- Fix -Wsign-compare warnings
- Drop unused stdio_ext.h header file
- Kill logging check for selinux_enabled()
- Drop usage of _D_ALLOC_NAMLEN
- Add openrc_contexts functions
- Fix redefinition of XATTR_NAME_SELINUX
- Correct error path to always try text
- Clean up process_file()
- Handle NULL pcre study data
- Fix in tree compilation of utils that depend on libsepol
- Clarify is_selinux_mls_enabled() description
- Explain how to free policy type from selinux_getpolicytype()
- Compare absolute pathname in matchpathcon -V
- Add selinux_snapperd_contexts_path()
There was a change in swig-3.10 to use importlib instead of imp. While
the implementation with imp looked for _selinux.so also in the directory
where __init__.py was, importlib search only standard paths. It means that we
need to move _selinux.so from $(PYLIBDIR)/site-packages/selinux/
to $(PYLIBDIR)/site-packages/
Fixes:
>>> import selinux
Traceback (most recent call last):
File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 18, in swig_import_helper
return importlib.import_module(mname)
File "/usr/lib64/python3.5/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "<frozen importlib._bootstrap>", line 986, in _gcd_import
File "<frozen importlib._bootstrap>", line 969, in _find_and_load
File "<frozen importlib._bootstrap>", line 956, in _find_and_load_unlocked
ImportError: No module named '_selinux'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 21, in <module>
_selinux = swig_import_helper()
File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 20, in swig_import_helper
return importlib.import_module('_selinux')
File "/usr/lib64/python3.5/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
ImportError: No module named '_selinux'
* Thu Jun 23 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-7
- Modify audit2why analyze function to use loaded policy
- Sort object files for deterministic linking order
- Respect CC and PKG_CONFIG environment variable
- Avoid mounting /proc outside of selinux_init_load_policy()
- Fix location of selinuxfs mount point
- Only mount /proc if necessary
- procattr: return einval for <= 0 pid args
- procattr: return error on invalid pid_t input
Conflict with selinux-policy causes deadlocks in buildroots when
there's no selinux-policy available. selinux-policy-base is provided by
targeted, mls and minimum subpackages which are not installed to
buildroots.
conflicts
- selinux.py - use os.walk() instead of os.path.walk() (#1195004)
- is_selinux_enabled(): drop no-policy-loaded test (#1195074)
- fix -Wformat errors and remove deprecated mudflap option
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB from Sven Vermeulen.
* Update pkgconfig definition from Sven Vermeulen.
* Mount sysfs before trying to mount selinuxfs from Sven Vermeulen.
* Fix man pages from Laurent Bigonville.
* Support overriding PATH and LIBBASE in Makefiles from Laurent Bigonville.
* Fix LDFLAGS usage from Laurent Bigonville
* Avoid shadowing stat in load_mmap from Joe MacDonald.
* Support building on older PCRE libraries from Joe MacDonald.
* Fix handling of temporary file in sefcontext_compile from Dan Walsh.
* Fix procattr cache from Dan Walsh.
* Define python constants for getenforce result from Dan Walsh.
* Fix label substitution handling of / from Dan Walsh.
* Add selinux_current_policy_path from Dan Walsh.
* Change get_context_list to only return good matches from Dan Walsh.
* Support udev-197 and higher from Sven Vermeulen and Dan Walsh.
* Add support for local substitutions from Dan Walsh.
* Change setfilecon to not return ENOSUP if context is already correct from Dan Walsh.
* Python wrapper leak fixes from Dan Walsh.
* Export SELINUX_TRANS_DIR definition in selinux.h from Dan Walsh.
* Add selinux_systemd_contexts_path from Dan Walsh.
* Add selinux_set_policy_root from Dan Walsh.
* Add man page for sefcontext_compile from Dan Walsh.
- Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root
- Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
- Fix errors found by coverity
- set the sepol_compute_av_reason_buffer flag to 0. This means calculate denials only?
- audit2why: remove a useless policy vers variable
- audit2why: use the new constraint information
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* label_file: use PCRE instead of glibc regex functions
* label_file: remove all typedefs
* label_file: move definitions to include file
* label_file: do string to mode_t conversion in a helper function
* label_file: move error reporting back into caller
* label_file: move stem/spec handling to header
* label_file: drop useless ncomp field from label_file data
* label_file: move spec_hasMetaChars to header
* label_file: fix potential read past buffer in spec_hasMetaChars
* label_file: move regex sorting to the header
* label_file: add accessors for the pcre extra data
* label_file: only run regex files one time
* label_file: new process_file function
* label_file: break up find_stem_from_spec
* label_file: struct reorg
* label_file: only run array once when sorting
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* label_file: use PCRE instead of glibc regex functions
* label_file: remove all typedefs
* label_file: move definitions to include file
* label_file: do string to mode_t conversion in a helper function
* label_file: move error reporting back into caller
* label_file: move stem/spec handling to header
* label_file: drop useless ncomp field from label_file data
* label_file: move spec_hasMetaChars to header
* label_file: fix potential read past buffer in spec_hasMetaChars
* label_file: move regex sorting to the header
* label_file: add accessors for the pcre extra data
* label_file: only run regex files one time
* label_file: new process_file function
* label_file: break up find_stem_from_spec
* label_file: struct reorg
* label_file: only run array once when sorting
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* label_file: use PCRE instead of glibc regex functions
* label_file: remove all typedefs
* label_file: move definitions to include file
* label_file: do string to mode_t conversion in a helper function
* label_file: move error reporting back into caller
* label_file: move stem/spec handling to header
* label_file: drop useless ncomp field from label_file data
* label_file: move spec_hasMetaChars to header
* label_file: fix potential read past buffer in spec_hasMetaChars
* label_file: move regex sorting to the header
* label_file: add accessors for the pcre extra data
* label_file: only run regex files one time
* label_file: new process_file function
* label_file: break up find_stem_from_spec
* label_file: struct reorg
* label_file: only run array once when sorting
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Add support for lxc_contexts_path
* utils: add service to getdefaultcon
* libsemanage: do not set soname needlessly
* libsemanage: remove PYTHONLIBDIR and ruby equivalent
* boolean name equivalency
* getsebool: support boolean name substitution
* Add man page for new selinux_boolean_sub function.
* expose selinux_boolean_sub
* matchpathcon: add -m option to force file type check
* utils: avcstat: clear sa_mask set
* seusers: Check for strchr failure
* booleans: initialize pointer to silence coveriety
* stop messages when SELinux disabled
* label_file: use PCRE instead of glibc regex functions
* label_file: remove all typedefs
* label_file: move definitions to include file
* label_file: do string to mode_t conversion in a helper function
* label_file: move error reporting back into caller
* label_file: move stem/spec handling to header
* label_file: drop useless ncomp field from label_file data
* label_file: move spec_hasMetaChars to header
* label_file: fix potential read past buffer in spec_hasMetaChars
* label_file: move regex sorting to the header
* label_file: add accessors for the pcre extra data
* label_file: only run regex files one time
* label_file: new process_file function
* label_file: break up find_stem_from_spec
* label_file: struct reorg
* label_file: only run array once when sorting
* Ensure that we only close the selinux netlink socket once.
* improve the file_contexts.5 manual page
* Fortify source now requires all code to be compiled with -O flag
* asprintf return code must be checked
* avc_netlink_recieve handle EINTR
* audit2why: silence -Wmissing-prototypes warning
* libsemanage: remove build warning when build swig c files
* matchpathcon: bad handling of symlinks in /
* seusers: remove unused lineno
* seusers: getseuser: gracefully handle NULL service
* New Android property labeling backend
* label_android_property whitespace cleanups
* additional makefile support for rubywrap
* Fix dead links to www.nsa.gov/selinux
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
* Fix dead links to www.nsa.gov/selinux
* Remove jump over variable declaration
* Fix old style function definitions
* Fix const-correctness
* Remove unused flush_class_cache method
* Add prototype decl for destructor
* Add more printf format annotations
* Add printf format attribute annotation to die() method
* Fix const-ness of parameters & make usage() methods static
* Enable many more gcc warnings for libselinux/src/ builds
* utils: Enable many more gcc warnings for libselinux/utils builds
* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
* Ensure there is a prototype for 'matchpathcon_lib_destructor'
* Update Makefiles to handle /usrmove
* utils: Stop separating out matchpathcon as something special
* pkg-config to figure out where ruby include files are located
* build with either ruby 1.9 or ruby 1.8
* assert if avc_init() not called
* take security_deny_unknown into account
* security_compute_create_name(3)
* Do not link against python library, this is considered
* bad practice in debian
* Hide unnecessarily-exported library destructors
This patch is needed for the /usr-move feature
https://fedoraproject.org/wiki/Features/UsrMove
This package requires now 'filesystem' >= 3, which is only installable
on a system which has /bin, /sbin, /lib, /lib64 as symlinks to /usr and
not regular directories. The 'filesystem' package acts as a guard, to
prevent *this* package to be installed on old unconverted systems.
New installations will have the 'filesystem' >=3 layout right away, old
installations need to be converted with anaconda or dracut first; only
after that, the 'filesystem' package, and also *this* package can be
installed.
Packages *should* not install files in /bin, /sbin, /lib, /lib64, but
only in the corresponding directories in /usr. Packages *must* not
install conflicting files with the same names in the corresponding
directories in / and /usr. Especially compatibility symlinks must not be
installed.
Feel free to modify any of the changes to the spec file, but keep the
above in mind.
When selabel_lookup found an invalid context with validation enabled, it
always stated it was 'file_contexts' whether media, x, db or file.
The fix is to store the spec file name in the selabel_lookup_rec on
selabel_open and use this as output for logs. Also a minor fix if key is
NULL to stop seg faults.
Fix setenforce manage page.
* selinuxswig_python.i: don't make syscall if it won't change anything
* Remove assert in security_get_boolean_names(3)
* Mapped compute functions now obey deny_unknown flag
* get_default_type now sets EINVAL if no entry.
* return EINVAL if invalid role selected
* Updated selabel_file(5) man page
* Updated selabel_db(5) man page
* Updated selabel_media(5) man page
* Updated selabel_x(5) man page
* Add man/man5 man pages
* Add man/man5 man pages
* Add man/man5 man pages
* use -W and -Werror in utils
* load_policy: handle selinux=0 and /sys/fs/selinux not exist
* regenerate .pc on VERSION change
* label: cosmetic cleanups
* simple interface for access checks
* Don't reinitialize avc_init if it has been called previously
* seusers: fix to handle large sets of groups
* audit2why: close fd on enomem
* rename and export symlink_realpath
* label_file: style changes to make Eric happy.
* utils: matchpathcon: remove duplicate declaration
* src: matchpathcon: use myprintf not fprintf
* src: matchpathcon: make sure resolved path starts
* put libselinux.so.1 in /lib not /usr/lib
* tree: default make target to all not
* utils: matchpathcon: remove duplicate declaration
* src: matchpathcon: use myprintf not fprintf
* src: matchpathcon: make sure resolved path starts
* put libselinux.so.1 in /lib not /usr/lib
* tree: default make target to all not
2.1.4 2011-0817
* mapping fix for invalid class/perms after selinux_set_mapping
* audit2why: work around python bug not defining
* resolv symlinks and dot directories before matching
* Release, minor version bump
* Give correct names to mount points in load_policy by Dan Walsh.
* Make sure selinux state is reported correctly if selinux is disabled or
fails to load by Dan Walsh.
* Fix crash if selinux_key_create was never called by Dan Walsh.
* Add new file_context.subs_dist for distro specific filecon substitutions
by Dan Walsh.
* Update man pages for selinux_color_* functions by Richard Haines.