rpms/libselinux
7
0
Fork 0
Code Issues Pull Requests Releases Activity

libselinux-2.7-5.fc28

Browse Source 
- Drop golang bindings
- Add support for pcre2 to pkgconfig definition
This commit is contained in:
Petr Lautrbach 2017-10-20 10:50:59 +02:00
parent 85e255c58e
commit f2f46ec91f
2 changed files with 65 additions and 472 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

525
libselinux-fedora.patch
View File

@ -1,474 +1,27 @@
diff --git libselinux-2.7/Makefile libselinux-2.7/Makefile diff --git libselinux-2.7/Makefile libselinux-2.7/Makefile
index 1ecab17..1f507fb 100644 index 1ecab17..16531fe 100644
--- libselinux-2.7/Makefile --- libselinux-2.7/Makefile
+++ libselinux-2.7/Makefile +++ libselinux-2.7/Makefile
@@ -1,4 +1,4 @@ @@ -21,13 +21,14 @@ export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
-SUBDIRS = src include utils man
+SUBDIRS = src include utils man golang
PKG_CONFIG ?= pkg-config USE_PCRE2 ?= n
DISABLE_SETRANS ?= n ifeq ($(USE_PCRE2),y)
diff --git libselinux-2.7/golang/Makefile libselinux-2.7/golang/Makefile - PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 $(shell $(PKG_CONFIG) --cflags libpcre2-8)
new file mode 100644 - PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs libpcre2-8)
index 0000000..b75677b + PCRE_MODULE := libpcre2-8
--- /dev/null + PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8
+++ libselinux-2.7/golang/Makefile else
@@ -0,0 +1,22 @@ - PCRE_CFLAGS := $(shell $(PKG_CONFIG) --cflags libpcre)
+# Installation directories. - PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs libpcre)
+PREFIX ?= $(DESTDIR)/usr + PCRE_MODULE := libpcre
+LIBDIR ?= $(DESTDIR)/usr/lib endif
+GODIR ?= $(LIBDIR)/golang/src/pkg/github.com/selinux -export PCRE_CFLAGS PCRE_LDLIBS
+all: +PCRE_CFLAGS += $(shell $(PKG_CONFIG) --cflags $(PCRE_MODULE))
+ +PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs $(PCRE_MODULE))
+install: +export PCRE_MODULE PCRE_CFLAGS PCRE_LDLIBS
+ [ -d $(GODIR) ] || mkdir -p $(GODIR)
+ install -m 644 selinux.go $(GODIR) OS := $(shell uname)
+ export OS
+test:
+ @mkdir selinux
+ @cp selinux.go selinux
+ GOPATH=$(pwd) go run test.go
+ @rm -rf selinux
+
+clean:
+ @rm -f *~
+ @rm -rf selinux
+indent:
+
+relabel:
diff --git libselinux-2.7/golang/selinux.go libselinux-2.7/golang/selinux.go
new file mode 100644
index 0000000..34bf6bb
--- /dev/null
+++ libselinux-2.7/golang/selinux.go
@@ -0,0 +1,412 @@
+package selinux
+
+/*
+ The selinux package is a go bindings to libselinux required to add selinux
+ support to docker.
+
+ Author Dan Walsh <dwalsh@redhat.com>
+
+ Used some ideas/code from the go-ini packages https://github.com/vaughan0
+ By Vaughan Newton
+*/
+
+// #cgo pkg-config: libselinux
+// #include <selinux/selinux.h>
+// #include <stdlib.h>
+import "C"
+import (
+ "bufio"
+ "crypto/rand"
+ "encoding/binary"
+ "fmt"
+ "io"
+ "os"
+ "path"
+ "path/filepath"
+ "regexp"
+ "strings"
+ "unsafe"
+)
+
+var (
+ assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
+ mcsList = make(map[string]bool)
+)
+
+func Matchpathcon(path string, mode os.FileMode) (string, error) {
+ var con C.security_context_t
+ var scon string
+ rc, err := C.matchpathcon(C.CString(path), C.mode_t(mode), &con)
+ if rc == 0 {
+ scon = C.GoString(con)
+ C.free(unsafe.Pointer(con))
+ }
+ return scon, err
+}
+
+func Setfilecon(path, scon string) (int, error) {
+ rc, err := C.lsetfilecon(C.CString(path), C.CString(scon))
+ return int(rc), err
+}
+
+func Getfilecon(path string) (string, error) {
+ var scon C.security_context_t
+ var fcon string
+ rc, err := C.lgetfilecon(C.CString(path), &scon)
+ if rc >= 0 {
+ fcon = C.GoString(scon)
+ err = nil
+ }
+ return fcon, err
+}
+
+func Setfscreatecon(scon string) (int, error) {
+ var (
+ rc C.int
+ err error
+ )
+ if scon != "" {
+ rc, err = C.setfscreatecon(C.CString(scon))
+ } else {
+ rc, err = C.setfscreatecon(nil)
+ }
+ return int(rc), err
+}
+
+func Getfscreatecon() (string, error) {
+ var scon C.security_context_t
+ var fcon string
+ rc, err := C.getfscreatecon(&scon)
+ if rc >= 0 {
+ fcon = C.GoString(scon)
+ err = nil
+ C.freecon(scon)
+ }
+ return fcon, err
+}
+
+func Getcon() string {
+ var pcon C.security_context_t
+ C.getcon(&pcon)
+ scon := C.GoString(pcon)
+ C.freecon(pcon)
+ return scon
+}
+
+func Getpidcon(pid int) (string, error) {
+ var pcon C.security_context_t
+ var scon string
+ rc, err := C.getpidcon(C.pid_t(pid), &pcon)
+ if rc >= 0 {
+ scon = C.GoString(pcon)
+ C.freecon(pcon)
+ err = nil
+ }
+ return scon, err
+}
+
+func Getpeercon(socket int) (string, error) {
+ var pcon C.security_context_t
+ var scon string
+ rc, err := C.getpeercon(C.int(socket), &pcon)
+ if rc >= 0 {
+ scon = C.GoString(pcon)
+ C.freecon(pcon)
+ err = nil
+ }
+ return scon, err
+}
+
+func Setexeccon(scon string) error {
+ var val *C.char
+ if !SelinuxEnabled() {
+ return nil
+ }
+ if scon != "" {
+ val = C.CString(scon)
+ } else {
+ val = nil
+ }
+ _, err := C.setexeccon(val)
+ return err
+}
+
+type Context struct {
+ con []string
+}
+
+func (c *Context) SetUser(user string) {
+ c.con[0] = user
+}
+func (c *Context) GetUser() string {
+ return c.con[0]
+}
+func (c *Context) SetRole(role string) {
+ c.con[1] = role
+}
+func (c *Context) GetRole() string {
+ return c.con[1]
+}
+func (c *Context) SetType(setype string) {
+ c.con[2] = setype
+}
+func (c *Context) GetType() string {
+ return c.con[2]
+}
+func (c *Context) SetLevel(mls string) {
+ c.con[3] = mls
+}
+func (c *Context) GetLevel() string {
+ return c.con[3]
+}
+func (c *Context) Get() string {
+ return strings.Join(c.con, ":")
+}
+func (c *Context) Set(scon string) {
+ c.con = strings.SplitN(scon, ":", 4)
+}
+func NewContext(scon string) Context {
+ var con Context
+ con.Set(scon)
+ return con
+}
+
+func SelinuxEnabled() bool {
+ b := C.is_selinux_enabled()
+ if b > 0 {
+ return true
+ }
+ return false
+}
+
+const (
+ Enforcing = 1
+ Permissive = 0
+ Disabled = -1
+)
+
+func SelinuxGetEnforce() int {
+ return int(C.security_getenforce())
+}
+
+func SelinuxGetEnforceMode() int {
+ var enforce C.int
+ C.selinux_getenforcemode(&enforce)
+ return int(enforce)
+}
+
+func mcsAdd(mcs string) {
+ mcsList[mcs] = true
+}
+
+func mcsDelete(mcs string) {
+ mcsList[mcs] = false
+}
+
+func mcsExists(mcs string) bool {
+ return mcsList[mcs]
+}
+
+func IntToMcs(id int, catRange uint32) string {
+ if (id < 1) || (id > 523776) {
+ return ""
+ }
+
+ SETSIZE := int(catRange)
+ TIER := SETSIZE
+
+ ORD := id
+ for ORD > TIER {
+ ORD = ORD - TIER
+ TIER -= 1
+ }
+ TIER = SETSIZE - TIER
+ ORD = ORD + TIER
+ return fmt.Sprintf("s0:c%d,c%d", TIER, ORD)
+}
+
+func uniqMcs(catRange uint32) string {
+ var n uint32
+ var c1, c2 uint32
+ var mcs string
+ for {
+ binary.Read(rand.Reader, binary.LittleEndian, &n)
+ c1 = n % catRange
+ binary.Read(rand.Reader, binary.LittleEndian, &n)
+ c2 = n % catRange
+ if c1 == c2 {
+ continue
+ } else {
+ if c1 > c2 {
+ t := c1
+ c1 = c2
+ c2 = t
+ }
+ }
+ mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
+ if mcsExists(mcs) {
+ continue
+ }
+ mcsAdd(mcs)
+ break
+ }
+ return mcs
+}
+func freeContext(processLabel string) {
+ var scon Context
+ scon = NewContext(processLabel)
+ mcsDelete(scon.GetLevel())
+}
+
+func GetLxcContexts() (processLabel string, fileLabel string) {
+ var val, key string
+ var bufin *bufio.Reader
+ if !SelinuxEnabled() {
+ return
+ }
+ lxcPath := C.GoString(C.selinux_lxc_contexts_path())
+ fileLabel = "system_u:object_r:svirt_sandbox_file_t:s0"
+ processLabel = "system_u:system_r:svirt_lxc_net_t:s0"
+
+ in, err := os.Open(lxcPath)
+ if err != nil {
+ goto exit
+ }
+
+ defer in.Close()
+ bufin = bufio.NewReader(in)
+
+ for done := false; !done; {
+ var line string
+ if line, err = bufin.ReadString('\n'); err != nil {
+ if err == io.EOF {
+ done = true
+ } else {
+ goto exit
+ }
+ }
+ line = strings.TrimSpace(line)
+ if len(line) == 0 {
+ // Skip blank lines
+ continue
+ }
+ if line[0] == ';' || line[0] == '#' {
+ // Skip comments
+ continue
+ }
+ if groups := assignRegex.FindStringSubmatch(line); groups != nil {
+ key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
+ if key == "process" {
+ processLabel = strings.Trim(val, "\"")
+ }
+ if key == "file" {
+ fileLabel = strings.Trim(val, "\"")
+ }
+ }
+ }
+exit:
+ var scon Context
+ mcs := IntToMcs(os.Getpid(), 1024)
+ scon = NewContext(processLabel)
+ scon.SetLevel(mcs)
+ processLabel = scon.Get()
+ scon = NewContext(fileLabel)
+ scon.SetLevel(mcs)
+ fileLabel = scon.Get()
+ return processLabel, fileLabel
+}
+
+func CopyLevel(src, dest string) (string, error) {
+ if !SelinuxEnabled() {
+ return "", nil
+ }
+ if src == "" {
+ return "", nil
+ }
+ rc, err := C.security_check_context(C.CString(src))
+ if rc != 0 {
+ return "", err
+ }
+ rc, err = C.security_check_context(C.CString(dest))
+ if rc != 0 {
+ return "", err
+ }
+ scon := NewContext(src)
+ tcon := NewContext(dest)
+ tcon.SetLevel(scon.GetLevel())
+ return tcon.Get(), nil
+}
+
+func RestoreCon(fpath string, recurse bool) error {
+ var flabel string
+ var err error
+ var fs os.FileInfo
+
+ if !SelinuxEnabled() {
+ return nil
+ }
+
+ if recurse {
+ var paths []string
+ var err error
+
+ if paths, err = filepath.Glob(path.Join(fpath, "**", "*")); err != nil {
+ return fmt.Errorf("Unable to find directory %v: %v", fpath, err)
+ }
+
+ for _, fpath := range paths {
+ if err = RestoreCon(fpath, false); err != nil {
+ return fmt.Errorf("Unable to restore selinux context for %v: %v", fpath, err)
+ }
+ }
+ return nil
+ }
+ if fs, err = os.Stat(fpath); err != nil {
+ return fmt.Errorf("Unable stat %v: %v", fpath, err)
+ }
+
+ if flabel, err = Matchpathcon(fpath, fs.Mode()); flabel == "" {
+ return fmt.Errorf("Unable to get context for %v: %v", fpath, err)
+ }
+
+ if rc, err := Setfilecon(fpath, flabel); rc != 0 {
+ return fmt.Errorf("Unable to set selinux context for %v: %v", fpath, err)
+ }
+
+ return nil
+}
+
+func Test() {
+ var plabel, flabel string
+ if !SelinuxEnabled() {
+ return
+ }
+
+ plabel, flabel = GetLxcContexts()
+ fmt.Println(plabel)
+ fmt.Println(flabel)
+ freeContext(plabel)
+ plabel, flabel = GetLxcContexts()
+ fmt.Println(plabel)
+ fmt.Println(flabel)
+ freeContext(plabel)
+ if SelinuxEnabled() {
+ fmt.Println("Enabled")
+ } else {
+ fmt.Println("Disabled")
+ }
+ fmt.Println("getenforce ", SelinuxGetEnforce())
+ fmt.Println("getenforcemode ", SelinuxGetEnforceMode())
+ flabel, _ = Matchpathcon("/home/dwalsh/.emacs", 0)
+ fmt.Println(flabel)
+ pid := os.Getpid()
+ fmt.Printf("PID:%d MCS:%s\n", pid, IntToMcs(pid, 1023))
+ fmt.Println(Getcon())
+ fmt.Println(Getfilecon("/etc/passwd"))
+ fmt.Println(Getpidcon(1))
+ Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0")
+ fmt.Println(Getfscreatecon())
+ Setfscreatecon("")
+ fmt.Println(Getfscreatecon())
+ fmt.Println(Getpidcon(1))
+}
diff --git libselinux-2.7/golang/test.go libselinux-2.7/golang/test.go
new file mode 100644
index 0000000..fed6de8
--- /dev/null
+++ libselinux-2.7/golang/test.go
@@ -0,0 +1,9 @@
+package main
+
+import (
+ "./selinux"
+)
+
+func main() {
+ selinux.Test()
+}
diff --git libselinux-2.7/man/man8/selinux.8 libselinux-2.7/man/man8/selinux.8 diff --git libselinux-2.7/man/man8/selinux.8 libselinux-2.7/man/man8/selinux.8
index e37aee6..bf23b65 100644 index e37aee6..bf23b65 100644
--- libselinux-2.7/man/man8/selinux.8 --- libselinux-2.7/man/man8/selinux.8
@ -488,6 +41,32 @@ index e37aee6..bf23b65 100644
Every confined service on the system has a man page in the following format: Every confined service on the system has a man page in the following format:
.br .br
diff --git libselinux-2.7/src/Makefile libselinux-2.7/src/Makefile
index 2408fae..18df75c 100644
--- libselinux-2.7/src/Makefile
+++ libselinux-2.7/src/Makefile
@@ -148,7 +148,7 @@ $(LIBSO): $(LOBJS)
ln -sf $@ $(TARGET)
$(LIBPC): $(LIBPC).in ../VERSION
- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@
selinuxswig_python_exception.i: ../include/selinux/selinux.h
bash -e exception.sh > $@ || (rm -f $@ ; false)
diff --git libselinux-2.7/src/avc.c libselinux-2.7/src/avc.c
index 96b2678..5230efd 100644
--- libselinux-2.7/src/avc.c
+++ libselinux-2.7/src/avc.c
@@ -4,7 +4,7 @@
* Author : Eamon Walsh <ewalsh@epoch.ncsc.mil>
*
* Derived from the kernel AVC implementation by
- * Stephen Smalley <sds@epoch.ncsc.mil> and
+ * Stephen Smalley <sds@tycho.nsa.gov> and
* James Morris <jmorris@redhat.com>.
*/
#include <selinux/avc.h>
diff --git libselinux-2.7/src/avc_sidtab.c libselinux-2.7/src/avc_sidtab.c diff --git libselinux-2.7/src/avc_sidtab.c libselinux-2.7/src/avc_sidtab.c
index 9669264..c775430 100644 index 9669264..c775430 100644
--- libselinux-2.7/src/avc_sidtab.c --- libselinux-2.7/src/avc_sidtab.c
@ -647,6 +226,18 @@ index 52707d0..0cbe12d 100644
if (rc < 0 && errno == ENOTSUP) { if (rc < 0 && errno == ENOTSUP) {
char * ccontext = NULL; char * ccontext = NULL;
int err = errno; int err = errno;
diff --git libselinux-2.7/src/libselinux.pc.in libselinux-2.7/src/libselinux.pc.in
index 2cd04d3..2e90a84 100644
--- libselinux-2.7/src/libselinux.pc.in
+++ libselinux-2.7/src/libselinux.pc.in
@@ -7,6 +7,6 @@ Name: libselinux
Description: SELinux utility library
Version: @VERSION@
URL: http://userspace.selinuxproject.org/
-Requires.private: libsepol libpcre
+Requires.private: libsepol @PCRE_MODULE@
Libs: -L${libdir} -lselinux
Cflags: -I${includedir}
diff --git libselinux-2.7/src/lsetfilecon.c libselinux-2.7/src/lsetfilecon.c diff --git libselinux-2.7/src/lsetfilecon.c libselinux-2.7/src/lsetfilecon.c
index 1d3b28a..ea6d70b 100644 index 1d3b28a..ea6d70b 100644
--- libselinux-2.7/src/lsetfilecon.c --- libselinux-2.7/src/lsetfilecon.c

12
libselinux.spec
View File

@ -3,13 +3,13 @@
%endif %endif
%define ruby_inc %(pkg-config --cflags ruby) %define ruby_inc %(pkg-config --cflags ruby)
%define libsepolver 2.7-1 %define libsepolver 2.7-2
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
Summary: SELinux library and simple utilities Summary: SELinux library and simple utilities
Name: libselinux Name: libselinux
Version: 2.7 Version: 2.7
Release: 4%{?dist} Release: 5%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Libraries Group: System Environment/Libraries
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -20,7 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# $ VERSION=2.7 ./make-fedora-selinux-patch.sh libselinux # $ VERSION=2.7 ./make-fedora-selinux-patch.sh libselinux
# HEAD https://github.com/fedora-selinux/selinux/commit/70a12c5e7b56a81223d67ce2469292826b84efe9 # HEAD https://github.com/fedora-selinux/selinux/commit/4247fad665261169b430895f0ab10f56eb33dd10
Patch1: libselinux-fedora.patch Patch1: libselinux-fedora.patch
BuildRequires: python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel BuildRequires: python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
%if 0%{?with_python3} %if 0%{?with_python3}
@ -232,8 +232,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%files devel %files devel
%{_libdir}/libselinux.so %{_libdir}/libselinux.so
%{_libdir}/pkgconfig/libselinux.pc %{_libdir}/pkgconfig/libselinux.pc
%dir %{_libdir}/golang/src/pkg/github.com/selinux
%{_libdir}/golang/src/pkg/github.com/selinux/selinux.go
%{_includedir}/selinux/ %{_includedir}/selinux/
%{_mandir}/man3/* %{_mandir}/man3/*
@ -254,6 +252,10 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{ruby_vendorarchdir}/selinux.so %{ruby_vendorarchdir}/selinux.so
%changelog %changelog
* Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-5
- Drop golang bindings
- Add support for pcre2 to pkgconfig definition
* Wed Sep 27 2017 Petr Šabata <contyk@redhat.com> - 2.7-4 * Wed Sep 27 2017 Petr Šabata <contyk@redhat.com> - 2.7-4
- Enable the python3 subpackages on EL - Enable the python3 subpackages on EL