Sync with Fedora Rawhide

- deprecate security_disable(3) - fix swig bindings for 4.3.0 Resolves: RHEL-64293 [skip changelog]
2024-10-17 08:44:31 +02:00 · 2024-10-17 08:44:31 +02:00 · 0bbd6a4b3a
commit 0bbd6a4b3a
parent ff3f9cdc7d
4 changed files with 187 additions and 4 deletions
--- a/0005-libselinux-deprecate-security_disable-3.patch
+++ b/0005-libselinux-deprecate-security_disable-3.patch
@ -0,0 +1,95 @@
+From b4b002ffef9431cc3af8409a32e243cd7b057feb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sun, 23 Jun 2024 14:26:04 +0200
+Subject: [PATCH] libselinux: deprecate security_disable(3)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The runtime disable functionality has been removed in Linux 6.4.  Thus
+security_disable(3) will no longer work on these kernels.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ libselinux/include/selinux/selinux.h   |  6 +++++-
+ libselinux/man/man3/security_disable.3 |  3 ++-
+ libselinux/src/load_policy.c           |  2 ++
+ libselinux/src/selinux_internal.h      | 18 ++++++++++++++++++
+ 4 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index 61c1422b..1318a66a 100644
+--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
+@@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
+ /* Get the checkreqprot value */
+ extern int security_get_checkreqprot(void);
+ 
+-/* Disable SELinux at runtime (must be done prior to initial policy load). */
+/* Disable SELinux at runtime (must be done prior to initial policy load).
+   Unsupported since Linux 6.4. */
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
+ extern int security_disable(void);
+ 
+ /* Get the policy version number. */
+diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
+index 072923ce..5ad8b778 100644
+--- a/libselinux/man/man3/security_disable.3
+++ b/libselinux/man/man3/security_disable.3
+@@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
+ and then unmounts
+ .IR /sys/fs/selinux .
+ .sp
+-This function can only be called at runtime and prior to the initial policy
+This function is only supported on Linux 6.3 and earlier, and can only be
+called at runtime and prior to the initial policy
+ load. After the initial policy load, the SELinux kernel code cannot be disabled,
+ but only placed in "permissive" mode by using
+ .BR security_setenforce(3).
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 57d7aaef..dc1e4b6e 100644
+--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
+@@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
+ 
+ 	if (seconfig == -1) {
+ 		/* Runtime disable of SELinux. */
+		IGNORE_DEPRECATED_DECLARATION_BEGIN
+ 		rc = security_disable();
+		IGNORE_DEPRECATED_DECLARATION_END
+ 		if (rc == 0) {
+ 			/* Successfully disabled, so umount selinuxfs too. */
+ 			umount(selinux_mnt);
+diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
+index b134808e..450a42c2 100644
+--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
+@@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
+ #define ignore_unsigned_overflow_
+ #endif
+ 
+/* Ignore usage of deprecated declaration */
+#ifdef __clang__
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
+	_Pragma("clang diagnostic push") \
+	_Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
+#define IGNORE_DEPRECATED_DECLARATION_END \
+	_Pragma("clang diagnostic pop")
+#elif defined __GNUC__
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
+	_Pragma("GCC diagnostic push") \
+	_Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
+#define IGNORE_DEPRECATED_DECLARATION_END \
+	_Pragma("GCC diagnostic pop")
+#else
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN
+#define IGNORE_DEPRECATED_DECLARATION_END
+#endif
+
+ #endif /* SELINUX_INTERNAL_H_ */
+-- 
+2.46.0
+
--- a/0006-libselinux-fix-swig-bindings-for-4.3.0.patch
+++ b/0006-libselinux-fix-swig-bindings-for-4.3.0.patch
@ -0,0 +1,86 @@
+From 2ce1276a0476c7c44d3dad0423f1fde3a0f6d2ce Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Wed, 16 Oct 2024 19:57:10 +0200
+Subject: [PATCH] libselinux: fix swig bindings for 4.3.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+https://github.com/swig/swig/blob/master/CHANGES.current
+
+"[Python] #2907 Fix returning null from functions with output
+parameters.  Ensures OUTPUT and INOUT typemaps are handled
+consistently wrt return type.
+
+New declaration of SWIG_Python_AppendOutput is now:
+
+  SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void);
+
+The 3rd parameter is new and the new $isvoid special variable
+should be passed to it, indicating whether or not the wrapped
+function returns void.
+
+Also consider replacing with:
+
+  SWIG_AppendOutput(PyObject* result, PyObject* obj);
+
+which calls SWIG_Python_AppendOutput with same parameters but adding $isvoid
+for final parameter."
+
+Fixes: https://github.com/SELinuxProject/selinux/issues/447
+
+    selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user’:
+    selinuxswig_python_wrap.c:11499:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
+    11499 |     resultobj = SWIG_Python_AppendOutput(resultobj, plist);
+          |                 ^~~~~~~~~~~~~~~~~~~~~~~~
+    selinuxswig_python_wrap.c:1248:1: note: declared here
+     1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
+          | ^~~~~~~~~~~~~~~~~~~~~~~~
+    selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user_raw’:
+    selinuxswig_python_wrap.c:11570:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
+    11570 |     resultobj = SWIG_Python_AppendOutput(resultobj, plist);
+          |                 ^~~~~~~~~~~~~~~~~~~~~~~~
+    selinuxswig_python_wrap.c:1248:1: note: declared here
+     1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
+          | ^~~~~~~~~~~~~~~~~~~~~~~~
+    selinuxswig_python_wrap.c: In function ‘_wrap_security_get_boolean_names’:
+    selinuxswig_python_wrap.c:12470:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
+    12470 |     resultobj = SWIG_Python_AppendOutput(resultobj, list);
+          |                 ^~~~~~~~~~~~~~~~~~~~~~~~
+    selinuxswig_python_wrap.c:1248:1: note: declared here
+     1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
+          | ^~~~~~~~~~~~~~~~~~~~~~~~
+    error: command '/usr/bin/gcc' failed with exit code 1
+
+Suggested-by: Jitka Plesnikova <jplesnik@redhat.com>
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ libselinux/src/selinuxswig_python.i | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
+index 17e03b9e36a5..03ed296d5b85 100644
+--- a/libselinux/src/selinuxswig_python.i
+++ b/libselinux/src/selinuxswig_python.i
+@@ -71,7 +71,7 @@ def install(src, dest):
+ 	for (i = 0; i < *$2; i++) {
+ 		PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
+ 	}
+-	$result = SWIG_Python_AppendOutput($result, list);
+	$result = SWIG_AppendOutput($result, list);
+ }
+ 
+ /* return a sid along with the result */
+@@ -108,7 +108,7 @@ def install(src, dest):
+ 		plist = PyList_New(0);
+ 	}
+ 
+-	$result = SWIG_Python_AppendOutput($result, plist);
+	$result = SWIG_AppendOutput($result, plist);
+ }
+ 
+ /* Makes functions in get_context_list.h return a Python list of contexts */
+-- 
+2.47.0
+
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-3
+- restorecon: Include <selinux/label.h> (RHEL-53852)
+- Fix integer comparison issues when compiling for 32-bit
+
 * Tue Jul 09 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-2
 - set free'd data to NULL (#2295428)

--- a/libselinux.spec
+++ b/libselinux.spec
@ -23,6 +23,8 @@ Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
 Patch0002: 0002-libselinux-set-free-d-data-to-NULL.patch
 Patch0003: 0003-libselinux-restorecon-Include-selinux-label.h.patch
 Patch0004: 0004-libselinux-Fix-integer-comparison-issues-when-compil.patch
+Patch0005: 0005-libselinux-deprecate-security_disable-3.patch
+Patch0006: 0006-libselinux-fix-swig-bindings-for-4.3.0.patch
 # Patch list end
 BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel
@ -221,8 +223,4 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{ruby_vendorarchdir}/selinux.so

 %changelog
-* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-3
- restorecon: Include <selinux/label.h> (RHEL-53852)
- Fix integer comparison issues when compiling for 32-bit
-
 %autochangelog