rpms/libselinux
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:c8
Branches Tags
rpms:c8
rpms:c10
rpms:c10s
rpms:c9
rpms:c9-beta
rpms:c8s
rpms:c9s
rpms:c8-beta
rpms:stream-libselinux-python-2.8-rhel-8.10.0
rpms:stream-libselinux-python-2.8-rhel-8.9.0
rpms:c8-beta-stream-2.8
rpms:c8-stream-2.8
rpms:imports/c10/libselinux-3.8-2.el10_0
rpms:imports/c10s/libselinux-3.8-2.el10
rpms:imports/c10/libselinux-3.8-1.el10_0
rpms:imports/c9/libselinux-3.6-3.el9
rpms:imports/c8/libselinux-2.9-10.el8_10
rpms:imports/c9-beta/libselinux-3.6-3.el9
rpms:imports/c10s/libselinux-3.8-1.el10
rpms:imports/c10s/libselinux-3.8-0.rc3.1.el10
rpms:imports/c8/libselinux-2.9-9.el8_10
rpms:imports/c10s/libselinux-3.8-0.rc1.2.el10
rpms:imports/c10s/libselinux-3.7-5.el10
rpms:imports/c10s/libselinux-3.7-4.el10
rpms:imports/c9-beta/libselinux-3.6-2.el9_4
rpms:imports/c9-beta/libselinux-3.6-2.el9
rpms:imports/c10s/libselinux-3.7-3.el10
rpms:imports/c10s/libselinux-3.7-2.el10
rpms:imports/c9/libselinux-3.6-1.el9
rpms:imports/c8/libselinux-2.9-8.el8
rpms:imports/c9/libselinux-3.5-1.el9
rpms:imports/c9-beta/libselinux-3.5-1.el9
rpms:imports/c8-beta/libselinux-2.9-8.el8
rpms:imports/c8s/libselinux-2.9-8.el8
rpms:imports/c9/libselinux-3.4-3.el9
rpms:imports/c8/libselinux-2.9-6.el8
rpms:imports/c9-beta/libselinux-3.4-3.el9
rpms:imports/c8-beta/libselinux-2.9-6.el8
rpms:imports/c8s/libselinux-2.9-6.el8
rpms:imports/c9/libselinux-3.3-2.el9
rpms:imports/c9-beta/libselinux-3.3-2.el9
rpms:imports/c9-beta/libselinux-3.3-1.el9
rpms:imports/c9-beta/libselinux-3.2-6.el9
rpms:imports/c8-beta-stream-2.8/libselinux-2.9-2.1.module+el8.1.0+3972+45ab4324
rpms:imports/c8-beta-stream-2.8/libselinux-2.8-6.module+el8+2448+8fbcdfd7
rpms:imports/c8-beta/libselinux-2.9-5.el8
rpms:imports/c8-beta/libselinux-2.9-3.el8
rpms:imports/c8-beta/libselinux-2.9-1.el8
rpms:imports/c8s/libselinux-2.9-5.el8
rpms:imports/c8s/libselinux-2.9-3.el8
rpms:imports/c8-stream-2.8/libselinux-2.9-2.1.module+el8.1.0+3972+45ab4324
rpms:imports/c8-stream-2.8/libselinux-2.8-6.module+el8+2448+8fbcdfd7
rpms:imports/c8/libselinux-2.9-5.el8
rpms:imports/c8/libselinux-2.9-4.el8_3
rpms:imports/c8/libselinux-2.9-3.el8
rpms:imports/c8/libselinux-2.9-2.1.el8
rpms:imports/c8/libselinux-2.8-6.el8
..
compare: rpms:c10s
Branches Tags
rpms:c10
rpms:c10s
rpms:c9
rpms:c8
rpms:c9-beta
rpms:c8s
rpms:c9s
rpms:c8-beta
rpms:stream-libselinux-python-2.8-rhel-8.10.0
rpms:stream-libselinux-python-2.8-rhel-8.9.0
rpms:c8-beta-stream-2.8
rpms:c8-stream-2.8
rpms:imports/c10/libselinux-3.8-2.el10_0
rpms:imports/c10s/libselinux-3.8-2.el10
rpms:imports/c10/libselinux-3.8-1.el10_0
rpms:imports/c9/libselinux-3.6-3.el9
rpms:imports/c8/libselinux-2.9-10.el8_10
rpms:imports/c9-beta/libselinux-3.6-3.el9
rpms:imports/c10s/libselinux-3.8-1.el10
rpms:imports/c10s/libselinux-3.8-0.rc3.1.el10
rpms:imports/c8/libselinux-2.9-9.el8_10
rpms:imports/c10s/libselinux-3.8-0.rc1.2.el10
rpms:imports/c10s/libselinux-3.7-5.el10
rpms:imports/c10s/libselinux-3.7-4.el10
rpms:imports/c9-beta/libselinux-3.6-2.el9_4
rpms:imports/c9-beta/libselinux-3.6-2.el9
rpms:imports/c10s/libselinux-3.7-3.el10
rpms:imports/c10s/libselinux-3.7-2.el10
rpms:imports/c9/libselinux-3.6-1.el9
rpms:imports/c8/libselinux-2.9-8.el8
rpms:imports/c9/libselinux-3.5-1.el9
rpms:imports/c9-beta/libselinux-3.5-1.el9
rpms:imports/c8-beta/libselinux-2.9-8.el8
rpms:imports/c8s/libselinux-2.9-8.el8
rpms:imports/c9/libselinux-3.4-3.el9
rpms:imports/c8/libselinux-2.9-6.el8
rpms:imports/c9-beta/libselinux-3.4-3.el9
rpms:imports/c8-beta/libselinux-2.9-6.el8
rpms:imports/c8s/libselinux-2.9-6.el8
rpms:imports/c9/libselinux-3.3-2.el9
rpms:imports/c9-beta/libselinux-3.3-2.el9
rpms:imports/c9-beta/libselinux-3.3-1.el9
rpms:imports/c9-beta/libselinux-3.2-6.el9
rpms:imports/c8-beta-stream-2.8/libselinux-2.9-2.1.module+el8.1.0+3972+45ab4324
rpms:imports/c8-beta-stream-2.8/libselinux-2.8-6.module+el8+2448+8fbcdfd7
rpms:imports/c8-beta/libselinux-2.9-5.el8
rpms:imports/c8-beta/libselinux-2.9-3.el8
rpms:imports/c8-beta/libselinux-2.9-1.el8
rpms:imports/c8s/libselinux-2.9-5.el8
rpms:imports/c8s/libselinux-2.9-3.el8
rpms:imports/c8-stream-2.8/libselinux-2.9-2.1.module+el8.1.0+3972+45ab4324
rpms:imports/c8-stream-2.8/libselinux-2.8-6.module+el8+2448+8fbcdfd7
rpms:imports/c8/libselinux-2.9-5.el8
rpms:imports/c8/libselinux-2.9-4.el8_3
rpms:imports/c8/libselinux-2.9-3.el8
rpms:imports/c8/libselinux-2.9-2.1.el8
rpms:imports/c8/libselinux-2.8-6.el8

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

33 changed files with 2720 additions and 1862 deletions
Show Stats Expand all files Collapse all files

1
.fmf/version Normal file
View File

@ -0,0 +1 @@
1

243
.gitignore vendored
View File

@ -1 +1,242 @@
SOURCES/libselinux-2.9.tar.gz
libselinux-1.17.9.tgz
libselinux-1.17.10.tgz
libselinux-1.17.11.tgz
libselinux-1.17.12.tgz
libselinux-1.17.13.tgz
libselinux-1.17.14.tgz
libselinux-1.17.15.tgz
libselinux-1.17.16.tgz
libselinux-1.18.1.tgz
libselinux-1.19.1.tgz
libselinux-1.19.2.tgz
libselinux-1.19.3.tgz
libselinux-1.19.4.tgz
libselinux-1.20.1.tgz
libselinux-1.21.1.tgz
libselinux-1.21.2.tgz
libselinux-1.21.4.tgz
libselinux-1.21.5.tgz
libselinux-1.21.7.tgz
exclude
nsadiff
nsalibselinux
libselinux-1.21.8.tgz
libselinux-1.21.9.tgz
libselinux-1.21.10.tgz
libselinux-1.21.11.tgz
libselinux-1.21.12.tgz
libselinux-1.21.13.tgz
libselinux-1.22.tgz
libselinux-1.23.1.tgz
libselinux-1.23.2.tgz
libselinux-1.23.3.tgz
libselinux-1.23.4.tgz
libselinux-1.23.5.tgz
libselinux-1.23.6.tgz
libselinux-1.23.7.tgz
libselinux-1.23.8.tgz
libselinux-1.23.10.tgz
libselinux-1.23.11.tgz
libselinux-1.24.1.tgz
libselinux-1.24.2.tgz
libselinux-1.25.2.tgz
libselinux-1.25.3.tgz
libselinux-1.25.4.tgz
libselinux-1.25.5.tgz
libselinux-1.25.6.tgz
libselinux-1.25.7.tgz
libselinux-1.26.tgz
libselinux-1.27.1.tgz
libselinux-1.27.2.tgz
libselinux-1.27.3.tgz
libselinux-1.27.4.tgz
libselinux-1.27.6.tgz
libselinux-1.27.7.tgz
libselinux-1.27.9.tgz
libselinux-1.27.10.tgz
libselinux-1.27.12.tgz
libselinux-1.27.13.tgz
libselinux-1.27.14.tgz
libselinux-1.27.17.tgz
libselinux-1.27.18.tgz
libselinux-1.27.19.tgz
libselinux-1.27.20.tgz
libselinux-1.27.21.tgz
libselinux-1.27.22.tgz
libselinux-1.27.23.tgz
libselinux-1.27.25.tgz
libselinux-1.27.26.tgz
libselinux-1.27.28.tgz
libselinux-1.28.tgz
libselinux-1.29.1.tgz
libselinux-1.29.2.tgz
libselinux-1.29.3.tgz
libselinux-1.29.4.tgz
libselinux-1.29.5.tgz
libselinux-1.29.6.tgz
libselinux-1.29.7.tgz
libselinux-1.29.8.tgz
libselinux-1.30.tgz
libselinux-1.30.1.tgz
libselinux-1.30.3.tgz
libselinux-1.30.5.tgz
libselinux-1.30.6.tgz
libselinux-1.30.7.tgz
libselinux-1.30.8.tgz
libselinux-1.30.10.tgz
libselinux-1.30.11.tgz
libselinux-1.30.12.tgz
libselinux-1.30.15.tgz
libselinux-1.30.19.tgz
libselinux-1.30.20.tgz
libselinux-1.30.22.tgz
libselinux-1.30.24.tgz
libselinux-1.30.26.tgz
libselinux-1.30.27.tgz
libselinux-1.30.28.tgz
libselinux-1.30.29.tgz
libselinux-1.30.30.tgz
libselinux-1.32.tgz
libselinux-1.33.1.tgz
libselinux-1.33.2.tgz
libselinux-1.33.3.tgz
libselinux-1.33.4.tgz
libselinux-1.33.5.tgz
libselinux-1.33.6.tgz
libselinux-1.34.0.tgz
libselinux-1.34.1.tgz
libselinux-2.0.0.tgz
libselinux-2.0.1.tgz
libselinux-2.0.2.tgz
libselinux-2.0.3.tgz
libselinux-2.0.4.tgz
libselinux-2.0.5.tgz
libselinux-2.0.7.tgz
libselinux-2.0.8.tgz
libselinux-2.0.9.tgz
libselinux-2.0.11.tgz
libselinux-2.0.12.tgz
libselinux-2.0.13.tgz
libselinux-2.0.14.tgz
libselinux-2.0.16.tgz
libselinux-2.0.18.tgz
libselinux-2.0.21.tgz
libselinux-2.0.22.tgz
libselinux-2.0.23.tgz
libselinux-2.0.24.tgz
libselinux-2.0.29.tgz
libselinux-2.0.30.tgz
libselinux-2.0.31.tgz
libselinux-2.0.33.tgz
libselinux-2.0.34.tgz
libselinux-2.0.35.tgz
libselinux-2.0.36.tgz
libselinux-2.0.37.tgz
libselinux-2.0.40.tgz
libselinux-2.0.42.tgz
libselinux-2.0.43.tgz
libselinux-2.0.45.tgz
libselinux-2.0.46.tgz
libselinux-2.0.47.tgz
libselinux-2.0.48.tgz
libselinux-2.0.49.tgz
libselinux-2.0.50.tgz
libselinux-2.0.52.tgz
libselinux-2.0.53.tgz
libselinux-2.0.55.tgz
libselinux-2.0.56.tgz
libselinux-2.0.57.tgz
libselinux-2.0.58.tgz
libselinux-2.0.59.tgz
libselinux-2.0.60.tgz
libselinux-2.0.61.tgz
libselinux-2.0.64.tgz
libselinux-2.0.65.tgz
libselinux-2.0.67.tgz
libselinux-2.0.69.tgz
libselinux-2.0.70.tgz
libselinux-2.0.71.tgz
libselinux-2.0.73.tgz
libselinux-2.0.74.tgz
libselinux-2.0.75.tgz
libselinux-2.0.76.tgz
libselinux-2.0.77.tgz
libselinux-2.0.78.tgz
libselinux-2.0.79.tgz
libselinux-2.0.80.tgz
libselinux-2.0.81.tgz
libselinux-2.0.82.tgz
libselinux-2.0.83.tgz
libselinux-2.0.84.tgz
libselinux-2.0.85.tgz
libselinux-2.0.86.tgz
libselinux-2.0.87.tgz
libselinux-2.0.88.tgz
libselinux-2.0.89.tgz
libselinux-2.0.90.tgz
libselinux-2.0.91.tgz
libselinux-2.0.92.tgz
libselinux-2.0.93.tgz
libselinux-2.0.94.tgz
libselinux-2.0.96.tgz
/libselinux-2.0.97.tgz
/libselinux-2.0.98.tgz
/libselinux-2.0.99.tgz
/libselinux-2.0.101.tgz
/libselinux-2.0.102.tgz
/libselinux-2.1.0.tgz
/libselinux-2.1.4.tgz
/libselinux-2.1.5.tgz
/libselinux-2.1.6.tgz
/libselinux-2.1.7.tgz
/libselinux-2.1.8.tgz
/libselinux-2.1.9.tgz
/libselinux-2.1.10.tgz
/libselinux-2.1.11.tgz
/libselinux-2.1.12.tgz
/libselinux-2.1.13.tgz
/libselinux-2.2.tgz
/libselinux-2.2.1.tgz
/libselinux-2.2.2.tgz
/libselinux-2.3.tgz
/libselinux-2.3.tar.gz
/libselinux-2.4.tar.gz
/libselinux-2.5-rc1.tar.gz
/libselinux-2.5.tar.gz
/libselinux-2.6.tar.gz
/libselinux-2.7.tar.gz
/libselinux-2.8-rc1.tar.gz
/libselinux-2.8-rc2.tar.gz
/libselinux-2.8-rc3.tar.gz
/libselinux-2.8.tar.gz
/libselinux-2.9-rc1.tar.gz
/libselinux-2.9-rc2.tar.gz
/libselinux-2.9.tar.gz
/libselinux-3.0-rc1.tar.gz
/libselinux-3.0.tar.gz
/libselinux-3.1.tar.gz
/libselinux-3.2-rc1.tar.gz
/libselinux-3.2-rc2.tar.gz
/libselinux-3.2.tar.gz
/libselinux-3.3-rc2.tar.gz
/libselinux-3.3-rc3.tar.gz
/libselinux-3.3.tar.gz
/libselinux-3.4-rc1.tar.gz
/libselinux-3.4-rc2.tar.gz
/libselinux-3.4-rc3.tar.gz
/libselinux-3.4.tar.gz
/libselinux-3.5-rc1.tar.gz
/libselinux-3.5-rc2.tar.gz
/libselinux-3.5-rc3.tar.gz
/libselinux-3.5.tar.gz
/libselinux-3.6-rc1.tar.gz
/libselinux-3.6-rc2.tar.gz
/libselinux-3.6.tar.gz
/libselinux-3.7.tar.gz
/libselinux-3.7.tar.gz.asc
/libselinux-3.8-rc1.tar.gz
/libselinux-3.8-rc1.tar.gz.asc
/libselinux-3.8-rc3.tar.gz
/libselinux-3.8-rc3.tar.gz.asc
/libselinux-3.8.tar.gz
/libselinux-3.8.tar.gz.asc

1
.libselinux.metadata
View File

@ -1 +0,0 @@
c53911ee9da673f7653ab1afe66c0b2bf5fb5ac9 SOURCES/libselinux-2.9.tar.gz

1362
0001-Use-SHA-2-instead-of-SHA-1.patch Normal file
View File

File diff suppressed because it is too large Load Diff

101
0002-libselinux-prioritize-local-literal-fcontext-definit.patch Normal file
View File

@ -0,0 +1,101 @@
From 6a9958d504853efa4e36900398490afe05a1134c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Thu, 17 Apr 2025 21:08:11 +0200
Subject: [PATCH] libselinux: prioritize local literal fcontext definitions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
For literal file context definitions respect overrides from homedirs or
local configurations by ordering them first.
Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
Reported-by: Paul Holzinger
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2360183
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libselinux/src/label_file.c | 5 +++--
libselinux/src/label_file.h | 10 +++++++++-
libselinux/src/selinux_internal.h | 2 ++
3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 2c7615174e5f..d1d1d01c769f 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -480,7 +480,7 @@ static int load_mmap_ctxarray(struct mmap_area *mmap_area, const char *path, str
return 0;
}
-static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating,
+static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating, uint8_t inputno,
struct literal_spec *lspec, const struct context_array *ctx_array)
{
uint32_t data_u32, ctx_id;
@@ -489,6 +489,7 @@ static int load_mmap_literal_spec(struct mmap_area *mmap_area, bool validating,
int rc;
lspec->from_mmap = true;
+ lspec->inputno = inputno;
/*
@@ -732,7 +733,7 @@ static int load_mmap_spec_node(struct mmap_area *mmap_area, const char *path, bo
node->literal_specs_alloc = lspec_num;
for (uint32_t i = 0; i < lspec_num; i++) {
- rc = load_mmap_literal_spec(mmap_area, validating, &node->literal_specs[i], ctx_array);
+ rc = load_mmap_literal_spec(mmap_area, validating, inputno, &node->literal_specs[i], ctx_array);
if (rc)
return -1;
}
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index 60ebbb472dda..eb7239719a85 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -96,6 +96,7 @@ struct literal_spec {
char *regex_str; /* original regular expression string for diagnostics */
char *literal_match; /* simplified string from regular expression */
uint16_t prefix_len; /* length of fixed path prefix, i.e. length of the literal match */
+ uint8_t inputno; /* Input number of source file */
uint8_t file_kind; /* file type */
bool any_matches; /* whether any pathname match */
bool from_mmap; /* whether this spec is from an mmap of the data */
@@ -368,7 +369,13 @@ static inline int compare_literal_spec(const void *p1, const void *p2)
return ret;
/* Order wildcard mode (0) last */
- return (l1->file_kind < l2->file_kind) - (l1->file_kind > l2->file_kind);
+ ret = spaceship_cmp(l1->file_kind, l2->file_kind);
+ if (ret)
+ return -ret;
+
+ /* Order by input number (higher number means added later, means higher priority) */
+ ret = spaceship_cmp(l1->inputno, l2->inputno);
+ return -ret;
}
static inline int compare_spec_node(const void *p1, const void *p2)
@@ -746,6 +753,7 @@ static int insert_spec(const struct selabel_handle *rec, struct saved_data *data
.regex_str = regex,
.prefix_len = prefix_len,
.literal_match = literal_regex,
+ .inputno = inputno,
.file_kind = file_kind,
.any_matches = false,
.lr.ctx_raw = context,
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 964b84189649..3fe7d4c3953a 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -150,4 +150,6 @@ static inline void fclose_errno_safe(FILE *stream)
# define unlikely(x) (x)
#endif /* __GNUC__ */
+#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
+
#endif /* SELINUX_INTERNAL_H_ */
--
2.49.0

38
0003-libselinux-Revert-part-of-previous-patch.patch Normal file
View File

@ -0,0 +1,38 @@
From 3d7fb67ad45a7fa7efe24ca81ce6abceaa3a7d64 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 27 May 2025 14:17:49 +0200
Subject: [PATCH] libselinux: Revert part of previous patch
Content-type: text/plain
These four lines should be removed. It makes sense to consider the
wildcard mode as less specific and give priority to a rule that is not
using a wildcard, but that is not how it was done in the past and that
is not (from my testing) what is being done if a regex is involved. So
for both consistency and in keeping with past practice, we should not
use the file kind to sort here.
Proposed-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
libselinux/src/label_file.h | 5 -----
1 file changed, 5 deletions(-)
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index eb7239719a85..284028a054ce 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -368,11 +368,6 @@ static inline int compare_literal_spec(const void *p1, const void *p2)
if (ret)
return ret;
- /* Order wildcard mode (0) last */
- ret = spaceship_cmp(l1->file_kind, l2->file_kind);
- if (ret)
- return -ret;
-
/* Order by input number (higher number means added later, means higher priority) */
ret = spaceship_cmp(l1->inputno, l2->inputno);
return -ret;
--
2.49.0

31
SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
View File

@ -1,31 +0,0 @@
From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Wed, 16 Jul 2014 08:28:03 +0200
Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
---
libselinux/man/man8/selinux.8 | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index e37aee68..bf23b655 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.BR sepolicy (8),
.BR system-config-selinux (8),
.BR togglesebool (8),
-.BR restorecon (8),
.BR fixfiles (8),
+.BR restorecon (8),
.BR setfiles (8),
.BR semanage (8),
.BR sepolicy (8)
+.BR seinfo (8),
+.BR sesearch (8)
Every confined service on the system has a man page in the following format:
.br
--
2.21.0

214
SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
View File

@ -1,214 +0,0 @@
From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 23 Dec 2013 09:50:54 -0500
Subject: [PATCH] Verify context input to funtions to make sure the context
field is not null.
Return errno EINVAL, to prevent segfault.
Rejected by upstream https://marc.info/?l=selinux&m=145036088424584&w=2
FIXME: use __attribute__(nonnull (arg-index, ...))
---
libselinux/src/avc_sidtab.c | 5 +++++
libselinux/src/canonicalize_context.c | 5 +++++
libselinux/src/check_context.c | 5 +++++
libselinux/src/compute_av.c | 5 +++++
libselinux/src/compute_create.c | 5 +++++
libselinux/src/compute_member.c | 5 +++++
libselinux/src/compute_relabel.c | 5 +++++
libselinux/src/compute_user.c | 5 +++++
libselinux/src/fsetfilecon.c | 8 ++++++--
libselinux/src/lsetfilecon.c | 9 +++++++--
libselinux/src/setfilecon.c | 8 ++++++--
11 files changed, 59 insertions(+), 6 deletions(-)
diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
index 9669264d..c7754305 100644
--- a/libselinux/src/avc_sidtab.c
+++ b/libselinux/src/avc_sidtab.c
@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
int hvalue, rc = 0;
struct sidtab_node *cur;
+ if (! ctx) {
+ errno=EINVAL;
+ return -1;
+ }
+
*sid = NULL;
hvalue = sidtab_hash(ctx);
diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
index ba4c9a2c..c8158725 100644
--- a/libselinux/src/canonicalize_context.c
+++ b/libselinux/src/canonicalize_context.c
@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
size_t size;
int fd, ret;
+ if (! con) {
+ errno=EINVAL;
+ return -1;
+ }
+
if (!selinux_mnt) {
errno = ENOENT;
return -1;
diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
index 8a7997f0..5be84348 100644
--- a/libselinux/src/check_context.c
+++ b/libselinux/src/check_context.c
@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
char path[PATH_MAX];
int fd, ret;
+ if (! con) {
+ errno=EINVAL;
+ return -1;
+ }
+
if (!selinux_mnt) {
errno = ENOENT;
return -1;
diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
index a47cffe9..6d285a2e 100644
--- a/libselinux/src/compute_av.c
+++ b/libselinux/src/compute_av.c
@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon,
return -1;
}
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
snprintf(path, sizeof path, "%s/access", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
index 0975aeac..3e6a48c1 100644
--- a/libselinux/src/compute_create.c
+++ b/libselinux/src/compute_create.c
@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
return -1;
}
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
snprintf(path, sizeof path, "%s/create", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
index 4e2d221e..d1dd9772 100644
--- a/libselinux/src/compute_member.c
+++ b/libselinux/src/compute_member.c
@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
return -1;
}
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
snprintf(path, sizeof path, "%s/member", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
index 49f77ef3..c3db7c0a 100644
--- a/libselinux/src/compute_relabel.c
+++ b/libselinux/src/compute_relabel.c
@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
return -1;
}
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
index 7b881215..401fd107 100644
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
return -1;
}
+ if (! scon) {
+ errno=EINVAL;
+ return -1;
+ }
+
snprintf(path, sizeof path, "%s/user", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
index 52707d05..0cbe12d8 100644
--- a/libselinux/src/fsetfilecon.c
+++ b/libselinux/src/fsetfilecon.c
@@ -9,8 +9,12 @@
int fsetfilecon_raw(int fd, const char * context)
{
- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
- 0);
+ int rc;
+ if (! context) {
+ errno=EINVAL;
+ return -1;
+ }
+ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
if (rc < 0 && errno == ENOTSUP) {
char * ccontext = NULL;
int err = errno;
diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
index 1d3b28a1..ea6d70b7 100644
--- a/libselinux/src/lsetfilecon.c
+++ b/libselinux/src/lsetfilecon.c
@@ -9,8 +9,13 @@
int lsetfilecon_raw(const char *path, const char * context)
{
- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
- 0);
+ int rc;
+ if (! context) {
+ errno=EINVAL;
+ return -1;
+ }
+
+ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
if (rc < 0 && errno == ENOTSUP) {
char * ccontext = NULL;
int err = errno;
diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
index d05969c6..3f0200e8 100644
--- a/libselinux/src/setfilecon.c
+++ b/libselinux/src/setfilecon.c
@@ -9,8 +9,12 @@
int setfilecon_raw(const char *path, const char * context)
{
- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
- 0);
+ int rc;
+ if (! context) {
+ errno=EINVAL;
+ return -1;
+ }
+ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
if (rc < 0 && errno == ENOTSUP) {
char * ccontext = NULL;
int err = errno;
--
2.21.0

39
SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
View File

@ -1,39 +0,0 @@
From a6e839be2c5a77c22a8c72cad001e3f87eaedf2e Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 11 Mar 2019 15:26:43 +0100
Subject: [PATCH] libselinux: Allow to override OVERRIDE_GETTID from command
line
$ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ...
Drop this as soon as glibc-2.30 will become real 2.30 version, see
https://bugzilla.redhat.com/show_bug.cgi?id=1685594
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/procattr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
index c6799ef2..cbb6824e 100644
--- a/libselinux/src/procattr.c
+++ b/libselinux/src/procattr.c
@@ -24,6 +24,7 @@ static __thread char destructor_initialized;
/* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and
* has a definition for it */
+#ifndef OVERRIDE_GETTID
#ifdef __BIONIC__
#define OVERRIDE_GETTID 0
#elif !defined(__GLIBC_PREREQ)
@@ -33,6 +34,7 @@ static __thread char destructor_initialized;
#else
#define OVERRIDE_GETTID 0
#endif
+#endif
#if OVERRIDE_GETTID
static pid_t gettid(void)
--
2.21.0

55
SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch
View File

@ -1,55 +0,0 @@
From be420729fbf4adc8b32ca3722fa6ca46bb51413d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 27 Feb 2019 09:37:17 +0100
Subject: [PATCH] Bring some old permission and flask constants back to Python
bindings
---
libselinux/src/selinuxswig.i | 4 ++++
libselinux/src/selinuxswig_python.i | 3 ++-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i
index dbdb4c3d..9c5b9263 100644
--- a/libselinux/src/selinuxswig.i
+++ b/libselinux/src/selinuxswig.i
@@ -5,7 +5,9 @@
%module selinux
%{
#include "../include/selinux/avc.h"
+ #include "../include/selinux/av_permissions.h"
#include "../include/selinux/context.h"
+ #include "../include/selinux/flask.h"
#include "../include/selinux/get_context_list.h"
#include "../include/selinux/get_default_type.h"
#include "../include/selinux/label.h"
@@ -58,7 +60,9 @@
%ignore avc_netlink_check_nb;
%include "../include/selinux/avc.h"
+%include "../include/selinux/av_permissions.h"
%include "../include/selinux/context.h"
+%include "../include/selinux/flask.h"
%include "../include/selinux/get_context_list.h"
%include "../include/selinux/get_default_type.h"
%include "../include/selinux/label.h"
diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
index 4c73bf92..6eaab081 100644
--- a/libselinux/src/selinuxswig_python.i
+++ b/libselinux/src/selinuxswig_python.i
@@ -1,10 +1,11 @@
/* Author: James Athey
*/
-/* Never build rpm_execcon interface */
+/* Never build rpm_execcon interface unless you need to have ACG compatibility
#ifndef DISABLE_RPM
#define DISABLE_RPM
#endif
+*/
%module selinux
%{
--
2.21.0

32
SOURCES/0005-libselinux-add-missing-av_permission-values.patch
View File

@ -1,32 +0,0 @@
From 903c54bf62ffba3c95e22e74c9c43838cd3935a0 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 28 Feb 2017 16:12:43 +0100
Subject: [PATCH] libselinux: add missing av_permission values
Add missing av_permission values to av_permissions.h for the sake of
completeness (this interface is obsolete - these values are now
obtained at runtime).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1025931
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libselinux/include/selinux/av_permissions.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/include/selinux/av_permissions.h b/libselinux/include/selinux/av_permissions.h
index c1269af9..631f0276 100644
--- a/libselinux/include/selinux/av_permissions.h
+++ b/libselinux/include/selinux/av_permissions.h
@@ -876,6 +876,8 @@
#define NSCD__SHMEMHOST 0x00000080UL
#define NSCD__GETSERV 0x00000100UL
#define NSCD__SHMEMSERV 0x00000200UL
+#define NSCD__GETNETGRP 0x00000400UL
+#define NSCD__SHMEMNETGRP 0x00000800UL
#define ASSOCIATION__SENDTO 0x00000001UL
#define ASSOCIATION__RECVFROM 0x00000002UL
#define ASSOCIATION__SETCONTEXT 0x00000004UL
--
2.21.0

177
SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
View File

@ -1,177 +0,0 @@
From 67d490a38a319126f371eaf66a5fc922d7005b1f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 16 May 2019 15:01:59 +0200
Subject: [PATCH] libselinux: Use Python distutils to install SELinux python
bindings
SWIG-4.0 changed its behavior so that it uses: from . import _selinux which
looks for _selinux module in the same directory as where __init__.py is -
$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into
$(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location
of _selinux.so").
In order to prevent such breakage in future use Python's distutils instead of
building and installing python bindings manually in Makefile.
Fixes:
>>> import selinux
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in <module>
from . import _selinux
ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)
>>>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/.gitignore | 2 +-
libselinux/src/Makefile | 37 ++++++++-----------------------------
libselinux/src/setup.py | 24 ++++++++++++++++++++++++
3 files changed, 33 insertions(+), 30 deletions(-)
create mode 100644 libselinux/src/setup.py
diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore
index 4dcc3b3b..428afe5a 100644
--- a/libselinux/src/.gitignore
+++ b/libselinux/src/.gitignore
@@ -1,4 +1,4 @@
selinux.py
-selinuxswig_wrap.c
+selinuxswig_python_wrap.c
selinuxswig_python_exception.i
selinuxswig_ruby_wrap.c
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index e9ed0383..826c830c 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -36,7 +36,7 @@ TARGET=libselinux.so
LIBPC=libselinux.pc
SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i
SWIGRUBYIF= selinuxswig_ruby.i
-SWIGCOUT= selinuxswig_wrap.c
+SWIGCOUT= selinuxswig_python_wrap.c
SWIGPYOUT= selinux.py
SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT))
@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),)
LDLIBS_LIBSEPOLA := -l:libsepol.a
endif
-GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
+GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i
SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
MAX_STACK_SIZE=32768
@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
SRCS:= $(filter-out label_backends_android.c, $(SRCS))
endif
-SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
-
SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
all: $(LIBA) $(LIBSO) $(LIBPC)
-pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
+pywrap: all selinuxswig_python_exception.i
+ CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
rubywrap: all $(SWIGRUBYSO)
-$(SWIGLOBJ): $(SWIGCOUT)
- $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
-
$(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
-$(SWIGSO): $(SWIGLOBJ)
- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS)
-
$(SWIGRUBYSO): $(SWIGRUBYLOBJ)
$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS)
@@ -161,29 +154,15 @@ $(LIBPC): $(LIBPC).in ../VERSION
selinuxswig_python_exception.i: ../include/selinux/selinux.h
bash -e exception.sh > $@ || (rm -f $@ ; false)
-$(AUDIT2WHYLOBJ): audit2why.c
- $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
-
-$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
-
%.o: %.c policy.h
$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
%.lo: %.c policy.h
$(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
-$(SWIGCOUT): $(SWIGIF)
- $(SWIG) $<
-
-$(SWIGPYOUT): $(SWIGCOUT)
-
$(SWIGRUBYCOUT): $(SWIGRUBYIF)
$(SWIGRUBY) $<
-swigify: $(SWIGIF)
- $(SWIG) $<
-
install: all
test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
@@ -194,10 +173,8 @@ install: all
ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
install-pywrap: pywrap
- test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux
- install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
- install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT)
- install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+ $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
+ install -m 644 selinux.py $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
install-rubywrap: rubywrap
test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL)
@@ -208,6 +185,8 @@ relabel:
clean-pywrap:
-rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
+ $(PYTHON) setup.py clean
+ -rm -rf build *~ \#* *pyc .#*
clean-rubywrap:
-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py
new file mode 100644
index 00000000..b12e7869
--- /dev/null
+++ b/libselinux/src/setup.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python3
+
+from distutils.core import Extension, setup
+
+setup(
+ name="selinux",
+ version="2.9",
+ description="SELinux python 3 bindings",
+ author="SELinux Project",
+ author_email="selinux@vger.kernel.org",
+ ext_modules=[
+ Extension('selinux._selinux',
+ sources=['selinuxswig_python.i'],
+ include_dirs=['../include'],
+ library_dirs=['.'],
+ libraries=['selinux']),
+ Extension('selinux.audit2why',
+ sources=['audit2why.c'],
+ include_dirs=['../include'],
+ library_dirs=['.'],
+ libraries=['selinux'],
+ extra_link_args=['-l:libsepol.a'])
+ ],
+)
--
2.21.0

44
SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
View File

@ -1,44 +0,0 @@
From 6ec8116ee64a25a0c5eb543f0b12ed25f1348c45 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 27 Jun 2019 11:17:13 +0200
Subject: [PATCH] libselinux: Do not use SWIG_CFLAGS when Python bindings are
built
Fixes:
https://rpmdiff.engineering.redhat.com/run/410372/7/
Detecting usr/lib64/python3.6/site-packages/selinux/audit2why.cpython-36m-x86_64-linux-gnu.so with not-hardened warnings '
Hardened: audit2why.cpython-36m-x86_64-linux-gnu.so: FAIL: Gaps were detected in the annobin coverage. Run with -v to list.
' on x86_64
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/Makefile | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 826c830c..f64f23a8 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -104,9 +104,6 @@ FTS_LDLIBS ?=
override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
-SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
- -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
-
RANLIB ?= ranlib
ARCH := $(patsubst i%86,i386,$(shell uname -m))
@@ -130,7 +127,7 @@ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
all: $(LIBA) $(LIBSO) $(LIBPC)
pywrap: all selinuxswig_python_exception.i
- CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+ $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
rubywrap: all $(SWIGRUBYSO)
--
2.21.0

66
SOURCES/0008-Fix-mcstrans-secolor-examples.patch
View File

@ -1,66 +0,0 @@
From 90a4f2b9a5194a2d1ab4c45b7a90bbb6c8099a68 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 2 Jul 2019 14:09:05 +0200
Subject: [PATCH] Fix mcstrans secolor examples
According to "check_dominance" function:
Range defined as "s15:c0.c1023" does not dominate any other range than
"s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
While range defined as "s15-s15:c0.c1023" dominates all of the above.
This is either a bug, or "s15:c0.c1023" should not be used in the
examples.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libselinux/man/man5/secolor.conf.5 | 4 ++--
libselinux/man/ru/man5/secolor.conf.5 | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
index b834577a..a3bf2da1 100644
--- a/libselinux/man/man5/secolor.conf.5
+++ b/libselinux/man/man5/secolor.conf.5
@@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red
.br
range s9\-s9:c0.c1023 = black orange
.br
-range s15:c0.c1023 = black yellow
+range s15\-s15:c0.c1023 = black yellow
.RE
.sp
@@ -165,7 +165,7 @@ type xguest_t = black green
.br
user sysadm_u = white black
.br
-range s0:c0.c1023 = black white
+range s0-s0:c0.c1023 = black white
.br
user * = black white
.br
diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5
index 4c1236ae..bcae80c1 100644
--- a/libselinux/man/ru/man5/secolor.conf.5
+++ b/libselinux/man/ru/man5/secolor.conf.5
@@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red
.br
range s9\-s9:c0.c1023 = black orange
.br
-range s15:c0.c1023 = black yellow
+range s15\-s15:c0.c1023 = black yellow
.RE
.sp
@@ -163,7 +163,7 @@ type xguest_t = black green
.br
user sysadm_u = white black
.br
-range s0:c0.c1023 = black white
+range s0\-s0:c0.c1023 = black white
.br
user * = black white
.br
--
2.21.0

354
SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch
View File

@ -1,354 +0,0 @@
From bfee1a3131580a7b9d8a7366764b8e78d99a9f1b Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 17 Feb 2020 21:47:35 +0100
Subject: [PATCH] libselinux: Eliminate use of security_compute_user()
get_ordered_context_list() code used to ask the kernel to compute the complete
set of reachable contexts using /sys/fs/selinux/user aka
security_compute_user(). This set can be so huge so that it doesn't fit into a
kernel page and security_compute_user() fails. Even if it doesn't fail,
get_ordered_context_list() throws away the vast majority of the returned
contexts because they don't match anything in
/etc/selinux/targeted/contexts/default_contexts or
/etc/selinux/targeted/contexts/users/
get_ordered_context_list() is rewritten to compute set of contexts based on
/etc/selinux/targeted/contexts/users/ and
/etc/selinux/targeted/contexts/default_contexts files and to return only valid
contexts, using security_check_context(), from this set.
Fixes: https://github.com/SELinuxProject/selinux/issues/28
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/get_context_list.c | 212 +++++++++++++-----------------
1 file changed, 93 insertions(+), 119 deletions(-)
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 689e4658..26d7b3b9 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -2,6 +2,7 @@
#include <errno.h>
#include <stdio.h>
#include <stdio_ext.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
@@ -114,64 +115,41 @@ int get_default_context(const char *user,
return 0;
}
-static int find_partialcon(char ** list,
- unsigned int nreach, char *part)
+static int is_in_reachable(char **reachable, const char *usercon_str)
{
- const char *conrole, *contype;
- char *partrole, *parttype, *ptr;
- context_t con;
- unsigned int i;
+ if (!reachable)
+ return 0;
- partrole = part;
- ptr = part;
- while (*ptr && !isspace(*ptr) && *ptr != ':')
- ptr++;
- if (*ptr != ':')
- return -1;
- *ptr++ = 0;
- parttype = ptr;
- while (*ptr && !isspace(*ptr) && *ptr != ':')
- ptr++;
- *ptr = 0;
-
- for (i = 0; i < nreach; i++) {
- con = context_new(list[i]);
- if (!con)
- return -1;
- conrole = context_role_get(con);
- contype = context_type_get(con);
- if (!conrole || !contype) {
- context_free(con);
- return -1;
- }
- if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
- context_free(con);
- return i;
+ for (; *reachable != NULL; reachable++) {
+ if (strcmp(*reachable, usercon_str) == 0) {
+ return 1;
}
- context_free(con);
}
-
- return -1;
+ return 0;
}
-static int get_context_order(FILE * fp,
+static int get_context_user(FILE * fp,
char * fromcon,
- char ** reachable,
- unsigned int nreach,
- unsigned int *ordering, unsigned int *nordered)
+ const char * user,
+ char ***reachable,
+ unsigned int *nreachable)
{
char *start, *end = NULL;
char *line = NULL;
- size_t line_len = 0;
+ size_t line_len = 0, usercon_len;
+ size_t user_len = strlen(user);
ssize_t len;
int found = 0;
- const char *fromrole, *fromtype;
+ const char *fromrole, *fromtype, *fromlevel;
char *linerole, *linetype;
- unsigned int i;
+ char **new_reachable = NULL;
+ char *usercon_str;
context_t con;
+ context_t usercon;
+
int rc;
- errno = -EINVAL;
+ errno = EINVAL;
/* Extract the role and type of the fromcon for matching.
User identity and MLS range can be variable. */
@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
return -1;
fromrole = context_role_get(con);
fromtype = context_type_get(con);
+ fromlevel = context_range_get(con);
if (!fromrole || !fromtype) {
context_free(con);
return -1;
@@ -243,23 +222,75 @@ static int get_context_order(FILE * fp,
if (*end)
*end++ = 0;
- /* Check for a match in the reachable list. */
- rc = find_partialcon(reachable, nreach, start);
- if (rc < 0) {
- /* No match, skip it. */
+ /* Check whether a new context is valid */
+ if (SIZE_MAX - user_len < strlen(start) + 2) {
+ fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
+ errno = EINVAL;
+ rc = -1;
+ goto out;
+ }
+ usercon_len = user_len + strlen(start) + 2;
+ usercon_str = malloc(usercon_len);
+ if (!usercon_str) {
+ rc = -1;
+ goto out;
+ }
+
+ /* set range from fromcon in the new usercon */
+ snprintf(usercon_str, usercon_len, "%s:%s", user, start);
+ usercon = context_new(usercon_str);
+ if (!usercon) {
+ if (errno != EINVAL) {
+ free(usercon_str);
+ rc = -1;
+ goto out;
+ }
+ fprintf(stderr,
+ "%s: can't create a context from %s, skipping\n",
+ __FUNCTION__, usercon_str);
+ free(usercon_str);
start = end;
continue;
}
+ free(usercon_str);
+ if (context_range_set(usercon, fromlevel) != 0) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ usercon_str = context_str(usercon);
+ if (!usercon_str) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
- /* If a match is found and the entry is not already ordered
- (e.g. due to prior match in prior config file), then set
- the ordering for it. */
- i = rc;
- if (ordering[i] == nreach)
- ordering[i] = (*nordered)++;
+ /* check whether usercon is already in reachable */
+ if (is_in_reachable(*reachable, usercon_str)) {
+ context_free(usercon);
+ start = end;
+ continue;
+ }
+ if (security_check_context(usercon_str) == 0) {
+ new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
+ if (!new_reachable) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ *reachable = new_reachable;
+ new_reachable[*nreachable] = strdup(usercon_str);
+ if (new_reachable[*nreachable] == NULL) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ new_reachable[*nreachable + 1] = 0;
+ *nreachable += 1;
+ }
+ context_free(usercon);
start = end;
}
-
rc = 0;
out:
@@ -313,21 +344,6 @@ static int get_failsafe_context(const char *user, char ** newcon)
return 0;
}
-struct context_order {
- char * con;
- unsigned int order;
-};
-
-static int order_compare(const void *A, const void *B)
-{
- const struct context_order *c1 = A, *c2 = B;
- if (c1->order < c2->order)
- return -1;
- else if (c1->order > c2->order)
- return 1;
- return strcmp(c1->con, c2->con);
-}
-
int get_ordered_context_list_with_level(const char *user,
const char *level,
char * fromcon,
@@ -395,11 +411,8 @@ int get_ordered_context_list(const char *user,
char *** list)
{
char **reachable = NULL;
- unsigned int *ordering = NULL;
- struct context_order *co = NULL;
- char **ptr;
int rc = 0;
- unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
+ unsigned nreachable = 0, freefrom = 0;
FILE *fp;
char *fname = NULL;
size_t fname_len;
@@ -413,23 +426,6 @@ int get_ordered_context_list(const char *user,
freefrom = 1;
}
- /* Determine the set of reachable contexts for the user. */
- rc = security_compute_user(fromcon, user, &reachable);
- if (rc < 0)
- goto failsafe;
- nreach = 0;
- for (ptr = reachable; *ptr; ptr++)
- nreach++;
- if (!nreach)
- goto failsafe;
-
- /* Initialize ordering array. */
- ordering = malloc(nreach * sizeof(unsigned int));
- if (!ordering)
- goto failsafe;
- for (i = 0; i < nreach; i++)
- ordering[i] = nreach;
-
/* Determine the ordering to apply from the optional per-user config
and from the global config. */
fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@@ -440,8 +436,8 @@ int get_ordered_context_list(const char *user,
fp = fopen(fname, "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
- &nordered);
+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+
fclose(fp);
if (rc < 0 && errno != ENOENT) {
fprintf(stderr,
@@ -454,8 +450,7 @@ int get_ordered_context_list(const char *user,
fp = fopen(selinux_default_context_path(), "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
- &nordered);
+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
fclose(fp);
if (rc < 0 && errno != ENOENT) {
fprintf(stderr,
@@ -463,40 +458,19 @@ int get_ordered_context_list(const char *user,
__FUNCTION__, selinux_default_context_path());
/* Fall through */
}
- rc = 0;
}
- if (!nordered)
+ if (!nreachable)
goto failsafe;
- /* Apply the ordering. */
- co = malloc(nreach * sizeof(struct context_order));
- if (!co)
- goto failsafe;
- for (i = 0; i < nreach; i++) {
- co[i].con = reachable[i];
- co[i].order = ordering[i];
- }
- qsort(co, nreach, sizeof(struct context_order), order_compare);
- for (i = 0; i < nreach; i++)
- reachable[i] = co[i].con;
- free(co);
-
- /* Only report the ordered entries to the caller. */
- if (nordered <= nreach) {
- for (i = nordered; i < nreach; i++)
- free(reachable[i]);
- reachable[nordered] = NULL;
- rc = nordered;
- }
-
out:
- if (rc > 0)
+ if (nreachable > 0) {
*list = reachable;
+ rc = nreachable;
+ }
else
freeconary(reachable);
- free(ordering);
if (freefrom)
freecon(fromcon);
@@ -519,7 +493,7 @@ int get_ordered_context_list(const char *user,
reachable = NULL;
goto out;
}
- rc = 1; /* one context in the list */
+ nreachable = 1; /* one context in the list */
goto out;
}
--
2.25.4

168
SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch
View File

@ -1,168 +0,0 @@
From d4c22fcd5943fe35db648dee971f631d40b3eb94 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 20 Feb 2020 10:40:19 -0500
Subject: [PATCH] libselinux: deprecate security_compute_user(), update man
pages
commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
use of security_compute_user()") eliminated the use of
security_compute_user() by get_ordered_context_list(). Deprecate
all use of security_compute_user() by updating the headers and man
pages and logging a warning message on any calls to it. Remove
the example utility that called the interface. While here, also
fix the documentation of correct usage of the user argument to these
interfaces.
Fixes: https://github.com/SELinuxProject/selinux/issues/70
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/include/selinux/selinux.h | 8 +++-
.../man/man3/get_ordered_context_list.3 | 24 +++++++++---
libselinux/man/man3/security_compute_av.3 | 5 ++-
libselinux/src/compute_user.c | 3 ++
libselinux/utils/compute_user.c | 38 -------------------
5 files changed, 31 insertions(+), 47 deletions(-)
delete mode 100644 libselinux/utils/compute_user.c
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index a34d54fc..a5ada324 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -246,8 +246,12 @@ extern int security_compute_member_raw(const char * scon,
security_class_t tclass,
char ** newcon);
-/* Compute the set of reachable user contexts and set *con to refer to
- the NULL-terminated array of contexts. Caller must free via freeconary. */
+/*
+ * Compute the set of reachable user contexts and set *con to refer to
+ * the NULL-terminated array of contexts. Caller must free via freeconary.
+ * These interfaces are deprecated. Use get_ordered_context_list() or
+ * one of its variant interfaces instead.
+ */
extern int security_compute_user(const char * scon,
const char *username,
char *** con);
diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
index e084da40..3ed14a96 100644
--- a/libselinux/man/man3/get_ordered_context_list.3
+++ b/libselinux/man/man3/get_ordered_context_list.3
@@ -26,14 +26,28 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
.BI "int get_default_type(const char *" role ", char **" type );
.
.SH "DESCRIPTION"
+
+This family of functions can be used to obtain either a prioritized list of
+all reachable security contexts for a given SELinux user or a single default
+(highest priority) context for a given SELinux user for use by login-like
+programs. These functions takes a SELinux user identity that must
+be defined in the SELinux policy as their input, not a Linux username.
+Most callers should typically first call
+.BR getseuserbyname(3)
+to look up the SELinux user identity and level for a given
+Linux username and then invoke one of
+.BR get_ordered_context_list_with_level ()
+or
+.BR get_default_context_with_level ()
+with the returned SELinux user and level as inputs.
+
.BR get_ordered_context_list ()
-invokes the
-.BR security_compute_user (3)
-function to obtain the list of contexts for the specified
+obtains the list of contexts for the specified
+SELinux
.I user
-that are reachable from the specified
+identity that are reachable from the specified
.I fromcon
-context. The function then orders the resulting list based on the global
+context based on the global
.I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
file and the per-user
.I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index 2aade5fe..8e1f746a 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -97,8 +97,9 @@ instance.
.BR security_compute_user ()
is used to determine the set of user contexts that can be reached from a
-source context. It is mainly used by
-.BR get_ordered_context_list ().
+source context. This function is deprecated; use
+.BR get_ordered_context_list (3)
+instead.
.BR security_get_initial_context ()
is used to get the context of a kernel initial security identifier specified by
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
index 401fd107..0f55de84 100644
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@@ -8,6 +8,7 @@
#include "selinux_internal.h"
#include "policy.h"
#include <limits.h>
+#include "callbacks.h"
int security_compute_user_raw(const char * scon,
const char *user, char *** con)
@@ -24,6 +25,8 @@ int security_compute_user_raw(const char * scon,
return -1;
}
+ selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
+
if (! scon) {
errno=EINVAL;
return -1;
diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
deleted file mode 100644
index cae62b26..00000000
--- a/libselinux/utils/compute_user.c
+++ /dev/null
@@ -1,38 +0,0 @@
-#include <unistd.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <string.h>
-#include <ctype.h>
-#include <selinux/selinux.h>
-
-int main(int argc, char **argv)
-{
- char **buf, **ptr;
- int ret;
-
- if (argc != 3) {
- fprintf(stderr, "usage: %s context user\n", argv[0]);
- exit(1);
- }
-
- ret = security_compute_user(argv[1], argv[2], &buf);
- if (ret < 0) {
- fprintf(stderr, "%s: security_compute_user(%s,%s) failed\n",
- argv[0], argv[1], argv[2]);
- exit(2);
- }
-
- if (!buf[0]) {
- printf("none\n");
- exit(0);
- }
-
- for (ptr = buf; *ptr; ptr++) {
- printf("%s\n", *ptr);
- }
- freeconary(buf);
- exit(0);
-}
--
2.25.4

39
SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
View File

@ -1,39 +0,0 @@
From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 10 Feb 2021 18:05:29 +0100
Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
Describe which type of regular expression is used in file context
definitions and which flags are in effect.
Explain how local file context modifications are processed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/man/man5/selabel_file.5 | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
index e97bd826..baba7776 100644
--- a/libselinux/man/man5/selabel_file.5
+++ b/libselinux/man/man5/selabel_file.5
@@ -125,7 +125,14 @@ Where:
.RS
.I pathname
.RS
-An entry that defines the pathname that may be in the form of a regular expression.
+An entry that defines the path to be labeled.
+May contain either a fully qualified path,
+or a Perl compatible regular expression (PCRE),
+describing fully qualified path(s).
+The only PCRE flag in use is PCRE2_DOTALL,
+which causes a wildcard '.' to match anything, including a new line.
+Strings representing paths are processed as bytes (as opposed to Unicode),
+meaning that non-ASCII characters are not matched by a single wildcard.
.RE
.I file_type
.RS
--
2.35.3

88
SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch
View File

@ -1,88 +0,0 @@
From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 17 Feb 2022 14:14:15 +0100
Subject: [PATCH] libselinux: Strip spaces before values in config
Spaces before values in /etc/selinux/config should be ignored just as
spaces after them are.
E.g. "SELINUXTYPE= targeted" should be a valid value.
Fixes:
# sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
# dnf install <any_package>
...
RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
RPM: error: Plugin selinux: hook tsm_pre failed
...
Error: Could not run transaction.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libselinux/src/selinux_config.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index b06cb63b..0892b87c 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce)
FILE *cfg = fopen(SELINUXCONFIG, "re");
if (cfg) {
char *buf;
+ char *tag;
int len = sizeof(SELINUXTAG) - 1;
buf = malloc(selinux_page_size);
if (!buf) {
@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce)
while (fgets_unlocked(buf, selinux_page_size, cfg)) {
if (strncmp(buf, SELINUXTAG, len))
continue;
+ tag = buf+len;
+ while (isspace(*tag))
+ tag++;
if (!strncasecmp
- (buf + len, "enforcing", sizeof("enforcing") - 1)) {
+ (tag, "enforcing", sizeof("enforcing") - 1)) {
*enforce = 1;
ret = 0;
break;
} else
if (!strncasecmp
- (buf + len, "permissive",
+ (tag, "permissive",
sizeof("permissive") - 1)) {
*enforce = 0;
ret = 0;
break;
} else
if (!strncasecmp
- (buf + len, "disabled",
+ (tag, "disabled",
sizeof("disabled") - 1)) {
*enforce = -1;
ret = 0;
@@ -177,7 +181,10 @@ static void init_selinux_config(void)
if (!strncasecmp(buf_p, SELINUXTYPETAG,
sizeof(SELINUXTYPETAG) - 1)) {
- type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
+ buf_p += sizeof(SELINUXTYPETAG) - 1;
+ while (isspace(*buf_p))
+ buf_p++;
+ type = strdup(buf_p);
if (!type)
return;
end = type + strlen(type) - 1;
@@ -199,6 +206,8 @@ static void init_selinux_config(void)
} else if (!strncmp(buf_p, REQUIRESEUSERS,
sizeof(REQUIRESEUSERS) - 1)) {
value = buf_p + sizeof(REQUIRESEUSERS) - 1;
+ while (isspace(*value))
+ value++;
intptr = &require_seusers;
} else {
continue;
--
2.35.3

46
SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
View File

@ -1,46 +0,0 @@
From 9a04499cebedac3f585c0240e6cf68f786ae62b7 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 31 Oct 2022 17:00:43 +0100
Subject: [PATCH] libselinux: Ignore missing directories when -i is used
Currently "-i" only ignores a file whose parent directory exists. Start also
ignoring paths with missing components.
Fixes:
# restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
255
restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libselinux/src/selinux_restorecon.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 5f189235..2ff73db6 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -820,6 +820,10 @@ int selinux_restorecon(const char *pathname_orig,
pathname = realpath(pathname_orig, NULL);
if (!pathname) {
free(basename_cpy);
+ /* missing parent directory */
+ if (flags.ignore_noent && errno == ENOENT) {
+ return 0;
+ }
goto realpatherr;
}
} else {
@@ -833,6 +837,9 @@ int selinux_restorecon(const char *pathname_orig,
free(dirname_cpy);
if (!pathdnamer) {
free(basename_cpy);
+ if (flags.ignore_noent && errno == ENOENT) {
+ return 0;
+ }
goto realpatherr;
}
if (!strcmp(pathdnamer, "/"))
--
2.37.3

42
SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
View File

@ -1,42 +0,0 @@
From 599f1ec818d50ffc9690fea8c03b5fe278f30ed4 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 7 Dec 2022 09:19:29 +0100
Subject: [PATCH] libselinux/restorecon: Fix memory leak - xattr_value
Fix memory leak introduced by commit
9a04499cebedac3f585c0240e6cf68f786ae62b7
libselinux: Ignore missing directories when -i is used
Error: RESOURCE_LEAK:
selinux_restorecon.c:804: alloc_fn: Storage is returned from allocation function "malloc".
selinux_restorecon.c:804: var_assign: Assigning: "xattr_value" = storage returned from "malloc(fc_digest_len)".
selinux_restorecon.c:825: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to.
Resolves: rhbz#2137965
---
libselinux/src/selinux_restorecon.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 2ff73db6..b3702764 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -822,6 +822,7 @@ int selinux_restorecon(const char *pathname_orig,
free(basename_cpy);
/* missing parent directory */
if (flags.ignore_noent && errno == ENOENT) {
+ free(xattr_value);
return 0;
}
goto realpatherr;
@@ -838,6 +839,7 @@ int selinux_restorecon(const char *pathname_orig,
if (!pathdnamer) {
free(basename_cpy);
if (flags.ignore_noent && errno == ENOENT) {
+ free(xattr_value);
return 0;
}
goto realpatherr;
--
2.37.3

48
SOURCES/0015-libselinux-restorecon-Include-selinux-label.h.patch
View File

@ -1,48 +0,0 @@
From 92afdbb47859ac019b8a4a6d6a597744582786b3 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 26 Jul 2024 17:59:15 +0200
Subject: [PATCH] libselinux/restorecon: Include <selinux/label.h>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
restorecon.h uses types defined in label.h, so it needs to include
label.h (or code using restorecon.h also needs to include label.h,
which is not practical).
Fixes:
$ make DESTDIR=~/obj install > make.out
In file included from semanage_store.c:39:
/home/sdsmall/obj/usr/include/selinux/restorecon.h:137:52: error:
struct selabel_handle declared inside parameter list will not be
visible outside of this definition or declaration [-Werror]
137 | extern void selinux_restorecon_set_sehandle(struct
selabel_handle *hndl);
| ^~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[2]: *** [Makefile:111: semanage_store.o] Error 1
make[1]: *** [Makefile:15: install] Error 2
make: *** [Makefile:40: install] Error 1
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/include/selinux/restorecon.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
index 595e7728..faa84eb2 100644
--- a/libselinux/include/selinux/restorecon.h
+++ b/libselinux/include/selinux/restorecon.h
@@ -1,6 +1,8 @@
#ifndef _RESTORECON_H_
#define _RESTORECON_H_
+#include <selinux/label.h>
+
#include <sys/types.h>
#include <stdarg.h>
--
2.43.0

34
SOURCES/0016-libselinux-Fix-NULL-pointer-use-in-selinux_restoreco.patch
View File

@ -1,34 +0,0 @@
From f232f9013f04234f0c9a457499ccc9ee2254d7b3 Mon Sep 17 00:00:00 2001
From: Ji Qin <jiqin.ji@huawei.com>
Date: Sun, 14 Jun 2020 21:20:23 -0400
Subject: [PATCH] libselinux: Fix NULL pointer use in
selinux_restorecon_set_sehandle
Content-type: text/plain
error occur when selinux_restorecon_default_handle return NULL in
restorecon_init.
fixes: https://github.com/SELinuxProject/selinux/issues/249
Signed-off-by: Ji Qin <jiqin.ji@huawei.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/src/selinux_restorecon.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index b37027640926..a57932c0602b 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -1062,6 +1062,8 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
size_t num_specfiles;
fc_sehandle = (struct selabel_handle *) hndl;
+ if (!fc_sehandle)
+ return;
/*
* Read digest if requested in selabel_open(3) and set global params.
--
2.48.1

34
SOURCES/0017-libselinux-Close-old-selabel-handle-when-setting-a-n.patch
View File

@ -1,34 +0,0 @@
From 2bbacbb31d18d9856ca13b6e49a2bfeb34b22b1b Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Wed, 22 Jan 2025 10:58:27 -0500
Subject: [PATCH] libselinux: Close old selabel handle when setting a new one
Content-type: text/plain
In selinux_restorecon_set_sehandle(), close the old selabel handle
(if it exists) before setting the new one.
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libselinux/src/selinux_restorecon.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index a57932c0602b..db56cc7e587b 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -1061,7 +1061,11 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
char **specfiles;
size_t num_specfiles;
- fc_sehandle = (struct selabel_handle *) hndl;
+ if (fc_sehandle) {
+ selabel_close(fc_sehandle);
+ }
+
+ fc_sehandle = (struct selabel_handle *) hndl;
if (!fc_sehandle)
return;
--
2.48.1

24
STAGE1-libselinux Normal file
View File

@ -0,0 +1,24 @@
# TLSFLAGS are set in order to avoid a bogus check in
# libselinux/src/Makefile.
srpm libselinux
mcd $BUILDDIR/t-libselinux
rsync -av $SRC/libselinux*/ ./
# libselinux uses $prefix/include for both -I and *.pc, which
# prevents cross compiling.
sed 's@-I$(INCLUDEDIR)@@' < src/Makefile > src/Makefile.stage1
mv src/Makefile.stage1 src/Makefile
make $J \
CC=${TARGET}-gcc \
AS=${TARGET}-as \
AR=${TARGET}-ar \
STRIP=${TARGET}-strip \
RANLIB=${TARGET}-ranlib \
CFLAGS="" \
TLSFLAGS="" \
all
ARGS="DESTDIR=${ROOTFS}"
if [ "$SUFFIX" = "64" ]
then
ARGS="$ARGS LIBDIR=${ROOTFS}/usr/lib64 SHLIBDIR=${ROOTFS}/usr/lib64"
fi
make $J $ARGS install

438
bachradsusi.gpg Normal file
View File

@ -0,0 +1,438 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBE97JQcBEAC/aeBxbuToAJokMiVxtMVFoUMgCbcVQDB21YhMq4i5a/HDzFno
qVPhQjGViGTKXQYR7SnT8CCfC3ggG7hqU0oaWKN3D003V6e/ivTJwMKrQRFqf5/A
vN7ELulXFxEt/ZjYmvTukpW5Li2AU7JBD0aO243Ld9jYdZOZn2zdfA8IpnE9Bmm3
K/LO1Xb2F9ujF9faI5/IlJvdUFk3uiCKTSvM8kGwOmAwBI921Z5x/CYvy5kKEazU
lUxMqECl+Tu2YS6NDhWYNkifAIZ7lsUvGjW3/wfh7AvmAQyt/CxOXu9LL2nGzFhw
CIS4jVIxy5bDswNfHcaMX7B5WEyqTPtjzPAEMiLL4yHJZrHDPd26QHSaqtilVA4K
AeTYbME8iZIdacquFEq02PO9qAM21O48OknCTSolF7z6nBkk6l26W3EL+Gz5I2Et
3S9pab3FMjiiKVavM6UA5D0DQkNxxDn9blDXZyhX4HFrk+NnoETcGYFymPbbijgi
kFC4339/Z1aK31aJLkxiana5mqLthD4jCeg3B8Cp5IurqPr8QEh3FH8ZZhtdx2fX
TXHTmGQF/lXG4tg1eH5cb6wWGU93wD+5mf6czJlUZTY+kdevKtZCQnA0/2ENCOFW
Jdm/oMTUw6ozPd474ctzWKeO78e8yMvZst/Zp3Gq6SD9kcoPgiuMQ+BOkwARAQAB
tCRQZXRyIExhdXRyYmFjaCA8cGxhdXRyYmFAcmVkaGF0LmNvbT6JAjgEEwECACIF
Ak97JQcCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGOorUuYLENzy1MP
/2c4fH8eXWbqoot/vLE+hJ14k0leYOQhVSo4lNlxRlbKNd5MQSX/QjkQgJNECbB3
LM0KxE/zwVOZ+umvmxLxNskOxjubE6NzoF7Sm9ydoqjwzenIpR9BVtg71mfjBOoL
PNrst7tHRE5btSnnnOS9ddt/y9JOIvQpkjtBTI2TfVcp2b4Domg7i4qU/hJ7hu45
5oAi6rPPkr0pcGiDKTqi46l7+9orsj9Mxs1XTmrTMMB/eV6PCU7Fo4WJNXS8SXd3
sEVxXvpyYjUTTnDuewjT1q8NL7anrsckS16WYSVGKzRhqtP1Vudt1F/D5cWKVqQp
vQl/XW/uQS2IsgEWsbRmIAEZIUOy4TnuF494C/A+1BbJBdUr4Nl9zPH2bjrJeqYk
TsvGQr1icgO4pUg5oC456htkqCxCuPRqqrGDAZBx54TldgPwvCo31+aPQJlOlWvI
uWD/depp0De3oTK9FDnHh3swE0vyn4Ht96+vM+KNnDYgJ1FEaw1efYePFACobvEB
o2ZpLbnDyqAT4MzfHpHSbwzUOk52ZOnkl/KrUIOxhXtf4dxRS6J70Rzb+HWS3rY/
LgaMO5Q0BJfbvknguKmE8dO8jx0pTlVER9ujqp+bVPXmFMha1j8vyGhJ3eLJZaRL
k3jgfRjiUUb4lNp+hXpvBwIYeFWl5kFVKg2aPywgnnFWiEYEExECAAYFAlBq4WgA
CgkQ4J/vJdlkhKxmjQCfevlawFaGTx58nDFN+4j/2U6uaGcAn2g1sZcTUrEEYHdL
byAyw1GNLksOiF4EEBEIAAYFAk99mCMACgkQ/2iSBAM3HxDivAD+Lu8U54iGgL5+
h9KpeV+ZlHgIpj4cD+BVL85L6AQ3GP0A/1TwZ1tS6Ag3ut2G6AL2wewR3v9Mgu68
E0M5esz5of4oiQEcBBMBAgAGBQJPh9ZuAAoJEBliWhMliBCHMSUH/30V/E930OTT
oWeq+QKkTJuMF0lrA5NaAy+xWtrynMKoiAuM0KFNGPfrPehkoxR4D+MKXH+xh0j2
bHl6fXOHJCKZLhCtsC/o8j7kkjIJjixBlwYMul21rxecke7Zt4XpxHARJx4208Lk
ztpzOd7ZnDP6KYav3itpxK8Eyj4g8N2omoTQ2Dcd+sCa0jgRkyskpPxdt0fK0D04
XW7b1LZkxwzwrAGSpjAZVzpKBXANcSmUQDAaIhGvYSKoiwVe2eaE5lUmvAaJQaTr
Ud/LCIwFofTLSaBRX8fEOe+UwvW36VtynPyETyROeTMp//Cm5e2CQVPoDv79soyi
E/oUW9DFDhCJARwEEwECAAYFAk+Oe6EACgkQlGXZM5TcxIlIRwf/VjfbN3eVf648
vXvDctsXfucl37i6Yue2COJiGYuZOrN7wYxVvH2to8P3V53YV9OqDpJl2NXUro1V
iUjFHuIKp23VbtyBAYsrLeTMmHLjnXlaUPSr6JUDHUQhCF34BTk17e9y7tXlEshF
YVyPlGum7JhyarHB2rRdjQk8kyTqmQ4yHjw/nP/HlvVxdgb+mTmudTPVBafOT1R9
MJ/SN2x4bclT4cQ0hjNEy/TsFzVduQj8yNOMFG9r6p1Vb+u1wn3BTANIh55R9aDh
3JFFIV/jBTkxukxR5iyGQiR53nl0e0qnQFxpfhFGclh0RktjrHZ3DBAzcuYXp540
Vu9aq9QuPIkCHAQQAQIABgUCT4bdRgAKCRDCPZG7HYJE34FtEACfqPwWSItk1lNX
E0HOM1YuHXFfMGURF1AotskJatwtjGy9oDUQkjfsPROnWjgH9s0xD2UmlTrjJfWi
BdH0kTLiExVUOmvnM9VFMRhYxQZMwiHecm4FZ5IWUz4e05oGCkHFbMswXEoEG+qq
btOfLNpX67yy/JM6We+8PiXV/c2vaErpH5S8YChb5wD9lEWNM2aPBOUmbzONM1/f
EFd8AF6fUVYN7htuyG1n5zTv+oowmO2c0terJRGmMgVuLugIEnKKhaQ+H1K6bdZJ
7mX4xxx5izEyYeYhi9DhBHSwCLhWR+Yilqkc5U0nrF+3Z+Cb9THHppi071OIQ7pX
rGsQSpDzGRXCw0nKEBm0Li13re8cOoHMlPD0RHWZEIRZGSYX1YKBtVuv4kpSq8GN
85lZSDKGRNtbJBS7Qj4vyOlOrBO1eyyd4lepQCe2Ri3gU97rek52tOM+fAIibz7V
b4a0qbbphrz6PVMbDGiBxM92+YpdDyZGyL7wJ4g6DhRRcEUQahlZ1n7y+YQ60ETs
zt7+kD08Zi2BoJpiMHsFfoas2pot7VePFxGutwvq0p+OHSVlwkLgOaORPHumLA8u
J3BGlJTHsErUB2EEgdc/Tv1vsZzEI3Zi+hqw1gcbke21Ii8aDfshbeKW9hYJAhnW
m8VdF3n80UX5Eg56iybrLCjEyiAEYYkCHAQQAQIABgUCT7yYRAAKCRBOBfZjp6Qb
nnyTD/4gVbq8H5ka7fVdSAnX65/kFn5xkqGzbpCkjcqe/5uI2CvdYtjeQ4K6sm7I
5RLoyu/EE/JPbCRHiucsEak42WAZSRte/Wn2yTQpIb0mQ0wXJvuM+Hx7DSx2R12P
9rIZ4mGo/rEtdG7Y9Vog9M/XGx7w5IqSw2DF2yiYQJXsOzHjphfYB8JfoqjW/73k
n4E2IRJtCuWhfiJZJ+GEGceSBIredH3o01ThtbAeh/gzPRF3FU1361zyA1sXtmGe
qwnhNL1spHRlpub3cvAXQ8RSYrNdiFZB5zohNt+iL+qzVWaUJo+vYZal1Co5/roI
HN5nJef8kp1ngaYKvf1hIVvsdQsilVQIXKFWMd47aU6W8gPr1W2+U4yw+q+OXari
eo7gpH7/OvMSe/3wOhGVD8KJrMwAVnr3M4wo2CM6zlwxPGdltQI+IxDD8NTGTmNT
rRARYRQaFQyqd1SrVt4sSkeoegrpOG4oWXya/v4SeXHD4vt8vvvX3A4szB73a355
IfbyRXDER3EfFfW5c+BnR3bxhfATTE6T0AKz1Gq30Xm2ycTGYCAZ2yBKewaegTpx
3O/E6APTXUnVWTIPQay8T4iVUiLFs7W1UFMY/RvmIvKKFIQWcm5O0L+27PJK+YSx
Uoo1Ivt1pclTuetbRbN8VnR3K9Pp5uZ4KLz6ZkffmJg2sOSu74kCHAQSAQgABgUC
WWMlagAKCRAyfirUINN1OOtFD/4jW0ZMGigpruCnvY0nr47rA12X6dJ6+KIBE+XB
QxuaQRjM5u44geksDwrqZ0nXrNvsa4SVwAhKVOrgMJVdzvUa1m2yeNCFHOTjln6Q
GjZ5f3a6aj6n/X5tlPptdklUr9ucEwXVd5fFMpWAiwaqZt38I2u0Pi+/qHDt0kLy
RSukmRPzRuS/kO1ugGO4aoO+sanVDl2Pq6LIwubL1Unk2HUerg8VCAyQrxYtZtHc
coyhmBTlAb+EmZnUVbQZ3Uy3eA89OuNTBhJWCk8vqROFm257MiH6gvG/V8CTrJfz
lpE+s9E6kxXhXpQWZUwtwWObq7vrJVkJhRwBsO9N2erxe+biBauFErYQPw3bg6xL
1BJLxDWnKUlMWs5o+h7lyjp+1B/gbnnlrUIlpW8IKVZRHwRUPGRN07SbbEO1lDk5
uJDMk+r2KrOUNVYCEp794P014xodkLvB8X7ml6tcABE4V9d4uVDX3SsktOLMvtWg
nL6xWMoBYiVOXi3Rsm8vESBOb8JFQL/ItciUyAioM4Zjq5eqotVq90HMBO9kqcjC
YsYEs6RACRmyE+TNmzGoucIPTwPEi5Ib4gj+LG6iPOBprk5DSjD7F0/wnQPoq8PY
HIufb4+PgOXKf/ROQXDRLeD6eZBtPcDUJOgW19m7QcXZ8fvo6B91COe9jTF/H/i3
A7NjR4kCHAQTAQgABgUCUQZ8hwAKCRDZsFd72T6Y/MoUD/9xxmXbPL2Zto6qECXs
Q1GFuydiYlURxDsVUiuc1tSgEoDb8XcXl37l/IKX1QmcpvHMPzeT0g8sNwIXSnL6
BNCnFcfrd0tEz8uBPxVnzMiGwaHP1kB6Vs6sNV31+CJcTz8BHHbOdXZnhHqXSb02
SonqAYeWVSlE08Ejvq0HIWRn6NIGdGqv6icBExryJjS3ZChRFpvgAJwsVO5f6BKH
oZnEn79uQR4XPHwuxRbm4hf6iYEbOhE7Hod6kTzS9vYIhyuTFTz5Kz/YxlMoZX/j
TIYsX0nZ3r+Tshur8iUXJhKvvXVlGyrGO2HXfEuIpJqEx4/qM9jUNP0EE7aPzZ6f
BP7Xq49Dx9lnZuSQ1jeXxEEpO+AND2xmnjCHr3EfgYZrrhCSxMQhvJh7wypkzu30
D41BHPOPSotmM7WLceHWmYui0Wuq9X2hom5jq11XwACEtmNiP/odXjF0ovfK0d8l
j/kivgrXAZdN/ONJapVSLkRMS71S6eln+urR9HfswEfM7IPt0cRwN1oNIhXmK14+
XBWvvwvalfuxG2UfxD8K0JXMwARlpGlV8lXpuzDV8EcrvLipKpqiQWaJer64kaQb
8qHEtT6+JNoGkymohrfeVagxKmPzDWR4v1a9lgZwY1FTRHNVPM0P8LWlN9q0CrYc
poBwkhTMV1YJ1OBSrkM9IM2vsokCMwQTAQgAHRYhBGMZHOlBgwmGicq4237xN+yT
Ww6vBQJjLRkzAAoJEH7xN+yTWw6vZSYP/36Bt4QhRtIh6HPWbHraFSl4omnuISu6
lTHsqhik81nbIUiLZ5e/KN6ONSgD2jfMVQOLiPTQFOoxVZvOjaHmHvMuF7BCbr90
Afh1qXW9txuPbVkhtC6hqIMn87b8UHEnt1l5MiafQnPHhoociqaqwfls/iu0nJGu
Jf5eVMXpdeWRk+ckGkqP+tXp/0G933jibSdYqwG1Tsw9D98xnGV3a/+zIqRtJflp
HPEjHPT6rVKAZxk7gkYSSsv6ONBwZHqwe9W1I+U4t6OPkGo5kNbMPBORB6/7B2Qo
LHx3+KYZs1j6glI+F/8IX2+JSFs07saMnsDhE7w5FzmwWV2JcUt42RSf8DVub438
jgA/Ht5yPROEJ87de78aD/t/gPq/Gm3bnUz1BW0jxBidjqg1qPOMYjC7n4dH8X0N
cRfX6tWOdSXmDBbPg/vQi6CEIhsGVisKlnrgYi1wDZExU6UVMnBNvllUu9PXye+7
51cIbrb+fwAWiwmu+AsL0qsjxZYo+9ozOLh9wLUhxOY5MZM82alN/mlUGzEiXN3R
i7D3rDrNFHdI4LGGLbO2hjPYrG4hdNHS+6WbU6qYcpBEhrqBtnUjoVqIKP2boBLR
ara7hHqVO120s8kgGtf/AoYpggD0H4qqUy4EFNjVdcL5T08w6ldQIYo7CEa1iHFt
ML4bsPcJh8lciQIzBBIBCAAdFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAmMsvIwA
CgkQVeRaWujKfIqNXA//fjCpyIPPd6RnJhagWH8XCp5NB4cCT+LqAIR5yZfz1QE8
Qbzpoobz9ysgXZ5XjLp/lbVffGyg986j0wUtSW1+g3kJcYXBUKjSWoBwwmZgyZky
95U+uklY8CdPjSeuzr2I5X/LogHNH1378d9aEmQXBfX1uW5g4Aqgnl0OOgkCVzgs
FFOO2o1j6svrrDVG52/mwXhNRm0yYK/hFB8T3PO2IvMQGDGJLHl6N5Kl7P2jtkyF
Isi4AEzJeop/2GJYXQ+VkUTSNRKQj8oOS5qe9/0RkF9uqeamoc81n2But8MZN2fv
R7ug2EuG2LHp9/pwu5ekohXmY8EtMbVbU7TYKgduK0FMBaK36jXN4Bapakfxr1z5
pwdDjN4QiqUefBQlG1CJ6fGrqbdAupzRRDqN974rs5HafnbxioYRYjoo4H0zC8XN
UwgmA2wrwIIY/cyNCSnUuT8yVAnroPiFgmMoL8RM7C5pHQYh0u3fXPfvNBswjXmR
pJ6mhTqG6SS4qIaPhqoZqA1iyA6+Ua3YLBDT5wqvuqNMnfLtLUvMuridmlj97cRc
srQIr022NdpafDQVAiVhZO0CRyFd/++XT35iiDoiv20+LewC0VVza466AE1fkAme
rKlurlET8U/+U0JB6IP77ErjMgCzotV8e1DJkp/M37nMeNzazAb//ovsdkNM6P6J
AjMEEwEIAB0WIQRFaBEoRJtl+IDGF5c6hKlGtLpirgUCYy3RvAAKCRA6hKlGtLpi
rvhHD/99Lvgf+CjbhwC87CoKX84MyAyBlYACCSuySQBnEsVigz8sCVyTYDx52h1h
/SEj7XfTylAfIl1CjUedH4w3hk+7IN4scmhf5eeEMvQd8q+Q/hWQcXIUpwgKOcVD
NbUgYcbakJAPtilK1CeQvDdBD+aYoMsJTsII/f7FJzwjPM1XGf5EoODUC8BtQf/W
KAVoESwwAUwN6Y5XeYSwMqu1s7IHs3yNYLV8C6A7EQPVaVVlORqI+33rKyqAhK5X
ErNvAREQPYJMfRnQlIW7alSORwdG0JBgVLgV+jvoFo4a1AQImHDDtKxs2X5BCVG1
I687uYDBy5Assl/VxRMIUpx5+zWvXyDZX/6nlL7AMokTlyosgP4iiifBS+5KMhan
phMgnDXYIJE10V46Bdw2tjd7wMKey6BcKgfbZSvU5z+SuVnQXCyl3/blRML54I5o
EomXPg6lgVxSb6BBnaJXzx4JKgLer5uom1OGsLgPMqEHRoO3bucr2xFdtq1Zegw4
9S3qDhQ3bn8pg9JlYwmAAhBd3Xy5cPv01mV6ompOQ38SlMCJzcAGASdMw5scaxUl
7MloV2Nl32HIzPjK47bF7aVOFX7Tz+rEFLmJCchqmUSdxi42rJyHKVRqiAlNfZ9S
9FeaEfU+vBxOHsLNqVO7ErvrTafT5fjphZqvUTqZGCUiJUjPnYkCMwQTAQgAHRYh
BOJeJUyO5NMDVUv1r+xwGh2klMXrBQJjL1NOAAoJEOxwGh2klMXrYaIP/ifHM9eU
UT6JD0m6Oa3P3T161NhOvNqr71LDSztClsWo3XX0+ZK3wpjoC6vKqgx0Cc8OL1S2
GqwCaxb5JqWpsoqR3NW6bTqTTUGREj/e0JHDeBzv57OEUTe4ea7qzqjhCX6iyzHa
qDP9fiAogMQ7uT2oCghDV5yo4JUrG5brw8GkMLEvRSs2BEv7xFAySRaGwNj+oziZ
VzL7sBzp1bCr5cwNZVYxoo3VAv6FUcExp1TydxzPVB8/VvxOa4zrht+hFTn6mjUi
NHBc7DYECgh4jlDR6TnAdvpg0FsujTXiN6A0obOUl9jGz2uFmdY+2ojlVtzqKXoP
+PDz8o2zMrRoQYkni9VyIc536E4OFIhfO6CrThMjJjPNn22Tq+fzRYkWTrlJom9b
nOldQ1BdUXQt2QNigdzqjhZTIgF5OEOTERh80dvwIbZ+7vN00BOsuncR5GUBQerU
F6+SksVRAaOg2lyoDdxUQ+Z28RU8R/n7VjMV8ctFkQvHHLBqKkpET8LRh0C/jSNh
gB8zLPc3Oa4wTf2xZWO58S18esbYMr74vRYrsACbmwxH5Tz+L6Br70Fmcz608+IQ
ESKW3657gemZgFud3AGokzKG5AuWykSinydiZbK8MRGLsdfPUojaVIgXFqnWKtkH
At9gkD8YbqGYzuVwBnljBNRdTUMk0ClgV6pjuQINBFom2R0BEAC9k1Ky6AIe9sPP
xrgsrXRe0dyYcoHufzeU3jFssl3+S4cRuvYCzdZfRfdjfHa4n+CxTaOd7xkefwJg
GpaR9KJbu8dqHm61GIiS5ZbMCRU8FAW6ohVeDqEwFrPAzZjtO41OTpeXCrPu5H5A
Tg/kDnabzlD2H8JWAqr0DYRRhFtJUihXUey9zK03wSjUi5E1+YHUC/fOpbS+msNN
945CeQNBN4Ljap9Q183Fkh0Wm4Q8C0OS1WN8a0XtqSALRCGAZ+EV6UrmQVP9PCC4
/J0hoKQPv2bfpBAsrUGAO3Fnsw7804i2TY7O3JA8gGDYX6fwOVJMUXdD7FX7LM2P
pESqAdPrjqmPqHT8cPfq27GYgqHv3N4hP9Rjt9wxmHYFbJT0YCHw2ZMiAO/VcvvN
miGr590ZFiQEb1MJN1r+h5UDE1CtF6nTieirSXi9oMilHlo2NY5nAItv/T9PKk4X
+kaH3UoicMxrkT34tACGwxi4VIRYWL+ZquxE+bwXqAvbGJ0p3XbyREURCaO96J/2
w951EvZErpFRQu4zzClmoMiNbwkQ8QdesSaqjMirlHyFI8T9BZrXbPazdVNUwfyR
LFil1q/kgXjXeJDoje73UiyGhqhlVOlEbunGzCwEBzrtQdPTDeFQr476/4pe0v4u
gdNYkL/gY8Izodn47d1XH68AuRSrzwARAQABiQI2BBgBCgAgFiEE6FPBhIsBhc9C
hk3zY6itS5gsQ3MFAlom2R0CGyAACgkQY6itS5gsQ3PQSA/8CZGTxQDbD2oLkGb6
tyECIs5A1RsfwJ9aj0R/HuEO39ki8yM88fwi8F5AfzNcmYwp0rxyYDDYM0itObSv
A9WBB8YFZ2PKT1YHrwTzWbne+spmQYDRdFt+0Kx0JLvgv7SYvQ1jNdCazixH1SAM
9O+Tn5oFybVHjRavWsQYHp1CvXY5kOHOEDHhz37pGwFvyVyFdSYS5PWT0+0XU/g6
Uq2HeFCurhUGuDXJ6WA6Ipvmu0vbi8GpyeiWCRoG76sqbBfQ7dd0oDMUHitewWGq
LP1Kioke9hu5p9CbkjYwGZjJWZEV6WHxOmICfFcBRPeIJyO8Kfa/vVBfQZj9fhqs
3sHSfAGIdKIB3tX0qKhMRdu/QoM14YQ1yK80JTUUOcrKLDt6QJinF1UQ/OcYQqGB
CXaRk1OKGFuuij16QudnX56+aYbNPltf7cLs1O7aodQcRxmMSgxSE/2ckthPYBsX
PWuDMYZCb3e6JMWsdnCI7iPpoPFAJmId7SWJebXZxntoX6YwZ7Tx58/QMLEqxMfE
ExQTAFg8/owvxCG12KaharLr4GpLx0aU39QEJenG1LqGLwiQh9Vxsejw+MkebZJE
6zhs7XBpenrd5c9OFOtb/Goxwal/6UXz7a62jZ7wDNpJw9xOfC3/eX/56+6dLVef
RFj/LOIu9reM4boTiY2dmGj1QC25Ag0EWibSSgEQAMhQB2Q329FSozPk7V6dYBO+
jDBMr1jHWvNMCR/2DkwXfDAKK3haSWSqr51/wua9skFRezQvc9PhgvOIJi1jsxRf
xNoM82a2OpYJdj16FG5RVQ/ApojiywNvp1YPJbmq4DfXSuUA6q+OephsFLrx2cPY
nyDQaI6mrqTBecET4cdQTZK0nKKUPj3U2bI96zTBIYK8Kr7GMKXm8R1eV8bktwHT
HyDjI7hN5EjZViYqZYDQ3jt2vC1Aj6XpFw5K7Sv6f0l91zyjfcu6Llsfo8xtRhAl
lub8EBuO6ljJ5uWqDgjqTOkDXcIAUkhUCg8ztweR15zgJQQ/On0XDcHLtyi7zuQd
xNaKYKkD3oROTqce+YbNN3qnP4bV0qa0JLlTOrE/0/zmif7Q1zYOidcmMgGeF6Gp
pGQkkxY4gSKet8kD8h4AZXGlpFu4e9sue1ENDRmgWaqSzIWudMRZ3z0/s9EGNNiW
60nwJ1NBoySeQEmnwMzAHXneRM9pRGQ1S3/CKttq/0eWEH3Y/Td9xi4DNvTXcvgJ
uUUwoclWP2PCPg3zE+EQ1q/Kt2oYrT8NcemM9EO8btNzJ/Y1wSDLFAFNikHwYjTM
86jWoeGhSM3fD9HJjfqoB41gDKvNIVlhQavhe6df4+AoCo/mGosLYAPFaHHdkmqn
eT0Y0BnTRIS9yLcO8CBVABEBAAGJBGwEGAEIACAWIQToU8GEiwGFz0KGTfNjqK1L
mCxDcwUCWibSSgIbAgJACRBjqK1LmCxDc8F0IAQZAQgAHRYhBNalthyaVTQWgpLb
Z74iCR4+9iJ1BQJaJtJKAAoJEL4iCR4+9iJ1D2AP/1VMC8KOmzPYyiFY+1xHu2rv
siB0f80GH1jXwDSM/IKvsH1axCD0hMV5sSi52epCov37czSlR3MpQjo0xK32wJB9
26AgbzJYZO48qulDUXUhPWJ9bxiyIcxI/3KEspY1RMoWv8AfYA/qSma1cSdT4IMo
SGJzPh3RyrUpeFP5QT02oGa5TuSQPiJwy/b9u+RVOi1SSqzHMJdKzZehGays65Pd
jC8Xtf4ipdYRBr6mIyUISOB+FBkY2MttFzNDUBdDrOepyjStQLZ1vUXnYKIiSRHX
o3XTW/W8fh72o26zeDbQcALywQMZqnwtrZluzKHZxF07whKmXvw9pUHXX6hbJDvm
GVMxnB/F6grPNi/V+Bv75sKOdImgnJBUp1Jz7288SPbNQwrqFKV2ZD3f0PFmolFj
Cz/Oc+UUk+swfnsT3pV6LClTThsOH8WlKJYxZLneX75HuVx4CmT+qv6GlFQuixjc
H0LtsbbSjAx7J2LRNVtfI+2DfMcIi8KJxe69MAKGqqxDyDPSWeFrs0MHmyD6/6m+
GTovgUT5jOZbR6GVKelW054bmby0zQevWnRieANVeFoFsnwclJnqKIRzQiGod1p1
b8HhSCw4nOeOQSifaOf3zcnFhYyByDMOtl3/AqGoLp/61u3Bk9h+BP4VPR3RUWzc
ggjmxJM0MrLzjaSXSedjzuQQAIq9g35FGpnaB8d/EjufED1TVSOkvNK/qJ+dD4Xz
f5RvnbprofMnzfEyy8jJ1Vqc3QZQU3IDQt/Un2ZywX0OboKGAIn/gyfwdkpnxJ0j
JoxRBuMplNpfNBw+oe0nFuozO9idFozKM+SWoE051/jvGHp1FqEPLnAAGeSbWB0L
RlAsnMjc5u6+SKHeFGRKYg7U0sO7ZKbVIT4ZmRnsQLDakHwbAgfcIakh9Whj0Ou5
r78Cs+DcM3XAdtZ04d81jV5TsveR8/Cn473c6dvPIfnA2P4uClTCaCDv+jXG2f9a
FIuJhYCO+TdYs7qjAsXWngJUebRFiHbfSuYDw92/eqLdKD1Hoff4MnW5YOtDpp6E
sdCDuINeRtUtnidw2vIPezX+xdmycXIq9Fb+GvKrIDsKu0VO8HObVviLa/RE11ds
EHYlrarj4mqzS2MhvmU79Bazg9rDDB4WVs502n3uJaf6Sod/+ke1c3ff7AUPox2n
pjH/bVmkZJsOq5EqcvlH3m2FZUHSFWS/yTR1rPuJoHBMHVc4OPlTuSqT3qmKL2vb
vD1l3D4zHZs1paRLddYXiaex4qPU/0YpP61XU070MmFGYE8Z43TbMPHu/6LYBpw9
p5Vj3VZwn2edNl4LGx+05hIABzM23I7JoQ44uPoTbohmYXF/DUGJ6h2LYdp81AVC
lSFWuQINBE97JQcBEACpbBqvDl8J65jEhPjOWczcDVB+WfG7GBHB7T6RxSNFIahy
mDqzx73zZD6n4NnZogPDPopYdRJ56u5AfF0bDZlgebl8+VEgPHGoay74Gf6k0B+c
pEkp5PaWQHHEqXINotVg29hTsf1u0sb+yjgcc+9WHw3MtpChsgk8Rc5N8Xvr1FJc
L+xynSvUCcLIwfgvLHYPPBYGIRpvz4ek/zgHvaGftDfnyMwrMbgi8kadrSb7PQgc
eWeTL7CQN1B88TPJFqKt/QxMdXaPy+Cr3P4XVy5V3/QEVFUizrtCCqJgxHMAeCP5
QxwYEWmA2zxUzGA/t/QUDFbccKt2BdpdKBFtHLliE+yn9FHw98JayjhAJxxeCkrp
MED9N2aGHI1q44sbmeLKQ8EuIbCamfq7fqLXgkEy8jgivv2J9YfXejjjEobGLkss
Jlxaq9JeQgFEVl6f0jJ0PgkYPd11RxTcVLy4RB417cxc9LHcoKdAtcgBTcZXPPYO
L+eM9S7rTvFTna9IdF4bbnJFNjHDMhb/9XomxxBsekpTUXEm2DGoTpO2W/jwWcZY
LVrdhikkkF8b88EdWk94fUTcFA90I+Ch0YbS8XGM/WIklrMGa0JpA4OQW5oMhKDn
gqAcV7gxRYt6ylBPVh94/AIMz++wmfqBxETFP8HMgTVEApLBLjwru9B/4lRStwAR
AQABiQIfBBgBAgAJBQJPeyUHAhsMAAoJEGOorUuYLENzegsQAL6NuhGuzQf2GELc
O5J8/BW2yF9sxHWDLrw0Pntq8D35kgGfZLB52tN3DI4NwL0vE931bXC7ovi4kHPS
sazv+WPUckYfJ7qskWVD1yDtHsADduwudJpAflfZ4VIvMJqJ7FUw5Fy9ennw/Idp
H7LC+ubn6XT6Kh9oKvVmp+BQEOsdisjVw848Thik+gS08WvAjK9m+g7++FFwKy08
5iXuuqZpvi94eU1QPvzxzzRZz6M4gQaz+pCq/5yf6I+Hu8G+5nq2foFN+G7FRkx7
KJmJ3SAEsG3M23V9MKWON49ZbhTe5xW+1at/TKKoNGzNIYs07jApR2/E4J57yMWj
zsAqg77hTDRiV0jhHl0DJw3RHFi3z+SrK+6ie6mrq8WEPj62q9qdM8dFs+y5X3UT
x0nxly7GjOxxhi+Nt83PAG2wVFpqmhVLuyPnruvxzyrVFc8Dvx46DiKCzt4PPK/Y
+jnVIQ7Jr2Jm2ZCpzZZT5QNJuDp46mKHlNBkvSy3q3+pM6cM8vKSuCFd9+dw3dX/
GptLebMrPOvLVDl4Bm9hSmG7rLpJy8U8Ns8pYSS1zaxHM8KqMaPuS/Zlx1SRIj/E
afefnHd5fIlmsH9C2O5fb18SFjmD14FCLcVTG7bwh3ZfbGo9sOJSShPxppPW2OoT
jwfANmj1cSg/VFr1d4HAEc83jFgumQINBGNZjyYBEACk7biPgvCVldNWq1CwVoJa
/Fvc4T49tqxcc/sY4uVlGo6oSi4fQcXE9XKPPBuRLmvpmMWvODQLzPxJMWUfJq6L
yYFmX2U9VRTcyITdmJs8itkEaDwq8BtXkeQfUDAVSFy6V6/uvVmNWD7pGXqJE1Gx
uV44Ihlh6v2YyqSzDG/rZur771hke8VZmlKMVMs1RSeOBA3nUmvZQ58+uqkhJNYq
OeQhxGIxDOHo7QhzTG+SlX+uQq6mzACKygVJJl33toaUwVAX5R02a0u67A5wC0wh
AoLSHInc3P7ayivWV/iESAz+gMIkuvJWns/Ak14J7MTGgjD6rle7PNMsPDCCwQSc
qA8F0x4OChCixbZGZn6Mr0u8+01VCEe2IjJwVUfFI/G4n1FZ1RAdqjkHfZJeD20L
GHSbjJLcnqLLFx3LDpI5dAxo5K2kFvz0VowrB58aHoofW8/g8yZygGQ4Zpw4JnpU
maPnMTiD5yvnFzEihM5L9DuaWqSK3sb9qzoaXABYRYI7OmX4B5nmMzFteHHq0tMt
aKWf0HkAsCP0BLJcS9Oc1/0I0+gC4oKLRD8a4+kaEpNr6BXvWnj7Y1h0Zr/CZS6+
gi34CxWMl2Q34OSqtS37mzzBu+UZxffPR0aV2RXcEpc0c5HW550Thq1NF9EmFOoy
eG4J2ox9JRANZXLh/i7mNwARAQABtCVQZXRyIExhdXRyYmFjaCA8bGF1dHJiYWNo
QHJlZGhhdC5jb20+iQJXBBMBCABBFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZ
jyYCGwMFCQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQvDkF8jUX
nPGeAA//ScQ3kJMqI6FRULXo0aF7CpafPXVWdvj+mfQMlZzuGwXXTmM42T0DXnXR
BSjstWkmOXP/UqkN7bNeXH/S3D3GCJ2l0qx8Qp6fP0FloJIbemyxNtzl7yvAE7kW
vuBuLvUdm23cntv49gAzj+ElDqCxtT6A6qaqM6r7DLUvw+G+r6gkeu1hNQbtRpEK
9Dt8tHriQyI410qFRMbi3QxU+iTJ79HXwrXiYpX7V7T+ugiU9lgIiC/hWJCo6SY4
knt9E6zhegUWN6zErl2HY8FBM2P9eHOTqToEOAhKeM1fXZvxe3m49fGq/spmRM1R
UUl1V9WFEaMiLg/Z2rmbD8LX9YtfYlQCbEwyX2nkIP1QIcr/DEfcmCA2MXCQCgsq
I/2XS3BTLPyjuqAYnXxrk+T/Cydcg4W3ZBYI/wT56GH02TQzB/wJsn0cW6EMG46V
SDY/mZ2/gwi54G/Pqb2R3ZC9I7wQ6/FFxuu8myI/QVmEiTlvTxBoyOdNlliBQxCk
Dczs1rxd/o8Wfjo1vwRHW84jZrCP3xr7xPJWuzsrmPU8kFHTgepGoY+4b/h3jGwl
V103RpRUK4JidwHsmYDVk6pgeUH69hf0iVcbFfKiViFTR+DwjbAOxTdsFgsYYn+7
hBj2l+pV/uzeA0akL2dkgfJc9pAf6ItRUnGC+RlntZ0Pf2NbwIS5Ag0EY1mPJgEQ
AMRQDbNHBQ376nDF8miBZOAV1txpmbHc5D/X63PNapP0P1/I7SfcJU9D3wX8c4vm
xkjEYtH23s4lmT1VLsU7PisS3MacRemm9pL2bD53hs9XQEuU9OtJsZn1ZJ+Ynh6i
5sfW1bG3OiV/TWgYXW66GwE1hn9PuP8arodUmhEft+64G2u8Xtxr5yqlQJEUThV6
280OJrxVbduaMi5C6UNeeGE5wuhfrQ0TNYZiwQ4KYbU3QhlWhHVjJlJ5hCLiktwF
DyR24P+wlTIziWA407mo2enQT+mz3bO7Paf4mBionGsJMoADqBThf4B69BxjJ7Yg
7oQVIZ7560YIRRmNo4tk5Mhep11OtQgZjZJR6MhWDaUO17w1qScrOPRj6G1IXP1R
5NarydJpLyAVb/5WFZ5jxUGMGtq3mYn4nKbbHUg2WzvCJvPctDE6EV2vaiRy5N1f
QjsHgSa29F2feh14p4ngFCmHjpdbcdjfv6rWL8tgkSpQlDdeHRRd1q03TKAg/byP
auAHKzvV+iWlmw1f6KBWjeTn0fofmk9eeQ+P1j0a3/XTxMOjB34SzqPRWzmLPLF6
YmujBK2gymM+JLirJFFzao1i4lgmxqkDhQoNYHXmVYEd7w+/qUYbfKwO9eJOWzuU
WajxvJ1Vgv6z4CPy9if0gwfhrx0OOcIpBE/xZU+SwQQpABEBAAGJAjwEGAEIACYW
IQS4aChHdk32DfUtmSy8OQXyNRec8QUCY1mPJgIbDAUJA8JnAAAKCRC8OQXyNRec
8a+qD/4whGQ9J+td1iLFMpNRAqvuGtTnM6shZJNnC5CB56Cu7ElIpr74sk0R98Ia
1pJlBcLALbYSrqwluZaLiRVDPdub6tGSRVssqQdZcKThz33waTru9IfLhCrRSNd0
ZMHJaOG1ErU0noWw2d4ifVJK+vvuvMeEyNm4H5pZOYzYeikqVUYzS143cSzMEwtv
PSdP5JkTQi4WNF09khH1D+QpJoXEgVEQla7Sr955Zdt3q5OlpYxxw+X62vslZ2OM
iKZ14kWVSRbVQ+WdnjtRYS4vivB6ko9QL770jZ131hKhC/BcWpEYSjfPpVua2oKb
ccKHXheIFEJ06kGkMeeoQPxmzPRBYIw/E+d5sZp7YXDyBGOAxBeiOaOnZ8vLBzy7
2HFng3oB3hkVGTTHq+PsHdSSaRME3QrNpDsaGeSjw62FG3I4zK985GtrXAHEzN/F
fd17srl4mcRQ+8QM/a+XbF/8ugjE/RHhhFf8sWVAPutYzVE8lF+uqcduPuq/rTcU
BuzSVjnSRfXWqCokjh+ypUpHNUO8fZDzkTLuE5rwMG1xpPueDBTzvoGDQRqc2eoX
pJnDBmdlz83zHsoR2gIHcdqyc/hCV+fTvR8E0v9ZG3Jr6RFgWdD008PsGxUevIDg
MAYFwasZSTofEnzg49/WeIFU1rGB5HZVlmOJKZnKRuBiTakEP7kCDQRjWY9xARAA
rEkjlUH4hoSQAkVJCWWk+nF+daAP5IszrGEQH7TyOVwXbRZndSPFSUqKU2kEgHbM
m+wFYoZe95h9tjDh2sLCs338pVu5Chhz3dNseTF7/rbckw2rCU+JbalEiwck7tKL
qobvbh77jnrbQnkrZNc+nMeHHLrYyc5gHW6cSn4UlU42MKmTlSeOG4Ly9wXhgaKC
heIXNX3U/D682Tffl7Gopcm7pPZF92dwY4nIpCxU2ATimkSyulbhzk2CjZ1JYUJ1
LHctMHm9F0LEGtc1GxDShzVZP8dOWpDs9BBwZDLXxCzC4rvZ+z5BJCDFbuNTKZQ5
JEoW2sM8yP1LLZGXz44hsab1aPrvB3vcdS5ETP6bqT5267ZiotdhUifU/pTV5ze4
7wNuaZenQtGd9olyh2dAqOk2DQrcBQFA0gRp55b4U62hLTYXxT+7jEbSVAxeXDPR
qPvqh/4kVn86llYjV6dAoASN1wWz423QH3u4ZK+S6g8HZ0HrY2+NBYgqthb6H/X6
FiF5VcHWstkk967g4Xt0PgN/rlCtpXh4WK9sScX/CFdOURsHlb78ZN2LexaYaVBq
QuqvfHaAPJaIElXqMheZ8aYrO6Df4yzJ+6eTs3s4PqM6EMir5waFonx5Gh50X4xL
9p7IVqgNPhQsU8Z5U5hGYbmUH766GtENv4CI1upFA1cAEQEAAYkCPAQYAQgAJhYh
BLhoKEd2TfYN9S2ZLLw5BfI1F5zxBQJjWY9xAhsgBQkDwmcAAAoJELw5BfI1F5zx
4cMP+wbjKu2xCr63oyn+lo7NqMDLBYl4zHunYTZhG/egDakVWp5Ikj5/k3i+hVSY
fUyUhqQ/b/H096ropB7GA6EzS44GS+hLMdQOJOmEbjvAP/9dJDX2FQnYZzaA2f/e
Ikgaw283oOLnmYz0x7YAW/oxlnPn+7Sg7DGGqqn3nKofDUUrowfX0tQGwkGmJJqQ
gOH/ZfU4t51UCKzF6hWRbberBI8ezp24vYngA2kGef1fCUC+EIFhoYcdHHCtC1Ti
KmOUaeB9ZMiVXkP60fmCLKObwcKTyYpAFPqM05xgsMPFaXN+fQ7YVAGpCdthk53N
5Go+QqehwLoJk77CHZxIWJIf43p3UiuH1FsuXF7OdExzIhUSiUum6MoCI8BpVwn9
uSKfXKLOdGDR6IJI8jqdC9LYoXqxZtDhpcqD70hFWJwJzZg+U2SvxZyhOqwtKXtD
TDtee3yGzPacSAJD7mFURc/DRi62UBMiFcqO1YW/5LgC4yjtzo7MTQPkaGbQLduH
IlCKa8pHWPqaLFdMawwqNrTNHWXCD4XxijJYwdAue3NUG/utekNm82mqnbbWw/AX
URIzefQsbyqiNYMztudJ9hAS8yCdkfb9SKVIvWYPQ77tHltOZF7K/NzOGeJaJr8l
vqZCfXpWmOduTpWaD2kIvU2Kx7gB4jXdMa2ai9N+/Hdr3lLouQINBGNZj8YBEADg
Y6HOawiThxQVI+0uvAAU9yisew1SSVO6mAsQtZM7s7BpLA3RGPj3UGojZIeejA+k
fq7A+PVLBhz/kSBTtw9/s3o4rlqNzz7SLaix6XKWCpHOBs84n3/LF6u9KMMVk9vT
sjKz8iDF9mBR2bmCfLvEk0HDiMyApv5SbOsZMB8k5PWyK8HYPyMI5umEaOsaC3tA
eihO3nzAxEf3oZl53J1pIw+ecdrQLbWbH0aqKngfCddD8Q0oMr/Iwly3W49+5eqJ
oelR9/dut/dg0a3Nn1wIGYRzC62CCsF5IZwKdyPh7nilEUFpA5Vlz+HfIFch2LfR
F3Q/GZD8fKzKxhjDIdgyaWSTsMbityKxX2G/pcjshyMsZT7I3Hx7SwQfFro58s2D
FsFLEZgBhJv+nW/HckeedaveXmXdHKjtsa8+rvGADti4wohOl+N5tbpYW3/zR3AY
qlh47hG0ikUJ8Tusnu865j3Z5mE+KqS68ypRVBMRrdJl2lGPDCnXGhl2720VPNMC
/jB2Mgm/L1mvQM1jPfdC3KgokDAH5NMzKvav6A71aLSUJli3UdkGHkX5d5urs3k3
WmCt7XeTb30MBvNzBcSYTbw2UGIRE8G0CFc3wtiWWiQKPeFXYhn0+COCoW/EXpIC
VaAuMPMgcsldM13bKGyGo3NngsNEdopNFfr0KKW5XwARAQABiQRyBBgBCAAmFiEE
uGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZj8YCGwIFCQPCZwACQAkQvDkF8jUXnPHB
dCAEGQEIAB0WIQQb4sD/CJSWIxAv0lZGlYgcJUUI0QUCY1mPxgAKCRBGlYgcJUUI
0ZkHD/9TlRvAaZETf+pv4/IceeL3KHwj5lrC/gojXxN0AjhAXljLSRCu0EyICxZy
3158h4k0vwjdv8699yHEN97PdF84m81mqxOz+juKBRHFK/EwAAgOdSlzGnUYgNkm
mCROFWtjeneNWaFdEnq9MItx1OascPeyxnWMjq7LLYMSESP4tgUV5KdlaVAXR6q/
833u27/NodkDcNH2UK+IyT+Kt/uCOoIIL4ttxo/PvZTphzV8n6s0sJJE3/BrRxgv
CTkVU6zosyJsyau8/vayQYGPuBuEQVs4Tr+vZ42izbkHgElcZv9oYjJsxaqZqqMz
fWPte7m6Pl/pvtmlhPmpZ+ej7y8SRysBV+3aHNXaE1J3sIOmYxighlgZapSjHl/A
9N/KXdoLAjIZtBAOQ2ZFyRz/c2+VUqJgwiwdxoaFaYn2eUM+HSTbZfdGXBS/yyZL
YsM+L4M2aizQvDIRXzy8vG0vpHQEvPlXL0Gg0gyk0fox0OsAP5CfXmHC/AvYOHM8
y81X2QqDf33Au1RIgog4cLqq2wpXEARWbAj0BAMIeJoCDCu9Mz2juK1ui2wr8AZ0
42PCUgZK6CdUI18AsvApUhPsNunF7ZOc5mFMuaEGjjWJvrTG3qyrCY73ySBiGXWo
92ZB7FXu2MzgujPBEigByqeF6IV2x0EBHw/VrcxXq6Slgmik6G0SD/48l5mGCxM0
Wr91raB9zQlwDbtD3PCbjA6DtkMrRyAq+81g75N6uiztGPCVw9n1HoGOSjN1hAhe
SgQQlcXbDLpzfdPFowDEHclFFfUODCIOuF+FgmxlAz5Exr9JkJdozBFqRZ4iF/tf
E5sHB0rzeUcY3J6VjTsjULjE4GSg5trsOc8GHUnFn9wwwkf9nR/Mr1RYcX0GkTcy
iUskw+AoRz6svOfAWIDJY450wgD0MHZK08IfUUsYTGecoXcvWf/hITtv/Af5MpQA
wuGEDltVDeu9EAu65SZlMkkMuQD1h3KOQjUJ6nY4a4M2CQ51ggs/c+vsemxsuYlG
vSuhrfXt6HGD3dhsOEeyEvIcjjpP1Ku5mqrPhqXFli1swfohhYGGVO+fM7G3l7wF
kAIi0B1szn0K13qRqBIwjnWL+orP1KLzvczCH6yD0FZY90CDdMtM0VB6AqT4BFh6
5+ygjA4YiA7fFYBm8510ybUcNfzU3gUIJ5pF8MdGizO54tCPSK6U+iVRY4qfCFdu
IiOZ7FUUn78VIxQUMYMrozy7kn/0PQZa7KKRbXJ8sg0sgrQapwpgUjdMwuYZPGGv
1Jw5/+WUGWMbGxmlpHcEOmsPZpITH557M/kHyk9Ud0iKwciBI2mGLxiafCuLrUY4
TknzOqbZgjdllcUG4cDBEQuBO/GSj1LUfpkCDQRnKRF7ARAAo5H9/6cStbyjWFeb
G6qDn6pT+4v1rlbRZo0rYwWkDmEAjOZMRC9SJipTCdQeNFlv6HEiiCvl3bmZIqrZ
+zvLI6U1+2dH7k06xNqIFLTV0zbr+tUkOwspg5nr59KsuNP01WBS0ELzunO/zHj+
BOEdPg1KvB0IQFtqAwaAfuny67YvTr9O7Yz07ZCfTxPtHf6FJ80FPeRa0LoZYnW4
UmSGtm1f59VD9+qe4yhRtNanamXUKjf8BTw0rQwjoJhVT5Mg0Z6hW6fhFrD57Lgd
8fBi5ZHHUlR4z1+nqGCUoHlHjc0JVyK8j8fofKafow/79ITaOqBzv+P3psY9ecBg
7wGaOHrqzRzRxAfKYRO2IaFHRGnsEE8FnwSEL00uPVxpiiTavrLJFEjku9GmP3OY
3rbwIPXbw1m9mZG1yAVbSEEf58WSWeoBp0O6qrwAdIbdgUX4BkQ8bX5MtUjXp5tm
0StmjQiZ7O91cg0VuWtrfj/I4E3xtloNzhtG2QLI4s7iAL1orhClxEuZRO9alUCS
cnRvhmw2Dh6sB6i56evcZdUFwxMXOByxfWr0fxX4QlR8jYqMPj7UMNj2PccTBOQX
umIW2cdGEeni9vrE9cLfZRSNCwPWAXWtr1zQW54Jx5DjCGHobQk53Z7kE+MZVAje
gOaT0u50cljBNfJootuln4+gbGMAEQEAAbQlUGV0ciBMYXV0cmJhY2ggPGxhdXRy
YmFjaEByZWRoYXQuY29tPokCVwQTAQgAQRYhBGjSGCM0KhNoOus+TvtMaFtdwcE+
BQJnKRF7AhsDBQkDwmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEPtM
aFtdwcE+doMQAI5mnNA8aH0dfeOZnz/NrMwY6H7jK/+lYatCx05e1TfK+zz9feRK
sxgP3Pjj0p9igo3jIdPcN5/YnlmVEeplDmSiKOOdendviy+sA8sukMo07Q+m1pYW
NzFtyiZd+c44mp9I1l7h6rktIY9XDedrlAkNog1VlUet9eNpmgXt2OmJNDmYftWc
KIpyw/ZLaubjRcAmxwsn7I6dWnT66Ffg9H8trcRlWipVWP8imO0EIpwC8RbhuNgk
xjt/cVf3CEpzokF4n0k3nqYmt90NNtGc0kG5QAlTvlUuHpNWzuzvdAPtMy3KEaXI
fu3IEZeIKCxSgWXTm7zRKUn0F6jKAsLXhK/WOA1Aa7NdAUwMxrEndfNoqBrusaLD
lpzWU7USv2YT+Pf3aQ7u1szg2J8V5eqRP+E8wwe54RNCgQrcDgUq5abyncsvull3
GqJvzvZC7/Q3Th/g5Wc+dRaGBz0O9FBuRPQwjrnB932xW1fDf17cScpVKAvV/jwn
tpWXf7nSv2M0o9fihnTBl4d2c2EBKtTdp5W0IpeRl5uLad3AYoouP6RoZ+/Id/Zg
NeaQKH/ZlCxk5S9GLzYhm665ysOYRkh7NfoThRtvAqAeDcTKWGDG1nQok2KKOSyq
S81PT2AlMz7A26R0vsH/9lQ1uZFIhIGbxZXlGERZwXd1s+lgfWTbB5K+iQIzBBAB
CAAdFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmcpGAUACgkQvDkF8jUXnPFdGQ/+
L7uA7EMB+Yh0urhZuOltZSNtge6b+UbLZTd8DRsf044e+Z0NJWdQ2saLBptGhIcn
as4Qd0gS+QkWB7lMrJ31uux15ZBjFsGtyqK+VoH8JIPvV8Mr5XojqA+UYUpXP6ns
ILrdkUvNzpeA51IxYuVMWcut8SUVYzjD11YG1P8LFzydsImaYe7se+RE85F3/2Po
kZNe0d0Gh36uyfJSND80XrrxLpROgabQgHNG0drL/DHjdoa3F0V5EUoG7NBwUrmB
RlWKYCLUFfW+8mQn6RVK8JIV9WaHrzi/KAZLonZb5dCjO0e+Ol16pyUofLA8SN7B
aqjens8ho297GtE3darkXmj5p3p4YPur/D+oZCNIH+BYMsht46VtE3v6V10P8KA2
6MgNo5qME1Q0kC1DUYi68cPeDgrQBMWa+nF+m9i2aGeAyi3qDhZu03JLhOYAhv45
OVRawm9vFqyKiBRANVogTRr+ch4zywaapwfVLQ+xiwVLqlT5n/iIzWCQ0hA15eKZ
gJV0kTXL4OWKBeJqSNnnLVm4AhZ2OpKHMsjE7BEopvCe9JZWFIrjtQ9TrriByOx0
3anWkmm7b4lZ1HKDOI/Cxyz8BZvYizo7hSOdGjLrFBTD/Wk0swvpzB4NKh5I6N7k
gppXMTaWp36+KmQx66JzaZjepGl1VMNFdgiP6Sw6pO+5Ag0EZykRewEQAK4EY+06
GeuX4wLlUqAMWCnbFELuhBZGWFLEIvP6WJS1WOvee45RVcpVfYMp3AqymiNRahAl
RMtSQ9YtXSdlBPkhtNcoV/hqjcNywMdbsy+Rs27pRk/DJVC0yVL4ABrSSlwhfNa4
6X4ZvPr8GGDvjAUhK6NXQ7WrZJxYR9/U0nqRGtGuPBLhFey1H60n5axP8+2f9pFC
NbDJ13HbrhVju+RUeE8Gq5WJI5dea5SfYnXFERsT/zO+pw7ZaaSDmWKR1a88P6Bk
DD7e63ZIaAa849M/Dz+OgzNEgbyRjvgbO0OEIrS2x61lGoW7F9prEgzj97NIiBu6
qpNCYJefkpfPENrk+wmOUthJfh6E7uphlliQams6dqXAc3Z+xBN9jFf74RpzVmIP
K/MFNr0EcUMFgURpBtaTrk4dGMh++v5i4qKxxwJHf4RsGCDsgH9ZZDemKz5q8uFN
TI1kbTnsKNt+d7L45U+3/mRm4l22g8eu+AvD6R4GfKjsyzEFCyGK7TmVYj0Y+EGR
9+YbRQ1GahXqtrR/aLC09LSyxQTqYfKU8KusnoceEbBOigEZUNPybpzibwHl1VEV
9crR5eT8MPHgs8xdpjQ7gRuPi12fvc83unpUsNIHSCxZqXoilGsz2+zpX2si3PxB
tK/tTo6ZFRLijhHs250Y1agp4MyXYq91A2VTABEBAAGJAjwEGAEIACYWIQRo0hgj
NCoTaDrrPk77TGhbXcHBPgUCZykRewIbDAUJA8JnAAAKCRD7TGhbXcHBPozGD/0Y
fkktGwGq2vPZUI/Fscv+VnEqVt94dBnS0/6GyYvhI7Tf81v+72URlQeX8TUQox9B
8d3Aru5b2+iSkPcvH70PbY8jt/yTwHtSlFzf6+YPIl+oyTz7DoiILSjrO51ntl8g
KmIb8Q9W74xV6VFIJ4m8rH04MKFpIlzUDq660JYQIGtOUFugSfg7aLVU/0j4WKKE
KfAfg93wYTKKd+JgRFy4FZPriem7HvlUSi2VKffdrrUF/PX35X74iKdPQoEADZi8
KkMZULDtyQ6ZOu2hiDpArjo5hDadKM314Z65VnM11hjiEhmTF3IyGBllb0qBIk0L
nBVHuMYmiqBNJEbaqHLqIju8/RvFlYV+AMISeA7B68knbJcao13ogtDpuJ4hpgCj
j2B1n0NWMcju0gteu1sfsIaQbWHevH2vgl5LJDCNtUJN/NoWB2Uov27wEvsongwY
3du40TnM+5ejwf4r8D3wX+JpVCAhfr3Oc0knw14nRqFPAe1E7DNURJ8xfEV9iPRA
swo6qoh7IIxNETUG1rywRExNt6tHsojx0Wb0I0IB7CnWRK9F6oNRp0S4kVgp+Jeh
a9NGXFK2hn8qBD/rpUPsj/OdkiBN+C7Ai07rCNez+IKdnUfXkOJqLCOyeUwC9WPl
uFPB9RnnghYM4xhMWf8XvSLOOk/vgPxiqR5ANLObsbkCDQRnKRLhARAAuh+b2Oxj
9q+RRZ+pkDVf/M6P01yDmDhwtYHzi/LW8PFHC6iQlzMReyv1R5n3uCEpAZ++mdUe
Cgo2TmFnYdpmxEgdaMIW98uqe4fuHhoXU2Mh4eiN7jyJvXQCsijCDYzifoj03HY7
nTVjw4+BSSu9kA3/vEqU9A5YjG01MmVSMaIaTrqZqsnypK6r2exJa7YVRYwRqpLY
C5ksikDVK9ftdfhjnsnYGS4pYyfMNSHY1KBMpHjT7wEkM+KZ2WRpjTZZ7nP9u4Lf
fJMKgcclRgf+13CeSaJfVIhjJlxGVLkloE8XJbOeh2vkK257e9BenEFgQnyLCpGJ
8YNsnsJVhxU1aA62dT7jmnOVMBhnGoNhMyzzfvUw0REz2VbpZBkiwZRfZ9MWUBsy
bneH8NwzZMQQLCc/yo/jnPrmDS+tgl4CXGzBtpxPUZSMuY4tHZZ2vBb0zcfhY7P1
CrHuylXLFzkOO/XRP3w1F8I1UqJCjdTKjdjCDF/VWtedHee1iEsSHxPGH8fHp4Qp
rBDDwZ4NnfilYNHMDWm6U1bzhX2ynqcGArQSd1Ny/oL7JzE1qoH/nNrwVvOSSNWF
UTXFXeLy+SOXJdFJpGP+/wV+gYfyczoUP6vmCdK1Hs15WQvKzyP/nmLS5uLilfxV
KrxZDI6SNrS4f/XkHcGnYByFKUhq5gVN0ZcAEQEAAYkEcgQYAQgAJhYhBGjSGCM0
KhNoOus+TvtMaFtdwcE+BQJnKRLhAhsCBQkDwmcAAkAJEPtMaFtdwcE+wXQgBBkB
CAAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmcpEuEACgkQzcroySfGvjExiQ//
TKQ2Ci+sqNSVIcwg/k0Go1i4cA7lhKNdYRBCaIThB9jMqNg2zgPzgELBcaVJL8xw
0E2x2ZvBejM4X+eTrmkdufcxHR8B/zBF8oPlD2pgs/zZmZEO1gq4Cdab7yIoVNNr
foCZShxOCPR2wIixcYZtt5f7Z3zSXqkjIec6sTOedT75ZXrpQbvINeUkvOJfMCOi
ailauvDfv8k5iJUVbP+Dx1vOc88bvewVJcbLID4HIRr/PS+k1D10zGbnF71TnxGZ
r7anMZCSFCHJ5WV+BSwHHKtxRy+bJ1x9ML45Jcr1anTXeaHIeSKNzFBigJQSgHv0
euegkD3Rmw+IcxNb4l536selaNR0UAwx1DC1qpjBtnE9/pXdTEsZQxq9kMrj0d+f
VKFjOKADVIpkx7o0dZ1jmbUmdjQVyGDgHE+Emgdd726/2ftWriW2uPeUC6YZiqbt
vBnCnwF+aV6P1nrE0BWJchLyBjDCe5Y2oXBAYF6xwpDPfMPr4oscqzPV4TWVULBi
brtRWgSxmvinIGFx9T9wQCVfX254dqBaAEhRMImoT/YP+6evRZKqQODRhI44OG7u
V71IVAJ8BHEBN8hxvQM3WPs1fhwMBFCyGfr/x/U4/c78R9JhxkU9VwmMbLGQP7VP
1QgfiHqZpHMk8ZUmQn6KLeurzWcnwPFkwgFPZED8OQOMXxAAio3DhWr5KDd3mICH
ALNY0A2ipb/JH6LSHxu0S3MLa/bF6PbqRY1+fKMT/cFVxln99rNUrX+hDRbc7qbh
KkxvGmcnXnkcTHah9bfUghEanlKkBr1g1ik3zgEnpO/x3+X39Ov+ge92MDawV0nq
k9R/9tS+ZD/ph72Q9kx3ZfVNSL0eWxjuwBzFW0Zwh5TAX4raSmyQCmAXi05O3YmN
iq4arSUg5oAOMRZ+d96DsrAS4Sdtlx6/CuKTBzEaGPQLQ9wJNB0Vmd/eQWTP99KY
cAdIwj5BJ5P0Z7+xhsVjQOntn4otnP6vN6RuDtYrS6M7TCN/ZeKCvN/G0nRac4D+
IJX3CYYtYXgaoDuoetUWtc7O5PzHRETaBt/46ob2lzf6cT5QyVujTfz+i0rGEc63
pvXK8mV+K7BFY/DHpdEhl1pDw2YYLbBmUthQWdsL6/TVvpMe/wZadvJ/by3AeRzQ
eusUucuSo9UNN7Yj8u3dRhxNgsSiU96A/SFlAoB5s3Onh5K4WEVCBu/INjdi+r2B
LJePSnA3I7VkRE9Haf1D28jtBzm3Xbft2rs3lO18FcCqw6kd7Ih3e0tZ8uUG9UDv
qTDHTUHLAWvwrq38gKKAu2RMaU06A5kR87RcQiizxOwBIwiHuUWMU4/Hyx6fXsOD
hEs0O6AFDarNDZGee2amKTAyZpG5Ag0EZykTxQEQAOwGV1boBD3vDLsoAT62nGxb
SqXiBsObxnpWbNifOzM9BUGPOIpHsSH32PZGG/+LNjNdECfyyP1RysH5OT7j92Q8
vgRQoG3X985gbOjYyZc0xvAkTSvWxOiy5CuF3X8sJ3NSerQDXwjP9qVqLVj/3FB8
nka1HFS7KzC3Zo/kzCoxeZ3/hV3PTWIjcoJvtBSCKPZyOJxnRqWfi5BNJo3S2SR1
mxV967zawXiZ8MeeBl6rLhOfCBtz9g+bqrXZYoenuMn5Js2mcH0haYeMSV3UWIC4
kinzr1EJxs+L1/hVCVBNiiDc6DXcFXoz9ZVc9kjpZTOMoZVDkRkyOeen+5Sya9wK
4teLmDLME4+pgeHCS/Wa4KrYyEWe7NpG1VTkSJnRS+fyYGTWtwEiuwT6J9U0t1d5
hbxhM7YAhlnOEnNVmqa3Bq3yqJs9G/7gicZ7CIJ9JBHKTJzOnKfpGhxBSOgOoCOa
WW6uVCzDqfrYPmCUIKQmanB441xJFGuHVPMLBjVjswoMKGkK3gM6KMRCDYQ53u6s
FK+Jcl8HobBSezVIUKpKVX3IW9d506cE0FhSW/NvWJv0FIMVloyC2BpOjSWVgEwX
tk/m3SKPsgCAcCqzi7xlloR8+E9C2xci9cdGG5faghgSjaP6j0qDww/slRPQJc5A
DIeukkOYTCiSiDwQtblJABEBAAGJAjMEGAEIACcWIQRo0hgjNCoTaDrrPk77TGhb
XcHBPgUCZykTxQMbIAQFCQPCZwAAADcWD/4qJRLn7TcMtRMF43Yn+dX+O13YrxBC
T4n1QVmiPsGrUca4Vg1J+trV6IMsGrhktpiaV0qeL/km0h02m4gEDZKDyWWXdeWh
EXFaTVy9yCpSXUWJl5gSXTSwxrqBWyWLlLLk4UT9l9sk5mMdy0JA8unobV4M/eXQ
ggR11DL3ji7aO0hsqxyxXkJcawWjVGW5KL1EaoDKIJ/CwxOI5ipFueMIRQjQvw9A
o/w2fq11qVXY9zknk6pFkp/RDHLes+wVHDtebZfJ9xV7Mb1mf/k03dT56GaA/U3E
XvJ2FdgWR+zf+YMEa9MPDHYo2UNEvk9mOk247M8s+OeexdlkPgyKW5A8mtYuY/dR
j8W6C4pLcMWa+d/vIUpm5Guw0F5q0AWk9/FbBe9HLztEevvRnuHXmfTZeto/nCAi
Yg4pCj6p3JoN5CLebR8YtWm9AJBbX1kgVvqSU2VgwYIFsxBEz8Wu2h7z/eSCSeIg
ARFbTlJ6cBrRkXCVyhbv0LPWWUfAUqiEtdGxrA4Xx/jKrI02JjRdW/bZkXjSka8K
+cDlpcr9ixBWW5LkWsOdiL8jExfTGw25FA7Wd1HiHnBv36Mu/zb+0/I63d+fLq93
e3lmmVx9qQF8p5Okf4ojY9YoIHVkLS7t9AgFjm/ucmpEGbXxyPk2Cr3l+b5R41x3
dBW9kxiuWpZN3Q==
=iuRK
-----END PGP PUBLIC KEY BLOCK-----

474
SPECS/libselinux.spec → changelog
View File

@ -1,336 +1,259 @@
* Tue May 27 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-2
- Prioritize local literal fcontext definitions (rhbz#2360183)
%global with_ruby 1
* Thu Jan 30 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-1
- SELinux userspace 3.8 release
%if 0%{?with_ruby}
%global ruby_inc %(pkg-config --cflags ruby)
%endif
* Wed Dec 18 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.8-0.rc3.1
- SELinux userspace 3.8-rc3 release
%define libsepolver 2.9-1
%define libselinuxrelease 10
* Wed Dec 04 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.8-0.rc1.2
- libselinux/utils: drop reachable assert in sefcontext_compile
Summary: SELinux library and simple utilities
Name: libselinux
Version: 2.9
Release: %{libselinuxrelease}%{?dist}
License: Public Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libselinux-2.9.tar.gz
Source1: selinuxconlist.8
Source2: selinuxdefcon.8
Url: https://github.com/SELinuxProject/selinux/wiki
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
Patch0001: 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
Patch0003: 0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
Patch0004: 0004-Bring-some-old-permission-and-flask-constants-back-t.patch
Patch0005: 0005-libselinux-add-missing-av_permission-values.patch
Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch
Patch0013: 0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
Patch0014: 0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
Patch0015: 0015-libselinux-restorecon-Include-selinux-label.h.patch
Patch0016: 0016-libselinux-Fix-NULL-pointer-use-in-selinux_restoreco.patch
Patch0017: 0017-libselinux-Close-old-selabel-handle-when-setting-a-n.patch
* Thu Nov 28 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.8-0.rc1.1
- SELinux userspace 3.8-rc1 release
BuildRequires: gcc
%if 0%{?with_ruby}
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
%else
BuildRequires: libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
%endif
BuildRequires: python3 python3-devel
%if 0%{?with_python2}
BuildRequires: python2 python2-devel
%endif
BuildRequires: systemd
Requires: libsepol%{?_isa} >= %{libsepolver} pcre2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
* Tue Nov 12 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-5
- setexecfilecon: Remove useless rc check (RHEL-35586)
- matchpathcon: RESOURCE_LEAK: Variable "con" (RHEL-35584)
%description
Security-enhanced Linux is a feature of the Linux® kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These
architectural components provide general support for the enforcement
of many kinds of mandatory access control policies, including those
based on the concepts of Type Enforcement®, Role-based Access
Control, and Multi-level Security.
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.7-4
- Bump release for October 2024 mass rebuild (RHEL-64018)
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
* Thu Oct 17 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-3.1
- fix swig bindings for 4.3.0
- deprecate security_disable(3)
%package utils
Summary: SELinux libselinux utilities
Requires: %{name}%{?_isa} = %{version}-%{release}
* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-3
- restorecon: Include <selinux/label.h> (RHEL-53852)
- Fix integer comparison issues when compiling for 32-bit
%description utils
The libselinux-utils package contains the utilities
* Tue Jul 09 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-2
- set free'd data to NULL (#2295428)
%if 0%{?with_python2}
%package -n libselinux-python
%{?python_provide:%python_provide python2-libselinux}
Provides: python2-%{name} = %{version}-%{release}
Provides: python2-%{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python < %{version}-%{release}
Summary: SELinux python bindings for libselinux
Requires: %{name}%{?_isa} >= %{version}-%{libselinuxrelease}
* Thu Jun 27 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-1
- SELinux userspace 3.7 release
%description -n libselinux-python
The libselinux-python package contains the python bindings for developing
SELinux applications.
%endif
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.6-6
- Bump release for June 2024 mass rebuild
%package -n python3-libselinux
Summary: SELinux python 3 bindings for libselinux
Requires: %{name}%{?_isa} = %{version}-%{release}
%{?python_provide:%python_provide python3-libselinux}
# Remove before F30
Provides: %{name}-python3 = %{version}-%{release}
Provides: %{name}-python3%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python3 < %{version}-%{release}
* Mon Apr 01 2024 Christoph Erhardt <fedora@sicherha.de> - 3.6-5
- Drop unused `xz-devel` build dependency
%description -n python3-libselinux
The libselinux-python3 package contains python 3 bindings for developing
SELinux applications.
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
%if 0%{?with_ruby}
%package ruby
Summary: SELinux ruby bindings for libselinux
Requires: %{name}%{?_isa} = %{version}-%{release}
Provides: ruby(selinux)
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
%description ruby
The libselinux-ruby package contains the ruby bindings for developing
SELinux applications.
%endif # with_ruby
* Wed Jan 03 2024 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.6-2
- Rebuild for https://fedoraproject.org/wiki/Changes/Ruby_3.3
%package devel
Summary: Header files and libraries used to build SELinux
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: libsepol-devel%{?_isa} >= %{libsepolver}
* Thu Dec 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-1
- SELinux userspace 3.6 release
%description devel
The libselinux-devel package contains the libraries and header files
needed for developing SELinux applications.
* Thu Nov 23 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-0.rc2.1
- SELinux userspace 3.6-rc2 release
%package static
Summary: Static libraries used to build SELinux
Requires: %{name}-devel%{?_isa} = %{version}-%{release}
* Mon Nov 13 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-0.rc1.1
- SELinux userspace 3.6-rc1 release
%description static
The libselinux-static package contains the static libraries
needed for developing SELinux applications.
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
%prep
%autosetup -p 2 -n libselinux-%{version}
* Thu Jun 22 2023 Vit Mojzis <vmojzis@redhat.com> - 3.5-4
- Add examples to man pages
%build
export DISABLE_RPM="n"
export USE_PCRE2="y"
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 3.5-3
- Rebuilt for Python 3.12
%set_build_flags
* Fri May 26 2023 Miro Hrončok <mhroncok@redhat.com> - 3.5-2
- Fix build with pip 23.1.2+
- Fixes: rhbz#2209019
# To support building the Python wrapper against multiple Python runtimes
# Define a function, for how to perform a "build" of the python wrapper against
# a specific runtime:
BuildPythonWrapper() {
BinaryName=$1
* Fri Feb 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
- SELinux userspace 3.5 release
# Perform the build from the upstream Makefile:
make \
PYTHON=$BinaryName \
LIBDIR="%{_libdir}" %{?_smp_mflags} \
pywrap
}
* Mon Feb 13 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1
- SELinux userspace 3.5-rc3 release
make clean
make LIBDIR="%{_libdir}" %{?_smp_mflags} swigify
make LIBDIR="%{_libdir}" %{?_smp_mflags} all
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-0.rc2.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
%if 0%{?with_python2}
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
BuildPythonWrapper %{__python2}
%endif
BuildPythonWrapper %{__python3}
* Mon Jan 16 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
- SELinux userspace 3.5-rc2 release
%if 0%{?with_ruby}
make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" %{?_smp_mflags} rubywrap
%endif
* Wed Jan 04 2023 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.5-0.rc1.1.1
- Rebuild for https://fedoraproject.org/wiki/Changes/Ruby_3.2
%install
InstallPythonWrapper() {
BinaryName=$1
* Fri Dec 23 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
- SELinux userspace 3.5-rc1 release
make \
PYTHON=$BinaryName \
LIBDIR="%{_libdir}" %{?_smp_mflags} \
LIBSEPOLA="%{_libdir}/libsepol.a" \
pywrap
* Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-6
- Rebase on upstream f56a72ac9e86
make \
PYTHON=$BinaryName \
DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
SHLIBDIR="%{_lib}" BINDIR="%{_bindir}" \
SBINDIR="%{_sbindir}" \
LIBSEPOLA="%{_libdir}/libsepol.a" \
install-pywrap
}
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
rm -rf %{buildroot}
mkdir -p %{buildroot}%{_tmpfilesdir}
mkdir -p %{buildroot}%{_libdir}
mkdir -p %{buildroot}%{_includedir}
mkdir -p %{buildroot}%{_sbindir}
install -d -m 0755 %{buildroot}%{_rundir}/setrans
echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libselinux.conf
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 3.4-4
- Rebuilt for Python 3.11
%if 0%{?with_python2}
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
InstallPythonWrapper %{__python2}
mv %{buildroot}%{python2_sitearch}/selinux/_selinux.so %{buildroot}%{python2_sitearch}/
%endif
InstallPythonWrapper %{__python3}
mv %{buildroot}%{python3_sitearch}/selinux/_selinux.*.so %{buildroot}%{python3_sitearch}/
* Tue May 31 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-3
- Revert "libselinux: restorecon: pin file to avoid TOCTOU issues"
%if 0%{?with_ruby}
make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" RUBYINSTALL=%{ruby_vendorarchdir} install install-rubywrap
%else
make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" install
%endif
* Wed May 25 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-2
- rebuilt
# Nuke the files we don't want to distribute
rm -f %{buildroot}%{_sbindir}/compute_*
rm -f %{buildroot}%{_sbindir}/deftype
rm -f %{buildroot}%{_sbindir}/execcon
rm -f %{buildroot}%{_sbindir}/getenforcemode
rm -f %{buildroot}%{_sbindir}/getfilecon
rm -f %{buildroot}%{_sbindir}/getpidcon
rm -f %{buildroot}%{_sbindir}/mkdircon
rm -f %{buildroot}%{_sbindir}/policyvers
rm -f %{buildroot}%{_sbindir}/setfilecon
rm -f %{buildroot}%{_sbindir}/selinuxconfig
rm -f %{buildroot}%{_sbindir}/selinuxdisable
rm -f %{buildroot}%{_sbindir}/getseuser
rm -f %{buildroot}%{_sbindir}/togglesebool
rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context
mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
install -d %{buildroot}%{_mandir}/man8/
install -m 644 %{SOURCE1} %{buildroot}%{_mandir}/man8/
install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
rm -f %{buildroot}%{_mandir}/man8/togglesebool*
* Thu May 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1
- SELinux userspace 3.4 release
%ldconfig_scriptlets
* Tue May 10 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc3.1
- SELinux userspace 3.4-rc3 release
%files
%license LICENSE
%{_libdir}/libselinux.so.*
%dir %{_rundir}/setrans/
%{_tmpfilesdir}/libselinux.conf
* Thu Apr 21 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc2.1
- SELinux userspace 3.4-rc2 release
%files utils
%{_sbindir}/avcstat
%{_sbindir}/getenforce
%{_sbindir}/getsebool
%{_sbindir}/matchpathcon
%{_sbindir}/sefcontext_compile
%{_sbindir}/selinuxconlist
%{_sbindir}/selinuxdefcon
%{_sbindir}/selinuxexeccon
%{_sbindir}/selinuxenabled
%{_sbindir}/setenforce
%{_sbindir}/selabel_digest
%{_sbindir}/selabel_lookup
%{_sbindir}/selabel_lookup_best_match
%{_sbindir}/selabel_partial_match
%{_sbindir}/selinux_check_access
%{_mandir}/man5/*
%{_mandir}/man8/*
%{_mandir}/ru/man5/*
%{_mandir}/ru/man8/*
* Tue Apr 12 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc1.1
- SELinux userspace 3.4-rc1 release
%files devel
%{_libdir}/libselinux.so
%{_libdir}/pkgconfig/libselinux.pc
%{_includedir}/selinux/
%{_mandir}/man3/*
* Thu Jan 27 2022 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.3-4
- F-36: rebuild against ruby31
%files static
%{_libdir}/libselinux.a
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
%if 0%{?with_python2}
%files -n libselinux-python
%{python2_sitearch}/selinux/
%{python2_sitearch}/_selinux.so
%{python2_sitearch}/selinux-%{version}-*
%endif
* Mon Nov 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
- Introduce selinux_restorecon_parallel(3)
%files -n python3-libselinux
%{python3_sitearch}/selinux/
%{python3_sitearch}/_selinux.*.so
%{python3_sitearch}/selinux-%{version}-*
* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
- SELinux userspace 3.3 release
%if 0%{?with_ruby}
%files ruby
%{ruby_vendorarchdir}/selinux.so
%endif
* Fri Oct 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
- SELinux userspace 3.3-rc3 release
%changelog
* Fri Jan 24 2025 Petr Lautrbach <lautrbach@redhat.com> - 2.9-10
- Close old selabel handle when setting a new one (RHEL-73348)
- Fix NULL pointer use in selinux_restorecon_set_sehandle (RHEL-74252)
* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
- SELinux userspace 3.3-rc2 release
* Mon Jul 29 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-9
- restorecon: Include <selinux/label.h> (RHEL-50830)
* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-4
- Rebase on upstream commit 32611aea6543
* Wed Dec 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
- restorecon: Fix memory leak - xattr_value (#2137965)
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Dec 06 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-7
- Restorecon: Ignore missing directories when -i is used (#2137965)
* Thu Jun 03 2021 Python Maint <python-maint@redhat.com> - 3.2-2
- Rebuilt for Python 3.10
* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-6
- Describe fcontext regular expressions (#1904059)
- Strip spaces before values in config (#2012145)
* Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
- SELinux userspace 3.2 release
* Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
- Deprecate security_compute_user(), update man pages (#1879368)
* Fri Feb 5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
- SELinux userspace 3.2-rc2 release
* Thu Sep 24 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-4
- Eliminate use of security_compute_user() (#1879368)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Nov 08 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
- Fix mcstrans secolor examples in secolor.conf man page (#1770270)
* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
- SELinux userspace 3.2-rc1 release
* Mon Jun 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2.1
- Use Python distutils to install SELinux python bindings (#1719771)
- Move sefcontext_compile to -utils package (#1612518)
* Thu Jan 07 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.1-6
- F-34: rebuild against ruby 3.0
* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
- selinux(8): explain that runtime disable is deprecated
* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
- Use libsepol.so.2
- Convert matchpathcon to selabel_lookup()
- Change userspace AVC setenforce and policy load messages to audit
format
- Remove trailing slash on selabel_file lookups
- Use kernel status page by default
* Wed Sep 02 2020 Jeff Law <law@redhat.com> - 3.1-3
- Re-enable LTO
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
- Use -fno-semantic-interposition and more make macros
* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
- SELinux userspace 3.1 release
* Wed Jul 1 2020 Jeff Law <law@redhat.com> - 3.0-6
- Disable LTO
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-5
- Rebuilt for Python 3.9
* Thu Mar 5 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-4
- Eliminate use of security_compute_user()
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jan 18 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.0-2
- F-32: rebuild against ruby27
* Fri Dec 6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
- SELinux userspace 3.0 release
* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.r1.1
- SELinux userspace 3.0-rc1 release candidate
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-7
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-6
- Rebuilt for Python 3.8
* Mon Aug 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
- Drop python2-libselinux (#1739646)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jun 28 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
- Use standard build flags for Python bindings
* Fri May 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2
- Use Python distutils to install SELinux python bindings
* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
- SELinux userspace 2.9 release
* Tue Nov 6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6
* Wed Mar 6 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
- SELinux userspace 2.9-rc2 release
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
- SELinux userspace 2.9-rc1 release
* Tue Jan 22 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.8-8
- F-30: again rebuild against ruby26
* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
- selinux_restorecon: Skip customized files also without -v
- Do not dereference symlink with statfs in selinux_restorecon
* Mon Jan 21 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.8-6
- F-30: rebuild against ruby26
* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
- Fix RESOURCE_LEAK coverity scan defects
* Mon Oct 15 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
- selinux_restorecon: Skip customized files also without -v
- man pages fixes
* Tue Sep 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
- Fix the whatis line for the selinux_boolean_sub.3 manpage
- Fix line wrapping in selabel_file.5
- Fix spelling errors in manpages
* Mon Oct 1 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
- Build libselinux-python when %with_python2 macro is set to non-zero value
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Jun 22 2018 Petr Lautrbach <plautrba@workstation> - 2.8-3
- Build libselinux-ruby (#1581322)
* Thu Jun 7 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-2
- Don't build the Python 2 subpackage (#1567358)
* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-2
- Rebuilt for Python 3.7
* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
- SELinux userspace 2.8 release
@ -344,9 +267,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
- SELinux userspace 2.8-rc1 release candidate
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-14
- Do not build libselinux-ruby
* Wed Mar 21 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-13
- build: Replace PYSITEDIR with PYTHONLIBDIR

6
gating.yaml Normal file
View File

@ -0,0 +1,6 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

224
libselinux.spec Normal file
View File

@ -0,0 +1,224 @@
%define ruby_inc %(pkg-config --cflags ruby)
%define libsepolver 3.8-1
Summary: SELinux library and simple utilities
Name: libselinux
Version: 3.8
Release: 2%{?dist}
License: LicenseRef-Fedora-Public-Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz.asc
Source2: https://github.com/bachradsusi.gpg
Source3: selinuxconlist.8
Source4: selinuxdefcon.8
Url: https://github.com/SELinuxProject/selinux/wiki
# $ git clone https://github.com/fedora-selinux/selinux.git
# $ cd selinux
# $ git format-patch -N 3.8 -- libselinux
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start
Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
Patch0002: 0002-libselinux-prioritize-local-literal-fcontext-definit.patch
Patch0003: 0003-libselinux-Revert-part-of-previous-patch.patch
# Patch list end
BuildRequires: gcc make
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel
BuildRequires: python3 python3-devel python3-setuptools python3-wheel python3-pip
BuildRequires: systemd
BuildRequires: gnupg2
Requires: libsepol%{?_isa} >= %{libsepolver} pcre2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
%description
Security-enhanced Linux is a feature of the Linux® kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These
architectural components provide general support for the enforcement
of many kinds of mandatory access control policies, including those
based on the concepts of Type Enforcement®, Role-based Access
Control, and Multi-level Security.
libselinux provides an API for SELinux applications to get and set
process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
%package utils
Summary: SELinux libselinux utilities
Requires: %{name}%{?_isa} = %{version}-%{release}
%description utils
The libselinux-utils package contains the utilities
%package -n python3-libselinux
Summary: SELinux python 3 bindings for libselinux
Requires: %{name}%{?_isa} = %{version}-%{release}
%{?python_provide:%python_provide python3-libselinux}
# Remove before F30
Provides: %{name}-python3 = %{version}-%{release}
Provides: %{name}-python3%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python3 < %{version}-%{release}
%description -n python3-libselinux
The libselinux-python3 package contains python 3 bindings for developing
SELinux applications.
%package ruby
Summary: SELinux ruby bindings for libselinux
Requires: %{name}%{?_isa} = %{version}-%{release}
Provides: ruby(selinux)
%description ruby
The libselinux-ruby package contains the ruby bindings for developing
SELinux applications.
%package devel
Summary: Header files and libraries used to build SELinux
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: libsepol-devel%{?_isa} >= %{libsepolver}
%description devel
The libselinux-devel package contains the libraries and header files
needed for developing SELinux applications.
%package static
Summary: Static libraries used to build SELinux
Requires: %{name}-devel%{?_isa} = %{version}-%{release}
%description static
The libselinux-static package contains the static libraries
needed for developing SELinux applications.
%prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p 2 -n libselinux-%{version}
%build
export DISABLE_RPM="y"
export USE_PCRE2="y"
%set_build_flags
CFLAGS="$CFLAGS -fno-semantic-interposition"
# To support building the Python wrapper against multiple Python runtimes
# Define a function, for how to perform a "build" of the python wrapper against
# a specific runtime:
BuildPythonWrapper() {
BinaryName=$1
# Perform the build from the upstream Makefile:
%make_build \
PYTHON=$BinaryName \
LIBDIR="%{_libdir}" \
pywrap
}
%make_build LIBDIR="%{_libdir}" swigify
%make_build LIBDIR="%{_libdir}" all
BuildPythonWrapper %{__python3}
%make_build RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" rubywrap
%install
InstallPythonWrapper() {
BinaryName=$1
make \
PYTHON=$BinaryName \
DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
SHLIBDIR="%{_lib}" BINDIR="%{_bindir}" \
SBINDIR="%{_sbindir}" \
LIBSEPOLA="%{_libdir}/libsepol.a" \
install-pywrap
}
rm -rf %{buildroot}
mkdir -p %{buildroot}%{_tmpfilesdir}
mkdir -p %{buildroot}%{_libdir}
mkdir -p %{buildroot}%{_includedir}
mkdir -p %{buildroot}%{_sbindir}
install -d -m 0755 %{buildroot}%{_rundir}/setrans
echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libselinux.conf
InstallPythonWrapper %{__python3}
%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}"
make DESTDIR="%{buildroot}" RUBYINSTALL=%{ruby_vendorarchdir} install-rubywrap
# Nuke the files we don't want to distribute
rm -f %{buildroot}%{_sbindir}/compute_*
rm -f %{buildroot}%{_sbindir}/deftype
rm -f %{buildroot}%{_sbindir}/execcon
rm -f %{buildroot}%{_sbindir}/getenforcemode
rm -f %{buildroot}%{_sbindir}/getfilecon
rm -f %{buildroot}%{_sbindir}/getpidcon
rm -f %{buildroot}%{_sbindir}/mkdircon
rm -f %{buildroot}%{_sbindir}/policyvers
rm -f %{buildroot}%{_sbindir}/setfilecon
rm -f %{buildroot}%{_sbindir}/selinuxconfig
rm -f %{buildroot}%{_sbindir}/selinuxdisable
rm -f %{buildroot}%{_sbindir}/getseuser
rm -f %{buildroot}%{_sbindir}/togglesebool
rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context
mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
install -d %{buildroot}%{_mandir}/man8/
install -m 644 %{SOURCE3} %{buildroot}%{_mandir}/man8/
install -m 644 %{SOURCE4} %{buildroot}%{_mandir}/man8/
rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%ldconfig_scriptlets
%files
%license LICENSE
%{_libdir}/libselinux.so.*
%dir %{_rundir}/setrans/
%{_tmpfilesdir}/libselinux.conf
%files utils
%{_sbindir}/avcstat
%{_sbindir}/getenforce
%{_sbindir}/getpidprevcon
%{_sbindir}/getpolicyload
%{_sbindir}/getsebool
%{_sbindir}/matchpathcon
%{_sbindir}/sefcontext_compile
%{_sbindir}/selinuxconlist
%{_sbindir}/selinuxdefcon
%{_sbindir}/selinuxexeccon
%{_sbindir}/selinuxenabled
%{_sbindir}/setenforce
%{_sbindir}/selabel_compare
%{_sbindir}/selabel_digest
%{_sbindir}/selabel_lookup
%{_sbindir}/selabel_lookup_best_match
%{_sbindir}/selabel_partial_match
%{_sbindir}/selinux_check_access
%{_sbindir}/selabel_get_digests_all_partial_matches
%{_sbindir}/validatetrans
%{_mandir}/man5/*
%{_mandir}/man8/*
%files devel
%{_libdir}/libselinux.so
%{_libdir}/pkgconfig/libselinux.pc
%{_includedir}/selinux/
%{_mandir}/man3/*
%files static
%{_libdir}/libselinux.a
%files -n python3-libselinux
%{python3_sitearch}/selinux/
%{python3_sitearch}/selinux-%{version}*
%{python3_sitearch}/_selinux*
%files ruby
%{ruby_vendorarchdir}/selinux.so
%changelog
%autochangelog

7
plans/selinux.fmf Normal file
View File

@ -0,0 +1,7 @@
summary: selinux tests - Tier 1 | libselinux
discover:
how: fmf
url: https://src.fedoraproject.org/tests/selinux
filter: "tier: 1 | component: libselinux"
execute:
how: tmt

6
rubytest.rb Normal file
View File

@ -0,0 +1,6 @@
require 'selinux'
print "selinux\n"
print "Is selinux enabled? " + Selinux.is_selinux_enabled().to_s + "\n"
print "Is selinux enforce? " + Selinux.security_getenforce().to_s + "\n"
print "Setfscreatecon? " + Selinux.setfscreatecon("system_u:object_r:etc_t:s0").to_s + "\n"
print "/etc -> " + Selinux.matchpathcon("/etc", 0)[1] + "\n"

0
SOURCES/selinuxconlist.8 → selinuxconlist.8
View File

0
SOURCES/selinuxdefcon.8 → selinuxdefcon.8
View File

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (libselinux-3.8.tar.gz) = e36edec33c3960679a8975f839a4d64d4b1f82d51346fba21082c2686136259040099c7fee2c947ac2ca180d61d10356c9b3d359a1c5f1242b6ecdd7c036005e
SHA512 (libselinux-3.8.tar.gz.asc) = 91e09b93949a774fcf7fe2e6b936170f56156f0661a157b5802a847486cb406e2bd24b301afa6e096eca928dcf6b53cd5ed58318a287123231f7ae712f190484