Sync with Fedora Rawhide
- deprecate security_disable(3) - fix swig bindings for 4.3.0 Resolves: RHEL-64293 [skip changelog]
parent
ff3f9cdc7d
commit
0bbd6a4b3a
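--- a/0005-libselinux-deprecate-security_disable-3.patch
+++ b/0005-libselinux-deprecate-security_disable-3.patch
@@ -0,0 +1,95 @@
+From b4b002ffef9431cc3af8409a32e243cd7b057feb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sun, 23 Jun 2024 14:26:04 +0200
+Subject: [PATCH] libselinux: deprecate security_disable(3)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The runtime disable functionality has been removed in Linux 6.4. Thus
+security_disable(3) will no longer work on these kernels.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+libselinux/include/selinux/selinux.h | 6 +++++-
+libselinux/man/man3/security_disable.3 | 3 ++-
+libselinux/src/load_policy.c | 2 ++
+libselinux/src/selinux_internal.h | 18 ++++++++++++++++++
+4 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index 61c1422b..1318a66a 100644
+--- a/libselinux/include/selinux/selinux.h
++++ b/libselinux/include/selinux/selinux.h
+@@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
+/* Get the checkreqprot value */
+extern int security_get_checkreqprot(void);
+
+-/* Disable SELinux at runtime (must be done prior to initial policy load). */
++/* Disable SELinux at runtime (must be done prior to initial policy load).
++ Unsupported since Linux 6.4. */
++#ifdef __GNUC__
++__attribute__ ((deprecated))
++#endif
+extern int security_disable(void);
+
+/* Get the policy version number. */
+diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
+index 072923ce..5ad8b778 100644
+--- a/libselinux/man/man3/security_disable.3
++++ b/libselinux/man/man3/security_disable.3
+@@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
+and then unmounts
+.IR /sys/fs/selinux .
+.sp
+-This function can only be called at runtime and prior to the initial policy
++This function is only supported on Linux 6.3 and earlier, and can only be
++called at runtime and prior to the initial policy
+load. After the initial policy load, the SELinux kernel code cannot be disabled,
+but only placed in "permissive" mode by using
+.BR security_setenforce(3).
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 57d7aaef..dc1e4b6e 100644
+--- a/libselinux/src/load_policy.c
++++ b/libselinux/src/load_policy.c
+@@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
+
+if (seconfig == -1) {
+/* Runtime disable of SELinux. */
++ IGNORE_DEPRECATED_DECLARATION_BEGIN
+rc = security_disable();
++ IGNORE_DEPRECATED_DECLARATION_END
+if (rc == 0) {
+/* Successfully disabled, so umount selinuxfs too. */
+umount(selinux_mnt);
+diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
+index b134808e..450a42c2 100644
+--- a/libselinux/src/selinux_internal.h
++++ b/libselinux/src/selinux_internal.h
+@@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
+#define ignore_unsigned_overflow_
+#endif
+
++/* Ignore usage of deprecated declaration */
++#ifdef __clang__
++#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
++ _Pragma("clang diagnostic push") \
++ _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
++#define IGNORE_DEPRECATED_DECLARATION_END \
++ _Pragma("clang diagnostic pop")
++#elif defined __GNUC__
++#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
++ _Pragma("GCC diagnostic push") \
++ _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
++#define IGNORE_DEPRECATED_DECLARATION_END \
++ _Pragma("GCC diagnostic pop")
++#else
++#define IGNORE_DEPRECATED_DECLARATION_BEGIN
++#define IGNORE_DEPRECATED_DECLARATION_END
++#endif
++
+#endif /* SELINUX_INTERNAL_H_ */
+--
+2.46.0
+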
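Review bot: The deprecation text added to `selinux.h` and `security_disable.3` says the call is unsupported since Linux 6.4 but names no replacement, and the `selinux_init_load_policy()` hunk in `load_policy.c` keeps calling `security_disable()` with the warning silenced and no explanation. On a 6.4+ kernel that call can be expected to fail, so a host configured with `SELINUX=disabled` presumably takes the non-zero `rc` path, which lies outside the hunk; an administrator who assumes that setting turns SELinux off should be able to read the real outcome from the docs. I would extend the header comment to `Unsupported since Linux 6.4; to disable SELinux, boot with selinux=0 on the kernel command line.` and mirror that sentence in the man page. Above `IGNORE_DEPRECATED_DECLARATION_BEGIN` I would add `/* Still attempted for kernels before 6.4; expected to fail on newer ones. */` so the suppression is not mistaken for an oversight.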
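--- a/0006-libselinux-fix-swig-bindings-for-4.3.0.patch
+++ b/0006-libselinux-fix-swig-bindings-for-4.3.0.patch
@@ -0,0 +1,86 @@
+From 2ce1276a0476c7c44d3dad0423f1fde3a0f6d2ce Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Wed, 16 Oct 2024 19:57:10 +0200
+Subject: [PATCH] libselinux: fix swig bindings for 4.3.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+https://github.com/swig/swig/blob/master/CHANGES.current
+
+"[Python] #2907 Fix returning null from functions with output
+parameters. Ensures OUTPUT and INOUT typemaps are handled
+consistently wrt return type.
+
+New declaration of SWIG_Python_AppendOutput is now:
+
+SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void);
+
+The 3rd parameter is new and the new $isvoid special variable
+should be passed to it, indicating whether or not the wrapped
+function returns void.
+
+Also consider replacing with:
+
+SWIG_AppendOutput(PyObject* result, PyObject* obj);
+
+which calls SWIG_Python_AppendOutput with same parameters but adding $isvoid
+for final parameter."
+
+Fixes: https://github.com/SELinuxProject/selinux/issues/447
+
+selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user’:
+selinuxswig_python_wrap.c:11499:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
+11499 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
+| ^~~~~~~~~~~~~~~~~~~~~~~~
+selinuxswig_python_wrap.c:1248:1: note: declared here
+1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
+| ^~~~~~~~~~~~~~~~~~~~~~~~
+selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user_raw’:
+selinuxswig_python_wrap.c:11570:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
+11570 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
+| ^~~~~~~~~~~~~~~~~~~~~~~~
+selinuxswig_python_wrap.c:1248:1: note: declared here
+1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
+| ^~~~~~~~~~~~~~~~~~~~~~~~
+selinuxswig_python_wrap.c: In function ‘_wrap_security_get_boolean_names’:
+selinuxswig_python_wrap.c:12470:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
+12470 | resultobj = SWIG_Python_AppendOutput(resultobj, list);
+| ^~~~~~~~~~~~~~~~~~~~~~~~
+selinuxswig_python_wrap.c:1248:1: note: declared here
+1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
+| ^~~~~~~~~~~~~~~~~~~~~~~~
+error: command '/usr/bin/gcc' failed with exit code 1
+
+Suggested-by: Jitka Plesnikova <jplesnik@redhat.com>
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+libselinux/src/selinuxswig_python.i | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
+index 17e03b9e36a5..03ed296d5b85 100644
+--- a/libselinux/src/selinuxswig_python.i
++++ b/libselinux/src/selinuxswig_python.i
+@@ -71,7 +71,7 @@ def install(src, dest):
+for (i = 0; i < *$2; i++) {
+PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
+}
+- $result = SWIG_Python_AppendOutput($result, list);
++ $result = SWIG_AppendOutput($result, list);
+}
+
+/* return a sid along with the result */
+@@ -108,7 +108,7 @@ def install(src, dest):
+plist = PyList_New(0);
+}
+
+- $result = SWIG_Python_AppendOutput($result, plist);
++ $result = SWIG_AppendOutput($result, plist);
+}
+
+/* Makes functions in get_context_list.h return a Python list of contexts */
+--
+2.47.0
+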
@ -1,3 +1,7 @@
|
|||||||
|
* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-3
|
||||||
|
- restorecon: Include <selinux/label.h> (RHEL-53852)
|
||||||
|
- Fix integer comparison issues when compiling for 32-bit
|
||||||
|
|
||||||
* Tue Jul 09 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-2
|
* Tue Jul 09 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-2
|
||||||
- set free'd data to NULL (#2295428)
|
- set free'd data to NULL (#2295428)
|
||||||
|
|
||||||
|
@ -23,6 +23,8 @@ Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
|
|||||||
Patch0002: 0002-libselinux-set-free-d-data-to-NULL.patch
|
Patch0002: 0002-libselinux-set-free-d-data-to-NULL.patch
|
||||||
Patch0003: 0003-libselinux-restorecon-Include-selinux-label.h.patch
|
Patch0003: 0003-libselinux-restorecon-Include-selinux-label.h.patch
|
||||||
Patch0004: 0004-libselinux-Fix-integer-comparison-issues-when-compil.patch
|
Patch0004: 0004-libselinux-Fix-integer-comparison-issues-when-compil.patch
|
||||||
|
Patch0005: 0005-libselinux-deprecate-security_disable-3.patch
|
||||||
|
Patch0006: 0006-libselinux-fix-swig-bindings-for-4.3.0.patch
|
||||||
# Patch list end
|
# Patch list end
|
||||||
BuildRequires: gcc make
|
BuildRequires: gcc make
|
||||||
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel
|
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel
|
||||||
@ -221,8 +223,4 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
|
|||||||
%{ruby_vendorarchdir}/selinux.so
|
%{ruby_vendorarchdir}/selinux.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-3
|
|
||||||
- restorecon: Include <selinux/label.h> (RHEL-53852)
|
|
||||||
- Fix integer comparison issues when compiling for 32-bit
|
|
||||||
|
|
||||||
%autochangelog
|
%autochangelog
|
||||||
|