Commit Graph

675 Commits

Author SHA1 Message Date
Petr Lautrbach
fc7694d2b9 * Tue Apr 21 2015 Petr Lautrbach <plautrba@redhat.com> 2.3-8
- selinux.py - use os.walk() instead of os.path.walk() (#1195004)
- is_selinux_enabled(): drop no-policy-loaded test (#1195074)
- fix -Wformat errors and remove deprecated mudflap option
2015-04-21 17:37:16 +02:00
Petr Lautrbach
eb63890f58 Recreate libselinux-rhat.patch from https://github.com/fedora-selinux/selinux/commit/986cbec51cf3777202a90a680f86e389af6 2015-04-21 17:32:02 +02:00
Petr Lautrbach
baa2bfaada add make-rhat-patches.sh script which recreates libselinux-rhat.patch
from https://github.com/fedora-selinux/selinux/
2015-04-21 14:41:10 +02:00
Petr Lautrbach
e0682defe3 use upstream released tarball from https://github.com/SELinuxProject/selinux/wiki/Releases 2015-04-21 14:38:05 +02:00
Than Ngo
c11f149daf - bump release and rebuild so that koji-shadow can rebuild it
against new gcc on secondary arch
2015-03-16 22:30:24 +01:00
Vít Ondruch
013b6729cd Use ruby_vendorarchdir provided by ruby-devel. (#923649) 2015-02-06 19:37:34 +01:00
Petr Lautrbach
e4fb3f8a7a change the project Url to https://github.com/SELinuxProject/selinux/wiki (#1190231) 2015-02-06 19:07:01 +01:00
Vít Ondruch
a2d9f2d465 Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.2 2015-01-19 12:36:49 +01:00
Miroslav Grepl
a139be8c7e libselinux-rhat.patch was regenerated and we also needed to fix how to apply it 2014-10-07 15:05:25 +02:00
Miroslav Grepl
aa0f5b6e33 - Compiled file context files and the original should have the same permissions from dwalsh@redhat.com
- Add selinux_openssh_contexts_path() to get a path to /contexts/openssh_contexts
2014-08-21 08:59:15 +02:00
Peter Robinson
bb1c9d8005 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild 2014-08-17 05:55:44 +00:00
Dennis Gilmore
51d7114f1e - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-07 00:23:56 -05:00
Kalev Lember
aea6b4ae6d Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4 2014-05-28 12:12:27 +02:00
Dan Walsh
13a8a0f727 Update to upstream
* Get rid of security_context_t and fix const declarations.
	* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
2014-05-17 07:02:12 -04:00
Dan Walsh
ed9898ef4c Update to upstream
* Get rid of security_context_t and fix const declarations.
	* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
2014-05-06 14:28:19 -04:00
Miroslav Grepl
05fcafd63b * Tue May 6 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.2.2-8
- Add selinux_openssh_contexts_path()
2014-05-06 15:08:30 +02:00
Vít Ondruch
32b42e1dd7 Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.1 2014-04-24 13:57:46 +02:00
Dan Walsh
6339985477 Fix spelling mistake in man page 2014-02-24 16:30:52 -05:00
Dan Walsh
820aece678 More go bindings
-   restorecon, getpidcon, setexeccon
2014-02-20 17:21:25 -05:00
Dan Walsh
2492943f41 Add additional go bindings for get*con calls
- Add go bindings test command
- Modify man pages of set*con calls to mention that they are thread specific
2014-02-14 09:21:36 -05:00
Dan Walsh
ee8c867b33 Move selinux.go to /usr/lib64/golang/src/pkg/github.com/selinux/selinux.go
- Add Int_to_mcs function to generate MCS labels from integers.
2014-01-24 11:10:54 -05:00
Dan Walsh
0aa8cbe3ec Add ghost flag for /var/run/setrans 2014-01-14 17:28:48 -05:00
Dan Walsh
d6e8b72a30 Update to upstream
* Fix userspace AVC handling of per-domain permissive mode.
- Verify context is not null when passed into *setfilecon_raw
2014-01-06 10:20:47 -05:00
Dan Walsh
7e1165a3eb revert unexplained change to rhat.patch which broke SELinux disablement 2014-01-06 10:15:40 -05:00
Adam Williamson
9ba3cdd05f revert unexplained change to rhat.patch which broke SELinux disablement 2013-12-27 13:07:13 -08:00
Dan Walsh
e61de3d8f0 Verify context is not null when passed into lsetfilecon_raw 2013-12-23 09:53:25 -05:00
Dan Walsh
f4752d0882 Mv selinux.go to /usr/share/gocode/src/selinux 2013-12-18 14:40:49 -05:00
Dan Walsh
e79a10d304 Add golang support to selinux. 2013-12-17 11:21:42 -05:00
Dan Walsh
15fa31b994 Add golang support to libselinux 2013-12-17 11:07:44 -05:00
Dan Walsh
0662ba4d16 Remove togglesebool man page 2013-12-05 15:44:38 -05:00
Dan Walsh
d6f11ce40d Update to upstream
* Remove -lpthread from pkg-config file; it is not required.
- Add support for policy compressed with xv
2013-11-25 15:49:35 -05:00
Dan Walsh
5f9e3146a2 Update to upstream
* Remove -lpthread from pkg-config file; it is not required.
2013-11-25 15:24:16 -05:00
Dan Walsh
bb6f29def0 Update to upstream
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
	* Support overriding Makefile RANLIB from Sven Vermeulen.
	* Update pkgconfig definition from Sven Vermeulen.
	* Mount sysfs before trying to mount selinuxfs from Sven Vermeulen.
	* Fix man pages from Laurent Bigonville.
	* Support overriding PATH  and LIBBASE in Makefiles from Laurent Bigonville.
	* Fix LDFLAGS usage from Laurent Bigonville
	* Avoid shadowing stat in load_mmap from Joe MacDonald.
	* Support building on older PCRE libraries from Joe MacDonald.
	* Fix handling of temporary file in sefcontext_compile from Dan Walsh.
	* Fix procattr cache from Dan Walsh.
	* Define python constants for getenforce result from Dan Walsh.
	* Fix label substitution handling of / from Dan Walsh.
	* Add selinux_current_policy_path from Dan Walsh.
	* Change get_context_list to only return good matches from Dan Walsh.
	* Support udev-197 and higher from Sven Vermeulen and Dan Walsh.
	* Add support for local substitutions from Dan Walsh.
	* Change setfilecon to not return ENOSUP if context is already correct from Dan Walsh.
	* Python wrapper leak fixes from Dan Walsh.
	* Export SELINUX_TRANS_DIR definition in selinux.h from Dan Walsh.
	* Add selinux_systemd_contexts_path from Dan Walsh.
	* Add selinux_set_policy_root from Dan Walsh.
	* Add man page for sefcontext_compile from Dan Walsh.
2013-10-31 09:29:10 -04:00
Dan Walsh
82deec5e5b Add systemd_contexts support
- Do substitutions on a local sub followed by a dist sub
2013-10-04 10:16:56 -04:00
Dan Walsh
0695b75fac Eliminate requirement on pthread library, by applying patch for Jakub Jelinek
Resolves #1013801
2013-10-03 12:36:44 -04:00
Dan Walsh
763f66c192 Fix handling of libselinux getconlist with only one entry 2013-09-23 09:58:31 -04:00
Dennis Gilmore
aa9384564f - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild 2013-08-03 01:57:40 -05:00
Dan Walsh
876a4a8ad9 Add sefcontext_compile.8 man page
- Add Russell Coker  patch to fix man pages
- Add patches from Laurent Bigonville to fix Makefiles for debian.
- modify spec file to use %{_prefix}/lib
2013-06-28 06:10:55 -04:00
Dan Walsh
4720ddb09f Fix patch that Handles substitutions for / 2013-05-06 09:43:03 -04:00
Dan Walsh
def2153558 Handle substitutions for /
- semanage fcontext -a -e  / /opt/rh/devtoolset-2/root
2013-04-17 18:07:46 -04:00
Dan Walsh
1961617545 Add Eric Paris patch to fix procattr calls after a fork. 2013-04-09 16:53:50 -04:00
Dan Walsh
4ab41c347b Move secolor.conf.5 into mcstrans package and out of libselinux 2013-03-26 13:04:11 -04:00
Dan Walsh
70712b9211 Fix python bindings for selinux_check_access 2013-03-20 13:34:37 -04:00
Dan Walsh
58f9722469 Fix reseting the policy root in matchpathcon 2013-03-19 21:38:02 -04:00
Dan Walsh
cc9c7ddcf7 Cleanup setfcontext_compile atomic patch
- Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root
- Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
2013-03-08 12:23:30 -05:00
Dan Walsh
8047eef070 Make setfcontext_compile atomic 2013-03-06 13:51:35 -05:00
Dan Walsh
9df78f0c3b Fix memory leak in set*con calls. 2013-03-06 12:18:42 -05:00
Dan Walsh
afe87e85a1 Move matchpathcon to -utils package 2013-02-28 10:27:35 -05:00
Dan Walsh
e27f80642e Fix selinux man page to reflect what current selinux policy is. 2013-02-21 18:28:18 +01:00
Dan Walsh
0781a5c3ae Add new constant SETRANS_DIR which points to the directory where mstransd can find the socket and libvirt can write its translations files. 2013-02-15 15:13:59 -05:00
Dan Walsh
ade34f3e98 Bring back selinux_current_policy_path 2013-02-15 11:02:20 -05:00
Dan Walsh
5e85dc35bb Revert some changes which are causing the wrong policy version file to be created 2013-02-14 07:59:56 -05:00
Dan Walsh
c1553db668 Update to upstream
* audit2why: make sure path is nul terminated
        * utils: new file context regex compiler
        * label_file: use precompiled filecontext when possible
        * do not leak mmapfd
        * sefcontontext_compile: Add error handling to help debug problems in libsemanage.
        * man: make selinux.8 mention service man pages
        * audit2why: Fix segfault if finish() called twice
        * audit2why: do not leak on multiple init() calls
        * mode_to_security_class: interface to translate a mode_t in to a security class
        * audit2why: Cleanup audit2why analysys function
        * man: Fix program synopsis and function prototypes in man pages
        * man: Fix man pages formatting
        * man: Fix typo in man page
        * man: Add references and man page links to _raw function variants
        * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
        * man: context_new(3): fix the return value description
        * selinux_status_open: handle error from sysconf
        * selinux_status_open: do not leak statusfd on exec
        * Fix errors found by coverity
        * Change boooleans.subs to booleans.subs_dist.
        * optimize set*con functions
        * pkg-config do not specifc ruby version
        * unmap file contexts on selabel_close()
        * do not leak file contexts with mmap'd backend
        * sefcontext_compile: do not leak fd on error
        * matchmediacon: do not leak fd
        * src/label_android_property: do not leak fd on error
2013-02-07 12:33:50 -05:00
Dan Walsh
01e3787363 Update to latest patches from eparis/Upstream 2013-01-27 20:07:56 -05:00
Dan Walsh
976da17c28 Update to latest patches from eparis/Upstream 2013-01-25 09:35:30 -05:00
Dan Walsh
0a9b6f58d0 Try procatt speedup patch again 2013-01-23 14:26:18 -05:00
Dan Walsh
f297425de0 Roll back procattr speedups since it seems to be screwing up systemd labeling. 2013-01-23 06:39:46 -05:00
Dan Walsh
775a744b5d Fix tid handling for setfscreatecon, old patch still broken in libvirt 2013-01-22 17:23:19 -05:00
Dan Walsh
f0a059565a Fix tid handling for setfscreatecon, old patch still broken in libvirt 2013-01-18 10:01:45 -06:00
Dan Walsh
7a71cdb44d setfscreatecon after fork was broken by the Set*con patch.
- We needed to reset the thread variables after a fork.
2013-01-14 16:19:46 -05:00
Dan Walsh
a9a8a9f55f Fix setfscreatecon call to handle failure mode, which was breaking udev 2013-01-10 16:06:03 -05:00
Dan Walsh
0974ef2348 Ondrej Oprala patch to optimize set*con functions
-    Set*con now caches the security context and only re-sets it if it changes.
2013-01-09 10:18:51 -05:00
Dan Walsh
3fdab66ec0 Update to latest patches from eparis/Upstream
-    Fix errors found by coverity
-    set the sepol_compute_av_reason_buffer flag to 0.  This means calculate denials only?
-    audit2why: remove a useless policy vers variable
-    audit2why: use the new constraint information
2013-01-04 17:27:39 -05:00
Dan Walsh
e7604b157b Rebuild with latest libsepol 2012-11-19 15:17:16 -05:00
Dan Walsh
edd5aaafc0 Return EPERM if login program can not reach default label for user
- Attempt to return container info from audit2why
2012-11-16 16:49:57 -05:00
rhatdan
5a7e010f07 Apply patch from eparis to fix leaked file descriptor in new labeling code 2012-11-01 15:53:47 -04:00
rhatdan
e1c914df47 Add new function mode_to_security_class which takes mode instead of a string.
- Possibly will be used with coreutils.
2012-10-25 16:27:52 -04:00
rhatdan
166aec5994 Update to upstream
* Add support for lxc_contexts_path
	* utils: add service to getdefaultcon
	* libsemanage: do not set soname needlessly
	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
	* boolean name equivalency
	* getsebool: support boolean name substitution
	* Add man page for new selinux_boolean_sub function.
	* expose selinux_boolean_sub
	* matchpathcon: add -m option to force file type check
	* utils: avcstat: clear sa_mask set
	* seusers: Check for strchr failure
	* booleans: initialize pointer to silence coveriety
	* stop messages when SELinux disabled
	* label_file: use PCRE instead of glibc regex functions
	* label_file: remove all typedefs
	* label_file: move definitions to include file
	* label_file: do string to mode_t conversion in a helper function
	* label_file: move error reporting back into caller
	* label_file: move stem/spec handling to header
	* label_file: drop useless ncomp field from label_file data
	* label_file: move spec_hasMetaChars to header
	* label_file: fix potential read past buffer in spec_hasMetaChars
	* label_file: move regex sorting to the header
	* label_file: add accessors for the pcre extra data
	* label_file: only run regex files one time
	* label_file: new process_file function
	* label_file: break up find_stem_from_spec
	* label_file: struct reorg
	* label_file: only run array once when sorting
	* Ensure that we only close the selinux netlink socket once.
	* improve the file_contexts.5 manual page
2012-09-14 06:21:17 -04:00
rhatdan
2b3728456a Update to upstream
* Add support for lxc_contexts_path
	* utils: add service to getdefaultcon
	* libsemanage: do not set soname needlessly
	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
	* boolean name equivalency
	* getsebool: support boolean name substitution
	* Add man page for new selinux_boolean_sub function.
	* expose selinux_boolean_sub
	* matchpathcon: add -m option to force file type check
	* utils: avcstat: clear sa_mask set
	* seusers: Check for strchr failure
	* booleans: initialize pointer to silence coveriety
	* stop messages when SELinux disabled
	* label_file: use PCRE instead of glibc regex functions
	* label_file: remove all typedefs
	* label_file: move definitions to include file
	* label_file: do string to mode_t conversion in a helper function
	* label_file: move error reporting back into caller
	* label_file: move stem/spec handling to header
	* label_file: drop useless ncomp field from label_file data
	* label_file: move spec_hasMetaChars to header
	* label_file: fix potential read past buffer in spec_hasMetaChars
	* label_file: move regex sorting to the header
	* label_file: add accessors for the pcre extra data
	* label_file: only run regex files one time
	* label_file: new process_file function
	* label_file: break up find_stem_from_spec
	* label_file: struct reorg
	* label_file: only run array once when sorting
	* Ensure that we only close the selinux netlink socket once.
	* improve the file_contexts.5 manual page
2012-09-14 06:03:06 -04:00
rhatdan
9fac486ba3 Update to upstream
* Add support for lxc_contexts_path
	* utils: add service to getdefaultcon
	* libsemanage: do not set soname needlessly
	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
	* boolean name equivalency
	* getsebool: support boolean name substitution
	* Add man page for new selinux_boolean_sub function.
	* expose selinux_boolean_sub
	* matchpathcon: add -m option to force file type check
	* utils: avcstat: clear sa_mask set
	* seusers: Check for strchr failure
	* booleans: initialize pointer to silence coveriety
	* stop messages when SELinux disabled
	* label_file: use PCRE instead of glibc regex functions
	* label_file: remove all typedefs
	* label_file: move definitions to include file
	* label_file: do string to mode_t conversion in a helper function
	* label_file: move error reporting back into caller
	* label_file: move stem/spec handling to header
	* label_file: drop useless ncomp field from label_file data
	* label_file: move spec_hasMetaChars to header
	* label_file: fix potential read past buffer in spec_hasMetaChars
	* label_file: move regex sorting to the header
	* label_file: add accessors for the pcre extra data
	* label_file: only run regex files one time
	* label_file: new process_file function
	* label_file: break up find_stem_from_spec
	* label_file: struct reorg
	* label_file: only run array once when sorting
	* Ensure that we only close the selinux netlink socket once.
	* improve the file_contexts.5 manual page
2012-09-14 06:02:36 -04:00
rhatdan
01a1f705b5 Update to upstream
* Add support for lxc_contexts_path
	* utils: add service to getdefaultcon
	* libsemanage: do not set soname needlessly
	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
	* boolean name equivalency
	* getsebool: support boolean name substitution
	* Add man page for new selinux_boolean_sub function.
	* expose selinux_boolean_sub
	* matchpathcon: add -m option to force file type check
	* utils: avcstat: clear sa_mask set
	* seusers: Check for strchr failure
	* booleans: initialize pointer to silence coveriety
	* stop messages when SELinux disabled
	* label_file: use PCRE instead of glibc regex functions
	* label_file: remove all typedefs
	* label_file: move definitions to include file
	* label_file: do string to mode_t conversion in a helper function
	* label_file: move error reporting back into caller
	* label_file: move stem/spec handling to header
	* label_file: drop useless ncomp field from label_file data
	* label_file: move spec_hasMetaChars to header
	* label_file: fix potential read past buffer in spec_hasMetaChars
	* label_file: move regex sorting to the header
	* label_file: add accessors for the pcre extra data
	* label_file: only run regex files one time
	* label_file: new process_file function
	* label_file: break up find_stem_from_spec
	* label_file: struct reorg
	* label_file: only run array once when sorting
	* Ensure that we only close the selinux netlink socket once.
	* improve the file_contexts.5 manual page
2012-09-14 05:59:45 -04:00
David Malcolm
ebb7fce3b2 rebuild for https://fedoraproject.org/wiki/Features/Python_3.3 2012-08-03 21:17:14 -04:00
David Malcolm
7ca2991d38 2.1.11-5: make with_python3 be conditional on fedora 2012-08-01 16:34:26 -04:00
Dan Walsh
4eed7a5379 Ensure that we only close the selinux netlink socket once.
- Taken from our Android libselinux tree. From Stephen Smalley
2012-07-31 10:14:59 -04:00
Dennis Gilmore
dc57424bd3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-19 16:09:21 -05:00
Dan Walsh
6b51ca9aaf Move the tmpfiles.d content from /etc/tmpfiles.d to /usr/lib/tmpfiles.d 2012-07-16 17:13:48 -04:00
Dan Walsh
852ea731d6 Revert Eric Paris Patch for selinux_binary_policy_path 2012-07-13 15:38:11 -04:00
Dan Walsh
cd092e1338 Update to upstream
* Fortify source now requires all code to be compiled with -O flag
	* asprintf return code must be checked
	* avc_netlink_recieve handle EINTR
	* audit2why: silence -Wmissing-prototypes warning
	* libsemanage: remove build warning when build swig c files
	* matchpathcon: bad handling of symlinks in /
	* seusers: remove unused lineno
	* seusers: getseuser: gracefully handle NULL service
	* New Android property labeling backend
	* label_android_property whitespace cleanups
	* additional makefile support for rubywrap
2012-07-04 07:31:12 -04:00
Dan Walsh
d9f6251b10 Fix booleans.subs name, change function name to selinux_boolean_sub,
add man page, minor fixes to the function
2012-06-11 13:31:23 -04:00
Dan Walsh
f9135bb77c Fix to compile with Fortify source
* Add -O compiler flag
      * Check return code from asprintf
- Fix handling of symbolic links in / by realpath_not_final
2012-05-25 07:20:38 -04:00
Dan Walsh
40eaa6c970 Add support for lxc contexts file 2012-04-19 16:34:27 -04:00
Dan Walsh
884d86db59 Update to upstream
* Fix dead links to www.nsa.gov/selinux
	* Remove jump over variable declaration
	* Fix old style function definitions
	* Fix const-correctness
	* Remove unused flush_class_cache method
	* Add prototype decl for destructor
	* Add more printf format annotations
	* Add printf format attribute annotation to die() method
	* Fix const-ness of parameters & make usage() methods static
	* Enable many more gcc warnings for libselinux/src/ builds
	* utils: Enable many more gcc warnings for libselinux/utils builds
	* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
	* Ensure there is a prototype for 'matchpathcon_lib_destructor'
	* Update Makefiles to handle /usrmove
	* utils: Stop separating out matchpathcon as something special
	* pkg-config to figure out where ruby include files are located
	* build with either ruby 1.9 or ruby 1.8
	* assert if avc_init() not called
	* take security_deny_unknown into account
	* security_compute_create_name(3)
	* Do not link against python library, this is considered
	* bad practice in debian
	* Hide unnecessarily-exported library destructors
2012-03-29 14:43:23 -04:00
Dan Walsh
ce3cc634eb Update to upstream
* Fix dead links to www.nsa.gov/selinux
	* Remove jump over variable declaration
	* Fix old style function definitions
	* Fix const-correctness
	* Remove unused flush_class_cache method
	* Add prototype decl for destructor
	* Add more printf format annotations
	* Add printf format attribute annotation to die() method
	* Fix const-ness of parameters & make usage() methods static
	* Enable many more gcc warnings for libselinux/src/ builds
	* utils: Enable many more gcc warnings for libselinux/utils builds
	* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
	* Ensure there is a prototype for 'matchpathcon_lib_destructor'
	* Update Makefiles to handle /usrmove
	* utils: Stop separating out matchpathcon as something special
	* pkg-config to figure out where ruby include files are located
	* build with either ruby 1.9 or ruby 1.8
	* assert if avc_init() not called
	* take security_deny_unknown into account
	* security_compute_create_name(3)
	* Do not link against python library, this is considered
	* bad practice in debian
	* Hide unnecessarily-exported library destructors
2012-03-29 14:39:18 -04:00
Dan Walsh
a6c6ce4ff0 avc_netlink_recieve should continue to poll if it receinves an EINTR rather 2012-02-03 10:33:11 -05:00
Dan Walsh
76fb5c8e65 avc_netlink_recieve should continue to poll if it receinves an EINTR rather 2012-02-03 10:31:53 -05:00
Kay Sievers
82dfd09743 Update release 2012-01-29 19:47:44 +01:00
Kay Sievers
de370ba771 Use /sbin/ldconfig, glibc does not provide /usr/sbin/ldconfig for now 2012-01-29 19:41:31 +01:00
Dan Walsh
86fcde8ff1 Rebuild with cleaned up upstream to work in /usr 2012-01-27 14:50:47 -05:00
Harald Hoyer
cca484b26b install everything in /usr
This patch is needed for the /usr-move feature
https://fedoraproject.org/wiki/Features/UsrMove

This package requires now 'filesystem' >= 3, which is only installable
on a system which has /bin, /sbin, /lib, /lib64 as symlinks to /usr and
not regular directories. The 'filesystem' package acts as a guard, to
prevent *this* package to be installed on old unconverted systems.

New installations will have the 'filesystem' >=3 layout right away, old
installations need to be converted with anaconda or dracut first; only
after that, the 'filesystem' package, and also *this* package can be
installed.

Packages *should* not install files in /bin, /sbin, /lib, /lib64, but
only in the corresponding directories in /usr. Packages *must* not
install conflicting files with the same names in the corresponding
directories in / and /usr. Especially compatibility symlinks must not be
installed.

Feel free to modify any of the changes to the spec file, but keep the
above in mind.
2012-01-25 20:33:26 +01:00
Dan Walsh
3b242a5830 Add Dan Berrange code cleanup patches. 2012-01-23 11:30:40 -05:00
Dan Walsh
ad8477f7a1 Fix selabal_open man page to refer to proper selinux_opt structure 2012-01-04 11:03:19 -05:00
Dan Walsh
3ae845067c Update to upstream
* Fix setenforce man page to refer to selinux man page
	* Cleanup Man pages
	* merge freecon with getcon man page
2011-12-21 18:01:55 +00:00
Dan Walsh
0c717c5b8c Add patch from Richard Haines
When selabel_lookup found an invalid context with validation enabled, it
always stated it was 'file_contexts' whether media, x, db or file.
The fix is to store the spec file name in the selabel_lookup_rec on
selabel_open and use this as output for logs. Also a minor fix if key is
NULL to stop seg faults.
Fix setenforce manage page.
2011-12-19 14:48:33 -05:00
Dan Walsh
3e52a1517d Rebuild with new libsepol 2011-12-16 06:22:49 -05:00
Dan Walsh
7a677c0c11 Rebuild with new libsepol 2011-12-15 16:50:07 -05:00
Dan Walsh
e9493af009 Fix setenforce man page, from Miroslav Grepl 2011-12-06 10:43:58 -05:00
Dan Walsh
de1ce20f11 Upgrade to upstream
* selinuxswig_python.i: don't make syscall if it won't change anything
	* Remove assert in security_get_boolean_names(3)
	* Mapped compute functions now obey deny_unknown flag
	* get_default_type now sets EINVAL if no entry.
	* return EINVAL if invalid role selected
	* Updated selabel_file(5) man page
	* Updated selabel_db(5) man page
	* Updated selabel_media(5) man page
	* Updated selabel_x(5) man page
	* Add man/man5 man pages
	* Add man/man5 man pages
	* Add man/man5 man pages
	* use -W and -Werror in utils
2011-12-06 08:55:52 -05:00
Dan Walsh
0921286973 Change python binding for restorecon to check if the context matches.
If it does do not reset
2011-11-29 09:47:57 -05:00
Dan Walsh
5cb2893d59 * Makefiles: syntax, convert all ${VAR} to $(VAR)
* load_policy: handle selinux=0 and /sys/fs/selinux not exist
	* regenerate .pc on VERSION change
	* label: cosmetic cleanups
	* simple interface for access checks
	* Don't reinitialize avc_init if it has been called previously
	* seusers: fix to handle large sets of groups
	* audit2why: close fd on enomem
	* rename and export symlink_realpath
	* label_file: style changes to make Eric happy.
2011-11-04 09:13:56 -04:00
Dan Walsh
8075466849 Apply libselinux patch to handle large groups in seusers. 2011-10-24 14:30:05 -04:00
Dan Walsh
a8fa8756a9 Add selinux_check_access function. Needed for passwd, chfn, chsh 2011-10-20 15:44:39 -04:00
Dan Walsh
3f542ebbed Handle situation where selinux=0 passed to the kernel and both /selinux and 2011-09-22 09:38:06 -04:00
Dan Walsh
942b6cd466 Update to upstream
* utils: matchpathcon: remove duplicate declaration
	* src: matchpathcon: use myprintf not fprintf
	* src: matchpathcon: make sure resolved path starts
	* put libselinux.so.1 in /lib not /usr/lib
	* tree: default make target to all not
2011-09-19 06:53:35 -04:00
Dan Walsh
aa09b7d954 Update to upstream
* utils: matchpathcon: remove duplicate declaration
	* src: matchpathcon: use myprintf not fprintf
	* src: matchpathcon: make sure resolved path starts
	* put libselinux.so.1 in /lib not /usr/lib
	* tree: default make target to all not
2011-09-19 06:52:45 -04:00
Dan Walsh
5113c7563a Switch to use ":" as prefix separator rather then ";" 2011-09-14 22:01:30 -04:00
Dan Walsh
09b67080b4 Avoid unnecessary shell invocation in %post. 2011-09-08 15:26:30 -04:00
Dan Walsh
c03bd38197 Fix handling of subset labeling that is causing segfault in restorecon 2011-09-06 09:46:57 -04:00
Dan Walsh
10e77a8370 Change matchpathcon_init_prefix and selabel_open to allow multiple initial
prefixes.  Now you can specify a ";" separated list of prefixes and the
labeling system will only load regular expressions that match these prefixes.
2011-09-02 08:58:11 -04:00
Dan Walsh
495b754734 Change matchpatcon to use proper myprintf
Fix symlink_realpath to always include "/"
Update to upstream
	* selinux_file_context_verify function returns wrong value.
	* move realpath helper to matchpathcon library
	* python wrapper makefile changes
2011-08-30 11:08:49 -04:00
Dan Walsh
4eca5fc79f Move to new Makefile that can build with or without PYTHON being set 2011-08-22 11:04:32 -04:00
Dan Walsh
00e063e5f5 Update to upstream
2.1.4 2011-0817
	* mapping fix for invalid class/perms after selinux_set_mapping
	* audit2why: work around python bug not defining
	* resolv symlinks and dot directories before matching
2011-08-18 07:09:51 -04:00
Dan Walsh
125b5b107c Update to upstream
* Release, minor version bump
	* Give correct names to mount points in load_policy by Dan Walsh.
	* Make sure selinux state is reported correctly if selinux is disabled or
	fails to load by Dan Walsh.
	* Fix crash if selinux_key_create was never called by Dan Walsh.
	* Add new file_context.subs_dist for distro specific filecon substitutions
	by Dan Walsh.
	* Update man pages for selinux_color_* functions by Richard Haines.
2011-07-28 11:58:12 -04:00
Dan Walsh
076f35f59b Only call dups check within selabel/matchpathcon if you are validating the
context
This seems to speed the loading of labels by 4 times.
2011-06-13 11:29:06 -04:00
Dan Walsh
2c3aaeae1e Move /selinux to /sys/fs/selinux
Add selinuxexeccon
Add realpath to matchpathcon to handle matchpathcon * type queries.
2011-05-25 14:25:56 -04:00
Dan Walsh
71e7978d45 Update for latest libsepol 2011-04-21 12:02:22 -04:00
Dan Walsh
f0ee56705a Update for latest libsepol 2011-04-18 09:33:23 -04:00
Dan Walsh
73bed069d2 Fix restorecon python binding to accept relative paths 2011-04-13 16:51:22 -04:00
Dan Walsh
982b2e517d Update to upstream
* Give correct names to mount points in load_policy by Dan Walsh.
	* Make sure selinux state is reported correctly if selinux is disabled or
	fails to load by Dan Walsh.
	* Fix crash if selinux_key_create was never called by Dan Walsh.
	* Add new file_context.subs_dist for distro specific filecon substitutions
	by Dan Walsh.
	* Update man pages for selinux_color_* functions by Richard Haines.
2011-04-12 10:08:26 -04:00
Dan Walsh
d455eb5e43 Clean up patch to make handling of constructor cleanup more portable
* db_language object class support for selabel_lookup from KaiGai Kohei.
* Library destructors for thread local storage keys from Eamon Walsh.
2011-04-06 16:46:47 -04:00
Dan Walsh
3d499ceb03 Clean up patch to make handling of constructor cleanup more portable 2011-04-06 11:19:19 -04:00
Dan Walsh
8723500e16 Add file_context.subs_dist to subs paths 2011-04-05 14:03:07 -04:00
Dan Walsh
4b2caaad18 Add patch from dbhole@redhat.com to initialize thread keys to -1
Errors were being seen in libpthread/libdl that were related
to corrupt thread specific keys. Global destructors that are called on dl
unload. During destruction delete a thread specific key without checking
if it has been initialized. Since the constructor is not called each time
(i.e. key is not initialized with pthread_key_create each time), and the
default is 0, there is a possibility that key 0 for an active thread gets
deleted. This is exactly what is happening in case of OpenJDK.
2011-04-05 12:10:57 -04:00
Dan Walsh
0cd375f839 Call fini_selinuxmnt if selinux is disabled, to cause is_selinux_disabled() to report correct data 2011-04-05 11:25:39 -04:00
Dan Walsh
1fefea1eb1 Update to upstream
* Turn off default user handling when computing user contexts by Dan Walsh
2011-03-30 14:42:17 -04:00
Dennis Gilmore
148fda2b16 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-08 05:19:56 -06:00
Dan Walsh
c49c04df3b - Fixup selinux man page 2011-02-01 17:40:11 -05:00
Dan Walsh
3c1b814b3d - Fix Makefile to use pkg-config --cflags python3 to discover include paths 2011-01-18 10:08:15 -05:00
Dan Walsh
ca9cea7698 - Update to upstream
- Turn off fallback in to SELINUX_DEFAULTUSER in get_context_list
2010-12-21 16:29:19 -05:00
Dan Walsh
2542902e06 - Update to upstream
* Thread local storage fixes from Eamon Walsh.
2010-12-06 15:10:20 -05:00
Dan Walsh
8b8064a26e - Add /etc/tmpfiles.d support for /var/run/setrans 2010-12-02 15:19:26 -05:00
Dan Walsh
3dcd5c3eb3 - Ghost /var/run/setrans 2010-11-24 08:47:07 -05:00
Jesse Keating
2f8093690a - Rebuilt for gcc bug 634757 2010-09-29 14:41:56 -07:00
Adam Tkac
ae5808aa95 Rebuild via updated swig (#624674).
Signed-off-by: Adam Tkac <atkac@redhat.com>
2010-09-16 16:01:09 +02:00
Dan Walsh
7c0da10653 - Update for python 3.2a1 2010-08-22 06:41:49 -04:00
Daniel J Walsh
159f7d2174 - Turn off fallback in to SELINUX_DEFAULTUSER in get_context_list 2010-07-27 17:50:51 +00:00
dmalcolm
9eca71ac71 - Rebuilt for
https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
2010-07-22 02:19:39 +00:00
Daniel J Walsh
4235807de2 - Turn off messages in audit2why 2010-06-25 21:05:56 +00:00
Daniel J Walsh
5abec270e9 - Update to upstream
Add const qualifiers to public API where appropriate by KaiGai Kohei.
2010-06-16 13:23:15 +00:00
Daniel J Walsh
982ffdc3f5 - Update to upstream
Fix from Eric Paris to fix leak on non-selinux systems.
regenerate swig wrappers
pkgconfig fix to respect LIBDIR from Dan Walsh.
2010-03-08 13:14:35 +00:00
Daniel J Walsh
68c8d967fd - Update to upstream
Change the AVC to only audit the permissions specified by the policy,
    excluding any permissions specified via dontaudit or not specified via
    auditallow.
Fix compilation of label_file.c with latest glibc headers.
2010-02-24 19:12:12 +00:00
Daniel J Walsh
de078cb3d5 - Fix man page for selinuxdefcon 2010-01-18 21:59:45 +00:00
Daniel J Walsh
1f46a5f18f Mon Jam 4 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.90-2
- Free memory on disabled selinux boxes
2010-01-04 22:17:33 +00:00
Daniel J Walsh
76ecedb2d0 - Update to upstream
add/reformat man pages by Guido Trentalancia <guido@trentalancia.com>.
Change exception.sh to be called with bash by Manoj Srivastava
    <srivasta@debian.org>
2009-12-01 21:18:45 +00:00
Daniel J Walsh
4ed79e3521 - Fix selinuxdefcon man page 2009-11-23 18:32:48 +00:00
Daniel J Walsh
ac492a22d6 - Update to upstream
Add pkgconfig file from Eamon Walsh.
2009-11-02 18:11:50 +00:00
Daniel J Walsh
a69064eb95 - Update to upstream
Add pkgconfig file from Eamon Walsh.
2009-11-02 18:01:05 +00:00
Daniel J Walsh
8a570f443e - Update to upstream
Rename and export selinux_reset_config()
2009-10-29 19:36:32 +00:00
Daniel J Walsh
510eba6977 - Update to upstream
Add exception handling in libselinux from Dan Walsh. This uses a shell
    script called exception.sh to generate a swig interface file.
make swigify
Make matchpathcon print <<none>> if path not found in fcontext file.
2009-09-28 20:33:26 +00:00
Daniel J Walsh
d3cc14428b - Eliminate -pthread switch in Makefile 2009-09-15 19:24:22 +00:00
Daniel J Walsh
9afde8153b - Update to upstream
Removal of reference counting on userspace AVC SID's.
2009-09-08 13:09:19 +00:00
Jesse Keating
0762b6438c - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild 2009-07-25 08:35:31 +00:00
Daniel J Walsh
fa621852dc - Update to upstream
Reverted Tomas Mraz's fix for freeing thread local storage to avoid pthread
    dependency.
Removed fini_context_translations() altogether.
Merged lazy init patch from Stephen Smalley based on original patch by
    Steve Grubb.
2009-07-14 15:29:55 +00:00
Daniel J Walsh
23660c5dba - Update to upstream
Add per-service seuser support from Dan Walsh.
Let load_policy gracefully handle selinuxfs being mounted from Stephen
    Smalley.
Check /proc/filesystems before /proc/mounts for selinuxfs from Eric Paris.
2009-07-07 16:26:11 +00:00
Daniel J Walsh
94187eeda7 - Add provices ruby(selinux) 2009-06-24 21:37:23 +00:00
Daniel J Walsh
a66522107b - Update to upstream
Fix improper use of thread local storage from Tomas Mraz
    <tmraz@redhat.com>.
Label substitution support from Dan Walsh.
Support for labeling virtual machine images from Dan Walsh.
2009-06-23 19:54:03 +00:00
Daniel J Walsh
403bfa5085 - Update to upstream
Trim / from the end of input paths to matchpathcon from Dan Walsh.
Fix leak in process_line in label_file.c from Hiroshi Shinji.
Move matchpathcon to /sbin, add matchpathcon to clean target from Dan
    Walsh.
getdefaultcon to print just the correct match and add verbose option from
    Dan Walsh.
2009-05-18 18:22:22 +00:00
Daniel J Walsh
c1ed6edd9a - Update to upstream
deny_unknown wrapper function from KaiGai Kohei.
security_compute_av_flags API from KaiGai Kohei.
Netlink socket management and callbacks from KaiGai Kohei.
2009-04-08 13:08:53 +00:00
Daniel J Walsh
d6eb0cea47 - Fix Memory Leak 2009-04-03 12:58:07 +00:00
Daniel J Walsh
261c72abdb - Fix crash in python 2009-04-02 13:36:47 +00:00
Daniel J Walsh
f6ba4d34de - Add back in additional interfaces 2009-03-29 15:18:28 +00:00
Daniel J Walsh
55f4c91ff1 - Add back in av_decision to python swig 2009-03-27 20:39:31 +00:00
Daniel J Walsh
974a6e4ad2 - Add back in av_decision to python swig 2009-03-27 18:25:16 +00:00
Daniel J Walsh
c86e2e8d59 - Update to upstream
Netlink socket handoff patch from Adam Jackson.
AVC caching of compute_create results by Eric Paris.
2009-03-12 12:57:57 +00:00
Daniel J Walsh
ada6d88f6b - Add eparis patch to accellerate Xwindows performance 2009-03-09 15:52:25 +00:00
Daniel J Walsh
79bb8b19a2 - Fix URL 2009-03-09 14:03:12 +00:00
Daniel J Walsh
3da9d84fdc - Add substitute pattern
- matchpathcon output <<none>> on ENOENT
2009-03-06 21:31:10 +00:00
Daniel J Walsh
07ae258133 - Update to upstream
Fix incorrect conversion in discover_class code.
2009-03-02 18:21:46 +00:00
Jesse Keating
5b3b3ee4ad - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild 2009-02-25 18:01:00 +00:00
Daniel J Walsh
19dec57f82 - Add
- selinux_virtual_domain_context_path
- selinux_virtual_image_context_path
2009-02-18 19:45:23 +00:00
Daniel J Walsh
6396f115b4 - Add
- selinux_virtual_domain_context_path
- selinux_virtual_image_context_path
2009-02-18 18:29:42 +00:00
Daniel J Walsh
b5b41bc929 - Throw exeptions in python swig bindings on failures 2009-01-27 20:00:47 +00:00
Daniel J Walsh
c1e059f764 - Fix restorecon python code 2009-01-06 15:44:49 +00:00
Daniel J Walsh
49eae3b63b - Update to upstream 2009-01-06 14:31:47 +00:00
Daniel J Walsh
e672e99f9d - Strip trailing / for matchpathcon 2008-12-19 20:17:53 +00:00
Daniel J Walsh
0c692a5a64 - Fix segfault if seusers file does not work 2008-12-16 14:38:49 +00:00
Daniel J Walsh
d9847be233 - Add new function getseuser which will take username and service and
return
- seuser and level. ipa will populate file in future.
- Change selinuxdefcon to return just the context by default
2008-12-12 16:15:27 +00:00
Daniel J Walsh
cd000f17c0 - Add new function getseuser which will take username and service and
return
- seuser and level. ipa will populate file in future.
- Change selinuxdefcon to return just the context by default
2008-12-12 15:21:10 +00:00
Ignacio Vazquez-Abrams
fdb97bc4bb Rebuild for Python 2.6 2008-11-29 16:48:05 +00:00
Daniel J Walsh
f53982306d - Update to Upstream
Allow shell-style wildcards in x_contexts file.
2008-11-21 21:06:11 +00:00
Daniel J Walsh
41931f8d57 - Eamon Walsh Patch - libselinux: allow shell-style wildcarding in X names
- Add Restorecon/Install python functions from Luke Macken
2008-11-17 15:27:48 +00:00
Daniel J Walsh
d3b013d124 - Update to Upstream
Correct message types in AVC log messages.
Make matchpathcon -V pass mode from Dan Walsh.
Add man page for selinux_file_context_cmp from Dan Walsh.
2008-11-07 14:08:36 +00:00
Daniel J Walsh
3898d8da39 - Update to Upstream
New man pages from Dan Walsh.
Update flask headers from refpolicy trunk from Dan Walsh.
2008-09-30 13:30:18 +00:00
Daniel J Walsh
263ee4f1ec - Fix matchpathcon -V call 2008-09-26 14:22:14 +00:00
Daniel J Walsh
3578778806 - Add flask definitions for open, X and nlmsg_tty_audit 2008-09-22 17:52:30 +00:00
Daniel J Walsh
15c5a627bc - Add missing get/setkeycreatecon man pages 2008-09-09 20:24:22 +00:00
Daniel J Walsh
fa0215ab2a - Split out utilities 2008-09-09 19:07:33 +00:00
Daniel J Walsh
ac4e772e3d - Add missing man page links for [lf]getfilecon 2008-09-09 18:45:26 +00:00
Daniel J Walsh
7918b2858e - Update to Upstream
Add group support to seusers using %groupname syntax from Dan Walsh.
Mark setrans socket close-on-exec from Stephen Smalley.
Only apply nodups checking to base file contexts from Stephen Smalley.
2008-08-05 14:05:15 +00:00
Daniel J Walsh
86ce8d44b1 - Update to Upstream
Merge ruby bindings from Dan Walsh.
- Add support for Linux groups to getseuserbyname
2008-08-01 10:56:37 +00:00
Daniel J Walsh
0397b472b7 - Update to Upstream
Handle duplicate file context regexes as a fatal error from Stephen
    Smalley. This prevents adding them via semanage.
Fix audit2why shadowed variables from Stephen Smalley.
Note that freecon NULL is legal in man page from Karel Zak.
2008-07-29 18:37:01 +00:00
Daniel J Walsh
d0a06b2c34 - Update to Upstream
Handle duplicate file context regexes as a fatal error from Stephen
    Smalley. This prevents adding them via semanage.
Fix audit2why shadowed variables from Stephen Smalley.
Note that freecon NULL is legal in man page from Karel Zak.
2008-07-29 13:22:45 +00:00
Daniel J Walsh
ee778682f8 - Add ruby support for puppet 2008-07-09 20:57:21 +00:00
Daniel J Walsh
c56d166bb6 - Rebuild for new libsepol 2008-07-08 12:07:38 +00:00
Daniel J Walsh
ea56feab06 - Add Karel Zak patch for freecon man page 2008-06-29 12:31:00 +00:00
Daniel J Walsh
e434a93ac5 - Update to Upstream
New and revised AVC, label, and mapping man pages from Eamon Walsh.
Add swig python bindings for avc interfaces from Dan Walsh.
2008-06-26 12:14:16 +00:00
Daniel J Walsh
6359e2ad79 - Update to Upstream
New and revised AVC, label, and mapping man pages from Eamon Walsh.
Add swig python bindings for avc interfaces from Dan Walsh.
2008-06-22 13:48:37 +00:00
Daniel J Walsh
fc4f6a4f7d - Update to Upstream
Fix selinux_file_context_verify() and selinux_lsetfilecon_default() to call
    matchpathcon_init_prefix if not already initialized.
Add -q qualifier for -V option of matchpathcon and change it to indicate
    whether verification succeeded or failed via exit status.
2008-06-22 13:42:52 +00:00
Daniel J Walsh
bff583b68b - Update to Upstream
Fix selinux_file_context_verify() and selinux_lsetfilecon_default() to call
    matchpathcon_init_prefix if not already initialized.
Add -q qualifier for -V option of matchpathcon and change it to indicate
    whether verification succeeded or failed via exit status.
2008-05-28 14:15:30 +00:00
Daniel J Walsh
454774e22d remove telinit -u, no longer needed 2008-05-16 19:04:17 +00:00
Daniel J Walsh
792921f4eb - Add sedefaultcon and setconlist commands to dump login context 2008-05-07 17:34:12 +00:00