Sync with Fedora Rawhide

- deprecate security_disable(3)
- fix swig bindings for 4.3.0

Resolves: RHEL-64293

[skip changelog]
This commit is contained in:
Petr Lautrbach 2024-10-17 08:44:31 +02:00
parent ff3f9cdc7d
commit 0bbd6a4b3a
4 changed files with 187 additions and 4 deletions

View File

@ -0,0 +1,95 @@
From b4b002ffef9431cc3af8409a32e243cd7b057feb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Sun, 23 Jun 2024 14:26:04 +0200
Subject: [PATCH] libselinux: deprecate security_disable(3)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The runtime disable functionality has been removed in Linux 6.4. Thus
security_disable(3) will no longer work on these kernels.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
libselinux/include/selinux/selinux.h | 6 +++++-
libselinux/man/man3/security_disable.3 | 3 ++-
libselinux/src/load_policy.c | 2 ++
libselinux/src/selinux_internal.h | 18 ++++++++++++++++++
4 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 61c1422b..1318a66a 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
/* Get the checkreqprot value */
extern int security_get_checkreqprot(void);
-/* Disable SELinux at runtime (must be done prior to initial policy load). */
+/* Disable SELinux at runtime (must be done prior to initial policy load).
+ Unsupported since Linux 6.4. */
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
extern int security_disable(void);
/* Get the policy version number. */
diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
index 072923ce..5ad8b778 100644
--- a/libselinux/man/man3/security_disable.3
+++ b/libselinux/man/man3/security_disable.3
@@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
and then unmounts
.IR /sys/fs/selinux .
.sp
-This function can only be called at runtime and prior to the initial policy
+This function is only supported on Linux 6.3 and earlier, and can only be
+called at runtime and prior to the initial policy
load. After the initial policy load, the SELinux kernel code cannot be disabled,
but only placed in "permissive" mode by using
.BR security_setenforce(3).
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 57d7aaef..dc1e4b6e 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
if (seconfig == -1) {
/* Runtime disable of SELinux. */
+ IGNORE_DEPRECATED_DECLARATION_BEGIN
rc = security_disable();
+ IGNORE_DEPRECATED_DECLARATION_END
if (rc == 0) {
/* Successfully disabled, so umount selinuxfs too. */
umount(selinux_mnt);
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index b134808e..450a42c2 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
#define ignore_unsigned_overflow_
#endif
+/* Ignore usage of deprecated declaration */
+#ifdef __clang__
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
+ _Pragma("clang diagnostic push") \
+ _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
+#define IGNORE_DEPRECATED_DECLARATION_END \
+ _Pragma("clang diagnostic pop")
+#elif defined __GNUC__
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
+ _Pragma("GCC diagnostic push") \
+ _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
+#define IGNORE_DEPRECATED_DECLARATION_END \
+ _Pragma("GCC diagnostic pop")
+#else
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN
+#define IGNORE_DEPRECATED_DECLARATION_END
+#endif
+
#endif /* SELINUX_INTERNAL_H_ */
--
2.46.0

View File

@ -0,0 +1,86 @@
From 2ce1276a0476c7c44d3dad0423f1fde3a0f6d2ce Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Wed, 16 Oct 2024 19:57:10 +0200
Subject: [PATCH] libselinux: fix swig bindings for 4.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
https://github.com/swig/swig/blob/master/CHANGES.current
"[Python] #2907 Fix returning null from functions with output
parameters. Ensures OUTPUT and INOUT typemaps are handled
consistently wrt return type.
New declaration of SWIG_Python_AppendOutput is now:
SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void);
The 3rd parameter is new and the new $isvoid special variable
should be passed to it, indicating whether or not the wrapped
function returns void.
Also consider replacing with:
SWIG_AppendOutput(PyObject* result, PyObject* obj);
which calls SWIG_Python_AppendOutput with same parameters but adding $isvoid
for final parameter."
Fixes: https://github.com/SELinuxProject/selinux/issues/447
selinuxswig_python_wrap.c: In function _wrap_security_compute_user:
selinuxswig_python_wrap.c:11499:17: error: too few arguments to function SWIG_Python_AppendOutput
11499 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c: In function _wrap_security_compute_user_raw:
selinuxswig_python_wrap.c:11570:17: error: too few arguments to function SWIG_Python_AppendOutput
11570 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c: In function _wrap_security_get_boolean_names:
selinuxswig_python_wrap.c:12470:17: error: too few arguments to function SWIG_Python_AppendOutput
12470 | resultobj = SWIG_Python_AppendOutput(resultobj, list);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
error: command '/usr/bin/gcc' failed with exit code 1
Suggested-by: Jitka Plesnikova <jplesnik@redhat.com>
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
libselinux/src/selinuxswig_python.i | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
index 17e03b9e36a5..03ed296d5b85 100644
--- a/libselinux/src/selinuxswig_python.i
+++ b/libselinux/src/selinuxswig_python.i
@@ -71,7 +71,7 @@ def install(src, dest):
for (i = 0; i < *$2; i++) {
PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
}
- $result = SWIG_Python_AppendOutput($result, list);
+ $result = SWIG_AppendOutput($result, list);
}
/* return a sid along with the result */
@@ -108,7 +108,7 @@ def install(src, dest):
plist = PyList_New(0);
}
- $result = SWIG_Python_AppendOutput($result, plist);
+ $result = SWIG_AppendOutput($result, plist);
}
/* Makes functions in get_context_list.h return a Python list of contexts */
--
2.47.0

View File

@ -1,3 +1,7 @@
* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-3
- restorecon: Include <selinux/label.h> (RHEL-53852)
- Fix integer comparison issues when compiling for 32-bit
* Tue Jul 09 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-2
- set free'd data to NULL (#2295428)

View File

@ -23,6 +23,8 @@ Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
Patch0002: 0002-libselinux-set-free-d-data-to-NULL.patch
Patch0003: 0003-libselinux-restorecon-Include-selinux-label.h.patch
Patch0004: 0004-libselinux-Fix-integer-comparison-issues-when-compil.patch
Patch0005: 0005-libselinux-deprecate-security_disable-3.patch
Patch0006: 0006-libselinux-fix-swig-bindings-for-4.3.0.patch
# Patch list end
BuildRequires: gcc make
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel
@ -221,8 +223,4 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{ruby_vendorarchdir}/selinux.so
%changelog
* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-3
- restorecon: Include <selinux/label.h> (RHEL-53852)
- Fix integer comparison issues when compiling for 32-bit
%autochangelog