From 0bbd6a4b3aa6f00c99040ae6ab280d19416ee53d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Thu, 17 Oct 2024 08:44:31 +0200
Subject: [PATCH] Sync with Fedora Rawhide - deprecate security_disable(3) - fix swig bindings for 4.3.0 Resolves: RHEL-64293 [skip changelog]
---
 ...selinux-deprecate-security_disable-3.patch | 95 +++++++++++++++++++
 ...bselinux-fix-swig-bindings-for-4.3.0.patch | 86 +++++++++++++++++
 changelog | 4 +
 libselinux.spec | 6 +-
 4 files changed, 187 insertions(+), 4 deletions(-)
 create mode 100644 0005-libselinux-deprecate-security_disable-3.patch
 create mode 100644 0006-libselinux-fix-swig-bindings-for-4.3.0.patch
diff --git a/0005-libselinux-deprecate-security_disable-3.patch b/0005-libselinux-deprecate-security_disable-3.patch
new file mode 100644
index 0000000..fe7f217
--- /dev/null
+++ b/0005-libselinux-deprecate-security_disable-3.patch
@@ -0,0 +1,95 @@
+From b4b002ffef9431cc3af8409a32e243cd7b057feb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Sun, 23 Jun 2024 14:26:04 +0200
+Subject: [PATCH] libselinux: deprecate security_disable(3)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The runtime disable functionality has been removed in Linux 6.4. Thus
+security_disable(3) will no longer work on these kernels.
+
+Signed-off-by: Christian Göttsche
+Acked-by: James Carter
+---
+ libselinux/include/selinux/selinux.h | 6 +++++-
+ libselinux/man/man3/security_disable.3 | 3 ++-
+ libselinux/src/load_policy.c | 2 ++
+ libselinux/src/selinux_internal.h | 18 ++++++++++++++++++
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index 61c1422b..1318a66a 100644
+--- a/libselinux/include/selinux/selinux.h
++++ b/libselinux/include/selinux/selinux.h
+@@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
+ /* Get the checkreqprot value */
+ extern int security_get_checkreqprot(void);
+
+-/* Disable SELinux at runtime (must be done prior to initial policy load). */
++/* Disable SELinux at runtime (must be done prior to initial policy load).
++ Unsupported since Linux 6.4. */
++#ifdef __GNUC__
++__attribute__ ((deprecated))
++#endif
+ extern int security_disable(void);
+
+ /* Get the policy version number. */
+diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
+index 072923ce..5ad8b778 100644
+--- a/libselinux/man/man3/security_disable.3
++++ b/libselinux/man/man3/security_disable.3
+@@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
+ and then unmounts
+ .IR /sys/fs/selinux .
+ .sp
+-This function can only be called at runtime and prior to the initial policy
++This function is only supported on Linux 6.3 and earlier, and can only be
++called at runtime and prior to the initial policy
+ load. After the initial policy load, the SELinux kernel code cannot be disabled,
+ but only placed in "permissive" mode by using
+ .BR security_setenforce(3).
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 57d7aaef..dc1e4b6e 100644
+--- a/libselinux/src/load_policy.c
++++ b/libselinux/src/load_policy.c
+@@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
+
+ if (seconfig == -1) {
+ /* Runtime disable of SELinux. */
++ IGNORE_DEPRECATED_DECLARATION_BEGIN
+ rc = security_disable();
++ IGNORE_DEPRECATED_DECLARATION_END
+ if (rc == 0) {
+ /* Successfully disabled, so umount selinuxfs too. */
+ umount(selinux_mnt);
+diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
+index b134808e..450a42c2 100644
+--- a/libselinux/src/selinux_internal.h
++++ b/libselinux/src/selinux_internal.h
+@@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
+ #define ignore_unsigned_overflow_
+ #endif
+
++/* Ignore usage of deprecated declaration */
++#ifdef __clang__
++#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
++ _Pragma("clang diagnostic push") \
++ _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
++#define IGNORE_DEPRECATED_DECLARATION_END \
++ _Pragma("clang diagnostic pop")
++#elif defined __GNUC__
++#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
++ _Pragma("GCC diagnostic push") \
++ _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
++#define IGNORE_DEPRECATED_DECLARATION_END \
++ _Pragma("GCC diagnostic pop")
++#else
++#define IGNORE_DEPRECATED_DECLARATION_BEGIN
++#define IGNORE_DEPRECATED_DECLARATION_END
++#endif
++
+ #endif /* SELINUX_INTERNAL_H_ */
+--
+2.46.0
+
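Review bot: The deprecation attribute added to `security_disable` in the selinux.h hunk carries no message, so a caller only gets a generic "deprecated" warning and has to find the header comment to learn why; GCC and clang both accept the message form, `__attribute__ ((deprecated("runtime disable was removed in Linux 6.4")))`, which puts the kernel cut-off straight into the diagnostic. In the load_policy.c hunk the wrapped call still treats `if (rc == 0)` as the only checked outcome, so on a 6.4+ kernel where `security_disable()` now fails execution continues past the hunk; the rest of `selinux_init_load_policy` is outside this hunk, so it is worth confirming that the failure path reports that SELinux could not be disabled rather than proceeding as if it had been. The `IGNORE_DEPRECATED_DECLARATION_*` macros test `__clang__` before `__GNUC__`, which is the right order given that clang defines both.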
diff --git a/0006-libselinux-fix-swig-bindings-for-4.3.0.patch b/0006-libselinux-fix-swig-bindings-for-4.3.0.patch
new file mode 100644
index 0000000..6caa6d6
--- /dev/null
+++ b/0006-libselinux-fix-swig-bindings-for-4.3.0.patch
@@ -0,0 +1,86 @@
+From 2ce1276a0476c7c44d3dad0423f1fde3a0f6d2ce Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 16 Oct 2024 19:57:10 +0200
+Subject: [PATCH] libselinux: fix swig bindings for 4.3.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+https://github.com/swig/swig/blob/master/CHANGES.current
+
+"[Python] #2907 Fix returning null from functions with output
+parameters. Ensures OUTPUT and INOUT typemaps are handled
+consistently wrt return type.
+
+New declaration of SWIG_Python_AppendOutput is now:
+
+ SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void);
+
+The 3rd parameter is new and the new $isvoid special variable
+should be passed to it, indicating whether or not the wrapped
+function returns void.
+
+Also consider replacing with:
+
+ SWIG_AppendOutput(PyObject* result, PyObject* obj);
+
+which calls SWIG_Python_AppendOutput with same parameters but adding $isvoid
+for final parameter."
+
+Fixes: https://github.com/SELinuxProject/selinux/issues/447
+
+ selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user’:
+ selinuxswig_python_wrap.c:11499:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
+ 11499 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~
+ selinuxswig_python_wrap.c:1248:1: note: declared here
+ 1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
+ | ^~~~~~~~~~~~~~~~~~~~~~~~
+ selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user_raw’:
+ selinuxswig_python_wrap.c:11570:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
+ 11570 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~
+ selinuxswig_python_wrap.c:1248:1: note: declared here
+ 1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
+ | ^~~~~~~~~~~~~~~~~~~~~~~~
+ selinuxswig_python_wrap.c: In function ‘_wrap_security_get_boolean_names’:
+ selinuxswig_python_wrap.c:12470:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
+ 12470 | resultobj = SWIG_Python_AppendOutput(resultobj, list);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~
+ selinuxswig_python_wrap.c:1248:1: note: declared here
+ 1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
+ | ^~~~~~~~~~~~~~~~~~~~~~~~
+ error: command '/usr/bin/gcc' failed with exit code 1
+
+Suggested-by: Jitka Plesnikova
+Signed-off-by: Petr Lautrbach
+---
+ libselinux/src/selinuxswig_python.i | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
+index 17e03b9e36a5..03ed296d5b85 100644
+--- a/libselinux/src/selinuxswig_python.i
++++ b/libselinux/src/selinuxswig_python.i
+@@ -71,7 +71,7 @@ def install(src, dest):
+ for (i = 0; i < *$2; i++) {
+ PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
+ }
+- $result = SWIG_Python_AppendOutput($result, list);
++ $result = SWIG_AppendOutput($result, list);
+ }
+
+ /* return a sid along with the result */
+@@ -108,7 +108,7 @@ def install(src, dest):
+ plist = PyList_New(0);
+ }
+
+- $result = SWIG_Python_AppendOutput($result, plist);
++ $result = SWIG_AppendOutput($result, plist);
+ }
+
+ /* Makes functions in get_context_list.h return a Python list of contexts */
+--
+2.47.0
+
diff --git a/changelog b/changelog
index f3f2284..5a69385 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,7 @@
+* Fri Aug 09 2024 Vit Mojzis - 3.7-3
+- restorecon: Include (RHEL-53852)
+- Fix integer comparison issues when compiling for 32-bit
+
 * Tue Jul 09 2024 Petr Lautrbach - 3.7-2
 - set free'd data to NULL (#2295428)
diff --git a/libselinux.spec b/libselinux.spec
index a353fa8..ef1ce74 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -23,6 +23,8 @@ Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
 Patch0002: 0002-libselinux-set-free-d-data-to-NULL.patch
 Patch0003: 0003-libselinux-restorecon-Include-selinux-label.h.patch
 Patch0004: 0004-libselinux-Fix-integer-comparison-issues-when-compil.patch
+Patch0005: 0005-libselinux-deprecate-security_disable-3.patch
+Patch0006: 0006-libselinux-fix-swig-bindings-for-4.3.0.patch
 # Patch list end
 BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel
@@ -221,8 +223,4 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{ruby_vendorarchdir}/selinux.so
 %changelog
-* Fri Aug 09 2024 Vit Mojzis - 3.7-3
-- restorecon: Include (RHEL-53852)
-- Fix integer comparison issues when compiling for 32-bit
-
 %autochangelog
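Review bot: `SWIG_AppendOutput`, substituted in both typemap hunks, is the helper the quoted SWIG changelog introduces together with the three-argument `SWIG_Python_AppendOutput`, so if it is not defined by the older SWIG releases this package may still be built against, wrapper generation will fail there exactly as it failed on 4.3.0 before this fix. A three-line guard in a `%{ … %}` block ahead of the typemaps in selinuxswig_python.i, `#ifndef SWIG_AppendOutput` / `#define SWIG_AppendOutput(r, o) SWIG_Python_AppendOutput(r, o)` / `#endif`, keeps the two-argument call on older SWIG and the `$isvoid`-aware one on 4.3.0 and later. The `BuildRequires: ... swig` line shown as context in the libselinux.spec hunk of this commit carries no version floor, so either that guard or an explicit `swig >= 4.3.0` floor is needed for the build to behave the same on every SWIG the spec admits. Both typemaps begin outside their inner hunks, so the surrounding typemap bodies are not visible here.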