Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/libselinux.git#93aa02b877ab3de1c71fbf52e63689760aaaf3ae
2020-11-24 10:23:59 +00:00 · 2020-11-24 10:23:59 +00:00 · c18e55e40f
commit c18e55e40f
parent 286b5423e6
5 changed files with 192 additions and 3 deletions
--- a/0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
+++ b/0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
@ -0,0 +1,59 @@
+From f870bd1ea6847840f1878490e090ef96ed708ac4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <bjorn.bidar@jolla.com>
+Date: Mon, 12 Oct 2020 19:07:22 +0300
+Subject: [PATCH] libselinux: LABEL_BACKEND_ANDROID add option to enable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add option to just enable the android label backend without disabling
+anything else eg. using ANDROID_HOST. Enable by default when using ANDROID_HOST.
+
+Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
+---
+ libselinux/Makefile     | 3 ++-
+ libselinux/src/Makefile | 6 +++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/Makefile b/libselinux/Makefile
+index cb5872b7b090..ac16c15e8d0a 100644
+--- a/libselinux/Makefile
+++ b/libselinux/Makefile
+@@ -4,6 +4,7 @@ PKG_CONFIG ?= pkg-config
+ DISABLE_SETRANS ?= n
+ DISABLE_RPM ?= n
+ ANDROID_HOST ?= n
+LABEL_BACKEND_ANDROID ?= n
+ ifeq ($(ANDROID_HOST),y)
+ 	override DISABLE_SETRANS=y
+ 	override DISABLE_BOOL=y
+@@ -20,7 +21,7 @@ endif
+ ifeq ($(DISABLE_X11),y)
+ 	DISABLE_FLAGS+= -DNO_X_BACKEND
+ endif
+-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11
+export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 LABEL_BACKEND_ANDROID
+ 
+ USE_PCRE2 ?= n
+ ifeq ($(USE_PCRE2),y)
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index be0b6eec6f6d..52c40f018f51 100644
+--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
+@@ -122,8 +122,12 @@ SRCS= callbacks.c freecon.c label.c label_file.c \
+ 	label_backends_android.c regex.c label_support.c \
+ 	matchpathcon.c setrans_client.c sha1.c booleans.c
+ else
+-DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+LABEL_BACKEND_ANDROID=y
+endif
+
+ifneq ($(LABEL_BACKEND_ANDROIDT),y)
+ SRCS:= $(filter-out label_backends_android.c, $(SRCS))
+DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+ endif
+ 
+ ifeq ($(DISABLE_X11),y)
+-- 
+2.29.2
+
--- a/0016-selinux-8-mark-up-SELINUX-values.patch
+++ b/0016-selinux-8-mark-up-SELINUX-values.patch
@ -0,0 +1,51 @@
+From c698cd8cbc98ab2f795d3c353c9f978c1758106d Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 11 Nov 2020 17:23:38 +0100
+Subject: [PATCH] selinux(8): mark up SELINUX values
+
+Mark up the possible values of SELINUX (disabled, permissive, enforcing)
+for better readability.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/man/man8/selinux.8 | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 8b4fc3706989..522d45960bf3 100644
+--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
+@@ -19,18 +19,18 @@ enabled or disabled, and if enabled, whether SELinux operates in
+ permissive mode or enforcing mode.  The
+ .B SELINUX
+ variable may be set to
+-any one of disabled, permissive, or enforcing to select one of these
+-options.  The disabled option completely disables the SELinux kernel
+-and application code, leaving the system running without any SELinux
+-protection.  The permissive option enables the SELinux code, but
+-causes it to operate in a mode where accesses that would be denied by
+-policy are permitted but audited.  The enforcing option enables the
+-SELinux code and causes it to enforce access denials as well as
+-auditing them.  Permissive mode may yield a different set of denials
+-than enforcing mode, both because enforcing mode will prevent an
+-operation from proceeding past the first denial and because some
+-application code will fall back to a less privileged mode of operation
+-if denied access.
+any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
+select one of these options.  The \fIdisabled\fR option completely
+disables the SELinux kernel and application code, leaving the system
+running without any SELinux protection.  The \fIpermissive\fR option
+enables the SELinux code, but causes it to operate in a mode where
+accesses that would be denied by policy are permitted but audited.  The
+\fIenforcing\fR option enables the SELinux code and causes it to enforce
+access denials as well as auditing them.  \fIpermissive\fR mode may
+yield a different set of denials than enforcing mode, both because
+enforcing mode will prevent an operation from proceeding past the first
+denial and because some application code will fall back to a less
+privileged mode of operation if denied access.
+ 
+ The
+ .I /etc/selinux/config
+-- 
+2.29.2
+
--- a/0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch
+++ b/0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch
@ -0,0 +1,57 @@
+From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 11 Nov 2020 17:23:39 +0100
+Subject: [PATCH] selinux(8): explain that runtime disable is deprecated
+
+Update the main SELinux manpage to explain that runtime disable (i.e.
+disabling SELinux using SELINUX=Disabled) is deprecated and recommend
+disabling SELinux only via the kernel boot parameter.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 522d45960bf3..a36e286b1409 100644
+--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
+@@ -20,8 +20,8 @@ permissive mode or enforcing mode.  The
+ .B SELINUX
+ variable may be set to
+ any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
+-select one of these options.  The \fIdisabled\fR option completely
+-disables the SELinux kernel and application code, leaving the system
+select one of these options.  The \fIdisabled\fR disables most of the
+SELinux kernel and application code, leaving the system
+ running without any SELinux protection.  The \fIpermissive\fR option
+ enables the SELinux code, but causes it to operate in a mode where
+ accesses that would be denied by policy are permitted but audited.  The
+@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first
+ denial and because some application code will fall back to a less
+ privileged mode of operation if denied access.
+ 
+.B NOTE:
+Disabling SELinux by setting
+.B SELINUX=disabled
+in
+.I /etc/selinux/config
+is deprecated and depending on kernel version and configuration it might
+not lead to SELinux being completely disabled.  Specifically, the
+SELinux hooks will still be executed internally, but the SELinux policy
+will not be loaded and no operation will be denied.  In such state, the
+system will act as if SELinux was disabled, although some operations
+might behave slightly differently.  To properly disable SELinux, it is
+recommended to use the
+.B selinux=0
+kernel boot option instead.  In that case SELinux will be disabled
+regardless of what is set in the
+.I /etc/selinux/config
+file.
+
+ The
+ .I /etc/selinux/config
+ configuration file also controls what policy
+-- 
+2.29.2
+
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
--- a/libselinux.spec
+++ b/libselinux.spec
@ -1,10 +1,10 @@
 %define ruby_inc %(pkg-config --cflags ruby)
-%define libsepolver 3.1-4
+%define libsepolver 3.1-5

 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 3.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: Public Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libselinux-3.1.tar.gz
@ -30,8 +30,11 @@ Patch0011: 0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch
 Patch0012: 0012-libsepol-Bump-libsepol.so-version.patch
 Patch0013: 0013-libselinux-Add-build-option-to-disable-X11-backend.patch
 Patch0014: 0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
+Patch0015: 0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
+Patch0016: 0016-selinux-8-mark-up-SELINUX-values.patch
+Patch0017: 0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch
 # Patch list end
-BuildRequires: gcc
+BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
 BuildRequires: python3 python3-devel
 BuildRequires: systemd
@ -226,6 +229,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{ruby_vendorarchdir}/selinux.so

 %changelog
+* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
+- selinux(8): explain that runtime disable is deprecated
+
 * Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
 - Use libsepol.so.2
 - Convert matchpathcon to selabel_lookup()