From c18e55e40f6e2f379002b8985fc71958cb43013c Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Tue, 24 Nov 2020 10:23:59 +0000
Subject: [PATCH] Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/libselinux.git#93aa02b877ab3de1c71fbf52e63689760aaaf3ae
---
 ..._BACKEND_ANDROID-add-option-to-enabl.patch | 59 +++++++++++++++++++
 0016-selinux-8-mark-up-SELINUX-values.patch | 51 ++++++++++++++++
 ...n-that-runtime-disable-is-deprecated.patch | 57 ++++++++++++++++++
 gating.yaml | 16 +++++
 libselinux.spec | 12 +++-
 5 files changed, 192 insertions(+), 3 deletions(-)
 create mode 100644 0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
 create mode 100644 0016-selinux-8-mark-up-SELINUX-values.patch
 create mode 100644 0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch
 create mode 100644 gating.yaml
diff --git a/0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch b/0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
new file mode 100644
index 0000000..2fb4f30
--- /dev/null
+++ b/0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
@@ -0,0 +1,59 @@ +From f870bd1ea6847840f1878490e090ef96ed708ac4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= +Date: Mon, 12 Oct 2020 19:07:22 +0300 +Subject: [PATCH] libselinux: LABEL_BACKEND_ANDROID add option to enable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add option to just enable the android label backend without disabling +anything else eg. using ANDROID_HOST. Enable by default when using ANDROID_HOST. + +Signed-off-by: Björn Bidar +--- + libselinux/Makefile | 3 ++- + libselinux/src/Makefile | 6 +++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/libselinux/Makefile b/libselinux/Makefile +index cb5872b7b090..ac16c15e8d0a 100644 +--- a/libselinux/Makefile ++++ b/libselinux/Makefile +@@ -4,6 +4,7 @@ PKG_CONFIG ?= pkg-config + DISABLE_SETRANS ?= n + DISABLE_RPM ?= n + ANDROID_HOST ?= n ++LABEL_BACKEND_ANDROID ?= n + ifeq ($(ANDROID_HOST),y) + override DISABLE_SETRANS=y + override DISABLE_BOOL=y +@@ -20,7 +21,7 @@ endif + ifeq ($(DISABLE_X11),y) + DISABLE_FLAGS+= -DNO_X_BACKEND + endif +-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 ++export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 LABEL_BACKEND_ANDROID + + USE_PCRE2 ?= n + ifeq ($(USE_PCRE2),y) +diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile +index be0b6eec6f6d..52c40f018f51 100644 +--- a/libselinux/src/Makefile ++++ b/libselinux/src/Makefile +@@ -122,8 +122,12 @@ SRCS= callbacks.c freecon.c label.c label_file.c \ + label_backends_android.c regex.c label_support.c \ + matchpathcon.c setrans_client.c sha1.c booleans.c + else +-DISABLE_FLAGS+= -DNO_ANDROID_BACKEND ++LABEL_BACKEND_ANDROID=y ++endif ++ ++ifneq ($(LABEL_BACKEND_ANDROIDT),y) + SRCS:= $(filter-out label_backends_android.c, $(SRCS)) ++DISABLE_FLAGS+= -DNO_ANDROID_BACKEND + endif + + ifeq ($(DISABLE_X11),y) +-- +2.29.2 + 
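Review bot: The guard `ifneq ($(LABEL_BACKEND_ANDROIDT),y)` in the nested libselinux/src/Makefile hunk tests a variable whose name does not match the `LABEL_BACKEND_ANDROID` that is defaulted and exported in libselinux/Makefile and set to `y` two lines above it. Because the misspelled name is never assigned, the condition is always true, so `label_backends_android.c` is filtered out of SRCS and `-DNO_ANDROID_BACKEND` is appended even when ANDROID_HOST=y or LABEL_BACKEND_ANDROID=y is requested, silently producing a library without the backend the option is meant to enable. The line should read `ifneq ($(LABEL_BACKEND_ANDROID),y)`. Since this file is a verbatim backport, it is worth checking whether upstream has a follow-up correcting the name and carrying that as well, rather than editing the patch locally.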
diff --git a/0016-selinux-8-mark-up-SELINUX-values.patch b/0016-selinux-8-mark-up-SELINUX-values.patch
new file mode 100644
index 0000000..12efd4a
--- /dev/null
+++ b/0016-selinux-8-mark-up-SELINUX-values.patch
@@ -0,0 +1,51 @@ +From c698cd8cbc98ab2f795d3c353c9f978c1758106d Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 11 Nov 2020 17:23:38 +0100 +Subject: [PATCH] selinux(8): mark up SELINUX values + +Mark up the possible values of SELINUX (disabled, permissive, enforcing) +for better readability. + +Signed-off-by: Ondrej Mosnacek +--- + libselinux/man/man8/selinux.8 | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 +index 8b4fc3706989..522d45960bf3 100644 +--- a/libselinux/man/man8/selinux.8 ++++ b/libselinux/man/man8/selinux.8 +@@ -19,18 +19,18 @@ enabled or disabled, and if enabled, whether SELinux operates in + permissive mode or enforcing mode. The + .B SELINUX + variable may be set to +-any one of disabled, permissive, or enforcing to select one of these +-options. The disabled option completely disables the SELinux kernel +-and application code, leaving the system running without any SELinux +-protection. The permissive option enables the SELinux code, but +-causes it to operate in a mode where accesses that would be denied by +-policy are permitted but audited. The enforcing option enables the +-SELinux code and causes it to enforce access denials as well as +-auditing them. Permissive mode may yield a different set of denials +-than enforcing mode, both because enforcing mode will prevent an +-operation from proceeding past the first denial and because some +-application code will fall back to a less privileged mode of operation +-if denied access. ++any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to ++select one of these options. The \fIdisabled\fR option completely ++disables the SELinux kernel and application code, leaving the system ++running without any SELinux protection. 
The \fIpermissive\fR option ++enables the SELinux code, but causes it to operate in a mode where ++accesses that would be denied by policy are permitted but audited. The ++\fIenforcing\fR option enables the SELinux code and causes it to enforce ++access denials as well as auditing them. \fIpermissive\fR mode may ++yield a different set of denials than enforcing mode, both because ++enforcing mode will prevent an operation from proceeding past the first ++denial and because some application code will fall back to a less ++privileged mode of operation if denied access. + + The + .I /etc/selinux/config +-- +2.29.2 + diff --git a/0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch b/0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch new file mode 100644 index 0000000..2b2dd43 --- /dev/null +++ b/0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch 
@@ -0,0 +1,57 @@ +From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 11 Nov 2020 17:23:39 +0100 +Subject: [PATCH] selinux(8): explain that runtime disable is deprecated + +Update the main SELinux manpage to explain that runtime disable (i.e. +disabling SELinux using SELINUX=Disabled) is deprecated and recommend +disabling SELinux only via the kernel boot parameter. + +Signed-off-by: Ondrej Mosnacek +--- + libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 +index 522d45960bf3..a36e286b1409 100644 +--- a/libselinux/man/man8/selinux.8 ++++ b/libselinux/man/man8/selinux.8 +@@ -20,8 +20,8 @@ permissive mode or enforcing mode. The + .B SELINUX + variable may be set to + any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to +-select one of these options. The \fIdisabled\fR option completely +-disables the SELinux kernel and application code, leaving the system ++select one of these options. The \fIdisabled\fR disables most of the ++SELinux kernel and application code, leaving the system + running without any SELinux protection. The \fIpermissive\fR option + enables the SELinux code, but causes it to operate in a mode where + accesses that would be denied by policy are permitted but audited. The +@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first + denial and because some application code will fall back to a less + privileged mode of operation if denied access. + ++.B NOTE: ++Disabling SELinux by setting ++.B SELINUX=disabled ++in ++.I /etc/selinux/config ++is deprecated and depending on kernel version and configuration it might ++not lead to SELinux being completely disabled. Specifically, the ++SELinux hooks will still be executed internally, but the SELinux policy ++will not be loaded and no operation will be denied. 
In such state, the ++system will act as if SELinux was disabled, although some operations ++might behave slightly differently. To properly disable SELinux, it is ++recommended to use the ++.B selinux=0 ++kernel boot option instead. In that case SELinux will be disabled ++regardless of what is set in the ++.I /etc/selinux/config ++file. ++ + The + .I /etc/selinux/config + configuration file also controls what policy +-- +2.29.2 + diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..af6eb32 --- /dev/null +++ b/gating.yaml @@ -0,0 +1,16 @@ +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_testing +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} + +--- !Policy +product_versions: + - fedora-* +decision_context: bodhi_update_push_stable +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} + diff --git a/libselinux.spec b/libselinux.spec index 9572b14..853feb9 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,10 +1,10 @@ %define ruby_inc %(pkg-config --cflags ruby) -%define libsepolver 3.1-4 +%define libsepolver 3.1-5 Summary: SELinux library and simple utilities Name: libselinux Version: 3.1 -Release: 4%{?dist} +Release: 5%{?dist} License: Public Domain # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libselinux-3.1.tar.gz 
@@ -30,8 +30,11 @@ Patch0011: 0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch
 Patch0012: 0012-libsepol-Bump-libsepol.so-version.patch
 Patch0013: 0013-libselinux-Add-build-option-to-disable-X11-backend.patch
 Patch0014: 0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
+Patch0015: 0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
+Patch0016: 0016-selinux-8-mark-up-SELINUX-values.patch
+Patch0017: 0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch
 # Patch list end
-BuildRequires: gcc
+BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
 BuildRequires: python3 python3-devel
 BuildRequires: systemd
@@ -226,6 +229,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{ruby_vendorarchdir}/selinux.so
 
 %changelog
+* Fri Nov 20 2020 Petr Lautrbach - 3.1-5
+- selinux(8): explain that runtime disable is deprecated
+
 * Fri Oct 30 2020 Petr Lautrbach - 3.1-4
 - Use libsepol.so.2
 - Convert matchpathcon to selabel_lookup()
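Review bot: The new 3.1-5 changelog entry records only the selinux(8) deprecation note, while the same release also applies Patch0015 (a new LABEL_BACKEND_ANDROID build option that changes which label backend sources are compiled), Patch0016, and adds `make` to BuildRequires and a gating.yaml. Anyone auditing the package via `rpm -q --changelog` would not learn that build-time configuration of the library changed in this release. Consider extending the entry with lines such as `- libselinux: add LABEL_BACKEND_ANDROID build option (Patch0015)` and `- Add gating.yaml; add make to BuildRequires`, one item per patch as the 3.1-4 entry above already does.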