From 9a44e1df850eb66c7f9a122fa69db247eaf6f0701b2a668c11ce2cf9600ca36f Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Thu, 30 Jul 2015 12:06:49 +0000 Subject: [PATCH 1/3] Accepting request 319563 from home:jsegitz:branches:security:SELinux - Update to version 2.3 * Get rid of security_context_t and fix const declarations. * Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover. - fixed selinux-ready to work with initrd files created by dracut (bsc#940006) OBS-URL: https://build.opensuse.org/request/show/319563 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=83 --- libselinux-bindings.changes | 7 +++++++ libselinux-bindings.spec | 2 +- libselinux.changes | 5 +++++ libselinux.spec | 2 +- selinux-ready | 2 ++ 5 files changed, 16 insertions(+), 2 deletions(-) diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 533efff..b935b1b 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org + +- Update to version 2.3 +* Get rid of security_context_t and fix const declarations. +* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover. + ------------------------------------------------------------------- Wed May 27 11:53:54 UTC 2015 - dimstar@opensuse.org diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 26506d7..fa7992d 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux-bindings # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
diff --git a/libselinux.changes b/libselinux.changes index 496afd0..f38ca7b 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Jul 30 12:00:27 UTC 2015 - jsegitz@novell.com + +- fixed selinux-ready to work with initrd files created by dracut (bsc#940006) + ------------------------------------------------------------------- Mon Sep 8 08:25:11 UTC 2014 - jsegitz@suse.com diff --git a/libselinux.spec b/libselinux.spec index fc7d615..1f14a69 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed diff --git a/selinux-ready b/selinux-ready index 667c95e..163489b 100644 --- a/selinux-ready +++ b/selinux-ready @@ -113,6 +113,8 @@ check_mkinitrd() case $INITRD_FORMAT in 'XZ' ) xz -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; + 'ASCII' ) + /usr/lib/dracut/skipcpio $TD/$INITRD | xz -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; 'gzip' ) gzip -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; * ) From 9503bfe5fedc337de021ee62217e2a794663ef0ea7eded584d32d72176b18fee Mon Sep 17 00:00:00 2001 
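Review bot: The new `'ASCII'` branch of check_mkinitrd hard-codes both `/usr/lib/dracut/skipcpio` and `xz -d` without checking that the helper exists or that the payload behind the early cpio really is xz. dracut images can be built with other compressors, and only cpio's stderr is discarded, so a mismatch leaves an empty or partial tree in the extraction directory; how the rest of the function (outside this hunk) treats that is not visible, but a readiness check should fail loudly rather than risk a wrong verdict. I would guard the branch with a `[ -x /usr/lib/dracut/skipcpio ]` test, detect the inner format the same way INITRD_FORMAT is derived for the outer file, and quote the path as `"$TD/$INITRD"` (the neighbouring branches share the unquoted form).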
From: Johannes Segitz Date: Wed, 13 Jul 2016 07:22:28 +0000 Subject: [PATCH 2/3] Accepting request 408218 from security:SELinux 1 OBS-URL: https://build.opensuse.org/request/show/408218 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=84 --- libselinux-2.3.tar.gz | 3 -- libselinux-2.5.tar.gz | 3 ++ libselinux-bindings.changes | 77 +++++++++++++++++++++++++++++++--- libselinux-bindings.spec | 10 +++-- libselinux.changes | 66 +++++++++++++++++++++++++++++ libselinux.spec | 14 +++++-- python-selinux-swig-3.10.patch | 13 ++++++ 7 files changed, 171 insertions(+), 15 deletions(-) delete mode 100644 libselinux-2.3.tar.gz create mode 100644 libselinux-2.5.tar.gz create mode 100644 python-selinux-swig-3.10.patch diff --git a/libselinux-2.3.tar.gz b/libselinux-2.3.tar.gz deleted file mode 100644 index 42e4bd4..0000000 --- a/libselinux-2.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0b1e0b43ecd84a812713d09564019b08e7c205d89072b5cbcd07b052cd8e77b2 -size 171254 diff --git a/libselinux-2.5.tar.gz b/libselinux-2.5.tar.gz new file mode 100644 index 0000000..38881dc --- /dev/null +++ b/libselinux-2.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f +size 189019 diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index b935b1b..4ee132a 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes 
@@ -1,3 +1,74 @@
+-------------------------------------------------------------------
+Tue Jul 5 16:44:44 UTC 2016 - i@marguerite.su
+
+- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
+ * swig-3.10 in Factory use importlib instead of imp to find
+ _selinux.so. imp searched the same directory as __init__.py
+ is while importlib searchs only standard paths. so we have
+ to move _selinux.so. fixed by upstream
+- update version 2.5
+ * Add selinux_restorecon function
+ * read_spec_entry: fail on non-ascii
+ * Add man information about thread specific functions
+ * Don't wrap rpm_execcon with DISABLE_RPM with SWIG
+ * Correct line count for property and service context files
+ * label_file: fix memory leaks and uninitialized jump
+ * Replace selabel_digest hash function
+ * Fix selabel_open(3) services if no digest requested
+ * Add selabel_digest function
+ * Flush the class/perm string mapping cache on policy reload
+ * Fix restorecon when path has no context
+ * Free memory when processing media and x specfiles
+ * Fix mmap memory release for file labeling
+ * Add policy context validation to sefcontext_compile
+ * Do not treat an empty file_contexts(.local) as an error
+ * Fail hard on invalid property_contexts entries
+ * Fail hard on invalid file_contexts entries
+ * Support context validation on file_contexts.bin
+ * Add selabel_cmp interface and label_file backend
+ * Support specifying file_contexts.bin file path
+ * Support file_contexts.bin without file_contexts
+ * Simplify procattr cache
+ * Use /proc/thread-self when available
+ * Add const to selinux_opt for label backends
+ * Fix binary file labels for regexes with metachars
+ * Fix file labels for regexes with metachars
+ * Fix if file_contexts not '\n' terminated
+ * Enhance file context support
+ * Fix property processing and cleanup formatting
+ * Add read_spec_entries function to replace sscanf
+ * Support consistent mode size for bin files
+ * Fix more bin file processing core dumps
+ * add selinux_openssh_contexts_path()
+ * setrans_client: minimize overhead when mcstransd is not present
+ * Ensure selabel_lookup_best_match links NULL terminated
+ * Fix core dumps with corrupt *.bin files
+ * Add selabel partial and best match APIs
+ * Use os.walk() instead of the deprecated os.path.walk()
+ * Remove deprecated mudflap option
+ * Mount procfs before checking /proc/filesystems
+ * Fix -Wformat errors with gcc-5.0.0
+ * label_file: handle newlines in file names
+ * Fix audit2why error handling if SELinux is disabled
+ * pcre_study can return NULL without error
+ * Only check SELinux enabled status once in selinux_check_access
+- changes in 2.4
+ * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
+ * Fix bugs found by hardened gcc flags
+ * Set the system to permissive if failing to disable SELinux because
+ policy has already been loaded
+ * Add db_exception and db_datatype support to label_db backend
+ * Log an error on unknown classes and permissions
+ * Add pcre version string to the compiled file_contexts format
+ * Deprecate use of flask.h and av_permissions.h
+ * Compiled file_context files and the original should have the same DAC
+ permissions
+-------------------------------------------------------------------
+Wed May 27 11:53:54 UTC 2015 - dimstar@opensuse.org
+
+- Update libselinux-2.2-ruby.patch: use RbConfig instead of
+ deprecated Config.
+
 -------------------------------------------------------------------
 Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org
@@ -5,12 +76,6 @@ Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org * Get rid of security_context_t and fix const declarations. * Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover. -------------------------------------------------------------------- -Wed May 27 11:53:54 UTC 2015 - dimstar@opensuse.org - -- Update libselinux-2.2-ruby.patch: use RbConfig instead of - deprecated Config. - ------------------------------------------------------------------- Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index fa7992d..9d2acdf 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -16,10 +16,10 @@ # -%define libsepol_ver 2.3 +%define libsepol_ver 2.5 Name: libselinux-bindings -Version: 2.3 +Version: 2.5 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities @@ -27,10 +27,12 @@ License: GPL-2.0 and SUSE-Public-Domain Group: System/Libraries # embedded is the MD5 -Source: http://userspace.selinuxproject.org/releases/20140506/libselinux-%{version}.tar.gz +Source: http://userspace.selinuxproject.org/releases/20160223/libselinux-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch1: libselinux-2.2-ruby.patch +# PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path +Patch2: python-selinux-swig-3.10.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: libsepol-devel-static >= %{libsepol_ver} BuildRequires: pcre-devel @@ -106,6 +108,7 @@ decisions. Required for any applications that use the SELinux API. %prep %setup -q -n libselinux-%{version} %patch1 +%patch2 -p1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS" -C src 
@@ -122,6 +125,7 @@ rm -rf $RPM_BUILD_ROOT/%{_lib} $RPM_BUILD_ROOT%{_libdir}/libselinux.* $RPM_BUILD %files -n python-selinux %defattr(-,root,root,-) %dir %{py_sitedir}/selinux +%{py_sitedir}/_selinux.so %{py_sitedir}/selinux/* %files -n ruby-selinux diff --git a/libselinux.changes b/libselinux.changes index f38ca7b..86c8074 100644 --- a/libselinux.changes +++ b/libselinux.changes 
@@ -1,3 +1,69 @@
+-------------------------------------------------------------------
+Tue Jul 5 16:42:03 UTC 2016 - i@marguerite.su
+
+- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
+ * swig-3.10 in Factory use importlib instead of imp to find
+ _selinux.so. imp searched the same directory as __init__.py
+ is while importlib searchs only standard paths. so we have
+ to move _selinux.so. fixed by upstream
+- update version 2.5
+ * Add selinux_restorecon function
+ * read_spec_entry: fail on non-ascii
+ * Add man information about thread specific functions
+ * Don't wrap rpm_execcon with DISABLE_RPM with SWIG
+ * Correct line count for property and service context files
+ * label_file: fix memory leaks and uninitialized jump
+ * Replace selabel_digest hash function
+ * Fix selabel_open(3) services if no digest requested
+ * Add selabel_digest function
+ * Flush the class/perm string mapping cache on policy reload
+ * Fix restorecon when path has no context
+ * Free memory when processing media and x specfiles
+ * Fix mmap memory release for file labeling
+ * Add policy context validation to sefcontext_compile
+ * Do not treat an empty file_contexts(.local) as an error
+ * Fail hard on invalid property_contexts entries
+ * Fail hard on invalid file_contexts entries
+ * Support context validation on file_contexts.bin
+ * Add selabel_cmp interface and label_file backend
+ * Support specifying file_contexts.bin file path
+ * Support file_contexts.bin without file_contexts
+ * Simplify procattr cache
+ * Use /proc/thread-self when available
+ * Add const to selinux_opt for label backends
+ * Fix binary file labels for regexes with metachars
+ * Fix file labels for regexes with metachars
+ * Fix if file_contexts not '\n' terminated
+ * Enhance file context support
+ * Fix property processing and cleanup formatting
+ * Add read_spec_entries function to replace sscanf
+ * Support consistent mode size for bin files
+ * Fix more bin file processing core dumps
+ * add selinux_openssh_contexts_path()
+ * setrans_client: minimize overhead when mcstransd is not present
+ * Ensure selabel_lookup_best_match links NULL terminated
+ * Fix core dumps with corrupt *.bin files
+ * Add selabel partial and best match APIs
+ * Use os.walk() instead of the deprecated os.path.walk()
+ * Remove deprecated mudflap option
+ * Mount procfs before checking /proc/filesystems
+ * Fix -Wformat errors with gcc-5.0.0
+ * label_file: handle newlines in file names
+ * Fix audit2why error handling if SELinux is disabled
+ * pcre_study can return NULL without error
+ * Only check SELinux enabled status once in selinux_check_access
+- changes in 2.4
+ * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
+ * Fix bugs found by hardened gcc flags
+ * Set the system to permissive if failing to disable SELinux because
+ policy has already been loaded
+ * Add db_exception and db_datatype support to label_db backend
+ * Log an error on unknown classes and permissions
+ * Add pcre version string to the compiled file_contexts format
+ * Deprecate use of flask.h and av_permissions.h
+ * Compiled file_context files and the original should have the same DAC
+ permissions
+
 -------------------------------------------------------------------
 Thu Jul 30 12:00:27 UTC 2015 - jsegitz@novell.com
diff --git a/libselinux.spec b/libselinux.spec
index 1f14a69..8f59f12 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -16,20 +16,22 @@ # -%define libsepol_ver 2.3 +%define libsepol_ver 2.5 Name: libselinux -Version: 2.3 +Version: 2.5 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux library and simple utilities License: GPL-2.0 and SUSE-Public-Domain Group: System/Libraries -Source: http://userspace.selinuxproject.org/releases/20140506/%{name}-%{version}.tar.gz +Source: http://userspace.selinuxproject.org/releases/20160223/%{name}-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch1: %{name}-2.2-ruby.patch +# PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path +Patch2: python-selinux-swig-3.10.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes BuildRequires: libsepol-devel >= %{libsepol_ver} @@ -120,6 +122,7 @@ necessary to develop your own software using libselinux. %prep %setup -q %patch1 +%patch2 -p1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS" @@ -159,11 +162,16 @@ install -m 0755 %{SOURCE1} $RPM_BUILD_ROOT%{_sbindir}/selinux-ready %{_sbindir}/getenforce %{_sbindir}/getsebool %{_sbindir}/matchpathcon +%{_sbindir}/selabel_digest +%{_sbindir}/selabel_lookup +%{_sbindir}/selabel_lookup_best_match +%{_sbindir}/selabel_partial_match %{_sbindir}/selinuxconlist %{_sbindir}/selinuxdefcon %{_sbindir}/selinuxenabled %{_sbindir}/setenforce %{_sbindir}/togglesebool +%{_sbindir}/selinux_restorecon %{_sbindir}/selinux-ready %{_sbindir}/selinuxexeccon %{_sbindir}/sefcontext_compile diff --git a/python-selinux-swig-3.10.patch b/python-selinux-swig-3.10.patch new file mode 100644 index 0000000..20897e3 --- /dev/null +++ b/python-selinux-swig-3.10.patch 
@@ -0,0 +1,13 @@ +Index: b/src/Makefile +=================================================================== +--- a/src/Makefile ++++ b/src/Makefile +@@ -155,7 +155,7 @@ install: all + + install-pywrap: pywrap + test -d $(PYLIBDIR)/site-packages/selinux || install -m 755 -d $(PYLIBDIR)/site-packages/selinux +- install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/selinux/_selinux.so ++ install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/_selinux.so + install -m 755 $(AUDIT2WHYSO) $(PYLIBDIR)/site-packages/selinux/audit2why.so + install -m 644 $(SWIGPYOUT) $(PYLIBDIR)/site-packages/selinux/__init__.py + From 2aadb1f9f190cf47489642ac5dc881bfd7877d6c1a4af9ee1a4b75f0ae2ef5e7 Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Thu, 14 Jul 2016 08:42:04 +0000 Subject: [PATCH 3/3] Accepting request 408436 from home:jsegitz:branches:security:SELinux - Adjusted source link - Adjusted source link OBS-URL: https://build.opensuse.org/request/show/408436 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=85 --- libselinux-bindings.changes | 5 +++++ libselinux-bindings.spec | 4 ++-- libselinux.changes | 5 +++++ libselinux.spec | 6 +++--- 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/libselinux-bindings.changes b/libselinux-bindings.changes index 4ee132a..590b354 100644 --- a/libselinux-bindings.changes +++ b/libselinux-bindings.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com + +- Adjusted source link + ------------------------------------------------------------------- Tue Jul 5 16:44:44 UTC 2016 - i@marguerite.su diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 9d2acdf..7a4216b 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec 
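Review bot: python-selinux-swig-3.10.patch is added without any header: the file starts directly at `Index: b/src/Makefile`, so neither the bug it fixes nor the upstream commit it was taken from is recorded in the patch itself. The spec tags it PATCH-FIX-UPSTREAM and the changelog says "fixed by upstream", which makes the missing commit reference the one thing a later maintainer needs to decide when the patch can be dropped. I would prepend a short description naming boo#985368 and the upstream commit (`Upstream: <UPSTREAM_COMMIT_PLACEHOLDER>`), and note there that `_selinux.so` moves out of the `selinux/` package directory into top-level site-packages.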
@@ -1,7 +1,7 @@ # # spec file for package libselinux-bindings # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -27,7 +27,7 @@ License: GPL-2.0 and SUSE-Public-Domain Group: System/Libraries # embedded is the MD5 -Source: http://userspace.selinuxproject.org/releases/20160223/libselinux-%{version}.tar.gz +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch1: libselinux-2.2-ruby.patch diff --git a/libselinux.changes b/libselinux.changes index 86c8074..c08ec5a 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com + +- Adjusted source link + ------------------------------------------------------------------- Tue Jul 5 16:42:03 UTC 2016 - i@marguerite.su diff --git a/libselinux.spec b/libselinux.spec index 8f59f12..e8071bc 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,7 +1,7 @@ # # spec file for package libselinux # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
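Review bot: The new HTTPS `Source:` URL is still not tied to any digest or signature in the lines shown, and the comment kept directly above it, `# embedded is the MD5`, does not say which MD5 is meant or where it is checked. The path is served from a GitHub wiki repository, which is ordinary mutable content, so the date directory alone does not pin the tarball. I would replace the stale comment with the published digest, e.g. `# sha256: <UPSTREAM_SHA256_PLACEHOLDER> (upstream release 20160223)`, and do the same for the `Source:` change in libselinux.spec. The rest of both preambles is outside the hunks, so a verification step may already exist elsewhere.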
@@ -26,12 +26,12 @@ Summary: SELinux library and simple utilities License: GPL-2.0 and SUSE-Public-Domain Group: System/Libraries -Source: http://userspace.selinuxproject.org/releases/20160223/%{name}-%{version}.tar.gz +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf Patch1: %{name}-2.2-ruby.patch # PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path -Patch2: python-selinux-swig-3.10.patch +Patch2: python-selinux-swig-3.10.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes BuildRequires: libsepol-devel >= %{libsepol_ver}