Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/libselinux.git#93aa02b877ab3de1c71fbf52e63689760aaaf3ae
This commit is contained in:
DistroBaker 2020-11-24 10:23:59 +00:00
parent 286b5423e6
commit c18e55e40f
5 changed files with 192 additions and 3 deletions

View File

@ -0,0 +1,59 @@
From f870bd1ea6847840f1878490e090ef96ed708ac4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <bjorn.bidar@jolla.com>
Date: Mon, 12 Oct 2020 19:07:22 +0300
Subject: [PATCH] libselinux: LABEL_BACKEND_ANDROID add option to enable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add option to just enable the android label backend without disabling
anything else eg. using ANDROID_HOST. Enable by default when using ANDROID_HOST.
Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
---
libselinux/Makefile | 3 ++-
libselinux/src/Makefile | 6 +++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/libselinux/Makefile b/libselinux/Makefile
index cb5872b7b090..ac16c15e8d0a 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -4,6 +4,7 @@ PKG_CONFIG ?= pkg-config
DISABLE_SETRANS ?= n
DISABLE_RPM ?= n
ANDROID_HOST ?= n
+LABEL_BACKEND_ANDROID ?= n
ifeq ($(ANDROID_HOST),y)
override DISABLE_SETRANS=y
override DISABLE_BOOL=y
@@ -20,7 +21,7 @@ endif
ifeq ($(DISABLE_X11),y)
DISABLE_FLAGS+= -DNO_X_BACKEND
endif
-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11
+export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 LABEL_BACKEND_ANDROID
USE_PCRE2 ?= n
ifeq ($(USE_PCRE2),y)
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index be0b6eec6f6d..52c40f018f51 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -122,8 +122,12 @@ SRCS= callbacks.c freecon.c label.c label_file.c \
label_backends_android.c regex.c label_support.c \
matchpathcon.c setrans_client.c sha1.c booleans.c
else
-DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+LABEL_BACKEND_ANDROID=y
+endif
+
+ifneq ($(LABEL_BACKEND_ANDROIDT),y)
SRCS:= $(filter-out label_backends_android.c, $(SRCS))
+DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
endif
ifeq ($(DISABLE_X11),y)
--
2.29.2

View File

@ -0,0 +1,51 @@
From c698cd8cbc98ab2f795d3c353c9f978c1758106d Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 11 Nov 2020 17:23:38 +0100
Subject: [PATCH] selinux(8): mark up SELINUX values
Mark up the possible values of SELINUX (disabled, permissive, enforcing)
for better readability.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/man/man8/selinux.8 | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 8b4fc3706989..522d45960bf3 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -19,18 +19,18 @@ enabled or disabled, and if enabled, whether SELinux operates in
permissive mode or enforcing mode. The
.B SELINUX
variable may be set to
-any one of disabled, permissive, or enforcing to select one of these
-options. The disabled option completely disables the SELinux kernel
-and application code, leaving the system running without any SELinux
-protection. The permissive option enables the SELinux code, but
-causes it to operate in a mode where accesses that would be denied by
-policy are permitted but audited. The enforcing option enables the
-SELinux code and causes it to enforce access denials as well as
-auditing them. Permissive mode may yield a different set of denials
-than enforcing mode, both because enforcing mode will prevent an
-operation from proceeding past the first denial and because some
-application code will fall back to a less privileged mode of operation
-if denied access.
+any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
+select one of these options. The \fIdisabled\fR option completely
+disables the SELinux kernel and application code, leaving the system
+running without any SELinux protection. The \fIpermissive\fR option
+enables the SELinux code, but causes it to operate in a mode where
+accesses that would be denied by policy are permitted but audited. The
+\fIenforcing\fR option enables the SELinux code and causes it to enforce
+access denials as well as auditing them. \fIpermissive\fR mode may
+yield a different set of denials than enforcing mode, both because
+enforcing mode will prevent an operation from proceeding past the first
+denial and because some application code will fall back to a less
+privileged mode of operation if denied access.
The
.I /etc/selinux/config
--
2.29.2

View File

@ -0,0 +1,57 @@
From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 11 Nov 2020 17:23:39 +0100
Subject: [PATCH] selinux(8): explain that runtime disable is deprecated
Update the main SELinux manpage to explain that runtime disable (i.e.
disabling SELinux using SELINUX=Disabled) is deprecated and recommend
disabling SELinux only via the kernel boot parameter.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 522d45960bf3..a36e286b1409 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -20,8 +20,8 @@ permissive mode or enforcing mode. The
.B SELINUX
variable may be set to
any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
-select one of these options. The \fIdisabled\fR option completely
-disables the SELinux kernel and application code, leaving the system
+select one of these options. The \fIdisabled\fR disables most of the
+SELinux kernel and application code, leaving the system
running without any SELinux protection. The \fIpermissive\fR option
enables the SELinux code, but causes it to operate in a mode where
accesses that would be denied by policy are permitted but audited. The
@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first
denial and because some application code will fall back to a less
privileged mode of operation if denied access.
+.B NOTE:
+Disabling SELinux by setting
+.B SELINUX=disabled
+in
+.I /etc/selinux/config
+is deprecated and depending on kernel version and configuration it might
+not lead to SELinux being completely disabled. Specifically, the
+SELinux hooks will still be executed internally, but the SELinux policy
+will not be loaded and no operation will be denied. In such state, the
+system will act as if SELinux was disabled, although some operations
+might behave slightly differently. To properly disable SELinux, it is
+recommended to use the
+.B selinux=0
+kernel boot option instead. In that case SELinux will be disabled
+regardless of what is set in the
+.I /etc/selinux/config
+file.
+
The
.I /etc/selinux/config
configuration file also controls what policy
--
2.29.2

16
gating.yaml Normal file
View File

@ -0,0 +1,16 @@
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_testing
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
--- !Policy
product_versions:
- fedora-*
decision_context: bodhi_update_push_stable
subject_type: koji_build
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

View File

@ -1,10 +1,10 @@
%define ruby_inc %(pkg-config --cflags ruby)
%define libsepolver 3.1-4
%define libsepolver 3.1-5
Summary: SELinux library and simple utilities
Name: libselinux
Version: 3.1
Release: 4%{?dist}
Release: 5%{?dist}
License: Public Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libselinux-3.1.tar.gz
@ -30,8 +30,11 @@ Patch0011: 0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch
Patch0012: 0012-libsepol-Bump-libsepol.so-version.patch
Patch0013: 0013-libselinux-Add-build-option-to-disable-X11-backend.patch
Patch0014: 0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
Patch0015: 0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
Patch0016: 0016-selinux-8-mark-up-SELINUX-values.patch
Patch0017: 0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch
# Patch list end
BuildRequires: gcc
BuildRequires: gcc make
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
BuildRequires: python3 python3-devel
BuildRequires: systemd
@ -226,6 +229,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{ruby_vendorarchdir}/selinux.so
%changelog
* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
- selinux(8): explain that runtime disable is deprecated
* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
- Use libsepol.so.2
- Convert matchpathcon to selabel_lookup()