Update libselinux-rhat.patch from abdc02a720

-  is_selinux_enabled: Add /etc/selinux/config test (#1219045)
 -  matchpathcon/selabel_file: Fix man pages (#1219718)

libselinux-rhat.patch

@@ -528,6 +528,107 @@ index 4dd8f30..26086d9 100644
  .SH "RETURN VALUE"
  On error \-1 is returned.
  On success 0 is returned.
+diff --git libselinux-2.3/man/man3/matchpathcon.3 libselinux-2.3/man/man3/matchpathcon.3
+index 1bc7ba1..177f15d 100644
+--- libselinux-2.3/man/man3/matchpathcon.3
++++ libselinux-2.3/man/man3/matchpathcon.3
+@@ -7,7 +7,7 @@ matchpathcon, matchpathcon_index \- get the default SELinux security context for
+ .sp
+ .BI "int matchpathcon_init(const char *" path ");"
+ .sp
+-.BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");"
++.BI "int matchpathcon_init_prefix(const char *" path ", const char *" prefix ");"
+ .sp
+ .BI "int matchpathcon_fini(void);"
+ .sp
+@@ -16,6 +16,24 @@ matchpathcon, matchpathcon_index \- get the default SELinux security context for
+ .BI "int matchpathcon_index(const char *" name ", mode_t " mode ", char **" con ");"
+ .
+ .SH "DESCRIPTION"
++
++This family of functions is deprecated.  For new code, please use
++.BR selabel_open (3)
++with the
++.B SELABEL_CTX_FILE
++backend in place of
++.BR matchpathcon_init (),
++use
++.BR selabel_close (3)
++in place of
++.BR matchpathcon_fini (),
++and use
++.BR selabel_lookup (3)
++in place of
++.BR matchpathcon ().
++
++The remaining description below is for the legacy interface.
++
+ .BR matchpathcon_init ()
+ loads the file contexts configuration specified by
+ .I path
+@@ -41,9 +59,16 @@ customizations.
+ .BR matchpathcon_init_prefix ()
+ is the same as
+ .BR matchpathcon_init ()
+-but only loads entries with regular expressions that have stems prefixed
+-by
+-.I \%prefix.
++but only loads entries with regular expressions whose first pathname
++component is a prefix of
++.I \%prefix
++, e.g. pass "/dev" if you only intend to call
++.BR matchpathcon ()
++with pathnames beginning with /dev.
++However, this optimization is no longer necessary due to the use of
++.I file_contexts.bin
++files with precompiled regular expressions, so use of this interface
++is deprecated.
+ 
+ .BR matchpathcon_fini ()
+ frees the memory allocated by a prior call to
+@@ -54,7 +79,17 @@ calls, or to free memory when finished using
+ .BR matchpathcon ().
+ 
+ .BR matchpathcon ()
+-matches the specified pathname and mode against the file contexts
++matches the specified
++.I pathname,
++after transformation via
++.BR realpath (3)
++excepting any final symbolic link component if S_IFLNK was
++specified as the
++.I mode,
++and
++.I mode
++against the
++.I file contexts
+ configuration and sets the security context 
+ .I con 
+ to refer to the
+diff --git libselinux-2.3/man/man5/selabel_file.5 libselinux-2.3/man/man5/selabel_file.5
+index 79eca95..e738824 100644
+--- libselinux-2.3/man/man5/selabel_file.5
++++ libselinux-2.3/man/man5/selabel_file.5
+@@ -55,7 +55,9 @@ A non-null value for this option specifies a path to a file that will be opened
+ A non-null value for this option indicates that any local customizations to the file contexts mapping should be ignored.
+ .TP
+ .B SELABEL_OPT_SUBSET
+-A non-null value for this option is interpreted as a path prefix, for example "/etc".  Only file context specifications starting with the given prefix are loaded.  This may increase lookup performance, however any attempt to look up a path not starting with the given prefix will fail.
++A non-null value for this option is interpreted as a path prefix, for example "/etc".  Only file context specifications with starting with a first component that prefix matches the given prefix are loaded.  This may increase lookup performance, however any attempt to look up a path not starting with the given prefix may fail.  This optimization is no longer required due to the use of
++.I file_contexts.bin
++files and is deprecated.
+ .RE
+ .
+ .SH "FILES"
+@@ -206,7 +208,7 @@ component with \fI/var/www\fR, therefore the path used is:
+ If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If this is not set, then it is possible for an invalid context to be returned.
+ .IP "2." 4
+ If the size of file contexts series of files contain many entries, then \fBselabel_open\fR(3) may have a delay as it reads in the files, and if
+-requested validates the entries. If possible use the \fBSELABEL_OPT_SUBSET\fR option to reduce the number of entries processed.
++requested validates the entries.
+ .IP "3." 4
+ Depending on the version of SELinux it is possible that a \fIfile_contexts.template\fR file may also be present, however this is now deprecated.
+ .br
 diff --git libselinux-2.3/man/man8/selinux.8 libselinux-2.3/man/man8/selinux.8
 index e89b1ef..fd20363 100644
 --- libselinux-2.3/man/man8/selinux.8
@@ -760,10 +861,10 @@ index b37c5d3..7703c26 100644
  	fd = open(path, O_RDWR);
  	if (fd < 0)
 diff --git libselinux-2.3/src/enabled.c libselinux-2.3/src/enabled.c
-index 5c252dd..1731ac3 100644
+index 5c252dd..bb659a9 100644
 --- libselinux-2.3/src/enabled.c
 +++ libselinux-2.3/src/enabled.c
-@@ -11,26 +11,10 @@
+@@ -11,26 +11,14 @@
  
  int is_selinux_enabled(void)
  {
@@ -787,7 +888,11 @@ index 5c252dd..1731ac3 100644
 -        }
 -
 -	return enabled;
++#ifdef ANDROID
 +	return (selinux_mnt ? 1 : 0);
++#else
++	return (selinux_mnt && has_selinux_config);
++#endif
  }
  
  hidden_def(is_selinux_enabled)
@@ -822,6 +927,29 @@ index 52707d0..0cbe12d 100644
  	if (rc < 0 && errno == ENOTSUP) {
  		char * ccontext = NULL;
  		int err = errno;
+diff --git libselinux-2.3/src/init.c libselinux-2.3/src/init.c
+index 6d1ef33..3c687a2 100644
+--- libselinux-2.3/src/init.c
++++ libselinux-2.3/src/init.c
+@@ -21,6 +21,8 @@ char *selinux_mnt = NULL;
+ int selinux_page_size = 0;
+ int obj_class_compat = 1;
+ 
++int has_selinux_config = 0;
++
+ /* Verify the mount point for selinux file system has a selinuxfs.
+    If the file system:
+    * Exist,
+@@ -151,6 +153,9 @@ static void init_lib(void)
+ {
+ 	selinux_page_size = sysconf(_SC_PAGE_SIZE);
+ 	init_selinuxmnt();
++#ifndef ANDROID
++	has_selinux_config = (access(SELINUXCONFIG, F_OK) == 0);
++#endif
+ }
+ 
+ static void fini_lib(void) __attribute__ ((destructor));
 diff --git libselinux-2.3/src/label_android_property.c libselinux-2.3/src/label_android_property.c
 index b00eb07..5e1b76e 100644
 --- libselinux-2.3/src/label_android_property.c
@@ -1010,10 +1138,19 @@ index 3b96b1d..3868711 100644
  			} else {
  				COMPAT_LOG(SELINUX_WARNING,
 diff --git libselinux-2.3/src/selinux_config.c libselinux-2.3/src/selinux_config.c
-index 30e9dc7..1bfe500 100644
+index 30e9dc7..bec5f3b 100644
 --- libselinux-2.3/src/selinux_config.c
 +++ libselinux-2.3/src/selinux_config.c
-@@ -50,8 +50,9 @@
+@@ -13,8 +13,6 @@
+ #include "selinux_internal.h"
+ #include "get_default_type_internal.h"
+ 
+-#define SELINUXDIR "/etc/selinux/"
+-#define SELINUXCONFIG SELINUXDIR "config"
+ #define SELINUXDEFAULT "targeted"
+ #define SELINUXTYPETAG "SELINUXTYPE="
+ #define SELINUXTAG "SELINUX="
+@@ -50,8 +48,9 @@
  #define FILE_CONTEXT_SUBS_DIST 25
  #define LXC_CONTEXTS      26
  #define BOOLEAN_SUBS      27
@@ -1025,7 +1162,7 @@ index 30e9dc7..1bfe500 100644
  
  /* Part of one-time lazy init */
  static pthread_once_t once = PTHREAD_ONCE_INIT;
-@@ -493,6 +494,13 @@ const char *selinux_lxc_contexts_path(void)
+@@ -493,6 +492,13 @@ const char *selinux_lxc_contexts_path(void)
  
  hidden_def(selinux_lxc_contexts_path)
  
@@ -1040,7 +1177,7 @@ index 30e9dc7..1bfe500 100644
  {
  	return get_path(SYSTEMD_CONTEXTS);
 diff --git libselinux-2.3/src/selinux_internal.h libselinux-2.3/src/selinux_internal.h
-index afb2170..fe8eb67 100644
+index afb2170..9b1ca4d 100644
 --- libselinux-2.3/src/selinux_internal.h
 +++ libselinux-2.3/src/selinux_internal.h
 @@ -82,6 +82,7 @@ hidden_proto(selinux_mkload_policy)
@@ -1051,6 +1188,15 @@ index afb2170..fe8eb67 100644
      hidden_proto(selinux_sepgsql_context_path)
      hidden_proto(selinux_systemd_contexts_path)
      hidden_proto(selinux_path)
+@@ -137,3 +138,8 @@ extern int selinux_page_size hidden;
+ 		if (pthread_setspecific != NULL)		\
+ 			pthread_setspecific(KEY, VALUE);	\
+ 	} while (0)
++
++#define SELINUXDIR "/etc/selinux/"
++#define SELINUXCONFIG SELINUXDIR "config"
++
++extern int has_selinux_config hidden;
 diff --git libselinux-2.3/src/selinuxswig_python.i libselinux-2.3/src/selinuxswig_python.i
 index ae72246..c9a2341 100644
 --- libselinux-2.3/src/selinuxswig_python.i

libselinux.spec

@@ -18,7 +18,7 @@ Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
 # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
-# https://github.com/fedora-selinux/selinux/commit/4395ef2b8bb086878b5fad80321ac9d32f424f51
+# HEAD https://github.com/fedora-selinux/selinux/commit/abdc02a720ed5ff430887758ec254b104f2d727d
 Patch1: libselinux-rhat.patch
 BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
 %if 0%{?with_python3}