Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/libselinux.git#a749a265bd4a0122f5f7b676c77c0cd498e63c6a
This commit is contained in:
DistroBaker 2021-01-21 16:44:11 +00:00
parent 33c1f125a7
commit 4468da8e97
20 changed files with 10 additions and 1467 deletions

1
.gitignore vendored
View File

@ -215,3 +215,4 @@ libselinux-2.0.96.tgz
/libselinux-3.0-rc1.tar.gz
/libselinux-3.0.tar.gz
/libselinux-3.1.tar.gz
/libselinux-3.2-rc1.tar.gz

View File

@ -1,506 +0,0 @@
From 05bdc03130d741e53e1fb45a958d0a2c184be503 Mon Sep 17 00:00:00 2001
From: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Date: Wed, 5 Aug 2020 15:43:12 -0400
Subject: [PATCH] libselinux: use kernel status page by default
Commit bc2a8f418e3b ("libselinux: add selinux_status_* interfaces for
/selinux/status") introduced the sestatus mechanism, which allows for
mmap()'ing of the kernel status page as a replacement for avc_netlink.
The mechanism was initially intended for userspace object managers that
were calculating access decisions within their application and did not
rely on the libselinux AVC implementation. In order to properly make use
of sestatus within avc_has_perm(), the status mechanism needs to
properly set avc internals during status events; else, avc_enforcing is
never updated upon sestatus changes.
This commit gets rid of the default avc_netlink_open() in
avc_init_internal(), replacing it with selinux_status_open(). In the
event that the kernel status page cannot be mapped, the netlink fallback
will be used. By default, avc_has_perm_noaudit() and
selinux_check_access() will now attempt to read the kernel status page,
which removes a system call from two critical code paths.
Since the AVC thread create/stop callbacks were intended to avoid a
system call in the critical code path, they no longer need to be created
by default. In the event that the kernel status page is successfully
mapped, threads will not be created. Threads will still be
created/stopped for the sestatus fallback codepaths.
Userspace object managers that still need a netlink socket can call
avc_netlink_acquire_fd() to open and/or obtain one.
Update the manpage to reflect the new avc_netlink_acquire_fd()
functionality.
Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/man/man3/avc_init.3 | 51 ++++++++++++--
libselinux/man/man3/avc_netlink_loop.3 | 8 +++
libselinux/man/man3/avc_open.3 | 36 +++++++++-
libselinux/man/man3/selinux_status_open.3 | 13 ++--
libselinux/src/avc.c | 15 ++---
libselinux/src/avc_internal.c | 82 ++++++++++++++++-------
libselinux/src/avc_internal.h | 4 ++
libselinux/src/checkAccess.c | 2 +-
libselinux/src/sestatus.c | 24 +++++++
9 files changed, 184 insertions(+), 51 deletions(-)
diff --git a/libselinux/man/man3/avc_init.3 b/libselinux/man/man3/avc_init.3
index e26c3be6071c..a5dc7c93c703 100644
--- a/libselinux/man/man3/avc_init.3
+++ b/libselinux/man/man3/avc_init.3
@@ -117,6 +117,8 @@ argument, which does not return under normal conditions. The
callback should cancel the running thread referenced by
.IR thread .
By default, threading is not used; see
+.B KERNEL STATUS PAGE
+and
.B NETLINK NOTIFICATION
below.
@@ -153,14 +155,49 @@ callback should destroy
.IR lock ,
freeing any resources associated with it. The default behavior is not to perform any locking. Note that undefined behavior may result if threading is used without appropriate locking.
.
-.SH "NETLINK NOTIFICATION"
-Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
-.BR avc_has_perm (3)
-to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed.
+.SH "KERNEL STATUS PAGE"
+Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to
+.BR mmap (2)
+SELinux status state in read-only mode to avoid system calls during the cache hit code path.
-In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to
.BR avc_init ()
-however, a dedicated thread will be started to listen on the netlink socket. This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query.
+calls
+.BR selinux_status_open (3)
+to initialize the selinux status state. If successfully initialized, the userspace AVC will default to single-threaded mode and ignore the
+.B func_create_thread
+and
+.B func_stop_thread
+callbacks. All callbacks set via
+.BR selinux_set_callback (3)
+will still be honored.
+
+.BR avc_has_perm (3)
+and
+.BR selinux_check_access (3)
+both check for status updates through calls to
+.BR selinux_status_updated (3)
+at the start of each permission query and take the appropriate action.
+
+Two status types are currently implemented.
+.B setenforce
+events will change the effective enforcing state used within the AVC, and
+.B policyload
+events will result in a cache flush.
+.
+.SH "NETLINK NOTIFICATION"
+In the event that the kernel status page is not successfully
+.BR mmap (2)'ed
+the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates.
+.B setenforce
+and
+.B policyload
+events will have the same results as for the status page implementation, but all status update checks will now require a system call.
+
+By default,
+.BR avc_open (3)
+does not set threading or locking callbacks. In the fallback case, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to
+.BR avc_init (),
+a dedicated thread will be started to listen on the netlink socket. This may increase performance in the absence of the status page and will ensure that log messages are generated immediately rather than at the time of the next permission query.
.
.SH "RETURN VALUE"
Functions with a return value return zero on success. On error, \-1 is returned and
@@ -192,5 +229,7 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
.
.SH "SEE ALSO"
.BR avc_open (3),
+.BR selinux_status_open (3),
+.BR selinux_status_updated (3),
.BR selinux_set_callback (3),
.BR selinux (8)
diff --git a/libselinux/man/man3/avc_netlink_loop.3 b/libselinux/man/man3/avc_netlink_loop.3
index c8268a124df0..f03d78138d8c 100644
--- a/libselinux/man/man3/avc_netlink_loop.3
+++ b/libselinux/man/man3/avc_netlink_loop.3
@@ -54,6 +54,11 @@ closes the netlink socket. This function is called automatically by
returns the netlink socket descriptor number and informs the userspace AVC
not to check the socket descriptor automatically on calls to
.BR avc_has_perm (3).
+If no such socket descriptor exists,
+.BR avc_netlink_acquire_fd (3)
+will first call
+.BR avc_netlink_open (3)
+and then return the resulting fd.
.BR avc_netlink_release_fd ()
returns control of the netlink socket to the userspace AVC, re-enabling
@@ -78,6 +83,9 @@ with a return value return zero on success. On error, \-1 is returned and
.I errno
is set appropriately.
.
+.SH "AUTHOR"
+Originally KaiGai Kohei. Updated by Mike Palmiotto <mike.palmiotto@crunchydata.com>
+.
.SH "SEE ALSO"
.BR avc_open (3),
.BR selinux_set_callback (3),
diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3
index 5b275a8ee040..3090dd5077c7 100644
--- a/libselinux/man/man3/avc_open.3
+++ b/libselinux/man/man3/avc_open.3
@@ -46,10 +46,37 @@ include the following:
.B AVC_OPT_SETENFORCE
This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise. The system enforcing mode will be ignored.
.
-.SH "NETLINK NOTIFICATION"
-Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
+.SH "KERNEL STATUS PAGE"
+Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to
+.BR mmap (2)
+SELinux status state in read-only mode to avoid system calls during the cache hit code path.
+
+.BR avc_open ()
+calls
+.BR selinux_status_open (3)
+to initialize the selinux status state.
+
.BR avc_has_perm (3)
-to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed.
+and
+.BR selinux_check_access (3)
+both check for status updates through calls to
+.BR selinux_status_updated (3)
+at the start of each permission query and take the appropriate action.
+
+Two status types are currently implemented.
+.B setenforce
+events will change the effective enforcing state used within the AVC, and
+.B policyload
+events will result in a cache flush.
+.
+.SH "NETLINK NOTIFICATION"
+In the event that the kernel status page is not successfully
+.BR mmap (2)'ed
+the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates.
+.B setenforce
+and
+.B policyload
+events will have the same results as for the status page implementation, but all status update checks will now require a system call.
.
.SH "RETURN VALUE"
Functions with a return value return zero on success. On error, \-1 is returned and
@@ -61,9 +88,12 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
.
.SH "SEE ALSO"
.BR selinux (8),
+.BR selinux_check_access (3),
.BR avc_has_perm (3),
.BR avc_context_to_sid (3),
.BR avc_cache_stats (3),
.BR avc_add_callback (3),
+.BR selinux_status_open (3),
+.BR selinux_status_updated (3),
.BR selinux_set_callback (3),
.BR security_compute_av (3)
diff --git a/libselinux/man/man3/selinux_status_open.3 b/libselinux/man/man3/selinux_status_open.3
index 2d44be57cbbc..5c9da2f61d19 100644
--- a/libselinux/man/man3/selinux_status_open.3
+++ b/libselinux/man/man3/selinux_status_open.3
@@ -48,7 +48,7 @@ Set 1 on the
argument to handle a case of older kernels without kernel status page support.
In this case, this function tries to open a netlink socket using
.BR avc_netlink_open (3)
-and overwrite corresponding callbacks ( setenforce and policyload).
+and overwrite corresponding callbacks (setenforce and policyload).
Thus, we need to pay attention to the interaction with these interfaces,
when fallback mode is enabled.
.sp
@@ -57,9 +57,14 @@ unmap the kernel status page and close its file descriptor, or close the
netlink socket if fallbacked.
.sp
.BR selinux_status_updated ()
-informs us whether something has been updated since the last call.
-It returns 0 if nothing was happened, however, 1 if something has been
-updated in this duration, or \-1 on error.
+processes status update events. There are two kinds of status updates.
+.B setenforce
+events will change the effective enforcing state used within the AVC, and
+.B policyload
+events will result in a cache flush.
+
+This function returns 0 if there have been no updates since the last call,
+1 if there have been updates since the last call, or \-1 on error.
.sp
.BR selinux_status_getenforce ()
returns 0 if SELinux is running in permissive mode, 1 if enforcing mode,
diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index b4648b2de170..8314d7ba3de6 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -50,7 +50,6 @@ struct avc_callback_node {
struct avc_callback_node *next;
};
-static void *avc_netlink_thread = NULL;
static void *avc_lock = NULL;
static void *avc_log_lock = NULL;
static struct avc_node *avc_node_freelist = NULL;
@@ -215,17 +214,13 @@ static int avc_init_internal(const char *prefix,
avc_enforcing = rc;
}
- rc = avc_netlink_open(0);
+ rc = selinux_status_open(1);
if (rc < 0) {
avc_log(SELINUX_ERROR,
- "%s: can't open netlink socket: %d (%s)\n",
+ "%s: could not open selinux status page: %d (%s)\n",
avc_prefix, errno, strerror(errno));
goto out;
}
- if (avc_using_threads) {
- avc_netlink_thread = avc_create_thread(&avc_netlink_loop);
- avc_netlink_trouble = 0;
- }
avc_running = 1;
out:
return rc;
@@ -557,9 +552,7 @@ void avc_destroy(void)
avc_get_lock(avc_lock);
- if (avc_using_threads)
- avc_stop_thread(avc_netlink_thread);
- avc_netlink_close();
+ selinux_status_close();
for (i = 0; i < AVC_CACHE_SLOTS; i++) {
node = avc_cache.slots[i];
@@ -766,7 +759,7 @@ int avc_has_perm_noaudit(security_id_t ssid,
avd_init(avd);
if (!avc_using_threads && !avc_app_main_loop) {
- (void)avc_netlink_check_nb();
+ (void) selinux_status_updated();
}
if (!aeref) {
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index 568a3d928ac1..4ef924527e10 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -53,6 +53,49 @@ int avc_enforcing = 1;
int avc_setenforce = 0;
int avc_netlink_trouble = 0;
+/* process setenforce events for netlink and sestatus */
+int avc_process_setenforce(int enforcing)
+{
+ int rc = 0;
+
+ avc_log(SELINUX_INFO,
+ "%s: received setenforce notice (enforcing=%d)\n",
+ avc_prefix, enforcing);
+ if (avc_setenforce)
+ goto out;
+ avc_enforcing = enforcing;
+ if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
+ avc_log(SELINUX_ERROR,
+ "%s: cache reset returned %d (errno %d)\n",
+ avc_prefix, rc, errno);
+ return rc;
+ }
+
+out:
+ return selinux_netlink_setenforce(enforcing);
+}
+
+/* process policyload events for netlink and sestatus */
+int avc_process_policyload(uint32_t seqno)
+{
+ int rc = 0;
+
+ avc_log(SELINUX_INFO,
+ "%s: received policyload notice (seqno=%u)\n",
+ avc_prefix, seqno);
+ rc = avc_ss_reset(seqno);
+ if (rc < 0) {
+ avc_log(SELINUX_ERROR,
+ "%s: cache reset returned %d (errno %d)\n",
+ avc_prefix, rc, errno);
+ return rc;
+ }
+
+ selinux_flush_class_cache();
+
+ return selinux_netlink_policyload(seqno);
+}
+
/* netlink socket code */
static int fd = -1;
@@ -177,20 +220,7 @@ static int avc_netlink_process(void *buf)
case SELNL_MSG_SETENFORCE:{
struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
- msg->val = !!msg->val;
- avc_log(SELINUX_INFO,
- "%s: received setenforce notice (enforcing=%d)\n",
- avc_prefix, msg->val);
- if (avc_setenforce)
- break;
- avc_enforcing = msg->val;
- if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
- avc_log(SELINUX_ERROR,
- "%s: cache reset returned %d (errno %d)\n",
- avc_prefix, rc, errno);
- return rc;
- }
- rc = selinux_netlink_setenforce(msg->val);
+ rc = avc_process_setenforce(!!msg->val);
if (rc < 0)
return rc;
break;
@@ -198,18 +228,7 @@ static int avc_netlink_process(void *buf)
case SELNL_MSG_POLICYLOAD:{
struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
- avc_log(SELINUX_INFO,
- "%s: received policyload notice (seqno=%u)\n",
- avc_prefix, msg->seqno);
- rc = avc_ss_reset(msg->seqno);
- if (rc < 0) {
- avc_log(SELINUX_ERROR,
- "%s: cache reset returned %d (errno %d)\n",
- avc_prefix, rc, errno);
- return rc;
- }
- selinux_flush_class_cache();
- rc = selinux_netlink_policyload(msg->seqno);
+ rc = avc_process_policyload(msg->seqno);
if (rc < 0)
return rc;
break;
@@ -284,6 +303,17 @@ void avc_netlink_loop(void)
int avc_netlink_acquire_fd(void)
{
+ if (fd < 0) {
+ int rc = 0;
+ rc = avc_netlink_open(0);
+ if (rc < 0) {
+ avc_log(SELINUX_ERROR,
+ "%s: could not open netlink socket: %d (%s)\n",
+ avc_prefix, errno, strerror(errno));
+ return rc;
+ }
+ }
+
avc_app_main_loop = 1;
return fd;
diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
index 3f8a6bb1cf84..da67affc9307 100644
--- a/libselinux/src/avc_internal.h
+++ b/libselinux/src/avc_internal.h
@@ -32,6 +32,10 @@ extern void (*avc_func_get_lock) (void *);
extern void (*avc_func_release_lock) (void *);
extern void (*avc_func_free_lock) (void *);
+/* selinux status processing for netlink and sestatus */
+extern int avc_process_setenforce(int enforcing);
+extern int avc_process_policyload(uint32_t seqno);
+
static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
const struct avc_log_callback *log_cb,
const struct avc_thread_callback *thread_cb,
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 3491fded7895..b337ea64f977 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -39,7 +39,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
if (rc < 0)
return rc;
- (void) avc_netlink_check_nb();
+ (void) selinux_status_updated();
sclass = string_to_security_class(class);
if (sclass == 0) {
diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
index 86267ff89646..814e86ee10e7 100644
--- a/libselinux/src/sestatus.c
+++ b/libselinux/src/sestatus.c
@@ -39,11 +39,14 @@ struct selinux_status_t
static struct selinux_status_t *selinux_status = NULL;
static int selinux_status_fd;
static uint32_t last_seqno;
+static uint32_t last_policyload;
static uint32_t fallback_sequence;
static int fallback_enforcing;
static int fallback_policyload;
+static void *fallback_netlink_thread = NULL;
+
/*
* read_sequence
*
@@ -116,6 +119,15 @@ int selinux_status_updated(void)
if (last_seqno != curr_seqno)
{
+ if (avc_enforcing != (int) selinux_status->enforcing) {
+ if (avc_process_setenforce(selinux_status->enforcing) < 0)
+ return -1;
+ }
+ if (last_policyload != selinux_status->policyload) {
+ if (avc_process_policyload(selinux_status->policyload) < 0)
+ return -1;
+ last_policyload = selinux_status->policyload;
+ }
last_seqno = curr_seqno;
result = 1;
}
@@ -282,6 +294,9 @@ int selinux_status_open(int fallback)
selinux_status_fd = fd;
last_seqno = (uint32_t)(-1);
+ /* No need to use avc threads if the kernel status page is available */
+ avc_using_threads = 0;
+
return 0;
error:
@@ -305,6 +320,12 @@ error:
selinux_status_fd = avc_netlink_acquire_fd();
last_seqno = (uint32_t)(-1);
+ if (avc_using_threads)
+ {
+ fallback_netlink_thread = avc_create_thread(&avc_netlink_loop);
+ avc_netlink_trouble = 0;
+ }
+
fallback_sequence = 0;
fallback_enforcing = security_getenforce();
fallback_policyload = 0;
@@ -333,6 +354,9 @@ void selinux_status_close(void)
/* fallback-mode */
if (selinux_status == MAP_FAILED)
{
+ if (avc_using_threads)
+ avc_stop_thread(fallback_netlink_thread);
+
avc_netlink_release_fd();
avc_netlink_close();
selinux_status = NULL;
--
2.29.0

View File

@ -1,27 +0,0 @@
From e7abd802d4d8541627c590424a6578348ee6032b Mon Sep 17 00:00:00 2001
From: Stephen Smalley <stephen.smalley.work@gmail.com>
Date: Thu, 6 Aug 2020 10:46:38 -0400
Subject: [PATCH] libselinux: fix build order
We need to install the include files before we try to build the source.
Otherwise, make DESTDIR=~/obj install can fail if there are older
headers under /usr/include.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libselinux/Makefile b/libselinux/Makefile
index 16531fe95bf5..6a43b243f4da 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = src include utils man
+SUBDIRS = include src utils man
PKG_CONFIG ?= pkg-config
DISABLE_SETRANS ?= n
--
2.29.0

View File

@ -1,38 +0,0 @@
From 21fb5f20da225cff23fd811f57cdaec5e9d7badb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Thu, 20 Aug 2020 17:15:51 +0200
Subject: [PATCH] libselinux: use full argument specifiers for
security_check_context in man page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The argument for security_check_context(_raw) is defined as `const char *`.
Say so in the man page.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/man/man3/security_check_context.3 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libselinux/man/man3/security_check_context.3 b/libselinux/man/man3/security_check_context.3
index 2b9a2d4c8b6a..213ac282588f 100644
--- a/libselinux/man/man3/security_check_context.3
+++ b/libselinux/man/man3/security_check_context.3
@@ -5,9 +5,9 @@ security_check_context \- check the validity of a SELinux context
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.BI "int security_check_context(char *" con );
+.BI "int security_check_context(const char *" con );
.sp
-.BI "int security_check_context_raw(char *" con );
+.BI "int security_check_context_raw(const char *" con );
.
.SH "DESCRIPTION"
.BR security_check_context ()
--
2.29.0

View File

@ -1,64 +0,0 @@
From 9e4480b921bb50f59b064e842362b26b87e36bbd Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Mon, 24 Aug 2020 09:44:16 -0400
Subject: [PATCH] libselinux: Remove trailing slash on selabel_file lookups.
Having a trailing slash on a file lookup, e.g. "/some/path/", can
cause a different result, for example, when file contexts are written to have
the directory have a different label than the contents. This is inconsistent
with normal Linux behaviors where trailing slashes are ignored.
Many callers already strip the trailing slash before the lookup or users
revise the file contexts to work around this. This fixes it comprehensively.
v2: fix length issues
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/src/label_file.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 412904d14c06..6eeeea68aea4 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -854,6 +854,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
struct saved_data *data = (struct saved_data *)rec->data;
struct spec *spec_arr = data->spec_arr;
int i, rc, file_stem;
+ size_t len;
mode_t mode = (mode_t)type;
char *clean_key = NULL;
const char *prev_slash, *next_slash;
@@ -894,6 +895,27 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
key = clean_key;
}
+ /* remove trailing slash */
+ len = strlen(key);
+ if (len == 0) {
+ errno = EINVAL;
+ goto finish;
+ }
+
+ if (key[len - 1] == '/') {
+ /* reuse clean_key from above if available */
+ if (!clean_key) {
+ clean_key = (char *) malloc(len);
+ if (!clean_key)
+ goto finish;
+
+ strncpy(clean_key, key, len - 1);
+ }
+
+ clean_key[len - 1] = '\0';
+ key = clean_key;
+ }
+
sub = selabel_sub_key(data, key);
if (sub)
key = sub;
--
2.29.0

View File

@ -1,80 +0,0 @@
From ef902db9c842553fd1a6a81068f3d844d487f2fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 25 Aug 2020 17:32:04 +0200
Subject: [PATCH] libselinux: safely access shared memory in
selinux_status_updated()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Access the shared nenory safe in regard to consistent view of the SELinux
kernel status page - not in regard to thread-safety.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/src/sestatus.c | 40 ++++++++++++++++++++++++---------------
1 file changed, 25 insertions(+), 15 deletions(-)
diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
index 814e86ee10e7..ca2d3bbf9cb2 100644
--- a/libselinux/src/sestatus.c
+++ b/libselinux/src/sestatus.c
@@ -91,7 +91,9 @@ static inline uint32_t read_sequence(struct selinux_status_t *status)
int selinux_status_updated(void)
{
uint32_t curr_seqno;
- int result = 0;
+ uint32_t tmp_seqno;
+ uint32_t enforcing;
+ uint32_t policyload;
if (selinux_status == NULL) {
errno = EINVAL;
@@ -117,21 +119,29 @@ int selinux_status_updated(void)
if (last_seqno & 0x0001)
last_seqno = curr_seqno;
- if (last_seqno != curr_seqno)
- {
- if (avc_enforcing != (int) selinux_status->enforcing) {
- if (avc_process_setenforce(selinux_status->enforcing) < 0)
- return -1;
- }
- if (last_policyload != selinux_status->policyload) {
- if (avc_process_policyload(selinux_status->policyload) < 0)
- return -1;
- last_policyload = selinux_status->policyload;
- }
- last_seqno = curr_seqno;
- result = 1;
+ if (last_seqno == curr_seqno)
+ return 0;
+
+ /* sequence must not be changed during references */
+ do {
+ enforcing = selinux_status->enforcing;
+ policyload = selinux_status->policyload;
+ tmp_seqno = curr_seqno;
+ curr_seqno = read_sequence(selinux_status);
+ } while (tmp_seqno != curr_seqno);
+
+ if (avc_enforcing != (int) enforcing) {
+ if (avc_process_setenforce(enforcing) < 0)
+ return -1;
+ }
+ if (last_policyload != policyload) {
+ if (avc_process_policyload(policyload) < 0)
+ return -1;
+ last_policyload = policyload;
}
- return result;
+ last_seqno = curr_seqno;
+
+ return 1;
}
/*
--
2.29.0

View File

@ -1,54 +0,0 @@
From a63f93d83b57f1a10712c5fcd29be246e8eff20d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 25 Aug 2020 17:32:05 +0200
Subject: [PATCH] libselinux: initialize last_policyload in
selinux_status_open()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If not initialized to the current policyload count, an enforcing change
will trigger policyload-callbacks in selinux_status_updated().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/src/sestatus.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
index ca2d3bbf9cb2..9ff2785d876a 100644
--- a/libselinux/src/sestatus.c
+++ b/libselinux/src/sestatus.c
@@ -278,9 +278,10 @@ static int fallback_cb_policyload(int policyload)
*/
int selinux_status_open(int fallback)
{
- int fd;
- char path[PATH_MAX];
- long pagesize;
+ int fd;
+ char path[PATH_MAX];
+ long pagesize;
+ uint32_t seqno;
if (!selinux_mnt) {
errno = ENOENT;
@@ -304,6 +305,14 @@ int selinux_status_open(int fallback)
selinux_status_fd = fd;
last_seqno = (uint32_t)(-1);
+ /* sequence must not be changed during references */
+ do {
+ seqno = read_sequence(selinux_status);
+
+ last_policyload = selinux_status->policyload;
+
+ } while (seqno != read_sequence(selinux_status));
+
/* No need to use avc threads if the kernel status page is available */
avc_using_threads = 0;
--
2.29.0

View File

@ -1,71 +0,0 @@
From a4149e0eab50092699f05217cbf10a60d84d8d20 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Thu, 27 Aug 2020 08:58:39 -0400
Subject: [PATCH] libselinux: Add new log callback levels for enforcing and
policy load notices.
This will enable userspace object managers to send proper audits for policy
loads and setenforce messages generated by the userspace AVC code.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/include/selinux/selinux.h | 2 ++
libselinux/man/man3/selinux_set_callback.3 | 5 +++++
libselinux/src/avc_internal.c | 4 ++--
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index c22834e58418..ae98a92e393e 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -182,6 +182,8 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
#define SELINUX_WARNING 1
#define SELINUX_INFO 2
#define SELINUX_AVC 3
+#define SELINUX_POLICYLOAD 4
+#define SELINUX_SETENFORCE 5
#define SELINUX_TRANS_DIR "/var/run/setrans"
/* Compute an access decision. */
diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index a4c613ad5d85..6dfe5ff6050f 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -46,6 +46,11 @@ argument indicates the type of message and will be set to one of the following:
.B SELINUX_INFO
.B SELINUX_AVC
+
+.B SELINUX_POLICYLOAD
+
+.B SELINUX_SETENFORCE
+
.
.TP
.B SELINUX_CB_AUDIT
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index 4ef924527e10..572b2159c3ed 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -58,7 +58,7 @@ int avc_process_setenforce(int enforcing)
{
int rc = 0;
- avc_log(SELINUX_INFO,
+ avc_log(SELINUX_SETENFORCE,
"%s: received setenforce notice (enforcing=%d)\n",
avc_prefix, enforcing);
if (avc_setenforce)
@@ -80,7 +80,7 @@ int avc_process_policyload(uint32_t seqno)
{
int rc = 0;
- avc_log(SELINUX_INFO,
+ avc_log(SELINUX_POLICYLOAD,
"%s: received policyload notice (seqno=%u)\n",
avc_prefix, seqno);
rc = avc_ss_reset(seqno);
--
2.29.0

View File

@ -1,30 +0,0 @@
From 075f9cfe7a0105e14e878b5617e80d391d016e08 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Fri, 11 Sep 2020 15:56:14 -0400
Subject: [PATCH] libselinux: Fix selabel_lookup() for the root dir.
9e4480b921bb ("Remove trailing slash on selabel_file lookups.") introduced
a bug which turns the root directory lookup "/" into an empty string.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/src/label_file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 6eeeea68aea4..726394ca4332 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -902,7 +902,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
goto finish;
}
- if (key[len - 1] == '/') {
+ if (len > 1 && key[len - 1] == '/') {
/* reuse clean_key from above if available */
if (!clean_key) {
clean_key = (char *) malloc(len);
--
2.29.0

View File

@ -1,38 +0,0 @@
From f5d644c7e633042b04189bfa428d88b9bb985f36 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Tue, 15 Sep 2020 13:33:31 -0400
Subject: [PATCH] libselinux: Add additional log callback details in man page
for auditing.
Add additional information about the log callback message types. Indicate
which types could be audited and the relevant audit record types for them.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/man/man3/selinux_set_callback.3 | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index 6dfe5ff6050f..75f49b06d836 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -51,6 +51,15 @@ argument indicates the type of message and will be set to one of the following:
.B SELINUX_SETENFORCE
+SELINUX_ERROR, SELINUX_WARNING, and SELINUX_INFO indicate standard log severity
+levels and are not auditable messages.
+
+The SELINUX_AVC, SELINUX_POLICYLOAD, and SELINUX_SETENFORCE message types can be
+audited with AUDIT_USER_AVC, AUDIT_USER_MAC_POLICY_LOAD, and AUDIT_USER_MAC_STATUS
+values from libaudit, respectively. If they are not audited, SELINUX_AVC should be
+considered equivalent to SELINUX_ERROR; similarly, SELINUX_POLICYLOAD and
+SELINUX_SETENFORCE should be considered equivalent to SELINUX_INFO.
+
.
.TP
.B SELINUX_CB_AUDIT
--
2.29.0

View File

@ -1,37 +0,0 @@
From 7ef5b1854f75056d23e60aabc86706dfed622669 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Tue, 15 Sep 2020 13:33:32 -0400
Subject: [PATCH] libselinux: Change userspace AVC setenforce and policy load
messages to audit format.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/src/avc_internal.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index 572b2159c3ed..53a99a1fe957 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -59,7 +59,7 @@ int avc_process_setenforce(int enforcing)
int rc = 0;
avc_log(SELINUX_SETENFORCE,
- "%s: received setenforce notice (enforcing=%d)\n",
+ "%s: op=setenforce lsm=selinux enforcing=%d res=1",
avc_prefix, enforcing);
if (avc_setenforce)
goto out;
@@ -81,7 +81,7 @@ int avc_process_policyload(uint32_t seqno)
int rc = 0;
avc_log(SELINUX_POLICYLOAD,
- "%s: received policyload notice (seqno=%u)\n",
+ "%s: op=load_policy lsm=selinux seqno=%u res=1",
avc_prefix, seqno);
rc = avc_ss_reset(seqno);
if (rc < 0) {
--
2.29.0

View File

@ -1,208 +0,0 @@
From d23342a9de2c30f72a3edb13455753caaf259589 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sun, 4 Oct 2020 16:03:39 +0200
Subject: [PATCH] libselinux: convert matchpathcon to selabel_lookup()
Function matchpathcon() is deprecated in favor of selabel_lookup() but
program "matchpathcon" is much easier to use than "selabel_loopkup" to
find the file context which would be applied to some files and
directories.
More precisely:
matchpathcon /path/to/my/file
is easier to type and remember than:
selabel_lookup -b file -k /path/to/my/file
It also allows performing multiple context searches in one command,
where selabel_lookup cannot use multiple -k options.
Migrate matchpathcon to the preferred API.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/utils/Makefile | 2 -
libselinux/utils/matchpathcon.c | 87 ++++++++++++++-------------------
2 files changed, 38 insertions(+), 51 deletions(-)
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index aa2d3e1b144f..b018a08acbe0 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -56,8 +56,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
sefcontext_compile: sefcontext_compile.o ../src/regex.o
-matchpathcon: CFLAGS += -Wno-deprecated-declarations
-
all: $(TARGETS)
install: all
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index cc018d213f4c..a07e160dee71 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -1,15 +1,14 @@
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <getopt.h>
#include <errno.h>
-#include <string.h>
+#include <getopt.h>
#include <limits.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+#include <selinux/label.h>
#include <selinux/selinux.h>
-#include <limits.h>
+#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
static __attribute__ ((__noreturn__)) void usage(const char *progname)
{
@@ -19,15 +18,21 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
exit(1);
}
-static int printmatchpathcon(const char *path, int header, int mode)
+static int printmatchpathcon(struct selabel_handle *hnd, const char *path, int header, int mode, int notrans)
{
- char *buf;
- int rc = matchpathcon(path, mode, &buf);
+ char *buf = NULL;
+ int rc;
+
+ if (notrans) {
+ rc = selabel_lookup_raw(hnd, &buf, path, mode);
+ } else {
+ rc = selabel_lookup(hnd, &buf, path, mode);
+ }
if (rc < 0) {
if (errno == ENOENT) {
buf = strdup("<<none>>");
} else {
- fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
+ fprintf(stderr, "selabel_lookup(%s) failed: %s\n", path,
strerror(errno));
return 1;
}
@@ -66,15 +71,14 @@ static mode_t string_to_mode(char *s)
int main(int argc, char **argv)
{
- int i, init = 0, force_mode = 0;
+ int i, force_mode = 0;
int header = 1, opt;
int verify = 0;
int notrans = 0;
int error = 0;
int quiet = 0;
-
- fprintf(stderr,
- "Deprecated, use selabel_lookup\n");
+ struct selabel_handle *hnd;
+ struct selinux_opt options[SELABEL_NOPT] = {};
if (argc < 2)
usage(argv[0]);
@@ -96,23 +100,10 @@ int main(int argc, char **argv)
break;
case 'N':
notrans = 1;
- set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
break;
case 'f':
- if (init) {
- fprintf(stderr,
- "%s: -f and -p are exclusive\n",
- argv[0]);
- exit(1);
- }
- init = 1;
- if (matchpathcon_init(optarg)) {
- fprintf(stderr,
- "Error while processing %s: %s\n",
- optarg,
- errno ? strerror(errno) : "invalid");
- exit(1);
- }
+ options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
+ options[SELABEL_OPT_PATH].value = optarg;
break;
case 'P':
if (selinux_set_policy_root(optarg) < 0 ) {
@@ -124,20 +115,11 @@ int main(int argc, char **argv)
}
break;
case 'p':
- if (init) {
- fprintf(stderr,
- "%s: -f and -p are exclusive\n",
- argv[0]);
- exit(1);
- }
- init = 1;
- if (matchpathcon_init_prefix(NULL, optarg)) {
- fprintf(stderr,
- "Error while processing %s: %s\n",
- optarg,
- errno ? strerror(errno) : "invalid");
- exit(1);
- }
+ // This option has been deprecated since libselinux 2.5 (2016):
+ // https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6
+ fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]);
+ options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
+ options[SELABEL_OPT_SUBSET].value = optarg;
break;
case 'q':
quiet = 1;
@@ -146,6 +128,13 @@ int main(int argc, char **argv)
usage(argv[0]);
}
}
+ hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
+ if (!hnd) {
+ fprintf(stderr,
+ "Error while opening file contexts database: %s\n",
+ strerror(errno));
+ return -1;
+ }
for (i = optind; i < argc; i++) {
int rc, mode = 0;
struct stat buf;
@@ -185,19 +174,19 @@ int main(int argc, char **argv)
if (rc >= 0) {
printf("%s has context %s, should be ",
path, con);
- printmatchpathcon(path, 0, mode);
+ printmatchpathcon(hnd, path, 0, mode, notrans);
freecon(con);
} else {
printf
("actual context unknown: %s, should be ",
strerror(errno));
- printmatchpathcon(path, 0, mode);
+ printmatchpathcon(hnd, path, 0, mode, notrans);
}
}
} else {
- error |= printmatchpathcon(path, header, mode);
+ error |= printmatchpathcon(hnd, path, header, mode, notrans);
}
}
- matchpathcon_fini();
+ selabel_close(hnd);
return error;
}
--
2.29.0

View File

@ -1,45 +0,0 @@
From 4a142ac46a116feb9f978eaec68a30efef979c73 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 9 Oct 2020 15:00:49 +0200
Subject: [PATCH] libsepol: Bump libsepol.so version
Previous commits removed some symbols and broke ABI, therefore we need to change
SONAME.
See the following quotes from distribution guidelines:
https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries
Every time the shared library ABI changes in a way that may break
binaries linked against older versions of the shared library, the SONAME
of the library and the corresponding name for the binary package
containing the runtime shared library should change.
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning
When new versions of the library are released, you should use an ABI
comparison tool to check for ABI differences in the built shared
libraries. If it detects any incompatibilities, bump the n number by
one.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/load_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 2aea826f863e..0034fa53d6e6 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -76,7 +76,7 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
#ifdef SHARED
char *errormsg = NULL;
void *libsepolh = NULL;
- libsepolh = dlopen("libsepol.so.1", RTLD_NOW);
+ libsepolh = dlopen("libsepol.so.2", RTLD_NOW);
if (libsepolh) {
usesepol = 1;
dlerror();
--
2.29.0

View File

@ -1,48 +0,0 @@
From db0f2f382e31c44eef8f636d5698f9f4b11b4eeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <bjorn.bidar@jolla.com>
Date: Mon, 12 Oct 2020 17:46:16 +0300
Subject: [PATCH] libselinux: Add build option to disable X11 backend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
---
libselinux/Makefile | 5 ++++-
libselinux/src/Makefile | 4 ++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/libselinux/Makefile b/libselinux/Makefile
index 6a43b243f4da..cb5872b7b090 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -17,7 +17,10 @@ endif
ifeq ($(DISABLE_BOOL),y)
DISABLE_FLAGS+= -DDISABLE_BOOL
endif
-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
+ifeq ($(DISABLE_X11),y)
+ DISABLE_FLAGS+= -DNO_X_BACKEND
+endif
+export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11
USE_PCRE2 ?= n
ifeq ($(USE_PCRE2),y)
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 190016e2af34..be0b6eec6f6d 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -126,6 +126,10 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
SRCS:= $(filter-out label_backends_android.c, $(SRCS))
endif
+ifeq ($(DISABLE_X11),y)
+SRCS:= $(filter-out label_x.c, $(SRCS))
+endif
+
SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
all: $(LIBA) $(LIBSO) $(LIBPC)
--
2.29.0

View File

@ -1,31 +0,0 @@
From a2f09a2faf2950d15fad34f23c65df62ec0d942c Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Wed, 16 Jul 2014 08:28:03 +0200
Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
---
libselinux/man/man8/selinux.8 | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 31364271eed2..8b4fc3706989 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.BR sepolicy (8),
.BR system-config-selinux (8),
.BR togglesebool (8),
-.BR restorecon (8),
.BR fixfiles (8),
+.BR restorecon (8),
.BR setfiles (8),
.BR semanage (8),
.BR sepolicy (8)
+.BR seinfo (8),
+.BR sesearch (8)
Every confined service on the system has a man page in the following format:
.br
--
2.29.0

View File

@ -1,59 +0,0 @@
From f870bd1ea6847840f1878490e090ef96ed708ac4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <bjorn.bidar@jolla.com>
Date: Mon, 12 Oct 2020 19:07:22 +0300
Subject: [PATCH] libselinux: LABEL_BACKEND_ANDROID add option to enable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add option to just enable the android label backend without disabling
anything else eg. using ANDROID_HOST. Enable by default when using ANDROID_HOST.
Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
---
libselinux/Makefile | 3 ++-
libselinux/src/Makefile | 6 +++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/libselinux/Makefile b/libselinux/Makefile
index cb5872b7b090..ac16c15e8d0a 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -4,6 +4,7 @@ PKG_CONFIG ?= pkg-config
DISABLE_SETRANS ?= n
DISABLE_RPM ?= n
ANDROID_HOST ?= n
+LABEL_BACKEND_ANDROID ?= n
ifeq ($(ANDROID_HOST),y)
override DISABLE_SETRANS=y
override DISABLE_BOOL=y
@@ -20,7 +21,7 @@ endif
ifeq ($(DISABLE_X11),y)
DISABLE_FLAGS+= -DNO_X_BACKEND
endif
-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11
+export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 LABEL_BACKEND_ANDROID
USE_PCRE2 ?= n
ifeq ($(USE_PCRE2),y)
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index be0b6eec6f6d..52c40f018f51 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -122,8 +122,12 @@ SRCS= callbacks.c freecon.c label.c label_file.c \
label_backends_android.c regex.c label_support.c \
matchpathcon.c setrans_client.c sha1.c booleans.c
else
-DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+LABEL_BACKEND_ANDROID=y
+endif
+
+ifneq ($(LABEL_BACKEND_ANDROIDT),y)
SRCS:= $(filter-out label_backends_android.c, $(SRCS))
+DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
endif
ifeq ($(DISABLE_X11),y)
--
2.29.2

View File

@ -1,51 +0,0 @@
From c698cd8cbc98ab2f795d3c353c9f978c1758106d Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 11 Nov 2020 17:23:38 +0100
Subject: [PATCH] selinux(8): mark up SELINUX values
Mark up the possible values of SELINUX (disabled, permissive, enforcing)
for better readability.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/man/man8/selinux.8 | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 8b4fc3706989..522d45960bf3 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -19,18 +19,18 @@ enabled or disabled, and if enabled, whether SELinux operates in
permissive mode or enforcing mode. The
.B SELINUX
variable may be set to
-any one of disabled, permissive, or enforcing to select one of these
-options. The disabled option completely disables the SELinux kernel
-and application code, leaving the system running without any SELinux
-protection. The permissive option enables the SELinux code, but
-causes it to operate in a mode where accesses that would be denied by
-policy are permitted but audited. The enforcing option enables the
-SELinux code and causes it to enforce access denials as well as
-auditing them. Permissive mode may yield a different set of denials
-than enforcing mode, both because enforcing mode will prevent an
-operation from proceeding past the first denial and because some
-application code will fall back to a less privileged mode of operation
-if denied access.
+any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
+select one of these options. The \fIdisabled\fR option completely
+disables the SELinux kernel and application code, leaving the system
+running without any SELinux protection. The \fIpermissive\fR option
+enables the SELinux code, but causes it to operate in a mode where
+accesses that would be denied by policy are permitted but audited. The
+\fIenforcing\fR option enables the SELinux code and causes it to enforce
+access denials as well as auditing them. \fIpermissive\fR mode may
+yield a different set of denials than enforcing mode, both because
+enforcing mode will prevent an operation from proceeding past the first
+denial and because some application code will fall back to a less
+privileged mode of operation if denied access.
The
.I /etc/selinux/config
--
2.29.2

View File

@ -1,57 +0,0 @@
From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 11 Nov 2020 17:23:39 +0100
Subject: [PATCH] selinux(8): explain that runtime disable is deprecated
Update the main SELinux manpage to explain that runtime disable (i.e.
disabling SELinux using SELINUX=Disabled) is deprecated and recommend
disabling SELinux only via the kernel boot parameter.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 522d45960bf3..a36e286b1409 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -20,8 +20,8 @@ permissive mode or enforcing mode. The
.B SELINUX
variable may be set to
any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
-select one of these options. The \fIdisabled\fR option completely
-disables the SELinux kernel and application code, leaving the system
+select one of these options. The \fIdisabled\fR disables most of the
+SELinux kernel and application code, leaving the system
running without any SELinux protection. The \fIpermissive\fR option
enables the SELinux code, but causes it to operate in a mode where
accesses that would be denied by policy are permitted but audited. The
@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first
denial and because some application code will fall back to a less
privileged mode of operation if denied access.
+.B NOTE:
+Disabling SELinux by setting
+.B SELINUX=disabled
+in
+.I /etc/selinux/config
+is deprecated and depending on kernel version and configuration it might
+not lead to SELinux being completely disabled. Specifically, the
+SELinux hooks will still be executed internally, but the SELinux policy
+will not be loaded and no operation will be denied. In such state, the
+system will act as if SELinux was disabled, although some operations
+might behave slightly differently. To properly disable SELinux, it is
+recommended to use the
+.B selinux=0
+kernel boot option instead. In that case SELinux will be disabled
+regardless of what is set in the
+.I /etc/selinux/config
+file.
+
The
.I /etc/selinux/config
configuration file also controls what policy
--
2.29.2

View File

@ -1,13 +1,13 @@
%define ruby_inc %(pkg-config --cflags ruby)
%define libsepolver 3.1-5
%define libsepolver 3.2-0.rc1.1
Summary: SELinux library and simple utilities
Name: libselinux
Version: 3.1
Release: 6%{?dist}
Version: 3.2
Release: 0.rc1.1%{?dist}
License: Public Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libselinux-3.1.tar.gz
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/libselinux-3.2-rc1.tar.gz
Source1: selinuxconlist.8
Source2: selinuxdefcon.8
Url: https://github.com/SELinuxProject/selinux/wiki
@ -16,23 +16,6 @@ Url: https://github.com/SELinuxProject/selinux/wiki
# $ git format-patch -N libselinux-3.1 -- libselinux
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start
Patch0001: 0001-libselinux-use-kernel-status-page-by-default.patch
Patch0002: 0002-libselinux-fix-build-order.patch
Patch0003: 0003-libselinux-use-full-argument-specifiers-for-security.patch
Patch0004: 0004-libselinux-Remove-trailing-slash-on-selabel_file-loo.patch
Patch0005: 0005-libselinux-safely-access-shared-memory-in-selinux_st.patch
Patch0006: 0006-libselinux-initialize-last_policyload-in-selinux_sta.patch
Patch0007: 0007-libselinux-Add-new-log-callback-levels-for-enforcing.patch
Patch0008: 0008-libselinux-Fix-selabel_lookup-for-the-root-dir.patch
Patch0009: 0009-libselinux-Add-additional-log-callback-details-in-ma.patch
Patch0010: 0010-libselinux-Change-userspace-AVC-setenforce-and-polic.patch
Patch0011: 0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch
Patch0012: 0012-libsepol-Bump-libsepol.so-version.patch
Patch0013: 0013-libselinux-Add-build-option-to-disable-X11-backend.patch
Patch0014: 0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
Patch0015: 0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
Patch0016: 0016-selinux-8-mark-up-SELINUX-values.patch
Patch0017: 0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch
# Patch list end
BuildRequires: gcc make
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
@ -103,7 +86,7 @@ The libselinux-static package contains the static libraries
needed for developing SELinux applications.
%prep
%autosetup -p 2 -n libselinux-%{version}
%autosetup -p 2 -n libselinux-%{version}-rc1
%build
export DISABLE_RPM="y"
@ -229,6 +212,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{ruby_vendorarchdir}/selinux.so
%changelog
* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
- SELinux userspace 3.2-rc1 release
* Thu Jan 07 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.1-6
- F-34: rebuild against ruby 3.0

View File

@ -1 +1 @@
SHA512 (libselinux-3.1.tar.gz) = 57730cddd2d4751556d9e1f207c0f85119c81848f0620c16239e997150989e3f9a586a8c23861fd51ed89f7e084ad441190a58a288258a49a95f7beef7dbbb13
SHA512 (libselinux-3.2-rc1.tar.gz) = 76f80a4774e81abc5b1fcf54a7dfb72b2b1f7811f91767cff81118c0c515915b39a0dd950051d143a3b77c62d05bba2d538b04561f2e404960eff57e7181b741