Accepting request 1184295 from home:cahu:security:SELinux:userspace37

- Update to version 3.7
  https://github.com/SELinuxProject/selinux/releases/tag/3.7
  * User-visible changes:
    * libsepol: improve policy lookup failure message
    * libsepol: include prefix for module policy versions
    * libsepol: validate type-attribute-map for old policies
    * libsepol: only exempt gaps checking for kernel policies
  * Bugfixes:
    * libsepol/src/Makefile: fix reallocarray detection
    * libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
    * libsepol: ensure transitivity in compare functions
  * oss-fuzz fixes:
    * libsepol: check scope permissions refer to valid class
    * libsepol: validate attribute-type maps
    * libsepol: reject self flag in type rules in old policies
    * libsepol: validate class permissions
    * libsepol: validate access vector permissions
    * libsepol: reject MLS support in pre-MLS policies
    * libsepol: Fix buffer overflow when using sepol_av_to_string()
    * libsepol: Use a dynamic buffer in sepol_av_to_string()

OBS-URL: https://build.opensuse.org/request/show/1184295
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libsepol?expand=0&rev=98

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

baselibs.conf

@@ -0,0 +1 @@
+libsepol2

libsepol-3.6.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c9dc585ea94903d784d597c861cd5dce6459168f95e22b31a0eab1cdd800975a
+size 509100

libsepol-3.6.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEG+LA/wiUliMQL9JWRpWIHCVFCNEFAmV5xAMACgkQRpWIHCVF
+CNEEfg//aHKtL3/mMdGCf8nJDizS0WisFmw3wx+z6R2r0Zs6umouzv9YgjmL3pUg
+LRrSgSyqYAZKXipooK0vyXhhZOnOh6kmOY3sEjR2I+4kwWQx7IzN0DFO7p/NVUo6
+GnNmGmxFhc6mEgu6926D5ACyigoB9gysyZcQxjWGQyrRM9oAlw2bBuvN+pyic+g/
+hX7KcHgki64nNXA6dfPkoTzKE+wQ83Ni0uQmo6fzNNf+XVrb1Qw6IL3cj52Iocja
+IB91wOjSJ3WyCdYxuZ2UZu2FBJbS7DNFQCDwIskdecX2gsTrrjYF2spKK1+9Uiny
+I4nt+9H7rHg/bZltnWIMUekBKKO58DmZziJ6oEUkHkc4vRBWrNJP74DHSPSA617v
+q6y7RBP8bavehOGIfqvQ7ChXxGzGXwhjpchAOAQJ7gPEXzqnI8UgzqoXKZ1Pnyod
+mUfteWBLuJlmyPcJeZ1wXBFo3G8l7ec/3nOwZ91Fn+Aw0Tx3/HS6Sm7GOYhI/uqy
+TMk29w2tpL5LS7XEQnYgxzLEY0EH4QXHuVrR08zKbDfX+UnVSePzSGqNdaXfJyI+
+sTz9d0Uaa3LK3wucPFAGTJyeszYk8FuQi7JMfq4jh3GPtC7qCwKCkrgwPQpB1coo
+WKgd/OodA2ZzTkjT28DERI7adUYjfDxXb7HQr/oW8poWePoD7yA=
+=D1Md
+-----END PGP SIGNATURE-----

libsepol-3.7.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cd741e25244e7ef6cd934d633614131a266c3eaeab33d8bfa45e8a93b45cc901
+size 511487

libsepol-3.7.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEG+LA/wiUliMQL9JWRpWIHCVFCNEFAmZ8NeEACgkQRpWIHCVF
+CNGuSQ//cFEkvjL9a7cTSPE7HI66nyYK7Kd0qj9IZfZ0356U8tC17FwBgHs4PGd5
+o2k7fMBgF9cK8Eycj5JHeu5XmyfVnn+opWn+T6K8UeostDSLxSgqaUqQ5HxK6e0E
+fR5NOR/SgNs6NDZPTAp61nXPVpUng0+N73FLDAyU9Yygy3Y3bF89elLzL0M2l9lB
+CrKv79F5WSGDG8h5YBmXloCBFiT2pzSe3D1Yse8eq34AeJAoVArz1KgQgU+dBVjW
+cldkFvzvCnOkuEoFW5M4dRpc8MEXChRVEM0RmGnzamxIpnK99qN/dlgDe3sTCYi7
+Sl42IOQuFsbVVo3Tk9Nx61oQuoPqWGe+V61ZlOTryawKm84svJ6aP74E7x0bT3KD
+V1964Yw+SbPqLYXTVHG2lpBvB2O79XjQQ00AZXys7d5b2CAallNXwTeK0HrcUT5T
+CzsBCEX4i/PLxJte6MNTIbCC4lMiyvf6AOUpus949m1WEQCtFDv/3fyHfM91uA5g
+TsGzkupwqXGepDSFZyU5lyhsCup2VC/5qh9x4zhAs4SoUb/JLTpobwiW4TwBy4mp
+xijH5y7g50u3y1k9rNcW0wNDMot+ROOdTwCRqyAzpC8rzfmaVhD7qcu4zry2CeI1
+AbGP1KH319s1Ae7wygj+/xGAiYHKR4NwL/SgdenNV4xsw/sn2gg=
+=YJy0
+-----END PGP SIGNATURE-----

libsepol.changes

@@ -0,0 +1,455 @@
+-------------------------------------------------------------------
+Mon Jul  1 08:01:08 UTC 2024 - Cathy Hu <cathy.hu@suse.com>
+
+- Update to version 3.7
+  https://github.com/SELinuxProject/selinux/releases/tag/3.7
+  * User-visible changes:
+    * libsepol: improve policy lookup failure message
+    * libsepol: include prefix for module policy versions
+    * libsepol: validate type-attribute-map for old policies
+    * libsepol: only exempt gaps checking for kernel policies
+  * Bugfixes:
+    * libsepol/src/Makefile: fix reallocarray detection
+    * libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
+    * libsepol: ensure transitivity in compare functions
+  * oss-fuzz fixes:
+    * libsepol: check scope permissions refer to valid class
+    * libsepol: validate attribute-type maps
+    * libsepol: reject self flag in type rules in old policies
+    * libsepol: validate class permissions
+    * libsepol: validate access vector permissions
+    * libsepol: reject MLS support in pre-MLS policies
+    * libsepol: Fix buffer overflow when using sepol_av_to_string()
+    * libsepol: Use a dynamic buffer in sepol_av_to_string()
+
+-------------------------------------------------------------------
+Tue Dec 19 09:20:58 UTC 2023 - Cathy Hu <cathy.hu@suse.com>
+
+- Update to version 3.6
+  https://github.com/SELinuxProject/selinux/releases/tag/3.6
+  * struct cond_expr_t bool renamed to boolean
+    The change is indicated by COND_EXPR_T_RENAME_BOOL_BOOLEAN macro 
+  * Add notself support for neverallow rules
+  * Improve man pages
+  * man pages: Remove the Russian translations
+  * Add notself and other support to CIL
+  * Add support for deny rules
+  * Translations updated from
+    https://translate.fedoraproject.org/projects/selinux/
+  * Bug fixes
+- Remove keys from keyring since they expired:
+  - E853C1848B0185CF42864DF363A8AD4B982C4373
+    Petr Lautrbach <plautrba@redhat.com>
+  - 63191CE94183098689CAB8DB7EF137EC935B0EAF
+    Jason Zaman <jasonzaman@gmail.com>
+- Add key to keyring: 
+  - B8682847764DF60DF52D992CBC3905F235179CF1 
+    Petr Lautrbach <lautrbach@redhat.com> 
+
+-------------------------------------------------------------------
+Thu Mar 23 16:06:02 UTC 2023 - Martin Liška <mliska@suse.cz>
+
+- Enable LTO now (boo#1138813).
+
+-------------------------------------------------------------------
+Fri Feb 24 07:50:14 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 3.5
+  * Stricter policy validation
+  * do not write empty class definitions to allow simpler round-trip tests
+  * reject attributes in type av rules for kernel policies
+- Added additional developer key (Jason Zaman)
+
+-------------------------------------------------------------------
+Mon May  9 10:27:53 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 3.4
+  * Add 'ioctl_skip_cloexec' policy capability
+  * Add sepol_av_perm_to_string
+  * Add policy utilities
+  * Support IPv4/IPv6 address embedding
+  * Hardened/added many validations
+  * Add support for file types in writing out policy.conf
+  * Allow optional file type in genfscon rules
+
+-------------------------------------------------------------------
+Thu Nov 11 13:28:14 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 3.3
+  * Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch
+    are all included
+  * Lot of smaller fixes identified by fuzzing
+
+-------------------------------------------------------------------
+Wed Jul 21 13:16:54 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 1187928.
+  Added CVE-2021-36087.patch
+
+-------------------------------------------------------------------
+Mon Jul  5 11:31:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
+  Added CVE-2021-36085.patch
+- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
+  Added CVE-2021-36086.patch
+
+-------------------------------------------------------------------
+Tue Mar  9 09:11:42 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 3.2
+  * more space-efficient form of storing filename transitions in the binary
+    policy and reduced the size of the binary policy
+  * dropped old and deprecated symbols and functions. Version was bumped to
+    libsepol.so.2
+
+-------------------------------------------------------------------
+Thu Oct 29 10:40:16 UTC 2020 - Ludwig Nussel <lnussel@suse.de>
+
+- install to /usr (boo#1029961)
+
+-------------------------------------------------------------------
+Tue Jul 14 08:39:58 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 3.1
+  * Add support for new polcap genfs_seclabel_symlinks
+  * Initialize the multiple_decls field of the cil db
+  * Return error when identifier declared as both type and attribute
+  * Write CIL default MLS rules on separate lines
+  * Sort portcon rules consistently
+  * Remove leftovers of cil_mem_error_handler
+  * Drop remove_cil_mem_error_handler.patch, is included
+
+-------------------------------------------------------------------
+Mon Apr 27 19:35:18 UTC 2020 - Martin Liška <mliska@suse.cz>
+
+- Enable -fcommon in order to fix boo#1160874.
+
+-------------------------------------------------------------------
+Tue Mar  3 12:17:04 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
+
+- Update to version 3.0
+  * cil: Allow validatetrans rules to be resolved
+  * cil: Report disabling an optional block only at high verbose levels
+  * cil: do not dereference perm_value_to_cil when it has not been allocated
+  * cil: fix mlsconstrain segfault
+  * Further improve binary policy optimization
+  * Make an unknown permission an error in CIL
+  * Remove cil_mem_error_handler() function pointer
+  * Use LIBSEPOL_3.0 and fix sepol_policydb_optimize symbol mapping
+  * Add a function to optimize kernel policy
+  * Add ebitmap_for_each_set_bit macro
+
+  Dropped fnocommon.patch as it's included upstream
+
+-------------------------------------------------------------------
+Thu Jan 30 14:11:56 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
+
+- Add fnocommon.patch to prevent build failures on gcc10 and
+  remove_cil_mem_error_handler.patch to prevent build failures due to 
+  leftovers from the removal of cil_mem_error_handler (bsc#1160874)
+
+-------------------------------------------------------------------
+Thu Jun 20 10:25:00 UTC 2019 - Martin Liška <mliska@suse.cz>
+
+- Disable LTO due to symbol versioning (boo#1138813).
+
+-------------------------------------------------------------------
+Wed Mar 20 15:12:34 UTC 2019 - jsegitz@suse.com
+
+- Update to version 2.9
+  * Add two new Xen initial SIDs
+  * Check that initial sid indexes are within the valid range
+  * Create policydb_sort_ocontexts()
+  * Eliminate initial sid string definitions in module_to_cil.c
+  * Rename kernel_to_common.c stack functions
+  * add missing ibendport port validity check
+  * destroy the copied va_list
+  * do not call malloc with 0 byte
+  * do not leak memory if list_prepend fails
+  * do not use uninitialized value for low_value
+  * fix endianity in ibpkey range checks
+  * ibpkeys.c: fix printf format string specifiers for subnet_prefix
+  * mark permissive types when loading a binary policy
+
+-------------------------------------------------------------------
+Thu Nov  8 09:34:54 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
+
+- Use more %make_install.
+
+-------------------------------------------------------------------
+Thu Nov  8 07:19:24 UTC 2018 - jsegitz@suse.com
+
+- Adjusted source urls (bsc#1115052)
+
+-------------------------------------------------------------------
+Wed Oct 17 11:54:52 UTC 2018 - jsegitz@suse.com
+
+- Update to version 2.8 (bsc#1111732)
+  For changes please see
+  https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
+
+-------------------------------------------------------------------
+Wed May 16 07:13:18 UTC 2018 - mcepl@suse.com
+
+- Rebase to 2.7
+  For changes please see
+  https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
+
+-------------------------------------------------------------------
+Fri Nov 24 09:16:47 UTC 2017 - jsegitz@suse.com
+
+- Update to version 2.6. Notable changes:
+  * Add support for converting extended permissions to CIL
+  * Create user and role caches when building binary policy
+  * Check for too many permissions in classes and commons in CIL
+  * Fix xperm mapping between avrule and avtab
+  * Produce more meaningful error messages for conflicting type rules in CIL
+  * Change which attributes CIL keeps in the binary policy
+  * Warn instead of fail if permission is not resolved
+  * Ignore object_r when adding userrole mappings to policydb
+  * Correctly detect unknown classes in sepol_string_to_security_class
+  * Fix neverallowxperm checking on attributes
+  * Only apply bounds checking to source types in rules
+  * Fix CIL and not add an attribute as a type in the attr_type_map
+  * Fix extended permissions neverallow checking
+  * Fix CIL neverallow and bounds checking
+  * Add support for portcon dccp protocol
+
+-------------------------------------------------------------------
+Fri Jul 15 14:29:28 UTC 2016 - jengelh@inai.de
+
+- Update RPM groups, trim description and combine filelist entries.
+
+-------------------------------------------------------------------
+Thu Jul 14 14:38:09 UTC 2016 - mpluskal@suse.com
+
+- Cleanup spec file with spec-cleaner
+- Make spec file a bit more easy
+- Ship new supbackage (-tools)
+
+-------------------------------------------------------------------
+Thu Jul 14 14:21:46 UTC 2016 - jsegitz@novell.com
+
+- Without bug number no submit to SLE 12 SP2 is possible, so to make
+  sle-changelog-checker happy: bsc#988977
+
+-------------------------------------------------------------------
+Thu Jul 14 07:57:35 UTC 2016 - jsegitz@novell.com
+
+- Adjusted source link
+
+-------------------------------------------------------------------
+Tue Jul  5 17:11:44 UTC 2016 - i@marguerite.su
+
+- update version 2.5
+  * Fix unused variable annotations
+  * Fix uninitialized variable in CIL
+  * Validate extended avrules and permissionxs in CIL
+  * Add support in CIL for neverallowx
+  * Fully expand neverallowxperm rules
+  * Add support for unordered classes to CIL
+  * Add neverallow support for ioctl extended permissions
+  * Improve CIL block and macro call recursion detection
+  * Fix CIL uninitialized false positive in cil_binary
+  * Provide error in CIL if classperms are empty
+  * Add userattribute{set} functionality to CIL
+  * fix CIL blockinherit copying segfault and add macro restrictions
+  * fix CIL NULL pointer dereference when copying classpermission/set
+  * Add CIL support for ioctl whitelists
+  * Fix memory leak when destroying avtab
+  * Replace sscanf in module_to_cil
+  * Improve CIL resolution error messages
+  * Fix policydb_read for policy versions < 24
+  * Added CIL bounds checking and refactored CIL Neverallow checking
+  * Refactored libsepol Neverallow and bounds (hierarchy) checking
+  * Treat types like an attribute in the attr_type_map
+  * Add new ebitmap function named ebitmap_match_any()
+  * switch operations to extended perms
+  * Write auditadm_r and secadm_r roles to base module when writing CIL
+  * Fix module to CIL to only associate declared roleattributes with in-scope types
+  * Don't allow categories/sensitivities inside blocks in CIL
+  * Replace fmemopen() with internal function in libsepol
+  * Verify users prior to evaluating users in cil
+  * Binary modules do not support ioctl rules
+  * Add support for ioctl command whitelisting
+  * Don't use symbol versioning for static object files
+  * Add sepol_module_policydb_to_cil(), sepol_module_package_to_cil(), 
+    and sepol_ppfile_to_module_package()
+  * Move secilc out of libsepol
+  * fix building Xen policy with devicetreecon, and add devicetreecon
+    CIL documentation
+  * bool_copy_callback set state on creation
+  * Add device tree ocontext nodes to Xen policy
+  * Widen Xen IOMEM context entries
+  * Fix error path in mls_semantic_level_expand()
+  * Update to latest CIL, includes new name resolution and fixes ordering
+    issues with blockinherit statements, and bug fixes
+- changes in 2.4
+  * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
+  * Fix bugs found by hardened gcc flags
+  * Build CIL into libsepol. libsepol can be built without CIL by setting the
+    DISABLE_CIL flag to 'y'
+  * Add an API function to set target_platform
+  * Report all neverallow violations
+  * Improve check_assertions performance
+  * Allow libsepol C++ static library on device
+
+-------------------------------------------------------------------
+Fri May 16 13:06:12 UTC 2014 - vcizek@suse.com
+
+- update to 2.3
+  * Improve error message for name-based transition conflicts.
+  * Revert libsepol: filename_trans: use some better sorting to compare and merge.
+  * Report source file and line information for neverallow failures.
+  * Fix valgrind errors in constraint_expr_eval_reason from Richard Haines.
+  * Add sepol_validate_transition_reason_buffer function from Richard Haines.
+- dropped libsepol-2.1.4-role_fix_callback.patch (upstream)
+
+-------------------------------------------------------------------
+Thu Oct 31 13:36:48 UTC 2013 - p.drouand@gmail.com
+
+- Update to version 2.2
+  * Allow constraint denial cause to be determined
+	  - Add kernel policy version 29.
+	  - Add modular policy version 17.
+	  - Add sepol_compute_av_reason_buffer(), sepol_string_to_security
+       _class(), sepol_string_to_av_perm().
+  * Support overriding Makefile RANLIB
+  * Fix man pages
+- Remove libsepol-rhat.patch; merged on upstream
+
+-------------------------------------------------------------------
+Thu Jun 27 14:37:12 UTC 2013 - vcizek@suse.com
+
+- change the source url to the official 2.1.9 release tarball
+
+-------------------------------------------------------------------
+Sat Jun 22 01:40:19 UTC 2013 - crrodriguez@opensuse.org
+
+- Build with LFS_CFLAGS for 32 bit archs 
+
+-------------------------------------------------------------------
+Fri Apr  5 15:31:13 UTC 2013 - vcizek@suse.com
+
+- remove a debugging artifact in spec
+
+-------------------------------------------------------------------
+Thu Apr  4 19:26:35 UTC 2013 - vcizek@suse.com
+
+- fixed source url
+
+-------------------------------------------------------------------
+Wed Feb 13 14:34:39 UTC 2013 - vcizek@suse.com
+
+- update to 2.1.9
+  * filename_trans: use some better sorting to compare and merge
+  * coverity fixes
+  * implement default type policy syntax
+  * Fix memory leak issues found by Klocwork
+- added libsepol-rhat.patch
+
+-------------------------------------------------------------------
+Mon Jan  7 22:46:48 UTC 2013 - jengelh@inai.de
+
+- Remove obsolete defines/sections
+
+-------------------------------------------------------------------
+Mon Dec 10 17:34:14 UTC 2012 - p.drouand@gmail.com
+
+- Update to 2.1.8 version:
+  * fix neverallow checking on attributes
+  * Move context_copy() after switch block in ocontext_copy_*().
+  * check for missing initial SID labeling statement.
+  * Add always_check_network policy capability
+  * role_fix_callback skips out-of-scope roles during expansion.
+
+-------------------------------------------------------------------
+Thu Oct 25 10:47:00 UTC 2012 - vcizek@suse.com
+
+- skip roles which are out of scope when expanding attributes
+- needed for building selinux-policy
+
+-------------------------------------------------------------------
+Wed Jul 25 11:16:59 UTC 2012 - meissner@suse.com
+
+- updated to 2.1.4
+  - lots of updates
+
+-------------------------------------------------------------------
+Wed Oct  5 15:11:06 UTC 2011 - uli@suse.com
+
+- cross-build fix: use %__cc macro
+
+-------------------------------------------------------------------
+Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
+
+- use %_smp_mflags
+
+-------------------------------------------------------------------
+Sat Apr 24 11:38:22 UTC 2010 - coolo@novell.com
+
+- buildrequire pkg-config to fix provides
+
+-------------------------------------------------------------------
+Thu Feb 25 15:00:29 UTC 2010 - prusnak@suse.cz
+
+- updated to 2.0.41
+  * changes too numerous to list
+
+-------------------------------------------------------------------
+Sun Dec 13 01:35:55 CET 2009 - jengelh@medozas.de
+
+- add baselibs.conf as a source
+
+-------------------------------------------------------------------
+Wed Nov 11 18:18:22 UTC 2009 - crrodriguez@opensuse.org
+
+- libsepol-devel Requires glibc-devel
+
+-------------------------------------------------------------------
+Fri Jun 19 13:26:45 CEST 2009 - prusnak@suse.cz
+
+- put static library in libsepol-devel-static
+
+-------------------------------------------------------------------
+Wed May 27 13:56:59 CEST 2009 - prusnak@suse.cz
+
+- updated to 2.0.36
+  * fix alias field in module format, caused by boundary format
+    change from Caleb Case
+  * fix boolean state smashing from Joshua Brindle
+
+-------------------------------------------------------------------
+Mon Dec  1 11:37:58 CET 2008 - prusnak@suse.cz
+
+- updated to 2.0.34
+  * add bounds support
+  * fix invalid aliases bug
+
+-------------------------------------------------------------------
+Wed Oct 22 16:17:24 CEST 2008 - mrueckert@suse.de
+
+- fix debug_packages_requires define
+
+-------------------------------------------------------------------
+Tue Sep 23 12:53:01 CEST 2008 - prusnak@suse.cz
+
+- require only version, not release [bnc#429053]
+
+-------------------------------------------------------------------
+Fri Aug 22 14:45:33 CEST 2008 - prusnak@suse.cz
+
+- added baselibs.conf file
+
+-------------------------------------------------------------------
+Fri Aug  1 17:32:23 CEST 2008 - ro@suse.de
+
+- fix requires for debuginfo package
+
+-------------------------------------------------------------------
+Tue Jul 15 15:35:54 CEST 2008 - prusnak@suse.cz
+
+- initial version 2.0.32
+  * based on Fedora package by Dan Walsh <dwalsh@redhat.com>
+

libsepol.keyring

@@ -0,0 +1,110 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGNZjyYBEACk7biPgvCVldNWq1CwVoJa/Fvc4T49tqxcc/sY4uVlGo6oSi4f
+QcXE9XKPPBuRLmvpmMWvODQLzPxJMWUfJq6LyYFmX2U9VRTcyITdmJs8itkEaDwq
+8BtXkeQfUDAVSFy6V6/uvVmNWD7pGXqJE1GxuV44Ihlh6v2YyqSzDG/rZur771hk
+e8VZmlKMVMs1RSeOBA3nUmvZQ58+uqkhJNYqOeQhxGIxDOHo7QhzTG+SlX+uQq6m
+zACKygVJJl33toaUwVAX5R02a0u67A5wC0whAoLSHInc3P7ayivWV/iESAz+gMIk
+uvJWns/Ak14J7MTGgjD6rle7PNMsPDCCwQScqA8F0x4OChCixbZGZn6Mr0u8+01V
+CEe2IjJwVUfFI/G4n1FZ1RAdqjkHfZJeD20LGHSbjJLcnqLLFx3LDpI5dAxo5K2k
+Fvz0VowrB58aHoofW8/g8yZygGQ4Zpw4JnpUmaPnMTiD5yvnFzEihM5L9DuaWqSK
+3sb9qzoaXABYRYI7OmX4B5nmMzFteHHq0tMtaKWf0HkAsCP0BLJcS9Oc1/0I0+gC
+4oKLRD8a4+kaEpNr6BXvWnj7Y1h0Zr/CZS6+gi34CxWMl2Q34OSqtS37mzzBu+UZ
+xffPR0aV2RXcEpc0c5HW550Thq1NF9EmFOoyeG4J2ox9JRANZXLh/i7mNwARAQAB
+tCVQZXRyIExhdXRyYmFjaCA8bGF1dHJiYWNoQHJlZGhhdC5jb20+iQJXBBMBCABB
+FiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZjyYCGwMFCQPCZwAFCwkIBwICIgIG
+FQoJCAsCBBYCAwECHgcCF4AACgkQvDkF8jUXnPGeAA//ScQ3kJMqI6FRULXo0aF7
+CpafPXVWdvj+mfQMlZzuGwXXTmM42T0DXnXRBSjstWkmOXP/UqkN7bNeXH/S3D3G
+CJ2l0qx8Qp6fP0FloJIbemyxNtzl7yvAE7kWvuBuLvUdm23cntv49gAzj+ElDqCx
+tT6A6qaqM6r7DLUvw+G+r6gkeu1hNQbtRpEK9Dt8tHriQyI410qFRMbi3QxU+iTJ
+79HXwrXiYpX7V7T+ugiU9lgIiC/hWJCo6SY4knt9E6zhegUWN6zErl2HY8FBM2P9
+eHOTqToEOAhKeM1fXZvxe3m49fGq/spmRM1RUUl1V9WFEaMiLg/Z2rmbD8LX9Ytf
+YlQCbEwyX2nkIP1QIcr/DEfcmCA2MXCQCgsqI/2XS3BTLPyjuqAYnXxrk+T/Cydc
+g4W3ZBYI/wT56GH02TQzB/wJsn0cW6EMG46VSDY/mZ2/gwi54G/Pqb2R3ZC9I7wQ
+6/FFxuu8myI/QVmEiTlvTxBoyOdNlliBQxCkDczs1rxd/o8Wfjo1vwRHW84jZrCP
+3xr7xPJWuzsrmPU8kFHTgepGoY+4b/h3jGwlV103RpRUK4JidwHsmYDVk6pgeUH6
+9hf0iVcbFfKiViFTR+DwjbAOxTdsFgsYYn+7hBj2l+pV/uzeA0akL2dkgfJc9pAf
+6ItRUnGC+RlntZ0Pf2NbwIS5Ag0EY1mPxgEQAOBjoc5rCJOHFBUj7S68ABT3KKx7
+DVJJU7qYCxC1kzuzsGksDdEY+PdQaiNkh56MD6R+rsD49UsGHP+RIFO3D3+zejiu
+Wo3PPtItqLHpcpYKkc4Gzziff8sXq70owxWT29OyMrPyIMX2YFHZuYJ8u8STQcOI
+zICm/lJs6xkwHyTk9bIrwdg/Iwjm6YRo6xoLe0B6KE7efMDER/ehmXncnWkjD55x
+2tAttZsfRqoqeB8J10PxDSgyv8jCXLdbj37l6omh6VH3926392DRrc2fXAgZhHML
+rYIKwXkhnAp3I+HueKURQWkDlWXP4d8gVyHYt9EXdD8ZkPx8rMrGGMMh2DJpZJOw
+xuK3IrFfYb+lyOyHIyxlPsjcfHtLBB8WujnyzYMWwUsRmAGEm/6db8dyR551q95e
+Zd0cqO2xrz6u8YAO2LjCiE6X43m1ulhbf/NHcBiqWHjuEbSKRQnxO6ye7zrmPdnm
+YT4qpLrzKlFUExGt0mXaUY8MKdcaGXbvbRU80wL+MHYyCb8vWa9AzWM990LcqCiQ
+MAfk0zMq9q/oDvVotJQmWLdR2QYeRfl3m6uzeTdaYK3td5NvfQwG83MFxJhNvDZQ
+YhETwbQIVzfC2JZaJAo94VdiGfT4I4Khb8RekgJVoC4w8yByyV0zXdsobIajc2eC
+w0R2ik0V+vQopblfABEBAAGJBHIEGAEIACYWIQS4aChHdk32DfUtmSy8OQXyNRec
+8QUCY1mPxgIbAgUJA8JnAAJACRC8OQXyNRec8cF0IAQZAQgAHRYhBBviwP8IlJYj
+EC/SVkaViBwlRQjRBQJjWY/GAAoJEEaViBwlRQjRmQcP/1OVG8BpkRN/6m/j8hx5
+4vcofCPmWsL+CiNfE3QCOEBeWMtJEK7QTIgLFnLfXnyHiTS/CN2/zr33IcQ33s90
+XzibzWarE7P6O4oFEcUr8TAACA51KXMadRiA2SaYJE4Va2N6d41ZoV0Ser0wi3HU
+5qxw97LGdYyOrsstgxIRI/i2BRXkp2VpUBdHqr/zfe7bv82h2QNw0fZQr4jJP4q3
++4I6gggvi23Gj8+9lOmHNXyfqzSwkkTf8GtHGC8JORVTrOizImzJq7z+9rJBgY+4
+G4RBWzhOv69njaLNuQeASVxm/2hiMmzFqpmqozN9Y+17ubo+X+m+2aWE+aln56Pv
+LxJHKwFX7doc1doTUnewg6ZjGKCGWBlqlKMeX8D038pd2gsCMhm0EA5DZkXJHP9z
+b5VSomDCLB3GhoVpifZ5Qz4dJNtl90ZcFL/LJktiwz4vgzZqLNC8MhFfPLy8bS+k
+dAS8+VcvQaDSDKTR+jHQ6wA/kJ9eYcL8C9g4czzLzVfZCoN/fcC7VEiCiDhwuqrb
+ClcQBFZsCPQEAwh4mgIMK70zPaO4rW6LbCvwBnTjY8JSBkroJ1QjXwCy8ClSE+w2
+6cXtk5zmYUy5oQaONYm+tMberKsJjvfJIGIZdaj3ZkHsVe7YzOC6M8ESKAHKp4Xo
+hXbHQQEfD9WtzFerpKWCaKTobRIP/jyXmYYLEzRav3WtoH3NCXANu0Pc8JuMDoO2
+QytHICr7zWDvk3q6LO0Y8JXD2fUegY5KM3WECF5KBBCVxdsMunN908WjAMQdyUUV
+9Q4MIg64X4WCbGUDPkTGv0mQl2jMEWpFniIX+18TmwcHSvN5RxjcnpWNOyNQuMTg
+ZKDm2uw5zwYdScWf3DDCR/2dH8yvVFhxfQaRNzKJSyTD4ChHPqy858BYgMljjnTC
+APQwdkrTwh9RSxhMZ5yhdy9Z/+EhO2/8B/kylADC4YQOW1UN670QC7rlJmUySQy5
+APWHco5CNQnqdjhrgzYJDnWCCz9z6+x6bGy5iUa9K6Gt9e3ocYPd2Gw4R7IS8hyO
+Ok/Uq7maqs+GpcWWLWzB+iGFgYZU758zsbeXvAWQAiLQHWzOfQrXepGoEjCOdYv6
+is/UovO9zMIfrIPQVlj3QIN0y0zRUHoCpPgEWHrn7KCMDhiIDt8VgGbznXTJtRw1
+/NTeBQgnmkXwx0aLM7ni0I9IrpT6JVFjip8IV24iI5nsVRSfvxUjFBQxgyujPLuS
+f/Q9BlrsopFtcnyyDSyCtBqnCmBSN0zC5hk8Ya/UnDn/5ZQZYxsbGaWkdwQ6aw9m
+khMfnnsz+QfKT1R3SIrByIEjaYYvGJp8K4utRjhOSfM6ptmCN2WVxQbhwMERC4E7
+8ZKPUtR+uQINBGNZj3EBEACsSSOVQfiGhJACRUkJZaT6cX51oA/kizOsYRAftPI5
+XBdtFmd1I8VJSopTaQSAdsyb7AVihl73mH22MOHawsKzffylW7kKGHPd02x5MXv+
+ttyTDasJT4ltqUSLByTu0ouqhu9uHvuOettCeStk1z6cx4ccutjJzmAdbpxKfhSV
+TjYwqZOVJ44bgvL3BeGBooKF4hc1fdT8PrzZN9+Xsailybuk9kX3Z3BjicikLFTY
+BOKaRLK6VuHOTYKNnUlhQnUsdy0web0XQsQa1zUbENKHNVk/x05akOz0EHBkMtfE
+LMLiu9n7PkEkIMVu41MplDkkShbawzzI/UstkZfPjiGxpvVo+u8He9x1LkRM/pup
+PnbrtmKi12FSJ9T+lNXnN7jvA25pl6dC0Z32iXKHZ0Co6TYNCtwFAUDSBGnnlvhT
+raEtNhfFP7uMRtJUDF5cM9Go++qH/iRWfzqWViNXp0CgBI3XBbPjbdAfe7hkr5Lq
+DwdnQetjb40FiCq2Fvof9foWIXlVwday2ST3ruDhe3Q+A3+uUK2leHhYr2xJxf8I
+V05RGweVvvxk3Yt7FphpUGpC6q98doA8logSVeoyF5nxpis7oN/jLMn7p5Ozezg+
+ozoQyKvnBoWifHkaHnRfjEv2nshWqA0+FCxTxnlTmEZhuZQfvroa0Q2/gIjW6kUD
+VwARAQABiQI8BBgBCAAmFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZj3ECGyAF
+CQPCZwAACgkQvDkF8jUXnPHhww/7BuMq7bEKvrejKf6Wjs2owMsFiXjMe6dhNmEb
+96ANqRVankiSPn+TeL6FVJh9TJSGpD9v8fT3quikHsYDoTNLjgZL6Esx1A4k6YRu
+O8A//10kNfYVCdhnNoDZ/94iSBrDbzeg4ueZjPTHtgBb+jGWc+f7tKDsMYaqqfec
+qh8NRSujB9fS1AbCQaYkmpCA4f9l9Ti3nVQIrMXqFZFtt6sEjx7Onbi9ieADaQZ5
+/V8JQL4QgWGhhx0ccK0LVOIqY5Rp4H1kyJVeQ/rR+YIso5vBwpPJikAU+ozTnGCw
+w8Vpc359DthUAakJ22GTnc3kaj5Cp6HAugmTvsIdnEhYkh/jendSK4fUWy5cXs50
+THMiFRKJS6boygIjwGlXCf25Ip9cos50YNHogkjyOp0L0tiherFm0OGlyoPvSEVY
+nAnNmD5TZK/FnKE6rC0pe0NMO157fIbM9pxIAkPuYVRFz8NGLrZQEyIVyo7Vhb/k
+uALjKO3OjsxNA+RoZtAt24ciUIprykdY+posV0xrDCo2tM0dZcIPhfGKMljB0C57
+c1Qb+616Q2bzaaqdttbD8BdREjN59CxvKqI1gzO250n2EBLzIJ2R9v1IpUi9Zg9D
+vu0eW05kXsr83M4Z4lomvyW+pkJ9elaY525OlZoPaQi9TYrHuAHiNd0xrZqL0378
+d2veUui5Ag0EY1mPJgEQAMRQDbNHBQ376nDF8miBZOAV1txpmbHc5D/X63PNapP0
+P1/I7SfcJU9D3wX8c4vmxkjEYtH23s4lmT1VLsU7PisS3MacRemm9pL2bD53hs9X
+QEuU9OtJsZn1ZJ+Ynh6i5sfW1bG3OiV/TWgYXW66GwE1hn9PuP8arodUmhEft+64
+G2u8Xtxr5yqlQJEUThV6280OJrxVbduaMi5C6UNeeGE5wuhfrQ0TNYZiwQ4KYbU3
+QhlWhHVjJlJ5hCLiktwFDyR24P+wlTIziWA407mo2enQT+mz3bO7Paf4mBionGsJ
+MoADqBThf4B69BxjJ7Yg7oQVIZ7560YIRRmNo4tk5Mhep11OtQgZjZJR6MhWDaUO
+17w1qScrOPRj6G1IXP1R5NarydJpLyAVb/5WFZ5jxUGMGtq3mYn4nKbbHUg2WzvC
+JvPctDE6EV2vaiRy5N1fQjsHgSa29F2feh14p4ngFCmHjpdbcdjfv6rWL8tgkSpQ
+lDdeHRRd1q03TKAg/byPauAHKzvV+iWlmw1f6KBWjeTn0fofmk9eeQ+P1j0a3/XT
+xMOjB34SzqPRWzmLPLF6YmujBK2gymM+JLirJFFzao1i4lgmxqkDhQoNYHXmVYEd
+7w+/qUYbfKwO9eJOWzuUWajxvJ1Vgv6z4CPy9if0gwfhrx0OOcIpBE/xZU+SwQQp
+ABEBAAGJAjwEGAEIACYWIQS4aChHdk32DfUtmSy8OQXyNRec8QUCY1mPJgIbDAUJ
+A8JnAAAKCRC8OQXyNRec8a+qD/4whGQ9J+td1iLFMpNRAqvuGtTnM6shZJNnC5CB
+56Cu7ElIpr74sk0R98Ia1pJlBcLALbYSrqwluZaLiRVDPdub6tGSRVssqQdZcKTh
+z33waTru9IfLhCrRSNd0ZMHJaOG1ErU0noWw2d4ifVJK+vvuvMeEyNm4H5pZOYzY
+eikqVUYzS143cSzMEwtvPSdP5JkTQi4WNF09khH1D+QpJoXEgVEQla7Sr955Zdt3
+q5OlpYxxw+X62vslZ2OMiKZ14kWVSRbVQ+WdnjtRYS4vivB6ko9QL770jZ131hKh
+C/BcWpEYSjfPpVua2oKbccKHXheIFEJ06kGkMeeoQPxmzPRBYIw/E+d5sZp7YXDy
+BGOAxBeiOaOnZ8vLBzy72HFng3oB3hkVGTTHq+PsHdSSaRME3QrNpDsaGeSjw62F
+G3I4zK985GtrXAHEzN/Ffd17srl4mcRQ+8QM/a+XbF/8ugjE/RHhhFf8sWVAPutY
+zVE8lF+uqcduPuq/rTcUBuzSVjnSRfXWqCokjh+ypUpHNUO8fZDzkTLuE5rwMG1x
+pPueDBTzvoGDQRqc2eoXpJnDBmdlz83zHsoR2gIHcdqyc/hCV+fTvR8E0v9ZG3Jr
+6RFgWdD008PsGxUevIDgMAYFwasZSTofEnzg49/WeIFU1rGB5HZVlmOJKZnKRuBi
+TakEPw==
+=odM9
+-----END PGP PUBLIC KEY BLOCK-----

libsepol.spec

@@ -0,0 +1,130 @@
+#
+# spec file for package libsepol
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define libname libsepol2
+
+Name:           libsepol
+Version:        3.7
+Release:        0
+Summary:        SELinux binary policy manipulation library
+License:        LGPL-2.1-or-later
+Group:          Development/Libraries/C and C++
+URL:            https://github.com/SELinuxProject/selinux/wiki/Releases
+Source0:        https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1:        https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+Source2:        libsepol.keyring
+Source3:        baselibs.conf
+BuildRequires:  flex
+BuildRequires:  pkgconfig
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+
+%description
+libsepol provides an API for the manipulation of SELinux binary
+policies. It is used by checkpolicy (the policy compiler) and similar
+tools, as well as by programs like load_policy that need to perform
+specific transformations on binary policies such as customizing
+policy boolean settings.
+
+%package utils
+Summary:        SELinux binary policy manipulation tools
+Group:          System/Base
+
+%description utils
+libsepol provides an API for the manipulation of SELinux binary
+policies. It is used by checkpolicy (the policy compiler) and similar
+tools, as well as by programs like load_policy that need to perform
+specific transformations on binary policies such as customizing
+policy boolean settings.
+
+%package -n %{libname}
+Summary:        SELinux binary policy manipulation library
+Group:          System/Libraries
+
+%description -n %{libname}
+libsepol provides an API for the manipulation of SELinux binary
+policies. It is used by checkpolicy (the policy compiler) and similar
+tools, as well as by programs like load_policy that need to perform
+specific transformations on binary policies such as customizing
+policy boolean settings.
+
+(Security-enhanced Linux is a feature of the kernel and some
+utilities that implement mandatory access control policies, such as
+Type Enforcement, Role-based Access Control and Multi-Level
+Security.)
+
+%package devel
+Summary:        Development files for SELinux's binary policy manipulation library
+Group:          Development/Libraries/C and C++
+Requires:       %{libname} = %{version}
+Requires:       glibc-devel
+
+%description devel
+The libsepol-devel package contains the libraries and header files
+needed for developing applications that manipulate binary SELinux
+policies.
+
+%package devel-static
+Summary:        Static archives for SELinux's binary policy manipulation library
+Group:          Development/Libraries/C and C++
+Requires:       libsepol-devel = %{version}
+
+%description devel-static
+The libsepol-devel-static package contains the static libraries
+needed for developing applications that manipulate binary SELinux
+policies.
+
+%prep
+%setup -q
+
+%build
+%global _lto_cflags %{_lto_cflags} -ffat-lto-objects
+export CFLAGS="%{optflags} -fcommon"
+make %{?_smp_mflags}
+
+%install
+%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}"
+
+%post -n %{libname} -p /sbin/ldconfig
+%postun -n %{libname} -p /sbin/ldconfig
+
+%files utils
+%defattr(-,root,root)
+%{_bindir}/chkcon
+%{_bindir}/sepol_check_access
+%{_bindir}/sepol_compute_av
+%{_bindir}/sepol_compute_member
+%{_bindir}/sepol_compute_relabel
+%{_bindir}/sepol_validate_transition
+%{_mandir}/man8/*.8%{ext_man}
+
+%files -n %{libname}
+%defattr(-,root,root)
+%{_libdir}/libsepol.so.*
+
+%files devel
+%defattr(-,root,root)
+%{_libdir}/libsepol.so
+%{_mandir}/man3/*.3%{ext_man}
+%{_includedir}/sepol/
+%{_libdir}/pkgconfig/libsepol.pc
+
+%files devel-static
+%defattr(-,root,root)
+%{_libdir}/libsepol.a
+
+%changelog