diff --git a/.gitignore b/.gitignore
index de90a81..01eae6f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libselinux-2.9.tar.gz
+libselinux-3.8.tar.gz
diff --git a/.libselinux.metadata b/.libselinux.metadata
deleted file mode 100644
index 16a9b42..0000000
--- a/.libselinux.metadata
+++ /dev/null
@@ -1 +0,0 @@
-c53911ee9da673f7653ab1afe66c0b2bf5fb5ac9 SOURCES/libselinux-2.9.tar.gz
diff --git a/0001-Use-SHA-2-instead-of-SHA-1.patch b/0001-Use-SHA-2-instead-of-SHA-1.patch
new file mode 100644
index 0000000..7ae78c2
--- /dev/null
+++ b/0001-Use-SHA-2-instead-of-SHA-1.patch
@@ -0,0 +1,1362 @@ +From 4780b755bb1171f5aa4cd7545535839d451a2070 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 30 Jul 2021 14:14:37 +0200 +Subject: [PATCH] Use SHA-2 instead of SHA-1 +Content-type: text/plain + +The use of SHA-1 in RHEL9 is deprecated +--- + libselinux/include/selinux/label.h | 6 +- + libselinux/include/selinux/restorecon.h | 4 +- + libselinux/man/man3/selabel_digest.3 | 4 +- + libselinux/man/man3/selabel_open.3 | 2 +- + libselinux/man/man3/selinux_restorecon.3 | 18 +- + .../man/man3/selinux_restorecon_xattr.3 | 2 +- + libselinux/src/Makefile | 2 +- + libselinux/src/label_file.c | 40 +-- + libselinux/src/label_internal.h | 10 +- + libselinux/src/label_support.c | 10 +- + libselinux/src/selinux_restorecon.c | 24 +- + libselinux/src/sha1.c | 223 ------------- + libselinux/src/sha1.h | 85 ----- + libselinux/src/sha256.c | 294 ++++++++++++++++++ + libselinux/src/sha256.h | 89 ++++++ + libselinux/utils/selabel_digest.c | 26 +- + .../selabel_get_digests_all_partial_matches.c | 28 +- + 17 files changed, 471 insertions(+), 396 deletions(-) + delete mode 100644 libselinux/src/sha1.c + delete mode 100644 libselinux/src/sha1.h + create mode 100644 libselinux/src/sha256.c + create mode 100644 libselinux/src/sha256.h + +diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h +index ce189a3ae2fe..ce77d32dfed1 100644 +--- a/libselinux/include/selinux/label.h ++++ b/libselinux/include/selinux/label.h +@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con, + const char *key, const char **aliases, int type); + + /** +- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to ++ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to + * generate the digest. The SELABEL_OPT_DIGEST option must + * be set in selabel_open() to initiate the digest generation. 
+ * @handle: specifies backend instance to query +- * @digest: returns a pointer to the SHA1 digest. ++ * @digest: returns a pointer to the SHA256 digest. + * @digest_len: returns length of digest in bytes. +- * @specfiles: a list of specfiles used in the SHA1 digest generation. ++ * @specfiles: a list of specfiles used in the SHA256 digest generation. + * The list is NULL terminated and will hold @num_specfiles entries. + * @num_specfiles: number of specfiles in the list. + * +diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h +index 5be6542c2a91..210f65fdb709 100644 +--- a/libselinux/include/selinux/restorecon.h ++++ b/libselinux/include/selinux/restorecon.h +@@ -43,8 +43,8 @@ extern int selinux_restorecon_parallel(const char *pathname, + * restorecon_flags options + */ + /* +- * Force the checking of labels even if the stored SHA1 digest +- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN). ++ * Force the checking of labels even if the stored SHA256 digest ++ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN). + */ + #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001 + /* +diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3 +index 56a008f00df0..5f7c42533d0e 100644 +--- a/libselinux/man/man3/selabel_digest.3 ++++ b/libselinux/man/man3/selabel_digest.3 +@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used + .BR selabel_digest () + performs an operation on the handle + .IR hnd , +-returning the results of the SHA1 digest pointed to by ++returning the results of the SHA256 digest pointed to by + .IR digest , + whose length will be + .IR digest_len . +-The list of specfiles used in the SHA1 digest calculation is returned in ++The list of specfiles used in the SHA256 digest calculation is returned in + .I specfiles + with the number of entries in + .IR num_specfiles . 
+diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3 +index 0e03e1be111e..14ab888d2e03 100644 +--- a/libselinux/man/man3/selabel_open.3 ++++ b/libselinux/man/man3/selabel_open.3 +@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via + Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation. + .TP + .B SELABEL_OPT_DIGEST +-A non-null value for this option enables the generation of an SHA1 digest of ++A non-null value for this option enables the generation of an SHA256 digest of + the spec files loaded as described in + .BR selabel_digest (3) + . +diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3 +index 218aaf6d2ae5..5f6d4b386429 100644 +--- a/libselinux/man/man3/selinux_restorecon.3 ++++ b/libselinux/man/man3/selinux_restorecon.3 +@@ -36,7 +36,7 @@ If this is a directory and the + .B SELINUX_RESTORECON_RECURSE + has been set (for descending through directories), then + .BR selinux_restorecon () +-will write an SHA1 digest of specfile entries calculated by ++will write an SHA256 digest of specfile entries calculated by + .BR selabel_get_digests_all_partial_matches (3) + to an extended attribute of + .IR security.sehash +@@ -55,7 +55,7 @@ will take place. + .br + The + .IR restorecon_flags +-that can be used to manage the usage of the SHA1 digest are: ++that can be used to manage the usage of the SHA256 digest are: + .RS + .B SELINUX_RESTORECON_SKIP_DIGEST + .br +@@ -73,8 +73,8 @@ Do not check or update any extended attribute + entries. + .sp + .B SELINUX_RESTORECON_IGNORE_DIGEST +-force the checking of labels even if the stored SHA1 digest matches the +-specfile entries SHA1 digest. The specfile entries digest will be written to the ++force the checking of labels even if the stored SHA256 digest matches the ++specfile entries SHA256 digest. 
The specfile entries digest will be written to the + .IR security.sehash + extended attribute once relabeling has been completed successfully provided the + .B SELINUX_RESTORECON_NOCHANGE +@@ -95,7 +95,7 @@ default specfile context. + .sp + .B SELINUX_RESTORECON_RECURSE + change file and directory labels recursively (descend directories) +-and if successful write an SHA1 digest of the specfile entries to an ++and if successful write an SHA256 digest of the specfile entries to an + extended attribute as described in the + .B NOTES + section. +@@ -179,12 +179,12 @@ for fetching the ignored (skipped) error count after + or + .BR selinux_restorecon_parallel (3) + completes with success. In case any errors were skipped during the file tree +-walk, the specfile entries SHA1 digest will not have been written to the ++walk, the specfile entries SHA256 digest will not have been written to the + .IR security.sehash + extended attribute. + .RE + .sp +-The behavior regarding the checking and updating of the SHA1 digest described ++The behavior regarding the checking and updating of the SHA256 digest described + above is the default behavior. It is possible to change this by first calling + .BR selabel_open (3) + and not enabling the +@@ -247,7 +247,7 @@ To improve performance when relabeling file systems recursively (e.g. 
the + .B SELINUX_RESTORECON_RECURSE + flag is set) + .BR selinux_restorecon () +-will write a calculated SHA1 digest of the specfile entries returned by ++will write a calculated SHA256 digest of the specfile entries returned by + .BR selabel_get_digests_all_partial_matches (3) + to an extended attribute named + .IR security.sehash +@@ -269,7 +269,7 @@ Should any of the specfile entries have changed, then when + .BR selinux_restorecon () + is run again with the + .B SELINUX_RESTORECON_RECURSE +-flag set, new SHA1 digests will be calculated and all files automatically ++flag set, new SHA256 digests will be calculated and all files automatically + relabeled depending on the settings of the + .B SELINUX_RESTORECON_SET_SPECFILE_CTX + flag (provided +diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3 +index c56326814b94..098c840fc59b 100644 +--- a/libselinux/man/man3/selinux_restorecon_xattr.3 ++++ b/libselinux/man/man3/selinux_restorecon_xattr.3 +@@ -119,7 +119,7 @@ By default + .BR selinux_restorecon_xattr (3) + will use the default set of specfiles described in + .BR files_contexts (5) +-to calculate the SHA1 digests to be used for comparison. ++to calculate the SHA256 digests to be used for comparison. 
+ To change this default behavior + .BR selabel_open (3) + must be called specifying the required +diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile +index 41cfbdca490c..658a4c3d80e0 100644 +--- a/libselinux/src/Makefile ++++ b/libselinux/src/Makefile +@@ -130,7 +130,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ + -DBUILD_HOST + SRCS= callbacks.c freecon.c label.c label_file.c \ + label_backends_android.c regex.c label_support.c \ +- matchpathcon.c setrans_client.c sha1.c booleans.c ++ matchpathcon.c setrans_client.c sha256.c booleans.c + LABEL_BACKEND_ANDROID=y + endif + +diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c +index 189a5ed26eb7..312bb584d6b4 100644 +--- a/libselinux/src/label_file.c ++++ b/libselinux/src/label_file.c +@@ -1780,7 +1780,7 @@ static struct lookup_result *lookup_common(struct selabel_handle *rec, + + /* + * Returns true if the digest of all partial matched contexts is the same as +- * the one saved by setxattr, otherwise returns false. The length of the SHA1 ++ * the one saved by setxattr, otherwise returns false. The length of the SHA256 + * digest will always be returned. The caller must free any returned digests. 
+ */ + static bool get_digests_all_partial_matches(struct selabel_handle *rec, +@@ -1789,39 +1789,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec, + uint8_t **xattr_digest, + size_t *digest_len) + { +- uint8_t read_digest[SHA1_HASH_SIZE]; ++ uint8_t read_digest[SHA256_HASH_SIZE]; + ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST, +- read_digest, SHA1_HASH_SIZE ++ read_digest, SHA256_HASH_SIZE + #ifdef __APPLE__ + , 0, 0 + #endif /* __APPLE __ */ + ); +- uint8_t hash_digest[SHA1_HASH_SIZE]; ++ uint8_t hash_digest[SHA256_HASH_SIZE]; + bool status = selabel_hash_all_partial_matches(rec, pathname, + hash_digest); + + *xattr_digest = NULL; + *calculated_digest = NULL; +- *digest_len = SHA1_HASH_SIZE; ++ *digest_len = SHA256_HASH_SIZE; + +- if (read_size == SHA1_HASH_SIZE) { +- *xattr_digest = calloc(1, SHA1_HASH_SIZE + 1); ++ if (read_size == SHA256_HASH_SIZE) { ++ *xattr_digest = calloc(1, SHA256_HASH_SIZE + 1); + if (!*xattr_digest) + goto oom; + +- memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE); ++ memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE); + } + + if (status) { +- *calculated_digest = calloc(1, SHA1_HASH_SIZE + 1); ++ *calculated_digest = calloc(1, SHA256_HASH_SIZE + 1); + if (!*calculated_digest) + goto oom; + +- memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE); ++ memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE); + } + +- if (status && read_size == SHA1_HASH_SIZE && +- memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0) ++ if (status && read_size == SHA256_HASH_SIZE && ++ memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0) + return true; + + return false; +@@ -1840,22 +1840,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key + return false; + } + +- Sha1Context context; +- Sha1Initialise(&context); ++ Sha256Context context; ++ Sha256Initialise(&context); + + for (const struct lookup_result *m = matches; m; m = m->next) { + const char* 
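Review bot: The `read_size == SHA256_HASH_SIZE` test in get_digests_all_partial_matches is now the only thing that separates a stored digest from no digest, so a 20-byte value left in the xattr by a SHA-1 build, a getxattr() failure and a missing attribute all leave `*xattr_digest` NULL and return false. That looks fail-safe (presumably the caller just relabels and rewrites the attribute), but nothing in the patch records it. A comment above the getxattr() call would document the migration behaviour, e.g. `/* A legacy 20-byte SHA-1 value never equals SHA256_HASH_SIZE, so it is treated as "no stored digest". */`. The function's `oom:` path lies outside the hunk, so cleanup on allocation failure was not reviewed.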
regex_str = m->regex_str; + uint8_t file_kind = m->file_kind; + const char* ctx_raw = m->lr->ctx_raw; + +- Sha1Update(&context, regex_str, strlen(regex_str) + 1); +- Sha1Update(&context, &file_kind, sizeof(file_kind)); +- Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1); ++ Sha256Update(&context, regex_str, strlen(regex_str) + 1); ++ Sha256Update(&context, &file_kind, sizeof(file_kind)); ++ Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1); + } + +- SHA1_HASH sha1_hash; +- Sha1Finalise(&context, &sha1_hash); +- memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE); ++ SHA256_HASH sha256_hash; ++ Sha256Finalise(&context, &sha256_hash); ++ memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE); + + free_lookup_result(matches); + return true; +diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h +index 743dbf9472cf..4180df92f405 100644 +--- a/libselinux/src/label_internal.h ++++ b/libselinux/src/label_internal.h +@@ -13,7 +13,7 @@ + #include + #include + #include +-#include "sha1.h" ++#include "sha256.h" + + #if defined(ANDROID) || defined(__APPLE__) + // Android and Mac do not have fgets_unlocked() +@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec, + */ + + /* +- * Calculate an SHA1 hash of all the files used to build the specs. ++ * Calculate an SHA256 hash of all the files used to build the specs. + * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To + * calculate the hash the hashbuf will hold a concatenation of all the files + * used. This is released once the value has been calculated. 
+ */ +-#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE ++#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE + #define DIGEST_FILES_MAX 8 + struct selabel_digest { +- unsigned char *digest; /* SHA1 digest of specfiles */ ++ unsigned char *digest; /* SHA256 digest of specfiles */ + unsigned char *hashbuf; /* buffer to hold specfiles */ + size_t hashbuf_size; /* buffer size */ + size_t specfile_cnt; /* how many specfiles processed */ +@@ -111,7 +111,7 @@ struct selabel_handle { + */ + char *spec_file; + +- /* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */ ++ /* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */ + struct selabel_digest *digest; + }; + +diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c +index 978ba828c159..daba26941ae7 100644 +--- a/libselinux/src/label_support.c ++++ b/libselinux/src/label_support.c +@@ -120,7 +120,7 @@ int read_spec_entries(char *line_buf, size_t nread, const char **errbuf, int nu + /* Once all the specfiles are in the hash_buf, generate the hash. 
*/ + void digest_gen_hash(struct selabel_digest *digest) + { +- Sha1Context context; ++ Sha256Context context; + size_t remaining_size; + const unsigned char *ptr; + +@@ -128,19 +128,19 @@ void digest_gen_hash(struct selabel_digest *digest) + if (!digest) + return; + +- Sha1Initialise(&context); ++ Sha256Initialise(&context); + + /* Process in blocks of UINT32_MAX bytes */ + remaining_size = digest->hashbuf_size; + ptr = digest->hashbuf; + while (remaining_size > UINT32_MAX) { +- Sha1Update(&context, ptr, UINT32_MAX); ++ Sha256Update(&context, ptr, UINT32_MAX); + remaining_size -= UINT32_MAX; + ptr += UINT32_MAX; + } +- Sha1Update(&context, ptr, remaining_size); ++ Sha256Update(&context, ptr, remaining_size); + +- Sha1Finalise(&context, (SHA1_HASH *)digest->digest); ++ Sha256Finalise(&context, (SHA256_HASH *)digest->digest); + free(digest->hashbuf); + digest->hashbuf = NULL; + } +diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c +index bc6ed935a4ad..93bd7779249b 100644 +--- a/libselinux/src/selinux_restorecon.c ++++ b/libselinux/src/selinux_restorecon.c +@@ -37,7 +37,7 @@ + #include "callbacks.h" + #include "selinux_internal.h" + #include "label_file.h" +-#include "sha1.h" ++#include "sha256.h" + + #define STAR_COUNT 1024 + +@@ -306,7 +306,7 @@ static uint64_t exclude_non_seclabel_mounts(void) + static int add_xattr_entry(const char *directory, bool delete_nonmatch, + bool delete_all) + { +- char *sha1_buf = NULL; ++ char *sha256_buf = NULL; + size_t i, digest_len = 0; + int rc; + enum digest_result digest_result; +@@ -330,15 +330,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + } + + /* Convert entry to a hex encoded string. 
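Review bot: `Sha256Finalise(&context, (SHA256_HASH *)digest->digest);` in digest_gen_hash now writes 32 bytes through a cast pointer, and the allocation of `digest->digest` is not in any hunk of this patch. The write is therefore only in bounds if that buffer is sized from `DIGEST_SPECFILE_SIZE` rather than a literal 20, which should be confirmed at the allocation site. Finalising into a local and copying a bounded length, as hash_all_partial_matches in label_file.c already does, ties the size to one macro and removes the cast: `SHA256_HASH hash; Sha256Finalise(&context, &hash); memcpy(digest->digest, hash.bytes, DIGEST_SPECFILE_SIZE);`. Callers of selabel_digest() that assumed a 20-byte result instead of honouring `digest_len` would also need checking, since the returned length changes with this patch.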
*/ +- sha1_buf = malloc(digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = malloc(digest_len * 2 + 1); ++ if (!sha256_buf) { + free(xattr_digest); + free(calculated_digest); + goto oom; + } + + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]); ++ sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]); + + digest_result = match ? MATCH : NOMATCH; + +@@ -358,7 +358,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + /* Now add entries to link list. */ + new_entry = malloc(sizeof(struct dir_xattr)); + if (!new_entry) { +- free(sha1_buf); ++ free(sha256_buf); + goto oom; + } + new_entry->next = NULL; +@@ -366,15 +366,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + new_entry->directory = strdup(directory); + if (!new_entry->directory) { + free(new_entry); +- free(sha1_buf); ++ free(sha256_buf); + goto oom; + } + +- new_entry->digest = strdup(sha1_buf); ++ new_entry->digest = strdup(sha256_buf); + if (!new_entry->digest) { + free(new_entry->directory); + free(new_entry); +- free(sha1_buf); ++ free(sha256_buf); + goto oom; + } + +@@ -388,7 +388,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, + dir_xattr_last = new_entry; + } + +- free(sha1_buf); ++ free(sha256_buf); + return 0; + + oom: +@@ -778,7 +778,7 @@ err: + + struct dir_hash_node { + char *path; +- uint8_t digest[SHA1_HASH_SIZE]; ++ uint8_t digest[SHA256_HASH_SIZE]; + struct dir_hash_node *next; + }; + /* +@@ -1284,7 +1284,7 @@ static int selinux_restorecon_common(const char *pathname_orig, + if (setxattr(current->path, + RESTORECON_PARTIAL_MATCH_DIGEST, + current->digest, +- SHA1_HASH_SIZE, 0) < 0) { ++ SHA256_HASH_SIZE, 0) < 0) { + selinux_log(SELINUX_ERROR, + "setxattr failed: %s: %m\n", + current->path); +diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c +deleted file mode 100644 +index 452b0cc2ad5a..000000000000 +--- a/libselinux/src/sha1.c ++++ /dev/null +@@ -1,223 
+0,0 @@ +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// LibSha1 +-// +-// Implementation of SHA1 hash function. +-// Original author: Steve Reid +-// Contributions by: James H. Brown , Saul Kravitz , +-// and Ralph Giles +-// Modified by WaterJuice retaining Public Domain license. +-// +-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org +-// Modified to: +-// - stop symbols being exported for libselinux shared library - October 2015 +-// Richard Haines +-// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment issues. +-// Fixes: +-// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] +-// CHAR64LONG16* block = (CHAR64LONG16*) workspace; +-// William Roberts +-// - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// IMPORTS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#include "sha1.h" +-#include +- +-#include "selinux_internal.h" +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TYPES +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-typedef union +-{ +- uint8_t c [64]; +- uint32_t l [16]; +-} CHAR64LONG16; +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// INTERNAL FUNCTIONS 
+-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) +- +-// blk0() and blk() perform the initial expand. +-#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ +- |(rol(block->l[i],8)&0x00FF00FF)) +- +-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ +- ^block->l[(i+2)&15]^block->l[i&15],1)) +- +-// (R0+R1), R2, R3, R4 are the different operations used in SHA1 +-#define R0(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0) +-#define R1(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0) +-#define R2(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0) +-#define R3(v,w,x,y,z,i) do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0) +-#define R4(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0) +- +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TransformFunction +-// +-// Hash a single 512-bit block. This is the core of the algorithm +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-ignore_unsigned_overflow_ +-static +-void +- TransformFunction +- ( +- uint32_t state[5], +- const uint8_t buffer[64] +- ) +-{ +- uint32_t a; +- uint32_t b; +- uint32_t c; +- uint32_t d; +- uint32_t e; +- CHAR64LONG16 workspace; +- CHAR64LONG16* block = &workspace; +- +- memcpy(block, buffer, 64); +- +- // Copy context->state[] to working vars +- a = state[0]; +- b = state[1]; +- c = state[2]; +- d = state[3]; +- e = state[4]; +- +- // 4 rounds of 20 operations each. Loop unrolled. 
+- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); +- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); +- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); +- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); +- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); +- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); +- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); +- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); +- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); +- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); +- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); +- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); +- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); +- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); +- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); +- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); +- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); +- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); +- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); +- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); +- +- // Add the working vars back into context.state[] +- state[0] += a; +- state[1] += b; +- state[2] += c; +- state[3] += d; +- state[4] += e; +-} +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// PUBLIC FUNCTIONS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- 
+-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Initialise +-// +-// Initialises an SHA1 Context. Use this to initialise/reset a context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Initialise +- ( +- Sha1Context* Context +- ) +-{ +- // SHA1 initialization constants +- Context->State[0] = 0x67452301; +- Context->State[1] = 0xEFCDAB89; +- Context->State[2] = 0x98BADCFE; +- Context->State[3] = 0x10325476; +- Context->State[4] = 0xC3D2E1F0; +- Context->Count[0] = 0; +- Context->Count[1] = 0; +-} +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Update +-// +-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on +-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash. 
+-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Update +- ( +- Sha1Context* Context, +- const void* Buffer, +- uint32_t BufferSize +- ) +-{ +- uint32_t i; +- uint32_t j; +- +- j = (Context->Count[0] >> 3) & 63; +- if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3)) +- { +- Context->Count[1]++; +- } +- +- Context->Count[1] += (BufferSize >> 29); +- if ((j + BufferSize) > 63) +- { +- i = 64 - j; +- memcpy(&Context->Buffer[j], Buffer, i); +- TransformFunction(Context->State, Context->Buffer); +- for (; i + 63 < BufferSize; i += 64) +- { +- TransformFunction(Context->State, (const uint8_t*)Buffer + i); +- } +- j = 0; +- } +- else +- { +- i = 0; +- } +- +- memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i); +-} +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Finalise +-// +-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After +-// calling this, Sha1Initialised must be used to reuse the context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Finalise +- ( +- Sha1Context* Context, +- SHA1_HASH* Digest +- ) +-{ +- uint32_t i; +- uint8_t finalcount[8]; +- +- for (i = 0; i < 8; i++) +- { +- finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 
0 : 1)] +- >> ((3-(i & 3)) * 8) ) & 255); // Endian independent +- } +- Sha1Update(Context, (const uint8_t*)"\x80", 1); +- while ((Context->Count[0] & 504) != 448) +- { +- Sha1Update(Context, (const uint8_t*)"\0", 1); +- } +- +- Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction() +- for (i = 0; i < SHA1_HASH_SIZE; i++) +- { +- Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255); +- } +-} +diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h +deleted file mode 100644 +index f83a6e7ed7ba..000000000000 +--- a/libselinux/src/sha1.h ++++ /dev/null +@@ -1,85 +0,0 @@ +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// LibSha1 +-// +-// Implementation of SHA1 hash function. +-// Original author: Steve Reid +-// Contributions by: James H. Brown , Saul Kravitz , +-// and Ralph Giles +-// Modified by WaterJuice retaining Public Domain license. +-// +-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#ifndef _sha1_h_ +-#define _sha1_h_ +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// IMPORTS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-#include +-#include +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// TYPES +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly. 
+-typedef struct +-{ +- uint32_t State[5]; +- uint32_t Count[2]; +- uint8_t Buffer[64]; +-} Sha1Context; +- +-#define SHA1_HASH_SIZE ( 160 / 8 ) +- +-typedef struct +-{ +- uint8_t bytes [SHA1_HASH_SIZE]; +-} SHA1_HASH; +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// PUBLIC FUNCTIONS +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Initialise +-// +-// Initialises an SHA1 Context. Use this to initialise/reset a context. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Initialise +- ( +- Sha1Context* Context +- ); +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Update +-// +-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on +-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash. +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-void +- Sha1Update +- ( +- Sha1Context* Context, +- const void* Buffer, +- uint32_t BufferSize +- ); +- +-/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// +-// Sha1Finalise +-// +-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After +-// calling this, Sha1Initialised must be used to reuse the context. 
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Finalise
+- (
+- Sha1Context* Context,
+- SHA1_HASH* Digest
+- );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-#endif //_sha1_h_
+diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c
+new file mode 100644
+index 000000000000..fe2aeef07f53
+--- /dev/null
++++ b/libselinux/src/sha256.c
+@@ -0,0 +1,294 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// WjCryptLib_Sha256
++//
++// Implementation of SHA256 hash function.
++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++// Modified by WaterJuice retaining Public Domain license.
++//
++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include "sha256.h"
++#include
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// MACROS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
++
++#define MIN(x, y) ( ((x)<(y))?(x):(y) )
++
++#define STORE32H(x, y) \
++ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
++ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
++
++#define LOAD32H(x, y) \
++ { x = ((uint32_t)((y)[0] & 255)<<24) | \
++ ((uint32_t)((y)[1] & 255)<<16) | \
++ ((uint32_t)((y)[2] & 255)<<8) | \
++ ((uint32_t)((y)[3] & 255)); }
++
++#define STORE64H(x, y) \
++ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
++ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
++ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
++ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// CONSTANTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// The K array
++static const uint32_t K[64] = {
++ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
++ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
++ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
++ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
++ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
++ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
++ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
++ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
++ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
++ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
++ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
++ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
++ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
++};
++
++#define BLOCK_SIZE 64
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// INTERNAL FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// Various logical functions
++#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
++#define Maj( x, y, z ) (((x | y) & z) | (x & y))
++#define S( x, n ) ror((x),(n))
++#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
++#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
++#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
++#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
++#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
++
++#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
++ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
++ t1 = Sigma0(a) + Maj(a, b, c); \
++ d += t0; \
++ h = t0 + t1;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// TransformFunction
++//
++// Compress 512-bits
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++static
++void
++ TransformFunction
++ (
++ Sha256Context* Context,
++ uint8_t const* Buffer
++ )
++{
++ uint32_t S[8];
++ uint32_t W[64];
++ uint32_t t0;
++ uint32_t t1;
++ uint32_t t;
++ int i;
++
++ // Copy state into S
++ for( i=0; i<8; i++ )
++ {
++ S[i] = Context->state[i];
++ }
++
++ // Copy the state into 512-bits into W[0..15]
++ for( i=0; i<16; i++ )
++ {
++ LOAD32H( W[i], Buffer + (4*i) );
++ }
++
++ // Fill W[16..63]
++ for( i=16; i<64; i++ )
++ {
++ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
++ }
++
++ // Compress
++ for( i=0; i<64; i++ )
++ {
++ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
++ t = S[7];
++ S[7] = S[6];
++ S[6] = S[5];
++ S[5] = S[4];
++ S[4] = S[3];
++ S[3] = S[2];
++ S[2] = S[1];
++ S[1] = S[0];
++ S[0] = t;
++ }
++
++ // Feedback
++ for( i=0; i<8; i++ )
++ {
++ Context->state[i] = Context->state[i] + S[i];
++ }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Initialise
++//
++// Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Initialise
++ (
++ Sha256Context* Context // [out]
++ )
++{
++ Context->curlen = 0;
++ Context->length = 0;
++ Context->state[0] = 0x6A09E667UL;
++ Context->state[1] = 0xBB67AE85UL;
++ Context->state[2] = 0x3C6EF372UL;
++ Context->state[3] = 0xA54FF53AUL;
++ Context->state[4] = 0x510E527FUL;
++ Context->state[5] = 0x9B05688CUL;
++ Context->state[6] = 0x1F83D9ABUL;
++ Context->state[7] = 0x5BE0CD19UL;
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Update
++//
++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Update
++ (
++ Sha256Context* Context, // [in out]
++ void const* Buffer, // [in]
++ uint32_t BufferSize // [in]
++ )
++{
++ uint32_t n;
++
++ if( Context->curlen > sizeof(Context->buf) )
++ {
++ return;
++ }
++
++ while( BufferSize > 0 )
++ {
++ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
++ {
++ TransformFunction( Context, (uint8_t*)Buffer );
++ Context->length += BLOCK_SIZE * 8;
++ Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
++ BufferSize -= BLOCK_SIZE;
++ }
++ else
++ {
++ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
++ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
++ Context->curlen += n;
++ Buffer = (uint8_t*)Buffer + n;
++ BufferSize -= n;
++ if( Context->curlen == BLOCK_SIZE )
++ {
++ TransformFunction( Context, Context->buf );
++ Context->length += 8*BLOCK_SIZE;
++ Context->curlen = 0;
++ }
++ }
++ }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Finalise
++//
++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++// calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Finalise
++ (
++ Sha256Context* Context, // [in out]
++ SHA256_HASH* Digest // [out]
++ )
++{
++ int i;
++
++ if( Context->curlen >= sizeof(Context->buf) )
++ {
++ return;
++ }
++
++ // Increase the length of the message
++ Context->length += Context->curlen * 8;
++
++ // Append the '1' bit
++ Context->buf[Context->curlen++] = (uint8_t)0x80;
++
++ // if the length is currently above 56 bytes we append zeros
++ // then compress. Then we can fall back to padding zeros and length
++ // encoding like normal.
++ if( Context->curlen > 56 )
++ {
++ while( Context->curlen < 64 )
++ {
++ Context->buf[Context->curlen++] = (uint8_t)0;
++ }
++ TransformFunction(Context, Context->buf);
++ Context->curlen = 0;
++ }
++
++ // Pad up to 56 bytes of zeroes
++ while( Context->curlen < 56 )
++ {
++ Context->buf[Context->curlen++] = (uint8_t)0;
++ }
++
++ // Store length
++ STORE64H( Context->length, Context->buf+56 );
++ TransformFunction( Context, Context->buf );
++
++ // Copy output
++ for( i=0; i<8; i++ )
++ {
++ STORE32H( Context->state[i], Digest->bytes+(4*i) );
++ }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Calculate
++//
++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++// buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Calculate
++ (
++ void const* Buffer, // [in]
++ uint32_t BufferSize, // [in]
++ SHA256_HASH* Digest // [in]
++ )
++{
++ Sha256Context context;
++
++ Sha256Initialise( &context );
++ Sha256Update( &context, Buffer, BufferSize );
++ Sha256Finalise( &context, Digest );
++}
+diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h
+new file mode 100644
+index 000000000000..406ed869cd82
+--- /dev/null
++++ b/libselinux/src/sha256.h
+@@ -0,0 +1,89 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// WjCryptLib_Sha256
++//
++// Implementation of SHA256 hash function.
++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++// Modified by WaterJuice retaining Public Domain license.
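Review bot: Sha256Finalise returns early when `Context->curlen >= sizeof(Context->buf)` without writing `*Digest`, and because it returns `void` a caller (including Sha256Calculate) cannot tell that the 32 bytes it goes on to store or compare are indeterminate. That state should only arise from an uninitialised or corrupted context, but since the utilities in this patch compare these digests against stored values, the failure is better made deterministic, e.g. `memset( Digest, 0, sizeof(*Digest) );` before the `return;`, or reported through a status that callers check. Sha256Update's matching guard uses `>` where Finalise uses `>=`; a one-line comment stating which bound is intended would help the next reader. The `Digest` parameter of Sha256Calculate is annotated `// [in]` here and in sha256.h although it is the output, so it should read `// [out]`, and the Sha256Finalise banners in both files name `Sha256Initialised` where the function is `Sha256Initialise`.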
++//
++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#pragma once
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include
++#include
++
++typedef struct
++{
++ uint64_t length;
++ uint32_t state[8];
++ uint32_t curlen;
++ uint8_t buf[64];
++} Sha256Context;
++
++#define SHA256_HASH_SIZE ( 256 / 8 )
++
++typedef struct
++{
++ uint8_t bytes [SHA256_HASH_SIZE];
++} SHA256_HASH;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Initialise
++//
++// Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Initialise
++ (
++ Sha256Context* Context // [out]
++ );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Update
++//
++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Update
++ (
++ Sha256Context* Context, // [in out]
++ void const* Buffer, // [in]
++ uint32_t BufferSize // [in]
++ );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Finalise
++//
++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++// calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Finalise
++ (
++ Sha256Context* Context, // [in out]
++ SHA256_HASH* Digest // [out]
++ );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Calculate
++//
++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++// buffer.
++//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ++void ++ Sha256Calculate ++ ( ++ void const* Buffer, // [in] ++ uint32_t BufferSize, // [in] ++ SHA256_HASH* Digest // [in] ++ ); +diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c +index 47aad21ff1fb..8bcd44a1dc73 100644 +--- a/libselinux/utils/selabel_digest.c ++++ b/libselinux/utils/selabel_digest.c +@@ -13,8 +13,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) + "Where:\n\t" + "-b The backend - \"file\", \"media\", \"x\", \"db\" or " + "\"prop\"\n\t" +- "-v Run \"cat | openssl dgst -sha1 -hex\"\n\t" +- " on the list of specfiles to compare the SHA1 digests.\n\t" ++ "-v Run \"cat | openssl dgst -sha256 -hex\"\n\t" ++ " on the list of specfiles to compare the SHA256 digests.\n\t" + "-B Use base specfiles only (valid for \"-b file\" only).\n\t" + "-i Do not request a digest.\n\t" + "-f Optional file containing the specs (defaults to\n\t" +@@ -61,12 +61,12 @@ int main(int argc, char **argv) + int rc, opt, validate = 0; + char *baseonly = NULL, *file = NULL, *digest = (char *)1; + char **specfiles = NULL; +- unsigned char *sha1_digest = NULL; ++ unsigned char *sha256_digest = NULL; + size_t digest_len, i, num_specfiles; + + char cmd_buf[4096]; + char *cmd_ptr; +- char *sha1_buf = NULL; ++ char *sha256_buf = NULL; + + struct selabel_handle *hnd; + struct selinux_opt selabel_option[] = { +@@ -136,7 +136,7 @@ int main(int argc, char **argv) + return -1; + } + +- rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles, ++ rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles, + &num_specfiles); + + if (rc) { +@@ -151,19 +151,19 @@ int main(int argc, char **argv) + goto err; + } + +- sha1_buf = malloc(digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = malloc(digest_len * 2 + 1); ++ if (!sha256_buf) { + fprintf(stderr, "Could not malloc buffer ERROR: %s\n", + 
strerror(errno)); + rc = -1; + goto err; + } + +- printf("SHA1 digest: "); ++ printf("SHA256 digest: "); + for (i = 0; i < digest_len; i++) +- sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]); ++ sprintf(&(sha256_buf[i * 2]), "%02x", sha256_digest[i]); + +- printf("%s\n", sha1_buf); ++ printf("%s\n", sha256_buf); + printf("calculated using the following specfile(s):\n"); + + if (specfiles) { +@@ -198,19 +198,19 @@ int main(int argc, char **argv) + } + + if (validate) { +- ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha1 -hex"); ++ ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha256 -hex"); + if (ret < 0 || (size_t)ret >= cmd_rem) { + fprintf(stderr, "Could not format validate command\n"); + rc = -1; + goto err; + } + +- rc = run_check_digest(cmd_buf, sha1_buf, digest_len); ++ rc = run_check_digest(cmd_buf, sha256_buf, digest_len); + } + } + + err: +- free(sha1_buf); ++ free(sha256_buf); + selabel_close(hnd); + return rc; + } +diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c +index e2733b4195ff..98e533dc2692 100644 +--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c ++++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c +@@ -16,8 +16,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) + "-v Validate file_contxts entries against loaded policy.\n\t" + "-r Recursively descend directories.\n\t" + "-f Optional file_contexts file (defaults to current policy).\n\t" +- "path Path to check current SHA1 digest against file_contexts entries.\n\n" +- "This will check the directory selinux.sehash SHA1 digest for " ++ "path Path to check current SHA256 digest against file_contexts entries.\n\n" ++ "This will check the directory selinux.sehash SHA256 digest for " + " against\na newly generated digest based on the " + "file_context entries for that node\n(using the regx, mode " + "and path entries).\n", progname); +@@ 
-35,7 +35,7 @@ int main(int argc, char **argv) + char *paths[2] = { NULL, NULL }; + uint8_t *xattr_digest = NULL; + uint8_t *calculated_digest = NULL; +- char *sha1_buf = NULL; ++ char *sha256_buf = NULL; + + struct selabel_handle *hnd; + struct selinux_opt selabel_option[] = { +@@ -104,27 +104,27 @@ int main(int argc, char **argv) + &xattr_digest, + &digest_len); + +- sha1_buf = calloc(1, digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = calloc(1, digest_len * 2 + 1); ++ if (!sha256_buf) { + fprintf(stderr, "Could not calloc buffer ERROR: %s\n", + strerror(errno)); + return -1; + } + + if (status) { /* They match */ +- printf("xattr and file_contexts SHA1 digests match for: %s\n", ++ printf("xattr and file_contexts SHA256 digests match for: %s\n", + ftsent->fts_path); + + if (calculated_digest) { + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), ++ sprintf((&sha256_buf[i * 2]), + "%02x", + calculated_digest[i]); +- printf("SHA1 digest: %s\n", sha1_buf); ++ printf("SHA256 digest: %s\n", sha256_buf); + } + } else { + if (!calculated_digest) { +- printf("No SHA1 digest available for: %s\n", ++ printf("No SHA256 digest available for: %s\n", + ftsent->fts_path); + printf("as file_context entry is \"<>\"\n"); + goto cleanup; +@@ -134,25 +134,25 @@ int main(int argc, char **argv) + ftsent->fts_path); + + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), "%02x", ++ sprintf((&sha256_buf[i * 2]), "%02x", + calculated_digest[i]); +- printf("generated SHA1 digest: %s\n", sha1_buf); ++ printf("generated SHA256 digest: %s\n", sha256_buf); + + if (!xattr_digest) { + printf("however there is no selinux.sehash xattr entry.\n"); + } else { + printf("however it does NOT match the current entry of:\n"); + for (i = 0; i < digest_len; i++) +- sprintf((&sha1_buf[i * 2]), ++ sprintf((&sha256_buf[i * 2]), + "%02x", + xattr_digest[i]); +- printf("%s\n", sha1_buf); ++ printf("%s\n", sha256_buf); + } + } + cleanup: + free(xattr_digest); + 
free(calculated_digest); +- free(sha1_buf); ++ free(sha256_buf); + break; + } + default: +-- +2.47.0 + diff --git a/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch b/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch deleted file mode 100644 index f6343b4..0000000 --- a/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch +++ /dev/null @@ -1,31 +0,0 @@ -From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001 -From: Miroslav Grepl -Date: Wed, 16 Jul 2014 08:28:03 +0200 -Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools. - ---- - libselinux/man/man8/selinux.8 | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 -index e37aee68..bf23b655 100644 ---- a/libselinux/man/man8/selinux.8 -+++ b/libselinux/man/man8/selinux.8 -@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh . - .BR sepolicy (8), - .BR system-config-selinux (8), - .BR togglesebool (8), --.BR restorecon (8), - .BR fixfiles (8), -+.BR restorecon (8), - .BR setfiles (8), - .BR semanage (8), - .BR sepolicy (8) -+.BR seinfo (8), -+.BR sesearch (8) - - Every confined service on the system has a man page in the following format: - .br --- -2.21.0 - diff --git a/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch b/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch deleted file mode 100644 index 24f28e6..0000000 --- a/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch +++ /dev/null 
@@ -1,214 +0,0 @@ -From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001 -From: Dan Walsh -Date: Mon, 23 Dec 2013 09:50:54 -0500 -Subject: [PATCH] Verify context input to funtions to make sure the context - field is not null. - -Return errno EINVAL, to prevent segfault. - -Rejected by upstream https://marc.info/?l=selinux&m=145036088424584&w=2 - -FIXME: use __attribute__(nonnull (arg-index, ...)) ---- - libselinux/src/avc_sidtab.c | 5 +++++ - libselinux/src/canonicalize_context.c | 5 +++++ - libselinux/src/check_context.c | 5 +++++ - libselinux/src/compute_av.c | 5 +++++ - libselinux/src/compute_create.c | 5 +++++ - libselinux/src/compute_member.c | 5 +++++ - libselinux/src/compute_relabel.c | 5 +++++ - libselinux/src/compute_user.c | 5 +++++ - libselinux/src/fsetfilecon.c | 8 ++++++-- - libselinux/src/lsetfilecon.c | 9 +++++++-- - libselinux/src/setfilecon.c | 8 ++++++-- - 11 files changed, 59 insertions(+), 6 deletions(-) - -diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c -index 9669264d..c7754305 100644 ---- a/libselinux/src/avc_sidtab.c -+++ b/libselinux/src/avc_sidtab.c -@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s, - int hvalue, rc = 0; - struct sidtab_node *cur; - -+ if (! ctx) { -+ errno=EINVAL; -+ return -1; -+ } -+ - *sid = NULL; - hvalue = sidtab_hash(ctx); - -diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c -index ba4c9a2c..c8158725 100644 ---- a/libselinux/src/canonicalize_context.c -+++ b/libselinux/src/canonicalize_context.c -@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con, - size_t size; - int fd, ret; - -+ if (! 
con) { -+ errno=EINVAL; -+ return -1; -+ } -+ - if (!selinux_mnt) { - errno = ENOENT; - return -1; -diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c -index 8a7997f0..5be84348 100644 ---- a/libselinux/src/check_context.c -+++ b/libselinux/src/check_context.c -@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con) - char path[PATH_MAX]; - int fd, ret; - -+ if (! con) { -+ errno=EINVAL; -+ return -1; -+ } -+ - if (!selinux_mnt) { - errno = ENOENT; - return -1; -diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c -index a47cffe9..6d285a2e 100644 ---- a/libselinux/src/compute_av.c -+++ b/libselinux/src/compute_av.c -@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon, - return -1; - } - -+ if ((! scon) || (! tcon)) { -+ errno=EINVAL; -+ return -1; -+ } -+ - snprintf(path, sizeof path, "%s/access", selinux_mnt); - fd = open(path, O_RDWR | O_CLOEXEC); - if (fd < 0) -diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c -index 0975aeac..3e6a48c1 100644 ---- a/libselinux/src/compute_create.c -+++ b/libselinux/src/compute_create.c -@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon, - return -1; - } - -+ if ((! scon) || (! tcon)) { -+ errno=EINVAL; -+ return -1; -+ } -+ - snprintf(path, sizeof path, "%s/create", selinux_mnt); - fd = open(path, O_RDWR | O_CLOEXEC); - if (fd < 0) -diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c -index 4e2d221e..d1dd9772 100644 ---- a/libselinux/src/compute_member.c -+++ b/libselinux/src/compute_member.c -@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon, - return -1; - } - -+ if ((! scon) || (! 
tcon)) { -+ errno=EINVAL; -+ return -1; -+ } -+ - snprintf(path, sizeof path, "%s/member", selinux_mnt); - fd = open(path, O_RDWR | O_CLOEXEC); - if (fd < 0) -diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c -index 49f77ef3..c3db7c0a 100644 ---- a/libselinux/src/compute_relabel.c -+++ b/libselinux/src/compute_relabel.c -@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon, - return -1; - } - -+ if ((! scon) || (! tcon)) { -+ errno=EINVAL; -+ return -1; -+ } -+ - snprintf(path, sizeof path, "%s/relabel", selinux_mnt); - fd = open(path, O_RDWR | O_CLOEXEC); - if (fd < 0) -diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c -index 7b881215..401fd107 100644 ---- a/libselinux/src/compute_user.c -+++ b/libselinux/src/compute_user.c -@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon, - return -1; - } - -+ if (! scon) { -+ errno=EINVAL; -+ return -1; -+ } -+ - snprintf(path, sizeof path, "%s/user", selinux_mnt); - fd = open(path, O_RDWR | O_CLOEXEC); - if (fd < 0) -diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c -index 52707d05..0cbe12d8 100644 ---- a/libselinux/src/fsetfilecon.c -+++ b/libselinux/src/fsetfilecon.c -@@ -9,8 +9,12 @@ - - int fsetfilecon_raw(int fd, const char * context) - { -- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, -- 0); -+ int rc; -+ if (! context) { -+ errno=EINVAL; -+ return -1; -+ } -+ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; -diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c -index 1d3b28a1..ea6d70b7 100644 ---- a/libselinux/src/lsetfilecon.c -+++ b/libselinux/src/lsetfilecon.c -@@ -9,8 +9,13 @@ - - int lsetfilecon_raw(const char *path, const char * context) - { -- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, -- 0); -+ int rc; -+ if (! 
context) { -+ errno=EINVAL; -+ return -1; -+ } -+ -+ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; -diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c -index d05969c6..3f0200e8 100644 ---- a/libselinux/src/setfilecon.c -+++ b/libselinux/src/setfilecon.c -@@ -9,8 +9,12 @@ - - int setfilecon_raw(const char *path, const char * context) - { -- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, -- 0); -+ int rc; -+ if (! context) { -+ errno=EINVAL; -+ return -1; -+ } -+ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); - if (rc < 0 && errno == ENOTSUP) { - char * ccontext = NULL; - int err = errno; --- -2.21.0 - diff --git a/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch b/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch deleted file mode 100644 index 9a11fa7..0000000 --- a/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From a6e839be2c5a77c22a8c72cad001e3f87eaedf2e Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Mon, 11 Mar 2019 15:26:43 +0100 -Subject: [PATCH] libselinux: Allow to override OVERRIDE_GETTID from command - line - -$ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ... - -Drop this as soon as glibc-2.30 will become real 2.30 version, see -https://bugzilla.redhat.com/show_bug.cgi?id=1685594 - -Signed-off-by: Petr Lautrbach ---- - libselinux/src/procattr.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c -index c6799ef2..cbb6824e 100644 ---- a/libselinux/src/procattr.c -+++ b/libselinux/src/procattr.c -@@ -24,6 +24,7 @@ static __thread char destructor_initialized; - - /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and - * has a definition for it */ -+#ifndef OVERRIDE_GETTID - #ifdef __BIONIC__ - #define OVERRIDE_GETTID 0 - #elif !defined(__GLIBC_PREREQ) -@@ -33,6 +34,7 @@ static __thread char destructor_initialized; - #else - #define OVERRIDE_GETTID 0 - #endif -+#endif - - #if OVERRIDE_GETTID - static pid_t gettid(void) --- -2.21.0 - diff --git a/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch b/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch deleted file mode 100644 index f238dd0..0000000 --- a/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From be420729fbf4adc8b32ca3722fa6ca46bb51413d Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 27 Feb 2019 09:37:17 +0100 -Subject: [PATCH] Bring some old permission and flask constants back to Python - bindings - ---- - libselinux/src/selinuxswig.i | 4 ++++ - libselinux/src/selinuxswig_python.i | 3 ++- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i -index dbdb4c3d..9c5b9263 100644 ---- a/libselinux/src/selinuxswig.i -+++ b/libselinux/src/selinuxswig.i -@@ -5,7 +5,9 @@ - %module selinux - %{ - #include "../include/selinux/avc.h" -+ #include "../include/selinux/av_permissions.h" - #include "../include/selinux/context.h" -+ #include "../include/selinux/flask.h" - #include "../include/selinux/get_context_list.h" - #include "../include/selinux/get_default_type.h" - #include "../include/selinux/label.h" -@@ -58,7 +60,9 @@ - %ignore avc_netlink_check_nb; - - %include "../include/selinux/avc.h" -+%include "../include/selinux/av_permissions.h" - %include "../include/selinux/context.h" -+%include "../include/selinux/flask.h" - %include "../include/selinux/get_context_list.h" - %include "../include/selinux/get_default_type.h" - %include "../include/selinux/label.h" -diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i -index 4c73bf92..6eaab081 100644 ---- a/libselinux/src/selinuxswig_python.i -+++ b/libselinux/src/selinuxswig_python.i -@@ -1,10 +1,11 @@ - /* Author: James Athey - */ - --/* Never build rpm_execcon interface */ -+/* Never build rpm_execcon interface unless you need to have ACG compatibility - #ifndef DISABLE_RPM - #define DISABLE_RPM - #endif -+*/ - - %module selinux - %{ --- -2.21.0 - diff --git a/SOURCES/0005-libselinux-add-missing-av_permission-values.patch b/SOURCES/0005-libselinux-add-missing-av_permission-values.patch deleted file mode 100644 index 34acc85..0000000 
--- a/SOURCES/0005-libselinux-add-missing-av_permission-values.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 903c54bf62ffba3c95e22e74c9c43838cd3935a0 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Tue, 28 Feb 2017 16:12:43 +0100 -Subject: [PATCH] libselinux: add missing av_permission values - -Add missing av_permission values to av_permissions.h for the sake of -completeness (this interface is obsolete - these values are now -obtained at runtime). - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1025931 - -Signed-off-by: Vit Mojzis ---- - libselinux/include/selinux/av_permissions.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/libselinux/include/selinux/av_permissions.h b/libselinux/include/selinux/av_permissions.h -index c1269af9..631f0276 100644 ---- a/libselinux/include/selinux/av_permissions.h -+++ b/libselinux/include/selinux/av_permissions.h -@@ -876,6 +876,8 @@ - #define NSCD__SHMEMHOST 0x00000080UL - #define NSCD__GETSERV 0x00000100UL - #define NSCD__SHMEMSERV 0x00000200UL -+#define NSCD__GETNETGRP 0x00000400UL -+#define NSCD__SHMEMNETGRP 0x00000800UL - #define ASSOCIATION__SENDTO 0x00000001UL - #define ASSOCIATION__RECVFROM 0x00000002UL - #define ASSOCIATION__SETCONTEXT 0x00000004UL --- -2.21.0 - diff --git a/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch b/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch deleted file mode 100644 index b4306d8..0000000 --- a/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch +++ /dev/null 
@@ -1,177 +0,0 @@ -From 67d490a38a319126f371eaf66a5fc922d7005b1f Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 16 May 2019 15:01:59 +0200 -Subject: [PATCH] libselinux: Use Python distutils to install SELinux python - bindings - -SWIG-4.0 changed its behavior so that it uses: from . import _selinux which -looks for _selinux module in the same directory as where __init__.py is - -$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into -$(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location -of _selinux.so"). - -In order to prevent such breakage in future use Python's distutils instead of -building and installing python bindings manually in Makefile. - -Fixes: ->>> import selinux -Traceback (most recent call last): - File "", line 1, in - File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in - from . import _selinux -ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py) ->>> - -Signed-off-by: Petr Lautrbach ---- - libselinux/src/.gitignore | 2 +- - libselinux/src/Makefile | 37 ++++++++----------------------------- - libselinux/src/setup.py | 24 ++++++++++++++++++++++++ - 3 files changed, 33 insertions(+), 30 deletions(-) - create mode 100644 libselinux/src/setup.py - -diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore -index 4dcc3b3b..428afe5a 100644 ---- a/libselinux/src/.gitignore -+++ b/libselinux/src/.gitignore -@@ -1,4 +1,4 @@ - selinux.py --selinuxswig_wrap.c -+selinuxswig_python_wrap.c - selinuxswig_python_exception.i - selinuxswig_ruby_wrap.c -diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile -index e9ed0383..826c830c 100644 ---- a/libselinux/src/Makefile -+++ b/libselinux/src/Makefile -@@ -36,7 +36,7 @@ TARGET=libselinux.so - LIBPC=libselinux.pc - SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i - SWIGRUBYIF= selinuxswig_ruby.i --SWIGCOUT= selinuxswig_wrap.c -+SWIGCOUT= 
selinuxswig_python_wrap.c - SWIGPYOUT= selinux.py - SWIGRUBYCOUT= selinuxswig_ruby_wrap.c - SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT)) -@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),) - LDLIBS_LIBSEPOLA := -l:libsepol.a - endif - --GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i -+GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i - SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c))) - - MAX_STACK_SIZE=32768 -@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND - SRCS:= $(filter-out label_backends_android.c, $(SRCS)) - endif - --SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS) -- - SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS) - - all: $(LIBA) $(LIBSO) $(LIBPC) - --pywrap: all $(SWIGFILES) $(AUDIT2WHYSO) -+pywrap: all selinuxswig_python_exception.i -+ CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR) - - rubywrap: all $(SWIGRUBYSO) - --$(SWIGLOBJ): $(SWIGCOUT) -- $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $< -- - $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) - $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $< - --$(SWIGSO): $(SWIGLOBJ) -- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS) -- - $(SWIGRUBYSO): $(SWIGRUBYLOBJ) - $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS) - -@@ -161,29 +154,15 @@ $(LIBPC): $(LIBPC).in ../VERSION - selinuxswig_python_exception.i: ../include/selinux/selinux.h - bash -e exception.sh > $@ || (rm -f $@ ; false) - --$(AUDIT2WHYLOBJ): audit2why.c -- $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< -- --$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA) -- $(CC) $(CFLAGS) $(LDFLAGS) -L. 
-shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs -- - %.o: %.c policy.h - $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< - - %.lo: %.c policy.h - $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $< - --$(SWIGCOUT): $(SWIGIF) -- $(SWIG) $< -- --$(SWIGPYOUT): $(SWIGCOUT) -- - $(SWIGRUBYCOUT): $(SWIGRUBYIF) - $(SWIGRUBY) $< - --swigify: $(SWIGIF) -- $(SWIG) $< -- - install: all - test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR) - install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR) -@@ -194,10 +173,8 @@ install: all - ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET) - - install-pywrap: pywrap -- test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux -- install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT) -- install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT) -- install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py -+ $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` -+ install -m 644 selinux.py $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py - - install-rubywrap: rubywrap - test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) -@@ -208,6 +185,8 @@ relabel: - - clean-pywrap: - -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO) -+ $(PYTHON) setup.py clean -+ -rm -rf build *~ \#* *pyc .#* - - clean-rubywrap: - -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO) -diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py -new file mode 100644 -index 00000000..b12e7869 ---- /dev/null -+++ b/libselinux/src/setup.py -@@ -0,0 +1,24 @@ -+#!/usr/bin/python3 -+ -+from distutils.core import Extension, setup -+ -+setup( -+ name="selinux", -+ version="2.9", -+ description="SELinux python 3 bindings", -+ author="SELinux Project", -+ author_email="selinux@vger.kernel.org", -+ ext_modules=[ -+ 
Extension('selinux._selinux', -+ sources=['selinuxswig_python.i'], -+ include_dirs=['../include'], -+ library_dirs=['.'], -+ libraries=['selinux']), -+ Extension('selinux.audit2why', -+ sources=['audit2why.c'], -+ include_dirs=['../include'], -+ library_dirs=['.'], -+ libraries=['selinux'], -+ extra_link_args=['-l:libsepol.a']) -+ ], -+) --- -2.21.0 - diff --git a/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch b/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch deleted file mode 100644 index a064418..0000000 --- a/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 6ec8116ee64a25a0c5eb543f0b12ed25f1348c45 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 27 Jun 2019 11:17:13 +0200 -Subject: [PATCH] libselinux: Do not use SWIG_CFLAGS when Python bindings are - built - -Fixes: -https://rpmdiff.engineering.redhat.com/run/410372/7/ - -Detecting usr/lib64/python3.6/site-packages/selinux/audit2why.cpython-36m-x86_64-linux-gnu.so with not-hardened warnings ' -Hardened: audit2why.cpython-36m-x86_64-linux-gnu.so: FAIL: Gaps were detected in the annobin coverage. Run with -v to list. -' on x86_64 - -Signed-off-by: Petr Lautrbach ---- - libselinux/src/Makefile | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile -index 826c830c..f64f23a8 100644 ---- a/libselinux/src/Makefile -+++ b/libselinux/src/Makefile -@@ -104,9 +104,6 @@ FTS_LDLIBS ?= - - override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) - --SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ -- -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations -- - RANLIB ?= ranlib - - ARCH := $(patsubst i%86,i386,$(shell uname -m)) -@@ -130,7 +127,7 @@ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS) - all: $(LIBA) $(LIBSO) $(LIBPC) - - pywrap: all selinuxswig_python_exception.i -- CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR) -+ $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR) - - rubywrap: all $(SWIGRUBYSO) - --- -2.21.0 - diff --git a/SOURCES/0008-Fix-mcstrans-secolor-examples.patch b/SOURCES/0008-Fix-mcstrans-secolor-examples.patch deleted file mode 100644 index d2c91ef..0000000 --- a/SOURCES/0008-Fix-mcstrans-secolor-examples.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 90a4f2b9a5194a2d1ab4c45b7a90bbb6c8099a68 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Tue, 2 Jul 2019 14:09:05 +0200 -Subject: [PATCH] Fix mcstrans secolor examples - -According to "check_dominance" function: -Range defined as "s15:c0.c1023" does not dominate any other range than - "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.). -While range defined as "s15-s15:c0.c1023" dominates all of the above. - -This is either a bug, or "s15:c0.c1023" should not be used in the -examples. - -Signed-off-by: Vit Mojzis ---- - libselinux/man/man5/secolor.conf.5 | 4 ++-- - libselinux/man/ru/man5/secolor.conf.5 | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5 -index b834577a..a3bf2da1 100644 ---- a/libselinux/man/man5/secolor.conf.5 -+++ b/libselinux/man/man5/secolor.conf.5 -@@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red - .br - range s9\-s9:c0.c1023 = black orange - .br --range s15:c0.c1023 = black yellow -+range s15\-s15:c0.c1023 = black yellow - .RE - - .sp -@@ -165,7 +165,7 @@ type xguest_t = black green - .br - user sysadm_u = white black - .br --range s0:c0.c1023 = black white -+range s0-s0:c0.c1023 = black white - .br - user * = black white - .br -diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5 -index 4c1236ae..bcae80c1 100644 ---- a/libselinux/man/ru/man5/secolor.conf.5 -+++ b/libselinux/man/ru/man5/secolor.conf.5 -@@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red - .br - range s9\-s9:c0.c1023 = black orange - .br --range s15:c0.c1023 = black yellow -+range s15\-s15:c0.c1023 = black yellow - .RE - - .sp -@@ -163,7 +163,7 @@ type xguest_t = black green - .br - user sysadm_u = white black - .br --range s0:c0.c1023 = black white -+range s0\-s0:c0.c1023 = black white - .br - user * = black white - .br --- -2.21.0 - 
diff --git a/SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch b/SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch
deleted file mode 100644
index 68085cf..0000000
--- a/SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch
+++ /dev/null
@@ -1,354 +0,0 @@ -From bfee1a3131580a7b9d8a7366764b8e78d99a9f1b Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Mon, 17 Feb 2020 21:47:35 +0100 -Subject: [PATCH] libselinux: Eliminate use of security_compute_user() - -get_ordered_context_list() code used to ask the kernel to compute the complete -set of reachable contexts using /sys/fs/selinux/user aka -security_compute_user(). This set can be so huge so that it doesn't fit into a -kernel page and security_compute_user() fails. Even if it doesn't fail, -get_ordered_context_list() throws away the vast majority of the returned -contexts because they don't match anything in -/etc/selinux/targeted/contexts/default_contexts or -/etc/selinux/targeted/contexts/users/ - -get_ordered_context_list() is rewritten to compute set of contexts based on -/etc/selinux/targeted/contexts/users/ and -/etc/selinux/targeted/contexts/default_contexts files and to return only valid -contexts, using security_check_context(), from this set. - -Fixes: https://github.com/SELinuxProject/selinux/issues/28 - -Signed-off-by: Petr Lautrbach ---- - libselinux/src/get_context_list.c | 212 +++++++++++++----------------- - 1 file changed, 93 insertions(+), 119 deletions(-) - -diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c -index 689e4658..26d7b3b9 100644 ---- a/libselinux/src/get_context_list.c -+++ b/libselinux/src/get_context_list.c -@@ -2,6 +2,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -114,64 +115,41 @@ int get_default_context(const char *user, - return 0; - } - --static int find_partialcon(char ** list, -- unsigned int nreach, char *part) -+static int is_in_reachable(char **reachable, const char *usercon_str) - { -- const char *conrole, *contype; -- char *partrole, *parttype, *ptr; -- context_t con; -- unsigned int i; -+ if (!reachable) -+ return 0; - -- partrole = part; -- ptr = part; -- while (*ptr && !isspace(*ptr) && *ptr != ':') -- ptr++; -- if (*ptr != 
':') -- return -1; -- *ptr++ = 0; -- parttype = ptr; -- while (*ptr && !isspace(*ptr) && *ptr != ':') -- ptr++; -- *ptr = 0; -- -- for (i = 0; i < nreach; i++) { -- con = context_new(list[i]); -- if (!con) -- return -1; -- conrole = context_role_get(con); -- contype = context_type_get(con); -- if (!conrole || !contype) { -- context_free(con); -- return -1; -- } -- if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) { -- context_free(con); -- return i; -+ for (; *reachable != NULL; reachable++) { -+ if (strcmp(*reachable, usercon_str) == 0) { -+ return 1; - } -- context_free(con); - } -- -- return -1; -+ return 0; - } - --static int get_context_order(FILE * fp, -+static int get_context_user(FILE * fp, - char * fromcon, -- char ** reachable, -- unsigned int nreach, -- unsigned int *ordering, unsigned int *nordered) -+ const char * user, -+ char ***reachable, -+ unsigned int *nreachable) - { - char *start, *end = NULL; - char *line = NULL; -- size_t line_len = 0; -+ size_t line_len = 0, usercon_len; -+ size_t user_len = strlen(user); - ssize_t len; - int found = 0; -- const char *fromrole, *fromtype; -+ const char *fromrole, *fromtype, *fromlevel; - char *linerole, *linetype; -- unsigned int i; -+ char **new_reachable = NULL; -+ char *usercon_str; - context_t con; -+ context_t usercon; -+ - int rc; - -- errno = -EINVAL; -+ errno = EINVAL; - - /* Extract the role and type of the fromcon for matching. - User identity and MLS range can be variable. */ -@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp, - return -1; - fromrole = context_role_get(con); - fromtype = context_type_get(con); -+ fromlevel = context_range_get(con); - if (!fromrole || !fromtype) { - context_free(con); - return -1; -@@ -243,23 +222,75 @@ static int get_context_order(FILE * fp, - if (*end) - *end++ = 0; - -- /* Check for a match in the reachable list. */ -- rc = find_partialcon(reachable, nreach, start); -- if (rc < 0) { -- /* No match, skip it. 
*/ -+ /* Check whether a new context is valid */ -+ if (SIZE_MAX - user_len < strlen(start) + 2) { -+ fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__); -+ errno = EINVAL; -+ rc = -1; -+ goto out; -+ } -+ usercon_len = user_len + strlen(start) + 2; -+ usercon_str = malloc(usercon_len); -+ if (!usercon_str) { -+ rc = -1; -+ goto out; -+ } -+ -+ /* set range from fromcon in the new usercon */ -+ snprintf(usercon_str, usercon_len, "%s:%s", user, start); -+ usercon = context_new(usercon_str); -+ if (!usercon) { -+ if (errno != EINVAL) { -+ free(usercon_str); -+ rc = -1; -+ goto out; -+ } -+ fprintf(stderr, -+ "%s: can't create a context from %s, skipping\n", -+ __FUNCTION__, usercon_str); -+ free(usercon_str); - start = end; - continue; - } -+ free(usercon_str); -+ if (context_range_set(usercon, fromlevel) != 0) { -+ context_free(usercon); -+ rc = -1; -+ goto out; -+ } -+ usercon_str = context_str(usercon); -+ if (!usercon_str) { -+ context_free(usercon); -+ rc = -1; -+ goto out; -+ } - -- /* If a match is found and the entry is not already ordered -- (e.g. due to prior match in prior config file), then set -- the ordering for it. 
*/ -- i = rc; -- if (ordering[i] == nreach) -- ordering[i] = (*nordered)++; -+ /* check whether usercon is already in reachable */ -+ if (is_in_reachable(*reachable, usercon_str)) { -+ context_free(usercon); -+ start = end; -+ continue; -+ } -+ if (security_check_context(usercon_str) == 0) { -+ new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *)); -+ if (!new_reachable) { -+ context_free(usercon); -+ rc = -1; -+ goto out; -+ } -+ *reachable = new_reachable; -+ new_reachable[*nreachable] = strdup(usercon_str); -+ if (new_reachable[*nreachable] == NULL) { -+ context_free(usercon); -+ rc = -1; -+ goto out; -+ } -+ new_reachable[*nreachable + 1] = 0; -+ *nreachable += 1; -+ } -+ context_free(usercon); - start = end; - } -- - rc = 0; - - out: -@@ -313,21 +344,6 @@ static int get_failsafe_context(const char *user, char ** newcon) - return 0; - } - --struct context_order { -- char * con; -- unsigned int order; --}; -- --static int order_compare(const void *A, const void *B) --{ -- const struct context_order *c1 = A, *c2 = B; -- if (c1->order < c2->order) -- return -1; -- else if (c1->order > c2->order) -- return 1; -- return strcmp(c1->con, c2->con); --} -- - int get_ordered_context_list_with_level(const char *user, - const char *level, - char * fromcon, -@@ -395,11 +411,8 @@ int get_ordered_context_list(const char *user, - char *** list) - { - char **reachable = NULL; -- unsigned int *ordering = NULL; -- struct context_order *co = NULL; -- char **ptr; - int rc = 0; -- unsigned int nreach = 0, nordered = 0, freefrom = 0, i; -+ unsigned nreachable = 0, freefrom = 0; - FILE *fp; - char *fname = NULL; - size_t fname_len; -@@ -413,23 +426,6 @@ int get_ordered_context_list(const char *user, - freefrom = 1; - } - -- /* Determine the set of reachable contexts for the user. 
*/ -- rc = security_compute_user(fromcon, user, &reachable); -- if (rc < 0) -- goto failsafe; -- nreach = 0; -- for (ptr = reachable; *ptr; ptr++) -- nreach++; -- if (!nreach) -- goto failsafe; -- -- /* Initialize ordering array. */ -- ordering = malloc(nreach * sizeof(unsigned int)); -- if (!ordering) -- goto failsafe; -- for (i = 0; i < nreach; i++) -- ordering[i] = nreach; -- - /* Determine the ordering to apply from the optional per-user config - and from the global config. */ - fname_len = strlen(user_contexts_path) + strlen(user) + 2; -@@ -440,8 +436,8 @@ int get_ordered_context_list(const char *user, - fp = fopen(fname, "re"); - if (fp) { - __fsetlocking(fp, FSETLOCKING_BYCALLER); -- rc = get_context_order(fp, fromcon, reachable, nreach, ordering, -- &nordered); -+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable); -+ - fclose(fp); - if (rc < 0 && errno != ENOENT) { - fprintf(stderr, -@@ -454,8 +450,7 @@ int get_ordered_context_list(const char *user, - fp = fopen(selinux_default_context_path(), "re"); - if (fp) { - __fsetlocking(fp, FSETLOCKING_BYCALLER); -- rc = get_context_order(fp, fromcon, reachable, nreach, ordering, -- &nordered); -+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable); - fclose(fp); - if (rc < 0 && errno != ENOENT) { - fprintf(stderr, -@@ -463,40 +458,19 @@ int get_ordered_context_list(const char *user, - __FUNCTION__, selinux_default_context_path()); - /* Fall through */ - } -- rc = 0; - } - -- if (!nordered) -+ if (!nreachable) - goto failsafe; - -- /* Apply the ordering. */ -- co = malloc(nreach * sizeof(struct context_order)); -- if (!co) -- goto failsafe; -- for (i = 0; i < nreach; i++) { -- co[i].con = reachable[i]; -- co[i].order = ordering[i]; -- } -- qsort(co, nreach, sizeof(struct context_order), order_compare); -- for (i = 0; i < nreach; i++) -- reachable[i] = co[i].con; -- free(co); -- -- /* Only report the ordered entries to the caller. 
*/ -- if (nordered <= nreach) { -- for (i = nordered; i < nreach; i++) -- free(reachable[i]); -- reachable[nordered] = NULL; -- rc = nordered; -- } -- - out: -- if (rc > 0) -+ if (nreachable > 0) { - *list = reachable; -+ rc = nreachable; -+ } - else - freeconary(reachable); - -- free(ordering); - if (freefrom) - freecon(fromcon); - -@@ -519,7 +493,7 @@ int get_ordered_context_list(const char *user, - reachable = NULL; - goto out; - } -- rc = 1; /* one context in the list */ -+ nreachable = 1; /* one context in the list */ - goto out; - } - --- -2.25.4 - diff --git a/SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch b/SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch deleted file mode 100644 index 7e782b4..0000000 --- a/SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch +++ /dev/null 
@@ -1,168 +0,0 @@ -From d4c22fcd5943fe35db648dee971f631d40b3eb94 Mon Sep 17 00:00:00 2001 -From: Stephen Smalley -Date: Thu, 20 Feb 2020 10:40:19 -0500 -Subject: [PATCH] libselinux: deprecate security_compute_user(), update man - pages - -commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate -use of security_compute_user()") eliminated the use of -security_compute_user() by get_ordered_context_list(). Deprecate -all use of security_compute_user() by updating the headers and man -pages and logging a warning message on any calls to it. Remove -the example utility that called the interface. While here, also -fix the documentation of correct usage of the user argument to these -interfaces. - -Fixes: https://github.com/SELinuxProject/selinux/issues/70 -Signed-off-by: Stephen Smalley -Acked-by: Petr Lautrbach ---- - libselinux/include/selinux/selinux.h | 8 +++- - .../man/man3/get_ordered_context_list.3 | 24 +++++++++--- - libselinux/man/man3/security_compute_av.3 | 5 ++- - libselinux/src/compute_user.c | 3 ++ - libselinux/utils/compute_user.c | 38 ------------------- - 5 files changed, 31 insertions(+), 47 deletions(-) - delete mode 100644 libselinux/utils/compute_user.c - -diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h -index a34d54fc..a5ada324 100644 ---- a/libselinux/include/selinux/selinux.h -+++ b/libselinux/include/selinux/selinux.h -@@ -246,8 +246,12 @@ extern int security_compute_member_raw(const char * scon, - security_class_t tclass, - char ** newcon); - --/* Compute the set of reachable user contexts and set *con to refer to -- the NULL-terminated array of contexts. Caller must free via freeconary. */ -+/* -+ * Compute the set of reachable user contexts and set *con to refer to -+ * the NULL-terminated array of contexts. Caller must free via freeconary. -+ * These interfaces are deprecated. Use get_ordered_context_list() or -+ * one of its variant interfaces instead. 
-+ */ - extern int security_compute_user(const char * scon, - const char *username, - char *** con); -diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3 -index e084da40..3ed14a96 100644 ---- a/libselinux/man/man3/get_ordered_context_list.3 -+++ b/libselinux/man/man3/get_ordered_context_list.3 -@@ -26,14 +26,28 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte - .BI "int get_default_type(const char *" role ", char **" type ); - . - .SH "DESCRIPTION" -+ -+This family of functions can be used to obtain either a prioritized list of -+all reachable security contexts for a given SELinux user or a single default -+(highest priority) context for a given SELinux user for use by login-like -+programs. These functions takes a SELinux user identity that must -+be defined in the SELinux policy as their input, not a Linux username. -+Most callers should typically first call -+.BR getseuserbyname(3) -+to look up the SELinux user identity and level for a given -+Linux username and then invoke one of -+.BR get_ordered_context_list_with_level () -+or -+.BR get_default_context_with_level () -+with the returned SELinux user and level as inputs. -+ - .BR get_ordered_context_list () --invokes the --.BR security_compute_user (3) --function to obtain the list of contexts for the specified -+obtains the list of contexts for the specified -+SELinux - .I user --that are reachable from the specified -+identity that are reachable from the specified - .I fromcon --context. 
The function then orders the resulting list based on the global -+context based on the global - .I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts - file and the per-user - .I \%/etc/selinux/{SELINUXTYPE}/contexts/users/ -diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3 -index 2aade5fe..8e1f746a 100644 ---- a/libselinux/man/man3/security_compute_av.3 -+++ b/libselinux/man/man3/security_compute_av.3 -@@ -97,8 +97,9 @@ instance. - - .BR security_compute_user () - is used to determine the set of user contexts that can be reached from a --source context. It is mainly used by --.BR get_ordered_context_list (). -+source context. This function is deprecated; use -+.BR get_ordered_context_list (3) -+instead. - - .BR security_get_initial_context () - is used to get the context of a kernel initial security identifier specified by -diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c -index 401fd107..0f55de84 100644 ---- a/libselinux/src/compute_user.c -+++ b/libselinux/src/compute_user.c -@@ -8,6 +8,7 @@ - #include "selinux_internal.h" - #include "policy.h" - #include -+#include "callbacks.h" - - int security_compute_user_raw(const char * scon, - const char *user, char *** con) -@@ -24,6 +25,8 @@ int security_compute_user_raw(const char * scon, - return -1; - } - -+ selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n"); -+ - if (! 
scon) { - errno=EINVAL; - return -1; -diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c -deleted file mode 100644 -index cae62b26..00000000 ---- a/libselinux/utils/compute_user.c -+++ /dev/null -@@ -1,38 +0,0 @@ --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --int main(int argc, char **argv) --{ -- char **buf, **ptr; -- int ret; -- -- if (argc != 3) { -- fprintf(stderr, "usage: %s context user\n", argv[0]); -- exit(1); -- } -- -- ret = security_compute_user(argv[1], argv[2], &buf); -- if (ret < 0) { -- fprintf(stderr, "%s: security_compute_user(%s,%s) failed\n", -- argv[0], argv[1], argv[2]); -- exit(2); -- } -- -- if (!buf[0]) { -- printf("none\n"); -- exit(0); -- } -- -- for (ptr = buf; *ptr; ptr++) { -- printf("%s\n", *ptr); -- } -- freeconary(buf); -- exit(0); --} --- -2.25.4 - diff --git a/SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch b/SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch deleted file mode 100644 index b0e712b..0000000 --- a/SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Wed, 10 Feb 2021 18:05:29 +0100 -Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions - -Describe which type of regular expression is used in file context -definitions and which flags are in effect. - -Explain how local file context modifications are processed. - -Signed-off-by: Vit Mojzis -Acked-by: Petr Lautrbach ---- - libselinux/man/man5/selabel_file.5 | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5 -index e97bd826..baba7776 100644 ---- a/libselinux/man/man5/selabel_file.5 -+++ b/libselinux/man/man5/selabel_file.5 -@@ -125,7 +125,14 @@ Where: - .RS - .I pathname - .RS --An entry that defines the pathname that may be in the form of a regular expression. -+An entry that defines the path to be labeled. -+May contain either a fully qualified path, -+or a Perl compatible regular expression (PCRE), -+describing fully qualified path(s). -+The only PCRE flag in use is PCRE2_DOTALL, -+which causes a wildcard '.' to match anything, including a new line. -+Strings representing paths are processed as bytes (as opposed to Unicode), -+meaning that non-ASCII characters are not matched by a single wildcard. - .RE - .I file_type - .RS --- -2.35.3 - diff --git a/SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch b/SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch deleted file mode 100644 index 21aa845..0000000 --- a/SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Thu, 17 Feb 2022 14:14:15 +0100 -Subject: [PATCH] libselinux: Strip spaces before values in config - -Spaces before values in /etc/selinux/config should be ignored just as -spaces after them are. - -E.g. "SELINUXTYPE= targeted" should be a valid value. - -Fixes: - # sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config - # dnf install - ... - RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory - RPM: error: Plugin selinux: hook tsm_pre failed - ... - Error: Could not run transaction. - -Signed-off-by: Vit Mojzis ---- - libselinux/src/selinux_config.c | 17 +++++++++++++---- - 1 file changed, 13 insertions(+), 4 deletions(-) - -diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c -index b06cb63b..0892b87c 100644 ---- a/libselinux/src/selinux_config.c -+++ b/libselinux/src/selinux_config.c -@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce) - FILE *cfg = fopen(SELINUXCONFIG, "re"); - if (cfg) { - char *buf; -+ char *tag; - int len = sizeof(SELINUXTAG) - 1; - buf = malloc(selinux_page_size); - if (!buf) { -@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce) - while (fgets_unlocked(buf, selinux_page_size, cfg)) { - if (strncmp(buf, SELINUXTAG, len)) - continue; -+ tag = buf+len; -+ while (isspace(*tag)) -+ tag++; - if (!strncasecmp -- (buf + len, "enforcing", sizeof("enforcing") - 1)) { -+ (tag, "enforcing", sizeof("enforcing") - 1)) { - *enforce = 1; - ret = 0; - break; - } else - if (!strncasecmp -- (buf + len, "permissive", -+ (tag, "permissive", - sizeof("permissive") - 1)) { - *enforce = 0; - ret = 0; - break; - } else - if (!strncasecmp -- (buf + len, "disabled", -+ (tag, "disabled", - sizeof("disabled") - 1)) { - *enforce = -1; - ret = 0; -@@ -177,7 +181,10 @@ static void init_selinux_config(void) - - if (!strncasecmp(buf_p, SELINUXTYPETAG, - 
sizeof(SELINUXTYPETAG) - 1)) { -- type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); -+ buf_p += sizeof(SELINUXTYPETAG) - 1; -+ while (isspace(*buf_p)) -+ buf_p++; -+ type = strdup(buf_p); - if (!type) - return; - end = type + strlen(type) - 1; -@@ -199,6 +206,8 @@ static void init_selinux_config(void) - } else if (!strncmp(buf_p, REQUIRESEUSERS, - sizeof(REQUIRESEUSERS) - 1)) { - value = buf_p + sizeof(REQUIRESEUSERS) - 1; -+ while (isspace(*value)) -+ value++; - intptr = &require_seusers; - } else { - continue; --- -2.35.3 - diff --git a/SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch b/SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch deleted file mode 100644 index a5a48a0..0000000 --- a/SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 9a04499cebedac3f585c0240e6cf68f786ae62b7 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Mon, 31 Oct 2022 17:00:43 +0100 -Subject: [PATCH] libselinux: Ignore missing directories when -i is used - -Currently "-i" only ignores a file whose parent directory exists. Start also -ignoring paths with missing components. - -Fixes: - # restorecon -i -v -R /var/log/missingdir/missingfile; echo $? - 255 - restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory. - -Signed-off-by: Vit Mojzis ---- - libselinux/src/selinux_restorecon.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index 5f189235..2ff73db6 100644 ---- a/libselinux/src/selinux_restorecon.c -+++ b/libselinux/src/selinux_restorecon.c -@@ -820,6 +820,10 @@ int selinux_restorecon(const char *pathname_orig, - pathname = realpath(pathname_orig, NULL); - if (!pathname) { - free(basename_cpy); -+ /* missing parent directory */ -+ if (flags.ignore_noent && errno == ENOENT) { -+ return 0; -+ } - goto realpatherr; - } - } else { -@@ -833,6 +837,9 @@ int selinux_restorecon(const char *pathname_orig, - free(dirname_cpy); - if (!pathdnamer) { - free(basename_cpy); -+ if (flags.ignore_noent && errno == ENOENT) { -+ return 0; -+ } - goto realpatherr; - } - if (!strcmp(pathdnamer, "/")) --- -2.37.3 - diff --git a/SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch b/SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch deleted file mode 100644 index 8cfcc2b..0000000 --- a/SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 599f1ec818d50ffc9690fea8c03b5fe278f30ed4 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Wed, 7 Dec 2022 09:19:29 +0100 -Subject: [PATCH] libselinux/restorecon: Fix memory leak - xattr_value - -Fix memory leak introduced by commit - 9a04499cebedac3f585c0240e6cf68f786ae62b7 - libselinux: Ignore missing directories when -i is used - -Error: RESOURCE_LEAK: - selinux_restorecon.c:804: alloc_fn: Storage is returned from allocation function "malloc". - selinux_restorecon.c:804: var_assign: Assigning: "xattr_value" = storage returned from "malloc(fc_digest_len)". - selinux_restorecon.c:825: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to. - -Resolves: rhbz#2137965 ---- - libselinux/src/selinux_restorecon.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index 2ff73db6..b3702764 100644 ---- a/libselinux/src/selinux_restorecon.c -+++ b/libselinux/src/selinux_restorecon.c -@@ -822,6 +822,7 @@ int selinux_restorecon(const char *pathname_orig, - free(basename_cpy); - /* missing parent directory */ - if (flags.ignore_noent && errno == ENOENT) { -+ free(xattr_value); - return 0; - } - goto realpatherr; -@@ -838,6 +839,7 @@ int selinux_restorecon(const char *pathname_orig, - if (!pathdnamer) { - free(basename_cpy); - if (flags.ignore_noent && errno == ENOENT) { -+ free(xattr_value); - return 0; - } - goto realpatherr; --- -2.37.3 - diff --git a/SOURCES/0015-libselinux-restorecon-Include-selinux-label.h.patch b/SOURCES/0015-libselinux-restorecon-Include-selinux-label.h.patch deleted file mode 100644 index 6550010..0000000 --- a/SOURCES/0015-libselinux-restorecon-Include-selinux-label.h.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 92afdbb47859ac019b8a4a6d6a597744582786b3 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Fri, 26 Jul 2024 17:59:15 +0200 -Subject: [PATCH] libselinux/restorecon: Include -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -restorecon.h uses types defined in label.h, so it needs to include -label.h (or code using restorecon.h also needs to include label.h, -which is not practical). - -Fixes: - $ make DESTDIR=~/obj install > make.out -In file included from semanage_store.c:39: -/home/sdsmall/obj/usr/include/selinux/restorecon.h:137:52: error: -‘struct selabel_handle’ declared inside parameter list will not be -visible outside of this definition or declaration [-Werror] - 137 | extern void selinux_restorecon_set_sehandle(struct -selabel_handle *hndl); - | ^~~~~~~~~~~~~~ -cc1: all warnings being treated as errors -make[2]: *** [Makefile:111: semanage_store.o] Error 1 -make[1]: *** [Makefile:15: install] Error 2 -make: *** [Makefile:40: install] Error 1 - -Signed-off-by: Vit Mojzis -Acked-by: Stephen Smalley ---- - libselinux/include/selinux/restorecon.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h -index 595e7728..faa84eb2 100644 ---- a/libselinux/include/selinux/restorecon.h -+++ b/libselinux/include/selinux/restorecon.h -@@ -1,6 +1,8 @@ - #ifndef _RESTORECON_H_ - #define _RESTORECON_H_ - -+#include -+ - #include - #include - --- -2.43.0 - diff --git a/SOURCES/0016-libselinux-Fix-NULL-pointer-use-in-selinux_restoreco.patch b/SOURCES/0016-libselinux-Fix-NULL-pointer-use-in-selinux_restoreco.patch deleted file mode 100644 index 7af42c9..0000000 --- a/SOURCES/0016-libselinux-Fix-NULL-pointer-use-in-selinux_restoreco.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From f232f9013f04234f0c9a457499ccc9ee2254d7b3 Mon Sep 17 00:00:00 2001 -From: Ji Qin -Date: Sun, 14 Jun 2020 21:20:23 -0400 -Subject: [PATCH] libselinux: Fix NULL pointer use in - selinux_restorecon_set_sehandle -Content-type: text/plain - -error occur when selinux_restorecon_default_handle return NULL in -restorecon_init. - -fixes: https://github.com/SELinuxProject/selinux/issues/249 - -Signed-off-by: Ji Qin -Acked-by: Stephen Smalley ---- - libselinux/src/selinux_restorecon.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index b37027640926..a57932c0602b 100644 ---- a/libselinux/src/selinux_restorecon.c -+++ b/libselinux/src/selinux_restorecon.c -@@ -1062,6 +1062,8 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl) - size_t num_specfiles; - - fc_sehandle = (struct selabel_handle *) hndl; -+ if (!fc_sehandle) -+ return; - - /* - * Read digest if requested in selabel_open(3) and set global params. --- -2.48.1 - diff --git a/SOURCES/0017-libselinux-Close-old-selabel-handle-when-setting-a-n.patch b/SOURCES/0017-libselinux-Close-old-selabel-handle-when-setting-a-n.patch deleted file mode 100644 index 3a8b7fb..0000000 --- a/SOURCES/0017-libselinux-Close-old-selabel-handle-when-setting-a-n.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 2bbacbb31d18d9856ca13b6e49a2bfeb34b22b1b Mon Sep 17 00:00:00 2001 -From: James Carter -Date: Wed, 22 Jan 2025 10:58:27 -0500 -Subject: [PATCH] libselinux: Close old selabel handle when setting a new one -Content-type: text/plain - -In selinux_restorecon_set_sehandle(), close the old selabel handle -(if it exists) before setting the new one. - -Signed-off-by: James Carter ---- - libselinux/src/selinux_restorecon.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index a57932c0602b..db56cc7e587b 100644 ---- a/libselinux/src/selinux_restorecon.c -+++ b/libselinux/src/selinux_restorecon.c -@@ -1061,7 +1061,11 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl) - char **specfiles; - size_t num_specfiles; - -- fc_sehandle = (struct selabel_handle *) hndl; -+ if (fc_sehandle) { -+ selabel_close(fc_sehandle); -+ } -+ -+ fc_sehandle = (struct selabel_handle *) hndl; - if (!fc_sehandle) - return; - --- -2.48.1 - diff --git a/bachradsusi.gpg b/bachradsusi.gpg new file mode 100644 index 0000000..aa060bb --- /dev/null +++ b/bachradsusi.gpg 
@@ -0,0 +1,438 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE97JQcBEAC/aeBxbuToAJokMiVxtMVFoUMgCbcVQDB21YhMq4i5a/HDzFno +qVPhQjGViGTKXQYR7SnT8CCfC3ggG7hqU0oaWKN3D003V6e/ivTJwMKrQRFqf5/A +vN7ELulXFxEt/ZjYmvTukpW5Li2AU7JBD0aO243Ld9jYdZOZn2zdfA8IpnE9Bmm3 +K/LO1Xb2F9ujF9faI5/IlJvdUFk3uiCKTSvM8kGwOmAwBI921Z5x/CYvy5kKEazU +lUxMqECl+Tu2YS6NDhWYNkifAIZ7lsUvGjW3/wfh7AvmAQyt/CxOXu9LL2nGzFhw +CIS4jVIxy5bDswNfHcaMX7B5WEyqTPtjzPAEMiLL4yHJZrHDPd26QHSaqtilVA4K +AeTYbME8iZIdacquFEq02PO9qAM21O48OknCTSolF7z6nBkk6l26W3EL+Gz5I2Et +3S9pab3FMjiiKVavM6UA5D0DQkNxxDn9blDXZyhX4HFrk+NnoETcGYFymPbbijgi +kFC4339/Z1aK31aJLkxiana5mqLthD4jCeg3B8Cp5IurqPr8QEh3FH8ZZhtdx2fX +TXHTmGQF/lXG4tg1eH5cb6wWGU93wD+5mf6czJlUZTY+kdevKtZCQnA0/2ENCOFW +Jdm/oMTUw6ozPd474ctzWKeO78e8yMvZst/Zp3Gq6SD9kcoPgiuMQ+BOkwARAQAB +tCRQZXRyIExhdXRyYmFjaCA8cGxhdXRyYmFAcmVkaGF0LmNvbT6JAjgEEwECACIF +Ak97JQcCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGOorUuYLENzy1MP +/2c4fH8eXWbqoot/vLE+hJ14k0leYOQhVSo4lNlxRlbKNd5MQSX/QjkQgJNECbB3 +LM0KxE/zwVOZ+umvmxLxNskOxjubE6NzoF7Sm9ydoqjwzenIpR9BVtg71mfjBOoL +PNrst7tHRE5btSnnnOS9ddt/y9JOIvQpkjtBTI2TfVcp2b4Domg7i4qU/hJ7hu45 +5oAi6rPPkr0pcGiDKTqi46l7+9orsj9Mxs1XTmrTMMB/eV6PCU7Fo4WJNXS8SXd3 +sEVxXvpyYjUTTnDuewjT1q8NL7anrsckS16WYSVGKzRhqtP1Vudt1F/D5cWKVqQp +vQl/XW/uQS2IsgEWsbRmIAEZIUOy4TnuF494C/A+1BbJBdUr4Nl9zPH2bjrJeqYk +TsvGQr1icgO4pUg5oC456htkqCxCuPRqqrGDAZBx54TldgPwvCo31+aPQJlOlWvI +uWD/depp0De3oTK9FDnHh3swE0vyn4Ht96+vM+KNnDYgJ1FEaw1efYePFACobvEB +o2ZpLbnDyqAT4MzfHpHSbwzUOk52ZOnkl/KrUIOxhXtf4dxRS6J70Rzb+HWS3rY/ +LgaMO5Q0BJfbvknguKmE8dO8jx0pTlVER9ujqp+bVPXmFMha1j8vyGhJ3eLJZaRL +k3jgfRjiUUb4lNp+hXpvBwIYeFWl5kFVKg2aPywgnnFWiEYEExECAAYFAlBq4WgA +CgkQ4J/vJdlkhKxmjQCfevlawFaGTx58nDFN+4j/2U6uaGcAn2g1sZcTUrEEYHdL +byAyw1GNLksOiF4EEBEIAAYFAk99mCMACgkQ/2iSBAM3HxDivAD+Lu8U54iGgL5+ +h9KpeV+ZlHgIpj4cD+BVL85L6AQ3GP0A/1TwZ1tS6Ag3ut2G6AL2wewR3v9Mgu68 +E0M5esz5of4oiQEcBBMBAgAGBQJPh9ZuAAoJEBliWhMliBCHMSUH/30V/E930OTT +oWeq+QKkTJuMF0lrA5NaAy+xWtrynMKoiAuM0KFNGPfrPehkoxR4D+MKXH+xh0j2 
+bHl6fXOHJCKZLhCtsC/o8j7kkjIJjixBlwYMul21rxecke7Zt4XpxHARJx4208Lk +ztpzOd7ZnDP6KYav3itpxK8Eyj4g8N2omoTQ2Dcd+sCa0jgRkyskpPxdt0fK0D04 +XW7b1LZkxwzwrAGSpjAZVzpKBXANcSmUQDAaIhGvYSKoiwVe2eaE5lUmvAaJQaTr +Ud/LCIwFofTLSaBRX8fEOe+UwvW36VtynPyETyROeTMp//Cm5e2CQVPoDv79soyi +E/oUW9DFDhCJARwEEwECAAYFAk+Oe6EACgkQlGXZM5TcxIlIRwf/VjfbN3eVf648 +vXvDctsXfucl37i6Yue2COJiGYuZOrN7wYxVvH2to8P3V53YV9OqDpJl2NXUro1V +iUjFHuIKp23VbtyBAYsrLeTMmHLjnXlaUPSr6JUDHUQhCF34BTk17e9y7tXlEshF +YVyPlGum7JhyarHB2rRdjQk8kyTqmQ4yHjw/nP/HlvVxdgb+mTmudTPVBafOT1R9 +MJ/SN2x4bclT4cQ0hjNEy/TsFzVduQj8yNOMFG9r6p1Vb+u1wn3BTANIh55R9aDh +3JFFIV/jBTkxukxR5iyGQiR53nl0e0qnQFxpfhFGclh0RktjrHZ3DBAzcuYXp540 +Vu9aq9QuPIkCHAQQAQIABgUCT4bdRgAKCRDCPZG7HYJE34FtEACfqPwWSItk1lNX +E0HOM1YuHXFfMGURF1AotskJatwtjGy9oDUQkjfsPROnWjgH9s0xD2UmlTrjJfWi +BdH0kTLiExVUOmvnM9VFMRhYxQZMwiHecm4FZ5IWUz4e05oGCkHFbMswXEoEG+qq +btOfLNpX67yy/JM6We+8PiXV/c2vaErpH5S8YChb5wD9lEWNM2aPBOUmbzONM1/f +EFd8AF6fUVYN7htuyG1n5zTv+oowmO2c0terJRGmMgVuLugIEnKKhaQ+H1K6bdZJ +7mX4xxx5izEyYeYhi9DhBHSwCLhWR+Yilqkc5U0nrF+3Z+Cb9THHppi071OIQ7pX +rGsQSpDzGRXCw0nKEBm0Li13re8cOoHMlPD0RHWZEIRZGSYX1YKBtVuv4kpSq8GN +85lZSDKGRNtbJBS7Qj4vyOlOrBO1eyyd4lepQCe2Ri3gU97rek52tOM+fAIibz7V +b4a0qbbphrz6PVMbDGiBxM92+YpdDyZGyL7wJ4g6DhRRcEUQahlZ1n7y+YQ60ETs +zt7+kD08Zi2BoJpiMHsFfoas2pot7VePFxGutwvq0p+OHSVlwkLgOaORPHumLA8u +J3BGlJTHsErUB2EEgdc/Tv1vsZzEI3Zi+hqw1gcbke21Ii8aDfshbeKW9hYJAhnW +m8VdF3n80UX5Eg56iybrLCjEyiAEYYkCHAQQAQIABgUCT7yYRAAKCRBOBfZjp6Qb +nnyTD/4gVbq8H5ka7fVdSAnX65/kFn5xkqGzbpCkjcqe/5uI2CvdYtjeQ4K6sm7I +5RLoyu/EE/JPbCRHiucsEak42WAZSRte/Wn2yTQpIb0mQ0wXJvuM+Hx7DSx2R12P +9rIZ4mGo/rEtdG7Y9Vog9M/XGx7w5IqSw2DF2yiYQJXsOzHjphfYB8JfoqjW/73k +n4E2IRJtCuWhfiJZJ+GEGceSBIredH3o01ThtbAeh/gzPRF3FU1361zyA1sXtmGe +qwnhNL1spHRlpub3cvAXQ8RSYrNdiFZB5zohNt+iL+qzVWaUJo+vYZal1Co5/roI +HN5nJef8kp1ngaYKvf1hIVvsdQsilVQIXKFWMd47aU6W8gPr1W2+U4yw+q+OXari +eo7gpH7/OvMSe/3wOhGVD8KJrMwAVnr3M4wo2CM6zlwxPGdltQI+IxDD8NTGTmNT +rRARYRQaFQyqd1SrVt4sSkeoegrpOG4oWXya/v4SeXHD4vt8vvvX3A4szB73a355 
+IfbyRXDER3EfFfW5c+BnR3bxhfATTE6T0AKz1Gq30Xm2ycTGYCAZ2yBKewaegTpx +3O/E6APTXUnVWTIPQay8T4iVUiLFs7W1UFMY/RvmIvKKFIQWcm5O0L+27PJK+YSx +Uoo1Ivt1pclTuetbRbN8VnR3K9Pp5uZ4KLz6ZkffmJg2sOSu74kCHAQSAQgABgUC +WWMlagAKCRAyfirUINN1OOtFD/4jW0ZMGigpruCnvY0nr47rA12X6dJ6+KIBE+XB +QxuaQRjM5u44geksDwrqZ0nXrNvsa4SVwAhKVOrgMJVdzvUa1m2yeNCFHOTjln6Q +GjZ5f3a6aj6n/X5tlPptdklUr9ucEwXVd5fFMpWAiwaqZt38I2u0Pi+/qHDt0kLy +RSukmRPzRuS/kO1ugGO4aoO+sanVDl2Pq6LIwubL1Unk2HUerg8VCAyQrxYtZtHc +coyhmBTlAb+EmZnUVbQZ3Uy3eA89OuNTBhJWCk8vqROFm257MiH6gvG/V8CTrJfz +lpE+s9E6kxXhXpQWZUwtwWObq7vrJVkJhRwBsO9N2erxe+biBauFErYQPw3bg6xL +1BJLxDWnKUlMWs5o+h7lyjp+1B/gbnnlrUIlpW8IKVZRHwRUPGRN07SbbEO1lDk5 +uJDMk+r2KrOUNVYCEp794P014xodkLvB8X7ml6tcABE4V9d4uVDX3SsktOLMvtWg +nL6xWMoBYiVOXi3Rsm8vESBOb8JFQL/ItciUyAioM4Zjq5eqotVq90HMBO9kqcjC +YsYEs6RACRmyE+TNmzGoucIPTwPEi5Ib4gj+LG6iPOBprk5DSjD7F0/wnQPoq8PY +HIufb4+PgOXKf/ROQXDRLeD6eZBtPcDUJOgW19m7QcXZ8fvo6B91COe9jTF/H/i3 +A7NjR4kCHAQTAQgABgUCUQZ8hwAKCRDZsFd72T6Y/MoUD/9xxmXbPL2Zto6qECXs +Q1GFuydiYlURxDsVUiuc1tSgEoDb8XcXl37l/IKX1QmcpvHMPzeT0g8sNwIXSnL6 +BNCnFcfrd0tEz8uBPxVnzMiGwaHP1kB6Vs6sNV31+CJcTz8BHHbOdXZnhHqXSb02 +SonqAYeWVSlE08Ejvq0HIWRn6NIGdGqv6icBExryJjS3ZChRFpvgAJwsVO5f6BKH +oZnEn79uQR4XPHwuxRbm4hf6iYEbOhE7Hod6kTzS9vYIhyuTFTz5Kz/YxlMoZX/j +TIYsX0nZ3r+Tshur8iUXJhKvvXVlGyrGO2HXfEuIpJqEx4/qM9jUNP0EE7aPzZ6f +BP7Xq49Dx9lnZuSQ1jeXxEEpO+AND2xmnjCHr3EfgYZrrhCSxMQhvJh7wypkzu30 +D41BHPOPSotmM7WLceHWmYui0Wuq9X2hom5jq11XwACEtmNiP/odXjF0ovfK0d8l +j/kivgrXAZdN/ONJapVSLkRMS71S6eln+urR9HfswEfM7IPt0cRwN1oNIhXmK14+ +XBWvvwvalfuxG2UfxD8K0JXMwARlpGlV8lXpuzDV8EcrvLipKpqiQWaJer64kaQb +8qHEtT6+JNoGkymohrfeVagxKmPzDWR4v1a9lgZwY1FTRHNVPM0P8LWlN9q0CrYc +poBwkhTMV1YJ1OBSrkM9IM2vsokCMwQTAQgAHRYhBGMZHOlBgwmGicq4237xN+yT +Ww6vBQJjLRkzAAoJEH7xN+yTWw6vZSYP/36Bt4QhRtIh6HPWbHraFSl4omnuISu6 +lTHsqhik81nbIUiLZ5e/KN6ONSgD2jfMVQOLiPTQFOoxVZvOjaHmHvMuF7BCbr90 +Afh1qXW9txuPbVkhtC6hqIMn87b8UHEnt1l5MiafQnPHhoociqaqwfls/iu0nJGu +Jf5eVMXpdeWRk+ckGkqP+tXp/0G933jibSdYqwG1Tsw9D98xnGV3a/+zIqRtJflp 
+HPEjHPT6rVKAZxk7gkYSSsv6ONBwZHqwe9W1I+U4t6OPkGo5kNbMPBORB6/7B2Qo +LHx3+KYZs1j6glI+F/8IX2+JSFs07saMnsDhE7w5FzmwWV2JcUt42RSf8DVub438 +jgA/Ht5yPROEJ87de78aD/t/gPq/Gm3bnUz1BW0jxBidjqg1qPOMYjC7n4dH8X0N +cRfX6tWOdSXmDBbPg/vQi6CEIhsGVisKlnrgYi1wDZExU6UVMnBNvllUu9PXye+7 +51cIbrb+fwAWiwmu+AsL0qsjxZYo+9ozOLh9wLUhxOY5MZM82alN/mlUGzEiXN3R +i7D3rDrNFHdI4LGGLbO2hjPYrG4hdNHS+6WbU6qYcpBEhrqBtnUjoVqIKP2boBLR +ara7hHqVO120s8kgGtf/AoYpggD0H4qqUy4EFNjVdcL5T08w6ldQIYo7CEa1iHFt +ML4bsPcJh8lciQIzBBIBCAAdFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAmMsvIwA +CgkQVeRaWujKfIqNXA//fjCpyIPPd6RnJhagWH8XCp5NB4cCT+LqAIR5yZfz1QE8 +Qbzpoobz9ysgXZ5XjLp/lbVffGyg986j0wUtSW1+g3kJcYXBUKjSWoBwwmZgyZky +95U+uklY8CdPjSeuzr2I5X/LogHNH1378d9aEmQXBfX1uW5g4Aqgnl0OOgkCVzgs +FFOO2o1j6svrrDVG52/mwXhNRm0yYK/hFB8T3PO2IvMQGDGJLHl6N5Kl7P2jtkyF +Isi4AEzJeop/2GJYXQ+VkUTSNRKQj8oOS5qe9/0RkF9uqeamoc81n2But8MZN2fv +R7ug2EuG2LHp9/pwu5ekohXmY8EtMbVbU7TYKgduK0FMBaK36jXN4Bapakfxr1z5 +pwdDjN4QiqUefBQlG1CJ6fGrqbdAupzRRDqN974rs5HafnbxioYRYjoo4H0zC8XN +UwgmA2wrwIIY/cyNCSnUuT8yVAnroPiFgmMoL8RM7C5pHQYh0u3fXPfvNBswjXmR +pJ6mhTqG6SS4qIaPhqoZqA1iyA6+Ua3YLBDT5wqvuqNMnfLtLUvMuridmlj97cRc +srQIr022NdpafDQVAiVhZO0CRyFd/++XT35iiDoiv20+LewC0VVza466AE1fkAme +rKlurlET8U/+U0JB6IP77ErjMgCzotV8e1DJkp/M37nMeNzazAb//ovsdkNM6P6J +AjMEEwEIAB0WIQRFaBEoRJtl+IDGF5c6hKlGtLpirgUCYy3RvAAKCRA6hKlGtLpi +rvhHD/99Lvgf+CjbhwC87CoKX84MyAyBlYACCSuySQBnEsVigz8sCVyTYDx52h1h +/SEj7XfTylAfIl1CjUedH4w3hk+7IN4scmhf5eeEMvQd8q+Q/hWQcXIUpwgKOcVD +NbUgYcbakJAPtilK1CeQvDdBD+aYoMsJTsII/f7FJzwjPM1XGf5EoODUC8BtQf/W +KAVoESwwAUwN6Y5XeYSwMqu1s7IHs3yNYLV8C6A7EQPVaVVlORqI+33rKyqAhK5X +ErNvAREQPYJMfRnQlIW7alSORwdG0JBgVLgV+jvoFo4a1AQImHDDtKxs2X5BCVG1 +I687uYDBy5Assl/VxRMIUpx5+zWvXyDZX/6nlL7AMokTlyosgP4iiifBS+5KMhan +phMgnDXYIJE10V46Bdw2tjd7wMKey6BcKgfbZSvU5z+SuVnQXCyl3/blRML54I5o +EomXPg6lgVxSb6BBnaJXzx4JKgLer5uom1OGsLgPMqEHRoO3bucr2xFdtq1Zegw4 +9S3qDhQ3bn8pg9JlYwmAAhBd3Xy5cPv01mV6ompOQ38SlMCJzcAGASdMw5scaxUl +7MloV2Nl32HIzPjK47bF7aVOFX7Tz+rEFLmJCchqmUSdxi42rJyHKVRqiAlNfZ9S 
+9FeaEfU+vBxOHsLNqVO7ErvrTafT5fjphZqvUTqZGCUiJUjPnYkCMwQTAQgAHRYh +BOJeJUyO5NMDVUv1r+xwGh2klMXrBQJjL1NOAAoJEOxwGh2klMXrYaIP/ifHM9eU +UT6JD0m6Oa3P3T161NhOvNqr71LDSztClsWo3XX0+ZK3wpjoC6vKqgx0Cc8OL1S2 +GqwCaxb5JqWpsoqR3NW6bTqTTUGREj/e0JHDeBzv57OEUTe4ea7qzqjhCX6iyzHa +qDP9fiAogMQ7uT2oCghDV5yo4JUrG5brw8GkMLEvRSs2BEv7xFAySRaGwNj+oziZ +VzL7sBzp1bCr5cwNZVYxoo3VAv6FUcExp1TydxzPVB8/VvxOa4zrht+hFTn6mjUi +NHBc7DYECgh4jlDR6TnAdvpg0FsujTXiN6A0obOUl9jGz2uFmdY+2ojlVtzqKXoP ++PDz8o2zMrRoQYkni9VyIc536E4OFIhfO6CrThMjJjPNn22Tq+fzRYkWTrlJom9b +nOldQ1BdUXQt2QNigdzqjhZTIgF5OEOTERh80dvwIbZ+7vN00BOsuncR5GUBQerU +F6+SksVRAaOg2lyoDdxUQ+Z28RU8R/n7VjMV8ctFkQvHHLBqKkpET8LRh0C/jSNh +gB8zLPc3Oa4wTf2xZWO58S18esbYMr74vRYrsACbmwxH5Tz+L6Br70Fmcz608+IQ +ESKW3657gemZgFud3AGokzKG5AuWykSinydiZbK8MRGLsdfPUojaVIgXFqnWKtkH +At9gkD8YbqGYzuVwBnljBNRdTUMk0ClgV6pjuQINBFom2R0BEAC9k1Ky6AIe9sPP +xrgsrXRe0dyYcoHufzeU3jFssl3+S4cRuvYCzdZfRfdjfHa4n+CxTaOd7xkefwJg +GpaR9KJbu8dqHm61GIiS5ZbMCRU8FAW6ohVeDqEwFrPAzZjtO41OTpeXCrPu5H5A +Tg/kDnabzlD2H8JWAqr0DYRRhFtJUihXUey9zK03wSjUi5E1+YHUC/fOpbS+msNN +945CeQNBN4Ljap9Q183Fkh0Wm4Q8C0OS1WN8a0XtqSALRCGAZ+EV6UrmQVP9PCC4 +/J0hoKQPv2bfpBAsrUGAO3Fnsw7804i2TY7O3JA8gGDYX6fwOVJMUXdD7FX7LM2P +pESqAdPrjqmPqHT8cPfq27GYgqHv3N4hP9Rjt9wxmHYFbJT0YCHw2ZMiAO/VcvvN +miGr590ZFiQEb1MJN1r+h5UDE1CtF6nTieirSXi9oMilHlo2NY5nAItv/T9PKk4X ++kaH3UoicMxrkT34tACGwxi4VIRYWL+ZquxE+bwXqAvbGJ0p3XbyREURCaO96J/2 +w951EvZErpFRQu4zzClmoMiNbwkQ8QdesSaqjMirlHyFI8T9BZrXbPazdVNUwfyR +LFil1q/kgXjXeJDoje73UiyGhqhlVOlEbunGzCwEBzrtQdPTDeFQr476/4pe0v4u +gdNYkL/gY8Izodn47d1XH68AuRSrzwARAQABiQI2BBgBCgAgFiEE6FPBhIsBhc9C +hk3zY6itS5gsQ3MFAlom2R0CGyAACgkQY6itS5gsQ3PQSA/8CZGTxQDbD2oLkGb6 +tyECIs5A1RsfwJ9aj0R/HuEO39ki8yM88fwi8F5AfzNcmYwp0rxyYDDYM0itObSv +A9WBB8YFZ2PKT1YHrwTzWbne+spmQYDRdFt+0Kx0JLvgv7SYvQ1jNdCazixH1SAM +9O+Tn5oFybVHjRavWsQYHp1CvXY5kOHOEDHhz37pGwFvyVyFdSYS5PWT0+0XU/g6 +Uq2HeFCurhUGuDXJ6WA6Ipvmu0vbi8GpyeiWCRoG76sqbBfQ7dd0oDMUHitewWGq +LP1Kioke9hu5p9CbkjYwGZjJWZEV6WHxOmICfFcBRPeIJyO8Kfa/vVBfQZj9fhqs 
+3sHSfAGIdKIB3tX0qKhMRdu/QoM14YQ1yK80JTUUOcrKLDt6QJinF1UQ/OcYQqGB +CXaRk1OKGFuuij16QudnX56+aYbNPltf7cLs1O7aodQcRxmMSgxSE/2ckthPYBsX +PWuDMYZCb3e6JMWsdnCI7iPpoPFAJmId7SWJebXZxntoX6YwZ7Tx58/QMLEqxMfE +ExQTAFg8/owvxCG12KaharLr4GpLx0aU39QEJenG1LqGLwiQh9Vxsejw+MkebZJE +6zhs7XBpenrd5c9OFOtb/Goxwal/6UXz7a62jZ7wDNpJw9xOfC3/eX/56+6dLVef +RFj/LOIu9reM4boTiY2dmGj1QC25Ag0EWibSSgEQAMhQB2Q329FSozPk7V6dYBO+ +jDBMr1jHWvNMCR/2DkwXfDAKK3haSWSqr51/wua9skFRezQvc9PhgvOIJi1jsxRf +xNoM82a2OpYJdj16FG5RVQ/ApojiywNvp1YPJbmq4DfXSuUA6q+OephsFLrx2cPY +nyDQaI6mrqTBecET4cdQTZK0nKKUPj3U2bI96zTBIYK8Kr7GMKXm8R1eV8bktwHT +HyDjI7hN5EjZViYqZYDQ3jt2vC1Aj6XpFw5K7Sv6f0l91zyjfcu6Llsfo8xtRhAl +lub8EBuO6ljJ5uWqDgjqTOkDXcIAUkhUCg8ztweR15zgJQQ/On0XDcHLtyi7zuQd +xNaKYKkD3oROTqce+YbNN3qnP4bV0qa0JLlTOrE/0/zmif7Q1zYOidcmMgGeF6Gp +pGQkkxY4gSKet8kD8h4AZXGlpFu4e9sue1ENDRmgWaqSzIWudMRZ3z0/s9EGNNiW +60nwJ1NBoySeQEmnwMzAHXneRM9pRGQ1S3/CKttq/0eWEH3Y/Td9xi4DNvTXcvgJ +uUUwoclWP2PCPg3zE+EQ1q/Kt2oYrT8NcemM9EO8btNzJ/Y1wSDLFAFNikHwYjTM +86jWoeGhSM3fD9HJjfqoB41gDKvNIVlhQavhe6df4+AoCo/mGosLYAPFaHHdkmqn +eT0Y0BnTRIS9yLcO8CBVABEBAAGJBGwEGAEIACAWIQToU8GEiwGFz0KGTfNjqK1L +mCxDcwUCWibSSgIbAgJACRBjqK1LmCxDc8F0IAQZAQgAHRYhBNalthyaVTQWgpLb +Z74iCR4+9iJ1BQJaJtJKAAoJEL4iCR4+9iJ1D2AP/1VMC8KOmzPYyiFY+1xHu2rv +siB0f80GH1jXwDSM/IKvsH1axCD0hMV5sSi52epCov37czSlR3MpQjo0xK32wJB9 +26AgbzJYZO48qulDUXUhPWJ9bxiyIcxI/3KEspY1RMoWv8AfYA/qSma1cSdT4IMo +SGJzPh3RyrUpeFP5QT02oGa5TuSQPiJwy/b9u+RVOi1SSqzHMJdKzZehGays65Pd +jC8Xtf4ipdYRBr6mIyUISOB+FBkY2MttFzNDUBdDrOepyjStQLZ1vUXnYKIiSRHX +o3XTW/W8fh72o26zeDbQcALywQMZqnwtrZluzKHZxF07whKmXvw9pUHXX6hbJDvm +GVMxnB/F6grPNi/V+Bv75sKOdImgnJBUp1Jz7288SPbNQwrqFKV2ZD3f0PFmolFj +Cz/Oc+UUk+swfnsT3pV6LClTThsOH8WlKJYxZLneX75HuVx4CmT+qv6GlFQuixjc +H0LtsbbSjAx7J2LRNVtfI+2DfMcIi8KJxe69MAKGqqxDyDPSWeFrs0MHmyD6/6m+ +GTovgUT5jOZbR6GVKelW054bmby0zQevWnRieANVeFoFsnwclJnqKIRzQiGod1p1 +b8HhSCw4nOeOQSifaOf3zcnFhYyByDMOtl3/AqGoLp/61u3Bk9h+BP4VPR3RUWzc +ggjmxJM0MrLzjaSXSedjzuQQAIq9g35FGpnaB8d/EjufED1TVSOkvNK/qJ+dD4Xz 
+f5RvnbprofMnzfEyy8jJ1Vqc3QZQU3IDQt/Un2ZywX0OboKGAIn/gyfwdkpnxJ0j +JoxRBuMplNpfNBw+oe0nFuozO9idFozKM+SWoE051/jvGHp1FqEPLnAAGeSbWB0L +RlAsnMjc5u6+SKHeFGRKYg7U0sO7ZKbVIT4ZmRnsQLDakHwbAgfcIakh9Whj0Ou5 +r78Cs+DcM3XAdtZ04d81jV5TsveR8/Cn473c6dvPIfnA2P4uClTCaCDv+jXG2f9a +FIuJhYCO+TdYs7qjAsXWngJUebRFiHbfSuYDw92/eqLdKD1Hoff4MnW5YOtDpp6E +sdCDuINeRtUtnidw2vIPezX+xdmycXIq9Fb+GvKrIDsKu0VO8HObVviLa/RE11ds +EHYlrarj4mqzS2MhvmU79Bazg9rDDB4WVs502n3uJaf6Sod/+ke1c3ff7AUPox2n +pjH/bVmkZJsOq5EqcvlH3m2FZUHSFWS/yTR1rPuJoHBMHVc4OPlTuSqT3qmKL2vb +vD1l3D4zHZs1paRLddYXiaex4qPU/0YpP61XU070MmFGYE8Z43TbMPHu/6LYBpw9 +p5Vj3VZwn2edNl4LGx+05hIABzM23I7JoQ44uPoTbohmYXF/DUGJ6h2LYdp81AVC +lSFWuQINBE97JQcBEACpbBqvDl8J65jEhPjOWczcDVB+WfG7GBHB7T6RxSNFIahy +mDqzx73zZD6n4NnZogPDPopYdRJ56u5AfF0bDZlgebl8+VEgPHGoay74Gf6k0B+c +pEkp5PaWQHHEqXINotVg29hTsf1u0sb+yjgcc+9WHw3MtpChsgk8Rc5N8Xvr1FJc +L+xynSvUCcLIwfgvLHYPPBYGIRpvz4ek/zgHvaGftDfnyMwrMbgi8kadrSb7PQgc +eWeTL7CQN1B88TPJFqKt/QxMdXaPy+Cr3P4XVy5V3/QEVFUizrtCCqJgxHMAeCP5 +QxwYEWmA2zxUzGA/t/QUDFbccKt2BdpdKBFtHLliE+yn9FHw98JayjhAJxxeCkrp +MED9N2aGHI1q44sbmeLKQ8EuIbCamfq7fqLXgkEy8jgivv2J9YfXejjjEobGLkss +Jlxaq9JeQgFEVl6f0jJ0PgkYPd11RxTcVLy4RB417cxc9LHcoKdAtcgBTcZXPPYO +L+eM9S7rTvFTna9IdF4bbnJFNjHDMhb/9XomxxBsekpTUXEm2DGoTpO2W/jwWcZY +LVrdhikkkF8b88EdWk94fUTcFA90I+Ch0YbS8XGM/WIklrMGa0JpA4OQW5oMhKDn +gqAcV7gxRYt6ylBPVh94/AIMz++wmfqBxETFP8HMgTVEApLBLjwru9B/4lRStwAR +AQABiQIfBBgBAgAJBQJPeyUHAhsMAAoJEGOorUuYLENzegsQAL6NuhGuzQf2GELc +O5J8/BW2yF9sxHWDLrw0Pntq8D35kgGfZLB52tN3DI4NwL0vE931bXC7ovi4kHPS +sazv+WPUckYfJ7qskWVD1yDtHsADduwudJpAflfZ4VIvMJqJ7FUw5Fy9ennw/Idp +H7LC+ubn6XT6Kh9oKvVmp+BQEOsdisjVw848Thik+gS08WvAjK9m+g7++FFwKy08 +5iXuuqZpvi94eU1QPvzxzzRZz6M4gQaz+pCq/5yf6I+Hu8G+5nq2foFN+G7FRkx7 +KJmJ3SAEsG3M23V9MKWON49ZbhTe5xW+1at/TKKoNGzNIYs07jApR2/E4J57yMWj +zsAqg77hTDRiV0jhHl0DJw3RHFi3z+SrK+6ie6mrq8WEPj62q9qdM8dFs+y5X3UT +x0nxly7GjOxxhi+Nt83PAG2wVFpqmhVLuyPnruvxzyrVFc8Dvx46DiKCzt4PPK/Y ++jnVIQ7Jr2Jm2ZCpzZZT5QNJuDp46mKHlNBkvSy3q3+pM6cM8vKSuCFd9+dw3dX/ 
+GptLebMrPOvLVDl4Bm9hSmG7rLpJy8U8Ns8pYSS1zaxHM8KqMaPuS/Zlx1SRIj/E +afefnHd5fIlmsH9C2O5fb18SFjmD14FCLcVTG7bwh3ZfbGo9sOJSShPxppPW2OoT +jwfANmj1cSg/VFr1d4HAEc83jFgumQINBGNZjyYBEACk7biPgvCVldNWq1CwVoJa +/Fvc4T49tqxcc/sY4uVlGo6oSi4fQcXE9XKPPBuRLmvpmMWvODQLzPxJMWUfJq6L +yYFmX2U9VRTcyITdmJs8itkEaDwq8BtXkeQfUDAVSFy6V6/uvVmNWD7pGXqJE1Gx +uV44Ihlh6v2YyqSzDG/rZur771hke8VZmlKMVMs1RSeOBA3nUmvZQ58+uqkhJNYq +OeQhxGIxDOHo7QhzTG+SlX+uQq6mzACKygVJJl33toaUwVAX5R02a0u67A5wC0wh +AoLSHInc3P7ayivWV/iESAz+gMIkuvJWns/Ak14J7MTGgjD6rle7PNMsPDCCwQSc +qA8F0x4OChCixbZGZn6Mr0u8+01VCEe2IjJwVUfFI/G4n1FZ1RAdqjkHfZJeD20L +GHSbjJLcnqLLFx3LDpI5dAxo5K2kFvz0VowrB58aHoofW8/g8yZygGQ4Zpw4JnpU +maPnMTiD5yvnFzEihM5L9DuaWqSK3sb9qzoaXABYRYI7OmX4B5nmMzFteHHq0tMt +aKWf0HkAsCP0BLJcS9Oc1/0I0+gC4oKLRD8a4+kaEpNr6BXvWnj7Y1h0Zr/CZS6+ +gi34CxWMl2Q34OSqtS37mzzBu+UZxffPR0aV2RXcEpc0c5HW550Thq1NF9EmFOoy +eG4J2ox9JRANZXLh/i7mNwARAQABtCVQZXRyIExhdXRyYmFjaCA8bGF1dHJiYWNo +QHJlZGhhdC5jb20+iQJXBBMBCABBFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZ +jyYCGwMFCQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQvDkF8jUX +nPGeAA//ScQ3kJMqI6FRULXo0aF7CpafPXVWdvj+mfQMlZzuGwXXTmM42T0DXnXR +BSjstWkmOXP/UqkN7bNeXH/S3D3GCJ2l0qx8Qp6fP0FloJIbemyxNtzl7yvAE7kW +vuBuLvUdm23cntv49gAzj+ElDqCxtT6A6qaqM6r7DLUvw+G+r6gkeu1hNQbtRpEK +9Dt8tHriQyI410qFRMbi3QxU+iTJ79HXwrXiYpX7V7T+ugiU9lgIiC/hWJCo6SY4 +knt9E6zhegUWN6zErl2HY8FBM2P9eHOTqToEOAhKeM1fXZvxe3m49fGq/spmRM1R +UUl1V9WFEaMiLg/Z2rmbD8LX9YtfYlQCbEwyX2nkIP1QIcr/DEfcmCA2MXCQCgsq +I/2XS3BTLPyjuqAYnXxrk+T/Cydcg4W3ZBYI/wT56GH02TQzB/wJsn0cW6EMG46V +SDY/mZ2/gwi54G/Pqb2R3ZC9I7wQ6/FFxuu8myI/QVmEiTlvTxBoyOdNlliBQxCk +Dczs1rxd/o8Wfjo1vwRHW84jZrCP3xr7xPJWuzsrmPU8kFHTgepGoY+4b/h3jGwl +V103RpRUK4JidwHsmYDVk6pgeUH69hf0iVcbFfKiViFTR+DwjbAOxTdsFgsYYn+7 +hBj2l+pV/uzeA0akL2dkgfJc9pAf6ItRUnGC+RlntZ0Pf2NbwIS5Ag0EY1mPJgEQ +AMRQDbNHBQ376nDF8miBZOAV1txpmbHc5D/X63PNapP0P1/I7SfcJU9D3wX8c4vm +xkjEYtH23s4lmT1VLsU7PisS3MacRemm9pL2bD53hs9XQEuU9OtJsZn1ZJ+Ynh6i +5sfW1bG3OiV/TWgYXW66GwE1hn9PuP8arodUmhEft+64G2u8Xtxr5yqlQJEUThV6 
+280OJrxVbduaMi5C6UNeeGE5wuhfrQ0TNYZiwQ4KYbU3QhlWhHVjJlJ5hCLiktwF +DyR24P+wlTIziWA407mo2enQT+mz3bO7Paf4mBionGsJMoADqBThf4B69BxjJ7Yg +7oQVIZ7560YIRRmNo4tk5Mhep11OtQgZjZJR6MhWDaUO17w1qScrOPRj6G1IXP1R +5NarydJpLyAVb/5WFZ5jxUGMGtq3mYn4nKbbHUg2WzvCJvPctDE6EV2vaiRy5N1f +QjsHgSa29F2feh14p4ngFCmHjpdbcdjfv6rWL8tgkSpQlDdeHRRd1q03TKAg/byP +auAHKzvV+iWlmw1f6KBWjeTn0fofmk9eeQ+P1j0a3/XTxMOjB34SzqPRWzmLPLF6 +YmujBK2gymM+JLirJFFzao1i4lgmxqkDhQoNYHXmVYEd7w+/qUYbfKwO9eJOWzuU +WajxvJ1Vgv6z4CPy9if0gwfhrx0OOcIpBE/xZU+SwQQpABEBAAGJAjwEGAEIACYW +IQS4aChHdk32DfUtmSy8OQXyNRec8QUCY1mPJgIbDAUJA8JnAAAKCRC8OQXyNRec +8a+qD/4whGQ9J+td1iLFMpNRAqvuGtTnM6shZJNnC5CB56Cu7ElIpr74sk0R98Ia +1pJlBcLALbYSrqwluZaLiRVDPdub6tGSRVssqQdZcKThz33waTru9IfLhCrRSNd0 +ZMHJaOG1ErU0noWw2d4ifVJK+vvuvMeEyNm4H5pZOYzYeikqVUYzS143cSzMEwtv +PSdP5JkTQi4WNF09khH1D+QpJoXEgVEQla7Sr955Zdt3q5OlpYxxw+X62vslZ2OM +iKZ14kWVSRbVQ+WdnjtRYS4vivB6ko9QL770jZ131hKhC/BcWpEYSjfPpVua2oKb +ccKHXheIFEJ06kGkMeeoQPxmzPRBYIw/E+d5sZp7YXDyBGOAxBeiOaOnZ8vLBzy7 +2HFng3oB3hkVGTTHq+PsHdSSaRME3QrNpDsaGeSjw62FG3I4zK985GtrXAHEzN/F +fd17srl4mcRQ+8QM/a+XbF/8ugjE/RHhhFf8sWVAPutYzVE8lF+uqcduPuq/rTcU +BuzSVjnSRfXWqCokjh+ypUpHNUO8fZDzkTLuE5rwMG1xpPueDBTzvoGDQRqc2eoX +pJnDBmdlz83zHsoR2gIHcdqyc/hCV+fTvR8E0v9ZG3Jr6RFgWdD008PsGxUevIDg +MAYFwasZSTofEnzg49/WeIFU1rGB5HZVlmOJKZnKRuBiTakEP7kCDQRjWY9xARAA +rEkjlUH4hoSQAkVJCWWk+nF+daAP5IszrGEQH7TyOVwXbRZndSPFSUqKU2kEgHbM +m+wFYoZe95h9tjDh2sLCs338pVu5Chhz3dNseTF7/rbckw2rCU+JbalEiwck7tKL +qobvbh77jnrbQnkrZNc+nMeHHLrYyc5gHW6cSn4UlU42MKmTlSeOG4Ly9wXhgaKC +heIXNX3U/D682Tffl7Gopcm7pPZF92dwY4nIpCxU2ATimkSyulbhzk2CjZ1JYUJ1 +LHctMHm9F0LEGtc1GxDShzVZP8dOWpDs9BBwZDLXxCzC4rvZ+z5BJCDFbuNTKZQ5 +JEoW2sM8yP1LLZGXz44hsab1aPrvB3vcdS5ETP6bqT5267ZiotdhUifU/pTV5ze4 +7wNuaZenQtGd9olyh2dAqOk2DQrcBQFA0gRp55b4U62hLTYXxT+7jEbSVAxeXDPR +qPvqh/4kVn86llYjV6dAoASN1wWz423QH3u4ZK+S6g8HZ0HrY2+NBYgqthb6H/X6 +FiF5VcHWstkk967g4Xt0PgN/rlCtpXh4WK9sScX/CFdOURsHlb78ZN2LexaYaVBq +QuqvfHaAPJaIElXqMheZ8aYrO6Df4yzJ+6eTs3s4PqM6EMir5waFonx5Gh50X4xL 
+9p7IVqgNPhQsU8Z5U5hGYbmUH766GtENv4CI1upFA1cAEQEAAYkCPAQYAQgAJhYh +BLhoKEd2TfYN9S2ZLLw5BfI1F5zxBQJjWY9xAhsgBQkDwmcAAAoJELw5BfI1F5zx +4cMP+wbjKu2xCr63oyn+lo7NqMDLBYl4zHunYTZhG/egDakVWp5Ikj5/k3i+hVSY +fUyUhqQ/b/H096ropB7GA6EzS44GS+hLMdQOJOmEbjvAP/9dJDX2FQnYZzaA2f/e +Ikgaw283oOLnmYz0x7YAW/oxlnPn+7Sg7DGGqqn3nKofDUUrowfX0tQGwkGmJJqQ +gOH/ZfU4t51UCKzF6hWRbberBI8ezp24vYngA2kGef1fCUC+EIFhoYcdHHCtC1Ti +KmOUaeB9ZMiVXkP60fmCLKObwcKTyYpAFPqM05xgsMPFaXN+fQ7YVAGpCdthk53N +5Go+QqehwLoJk77CHZxIWJIf43p3UiuH1FsuXF7OdExzIhUSiUum6MoCI8BpVwn9 +uSKfXKLOdGDR6IJI8jqdC9LYoXqxZtDhpcqD70hFWJwJzZg+U2SvxZyhOqwtKXtD +TDtee3yGzPacSAJD7mFURc/DRi62UBMiFcqO1YW/5LgC4yjtzo7MTQPkaGbQLduH +IlCKa8pHWPqaLFdMawwqNrTNHWXCD4XxijJYwdAue3NUG/utekNm82mqnbbWw/AX +URIzefQsbyqiNYMztudJ9hAS8yCdkfb9SKVIvWYPQ77tHltOZF7K/NzOGeJaJr8l +vqZCfXpWmOduTpWaD2kIvU2Kx7gB4jXdMa2ai9N+/Hdr3lLouQINBGNZj8YBEADg +Y6HOawiThxQVI+0uvAAU9yisew1SSVO6mAsQtZM7s7BpLA3RGPj3UGojZIeejA+k +fq7A+PVLBhz/kSBTtw9/s3o4rlqNzz7SLaix6XKWCpHOBs84n3/LF6u9KMMVk9vT +sjKz8iDF9mBR2bmCfLvEk0HDiMyApv5SbOsZMB8k5PWyK8HYPyMI5umEaOsaC3tA +eihO3nzAxEf3oZl53J1pIw+ecdrQLbWbH0aqKngfCddD8Q0oMr/Iwly3W49+5eqJ +oelR9/dut/dg0a3Nn1wIGYRzC62CCsF5IZwKdyPh7nilEUFpA5Vlz+HfIFch2LfR +F3Q/GZD8fKzKxhjDIdgyaWSTsMbityKxX2G/pcjshyMsZT7I3Hx7SwQfFro58s2D +FsFLEZgBhJv+nW/HckeedaveXmXdHKjtsa8+rvGADti4wohOl+N5tbpYW3/zR3AY +qlh47hG0ikUJ8Tusnu865j3Z5mE+KqS68ypRVBMRrdJl2lGPDCnXGhl2720VPNMC +/jB2Mgm/L1mvQM1jPfdC3KgokDAH5NMzKvav6A71aLSUJli3UdkGHkX5d5urs3k3 +WmCt7XeTb30MBvNzBcSYTbw2UGIRE8G0CFc3wtiWWiQKPeFXYhn0+COCoW/EXpIC +VaAuMPMgcsldM13bKGyGo3NngsNEdopNFfr0KKW5XwARAQABiQRyBBgBCAAmFiEE +uGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZj8YCGwIFCQPCZwACQAkQvDkF8jUXnPHB +dCAEGQEIAB0WIQQb4sD/CJSWIxAv0lZGlYgcJUUI0QUCY1mPxgAKCRBGlYgcJUUI +0ZkHD/9TlRvAaZETf+pv4/IceeL3KHwj5lrC/gojXxN0AjhAXljLSRCu0EyICxZy +3158h4k0vwjdv8699yHEN97PdF84m81mqxOz+juKBRHFK/EwAAgOdSlzGnUYgNkm +mCROFWtjeneNWaFdEnq9MItx1OascPeyxnWMjq7LLYMSESP4tgUV5KdlaVAXR6q/ +833u27/NodkDcNH2UK+IyT+Kt/uCOoIIL4ttxo/PvZTphzV8n6s0sJJE3/BrRxgv 
+CTkVU6zosyJsyau8/vayQYGPuBuEQVs4Tr+vZ42izbkHgElcZv9oYjJsxaqZqqMz +fWPte7m6Pl/pvtmlhPmpZ+ej7y8SRysBV+3aHNXaE1J3sIOmYxighlgZapSjHl/A +9N/KXdoLAjIZtBAOQ2ZFyRz/c2+VUqJgwiwdxoaFaYn2eUM+HSTbZfdGXBS/yyZL +YsM+L4M2aizQvDIRXzy8vG0vpHQEvPlXL0Gg0gyk0fox0OsAP5CfXmHC/AvYOHM8 +y81X2QqDf33Au1RIgog4cLqq2wpXEARWbAj0BAMIeJoCDCu9Mz2juK1ui2wr8AZ0 +42PCUgZK6CdUI18AsvApUhPsNunF7ZOc5mFMuaEGjjWJvrTG3qyrCY73ySBiGXWo +92ZB7FXu2MzgujPBEigByqeF6IV2x0EBHw/VrcxXq6Slgmik6G0SD/48l5mGCxM0 +Wr91raB9zQlwDbtD3PCbjA6DtkMrRyAq+81g75N6uiztGPCVw9n1HoGOSjN1hAhe +SgQQlcXbDLpzfdPFowDEHclFFfUODCIOuF+FgmxlAz5Exr9JkJdozBFqRZ4iF/tf +E5sHB0rzeUcY3J6VjTsjULjE4GSg5trsOc8GHUnFn9wwwkf9nR/Mr1RYcX0GkTcy +iUskw+AoRz6svOfAWIDJY450wgD0MHZK08IfUUsYTGecoXcvWf/hITtv/Af5MpQA +wuGEDltVDeu9EAu65SZlMkkMuQD1h3KOQjUJ6nY4a4M2CQ51ggs/c+vsemxsuYlG +vSuhrfXt6HGD3dhsOEeyEvIcjjpP1Ku5mqrPhqXFli1swfohhYGGVO+fM7G3l7wF +kAIi0B1szn0K13qRqBIwjnWL+orP1KLzvczCH6yD0FZY90CDdMtM0VB6AqT4BFh6 +5+ygjA4YiA7fFYBm8510ybUcNfzU3gUIJ5pF8MdGizO54tCPSK6U+iVRY4qfCFdu +IiOZ7FUUn78VIxQUMYMrozy7kn/0PQZa7KKRbXJ8sg0sgrQapwpgUjdMwuYZPGGv +1Jw5/+WUGWMbGxmlpHcEOmsPZpITH557M/kHyk9Ud0iKwciBI2mGLxiafCuLrUY4 +TknzOqbZgjdllcUG4cDBEQuBO/GSj1LUfpkCDQRnKRF7ARAAo5H9/6cStbyjWFeb +G6qDn6pT+4v1rlbRZo0rYwWkDmEAjOZMRC9SJipTCdQeNFlv6HEiiCvl3bmZIqrZ ++zvLI6U1+2dH7k06xNqIFLTV0zbr+tUkOwspg5nr59KsuNP01WBS0ELzunO/zHj+ +BOEdPg1KvB0IQFtqAwaAfuny67YvTr9O7Yz07ZCfTxPtHf6FJ80FPeRa0LoZYnW4 +UmSGtm1f59VD9+qe4yhRtNanamXUKjf8BTw0rQwjoJhVT5Mg0Z6hW6fhFrD57Lgd +8fBi5ZHHUlR4z1+nqGCUoHlHjc0JVyK8j8fofKafow/79ITaOqBzv+P3psY9ecBg +7wGaOHrqzRzRxAfKYRO2IaFHRGnsEE8FnwSEL00uPVxpiiTavrLJFEjku9GmP3OY +3rbwIPXbw1m9mZG1yAVbSEEf58WSWeoBp0O6qrwAdIbdgUX4BkQ8bX5MtUjXp5tm +0StmjQiZ7O91cg0VuWtrfj/I4E3xtloNzhtG2QLI4s7iAL1orhClxEuZRO9alUCS +cnRvhmw2Dh6sB6i56evcZdUFwxMXOByxfWr0fxX4QlR8jYqMPj7UMNj2PccTBOQX +umIW2cdGEeni9vrE9cLfZRSNCwPWAXWtr1zQW54Jx5DjCGHobQk53Z7kE+MZVAje +gOaT0u50cljBNfJootuln4+gbGMAEQEAAbQlUGV0ciBMYXV0cmJhY2ggPGxhdXRy +YmFjaEByZWRoYXQuY29tPokCVwQTAQgAQRYhBGjSGCM0KhNoOus+TvtMaFtdwcE+ 
+BQJnKRF7AhsDBQkDwmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEPtM +aFtdwcE+doMQAI5mnNA8aH0dfeOZnz/NrMwY6H7jK/+lYatCx05e1TfK+zz9feRK +sxgP3Pjj0p9igo3jIdPcN5/YnlmVEeplDmSiKOOdendviy+sA8sukMo07Q+m1pYW +NzFtyiZd+c44mp9I1l7h6rktIY9XDedrlAkNog1VlUet9eNpmgXt2OmJNDmYftWc +KIpyw/ZLaubjRcAmxwsn7I6dWnT66Ffg9H8trcRlWipVWP8imO0EIpwC8RbhuNgk +xjt/cVf3CEpzokF4n0k3nqYmt90NNtGc0kG5QAlTvlUuHpNWzuzvdAPtMy3KEaXI +fu3IEZeIKCxSgWXTm7zRKUn0F6jKAsLXhK/WOA1Aa7NdAUwMxrEndfNoqBrusaLD +lpzWU7USv2YT+Pf3aQ7u1szg2J8V5eqRP+E8wwe54RNCgQrcDgUq5abyncsvull3 +GqJvzvZC7/Q3Th/g5Wc+dRaGBz0O9FBuRPQwjrnB932xW1fDf17cScpVKAvV/jwn +tpWXf7nSv2M0o9fihnTBl4d2c2EBKtTdp5W0IpeRl5uLad3AYoouP6RoZ+/Id/Zg +NeaQKH/ZlCxk5S9GLzYhm665ysOYRkh7NfoThRtvAqAeDcTKWGDG1nQok2KKOSyq +S81PT2AlMz7A26R0vsH/9lQ1uZFIhIGbxZXlGERZwXd1s+lgfWTbB5K+iQIzBBAB +CAAdFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmcpGAUACgkQvDkF8jUXnPFdGQ/+ +L7uA7EMB+Yh0urhZuOltZSNtge6b+UbLZTd8DRsf044e+Z0NJWdQ2saLBptGhIcn +as4Qd0gS+QkWB7lMrJ31uux15ZBjFsGtyqK+VoH8JIPvV8Mr5XojqA+UYUpXP6ns +ILrdkUvNzpeA51IxYuVMWcut8SUVYzjD11YG1P8LFzydsImaYe7se+RE85F3/2Po +kZNe0d0Gh36uyfJSND80XrrxLpROgabQgHNG0drL/DHjdoa3F0V5EUoG7NBwUrmB +RlWKYCLUFfW+8mQn6RVK8JIV9WaHrzi/KAZLonZb5dCjO0e+Ol16pyUofLA8SN7B +aqjens8ho297GtE3darkXmj5p3p4YPur/D+oZCNIH+BYMsht46VtE3v6V10P8KA2 +6MgNo5qME1Q0kC1DUYi68cPeDgrQBMWa+nF+m9i2aGeAyi3qDhZu03JLhOYAhv45 +OVRawm9vFqyKiBRANVogTRr+ch4zywaapwfVLQ+xiwVLqlT5n/iIzWCQ0hA15eKZ +gJV0kTXL4OWKBeJqSNnnLVm4AhZ2OpKHMsjE7BEopvCe9JZWFIrjtQ9TrriByOx0 +3anWkmm7b4lZ1HKDOI/Cxyz8BZvYizo7hSOdGjLrFBTD/Wk0swvpzB4NKh5I6N7k +gppXMTaWp36+KmQx66JzaZjepGl1VMNFdgiP6Sw6pO+5Ag0EZykRewEQAK4EY+06 +GeuX4wLlUqAMWCnbFELuhBZGWFLEIvP6WJS1WOvee45RVcpVfYMp3AqymiNRahAl +RMtSQ9YtXSdlBPkhtNcoV/hqjcNywMdbsy+Rs27pRk/DJVC0yVL4ABrSSlwhfNa4 +6X4ZvPr8GGDvjAUhK6NXQ7WrZJxYR9/U0nqRGtGuPBLhFey1H60n5axP8+2f9pFC +NbDJ13HbrhVju+RUeE8Gq5WJI5dea5SfYnXFERsT/zO+pw7ZaaSDmWKR1a88P6Bk +DD7e63ZIaAa849M/Dz+OgzNEgbyRjvgbO0OEIrS2x61lGoW7F9prEgzj97NIiBu6 +qpNCYJefkpfPENrk+wmOUthJfh6E7uphlliQams6dqXAc3Z+xBN9jFf74RpzVmIP 
+K/MFNr0EcUMFgURpBtaTrk4dGMh++v5i4qKxxwJHf4RsGCDsgH9ZZDemKz5q8uFN +TI1kbTnsKNt+d7L45U+3/mRm4l22g8eu+AvD6R4GfKjsyzEFCyGK7TmVYj0Y+EGR +9+YbRQ1GahXqtrR/aLC09LSyxQTqYfKU8KusnoceEbBOigEZUNPybpzibwHl1VEV +9crR5eT8MPHgs8xdpjQ7gRuPi12fvc83unpUsNIHSCxZqXoilGsz2+zpX2si3PxB +tK/tTo6ZFRLijhHs250Y1agp4MyXYq91A2VTABEBAAGJAjwEGAEIACYWIQRo0hgj +NCoTaDrrPk77TGhbXcHBPgUCZykRewIbDAUJA8JnAAAKCRD7TGhbXcHBPozGD/0Y +fkktGwGq2vPZUI/Fscv+VnEqVt94dBnS0/6GyYvhI7Tf81v+72URlQeX8TUQox9B +8d3Aru5b2+iSkPcvH70PbY8jt/yTwHtSlFzf6+YPIl+oyTz7DoiILSjrO51ntl8g +KmIb8Q9W74xV6VFIJ4m8rH04MKFpIlzUDq660JYQIGtOUFugSfg7aLVU/0j4WKKE +KfAfg93wYTKKd+JgRFy4FZPriem7HvlUSi2VKffdrrUF/PX35X74iKdPQoEADZi8 +KkMZULDtyQ6ZOu2hiDpArjo5hDadKM314Z65VnM11hjiEhmTF3IyGBllb0qBIk0L +nBVHuMYmiqBNJEbaqHLqIju8/RvFlYV+AMISeA7B68knbJcao13ogtDpuJ4hpgCj +j2B1n0NWMcju0gteu1sfsIaQbWHevH2vgl5LJDCNtUJN/NoWB2Uov27wEvsongwY +3du40TnM+5ejwf4r8D3wX+JpVCAhfr3Oc0knw14nRqFPAe1E7DNURJ8xfEV9iPRA +swo6qoh7IIxNETUG1rywRExNt6tHsojx0Wb0I0IB7CnWRK9F6oNRp0S4kVgp+Jeh +a9NGXFK2hn8qBD/rpUPsj/OdkiBN+C7Ai07rCNez+IKdnUfXkOJqLCOyeUwC9WPl +uFPB9RnnghYM4xhMWf8XvSLOOk/vgPxiqR5ANLObsbkCDQRnKRLhARAAuh+b2Oxj +9q+RRZ+pkDVf/M6P01yDmDhwtYHzi/LW8PFHC6iQlzMReyv1R5n3uCEpAZ++mdUe +Cgo2TmFnYdpmxEgdaMIW98uqe4fuHhoXU2Mh4eiN7jyJvXQCsijCDYzifoj03HY7 +nTVjw4+BSSu9kA3/vEqU9A5YjG01MmVSMaIaTrqZqsnypK6r2exJa7YVRYwRqpLY +C5ksikDVK9ftdfhjnsnYGS4pYyfMNSHY1KBMpHjT7wEkM+KZ2WRpjTZZ7nP9u4Lf +fJMKgcclRgf+13CeSaJfVIhjJlxGVLkloE8XJbOeh2vkK257e9BenEFgQnyLCpGJ +8YNsnsJVhxU1aA62dT7jmnOVMBhnGoNhMyzzfvUw0REz2VbpZBkiwZRfZ9MWUBsy +bneH8NwzZMQQLCc/yo/jnPrmDS+tgl4CXGzBtpxPUZSMuY4tHZZ2vBb0zcfhY7P1 +CrHuylXLFzkOO/XRP3w1F8I1UqJCjdTKjdjCDF/VWtedHee1iEsSHxPGH8fHp4Qp +rBDDwZ4NnfilYNHMDWm6U1bzhX2ynqcGArQSd1Ny/oL7JzE1qoH/nNrwVvOSSNWF +UTXFXeLy+SOXJdFJpGP+/wV+gYfyczoUP6vmCdK1Hs15WQvKzyP/nmLS5uLilfxV +KrxZDI6SNrS4f/XkHcGnYByFKUhq5gVN0ZcAEQEAAYkEcgQYAQgAJhYhBGjSGCM0 +KhNoOus+TvtMaFtdwcE+BQJnKRLhAhsCBQkDwmcAAkAJEPtMaFtdwcE+wXQgBBkB +CAAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmcpEuEACgkQzcroySfGvjExiQ// 
+TKQ2Ci+sqNSVIcwg/k0Go1i4cA7lhKNdYRBCaIThB9jMqNg2zgPzgELBcaVJL8xw +0E2x2ZvBejM4X+eTrmkdufcxHR8B/zBF8oPlD2pgs/zZmZEO1gq4Cdab7yIoVNNr +foCZShxOCPR2wIixcYZtt5f7Z3zSXqkjIec6sTOedT75ZXrpQbvINeUkvOJfMCOi +ailauvDfv8k5iJUVbP+Dx1vOc88bvewVJcbLID4HIRr/PS+k1D10zGbnF71TnxGZ +r7anMZCSFCHJ5WV+BSwHHKtxRy+bJ1x9ML45Jcr1anTXeaHIeSKNzFBigJQSgHv0 +euegkD3Rmw+IcxNb4l536selaNR0UAwx1DC1qpjBtnE9/pXdTEsZQxq9kMrj0d+f +VKFjOKADVIpkx7o0dZ1jmbUmdjQVyGDgHE+Emgdd726/2ftWriW2uPeUC6YZiqbt +vBnCnwF+aV6P1nrE0BWJchLyBjDCe5Y2oXBAYF6xwpDPfMPr4oscqzPV4TWVULBi +brtRWgSxmvinIGFx9T9wQCVfX254dqBaAEhRMImoT/YP+6evRZKqQODRhI44OG7u +V71IVAJ8BHEBN8hxvQM3WPs1fhwMBFCyGfr/x/U4/c78R9JhxkU9VwmMbLGQP7VP +1QgfiHqZpHMk8ZUmQn6KLeurzWcnwPFkwgFPZED8OQOMXxAAio3DhWr5KDd3mICH +ALNY0A2ipb/JH6LSHxu0S3MLa/bF6PbqRY1+fKMT/cFVxln99rNUrX+hDRbc7qbh +KkxvGmcnXnkcTHah9bfUghEanlKkBr1g1ik3zgEnpO/x3+X39Ov+ge92MDawV0nq +k9R/9tS+ZD/ph72Q9kx3ZfVNSL0eWxjuwBzFW0Zwh5TAX4raSmyQCmAXi05O3YmN +iq4arSUg5oAOMRZ+d96DsrAS4Sdtlx6/CuKTBzEaGPQLQ9wJNB0Vmd/eQWTP99KY +cAdIwj5BJ5P0Z7+xhsVjQOntn4otnP6vN6RuDtYrS6M7TCN/ZeKCvN/G0nRac4D+ +IJX3CYYtYXgaoDuoetUWtc7O5PzHRETaBt/46ob2lzf6cT5QyVujTfz+i0rGEc63 +pvXK8mV+K7BFY/DHpdEhl1pDw2YYLbBmUthQWdsL6/TVvpMe/wZadvJ/by3AeRzQ +eusUucuSo9UNN7Yj8u3dRhxNgsSiU96A/SFlAoB5s3Onh5K4WEVCBu/INjdi+r2B +LJePSnA3I7VkRE9Haf1D28jtBzm3Xbft2rs3lO18FcCqw6kd7Ih3e0tZ8uUG9UDv +qTDHTUHLAWvwrq38gKKAu2RMaU06A5kR87RcQiizxOwBIwiHuUWMU4/Hyx6fXsOD +hEs0O6AFDarNDZGee2amKTAyZpG5Ag0EZykTxQEQAOwGV1boBD3vDLsoAT62nGxb +SqXiBsObxnpWbNifOzM9BUGPOIpHsSH32PZGG/+LNjNdECfyyP1RysH5OT7j92Q8 +vgRQoG3X985gbOjYyZc0xvAkTSvWxOiy5CuF3X8sJ3NSerQDXwjP9qVqLVj/3FB8 +nka1HFS7KzC3Zo/kzCoxeZ3/hV3PTWIjcoJvtBSCKPZyOJxnRqWfi5BNJo3S2SR1 +mxV967zawXiZ8MeeBl6rLhOfCBtz9g+bqrXZYoenuMn5Js2mcH0haYeMSV3UWIC4 +kinzr1EJxs+L1/hVCVBNiiDc6DXcFXoz9ZVc9kjpZTOMoZVDkRkyOeen+5Sya9wK +4teLmDLME4+pgeHCS/Wa4KrYyEWe7NpG1VTkSJnRS+fyYGTWtwEiuwT6J9U0t1d5 +hbxhM7YAhlnOEnNVmqa3Bq3yqJs9G/7gicZ7CIJ9JBHKTJzOnKfpGhxBSOgOoCOa +WW6uVCzDqfrYPmCUIKQmanB441xJFGuHVPMLBjVjswoMKGkK3gM6KMRCDYQ53u6s 
+FK+Jcl8HobBSezVIUKpKVX3IW9d506cE0FhSW/NvWJv0FIMVloyC2BpOjSWVgEwX +tk/m3SKPsgCAcCqzi7xlloR8+E9C2xci9cdGG5faghgSjaP6j0qDww/slRPQJc5A +DIeukkOYTCiSiDwQtblJABEBAAGJAjMEGAEIACcWIQRo0hgjNCoTaDrrPk77TGhb +XcHBPgUCZykTxQMbIAQFCQPCZwAAADcWD/4qJRLn7TcMtRMF43Yn+dX+O13YrxBC +T4n1QVmiPsGrUca4Vg1J+trV6IMsGrhktpiaV0qeL/km0h02m4gEDZKDyWWXdeWh +EXFaTVy9yCpSXUWJl5gSXTSwxrqBWyWLlLLk4UT9l9sk5mMdy0JA8unobV4M/eXQ +ggR11DL3ji7aO0hsqxyxXkJcawWjVGW5KL1EaoDKIJ/CwxOI5ipFueMIRQjQvw9A +o/w2fq11qVXY9zknk6pFkp/RDHLes+wVHDtebZfJ9xV7Mb1mf/k03dT56GaA/U3E +XvJ2FdgWR+zf+YMEa9MPDHYo2UNEvk9mOk247M8s+OeexdlkPgyKW5A8mtYuY/dR +j8W6C4pLcMWa+d/vIUpm5Guw0F5q0AWk9/FbBe9HLztEevvRnuHXmfTZeto/nCAi +Yg4pCj6p3JoN5CLebR8YtWm9AJBbX1kgVvqSU2VgwYIFsxBEz8Wu2h7z/eSCSeIg +ARFbTlJ6cBrRkXCVyhbv0LPWWUfAUqiEtdGxrA4Xx/jKrI02JjRdW/bZkXjSka8K ++cDlpcr9ixBWW5LkWsOdiL8jExfTGw25FA7Wd1HiHnBv36Mu/zb+0/I63d+fLq93 +e3lmmVx9qQF8p5Okf4ojY9YoIHVkLS7t9AgFjm/ucmpEGbXxyPk2Cr3l+b5R41x3 +dBW9kxiuWpZN3Q== +=iuRK +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/libselinux-3.8.tar.gz.asc b/libselinux-3.8.tar.gz.asc new file mode 100644 index 0000000..d9fcece --- /dev/null +++ b/libselinux-3.8.tar.gz.asc 
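Review bot: The keyring added as `bachradsusi.gpg` is 438 lines long and, judging by the armored data, appears to hold more than one primary key plus many third-party certifications, which is more than is needed to check one release signature. Every primary key in a verification keyring is a key whose signature on the tarball will be accepted, so the file is better limited to the key that currently signs releases, for example by re-exporting it with `gpg --export --armor --export-options export-minimal <EXPECTED_FINGERPRINT>` (placeholder, since the fingerprint is not stated on this page). I would also record that fingerprint and where it was obtained in a comment next to the keyring's `Source` line in the spec, so that a later key swap shows up in review. The spec hunk is cut off in this view, so whether such a comment already exists cannot be confirmed from here.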
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmeaa/0ACgkQzcroySfG
+vjFQkg//T/nkfDTyjP/PNqZaya3gxbWBwRBhUCGXQTjaGCfcZDgcnphXnwhj5gkE
+ATCrTAYixg5apjWvH8faToo8ds3hVhdgpOL0ew5mx3M0PBTqBKReL6Y5YxQDDgLj
+fPF+ISai4xywv4MIUm0tQjOPbsuN1b5HhCP3/n+oUcvAehJqEZ471sB+o4EW7kHT
+L4v9vouhaaYWEpC0eLUnb4kaEaf6qWPrIZ+2td0Mwc4+KHl2P1v5siVzL3uNwoUR
+CL3EpnzEFHiKOGw8ymBL879RBCUG68noYGO22Fzk+Zw1WAsoDJqSYpGTdcnHlwB5
+dJFspO+41jy7OYneslji+sfKgUej8ZvK7ohn4xTw96fHp9cGmh+4We52//ZdnZMn
+AXinyIMeDCr29JE1XnWsJd48LqRJHcBx0Tm6pf5sA59giFiv4pYAvntafFu28yqP
+gPdyfRShVEeVSyE59O4YS0hYs7lsl/4pIzlgNOZwkKtzMwwwBLPZSWn57KqoUxNZ
+7IlKx80AKWbK6hASjt60PQnWKQE4Hm94HJOv4cbOFsYkUBeQfv4+4P+5FhU608fp
+oz/UK9VEl6QhvzIO7bIsTD+2h8jz3ecsjjrRRVsAuI34VJBF/8OOchMqp0w6WZ13
+IhSdwNypCZtAVv9fjgFhVmYxAZtHuy+7BGjGgEVKatteIhAVEic=
+=C5fM
+-----END PGP SIGNATURE-----
diff --git a/SPECS/libselinux.spec b/libselinux.spec
similarity index 88%
rename from SPECS/libselinux.spec
rename to libselinux.spec
index e962c72..100e0bb 100644
--- a/SPECS/libselinux.spec
+++ b/libselinux.spec
@@ -1,53 +1,36 @@ +## START: Set by rpmautospec +## (rpmautospec version 0.6.5) +## RPMAUTOSPEC: autochangelog +## END: Set by rpmautospec -%global with_ruby 1 - -%if 0%{?with_ruby} -%global ruby_inc %(pkg-config --cflags ruby) -%endif - -%define libsepolver 2.9-1 -%define libselinuxrelease 10 +%define ruby_inc %(pkg-config --cflags ruby) +%define libsepolver 3.8-1 Summary: SELinux library and simple utilities Name: libselinux -Version: 2.9 -Release: %{libselinuxrelease}%{?dist} -License: Public Domain +Version: 3.8 +Release: 1%{?dist} +License: LicenseRef-Fedora-Public-Domain # https://github.com/SELinuxProject/selinux/wiki/Releases -Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libselinux-2.9.tar.gz -Source1: selinuxconlist.8 -Source2: selinuxdefcon.8 -Url: https://github.com/SELinuxProject/selinux/wiki -# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done -Patch0001: 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch -Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch -Patch0003: 0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch -Patch0004: 0004-Bring-some-old-permission-and-flask-constants-back-t.patch -Patch0005: 0005-libselinux-add-missing-av_permission-values.patch -Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch -Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch -Patch0008: 0008-Fix-mcstrans-secolor-examples.patch -Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch -Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch -Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch -Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch -Patch0013: 0013-libselinux-Ignore-missing-directories-when-i-is-used.patch -Patch0014: 0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch -Patch0015: 
0015-libselinux-restorecon-Include-selinux-label.h.patch -Patch0016: 0016-libselinux-Fix-NULL-pointer-use-in-selinux_restoreco.patch -Patch0017: 0017-libselinux-Close-old-selabel-handle-when-setting-a-n.patch +Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz +Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz.asc +Source2: https://github.com/bachradsusi.gpg +Source3: selinuxconlist.8 +Source4: selinuxdefcon.8 -BuildRequires: gcc -%if 0%{?with_ruby} -BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel -%else -BuildRequires: libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel -%endif -BuildRequires: python3 python3-devel -%if 0%{?with_python2} -BuildRequires: python2 python2-devel -%endif +Url: https://github.com/SELinuxProject/selinux/wiki +# $ git clone https://github.com/fedora-selinux/selinux.git +# $ cd selinux +# $ git format-patch -N 3.8 -- libselinux +# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done +# Patch list start +Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch +# Patch list end +BuildRequires: gcc make +BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel +BuildRequires: python3 python3-devel python3-setuptools python3-wheel python3-pip BuildRequires: systemd +BuildRequires: gnupg2 Requires: libsepol%{?_isa} >= %{libsepolver} pcre2 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 
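Review bot: `Source2: https://github.com/bachradsusi.gpg` records a per-account URL as the origin of the keyring, and nothing in the header says which key the build is expected to trust. The content behind that URL can change whenever the account's keys change, so the copy committed with the spec (apparently the key block added earlier in this commit) is the real trust anchor, and a later refresh from the URL would replace it without any visible signal in the spec. A comment above Source2 would pin it for the next maintainer, for example `# Upstream release signing key, fingerprint <EXPECTED-FINGERPRINT>; compare out of band before refreshing this file`.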
@@ -73,20 +56,6 @@ Requires: %{name}%{?_isa} = %{version}-%{release} %description utils The libselinux-utils package contains the utilities -%if 0%{?with_python2} -%package -n libselinux-python -%{?python_provide:%python_provide python2-libselinux} -Provides: python2-%{name} = %{version}-%{release} -Provides: python2-%{name}%{?_isa} = %{version}-%{release} -Obsoletes: %{name}-python < %{version}-%{release} -Summary: SELinux python bindings for libselinux -Requires: %{name}%{?_isa} >= %{version}-%{libselinuxrelease} - -%description -n libselinux-python -The libselinux-python package contains the python bindings for developing -SELinux applications. -%endif - %package -n python3-libselinux Summary: SELinux python 3 bindings for libselinux Requires: %{name}%{?_isa} = %{version}-%{release} @@ -100,7 +69,6 @@ Obsoletes: %{name}-python3 < %{version}-%{release} The libselinux-python3 package contains python 3 bindings for developing SELinux applications. -%if 0%{?with_ruby} %package ruby Summary: SELinux ruby bindings for libselinux Requires: %{name}%{?_isa} = %{version}-%{release} @@ -109,7 +77,6 @@ Provides: ruby(selinux) %description ruby The libselinux-ruby package contains the ruby bindings for developing SELinux applications. -%endif # with_ruby %package devel Summary: Header files and libraries used to build SELinux @@ -129,13 +96,15 @@ The libselinux-static package contains the static libraries needed for developing SELinux applications. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p 2 -n libselinux-%{version} %build -export DISABLE_RPM="n" +export DISABLE_RPM="y" export USE_PCRE2="y" %set_build_flags +CFLAGS="$CFLAGS -fno-semantic-interposition" # To support building the Python wrapper against multiple Python runtimes # Define a function, for how to perform a "build" of the python wrapper against 
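Review bot: The `%{gpgverify}` line added to `%prep` names `--data='%{SOURCE0}'` only, so the signature check stops at the upstream tarball and does not extend to `Patch0001`, which `%autosetup -p 2` applies immediately afterwards. That patch is 1362 lines and replaces the digest implementation, and according to the comment in the header it is generated from the fedora-selinux tree rather than from the signed release. Its integrity therefore rests on dist-git review alone, which is worth stating next to the check: `# gpgverify covers Source0 only; Patch0001 is reviewed and trusted through dist-git`. The `%build` section this hunk touches continues past the end of the hunk.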
@@ -144,36 +113,23 @@ BuildPythonWrapper() { BinaryName=$1 # Perform the build from the upstream Makefile: - make \ + %make_build \ PYTHON=$BinaryName \ - LIBDIR="%{_libdir}" %{?_smp_mflags} \ + LIBDIR="%{_libdir}" \ pywrap } -make clean -make LIBDIR="%{_libdir}" %{?_smp_mflags} swigify -make LIBDIR="%{_libdir}" %{?_smp_mflags} all +%make_build LIBDIR="%{_libdir}" swigify +%make_build LIBDIR="%{_libdir}" all -%if 0%{?with_python2} -export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 -BuildPythonWrapper %{__python2} -%endif BuildPythonWrapper %{__python3} -%if 0%{?with_ruby} -make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" %{?_smp_mflags} rubywrap -%endif +%make_build RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" rubywrap %install InstallPythonWrapper() { BinaryName=$1 - make \ - PYTHON=$BinaryName \ - LIBDIR="%{_libdir}" %{?_smp_mflags} \ - LIBSEPOLA="%{_libdir}/libsepol.a" \ - pywrap - make \ PYTHON=$BinaryName \ DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \ 
@@ -191,19 +147,10 @@ mkdir -p %{buildroot}%{_sbindir} install -d -m 0755 %{buildroot}%{_rundir}/setrans echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libselinux.conf -%if 0%{?with_python2} -export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 -InstallPythonWrapper %{__python2} -mv %{buildroot}%{python2_sitearch}/selinux/_selinux.so %{buildroot}%{python2_sitearch}/ -%endif InstallPythonWrapper %{__python3} -mv %{buildroot}%{python3_sitearch}/selinux/_selinux.*.so %{buildroot}%{python3_sitearch}/ -%if 0%{?with_ruby} -make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" RUBYINSTALL=%{ruby_vendorarchdir} install install-rubywrap -%else -make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" install -%endif +%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" +make DESTDIR="%{buildroot}" RUBYINSTALL=%{ruby_vendorarchdir} install-rubywrap # Nuke the files we don't want to distribute rm -f %{buildroot}%{_sbindir}/compute_* @@ -223,8 +170,8 @@ rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist install -d %{buildroot}%{_mandir}/man8/ -install -m 644 %{SOURCE1} %{buildroot}%{_mandir}/man8/ -install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/ +install -m 644 %{SOURCE3} %{buildroot}%{_mandir}/man8/ +install -m 644 %{SOURCE4} %{buildroot}%{_mandir}/man8/ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %ldconfig_scriptlets @@ -238,6 +185,8 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %files utils %{_sbindir}/avcstat %{_sbindir}/getenforce +%{_sbindir}/getpidprevcon +%{_sbindir}/getpolicyload %{_sbindir}/getsebool %{_sbindir}/matchpathcon %{_sbindir}/sefcontext_compile 
@@ -246,15 +195,16 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %{_sbindir}/selinuxexeccon %{_sbindir}/selinuxenabled %{_sbindir}/setenforce +%{_sbindir}/selabel_compare %{_sbindir}/selabel_digest %{_sbindir}/selabel_lookup %{_sbindir}/selabel_lookup_best_match %{_sbindir}/selabel_partial_match %{_sbindir}/selinux_check_access +%{_sbindir}/selabel_get_digests_all_partial_matches +%{_sbindir}/validatetrans %{_mandir}/man5/* %{_mandir}/man8/* -%{_mandir}/ru/man5/* -%{_mandir}/ru/man8/* %files devel %{_libdir}/libselinux.so 
@@ -265,72 +215,269 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %files static %{_libdir}/libselinux.a -%if 0%{?with_python2} -%files -n libselinux-python -%{python2_sitearch}/selinux/ -%{python2_sitearch}/_selinux.so -%{python2_sitearch}/selinux-%{version}-* -%endif - %files -n python3-libselinux %{python3_sitearch}/selinux/ -%{python3_sitearch}/_selinux.*.so -%{python3_sitearch}/selinux-%{version}-* +%{python3_sitearch}/selinux-%{version}* +%{python3_sitearch}/_selinux* -%if 0%{?with_ruby} %files ruby %{ruby_vendorarchdir}/selinux.so -%endif %changelog -* Fri Jan 24 2025 Petr Lautrbach - 2.9-10 -- Close old selabel handle when setting a new one (RHEL-73348) -- Fix NULL pointer use in selinux_restorecon_set_sehandle (RHEL-74252) +## START: Generated by rpmautospec +* Thu Jan 30 2025 Petr Lautrbach - 3.8-1 +- SELinux userspace 3.8 release -* Mon Jul 29 2024 Vit Mojzis - 2.9-9 -- restorecon: Include (RHEL-50830) +* Wed Dec 18 2024 Petr Lautrbach - 3.8-0.rc3.1 +- SELinux userspace 3.8-rc3 release -* Wed Dec 07 2022 Vit Mojzis - 2.9-8 -- restorecon: Fix memory leak - xattr_value (#2137965) +* Wed Dec 04 2024 Petr Lautrbach - 3.8-0.rc1.2 +- libselinux/utils: drop reachable assert in sefcontext_compile -* Tue Dec 06 2022 Vit Mojzis - 2.9-7 -- Restorecon: Ignore missing directories when -i is used (#2137965) +* Thu Nov 28 2024 Petr Lautrbach - 3.8-0.rc1.1 +- SELinux userspace 3.8-rc1 release -* Thu Jul 07 2022 Vit Mojzis - 2.9-6 -- Describe fcontext regular expressions (#1904059) -- Strip spaces before values in config (#2012145) +* Tue Nov 12 2024 Vit Mojzis - 3.7-5 +- setexecfilecon: Remove useless rc check (RHEL-35586) +- matchpathcon: RESOURCE_LEAK: Variable "con" (RHEL-35584) -* Tue Oct 20 2020 Vit Mojzis - 2.9-5 -- Deprecate security_compute_user(), update man pages (#1879368) +* Tue Oct 29 2024 Troy Dawson - 3.7-4 +- Bump release for October 2024 mass rebuild (RHEL-64018) -* Thu Sep 24 2020 Vit Mojzis - 2.9-4 -- Eliminate use of security_compute_user() 
(#1879368) +* Thu Oct 17 2024 Petr Lautrbach - 3.7-3.1 +- fix swig bindings for 4.3.0 +- deprecate security_disable(3) -* Fri Nov 08 2019 Vit Mojzis - 2.9-3 -- Fix mcstrans secolor examples in secolor.conf man page (#1770270) +* Fri Aug 09 2024 Vit Mojzis - 3.7-3 +- restorecon: Include (RHEL-53852) +- Fix integer comparison issues when compiling for 32-bit -* Mon Jun 24 2019 Petr Lautrbach - 2.9-2.1 -- Use Python distutils to install SELinux python bindings (#1719771) -- Move sefcontext_compile to -utils package (#1612518) +* Tue Jul 09 2024 Petr Lautrbach - 3.7-2 +- set free'd data to NULL (#2295428) + +* Thu Jun 27 2024 Petr Lautrbach - 3.7-1 +- SELinux userspace 3.7 release + +* Mon Jun 24 2024 Troy Dawson - 3.6-6 +- Bump release for June 2024 mass rebuild + +* Mon Apr 01 2024 Christoph Erhardt - 3.6-5 +- Drop unused `xz-devel` build dependency + +* Thu Jan 25 2024 Fedora Release Engineering - 3.6-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 3.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Jan 03 2024 Mamoru TASAKA - 3.6-2 +- Rebuild for https://fedoraproject.org/wiki/Changes/Ruby_3.3 + +* Thu Dec 14 2023 Petr Lautrbach - 3.6-1 +- SELinux userspace 3.6 release + +* Thu Nov 23 2023 Petr Lautrbach - 3.6-0.rc2.1 +- SELinux userspace 3.6-rc2 release + +* Mon Nov 13 2023 Petr Lautrbach - 3.6-0.rc1.1 +- SELinux userspace 3.6-rc1 release + +* Thu Jul 20 2023 Fedora Release Engineering - 3.5-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jun 22 2023 Vit Mojzis - 3.5-4 +- Add examples to man pages + +* Tue Jun 13 2023 Python Maint - 3.5-3 +- Rebuilt for Python 3.12 + +* Fri May 26 2023 Miro Hrončok - 3.5-2 +- Fix build with pip 23.1.2+ +- Fixes: rhbz#2209019 + +* Fri Feb 24 2023 Petr Lautrbach - 3.5-1 +- SELinux userspace 3.5 release + +* Mon Feb 13 2023 Petr Lautrbach - 3.5-0.rc3.1 +- SELinux userspace 3.5-rc3 release + +* Thu 
Jan 19 2023 Fedora Release Engineering - 3.5-0.rc2.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Jan 16 2023 Petr Lautrbach - 3.5-0.rc2.1 +- SELinux userspace 3.5-rc2 release + +* Wed Jan 04 2023 Mamoru TASAKA - 3.5-0.rc1.1.1 +- Rebuild for https://fedoraproject.org/wiki/Changes/Ruby_3.2 + +* Fri Dec 23 2022 Petr Lautrbach - 3.5-0.rc1.1 +- SELinux userspace 3.5-rc1 release + +* Mon Nov 21 2022 Petr Lautrbach - 3.4-6 +- Rebase on upstream f56a72ac9e86 + +* Thu Jul 21 2022 Fedora Release Engineering - 3.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 13 2022 Python Maint - 3.4-4 +- Rebuilt for Python 3.11 + +* Tue May 31 2022 Petr Lautrbach - 3.4-3 +- Revert "libselinux: restorecon: pin file to avoid TOCTOU issues" + +* Wed May 25 2022 Petr Lautrbach - 3.4-2 +- rebuilt + +* Thu May 19 2022 Petr Lautrbach - 3.4-1 +- SELinux userspace 3.4 release + +* Tue May 10 2022 Petr Lautrbach - 3.4-0.rc3.1 +- SELinux userspace 3.4-rc3 release + +* Thu Apr 21 2022 Petr Lautrbach - 3.4-0.rc2.1 +- SELinux userspace 3.4-rc2 release + +* Tue Apr 12 2022 Petr Lautrbach - 3.4-0.rc1.1 +- SELinux userspace 3.4-rc1 release + +* Thu Jan 27 2022 Mamoru TASAKA - 3.3-4 +- F-36: rebuild against ruby31 + +* Thu Jan 20 2022 Fedora Release Engineering - 3.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Mon Nov 29 2021 Petr Lautrbach - 3.3-2 +- Introduce selinux_restorecon_parallel(3) + +* Fri Oct 22 2021 Petr Lautrbach - 3.3-1 +- SELinux userspace 3.3 release + +* Fri Oct 8 2021 Petr Lautrbach - 3.3-0.rc3.1 +- SELinux userspace 3.3-rc3 release + +* Wed Sep 29 2021 Petr Lautrbach - 3.3-0.rc2.1 +- SELinux userspace 3.3-rc2 release + +* Wed Jul 28 2021 Petr Lautrbach - 3.2-4 +- Rebase on upstream commit 32611aea6543 + +* Thu Jul 22 2021 Fedora Release Engineering - 3.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Thu Jun 03 2021 Python Maint - 3.2-2 +- Rebuilt for 
Python 3.10 + +* Mon Mar 8 2021 Petr Lautrbach - 3.2-1 +- SELinux userspace 3.2 release + +* Fri Feb 5 2021 Petr Lautrbach - 3.2-0.rc2.1 +- SELinux userspace 3.2-rc2 release + +* Tue Jan 26 2021 Fedora Release Engineering - 3.2-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jan 20 2021 Petr Lautrbach - 3.2-0.rc1.1 +- SELinux userspace 3.2-rc1 release + +* Thu Jan 07 2021 Mamoru TASAKA - 3.1-6 +- F-34: rebuild against ruby 3.0 + +* Fri Nov 20 2020 Petr Lautrbach - 3.1-5 +- selinux(8): explain that runtime disable is deprecated + +* Fri Oct 30 2020 Petr Lautrbach - 3.1-4 +- Use libsepol.so.2 +- Convert matchpathcon to selabel_lookup() +- Change userspace AVC setenforce and policy load messages to audit + format +- Remove trailing slash on selabel_file lookups +- Use kernel status page by default + +* Wed Sep 02 2020 Jeff Law - 3.1-3 +- Re-enable LTO + +* Mon Jul 13 2020 Tom Stellard - 3.1-2 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro +- Use -fno-semantic-interposition and more make macros + +* Fri Jul 10 2020 Petr Lautrbach - 3.1-1 +- SELinux userspace 3.1 release + +* Wed Jul 1 2020 Jeff Law - 3.0-6 +- Disable LTO + +* Sat May 23 2020 Miro Hrončok - 3.0-5 +- Rebuilt for Python 3.9 + +* Thu Mar 5 2020 Petr Lautrbach - 3.0-4 +- Eliminate use of security_compute_user() + +* Wed Jan 29 2020 Fedora Release Engineering - 3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sat Jan 18 2020 Mamoru TASAKA - 3.0-2 +- F-32: rebuild against ruby27 + +* Fri Dec 6 2019 Petr Lautrbach - 3.0-1 +- SELinux userspace 3.0 release + +* Mon Nov 11 2019 Petr Lautrbach - 3.0-0.r1.1 +- SELinux userspace 3.0-rc1 release candidate + +* Thu Oct 03 2019 Miro Hrončok - 2.9-7 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Fri Aug 16 2019 Miro Hrončok - 2.9-6 +- Rebuilt for Python 3.8 + +* Mon Aug 12 2019 Petr Lautrbach - 2.9-5 +- Drop python2-libselinux (#1739646) + +* Thu Jul 25 2019 
Fedora Release Engineering - 2.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jun 28 2019 Petr Lautrbach - 2.9-3 +- Use standard build flags for Python bindings + +* Fri May 24 2019 Petr Lautrbach - 2.9-2 +- Use Python distutils to install SELinux python bindings * Mon Mar 18 2019 Petr Lautrbach - 2.9-1 - SELinux userspace 2.9 release -* Tue Nov 6 2018 Petr Lautrbach - 2.8-6 +* Wed Mar 6 2019 Petr Lautrbach - 2.9-0.rc2.1 +- SELinux userspace 2.9-rc2 release + +* Fri Feb 01 2019 Fedora Release Engineering - 2.9-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 25 2019 Petr Lautrbach - 2.9-0.rc1.1 +- SELinux userspace 2.9-rc1 release + +* Tue Jan 22 2019 Mamoru TASAKA - 2.8-8 +- F-30: again rebuild against ruby26 + +* Mon Jan 21 2019 Petr Lautrbach - 2.8-7 +- selinux_restorecon: Skip customized files also without -v +- Do not dereference symlink with statfs in selinux_restorecon + +* Mon Jan 21 2019 Mamoru TASAKA - 2.8-6 +- F-30: rebuild against ruby26 + +* Tue Nov 13 2018 Petr Lautrbach - 2.8-5 - Fix RESOURCE_LEAK coverity scan defects -* Mon Oct 15 2018 Petr Lautrbach - 2.8-5 -- selinux_restorecon: Skip customized files also without -v -- man pages fixes +* Tue Sep 4 2018 Petr Lautrbach - 2.8-4 +- Fix the whatis line for the selinux_boolean_sub.3 manpage +- Fix line wrapping in selabel_file.5 +- Fix spelling errors in manpages -* Mon Oct 1 2018 Petr Lautrbach - 2.8-4 -- Build libselinux-python when %with_python2 macro is set to non-zero value +* Fri Jul 13 2018 Fedora Release Engineering - 2.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild -* Fri Jun 22 2018 Petr Lautrbach - 2.8-3 -- Build libselinux-ruby (#1581322) - -* Thu Jun 7 2018 Petr Lautrbach - 2.8-2 -- Don't build the Python 2 subpackage (#1567358) +* Fri Jun 15 2018 Miro Hrončok - 2.8-2 +- Rebuilt for Python 3.7 * Fri May 25 2018 Petr Lautrbach - 2.8-1 - SELinux userspace 2.8 release 
@@ -344,9 +491,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* * Mon Apr 23 2018 Petr Lautrbach - 2.8-0.rc1.1 - SELinux userspace 2.8-rc1 release candidate -* Mon Apr 23 2018 Petr Lautrbach - 2.7-14 -- Do not build libselinux-ruby - * Wed Mar 21 2018 Petr Lautrbach - 2.7-13 - build: Replace PYSITEDIR with PYTHONLIBDIR @@ -560,7 +704,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* - Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 * Tue May 6 2014 Dan Walsh - 2.3-1 -- Update to upstream +- Update to upstream * Get rid of security_context_t and fix const declarations. * Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover. @@ -590,7 +734,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* - Add ghost flag for /var/run/setrans * Mon Jan 6 2014 Dan Walsh - 2.2.2-1 -- Update to upstream +- Update to upstream * Fix userspace AVC handling of per-domain permissive mode. - Verify context is not null when passed into *setfilecon_raw @@ -610,12 +754,12 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* - Remove togglesebool man page * Mon Nov 25 2013 Dan Walsh - 2.2.1-1 -- Update to upstream +- Update to upstream * Remove -lpthread from pkg-config file; it is not required. - Add support for policy compressed with xv * Thu Oct 31 2013 Dan Walsh - 2.2-1 -- Update to upstream +- Update to upstream * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode. * Support overriding Makefile RANLIB from Sven Vermeulen. * Update pkgconfig definition from Sven Vermeulen. @@ -645,7 +789,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* - Do substitutions on a local sub followed by a dist sub * Thu Oct 3 2013 Dan Walsh - 2.1.13-20 -- Eliminate requirement on pthread library, by applying patch for Jakub Jelinek +- Eliminate requirement on pthread library, by applying patch for Jakub Jelinek Resolves #1013801 * Mon Sep 16 2013 Dan Walsh - 2.1.13-19 
@@ -674,7 +818,7 @@ Resolves #1013801 - Add Eric Paris patch to fix procattr calls after a fork. * Tue Mar 26 2013 Dan Walsh - 2.1.13-12 -- Move secolor.conf.5 into mcstrans package and out of libselinux +- Move secolor.conf.5 into mcstrans package and out of libselinux * Wed Mar 20 2013 Dan Walsh - 2.1.13-11 - Fix python bindings for selinux_check_access @@ -710,7 +854,7 @@ Resolves #1013801 - Revert some changes which are causing the wrong policy version file to be created * Thu Feb 7 2013 Dan Walsh - 2.1.13-1 -- Update to upstream +- Update to upstream * audit2why: make sure path is nul terminated * utils: new file context regex compiler * label_file: use precompiled filecontext when possible @@ -736,7 +880,7 @@ Resolves #1013801 * unmap file contexts on selabel_close() * do not leak file contexts with mmap'd backend * sefcontext_compile: do not leak fd on error - * matchmediacon: do not leak fd + * matchmediacon: do not leak fd * src/label_android_property: do not leak fd on error * Sun Jan 27 2013 Dan Walsh - 2.1.12-20 @@ -805,7 +949,7 @@ Resolves #1013801 - Rebuild with fixed libsepol * Thu Sep 13 2012 Dan Walsh - 2.1.12-1 -- Update to upstream +- Update to upstream * Add support for lxc_contexts_path * utils: add service to getdefaultcon * libsemanage: do not set soname needlessly @@ -854,7 +998,7 @@ Resolves #1013801 - Revert Eric Paris Patch for selinux_binary_policy_path * Wed Jul 4 2012 Dan Walsh - 2.1.11-1 -- Update to upstream +- Update to upstream * Fortify source now requires all code to be compiled with -O flag * asprintf return code must be checked * avc_netlink_recieve handle EINTR @@ -868,7 +1012,7 @@ Resolves #1013801 * additional makefile support for rubywrap * Mon Jun 11 2012 Dan Walsh - 2.1.10-5 -- Fix booleans.subs name, change function name to selinux_boolean_sub, +- Fix booleans.subs name, change function name to selinux_boolean_sub, add man page, minor fixes to the function * Fri May 25 2012 Dan Walsh - 2.1.10-4 
@@ -884,7 +1028,7 @@ Resolves #1013801 - Add support fot boolean subs file * Thu Mar 29 2012 Dan Walsh - 2.1.10-1 -- Update to upstream +- Update to upstream * Fix dead links to www.nsa.gov/selinux * Remove jump over variable declaration * Fix old style function definitions @@ -920,7 +1064,7 @@ Resolves #1013801 - Make work with ruby-1.9 * Fri Feb 3 2012 Dan Walsh - 2.1.9-7 -- avc_netlink_recieve should continue to poll if it receinves an EINTR rather +- avc_netlink_recieve should continue to poll if it receinves an EINTR rather * Sun Jan 29 2012 Kay Sievers - 2.1.9-6 - use /sbin/ldconfig, glibc does not provide @@ -1000,7 +1144,7 @@ Resolves #1013801 - Add selinux_check_access function. Needed for passwd, chfn, chsh * Thu Sep 22 2011 Dan Walsh - 2.1.6-2 -- Handle situation where selinux=0 passed to the kernel and both /selinux and +- Handle situation where selinux=0 passed to the kernel and both /selinux and * Mon Sep 19 2011 Dan Walsh - 2.1.6-1 -Update to upstream @@ -1020,8 +1164,8 @@ Resolves #1013801 - Fix handling of subset labeling that is causing segfault in restorecon * Fri Sep 2 2011 Dan Walsh - 2.1.5-2 -- Change matchpathcon_init_prefix and selabel_open to allow multiple initial -prefixes. Now you can specify a ";" separated list of prefixes and the +- Change matchpathcon_init_prefix and selabel_open to allow multiple initial +prefixes. Now you can specify a ";" separated list of prefixes and the labeling system will only load regular expressions that match these prefixes. * Tue Aug 30 2011 Dan Walsh - 2.1.5-1 @@ -1074,7 +1218,7 @@ labeling system will only load regular expressions that match these prefixes. * Update man pages for selinux_color_* functions by Richard Haines. * Mon Jun 13 2011 Dan Walsh - 2.0.102-6 -- Only call dups check within selabel/matchpathcon if you are validating the +- Only call dups check within selabel/matchpathcon if you are validating the context - This seems to speed the loading of labels by 4 times. 
@@ -1113,15 +1257,15 @@ context * Tue Apr 5 2011 Dan Walsh - 2.0.99-4 Add patch from dbhole@redhat.com to initialize thread keys to -1 Errors were being seen in libpthread/libdl that were related -to corrupt thread specific keys. Global destructors that are called on dl -unload. During destruction delete a thread specific key without checking -if it has been initialized. Since the constructor is not called each time -(i.e. key is not initialized with pthread_key_create each time), and the -default is 0, there is a possibility that key 0 for an active thread gets +to corrupt thread specific keys. Global destructors that are called on dl +unload. During destruction delete a thread specific key without checking +if it has been initialized. Since the constructor is not called each time +(i.e. key is not initialized with pthread_key_create each time), and the +default is 0, there is a possibility that key 0 for an active thread gets deleted. This is exactly what is happening in case of OpenJDK. Workaround patch that initializes the key to -1. Thus if the constructor is not -called, the destructor tries to delete key -1 which is deemed invalid by +called, the destructor tries to delete key -1 which is deemed invalid by pthread_key_delete, and is ignored. * Tue Apr 5 2011 Dan Walsh - 2.0.99-3 @@ -1144,11 +1288,11 @@ pthread_key_delete, and is ignored. - Fix Makefile to use pkg-config --cflags python3 to discover include paths * Tue Dec 21 2010 Dan Walsh - 2.0.98-1 -- Update to upstream +- Update to upstream - Turn off fallback in to SELINUX_DEFAULTUSER in get_context_list * Mon Dec 6 2010 Dan Walsh - 2.0.97-1 -- Update to upstream +- Update to upstream * Thread local storage fixes from Eamon Walsh. * Sat Dec 4 2010 Dan Walsh - 2.0.96-9 
@@ -1176,31 +1320,31 @@ pthread_key_delete, and is ignored. - Turn off messages in audit2why * Wed Mar 24 2010 Dan Walsh - 2.0.96-1 -- Update to upstream +- Update to upstream * Add const qualifiers to public API where appropriate by KaiGai Kohei. 2.0.95 2010-06-10 * Remove duplicate slashes in paths in selabel_lookup from Chad Sellers * Adds a chcon method to the libselinux python bindings from Steve Lawrence -- add python3 subpackage from David Malcolm +- add python3 subpackage from David Malcolm * Wed Mar 24 2010 Dan Walsh - 2.0.94-1 * Set errno=EINVAL for invalid contexts from Dan Walsh. * Tue Mar 16 2010 Dan Walsh - 2.0.93-1 -- Update to upstream +- Update to upstream * Show strerror for security_getenforce() by Colin Waters. * Merged selabel database support by KaiGai Kohei. * Modify netlink socket blocking code by KaiGai Kohei. * Sun Mar 7 2010 Dan Walsh - 2.0.92-1 -- Update to upstream +- Update to upstream * Fix from Eric Paris to fix leak on non-selinux systems. * regenerate swig wrappers * pkgconfig fix to respect LIBDIR from Dan Walsh. * Wed Feb 24 2010 Dan Walsh - 2.0.91-1 -- Update to upstream +- Update to upstream * Change the AVC to only audit the permissions specified by the policy, excluding any permissions specified via dontaudit or not specified via auditallow. @@ -1219,7 +1363,7 @@ pthread_key_delete, and is ignored. - Free memory on disabled selinux boxes * Tue Dec 1 2009 Dan Walsh - 2.0.90-1 -- Update to upstream +- Update to upstream * add/reformat man pages by Guido Trentalancia . * Change exception.sh to be called with bash by Manoj Srivastava 
@@ -1227,15 +1371,15 @@ pthread_key_delete, and is ignored. - Fix selinuxdefcon man page * Mon Nov 2 2009 Dan Walsh - 2.0.89-1 -- Update to upstream +- Update to upstream * Add pkgconfig file from Eamon Walsh. * Thu Oct 29 2009 Dan Walsh - 2.0.88-1 -- Update to upstream +- Update to upstream * Rename and export selinux_reset_config() * Tue Sep 8 2009 Dan Walsh - 2.0.87-1 -- Update to upstream +- Update to upstream * Add exception handling in libselinux from Dan Walsh. This uses a shell script called exception.sh to generate a swig interface file. * make swigify @@ -1245,14 +1389,14 @@ pthread_key_delete, and is ignored. - Eliminate -pthread switch in Makefile * Tue Sep 8 2009 Dan Walsh - 2.0.86-1 -- Update to upstream +- Update to upstream * Removal of reference counting on userspace AVC SID's. * Sat Jul 25 2009 Fedora Release Engineering - 2.0.85-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild * Tue Jul 7 2009 Dan Walsh - 2.0.85-1 -- Update to upstream +- Update to upstream * Reverted Tomas Mraz's fix for freeing thread local storage to avoid pthread dependency. * Removed fini_context_translations() altogether. @@ -1260,7 +1404,7 @@ pthread_key_delete, and is ignored. by Steve Grubb. * Tue Jul 7 2009 Dan Walsh - 2.0.84-1 -- Update to upstream +- Update to upstream * Add per-service seuser support from Dan Walsh. * Let load_policy gracefully handle selinuxfs being mounted from Stephen Smalley. * Check /proc/filesystems before /proc/mounts for selinuxfs from Eric 
@@ -1270,20 +1414,20 @@ pthread_key_delete, and is ignored. - Add provices ruby(selinux) * Tue Jun 23 2009 Dan Walsh - 2.0.82-1 -- Update to upstream +- Update to upstream * Fix improper use of thread local storage from Tomas Mraz . * Label substitution support from Dan Walsh. * Support for labeling virtual machine images from Dan Walsh. * Mon May 18 2009 Dan Walsh - 2.0.81-1 -- Update to upstream +- Update to upstream * Trim / from the end of input paths to matchpathcon from Dan Walsh. * Fix leak in process_line in label_file.c from Hiroshi Shinji. * Move matchpathcon to /sbin, add matchpathcon to clean target from Dan Walsh. * getdefaultcon to print just the correct match and add verbose option from Dan Walsh. * Wed Apr 8 2009 Dan Walsh - 2.0.80-1 -- Update to upstream +- Update to upstream * deny_unknown wrapper function from KaiGai Kohei. * security_compute_av_flags API from KaiGai Kohei. * Netlink socket management and callbacks from KaiGai Kohei. @@ -1301,22 +1445,22 @@ pthread_key_delete, and is ignored. - Add back in av_decision to python swig * Thu Mar 12 2009 Dan Walsh - 2.0.79-1 -- Update to upstream +- Update to upstream * Netlink socket handoff patch from Adam Jackson. * AVC caching of compute_create results by Eric Paris. * Tue Mar 10 2009 Dan Walsh - 2.0.78-5 -- Add patch from ajax to accellerate X SELinux +- Add patch from ajax to accellerate X SELinux - Update eparis patch * Mon Mar 9 2009 Dan Walsh - 2.0.78-4 - Add eparis patch to accellerate Xwindows performance * Mon Mar 9 2009 Dan Walsh - 2.0.78-3 -- Fix URL +- Fix URL * Fri Mar 6 2009 Dan Walsh - 2.0.78-2 -- Add substitute pattern +- Add substitute pattern - matchpathcon output <> on ENOENT * Mon Mar 2 2009 Dan Walsh - 2.0.78-1 @@ -1327,7 +1471,7 @@ pthread_key_delete, and is ignored. - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild * Wed Feb 18 2009 Dan Walsh - 2.0.77-5 -- Add +- Add - selinux_virtual_domain_context_path - selinux_virtual_image_context_path 
@@ -1374,7 +1518,7 @@ pthread_key_delete, and is ignored. * Update flask headers from refpolicy trunk from Dan Walsh. * Fri Sep 26 2008 Dan Walsh - 2.0.71-6 -- Fix matchpathcon -V call +- Fix matchpathcon -V call * Tue Sep 9 2008 Dan Walsh - 2.0.71-5 - Add flask definitions for open, X and nlmsg_tty_audit @@ -1534,7 +1678,7 @@ pthread_key_delete, and is ignored. - smp_mflag * Thu Jan 3 2008 Dan Walsh - 2.0.46-2 -- Fix spec file caused by spec review +- Fix spec file caused by spec review * Fri Nov 30 2007 Dan Walsh - 2.0.46-1 - Upgrade to upstream @@ -1576,7 +1720,7 @@ pthread_key_delete, and is ignored. * Wed Sep 26 2007 Dan Walsh - 2.0.35-1 - Upgrade to upstream * Make netlink socket close-on-exec to avoid descriptor leakage from Dan Walsh. - * Pass CFLAGS when using gcc for linking from Dennis Gilmore. + * Pass CFLAGS when using gcc for linking from Dennis Gilmore. * Mon Sep 24 2007 Dan Walsh - 2.0.34-3 - Add sparc patch to from Dennis Gilmore to build on Sparc platform @@ -1608,7 +1752,7 @@ pthread_key_delete, and is ignored. * Fix file_contexts.homedirs path from Todd Miller. * Tue Aug 21 2007 Dan Walsh - 2.0.30-2 -- Remove requirement on setransd, Moved to selinux-policy-mls +- Remove requirement on setransd, Moved to selinux-policy-mls * Fri Aug 10 2007 Dan Walsh - 2.0.30-1 - Move libselinux.so into devel package @@ -1620,7 +1764,7 @@ pthread_key_delete, and is ignored. * Fri Aug 3 2007 Dan Walsh - 2.0.29-1 - Upgrade to upstream - * Updated version for stable branch. + * Updated version for stable branch. * Added x_contexts path function patch from Eamon Walsh. * Fix build for EMBEDDED=y from Yuichi Nakamura. * Fix markup problems in selinux man pages from Dan Walsh. 
@@ -1741,13 +1885,13 @@ pthread_key_delete, and is ignored. of the use of the non-standard format (original patch changed for style). - Merged patch from Todd Miller to fix memory leak in matchpathcon.c. - + * Fri Jan 19 2007 Dan Walsh - 1.34.0-2 - Add context function to python to split context into 4 parts * Fri Jan 19 2007 Dan Walsh - 1.34.0-1 - Upgrade to upstream - * Updated version for stable branch. + * Updated version for stable branch. * Wed Jan 17 2007 Dan Walsh - 1.33.6-1 - Upgrade to upstream @@ -1868,8 +2012,8 @@ Resolves: #200110 - only build non-fpic objects with -mno-tls-direct-seg-refs * Tue Aug 1 2006 Jeremy Katz - 1.30.19-4 -- build with -mno-tls-direct-seg-refs on x86 to avoid triggering - segfaults with xen (#200783) +- build with -mno-tls-direct-seg-refs on x86 to avoid triggering + segfaults with xen (#200783) * Mon Jul 17 2006 Dan Walsh 1.30.19-3 - Rebuild for new gcc @@ -1921,7 +2065,7 @@ Resolves: #200110 - Check for selinux_mnt == NULL * Tue May 30 2006 Dan Walsh 1.30.11-1 -- Merged matchmediacon and trans_to_raw_context fixes from +- Merged matchmediacon and trans_to_raw_context fixes from Serge Hallyn. * Fri May 26 2006 Dan Walsh 1.30.10-4 @@ -1965,7 +2109,7 @@ Resolves: #200110 * Mon May 8 2006 Dan Walsh 1.30.5-1 - Upgrade to latest from NSA - * Merged fix warnings patch from Karl MacMillan. + * Merged fix warnings patch from Karl MacMillan. * Merged setrans client support from Dan Walsh. This removes use of libsetrans. * Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh. @@ -2057,7 +2201,7 @@ Resolves: #200110 allocated by libsetrans. * Sun Dec 11 2005 Dan Walsh 1.29.1-3 -- update to latest libsetrans +- update to latest libsetrans - Fix potential memory leak * Fri Dec 09 2005 Jesse Keating 
@@ -2192,7 +2336,7 @@ Resolves: #200110 * Fri Oct 7 2005 Dan Walsh 1.27.7-1 - Update to latest from NSA * Changed getseuserbyname to fall back to the Linux username and - NULL level if seusers config file doesn't exist unless + NULL level if seusers config file doesn't exist unless REQUIRESEUSERS=1 is set in /etc/selinux/config. * Moved seusers.conf under $SELINUXTYPE and renamed to seusers. @@ -2200,7 +2344,7 @@ Resolves: #200110 - Update to latest from NSA * Added selinux_init_load_policy() function as an even higher level interface for the initial policy load by /sbin/init. This obsoletes - the load_policy() function in the sysvinit-selinux.patch. + the load_policy() function in the sysvinit-selinux.patch. * Added selinux_mkload_policy() function as a higher level interface for loading policy than the security_load_policy() interface. @@ -2258,7 +2402,7 @@ Resolves: #200110 * Thu Aug 25 2005 Dan Walsh 1.25.4-1 - Update from NSA - * Hid translation-related symbols entirely and ensured that + * Hid translation-related symbols entirely and ensured that raw functions have hidden definitions for internal use. * Allowed setting NULL via context_set* functions. * Allowed whitespace in MLS component of context. @@ -2282,7 +2426,7 @@ Resolves: #200110 code from Serge Hallyn (IBM). Bugs found by Coverity. * Removed setupns; migrated to pam. * Merged patches to rename checkPasswdAccess() from Joshua Brindle. - Original symbol is temporarily retained for compatibility until + Original symbol is temporarily retained for compatibility until all callers are updated. * Mon Jul 18 2005 Dan Walsh 1.24.2-1 @@ -2296,9 +2440,9 @@ Resolves: #200110 * Fri May 20 2005 Dan Walsh 1.23.11-1 - Update from NSA * Merged avcstat and selinux man page from Dan Walsh. - * Changed security_load_booleans to process booleans.local + * Changed security_load_booleans to process booleans.local even if booleans file doesn't exist. - + * Fri Apr 29 2005 Dan Walsh 1.23.10-3 - Fix avcstat to clear totals 
@@ -2350,7 +2494,7 @@ Resolves: #200110 - Update from NSA * Added set_matchpathcon_flags() function for setting flags controlling operation of matchpathcon. MATCHPATHCON_BASEONLY - means only process the base file_contexts file, not + means only process the base file_contexts file, not file_contexts.homedirs or file_contexts.local, and is for use by setfiles -c. * Updated matchpathcon.3 man page. @@ -2438,7 +2582,7 @@ Resolves: #200110 * Wed Dec 29 2004 Dan Walsh 1.19.4-1 - Update to latest from upstream - * Changed matchpathcon to return -1 with errno ENOENT for + * Changed matchpathcon to return -1 with errno ENOENT for <> entries, and also for an empty file_contexts configuration. * Tue Dec 28 2004 Dan Walsh 1.19.3-3 @@ -2470,7 +2614,7 @@ Resolves: #200110 - Update from upstream, fix setsebool -P segfault * Fri Nov 5 2004 Steve Grubb 1.18.1-5 -- Add a patch from upstream. Fixes signed/unsigned issues, and +- Add a patch from upstream. Fixes signed/unsigned issues, and incomplete structure copy. * Thu Nov 4 2004 Dan Walsh 1.18.1-4 @@ -2542,11 +2686,11 @@ Resolves: #200110 * Thu Sep 2 2004 Dan Walsh 1.17.8-1 - Update from NSA - * Added set_matchpathcon_printf. + * Added set_matchpathcon_printf. * Wed Sep 1 2004 Dan Walsh 1.17.7-1 - Update from NSA - * Reworked av_inherit.h to allow easier re-use by kernel. + * Reworked av_inherit.h to allow easier re-use by kernel. * Tue Aug 31 2004 Dan Walsh 1.17.6-1 - Add strcasecmp in selinux_config @@ -2671,11 +2815,11 @@ Resolves: #200110 - Update with latest from NSA * Thu Apr 22 2004 Dan Walsh 1.11.3-1 -- Add changes for relaxed policy -- Update to match NSA +- Add changes for relaxed policy +- Update to match NSA * Thu Apr 15 2004 Dan Walsh 1.11.2-1 -- Add relaxed policy changes +- Add relaxed policy changes * Thu Apr 15 2004 Dan Walsh 1.11-4 - Sync with NSA 
@@ -2748,7 +2892,7 @@ Resolves: #200110 - Add mntpoint patch for SysVinit * Fri Dec 12 2003 Dan Walsh 1.4-2 -- Add -r -u -t to getcon +- Add -r -u -t to getcon * Sat Dec 6 2003 Dan Walsh 1.4-1 - Upgrade to latest from NSA @@ -2788,3 +2932,5 @@ Resolves: #200110 * Tue May 27 2003 Dan Walsh 1.0-1 - Initial version + +## END: Generated by rpmautospec diff --git a/SOURCES/selinuxconlist.8 b/selinuxconlist.8 similarity index 100% rename from SOURCES/selinuxconlist.8 rename to selinuxconlist.8 diff --git a/SOURCES/selinuxdefcon.8 b/selinuxdefcon.8 similarity index 100% rename from SOURCES/selinuxdefcon.8 rename to selinuxdefcon.8 diff --git a/sources b/sources new file mode 100644 index 0000000..7414748 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (libselinux-3.8.tar.gz) = e36edec33c3960679a8975f839a4d64d4b1f82d51346fba21082c2686136259040099c7fee2c947ac2ca180d61d10356c9b3d359a1c5f1242b6ecdd7c036005e