testing/libselinux
SHA256
3
0
Fork 0
forked from pool/libselinux
Code Pull Requests Activity

Accepting request 1184293 from home:cahu:security:SELinux:userspace37

Browse Source 
- Update to version 3.7
  https://github.com/SELinuxProject/selinux/releases/tag/3.7
  * User-visible changes
    * libselinux/utils/selabel_digest: drop unsupported option -d
    * libselinux/utils: improve compute_av output
    * libselinux: fail selabel_open(3) on invalid option
    * Improved man pages
  * Improvements
    * libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
    * libselinux: enable usage with pedantic UB sanitizers
    * libselinux: support huge passwd/group entries
  * Bugfixes:
    * libselinux/utils/selabel_digest: avoid buffer overflow
    * libselinux: avoid pointer dereference before check
    * libselinux/utils/selabel_digest: pass BASEONLY only for file backend
    * libselinux: free empty scandir(3) result
    * libselinux: free data on selabel open failure
    * libselinux: use reentrant strtok_r(3)
- Update to version 3.7
  https://github.com/SELinuxProject/selinux/releases/tag/3.7
  * User-visible changes
    * libselinux/utils/selabel_digest: drop unsupported option -d
    * libselinux/utils: improve compute_av output
    * libselinux: fail selabel_open(3) on invalid option
    * Improved man pages
  * Improvements
    * libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
    * libselinux: enable usage with pedantic UB sanitizers
    * libselinux: support huge passwd/group entries
  * Bugfixes:
    * libselinux/utils/selabel_digest: avoid buffer overflow
    * libselinux: avoid pointer dereference before check
    * libselinux/utils/selabel_digest: pass BASEONLY only for file backend
    * libselinux: free empty scandir(3) result
    * libselinux: free data on selabel open failure
    * libselinux: use reentrant strtok_r(3)

OBS-URL: https://build.opensuse.org/request/show/1184293
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=171
This commit is contained in:
Cathy Hu 2024-07-02 09:43:34 +00:00 committed by Git OBS Bridge
commit f1e382eed0
18 changed files with 2151 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

4
_multibuild Normal file
View File

@ -0,0 +1,4 @@
<multibuild>
<package>libselinux-bindings</package>
</multibuild>

1
baselibs.conf Normal file
View File

@ -0,0 +1 @@
libselinux1

3
libselinux-3.6.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ba4e0ef34b270e7672a5e5f1b523fe2beab3a40bb33d9389f4ad3a8728f21b52
size 194210

16
libselinux-3.6.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEG+LA/wiUliMQL9JWRpWIHCVFCNEFAmV5xAIACgkQRpWIHCVF
CNEkQw/9Go6DkB41CAdTC/DV30zM4fUT18aQR9GzbI2TWNv0akNpu6RSyGY0zW5c
8xouAroaPovAMyZ4blIxxO3lOobuAl/wNgx47U0NMVMafFciHJXs/jBpfJkhOxiC
fywHmXlY1k+zKfyMuOOWisNv5dbw/ldJWnY+PdGN6POgvriR0/AHTjYmsk76s0PF
vpI8/ZNNqiSb+UyMVWO9ffZSJO2OufLajwIeg+RoNPXhaUZvYQzRCIJm0VwK5XTq
fBdNFNDEA8TapmGQO8UBJpZXCodXvYzUxwFCoa7255cBRnvQJPSrCCZLbCnMjV+j
0VhhhcFbhVytUYHTV67WvTbs7uqrmb1HUHUT6TuCGhUnZ36g2OYNMXwqi41zzHIf
9e1ok0rGfCjRb/fJrgEsHRaWo8HT6/jIVdtib13/jzpZttX5sgGv7WoeZcj1413r
cJmihECqxPV1+wWghnQEnGcE2XspXTueL4mzV7MqJDu8lu3itOdFxpOz4aMw4HbD
sd7Ew8zEQcyAStH9Obx9p/ri73iR9+lQgxszqAm24jemrC4FBwlhbb43RqulCafb
ieeH+1c9F8mc+R6BKvcE76Luiycy7Hm5ASUKANMWwxe6/hv1q9p3l4wKXWlkZXj7
3kBhKP+Rua+be4g1TScIUwGscpVogSN2e3AqBb7dgHt3b6Ik3U4=
=OnpU
-----END PGP SIGNATURE-----

3
libselinux-3.7.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ea03f42d13a4f95757997dba8cf0b26321fac5d2f164418b4cc856a92d2b17bd
size 194834

16
libselinux-3.7.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEG+LA/wiUliMQL9JWRpWIHCVFCNEFAmZ8NeAACgkQRpWIHCVF
CNF3fA//Ypv/FVd6BDBmpZkWqui1kHUFv+TSKGfuObrOPfX8RXVnO4GWUKjnwJZF
u5FWu5lXZGPFGLKyZJD+OPAGofC5GGApr175eBlxqokhfj7UfZMrdK8ARUgQTuIE
QEh4LGR/7gzpc/HY8YL7rbzeAlXsFtuZoSlUfmyNs2tmXiOJ9dBQVxic91Q282Lr
Y2CLv1fAlOUT3h7fw3+YfBGALdn3CMrOJvr1npEcfnXHxAN/w4OKNAKQIcoAjZCw
w4EGA1FyvaT+hSOQZDzMBpYheSXCBxPg4OEIWNxge6jP/+J/mHqx1QHrDERa9vwA
Qpd01uI5C7LthMNc2INy1m5jrSBL7/5yjboj8O+53JSDLRH/8j2ykMXBvvje5y+Z
8optL/C7VEawaRWGVm4TCwm6adF28T2NoGWYnNymVLWc7oe/p7QpYxtNMDieeVAy
bnl9OX8S1VoDo4momyG9Ya4d9fAKCvaN+LIPeyYB6qqrmMCAzAU3J25vzLElXA+1
fNhFrQFuKt455OFy8LB94abWuwBTa/f+HkU6++6Ksr5B1ZBKsluCYVWONUHMLwDF
ZN6SHwBq37v3sz+4i+Cy0K0uYA6DQanB8yQYC98rwUtatqaTajIUCKyxJO3GIX4R
lBPwCC2/T1jOTG8u8jT5KcWFtETbjfSCePjdnhi67totbc1kST8=
=eK5w
-----END PGP SIGNATURE-----

545
libselinux-bindings.changes Normal file
View File

@ -0,0 +1,545 @@
-------------------------------------------------------------------
Mon Jul 1 07:53:14 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
- Update to version 3.7
https://github.com/SELinuxProject/selinux/releases/tag/3.7
* User-visible changes
* libselinux/utils/selabel_digest: drop unsupported option -d
* libselinux/utils: improve compute_av output
* libselinux: fail selabel_open(3) on invalid option
* Improved man pages
* Improvements
* libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
* libselinux: enable usage with pedantic UB sanitizers
* libselinux: support huge passwd/group entries
* Bugfixes:
* libselinux/utils/selabel_digest: avoid buffer overflow
* libselinux: avoid pointer dereference before check
* libselinux/utils/selabel_digest: pass BASEONLY only for file backend
* libselinux: free empty scandir(3) result
* libselinux: free data on selabel open failure
* libselinux: use reentrant strtok_r(3)
-------------------------------------------------------------------
Wed Jan 3 09:36:44 UTC 2024 - Ben Greiner <code@bnavigator.de>
- The PEP517 python build requires setuptools
-------------------------------------------------------------------
Tue Dec 19 11:04:55 UTC 2023 - Cathy Hu <cathy.hu@suse.com>
- Update to version 3.6
https://github.com/SELinuxProject/selinux/releases/tag/3.6
* libselinux: performance optimization for duplicate detection
* Introduce getpolicyload - a helper binary to print the number of policy reloads on the running system
* Add notself support for neverallow rules
* Improve man pages
* man pages: Remove the Russian translations
* Add notself and other support to CIL
* Add support for deny rules
* Translations updated from
https://translate.fedoraproject.org/projects/selinux/
* Bug fixes
- Remove keys from keyring since they expired:
- E853C1848B0185CF42864DF363A8AD4B982C4373
Petr Lautrbach <plautrba@redhat.com>
- 63191CE94183098689CAB8DB7EF137EC935B0EAF
Jason Zaman <jasonzaman@gmail.com>
- Add key to keyring:
- B8682847764DF60DF52D992CBC3905F235179CF1
Petr Lautrbach <lautrbach@redhat.com>
-------------------------------------------------------------------
Thu Nov 30 16:41:34 UTC 2023 - Hu <cathy.hu@suse.com>
- Also build python3-selinux for toolchain compability on SLE
-------------------------------------------------------------------
Fri Aug 4 13:14:19 UTC 2023 - Matej Cepl <mcepl@suse.com>
- (bsc#1212618) Divide libselinux and libselinux-bindings again.
libselinux itself is in Ring0 so it has to have absolutely
minimal dependencies, so it is better to separate
libselinux-bindings into a separate pacakge.
-------------------------------------------------------------------
Tue Jun 20 13:34:39 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
-------------------------------------------------------------------
Thu Jun 1 11:50:33 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
-------------------------------------------------------------------
Fri May 5 12:35:31 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
- Add python-wheel build dependency to build correctly with latest
python-pip version.
-------------------------------------------------------------------
Thu May 4 14:04:04 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
-------------------------------------------------------------------
Thu Mar 23 15:39:15 UTC 2023 - Martin Liška <mliska@suse.cz>
- Enable LTO as it works fine now.
-------------------------------------------------------------------
Fri Feb 24 07:42:25 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
-------------------------------------------------------------------
Mon May 9 10:23:32 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
-------------------------------------------------------------------
Thu Nov 11 13:25:30 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
-------------------------------------------------------------------
Wed Mar 17 15:17:27 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
-------------------------------------------------------------------
Tue Mar 9 09:01:15 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
-------------------------------------------------------------------
Tue Jul 14 08:24:20 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
-------------------------------------------------------------------
Tue Mar 3 11:13:12 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
-------------------------------------------------------------------
Mon Dec 16 16:04:41 UTC 2019 - Johannes Segitz <jsegitz@suse.de>
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
-------------------------------------------------------------------
Wed Oct 30 17:21:00 CET 2019 - Matej Cepl <mcepl@suse.com>
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesnt automatically adds -lpython<ver>
-------------------------------------------------------------------
Tue May 28 08:28:03 UTC 2019 - Martin Liška <mliska@suse.cz>
- Disable LTO (boo#1133244).
-------------------------------------------------------------------
Fri May 24 11:22:19 UTC 2019 - <jsegitz@suse.com>
- Set License: to correct value (bsc#1135710)
-------------------------------------------------------------------
Wed Mar 20 15:05:35 UTC 2019 - jsegitz@suse.com
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
-------------------------------------------------------------------
Wed Oct 17 11:48:30 UTC 2018 - jsegitz@suse.com
- Update to version 2.8 (bsc#1111732).
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
-------------------------------------------------------------------
Mon May 14 22:50:42 UTC 2018 - mcepl@cepl.eu
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
-------------------------------------------------------------------
Fri Mar 16 15:25:10 UTC 2018 - jsegitz@suse.com
- Updated spec file to use python3. Added python3.patch to fix
build
-------------------------------------------------------------------
Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
-------------------------------------------------------------------
Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de
- readv-proto.patch: include <sys/uio.h> for readv prototype
-------------------------------------------------------------------
Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
- Update RPM groups, trim description and combine filelist entries.
-------------------------------------------------------------------
Thu Jul 14 07:59:04 UTC 2016 - jsegitz@novell.com
- Adjusted source link
-------------------------------------------------------------------
Tue Jul 5 16:44:44 UTC 2016 - i@marguerite.su
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
-------------------------------------------------------------------
Wed May 27 11:53:54 UTC 2015 - dimstar@opensuse.org
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
-------------------------------------------------------------------
Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
-------------------------------------------------------------------
Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
-------------------------------------------------------------------
Thu Jun 27 14:57:53 UTC 2013 - vcizek@suse.com
- change the source url to the official 2.1.13 release tarball
-------------------------------------------------------------------
Wed Jan 30 12:33:45 UTC 2013 - vcizek@suse.com
- update to 2.1.12
- added BuildRequires: pcre-devel
-------------------------------------------------------------------
Mon Jan 7 22:34:03 UTC 2013 - jengelh@inai.de
- Remove obsolete defines/sections
-------------------------------------------------------------------
Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com
- updated to 2.1.9 again (see below)
-------------------------------------------------------------------
Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
-------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
- use %_smp_mflags
-------------------------------------------------------------------
Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz
- updated to 2.0.91
* changes too numerous to list
-------------------------------------------------------------------
Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de
- add baselibs.conf as a source
-------------------------------------------------------------------
Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com
- updated selinux-ready script
-------------------------------------------------------------------
Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
-------------------------------------------------------------------
Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz
- put libsepol-devel back to Requires of libselinux-devel
-------------------------------------------------------------------
Mon Jun 29 21:24:16 CEST 2009 - prusnak@suse.cz
- added selinux-ready tool to selinux-tools package
-------------------------------------------------------------------
Tue Jun 9 20:17:54 CEST 2009 - crrodriguez@suse.de
- remove static libraries
- libselinux-devel does not require libsepol-devel
-------------------------------------------------------------------
Wed May 27 14:06:14 CEST 2009 - prusnak@suse.cz
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
-------------------------------------------------------------------
Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz
- fixed memory leak (memleak.patch)
-------------------------------------------------------------------
Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
-------------------------------------------------------------------
Mon Dec 1 11:32:50 CET 2008 - prusnak@suse.cz
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
-------------------------------------------------------------------
Wed Oct 22 16:28:59 CEST 2008 - mrueckert@suse.de
- fix debug_packages_requires define
-------------------------------------------------------------------
Tue Sep 23 12:51:10 CEST 2008 - prusnak@suse.cz
- require only version, not release [bnc#429053]
-------------------------------------------------------------------
Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
-------------------------------------------------------------------
Mon Sep 1 07:35:00 CEST 2008 - aj@suse.de
- Fix build of debuginfo.
-------------------------------------------------------------------
Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
-------------------------------------------------------------------
Fri Aug 1 17:32:20 CEST 2008 - ro@suse.de
- fix requires for debuginfo package
-------------------------------------------------------------------
Tue Jul 15 16:26:31 CEST 2008 - prusnak@suse.cz
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>

124
libselinux-bindings.spec Normal file
View File

@ -0,0 +1,124 @@
#
# spec file for package libselinux-bindings
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%{?sle15allpythons}
%define python_subpackage_only 1
%define libsepol_ver 3.7
%define upname libselinux
Name: libselinux-bindings
Version: 3.7
Release: 0
Summary: SELinux runtime library and utilities
License: SUSE-Public-Domain
Group: Development/Libraries/C and C++
URL: https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{upname}-%{version}.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{upname}-%{version}.tar.gz.asc
Source2: libselinux.keyring
Source3: selinux-ready
Source4: baselibs.conf
# PATCH-FIX-UPSTREAM Include <sys/uio.h> for readv prototype
Patch4: readv-proto.patch
Patch5: skip_cycles.patch
# PATCH-FIX-UPSTREAM python3.8-compat.patch mcepl@suse.com
# Make linking working even when default pkg-config doesnt provide -lpython<ver>
Patch6: python3.8-compat.patch
Patch7: swig4_moduleimport.patch
BuildRequires: %{python_module devel}
BuildRequires: %{python_module pip}
BuildRequires: %{python_module setuptools}
BuildRequires: %{python_module wheel}
BuildRequires: fdupes
BuildRequires: libselinux-devel = %{version}
BuildRequires: libsepol-devel >= %{libsepol_ver}
BuildRequires: libsepol-devel-static >= %{libsepol_ver}
BuildRequires: pkgconfig
BuildRequires: python-rpm-macros
BuildRequires: ruby-devel
BuildRequires: swig
BuildRequires: pkgconfig(libpcre2-8)
%python_subpackages
%description
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
%package -n python-selinux
%define oldpython python
Summary: Python bindings for the SELinux runtime library
Group: Development/Libraries/Python
Requires: libselinux1 = %{version}
Obsoletes: python-selinux < %{version}
Provides: python-selinux = %{version}
%ifpython2
Obsoletes: %{oldpython}-selinux < %{version}
Provides: %{oldpython}-selinux = %{version}
%endif
%description -n python-selinux
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
This subpackage contains Python extensions to use SELinux from that
language.
%package -n ruby-selinux
Summary: Ruby bindings for the SELinux runtime library
Group: Development/Languages/Ruby
Requires: libselinux1 = %{version}
Requires: ruby
%description -n ruby-selinux
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
This subpackage contains Ruby extensions to use SELinux from that
language.
%prep
%autosetup -p1 -n %{upname}-%{version}
%build
%{python_expand :
%make_build LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" swigify USE_PCRE2=y PYTHON=$python
%make_build LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" pywrap USE_PCRE2=y PYTHON=$python
%make_build LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" rubywrap USE_PCRE2=y PYTHON=$python
}
%install
mkdir -p %{buildroot}/%{_lib}
mkdir -p %{buildroot}%{_libdir}
mkdir -p %{buildroot}%{_includedir}
mkdir -p %{buildroot}%{_sbindir}
%{python_expand :
make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" PYTHON=$python LIBSEPOLA=%{_libdir}/libsepol.a install-pywrap V=1
make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" PYTHON=$python LIBSEPOLA=%{_libdir}/libsepol.a install-rubywrap V=1
}
# Remove duplicate files
%fdupes -s %{buildroot}%{_mandir}
%files %{python_files selinux}
%{python_sitearch}/selinux
%{python_sitearch}/selinux-%{version}.dist-info
%{python_sitearch}/_selinux*
%files -n ruby-selinux
%{_libdir}/ruby/vendor_ruby/%{rb_ver}/%{rb_arch}/selinux.so
%changelog

831
libselinux.changes Normal file
View File

@ -0,0 +1,831 @@
-------------------------------------------------------------------
Mon Jul 1 07:53:14 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
- Update to version 3.7
https://github.com/SELinuxProject/selinux/releases/tag/3.7
* User-visible changes
* libselinux/utils/selabel_digest: drop unsupported option -d
* libselinux/utils: improve compute_av output
* libselinux: fail selabel_open(3) on invalid option
* Improved man pages
* Improvements
* libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
* libselinux: enable usage with pedantic UB sanitizers
* libselinux: support huge passwd/group entries
* Bugfixes:
* libselinux/utils/selabel_digest: avoid buffer overflow
* libselinux: avoid pointer dereference before check
* libselinux/utils/selabel_digest: pass BASEONLY only for file backend
* libselinux: free empty scandir(3) result
* libselinux: free data on selabel open failure
* libselinux: use reentrant strtok_r(3)
-------------------------------------------------------------------
Tue Dec 19 11:04:55 UTC 2023 - Cathy Hu <cathy.hu@suse.com>
- Update to version 3.6
https://github.com/SELinuxProject/selinux/releases/tag/3.6
* libselinux: performance optimization for duplicate detection
* Introduce getpolicyload - a helper binary to print the number of policy reloads on the running system
* Add notself support for neverallow rules
* Improve man pages
* man pages: Remove the Russian translations
* Add notself and other support to CIL
* Add support for deny rules
* Translations updated from
https://translate.fedoraproject.org/projects/selinux/
* Bug fixes
- Remove keys from keyring since they expired:
- E853C1848B0185CF42864DF363A8AD4B982C4373
Petr Lautrbach <plautrba@redhat.com>
- 63191CE94183098689CAB8DB7EF137EC935B0EAF
Jason Zaman <jasonzaman@gmail.com>
- Add key to keyring:
- B8682847764DF60DF52D992CBC3905F235179CF1
Petr Lautrbach <lautrbach@redhat.com>
-------------------------------------------------------------------
Sun Oct 1 19:17:31 UTC 2023 - Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
- Repair initrd libselinux check in selinux-ready
-------------------------------------------------------------------
Tue Aug 8 06:59:16 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
- Do not BuildRequire swig and ruby-devel in the main build phase:
those are only needed for the bindings.
-------------------------------------------------------------------
Fri Aug 4 13:14:14 UTC 2023 - Matej Cepl <mcepl@suse.com>
- (bsc#1212618) Divide libselinux and libselinux-bindings again.
libselinux itself is in Ring0 so it has to have absolutely
minimal dependencies, so it is better to separate
libselinux-bindings into a separate pacakge.
-------------------------------------------------------------------
Tue Jul 4 08:32:49 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
- Fix python packaging by setting the name to a fixed value
-------------------------------------------------------------------
Fri Jun 23 14:50:33 UTC 2023 - Matej Cepl <mcepl@suse.com>
- Remove separate libselinux-bindings SPEC file (bsc#1212618).
-------------------------------------------------------------------
Tue Jun 20 13:34:39 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
- Add explicit BuildRequires for python3-pip and python3-wheel on
15.5, currently the macros don't do the right thing
-------------------------------------------------------------------
Thu Jun 1 11:50:33 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
- allow building this with different python versions, to make this
usable for the new sle15 macro (using python3.11)
-------------------------------------------------------------------
Fri May 5 12:35:31 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
- Add python-wheel build dependency to build correctly with latest
python-pip version.
-------------------------------------------------------------------
Thu May 4 14:04:04 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
- Add _multibuild to define additional spec files as additional
flavors.
Eliminates the need for source package links in OBS.
-------------------------------------------------------------------
Fri Mar 24 13:51:52 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
- Add -ffat-lto-objects to CFLAGS to prevent rpmlint errors because
of LTO
-------------------------------------------------------------------
Thu Mar 23 15:39:15 UTC 2023 - Martin Liška <mliska@suse.cz>
- Enable LTO as it works fine now.
-------------------------------------------------------------------
Fri Feb 24 07:42:25 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
- Update to version 3.5:
* check for truncations
* avoid newline in avc message
* bail out on path truncations
* add getpidprevcon to gather the previous context before the last
exec of a given process
* Workaround for heap overhead of pcre
* fix memory leaks on the audit2why module init
* ignore invalid class name lookup
- Drop restorecon_pin_file.patch, is upstream
- Refreshed python3.8-compat.patch
- Added additional developer key (Jason Zaman)
-------------------------------------------------------------------
Thu Jul 7 12:16:45 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Fixed initrd check in selinux-ready (bnc#1186127)
-------------------------------------------------------------------
Tue May 31 15:10:26 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
-------------------------------------------------------------------
Mon May 9 10:23:32 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Update to version 3.4:
* Use PCRE2 by default
* Make selinux_log() and is_context_customizable() thread-safe
* Prevent leakeing file descriptors
* Correctly hash specfiles larger than 4G
- Refreshed skip_cycles.patch
-------------------------------------------------------------------
Tue Feb 15 07:49:43 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Add Requires for exact libselinux1 version for selinux-tools
- Simplyfied check for correct boot paramaters in selinux-ready
(bsc#1195361)
-------------------------------------------------------------------
Thu Nov 11 13:25:30 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Update to version 3.3:
* Lots of smaller issues fixed found by fuzzing
-------------------------------------------------------------------
Sun Jul 18 08:41:37 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
- Add missing libselinux-utils Provides to selinux-tools so that
%selinux_requires works
-------------------------------------------------------------------
Mon Apr 26 07:14:53 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Remove Recommends for selinux-autorelabel. It's better to have this
in the policy package itself (bsc#1181837)
-------------------------------------------------------------------
Wed Mar 17 15:13:16 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
- Switch to pcre2:
+ Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8)
+ Pass USE_PCRE2=y to make.
+ Replace pkgconfig(libpcre) Requires in -devel static with
pkgconfig(libpcre2-8).
-------------------------------------------------------------------
Tue Mar 9 09:01:15 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Update to version 3.2:
* Use mmap()'ed kernel status page instead of netlink by default.
See "KERNEL STATUS PAGE" section in avc_init(3) for more details.
* New log callback levels for enforcing and policy load notices -
SELINUX_POLICYLOAD, SELINUX_SETENFORCE
* Changed userspace AVC setenforce and policy load messages to audit
format.
-------------------------------------------------------------------
Sat Feb 6 13:54:41 UTC 2021 - Matej Cepl <mcepl@suse.com>
- Add Recommends: selinux-autorelabel, which is very important
for healthy use of the SELinux on the system (/.autorelabel
mechanism) (bsc#1181837).
-------------------------------------------------------------------
Thu Oct 29 10:22:23 UTC 2020 - Ludwig Nussel <lnussel@suse.de>
- install to /usr (boo#1029961)
-------------------------------------------------------------------
Tue Jul 14 08:24:20 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
- Update to version 3.1:
* selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
removed. All userspace object managers should have been updated to use the
dynamic class/perm mapping support.
Use string_to_security_class(3) and string_to_av_perm(3) to map the class
and permission names to their policy values, or selinux_set_mapping(3) to
create a mapping from class and permission index values used by the
application to the policy values.
* Removed restrictions in libsepol and checkpolicy that required all declared
initial SIDs to be assigned a context.
* Support for new policy capability genfs_seclabel_symlinks
* selinuxfs is mounted with noexec and nosuid
* `security_compute_user()` was deprecated
* Refreshed python3.8-compat.patch
-------------------------------------------------------------------
Thu Mar 26 15:43:41 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
- Added skip_cycles.patch to skip directory cycles and not error
out
-------------------------------------------------------------------
Tue Mar 3 11:13:12 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
- Update to version 3.0
* Ignore the stem when looking up all matches in file context
* Save digest of all partial matches for directory
* Use Python distutils to install SELinux python bindings
* ensure that digest_len is not zero
* fix string conversion of unknown perms
* mark all exported function "extern"
Dropped Use-Python-distutils-to-install-SELinux.patch, included
upstream
-------------------------------------------------------------------
Mon Dec 16 16:04:41 UTC 2019 - Johannes Segitz <jsegitz@suse.de>
- Added swig4_moduleimport.patch to prevent import errors due to
SWIG 4
-------------------------------------------------------------------
Wed Nov 13 08:03:39 UTC 2019 - Johannes Segitz <jsegitz@suse.de>
- Added Use-Python-distutils-to-install-SELinux.patch to use
Python's distutils instead of building and installing python
bindings manually
-------------------------------------------------------------------
Wed Oct 30 17:21:00 CET 2019 - Matej Cepl <mcepl@suse.com>
- Add python3.8-compat.patch which makes build possible even with
Python 3.8, which doesnt automatically adds -lpython<ver>
-------------------------------------------------------------------
Mon Jun 3 09:34:17 UTC 2019 - <jsegitz@suse.com>
- In selinux-ready
* Removed check for selinux-policy package as we don't ship one
(bsc#1136845)
* Add check that restorecond is installed and enabled
-------------------------------------------------------------------
Tue May 28 08:28:03 UTC 2019 - Martin Liška <mliska@suse.cz>
- Disable LTO (boo#1133244).
-------------------------------------------------------------------
Fri May 24 11:22:19 UTC 2019 - <jsegitz@suse.com>
- Set License: to correct value (bsc#1135710)
-------------------------------------------------------------------
Thu Apr 25 07:14:10 UTC 2019 - Martin Liška <mliska@suse.cz>
- Disable LTO (boo#1133244).
-------------------------------------------------------------------
Wed Mar 20 15:05:35 UTC 2019 - jsegitz@suse.com
- Update to version 2.9
* Add security_reject_unknown(3) man page
* Change matchpathcon usage to match with matchpathcon manpage
* Do not define gettid() if glibc >= 2.30 is used
* Fix RESOURCE_LEAK defects reported by coverity scan
* Fix line wrapping in selabel_file.5
* Do not dereference symlink with statfs in selinux_restorecon
* Fix overly strict validation of file_contexts.bin
* Fix selinux_restorecon() on non-SELinux hosts
* Fix the whatis line for the selinux_boolean_sub.3 manpage
* Fix printf format string specifier for uint64_t
* Fix handling of unknown classes/perms
* Set an appropriate errno in booleans.c
- Dropped python3.patch, is now upstream
-------------------------------------------------------------------
Fri Jan 4 14:18:42 UTC 2019 - jsegitz@suse.com
- Remove unneeded build requires for python3 (bsc#1120255)
-------------------------------------------------------------------
Wed Oct 17 11:48:30 UTC 2018 - jsegitz@suse.com
- Update to version 2.8 (bsc#1111732)
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
- ran spec-cleaner on spec files
-------------------------------------------------------------------
Mon May 14 22:45:54 UTC 2018 - mcepl@cepl.eu
- Update to version 2.7.
* %files needed to be heavily modified
* Based expressly on python3, not just python
For changes please see
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
-------------------------------------------------------------------
Fri Mar 16 15:25:10 UTC 2018 - jsegitz@suse.com
- Updated spec file to use python3. Added python3.patch to fix
build
-------------------------------------------------------------------
Fri Nov 24 09:09:02 UTC 2017 - jsegitz@suse.com
- Update to version 2.6. Notable changes:
* selinux_restorecon: fix realpath logic
* sefcontext_compile: invert semantics of "-r" flag
* sefcontext_compile: Add "-i" flag
* Introduce configurable backends
* Add function to find security.restorecon_last entries
* Add openrc_contexts functions
* Add support for pcre2
* Handle NULL pcre study data
* Add setfiles support to selinux_restorecon(3)
* Evaluate inodes in selinux_restorecon(3)
* Change the location of _selinux.so
* Explain how to free policy type from selinux_getpolicytype()
* Compare absolute pathname in matchpathcon -V
* Add selinux_snapperd_contexts_path()
* Modify audit2why analyze function to use loaded policy
* Avoid mounting /proc outside of selinux_init_load_policy()
* Fix location of selinuxfs mount point
* Only mount /proc if necessary
* procattr: return einval for <= 0 pid args
* procattr: return error on invalid pid_t input
- Dropped
* libselinux-2.2-ruby.patch
* libselinux-proc-mount-only-if-needed.patch
* python-selinux-swig-3.10.patch
-------------------------------------------------------------------
Wed Jul 5 10:30:57 UTC 2017 - schwab@suse.de
- readv-proto.patch: include <sys/uio.h> for readv prototype
-------------------------------------------------------------------
Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org
- -devel static subpackage requires libpcre-devel and libsepol-devel
-------------------------------------------------------------------
Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org
- Avoid mounting /proc outside of selinux_init_load_policy().
(Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
among other things systemd seccomp sandboxing otherwise all
filters must allow mount(2)
(libselinux-proc-mount-only-if-needed.patch)
-------------------------------------------------------------------
Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de
- Update RPM groups, trim description and combine filelist entries.
-------------------------------------------------------------------
Thu Jul 14 07:58:49 UTC 2016 - jsegitz@novell.com
- Adjusted source link
-------------------------------------------------------------------
Tue Jul 5 16:42:03 UTC 2016 - i@marguerite.su
- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
* swig-3.10 in Factory use importlib instead of imp to find
_selinux.so. imp searched the same directory as __init__.py
is while importlib searchs only standard paths. so we have
to move _selinux.so. fixed by upstream
- update version 2.5
* Add selinux_restorecon function
* read_spec_entry: fail on non-ascii
* Add man information about thread specific functions
* Don't wrap rpm_execcon with DISABLE_RPM with SWIG
* Correct line count for property and service context files
* label_file: fix memory leaks and uninitialized jump
* Replace selabel_digest hash function
* Fix selabel_open(3) services if no digest requested
* Add selabel_digest function
* Flush the class/perm string mapping cache on policy reload
* Fix restorecon when path has no context
* Free memory when processing media and x specfiles
* Fix mmap memory release for file labeling
* Add policy context validation to sefcontext_compile
* Do not treat an empty file_contexts(.local) as an error
* Fail hard on invalid property_contexts entries
* Fail hard on invalid file_contexts entries
* Support context validation on file_contexts.bin
* Add selabel_cmp interface and label_file backend
* Support specifying file_contexts.bin file path
* Support file_contexts.bin without file_contexts
* Simplify procattr cache
* Use /proc/thread-self when available
* Add const to selinux_opt for label backends
* Fix binary file labels for regexes with metachars
* Fix file labels for regexes with metachars
* Fix if file_contexts not '\n' terminated
* Enhance file context support
* Fix property processing and cleanup formatting
* Add read_spec_entries function to replace sscanf
* Support consistent mode size for bin files
* Fix more bin file processing core dumps
* add selinux_openssh_contexts_path()
* setrans_client: minimize overhead when mcstransd is not present
* Ensure selabel_lookup_best_match links NULL terminated
* Fix core dumps with corrupt *.bin files
* Add selabel partial and best match APIs
* Use os.walk() instead of the deprecated os.path.walk()
* Remove deprecated mudflap option
* Mount procfs before checking /proc/filesystems
* Fix -Wformat errors with gcc-5.0.0
* label_file: handle newlines in file names
* Fix audit2why error handling if SELinux is disabled
* pcre_study can return NULL without error
* Only check SELinux enabled status once in selinux_check_access
- changes in 2.4
* Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
* Fix bugs found by hardened gcc flags
* Set the system to permissive if failing to disable SELinux because
policy has already been loaded
* Add db_exception and db_datatype support to label_db backend
* Log an error on unknown classes and permissions
* Add pcre version string to the compiled file_contexts format
* Deprecate use of flask.h and av_permissions.h
* Compiled file_context files and the original should have the same DAC
permissions
-------------------------------------------------------------------
Thu Jul 30 12:00:27 UTC 2015 - jsegitz@novell.com
- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
-------------------------------------------------------------------
Wed May 27 11:53:54 UTC 2015 - dimstar@opensuse.org
- Update libselinux-2.2-ruby.patch: use RbConfig instead of
deprecated Config.
-------------------------------------------------------------------
Mon Sep 8 08:25:11 UTC 2014 - jsegitz@suse.com
- updated selinux-ready script to handle initrd files compressed with xz
-------------------------------------------------------------------
Sun May 18 00:15:17 UTC 2014 - crrodriguez@opensuse.org
- Update to version 2.3
* Get rid of security_context_t and fix const declarations.
* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
-------------------------------------------------------------------
Thu Oct 31 13:43:41 UTC 2013 - p.drouand@gmail.com
- Update to version 2.2
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB
* Update pkgconfig definition
* Mount sysfs before trying to mount selinuxfs.
* Fix man pages
* Support overriding PATH and LIBBASE in Makefile
* Fix LDFLAGS usage
* Avoid shadowing stat in load_mmap
* Support building on older PCRE libraries
* Fix handling of temporary file in sefcontext_compile
* Fix procattr cache
* Define python constants for getenforce result
* Fix label substitution handling of /
* Add selinux_current_policy_path from
* Change get_context_list to only return good matches
* Support udev-197 and higher
* Add support for local substitutions
* Change setfilecon to not return ENOSUP if context is already correct
* Python wrapper leak fixes
* Export SELINUX_TRANS_DIR definition in selinux.h
* Add selinux_systemd_contexts_path
* Add selinux_set_policy_root
* Add man page for sefcontext_compile
- Remove libselinux-rhat.patch; merged on upstream
- Adapt libselinux-ruby.patch to upstream changes
- Use fdupes to symlink duplicate manpages
-------------------------------------------------------------------
Thu Jun 27 14:42:01 UTC 2013 - vcizek@suse.com
- change the source url to the official 2.1.13 release tarball
-------------------------------------------------------------------
Wed May 22 23:50:58 UTC 2013 - jengelh@inai.de
- Reuse implicit dependencies injected by pkgconfig
-------------------------------------------------------------------
Thu Apr 4 19:16:35 UTC 2013 - vcizek@suse.com
- fixed source url in libselinux-bindings.spec
- removed old tarball
-------------------------------------------------------------------
Wed Apr 3 10:17:21 UTC 2013 - vcizek@suse.com
- fix source url
- document changes in libselinux-rhat.patch from previous submission:
(most code of the removed code was integrated upstream)
* Add matchpathcon -P /etc/selinux/mls support by allowing users
to set alternate root
* Add new constant SETRANS_DIR which points to the directory
where mstransd can find the socket and libvirt can write its
translations files
-------------------------------------------------------------------
Fri Mar 29 15:12:50 UTC 2013 - vcizek@suse.com
-update to 2.1.13
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
-------------------------------------------------------------------
Wed Jan 30 11:44:45 UTC 2013 - vcizek@suse.com
- update to 2.1.12
- added BuildRequires: pcre-devel
- added the recent libselinux-rhat.patch
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
-------------------------------------------------------------------
Mon Jan 7 22:34:03 UTC 2013 - jengelh@inai.de
- Remove obsolete defines/sections
-------------------------------------------------------------------
Tue Dec 11 16:15:52 UTC 2012 - vcizek@suse.com
- update selinux-ready script
* use -L when stat()ing /etc/selinux/config
* make sure that SELINUX isn't disabled in /etc/selinux/config
* look for either of /sys/fs/selinux and /selinux directory
* use systemctl to check for restorecond
* don't look for booleans file (deprecated)
-------------------------------------------------------------------
Tue Nov 27 12:38:29 UTC 2012 - vcizek@suse.com
- update selinux-ready script
-------------------------------------------------------------------
Wed Jul 25 11:15:02 UTC 2012 - meissner@suse.com
- updated to 2.1.9 again (see below)
-------------------------------------------------------------------
Wed Jun 13 08:56:36 UTC 2012 - coolo@suse.com
- go back even more - everything else requires the full SELinux stack
(too late for 12.2)
-------------------------------------------------------------------
Mon Jun 11 09:06:55 UTC 2012 - factory-maintainer@kulow.org
- revert back to 2.0.98 for 12.2
-------------------------------------------------------------------
Fri Jun 1 18:34:04 CEST 2012 - mls@suse.de
- update to libselinux-2.1.9
* better man pages
* selinux_status interfaces
* simple interface for access checks
* multiple bug fixes
- fix build for ruby-1.9
-------------------------------------------------------------------
Wed Oct 5 15:09:25 UTC 2011 - uli@suse.com
- cross-build fix: use %__cc macro
-------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
- use %_smp_mflags
-------------------------------------------------------------------
Mon May 3 10:30:40 UTC 2010 - prusnak@suse.cz
- don't package /var/run/setrans in libselinux1 package
- Feature#303793
- the directory will be created in initscript of mcstrans package
-------------------------------------------------------------------
Sat Apr 24 09:53:28 UTC 2010 - coolo@novell.com
- buildrequire pkg-config to fix provides
-------------------------------------------------------------------
Fri Apr 9 07:27:27 UTC 2010 - thomas@novell.com
- selinux-ready: added function to check for restorecond in
runlevel 3/5
-------------------------------------------------------------------
Thu Apr 8 06:37:34 UTC 2010 - thomas@novell.com
- selinux-ready: added functions for checking PAM config and
policy boolean init_upstart
-------------------------------------------------------------------
Wed Apr 7 13:26:59 UTC 2010 - thomas@novell.com
- selinux-ready: fixed init ramfs checking
-------------------------------------------------------------------
Wed Apr 7 12:59:41 UTC 2010 - thomas@novell.com
- added new selinux-ready script
-------------------------------------------------------------------
Thu Feb 25 14:57:16 UTC 2010 - prusnak@suse.cz
- updated to 2.0.91
* changes too numerous to list
-------------------------------------------------------------------
Sat Dec 12 16:43:54 CET 2009 - jengelh@medozas.de
- add baselibs.conf as a source
-------------------------------------------------------------------
Fri Jul 24 17:09:50 CEST 2009 - thomas@novell.com
- updated selinux-ready script
-------------------------------------------------------------------
Wed Jul 22 15:17:25 CEST 2009 - prusnak@suse.cz
- change libsepol-devel to libsepol-devel-static in dependencies
of python bindings
-------------------------------------------------------------------
Wed Jul 1 12:26:48 CEST 2009 - prusnak@suse.cz
- put libsepol-devel back to Requires of libselinux-devel
-------------------------------------------------------------------
Mon Jun 29 21:24:16 CEST 2009 - prusnak@suse.cz
- added selinux-ready tool to selinux-tools package
-------------------------------------------------------------------
Tue Jun 9 20:17:54 CEST 2009 - crrodriguez@suse.de
- remove static libraries
- libselinux-devel does not require libsepol-devel
-------------------------------------------------------------------
Wed May 27 14:06:14 CEST 2009 - prusnak@suse.cz
- updated to 2.0.80
* deny_unknown wrapper function from KaiGai Kohei
* security_compute_av_flags API from KaiGai Kohei
* Netlink socket management and callbacks from KaiGai Kohei
* Netlink socket handoff patch from Adam Jackson
* AVC caching of compute_create results by Eric Paris
* fix incorrect conversion in discover_class code
-------------------------------------------------------------------
Fri Apr 17 17:12:06 CEST 2009 - prusnak@suse.cz
- fixed memory leak (memleak.patch)
-------------------------------------------------------------------
Wed Jan 14 14:04:30 CET 2009 - prusnak@suse.cz
- updated to 2.0.77
* add new function getseuser which will take username and service
and return seuser and level; ipa will populate file in future
* change selinuxdefcon to return just the context by default
* fix segfault if seusers file does not work
* strip trailing / for matchpathcon
* fix restorecon python code
-------------------------------------------------------------------
Mon Dec 1 11:32:50 CET 2008 - prusnak@suse.cz
- updated to 2.0.76
* allow shell-style wildcarding in X names
* add Restorecon/Install python functions
* correct message types in AVC log messages
* make matchpathcon -V pass mode
* add man page for selinux_file_context_cmp
* update flask headers from refpolicy trunk
-------------------------------------------------------------------
Wed Oct 22 16:28:59 CEST 2008 - mrueckert@suse.de
- fix debug_packages_requires define
-------------------------------------------------------------------
Tue Sep 23 12:51:10 CEST 2008 - prusnak@suse.cz
- require only version, not release [bnc#429053]
-------------------------------------------------------------------
Tue Sep 2 12:09:22 CEST 2008 - prusnak@suse.cz
- updated to 2.0.71
* Add group support to seusers using %groupname syntax from Dan Walsh.
* Mark setrans socket close-on-exec from Stephen Smalley.
* Only apply nodups checking to base file contexts from Stephen Smalley.
* Merge ruby bindings from Dan Walsh.
-------------------------------------------------------------------
Mon Sep 1 07:35:00 CEST 2008 - aj@suse.de
- Fix build of debuginfo.
-------------------------------------------------------------------
Fri Aug 22 14:45:29 CEST 2008 - prusnak@suse.cz
- added baselibs.conf file
- split bindings into separate subpackage (libselinux-bindings)
- split tools into separate subpackage (selinux-tools)
-------------------------------------------------------------------
Fri Aug 1 17:32:20 CEST 2008 - ro@suse.de
- fix requires for debuginfo package
-------------------------------------------------------------------
Tue Jul 15 16:26:31 CEST 2008 - prusnak@suse.cz
- initial version 2.0.67
* based on Fedora package by Dan Walsh <dwalsh@redhat.com>

110
libselinux.keyring Normal file
View File

@ -0,0 +1,110 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGNZjyYBEACk7biPgvCVldNWq1CwVoJa/Fvc4T49tqxcc/sY4uVlGo6oSi4f
QcXE9XKPPBuRLmvpmMWvODQLzPxJMWUfJq6LyYFmX2U9VRTcyITdmJs8itkEaDwq
8BtXkeQfUDAVSFy6V6/uvVmNWD7pGXqJE1GxuV44Ihlh6v2YyqSzDG/rZur771hk
e8VZmlKMVMs1RSeOBA3nUmvZQ58+uqkhJNYqOeQhxGIxDOHo7QhzTG+SlX+uQq6m
zACKygVJJl33toaUwVAX5R02a0u67A5wC0whAoLSHInc3P7ayivWV/iESAz+gMIk
uvJWns/Ak14J7MTGgjD6rle7PNMsPDCCwQScqA8F0x4OChCixbZGZn6Mr0u8+01V
CEe2IjJwVUfFI/G4n1FZ1RAdqjkHfZJeD20LGHSbjJLcnqLLFx3LDpI5dAxo5K2k
Fvz0VowrB58aHoofW8/g8yZygGQ4Zpw4JnpUmaPnMTiD5yvnFzEihM5L9DuaWqSK
3sb9qzoaXABYRYI7OmX4B5nmMzFteHHq0tMtaKWf0HkAsCP0BLJcS9Oc1/0I0+gC
4oKLRD8a4+kaEpNr6BXvWnj7Y1h0Zr/CZS6+gi34CxWMl2Q34OSqtS37mzzBu+UZ
xffPR0aV2RXcEpc0c5HW550Thq1NF9EmFOoyeG4J2ox9JRANZXLh/i7mNwARAQAB
tCVQZXRyIExhdXRyYmFjaCA8bGF1dHJiYWNoQHJlZGhhdC5jb20+iQJXBBMBCABB
FiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZjyYCGwMFCQPCZwAFCwkIBwICIgIG
FQoJCAsCBBYCAwECHgcCF4AACgkQvDkF8jUXnPGeAA//ScQ3kJMqI6FRULXo0aF7
CpafPXVWdvj+mfQMlZzuGwXXTmM42T0DXnXRBSjstWkmOXP/UqkN7bNeXH/S3D3G
CJ2l0qx8Qp6fP0FloJIbemyxNtzl7yvAE7kWvuBuLvUdm23cntv49gAzj+ElDqCx
tT6A6qaqM6r7DLUvw+G+r6gkeu1hNQbtRpEK9Dt8tHriQyI410qFRMbi3QxU+iTJ
79HXwrXiYpX7V7T+ugiU9lgIiC/hWJCo6SY4knt9E6zhegUWN6zErl2HY8FBM2P9
eHOTqToEOAhKeM1fXZvxe3m49fGq/spmRM1RUUl1V9WFEaMiLg/Z2rmbD8LX9Ytf
YlQCbEwyX2nkIP1QIcr/DEfcmCA2MXCQCgsqI/2XS3BTLPyjuqAYnXxrk+T/Cydc
g4W3ZBYI/wT56GH02TQzB/wJsn0cW6EMG46VSDY/mZ2/gwi54G/Pqb2R3ZC9I7wQ
6/FFxuu8myI/QVmEiTlvTxBoyOdNlliBQxCkDczs1rxd/o8Wfjo1vwRHW84jZrCP
3xr7xPJWuzsrmPU8kFHTgepGoY+4b/h3jGwlV103RpRUK4JidwHsmYDVk6pgeUH6
9hf0iVcbFfKiViFTR+DwjbAOxTdsFgsYYn+7hBj2l+pV/uzeA0akL2dkgfJc9pAf
6ItRUnGC+RlntZ0Pf2NbwIS5Ag0EY1mPxgEQAOBjoc5rCJOHFBUj7S68ABT3KKx7
DVJJU7qYCxC1kzuzsGksDdEY+PdQaiNkh56MD6R+rsD49UsGHP+RIFO3D3+zejiu
Wo3PPtItqLHpcpYKkc4Gzziff8sXq70owxWT29OyMrPyIMX2YFHZuYJ8u8STQcOI
zICm/lJs6xkwHyTk9bIrwdg/Iwjm6YRo6xoLe0B6KE7efMDER/ehmXncnWkjD55x
2tAttZsfRqoqeB8J10PxDSgyv8jCXLdbj37l6omh6VH3926392DRrc2fXAgZhHML
rYIKwXkhnAp3I+HueKURQWkDlWXP4d8gVyHYt9EXdD8ZkPx8rMrGGMMh2DJpZJOw
xuK3IrFfYb+lyOyHIyxlPsjcfHtLBB8WujnyzYMWwUsRmAGEm/6db8dyR551q95e
Zd0cqO2xrz6u8YAO2LjCiE6X43m1ulhbf/NHcBiqWHjuEbSKRQnxO6ye7zrmPdnm
YT4qpLrzKlFUExGt0mXaUY8MKdcaGXbvbRU80wL+MHYyCb8vWa9AzWM990LcqCiQ
MAfk0zMq9q/oDvVotJQmWLdR2QYeRfl3m6uzeTdaYK3td5NvfQwG83MFxJhNvDZQ
YhETwbQIVzfC2JZaJAo94VdiGfT4I4Khb8RekgJVoC4w8yByyV0zXdsobIajc2eC
w0R2ik0V+vQopblfABEBAAGJBHIEGAEIACYWIQS4aChHdk32DfUtmSy8OQXyNRec
8QUCY1mPxgIbAgUJA8JnAAJACRC8OQXyNRec8cF0IAQZAQgAHRYhBBviwP8IlJYj
EC/SVkaViBwlRQjRBQJjWY/GAAoJEEaViBwlRQjRmQcP/1OVG8BpkRN/6m/j8hx5
4vcofCPmWsL+CiNfE3QCOEBeWMtJEK7QTIgLFnLfXnyHiTS/CN2/zr33IcQ33s90
XzibzWarE7P6O4oFEcUr8TAACA51KXMadRiA2SaYJE4Va2N6d41ZoV0Ser0wi3HU
5qxw97LGdYyOrsstgxIRI/i2BRXkp2VpUBdHqr/zfe7bv82h2QNw0fZQr4jJP4q3
+4I6gggvi23Gj8+9lOmHNXyfqzSwkkTf8GtHGC8JORVTrOizImzJq7z+9rJBgY+4
G4RBWzhOv69njaLNuQeASVxm/2hiMmzFqpmqozN9Y+17ubo+X+m+2aWE+aln56Pv
LxJHKwFX7doc1doTUnewg6ZjGKCGWBlqlKMeX8D038pd2gsCMhm0EA5DZkXJHP9z
b5VSomDCLB3GhoVpifZ5Qz4dJNtl90ZcFL/LJktiwz4vgzZqLNC8MhFfPLy8bS+k
dAS8+VcvQaDSDKTR+jHQ6wA/kJ9eYcL8C9g4czzLzVfZCoN/fcC7VEiCiDhwuqrb
ClcQBFZsCPQEAwh4mgIMK70zPaO4rW6LbCvwBnTjY8JSBkroJ1QjXwCy8ClSE+w2
6cXtk5zmYUy5oQaONYm+tMberKsJjvfJIGIZdaj3ZkHsVe7YzOC6M8ESKAHKp4Xo
hXbHQQEfD9WtzFerpKWCaKTobRIP/jyXmYYLEzRav3WtoH3NCXANu0Pc8JuMDoO2
QytHICr7zWDvk3q6LO0Y8JXD2fUegY5KM3WECF5KBBCVxdsMunN908WjAMQdyUUV
9Q4MIg64X4WCbGUDPkTGv0mQl2jMEWpFniIX+18TmwcHSvN5RxjcnpWNOyNQuMTg
ZKDm2uw5zwYdScWf3DDCR/2dH8yvVFhxfQaRNzKJSyTD4ChHPqy858BYgMljjnTC
APQwdkrTwh9RSxhMZ5yhdy9Z/+EhO2/8B/kylADC4YQOW1UN670QC7rlJmUySQy5
APWHco5CNQnqdjhrgzYJDnWCCz9z6+x6bGy5iUa9K6Gt9e3ocYPd2Gw4R7IS8hyO
Ok/Uq7maqs+GpcWWLWzB+iGFgYZU758zsbeXvAWQAiLQHWzOfQrXepGoEjCOdYv6
is/UovO9zMIfrIPQVlj3QIN0y0zRUHoCpPgEWHrn7KCMDhiIDt8VgGbznXTJtRw1
/NTeBQgnmkXwx0aLM7ni0I9IrpT6JVFjip8IV24iI5nsVRSfvxUjFBQxgyujPLuS
f/Q9BlrsopFtcnyyDSyCtBqnCmBSN0zC5hk8Ya/UnDn/5ZQZYxsbGaWkdwQ6aw9m
khMfnnsz+QfKT1R3SIrByIEjaYYvGJp8K4utRjhOSfM6ptmCN2WVxQbhwMERC4E7
8ZKPUtR+uQINBGNZj3EBEACsSSOVQfiGhJACRUkJZaT6cX51oA/kizOsYRAftPI5
XBdtFmd1I8VJSopTaQSAdsyb7AVihl73mH22MOHawsKzffylW7kKGHPd02x5MXv+
ttyTDasJT4ltqUSLByTu0ouqhu9uHvuOettCeStk1z6cx4ccutjJzmAdbpxKfhSV
TjYwqZOVJ44bgvL3BeGBooKF4hc1fdT8PrzZN9+Xsailybuk9kX3Z3BjicikLFTY
BOKaRLK6VuHOTYKNnUlhQnUsdy0web0XQsQa1zUbENKHNVk/x05akOz0EHBkMtfE
LMLiu9n7PkEkIMVu41MplDkkShbawzzI/UstkZfPjiGxpvVo+u8He9x1LkRM/pup
PnbrtmKi12FSJ9T+lNXnN7jvA25pl6dC0Z32iXKHZ0Co6TYNCtwFAUDSBGnnlvhT
raEtNhfFP7uMRtJUDF5cM9Go++qH/iRWfzqWViNXp0CgBI3XBbPjbdAfe7hkr5Lq
DwdnQetjb40FiCq2Fvof9foWIXlVwday2ST3ruDhe3Q+A3+uUK2leHhYr2xJxf8I
V05RGweVvvxk3Yt7FphpUGpC6q98doA8logSVeoyF5nxpis7oN/jLMn7p5Ozezg+
ozoQyKvnBoWifHkaHnRfjEv2nshWqA0+FCxTxnlTmEZhuZQfvroa0Q2/gIjW6kUD
VwARAQABiQI8BBgBCAAmFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZj3ECGyAF
CQPCZwAACgkQvDkF8jUXnPHhww/7BuMq7bEKvrejKf6Wjs2owMsFiXjMe6dhNmEb
96ANqRVankiSPn+TeL6FVJh9TJSGpD9v8fT3quikHsYDoTNLjgZL6Esx1A4k6YRu
O8A//10kNfYVCdhnNoDZ/94iSBrDbzeg4ueZjPTHtgBb+jGWc+f7tKDsMYaqqfec
qh8NRSujB9fS1AbCQaYkmpCA4f9l9Ti3nVQIrMXqFZFtt6sEjx7Onbi9ieADaQZ5
/V8JQL4QgWGhhx0ccK0LVOIqY5Rp4H1kyJVeQ/rR+YIso5vBwpPJikAU+ozTnGCw
w8Vpc359DthUAakJ22GTnc3kaj5Cp6HAugmTvsIdnEhYkh/jendSK4fUWy5cXs50
THMiFRKJS6boygIjwGlXCf25Ip9cos50YNHogkjyOp0L0tiherFm0OGlyoPvSEVY
nAnNmD5TZK/FnKE6rC0pe0NMO157fIbM9pxIAkPuYVRFz8NGLrZQEyIVyo7Vhb/k
uALjKO3OjsxNA+RoZtAt24ciUIprykdY+posV0xrDCo2tM0dZcIPhfGKMljB0C57
c1Qb+616Q2bzaaqdttbD8BdREjN59CxvKqI1gzO250n2EBLzIJ2R9v1IpUi9Zg9D
vu0eW05kXsr83M4Z4lomvyW+pkJ9elaY525OlZoPaQi9TYrHuAHiNd0xrZqL0378
d2veUui5Ag0EY1mPJgEQAMRQDbNHBQ376nDF8miBZOAV1txpmbHc5D/X63PNapP0
P1/I7SfcJU9D3wX8c4vmxkjEYtH23s4lmT1VLsU7PisS3MacRemm9pL2bD53hs9X
QEuU9OtJsZn1ZJ+Ynh6i5sfW1bG3OiV/TWgYXW66GwE1hn9PuP8arodUmhEft+64
G2u8Xtxr5yqlQJEUThV6280OJrxVbduaMi5C6UNeeGE5wuhfrQ0TNYZiwQ4KYbU3
QhlWhHVjJlJ5hCLiktwFDyR24P+wlTIziWA407mo2enQT+mz3bO7Paf4mBionGsJ
MoADqBThf4B69BxjJ7Yg7oQVIZ7560YIRRmNo4tk5Mhep11OtQgZjZJR6MhWDaUO
17w1qScrOPRj6G1IXP1R5NarydJpLyAVb/5WFZ5jxUGMGtq3mYn4nKbbHUg2WzvC
JvPctDE6EV2vaiRy5N1fQjsHgSa29F2feh14p4ngFCmHjpdbcdjfv6rWL8tgkSpQ
lDdeHRRd1q03TKAg/byPauAHKzvV+iWlmw1f6KBWjeTn0fofmk9eeQ+P1j0a3/XT
xMOjB34SzqPRWzmLPLF6YmujBK2gymM+JLirJFFzao1i4lgmxqkDhQoNYHXmVYEd
7w+/qUYbfKwO9eJOWzuUWajxvJ1Vgv6z4CPy9if0gwfhrx0OOcIpBE/xZU+SwQQp
ABEBAAGJAjwEGAEIACYWIQS4aChHdk32DfUtmSy8OQXyNRec8QUCY1mPJgIbDAUJ
A8JnAAAKCRC8OQXyNRec8a+qD/4whGQ9J+td1iLFMpNRAqvuGtTnM6shZJNnC5CB
56Cu7ElIpr74sk0R98Ia1pJlBcLALbYSrqwluZaLiRVDPdub6tGSRVssqQdZcKTh
z33waTru9IfLhCrRSNd0ZMHJaOG1ErU0noWw2d4ifVJK+vvuvMeEyNm4H5pZOYzY
eikqVUYzS143cSzMEwtvPSdP5JkTQi4WNF09khH1D+QpJoXEgVEQla7Sr955Zdt3
q5OlpYxxw+X62vslZ2OMiKZ14kWVSRbVQ+WdnjtRYS4vivB6ko9QL770jZ131hKh
C/BcWpEYSjfPpVua2oKbccKHXheIFEJ06kGkMeeoQPxmzPRBYIw/E+d5sZp7YXDy
BGOAxBeiOaOnZ8vLBzy72HFng3oB3hkVGTTHq+PsHdSSaRME3QrNpDsaGeSjw62F
G3I4zK985GtrXAHEzN/Ffd17srl4mcRQ+8QM/a+XbF/8ugjE/RHhhFf8sWVAPutY
zVE8lF+uqcduPuq/rTcUBuzSVjnSRfXWqCokjh+ypUpHNUO8fZDzkTLuE5rwMG1x
pPueDBTzvoGDQRqc2eoXpJnDBmdlz83zHsoR2gIHcdqyc/hCV+fTvR8E0v9ZG3Jr
6RFgWdD008PsGxUevIDgMAYFwasZSTofEnzg49/WeIFU1rGB5HZVlmOJKZnKRuBi
TakEPw==
=odM9
-----END PGP PUBLIC KEY BLOCK-----

174
libselinux.spec Normal file
View File

@ -0,0 +1,174 @@
#
# spec file for package libselinux
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define libsepol_ver 3.7
Name: libselinux
Version: 3.7
Release: 0
Summary: SELinux runtime library and utilities
License: SUSE-Public-Domain
Group: Development/Libraries/C and C++
URL: https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
Source2: libselinux.keyring
Source3: selinux-ready
Source4: baselibs.conf
# PATCH-FIX-UPSTREAM Include <sys/uio.h> for readv prototype
Patch4: readv-proto.patch
Patch5: skip_cycles.patch
# PATCH-FIX-UPSTREAM python3.8-compat.patch mcepl@suse.com
# Make linking working even when default pkg-config doesnt provide -lpython<ver>
Patch6: python3.8-compat.patch
Patch7: swig4_moduleimport.patch
BuildRequires: fdupes
BuildRequires: libsepol-devel >= %{libsepol_ver}
BuildRequires: libsepol-devel-static >= %{libsepol_ver}
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libpcre2-8)
%description
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
%package -n libselinux1
Summary: SELinux runtime library
Group: System/Libraries
%description -n libselinux1
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
(Security-enhanced Linux is a feature of the kernel and some
utilities that implement mandatory access control policies, such as
Type Enforcement, Role-based Access Control and Multi-Level
Security.)
%package -n selinux-tools
Summary: SELinux command-line utilities
Group: System/Base
Requires: libselinux1 = %{version}
Provides: libselinux-utils = %{version}-%{release}
%description -n selinux-tools
Security-enhanced Linux is a feature of the kernel and some
utilities that implement mandatory access control policies, such as
Type Enforcement, Role-based Access Control and Multi-Level
Security.
This subpackage contains utilities to inspect and administer the
system's SELinux state.
%package devel
Summary: Development files for the SELinux runtime library
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: libselinux1 = %{version}
#Automatic dependency on libsepol-devel via pkgconfig
%description devel
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
This package contains the development files, which are
necessary to develop your own software using libselinux.
%package devel-static
Summary: Static archives for the SELinux runtime
Group: Development/Libraries/C and C++
Requires: libselinux-devel = %{version}
Requires: pkgconfig(libpcre2-8)
Requires: pkgconfig(libsepol)
%description devel-static
libselinux provides an interface to get and set process and file
security contexts and to obtain security policy decisions.
This package contains the static development files, which are
necessary to develop your own software using libselinux.
%prep
%autosetup -p1 -n libselinux-%{version}
%build
%make_build LIBDIR="%{_libdir}" CC="gcc" \
CFLAGS="%{optflags} -fno-semantic-interposition -ffat-lto-objects" \
USE_PCRE2=y
%install
mkdir -p %{buildroot}/%{_lib}
mkdir -p %{buildroot}%{_libdir}
mkdir -p %{buildroot}%{_includedir}
mkdir -p %{buildroot}%{_sbindir}
make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" \
BINDIR="%{_sbindir}" install
mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
install -m 0755 %{SOURCE3} %{buildroot}%{_sbindir}/selinux-ready
# Remove duplicate files
%fdupes -s %{buildroot}%{_mandir}
%post -n libselinux1 -p /sbin/ldconfig
%postun -n libselinux1 -p /sbin/ldconfig
%files -n selinux-tools
%{_sbindir}/avcstat
%{_sbindir}/getenforce
%{_sbindir}/getpolicyload
%{_sbindir}/getsebool
%{_sbindir}/matchpathcon
%{_sbindir}/selabel_digest
%{_sbindir}/selabel_lookup
%{_sbindir}/selinux_check_access
%{_sbindir}/selabel_lookup_best_match
%{_sbindir}/selabel_partial_match
%{_sbindir}/selinuxconlist
%{_sbindir}/selinuxdefcon
%{_sbindir}/selinuxenabled
%{_sbindir}/setenforce
%{_sbindir}/togglesebool
%{_sbindir}/selinux-ready
%{_sbindir}/selinuxexeccon
%{_sbindir}/sefcontext_compile
%{_sbindir}/compute_*
%{_sbindir}/getfilecon
%{_sbindir}/getpidcon
%{_sbindir}/policyvers
%{_sbindir}/setfilecon
%{_sbindir}/getseuser
%{_sbindir}/selinux_check_securetty_context
%{_sbindir}/selabel_get_digests_all_partial_matches
%{_sbindir}/validatetrans
%{_sbindir}/getpidprevcon
%{_mandir}/man5/*
%{_mandir}/man8/*
%files -n libselinux1
%{_libdir}/libselinux.so.*
%files devel
%{_libdir}/libselinux.so
%{_includedir}/selinux/
%{_mandir}/man3/*
%{_libdir}/pkgconfig/libselinux.pc
%files devel-static
%{_libdir}/libselinux.a
%changelog

16
python3.8-compat.patch Normal file
View File

@ -0,0 +1,16 @@
Index: libselinux-3.5/src/Makefile
===================================================================
--- libselinux-3.5.orig/src/Makefile
+++ libselinux-3.5/src/Makefile
@@ -13,7 +13,11 @@ LIBDIR ?= $(PREFIX)/lib
SHLIBDIR ?= /lib
INCLUDEDIR ?= $(PREFIX)/include
PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
+ifeq ($(shell $(PKG_CONFIG) --exists $(PYPREFIX)-embed && echo true), true)
+PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)-embed)
+else
PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
+endif
PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))")
PYCEXT ?= $(shell $(PYTHON) -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])')
RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')

12
readv-proto.patch Normal file
View File

@ -0,0 +1,12 @@
Index: libselinux-2.5/src/setrans_client.c
===================================================================
--- libselinux-2.5.orig/src/setrans_client.c
+++ libselinux-2.5/src/setrans_client.c
@@ -9,6 +9,7 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
+#include <sys/uio.h>
#include <errno.h>
#include <stdlib.h>

245
selinux-ready Normal file
View File

@ -0,0 +1,245 @@
#!/bin/bash
KERNEL="unknown"
INITRD="unknown"
TD=""
# init needs /selinux to be there
check_dir()
{
SLDIRS="/selinux /sys/fs/selinux"
FOUND="no"
for DIR in $SLDIRS; do
if [ -d $DIR ]; then
printf "\tcheck_dir: OK. $DIR exists.\n"
FOUND="yes"
fi
done
if [ $FOUND == "yes" ]; then
return 0
else
printf "\tcheck_dir: ERR. Neither of $SLDIRS does exist. Please execute 'mkdir /sys/fs/selinux' as root\n"
return 1
fi
}
check_filesystem()
{
FSPATH="/proc/filesystems"
FSNAMES="securityfs selinuxfs"
OK="O"
for FSNAME in $FSNAMES; do
grep -w $FSNAME $FSPATH 1>&2 >/dev/null
if [ $? == 0 ]; then
printf "\tcheck_filesystem: OK. Filesystem '$FSNAME' exists.\n"
else
printf "\tcheck_filesystem: ERR. Filesystem '$FSNAME' is missing. Please enable SELinux while compiling the kernel.\n"
OK="1"
fi
done
if [ "$OK" == "0" ]; then
return 0;
else
return 1;
fi
}
check_boot()
{
printf "\tcheck_boot: Assuming GRUB2 as bootloader.\n"
BPARAM1="security=selinux"
BPARAM2="selinux=1"
if grep $BPARAM1 /proc/cmdline | grep $BPARAM2 >/dev/null; then
printf "\tcheck_boot: OK. Current kernel has boot-parameters '$BPARAM1 $BPARAM2'\n"
return 0
else
printf "\tcheck_boot: ERR. Boot-parameter missing for booting the kernel.\n"
printf "\t Please add 'security=selinux selinux=1' to the kernel boot-parameter list.\n"
return 1
fi
}
check_mkinitrd()
{
MCMD="mount.*/root/proc.*"
if ! [ -f "/boot/initrd" ];then
printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/initrd'\n"
return 2
fi
cp /boot/initrd $TD/ 2>/dev/null
pushd . 2>&1>/dev/null
cd $TD
mkdir initrd-extracted
cd initrd-extracted
INITRD_FORMAT=$(file $TD/initrd | awk -F' ' '{print $2}')
case $INITRD_FORMAT in
'XZ' )
xz -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
'ASCII' )
/usr/lib/dracut/skipcpio $TD/initrd | zstd -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
'gzip' )
gzip -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
'Zstandard' )
zstd -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
* )
printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n"
return 2
esac
if [ -d boot ]; then
grep -E -- $MCMD boot/* 2>&1 >/dev/null
FLG1=$?
grep -E -- load_policy boot/* 2>&1 >/dev/null
FLG2=$?
else
# looks like we're using dracut/systemd. We can only check if libselinux1
# exists
if [ -f usr/lib64/libselinux.so.1 ]; then
# if this exists
FLG1=0
FLG2=0
fi
fi
popd 2>&1>/dev/null
if [ $FLG1 == 0 -a $FLG2 == 0 ];then
printf "\tcheck_mkinitrd: OK. Your initrd seems to be correct.\n"
return 0
else
printf "\tcheck_mkinitrd: ERR. Your initrd seems not to mount /proc of\n"
printf "\t the root filesystem during boot and/or load_policy\n"
printf "\t is missing,\n"
printf "\t this may be a reason for SELinux not working.\n"
return 1
fi
}
check_pam()
{
AA_PAM=0
SE_PAM=0
# test for AA pam module
grep apparmor /etc/pam.d/* 2>&1 >/dev/null
FLG=$?
if [ $FLG == 0 ]; then
AA_PAM=1
fi
# test for SELinux pam module
grep selinux /etc/pam.d/* 2>&1 >/dev/null
FLG=$?
if [ $FLG == 0 ]; then
SE_PAM=1
fi
# suggest config
if [ $SE_PAM == 1 ] && [ $AA_PAM == 0 ]; then
printf "\tcheck_pam: OK. Your PAM configuration seems to be correct.\n"
return 0
fi
printf "\tcheck_pam: ERR. Your PAM configuration seems to be incorrect.\n"
if [ $AA_PAM == 1 ]; then
printf " execute 'pam-config -d --apparmor' as root\n"
fi
if [ $SE_PAM == 0 ]; then
printf " execute 'pam-config -a --selinux' as root\n"
fi
return 1
}
check_initupstart()
{
CFGFILE="/etc/selinux/config"
if ! [ -f $CFGFILE ]; then
printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n"
return 1;
fi
}
check_runlevel()
{
if [ "$(systemctl is-enabled restorecond.service 2>/dev/null)" == "enabled" ]; then
printf "\tcheck_runlevel: OK. restorecond is enabled on your system\n"
return 0;
fi
printf "\tcheck_runlevel: ERR. please enable restorecond with systemctl enable restorecond.service.\n"
return 1
}
check_packages()
{
PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol2 libsemanage2 restorecond"
FAIL=0
for i in $PKGLST
do
rpm -q $i 1>&2 >/dev/null
if [ $? == 1 ];then
printf "\tcheck_packages: ERR. Package '$i' not installed, please run 'zypper in $i' as root\n"
FAIL=1
fi
done
if [ $FAIL == 0 ]; then
printf "\tcheck_packages: OK. All essential packages are installed\n"
return 0
else
return 1
fi
}
check_config()
{
CF="/etc/selinux/config"
if [ -f $CF ];then
printf "\tcheck_config: OK. Config file seems to be there.\n"
# with -L because /etc/selinux/config is now a link to /etc/sysconfig/selinux-policy
if ! [ $(stat -L --printf=%a $CF) -eq "644" ]; then
printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n"
return 1
fi
# check that SELINUX is not disabled there
SELINUX_MODE=$(grep "^\s*SELINUX\s*=" $CF | sed "s/SELINUX\s*=\(\S*\)\s*"/\\1/)
case "$SELINUX_MODE" in
permissive | enforcing )
printf "\tcheck_config: OK. SELINUX is set to '$SELINUX_MODE'.\n"
return 0
;;
* )
printf "\tcheck_config: ERR. SELINUX is set to '$SELINUX_MODE' in '$CF'. Should be either 'permissive' or 'enforcing'\n"
return 1
;;
esac
else
printf "\tcheck_config: ERR. Config file '$CF' is missing.\n"
return 1
fi
}
TD=$(mktemp -q -d /tmp/selinux-ready.XXXXXX)
echo "Start checking your system if it is selinux-ready or not:"
check_dir
check_filesystem
check_boot
check_mkinitrd
check_packages
check_config
check_initupstart
check_pam
check_runlevel
rm -rf $TD

14
skip_cycles.patch Normal file
View File

@ -0,0 +1,14 @@
Index: libselinux-3.4-rc3/src/selinux_restorecon.c
===================================================================
--- libselinux-3.4-rc3.orig/src/selinux_restorecon.c
+++ libselinux-3.4-rc3/src/selinux_restorecon.c
@@ -871,7 +871,8 @@ loop_body:
errno = ELOOP;
state->error = -1;
state->abort = true;
- goto finish;
+ fts_set(fts, ftsent, FTS_SKIP);
+ continue;
case FTS_DP:
continue;
case FTS_DNR:

13
swig4_moduleimport.patch Normal file
View File

@ -0,0 +1,13 @@
Index: libselinux-2.9/src/selinuxswig_python.i
===================================================================
--- libselinux-2.9.orig/src/selinuxswig_python.i 2019-03-15 10:32:30.000000000 +0000
+++ libselinux-2.9/src/selinuxswig_python.i 2019-12-16 15:03:46.133451617 +0000
@@ -6,7 +6,7 @@
#define DISABLE_RPM
#endif
-%module selinux
+%module(moduleimport="import $module") selinux
%{
#include "selinux/selinux.h"
%}