testing/libselinux
SHA256
3
0
Fork 0
forked from pool/libselinux
Code Pull Requests Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=1

Browse Source
This commit is contained in:
OBS User unknown 2008-08-03 02:41:25 +00:00 committed by Git OBS Bridge
parent 84efde44ce
commit 844dc82ee5
10 changed files with 521 additions and 982 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
baselibs.conf
View File

@ -1 +0,0 @@
libselinux1

369
libselinux-2.0.67-rhat.patch Normal file
View File

@ -0,0 +1,369 @@
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/freecon.3 libselinux-2.0.67/man/man3/freecon.3
--- nsalibselinux/man/man3/freecon.3 2008-06-12 23:25:12.000000000 -0400
+++ libselinux-2.0.67/man/man3/freecon.3 2008-07-09 16:52:33.000000000 -0400
@@ -15,6 +15,11 @@
.B freeconary
frees the memory allocated for a context array.
+If
+.I con
+is NULL, no operation is performed.
+
+
.SH "SEE ALSO"
.BR selinux "(8)"
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.67/man/man8/selinuxconlist.8
--- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-2.0.67/man/man8/selinuxconlist.8 2008-07-09 16:52:33.000000000 -0400
@@ -0,0 +1,18 @@
+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxconlist \- list all SELinux context reachable for user
+.SH "SYNOPSIS"
+.B selinuxconlist [-l level] user [context]
+
+.SH "DESCRIPTION"
+.B selinuxconlist
+reports the list of context reachable for user from the current context or specified context
+
+.B \-l level
+mcs/mls level
+
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxdefcon(8)
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.67/man/man8/selinuxdefcon.8
--- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-2.0.67/man/man8/selinuxdefcon.8 2008-07-09 16:52:33.000000000 -0400
@@ -0,0 +1,19 @@
+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxdefcon \- list default SELinux context for user
+
+.SH "SYNOPSIS"
+.B selinuxdefcon [-l level] user [fromcon]
+
+.SH "DESCRIPTION"
+.B seconlist
+reports the default context for the specified user from current context or specified context
+
+.B \-l level
+mcs/mls level
+
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxconlist(8)
diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.67/src/Makefile
--- nsalibselinux/src/Makefile 2008-06-22 09:40:25.000000000 -0400
+++ libselinux-2.0.67/src/Makefile 2008-07-09 16:56:37.000000000 -0400
@@ -7,16 +7,24 @@
PYINC ?= /usr/include/$(PYLIBVER)
PYLIB ?= /usr/lib/$(PYLIBVER)
PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
+RUBYLIBVER ?= $(shell ruby -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
+RUBYPLATFORM ?= $(shell ruby -e 'print RUBY_PLATFORM')
+RUBYINC ?= $(LIBDIR)/ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
+RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
LIBVERSION = 1
LIBA=libselinux.a
TARGET=libselinux.so
SWIGIF= selinuxswig_python.i
+SWIGRUBYIF= selinuxswig_ruby.i
SWIGCOUT= selinuxswig_wrap.c
+SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
SWIGLOBJ:= $(patsubst %.c,%.lo,$(SWIGCOUT))
+SWIGRUBYLOBJ:= $(patsubst %.c,%.lo,$(SWIGRUBYCOUT))
SWIGSO=_selinux.so
SWIGFILES=$(SWIGSO) selinux.py
+SWIGRUBYSO=_rubyselinux.so
LIBSO=$(TARGET).$(LIBVERSION)
AUDIT2WHYSO=audit2why.so
@@ -29,7 +37,9 @@
ifeq ($(DISABLE_RPM),y)
UNUSED_SRCS+=rpm.c
endif
-SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out audit2why.c $(SWIGCOUT),$(wildcard *.c)))
+
+GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT)
+SRCS= $(filter-out $(UNUSED_SRCS), $(filter-out audit2why.c $(GENERATED),$(wildcard *.c)))
OBJS= $(patsubst %.c,%.o,$(SRCS))
LOBJS= $(patsubst %.c,%.lo,$(SRCS))
@@ -44,11 +54,11 @@
SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
-GENERATED=$(SWIGCOUT)
+SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./
all: $(LIBA) $(LIBSO)
-pywrap: all $(SWIGSO) $(AUDIT2WHYSO)
+pywrap: all $(SWIGSO) $(AUDIT2WHYSO) $(SWIGRUBYSO)
$(LIBA): $(OBJS)
$(AR) rcs $@ $^
@@ -57,8 +67,14 @@
$(SWIGLOBJ): $(SWIGCOUT)
$(CC) $(filter-out -Werror,$(CFLAGS)) -I$(PYINC) -fPIC -DSHARED -c -o $@ $<
+$(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
+ $(CC) $(filter-out -Werror,$(CFLAGS)) -I$(RUBYINC) -fPIC -DSHARED -c -o $@ $<
+
$(SWIGSO): $(SWIGLOBJ)
- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
+
+$(SWIGRUBYSO): $(SWIGRUBYLOBJ)
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux -L$(LIBDIR) -Wl,-soname,$@
$(LIBSO): $(LOBJS)
$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
@@ -79,6 +95,9 @@
$(SWIGCOUT): $(SWIGIF)
$(SWIG) $^
+$(SWIGRUBYCOUT): $(SWIGRUBYIF)
+ $(SWIGRUBY) $^
+
swigify: $(SWIGIF)
$(SWIG) $^
@@ -95,6 +114,9 @@
install -m 755 $(AUDIT2WHYSO) $(PYTHONLIBDIR)/site-packages/selinux
install -m 644 selinux.py $(PYTHONLIBDIR)/site-packages/selinux/__init__.py
+ test -d $(RUBYINSTALL) || install -m 755 -d $(RUBYINSTALL)
+ install -m 755 $(SWIGRUBYSO) $(RUBYINSTALL)/selinux.so
+
relabel:
/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
@@ -102,7 +124,7 @@
-rm -f $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~
distclean: clean
- rm -f $(SWIGCOUT) $(SWIGFILES)
+ rm -f $(GENERATED) $(SWIGFILES)
indent:
../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))
diff --exclude-from=exclude -N -u -r nsalibselinux/src/audit2why.c libselinux-2.0.67/src/audit2why.c
--- nsalibselinux/src/audit2why.c 2008-06-12 23:25:14.000000000 -0400
+++ libselinux-2.0.67/src/audit2why.c 2008-07-09 16:52:33.000000000 -0400
@@ -55,7 +55,7 @@
return 0;
}
-static int check_booleans(struct avc_t *avc, struct boolean_t **bools)
+static int check_booleans(struct boolean_t **bools)
{
char errormsg[PATH_MAX];
struct sepol_av_decision avd;
@@ -376,7 +376,7 @@
avc->tsid = tsid;
avc->tclass = tclass;
avc->av = av;
- if (check_booleans(avc, &bools) == 0) {
+ if (check_booleans(&bools) == 0) {
if (av & ~avd.auditdeny) {
RETURN(DONTAUDIT)
} else {
@@ -390,15 +390,15 @@
len++; b++;
}
b = bools;
- PyObject *boollist = PyTuple_New(len);
+ PyObject *outboollist = PyTuple_New(len);
len=0;
while(b->name) {
PyObject *bool = Py_BuildValue("(si)", b->name, b->active);
- PyTuple_SetItem(boollist, len++, bool);
+ PyTuple_SetItem(outboollist, len++, bool);
b++;
}
free(bools);
- PyTuple_SetItem(result, 1, boollist);
+ PyTuple_SetItem(result, 1, outboollist);
return result;
}
}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.67/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c 2008-06-12 23:25:14.000000000 -0400
+++ libselinux-2.0.67/src/matchpathcon.c 2008-07-09 16:52:33.000000000 -0400
@@ -2,6 +2,7 @@
#include <string.h>
#include <errno.h>
#include <stdio.h>
+#include <syslog.h>
#include "selinux_internal.h"
#include "label_internal.h"
#include "callbacks.h"
@@ -57,7 +58,7 @@
{
va_list ap;
va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
+ vsyslog(LOG_ERR, fmt, ap);
va_end(ap);
}
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_ruby.i libselinux-2.0.67/src/selinuxswig_ruby.i
--- nsalibselinux/src/selinuxswig_ruby.i 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-2.0.67/src/selinuxswig_ruby.i 2008-07-09 16:52:33.000000000 -0400
@@ -0,0 +1,147 @@
+/* Author: James Athey
+ */
+
+%module selinux
+%{
+ #include "selinux/selinux.h"
+%}
+
+/* security_get_boolean_names() typemap */
+/*
+%typemap(argout) (char ***names, int *len) {
+ PyObject* list = PyList_New(*$2);
+ int i;
+ for (i = 0; i < *$2; i++) {
+ PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
+ }
+ $result = SWIG_Python_AppendOutput($result, list);
+}
+*/
+/* return a sid along with the result */
+%typemap(argout) (security_id_t * sid) {
+ if (*$1) {
+ %append_output(SWIG_NewPointerObj(*$1, $descriptor(security_id_t), 0));
+ }
+/* else {
+ Py_INCREF(Py_None);
+ %append_output(Py_None);
+ }
+*/
+}
+
+%typemap(in,numinputs=0) security_id_t *(security_id_t temp) {
+ $1 = &temp;
+}
+
+/* Makes security_compute_user() return a Python list of contexts */
+/*
+%typemap(argout) (security_context_t **con) {
+ PyObject* plist;
+ int i, len = 0;
+
+ if (*$1) {
+ while((*$1)[len])
+ len++;
+ plist = PyList_New(len);
+ for (i = 0; i < len; i++) {
+ PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
+ }
+ } else {
+ plist = PyList_New(0);
+ }
+
+ $result = SWIG_Python_AppendOutput($result, plist);
+}
+*/
+/* Makes functions in get_context_list.h return a Python list of contexts */
+
+#ifdef fixme
+%typemap(argout) (security_context_t **list) {
+ PyObject* plist;
+ int i;
+
+ if (*$1) {
+ plist = PyList_New(result);
+ for (i = 0; i < result; i++) {
+ PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
+ }
+ } else {
+ plist = PyList_New(0);
+ }
+ /* Only return the Python list, don't need to return the length anymore */
+ $result = plist;
+}
+#endif
+
+%typemap(in,noblock=1,numinputs=0) security_context_t * (security_context_t temp = 0) {
+ $1 = &temp;
+}
+%typemap(freearg,match="in") security_context_t * "";
+%typemap(argout,noblock=1) security_context_t * {
+ if (*$1) {
+ %append_output(SWIG_FromCharPtr(*$1));
+ freecon(*$1);
+ }
+/*
+ else {
+ Py_INCREF(Py_None);
+ %append_output(Py_None);
+ }
+*/
+}
+
+%typemap(in,noblock=1,numinputs=0) char ** (char * temp = 0) {
+ $1 = &temp;
+}
+%typemap(freearg,match="in") char ** "";
+%typemap(argout,noblock=1) char ** {
+ if (*$1) {
+ %append_output(SWIG_FromCharPtr(*$1));
+ free(*$1);
+ }
+/*
+ else {
+ Py_INCREF(Py_None);
+ %append_output(Py_None);
+ }
+*/
+}
+/*
+%typemap(in) char * const [] {
+ int i, size;
+ PyObject * s;
+
+ if (!PySequence_Check($input)) {
+ PyErr_SetString(PyExc_ValueError, "Expected a sequence");
+ return NULL;
+ }
+
+ size = PySequence_Size($input);
+
+ $1 = (char**) malloc(size + 1);
+ for(i = 0; i < size; i++) {
+ if (!PyString_Check(PySequence_GetItem($input, i))) {
+ PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings");
+ return NULL;
+ }
+ }
+
+ for(i = 0; i < size; i++) {
+ s = PySequence_GetItem($input, i);
+ $1[i] = (char*) malloc(PyString_Size(s) + 1);
+ strcpy($1[i], PyString_AsString(s));
+ }
+ $1[size] = NULL;
+}
+*/
+
+%typemap(freearg,match="in") char * const [] {
+ int i = 0;
+ while($1[i]) {
+ free($1[i]);
+ i++;
+ }
+ free($1);
+}
+
+%include "selinuxswig.i"

3
libselinux-2.0.67.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c6044bb0e9531dfa21aa297b28fcef26df16c46f6d33b567942833524e96a92d
size 135165

3
libselinux-2.8.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:31db96ec7643ce10912b3c3f98506a08a9116dcfe151855fd349c3fda96187e1
size 187759

508
libselinux.changes
View File

@ -1,511 +1,3 @@
-------------------------------------------------------------------
Thu Nov 29 19:10:14 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
- Replace old $RPM_* shell vars.
-------------------------------------------------------------------
Wed Nov 21 10:38:23 UTC 2018 - jsegitz@suse.com
- Merged libselinux-bindings back into main spec file
-------------------------------------------------------------------
Wed Oct 17 11:48:30 UTC 2018 - jsegitz@suse.com
- Update to version 2.8 (bsc#1111732).
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
-------------------------------------------------------------------
Mon May 14 22:45:54 UTC 2018 - mcepl@cepl.eu
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
-------------------------------------------------------------------
Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
-------------------------------------------------------------------
Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de
- readv-proto.patch: include <sys/uio.h> for readv prototype
-------------------------------------------------------------------
Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org
- -devel static subpackage requires libpcre-devel and libsepol-devel
-------------------------------------------------------------------
Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
-------------------------------------------------------------------
Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
- Update RPM groups, trim description and combine filelist entries.
-------------------------------------------------------------------
Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com
- Adjusted source link
-------------------------------------------------------------------
Tue Jul 5 16:42:03 UTC 2016 - i@marguerite.su
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
-------------------------------------------------------------------
Thu Jul 30 12:00:27 UTC 2015 - jsegitz@novell.com
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
-------------------------------------------------------------------
Mon Sep 8 08:25:11 UTC 2014 - jsegitz@suse.com
- updated selinux-ready script to handle initrd files compressed with xz
-------------------------------------------------------------------
Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
-------------------------------------------------------------------
Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
-------------------------------------------------------------------
Thu Jun 27 14:42:01 UTC 2013 - vcizek@suse.com
- change the source url to the official 2.1.13 release tarball
-------------------------------------------------------------------
Wed May 22 23:50:58 UTC 2013 - jengelh@inai.de
- Reuse implicit dependencies injected by pkgconfig
-------------------------------------------------------------------
Thu Apr 4 19:16:35 UTC 2013 - vcizek@suse.com
- fixed source url in libselinux-bindings.spec
- removed old tarball
-------------------------------------------------------------------
Wed Apr 3 10:17:21 UTC 2013 - vcizek@suse.com
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-------------------------------------------------------------------
Fri Mar 29 15:12:50 UTC 2013 - vcizek@suse.com
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
-------------------------------------------------------------------
Wed Jan 30 11:44:45 UTC 2013 - vcizek@suse.com
- update to 2.1.12
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
-------------------------------------------------------------------
Mon Jan 7 22:34:03 UTC 2013 - jengelh@inai.de
- Remove obsolete defines/sections
-------------------------------------------------------------------
Tue Dec 11 16:15:52 UTC 2012 - vcizek@suse.com
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
-------------------------------------------------------------------
Tue Nov 27 12:38:29 UTC 2012 - vcizek@suse.com
- update selinux-ready script
-------------------------------------------------------------------
Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com
- updated to 2.1.9 again (see below)
-------------------------------------------------------------------
Wed Jun 13 08:56:36 UTC 2012 - coolo@suse.com
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
-------------------------------------------------------------------
Mon Jun 11 09:06:55 UTC 2012 - factory-maintainer@kulow.org
- revert back to 2.0.98 for 12.2
-------------------------------------------------------------------
Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
-------------------------------------------------------------------
Wed Oct 5 15:09:25 UTC 2011 - uli@suse.com
- cross-build fix: use %__cc macro
-------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
- use %_smp_mflags
-------------------------------------------------------------------
Mon May 3 10:30:40 UTC 2010 - prusnak@suse.cz
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
-------------------------------------------------------------------
Sat Apr 24 09:53:28 UTC 2010 - coolo@novell.com
- buildrequire pkg-config to fix provides
-------------------------------------------------------------------
Fri Apr 9 07:27:27 UTC 2010 - thomas@novell.com
- selinux-ready: added function to check for restorecond in
runlevel 3/5
-------------------------------------------------------------------
Thu Apr 8 06:37:34 UTC 2010 - thomas@novell.com
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
-------------------------------------------------------------------
Wed Apr 7 13:26:59 UTC 2010 - thomas@novell.com
- selinux-ready: fixed init ramfs checking
-------------------------------------------------------------------
Wed Apr 7 12:59:41 UTC 2010 - thomas@novell.com
- added new selinux-ready script
-------------------------------------------------------------------
Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz
- updated to 2.0.91
* changes too numerous to list
-------------------------------------------------------------------
Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de
- add baselibs.conf as a source
-------------------------------------------------------------------
Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com
- updated selinux-ready script
-------------------------------------------------------------------
Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
-------------------------------------------------------------------
Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz
- put libsepol-devel back to Requires of libselinux-devel
-------------------------------------------------------------------
Mon Jun 29 21:24:16 CEST 2009 - prusnak@suse.cz
- added selinux-ready tool to selinux-tools package
-------------------------------------------------------------------
Tue Jun 9 20:17:54 CEST 2009 - crrodriguez@suse.de
- remove static libraries
- libselinux-devel does not require libsepol-devel
-------------------------------------------------------------------
Wed May 27 14:06:14 CEST 2009 - prusnak@suse.cz
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
-------------------------------------------------------------------
Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz
- fixed memory leak (memleak.patch)
-------------------------------------------------------------------
Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
-------------------------------------------------------------------
Mon Dec 1 11:32:50 CET 2008 - prusnak@suse.cz
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
-------------------------------------------------------------------
Wed Oct 22 16:28:59 CEST 2008 - mrueckert@suse.de
- fix debug_packages_requires define
-------------------------------------------------------------------
Tue Sep 23 12:51:10 CEST 2008 - prusnak@suse.cz
- require only version, not release [bnc#429053]
-------------------------------------------------------------------
Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
-------------------------------------------------------------------
Mon Sep 1 07:35:00 CEST 2008 - aj@suse.de
- Fix build of debuginfo.
-------------------------------------------------------------------
Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
-------------------------------------------------------------------
Fri Aug 1 17:32:20 CEST 2008 - ro@suse.de

322
libselinux.spec
View File

@ -1,239 +1,215 @@
#
# spec file for package libselinux
# spec file for package libselinux (Version 2.0.67)
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
%define libsepol_ver 2.8
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define libsepol_ver 2.0.32
BuildRequires: python-devel ruby-devel swig
BuildRequires: libsepol-devel >= %{libsepol_ver}
Name: libselinux
Version: 2.8
Release: 0
Summary: SELinux runtime library and utilities
License: GPL-2.0-only AND SUSE-Public-Domain
Group: Development/Libraries/C and C++
Url: https://github.com/SELinuxProject/selinux/wiki/Releases
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libselinux-%{version}.tar.gz
Source1: selinux-ready
Source2: baselibs.conf
Patch3: python3.patch
# PATCH-FIX-UPSTREAM Include <sys/uio.h> for readv prototype
Patch4: readv-proto.patch
Version: 2.0.67
Release: 2
Url: http://www.nsa.gov/selinux/
License: GPL v2 only; Public Domain, Freeware
Group: System/Libraries
Summary: SELinux library and simple utilities
Source: %{name}-%{version}.tar.bz2
Patch0: %{name}-%{version}-rhat.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: fdupes
BuildRequires: libsepol-devel >= %{libsepol_ver}
BuildRequires: libsepol-devel-static >= %{libsepol_ver}
BuildRequires: pcre-devel
BuildRequires: pkg-config
BuildRequires: python-rpm-macros
BuildRequires: python3
BuildRequires: python3-devel
BuildRequires: ruby-devel
BuildRequires: swig
%define debug_package_requires libselinux1 = %{version}
%description
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
Security-enhanced Linux is a feature of the Linux® kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux kernel
contains new architectural components originally developed to improve
the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement®, Role-based Access Control, and
Multi-level Security.
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
%package -n libselinux1
Summary: SELinux runtime library
License: GPL-2.0-only AND SUSE-Public-Domain
License: GPL v2 only; Public Domain, Freeware
Group: System/Libraries
Summary: SELinux library and simple utilities
%description -n libselinux1
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
Security-enhanced Linux is a feature of the Linux® kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux kernel
contains new architectural components originally developed to improve
the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement®, Role-based Access Control, and
Multi-level Security.
(Security-enhanced Linux is a feature of the kernel and some
utilities that implement mandatory access control policies, such as
Type Enforcement, Role-based Access Control and Multi-Level
Security.)
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
%package -n selinux-tools
Summary: SELinux command-line utilities
License: GPL-2.0-only AND SUSE-Public-Domain
Group: System/Base
%description -n selinux-tools
Security-enhanced Linux is a feature of the kernel and some
utilities that implement mandatory access control policies, such as
Type Enforcement, Role-based Access Control and Multi-Level
Security.
This subpackage contains utilities to inspect and administer the
system's SELinux state.
%package devel
Summary: Development files for the SELinux runtime library
License: GPL-2.0-only AND SUSE-Public-Domain
License: GPL v2 only; Public Domain, Freeware
Summary: Development Include Files and Libraries for SELinux
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: libselinux1 = %{version}
#Automatic dependency on libsepol-devel via pkgconfig
Requires: libselinux1 = %{version}-%{release}
Requires: libsepol-devel >= %{libsepol_ver}
%description devel
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
Security-enhanced Linux is a patch of the Linux kernel and a number of
utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux kernel
contains new architectural components originally developed to improve
the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement®, Role-based Access Control, and
Multi-level Security.
This package contains the development files, which are
This package contains the header files and static libraries, which are
necessary to develop your own software using libselinux.
%package devel-static
Summary: Static archives for the SELinux runtime
License: GPL-2.0-only AND SUSE-Public-Domain
Group: Development/Libraries/C and C++
Requires: libselinux-devel = %{version}
Requires: pkgconfig(libpcre)
Requires: pkgconfig(libsepol)
%description devel-static
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
This package contains the static development files, which are
necessary to develop your own software using libselinux.
%package -n python-selinux
License: Public Domain, Freeware
Summary: SELinux library and simple utilities
Group: System/Libraries
Requires: libselinux1 = %{version}-%{release}
Requires: python
%description -n python-selinux
Security-enhanced Linux is a feature of the Linux® kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux kernel
contains new architectural components originally developed to improve
the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement®, Role-based Access Control, and
Multi-level Security.
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
%package -n ruby-selinux
License: Public Domain, Freeware
Summary: SELinux library and simple utilities
Group: System/Libraries
Requires: libselinux1 = %{version}-%{release}
Requires: ruby
%description -n ruby-selinux
Security-enhanced Linux is a feature of the Linux® kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux kernel
contains new architectural components originally developed to improve
the security of the Flask operating system. These architectural
components provide general support for the enforcement of many kinds of
mandatory access control policies, including those based on the
concepts of Type Enforcement®, Role-based Access Control, and
Multi-level Security.
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
%prep
%setup -q -n libselinux-%{version}
%patch3 -p1
%patch4 -p1
%setup -q
%patch0 -p1
%build
make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" CC="%{__cc}"
make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src V=1
make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src swigify V=1
make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src pywrap V=1
make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags}" -C src rubywrap V=1
make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" swigify
make %{?jobs:-j%jobs} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" all pywrap
%install
mkdir -p %{buildroot}/%{_lib}
mkdir -p %{buildroot}/%{_libdir}
mkdir -p %{buildroot}/%{_includedir}
mkdir -p %{buildroot}/%{_sbindir}
%make_install LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" BINDIR="%{_sbindir}"
rm -f %{buildroot}/%{_sbindir}/compute_*
rm -f %{buildroot}/%{_sbindir}/deftype
rm -f %{buildroot}/%{_sbindir}/execcon
rm -f %{buildroot}/%{_sbindir}/getenforcemode
rm -f %{buildroot}/%{_sbindir}/getfilecon
rm -f %{buildroot}/%{_sbindir}/getpidcon
rm -f %{buildroot}/%{_sbindir}/mkdircon
rm -f %{buildroot}/%{_sbindir}/policyvers
rm -f %{buildroot}/%{_sbindir}/setfilecon
rm -f %{buildroot}/%{_sbindir}/selinuxconfig
rm -f %{buildroot}/%{_sbindir}/selinuxdisable
rm -f %{buildroot}/%{_sbindir}/getseuser
rm -f %{buildroot}/%{_sbindir}/selinux_check_securetty_context
mv %{buildroot}/%{_sbindir}/getdefaultcon %{buildroot}/%{_sbindir}/selinuxdefcon
mv %{buildroot}/%{_sbindir}/getconlist %{buildroot}/%{_sbindir}/selinuxconlist
install -m 0755 %{SOURCE1} %{buildroot}/%{_sbindir}/selinux-ready
mkdir -p $RPM_BUILD_ROOT/%{_lib}
mkdir -p $RPM_BUILD_ROOT%{_libdir}
mkdir -p $RPM_BUILD_ROOT%{_includedir}
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT/var/run/setrans
make DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" SHLIBDIR="$RPM_BUILD_ROOT/%{_lib}" BINDIR="$RPM_BUILD_ROOT%{_sbindir}" install install-pywrap
rm -f $RPM_BUILD_ROOT%{_sbindir}/compute_*
rm -f $RPM_BUILD_ROOT%{_sbindir}/deftype
rm -f $RPM_BUILD_ROOT%{_sbindir}/execcon
rm -f $RPM_BUILD_ROOT%{_sbindir}/getenforcemode
rm -f $RPM_BUILD_ROOT%{_sbindir}/getfilecon
rm -f $RPM_BUILD_ROOT%{_sbindir}/getpidcon
rm -f $RPM_BUILD_ROOT%{_sbindir}/mkdircon
rm -f $RPM_BUILD_ROOT%{_sbindir}/policyvers
rm -f $RPM_BUILD_ROOT%{_sbindir}/setfilecon
rm -f $RPM_BUILD_ROOT%{_sbindir}/selinuxconfig
rm -f $RPM_BUILD_ROOT%{_sbindir}/selinuxdisable
rm -f $RPM_BUILD_ROOT%{_sbindir}/getseuser
rm -f $RPM_BUILD_ROOT%{_sbindir}/selinux_check_securetty_context
mv $RPM_BUILD_ROOT%{_sbindir}/getdefaultcon $RPM_BUILD_ROOT%{_sbindir}/selinuxdefcon
mv $RPM_BUILD_ROOT%{_sbindir}/getconlist $RPM_BUILD_ROOT%{_sbindir}/selinuxconlist
%make_install LIBDIR="%{_libdir}" \
SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \
-C src V=1
make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \
-C src install-pywrap V=1
make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a \
-C src install-rubywrap V=1
# Remove duplicate files
%fdupes -s %{buildroot}%{_mandir}
%clean
rm -rf $RPM_BUILD_ROOT
%post -n libselinux1 -p /sbin/ldconfig
%postun -n libselinux1 -p /sbin/ldconfig
%files -n selinux-tools
%files -n libselinux1
%defattr(-,root,root,-)
/%{_lib}/libselinux.so.*
%{_sbindir}/avcstat
%{_sbindir}/getenforce
%{_sbindir}/getsebool
%{_sbindir}/matchpathcon
%{_sbindir}/selabel_digest
%{_sbindir}/selabel_lookup
%{_sbindir}/selinux_check_access
%{_sbindir}/selabel_lookup_best_match
%{_sbindir}/selabel_partial_match
%{_sbindir}/selinuxconlist
%{_sbindir}/selinuxdefcon
%{_sbindir}/selinuxenabled
%{_sbindir}/setenforce
%{_sbindir}/togglesebool
#%#{_sbindir}/selinux_restorecon
%{_sbindir}/selinux-ready
%{_sbindir}/selinuxexeccon
%{_sbindir}/sefcontext_compile
%{_mandir}/man5/*
%{_mandir}/man8/*
%files -n libselinux1
%defattr(-,root,root,-)
/%{_lib}/libselinux.so.*
/var/run/setrans
%files devel
%defattr(-,root,root,-)
%{_libdir}/libselinux.so
%{_includedir}/selinux/
%{_mandir}/man3/*
%{_libdir}/pkgconfig/libselinux.pc
%files devel-static
%defattr(-,root,root,-)
%{_libdir}/libselinux.a
%dir %{_includedir}/selinux
%{_includedir}/selinux/*
%{_mandir}/man3/*
%package -n python3-selinux
Summary: Python bindings for the SELinux runtime library
License: SUSE-Public-Domain
Group: Development/Libraries/Python
%define oldpython python
%ifpython2
Obsoletes: %{oldpython}-selinux < %{version}
Provides: %{oldpython}-selinux = %{version}
%endif
Requires: libselinux1 = %{version}
Requires: python3
%description -n python3-selinux
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
This subpackage contains Python extensions to use SELinux from that
language.
%package -n ruby-selinux
Summary: Ruby bindings for the SELinux runtime library
License: SUSE-Public-Domain
Group: Development/Languages/Ruby
Requires: libselinux1 = %{version}
Requires: ruby
%description -n ruby-selinux
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
This subpackage contains Ruby extensions to use SELinux from that
language.
%files -n python3-selinux
%files -n python-selinux
%defattr(-,root,root,-)
%{python3_sitearch}/*selinux*
%dir %{py_sitedir}/selinux
%{py_sitedir}/selinux/*
%files -n ruby-selinux
%defattr(-,root,root,-)
%{_libdir}/ruby/vendor_ruby/%{rb_ver}/%{rb_arch}/selinux.so
%{_libdir}/ruby/site_ruby/%{rb_ver}/%{rb_arch}/selinux.so
%changelog
* Fri Aug 01 2008 ro@suse.de
- fix requires for debuginfo package
* Tue Jul 15 2008 prusnak@suse.cz
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>

13
python3.patch
View File

@ -1,13 +0,0 @@
Index: libselinux-2.7/src/Makefile
===================================================================
--- libselinux-2.7.orig/src/Makefile
+++ libselinux-2.7/src/Makefile
@@ -1,7 +1,7 @@
# Support building the Python bindings multiple times, against various Python
# runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build
# targets with "PYPREFIX":
-PYTHON ?= python
+PYTHON ?= python3
PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python-%d.%d" % sys.version_info[:2])')
RUBY ?= ruby
RUBYPREFIX ?= $(notdir $(RUBY))

12
readv-proto.patch
View File

@ -1,12 +0,0 @@
Index: libselinux-2.5/src/setrans_client.c
===================================================================
--- libselinux-2.5.orig/src/setrans_client.c
+++ libselinux-2.5/src/setrans_client.c
@@ -9,6 +9,7 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
+#include <sys/uio.h>
#include <errno.h>
#include <stdlib.h>

0
ready Normal file
View File

272
selinux-ready
View File

@ -1,272 +0,0 @@
#!/bin/bash
KERNEL="unknown"
INITRD="unknown"
TD=""
# init needs /selinux to be there
check_dir()
{
SLDIRS="/selinux /sys/fs/selinux"
FOUND="no"
for DIR in $SLDIRS; do
if [ -d $DIR ]; then
printf "\tcheck_dir: OK. $DIR exists.\n"
FOUND="yes"
fi
done
if [ $FOUND == "yes" ]; then
return 0
else
printf "\tcheck_dir: ERR. Neither of $SLDIRS does exist. Please execute 'mkdir /sys/fs/selinux' as root\n"
return 1
fi
}
check_filesystem()
{
FSPATH="/proc/filesystems"
FSNAMES="securityfs selinuxfs"
OK="O"
for FSNAME in $FSNAMES; do
grep -w $FSNAME $FSPATH 1>&2 >/dev/null
if [ $? == 0 ]; then
printf "\tcheck_filesystem: OK. Filesystem '$FSNAME' exists.\n"
else
printf "\tcheck_filesystem: ERR. Filesystem '$FSNAME' is missing. Please enable SELinux while compiling the kernel.\n"
OK="1"
fi
done
if [ "$OK" == "0" ]; then
return 0;
else
return 1;
fi
}
check_boot()
{
BPARAM1="security=selinux"
BPARAM2="selinux=1"
printf "\tcheck_boot: Assuming GRUB2 as bootloader.\n"
# look for parameters of the current kernel
CURRENT_KERNEL=$(uname -r)
OTHERS=""
RETVAL="FAIL"
while read BLINE
do
K=$(echo $BLINE | awk -F' ' '{print $2}')
KERNEL=$(basename $K)
K=$(echo $KERNEL | sed s/vmlinuz-//)
if [ "$K" == "$CURRENT_KERNEL" ]; then
INITRD=initrd-$K
RETVAL="OK"
else
OTHERS="$KERNEL $OTHERS"
fi
done < <(grep -- $BPARAM1 /boot/grub2/grub.cfg 2>/dev/null | grep -- $BPARAM2)
if [ "$RETVAL" == OK ]; then
printf "\tcheck_boot: OK. Current kernel '$KERNEL' has boot-parameters '$BPARAM1 $BPARAM2'\n"
printf "\tcheck_boot: OK. Other kernels with correct parameters: $OTHERS\n"
return 0
else
printf "\tcheck_boot: ERR. Boot-parameter missing for booting the kernel.\n"
printf "\t Please use YaST2 to add 'security=selinux selinux=1' to the kernel boot-parameter list.\n"
return 1
fi
}
check_mkinitrd()
{
if [ "$INITRD" == "unknown" ]; then
return 1
fi
MCMD="mount.*/root/proc.*"
if ! [ -f "/boot/$INITRD" ];then
printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/$INITRD'\n"
return 2
fi
cp /boot/$INITRD $TD/ 2>/dev/null
if ! [ -f "$TD/$INITRD" ];then
printf "\tcheck_mkinitrd: ERR. Error while copying initrd file.'\n"
return 2
fi
pushd . 2>&1>/dev/null
cd $TD
mkdir initrd-extracted
cd initrd-extracted
INITRD_FORMAT=$(file $TD/$INITRD | awk -F' ' '{print $2}')
case $INITRD_FORMAT in
'XZ' )
xz -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
'ASCII' )
/usr/lib/dracut/skipcpio $TD/$INITRD | xz -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
'gzip' )
gzip -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
* )
printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n"
return 2
esac
if [ -d boot ]; then
grep -E -- $MCMD boot/* 2>&1 >/dev/null
FLG1=$?
grep -E -- load_policy boot/* 2>&1 >/dev/null
FLG2=$?
else
# looks like we're using dracut/systemd. We can only check if libselinux1
# exists
if [ -f lib64/libselinux.so.1 ]; then
# if this exists
FLG1=0
FLG2=0
fi
fi
popd 2>&1>/dev/null
if [ $FLG1 == 0 -a $FLG2 == 0 ];then
printf "\tcheck_mkinitrd: OK. Your initrd seems to be correct.\n"
return 0
else
printf "\tcheck_mkinitrd: ERR. Your initrd seems not to mount /proc of\n"
printf "\t the root filesystem during boot and/or load_policy\n"
printf "\t is missing,\n"
printf "\t this may be a reason for SELinux not working.\n"
return 1
fi
}
check_pam()
{
AA_PAM=0
SE_PAM=0
# test for AA pam module
grep apparmor /etc/pam.d/* 2>&1 >/dev/null
FLG=$?
if [ $FLG == 0 ]; then
AA_PAM=1
fi
# test for SELinux pam module
grep selinux /etc/pam.d/* 2>&1 >/dev/null
FLG=$?
if [ $FLG == 0 ]; then
SE_PAM=1
fi
# suggest config
if [ $SE_PAM == 1 ] && [ $AA_PAM == 0 ]; then
printf "\tcheck_pam: OK. Your PAM configuration seems to be correct.\n"
return 0
fi
printf "\tcheck_pam: ERR. Your PAM configuration seems to be incorrect.\n"
if [ $AA_PAM == 1 ]; then
printf " execute 'pam-config -d --apparmor' as root\n"
fi
if [ $SE_PAM == 0 ]; then
printf " execute 'pam-config -a --selinux' as root\n"
fi
return 1
}
check_initupstart()
{
CFGFILE="/etc/selinux/config"
if ! [ -f $CFGFILE ]; then
printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n"
return 1;
fi
}
check_runlevel()
{
if [ "$(systemctl is-enabled restorecond.service)" == "enabled" ]; then
printf "\tcheck_runlevel: OK. restorecond is enabled on your system\n"
return 0;
fi
printf "\tcheck_runlevel: ERR. please execute 'yast2 runlevel' and enable restorecond.\n"
return 1
}
check_packages()
{
PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 selinux-policy"
FAIL=0
for i in $PKGLST
do
rpm -q $i 1>&2 >/dev/null
if [ $? == 1 ];then
printf "\tcheck_packages: ERR. Package '$i' not installed, please run 'zypper in $i' as root\n"
FAIL=1
fi
done
if [ $FAIL == 0 ]; then
printf "\tcheck_packages: OK. All essential packages are installed\n"
return 0
else
return 1
fi
}
check_config()
{
CF="/etc/selinux/config"
if [ -f $CF ];then
printf "\tcheck_config: OK. Config file seems to be there.\n"
# with -L because /etc/selinux/config is now a link to /etc/sysconfig/selinux-policy
if ! [ $(stat -L --printf=%a $CF) -eq "644" ]; then
printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n"
return 1
fi
# check that SELINUX is not disabled there
SELINUX_MODE=$(grep "^\s*SELINUX\s*=" $CF | sed "s/SELINUX\s*=\(\S*\)\s*"/\\1/)
case "$SELINUX_MODE" in
permissive | enforcing )
printf "\tcheck_config: OK. SELINUX is set to '$SELINUX_MODE'.\n"
return 0
;;
* )
printf "\tcheck_config: ERR. SELINUX is set to '$SELINUX_MODE' in '$CF'. Should be either 'permissive' or 'enforcing'\n"
return 1
;;
esac
else
printf "\tcheck_config: ERR. Config file '$CF' is missing.\n"
return 1
fi
}
TD=$(mktemp -q -d /tmp/selinux-ready.XXXXXX)
echo "Start checking your system if it is selinux-ready or not:"
check_dir
check_filesystem
check_boot
check_mkinitrd
check_packages
check_config
check_initupstart
check_pam
check_runlevel
rm -rf $TD