From a41726c8428003c720b4acbb4004794e601d3c04 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 28 Mar 2023 09:12:41 +0000
Subject: [PATCH] import libselinux-3.5-1.el9
---
 .gitignore | 2 +-
 .libselinux.metadata | 2 +-
 SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch | 18 +-
 ...x-restorecon-pin-file-to-avoid-TOCTO.patch | 172 ------------------
 SPECS/libselinux.spec | 26 ++-
 5 files changed, 30 insertions(+), 190 deletions(-)
 delete mode 100644 SOURCES/0002-Revert-libselinux-restorecon-pin-file-to-avoid-TOCTO.patch
diff --git a/.gitignore b/.gitignore
index 609ac99..9efbd3a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libselinux-3.4.tar.gz
+SOURCES/libselinux-3.5.tar.gz
diff --git a/.libselinux.metadata b/.libselinux.metadata
index 5d9e33b..e076e9a 100644
--- a/.libselinux.metadata
+++ b/.libselinux.metadata
@@ -1 +1 @@
-1fff75ad31eca7979740af01279d868ca8cbd249 SOURCES/libselinux-3.4.tar.gz
+9f1ca79a767b2a69e63e01b82d13cff9bc712f4a SOURCES/libselinux-3.5.tar.gz
diff --git a/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
index fcd15a6..a65d9cb 100644
--- a/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
+++ b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
@@ -1,4 +1,4 @@
-From 04f73fee2892753b3e81923d2ac3d338acfdbc4c Mon Sep 17 00:00:00 2001
+From 1dbd23dc2566b3fe9113bf09fd9e190dfd4651b6 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Fri, 30 Jul 2021 14:14:37 +0200
 Subject: [PATCH] Use SHA-2 instead of SHA-1
@@ -185,10 +185,10 @@ index c56326814b94..098c840fc59b 100644
 .BR selabel_open (3)
 must be called specifying the required
 diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
-index 04bf4f240168..222c3fa2d7c3 100644
+index 70ba063ada5d..0c803d8d4aae 100644
 --- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile -@@ -119,7 +119,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ +@@ -125,7 +125,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ -DBUILD_HOST SRCS= callbacks.c freecon.c label.c label_file.c \ label_backends_android.c regex.c label_support.c \ @@ -371,7 +371,7 @@ index 54fd49a5b7b9..4003eb8dc7af 100644 digest->hashbuf = NULL; return; diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index 9dd6be817832..dc222b425c95 100644 +index 6b5f6921b82b..24604776974e 100644 --- a/libselinux/src/selinux_restorecon.c +++ b/libselinux/src/selinux_restorecon.c @@ -37,7 +37,7 @@ @@ -448,7 +448,7 @@ index 9dd6be817832..dc222b425c95 100644 return 0; oom: -@@ -781,7 +781,7 @@ err: +@@ -775,7 +775,7 @@ err: struct dir_hash_node { char *path; @@ -457,7 +457,7 @@ index 9dd6be817832..dc222b425c95 100644 struct dir_hash_node *next; }; /* -@@ -1270,7 +1270,7 @@ static int selinux_restorecon_common(const char *pathname_orig, +@@ -1281,7 +1281,7 @@ static int selinux_restorecon_common(const char *pathname_orig, if (setxattr(current->path, RESTORECON_PARTIAL_MATCH_DIGEST, current->digest, @@ -468,7 +468,7 @@ index 9dd6be817832..dc222b425c95 100644 current->path); diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c deleted file mode 100644 -index a848467785f3..000000000000 +index 9d51e04ac331..000000000000 --- a/libselinux/src/sha1.c +++ /dev/null @@ -1,220 +0,0 @@ 
@@ -485,7 +485,7 @@ index a848467785f3..000000000000 -// Modified to: -// - stop symbols being exported for libselinux shared library - October 2015 -// Richard Haines --// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses. +-// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment issues. -// Fixes: -// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] -// CHAR64LONG16* block = (CHAR64LONG16*) workspace; @@ -1349,5 +1349,5 @@ index c4e0f836b260..80723f714264 100644 } default: -- -2.36.1 +2.39.0 diff --git a/SOURCES/0002-Revert-libselinux-restorecon-pin-file-to-avoid-TOCTO.patch b/SOURCES/0002-Revert-libselinux-restorecon-pin-file-to-avoid-TOCTO.patch deleted file mode 100644 index f586640..0000000 --- a/SOURCES/0002-Revert-libselinux-restorecon-pin-file-to-avoid-TOCTO.patch +++ /dev/null 
@@ -1,172 +0,0 @@ -From f785c53174fd0ebad913e105382360f9d46205d8 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Tue, 31 May 2022 13:37:12 +0200 -Subject: [PATCH] Revert "libselinux: restorecon: pin file to avoid TOCTOU - issues" -Content-type: text/plain - -This reverts commit 7e979b56fd2cee28f647376a7233d2ac2d12ca50. - -The reverted commit broke `setfiles` when it's run from a chroot -without /proc mounted, e.g. - - # chroot /mnt/sysimage - - chroot# setfiles -e /proc -e /sys /sys /etc/selinux/targeted/contexts/files/file_contexts / - [strace] - openat(AT_FDCWD, "/", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3 - newfstatat(3, "", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_EMPTY_PATH) = 0 - mmap(NULL, 2101248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1697c91000 - fgetxattr(3, "security.selinux", 0x55be8881d3f0, 255) = -1 EBADF (Bad file descriptor) - fcntl(3, F_GETFL) = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH) - getxattr("/proc/self/fd/3", "security.selinux", 0x55be8881d3f0, 255) = -1 ENOENT (No such file or directory) - [/strace] - setfiles: Could not set context for /: No such file or directory - -Signed-off-by: Petr Lautrbach ---- - libselinux/src/selinux_restorecon.c | 43 ++++++++++++----------------- - 1 file changed, 18 insertions(+), 25 deletions(-) - -diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c -index dc222b425c95..a50005353265 100644 ---- a/libselinux/src/selinux_restorecon.c -+++ b/libselinux/src/selinux_restorecon.c -@@ -623,13 +623,13 @@ out: - return rc; - } - --static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool first) -+static int restorecon_sb(const char *pathname, const struct stat *sb, -+ struct rest_flags *flags, bool first) - { - char *newcon = NULL; - char *curcon = NULL; - char *newtypecon = NULL; -- int fd = -1, rc; -- struct stat stat_buf; -+ int rc; - bool updated = false; - const char *lookup_path = pathname; - float pc; -@@ -644,21 +644,13 @@ 
static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi - lookup_path += rootpathlen; - } - -- fd = open(pathname, O_PATH | O_NOFOLLOW | O_EXCL); -- if (fd < 0) -- goto err; -- -- rc = fstat(fd, &stat_buf); -- if (rc < 0) -- goto err; -- - if (rootpath != NULL && lookup_path[0] == '\0') - /* this is actually the root dir of the alt root. */ - rc = selabel_lookup_raw(fc_sehandle, &newcon, "/", -- stat_buf.st_mode); -+ sb->st_mode); - else - rc = selabel_lookup_raw(fc_sehandle, &newcon, lookup_path, -- stat_buf.st_mode); -+ sb->st_mode); - - if (rc < 0) { - if (errno == ENOENT) { -@@ -667,10 +659,10 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi - "Warning no default label for %s\n", - lookup_path); - -- goto out; /* no match, but not an error */ -+ return 0; /* no match, but not an error */ - } - -- goto err; -+ return -1; - } - - if (flags->progress) { -@@ -690,17 +682,19 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi - } - - if (flags->add_assoc) { -- rc = filespec_add(stat_buf.st_ino, newcon, pathname, flags); -+ rc = filespec_add(sb->st_ino, newcon, pathname, flags); - - if (rc < 0) { - selinux_log(SELINUX_ERROR, - "filespec_add error: %s\n", pathname); -- goto out1; -+ freecon(newcon); -+ return -1; - } - - if (rc > 0) { - /* Already an association and it took precedence. 
*/ -- goto out; -+ freecon(newcon); -+ return 0; - } - } - -@@ -708,7 +702,7 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi - selinux_log(SELINUX_INFO, "%s matched by %s\n", - pathname, newcon); - -- if (fgetfilecon_raw(fd, &curcon) < 0) { -+ if (lgetfilecon_raw(pathname, &curcon) < 0) { - if (errno != ENODATA) - goto err; - -@@ -741,7 +735,7 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi - } - - if (!flags->nochange) { -- if (fsetfilecon(fd, newcon) < 0) -+ if (lsetfilecon(pathname, newcon) < 0) - goto err; - updated = true; - } -@@ -766,8 +760,6 @@ static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool fi - out: - rc = 0; - out1: -- if (fd >= 0) -- close(fd); - freecon(curcon); - freecon(newcon); - return rc; -@@ -865,6 +857,7 @@ static void *selinux_restorecon_thread(void *arg) - FTSENT *ftsent; - int error; - char ent_path[PATH_MAX]; -+ struct stat ent_st; - bool first = false; - - if (state->parallel) -@@ -962,11 +955,11 @@ loop_body: - /* fall through */ - default: - strcpy(ent_path, ftsent->fts_path); -- -+ ent_st = *ftsent->fts_statp; - if (state->parallel) - pthread_mutex_unlock(&state->mutex); - -- error = restorecon_sb(ent_path, &state->flags, -+ error = restorecon_sb(ent_path, &ent_st, &state->flags, - first); - - if (state->parallel) { -@@ -1162,7 +1155,7 @@ static int selinux_restorecon_common(const char *pathname_orig, - goto cleanup; - } - -- error = restorecon_sb(pathname, &state.flags, true); -+ error = restorecon_sb(pathname, &sb, &state.flags, true); - goto cleanup; - } - --- -2.36.1 - diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec index 026015f..22f2ee4 100644 --- a/SPECS/libselinux.spec +++ b/SPECS/libselinux.spec 
@@ -1,27 +1,26 @@
 %define ruby_inc %(pkg-config --cflags ruby)
-%define libsepolver 3.4-1
+%define libsepolver 3.5-1
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 3.4
-Release: 3%{?dist}
+Version: 3.5
+Release: 1%{?dist}
 License: Public Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/libselinux-3.4.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/libselinux-3.5.tar.gz
 Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
 # $ git clone https://github.com/fedora-selinux/selinux.git
 # $ cd selinux
-# $ git format-patch -N 3.4 -- libselinux
+# $ git format-patch -N 3.5 -- libselinux
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
-Patch0002: 0002-Revert-libselinux-restorecon-pin-file-to-avoid-TOCTO.patch
 # Patch list end
 BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
-BuildRequires: python3 python3-devel
+BuildRequires: python3 python3-devel python3-pip
 BuildRequires: systemd
 Requires: libsepol%{?_isa} >= %{libsepolver} pcre2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -176,6 +175,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %files utils
 %{_sbindir}/avcstat
 %{_sbindir}/getenforce
+%{_sbindir}/getpidprevcon
 %{_sbindir}/getsebool
 %{_sbindir}/matchpathcon
 %{_sbindir}/sefcontext_compile
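Review bot: Dropping `Patch0002` (the revert of restorecon's O_PATH fd pinning, whose own commit message in the deleted file says it existed because the pinned-fd path broke setfiles in a chroot without /proc mounted) reinstates a behaviour change that neither this hunk nor the 3.5-1 changelog entry explains. If upstream 3.5 now handles the missing-/proc case on its own, record that next to the patch list so the next rebase does not have to rediscover it, e.g. `# 0002-Revert-libselinux-restorecon-pin-file-to-avoid-TOCTO.patch dropped with 3.5: confirm setfiles still works in a chroot without /proc`; if it does not, the regression described in that commit message comes back with this build. The new `BuildRequires: python3-pip` has no visible consumer in this hunk either; a one-line comment naming what needs it would keep the build dependency from surviving past its use. The spec's other sections are outside this hunk.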
@@ -214,6 +214,18 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{ruby_vendorarchdir}/selinux.so
 %changelog
+* Thu Feb 23 2023 Petr Lautrbach - 3.5-1
+- SELinux userspace 3.5 release
+
+* Tue Feb 14 2023 Petr Lautrbach - 3.5-0.rc3.1
+- SELinux userspace 3.5-rc3 release
+
+* Mon Jan 16 2023 Petr Lautrbach - 3.5-0.rc2.1
+- SELinux userspace 3.5-rc2 release
+
+* Mon Jan 2 2023 Petr Lautrbach - 3.5-0.rc1.1
+- SELinux userspace 3.5-rc1 release
+
 * Mon Jul 18 2022 Petr Lautrbach - 3.4-3
 - Drop SHA-1 from selinux_restorecon.3