SELinux userspace 3.6-rc1 release

Petr Lautrbach 2023-11-14 20:02:27 +01:00
parent f6db99ad44
commit 95eddbc54e
5 changed files with 56 additions and 170 deletions

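--- a/.gitignore
+++ b/.gitignore
@@ -229,3 +229,4 @@ libselinux-2.0.96.tgz
 /libselinux-3.5-rc2.tar.gz
 /libselinux-3.5-rc3.tar.gz
 /libselinux-3.5.tar.gz
+/libselinux-3.6-rc1.tar.gz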


@ -1,7 +1,8 @@
From 3a9bb0000dd9386b80ec54ecb64a99dd07b2f93a Mon Sep 17 00:00:00 2001 From 94859162dbf9d2ccd4ffb923720c654a4cb9150a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com> From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200 Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1 Subject: [PATCH] Use SHA-2 instead of SHA-1
Content-type: text/plain
The use of SHA-1 in RHEL9 is deprecated The use of SHA-1 in RHEL9 is deprecated
--- ---
@ -29,7 +30,7 @@ The use of SHA-1 in RHEL9 is deprecated
create mode 100644 libselinux/src/sha256.h create mode 100644 libselinux/src/sha256.h
diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
index e8983606..a35d84d6 100644 index ce189a3ae2fe..ce77d32dfed1 100644
--- a/libselinux/include/selinux/label.h --- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h +++ b/libselinux/include/selinux/label.h
@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con, @@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
@ -50,7 +51,7 @@ index e8983606..a35d84d6 100644
* @num_specfiles: number of specfiles in the list. * @num_specfiles: number of specfiles in the list.
* *
diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
index b10fe684..8df47445 100644 index b10fe684eff9..8df4744505b3 100644
--- a/libselinux/include/selinux/restorecon.h --- a/libselinux/include/selinux/restorecon.h
+++ b/libselinux/include/selinux/restorecon.h +++ b/libselinux/include/selinux/restorecon.h
@@ -41,8 +41,8 @@ extern int selinux_restorecon_parallel(const char *pathname, @@ -41,8 +41,8 @@ extern int selinux_restorecon_parallel(const char *pathname,
@ -65,7 +66,7 @@ index b10fe684..8df47445 100644
#define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001 #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001
/* /*
diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3 diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3
index 56a008f0..5f7c4253 100644 index 56a008f00df0..5f7c42533d0e 100644
--- a/libselinux/man/man3/selabel_digest.3 --- a/libselinux/man/man3/selabel_digest.3
+++ b/libselinux/man/man3/selabel_digest.3 +++ b/libselinux/man/man3/selabel_digest.3
@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used @@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used
@ -83,7 +84,7 @@ index 56a008f0..5f7c4253 100644
with the number of entries in with the number of entries in
.IR num_specfiles . .IR num_specfiles .
diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3 diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
index 0e03e1be..14ab888d 100644 index 0e03e1be111e..14ab888d2e03 100644
--- a/libselinux/man/man3/selabel_open.3 --- a/libselinux/man/man3/selabel_open.3
+++ b/libselinux/man/man3/selabel_open.3 +++ b/libselinux/man/man3/selabel_open.3
@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via @@ -69,7 +69,7 @@ is used; a custom validation function can be provided via
@ -96,7 +97,7 @@ index 0e03e1be..14ab888d 100644
.BR selabel_digest (3) .BR selabel_digest (3)
. .
diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3 diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
index 218aaf6d..5f6d4b38 100644 index 218aaf6d2ae5..5f6d4b386429 100644
--- a/libselinux/man/man3/selinux_restorecon.3 --- a/libselinux/man/man3/selinux_restorecon.3
+++ b/libselinux/man/man3/selinux_restorecon.3 +++ b/libselinux/man/man3/selinux_restorecon.3
@@ -36,7 +36,7 @@ If this is a directory and the @@ -36,7 +36,7 @@ If this is a directory and the
@ -171,7 +172,7 @@ index 218aaf6d..5f6d4b38 100644
.B SELINUX_RESTORECON_SET_SPECFILE_CTX .B SELINUX_RESTORECON_SET_SPECFILE_CTX
flag (provided flag (provided
diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3 diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3
index c5632681..098c840f 100644 index c56326814b94..098c840fc59b 100644
--- a/libselinux/man/man3/selinux_restorecon_xattr.3 --- a/libselinux/man/man3/selinux_restorecon_xattr.3
+++ b/libselinux/man/man3/selinux_restorecon_xattr.3 +++ b/libselinux/man/man3/selinux_restorecon_xattr.3
@@ -119,7 +119,7 @@ By default @@ -119,7 +119,7 @@ By default
@ -184,23 +185,23 @@ index c5632681..098c840f 100644
.BR selabel_open (3) .BR selabel_open (3)
must be called specifying the required must be called specifying the required
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 36d57122..8eafced9 100644 index 7aadb822afb0..d906c8811017 100644
--- a/libselinux/src/Makefile --- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile +++ b/libselinux/src/Makefile
@@ -125,7 +125,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ @@ -130,7 +130,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
-DBUILD_HOST -DBUILD_HOST
SRCS= callbacks.c freecon.c label.c label_file.c \ SRCS= callbacks.c freecon.c label.c label_file.c \
label_backends_android.c regex.c label_support.c \ label_backends_android.c regex.c label_support.c \
- matchpathcon.c setrans_client.c sha1.c booleans.c - matchpathcon.c setrans_client.c sha1.c booleans.c
+ matchpathcon.c setrans_client.c sha256.c booleans.c + matchpathcon.c setrans_client.c sha256.c booleans.c
else
LABEL_BACKEND_ANDROID=y LABEL_BACKEND_ANDROID=y
endif endif
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 74ae9b9f..33d395e4 100644 index 4778f8f8cd4a..b902ff06a502 100644
--- a/libselinux/src/label_file.c --- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c
@@ -1010,7 +1010,7 @@ static struct spec *lookup_common(struct selabel_handle *rec, @@ -1093,7 +1093,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,
/* /*
* Returns true if the digest of all partial matched contexts is the same as * Returns true if the digest of all partial matched contexts is the same as
@ -209,7 +210,7 @@ index 74ae9b9f..33d395e4 100644
* digest will always be returned. The caller must free any returned digests. * digest will always be returned. The caller must free any returned digests.
*/ */
static bool get_digests_all_partial_matches(struct selabel_handle *rec, static bool get_digests_all_partial_matches(struct selabel_handle *rec,
@@ -1019,39 +1019,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec, @@ -1102,39 +1102,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
uint8_t **xattr_digest, uint8_t **xattr_digest,
size_t *digest_len) size_t *digest_len)
{ {
@ -260,7 +261,7 @@ index 74ae9b9f..33d395e4 100644
return true; return true;
return false; return false;
@@ -1071,22 +1071,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key @@ -1154,22 +1154,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
return false; return false;
} }
@ -292,7 +293,7 @@ index 74ae9b9f..33d395e4 100644
free(matches); free(matches);
return true; return true;
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 782c6aa8..304e8d96 100644 index ea60cd9a058f..77ac8173c7a9 100644
--- a/libselinux/src/label_internal.h --- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h +++ b/libselinux/src/label_internal.h
@@ -13,7 +13,7 @@ @@ -13,7 +13,7 @@
@ -333,10 +334,10 @@ index 782c6aa8..304e8d96 100644
}; };
diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
index 54fd49a5..4003eb8d 100644 index f7ab9292562e..1c3c1728f6ba 100644
--- a/libselinux/src/label_support.c --- a/libselinux/src/label_support.c
+++ b/libselinux/src/label_support.c +++ b/libselinux/src/label_support.c
@@ -115,7 +115,7 @@ int read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...) @@ -114,7 +114,7 @@ int read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
/* Once all the specfiles are in the hash_buf, generate the hash. */ /* Once all the specfiles are in the hash_buf, generate the hash. */
void digest_gen_hash(struct selabel_digest *digest) void digest_gen_hash(struct selabel_digest *digest)
{ {
@ -345,7 +346,7 @@ index 54fd49a5..4003eb8d 100644
size_t remaining_size; size_t remaining_size;
const unsigned char *ptr; const unsigned char *ptr;
@@ -123,19 +123,19 @@ void digest_gen_hash(struct selabel_digest *digest) @@ -122,19 +122,19 @@ void digest_gen_hash(struct selabel_digest *digest)
if (!digest) if (!digest)
return; return;
@ -368,9 +369,9 @@ index 54fd49a5..4003eb8d 100644
+ Sha256Finalise(&context, (SHA256_HASH *)digest->digest); + Sha256Finalise(&context, (SHA256_HASH *)digest->digest);
free(digest->hashbuf); free(digest->hashbuf);
digest->hashbuf = NULL; digest->hashbuf = NULL;
return; }
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 7ef2d45d..0f7d9bc3 100644 index 38f10f1c7edd..111b89aa8dc9 100644
--- a/libselinux/src/selinux_restorecon.c --- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c +++ b/libselinux/src/selinux_restorecon.c
@@ -37,7 +37,7 @@ @@ -37,7 +37,7 @@
@ -382,7 +383,7 @@ index 7ef2d45d..0f7d9bc3 100644
#define STAR_COUNT 1024 #define STAR_COUNT 1024
@@ -305,7 +305,7 @@ static uint64_t exclude_non_seclabel_mounts(void) @@ -304,7 +304,7 @@ static uint64_t exclude_non_seclabel_mounts(void)
static int add_xattr_entry(const char *directory, bool delete_nonmatch, static int add_xattr_entry(const char *directory, bool delete_nonmatch,
bool delete_all) bool delete_all)
{ {
@ -391,7 +392,7 @@ index 7ef2d45d..0f7d9bc3 100644
size_t i, digest_len = 0; size_t i, digest_len = 0;
int rc; int rc;
enum digest_result digest_result; enum digest_result digest_result;
@@ -329,15 +329,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, @@ -328,15 +328,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
} }
/* Convert entry to a hex encoded string. */ /* Convert entry to a hex encoded string. */
@ -410,7 +411,7 @@ index 7ef2d45d..0f7d9bc3 100644
digest_result = match ? MATCH : NOMATCH; digest_result = match ? MATCH : NOMATCH;
@@ -357,7 +357,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, @@ -356,7 +356,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
/* Now add entries to link list. */ /* Now add entries to link list. */
new_entry = malloc(sizeof(struct dir_xattr)); new_entry = malloc(sizeof(struct dir_xattr));
if (!new_entry) { if (!new_entry) {
@ -419,7 +420,7 @@ index 7ef2d45d..0f7d9bc3 100644
goto oom; goto oom;
} }
new_entry->next = NULL; new_entry->next = NULL;
@@ -365,15 +365,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, @@ -364,15 +364,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
new_entry->directory = strdup(directory); new_entry->directory = strdup(directory);
if (!new_entry->directory) { if (!new_entry->directory) {
free(new_entry); free(new_entry);
@ -438,7 +439,7 @@ index 7ef2d45d..0f7d9bc3 100644
goto oom; goto oom;
} }
@@ -387,7 +387,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, @@ -386,7 +386,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
dir_xattr_last = new_entry; dir_xattr_last = new_entry;
} }
@ -447,7 +448,7 @@ index 7ef2d45d..0f7d9bc3 100644
return 0; return 0;
oom: oom:
@@ -777,7 +777,7 @@ err: @@ -776,7 +776,7 @@ err:
struct dir_hash_node { struct dir_hash_node {
char *path; char *path;
@ -456,7 +457,7 @@ index 7ef2d45d..0f7d9bc3 100644
struct dir_hash_node *next; struct dir_hash_node *next;
}; };
/* /*
@@ -1283,7 +1283,7 @@ static int selinux_restorecon_common(const char *pathname_orig, @@ -1282,7 +1282,7 @@ static int selinux_restorecon_common(const char *pathname_orig,
if (setxattr(current->path, if (setxattr(current->path,
RESTORECON_PARTIAL_MATCH_DIGEST, RESTORECON_PARTIAL_MATCH_DIGEST,
current->digest, current->digest,
@ -467,7 +468,7 @@ index 7ef2d45d..0f7d9bc3 100644
current->path); current->path);
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
deleted file mode 100644 deleted file mode 100644
index 9d51e04a..00000000 index 9d51e04ac331..000000000000
--- a/libselinux/src/sha1.c --- a/libselinux/src/sha1.c
+++ /dev/null +++ /dev/null
@@ -1,220 +0,0 @@ @@ -1,220 +0,0 @@
@ -693,7 +694,7 @@ index 9d51e04a..00000000
-} -}
diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
deleted file mode 100644 deleted file mode 100644
index f83a6e7e..00000000 index f83a6e7ed7ba..000000000000
--- a/libselinux/src/sha1.h --- a/libselinux/src/sha1.h
+++ /dev/null +++ /dev/null
@@ -1,85 +0,0 @@ @@ -1,85 +0,0 @@
@ -784,7 +785,7 @@ index f83a6e7e..00000000
-#endif //_sha1_h_ -#endif //_sha1_h_
diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c
new file mode 100644 new file mode 100644
index 00000000..fe2aeef0 index 000000000000..fe2aeef07f53
--- /dev/null --- /dev/null
+++ b/libselinux/src/sha256.c +++ b/libselinux/src/sha256.c
@@ -0,0 +1,294 @@ @@ -0,0 +1,294 @@
@ -1084,7 +1085,7 @@ index 00000000..fe2aeef0
+} +}
diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h
new file mode 100644 new file mode 100644
index 00000000..406ed869 index 000000000000..406ed869cd82
--- /dev/null --- /dev/null
+++ b/libselinux/src/sha256.h +++ b/libselinux/src/sha256.h
@@ -0,0 +1,89 @@ @@ -0,0 +1,89 @@
@ -1178,7 +1179,7 @@ index 00000000..406ed869
+ SHA256_HASH* Digest // [in] + SHA256_HASH* Digest // [in]
+ ); + );
diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
index 6a8313a2..a69331f1 100644 index bf22b472856c..b992d4230eb3 100644
--- a/libselinux/utils/selabel_digest.c --- a/libselinux/utils/selabel_digest.c
+++ b/libselinux/utils/selabel_digest.c +++ b/libselinux/utils/selabel_digest.c
@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) @@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
@ -1192,8 +1193,8 @@ index 6a8313a2..a69331f1 100644
"-B Use base specfiles only (valid for \"-b file\" only).\n\t" "-B Use base specfiles only (valid for \"-b file\" only).\n\t"
"-i Do not request a digest.\n\t" "-i Do not request a digest.\n\t"
"-f Optional file containing the specs (defaults to\n\t" "-f Optional file containing the specs (defaults to\n\t"
@@ -62,12 +62,12 @@ int main(int argc, char **argv) @@ -63,12 +63,12 @@ int main(int argc, char **argv)
int backend = 0, rc, opt, validate = 0; int rc, opt, validate = 0;
char *baseonly = NULL, *file = NULL, *digest = (char *)1; char *baseonly = NULL, *file = NULL, *digest = (char *)1;
char **specfiles = NULL; char **specfiles = NULL;
- unsigned char *sha1_digest = NULL; - unsigned char *sha1_digest = NULL;
@ -1207,7 +1208,7 @@ index 6a8313a2..a69331f1 100644
struct selabel_handle *hnd; struct selabel_handle *hnd;
struct selinux_opt selabel_option[] = { struct selinux_opt selabel_option[] = {
@@ -137,7 +137,7 @@ int main(int argc, char **argv) @@ -138,7 +138,7 @@ int main(int argc, char **argv)
return -1; return -1;
} }
@ -1216,7 +1217,7 @@ index 6a8313a2..a69331f1 100644
&num_specfiles); &num_specfiles);
if (rc) { if (rc) {
@@ -152,19 +152,19 @@ int main(int argc, char **argv) @@ -153,19 +153,19 @@ int main(int argc, char **argv)
goto err; goto err;
} }
@ -1241,7 +1242,7 @@ index 6a8313a2..a69331f1 100644
printf("calculated using the following specfile(s):\n"); printf("calculated using the following specfile(s):\n");
if (specfiles) { if (specfiles) {
@@ -177,13 +177,13 @@ int main(int argc, char **argv) @@ -178,13 +178,13 @@ int main(int argc, char **argv)
cmd_ptr += strlen(specfiles[i]) + 1; cmd_ptr += strlen(specfiles[i]) + 1;
printf("%s\n", specfiles[i]); printf("%s\n", specfiles[i]);
} }
@ -1259,10 +1260,10 @@ index 6a8313a2..a69331f1 100644
selabel_close(hnd); selabel_close(hnd);
return rc; return rc;
diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
index c4e0f836..80723f71 100644 index e2733b4195ff..98e533dc2692 100644
--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c --- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c +++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
@@ -18,8 +18,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) @@ -16,8 +16,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
"-v Validate file_contxts entries against loaded policy.\n\t" "-v Validate file_contxts entries against loaded policy.\n\t"
"-r Recursively descend directories.\n\t" "-r Recursively descend directories.\n\t"
"-f Optional file_contexts file (defaults to current policy).\n\t" "-f Optional file_contexts file (defaults to current policy).\n\t"
@ -1273,7 +1274,7 @@ index c4e0f836..80723f71 100644
"<path> against\na newly generated digest based on the " "<path> against\na newly generated digest based on the "
"file_context entries for that node\n(using the regx, mode " "file_context entries for that node\n(using the regx, mode "
"and path entries).\n", progname); "and path entries).\n", progname);
@@ -37,7 +37,7 @@ int main(int argc, char **argv) @@ -35,7 +35,7 @@ int main(int argc, char **argv)
char *paths[2] = { NULL, NULL }; char *paths[2] = { NULL, NULL };
uint8_t *xattr_digest = NULL; uint8_t *xattr_digest = NULL;
uint8_t *calculated_digest = NULL; uint8_t *calculated_digest = NULL;
@ -1282,7 +1283,7 @@ index c4e0f836..80723f71 100644
struct selabel_handle *hnd; struct selabel_handle *hnd;
struct selinux_opt selabel_option[] = { struct selinux_opt selabel_option[] = {
@@ -106,27 +106,27 @@ int main(int argc, char **argv) @@ -104,27 +104,27 @@ int main(int argc, char **argv)
&xattr_digest, &xattr_digest,
&digest_len); &digest_len);
@ -1316,7 +1317,7 @@ index c4e0f836..80723f71 100644
ftsent->fts_path); ftsent->fts_path);
printf("as file_context entry is \"<<none>>\"\n"); printf("as file_context entry is \"<<none>>\"\n");
goto cleanup; goto cleanup;
@@ -136,25 +136,25 @@ int main(int argc, char **argv) @@ -134,25 +134,25 @@ int main(int argc, char **argv)
ftsent->fts_path); ftsent->fts_path);
for (i = 0; i < digest_len; i++) for (i = 0; i < digest_len; i++)
@ -1348,5 +1349,5 @@ index c4e0f836..80723f71 100644
} }
default: default:
-- --
2.40.0 2.41.0
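Review bot: In digest_gen_hash() the refreshed patch writes the result with `Sha256Finalise(&context, (SHA256_HASH *)digest->digest);`, so the buffer behind `digest->digest` must now be at least `sizeof(SHA256_HASH)` bytes, and nothing in the lines shown here establishes that; the label_internal.h hunk that presumably resizes it is collapsed on this page. Since this commit rebases the patch onto 3.6-rc1 (the index lines and context offsets all moved), it is worth confirming that no allocation or length check added upstream since 3.5 still assumes the SHA-1 size. A comment at the call such as `/* digest->digest must hold sizeof(SHA256_HASH) bytes */` would record the invariant. The same length also reaches `setxattr(current->path, RESTORECON_PARTIAL_MATCH_DIGEST, current->digest, ...)` in selinux_restorecon_common(), whose size argument is not visible here.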


@ -1,117 +0,0 @@
From 1540d4dd89af42b6a6c66e517142a2f5bade0974 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 1 Jun 2023 16:39:15 +0200
Subject: [PATCH] libselinux: Add examples to man pages
Also fix some typos and remove trailing whitespaces.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
---
libselinux/man/man8/getsebool.8 | 18 +++++++++++-------
libselinux/man/man8/matchpathcon.8 | 19 +++++++++++++------
2 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/libselinux/man/man8/getsebool.8 b/libselinux/man/man8/getsebool.8
index d70bf1e4..9e36f04f 100644
--- a/libselinux/man/man8/getsebool.8
+++ b/libselinux/man/man8/getsebool.8
@@ -1,6 +1,6 @@
.TH "getsebool" "8" "11 Aug 2004" "dwalsh@redhat.com" "SELinux Command Line documentation"
.SH "NAME"
-getsebool \- get SELinux boolean value(s)
+getsebool \- get SELinux boolean value(s)
.
.SH "SYNOPSIS"
.B getsebool
@@ -8,17 +8,16 @@ getsebool \- get SELinux boolean value(s)
.RI [ boolean ]
.
.SH "DESCRIPTION"
-.B getsebool
-reports where a particular SELinux boolean or
-all SELinux booleans are on or off
-In certain situations a boolean can be in one state with a pending
-change to the other state. getsebool will report this as a pending change.
+.B getsebool
+reports whether a particular SELinux boolean, or all SELinux booleans, are on or off.
+In certain situations a boolean can be in one state with a pending
+change to the other state. getsebool will report this as a pending change.
The pending value indicates
the value that will be applied upon the next boolean commit.
The setting of boolean values occurs in two stages; first the pending
value is changed, then the booleans are committed, causing their
-active values to become their pending values. This allows a group of
+active values to become their pending values. This allows a group of
booleans to be changed in a single transaction, by setting all of
their pending values as desired and then committing once.
.
@@ -27,6 +26,11 @@ their pending values as desired and then committing once.
.B \-a
Show all SELinux booleans.
.
+.SH EXAMPLE
+.nf
+Show current state of httpd_can_connect_ftp
+# getsebool httpd_can_connect_ftp
+.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
The program was written by Tresys Technology.
diff --git a/libselinux/man/man8/matchpathcon.8 b/libselinux/man/man8/matchpathcon.8
index 50c0d392..6d848f43 100644
--- a/libselinux/man/man8/matchpathcon.8
+++ b/libselinux/man/man8/matchpathcon.8
@@ -25,8 +25,8 @@ queries the system policy and outputs the default security context associated wi
Identical paths can have different security contexts, depending on the file
type (regular file, directory, link file, char file ...).
-.B matchpathcon
-will also take the file type into consideration in determining the default security context if the file exists. If the file does not exist, no file type matching will occur.
+.B matchpathcon
+will also take the file type into consideration in determining the default security context if the file exists. If the file does not exist, no file type matching will occur.
.
.SH OPTIONS
.TP
@@ -34,19 +34,19 @@ will also take the file type into consideration in determining the default secur
Force file type for the lookup.
Valid types are
.BR file ", " dir ", "pipe ", " chr_file ", " blk_file ", "
-.BR lnk_file ", " sock_file .
+.BR lnk_file ", " sock_file
.TP
.B \-n
-Do not display path.
+Do not display path
.TP
.B \-N
-Do not use translations.
+Do not use translations
.TP
.BI \-f " file_context_file"
Use alternate file_context file
.TP
.BI \-p " prefix"
-Use prefix to speed translations
+Use prefix to speed up translations
.TP
.BI \-P " policy_root_path"
Use alternate policy root path
@@ -54,6 +54,13 @@ Use alternate policy root path
.B \-V
Verify file context on disk matches defaults
.
+.SH EXAMPLE
+.nf
+Show the default label of sock_file cups.sock
+# matchpathcon -m sock_file /var/run/cups/cups.sock
+Verify that /var/www/html directory is labeled correctly (the content of the folder is not checked)
+# matchpathcon -V /var/www/html
+.
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.
--
2.40.0


@ -1,23 +1,22 @@
%define ruby_inc %(pkg-config --cflags ruby) %define ruby_inc %(pkg-config --cflags ruby)
%define libsepolver 3.5-1 %define libsepolver 3.6-0
Summary: SELinux library and simple utilities Summary: SELinux library and simple utilities
Name: libselinux Name: libselinux
Version: 3.5 Version: 3.6
Release: 5%{?dist} Release: 0.rc1.1%{?dist}
License: LicenseRef-Fedora-Public-Domain License: LicenseRef-Fedora-Public-Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/libselinux-3.5.tar.gz Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6-rc1/libselinux-3.6-rc1.tar.gz
Source1: selinuxconlist.8 Source1: selinuxconlist.8
Source2: selinuxdefcon.8 Source2: selinuxdefcon.8
Url: https://github.com/SELinuxProject/selinux/wiki Url: https://github.com/SELinuxProject/selinux/wiki
# $ git clone https://github.com/fedora-selinux/selinux.git # $ git clone https://github.com/fedora-selinux/selinux.git
# $ cd selinux # $ cd selinux
# $ git format-patch -N 3.5 -- libselinux # $ git format-patch -N 3.6-rc1 -- libselinux
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start # Patch list start
Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
Patch0002: 0002-libselinux-Add-examples-to-man-pages.patch
# Patch list end # Patch list end
BuildRequires: gcc make BuildRequires: gcc make
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
@ -88,7 +87,7 @@ The libselinux-static package contains the static libraries
needed for developing SELinux applications. needed for developing SELinux applications.
%prep %prep
%autosetup -p 2 -n libselinux-%{version} %autosetup -p 2 -n libselinux-%{version}-rc1
%build %build
export DISABLE_RPM="y" export DISABLE_RPM="y"
@ -177,6 +176,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{_sbindir}/avcstat %{_sbindir}/avcstat
%{_sbindir}/getenforce %{_sbindir}/getenforce
%{_sbindir}/getpidprevcon %{_sbindir}/getpidprevcon
%{_sbindir}/getpolicyload
%{_sbindir}/getsebool %{_sbindir}/getsebool
%{_sbindir}/matchpathcon %{_sbindir}/matchpathcon
%{_sbindir}/sefcontext_compile %{_sbindir}/sefcontext_compile
@ -194,8 +194,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{_sbindir}/validatetrans %{_sbindir}/validatetrans
%{_mandir}/man5/* %{_mandir}/man5/*
%{_mandir}/man8/* %{_mandir}/man8/*
%{_mandir}/ru/man5/*
%{_mandir}/ru/man8/*
%files devel %files devel
%{_libdir}/libselinux.so %{_libdir}/libselinux.so
@ -215,6 +213,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{ruby_vendorarchdir}/selinux.so %{ruby_vendorarchdir}/selinux.so
%changelog %changelog
* Mon Nov 13 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-0.rc1.1
- SELinux userspace 3.6-rc1 release
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-5 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
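Review bot: Source0 now points at a release-candidate tarball on GitHub, and the only integrity check visible in this commit is the SHA512 entry in `sources`, which pins what the packager uploaded rather than what upstream published. If upstream ships a detached signature for the 3.6-rc1 tarballs, the spec could carry the signature and the signing key as extra `Source` entries and call `%{gpgverify}` at the top of `%prep`, before `%autosetup`. Separately, `rc1` is spelled out in both Source0 and `%autosetup -p 2 -n libselinux-%{version}-rc1`; a single macro for the pre-release tag would keep the two from drifting on the next bump. Only the changed hunks of the spec are shown, so an existing verification step outside them cannot be ruled out.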


@ -1 +1 @@
SHA512 (libselinux-3.5.tar.gz) = 4e13261a5821018a5f3cdce676f180bb62e5bc225981ca8a498ece0d1c88d9ba8eaa0ce4099dd0849309a8a7c5a9a0953df841a9922f2c284e5a109e5d937ba7 SHA512 (libselinux-3.6-rc1.tar.gz) = a7a8dc9c95cfbe96700b5508ba63214d75c817f0ca90076c3171c1dc809786b9d2fd6f5b6cef458b4a0ae5969a0472c0781f84d0b330f54e6603a896665b3adb