in X names + * add Restorecon/Install python functions + * correct message types in AVC log messages + * make matchpathcon -V pass mode + * add man page for selinux_file_context_cmp + * update flask headers from refpolicy trunk + ------------------------------------------------------------------- Wed Oct 22 16:28:59 CEST 2008 - mrueckert@suse.de @@ -15,6 +37,12 @@ Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz * Add group support to seusers using %groupname syntax from Dan Walsh. * Mark setrans socket close-on-exec from Stephen Smalley. * Only apply nodups checking to base file contexts from Stephen Smalley. + * Merge ruby bindings from Dan Walsh. + +------------------------------------------------------------------- +Mon Sep 1 07:35:00 CEST 2008 - aj@suse.de + +- Fix build of debuginfo. ------------------------------------------------------------------- Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index 478cbe3..b5a9b1c 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -1,7 +1,7 @@ # -# spec file for package libselinux (Version 2.0.71) +# spec file for package libselinux (Version 2.0.77) # -# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,14 +21,14 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux -Version: 2.0.71 -Release: 3 +Version: 2.0.77 +Release: 1 Url: http://www.nsa.gov/selinux/ License: GPL v2 only; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 -Patch0: %{name}-%{version}-rhat.patch +Patch0: %{name}-%{version}-rhat.patch.bz2 BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires libselinux1 = %{version}-%{release} @@ -158,6 +158,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/avcstat %{_sbindir}/getenforce %{_sbindir}/getsebool +/sbin/matchpathcon %{_sbindir}/matchpathcon %{_sbindir}/selinuxconlist %{_sbindir}/selinuxdefcon 
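Review bot: `/sbin/matchpathcon` is added to the `%files` list in the last hunk, but nothing visible in this commit creates that file: the `%install` section is outside the hunk and the new rhat patch arrives as a compressed blob, so I cannot tell which of them is expected to put it there. If neither does, rpmbuild fails with a missing-file error; if it is a copy rather than a link, the same tool ships twice under `/sbin` and `%{_sbindir}`. Making the origin explicit in `%install`, e.g. `mkdir -p $RPM_BUILD_ROOT/sbin` followed by `ln -s %{_sbindir}/matchpathcon $RPM_BUILD_ROOT/sbin/matchpathcon`, and a changelog line saying why a `/sbin` path is needed would make the intent reviewable.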
@@ -181,6 +182,22 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Wed Jan 14 2009 prusnak@suse.cz +- updated to 2.0.77 + * add new function getseuser which will take username and service + and return seuser and level; ipa will populate file in future + * change selinuxdefcon to return just the context by default + * fix segfault if seusers file does not work + * strip trailing / for matchpathcon + * fix restorecon python code +* Mon Dec 01 2008 prusnak@suse.cz +- updated to 2.0.76 + * allow shell-style wildcarding in X names + * add Restorecon/Install python functions + * correct message types in AVC log messages + * make matchpathcon -V pass mode + * add man page for selinux_file_context_cmp + * update flask headers from refpolicy trunk * Wed Oct 22 2008 mrueckert@suse.de - fix debug_packages_requires define * Tue Sep 23 2008 prusnak@suse.cz @@ -190,6 +207,9 @@ rm -rf $RPM_BUILD_ROOT * Add group support to seusers using %%groupname syntax from Dan Walsh. * Mark setrans socket close-on-exec from Stephen Smalley. * Only apply nodups checking to base file contexts from Stephen Smalley. + * Merge ruby bindings from Dan Walsh. +* Mon Sep 01 2008 aj@suse.de +- Fix build of debuginfo. * Fri Aug 22 2008 prusnak@suse.cz - added baselibs.conf file - split bindings into separate subpackage (libselinux-bindings) From 6fa62e4d8ab3e5108de7cb4389f22528ec255f91e4aef13316adaf1d50e1e63c Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Thu, 23 Apr 2009 16:30:16 +0000 Subject: [PATCH 07/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=7 --- libselinux-2.0.77-memleak.patch | 11 +++++++++++ libselinux-bindings.changes | 5 +++++ libselinux-bindings.spec | 6 +++++- libselinux.changes | 5 +++++ libselinux.spec | 6 +++++- 5 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 libselinux-2.0.77-memleak.patch 
diff --git a/libselinux-2.0.77-memleak.patch b/libselinux-2.0.77-memleak.patch new file mode 100644 index 0000000..81d3f25 --- /dev/null +++ b/libselinux-2.0.77-memleak.patch @@ -0,0 +1,11 @@ +--- src/label_file.c ++++ src/label_file.c +@@ -299,6 +299,8 @@ + COMPAT_LOG(SELINUX_WARNING, + "%s: line %d is missing fields, skipping\n", path, + lineno); ++ if (items == 1) ++ free(regex); + return 0; + } else if (items == 2) { + /* The type field is optional. */ diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 480e36c..0eb7c58 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz + +- fixed memory leak (memleak.patch) + ------------------------------------------------------------------- Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 3d33973..4d474aa 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -23,13 +23,14 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.77 -Release: 1 +Release: 2 Url: http://www.nsa.gov/selinux/ License: GPL v2 only; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 Patch0: libselinux-%{version}-rhat.patch.bz2 +Patch1: libselinux-%{version}-memleak.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires python-selinux = %{version}-%{release} @@ -101,6 +102,7 @@ decisions. Required for any applications that use the SELinux API. %prep %setup -q -n libselinux-%{version} %patch0 -p1 +%patch1 %build make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src 
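Review bot: `%patch1` in the `%prep` hunk is applied without a strip level while `%patch0 -p1` sits directly above it; the new patch's paths are `src/label_file.c` relative to the unpacked tree, so `-p0` is what is intended, and writing `%patch1 -p0` states that instead of relying on patch's no-option path handling. The fix itself, freeing `regex` when only one field was scanned before the early `return 0`, looks right for the branch shown, but the `if` that guards this branch is outside the quoted context, so I take the `items == 1` condition on trust. The identical `%patch1` line in the libselinux.spec hunk further along has the same issue.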
@@ -127,6 +129,8 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so %changelog +* Fri Apr 17 2009 prusnak@suse.cz +- fixed memory leak (memleak.patch) * Wed Jan 14 2009 prusnak@suse.cz - updated to 2.0.77 * add new function getseuser which will take username and service diff --git a/libselinux.changes b/libselinux.changes index 480e36c..0eb7c58 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz + +- fixed memory leak (memleak.patch) + ------------------------------------------------------------------- Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index b5a9b1c..8ec1b7a 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -22,13 +22,14 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux Version: 2.0.77 -Release: 1 +Release: 2 Url: http://www.nsa.gov/selinux/ License: GPL v2 only; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 Patch0: %{name}-%{version}-rhat.patch.bz2 +Patch1: %{name}-%{version}-memleak.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires libselinux1 = %{version}-%{release} @@ -119,6 +120,7 @@ necessary to develop your own software using libselinux. %prep %setup -q %patch0 -p1 +%patch1 %build make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" @@ -182,6 +184,8 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog +* Fri Apr 17 2009 prusnak@suse.cz +- fixed memory leak (memleak.patch) * Wed Jan 14 2009 prusnak@suse.cz - updated to 2.0.77 * add new function getseuser which will take username and service From c003672eed3e7a32abc28632ce87a246c6ebf20139636dbcfbb78fda7556ca03 Mon Sep 17 00:00:00 2001 
From: OBS User unknown Date: Mon, 29 Jun 2009 12:18:50 +0000 Subject: [PATCH 08/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=8 --- libselinux-2.0.77-memleak.patch | 11 ------ libselinux-2.0.77-rhat.patch.bz2 | 3 -- libselinux-2.0.77.tar.bz2 | 3 -- libselinux-2.0.80-rhat.patch.bz2 | 3 ++ libselinux-2.0.80.tar.bz2 | 3 ++ libselinux-bindings.changes | 11 ++++++ libselinux-bindings.spec | 49 +++----------------------- libselinux.changes | 17 +++++++++ libselinux.spec | 60 +++++--------------------------- 9 files changed, 47 insertions(+), 113 deletions(-) delete mode 100644 libselinux-2.0.77-memleak.patch delete mode 100644 libselinux-2.0.77-rhat.patch.bz2 delete mode 100644 libselinux-2.0.77.tar.bz2 create mode 100644 libselinux-2.0.80-rhat.patch.bz2 create mode 100644 libselinux-2.0.80.tar.bz2 diff --git a/libselinux-2.0.77-memleak.patch b/libselinux-2.0.77-memleak.patch deleted file mode 100644 index 81d3f25..0000000 --- a/libselinux-2.0.77-memleak.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- src/label_file.c -+++ src/label_file.c -@@ -299,6 +299,8 @@ - COMPAT_LOG(SELINUX_WARNING, - "%s: line %d is missing fields, skipping\n", path, - lineno); -+ if (items == 1) -+ free(regex); - return 0; - } else if (items == 2) { - /* The type field is optional. */ diff --git a/libselinux-2.0.77-rhat.patch.bz2 b/libselinux-2.0.77-rhat.patch.bz2 deleted file mode 100644 index 34ce6ac..0000000 --- a/libselinux-2.0.77-rhat.patch.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fcc6064a69aec8a348bc7140add3f1332381fa17b1ab389eb49bb25d09627d66 -size 11402 diff --git a/libselinux-2.0.77.tar.bz2 b/libselinux-2.0.77.tar.bz2 deleted file mode 100644 index fbb3c24..0000000 --- a/libselinux-2.0.77.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:586232612b5699ba8e5990fc8b90b9012512e70e47c315b1d8e16c6c0cf32ef1 -size 131380 
diff --git a/libselinux-2.0.80-rhat.patch.bz2 b/libselinux-2.0.80-rhat.patch.bz2 new file mode 100644 index 0000000..e94a61a --- /dev/null +++ b/libselinux-2.0.80-rhat.patch.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5c899b1b2708e28d9a46b3590c8d0d35bcafb911667319ba5895a2a8ab8eaf77 +size 48225 diff --git a/libselinux-2.0.80.tar.bz2 b/libselinux-2.0.80.tar.bz2 new file mode 100644 index 0000000..5b339e4 --- /dev/null +++ b/libselinux-2.0.80.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1a37fa19bfa6e34e5de0664324b2c14a1aa6a135cf33d55d30b6dc4f392416c3 +size 134184 diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 0eb7c58..747284b 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Wed May 27 14:06:14 CEST 2009 - prusnak@suse.cz + +- updated to 2.0.80 + * deny_unknown wrapper function from KaiGai Kohei + * security_compute_av_flags API from KaiGai Kohei + * Netlink socket management and callbacks from KaiGai Kohei + * Netlink socket handoff patch from Adam Jackson + * AVC caching of compute_create results by Eric Paris + * fix incorrect conversion in discover_class code + ------------------------------------------------------------------- Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 4d474aa..b716e16 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,5 +1,5 @@ # -# spec file for package libselinux-bindings (Version 2.0.77) +# spec file for package libselinux-bindings (Version 2.0.80) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -22,15 +22,14 @@ BuildRequires: python-devel ruby-devel swig BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux-bindings -Version: 2.0.77 -Release: 2 +Version: 2.0.80 +Release: 1 Url: http://www.nsa.gov/selinux/ -License: GPL v2 only; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 Patch0: libselinux-%{version}-rhat.patch.bz2 -Patch1: libselinux-%{version}-memleak.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires python-selinux = %{version}-%{release} @@ -102,7 +101,6 @@ decisions. Required for any applications that use the SELinux API. %prep %setup -q -n libselinux-%{version} %patch0 -p1 -%patch1 %build make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src 
@@ -129,42 +127,3 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so %changelog -* Fri Apr 17 2009 prusnak@suse.cz -- fixed memory leak (memleak.patch) -* Wed Jan 14 2009 prusnak@suse.cz -- updated to 2.0.77 - * add new function getseuser which will take username and service - and return seuser and level; ipa will populate file in future - * change selinuxdefcon to return just the context by default - * fix segfault if seusers file does not work - * strip trailing / for matchpathcon - * fix restorecon python code -* Mon Dec 01 2008 prusnak@suse.cz -- updated to 2.0.76 - * allow shell-style wildcarding in X names - * add Restorecon/Install python functions - * correct message types in AVC log messages - * make matchpathcon -V pass mode - * add man page for selinux_file_context_cmp - * update flask headers from refpolicy trunk -* Wed Oct 22 2008 mrueckert@suse.de -- fix debug_packages_requires define -* Tue Sep 23 2008 prusnak@suse.cz -- require only version, not release [bnc#429053] -* Tue Sep 02 2008 prusnak@suse.cz -- updated to 2.0.71 - * Add group support to seusers using %%groupname syntax from Dan Walsh. - * Mark setrans socket close-on-exec from Stephen Smalley. - * Only apply nodups checking to base file contexts from Stephen Smalley. - * Merge ruby bindings from Dan Walsh. -* Mon Sep 01 2008 aj@suse.de -- Fix build of debuginfo. -* Fri Aug 22 2008 prusnak@suse.cz -- added baselibs.conf file -- split bindings into separate subpackage (libselinux-bindings) -- split tools into separate subpackage (selinux-tools) -* Fri Aug 01 2008 ro@suse.de -- fix requires for debuginfo package -* Tue Jul 15 2008 prusnak@suse.cz -- initial version 2.0.67 - * based on Fedora package by Dan Walsh diff --git a/libselinux.changes b/libselinux.changes index 0eb7c58..79b9a3d 100644 --- a/libselinux.changes +++ b/libselinux.changes 
@@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Tue Jun 9 20:17:54 CEST 2009 - crrodriguez@suse.de + +- remove static libraries +- libselinux-devel does not require libsepol-devel + +------------------------------------------------------------------- +Wed May 27 14:06:14 CEST 2009 - prusnak@suse.cz + +- updated to 2.0.80 + * deny_unknown wrapper function from KaiGai Kohei + * security_compute_av_flags API from KaiGai Kohei + * Netlink socket management and callbacks from KaiGai Kohei + * Netlink socket handoff patch from Adam Jackson + * AVC caching of compute_create results by Eric Paris + * fix incorrect conversion in discover_class code + ------------------------------------------------------------------- Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index 8ec1b7a..748fda4 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,5 +1,5 @@ # -# spec file for package libselinux (Version 2.0.77) +# spec file for package libselinux (Version 2.0.80) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -21,15 +21,14 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux -Version: 2.0.77 -Release: 2 +Version: 2.0.80 +Release: 1 Url: http://www.nsa.gov/selinux/ -License: GPL v2 only; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 Patch0: %{name}-%{version}-rhat.patch.bz2 -Patch1: %{name}-%{version}-memleak.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires libselinux1 = %{version}-%{release} @@ -51,7 +50,7 @@ decisions. Required for any applications that use the SELinux API. %package -n libselinux1 -License: GPL v2 only; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities 
@@ -73,7 +72,7 @@ decisions. Required for any applications that use the SELinux API. %package -n selinux-tools -License: GPL v2 only; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Base Summary: SELinux library and simple utilities @@ -95,11 +94,10 @@ decisions. Required for any applications that use the SELinux API. %package devel -License: GPL v2 only; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Summary: Development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ -Requires: libselinux1 = %{version} -Requires: libsepol-devel >= %{libsepol_ver} +Requires: libselinux1 = %{version} glibc-devel %description devel Security-enhanced Linux is a patch of the Linux(R) kernel and a number @@ -120,7 +118,6 @@ necessary to develop your own software using libselinux. %prep %setup -q %patch0 -p1 -%patch1 %build make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" @@ -147,6 +144,7 @@ rm -f $RPM_BUILD_ROOT%{_sbindir}/getseuser rm -f $RPM_BUILD_ROOT%{_sbindir}/selinux_check_securetty_context mv $RPM_BUILD_ROOT%{_sbindir}/getdefaultcon $RPM_BUILD_ROOT%{_sbindir}/selinuxdefcon mv $RPM_BUILD_ROOT%{_sbindir}/getconlist $RPM_BUILD_ROOT%{_sbindir}/selinuxconlist +rm -f %{buildroot}%{_libdir}/*.a %clean rm -rf $RPM_BUILD_ROOT 
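Review bot: In the `@@ -147,6 +144,7 @@` hunk the added line `rm -f %{buildroot}%{_libdir}/*.a` uses `%{buildroot}` while every neighbouring line of `%install` and `%clean` uses `$RPM_BUILD_ROOT`; both expand to the same directory, so this is a point of style, but mixing the two reads as if a second root were involved. Suggest `rm -f $RPM_BUILD_ROOT%{_libdir}/*.a` to match the surrounding lines.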
@@ -178,48 +176,8 @@ rm -rf $RPM_BUILD_ROOT %files devel %defattr(-,root,root,-) %{_libdir}/libselinux.so -%{_libdir}/libselinux.a %dir %{_includedir}/selinux %{_includedir}/selinux/* %{_mandir}/man3/* %changelog -* Fri Apr 17 2009 prusnak@suse.cz -- fixed memory leak (memleak.patch) -* Wed Jan 14 2009 prusnak@suse.cz -- updated to 2.0.77 - * add new function getseuser which will take username and service - and return seuser and level; ipa will populate file in future - * change selinuxdefcon to return just the context by default - * fix segfault if seusers file does not work - * strip trailing / for matchpathcon - * fix restorecon python code -* Mon Dec 01 2008 prusnak@suse.cz -- updated to 2.0.76 - * allow shell-style wildcarding in X names - * add Restorecon/Install python functions - * correct message types in AVC log messages - * make matchpathcon -V pass mode - * add man page for selinux_file_context_cmp - * update flask headers from refpolicy trunk -* Wed Oct 22 2008 mrueckert@suse.de -- fix debug_packages_requires define -* Tue Sep 23 2008 prusnak@suse.cz -- require only version, not release [bnc#429053] -* Tue Sep 02 2008 prusnak@suse.cz -- updated to 2.0.71 - * Add group support to seusers using %%groupname syntax from Dan Walsh. - * Mark setrans socket close-on-exec from Stephen Smalley. - * Only apply nodups checking to base file contexts from Stephen Smalley. - * Merge ruby bindings from Dan Walsh. -* Mon Sep 01 2008 aj@suse.de -- Fix build of debuginfo. -* Fri Aug 22 2008 prusnak@suse.cz -- added baselibs.conf file -- split bindings into separate subpackage (libselinux-bindings) -- split tools into separate subpackage (selinux-tools) -* Fri Aug 01 2008 ro@suse.de -- fix requires for debuginfo package -* Tue Jul 15 2008 prusnak@suse.cz -- initial version 2.0.67 - * based on Fedora package by Dan Walsh From 19bb8da37c1ede27e811f896b44e74bd0bd787345c98f4feccf7cf20baaa8d0f Mon Sep 17 00:00:00 2001 
From: OBS User unknown Date: Fri, 3 Jul 2009 14:04:45 +0000 Subject: [PATCH 09/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=9 --- libselinux-bindings.changes | 16 ++++ libselinux-bindings.spec | 4 +- libselinux.changes | 12 ++- libselinux.spec | 17 +++-- selinux-ready | 143 ++++++++++++++++++++++++++++++++++++ 5 files changed, 183 insertions(+), 9 deletions(-) create mode 100644 selinux-ready diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 747284b..d1e7edf 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz + +- put libsepol-devel back to Requires of libselinux-devel + +------------------------------------------------------------------- +Mon Jun 29 21:24:16 CEST 2009 - prusnak@suse.cz + +- added selinux-ready tool to selinux-tools package + +------------------------------------------------------------------- +Tue Jun 9 20:17:54 CEST 2009 - crrodriguez@suse.de + +- remove static libraries +- libselinux-devel does not require libsepol-devel + ------------------------------------------------------------------- Wed May 27 14:06:14 CEST 2009 - prusnak@suse.cz diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index b716e16..16e61d1 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -23,9 +23,9 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.80 -Release: 1 +Release: 2 Url: http://www.nsa.gov/selinux/ -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 diff --git a/libselinux.changes b/libselinux.changes index 79b9a3d..d1e7edf 100644 --- a/libselinux.changes +++ b/libselinux.changes 
@@ -1,8 +1,18 @@ +------------------------------------------------------------------- +Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz + +- put libsepol-devel back to Requires of libselinux-devel + +------------------------------------------------------------------- +Mon Jun 29 21:24:16 CEST 2009 - prusnak@suse.cz + +- added selinux-ready tool to selinux-tools package + ------------------------------------------------------------------- Tue Jun 9 20:17:54 CEST 2009 - crrodriguez@suse.de - remove static libraries -- libselinux-devel does not require libsepol-devel +- libselinux-devel does not require libsepol-devel ------------------------------------------------------------------- Wed May 27 14:06:14 CEST 2009 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index 748fda4..bb4dc96 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -22,12 +22,13 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux Version: 2.0.80 -Release: 1 +Release: 2 Url: http://www.nsa.gov/selinux/ -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 +Source1: selinux-ready Patch0: %{name}-%{version}-rhat.patch.bz2 BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires libselinux1 = %{version}-%{release} @@ -50,7 +51,7 @@ decisions. Required for any applications that use the SELinux API. %package -n libselinux1 -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities @@ -72,7 +73,7 @@ decisions. Required for any applications that use the SELinux API. %package -n selinux-tools -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Base Summary: SELinux library and simple utilities 
@@ -94,10 +95,12 @@ decisions. Required for any applications that use the SELinux API. %package devel -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Summary: Development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ -Requires: libselinux1 = %{version} glibc-devel +Requires: libselinux1 = %{version} +Requires: libsepol-devel >= %{libsepol_ver} +Requires: glibc-devel %description devel Security-enhanced Linux is a patch of the Linux(R) kernel and a number @@ -144,6 +147,7 @@ rm -f $RPM_BUILD_ROOT%{_sbindir}/getseuser rm -f $RPM_BUILD_ROOT%{_sbindir}/selinux_check_securetty_context mv $RPM_BUILD_ROOT%{_sbindir}/getdefaultcon $RPM_BUILD_ROOT%{_sbindir}/selinuxdefcon mv $RPM_BUILD_ROOT%{_sbindir}/getconlist $RPM_BUILD_ROOT%{_sbindir}/selinuxconlist +install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready rm -f %{buildroot}%{_libdir}/*.a %clean @@ -165,6 +169,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/selinuxenabled %{_sbindir}/setenforce %{_sbindir}/togglesebool +%{_sbindir}/selinux-ready %{_mandir}/man5/* %{_mandir}/man8/* diff --git a/selinux-ready b/selinux-ready new file mode 100644 index 0000000..de0fbc7 --- /dev/null +++ b/selinux-ready 
@@ -0,0 +1,143 @@ +#!/bin/bash + +KERNEL="unknown" +INITRD="unknown" +TD="" + + +# init needs /selinux to be there +check_dir() +{ + SLDIR="/selinux" + + if [ -d $SLDIR ];then + printf "\tcheck_dir: OK. $SLDIR exists.\n" + return 0 + else + printf "\tcheck_dir: ERR. $SLDIR does not exists, please execute 'mkdir $SLDIR' as root.\n" + return 1 + fi +} + +check_filesystem() +{ + FSPATH="/proc/filesystems" + FSNAME="securityfs" + + grep -w $FSNAME $FSPATH 1>&2 >/dev/null + + if [ $? == 0 ]; then + printf "\tcheck_filesystem: OK. Filesystem '$FSNAME' exists.\n" + return 0 + else + printf "\tcheck_filesystem: ERR. Filesystem '$FSNAME' is missing. Please enable SELinux while compiling the kernel.\n" + return 0 + fi +} + +check_boot() +{ + BPARAM="selinux=1" + + printf "\tcheck_boot: Assuming GRUB as bootloader.\n" + + BLINE=$(grep -- $BPARAM /boot/grub/menu.lst 2>/dev/null) # XXX check for multiple lines in config + + if [ $? == 0 ]; then + K=$(echo $BLINE | awk -F' ' '{print $2}') + KERNEL=$(basename $K) + K=$(echo $KERNEL | sed s/vmlinuz-//) + INITRD=initrd-$K + printf "\tcheck_boot: OK. Kernel '$KERNEL' has boot-parameter '$BPARAM'\n" + return 0 + else + printf "\tcheck_boot: ERR. Boot-parameter missing for booting the kernel.\n" + printf "\t Please use YaST2 to add 'selinux=1' to the kernel boot-parameter list.\n" + return 1 + fi +} + +check_mkinitrd() +{ + MCMD="mount.*/root/proc.*" + + if ! [ -f "/boot/$INITRD" ];then + printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/$INITRD'\n" + return 2 + fi + + cp /boot/$INITRD $TD/i.cpio.gz 2>/dev/null + + if ! [ -f "$TD/i.cpio.gz" ];then + printf "\tcheck_mkinitrd: ERR. Error while copying initrd file.'\n" + return 2 + fi + + + pushd . 2>&1>/dev/null + cd $TD + mkdir initrd-extracted + cd initrd-extracted + gunzip -c $TD/i.cpio.gz | cpio -i --force-local --no-absolute-filenames 2>/dev/null + grep -E -- $MCMD boot/* 2>&1 >/dev/null + FLG=$? + popd 2>&1>/dev/null + + if [ $FLG == 0 ];then + printf "\tcheck_mkinitrd: OK. 
Your initrd seems to be correct.\n" + return 0 + else + printf "\tcheck_mkinitrd: ERR. Your initrd seems not to mount /proc of\n" + printf "\t the root filesystem during boot, this may be a\n" + printf "\t reason for SELinux not working.\n" + return 1 + fi +} + +check_packages() +{ + PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 selinux-policy" + FAIL=0 + + for i in $PKGLST + do + rpm -q $i 1>&2 >/dev/null + if [ $? == 1 ];then + printf "\tcheck_packages: ERR. Package '$i' not installed, please run 'zypper in $i' as root\n" + FAIL=1 + fi + done + + if [ $FAIL == 0 ]; then + printf "\tcheck_packages: OK. All essential packages are installed\n" + return 0 + else + return 1 + fi +} + +check_config() +{ + CF="/etc/selinux/config" + + if [ -f $CF ];then + printf "\tcheck_config: OK. Config file seems to be there.\n" + return 0 + else + printf "\tcheck_config: ERR. Config file '$CF' is missing.\n" + return 1 + fi +} + +TD=$(mktemp -q -d /tmp/selinux-ready.XXXXXX) + +echo "Start checking your system if it is selinux-ready or not:" +check_dir +check_filesystem +check_boot +check_mkinitrd +check_packages +check_config + +rm -rf $TD + From d3e61412cfe83c42d06da87601e40f669bebd8b8bfbf85755b5d04d8ab8bb587 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Thu, 23 Jul 2009 13:32:36 +0000 Subject: [PATCH 10/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=10 --- libselinux-bindings.changes | 6 ++++++ libselinux-bindings.spec | 6 +++--- libselinux.changes | 6 ++++++ libselinux.spec | 10 +++++----- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index d1e7edf..17a027b 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes 
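Review bot: `check_filesystem` returns 0 on its failure branch — after `printf "\tcheck_filesystem: ERR. Filesystem '$FSNAME' is missing. ..."` the function does `return 0` where `return 1` is clearly meant, so a kernel without the filesystem prints an error yet signals success. The temporary directory is also used unchecked: if `mktemp -q -d` fails, `TD` is empty, `cd $TD` would land in `$HOME`, the initrd would be copied to `/i.cpio.gz` and unpacked under the current directory, so guard it with `TD=$(mktemp -q -d /tmp/selinux-ready.XXXXXX) || exit 1`. The redirections `1>&2 >/dev/null` and `2>&1>/dev/null` leave stderr on the terminal because the dup happens before stdout is redirected; `>/dev/null 2>&1` is the intended order. Finally the script's exit status is that of the trailing `rm -rf $TD`, not of the checks, so a caller cannot use it to tell a ready system from a failing one.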
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz + +- change libsepol-devel to libsepol-devel-static in dependencies + of python bindings + ------------------------------------------------------------------- Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 16e61d1..86cf56b 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -19,13 +19,13 @@ %define libsepol_ver 2.0.32 BuildRequires: python-devel ruby-devel swig -BuildRequires: libsepol-devel >= %{libsepol_ver} +BuildRequires: libsepol-devel-static >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.80 -Release: 2 +Release: 3 Url: http://www.nsa.gov/selinux/ -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 diff --git a/libselinux.changes b/libselinux.changes index d1e7edf..17a027b 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz + +- change libsepol-devel to libsepol-devel-static in dependencies + of python bindings + ------------------------------------------------------------------- Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index bb4dc96..ef1ec12 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -22,9 +22,9 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux Version: 2.0.80 -Release: 2 +Release: 3 Url: http://www.nsa.gov/selinux/ -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 
@@ -51,7 +51,7 @@ decisions. Required for any applications that use the SELinux API. %package -n libselinux1 -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities @@ -73,7 +73,7 @@ decisions. Required for any applications that use the SELinux API. %package -n selinux-tools -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Base Summary: SELinux library and simple utilities @@ -95,7 +95,7 @@ decisions. Required for any applications that use the SELinux API. %package devel -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Summary: Development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ Requires: libselinux1 = %{version} From b42729f31c1d6483c399197f877496d09ce60f0a41754a8260f953dfc2efeb03 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Fri, 24 Jul 2009 15:24:37 +0000 Subject: [PATCH 11/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=11 --- libselinux-bindings.spec | 4 ++-- libselinux.changes | 5 +++++ libselinux.spec | 10 +++++----- selinux-ready | 6 +++--- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 86cf56b..f0bdc61 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -23,9 +23,9 @@ BuildRequires: libsepol-devel-static >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.80 -Release: 3 +Release: 4 Url: http://www.nsa.gov/selinux/ -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 diff --git a/libselinux.changes b/libselinux.changes index 17a027b..4d0bf5f 100644 --- a/libselinux.changes +++ b/libselinux.changes 
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com + +- updated selinux-ready script + ------------------------------------------------------------------- Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index ef1ec12..914ab8a 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -22,9 +22,9 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux Version: 2.0.80 -Release: 3 +Release: 4 Url: http://www.nsa.gov/selinux/ -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 @@ -51,7 +51,7 @@ decisions. Required for any applications that use the SELinux API. %package -n libselinux1 -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities @@ -73,7 +73,7 @@ decisions. Required for any applications that use the SELinux API. %package -n selinux-tools -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Group: System/Base Summary: SELinux library and simple utilities @@ -95,7 +95,7 @@ decisions. Required for any applications that use the SELinux API. %package devel -License: GPL v2 only ; Public Domain, Freeware +License: GPL v2 only ; Public Domain, Freeware Summary: Development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ Requires: libselinux1 = %{version} diff --git a/selinux-ready b/selinux-ready index de0fbc7..3139506 100644 --- a/selinux-ready +++ b/selinux-ready @@ -22,7 +22,7 @@ check_dir() check_filesystem() { FSPATH="/proc/filesystems" - FSNAME="securityfs" + FSNAME="selinuxfs" grep -w $FSNAME $FSPATH 1>&2 >/dev/null 
@@ -37,11 +37,11 @@ check_filesystem() check_boot() { - BPARAM="selinux=1" + BPARAM="security=selinux.*selinux=1.*enforcing=?" # XXX order not mandatory printf "\tcheck_boot: Assuming GRUB as bootloader.\n" - BLINE=$(grep -- $BPARAM /boot/grub/menu.lst 2>/dev/null) # XXX check for multiple lines in config + BLINE=$(grep -E $BPARAM /boot/grub/menu.lst 2>/dev/null) # XXX check for multiple lines in config if [ $? == 0 ]; then K=$(echo $BLINE | awk -F' ' '{print $2}') From 3d228f79b83fb5fceeb99e30deef32307bb27a322b27a56b5ab3088489011218 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Thu, 14 Jan 2010 14:19:14 +0000 Subject: [PATCH 12/42] Accepting request 29158 from security:SELinux Copy from security:SELinux/libselinux based on submit request 29158 from user coolo OBS-URL: https://build.opensuse.org/request/show/29158 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=13 --- libselinux-bindings.spec | 6 +++--- libselinux.changes | 5 +++++ libselinux.spec | 13 +++++++------ 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index f0bdc61..0090577 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux-bindings (Version 2.0.80) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,9 +23,9 @@ BuildRequires: libsepol-devel-static >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.80 -Release: 4 +Release: 5 Url: http://www.nsa.gov/selinux/ -License: GPL v2 only ; Public Domain, Freeware +License: GPLv2 ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 
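Review bot: In `BPARAM="security=selinux.*selinux=1.*enforcing=?"` the `?` quantifies only the `=`, so the pattern merely requires the word `enforcing` somewhere after `selinux=1` and never inspects a value; if an optional `enforcing=0`/`enforcing=1` was meant, `(enforcing=[01])?` says so, and as the `XXX order not mandatory` comment admits, a `kernel` line carrying the same parameters in a different order is reported as missing. `grep -E $BPARAM` passes the pattern unquoted and only works because the value has no spaces; `grep -E -e "$BPARAM"` is the safe form. `check_boot` continues past the hunk, where the kernel name is taken from field 2 of the matched line, so a broader regex also widens what that extraction may see.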
diff --git a/libselinux.changes b/libselinux.changes index 4d0bf5f..c92bcd1 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source + ------------------------------------------------------------------- Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com diff --git a/libselinux.spec b/libselinux.spec index 914ab8a..6ddb59e 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux (Version 2.0.80) # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,13 +22,14 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux Version: 2.0.80 -Release: 4 +Release: 5 Url: http://www.nsa.gov/selinux/ -License: GPL v2 only ; Public Domain, Freeware +License: GPLv2 ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 Source1: selinux-ready +Source2: baselibs.conf Patch0: %{name}-%{version}-rhat.patch.bz2 BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires libselinux1 = %{version}-%{release} @@ -51,7 +52,7 @@ decisions. Required for any applications that use the SELinux API. %package -n libselinux1 -License: GPL v2 only ; Public Domain, Freeware +License: GPLv2 ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities @@ -73,7 +74,7 @@ decisions. Required for any applications that use the SELinux API. %package -n selinux-tools -License: GPL v2 only ; Public Domain, Freeware +License: GPLv2 ; Public Domain, Freeware Group: System/Base Summary: SELinux library and simple utilities 
@@ -95,7 +96,7 @@ decisions. Required for any applications that use the SELinux API. %package devel -License: GPL v2 only ; Public Domain, Freeware +License: GPLv2 ; Public Domain, Freeware Summary: Development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ Requires: libselinux1 = %{version} From fb1c860743b5aed7fe41a5a18e1f45331bf6e91983a0447b3f2cc8030021fe83 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Fri, 12 Mar 2010 16:35:22 +0000 Subject: [PATCH 13/42] Accepting request 34369 from security:SELinux Copy from security:SELinux/libselinux based on submit request 34369 from user prusnak OBS-URL: https://build.opensuse.org/request/show/34369 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=14 --- libselinux-2.0.80-rhat.patch.bz2 | 3 - libselinux-2.0.80.tar.bz2 | 3 - libselinux-2.0.91.tar.bz2 | 3 + libselinux-bindings.changes | 16 ++++ libselinux-bindings.spec | 12 ++- libselinux-rhat.patch | 156 +++++++++++++++++++++++++++++++ libselinux.changes | 8 +- libselinux.spec | 36 +++---- 8 files changed, 209 insertions(+), 28 deletions(-) delete mode 100644 libselinux-2.0.80-rhat.patch.bz2 delete mode 100644 libselinux-2.0.80.tar.bz2 create mode 100644 libselinux-2.0.91.tar.bz2 create mode 100644 libselinux-rhat.patch diff --git a/libselinux-2.0.80-rhat.patch.bz2 b/libselinux-2.0.80-rhat.patch.bz2 deleted file mode 100644 index e94a61a..0000000 --- a/libselinux-2.0.80-rhat.patch.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5c899b1b2708e28d9a46b3590c8d0d35bcafb911667319ba5895a2a8ab8eaf77 -size 48225 diff --git a/libselinux-2.0.80.tar.bz2 b/libselinux-2.0.80.tar.bz2 deleted file mode 100644 index 5b339e4..0000000 --- a/libselinux-2.0.80.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1a37fa19bfa6e34e5de0664324b2c14a1aa6a135cf33d55d30b6dc4f392416c3 -size 134184 
diff --git a/libselinux-2.0.91.tar.bz2 b/libselinux-2.0.91.tar.bz2 new file mode 100644 index 0000000..20528dc --- /dev/null +++ b/libselinux-2.0.91.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:67a89821c9cd01288af5e6c784cc963fd13cc7c5d2a06ae8e7241ce187682ea1 +size 156090 diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 17a027b..5abd001 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz + +- updated to 2.0.91 + * changes too numerous to list + +------------------------------------------------------------------- +Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source + +------------------------------------------------------------------- +Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com + +- updated selinux-ready script + ------------------------------------------------------------------- Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 0090577..c0b1253 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,5 +1,5 @@ # -# spec file for package libselinux-bindings (Version 2.0.80) +# spec file for package libselinux-bindings (Version 2.0.91) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # 
@@ -22,14 +22,16 @@ BuildRequires: python-devel ruby-devel swig BuildRequires: libsepol-devel-static >= %{libsepol_ver} Name: libselinux-bindings -Version: 2.0.80 -Release: 5 +Version: 2.0.91 +Release: 1 Url: http://www.nsa.gov/selinux/ License: GPLv2 ; Public Domain, Freeware Group: System/Libraries Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 -Patch0: libselinux-%{version}-rhat.patch.bz2 +Source1: selinux-ready +Source2: baselibs.conf +Patch0: libselinux-rhat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires python-selinux = %{version}-%{release} @@ -112,7 +114,7 @@ make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src rubywra make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-pywrap make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-rubywrap -rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* +rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD_ROOT%{_libdir}/pkgconfig %clean rm -rf $RPM_BUILD_ROOT diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch new file mode 100644 index 0000000..cbd9279 --- /dev/null +++ b/libselinux-rhat.patch 
@@ -0,0 +1,156 @@ +diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.90/man/man8/selinuxconlist.8 +--- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500 ++++ libselinux-2.0.90/man/man8/selinuxconlist.8 2010-01-18 16:52:28.000000000 -0500 +@@ -0,0 +1,18 @@ ++.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" ++.SH "NAME" ++selinuxconlist \- list all SELinux context reachable for user ++.SH "SYNOPSIS" ++.B selinuxconlist [-l level] user [context] ++ ++.SH "DESCRIPTION" ++.B selinuxconlist ++reports the list of context reachable for user from the current context or specified context ++ ++.B \-l level ++mcs/mls level ++ ++.SH AUTHOR ++This manual page was written by Dan Walsh . ++ ++.SH "SEE ALSO" ++secon(8), selinuxdefcon(8) +diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.90/man/man8/selinuxdefcon.8 +--- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500 ++++ libselinux-2.0.90/man/man8/selinuxdefcon.8 2010-01-18 16:52:28.000000000 -0500 +@@ -0,0 +1,24 @@ ++.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" ++.SH "NAME" ++selinuxdefcon \- report default SELinux context for user ++ ++.SH "SYNOPSIS" ++.B selinuxdefcon [-l level] user fromcon ++ ++.SH "DESCRIPTION" ++.B selinuxdefcon ++reports the default context for the specified user from the specified context ++ ++.B \-l level ++mcs/mls level ++ ++.SH EXAMPLE ++# selinuxdefcon jsmith system_u:system_r:sshd_t:s0 ++.br ++unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ++ ++.SH AUTHOR ++This manual page was written by Dan Walsh . 
++ ++.SH "SEE ALSO" ++secon(8), selinuxconlist(8) +diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2.0.90/src/callbacks.c +--- nsalibselinux/src/callbacks.c 2009-04-08 09:06:23.000000000 -0400 ++++ libselinux-2.0.90/src/callbacks.c 2010-01-18 16:52:28.000000000 -0500 +@@ -16,6 +16,7 @@ + { + int rc; + va_list ap; ++ if (is_selinux_enabled() == 0) return 0; + va_start(ap, fmt); + rc = vfprintf(stderr, fmt, ap); + va_end(ap); +diff --exclude-from=exclude -N -u -r nsalibselinux/src/init.c libselinux-2.0.90/src/init.c +--- nsalibselinux/src/init.c 2009-07-14 11:16:03.000000000 -0400 ++++ libselinux-2.0.90/src/init.c 2010-02-22 11:04:16.000000000 -0500 +@@ -23,7 +23,7 @@ + static void init_selinuxmnt(void) + { + char *buf=NULL, *p; +- FILE *fp; ++ FILE *fp=NULL; + struct statfs sfbuf; + int rc; + size_t len; +@@ -57,16 +57,17 @@ + break; + } + } +- fclose(fp); + +- if (!exists) +- return; ++ if (!exists) ++ goto out; ++ ++ fclose(fp); + + /* At this point, the usual spot doesn't have an selinuxfs so + * we look around for it */ + fp = fopen("/proc/mounts", "r"); + if (!fp) +- return; ++ goto out; + + __fsetlocking(fp, FSETLOCKING_BYCALLER); + while ((num = getline(&buf, &len, fp)) != -1) { +@@ -90,7 +91,8 @@ + + out: + free(buf); +- fclose(fp); ++ if (fp) ++ fclose(fp); + return; + } + +diff --exclude-from=exclude -N -u -r nsalibselinux/src/libselinux.pc.in libselinux-2.0.90/src/libselinux.pc.in +--- nsalibselinux/src/libselinux.pc.in 2009-11-02 12:58:30.000000000 -0500 ++++ libselinux-2.0.90/src/libselinux.pc.in 2010-02-18 10:02:46.000000000 -0500 +@@ -1,6 +1,6 @@ + prefix=@prefix@ + exec_prefix=${prefix} +-libdir=${exec_prefix}/lib ++libdir=${exec_prefix}/@libdir@ + includedir=@includedir@ + + Name: libselinux +diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.90/src/Makefile +--- nsalibselinux/src/Makefile 2009-12-01 15:46:50.000000000 -0500 ++++ libselinux-2.0.90/src/Makefile 2010-02-18 10:20:27.000000000 
-0500 +@@ -11,6 +11,7 @@ + RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM') + RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) + RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) ++LIBBASE=$(shell basename $(LIBDIR)) + + VERSION = $(shell cat ../VERSION) + LIBVERSION = 1 +@@ -85,7 +86,7 @@ + ln -sf $@ $(TARGET) + + $(LIBPC): $(LIBPC).in +- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ ++ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ + + selinuxswig_python_exception.i: ../include/selinux/selinux.h + bash exception.sh > $@ +diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.90/src/matchpathcon.c +--- nsalibselinux/src/matchpathcon.c 2009-03-06 14:41:45.000000000 -0500 ++++ libselinux-2.0.90/src/matchpathcon.c 2010-01-18 16:52:28.000000000 -0500 +@@ -2,6 +2,7 @@ + #include + #include + #include ++#include + #include "selinux_internal.h" + #include "label_internal.h" + #include "callbacks.h" +@@ -57,7 +58,7 @@ + { + va_list ap; + va_start(ap, fmt); +- vfprintf(stderr, fmt, ap); ++ vsyslog(LOG_ERR, fmt, ap); + va_end(ap); + } + diff --git a/libselinux.changes b/libselinux.changes index c92bcd1..5abd001 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz + +- updated to 2.0.91 + * changes too numerous to list + ------------------------------------------------------------------- Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de 
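Review bot: `LIBBASE=$(shell basename $(LIBDIR))` in the src/Makefile part of this patch file is recursively expanded, so `basename` is forked every time `$(LIBBASE)` is referenced; Make's built-in does the same without a shell: `LIBBASE := $(notdir $(LIBDIR))`, which is valid here because `LIBDIR` is already in use on the `RUBYINC` line above. One difference to keep in mind is that `basename` strips a trailing slash while `$(notdir /usr/lib64/)` is empty, so `$(notdir $(patsubst %/,%,$(LIBDIR)))` covers that case. The resulting `libdir=${exec_prefix}/@libdir@` in libselinux.pc.in is only correct when `LIBDIR` is `<PREFIX>/<dir>`; that holds for the spec's `LIBDIR="%{_libdir}"`, but an arbitrary `LIBDIR` would be rendered wrongly without any warning, which is worth a one-line comment next to the assignment.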
@@ -6,7 +12,7 @@ Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de ------------------------------------------------------------------- Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com -- updated selinux-ready script +- updated selinux-ready script ------------------------------------------------------------------- Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index 6ddb59e..ad409a4 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,5 +1,5 @@ # -# spec file for package libselinux (Version 2.0.80) +# spec file for package libselinux (Version 2.0.91) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -21,8 +21,8 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux -Version: 2.0.80 -Release: 5 +Version: 2.0.91 +Release: 1 Url: http://www.nsa.gov/selinux/ License: GPLv2 ; Public Domain, Freeware Group: System/Libraries @@ -30,7 +30,7 @@ Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 Source1: selinux-ready Source2: baselibs.conf -Patch0: %{name}-%{version}-rhat.patch.bz2 +Patch0: %{name}-rhat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires libselinux1 = %{version}-%{release} 
@@ -104,20 +104,20 @@ Requires: libsepol-devel >= %{libsepol_ver} Requires: glibc-devel %description devel -Security-enhanced Linux is a patch of the Linux(R) kernel and a number -of utilities with enhanced security functionality designed to add -mandatory access controls to Linux. The Security-enhanced Linux kernel -contains new architectural components originally developed to improve -the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -This package contains the header files and static libraries, which are +This package contains the development files, which are necessary to develop your own software using libselinux. +%package devel-static +License: GPLv2 ; Public Domain, Freeware +Summary: Static development Include Files and Libraries for SELinux +Group: Development/Libraries/C and C++ +Requires: libselinux-devel = %{version} + +%description devel-static +This package contains the static development files, which are +necessary to develop your own software using libselinux. + %prep %setup -q @@ -149,7 +149,6 @@ rm -f $RPM_BUILD_ROOT%{_sbindir}/selinux_check_securetty_context mv $RPM_BUILD_ROOT%{_sbindir}/getdefaultcon $RPM_BUILD_ROOT%{_sbindir}/selinuxdefcon mv $RPM_BUILD_ROOT%{_sbindir}/getconlist $RPM_BUILD_ROOT%{_sbindir}/selinuxconlist install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready -rm -f %{buildroot}%{_libdir}/*.a %clean rm -rf $RPM_BUILD_ROOT @@ -185,5 +184,10 @@ rm -rf $RPM_BUILD_ROOT %dir %{_includedir}/selinux %{_includedir}/selinux/* %{_mandir}/man3/* +%{_libdir}/pkgconfig/libselinux.pc + +%files devel-static +%defattr(-,root,root,-) +%{_libdir}/libselinux.a %changelog From ff92a8cd8b3c9a8a8edeff1638e5aa95bc39ea17e42f7efb74bf068fc79d34f5 Mon Sep 17 00:00:00 2001 
From: OBS User autobuild Date: Thu, 18 Mar 2010 15:05:19 +0000 Subject: [PATCH 14/42] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=15 --- ready | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 ready diff --git a/ready b/ready deleted file mode 100644 index 473a0f4..0000000 From 48ac1bce555ee93b0e3cc209a21119a48c3b78df5a985847048720c078622099 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Fri, 23 Apr 2010 17:09:34 +0000 Subject: [PATCH 15/42] Accepting request 38022 from security:SELinux Copy from security:SELinux/libselinux based on submit request 38022 from user thomasbiege OBS-URL: https://build.opensuse.org/request/show/38022 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=16 --- libselinux-bindings.spec | 2 +- libselinux.changes | 22 +++++++++ libselinux.spec | 2 +- selinux-ready | 102 ++++++++++++++++++++++++++++++++++++--- 4 files changed, 118 insertions(+), 10 deletions(-) diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index c0b1253..06211c0 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -23,7 +23,7 @@ BuildRequires: libsepol-devel-static >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.91 -Release: 1 +Release: 2 Url: http://www.nsa.gov/selinux/ License: GPLv2 ; Public Domain, Freeware Group: System/Libraries diff --git a/libselinux.changes b/libselinux.changes index 5abd001..407a06c 100644 --- a/libselinux.changes +++ b/libselinux.changes 
@@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Fri Apr 9 07:27:27 UTC 2010 - thomas@novell.com + +- selinux-ready: added function to check for restorecond in + runlevel 3/5 + +------------------------------------------------------------------- +Thu Apr 8 06:37:34 UTC 2010 - thomas@novell.com + +- selinux-ready: added functions for checking PAM config and + policy boolean init_upstart + +------------------------------------------------------------------- +Wed Apr 7 13:26:59 UTC 2010 - thomas@novell.com + +- selinux-ready: fixed init ramfs checking + +------------------------------------------------------------------- +Wed Apr 7 12:59:41 UTC 2010 - thomas@novell.com + +- added new selinux-ready script + ------------------------------------------------------------------- Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index ad409a4..94abc5b 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -22,7 +22,7 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} Name: libselinux Version: 2.0.91 -Release: 1 +Release: 2 Url: http://www.nsa.gov/selinux/ License: GPLv2 ; Public Domain, Freeware Group: System/Libraries diff --git a/selinux-ready b/selinux-ready index 3139506..48b59a3 100644 --- a/selinux-ready +++ b/selinux-ready @@ -22,7 +22,7 @@ check_dir() check_filesystem() { FSPATH="/proc/filesystems" - FSNAME="selinuxfs" + FSNAME="securityfs" grep -w $FSNAME $FSPATH 1>&2 >/dev/null @@ -37,11 +37,11 @@ check_filesystem() check_boot() { - BPARAM="security=selinux.*selinux=1.*enforcing=?" # XXX order not mandatory + BPARAM="selinux=1" printf "\tcheck_boot: Assuming GRUB as bootloader.\n" - BLINE=$(grep -E $BPARAM /boot/grub/menu.lst 2>/dev/null) # XXX check for multiple lines in config + BLINE=$(grep -- $BPARAM /boot/grub/menu.lst 2>/dev/null) # XXX check for multiple lines in config if [ $? == 0 ]; then K=$(echo $BLINE | awk -F' ' '{print $2}') 
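Review bot: Replacing `selinuxfs` with `securityfs` in FSNAME makes check_filesystem test for the wrong thing: `/proc/filesystems` lists `securityfs` on any kernel built with CONFIG_SECURITYFS (AppArmor, IMA and others use it too), so the grep no longer shows that the kernel can mount selinuxfs at all. If both names are meant to be acceptable, grep for both and say which one matched, e.g. `grep -wE 'selinuxfs|securityfs' "$FSPATH"`, and consider confirming an actual selinuxfs mount via /proc/mounts, which is the stronger signal. check_filesystem's body continues outside the hunk.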
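Review bot: Narrowing BPARAM to `selinux=1` drops the `security=selinux` part of the old pattern, so a menu.lst that passes `selinux=1` but selects another LSM with `security=` (or carries `selinux=1` only on a non-default or commented entry) now passes check_boot. Because `grep -- $BPARAM` is a substring match it would also accept `selinux=10`; `grep -E -- '(^|[[:space:]])selinux=1([[:space:]]|$)'` is exact. The kept `# XXX check for multiple lines in config` still applies: `$BLINE` may hold several matching lines while the following `awk '{print $2}'` only looks at the first, and the function body continues past the hunk.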
@@ -80,20 +80,99 @@ check_mkinitrd() cd initrd-extracted gunzip -c $TD/i.cpio.gz | cpio -i --force-local --no-absolute-filenames 2>/dev/null grep -E -- $MCMD boot/* 2>&1 >/dev/null - FLG=$? + FLG1=$? + grep -E -- load_policy boot/* 2>&1 >/dev/null + FLG2=$? popd 2>&1>/dev/null - if [ $FLG == 0 ];then + if [ $FLG1 == 0 -a $FLG2 == 0 ];then printf "\tcheck_mkinitrd: OK. Your initrd seems to be correct.\n" return 0 else printf "\tcheck_mkinitrd: ERR. Your initrd seems not to mount /proc of\n" - printf "\t the root filesystem during boot, this may be a\n" - printf "\t reason for SELinux not working.\n" + printf "\t the root filesystem during boot and/or load_policy\n" + printf "\t is missing,\n" + printf "\t this may be a reason for SELinux not working.\n" return 1 fi } +check_pam() +{ + AA_PAM=0 + SE_PAM=0 + + # test for AA pam module + grep apparmor /etc/pam.d/* 2>&1 >/dev/null + FLG=$? + if [ $FLG == 0 ]; then + AA_PAM=1 + fi + + # test for SELinux pam module + grep selinux /etc/pam.d/* 2>&1 >/dev/null + FLG=$? + if [ $FLG == 0 ]; then + SE_PAM=1 + fi + + # suggest config + if [ $SE_PAM == 1 ] && [ $AA_PAM == 0 ]; then + printf "\tcheck_pam: OK. Your PAM configuration seems to be correct.\n" + return 0 + fi + printf "\tcheck_pam: ERR. Your PAM configuration seems to be incorrect.\n" + if [ $AA_PAM == 1 ]; then + printf " execute 'pam-config -d --apparmor' as root\n" + fi + if [ $SE_PAM == 0 ]; then + printf " execute 'pam-config -a --selinux' as root\n" + fi + + return 1 +} + +check_initupstart() +{ + CFGFILE="/etc/selinux/config" + + if ! [ -f $CFGFILE ]; then + printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n" + return 1; + fi + + POL=$(grep SELINUXTYPE $CFGFILE | sed "s/SELINUXTYPE\s*=\s*"//) + + if ! [ -f /etc/selinux/$POL/booleans ]; then + printf "\tcheck_initupstart: ERR. 
booleans file for policy $POL does not exist.\n" + return 1 + fi + + INITUS=$(grep init_upstart /etc/selinux/$POL/booleans | sed "s/.*init_upstart\s*=\s*//") + + if [ "$INITUS" == 1 ]; then + printf "\tcheck_initupstart: OK. init_upstart in $POL/booleans is set to 1.\n" + return 0 + else + printf "\tcheck_initupstart: ERR. init_upstart in $POL/booleans is NOT set to 1 ($INITUS).\n" + return 1 + fi + +} + +check_runlevel() +{ + #ls -q /etc/rc.d/rc[35].d/S*restorecond 1>&2 >/dev/null + + #if [ $? == 0 ]; then + if [ -x /etc/rc.d/rc3.d/S*restorecond ] || [ -x /etc/rc.d/rc5.d/S*restorecond ]; then + printf "\tcheck_runlevel: OK. your system is using restorecond in runlevel 3 and/or 5.\n" + return 0; + fi + printf "\tcheck_runlevel: ERR. please execute 'yast2 runlevel' and enable restorecond.\n" + return 1 +} + check_packages() { PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 selinux-policy" @@ -120,8 +199,13 @@ check_config() { CF="/etc/selinux/config" + if [ -f $CF ];then printf "\tcheck_config: OK. Config file seems to be there.\n" + if ! [ $(stat --printf=%a $CF) -eq "644" ]; then + printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n" + return 1 + fi return 0 else printf "\tcheck_config: ERR. Config file '$CF' is missing.\n" @@ -138,6 +222,8 @@ check_boot check_mkinitrd check_packages check_config +check_initupstart +check_pam +check_runlevel rm -rf $TD - From 24797b61ab71aee9ba890dc954d32684eedce350e8d6cbf92a4337b213163ab0 Mon Sep 17 00:00:00 2001 
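Review bot: In check_initupstart, `grep SELINUXTYPE $CFGFILE` matches every line containing that word, including the comment lines the stock /etc/selinux/config ships with, so `$POL` can become several lines or a comment fragment that is then spliced unquoted into `/etc/selinux/$POL/booleans`. Anchor the match and skip comments, e.g. `POL=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$CFGFILE" | tail -n1)`, and quote `"$POL"` at both uses; the existing `sed "s/SELINUXTYPE\s*=\s*"//` only works because the shell concatenates the quoted and unquoted halves and reads like a typo. check_runlevel's `[ -x /etc/rc.d/rc3.d/S*restorecond ]` depends on the glob expanding to exactly one entry: with no match the literal pattern is tested, with two `[` fails with "too many arguments", so a `for f in /etc/rc.d/rc3.d/S*restorecond /etc/rc.d/rc5.d/S*restorecond; do [ -x "$f" ] && …` loop is safer. Likewise check_pam's `grep selinux /etc/pam.d/*` counts commented-out pam_selinux lines as a configured module; `grep -E '^[^#]*pam_selinux'` would not.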
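Review bot: The new permission check in check_config demands a mode of exactly `644`, so a more restrictive config (`600`, `640`) is reported as "wrong permissions" while a 644 file owned by an unprivileged user passes. The property worth asserting is "owned by root and not writable by group or other", e.g. `if [ "$(stat -c %U "$CF")" != root ] || [ "$(( 0$(stat -c %a "$CF") & 022 ))" -ne 0 ]; then`. Quoting `"$CF"` also keeps the `stat` call safe should the path ever contain spaces.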
From: OBS User autobuild Date: Sat, 24 Apr 2010 10:21:00 +0000 Subject: [PATCH 16/42] Accepting request 38664 from security:SELinux Copy from security:SELinux/libselinux based on submit request 38664 from user coolo OBS-URL: https://build.opensuse.org/request/show/38664 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=17 --- libselinux-bindings.spec | 2 +- libselinux.changes | 5 +++++ libselinux.spec | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 06211c0..36cd5b8 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -23,7 +23,7 @@ BuildRequires: libsepol-devel-static >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.91 -Release: 2 +Release: 3 Url: http://www.nsa.gov/selinux/ License: GPLv2 ; Public Domain, Freeware Group: System/Libraries diff --git a/libselinux.changes b/libselinux.changes index 407a06c..74f24ca 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sat Apr 24 09:53:28 UTC 2010 - coolo@novell.com + +- buildrequire pkg-config to fix provides + ------------------------------------------------------------------- Fri Apr 9 07:27:27 UTC 2010 - thomas@novell.com diff --git a/libselinux.spec b/libselinux.spec index 94abc5b..2855195 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -18,11 +18,11 @@ # norootforbuild %define libsepol_ver 2.0.32 -BuildRequires: libsepol-devel >= %{libsepol_ver} +BuildRequires: libsepol-devel >= %{libsepol_ver} pkg-config Name: libselinux Version: 2.0.91 -Release: 2 +Release: 3 Url: http://www.nsa.gov/selinux/ License: GPLv2 ; Public Domain, Freeware Group: System/Libraries From 746edb72540d6e009c8114f3b5616ac3a93dbcc5ff8491316713ffcfbfb1d427 Mon Sep 17 00:00:00 2001 
From: OBS User autobuild Date: Mon, 3 May 2010 15:33:38 +0000 Subject: [PATCH 17/42] Accepting request 39299 from security:SELinux Copy from security:SELinux/libselinux based on submit request 39299 from user prusnak OBS-URL: https://build.opensuse.org/request/show/39299 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=18 --- libselinux-bindings.spec | 2 +- libselinux.changes | 7 +++++++ libselinux.spec | 4 +--- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 36cd5b8..7e6cb99 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -23,7 +23,7 @@ BuildRequires: libsepol-devel-static >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.91 -Release: 3 +Release: 4 Url: http://www.nsa.gov/selinux/ License: GPLv2 ; Public Domain, Freeware Group: System/Libraries diff --git a/libselinux.changes b/libselinux.changes index 74f24ca..1bd0523 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon May 3 10:30:40 UTC 2010 - prusnak@suse.cz + +- don't package /var/run/setrans in libselinux1 package + - Feature#303793 + - the directory will be created in initscript of mcstrans package + ------------------------------------------------------------------- Sat Apr 24 09:53:28 UTC 2010 - coolo@novell.com diff --git a/libselinux.spec b/libselinux.spec index 2855195..1c5b892 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -22,7 +22,7 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} pkg-config Name: libselinux Version: 2.0.91 -Release: 3 +Release: 4 Url: http://www.nsa.gov/selinux/ License: GPLv2 ; Public Domain, Freeware Group: System/Libraries 
@@ -131,7 +131,6 @@ mkdir -p $RPM_BUILD_ROOT/%{_lib} mkdir -p $RPM_BUILD_ROOT%{_libdir} mkdir -p $RPM_BUILD_ROOT%{_includedir} mkdir -p $RPM_BUILD_ROOT%{_sbindir} -mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/run/setrans make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" BINDIR="$RPM_BUILD_ROOT%{_sbindir}" install rm -f $RPM_BUILD_ROOT%{_sbindir}/compute_* rm -f $RPM_BUILD_ROOT%{_sbindir}/deftype @@ -176,7 +175,6 @@ rm -rf $RPM_BUILD_ROOT %files -n libselinux1 %defattr(-,root,root,-) /%{_lib}/libselinux.so.* -%{_localstatedir}/run/setrans %files devel %defattr(-,root,root,-) From 4b165cf6acf21c07f9f5a1cdca029da7c5eadaf63f9509d17bd970afdb1825b1 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Thu, 7 Oct 2010 23:22:33 +0000 Subject: [PATCH 18/42] Accepting request 49868 from security:SELinux Copy from security:SELinux/libselinux based on submit request 49868 from user coolo OBS-URL: https://build.opensuse.org/request/show/49868 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=21 --- libselinux-bindings.changes | 5 +++++ libselinux-bindings.spec | 10 +++++----- libselinux.changes | 5 +++++ libselinux.spec | 4 ++-- 4 files changed, 17 insertions(+), 7 deletions(-) diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 5abd001..97b364a 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de + +- use %_smp_mflags + ------------------------------------------------------------------- Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 7e6cb99..4d45933 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec 
@@ -23,7 +23,7 @@ BuildRequires: libsepol-devel-static >= %{libsepol_ver} Name: libselinux-bindings Version: 2.0.91 -Release: 4 +Release: 9 Url: http://www.nsa.gov/selinux/ License: GPLv2 ; Public Domain, Freeware Group: System/Libraries @@ -105,10 +105,10 @@ decisions. Required for any applications that use the SELinux API. %patch0 -p1 %build -make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src -make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src swigify -make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src pywrap -make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src rubywrap +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src swigify +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src pywrap +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src rubywrap %install make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install diff --git a/libselinux.changes b/libselinux.changes index 1bd0523..b5905d2 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de + +- use %_smp_mflags + ------------------------------------------------------------------- Mon May 3 10:30:40 UTC 2010 - prusnak@suse.cz diff --git a/libselinux.spec b/libselinux.spec index 1c5b892..aa6139c 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -22,7 +22,7 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} pkg-config Name: libselinux Version: 2.0.91 -Release: 4 +Release: 9 Url: http://www.nsa.gov/selinux/ License: GPLv2 ; Public Domain, Freeware Group: System/Libraries 
@@ -124,7 +124,7 @@ necessary to develop your own software using libselinux. %patch0 -p1 %build -make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" %install mkdir -p $RPM_BUILD_ROOT/%{_lib} From 89027e0c72456035b1999a4036526d547cdce54e52b54ad5a5dc076d196b16f3 Mon Sep 17 00:00:00 2001 From: Lars Vogdt Date: Thu, 6 Oct 2011 22:49:06 +0000 Subject: [PATCH 19/42] Accepting request 86934 from security:SELinux - cross-build fix: use %__cc macro (forwarded request 86730 from uli_suse) OBS-URL: https://build.opensuse.org/request/show/86934 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=23 --- libselinux-bindings.spec | 4 ++-- libselinux.changes | 5 +++++ libselinux.spec | 6 +++--- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 4d45933..756ae60 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,7 +1,7 @@ # -# spec file for package libselinux-bindings (Version 2.0.91) +# spec file for package libselinux-bindings # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed diff --git a/libselinux.changes b/libselinux.changes index b5905d2..192bde9 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Oct 5 15:09:25 UTC 2011 - uli@suse.com + +- cross-build fix: use %__cc macro + ------------------------------------------------------------------- Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de diff --git a/libselinux.spec b/libselinux.spec index aa6139c..25d4e0d 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -1,7 +1,7 @@ # -# spec file for package libselinux (Version 2.0.91) +# spec file for package libselinux # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -124,7 +124,7 @@ necessary to develop your own software using libselinux. %patch0 -p1 %build -make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" +make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS" %install mkdir -p $RPM_BUILD_ROOT/%{_lib} From efc8bc5d951d77d58f38db484f258d640ef870f5caccd59a5b56131dbdf96e21 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Tue, 6 Dec 2011 17:25:35 +0000 Subject: [PATCH 20/42] replace license with spdx.org variant OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=25 --- libselinux-bindings.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 756ae60..64b1ff0 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -25,7 +25,7 @@ Name: libselinux-bindings Version: 2.0.91 Release: 9 Url: http://www.nsa.gov/selinux/ -License: GPLv2 ; Public Domain, Freeware +License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries Summary: SELinux library and simple utilities Source: libselinux-%{version}.tar.bz2 @@ -53,7 +53,7 @@ decisions. Required for any applications that use the SELinux API. %package -n python-selinux -License: Public Domain, Freeware +License: SUSE-Public-Domain Summary: SELinux library and simple utilities Group: System/Libraries Requires: libselinux1 = %{version} 
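Review bot: The cross-build fix only reaches libselinux.spec: as far as this page shows, the `%build` of libselinux-bindings.spec (its four `make … -C src` lines appear in the earlier hunk `@@ -105,10 +105,10 @@` on this page) still runs make without `CC="%{__cc}"`, so the Python and Ruby modules keep being built with the host compiler. Add `CC="%{__cc}"` to those four invocations too, or hoist the shared make arguments into one spec macro so the two files cannot drift apart again.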
@@ -77,7 +77,7 @@ decisions. Required for any applications that use the SELinux API. %package -n ruby-selinux -License: Public Domain, Freeware +License: SUSE-Public-Domain Summary: SELinux library and simple utilities Group: System/Libraries Requires: libselinux1 = %{version} From b1a21f4faa2007c02af0596f674a1edeb11a85782db6a02ed9f29beb8d57a6d4 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Tue, 6 Dec 2011 17:25:36 +0000 Subject: [PATCH 21/42] replace license with spdx.org variant OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=26 --- libselinux.spec | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libselinux.spec b/libselinux.spec index 25d4e0d..9af4223 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -24,7 +24,7 @@ Name: libselinux Version: 2.0.91 Release: 9 Url: http://www.nsa.gov/selinux/ -License: GPLv2 ; Public Domain, Freeware +License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries Summary: SELinux library and simple utilities Source: %{name}-%{version}.tar.bz2 @@ -52,7 +52,7 @@ decisions. Required for any applications that use the SELinux API. %package -n libselinux1 -License: GPLv2 ; Public Domain, Freeware +License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries Summary: SELinux library and simple utilities @@ -74,7 +74,7 @@ decisions. Required for any applications that use the SELinux API. %package -n selinux-tools -License: GPLv2 ; Public Domain, Freeware +License: GPL-2.0 ; SUSE-Public-Domain Group: System/Base Summary: SELinux library and simple utilities @@ -96,7 +96,7 @@ decisions. Required for any applications that use the SELinux API. %package devel -License: GPLv2 ; Public Domain, Freeware +License: GPL-2.0 ; SUSE-Public-Domain Summary: Development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ Requires: libselinux1 = %{version} 
@@ -109,7 +109,7 @@ necessary to develop your own software using libselinux. %package devel-static -License: GPLv2 ; Public Domain, Freeware +License: GPL-2.0 ; SUSE-Public-Domain Summary: Static development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ Requires: libselinux-devel = %{version} From b3aa01c6665ab9f29281639e3fff49209b0822ab239ddffff1ce0e17ef7fa5ff Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Tue, 5 Jun 2012 14:00:35 +0000 Subject: [PATCH 22/42] Accepting request 123490 from security:SELinux update to libselinux-2.1.9, needed for rpm-4.10.0 update (forwarded request 123445 from mlschroe) OBS-URL: https://build.opensuse.org/request/show/123490 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=27 --- libselinux-2.0.91.tar.bz2 | 3 -- libselinux-2.1.9.tar.gz | 3 ++ libselinux-bindings.changes | 10 +++++ libselinux-bindings.spec | 27 +++++++------ libselinux-rhat.patch | 75 ------------------------------------- libselinux-ruby.patch | 22 +++++++++++ libselinux.changes | 9 +++++ libselinux.spec | 25 ++++++------- 8 files changed, 71 insertions(+), 103 deletions(-) delete mode 100644 libselinux-2.0.91.tar.bz2 create mode 100644 libselinux-2.1.9.tar.gz create mode 100644 libselinux-ruby.patch diff --git a/libselinux-2.0.91.tar.bz2 b/libselinux-2.0.91.tar.bz2 deleted file mode 100644 index 20528dc..0000000 --- a/libselinux-2.0.91.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:67a89821c9cd01288af5e6c784cc963fd13cc7c5d2a06ae8e7241ce187682ea1 -size 156090 diff --git a/libselinux-2.1.9.tar.gz b/libselinux-2.1.9.tar.gz new file mode 100644 index 0000000..e2f2d43 --- /dev/null +++ b/libselinux-2.1.9.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:749d4b39c80aa9df8247b8b3187ab72442c0dbad6e70bf312e25052bd4e7063f +size 155840 
diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 97b364a..d2ab0c4 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de + +- update to libselinux-2.1.9 + * better man pages + * selinux_status interfaces + * simple interface for access checks + * multiple bug fixes +- fix build for ruby-1.9 + ------------------------------------------------------------------- Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 64b1ff0..42c236b 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux-bindings # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,23 +15,25 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild %define libsepol_ver 2.0.32 -BuildRequires: python-devel ruby-devel swig BuildRequires: libsepol-devel-static >= %{libsepol_ver} +BuildRequires: python-devel +BuildRequires: ruby-devel +BuildRequires: swig Name: libselinux-bindings -Version: 2.0.91 -Release: 9 +Version: 2.1.9 +Release: 0 Url: http://www.nsa.gov/selinux/ +Summary: SELinux library and simple utilities License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries -Summary: SELinux library and simple utilities -Source: libselinux-%{version}.tar.bz2 +Source: libselinux-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch0: libselinux-rhat.patch +Patch1: libselinux-ruby.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires python-selinux = %{version}-%{release} 
@@ -53,9 +55,9 @@ decisions. Required for any applications that use the SELinux API. %package -n python-selinux -License: SUSE-Public-Domain Summary: SELinux library and simple utilities -Group: System/Libraries +License: SUSE-Public-Domain +Group: Development/Libraries/Python Requires: libselinux1 = %{version} Requires: python @@ -77,9 +79,9 @@ decisions. Required for any applications that use the SELinux API. %package -n ruby-selinux -License: SUSE-Public-Domain Summary: SELinux library and simple utilities -Group: System/Libraries +License: SUSE-Public-Domain +Group: Development/Languages/Ruby Requires: libselinux1 = %{version} Requires: ruby @@ -103,6 +105,7 @@ decisions. Required for any applications that use the SELinux API. %prep %setup -q -n libselinux-%{version} %patch0 -p1 +%patch1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src @@ -126,6 +129,6 @@ rm -rf $RPM_BUILD_ROOT %files -n ruby-selinux %defattr(-,root,root,-) -%{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so +%{_libdir}/ruby/vendor_ruby/%{rb_ver}/%{rb_arch}/selinux.so %changelog diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index cbd9279..5c6370b 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch 
@@ -59,81 +59,6 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2. va_start(ap, fmt); rc = vfprintf(stderr, fmt, ap); va_end(ap); -diff --exclude-from=exclude -N -u -r nsalibselinux/src/init.c libselinux-2.0.90/src/init.c ---- nsalibselinux/src/init.c 2009-07-14 11:16:03.000000000 -0400 -+++ libselinux-2.0.90/src/init.c 2010-02-22 11:04:16.000000000 -0500 -@@ -23,7 +23,7 @@ - static void init_selinuxmnt(void) - { - char *buf=NULL, *p; -- FILE *fp; -+ FILE *fp=NULL; - struct statfs sfbuf; - int rc; - size_t len; -@@ -57,16 +57,17 @@ - break; - } - } -- fclose(fp); - -- if (!exists) -- return; -+ if (!exists) -+ goto out; -+ -+ fclose(fp); - - /* At this point, the usual spot doesn't have an selinuxfs so - * we look around for it */ - fp = fopen("/proc/mounts", "r"); - if (!fp) -- return; -+ goto out; - - __fsetlocking(fp, FSETLOCKING_BYCALLER); - while ((num = getline(&buf, &len, fp)) != -1) { -@@ -90,7 +91,8 @@ - - out: - free(buf); -- fclose(fp); -+ if (fp) -+ fclose(fp); - return; - } - -diff --exclude-from=exclude -N -u -r nsalibselinux/src/libselinux.pc.in libselinux-2.0.90/src/libselinux.pc.in ---- nsalibselinux/src/libselinux.pc.in 2009-11-02 12:58:30.000000000 -0500 -+++ libselinux-2.0.90/src/libselinux.pc.in 2010-02-18 10:02:46.000000000 -0500 -@@ -1,6 +1,6 @@ - prefix=@prefix@ - exec_prefix=${prefix} --libdir=${exec_prefix}/lib -+libdir=${exec_prefix}/@libdir@ - includedir=@includedir@ - - Name: libselinux -diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.90/src/Makefile ---- nsalibselinux/src/Makefile 2009-12-01 15:46:50.000000000 -0500 -+++ libselinux-2.0.90/src/Makefile 2010-02-18 10:20:27.000000000 -0500 -@@ -11,6 +11,7 @@ - RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM') - RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) - RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) -+LIBBASE=$(shell basename $(LIBDIR)) - - VERSION = $(shell cat ../VERSION) - 
LIBVERSION = 1 -@@ -85,7 +86,7 @@ - ln -sf $@ $(TARGET) - - $(LIBPC): $(LIBPC).in -- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ -+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ - - selinuxswig_python_exception.i: ../include/selinux/selinux.h - bash exception.sh > $@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.90/src/matchpathcon.c --- nsalibselinux/src/matchpathcon.c 2009-03-06 14:41:45.000000000 -0500 +++ libselinux-2.0.90/src/matchpathcon.c 2010-01-18 16:52:28.000000000 -0500 diff --git a/libselinux-ruby.patch b/libselinux-ruby.patch new file mode 100644 index 0000000..151e6c9 --- /dev/null +++ b/libselinux-ruby.patch 
@@ -0,0 +1,22 @@ +--- ./src/Makefile.orig 2012-06-04 08:20:19.000000000 +0000 ++++ ./src/Makefile 2012-06-04 09:43:23.000000000 +0000 +@@ -15,8 +15,8 @@ PYTHONLIBDIR ?= $(shell pkg-config --lib + PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER) + RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")') + RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM') +-RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) +-RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) ++RUBYINC ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['rubyhdrdir'].nil? ? '$(LIBDIR)/ruby/$(RUBYLIBVER)' : Config::CONFIG['rubyhdrdir']") ++RUBYINSTALL ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['vendorarchdir'].nil? ? '$(DESTDIR)'+Config::CONFIG['sitearchdir'] : '$(DESTDIR)'+Config::CONFIG['vendorarchdir']") + LIBBASE=$(shell basename $(LIBDIR)) + + VERSION = $(shell cat ../VERSION) +@@ -76,7 +76,7 @@ $(SWIGLOBJ): $(SWIGCOUT) + $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< + + $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) +- $(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $< ++ $(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -I$(RUBYINC)/$(RUBYPLATFORM) -fPIC -DSHARED -c -o $@ $< + + $(SWIGSO): $(SWIGLOBJ) + $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) $(PYTHONLIBDIR) -Wl,-soname,$@,-z,defs diff --git a/libselinux.changes b/libselinux.changes index 192bde9..cab0529 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de + +- update to libselinux-2.1.9 + * better man pages + * selinux_status interfaces + * simple interface for access checks + * multiple bug fixes + ------------------------------------------------------------------- Wed Oct 5 15:09:25 UTC 2011 - uli@suse.com diff --git a/libselinux.spec b/libselinux.spec index 9af4223..14c150f 100644 
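Review bot: The new RUBYINC and RUBYINSTALL definitions read `Config::CONFIG`, the deprecated alias of `RbConfig::CONFIG` that newer Ruby releases no longer ship; `ruby -r rbconfig -e "print RbConfig::CONFIG['rubyhdrdir'] ..."` (and likewise for `vendorarchdir`/`sitearchdir`) is the supported spelling, and the later rebases of this patch at L117, L118 and L124 carry the same lines. RUBYINSTALL also folds `'$(DESTDIR)'` into the directory at definition time, so if the install-rubywrap recipe, which is outside this hunk, prefixes `$(DESTDIR)` again the path is doubled — confirm against that recipe. Both variables are `?=`, i.e. recursive, so every reference re-spawns ruby; that matches the surrounding RUBYLIBVER/RUBYPLATFORM style, but an `ifndef RUBYINC` guard around a `:=` assignment would evaluate the probe once.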
--- a/libselinux.spec +++ b/libselinux.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,22 +15,23 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild %define libsepol_ver 2.0.32 -BuildRequires: libsepol-devel >= %{libsepol_ver} pkg-config +BuildRequires: libsepol-devel >= %{libsepol_ver} +BuildRequires: pkg-config Name: libselinux -Version: 2.0.91 -Release: 9 +Version: 2.1.9 +Release: 0 Url: http://www.nsa.gov/selinux/ +Summary: SELinux library and simple utilities License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries -Summary: SELinux library and simple utilities -Source: %{name}-%{version}.tar.bz2 +Source: %{name}-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch0: %{name}-rhat.patch +Patch1: %{name}-ruby.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires libselinux1 = %{version}-%{release} @@ -52,9 +53,8 @@ decisions. Required for any applications that use the SELinux API. %package -n libselinux1 -License: GPL-2.0 ; SUSE-Public-Domain -Group: System/Libraries Summary: SELinux library and simple utilities +Group: System/Libraries %description -n libselinux1 Security-enhanced Linux is a feature of the Linux(R) kernel and a @@ -74,9 +74,8 @@ decisions. Required for any applications that use the SELinux API. %package -n selinux-tools -License: GPL-2.0 ; SUSE-Public-Domain -Group: System/Base Summary: SELinux library and simple utilities +Group: System/Base %description -n selinux-tools Security-enhanced Linux is a feature of the Linux(R) kernel and a 
@@ -96,7 +95,6 @@ decisions. Required for any applications that use the SELinux API. %package devel -License: GPL-2.0 ; SUSE-Public-Domain Summary: Development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ Requires: libselinux1 = %{version} @@ -109,7 +107,6 @@ necessary to develop your own software using libselinux. %package devel-static -License: GPL-2.0 ; SUSE-Public-Domain Summary: Static development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ Requires: libselinux-devel = %{version} @@ -122,6 +119,7 @@ necessary to develop your own software using libselinux. %prep %setup -q %patch0 -p1 +%patch1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS" @@ -166,6 +164,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/selinuxconlist %{_sbindir}/selinuxdefcon %{_sbindir}/selinuxenabled +%{_sbindir}/selinuxexeccon %{_sbindir}/setenforce %{_sbindir}/togglesebool %{_sbindir}/selinux-ready From cb482ca1b478711a53e660d4f215c14760fd55ff6214e785200d57652ee18cdb Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Tue, 12 Jun 2012 05:16:39 +0000 Subject: [PATCH 23/42] Accepting request 124408 from security:SELinux - revert back to 2.0.98 for 12.2 OBS-URL: https://build.opensuse.org/request/show/124408 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=28 --- libselinux-2.0.98.tar.gz | 3 +++ libselinux-2.1.9.tar.gz | 3 --- libselinux-bindings.spec | 6 +++--- libselinux-ruby.patch | 20 +++++++++++--------- libselinux.changes | 5 +++++ libselinux.spec | 7 +++---- 6 files changed, 25 insertions(+), 19 deletions(-) create mode 100644 libselinux-2.0.98.tar.gz delete mode 100644 libselinux-2.1.9.tar.gz diff --git a/libselinux-2.0.98.tar.gz b/libselinux-2.0.98.tar.gz new file mode 100644 index 0000000..8e86ab7 --- /dev/null +++ b/libselinux-2.0.98.tar.gz 
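Review bot: `%patch1` in the %prep hunk is applied without a strip level while `%patch0 -p1` beside it has one; since libselinux-ruby.patch addresses `./src/Makefile`, writing `%patch1 -p0` makes the intended level explicit instead of relying on the macro's default. The new `Source: %{name}-%{version}.tar.gz` drops the upstream location entirely, so the spec no longer records where the committed tarball came from; keeping a full release URL, as later revisions of this spec do, lets a reviewer re-fetch and compare the archive against upstream.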
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9f36d000f7c41426bc053cf0327f36744d070e339536d3d027f14de5eda93902 +size 206574 diff --git a/libselinux-2.1.9.tar.gz b/libselinux-2.1.9.tar.gz deleted file mode 100644 index e2f2d43..0000000 --- a/libselinux-2.1.9.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:749d4b39c80aa9df8247b8b3187ab72442c0dbad6e70bf312e25052bd4e7063f -size 155840 diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 42c236b..1623eaa 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -23,13 +23,13 @@ BuildRequires: ruby-devel BuildRequires: swig Name: libselinux-bindings -Version: 2.1.9 +Version: 2.0.98 Release: 0 -Url: http://www.nsa.gov/selinux/ +Url: http://www.nsa.gov/research/selinux/ Summary: SELinux library and simple utilities License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries -Source: libselinux-%{version}.tar.gz +Source: http://userspace.selinuxproject.org/releases/20101221/devel/libselinux-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch0: libselinux-rhat.patch diff --git a/libselinux-ruby.patch b/libselinux-ruby.patch index 151e6c9..164db8f 100644 --- a/libselinux-ruby.patch +++ b/libselinux-ruby.patch @@ -1,7 +1,9 @@ ---- ./src/Makefile.orig 2012-06-04 08:20:19.000000000 +0000 -+++ ./src/Makefile 2012-06-04 09:43:23.000000000 +0000 -@@ -15,8 +15,8 @@ PYTHONLIBDIR ?= $(shell pkg-config --lib - PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER) +Index: src/Makefile +=================================================================== +--- src/Makefile.orig 2010-12-20 21:13:33.000000000 +0100 ++++ src/Makefile 2012-06-11 11:17:42.465960993 +0200 +@@ -9,8 +9,8 @@ PYLIB ?= /usr/lib/$(PYLIBVER) + PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")') RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM') -RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) 
@@ -11,12 +13,12 @@ LIBBASE=$(shell basename $(LIBDIR)) VERSION = $(shell cat ../VERSION) -@@ -76,7 +76,7 @@ $(SWIGLOBJ): $(SWIGCOUT) - $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< +@@ -73,7 +73,7 @@ $(SWIGLOBJ): $(SWIGCOUT) + $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) -- $(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $< -+ $(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -I$(RUBYINC)/$(RUBYPLATFORM) -fPIC -DSHARED -c -o $@ $< +- $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $< ++ $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(RUBYINC) -I$(RUBYINC)/$(RUBYPLATFORM) -fPIC -DSHARED -c -o $@ $< $(SWIGSO): $(SWIGLOBJ) - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) $(PYTHONLIBDIR) -Wl,-soname,$@,-z,defs + $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@ diff --git a/libselinux.changes b/libselinux.changes index cab0529..a17009d 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Jun 11 09:06:55 UTC 2012 - factory-maintainer@kulow.org + +- revert back to 2.0.98 for 12.2 + ------------------------------------------------------------------- Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de diff --git a/libselinux.spec b/libselinux.spec index 14c150f..aea768b 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -21,13 +21,13 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} BuildRequires: pkg-config Name: libselinux -Version: 2.1.9 +Version: 2.0.98 Release: 0 Url: http://www.nsa.gov/selinux/ Summary: SELinux library and simple utilities License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries -Source: %{name}-%{version}.tar.gz +Source: http://userspace.selinuxproject.org/releases/20101221/devel/%{name}-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch0: %{name}-rhat.patch @@ -97,9 +97,9 @@ decisions. Required for any applications that use the SELinux API. %package devel Summary: Development Include Files and Libraries for SELinux Group: Development/Libraries/C and C++ +Requires: glibc-devel Requires: libselinux1 = %{version} Requires: libsepol-devel >= %{libsepol_ver} -Requires: glibc-devel %description devel This package contains the development files, which are @@ -164,7 +164,6 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/selinuxconlist %{_sbindir}/selinuxdefcon %{_sbindir}/selinuxenabled -%{_sbindir}/selinuxexeccon %{_sbindir}/setenforce %{_sbindir}/togglesebool %{_sbindir}/selinux-ready From c8a897f7ce06acee3a30b6bf0d5382274e74002b9e31e1678e39754f6a5f35ee Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Wed, 13 Jun 2012 15:07:18 +0000 Subject: [PATCH 24/42] Accepting request 124807 from security:SELinux - go back even more - everything else requires the full SELinux stack (too late for 12.2) OBS-URL: https://build.opensuse.org/request/show/124807 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=29 --- libselinux-2.0.91.tar.bz2 | 3 +++ libselinux-2.0.98.tar.gz | 3 --- libselinux-bindings.spec | 4 ++-- libselinux-ruby.patch | 8 ++++---- libselinux.changes | 6 ++++++ libselinux.spec | 4 ++-- 6 files changed, 17 insertions(+), 11 deletions(-) create mode 100644 libselinux-2.0.91.tar.bz2 delete mode 100644 libselinux-2.0.98.tar.gz 
diff --git a/libselinux-2.0.91.tar.bz2 b/libselinux-2.0.91.tar.bz2 new file mode 100644 index 0000000..20528dc --- /dev/null +++ b/libselinux-2.0.91.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:67a89821c9cd01288af5e6c784cc963fd13cc7c5d2a06ae8e7241ce187682ea1 +size 156090 diff --git a/libselinux-2.0.98.tar.gz b/libselinux-2.0.98.tar.gz deleted file mode 100644 index 8e86ab7..0000000 --- a/libselinux-2.0.98.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9f36d000f7c41426bc053cf0327f36744d070e339536d3d027f14de5eda93902 -size 206574 diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 1623eaa..76958bd 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -23,13 +23,13 @@ BuildRequires: ruby-devel BuildRequires: swig Name: libselinux-bindings -Version: 2.0.98 +Version: 2.0.91 Release: 0 Url: http://www.nsa.gov/research/selinux/ Summary: SELinux library and simple utilities License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries -Source: http://userspace.selinuxproject.org/releases/20101221/devel/libselinux-%{version}.tar.gz +Source: libselinux-%{version}.tar.bz2 Source1: selinux-ready Source2: baselibs.conf Patch0: libselinux-rhat.patch diff --git a/libselinux-ruby.patch b/libselinux-ruby.patch index 164db8f..d87b4b9 100644 --- a/libselinux-ruby.patch +++ b/libselinux-ruby.patch @@ -1,7 +1,7 @@ Index: src/Makefile =================================================================== ---- src/Makefile.orig 2010-12-20 21:13:33.000000000 +0100 -+++ src/Makefile 2012-06-11 11:17:42.465960993 +0200 +--- src/Makefile.orig 2010-02-24 20:05:41.000000000 +0100 ++++ src/Makefile 2012-06-13 10:56:04.477254689 +0200 @@ -9,8 +9,8 @@ PYLIB ?= /usr/lib/$(PYLIBVER) PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")') 
@@ -10,10 +10,10 @@ Index: src/Makefile -RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) +RUBYINC ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['rubyhdrdir'].nil? ? '$(LIBDIR)/ruby/$(RUBYLIBVER)' : Config::CONFIG['rubyhdrdir']") +RUBYINSTALL ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['vendorarchdir'].nil? ? '$(DESTDIR)'+Config::CONFIG['sitearchdir'] : '$(DESTDIR)'+Config::CONFIG['vendorarchdir']") - LIBBASE=$(shell basename $(LIBDIR)) VERSION = $(shell cat ../VERSION) -@@ -73,7 +73,7 @@ $(SWIGLOBJ): $(SWIGCOUT) + LIBVERSION = 1 +@@ -72,7 +72,7 @@ $(SWIGLOBJ): $(SWIGCOUT) $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) diff --git a/libselinux.changes b/libselinux.changes index a17009d..df5138d 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Jun 13 08:56:36 UTC 2012 - coolo@suse.com + +- go back even more - everything else requires the full SELinux stack + (too late for 12.2) + ------------------------------------------------------------------- Mon Jun 11 09:06:55 UTC 2012 - factory-maintainer@kulow.org diff --git a/libselinux.spec b/libselinux.spec index aea768b..092155e 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -21,13 +21,13 @@ BuildRequires: libsepol-devel >= %{libsepol_ver} BuildRequires: pkg-config Name: libselinux -Version: 2.0.98 +Version: 2.0.91 Release: 0 Url: http://www.nsa.gov/selinux/ Summary: SELinux library and simple utilities License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries -Source: http://userspace.selinuxproject.org/releases/20101221/devel/%{name}-%{version}.tar.gz +Source: %{name}-%{version}.tar.bz2 Source1: selinux-ready Source2: baselibs.conf Patch0: %{name}-rhat.patch From 8a1e764b29363d92d6fba7b6362d4aed214c774950259da9eca5f6ac155c9156 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= Date: Sun, 12 Aug 2012 13:26:33 +0000 Subject: [PATCH 25/42] Accepting request 130613 from security:SELinux - updated to 2.1.9 again (see below) - updated to 2.1.9 again (see below) OBS-URL: https://build.opensuse.org/request/show/130613 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=31 --- libselinux-2.0.91.tar.bz2 | 3 --- libselinux-2.1.9.tar.gz | 3 +++ libselinux-bindings.changes | 5 +++++ libselinux-bindings.spec | 8 ++++---- libselinux-ruby.patch | 20 ++++++++++---------- libselinux.changes | 5 +++++ libselinux.spec | 9 +++++---- 7 files changed, 32 insertions(+), 21 deletions(-) delete mode 100644 libselinux-2.0.91.tar.bz2 create mode 100644 libselinux-2.1.9.tar.gz diff --git a/libselinux-2.0.91.tar.bz2 b/libselinux-2.0.91.tar.bz2 deleted file mode 100644 index 20528dc..0000000 --- a/libselinux-2.0.91.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:67a89821c9cd01288af5e6c784cc963fd13cc7c5d2a06ae8e7241ce187682ea1 -size 156090 diff --git a/libselinux-2.1.9.tar.gz b/libselinux-2.1.9.tar.gz new file mode 100644 index 0000000..e2f2d43 --- /dev/null +++ b/libselinux-2.1.9.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:749d4b39c80aa9df8247b8b3187ab72442c0dbad6e70bf312e25052bd4e7063f +size 155840 diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index d2ab0c4..d542a5b 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com + +- updated to 2.1.9 again (see below) + ------------------------------------------------------------------- Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 76958bd..94b03bd 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec 
@@ -16,20 +16,20 @@ # -%define libsepol_ver 2.0.32 +%define libsepol_ver 2.1.4 BuildRequires: libsepol-devel-static >= %{libsepol_ver} BuildRequires: python-devel BuildRequires: ruby-devel BuildRequires: swig Name: libselinux-bindings -Version: 2.0.91 +Version: 2.1.9 Release: 0 -Url: http://www.nsa.gov/research/selinux/ +Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries -Source: libselinux-%{version}.tar.bz2 +Source: http://userspace.selinuxproject.org/releases/20120216/libselinux-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch0: libselinux-rhat.patch diff --git a/libselinux-ruby.patch b/libselinux-ruby.patch index d87b4b9..ba01a31 100644 --- a/libselinux-ruby.patch +++ b/libselinux-ruby.patch 
@@ -1,24 +1,24 @@ Index: src/Makefile =================================================================== ---- src/Makefile.orig 2010-02-24 20:05:41.000000000 +0100 -+++ src/Makefile 2012-06-13 10:56:04.477254689 +0200 -@@ -9,8 +9,8 @@ PYLIB ?= /usr/lib/$(PYLIBVER) - PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) +--- src/Makefile.orig ++++ src/Makefile +@@ -15,8 +15,8 @@ PYTHONLIBDIR ?= $(shell pkg-config --lib + PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER) RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")') RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM') -RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) -RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) +RUBYINC ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['rubyhdrdir'].nil? ? '$(LIBDIR)/ruby/$(RUBYLIBVER)' : Config::CONFIG['rubyhdrdir']") +RUBYINSTALL ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['vendorarchdir'].nil? ? '$(DESTDIR)'+Config::CONFIG['sitearchdir'] : '$(DESTDIR)'+Config::CONFIG['vendorarchdir']") + LIBBASE=$(shell basename $(LIBDIR)) VERSION = $(shell cat ../VERSION) - LIBVERSION = 1 -@@ -72,7 +72,7 @@ $(SWIGLOBJ): $(SWIGCOUT) - $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(PYINC) -fPIC -DSHARED -c -o $@ $< +@@ -76,7 +76,7 @@ $(SWIGLOBJ): $(SWIGCOUT) + $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) -- $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $< -+ $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(RUBYINC) -I$(RUBYINC)/$(RUBYPLATFORM) -fPIC -DSHARED -c -o $@ $< +- $(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $< ++ $(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -I$(RUBYINC)/$(RUBYPLATFORM) -fPIC -DSHARED -c -o $@ $< $(SWIGSO): $(SWIGLOBJ) - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@ + $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. 
-lselinux -L$(LIBDIR) $(PYTHONLIBDIR) -Wl,-soname,$@,-z,defs diff --git a/libselinux.changes b/libselinux.changes index df5138d..94ba4c1 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com + +- updated to 2.1.9 again (see below) + ------------------------------------------------------------------- Wed Jun 13 08:56:36 UTC 2012 - coolo@suse.com diff --git a/libselinux.spec b/libselinux.spec index 092155e..8294833 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -16,18 +16,18 @@ # -%define libsepol_ver 2.0.32 +%define libsepol_ver 2.1.4 BuildRequires: libsepol-devel >= %{libsepol_ver} BuildRequires: pkg-config Name: libselinux -Version: 2.0.91 +Version: 2.1.9 Release: 0 -Url: http://www.nsa.gov/selinux/ +Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities License: GPL-2.0 ; SUSE-Public-Domain Group: System/Libraries -Source: %{name}-%{version}.tar.bz2 +Source: http://userspace.selinuxproject.org/releases/20120216/%{name}-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch0: %{name}-rhat.patch @@ -167,6 +167,7 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/setenforce %{_sbindir}/togglesebool %{_sbindir}/selinux-ready +%{_sbindir}/selinuxexeccon %{_mandir}/man5/* %{_mandir}/man8/* From c103ffa55b8cf52e4b813d4e87f689d3d2d0dba65866e5aebe6676303393827b Mon Sep 17 00:00:00 2001 
From: Stephan Kulow Date: Wed, 28 Nov 2012 10:07:37 +0000 Subject: [PATCH 26/42] Accepting request 143256 from security:SELinux - update selinux-ready script (forwarded request 143038 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/143256 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=32 --- libselinux-bindings.spec | 2 +- libselinux.changes | 5 ++++ libselinux.spec | 2 +- selinux-ready | 53 ++++++++++++++++++++++++++++------------ 4 files changed, 44 insertions(+), 18 deletions(-) diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 94b03bd..663e9f8 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -27,7 +27,7 @@ Version: 2.1.9 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities -License: GPL-2.0 ; SUSE-Public-Domain +License: GPL-2.0 and SUSE-Public-Domain Group: System/Libraries Source: http://userspace.selinuxproject.org/releases/20120216/libselinux-%{version}.tar.gz Source1: selinux-ready diff --git a/libselinux.changes b/libselinux.changes index 94ba4c1..985d442 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Nov 27 12:38:29 UTC 2012 - vcizek@suse.com + +- update selinux-ready script + ------------------------------------------------------------------- Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com diff --git a/libselinux.spec b/libselinux.spec index 8294833..270fb95 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -25,7 +25,7 @@ Version: 2.1.9 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities -License: GPL-2.0 ; SUSE-Public-Domain +License: GPL-2.0 and SUSE-Public-Domain Group: System/Libraries Source: http://userspace.selinuxproject.org/releases/20120216/%{name}-%{version}.tar.gz Source1: selinux-ready 
diff --git a/selinux-ready b/selinux-ready index 48b59a3..8c202c7 100644 --- a/selinux-ready +++ b/selinux-ready 
@@ -22,37 +22,58 @@ check_dir() check_filesystem() { FSPATH="/proc/filesystems" - FSNAME="securityfs" + FSNAMES="securityfs selinuxfs" + OK="O" - grep -w $FSNAME $FSPATH 1>&2 >/dev/null + for FSNAME in $FSNAMES; do + grep -w $FSNAME $FSPATH 1>&2 >/dev/null - if [ $? == 0 ]; then - printf "\tcheck_filesystem: OK. Filesystem '$FSNAME' exists.\n" - return 0 + if [ $? == 0 ]; then + printf "\tcheck_filesystem: OK. Filesystem '$FSNAME' exists.\n" + else + printf "\tcheck_filesystem: ERR. Filesystem '$FSNAME' is missing. Please enable SELinux while compiling the kernel.\n" + OK="1" + fi + done + if [ "$OK" == "0" ]; then + return 0; else - printf "\tcheck_filesystem: ERR. Filesystem '$FSNAME' is missing. Please enable SELinux while compiling the kernel.\n" - return 0 + return 1; fi } check_boot() { - BPARAM="selinux=1" + BPARAM1="security=selinux" + BPARAM2="selinux=1" - printf "\tcheck_boot: Assuming GRUB as bootloader.\n" + printf "\tcheck_boot: Assuming GRUB2 as bootloader.\n" - BLINE=$(grep -- $BPARAM /boot/grub/menu.lst 2>/dev/null) # XXX check for multiple lines in config - - if [ $? == 0 ]; then + # look for parameters of the current kernel + CURRENT_KERNEL=$(uname -r) + OTHERS="" + RETVAL="FAIL" + while read BLINE + do K=$(echo $BLINE | awk -F' ' '{print $2}') KERNEL=$(basename $K) K=$(echo $KERNEL | sed s/vmlinuz-//) - INITRD=initrd-$K - printf "\tcheck_boot: OK. Kernel '$KERNEL' has boot-parameter '$BPARAM'\n" + + if [ "$K" == "$CURRENT_KERNEL" ]; then + INITRD=initrd-$K + RETVAL="OK" + else + OTHERS="$KERNEL $OTHERS" + fi + done < <(grep -- $BPARAM1 /boot/grub2/grub.cfg 2>/dev/null | grep -- $BPARAM2) + + if [ "$RETVAL" == OK ]; then + printf "\tcheck_boot: OK. Current kernel '$KERNEL' has boot-parameters '$BPARAM1 $BPARAM2'\n" + printf "\tcheck_boot: OK. Other kernels with correct parameters: $OTHERS\n" return 0 else printf "\tcheck_boot: ERR. 
Boot-parameter missing for booting the kernel.\n" - printf "\t Please use YaST2 to add 'selinux=1' to the kernel boot-parameter list.\n" + printf "\t Please use YaST2 to add 'security=selinux selinux=1' to the kernel boot-parameter list.\n" return 1 fi } @@ -141,7 +162,7 @@ check_initupstart() return 1; fi - POL=$(grep SELINUXTYPE $CFGFILE | sed "s/SELINUXTYPE\s*=\s*"//) + POL=$(grep "^\s*SELINUXTYPE" $CFGFILE | sed "s/SELINUXTYPE\s*=\(\S*\)\s*"/\\1/) if ! [ -f /etc/selinux/$POL/booleans ]; then printf "\tcheck_initupstart: ERR. booleans file for policy $POL does not exist.\n" From 6063f618e558063326312bd5503a19acc3157beda70d7ed982ec19c1a1fc9234 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Mon, 17 Dec 2012 08:34:47 +0000 Subject: [PATCH 27/42] Accepting request 145499 from security:SELinux - update selinux-ready script * use -L when stat()ing /etc/selinux/config * make sure that SELINUX isn't disabled in /etc/selinux/config * look for either of /sys/fs/selinux and /selinux directory * use systemctl to check for restorecond * don't look for booleans file (deprecated) (forwarded request 145303 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/145499 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=33 --- libselinux.changes | 10 ++++++++ selinux-ready | 63 +++++++++++++++++++++++----------------------- 2 files changed, 42 insertions(+), 31 deletions(-) diff --git a/libselinux.changes b/libselinux.changes index 985d442..2b0749d 100644 --- a/libselinux.changes +++ b/libselinux.changes 
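Review bot: `OK="O"` in check_filesystem initialises the flag with what appears to be the letter O, while the final test is `[ "$OK" == "0" ]`, so the function returns 1 even when both filesystems are listed; it should be `OK="0"` (or `OK=0` so the digit is unmistakable). The grep redirection `1>&2 >/dev/null`, kept from the old line, sends stdout to stderr before discarding stdout, so grep's own diagnostics still reach the terminal; `grep -qw "$FSNAME" "$FSPATH"` does what the line intends. In check_boot the OK branch correctly only reads `KERNEL` and `OTHERS` after the loop matched, but comparing `$(uname -r)` with the `vmlinuz-` suffix assumes grub.cfg names the kernel exactly as the running one reports itself — worth a one-line comment stating that assumption.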
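Review bot: The new POL extraction greps with `^\s*SELINUXTYPE`, so an indented line is accepted, but the sed expression `s/SELINUXTYPE\s*=\(\S*\)\s*/\1/` leaves that leading whitespace in `POL`, and the later `/etc/selinux/$POL/booleans` path then cannot exist; with several SELINUXTYPE lines POL also becomes multi-line. `POL=$(sed -n 's/^\s*SELINUXTYPE\s*=\s*\(\S*\).*/\1/p' "$CFGFILE" | tail -n1)` anchors the whole line and yields a single token. check_initupstart's body continues outside the hunk.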
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue Dec 11 16:15:52 UTC 2012 - vcizek@suse.com + +- update selinux-ready script + * use -L when stat()ing /etc/selinux/config + * make sure that SELINUX isn't disabled in /etc/selinux/config + * look for either of /sys/fs/selinux and /selinux directory + * use systemctl to check for restorecond + * don't look for booleans file (deprecated) + ------------------------------------------------------------------- Tue Nov 27 12:38:29 UTC 2012 - vcizek@suse.com diff --git a/selinux-ready b/selinux-ready index 8c202c7..278276d 100644 --- a/selinux-ready +++ b/selinux-ready @@ -8,13 +8,20 @@ TD="" # init needs /selinux to be there check_dir() { - SLDIR="/selinux" + SLDIRS="/selinux /sys/fs/selinux" + FOUND="no" - if [ -d $SLDIR ];then - printf "\tcheck_dir: OK. $SLDIR exists.\n" + for DIR in $SLDIRS; do + if [ -d $DIR ]; then + printf "\tcheck_dir: OK. $DIR exists.\n" + FOUND="yes" + fi + done + + if [ $FOUND == "yes" ]; then return 0 else - printf "\tcheck_dir: ERR. $SLDIR does not exists, please execute 'mkdir $SLDIR' as root.\n" + printf "\tcheck_dir: ERR. Neither of $SLDIRS does exist. Please execute 'mkdir /sys/fs/selinux' as root\n" return 1 fi } @@ -58,7 +65,7 @@ check_boot() K=$(echo $BLINE | awk -F' ' '{print $2}') KERNEL=$(basename $K) K=$(echo $KERNEL | sed s/vmlinuz-//) - + if [ "$K" == "$CURRENT_KERNEL" ]; then INITRD=initrd-$K RETVAL="OK" @@ -80,6 +87,9 @@ check_boot() check_mkinitrd() { + if [ "$INITRD" == "unknown" ]; then + return 1 + fi MCMD="mount.*/root/proc.*" if ! [ -f "/boot/$INITRD" ];then 
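Review bot: check_mkinitrd's new early `return 1` when INITRD is "unknown" prints nothing, unlike every other check in this script, so the user sees a failure with no stated reason; add `printf "\tcheck_mkinitrd: ERR. No initrd determined for the running kernel (see check_boot).\n"` before the return (the function continues outside the hunk, and the "unknown" default is set elsewhere). In check_dir the new error text still advises `mkdir /sys/fs/selinux`; /sys is sysfs, where that mkdir will normally fail, and /sys/fs/selinux appears when the running kernel was built with SELinux, so the message should point at the kernel configuration rather than at a mkdir.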
@@ -161,33 +171,12 @@ check_initupstart() printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n" return 1; fi - - POL=$(grep "^\s*SELINUXTYPE" $CFGFILE | sed "s/SELINUXTYPE\s*=\(\S*\)\s*"/\\1/) - - if ! [ -f /etc/selinux/$POL/booleans ]; then - printf "\tcheck_initupstart: ERR. booleans file for policy $POL does not exist.\n" - return 1 - fi - - INITUS=$(grep init_upstart /etc/selinux/$POL/booleans | sed "s/.*init_upstart\s*=\s*//") - - if [ "$INITUS" == 1 ]; then - printf "\tcheck_initupstart: OK. init_upstart in $POL/booleans is set to 1.\n" - return 0 - else - printf "\tcheck_initupstart: ERR. init_upstart in $POL/booleans is NOT set to 1 ($INITUS).\n" - return 1 - fi - } check_runlevel() { - #ls -q /etc/rc.d/rc[35].d/S*restorecond 1>&2 >/dev/null - - #if [ $? == 0 ]; then - if [ -x /etc/rc.d/rc3.d/S*restorecond ] || [ -x /etc/rc.d/rc5.d/S*restorecond ]; then - printf "\tcheck_runlevel: OK. your system is using restorecond in runlevel 3 and/or 5.\n" + if [ "$(systemctl is-enabled restorecond.service)" == "enabled" ]; then + printf "\tcheck_runlevel: OK. restorecond is enabled on your system\n" return 0; fi printf "\tcheck_runlevel: ERR. please execute 'yast2 runlevel' and enable restorecond.\n" 
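Review bot: check_runlevel now asks `systemctl is-enabled restorecond.service`, but the error line that follows (context, not changed here) still tells the user to run `yast2 runlevel`; the remedy should match the new check, e.g. `printf "\tcheck_runlevel: ERR. please run 'systemctl enable restorecond.service'.\n"`. `systemctl is-enabled` writes its own diagnostics to stderr when the unit is unknown, so `2>/dev/null` inside the command substitution keeps the script's output to its own messages. After this hunk check_initupstart only verifies that $CFGFILE exists and then falls off the end of the function; an explicit `return 0` after the existence check would make that result intentional rather than a side effect of the last `if`.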
@@ -220,14 +209,26 @@ check_config() { CF="/etc/selinux/config" - if [ -f $CF ];then printf "\tcheck_config: OK. Config file seems to be there.\n" - if ! [ $(stat --printf=%a $CF) -eq "644" ]; then + # with -L because /etc/selinux/config is now a link to /etc/sysconfig/selinux-policy + if ! [ $(stat -L --printf=%a $CF) -eq "644" ]; then printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n" return 1 fi - return 0 + + # check that SELINUX is not disabled there + SELINUX_MODE=$(grep "^\s*SELINUX\s*=" $CF | sed "s/SELINUX\s*=\(\S*\)\s*"/\\1/) + case "$SELINUX_MODE" in + permissive | enforcing ) + printf "\tcheck_config: OK. SELINUX is set to '$SELINUX_MODE'.\n" + return 0 + ;; + * ) + printf "\tcheck_config: ERR. SELINUX is set to '$SELINUX_MODE' in '$CF'. Should be either 'permissive' or 'enforcing'\n" + return 1 + ;; + esac else printf "\tcheck_config: ERR. Config file '$CF' is missing.\n" return 1 From 3a07a64d194e01b52bf5642fc617b2d599da6bddc987a237e756d2e231ca62e7 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Fri, 8 Mar 2013 09:52:39 +0000 Subject: [PATCH 28/42] Accepting request 157813 from security:SELinux Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/157813 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=35 --- libselinux-2.1.12.tar.gz | 3 + libselinux-2.1.9.tar.gz | 3 - libselinux-bindings.changes | 11 + libselinux-bindings.spec | 13 +- libselinux-rhat.patch | 7758 ++++++++++++++++++++++++++++++++++- libselinux-ruby.patch | 22 +- libselinux.changes | 59 + libselinux.spec | 15 +- 8 files changed, 7794 insertions(+), 90 deletions(-) create mode 100644 libselinux-2.1.12.tar.gz delete mode 100644 libselinux-2.1.9.tar.gz diff --git a/libselinux-2.1.12.tar.gz b/libselinux-2.1.12.tar.gz new file mode 100644 index 0000000..fca51e2 --- /dev/null +++ b/libselinux-2.1.12.tar.gz 
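Review bot: The new SELINUX_MODE extraction has the same shape as the SELINUXTYPE one: grep accepts leading whitespace but `s/SELINUX\s*=\(\S*\)\s*/\1/` keeps it, and a trailing comment or a second SELINUX= line leaves extra text in the value, so `case` drops to the error branch for a file that is actually valid; `SELINUX_MODE=$(sed -n 's/^\s*SELINUX\s*=\s*\([a-z]*\).*/\1/p' "$CF" | tail -n1)` yields one clean token. The `stat -L` change is right for the symlinked config, but `[ $(stat -L --printf=%a $CF) -eq "644" ]` still aborts with a test error instead of a message when stat fails; capturing the mode in a quoted variable and checking stat's exit status first gives a clean report. Since `permissive` passes the check, the OK line could note that permissive only logs denials, so the reader knows enforcement is not yet active.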
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8dad879380e0ce1e4ab67195a08f6052c1396493bcb12fe92a033f49f7dbca9e +size 162162 diff --git a/libselinux-2.1.9.tar.gz b/libselinux-2.1.9.tar.gz deleted file mode 100644 index e2f2d43..0000000 --- a/libselinux-2.1.9.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:749d4b39c80aa9df8247b8b3187ab72442c0dbad6e70bf312e25052bd4e7063f -size 155840 diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index d542a5b..501ffd9 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Wed Jan 30 12:33:45 UTC 2013 - vcizek@suse.com + +- update to 2.1.12 +- added BuildRequires: pcre-devel + +------------------------------------------------------------------- +Mon Jan 7 22:34:03 UTC 2013 - jengelh@inai.de + +- Remove obsolete defines/sections + ------------------------------------------------------------------- Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 663e9f8..e9617f7 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux-bindings # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,14 +16,15 @@ # -%define libsepol_ver 2.1.4 +%define libsepol_ver 2.1.8 BuildRequires: libsepol-devel-static >= %{libsepol_ver} +BuildRequires: pcre-devel BuildRequires: python-devel BuildRequires: ruby-devel BuildRequires: swig Name: libselinux-bindings -Version: 2.1.9 +Version: 2.1.12 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities 
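Review bot: Version moves to 2.1.12, but the Source line a few lines below this hunk is unchanged in this commit and, as set at L123, still embeds the `releases/20120216/` directory that belonged to 2.1.9; verify that `http://userspace.selinuxproject.org/releases/20120216/libselinux-%{version}.tar.gz` actually resolves for the new tarball and update the directory if upstream published 2.1.12 elsewhere, otherwise the committed archive can no longer be re-fetched and compared against upstream. The added `BuildRequires: pcre-devel` matches the changelog entry; the libsepol_ver bump to 2.1.8 presumably belongs in libselinux.spec as well, which lies outside this chunk.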
@@ -35,7 +36,6 @@ Source2: baselibs.conf
 Patch0: libselinux-rhat.patch
 Patch1: libselinux-ruby.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
-%define debug_package_requires python-selinux = %{version}-%{release}
 %description
 Security-enhanced Linux is a feature of the Linux(R) kernel and a
@@ -104,7 +104,7 @@ decisions. Required for any applications that use the SELinux API.
 %prep
 %setup -q -n libselinux-%{version}
-%patch0 -p1
+%patch0 -p2
 %patch1
 %build
@@ -119,9 +119,6 @@ make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM
 make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-rubywrap
 rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD_ROOT%{_libdir}/pkgconfig
-%clean
-rm -rf $RPM_BUILD_ROOT
-
 %files -n python-selinux
 %defattr(-,root,root,-)
 %dir %{py_sitedir}/selinux
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 5c6370b..61cea24 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -1,67 +1,6808 @@ -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.90/man/man8/selinuxconlist.8 ---- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.90/man/man8/selinuxconlist.8 2010-01-18 16:52:28.000000000 -0500 -@@ -0,0 +1,18 @@ -+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" -+.SH "NAME" -+selinuxconlist \- list all SELinux context reachable for user -+.SH "SYNOPSIS" -+.B selinuxconlist [-l level] user [context] -+ -+.SH "DESCRIPTION" -+.B selinuxconlist -+reports the list of context reachable for user from the current context or specified context -+ -+.B \-l level -+mcs/mls level -+ -+.SH AUTHOR -+This manual page was written by Dan Walsh . -+ -+.SH "SEE ALSO" -+secon(8), selinuxdefcon(8) -diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.90/man/man8/selinuxdefcon.8 ---- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.90/man/man8/selinuxdefcon.8 2010-01-18 16:52:28.000000000 -0500 -@@ -0,0 +1,24 @@ -+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" -+.SH "NAME" -+selinuxdefcon \- report default SELinux context for user -+ -+.SH "SYNOPSIS" -+.B selinuxdefcon [-l level] user fromcon -+ -+.SH "DESCRIPTION" -+.B selinuxdefcon -+reports the default context for the specified user from the specified context -+ -+.B \-l level -+mcs/mls level -+ -+.SH EXAMPLE -+# selinuxdefcon jsmith system_u:system_r:sshd_t:s0 +diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h +index 6b9089d..aba6e33 100644 +--- a/libselinux/include/selinux/selinux.h ++++ b/libselinux/include/selinux/selinux.h +@@ -360,6 +360,8 @@ extern int selinux_set_mapping(struct security_class_mapping *map); + + /* Common helpers */ + ++/* Convert between mode and security class values */ ++extern 
security_class_t mode_to_security_class(mode_t mode); + /* Convert between security class values and string names */ + extern security_class_t string_to_security_class(const char *name); + extern const char *security_class_to_string(security_class_t cls); +@@ -496,7 +498,9 @@ extern const char *selinux_policy_root(void); + + /* These functions return the paths to specific files under the + policy root directory. */ ++extern const char *selinux_current_policy_path(void); + extern const char *selinux_binary_policy_path(void); ++extern char *selinux_binary_policy_path_min_max(int min, int *max); + extern const char *selinux_failsafe_context_path(void); + extern const char *selinux_removable_context_path(void); + extern const char *selinux_default_context_path(void); +diff --git a/libselinux/man/man3/avc_add_callback.3 b/libselinux/man/man3/avc_add_callback.3 +index 9c83cac..dbfe72d 100644 +--- a/libselinux/man/man3/avc_add_callback.3 ++++ b/libselinux/man/man3/avc_add_callback.3 +@@ -3,33 +3,35 @@ + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004 + .TH "avc_add_callback" "3" "9 June 2004" "" "SELinux API documentation" + .SH "NAME" +-avc_add_callback \- additional event notification for SELinux userspace object managers. ++avc_add_callback \- additional event notification for SELinux userspace object managers ++. + .SH "SYNOPSIS" + .B #include +- +.br -+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 + .B #include + .sp + .BI "int avc_add_callback(int (*" callback ")(uint32_t " event , + .in +\w'int avc_add_callback(int (*callback)('u + .BI "security_id_t " ssid , +- ++.br + .BI "security_id_t " tsid , +- ++.br + .BI "security_class_t " tclass , +- ++.br + .BI "access_vector_t " perms , +- ++.br + .BI "access_vector_t *" out_retained ")," + .in + .in +\w'int avc_add_callback('u + .BI "uint32_t " events ", security_id_t " ssid , +- ++.br + .BI "security_id_t " tsid ", security_class_t " tclass , +- ++.br + .BI "access_vector_t " perms ");" + .in ++. 
+ .SH "DESCRIPTION" +-.B avc_add_callback ++.BR avc_add_callback () + is used to register callback functions on security events. The purpose of this functionality is to allow userspace object managers to take additional action when a policy change, usually a policy reload, causes permissions to be granted or revoked. + + .I events +@@ -55,10 +57,14 @@ and will cause any SID to match. + .I callback + is the callback function provided by the userspace object manager. The + .I event +-argument indicates the security event which occured; the remaining arguments are interpreted according to the event as described below. The return value of the callback should be zero on success, \-1 on error with errno set appropriately (but see ++argument indicates the security event which occured; the remaining arguments ++are interpreted according to the event as described below. The return value ++of the callback should be zero on success, \-1 on error with ++.I errno ++set appropriately (but see + .B RETURN VALUE + below). +- ++. + .SH "SECURITY EVENTS" + In all cases below, + .I ssid +@@ -69,7 +75,7 @@ may be set to + indicating that the change applies to all source and/or target SID's. Unless otherwise indicated, the + .I out_retained + parameter is unused. +- ++. + .TP + .B AVC_CALLBACK_GRANT + Previously denied permissions are now granted for +@@ -142,10 +148,10 @@ should no longer be audited when denied for + .I tsid + with respect to + .IR tclass . +- ++. + .SH "RETURN VALUE" + On success, +-.B avc_add_callback ++.BR avc_add_callback () + returns zero. On error, \-1 is returned and + .I errno + is set appropriately. +@@ -157,25 +163,27 @@ on all further permission checks until + is called. In non-threaded mode, the permission check on which the error occurred will return \-1 and the value of + .I errno + encountered to the caller. In both cases, a log message is produced and the kernel may be notified of the error. +- ++. 
+ .SH "ERRORS" + .TP + .B ENOMEM + An attempt to allocate memory failed. +- ++. + .SH "NOTES" + If the userspace AVC is running in threaded mode, callbacks registered via +-.B avc_add_callback ++.BR avc_add_callback () + may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See + .BR avc_init (3). + + Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. The only security event that currently gets excercised is + .BR AVC_CALLBACK_RESET . +- ++. + .SH "AUTHOR" + Eamon Walsh +- ++. + .SH "SEE ALSO" ++.ad l ++.nh + .BR avc_init (3), + .BR avc_has_perm (3), + .BR avc_context_to_sid (3), +diff --git a/libselinux/man/man3/avc_cache_stats.3 b/libselinux/man/man3/avc_cache_stats.3 +index 96f2b21..c00f090 100644 +--- a/libselinux/man/man3/avc_cache_stats.3 ++++ b/libselinux/man/man3/avc_cache_stats.3 +@@ -3,10 +3,11 @@ + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004 + .TH "avc_cache_stats" "3" "27 May 2004" "" "SELinux API documentation" + .SH "NAME" +-avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics. ++avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics ++. + .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp + .BI "void avc_av_stats(void);" +@@ -14,15 +15,16 @@ avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC sta + .BI "void avc_sid_stats(void);" + .sp + .BI "void avc_cache_stats(struct avc_cache_stats *" stats ");" ++. + .SH "DESCRIPTION" + The userspace AVC maintains two internal hash tables, one to store security ID's and one to cache access decisions. + +-.B avc_av_stats ++.BR avc_av_stats () + and +-.B avc_sid_stats ++.BR avc_sid_stats () + produce log messages indicating the status of the access decision and SID tables, respectively. 
The messages contain the number of entries in the table, number of hash buckets and number of buckets used, and maximum number of entries in a single bucket. + +-.B avc_cache_stats ++.BR avc_cache_stats () + populates a structure whose fields reflect cache activity: + + .RS +@@ -74,26 +76,28 @@ Number of cache misses. + .TP + .I cav_probes + Number of entries examined while searching the cache. +- ++. + .SH "NOTES" + When the cache is flushed as a result of a call to +-.B avc_reset ++.BR avc_reset () + or a policy change notification, + the statistics returned by +-.B avc_cache_stats ++.BR avc_cache_stats () + are reset to zero. The SID table, however, is left + unchanged. + + When a policy change notification is received, a call to +-.B avc_av_stats ++.BR avc_av_stats () + is made before the cache is flushed. +- ++. + .SH "AUTHOR" + Eamon Walsh +- ++. + .SH "SEE ALSO" ++.ad l ++.nh + .BR avc_init (3), + .BR avc_has_perm (3), + .BR avc_context_to_sid (3), +-.BR avc_add_callback (3) ++.BR avc_add_callback (3), + .BR selinux (8) +diff --git a/libselinux/man/man3/avc_compute_create.3 b/libselinux/man/man3/avc_compute_create.3 +index 52d09b5..ce615bf 100644 +--- a/libselinux/man/man3/avc_compute_create.3 ++++ b/libselinux/man/man3/avc_compute_create.3 +@@ -3,10 +3,11 @@ + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007 + .TH "avc_compute_create" "3" "30 Mar 2007" "" "SELinux API documentation" + .SH "NAME" +-avc_compute_create, avc_compute_member \- obtain SELinux label for new object. ++avc_compute_create, avc_compute_member \- obtain SELinux label for new object ++. + .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp + .BI "int avc_compute_create(security_id_t " ssid ", security_id_t " tsid , +@@ -18,26 +19,27 @@ avc_compute_create, avc_compute_member \- obtain SELinux label for new object. + .in +\w'int avc_compute_member('u + .BI "security_class_t " tclass ", security_id_t *" newsid ");" + .in ++. 
+ .SH "DESCRIPTION" +-.B avc_compute_create ++.BR avc_compute_create () + is used to compute a SID to use for labeling a new object in a particular class based on a SID pair. This call is identical to +-.BR security_compute_create , ++.BR security_compute_create (), + but does not require converting from userspace SID's to contexts and back again. + +-.B avc_compute_member ++.BR avc_compute_member () + is used to compute a SID to use for labeling a polyinstantiated object instance of a particular class based on a SID pair. This call is identical to +-.BR security_compute_member , ++.BR security_compute_member (), + but does not require converting from userspace SID's to contexts and back again. + + These functions + return a SID for the computed context in the memory referenced by + .IR sid . +- ++. + .SH "RETURN VALUE" + On success, zero is returned. On error, \-1 is returned and + .I errno + is set appropriately. +- ++. + .SH "ERRORS" + .TP + .B EINVAL +@@ -48,14 +50,13 @@ and/or the security contexts referenced by + and + .I tsid + are not recognized by the currently loaded policy. +- + .TP + .B ENOMEM + An attempt to allocate memory failed. +- ++. + .SH "AUTHOR" + Eamon Walsh +- ++. + .SH "SEE ALSO" + .BR avc_init (3), + .BR avc_context_to_sid (3), +diff --git a/libselinux/man/man3/avc_context_to_sid.3 b/libselinux/man/man3/avc_context_to_sid.3 +index 1caf5ec..e416b09 100644 +--- a/libselinux/man/man3/avc_context_to_sid.3 ++++ b/libselinux/man/man3/avc_context_to_sid.3 +@@ -3,10 +3,11 @@ + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004 + .TH "avc_context_to_sid" "3" "27 May 2004" "" "SELinux API documentation" + .SH "NAME" +-avc_context_to_sid, avc_sid_to_context, avc_get_initial_sid \- obtain and manipulate SELinux security ID's. ++avc_context_to_sid, avc_sid_to_context, avc_get_initial_sid \- obtain and manipulate SELinux security ID's ++. 
+ .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp + .BI "int avc_context_to_sid(security_context_t " ctx ", security_id_t *" sid ");" +@@ -14,17 +15,17 @@ avc_context_to_sid, avc_sid_to_context, avc_get_initial_sid \- obtain and manipu + .BI "int avc_sid_to_context(security_id_t " sid ", security_context_t *" ctx ");" + .sp + .BI "int avc_get_initial_sid(const char *" name ", security_id_t *" sid ");" +-.sp ++. + .SH "DESCRIPTION" + Security ID's (SID's) are opaque representations of security contexts, managed by the userspace AVC. + +-.B avc_context_to_sid ++.BR avc_context_to_sid () + returns a SID for the given + .I context + in the memory referenced by + .IR sid . + +-.B avc_sid_to_context ++.BR avc_sid_to_context () + returns a copy of the context represented by + .I sid + in the memory referenced by +@@ -32,40 +33,41 @@ in the memory referenced by + The user must free the copy with + .BR freecon (3). + +-.B avc_get_initial_sid ++.BR avc_get_initial_sid () + returns a SID for the kernel initial security identifier specified by + .IR name . +- ++. + .SH "RETURN VALUE" +-.B avc_context_to_sid ++.BR avc_context_to_sid () + and +-.B avc_sid_to_context ++.BR avc_sid_to_context () + return zero on success. On error, \-1 is returned and + .I errno + is set appropriately. +- ++. + .SH "ERRORS" + .TP + .B ENOMEM + An attempt to allocate memory failed. +- + .SH "NOTES" + As of libselinux version 2.0.86, SID's are no longer reference counted. A SID will be valid from the time it is first obtained until the next call to + .BR avc_destroy (3). + The +-.B sidget ++.BR sidget (3) + and +-.B sidput ++.BR sidput (3) + functions, formerly used to adjust the reference count, are no-ops and are deprecated. +- ++. + .SH "AUTHOR" + Eamon Walsh +- ++. 
+ .SH "SEE ALSO" ++.ad l ++.nh + .BR avc_init (3), + .BR avc_has_perm (3), + .BR avc_cache_stats (3), + .BR avc_add_callback (3), + .BR getcon (3), +-.BR freecon (3) ++.BR freecon (3), + .BR selinux (8) +diff --git a/libselinux/man/man3/avc_has_perm.3 b/libselinux/man/man3/avc_has_perm.3 +index 50f4d44..7353952 100644 +--- a/libselinux/man/man3/avc_has_perm.3 ++++ b/libselinux/man/man3/avc_has_perm.3 +@@ -3,10 +3,11 @@ + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004 + .TH "avc_has_perm" "3" "27 May 2004" "" "SELinux API documentation" + .SH "NAME" +-avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and audit SELinux access decisions. ++avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and audit SELinux access decisions ++. + .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp + .BI "void avc_entry_ref_init(struct avc_entry_ref *" aeref ");" +@@ -14,32 +15,33 @@ avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and + .BI "int avc_has_perm(security_id_t " ssid ", security_id_t " tsid , + .in +\w'int avc_has_perm('u + .BI "security_class_t " tclass ", access_vector_t " requested , +- ++.br + .BI "struct avc_entry_ref *" aeref ", void *" auditdata ");" + .in + .sp + .BI "int avc_has_perm_noaudit(security_id_t " ssid ", security_id_t " tsid , + .in +\w'int avc_has_perm('u + .BI "security_class_t " tclass ", access_vector_t " requested , +- ++.br + .BI "struct avc_entry_ref *" aeref ", struct av_decision *" avd ");" + .in + .sp + .BI "void avc_audit(security_id_t " ssid ", security_id_t " tsid , + .in +\w'void avc_audit('u + .BI "security_class_t " tclass ", access_vector_t " requested , +- ++.br + .BI "struct av_decision *" avd ", int " result ", void *" auditdata ");" + .in ++. + .SH "DESCRIPTION" +-.B avc_entry_ref_init ++.BR avc_entry_ref_init () + initializes an + .B avc_entry_ref + structure; see + .B ENTRY REFERENCES + below. This function may be implemented as a macro. 
+ +-.B avc_has_perm ++.BR avc_has_perm () + checks whether the + .I requested + permissions are granted +@@ -55,19 +57,19 @@ and updating + if non-NULL, to refer to a cache entry with the resulting decision. The granting or denial of permissions is audited in accordance with the policy. The + .I auditdata + parameter is for supplemental auditing; see +-.B avc_audit ++.BR avc_audit () + below. + +-.B avc_has_perm_noaudit ++.BR avc_has_perm_noaudit () + behaves as +-.B avc_has_perm ++.BR avc_has_perm () + without producing an audit message. The access decision is returned in + .I avd + and can be passed to +-.B avc_audit ++.BR avc_audit () + explicitly. + +-.B avc_audit ++.BR avc_audit () + produces an audit message for the access query represented by + .IR ssid , + .IR tsid , +@@ -77,7 +79,7 @@ and + with a decision represented by + .IR avd . + Pass the value returned by +-.B avc_has_perm_noaudit ++.BR avc_has_perm_noaudit () + as + .IR result . + The +@@ -86,7 +88,7 @@ parameter is passed to the user-supplied + .B func_audit + callback and can be used to add supplemental information to the audit message; see + .BR avc_init (3). +- ++. + .SH "ENTRY REFERENCES" + Entry references can be used to speed cache performance for repeated queries on the same subject and target. The userspace AVC will check the + .I aeref +@@ -97,14 +99,14 @@ will be updated to reference the cache entry for that query. A subsequent query + After declaring an + .B avc_entry_ref + structure, use +-.B avc_entry_ref_init ++.BR avc_entry_ref_init () + to initialize it before passing it to +-.B avc_has_perm ++.BR avc_has_perm () + or +-.B avc_has_perm_noaudit ++.BR \%avc_has_perm_noaudit () + for the first time. + Using an uninitialized structure will produce undefined behavior. +- ++. + .SH "RETURN VALUE" + If requested permissions are granted, zero is returned. If requested permissions are denied or an error occured, \-1 is returned and + .I errno +@@ -113,9 +115,9 @@ is set appropriately. 
+ In permissive mode, zero will be returned and + .I errno + unchanged even if permissions were denied. +-.B avc_has_perm ++.BR avc_has_perm () + will still produce an audit message in this case. +- ++. + .SH "ERRORS" + .TP + .B EACCES +@@ -132,7 +134,7 @@ are not recognized by the currently loaded policy. + .TP + .B ENOMEM + An attempt to allocate memory failed. +- ++. + .SH "NOTES" + Internal errors encountered by the userspace AVC may cause certain values of + .I errno +@@ -142,14 +144,16 @@ or + .BR EINVAL . + Make sure that userspace object managers are granted appropriate access to + netlink by the policy. +- ++. + .SH "AUTHOR" + Eamon Walsh +- ++. + .SH "SEE ALSO" ++.ad l ++.nh + .BR avc_init (3), + .BR avc_context_to_sid (3), + .BR avc_cache_stats (3), + .BR avc_add_callback (3), +-.BR security_compute_av (3) +-.BR selinux(8) ++.BR security_compute_av (3), ++.BR selinux (8) +diff --git a/libselinux/man/man3/avc_init.3 b/libselinux/man/man3/avc_init.3 +index 331a665..e26c3be 100644 +--- a/libselinux/man/man3/avc_init.3 ++++ b/libselinux/man/man3/avc_init.3 +@@ -3,37 +3,39 @@ + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004 + .TH "avc_init" "3" "27 May 2004" "" "SELinux API documentation" + .SH "NAME" +-avc_init - legacy userspace SELinux AVC setup. ++avc_init \- legacy userspace SELinux AVC setup ++. + .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp + .BI "int avc_init(const char *" msgprefix , + .in +\w'int avc_init('u + .BI "const struct avc_memory_callback *" mem_callbacks , +- ++.br + .BI "const struct avc_log_callback *" log_callbacks , +- ++.br + .BI "const struct avc_thread_callback *" thread_callbacks , +- ++.br + .BI "const struct avc_lock_callback *" lock_callbacks ");" ++. + .SH "DESCRIPTION" +-.B avc_init ++.BR avc_init () + is deprecated; please use + .BR avc_open (3) + in conjunction with + .BR selinux_set_callback (3) + in all new code. 
+ +-.B avc_init ++.BR avc_init () + initializes the userspace AVC and must be called before any other AVC operation can be performed. A non-NULL + .I msgprefix + will be prepended to all audit messages produced by the userspace AVC. The default is `uavc'. The remaining arguments, if non-NULL, specify callbacks to be used by the userspace AVC. +- ++. + .SH "CALLBACKS" + The userspace AVC can be directed how to perform memory allocation, logging, thread creation, and locking via callback functions passed to +-.BR avc_init . ++.BR avc_init (). + The purpose of this functionality is to allow the userspace AVC to be smoothly integrated into existing userspace object managers. + + Use an +@@ -150,26 +152,26 @@ The + callback should destroy + .IR lock , + freeing any resources associated with it. The default behavior is not to perform any locking. Note that undefined behavior may result if threading is used without appropriate locking. +- ++. + .SH "NETLINK NOTIFICATION" + Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of + .BR avc_has_perm (3) + to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed. + + In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to +-.B avc_init ++.BR avc_init () + however, a dedicated thread will be started to listen on the netlink socket. This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query. +- ++. 
+ .SH "RETURN VALUE" + Functions with a return value return zero on success. On error, \-1 is returned and + .I errno + is set appropriately. +- ++. + .SH "NOTES" + The + .I msgprefix + argument to +-.B avc_init ++.BR avc_init () + currently has a length limit of 15 characters and will be truncated if necessary. + + If a provided +@@ -184,12 +186,11 @@ If a netlink thread has been created and an error occurs on the socket (such as + on all further permission checks until + .B avc_destroy + is called. +- ++. + .SH "AUTHOR" + Eamon Walsh +- ++. + .SH "SEE ALSO" + .BR avc_open (3), + .BR selinux_set_callback (3), + .BR selinux (8) +- +diff --git a/libselinux/man/man3/avc_netlink_loop.3 b/libselinux/man/man3/avc_netlink_loop.3 +index 785be4c..c8268a1 100644 +--- a/libselinux/man/man3/avc_netlink_loop.3 ++++ b/libselinux/man/man3/avc_netlink_loop.3 +@@ -5,24 +5,25 @@ + .SH "NAME" + avc_netlink_open, avc_netlink_close, avc_netlink_acquire_fd, + avc_netlink_release_fd, avc_netlink_check_nb, avc_netlink_loop \- SELinux +-netlink processing. ++netlink processing ++. + .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp + .BI "int avc_netlink_open(int " blocking ");" + .sp +-.BI "void avc_netlink_close(void);" +-.sp +-.BI "int avc_netlink_acquire_fd(void);" ++.B void avc_netlink_close(void); + .sp +-.BI "void avc_netlink_release_fd(void);" ++.B int avc_netlink_acquire_fd(void); + .sp +-.BI "void avc_netlink_loop(void);" ++.B void avc_netlink_release_fd(void); + .sp +-.BI "int avc_netlink_check_nb(void);" ++.B void avc_netlink_loop(void); + .sp ++.B int avc_netlink_check_nb(void); ++. + .SH "DESCRIPTION" + These functions enable applications to handle notification of SELinux events + via netlink. The userspace AVC normally checks for netlink messages on each +@@ -35,7 +36,7 @@ loop. These functions also permit netlink monitoring without requiring a + call to + .BR avc_open (3). 
+ +-.B avc_netlink_open ++.BR avc_netlink_open () + opens a netlink socket to receive SELinux notifications. The socket + descriptor is stored internally; use + .BR avc_netlink_acquire_fd (3) +@@ -45,38 +46,38 @@ argument controls whether the O_NONBLOCK flag is set on the socket descriptor. + .BR avc_open (3) + calls this function internally, specifying non-blocking behavior. + +-.B avc_netlink_close ++.BR avc_netlink_close () + closes the netlink socket. This function is called automatically by + .BR avc_destroy (3). + +-.B avc_netlink_acquire_fd ++.BR avc_netlink_acquire_fd () + returns the netlink socket descriptor number and informs the userspace AVC + not to check the socket descriptor automatically on calls to + .BR avc_has_perm (3). + +-.B avc_netlink_release_fd ++.BR avc_netlink_release_fd () + returns control of the netlink socket to the userspace AVC, re-enabling + automatic processing of notifications. + +-.B avc_netlink_check_nb ++.BR avc_netlink_check_nb () + checks the netlink socket for pending messages and processes them. + Callbacks for policyload and enforcing changes will be called; + see + .BR selinux_set_callback (3). + This function does not block. + +-.B avc_netlink_loop ++.BR avc_netlink_loop () + enters a loop blocking on the netlink socket and processing messages as they + are received. This function will not return unless an error occurs on + the socket, in which case the socket is closed. +- ++. + .SH "RETURN VALUE" +-.B avc_netlink_acquire_fd ++.BR avc_netlink_acquire_fd () + returns a non-negative file descriptor number on success. Other functions +-with a return value return zero on success. On error, -1 is returned and ++with a return value return zero on success. On error, \-1 is returned and + .I errno + is set appropriately. +- ++. 
+ .SH "SEE ALSO" + .BR avc_open (3), + .BR selinux_set_callback (3), +diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3 +index d1dab8f..5b275a8 100644 +--- a/libselinux/man/man3/avc_open.3 ++++ b/libselinux/man/man3/avc_open.3 +@@ -3,10 +3,11 @@ + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2008 + .TH "avc_open" "3" "12 Jun 2008" "" "SELinux API documentation" + .SH "NAME" +-avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown. ++avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown ++. + .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp + .BI "int avc_open(struct selinux_opt *" options ", unsigned " nopt ");" +@@ -16,49 +17,48 @@ avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and + .BI "int avc_reset(void);" + .sp + .BI "void avc_cleanup(void);" ++. + .SH "DESCRIPTION" +-.B avc_open ++.BR avc_open () + initializes the userspace AVC and must be called before any other AVC operation can be performed. + +-.B avc_destroy ++.BR avc_destroy () + destroys the userspace AVC, freeing all internal memory structures. After this call has been made, +-.B avc_open ++.BR avc_open () + must be called again before any AVC operations can be performed. + +-.B avc_reset ++.BR avc_reset () + flushes the userspace AVC, causing it to forget any cached access decisions. The userspace AVC normally calls this function automatically when needed, see + .B NETLINK NOTIFICATION + below. + +-.B avc_cleanup ++.BR avc_cleanup () + attempts to free unused memory within the userspace AVC, but does not flush any cached access decisions. Under normal operation, calling this function should not be necessary. +- + .SH "OPTIONS" + The userspace AVC obeys callbacks set via + .BR selinux_set_callback (3), + in particular the logging and audit callbacks. 
+ + The options which may be passed to +-.B avc_open ++.BR avc_open () + include the following: +- + .TP + .B AVC_OPT_SETENFORCE + This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise. The system enforcing mode will be ignored. +- ++. + .SH "NETLINK NOTIFICATION" + Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of + .BR avc_has_perm (3) + to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed. +- ++. + .SH "RETURN VALUE" + Functions with a return value return zero on success. On error, \-1 is returned and + .I errno + is set appropriately. +- ++. + .SH "AUTHOR" + Eamon Walsh +- ++. + .SH "SEE ALSO" + .BR selinux (8), + .BR avc_has_perm (3), +@@ -67,4 +67,3 @@ Eamon Walsh + .BR avc_add_callback (3), + .BR selinux_set_callback (3), + .BR security_compute_av (3) +- +diff --git a/libselinux/man/man3/context_new.3 b/libselinux/man/man3/context_new.3 +index 820f927..3dabac3 100644 +--- a/libselinux/man/man3/context_new.3 ++++ b/libselinux/man/man3/context_new.3 +@@ -1,61 +1,83 @@ + .TH "context_new" "3" "20 December 2011" "dwalsh@redhat.com" "SELinux API documentation" + .SH "NAME" + context_new, context_str, context_free, context_type_get, context_type_set, context_range_get, context_range_set,context_role_get, context_role_set, context_user_get, context_user_set \- Routines to manipulate SELinux security contexts +- ++. 
+ .SH "SYNOPSIS" + .B #include +- ++.sp + .BI "context_t context_new(const char *" context_str ); +- ++.sp + .BI "const char * context_str(context_t " con ); +- ++.sp + .BI "void context_free(context_t " con ); +- ++.sp + .BI "const char * context_type_get(context_t " con ); +- ++.sp + .BI "const char * context_range_get(context_t " con ); +- ++.sp + .BI "const char * context_role_get(context_t " con ); +- ++.sp + .BI "const char * context_user_get(context_t " con ); +- ++.sp + .BI "int context_type_set(context_t " con ", const char *" type ); +- ++.sp + .BI "int context_range_set(context_t " con ", const char *" range ); +- ++.sp + .BI "int context_role_set(context_t " con ", const char *" role ); +- ++.sp + .BI "int context_user_set(context_t " con ", const char *" user ); +- ++. + .SH "DESCRIPTION" + These functions allow an application to manipulate the fields of a + security context string without requiring it to know the format of the + string. + +-context_new +- Return a new context initialized to a context string +- +-context_str +- Return a pointer to the string value of the context_t +-Valid until the next call to context_str or context_free +-for the same context_t* +- +-context_free +- Free the storage used by a context +- +-context_type_get, context_range_get, context_role_get, context_user_get +- Get a pointer to the string value of a context component +- +-.B NOTE: ++.BR context_new () ++returns a new context initialized to a context string. + -+.SH AUTHOR -+This manual page was written by Dan Walsh . ++.BR context_str () ++returns a pointer to the string value of the ++.BR context_t , ++valid until the next call to ++.BR context_str () ++or ++.BR context_free () ++for the same ++.BR context_t* . + ++.BR context_free () ++frees the storage used by a context. ++ ++.BR context_type_get (), ++.BR context_range_get (), ++.BR context_role_get (), ++.BR \%context_user_get () ++get a pointer to the string value of a context component. 
++ ++.B Note: + Values returned by the get functions are only valid until the next call +-to a set function or context_free() for the same context_t structure. +- +-context_type_set, context_range_set, context_role_set, context_user_set +- Set a context component +- ++to a set function or ++.BR context_free () ++for the same ++.B context_t ++structure. ++ ++.BR context_type_set (), ++.BR context_range_set (), ++.BR context_role_set (), ++.BR \%context_user_set () ++set a context component. ++. + .SH "RETURN VALUE" +-On success, zero is returned. On failure, -1 is returned and errno is +-set appropriately. ++On failure ++.BR context_*_set () ++functions return non-zero and 0 on success. ++ ++The other functions return NULL on failure and non-NULL on success. + ++On failure ++.I errno ++is set appropriately. ++. + .SH "SEE ALSO" + .BR selinux "(8)" +diff --git a/libselinux/man/man3/fgetfilecon_raw.3 b/libselinux/man/man3/fgetfilecon_raw.3 +new file mode 100644 +index 0000000..ae6dfcf +--- /dev/null ++++ b/libselinux/man/man3/fgetfilecon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getfilecon.3 +diff --git a/libselinux/man/man3/fsetfilecon_raw.3 b/libselinux/man/man3/fsetfilecon_raw.3 +new file mode 100644 +index 0000000..33c321a +--- /dev/null ++++ b/libselinux/man/man3/fsetfilecon_raw.3 +@@ -0,0 +1 @@ ++.so man3/setfilecon.3 +diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3 +index c3fa956..63cba81 100644 +--- a/libselinux/man/man3/get_ordered_context_list.3 ++++ b/libselinux/man/man3/get_ordered_context_list.3 +@@ -1,10 +1,10 @@ + .TH "get_ordered_context_list" "3" "1 January 2004" "russell@coker.com.au" "SELinux" + .SH "NAME" + get_ordered_context_list, get_ordered_context_list_with_level, get_default_context, get_default_context_with_level, get_default_context_with_role, get_default_context_with_rolelevel, query_user_context, manual_user_enter_context, get_default_role \- determine SELinux context(s) for user sessions 
+- ++. + .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp + .BI "int get_ordered_context_list(const char *" user ", security_context_t "fromcon ", security_context_t **" list ); +@@ -15,66 +15,94 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte + .sp + .BI "int get_default_context_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t *" newcon ); + .sp +-.BI "int get_default_context_with_role(const char* " user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon "); ++.BI "int get_default_context_with_role(const char *" user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon "); + .sp +-.BI "int get_default_context_with_rolelevel(const char* " user ", const char* " level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon "); ++.BI "int get_default_context_with_rolelevel(const char *" user ", const char *" level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon "); + .sp + .BI "int query_user_context(security_context_t *" list ", security_context_t *" newcon ); + .sp + .BI "int manual_user_enter_context(const char *" user ", security_context_t *" newcon ); + .sp + .BI "int get_default_type(const char *" role ", char **" type ); +- ++. + .SH "DESCRIPTION" +-.B get_ordered_context_list ++.BR get_ordered_context_list () + invokes the +-.B security_compute_user ++.BR security_compute_user (3) + function to obtain the list of contexts for the specified + .I user + that are reachable from the specified + .I fromcon + context. The function then orders the resulting list based on the global +-.B /etc/selinux//contexts/default_contexts ++.I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts + file and the per-user +-.B /etc/selinux//contexts/users/ ++.I \%/etc/selinux/{SELINUXTYPE}/contexts/users/ + file if it exists. 
The + .I fromcon + parameter may be NULL to indicate that the current context should + be used. The function returns the number of contexts in the +-list, or -1 upon errors. The list must be freed using the +-.B freeconary ++list, or \-1 upon errors. The list must be freed using the ++.BR freeconary (3) + function. + +-.B get_ordered_context_list_with_level +-invokes the get_ordered_context_list function and applies the specified level. ++.BR get_ordered_context_list_with_level () ++invokes the ++.BR \%get_ordered_context_list () ++function and applies the specified level. + +-.B get_default_context +-is the same as get_ordered_context_list but only returns a single context +-which has to be freed with freecon. ++.BR get_default_context () ++is the same as ++.BR get_ordered_context_list () ++but only returns a single context ++which has to be freed with ++.BR freecon (3). + +-.B get_default_context_with_level +-invokes the get_default_context function and applies the specified level. ++.BR get_default_context_with_level () ++invokes the ++.BR get_default_context () ++function and applies the specified level. + +-.B get_default_context_with_role +-is the same as get_default_context but only returns a context with the specified role, returning -1 if no such context is reachable for the user. ++.BR get_default_context_with_role () ++is the same as ++.BR get_default_context () ++but only returns a context with the specified role, returning \-1 if no ++such context is reachable for the user. + +-.B get_default_context_with_rolelevel +-invokes the get_default_context_with_role function and applies the specified level. ++.BR get_default_context_with_rolelevel () ++invokes the ++.BR \%get_default_context_with_role () ++function and applies the specified level. 
+ +-.B query_user_context ++.BR query_user_context () + takes a list of contexts, queries the user via stdin/stdout as to which context + they want, and returns a new context as selected by the user (which has to be +-freed with freecon). ++freed with ++.BR freecon (3)). + +-.B manual_user_enter_context +-allows the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon. +- +-.B get_default_type +-Get the default type (domain) for 'role' and set 'type' to refer to it, which has to be freed with free. ++.BR manual_user_enter_context () ++allows the user to manually enter a context as a fallback if a list of ++authorized contexts could not be obtained. Caller must free via ++.BR freecon (3). + ++.BR get_default_type () ++Get the default type (domain) for ++.I role ++and set ++.I type ++to refer to it, which has to be freed with free. ++. + .SH "RETURN VALUE" +-get_ordered_context_list and get_ordered_context_list_with_level return the number of contexts in the list upon success or -1 upon errors. +-The other functions return 0 for success or -1 for errors. +- ++.BR get_ordered_context_list () ++and ++.BR get_ordered_context_list_with_level () ++return the number of contexts in the list upon success or \-1 upon errors. ++The other functions return 0 for success or \-1 for errors. ++. 
+ .SH "SEE ALSO" +-.BR selinux "(8), " freeconary "(3), " freecon "(3), " security_compute_av "(3)", getseuserbyname"(3)" ++.ad l ++.nh ++.BR selinux (8), ++.BR freeconary (3), ++.BR freecon (3), ++.BR security_compute_av (3), ++.BR getseuserbyname (3) +diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3 +index c620c51..239bb7d 100644 +--- a/libselinux/man/man3/getcon.3 ++++ b/libselinux/man/man3/getcon.3 +@@ -1,78 +1,118 @@ + .TH "getcon" "3" "21 December 2011" "russell@coker.com.au" "SELinux API documentation" + .SH "NAME" +-getcon, getprevcon, getpidcon \- get SELinux security context of a process. ++getcon, getprevcon, getpidcon \- get SELinux security context of a process + +-freecon, freeconary \- free memory associated with SELinux security contexts. ++freecon, freeconary \- free memory associated with SELinux security contexts + +-getpeercon - get security context of a peer socket. ++getpeercon \- get security context of a peer socket + +-setcon - set current security context of a process. ++setcon \- set current security context of a process ++. 
+ .SH "SYNOPSIS" + .B #include + .sp + .BI "int getcon(security_context_t *" context ); +- ++.sp ++.BI "int getcon_raw(security_context_t *" context ); ++.sp + .BI "int getprevcon(security_context_t *" context ); +- ++.sp ++.BI "int getprevcon_raw(security_context_t *" context ); ++.sp + .BI "int getpidcon(pid_t " pid ", security_context_t *" context ); +- +-.BI "int getpeercon(int " fd ", security_context_t *" context); +- ++.sp ++.BI "int getpidcon_raw(pid_t " pid ", security_context_t *" context ); ++.sp ++.BI "int getpeercon(int " fd ", security_context_t *" context ); ++.sp ++.BI "int getpeercon_raw(int " fd ", security_context_t *" context ); ++.sp + .BI "void freecon(security_context_t "con ); +- ++.sp + .BI "void freeconary(security_context_t *" con ); +- +-.BI "int setcon(security_context_t " context); +- ++.sp ++.BI "int setcon(security_context_t " context ); ++.sp ++.BI "int setcon_raw(security_context_t " context ); ++. + .SH "DESCRIPTION" +-.B getcon ++.BR getcon () + retrieves the context of the current process, which must be free'd with + freecon. + +-.B getprevcon ++.BR getprevcon () + same as getcon but gets the context before the last exec. + +-.B getpidcon ++.BR getpidcon () + returns the process context for the specified PID. + +-.B getpeercon +-retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon. ++.BR getpeercon () ++retrieves context of peer socket, and set ++.BI * context ++to refer to it, which must be free'd with ++.BR freecon (). + +-.B freecon ++.BR freecon () + frees the memory allocated for a security context. + +-.B freeconary ++.BR freeconary () + frees the memory allocated for a context array. + + If + .I con + is NULL, no operation is performed. + +-.B setcon ++.BR setcon () + sets the current security context of the process to a new value. 
Note + that use of this function requires that the entire application be + trusted to maintain any desired separation between the old and new + security contexts, unlike exec-based transitions performed via +-setexeccon(3). When possible, decompose your application and use +-setexeccon() and execve() instead. ++.BR setexeccon (3). ++When possible, decompose your application and use ++.BR setexeccon (3) ++and ++.BR execve (3) ++instead. + + Since access to file descriptors is revalidated upon use by SELinux, + the new context must be explicitly authorized in the policy to use the + descriptors opened by the old context if that is desired. Otherwise, + attempts by the process to use any existing descriptors (including +-stdin, stdout, and stderr) after performing the setcon() will fail. +- +-A multi-threaded application can perform a setcon() prior to creating ++.IR stdin , ++.IR stdout , ++and ++.IR stderr ) ++after performing the ++.BR setcon () ++will fail. ++ ++A multi-threaded application can perform a ++.BR setcon () ++prior to creating + any child threads, in which case all of the child threads will inherit +-the new context. However, setcon() will fail if there are any other ++the new context. However, ++.BR setcon () ++will fail if there are any other + threads running in the same process. + +-If the process was being ptraced at the time of the setcon() ++If the process was being ptraced at the time of the ++.BR setcon () + operation, ptrace permission will be revalidated against the new +-context and the setcon() will fail if it is not allowed by policy. +- ++context and the ++.BR setcon () ++will fail if it is not allowed by policy. ++ ++.BR getcon_raw (), ++.BR getprevcon_raw (), ++.BR getpidcon_raw (), ++.BR getpeercon_raw () ++and ++.BR setcon_raw () ++behave identically to their non-raw counterparts but do not perform context ++translation. ++. + .SH "RETURN VALUE" +-On error -1 is returned. On success 0 is returned. +- ++On error \-1 is returned. 
On success 0 is returned. ++. + .SH "SEE ALSO" + .BR selinux "(8), " setexeccon "(3)" +diff --git a/libselinux/man/man3/getcon_raw.3 b/libselinux/man/man3/getcon_raw.3 +new file mode 100644 +index 0000000..1210b5a +--- /dev/null ++++ b/libselinux/man/man3/getcon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getcon.3 +diff --git a/libselinux/man/man3/getexeccon.3 b/libselinux/man/man3/getexeccon.3 +index 4b832a2..c188a3a 100644 +--- a/libselinux/man/man3/getexeccon.3 ++++ b/libselinux/man/man3/getexeccon.3 +@@ -1,43 +1,68 @@ + .TH "getexeccon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" + .SH "NAME" +-getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process. ++getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process + + rpm_execcon \- run a helper for rpm in an appropriate security context +- ++. + .SH "SYNOPSIS" + .B #include + .sp + .BI "int getexeccon(security_context_t *" context ); +- ++.sp ++.BI "int getexeccon_raw(security_context_t *" context ); ++.sp + .BI "int setexeccon(security_context_t "context ); +- ++.sp ++.BI "int setexeccon_raw(security_context_t "context ); ++.sp + .BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]); +- ++. + .SH "DESCRIPTION" +-.B getexeccon ++.BR getexeccon () + retrieves the context used for executing a new process. +-This returned context should be freed with freecon if non-NULL. +-getexeccon sets *con to NULL if no exec context has been explicitly ++This returned context should be freed with ++.BR freecon (3) ++if non-NULL. ++.BR getexeccon () ++sets ++.BI * context ++to NULL if no exec context has been explicitly + set by the program (i.e. using the default policy behavior). + +-.B setexeccon +-sets the context used for the next execve call. ++.BR setexeccon () ++sets the context used for the next ++.BR execve (2) ++call. 
+ NULL can be passed to +-setexeccon to reset to the default policy behavior. +-The exec context is automatically reset after the next execve, so a +-program doesn't need to explicitly sanitize it upon startup. +- +- +-setexeccon can be applied prior to library +-functions that internally perform an execve, e.g. execl*, execv*, popen, ++.BR setexeccon () ++to reset to the default policy behavior. ++The exec context is automatically reset after the next ++.BR execve (2), ++so a program doesn't need to explicitly sanitize it upon startup. ++ ++.BR setexeccon () ++can be applied prior to library ++functions that internally perform an ++.BR execve (2), ++e.g. ++.BR execl *(3), ++.BR execv *(3), ++.BR popen (3), + in order to set an exec context for that operation. + ++.BR getexeccon_raw () ++and ++.BR setexeccon_raw () ++behave identically to their non-raw counterparts but do not perform context ++translation. + +-Note: Signal handlers that perform an execve must take care to ++.B Note: ++Signal handlers that perform an ++.BR execve (2) ++must take care to + save, reset, and restore the exec context to avoid unexpected behavior. + +- +-.B rpm_execcon ++.BR rpm_execcon () + runs a helper for rpm in an appropriate security context. The + verified parameter should contain the return code from the signature + verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 == +@@ -46,15 +71,18 @@ the function. The function determines the proper security context for + the helper based on policy, sets the exec context accordingly, and + then executes the specified filename with the provided argument and + environment arrays. +- +- ++. + .SH "RETURN VALUE" +-On error -1 is returned. +- +-On success getexeccon and setexeccon returns 0. +-rpm_execcon only returns upon errors, as it calls execve(2). +- ++On error \-1 is returned. ++ ++On success ++.BR getexeccon () ++and ++.BR setexeccon () ++returns 0. ++.BR rpm_execcon () ++only returns upon errors, as it calls ++.BR execve (2). ++. 
+ .SH "SEE ALSO" + .BR selinux "(8), " freecon "(3), " getcon "(3)" +- +- +diff --git a/libselinux/man/man3/getexeccon_raw.3 b/libselinux/man/man3/getexeccon_raw.3 +new file mode 100644 +index 0000000..b2e6ab8 +--- /dev/null ++++ b/libselinux/man/man3/getexeccon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getexeccon.3 +diff --git a/libselinux/man/man3/getfilecon.3 b/libselinux/man/man3/getfilecon.3 +index 61b216f..ea79b31 100644 +--- a/libselinux/man/man3/getfilecon.3 ++++ b/libselinux/man/man3/getfilecon.3 +@@ -1,42 +1,72 @@ + .TH "getfilecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" + .SH "NAME" + getfilecon, fgetfilecon, lgetfilecon \- get SELinux security context of a file ++. + .SH "SYNOPSIS" + .B #include + .sp + .BI "int getfilecon(const char *" path ", security_context_t *" con ); +- ++.sp ++.BI "int getfilecon_raw(const char *" path ", security_context_t *" con ); ++.sp + .BI "int lgetfilecon(const char *" path ", security_context_t *" con ); +- ++.sp ++.BI "int lgetfilecon_raw(const char *" path ", security_context_t *" con ); ++.sp + .BI "int fgetfilecon(int "fd ", security_context_t *" con ); ++.sp ++.BI "int fgetfilecon_raw(int "fd ", security_context_t *" con ); ++. + .SH "DESCRIPTION" +-.B getfilecon ++.BR getfilecon () + retrieves the context associated with the given path in the file system, the + length of the context is returned. + +-.B lgetfilecon +-is identical to getfilecon, except in the case of a symbolic link, where the ++.BR lgetfilecon () ++is identical to ++.BR getfilecon (), ++except in the case of a symbolic link, where the + link itself is interrogated, not the file that it refers to. + +-.B fgetfilecon +-is identical to getfilecon, only the open file pointed to by filedes (as +-returned by open(2)) is interrogated in place of path. ++.BR fgetfilecon () ++is identical to ++.BR getfilecon (), ++only the open file pointed to by filedes (as returned by ++.BR open (2)) ++is interrogated in place of path. 
+ ++.BR getfilecon_raw (), ++.BR lgetfilecon_raw () ++and ++.BR fgetfilecon_raw () ++behave identically to their non-raw counterparts but do not perform context ++translation. + +-The returned context should be freed with freecon if non-NULL. ++The returned context should be freed with ++.BR freecon (3) ++if non-NULL. ++. + .SH "RETURN VALUE" + On success, a positive number is returned indicating the size of the +-extended attribute value. On failure, \-1 is returned and errno is set +-appropriately. ++extended attribute value. On failure, \-1 is returned and ++.I errno ++is set appropriately. + + If the context does not exist, or the process has no access to +-this attribute, errno is set to ENODATA. +- +-If extended attributes are not supported by the filesystem, or are dis\- +-abled, errno is set to ENOTSUP. ++this attribute, ++.I errno ++is set to ++.BR ENODATA . + +-The errors documented for the stat(2) system call are also applicable +-here. ++If extended attributes are not supported by the filesystem, or are ++disabled, ++.I errno ++is set to ++.BR ENOTSUP . + ++The errors documented for the ++.BR stat (2) ++system call are also applicable here. ++. + .SH "SEE ALSO" + .BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" +diff --git a/libselinux/man/man3/getfilecon_raw.3 b/libselinux/man/man3/getfilecon_raw.3 +new file mode 100644 +index 0000000..ae6dfcf +--- /dev/null ++++ b/libselinux/man/man3/getfilecon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getfilecon.3 +diff --git a/libselinux/man/man3/getfscreatecon.3 b/libselinux/man/man3/getfscreatecon.3 +index 474aa28..c7675be 100644 +--- a/libselinux/man/man3/getfscreatecon.3 ++++ b/libselinux/man/man3/getfscreatecon.3 +@@ -1,38 +1,57 @@ + .TH "getfscreatecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" + .SH "NAME" +-getfscreatecon, setfscreatecon \- get or set the SELinux security context used for creating a new file system object. 
+- ++getfscreatecon, setfscreatecon \- get or set the SELinux security context used for creating a new file system object ++. + .SH "SYNOPSIS" + .B #include + .sp + .BI "int getfscreatecon(security_context_t *" con ); +- ++.sp ++.BI "int getfscreatecon_raw(security_context_t *" con ); ++.sp + .BI "int setfscreatecon(security_context_t "context ); +- ++.sp ++.BI "int setfscreatecon_raw(security_context_t "context ); ++. + .SH "DESCRIPTION" +-.B getfscreatecon ++.BR getfscreatecon () + retrieves the context used for creating a new file system object. +-This returned context should be freed with freecon if non-NULL. +-getfscreatecon sets *con to NULL if no fscreate context has been explicitly ++This returned context should be freed with ++.BR freecon (3) ++if non-NULL. ++.BR getfscreatecon () ++sets *con to NULL if no fscreate context has been explicitly + set by the program (i.e. using the default policy behavior). + +-.B setfscreatecon ++.BR setfscreatecon () + sets the context used for creating a new file system object. + NULL can be passed to +-setfscreatecon to reset to the default policy behavior. +-The fscreate context is automatically reset after the next execve, so a +-program doesn't need to explicitly sanitize it upon startup. +- +-setfscreatecon can be applied prior to library ++.BR setfscreatecon () ++to reset to the default policy behavior. ++The fscreate context is automatically reset after the next ++.BR execve (2), ++so a program doesn't need to explicitly sanitize it upon startup. ++ ++.BR setfscreatecon () ++can be applied prior to library + functions that internally perform an file creation, + in order to set an file context on the objects. + ++.BR getfscreatecon_raw () ++and ++.BR setfscreatecon_raw () ++behave identically to their non-raw counterparts but do not perform context ++translation. 
+ +-Note: Signal handlers that perform an setfscreate must take care to ++.B Note: ++Signal handlers that perform a ++.BR setfscreatecon () ++must take care to + save, reset, and restore the fscreate context to avoid unexpected behavior. ++. + .SH "RETURN VALUE" +-On error -1 is returned. ++On error \-1 is returned. + On success 0 is returned. +- ++. + .SH "SEE ALSO" + .BR selinux "(8), " freecon "(3), " getcon "(3), " getexeccon "(3)" +diff --git a/libselinux/man/man3/getfscreatecon_raw.3 b/libselinux/man/man3/getfscreatecon_raw.3 +new file mode 100644 +index 0000000..21aeebd +--- /dev/null ++++ b/libselinux/man/man3/getfscreatecon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getfscreatecon.3 +diff --git a/libselinux/man/man3/getkeycreatecon.3 b/libselinux/man/man3/getkeycreatecon.3 +index 3b594a0..d6a118c 100644 +--- a/libselinux/man/man3/getkeycreatecon.3 ++++ b/libselinux/man/man3/getkeycreatecon.3 +@@ -1,38 +1,57 @@ +-.TH "getkeycreatecon" "3" "9 September 2008" "dwalsh@redhat.com from russell@coker.com.au" "SELinux API documentation" ++.TH "getkeycreatecon" "3" "9 September 2008" "dwalsh@redhat.com" "SELinux API documentation" + .SH "NAME" +-getkeycreatecon, setkeycreatecon \- get or set the SELinux security context used for creating a new kernel keyrings. +- ++getkeycreatecon, setkeycreatecon \- get or set the SELinux security context used for creating a new kernel keyrings ++. + .SH "SYNOPSIS" + .B #include + .sp + .BI "int getkeycreatecon(security_context_t *" con ); +- ++.sp ++.BI "int getkeycreatecon_raw(security_context_t *" con ); ++.sp + .BI "int setkeycreatecon(security_context_t "context ); +- ++.sp ++.BI "int setkeycreatecon_raw(security_context_t "context ); ++. + .SH "DESCRIPTION" +-.B getkeycreatecon ++.BR getkeycreatecon () + retrieves the context used for creating a new kernel keyring. +-This returned context should be freed with freecon if non-NULL. 
+-getkeycreatecon sets *con to NULL if no keycreate context has been explicitly ++This returned context should be freed with ++.BR freecon (3) ++if non-NULL. ++.BR getkeycreatecon () ++sets *con to NULL if no keycreate context has been explicitly + set by the program (i.e. using the default policy behavior). + +-.B setkeycreatecon ++.BR setkeycreatecon () + sets the context used for creating a new kernel keyring. + NULL can be passed to +-setkeycreatecon to reset to the default policy behavior. +-The keycreate context is automatically reset after the next execve, so a +-program doesn't need to explicitly sanitize it upon startup. +- +-setkeycreatecon can be applied prior to library ++.BR setkeycreatecon () ++to reset to the default policy behavior. ++The keycreate context is automatically reset after the next ++.BR execve (2), ++so a program doesn't need to explicitly sanitize it upon startup. ++ ++.BR setkeycreatecon () ++can be applied prior to library + functions that internally perform an file creation, + in order to set an file context on the objects. + ++.BR getkeycreatecon_raw () ++and ++.BR setkeycreatecon_raw () ++behave identically to their non-raw counterparts but do not perform context ++translation. + +-Note: Signal handlers that perform an setkeycreate must take care to ++.B Note: ++Signal handlers that perform a ++.BR setkeycreatecon () ++must take care to + save, reset, and restore the keycreate context to avoid unexpected behavior. ++. + .SH "RETURN VALUE" +-On error -1 is returned. ++On error \-1 is returned. + On success 0 is returned. +- ++. 
+ .SH "SEE ALSO" + .BR selinux "(8), " freecon "(3), " getcon "(3), " getexeccon "(3)" +diff --git a/libselinux/man/man3/getkeycreatecon_raw.3 b/libselinux/man/man3/getkeycreatecon_raw.3 +new file mode 100644 +index 0000000..1e0ec5f +--- /dev/null ++++ b/libselinux/man/man3/getkeycreatecon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getkeycreatecon.3 +diff --git a/libselinux/man/man3/getpeercon_raw.3 b/libselinux/man/man3/getpeercon_raw.3 +new file mode 100644 +index 0000000..1210b5a +--- /dev/null ++++ b/libselinux/man/man3/getpeercon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getcon.3 +diff --git a/libselinux/man/man3/getpidcon_raw.3 b/libselinux/man/man3/getpidcon_raw.3 +new file mode 100644 +index 0000000..1210b5a +--- /dev/null ++++ b/libselinux/man/man3/getpidcon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getcon.3 +diff --git a/libselinux/man/man3/getprevcon_raw.3 b/libselinux/man/man3/getprevcon_raw.3 +new file mode 100644 +index 0000000..1210b5a +--- /dev/null ++++ b/libselinux/man/man3/getprevcon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getcon.3 +diff --git a/libselinux/man/man3/getseuserbyname.3 b/libselinux/man/man3/getseuserbyname.3 +index 1630356..c231e65 100644 +--- a/libselinux/man/man3/getseuserbyname.3 ++++ b/libselinux/man/man3/getseuserbyname.3 +@@ -1,28 +1,33 @@ + .TH "getseuserbyname" "3" "29 September 2005" "dwalsh@redhat.com" "SELinux API documentation" + .SH "NAME" + getseuserbyname \- get SELinux username and level for a given Linux username ++. + .SH "SYNOPSIS" + .B #include + .sp + .BI "int getseuserbyname(const char *" linuxuser ", char **" selinuxuser ", char **" level "); ++. + .SH "DESCRIPTION" +-.B getseuserbyname ++.BR getseuserbyname () + retrieves the SELinux username and security level associated with + a given Linux username. The SELinux username and security level can + then be passed to other libselinux functions such as +-get_ordered_context_list_with_level and get_default_context_with_level. 
+- +- ++.BR \%get_ordered_context_list_with_level (3) ++and ++.BR \%get_default_context_with_level (3). + + The returned SELinux username and level should be freed by the caller + using free. ++. + .SH "RETURN VALUE" + On success, 0 is returned. +-On failure, \-1 is returned and errno is set appropriately. +- +-The errors documented for the stat(2) system call are also applicable +-here. ++On failure, \-1 is returned and ++.I errno ++is set appropriately. + ++The errors documented for the ++.BR stat (2) ++system call are also applicable here. ++. + .SH "SEE ALSO" + .BR selinux "(8)" +- +diff --git a/libselinux/man/man3/getsockcreatecon.3 b/libselinux/man/man3/getsockcreatecon.3 +index 24f2cc0..99e9436 100644 +--- a/libselinux/man/man3/getsockcreatecon.3 ++++ b/libselinux/man/man3/getsockcreatecon.3 +@@ -1,38 +1,57 @@ +-.TH "getsockcreatecon" "3" "24 September 2008" "dwalsh@redhat.com from russell@coker.com.au" "SELinux API documentation" ++.TH "getsockcreatecon" "3" "24 September 2008" "dwalsh@redhat.com" "SELinux API documentation" + .SH "NAME" +-getsockcreatecon, setsockcreatecon \- get or set the SELinux security context used for creating a new labeled sockets. +- ++getsockcreatecon, setsockcreatecon \- get or set the SELinux security context used for creating a new labeled sockets ++. + .SH "SYNOPSIS" + .B #include + .sp + .BI "int getsockcreatecon(security_context_t *" con ); +- ++.sp ++.BI "int getsockcreatecon_raw(security_context_t *" con ); ++.sp + .BI "int setsockcreatecon(security_context_t "context ); +- ++.sp ++.BI "int setsockcreatecon_raw(security_context_t "context ); ++. + .SH "DESCRIPTION" +-.B getsockcreatecon ++.BR getsockcreatecon () + retrieves the context used for creating a new labeled network socket. +-This returned context should be freed with freecon if non-NULL. +-getsockcreatecon sets *con to NULL if no sockcreate context has been explicitly ++This returned context should be freed with ++.BR freecon (3) ++if non-NULL. 
++.BR getsockcreatecon () ++sets *con to NULL if no sockcreate context has been explicitly + set by the program (i.e. using the default policy behavior). + +-.B setsockcreatecon ++.BR setsockcreatecon () + sets the context used for creating a new labeled network sockets + NULL can be passed to +-setsockcreatecon to reset to the default policy behavior. +-The sockcreate context is automatically reset after the next execve, so a +-program doesn't need to explicitly sanitize it upon startup. +- +-setsockcreatecon can be applied prior to library ++.BR setsockcreatecon () ++to reset to the default policy behavior. ++The sockcreate context is automatically reset after the next ++.BR execve (2), ++so a program doesn't need to explicitly sanitize it upon startup. ++ ++.BR setsockcreatecon () ++can be applied prior to library + functions that internally perform an file creation, + in order to set an file context on the objects. + ++.BR getsockcreatecon_raw () ++and ++.BR setsockcreatecon_raw () ++behave identically to their non-raw counterparts but do not perform context ++translation. + +-Note: Signal handlers that perform an setsockcreate must take care to ++.B Note: ++Signal handlers that perform a ++.BR setsockcreatecon () ++must take care to + save, reset, and restore the sockcreate context to avoid unexpected behavior. ++. + .SH "RETURN VALUE" +-On error -1 is returned. ++On error \-1 is returned. + On success 0 is returned. +- ++. 
+ .SH "SEE ALSO" + .BR selinux "(8), " freecon "(3), " getcon "(3) +diff --git a/libselinux/man/man3/getsockcreatecon_raw.3 b/libselinux/man/man3/getsockcreatecon_raw.3 +new file mode 100644 +index 0000000..ed1a371 +--- /dev/null ++++ b/libselinux/man/man3/getsockcreatecon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getsockcreatecon.3 +diff --git a/libselinux/man/man3/init_selinuxmnt.3 b/libselinux/man/man3/init_selinuxmnt.3 +index e70098b..8466f9f 100644 +--- a/libselinux/man/man3/init_selinuxmnt.3 ++++ b/libselinux/man/man3/init_selinuxmnt.3 +@@ -1,28 +1,31 @@ + .TH "init_selinuxmnt" "3" "21 Nov 2009" "" "SELinux API documentation" + .SH "NAME" +-init_selinuxmnt \- initialize the global variable selinux_mnt. +- ++init_selinuxmnt \- initialize the global variable selinux_mnt ++. + .SH "SYNOPSIS" + .BI "static void init_selinuxmnt(void);" + .sp + .BI "static void fini_selinuxmnt(void);" + .sp + .BI "void set_selinuxmnt(char *" mnt ");" +- ++. + .SH "DESCRIPTION" +-.B init_selinuxmnt +-initializes the global variable selinux_mnt to the selinuxfs mountpoint. ++.BR init_selinuxmnt () ++initializes the global variable ++.I selinux_mnt ++to the selinuxfs mountpoint. + +-.B fini_selinuxmnt +-deinitializes the global variable selinux_mnt that stores the selinuxfs +-mountpoint. ++.BR fini_selinuxmnt () ++deinitializes the global variable ++.I selinux_mnt ++that stores the selinuxfs mountpoint. + +-.B set_selinuxmnt ++.BR set_selinuxmnt () + changes the selinuxfs mountpoint to +-.I mnt. +- ++.IR mnt . ++. + .SH "AUTHOR" + This manual page has been written by Guido Trentalancia +- ++. 
+ .SH "SEE ALSO" + .BR selinux (8), +diff --git a/libselinux/man/man3/is_context_customizable.3 b/libselinux/man/man3/is_context_customizable.3 +index d230ace..0f748b6 100644 +--- a/libselinux/man/man3/is_context_customizable.3 ++++ b/libselinux/man/man3/is_context_customizable.3 +@@ -1,25 +1,24 @@ + .TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation" + .SH "NAME" +-is_context_customizable \- check whether SELinux context type is customizable by the administrator. ++is_context_customizable \- check whether SELinux context type is customizable by the administrator ++. + .SH "SYNOPSIS" + .B #include + .sp +-.B int is_context_customizable(security_context_t scon); +- ++.BI "int is_context_customizable(security_context_t " scon ); ++. + .SH "DESCRIPTION" +-.B is_context_customizable +- +-This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file. A customizable type is a file context type that ++This function checks whether the type of scon is in the ++.I /etc/selinux/{SELINUXTYPE}/context/customizable_types ++file. A customizable type is a file context type that + administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place. +- +- ++. + .SH "RETURN VALUE" +-returns 1 if security context is customizable or 0 if it is not. +-returns -1 on error +- ++Returns 1 if security context is customizable or 0 if it is not. ++Returns \-1 on error. ++. + .SH "FILE" +-/etc/selinux/SELINUXTYPE/context/customizable_types +- ++.I /etc/selinux/{SELINUXTYPE}/context/customizable_types ++. 
+ .SH "SEE ALSO" + .BR selinux "(8)" +- +diff --git a/libselinux/man/man3/is_selinux_enabled.3 b/libselinux/man/man3/is_selinux_enabled.3 +index d744c0b..f02052c 100644 +--- a/libselinux/man/man3/is_selinux_enabled.3 ++++ b/libselinux/man/man3/is_selinux_enabled.3 +@@ -1,24 +1,24 @@ + .TH "is_selinux_enabled" "3" "7 Mar 2010" "russell@coker.com.au" "SELinux API documentation" + .SH "NAME" + is_selinux_enabled \- check whether SELinux is enabled +- ++. + .SH "NAME" + is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Securty) MLS ++. + .SH "SYNOPSIS" + .B #include + .sp + .B int is_selinux_enabled(); +- ++.sp + .B int is_selinux_mls_enabled(); +- ++. + .SH "DESCRIPTION" +-.B is_selinux_enabled ++.BR is_selinux_enabled () + returns 1 if SELinux is running or 0 if it is not. + On error, \-1 is returned. + +-.B is_selinux_mls_enabled ++.BR is_selinux_mls_enabled () + returns 1 if SELinux is running in MLS mode or 0 if it is not. +- ++. + .SH "SEE ALSO" + .BR selinux "(8)" +- +diff --git a/libselinux/man/man3/lgetfilecon_raw.3 b/libselinux/man/man3/lgetfilecon_raw.3 +new file mode 100644 +index 0000000..ae6dfcf +--- /dev/null ++++ b/libselinux/man/man3/lgetfilecon_raw.3 +@@ -0,0 +1 @@ ++.so man3/getfilecon.3 +diff --git a/libselinux/man/man3/lsetfilecon_raw.3 b/libselinux/man/man3/lsetfilecon_raw.3 +new file mode 100644 +index 0000000..33c321a +--- /dev/null ++++ b/libselinux/man/man3/lsetfilecon_raw.3 +@@ -0,0 +1 @@ ++.so man3/setfilecon.3 +diff --git a/libselinux/man/man3/matchmediacon.3 b/libselinux/man/man3/matchmediacon.3 +index 1a3a561..f77ab5e 100644 +--- a/libselinux/man/man3/matchmediacon.3 ++++ b/libselinux/man/man3/matchmediacon.3 +@@ -1,26 +1,30 @@ + .TH "matchmediacon" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation" + .SH "NAME" +-matchmediacon \- get the default SELinux security context for the specified mediatype from the policy. 
+- ++matchmediacon \- get the default SELinux security context for the specified mediatype from the policy ++. + .SH "SYNOPSIS" + .B #include + .sp +-.BI "int matchmediacon(const char *" media ", security_context_t *" con);" +- +- ++.BI "int matchmediacon(const char *" media ", security_context_t *" con ); ++. + .SH "DESCRIPTION" +- +-.B matchmediacon +-matches the specified media type with the media contexts configuration and sets the security context "con" to refer to the resulting context. ++.BR matchmediacon () ++matches the specified media type with the media contexts configuration and ++sets the security context ++.I con ++to refer to the resulting context. + .sp +- +-.B Note: +- Caller must free returned security context "con" using freecon. ++.B Note: ++Caller must free returned security context ++.I con ++using ++.BR freecon (3). ++. + .SH "RETURN VALUE" +-Returns 0 on success or -1 otherwise. +- ++Returns 0 on success or \-1 otherwise. ++. + .SH Files +-/etc/selinux/POLICYTYPE/contexts/files/media +- ++.I /etc/selinux/{POLICYTYPE}/contexts/files/media ++. + .SH "SEE ALSO" + .BR selinux "(8), " freecon "(3) +diff --git a/libselinux/man/man3/matchpathcon.3 b/libselinux/man/man3/matchpathcon.3 +index cdbb252..4c320ab 100644 +--- a/libselinux/man/man3/matchpathcon.3 ++++ b/libselinux/man/man3/matchpathcon.3 +@@ -1,65 +1,59 @@ + .TH "matchpathcon" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation" + .SH "NAME" +-matchpathcon, matchpathcon_index \- get the default SELinux security context for the specified path from the file contexts configuration. +- ++matchpathcon, matchpathcon_index \- get the default SELinux security context for the specified path from the file contexts configuration ++. 
+ .SH "SYNOPSIS" + .B #include + .sp +- + .BI "int matchpathcon_init(const char *" path ");" +- ++.sp + .BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");" +- ++.sp + .BI "int matchpathcon_fini(void);" + .sp +- + .BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con "); + .sp +- +-.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", security_context_t * " con ");" +- ++.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", security_context_t *" con ");" ++. + .SH "DESCRIPTION" +-.B matchpathcon_init ++.BR matchpathcon_init () + loads the file contexts configuration specified by + .I path + into memory for use by subsequent +-.B matchpathcon ++.BR matchpathcon () + calls. If + .I path + is NULL, then the active file contexts configuration is loaded by default, + i.e. the path returned by +-.B selinux_file_context_path(3). ++.BR selinux_file_context_path (3). + Unless the + .B MATCHPATHCON_BASEONLY + flag has been set via +-.B set_matchpathcon_flags(3), ++.BR \%set_matchpathcon_flags (3), + files with the same path prefix but a +-.B .homedirs ++.B \%.homedirs + and + .B .local + suffix are also looked up and loaded if present. These files provide + dynamically generated entries for user home directories and for local + customizations. + +-.sp +-.B matchpathcon_init_prefix ++.BR matchpathcon_init_prefix () + is the same as +-.B matchpathcon_init ++.BR matchpathcon_init () + but only loads entries with regular expressions that have stems prefixed + by +-.I prefix. ++.I \%prefix. + +-.sp +-.B matchpathcon_fini ++.BR matchpathcon_fini () + frees the memory allocated by a prior call to +-.B matchpathcon_init. ++.BR matchpathcon_init. () + This function can be used to free and reset the internal state between multiple +-.B matchpathcon_init ++.BR matchpathcon_init () + calls, or to free memory when finished using +-.B matchpathcon. ++.BR matchpathcon (). 
+ +-.sp +-.B matchpathcon ++.BR matchpathcon () + matches the specified pathname and mode against the file contexts + configuration and sets the security context + .I con +@@ -67,7 +61,7 @@ to refer to the + resulting context. The caller must free the returned security context + .I con + using +-.B freecon(3) ++.BR freecon (3) + when finished using it. + .I mode + can be 0 to disable mode matching, but +@@ -76,23 +70,23 @@ Only the file format bits (i.e. the file type) of the + .I mode + are used. + If +-.B matchpathcon_init ++.BR matchpathcon_init () + has not already been called, then this function will call it upon + its first invocation with a NULL + .I path, + defaulting to the active file contexts configuration. +-.sp + +-.B matchpathcon_index ++.BR matchpathcon_index () + is the same as +-.B matchpathcon ++.BR matchpathcon () + but returns a specification index that can later be used in a +-.B matchpathcon_filespec_add(3) ++.BR matchpathcon_filespec_add (3) + call. +-.sp +- ++. + .SH "RETURN VALUE" + Returns zero on success or \-1 otherwise. +- ++. + .SH "SEE ALSO" ++.ad l ++.nh + .BR selinux "(8), " set_matchpathcon_flags "(3), " set_matchpathcon_invalidcon "(3), " set_matchpathcon_printf "(3), " matchpathcon_filespec_add "(3), " matchpathcon_checkmatches "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" +diff --git a/libselinux/man/man3/matchpathcon_checkmatches.3 b/libselinux/man/man3/matchpathcon_checkmatches.3 +index 47ee94c..6bbee44 100644 +--- a/libselinux/man/man3/matchpathcon_checkmatches.3 ++++ b/libselinux/man/man3/matchpathcon_checkmatches.3 +@@ -1,33 +1,30 @@ + .TH "matchpathcon_checkmatches" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation" + .SH "NAME" +-matchpathcon_checkmatches, matchpathcon_filespec_add, matchpathcon_filespec_destroy, matchpathcon_filespec_eval \- check and report whether any specification index has no matches with any inode. Maintenance and statistics on inode associations. 
+- ++matchpathcon_checkmatches, matchpathcon_filespec_add, matchpathcon_filespec_destroy, matchpathcon_filespec_eval \- check and report whether any specification index has no matches with any inode. Maintenance and statistics on inode associations ++. + .SH "SYNOPSIS" + .B #include + .sp +- + .BI "void matchpathcon_checkmatches(char *" str ");" + .sp +- + .BI "int matchpathcon_filespec_add(ino_t " ino ", int " specind ", const char *" file ");" +- ++.sp + .BI "void matchpathcon_filespec_destroy(void);" +- ++.sp + .BI "void matchpathcon_filespec_eval(void);" +- ++. + .SH "DESCRIPTION" +-.B matchpathcon_checkmatches ++.BR matchpathcon_checkmatches () + checks whether any specification has no matches and reports them. + The + .I str + argument is used as a prefix for any warning messages. + .sp +- +-.B matchpathcon_filespec_add ++.BR matchpathcon_filespec_add () + maintains an association between an inode + .I ino + and a specification index +-.I specind, ++.IR specind , + and checks whether a conflicting specification is already associated + with the same inode (e.g. due to multiple hard links). If so, then + it uses the latter of the two specifications based on their order in the +@@ -35,18 +32,17 @@ it uses the latter of the two specifications based on their order in the + context configuration. Returns the specification index used or \-1 on + error. + .sp +- +-.B matchpathcon_filespec_destroy ++.BR matchpathcon_filespec_destroy () + destroys any inode associations that have been added, e.g. to restart + for a new filesystem. + .sp +- +-.B matchpathcon_filespec_eval ++.BR matchpathcon_filespec_eval () + displays statistics on the hash table usage for the inode associations. +- +-.sp ++. + .SH "RETURN VALUE" + Returns zero on success or \-1 otherwise. +- ++. 
+ .SH "SEE ALSO" ++.ad l ++.nh + .BR selinux "(8), " matchpathcon "(3), " matchpathcon_index "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" +diff --git a/libselinux/man/man3/mode_to_security_class.3 b/libselinux/man/man3/mode_to_security_class.3 +new file mode 100644 +index 0000000..bda9daf +--- /dev/null ++++ b/libselinux/man/man3/mode_to_security_class.3 +@@ -0,0 +1 @@ ++.so man3/security_class_to_string.3 +diff --git a/libselinux/man/man3/security_check_context.3 b/libselinux/man/man3/security_check_context.3 +index af55f06..7ba4ead 100644 +--- a/libselinux/man/man3/security_check_context.3 ++++ b/libselinux/man/man3/security_check_context.3 +@@ -1,16 +1,23 @@ + .TH "security_check_context" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" + .SH "NAME" + security_check_context \- check the validity of a SELinux context ++. + .SH "SYNOPSIS" + .B #include + .sp + .BI "int security_check_context(security_context_t "con ); +- ++.sp ++.BI "int security_check_context_raw(security_context_t "con ); ++. + .SH "DESCRIPTION" +-.B security_check_context ++.BR security_check_context () + returns 0 if SELinux is running and the context is valid, otherwise it +-returns -1. ++returns \-1. + ++.BR security_check_context_raw () ++behaves identically to ++.BR \%security_check_context () ++but does not perform context translation. ++. 
+ .SH "SEE ALSO" + .BR selinux "(8)" +- +diff --git a/libselinux/man/man3/security_check_context_raw.3 b/libselinux/man/man3/security_check_context_raw.3 +new file mode 100644 +index 0000000..ee93986 +--- /dev/null ++++ b/libselinux/man/man3/security_check_context_raw.3 +@@ -0,0 +1 @@ ++.so man3/security_check_context.3 +diff --git a/libselinux/man/man3/security_class_to_string.3 b/libselinux/man/man3/security_class_to_string.3 +index 140737e..0e9f01d 100644 +--- a/libselinux/man/man3/security_class_to_string.3 ++++ b/libselinux/man/man3/security_class_to_string.3 +@@ -3,42 +3,44 @@ + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007 + .TH "security_class_to_string" "3" "30 Mar 2007" "" "SELinux API documentation" + .SH "NAME" +-security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string \- convert ++security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string, mode_to_security_class \- convert + between SELinux class and permission values and string names. +- ++. + print_access_vector \- display an access vector in human-readable form. +- ++. 
+ .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp +-.BI "const char * security_class_to_string(security_class_t " tclass ");" ++.BI "const char *security_class_to_string(security_class_t " tclass ");" + .sp +-.BI "const char * security_av_perm_to_string(security_class_t " tclass ", access_vector_t " av ");" ++.BI "const char *security_av_perm_to_string(security_class_t " tclass ", access_vector_t " av ");" + .sp + .BI "int security_av_string(security_class_t " tclass ", access_vector_t " av ", char **" result ");" + .sp + .BI "security_class_t string_to_security_class(const char *" name ");" + .sp ++.BI "security_class_t mode_to_security_class(mode_t " mode ");" ++.sp + .BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");" + .sp + .BI "void print_access_vector(security_class_t " tclass ", access_vector_t " av ");" +- ++. + .SH "DESCRIPTION" +-.B security_class_to_string ++.BR security_class_to_string () + returns a string name for class + .IR tclass , + or NULL if the class is invalid. The returned string must not be modified or freed. + +-.B security_av_perm_to_string ++.BR security_av_perm_to_string () + returns a string name for the access vector bit + .I av + of class + .IR tclass , + or NULL if either argument is invalid. The returned string must not be modified or freed. + +-.B security_av_string ++.BR security_av_string () + computes a full access vector string representation using + .I tclass + and +@@ -48,30 +50,35 @@ which may have multiple bits set. The string is returned in the memory pointed + and should be freed by the caller using + .BR free (3). + +-.B string_to_security_class ++.BR string_to_security_class () + returns the class value corresponding to the string name + .IR name , + or zero if no such class exists. + +-.B string_to_av_perm ++.BR mode_to_security_class () ++returns the class value corresponding to the specified ++.IR mode , ++or zero if no such class exists. 
++ ++.BR string_to_av_perm () + returns the access vector bit corresponding to the string name + .I name + and security class + .IR tclass , + or zero if no such value exists. + +-.B print_access_vector ++.BR print_access_vector () + displays an access vector in human-readable form on the standard output + stream. +- ++. + .SH "RETURN VALUE" +-.B security_av_string ++.BR security_av_string () + returns zero on success or \-1 on error with + .I errno + set appropriately. +-.B print_access_vector ++.BR print_access_vector () + does not return a value. All other functions return zero or NULL on error. +- ++. + .SH "ERRORS" + .TP + .B EINVAL +@@ -80,11 +87,12 @@ A class or access vector argument is not recognized by the currently loaded poli + .TP + .B ENOMEM + An attempt to allocate memory failed. +- ++. + .SH "AUTHOR" + Eamon Walsh +- ++. + .SH "SEE ALSO" + .BR selinux (8), + .BR getcon (3), + .BR getfilecon (3) ++.BR stat (3) +diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3 +index 468831a..c6837fc 100644 +--- a/libselinux/man/man3/security_compute_av.3 ++++ b/libselinux/man/man3/security_compute_av.3 +@@ -2,112 +2,139 @@ + .SH "NAME" + security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel, + security_compute_member, security_compute_user, security_get_initial_context \- query +-the SELinux policy database in the kernel. +- ++the SELinux policy database in the kernel ++. 
+ .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp + .BI "int security_compute_av(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); + .sp ++.BI "int security_compute_av_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); ++.sp + .BI "int security_compute_av_flags(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); + .sp ++.BI "int security_compute_av_flags_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); ++.sp + .BI "int security_compute_create(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); + .sp ++.BI "int security_compute_create_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); ++.sp + .BI "int security_compute_create_name(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", const char *"objname ", security_context_t *" newcon ); + .sp ++.BI "int security_compute_create_name_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", const char *"objname ", security_context_t *" newcon ); ++.sp + .BI "int security_compute_relabel(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); + .sp ++.BI "int security_compute_relabel_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); ++.sp + .BI "int security_compute_member(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); + .sp ++.BI "int 
security_compute_member_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); ++.sp + .BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con ); + .sp +-.BI "int security_get_initial_context(const char *" name ", security_context_t +-"con ); ++.BI "int security_compute_user_raw(security_context_t "scon ", const char *" username ", security_context_t **" con ); + .sp +-.BI "int selinux_check_access(const security_context_t " scon, " const security_context_t " tcon, " const char *" class, " const char *" perm, "void *" auditdata); ++.BI "int security_get_initial_context(const char *" name ", security_context_t " con ); ++.sp ++.BI "int security_get_initial_context_raw(const char *" name ", security_context_t " con ); ++.sp ++.BI "int selinux_check_access(const security_context_t " scon ", const security_context_t " tcon ", const char *" class ", const char *" perm ", void *" auditdata); + .sp + .BI "int selinux_check_passwd_access(access_vector_t " requested ); + .sp + .BI "int checkPasswdAccess(access_vector_t " requested ); +- ++. + .SH "DESCRIPTION" +-.B security_compute_av ++.BR security_compute_av () + queries whether the policy permits the source context +-.B scon ++.I scon + to access the target context +-.B tcon ++.I tcon + via class +-.B tclass ++.I tclass + with the +-.B requested ++.I requested + access vector. The decision is returned in +-.BR avd . ++.IR avd . + +-.B security_compute_av_flags ++.BR security_compute_av_flags () + is identical to + .B security_compute_av + but additionally sets the +-.B flags ++.I flags + field of +-.BR avd . ++.IR avd . + Currently one flag is supported: + .BR SELINUX_AVD_FLAGS_PERMISSIVE , + which indicates the decision is computed on a permissive domain. 
+ +-.B security_compute_create ++.BR security_compute_create () + is used to compute a context to use for labeling a new object in a particular + class based on a SID pair. + +-.B security_compute_create_name ++.BR security_compute_create_name () + is identical to +-.B security_compute_create ++.BR \%security_compute_create () + but also takes name of the new object in creation as an argument. + When +-.BR TYPE_TRANSITION ++.B TYPE_TRANSITION + rule on the given class and a SID pair has object name extension, + we shall be able to obtain a correct +-.BR newcon ++.I newcon + according to the security policy. Note that this interface is only + supported on the linux 2.6.40 or later. + In the older kernel, the object name will be simply ignored. + +-.B security_compute_relabel ++.BR security_compute_relabel () + is used to compute the new context to use when relabeling an object, it is used + in the pam_selinux.so source and the newrole source to determine the correct + label for the tty at login time, but can be used for other things. + +-.B security_compute_member ++.BR security_compute_member () + is used to compute the context to use when labeling a polyinstantiated object + instance. + +-.B security_compute_user ++.BR security_compute_user () + is used to determine the set of user contexts that can be reached from a + source context. It is mainly used by +-.B get_ordered_context_list. ++.BR get_ordered_context_list (). 
+ +-.B security_get_initial_context ++.BR security_get_initial_context () + is used to get the context of a kernel initial security identifier specified by + .I name + +-.B selinux_check_access ++.BR security_compute_av_raw (), ++.BR security_compute_av_flags_raw (), ++.BR \%security_compute_create_raw (), ++.BR \%security_compute_create_name_raw (), ++.BR \%security_compute_relabel_raw (), ++.BR \%security_compute_member_raw (), ++.BR \%security_compute_user_raw () ++and ++.BR \%security_get_initial_context_raw () ++behave identically to their non-raw counterparts but do not perform context ++translation. ++ ++.BR selinux_check_access () + is used to check if the source context has the access permission for the specified class on the target context. + +-.B selinux_check_passwd_access ++.BR selinux_check_passwd_access () + is used to check for a permission in the + .I passwd + class. +-.B selinux_check_passwd_access ++.BR selinux_check_passwd_access () + uses getprevcon() for the source and target security contexts. + +-.B checkPasswdAccess ++.BR checkPasswdAccess () + is a deprecated alias of the +-.B selinux_check_passwd_access ++.BR selinux_check_passwd_access () + function. +- ++. + .SH "RETURN VALUE" + Returns zero on success or \-1 on error. +- ++. 
+ .SH "SEE ALSO" + .BR selinux "(8), " getcon "(3), " getfilecon "(3), " get_ordered_context_list "(3)" +diff --git a/libselinux/man/man3/security_compute_av_flags_raw.3 b/libselinux/man/man3/security_compute_av_flags_raw.3 +new file mode 100644 +index 0000000..a60bca4 +--- /dev/null ++++ b/libselinux/man/man3/security_compute_av_flags_raw.3 +@@ -0,0 +1 @@ ++.so man3/security_compute_av.3 +diff --git a/libselinux/man/man3/security_compute_av_raw.3 b/libselinux/man/man3/security_compute_av_raw.3 +new file mode 100644 +index 0000000..a60bca4 +--- /dev/null ++++ b/libselinux/man/man3/security_compute_av_raw.3 +@@ -0,0 +1 @@ ++.so man3/security_compute_av.3 +diff --git a/libselinux/man/man3/security_compute_create_name_raw.3 b/libselinux/man/man3/security_compute_create_name_raw.3 +new file mode 100644 +index 0000000..a60bca4 +--- /dev/null ++++ b/libselinux/man/man3/security_compute_create_name_raw.3 +@@ -0,0 +1 @@ ++.so man3/security_compute_av.3 +diff --git a/libselinux/man/man3/security_compute_create_raw.3 b/libselinux/man/man3/security_compute_create_raw.3 +new file mode 100644 +index 0000000..a60bca4 +--- /dev/null ++++ b/libselinux/man/man3/security_compute_create_raw.3 +@@ -0,0 +1 @@ ++.so man3/security_compute_av.3 +diff --git a/libselinux/man/man3/security_compute_member_raw.3 b/libselinux/man/man3/security_compute_member_raw.3 +new file mode 100644 +index 0000000..a60bca4 +--- /dev/null ++++ b/libselinux/man/man3/security_compute_member_raw.3 +@@ -0,0 +1 @@ ++.so man3/security_compute_av.3 +diff --git a/libselinux/man/man3/security_compute_relabel_raw.3 b/libselinux/man/man3/security_compute_relabel_raw.3 +new file mode 100644 +index 0000000..a60bca4 +--- /dev/null ++++ b/libselinux/man/man3/security_compute_relabel_raw.3 +@@ -0,0 +1 @@ ++.so man3/security_compute_av.3 +diff --git a/libselinux/man/man3/security_compute_user_raw.3 b/libselinux/man/man3/security_compute_user_raw.3 +new file mode 100644 +index 0000000..a60bca4 +--- /dev/null ++++ 
b/libselinux/man/man3/security_compute_user_raw.3 +@@ -0,0 +1 @@ ++.so man3/security_compute_av.3 +diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 +index 6725bde..aeb78da 100644 +--- a/libselinux/man/man3/security_disable.3 ++++ b/libselinux/man/man3/security_disable.3 +@@ -1,28 +1,30 @@ + .TH "security_disable" "3" "21 Nov 2009" "" "SELinux API documentation" + .SH "NAME" +-security_disable \- disable the SELinux kernel code at runtime. +- ++security_disable \- disable the SELinux kernel code at runtime ++. + .SH "SYNOPSIS" + .B #include + .sp + .BI "int security_disable(void);" +- ++. + .SH "DESCRIPTION" +-.B security_disable +-disables the SELinux kernel code, unregisters selinuxfs from /proc/filesystems, +-and then unmounts /selinux. ++.BR security_disable () ++disables the SELinux kernel code, unregisters selinuxfs from ++.IR /proc/filesystems , ++and then unmounts ++.IR /selinux . + .sp + This function can only be called at runtime and prior to the initial policy + load. After the initial policy load, the SELinux kernel code cannot be disabled, + but only placed in "permissive" mode by using +-.B setenforce(1). +- ++.BR setenforce (1). ++. + .SH "RETURN VALUE" +-.B security_disable ++.BR security_disable () + returns zero on success or \-1 on error. +- ++. + .SH "AUTHOR" + This manual page has been written by Guido Trentalancia +- ++. 
+ .SH "SEE ALSO" + .BR selinux (8), " setenforce "(3) +diff --git a/libselinux/man/man3/security_get_initial_context_raw.3 b/libselinux/man/man3/security_get_initial_context_raw.3 +new file mode 100644 +index 0000000..a60bca4 +--- /dev/null ++++ b/libselinux/man/man3/security_get_initial_context_raw.3 +@@ -0,0 +1 @@ ++.so man3/security_compute_av.3 +diff --git a/libselinux/man/man3/security_getenforce.3 b/libselinux/man/man3/security_getenforce.3 +index 86771b5..7658014 100644 +--- a/libselinux/man/man3/security_getenforce.3 ++++ b/libselinux/man/man3/security_getenforce.3 +@@ -1,29 +1,29 @@ + .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" + .SH "NAME" + security_getenforce, security_setenforce, security_deny_unknown \- get or set the enforcing state of SELinux ++. + .SH "SYNOPSIS" + .B #include + .sp + .B int security_getenforce(void); +- ++.sp + .BI "int security_setenforce(int "value ); +- ++.sp + .B int security_deny_unknown(void); +- ++. + .SH "DESCRIPTION" +-.B security_getenforce ++.BR security_getenforce () + returns 0 if SELinux is running in permissive mode, 1 if it is running in +-enforcing mode, and -1 on error. ++enforcing mode, and \-1 on error. + +-.B security_setenforce ++.BR security_setenforce () + sets SELinux to enforcing mode if the value 1 is passed in, and sets it to +-permissive mode if 0 is passed in. On success 0 is returned, on error -1 is ++permissive mode if 0 is passed in. On success 0 is returned, on error \-1 is + returned. + +-.B security_deny_unknown ++.BR security_deny_unknown () + returns 0 if SELinux treats policy queries on undefined object classes or +-permissions as being allowed, 1 if such queries are denied, and -1 on error. +- ++permissions as being allowed, 1 if such queries are denied, and \-1 on error. ++. 
+ .SH "SEE ALSO" + .BR selinux "(8)" +- +diff --git a/libselinux/man/man3/security_load_booleans.3 b/libselinux/man/man3/security_load_booleans.3 +index 40e91bc..3dc963d 100644 +--- a/libselinux/man/man3/security_load_booleans.3 ++++ b/libselinux/man/man3/security_load_booleans.3 +@@ -3,6 +3,7 @@ + security_load_booleans, security_set_boolean, security_commit_booleans, + security_get_boolean_names, security_get_boolean_active, + security_get_boolean_pending \- routines for manipulating SELinux boolean values ++. + .SH "SYNOPSIS" + .B #include + .sp +@@ -19,10 +20,8 @@ security_get_boolean_pending \- routines for manipulating SELinux boolean values + .BI "int security_set_boolean_list(size_t " boolcnt ", SELboolean *" boollist ", int " permanent ");" + .sp + .BI "int security_commit_booleans(void);" +- +- ++. + .SH "DESCRIPTION" +- + The SELinux policy can include conditional rules that are enabled or + disabled based on the current values of a set of policy booleans. + These policy booleans allow runtime modification of the security +@@ -31,41 +30,37 @@ policy without having to load a new policy. + The SELinux API allows for a transaction based update. So you can + set several boolean values and then commit them all at once. + +-.B security_load_booleans +- ++.BR security_load_booleans () + loads policy boolean settings. Path may be NULL, in which case the + booleans are loaded from the active policy boolean configuration file. + +-.B security_get_boolean_names +- ++.BR security_get_boolean_names () + provides a list of boolean names, currently supported by the loaded policy. + +-.B security_get_boolean_pending +- ++.BR security_get_boolean_pending () + returns the pending value for boolean or \-1 on failure. + +-.B security_get_boolean_active +- ++.BR security_get_boolean_active () + returns the active value for boolean or \-1 on failure. 
+ +-.B security_set_boolean +- ++.BR security_set_boolean () + sets the pending value for boolean + +-.B security_set_boolean_list +- ++.BR security_set_boolean_list () + saves a list of booleans in a single transaction. + +-.B security_commit_booleans +- ++.BR security_commit_booleans () + commits all pending values for the booleans. +- ++. + .SH "RETURN VALUE" + Where not otherwise stated, functions described in this manual page return + zero on success or \-1 on error. +- ++. + .SH AUTHOR + This manual page was written by Dan Walsh . +- ++. + .SH "SEE ALSO" +-selinux(8), getsebool(8), booleans(8), togglesebool(8) ++.BR selinux (8), ++.BR getsebool (8), ++.BR booleans (8), ++.BR togglesebool (8) +diff --git a/libselinux/man/man3/security_load_policy.3 b/libselinux/man/man3/security_load_policy.3 +index 163503e..c4439bf 100644 +--- a/libselinux/man/man3/security_load_policy.3 ++++ b/libselinux/man/man3/security_load_policy.3 +@@ -1,7 +1,7 @@ + .TH "security_load_policy" "3" "3 November 2009" "guido@trentalancia.com" "SELinux API documentation" + .SH "NAME" + security_load_policy \- load a new SELinux policy +- ++. + .SH "SYNOPSIS" + .B #include + .sp +@@ -10,15 +10,15 @@ security_load_policy \- load a new SELinux policy + .BI "int selinux_mkload_policy(int " preservebools ");" + .sp + .BI "int selinux_init_load_policy(int *" enforce ");" +- ++. + .SH "DESCRIPTION" +-.B security_load_policy ++.BR security_load_policy () + loads a new policy, returns 0 for success and \-1 for error. + +-.B selinux_mkload_policy ++.BR selinux_mkload_policy () + makes a policy image and loads it. 
This function provides a higher level + interface for loading policy than +-.B security_load_policy, ++.BR \%security_load_policy (), + internally determining the right policy version, locating and opening + the policy file, mapping it into memory, manipulating it as needed for + current boolean settings and/or local definitions, and then calling +@@ -29,7 +29,7 @@ be preserved into the new policy (if 1) or reset to the saved policy + settings (if 0). The former case is the default for policy reloads, while + the latter case is an option for policy reloads but is primarily used for + the initial policy load. +-.B selinux_init_load_policy ++.BR selinux_init_load_policy () + performs the initial policy load. This function determines the desired + enforcing mode, sets the + .I enforce +@@ -40,19 +40,18 @@ handles the initial selinuxfs mount required to perform these actions. + It should also be noted that after the initial policy load, the SELinux + kernel code cannot anymore be disabled and the selinuxfs cannot be + unmounted using a call to +-.B security_disable(3). ++.BR security_disable (3). + Therefore, after the initial policy load, the only operational changes + are those permitted by +-.B setenforce(3) ++.BR setenforce (3) + (i.e. eventually setting the framework in permissive mode rather than + in enforcing one). +- ++. + .SH "RETURN VALUE" +-returns zero on success or \-1 on error. +- ++Returns zero on success or \-1 on error. ++. + .SH "AUTHOR" + This manual page has been written by Guido Trentalancia +- ++. + .SH "SEE ALSO" + .BR selinux "(8), " security_disable "(3), " setenforce "(1) +- +diff --git a/libselinux/man/man3/security_policyvers.3 b/libselinux/man/man3/security_policyvers.3 +index 9e5dfd2..041ff3a 100644 +--- a/libselinux/man/man3/security_policyvers.3 ++++ b/libselinux/man/man3/security_policyvers.3 +@@ -5,12 +5,11 @@ security_policyvers \- get the version of the SELinux policy + .B #include + .sp + .B int security_policyvers(); +- ++. 
+ .SH "DESCRIPTION" +-.B security_policyvers +-returns the version of the policy (a positive integer) on success, or -1 on ++.BR security_policyvers () ++returns the version of the policy (a positive integer) on success, or \-1 on + error. +- ++. + .SH "SEE ALSO" + .BR selinux "(8)" +- +diff --git a/libselinux/man/man3/selabel_lookup.3 b/libselinux/man/man3/selabel_lookup.3 +index ab792bb..08b3161 100644 +--- a/libselinux/man/man3/selabel_lookup.3 ++++ b/libselinux/man/man3/selabel_lookup.3 +@@ -3,27 +3,29 @@ + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007 + .TH "selabel_lookup" "3" "18 Jun 2007" "" "SELinux API documentation" + .SH "NAME" +-selabel_lookup \- obtain SELinux security context from a string label. ++selabel_lookup \- obtain SELinux security context from a string label ++. + .SH "SYNOPSIS" + .B #include +- ++.br + .B #include + .sp + .BI "int selabel_lookup(struct selabel_handle *" hnd , + .in +\w'int selabel_lookup('u + .BI "security_context_t *" context , +- ++.br + .BI "const char *" key ", int " type ");" + .in + .sp + .BI "int selabel_lookup_raw(struct selabel_handle *" hnd , + .in +\w'int selabel_lookup_raw('u + .BI "security_context_t *" context , +- ++.br + .BI "const char *" key ", int " type ");" +- ++.in ++. + .SH "DESCRIPTION" +-.B selabel_lookup ++.BR selabel_lookup () + performs a lookup operation on the handle + .IR hnd , + returning the result in the memory pointed to by +@@ -38,16 +40,16 @@ parameters are the inputs to the lookup operation and are interpreted according + .I handle + is open on. + +-.B selabel_lookup_raw ++.BR selabel_lookup_raw () + behaves identically to +-.B selabel_lookup ++.BR selabel_lookup () + but does not perform context translation. +- ++. + .SH "RETURN VALUE" + On success, zero is returned. On error, \-1 is returned and + .I errno + is set appropriately. +- ++. + .SH "ERRORS" + .TP + .B ENOENT +@@ -66,13 +68,12 @@ inputs are invalid, or the context being returned failed validation. 
+ .TP
+ .B ENOMEM
+ An attempt to allocate memory failed.
+-
++.
+ .SH "AUTHOR"
+ Eamon Walsh
+-
++.
+ .SH "SEE ALSO"
+ .BR selabel_open (3),
+ .BR selabel_stats (3),
+ .BR selinux_set_callback (3),
+ .BR selinux (8)
+-
+diff --git a/libselinux/man/man3/selabel_lookup_raw.3 b/libselinux/man/man3/selabel_lookup_raw.3
+new file mode 100644
+index 0000000..64e003e
+--- /dev/null
++++ b/libselinux/man/man3/selabel_lookup_raw.3
+@@ -0,0 +1 @@
++.so man3/selabel_lookup.3
+diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
+index 8674e37..00f2828 100644
+--- a/libselinux/man/man3/selabel_open.3
++++ b/libselinux/man/man3/selabel_open.3
+@@ -3,23 +3,24 @@
+ .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+ .TH "selabel_open" "3" "18 Jun 2007" "" "SELinux API documentation"
+ .SH "NAME"
+-selabel_open, selabel_close \- userspace SELinux labeling interface.
++selabel_open, selabel_close \- userspace SELinux labeling interface
++.
+ .SH "SYNOPSIS"
+ .B #include
+-
++.br
+ .B #include
+ .sp
+ .BI "struct selabel_handle *selabel_open(int " backend ,
+ .in +\w'struct selabel_handle *selabel_open('u
+ .BI "struct selinux_opt *" options ,
+-
++.br
+ .BI "unsigned " nopt ");"
+ .in
+ .sp
+ .BI "void selabel_close(struct selabel_handle *" hnd ");"
+-
++.
+ .SH "DESCRIPTION"
+-.B selabel_open
++.BR selabel_open ()
+ is used to initialize a labeling handle to be used for lookup operations. The
+ .I backend
+ argument specifies which backend is to be opened; the list of current backends appears in
+@@ -48,14 +49,14 @@ The available option types are described in
+ .B GLOBAL OPTIONS
+ below as well as in the documentation for each individual backend. The return value on success is a non-NULL value for use in subsequent label operations.
+
+-.B selabel_close
++.BR selabel_close ()
+ terminates use of a handle, freeing any internal resources associated with it. After this call has been made, the handle must not be used again.
+-
++.
+ .SH "GLOBAL OPTIONS"
+ Global options which may be passed to
+-.B selabel_open
++.BR selabel_open ()
+ include the following:
+-
++.
+ .TP
+ .B SELABEL_OPT_UNUSED
+ The option with a type code of zero is a no-op. Thus an array of options may be initizalized to zero and any untouched elements will not cause an error.
+@@ -66,9 +67,8 @@ A non-null value for this option enables context validation. By default,
+ is used; a custom validation function can be provided via
+ .BR selinux_set_callback (3).
+ Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
+-
++.
+ .SH "BACKENDS"
+-
+ .TP
+ .B SELABEL_CTX_FILE
+ File contexts backend, described in
+@@ -85,18 +85,19 @@ X Windows contexts backend, described in
+ .B SELABEL_CTX_DB
+ Database objects contexts backend, described in
+ .BR selabel_db (5).
+-
++.
+ .SH "RETURN VALUE"
+ A non-NULL handle value is returned on success. On error, NULL is returned and
+ .I errno
+ is set appropriately.
+-
++.
+ .SH "AUTHOR"
+ Eamon Walsh
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selabel_lookup (3),
+ .BR selabel_stats (3),
+ .BR selinux_set_callback (3),
+ .BR selinux (8)
+-
+diff --git a/libselinux/man/man3/selabel_stats.3 b/libselinux/man/man3/selabel_stats.3
+index 441f422..44e1a65 100644
+--- a/libselinux/man/man3/selabel_stats.3
++++ b/libselinux/man/man3/selabel_stats.3
+@@ -3,33 +3,33 @@
+ .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+ .TH "selabel_stats" "3" "18 Jun 2007" "" "SELinux API documentation"
+ .SH "NAME"
+-selabel_stats \- obtain SELinux labeling statistics.
++selabel_stats \- obtain SELinux labeling statistics
++.
+ .SH "SYNOPSIS"
+ .B #include
+-
++.br
+ .B #include
+ .sp
+-.BI "void selabel_lookup(struct selabel_handle *" hnd ");"
+-
++.BI "void selabel_stats(struct selabel_handle *" hnd ");"
++.
+ .SH "DESCRIPTION"
+-.B selabel_stats
++.BR selabel_stats ()
+ causes zero or more messages to be printed containing backend-specific information about number of queries performed, number of unused entries, or other operational information.
+
+ The messages are printed to standard error by default; a custom logging function can be provided via
+ .BR selinux_set_callback (3).
+-
++.
+ .SH "RETURN VALUE"
+ None.
+-
++.
+ .SH "ERRORS"
+ None.
+-
++.
+ .SH "AUTHOR"
+ Eamon Walsh
+-
++.
+ .SH "SEE ALSO"
+ .BR selabel_open (3),
+ .BR selabel_lookup (3),
+ .BR selinux_set_callback (3),
+ .BR selinux (8)
+-
+diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
+index 8ead1a4..1870f05 100644
+--- a/libselinux/man/man3/selinux_binary_policy_path.3
++++ b/libselinux/man/man3/selinux_binary_policy_path.3
+@@ -5,89 +5,110 @@ selinux_failsafe_context_path, selinux_removable_context_path,
+ selinux_default_context_path, selinux_user_contexts_path,
+ selinux_file_context_path, selinux_media_context_path,
+ selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active SELinux policy configuration
+-directories and files.
+-
++directories and files
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+-
+-extern const char *selinux_path(void);
+-
+-extern const char *selinux_policy_root(void);
+-
+-extern const char *selinux_binary_policy_path(void);
+-
+-extern const char *selinux_failsafe_context_path(void);
+-
+-extern const char *selinux_removable_context_path(void);
+-
+-extern const char *selinux_default_context_path(void);
+-
+-extern const char *selinux_user_contexts_path(void);
+-
+-extern const char *selinux_usersconf_path(void);
+-
+-extern const char *selinux_x_context_path(void);
+-
+-extern const char *selinux_sepgsql_context_path(void);
+-
+-extern const char *selinux_file_context_path(void);
+-
+-extern const char *selinux_media_context_path(void);
+-
+-extern const char *selinux_securetty_types_path(void);
+-
+-extern const char *selinux_contexts_path(void);
+-
+-extern const char *selinux_booleans_path(void);
+-
+-
++.B const char *selinux_path(void);
++.sp
++.B const char *selinux_policy_root(void);
++.sp
++.B const char *selinux_binary_policy_path(void);
++.sp
++.B const char *selinux_current_policy_path(void);
++.sp
++.B const char *selinux_failsafe_context_path(void);
++.sp
++.B const char *selinux_removable_context_path(void);
++.sp
++.B const char *selinux_default_context_path(void);
++.sp
++.B const char *selinux_user_contexts_path(void);
++.sp
++.B const char *selinux_usersconf_path(void);
++.sp
++.B const char *selinux_x_context_path(void);
++.sp
++.B const char *selinux_sepgsql_context_path(void);
++.sp
++.B const char *selinux_file_context_path(void);
++.sp
++.B const char *selinux_media_context_path(void);
++.sp
++.B const char *selinux_securetty_types_path(void);
++.sp
++.B const char *selinux_contexts_path(void);
++.sp
++.B const char *selinux_booleans_path(void);
++.
+ .SH "DESCRIPTION"
+-
+ These functions return the paths to the active policy configuration
+-directories and files based on the settings in /etc/selinux/config.
+-
++directories and files based on the settings in
++.IR /etc/selinux/config .
++.sp
++.BR selinux_path ()
++returns the top-level SELinux configuration directory.
+ .sp
+-selinux_path() - top-level SELinux configuration directory
++.BR selinux_policy_root ()
++returns the top-level policy directory.
+ .sp
+-selinux_policy_root() - top-level policy directory
++.BR selinux_binary_policy_path ()
++returns the binary policy file loaded into kernel.
+ .sp
+-selinux_binary_policy_path() - binary policy file loaded into kernel
++.BR selinux_current_policy_path ()
++returns binary policy file loaded into kernel
+ .sp
+-selinux_default_type_path - context file mapping roles to default types.
++.BR selinux_default_type_path ()
++returns the context file mapping roles to default types.
+ .sp
+-selinux_failsafe_context_path() - failsafe context for emergency logins
++.BR selinux_failsafe_context_path ()
++returns the failsafe context for emergency logins.
+ .sp
+-selinux_removable_context_path() - filesystem context for removable media
++.BR selinux_removable_context_path ()
++returns the filesystem context for removable media.
+ .sp
+-selinux_default_context_path() - system-wide default contexts for user sessions
++.BR selinux_default_context_path ()
++returns the system-wide default contexts for user sessions.
+ .sp
+-selinux_user_contexts_path() - directory containing per-user default contexts
++.BR selinux_user_contexts_path ()
++returns the directory containing per-user default contexts.
+ .sp
+-selinux_usersconf_path() - file containing mapping between Linux Users and SELinux users
++.BR selinux_usersconf_path ()
++returns the file containing mapping between Linux Users and SELinux users.
+ .sp
+-selinux_x_context_path() - file containing configuration for XSELinux extension
++.BR selinux_x_context_path ()
++returns the file containing configuration for XSELinux extension.
+ .sp
+-selinux_sepgsql_context_path() - file containing configuration for SE-PostgreSQL
++.BR selinux_sepgsql_context_path ()
++returns the file containing configuration for SE-PostgreSQL.
+ .sp
+-selinux_netfilter_context_path - default netfilter context
++.BR selinux_netfilter_context_path ()
++returns the default netfilter context.
+ .sp
+-selinux_file_context_path() - default system file contexts configuration
++.BR selinux_file_context_path ()
++returns the default system file contexts configuration.
+ .sp
+-selinux_file_context_local_path() - local customization file contexts configuration
++.BR selinux_file_context_local_path ()
++returns the local customization file contexts configuration.
+ .sp
+-selinux_file_context_homedir_path() - home directory file contexts configuration
++.BR selinux_file_context_homedir_path ()
++returns the home directory file contexts configuration.
+ .sp
+-selinux_media_context_path() - file contexts for media device nodes
++.BR selinux_media_context_path ()
++returns the file contexts for media device nodes.
+ .sp
+-selinux_contexts_path() - directory containing all of the context configuration files
++.BR selinux_contexts_path ()
++returns the directory containing all of the context configuration files.
+ .sp
+-selinux_securetty_types_path() - defines tty types for newrole securettys
++.BR selinux_securetty_types_path ()
++returns the defines tty types for newrole securettys.
+ .sp
+-selinux_booleans_path() - initial policy boolean settings
+-
++.BR selinux_booleans_path ()
++returns the initial policy boolean settings.
++.
+ .SH AUTHOR
+ This manual page was written by Dan Walsh .
+-
++.
+ .SH "SEE ALSO"
+ .BR selinux "(8)"
+diff --git a/libselinux/man/man3/selinux_boolean_sub.3 b/libselinux/man/man3/selinux_boolean_sub.3
+index 8d54c88..308c268 100644
+--- a/libselinux/man/man3/selinux_boolean_sub.3
++++ b/libselinux/man/man3/selinux_boolean_sub.3
+@@ -1,25 +1,29 @@
+-.TH "selinux_boolean_subs" "3" "11 June 2012" "dwalsh@redhat.com" "SELinux API documentation"
++.TH "selinux_boolean_sub" "3" "11 June 2012" "dwalsh@redhat.com" "SELinux API documentation"
+ .SH "NAME"
+-selinux_boolean_subs
++selinux_boolean_sub \-
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+-.BI "char *selinux_boolean_subs(const char * " boolean_name, ");"
++.BI "char *selinux_boolean_sub(const char *" boolean_name ");"
+ .sp
+ .SH "DESCRIPTION"
+-.B selinux_boolean_sub
+-searches the /etc/selinux/POLICYTYPE/booleans.subs_dist file
++.BR selinux_boolean_sub ()
++searches the
++.I \%/etc/selinux/{POLICYTYPE}/booleans.subs_dist
++file
+ for a maching boolean_name record. If the record exists the boolean substitution name is returned. If not
+-.B selinux_boolean_sub
+-returns the original boolean_name.
++.BR \%selinux_boolean_sub ()
++returns the original
++.IR \%boolean_name .
+
+ .SH "RETURN VALUE"
+-.BR selinux_boolean_subs
++.BR selinux_boolean_sub ()
+ returns the
+ .I boolean_name
+ or the substituted name on success. The returned value must be freed with
+ .BR free "(3)."
+-.BR selinux_boolean_subs
++.BR selinux_boolean_sub ()
+ returns NULL on error.
+ .SH "SEE ALSO"
+-security_get_boolean_names.3
++.BR security_get_boolean_names (3)
+diff --git a/libselinux/man/man3/selinux_check_securetty_context.3 b/libselinux/man/man3/selinux_check_securetty_context.3
+index 65a10d3..22e8533 100644
+--- a/libselinux/man/man3/selinux_check_securetty_context.3
++++ b/libselinux/man/man3/selinux_check_securetty_context.3
+@@ -1,16 +1,16 @@
+ .TH "selinux_check_securetty_context" "3" "1 January 2007" "dwalsh@redhat.com" "SELinux API documentation"
+ .SH "NAME"
+ selinux_check_securetty_context \- check whether a SELinux tty security context is defined as a securetty context
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+ .BI "int selinux_check_securetty_context(security_context_t "tty_context );
+-
++.
+ .SH "DESCRIPTION"
+-.B selinux_check_securetty_context
+-returns 0 if tty_context is a securetty context
++.BR selinux_check_securetty_context ()
++returns 0 if tty_context is a securetty context,
+ returns < 0 otherwise.
+-
++.
+ .SH "SEE ALSO"
+ .BR selinux "(8)"
+-
+diff --git a/libselinux/man/man3/selinux_colors_path.3 b/libselinux/man/man3/selinux_colors_path.3
+index 851d81d..cc57e43 100644
+--- a/libselinux/man/man3/selinux_colors_path.3
++++ b/libselinux/man/man3/selinux_colors_path.3
+@@ -1,36 +1,37 @@
+ .TH "selinux_colors_path" "3" "08 April 2011" "SELinux API documentation"
+-
+ .SH "NAME"
+-selinux_colors_path \- Return a path to the active SELinux policy color configuration file.
++selinux_colors_path \- Return a path to the active SELinux policy color configuration file
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+ .B const char *selinux_colors_path(void);
+-
++.
+ .SH "DESCRIPTION"
+-.B selinux_colors_path
++.BR selinux_colors_path ()
+ returns the path to the active policy color configuration file.
+ .sp
+ The path is built from the path returned by
+ .BR selinux_policy_root "(3)"
+ with
+-.B /secolor.conf
++.I /secolor.conf
+ appended.
+ .sp
+ This optional configuration file whose format is shown in
+-.BR secolor.conf "(5),"
++.BR \%secolor.conf (5),
+ controls the colors to be associated with the
+ .I raw
+ context components of the
+ .BR selinux_raw_context_to_color "(3)"
+ function when information is to be displayed by an SELinux color-aware application.
+-
++.
+ .SH "RETURN VALUE"
+ On success, the path to the active policy color configuration file is returned. If a path is not available NULL is returned.
+-
++.
+ .SH "ERRORS"
+ None.
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " selinux_policy_root "(3), " selinux_config "(5), " selinux_raw_context_to_color "(3), " secolor.conf "(5)"
+-
+diff --git a/libselinux/man/man3/selinux_file_context_cmp.3 b/libselinux/man/man3/selinux_file_context_cmp.3
+index cd67188..30bbaa3 100644
+--- a/libselinux/man/man3/selinux_file_context_cmp.3
++++ b/libselinux/man/man3/selinux_file_context_cmp.3
+@@ -1,8 +1,7 @@
+ .TH "selinux_file_context_cmp" "3" "08 March 2011" "SELinux API documentation"
+-
+ .SH "NAME"
+-selinux_file_context_cmp \- Compare two SELinux security contexts excluding the 'user' component.
+-
++selinux_file_context_cmp \- Compare two SELinux security contexts excluding the 'user' component
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+@@ -10,20 +9,20 @@ selinux_file_context_cmp \- Compare two SELinux security contexts excluding the
+ .RS
+ .BI "const security_context_t " b ");"
+ .RE
+-
++.
+ .SH "DESCRIPTION"
+-.B selinux_file_context_cmp
++.BR selinux_file_context_cmp ()
+ compares two context strings excluding the user component with
+-.B strcmp(3)
++.BR strcmp (3)
+ as shown in the
+ .B EXAMPLE
+ section.
+ .sp
+ This is useful as for most object contexts, the user component is not relevant.
+-
++.
+ .SH "RETURN VALUE"
+ The return values follow the
+-.B strcmp(3)
++.BR strcmp (3)
+ function, where:
+ .RS
+ 0 if they are equal.
+@@ -40,13 +39,13 @@ is greater than
+ is less than
+ .I b
+ .RE
+-
++.
+ .SH "ERRORS"
+ None.
+-
++.
+ .SH "NOTES"
+ The contexts being compared do not specifically need to be file contexts.
+-
++.
+ .SH "EXAMPLE"
+ If context
+ .I a
+@@ -68,8 +67,8 @@ then the actual strings compared are:
+ .RE
+ .sp
+ Therefore they will match and
+-.B selinux_file_context_cmp
++.BR selinux_file_context_cmp ()
+ will return zero.
+-
++.
+ .SH "SEE ALSO"
+ .BR selinux "(8)"
+diff --git a/libselinux/man/man3/selinux_file_context_verify.3 b/libselinux/man/man3/selinux_file_context_verify.3
+index e22be70..893949f 100644
+--- a/libselinux/man/man3/selinux_file_context_verify.3
++++ b/libselinux/man/man3/selinux_file_context_verify.3
+@@ -1,15 +1,14 @@
+ .TH "selinux_file_context_verify" "3" "08 March 2011" "SELinux API documentation"
+-
+ .SH "NAME"
+-selinux_file_context_verify \- Compare the SELinux security context on disk to the default security context required by the policy file contexts file.
+-
++selinux_file_context_verify \- Compare the SELinux security context on disk to the default security context required by the policy file contexts file
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+ .BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");"
+-
++.
+ .SH "DESCRIPTION"
+-.B selinux_file_context_verify
++.BR selinux_file_context_verify ()
+ compares the context of the specified
+ .I path
+ that is held on disk (in the extended attribute), to the system default entry held in the file contexts series of files.
+@@ -21,7 +20,7 @@ may be zero.
+ Note that the two contexts are compared for "significant" differences (i.e. the user component of the contexts are ignored) as shown in the
+ .B EXAMPLE
+ section.
+-
++.
+ .SH "RETURN VALUE"
+ If the contexts significantly match, 1 (one) is returned.
+ .sp
+@@ -40,7 +39,7 @@ section, or if
+ On failure \-1 is returned and
+ .I errno
+ set appropriately.
+-
++.
+ .SH "ERRORS"
+ .TP
+ .B ENOTSUP
+@@ -58,22 +57,26 @@ are invalid, or the returned context fails validation.
+ .TP
+ .B ENOMEM
+ if attempt to allocate memory failed.
+-
++.
+ .SH "FILES"
+ The following configuration files (the file contexts series of files) supporting the active policy will be used (should they exist) to determine the
+ .I path
+ default context:
+ .sp
+ .RS
+-contexts/files/file_contexts - This file must exist.
++.I contexts/files/file_contexts
++- This file must exist.
+ .sp
+-contexts/files/file_contexts.local - If exists has local customizations.
++.I contexts/files/file_contexts.local
++- If exists has local customizations.
+ .sp
+-contexts/files/file_contexts.homedirs - If exists has users home directory customizations.
++.I contexts/files/file_contexts.homedirs
++- If exists has users home directory customizations.
+ .sp
+-contexts/files/file_contexts.subs - If exists has substitutions that are then applied to the 'in memory' version of the file contexts files.
++.I contexts/files/file_contexts.subs
++- If exists has substitutions that are then applied to the 'in memory' version of the file contexts files.
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ If the files context is:
+ .RS
+@@ -91,8 +94,8 @@ then the actual strings compared are:
+ .RE
+ .sp
+ Therefore they will match and
+-.B selinux_file_context_verify
++.BR selinux_file_context_verify ()
+ will return 1.
+-
++.
+ .SH "SEE ALSO"
+ .BR selinux "(8)"
+diff --git a/libselinux/man/man3/selinux_getenforcemode.3 b/libselinux/man/man3/selinux_getenforcemode.3
+index a6a753e..7ed94c1 100644
+--- a/libselinux/man/man3/selinux_getenforcemode.3
++++ b/libselinux/man/man3/selinux_getenforcemode.3
+@@ -1,25 +1,31 @@
+ .TH "selinux_getenforcemode" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
+ .SH "NAME"
+ selinux_getenforcemode \- get the enforcing state of SELinux
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+-.B int selinux_getenforcemode(int *enforce);
+-
+-
++.BI "int selinux_getenforcemode(int *" enforce );
++.
+ .SH "DESCRIPTION"
+-.B selinux_getenforcemode
+-Reads the contents of the /etc/selinux/config file to determine how the
+-system was setup to run SELinux.
++.BR selinux_getenforcemode ()
++Reads the contents of the
++.I /etc/selinux/config
++file to determine how the system was setup to run SELinux.
+
+-Sets the value of enforce to 1 if SELinux should be run in enforcing mode.
+-Sets the value of enforce to 0 if SELinux should be run in permissive mode.
+-Sets the value of enforce to -1 if SELinux should be disabled.
++Sets the value of
++.I enforce
++to 1 if SELinux should be run in enforcing mode.
++Sets the value of
++.I enforce
++to 0 if SELinux should be run in permissive mode.
++Sets the value of
++.I enforce
++to \-1 if SELinux should be disabled.
++.
+ .SH "RETURN VALUE"
+ On success, zero is returned.
+-On failure, -1 is returned.
+-
++On failure, \-1 is returned.
++.
+ .SH "SEE ALSO"
+ .BR selinux "(8)"
+-
+-
+diff --git a/libselinux/man/man3/selinux_getpolicytype.3 b/libselinux/man/man3/selinux_getpolicytype.3
+index 67f9518..c947e2c 100644
+--- a/libselinux/man/man3/selinux_getpolicytype.3
++++ b/libselinux/man/man3/selinux_getpolicytype.3
+@@ -1,21 +1,23 @@
+ .TH "selinux_getpolicytype" "3" "24 Sep 2008" "dwalsh@redhat.com" "SELinux API documentation"
+ .SH "NAME"
+ selinux_getpolicytype \- get the type of SELinux policy running on the system
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+-.B int selinux_getpolicytype();
+-
+-
++.BI "int selinux_getpolicytype(char **" policytype );
++.
+ .SH "DESCRIPTION"
+-.B selinux_getpolicytype
+-Reads the contents of the /etc/selinux/config file to determine the SELinux policy used on the system.
+-
++.BR selinux_getpolicytype ()
++Reads the contents of the
++.I /etc/selinux/config
++file to determine the SELinux policy used on the system, and sets
++.I \%policytype
++accordinly.
++.
+ .SH "RETURN VALUE"
+ On success, zero is returned.
+-On failure, -1 is returned.
+-
++On failure, \-1 is returned.
++.
+ .SH "SEE ALSO"
+ .BR selinux "(8)"
+-
+-
+diff --git a/libselinux/man/man3/selinux_lsetfilecon_default.3 b/libselinux/man/man3/selinux_lsetfilecon_default.3
+index 0589c7a..d4fc658 100644
+--- a/libselinux/man/man3/selinux_lsetfilecon_default.3
++++ b/libselinux/man/man3/selinux_lsetfilecon_default.3
+@@ -1,20 +1,20 @@
+ .TH "selinux_lsetfilecon_default" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
+ .SH "NAME"
+-selinux_lsetfilecon_default \- set the file context to the system defaults.
+-
++selinux_lsetfilecon_default \- set the file context to the system defaults
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+-
+ .BI "int selinux_lsetfilecon_default(const char *" path ");"
+-
++.
+ .SH "DESCRIPTION"
+-.B selinux_lsetfilecon_default
++.BR selinux_lsetfilecon_default ()
+ sets the file context to the system defaults.
+-.sp
+-
++.
+ .SH "RETURN VALUE"
+ Returns zero on success or \-1 otherwise.
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " selinux_file_context_cmp "(3), " selinux_file_context_verify "(3), " matchpathcon "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
+diff --git a/libselinux/man/man3/selinux_policy_root.3 b/libselinux/man/man3/selinux_policy_root.3
+index 7499c75..a6ccf86 100644
+--- a/libselinux/man/man3/selinux_policy_root.3
++++ b/libselinux/man/man3/selinux_policy_root.3
+@@ -1,20 +1,21 @@
+ .TH "selinux_policy_root" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
+ .SH "NAME"
+-selinux_policy_root \- return the path of the SELinux policy files for this machine.
++selinux_policy_root \- return the path of the SELinux policy files for this machine
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+-.B char *selinux_policy_root();
+-
+-
++.B const char *selinux_policy_root(void);
++.
+ .SH "DESCRIPTION"
+-.B selinux_policy_root
+-Reads the contents of the /etc/selinux/config file to determine which policy files should be used for this machine.
++.BR selinux_policy_root ()
++reads the contents of the
++.I /etc/selinux/config
++file to determine which policy files should be used for this machine.
++.
+ .SH "RETURN VALUE"
+ On success, returns a directory path containing the SELinux policy files.
+ On failure, NULL is returned.
+-
++.
+ .SH "SEE ALSO"
+ .BR selinux "(8)"
+-
+-
+diff --git a/libselinux/man/man3/selinux_raw_context_to_color.3 b/libselinux/man/man3/selinux_raw_context_to_color.3
+index d3ca83b..3737f60 100644
+--- a/libselinux/man/man3/selinux_raw_context_to_color.3
++++ b/libselinux/man/man3/selinux_raw_context_to_color.3
+@@ -1,8 +1,7 @@
+ .TH "selinux_raw_context_to_color" "3" "08 April 2011" "SELinux API documentation"
+-
+ .SH "NAME"
+-selinux_raw_context_to_color \- Return RGB color string for an SELinux security context.
+-
++selinux_raw_context_to_color \- Return RGB color string for an SELinux security context
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+@@ -10,9 +9,9 @@ selinux_raw_context_to_color \- Return RGB color string for an SELinux security
+ .RS
+ .BI "char **" color_str ");"
+ .RE
+-
++.
+ .SH "DESCRIPTION"
+-.B selinux_raw_context_to_color
++.BR selinux_raw_context_to_color ()
+ returns a
+ .I color_str
+ associated to the raw context
+@@ -20,7 +19,7 @@ associated to the raw context
+ provided that the
+ .BR mcstransd "(8)"
+ daemon is running, the policy is an MLS type policy (MCS or MLS) and there is a color configuration file
+-.BR secolor.conf "(5)"
++.BR \%secolor.conf (5)
+ (see the
+ .B FILES
+ section).
+@@ -39,7 +38,7 @@ string must be freed with
+ If a color has not been configured for a specific user, role, type and/or range component of context
+ .IR raw ","
+ then
+-.B selinux_raw_context_to_color
++.BR \%selinux_raw_context_to_color ()
+ will select the color returned in
+ .I color_str
+ in order of precedence as follows:
+@@ -55,7 +54,7 @@ user, role, type
+ .RE
+
+ If there are no entries in the
+-.B secolor.conf
++.BR secolor.conf (5)
+ file for any of the components of context
+ .I raw
+ (or the file is not present), then the default string returned in
+@@ -68,32 +67,32 @@ is:
+ #000000 #ffffff #000000 #ffffff #000000 #ffffff #000000 #ffffff
+ .sp
+ .RE
+-
++.
+ .SH "RETURN VALUE"
+ On success, zero is returned.
+ .br
+ On failure, \-1 is returned with
+ .I errno
+ set appropriately.
+-
++.
+ .SH "ERRORS"
+ .B ENOENT
+ If the
+ .BR mcstransd "(8)"
+ daemon is not running.
+-
++.
+ .SH "FILES"
+-.B selinux_raw_context_to_color
++.BR selinux_raw_context_to_color ()
+ obtains the translated entry from the active policy
+ .BR secolor.conf "(5)"
+ file as returned by
+-.BR selinux_colors_path "(3)."
++.BR \%selinux_colors_path (3).
+ The file format is described in
+-.BR secolor.conf "(5)."
+-
++.BR \%secolor.conf (5).
++.
+ .SH "NOTES"
+ 1. The primary use of
+-.B selinux_raw_context_to_color
++.BR selinux_raw_context_to_color ()
+ is to return a color that corresponds to a range, that can then be used to highlight information at different MLS levels.
+ .sp
+ 2. The
+@@ -101,11 +100,11 @@ is to return a color that corresponds to a range, that can then be used to highl
+ daemon process security level must dominate the
+ .I raw
+ security level passed to it by the
+-.B selinux_raw_context_to_color
++.BR selinux_raw_context_to_color ()
+ function. If not, the range color selected will be as defined by the order of precedence.
+-
++.
+ .SH "EXAMPLE"
+-.B selinux_raw_context_to_color
++.BR selinux_raw_context_to_color ()
+ returns the foreground and background colors of the context string components (user:role:type:range) as RGB triples as follows:
+ .sp
+
+@@ -117,8 +116,8 @@ returns the foreground and background colors of the context string components (u
+ .br
+ black white : white black : tan orange : black green
+ .br
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " selinux_colors_path "(3), " mcstransd "(8), " secolor.conf "(5), " selinux_raw_to_trans_context "(3), " selinux_trans_to_raw_context "(3), " free "(3)"
+-
+-
+diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
+index 4f8d74d..073e135 100644
+--- a/libselinux/man/man3/selinux_set_callback.3
++++ b/libselinux/man/man3/selinux_set_callback.3
+@@ -3,14 +3,15 @@
+ .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+ .TH "selinux_set_callback" "3" "20 Jun 2007" "" "SELinux API documentation"
+ .SH "NAME"
+-selinux_set_callback \- userspace SELinux callback facilities.
++selinux_set_callback \- userspace SELinux callback facilities
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+ .BI "void selinux_set_callback(int " type ", union selinux_callback " callback ");"
+-
++.
+ .SH "DESCRIPTION"
+-.B selinux_set_callback
++.BR selinux_set_callback ()
+ sets the callback indicated by
+ .I type
+ to the value of
+@@ -45,7 +46,7 @@ argument indicates the type of message and will be set to one of the following:
+ .B SELINUX_INFO
+
+ .B SELINUX_AVC
+-
++.
+ .TP
+ .B SELINUX_CB_AUDIT
+ .BI "int (*" func_audit ") (void *" auditdata ", security_class_t " cls ,
+@@ -64,7 +65,7 @@ A human-readable interpretation should be printed to
+ using no more than
+ .I msgbufsize
+ characters.
+-
++.
+ .TP
+ .B SELINUX_CB_VALIDATE
+ .BI "int (*" func_validate ") (security_context_t *" ctx ");"
+@@ -78,7 +79,7 @@ The value of
+ should be set to
+ .B EINVAL
+ to indicate an invalid context.
+-
++.
+ .TP
+ .B SELINUX_CB_SETENFORCE
+ .BI "int (*" func_setenforce ") (int " enforcing ");"
+@@ -91,7 +92,7 @@ argument indicates the new value and is set to
+ for enforcing mode, and
+ .I 0
+ for permissive mode.
+-
++.
+ .TP
+ .B SELINUX_CB_POLICYLOAD
+ .BI "int (*" func_policyload ") (int " seqno ");"
+@@ -100,19 +101,18 @@ This callback is invoked when the system security policy is reloaded.
+ The
+ .I seqno
+ argument is the current sequential number of the policy generation in the system.
+-
++.
+ .SH "RETURN VALUE"
+ None.
+-
++.
+ .SH "ERRORS"
+ None.
+-
++.
+ .SH "AUTHOR"
+ Eamon Walsh
+-
++.
+ .SH "SEE ALSO"
+ .BR selabel_open (3),
+ .BR avc_init (3),
+-.BR avc_netlink_open(3),
++.BR avc_netlink_open (3),
+ .BR selinux (8)
+-
+diff --git a/libselinux/man/man3/selinux_set_mapping.3 b/libselinux/man/man3/selinux_set_mapping.3
+index 7ac069a..a93f7b2 100644
+--- a/libselinux/man/man3/selinux_set_mapping.3
++++ b/libselinux/man/man3/selinux_set_mapping.3
+@@ -3,7 +3,8 @@
+ .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2008
+ .TH "selinux_set_mapping" "3" "12 Jun 2008" "" "SELinux API documentation"
+ .SH "NAME"
+-selinux_set_mapping \- establish dynamic object class and permission mapping.
++selinux_set_mapping \- establish dynamic object class and permission mapping
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+@@ -15,9 +16,9 @@ struct security_class_mapping {
+ .fi
+ .sp
+ .BI "int selinux_set_mapping(struct security_class_mapping *" map ");"
+-
++.
+ .SH "DESCRIPTION"
+-.B selinux_set_mapping
++.BR selinux_set_mapping ()
+ establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy. Use of this function is highly preferred over the generated constants in the libselinux header files, as this method allows the policy's class and permission values to change over time.
+
+ After the mapping is established, all libselinux functions that operate on class and permission values take the user-provided numbers, which are determined as follows:
+@@ -33,12 +34,12 @@ field should refer to the string name of an object class, and the corresponding
+ field should refer to an array of permission bit names terminated by a NULL string.
+
+ The object classes named in the mapping and the bit indexes of each set of permission bits named in the mapping are numbered in order starting from 1. These numbers are the values that should be passed to subsequent libselinux calls.
+-
++.
+ .SH "RETURN VALUE"
+-Zero is returned on success. On error, -1 is returned and
++Zero is returned on success. On error, \-1 is returned and
+ .I errno
+ is set appropriately.
+-
++.
+ .SH "ERRORS"
+ .TP
+ .B EINVAL
+@@ -46,7 +47,7 @@ One of the class or permission names requested in the mapping is not present in
+ .TP
+ .B ENOMEM
+ An attempt to allocate memory failed.
+-
++.
+ .SH "EXAMPLE"
+ .RS
+ .ta 4n 10n
+@@ -78,10 +79,10 @@ and
+ (for the
+ .B file
+ class) will be identified by 1, 2, 4, and 8 respectively. Classes and permissions not listed in the mapping cannot be used.
+-
++.
+ .SH "AUTHOR"
+ Eamon Walsh
+-
++.
+ .SH "SEE ALSO"
+ .BR avc_open (8),
+ .BR selinux (8)
+diff --git a/libselinux/man/man3/selinux_status_open.3 b/libselinux/man/man3/selinux_status_open.3
+index e897939..f779dd9 100644
+--- a/libselinux/man/man3/selinux_status_open.3
++++ b/libselinux/man/man3/selinux_status_open.3
+@@ -3,11 +3,12 @@
+ selinux_status_open, selinux_status_close, selinux_status_updated,
+ selinux_status_getenforce, selinux_status_policyload and
+ selinux_status_deny_unknown \- reference the SELinux kernel status
+-without invocation of system calls.
++without invocation of system calls
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+-.BI "int selinux_status_open(int " fallback, ");"
++.BI "int selinux_status_open(int " fallback ");"
+ .sp
+ .BI "void selinux_status_close(void);"
+ .sp
+@@ -18,7 +19,7 @@ without invocation of system calls.
+ .BI "int selinux_status_policyload(void);"
+ .sp
+ .BI "int selinux_status_deny_unknown(void);"
+-.sp
++.
+ .SH "DESCRIPTION"
+ Linux 2.6.37 or later provides a SELinux kernel status page; being mostly
+ placed on
+@@ -26,15 +27,15 @@ placed on
+ entry. It enables userspace applications to mmap this page with read-only
+ mode, then it informs some status without system call invocations.
+ .sp
+-In some cases that a userspace application tries to apply heavy frequest
+-access control; such as row\-level security in databases, it will face
++In some cases that a userspace application tries to apply heavy frequent
++access control; such as row-level security in databases, it will face
+ unignorable cost to communicate with kernel space to check invalidation
+ of userspace avc.
+ .sp
+ These functions provides applications a way to know some kernel events
+-without system\-call invocation or worker thread for monitoring.
++without system-call invocation or worker thread for monitoring.
+ .sp
+-.BR selinux_status_open
++.BR selinux_status_open ()
+ tries to
+ .BR open (2)
+ .I /selinux/status
+@@ -51,46 +52,49 @@ and overwrite corresponding callbacks ( setenforce and policyload).
+ Thus, we need to pay attention to the interaction with these interfaces,
+ when fallback mode is enabled.
+ .sp
+-.BR selinux_status_close
++.BR selinux_status_close ()
+ unmap the kernel status page and close its file descriptor, or close the
+ netlink socket if fallbacked.
+ .sp
+-.BR selinux_status_updated
++.BR selinux_status_updated ()
+ informs us whether something has been updated since the last call.
+ It returns 0 if nothing was happened, however, 1 if something has been
+-updated in this duration, or -1 on error.
++updated in this duration, or \-1 on error.
+ .sp
+-.BR selinux_status_getenforce
++.BR selinux_status_getenforce ()
+ returns 0 if SELinux is running in permissive mode, 1 if enforcing mode,
+-or -1 on error.
++or \-1 on error.
+ Same as
+ .BR security_getenforce (3)
+ except with or without system call invocation.
+ .sp
+-.BR selinux_status_policyload
+-returns times of policy reloaded on the running system, or -1 on error.
++.BR selinux_status_policyload ()
++returns times of policy reloaded on the running system, or \-1 on error.
+ Note that it is not a reliable value on fallback-mode until it receive
+ the first event message via netlink socket.
+ Thus, don't use this value to know actual times of policy reloaded.
+ .sp
+-.BR selinux_status_deny_unknown
++.BR selinux_status_deny_unknown ()
+ returns 0 if SELinux treats policy queries on undefined object classes or
+-permissions as being allowed, 1 if such queries are denied, or -1 on error.
++permissions as being allowed, 1 if such queries are denied, or \-1 on error.
+ .sp
+ Also note that these interfaces are not thread-safe, so you have to protect
+ them from concurrent calls using exclusive locks when multiple threads are
+ performing.
++.
+ .SH "RETURN VALUE"
+-.BR selinux_status_open
++.BR selinux_status_open ()
+ returns 0 or 1 on success. 1 means we are ready to use these interfaces,
+ but netlink socket was opened as fallback instead of the kernel status page.
+-On error, -1 shall be returned.
++On error, \-1 shall be returned.
+ .sp
+ Any other functions with a return value shall return its characteristic
+-value as described above, or -1 on errors.
+-.sp
++value as described above, or \-1 on errors.
++.
+ .SH "SEE ALSO"
+-.BR mmap (2)
+-.BR avc_netlink_open (3)
+-.BR security_getenforce (3)
++.ad l
++.nh
++.BR mmap (2),
++.BR avc_netlink_open (3),
++.BR security_getenforce (3),
+ .BR security_deny_unknown (3)
+diff --git a/libselinux/man/man3/set_matchpathcon_flags.3 b/libselinux/man/man3/set_matchpathcon_flags.3
+index 037fe05..2841bec 100644
+--- a/libselinux/man/man3/set_matchpathcon_flags.3
++++ b/libselinux/man/man3/set_matchpathcon_flags.3
+@@ -1,42 +1,41 @@
+ .TH "set_matchpathcon_flags" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
+ .SH "NAME"
+-set_matchpathcon_flags, set_matchpathcon_invalidcon, set_matchpathcon_printf \- set flags controlling the operation of matchpathcon or matchpathcon_index and configure the behaviour of validity checking and error displaying.
+-
++set_matchpathcon_flags, set_matchpathcon_invalidcon, set_matchpathcon_printf \- set flags controlling the operation of matchpathcon or matchpathcon_index and configure the behaviour of validity checking and error displaying
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+-
+ .BI "void set_matchpathcon_flags(unsigned int " flags ");"
+-
+-.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *" path ", unsigned " lineno ", char * " context "));"
+-
++.sp
++.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *" path ", unsigned " lineno ", char *" context "));"
++.sp
+ .BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt ", ...));"
+-
++.
+ .SH "DESCRIPTION"
+-.B set_matchpathcon_flags
++.BR set_matchpathcon_flags ()
+ sets the flags controlling the operation of
+-.B matchpathcon_init
++.BR matchpathcon_init (3)
+ and subsequently
+-.B matchpathcon_index
++.BR matchpathcon_index (3)
+ or
+-.B matchpathcon.
++.BR matchpathcon (3).
+ If the
+ .B MATCHPATHCON_BASEONLY
+ flag is set, then only the base file contexts configuration file
+ will be processed, not any dynamically generated entries or local customizations.
+ .sp
+
+-.B set_matchpathcon_invalidcon
++.BR set_matchpathcon_invalidcon ()
+ sets the function used by
+-.B matchpathcon_init
++.BR matchpathcon_init (3)
+ when checking the validity of a context in the file contexts
+ configuration. If not set, then this defaults to a test based
+ on
+-.B security_check_context(3),
++.BR security_check_context (3),
+ which checks validity against the active policy on a SELinux system.
+ This can be set to instead perform checking based on a binary policy file,
+ e.g. using
+-.B sepol_check_context(3),
++.BR sepol_check_context (3),
+ as is done by
+ .B setfiles \-c.
+ The function is also responsible for reporting any such error, and
+@@ -47,16 +46,17 @@ and
+ in such error messages.
+ .sp
+
+-.B set_matchpathcon_printf
++.BR set_matchpathcon_printf ()
+ sets the function used by
+-.B matchpathcon_init
++.BR matchpathcon_init (3)
+ when displaying errors about the file contexts configuration. If not set,
+ then this defaults to fprintf(stderr, fmt, ...). This can be set to redirect
+ error reporting to a different destination.
+-.sp
+-
++.
+ .SH "RETURN VALUE"
+ Returns zero on success or \-1 otherwise.
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " matchpathcon "(3), " matchpathcon_index "(3), " set_matchpathcon_invalidcon "(3), " set_matchpathcon_printf "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
+diff --git a/libselinux/man/man3/setcon_raw.3 b/libselinux/man/man3/setcon_raw.3
+new file mode 100644
+index 0000000..1210b5a
+--- /dev/null
++++ b/libselinux/man/man3/setcon_raw.3
+@@ -0,0 +1 @@
++.so man3/getcon.3
+diff --git a/libselinux/man/man3/setexeccon_raw.3 b/libselinux/man/man3/setexeccon_raw.3
+new file mode 100644
+index 0000000..b2e6ab8
+--- /dev/null
++++ b/libselinux/man/man3/setexeccon_raw.3
+@@ -0,0 +1 @@
++.so man3/getexeccon.3
+diff --git a/libselinux/man/man3/setfilecon.3 b/libselinux/man/man3/setfilecon.3
+index 18030cd..5acc9bb 100644
+--- a/libselinux/man/man3/setfilecon.3
++++ b/libselinux/man/man3/setfilecon.3
+@@ -1,41 +1,66 @@
+ .TH "setfilecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
+ .SH "NAME"
+ setfilecon, fsetfilecon, lsetfilecon \- set SELinux security context of a file
+-
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+ .BI "int setfilecon(const char *" path ", security_context_t "con );
+-
++.sp
++.BI "int setfilecon_raw(const char *" path ", security_context_t "con );
++.sp
+ .BI "int lsetfilecon(const char *" path ", security_context_t "con );
+-
++.sp
++.BI "int lsetfilecon_raw(const char *" path ", security_context_t "con );
++.sp
+ .BI "int fsetfilecon(int "fd ", security_context_t "con );
+-
++.sp
++.BI "int fsetfilecon_raw(int "fd ", security_context_t "con );
++.
+ .SH "DESCRIPTION"
+-.B setfilecon
++.BR setfilecon ()
+ sets the security context of the file system object.
+
+-.B lsetfilecon
++.BR lsetfilecon ()
+ is identical to setfilecon, except in the case of a symbolic link, where the
+ link itself has it's context set, not the file that it refers to.
+
+-.B fsetfilecon
++.BR fsetfilecon ()
+ is identical to setfilecon, only the open file pointed to by filedes (as
+-returned by open(2)) has it's context set in place of path.
++returned by
++.BR open (2))
++has it's context set in place of path.
+
++.BR setfilecon_raw (),
++.BR lsetfilecon_raw (),
++and
++.BR fsetfilecon_raw ()
++behave identically to their non-raw counterparts but do not perform context
++translation.
++.
+ .SH "RETURN VALUE"
+-On success, zero is returned. On failure, -1 is returned and errno is
+-set appropriately.
+-
++On success, zero is returned. On failure, \-1 is returned and
++.I errno
++is set appropriately.
++.
++.SH "ERRORS"
+ If there is insufficient space remaining to store the extended
+-attribute, errno is set to either ENOSPC, or EDQUOT if quota enforce-
+-ment was the cause.
+-
+-If extended attributes are not supported by the filesystem, or are dis-
+-abled, errno is set to ENOTSUP.
++attribute,
++.I errno
++is set to either
++.BR ENOSPC ,
++or
++.B EDQUOT
++if quota enforcement was the cause.
+
+-The errors documented for the stat(2) system call are also applicable
+-here.
++If extended attributes are not supported by the filesystem, or are disabled,
++.I errno
++is set to
++.BR ENOTSUP .
+
++The errors documented for the
++.BR stat (2)
++system call are also applicable here.
++.
+ .SH "SEE ALSO"
+ .BR selinux "(3), " freecon "(3), " getfilecon "(3), " setfscreatecon "(3)"
+diff --git a/libselinux/man/man3/setfilecon_raw.3 b/libselinux/man/man3/setfilecon_raw.3
+new file mode 100644
+index 0000000..33c321a
+--- /dev/null
++++ b/libselinux/man/man3/setfilecon_raw.3
+@@ -0,0 +1 @@
++.so man3/setfilecon.3
+diff --git a/libselinux/man/man3/setfscreatecon_raw.3 b/libselinux/man/man3/setfscreatecon_raw.3
+new file mode 100644
+index 0000000..21aeebd
+--- /dev/null
++++ b/libselinux/man/man3/setfscreatecon_raw.3
+@@ -0,0 +1 @@
++.so man3/getfscreatecon.3
+diff --git a/libselinux/man/man3/setkeycreatecon_raw.3 b/libselinux/man/man3/setkeycreatecon_raw.3
+new file mode 100644
+index 0000000..1e0ec5f
+--- /dev/null
++++ b/libselinux/man/man3/setkeycreatecon_raw.3
+@@ -0,0 +1 @@
++.so man3/getkeycreatecon.3
+diff --git a/libselinux/man/man3/setsockcreatecon_raw.3 b/libselinux/man/man3/setsockcreatecon_raw.3
+new file mode 100644
+index 0000000..ed1a371
+--- /dev/null
++++ b/libselinux/man/man3/setsockcreatecon_raw.3
+@@ -0,0 +1 @@
++.so man3/getsockcreatecon.3
+diff --git a/libselinux/man/man5/booleans.5 b/libselinux/man/man5/booleans.5
+index 8efc889..2e9caa7 100644
+--- a/libselinux/man/man5/booleans.5
++++ b/libselinux/man/man5/booleans.5
+@@ -1,8 +1,7 @@
+ .TH "booleans" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-booleans \- The SELinux booleans configuration files.
+-
++booleans \- The SELinux booleans configuration files
++.
+ .SH "DESCRIPTION"
+ The \fIbooleans\fR file, if present contains booleans to support a specific distribution.
+ .sp
+@@ -36,7 +35,7 @@ Looks for a \fIbooleans\fR and/or \fIbooleans.local\fR file at \fBselinux_boolea
+ .RE
+ .sp
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+-
++.
+ .SH "FILE FORMAT"
+ Both boolean files have the same format and contain one or more boolean names and their value.
+ .sp
+@@ -69,11 +68,13 @@ file (see
+ .BR selinux_config "(5)), then " selinux_mkload_policy "(3) will check for a "
+ .I booleans.local
+ file in the
+-.B selinux_booleans_path
++.BR selinux_booleans_path (3)
+ and also a
+ .I local.users
+ file (see
+ .BR local.users "(5)) in the " selinux_users_path "(3). "
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " booleans "(8), " setsebool "(8), " semanage "(8), " selinux_booleans_path "(3), " security_set_boolean_list "(3), " security_load_booleans "(3), " selinux_mkload_policy "(3), " selinux_users_path "(3), " selinux_config "(5), " local.users "(5) "
+diff --git a/libselinux/man/man5/customizable_types.5 b/libselinux/man/man5/customizable_types.5
+index c2180f9..4924f7b 100644
+--- a/libselinux/man/man5/customizable_types.5
++++ b/libselinux/man/man5/customizable_types.5
+@@ -1,20 +1,21 @@
+ .TH "customizable_types" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-customizable_types \- The SELinux customizable types configuration file.
+-
++customizable_types \- The SELinux customizable types configuration file
++.
+ .SH "DESCRIPTION"
+ The \fIcustomizable_types\fR file contains a list of types that can be customised in some way by SELinux-aware applications.
+ .sp
+ Generally this is a file context type that is usually set on files that need to be shared among certain domains and where the administrator wants to manually manage the type.
+ .sp
+ The use of customizable types is deprecated as the preferred approach is to use
+-.B semanage fcontext ...
+-(8). However, SELinux-aware applications such as
+-.BR setfiles "(8) "
++.BR semanage (8)
++.BR fcontext (8)
++.BR ... (8).
++However, SELinux-aware applications such as
++.BR setfiles (8)
+ will use this information to obtain a list of types relating to files that should not be relabeled.
+ .sp
+-.BR selinux_customizable_types_path "(3) "
++.BR selinux_customizable_types_path (3)
+ will return the active policy path to this file. The default customizable types file is:
+ .RS
+ .I /etc/selinux/{SELINUXTYPE}/contexts/customizable_types
+@@ -22,9 +23,9 @@ will return the active policy path to this file. The default customizable types
+ .sp
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+ .sp
+-.BR is_context_customizable "(3) "
++.BR is_context_customizable (3)
+ reads this file to determine if a context is customisable or not for the active policy.
+-
++.
+ .SH "FILE FORMAT"
+ Each line in the file consists of the following:
+ .RS
+@@ -38,7 +39,7 @@ Where:
+ The type defined in the policy that can be customised.
+ .RE
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ # ./contexts/customizable_types
+ .br
+@@ -51,6 +52,8 @@ public_content_t
+ swapfile_t
+ .br
+ sysadm_untrusted_content_t
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " selinux_customizable_types_path "(3), " is_context_customizable "(3), " semanage "(8), " setfiles "(8), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/default_contexts.5 b/libselinux/man/man5/default_contexts.5
+index e377e55..f63d24a 100644
+--- a/libselinux/man/man5/default_contexts.5
++++ b/libselinux/man/man5/default_contexts.5
+@@ -1,8 +1,7 @@
+ .TH "default_contexts" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-default_contexts \- The SELinux default contexts configuration file.
+-
++default_contexts \- The SELinux default contexts configuration file
++.
+ .SH "DESCRIPTION"
+ The default contexts configuration file \fIdefault_contexts\fR contains entries that allow SELinux-aware login applications such as
+ .BR PAM "(8) "
+@@ -32,7 +31,7 @@ The default context configuration file path for the active policy is returned by
+ .RE
+ .sp
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+-
++.
+ .SH "FILE FORMAT"
+ Each line in the default configuration file consists of the following:
+ .RS
+@@ -50,7 +49,7 @@ This consists of a \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entry that represents
+ This consists of one or more \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entries that represent the user login process context defined in the policy.
+ .RE
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ # ./contexts/default_contexts
+ .br
+@@ -65,6 +64,8 @@ system_r:sshd_t:s0 user_r:user_t:s0
+ system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
+ .br
+ system_r:xdm_t:s0 user_r:user_t:s0
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " selinux_default_contexts_path "(3), " PAM "(8), " selinux_default_type_path "(3), " get_default_context "(3), " get_ordered_context_list "(3), " get_ordered_context_list_with_level "(3), " get_default_context_with_level "(3), " get_default_context_with_role "(3), " get_default_context_with_rolelevel "(3), " query_user_context "(3), " manual_user_enter_context "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/default_type.5 b/libselinux/man/man5/default_type.5
+index 45f4806..082a5f0 100644
+--- a/libselinux/man/man5/default_type.5
++++ b/libselinux/man/man5/default_type.5
+@@ -1,8 +1,7 @@
+ .TH "default_type" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-default_type \- The SELinux default type configuration file.
+-
++default_type \- The SELinux default type configuration file
++.
+ .SH "DESCRIPTION"
+ The \fIdefault_type\fR file contains entries that allow SELinux-aware applications such as \fBnewrole\fR(1) to select a default type for a role if one is not supplied.
+ .sp
+@@ -14,7 +13,7 @@ The \fIdefault_type\fR file contains entries that allow SELinux-aware applicatio
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+ .sp
+ \fBget_default_type\fR(3) reads this file to determine a type for the active policy.
+-
++.
+ .SH "FILE FORMAT"
+ Each line within the \fIdefault_type\fR file is formatted with \fIrole\fB:\fItype\fR entries where:
+ .RS
+@@ -26,13 +25,15 @@ The SELinux role.
+ .RS
+ The domain type that is returned for this role.
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ # ./contexts/default_type
+ .br
+ auditadm_r:auditadm_t
+ .br
+ user_r:user_t
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " get_default_type "(3), " newrole "(1), " selinux_default_type_path "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/failsafe_context.5 b/libselinux/man/man5/failsafe_context.5
+index ef8e9ac..e7032e5 100644
+--- a/libselinux/man/man5/failsafe_context.5
++++ b/libselinux/man/man5/failsafe_context.5
+@@ -1,8 +1,7 @@
+ .TH "failsafe_context" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-failsafe_context \- The SELinux fail safe context configuration file.
+-
++failsafe_context \- The SELinux fail safe context configuration file
++.
+ .SH "DESCRIPTION"
+ The
+ .I failsafe_context
+@@ -37,7 +36,7 @@ The following functions read this file from the active policy path if they canno
+ .br
+ .BR manual_user_enter_context "(3) "
+ .RE
+-
++.
+ .SH "FILE FORMAT"
+ The file consists of a single line entry as follows:
+ .RS
+@@ -53,11 +52,13 @@ Where:
+ A role, type and optional range (for MCS/MLS), separated by colons (:) to form a valid login process context for an administrator to access the system.
+ .RE
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ # ./contexts/failsafe_context
+ .br
+ unconfined_r:unconfined_t:s0
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " selinux_failsafe_context_path "(3), " PAM "(8), " selinux_default_type_path "(3), " get_default_context "(3), " get_ordered_context_list "(3), " get_ordered_context_list_with_level "(3), " get_default_context_with_level "(3), " get_default_context_with_role "(3), " get_default_context_with_rolelevel "(3), " query_user_context "(3), " manual_user_enter_context "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/local.users.5 b/libselinux/man/man5/local.users.5
+index 8347ae8..94d4673 100644
+--- a/libselinux/man/man5/local.users.5
++++ b/libselinux/man/man5/local.users.5
+@@ -1,8 +1,7 @@
+ .TH "local.users" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-local.users \- The SELinux local users configuration file.
+-
++local.users \- The SELinux local users configuration file
++.
+ .SH "DESCRIPTION"
+ The file contains local user definitions in the form of policy language user statements and is only found on older SELinux systems as it has been deprecated and replaced by the \fBsemange\fR(8) services.
+ .sp
+@@ -15,7 +14,7 @@ will return the active policy path to the directory where this file is located.
+ .RE
+ .sp
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+-
++.
+ .SH "FILE FORMAT"
+ The file consists of one or more entries terminated with '\fB;\fR', each on a separate line as follows:
+ .RS
+@@ -57,11 +56,13 @@ If MLS/MCS is configured, the range keyword.
+ The current and clearance levels that the user can run. These are separated by a hyphen '\fB-\fR' as shown in the \fBEXAMPLE\fR section.
+ .RE
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ # ./users/local.users
+ .br
+-user test_u roles staff_r level s0 range s0 - s15:c0.c1023;
+-
++user test_u roles staff_r level s0 range s0 \- s15:c0.c1023;
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " semanage "(8), " selinux_users_path "(3), " selinux_config "(5), " selinux_mkload_policy "(3) "
+diff --git a/libselinux/man/man5/removable_context.5 b/libselinux/man/man5/removable_context.5
+index 72d3d4c..60aaa93 100644
+--- a/libselinux/man/man5/removable_context.5
++++ b/libselinux/man/man5/removable_context.5
+@@ -1,8 +1,7 @@
+ .TH "removable_context" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-removable_context \- The SELinux removable devices context configuration file.
+-
++removable_context \- The SELinux removable devices context configuration file
++.
+ .SH "DESCRIPTION"
+ This file contains the default label that should be used for removable devices that are not defined in the \fImedia\fR file (that is described in
+ .BR selabel_media "(5)). "
+@@ -14,7 +13,7 @@ will return the active policy path to this file. The default removable context f
+ .RE
+ .sp
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+-
++.
+ .SH "FILE FORMAT"
+ The file consists of a single line entry as follows:
+ .RS
+@@ -28,10 +27,11 @@ Where:
+ A user, role, type and optional range (for MCS/MLS) separated by colons (:) that will be applied to removable devices.
+ .RE
+ .RE
++.
+ .SH "EXAMPLE"
+ # ./contexts/removable_contexts
+ .br
+ system_u:object_r:removable_t:s0
+-
++.
+ .SH "SEE ALSO"
+ .BR selinux "(8), " selinux_removable_context_path "(3), " selabel_media "(5), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
+index e50d560..b834577 100644
+--- a/libselinux/man/man5/secolor.conf.5
++++ b/libselinux/man/man5/secolor.conf.5
+@@ -1,8 +1,7 @@
+ .TH "secolor.conf" "5" "08 April 2011" "SELinux API documentation"
+-
+ .SH "NAME"
+-secolor.conf \- The SELinux color configuration file.
+-
++secolor.conf \- The SELinux color configuration file
++.
+ .SH "DESCRIPTION"
+ This optional file controls the color to be associated to the context components associated to the
+ .I raw
+@@ -15,7 +14,7 @@ obtains this color information from the active policy
+ .B secolor.conf
+ file as returned by
+ .BR selinux_colors_path "(3)."
+-
++.
+ .SH "FILE FORMAT"
+ The file format is as follows:
+ .RS
+@@ -86,7 +85,7 @@ A
+ .I color_mask
+ may also be used.
+ .RE
+-
++.
+ .SH "EXAMPLES"
+ Example 1 entries are:
+ .RS
+@@ -112,17 +111,17 @@ role * = white black
+ .br
+ type * = tan orange
+ .br
+-range s0-s0:c0.c1023 = black green
++range s0\-s0:c0.c1023 = black green
+ .br
+-range s1-s1:c0.c1023 = white green
++range s1\-s1:c0.c1023 = white green
+ .br
+-range s3-s3:c0.c1023 = black tan
++range s3\-s3:c0.c1023 = black tan
+ .br
+-range s5-s5:c0.c1023 = white blue
++range s5\-s5:c0.c1023 = white blue
+ .br
+-range s7-s7:c0.c1023 = black red
++range s7\-s7:c0.c1023 = black red
+ .br
+-range s9-s9:c0.c1023 = black orange
++range s9\-s9:c0.c1023 = black orange
+ .br
+ range s15:c0.c1023 = black yellow
+ .RE
+@@ -174,8 +173,6 @@ role * = black white
+ .br
+ type * = black white
+ .RE
+-
++.
+ .SH "SEE ALSO"
+ .BR selinux "(8), " selinux_raw_context_to_color "(3), " selinux_colors_path "(3)"
+-
+-
+diff --git a/libselinux/man/man5/securetty_types.5 b/libselinux/man/man5/securetty_types.5
+index 3f13fdd..dbc5c2e 100644
+--- a/libselinux/man/man5/securetty_types.5
++++ b/libselinux/man/man5/securetty_types.5
+@@ -1,8 +1,7 @@
+ .TH "securetty_types" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-securetty_types \- The SELinux secure tty type configuration file.
+-
++securetty_types \- The SELinux secure tty type configuration file
++.
+ .SH "DESCRIPTION"
+ The
+ .I securetty_types
+@@ -20,7 +19,7 @@ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIco
+ .sp
+ SELinux-aware applications such as
+ .BR newrole "(1) use this information to check the status of a tty. "
+-
++.
+ .SH "FILE FORMAT"
+ Each line in the file consists of the following entry:
+ .sp
+@@ -30,7 +29,7 @@ Each line in the file consists of the following entry:
+ One or more type entries that are defined in the policy for secure tty devices.
+ .RE
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ # ./contexts/securetty_types
+ .br
+@@ -39,6 +38,8 @@ sysadm_tty_device_t
+ user_tty_device_t
+ .br
+ staff_tty_device_t
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " selinux_securetty_types_path "(3), " newrole "(1), " selinux_check_securetty_context "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/selabel_db.5 b/libselinux/man/man5/selabel_db.5
+index c809d18..b3342f6 100644
+--- a/libselinux/man/man5/selabel_db.5
++++ b/libselinux/man/man5/selabel_db.5
+@@ -3,9 +3,10 @@
+ .\" Author: KaiGai Kohei 2009
+ .TH "selabel_db" "5" "01 DEC 2011" "Security Enhanced Linux" "SELinux API documentation"
+ .SH "NAME"
+-selabel_db \- userspace SELinux labeling interface and configuration file format for the RDBMS objects context backend.
++selabel_db \- userspace SELinux labeling interface and configuration file format for the RDBMS objects context backend
++.
+ .SH "SYNOPSIS"
+-..B #include
++.B #include
+ .sp
+ .BI "int selabel_lookup(struct selabel_handle *" hnd ,
+ .in +\w'int selabel_lookup('u
+@@ -19,7 +20,7 @@ selabel_db \- userspace SELinux labeling interface and configuration file format
+ .BI "security_context_t *" context ,
+ .br
+ .BI "const char *" object_name ", int " object_type ");"
+-
++.
+ .SH "DESCRIPTION"
+ The DB contexts backend maps from a pair of object name and class into security contexts. It is used to find the appropriate context for database objects when relabeling a certain database. The returned \fIcontext\fR must be freed using \fBfreecon\fR(3).
+ .br
+@@ -87,13 +88,15 @@ The
+ argument specifies the name of a language object, such as "postgres.public.tcl".
+ .RE
+ .sp
+-Any messages generated by \fBselabel_lookup\fR are sent to \fIstderr\fR by default, although this can be changed by \fBselinux_set_callback\fR(3).
++Any messages generated by \fBselabel_lookup\fR(3) are sent to \fIstderr\fR
++by default, although this can be changed by \fBselinux_set_callback\fR(3).
+ .sp
+-.B selabel_lookup_raw
+-behaves identically to \fBselabel_lookup\fR but does not perform context translation.
++.BR selabel_lookup_raw (3)
++behaves identically to \fBselabel_lookup\fR(3) but does not perform context
++translation.
+ .sp
+ The \fBFILES\fR section details the configuration files used to determine the database object context.
+-
++.
+ .SH "OPTIONS"
+ In addition to the global options described in \fBselabel_open\fR(3), this backend recognizes the following options:
+ .RS
+@@ -102,7 +105,7 @@ In addition to the global options described in \fBselabel_open\fR(3), this backe
+ A non-null value for this option specifies a path to a file that will be opened in lieu of the standard DB contexts file.
+ It tries to open the specfile designed for SE-PostgreSQL as default, so if another RDBMS uses this interface, it needs to give an explicit specfile designed for that RDBMS (see the \fBFILES\fR section for details).
+ .RE
+-
++.
+ .SH "FILES"
+ The database context file used to retrieve a context depends on the \fBSELABEL_OPT_PATH\fR parameter passed to \fBselabel_open\fR(3). If \fINULL\fR, then the \fBSELABEL_OPT_PATH\fR value will default to the active policy database contexts location (as returned by \fBselinux_sepgsql_context_path\fR(3)), otherwise the actual \fBSELABEL_OPT_PATH\fR value specified is used (this option must be used to support databases other than SE-PostgreSQL).
+ .sp
+@@ -114,7 +117,7 @@ The default database object contexts file is:
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+ .sp
+ The entries within the database contexts file are shown in the \fBObject Name String Values\fR and \fBFILE FORMAT\fR sections.
+-
++.
+ .SH "Object Name String Values"
+ The string name assigned to each \fIobject_type\fR argument that can be present in the database contexts file are:
+ .TS
+@@ -133,7 +136,7 @@ SELABEL_DB_PROCEDURE@db_procedure
+ SELABEL_DB_SEQUENCE@db_sequence
+ SELABEL_DB_BLOB@db_blob
+ .TE
+-
++.
+ .SH "FILE FORMAT"
+ Each line within the database contexts file is as follows:
+ .RS
+@@ -177,7 +180,7 @@ db_tuple row_low system_u:object_r:sepgsql_table_t:s0
+ db_tuple row_high system_u:object_r:sepgsql_table_t:s0:c1023
+ .br
+ db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0
+-
++.
+ .SH "NOTES"
+ .IP "1." 4
+ A suitable database contexts file needs to be written for the target RDBMS and the \fBSELABEL_OPT_PATH\fR option must be used in \fBselabel_open\fR(3) to load it.
+@@ -188,11 +191,17 @@ SE-PostgreSQL has a namespace hierarchy where a database is the top level object
+ .RS
+ .RS
+ .sp
+-If a security context is required for "my_table" table in the "public" schema within the "postgres" database, then the \fBselabel_lookup\fR parameters for \fIobject_type\fR would be \fBSELABEL_DB_TABLE\fR and the \fIobject_name\fR would be "postgres.public.my_table", the security context (if available), would be returned in \fIcontext\fR.
++If a security context is required for "my_table" table in the "public"
++schema within the "postgres" database, then the \fBselabel_lookup\fR(3)
++parameters for \fIobject_type\fR would be \fBSELABEL_DB_TABLE\fR and the
++\fIobject_name\fR would be "postgres.public.my_table", the security
++context (if available), would be returned in \fIcontext\fR.
+ .RE
+ .RE
+ .IP "3." 4
+ If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If this is not set, then it is possible for an invalid context to be returned.
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " selinux_sepgsql_context_path "(3), " freecon "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
+index 8a1f826..5703f27 100644
+--- a/libselinux/man/man5/selabel_file.5
++++ b/libselinux/man/man5/selabel_file.5
+@@ -3,7 +3,8 @@
+ .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
+ .TH "selabel_file" "5" "01 Dec 2011" "Security Enhanced Linux" "SELinux API documentation"
+ .SH "NAME"
+-selabel_file \- userspace SELinux labeling interface and configuration file format for the file contexts backend.
++selabel_file \- userspace SELinux labeling interface and configuration file format for the file contexts backend
++.
+ .SH "SYNOPSIS"
+ .B #include
+ .sp
+@@ -19,7 +20,7 @@ selabel_file \- userspace SELinux labeling interface and configuration file form
+ .BI "security_context_t *" context ,
+ .br
+ .BI "const char *" path ", int " mode ");"
+-
++.
+ .SH "DESCRIPTION"
+ The file contexts backend maps from pathname/mode combinations into security contexts. It is used to find the appropriate context for each file when relabeling a file system. The returned \fIcontext\fR must be freed using \fBfreecon\fR(3).
+ .br
+@@ -32,13 +33,15 @@ No context corresponding to the \fIpath\fR and \fImode\fR was found - This will
+ .sp
+ The \fIpath\fR argument should be set to the full pathname of the file whose assigned context is being checked. The \fImode\fR argument should be set to the mode bits of the file, as determined by \fBlstat\fR(2). \fImode\fR may be zero, however full matching may not occur.
+ .sp
+-Any messages generated by \fBselabel_lookup\fR are sent to \fIstderr\fR by default, although this can be changed by \fBselinux_set_callback\fR(3).
++Any messages generated by \fBselabel_lookup\fR(3) are sent to \fIstderr\fR ++by default, although this can be changed by \fBselinux_set_callback\fR(3). + .sp +-.B selabel_lookup_raw +-behaves identically to \fBselabel_lookup\fR but does not perform context translation. ++.BR selabel_lookup_raw (3) ++behaves identically to \fBselabel_lookup\fR(3) but does not perform context ++translation. + .sp + The \fBFILES\fR section details the configuration files used to determine a file context. +- ++. + .SH "OPTIONS" + In addition to the global options described in + .BR selabel_open (3), +@@ -54,7 +57,7 @@ A non-null value for this option indicates that any local customizations to the + .B SELABEL_OPT_SUBSET + A non-null value for this option is interpreted as a path prefix, for example "/etc". Only file context specifications starting with the given prefix are loaded. This may increase lookup performance, however any attempt to look up a path not starting with the given prefix will fail. + .RE +- ++. + .SH "FILES" + The file context files used to retrieve the default context depends on the \fBSELABEL_OPT_PATH\fR parameter passed to \fBselabel_open\fR(3). If \fINULL\fR, then the \fBSELABEL_OPT_PATH\fR value will default to the active policy file contexts location (as returned by \fBselinux_file_context_path\fR(3)), otherwise the actual \fBSELABEL_OPT_PATH\fR value specified is used. + .sp +@@ -104,7 +107,7 @@ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIco + Only the \fIfile_contexts\fR file is mandatory, the remainder are optional. + .sp + The entries within the file contexts series of files are shown in the \fBFILE FORMAT\fR section. +- ++. 
+ .SH "FILE FORMAT" + .sp + .SH "File Contexts Format" +@@ -126,13 +129,13 @@ An entry that defines the pathname that may be in the form of a regular expressi + .RS + An optional file type consisting of: + .RS +-\fI\-b\fR \- Block Device \fI\-c\fR \- Character Device ++\fI\-b\fR - Block Device \fI\-c\fR - Character Device + .br +-\fI\-d\fR \- Directory \fI\-p\fR \- Named Pipe ++\fI\-d\fR - Directory \fI\-p\fR - Named Pipe + .br +-\fI\-l\fR \- Symbolic Link \fI\-s\fR \- Socket ++\fI\-l\fR - Symbolic Link \fI\-s\fR - Socket + .br +-\fI\-\-\fR \- Ordinary file ++\fI\-\-\fR - Ordinary file + .RE + .RE + .I context +@@ -155,12 +158,11 @@ Example: + .br + /.* system_u:object_r:default_t:s0 + .br +-/[^/]+ -- system_u:object_r:etc_runtime_t:s0 ++/[^/]+ \-\- system_u:object_r:etc_runtime_t:s0 + .br + /tmp/.* <> + .RE + .sp +- + .SH "Substitution File Format" + .sp + Each line within the substitution files (\fI.subs\fR and \fI.subs_dist\fR) has the form: +@@ -190,14 +192,15 @@ Example: + .br + /myspool /var/spool/mail + .sp +-Using the above example, when \fBselabel_lookup\fR is passed a path of \fI/myweb/index.html\fR the function will substitute the \fI/myweb\fR component with \fI/var/www\fR, therefore the path used is: ++Using the above example, when \fBselabel_lookup\fR(3) is passed a path of ++\fI/myweb/index.html\fR the function will substitute the \fI/myweb\fR ++component with \fI/var/www\fR, therefore the path used is: + .sp + .RS + .I /var/www/index.html + .RE + .RE +-.sp +- ++. + .SH "NOTES" + .IP "1." 4 + If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If this is not set, then it is possible for an invalid context to be returned. +@@ -208,6 +211,8 @@ requested validates the entries. If possible use the \fBSELABEL_OPT_SUBSET\fR op + Depending on the version of SELinux it is possible that a \fIfile_contexts.template\fR file may also be present, however this is now deprecated. 
+ .br + The template file has the same format as the \fIfile_contexts\fR file and may also contain the keywords \fBHOME_ROOT\fR, \fBHOME_DIR\fR, \fBROLE\fR and \fBUSER\fR. This functionality has now been moved to the policy store and managed by \fBsemodule\fR(8) and \fBgenhomedircon\fR(8). +- ++. + .SH "SEE ALSO" ++.ad l ++.nh + .BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " selinux_file_context_path "(3), " freecon "(3), " selinux_config "(5), " lstat "(2), "selinux_file_context_subs_path "(3), " selinux_file_context_subs_dist_path "(3), " selinux_file_context_homedir_path "(3), "selinux_file_context_local_path "(3), " semodule "(8), " genhomedircon "(8) " +diff --git a/libselinux/man/man5/selabel_media.5 b/libselinux/man/man5/selabel_media.5 +index 0df1961..398f0fc 100644 +--- a/libselinux/man/man5/selabel_media.5 ++++ b/libselinux/man/man5/selabel_media.5 +@@ -3,8 +3,8 @@ + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007 + .TH "selabel_media" "5" "29 Nov 2011" "Security Enhanced Linux" "SELinux API documentation" + .SH "NAME" +-selabel_media \- userspace SELinux labeling interface and configuration file format for the media contexts backend. +- ++selabel_media \- userspace SELinux labeling interface and configuration file format for the media contexts backend ++. + .SH "SYNOPSIS" + .B #include + .sp +@@ -20,7 +20,7 @@ selabel_media \- userspace SELinux labeling interface and configuration file for + .BI "security_context_t *" context , + .br + .BI "const char *" device_name ", int " unused ");" +- ++. + .SH "DESCRIPTION" + The media contexts backend maps from media device names such as "cdrom" or "floppy" into security contexts. It is used to find the appropriate context for establishing context mounts on these devices. The returned \fIcontext\fR must be freed using \fBfreecon\fR(3). 
+ .br +@@ -28,19 +28,21 @@ The media contexts backend maps from media device names such as "cdrom" or "flop + .sp + The integer lookup argument is currently unused and should be set to zero. + .sp +-Any messages generated by \fBselabel_lookup\fR are sent to \fIstderr\fR by default, although this can be changed by \fBselinux_set_callback\fR(3). ++Any messages generated by \fBselabel_lookup\fR(3) are sent to \fIstderr\fR ++by default, although this can be changed by \fBselinux_set_callback\fR(3). + .sp +-.B selabel_lookup_raw +-behaves identically to \fBselabel_lookup\fR but does not perform context translation. ++.BR selabel_lookup_raw (3) ++behaves identically to \fBselabel_lookup\fR(3) but does not perform context ++translation. + .sp + The \fBFILES\fR section details the configuration files used to determine the media context. +- ++. + .SH "OPTIONS" + In addition to the global options described in \fBselabel_open\fR(3), this backend recognizes the following options: + .TP + .B SELABEL_OPT_PATH + A non-null value for this option specifies a path to a file that will be opened in lieu of the standard \fImedia\fR contexts file. +- ++. + .SH "FILES" + The media context file used to retrieve a default context depends on the \fBSELABEL_OPT_PATH\fR parameter passed to \fBselabel_open\FR(3). If \fINULL\fR, then the \fBSELABEL_OPT_PATH\fR value will default to the active policy media contexts location (as returned by \fBselinux_media_context_path\fR(3)), otherwise the actual \fBSELABEL_OPT_PATH\fR value specified is used. + .sp +@@ -52,7 +54,7 @@ The default media contexts file is: + Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)). + .sp + Should there not be a valid entry in the \fImedia\fR file, then the default \fIremovable_context\fR file will be read (see \fBremovable_context\fR(5)). +- ++. 
+ .SH "FILE FORMAT" + Each line within the \fImedia\fR file is as follows: + .RS +@@ -80,10 +82,12 @@ cdrom system_u:object_r:removable_device_t + floppy system_u:object_r:removable_device_t + .br + disk system_u:object_r:fixed_disk_device_t +- ++. + .SH "NOTES" + If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If + this is not set, then it is possible for an invalid context to be returned. +- ++. + .SH "SEE ALSO" ++.ad l ++.nh + .BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " selinux_media_context_path "(3), " freecon "(3), " selinux_config "(5), " removable_context "(5) " +diff --git a/libselinux/man/man5/selabel_x.5 b/libselinux/man/man5/selabel_x.5 +index 60bf3f2..5a38a8d 100644 +--- a/libselinux/man/man5/selabel_x.5 ++++ b/libselinux/man/man5/selabel_x.5 +@@ -2,10 +2,9 @@ + .\" + .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007 + .TH "selabel_x" "5" "29 Nov 2011" "Security Enhanced Linux" "SELinux API documentation" +- + .SH "NAME" +-selabel_x \- userspace SELinux labeling interface and configuration file format for the X Window System contexts backend. This backend is also used to determine the default context for labeling remotely connected X clients. +- ++selabel_x \- userspace SELinux labeling interface and configuration file format for the X Window System contexts backend. This backend is also used to determine the default context for labeling remotely connected X clients ++. + .SH "SYNOPSIS" + .B #include + .sp +@@ -21,7 +20,7 @@ selabel_x \- userspace SELinux labeling interface and configuration file format + .BI "security_context_t *" context , + .br + .BI "const char *" object_name ", int " object_type ");" +- ++. + .SH "DESCRIPTION" + The X contexts backend maps from X Window System object names into security contexts. 
It is used to find the appropriate context for X Window System objects whose significance and/or usage semantics are determined primarily by name. The returned \fIcontext\fR must be freed using \fBfreecon\fR(3). + .br +@@ -74,7 +73,7 @@ Any messages generated by \fBselabel_lookup\fR(3) are sent to \fIstderr\fR by de + behaves identically to \fBselabel_lookup\fR but does not perform context translation. + .sp + The \fBFILES\fR section details the configuration files used to determine the X object context. +- ++. + .SH "OPTIONS" + In addition to the global options described in \fBselabel_open\fR(3), this backend recognizes the following options: + .RS +@@ -82,7 +81,7 @@ In addition to the global options described in \fBselabel_open\fR(3), this backe + .B SELABEL_OPT_PATH + A non-null value for this option specifies a path to a file that will be opened in lieu of the standard X contexts file (see the \fBFILES\fR section for details). + .RE +- ++. + .SH "FILES" + The X context file used to retrieve a default context depends on the \fBSELABEL_OPT_PATH\fR parameter passed to \fBselabel_open\fR(3). If \fINULL\fR, then the \fBSELABEL_OPT_PATH\fR value will default to the active policy X contexts location (as returned by \fBselinux_x_context_path\fR(3)), otherwise the actual \fBSELABEL_OPT_PATH\fR value specified is used. + .sp +@@ -94,7 +93,7 @@ The default X object contexts file is: + Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)). + .sp + The entries within the X contexts file are shown in the \fBObject Name String Values\fR and \fBFILE FORMAT\fR sections. +- ++. + .SH "Object Name String Values" + The string name assigned to each \fIobject_type\fR argument that can be present in the X contexts file are: + .TS +@@ -110,7 +109,7 @@ SELABEL_X_CLIENT@client + SELABEL_X_POLYPROP@poly_property + SELABEL_X_POLYSELN@poly_selection + .TE +- ++. 
+ .SH "FILE FORMAT" + Each line within the X contexts file is as follows: + .RS +@@ -126,7 +125,10 @@ There can be multiple lines with the same \fIobject_type\fR string that will for + .RE + .I object_name + .RS +-These are the object names of the specific X-server resource such as \fBPRIMARY\fR, \fBCUT_BUFFER0\fR etc. They are generally defined in the X\-server source code (\fIprotocol.txt\fR and \fIBuiltInAtoms\fR in the dix directory of the xorg\-server source package). ++These are the object names of the specific X-server resource such as ++\fBPRIMARY\fR, \fBCUT_BUFFER0\fR etc. They are generally defined in the ++X-server source code (\fIprotocol.txt\fR and \fIBuiltInAtoms\fR in the ++dix directory of the xorg\-server source package). + The entry can contain '*' for wildcard matching or '?' for substitution. + Note that if the '*' is used, then be aware that the order of entries in the file is important. The '*' on its own is used to ensure a default fallback context is assigned and should be the last entry in the \fIobject_type\fR block. + .RE +@@ -138,23 +140,27 @@ The security context that will be applied to the object. + .sp + Example 1: + .sp ++.nf + # object_type object_name context +-.br + selection PRIMARY system_u:object_r:clipboard_xselection_t:s0 +-.br + selection * system_u:object_r:xselection_t:s0 ++.fi + .sp +-Example 2 \- This example shows how a client entry can be configured to ensure an entry is always found: ++Example 2 - This example shows how a client entry can be configured to ++ensure an entry is always found: + .sp ++.nf + # object_type object_name context +-.br + client * system_u:object_r:remote_t:s0 +- ++.fi ++. + .SH "NOTES" + .IP "1." 4 + Properties and selections are marked as either polyinstantiated or not. For these name types, the "POLY" option searches only the names marked as being polyinstantiated, while the other option searches only the names marked as not being polyinstantiated. 
Users of the interface should check both mappings, optionally taking action based on the result (e.g. polyinstantiating the object).
+ .IP "2." 4
+ If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If this is not set, then it is possible for an invalid context to be returned.
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " selinux_x_context_path "(3), " freecon "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/service_seusers.5 b/libselinux/man/man5/service_seusers.5
+index 59a135a..385a326 100644
+--- a/libselinux/man/man5/service_seusers.5
++++ b/libselinux/man/man5/service_seusers.5
+@@ -1,8 +1,7 @@
+ .TH "service_seusers" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-service_seusers \- The SELinux GNU/Linux user and service to SELinux user mapping configuration files.
+-
++service_seusers \- The SELinux GNU/Linux user and service to SELinux user mapping configuration files
++.
+ .SH "DESCRIPTION"
+ These are optional files that allow services to define an SELinux user when authenticating via SELinux-aware login applications such as
+ .BR PAM "(8). "
+@@ -20,7 +19,7 @@ appended (where \fIusername\fR is a file representing the GNU/Linux user name).
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+ .sp
+ .BR getseuser "(3) reads this file to map services to an SELinux user. "
+-
++.
+ .SH "FILE FORMAT"
+ Each line within the \fIusername\fR file is formatted as follows with each component separated by a colon:
+ .RS
+@@ -42,9 +41,9 @@ The SELinux user name.
+ The range for MCS/MLS policies.
+ .RE
+ .RE
+-
++.
+ .SH "EXAMPLES"
+-Example 1 \- for the 'root' user:
++Example 1 - for the 'root' user:
+ .RS
+ # ./logins/root
+ .br
+@@ -53,7 +52,7 @@ ipa:user_u:s0
+ this_service:unconfined_u:s0
+ .RE
+ .sp
+-Example 2 \- for GNU/Linux user 'rch':
++Example 2 - for GNU/Linux user 'rch':
+ .RS
+ # ./logins/rch
+ .br
+@@ -61,6 +60,8 @@ ipa:unconfined_u:s0
+ .br
+ that_service:unconfined_u:s0
+ .RE
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " PAM "(8), " selinux_policy_root "(3), " getseuser "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/seusers.5 b/libselinux/man/man5/seusers.5
+index 8c99ee8..2512560 100644
+--- a/libselinux/man/man5/seusers.5
++++ b/libselinux/man/man5/seusers.5
+@@ -1,8 +1,7 @@
+ .TH "seusers" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-seusers \- The SELinux GNU/Linux user to SELinux user mapping configuration file.
+-
++seusers \- The SELinux GNU/Linux user to SELinux user mapping configuration file
++.
+ .SH "DESCRIPTION"
+ The
+ .I seusers
+@@ -17,7 +16,7 @@ will return the active policy path to this file. The default SELinux users mappi
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+ .sp
+ .BR getseuserbyname "(3) reads this file to map a GNU/Linux user or group to an SELinux user. "
+-
++.
+ .SH "FILE FORMAT"
+ Each line of the
+ .I seusers
+@@ -44,19 +43,21 @@ The SELinux user identity.
+ The optional level or range for an MLS/MCS policy.
+ .RE
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ # ./seusers
+ .br
+ system_u:system_u:s0\-s15:c0.c255
+ .br
+-root:root:s0-s15:c0.c255
++root:root:s0\-s15:c0.c255
+ .br
+ fred:user_u:s0
+ .br
+ __default__:user_u:s0
+ .br
+ %user_group:user_u:s0
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " PAM "(8), " selinux_usersconf_path "(3), " getseuserbyname "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/user_contexts.5 b/libselinux/man/man5/user_contexts.5
+index 2b3df7a..fc53d6c 100644
+--- a/libselinux/man/man5/user_contexts.5
++++ b/libselinux/man/man5/user_contexts.5
+@@ -1,8 +1,7 @@
+ .TH "user_contexts" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-user_contexts \- The SELinux user contexts configuration files.
+-
++user_contexts \- The SELinux user contexts configuration files
++.
+ .SH "DESCRIPTION"
+ These optional user context configuration files contain entries that allow SELinux-aware login applications such as
+ .BR PAM (8)
+@@ -28,7 +27,7 @@ SELinux-aware login applications generally use one or more of the following libs
+ .RE
+ .sp
+ There can be one file for each SELinux user configured on the system. The file path is formed using the path returned by
+-.BR selinux_user_contexts_path (3)
++.BR \%selinux_user_contexts_path (3)
+ for the active policy, with the SELinux user name appended, for example:
+ .RS
+ .I /etc/selinux/{SELINUXTYPE}/contexts/users/unconfined_u
+@@ -41,7 +40,7 @@ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIco
+ These files contain context information as described in the
+ .B FILE FORMAT
+ section.
+-
++.
+ .SH "FILE FORMAT"
+ Each line in the user context configuration file consists of the following:
+ .RS
+@@ -59,7 +58,7 @@ This consists of a \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entry that represents
+ This consists of a \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entry that represents the user login process context.
+ .RE
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ # Example for xguest_u at /etc/selinux/targeted/contexts/users/xguest_u
+ .br
+@@ -76,6 +75,8 @@ system_r:sshd_t:s0 xguest_r:xguest_t:s0
+ system_r:xdm_t:s0 xguest_r:xguest_t:s0
+ .br
+ xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " selinux_user_contexts_path "(3), " PAM "(8), " get_ordered_context_list "(3), " get_ordered_context_list_with_level "(3), " get_default_context_with_level "(3), " get_default_context_with_role "(3), " get_default_context_with_rolelevel "(3), " query_user_context "(3), " manual_user_enter_context "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/virtual_domain_context.5 b/libselinux/man/man5/virtual_domain_context.5
+index 6048f98..2f555a0 100644
+--- a/libselinux/man/man5/virtual_domain_context.5
++++ b/libselinux/man/man5/virtual_domain_context.5
+@@ -1,8 +1,7 @@
+ .TH "virtual_domain_context" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-virtual_domain_context \- The SELinux virtual machine domain context configuration file.
+-
++virtual_domain_context \- The SELinux virtual machine domain context configuration file
++.
+ .SH "DESCRIPTION"
+ The
+ .I virtual_domain_context
+@@ -15,7 +14,7 @@ will return the active policy path to this file. The default virtual domain cont
+ .RE
+ .sp
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+-
++.
+ .SH "FILE FORMAT"
+ Each line in the file consists of an entry as follows:
+ .RS
+@@ -29,11 +28,13 @@ Where:
+ A user, role, type and optional range (for MCS/MLS) separated by colons (:) that can be used as a virtual domain context.
+ .RE
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ # ./contexts/virtual_domain_context
+ .br
+ system_u:object_r:svirt_t:s0
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " libvirtd "(8), " selinux_virtual_domain_context_path "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man5/virtual_image_context.5 b/libselinux/man/man5/virtual_image_context.5
+index 4e9809b..04cbd79 100644
+--- a/libselinux/man/man5/virtual_image_context.5
++++ b/libselinux/man/man5/virtual_image_context.5
+@@ -1,8 +1,7 @@
+ .TH "virtual_image_context" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
+-
+ .SH "NAME"
+-virtual_image_context \- The SELinux virtual machine image context configuration file.
+-
++virtual_image_context \- The SELinux virtual machine image context configuration file
++.
+ .SH "DESCRIPTION"
+ The
+ .I virtual_image_context
+@@ -15,7 +14,7 @@ will return the active policy path to this file. The default virtual image conte
+ .RE
+ .sp
+ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
+-
++.
+ .SH "FILE FORMAT"
+ Each line in the file consists of an entry as follows:
+ .RS
+@@ -29,13 +28,15 @@ Where:
+ A user, role, type and optional range (for MCS/MLS) separated by colons (:) that can be used as a virtual image context.
+ .RE
+ .RE
+-
++.
+ .SH "EXAMPLE"
+ # ./contexts/virtual_image_context
+ .br
+ system_u:object_r:svirt_image_t:s0
+ .br
+ system_u:object_r:svirt_content_t:s0
+-
++.
+ .SH "SEE ALSO"
++.ad l
++.nh
+ .BR selinux "(8), " libvirtd "(8), " selinux_virtual_image_context_path "(3), " selinux_config "(5) "
+diff --git a/libselinux/man/man8/avcstat.8 b/libselinux/man/man8/avcstat.8
+index 1035331..6251591 100644
+--- a/libselinux/man/man8/avcstat.8
++++ b/libselinux/man/man8/avcstat.8
+@@ -1,31 +1,35 @@
+ .TH "avcstat" "8" "18 Nov 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+ .SH "NAME"
+ avcstat \- Display SELinux AVC statistics
+-
++.
+ .SH "SYNOPSIS" + .B avcstat +-.I [-c] [-f status_file] [interval] +- ++.RB [ \-c ] ++.RB [ \-f ++.IR status_file ] ++.RI [ interval ] ++. + .SH "DESCRIPTION" +-.B avcstat +- +-Display SELinux AVC statistics. If the interval parameter is specified, the +-program will loop, displaying updated statistics every 'interval' seconds. ++Display SELinux AVC statistics. If the ++.I interval ++parameter is specified, the program will loop, displaying updated ++statistics every ++.I interval ++seconds. + Relative values are displayed by default. +- ++. + .SH OPTIONS + .TP + .B \-c + Display the cumulative values. +- + .TP + .B \-f +-Specifies the location of the AVC statistics file, defaulting to '/selinux/avc/cache_stats'. +- +-.SH "SEE ALSO" +-selinux(8) +- ++Specifies the location of the AVC statistics file, defaulting to ++.IR /selinux/avc/cache_stats . ++. + .SH AUTHOR + This manual page was written by Dan Walsh . + The program was written by James Morris . +- ++. +.SH "SEE ALSO" -+secon(8), selinuxconlist(8) -diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2.0.90/src/callbacks.c ---- nsalibselinux/src/callbacks.c 2009-04-08 09:06:23.000000000 -0400 -+++ libselinux-2.0.90/src/callbacks.c 2010-01-18 16:52:28.000000000 -0500 -@@ -16,6 +16,7 @@ ++.BR selinux (8) +diff --git a/libselinux/man/man8/booleans.8 b/libselinux/man/man8/booleans.8 +index 89c7654..9c4dbc3 100644 +--- a/libselinux/man/man8/booleans.8 ++++ b/libselinux/man/man8/booleans.8 +@@ -1,11 +1,10 @@ + .TH "booleans" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" + .SH "NAME" +-booleans \- Policy booleans enable runtime customization of SELinux policy. +- ++booleans \- Policy booleans enable runtime customization of SELinux policy ++. + .SH "DESCRIPTION" + This manual page describes SELinux policy booleans. + .BR +- + The SELinux policy can include conditional rules that are enabled or + disabled based on the current values of a set of policy booleans. 
+ These policy booleans allow runtime modification of the security
+@@ -18,32 +17,42 @@ value.
+ 
+ The policy defines a default value for each boolean, typically false.
+ These default values can be overridden via local settings created via the
+-.B setsebool(8)
+-utility, using -P to make the setting persistent across reboots.
+-The
+-.B system-config-securitylevel
++.BR setsebool (8)
++utility, using
++.B \-P
++to make the setting persistent across reboots. The
++.B system\-config\-securitylevel
+ tool provides a graphical interface for altering
+ the settings. The
+-.B load_policy(8)
++.BR load_policy (8)
+ program will preserve
+ current boolean settings upon a policy reload by default, or can
+-optionally reset booleans to the boot-time defaults via the -b option.
++optionally reset booleans to the boot-time defaults via the
++.B \-b
++option.
+ 
+ Boolean values can be listed by using the
+-.B getsebool(8)
+-utility and passing it the -a option.
++.BR getsebool (8)
++utility and passing it the
++.B \-a
++option.
+ 
+ Boolean values can also be changed at runtime via the
+-.B setsebool(8)
++.BR setsebool (8)
+ utility or the
+-.B togglesebool
++.BR togglesebool (8)
+ utility. By default, these utilities only change the
+ current boolean value and do not affect the persistent settings,
+-unless the -P option is used to setsebool.
+-
++unless the
++.B \-P
++option is used to setsebool.
++.
+ .SH AUTHOR
+ This manual page was written by Dan Walsh .
+ The SELinux conditional policy support was developed by Tresys Technology.
+-
++.
+ .SH "SEE ALSO"
+-getsebool(8), setsebool(8), selinux(8), togglesebool(8)
++.BR getsebool (8),
++.BR setsebool (8),
++.BR selinux (8),
++.BR togglesebool (8)
+diff --git a/libselinux/man/man8/getenforce.8 b/libselinux/man/man8/getenforce.8
+index 8dc63c8..906279f 100644
+--- a/libselinux/man/man8/getenforce.8
++++ b/libselinux/man/man8/getenforce.8
+@@ -1,15 +1,18 @@
+ .TH "getenforce" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+ .SH "NAME"
+ getenforce \- get the current mode of SELinux
++.
+ .SH "SYNOPSIS"
+ .B getenforce
+-
++.
+ .SH "DESCRIPTION"
+ .B getenforce
+ reports whether SELinux is enforcing, permissive, or disabled.
+-
++.
+ .SH AUTHOR
+ Dan Walsh,
+-
++.
+ .SH "SEE ALSO"
+-selinux(8), setenforce(8), selinuxenabled(8)
++.BR selinux (8),
++.BR setenforce (8),
++.BR selinuxenabled (8)
+diff --git a/libselinux/man/man8/getsebool.8 b/libselinux/man/man8/getsebool.8
+index a4200ee..6353a2a 100644
+--- a/libselinux/man/man8/getsebool.8
++++ b/libselinux/man/man8/getsebool.8
+@@ -1,11 +1,12 @@
+ .TH "getsebool" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
+ .SH "NAME"
+ getsebool \- get SELinux boolean value(s)
+-
++.
+ .SH "SYNOPSIS"
+ .B getsebool
+-.I "[-a] [boolean]"
+-
++.RB [ \-a ]
++.RI [ boolean ]
++.
+ .SH "DESCRIPTION"
+ .B getsebool
+ reports where a particular SELinux boolean or
+@@ -20,16 +21,17 @@ value is changed, then the booleans are committed, causing their
+ active values to become their pending values. This allows a group of
+ booleans to be changed in a single transaction, by setting all of
+ their pending values as desired and then committing once.
+-
++.
+ .SH OPTIONS
+ .TP
+ .B \-a
+ Show all SELinux booleans.
+-
+-.SH "SEE ALSO"
+-selinux(8), setsebool(8), booleans(8)
+-
++.
+ .SH AUTHOR
+ This manual page was written by Dan Walsh .
+ The program was written by Tresys Technology.
+-
++.
++.SH "SEE ALSO"
++.BR selinux (8),
++.BR setsebool (8),
++.BR booleans (8)
+diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
+index 26ce74c..368991f 100644
+--- a/libselinux/man/man8/matchpathcon.8
++++ b/libselinux/man/man8/matchpathcon.8
+@@ -1,41 +1,57 @@
+ .TH "matchpathcon" "8" "21 April 2005" "dwalsh@redhat.com" "SELinux Command Line documentation"
+ .SH "NAME"
+-matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration.
+-
++matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration
++.
+ .SH "SYNOPSIS"
+-.B matchpathcon [-V] [-N] [-n] [-m type] [-f file_contexts_file ] [-p prefix ] filepath...
+-.SH "DESCRIPTION"
+ .B matchpathcon
++.RB [ \-V ]
++.RB [ \-N ]
++.RB [ \-n ]
++.RB [ \-m
++.IR type ]
++.RB [ \-f
++.IR file_contexts_file ]
++.RB [ \-p
++.IR prefix ]
++.I filepath...
++.
++.SH "DESCRIPTION"
++.BR matchpathcon
+ queries the system policy and outputs the default security context associated with the filepath.
+ 
+-Note: Identical paths can have different security contexts, depending on the file type. (regular file, directory, link file, char file ...)
++.B Note:
++Identical paths can have different security contexts, depending on the file
++type (regular file, directory, link file, char file ...).
+ 
+ .B matchpathcon
+ will also take the file type into consideration in determining the default security context if the file exists. If the file does not exist, no file type matching will occur.
+-
++.
+ .SH OPTIONS
+-.B \-m type
++.TP
++.BI \-m " type"
+ Force file type for the lookup.
+-Valid types are file, dir, pipe, chr_file, blk_file, lnk_file, sock_file
+-
++Valid types are
++.BR file ", " dir ", "pipe ", " chr_file ", " blk_file ", "
++.BR lnk_file ", " sock_file .
++.TP
+ .B \-n
+ Do not display path.
+-
++.TP
+ .B \-N
+ Do not use translations.
+-
+-.B \-f file_context_file
++.TP
++.BI \-f " file_context_file"
+ Use alternate file_context file
+-
+-.B \-p prefix
++.TP
++.BI \-p " prefix"
+ Use prefix to speed translations
+-
++.TP
+ .B \-V
+ Verify file context on disk matches defaults
+-
++.
+ .SH AUTHOR
+ This manual page was written by Dan Walsh .
+-
++.
+ .SH "SEE ALSO"
+ .BR selinux "(8), "
+-.BR matchpathcon "(3), "
++.BR matchpathcon (3)
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 9f16f77..a328866 100644
+--- a/libselinux/man/man8/selinux.8
++++ b/libselinux/man/man8/selinux.8
+@@ -1,10 +1,8 @@
+ .TH "selinux" "8" "29 Apr 2005" "dwalsh@redhat.com" "SELinux Command Line documentation"
+-
+ .SH "NAME"
+ SELinux \- NSA Security-Enhanced Linux (SELinux)
+-
++.
+ .SH "DESCRIPTION"
+-
+ NSA Security-Enhanced Linux (SELinux) is an implementation of a
+ flexible mandatory access control architecture in the Linux operating
+ system. The SELinux architecture provides general support for the
+@@ -52,31 +50,58 @@ policies will be created (Multi-Level Security for example). You can
+ define which policy you will run by setting the
+ .B SELINUXTYPE
+ environment variable within
+-.I /etc/selinux/config.
++.IR /etc/selinux/config .
+ The corresponding
+ policy configuration for each such policy must be installed in the
+-/etc/selinux/SELINUXTYPE/ directories.
++.I /etc/selinux/{SELINUXTYPE}/
++directories.
+ 
+ A given SELinux policy can be customized further based on a set of
+ compile-time tunable options and a set of runtime policy booleans.
+-.B system-config-securitylevel
++.B \%system\-config\-securitylevel
+ allows customization of these booleans and tunables.
+ 
+ Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy.
+-
+-.SH FILE LABELING
+-
++.
++.SH "FILE LABELING"
+ All files, directories, devices ... have a security context/label associated with them.
These context are stored in the extended attributes of the file system.
+ Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling.
+ 
+-The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-securitylevel, also has this capability. The restorcon/fixfiles commands are also available for relabeling files.
+-
++The best way to relabel the file system is to create the flag file
++.I /.autorelabel
++and reboot.
++.BR system\-config\-selinux ,
++also has this capability. The
++.BR restorcon / fixfiles
++commands are also available for relabeling files.
++.
+ .SH AUTHOR
+ This manual page was written by Dan Walsh .
+-
++.
++.SH FILES
++.I /etc/selinux/config
++.
+ .SH "SEE ALSO"
+-booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8), setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8)
++.ad l
++.nh
++.BR booleans (8),
++.BR setsebool (8),
++.BR selinuxenabled (8),
++.BR togglesebool (8),
++.BR restorecon (8),
++.BR setfiles (8),
++.BR semange (8),
++.BR sepolicy(8)
+ 
++Every confined service on the system has a man page in the following format:
++.br
+ 
+-.SH FILES
+-/etc/selinux/config
++.B _selinux(8)
++
++For example, httpd has the
++.B httpd_selinux(8)
++man page.
++
++.B man -k selinux
++
++Will list all SELinux man pages.
+diff --git a/libselinux/man/man8/selinuxenabled.8 b/libselinux/man/man8/selinuxenabled.8 +index b25431f..e0b5201 100644 +--- a/libselinux/man/man8/selinuxenabled.8 ++++ b/libselinux/man/man8/selinuxenabled.8 +@@ -1,16 +1,20 @@ + .TH "selinuxenabled" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" + .SH "NAME" + selinuxenabled \- tool to be used within shell scripts to determine if selinux is enabled ++. + .SH "SYNOPSIS" + .B selinuxenabled +- ++. + .SH "DESCRIPTION" +-.B selinuxenabled +-Indicates whether SELinux is enabled or disabled. It exits with status 0 +-if SELinux is enabled and 1 if it is not enabled. +- ++Indicates whether SELinux is enabled or disabled. ++. ++.SH "EXIT STATUS" ++It exits with status 0 if SELinux is enabled and 1 if it is not enabled. ++. + .SH AUTHOR + Dan Walsh, +- ++. + .SH "SEE ALSO" +-selinux(8), setenforce(8), getenforce(8) ++.BR selinux (8), ++.BR setenforce (8), ++.BR getenforce (8) +diff --git a/libselinux/man/man8/selinuxexeccon.8 b/libselinux/man/man8/selinuxexeccon.8 +index 6482d74..765cf8c 100644 +--- a/libselinux/man/man8/selinuxexeccon.8 ++++ b/libselinux/man/man8/selinuxexeccon.8 +@@ -1,24 +1,27 @@ + .TH "selinuxexeccon" "1" "14 May 2011" "dwalsh@redhat.com" "SELinux Command Line documentation" + .SH "NAME" + selinuxexeccon \- report SELinux context used for this executable +- ++. + .SH "SYNOPSIS" +-.B selinuxexeccon command [ fromcon] o +- ++.B selinuxexeccon ++.I command ++.RI [ fromcon ] ++. + .SH "DESCRIPTION" + .B selinuxexeccon + reports the SELinux process context for the specified command from the specified context or the current context. +- ++. + .SH EXAMPLE ++.nf + # selinuxexeccon /usr/bin/passwd + staff_u:staff_r:passwd_t:s0-s0:c0.c1023 + +-.br + # selinuxexeccon /usr/sbin/sendmail system_u:system_r:httpd_t:s0 + system_u:system_r:system_mail_t:s0 +- ++.fi ++. + .SH AUTHOR + This manual page was written by Dan Walsh . +- ++. 
+ .SH "SEE ALSO" +-secon(8) ++.BR secon (8) +diff --git a/libselinux/man/man8/setenforce.8 b/libselinux/man/man8/setenforce.8 +index 639883e..b038da0 100644 +--- a/libselinux/man/man8/setenforce.8 ++++ b/libselinux/man/man8/setenforce.8 +@@ -1,19 +1,31 @@ + .TH "setenforce" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" + .SH "NAME" +-setenforce \- modify the mode SELinux is running in. ++setenforce \- modify the mode SELinux is running in ++. + .SH "SYNOPSIS" +-.B setenforce [ Enforcing | Permissive | 1 | 0 ] +- ++.B setenforce ++.RB [ Enforcing | Permissive | 1 | 0 ] ++. + .SH "DESCRIPTION" +-Use Enforcing or 1 to put SELinux in enforcing mode. ++Use ++.B Enforcing ++or ++.B 1 ++to put SELinux in enforcing mode. + .br +-Use Permissive or 0 to put SELinux in permissive mode. ++Use ++.B Permissive ++or ++.B 0 ++to put SELinux in permissive mode. + + If SELinux is disabled and you want to enable it, or SELinux is enabled and you want to disable it, please see +-.B selinux(8). +- ++.BR selinux (8). ++. + .SH AUTHOR + Dan Walsh, +- ++. + .SH "SEE ALSO" +-selinux(8), getenforce(8), selinuxenabled(8) ++.BR selinux (8), ++.BR getenforce (8), ++.BR selinuxenabled (8) +diff --git a/libselinux/man/man8/togglesebool.8 b/libselinux/man/man8/togglesebool.8 +index ae21175..948aff1 100644 +--- a/libselinux/man/man8/togglesebool.8 ++++ b/libselinux/man/man8/togglesebool.8 +@@ -1,17 +1,22 @@ + .TH "togglesebool" "1" "26 Oct 2004" "sgrubb@redhat.com" "SELinux Command Line documentation" + .SH "NAME" + togglesebool \- flip the current value of a SELinux boolean ++. + .SH "SYNOPSIS" +-.B togglesebool boolean... +- ++.B togglesebool ++.I boolean... ++. + .SH "DESCRIPTION" + .B togglesebool + flips the current value of a list of booleans. If the value is currently a 1, + then it will be changed to a 0 and vice versa. Only the "in memory" values are + changed; the boot-time settings are unaffected. +- ++. 
+ .SH AUTHOR + This man page was written by Steve Grubb +- ++. + .SH "SEE ALSO" +-selinux(8), booleans(8), getsebool(8), setsebool(8) ++.BR selinux (8), ++.BR booleans (8), ++.BR getsebool (8), ++.BR setsebool (8) +diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile +index ac019df..c4f5d4c 100644 +--- a/libselinux/src/Makefile ++++ b/libselinux/src/Makefile +@@ -16,11 +16,11 @@ PYINC ?= $(shell pkg-config --cflags $(PYPREFIX)) + PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER) + RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")') + RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM') +-RUBYINC ?= $(shell pkg-config --cflags ruby-$(RUBYLIBVER)) ++RUBYINC ?= $(shell pkg-config --cflags ruby) + RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) + LIBBASE=$(shell basename $(LIBDIR)) + +-LDFLAGS ?= -lpcre ++LDFLAGS ?= -lpcre -lpthread + + VERSION = $(shell cat ../VERSION) + LIBVERSION = 1 +@@ -106,17 +106,17 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) + $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $< + + $(SWIGSO): $(SWIGLOBJ) +- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) ++ $(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) -L$(LIBDIR) + + $(SWIGRUBYSO): $(SWIGRUBYLOBJ) +- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux -L$(LIBDIR) ++ $(CC) $(CFLAGS) -shared -o $@ $^ -L. -lselinux $(LDFLAGS) -L$(LIBDIR) + + $(LIBA): $(OBJS) + $(AR) rcs $@ $^ + $(RANLIB) $@ + + $(LIBSO): $(LOBJS) +- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ++ $(CC) $(CFLAGS) -shared -o $@ $^ -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro + ln -sf $@ $(TARGET) + + $(LIBPC): $(LIBPC).in ../VERSION +@@ -129,7 +129,7 @@ $(AUDIT2WHYLOBJ): audit2why.c + $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< + + $(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) +- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. 
-lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR) ++ $(CC) $(CFLAGS) -shared -o $@ $^ -L. $(LDFLAGS) -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR) + + %.o: %.c policy.h + $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< +diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c +index 02483a3..73c07aa 100644 +--- a/libselinux/src/audit2why.c ++++ b/libselinux/src/audit2why.c +@@ -164,6 +164,9 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) + + if (PyArg_ParseTuple(args,(char *)":finish")) { + int i = 0; ++ if (! avc) ++ Py_RETURN_NONE; ++ + for (i = 0; i < boolcnt; i++) { + free(boollist[i]->name); + free(boollist[i]); +@@ -177,7 +180,7 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) + avc = NULL; + boollist = NULL; + boolcnt = 0; +- ++ + /* Boilerplate to return "None" */ + Py_RETURN_NONE; + } +@@ -188,48 +191,24 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) + static int __policy_init(const char *init_path) { + FILE *fp; +- int vers = 0; +- char path[PATH_MAX]; ++ const char *path; + char errormsg[PATH_MAX]; + struct sepol_policy_file *pf = NULL; int rc; - va_list ap; -+ if (is_selinux_enabled() == 0) return 0; - va_start(ap, fmt); - rc = vfprintf(stderr, fmt, ap); - va_end(ap); -diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.90/src/matchpathcon.c ---- nsalibselinux/src/matchpathcon.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.90/src/matchpathcon.c 2010-01-18 16:52:28.000000000 -0500 + unsigned int cnt; + +- if (init_path) { +- strncpy(path, init_path, PATH_MAX); +- fp = fopen(path, "r"); +- if (!fp) { +- snprintf(errormsg, sizeof(errormsg), +- "unable to open %s: %s\n", +- path, strerror(errno)); +- PyErr_SetString( PyExc_ValueError, errormsg); +- return 1; +- } +- } else { +- vers = sepol_policy_kern_vers_max(); +- if (vers < 0) { +- snprintf(errormsg, sizeof(errormsg), +- "Could not get policy version: %s\n", +- 
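Review bot: Required libraries are being placed in `LDFLAGS` (`LDFLAGS ?= -lpcre -lpthread`), which is the user-overridable linker-flag variable; a build that sets `LDFLAGS` in the environment or on the command line (for example to add `-Wl,-z,now`) silently drops `-lpcre -lpthread`, and because the `$(LIBSO)` link keeps `-z,defs` that becomes an undefined-symbol link failure rather than a quiet miss. Keep the libraries in a dedicated variable, `LDLIBS := -lpcre -lpthread`, reference `$(LDLIBS)` after the objects in each of the four link recipes, and leave `$(LDFLAGS)` as the user hook it is meant to be. Separately, `pkg-config --cflags ruby` no longer pins `ruby-$(RUBYLIBVER)`, so on a host with several Ruby installs the headers picked up may not match the `RUBYINSTALL` directory derived from `RUBYLIBVER`; this is hedged, since the version-specific `.pc` file may simply not exist on the target distribution. The `%.o` rule at the end of the hunk is context only.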
strerror(errno)); +- PyErr_SetString( PyExc_ValueError, errormsg); +- return 1; +- } +- snprintf(path, PATH_MAX, "%s.%d", +- selinux_binary_policy_path(), vers); +- fp = fopen(path, "r"); +- while (!fp && errno == ENOENT && --vers) { +- snprintf(path, PATH_MAX, "%s.%d", +- selinux_binary_policy_path(), vers); +- fp = fopen(path, "r"); +- } +- if (!fp) { +- snprintf(errormsg, sizeof(errormsg), +- "unable to open %s.%d: %s\n", +- selinux_binary_policy_path(), +- security_policyvers(), strerror(errno)); +- PyErr_SetString( PyExc_ValueError, errormsg); +- return 1; +- } ++ if (init_path) ++ path = init_path; ++ else ++ path = selinux_current_policy_path(); ++ ++ fp = fopen(path, "r"); ++ if (!fp) { ++ snprintf(errormsg, sizeof(errormsg), ++ "unable to open %s: %s\n", ++ path, strerror(errno)); ++ PyErr_SetString( PyExc_ValueError, errormsg); ++ return 1; + } + + avc = calloc(sizeof(struct avc_t), 1); +@@ -271,7 +250,7 @@ static int __policy_init(const char *init_path) + return 1; + } + +- boollist = calloc(cnt, sizeof(struct boolean_t)); ++ boollist = calloc(cnt, sizeof(*boollist)); + if (!boollist) { + PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); + return 1; +@@ -295,6 +274,10 @@ static int __policy_init(const char *init_path) + static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { + int result; + char *init_path=NULL; ++ if (avc) { ++ PyErr_SetString( PyExc_RuntimeError, "init called multiple times"); ++ return NULL; ++ } + if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path)) + return NULL; + result = __policy_init(init_path); +@@ -302,10 +285,12 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { + } + + #define RETURN(X) \ +- PyTuple_SetItem(result, 0, Py_BuildValue("i", X)); \ +- return result; ++ { \ ++ return Py_BuildValue("iO", (X), Py_None); \ ++ } + + static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args) { ++ char *reason_buf = NULL; + 
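Review bot: In `__policy_init`, `path = selinux_current_policy_path()` is passed straight to `fopen()` and then into the `snprintf` error message without a NULL check, so if that helper returns NULL (its behaviour is not visible here, but the removed code handled the "no usable policy" case with an explicit error) the module dereferences NULL instead of raising a Python exception. Add a guard before the `fopen`: `if (!path) { PyErr_SetString(PyExc_ValueError, "no usable policy file found"); return 1; }`. The version fallback loop this hunk removes also coped with only an older `policy.N` being installed; if `selinux_current_policy_path()` does not perform that search, `audit2why.init()` will now fail where it used to succeed, so a one-line comment at the assignment stating that the version search is delegated to the helper would help the next reader. `__policy_init` continues past the end of the hunk.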
security_context_t scon; + security_context_t tcon; + char *tclassstr; +@@ -320,10 +305,6 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args + struct sepol_av_decision avd; + int rc; + int i=0; +- PyObject *result = PyTuple_New(2); +- if (!result) return NULL; +- Py_INCREF(Py_None); +- PyTuple_SetItem(result, 1, Py_None); + + if (!PyArg_ParseTuple(args,(char *)"sssO!:audit2why",&scon,&tcon,&tclassstr,&PyList_Type, &listObj)) + return NULL; +@@ -334,22 +315,21 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args + /* should raise an error here. */ + if (numlines < 0) return NULL; /* Not a list */ + +- if (!avc) { ++ if (!avc) + RETURN(NOPOLICY) +- } + + rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid); +- if (rc < 0) { ++ if (rc < 0) + RETURN(BADSCON) +- } ++ + rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid); +- if (rc < 0) { ++ if (rc < 0) + RETURN(BADTCON) +- } ++ + tclass = string_to_security_class(tclassstr); +- if (!tclass) { ++ if (!tclass) + RETURN(BADTCLASS) +- } ++ + /* Convert the permission list to an AV. */ + av = 0; + +@@ -369,21 +349,20 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args + #endif + + perm = string_to_av_perm(tclass, permstr); +- if (!perm) { ++ if (!perm) + RETURN(BADPERM) +- } ++ + av |= perm; + } + + /* Reproduce the computation. 
*/ +- rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, &reason); +- if (rc < 0) { ++ rc = sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf, 0); ++ if (rc < 0) + RETURN(BADCOMPUTE) +- } + +- if (!reason) { ++ if (!reason) + RETURN(ALLOW) +- } ++ + if (reason & SEPOL_COMPUTEAV_TE) { + avc->ssid = ssid; + avc->tsid = tsid; +@@ -396,33 +375,39 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args + RETURN(TERULE) + } + } else { +- PyTuple_SetItem(result, 0, Py_BuildValue("i", BOOLEAN)); ++ PyObject *outboollist; + struct boolean_t *b = bools; + int len=0; + while (b->name) { + len++; b++; + } + b = bools; +- PyObject *outboollist = PyTuple_New(len); ++ outboollist = PyList_New(len); + len=0; + while(b->name) { +- PyObject *bool = Py_BuildValue("(si)", b->name, b->active); +- PyTuple_SetItem(outboollist, len++, bool); ++ PyObject *bool_ = Py_BuildValue("(si)", b->name, b->active); ++ PyList_SetItem(outboollist, len++, bool_); + b++; + } + free(bools); +- PyTuple_SetItem(result, 1, outboollist); +- return result; ++ /* 'N' steals the reference to outboollist */ ++ return Py_BuildValue("iN", BOOLEAN, outboollist); + } + } + + if (reason & SEPOL_COMPUTEAV_CONS) { +- RETURN(CONSTRAINT); ++ if (reason_buf) { ++ PyObject *result = NULL; ++ result = Py_BuildValue("is", CONSTRAINT, reason_buf); ++ free(reason_buf); ++ return result; ++ } ++ RETURN(CONSTRAINT) + } + +- if (reason & SEPOL_COMPUTEAV_RBAC) { ++ if (reason & SEPOL_COMPUTEAV_RBAC) + RETURN(RBAC) +- } ++ + RETURN(BADCOMPUTE) + } + +diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c +index 802a07f..6ff83a7 100644 +--- a/libselinux/src/avc.c ++++ b/libselinux/src/avc.c +@@ -827,6 +827,7 @@ int avc_has_perm(security_id_t ssid, security_id_t tsid, + errsave = errno; + avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata); + errno = errsave; ++ if (!avc_enforcing) return 0; + return rc; + } + +diff --git a/libselinux/src/avc_internal.c 
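Review bot: The added `if (!avc_enforcing) return 0;` in `avc_has_perm` masks every negative return from `avc_has_perm_noaudit`, not only access denials: any failure that is not a denial (a lookup or allocation error, if the noaudit path can produce one) is now reported to the caller as "permitted" whenever the AVC is in permissive mode. Limiting the override to denials keeps permissive semantics without hiding real errors: `if (rc < 0 && errno == EACCES && !avc_enforcing) return 0;` — `errno` has just been restored from `errsave`, so it carries the noaudit call's value at that point. Whether `avc_enforcing` may be read here without holding the AVC lock depends on how the rest of the file updates it, which is outside the hunk. The start of `avc_has_perm` is outside the hunk.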
b/libselinux/src/avc_internal.c +index 6d508ee..f735e73 100644 +--- a/libselinux/src/avc_internal.c ++++ b/libselinux/src/avc_internal.c +@@ -60,13 +60,12 @@ int avc_netlink_open(int blocking) + int len, rc = 0; + struct sockaddr_nl addr; + +- fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_SELINUX); ++ fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX); + if (fd < 0) { + rc = fd; + goto out; + } + +- fcntl(fd, F_SETFD, FD_CLOEXEC); + if (!blocking && fcntl(fd, F_SETFL, O_NONBLOCK)) { + close(fd); + fd = -1; +diff --git a/libselinux/src/fgetfilecon.c b/libselinux/src/fgetfilecon.c +index c88d515..3395c9f 100644 +--- a/libselinux/src/fgetfilecon.c ++++ b/libselinux/src/fgetfilecon.c +@@ -39,7 +39,7 @@ int fgetfilecon_raw(int fd, security_context_t * context) + out: + if (ret == 0) { + /* Re-map empty attribute values to errors. */ +- errno = EOPNOTSUPP; ++ errno = ENOTSUP; + ret = -1; + } + if (ret < 0) +diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h +index 825f295..d11c8dc 100644 +--- a/libselinux/src/file_path_suffixes.h ++++ b/libselinux/src/file_path_suffixes.h +@@ -26,4 +26,4 @@ S_(BINPOLICY, "/policy/policy") + S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs") + S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist") + S_(SEPGSQL_CONTEXTS, "/contexts/sepgsql_contexts") +- S_(BOOLEAN_SUBS, "/booleans.subs") ++ S_(BOOLEAN_SUBS, "/booleans.subs_dist") +diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c +index e02157c..355730a 100644 +--- a/libselinux/src/get_context_list.c ++++ b/libselinux/src/get_context_list.c +@@ -426,7 +426,7 @@ int get_ordered_context_list(const char *user, + /* Initialize ordering array. 
*/ + ordering = malloc(nreach * sizeof(unsigned int)); + if (!ordering) +- goto oom_order; ++ goto failsafe; + for (i = 0; i < nreach; i++) + ordering[i] = nreach; + +@@ -435,7 +435,7 @@ int get_ordered_context_list(const char *user, + fname_len = strlen(user_contexts_path) + strlen(user) + 2; + fname = malloc(fname_len); + if (!fname) +- goto oom_order; ++ goto failsafe; + snprintf(fname, fname_len, "%s%s", user_contexts_path, user); + fp = fopen(fname, "r"); + if (fp) { +@@ -465,35 +465,35 @@ int get_ordered_context_list(const char *user, + } + } + ++ if (!nordered) ++ goto failsafe; ++ + /* Apply the ordering. */ +- if (nordered) { +- co = malloc(nreach * sizeof(struct context_order)); +- if (!co) +- goto oom_order; +- for (i = 0; i < nreach; i++) { +- co[i].con = reachable[i]; +- co[i].order = ordering[i]; +- } +- qsort(co, nreach, sizeof(struct context_order), order_compare); +- for (i = 0; i < nreach; i++) +- reachable[i] = co[i].con; +- free(co); ++ co = malloc(nreach * sizeof(struct context_order)); ++ if (!co) ++ goto failsafe; ++ for (i = 0; i < nreach; i++) { ++ co[i].con = reachable[i]; ++ co[i].order = ordering[i]; + } ++ qsort(co, nreach, sizeof(struct context_order), order_compare); ++ for (i = 0; i < nreach; i++) ++ reachable[i] = co[i].con; ++ free(co); + +- /* Return the ordered list. +- If we successfully ordered it, then only report the ordered entries +- to the caller. Otherwise, fall back to the entire reachable list. */ +- if (nordered && nordered < nreach) { ++ /* Only report the ordered entries to the caller. 
*/ ++ if (nordered < nreach) { + for (i = nordered; i < nreach; i++) + free(reachable[i]); + reachable[nordered] = NULL; + rc = nordered; +- } else { +- rc = nreach; + } + + out: +- *list = reachable; ++ if (rc > 0) ++ *list = reachable; ++ else ++ freeconary(reachable); + + free(ordering); + if (freefrom) +@@ -520,14 +520,6 @@ int get_ordered_context_list(const char *user, + } + rc = 1; /* one context in the list */ + goto out; +- +- oom_order: +- /* Unable to order context list due to OOM condition. +- Fall back to unordered reachable context list. */ +- fprintf(stderr, "%s: out of memory, unable to order list\n", +- __FUNCTION__); +- rc = nreach; +- goto out; + } + + hidden_def(get_ordered_context_list) +diff --git a/libselinux/src/getfilecon.c b/libselinux/src/getfilecon.c +index 67e4463..eb2ce8a 100644 +--- a/libselinux/src/getfilecon.c ++++ b/libselinux/src/getfilecon.c +@@ -39,7 +39,7 @@ int getfilecon_raw(const char *path, security_context_t * context) + out: + if (ret == 0) { + /* Re-map empty attribute values to errors. */ +- errno = EOPNOTSUPP; ++ errno = ENOTSUP; + ret = -1; + } + if (ret < 0) +diff --git a/libselinux/src/label_android_property.c b/libselinux/src/label_android_property.c +index 79bf923..e11ccf8 100644 +--- a/libselinux/src/label_android_property.c ++++ b/libselinux/src/label_android_property.c +@@ -153,6 +153,9 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts, + break; + } + ++ if (!path) ++ return -1; ++ + /* Open the specification file. */ + if ((fp = fopen(path, "r")) == NULL) + return -1; +diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c +index 02b3cd2..5f697f3 100644 +--- a/libselinux/src/label_file.c ++++ b/libselinux/src/label_file.c +@@ -8,6 +8,7 @@ + * developed by Secure Computing Corporation. 
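Review bot: At the new `out:` block, `*list` is only written when `rc > 0`; on every failure path `reachable` is freed but the caller's `*list` is left untouched, so a caller that does not initialise its pointer and unconditionally calls `freeconary(*list)` afterwards frees an indeterminate value. Write the out-parameter in both branches: `else { freeconary(reachable); *list = NULL; }`. The same hunk also removes the unordered fallback — `if (!nordered) goto failsafe;` means a user whose reachable contexts appear in neither `default_contexts` nor their user file now gets the failsafe context instead of the whole reachable set — a behaviour change that login-type callers should see documented in the function's man page, and since the last hunk deletes the `fprintf` diagnostic, the degradation is now silent. `get_ordered_context_list` begins before the first hunk and the `failsafe:` label lies outside the visible hunks.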
+ */ + ++#include + #include + #include + #include +@@ -16,7 +17,12 @@ + #include + #include + #include ++#include + #include ++ ++#include ++ ++#include + #include + #include + #include +@@ -229,6 +235,190 @@ static int process_line(struct selabel_handle *rec, + return 0; + } + ++static int load_mmap(struct selabel_handle *rec, const char *path, struct stat *stat) ++{ ++ struct saved_data *data = (struct saved_data *)rec->data; ++ char mmap_path[PATH_MAX + 1]; ++ int mmapfd; ++ int rc, i; ++ struct stat mmap_stat; ++ char *addr; ++ size_t len; ++ int stem_map_len, *stem_map; ++ struct mmap_area *mmap_area; ++ ++ uint32_t *magic; ++ uint32_t *section_len; ++ uint32_t *plen; ++ ++ rc = snprintf(mmap_path, sizeof(mmap_path), "%s.bin", path); ++ if (rc >= sizeof(mmap_path)) ++ return -1; ++ ++ mmapfd = open(mmap_path, O_RDONLY | O_CLOEXEC); ++ if (mmapfd < 0) ++ return -1; ++ ++ rc = fstat(mmapfd, &mmap_stat); ++ if (rc < 0) { ++ close(mmapfd); ++ return -1; ++ } ++ ++ /* if mmap is old, ignore it */ ++ if (mmap_stat.st_mtime < stat->st_mtime) { ++ close(mmapfd); ++ return -1; ++ } ++ ++ if (mmap_stat.st_mtime == stat->st_mtime && ++ mmap_stat.st_mtim.tv_nsec < stat->st_mtim.tv_nsec) { ++ close(mmapfd); ++ return -1; ++ } ++ ++ /* ok, read it in... 
*/ ++ len = mmap_stat.st_size; ++ len += (sysconf(_SC_PAGE_SIZE) - 1); ++ len &= ~(sysconf(_SC_PAGE_SIZE) - 1); ++ ++ mmap_area = malloc(sizeof(*mmap_area)); ++ if (!mmap_area) { ++ close(mmapfd); ++ return -1; ++ } ++ ++ addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, mmapfd, 0); ++ close(mmapfd); ++ if (addr == MAP_FAILED) { ++ free(mmap_area); ++ perror("mmap"); ++ return -1; ++ } ++ ++ /* save where we mmap'd the file to cleanup on close() */ ++ mmap_area->addr = addr; ++ mmap_area->len = len; ++ mmap_area->next = data->mmap_areas; ++ data->mmap_areas = mmap_area; ++ ++ /* check if this looks like an fcontext file */ ++ magic = (uint32_t *)addr; ++ if (*magic != SELINUX_MAGIC_COMPILED_FCONTEXT) ++ return -1; ++ addr += sizeof(uint32_t); ++ ++ /* check if this version is higher than we understand */ ++ section_len = (uint32_t *)addr; ++ if (*section_len > SELINUX_COMPILED_FCONTEXT_MAX_VERS) ++ return -1; ++ addr += sizeof(uint32_t); ++ ++ /* allocate the stems_data array */ ++ section_len = (uint32_t *)addr; ++ addr += sizeof(uint32_t); ++ ++ /* ++ * map indexed by the stem # in the mmap file and contains the stem ++ * number in the data stem_arr ++ */ ++ stem_map_len = *section_len; ++ stem_map = calloc(stem_map_len, sizeof(*stem_map)); ++ if (!stem_map) ++ return -1; ++ ++ for (i = 0; i < *section_len; i++) { ++ char *buf; ++ uint32_t stem_len; ++ int newid; ++ ++ /* the length does not inlude the nul */ ++ plen = (uint32_t *)addr; ++ addr += sizeof(uint32_t); ++ ++ stem_len = *plen; ++ buf = (char *)addr; ++ addr += (stem_len + 1); // +1 is the nul ++ ++ /* store the mapping between old and new */ ++ newid = find_stem(data, buf, stem_len); ++ if (newid < 0) { ++ newid = store_stem(data, buf, stem_len); ++ if (newid < 0) { ++ rc = newid; ++ goto err; ++ } ++ data->stem_arr[newid].from_mmap = 1; ++ } ++ stem_map[i] = newid; ++ } ++ ++ /* allocate the regex array */ ++ section_len = (uint32_t *)addr; ++ addr += sizeof(*section_len); ++ ++ for (i = 0; i < 
*section_len; i++) { ++ struct spec *spec; ++ int32_t stem_id; ++ ++ rc = grow_specs(data); ++ if (rc < 0) ++ goto err; ++ ++ spec = &data->spec_arr[data->nspec]; ++ spec->from_mmap = 1; ++ spec->regcomp = 1; ++ ++ plen = (uint32_t *)addr; ++ addr += sizeof(uint32_t); ++ rc = -1; ++ spec->lr.ctx_raw = strdup((char *)addr); ++ if (!spec->lr.ctx_raw) ++ goto err; ++ ++ addr += *plen; ++ ++ plen = (uint32_t *)addr; ++ addr += sizeof(uint32_t); ++ spec->regex_str = (char *)addr; ++ addr += *plen; ++ ++ spec->mode = *(mode_t *)addr; ++ addr += sizeof(mode_t); ++ ++ /* map the stem id from the mmap file to the data->stem_arr */ ++ stem_id = *(int32_t *)addr; ++ if (stem_id == -1 || stem_id >= stem_map_len) ++ spec->stem_id = -1; ++ else ++ spec->stem_id = stem_map[stem_id]; ++ addr += sizeof(int32_t); ++ ++ /* retrieve the hasMetaChars bit */ ++ spec->hasMetaChars = *(uint32_t *)addr; ++ addr += sizeof(uint32_t); ++ ++ plen = (uint32_t *)addr; ++ addr += sizeof(uint32_t); ++ spec->regex = (pcre *)addr; ++ addr += *plen; ++ ++ plen = (uint32_t *)addr; ++ addr += sizeof(uint32_t); ++ spec->lsd.study_data = (void *)addr; ++ spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA; ++ addr += *plen; ++ ++ data->nspec++; ++ } ++ /* win */ ++ rc = 0; ++err: ++ free(stem_map); ++ ++ return rc; ++} ++ + static int process_file(const char *path, const char *suffix, struct selabel_handle *rec, const char *prefix) + { + FILE *fp; +@@ -261,6 +451,10 @@ static int process_file(const char *path, const char *suffix, struct selabel_han + return -1; + } + ++ rc = load_mmap(rec, path, &sb); ++ if (rc == 0) ++ goto out; ++ + /* + * The do detailed validation of the input and fill the spec array + */ +@@ -270,6 +464,7 @@ static int process_file(const char *path, const char *suffix, struct selabel_han + if (rc) + return rc; + } ++out: + free(line_buf); + fclose(fp); + +@@ -351,16 +546,19 @@ finish: + static void closef(struct selabel_handle *rec) + { + struct saved_data *data = (struct saved_data 
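Review bot: `load_mmap` walks the mapped `.bin` file with no bounds checking against the mapping: `*magic`, each `*section_len`, every `*plen`, `stem_len`, the `strdup` of `ctx_raw` and every `addr += *plen` advance are taken from file contents and never compared with `mmap_stat.st_size`, so a truncated or malformed `file_contexts.bin` drives `addr` past the mapping (SIGBUS/SIGSEGV at best, reading whatever is mapped next at worst). The `stem_id` check `stem_id == -1 || stem_id >= stem_map_len` also admits every other negative value, which indexes `stem_map` before its start; it should read `if (stem_id < 0 || stem_id >= stem_map_len)`. The file's bytes are additionally handed to PCRE as a compiled pattern and study data (`spec->regex = (pcre *)addr`), so a `.bin` is trusted as much as the library itself; a comment above the function saying so, and that `selabel_open()` callers who pass a path they do not control inherit that trust, is worth adding. The sketch below bounds the walk with an `end` pointer and applies the same check to each length-prefixed field; `process_file`, which the tail of this hunk begins, is outside the hunk.
```c
	/* Bytes after this point come from the .bin file and are not trusted:
	 * every read must stay inside [addr, end) and every advance is checked. */
	const char *end = addr + mmap_stat.st_size;
	if ((size_t)(end - addr) < 3 * sizeof(uint32_t))
		return -1;
	/* … unchanged: magic, version and stem-count reads … */
	if (stem_map_len < 0)
		return -1;
	/* … unchanged: stem_map allocation … */
	for (i = 0; i < stem_map_len; i++) {
		if ((size_t)(end - addr) < sizeof(uint32_t)) {
			rc = -1;
			goto err;
		}
		/* … unchanged: read plen, advance addr … */
		stem_len = *plen;
		if (stem_len >= (size_t)(end - addr) || addr[stem_len] != '\0') {
			rc = -1;
			goto err;
		}
		/* … unchanged: find/store stem, advance addr … */
	}
	/* … unchanged: regex section header, per-spec grow_specs … */
		if ((size_t)(end - addr) < sizeof(uint32_t)) {
			rc = -1;
			goto err;
		}
		plen = (uint32_t *)addr;
		addr += sizeof(uint32_t);
		if (*plen > (size_t)(end - addr) || memchr(addr, '\0', *plen) == NULL) {
			rc = -1;
			goto err;
		}
		/* … unchanged: ctx_raw strdup, regex_str, mode (each preceded by the same remaining-length check) … */
		stem_id = *(int32_t *)addr;
		if (stem_id < 0 || stem_id >= stem_map_len)
			spec->stem_id = -1;
		else
			spec->stem_id = stem_map[stem_id];
		/* … unchanged: hasMetaChars, regex and study-data blobs, each length-checked before the advance … */
```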
*)rec->data; ++ struct mmap_area *area, *last_area; + struct spec *spec; + struct stem *stem; + unsigned int i; + + for (i = 0; i < data->nspec; i++) { + spec = &data->spec_arr[i]; ++ free(spec->lr.ctx_trans); ++ free(spec->lr.ctx_raw); ++ if (spec->from_mmap) ++ continue; + free(spec->regex_str); + free(spec->type_str); +- free(spec->lr.ctx_raw); +- free(spec->lr.ctx_trans); + if (spec->regcomp) { + pcre_free(spec->regex); + pcre_free_study(spec->sd); +@@ -369,6 +567,8 @@ static void closef(struct selabel_handle *rec) + + for (i = 0; i < (unsigned int)data->num_stems; i++) { + stem = &data->stem_arr[i]; ++ if (stem->from_mmap) ++ continue; + free(stem->buf); + } + +@@ -376,7 +576,14 @@ static void closef(struct selabel_handle *rec) + free(data->spec_arr); + if (data->stem_arr) + free(data->stem_arr); +- ++ ++ area = data->mmap_areas; ++ while (area) { ++ munmap(area->addr, area->len); ++ last_area = area; ++ area = area->next; ++ free(last_area); ++ } + free(data); + } + +diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h +index cb5633b..bf0c9e2 100644 +--- a/libselinux/src/label_file.h ++++ b/libselinux/src/label_file.h +@@ -5,24 +5,39 @@ + + #include "label_internal.h" + ++#define SELINUX_MAGIC_COMPILED_FCONTEXT 0xf97cff8a ++#define SELINUX_COMPILED_FCONTEXT_MAX_VERS 1 ++ + /* A file security context specification. 
*/ + struct spec { + struct selabel_lookup_rec lr; /* holds contexts for lookup result */ + char *regex_str; /* regular expession string for diagnostics */ + char *type_str; /* type string for diagnostic messages */ + pcre *regex; /* compiled regular expression */ +- pcre_extra *sd; /* extra compiled stuff */ ++ union { ++ pcre_extra *sd; /* pointer to extra compiled stuff */ ++ pcre_extra lsd; /* used to hold the mmap'd version */ ++ }; + mode_t mode; /* mode format value */ + int matches; /* number of matching pathnames */ + int stem_id; /* indicates which stem-compression item */ + char hasMetaChars; /* regular expression has meta-chars */ + char regcomp; /* regex_str has been compiled to regex */ ++ char from_mmap; /* this spec is from an mmap of the data */ + }; + + /* A regular expression stem */ + struct stem { + char *buf; + int len; ++ char from_mmap; ++}; ++ ++/* Where we map the file in during selabel_open() */ ++struct mmap_area { ++ void *addr; ++ size_t len; ++ struct mmap_area *next; + }; + + /* Our stored configuration */ +@@ -41,11 +56,15 @@ struct saved_data { + struct stem *stem_arr; + int num_stems; + int alloc_stems; ++ struct mmap_area *mmap_areas; + }; + + static inline pcre_extra *get_pcre_extra(struct spec *spec) + { +- return spec->sd; ++ if (spec->from_mmap) ++ return &spec->lsd; ++ else ++ return spec->sd; + } + + static inline mode_t string_to_mode(char *mode) +diff --git a/libselinux/src/lgetfilecon.c b/libselinux/src/lgetfilecon.c +index a53f56e..58dc807 100644 +--- a/libselinux/src/lgetfilecon.c ++++ b/libselinux/src/lgetfilecon.c +@@ -39,7 +39,7 @@ int lgetfilecon_raw(const char *path, security_context_t * context) + out: + if (ret == 0) { + /* Re-map empty attribute values to errors. 
*/ +- errno = EOPNOTSUPP; ++ errno = ENOTSUP; + ret = -1; + } + if (ret < 0) +diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c +index 10e29b9..888dab5 100644 +--- a/libselinux/src/load_policy.c ++++ b/libselinux/src/load_policy.c +@@ -49,8 +49,9 @@ int load_setlocaldefs hidden = 1; + int selinux_mkload_policy(int preservebools) + { + int kernvers = security_policyvers(); +- int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION, vers; ++ int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION; + int setlocaldefs = load_setlocaldefs; ++ char *pol_path = NULL; + char path[PATH_MAX]; + struct stat sb; + struct utsname uts; +@@ -162,29 +163,24 @@ checkbool: + maxvers = max(kernvers, maxvers); + } + +- vers = maxvers; +- search: +- snprintf(path, sizeof(path), "%s.%d", +- selinux_binary_policy_path(), vers); +- fd = open(path, O_RDONLY); +- while (fd < 0 && errno == ENOENT +- && --vers >= minvers) { +- /* Check prior versions to see if old policy is available */ +- snprintf(path, sizeof(path), "%s.%d", +- selinux_binary_policy_path(), vers); +- fd = open(path, O_RDONLY); ++search: ++ pol_path = selinux_binary_policy_path_min_max(minvers, &maxvers); ++ if (!pol_path) { ++ fprintf(stderr, "SELinux: unable to find usable policy file: %s\n", ++ strerror(errno)); ++ goto dlclose; + } ++ ++ fd = open(pol_path, O_RDONLY); + if (fd < 0) { +- fprintf(stderr, +- "SELinux: Could not open policy file <= %s.%d: %s\n", +- selinux_binary_policy_path(), maxvers, strerror(errno)); ++ fprintf(stderr, "SELinux: Could not open policy file %s: %s\n", ++ pol_path, strerror(errno)); + goto dlclose; + } + + if (fstat(fd, &sb) < 0) { +- fprintf(stderr, +- "SELinux: Could not stat policy file %s: %s\n", +- path, strerror(errno)); ++ fprintf(stderr, "SELinux: Could not stat policy file %s: %s\n", ++ pol_path, strerror(errno)); + goto close; + } + +@@ -195,13 +191,12 @@ checkbool: + size = sb.st_size; + data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0); + if (map 
== MAP_FAILED) { +- fprintf(stderr, +- "SELinux: Could not map policy file %s: %s\n", +- path, strerror(errno)); ++ fprintf(stderr, "SELinux: Could not map policy file %s: %s\n", ++ pol_path, strerror(errno)); + goto close; + } + +- if (vers > kernvers && usesepol) { ++ if (maxvers > kernvers && usesepol) { + /* Need to downgrade to kernel-supported version. */ + if (policy_file_create(&pf)) + goto unmap; +@@ -220,12 +215,12 @@ checkbool: + /* Downgrade failed, keep searching. */ + fprintf(stderr, + "SELinux: Could not downgrade policy file %s, searching for an older version.\n", +- path); ++ pol_path); + policy_file_free(pf); + policydb_free(policydb); + munmap(map, sb.st_size); + close(fd); +- vers--; ++ maxvers--; + goto search; + } + policy_file_free(pf); +@@ -281,7 +276,7 @@ checkbool: + if (rc) + fprintf(stderr, + "SELinux: Could not load policy file %s: %s\n", +- path, strerror(errno)); ++ pol_path, strerror(errno)); + + unmap: + if (data != map) +@@ -296,6 +291,7 @@ checkbool: + if (libsepolh) + dlclose(libsepolh); + #endif ++ free(pol_path); + return rc; + } + +diff --git a/libselinux/src/mapping.c b/libselinux/src/mapping.c +index b0264e7..f205804 100644 +--- a/libselinux/src/mapping.c ++++ b/libselinux/src/mapping.c +@@ -66,7 +66,7 @@ selinux_set_mapping(struct security_class_mapping *map) + goto err2; + + k = 0; +- while (p_in->perms && p_in->perms[k]) { ++ while (p_in->perms[k]) { + /* An empty permission string skips ahead */ + if (!*p_in->perms[k]) { + k++; +diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c +index 2d7369e..2a00807 100644 +--- a/libselinux/src/matchpathcon.c ++++ b/libselinux/src/matchpathcon.c @@ -2,6 +2,7 @@ #include #include @@ -70,7 +6811,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux #include "selinux_internal.h" #include "label_internal.h" #include "callbacks.h" -@@ -57,7 +58,7 @@ +@@ -62,7 +63,7 @@ static void { va_list ap; va_start(ap, fmt); 
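Review bot: `pol_path` is leaked on the retry path of `selinux_mkload_policy`: `selinux_binary_policy_path_min_max()` returns a string that is only released by the `free(pol_path)` added at the end, but the downgrade-failure branch does `maxvers--; goto search;`, which re-assigns `pol_path` without freeing the previous one, once per version tried. Free it before retrying: `free(pol_path); pol_path = NULL; maxvers--; goto search;`. That the helper returns heap memory is inferred from the final `free(pol_path)` — if it actually returns a static buffer, that `free` is the bug instead — so either way the ownership deserves a comment at the `search:` label, e.g. `/* pol_path is heap-allocated by the helper; freed at the end and before every retry */`. The function's start and its `close:`/`unmap:` labels lie outside the hunks shown.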
@@ -79,3 +6820,902 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux va_end(ap); } +diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c +index 83381e4..6c5b45a 100644 +--- a/libselinux/src/procattr.c ++++ b/libselinux/src/procattr.c +@@ -1,6 +1,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -8,32 +9,137 @@ + #include "selinux_internal.h" + #include "policy.h" + ++static __thread pid_t cpid; ++static __thread pid_t tid; ++static __thread security_context_t prev_current; ++static __thread security_context_t prev_exec; ++static __thread security_context_t prev_fscreate; ++static __thread security_context_t prev_keycreate; ++static __thread security_context_t prev_sockcreate; ++ ++static pthread_once_t once = PTHREAD_ONCE_INIT; ++static pthread_key_t destructor_key; ++static int destructor_key_initialized = 0; ++static __thread char destructor_initialized; ++ + static pid_t gettid(void) + { + return syscall(__NR_gettid); + } + +-static int getprocattrcon_raw(security_context_t * context, +- pid_t pid, const char *attr) ++static void procattr_thread_destructor(void __attribute__((unused)) *unused) ++{ ++ free(prev_current); ++ free(prev_exec); ++ free(prev_fscreate); ++ free(prev_keycreate); ++ free(prev_sockcreate); ++} ++ ++static void free_procattr(void) ++{ ++ procattr_thread_destructor(NULL); ++ tid = 0; ++ cpid = getpid(); ++ prev_current = prev_exec = prev_fscreate = prev_keycreate = prev_sockcreate = NULL; ++} ++ ++void __attribute__((destructor)) procattr_destructor(void); ++ ++void hidden __attribute__((destructor)) procattr_destructor(void) ++{ ++ if (destructor_key_initialized) ++ __selinux_key_delete(destructor_key); ++} ++ ++static inline void init_thread_destructor(void) ++{ ++ if (destructor_initialized == 0) { ++ __selinux_setspecific(destructor_key, (void *)1); ++ destructor_initialized = 1; ++ } ++} ++ ++static void init_procattr(void) ++{ ++ if 
(__selinux_key_create(&destructor_key, procattr_thread_destructor) == 0) { ++ pthread_atfork(NULL, NULL, free_procattr); ++ destructor_key_initialized = 1; ++ } ++} ++ ++static int openattr(pid_t pid, const char *attr, int flags) + { +- char *path, *buf; +- size_t size; + int fd, rc; +- ssize_t ret; +- pid_t tid; +- int errno_hold; ++ char *path; ++ ++ if (cpid != getpid()) ++ free_procattr(); + + if (pid > 0) + rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr); + else { +- tid = gettid(); ++ if (!tid) ++ tid = gettid(); + rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr); + } + if (rc < 0) + return -1; + +- fd = open(path, O_RDONLY); ++ fd = open(path, flags | O_CLOEXEC); + free(path); ++ return fd; ++} ++ ++static int getprocattrcon_raw(security_context_t * context, ++ pid_t pid, const char *attr) ++{ ++ char *buf; ++ size_t size; ++ int fd; ++ ssize_t ret; ++ int errno_hold; ++ security_context_t prev_context; ++ ++ __selinux_once(once, init_procattr); ++ init_thread_destructor(); ++ ++ if (cpid != getpid()) ++ free_procattr(); ++ ++ switch (attr[0]) { ++ case 'c': ++ prev_context = prev_current; ++ break; ++ case 'e': ++ prev_context = prev_exec; ++ break; ++ case 'f': ++ prev_context = prev_fscreate; ++ break; ++ case 'k': ++ prev_context = prev_keycreate; ++ break; ++ case 's': ++ prev_context = prev_sockcreate; ++ break; ++ case 'p': ++ prev_context = NULL; ++ break; ++ default: ++ errno = ENOENT; ++ return -1; ++ }; ++ ++ if (prev_context) { ++ *context = strdup(prev_context); ++ if (!(*context)) { ++ return -1; ++ } ++ return 0; ++ } ++ ++ fd = openattr(pid, attr, O_RDONLY); + if (fd < 0) + return -1; + +@@ -90,40 +196,70 @@ static int getprocattrcon(security_context_t * context, + static int setprocattrcon_raw(security_context_t context, + pid_t pid, const char *attr) + { +- char *path; +- int fd, rc; +- pid_t tid; ++ int fd; + ssize_t ret; + int errno_hold; ++ security_context_t *prev_context; + +- if (pid > 0) +- rc = asprintf(&path, 
"/proc/%d/attr/%s", pid, attr); +- else { +- tid = gettid(); +- rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr); +- } +- if (rc < 0) +- return -1; ++ __selinux_once(once, init_procattr); ++ init_thread_destructor(); + +- fd = open(path, O_RDWR); +- free(path); ++ if (cpid != getpid()) ++ free_procattr(); ++ ++ switch (attr[0]) { ++ case 'c': ++ prev_context = &prev_current; ++ break; ++ case 'e': ++ prev_context = &prev_exec; ++ break; ++ case 'f': ++ prev_context = &prev_fscreate; ++ break; ++ case 'k': ++ prev_context = &prev_keycreate; ++ break; ++ case 's': ++ prev_context = &prev_sockcreate; ++ break; ++ default: ++ errno = ENOENT; ++ return -1; ++ }; ++ ++ if (!context && !*prev_context) ++ return 0; ++ if (context && *prev_context && !strcmp(context, *prev_context)) ++ return 0; ++ ++ fd = openattr(pid, attr, O_RDWR); + if (fd < 0) + return -1; +- if (context) ++ if (context) { ++ ret = -1; ++ context = strdup(context); ++ if (!context) ++ goto out; + do { + ret = write(fd, context, strlen(context) + 1); + } while (ret < 0 && errno == EINTR); +- else ++ } else { + do { + ret = write(fd, NULL, 0); /* clear */ + } while (ret < 0 && errno == EINTR); ++ } ++out: + errno_hold = errno; + close(fd); + errno = errno_hold; +- if (ret < 0) ++ if (ret < 0) { ++ free(context); + return -1; +- else ++ } else { ++ *prev_context = context; + return 0; ++ } + } + + static int setprocattrcon(const security_context_t context, +diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c +index 296f357..cb65666 100644 +--- a/libselinux/src/selinux_config.c ++++ b/libselinux/src/selinux_config.c +@@ -9,6 +9,7 @@ + #include + #include + #include "selinux_internal.h" ++#include "policy.h" + #include "get_default_type_internal.h" + + #define SELINUXDIR "/etc/selinux/" +@@ -296,13 +297,57 @@ const char *selinux_removable_context_path(void) + + hidden_def(selinux_removable_context_path) + ++char *selinux_binary_policy_path_min_max(int min, int *max) 
++{ ++ int ret; ++ char *path = NULL; ++ ++ while(*max >= min) { ++ ret = asprintf(&path, "%s.%d", get_path(BINPOLICY), *max); ++ if (ret < 0) ++ goto err; ++ ret = access(path, R_OK); ++ if (!ret) ++ return path; ++ free(path); ++ path = NULL; ++ *max = *max - 1; ++ } ++err: ++ free(path); ++ return NULL; ++} ++hidden_def(selinux_binary_policy_path_min_max) ++ + const char *selinux_binary_policy_path(void) + { + return get_path(BINPOLICY); + } +- + hidden_def(selinux_binary_policy_path) + ++const char *selinux_current_policy_path(void) ++{ ++ int rc = 0; ++ int vers = 0; ++ static char policy_path[PATH_MAX]; ++ ++ snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt); ++ if (access(policy_path, F_OK) != 0 ) { ++ vers = security_policyvers(); ++ do { ++ /* Check prior versions to see if old policy is available */ ++ snprintf(policy_path, sizeof(policy_path), "%s.%d", ++ selinux_binary_policy_path(), vers); ++ } while ((rc = access(policy_path, F_OK)) && --vers > 0); ++ ++ if (rc) return NULL; ++ } ++ ++ return policy_path; ++} ++ ++hidden_def(selinux_current_policy_path) ++ + const char *selinux_file_context_path(void) + { + return get_path(FILE_CONTEXTS); +diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h +index 2c7c85c..008aa6d 100644 +--- a/libselinux/src/selinux_internal.h ++++ b/libselinux/src/selinux_internal.h +@@ -61,7 +61,9 @@ hidden_proto(selinux_mkload_policy) + hidden_proto(security_deny_unknown) + hidden_proto(selinux_boolean_sub) + hidden_proto(selinux_binary_policy_path) ++ hidden_proto(selinux_binary_policy_path_min_max) + hidden_proto(selinux_booleans_subs_path) ++ hidden_proto(selinux_current_policy_path) + hidden_proto(selinux_default_context_path) + hidden_proto(selinux_securetty_types_path) + hidden_proto(selinux_failsafe_context_path) +diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c +index 10a6495..ed29dc5 100644 +--- a/libselinux/src/sestatus.c ++++ b/libselinux/src/sestatus.c 
+@@ -256,19 +256,23 @@ int selinux_status_open(int fallback) + { + int fd; + char path[PATH_MAX]; ++ long pagesize; + + if (!selinux_mnt) { + errno = ENOENT; + return -1; + } + ++ pagesize = sysconf(_SC_PAGESIZE); ++ if (pagesize < 0) ++ return -1; ++ + snprintf(path, sizeof(path), "%s/status", selinux_mnt); +- fd = open(path, O_RDONLY); ++ fd = open(path, O_RDONLY | O_CLOEXEC); + if (fd < 0) + goto error; + +- selinux_status = mmap(NULL, sysconf(_SC_PAGESIZE), +- PROT_READ, MAP_SHARED, fd, 0); ++ selinux_status = mmap(NULL, pagesize, PROT_READ, MAP_SHARED, fd, 0); + if (selinux_status == MAP_FAILED) { + close(fd); + goto error; +@@ -318,6 +322,8 @@ error: + */ + void selinux_status_close(void) + { ++ long pagesize; ++ + /* not opened */ + if (selinux_status == NULL) + return; +@@ -331,7 +337,10 @@ void selinux_status_close(void) + return; + } + +- munmap(selinux_status, sysconf(_SC_PAGESIZE)); ++ pagesize = sysconf(_SC_PAGESIZE); ++ /* not much we can do other than leak memory */ ++ if (pagesize > 0) ++ munmap(selinux_status, pagesize); + selinux_status = NULL; + + close(selinux_status_fd); +diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c +index 502e9db..f9065bd 100644 +--- a/libselinux/src/setrans_client.c ++++ b/libselinux/src/setrans_client.c +@@ -56,7 +56,10 @@ static int setransd_open(void) + { + fd = socket(PF_UNIX, SOCK_STREAM, 0); + if (fd >= 0) +- fcntl(fd, F_SETFD, FD_CLOEXEC); ++ if (fcntl(fd, F_SETFD, FD_CLOEXEC)) { ++ close(fd); ++ return -1; ++ } + } + if (fd < 0) + return -1; +@@ -151,9 +154,10 @@ receive_response(int fd, uint32_t function, char **outdata, int32_t * ret_val) + } + + data = malloc(data_size); +- if (!data) { ++ if (!data) + return -1; +- } ++ /* coveriety doesn't realize that data will be initialized in readv */ ++ memset(data, 0, data_size); + + resp_data.iov_base = data; + resp_data.iov_len = data_size; +diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c +index cfea186..09e704b 100644 
+--- a/libselinux/src/seusers.c ++++ b/libselinux/src/seusers.c +@@ -141,9 +141,16 @@ static int check_group(const char *group, const char *name, const gid_t gid) { + } + + if (getgrouplist(name, gid, NULL, &ng) < 0) { +- groups = (gid_t *) malloc(sizeof (gid_t) * ng); +- if (!groups) goto done; +- if (getgrouplist(name, gid, groups, &ng) < 0) goto done; ++ if (ng == 0) ++ goto done; ++ groups = calloc(ng, sizeof(*groups)); ++ if (!groups) ++ goto done; ++ if (getgrouplist(name, gid, groups, &ng) < 0) ++ goto done; ++ } else { ++ /* WTF? ng was 0 and we didn't fail? Are we in 0 groups? */ ++ goto done; + } + + for (i = 0; i < ng; i++) { +diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c +index 176ac34..ba75ccd 100644 +--- a/libselinux/src/stringrep.c ++++ b/libselinux/src/stringrep.c +@@ -258,18 +258,21 @@ static struct discover_class_node * discover_class(const char *s) + struct stat m; + + snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name); +- if (stat(path,&m) < 0) ++ fd = open(path, O_RDONLY | O_CLOEXEC); ++ if (fd < 0) ++ goto err4; ++ ++ if (fstat(fd, &m) < 0) { ++ close(fd); + goto err4; ++ } + + if (m.st_mode & S_IFDIR) { ++ close(fd); + dentry = readdir(dir); + continue; + } + +- fd = open(path, O_RDONLY); +- if (fd < 0) +- goto err4; +- + memset(buf, 0, sizeof(buf)); + ret = read(fd, buf, sizeof(buf) - 1); + close(fd); +@@ -279,6 +282,9 @@ static struct discover_class_node * discover_class(const char *s) + if (sscanf(buf, "%u", &value) != 1) + goto err4; + ++ if (value == 0 || value > NVECTORS) ++ goto err4; ++ + node->perms[value-1] = strdup(dentry->d_name); + if (node->perms[value-1] == NULL) + goto err4; +@@ -436,6 +442,27 @@ security_class_t string_to_security_class(const char *s) + return map_class(node->value); + } + ++security_class_t mode_to_security_class(mode_t m) { ++ ++ if (S_ISREG(m)) ++ return string_to_security_class("file"); ++ if (S_ISDIR(m)) ++ return string_to_security_class("dir"); ++ 
if (S_ISCHR(m)) ++ return string_to_security_class("chr_file"); ++ if (S_ISBLK(m)) ++ return string_to_security_class("blk_file"); ++ if (S_ISFIFO(m)) ++ return string_to_security_class("fifo_file"); ++ if (S_ISLNK(m)) ++ return string_to_security_class("lnk_file"); ++ if (S_ISSOCK(m)) ++ return string_to_security_class("sock_file"); ++ ++ errno=EINVAL; ++ return 0; ++} ++ + access_vector_t string_to_av_perm(security_class_t tclass, const char *s) + { + struct discover_class_node *node; +diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore +index 8b9294d..060eaab 100644 +--- a/libselinux/utils/.gitignore ++++ b/libselinux/utils/.gitignore +@@ -13,6 +13,7 @@ getsebool + getseuser + matchpathcon + policyvers ++sefcontext_compile + selinux_check_securetty_context + selinuxenabled + selinuxexeccon +diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile +index 5f3e047..f469924 100644 +--- a/libselinux/utils/Makefile ++++ b/libselinux/utils/Makefile +@@ -28,6 +28,7 @@ LDLIBS += -L../src -lselinux -L$(LIBDIR) + + TARGETS=$(patsubst %.c,%,$(wildcard *.c)) + ++sefcontext_compile: LDLIBS += -lpcre + + ifeq ($(DISABLE_AVC),y) + UNUSED_TARGETS+=compute_av compute_create compute_member compute_relabel +diff --git a/libselinux/utils/avcstat.c b/libselinux/utils/avcstat.c +index 73432f2..1d4d5c8 100644 +--- a/libselinux/utils/avcstat.c ++++ b/libselinux/utils/avcstat.c +@@ -155,7 +155,7 @@ int main(int argc, char **argv) + ssize_t ret, parsed = 0; + + memset(buf, 0, DEF_BUF_SIZE); +- ret = read(fd, buf, DEF_BUF_SIZE); ++ ret = read(fd, buf, DEF_BUF_SIZE-1); + if (ret < 0) + die("read"); + +diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c +new file mode 100644 +index 0000000..15cc836 +--- /dev/null ++++ b/libselinux/utils/sefcontext_compile.c +@@ -0,0 +1,350 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include "../src/label_file.h" ++ ++static int process_file(struct 
saved_data *data, const char *filename) ++{ ++ struct spec *spec; ++ unsigned int line_num; ++ char *line_buf = NULL; ++ size_t line_len; ++ ssize_t len; ++ FILE *context_file; ++ ++ context_file = fopen(filename, "r"); ++ if (!context_file) { ++ fprintf(stderr, "Error opening %s: %s\n", filename, strerror(errno)); ++ return -1; ++ } ++ ++ line_num = 0; ++ while ((len = getline(&line_buf, &line_len, context_file)) != -1) { ++ char *context; ++ char *mode; ++ char *regex; ++ char *cp, *anchored_regex; ++ char *buf_p; ++ pcre *re; ++ pcre_extra *sd; ++ const char *err; ++ int items, erroff, rc; ++ size_t regex_len; ++ int32_t stem_id; ++ ++ len = strlen(line_buf); ++ if (line_buf[len - 1] == '\n') ++ line_buf[len - 1] = 0; ++ buf_p = line_buf; ++ while (isspace(*buf_p)) ++ buf_p++; ++ /* Skip comment lines and empty lines. */ ++ if (*buf_p == '#' || *buf_p == 0) ++ continue; ++ ++ items = sscanf(line_buf, "%ms %ms %ms", ®ex, &mode, &context); ++ if (items < 2 || items > 3) { ++ fprintf(stderr, "invalid entry, skipping:%s", line_buf); ++ continue; ++ } ++ ++ if (items == 2) { ++ context = mode; ++ mode = NULL; ++ } ++ ++ rc = grow_specs(data); ++ if (rc) { ++ fprintf(stderr, "grow_specs failed: %s\n", strerror(errno)); ++ return rc; ++ } ++ ++ spec = &data->spec_arr[data->nspec]; ++ ++ spec->lr.ctx_raw = context; ++ spec->mode = string_to_mode(mode); ++ if (spec->mode == -1) { ++ fprintf(stderr, "%s: line %d has invalid file type %s\n", ++ regex, line_num + 1, mode); ++ spec->mode = 0; ++ } ++ free(mode); ++ spec->regex_str = regex; ++ ++ stem_id = find_stem_from_spec(data, regex); ++ spec->stem_id = stem_id; ++ /* skip past the fixed stem part */ ++ if (stem_id != -1) ++ regex += data->stem_arr[stem_id].len; ++ ++ regex_len = strlen(regex); ++ cp = anchored_regex = malloc(regex_len + 3); ++ if (!cp) { ++ fprintf(stderr, "Malloc Failed: %s\n", strerror(errno)); ++ return -1; ++ } ++ *cp++ = '^'; ++ memcpy(cp, regex, regex_len); ++ cp += regex_len; ++ *cp++ = '$'; ++ 
*cp = '\0'; ++ ++ spec_hasMetaChars(spec); ++ ++ re = pcre_compile(anchored_regex, 0, &err, &erroff, NULL); ++ if (!re) { ++ fprintf(stderr, "PCRE compilation failed for %s at offset %d: %s\n", anchored_regex, erroff, err); ++ return -1; ++ } ++ spec->regex = re; ++ ++ sd = pcre_study(re, 0, &err); ++ if (!sd) { ++ fprintf(stderr, "PCRE study failed for %s: %s\n", anchored_regex, err); ++ return -1; ++ } ++ free(anchored_regex); ++ spec->sd = sd; ++ ++ line_num++; ++ data->nspec++; ++ } ++ ++ free(line_buf); ++ fclose(context_file); ++ ++ return 0; ++} ++ ++/* ++ * File Format ++ * ++ * u32 - magic number ++ * u32 - version ++ * u32 - number of stems ++ * ** Stems ++ * u32 - length of stem EXCLUDING nul ++ * char - stem char array INCLUDING nul ++ * u32 - number of regexs ++ * ** Regexes ++ * u32 - length of upcoming context INCLUDING nul ++ * char - char array of the raw context ++ * u32 - length of the upcoming regex_str ++ * char - char array of the original regex string including the stem. 
++ * mode_t - mode bits ++ * s32 - stemid associated with the regex ++ * u32 - spec has meta characters ++ * u32 - data length of the pcre regex ++ * char - a bufer holding the raw pcre regex info ++ * u32 - data length of the pcre regex study daya ++ * char - a buffer holding the raw pcre regex study data ++ */ ++static int write_binary_file(struct saved_data *data, char *filename) ++{ ++ struct spec *specs = data->spec_arr; ++ FILE *bin_file; ++ size_t len; ++ uint32_t magic = SELINUX_MAGIC_COMPILED_FCONTEXT; ++ uint32_t section_len; ++ uint32_t i; ++ ++ bin_file = fopen(filename, "w"); ++ if (!bin_file) { ++ perror("fopen output_file"); ++ exit(EXIT_FAILURE); ++ } ++ ++ /* write some magic number */ ++ len = fwrite(&magic, sizeof(uint32_t), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ /* write the version */ ++ section_len = SELINUX_COMPILED_FCONTEXT_MAX_VERS; ++ len = fwrite(§ion_len, sizeof(uint32_t), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ /* write the number of stems coming */ ++ section_len = data->num_stems; ++ len = fwrite(§ion_len, sizeof(uint32_t), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ for (i = 0; i < section_len; i++) { ++ char *stem = data->stem_arr[i].buf; ++ uint32_t stem_len = data->stem_arr[i].len; ++ ++ /* write the strlen (aka no nul) */ ++ len = fwrite(&stem_len, sizeof(uint32_t), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ /* include the nul in the file */ ++ stem_len += 1; ++ len = fwrite(stem, sizeof(char), stem_len, bin_file); ++ if (len != stem_len) ++ return -1; ++ } ++ ++ /* write the number of regexes coming */ ++ section_len = data->nspec; ++ len = fwrite(§ion_len, sizeof(uint32_t), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ for (i = 0; i < section_len; i++) { ++ char *context = specs[i].lr.ctx_raw; ++ char *regex_str = specs[i].regex_str; ++ mode_t mode = specs[i].mode; ++ int32_t stem_id = specs[i].stem_id; ++ pcre *re = specs[i].regex; ++ pcre_extra *sd = get_pcre_extra(&specs[i]); ++ 
uint32_t to_write; ++ size_t size; ++ int rc; ++ ++ /* length of the context string (including nul) */ ++ to_write = strlen(context) + 1; ++ len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ /* original context strin (including nul) */ ++ len = fwrite(context, sizeof(char), to_write, bin_file); ++ if (len != to_write) ++ return -1; ++ ++ /* length of the original regex string (including nul) */ ++ to_write = strlen(regex_str) + 1; ++ len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ /* original regex string */ ++ len = fwrite(regex_str, sizeof(char), to_write, bin_file); ++ if (len != to_write) ++ return -1; ++ ++ /* binary F_MODE bits */ ++ len = fwrite(&mode, sizeof(mode), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ /* stem for this regex (could be -1) */ ++ len = fwrite(&stem_id, sizeof(stem_id), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ /* does this spec have a metaChar? */ ++ to_write = specs[i].hasMetaChars; ++ len = fwrite(&to_write, sizeof(to_write), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ /* determine the size of the pcre data in bytes */ ++ rc = pcre_fullinfo(re, NULL, PCRE_INFO_SIZE, &size); ++ if (rc < 0) ++ return -1; ++ ++ /* write the number of bytes in the pcre data */ ++ to_write = size; ++ len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ /* write the actual pcre data as a char array */ ++ len = fwrite(re, 1, to_write, bin_file); ++ if (len != to_write) ++ return -1; ++ ++ /* determine the size of the pcre study info */ ++ rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size); ++ if (rc < 0) ++ return -1; ++ ++ /* write the number of bytes in the pcre study data */ ++ to_write = size; ++ len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file); ++ if (len != 1) ++ return -1; ++ ++ /* write the actual pcre study data as a char array */ ++ len = fwrite(sd->study_data, 1, to_write, bin_file); ++ if 
(len != to_write) ++ return -1; ++ } ++ ++ fclose(bin_file); ++ ++ return 0; ++} ++ ++static int free_specs(struct saved_data *data) ++{ ++ struct spec *specs = data->spec_arr; ++ unsigned int num_entries = data->nspec; ++ unsigned int i; ++ ++ for (i = 0; i < num_entries; i++) { ++ free(specs[i].lr.ctx_raw); ++ free(specs[i].lr.ctx_trans); ++ free(specs[i].regex_str); ++ pcre_free(specs[i].regex); ++ pcre_free_study(specs[i].sd); ++ } ++ free(specs); ++ ++ num_entries = data->num_stems; ++ for (i = 0; i < num_entries; i++) { ++ free(data->stem_arr[i].buf); ++ } ++ free(data->stem_arr); ++ ++ memset(data, 0, sizeof(*data)); ++ return 0; ++} ++ ++int main(int argc, char *argv[]) ++{ ++ struct saved_data data; ++ const char *path; ++ char stack_path[PATH_MAX + 1]; ++ int rc; ++ ++ if (argc != 2) { ++ fprintf(stderr, "usage: %s input_file\n", argv[0]); ++ exit(EXIT_FAILURE); ++ } ++ ++ memset(&data, 0, sizeof(data)); ++ ++ path = argv[1]; ++ ++ rc = process_file(&data, path); ++ if (rc < 0) ++ return rc; ++ ++ rc = sort_specs(&data); ++ if (rc) ++ return rc; ++ ++ rc = snprintf(stack_path, sizeof(stack_path), "%s.bin", path); ++ if (rc < 0 || rc >= sizeof(stack_path)) ++ return rc; ++ rc = write_binary_file(&data, stack_path); ++ if (rc < 0) ++ return rc; ++ ++ rc = free_specs(&data); ++ if (rc < 0) ++ return rc; ++ ++ return 0; ++} diff --git a/libselinux-ruby.patch b/libselinux-ruby.patch index ba01a31..b46802e 100644 --- a/libselinux-ruby.patch +++ b/libselinux-ruby.patch 
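Review bot: In sefcontext_compile.c's write_binary_file every failed fwrite returns -1 with bin_file still open and the partially written `<input>.bin` left on disk, and the fopen failure path calls `exit(EXIT_FAILURE)` from a function whose caller in main() checks its return value. Since this same series makes label_file prefer a precompiled file when one exists, a truncated .bin that survives a failed run is presumably what the library will pick up next, so the error paths should close the stream and unlink the output (or write to a temporary name and rename only after a successful fclose), as sketched below; fclose's return value matters too because stdio flushes there, and `unlink` needs <unistd.h>, which I cannot confirm from the stripped include list. Separately, in procattr.c's setprocattrcon_raw the success path does `*prev_context = context;` without releasing the string cached by the previous call, so every successful set of a different value leaks the old one — `free(*prev_context);` before the assignment fixes it. process_file has the same shape of problem: its early returns after grow_specs, malloc, pcre_compile and pcre_study failures leave context_file open and line_buf (and on the two pcre paths anchored_regex) unfreed.
```c
static int write_binary_file(struct saved_data *data, char *filename)
{
	/* … unchanged: declarations … */
	int rc = -1;

	bin_file = fopen(filename, "w");
	if (!bin_file) {
		perror("fopen output_file");
		return -1;
	}
	/* … unchanged: magic/version/stem/spec writes, each `return -1;` replaced by `goto out;` … */

	rc = 0;
out:
	/* stdio flushes on fclose, so a short write can surface here too */
	if (fclose(bin_file) != 0)
		rc = -1;
	if (rc)
		/* never leave a truncated .bin for label_file to load later */
		unlink(filename);
	return rc;
}
```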
@@ -1,24 +1,24 @@
 Index: src/Makefile
 ===================================================================
---- src/Makefile.orig
-+++ src/Makefile
-@@ -15,8 +15,8 @@ PYTHONLIBDIR ?= $(shell pkg-config --lib
+--- src/Makefile.orig 2013-01-30 13:24:55.549631752 +0100
++++ src/Makefile 2013-01-30 13:25:56.148209843 +0100
+@@ -16,8 +16,8 @@ PYINC ?= $(shell pkg-config --cflags $(P
  PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
- RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
- RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM')
--RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
+ RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
+ RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM')
+-RUBYINC ?= $(shell pkg-config --cflags ruby)
 -RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
 +RUBYINC ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['rubyhdrdir'].nil? ? '$(LIBDIR)/ruby/$(RUBYLIBVER)' : Config::CONFIG['rubyhdrdir']")
 +RUBYINSTALL ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['vendorarchdir'].nil? ? '$(DESTDIR)'+Config::CONFIG['sitearchdir'] : '$(DESTDIR)'+Config::CONFIG['vendorarchdir']")
  LIBBASE=$(shell basename $(LIBDIR))
- VERSION = $(shell cat ../VERSION)
-@@ -76,7 +76,7 @@ $(SWIGLOBJ): $(SWIGCOUT)
- $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
+ LDFLAGS ?= -lpcre -lpthread
+@@ -103,7 +103,7 @@ $(SWIGLOBJ): $(SWIGCOUT)
+ $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
  $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
-- $(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $<
+- $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
 + $(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -I$(RUBYINC)/$(RUBYPLATFORM) -fPIC -DSHARED -c -o $@ $<
  $(SWIGSO): $(SWIGLOBJ)
- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) $(PYTHONLIBDIR) -Wl,-soname,$@,-z,defs
+ $(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) -L$(LIBDIR)
diff --git a/libselinux.changes b/libselinux.changes
index 2b0749d..5bbf7ae 100644
--- a/libselinux.changes
+++ b/libselinux.changes
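Review bot: The re-added `RUBYINC`/`RUBYINSTALL` lines invoke a bare `ruby` while the two context lines directly above them now use `$(RUBY)`, so a build that sets `RUBY=` to a specific interpreter computes the header and install directories from whatever `ruby` happens to be on PATH; they should read `$(shell $(RUBY) -r rbconfig -e "...")`. They also query `Config::CONFIG`, which on Ruby 1.9 is the deprecated alias of `RbConfig::CONFIG` (I believe 1.8.7 already provides the latter), so switching would match the "build with either ruby 1.9 or ruby 1.8" entry in libselinux.changes without the deprecation noise on stderr. The replacement `$(SWIGRUBYLOBJ)` recipe additionally drops `$(SWIG_CFLAGS)` from the upstream line it supersedes and goes back to `$(filter-out -Werror, $(CFLAGS))`, presumably to keep the SWIG output compiling under the stricter warnings this release enables; keeping upstream's flags and only adding the include paths, `$(CC) $(CFLAGS) $(SWIG_CFLAGS) -I$(RUBYINC) -I$(RUBYINC)/$(RUBYPLATFORM) -fPIC -DSHARED -c -o $@ $<`, would be the smaller and more maintainable delta.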
@@ -1,3 +1,62 @@
+-------------------------------------------------------------------
+Wed Jan 30 11:44:45 UTC 2013 - vcizek@suse.com
+
+- update to 2.1.12
+ - added the recent libselinux-rhat.patch
+ * Add support for lxc_contexts_path
+ * utils: add service to getdefaultcon
+ * libsemanage: do not set soname needlessly
+ * libsemanage: remove PYTHONLIBDIR and ruby equivalent
+ * boolean name equivalency
+ * getsebool: support boolean name substitution
+ * Add man page for new selinux_boolean_sub function.
+ * expose selinux_boolean_sub
+ * matchpathcon: add -m option to force file type check
+ * utils: avcstat: clear sa_mask set
+ * seusers: Check for strchr failure
+ * booleans: initialize pointer to silence coveriety
+ * stop messages when SELinux disabled
+ * Ensure that we only close the selinux netlink socket once.
+ * improve the file_contexts.5 manual page
+ * Fortify source now requires all code to be compiled with -O flag
+ * asprintf return code must be checked
+ * avc_netlink_recieve handle EINTR
+ * audit2why: silence -Wmissing-prototypes warning
+ * libsemanage: remove build warning when build swig c files
+ * matchpathcon: bad handling of symlinks in /
+ * seusers: remove unused lineno
+ * seusers: getseuser: gracefully handle NULL service
+ * New Android property labeling backend
+ * label_android_property whitespace cleanups
+ * additional makefile support for rubywrap
+ * Remove jump over variable declaration
+ * Fix old style function definitions
+ * Fix const-correctness
+ * Remove unused flush_class_cache method
+ * Add prototype decl for destructor
+ * Add more printf format annotations
+ * Add printf format attribute annotation to die() method
+ * Fix const-ness of parameters & make usage() methods static
+ * Enable many more gcc warnings for libselinux/src/ builds
+ * utils: Enable many more gcc warnings for libselinux/utils builds
+ * Change annotation on include/selinux/avc.h to avoid upsetting SWIG
+ * Ensure there is a prototype for 'matchpathcon_lib_destructor'
+ * Update Makefiles to handle /usrmove
+ * utils: Stop separating out matchpathcon as something special
+ * pkg-config to figure out where ruby include files are located
+ * build with either ruby 1.9 or ruby 1.8
+ * assert if avc_init() not called
+ * take security_deny_unknown into account
+ * security_compute_create_name(3)
+ * Do not link against python library, this is considered
+ * bad practice in debian
+ * Hide unnecessarily-exported library destructors
+
+-------------------------------------------------------------------
+Mon Jan 7 22:34:03 UTC 2013 - jengelh@inai.de
+
+- Remove obsolete defines/sections
+
 -------------------------------------------------------------------
 Tue Dec 11 16:15:52 UTC 2012 - vcizek@suse.com
diff --git a/libselinux.spec b/libselinux.spec
index 270fb95..95cfca5 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libselinux
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,12 +16,13 @@
 #
-%define libsepol_ver 2.1.4
+%define libsepol_ver 2.1.8
 BuildRequires: libsepol-devel >= %{libsepol_ver}
+BuildRequires: pcre-devel
 BuildRequires: pkg-config
 Name: libselinux
-Version: 2.1.9
+Version: 2.1.12
 Release: 0
 Url: http://userspace.selinuxproject.org/
 Summary: SELinux library and simple utilities
@@ -33,7 +34,6 @@ Source2: baselibs.conf
 Patch0: %{name}-rhat.patch
 Patch1: %{name}-ruby.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
-%define debug_package_requires libselinux1 = %{version}-%{release}
 %description
 Security-enhanced Linux is a feature of the Linux(R) kernel and a
@@ -118,7 +118,7 @@ necessary to develop your own software using libselinux.
 %prep
 %setup -q
-%patch0 -p1
+%patch0 -p2
 %patch1
 %build
@@ -147,9 +147,6 @@ mv $RPM_BUILD_ROOT%{_sbindir}/getdefaultcon $RPM_BUILD_ROOT%{_sbindir}/selinuxde
 mv $RPM_BUILD_ROOT%{_sbindir}/getconlist $RPM_BUILD_ROOT%{_sbindir}/selinuxconlist
 install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready
-%clean
-rm -rf $RPM_BUILD_ROOT
-
 %post -n libselinux1 -p /sbin/ldconfig
 %postun -n libselinux1 -p /sbin/ldconfig
@@ -159,7 +156,6 @@ rm -rf $RPM_BUILD_ROOT
 %{_sbindir}/avcstat
 %{_sbindir}/getenforce
 %{_sbindir}/getsebool
-/sbin/matchpathcon
 %{_sbindir}/matchpathcon
 %{_sbindir}/selinuxconlist
 %{_sbindir}/selinuxdefcon
@@ -168,6 +164,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_sbindir}/togglesebool
 %{_sbindir}/selinux-ready
 %{_sbindir}/selinuxexeccon
+%{_sbindir}/sefcontext_compile
 %{_mandir}/man5/*
 %{_mandir}/man8/*
From 10843516a2e6b160e07935e53b397fc36472501976058a3622d2a19fb29f7ea3 Mon Sep 17 00:00:00 2001
From: Stephan Kulow Date: Sun, 7 Apr 2013 12:23:14 +0000 Subject: [PATCH 29/42] Accepting request 162719 from security:SELinux - fixed source url in libselinux-bindings.spec - removed old tarball - fix source url - document changes in libselinux-rhat.patch from previous submission: (most code of the removed code was integrated upstream) * Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root * Add new constant SETRANS_DIR which points to the directory where mstransd can find the socket and libvirt can write its translations files -update to 2.1.13 * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible * do not leak mmapfd * sefcontontext_compile: Add error handling to help debug problems in libsemanage. * man: make selinux.8 mention service man pages * audit2why: Fix segfault if finish() called twice * audit2why: do not leak on multiple init() calls * mode_to_security_class: interface to translate a mode_t in to a security class * audit2why: Cleanup audit2why analysys function * man: Fix program synopsis and function prototypes in man pages * man: Fix man pages formatting * man: Fix typo in man page * man: Add references and man page links to _raw function variants * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions * man: context_new(3): fix the return value description * selinux_status_open: handle error from sysconf OBS-URL: https://build.opensuse.org/request/show/162719 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=36 --- libselinux-2.1.12.tar.gz | 3 - libselinux-2.1.13.tgz | 3 + libselinux-bindings.spec | 7 +- libselinux-rhat.patch | 7694 ++------------------------------------ libselinux.changes | 50 + libselinux.spec | 6 +- 6 files changed, 424 insertions(+), 7339 deletions(-) delete mode 100644 libselinux-2.1.12.tar.gz create mode 100644 libselinux-2.1.13.tgz 
diff --git a/libselinux-2.1.12.tar.gz b/libselinux-2.1.12.tar.gz deleted file mode 100644 index fca51e2..0000000 --- a/libselinux-2.1.12.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8dad879380e0ce1e4ab67195a08f6052c1396493bcb12fe92a033f49f7dbca9e -size 162162 diff --git a/libselinux-2.1.13.tgz b/libselinux-2.1.13.tgz new file mode 100644 index 0000000..ba5ba70 --- /dev/null +++ b/libselinux-2.1.13.tgz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:919b9b52adf042d000dbd43cacc5d307e532a3ac17ee54347fed506d20b59464 +size 175010 diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index e9617f7..fb57327 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -16,7 +16,7 @@ # -%define libsepol_ver 2.1.8 +%define libsepol_ver 2.1.9 BuildRequires: libsepol-devel-static >= %{libsepol_ver} BuildRequires: pcre-devel BuildRequires: python-devel @@ -24,13 +24,14 @@ BuildRequires: ruby-devel BuildRequires: swig Name: libselinux-bindings -Version: 2.1.12 +Version: 2.1.13 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities License: GPL-2.0 and SUSE-Public-Domain Group: System/Libraries -Source: http://userspace.selinuxproject.org/releases/20120216/libselinux-%{version}.tar.gz +# embedded is the MD5 +Source: http://pkgs.fedoraproject.org/lookaside/pkgs/libselinux/libselinux-%{version}.tgz/44be70732a33b8e1fbe2f422e93fb8b3/libselinux-%{version}.tgz Source1: selinux-ready Source2: baselibs.conf Patch0: libselinux-rhat.patch diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index 61cea24..2de6a34 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch @@ -1,5963 +1,223 @@ diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h -index 6b9089d..aba6e33 100644 +index a4079aa..0b122af 100644 --- a/libselinux/include/selinux/selinux.h 
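Review bot: The comment `# embedded is the MD5` added above the new Source: line in libselinux-bindings.spec does not say what the hash is of or that nothing checks it; the hex path component of the Fedora lookaside URL is the tarball's MD5 used only to address the file, and rpmbuild treats the Source URL as metadata, so it is not an integrity check at build time. I would reword it as `# Fedora lookaside cache URL; the hex path component is the tarball's MD5 and only locates the file, it is not verified at build time` so a later maintainer does not read it as verification. The integrity of the tarball actually committed here rests on the sha256 in the libselinux-2.1.13.tgz LFS pointer in this same commit, which is the value worth comparing against an upstream release when the source host changes. The URL is also plain http; if the lookaside is reachable over https that would be preferable, though I cannot confirm availability from here.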
+++ b/libselinux/include/selinux/selinux.h -@@ -360,6 +360,8 @@ extern int selinux_set_mapping(struct security_class_mapping *map); +@@ -177,6 +177,7 @@ extern void selinux_set_callback(int type, union selinux_callback cb); + #define SELINUX_WARNING 1 + #define SELINUX_INFO 2 + #define SELINUX_AVC 3 ++#define SELINUX_TRANS_DIR "/var/run/setrans" - /* Common helpers */ - -+/* Convert between mode and security class values */ -+extern security_class_t mode_to_security_class(mode_t mode); - /* Convert between security class values and string names */ - extern security_class_t string_to_security_class(const char *name); - extern const char *security_class_to_string(security_class_t cls); -@@ -496,7 +498,9 @@ extern const char *selinux_policy_root(void); + /* Compute an access decision. */ + extern int security_compute_av(const security_context_t scon, +@@ -496,8 +497,15 @@ extern int selinux_getpolicytype(char **policytype); + */ + extern const char *selinux_policy_root(void); ++/* ++ selinux_set_policy_root sets an alternate policy root directory path under ++ which the compiled policy file and context configuration files exist. ++ */ ++extern int selinux_set_policy_root(const char *rootpath); ++ /* These functions return the paths to specific files under the policy root directory. 
*/ +extern const char *selinux_current_policy_path(void); extern const char *selinux_binary_policy_path(void); -+extern char *selinux_binary_policy_path_min_max(int min, int *max); extern const char *selinux_failsafe_context_path(void); extern const char *selinux_removable_context_path(void); - extern const char *selinux_default_context_path(void); -diff --git a/libselinux/man/man3/avc_add_callback.3 b/libselinux/man/man3/avc_add_callback.3 -index 9c83cac..dbfe72d 100644 ---- a/libselinux/man/man3/avc_add_callback.3 -+++ b/libselinux/man/man3/avc_add_callback.3 -@@ -3,33 +3,35 @@ - .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004 - .TH "avc_add_callback" "3" "9 June 2004" "" "SELinux API documentation" - .SH "NAME" --avc_add_callback \- additional event notification for SELinux userspace object managers. -+avc_add_callback \- additional event notification for SELinux userspace object managers -+. - .SH "SYNOPSIS" - .B #include -- -+.br - .B #include - .sp - .BI "int avc_add_callback(int (*" callback ")(uint32_t " event , - .in +\w'int avc_add_callback(int (*callback)('u - .BI "security_id_t " ssid , -- -+.br - .BI "security_id_t " tsid , -- -+.br - .BI "security_class_t " tclass , -- -+.br - .BI "access_vector_t " perms , -- -+.br - .BI "access_vector_t *" out_retained ")," - .in - .in +\w'int avc_add_callback('u - .BI "uint32_t " events ", security_id_t " ssid , -- -+.br - .BI "security_id_t " tsid ", security_class_t " tclass , -- -+.br - .BI "access_vector_t " perms ");" - .in -+. - .SH "DESCRIPTION" --.B avc_add_callback -+.BR avc_add_callback () - is used to register callback functions on security events. The purpose of this functionality is to allow userspace object managers to take additional action when a policy change, usually a policy reload, causes permissions to be granted or revoked. - - .I events -@@ -55,10 +57,14 @@ and will cause any SID to match. - .I callback - is the callback function provided by the userspace object manager. 
The - .I event --argument indicates the security event which occured; the remaining arguments are interpreted according to the event as described below. The return value of the callback should be zero on success, \-1 on error with errno set appropriately (but see -+argument indicates the security event which occured; the remaining arguments -+are interpreted according to the event as described below. The return value -+of the callback should be zero on success, \-1 on error with -+.I errno -+set appropriately (but see - .B RETURN VALUE - below). -- -+. - .SH "SECURITY EVENTS" - In all cases below, - .I ssid -@@ -69,7 +75,7 @@ may be set to - indicating that the change applies to all source and/or target SID's. Unless otherwise indicated, the - .I out_retained - parameter is unused. -- -+. - .TP - .B AVC_CALLBACK_GRANT - Previously denied permissions are now granted for -@@ -142,10 +148,10 @@ should no longer be audited when denied for - .I tsid - with respect to - .IR tclass . -- -+. - .SH "RETURN VALUE" - On success, --.B avc_add_callback -+.BR avc_add_callback () - returns zero. On error, \-1 is returned and - .I errno - is set appropriately. -@@ -157,25 +163,27 @@ on all further permission checks until - is called. In non-threaded mode, the permission check on which the error occurred will return \-1 and the value of - .I errno - encountered to the caller. In both cases, a log message is produced and the kernel may be notified of the error. -- -+. - .SH "ERRORS" - .TP - .B ENOMEM - An attempt to allocate memory failed. -- -+. - .SH "NOTES" - If the userspace AVC is running in threaded mode, callbacks registered via --.B avc_add_callback -+.BR avc_add_callback () - may be executed in the context of the netlink handler thread. This will likely introduce synchronization issues requiring the use of locks. See - .BR avc_init (3). - - Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module. 
The only security event that currently gets excercised is - .BR AVC_CALLBACK_RESET . -- -+. - .SH "AUTHOR" - Eamon Walsh -- -+. - .SH "SEE ALSO" -+.ad l -+.nh - .BR avc_init (3), - .BR avc_has_perm (3), - .BR avc_context_to_sid (3), -diff --git a/libselinux/man/man3/avc_cache_stats.3 b/libselinux/man/man3/avc_cache_stats.3 -index 96f2b21..c00f090 100644 ---- a/libselinux/man/man3/avc_cache_stats.3 -+++ b/libselinux/man/man3/avc_cache_stats.3 -@@ -3,10 +3,11 @@ - .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004 - .TH "avc_cache_stats" "3" "27 May 2004" "" "SELinux API documentation" - .SH "NAME" --avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics. -+avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC statistics -+. - .SH "SYNOPSIS" - .B #include -- -+.br - .B #include - .sp - .BI "void avc_av_stats(void);" -@@ -14,15 +15,16 @@ avc_cache_stats, avc_av_stats, avc_sid_stats \- obtain userspace SELinux AVC sta - .BI "void avc_sid_stats(void);" - .sp - .BI "void avc_cache_stats(struct avc_cache_stats *" stats ");" -+. - .SH "DESCRIPTION" - The userspace AVC maintains two internal hash tables, one to store security ID's and one to cache access decisions. - --.B avc_av_stats -+.BR avc_av_stats () - and --.B avc_sid_stats -+.BR avc_sid_stats () - produce log messages indicating the status of the access decision and SID tables, respectively. The messages contain the number of entries in the table, number of hash buckets and number of buckets used, and maximum number of entries in a single bucket. - --.B avc_cache_stats -+.BR avc_cache_stats () - populates a structure whose fields reflect cache activity: - - .RS -@@ -74,26 +76,28 @@ Number of cache misses. - .TP - .I cav_probes - Number of entries examined while searching the cache. -- -+. 
- .SH "NOTES" - When the cache is flushed as a result of a call to --.B avc_reset -+.BR avc_reset () - or a policy change notification, - the statistics returned by --.B avc_cache_stats -+.BR avc_cache_stats () - are reset to zero. The SID table, however, is left - unchanged. - - When a policy change notification is received, a call to --.B avc_av_stats -+.BR avc_av_stats () - is made before the cache is flushed. -- -+. - .SH "AUTHOR" - Eamon Walsh -- -+. - .SH "SEE ALSO" -+.ad l -+.nh - .BR avc_init (3), - .BR avc_has_perm (3), - .BR avc_context_to_sid (3), --.BR avc_add_callback (3) -+.BR avc_add_callback (3), - .BR selinux (8) -diff --git a/libselinux/man/man3/avc_compute_create.3 b/libselinux/man/man3/avc_compute_create.3 -index 52d09b5..ce615bf 100644 ---- a/libselinux/man/man3/avc_compute_create.3 -+++ b/libselinux/man/man3/avc_compute_create.3 -@@ -3,10 +3,11 @@ - .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007 - .TH "avc_compute_create" "3" "30 Mar 2007" "" "SELinux API documentation" - .SH "NAME" --avc_compute_create, avc_compute_member \- obtain SELinux label for new object. -+avc_compute_create, avc_compute_member \- obtain SELinux label for new object -+. - .SH "SYNOPSIS" - .B #include -- -+.br - .B #include - .sp - .BI "int avc_compute_create(security_id_t " ssid ", security_id_t " tsid , -@@ -18,26 +19,27 @@ avc_compute_create, avc_compute_member \- obtain SELinux label for new object. - .in +\w'int avc_compute_member('u - .BI "security_class_t " tclass ", security_id_t *" newsid ");" - .in -+. - .SH "DESCRIPTION" --.B avc_compute_create -+.BR avc_compute_create () - is used to compute a SID to use for labeling a new object in a particular class based on a SID pair. This call is identical to --.BR security_compute_create , -+.BR security_compute_create (), - but does not require converting from userspace SID's to contexts and back again. 
- --.B avc_compute_member -+.BR avc_compute_member () - is used to compute a SID to use for labeling a polyinstantiated object instance of a particular class based on a SID pair. This call is identical to --.BR security_compute_member , -+.BR security_compute_member (), - but does not require converting from userspace SID's to contexts and back again. - - These functions - return a SID for the computed context in the memory referenced by - .IR sid . -- -+. - .SH "RETURN VALUE" - On success, zero is returned. On error, \-1 is returned and - .I errno - is set appropriately. -- -+. - .SH "ERRORS" - .TP - .B EINVAL -@@ -48,14 +50,13 @@ and/or the security contexts referenced by - and - .I tsid - are not recognized by the currently loaded policy. -- - .TP - .B ENOMEM - An attempt to allocate memory failed. -- -+. - .SH "AUTHOR" - Eamon Walsh -- -+. - .SH "SEE ALSO" - .BR avc_init (3), - .BR avc_context_to_sid (3), -diff --git a/libselinux/man/man3/avc_context_to_sid.3 b/libselinux/man/man3/avc_context_to_sid.3 -index 1caf5ec..e416b09 100644 ---- a/libselinux/man/man3/avc_context_to_sid.3 -+++ b/libselinux/man/man3/avc_context_to_sid.3 -@@ -3,10 +3,11 @@ - .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004 - .TH "avc_context_to_sid" "3" "27 May 2004" "" "SELinux API documentation" - .SH "NAME" --avc_context_to_sid, avc_sid_to_context, avc_get_initial_sid \- obtain and manipulate SELinux security ID's. -+avc_context_to_sid, avc_sid_to_context, avc_get_initial_sid \- obtain and manipulate SELinux security ID's -+. - .SH "SYNOPSIS" - .B #include -- -+.br - .B #include - .sp - .BI "int avc_context_to_sid(security_context_t " ctx ", security_id_t *" sid ");" -@@ -14,17 +15,17 @@ avc_context_to_sid, avc_sid_to_context, avc_get_initial_sid \- obtain and manipu - .BI "int avc_sid_to_context(security_id_t " sid ", security_context_t *" ctx ");" - .sp - .BI "int avc_get_initial_sid(const char *" name ", security_id_t *" sid ");" --.sp -+. 
- .SH "DESCRIPTION" - Security ID's (SID's) are opaque representations of security contexts, managed by the userspace AVC. - --.B avc_context_to_sid -+.BR avc_context_to_sid () - returns a SID for the given - .I context - in the memory referenced by - .IR sid . - --.B avc_sid_to_context -+.BR avc_sid_to_context () - returns a copy of the context represented by - .I sid - in the memory referenced by -@@ -32,40 +33,41 @@ in the memory referenced by - The user must free the copy with - .BR freecon (3). - --.B avc_get_initial_sid -+.BR avc_get_initial_sid () - returns a SID for the kernel initial security identifier specified by - .IR name . -- -+. - .SH "RETURN VALUE" --.B avc_context_to_sid -+.BR avc_context_to_sid () - and --.B avc_sid_to_context -+.BR avc_sid_to_context () - return zero on success. On error, \-1 is returned and - .I errno - is set appropriately. -- -+. - .SH "ERRORS" - .TP - .B ENOMEM - An attempt to allocate memory failed. -- - .SH "NOTES" - As of libselinux version 2.0.86, SID's are no longer reference counted. A SID will be valid from the time it is first obtained until the next call to - .BR avc_destroy (3). - The --.B sidget -+.BR sidget (3) - and --.B sidput -+.BR sidput (3) - functions, formerly used to adjust the reference count, are no-ops and are deprecated. -- -+. - .SH "AUTHOR" - Eamon Walsh -- -+. 
- .SH "SEE ALSO" -+.ad l -+.nh - .BR avc_init (3), - .BR avc_has_perm (3), - .BR avc_cache_stats (3), - .BR avc_add_callback (3), - .BR getcon (3), --.BR freecon (3) -+.BR freecon (3), - .BR selinux (8) -diff --git a/libselinux/man/man3/avc_has_perm.3 b/libselinux/man/man3/avc_has_perm.3 -index 50f4d44..7353952 100644 ---- a/libselinux/man/man3/avc_has_perm.3 -+++ b/libselinux/man/man3/avc_has_perm.3 -@@ -3,10 +3,11 @@ - .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004 - .TH "avc_has_perm" "3" "27 May 2004" "" "SELinux API documentation" - .SH "NAME" --avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and audit SELinux access decisions. -+avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and audit SELinux access decisions -+. - .SH "SYNOPSIS" - .B #include -- -+.br - .B #include - .sp - .BI "void avc_entry_ref_init(struct avc_entry_ref *" aeref ");" -@@ -14,32 +15,33 @@ avc_has_perm, avc_has_perm_noaudit, avc_audit, avc_entry_ref_init \- obtain and - .BI "int avc_has_perm(security_id_t " ssid ", security_id_t " tsid , - .in +\w'int avc_has_perm('u - .BI "security_class_t " tclass ", access_vector_t " requested , -- -+.br - .BI "struct avc_entry_ref *" aeref ", void *" auditdata ");" - .in - .sp - .BI "int avc_has_perm_noaudit(security_id_t " ssid ", security_id_t " tsid , - .in +\w'int avc_has_perm('u - .BI "security_class_t " tclass ", access_vector_t " requested , -- -+.br - .BI "struct avc_entry_ref *" aeref ", struct av_decision *" avd ");" - .in - .sp - .BI "void avc_audit(security_id_t " ssid ", security_id_t " tsid , - .in +\w'void avc_audit('u - .BI "security_class_t " tclass ", access_vector_t " requested , -- -+.br - .BI "struct av_decision *" avd ", int " result ", void *" auditdata ");" - .in -+. - .SH "DESCRIPTION" --.B avc_entry_ref_init -+.BR avc_entry_ref_init () - initializes an - .B avc_entry_ref - structure; see - .B ENTRY REFERENCES - below. This function may be implemented as a macro. 
- --.B avc_has_perm -+.BR avc_has_perm () - checks whether the - .I requested - permissions are granted -@@ -55,19 +57,19 @@ and updating - if non-NULL, to refer to a cache entry with the resulting decision. The granting or denial of permissions is audited in accordance with the policy. The - .I auditdata - parameter is for supplemental auditing; see --.B avc_audit -+.BR avc_audit () - below. - --.B avc_has_perm_noaudit -+.BR avc_has_perm_noaudit () - behaves as --.B avc_has_perm -+.BR avc_has_perm () - without producing an audit message. The access decision is returned in - .I avd - and can be passed to --.B avc_audit -+.BR avc_audit () - explicitly. - --.B avc_audit -+.BR avc_audit () - produces an audit message for the access query represented by - .IR ssid , - .IR tsid , -@@ -77,7 +79,7 @@ and - with a decision represented by - .IR avd . - Pass the value returned by --.B avc_has_perm_noaudit -+.BR avc_has_perm_noaudit () - as - .IR result . - The -@@ -86,7 +88,7 @@ parameter is passed to the user-supplied - .B func_audit - callback and can be used to add supplemental information to the audit message; see - .BR avc_init (3). -- -+. - .SH "ENTRY REFERENCES" - Entry references can be used to speed cache performance for repeated queries on the same subject and target. The userspace AVC will check the - .I aeref -@@ -97,14 +99,14 @@ will be updated to reference the cache entry for that query. A subsequent query - After declaring an - .B avc_entry_ref - structure, use --.B avc_entry_ref_init -+.BR avc_entry_ref_init () - to initialize it before passing it to --.B avc_has_perm -+.BR avc_has_perm () - or --.B avc_has_perm_noaudit -+.BR \%avc_has_perm_noaudit () - for the first time. - Using an uninitialized structure will produce undefined behavior. -- -+. - .SH "RETURN VALUE" - If requested permissions are granted, zero is returned. If requested permissions are denied or an error occured, \-1 is returned and - .I errno -@@ -113,9 +115,9 @@ is set appropriately. 
- In permissive mode, zero will be returned and - .I errno - unchanged even if permissions were denied. --.B avc_has_perm -+.BR avc_has_perm () - will still produce an audit message in this case. -- -+. - .SH "ERRORS" - .TP - .B EACCES -@@ -132,7 +134,7 @@ are not recognized by the currently loaded policy. - .TP - .B ENOMEM - An attempt to allocate memory failed. -- -+. - .SH "NOTES" - Internal errors encountered by the userspace AVC may cause certain values of - .I errno -@@ -142,14 +144,16 @@ or - .BR EINVAL . - Make sure that userspace object managers are granted appropriate access to - netlink by the policy. -- -+. - .SH "AUTHOR" - Eamon Walsh -- -+. - .SH "SEE ALSO" -+.ad l -+.nh - .BR avc_init (3), - .BR avc_context_to_sid (3), - .BR avc_cache_stats (3), - .BR avc_add_callback (3), --.BR security_compute_av (3) --.BR selinux(8) -+.BR security_compute_av (3), -+.BR selinux (8) -diff --git a/libselinux/man/man3/avc_init.3 b/libselinux/man/man3/avc_init.3 -index 331a665..e26c3be 100644 ---- a/libselinux/man/man3/avc_init.3 -+++ b/libselinux/man/man3/avc_init.3 -@@ -3,37 +3,39 @@ - .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2004 - .TH "avc_init" "3" "27 May 2004" "" "SELinux API documentation" - .SH "NAME" --avc_init - legacy userspace SELinux AVC setup. -+avc_init \- legacy userspace SELinux AVC setup -+. - .SH "SYNOPSIS" - .B #include -- -+.br - .B #include - .sp - .BI "int avc_init(const char *" msgprefix , - .in +\w'int avc_init('u - .BI "const struct avc_memory_callback *" mem_callbacks , -- -+.br - .BI "const struct avc_log_callback *" log_callbacks , -- -+.br - .BI "const struct avc_thread_callback *" thread_callbacks , -- -+.br - .BI "const struct avc_lock_callback *" lock_callbacks ");" -+. - .SH "DESCRIPTION" --.B avc_init -+.BR avc_init () - is deprecated; please use - .BR avc_open (3) - in conjunction with - .BR selinux_set_callback (3) - in all new code. 
- --.B avc_init -+.BR avc_init () - initializes the userspace AVC and must be called before any other AVC operation can be performed. A non-NULL - .I msgprefix - will be prepended to all audit messages produced by the userspace AVC. The default is `uavc'. The remaining arguments, if non-NULL, specify callbacks to be used by the userspace AVC. -- -+. - .SH "CALLBACKS" - The userspace AVC can be directed how to perform memory allocation, logging, thread creation, and locking via callback functions passed to --.BR avc_init . -+.BR avc_init (). - The purpose of this functionality is to allow the userspace AVC to be smoothly integrated into existing userspace object managers. - - Use an -@@ -150,26 +152,26 @@ The - callback should destroy - .IR lock , - freeing any resources associated with it. The default behavior is not to perform any locking. Note that undefined behavior may result if threading is used without appropriate locking. -- -+. - .SH "NETLINK NOTIFICATION" - Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of - .BR avc_has_perm (3) - to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed. - - In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to --.B avc_init -+.BR avc_init () - however, a dedicated thread will be started to listen on the netlink socket. This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query. -- -+. 
- .SH "RETURN VALUE" - Functions with a return value return zero on success. On error, \-1 is returned and - .I errno - is set appropriately. -- -+. - .SH "NOTES" - The - .I msgprefix - argument to --.B avc_init -+.BR avc_init () - currently has a length limit of 15 characters and will be truncated if necessary. - - If a provided -@@ -184,12 +186,11 @@ If a netlink thread has been created and an error occurs on the socket (such as - on all further permission checks until - .B avc_destroy - is called. -- -+. - .SH "AUTHOR" - Eamon Walsh -- -+. - .SH "SEE ALSO" - .BR avc_open (3), - .BR selinux_set_callback (3), - .BR selinux (8) -- -diff --git a/libselinux/man/man3/avc_netlink_loop.3 b/libselinux/man/man3/avc_netlink_loop.3 -index 785be4c..c8268a1 100644 ---- a/libselinux/man/man3/avc_netlink_loop.3 -+++ b/libselinux/man/man3/avc_netlink_loop.3 -@@ -5,24 +5,25 @@ - .SH "NAME" - avc_netlink_open, avc_netlink_close, avc_netlink_acquire_fd, - avc_netlink_release_fd, avc_netlink_check_nb, avc_netlink_loop \- SELinux --netlink processing. -+netlink processing -+. - .SH "SYNOPSIS" - .B #include -- -+.br - .B #include - .sp - .BI "int avc_netlink_open(int " blocking ");" - .sp --.BI "void avc_netlink_close(void);" --.sp --.BI "int avc_netlink_acquire_fd(void);" -+.B void avc_netlink_close(void); - .sp --.BI "void avc_netlink_release_fd(void);" -+.B int avc_netlink_acquire_fd(void); - .sp --.BI "void avc_netlink_loop(void);" -+.B void avc_netlink_release_fd(void); - .sp --.BI "int avc_netlink_check_nb(void);" -+.B void avc_netlink_loop(void); - .sp -+.B int avc_netlink_check_nb(void); -+. - .SH "DESCRIPTION" - These functions enable applications to handle notification of SELinux events - via netlink. The userspace AVC normally checks for netlink messages on each -@@ -35,7 +36,7 @@ loop. These functions also permit netlink monitoring without requiring a - call to - .BR avc_open (3). 
- --.B avc_netlink_open -+.BR avc_netlink_open () - opens a netlink socket to receive SELinux notifications. The socket - descriptor is stored internally; use - .BR avc_netlink_acquire_fd (3) -@@ -45,38 +46,38 @@ argument controls whether the O_NONBLOCK flag is set on the socket descriptor. - .BR avc_open (3) - calls this function internally, specifying non-blocking behavior. - --.B avc_netlink_close -+.BR avc_netlink_close () - closes the netlink socket. This function is called automatically by - .BR avc_destroy (3). - --.B avc_netlink_acquire_fd -+.BR avc_netlink_acquire_fd () - returns the netlink socket descriptor number and informs the userspace AVC - not to check the socket descriptor automatically on calls to - .BR avc_has_perm (3). - --.B avc_netlink_release_fd -+.BR avc_netlink_release_fd () - returns control of the netlink socket to the userspace AVC, re-enabling - automatic processing of notifications. - --.B avc_netlink_check_nb -+.BR avc_netlink_check_nb () - checks the netlink socket for pending messages and processes them. - Callbacks for policyload and enforcing changes will be called; - see - .BR selinux_set_callback (3). - This function does not block. - --.B avc_netlink_loop -+.BR avc_netlink_loop () - enters a loop blocking on the netlink socket and processing messages as they - are received. This function will not return unless an error occurs on - the socket, in which case the socket is closed. -- -+. - .SH "RETURN VALUE" --.B avc_netlink_acquire_fd -+.BR avc_netlink_acquire_fd () - returns a non-negative file descriptor number on success. Other functions --with a return value return zero on success. On error, -1 is returned and -+with a return value return zero on success. On error, \-1 is returned and - .I errno - is set appropriately. -- -+. 
- .SH "SEE ALSO" - .BR avc_open (3), - .BR selinux_set_callback (3), -diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3 -index d1dab8f..5b275a8 100644 ---- a/libselinux/man/man3/avc_open.3 -+++ b/libselinux/man/man3/avc_open.3 -@@ -3,10 +3,11 @@ - .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2008 - .TH "avc_open" "3" "12 Jun 2008" "" "SELinux API documentation" - .SH "NAME" --avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown. -+avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and teardown -+. - .SH "SYNOPSIS" - .B #include -- -+.br - .B #include - .sp - .BI "int avc_open(struct selinux_opt *" options ", unsigned " nopt ");" -@@ -16,49 +17,48 @@ avc_open, avc_destroy, avc_reset, avc_cleanup \- userspace SELinux AVC setup and - .BI "int avc_reset(void);" - .sp - .BI "void avc_cleanup(void);" -+. - .SH "DESCRIPTION" --.B avc_open -+.BR avc_open () - initializes the userspace AVC and must be called before any other AVC operation can be performed. - --.B avc_destroy -+.BR avc_destroy () - destroys the userspace AVC, freeing all internal memory structures. After this call has been made, --.B avc_open -+.BR avc_open () - must be called again before any AVC operations can be performed. - --.B avc_reset -+.BR avc_reset () - flushes the userspace AVC, causing it to forget any cached access decisions. The userspace AVC normally calls this function automatically when needed, see - .B NETLINK NOTIFICATION - below. - --.B avc_cleanup -+.BR avc_cleanup () - attempts to free unused memory within the userspace AVC, but does not flush any cached access decisions. Under normal operation, calling this function should not be necessary. -- - .SH "OPTIONS" - The userspace AVC obeys callbacks set via - .BR selinux_set_callback (3), - in particular the logging and audit callbacks. 
- - The options which may be passed to --.B avc_open -+.BR avc_open () - include the following: -- - .TP - .B AVC_OPT_SETENFORCE - This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise. The system enforcing mode will be ignored. -- -+. - .SH "NETLINK NOTIFICATION" - Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of - .BR avc_has_perm (3) - to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed. -- -+. - .SH "RETURN VALUE" - Functions with a return value return zero on success. On error, \-1 is returned and - .I errno - is set appropriately. -- -+. - .SH "AUTHOR" - Eamon Walsh -- -+. - .SH "SEE ALSO" - .BR selinux (8), - .BR avc_has_perm (3), -@@ -67,4 +67,3 @@ Eamon Walsh - .BR avc_add_callback (3), - .BR selinux_set_callback (3), - .BR security_compute_av (3) -- -diff --git a/libselinux/man/man3/context_new.3 b/libselinux/man/man3/context_new.3 -index 820f927..3dabac3 100644 ---- a/libselinux/man/man3/context_new.3 -+++ b/libselinux/man/man3/context_new.3 -@@ -1,61 +1,83 @@ - .TH "context_new" "3" "20 December 2011" "dwalsh@redhat.com" "SELinux API documentation" - .SH "NAME" - context_new, context_str, context_free, context_type_get, context_type_set, context_range_get, context_range_set,context_role_get, context_role_set, context_user_get, context_user_set \- Routines to manipulate SELinux security contexts -- -+. 
- .SH "SYNOPSIS"
- .B #include
--
-+.sp
- .BI "context_t context_new(const char *" context_str );
--
-+.sp
- .BI "const char * context_str(context_t " con );
--
-+.sp
- .BI "void context_free(context_t " con );
--
-+.sp
- .BI "const char * context_type_get(context_t " con );
--
-+.sp
- .BI "const char * context_range_get(context_t " con );
--
-+.sp
- .BI "const char * context_role_get(context_t " con );
--
-+.sp
- .BI "const char * context_user_get(context_t " con );
--
-+.sp
- .BI "int context_type_set(context_t " con ", const char *" type );
--
-+.sp
- .BI "int context_range_set(context_t " con ", const char *" range );
--
-+.sp
- .BI "int context_role_set(context_t " con ", const char *" role );
--
-+.sp
- .BI "int context_user_set(context_t " con ", const char *" user );
--
-+.
- .SH "DESCRIPTION"
- These functions allow an application to manipulate the fields of a
- security context string without requiring it to know the format of the
- string.
- 
--context_new
-- Return a new context initialized to a context string
--
--context_str
-- Return a pointer to the string value of the context_t
--Valid until the next call to context_str or context_free
--for the same context_t*
--
--context_free
-- Free the storage used by a context
--
--context_type_get, context_range_get, context_role_get, context_user_get
-- Get a pointer to the string value of a context component
--
--.B NOTE:
-+.BR context_new ()
-+returns a new context initialized to a context string.
-+
-+.BR context_str ()
-+returns a pointer to the string value of the
-+.BR context_t ,
-+valid until the next call to
-+.BR context_str ()
-+or
-+.BR context_free ()
-+for the same
-+.BR context_t* .
-+
-+.BR context_free ()
-+frees the storage used by a context.
-+
-+.BR context_type_get (),
-+.BR context_range_get (),
-+.BR context_role_get (),
-+.BR \%context_user_get ()
-+get a pointer to the string value of a context component.
-+
-+.B Note:
- Values returned by the get functions are only valid until the next call
--to a set function or context_free() for the same context_t structure.
--
--context_type_set, context_range_set, context_role_set, context_user_set
-- Set a context component
--
-+to a set function or
-+.BR context_free ()
-+for the same
-+.B context_t
-+structure.
-+
-+.BR context_type_set (),
-+.BR context_range_set (),
-+.BR context_role_set (),
-+.BR \%context_user_set ()
-+set a context component.
-+.
- .SH "RETURN VALUE"
--On success, zero is returned. On failure, -1 is returned and errno is
--set appropriately.
-+On failure
-+.BR context_*_set ()
-+functions return non-zero and 0 on success.
-+
-+The other functions return NULL on failure and non-NULL on success.
- 
-+On failure
-+.I errno
-+is set appropriately.
-+.
- .SH "SEE ALSO"
- .BR selinux "(8)"
-diff --git a/libselinux/man/man3/fgetfilecon_raw.3 b/libselinux/man/man3/fgetfilecon_raw.3
-new file mode 100644
-index 0000000..ae6dfcf
---- /dev/null
-+++ b/libselinux/man/man3/fgetfilecon_raw.3
-@@ -0,0 +1 @@
-+.so man3/getfilecon.3
-diff --git a/libselinux/man/man3/fsetfilecon_raw.3 b/libselinux/man/man3/fsetfilecon_raw.3
-new file mode 100644
-index 0000000..33c321a
---- /dev/null
-+++ b/libselinux/man/man3/fsetfilecon_raw.3
-@@ -0,0 +1 @@
-+.so man3/setfilecon.3
-diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
-index c3fa956..63cba81 100644
---- a/libselinux/man/man3/get_ordered_context_list.3
-+++ b/libselinux/man/man3/get_ordered_context_list.3
-@@ -1,10 +1,10 @@
- .TH "get_ordered_context_list" "3" "1 January 2004" "russell@coker.com.au" "SELinux"
- .SH "NAME"
- get_ordered_context_list, get_ordered_context_list_with_level, get_default_context, get_default_context_with_level, get_default_context_with_role, get_default_context_with_rolelevel, query_user_context, manual_user_enter_context, get_default_role \- determine SELinux context(s) for user sessions
--
-+.
- .SH "SYNOPSIS"
- .B #include
--
-+.br
- .B #include
- .sp
- .BI "int get_ordered_context_list(const char *" user ", security_context_t "fromcon ", security_context_t **" list );
-@@ -15,66 +15,94 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
- .sp
- .BI "int get_default_context_with_level(const char *" user ", const char *" level ", security_context_t "fromcon ", security_context_t *" newcon );
- .sp
--.BI "int get_default_context_with_role(const char* " user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
-+.BI "int get_default_context_with_role(const char *" user ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
- .sp
--.BI "int get_default_context_with_rolelevel(const char* " user ", const char* " level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
-+.BI "int get_default_context_with_rolelevel(const char *" user ", const char *" level ", const char *" role ", security_context_t " fromcon ", security_context_t *" newcon ");
- .sp
- .BI "int query_user_context(security_context_t *" list ", security_context_t *" newcon );
- .sp
- .BI "int manual_user_enter_context(const char *" user ", security_context_t *" newcon );
- .sp
- .BI "int get_default_type(const char *" role ", char **" type );
--
-+.
- .SH "DESCRIPTION"
--.B get_ordered_context_list
-+.BR get_ordered_context_list ()
- invokes the
--.B security_compute_user
-+.BR security_compute_user (3)
- function to obtain the list of contexts for the specified
- .I user
- that are reachable from the specified
- .I fromcon
- context. The function then orders the resulting list based on the global
--.B /etc/selinux//contexts/default_contexts
-+.I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
- file and the per-user
--.B /etc/selinux//contexts/users/
-+.I \%/etc/selinux/{SELINUXTYPE}/contexts/users/
- file if it exists. The
- .I fromcon
- parameter may be NULL to indicate that the current context should
- be used. The function returns the number of contexts in the
--list, or -1 upon errors. The list must be freed using the
--.B freeconary
-+list, or \-1 upon errors. The list must be freed using the
-+.BR freeconary (3)
- function.
- 
--.B get_ordered_context_list_with_level
--invokes the get_ordered_context_list function and applies the specified level.
-+.BR get_ordered_context_list_with_level ()
-+invokes the
-+.BR \%get_ordered_context_list ()
-+function and applies the specified level.
- 
--.B get_default_context
--is the same as get_ordered_context_list but only returns a single context
--which has to be freed with freecon.
-+.BR get_default_context ()
-+is the same as
-+.BR get_ordered_context_list ()
-+but only returns a single context
-+which has to be freed with
-+.BR freecon (3).
- 
--.B get_default_context_with_level
--invokes the get_default_context function and applies the specified level.
-+.BR get_default_context_with_level ()
-+invokes the
-+.BR get_default_context ()
-+function and applies the specified level.
- 
--.B get_default_context_with_role
--is the same as get_default_context but only returns a context with the specified role, returning -1 if no such context is reachable for the user.
-+.BR get_default_context_with_role ()
-+is the same as
-+.BR get_default_context ()
-+but only returns a context with the specified role, returning \-1 if no
-+such context is reachable for the user.
- 
--.B get_default_context_with_rolelevel
--invokes the get_default_context_with_role function and applies the specified level.
-+.BR get_default_context_with_rolelevel ()
-+invokes the
-+.BR \%get_default_context_with_role ()
-+function and applies the specified level.
- 
--.B query_user_context
-+.BR query_user_context ()
- takes a list of contexts, queries the user via stdin/stdout as to which context
- they want, and returns a new context as selected by the user (which has to be
--freed with freecon).
-+freed with
-+.BR freecon (3)).
- 
--.B manual_user_enter_context
--allows the user to manually enter a context as a fallback if a list of authorized contexts could not be obtained. Caller must free via freecon.
--
--.B get_default_type
--Get the default type (domain) for 'role' and set 'type' to refer to it, which has to be freed with free.
-+.BR manual_user_enter_context ()
-+allows the user to manually enter a context as a fallback if a list of
-+authorized contexts could not be obtained. Caller must free via
-+.BR freecon (3).
- 
-+.BR get_default_type ()
-+Get the default type (domain) for
-+.I role
-+and set
-+.I type
-+to refer to it, which has to be freed with free.
-+.
- .SH "RETURN VALUE"
--get_ordered_context_list and get_ordered_context_list_with_level return the number of contexts in the list upon success or -1 upon errors.
--The other functions return 0 for success or -1 for errors.
--
-+.BR get_ordered_context_list ()
-+and
-+.BR get_ordered_context_list_with_level ()
-+return the number of contexts in the list upon success or \-1 upon errors.
-+The other functions return 0 for success or \-1 for errors.
-+.
- .SH "SEE ALSO"
--.BR selinux "(8), " freeconary "(3), " freecon "(3), " security_compute_av "(3)", getseuserbyname"(3)"
-+.ad l
-+.nh
-+.BR selinux (8),
-+.BR freeconary (3),
-+.BR freecon (3),
-+.BR security_compute_av (3),
-+.BR getseuserbyname (3)
-diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3
-index c620c51..239bb7d 100644
---- a/libselinux/man/man3/getcon.3
-+++ b/libselinux/man/man3/getcon.3
-@@ -1,78 +1,118 @@
- .TH "getcon" "3" "21 December 2011" "russell@coker.com.au" "SELinux API documentation"
- .SH "NAME"
--getcon, getprevcon, getpidcon \- get SELinux security context of a process.
-+getcon, getprevcon, getpidcon \- get SELinux security context of a process
- 
--freecon, freeconary \- free memory associated with SELinux security contexts.
-+freecon, freeconary \- free memory associated with SELinux security contexts
- 
--getpeercon - get security context of a peer socket.
-+getpeercon \- get security context of a peer socket
- 
--setcon - set current security context of a process.
-+setcon \- set current security context of a process
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
- .BI "int getcon(security_context_t *" context );
--
-+.sp
-+.BI "int getcon_raw(security_context_t *" context );
-+.sp
- .BI "int getprevcon(security_context_t *" context );
--
-+.sp
-+.BI "int getprevcon_raw(security_context_t *" context );
-+.sp
- .BI "int getpidcon(pid_t " pid ", security_context_t *" context );
--
--.BI "int getpeercon(int " fd ", security_context_t *" context);
--
-+.sp
-+.BI "int getpidcon_raw(pid_t " pid ", security_context_t *" context );
-+.sp
-+.BI "int getpeercon(int " fd ", security_context_t *" context );
-+.sp
-+.BI "int getpeercon_raw(int " fd ", security_context_t *" context );
-+.sp
- .BI "void freecon(security_context_t "con );
--
-+.sp
- .BI "void freeconary(security_context_t *" con );
--
--.BI "int setcon(security_context_t " context);
--
-+.sp
-+.BI "int setcon(security_context_t " context );
-+.sp
-+.BI "int setcon_raw(security_context_t " context );
-+.
- .SH "DESCRIPTION"
--.B getcon
-+.BR getcon ()
- retrieves the context of the current process, which must be free'd with
- freecon.
- 
--.B getprevcon
-+.BR getprevcon ()
- same as getcon but gets the context before the last exec.
- 
--.B getpidcon
-+.BR getpidcon ()
- returns the process context for the specified PID.
- 
--.B getpeercon
--retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
-+.BR getpeercon ()
-+retrieves context of peer socket, and set
-+.BI * context
-+to refer to it, which must be free'd with
-+.BR freecon ().
- 
--.B freecon
-+.BR freecon ()
- frees the memory allocated for a security context.
- 
--.B freeconary
-+.BR freeconary ()
- frees the memory allocated for a context array.
- 
- If
- .I con
- is NULL, no operation is performed.
- 
--.B setcon
-+.BR setcon ()
- sets the current security context of the process to a new value. Note
- that use of this function requires that the entire application be
- trusted to maintain any desired separation between the old and new
- security contexts, unlike exec-based transitions performed via
--setexeccon(3). When possible, decompose your application and use
--setexeccon() and execve() instead.
-+.BR setexeccon (3).
-+When possible, decompose your application and use
-+.BR setexeccon (3)
-+and
-+.BR execve (3)
-+instead.
- 
- Since access to file descriptors is revalidated upon use by SELinux,
- the new context must be explicitly authorized in the policy to use the
- descriptors opened by the old context if that is desired. Otherwise,
- attempts by the process to use any existing descriptors (including
--stdin, stdout, and stderr) after performing the setcon() will fail.
--
--A multi-threaded application can perform a setcon() prior to creating
-+.IR stdin ,
-+.IR stdout ,
-+and
-+.IR stderr )
-+after performing the
-+.BR setcon ()
-+will fail.
-+
-+A multi-threaded application can perform a
-+.BR setcon ()
-+prior to creating
- any child threads, in which case all of the child threads will inherit
--the new context. However, setcon() will fail if there are any other
-+the new context. However,
-+.BR setcon ()
-+will fail if there are any other
- threads running in the same process.
- 
--If the process was being ptraced at the time of the setcon()
-+If the process was being ptraced at the time of the
-+.BR setcon ()
- operation, ptrace permission will be revalidated against the new
--context and the setcon() will fail if it is not allowed by policy.
--
-+context and the
-+.BR setcon ()
-+will fail if it is not allowed by policy.
-+
-+.BR getcon_raw (),
-+.BR getprevcon_raw (),
-+.BR getpidcon_raw (),
-+.BR getpeercon_raw ()
-+and
-+.BR setcon_raw ()
-+behave identically to their non-raw counterparts but do not perform context
-+translation.
-+.
- .SH "RETURN VALUE"
--On error -1 is returned. On success 0 is returned.
--
-+On error \-1 is returned. On success 0 is returned.
-+.
- .SH "SEE ALSO"
- .BR selinux "(8), " setexeccon "(3)"
-diff --git a/libselinux/man/man3/getcon_raw.3 b/libselinux/man/man3/getcon_raw.3
-new file mode 100644
-index 0000000..1210b5a
---- /dev/null
-+++ b/libselinux/man/man3/getcon_raw.3
-@@ -0,0 +1 @@
-+.so man3/getcon.3
-diff --git a/libselinux/man/man3/getexeccon.3 b/libselinux/man/man3/getexeccon.3
-index 4b832a2..c188a3a 100644
---- a/libselinux/man/man3/getexeccon.3
-+++ b/libselinux/man/man3/getexeccon.3
-@@ -1,43 +1,68 @@
- .TH "getexeccon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
- .SH "NAME"
--getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process.
-+getexeccon, setexeccon \- get or set the SELinux security context used for executing a new process
- 
- rpm_execcon \- run a helper for rpm in an appropriate security context
--
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
- .BI "int getexeccon(security_context_t *" context );
--
-+.sp
-+.BI "int getexeccon_raw(security_context_t *" context );
-+.sp
- .BI "int setexeccon(security_context_t "context );
--
-+.sp
-+.BI "int setexeccon_raw(security_context_t "context );
-+.sp
- .BI "int rpm_execcon(unsigned int " verified ", const char *" filename ", char *const " argv "[] , char *const " envp "[]);
--
-+.
- .SH "DESCRIPTION"
--.B getexeccon
-+.BR getexeccon ()
- retrieves the context used for executing a new process.
--This returned context should be freed with freecon if non-NULL.
--getexeccon sets *con to NULL if no exec context has been explicitly
-+This returned context should be freed with
-+.BR freecon (3)
-+if non-NULL.
-+.BR getexeccon ()
-+sets
-+.BI * context
-+to NULL if no exec context has been explicitly
- set by the program (i.e. using the default policy behavior).
- 
--.B setexeccon
--sets the context used for the next execve call.
-+.BR setexeccon ()
-+sets the context used for the next
-+.BR execve (2)
-+call.
- NULL can be passed to
--setexeccon to reset to the default policy behavior.
--The exec context is automatically reset after the next execve, so a
--program doesn't need to explicitly sanitize it upon startup.
--
--
--setexeccon can be applied prior to library
--functions that internally perform an execve, e.g. execl*, execv*, popen,
-+.BR setexeccon ()
-+to reset to the default policy behavior.
-+The exec context is automatically reset after the next
-+.BR execve (2),
-+so a program doesn't need to explicitly sanitize it upon startup.
-+
-+.BR setexeccon ()
-+can be applied prior to library
-+functions that internally perform an
-+.BR execve (2),
-+e.g.
-+.BR execl *(3),
-+.BR execv *(3),
-+.BR popen (3),
- in order to set an exec context for that operation.
- 
-+.BR getexeccon_raw ()
-+and
-+.BR setexeccon_raw ()
-+behave identically to their non-raw counterparts but do not perform context
-+translation.
- 
--Note: Signal handlers that perform an execve must take care to
-+.B Note:
-+Signal handlers that perform an
-+.BR execve (2)
-+must take care to
- save, reset, and restore the exec context to avoid unexpected behavior.
- 
--
--.B rpm_execcon
-+.BR rpm_execcon ()
- runs a helper for rpm in an appropriate security context. The
- verified parameter should contain the return code from the signature
- verification (0 == ok, 1 == notfound, 2 == verifyfail, 3 ==
-@@ -46,15 +71,18 @@ the function. The function determines the proper security context for
- the helper based on policy, sets the exec context accordingly, and
- then executes the specified filename with the provided argument and
- environment arrays.
--
--
-+.
- .SH "RETURN VALUE"
--On error -1 is returned.
--
--On success getexeccon and setexeccon returns 0.
--rpm_execcon only returns upon errors, as it calls execve(2).
--
-+On error \-1 is returned.
-+
-+On success
-+.BR getexeccon ()
-+and
-+.BR setexeccon ()
-+returns 0.
-+.BR rpm_execcon ()
-+only returns upon errors, as it calls
-+.BR execve (2).
-+.
- .SH "SEE ALSO"
- .BR selinux "(8), " freecon "(3), " getcon "(3)"
--
--
-diff --git a/libselinux/man/man3/getexeccon_raw.3 b/libselinux/man/man3/getexeccon_raw.3
-new file mode 100644
-index 0000000..b2e6ab8
---- /dev/null
-+++ b/libselinux/man/man3/getexeccon_raw.3
-@@ -0,0 +1 @@
-+.so man3/getexeccon.3
-diff --git a/libselinux/man/man3/getfilecon.3 b/libselinux/man/man3/getfilecon.3
-index 61b216f..ea79b31 100644
---- a/libselinux/man/man3/getfilecon.3
-+++ b/libselinux/man/man3/getfilecon.3
-@@ -1,42 +1,72 @@
- .TH "getfilecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
- .SH "NAME"
- getfilecon, fgetfilecon, lgetfilecon \- get SELinux security context of a file
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
- .BI "int getfilecon(const char *" path ", security_context_t *" con );
--
-+.sp
-+.BI "int getfilecon_raw(const char *" path ", security_context_t *" con );
-+.sp
- .BI "int lgetfilecon(const char *" path ", security_context_t *" con );
--
-+.sp
-+.BI "int lgetfilecon_raw(const char *" path ", security_context_t *" con );
-+.sp
- .BI "int fgetfilecon(int "fd ", security_context_t *" con );
-+.sp
-+.BI "int fgetfilecon_raw(int "fd ", security_context_t *" con );
-+.
- .SH "DESCRIPTION"
--.B getfilecon
-+.BR getfilecon ()
- retrieves the context associated with the given path in the file system, the
- length of the context is returned.
- 
--.B lgetfilecon
--is identical to getfilecon, except in the case of a symbolic link, where the
-+.BR lgetfilecon ()
-+is identical to
-+.BR getfilecon (),
-+except in the case of a symbolic link, where the
- link itself is interrogated, not the file that it refers to.
- 
--.B fgetfilecon
--is identical to getfilecon, only the open file pointed to by filedes (as
--returned by open(2)) is interrogated in place of path.
-+.BR fgetfilecon ()
-+is identical to
-+.BR getfilecon (),
-+only the open file pointed to by filedes (as returned by
-+.BR open (2))
-+is interrogated in place of path.
- 
-+.BR getfilecon_raw (),
-+.BR lgetfilecon_raw ()
-+and
-+.BR fgetfilecon_raw ()
-+behave identically to their non-raw counterparts but do not perform context
-+translation.
- 
--The returned context should be freed with freecon if non-NULL.
-+The returned context should be freed with
-+.BR freecon (3)
-+if non-NULL.
-+.
- .SH "RETURN VALUE"
- On success, a positive number is returned indicating the size of the
--extended attribute value. On failure, \-1 is returned and errno is set
--appropriately.
-+extended attribute value. On failure, \-1 is returned and
-+.I errno
-+is set appropriately.
- 
- If the context does not exist, or the process has no access to
--this attribute, errno is set to ENODATA.
--
--If extended attributes are not supported by the filesystem, or are dis\-
--abled, errno is set to ENOTSUP.
-+this attribute,
-+.I errno
-+is set to
-+.BR ENODATA .
- 
--The errors documented for the stat(2) system call are also applicable
--here.
-+If extended attributes are not supported by the filesystem, or are
-+disabled,
-+.I errno
-+is set to
-+.BR ENOTSUP .
- 
-+The errors documented for the
-+.BR stat (2)
-+system call are also applicable here.
-+.
- .SH "SEE ALSO"
- .BR selinux "(8), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
-diff --git a/libselinux/man/man3/getfilecon_raw.3 b/libselinux/man/man3/getfilecon_raw.3
-new file mode 100644
-index 0000000..ae6dfcf
---- /dev/null
-+++ b/libselinux/man/man3/getfilecon_raw.3
-@@ -0,0 +1 @@
-+.so man3/getfilecon.3
-diff --git a/libselinux/man/man3/getfscreatecon.3 b/libselinux/man/man3/getfscreatecon.3
-index 474aa28..c7675be 100644
---- a/libselinux/man/man3/getfscreatecon.3
-+++ b/libselinux/man/man3/getfscreatecon.3
-@@ -1,38 +1,57 @@
- .TH "getfscreatecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation"
- .SH "NAME"
--getfscreatecon, setfscreatecon \- get or set the SELinux security context used for creating a new file system object.
--
-+getfscreatecon, setfscreatecon \- get or set the SELinux security context used for creating a new file system object
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
- .BI "int getfscreatecon(security_context_t *" con );
--
-+.sp
-+.BI "int getfscreatecon_raw(security_context_t *" con );
-+.sp
- .BI "int setfscreatecon(security_context_t "context );
--
-+.sp
-+.BI "int setfscreatecon_raw(security_context_t "context );
-+.
- .SH "DESCRIPTION"
--.B getfscreatecon
-+.BR getfscreatecon ()
- retrieves the context used for creating a new file system object.
--This returned context should be freed with freecon if non-NULL.
--getfscreatecon sets *con to NULL if no fscreate context has been explicitly
-+This returned context should be freed with
-+.BR freecon (3)
-+if non-NULL.
-+.BR getfscreatecon ()
-+sets *con to NULL if no fscreate context has been explicitly
- set by the program (i.e. using the default policy behavior).
- 
--.B setfscreatecon
-+.BR setfscreatecon ()
- sets the context used for creating a new file system object.
- NULL can be passed to
--setfscreatecon to reset to the default policy behavior.
--The fscreate context is automatically reset after the next execve, so a
--program doesn't need to explicitly sanitize it upon startup.
--
--setfscreatecon can be applied prior to library
-+.BR setfscreatecon ()
-+to reset to the default policy behavior.
-+The fscreate context is automatically reset after the next
-+.BR execve (2),
-+so a program doesn't need to explicitly sanitize it upon startup.
-+
-+.BR setfscreatecon ()
-+can be applied prior to library
- functions that internally perform an file creation,
- in order to set an file context on the objects.
- 
-+.BR getfscreatecon_raw ()
-+and
-+.BR setfscreatecon_raw ()
-+behave identically to their non-raw counterparts but do not perform context
-+translation.
- 
--Note: Signal handlers that perform an setfscreate must take care to
-+.B Note:
-+Signal handlers that perform a
-+.BR setfscreatecon ()
-+must take care to
- save, reset, and restore the fscreate context to avoid unexpected behavior.
-+.
- .SH "RETURN VALUE"
--On error -1 is returned.
-+On error \-1 is returned.
- On success 0 is returned.
--
-+.
- .SH "SEE ALSO"
- .BR selinux "(8), " freecon "(3), " getcon "(3), " getexeccon "(3)"
-diff --git a/libselinux/man/man3/getfscreatecon_raw.3 b/libselinux/man/man3/getfscreatecon_raw.3
-new file mode 100644
-index 0000000..21aeebd
---- /dev/null
-+++ b/libselinux/man/man3/getfscreatecon_raw.3
-@@ -0,0 +1 @@
-+.so man3/getfscreatecon.3
-diff --git a/libselinux/man/man3/getkeycreatecon.3 b/libselinux/man/man3/getkeycreatecon.3
-index 3b594a0..d6a118c 100644
---- a/libselinux/man/man3/getkeycreatecon.3
-+++ b/libselinux/man/man3/getkeycreatecon.3
-@@ -1,38 +1,57 @@
--.TH "getkeycreatecon" "3" "9 September 2008" "dwalsh@redhat.com from russell@coker.com.au" "SELinux API documentation"
-+.TH "getkeycreatecon" "3" "9 September 2008" "dwalsh@redhat.com" "SELinux API documentation"
- .SH "NAME"
--getkeycreatecon, setkeycreatecon \- get or set the SELinux security context used for creating a new kernel keyrings.
--
-+getkeycreatecon, setkeycreatecon \- get or set the SELinux security context used for creating a new kernel keyrings
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
- .BI "int getkeycreatecon(security_context_t *" con );
--
-+.sp
-+.BI "int getkeycreatecon_raw(security_context_t *" con );
-+.sp
- .BI "int setkeycreatecon(security_context_t "context );
--
-+.sp
-+.BI "int setkeycreatecon_raw(security_context_t "context );
-+.
- .SH "DESCRIPTION"
--.B getkeycreatecon
-+.BR getkeycreatecon ()
- retrieves the context used for creating a new kernel keyring.
--This returned context should be freed with freecon if non-NULL.
--getkeycreatecon sets *con to NULL if no keycreate context has been explicitly
-+This returned context should be freed with
-+.BR freecon (3)
-+if non-NULL.
-+.BR getkeycreatecon ()
-+sets *con to NULL if no keycreate context has been explicitly
- set by the program (i.e. using the default policy behavior).
- 
--.B setkeycreatecon
-+.BR setkeycreatecon ()
- sets the context used for creating a new kernel keyring.
- NULL can be passed to
--setkeycreatecon to reset to the default policy behavior.
--The keycreate context is automatically reset after the next execve, so a
--program doesn't need to explicitly sanitize it upon startup.
--
--setkeycreatecon can be applied prior to library
-+.BR setkeycreatecon ()
-+to reset to the default policy behavior.
-+The keycreate context is automatically reset after the next
-+.BR execve (2),
-+so a program doesn't need to explicitly sanitize it upon startup.
-+
-+.BR setkeycreatecon ()
-+can be applied prior to library
- functions that internally perform an file creation,
- in order to set an file context on the objects.
- 
-+.BR getkeycreatecon_raw ()
-+and
-+.BR setkeycreatecon_raw ()
-+behave identically to their non-raw counterparts but do not perform context
-+translation.
- 
--Note: Signal handlers that perform an setkeycreate must take care to
-+.B Note:
-+Signal handlers that perform a
-+.BR setkeycreatecon ()
-+must take care to
- save, reset, and restore the keycreate context to avoid unexpected behavior.
-+.
- .SH "RETURN VALUE"
--On error -1 is returned.
-+On error \-1 is returned.
- On success 0 is returned.
--
-+.
- .SH "SEE ALSO"
- .BR selinux "(8), " freecon "(3), " getcon "(3), " getexeccon "(3)"
-diff --git a/libselinux/man/man3/getkeycreatecon_raw.3 b/libselinux/man/man3/getkeycreatecon_raw.3
-new file mode 100644
-index 0000000..1e0ec5f
---- /dev/null
-+++ b/libselinux/man/man3/getkeycreatecon_raw.3
-@@ -0,0 +1 @@
-+.so man3/getkeycreatecon.3
-diff --git a/libselinux/man/man3/getpeercon_raw.3 b/libselinux/man/man3/getpeercon_raw.3
-new file mode 100644
-index 0000000..1210b5a
---- /dev/null
-+++ b/libselinux/man/man3/getpeercon_raw.3
-@@ -0,0 +1 @@
-+.so man3/getcon.3
-diff --git a/libselinux/man/man3/getpidcon_raw.3 b/libselinux/man/man3/getpidcon_raw.3
-new file mode 100644
-index 0000000..1210b5a
---- /dev/null
-+++ b/libselinux/man/man3/getpidcon_raw.3
-@@ -0,0 +1 @@
-+.so man3/getcon.3
-diff --git a/libselinux/man/man3/getprevcon_raw.3 b/libselinux/man/man3/getprevcon_raw.3
-new file mode 100644
-index 0000000..1210b5a
---- /dev/null
-+++ b/libselinux/man/man3/getprevcon_raw.3
-@@ -0,0 +1 @@
-+.so man3/getcon.3
-diff --git a/libselinux/man/man3/getseuserbyname.3 b/libselinux/man/man3/getseuserbyname.3
-index 1630356..c231e65 100644
---- a/libselinux/man/man3/getseuserbyname.3
-+++ b/libselinux/man/man3/getseuserbyname.3
-@@ -1,28 +1,33 @@
- .TH "getseuserbyname" "3" "29 September 2005" "dwalsh@redhat.com" "SELinux API documentation"
- .SH "NAME"
- getseuserbyname \- get SELinux username and level for a given Linux username
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
- .BI "int getseuserbyname(const char *" linuxuser ", char **" selinuxuser ", char **" level ");
-+.
- .SH "DESCRIPTION"
--.B getseuserbyname
-+.BR getseuserbyname ()
- retrieves the SELinux username and security level associated with
- a given Linux username. The SELinux username and security level can
- then be passed to other libselinux functions such as
--get_ordered_context_list_with_level and get_default_context_with_level.
--
--
-+.BR \%get_ordered_context_list_with_level (3)
-+and
-+.BR \%get_default_context_with_level (3).
- 
- The returned SELinux username and level should be freed by the caller
- using free.
-+.
- .SH "RETURN VALUE"
- On success, 0 is returned.
--On failure, \-1 is returned and errno is set appropriately.
--
--The errors documented for the stat(2) system call are also applicable
--here.
-+On failure, \-1 is returned and
-+.I errno
-+is set appropriately.
- 
-+The errors documented for the
-+.BR stat (2)
-+system call are also applicable here.
-+.
- .SH "SEE ALSO"
- .BR selinux "(8)"
--
-diff --git a/libselinux/man/man3/getsockcreatecon.3 b/libselinux/man/man3/getsockcreatecon.3
-index 24f2cc0..99e9436 100644
---- a/libselinux/man/man3/getsockcreatecon.3
-+++ b/libselinux/man/man3/getsockcreatecon.3
-@@ -1,38 +1,57 @@
--.TH "getsockcreatecon" "3" "24 September 2008" "dwalsh@redhat.com from russell@coker.com.au" "SELinux API documentation"
-+.TH "getsockcreatecon" "3" "24 September 2008" "dwalsh@redhat.com" "SELinux API documentation"
- .SH "NAME"
--getsockcreatecon, setsockcreatecon \- get or set the SELinux security context used for creating a new labeled sockets.
--
-+getsockcreatecon, setsockcreatecon \- get or set the SELinux security context used for creating a new labeled sockets
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
- .BI "int getsockcreatecon(security_context_t *" con );
--
-+.sp
-+.BI "int getsockcreatecon_raw(security_context_t *" con );
-+.sp
- .BI "int setsockcreatecon(security_context_t "context );
--
-+.sp
-+.BI "int setsockcreatecon_raw(security_context_t "context );
-+.
- .SH "DESCRIPTION"
--.B getsockcreatecon
-+.BR getsockcreatecon ()
- retrieves the context used for creating a new labeled network socket.
--This returned context should be freed with freecon if non-NULL.
--getsockcreatecon sets *con to NULL if no sockcreate context has been explicitly
-+This returned context should be freed with
-+.BR freecon (3)
-+if non-NULL.
-+.BR getsockcreatecon ()
-+sets *con to NULL if no sockcreate context has been explicitly
- set by the program (i.e. using the default policy behavior).
- 
--.B setsockcreatecon
-+.BR setsockcreatecon ()
- sets the context used for creating a new labeled network sockets
- NULL can be passed to
--setsockcreatecon to reset to the default policy behavior.
--The sockcreate context is automatically reset after the next execve, so a
--program doesn't need to explicitly sanitize it upon startup.
--
--setsockcreatecon can be applied prior to library
-+.BR setsockcreatecon ()
-+to reset to the default policy behavior.
-+The sockcreate context is automatically reset after the next
-+.BR execve (2),
-+so a program doesn't need to explicitly sanitize it upon startup.
-+
-+.BR setsockcreatecon ()
-+can be applied prior to library
- functions that internally perform an file creation,
- in order to set an file context on the objects.
- 
-+.BR getsockcreatecon_raw ()
-+and
-+.BR setsockcreatecon_raw ()
-+behave identically to their non-raw counterparts but do not perform context
-+translation.
- 
--Note: Signal handlers that perform an setsockcreate must take care to
-+.B Note:
-+Signal handlers that perform a
-+.BR setsockcreatecon ()
-+must take care to
- save, reset, and restore the sockcreate context to avoid unexpected behavior.
-+.
- .SH "RETURN VALUE"
--On error -1 is returned.
-+On error \-1 is returned.
- On success 0 is returned.
--
-+.
- .SH "SEE ALSO" - .BR selinux "(8), " freecon "(3), " getcon "(3) -diff --git a/libselinux/man/man3/getsockcreatecon_raw.3 b/libselinux/man/man3/getsockcreatecon_raw.3 -new file mode 100644 -index 0000000..ed1a371 ---- /dev/null -+++ b/libselinux/man/man3/getsockcreatecon_raw.3 -@@ -0,0 +1 @@ -+.so man3/getsockcreatecon.3 -diff --git a/libselinux/man/man3/init_selinuxmnt.3 b/libselinux/man/man3/init_selinuxmnt.3 -index e70098b..8466f9f 100644 ---- a/libselinux/man/man3/init_selinuxmnt.3 -+++ b/libselinux/man/man3/init_selinuxmnt.3 -@@ -1,28 +1,31 @@ - .TH "init_selinuxmnt" "3" "21 Nov 2009" "" "SELinux API documentation" - .SH "NAME" --init_selinuxmnt \- initialize the global variable selinux_mnt. -- -+init_selinuxmnt \- initialize the global variable selinux_mnt -+. - .SH "SYNOPSIS" - .BI "static void init_selinuxmnt(void);" - .sp - .BI "static void fini_selinuxmnt(void);" - .sp - .BI "void set_selinuxmnt(char *" mnt ");" -- -+. - .SH "DESCRIPTION" --.B init_selinuxmnt --initializes the global variable selinux_mnt to the selinuxfs mountpoint. -+.BR init_selinuxmnt () -+initializes the global variable -+.I selinux_mnt -+to the selinuxfs mountpoint. - --.B fini_selinuxmnt --deinitializes the global variable selinux_mnt that stores the selinuxfs --mountpoint. -+.BR fini_selinuxmnt () -+deinitializes the global variable -+.I selinux_mnt -+that stores the selinuxfs mountpoint. - --.B set_selinuxmnt -+.BR set_selinuxmnt () - changes the selinuxfs mountpoint to --.I mnt. -- -+.IR mnt . -+. - .SH "AUTHOR" - This manual page has been written by Guido Trentalancia -- -+. 
- .SH "SEE ALSO" - .BR selinux (8), -diff --git a/libselinux/man/man3/is_context_customizable.3 b/libselinux/man/man3/is_context_customizable.3 -index d230ace..0f748b6 100644 ---- a/libselinux/man/man3/is_context_customizable.3 -+++ b/libselinux/man/man3/is_context_customizable.3 -@@ -1,25 +1,24 @@ - .TH "is_context_customizable" "3" "10 January 2005" "dwalsh@redhat.com" "SELinux API documentation" - .SH "NAME" --is_context_customizable \- check whether SELinux context type is customizable by the administrator. -+is_context_customizable \- check whether SELinux context type is customizable by the administrator -+. - .SH "SYNOPSIS" - .B #include - .sp --.B int is_context_customizable(security_context_t scon); -- -+.BI "int is_context_customizable(security_context_t " scon ); -+. - .SH "DESCRIPTION" --.B is_context_customizable -- --This function checks whether the type of scon is in the /etc/selinux/SELINUXTYPE/context/customizable_types file. A customizable type is a file context type that -+This function checks whether the type of scon is in the -+.I /etc/selinux/{SELINUXTYPE}/context/customizable_types -+file. A customizable type is a file context type that - administrators set on files, usually to allow certain domains to share the file content. restorecon and setfiles, by default, leave these context in place. -- -- -+. - .SH "RETURN VALUE" --returns 1 if security context is customizable or 0 if it is not. --returns -1 on error -- -+Returns 1 if security context is customizable or 0 if it is not. -+Returns \-1 on error. -+. - .SH "FILE" --/etc/selinux/SELINUXTYPE/context/customizable_types -- -+.I /etc/selinux/{SELINUXTYPE}/context/customizable_types -+. 
- .SH "SEE ALSO" - .BR selinux "(8)" -- -diff --git a/libselinux/man/man3/is_selinux_enabled.3 b/libselinux/man/man3/is_selinux_enabled.3 -index d744c0b..f02052c 100644 ---- a/libselinux/man/man3/is_selinux_enabled.3 -+++ b/libselinux/man/man3/is_selinux_enabled.3 -@@ -1,24 +1,24 @@ - .TH "is_selinux_enabled" "3" "7 Mar 2010" "russell@coker.com.au" "SELinux API documentation" - .SH "NAME" - is_selinux_enabled \- check whether SELinux is enabled -- -+. - .SH "NAME" - is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Securty) MLS -+. - .SH "SYNOPSIS" - .B #include - .sp - .B int is_selinux_enabled(); -- -+.sp - .B int is_selinux_mls_enabled(); -- -+. - .SH "DESCRIPTION" --.B is_selinux_enabled -+.BR is_selinux_enabled () - returns 1 if SELinux is running or 0 if it is not. - On error, \-1 is returned. - --.B is_selinux_mls_enabled -+.BR is_selinux_mls_enabled () - returns 1 if SELinux is running in MLS mode or 0 if it is not. -- -+. - .SH "SEE ALSO" - .BR selinux "(8)" -- -diff --git a/libselinux/man/man3/lgetfilecon_raw.3 b/libselinux/man/man3/lgetfilecon_raw.3 -new file mode 100644 -index 0000000..ae6dfcf ---- /dev/null -+++ b/libselinux/man/man3/lgetfilecon_raw.3 -@@ -0,0 +1 @@ -+.so man3/getfilecon.3 -diff --git a/libselinux/man/man3/lsetfilecon_raw.3 b/libselinux/man/man3/lsetfilecon_raw.3 -new file mode 100644 -index 0000000..33c321a ---- /dev/null -+++ b/libselinux/man/man3/lsetfilecon_raw.3 -@@ -0,0 +1 @@ -+.so man3/setfilecon.3 -diff --git a/libselinux/man/man3/matchmediacon.3 b/libselinux/man/man3/matchmediacon.3 -index 1a3a561..f77ab5e 100644 ---- a/libselinux/man/man3/matchmediacon.3 -+++ b/libselinux/man/man3/matchmediacon.3 -@@ -1,26 +1,30 @@ - .TH "matchmediacon" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API documentation" - .SH "NAME" --matchmediacon \- get the default SELinux security context for the specified mediatype from the policy. 
-- -+matchmediacon \- get the default SELinux security context for the specified mediatype from the policy -+. - .SH "SYNOPSIS" - .B #include - .sp --.BI "int matchmediacon(const char *" media ", security_context_t *" con);" -- -- -+.BI "int matchmediacon(const char *" media ", security_context_t *" con ); -+. - .SH "DESCRIPTION" -- --.B matchmediacon --matches the specified media type with the media contexts configuration and sets the security context "con" to refer to the resulting context. -+.BR matchmediacon () -+matches the specified media type with the media contexts configuration and -+sets the security context -+.I con -+to refer to the resulting context. - .sp -- --.B Note: -- Caller must free returned security context "con" using freecon. -+.B Note: -+Caller must free returned security context -+.I con -+using -+.BR freecon (3). -+. - .SH "RETURN VALUE" --Returns 0 on success or -1 otherwise. -- -+Returns 0 on success or \-1 otherwise. -+. - .SH Files --/etc/selinux/POLICYTYPE/contexts/files/media -- -+.I /etc/selinux/{POLICYTYPE}/contexts/files/media -+. - .SH "SEE ALSO" - .BR selinux "(8), " freecon "(3) -diff --git a/libselinux/man/man3/matchpathcon.3 b/libselinux/man/man3/matchpathcon.3 -index cdbb252..4c320ab 100644 ---- a/libselinux/man/man3/matchpathcon.3 -+++ b/libselinux/man/man3/matchpathcon.3 -@@ -1,65 +1,59 @@ - .TH "matchpathcon" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation" - .SH "NAME" --matchpathcon, matchpathcon_index \- get the default SELinux security context for the specified path from the file contexts configuration. -- -+matchpathcon, matchpathcon_index \- get the default SELinux security context for the specified path from the file contexts configuration -+. 
- .SH "SYNOPSIS" - .B #include - .sp -- - .BI "int matchpathcon_init(const char *" path ");" -- -+.sp - .BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");" -- -+.sp - .BI "int matchpathcon_fini(void);" - .sp -- - .BI "int matchpathcon(const char *" path ", mode_t " mode ", security_context_t *" con "); - .sp -- --.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", security_context_t * " con ");" -- -+.BI "int matchpathcon_index(const char *" name ", mode_t " mode ", security_context_t *" con ");" -+. - .SH "DESCRIPTION" --.B matchpathcon_init -+.BR matchpathcon_init () - loads the file contexts configuration specified by - .I path - into memory for use by subsequent --.B matchpathcon -+.BR matchpathcon () - calls. If - .I path - is NULL, then the active file contexts configuration is loaded by default, - i.e. the path returned by --.B selinux_file_context_path(3). -+.BR selinux_file_context_path (3). - Unless the - .B MATCHPATHCON_BASEONLY - flag has been set via --.B set_matchpathcon_flags(3), -+.BR \%set_matchpathcon_flags (3), - files with the same path prefix but a --.B .homedirs -+.B \%.homedirs - and - .B .local - suffix are also looked up and loaded if present. These files provide - dynamically generated entries for user home directories and for local - customizations. - --.sp --.B matchpathcon_init_prefix -+.BR matchpathcon_init_prefix () - is the same as --.B matchpathcon_init -+.BR matchpathcon_init () - but only loads entries with regular expressions that have stems prefixed - by --.I prefix. -+.I \%prefix. - --.sp --.B matchpathcon_fini -+.BR matchpathcon_fini () - frees the memory allocated by a prior call to --.B matchpathcon_init. -+.BR matchpathcon_init. () - This function can be used to free and reset the internal state between multiple --.B matchpathcon_init -+.BR matchpathcon_init () - calls, or to free memory when finished using --.B matchpathcon. -+.BR matchpathcon (). 
- --.sp --.B matchpathcon -+.BR matchpathcon () - matches the specified pathname and mode against the file contexts - configuration and sets the security context - .I con -@@ -67,7 +61,7 @@ to refer to the - resulting context. The caller must free the returned security context - .I con - using --.B freecon(3) -+.BR freecon (3) - when finished using it. - .I mode - can be 0 to disable mode matching, but -@@ -76,23 +70,23 @@ Only the file format bits (i.e. the file type) of the - .I mode - are used. - If --.B matchpathcon_init -+.BR matchpathcon_init () - has not already been called, then this function will call it upon - its first invocation with a NULL - .I path, - defaulting to the active file contexts configuration. --.sp - --.B matchpathcon_index -+.BR matchpathcon_index () - is the same as --.B matchpathcon -+.BR matchpathcon () - but returns a specification index that can later be used in a --.B matchpathcon_filespec_add(3) -+.BR matchpathcon_filespec_add (3) - call. --.sp -- -+. - .SH "RETURN VALUE" - Returns zero on success or \-1 otherwise. -- -+. - .SH "SEE ALSO" -+.ad l -+.nh - .BR selinux "(8), " set_matchpathcon_flags "(3), " set_matchpathcon_invalidcon "(3), " set_matchpathcon_printf "(3), " matchpathcon_filespec_add "(3), " matchpathcon_checkmatches "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" -diff --git a/libselinux/man/man3/matchpathcon_checkmatches.3 b/libselinux/man/man3/matchpathcon_checkmatches.3 -index 47ee94c..6bbee44 100644 ---- a/libselinux/man/man3/matchpathcon_checkmatches.3 -+++ b/libselinux/man/man3/matchpathcon_checkmatches.3 -@@ -1,33 +1,30 @@ - .TH "matchpathcon_checkmatches" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation" - .SH "NAME" --matchpathcon_checkmatches, matchpathcon_filespec_add, matchpathcon_filespec_destroy, matchpathcon_filespec_eval \- check and report whether any specification index has no matches with any inode. Maintenance and statistics on inode associations. 
-- -+matchpathcon_checkmatches, matchpathcon_filespec_add, matchpathcon_filespec_destroy, matchpathcon_filespec_eval \- check and report whether any specification index has no matches with any inode. Maintenance and statistics on inode associations -+. - .SH "SYNOPSIS" - .B #include - .sp -- - .BI "void matchpathcon_checkmatches(char *" str ");" - .sp -- - .BI "int matchpathcon_filespec_add(ino_t " ino ", int " specind ", const char *" file ");" -- -+.sp - .BI "void matchpathcon_filespec_destroy(void);" -- -+.sp - .BI "void matchpathcon_filespec_eval(void);" -- -+. - .SH "DESCRIPTION" --.B matchpathcon_checkmatches -+.BR matchpathcon_checkmatches () - checks whether any specification has no matches and reports them. - The - .I str - argument is used as a prefix for any warning messages. - .sp -- --.B matchpathcon_filespec_add -+.BR matchpathcon_filespec_add () - maintains an association between an inode - .I ino - and a specification index --.I specind, -+.IR specind , - and checks whether a conflicting specification is already associated - with the same inode (e.g. due to multiple hard links). If so, then - it uses the latter of the two specifications based on their order in the -@@ -35,18 +32,17 @@ it uses the latter of the two specifications based on their order in the - context configuration. Returns the specification index used or \-1 on - error. - .sp -- --.B matchpathcon_filespec_destroy -+.BR matchpathcon_filespec_destroy () - destroys any inode associations that have been added, e.g. to restart - for a new filesystem. - .sp -- --.B matchpathcon_filespec_eval -+.BR matchpathcon_filespec_eval () - displays statistics on the hash table usage for the inode associations. -- --.sp -+. - .SH "RETURN VALUE" - Returns zero on success or \-1 otherwise. -- -+. 
- .SH "SEE ALSO" -+.ad l -+.nh - .BR selinux "(8), " matchpathcon "(3), " matchpathcon_index "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" -diff --git a/libselinux/man/man3/mode_to_security_class.3 b/libselinux/man/man3/mode_to_security_class.3 -new file mode 100644 -index 0000000..bda9daf ---- /dev/null -+++ b/libselinux/man/man3/mode_to_security_class.3 -@@ -0,0 +1 @@ -+.so man3/security_class_to_string.3 -diff --git a/libselinux/man/man3/security_check_context.3 b/libselinux/man/man3/security_check_context.3 -index af55f06..7ba4ead 100644 ---- a/libselinux/man/man3/security_check_context.3 -+++ b/libselinux/man/man3/security_check_context.3 -@@ -1,16 +1,23 @@ - .TH "security_check_context" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" - .SH "NAME" - security_check_context \- check the validity of a SELinux context -+. - .SH "SYNOPSIS" - .B #include - .sp - .BI "int security_check_context(security_context_t "con ); -- -+.sp -+.BI "int security_check_context_raw(security_context_t "con ); -+. - .SH "DESCRIPTION" --.B security_check_context -+.BR security_check_context () - returns 0 if SELinux is running and the context is valid, otherwise it --returns -1. -+returns \-1. - -+.BR security_check_context_raw () -+behaves identically to -+.BR \%security_check_context () -+but does not perform context translation. -+. 
- .SH "SEE ALSO" - .BR selinux "(8)" -- -diff --git a/libselinux/man/man3/security_check_context_raw.3 b/libselinux/man/man3/security_check_context_raw.3 -new file mode 100644 -index 0000000..ee93986 ---- /dev/null -+++ b/libselinux/man/man3/security_check_context_raw.3 -@@ -0,0 +1 @@ -+.so man3/security_check_context.3 -diff --git a/libselinux/man/man3/security_class_to_string.3 b/libselinux/man/man3/security_class_to_string.3 -index 140737e..0e9f01d 100644 ---- a/libselinux/man/man3/security_class_to_string.3 -+++ b/libselinux/man/man3/security_class_to_string.3 -@@ -3,42 +3,44 @@ - .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007 - .TH "security_class_to_string" "3" "30 Mar 2007" "" "SELinux API documentation" - .SH "NAME" --security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string \- convert -+security_class_to_string, security_av_perm_to_string, string_to_security_class, string_to_av_perm, security_av_string, mode_to_security_class \- convert - between SELinux class and permission values and string names. -- -+. - print_access_vector \- display an access vector in human-readable form. -- -+. 
- .SH "SYNOPSIS" - .B #include -- -+.br - .B #include - .sp --.BI "const char * security_class_to_string(security_class_t " tclass ");" -+.BI "const char *security_class_to_string(security_class_t " tclass ");" - .sp --.BI "const char * security_av_perm_to_string(security_class_t " tclass ", access_vector_t " av ");" -+.BI "const char *security_av_perm_to_string(security_class_t " tclass ", access_vector_t " av ");" - .sp - .BI "int security_av_string(security_class_t " tclass ", access_vector_t " av ", char **" result ");" - .sp - .BI "security_class_t string_to_security_class(const char *" name ");" - .sp -+.BI "security_class_t mode_to_security_class(mode_t " mode ");" -+.sp - .BI "access_vector_t string_to_av_perm(security_class_t " tclass ", const char *" name ");" - .sp - .BI "void print_access_vector(security_class_t " tclass ", access_vector_t " av ");" -- -+. - .SH "DESCRIPTION" --.B security_class_to_string -+.BR security_class_to_string () - returns a string name for class - .IR tclass , - or NULL if the class is invalid. The returned string must not be modified or freed. - --.B security_av_perm_to_string -+.BR security_av_perm_to_string () - returns a string name for the access vector bit - .I av - of class - .IR tclass , - or NULL if either argument is invalid. The returned string must not be modified or freed. - --.B security_av_string -+.BR security_av_string () - computes a full access vector string representation using - .I tclass - and -@@ -48,30 +50,35 @@ which may have multiple bits set. The string is returned in the memory pointed - and should be freed by the caller using - .BR free (3). - --.B string_to_security_class -+.BR string_to_security_class () - returns the class value corresponding to the string name - .IR name , - or zero if no such class exists. - --.B string_to_av_perm -+.BR mode_to_security_class () -+returns the class value corresponding to the specified -+.IR mode , -+or zero if no such class exists. 
-+ -+.BR string_to_av_perm () - returns the access vector bit corresponding to the string name - .I name - and security class - .IR tclass , - or zero if no such value exists. - --.B print_access_vector -+.BR print_access_vector () - displays an access vector in human-readable form on the standard output - stream. -- -+. - .SH "RETURN VALUE" --.B security_av_string -+.BR security_av_string () - returns zero on success or \-1 on error with - .I errno - set appropriately. --.B print_access_vector -+.BR print_access_vector () - does not return a value. All other functions return zero or NULL on error. -- -+. - .SH "ERRORS" - .TP - .B EINVAL -@@ -80,11 +87,12 @@ A class or access vector argument is not recognized by the currently loaded poli - .TP - .B ENOMEM - An attempt to allocate memory failed. -- -+. - .SH "AUTHOR" - Eamon Walsh -- -+. - .SH "SEE ALSO" - .BR selinux (8), - .BR getcon (3), - .BR getfilecon (3) -+.BR stat (3) diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3 -index 468831a..c6837fc 100644 +index c6837fc..de62d26 100644 --- a/libselinux/man/man3/security_compute_av.3 
+++ b/libselinux/man/man3/security_compute_av.3 -@@ -2,112 +2,139 @@ - .SH "NAME" - security_compute_av, security_compute_av_flags, security_compute_create, security_compute_create_name, security_compute_relabel, - security_compute_member, security_compute_user, security_get_initial_context \- query --the SELinux policy database in the kernel. -- -+the SELinux policy database in the kernel -+. - .SH "SYNOPSIS" - .B #include -- -+.br - .B #include +@@ -37,9 +37,9 @@ the SELinux policy database in the kernel .sp - .BI "int security_compute_av(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); + .BI "int security_compute_user_raw(security_context_t "scon ", const char *" username ", security_context_t **" con ); .sp -+.BI "int security_compute_av_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); -+.sp - .BI "int security_compute_av_flags(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); +-.BI "int security_get_initial_context(const char *" name ", security_context_t " con ); ++.BI "int security_get_initial_context(const char *" name ", security_context_t *" con ); .sp -+.BI "int security_compute_av_flags_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", access_vector_t "requested ", struct av_decision *" avd ); -+.sp - .BI "int security_compute_create(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); +-.BI "int security_get_initial_context_raw(const char *" name ", security_context_t " con ); ++.BI "int security_get_initial_context_raw(const char *" name ", security_context_t *" con ); .sp -+.BI "int security_compute_create_raw(security_context_t "scon ", security_context_t "tcon ", 
security_class_t "tclass ", security_context_t *" newcon ); -+.sp - .BI "int security_compute_create_name(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", const char *"objname ", security_context_t *" newcon ); + .BI "int selinux_check_access(const security_context_t " scon ", const security_context_t " tcon ", const char *" class ", const char *" perm ", void *" auditdata); .sp -+.BI "int security_compute_create_name_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", const char *"objname ", security_context_t *" newcon ); -+.sp - .BI "int security_compute_relabel(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); - .sp -+.BI "int security_compute_relabel_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); -+.sp - .BI "int security_compute_member(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); - .sp -+.BI "int security_compute_member_raw(security_context_t "scon ", security_context_t "tcon ", security_class_t "tclass ", security_context_t *" newcon ); -+.sp - .BI "int security_compute_user(security_context_t "scon ", const char *" username ", security_context_t **" con ); - .sp --.BI "int security_get_initial_context(const char *" name ", security_context_t --"con ); -+.BI "int security_compute_user_raw(security_context_t "scon ", const char *" username ", security_context_t **" con ); - .sp --.BI "int selinux_check_access(const security_context_t " scon, " const security_context_t " tcon, " const char *" class, " const char *" perm, "void *" auditdata); -+.BI "int security_get_initial_context(const char *" name ", security_context_t " con ); -+.sp -+.BI "int security_get_initial_context_raw(const char *" name ", security_context_t " con ); -+.sp -+.BI "int selinux_check_access(const 
security_context_t " scon ", const security_context_t " tcon ", const char *" class ", const char *" perm ", void *" auditdata); - .sp - .BI "int selinux_check_passwd_access(access_vector_t " requested ); - .sp - .BI "int checkPasswdAccess(access_vector_t " requested ); -- -+. - .SH "DESCRIPTION" --.B security_compute_av -+.BR security_compute_av () - queries whether the policy permits the source context --.B scon -+.I scon - to access the target context --.B tcon -+.I tcon - via class --.B tclass -+.I tclass - with the --.B requested -+.I requested - access vector. The decision is returned in --.BR avd . -+.IR avd . - --.B security_compute_av_flags -+.BR security_compute_av_flags () - is identical to - .B security_compute_av - but additionally sets the --.B flags -+.I flags - field of --.BR avd . -+.IR avd . - Currently one flag is supported: - .BR SELINUX_AVD_FLAGS_PERMISSIVE , - which indicates the decision is computed on a permissive domain. - --.B security_compute_create -+.BR security_compute_create () - is used to compute a context to use for labeling a new object in a particular - class based on a SID pair. - --.B security_compute_create_name -+.BR security_compute_create_name () - is identical to --.B security_compute_create -+.BR \%security_compute_create () - but also takes name of the new object in creation as an argument. - When --.BR TYPE_TRANSITION -+.B TYPE_TRANSITION - rule on the given class and a SID pair has object name extension, - we shall be able to obtain a correct --.BR newcon -+.I newcon - according to the security policy. Note that this interface is only - supported on the linux 2.6.40 or later. - In the older kernel, the object name will be simply ignored. 
- --.B security_compute_relabel -+.BR security_compute_relabel () - is used to compute the new context to use when relabeling an object, it is used - in the pam_selinux.so source and the newrole source to determine the correct - label for the tty at login time, but can be used for other things. - --.B security_compute_member -+.BR security_compute_member () - is used to compute the context to use when labeling a polyinstantiated object - instance. - --.B security_compute_user -+.BR security_compute_user () - is used to determine the set of user contexts that can be reached from a - source context. It is mainly used by --.B get_ordered_context_list. -+.BR get_ordered_context_list (). - --.B security_get_initial_context -+.BR security_get_initial_context () - is used to get the context of a kernel initial security identifier specified by - .I name - --.B selinux_check_access -+.BR security_compute_av_raw (), -+.BR security_compute_av_flags_raw (), -+.BR \%security_compute_create_raw (), -+.BR \%security_compute_create_name_raw (), -+.BR \%security_compute_relabel_raw (), -+.BR \%security_compute_member_raw (), -+.BR \%security_compute_user_raw () -+and -+.BR \%security_get_initial_context_raw () -+behave identically to their non-raw counterparts but do not perform context -+translation. -+ -+.BR selinux_check_access () - is used to check if the source context has the access permission for the specified class on the target context. - --.B selinux_check_passwd_access -+.BR selinux_check_passwd_access () - is used to check for a permission in the - .I passwd - class. --.B selinux_check_passwd_access -+.BR selinux_check_passwd_access () - uses getprevcon() for the source and target security contexts. - --.B checkPasswdAccess -+.BR checkPasswdAccess () - is a deprecated alias of the --.B selinux_check_passwd_access -+.BR selinux_check_passwd_access () - function. -- -+. - .SH "RETURN VALUE" - Returns zero on success or \-1 on error. -- -+. 
- .SH "SEE ALSO" - .BR selinux "(8), " getcon "(3), " getfilecon "(3), " get_ordered_context_list "(3)" -diff --git a/libselinux/man/man3/security_compute_av_flags_raw.3 b/libselinux/man/man3/security_compute_av_flags_raw.3 -new file mode 100644 -index 0000000..a60bca4 ---- /dev/null -+++ b/libselinux/man/man3/security_compute_av_flags_raw.3 -@@ -0,0 +1 @@ -+.so man3/security_compute_av.3 -diff --git a/libselinux/man/man3/security_compute_av_raw.3 b/libselinux/man/man3/security_compute_av_raw.3 -new file mode 100644 -index 0000000..a60bca4 ---- /dev/null -+++ b/libselinux/man/man3/security_compute_av_raw.3 -@@ -0,0 +1 @@ -+.so man3/security_compute_av.3 -diff --git a/libselinux/man/man3/security_compute_create_name_raw.3 b/libselinux/man/man3/security_compute_create_name_raw.3 -new file mode 100644 -index 0000000..a60bca4 ---- /dev/null -+++ b/libselinux/man/man3/security_compute_create_name_raw.3 -@@ -0,0 +1 @@ -+.so man3/security_compute_av.3 -diff --git a/libselinux/man/man3/security_compute_create_raw.3 b/libselinux/man/man3/security_compute_create_raw.3 -new file mode 100644 -index 0000000..a60bca4 ---- /dev/null -+++ b/libselinux/man/man3/security_compute_create_raw.3 -@@ -0,0 +1 @@ -+.so man3/security_compute_av.3 -diff --git a/libselinux/man/man3/security_compute_member_raw.3 b/libselinux/man/man3/security_compute_member_raw.3 -new file mode 100644 -index 0000000..a60bca4 ---- /dev/null -+++ b/libselinux/man/man3/security_compute_member_raw.3 -@@ -0,0 +1 @@ -+.so man3/security_compute_av.3 -diff --git a/libselinux/man/man3/security_compute_relabel_raw.3 b/libselinux/man/man3/security_compute_relabel_raw.3 -new file mode 100644 -index 0000000..a60bca4 ---- /dev/null -+++ b/libselinux/man/man3/security_compute_relabel_raw.3 -@@ -0,0 +1 @@ -+.so man3/security_compute_av.3 -diff --git a/libselinux/man/man3/security_compute_user_raw.3 b/libselinux/man/man3/security_compute_user_raw.3 -new file mode 100644 -index 0000000..a60bca4 ---- /dev/null -+++ 
b/libselinux/man/man3/security_compute_user_raw.3 -@@ -0,0 +1 @@ -+.so man3/security_compute_av.3 -diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3 -index 6725bde..aeb78da 100644 ---- a/libselinux/man/man3/security_disable.3 -+++ b/libselinux/man/man3/security_disable.3 -@@ -1,28 +1,30 @@ - .TH "security_disable" "3" "21 Nov 2009" "" "SELinux API documentation" - .SH "NAME" --security_disable \- disable the SELinux kernel code at runtime. -- -+security_disable \- disable the SELinux kernel code at runtime -+. - .SH "SYNOPSIS" - .B #include - .sp - .BI "int security_disable(void);" -- -+. - .SH "DESCRIPTION" --.B security_disable --disables the SELinux kernel code, unregisters selinuxfs from /proc/filesystems, --and then unmounts /selinux. -+.BR security_disable () -+disables the SELinux kernel code, unregisters selinuxfs from -+.IR /proc/filesystems , -+and then unmounts -+.IR /selinux . - .sp - This function can only be called at runtime and prior to the initial policy - load. After the initial policy load, the SELinux kernel code cannot be disabled, - but only placed in "permissive" mode by using --.B setenforce(1). -- -+.BR setenforce (1). -+. - .SH "RETURN VALUE" --.B security_disable -+.BR security_disable () - returns zero on success or \-1 on error. -- -+. - .SH "AUTHOR" - This manual page has been written by Guido Trentalancia -- -+. 
- .SH "SEE ALSO" - .BR selinux (8), " setenforce "(3) -diff --git a/libselinux/man/man3/security_get_initial_context_raw.3 b/libselinux/man/man3/security_get_initial_context_raw.3 -new file mode 100644 -index 0000000..a60bca4 ---- /dev/null -+++ b/libselinux/man/man3/security_get_initial_context_raw.3 -@@ -0,0 +1 @@ -+.so man3/security_compute_av.3 -diff --git a/libselinux/man/man3/security_getenforce.3 b/libselinux/man/man3/security_getenforce.3 -index 86771b5..7658014 100644 ---- a/libselinux/man/man3/security_getenforce.3 -+++ b/libselinux/man/man3/security_getenforce.3 -@@ -1,29 +1,29 @@ - .TH "security_getenforce" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" - .SH "NAME" - security_getenforce, security_setenforce, security_deny_unknown \- get or set the enforcing state of SELinux -+. - .SH "SYNOPSIS" - .B #include - .sp - .B int security_getenforce(void); -- -+.sp - .BI "int security_setenforce(int "value ); -- -+.sp - .B int security_deny_unknown(void); -- -+. - .SH "DESCRIPTION" --.B security_getenforce -+.BR security_getenforce () - returns 0 if SELinux is running in permissive mode, 1 if it is running in --enforcing mode, and -1 on error. -+enforcing mode, and \-1 on error. - --.B security_setenforce -+.BR security_setenforce () - sets SELinux to enforcing mode if the value 1 is passed in, and sets it to --permissive mode if 0 is passed in. On success 0 is returned, on error -1 is -+permissive mode if 0 is passed in. On success 0 is returned, on error \-1 is - returned. - --.B security_deny_unknown -+.BR security_deny_unknown () - returns 0 if SELinux treats policy queries on undefined object classes or --permissions as being allowed, 1 if such queries are denied, and -1 on error. -- -+permissions as being allowed, 1 if such queries are denied, and \-1 on error. -+. 
- .SH "SEE ALSO" - .BR selinux "(8)" -- -diff --git a/libselinux/man/man3/security_load_booleans.3 b/libselinux/man/man3/security_load_booleans.3 -index 40e91bc..3dc963d 100644 ---- a/libselinux/man/man3/security_load_booleans.3 -+++ b/libselinux/man/man3/security_load_booleans.3 -@@ -3,6 +3,7 @@ - security_load_booleans, security_set_boolean, security_commit_booleans, - security_get_boolean_names, security_get_boolean_active, - security_get_boolean_pending \- routines for manipulating SELinux boolean values -+. - .SH "SYNOPSIS" - .B #include - .sp -@@ -19,10 +20,8 @@ security_get_boolean_pending \- routines for manipulating SELinux boolean values - .BI "int security_set_boolean_list(size_t " boolcnt ", SELboolean *" boollist ", int " permanent ");" - .sp - .BI "int security_commit_booleans(void);" -- -- -+. - .SH "DESCRIPTION" -- - The SELinux policy can include conditional rules that are enabled or - disabled based on the current values of a set of policy booleans. - These policy booleans allow runtime modification of the security -@@ -31,41 +30,37 @@ policy without having to load a new policy. - The SELinux API allows for a transaction based update. So you can - set several boolean values and then commit them all at once. - --.B security_load_booleans -- -+.BR security_load_booleans () - loads policy boolean settings. Path may be NULL, in which case the - booleans are loaded from the active policy boolean configuration file. - --.B security_get_boolean_names -- -+.BR security_get_boolean_names () - provides a list of boolean names, currently supported by the loaded policy. - --.B security_get_boolean_pending -- -+.BR security_get_boolean_pending () - returns the pending value for boolean or \-1 on failure. - --.B security_get_boolean_active -- -+.BR security_get_boolean_active () - returns the active value for boolean or \-1 on failure. 
- 
--.B security_set_boolean
--
-+.BR security_set_boolean ()
- sets the pending value for boolean
- 
--.B security_set_boolean_list
--
-+.BR security_set_boolean_list ()
- saves a list of booleans in a single transaction.
- 
--.B security_commit_booleans
--
-+.BR security_commit_booleans ()
- commits all pending values for the booleans.
--
-+.
- .SH "RETURN VALUE"
- Where not otherwise stated, functions described in this manual page return
- zero on success or \-1 on error.
--
-+.
- .SH AUTHOR
- This manual page was written by Dan Walsh .
--
-+.
- .SH "SEE ALSO"
--selinux(8), getsebool(8), booleans(8), togglesebool(8)
-+.BR selinux (8),
-+.BR getsebool (8),
-+.BR booleans (8),
-+.BR togglesebool (8)
-diff --git a/libselinux/man/man3/security_load_policy.3 b/libselinux/man/man3/security_load_policy.3
-index 163503e..c4439bf 100644
---- a/libselinux/man/man3/security_load_policy.3
-+++ b/libselinux/man/man3/security_load_policy.3
-@@ -1,7 +1,7 @@
- .TH "security_load_policy" "3" "3 November 2009" "guido@trentalancia.com" "SELinux API documentation"
- .SH "NAME"
- security_load_policy \- load a new SELinux policy
--
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
-@@ -10,15 +10,15 @@ security_load_policy \- load a new SELinux policy
- .BI "int selinux_mkload_policy(int " preservebools ");"
- .sp
- .BI "int selinux_init_load_policy(int *" enforce ");"
--
-+.
- .SH "DESCRIPTION"
--.B security_load_policy
-+.BR security_load_policy ()
- loads a new policy, returns 0 for success and \-1 for error.
- 
--.B selinux_mkload_policy
-+.BR selinux_mkload_policy ()
- makes a policy image and loads it.
This function provides a higher level
- interface for loading policy than
--.B security_load_policy,
-+.BR \%security_load_policy (),
- internally determining the right policy version, locating and opening
- the policy file, mapping it into memory, manipulating it as needed for
- current boolean settings and/or local definitions, and then calling
-@@ -29,7 +29,7 @@ be preserved into the new policy (if 1) or reset to the saved policy
- settings (if 0). The former case is the default for policy reloads, while
- the latter case is an option for policy reloads but is primarily used for
- the initial policy load.
--.B selinux_init_load_policy
-+.BR selinux_init_load_policy ()
- performs the initial policy load. This function determines the desired
- enforcing mode, sets the
- .I enforce
-@@ -40,19 +40,18 @@ handles the initial selinuxfs mount required to perform these actions.
- It should also be noted that after the initial policy load, the SELinux
- kernel code cannot anymore be disabled and the selinuxfs cannot be
- unmounted using a call to
--.B security_disable(3).
-+.BR security_disable (3).
- Therefore, after the initial policy load, the only operational changes
- are those permitted by
--.B setenforce(3)
-+.BR setenforce (3)
- (i.e. eventually setting the framework in permissive mode rather than
- in enforcing one).
--
-+.
- .SH "RETURN VALUE"
--returns zero on success or \-1 on error.
--
-+Returns zero on success or \-1 on error.
-+.
- .SH "AUTHOR"
- This manual page has been written by Guido Trentalancia
--
-+.
- .SH "SEE ALSO"
- .BR selinux "(8), " security_disable "(3), " setenforce "(1)
--
-diff --git a/libselinux/man/man3/security_policyvers.3 b/libselinux/man/man3/security_policyvers.3
-index 9e5dfd2..041ff3a 100644
---- a/libselinux/man/man3/security_policyvers.3
-+++ b/libselinux/man/man3/security_policyvers.3
-@@ -5,12 +5,11 @@ security_policyvers \- get the version of the SELinux policy
- .B #include
- .sp
- .B int security_policyvers();
--
-+.
- .SH "DESCRIPTION"
--.B security_policyvers
--returns the version of the policy (a positive integer) on success, or -1 on
-+.BR security_policyvers ()
-+returns the version of the policy (a positive integer) on success, or \-1 on
- error.
--
-+.
- .SH "SEE ALSO"
- .BR selinux "(8)"
--
-diff --git a/libselinux/man/man3/selabel_lookup.3 b/libselinux/man/man3/selabel_lookup.3
-index ab792bb..08b3161 100644
---- a/libselinux/man/man3/selabel_lookup.3
-+++ b/libselinux/man/man3/selabel_lookup.3
-@@ -3,27 +3,29 @@
- .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
- .TH "selabel_lookup" "3" "18 Jun 2007" "" "SELinux API documentation"
- .SH "NAME"
--selabel_lookup \- obtain SELinux security context from a string label.
-+selabel_lookup \- obtain SELinux security context from a string label
-+.
- .SH "SYNOPSIS"
- .B #include
--
-+.br
- .B #include
- .sp
- .BI "int selabel_lookup(struct selabel_handle *" hnd ,
- .in +\w'int selabel_lookup('u
- .BI "security_context_t *" context ,
--
-+.br
- .BI "const char *" key ", int " type ");"
- .in
- .sp
- .BI "int selabel_lookup_raw(struct selabel_handle *" hnd ,
- .in +\w'int selabel_lookup_raw('u
- .BI "security_context_t *" context ,
--
-+.br
- .BI "const char *" key ", int " type ");"
--
-+.in
-+.
- .SH "DESCRIPTION"
--.B selabel_lookup
-+.BR selabel_lookup ()
- performs a lookup operation on the handle
- .IR hnd ,
- returning the result in the memory pointed to by
-@@ -38,16 +40,16 @@ parameters are the inputs to the lookup operation and are interpreted according
- .I handle
- is open on.
- 
--.B selabel_lookup_raw
-+.BR selabel_lookup_raw ()
- behaves identically to
--.B selabel_lookup
-+.BR selabel_lookup ()
- but does not perform context translation.
--
-+.
- .SH "RETURN VALUE"
- On success, zero is returned. On error, \-1 is returned and
- .I errno
- is set appropriately.
--
-+.
- .SH "ERRORS"
- .TP
- .B ENOENT
-@@ -66,13 +68,12 @@ inputs are invalid, or the context being returned failed validation.
- .TP
- .B ENOMEM
- An attempt to allocate memory failed.
--
-+.
- .SH "AUTHOR"
- Eamon Walsh
--
-+.
- .SH "SEE ALSO"
- .BR selabel_open (3),
- .BR selabel_stats (3),
- .BR selinux_set_callback (3),
- .BR selinux (8)
--
-diff --git a/libselinux/man/man3/selabel_lookup_raw.3 b/libselinux/man/man3/selabel_lookup_raw.3
-new file mode 100644
-index 0000000..64e003e
---- /dev/null
-+++ b/libselinux/man/man3/selabel_lookup_raw.3
-@@ -0,0 +1 @@
-+.so man3/selabel_lookup.3
-diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
-index 8674e37..00f2828 100644
---- a/libselinux/man/man3/selabel_open.3
-+++ b/libselinux/man/man3/selabel_open.3
-@@ -3,23 +3,24 @@
- .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
- .TH "selabel_open" "3" "18 Jun 2007" "" "SELinux API documentation"
- .SH "NAME"
--selabel_open, selabel_close \- userspace SELinux labeling interface.
-+selabel_open, selabel_close \- userspace SELinux labeling interface
-+.
- .SH "SYNOPSIS"
- .B #include
--
-+.br
- .B #include
- .sp
- .BI "struct selabel_handle *selabel_open(int " backend ,
- .in +\w'struct selabel_handle *selabel_open('u
- .BI "struct selinux_opt *" options ,
--
-+.br
- .BI "unsigned " nopt ");"
- .in
- .sp
- .BI "void selabel_close(struct selabel_handle *" hnd ");"
--
-+.
- .SH "DESCRIPTION"
--.B selabel_open
-+.BR selabel_open ()
- is used to initialize a labeling handle to be used for lookup operations. The
- .I backend
- argument specifies which backend is to be opened; the list of current backends appears in
-@@ -48,14 +49,14 @@ The available option types are described in
- .B GLOBAL OPTIONS
- below as well as in the documentation for each individual backend. The return value on success is a non-NULL value for use in subsequent label operations.
- 
--.B selabel_close
-+.BR selabel_close ()
- terminates use of a handle, freeing any internal resources associated with it. After this call has been made, the handle must not be used again.
--
-+.
- .SH "GLOBAL OPTIONS"
- Global options which may be passed to
--.B selabel_open
-+.BR selabel_open ()
- include the following:
--
-+.
- .TP
- .B SELABEL_OPT_UNUSED
- The option with a type code of zero is a no-op. Thus an array of options may be initizalized to zero and any untouched elements will not cause an error.
-@@ -66,9 +67,8 @@ A non-null value for this option enables context validation. By default,
- is used; a custom validation function can be provided via
- .BR selinux_set_callback (3).
- Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
--
-+.
- .SH "BACKENDS"
--
- .TP
- .B SELABEL_CTX_FILE
- File contexts backend, described in
-@@ -85,18 +85,19 @@ X Windows contexts backend, described in
- .B SELABEL_CTX_DB
- Database objects contexts backend, described in
- .BR selabel_db (5).
--
-+.
- .SH "RETURN VALUE"
- A non-NULL handle value is returned on success. On error, NULL is returned and
- .I errno
- is set appropriately.
--
-+.
- .SH "AUTHOR"
- Eamon Walsh
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selabel_lookup (3),
- .BR selabel_stats (3),
- .BR selinux_set_callback (3),
- .BR selinux (8)
--
-diff --git a/libselinux/man/man3/selabel_stats.3 b/libselinux/man/man3/selabel_stats.3
-index 441f422..44e1a65 100644
---- a/libselinux/man/man3/selabel_stats.3
-+++ b/libselinux/man/man3/selabel_stats.3
-@@ -3,33 +3,33 @@
- .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
- .TH "selabel_stats" "3" "18 Jun 2007" "" "SELinux API documentation"
- .SH "NAME"
--selabel_stats \- obtain SELinux labeling statistics.
-+selabel_stats \- obtain SELinux labeling statistics
-+.
- .SH "SYNOPSIS"
- .B #include
--
-+.br
- .B #include
- .sp
--.BI "void selabel_lookup(struct selabel_handle *" hnd ");"
--
-+.BI "void selabel_stats(struct selabel_handle *" hnd ");"
-+.
- .SH "DESCRIPTION"
--.B selabel_stats
-+.BR selabel_stats ()
- causes zero or more messages to be printed containing backend-specific information about number of queries performed, number of unused entries, or other operational information.
- 
- The messages are printed to standard error by default; a custom logging function can be provided via
- .BR selinux_set_callback (3).
--
-+.
- .SH "RETURN VALUE"
- None.
--
-+.
- .SH "ERRORS"
- None.
--
-+.
- .SH "AUTHOR"
- Eamon Walsh
--
-+.
- .SH "SEE ALSO"
- .BR selabel_open (3),
- .BR selabel_lookup (3),
- .BR selinux_set_callback (3),
- .BR selinux (8)
--
 diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
-index 8ead1a4..1870f05 100644
+index ec97dcf..503c52c 100644
 --- a/libselinux/man/man3/selinux_binary_policy_path.3
 +++ b/libselinux/man/man3/selinux_binary_policy_path.3
-@@ -5,89 +5,110 @@ selinux_failsafe_context_path, selinux_removable_context_path,
+@@ -1,6 +1,6 @@
+ .TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
+ .SH "NAME"
+-selinux_path, selinux_policy_root, selinux_binary_policy_path,
++selinux_path, selinux_policy_root, selinux_binary_policy_path, selinux_current_policy_path,
+ selinux_failsafe_context_path, selinux_removable_context_path,
  selinux_default_context_path, selinux_user_contexts_path,
  selinux_file_context_path, selinux_media_context_path,
- selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active SELinux policy configuration
--directories and files.
--
-+directories and files
-+.
- .SH "SYNOPSIS"
- .B #include
+@@ -17,6 +17,8 @@ directories and files
+ .sp
+ .B const char *selinux_binary_policy_path(void);
  .sp
--
--extern const char *selinux_path(void);
--
--extern const char *selinux_policy_root(void);
--
--extern const char *selinux_binary_policy_path(void);
--
--extern const char *selinux_failsafe_context_path(void);
--
--extern const char *selinux_removable_context_path(void);
--
--extern const char *selinux_default_context_path(void);
--
--extern const char *selinux_user_contexts_path(void);
--
--extern const char *selinux_usersconf_path(void);
--
--extern const char *selinux_x_context_path(void);
--
--extern const char *selinux_sepgsql_context_path(void);
--
--extern const char *selinux_file_context_path(void);
--
--extern const char *selinux_media_context_path(void);
--
--extern const char *selinux_securetty_types_path(void);
--
--extern const char *selinux_contexts_path(void);
--
--extern const char *selinux_booleans_path(void);
--
--
-+.B const char *selinux_path(void);
-+.sp
-+.B const char *selinux_policy_root(void);
-+.sp
-+.B const char *selinux_binary_policy_path(void);
-+.sp
 +.B const char *selinux_current_policy_path(void);
 +.sp
-+.B const char
*selinux_failsafe_context_path(void);
-+.sp
-+.B const char *selinux_removable_context_path(void);
-+.sp
-+.B const char *selinux_default_context_path(void);
-+.sp
-+.B const char *selinux_user_contexts_path(void);
-+.sp
-+.B const char *selinux_usersconf_path(void);
-+.sp
-+.B const char *selinux_x_context_path(void);
-+.sp
-+.B const char *selinux_sepgsql_context_path(void);
-+.sp
-+.B const char *selinux_file_context_path(void);
-+.sp
-+.B const char *selinux_media_context_path(void);
-+.sp
-+.B const char *selinux_securetty_types_path(void);
-+.sp
-+.B const char *selinux_contexts_path(void);
-+.sp
-+.B const char *selinux_booleans_path(void);
-+.
- .SH "DESCRIPTION"
--
- These functions return the paths to the active policy configuration
--directories and files based on the settings in /etc/selinux/config.
--
-+directories and files based on the settings in
-+.IR /etc/selinux/config .
-+.sp
-+.BR selinux_path ()
-+returns the top-level SELinux configuration directory.
+ .B const char *selinux_failsafe_context_path(void);
  .sp
--selinux_path() - top-level SELinux configuration directory
-+.BR selinux_policy_root ()
-+returns the top-level policy directory.
+ .B const char *selinux_removable_context_path(void);
+@@ -55,6 +57,9 @@ returns the top-level policy directory.
+ .BR selinux_binary_policy_path ()
+ returns the binary policy file loaded into kernel.
  .sp
--selinux_policy_root() - top-level policy directory
-+.BR selinux_binary_policy_path ()
-+returns the binary policy file loaded into kernel.
- .sp
--selinux_binary_policy_path() - binary policy file loaded into kernel
 +.BR selinux_current_policy_path ()
-+returns binary policy file loaded into kernel
++returns the currently loaded policy file from the kernel.
++.sp
+ .BR selinux_default_type_path ()
+ returns the context file mapping roles to default types.
  .sp
--selinux_default_type_path - context file mapping roles to default types.
-+.BR selinux_default_type_path ()
-+returns the context file mapping roles to default types.
- .sp
--selinux_failsafe_context_path() - failsafe context for emergency logins
-+.BR selinux_failsafe_context_path ()
-+returns the failsafe context for emergency logins.
- .sp
--selinux_removable_context_path() - filesystem context for removable media
-+.BR selinux_removable_context_path ()
-+returns the filesystem context for removable media.
- .sp
--selinux_default_context_path() - system-wide default contexts for user sessions
-+.BR selinux_default_context_path ()
-+returns the system-wide default contexts for user sessions.
- .sp
--selinux_user_contexts_path() - directory containing per-user default contexts
-+.BR selinux_user_contexts_path ()
-+returns the directory containing per-user default contexts.
- .sp
--selinux_usersconf_path() - file containing mapping between Linux Users and SELinux users
-+.BR selinux_usersconf_path ()
-+returns the file containing mapping between Linux Users and SELinux users.
- .sp
--selinux_x_context_path() - file containing configuration for XSELinux extension
-+.BR selinux_x_context_path ()
-+returns the file containing configuration for XSELinux extension.
- .sp
--selinux_sepgsql_context_path() - file containing configuration for SE-PostgreSQL
-+.BR selinux_sepgsql_context_path ()
-+returns the file containing configuration for SE-PostgreSQL.
- .sp
--selinux_netfilter_context_path - default netfilter context
-+.BR selinux_netfilter_context_path ()
-+returns the default netfilter context.
- .sp
--selinux_file_context_path() - default system file contexts configuration
-+.BR selinux_file_context_path ()
-+returns the default system file contexts configuration.
- .sp
--selinux_file_context_local_path() - local customization file contexts configuration
-+.BR selinux_file_context_local_path ()
-+returns the local customization file contexts configuration.
- .sp
--selinux_file_context_homedir_path() - home directory file contexts configuration
-+.BR selinux_file_context_homedir_path ()
-+returns the home directory file contexts configuration.
- .sp
--selinux_media_context_path() - file contexts for media device nodes
-+.BR selinux_media_context_path ()
-+returns the file contexts for media device nodes.
- .sp
--selinux_contexts_path() - directory containing all of the context configuration files
-+.BR selinux_contexts_path ()
-+returns the directory containing all of the context configuration files.
- .sp
--selinux_securetty_types_path() - defines tty types for newrole securettys
-+.BR selinux_securetty_types_path ()
-+returns the defines tty types for newrole securettys.
- .sp
--selinux_booleans_path() - initial policy boolean settings
--
-+.BR selinux_booleans_path ()
-+returns the initial policy boolean settings.
-+.
- .SH AUTHOR
- This manual page was written by Dan Walsh .
--
-+.
- .SH "SEE ALSO"
- .BR selinux "(8)"
-diff --git a/libselinux/man/man3/selinux_boolean_sub.3 b/libselinux/man/man3/selinux_boolean_sub.3
-index 8d54c88..308c268 100644
---- a/libselinux/man/man3/selinux_boolean_sub.3
-+++ b/libselinux/man/man3/selinux_boolean_sub.3
-@@ -1,25 +1,29 @@
--.TH "selinux_boolean_subs" "3" "11 June 2012" "dwalsh@redhat.com" "SELinux API documentation"
-+.TH "selinux_boolean_sub" "3" "11 June 2012" "dwalsh@redhat.com" "SELinux API documentation"
- .SH "NAME"
--selinux_boolean_subs
-+selinux_boolean_sub \-
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
--.BI "char *selinux_boolean_subs(const char * " boolean_name, ");"
-+.BI "char *selinux_boolean_sub(const char *" boolean_name ");"
- .sp
- .SH "DESCRIPTION"
--.B selinux_boolean_sub
--searches the /etc/selinux/POLICYTYPE/booleans.subs_dist file
-+.BR selinux_boolean_sub ()
-+searches the
-+.I \%/etc/selinux/{POLICYTYPE}/booleans.subs_dist
-+file
- for a maching boolean_name record. If the record exists the boolean substitution name is returned.
If not
--.B selinux_boolean_sub
--returns the original boolean_name.
-+.BR \%selinux_boolean_sub ()
-+returns the original
-+.IR \%boolean_name .
- 
- .SH "RETURN VALUE"
--.BR selinux_boolean_subs
-+.BR selinux_boolean_sub ()
- returns the
- .I boolean_name
- or the substituted name on success. The returned value must be freed with
- .BR free "(3)."
--.BR selinux_boolean_subs
-+.BR selinux_boolean_sub ()
- returns NULL on error.
- .SH "SEE ALSO"
--security_get_boolean_names.3
-+.BR security_get_boolean_names (3)
-diff --git a/libselinux/man/man3/selinux_check_securetty_context.3 b/libselinux/man/man3/selinux_check_securetty_context.3
-index 65a10d3..22e8533 100644
---- a/libselinux/man/man3/selinux_check_securetty_context.3
-+++ b/libselinux/man/man3/selinux_check_securetty_context.3
-@@ -1,16 +1,16 @@
- .TH "selinux_check_securetty_context" "3" "1 January 2007" "dwalsh@redhat.com" "SELinux API documentation"
- .SH "NAME"
- selinux_check_securetty_context \- check whether a SELinux tty security context is defined as a securetty context
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
- .BI "int selinux_check_securetty_context(security_context_t "tty_context );
--
-+.
- .SH "DESCRIPTION"
--.B selinux_check_securetty_context
--returns 0 if tty_context is a securetty context
-+.BR selinux_check_securetty_context ()
-+returns 0 if tty_context is a securetty context,
- returns < 0 otherwise.
--
-+.
- .SH "SEE ALSO"
- .BR selinux "(8)"
--
-diff --git a/libselinux/man/man3/selinux_colors_path.3 b/libselinux/man/man3/selinux_colors_path.3
-index 851d81d..cc57e43 100644
---- a/libselinux/man/man3/selinux_colors_path.3
-+++ b/libselinux/man/man3/selinux_colors_path.3
-@@ -1,36 +1,37 @@
- .TH "selinux_colors_path" "3" "08 April 2011" "SELinux API documentation"
--
- .SH "NAME"
--selinux_colors_path \- Return a path to the active SELinux policy color configuration file.
-+selinux_colors_path \- Return a path to the active SELinux policy color configuration file
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
- .B const char *selinux_colors_path(void);
--
-+.
- .SH "DESCRIPTION"
--.B selinux_colors_path
-+.BR selinux_colors_path ()
- returns the path to the active policy color configuration file.
- .sp
- The path is built from the path returned by
- .BR selinux_policy_root "(3)"
- with
--.B /secolor.conf
-+.I /secolor.conf
- appended.
- .sp
- This optional configuration file whose format is shown in
--.BR secolor.conf "(5),"
-+.BR \%secolor.conf (5),
- controls the colors to be associated with the
- .I raw
- context components of the
- .BR selinux_raw_context_to_color "(3)"
- function when information is to be displayed by an SELinux color-aware application.
--
-+.
- .SH "RETURN VALUE"
- On success, the path to the active policy color configuration file is returned. If a path is not available NULL is returned.
--
-+.
- .SH "ERRORS"
- None.
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " selinux_policy_root "(3), " selinux_config "(5), " selinux_raw_context_to_color "(3), " secolor.conf "(5)"
--
-diff --git a/libselinux/man/man3/selinux_file_context_cmp.3 b/libselinux/man/man3/selinux_file_context_cmp.3
-index cd67188..30bbaa3 100644
---- a/libselinux/man/man3/selinux_file_context_cmp.3
-+++ b/libselinux/man/man3/selinux_file_context_cmp.3
-@@ -1,8 +1,7 @@
- .TH "selinux_file_context_cmp" "3" "08 March 2011" "SELinux API documentation"
--
- .SH "NAME"
--selinux_file_context_cmp \- Compare two SELinux security contexts excluding the 'user' component.
--
-+selinux_file_context_cmp \- Compare two SELinux security contexts excluding the 'user' component
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
-@@ -10,20 +9,20 @@ selinux_file_context_cmp \- Compare two SELinux security contexts excluding the
- .RS
- .BI "const security_context_t " b ");"
- .RE
--
-+.
- .SH "DESCRIPTION"
--.B selinux_file_context_cmp
-+.BR selinux_file_context_cmp ()
- compares two context strings excluding the user component with
--.B strcmp(3)
-+.BR strcmp (3)
- as shown in the
- .B EXAMPLE
- section.
- .sp
- This is useful as for most object contexts, the user component is not relevant.
--
-+.
- .SH "RETURN VALUE"
- The return values follow the
--.B strcmp(3)
-+.BR strcmp (3)
- function, where:
- .RS
- 0 if they are equal.
-@@ -40,13 +39,13 @@ is greater than
- is less than
- .I b
- .RE
--
-+.
- .SH "ERRORS"
- None.
--
-+.
- .SH "NOTES"
- The contexts being compared do not specifically need to be file contexts.
--
-+.
- .SH "EXAMPLE"
- If context
- .I a
-@@ -68,8 +67,8 @@ then the actual strings compared are:
- .RE
- .sp
- Therefore they will match and
--.B selinux_file_context_cmp
-+.BR selinux_file_context_cmp ()
- will return zero.
--
-+.
- .SH "SEE ALSO"
- .BR selinux "(8)"
-diff --git a/libselinux/man/man3/selinux_file_context_verify.3 b/libselinux/man/man3/selinux_file_context_verify.3
-index e22be70..893949f 100644
---- a/libselinux/man/man3/selinux_file_context_verify.3
-+++ b/libselinux/man/man3/selinux_file_context_verify.3
-@@ -1,15 +1,14 @@
- .TH "selinux_file_context_verify" "3" "08 March 2011" "SELinux API documentation"
--
- .SH "NAME"
--selinux_file_context_verify \- Compare the SELinux security context on disk to the default security context required by the policy file contexts file.
--
-+selinux_file_context_verify \- Compare the SELinux security context on disk to the default security context required by the policy file contexts file
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
- .BI "int selinux_file_context_verify(const char *" path ", mode_t " mode ");"
--
-+.
- .SH "DESCRIPTION"
--.B selinux_file_context_verify
-+.BR selinux_file_context_verify ()
- compares the context of the specified
- .I path
- that is held on disk (in the extended attribute), to the system default entry held in the file contexts series of files.
-@@ -21,7 +20,7 @@ may be zero.
- Note that the two contexts are compared for "significant" differences (i.e. the user component of the contexts are ignored) as shown in the
- .B EXAMPLE
- section.
--
-+.
- .SH "RETURN VALUE"
- If the contexts significantly match, 1 (one) is returned.
- .sp
-@@ -40,7 +39,7 @@ section, or if
- On failure \-1 is returned and
- .I errno
- set appropriately.
--
-+.
- .SH "ERRORS"
- .TP
- .B ENOTSUP
-@@ -58,22 +57,26 @@ are invalid, or the returned context fails validation.
- .TP
- .B ENOMEM
- if attempt to allocate memory failed.
--
-+.
- .SH "FILES"
- The following configuration files (the file contexts series of files) supporting the active policy will be used (should they exist) to determine the
- .I path
- default context:
- .sp
- .RS
--contexts/files/file_contexts - This file must exist.
-+.I contexts/files/file_contexts
-+- This file must exist.
- .sp
--contexts/files/file_contexts.local - If exists has local customizations.
-+.I contexts/files/file_contexts.local
-+- If exists has local customizations.
- .sp
--contexts/files/file_contexts.homedirs - If exists has users home directory customizations.
-+.I contexts/files/file_contexts.homedirs
-+- If exists has users home directory customizations.
- .sp
--contexts/files/file_contexts.subs - If exists has substitutions that are then applied to the 'in memory' version of the file contexts files.
-+.I contexts/files/file_contexts.subs
-+- If exists has substitutions that are then applied to the 'in memory' version of the file contexts files.
- .RE
--
-+.
- .SH "EXAMPLE"
- If the files context is:
- .RS
-@@ -91,8 +94,8 @@ then the actual strings compared are:
- .RE
- .sp
- Therefore they will match and
--.B selinux_file_context_verify
-+.BR selinux_file_context_verify ()
- will return 1.
--
-+.
- .SH "SEE ALSO"
- .BR selinux "(8)"
-diff --git a/libselinux/man/man3/selinux_getenforcemode.3 b/libselinux/man/man3/selinux_getenforcemode.3
-index a6a753e..7ed94c1 100644
---- a/libselinux/man/man3/selinux_getenforcemode.3
-+++ b/libselinux/man/man3/selinux_getenforcemode.3
-@@ -1,25 +1,31 @@
- .TH "selinux_getenforcemode" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
- .SH "NAME"
- selinux_getenforcemode \- get the enforcing state of SELinux
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
--.B int selinux_getenforcemode(int *enforce);
--
--
-+.BI "int selinux_getenforcemode(int *" enforce );
-+.
- .SH "DESCRIPTION"
--.B selinux_getenforcemode
--Reads the contents of the /etc/selinux/config file to determine how the
--system was setup to run SELinux.
-+.BR selinux_getenforcemode ()
-+Reads the contents of the
-+.I /etc/selinux/config
-+file to determine how the system was setup to run SELinux.
- 
--Sets the value of enforce to 1 if SELinux should be run in enforcing mode.
--Sets the value of enforce to 0 if SELinux should be run in permissive mode.
--Sets the value of enforce to -1 if SELinux should be disabled.
-+Sets the value of
-+.I enforce
-+to 1 if SELinux should be run in enforcing mode.
-+Sets the value of
-+.I enforce
-+to 0 if SELinux should be run in permissive mode.
-+Sets the value of
-+.I enforce
-+to \-1 if SELinux should be disabled.
-+.
- .SH "RETURN VALUE"
- On success, zero is returned.
--On failure, -1 is returned.
--
-+On failure, \-1 is returned.
-+.
- .SH "SEE ALSO"
- .BR selinux "(8)"
--
--
-diff --git a/libselinux/man/man3/selinux_getpolicytype.3 b/libselinux/man/man3/selinux_getpolicytype.3
-index 67f9518..c947e2c 100644
---- a/libselinux/man/man3/selinux_getpolicytype.3
-+++ b/libselinux/man/man3/selinux_getpolicytype.3
-@@ -1,21 +1,23 @@
- .TH "selinux_getpolicytype" "3" "24 Sep 2008" "dwalsh@redhat.com" "SELinux API documentation"
- .SH "NAME"
- selinux_getpolicytype \- get the type of SELinux policy running on the system
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
--.B int selinux_getpolicytype();
--
--
-+.BI "int selinux_getpolicytype(char **" policytype );
-+.
- .SH "DESCRIPTION"
--.B selinux_getpolicytype
--Reads the contents of the /etc/selinux/config file to determine the SELinux policy used on the system.
--
-+.BR selinux_getpolicytype ()
-+Reads the contents of the
-+.I /etc/selinux/config
-+file to determine the SELinux policy used on the system, and sets
-+.I \%policytype
-+accordinly.
-+.
- .SH "RETURN VALUE"
- On success, zero is returned.
--On failure, -1 is returned.
--
-+On failure, \-1 is returned.
-+.
- .SH "SEE ALSO"
- .BR selinux "(8)"
--
--
-diff --git a/libselinux/man/man3/selinux_lsetfilecon_default.3 b/libselinux/man/man3/selinux_lsetfilecon_default.3
-index 0589c7a..d4fc658 100644
---- a/libselinux/man/man3/selinux_lsetfilecon_default.3
-+++ b/libselinux/man/man3/selinux_lsetfilecon_default.3
-@@ -1,20 +1,20 @@
- .TH "selinux_lsetfilecon_default" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation"
- .SH "NAME"
--selinux_lsetfilecon_default \- set the file context to the system defaults.
--
-+selinux_lsetfilecon_default \- set the file context to the system defaults
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
--
- .BI "int selinux_lsetfilecon_default(const char *" path ");"
--
-+.
- .SH "DESCRIPTION"
--.B selinux_lsetfilecon_default
-+.BR selinux_lsetfilecon_default ()
- sets the file context to the system defaults.
--.sp
--
-+.
- .SH "RETURN VALUE"
- Returns zero on success or \-1 otherwise.
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " selinux_file_context_cmp "(3), " selinux_file_context_verify "(3), " matchpathcon "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)"
+diff --git a/libselinux/man/man3/selinux_current_policy_path.3 b/libselinux/man/man3/selinux_current_policy_path.3
+new file mode 100644
+index 0000000..175a611
+--- /dev/null
++++ b/libselinux/man/man3/selinux_current_policy_path.3
+@@ -0,0 +1 @@
++.so man3/selinux_binary_policy_path.3
 diff --git a/libselinux/man/man3/selinux_policy_root.3 b/libselinux/man/man3/selinux_policy_root.3
-index 7499c75..a6ccf86 100644
+index a6ccf86..63dc901 100644
 --- a/libselinux/man/man3/selinux_policy_root.3
 +++ b/libselinux/man/man3/selinux_policy_root.3
-@@ -1,20 +1,21 @@
+@@ -1,21 +1,34 @@
  .TH "selinux_policy_root" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation"
  .SH "NAME"
--selinux_policy_root \- return the path of the SELinux policy files for this machine.
-+selinux_policy_root \- return the path of the SELinux policy files for this machine
-+.
+ selinux_policy_root \- return the path of the SELinux policy files for this machine
++selinux_set_policy_root \- Set an alternate SELinux root path for the SELinux policy files for this machine.
+ .
  .SH "SYNOPSIS"
  .B #include
  .sp
--.B char *selinux_policy_root();
--
--
-+.B const char *selinux_policy_root(void);
+ .B const char *selinux_policy_root(void);
+ .
++.sp
++.B int selinux_set_policy_root(const char *policypath);
 +.
  .SH "DESCRIPTION"
--.B selinux_policy_root
--Reads the contents of the /etc/selinux/config file to determine which policy files should be used for this machine.
-+.BR selinux_policy_root ()
-+reads the contents of the
+ .BR selinux_policy_root ()
+ reads the contents of the
+ .I /etc/selinux/config
+ file to determine which policy files should be used for this machine.
+ .
++.BR selinux_set_policy_root ()
++sets up all all policy paths based on the alternate root
++
 +.I /etc/selinux/config
 +file to determine which policy files should be used for this machine.
 +.
  .SH "RETURN VALUE"
- On success, returns a directory path containing the SELinux policy files.
- On failure, NULL is returned.
--
-+.
+-On success, returns a directory path containing the SELinux policy files.
+-On failure, NULL is returned.
++On success, selinux_policy_root returns a directory path containing the SELinux policy files.
++On failure, selinux_policy_root returns NULL.
++
++On success, selinux_set_policy_root returns 0 on success -1 on failure.
++
+ .
  .SH "SEE ALSO"
  .BR selinux "(8)"
--
--
-diff --git a/libselinux/man/man3/selinux_raw_context_to_color.3 b/libselinux/man/man3/selinux_raw_context_to_color.3
-index d3ca83b..3737f60 100644
---- a/libselinux/man/man3/selinux_raw_context_to_color.3
-+++ b/libselinux/man/man3/selinux_raw_context_to_color.3
-@@ -1,8 +1,7 @@
- .TH "selinux_raw_context_to_color" "3" "08 April 2011" "SELinux API documentation"
--
- .SH "NAME"
--selinux_raw_context_to_color \- Return RGB color string for an SELinux security context.
--
-+selinux_raw_context_to_color \- Return RGB color string for an SELinux security context
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
-@@ -10,9 +9,9 @@ selinux_raw_context_to_color \- Return RGB color string for an SELinux security
- .RS
- .BI "char **" color_str ");"
- .RE
--
-+.
- .SH "DESCRIPTION"
--.B selinux_raw_context_to_color
-+.BR selinux_raw_context_to_color ()
- returns a
- .I color_str
- associated to the raw context
-@@ -20,7 +19,7 @@ associated to the raw context
- provided that the
- .BR mcstransd "(8)"
- daemon is running, the policy is an MLS type policy (MCS or MLS) and there is a color configuration file
--.BR secolor.conf "(5)"
-+.BR \%secolor.conf (5)
- (see the
- .B FILES
- section).
-@@ -39,7 +38,7 @@ string must be freed with
- If a color has not been configured for a specific user, role, type and/or range component of context
- .IR raw ","
- then
--.B selinux_raw_context_to_color
-+.BR \%selinux_raw_context_to_color ()
- will select the color returned in
- .I color_str
- in order of precedence as follows:
-@@ -55,7 +54,7 @@ user, role, type
- .RE
- 
- If there are no entries in the
--.B secolor.conf
-+.BR secolor.conf (5)
- file for any of the components of context
- .I raw
- (or the file is not present), then the default string returned in
-@@ -68,32 +67,32 @@ is:
- #000000 #ffffff #000000 #ffffff #000000 #ffffff #000000 #ffffff
- .sp
- .RE
--
-+.
- .SH "RETURN VALUE"
- On success, zero is returned.
- .br - On failure, \-1 is returned with - .I errno - set appropriately. -- -+. - .SH "ERRORS" - .B ENOENT - If the - .BR mcstransd "(8)" - daemon is not running. -- -+. - .SH "FILES" --.B selinux_raw_context_to_color -+.BR selinux_raw_context_to_color () - obtains the translated entry from the active policy - .BR secolor.conf "(5)" - file as returned by --.BR selinux_colors_path "(3)." -+.BR \%selinux_colors_path (3). - The file format is described in --.BR secolor.conf "(5)." -- -+.BR \%secolor.conf (5). -+. - .SH "NOTES" - 1. The primary use of --.B selinux_raw_context_to_color -+.BR selinux_raw_context_to_color () - is to return a color that corresponds to a range, that can then be used to highlight information at different MLS levels. - .sp - 2. The -@@ -101,11 +100,11 @@ is to return a color that corresponds to a range, that can then be used to highl - daemon process security level must dominate the - .I raw - security level passed to it by the --.B selinux_raw_context_to_color -+.BR selinux_raw_context_to_color () - function. If not, the range color selected will be as defined by the order of precedence. -- -+. - .SH "EXAMPLE" --.B selinux_raw_context_to_color -+.BR selinux_raw_context_to_color () - returns the foreground and background colors of the context string components (user:role:type:range) as RGB triples as follows: - .sp - -@@ -117,8 +116,8 @@ returns the foreground and background colors of the context string components (u - .br - black white : white black : tan orange : black green - .br -- -+. 
- .SH "SEE ALSO" -+.ad l -+.nh - .BR selinux "(8), " selinux_colors_path "(3), " mcstransd "(8), " secolor.conf "(5), " selinux_raw_to_trans_context "(3), " selinux_trans_to_raw_context "(3), " free "(3)" -- -- -diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3 -index 4f8d74d..073e135 100644 ---- a/libselinux/man/man3/selinux_set_callback.3 -+++ b/libselinux/man/man3/selinux_set_callback.3 -@@ -3,14 +3,15 @@ - .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007 - .TH "selinux_set_callback" "3" "20 Jun 2007" "" "SELinux API documentation" - .SH "NAME" --selinux_set_callback \- userspace SELinux callback facilities. -+selinux_set_callback \- userspace SELinux callback facilities -+. - .SH "SYNOPSIS" - .B #include - .sp - .BI "void selinux_set_callback(int " type ", union selinux_callback " callback ");" -- -+. - .SH "DESCRIPTION" --.B selinux_set_callback -+.BR selinux_set_callback () - sets the callback indicated by - .I type - to the value of -@@ -45,7 +46,7 @@ argument indicates the type of message and will be set to one of the following: - .B SELINUX_INFO - - .B SELINUX_AVC -- -+. - .TP - .B SELINUX_CB_AUDIT - .BI "int (*" func_audit ") (void *" auditdata ", security_class_t " cls , -@@ -64,7 +65,7 @@ A human-readable interpretation should be printed to - using no more than - .I msgbufsize - characters. -- -+. - .TP - .B SELINUX_CB_VALIDATE - .BI "int (*" func_validate ") (security_context_t *" ctx ");" -@@ -78,7 +79,7 @@ The value of - should be set to - .B EINVAL - to indicate an invalid context. -- -+. - .TP - .B SELINUX_CB_SETENFORCE - .BI "int (*" func_setenforce ") (int " enforcing ");" -@@ -91,7 +92,7 @@ argument indicates the new value and is set to - for enforcing mode, and - .I 0 - for permissive mode. -- -+. - .TP - .B SELINUX_CB_POLICYLOAD - .BI "int (*" func_policyload ") (int " seqno ");" -@@ -100,19 +101,18 @@ This callback is invoked when the system security policy is reloaded. 
- The - .I seqno - argument is the current sequential number of the policy generation in the system. -- -+. - .SH "RETURN VALUE" - None. -- -+. - .SH "ERRORS" - None. -- -+. - .SH "AUTHOR" - Eamon Walsh -- -+. - .SH "SEE ALSO" - .BR selabel_open (3), - .BR avc_init (3), --.BR avc_netlink_open(3), -+.BR avc_netlink_open (3), - .BR selinux (8) -- -diff --git a/libselinux/man/man3/selinux_set_mapping.3 b/libselinux/man/man3/selinux_set_mapping.3 -index 7ac069a..a93f7b2 100644 ---- a/libselinux/man/man3/selinux_set_mapping.3 -+++ b/libselinux/man/man3/selinux_set_mapping.3 -@@ -3,7 +3,8 @@ - .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2008 - .TH "selinux_set_mapping" "3" "12 Jun 2008" "" "SELinux API documentation" - .SH "NAME" --selinux_set_mapping \- establish dynamic object class and permission mapping. -+selinux_set_mapping \- establish dynamic object class and permission mapping -+. - .SH "SYNOPSIS" - .B #include - .sp -@@ -15,9 +16,9 @@ struct security_class_mapping { - .fi - .sp - .BI "int selinux_set_mapping(struct security_class_mapping *" map ");" -- -+. - .SH "DESCRIPTION" --.B selinux_set_mapping -+.BR selinux_set_mapping () - establishes a mapping from a user-provided ordering of object classes and permissions to the numbers actually used by the loaded system policy. Use of this function is highly preferred over the generated constants in the libselinux header files, as this method allows the policy's class and permission values to change over time. - - After the mapping is established, all libselinux functions that operate on class and permission values take the user-provided numbers, which are determined as follows: -@@ -33,12 +34,12 @@ field should refer to the string name of an object class, and the corresponding - field should refer to an array of permission bit names terminated by a NULL string. - - The object classes named in the mapping and the bit indexes of each set of permission bits named in the mapping are numbered in order starting from 1. 
These numbers are the values that should be passed to subsequent libselinux calls. -- -+. - .SH "RETURN VALUE" --Zero is returned on success. On error, -1 is returned and -+Zero is returned on success. On error, \-1 is returned and - .I errno - is set appropriately. -- -+. - .SH "ERRORS" - .TP - .B EINVAL -@@ -46,7 +47,7 @@ One of the class or permission names requested in the mapping is not present in - .TP - .B ENOMEM - An attempt to allocate memory failed. -- -+. - .SH "EXAMPLE" - .RS - .ta 4n 10n -@@ -78,10 +79,10 @@ and - (for the - .B file - class) will be identified by 1, 2, 4, and 8 respectively. Classes and permissions not listed in the mapping cannot be used. -- -+. - .SH "AUTHOR" - Eamon Walsh -- -+. - .SH "SEE ALSO" - .BR avc_open (8), - .BR selinux (8) -diff --git a/libselinux/man/man3/selinux_status_open.3 b/libselinux/man/man3/selinux_status_open.3 -index e897939..f779dd9 100644 ---- a/libselinux/man/man3/selinux_status_open.3 -+++ b/libselinux/man/man3/selinux_status_open.3 -@@ -3,11 +3,12 @@ - selinux_status_open, selinux_status_close, selinux_status_updated, - selinux_status_getenforce, selinux_status_policyload and - selinux_status_deny_unknown \- reference the SELinux kernel status --without invocation of system calls. -+without invocation of system calls -+. - .SH "SYNOPSIS" - .B #include - .sp --.BI "int selinux_status_open(int " fallback, ");" -+.BI "int selinux_status_open(int " fallback ");" - .sp - .BI "void selinux_status_close(void);" - .sp -@@ -18,7 +19,7 @@ without invocation of system calls. - .BI "int selinux_status_policyload(void);" - .sp - .BI "int selinux_status_deny_unknown(void);" --.sp -+. - .SH "DESCRIPTION" - Linux 2.6.37 or later provides a SELinux kernel status page; being mostly - placed on -@@ -26,15 +27,15 @@ placed on - entry. It enables userspace applications to mmap this page with read-only - mode, then it informs some status without system call invocations. 
- .sp --In some cases that a userspace application tries to apply heavy frequest --access control; such as row\-level security in databases, it will face -+In some cases that a userspace application tries to apply heavy frequent -+access control; such as row-level security in databases, it will face - unignorable cost to communicate with kernel space to check invalidation - of userspace avc. - .sp - These functions provides applications a way to know some kernel events --without system\-call invocation or worker thread for monitoring. -+without system-call invocation or worker thread for monitoring. - .sp --.BR selinux_status_open -+.BR selinux_status_open () - tries to - .BR open (2) - .I /selinux/status -@@ -51,46 +52,49 @@ and overwrite corresponding callbacks ( setenforce and policyload). - Thus, we need to pay attention to the interaction with these interfaces, - when fallback mode is enabled. - .sp --.BR selinux_status_close -+.BR selinux_status_close () - unmap the kernel status page and close its file descriptor, or close the - netlink socket if fallbacked. - .sp --.BR selinux_status_updated -+.BR selinux_status_updated () - informs us whether something has been updated since the last call. - It returns 0 if nothing was happened, however, 1 if something has been --updated in this duration, or -1 on error. -+updated in this duration, or \-1 on error. - .sp --.BR selinux_status_getenforce -+.BR selinux_status_getenforce () - returns 0 if SELinux is running in permissive mode, 1 if enforcing mode, --or -1 on error. -+or \-1 on error. - Same as - .BR security_getenforce (3) - except with or without system call invocation. - .sp --.BR selinux_status_policyload --returns times of policy reloaded on the running system, or -1 on error. -+.BR selinux_status_policyload () -+returns times of policy reloaded on the running system, or \-1 on error. - Note that it is not a reliable value on fallback-mode until it receive - the first event message via netlink socket. 
- Thus, don't use this value to know actual times of policy reloaded. - .sp --.BR selinux_status_deny_unknown -+.BR selinux_status_deny_unknown () - returns 0 if SELinux treats policy queries on undefined object classes or --permissions as being allowed, 1 if such queries are denied, or -1 on error. -+permissions as being allowed, 1 if such queries are denied, or \-1 on error. - .sp - Also note that these interfaces are not thread-safe, so you have to protect - them from concurrent calls using exclusive locks when multiple threads are - performing. -+. - .SH "RETURN VALUE" --.BR selinux_status_open -+.BR selinux_status_open () - returns 0 or 1 on success. 1 means we are ready to use these interfaces, - but netlink socket was opened as fallback instead of the kernel status page. --On error, -1 shall be returned. -+On error, \-1 shall be returned. - .sp - Any other functions with a return value shall return its characteristic --value as described above, or -1 on errors. --.sp -+value as described above, or \-1 on errors. -+. - .SH "SEE ALSO" --.BR mmap (2) --.BR avc_netlink_open (3) --.BR security_getenforce (3) -+.ad l -+.nh -+.BR mmap (2), -+.BR avc_netlink_open (3), -+.BR security_getenforce (3), - .BR security_deny_unknown (3) -diff --git a/libselinux/man/man3/set_matchpathcon_flags.3 b/libselinux/man/man3/set_matchpathcon_flags.3 -index 037fe05..2841bec 100644 ---- a/libselinux/man/man3/set_matchpathcon_flags.3 -+++ b/libselinux/man/man3/set_matchpathcon_flags.3 -@@ -1,42 +1,41 @@ - .TH "set_matchpathcon_flags" "3" "21 November 2009" "sds@tycho.nsa.gov" "SELinux API documentation" - .SH "NAME" --set_matchpathcon_flags, set_matchpathcon_invalidcon, set_matchpathcon_printf \- set flags controlling the operation of matchpathcon or matchpathcon_index and configure the behaviour of validity checking and error displaying. 
-- -+set_matchpathcon_flags, set_matchpathcon_invalidcon, set_matchpathcon_printf \- set flags controlling the operation of matchpathcon or matchpathcon_index and configure the behaviour of validity checking and error displaying -+. - .SH "SYNOPSIS" - .B #include - .sp -- - .BI "void set_matchpathcon_flags(unsigned int " flags ");" -- --.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *" path ", unsigned " lineno ", char * " context "));" -- -+.sp -+.BI "void set_matchpathcon_invalidcon(int (*" f ")(const char *" path ", unsigned " lineno ", char *" context "));" -+.sp - .BI "void set_matchpathcon_printf(void (*" f ")(const char *" fmt ", ...));" -- -+. - .SH "DESCRIPTION" --.B set_matchpathcon_flags -+.BR set_matchpathcon_flags () - sets the flags controlling the operation of --.B matchpathcon_init -+.BR matchpathcon_init (3) - and subsequently --.B matchpathcon_index -+.BR matchpathcon_index (3) - or --.B matchpathcon. -+.BR matchpathcon (3). - If the - .B MATCHPATHCON_BASEONLY - flag is set, then only the base file contexts configuration file - will be processed, not any dynamically generated entries or local customizations. - .sp - --.B set_matchpathcon_invalidcon -+.BR set_matchpathcon_invalidcon () - sets the function used by --.B matchpathcon_init -+.BR matchpathcon_init (3) - when checking the validity of a context in the file contexts - configuration. If not set, then this defaults to a test based - on --.B security_check_context(3), -+.BR security_check_context (3), - which checks validity against the active policy on a SELinux system. - This can be set to instead perform checking based on a binary policy file, - e.g. using --.B sepol_check_context(3), -+.BR sepol_check_context (3), - as is done by - .B setfiles \-c. - The function is also responsible for reporting any such error, and -@@ -47,16 +46,17 @@ and - in such error messages. 
- .sp - --.B set_matchpathcon_printf -+.BR set_matchpathcon_printf () - sets the function used by --.B matchpathcon_init -+.BR matchpathcon_init (3) - when displaying errors about the file contexts configuration. If not set, - then this defaults to fprintf(stderr, fmt, ...). This can be set to redirect - error reporting to a different destination. --.sp -- -+. - .SH "RETURN VALUE" - Returns zero on success or \-1 otherwise. -- -+. - .SH "SEE ALSO" -+.ad l -+.nh - .BR selinux "(8), " matchpathcon "(3), " matchpathcon_index "(3), " set_matchpathcon_invalidcon "(3), " set_matchpathcon_printf "(3), " freecon "(3), " setfilecon "(3), " setfscreatecon "(3)" -diff --git a/libselinux/man/man3/setcon_raw.3 b/libselinux/man/man3/setcon_raw.3 +diff --git a/libselinux/man/man3/selinux_set_policy_root.3 b/libselinux/man/man3/selinux_set_policy_root.3 new file mode 100644 -index 0000000..1210b5a +index 0000000..8077658 --- /dev/null -+++ b/libselinux/man/man3/setcon_raw.3 ++++ b/libselinux/man/man3/selinux_set_policy_root.3 
@@ -0,0 +1 @@ -+.so man3/getcon.3 -diff --git a/libselinux/man/man3/setexeccon_raw.3 b/libselinux/man/man3/setexeccon_raw.3 -new file mode 100644 -index 0000000..b2e6ab8 ---- /dev/null -+++ b/libselinux/man/man3/setexeccon_raw.3 -@@ -0,0 +1 @@ -+.so man3/getexeccon.3 -diff --git a/libselinux/man/man3/setfilecon.3 b/libselinux/man/man3/setfilecon.3 -index 18030cd..5acc9bb 100644 ---- a/libselinux/man/man3/setfilecon.3 -+++ b/libselinux/man/man3/setfilecon.3 -@@ -1,41 +1,66 @@ - .TH "setfilecon" "3" "1 January 2004" "russell@coker.com.au" "SELinux API documentation" - .SH "NAME" - setfilecon, fsetfilecon, lsetfilecon \- set SELinux security context of a file -- -+. - .SH "SYNOPSIS" - .B #include - .sp - .BI "int setfilecon(const char *" path ", security_context_t "con ); -- -+.sp -+.BI "int setfilecon_raw(const char *" path ", security_context_t "con ); -+.sp - .BI "int lsetfilecon(const char *" path ", security_context_t "con ); -- -+.sp -+.BI "int lsetfilecon_raw(const char *" path ", security_context_t "con ); -+.sp - .BI "int fsetfilecon(int "fd ", security_context_t "con ); -- -+.sp -+.BI "int fsetfilecon_raw(int "fd ", security_context_t "con ); -+. - .SH "DESCRIPTION" --.B setfilecon -+.BR setfilecon () - sets the security context of the file system object. - --.B lsetfilecon -+.BR lsetfilecon () - is identical to setfilecon, except in the case of a symbolic link, where the - link itself has it's context set, not the file that it refers to. - --.B fsetfilecon -+.BR fsetfilecon () - is identical to setfilecon, only the open file pointed to by filedes (as --returned by open(2)) has it's context set in place of path. -+returned by -+.BR open (2)) -+has it's context set in place of path. - -+.BR setfilecon_raw (), -+.BR lsetfilecon_raw (), -+and -+.BR fsetfilecon_raw () -+behave identically to their non-raw counterparts but do not perform context -+translation. -+. - .SH "RETURN VALUE" --On success, zero is returned. 
On failure, -1 is returned and errno is --set appropriately. -- -+On success, zero is returned. On failure, \-1 is returned and -+.I errno -+is set appropriately. -+. -+.SH "ERRORS" - If there is insufficient space remaining to store the extended --attribute, errno is set to either ENOSPC, or EDQUOT if quota enforce- --ment was the cause. -- --If extended attributes are not supported by the filesystem, or are dis- --abled, errno is set to ENOTSUP. -+attribute, -+.I errno -+is set to either -+.BR ENOSPC , -+or -+.B EDQUOT -+if quota enforcement was the cause. - --The errors documented for the stat(2) system call are also applicable --here. -+If extended attributes are not supported by the filesystem, or are disabled, -+.I errno -+is set to -+.BR ENOTSUP . - -+The errors documented for the -+.BR stat (2) -+system call are also applicable here. -+. - .SH "SEE ALSO" - .BR selinux "(3), " freecon "(3), " getfilecon "(3), " setfscreatecon "(3)" -diff --git a/libselinux/man/man3/setfilecon_raw.3 b/libselinux/man/man3/setfilecon_raw.3 -new file mode 100644 -index 0000000..33c321a ---- /dev/null -+++ b/libselinux/man/man3/setfilecon_raw.3 -@@ -0,0 +1 @@ -+.so man3/setfilecon.3 -diff --git a/libselinux/man/man3/setfscreatecon_raw.3 b/libselinux/man/man3/setfscreatecon_raw.3 -new file mode 100644 -index 0000000..21aeebd ---- /dev/null -+++ b/libselinux/man/man3/setfscreatecon_raw.3 -@@ -0,0 +1 @@ -+.so man3/getfscreatecon.3 -diff --git a/libselinux/man/man3/setkeycreatecon_raw.3 b/libselinux/man/man3/setkeycreatecon_raw.3 -new file mode 100644 -index 0000000..1e0ec5f ---- /dev/null -+++ b/libselinux/man/man3/setkeycreatecon_raw.3 -@@ -0,0 +1 @@ -+.so man3/getkeycreatecon.3 -diff --git a/libselinux/man/man3/setsockcreatecon_raw.3 b/libselinux/man/man3/setsockcreatecon_raw.3 -new file mode 100644 -index 0000000..ed1a371 ---- /dev/null -+++ b/libselinux/man/man3/setsockcreatecon_raw.3 -@@ -0,0 +1 @@ -+.so man3/getsockcreatecon.3 -diff --git a/libselinux/man/man5/booleans.5 
b/libselinux/man/man5/booleans.5 -index 8efc889..2e9caa7 100644 ---- a/libselinux/man/man5/booleans.5 -+++ b/libselinux/man/man5/booleans.5 -@@ -1,8 +1,7 @@ - .TH "booleans" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration" -- - .SH "NAME" --booleans \- The SELinux booleans configuration files. -- -+booleans \- The SELinux booleans configuration files -+. - .SH "DESCRIPTION" - The \fIbooleans\fR file, if present contains booleans to support a specific distribution. - .sp -@@ -36,7 +35,7 @@ Looks for a \fIbooleans\fR and/or \fIbooleans.local\fR file at \fBselinux_boolea - .RE - .sp - Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)). -- -+. - .SH "FILE FORMAT" - Both boolean files have the same format and contain one or more boolean names and their value. - .sp -@@ -69,11 +68,13 @@ file (see - .BR selinux_config "(5)), then " selinux_mkload_policy "(3) will check for a " - .I booleans.local - file in the --.B selinux_booleans_path -+.BR selinux_booleans_path (3) - and also a - .I local.users - file (see - .BR local.users "(5)) in the " selinux_users_path "(3). " -- -+. - .SH "SEE ALSO" -+.ad l -+.nh - .BR selinux "(8), " booleans "(8), " setsebool "(8), " semanage "(8), " selinux_booleans_path "(3), " security_set_boolean_list "(3), " security_load_booleans "(3), " selinux_mkload_policy "(3), " selinux_users_path "(3), " selinux_config "(5), " local.users "(5) " -diff --git a/libselinux/man/man5/customizable_types.5 b/libselinux/man/man5/customizable_types.5 -index c2180f9..4924f7b 100644 ---- a/libselinux/man/man5/customizable_types.5 -+++ b/libselinux/man/man5/customizable_types.5 -@@ -1,20 +1,21 @@ - .TH "customizable_types" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration" -- - .SH "NAME" --customizable_types \- The SELinux customizable types configuration file. -- -+customizable_types \- The SELinux customizable types configuration file -+. 
- .SH "DESCRIPTION" - The \fIcustomizable_types\fR file contains a list of types that can be customised in some way by SELinux-aware applications. - .sp - Generally this is a file context type that is usually set on files that need to be shared among certain domains and where the administrator wants to manually manage the type. - .sp - The use of customizable types is deprecated as the preferred approach is to use --.B semanage fcontext ... --(8). However, SELinux-aware applications such as --.BR setfiles "(8) " -+.BR semanage (8) -+.BR fcontext (8) -+.BR ... (8). -+However, SELinux-aware applications such as -+.BR setfiles (8) - will use this information to obtain a list of types relating to files that should not be relabeled. - .sp --.BR selinux_customizable_types_path "(3) " -+.BR selinux_customizable_types_path (3) - will return the active policy path to this file. The default customizable types file is: - .RS - .I /etc/selinux/{SELINUXTYPE}/contexts/customizable_types -@@ -22,9 +23,9 @@ will return the active policy path to this file. The default customizable types - .sp - Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)). - .sp --.BR is_context_customizable "(3) " -+.BR is_context_customizable (3) - reads this file to determine if a context is customisable or not for the active policy. -- -+. - .SH "FILE FORMAT" - Each line in the file consists of the following: - .RS -@@ -38,7 +39,7 @@ Where: - The type defined in the policy that can be customised. - .RE - .RE -- -+. - .SH "EXAMPLE" - # ./contexts/customizable_types - .br -@@ -51,6 +52,8 @@ public_content_t - swapfile_t - .br - sysadm_untrusted_content_t -- -+. 
- .SH "SEE ALSO" -+.ad l -+.nh - .BR selinux "(8), " selinux_customizable_types_path "(3), " is_context_customizable "(3), " semanage "(8), " setfiles "(8), " selinux_config "(5) " -diff --git a/libselinux/man/man5/default_contexts.5 b/libselinux/man/man5/default_contexts.5 -index e377e55..f63d24a 100644 ---- a/libselinux/man/man5/default_contexts.5 -+++ b/libselinux/man/man5/default_contexts.5 -@@ -1,8 +1,7 @@ - .TH "default_contexts" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration" -- - .SH "NAME" --default_contexts \- The SELinux default contexts configuration file. -- -+default_contexts \- The SELinux default contexts configuration file -+. - .SH "DESCRIPTION" - The default contexts configuration file \fIdefault_contexts\fR contains entries that allow SELinux-aware login applications such as - .BR PAM "(8) " -@@ -32,7 +31,7 @@ The default context configuration file path for the active policy is returned by - .RE - .sp - Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)). -- -+. - .SH "FILE FORMAT" - Each line in the default configuration file consists of the following: - .RS -@@ -50,7 +49,7 @@ This consists of a \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entry that represents - This consists of one or more \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entries that represent the user login process context defined in the policy. - .RE - .RE -- -+. - .SH "EXAMPLE" - # ./contexts/default_contexts - .br -@@ -65,6 +64,8 @@ system_r:sshd_t:s0 user_r:user_t:s0 - system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 - .br - system_r:xdm_t:s0 user_r:user_t:s0 -- -+. 
- .SH "SEE ALSO" -+.ad l -+.nh - .BR selinux "(8), " selinux_default_contexts_path "(3), " PAM "(8), " selinux_default_type_path "(3), " get_default_context "(3), " get_ordered_context_list "(3), " get_ordered_context_list_with_level "(3), " get_default_context_with_level "(3), " get_default_context_with_role "(3), " get_default_context_with_rolelevel "(3), " query_user_context "(3), " manual_user_enter_context "(3), " selinux_config "(5) " -diff --git a/libselinux/man/man5/default_type.5 b/libselinux/man/man5/default_type.5 -index 45f4806..082a5f0 100644 ---- a/libselinux/man/man5/default_type.5 -+++ b/libselinux/man/man5/default_type.5 -@@ -1,8 +1,7 @@ - .TH "default_type" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration" -- - .SH "NAME" --default_type \- The SELinux default type configuration file. -- -+default_type \- The SELinux default type configuration file -+. - .SH "DESCRIPTION" - The \fIdefault_type\fR file contains entries that allow SELinux-aware applications such as \fBnewrole\fR(1) to select a default type for a role if one is not supplied. - .sp -@@ -14,7 +13,7 @@ The \fIdefault_type\fR file contains entries that allow SELinux-aware applicatio - Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)). - .sp - \fBget_default_type\fR(3) reads this file to determine a type for the active policy. -- -+. - .SH "FILE FORMAT" - Each line within the \fIdefault_type\fR file is formatted with \fIrole\fB:\fItype\fR entries where: - .RS -@@ -26,13 +25,15 @@ The SELinux role. - .RS - The domain type that is returned for this role. - .RE -- -+. - .SH "EXAMPLE" - # ./contexts/default_type - .br - auditadm_r:auditadm_t - .br - user_r:user_t -- -+. 
- .SH "SEE ALSO" -+.ad l -+.nh - .BR selinux "(8), " get_default_type "(3), " newrole "(1), " selinux_default_type_path "(3), " selinux_config "(5) " -diff --git a/libselinux/man/man5/failsafe_context.5 b/libselinux/man/man5/failsafe_context.5 -index ef8e9ac..e7032e5 100644 ---- a/libselinux/man/man5/failsafe_context.5 -+++ b/libselinux/man/man5/failsafe_context.5 -@@ -1,8 +1,7 @@ - .TH "failsafe_context" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration" -- - .SH "NAME" --failsafe_context \- The SELinux fail safe context configuration file. -- -+failsafe_context \- The SELinux fail safe context configuration file -+. - .SH "DESCRIPTION" - The - .I failsafe_context -@@ -37,7 +36,7 @@ The following functions read this file from the active policy path if they canno - .br - .BR manual_user_enter_context "(3) " - .RE -- -+. - .SH "FILE FORMAT" - The file consists of a single line entry as follows: - .RS -@@ -53,11 +52,13 @@ Where: - A role, type and optional range (for MCS/MLS), separated by colons (:) to form a valid login process context for an administrator to access the system. - .RE - .RE -- -+. - .SH "EXAMPLE" - # ./contexts/failsafe_context - .br - unconfined_r:unconfined_t:s0 -- -+. 
- .SH "SEE ALSO" -+.ad l -+.nh - .BR selinux "(8), " selinux_failsafe_context_path "(3), " PAM "(8), " selinux_default_type_path "(3), " get_default_context "(3), " get_ordered_context_list "(3), " get_ordered_context_list_with_level "(3), " get_default_context_with_level "(3), " get_default_context_with_role "(3), " get_default_context_with_rolelevel "(3), " query_user_context "(3), " manual_user_enter_context "(3), " selinux_config "(5) " -diff --git a/libselinux/man/man5/local.users.5 b/libselinux/man/man5/local.users.5 -index 8347ae8..94d4673 100644 ---- a/libselinux/man/man5/local.users.5 -+++ b/libselinux/man/man5/local.users.5 -@@ -1,8 +1,7 @@ - .TH "local.users" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration" -- - .SH "NAME" --local.users \- The SELinux local users configuration file. -- -+local.users \- The SELinux local users configuration file -+. - .SH "DESCRIPTION" - The file contains local user definitions in the form of policy language user statements and is only found on older SELinux systems as it has been deprecated and replaced by the \fBsemange\fR(8) services. - .sp -@@ -15,7 +14,7 @@ will return the active policy path to the directory where this file is located. - .RE - .sp - Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)). -- -+. - .SH "FILE FORMAT" - The file consists of one or more entries terminated with '\fB;\fR', each on a separate line as follows: - .RS -@@ -57,11 +56,13 @@ If MLS/MCS is configured, the range keyword. - The current and clearance levels that the user can run. These are separated by a hyphen '\fB-\fR' as shown in the \fBEXAMPLE\fR section. - .RE - .RE -- -+. - .SH "EXAMPLE" - # ./users/local.users - .br --user test_u roles staff_r level s0 range s0 - s15:c0.c1023; -- -+user test_u roles staff_r level s0 range s0 \- s15:c0.c1023; -+. 
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " semanage "(8), " selinux_users_path "(3), " selinux_config "(5), " selinux_mkload_policy "(3) "
-diff --git a/libselinux/man/man5/removable_context.5 b/libselinux/man/man5/removable_context.5
-index 72d3d4c..60aaa93 100644
---- a/libselinux/man/man5/removable_context.5
-+++ b/libselinux/man/man5/removable_context.5
-@@ -1,8 +1,7 @@
- .TH "removable_context" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
--
- .SH "NAME"
--removable_context \- The SELinux removable devices context configuration file.
--
-+removable_context \- The SELinux removable devices context configuration file
-+.
- .SH "DESCRIPTION"
- This file contains the default label that should be used for removable devices that are not defined in the \fImedia\fR file (that is described in
- .BR selabel_media "(5)). "
-@@ -14,7 +13,7 @@ will return the active policy path to this file. The default removable context f
- .RE
- .sp
- Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
--
-+.
- .SH "FILE FORMAT"
- The file consists of a single line entry as follows:
- .RS
-@@ -28,10 +27,11 @@ Where:
- A user, role, type and optional range (for MCS/MLS) separated by colons (:) that will be applied to removable devices.
- .RE
- .RE
-+.
- .SH "EXAMPLE"
- # ./contexts/removable_contexts
- .br
- system_u:object_r:removable_t:s0
--
-+.
- .SH "SEE ALSO"
- .BR selinux "(8), " selinux_removable_context_path "(3), " selabel_media "(5), " selinux_config "(5) "
-diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
-index e50d560..b834577 100644
---- a/libselinux/man/man5/secolor.conf.5
-+++ b/libselinux/man/man5/secolor.conf.5
-@@ -1,8 +1,7 @@
- .TH "secolor.conf" "5" "08 April 2011" "SELinux API documentation"
--
- .SH "NAME"
--secolor.conf \- The SELinux color configuration file.
--
-+secolor.conf \- The SELinux color configuration file
-+.
- .SH "DESCRIPTION"
- This optional file controls the color to be associated to the context components associated to the
- .I raw
-@@ -15,7 +14,7 @@ obtains this color information from the active policy
- .B secolor.conf
- file as returned by
- .BR selinux_colors_path "(3)."
--
-+.
- .SH "FILE FORMAT"
- The file format is as follows:
- .RS
-@@ -86,7 +85,7 @@ A
- .I color_mask
- may also be used.
- .RE
--
-+.
- .SH "EXAMPLES"
- Example 1 entries are:
- .RS
-@@ -112,17 +111,17 @@ role * = white black
- .br
- type * = tan orange
- .br
--range s0-s0:c0.c1023 = black green
-+range s0\-s0:c0.c1023 = black green
- .br
--range s1-s1:c0.c1023 = white green
-+range s1\-s1:c0.c1023 = white green
- .br
--range s3-s3:c0.c1023 = black tan
-+range s3\-s3:c0.c1023 = black tan
- .br
--range s5-s5:c0.c1023 = white blue
-+range s5\-s5:c0.c1023 = white blue
- .br
--range s7-s7:c0.c1023 = black red
-+range s7\-s7:c0.c1023 = black red
- .br
--range s9-s9:c0.c1023 = black orange
-+range s9\-s9:c0.c1023 = black orange
- .br
- range s15:c0.c1023 = black yellow
- .RE
-@@ -174,8 +173,6 @@ role * = black white
- .br
- type * = black white
- .RE
--
-+.
- .SH "SEE ALSO"
- .BR selinux "(8), " selinux_raw_context_to_color "(3), " selinux_colors_path "(3)"
--
--
-diff --git a/libselinux/man/man5/securetty_types.5 b/libselinux/man/man5/securetty_types.5
-index 3f13fdd..dbc5c2e 100644
---- a/libselinux/man/man5/securetty_types.5
-+++ b/libselinux/man/man5/securetty_types.5
-@@ -1,8 +1,7 @@
- .TH "securetty_types" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
--
- .SH "NAME"
--securetty_types \- The SELinux secure tty type configuration file.
--
-+securetty_types \- The SELinux secure tty type configuration file
-+.
- .SH "DESCRIPTION"
- The
- .I securetty_types
-@@ -20,7 +19,7 @@ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIco
- .sp
- SELinux-aware applications such as
- .BR newrole "(1) use this information to check the status of a tty. "
--
-+.
- .SH "FILE FORMAT"
- Each line in the file consists of the following entry:
- .sp
-@@ -30,7 +29,7 @@ Each line in the file consists of the following entry:
- One or more type entries that are defined in the policy for secure tty devices.
- .RE
- .RE
--
-+.
- .SH "EXAMPLE"
- # ./contexts/securetty_types
- .br
-@@ -39,6 +38,8 @@ sysadm_tty_device_t
- user_tty_device_t
- .br
- staff_tty_device_t
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " selinux_securetty_types_path "(3), " newrole "(1), " selinux_check_securetty_context "(3), " selinux_config "(5) "
-diff --git a/libselinux/man/man5/selabel_db.5 b/libselinux/man/man5/selabel_db.5
-index c809d18..b3342f6 100644
---- a/libselinux/man/man5/selabel_db.5
-+++ b/libselinux/man/man5/selabel_db.5
-@@ -3,9 +3,10 @@
- .\" Author: KaiGai Kohei 2009
- .TH "selabel_db" "5" "01 DEC 2011" "Security Enhanced Linux" "SELinux API documentation"
- .SH "NAME"
--selabel_db \- userspace SELinux labeling interface and configuration file format for the RDBMS objects context backend.
-+selabel_db \- userspace SELinux labeling interface and configuration file format for the RDBMS objects context backend
-+.
- .SH "SYNOPSIS"
--..B #include
-+.B #include
- .sp
- .BI "int selabel_lookup(struct selabel_handle *" hnd ,
- .in +\w'int selabel_lookup('u
-@@ -19,7 +20,7 @@ selabel_db \- userspace SELinux labeling interface and configuration file format
- .BI "security_context_t *" context ,
- .br
- .BI "const char *" object_name ", int " object_type ");"
--
-+.
- .SH "DESCRIPTION"
- The DB contexts backend maps from a pair of object name and class into security contexts. It is used to find the appropriate context for database objects when relabeling a certain database. The returned \fIcontext\fR must be freed using \fBfreecon\fR(3).
- .br
-@@ -87,13 +88,15 @@ The
- argument specifies the name of a language object, such as "postgres.public.tcl".
- .RE
- .sp
--Any messages generated by \fBselabel_lookup\fR are sent to \fIstderr\fR by default, although this can be changed by \fBselinux_set_callback\fR(3).
-+Any messages generated by \fBselabel_lookup\fR(3) are sent to \fIstderr\fR
-+by default, although this can be changed by \fBselinux_set_callback\fR(3).
- .sp
--.B selabel_lookup_raw
--behaves identically to \fBselabel_lookup\fR but does not perform context translation.
-+.BR selabel_lookup_raw (3)
-+behaves identically to \fBselabel_lookup\fR(3) but does not perform context
-+translation.
- .sp
- The \fBFILES\fR section details the configuration files used to determine the database object context.
--
-+.
- .SH "OPTIONS"
- In addition to the global options described in \fBselabel_open\fR(3), this backend recognizes the following options:
- .RS
-@@ -102,7 +105,7 @@ In addition to the global options described in \fBselabel_open\fR(3), this backe
- A non-null value for this option specifies a path to a file that will be opened in lieu of the standard DB contexts file.
- It tries to open the specfile designed for SE-PostgreSQL as default, so if another RDBMS uses this interface, it needs to give an explicit specfile designed for that RDBMS (see the \fBFILES\fR section for details).
- .RE
--
-+.
- .SH "FILES"
- The database context file used to retrieve a context depends on the \fBSELABEL_OPT_PATH\fR parameter passed to \fBselabel_open\fR(3). If \fINULL\fR, then the \fBSELABEL_OPT_PATH\fR value will default to the active policy database contexts location (as returned by \fBselinux_sepgsql_context_path\fR(3)), otherwise the actual \fBSELABEL_OPT_PATH\fR value specified is used (this option must be used to support databases other than SE-PostgreSQL).
- .sp
-@@ -114,7 +117,7 @@ The default database object contexts file is:
- Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
- .sp
- The entries within the database contexts file are shown in the \fBObject Name String Values\fR and \fBFILE FORMAT\fR sections.
--
-+.
- .SH "Object Name String Values"
- The string name assigned to each \fIobject_type\fR argument that can be present in the database contexts file are:
- .TS
-@@ -133,7 +136,7 @@ SELABEL_DB_PROCEDURE@db_procedure
- SELABEL_DB_SEQUENCE@db_sequence
- SELABEL_DB_BLOB@db_blob
- .TE
--
-+.
- .SH "FILE FORMAT"
- Each line within the database contexts file is as follows:
- .RS
-@@ -177,7 +180,7 @@ db_tuple row_low system_u:object_r:sepgsql_table_t:s0
- db_tuple row_high system_u:object_r:sepgsql_table_t:s0:c1023
- .br
- db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0
--
-+.
- .SH "NOTES"
- .IP "1." 4
- A suitable database contexts file needs to be written for the target RDBMS and the \fBSELABEL_OPT_PATH\fR option must be used in \fBselabel_open\fR(3) to load it.
-@@ -188,11 +191,17 @@ SE-PostgreSQL has a namespace hierarchy where a database is the top level object
- .RS
- .RS
- .sp
--If a security context is required for "my_table" table in the "public" schema within the "postgres" database, then the \fBselabel_lookup\fR parameters for \fIobject_type\fR would be \fBSELABEL_DB_TABLE\fR and the \fIobject_name\fR would be "postgres.public.my_table", the security context (if available), would be returned in \fIcontext\fR.
-+If a security context is required for "my_table" table in the "public"
-+schema within the "postgres" database, then the \fBselabel_lookup\fR(3)
-+parameters for \fIobject_type\fR would be \fBSELABEL_DB_TABLE\fR and the
-+\fIobject_name\fR would be "postgres.public.my_table", the security
-+context (if available), would be returned in \fIcontext\fR.
- .RE
- .RE
- .IP "3." 4
- If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If this is not set, then it is possible for an invalid context to be returned.
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " selinux_sepgsql_context_path "(3), " freecon "(3), " selinux_config "(5) "
-diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
-index 8a1f826..5703f27 100644
---- a/libselinux/man/man5/selabel_file.5
-+++ b/libselinux/man/man5/selabel_file.5
-@@ -3,7 +3,8 @@
- .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
- .TH "selabel_file" "5" "01 Dec 2011" "Security Enhanced Linux" "SELinux API documentation"
- .SH "NAME"
--selabel_file \- userspace SELinux labeling interface and configuration file format for the file contexts backend.
-+selabel_file \- userspace SELinux labeling interface and configuration file format for the file contexts backend
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
-@@ -19,7 +20,7 @@ selabel_file \- userspace SELinux labeling interface and configuration file form
- .BI "security_context_t *" context ,
- .br
- .BI "const char *" path ", int " mode ");"
--
-+.
- .SH "DESCRIPTION"
- The file contexts backend maps from pathname/mode combinations into security contexts. It is used to find the appropriate context for each file when relabeling a file system. The returned \fIcontext\fR must be freed using \fBfreecon\fR(3).
- .br
-@@ -32,13 +33,15 @@ No context corresponding to the \fIpath\fR and \fImode\fR was found - This will
- .sp
- The \fIpath\fR argument should be set to the full pathname of the file whose assigned context is being checked. The \fImode\fR argument should be set to the mode bits of the file, as determined by \fBlstat\fR(2). \fImode\fR may be zero, however full matching may not occur.
- .sp
--Any messages generated by \fBselabel_lookup\fR are sent to \fIstderr\fR by default, although this can be changed by \fBselinux_set_callback\fR(3).
-+Any messages generated by \fBselabel_lookup\fR(3) are sent to \fIstderr\fR
-+by default, although this can be changed by \fBselinux_set_callback\fR(3).
- .sp
--.B selabel_lookup_raw
--behaves identically to \fBselabel_lookup\fR but does not perform context translation.
-+.BR selabel_lookup_raw (3)
-+behaves identically to \fBselabel_lookup\fR(3) but does not perform context
-+translation.
- .sp
- The \fBFILES\fR section details the configuration files used to determine a file context.
--
-+.
- .SH "OPTIONS"
- In addition to the global options described in
- .BR selabel_open (3),
-@@ -54,7 +57,7 @@ A non-null value for this option indicates that any local customizations to the
- .B SELABEL_OPT_SUBSET
- A non-null value for this option is interpreted as a path prefix, for example "/etc". Only file context specifications starting with the given prefix are loaded. This may increase lookup performance, however any attempt to look up a path not starting with the given prefix will fail.
- .RE
--
-+.
- .SH "FILES"
- The file context files used to retrieve the default context depends on the \fBSELABEL_OPT_PATH\fR parameter passed to \fBselabel_open\fR(3). If \fINULL\fR, then the \fBSELABEL_OPT_PATH\fR value will default to the active policy file contexts location (as returned by \fBselinux_file_context_path\fR(3)), otherwise the actual \fBSELABEL_OPT_PATH\fR value specified is used.
- .sp
-@@ -104,7 +107,7 @@ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIco
- Only the \fIfile_contexts\fR file is mandatory, the remainder are optional.
- .sp
- The entries within the file contexts series of files are shown in the \fBFILE FORMAT\fR section.
--
-+.
- .SH "FILE FORMAT"
- .sp
- .SH "File Contexts Format"
-@@ -126,13 +129,13 @@ An entry that defines the pathname that may be in the form of a regular expressi
- .RS
- An optional file type consisting of:
- .RS
--\fI\-b\fR \- Block Device \fI\-c\fR \- Character Device
-+\fI\-b\fR - Block Device \fI\-c\fR - Character Device
- .br
--\fI\-d\fR \- Directory \fI\-p\fR \- Named Pipe
-+\fI\-d\fR - Directory \fI\-p\fR - Named Pipe
- .br
--\fI\-l\fR \- Symbolic Link \fI\-s\fR \- Socket
-+\fI\-l\fR - Symbolic Link \fI\-s\fR - Socket
- .br
--\fI\-\-\fR \- Ordinary file
-+\fI\-\-\fR - Ordinary file
- .RE
- .RE
- .I context
-@@ -155,12 +158,11 @@ Example:
- .br
- /.* system_u:object_r:default_t:s0
- .br
--/[^/]+ -- system_u:object_r:etc_runtime_t:s0
-+/[^/]+ \-\- system_u:object_r:etc_runtime_t:s0
- .br
- /tmp/.* <>
- .RE
- .sp
--
- .SH "Substitution File Format"
- .sp
- Each line within the substitution files (\fI.subs\fR and \fI.subs_dist\fR) has the form:
-@@ -190,14 +192,15 @@ Example:
- .br
- /myspool /var/spool/mail
- .sp
--Using the above example, when \fBselabel_lookup\fR is passed a path of \fI/myweb/index.html\fR the function will substitute the \fI/myweb\fR component with \fI/var/www\fR, therefore the path used is:
-+Using the above example, when \fBselabel_lookup\fR(3) is passed a path of
-+\fI/myweb/index.html\fR the function will substitute the \fI/myweb\fR
-+component with \fI/var/www\fR, therefore the path used is:
- .sp
- .RS
- .I /var/www/index.html
- .RE
- .RE
--.sp
--
-+.
- .SH "NOTES"
- .IP "1." 4
- If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If this is not set, then it is possible for an invalid context to be returned.
-@@ -208,6 +211,8 @@ requested validates the entries. If possible use the \fBSELABEL_OPT_SUBSET\fR op
- Depending on the version of SELinux it is possible that a \fIfile_contexts.template\fR file may also be present, however this is now deprecated.
- .br
- The template file has the same format as the \fIfile_contexts\fR file and may also contain the keywords \fBHOME_ROOT\fR, \fBHOME_DIR\fR, \fBROLE\fR and \fBUSER\fR. This functionality has now been moved to the policy store and managed by \fBsemodule\fR(8) and \fBgenhomedircon\fR(8).
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " selinux_file_context_path "(3), " freecon "(3), " selinux_config "(5), " lstat "(2), "selinux_file_context_subs_path "(3), " selinux_file_context_subs_dist_path "(3), " selinux_file_context_homedir_path "(3), "selinux_file_context_local_path "(3), " semodule "(8), " genhomedircon "(8) "
-diff --git a/libselinux/man/man5/selabel_media.5 b/libselinux/man/man5/selabel_media.5
-index 0df1961..398f0fc 100644
---- a/libselinux/man/man5/selabel_media.5
-+++ b/libselinux/man/man5/selabel_media.5
-@@ -3,8 +3,8 @@
- .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
- .TH "selabel_media" "5" "29 Nov 2011" "Security Enhanced Linux" "SELinux API documentation"
- .SH "NAME"
--selabel_media \- userspace SELinux labeling interface and configuration file format for the media contexts backend.
--
-+selabel_media \- userspace SELinux labeling interface and configuration file format for the media contexts backend
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
-@@ -20,7 +20,7 @@ selabel_media \- userspace SELinux labeling interface and configuration file for
- .BI "security_context_t *" context ,
- .br
- .BI "const char *" device_name ", int " unused ");"
--
-+.
- .SH "DESCRIPTION"
- The media contexts backend maps from media device names such as "cdrom" or "floppy" into security contexts. It is used to find the appropriate context for establishing context mounts on these devices. The returned \fIcontext\fR must be freed using \fBfreecon\fR(3).
- .br
-@@ -28,19 +28,21 @@ The media contexts backend maps from media device names such as "cdrom" or "flop
- .sp
- The integer lookup argument is currently unused and should be set to zero.
- .sp
--Any messages generated by \fBselabel_lookup\fR are sent to \fIstderr\fR by default, although this can be changed by \fBselinux_set_callback\fR(3).
-+Any messages generated by \fBselabel_lookup\fR(3) are sent to \fIstderr\fR
-+by default, although this can be changed by \fBselinux_set_callback\fR(3).
- .sp
--.B selabel_lookup_raw
--behaves identically to \fBselabel_lookup\fR but does not perform context translation.
-+.BR selabel_lookup_raw (3)
-+behaves identically to \fBselabel_lookup\fR(3) but does not perform context
-+translation.
- .sp
- The \fBFILES\fR section details the configuration files used to determine the media context.
--
-+.
- .SH "OPTIONS"
- In addition to the global options described in \fBselabel_open\fR(3), this backend recognizes the following options:
- .TP
- .B SELABEL_OPT_PATH
- A non-null value for this option specifies a path to a file that will be opened in lieu of the standard \fImedia\fR contexts file.
--
-+.
- .SH "FILES"
- The media context file used to retrieve a default context depends on the \fBSELABEL_OPT_PATH\fR parameter passed to \fBselabel_open\FR(3). If \fINULL\fR, then the \fBSELABEL_OPT_PATH\fR value will default to the active policy media contexts location (as returned by \fBselinux_media_context_path\fR(3)), otherwise the actual \fBSELABEL_OPT_PATH\fR value specified is used.
- .sp
-@@ -52,7 +54,7 @@ The default media contexts file is:
- Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
- .sp
- Should there not be a valid entry in the \fImedia\fR file, then the default \fIremovable_context\fR file will be read (see \fBremovable_context\fR(5)).
--
-+.
- .SH "FILE FORMAT"
- Each line within the \fImedia\fR file is as follows:
- .RS
-@@ -80,10 +82,12 @@ cdrom system_u:object_r:removable_device_t
- floppy system_u:object_r:removable_device_t
- .br
- disk system_u:object_r:fixed_disk_device_t
--
-+.
- .SH "NOTES"
- If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If
- this is not set, then it is possible for an invalid context to be returned.
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " selinux_media_context_path "(3), " freecon "(3), " selinux_config "(5), " removable_context "(5) "
-diff --git a/libselinux/man/man5/selabel_x.5 b/libselinux/man/man5/selabel_x.5
-index 60bf3f2..5a38a8d 100644
---- a/libselinux/man/man5/selabel_x.5
-+++ b/libselinux/man/man5/selabel_x.5
-@@ -2,10 +2,9 @@
- .\"
- .\" Author: Eamon Walsh (ewalsh@tycho.nsa.gov) 2007
- .TH "selabel_x" "5" "29 Nov 2011" "Security Enhanced Linux" "SELinux API documentation"
--
- .SH "NAME"
--selabel_x \- userspace SELinux labeling interface and configuration file format for the X Window System contexts backend. This backend is also used to determine the default context for labeling remotely connected X clients.
--
-+selabel_x \- userspace SELinux labeling interface and configuration file format for the X Window System contexts backend. This backend is also used to determine the default context for labeling remotely connected X clients
-+.
- .SH "SYNOPSIS"
- .B #include
- .sp
-@@ -21,7 +20,7 @@ selabel_x \- userspace SELinux labeling interface and configuration file format
- .BI "security_context_t *" context ,
- .br
- .BI "const char *" object_name ", int " object_type ");"
--
-+.
- .SH "DESCRIPTION"
- The X contexts backend maps from X Window System object names into security contexts. It is used to find the appropriate context for X Window System objects whose significance and/or usage semantics are determined primarily by name. The returned \fIcontext\fR must be freed using \fBfreecon\fR(3).
- .br
-@@ -74,7 +73,7 @@ Any messages generated by \fBselabel_lookup\fR(3) are sent to \fIstderr\fR by de
- behaves identically to \fBselabel_lookup\fR but does not perform context translation.
- .sp
- The \fBFILES\fR section details the configuration files used to determine the X object context.
--
-+.
- .SH "OPTIONS"
- In addition to the global options described in \fBselabel_open\fR(3), this backend recognizes the following options:
- .RS
-@@ -82,7 +81,7 @@ In addition to the global options described in \fBselabel_open\fR(3), this backe
- .B SELABEL_OPT_PATH
- A non-null value for this option specifies a path to a file that will be opened in lieu of the standard X contexts file (see the \fBFILES\fR section for details).
- .RE
--
-+.
- .SH "FILES"
- The X context file used to retrieve a default context depends on the \fBSELABEL_OPT_PATH\fR parameter passed to \fBselabel_open\fR(3). If \fINULL\fR, then the \fBSELABEL_OPT_PATH\fR value will default to the active policy X contexts location (as returned by \fBselinux_x_context_path\fR(3)), otherwise the actual \fBSELABEL_OPT_PATH\fR value specified is used.
- .sp
-@@ -94,7 +93,7 @@ The default X object contexts file is:
- Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
- .sp
- The entries within the X contexts file are shown in the \fBObject Name String Values\fR and \fBFILE FORMAT\fR sections.
--
-+.
- .SH "Object Name String Values"
- The string name assigned to each \fIobject_type\fR argument that can be present in the X contexts file are:
- .TS
-@@ -110,7 +109,7 @@ SELABEL_X_CLIENT@client
- SELABEL_X_POLYPROP@poly_property
- SELABEL_X_POLYSELN@poly_selection
- .TE
--
-+.
- .SH "FILE FORMAT"
- Each line within the X contexts file is as follows:
- .RS
-@@ -126,7 +125,10 @@ There can be multiple lines with the same \fIobject_type\fR string that will for
- .RE
- .I object_name
- .RS
--These are the object names of the specific X-server resource such as \fBPRIMARY\fR, \fBCUT_BUFFER0\fR etc. They are generally defined in the X\-server source code (\fIprotocol.txt\fR and \fIBuiltInAtoms\fR in the dix directory of the xorg\-server source package).
-+These are the object names of the specific X-server resource such as
-+\fBPRIMARY\fR, \fBCUT_BUFFER0\fR etc. They are generally defined in the
-+X-server source code (\fIprotocol.txt\fR and \fIBuiltInAtoms\fR in the
-+dix directory of the xorg\-server source package).
- The entry can contain '*' for wildcard matching or '?' for substitution.
- Note that if the '*' is used, then be aware that the order of entries in the file is important. The '*' on its own is used to ensure a default fallback context is assigned and should be the last entry in the \fIobject_type\fR block.
- .RE
-@@ -138,23 +140,27 @@ The security context that will be applied to the object.
- .sp
- Example 1:
- .sp
-+.nf
- # object_type object_name context
--.br
- selection PRIMARY system_u:object_r:clipboard_xselection_t:s0
--.br
- selection * system_u:object_r:xselection_t:s0
-+.fi
- .sp
--Example 2 \- This example shows how a client entry can be configured to ensure an entry is always found:
-+Example 2 - This example shows how a client entry can be configured to
-+ensure an entry is always found:
- .sp
-+.nf
- # object_type object_name context
--.br
- client * system_u:object_r:remote_t:s0
--
-+.fi
-+.
- .SH "NOTES"
- .IP "1." 4
- Properties and selections are marked as either polyinstantiated or not. For these name types, the "POLY" option searches only the names marked as being polyinstantiated, while the other option searches only the names marked as not being polyinstantiated. Users of the interface should check both mappings, optionally taking action based on the result (e.g. polyinstantiating the object).
- .IP "2." 4
- If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If this is not set, then it is possible for an invalid context to be returned.
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " selabel_open "(3), " selabel_lookup "(3), " selabel_stats "(3), " selabel_close "(3), " selinux_set_callback "(3), " selinux_x_context_path "(3), " freecon "(3), " selinux_config "(5) "
-diff --git a/libselinux/man/man5/service_seusers.5 b/libselinux/man/man5/service_seusers.5
-index 59a135a..385a326 100644
---- a/libselinux/man/man5/service_seusers.5
-+++ b/libselinux/man/man5/service_seusers.5
-@@ -1,8 +1,7 @@
- .TH "service_seusers" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
--
- .SH "NAME"
--service_seusers \- The SELinux GNU/Linux user and service to SELinux user mapping configuration files.
--
-+service_seusers \- The SELinux GNU/Linux user and service to SELinux user mapping configuration files
-+.
- .SH "DESCRIPTION"
- These are optional files that allow services to define an SELinux user when authenticating via SELinux-aware login applications such as
- .BR PAM "(8). "
-@@ -20,7 +19,7 @@ appended (where \fIusername\fR is a file representing the GNU/Linux user name).
- Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
- .sp
- .BR getseuser "(3) reads this file to map services to an SELinux user. "
--
-+.
- .SH "FILE FORMAT"
- Each line within the \fIusername\fR file is formatted as follows with each component separated by a colon:
- .RS
-@@ -42,9 +41,9 @@ The SELinux user name.
- The range for MCS/MLS policies.
- .RE
- .RE
--
-+.
- .SH "EXAMPLES"
--Example 1 \- for the 'root' user:
-+Example 1 - for the 'root' user:
- .RS
- # ./logins/root
- .br
-@@ -53,7 +52,7 @@ ipa:user_u:s0
- this_service:unconfined_u:s0
- .RE
- .sp
--Example 2 \- for GNU/Linux user 'rch':
-+Example 2 - for GNU/Linux user 'rch':
- .RS
- # ./logins/rch
- .br
-@@ -61,6 +60,8 @@ ipa:unconfined_u:s0
- .br
- that_service:unconfined_u:s0
- .RE
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " PAM "(8), " selinux_policy_root "(3), " getseuser "(3), " selinux_config "(5) "
-diff --git a/libselinux/man/man5/seusers.5 b/libselinux/man/man5/seusers.5
-index 8c99ee8..2512560 100644
---- a/libselinux/man/man5/seusers.5
-+++ b/libselinux/man/man5/seusers.5
-@@ -1,8 +1,7 @@
- .TH "seusers" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
--
- .SH "NAME"
--seusers \- The SELinux GNU/Linux user to SELinux user mapping configuration file.
--
-+seusers \- The SELinux GNU/Linux user to SELinux user mapping configuration file
-+.
- .SH "DESCRIPTION"
- The
- .I seusers
-@@ -17,7 +16,7 @@ will return the active policy path to this file. The default SELinux users mappi
- Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
- .sp
- .BR getseuserbyname "(3) reads this file to map a GNU/Linux user or group to an SELinux user. "
--
-+.
- .SH "FILE FORMAT"
- Each line of the
- .I seusers
-@@ -44,19 +43,21 @@ The SELinux user identity.
- The optional level or range for an MLS/MCS policy.
- .RE
- .RE
--
-+.
- .SH "EXAMPLE"
- # ./seusers
- .br
- system_u:system_u:s0\-s15:c0.c255
- .br
--root:root:s0-s15:c0.c255
-+root:root:s0\-s15:c0.c255
- .br
- fred:user_u:s0
- .br
- __default__:user_u:s0
- .br
- %user_group:user_u:s0
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " PAM "(8), " selinux_usersconf_path "(3), " getseuserbyname "(3), " selinux_config "(5) "
-diff --git a/libselinux/man/man5/user_contexts.5 b/libselinux/man/man5/user_contexts.5
-index 2b3df7a..fc53d6c 100644
---- a/libselinux/man/man5/user_contexts.5
-+++ b/libselinux/man/man5/user_contexts.5
-@@ -1,8 +1,7 @@
- .TH "user_contexts" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
--
- .SH "NAME"
--user_contexts \- The SELinux user contexts configuration files.
--
-+user_contexts \- The SELinux user contexts configuration files
-+.
- .SH "DESCRIPTION"
- These optional user context configuration files contain entries that allow SELinux-aware login applications such as
- .BR PAM (8)
-@@ -28,7 +27,7 @@ SELinux-aware login applications generally use one or more of the following libs
- .RE
- .sp
- There can be one file for each SELinux user configured on the system. The file path is formed using the path returned by
--.BR selinux_user_contexts_path (3)
-+.BR \%selinux_user_contexts_path (3)
- for the active policy, with the SELinux user name appended, for example:
- .RS
- .I /etc/selinux/{SELINUXTYPE}/contexts/users/unconfined_u
-@@ -41,7 +40,7 @@ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIco
- These files contain context information as described in the
- .B FILE FORMAT
- section.
--
-+.
- .SH "FILE FORMAT"
- Each line in the user context configuration file consists of the following:
- .RS
-@@ -59,7 +58,7 @@ This consists of a \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entry that represents
- This consists of a \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entry that represents the user login process context.
- .RE
- .RE
--
-+.
- .SH "EXAMPLE"
- # Example for xguest_u at /etc/selinux/targeted/contexts/users/xguest_u
- .br
-@@ -76,6 +75,8 @@ system_r:sshd_t:s0 xguest_r:xguest_t:s0
- system_r:xdm_t:s0 xguest_r:xguest_t:s0
- .br
- xguest_r:xguest_t:s0 xguest_r:xguest_t:s0
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " selinux_user_contexts_path "(3), " PAM "(8), " get_ordered_context_list "(3), " get_ordered_context_list_with_level "(3), " get_default_context_with_level "(3), " get_default_context_with_role "(3), " get_default_context_with_rolelevel "(3), " query_user_context "(3), " manual_user_enter_context "(3), " selinux_config "(5) "
-diff --git a/libselinux/man/man5/virtual_domain_context.5 b/libselinux/man/man5/virtual_domain_context.5
-index 6048f98..2f555a0 100644
---- a/libselinux/man/man5/virtual_domain_context.5
-+++ b/libselinux/man/man5/virtual_domain_context.5
-@@ -1,8 +1,7 @@
- .TH "virtual_domain_context" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
--
- .SH "NAME"
--virtual_domain_context \- The SELinux virtual machine domain context configuration file.
--
-+virtual_domain_context \- The SELinux virtual machine domain context configuration file
-+.
- .SH "DESCRIPTION"
- The
- .I virtual_domain_context
-@@ -15,7 +14,7 @@ will return the active policy path to this file. The default virtual domain cont
- .RE
- .sp
- Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
--
-+.
- .SH "FILE FORMAT"
- Each line in the file consists of an entry as follows:
- .RS
-@@ -29,11 +28,13 @@ Where:
- A user, role, type and optional range (for MCS/MLS) separated by colons (:) that can be used as a virtual domain context.
- .RE
- .RE
--
-+.
- .SH "EXAMPLE"
- # ./contexts/virtual_domain_context
- .br
- system_u:object_r:svirt_t:s0
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " libvirtd "(8), " selinux_virtual_domain_context_path "(3), " selinux_config "(5) "
-diff --git a/libselinux/man/man5/virtual_image_context.5 b/libselinux/man/man5/virtual_image_context.5
-index 4e9809b..04cbd79 100644
---- a/libselinux/man/man5/virtual_image_context.5
-+++ b/libselinux/man/man5/virtual_image_context.5
-@@ -1,8 +1,7 @@
- .TH "virtual_image_context" "5" "28-Nov-2011" "Security Enhanced Linux" "SELinux configuration"
--
- .SH "NAME"
--virtual_image_context \- The SELinux virtual machine image context configuration file.
--
-+virtual_image_context \- The SELinux virtual machine image context configuration file
-+.
- .SH "DESCRIPTION"
- The
- .I virtual_image_context
-@@ -15,7 +14,7 @@ will return the active policy path to this file. The default virtual image conte
- .RE
- .sp
- Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIconfig\fR (see \fBselinux_config\fR(5)).
--
-+.
- .SH "FILE FORMAT"
- Each line in the file consists of an entry as follows:
- .RS
-@@ -29,13 +28,15 @@ Where:
- A user, role, type and optional range (for MCS/MLS) separated by colons (:) that can be used as a virtual image context.
- .RE
- .RE
--
-+.
- .SH "EXAMPLE"
- # ./contexts/virtual_image_context
- .br
- system_u:object_r:svirt_image_t:s0
- .br
- system_u:object_r:svirt_content_t:s0
--
-+.
- .SH "SEE ALSO"
-+.ad l
-+.nh
- .BR selinux "(8), " libvirtd "(8), " selinux_virtual_image_context_path "(3), " selinux_config "(5) "
-diff --git a/libselinux/man/man8/avcstat.8 b/libselinux/man/man8/avcstat.8
-index 1035331..6251591 100644
---- a/libselinux/man/man8/avcstat.8
-+++ b/libselinux/man/man8/avcstat.8
-@@ -1,31 +1,35 @@
- .TH "avcstat" "8" "18 Nov 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
- .SH "NAME"
- avcstat \- Display SELinux AVC statistics
--
-+.
- .SH "SYNOPSIS"
- .B avcstat
--.I [-c] [-f status_file] [interval]
--
-+.RB [ \-c ]
-+.RB [ \-f
-+.IR status_file ]
-+.RI [ interval ]
-+.
- .SH "DESCRIPTION"
--.B avcstat
--
--Display SELinux AVC statistics. If the interval parameter is specified, the
--program will loop, displaying updated statistics every 'interval' seconds.
-+Display SELinux AVC statistics. If the
-+.I interval
-+parameter is specified, the program will loop, displaying updated
-+statistics every
-+.I interval
-+seconds.
- Relative values are displayed by default.
--
-+.
- .SH OPTIONS
- .TP
- .B \-c
- Display the cumulative values.
--
- .TP
- .B \-f
--Specifies the location of the AVC statistics file, defaulting to '/selinux/avc/cache_stats'.
--
--.SH "SEE ALSO"
--selinux(8)
--
-+Specifies the location of the AVC statistics file, defaulting to
-+.IR /selinux/avc/cache_stats .
-+.
- .SH AUTHOR
- This manual page was written by Dan Walsh .
- The program was written by James Morris .
--
-+.
-+.SH "SEE ALSO"
-+.BR selinux (8)
-diff --git a/libselinux/man/man8/booleans.8 b/libselinux/man/man8/booleans.8
-index 89c7654..9c4dbc3 100644
---- a/libselinux/man/man8/booleans.8
-+++ b/libselinux/man/man8/booleans.8
-@@ -1,11 +1,10 @@
- .TH "booleans" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
- .SH "NAME"
--booleans \- Policy booleans enable runtime customization of SELinux policy.
--
-+booleans \- Policy booleans enable runtime customization of SELinux policy
-+.
- .SH "DESCRIPTION"
- This manual page describes SELinux policy booleans.
- .BR
--
- The SELinux policy can include conditional rules that are enabled or
- disabled based on the current values of a set of policy booleans.
- These policy booleans allow runtime modification of the security
-@@ -18,32 +17,42 @@ value.
- 
- The policy defines a default value for each boolean, typically false.
- These default values can be overridden via local settings created via the
--.B setsebool(8)
--utility, using -P to make the setting persistent across reboots.
--The
--.B system-config-securitylevel
-+.BR setsebool (8)
-+utility, using
-+.B \-P
-+to make the setting persistent across reboots. The
-+.B system\-config\-securitylevel
- tool provides a graphical interface for altering
- the settings. The
--.B load_policy(8)
-+.BR load_policy (8)
- program will preserve
- current boolean settings upon a policy reload by default, or can
--optionally reset booleans to the boot-time defaults via the -b option.
-+optionally reset booleans to the boot-time defaults via the
-+.B \-b
-+option.
- 
- Boolean values can be listed by using the
--.B getsebool(8)
--utility and passing it the -a option.
-+.BR getsebool (8)
-+utility and passing it the
-+.B \-a
-+option.
- 
- Boolean values can also be changed at runtime via the
--.B setsebool(8)
-+.BR setsebool (8)
- utility or the
--.B togglesebool
-+.BR togglesebool (8)
- utility. By default, these utilities only change the
- current boolean value and do not affect the persistent settings,
--unless the -P option is used to setsebool.
--
-+unless the
-+.B \-P
-+option is used to setsebool.
-+.
- .SH AUTHOR
- This manual page was written by Dan Walsh .
- The SELinux conditional policy support was developed by Tresys Technology.
--
-+.
- .SH "SEE ALSO"
--getsebool(8), setsebool(8), selinux(8), togglesebool(8)
-+.BR getsebool (8),
-+.BR setsebool (8),
-+.BR selinux (8),
-+.BR togglesebool (8)
-diff --git a/libselinux/man/man8/getenforce.8 b/libselinux/man/man8/getenforce.8
-index 8dc63c8..906279f 100644
---- a/libselinux/man/man8/getenforce.8
-+++ b/libselinux/man/man8/getenforce.8
-@@ -1,15 +1,18 @@
- .TH "getenforce" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
- .SH "NAME"
- getenforce \- get the current mode of SELinux
-+.
- .SH "SYNOPSIS"
- .B getenforce
--
-+.
- .SH "DESCRIPTION"
- .B getenforce
- reports whether SELinux is enforcing, permissive, or disabled.
--
-+.
- .SH AUTHOR
- Dan Walsh,
--
-+.
- .SH "SEE ALSO"
--selinux(8), setenforce(8), selinuxenabled(8)
-+.BR selinux (8),
-+.BR setenforce (8),
-+.BR selinuxenabled (8)
-diff --git a/libselinux/man/man8/getsebool.8 b/libselinux/man/man8/getsebool.8
-index a4200ee..6353a2a 100644
---- a/libselinux/man/man8/getsebool.8
-+++ b/libselinux/man/man8/getsebool.8
-@@ -1,11 +1,12 @@
- .TH "getsebool" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
- .SH "NAME"
- getsebool \- get SELinux boolean value(s)
--
-+.
- .SH "SYNOPSIS"
- .B getsebool
--.I "[-a] [boolean]"
--
-+.RB [ \-a ]
-+.RI [ boolean ]
-+.
- .SH "DESCRIPTION"
- .B getsebool
- reports where a particular SELinux boolean or
-@@ -20,16 +21,17 @@ value is changed, then the booleans are committed, causing their
- active values to become their pending values. This allows a group of
- booleans to be changed in a single transaction, by setting all of
- their pending values as desired and then committing once.
--
-+.
- .SH OPTIONS
- .TP
- .B \-a
- Show all SELinux booleans.
--
--.SH "SEE ALSO"
--selinux(8), setsebool(8), booleans(8)
--
-+.
- .SH AUTHOR
- This manual page was written by Dan Walsh .
- The program was written by Tresys Technology.
--
-+.
-+.SH "SEE ALSO"
-+.BR selinux (8),
-+.BR setsebool (8),
-+.BR booleans (8)
++.so man3/selinux_policy_root.3
 diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
-index 26ce74c..368991f 100644
+index 368991f..5d60789 100644
 --- a/libselinux/man/man8/matchpathcon.8
+++ b/libselinux/man/man8/matchpathcon.8 -@@ -1,41 +1,57 @@ - .TH "matchpathcon" "8" "21 April 2005" "dwalsh@redhat.com" "SELinux Command Line documentation" - .SH "NAME" --matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration. -- -+matchpathcon \- get the default SELinux security context for the specified path from the file contexts configuration -+. - .SH "SYNOPSIS" --.B matchpathcon [-V] [-N] [-n] [-m type] [-f file_contexts_file ] [-p prefix ] filepath... --.SH "DESCRIPTION" - .B matchpathcon -+.RB [ \-V ] -+.RB [ \-N ] -+.RB [ \-n ] -+.RB [ \-m -+.IR type ] -+.RB [ \-f -+.IR file_contexts_file ] -+.RB [ \-p -+.IR prefix ] -+.I filepath... -+. -+.SH "DESCRIPTION" -+.BR matchpathcon - queries the system policy and outputs the default security context associated with the filepath. - --Note: Identical paths can have different security contexts, depending on the file type. (regular file, directory, link file, char file ...) -+.B Note: -+Identical paths can have different security contexts, depending on the file -+type (regular file, directory, link file, char file ...). - - .B matchpathcon - will also take the file type into consideration in determining the default security context if the file exists. If the file does not exist, no file type matching will occur. -- -+. - .SH OPTIONS --.B \-m type -+.TP -+.BI \-m " type" - Force file type for the lookup. --Valid types are file, dir, pipe, chr_file, blk_file, lnk_file, sock_file -- -+Valid types are -+.BR file ", " dir ", "pipe ", " chr_file ", " blk_file ", " -+.BR lnk_file ", " sock_file . -+.TP - .B \-n - Do not display path. -- -+.TP - .B \-N - Do not use translations. 
-- --.B \-f file_context_file -+.TP -+.BI \-f " file_context_file" - Use alternate file_context file -- --.B \-p prefix -+.TP -+.BI \-p " prefix" +@@ -13,6 +13,8 @@ matchpathcon \- get the default SELinux security context for the specified path + .IR file_contexts_file ] + .RB [ \-p + .IR prefix ] ++.RB [ \-P ++.IR policy_root_path ] + .I filepath... + . + .SH "DESCRIPTION" +@@ -46,6 +48,9 @@ Use alternate file_context file + .BI \-p " prefix" Use prefix to speed translations -- + .TP ++.BI \-P " policy_root_path" ++Use alternate policy root path +.TP .B \-V Verify file context on disk matches defaults -- -+. - .SH AUTHOR - This manual page was written by Dan Walsh . -- -+. - .SH "SEE ALSO" - .BR selinux "(8), " --.BR matchpathcon "(3), " -+.BR matchpathcon (3) + . diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 -index 9f16f77..a328866 100644 +index a328866..50868e4 100644 --- a/libselinux/man/man8/selinux.8 
+++ b/libselinux/man/man8/selinux.8 -@@ -1,10 +1,8 @@ - .TH "selinux" "8" "29 Apr 2005" "dwalsh@redhat.com" "SELinux Command Line documentation" -- - .SH "NAME" - SELinux \- NSA Security-Enhanced Linux (SELinux) -- -+. - .SH "DESCRIPTION" -- - NSA Security-Enhanced Linux (SELinux) is an implementation of a - flexible mandatory access control architecture in the Linux operating - system. The SELinux architecture provides general support for the -@@ -52,31 +50,58 @@ policies will be created (Multi-Level Security for example). You can +@@ -37,20 +37,22 @@ The + configuration file also controls what policy + is active on the system. SELinux allows for multiple policies to be + installed on the system, but only one policy may be active at any +-given time. At present, two kinds of SELinux policy exist: targeted +-and strict. The targeted policy is designed as a policy where most +-processes operate without restrictions, and only specific services are ++given time. At present, multiple kinds of SELinux policy exist: targeted, ++mls for example. The targeted policy is designed as a policy where most ++user processes operate without restrictions, and only specific services are + placed into distinct security domains that are confined by the policy. + For example, the user would run in a completely unconfined domain + while the named daemon or apache daemon would run in a specific domain +-tailored to its operation. The strict policy is designed as a policy +-where all processes are partitioned into fine-grained security domains +-and confined by policy. It is anticipated in the future that other +-policies will be created (Multi-Level Security for example). You can ++tailored to its operation. The MLS (Multi-Level Security) policy is designed ++as a policy where all processes are partitioned into fine-grained security ++domains and confined by policy. 
MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data. ++ ++You can define which policy you will run by setting the .B SELINUXTYPE environment variable within --.I /etc/selinux/config. -+.IR /etc/selinux/config . + .IR /etc/selinux/config . ++You must reboot and possibly relabel if you change the policy type to have it take effect on the system. The corresponding policy configuration for each such policy must be installed in the --/etc/selinux/SELINUXTYPE/ directories. -+.I /etc/selinux/{SELINUXTYPE}/ -+directories. + .I /etc/selinux/{SELINUXTYPE}/ +@@ -58,7 +60,7 @@ directories. A given SELinux policy can be customized further based on a set of compile-time tunable options and a set of runtime policy booleans. --.B system-config-securitylevel -+.B \%system\-config\-securitylevel +-.B \%system\-config\-securitylevel ++.B \%system\-config\-selinux allows customization of these booleans and tunables. Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy. -- --.SH FILE LABELING -- -+. -+.SH "FILE LABELING" - All files, directories, devices ... have a security context/label associated with them. These context are stored in the extended attributes of the file system. - Problems with SELinux often arise from the file system being mislabeled. This can be caused by booting the machine with a non SELinux kernel. If you see an error message containing file_t, that is usually a good indicator that you have a serious problem with file system labeling. +@@ -86,11 +88,13 @@ This manual page was written by Dan Walsh . 
+ .nh + .BR booleans (8), + .BR setsebool (8), +-.BR selinuxenabled (8), ++.BR sepolicy (8), ++.BR system-config-selinux (8), + .BR togglesebool (8), + .BR restorecon (8), ++.BR fixfiles (8), + .BR setfiles (8), +-.BR semange (8), ++.BR semanage (8), + .BR sepolicy(8) --The best way to relabel the file system is to create the flag file /.autorelabel and reboot. system-config-securitylevel, also has this capability. The restorcon/fixfiles commands are also available for relabeling files. -- -+The best way to relabel the file system is to create the flag file -+.I /.autorelabel -+and reboot. -+.BR system\-config\-selinux , -+also has this capability. The -+.BR restorcon / fixfiles -+commands are also available for relabeling files. -+. - .SH AUTHOR - This manual page was written by Dan Walsh . -- -+. -+.SH FILES -+.I /etc/selinux/config -+. - .SH "SEE ALSO" --booleans(8), setsebool(8), selinuxenabled(8), togglesebool(8), restorecon(8), setfiles(8), ftpd_selinux(8), named_selinux(8), rsync_selinux(8), httpd_selinux(8), nfs_selinux(8), samba_selinux(8), kerberos_selinux(8), nis_selinux(8), ypbind_selinux(8) -+.ad l -+.nh -+.BR booleans (8), -+.BR setsebool (8), -+.BR selinuxenabled (8), -+.BR togglesebool (8), -+.BR restorecon (8), -+.BR setfiles (8), -+.BR semange (8), -+.BR sepolicy(8) - -+Every confined service on the system has a man page in the following format: -+.br - --.SH FILES --/etc/selinux/config -+.B _selinux(8) -+ -+For example, httpd has the -+.B httpd_selinux(8) -+man page. -+ -+.B man -k selinux -+ -+Will list all SELinux man pages. 
-diff --git a/libselinux/man/man8/selinuxenabled.8 b/libselinux/man/man8/selinuxenabled.8 -index b25431f..e0b5201 100644 ---- a/libselinux/man/man8/selinuxenabled.8 -+++ b/libselinux/man/man8/selinuxenabled.8 -@@ -1,16 +1,20 @@ - .TH "selinuxenabled" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" - .SH "NAME" - selinuxenabled \- tool to be used within shell scripts to determine if selinux is enabled -+. - .SH "SYNOPSIS" - .B selinuxenabled -- -+. - .SH "DESCRIPTION" --.B selinuxenabled --Indicates whether SELinux is enabled or disabled. It exits with status 0 --if SELinux is enabled and 1 if it is not enabled. -- -+Indicates whether SELinux is enabled or disabled. -+. -+.SH "EXIT STATUS" -+It exits with status 0 if SELinux is enabled and 1 if it is not enabled. -+. - .SH AUTHOR - Dan Walsh, -- -+. - .SH "SEE ALSO" --selinux(8), setenforce(8), getenforce(8) -+.BR selinux (8), -+.BR setenforce (8), -+.BR getenforce (8) -diff --git a/libselinux/man/man8/selinuxexeccon.8 b/libselinux/man/man8/selinuxexeccon.8 -index 6482d74..765cf8c 100644 ---- a/libselinux/man/man8/selinuxexeccon.8 -+++ b/libselinux/man/man8/selinuxexeccon.8 -@@ -1,24 +1,27 @@ - .TH "selinuxexeccon" "1" "14 May 2011" "dwalsh@redhat.com" "SELinux Command Line documentation" - .SH "NAME" - selinuxexeccon \- report SELinux context used for this executable -- -+. - .SH "SYNOPSIS" --.B selinuxexeccon command [ fromcon] o -- -+.B selinuxexeccon -+.I command -+.RI [ fromcon ] -+. - .SH "DESCRIPTION" - .B selinuxexeccon - reports the SELinux process context for the specified command from the specified context or the current context. -- -+. - .SH EXAMPLE -+.nf - # selinuxexeccon /usr/bin/passwd - staff_u:staff_r:passwd_t:s0-s0:c0.c1023 - --.br - # selinuxexeccon /usr/sbin/sendmail system_u:system_r:httpd_t:s0 - system_u:system_r:system_mail_t:s0 -- -+.fi -+. - .SH AUTHOR - This manual page was written by Dan Walsh . -- -+. 
- .SH "SEE ALSO" --secon(8) -+.BR secon (8) -diff --git a/libselinux/man/man8/setenforce.8 b/libselinux/man/man8/setenforce.8 -index 639883e..b038da0 100644 ---- a/libselinux/man/man8/setenforce.8 -+++ b/libselinux/man/man8/setenforce.8 -@@ -1,19 +1,31 @@ - .TH "setenforce" "1" "7 April 2004" "dwalsh@redhat.com" "SELinux Command Line documentation" - .SH "NAME" --setenforce \- modify the mode SELinux is running in. -+setenforce \- modify the mode SELinux is running in -+. - .SH "SYNOPSIS" --.B setenforce [ Enforcing | Permissive | 1 | 0 ] -- -+.B setenforce -+.RB [ Enforcing | Permissive | 1 | 0 ] -+. - .SH "DESCRIPTION" --Use Enforcing or 1 to put SELinux in enforcing mode. -+Use -+.B Enforcing -+or -+.B 1 -+to put SELinux in enforcing mode. - .br --Use Permissive or 0 to put SELinux in permissive mode. -+Use -+.B Permissive -+or -+.B 0 -+to put SELinux in permissive mode. - - If SELinux is disabled and you want to enable it, or SELinux is enabled and you want to disable it, please see --.B selinux(8). -- -+.BR selinux (8). -+. - .SH AUTHOR - Dan Walsh, -- -+. - .SH "SEE ALSO" --selinux(8), getenforce(8), selinuxenabled(8) -+.BR selinux (8), -+.BR getenforce (8), -+.BR selinuxenabled (8) -diff --git a/libselinux/man/man8/togglesebool.8 b/libselinux/man/man8/togglesebool.8 -index ae21175..948aff1 100644 ---- a/libselinux/man/man8/togglesebool.8 -+++ b/libselinux/man/man8/togglesebool.8 -@@ -1,17 +1,22 @@ - .TH "togglesebool" "1" "26 Oct 2004" "sgrubb@redhat.com" "SELinux Command Line documentation" - .SH "NAME" - togglesebool \- flip the current value of a SELinux boolean -+. - .SH "SYNOPSIS" --.B togglesebool boolean... -- -+.B togglesebool -+.I boolean... -+. - .SH "DESCRIPTION" - .B togglesebool - flips the current value of a list of booleans. If the value is currently a 1, - then it will be changed to a 0 and vice versa. Only the "in memory" values are - changed; the boot-time settings are unaffected. -- -+. 
- .SH AUTHOR - This man page was written by Steve Grubb -- -+. - .SH "SEE ALSO" --selinux(8), booleans(8), getsebool(8), setsebool(8) -+.BR selinux (8), -+.BR booleans (8), -+.BR getsebool (8), -+.BR setsebool (8) -diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile -index ac019df..c4f5d4c 100644 ---- a/libselinux/src/Makefile -+++ b/libselinux/src/Makefile -@@ -16,11 +16,11 @@ PYINC ?= $(shell pkg-config --cflags $(PYPREFIX)) - PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER) - RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")') - RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM') --RUBYINC ?= $(shell pkg-config --cflags ruby-$(RUBYLIBVER)) -+RUBYINC ?= $(shell pkg-config --cflags ruby) - RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) - LIBBASE=$(shell basename $(LIBDIR)) - --LDFLAGS ?= -lpcre -+LDFLAGS ?= -lpcre -lpthread - - VERSION = $(shell cat ../VERSION) - LIBVERSION = 1 -@@ -106,17 +106,17 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) - $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $< - - $(SWIGSO): $(SWIGLOBJ) -- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -+ $(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) -L$(LIBDIR) - - $(SWIGRUBYSO): $(SWIGRUBYLOBJ) -- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux -L$(LIBDIR) -+ $(CC) $(CFLAGS) -shared -o $@ $^ -L. -lselinux $(LDFLAGS) -L$(LIBDIR) - - $(LIBA): $(OBJS) - $(AR) rcs $@ $^ - $(RANLIB) $@ - - $(LIBSO): $(LOBJS) -- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro -+ $(CC) $(CFLAGS) -shared -o $@ $^ -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro - ln -sf $@ $(TARGET) - - $(LIBPC): $(LIBPC).in ../VERSION -@@ -129,7 +129,7 @@ $(AUDIT2WHYLOBJ): audit2why.c - $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< - - $(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) -- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. 
-lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR) -+ $(CC) $(CFLAGS) -shared -o $@ $^ -L. $(LDFLAGS) -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR) - - %.o: %.c policy.h - $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< + Every confined service on the system has a man page in the following format: diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c -index 02483a3..73c07aa 100644 +index ffe381b..560bc25 100644 --- a/libselinux/src/audit2why.c +++ b/libselinux/src/audit2why.c -@@ -164,6 +164,9 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) - - if (PyArg_ParseTuple(args,(char *)":finish")) { - int i = 0; -+ if (! avc) -+ Py_RETURN_NONE; -+ - for (i = 0; i < boolcnt; i++) { - free(boollist[i]->name); - free(boollist[i]); -@@ -177,7 +180,7 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) - avc = NULL; - boollist = NULL; - boolcnt = 0; -- -+ - /* Boilerplate to return "None" */ - Py_RETURN_NONE; - } -@@ -188,48 +191,24 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) - static int __policy_init(const char *init_path) - { - FILE *fp; -- int vers = 0; -- char path[PATH_MAX]; -+ const char *path; - char errormsg[PATH_MAX]; - struct sepol_policy_file *pf = NULL; - int rc; - unsigned int cnt; - -- if (init_path) { -- strncpy(path, init_path, PATH_MAX); -- fp = fopen(path, "r"); -- if (!fp) { -- snprintf(errormsg, sizeof(errormsg), -- "unable to open %s: %s\n", -- path, strerror(errno)); -- PyErr_SetString( PyExc_ValueError, errormsg); -- return 1; -- } -- } else { +@@ -210,27 +210,12 @@ static int __policy_init(const char *init_path) + return 1; + } + } else { - vers = sepol_policy_kern_vers_max(); - if (vers < 0) { - snprintf(errormsg, sizeof(errormsg), 
@@ -5974,50 +234,19 @@ index 02483a3..73c07aa 100644 - selinux_binary_policy_path(), vers); - fp = fopen(path, "r"); - } -- if (!fp) { -- snprintf(errormsg, sizeof(errormsg), ++ fp = fopen(selinux_current_policy_path(), "r"); + if (!fp) { + snprintf(errormsg, sizeof(errormsg), - "unable to open %s.%d: %s\n", - selinux_binary_policy_path(), - security_policyvers(), strerror(errno)); -- PyErr_SetString( PyExc_ValueError, errormsg); -- return 1; -- } -+ if (init_path) -+ path = init_path; -+ else -+ path = selinux_current_policy_path(); -+ -+ fp = fopen(path, "r"); -+ if (!fp) { -+ snprintf(errormsg, sizeof(errormsg), -+ "unable to open %s: %s\n", -+ path, strerror(errno)); -+ PyErr_SetString( PyExc_ValueError, errormsg); -+ return 1; - } - - avc = calloc(sizeof(struct avc_t), 1); -@@ -271,7 +250,7 @@ static int __policy_init(const char *init_path) - return 1; - } - -- boollist = calloc(cnt, sizeof(struct boolean_t)); -+ boollist = calloc(cnt, sizeof(*boollist)); - if (!boollist) { - PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); - return 1; -@@ -295,6 +274,10 @@ static int __policy_init(const char *init_path) - static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { - int result; - char *init_path=NULL; -+ if (avc) { -+ PyErr_SetString( PyExc_RuntimeError, "init called multiple times"); -+ return NULL; -+ } - if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path)) - return NULL; - result = __policy_init(init_path); -@@ -302,10 +285,12 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { ++ "unable to open %s: %s\n", ++ selinux_current_policy_path(), ++ strerror(errno)); + PyErr_SetString( PyExc_ValueError, errormsg); + return 1; + } +@@ -310,10 +295,12 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { } #define RETURN(X) \ 
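Review bot: The rewritten `else` branch of `__policy_init` hands the result of `selinux_current_policy_path()` straight to `fopen()` and then again to the `%s` in the `snprintf()` error message, with no NULL check; if that helper yields NULL (in libselinux it does when no policy file of a supported version is found), `fopen()` dereferences NULL and the format argument is undefined, so the Python caller gets a crash instead of the intended `ValueError`. Evaluating the helper twice is also fragile, since the path reported in the error may differ from the one actually opened. Suggested form for the branch: `const char *cur = selinux_current_policy_path();` / `if (!cur) { PyErr_SetString( PyExc_ValueError, "unable to locate current policy file\n"); return 1; }` / `fp = fopen(cur, "r");`, with `cur` used in the existing error message. `__policy_init` begins outside the hunk, so the `init_path` branch above is not visible here and may need the same treatment.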
@@ -6032,7 +261,7 @@ index 02483a3..73c07aa 100644 security_context_t scon; security_context_t tcon; char *tclassstr; -@@ -320,10 +305,6 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args +@@ -328,10 +315,6 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args struct sepol_av_decision avd; int rc; int i=0; @@ -6043,7 +272,7 @@ index 02483a3..73c07aa 100644 if (!PyArg_ParseTuple(args,(char *)"sssO!:audit2why",&scon,&tcon,&tclassstr,&PyList_Type, &listObj)) return NULL; -@@ -334,22 +315,21 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args +@@ -342,22 +325,21 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args /* should raise an error here. */ if (numlines < 0) return NULL; /* Not a list */ @@ -6073,7 +302,7 @@ index 02483a3..73c07aa 100644 /* Convert the permission list to an AV. */ av = 0; -@@ -369,21 +349,20 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args +@@ -377,21 +359,20 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args #endif perm = string_to_av_perm(tclass, permstr); @@ -6101,7 +330,7 @@ index 02483a3..73c07aa 100644 if (reason & SEPOL_COMPUTEAV_TE) { avc->ssid = ssid; avc->tsid = tsid; -@@ -396,33 +375,39 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args +@@ -404,28 +385,34 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args RETURN(TERULE) } } else { @@ -6142,14 +371,7 @@ index 02483a3..73c07aa 100644 + RETURN(CONSTRAINT) } -- if (reason & SEPOL_COMPUTEAV_RBAC) { -+ if (reason & SEPOL_COMPUTEAV_RBAC) - RETURN(RBAC) -- } -+ - RETURN(BADCOMPUTE) - } - + if (reason & SEPOL_COMPUTEAV_RBAC) diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c index 802a07f..6ff83a7 100644 --- a/libselinux/src/avc.c 
@@ -6162,50 +384,8 @@ index 802a07f..6ff83a7 100644 return rc; } -diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c -index 6d508ee..f735e73 100644 ---- a/libselinux/src/avc_internal.c -+++ b/libselinux/src/avc_internal.c -@@ -60,13 +60,12 @@ int avc_netlink_open(int blocking) - int len, rc = 0; - struct sockaddr_nl addr; - -- fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_SELINUX); -+ fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_SELINUX); - if (fd < 0) { - rc = fd; - goto out; - } - -- fcntl(fd, F_SETFD, FD_CLOEXEC); - if (!blocking && fcntl(fd, F_SETFL, O_NONBLOCK)) { - close(fd); - fd = -1; -diff --git a/libselinux/src/fgetfilecon.c b/libselinux/src/fgetfilecon.c -index c88d515..3395c9f 100644 ---- a/libselinux/src/fgetfilecon.c -+++ b/libselinux/src/fgetfilecon.c -@@ -39,7 +39,7 @@ int fgetfilecon_raw(int fd, security_context_t * context) - out: - if (ret == 0) { - /* Re-map empty attribute values to errors. */ -- errno = EOPNOTSUPP; -+ errno = ENOTSUP; - ret = -1; - } - if (ret < 0) -diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h -index 825f295..d11c8dc 100644 ---- a/libselinux/src/file_path_suffixes.h -+++ b/libselinux/src/file_path_suffixes.h -@@ -26,4 +26,4 @@ S_(BINPOLICY, "/policy/policy") - S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs") - S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist") - S_(SEPGSQL_CONTEXTS, "/contexts/sepgsql_contexts") -- S_(BOOLEAN_SUBS, "/booleans.subs") -+ S_(BOOLEAN_SUBS, "/booleans.subs_dist") diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c -index e02157c..355730a 100644 +index b9e8002..355730a 100644 --- a/libselinux/src/get_context_list.c +++ b/libselinux/src/get_context_list.c @@ -426,7 +426,7 @@ int get_ordered_context_list(const char *user, 
@@ -6226,7 +406,7 @@ index e02157c..355730a 100644 snprintf(fname, fname_len, "%s%s", user_contexts_path, user); fp = fopen(fname, "r"); if (fp) { -@@ -465,35 +465,35 @@ int get_ordered_context_list(const char *user, +@@ -465,31 +465,28 @@ int get_ordered_context_list(const char *user, } } @@ -6273,15 +453,7 @@ index e02157c..355730a 100644 } out: -- *list = reachable; -+ if (rc > 0) -+ *list = reachable; -+ else -+ freeconary(reachable); - - free(ordering); - if (freefrom) -@@ -520,14 +520,6 @@ int get_ordered_context_list(const char *user, +@@ -523,14 +520,6 @@ int get_ordered_context_list(const char *user, } rc = 1; /* one context in the list */ goto out; @@ -6296,509 +468,27 @@ index e02157c..355730a 100644 } hidden_def(get_ordered_context_list) -diff --git a/libselinux/src/getfilecon.c b/libselinux/src/getfilecon.c -index 67e4463..eb2ce8a 100644 ---- a/libselinux/src/getfilecon.c -+++ b/libselinux/src/getfilecon.c -@@ -39,7 +39,7 @@ int getfilecon_raw(const char *path, security_context_t * context) - out: - if (ret == 0) { - /* Re-map empty attribute values to errors. */ -- errno = EOPNOTSUPP; -+ errno = ENOTSUP; - ret = -1; - } - if (ret < 0) -diff --git a/libselinux/src/label_android_property.c b/libselinux/src/label_android_property.c -index 79bf923..e11ccf8 100644 ---- a/libselinux/src/label_android_property.c -+++ b/libselinux/src/label_android_property.c -@@ -153,6 +153,9 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts, - break; - } - -+ if (!path) -+ return -1; -+ - /* Open the specification file. */ - if ((fp = fopen(path, "r")) == NULL) - return -1; diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c -index 02b3cd2..5f697f3 100644 +index 5f697f3..9b0d6b0 100644 --- a/libselinux/src/label_file.c 
+++ b/libselinux/src/label_file.c -@@ -8,6 +8,7 @@ - * developed by Secure Computing Corporation. - */ - -+#include - #include - #include - #include -@@ -16,7 +17,12 @@ - #include - #include - #include -+#include - #include +@@ -649,6 +649,8 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec, + break; + } else if (rc == PCRE_ERROR_NOMATCH) + continue; + -+#include -+ -+#include - #include - #include - #include -@@ -229,6 +235,190 @@ static int process_line(struct selabel_handle *rec, - return 0; - } - -+static int load_mmap(struct selabel_handle *rec, const char *path, struct stat *stat) -+{ -+ struct saved_data *data = (struct saved_data *)rec->data; -+ char mmap_path[PATH_MAX + 1]; -+ int mmapfd; -+ int rc, i; -+ struct stat mmap_stat; -+ char *addr; -+ size_t len; -+ int stem_map_len, *stem_map; -+ struct mmap_area *mmap_area; -+ -+ uint32_t *magic; -+ uint32_t *section_len; -+ uint32_t *plen; -+ -+ rc = snprintf(mmap_path, sizeof(mmap_path), "%s.bin", path); -+ if (rc >= sizeof(mmap_path)) -+ return -1; -+ -+ mmapfd = open(mmap_path, O_RDONLY | O_CLOEXEC); -+ if (mmapfd < 0) -+ return -1; -+ -+ rc = fstat(mmapfd, &mmap_stat); -+ if (rc < 0) { -+ close(mmapfd); -+ return -1; -+ } -+ -+ /* if mmap is old, ignore it */ -+ if (mmap_stat.st_mtime < stat->st_mtime) { -+ close(mmapfd); -+ return -1; -+ } -+ -+ if (mmap_stat.st_mtime == stat->st_mtime && -+ mmap_stat.st_mtim.tv_nsec < stat->st_mtim.tv_nsec) { -+ close(mmapfd); -+ return -1; -+ } -+ -+ /* ok, read it in... 
*/ -+ len = mmap_stat.st_size; -+ len += (sysconf(_SC_PAGE_SIZE) - 1); -+ len &= ~(sysconf(_SC_PAGE_SIZE) - 1); -+ -+ mmap_area = malloc(sizeof(*mmap_area)); -+ if (!mmap_area) { -+ close(mmapfd); -+ return -1; -+ } -+ -+ addr = mmap(NULL, len, PROT_READ, MAP_PRIVATE, mmapfd, 0); -+ close(mmapfd); -+ if (addr == MAP_FAILED) { -+ free(mmap_area); -+ perror("mmap"); -+ return -1; -+ } -+ -+ /* save where we mmap'd the file to cleanup on close() */ -+ mmap_area->addr = addr; -+ mmap_area->len = len; -+ mmap_area->next = data->mmap_areas; -+ data->mmap_areas = mmap_area; -+ -+ /* check if this looks like an fcontext file */ -+ magic = (uint32_t *)addr; -+ if (*magic != SELINUX_MAGIC_COMPILED_FCONTEXT) -+ return -1; -+ addr += sizeof(uint32_t); -+ -+ /* check if this version is higher than we understand */ -+ section_len = (uint32_t *)addr; -+ if (*section_len > SELINUX_COMPILED_FCONTEXT_MAX_VERS) -+ return -1; -+ addr += sizeof(uint32_t); -+ -+ /* allocate the stems_data array */ -+ section_len = (uint32_t *)addr; -+ addr += sizeof(uint32_t); -+ -+ /* -+ * map indexed by the stem # in the mmap file and contains the stem -+ * number in the data stem_arr -+ */ -+ stem_map_len = *section_len; -+ stem_map = calloc(stem_map_len, sizeof(*stem_map)); -+ if (!stem_map) -+ return -1; -+ -+ for (i = 0; i < *section_len; i++) { -+ char *buf; -+ uint32_t stem_len; -+ int newid; -+ -+ /* the length does not inlude the nul */ -+ plen = (uint32_t *)addr; -+ addr += sizeof(uint32_t); -+ -+ stem_len = *plen; -+ buf = (char *)addr; -+ addr += (stem_len + 1); // +1 is the nul -+ -+ /* store the mapping between old and new */ -+ newid = find_stem(data, buf, stem_len); -+ if (newid < 0) { -+ newid = store_stem(data, buf, stem_len); -+ if (newid < 0) { -+ rc = newid; -+ goto err; -+ } -+ data->stem_arr[newid].from_mmap = 1; -+ } -+ stem_map[i] = newid; -+ } -+ -+ /* allocate the regex array */ -+ section_len = (uint32_t *)addr; -+ addr += sizeof(*section_len); -+ -+ for (i = 0; i < 
*section_len; i++) { -+ struct spec *spec; -+ int32_t stem_id; -+ -+ rc = grow_specs(data); -+ if (rc < 0) -+ goto err; -+ -+ spec = &data->spec_arr[data->nspec]; -+ spec->from_mmap = 1; -+ spec->regcomp = 1; -+ -+ plen = (uint32_t *)addr; -+ addr += sizeof(uint32_t); -+ rc = -1; -+ spec->lr.ctx_raw = strdup((char *)addr); -+ if (!spec->lr.ctx_raw) -+ goto err; -+ -+ addr += *plen; -+ -+ plen = (uint32_t *)addr; -+ addr += sizeof(uint32_t); -+ spec->regex_str = (char *)addr; -+ addr += *plen; -+ -+ spec->mode = *(mode_t *)addr; -+ addr += sizeof(mode_t); -+ -+ /* map the stem id from the mmap file to the data->stem_arr */ -+ stem_id = *(int32_t *)addr; -+ if (stem_id == -1 || stem_id >= stem_map_len) -+ spec->stem_id = -1; -+ else -+ spec->stem_id = stem_map[stem_id]; -+ addr += sizeof(int32_t); -+ -+ /* retrieve the hasMetaChars bit */ -+ spec->hasMetaChars = *(uint32_t *)addr; -+ addr += sizeof(uint32_t); -+ -+ plen = (uint32_t *)addr; -+ addr += sizeof(uint32_t); -+ spec->regex = (pcre *)addr; -+ addr += *plen; -+ -+ plen = (uint32_t *)addr; -+ addr += sizeof(uint32_t); -+ spec->lsd.study_data = (void *)addr; -+ spec->lsd.flags |= PCRE_EXTRA_STUDY_DATA; -+ addr += *plen; -+ -+ data->nspec++; -+ } -+ /* win */ -+ rc = 0; -+err: -+ free(stem_map); -+ -+ return rc; -+} -+ - static int process_file(const char *path, const char *suffix, struct selabel_handle *rec, const char *prefix) - { - FILE *fp; -@@ -261,6 +451,10 @@ static int process_file(const char *path, const char *suffix, struct selabel_han - return -1; - } - -+ rc = load_mmap(rec, path, &sb); -+ if (rc == 0) -+ goto out; -+ - /* - * The do detailed validation of the input and fill the spec array - */ -@@ -270,6 +464,7 @@ static int process_file(const char *path, const char *suffix, struct selabel_han - if (rc) - return rc; - } -+out: - free(line_buf); - fclose(fp); - -@@ -351,16 +546,19 @@ finish: - static void closef(struct selabel_handle *rec) - { - struct saved_data *data = (struct saved_data 
*)rec->data; -+ struct mmap_area *area, *last_area; - struct spec *spec; - struct stem *stem; - unsigned int i; - - for (i = 0; i < data->nspec; i++) { - spec = &data->spec_arr[i]; -+ free(spec->lr.ctx_trans); -+ free(spec->lr.ctx_raw); -+ if (spec->from_mmap) -+ continue; - free(spec->regex_str); - free(spec->type_str); -- free(spec->lr.ctx_raw); -- free(spec->lr.ctx_trans); - if (spec->regcomp) { - pcre_free(spec->regex); - pcre_free_study(spec->sd); -@@ -369,6 +567,8 @@ static void closef(struct selabel_handle *rec) - - for (i = 0; i < (unsigned int)data->num_stems; i++) { - stem = &data->stem_arr[i]; -+ if (stem->from_mmap) -+ continue; - free(stem->buf); - } - -@@ -376,7 +576,14 @@ static void closef(struct selabel_handle *rec) - free(data->spec_arr); - if (data->stem_arr) - free(data->stem_arr); -- -+ -+ area = data->mmap_areas; -+ while (area) { -+ munmap(area->addr, area->len); -+ last_area = area; -+ area = area->next; -+ free(last_area); -+ } - free(data); - } - -diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h -index cb5633b..bf0c9e2 100644 ---- a/libselinux/src/label_file.h -+++ b/libselinux/src/label_file.h -@@ -5,24 +5,39 @@ - - #include "label_internal.h" - -+#define SELINUX_MAGIC_COMPILED_FCONTEXT 0xf97cff8a -+#define SELINUX_COMPILED_FCONTEXT_MAX_VERS 1 -+ - /* A file security context specification. 
*/ - struct spec { - struct selabel_lookup_rec lr; /* holds contexts for lookup result */ - char *regex_str; /* regular expession string for diagnostics */ - char *type_str; /* type string for diagnostic messages */ - pcre *regex; /* compiled regular expression */ -- pcre_extra *sd; /* extra compiled stuff */ -+ union { -+ pcre_extra *sd; /* pointer to extra compiled stuff */ -+ pcre_extra lsd; /* used to hold the mmap'd version */ -+ }; - mode_t mode; /* mode format value */ - int matches; /* number of matching pathnames */ - int stem_id; /* indicates which stem-compression item */ - char hasMetaChars; /* regular expression has meta-chars */ - char regcomp; /* regex_str has been compiled to regex */ -+ char from_mmap; /* this spec is from an mmap of the data */ - }; - - /* A regular expression stem */ - struct stem { - char *buf; - int len; -+ char from_mmap; -+}; -+ -+/* Where we map the file in during selabel_open() */ -+struct mmap_area { -+ void *addr; -+ size_t len; -+ struct mmap_area *next; - }; - - /* Our stored configuration */ -@@ -41,11 +56,15 @@ struct saved_data { - struct stem *stem_arr; - int num_stems; - int alloc_stems; -+ struct mmap_area *mmap_areas; - }; - - static inline pcre_extra *get_pcre_extra(struct spec *spec) - { -- return spec->sd; -+ if (spec->from_mmap) -+ return &spec->lsd; -+ else -+ return spec->sd; - } - - static inline mode_t string_to_mode(char *mode) -diff --git a/libselinux/src/lgetfilecon.c b/libselinux/src/lgetfilecon.c -index a53f56e..58dc807 100644 ---- a/libselinux/src/lgetfilecon.c -+++ b/libselinux/src/lgetfilecon.c -@@ -39,7 +39,7 @@ int lgetfilecon_raw(const char *path, security_context_t * context) - out: - if (ret == 0) { - /* Re-map empty attribute values to errors. 
*/ -- errno = EOPNOTSUPP; -+ errno = ENOTSUP; - ret = -1; - } - if (ret < 0) -diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c -index 10e29b9..888dab5 100644 ---- a/libselinux/src/load_policy.c -+++ b/libselinux/src/load_policy.c -@@ -49,8 +49,9 @@ int load_setlocaldefs hidden = 1; - int selinux_mkload_policy(int preservebools) - { - int kernvers = security_policyvers(); -- int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION, vers; -+ int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION; - int setlocaldefs = load_setlocaldefs; -+ char *pol_path = NULL; - char path[PATH_MAX]; - struct stat sb; - struct utsname uts; -@@ -162,29 +163,24 @@ checkbool: - maxvers = max(kernvers, maxvers); - } - -- vers = maxvers; -- search: -- snprintf(path, sizeof(path), "%s.%d", -- selinux_binary_policy_path(), vers); -- fd = open(path, O_RDONLY); -- while (fd < 0 && errno == ENOENT -- && --vers >= minvers) { -- /* Check prior versions to see if old policy is available */ -- snprintf(path, sizeof(path), "%s.%d", -- selinux_binary_policy_path(), vers); -- fd = open(path, O_RDONLY); -+search: -+ pol_path = selinux_binary_policy_path_min_max(minvers, &maxvers); -+ if (!pol_path) { -+ fprintf(stderr, "SELinux: unable to find usable policy file: %s\n", -+ strerror(errno)); -+ goto dlclose; - } -+ -+ fd = open(pol_path, O_RDONLY); - if (fd < 0) { -- fprintf(stderr, -- "SELinux: Could not open policy file <= %s.%d: %s\n", -- selinux_binary_policy_path(), maxvers, strerror(errno)); -+ fprintf(stderr, "SELinux: Could not open policy file %s: %s\n", -+ pol_path, strerror(errno)); - goto dlclose; - } - - if (fstat(fd, &sb) < 0) { -- fprintf(stderr, -- "SELinux: Could not stat policy file %s: %s\n", -- path, strerror(errno)); -+ fprintf(stderr, "SELinux: Could not stat policy file %s: %s\n", -+ pol_path, strerror(errno)); - goto close; - } - -@@ -195,13 +191,12 @@ checkbool: - size = sb.st_size; - data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0); - if (map 
== MAP_FAILED) { -- fprintf(stderr, -- "SELinux: Could not map policy file %s: %s\n", -- path, strerror(errno)); -+ fprintf(stderr, "SELinux: Could not map policy file %s: %s\n", -+ pol_path, strerror(errno)); - goto close; - } - -- if (vers > kernvers && usesepol) { -+ if (maxvers > kernvers && usesepol) { - /* Need to downgrade to kernel-supported version. */ - if (policy_file_create(&pf)) - goto unmap; -@@ -220,12 +215,12 @@ checkbool: - /* Downgrade failed, keep searching. */ - fprintf(stderr, - "SELinux: Could not downgrade policy file %s, searching for an older version.\n", -- path); -+ pol_path); - policy_file_free(pf); - policydb_free(policydb); - munmap(map, sb.st_size); - close(fd); -- vers--; -+ maxvers--; - goto search; ++ errno = ENOENT; + /* else it's an error */ + goto finish; } - policy_file_free(pf); -@@ -281,7 +276,7 @@ checkbool: - if (rc) - fprintf(stderr, - "SELinux: Could not load policy file %s: %s\n", -- path, strerror(errno)); -+ pol_path, strerror(errno)); +@@ -660,6 +662,7 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec, + goto finish; + } - unmap: - if (data != map) -@@ -296,6 +291,7 @@ checkbool: - if (libsepolh) - dlclose(libsepolh); - #endif -+ free(pol_path); - return rc; - } ++ errno = 0; + ret = &spec_arr[i].lr; -diff --git a/libselinux/src/mapping.c b/libselinux/src/mapping.c -index b0264e7..f205804 100644 ---- a/libselinux/src/mapping.c -+++ b/libselinux/src/mapping.c -@@ -66,7 +66,7 @@ selinux_set_mapping(struct security_class_mapping *map) - goto err2; - - k = 0; -- while (p_in->perms && p_in->perms[k]) { -+ while (p_in->perms[k]) { - /* An empty permission string skips ahead */ - if (!*p_in->perms[k]) { - k++; + finish: diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c index 2d7369e..2a00807 100644 --- a/libselinux/src/matchpathcon.c @@ -6821,295 +511,84 @@ index 2d7369e..2a00807 100644 } 
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c -index 83381e4..6c5b45a 100644 +index 6c5b45a..0a0dd3e 100644 --- a/libselinux/src/procattr.c 
+++ b/libselinux/src/procattr.c -@@ -1,6 +1,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -8,32 +9,137 @@ - #include "selinux_internal.h" - #include "policy.h" - -+static __thread pid_t cpid; -+static __thread pid_t tid; -+static __thread security_context_t prev_current; -+static __thread security_context_t prev_exec; -+static __thread security_context_t prev_fscreate; -+static __thread security_context_t prev_keycreate; -+static __thread security_context_t prev_sockcreate; -+ -+static pthread_once_t once = PTHREAD_ONCE_INIT; -+static pthread_key_t destructor_key; -+static int destructor_key_initialized = 0; -+static __thread char destructor_initialized; -+ - static pid_t gettid(void) - { - return syscall(__NR_gettid); - } - --static int getprocattrcon_raw(security_context_t * context, -- pid_t pid, const char *attr) -+static void procattr_thread_destructor(void __attribute__((unused)) *unused) -+{ -+ free(prev_current); -+ free(prev_exec); -+ free(prev_fscreate); -+ free(prev_keycreate); -+ free(prev_sockcreate); -+} -+ -+static void free_procattr(void) -+{ -+ procattr_thread_destructor(NULL); -+ tid = 0; -+ cpid = getpid(); -+ prev_current = prev_exec = prev_fscreate = prev_keycreate = prev_sockcreate = NULL; -+} -+ -+void __attribute__((destructor)) procattr_destructor(void); -+ -+void hidden __attribute__((destructor)) procattr_destructor(void) -+{ -+ if (destructor_key_initialized) -+ __selinux_key_delete(destructor_key); -+} -+ -+static inline void init_thread_destructor(void) -+{ -+ if (destructor_initialized == 0) { -+ __selinux_setspecific(destructor_key, (void *)1); -+ destructor_initialized = 1; -+ } -+} -+ -+static void init_procattr(void) -+{ -+ if (__selinux_key_create(&destructor_key, procattr_thread_destructor) == 0) { -+ pthread_atfork(NULL, NULL, free_procattr); -+ destructor_key_initialized = 1; -+ } -+} -+ -+static int openattr(pid_t pid, const char *attr, int flags) - { -- char *path, *buf; -- size_t 
size; - int fd, rc; -- ssize_t ret; -- pid_t tid; -- int errno_hold; -+ char *path; -+ -+ if (cpid != getpid()) -+ free_procattr(); - - if (pid > 0) - rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr); - else { -- tid = gettid(); -+ if (!tid) -+ tid = gettid(); - rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr); - } - if (rc < 0) +@@ -257,6 +257,7 @@ out: + free(context); return -1; - -- fd = open(path, O_RDONLY); -+ fd = open(path, flags | O_CLOEXEC); - free(path); -+ return fd; -+} -+ -+static int getprocattrcon_raw(security_context_t * context, -+ pid_t pid, const char *attr) -+{ -+ char *buf; -+ size_t size; -+ int fd; -+ ssize_t ret; -+ int errno_hold; -+ security_context_t prev_context; -+ -+ __selinux_once(once, init_procattr); -+ init_thread_destructor(); -+ -+ if (cpid != getpid()) -+ free_procattr(); -+ -+ switch (attr[0]) { -+ case 'c': -+ prev_context = prev_current; -+ break; -+ case 'e': -+ prev_context = prev_exec; -+ break; -+ case 'f': -+ prev_context = prev_fscreate; -+ break; -+ case 'k': -+ prev_context = prev_keycreate; -+ break; -+ case 's': -+ prev_context = prev_sockcreate; -+ break; -+ case 'p': -+ prev_context = NULL; -+ break; -+ default: -+ errno = ENOENT; -+ return -1; -+ }; -+ -+ if (prev_context) { -+ *context = strdup(prev_context); -+ if (!(*context)) { -+ return -1; -+ } -+ return 0; -+ } -+ -+ fd = openattr(pid, attr, O_RDONLY); - if (fd < 0) - return -1; - -@@ -90,40 +196,70 @@ static int getprocattrcon(security_context_t * context, - static int setprocattrcon_raw(security_context_t context, - pid_t pid, const char *attr) - { -- char *path; -- int fd, rc; -- pid_t tid; -+ int fd; - ssize_t ret; - int errno_hold; -+ security_context_t *prev_context; - -- if (pid > 0) -- rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr); -- else { -- tid = gettid(); -- rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr); -- } -- if (rc < 0) -- return -1; -+ __selinux_once(once, init_procattr); -+ init_thread_destructor(); 
- -- fd = open(path, O_RDWR); -- free(path); -+ if (cpid != getpid()) -+ free_procattr(); -+ -+ switch (attr[0]) { -+ case 'c': -+ prev_context = &prev_current; -+ break; -+ case 'e': -+ prev_context = &prev_exec; -+ break; -+ case 'f': -+ prev_context = &prev_fscreate; -+ break; -+ case 'k': -+ prev_context = &prev_keycreate; -+ break; -+ case 's': -+ prev_context = &prev_sockcreate; -+ break; -+ default: -+ errno = ENOENT; -+ return -1; -+ }; -+ -+ if (!context && !*prev_context) -+ return 0; -+ if (context && *prev_context && !strcmp(context, *prev_context)) -+ return 0; -+ -+ fd = openattr(pid, attr, O_RDWR); - if (fd < 0) - return -1; -- if (context) -+ if (context) { -+ ret = -1; -+ context = strdup(context); -+ if (!context) -+ goto out; - do { - ret = write(fd, context, strlen(context) + 1); - } while (ret < 0 && errno == EINTR); -- else -+ } else { - do { - ret = write(fd, NULL, 0); /* clear */ - } while (ret < 0 && errno == EINTR); -+ } -+out: - errno_hold = errno; - close(fd); - errno = errno_hold; -- if (ret < 0) -+ if (ret < 0) { -+ free(context); - return -1; -- else -+ } else { -+ *prev_context = context; + } else { ++ free(*prev_context); + *prev_context = context; return 0; -+ } - } - - static int setprocattrcon(const security_context_t context, + } diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c -index 296f357..cb65666 100644 +index 296f357..0040524 100644 --- a/libselinux/src/selinux_config.c 
+++ b/libselinux/src/selinux_config.c -@@ -9,6 +9,7 @@ +@@ -8,6 +8,8 @@ + #include #include #include - #include "selinux_internal.h" ++#include +#include "policy.h" + #include "selinux_internal.h" #include "get_default_type_internal.h" - #define SELINUXDIR "/etc/selinux/" -@@ -296,13 +297,57 @@ const char *selinux_removable_context_path(void) +@@ -138,6 +140,13 @@ int selinux_getpolicytype(char **type) - hidden_def(selinux_removable_context_path) + hidden_def(selinux_getpolicytype) -+char *selinux_binary_policy_path_min_max(int min, int *max) ++static int setpolicytype(const char *type) +{ -+ int ret; -+ char *path = NULL; -+ -+ while(*max >= min) { -+ ret = asprintf(&path, "%s.%d", get_path(BINPOLICY), *max); -+ if (ret < 0) -+ goto err; -+ ret = access(path, R_OK); -+ if (!ret) -+ return path; -+ free(path); -+ path = NULL; -+ *max = *max - 1; -+ } -+err: -+ free(path); -+ return NULL; ++ free(selinux_policytype); ++ selinux_policytype = strdup(type); ++ return selinux_policytype ? 0 : -1; +} -+hidden_def(selinux_binary_policy_path_min_max) + - const char *selinux_binary_policy_path(void) - { - return get_path(BINPOLICY); + static char *selinux_policyroot = NULL; + static const char *selinux_rootpath = SELINUXDIR; + +@@ -261,6 +270,37 @@ const char *selinux_policy_root(void) + return selinux_policyroot; } -- + ++int selinux_set_policy_root(const char *path) ++{ ++ int i; ++ char *policy_type = strchr(selinux_policyroot, '/'); ++ if (!policy_type) { ++ errno = EINVAL; ++ return -1; ++ } ++ policy_type++; ++ ++ fini_selinuxmnt(); ++ fini_selinux_policyroot(); ++ ++ selinux_policyroot = strdup(path); ++ if (! 
selinux_policyroot) ++ return -1; ++ ++ if (setpolicytype(policy_type) != 0) ++ return -1; ++ ++ for (i = 0; i < NEL; i++) ++ if (asprintf(&file_paths[i], "%s%s", ++ selinux_policyroot, ++ file_path_suffixes_data.str + ++ file_path_suffixes_idx[i]) ++ == -1) ++ return -1; ++ ++ return 0; ++} ++ + const char *selinux_path(void) + { + return selinux_rootpath; +@@ -303,6 +343,31 @@ const char *selinux_binary_policy_path(void) + hidden_def(selinux_binary_policy_path) +const char *selinux_current_policy_path(void) @@ -7118,18 +597,20 @@ index 296f357..cb65666 100644 + int vers = 0; + static char policy_path[PATH_MAX]; + -+ snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt); -+ if (access(policy_path, F_OK) != 0 ) { -+ vers = security_policyvers(); -+ do { -+ /* Check prior versions to see if old policy is available */ -+ snprintf(policy_path, sizeof(policy_path), "%s.%d", -+ selinux_binary_policy_path(), vers); -+ } while ((rc = access(policy_path, F_OK)) && --vers > 0); -+ -+ if (rc) return NULL; ++ if (selinux_mnt) { ++ snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt); ++ if (access(policy_path, F_OK) == 0 ) { ++ return policy_path; ++ } + } -+ ++ vers = security_policyvers(); ++ do { ++ /* Check prior versions to see if old policy is available */ ++ snprintf(policy_path, sizeof(policy_path), "%s.%d", ++ selinux_binary_policy_path(), vers); ++ } while ((rc = access(policy_path, F_OK)) && --vers > 0); ++ ++ if (rc) return NULL; + return policy_path; +} + @@ -7139,583 +620,136 @@ index 296f357..cb65666 100644 { return get_path(FILE_CONTEXTS); diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h -index 2c7c85c..008aa6d 100644 +index 2c7c85c..4a4aebc 100644 --- a/libselinux/src/selinux_internal.h 
+++ b/libselinux/src/selinux_internal.h -@@ -61,7 +61,9 @@ hidden_proto(selinux_mkload_policy) +@@ -60,6 +60,7 @@ hidden_proto(selinux_mkload_policy) + hidden_proto(security_setenforce) hidden_proto(security_deny_unknown) hidden_proto(selinux_boolean_sub) - hidden_proto(selinux_binary_policy_path) -+ hidden_proto(selinux_binary_policy_path_min_max) - hidden_proto(selinux_booleans_subs_path) + hidden_proto(selinux_current_policy_path) + hidden_proto(selinux_binary_policy_path) + hidden_proto(selinux_booleans_subs_path) hidden_proto(selinux_default_context_path) - hidden_proto(selinux_securetty_types_path) - hidden_proto(selinux_failsafe_context_path) -diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c -index 10a6495..ed29dc5 100644 ---- a/libselinux/src/sestatus.c -+++ b/libselinux/src/sestatus.c -@@ -256,19 +256,23 @@ int selinux_status_open(int fallback) - { - int fd; - char path[PATH_MAX]; -+ long pagesize; +diff --git a/libselinux/src/setrans_internal.h b/libselinux/src/setrans_internal.h +index a801ee8..b3bdca2 100644 +--- a/libselinux/src/setrans_internal.h ++++ b/libselinux/src/setrans_internal.h +@@ -1,6 +1,7 @@ + /* Author: Trusted Computer Solutions, Inc. 
*/ ++#include - if (!selinux_mnt) { - errno = ENOENT; - return -1; - } +-#define SETRANS_UNIX_SOCKET "/var/run/setrans/.setrans-unix" ++#define SETRANS_UNIX_SOCKET SELINUX_TRANS_DIR "/.setrans-unix" -+ pagesize = sysconf(_SC_PAGESIZE); -+ if (pagesize < 0) -+ return -1; -+ - snprintf(path, sizeof(path), "%s/status", selinux_mnt); -- fd = open(path, O_RDONLY); -+ fd = open(path, O_RDONLY | O_CLOEXEC); - if (fd < 0) - goto error; + #define RAW_TO_TRANS_CONTEXT 2 + #define TRANS_TO_RAW_CONTEXT 3 +diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c +index dd5aaa3..9d3ff3a 100644 +--- a/libselinux/utils/matchpathcon.c ++++ b/libselinux/utils/matchpathcon.c +@@ -12,11 +12,10 @@ + #include + #include -- selinux_status = mmap(NULL, sysconf(_SC_PAGESIZE), -- PROT_READ, MAP_SHARED, fd, 0); -+ selinux_status = mmap(NULL, pagesize, PROT_READ, MAP_SHARED, fd, 0); - if (selinux_status == MAP_FAILED) { - close(fd); - goto error; -@@ -318,6 +322,8 @@ error: - */ - void selinux_status_close(void) - { -+ long pagesize; -+ - /* not opened */ - if (selinux_status == NULL) - return; -@@ -331,7 +337,10 @@ void selinux_status_close(void) - return; - } - -- munmap(selinux_status, sysconf(_SC_PAGESIZE)); -+ pagesize = sysconf(_SC_PAGESIZE); -+ /* not much we can do other than leak memory */ -+ if (pagesize > 0) -+ munmap(selinux_status, pagesize); - selinux_status = NULL; - - close(selinux_status_fd); -diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c -index 502e9db..f9065bd 100644 ---- a/libselinux/src/setrans_client.c -+++ b/libselinux/src/setrans_client.c -@@ -56,7 +56,10 @@ static int setransd_open(void) - { - fd = socket(PF_UNIX, SOCK_STREAM, 0); - if (fd >= 0) -- fcntl(fd, F_SETFD, FD_CLOEXEC); -+ if (fcntl(fd, F_SETFD, FD_CLOEXEC)) { -+ close(fd); -+ return -1; -+ } - } - if (fd < 0) - return -1; -@@ -151,9 +154,10 @@ receive_response(int fd, uint32_t function, char **outdata, int32_t * ret_val) - } - - data = 
malloc(data_size); -- if (!data) { -+ if (!data) - return -1; -- } -+ /* coveriety doesn't realize that data will be initialized in readv */ -+ memset(data, 0, data_size); - - resp_data.iov_base = data; - resp_data.iov_len = data_size; -diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c -index cfea186..09e704b 100644 ---- a/libselinux/src/seusers.c -+++ b/libselinux/src/seusers.c -@@ -141,9 +141,16 @@ static int check_group(const char *group, const char *name, const gid_t gid) { - } - - if (getgrouplist(name, gid, NULL, &ng) < 0) { -- groups = (gid_t *) malloc(sizeof (gid_t) * ng); -- if (!groups) goto done; -- if (getgrouplist(name, gid, groups, &ng) < 0) goto done; -+ if (ng == 0) -+ goto done; -+ groups = calloc(ng, sizeof(*groups)); -+ if (!groups) -+ goto done; -+ if (getgrouplist(name, gid, groups, &ng) < 0) -+ goto done; -+ } else { -+ /* WTF? ng was 0 and we didn't fail? Are we in 0 groups? */ -+ goto done; - } - - for (i = 0; i < ng; i++) { -diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c -index 176ac34..ba75ccd 100644 ---- a/libselinux/src/stringrep.c -+++ b/libselinux/src/stringrep.c -@@ -258,18 +258,21 @@ static struct discover_class_node * discover_class(const char *s) - struct stat m; - - snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name); -- if (stat(path,&m) < 0) -+ fd = open(path, O_RDONLY | O_CLOEXEC); -+ if (fd < 0) -+ goto err4; -+ -+ if (fstat(fd, &m) < 0) { -+ close(fd); - goto err4; -+ } - - if (m.st_mode & S_IFDIR) { -+ close(fd); - dentry = readdir(dir); - continue; - } - -- fd = open(path, O_RDONLY); -- if (fd < 0) -- goto err4; - - memset(buf, 0, sizeof(buf)); - ret = read(fd, buf, sizeof(buf) - 1); - close(fd); -@@ -279,6 +282,9 @@ static struct discover_class_node * discover_class(const char *s) - if (sscanf(buf, "%u", &value) != 1) - goto err4; - -+ if (value == 0 || value > NVECTORS) -+ goto err4; -+ - node->perms[value-1] = strdup(dentry->d_name); - if 
(node->perms[value-1] == NULL) - goto err4; -@@ -436,6 +442,27 @@ security_class_t string_to_security_class(const char *s) - return map_class(node->value); - } - -+security_class_t mode_to_security_class(mode_t m) { -+ -+ if (S_ISREG(m)) -+ return string_to_security_class("file"); -+ if (S_ISDIR(m)) -+ return string_to_security_class("dir"); -+ if (S_ISCHR(m)) -+ return string_to_security_class("chr_file"); -+ if (S_ISBLK(m)) -+ return string_to_security_class("blk_file"); -+ if (S_ISFIFO(m)) -+ return string_to_security_class("fifo_file"); -+ if (S_ISLNK(m)) -+ return string_to_security_class("lnk_file"); -+ if (S_ISSOCK(m)) -+ return string_to_security_class("sock_file"); -+ -+ errno=EINVAL; -+ return 0; -+} -+ - access_vector_t string_to_av_perm(security_class_t tclass, const char *s) + static void usage(const char *progname) { - struct discover_class_node *node; -diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore -index 8b9294d..060eaab 100644 ---- a/libselinux/utils/.gitignore -+++ b/libselinux/utils/.gitignore -@@ -13,6 +13,7 @@ getsebool - getseuser - matchpathcon - policyvers -+sefcontext_compile - selinux_check_securetty_context - selinuxenabled - selinuxexeccon -diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile -index 5f3e047..f469924 100644 ---- a/libselinux/utils/Makefile -+++ b/libselinux/utils/Makefile -@@ -28,6 +28,7 @@ LDLIBS += -L../src -lselinux -L$(LIBDIR) - - TARGETS=$(patsubst %.c,%,$(wildcard *.c)) - -+sefcontext_compile: LDLIBS += -lpcre - - ifeq ($(DISABLE_AVC),y) - UNUSED_TARGETS+=compute_av compute_create compute_member compute_relabel -diff --git a/libselinux/utils/avcstat.c b/libselinux/utils/avcstat.c -index 73432f2..1d4d5c8 100644 ---- a/libselinux/utils/avcstat.c -+++ b/libselinux/utils/avcstat.c -@@ -155,7 +155,7 @@ int main(int argc, char **argv) - ssize_t ret, parsed = 0; - - memset(buf, 0, DEF_BUF_SIZE); -- ret = read(fd, buf, DEF_BUF_SIZE); -+ ret = read(fd, buf, DEF_BUF_SIZE-1); - if (ret < 
0) - die("read"); + fprintf(stderr, +- "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-Vq] path...\n", ++ "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n", + progname); + exit(1); + } +@@ -78,7 +77,7 @@ int main(int argc, char **argv) + if (argc < 2) + usage(argv[0]); +- while ((opt = getopt(argc, argv, "m:Nnf:p:Vq")) > 0) { ++ while ((opt = getopt(argc, argv, "m:Nnf:P:p:Vq")) > 0) { + switch (opt) { + case 'n': + header = 0; +@@ -113,6 +112,15 @@ int main(int argc, char **argv) + exit(1); + } + break; ++ case 'P': ++ if (selinux_set_policy_root(optarg) < 0 ) { ++ fprintf(stderr, ++ "Error setting policy root %s: %s\n", ++ optarg, ++ errno ? strerror(errno) : "invalid"); ++ exit(1); ++ } ++ break; + case 'p': + if (init) { + fprintf(stderr, diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c -new file mode 100644 -index 0000000..15cc836 ---- /dev/null +index 6f79dd6..e019a07 100644 +--- a/libselinux/utils/sefcontext_compile.c 
+++ b/libselinux/utils/sefcontext_compile.c -@@ -0,0 +1,350 @@ -+#include -+#include -+#include -+#include -+#include -+#include +@@ -145,7 +145,7 @@ static int process_file(struct saved_data *data, const char *filename) + * u32 - data length of the pcre regex study daya + * char - a buffer holding the raw pcre regex study data + */ +-static int write_binary_file(struct saved_data *data, char *filename) ++static int write_binary_file(struct saved_data *data, int fd) + { + struct spec *specs = data->spec_arr; + FILE *bin_file; +@@ -155,7 +155,7 @@ static int write_binary_file(struct saved_data *data, char *filename) + uint32_t i; + int rc; + +- bin_file = fopen(filename, "w"); ++ bin_file = fdopen(fd, "w"); + if (!bin_file) { + perror("fopen output_file"); + exit(EXIT_FAILURE); +@@ -321,7 +321,9 @@ int main(int argc, char *argv[]) + const char *path; + char stack_path[PATH_MAX + 1]; + int rc; +- ++ char *tmp= NULL; ++ int fd; ++ + if (argc != 2) { + fprintf(stderr, "usage: %s input_file\n", argv[0]); + exit(EXIT_FAILURE); +@@ -342,13 +344,29 @@ int main(int argc, char *argv[]) + rc = snprintf(stack_path, sizeof(stack_path), "%s.bin", path); + if (rc < 0 || rc >= sizeof(stack_path)) + return rc; +- rc = write_binary_file(&data, stack_path); + -+#include -+ -+#include "../src/label_file.h" -+ -+static int process_file(struct saved_data *data, const char *filename) -+{ -+ struct spec *spec; -+ unsigned int line_num; -+ char *line_buf = NULL; -+ size_t line_len; -+ ssize_t len; -+ FILE *context_file; -+ -+ context_file = fopen(filename, "r"); -+ if (!context_file) { -+ fprintf(stderr, "Error opening %s: %s\n", filename, strerror(errno)); -+ return -1; -+ } -+ -+ line_num = 0; -+ while ((len = getline(&line_buf, &line_len, context_file)) != -1) { -+ char *context; -+ char *mode; -+ char *regex; -+ char *cp, *anchored_regex; -+ char *buf_p; -+ pcre *re; -+ pcre_extra *sd; -+ const char *err; -+ int items, erroff, rc; -+ size_t regex_len; -+ int32_t stem_id; -+ -+ len = 
strlen(line_buf); -+ if (line_buf[len - 1] == '\n') -+ line_buf[len - 1] = 0; -+ buf_p = line_buf; -+ while (isspace(*buf_p)) -+ buf_p++; -+ /* Skip comment lines and empty lines. */ -+ if (*buf_p == '#' || *buf_p == 0) -+ continue; -+ -+ items = sscanf(line_buf, "%ms %ms %ms", ®ex, &mode, &context); -+ if (items < 2 || items > 3) { -+ fprintf(stderr, "invalid entry, skipping:%s", line_buf); -+ continue; -+ } -+ -+ if (items == 2) { -+ context = mode; -+ mode = NULL; -+ } -+ -+ rc = grow_specs(data); -+ if (rc) { -+ fprintf(stderr, "grow_specs failed: %s\n", strerror(errno)); -+ return rc; -+ } -+ -+ spec = &data->spec_arr[data->nspec]; -+ -+ spec->lr.ctx_raw = context; -+ spec->mode = string_to_mode(mode); -+ if (spec->mode == -1) { -+ fprintf(stderr, "%s: line %d has invalid file type %s\n", -+ regex, line_num + 1, mode); -+ spec->mode = 0; -+ } -+ free(mode); -+ spec->regex_str = regex; -+ -+ stem_id = find_stem_from_spec(data, regex); -+ spec->stem_id = stem_id; -+ /* skip past the fixed stem part */ -+ if (stem_id != -1) -+ regex += data->stem_arr[stem_id].len; -+ -+ regex_len = strlen(regex); -+ cp = anchored_regex = malloc(regex_len + 3); -+ if (!cp) { -+ fprintf(stderr, "Malloc Failed: %s\n", strerror(errno)); -+ return -1; -+ } -+ *cp++ = '^'; -+ memcpy(cp, regex, regex_len); -+ cp += regex_len; -+ *cp++ = '$'; -+ *cp = '\0'; -+ -+ spec_hasMetaChars(spec); -+ -+ re = pcre_compile(anchored_regex, 0, &err, &erroff, NULL); -+ if (!re) { -+ fprintf(stderr, "PCRE compilation failed for %s at offset %d: %s\n", anchored_regex, erroff, err); -+ return -1; -+ } -+ spec->regex = re; -+ -+ sd = pcre_study(re, 0, &err); -+ if (!sd) { -+ fprintf(stderr, "PCRE study failed for %s: %s\n", anchored_regex, err); -+ return -1; -+ } -+ free(anchored_regex); -+ spec->sd = sd; -+ -+ line_num++; -+ data->nspec++; -+ } -+ -+ free(line_buf); -+ fclose(context_file); -+ -+ return 0; -+} -+ -+/* -+ * File Format -+ * -+ * u32 - magic number -+ * u32 - version -+ * u32 - number of 
stems -+ * ** Stems -+ * u32 - length of stem EXCLUDING nul -+ * char - stem char array INCLUDING nul -+ * u32 - number of regexs -+ * ** Regexes -+ * u32 - length of upcoming context INCLUDING nul -+ * char - char array of the raw context -+ * u32 - length of the upcoming regex_str -+ * char - char array of the original regex string including the stem. -+ * mode_t - mode bits -+ * s32 - stemid associated with the regex -+ * u32 - spec has meta characters -+ * u32 - data length of the pcre regex -+ * char - a bufer holding the raw pcre regex info -+ * u32 - data length of the pcre regex study daya -+ * char - a buffer holding the raw pcre regex study data -+ */ -+static int write_binary_file(struct saved_data *data, char *filename) -+{ -+ struct spec *specs = data->spec_arr; -+ FILE *bin_file; -+ size_t len; -+ uint32_t magic = SELINUX_MAGIC_COMPILED_FCONTEXT; -+ uint32_t section_len; -+ uint32_t i; -+ -+ bin_file = fopen(filename, "w"); -+ if (!bin_file) { -+ perror("fopen output_file"); -+ exit(EXIT_FAILURE); -+ } -+ -+ /* write some magic number */ -+ len = fwrite(&magic, sizeof(uint32_t), 1, bin_file); -+ if (len != 1) ++ if (asprintf(&tmp, "%sXXXXXX", stack_path) < 0) + return -1; + -+ /* write the version */ -+ section_len = SELINUX_COMPILED_FCONTEXT_MAX_VERS; -+ len = fwrite(§ion_len, sizeof(uint32_t), 1, bin_file); -+ if (len != 1) -+ return -1; ++ fd = mkstemp(tmp); ++ if (fd < 0) ++ goto err; + -+ /* write the number of stems coming */ -+ section_len = data->num_stems; -+ len = fwrite(§ion_len, sizeof(uint32_t), 1, bin_file); -+ if (len != 1) -+ return -1; ++ rc = write_binary_file(&data, fd); + -+ for (i = 0; i < section_len; i++) { -+ char *stem = data->stem_arr[i].buf; -+ uint32_t stem_len = data->stem_arr[i].len; -+ -+ /* write the strlen (aka no nul) */ -+ len = fwrite(&stem_len, sizeof(uint32_t), 1, bin_file); -+ if (len != 1) -+ return -1; -+ -+ /* include the nul in the file */ -+ stem_len += 1; -+ len = fwrite(stem, sizeof(char), stem_len, 
bin_file); -+ if (len != stem_len) -+ return -1; -+ } -+ -+ /* write the number of regexes coming */ -+ section_len = data->nspec; -+ len = fwrite(§ion_len, sizeof(uint32_t), 1, bin_file); -+ if (len != 1) -+ return -1; -+ -+ for (i = 0; i < section_len; i++) { -+ char *context = specs[i].lr.ctx_raw; -+ char *regex_str = specs[i].regex_str; -+ mode_t mode = specs[i].mode; -+ int32_t stem_id = specs[i].stem_id; -+ pcre *re = specs[i].regex; -+ pcre_extra *sd = get_pcre_extra(&specs[i]); -+ uint32_t to_write; -+ size_t size; -+ int rc; -+ -+ /* length of the context string (including nul) */ -+ to_write = strlen(context) + 1; -+ len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file); -+ if (len != 1) -+ return -1; -+ -+ /* original context strin (including nul) */ -+ len = fwrite(context, sizeof(char), to_write, bin_file); -+ if (len != to_write) -+ return -1; -+ -+ /* length of the original regex string (including nul) */ -+ to_write = strlen(regex_str) + 1; -+ len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file); -+ if (len != 1) -+ return -1; -+ -+ /* original regex string */ -+ len = fwrite(regex_str, sizeof(char), to_write, bin_file); -+ if (len != to_write) -+ return -1; -+ -+ /* binary F_MODE bits */ -+ len = fwrite(&mode, sizeof(mode), 1, bin_file); -+ if (len != 1) -+ return -1; -+ -+ /* stem for this regex (could be -1) */ -+ len = fwrite(&stem_id, sizeof(stem_id), 1, bin_file); -+ if (len != 1) -+ return -1; -+ -+ /* does this spec have a metaChar? 
*/ -+ to_write = specs[i].hasMetaChars; -+ len = fwrite(&to_write, sizeof(to_write), 1, bin_file); -+ if (len != 1) -+ return -1; -+ -+ /* determine the size of the pcre data in bytes */ -+ rc = pcre_fullinfo(re, NULL, PCRE_INFO_SIZE, &size); -+ if (rc < 0) -+ return -1; -+ -+ /* write the number of bytes in the pcre data */ -+ to_write = size; -+ len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file); -+ if (len != 1) -+ return -1; -+ -+ /* write the actual pcre data as a char array */ -+ len = fwrite(re, 1, to_write, bin_file); -+ if (len != to_write) -+ return -1; -+ -+ /* determine the size of the pcre study info */ -+ rc = pcre_fullinfo(re, sd, PCRE_INFO_STUDYSIZE, &size); -+ if (rc < 0) -+ return -1; -+ -+ /* write the number of bytes in the pcre study data */ -+ to_write = size; -+ len = fwrite(&to_write, sizeof(uint32_t), 1, bin_file); -+ if (len != 1) -+ return -1; -+ -+ /* write the actual pcre study data as a char array */ -+ len = fwrite(sd->study_data, 1, to_write, bin_file); -+ if (len != to_write) -+ return -1; -+ } -+ -+ fclose(bin_file); -+ -+ return 0; -+} -+ -+static int free_specs(struct saved_data *data) -+{ -+ struct spec *specs = data->spec_arr; -+ unsigned int num_entries = data->nspec; -+ unsigned int i; -+ -+ for (i = 0; i < num_entries; i++) { -+ free(specs[i].lr.ctx_raw); -+ free(specs[i].lr.ctx_trans); -+ free(specs[i].regex_str); -+ pcre_free(specs[i].regex); -+ pcre_free_study(specs[i].sd); -+ } -+ free(specs); -+ -+ num_entries = data->num_stems; -+ for (i = 0; i < num_entries; i++) { -+ free(data->stem_arr[i].buf); -+ } -+ free(data->stem_arr); -+ -+ memset(data, 0, sizeof(*data)); -+ return 0; -+} -+ -+int main(int argc, char *argv[]) -+{ -+ struct saved_data data; -+ const char *path; -+ char stack_path[PATH_MAX + 1]; -+ int rc; -+ -+ if (argc != 2) { -+ fprintf(stderr, "usage: %s input_file\n", argv[0]); -+ exit(EXIT_FAILURE); -+ } -+ -+ memset(&data, 0, sizeof(data)); -+ -+ path = argv[1]; -+ -+ rc = process_file(&data, path); 
-+ if (rc < 0) -+ return rc; -+ -+ rc = sort_specs(&data); -+ if (rc) -+ return rc; -+ -+ rc = snprintf(stack_path, sizeof(stack_path), "%s.bin", path); -+ if (rc < 0 || rc >= sizeof(stack_path)) -+ return rc; -+ rc = write_binary_file(&data, stack_path); -+ if (rc < 0) -+ return rc; -+ -+ rc = free_specs(&data); -+ if (rc < 0) -+ return rc; -+ -+ return 0; -+} + if (rc < 0) +- return rc; ++ goto err; + ++ rename(tmp, stack_path); + rc = free_specs(&data); + if (rc < 0) +- return rc; ++ goto err; + +- return 0; ++ rc = 0; ++out: ++ free(tmp); ++ return rc; ++err: ++ rc = -1; ++ goto out; + } diff --git a/libselinux.changes b/libselinux.changes index 5bbf7ae..361076d 100644 --- a/libselinux.changes +++ b/libselinux.changes 
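Review bot: In selinux_set_policy_root the policy type is taken from `strchr(selinux_policyroot, '/')`, i.e. from the old root and its first slash rather than from the new `path`, so for `-P /etc/selinux/mls` setpolicytype would store something like `etc/selinux/targeted`, and because `selinux_policyroot` is declared `= NULL` a few lines above, a call before anything has initialised it dereferences NULL. The pointer also keeps referring into the old root buffer across `fini_selinux_policyroot()`, which becomes a use-after-free when setpolicytype strdup()s it if that routine frees the buffer (its body is outside the hunk). Both go away with `char *policy_type = strrchr(path, '/');`. Separately, in sefcontext_compile.c (main starts outside the hunk) the file from `mkstemp()` stays at mode 0600 and the `rename(tmp, stack_path)` result is unchecked, so the renamed `.bin` is presumably unreadable to non-root users of selabel_open, and a failed rename leaves the temp file behind while the program still exits 0. An `fchmod(fd, 0644)` after mkstemp and `if (rename(tmp, stack_path) < 0) { unlink(tmp); goto err; }` would cover that.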
@@ -1,3 +1,53 @@
+-------------------------------------------------------------------
+Thu Apr 4 19:16:35 UTC 2013 - vcizek@suse.com
+
+- fixed source url in libselinux-bindings.spec
+- removed old tarball
+
+-------------------------------------------------------------------
+Wed Apr 3 10:17:21 UTC 2013 - vcizek@suse.com
+
+- fix source url
+- document changes in libselinux-rhat.patch from previous submission:
+ (most code of the removed code was integrated upstream)
+ * Add matchpathcon -P /etc/selinux/mls support by allowing users
+ to set alternate root
+ * Add new constant SETRANS_DIR which points to the directory
+ where mstransd can find the socket and libvirt can write its
+ translations files
+
+-------------------------------------------------------------------
+Fri Mar 29 15:12:50 UTC 2013 - vcizek@suse.com
+
+-update to 2.1.13
+ * audit2why: make sure path is nul terminated
+ * utils: new file context regex compiler
+ * label_file: use precompiled filecontext when possible
+ * do not leak mmapfd
+ * sefcontontext_compile: Add error handling to help debug problems in libsemanage.
+ * man: make selinux.8 mention service man pages
+ * audit2why: Fix segfault if finish() called twice
+ * audit2why: do not leak on multiple init() calls
+ * mode_to_security_class: interface to translate a mode_t in to a security class
+ * audit2why: Cleanup audit2why analysys function
+ * man: Fix program synopsis and function prototypes in man pages
+ * man: Fix man pages formatting
+ * man: Fix typo in man page
+ * man: Add references and man page links to _raw function variants
+ * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
+ * man: context_new(3): fix the return value description
+ * selinux_status_open: handle error from sysconf
+ * selinux_status_open: do not leak statusfd on exec
+ * Fix errors found by coverity
+ * Change boooleans.subs to booleans.subs_dist.
+ * optimize set*con functions
+ * pkg-config do not specifc ruby version
+ * unmap file contexts on selabel_close()
+ * do not leak file contexts with mmap'd backend
+ * sefcontext_compile: do not leak fd on error
+ * matchmediacon: do not leak fd
+ * src/label_android_property: do not leak fd on error
+
 -------------------------------------------------------------------
 Wed Jan 30 11:44:45 UTC 2013 - vcizek@suse.com
diff --git a/libselinux.spec b/libselinux.spec
index 95cfca5..c04cc2d 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -16,19 +16,19 @@
 #
-%define libsepol_ver 2.1.8
+%define libsepol_ver 2.1.9
 BuildRequires: libsepol-devel >= %{libsepol_ver}
 BuildRequires: pcre-devel
 BuildRequires: pkg-config
 Name: libselinux
-Version: 2.1.12
+Version: 2.1.13
 Release: 0
 Url: http://userspace.selinuxproject.org/
 Summary: SELinux library and simple utilities
 License: GPL-2.0 and SUSE-Public-Domain
 Group: System/Libraries
-Source: http://userspace.selinuxproject.org/releases/20120216/%{name}-%{version}.tar.gz
+Source: http://pkgs.fedoraproject.org/lookaside/pkgs/%{name}/%{name}-%{version}.tgz/44be70732a33b8e1fbe2f422e93fb8b3/%{name}-%{version}.tgz
 Source1: selinux-ready
 Source2: baselibs.conf
 Patch0: %{name}-rhat.patch
From ea8716432951a5f2583cd70136057f3742f26d33c0b0086007ea01d7b1d2bd7b Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Tue, 28 May 2013 05:40:49 +0000
Subject: [PATCH 30/42] Accepting request 176675 from security:SELinux
- Reuse implicit dependencies injected by pkgconfig
(forwarded request 176378 from jengelh)
OBS-URL: https://build.opensuse.org/request/show/176675
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=37
---
libselinux-bindings.spec | 11 ++++++-----
libselinux.changes | 5 +++++
libselinux.spec | 9 +++++----
3 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec
index fb57327..a6856cd 100644
--- a/libselinux-bindings.spec
+++ b/libselinux-bindings.spec
@@ -17,11 +17,6 @@
 %define libsepol_ver 2.1.9
-BuildRequires: libsepol-devel-static >= %{libsepol_ver}
-BuildRequires: pcre-devel
-BuildRequires: python-devel
-BuildRequires: ruby-devel
-BuildRequires: swig
 Name: libselinux-bindings
 Version: 2.1.13
@@ -30,6 +25,7 @@ Url: http://userspace.selinuxproject.org/
 Summary: SELinux library and simple utilities
 License: GPL-2.0 and SUSE-Public-Domain
 Group: System/Libraries
+
 # embedded is the MD5
 Source: http://pkgs.fedoraproject.org/lookaside/pkgs/libselinux/libselinux-%{version}.tgz/44be70732a33b8e1fbe2f422e93fb8b3/libselinux-%{version}.tgz
 Source1: selinux-ready
@@ -37,6 +33,11 @@ Source2: baselibs.conf
 Patch0: libselinux-rhat.patch
 Patch1: libselinux-ruby.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildRequires: libsepol-devel-static >= %{libsepol_ver}
+BuildRequires: pcre-devel
+BuildRequires: python-devel
+BuildRequires: ruby-devel
+BuildRequires: swig
 %description
 Security-enhanced Linux is a feature of the Linux(R) kernel and a
diff --git a/libselinux.changes b/libselinux.changes
index 361076d..ddb0803 100644
--- a/libselinux.changes
+++ b/libselinux.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed May 22 23:50:58 UTC 2013 - jengelh@inai.de
+
+- Reuse implicit dependencies injected by pkgconfig
+
 -------------------------------------------------------------------
 Thu Apr 4 19:16:35 UTC 2013 - vcizek@suse.com
diff --git a/libselinux.spec b/libselinux.spec
index c04cc2d..bf4dd81 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -17,9 +17,6 @@
 %define libsepol_ver 2.1.9
-BuildRequires: libsepol-devel >= %{libsepol_ver}
-BuildRequires: pcre-devel
-BuildRequires: pkg-config
 Name: libselinux
 Version: 2.1.13
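Review bot: The comment `# embedded is the MD5` carried as context above the Source line in the `@@ -30,6 +25,7 @@` hunk does not say what is embedded where, or what that buys the reader; one has to guess that the hex path component of the Fedora lookaside URL is the tarball's MD5. Suggest `# the hex path component of the lookaside URL is the upstream tarball's MD5; as far as this spec goes nothing verifies the download against it`. The matching libselinux.spec hunk in this commit has the same lookaside Source line and no comment at all, so the chosen wording should be applied there as well.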
@@ -28,12 +25,16 @@ Url: http://userspace.selinuxproject.org/
 Summary: SELinux library and simple utilities
 License: GPL-2.0 and SUSE-Public-Domain
 Group: System/Libraries
+
 Source: http://pkgs.fedoraproject.org/lookaside/pkgs/%{name}/%{name}-%{version}.tgz/44be70732a33b8e1fbe2f422e93fb8b3/%{name}-%{version}.tgz
 Source1: selinux-ready
 Source2: baselibs.conf
 Patch0: %{name}-rhat.patch
 Patch1: %{name}-ruby.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildRequires: libsepol-devel >= %{libsepol_ver}
+BuildRequires: pcre-devel
+BuildRequires: pkg-config
 %description
 Security-enhanced Linux is a feature of the Linux(R) kernel and a
@@ -99,7 +100,7 @@ Summary: Development Include Files and Libraries for SELinux
 Group: Development/Libraries/C and C++
 Requires: glibc-devel
 Requires: libselinux1 = %{version}
-Requires: libsepol-devel >= %{libsepol_ver}
+#Automatic dependency on libsepol-devel via pkgconfig
 %description devel
 This package contains the development files, which are
From 67ae8d716cae39c952e747f091b2e0ee56e84d89951d43f2438bbad5a25eae4a Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Tue, 2 Jul 2013 05:38:31 +0000
Subject: [PATCH 31/42] Accepting request 181589 from security:SELinux
- change the source url to the official 2.1.13 release tarball
- change the source url to the official 2.1.13 release tarball
(forwarded request 181179 from vitezslav_cizek)
OBS-URL: https://build.opensuse.org/request/show/181589
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=38
---
libselinux-2.1.13.tar.gz | 3 +++
libselinux-2.1.13.tgz | 3 ---
libselinux-bindings.changes | 5 +++++
libselinux-bindings.spec | 2 +-
libselinux.changes | 5 +++++
libselinux.spec | 2 +-
6 files changed, 15 insertions(+), 5 deletions(-)
create mode 100644 libselinux-2.1.13.tar.gz
delete mode 100644 libselinux-2.1.13.tgz
diff --git a/libselinux-2.1.13.tar.gz b/libselinux-2.1.13.tar.gz
new file mode 100644
index 0000000..2f32d86
--- /dev/null
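Review bot: Replacing `Requires: libsepol-devel >= %{libsepol_ver}` with `#Automatic dependency on libsepol-devel via pkgconfig` in the `@@ -99,7 +100,7 @@` hunk drops the explicit minimum version from the devel subpackage. The pkgconfig dependency generator only carries a version if libselinux.pc declares a versioned `Requires:` on libsepol, which is not visible here; if it does not, a `libsepol-devel` older than `%{libsepol_ver}` satisfies the generated `pkgconfig(libsepol)` dependency even though the build itself needed the newer one. Either keep the versioned Requires alongside the generated one or confirm the .pc file pins the version. A commented-out spec line is dead code, so if the automatic dependency is relied on, the comment should state the reason rather than mirror the removed line, e.g. `# libsepol-devel is pulled in via pkgconfig(libsepol); the minimum version is enforced at BuildRequires`.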
+++ b/libselinux-2.1.13.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:57aad47c06b7ec18a76e8d9870539277a84cb40109cfdcf70ed3260bdb04447a
+size 168931
diff --git a/libselinux-2.1.13.tgz b/libselinux-2.1.13.tgz
deleted file mode 100644
index ba5ba70..0000000
--- a/libselinux-2.1.13.tgz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:919b9b52adf042d000dbd43cacc5d307e532a3ac17ee54347fed506d20b59464
-size 175010
diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes
index 501ffd9..89e9fc6 100644
--- a/libselinux-bindings.changes
+++ b/libselinux-bindings.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Jun 27 14:57:53 UTC 2013 - vcizek@suse.com
+
+- change the source url to the official 2.1.13 release tarball
+
 -------------------------------------------------------------------
 Wed Jan 30 12:33:45 UTC 2013 - vcizek@suse.com
diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec
index a6856cd..04ec2a6 100644
--- a/libselinux-bindings.spec
+++ b/libselinux-bindings.spec
@@ -27,7 +27,7 @@ License: GPL-2.0 and SUSE-Public-Domain
 Group: System/Libraries
 # embedded is the MD5
-Source: http://pkgs.fedoraproject.org/lookaside/pkgs/libselinux/libselinux-%{version}.tgz/44be70732a33b8e1fbe2f422e93fb8b3/libselinux-%{version}.tgz
+Source: http://userspace.selinuxproject.org/releases/20130423/libselinux-%{version}.tar.gz
 Source1: selinux-ready
 Source2: baselibs.conf
 Patch0: libselinux-rhat.patch
diff --git a/libselinux.changes b/libselinux.changes
index ddb0803..898571c 100644
--- a/libselinux.changes
+++ b/libselinux.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Jun 27 14:42:01 UTC 2013 - vcizek@suse.com
+
+- change the source url to the official 2.1.13 release tarball
+
 -------------------------------------------------------------------
 Wed May 22 23:50:58 UTC 2013 - jengelh@inai.de
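Review bot: The context line `# embedded is the MD5` in the `@@ -27,7 +27,7 @@` hunk of libselinux-bindings.spec is stale after this change: the new `Source: http://userspace.selinuxproject.org/releases/20130423/libselinux-%{version}.tar.gz` carries no MD5 path component, so the comment now describes the line that was removed. Drop it, or replace it with what the new location does guarantee, e.g. `# official upstream release tarball; the URL embeds no checksum`. The same stale comment is carried unchanged as context through the later 2.2 bump of this file in the same series (its `@@ -27,11 +27,10 @@` hunk), so fixing it here avoids carrying it forward.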
diff --git a/libselinux.spec b/libselinux.spec
index bf4dd81..f39463f 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -26,7 +26,7 @@ Summary: SELinux library and simple utilities
 License: GPL-2.0 and SUSE-Public-Domain
 Group: System/Libraries
-Source: http://pkgs.fedoraproject.org/lookaside/pkgs/%{name}/%{name}-%{version}.tgz/44be70732a33b8e1fbe2f422e93fb8b3/%{name}-%{version}.tgz
+Source: http://userspace.selinuxproject.org/releases/20130423/%{name}-%{version}.tar.gz
 Source1: selinux-ready
 Source2: baselibs.conf
 Patch0: %{name}-rhat.patch
From c03c35a252aef101b51c7ed43b62c148610815808b64ec437533fdad2cd41722 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Thu, 7 Nov 2013 16:37:06 +0000
Subject: [PATCH 32/42] Accepting request 206078 from security:SELinux
- Update to version 2.2
 * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
 * Support overriding Makefile RANLIB
 * Update pkgconfig definition
 * Mount sysfs before trying to mount selinuxfs.
 * Fix man pages
 * Support overriding PATH and LIBBASE in Makefile
 * Fix LDFLAGS usage
 * Avoid shadowing stat in load_mmap
 * Support building on older PCRE libraries
 * Fix handling of temporary file in sefcontext_compile
 * Fix procattr cache
 * Define python constants for getenforce result
 * Fix label substitution handling of /
 * Add selinux_current_policy_path from
 * Change get_context_list to only return good matches
 * Support udev-197 and higher
 * Add support for local substitutions
 * Change setfilecon to not return ENOSUP if context is already correct
 * Python wrapper leak fixes
 * Export SELINUX_TRANS_DIR definition in selinux.h
 * Add selinux_systemd_contexts_path
 * Add selinux_set_policy_root
 * Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
(forwarded request 205373 from posophe)
OBS-URL: https://build.opensuse.org/request/show/206078
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=40
---
libselinux-2.1.13.tar.gz | 3 -
...ux-ruby.patch => libselinux-2.2-ruby.patch | 6 +-
libselinux-2.2.tar.gz | 3 +
libselinux-bindings.changes | 31 +
libselinux-bindings.spec | 10 +-
libselinux-rhat.patch | 755 ------------------
libselinux.changes | 31 +
libselinux.spec | 13 +-
8 files changed, 79 insertions(+), 773 deletions(-)
delete mode 100644 libselinux-2.1.13.tar.gz
rename libselinux-ruby.patch => libselinux-2.2-ruby.patch (90%)
create mode 100644 libselinux-2.2.tar.gz
delete mode 100644 libselinux-rhat.patch
diff --git a/libselinux-2.1.13.tar.gz b/libselinux-2.1.13.tar.gz
deleted file mode 100644
index 2f32d86..0000000
--- a/libselinux-2.1.13.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:57aad47c06b7ec18a76e8d9870539277a84cb40109cfdcf70ed3260bdb04447a
-size 168931
diff --git a/libselinux-ruby.patch b/libselinux-2.2-ruby.patch
similarity index 90%
rename from libselinux-ruby.patch
rename to libselinux-2.2-ruby.patch
index b46802e..345ca3a 100644
--- a/libselinux-ruby.patch
+++ b/libselinux-2.2-ruby.patch
@@ -2,7 +2,7 @@ Index: src/Makefile
 ===================================================================
 --- src/Makefile.orig 2013-01-30 13:24:55.549631752 +0100
 +++ src/Makefile 2013-01-30 13:25:56.148209843 +0100
-@@ -16,8 +16,8 @@ PYINC ?= $(shell pkg-config --cflags $(P
+@@ -16,8 +16,8 @@ PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
 RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
 RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM')
@@ -10,9 +10,9 @@ Index: src/Makefile
 -RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
 +RUBYINC ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['rubyhdrdir'].nil? ? '$(LIBDIR)/ruby/$(RUBYLIBVER)' : Config::CONFIG['rubyhdrdir']")
 +RUBYINSTALL ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['vendorarchdir'].nil? ? '$(DESTDIR)'+Config::CONFIG['sitearchdir'] : '$(DESTDIR)'+Config::CONFIG['vendorarchdir']")
- LIBBASE=$(shell basename $(LIBDIR))
+ LIBBASE ?= $(shell basename $(LIBDIR))
- LDFLAGS ?= -lpcre -lpthread
+ VERSION = $(shell cat ../VERSION)
 @@ -103,7 +103,7 @@ $(SWIGLOBJ): $(SWIGCOUT)
 $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
diff --git a/libselinux-2.2.tar.gz b/libselinux-2.2.tar.gz
new file mode 100644
index 0000000..27662d1
--- /dev/null
+++ b/libselinux-2.2.tar.gz
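Review bot: The rebased `@@ -10,9 +10,9 @@` hunk carries the patch's `RUBYINC` and `RUBYINSTALL` lines unchanged, and both call a bare `ruby` while the upstream context right above resolves the interpreter through `$(RUBY)` (`RUBYLIBVER ?= $(shell $(RUBY) -e ...)`); when a packager overrides `RUBY`, the header and install directories are still computed from whichever `ruby` is first on `PATH`. Since the patch is being touched anyway, `$(shell $(RUBY) -r rbconfig -e ...)` on both lines would keep the three variables consistent. `Config::CONFIG` is the older alias of `RbConfig::CONFIG`, so the patch is presumably tied to the Ruby version the bindings spec builds against — worth confirming against the ruby-devel in that build environment rather than discovering it when the alias disappears. `$(DESTDIR)` is also spliced into a single-quoted Ruby literal, which only holds while the build root contains no quote; a one-line note in the patch header stating that assumption would save the next rebase some guessing.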
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e9dc64216543a7283d786f623ac28e8867f8794138e7deba474a3aa8d02dce33
+size 171011
diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes
index 89e9fc6..ecb0baa 100644
--- a/libselinux-bindings.changes
+++ b/libselinux-bindings.changes
@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com
+
+- Update to version 2.2
+ * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
+ * Support overriding Makefile RANLIB
+ * Update pkgconfig definition
+ * Mount sysfs before trying to mount selinuxfs.
+ * Fix man pages
+ * Support overriding PATH and LIBBASE in Makefile
+ * Fix LDFLAGS usage
+ * Avoid shadowing stat in load_mmap
+ * Support building on older PCRE libraries
+ * Fix handling of temporary file in sefcontext_compile
+ * Fix procattr cache
+ * Define python constants for getenforce result
+ * Fix label substitution handling of /
+ * Add selinux_current_policy_path from
+ * Change get_context_list to only return good matches
+ * Support udev-197 and higher
+ * Add support for local substitutions
+ * Change setfilecon to not return ENOSUP if context is already correct
+ * Python wrapper leak fixes
+ * Export SELINUX_TRANS_DIR definition in selinux.h
+ * Add selinux_systemd_contexts_path
+ * Add selinux_set_policy_root
+ * Add man page for sefcontext_compile
+- Remove libselinux-rhat.patch; merged on upstream
+- Adapt libselinux-ruby.patch to upstream changes
+- Use fdupes to symlink duplicate manpages
+
 -------------------------------------------------------------------
 Thu Jun 27 14:57:53 UTC 2013 - vcizek@suse.com
diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec
index 04ec2a6..a0b5576 100644
--- a/libselinux-bindings.spec
+++ b/libselinux-bindings.spec
@@ -16,10 +16,10 @@
 #
-%define libsepol_ver 2.1.9
+%define libsepol_ver 2.2
 Name: libselinux-bindings
-Version: 2.1.13
+Version: 2.2
 Release: 0
 Url: http://userspace.selinuxproject.org/
 Summary: SELinux library and simple utilities
@@ -27,11 +27,10 @@ License: GPL-2.0 and SUSE-Public-Domain
 Group: System/Libraries
 # embedded is the MD5
-Source: http://userspace.selinuxproject.org/releases/20130423/libselinux-%{version}.tar.gz
+Source: http://userspace.selinuxproject.org/releases/20131030/libselinux-%{version}.tar.gz
 Source1: selinux-ready
 Source2: baselibs.conf
-Patch0: libselinux-rhat.patch
-Patch1: libselinux-ruby.patch
+Patch1: libselinux-2.2-ruby.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: libsepol-devel-static >= %{libsepol_ver}
 BuildRequires: pcre-devel
@@ -106,7 +105,6 @@ decisions. Required for any applications that use the SELinux API.
 %prep
 %setup -q -n libselinux-%{version}
-%patch0 -p2
 %patch1
 %build
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
deleted file mode 100644
index 2de6a34..0000000
--- a/libselinux-rhat.patch
+++ /dev/null
@@ -1,755 +0,0 @@ -diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h -index a4079aa..0b122af 100644 ---- a/libselinux/include/selinux/selinux.h -+++ b/libselinux/include/selinux/selinux.h -@@ -177,6 +177,7 @@ extern void selinux_set_callback(int type, union selinux_callback cb); - #define SELINUX_WARNING 1 - #define SELINUX_INFO 2 - #define SELINUX_AVC 3 -+#define SELINUX_TRANS_DIR "/var/run/setrans" - - /* Compute an access decision. */ - extern int security_compute_av(const security_context_t scon, -@@ -496,8 +497,15 @@ extern int selinux_getpolicytype(char **policytype); - */ - extern const char *selinux_policy_root(void); - -+/* -+ selinux_set_policy_root sets an alternate policy root directory path under -+ which the compiled policy file and context configuration files exist. -+ */ -+extern int selinux_set_policy_root(const char *rootpath); -+ - /* These functions return the paths to specific files under the - policy root directory. */ -+extern const char *selinux_current_policy_path(void); - extern const char *selinux_binary_policy_path(void); - extern const char *selinux_failsafe_context_path(void); - extern const char *selinux_removable_context_path(void); -diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3 -index c6837fc..de62d26 100644 ---- a/libselinux/man/man3/security_compute_av.3 -+++ b/libselinux/man/man3/security_compute_av.3 -@@ -37,9 +37,9 @@ the SELinux policy database in the kernel - .sp - .BI "int security_compute_user_raw(security_context_t "scon ", const char *" username ", security_context_t **" con ); - .sp --.BI "int security_get_initial_context(const char *" name ", security_context_t " con ); -+.BI "int security_get_initial_context(const char *" name ", security_context_t *" con ); - .sp --.BI "int security_get_initial_context_raw(const char *" name ", security_context_t " con ); -+.BI "int security_get_initial_context_raw(const char *" name ", 
security_context_t *" con ); - .sp - .BI "int selinux_check_access(const security_context_t " scon ", const security_context_t " tcon ", const char *" class ", const char *" perm ", void *" auditdata); - .sp -diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3 -index ec97dcf..503c52c 100644 ---- a/libselinux/man/man3/selinux_binary_policy_path.3 -+++ b/libselinux/man/man3/selinux_binary_policy_path.3 -@@ -1,6 +1,6 @@ - .TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation" - .SH "NAME" --selinux_path, selinux_policy_root, selinux_binary_policy_path, -+selinux_path, selinux_policy_root, selinux_binary_policy_path, selinux_current_policy_path, - selinux_failsafe_context_path, selinux_removable_context_path, - selinux_default_context_path, selinux_user_contexts_path, - selinux_file_context_path, selinux_media_context_path, -@@ -17,6 +17,8 @@ directories and files - .sp - .B const char *selinux_binary_policy_path(void); - .sp -+.B const char *selinux_current_policy_path(void); -+.sp - .B const char *selinux_failsafe_context_path(void); - .sp - .B const char *selinux_removable_context_path(void); -@@ -55,6 +57,9 @@ returns the top-level policy directory. - .BR selinux_binary_policy_path () - returns the binary policy file loaded into kernel. - .sp -+.BR selinux_current_policy_path () -+returns the currently loaded policy file from the kernel. -+.sp - .BR selinux_default_type_path () - returns the context file mapping roles to default types. 
- .sp -diff --git a/libselinux/man/man3/selinux_current_policy_path.3 b/libselinux/man/man3/selinux_current_policy_path.3 -new file mode 100644 -index 0000000..175a611 ---- /dev/null -+++ b/libselinux/man/man3/selinux_current_policy_path.3 -@@ -0,0 +1 @@ -+.so man3/selinux_binary_policy_path.3 -diff --git a/libselinux/man/man3/selinux_policy_root.3 b/libselinux/man/man3/selinux_policy_root.3 -index a6ccf86..63dc901 100644 ---- a/libselinux/man/man3/selinux_policy_root.3 -+++ b/libselinux/man/man3/selinux_policy_root.3 -@@ -1,21 +1,34 @@ - .TH "selinux_policy_root" "3" "25 May 2004" "dwalsh@redhat.com" "SELinux API documentation" - .SH "NAME" - selinux_policy_root \- return the path of the SELinux policy files for this machine -+selinux_set_policy_root \- Set an alternate SELinux root path for the SELinux policy files for this machine. - . - .SH "SYNOPSIS" - .B #include - .sp - .B const char *selinux_policy_root(void); - . -+.sp -+.B int selinux_set_policy_root(const char *policypath); -+. - .SH "DESCRIPTION" - .BR selinux_policy_root () - reads the contents of the - .I /etc/selinux/config - file to determine which policy files should be used for this machine. - . -+.BR selinux_set_policy_root () -+sets up all all policy paths based on the alternate root -+ -+.I /etc/selinux/config -+file to determine which policy files should be used for this machine. -+. - .SH "RETURN VALUE" --On success, returns a directory path containing the SELinux policy files. --On failure, NULL is returned. -+On success, selinux_policy_root returns a directory path containing the SELinux policy files. -+On failure, selinux_policy_root returns NULL. -+ -+On success, selinux_set_policy_root returns 0 on success -1 on failure. -+ - . 
- .SH "SEE ALSO" - .BR selinux "(8)" -diff --git a/libselinux/man/man3/selinux_set_policy_root.3 b/libselinux/man/man3/selinux_set_policy_root.3 -new file mode 100644 -index 0000000..8077658 ---- /dev/null -+++ b/libselinux/man/man3/selinux_set_policy_root.3 -@@ -0,0 +1 @@ -+.so man3/selinux_policy_root.3 -diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8 -index 368991f..5d60789 100644 ---- a/libselinux/man/man8/matchpathcon.8 -+++ b/libselinux/man/man8/matchpathcon.8 -@@ -13,6 +13,8 @@ matchpathcon \- get the default SELinux security context for the specified path - .IR file_contexts_file ] - .RB [ \-p - .IR prefix ] -+.RB [ \-P -+.IR policy_root_path ] - .I filepath... - . - .SH "DESCRIPTION" -@@ -46,6 +48,9 @@ Use alternate file_context file - .BI \-p " prefix" - Use prefix to speed translations - .TP -+.BI \-P " policy_root_path" -+Use alternate policy root path -+.TP - .B \-V - Verify file context on disk matches defaults - . -diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 -index a328866..50868e4 100644 ---- a/libselinux/man/man8/selinux.8 -+++ b/libselinux/man/man8/selinux.8 -@@ -37,20 +37,22 @@ The - configuration file also controls what policy - is active on the system. SELinux allows for multiple policies to be - installed on the system, but only one policy may be active at any --given time. At present, two kinds of SELinux policy exist: targeted --and strict. The targeted policy is designed as a policy where most --processes operate without restrictions, and only specific services are -+given time. At present, multiple kinds of SELinux policy exist: targeted, -+mls for example. The targeted policy is designed as a policy where most -+user processes operate without restrictions, and only specific services are - placed into distinct security domains that are confined by the policy. 
- For example, the user would run in a completely unconfined domain - while the named daemon or apache daemon would run in a specific domain --tailored to its operation. The strict policy is designed as a policy --where all processes are partitioned into fine-grained security domains --and confined by policy. It is anticipated in the future that other --policies will be created (Multi-Level Security for example). You can -+tailored to its operation. The MLS (Multi-Level Security) policy is designed -+as a policy where all processes are partitioned into fine-grained security -+domains and confined by policy. MLS also supports the Bell And LaPadula model, where processes are not only confined by the type but also the level of the data. -+ -+You can - define which policy you will run by setting the - .B SELINUXTYPE - environment variable within - .IR /etc/selinux/config . -+You must reboot and possibly relabel if you change the policy type to have it take effect on the system. - The corresponding - policy configuration for each such policy must be installed in the - .I /etc/selinux/{SELINUXTYPE}/ -@@ -58,7 +60,7 @@ directories. - - A given SELinux policy can be customized further based on a set of - compile-time tunable options and a set of runtime policy booleans. --.B \%system\-config\-securitylevel -+.B \%system\-config\-selinux - allows customization of these booleans and tunables. - - Many domains that are protected by SELinux also include SELinux man pages explaining how to customize their policy. -@@ -86,11 +88,13 @@ This manual page was written by Dan Walsh . 
- .nh - .BR booleans (8), - .BR setsebool (8), --.BR selinuxenabled (8), -+.BR sepolicy (8), -+.BR system-config-selinux (8), - .BR togglesebool (8), - .BR restorecon (8), -+.BR fixfiles (8), - .BR setfiles (8), --.BR semange (8), -+.BR semanage (8), - .BR sepolicy(8) - - Every confined service on the system has a man page in the following format: -diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c -index ffe381b..560bc25 100644 ---- a/libselinux/src/audit2why.c -+++ b/libselinux/src/audit2why.c -@@ -210,27 +210,12 @@ static int __policy_init(const char *init_path) - return 1; - } - } else { -- vers = sepol_policy_kern_vers_max(); -- if (vers < 0) { -- snprintf(errormsg, sizeof(errormsg), -- "Could not get policy version: %s\n", -- strerror(errno)); -- PyErr_SetString( PyExc_ValueError, errormsg); -- return 1; -- } -- snprintf(path, PATH_MAX, "%s.%d", -- selinux_binary_policy_path(), vers); -- fp = fopen(path, "r"); -- while (!fp && errno == ENOENT && --vers) { -- snprintf(path, PATH_MAX, "%s.%d", -- selinux_binary_policy_path(), vers); -- fp = fopen(path, "r"); -- } -+ fp = fopen(selinux_current_policy_path(), "r"); - if (!fp) { - snprintf(errormsg, sizeof(errormsg), -- "unable to open %s.%d: %s\n", -- selinux_binary_policy_path(), -- security_policyvers(), strerror(errno)); -+ "unable to open %s: %s\n", -+ selinux_current_policy_path(), -+ strerror(errno)); - PyErr_SetString( PyExc_ValueError, errormsg); - return 1; - } -@@ -310,10 +295,12 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { - } - - #define RETURN(X) \ -- PyTuple_SetItem(result, 0, Py_BuildValue("i", X)); \ -- return result; -+ { \ -+ return Py_BuildValue("iO", (X), Py_None); \ -+ } - - static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args) { -+ char *reason_buf = NULL; - security_context_t scon; - security_context_t tcon; - char *tclassstr; -@@ -328,10 +315,6 @@ static PyObject *analyze(PyObject *self 
__attribute__((unused)) , PyObject *args - struct sepol_av_decision avd; - int rc; - int i=0; -- PyObject *result = PyTuple_New(2); -- if (!result) return NULL; -- Py_INCREF(Py_None); -- PyTuple_SetItem(result, 1, Py_None); - - if (!PyArg_ParseTuple(args,(char *)"sssO!:audit2why",&scon,&tcon,&tclassstr,&PyList_Type, &listObj)) - return NULL; -@@ -342,22 +325,21 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args - /* should raise an error here. */ - if (numlines < 0) return NULL; /* Not a list */ - -- if (!avc) { -+ if (!avc) - RETURN(NOPOLICY) -- } - - rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid); -- if (rc < 0) { -+ if (rc < 0) - RETURN(BADSCON) -- } -+ - rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid); -- if (rc < 0) { -+ if (rc < 0) - RETURN(BADTCON) -- } -+ - tclass = string_to_security_class(tclassstr); -- if (!tclass) { -+ if (!tclass) - RETURN(BADTCLASS) -- } -+ - /* Convert the permission list to an AV. */ - av = 0; - -@@ -377,21 +359,20 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args - #endif - - perm = string_to_av_perm(tclass, permstr); -- if (!perm) { -+ if (!perm) - RETURN(BADPERM) -- } -+ - av |= perm; - } - - /* Reproduce the computation. 
*/ -- rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, &reason); -- if (rc < 0) { -+ rc = sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf, 0); -+ if (rc < 0) - RETURN(BADCOMPUTE) -- } - -- if (!reason) { -+ if (!reason) - RETURN(ALLOW) -- } -+ - if (reason & SEPOL_COMPUTEAV_TE) { - avc->ssid = ssid; - avc->tsid = tsid; -@@ -404,28 +385,34 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args - RETURN(TERULE) - } - } else { -- PyTuple_SetItem(result, 0, Py_BuildValue("i", BOOLEAN)); -+ PyObject *outboollist; - struct boolean_t *b = bools; - int len=0; - while (b->name) { - len++; b++; - } - b = bools; -- PyObject *outboollist = PyTuple_New(len); -+ outboollist = PyList_New(len); - len=0; - while(b->name) { -- PyObject *bool = Py_BuildValue("(si)", b->name, b->active); -- PyTuple_SetItem(outboollist, len++, bool); -+ PyObject *bool_ = Py_BuildValue("(si)", b->name, b->active); -+ PyList_SetItem(outboollist, len++, bool_); - b++; - } - free(bools); -- PyTuple_SetItem(result, 1, outboollist); -- return result; -+ /* 'N' steals the reference to outboollist */ -+ return Py_BuildValue("iN", BOOLEAN, outboollist); - } - } - - if (reason & SEPOL_COMPUTEAV_CONS) { -- RETURN(CONSTRAINT); -+ if (reason_buf) { -+ PyObject *result = NULL; -+ result = Py_BuildValue("is", CONSTRAINT, reason_buf); -+ free(reason_buf); -+ return result; -+ } -+ RETURN(CONSTRAINT) - } - - if (reason & SEPOL_COMPUTEAV_RBAC) -diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c -index 802a07f..6ff83a7 100644 ---- a/libselinux/src/avc.c -+++ b/libselinux/src/avc.c -@@ -827,6 +827,7 @@ int avc_has_perm(security_id_t ssid, security_id_t tsid, - errsave = errno; - avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata); - errno = errsave; -+ if (!avc_enforcing) return 0; - return rc; - } - -diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c -index b9e8002..355730a 100644 ---- 
a/libselinux/src/get_context_list.c -+++ b/libselinux/src/get_context_list.c -@@ -426,7 +426,7 @@ int get_ordered_context_list(const char *user, - /* Initialize ordering array. */ - ordering = malloc(nreach * sizeof(unsigned int)); - if (!ordering) -- goto oom_order; -+ goto failsafe; - for (i = 0; i < nreach; i++) - ordering[i] = nreach; - -@@ -435,7 +435,7 @@ int get_ordered_context_list(const char *user, - fname_len = strlen(user_contexts_path) + strlen(user) + 2; - fname = malloc(fname_len); - if (!fname) -- goto oom_order; -+ goto failsafe; - snprintf(fname, fname_len, "%s%s", user_contexts_path, user); - fp = fopen(fname, "r"); - if (fp) { -@@ -465,31 +465,28 @@ int get_ordered_context_list(const char *user, - } - } - -+ if (!nordered) -+ goto failsafe; -+ - /* Apply the ordering. */ -- if (nordered) { -- co = malloc(nreach * sizeof(struct context_order)); -- if (!co) -- goto oom_order; -- for (i = 0; i < nreach; i++) { -- co[i].con = reachable[i]; -- co[i].order = ordering[i]; -- } -- qsort(co, nreach, sizeof(struct context_order), order_compare); -- for (i = 0; i < nreach; i++) -- reachable[i] = co[i].con; -- free(co); -+ co = malloc(nreach * sizeof(struct context_order)); -+ if (!co) -+ goto failsafe; -+ for (i = 0; i < nreach; i++) { -+ co[i].con = reachable[i]; -+ co[i].order = ordering[i]; - } -+ qsort(co, nreach, sizeof(struct context_order), order_compare); -+ for (i = 0; i < nreach; i++) -+ reachable[i] = co[i].con; -+ free(co); - -- /* Return the ordered list. -- If we successfully ordered it, then only report the ordered entries -- to the caller. Otherwise, fall back to the entire reachable list. */ -- if (nordered && nordered < nreach) { -+ /* Only report the ordered entries to the caller. 
*/ -+ if (nordered < nreach) { - for (i = nordered; i < nreach; i++) - free(reachable[i]); - reachable[nordered] = NULL; - rc = nordered; -- } else { -- rc = nreach; - } - - out: -@@ -523,14 +520,6 @@ int get_ordered_context_list(const char *user, - } - rc = 1; /* one context in the list */ - goto out; -- -- oom_order: -- /* Unable to order context list due to OOM condition. -- Fall back to unordered reachable context list. */ -- fprintf(stderr, "%s: out of memory, unable to order list\n", -- __FUNCTION__); -- rc = nreach; -- goto out; - } - - hidden_def(get_ordered_context_list) -diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c -index 5f697f3..9b0d6b0 100644 ---- a/libselinux/src/label_file.c -+++ b/libselinux/src/label_file.c -@@ -649,6 +649,8 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec, - break; - } else if (rc == PCRE_ERROR_NOMATCH) - continue; -+ -+ errno = ENOENT; - /* else it's an error */ - goto finish; - } -@@ -660,6 +662,7 @@ static struct selabel_lookup_rec *lookup(struct selabel_handle *rec, - goto finish; - } - -+ errno = 0; - ret = &spec_arr[i].lr; - - finish: -diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c -index 2d7369e..2a00807 100644 ---- a/libselinux/src/matchpathcon.c -+++ b/libselinux/src/matchpathcon.c -@@ -2,6 +2,7 @@ - #include - #include - #include -+#include - #include "selinux_internal.h" - #include "label_internal.h" - #include "callbacks.h" -@@ -62,7 +63,7 @@ static void - { - va_list ap; - va_start(ap, fmt); -- vfprintf(stderr, fmt, ap); -+ vsyslog(LOG_ERR, fmt, ap); - va_end(ap); - } - -diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c -index 6c5b45a..0a0dd3e 100644 ---- a/libselinux/src/procattr.c -+++ b/libselinux/src/procattr.c -@@ -257,6 +257,7 @@ out: - free(context); - return -1; - } else { -+ free(*prev_context); - *prev_context = context; - return 0; - } -diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c 
-index 296f357..0040524 100644 ---- a/libselinux/src/selinux_config.c -+++ b/libselinux/src/selinux_config.c -@@ -8,6 +8,8 @@ - #include - #include - #include -+#include -+#include "policy.h" - #include "selinux_internal.h" - #include "get_default_type_internal.h" - -@@ -138,6 +140,13 @@ int selinux_getpolicytype(char **type) - - hidden_def(selinux_getpolicytype) - -+static int setpolicytype(const char *type) -+{ -+ free(selinux_policytype); -+ selinux_policytype = strdup(type); -+ return selinux_policytype ? 0 : -1; -+} -+ - static char *selinux_policyroot = NULL; - static const char *selinux_rootpath = SELINUXDIR; - -@@ -261,6 +270,37 @@ const char *selinux_policy_root(void) - return selinux_policyroot; - } - -+int selinux_set_policy_root(const char *path) -+{ -+ int i; -+ char *policy_type = strchr(selinux_policyroot, '/'); -+ if (!policy_type) { -+ errno = EINVAL; -+ return -1; -+ } -+ policy_type++; -+ -+ fini_selinuxmnt(); -+ fini_selinux_policyroot(); -+ -+ selinux_policyroot = strdup(path); -+ if (! 
selinux_policyroot) -+ return -1; -+ -+ if (setpolicytype(policy_type) != 0) -+ return -1; -+ -+ for (i = 0; i < NEL; i++) -+ if (asprintf(&file_paths[i], "%s%s", -+ selinux_policyroot, -+ file_path_suffixes_data.str + -+ file_path_suffixes_idx[i]) -+ == -1) -+ return -1; -+ -+ return 0; -+} -+ - const char *selinux_path(void) - { - return selinux_rootpath; -@@ -303,6 +343,31 @@ const char *selinux_binary_policy_path(void) - - hidden_def(selinux_binary_policy_path) - -+const char *selinux_current_policy_path(void) -+{ -+ int rc = 0; -+ int vers = 0; -+ static char policy_path[PATH_MAX]; -+ -+ if (selinux_mnt) { -+ snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt); -+ if (access(policy_path, F_OK) == 0 ) { -+ return policy_path; -+ } -+ } -+ vers = security_policyvers(); -+ do { -+ /* Check prior versions to see if old policy is available */ -+ snprintf(policy_path, sizeof(policy_path), "%s.%d", -+ selinux_binary_policy_path(), vers); -+ } while ((rc = access(policy_path, F_OK)) && --vers > 0); -+ -+ if (rc) return NULL; -+ return policy_path; -+} -+ -+hidden_def(selinux_current_policy_path) -+ - const char *selinux_file_context_path(void) - { - return get_path(FILE_CONTEXTS); -diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h -index 2c7c85c..4a4aebc 100644 ---- a/libselinux/src/selinux_internal.h -+++ b/libselinux/src/selinux_internal.h -@@ -60,6 +60,7 @@ hidden_proto(selinux_mkload_policy) - hidden_proto(security_setenforce) - hidden_proto(security_deny_unknown) - hidden_proto(selinux_boolean_sub) -+ hidden_proto(selinux_current_policy_path) - hidden_proto(selinux_binary_policy_path) - hidden_proto(selinux_booleans_subs_path) - hidden_proto(selinux_default_context_path) -diff --git a/libselinux/src/setrans_internal.h b/libselinux/src/setrans_internal.h -index a801ee8..b3bdca2 100644 ---- a/libselinux/src/setrans_internal.h -+++ b/libselinux/src/setrans_internal.h -@@ -1,6 +1,7 @@ - /* Author: Trusted Computer 
Solutions, Inc. */ -+#include - --#define SETRANS_UNIX_SOCKET "/var/run/setrans/.setrans-unix" -+#define SETRANS_UNIX_SOCKET SELINUX_TRANS_DIR "/.setrans-unix" - - #define RAW_TO_TRANS_CONTEXT 2 - #define TRANS_TO_RAW_CONTEXT 3 -diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c -index dd5aaa3..9d3ff3a 100644 ---- a/libselinux/utils/matchpathcon.c -+++ b/libselinux/utils/matchpathcon.c -@@ -12,11 +12,10 @@ - #include - #include - -- - static void usage(const char *progname) - { - fprintf(stderr, -- "usage: %s [-N] [-n] [-f file_contexts] [-p prefix] [-Vq] path...\n", -+ "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n", - progname); - exit(1); - } -@@ -78,7 +77,7 @@ int main(int argc, char **argv) - if (argc < 2) - usage(argv[0]); - -- while ((opt = getopt(argc, argv, "m:Nnf:p:Vq")) > 0) { -+ while ((opt = getopt(argc, argv, "m:Nnf:P:p:Vq")) > 0) { - switch (opt) { - case 'n': - header = 0; -@@ -113,6 +112,15 @@ int main(int argc, char **argv) - exit(1); - } - break; -+ case 'P': -+ if (selinux_set_policy_root(optarg) < 0 ) { -+ fprintf(stderr, -+ "Error setting policy root %s: %s\n", -+ optarg, -+ errno ? 
strerror(errno) : "invalid"); -+ exit(1); -+ } -+ break; - case 'p': - if (init) { - fprintf(stderr, -diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c -index 6f79dd6..e019a07 100644 ---- a/libselinux/utils/sefcontext_compile.c -+++ b/libselinux/utils/sefcontext_compile.c -@@ -145,7 +145,7 @@ static int process_file(struct saved_data *data, const char *filename) - * u32 - data length of the pcre regex study daya - * char - a buffer holding the raw pcre regex study data - */ --static int write_binary_file(struct saved_data *data, char *filename) -+static int write_binary_file(struct saved_data *data, int fd) - { - struct spec *specs = data->spec_arr; - FILE *bin_file; -@@ -155,7 +155,7 @@ static int write_binary_file(struct saved_data *data, char *filename) - uint32_t i; - int rc; - -- bin_file = fopen(filename, "w"); -+ bin_file = fdopen(fd, "w"); - if (!bin_file) { - perror("fopen output_file"); - exit(EXIT_FAILURE); -@@ -321,7 +321,9 @@ int main(int argc, char *argv[]) - const char *path; - char stack_path[PATH_MAX + 1]; - int rc; -- -+ char *tmp= NULL; -+ int fd; -+ - if (argc != 2) { - fprintf(stderr, "usage: %s input_file\n", argv[0]); - exit(EXIT_FAILURE); -@@ -342,13 +344,29 @@ int main(int argc, char *argv[]) - rc = snprintf(stack_path, sizeof(stack_path), "%s.bin", path); - if (rc < 0 || rc >= sizeof(stack_path)) - return rc; -- rc = write_binary_file(&data, stack_path); -+ -+ if (asprintf(&tmp, "%sXXXXXX", stack_path) < 0) -+ return -1; -+ -+ fd = mkstemp(tmp); -+ if (fd < 0) -+ goto err; -+ -+ rc = write_binary_file(&data, fd); -+ - if (rc < 0) -- return rc; -+ goto err; - -+ rename(tmp, stack_path); - rc = free_specs(&data); - if (rc < 0) -- return rc; -+ goto err; - -- return 0; -+ rc = 0; -+out: -+ free(tmp); -+ return rc; -+err: -+ rc = -1; -+ goto out; - } diff --git a/libselinux.changes b/libselinux.changes index 898571c..4ec15ca 100644 --- a/libselinux.changes +++ b/libselinux.changes 
@@ -1,3 +1,34 @@ +------------------------------------------------------------------- +Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com + +- Update to version 2.2 + * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode. + * Support overriding Makefile RANLIB + * Update pkgconfig definition + * Mount sysfs before trying to mount selinuxfs. + * Fix man pages + * Support overriding PATH and LIBBASE in Makefile + * Fix LDFLAGS usage + * Avoid shadowing stat in load_mmap + * Support building on older PCRE libraries + * Fix handling of temporary file in sefcontext_compile + * Fix procattr cache + * Define python constants for getenforce result + * Fix label substitution handling of / + * Add selinux_current_policy_path from + * Change get_context_list to only return good matches + * Support udev-197 and higher + * Add support for local substitutions + * Change setfilecon to not return ENOSUP if context is already correct + * Python wrapper leak fixes + * Export SELINUX_TRANS_DIR definition in selinux.h + * Add selinux_systemd_contexts_path + * Add selinux_set_policy_root + * Add man page for sefcontext_compile +- Remove libselinux-rhat.patch; merged on upstream +- Adapt libselinux-ruby.patch to upstream changes +- Use fdupes to symlink duplicate manpages + ------------------------------------------------------------------- Thu Jun 27 14:42:01 UTC 2013 - vcizek@suse.com diff --git a/libselinux.spec b/libselinux.spec index f39463f..c56ecca 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -16,22 +16,22 @@
 #
-%define libsepol_ver 2.1.9
+%define libsepol_ver 2.2
 Name: libselinux
-Version: 2.1.13
+Version: 2.2
 Release: 0
 Url: http://userspace.selinuxproject.org/
 Summary: SELinux library and simple utilities
 License: GPL-2.0 and SUSE-Public-Domain
 Group: System/Libraries
-Source: http://userspace.selinuxproject.org/releases/20130423/%{name}-%{version}.tar.gz
+Source: http://userspace.selinuxproject.org/releases/20131030/%{name}-%{version}.tar.gz
 Source1: selinux-ready
 Source2: baselibs.conf
-Patch0: %{name}-rhat.patch
-Patch1: %{name}-ruby.patch
+Patch1: %{name}-2.2-ruby.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildRequires: fdupes
 BuildRequires: libsepol-devel >= %{libsepol_ver}
 BuildRequires: pcre-devel
 BuildRequires: pkg-config
@@ -119,7 +119,6 @@ necessary to develop your own software using libselinux.
 %prep
 %setup -q
-%patch0 -p2
 %patch1
 %build
@@ -147,6 +146,8 @@ rm -f $RPM_BUILD_ROOT%{_sbindir}/selinux_check_securetty_context
 mv $RPM_BUILD_ROOT%{_sbindir}/getdefaultcon $RPM_BUILD_ROOT%{_sbindir}/selinuxdefcon
 mv $RPM_BUILD_ROOT%{_sbindir}/getconlist $RPM_BUILD_ROOT%{_sbindir}/selinuxconlist
 install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready
+# Remove duplicate files
+%fdupes -s %{buildroot}%{_mandir}
 %post -n libselinux1 -p /sbin/ldconfig
From f2ef6d4392bd650314bfca94593c52a37e43f25eef35bc213728abad778c4956 Mon Sep 17 00:00:00 2001
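Review bot: The `Source:` line in the first hunk moves to a new release directory but still fetches over plain HTTP with nothing in the spec to verify the tarball — no detached signature and no keyring — so the integrity of what gets built rests entirely on the copy the submitter checked in. If upstream publishes detached signatures for these releases, add `Source3: http://userspace.selinuxproject.org/releases/20131030/%{name}-%{version}.tar.gz.asc` and `Source4: %{name}.keyring` so the source validator can check the signature at submit time; otherwise at least record the tarball's checksum in the changes entry so a reviewer can compare it against upstream. The `%fdupes -s` call in the last hunk is scoped to `%{_mandir}`, which is the right scope — keep it there rather than widening it to `%{buildroot}`, since symlinking duplicate binaries would change what the library packages ship.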
From: Stephan Kulow Date: Thu, 22 May 2014 18:38:32 +0000 Subject: [PATCH 33/42] Accepting request 234707 from security:SELinux update to version 2.3 OBS-URL: https://build.opensuse.org/request/show/234707 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=41 --- libselinux-2.2.tar.gz | 3 --- libselinux-2.3.tar.gz | 3 +++ libselinux-bindings.spec | 8 ++++---- libselinux.changes | 7 +++++++ libselinux.spec | 8 ++++---- 5 files changed, 18 insertions(+), 11 deletions(-) delete mode 100644 libselinux-2.2.tar.gz create mode 100644 libselinux-2.3.tar.gz diff --git a/libselinux-2.2.tar.gz b/libselinux-2.2.tar.gz deleted file mode 100644 index 27662d1..0000000 --- a/libselinux-2.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e9dc64216543a7283d786f623ac28e8867f8794138e7deba474a3aa8d02dce33 -size 171011 diff --git a/libselinux-2.3.tar.gz b/libselinux-2.3.tar.gz new file mode 100644 index 0000000..42e4bd4 --- /dev/null +++ b/libselinux-2.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b1e0b43ecd84a812713d09564019b08e7c205d89072b5cbcd07b052cd8e77b2 +size 171254 diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index a0b5576..0695fb5 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux-bindings # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,10 +16,10 @@ # -%define libsepol_ver 2.2 +%define libsepol_ver 2.3 Name: libselinux-bindings -Version: 2.2 +Version: 2.3 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities 
@@ -27,7 +27,7 @@ License: GPL-2.0 and SUSE-Public-Domain Group: System/Libraries # embedded is the MD5 -Source: http://userspace.selinuxproject.org/releases/20131030/libselinux-%{version}.tar.gz +Source: http://userspace.selinuxproject.org/releases/20140506/libselinux-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch1: libselinux-2.2-ruby.patch diff --git a/libselinux.changes b/libselinux.changes index 4ec15ca..96bae57 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org + +- Update to version 2.3 +* Get rid of security_context_t and fix const declarations. +* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover. + ------------------------------------------------------------------- Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com diff --git a/libselinux.spec b/libselinux.spec index c56ecca..65a55c9 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,17 +16,17 @@
 #
-%define libsepol_ver 2.2
+%define libsepol_ver 2.3
 Name: libselinux
-Version: 2.2
+Version: 2.3
 Release: 0
 Url: http://userspace.selinuxproject.org/
 Summary: SELinux library and simple utilities
 License: GPL-2.0 and SUSE-Public-Domain
 Group: System/Libraries
-Source: http://userspace.selinuxproject.org/releases/20131030/%{name}-%{version}.tar.gz
+Source: http://userspace.selinuxproject.org/releases/20140506/%{name}-%{version}.tar.gz
 Source1: selinux-ready
 Source2: baselibs.conf
 Patch1: %{name}-2.2-ruby.patch
From 09b70635c0d93d2221bd93353561d23a6120036f75750ae8733bb1fddb2dc270 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Tue, 9 Sep 2014 16:59:15 +0000 Subject: [PATCH 34/42] Accepting request 247985 from security:SELinux 1 OBS-URL: https://build.opensuse.org/request/show/247985 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=43
---
 libselinux.changes | 5 +++++ selinux-ready | 33 ++++++++++++++++++++++++++------- 2 files changed, 31 insertions(+), 7 deletions(-)
diff --git a/libselinux.changes b/libselinux.changes
index 96bae57..496afd0 100644
--- a/libselinux.changes
+++ b/libselinux.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Sep 8 08:25:11 UTC 2014 - jsegitz@suse.com
+
+- updated selinux-ready script to handle initrd files compressed with xz
+
 -------------------------------------------------------------------
 Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org
diff --git a/selinux-ready b/selinux-ready
index 278276d..667c95e 100644
--- a/selinux-ready
+++ b/selinux-ready
@@ -97,9 +97,9 @@ check_mkinitrd()
 return 2
 fi
- cp /boot/$INITRD $TD/i.cpio.gz 2>/dev/null
+ cp /boot/$INITRD $TD/ 2>/dev/null
- if ! [ -f "$TD/i.cpio.gz" ];then
+ if ! [ -f "$TD/$INITRD" ];then
 printf "\tcheck_mkinitrd: ERR. Error while copying initrd file.'\n"
 return 2
 fi
@@ -109,11 +109,30 @@ check_mkinitrd()
 cd $TD
 mkdir initrd-extracted
 cd initrd-extracted
- gunzip -c $TD/i.cpio.gz | cpio -i --force-local --no-absolute-filenames 2>/dev/null
- grep -E -- $MCMD boot/* 2>&1 >/dev/null
- FLG1=$?
- grep -E -- load_policy boot/* 2>&1 >/dev/null
- FLG2=$?
+ INITRD_FORMAT=$(file $TD/$INITRD | awk -F' ' '{print $2}')
+ case $INITRD_FORMAT in
+ 'XZ' )
+ xz -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
+ 'gzip' )
+ gzip -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
+ * )
+ printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n"
+ return 2
+ esac
+ if [ -d boot ]; then
+ grep -E -- $MCMD boot/* 2>&1 >/dev/null
+ FLG1=$?
+ grep -E -- load_policy boot/* 2>&1 >/dev/null
+ FLG2=$?
+ else
+ # looks like we're using dracut/systemd. We can only check if libselinux1
+ # exists
+ if [ -f lib64/libselinux.so.1 ]; then
+ # if this exists
+ FLG1=0
+ FLG2=0
+ fi
+ fi
 popd 2>&1>/dev/null
 if [ $FLG1 == 0 -a $FLG2 == 0 ];then
From 0715c81986426b73cae23fb46958b7f37a57bf7981fd2115d20c5906fb4d7e85 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Sat, 30 May 2015 10:32:56 +0000 Subject: [PATCH 35/42] Accepting request 309049 from security:SELinux 1 OBS-URL: https://build.opensuse.org/request/show/309049 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=44
---
 libselinux-2.2-ruby.patch | 12 ++++++------ libselinux-bindings.changes | 6 ++++++ libselinux-bindings.spec | 2 +- libselinux.spec | 2 +- 4 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/libselinux-2.2-ruby.patch b/libselinux-2.2-ruby.patch
index 345ca3a..4ee9d20 100644
--- a/libselinux-2.2-ruby.patch
+++ b/libselinux-2.2-ruby.patch
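Review bot: In the new dracut branch (`else` block), `FLG1` and `FLG2` are assigned only when `lib64/libselinux.so.1` exists; when it does not they stay unset — unless `check_mkinitrd`, whose start lies outside this hunk, initialises them earlier — and the trailing `[ $FLG1 == 0 -a $FLG2 == 0 ]` test expands to `[ == 0 -a == 0 ]`, which is a test-syntax error rather than a clean "not ready" verdict. Initialise both before branching, `FLG1=1; FLG2=1`, so the missing-library case is reported the same way as a missing `load_policy`. The `lib64` path is also hard-coded, so the check can never succeed on a 32-bit initrd; `ls lib*/libselinux.so.1 >/dev/null 2>&1` covers both layouts. Taking the second word of `file` output is fragile across `file` versions and locales; `file -b` with glob patterns (`XZ*`, `gzip*`) in the `case` is less brittle, and `$TD/$INITRD` should be quoted in each branch.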
@@ -1,19 +1,19 @@ Index: src/Makefile =================================================================== ---- src/Makefile.orig 2013-01-30 13:24:55.549631752 +0100 -+++ src/Makefile 2013-01-30 13:25:56.148209843 +0100 -@@ -16,8 +16,8 @@ +--- src/Makefile.orig ++++ src/Makefile +@@ -16,8 +16,8 @@ PYINC ?= $(shell pkg-config --cflags $(P PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER) RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")') RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM') -RUBYINC ?= $(shell pkg-config --cflags ruby) -RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) -+RUBYINC ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['rubyhdrdir'].nil? ? '$(LIBDIR)/ruby/$(RUBYLIBVER)' : Config::CONFIG['rubyhdrdir']") -+RUBYINSTALL ?= $(shell ruby -r rbconfig -e "print Config::CONFIG['vendorarchdir'].nil? ? '$(DESTDIR)'+Config::CONFIG['sitearchdir'] : '$(DESTDIR)'+Config::CONFIG['vendorarchdir']") ++RUBYINC ?= $(shell ruby -r rbconfig -e "print RbConfig::CONFIG['rubyhdrdir'].nil? ? '$(LIBDIR)/ruby/$(RUBYLIBVER)' : RbConfig::CONFIG['rubyhdrdir']") ++RUBYINSTALL ?= $(shell ruby -r rbconfig -e "print RbConfig::CONFIG['vendorarchdir'].nil? ? '$(DESTDIR)'+RbConfig::CONFIG['sitearchdir'] : '$(DESTDIR)'+RbConfig::CONFIG['vendorarchdir']") LIBBASE ?= $(shell basename $(LIBDIR)) VERSION = $(shell cat ../VERSION) -@@ -103,7 +103,7 @@ $(SWIGLOBJ): $(SWIGCOUT) +@@ -98,7 +98,7 @@ $(SWIGLOBJ): $(SWIGCOUT) $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $< $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index ecb0baa..533efff 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes 
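Review bot: The rewritten `RUBYINC` and `RUBYINSTALL` lines shell out to a bare `ruby`, while the neighbouring `RUBYLIBVER` and `RUBYPLATFORM` lines in the same hunk use `$(RUBY)`; a build that passes `RUBY=ruby2.2` therefore derives the version and platform from one interpreter and the header and install directories from another. Use `$(shell $(RUBY) -r rbconfig -e "…")` in both added lines so every Ruby-derived path comes from the same binary. Baking `'$(DESTDIR)'` into `RUBYINSTALL` at definition time is also unusual; if the `install-rubywrap` rule (not visible in this hunk) already prefixes `$(DESTDIR)`, the path is doubled, so consider dropping it here and letting the install rule add it as the other install paths do.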
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed May 27 11:53:54 UTC 2015 - dimstar@opensuse.org + +- Update libselinux-2.2-ruby.patch: use RbConfig instead of + deprecated Config. + ------------------------------------------------------------------- Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 0695fb5..26506d7 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux-bindings # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed diff --git a/libselinux.spec b/libselinux.spec index 65a55c9..fc7d615 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed From e69a6c77a7642d3c5f72832af7a495deb3f17c51afbf24d1d7213c497fe36000 Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Mon, 18 Jul 2016 19:16:39 +0000 Subject: [PATCH 36/42] Accepting request 408437 from security:SELinux 1 OBS-URL: https://build.opensuse.org/request/show/408437 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=45 --- libselinux-2.3.tar.gz | 3 -- libselinux-2.5.tar.gz | 3 ++ libselinux-bindings.changes | 77 ++++++++++++++++++++++++++++++++++ libselinux-bindings.spec | 12 ++++-- libselinux.changes | 76 +++++++++++++++++++++++++++++++++ libselinux.spec | 16 +++++-- python-selinux-swig-3.10.patch | 13 ++++++ selinux-ready | 2 + 8 files changed, 191 insertions(+), 11 deletions(-) delete mode 100644 libselinux-2.3.tar.gz create mode 100644 libselinux-2.5.tar.gz create mode 100644 python-selinux-swig-3.10.patch diff --git a/libselinux-2.3.tar.gz b/libselinux-2.3.tar.gz deleted file mode 100644 index 42e4bd4..0000000 --- a/libselinux-2.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0b1e0b43ecd84a812713d09564019b08e7c205d89072b5cbcd07b052cd8e77b2 -size 171254 diff --git a/libselinux-2.5.tar.gz b/libselinux-2.5.tar.gz new file mode 100644 index 0000000..38881dc --- /dev/null +++ b/libselinux-2.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f +size 189019 diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 533efff..590b354 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes 
@@ -1,9 +1,86 @@ ------------------------------------------------------------------- +Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com + +- Adjusted source link + +------------------------------------------------------------------- +Tue Jul 5 16:44:44 UTC 2016 - i@marguerite.su + +- add patch: python-selinux-swig-3.10.patch, fixed boo#985368 + * swig-3.10 in Factory use importlib instead of imp to find + _selinux.so. imp searched the same directory as __init__.py + is while importlib searchs only standard paths. so we have + to move _selinux.so. fixed by upstream +- update version 2.5 + * Add selinux_restorecon function + * read_spec_entry: fail on non-ascii + * Add man information about thread specific functions + * Don't wrap rpm_execcon with DISABLE_RPM with SWIG + * Correct line count for property and service context files + * label_file: fix memory leaks and uninitialized jump + * Replace selabel_digest hash function + * Fix selabel_open(3) services if no digest requested + * Add selabel_digest function + * Flush the class/perm string mapping cache on policy reload + * Fix restorecon when path has no context + * Free memory when processing media and x specfiles + * Fix mmap memory release for file labeling + * Add policy context validation to sefcontext_compile + * Do not treat an empty file_contexts(.local) as an error + * Fail hard on invalid property_contexts entries + * Fail hard on invalid file_contexts entries + * Support context validation on file_contexts.bin + * Add selabel_cmp interface and label_file backend + * Support specifying file_contexts.bin file path + * Support file_contexts.bin without file_contexts + * Simplify procattr cache + * Use /proc/thread-self when available + * Add const to selinux_opt for label backends + * Fix binary file labels for regexes with metachars + * Fix file labels for regexes with metachars + * Fix if file_contexts not '\n' terminated + * Enhance file context support + * Fix property processing and cleanup 
formatting + * Add read_spec_entries function to replace sscanf + * Support consistent mode size for bin files + * Fix more bin file processing core dumps + * add selinux_openssh_contexts_path() + * setrans_client: minimize overhead when mcstransd is not present + * Ensure selabel_lookup_best_match links NULL terminated + * Fix core dumps with corrupt *.bin files + * Add selabel partial and best match APIs + * Use os.walk() instead of the deprecated os.path.walk() + * Remove deprecated mudflap option + * Mount procfs before checking /proc/filesystems + * Fix -Wformat errors with gcc-5.0.0 + * label_file: handle newlines in file names + * Fix audit2why error handling if SELinux is disabled + * pcre_study can return NULL without error + * Only check SELinux enabled status once in selinux_check_access +- changes in 2.4 + * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR + * Fix bugs found by hardened gcc flags + * Set the system to permissive if failing to disable SELinux because + policy has already been loaded + * Add db_exception and db_datatype support to label_db backend + * Log an error on unknown classes and permissions + * Add pcre version string to the compiled file_contexts format + * Deprecate use of flask.h and av_permissions.h + * Compiled file_context files and the original should have the same DAC + permissions +------------------------------------------------------------------- Wed May 27 11:53:54 UTC 2015 - dimstar@opensuse.org - Update libselinux-2.2-ruby.patch: use RbConfig instead of deprecated Config. +------------------------------------------------------------------- +Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org + +- Update to version 2.3 +* Get rid of security_context_t and fix const declarations. +* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover. + ------------------------------------------------------------------- Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com 
diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 26506d7..7a4216b 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux-bindings # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,10 +16,10 @@ # -%define libsepol_ver 2.3 +%define libsepol_ver 2.5 Name: libselinux-bindings -Version: 2.3 +Version: 2.5 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities @@ -27,10 +27,12 @@ License: GPL-2.0 and SUSE-Public-Domain Group: System/Libraries # embedded is the MD5 -Source: http://userspace.selinuxproject.org/releases/20140506/libselinux-%{version}.tar.gz +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch1: libselinux-2.2-ruby.patch +# PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path +Patch2: python-selinux-swig-3.10.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libsepol-devel-static >= %{libsepol_ver} BuildRequires: pcre-devel @@ -106,6 +108,7 @@ decisions. Required for any applications that use the SELinux API. %prep %setup -q -n libselinux-%{version} %patch1 +%patch2 -p1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src @@ -122,6 +125,7 @@ rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD %files -n python-selinux %defattr(-,root,root,-) %dir %{py_sitedir}/selinux +%{py_sitedir}/_selinux.so %{py_sitedir}/selinux/* %files -n ruby-selinux diff --git a/libselinux.changes b/libselinux.changes index 496afd0..c08ec5a 100644 --- a/libselinux.changes 
+++ b/libselinux.changes 
@@ -1,3 +1,79 @@ +------------------------------------------------------------------- +Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com + +- Adjusted source link + +------------------------------------------------------------------- +Tue Jul 5 16:42:03 UTC 2016 - i@marguerite.su + +- add patch: python-selinux-swig-3.10.patch, fixed boo#985368 + * swig-3.10 in Factory use importlib instead of imp to find + _selinux.so. imp searched the same directory as __init__.py + is while importlib searchs only standard paths. so we have + to move _selinux.so. fixed by upstream +- update version 2.5 + * Add selinux_restorecon function + * read_spec_entry: fail on non-ascii + * Add man information about thread specific functions + * Don't wrap rpm_execcon with DISABLE_RPM with SWIG + * Correct line count for property and service context files + * label_file: fix memory leaks and uninitialized jump + * Replace selabel_digest hash function + * Fix selabel_open(3) services if no digest requested + * Add selabel_digest function + * Flush the class/perm string mapping cache on policy reload + * Fix restorecon when path has no context + * Free memory when processing media and x specfiles + * Fix mmap memory release for file labeling + * Add policy context validation to sefcontext_compile + * Do not treat an empty file_contexts(.local) as an error + * Fail hard on invalid property_contexts entries + * Fail hard on invalid file_contexts entries + * Support context validation on file_contexts.bin + * Add selabel_cmp interface and label_file backend + * Support specifying file_contexts.bin file path + * Support file_contexts.bin without file_contexts + * Simplify procattr cache + * Use /proc/thread-self when available + * Add const to selinux_opt for label backends + * Fix binary file labels for regexes with metachars + * Fix file labels for regexes with metachars + * Fix if file_contexts not '\n' terminated + * Enhance file context support + * Fix property processing and cleanup 
formatting + * Add read_spec_entries function to replace sscanf + * Support consistent mode size for bin files + * Fix more bin file processing core dumps + * add selinux_openssh_contexts_path() + * setrans_client: minimize overhead when mcstransd is not present + * Ensure selabel_lookup_best_match links NULL terminated + * Fix core dumps with corrupt *.bin files + * Add selabel partial and best match APIs + * Use os.walk() instead of the deprecated os.path.walk() + * Remove deprecated mudflap option + * Mount procfs before checking /proc/filesystems + * Fix -Wformat errors with gcc-5.0.0 + * label_file: handle newlines in file names + * Fix audit2why error handling if SELinux is disabled + * pcre_study can return NULL without error + * Only check SELinux enabled status once in selinux_check_access +- changes in 2.4 + * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR + * Fix bugs found by hardened gcc flags + * Set the system to permissive if failing to disable SELinux because + policy has already been loaded + * Add db_exception and db_datatype support to label_db backend + * Log an error on unknown classes and permissions + * Add pcre version string to the compiled file_contexts format + * Deprecate use of flask.h and av_permissions.h + * Compiled file_context files and the original should have the same DAC + permissions + +------------------------------------------------------------------- +Thu Jul 30 12:00:27 UTC 2015 - jsegitz@novell.com + +- fixed selinux-ready to work with initrd files created by dracut (bsc#940006) + ------------------------------------------------------------------- Mon Sep 8 08:25:11 UTC 2014 - jsegitz@suse.com diff --git a/libselinux.spec b/libselinux.spec index fc7d615..e8071bc 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -1,7 +1,7 @@ # # spec file for package libselinux # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,20 +16,22 @@ # -%define libsepol_ver 2.3 +%define libsepol_ver 2.5 Name: libselinux -Version: 2.3 +Version: 2.5 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities License: GPL-2.0 and SUSE-Public-Domain Group: System/Libraries -Source: http://userspace.selinuxproject.org/releases/20140506/%{name}-%{version}.tar.gz +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch1: %{name}-2.2-ruby.patch +# PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path +Patch2: python-selinux-swig-3.10.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes BuildRequires: libsepol-devel >= %{libsepol_ver} @@ -120,6 +122,7 @@ necessary to develop your own software using libselinux. %prep %setup -q %patch1 +%patch2 -p1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS" @@ -159,11 +162,16 @@ install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready %{_sbindir}/getenforce %{_sbindir}/getsebool %{_sbindir}/matchpathcon +%{_sbindir}/selabel_digest +%{_sbindir}/selabel_lookup +%{_sbindir}/selabel_lookup_best_match +%{_sbindir}/selabel_partial_match %{_sbindir}/selinuxconlist %{_sbindir}/selinuxdefcon %{_sbindir}/selinuxenabled %{_sbindir}/setenforce %{_sbindir}/togglesebool +%{_sbindir}/selinux_restorecon %{_sbindir}/selinux-ready %{_sbindir}/selinuxexeccon %{_sbindir}/sefcontext_compile 
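Review bot: The new `Source:` URL fetches the release tarball over HTTPS, but nothing in the spec verifies what was fetched — no detached signature or keyring is listed next to it, so the build trusts whatever the checkout holds. If upstream publishes a signature for this release, add it as a further `Source:` line together with the project keyring so the tarball can be verified when it is checked in; the same applies to the later URL changes to the 20161014 release in the two spec hunks of the 2.6 update further down this series.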
diff --git a/python-selinux-swig-3.10.patch b/python-selinux-swig-3.10.patch
new file mode 100644
index 0000000..20897e3
--- /dev/null
+++ b/python-selinux-swig-3.10.patch
@@ -0,0 +1,13 @@
+Index: b/src/Makefile
+===================================================================
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -155,7 +155,7 @@ install: all
+ 
+ install-pywrap: pywrap
+ test -d $(PYLIBDIR)/site-packages/selinux || install -m 755 -d $(PYLIBDIR)/site-packages/selinux
+- install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/selinux/_selinux.so
++ install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/_selinux.so
+ install -m 755 $(AUDIT2WHYSO) $(PYLIBDIR)/site-packages/selinux/audit2why.so
+ install -m 644 $(SWIGPYOUT) $(PYLIBDIR)/site-packages/selinux/__init__.py
+ 
diff --git a/selinux-ready b/selinux-ready
index 667c95e..163489b 100644
--- a/selinux-ready
+++ b/selinux-ready
@@ -113,6 +113,8 @@ check_mkinitrd()
 case $INITRD_FORMAT in
 'XZ' )
 xz -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
+ 'ASCII' )
+ /usr/lib/dracut/skipcpio $TD/$INITRD | xz -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
 'gzip' )
 gzip -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
 * )
From 7308b68a0b02415badb656d8bc2f5cacac758a1d257f37ec4004564ed0034fa5 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Wed, 3 Aug 2016 09:36:44 +0000
Subject: [PATCH 37/42] Accepting request 415273 from security:SELinux
1
OBS-URL: https://build.opensuse.org/request/show/415273
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=46
---
 libselinux-bindings.changes | 5 ++
 libselinux-bindings.spec | 66 ++++-----------
 libselinux-proc-mount-only-if-needed.patch | 93 ++++++++++++++++++++++
 libselinux.changes | 20 +++++
 libselinux.spec | 88 ++++++++------------
 5 files changed, 167 insertions(+), 105 deletions(-)
 create mode 100644 libselinux-proc-mount-only-if-needed.patch
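Review bot: The new `'ASCII' )` branch in selinux-ready pipes skipcpio's output unconditionally through `xz -d`, so a dracut image whose payload behind the leading uncompressed cpio is gzip-compressed (or anything but xz) does not unpack, and with stderr discarded the branch quietly hands whatever check follows an empty extraction. It also runs `/usr/lib/dracut/skipcpio` without checking that it exists, which gives the same silent empty result on a system without dracut. Detect the payload's compression after stripping the prefix instead of assuming xz, and fail loudly when skipcpio is missing, as sketched below; the `return 1` presumes callers look at check_mkinitrd's status, which should be confirmed. check_mkinitrd() starts outside the hunk, so how `$INITRD_FORMAT` is derived is not visible here; the `XZ*`/`gzip*` patterns follow the existing case labels and assume it comes from `file`.
```shell
'ASCII' )
    # payload behind the leading uncompressed cpio may be xz or gzip; detect rather than assume
    [ -x /usr/lib/dracut/skipcpio ] || { echo "skipcpio not found, cannot unpack $INITRD" >&2; return 1; }
    /usr/lib/dracut/skipcpio "$TD/$INITRD" > "$TD/payload"
    case $(file -b "$TD/payload") in
        XZ*)   xz -d -c "$TD/payload" ;;
        gzip*) gzip -d -c "$TD/payload" ;;
        *)     cat "$TD/payload" ;;
    esac | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
# … unchanged: 'gzip' and default cases …
```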
diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 590b354..ff07546 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de + +- Update RPM groups, trim description and combine filelist entries. + ------------------------------------------------------------------- Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 7a4216b..0cbc371 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -21,10 +21,10 @@ Name: libselinux-bindings Version: 2.5 Release: 0 -Url: http://userspace.selinuxproject.org/ -Summary: SELinux library and simple utilities +Summary: SELinux runtime library and simple utilities License: GPL-2.0 and SUSE-Public-Domain -Group: System/Libraries +Group: Development/Libraries/C and C++ +Url: https://github.com/SELinuxProject/selinux/wiki/Releases # embedded is the MD5 Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz 
@@ -41,69 +41,36 @@ BuildRequires: ruby-devel BuildRequires: swig %description -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. %package -n python-selinux -Summary: SELinux library and simple utilities +Summary: Python bindings for the SELinux runtime library License: SUSE-Public-Domain Group: Development/Libraries/Python Requires: libselinux1 = %{version} Requires: python %description -n python-selinux -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. 
Required for any applications that use the SELinux API. - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. +This subpackage contains Python extensions to use SELinux from that +language. %package -n ruby-selinux -Summary: SELinux library and simple utilities +Summary: Ruby bindings for the SELinux runtime library License: SUSE-Public-Domain Group: Development/Languages/Ruby Requires: libselinux1 = %{version} Requires: ruby %description -n ruby-selinux -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. +This subpackage contains Ruby extensions to use SELinux from that +language. %prep %setup -q -n libselinux-%{version} @@ -124,9 +91,8 @@ rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD %files -n python-selinux %defattr(-,root,root,-) -%dir %{py_sitedir}/selinux +%{py_sitedir}/selinux/ %{py_sitedir}/_selinux.so -%{py_sitedir}/selinux/* %files -n ruby-selinux %defattr(-,root,root,-) 
diff --git a/libselinux-proc-mount-only-if-needed.patch b/libselinux-proc-mount-only-if-needed.patch new file mode 100644 index 0000000..383e72c --- /dev/null +++ b/libselinux-proc-mount-only-if-needed.patch 
@@ -0,0 +1,93 @@
+Index: libselinux-2.5/src/init.c
+===================================================================
+--- libselinux-2.5.orig/src/init.c
++++ libselinux-2.5/src/init.c
+@@ -11,7 +11,6 @@
+ #include
+ #include
+ #include
+-#include
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,20 +56,18 @@ static int verify_selinuxmnt(const char
+ 
+ int selinuxfs_exists(void)
+ {
+- int exists = 0, mnt_rc = 0;
++ int exists = 0;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+ 
+- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ 
+ fp = fopen("/proc/filesystems", "r");
+- if (!fp) {
+- exists = 1; /* Fail as if it exists */
+- goto out;
+- }
+ 
++ if (!fp)
++ return 1; /* Fail as if it exists */
++
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+ 
+ num = getline(&buf, &len, fp);
+@@ -85,13 +82,6 @@ int selinuxfs_exists(void)
+ free(buf);
+ fclose(fp);
+ 
+-out:
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+- if (mnt_rc == 0)
+- umount2("/proc", MNT_DETACH);
+-
+ return exists;
+ }
+ hidden_def(selinuxfs_exists)
+Index: libselinux-2.5/src/load_policy.c
+===================================================================
+--- libselinux-2.5.orig/src/load_policy.c
++++ libselinux-2.5/src/load_policy.c
+@@ -17,6 +17,10 @@
+ #include "policy.h"
+ #include
+ 
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++
+ int security_load_policy(void *data, size_t len)
+ {
+ char path[PATH_MAX];
+@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforc
+ fclose(cfg);
+ free(buf);
+ }
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+- if (rc == 0)
+- umount2("/proc", MNT_DETACH);
+ 
+ /*
+ * Determine the final desired mode.
+@@ -402,9 +401,13 @@ int selinux_init_load_policy(int *enforc
+ }
+ 
+ goto noload;
++ if (rc == 0)
++ umount2("/proc", MNT_DETACH);
+ }
+ set_selinuxmnt(mntpoint);
+-
++
++ if (rc == 0)
++ umount2("/proc", MNT_DETACH);
+ /*
+ * Note: The following code depends on having selinuxfs
+ * already mounted and selinuxmnt set above.
diff --git a/libselinux.changes b/libselinux.changes
index c08ec5a..04d8e8f 100644
--- a/libselinux.changes
+++ b/libselinux.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org
+
+- -devel static subpackage requires libpcre-devel and libsepol-devel
+
+
+-------------------------------------------------------------------
+Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org
+
+- Avoid mounting /proc outside of selinux_init_load_policy().
+ (Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
+ among other things systemd seccomp sandboxing otherwise all
+ filters must allow mount(2)
+ (libselinux-proc-mount-only-if-needed.patch)
+
+-------------------------------------------------------------------
+Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
+
+- Update RPM groups, trim description and combine filelist entries.
+
 -------------------------------------------------------------------
 Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com
 
diff --git a/libselinux.spec b/libselinux.spec
index e8071bc..5a7ab25 100644
--- a/libselinux.spec
+++ b/libselinux.spec
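Review bot: In the last load_policy.c hunk of this patch the added `if (rc == 0) umount2("/proc", MNT_DETACH);` sits directly after the unconditional `goto noload;`, so it is unreachable and the /proc mounted earlier in selinux_init_load_policy() is never detached on the no-selinuxfs exit; only the second copy after `set_selinuxmnt(mntpoint);` ever runs. Move the two lines above the goto so both exits release the mount: `if (rc == 0) umount2("/proc", MNT_DETACH); goto noload;`. The `rc` being tested and the mount call it records are outside this hunk, so whether rc == 0 reliably means "we mounted /proc ourselves" should be confirmed against the surrounding function. Worth a comment as well that the init.c change makes selinuxfs_exists() report "exists" whenever /proc/filesystems cannot be opened, which after dropping the mount("proc") now also covers a /proc that is simply not mounted yet.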
@@ -21,10 +21,10 @@ Name: libselinux Version: 2.5 Release: 0 -Url: http://userspace.selinuxproject.org/ -Summary: SELinux library and simple utilities +Summary: SELinux runtime library and utilities License: GPL-2.0 and SUSE-Public-Domain -Group: System/Libraries +Group: Development/Libraries/C and C++ +Url: https://github.com/SELinuxProject/selinux/wiki/Releases Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz Source1: selinux-ready @@ -32,6 +32,8 @@ Source2: baselibs.conf Patch1: %{name}-2.2-ruby.patch # PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path Patch2: python-selinux-swig-3.10.patch +# PATCH-FIX-UPSTREAM Avoid mounting /proc outside of selinux_init_load_policy(). +Patch3: libselinux-proc-mount-only-if-needed.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes BuildRequires: libsepol-devel >= %{libsepol_ver} 
@@ -39,91 +41,68 @@ BuildRequires: pcre-devel BuildRequires: pkg-config %description -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. %package -n libselinux1 -Summary: SELinux library and simple utilities +Summary: SELinux runtime library Group: System/Libraries %description -n libselinux1 -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. 
- +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. +(Security-enhanced Linux is a feature of the kernel and some +utilities that implement mandatory access control policies, such as +Type Enforcement, Role-based Access Control and Multi-Level +Security.) %package -n selinux-tools -Summary: SELinux library and simple utilities +Summary: SELinux command-line utilities Group: System/Base %description -n selinux-tools -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - +Security-enhanced Linux is a feature of the kernel and some +utilities that implement mandatory access control policies, such as +Type Enforcement, Role-based Access Control and Multi-Level +Security. +This subpackage contains utilities to inspect and administer the +system's SELinux state. 
%package devel -Summary: Development Include Files and Libraries for SELinux +Summary: Development files for the SELinux runtime library Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libselinux1 = %{version} #Automatic dependency on libsepol-devel via pkgconfig %description devel +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. + This package contains the development files, which are necessary to develop your own software using libselinux. - %package devel-static -Summary: Static development Include Files and Libraries for SELinux +Summary: Static archives for the SELinux runtime Group: Development/Libraries/C and C++ Requires: libselinux-devel = %{version} +Requires: pkgconfig(libpcre) +Requires: pkgconfig(libsepol) %description devel-static +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. + This package contains the static development files, which are necessary to develop your own software using libselinux. - %prep %setup -q %patch1 %patch2 -p1 - +%patch3 -p1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS" @@ -185,8 +164,7 @@ install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready %files devel %defattr(-,root,root,-) %{_libdir}/libselinux.so -%dir %{_includedir}/selinux -%{_includedir}/selinux/* +%{_includedir}/selinux/ %{_mandir}/man3/* %{_libdir}/pkgconfig/libselinux.pc From 359794f652a67b42696796243d115cd5709f2b8b3e177ce5b91ddc4449f6190a Mon Sep 17 00:00:00 2001 
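Review bot: The `Requires: pkgconfig(libsepol)` added to devel-static is unversioned, while the spec's own `BuildRequires: libsepol-devel >= %{libsepol_ver}` (context in the hunk at line 32) pins a minimum, so a static consumer can pair a libselinux.a built against libsepol 2.5 with an older libsepol-devel; use `Requires: pkgconfig(libsepol) >= %{libsepol_ver}`. Linking against libselinux.a also appears to need libsepol's static archive, which this series ships separately (the bindings spec BuildRequires `libsepol-devel-static`), so devel-static probably wants that package rather than, or in addition to, the pkgconfig dependency; the same question applies to `pkgconfig(libpcre)`.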
From: Dominique Leuenberger Date: Thu, 24 Aug 2017 15:38:46 +0000 Subject: [PATCH 38/42] Accepting request 514179 from security:SELinux 1 OBS-URL: https://build.opensuse.org/request/show/514179 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=47 --- libselinux-bindings.changes | 5 +++++ libselinux-bindings.spec | 3 +++ libselinux.changes | 6 +++++- libselinux.spec | 4 ++++ readv-proto.patch | 12 ++++++++++++ 5 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 readv-proto.patch diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index ff07546..6c0226a 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de + +- readv-proto.patch: include for readv prototype + ------------------------------------------------------------------- Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 0cbc371..fc96fc2 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -33,6 +33,8 @@ Source2: baselibs.conf Patch1: libselinux-2.2-ruby.patch # PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path Patch2: python-selinux-swig-3.10.patch +# PATCH-FIX-UPSTREAM Include for readv prototype +Patch4: readv-proto.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libsepol-devel-static >= %{libsepol_ver} BuildRequires: pcre-devel @@ -76,6 +78,7 @@ language. %setup -q -n libselinux-%{version} %patch1 %patch2 -p1 +%patch4 -p1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src diff --git a/libselinux.changes b/libselinux.changes index 04d8e8f..764c089 100644 --- a/libselinux.changes +++ b/libselinux.changes 
@@ -1,9 +1,13 @@ +------------------------------------------------------------------- +Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de + +- readv-proto.patch: include for readv prototype + ------------------------------------------------------------------- Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org - -devel static subpackage requires libpcre-devel and libsepol-devel - ------------------------------------------------------------------- Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org diff --git a/libselinux.spec b/libselinux.spec index 5a7ab25..a7049f4 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -34,6 +34,8 @@ Patch1: %{name}-2.2-ruby.patch Patch2: python-selinux-swig-3.10.patch # PATCH-FIX-UPSTREAM Avoid mounting /proc outside of selinux_init_load_policy(). Patch3: libselinux-proc-mount-only-if-needed.patch +# PATCH-FIX-UPSTREAM Include for readv prototype +Patch4: readv-proto.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes BuildRequires: libsepol-devel >= %{libsepol_ver} @@ -103,6 +105,8 @@ necessary to develop your own software using libselinux. %patch1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 + %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS" diff --git a/readv-proto.patch b/readv-proto.patch new file mode 100644 index 0000000..795c9b2 --- /dev/null +++ b/readv-proto.patch @@ -0,0 +1,12 @@ +Index: libselinux-2.5/src/setrans_client.c +=================================================================== +--- libselinux-2.5.orig/src/setrans_client.c ++++ libselinux-2.5/src/setrans_client.c +@@ -9,6 +9,7 @@ + #include + #include + #include ++#include + + #include + #include From 7955f8dffa4b324eb7e85f042d71f004d3457c483cca406d70591e6084238d16 Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Wed, 6 Dec 2017 07:46:37 +0000 Subject: [PATCH 39/42] Accepting request 545897 from security:SELinux please combine checkpolicy libselinux libsemanage libsepol policycoreutils OBS-URL: https://build.opensuse.org/request/show/545897 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=48 --- libselinux-2.2-ruby.patch | 24 ------ libselinux-2.5.tar.gz | 3 - libselinux-2.6.tar.gz | 3 + libselinux-bindings.changes | 29 +++++++ libselinux-bindings.spec | 13 +-- libselinux-proc-mount-only-if-needed.patch | 93 ---------------------- libselinux.changes | 29 +++++++ libselinux.spec | 16 +--- python-selinux-swig-3.10.patch | 13 --- 9 files changed, 69 insertions(+), 154 deletions(-) delete mode 100644 libselinux-2.2-ruby.patch delete mode 100644 libselinux-2.5.tar.gz create mode 100644 libselinux-2.6.tar.gz delete mode 100644 libselinux-proc-mount-only-if-needed.patch delete mode 100644 python-selinux-swig-3.10.patch diff --git a/libselinux-2.2-ruby.patch b/libselinux-2.2-ruby.patch deleted file mode 100644 index 4ee9d20..0000000 --- a/libselinux-2.2-ruby.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -Index: src/Makefile -=================================================================== ---- src/Makefile.orig -+++ src/Makefile -@@ -16,8 +16,8 @@ PYINC ?= $(shell pkg-config --cflags $(P - PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER) - RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")') - RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM') --RUBYINC ?= $(shell pkg-config --cflags ruby) --RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) -+RUBYINC ?= $(shell ruby -r rbconfig -e "print RbConfig::CONFIG['rubyhdrdir'].nil? ? '$(LIBDIR)/ruby/$(RUBYLIBVER)' : RbConfig::CONFIG['rubyhdrdir']") -+RUBYINSTALL ?= $(shell ruby -r rbconfig -e "print RbConfig::CONFIG['vendorarchdir'].nil? ? '$(DESTDIR)'+RbConfig::CONFIG['sitearchdir'] : '$(DESTDIR)'+RbConfig::CONFIG['vendorarchdir']") - LIBBASE ?= $(shell basename $(LIBDIR)) - - VERSION = $(shell cat ../VERSION) -@@ -98,7 +98,7 @@ $(SWIGLOBJ): $(SWIGCOUT) - $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $< - - $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) -- $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $< -+ $(CC) $(filter-out -Werror, $(CFLAGS)) -I$(RUBYINC) -I$(RUBYINC)/$(RUBYPLATFORM) -fPIC -DSHARED -c -o $@ $< - - $(SWIGSO): $(SWIGLOBJ) - $(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) -L$(LIBDIR) diff --git a/libselinux-2.5.tar.gz b/libselinux-2.5.tar.gz deleted file mode 100644 index 38881dc..0000000 --- a/libselinux-2.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f -size 189019 diff --git a/libselinux-2.6.tar.gz b/libselinux-2.6.tar.gz new file mode 100644 index 0000000..7602e2b --- /dev/null +++ b/libselinux-2.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4ea2dde50665c202253ba5caac7738370ea0337c47b251ba981c60d24e1a118a +size 203119 
diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 6c0226a..3674448 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com + +- Update to version 2.6. Notable changes: + * selinux_restorecon: fix realpath logic + * sefcontext_compile: invert semantics of "-r" flag + * sefcontext_compile: Add "-i" flag + * Introduce configurable backends + * Add function to find security.restorecon_last entries + * Add openrc_contexts functions + * Add support for pcre2 + * Handle NULL pcre study data + * Add setfiles support to selinux_restorecon(3) + * Evaluate inodes in selinux_restorecon(3) + * Change the location of _selinux.so + * Explain how to free policy type from selinux_getpolicytype() + * Compare absolute pathname in matchpathcon -V + * Add selinux_snapperd_contexts_path() + * Modify audit2why analyze function to use loaded policy + * Avoid mounting /proc outside of selinux_init_load_policy() + * Fix location of selinuxfs mount point + * Only mount /proc if necessary + * procattr: return einval for <= 0 pid args + * procattr: return error on invalid pid_t input +- Dropped + * libselinux-2.2-ruby.patch + * libselinux-proc-mount-only-if-needed.patch + * python-selinux-swig-3.10.patch + ------------------------------------------------------------------- Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index fc96fc2..612c00f 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux-bindings # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,10 +16,10 @@ # -%define libsepol_ver 2.5 +%define libsepol_ver 2.6 Name: libselinux-bindings -Version: 2.5 +Version: 2.6 Release: 0 Summary: SELinux runtime library and simple utilities License: GPL-2.0 and SUSE-Public-Domain @@ -27,12 +27,9 @@ Group: Development/Libraries/C and C++ Url: https://github.com/SELinuxProject/selinux/wiki/Releases # embedded is the MD5 -Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/libselinux-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf -Patch1: libselinux-2.2-ruby.patch -# PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path -Patch2: python-selinux-swig-3.10.patch # PATCH-FIX-UPSTREAM Include for readv prototype Patch4: readv-proto.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -76,8 +73,6 @@ language. %prep %setup -q -n libselinux-%{version} -%patch1 -%patch2 -p1 %patch4 -p1 %build diff --git a/libselinux-proc-mount-only-if-needed.patch b/libselinux-proc-mount-only-if-needed.patch deleted file mode 100644 index 383e72c..0000000 --- a/libselinux-proc-mount-only-if-needed.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -Index: libselinux-2.5/src/init.c -=================================================================== ---- libselinux-2.5.orig/src/init.c -+++ libselinux-2.5/src/init.c -@@ -11,7 +11,6 @@ - #include - #include - #include --#include - - #include "dso.h" - #include "policy.h" -@@ -57,20 +56,18 @@ static int verify_selinuxmnt(const char - - int selinuxfs_exists(void) - { -- int exists = 0, mnt_rc = 0; -+ int exists = 0; - FILE *fp = NULL; - char *buf = NULL; - size_t len; - ssize_t num; - -- mnt_rc = mount("proc", "/proc", "proc", 0, 0); - - fp = fopen("/proc/filesystems", "r"); -- if (!fp) { -- exists = 1; /* Fail as if it exists */ -- goto out; -- } - -+ if (!fp) -+ return 1; /* Fail as if it exists */ -+ - __fsetlocking(fp, FSETLOCKING_BYCALLER); - - num = getline(&buf, &len, fp); -@@ -85,13 +82,6 @@ int selinuxfs_exists(void) - free(buf); - fclose(fp); - --out: --#ifndef MNT_DETACH --#define MNT_DETACH 2 --#endif -- if (mnt_rc == 0) -- umount2("/proc", MNT_DETACH); -- - return exists; - } - hidden_def(selinuxfs_exists) -Index: libselinux-2.5/src/load_policy.c -=================================================================== ---- libselinux-2.5.orig/src/load_policy.c -+++ libselinux-2.5/src/load_policy.c -@@ -17,6 +17,10 @@ - #include "policy.h" - #include - -+#ifndef MNT_DETACH -+#define MNT_DETACH 2 -+#endif -+ - int security_load_policy(void *data, size_t len) - { - char path[PATH_MAX]; -@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforc - fclose(cfg); - free(buf); - } --#ifndef MNT_DETACH --#define MNT_DETACH 2 --#endif -- if (rc == 0) -- umount2("/proc", MNT_DETACH); - - /* - * Determine the final desired mode. 
-@@ -402,9 +401,13 @@ int selinux_init_load_policy(int *enforc - } - - goto noload; -+ if (rc == 0) -+ umount2("/proc", MNT_DETACH); - } - set_selinuxmnt(mntpoint); -- -+ -+ if (rc == 0) -+ umount2("/proc", MNT_DETACH); - /* - * Note: The following code depends on having selinuxfs - * already mounted and selinuxmnt set above. diff --git a/libselinux.changes b/libselinux.changes index 764c089..fdc217a 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com + +- Update to version 2.6. Notable changes: + * selinux_restorecon: fix realpath logic + * sefcontext_compile: invert semantics of "-r" flag + * sefcontext_compile: Add "-i" flag + * Introduce configurable backends + * Add function to find security.restorecon_last entries + * Add openrc_contexts functions + * Add support for pcre2 + * Handle NULL pcre study data + * Add setfiles support to selinux_restorecon(3) + * Evaluate inodes in selinux_restorecon(3) + * Change the location of _selinux.so + * Explain how to free policy type from selinux_getpolicytype() + * Compare absolute pathname in matchpathcon -V + * Add selinux_snapperd_contexts_path() + * Modify audit2why analyze function to use loaded policy + * Avoid mounting /proc outside of selinux_init_load_policy() + * Fix location of selinuxfs mount point + * Only mount /proc if necessary + * procattr: return einval for <= 0 pid args + * procattr: return error on invalid pid_t input +- Dropped + * libselinux-2.2-ruby.patch + * libselinux-proc-mount-only-if-needed.patch + * python-selinux-swig-3.10.patch + ------------------------------------------------------------------- Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de diff --git a/libselinux.spec b/libselinux.spec index a7049f4..459890f 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -1,7 +1,7 @@ # # spec file for package libselinux # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,24 +16,19 @@ # -%define libsepol_ver 2.5 +%define libsepol_ver 2.6 Name: libselinux -Version: 2.5 +Version: 2.6 Release: 0 Summary: SELinux runtime library and utilities License: GPL-2.0 and SUSE-Public-Domain Group: Development/Libraries/C and C++ Url: https://github.com/SELinuxProject/selinux/wiki/Releases -Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/%{name}-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf -Patch1: %{name}-2.2-ruby.patch -# PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path -Patch2: python-selinux-swig-3.10.patch -# PATCH-FIX-UPSTREAM Avoid mounting /proc outside of selinux_init_load_policy(). -Patch3: libselinux-proc-mount-only-if-needed.patch # PATCH-FIX-UPSTREAM Include for readv prototype Patch4: readv-proto.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -102,9 +97,6 @@ necessary to develop your own software using libselinux. %prep %setup -q -%patch1 -%patch2 -p1 -%patch3 -p1 %patch4 -p1 %build diff --git a/python-selinux-swig-3.10.patch b/python-selinux-swig-3.10.patch deleted file mode 100644 index 20897e3..0000000 --- a/python-selinux-swig-3.10.patch +++ /dev/null 
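Review bot: The new `Source:` URL in hunk `@@ -16,24 +16,19 @@` is the only reference to the 20161014 release tarball; no detached signature or checksum file is listed beside it, so nothing in the spec lets the build verify that the archive fetched from raw.githubusercontent.com is the one upstream published. If upstream publishes a signature for this release, add it as a further `Source` line together with a keyring file so the source validator can check the tarball; if it does not, a comment above the line such as `# upstream ships no release signature; integrity rests on the copy checked into this package` records that the checked-in archive is the sole anchor. Dropping Patch1-Patch3 is consistent with the changelog entry in this same commit.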
@@ -1,13 +0,0 @@ -Index: b/src/Makefile -=================================================================== ---- a/src/Makefile -+++ b/src/Makefile -@@ -155,7 +155,7 @@ install: all - - install-pywrap: pywrap - test -d $(PYLIBDIR)/site-packages/selinux || install -m 755 -d $(PYLIBDIR)/site-packages/selinux -- install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/selinux/_selinux.so -+ install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/_selinux.so - install -m 755 $(AUDIT2WHYSO) $(PYLIBDIR)/site-packages/selinux/audit2why.so - install -m 644 $(SWIGPYOUT) $(PYLIBDIR)/site-packages/selinux/__init__.py - From 73565031e47315730f3fffd350e9ae6cfcb8b5b905eaa522e06abe1d302a7462 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 30 Mar 2018 09:54:55 +0000 Subject: [PATCH 40/42] Accepting request 590074 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/590074 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=49 --- libselinux-bindings.changes | 6 ++++++ libselinux-bindings.spec | 28 +++++++++++++++++++--------- libselinux.spec | 2 +- python3.patch | 13 +++++++++++++ 4 files changed, 39 insertions(+), 10 deletions(-) create mode 100644 python3.patch diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 3674448..e23b0dc 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Mar 16 15:25:10 UTC 2018 - jsegitz@suse.com + +- Updated spec file to use python3. Added python3.patch to fix + build + ------------------------------------------------------------------- Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 612c00f..29a2990 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec 
@@ -1,7 +1,7 @@ # # spec file for package libselinux-bindings # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,6 +16,8 @@ # +%{?!python_module:%define python_module() python-%{**} python3-%{**}} + %define libsepol_ver 2.6 Name: libselinux-bindings @@ -32,10 +34,12 @@ Source1: selinux-ready Source2: baselibs.conf # PATCH-FIX-UPSTREAM Include for readv prototype Patch4: readv-proto.patch +Patch5: python3.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libsepol-devel-static >= %{libsepol_ver} BuildRequires: pcre-devel -BuildRequires: python-devel +BuildRequires: python-rpm-macros +BuildRequires: python3-devel BuildRequires: ruby-devel BuildRequires: swig @@ -43,14 +47,19 @@ BuildRequires: swig libselinux provides an interface to get and set process and file security contexts and to obtain security policy decisions. -%package -n python-selinux +%package -n python3-selinux Summary: Python bindings for the SELinux runtime library License: SUSE-Public-Domain Group: Development/Libraries/Python +%define oldpython python +%ifpython2 +Obsoletes: %{oldpython}-selinux < %{version} +Provides: %{oldpython}-selinux = %{version} +%endif Requires: libselinux1 = %{version} -Requires: python +Requires: python3 -%description -n python-selinux +%description -n python3-selinux libselinux provides an interface to get and set process and file security contexts and to obtain security policy decisions. 
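Review bot: `Patch5: python3.patch` in hunk `@@ -32,10 +34,12 @@` is added without the `# PATCH-FIX-*` tag comment that the adjacent `Patch4` line carries, so a reader cannot tell whether it is an openSUSE-only workaround or something sent upstream. A one-line comment in the existing style, e.g. `# PATCH-FIX-OPENSUSE build the Python bindings against python3 by default`, keeps the patch list self-describing. The same untagged line reappears as `Patch3: python3.patch` when the bindings are merged into libselinux.spec in a later commit of this series.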
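Review bot: The `Obsoletes`/`Provides` for the old `python-selinux` name in hunk `@@ -43,14 +47,19 @@` sit inside `%ifpython2`, and that conditional appears to hold only while `%python_subpackages` expands a spec per flavor, which this spec does not use, so the two lines are probably never emitted and existing `python-selinux` installs get no upgrade path to `python3-selinux`. If the intent is to replace the python2 package, state them unconditionally: `Obsoletes: python-selinux < %{version}` and `Provides: python-selinux = %{version}`, after which `%define oldpython python` is unnecessary. The `%{?!python_module:...}` define added in hunk `@@ -16,6 +16,8 @@` is likewise not referenced by any visible line. Both constructs are carried over verbatim into libselinux.spec hunks `@@ -16,26 +16,33 @@` and `@@ -168,4 +195,45 @@` in the later merge commit of this series.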
@@ -74,11 +83,12 @@ language. %prep %setup -q -n libselinux-%{version} %patch4 -p1 +%patch5 -p1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src swigify -make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src pywrap +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" PYTHON=/usr/bin/python3 -C src pywrap make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src rubywrap %install @@ -87,10 +97,10 @@ make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-rubywrap rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD_ROOT%{_libdir}/pkgconfig -%files -n python-selinux +%files -n python3-selinux %defattr(-,root,root,-) -%{py_sitedir}/selinux/ -%{py_sitedir}/_selinux.so +%{python3_sitearch}/selinux/ +%{python3_sitearch}/_selinux.so %files -n ruby-selinux %defattr(-,root,root,-) diff --git a/libselinux.spec b/libselinux.spec index 459890f..08a338e 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed diff --git a/python3.patch b/python3.patch new file mode 100644 index 0000000..ae023b5 --- /dev/null +++ b/python3.patch 
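Review bot: `PYTHON=/usr/bin/python3` in hunk `@@ -74,11 +83,12 @@` is passed only to the `pywrap` invocation; the `swigify` line above it and the `install-pywrap` line in hunk `@@ -87,10 +97,10 @@` run with the Makefile default. The build still targets python3 only because `python3.patch`, added in this same commit, rewrites that default, so interpreter selection is split between a patch and a single command-line override, and the two can drift apart on the next rebase. Either pass `PYTHON=/usr/bin/python3` on every `-C src` invocation that builds or installs the Python bindings, or drop the override and add a comment noting that the patch fixes the interpreter; the first option would also make the patch unnecessary.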
@@ -0,0 +1,13 @@ +Index: libselinux-2.6/src/Makefile +=================================================================== +--- libselinux-2.6.orig/src/Makefile 2016-10-14 17:31:26.000000000 +0200 ++++ libselinux-2.6/src/Makefile 2018-03-22 11:33:36.527385495 +0100 +@@ -1,7 +1,7 @@ + # Support building the Python bindings multiple times, against various Python + # runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build + # targets with "PYPREFIX": +-PYTHON ?= python ++PYTHON ?= python3 + PYPREFIX ?= $(notdir $(PYTHON)) + RUBY ?= ruby + RUBYPREFIX ?= $(notdir $(RUBY)) From 8da59021aa465db2ed0bf41a7441938f8e5f9f73aa2347e7c37fd1426ad57347 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Mon, 10 Dec 2018 11:22:27 +0000 Subject: [PATCH 41/42] Accepting request 655712 from security:SELinux - Replace old $RPM_* shell vars. - Merged libselinux-bindings back into main spec file - Update to version 2.8 (bsc#1111732). For changes please see https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt - Update to version 2.7. * %files needed to be heavily modified * Based expressly on python3, not just python For changes please see https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt OBS-URL: https://build.opensuse.org/request/show/655712 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=50 --- libselinux-2.6.tar.gz | 3 - libselinux-2.8.tar.gz | 3 + libselinux-bindings.changes | 313 ------------------------------------ libselinux-bindings.spec | 109 ------------- libselinux.changes | 26 +++ libselinux.spec | 126 +++++++++++---- python3.patch | 8 +- 7 files changed, 130 insertions(+), 458 deletions(-) delete mode 100644 libselinux-2.6.tar.gz create mode 100644 libselinux-2.8.tar.gz delete mode 100644 libselinux-bindings.changes delete mode 100644 libselinux-bindings.spec 
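Review bot: The patch in hunk `@@ -0,0 +1,13 @@` changes a `?=` conditional assignment, `PYTHON ?= python`, which the spec can already override from the command line — it does exactly that with `PYTHON=/usr/bin/python3` for the `pywrap` target — so the downstream patch buys nothing that a make variable on each relevant invocation would not, and unlike a variable it has to be rebased per release (the later commit in this series that rewrites its `Index:` line to libselinux-2.7 is that rebase). If the patch is kept, its header should say why the override route was not taken; the `Index:`/`---`/`+++` lines carry no description.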
diff --git a/libselinux-2.6.tar.gz b/libselinux-2.6.tar.gz
deleted file mode 100644
index 7602e2b..0000000
--- a/libselinux-2.6.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4ea2dde50665c202253ba5caac7738370ea0337c47b251ba981c60d24e1a118a
-size 203119
diff --git a/libselinux-2.8.tar.gz b/libselinux-2.8.tar.gz
new file mode 100644
index 0000000..8bfdf6e
--- /dev/null
+++ b/libselinux-2.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:31db96ec7643ce10912b3c3f98506a08a9116dcfe151855fd349c3fda96187e1
+size 187759
diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes
deleted file mode 100644
index e23b0dc..0000000
--- a/libselinux-bindings.changes
+++ /dev/null
@@ -1,313 +0,0 @@ -------------------------------------------------------------------- -Fri Mar 16 15:25:10 UTC 2018 - jsegitz@suse.com - -- Updated spec file to use python3. Added python3.patch to fix - build - -------------------------------------------------------------------- -Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com - -- Update to version 2.6. Notable changes: - * selinux_restorecon: fix realpath logic - * sefcontext_compile: invert semantics of "-r" flag - * sefcontext_compile: Add "-i" flag - * Introduce configurable backends - * Add function to find security.restorecon_last entries - * Add openrc_contexts functions - * Add support for pcre2 - * Handle NULL pcre study data - * Add setfiles support to selinux_restorecon(3) - * Evaluate inodes in selinux_restorecon(3) - * Change the location of _selinux.so - * Explain how to free policy type from selinux_getpolicytype() - * Compare absolute pathname in matchpathcon -V - * Add selinux_snapperd_contexts_path() - * Modify audit2why analyze function to use loaded policy - * Avoid mounting /proc outside of selinux_init_load_policy() - * Fix location of selinuxfs mount point - * Only mount /proc if necessary - * procattr: return einval for <= 0 pid args - * procattr: return error on invalid pid_t input -- Dropped - * libselinux-2.2-ruby.patch - * libselinux-proc-mount-only-if-needed.patch - * python-selinux-swig-3.10.patch - -------------------------------------------------------------------- -Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de - -- readv-proto.patch: include for readv prototype - -------------------------------------------------------------------- -Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de - -- Update RPM groups, trim description and combine filelist entries. 
- -------------------------------------------------------------------- -Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com - -- Adjusted source link - -------------------------------------------------------------------- -Tue Jul 5 16:44:44 UTC 2016 - i@marguerite.su - -- add patch: python-selinux-swig-3.10.patch, fixed boo#985368 - * swig-3.10 in Factory use importlib instead of imp to find - _selinux.so. imp searched the same directory as __init__.py - is while importlib searchs only standard paths. so we have - to move _selinux.so. fixed by upstream -- update version 2.5 - * Add selinux_restorecon function - * read_spec_entry: fail on non-ascii - * Add man information about thread specific functions - * Don't wrap rpm_execcon with DISABLE_RPM with SWIG - * Correct line count for property and service context files - * label_file: fix memory leaks and uninitialized jump - * Replace selabel_digest hash function - * Fix selabel_open(3) services if no digest requested - * Add selabel_digest function - * Flush the class/perm string mapping cache on policy reload - * Fix restorecon when path has no context - * Free memory when processing media and x specfiles - * Fix mmap memory release for file labeling - * Add policy context validation to sefcontext_compile - * Do not treat an empty file_contexts(.local) as an error - * Fail hard on invalid property_contexts entries - * Fail hard on invalid file_contexts entries - * Support context validation on file_contexts.bin - * Add selabel_cmp interface and label_file backend - * Support specifying file_contexts.bin file path - * Support file_contexts.bin without file_contexts - * Simplify procattr cache - * Use /proc/thread-self when available - * Add const to selinux_opt for label backends - * Fix binary file labels for regexes with metachars - * Fix file labels for regexes with metachars - * Fix if file_contexts not '\n' terminated - * Enhance file context support - * Fix property processing and cleanup formatting - * Add 
read_spec_entries function to replace sscanf - * Support consistent mode size for bin files - * Fix more bin file processing core dumps - * add selinux_openssh_contexts_path() - * setrans_client: minimize overhead when mcstransd is not present - * Ensure selabel_lookup_best_match links NULL terminated - * Fix core dumps with corrupt *.bin files - * Add selabel partial and best match APIs - * Use os.walk() instead of the deprecated os.path.walk() - * Remove deprecated mudflap option - * Mount procfs before checking /proc/filesystems - * Fix -Wformat errors with gcc-5.0.0 - * label_file: handle newlines in file names - * Fix audit2why error handling if SELinux is disabled - * pcre_study can return NULL without error - * Only check SELinux enabled status once in selinux_check_access -- changes in 2.4 - * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR - * Fix bugs found by hardened gcc flags - * Set the system to permissive if failing to disable SELinux because - policy has already been loaded - * Add db_exception and db_datatype support to label_db backend - * Log an error on unknown classes and permissions - * Add pcre version string to the compiled file_contexts format - * Deprecate use of flask.h and av_permissions.h - * Compiled file_context files and the original should have the same DAC - permissions -------------------------------------------------------------------- -Wed May 27 11:53:54 UTC 2015 - dimstar@opensuse.org - -- Update libselinux-2.2-ruby.patch: use RbConfig instead of - deprecated Config. - -------------------------------------------------------------------- -Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org - -- Update to version 2.3 -* Get rid of security_context_t and fix const declarations. -* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover. 
- -------------------------------------------------------------------- -Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com - -- Update to version 2.2 - * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode. - * Support overriding Makefile RANLIB - * Update pkgconfig definition - * Mount sysfs before trying to mount selinuxfs. - * Fix man pages - * Support overriding PATH and LIBBASE in Makefile - * Fix LDFLAGS usage - * Avoid shadowing stat in load_mmap - * Support building on older PCRE libraries - * Fix handling of temporary file in sefcontext_compile - * Fix procattr cache - * Define python constants for getenforce result - * Fix label substitution handling of / - * Add selinux_current_policy_path from - * Change get_context_list to only return good matches - * Support udev-197 and higher - * Add support for local substitutions - * Change setfilecon to not return ENOSUP if context is already correct - * Python wrapper leak fixes - * Export SELINUX_TRANS_DIR definition in selinux.h - * Add selinux_systemd_contexts_path - * Add selinux_set_policy_root - * Add man page for sefcontext_compile -- Remove libselinux-rhat.patch; merged on upstream -- Adapt libselinux-ruby.patch to upstream changes -- Use fdupes to symlink duplicate manpages - -------------------------------------------------------------------- -Thu Jun 27 14:57:53 UTC 2013 - vcizek@suse.com - -- change the source url to the official 2.1.13 release tarball - -------------------------------------------------------------------- -Wed Jan 30 12:33:45 UTC 2013 - vcizek@suse.com - -- update to 2.1.12 -- added BuildRequires: pcre-devel - -------------------------------------------------------------------- -Mon Jan 7 22:34:03 UTC 2013 - jengelh@inai.de - -- Remove obsolete defines/sections - -------------------------------------------------------------------- -Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com - -- updated to 2.1.9 again (see below) - 
-------------------------------------------------------------------- -Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de - -- update to libselinux-2.1.9 - * better man pages - * selinux_status interfaces - * simple interface for access checks - * multiple bug fixes -- fix build for ruby-1.9 - -------------------------------------------------------------------- -Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de - -- use %_smp_mflags - -------------------------------------------------------------------- -Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz - -- updated to 2.0.91 - * changes too numerous to list - -------------------------------------------------------------------- -Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de - -- add baselibs.conf as a source - -------------------------------------------------------------------- -Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com - -- updated selinux-ready script - -------------------------------------------------------------------- -Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz - -- change libsepol-devel to libsepol-devel-static in dependencies - of python bindings - -------------------------------------------------------------------- -Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz - -- put libsepol-devel back to Requires of libselinux-devel - -------------------------------------------------------------------- -Mon Jun 29 21:24:16 CEST 2009 - prusnak@suse.cz - -- added selinux-ready tool to selinux-tools package - -------------------------------------------------------------------- -Tue Jun 9 20:17:54 CEST 2009 - crrodriguez@suse.de - -- remove static libraries -- libselinux-devel does not require libsepol-devel - -------------------------------------------------------------------- -Wed May 27 14:06:14 CEST 2009 - prusnak@suse.cz - -- updated to 2.0.80 - * deny_unknown wrapper function from KaiGai Kohei - * security_compute_av_flags API from KaiGai Kohei - * Netlink socket management and callbacks from KaiGai Kohei - * 
Netlink socket handoff patch from Adam Jackson - * AVC caching of compute_create results by Eric Paris - * fix incorrect conversion in discover_class code - -------------------------------------------------------------------- -Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz - -- fixed memory leak (memleak.patch) - -------------------------------------------------------------------- -Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz - -- updated to 2.0.77 - * add new function getseuser which will take username and service - and return seuser and level; ipa will populate file in future - * change selinuxdefcon to return just the context by default - * fix segfault if seusers file does not work - * strip trailing / for matchpathcon - * fix restorecon python code - -------------------------------------------------------------------- -Mon Dec 1 11:32:50 CET 2008 - prusnak@suse.cz - -- updated to 2.0.76 - * allow shell-style wildcarding in X names - * add Restorecon/Install python functions - * correct message types in AVC log messages - * make matchpathcon -V pass mode - * add man page for selinux_file_context_cmp - * update flask headers from refpolicy trunk - -------------------------------------------------------------------- -Wed Oct 22 16:28:59 CEST 2008 - mrueckert@suse.de - -- fix debug_packages_requires define - -------------------------------------------------------------------- -Tue Sep 23 12:51:10 CEST 2008 - prusnak@suse.cz - -- require only version, not release [bnc#429053] - -------------------------------------------------------------------- -Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz - -- updated to 2.0.71 - * Add group support to seusers using %groupname syntax from Dan Walsh. - * Mark setrans socket close-on-exec from Stephen Smalley. - * Only apply nodups checking to base file contexts from Stephen Smalley. - * Merge ruby bindings from Dan Walsh. 
- -------------------------------------------------------------------- -Mon Sep 1 07:35:00 CEST 2008 - aj@suse.de - -- Fix build of debuginfo. - -------------------------------------------------------------------- -Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz - -- added baselibs.conf file -- split bindings into separate subpackage (libselinux-bindings) -- split tools into separate subpackage (selinux-tools) - -------------------------------------------------------------------- -Fri Aug 1 17:32:20 CEST 2008 - ro@suse.de - -- fix requires for debuginfo package - -------------------------------------------------------------------- -Tue Jul 15 16:26:31 CEST 2008 - prusnak@suse.cz - -- initial version 2.0.67 - * based on Fedora package by Dan Walsh - diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec deleted file mode 100644 index 29a2990..0000000 --- a/libselinux-bindings.spec +++ /dev/null 
@@ -1,109 +0,0 @@ -# -# spec file for package libselinux-bindings -# -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. -# -# All modifications and additions to the file contributed by third parties -# remain the property of their copyright owners, unless otherwise agreed -# upon. The license for this file, and modifications and additions to the -# file, is the same license as for the pristine package itself (unless the -# license for the pristine package is not an Open Source License, in which -# case the license is the MIT License). An "Open Source License" is a -# license that conforms to the Open Source Definition (Version 1.9) -# published by the Open Source Initiative. - -# Please submit bugfixes or comments via http://bugs.opensuse.org/ -# - - -%{?!python_module:%define python_module() python-%{**} python3-%{**}} - -%define libsepol_ver 2.6 - -Name: libselinux-bindings -Version: 2.6 -Release: 0 -Summary: SELinux runtime library and simple utilities -License: GPL-2.0 and SUSE-Public-Domain -Group: Development/Libraries/C and C++ -Url: https://github.com/SELinuxProject/selinux/wiki/Releases - -# embedded is the MD5 -Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/libselinux-%{version}.tar.gz -Source1: selinux-ready -Source2: baselibs.conf -# PATCH-FIX-UPSTREAM Include for readv prototype -Patch4: readv-proto.patch -Patch5: python3.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: libsepol-devel-static >= %{libsepol_ver} -BuildRequires: pcre-devel -BuildRequires: python-rpm-macros -BuildRequires: python3-devel -BuildRequires: ruby-devel -BuildRequires: swig - -%description -libselinux provides an interface to get and set process and file -security contexts and to obtain security policy decisions. 
- -%package -n python3-selinux -Summary: Python bindings for the SELinux runtime library -License: SUSE-Public-Domain -Group: Development/Libraries/Python -%define oldpython python -%ifpython2 -Obsoletes: %{oldpython}-selinux < %{version} -Provides: %{oldpython}-selinux = %{version} -%endif -Requires: libselinux1 = %{version} -Requires: python3 - -%description -n python3-selinux -libselinux provides an interface to get and set process and file -security contexts and to obtain security policy decisions. - -This subpackage contains Python extensions to use SELinux from that -language. - -%package -n ruby-selinux -Summary: Ruby bindings for the SELinux runtime library -License: SUSE-Public-Domain -Group: Development/Languages/Ruby -Requires: libselinux1 = %{version} -Requires: ruby - -%description -n ruby-selinux -libselinux provides an interface to get and set process and file -security contexts and to obtain security policy decisions. - -This subpackage contains Ruby extensions to use SELinux from that -language. 
- -%prep -%setup -q -n libselinux-%{version} -%patch4 -p1 -%patch5 -p1 - -%build -make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src -make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src swigify -make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" PYTHON=/usr/bin/python3 -C src pywrap -make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src rubywrap - -%install -make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install -make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-pywrap -make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-rubywrap -rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD_ROOT%{_libdir}/pkgconfig - -%files -n python3-selinux -%defattr(-,root,root,-) -%{python3_sitearch}/selinux/ -%{python3_sitearch}/_selinux.so - -%files -n ruby-selinux -%defattr(-,root,root,-) -%{_libdir}/ruby/vendor_ruby/%{rb_ver}/%{rb_arch}/selinux.so - -%changelog diff --git a/libselinux.changes b/libselinux.changes index fdc217a..a94eadd 100644 --- a/libselinux.changes +++ b/libselinux.changes 
@@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Thu Nov 29 19:10:14 UTC 2018 - Jan Engelhardt + +- Replace old $RPM_* shell vars. + +------------------------------------------------------------------- +Wed Nov 21 10:38:23 UTC 2018 - jsegitz@suse.com + +- Merged libselinux-bindings back into main spec file + +------------------------------------------------------------------- +Wed Oct 17 11:48:30 UTC 2018 - jsegitz@suse.com + +- Update to version 2.8 (bsc#1111732). + For changes please see + https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt + +------------------------------------------------------------------- +Mon May 14 22:45:54 UTC 2018 - mcepl@cepl.eu + +- Update to version 2.7. + * %files needed to be heavily modified + * Based expressly on python3, not just python + For changes please see + https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt + ------------------------------------------------------------------- Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com diff --git a/libselinux.spec b/libselinux.spec index 08a338e..c517097 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -16,26 +16,33 @@ # -%define libsepol_ver 2.6 +%define libsepol_ver 2.8 +%{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: libselinux -Version: 2.6 +Version: 2.8 Release: 0 Summary: SELinux runtime library and utilities -License: GPL-2.0 and SUSE-Public-Domain +License: GPL-2.0-only AND SUSE-Public-Domain Group: Development/Libraries/C and C++ Url: https://github.com/SELinuxProject/selinux/wiki/Releases - -Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/%{name}-%{version}.tar.gz +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libselinux-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf +Patch3: python3.patch # PATCH-FIX-UPSTREAM Include for readv prototype Patch4: readv-proto.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes BuildRequires: libsepol-devel >= %{libsepol_ver} +BuildRequires: libsepol-devel-static >= %{libsepol_ver} BuildRequires: pcre-devel BuildRequires: pkg-config +BuildRequires: python-rpm-macros +BuildRequires: python3 +BuildRequires: python3-devel +BuildRequires: ruby-devel +BuildRequires: swig %description libselinux provides an interface to get and set process and file @@ -43,6 +50,7 @@ security contexts and to obtain security policy decisions. %package -n libselinux1 Summary: SELinux runtime library +License: GPL-2.0-only AND SUSE-Public-Domain Group: System/Libraries %description -n libselinux1 @@ -56,6 +64,7 @@ Security.) %package -n selinux-tools Summary: SELinux command-line utilities +License: GPL-2.0-only AND SUSE-Public-Domain Group: System/Base %description -n selinux-tools @@ -69,6 +78,7 @@ system's SELinux state. %package devel Summary: Development files for the SELinux runtime library +License: GPL-2.0-only AND SUSE-Public-Domain Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libselinux1 = %{version} 
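Review bot: `BuildRequires: python3` next to `BuildRequires: python3-devel` in hunk `@@ -16,26 +16,33 @@` is most likely redundant, since the -devel package should pull the interpreter in, and `%{?!python_module:%define python_module() ...}` is defined here while `%python_module` is not used in any visible hunk of this spec, so the define looks dead. `Patch3: python3.patch` also lacks the `# PATCH-FIX-*` tag comment that `Patch4` carries. The switch from `%{name}-%{version}` to `libselinux-%{version}` in the `Source:` line is a no-op while Name is libselinux; keeping `%{name}` avoids touching the line if the package is renamed again, as happened with the bindings.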
@@ -83,6 +93,7 @@ necessary to develop your own software using libselinux. %package devel-static Summary: Static archives for the SELinux runtime +License: GPL-2.0-only AND SUSE-Public-Domain Group: Development/Libraries/C and C++ Requires: libselinux-devel = %{version} Requires: pkgconfig(libpcre) 
@@ -96,34 +107,49 @@ This package contains the static development files, which are necessary to develop your own software using libselinux. %prep -%setup -q +%setup -q -n libselinux-%{version} +%patch3 -p1 %patch4 -p1 %build -make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS" +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" CC="%{__cc}" +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src V=1 +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src swigify V=1 +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src pywrap V=1 +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src rubywrap V=1 %install -mkdir -p $RPM_BUILD_ROOT/%{_lib} -mkdir -p $RPM_BUILD_ROOT%{_libdir} -mkdir -p $RPM_BUILD_ROOT%{_includedir} -mkdir -p $RPM_BUILD_ROOT%{_sbindir} -make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" BINDIR="$RPM_BUILD_ROOT%{_sbindir}" install -rm -f $RPM_BUILD_ROOT%{_sbindir}/compute_* -rm -f $RPM_BUILD_ROOT%{_sbindir}/deftype -rm -f $RPM_BUILD_ROOT%{_sbindir}/execcon -rm -f $RPM_BUILD_ROOT%{_sbindir}/getenforcemode -rm -f $RPM_BUILD_ROOT%{_sbindir}/getfilecon -rm -f $RPM_BUILD_ROOT%{_sbindir}/getpidcon -rm -f $RPM_BUILD_ROOT%{_sbindir}/mkdircon -rm -f $RPM_BUILD_ROOT%{_sbindir}/policyvers -rm -f $RPM_BUILD_ROOT%{_sbindir}/setfilecon -rm -f $RPM_BUILD_ROOT%{_sbindir}/selinuxconfig -rm -f $RPM_BUILD_ROOT%{_sbindir}/selinuxdisable -rm -f $RPM_BUILD_ROOT%{_sbindir}/getseuser -rm -f $RPM_BUILD_ROOT%{_sbindir}/selinux_check_securetty_context -mv $RPM_BUILD_ROOT%{_sbindir}/getdefaultcon $RPM_BUILD_ROOT%{_sbindir}/selinuxdefcon -mv $RPM_BUILD_ROOT%{_sbindir}/getconlist $RPM_BUILD_ROOT%{_sbindir}/selinuxconlist -install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready +mkdir -p %{buildroot}/%{_lib} +mkdir -p %{buildroot}/%{_libdir} +mkdir -p %{buildroot}/%{_includedir} +mkdir -p %{buildroot}/%{_sbindir} +%make_install 
LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" BINDIR="%{_sbindir}" +rm -f %{buildroot}/%{_sbindir}/compute_* +rm -f %{buildroot}/%{_sbindir}/deftype +rm -f %{buildroot}/%{_sbindir}/execcon +rm -f %{buildroot}/%{_sbindir}/getenforcemode +rm -f %{buildroot}/%{_sbindir}/getfilecon +rm -f %{buildroot}/%{_sbindir}/getpidcon +rm -f %{buildroot}/%{_sbindir}/mkdircon +rm -f %{buildroot}/%{_sbindir}/policyvers +rm -f %{buildroot}/%{_sbindir}/setfilecon +rm -f %{buildroot}/%{_sbindir}/selinuxconfig +rm -f %{buildroot}/%{_sbindir}/selinuxdisable +rm -f %{buildroot}/%{_sbindir}/getseuser +rm -f %{buildroot}/%{_sbindir}/selinux_check_securetty_context +mv %{buildroot}/%{_sbindir}/getdefaultcon %{buildroot}/%{_sbindir}/selinuxdefcon +mv %{buildroot}/%{_sbindir}/getconlist %{buildroot}/%{_sbindir}/selinuxconlist +install -m 0755 %{SOURCE1} %{buildroot}/%{_sbindir}/selinux-ready + +%make_install LIBDIR="%{_libdir}" \ + SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \ + -C src V=1 +make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \ + SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \ + -C src install-pywrap V=1 +make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \ + SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \ + -C src install-rubywrap V=1 # Remove duplicate files %fdupes -s %{buildroot}%{_mandir} @@ -139,6 +165,7 @@ install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready %{_sbindir}/matchpathcon %{_sbindir}/selabel_digest %{_sbindir}/selabel_lookup +%{_sbindir}/selinux_check_access %{_sbindir}/selabel_lookup_best_match %{_sbindir}/selabel_partial_match %{_sbindir}/selinuxconlist @@ -146,7 +173,7 @@ install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready %{_sbindir}/selinuxenabled %{_sbindir}/setenforce %{_sbindir}/togglesebool -%{_sbindir}/selinux_restorecon +#%#{_sbindir}/selinux_restorecon %{_sbindir}/selinux-ready %{_sbindir}/selinuxexeccon %{_sbindir}/sefcontext_compile 
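Review bot: In hunk `@@ -96,34 +107,49 @@` the `%install` section runs `%make_install` at the top level and then `%make_install ... -C src` again with extra variables; if the top-level install already descends into `src` (the top-level Makefile is not visible here, but the top-level `%build` line is relied on for compilation), the second pass reinstalls the same files, and since `LIBSEPOLA` is passed only on the second run the two passes may not even produce identical artifacts. It would be clearer to install once, passing `LIBSEPOLA=%{_libdir}/libsepol.a` on the top-level call, and keep the plain `make DESTDIR=... -C src install-pywrap`/`install-rubywrap` lines for the bindings-only targets. The same duplication exists in `%build`, where the top-level `make` is followed by `make ... -C src V=1`. Also, `%{buildroot}/%{_libdir}`, `%{buildroot}/%{_includedir}` and `%{buildroot}/%{_sbindir}` produce double slashes because those macros are absolute; `%{buildroot}%{_libdir}` is the usual form.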
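Review bot: `#%#{_sbindir}/selinux_restorecon` in hunk `@@ -146,7 +173,7 @@` is a commented-out `%files` entry, which leaves the reader guessing whether the binary is no longer produced by 2.8 or is built and deliberately left out. Since an installed-but-unlisted file would fail the build as unpackaged, the binary is presumably not installed any more and the line should simply be deleted; if it is built and unwanted, remove it in `%install` with a `rm -f` and a comment saying why, as the other tools are handled. `%{_sbindir}/selinux_check_access` in hunk `@@ -139,6 +165,7 @@` is inserted between the `selabel_*` entries, breaking the otherwise alphabetical list.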
@@ -168,4 +195,45 @@ install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready
 %defattr(-,root,root,-)
 %{_libdir}/libselinux.a
+%package -n python3-selinux
+Summary: Python bindings for the SELinux runtime library
+License: SUSE-Public-Domain
+Group: Development/Libraries/Python
+%define oldpython python
+%ifpython2
+Obsoletes: %{oldpython}-selinux < %{version}
+Provides: %{oldpython}-selinux = %{version}
+%endif
+Requires: libselinux1 = %{version}
+Requires: python3
+
+%description -n python3-selinux
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
+This subpackage contains Python extensions to use SELinux from that
+language.
+
+%package -n ruby-selinux
+Summary: Ruby bindings for the SELinux runtime library
+License: SUSE-Public-Domain
+Group: Development/Languages/Ruby
+Requires: libselinux1 = %{version}
+Requires: ruby
+
+%description -n ruby-selinux
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
+This subpackage contains Ruby extensions to use SELinux from that
+language.
+
+%files -n python3-selinux
+%defattr(-,root,root,-)
+%{python3_sitearch}/*selinux*
+
+%files -n ruby-selinux
+%defattr(-,root,root,-)
+%{_libdir}/ruby/vendor_ruby/%{rb_ver}/%{rb_arch}/selinux.so
+
 %changelog
diff --git a/python3.patch b/python3.patch
index ae023b5..58a2136 100644
--- a/python3.patch
+++ b/python3.patch
@@ -1,13 +1,13 @@
-Index: libselinux-2.6/src/Makefile
+Index: libselinux-2.7/src/Makefile
 ===================================================================
---- libselinux-2.6.orig/src/Makefile 2016-10-14 17:31:26.000000000 +0200
-+++ libselinux-2.6/src/Makefile 2018-03-22 11:33:36.527385495 +0100
+--- libselinux-2.7.orig/src/Makefile
++++ libselinux-2.7/src/Makefile
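Review bot: `%{python3_sitearch}/*selinux*` in the python3-selinux file list packages by glob, so anything the install step drops into site-packages with "selinux" in its name is shipped without ever appearing in the spec; naming the two artefacts, `%{python3_sitearch}/selinux/` and `%{python3_sitearch}/_selinux.so`, as the separate bindings spec in the later commit does, keeps the package contents reviewable. The `%ifpython2` guard around `Obsoletes:`/`Provides: %{oldpython}-selinux` sits in a hand-written `%package -n python3-selinux`, not a `%python_subpackages` flavour, so it is presumably never true here and the upgrade path from the old python-selinux package is not declared; either make the two tags unconditional or delete the block. The same `%ifpython2` block reappears in the new libselinux-bindings.spec in the following commit.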
@@ -1,7 +1,7 @@ # Support building the Python bindings multiple times, against various Python # runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build # targets with "PYPREFIX": -PYTHON ?= python +PYTHON ?= python3 - PYPREFIX ?= $(notdir $(PYTHON)) + PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python-%d.%d" % sys.version_info[:2])') RUBY ?= ruby RUBYPREFIX ?= $(notdir $(RUBY)) From 085241904e90be2d435bd9feee6bf4dc588e81878ec471d55b9377626a905c92 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Mon, 10 Dec 2018 21:42:31 +0000 Subject: [PATCH 42/42] Accepting request 656944 from openSUSE:Factory Revert to previous rev - merged bindings would require python[23] in ring0, which is inacceptable OBS-URL: https://build.opensuse.org/request/show/656944 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=51 --- libselinux-2.6.tar.gz | 3 + libselinux-2.8.tar.gz | 3 - libselinux-bindings.changes | 313 ++++++++++++++++++++++++++++++++++++ libselinux-bindings.spec | 109 +++++++++++++ libselinux.changes | 26 --- libselinux.spec | 126 ++++----------- python3.patch | 8 +- 7 files changed, 458 insertions(+), 130 deletions(-) create mode 100644 libselinux-2.6.tar.gz delete mode 100644 libselinux-2.8.tar.gz create mode 100644 libselinux-bindings.changes create mode 100644 libselinux-bindings.spec diff --git a/libselinux-2.6.tar.gz b/libselinux-2.6.tar.gz new file mode 100644 index 0000000..7602e2b --- /dev/null +++ b/libselinux-2.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4ea2dde50665c202253ba5caac7738370ea0337c47b251ba981c60d24e1a118a +size 203119 diff --git a/libselinux-2.8.tar.gz b/libselinux-2.8.tar.gz deleted file mode 100644 index 8bfdf6e..0000000 --- a/libselinux-2.8.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:31db96ec7643ce10912b3c3f98506a08a9116dcfe151855fd349c3fda96187e1 -size 187759 
diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes new file mode 100644 index 0000000..e23b0dc --- /dev/null +++ b/libselinux-bindings.changes 
@@ -0,0 +1,313 @@ +------------------------------------------------------------------- +Fri Mar 16 15:25:10 UTC 2018 - jsegitz@suse.com + +- Updated spec file to use python3. Added python3.patch to fix + build + +------------------------------------------------------------------- +Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com + +- Update to version 2.6. Notable changes: + * selinux_restorecon: fix realpath logic + * sefcontext_compile: invert semantics of "-r" flag + * sefcontext_compile: Add "-i" flag + * Introduce configurable backends + * Add function to find security.restorecon_last entries + * Add openrc_contexts functions + * Add support for pcre2 + * Handle NULL pcre study data + * Add setfiles support to selinux_restorecon(3) + * Evaluate inodes in selinux_restorecon(3) + * Change the location of _selinux.so + * Explain how to free policy type from selinux_getpolicytype() + * Compare absolute pathname in matchpathcon -V + * Add selinux_snapperd_contexts_path() + * Modify audit2why analyze function to use loaded policy + * Avoid mounting /proc outside of selinux_init_load_policy() + * Fix location of selinuxfs mount point + * Only mount /proc if necessary + * procattr: return einval for <= 0 pid args + * procattr: return error on invalid pid_t input +- Dropped + * libselinux-2.2-ruby.patch + * libselinux-proc-mount-only-if-needed.patch + * python-selinux-swig-3.10.patch + +------------------------------------------------------------------- +Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de + +- readv-proto.patch: include for readv prototype + +------------------------------------------------------------------- +Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de + +- Update RPM groups, trim description and combine filelist entries. 
+ +------------------------------------------------------------------- +Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com + +- Adjusted source link + +------------------------------------------------------------------- +Tue Jul 5 16:44:44 UTC 2016 - i@marguerite.su + +- add patch: python-selinux-swig-3.10.patch, fixed boo#985368 + * swig-3.10 in Factory use importlib instead of imp to find + _selinux.so. imp searched the same directory as __init__.py + is while importlib searchs only standard paths. so we have + to move _selinux.so. fixed by upstream +- update version 2.5 + * Add selinux_restorecon function + * read_spec_entry: fail on non-ascii + * Add man information about thread specific functions + * Don't wrap rpm_execcon with DISABLE_RPM with SWIG + * Correct line count for property and service context files + * label_file: fix memory leaks and uninitialized jump + * Replace selabel_digest hash function + * Fix selabel_open(3) services if no digest requested + * Add selabel_digest function + * Flush the class/perm string mapping cache on policy reload + * Fix restorecon when path has no context + * Free memory when processing media and x specfiles + * Fix mmap memory release for file labeling + * Add policy context validation to sefcontext_compile + * Do not treat an empty file_contexts(.local) as an error + * Fail hard on invalid property_contexts entries + * Fail hard on invalid file_contexts entries + * Support context validation on file_contexts.bin + * Add selabel_cmp interface and label_file backend + * Support specifying file_contexts.bin file path + * Support file_contexts.bin without file_contexts + * Simplify procattr cache + * Use /proc/thread-self when available + * Add const to selinux_opt for label backends + * Fix binary file labels for regexes with metachars + * Fix file labels for regexes with metachars + * Fix if file_contexts not '\n' terminated + * Enhance file context support + * Fix property processing and cleanup formatting + * Add 
read_spec_entries function to replace sscanf + * Support consistent mode size for bin files + * Fix more bin file processing core dumps + * add selinux_openssh_contexts_path() + * setrans_client: minimize overhead when mcstransd is not present + * Ensure selabel_lookup_best_match links NULL terminated + * Fix core dumps with corrupt *.bin files + * Add selabel partial and best match APIs + * Use os.walk() instead of the deprecated os.path.walk() + * Remove deprecated mudflap option + * Mount procfs before checking /proc/filesystems + * Fix -Wformat errors with gcc-5.0.0 + * label_file: handle newlines in file names + * Fix audit2why error handling if SELinux is disabled + * pcre_study can return NULL without error + * Only check SELinux enabled status once in selinux_check_access +- changes in 2.4 + * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR + * Fix bugs found by hardened gcc flags + * Set the system to permissive if failing to disable SELinux because + policy has already been loaded + * Add db_exception and db_datatype support to label_db backend + * Log an error on unknown classes and permissions + * Add pcre version string to the compiled file_contexts format + * Deprecate use of flask.h and av_permissions.h + * Compiled file_context files and the original should have the same DAC + permissions +------------------------------------------------------------------- +Wed May 27 11:53:54 UTC 2015 - dimstar@opensuse.org + +- Update libselinux-2.2-ruby.patch: use RbConfig instead of + deprecated Config. + +------------------------------------------------------------------- +Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org + +- Update to version 2.3 +* Get rid of security_context_t and fix const declarations. +* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover. 
+ +------------------------------------------------------------------- +Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com + +- Update to version 2.2 + * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode. + * Support overriding Makefile RANLIB + * Update pkgconfig definition + * Mount sysfs before trying to mount selinuxfs. + * Fix man pages + * Support overriding PATH and LIBBASE in Makefile + * Fix LDFLAGS usage + * Avoid shadowing stat in load_mmap + * Support building on older PCRE libraries + * Fix handling of temporary file in sefcontext_compile + * Fix procattr cache + * Define python constants for getenforce result + * Fix label substitution handling of / + * Add selinux_current_policy_path from + * Change get_context_list to only return good matches + * Support udev-197 and higher + * Add support for local substitutions + * Change setfilecon to not return ENOSUP if context is already correct + * Python wrapper leak fixes + * Export SELINUX_TRANS_DIR definition in selinux.h + * Add selinux_systemd_contexts_path + * Add selinux_set_policy_root + * Add man page for sefcontext_compile +- Remove libselinux-rhat.patch; merged on upstream +- Adapt libselinux-ruby.patch to upstream changes +- Use fdupes to symlink duplicate manpages + +------------------------------------------------------------------- +Thu Jun 27 14:57:53 UTC 2013 - vcizek@suse.com + +- change the source url to the official 2.1.13 release tarball + +------------------------------------------------------------------- +Wed Jan 30 12:33:45 UTC 2013 - vcizek@suse.com + +- update to 2.1.12 +- added BuildRequires: pcre-devel + +------------------------------------------------------------------- +Mon Jan 7 22:34:03 UTC 2013 - jengelh@inai.de + +- Remove obsolete defines/sections + +------------------------------------------------------------------- +Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com + +- updated to 2.1.9 again (see below) + 
+------------------------------------------------------------------- +Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de + +- update to libselinux-2.1.9 + * better man pages + * selinux_status interfaces + * simple interface for access checks + * multiple bug fixes +- fix build for ruby-1.9 + +------------------------------------------------------------------- +Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de + +- use %_smp_mflags + +------------------------------------------------------------------- +Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz + +- updated to 2.0.91 + * changes too numerous to list + +------------------------------------------------------------------- +Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source + +------------------------------------------------------------------- +Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com + +- updated selinux-ready script + +------------------------------------------------------------------- +Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz + +- change libsepol-devel to libsepol-devel-static in dependencies + of python bindings + +------------------------------------------------------------------- +Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz + +- put libsepol-devel back to Requires of libselinux-devel + +------------------------------------------------------------------- +Mon Jun 29 21:24:16 CEST 2009 - prusnak@suse.cz + +- added selinux-ready tool to selinux-tools package + +------------------------------------------------------------------- +Tue Jun 9 20:17:54 CEST 2009 - crrodriguez@suse.de + +- remove static libraries +- libselinux-devel does not require libsepol-devel + +------------------------------------------------------------------- +Wed May 27 14:06:14 CEST 2009 - prusnak@suse.cz + +- updated to 2.0.80 + * deny_unknown wrapper function from KaiGai Kohei + * security_compute_av_flags API from KaiGai Kohei + * Netlink socket management and callbacks from KaiGai Kohei + * 
Netlink socket handoff patch from Adam Jackson + * AVC caching of compute_create results by Eric Paris + * fix incorrect conversion in discover_class code + +------------------------------------------------------------------- +Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz + +- fixed memory leak (memleak.patch) + +------------------------------------------------------------------- +Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz + +- updated to 2.0.77 + * add new function getseuser which will take username and service + and return seuser and level; ipa will populate file in future + * change selinuxdefcon to return just the context by default + * fix segfault if seusers file does not work + * strip trailing / for matchpathcon + * fix restorecon python code + +------------------------------------------------------------------- +Mon Dec 1 11:32:50 CET 2008 - prusnak@suse.cz + +- updated to 2.0.76 + * allow shell-style wildcarding in X names + * add Restorecon/Install python functions + * correct message types in AVC log messages + * make matchpathcon -V pass mode + * add man page for selinux_file_context_cmp + * update flask headers from refpolicy trunk + +------------------------------------------------------------------- +Wed Oct 22 16:28:59 CEST 2008 - mrueckert@suse.de + +- fix debug_packages_requires define + +------------------------------------------------------------------- +Tue Sep 23 12:51:10 CEST 2008 - prusnak@suse.cz + +- require only version, not release [bnc#429053] + +------------------------------------------------------------------- +Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz + +- updated to 2.0.71 + * Add group support to seusers using %groupname syntax from Dan Walsh. + * Mark setrans socket close-on-exec from Stephen Smalley. + * Only apply nodups checking to base file contexts from Stephen Smalley. + * Merge ruby bindings from Dan Walsh. 
+ +------------------------------------------------------------------- +Mon Sep 1 07:35:00 CEST 2008 - aj@suse.de + +- Fix build of debuginfo. + +------------------------------------------------------------------- +Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz + +- added baselibs.conf file +- split bindings into separate subpackage (libselinux-bindings) +- split tools into separate subpackage (selinux-tools) + +------------------------------------------------------------------- +Fri Aug 1 17:32:20 CEST 2008 - ro@suse.de + +- fix requires for debuginfo package + +------------------------------------------------------------------- +Tue Jul 15 16:26:31 CEST 2008 - prusnak@suse.cz + +- initial version 2.0.67 + * based on Fedora package by Dan Walsh + diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec new file mode 100644 index 0000000..29a2990 --- /dev/null +++ b/libselinux-bindings.spec 
@@ -0,0 +1,109 @@
+#
+# spec file for package libselinux-bindings
+#
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+
+%{?!python_module:%define python_module() python-%{**} python3-%{**}}
+
+%define libsepol_ver 2.6
+
+Name: libselinux-bindings
+Version: 2.6
+Release: 0
+Summary: SELinux runtime library and simple utilities
+License: GPL-2.0 and SUSE-Public-Domain
+Group: Development/Libraries/C and C++
+Url: https://github.com/SELinuxProject/selinux/wiki/Releases
+
+# embedded is the MD5
+Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/libselinux-%{version}.tar.gz
+Source1: selinux-ready
+Source2: baselibs.conf
+# PATCH-FIX-UPSTREAM Include for readv prototype
+Patch4: readv-proto.patch
+Patch5: python3.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildRequires: libsepol-devel-static >= %{libsepol_ver}
+BuildRequires: pcre-devel
+BuildRequires: python-rpm-macros
+BuildRequires: python3-devel
+BuildRequires: ruby-devel
+BuildRequires: swig
+
+%description
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
+%package -n python3-selinux
+Summary: Python bindings for the SELinux runtime library
+License: SUSE-Public-Domain
+Group: Development/Libraries/Python
+%define oldpython python
+%ifpython2
+Obsoletes: %{oldpython}-selinux < %{version}
+Provides: %{oldpython}-selinux = %{version}
+%endif
+Requires: libselinux1 = %{version}
+Requires: python3
+
+%description -n python3-selinux
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
+This subpackage contains Python extensions to use SELinux from that
+language.
+
+%package -n ruby-selinux
+Summary: Ruby bindings for the SELinux runtime library
+License: SUSE-Public-Domain
+Group: Development/Languages/Ruby
+Requires: libselinux1 = %{version}
+Requires: ruby
+
+%description -n ruby-selinux
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
+This subpackage contains Ruby extensions to use SELinux from that
+language.
+
+%prep
+%setup -q -n libselinux-%{version}
+%patch4 -p1
+%patch5 -p1
+
+%build
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src swigify
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" PYTHON=/usr/bin/python3 -C src pywrap
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src rubywrap
+
+%install
+make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install
+make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-pywrap
+make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" -C src install-rubywrap
+rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD_ROOT%{_libdir}/pkgconfig
+
+%files -n python3-selinux
+%defattr(-,root,root,-)
+%{python3_sitearch}/selinux/
+%{python3_sitearch}/_selinux.so
+
+%files -n ruby-selinux
+%defattr(-,root,root,-)
+%{_libdir}/ruby/vendor_ruby/%{rb_ver}/%{rb_arch}/selinux.so
+
+%changelog
diff --git a/libselinux.changes b/libselinux.changes
index a94eadd..fdc217a 100644
--- a/libselinux.changes
+++ b/libselinux.changes
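Review bot: `Summary: SELinux runtime library and simple utilities` on the source package describes libselinux itself, but this spec produces only python3-selinux and ruby-selinux; `Summary: Python and Ruby bindings for the SELinux runtime library` would say what is actually built. Two header lines are dead: the `%{?!python_module:...}` define is never referenced (no `%{python_module ...}` appears in the file), and `# embedded is the MD5` describes nothing in the Source URL beneath it — drop both or reword the comment. `BuildRequires: libsepol-devel-static` implies that libsepol ends up statically linked into the Python extension (upstream's pywrap links the audit2why module against libsepol.a, as far as I recall), so a libsepol fix reaches users of this package only after a rebuild; a comment on that line, `# libsepol is linked statically into the audit2why module; rebuild when libsepol changes`, records that maintenance obligation. The `rm -rf $RPM_BUILD_ROOT/%{_lib} ...` line in %install is what keeps the library built here out of the package so the extensions resolve the system libselinux1 at run time; a one-line comment saying so would explain why a full library build is performed only to be deleted.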
@@ -1,29 +1,3 @@ -------------------------------------------------------------------- -Thu Nov 29 19:10:14 UTC 2018 - Jan Engelhardt - -- Replace old $RPM_* shell vars. - -------------------------------------------------------------------- -Wed Nov 21 10:38:23 UTC 2018 - jsegitz@suse.com - -- Merged libselinux-bindings back into main spec file - -------------------------------------------------------------------- -Wed Oct 17 11:48:30 UTC 2018 - jsegitz@suse.com - -- Update to version 2.8 (bsc#1111732). - For changes please see - https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt - -------------------------------------------------------------------- -Mon May 14 22:45:54 UTC 2018 - mcepl@cepl.eu - -- Update to version 2.7. - * %files needed to be heavily modified - * Based expressly on python3, not just python - For changes please see - https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt - ------------------------------------------------------------------- Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com diff --git a/libselinux.spec b/libselinux.spec index c517097..08a338e 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -16,33 +16,26 @@
 #
-%define libsepol_ver 2.8
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
+%define libsepol_ver 2.6
 Name: libselinux
-Version: 2.8
+Version: 2.6
 Release: 0
 Summary: SELinux runtime library and utilities
-License: GPL-2.0-only AND SUSE-Public-Domain
+License: GPL-2.0 and SUSE-Public-Domain
 Group: Development/Libraries/C and C++
 Url: https://github.com/SELinuxProject/selinux/wiki/Releases
-Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libselinux-%{version}.tar.gz
+
+Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/%{name}-%{version}.tar.gz
 Source1: selinux-ready
 Source2: baselibs.conf
-Patch3: python3.patch
 # PATCH-FIX-UPSTREAM Include for readv prototype
 Patch4: readv-proto.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: fdupes
 BuildRequires: libsepol-devel >= %{libsepol_ver}
-BuildRequires: libsepol-devel-static >= %{libsepol_ver}
 BuildRequires: pcre-devel
 BuildRequires: pkg-config
-BuildRequires: python-rpm-macros
-BuildRequires: python3
-BuildRequires: python3-devel
-BuildRequires: ruby-devel
-BuildRequires: swig
 %description
 libselinux provides an interface to get and set process and file
@@ -50,7 +43,6 @@ security contexts and to obtain security policy decisions.
 %package -n libselinux1
 Summary: SELinux runtime library
-License: GPL-2.0-only AND SUSE-Public-Domain
 Group: System/Libraries
 %description -n libselinux1
@@ -64,7 +56,6 @@ Security.)
 %package -n selinux-tools
 Summary: SELinux command-line utilities
-License: GPL-2.0-only AND SUSE-Public-Domain
 Group: System/Base
 %description -n selinux-tools
@@ -78,7 +69,6 @@ system's SELinux state.
 %package devel
 Summary: Development files for the SELinux runtime library
-License: GPL-2.0-only AND SUSE-Public-Domain
 Group: Development/Libraries/C and C++
 Requires: glibc-devel
 Requires: libselinux1 = %{version}
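Review bot: `Version:` drops from 2.8 to 2.6 with `Release: 0` and no `Epoch:`, so any system that already received the 2.8 build keeps it and will not see this revision as an update; if 2.8 was published anywhere an Epoch or explicit Obsoletes is needed, and if it never left staging a sentence in libselinux.changes saying so would document why the downgrade is safe. `License: GPL-2.0 and SUSE-Public-Domain` also reinstates the deprecated identifier spelling, and the per-subpackage `License:` removals in the three hunks below are unrelated to the bindings split; keeping `GPL-2.0-only AND SUSE-Public-Domain` would not conflict with the purpose of the revert.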
@@ -93,7 +83,6 @@ necessary to develop your own software using libselinux.
 %package devel-static
 Summary: Static archives for the SELinux runtime
-License: GPL-2.0-only AND SUSE-Public-Domain
 Group: Development/Libraries/C and C++
 Requires: libselinux-devel = %{version}
 Requires: pkgconfig(libpcre)
@@ -107,49 +96,34 @@ This package contains the static development files, which are necessary to develop your own software using libselinux.
 %prep
-%setup -q -n libselinux-%{version}
-%patch3 -p1
+%setup -q
 %patch4 -p1
 %build
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" CC="%{__cc}"
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src V=1
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src swigify V=1
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src pywrap V=1
-make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src rubywrap V=1
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS"
 %install
-mkdir -p %{buildroot}/%{_lib}
-mkdir -p %{buildroot}/%{_libdir}
-mkdir -p %{buildroot}/%{_includedir}
-mkdir -p %{buildroot}/%{_sbindir}
-%make_install LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" BINDIR="%{_sbindir}"
-rm -f %{buildroot}/%{_sbindir}/compute_*
-rm -f %{buildroot}/%{_sbindir}/deftype
-rm -f %{buildroot}/%{_sbindir}/execcon
-rm -f %{buildroot}/%{_sbindir}/getenforcemode
-rm -f %{buildroot}/%{_sbindir}/getfilecon
-rm -f %{buildroot}/%{_sbindir}/getpidcon
-rm -f %{buildroot}/%{_sbindir}/mkdircon
-rm -f %{buildroot}/%{_sbindir}/policyvers
-rm -f %{buildroot}/%{_sbindir}/setfilecon
-rm -f %{buildroot}/%{_sbindir}/selinuxconfig
-rm -f %{buildroot}/%{_sbindir}/selinuxdisable
-rm -f %{buildroot}/%{_sbindir}/getseuser
-rm -f %{buildroot}/%{_sbindir}/selinux_check_securetty_context
-mv %{buildroot}/%{_sbindir}/getdefaultcon %{buildroot}/%{_sbindir}/selinuxdefcon
-mv %{buildroot}/%{_sbindir}/getconlist %{buildroot}/%{_sbindir}/selinuxconlist
-install -m 0755 %{SOURCE1} %{buildroot}/%{_sbindir}/selinux-ready
-
-%make_install LIBDIR="%{_libdir}" \
- SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \
- -C src V=1
-make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
- SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \
- -C src install-pywrap V=1
-make 
DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
- SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \
- -C src install-rubywrap V=1
+mkdir -p $RPM_BUILD_ROOT/%{_lib}
+mkdir -p $RPM_BUILD_ROOT%{_libdir}
+mkdir -p $RPM_BUILD_ROOT%{_includedir}
+mkdir -p $RPM_BUILD_ROOT%{_sbindir}
+make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" BINDIR="$RPM_BUILD_ROOT%{_sbindir}" install
+rm -f $RPM_BUILD_ROOT%{_sbindir}/compute_*
+rm -f $RPM_BUILD_ROOT%{_sbindir}/deftype
+rm -f $RPM_BUILD_ROOT%{_sbindir}/execcon
+rm -f $RPM_BUILD_ROOT%{_sbindir}/getenforcemode
+rm -f $RPM_BUILD_ROOT%{_sbindir}/getfilecon
+rm -f $RPM_BUILD_ROOT%{_sbindir}/getpidcon
+rm -f $RPM_BUILD_ROOT%{_sbindir}/mkdircon
+rm -f $RPM_BUILD_ROOT%{_sbindir}/policyvers
+rm -f $RPM_BUILD_ROOT%{_sbindir}/setfilecon
+rm -f $RPM_BUILD_ROOT%{_sbindir}/selinuxconfig
+rm -f $RPM_BUILD_ROOT%{_sbindir}/selinuxdisable
+rm -f $RPM_BUILD_ROOT%{_sbindir}/getseuser
+rm -f $RPM_BUILD_ROOT%{_sbindir}/selinux_check_securetty_context
+mv $RPM_BUILD_ROOT%{_sbindir}/getdefaultcon $RPM_BUILD_ROOT%{_sbindir}/selinuxdefcon
+mv $RPM_BUILD_ROOT%{_sbindir}/getconlist $RPM_BUILD_ROOT%{_sbindir}/selinuxconlist
+install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready
 # Remove duplicate files
 %fdupes -s %{buildroot}%{_mandir}
@@ -165,7 +139,6 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
 %{_sbindir}/matchpathcon
 %{_sbindir}/selabel_digest
 %{_sbindir}/selabel_lookup
-%{_sbindir}/selinux_check_access
 %{_sbindir}/selabel_lookup_best_match
 %{_sbindir}/selabel_partial_match
 %{_sbindir}/selinuxconlist
@@ -173,7 +146,7 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
 %{_sbindir}/selinuxenabled
 %{_sbindir}/setenforce
 %{_sbindir}/togglesebool
-#%#{_sbindir}/selinux_restorecon
+%{_sbindir}/selinux_restorecon
 %{_sbindir}/selinux-ready
 %{_sbindir}/selinuxexeccon
 %{_sbindir}/sefcontext_compile
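Review bot: After this revert %install spells the build root as `$RPM_BUILD_ROOT` on every re-added line while the kept `%fdupes -s %{buildroot}%{_mandir}` line still uses `%{buildroot}`; both expand to the same path, but one spelling per section is easier to audit, and `%{buildroot}` is what the surviving line uses. The re-added `make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" ... install` folds the build root into LIBDIR and SHLIBDIR as well as passing DESTDIR, whereas the removed 2.8 lines passed `LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}"` — presumably because the 2.6 Makefiles treat those variables as final paths; a comment such as `# libselinux 2.6 expects LIBDIR/SHLIBDIR to already contain the build root; do not copy the 2.7+ form` would keep the next version bump from mixing the two conventions. The four `mkdir -p $RPM_BUILD_ROOT...` lines ahead of it look redundant if the install target creates its own directories, but that cannot be confirmed from this hunk.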
@@ -195,45 +168,4 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
 %defattr(-,root,root,-)
 %{_libdir}/libselinux.a
-%package -n python3-selinux
-Summary: Python bindings for the SELinux runtime library
-License: SUSE-Public-Domain
-Group: Development/Libraries/Python
-%define oldpython python
-%ifpython2
-Obsoletes: %{oldpython}-selinux < %{version}
-Provides: %{oldpython}-selinux = %{version}
-%endif
-Requires: libselinux1 = %{version}
-Requires: python3
-
-%description -n python3-selinux
-libselinux provides an interface to get and set process and file
-security contexts and to obtain security policy decisions.
-
-This subpackage contains Python extensions to use SELinux from that
-language.
-
-%package -n ruby-selinux
-Summary: Ruby bindings for the SELinux runtime library
-License: SUSE-Public-Domain
-Group: Development/Languages/Ruby
-Requires: libselinux1 = %{version}
-Requires: ruby
-
-%description -n ruby-selinux
-libselinux provides an interface to get and set process and file
-security contexts and to obtain security policy decisions.
-
-This subpackage contains Ruby extensions to use SELinux from that
-language.
-
-%files -n python3-selinux
-%defattr(-,root,root,-)
-%{python3_sitearch}/*selinux*
-
-%files -n ruby-selinux
-%defattr(-,root,root,-)
-%{_libdir}/ruby/vendor_ruby/%{rb_ver}/%{rb_arch}/selinux.so
-
 %changelog
diff --git a/python3.patch b/python3.patch
index 58a2136..ae023b5 100644
--- a/python3.patch
+++ b/python3.patch
@@ -1,13 +1,13 @@
-Index: libselinux-2.7/src/Makefile
+Index: libselinux-2.6/src/Makefile
 ===================================================================
---- libselinux-2.7.orig/src/Makefile
-+++ libselinux-2.7/src/Makefile
+--- libselinux-2.6.orig/src/Makefile 2016-10-14 17:31:26.000000000 +0200
++++ libselinux-2.6/src/Makefile 2018-03-22 11:33:36.527385495 +0100
@@ -1,7 +1,7 @@ # Support building the Python bindings multiple times, against various Python # runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build # targets with "PYPREFIX": -PYTHON ?= python +PYTHON ?= python3 - PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python-%d.%d" % sys.version_info[:2])') + PYPREFIX ?= $(notdir $(PYTHON)) RUBY ?= ruby RUBYPREFIX ?= $(notdir $(RUBY))