SELinux userspace 3.7 release

Resolves: RHEL-40233

.gitignore

@@ -232,3 +232,4 @@ libselinux-2.0.96.tgz
 /libselinux-3.6-rc1.tar.gz
 /libselinux-3.6-rc2.tar.gz
 /libselinux-3.6.tar.gz
+/libselinux-3.7.tar.gz

0001-Use-SHA-2-instead-of-SHA-1.patch

@@ -1,4 +1,4 @@
-From 94859162dbf9d2ccd4ffb923720c654a4cb9150a Mon Sep 17 00:00:00 2001
+From 4884c917237e53e34d3fc75dcf4f07217cfd7584 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Fri, 30 Jul 2021 14:14:37 +0200
 Subject: [PATCH] Use SHA-2 instead of SHA-1
@@ -17,13 +17,13 @@ The use of SHA-1 in RHEL9 is deprecated
  libselinux/src/label_internal.h               |  10 +-
  libselinux/src/label_support.c                |  10 +-
  libselinux/src/selinux_restorecon.c           |  24 +-
- libselinux/src/sha1.c                         | 220 -------------
+ libselinux/src/sha1.c                         | 223 -------------
  libselinux/src/sha1.h                         |  85 -----
  libselinux/src/sha256.c                       | 294 ++++++++++++++++++
  libselinux/src/sha256.h                       |  89 ++++++
  libselinux/utils/selabel_digest.c             |  26 +-
  .../selabel_get_digests_all_partial_matches.c |  28 +-
- 17 files changed, 471 insertions(+), 393 deletions(-)
+ 17 files changed, 471 insertions(+), 396 deletions(-)
  delete mode 100644 libselinux/src/sha1.c
  delete mode 100644 libselinux/src/sha1.h
  create mode 100644 libselinux/src/sha256.c
@@ -185,7 +185,7 @@ index c56326814b94..098c840fc59b 100644
  .BR selabel_open (3)
  must be called specifying the required
 diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
-index 7aadb822afb0..d906c8811017 100644
+index 41cfbdca490c..658a4c3d80e0 100644
 --- a/libselinux/src/Makefile
 +++ b/libselinux/src/Makefile
 @@ -130,7 +130,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
@@ -198,10 +198,10 @@ index 7aadb822afb0..d906c8811017 100644
  endif
  
 diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 4778f8f8cd4a..b902ff06a502 100644
+index 2732972e61cf..6c6fe328b353 100644
 --- a/libselinux/src/label_file.c
 +++ b/libselinux/src/label_file.c
-@@ -1093,7 +1093,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,
+@@ -1105,7 +1105,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,
  
  /*
   * Returns true if the digest of all partial matched contexts is the same as
@@ -210,7 +210,7 @@ index 4778f8f8cd4a..b902ff06a502 100644
   * digest will always be returned. The caller must free any returned digests.
   */
  static bool get_digests_all_partial_matches(struct selabel_handle *rec,
-@@ -1102,39 +1102,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+@@ -1114,39 +1114,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
  					    uint8_t **xattr_digest,
  					    size_t *digest_len)
  {
@@ -261,7 +261,7 @@ index 4778f8f8cd4a..b902ff06a502 100644
  		return true;
  
  	return false;
-@@ -1154,22 +1154,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
+@@ -1166,22 +1166,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
  		return false;
  	}
  
@@ -371,7 +371,7 @@ index f7ab9292562e..1c3c1728f6ba 100644
  	digest->hashbuf = NULL;
  }
 diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index 38f10f1c7edd..111b89aa8dc9 100644
+index acb729c8ad96..2422b415008e 100644
 --- a/libselinux/src/selinux_restorecon.c
 +++ b/libselinux/src/selinux_restorecon.c
 @@ -37,7 +37,7 @@
@@ -383,7 +383,7 @@ index 38f10f1c7edd..111b89aa8dc9 100644
  
  #define STAR_COUNT 1024
  
-@@ -304,7 +304,7 @@ static uint64_t exclude_non_seclabel_mounts(void)
+@@ -306,7 +306,7 @@ static uint64_t exclude_non_seclabel_mounts(void)
  static int add_xattr_entry(const char *directory, bool delete_nonmatch,
  			   bool delete_all)
  {
@@ -392,7 +392,7 @@ index 38f10f1c7edd..111b89aa8dc9 100644
  	size_t i, digest_len = 0;
  	int rc;
  	enum digest_result digest_result;
-@@ -328,15 +328,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+@@ -330,15 +330,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
  	}
  
  	/* Convert entry to a hex encoded string. */
@@ -411,7 +411,7 @@ index 38f10f1c7edd..111b89aa8dc9 100644
  
  	digest_result = match ? MATCH : NOMATCH;
  
-@@ -356,7 +356,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+@@ -358,7 +358,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
  	/* Now add entries to link list. */
  	new_entry = malloc(sizeof(struct dir_xattr));
  	if (!new_entry) {
@@ -420,7 +420,7 @@ index 38f10f1c7edd..111b89aa8dc9 100644
  		goto oom;
  	}
  	new_entry->next = NULL;
-@@ -364,15 +364,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+@@ -366,15 +366,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
  	new_entry->directory = strdup(directory);
  	if (!new_entry->directory) {
  		free(new_entry);
@@ -439,7 +439,7 @@ index 38f10f1c7edd..111b89aa8dc9 100644
  		goto oom;
  	}
  
-@@ -386,7 +386,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+@@ -388,7 +388,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
  		dir_xattr_last = new_entry;
  	}
  
@@ -448,7 +448,7 @@ index 38f10f1c7edd..111b89aa8dc9 100644
  	return 0;
  
  oom:
-@@ -776,7 +776,7 @@ err:
+@@ -778,7 +778,7 @@ err:
  
  struct dir_hash_node {
  	char *path;
@@ -457,7 +457,7 @@ index 38f10f1c7edd..111b89aa8dc9 100644
  	struct dir_hash_node *next;
  };
  /*
-@@ -1282,7 +1282,7 @@ static int selinux_restorecon_common(const char *pathname_orig,
+@@ -1284,7 +1284,7 @@ static int selinux_restorecon_common(const char *pathname_orig,
  			if (setxattr(current->path,
  			    RESTORECON_PARTIAL_MATCH_DIGEST,
  			    current->digest,
@@ -468,10 +468,10 @@ index 38f10f1c7edd..111b89aa8dc9 100644
  					    current->path);
 diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
 deleted file mode 100644
-index 9d51e04ac331..000000000000
+index 452b0cc2ad5a..000000000000
 --- a/libselinux/src/sha1.c
 +++ /dev/null
-@@ -1,220 +0,0 @@
+@@ -1,223 +0,0 @@
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 -//  LibSha1
 -//
@@ -500,6 +500,8 @@ index 9d51e04ac331..000000000000
 -#include "sha1.h"
 -#include <memory.h>
 -
+-#include "selinux_internal.h"
+-
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 -//  TYPES
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -536,6 +538,7 @@ index 9d51e04ac331..000000000000
 -//
 -//  Hash a single 512-bit block. This is the core of the algorithm
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-ignore_unsigned_overflow_
 -static
 -void
 -    TransformFunction
@@ -1179,10 +1182,10 @@ index 000000000000..406ed869cd82
 +        SHA256_HASH*        Digest          // [in]
 +    );
 diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
-index bf22b472856c..b992d4230eb3 100644
+index 47aad21ff1fb..8bcd44a1dc73 100644
 --- a/libselinux/utils/selabel_digest.c
 +++ b/libselinux/utils/selabel_digest.c
-@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+@@ -13,8 +13,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
  		"Where:\n\t"
  		"-b  The backend - \"file\", \"media\", \"x\", \"db\" or "
  			"\"prop\"\n\t"
@@ -1193,22 +1196,22 @@ index bf22b472856c..b992d4230eb3 100644
  		"-B  Use base specfiles only (valid for \"-b file\" only).\n\t"
  		"-i  Do not request a digest.\n\t"
  		"-f  Optional file containing the specs (defaults to\n\t"
-@@ -63,12 +63,12 @@ int main(int argc, char **argv)
+@@ -61,12 +61,12 @@ int main(int argc, char **argv)
  	int rc, opt, validate = 0;
  	char *baseonly = NULL, *file = NULL, *digest = (char *)1;
  	char **specfiles = NULL;
 -	unsigned char *sha1_digest = NULL;
 +	unsigned char *sha256_digest = NULL;
- 	size_t i, num_specfiles;
+ 	size_t digest_len, i, num_specfiles;
  
  	char cmd_buf[4096];
  	char *cmd_ptr;
--	char *sha1_buf;
+-	char *sha1_buf = NULL;
-+	char *sha256_buf;
++	char *sha256_buf = NULL;
  
  	struct selabel_handle *hnd;
  	struct selinux_opt selabel_option[] = {
-@@ -138,7 +138,7 @@ int main(int argc, char **argv)
+@@ -136,7 +136,7 @@ int main(int argc, char **argv)
  		return -1;
  	}
  
@@ -1217,7 +1220,7 @@ index bf22b472856c..b992d4230eb3 100644
  							    &num_specfiles);
  
  	if (rc) {
-@@ -153,19 +153,19 @@ int main(int argc, char **argv)
+@@ -151,19 +151,19 @@ int main(int argc, char **argv)
  		goto err;
  	}
  
@@ -1242,23 +1245,29 @@ index bf22b472856c..b992d4230eb3 100644
  	printf("calculated using the following specfile(s):\n");
  
  	if (specfiles) {
-@@ -178,13 +178,13 @@ int main(int argc, char **argv)
+@@ -198,19 +198,19 @@ int main(int argc, char **argv)
- 			cmd_ptr += strlen(specfiles[i]) + 1;
- 			printf("%s\n", specfiles[i]);
  		}
--		sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
-+		sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha256 -hex");
  
- 		if (validate)
+ 		if (validate) {
--			rc = run_check_digest(cmd_buf, sha1_buf);
+-			ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha1 -hex");
-+			rc = run_check_digest(cmd_buf, sha256_buf);
++			ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha256 -hex");
+ 			if (ret < 0 || (size_t)ret >= cmd_rem) {
+ 				fprintf(stderr, "Could not format validate command\n");
+ 				rc = -1;
+ 				goto err;
+ 			}
+ 
+-			rc = run_check_digest(cmd_buf, sha1_buf, digest_len);
++			rc = run_check_digest(cmd_buf, sha256_buf, digest_len);
+ 		}
  	}
  
+ err:
 -	free(sha1_buf);
 +	free(sha256_buf);
- err:
  	selabel_close(hnd);
  	return rc;
+ }
 diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
 index e2733b4195ff..98e533dc2692 100644
 --- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
@@ -1349,5 +1358,5 @@ index e2733b4195ff..98e533dc2692 100644
  		}
  		default:
 -- 
-2.41.0
+2.45.2
 

libselinux.spec

@@ -1,19 +1,19 @@
 %define ruby_inc %(pkg-config --cflags ruby)
-%define libsepolver 3.6-1
+%define libsepolver 3.7-1
 
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 3.6
+Version: 3.7
-Release: 6%{?dist}
+Release: 1%{?dist}
 License: LicenseRef-Fedora-Public-Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/libselinux-3.6.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/libselinux-3.7.tar.gz
 Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
 # $ git clone https://github.com/fedora-selinux/selinux.git
 # $ cd selinux
-# $ git format-patch -N 3.6 -- libselinux
+# $ git format-patch -N 3.7 -- libselinux
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
@@ -213,6 +213,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{ruby_vendorarchdir}/selinux.so
 
 %changelog
+* Thu Jun 27 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-1
+- SELinux userspace 3.7 release
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.6-6
 - Bump release for June 2024 mass rebuild
 

sources

@@ -1 +1 @@
-SHA512 (libselinux-3.6.tar.gz) = 182dcdf3510083ff4b9376a4a6d6a7b33905ac3c5e974c188bf3965686c54b663162c543ecf15eab75102f3c91a2502d33d0f1104dec01dd9b14737ef3f2b544
+SHA512 (libselinux-3.7.tar.gz) = e949c20b606c50ad521b9592ce55ad6658e8c4b24d9838028f5aba0a4fc762b6d0d0d0d207f5bef7a2e41485e12d91382fa6090df27152dbb40071b273419352