Accepting request 408692 from security:SELinux

1 OBS-URL: https://build.opensuse.org/request/show/408692 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libsepol?expand=0&rev=35
2016-07-18 19:17:19 +00:00 · 2016-07-18 19:17:19 +00:00 · ab00af05c1
commit ab00af05c1
parent dd793f471e fb01341895
4 changed files with 115 additions and 27 deletions
--- a/libsepol-2.3.tar.gz
+++ b/libsepol-2.3.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cc8d8642c3b7b95d6928d65dcbca2ab0627abc1c05166637851e63c1a6eae68f
-size 209570
--- a/libsepol-2.5.tar.gz
+++ b/libsepol-2.5.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2bdeec56d0a08b082b93b40703b4b3329cc5562152f7254d8f6ef6b56afe850a
+size 438730
--- a/libsepol.changes
+++ b/libsepol.changes
@ -1,3 +1,77 @@
+-------------------------------------------------------------------
+Thu Jul 14 14:38:09 UTC 2016 - mpluskal@suse.com
+
+- Cleanup spec file with spec-cleaner
+- Make spec file a bit more easy
+- Ship new supbackage (-tools)
+
+-------------------------------------------------------------------
+Thu Jul 14 14:21:46 UTC 2016 - jsegitz@novell.com
+
+- Without bug number no submit to SLE 12 SP2 is possible, so to make
+  sle-changelog-checker happy: bsc#988977
+
+-------------------------------------------------------------------
+Thu Jul 14 07:57:35 UTC 2016 - jsegitz@novell.com
+
+- Adjusted source link
+
+-------------------------------------------------------------------
+Tue Jul  5 17:11:44 UTC 2016 - i@marguerite.su
+
+- update version 2.5
+  * Fix unused variable annotations
+  * Fix uninitialized variable in CIL
+  * Validate extended avrules and permissionxs in CIL
+  * Add support in CIL for neverallowx
+  * Fully expand neverallowxperm rules
+  * Add support for unordered classes to CIL
+  * Add neverallow support for ioctl extended permissions
+  * Improve CIL block and macro call recursion detection
+  * Fix CIL uninitialized false positive in cil_binary
+  * Provide error in CIL if classperms are empty
+  * Add userattribute{set} functionality to CIL
+  * fix CIL blockinherit copying segfault and add macro restrictions
+  * fix CIL NULL pointer dereference when copying classpermission/set
+  * Add CIL support for ioctl whitelists
+  * Fix memory leak when destroying avtab
+  * Replace sscanf in module_to_cil
+  * Improve CIL resolution error messages
+  * Fix policydb_read for policy versions < 24
+  * Added CIL bounds checking and refactored CIL Neverallow checking
+  * Refactored libsepol Neverallow and bounds (hierarchy) checking
+  * Treat types like an attribute in the attr_type_map
+  * Add new ebitmap function named ebitmap_match_any()
+  * switch operations to extended perms
+  * Write auditadm_r and secadm_r roles to base module when writing CIL
+  * Fix module to CIL to only associate declared roleattributes with in-scope types
+  * Don't allow categories/sensitivities inside blocks in CIL
+  * Replace fmemopen() with internal function in libsepol
+  * Verify users prior to evaluating users in cil
+  * Binary modules do not support ioctl rules
+  * Add support for ioctl command whitelisting
+  * Don't use symbol versioning for static object files
+  * Add sepol_module_policydb_to_cil(), sepol_module_package_to_cil(), 
+    and sepol_ppfile_to_module_package()
+  * Move secilc out of libsepol
+  * fix building Xen policy with devicetreecon, and add devicetreecon
+    CIL documentation
+  * bool_copy_callback set state on creation
+  * Add device tree ocontext nodes to Xen policy
+  * Widen Xen IOMEM context entries
+  * Fix error path in mls_semantic_level_expand()
+  * Update to latest CIL, includes new name resolution and fixes ordering
+    issues with blockinherit statements, and bug fixes
+- changes in 2.4
+  * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
+  * Fix bugs found by hardened gcc flags
+  * Build CIL into libsepol. libsepol can be built without CIL by setting the
+    DISABLE_CIL flag to 'y'
+  * Add an API function to set target_platform
+  * Report all neverallow violations
+  * Improve check_assertions performance
+  * Allow libsepol C++ static library on device
+
 -------------------------------------------------------------------
 Fri May 16 13:06:12 UTC 2014 - vcizek@suse.com

--- a/libsepol.spec
+++ b/libsepol.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libsepol
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,16 +17,17 @@


 Name:           libsepol
-Version:        2.3
+Version:        2.5
 Release:        0
-Url:            http://www.nsa.gov/selinux/
 Summary:        SELinux binary policy manipulation library
 License:        LGPL-2.1+
 Group:          System/Libraries
-Source:         http://userspace.selinuxproject.org/releases/20140506/%{name}-%{version}.tar.gz
+Url:            http://www.nsa.gov/selinux/
+Source:         https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz
 Source2:        baselibs.conf
+BuildRequires:  flex
+BuildRequires:  pkgconfig
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildRequires:  pkg-config

 %description
 Security-enhanced Linux is a feature of the Linux(R) kernel and a
@ -45,7 +46,26 @@ tools, as well as by programs like load_policy that need to perform
 specific transformations on binary policies such as customizing policy
 boolean settings.

+%package utils
+Summary:        SELinux binary policy manipulation tools
+Group:          System/Base

+%description utils
+Security-enhanced Linux is a feature of the Linux(R) kernel and a
+number of utilities with enhanced security functionality designed to
+add mandatory access controls to Linux.  The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These architectural
+components provide general support for the enforcement of many kinds of
+mandatory access control policies, including those based on the
+concepts of Type Enforcement(R), Role-based Access Control, and
+Multi-level Security.
+
+libsepol provides an API for the manipulation of SELinux binary
+policies. It is used by checkpolicy (the policy compiler) and similar
+tools, as well as by programs like load_policy that need to perform
+specific transformations on binary policies such as customizing policy
+boolean settings.

 %package -n libsepol1
 Summary:        SELinux binary policy manipulation library
@ -68,22 +88,18 @@ tools, as well as by programs like load_policy that need to perform
 specific transformations on binary policies such as customizing policy
 boolean settings.

-
-
 %package devel
 Summary:        Development Include Files and Libraries for SELinux policy manipulation
 Group:          Development/Libraries/C and C++
 Requires:       glibc-devel
 Requires:       libsepol1 = %{version}
-Requires:       pkg-config
+Requires:       pkgconfig

 %description devel
 The libsepol-devel package contains the libraries and header
 files needed for developing applications that manipulate binary
 policies.

-
-
 %package devel-static
 Summary:        Development Include Files and Libraries for SELinux policy manipulation
 Group:          Development/Libraries/C and C++
@ -94,30 +110,26 @@ The libsepol-devel-static package contains the static libraries
 needed for developing applications that manipulate binary
 policies.

-
-
 %prep
 %setup -q

 %build
-make %{?_smp_mflags} CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS $(getconf LFS_CFLAGS)"
+export CFLAGS="%{optflags}"
+make %{?_smp_mflags}

 %install
-mkdir -p $RPM_BUILD_ROOT/%{_lib}
-mkdir -p $RPM_BUILD_ROOT%{_libdir}
-mkdir -p $RPM_BUILD_ROOT%{_includedir}
-mkdir -p $RPM_BUILD_ROOT%{_bindir}
-mkdir -p $RPM_BUILD_ROOT%{_mandir}/man{3,8}
-make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" install
-rm -f $RPM_BUILD_ROOT%{_bindir}/genpolbools
-rm -f $RPM_BUILD_ROOT%{_bindir}/genpolusers
-rm -f $RPM_BUILD_ROOT%{_bindir}/chkcon
-rm -rf $RPM_BUILD_ROOT%{_mandir}/man8
+make DESTDIR=%{buildroot} LIBDIR="%{buildroot}%{_libdir}" SHLIBDIR="%{buildroot}/%{_lib}" install

 %post -n libsepol1 -p /sbin/ldconfig
-
 %postun -n libsepol1 -p /sbin/ldconfig

+%files utils
+%defattr(-,root,root)
+%{_bindir}/chkcon
+%{_mandir}/man8/chkcon.8%{ext_man}
+%{_mandir}/man8/genpolbools.8%{ext_man}
+%{_mandir}/man8/genpolusers.8%{ext_man}
+
 %files -n libsepol1
 %defattr(-,root,root)
 /%{_lib}/libsepol.so.*
@ -127,7 +139,9 @@ rm -rf $RPM_BUILD_ROOT%{_mandir}/man8
 %{_libdir}/libsepol.so
 %{_mandir}/man3/*
 %dir %{_includedir}/sepol
+%dir %{_includedir}/sepol/cil
 %{_includedir}/sepol/*.h
+%{_includedir}/sepol/cil/cil.h
 %dir %{_includedir}/sepol/policydb
 %{_includedir}/sepol/policydb/*.h
 %{_libdir}/pkgconfig/libsepol.pc