Compare commits
No commits in common. "imports/c9-beta/libselinux-3.2-6.el9" and "c8" have entirely different histories.
imports/c9
...
c8
|
|
@ -1 +1 @@
|
|||
SOURCES/libselinux-3.2.tar.gz
|
||||
SOURCES/libselinux-2.9.tar.gz
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
59d7e9a2db64ba994e2da976b4374871535cd196 SOURCES/libselinux-3.2.tar.gz
|
||||
c53911ee9da673f7653ab1afe66c0b2bf5fb5ac9 SOURCES/libselinux-2.9.tar.gz
|
||||
|
|
|
|||
|
|
@ -0,0 +1,31 @@
|
|||
From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Wed, 16 Jul 2014 08:28:03 +0200
|
||||
Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
|
||||
|
||||
---
|
||||
libselinux/man/man8/selinux.8 | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
|
||||
index e37aee68..bf23b655 100644
|
||||
--- a/libselinux/man/man8/selinux.8
|
||||
+++ b/libselinux/man/man8/selinux.8
|
||||
@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
.BR sepolicy (8),
|
||||
.BR system-config-selinux (8),
|
||||
.BR togglesebool (8),
|
||||
-.BR restorecon (8),
|
||||
.BR fixfiles (8),
|
||||
+.BR restorecon (8),
|
||||
.BR setfiles (8),
|
||||
.BR semanage (8),
|
||||
.BR sepolicy (8)
|
||||
+.BR seinfo (8),
|
||||
+.BR sesearch (8)
|
||||
|
||||
Every confined service on the system has a man page in the following format:
|
||||
.br
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
|
@ -1,59 +0,0 @@
|
|||
From f63263c2d002fc8a4e681ea1a1b1db1e455acc49 Mon Sep 17 00:00:00 2001
|
||||
From: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
Date: Thu, 22 Apr 2021 08:43:56 +0200
|
||||
Subject: [PATCH] libselinux: do not duplicate make target when going into
|
||||
subdirectory
|
||||
|
||||
When running "make install-pywrap", make displays:
|
||||
|
||||
make[1]: Entering directory '/root/selinux/libselinux'
|
||||
make -C src install-pywrap install-pywrap
|
||||
make[2]: Entering directory '/root/selinux/libselinux/src'
|
||||
|
||||
The duplicated "install-pywrap" is not expected. Remove it from the
|
||||
Makefile.
|
||||
|
||||
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
---
|
||||
libselinux/Makefile | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/libselinux/Makefile b/libselinux/Makefile
|
||||
index ac16c15e8d0a..439bc6a9b7fd 100644
|
||||
--- a/libselinux/Makefile
|
||||
+++ b/libselinux/Makefile
|
||||
@@ -50,24 +50,24 @@ all install relabel clean distclean indent:
|
||||
done
|
||||
|
||||
swigify: all
|
||||
- $(MAKE) -C src swigify $@
|
||||
+ $(MAKE) -C src $@
|
||||
|
||||
pywrap:
|
||||
- $(MAKE) -C src pywrap $@
|
||||
+ $(MAKE) -C src $@
|
||||
|
||||
rubywrap:
|
||||
- $(MAKE) -C src rubywrap $@
|
||||
+ $(MAKE) -C src $@
|
||||
|
||||
install-pywrap:
|
||||
- $(MAKE) -C src install-pywrap $@
|
||||
+ $(MAKE) -C src $@
|
||||
|
||||
install-rubywrap:
|
||||
- $(MAKE) -C src install-rubywrap $@
|
||||
+ $(MAKE) -C src $@
|
||||
|
||||
clean-pywrap:
|
||||
- $(MAKE) -C src clean-pywrap $@
|
||||
+ $(MAKE) -C src $@
|
||||
|
||||
clean-rubywrap:
|
||||
- $(MAKE) -C src clean-rubywrap $@
|
||||
+ $(MAKE) -C src $@
|
||||
|
||||
test:
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,214 @@
|
|||
From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001
|
||||
From: Dan Walsh <dwalsh@redhat.com>
|
||||
Date: Mon, 23 Dec 2013 09:50:54 -0500
|
||||
Subject: [PATCH] Verify context input to funtions to make sure the context
|
||||
field is not null.
|
||||
|
||||
Return errno EINVAL, to prevent segfault.
|
||||
|
||||
Rejected by upstream https://marc.info/?l=selinux&m=145036088424584&w=2
|
||||
|
||||
FIXME: use __attribute__(nonnull (arg-index, ...))
|
||||
---
|
||||
libselinux/src/avc_sidtab.c | 5 +++++
|
||||
libselinux/src/canonicalize_context.c | 5 +++++
|
||||
libselinux/src/check_context.c | 5 +++++
|
||||
libselinux/src/compute_av.c | 5 +++++
|
||||
libselinux/src/compute_create.c | 5 +++++
|
||||
libselinux/src/compute_member.c | 5 +++++
|
||||
libselinux/src/compute_relabel.c | 5 +++++
|
||||
libselinux/src/compute_user.c | 5 +++++
|
||||
libselinux/src/fsetfilecon.c | 8 ++++++--
|
||||
libselinux/src/lsetfilecon.c | 9 +++++++--
|
||||
libselinux/src/setfilecon.c | 8 ++++++--
|
||||
11 files changed, 59 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
|
||||
index 9669264d..c7754305 100644
|
||||
--- a/libselinux/src/avc_sidtab.c
|
||||
+++ b/libselinux/src/avc_sidtab.c
|
||||
@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
|
||||
int hvalue, rc = 0;
|
||||
struct sidtab_node *cur;
|
||||
|
||||
+ if (! ctx) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
*sid = NULL;
|
||||
hvalue = sidtab_hash(ctx);
|
||||
|
||||
diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
|
||||
index ba4c9a2c..c8158725 100644
|
||||
--- a/libselinux/src/canonicalize_context.c
|
||||
+++ b/libselinux/src/canonicalize_context.c
|
||||
@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
|
||||
size_t size;
|
||||
int fd, ret;
|
||||
|
||||
+ if (! con) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (!selinux_mnt) {
|
||||
errno = ENOENT;
|
||||
return -1;
|
||||
diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
|
||||
index 8a7997f0..5be84348 100644
|
||||
--- a/libselinux/src/check_context.c
|
||||
+++ b/libselinux/src/check_context.c
|
||||
@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
|
||||
char path[PATH_MAX];
|
||||
int fd, ret;
|
||||
|
||||
+ if (! con) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (!selinux_mnt) {
|
||||
errno = ENOENT;
|
||||
return -1;
|
||||
diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
|
||||
index a47cffe9..6d285a2e 100644
|
||||
--- a/libselinux/src/compute_av.c
|
||||
+++ b/libselinux/src/compute_av.c
|
||||
@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon,
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if ((! scon) || (! tcon)) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
snprintf(path, sizeof path, "%s/access", selinux_mnt);
|
||||
fd = open(path, O_RDWR | O_CLOEXEC);
|
||||
if (fd < 0)
|
||||
diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
|
||||
index 0975aeac..3e6a48c1 100644
|
||||
--- a/libselinux/src/compute_create.c
|
||||
+++ b/libselinux/src/compute_create.c
|
||||
@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if ((! scon) || (! tcon)) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
snprintf(path, sizeof path, "%s/create", selinux_mnt);
|
||||
fd = open(path, O_RDWR | O_CLOEXEC);
|
||||
if (fd < 0)
|
||||
diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
|
||||
index 4e2d221e..d1dd9772 100644
|
||||
--- a/libselinux/src/compute_member.c
|
||||
+++ b/libselinux/src/compute_member.c
|
||||
@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if ((! scon) || (! tcon)) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
snprintf(path, sizeof path, "%s/member", selinux_mnt);
|
||||
fd = open(path, O_RDWR | O_CLOEXEC);
|
||||
if (fd < 0)
|
||||
diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
|
||||
index 49f77ef3..c3db7c0a 100644
|
||||
--- a/libselinux/src/compute_relabel.c
|
||||
+++ b/libselinux/src/compute_relabel.c
|
||||
@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if ((! scon) || (! tcon)) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
|
||||
fd = open(path, O_RDWR | O_CLOEXEC);
|
||||
if (fd < 0)
|
||||
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
|
||||
index 7b881215..401fd107 100644
|
||||
--- a/libselinux/src/compute_user.c
|
||||
+++ b/libselinux/src/compute_user.c
|
||||
@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if (! scon) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
snprintf(path, sizeof path, "%s/user", selinux_mnt);
|
||||
fd = open(path, O_RDWR | O_CLOEXEC);
|
||||
if (fd < 0)
|
||||
diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
|
||||
index 52707d05..0cbe12d8 100644
|
||||
--- a/libselinux/src/fsetfilecon.c
|
||||
+++ b/libselinux/src/fsetfilecon.c
|
||||
@@ -9,8 +9,12 @@
|
||||
|
||||
int fsetfilecon_raw(int fd, const char * context)
|
||||
{
|
||||
- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
|
||||
- 0);
|
||||
+ int rc;
|
||||
+ if (! context) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
|
||||
if (rc < 0 && errno == ENOTSUP) {
|
||||
char * ccontext = NULL;
|
||||
int err = errno;
|
||||
diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
|
||||
index 1d3b28a1..ea6d70b7 100644
|
||||
--- a/libselinux/src/lsetfilecon.c
|
||||
+++ b/libselinux/src/lsetfilecon.c
|
||||
@@ -9,8 +9,13 @@
|
||||
|
||||
int lsetfilecon_raw(const char *path, const char * context)
|
||||
{
|
||||
- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
|
||||
- 0);
|
||||
+ int rc;
|
||||
+ if (! context) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
|
||||
if (rc < 0 && errno == ENOTSUP) {
|
||||
char * ccontext = NULL;
|
||||
int err = errno;
|
||||
diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
|
||||
index d05969c6..3f0200e8 100644
|
||||
--- a/libselinux/src/setfilecon.c
|
||||
+++ b/libselinux/src/setfilecon.c
|
||||
@@ -9,8 +9,12 @@
|
||||
|
||||
int setfilecon_raw(const char *path, const char * context)
|
||||
{
|
||||
- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
|
||||
- 0);
|
||||
+ int rc;
|
||||
+ if (! context) {
|
||||
+ errno=EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
|
||||
if (rc < 0 && errno == ENOTSUP) {
|
||||
char * ccontext = NULL;
|
||||
int err = errno;
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
From a88d24522fe74100478122c298aa4ace1af876fd Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 10 May 2021 12:12:38 +0200
|
||||
Subject: [PATCH] libselinux: selinux_check_passwd_access_internal(): respect
|
||||
deny_unknown
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
`selinux_check_passwd_access_internal()`, and thereby
|
||||
`checkPasswdAccess(3)` and `selinux_check_passwd_access(3)`, does not
|
||||
respect the policy defined setting of `deny_unknown`, like
|
||||
`selinux_check_access(3)` does.
|
||||
This means in case the security class `passwd` is not defined, success
|
||||
is returned instead of failure, i.e. permission denied.
|
||||
|
||||
Most policies should define the `passwd` class and the two affected
|
||||
public functions are marked deprecated.
|
||||
|
||||
Align the behavior with `selinux_check_access(3)` and respect
|
||||
the deny_unknown setting in case the security class is not defined.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/checkAccess.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
|
||||
index b337ea64f977..022cd6b5ecab 100644
|
||||
--- a/libselinux/src/checkAccess.c
|
||||
+++ b/libselinux/src/checkAccess.c
|
||||
@@ -78,7 +78,9 @@ static int selinux_check_passwd_access_internal(access_vector_t requested)
|
||||
passwd_class = string_to_security_class("passwd");
|
||||
if (passwd_class == 0) {
|
||||
freecon(user_context);
|
||||
- return 0;
|
||||
+ if (security_deny_unknown() == 0)
|
||||
+ return 0;
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
retval = security_compute_av_raw(user_context,
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
From a6e839be2c5a77c22a8c72cad001e3f87eaedf2e Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 11 Mar 2019 15:26:43 +0100
|
||||
Subject: [PATCH] libselinux: Allow to override OVERRIDE_GETTID from command
|
||||
line
|
||||
|
||||
$ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ...
|
||||
|
||||
Drop this as soon as glibc-2.30 will become real 2.30 version, see
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1685594
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
libselinux/src/procattr.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
|
||||
index c6799ef2..cbb6824e 100644
|
||||
--- a/libselinux/src/procattr.c
|
||||
+++ b/libselinux/src/procattr.c
|
||||
@@ -24,6 +24,7 @@ static __thread char destructor_initialized;
|
||||
|
||||
/* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and
|
||||
* has a definition for it */
|
||||
+#ifndef OVERRIDE_GETTID
|
||||
#ifdef __BIONIC__
|
||||
#define OVERRIDE_GETTID 0
|
||||
#elif !defined(__GLIBC_PREREQ)
|
||||
@@ -33,6 +34,7 @@ static __thread char destructor_initialized;
|
||||
#else
|
||||
#define OVERRIDE_GETTID 0
|
||||
#endif
|
||||
+#endif
|
||||
|
||||
#if OVERRIDE_GETTID
|
||||
static pid_t gettid(void)
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
|
@ -1,51 +0,0 @@
|
|||
From f1bc162cc272e01631e8f6d890fae71e1cb96e03 Mon Sep 17 00:00:00 2001
|
||||
From: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
Date: Fri, 30 Apr 2021 21:37:02 +0200
|
||||
Subject: [PATCH] libselinux: silence -Wstringop-overflow warning from gcc
|
||||
10.3.1
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When building libselinux on Fedora 33 with gcc 10.3.1, the compiler
|
||||
reports:
|
||||
|
||||
label_file.c: In function ‘lookup_all.isra’:
|
||||
label_file.c:940:4: error: ‘strncpy’ specified bound depends on the
|
||||
length of the source argument [-Werror=stringop-overflow=]
|
||||
940 | strncpy(clean_key, key, len - 1);
|
||||
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
label_file.c:927:8: note: length computed here
|
||||
927 | len = strlen(key);
|
||||
| ^~~~~~~~~~~
|
||||
cc1: all warnings being treated as errors
|
||||
|
||||
As clean_key is the result of malloc(len), there is no issue here. But
|
||||
using strncpy can be considered as strange, because the size of the
|
||||
string is already known and the NUL terminator is always added later, in
|
||||
function ‘lookup_all.isra.
|
||||
|
||||
Replace strncpy with memcpy to silence this gcc false-positive warning.
|
||||
|
||||
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
Acked-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
libselinux/src/label_file.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
|
||||
index 726394ca4332..cfce23e0119e 100644
|
||||
--- a/libselinux/src/label_file.c
|
||||
+++ b/libselinux/src/label_file.c
|
||||
@@ -909,7 +909,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
|
||||
if (!clean_key)
|
||||
goto finish;
|
||||
|
||||
- strncpy(clean_key, key, len - 1);
|
||||
+ memcpy(clean_key, key, len - 1);
|
||||
}
|
||||
|
||||
clean_key[len - 1] = '\0';
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,55 @@
|
|||
From be420729fbf4adc8b32ca3722fa6ca46bb51413d Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Wed, 27 Feb 2019 09:37:17 +0100
|
||||
Subject: [PATCH] Bring some old permission and flask constants back to Python
|
||||
bindings
|
||||
|
||||
---
|
||||
libselinux/src/selinuxswig.i | 4 ++++
|
||||
libselinux/src/selinuxswig_python.i | 3 ++-
|
||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i
|
||||
index dbdb4c3d..9c5b9263 100644
|
||||
--- a/libselinux/src/selinuxswig.i
|
||||
+++ b/libselinux/src/selinuxswig.i
|
||||
@@ -5,7 +5,9 @@
|
||||
%module selinux
|
||||
%{
|
||||
#include "../include/selinux/avc.h"
|
||||
+ #include "../include/selinux/av_permissions.h"
|
||||
#include "../include/selinux/context.h"
|
||||
+ #include "../include/selinux/flask.h"
|
||||
#include "../include/selinux/get_context_list.h"
|
||||
#include "../include/selinux/get_default_type.h"
|
||||
#include "../include/selinux/label.h"
|
||||
@@ -58,7 +60,9 @@
|
||||
%ignore avc_netlink_check_nb;
|
||||
|
||||
%include "../include/selinux/avc.h"
|
||||
+%include "../include/selinux/av_permissions.h"
|
||||
%include "../include/selinux/context.h"
|
||||
+%include "../include/selinux/flask.h"
|
||||
%include "../include/selinux/get_context_list.h"
|
||||
%include "../include/selinux/get_default_type.h"
|
||||
%include "../include/selinux/label.h"
|
||||
diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
|
||||
index 4c73bf92..6eaab081 100644
|
||||
--- a/libselinux/src/selinuxswig_python.i
|
||||
+++ b/libselinux/src/selinuxswig_python.i
|
||||
@@ -1,10 +1,11 @@
|
||||
/* Author: James Athey
|
||||
*/
|
||||
|
||||
-/* Never build rpm_execcon interface */
|
||||
+/* Never build rpm_execcon interface unless you need to have ACG compatibility
|
||||
#ifndef DISABLE_RPM
|
||||
#define DISABLE_RPM
|
||||
#endif
|
||||
+*/
|
||||
|
||||
%module selinux
|
||||
%{
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
From ae34b3ca3c605f8648b10722330ef3fbc872f3d6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:35 +0200
|
||||
Subject: [PATCH] libselinux: sidtab_hash(): do not discard const qualifier
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Do not discard the const qualifier of the function argument, and drop
|
||||
the redundant local variable `keyp`.
|
||||
|
||||
avc_sidtab.c: In function ‘sidtab_hash’:
|
||||
avc_sidtab.c:23:9: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
|
||||
23 | keyp = (char *)key;
|
||||
| ^
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/avc_sidtab.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
|
||||
index 9669264d651a..8dc875608762 100644
|
||||
--- a/libselinux/src/avc_sidtab.c
|
||||
+++ b/libselinux/src/avc_sidtab.c
|
||||
@@ -15,14 +15,13 @@
|
||||
|
||||
static inline unsigned sidtab_hash(const char * key)
|
||||
{
|
||||
- char *p, *keyp;
|
||||
+ const char *p;
|
||||
unsigned int size;
|
||||
unsigned int val;
|
||||
|
||||
val = 0;
|
||||
- keyp = (char *)key;
|
||||
- size = strlen(keyp);
|
||||
- for (p = keyp; (unsigned int)(p - keyp) < size; p++)
|
||||
+ size = strlen(key);
|
||||
+ for (p = key; (unsigned int)(p - key) < size; p++)
|
||||
val =
|
||||
(val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
|
||||
return val & (SIDTAB_SIZE - 1);
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From 903c54bf62ffba3c95e22e74c9c43838cd3935a0 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Tue, 28 Feb 2017 16:12:43 +0100
|
||||
Subject: [PATCH] libselinux: add missing av_permission values
|
||||
|
||||
Add missing av_permission values to av_permissions.h for the sake of
|
||||
completeness (this interface is obsolete - these values are now
|
||||
obtained at runtime).
|
||||
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1025931
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
libselinux/include/selinux/av_permissions.h | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/libselinux/include/selinux/av_permissions.h b/libselinux/include/selinux/av_permissions.h
|
||||
index c1269af9..631f0276 100644
|
||||
--- a/libselinux/include/selinux/av_permissions.h
|
||||
+++ b/libselinux/include/selinux/av_permissions.h
|
||||
@@ -876,6 +876,8 @@
|
||||
#define NSCD__SHMEMHOST 0x00000080UL
|
||||
#define NSCD__GETSERV 0x00000100UL
|
||||
#define NSCD__SHMEMSERV 0x00000200UL
|
||||
+#define NSCD__GETNETGRP 0x00000400UL
|
||||
+#define NSCD__SHMEMNETGRP 0x00000800UL
|
||||
#define ASSOCIATION__SENDTO 0x00000001UL
|
||||
#define ASSOCIATION__RECVFROM 0x00000002UL
|
||||
#define ASSOCIATION__SETCONTEXT 0x00000004UL
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
|
@ -1,48 +0,0 @@
|
|||
From d23421c65a4e53bef900d9e015833015fa123765 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:40 +0200
|
||||
Subject: [PATCH] libselinux: selinux_file_context_cmp(): do not discard const
|
||||
qualifier
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
matchpathcon.c: In function ‘selinux_file_context_cmp’:
|
||||
matchpathcon.c:487:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
|
||||
487 | rest_a = strchr((char *)a, ':');
|
||||
| ^
|
||||
matchpathcon.c:488:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
|
||||
488 | rest_b = strchr((char *)b, ':');
|
||||
| ^
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/matchpathcon.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
|
||||
index 2ec66650cae0..9e1fab593266 100644
|
||||
--- a/libselinux/src/matchpathcon.c
|
||||
+++ b/libselinux/src/matchpathcon.c
|
||||
@@ -477,15 +477,15 @@ void matchpathcon_checkmatches(char *str __attribute__((unused)))
|
||||
int selinux_file_context_cmp(const char * a,
|
||||
const char * b)
|
||||
{
|
||||
- char *rest_a, *rest_b; /* Rest of the context after the user */
|
||||
+ const char *rest_a, *rest_b; /* Rest of the context after the user */
|
||||
if (!a && !b)
|
||||
return 0;
|
||||
if (!a)
|
||||
return -1;
|
||||
if (!b)
|
||||
return 1;
|
||||
- rest_a = strchr((char *)a, ':');
|
||||
- rest_b = strchr((char *)b, ':');
|
||||
+ rest_a = strchr(a, ':');
|
||||
+ rest_b = strchr(b, ':');
|
||||
if (!rest_a && !rest_b)
|
||||
return 0;
|
||||
if (!rest_a)
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,177 @@
|
|||
From 67d490a38a319126f371eaf66a5fc922d7005b1f Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Thu, 16 May 2019 15:01:59 +0200
|
||||
Subject: [PATCH] libselinux: Use Python distutils to install SELinux python
|
||||
bindings
|
||||
|
||||
SWIG-4.0 changed its behavior so that it uses: from . import _selinux which
|
||||
looks for _selinux module in the same directory as where __init__.py is -
|
||||
$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into
|
||||
$(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location
|
||||
of _selinux.so").
|
||||
|
||||
In order to prevent such breakage in future use Python's distutils instead of
|
||||
building and installing python bindings manually in Makefile.
|
||||
|
||||
Fixes:
|
||||
>>> import selinux
|
||||
Traceback (most recent call last):
|
||||
File "<stdin>", line 1, in <module>
|
||||
File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in <module>
|
||||
from . import _selinux
|
||||
ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)
|
||||
>>>
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
libselinux/src/.gitignore | 2 +-
|
||||
libselinux/src/Makefile | 37 ++++++++-----------------------------
|
||||
libselinux/src/setup.py | 24 ++++++++++++++++++++++++
|
||||
3 files changed, 33 insertions(+), 30 deletions(-)
|
||||
create mode 100644 libselinux/src/setup.py
|
||||
|
||||
diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore
|
||||
index 4dcc3b3b..428afe5a 100644
|
||||
--- a/libselinux/src/.gitignore
|
||||
+++ b/libselinux/src/.gitignore
|
||||
@@ -1,4 +1,4 @@
|
||||
selinux.py
|
||||
-selinuxswig_wrap.c
|
||||
+selinuxswig_python_wrap.c
|
||||
selinuxswig_python_exception.i
|
||||
selinuxswig_ruby_wrap.c
|
||||
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
|
||||
index e9ed0383..826c830c 100644
|
||||
--- a/libselinux/src/Makefile
|
||||
+++ b/libselinux/src/Makefile
|
||||
@@ -36,7 +36,7 @@ TARGET=libselinux.so
|
||||
LIBPC=libselinux.pc
|
||||
SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i
|
||||
SWIGRUBYIF= selinuxswig_ruby.i
|
||||
-SWIGCOUT= selinuxswig_wrap.c
|
||||
+SWIGCOUT= selinuxswig_python_wrap.c
|
||||
SWIGPYOUT= selinux.py
|
||||
SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
|
||||
SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT))
|
||||
@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),)
|
||||
LDLIBS_LIBSEPOLA := -l:libsepol.a
|
||||
endif
|
||||
|
||||
-GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
|
||||
+GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i
|
||||
SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
|
||||
|
||||
MAX_STACK_SIZE=32768
|
||||
@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
|
||||
SRCS:= $(filter-out label_backends_android.c, $(SRCS))
|
||||
endif
|
||||
|
||||
-SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
|
||||
-
|
||||
SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
|
||||
|
||||
all: $(LIBA) $(LIBSO) $(LIBPC)
|
||||
|
||||
-pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
|
||||
+pywrap: all selinuxswig_python_exception.i
|
||||
+ CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
|
||||
|
||||
rubywrap: all $(SWIGRUBYSO)
|
||||
|
||||
-$(SWIGLOBJ): $(SWIGCOUT)
|
||||
- $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
|
||||
-
|
||||
$(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
|
||||
$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
|
||||
|
||||
-$(SWIGSO): $(SWIGLOBJ)
|
||||
- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS)
|
||||
-
|
||||
$(SWIGRUBYSO): $(SWIGRUBYLOBJ)
|
||||
$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS)
|
||||
|
||||
@@ -161,29 +154,15 @@ $(LIBPC): $(LIBPC).in ../VERSION
|
||||
selinuxswig_python_exception.i: ../include/selinux/selinux.h
|
||||
bash -e exception.sh > $@ || (rm -f $@ ; false)
|
||||
|
||||
-$(AUDIT2WHYLOBJ): audit2why.c
|
||||
- $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
|
||||
-
|
||||
-$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
|
||||
- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
|
||||
-
|
||||
%.o: %.c policy.h
|
||||
$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
|
||||
|
||||
%.lo: %.c policy.h
|
||||
$(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
|
||||
|
||||
-$(SWIGCOUT): $(SWIGIF)
|
||||
- $(SWIG) $<
|
||||
-
|
||||
-$(SWIGPYOUT): $(SWIGCOUT)
|
||||
-
|
||||
$(SWIGRUBYCOUT): $(SWIGRUBYIF)
|
||||
$(SWIGRUBY) $<
|
||||
|
||||
-swigify: $(SWIGIF)
|
||||
- $(SWIG) $<
|
||||
-
|
||||
install: all
|
||||
test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
|
||||
install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
|
||||
@@ -194,10 +173,8 @@ install: all
|
||||
ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
|
||||
|
||||
install-pywrap: pywrap
|
||||
- test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux
|
||||
- install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
|
||||
- install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT)
|
||||
- install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
|
||||
+ $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
|
||||
+ install -m 644 selinux.py $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
|
||||
|
||||
install-rubywrap: rubywrap
|
||||
test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL)
|
||||
@@ -208,6 +185,8 @@ relabel:
|
||||
|
||||
clean-pywrap:
|
||||
-rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
|
||||
+ $(PYTHON) setup.py clean
|
||||
+ -rm -rf build *~ \#* *pyc .#*
|
||||
|
||||
clean-rubywrap:
|
||||
-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
|
||||
diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py
|
||||
new file mode 100644
|
||||
index 00000000..b12e7869
|
||||
--- /dev/null
|
||||
+++ b/libselinux/src/setup.py
|
||||
@@ -0,0 +1,24 @@
|
||||
+#!/usr/bin/python3
|
||||
+
|
||||
+from distutils.core import Extension, setup
|
||||
+
|
||||
+setup(
|
||||
+ name="selinux",
|
||||
+ version="2.9",
|
||||
+ description="SELinux python 3 bindings",
|
||||
+ author="SELinux Project",
|
||||
+ author_email="selinux@vger.kernel.org",
|
||||
+ ext_modules=[
|
||||
+ Extension('selinux._selinux',
|
||||
+ sources=['selinuxswig_python.i'],
|
||||
+ include_dirs=['../include'],
|
||||
+ library_dirs=['.'],
|
||||
+ libraries=['selinux']),
|
||||
+ Extension('selinux.audit2why',
|
||||
+ sources=['audit2why.c'],
|
||||
+ include_dirs=['../include'],
|
||||
+ library_dirs=['.'],
|
||||
+ libraries=['selinux'],
|
||||
+ extra_link_args=['-l:libsepol.a'])
|
||||
+ ],
|
||||
+)
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
|
@ -1,69 +0,0 @@
|
|||
From 3950b1afedd1a5247dcb0eb4acffc3fe045a9fb3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:42 +0200
|
||||
Subject: [PATCH] libselinux: label_common(): do not discard const qualifier
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
As the const qualifier is discarded in label_common(), do not return a
|
||||
const qualified pointer pointer from the local function `lookup_all()`.
|
||||
|
||||
label_file.c: In function ‘lookup_common’:
|
||||
label_file.c:994:24: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
|
||||
994 | struct spec *result = (struct spec*)matches[0];
|
||||
| ^
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/label_file.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
|
||||
index cfce23e0119e..b080fcf1305b 100644
|
||||
--- a/libselinux/src/label_file.c
|
||||
+++ b/libselinux/src/label_file.c
|
||||
@@ -845,7 +845,7 @@ static void closef(struct selabel_handle *rec)
|
||||
// Finds all the matches of |key| in the given context. Returns the result in
|
||||
// the allocated array and updates the match count. If match_count is NULL,
|
||||
// stops early once the 1st match is found.
|
||||
-static const struct spec **lookup_all(struct selabel_handle *rec,
|
||||
+static struct spec **lookup_all(struct selabel_handle *rec,
|
||||
const char *key,
|
||||
int type,
|
||||
bool partial,
|
||||
@@ -861,7 +861,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
|
||||
unsigned int sofar = 0;
|
||||
char *sub = NULL;
|
||||
|
||||
- const struct spec **result = NULL;
|
||||
+ struct spec **result = NULL;
|
||||
if (match_count) {
|
||||
*match_count = 0;
|
||||
result = calloc(data->nspec, sizeof(struct spec*));
|
||||
@@ -987,11 +987,11 @@ static struct spec *lookup_common(struct selabel_handle *rec,
|
||||
const char *key,
|
||||
int type,
|
||||
bool partial) {
|
||||
- const struct spec **matches = lookup_all(rec, key, type, partial, NULL);
|
||||
+ struct spec **matches = lookup_all(rec, key, type, partial, NULL);
|
||||
if (!matches) {
|
||||
return NULL;
|
||||
}
|
||||
- struct spec *result = (struct spec*)matches[0];
|
||||
+ struct spec *result = matches[0];
|
||||
free(matches);
|
||||
return result;
|
||||
}
|
||||
@@ -1054,7 +1054,7 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
|
||||
assert(digest);
|
||||
|
||||
size_t total_matches;
|
||||
- const struct spec **matches = lookup_all(rec, key, 0, true, &total_matches);
|
||||
+ struct spec **matches = lookup_all(rec, key, 0, true, &total_matches);
|
||||
if (!matches) {
|
||||
return false;
|
||||
}
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
From 6ec8116ee64a25a0c5eb543f0b12ed25f1348c45 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Thu, 27 Jun 2019 11:17:13 +0200
|
||||
Subject: [PATCH] libselinux: Do not use SWIG_CFLAGS when Python bindings are
|
||||
built
|
||||
|
||||
Fixes:
|
||||
https://rpmdiff.engineering.redhat.com/run/410372/7/
|
||||
|
||||
Detecting usr/lib64/python3.6/site-packages/selinux/audit2why.cpython-36m-x86_64-linux-gnu.so with not-hardened warnings '
|
||||
Hardened: audit2why.cpython-36m-x86_64-linux-gnu.so: FAIL: Gaps were detected in the annobin coverage. Run with -v to list.
|
||||
' on x86_64
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
libselinux/src/Makefile | 5 +----
|
||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
|
||||
index 826c830c..f64f23a8 100644
|
||||
--- a/libselinux/src/Makefile
|
||||
+++ b/libselinux/src/Makefile
|
||||
@@ -104,9 +104,6 @@ FTS_LDLIBS ?=
|
||||
|
||||
override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
|
||||
|
||||
-SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
|
||||
- -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
|
||||
-
|
||||
RANLIB ?= ranlib
|
||||
|
||||
ARCH := $(patsubst i%86,i386,$(shell uname -m))
|
||||
@@ -130,7 +127,7 @@ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
|
||||
all: $(LIBA) $(LIBSO) $(LIBPC)
|
||||
|
||||
pywrap: all selinuxswig_python_exception.i
|
||||
- CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
|
||||
+ $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
|
||||
|
||||
rubywrap: all $(SWIGRUBYSO)
|
||||
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
|
@ -1,85 +0,0 @@
|
|||
From 7ca82e0db464052c1ed51e77b2d61ede82dfe3ee Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:44 +0200
|
||||
Subject: [PATCH] libselinux: Sha1Finalise(): do not discard const qualifier
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Mark the argument `Buffer` of `Sha1Update()` const, since it is not
|
||||
modified.
|
||||
|
||||
sha1.c: In function ‘Sha1Finalise’:
|
||||
sha1.c:208:25: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
|
||||
208 | Sha1Update(Context, (uint8_t*)"\x80", 1);
|
||||
| ^
|
||||
sha1.c:211:29: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
|
||||
211 | Sha1Update(Context, (uint8_t*)"\0", 1);
|
||||
| ^
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/sha1.c | 10 +++++-----
|
||||
libselinux/src/sha1.h | 2 +-
|
||||
2 files changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
|
||||
index 9a8ce01dceda..664bbcf26eef 100644
|
||||
--- a/libselinux/src/sha1.c
|
||||
+++ b/libselinux/src/sha1.c
|
||||
@@ -151,7 +151,7 @@ void
|
||||
Sha1Update
|
||||
(
|
||||
Sha1Context* Context,
|
||||
- void* Buffer,
|
||||
+ const void* Buffer,
|
||||
uint32_t BufferSize
|
||||
)
|
||||
{
|
||||
@@ -172,7 +172,7 @@ void
|
||||
TransformFunction(Context->State, Context->Buffer);
|
||||
for (; i + 63 < BufferSize; i += 64)
|
||||
{
|
||||
- TransformFunction(Context->State, (uint8_t*)Buffer + i);
|
||||
+ TransformFunction(Context->State, (const uint8_t*)Buffer + i);
|
||||
}
|
||||
j = 0;
|
||||
}
|
||||
@@ -181,7 +181,7 @@ void
|
||||
i = 0;
|
||||
}
|
||||
|
||||
- memcpy(&Context->Buffer[j], &((uint8_t*)Buffer)[i], BufferSize - i);
|
||||
+ memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
|
||||
}
|
||||
|
||||
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
@@ -205,10 +205,10 @@ void
|
||||
finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
|
||||
>> ((3-(i & 3)) * 8) ) & 255); // Endian independent
|
||||
}
|
||||
- Sha1Update(Context, (uint8_t*)"\x80", 1);
|
||||
+ Sha1Update(Context, (const uint8_t*)"\x80", 1);
|
||||
while ((Context->Count[0] & 504) != 448)
|
||||
{
|
||||
- Sha1Update(Context, (uint8_t*)"\0", 1);
|
||||
+ Sha1Update(Context, (const uint8_t*)"\0", 1);
|
||||
}
|
||||
|
||||
Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction()
|
||||
diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
|
||||
index eac3c195351a..f83a6e7ed7ba 100644
|
||||
--- a/libselinux/src/sha1.h
|
||||
+++ b/libselinux/src/sha1.h
|
||||
@@ -64,7 +64,7 @@ void
|
||||
Sha1Update
|
||||
(
|
||||
Sha1Context* Context,
|
||||
- void* Buffer,
|
||||
+ const void* Buffer,
|
||||
uint32_t BufferSize
|
||||
);
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,66 @@
|
|||
From 90a4f2b9a5194a2d1ab4c45b7a90bbb6c8099a68 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Tue, 2 Jul 2019 14:09:05 +0200
|
||||
Subject: [PATCH] Fix mcstrans secolor examples
|
||||
|
||||
According to "check_dominance" function:
|
||||
Range defined as "s15:c0.c1023" does not dominate any other range than
|
||||
"s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
|
||||
While range defined as "s15-s15:c0.c1023" dominates all of the above.
|
||||
|
||||
This is either a bug, or "s15:c0.c1023" should not be used in the
|
||||
examples.
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
libselinux/man/man5/secolor.conf.5 | 4 ++--
|
||||
libselinux/man/ru/man5/secolor.conf.5 | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
|
||||
index b834577a..a3bf2da1 100644
|
||||
--- a/libselinux/man/man5/secolor.conf.5
|
||||
+++ b/libselinux/man/man5/secolor.conf.5
|
||||
@@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red
|
||||
.br
|
||||
range s9\-s9:c0.c1023 = black orange
|
||||
.br
|
||||
-range s15:c0.c1023 = black yellow
|
||||
+range s15\-s15:c0.c1023 = black yellow
|
||||
.RE
|
||||
|
||||
.sp
|
||||
@@ -165,7 +165,7 @@ type xguest_t = black green
|
||||
.br
|
||||
user sysadm_u = white black
|
||||
.br
|
||||
-range s0:c0.c1023 = black white
|
||||
+range s0-s0:c0.c1023 = black white
|
||||
.br
|
||||
user * = black white
|
||||
.br
|
||||
diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5
|
||||
index 4c1236ae..bcae80c1 100644
|
||||
--- a/libselinux/man/ru/man5/secolor.conf.5
|
||||
+++ b/libselinux/man/ru/man5/secolor.conf.5
|
||||
@@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red
|
||||
.br
|
||||
range s9\-s9:c0.c1023 = black orange
|
||||
.br
|
||||
-range s15:c0.c1023 = black yellow
|
||||
+range s15\-s15:c0.c1023 = black yellow
|
||||
.RE
|
||||
|
||||
.sp
|
||||
@@ -163,7 +163,7 @@ type xguest_t = black green
|
||||
.br
|
||||
user sysadm_u = white black
|
||||
.br
|
||||
-range s0:c0.c1023 = black white
|
||||
+range s0\-s0:c0.c1023 = black white
|
||||
.br
|
||||
user * = black white
|
||||
.br
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
From 11194b982bb32c05548c38e4c81b1f166083f7e9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:46 +0200
|
||||
Subject: [PATCH] libselinux: sefcontext_compile: mark local variable static
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The variable `policy_file` is only used in sefcontext_compile.c.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/utils/sefcontext_compile.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
|
||||
index dcb0085ad67e..6c32172d9944 100644
|
||||
--- a/libselinux/utils/sefcontext_compile.c
|
||||
+++ b/libselinux/utils/sefcontext_compile.c
|
||||
@@ -14,7 +14,7 @@
|
||||
#include "../src/label_file.h"
|
||||
#include "../src/regex.h"
|
||||
|
||||
-const char *policy_file;
|
||||
+static const char *policy_file;
|
||||
static int ctx_err;
|
||||
|
||||
static int validate_context(char **ctxp)
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,354 @@
|
|||
From bfee1a3131580a7b9d8a7366764b8e78d99a9f1b Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 17 Feb 2020 21:47:35 +0100
|
||||
Subject: [PATCH] libselinux: Eliminate use of security_compute_user()
|
||||
|
||||
get_ordered_context_list() code used to ask the kernel to compute the complete
|
||||
set of reachable contexts using /sys/fs/selinux/user aka
|
||||
security_compute_user(). This set can be so huge so that it doesn't fit into a
|
||||
kernel page and security_compute_user() fails. Even if it doesn't fail,
|
||||
get_ordered_context_list() throws away the vast majority of the returned
|
||||
contexts because they don't match anything in
|
||||
/etc/selinux/targeted/contexts/default_contexts or
|
||||
/etc/selinux/targeted/contexts/users/
|
||||
|
||||
get_ordered_context_list() is rewritten to compute set of contexts based on
|
||||
/etc/selinux/targeted/contexts/users/ and
|
||||
/etc/selinux/targeted/contexts/default_contexts files and to return only valid
|
||||
contexts, using security_check_context(), from this set.
|
||||
|
||||
Fixes: https://github.com/SELinuxProject/selinux/issues/28
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
libselinux/src/get_context_list.c | 212 +++++++++++++-----------------
|
||||
1 file changed, 93 insertions(+), 119 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
|
||||
index 689e4658..26d7b3b9 100644
|
||||
--- a/libselinux/src/get_context_list.c
|
||||
+++ b/libselinux/src/get_context_list.c
|
||||
@@ -2,6 +2,7 @@
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
#include <stdio_ext.h>
|
||||
+#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <ctype.h>
|
||||
@@ -114,64 +115,41 @@ int get_default_context(const char *user,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int find_partialcon(char ** list,
|
||||
- unsigned int nreach, char *part)
|
||||
+static int is_in_reachable(char **reachable, const char *usercon_str)
|
||||
{
|
||||
- const char *conrole, *contype;
|
||||
- char *partrole, *parttype, *ptr;
|
||||
- context_t con;
|
||||
- unsigned int i;
|
||||
+ if (!reachable)
|
||||
+ return 0;
|
||||
|
||||
- partrole = part;
|
||||
- ptr = part;
|
||||
- while (*ptr && !isspace(*ptr) && *ptr != ':')
|
||||
- ptr++;
|
||||
- if (*ptr != ':')
|
||||
- return -1;
|
||||
- *ptr++ = 0;
|
||||
- parttype = ptr;
|
||||
- while (*ptr && !isspace(*ptr) && *ptr != ':')
|
||||
- ptr++;
|
||||
- *ptr = 0;
|
||||
-
|
||||
- for (i = 0; i < nreach; i++) {
|
||||
- con = context_new(list[i]);
|
||||
- if (!con)
|
||||
- return -1;
|
||||
- conrole = context_role_get(con);
|
||||
- contype = context_type_get(con);
|
||||
- if (!conrole || !contype) {
|
||||
- context_free(con);
|
||||
- return -1;
|
||||
- }
|
||||
- if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
|
||||
- context_free(con);
|
||||
- return i;
|
||||
+ for (; *reachable != NULL; reachable++) {
|
||||
+ if (strcmp(*reachable, usercon_str) == 0) {
|
||||
+ return 1;
|
||||
}
|
||||
- context_free(con);
|
||||
}
|
||||
-
|
||||
- return -1;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
-static int get_context_order(FILE * fp,
|
||||
+static int get_context_user(FILE * fp,
|
||||
char * fromcon,
|
||||
- char ** reachable,
|
||||
- unsigned int nreach,
|
||||
- unsigned int *ordering, unsigned int *nordered)
|
||||
+ const char * user,
|
||||
+ char ***reachable,
|
||||
+ unsigned int *nreachable)
|
||||
{
|
||||
char *start, *end = NULL;
|
||||
char *line = NULL;
|
||||
- size_t line_len = 0;
|
||||
+ size_t line_len = 0, usercon_len;
|
||||
+ size_t user_len = strlen(user);
|
||||
ssize_t len;
|
||||
int found = 0;
|
||||
- const char *fromrole, *fromtype;
|
||||
+ const char *fromrole, *fromtype, *fromlevel;
|
||||
char *linerole, *linetype;
|
||||
- unsigned int i;
|
||||
+ char **new_reachable = NULL;
|
||||
+ char *usercon_str;
|
||||
context_t con;
|
||||
+ context_t usercon;
|
||||
+
|
||||
int rc;
|
||||
|
||||
- errno = -EINVAL;
|
||||
+ errno = EINVAL;
|
||||
|
||||
/* Extract the role and type of the fromcon for matching.
|
||||
User identity and MLS range can be variable. */
|
||||
@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
|
||||
return -1;
|
||||
fromrole = context_role_get(con);
|
||||
fromtype = context_type_get(con);
|
||||
+ fromlevel = context_range_get(con);
|
||||
if (!fromrole || !fromtype) {
|
||||
context_free(con);
|
||||
return -1;
|
||||
@@ -243,23 +222,75 @@ static int get_context_order(FILE * fp,
|
||||
if (*end)
|
||||
*end++ = 0;
|
||||
|
||||
- /* Check for a match in the reachable list. */
|
||||
- rc = find_partialcon(reachable, nreach, start);
|
||||
- if (rc < 0) {
|
||||
- /* No match, skip it. */
|
||||
+ /* Check whether a new context is valid */
|
||||
+ if (SIZE_MAX - user_len < strlen(start) + 2) {
|
||||
+ fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
|
||||
+ errno = EINVAL;
|
||||
+ rc = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ usercon_len = user_len + strlen(start) + 2;
|
||||
+ usercon_str = malloc(usercon_len);
|
||||
+ if (!usercon_str) {
|
||||
+ rc = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* set range from fromcon in the new usercon */
|
||||
+ snprintf(usercon_str, usercon_len, "%s:%s", user, start);
|
||||
+ usercon = context_new(usercon_str);
|
||||
+ if (!usercon) {
|
||||
+ if (errno != EINVAL) {
|
||||
+ free(usercon_str);
|
||||
+ rc = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ fprintf(stderr,
|
||||
+ "%s: can't create a context from %s, skipping\n",
|
||||
+ __FUNCTION__, usercon_str);
|
||||
+ free(usercon_str);
|
||||
start = end;
|
||||
continue;
|
||||
}
|
||||
+ free(usercon_str);
|
||||
+ if (context_range_set(usercon, fromlevel) != 0) {
|
||||
+ context_free(usercon);
|
||||
+ rc = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ usercon_str = context_str(usercon);
|
||||
+ if (!usercon_str) {
|
||||
+ context_free(usercon);
|
||||
+ rc = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
|
||||
- /* If a match is found and the entry is not already ordered
|
||||
- (e.g. due to prior match in prior config file), then set
|
||||
- the ordering for it. */
|
||||
- i = rc;
|
||||
- if (ordering[i] == nreach)
|
||||
- ordering[i] = (*nordered)++;
|
||||
+ /* check whether usercon is already in reachable */
|
||||
+ if (is_in_reachable(*reachable, usercon_str)) {
|
||||
+ context_free(usercon);
|
||||
+ start = end;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (security_check_context(usercon_str) == 0) {
|
||||
+ new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
|
||||
+ if (!new_reachable) {
|
||||
+ context_free(usercon);
|
||||
+ rc = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ *reachable = new_reachable;
|
||||
+ new_reachable[*nreachable] = strdup(usercon_str);
|
||||
+ if (new_reachable[*nreachable] == NULL) {
|
||||
+ context_free(usercon);
|
||||
+ rc = -1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ new_reachable[*nreachable + 1] = 0;
|
||||
+ *nreachable += 1;
|
||||
+ }
|
||||
+ context_free(usercon);
|
||||
start = end;
|
||||
}
|
||||
-
|
||||
rc = 0;
|
||||
|
||||
out:
|
||||
@@ -313,21 +344,6 @@ static int get_failsafe_context(const char *user, char ** newcon)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-struct context_order {
|
||||
- char * con;
|
||||
- unsigned int order;
|
||||
-};
|
||||
-
|
||||
-static int order_compare(const void *A, const void *B)
|
||||
-{
|
||||
- const struct context_order *c1 = A, *c2 = B;
|
||||
- if (c1->order < c2->order)
|
||||
- return -1;
|
||||
- else if (c1->order > c2->order)
|
||||
- return 1;
|
||||
- return strcmp(c1->con, c2->con);
|
||||
-}
|
||||
-
|
||||
int get_ordered_context_list_with_level(const char *user,
|
||||
const char *level,
|
||||
char * fromcon,
|
||||
@@ -395,11 +411,8 @@ int get_ordered_context_list(const char *user,
|
||||
char *** list)
|
||||
{
|
||||
char **reachable = NULL;
|
||||
- unsigned int *ordering = NULL;
|
||||
- struct context_order *co = NULL;
|
||||
- char **ptr;
|
||||
int rc = 0;
|
||||
- unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
|
||||
+ unsigned nreachable = 0, freefrom = 0;
|
||||
FILE *fp;
|
||||
char *fname = NULL;
|
||||
size_t fname_len;
|
||||
@@ -413,23 +426,6 @@ int get_ordered_context_list(const char *user,
|
||||
freefrom = 1;
|
||||
}
|
||||
|
||||
- /* Determine the set of reachable contexts for the user. */
|
||||
- rc = security_compute_user(fromcon, user, &reachable);
|
||||
- if (rc < 0)
|
||||
- goto failsafe;
|
||||
- nreach = 0;
|
||||
- for (ptr = reachable; *ptr; ptr++)
|
||||
- nreach++;
|
||||
- if (!nreach)
|
||||
- goto failsafe;
|
||||
-
|
||||
- /* Initialize ordering array. */
|
||||
- ordering = malloc(nreach * sizeof(unsigned int));
|
||||
- if (!ordering)
|
||||
- goto failsafe;
|
||||
- for (i = 0; i < nreach; i++)
|
||||
- ordering[i] = nreach;
|
||||
-
|
||||
/* Determine the ordering to apply from the optional per-user config
|
||||
and from the global config. */
|
||||
fname_len = strlen(user_contexts_path) + strlen(user) + 2;
|
||||
@@ -440,8 +436,8 @@ int get_ordered_context_list(const char *user,
|
||||
fp = fopen(fname, "re");
|
||||
if (fp) {
|
||||
__fsetlocking(fp, FSETLOCKING_BYCALLER);
|
||||
- rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
|
||||
- &nordered);
|
||||
+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
|
||||
+
|
||||
fclose(fp);
|
||||
if (rc < 0 && errno != ENOENT) {
|
||||
fprintf(stderr,
|
||||
@@ -454,8 +450,7 @@ int get_ordered_context_list(const char *user,
|
||||
fp = fopen(selinux_default_context_path(), "re");
|
||||
if (fp) {
|
||||
__fsetlocking(fp, FSETLOCKING_BYCALLER);
|
||||
- rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
|
||||
- &nordered);
|
||||
+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
|
||||
fclose(fp);
|
||||
if (rc < 0 && errno != ENOENT) {
|
||||
fprintf(stderr,
|
||||
@@ -463,40 +458,19 @@ int get_ordered_context_list(const char *user,
|
||||
__FUNCTION__, selinux_default_context_path());
|
||||
/* Fall through */
|
||||
}
|
||||
- rc = 0;
|
||||
}
|
||||
|
||||
- if (!nordered)
|
||||
+ if (!nreachable)
|
||||
goto failsafe;
|
||||
|
||||
- /* Apply the ordering. */
|
||||
- co = malloc(nreach * sizeof(struct context_order));
|
||||
- if (!co)
|
||||
- goto failsafe;
|
||||
- for (i = 0; i < nreach; i++) {
|
||||
- co[i].con = reachable[i];
|
||||
- co[i].order = ordering[i];
|
||||
- }
|
||||
- qsort(co, nreach, sizeof(struct context_order), order_compare);
|
||||
- for (i = 0; i < nreach; i++)
|
||||
- reachable[i] = co[i].con;
|
||||
- free(co);
|
||||
-
|
||||
- /* Only report the ordered entries to the caller. */
|
||||
- if (nordered <= nreach) {
|
||||
- for (i = nordered; i < nreach; i++)
|
||||
- free(reachable[i]);
|
||||
- reachable[nordered] = NULL;
|
||||
- rc = nordered;
|
||||
- }
|
||||
-
|
||||
out:
|
||||
- if (rc > 0)
|
||||
+ if (nreachable > 0) {
|
||||
*list = reachable;
|
||||
+ rc = nreachable;
|
||||
+ }
|
||||
else
|
||||
freeconary(reachable);
|
||||
|
||||
- free(ordering);
|
||||
if (freefrom)
|
||||
freecon(fromcon);
|
||||
|
||||
@@ -519,7 +493,7 @@ int get_ordered_context_list(const char *user,
|
||||
reachable = NULL;
|
||||
goto out;
|
||||
}
|
||||
- rc = 1; /* one context in the list */
|
||||
+ nreachable = 1; /* one context in the list */
|
||||
goto out;
|
||||
}
|
||||
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
From 533e9d6ce07c8909c9c020cd6920a2384f7eee22 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:48 +0200
|
||||
Subject: [PATCH] libselinux: avcstat: use standard length modifier for
|
||||
unsigned long long
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The format width specifier `L` is only standardized for floating point
|
||||
types. Use `ll` for fixed-width data types.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/utils/avcstat.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libselinux/utils/avcstat.c b/libselinux/utils/avcstat.c
|
||||
index da2392870c51..cc9a48dd4c3a 100644
|
||||
--- a/libselinux/utils/avcstat.c
|
||||
+++ b/libselinux/utils/avcstat.c
|
||||
@@ -205,7 +205,7 @@ int main(int argc, char **argv)
|
||||
die("unable to parse \'%s\': no data", avcstatfile);
|
||||
|
||||
if (cumulative || !i)
|
||||
- printf("%10Lu %10Lu %10Lu %10Lu %10Lu %10Lu\n",
|
||||
+ printf("%10llu %10llu %10llu %10llu %10llu %10llu\n",
|
||||
tot.lookups, tot.hits, tot.misses,
|
||||
tot.allocations, tot.reclaims, tot.frees);
|
||||
else {
|
||||
@@ -215,7 +215,7 @@ int main(int argc, char **argv)
|
||||
rel.allocations = tot.allocations - last.allocations;
|
||||
rel.reclaims = tot.reclaims - last.reclaims;
|
||||
rel.frees = tot.frees - last.frees;
|
||||
- printf("%10Lu %10Lu %10Lu %10Lu %10Lu %10Lu\n",
|
||||
+ printf("%10llu %10llu %10llu %10llu %10llu %10llu\n",
|
||||
rel.lookups, rel.hits, rel.misses,
|
||||
rel.allocations, rel.reclaims, rel.frees);
|
||||
}
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,168 @@
|
|||
From d4c22fcd5943fe35db648dee971f631d40b3eb94 Mon Sep 17 00:00:00 2001
|
||||
From: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Date: Thu, 20 Feb 2020 10:40:19 -0500
|
||||
Subject: [PATCH] libselinux: deprecate security_compute_user(), update man
|
||||
pages
|
||||
|
||||
commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
|
||||
use of security_compute_user()") eliminated the use of
|
||||
security_compute_user() by get_ordered_context_list(). Deprecate
|
||||
all use of security_compute_user() by updating the headers and man
|
||||
pages and logging a warning message on any calls to it. Remove
|
||||
the example utility that called the interface. While here, also
|
||||
fix the documentation of correct usage of the user argument to these
|
||||
interfaces.
|
||||
|
||||
Fixes: https://github.com/SELinuxProject/selinux/issues/70
|
||||
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
||||
Acked-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
libselinux/include/selinux/selinux.h | 8 +++-
|
||||
.../man/man3/get_ordered_context_list.3 | 24 +++++++++---
|
||||
libselinux/man/man3/security_compute_av.3 | 5 ++-
|
||||
libselinux/src/compute_user.c | 3 ++
|
||||
libselinux/utils/compute_user.c | 38 -------------------
|
||||
5 files changed, 31 insertions(+), 47 deletions(-)
|
||||
delete mode 100644 libselinux/utils/compute_user.c
|
||||
|
||||
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
|
||||
index a34d54fc..a5ada324 100644
|
||||
--- a/libselinux/include/selinux/selinux.h
|
||||
+++ b/libselinux/include/selinux/selinux.h
|
||||
@@ -246,8 +246,12 @@ extern int security_compute_member_raw(const char * scon,
|
||||
security_class_t tclass,
|
||||
char ** newcon);
|
||||
|
||||
-/* Compute the set of reachable user contexts and set *con to refer to
|
||||
- the NULL-terminated array of contexts. Caller must free via freeconary. */
|
||||
+/*
|
||||
+ * Compute the set of reachable user contexts and set *con to refer to
|
||||
+ * the NULL-terminated array of contexts. Caller must free via freeconary.
|
||||
+ * These interfaces are deprecated. Use get_ordered_context_list() or
|
||||
+ * one of its variant interfaces instead.
|
||||
+ */
|
||||
extern int security_compute_user(const char * scon,
|
||||
const char *username,
|
||||
char *** con);
|
||||
diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
|
||||
index e084da40..3ed14a96 100644
|
||||
--- a/libselinux/man/man3/get_ordered_context_list.3
|
||||
+++ b/libselinux/man/man3/get_ordered_context_list.3
|
||||
@@ -26,14 +26,28 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
|
||||
.BI "int get_default_type(const char *" role ", char **" type );
|
||||
.
|
||||
.SH "DESCRIPTION"
|
||||
+
|
||||
+This family of functions can be used to obtain either a prioritized list of
|
||||
+all reachable security contexts for a given SELinux user or a single default
|
||||
+(highest priority) context for a given SELinux user for use by login-like
|
||||
+programs. These functions takes a SELinux user identity that must
|
||||
+be defined in the SELinux policy as their input, not a Linux username.
|
||||
+Most callers should typically first call
|
||||
+.BR getseuserbyname(3)
|
||||
+to look up the SELinux user identity and level for a given
|
||||
+Linux username and then invoke one of
|
||||
+.BR get_ordered_context_list_with_level ()
|
||||
+or
|
||||
+.BR get_default_context_with_level ()
|
||||
+with the returned SELinux user and level as inputs.
|
||||
+
|
||||
.BR get_ordered_context_list ()
|
||||
-invokes the
|
||||
-.BR security_compute_user (3)
|
||||
-function to obtain the list of contexts for the specified
|
||||
+obtains the list of contexts for the specified
|
||||
+SELinux
|
||||
.I user
|
||||
-that are reachable from the specified
|
||||
+identity that are reachable from the specified
|
||||
.I fromcon
|
||||
-context. The function then orders the resulting list based on the global
|
||||
+context based on the global
|
||||
.I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
|
||||
file and the per-user
|
||||
.I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
|
||||
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
|
||||
index 2aade5fe..8e1f746a 100644
|
||||
--- a/libselinux/man/man3/security_compute_av.3
|
||||
+++ b/libselinux/man/man3/security_compute_av.3
|
||||
@@ -97,8 +97,9 @@ instance.
|
||||
|
||||
.BR security_compute_user ()
|
||||
is used to determine the set of user contexts that can be reached from a
|
||||
-source context. It is mainly used by
|
||||
-.BR get_ordered_context_list ().
|
||||
+source context. This function is deprecated; use
|
||||
+.BR get_ordered_context_list (3)
|
||||
+instead.
|
||||
|
||||
.BR security_get_initial_context ()
|
||||
is used to get the context of a kernel initial security identifier specified by
|
||||
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
|
||||
index 401fd107..0f55de84 100644
|
||||
--- a/libselinux/src/compute_user.c
|
||||
+++ b/libselinux/src/compute_user.c
|
||||
@@ -8,6 +8,7 @@
|
||||
#include "selinux_internal.h"
|
||||
#include "policy.h"
|
||||
#include <limits.h>
|
||||
+#include "callbacks.h"
|
||||
|
||||
int security_compute_user_raw(const char * scon,
|
||||
const char *user, char *** con)
|
||||
@@ -24,6 +25,8 @@ int security_compute_user_raw(const char * scon,
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
|
||||
+
|
||||
if (! scon) {
|
||||
errno=EINVAL;
|
||||
return -1;
|
||||
diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
|
||||
deleted file mode 100644
|
||||
index cae62b26..00000000
|
||||
--- a/libselinux/utils/compute_user.c
|
||||
+++ /dev/null
|
||||
@@ -1,38 +0,0 @@
|
||||
-#include <unistd.h>
|
||||
-#include <sys/types.h>
|
||||
-#include <fcntl.h>
|
||||
-#include <stdio.h>
|
||||
-#include <stdlib.h>
|
||||
-#include <errno.h>
|
||||
-#include <string.h>
|
||||
-#include <ctype.h>
|
||||
-#include <selinux/selinux.h>
|
||||
-
|
||||
-int main(int argc, char **argv)
|
||||
-{
|
||||
- char **buf, **ptr;
|
||||
- int ret;
|
||||
-
|
||||
- if (argc != 3) {
|
||||
- fprintf(stderr, "usage: %s context user\n", argv[0]);
|
||||
- exit(1);
|
||||
- }
|
||||
-
|
||||
- ret = security_compute_user(argv[1], argv[2], &buf);
|
||||
- if (ret < 0) {
|
||||
- fprintf(stderr, "%s: security_compute_user(%s,%s) failed\n",
|
||||
- argv[0], argv[1], argv[2]);
|
||||
- exit(2);
|
||||
- }
|
||||
-
|
||||
- if (!buf[0]) {
|
||||
- printf("none\n");
|
||||
- exit(0);
|
||||
- }
|
||||
-
|
||||
- for (ptr = buf; *ptr; ptr++) {
|
||||
- printf("%s\n", *ptr);
|
||||
- }
|
||||
- freeconary(buf);
|
||||
- exit(0);
|
||||
-}
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
From 7464272caa1a69e3fc7971d1d80b6afd4785abef Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:51 +0200
|
||||
Subject: [PATCH] libselinux: selinux_restorecon: mark local variable static
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The variable `dir_xattr_list` is only used inside `selinux_restorecon.c`.
|
||||
|
||||
selinux_restorecon.c:65:19: warning: no previous extern declaration for non-static variable 'dir_xattr_list' [-Wmissing-variable-declarations]
|
||||
struct dir_xattr *dir_xattr_list;
|
||||
^
|
||||
selinux_restorecon.c:65:1: note: declare 'static' if the variable is not intended to be used outside of this translation unit
|
||||
struct dir_xattr *dir_xattr_list;
|
||||
^
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/selinux_restorecon.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
|
||||
index 63fb8dc53c28..249c361fa988 100644
|
||||
--- a/libselinux/src/selinux_restorecon.c
|
||||
+++ b/libselinux/src/selinux_restorecon.c
|
||||
@@ -62,7 +62,7 @@ static uint64_t fc_count = 0; /* Number of files processed so far */
|
||||
static uint64_t efile_count; /* Estimated total number of files */
|
||||
|
||||
/* Store information on directories with xattr's. */
|
||||
-struct dir_xattr *dir_xattr_list;
|
||||
+static struct dir_xattr *dir_xattr_list;
|
||||
static struct dir_xattr *dir_xattr_last;
|
||||
|
||||
/* restorecon_flags for passing to restorecon_sb() */
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,51 +0,0 @@
|
|||
From d0c02882b7fdcf5e6478f9a82ac2946174f4bca4 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:53 +0200
|
||||
Subject: [PATCH] libselinux: selabel_get_digests_all_partial_matches: free
|
||||
memory after FTS_D block
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Free all memory from `selabel_get_digests_all_partial_matches()` in case
|
||||
of success and failure.
|
||||
|
||||
Found by clang-analyzer.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
.../utils/selabel_get_digests_all_partial_matches.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
|
||||
index 0c2edc67771d..e28833d2ce97 100644
|
||||
--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
|
||||
+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
|
||||
@@ -128,7 +128,7 @@ int main(int argc, char **argv)
|
||||
printf("No SHA1 digest available for: %s\n",
|
||||
ftsent->fts_path);
|
||||
printf("as file_context entry is \"<<none>>\"\n");
|
||||
- break;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
printf("The file_context entries for: %s\n",
|
||||
@@ -149,11 +149,11 @@ int main(int argc, char **argv)
|
||||
xattr_digest[i]);
|
||||
printf("%s\n", sha1_buf);
|
||||
}
|
||||
-
|
||||
- free(xattr_digest);
|
||||
- free(calculated_digest);
|
||||
- free(sha1_buf);
|
||||
}
|
||||
+ cleanup:
|
||||
+ free(xattr_digest);
|
||||
+ free(calculated_digest);
|
||||
+ free(sha1_buf);
|
||||
break;
|
||||
}
|
||||
default:
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,39 @@
|
|||
From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Wed, 10 Feb 2021 18:05:29 +0100
|
||||
Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
|
||||
|
||||
Describe which type of regular expression is used in file context
|
||||
definitions and which flags are in effect.
|
||||
|
||||
Explain how local file context modifications are processed.
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
Acked-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
libselinux/man/man5/selabel_file.5 | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
|
||||
index e97bd826..baba7776 100644
|
||||
--- a/libselinux/man/man5/selabel_file.5
|
||||
+++ b/libselinux/man/man5/selabel_file.5
|
||||
@@ -125,7 +125,14 @@ Where:
|
||||
.RS
|
||||
.I pathname
|
||||
.RS
|
||||
-An entry that defines the pathname that may be in the form of a regular expression.
|
||||
+An entry that defines the path to be labeled.
|
||||
+May contain either a fully qualified path,
|
||||
+or a Perl compatible regular expression (PCRE),
|
||||
+describing fully qualified path(s).
|
||||
+The only PCRE flag in use is PCRE2_DOTALL,
|
||||
+which causes a wildcard '.' to match anything, including a new line.
|
||||
+Strings representing paths are processed as bytes (as opposed to Unicode),
|
||||
+meaning that non-ASCII characters are not matched by a single wildcard.
|
||||
.RE
|
||||
.I file_type
|
||||
.RS
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
|
@ -0,0 +1,88 @@
|
|||
From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Thu, 17 Feb 2022 14:14:15 +0100
|
||||
Subject: [PATCH] libselinux: Strip spaces before values in config
|
||||
|
||||
Spaces before values in /etc/selinux/config should be ignored just as
|
||||
spaces after them are.
|
||||
|
||||
E.g. "SELINUXTYPE= targeted" should be a valid value.
|
||||
|
||||
Fixes:
|
||||
# sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
|
||||
# dnf install <any_package>
|
||||
...
|
||||
RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
|
||||
RPM: error: Plugin selinux: hook tsm_pre failed
|
||||
...
|
||||
Error: Could not run transaction.
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
libselinux/src/selinux_config.c | 17 +++++++++++++----
|
||||
1 file changed, 13 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
|
||||
index b06cb63b..0892b87c 100644
|
||||
--- a/libselinux/src/selinux_config.c
|
||||
+++ b/libselinux/src/selinux_config.c
|
||||
@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce)
|
||||
FILE *cfg = fopen(SELINUXCONFIG, "re");
|
||||
if (cfg) {
|
||||
char *buf;
|
||||
+ char *tag;
|
||||
int len = sizeof(SELINUXTAG) - 1;
|
||||
buf = malloc(selinux_page_size);
|
||||
if (!buf) {
|
||||
@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce)
|
||||
while (fgets_unlocked(buf, selinux_page_size, cfg)) {
|
||||
if (strncmp(buf, SELINUXTAG, len))
|
||||
continue;
|
||||
+ tag = buf+len;
|
||||
+ while (isspace(*tag))
|
||||
+ tag++;
|
||||
if (!strncasecmp
|
||||
- (buf + len, "enforcing", sizeof("enforcing") - 1)) {
|
||||
+ (tag, "enforcing", sizeof("enforcing") - 1)) {
|
||||
*enforce = 1;
|
||||
ret = 0;
|
||||
break;
|
||||
} else
|
||||
if (!strncasecmp
|
||||
- (buf + len, "permissive",
|
||||
+ (tag, "permissive",
|
||||
sizeof("permissive") - 1)) {
|
||||
*enforce = 0;
|
||||
ret = 0;
|
||||
break;
|
||||
} else
|
||||
if (!strncasecmp
|
||||
- (buf + len, "disabled",
|
||||
+ (tag, "disabled",
|
||||
sizeof("disabled") - 1)) {
|
||||
*enforce = -1;
|
||||
ret = 0;
|
||||
@@ -177,7 +181,10 @@ static void init_selinux_config(void)
|
||||
|
||||
if (!strncasecmp(buf_p, SELINUXTYPETAG,
|
||||
sizeof(SELINUXTYPETAG) - 1)) {
|
||||
- type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
|
||||
+ buf_p += sizeof(SELINUXTYPETAG) - 1;
|
||||
+ while (isspace(*buf_p))
|
||||
+ buf_p++;
|
||||
+ type = strdup(buf_p);
|
||||
if (!type)
|
||||
return;
|
||||
end = type + strlen(type) - 1;
|
||||
@@ -199,6 +206,8 @@ static void init_selinux_config(void)
|
||||
} else if (!strncmp(buf_p, REQUIRESEUSERS,
|
||||
sizeof(REQUIRESEUSERS) - 1)) {
|
||||
value = buf_p + sizeof(REQUIRESEUSERS) - 1;
|
||||
+ while (isspace(*value))
|
||||
+ value++;
|
||||
intptr = &require_seusers;
|
||||
} else {
|
||||
continue;
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From d0e16077d4ded64bbc878d29e0dc22b1f5e0912f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:55 +0200
|
||||
Subject: [PATCH] libselinux: getconlist: free memory on multiple level
|
||||
arguments
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Do not leak memory if the program argument `l` got passed more than
|
||||
once.
|
||||
|
||||
Found by clang-analyzer.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/utils/getconlist.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c
|
||||
index 76654b75151a..0bb2846937ca 100644
|
||||
--- a/libselinux/utils/getconlist.c
|
||||
+++ b/libselinux/utils/getconlist.c
|
||||
@@ -26,6 +26,7 @@ int main(int argc, char **argv)
|
||||
while ((opt = getopt(argc, argv, "l:")) > 0) {
|
||||
switch (opt) {
|
||||
case 'l':
|
||||
+ free(level);
|
||||
level = strdup(optarg);
|
||||
if (!level) {
|
||||
fprintf(stderr, "memory allocation failure: %d(%s)\n",
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,46 @@
|
|||
From 9a04499cebedac3f585c0240e6cf68f786ae62b7 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Mon, 31 Oct 2022 17:00:43 +0100
|
||||
Subject: [PATCH] libselinux: Ignore missing directories when -i is used
|
||||
|
||||
Currently "-i" only ignores a file whose parent directory exists. Start also
|
||||
ignoring paths with missing components.
|
||||
|
||||
Fixes:
|
||||
# restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
|
||||
255
|
||||
restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
libselinux/src/selinux_restorecon.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
|
||||
index 5f189235..2ff73db6 100644
|
||||
--- a/libselinux/src/selinux_restorecon.c
|
||||
+++ b/libselinux/src/selinux_restorecon.c
|
||||
@@ -820,6 +820,10 @@ int selinux_restorecon(const char *pathname_orig,
|
||||
pathname = realpath(pathname_orig, NULL);
|
||||
if (!pathname) {
|
||||
free(basename_cpy);
|
||||
+ /* missing parent directory */
|
||||
+ if (flags.ignore_noent && errno == ENOENT) {
|
||||
+ return 0;
|
||||
+ }
|
||||
goto realpatherr;
|
||||
}
|
||||
} else {
|
||||
@@ -833,6 +837,9 @@ int selinux_restorecon(const char *pathname_orig,
|
||||
free(dirname_cpy);
|
||||
if (!pathdnamer) {
|
||||
free(basename_cpy);
|
||||
+ if (flags.ignore_noent && errno == ENOENT) {
|
||||
+ return 0;
|
||||
+ }
|
||||
goto realpatherr;
|
||||
}
|
||||
if (!strcmp(pathdnamer, "/"))
|
||||
--
|
||||
2.37.3
|
||||
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
From 319429ba3358c32a566f2c59898d01f2f36fdc95 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:57 +0200
|
||||
Subject: [PATCH] libselinux: exclude_non_seclabel_mounts(): drop unused
|
||||
variable
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The variable `num` is never read from.
|
||||
|
||||
Found by clang-analyer.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/selinux_restorecon.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
|
||||
index 249c361fa988..6fb9e1ff486d 100644
|
||||
--- a/libselinux/src/selinux_restorecon.c
|
||||
+++ b/libselinux/src/selinux_restorecon.c
|
||||
@@ -230,7 +230,6 @@ static int exclude_non_seclabel_mounts(void)
|
||||
struct utsname uts;
|
||||
FILE *fp;
|
||||
size_t len;
|
||||
- ssize_t num;
|
||||
int index = 0, found = 0, nfile = 0;
|
||||
char *mount_info[4];
|
||||
char *buf = NULL, *item;
|
||||
@@ -245,7 +244,7 @@ static int exclude_non_seclabel_mounts(void)
|
||||
if (!fp)
|
||||
return 0;
|
||||
|
||||
- while ((num = getline(&buf, &len, fp)) != -1) {
|
||||
+ while (getline(&buf, &len, fp) != -1) {
|
||||
found = 0;
|
||||
index = 0;
|
||||
item = strtok(buf, " ");
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From 782fa6ea38f323c60fc437577af515ce44627452 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:10:59 +0200
|
||||
Subject: [PATCH] libselinux: context_new(): drop dead assignment
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The variable `i` is not used inside this loop, and it later
|
||||
unconditionally set to 0.
|
||||
|
||||
Found by clang-analyzer.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/context.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/context.c b/libselinux/src/context.c
|
||||
index ce4258806c53..b2144c7cf76c 100644
|
||||
--- a/libselinux/src/context.c
|
||||
+++ b/libselinux/src/context.c
|
||||
@@ -37,7 +37,7 @@ context_t context_new(const char *str)
|
||||
}
|
||||
n->current_str = n->component[0] = n->component[1] = n->component[2] =
|
||||
n->component[3] = 0;
|
||||
- for (i = count = 0, p = str; *p; p++) {
|
||||
+ for (count = 0, p = str; *p; p++) {
|
||||
switch (*p) {
|
||||
case ':':
|
||||
count++;
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
From 599f1ec818d50ffc9690fea8c03b5fe278f30ed4 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Wed, 7 Dec 2022 09:19:29 +0100
|
||||
Subject: [PATCH] libselinux/restorecon: Fix memory leak - xattr_value
|
||||
|
||||
Fix memory leak introduced by commit
|
||||
9a04499cebedac3f585c0240e6cf68f786ae62b7
|
||||
libselinux: Ignore missing directories when -i is used
|
||||
|
||||
Error: RESOURCE_LEAK:
|
||||
selinux_restorecon.c:804: alloc_fn: Storage is returned from allocation function "malloc".
|
||||
selinux_restorecon.c:804: var_assign: Assigning: "xattr_value" = storage returned from "malloc(fc_digest_len)".
|
||||
selinux_restorecon.c:825: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to.
|
||||
|
||||
Resolves: rhbz#2137965
|
||||
---
|
||||
libselinux/src/selinux_restorecon.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
|
||||
index 2ff73db6..b3702764 100644
|
||||
--- a/libselinux/src/selinux_restorecon.c
|
||||
+++ b/libselinux/src/selinux_restorecon.c
|
||||
@@ -822,6 +822,7 @@ int selinux_restorecon(const char *pathname_orig,
|
||||
free(basename_cpy);
|
||||
/* missing parent directory */
|
||||
if (flags.ignore_noent && errno == ENOENT) {
|
||||
+ free(xattr_value);
|
||||
return 0;
|
||||
}
|
||||
goto realpatherr;
|
||||
@@ -838,6 +839,7 @@ int selinux_restorecon(const char *pathname_orig,
|
||||
if (!pathdnamer) {
|
||||
free(basename_cpy);
|
||||
if (flags.ignore_noent && errno == ENOENT) {
|
||||
+ free(xattr_value);
|
||||
return 0;
|
||||
}
|
||||
goto realpatherr;
|
||||
--
|
||||
2.37.3
|
||||
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From 9c26043af6e4947e0e3e7fb789452da0c66e11c9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:01 +0200
|
||||
Subject: [PATCH] libselinux: label_x::init(): drop dead assignment
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The variable `lineno` is only used in the preceding loop and is always
|
||||
set prior that to 0.
|
||||
|
||||
Found by clang-analyzer.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/label_x.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/label_x.c b/libselinux/src/label_x.c
|
||||
index 9674529931a7..e9fa063fafff 100644
|
||||
--- a/libselinux/src/label_x.c
|
||||
+++ b/libselinux/src/label_x.c
|
||||
@@ -146,7 +146,6 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
|
||||
if (process_line(path, line_buf, pass, ++lineno, rec))
|
||||
goto finish;
|
||||
}
|
||||
- lineno = 0;
|
||||
|
||||
if (pass == 0) {
|
||||
if (data->nspec == 0) {
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From 04335ab146d18f5865bed3516d5cbc9057a3df89 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:03 +0200
|
||||
Subject: [PATCH] libselinux: label_media::init(): drop dead assignment
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The variable `lineno` is only used in the preceding loop and it always
|
||||
set prior that to 0.
|
||||
|
||||
Found by clang-analyzer.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/label_media.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/label_media.c b/libselinux/src/label_media.c
|
||||
index d202e5d5ab83..eb27deaf510e 100644
|
||||
--- a/libselinux/src/label_media.c
|
||||
+++ b/libselinux/src/label_media.c
|
||||
@@ -119,7 +119,6 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
|
||||
if (process_line(path, line_buf, pass, ++lineno, rec))
|
||||
goto finish;
|
||||
}
|
||||
- lineno = 0;
|
||||
|
||||
if (pass == 0) {
|
||||
if (data->nspec == 0) {
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From 411c5a54587b1459528fb8e6b66d0bebf1a5fb39 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:05 +0200
|
||||
Subject: [PATCH] libselinux: setexecfilecon(): drop dead assignment
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The variable `rc` is always unconditionally assigned by the next call of
|
||||
`setexeccon()` and never read in between.
|
||||
|
||||
Found by clang-analyzer.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/setexecfilecon.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/setexecfilecon.c b/libselinux/src/setexecfilecon.c
|
||||
index e72ba0d98880..2c6505a96a48 100644
|
||||
--- a/libselinux/src/setexecfilecon.c
|
||||
+++ b/libselinux/src/setexecfilecon.c
|
||||
@@ -37,7 +37,6 @@ int setexecfilecon(const char *filename, const char *fallback_type)
|
||||
newcon = strdup(context_str(con));
|
||||
if (!newcon)
|
||||
goto out;
|
||||
- rc = 0;
|
||||
}
|
||||
|
||||
rc = setexeccon(newcon);
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,51 +0,0 @@
|
|||
From db69a3d3622005d3ffd62498eac8da1ded264874 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:07 +0200
|
||||
Subject: [PATCH] libselinux: getdefaultcon: free memory on multiple same
|
||||
arguments
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Do not leak memory if program arguments get specified more than once.
|
||||
|
||||
Found by clang-anlyzer.
|
||||
|
||||
getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'level' [unix.Malloc]
|
||||
fprintf(stderr,
|
||||
^~~~~~~~~~~~~~~
|
||||
getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'role' [unix.Malloc]
|
||||
fprintf(stderr,
|
||||
^~~~~~~~~~~~~~~
|
||||
getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'service' [unix.Malloc]
|
||||
fprintf(stderr,
|
||||
^~~~~~~~~~~~~~~
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/utils/getdefaultcon.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/libselinux/utils/getdefaultcon.c b/libselinux/utils/getdefaultcon.c
|
||||
index 96a5a8c23656..957c1cb2e307 100644
|
||||
--- a/libselinux/utils/getdefaultcon.c
|
||||
+++ b/libselinux/utils/getdefaultcon.c
|
||||
@@ -28,12 +28,15 @@ int main(int argc, char **argv)
|
||||
while ((opt = getopt(argc, argv, "l:r:s:v")) > 0) {
|
||||
switch (opt) {
|
||||
case 'l':
|
||||
+ free(level);
|
||||
level = strdup(optarg);
|
||||
break;
|
||||
case 'r':
|
||||
+ free(role);
|
||||
role = strdup(optarg);
|
||||
break;
|
||||
case 's':
|
||||
+ free(service);
|
||||
service = strdup(optarg);
|
||||
break;
|
||||
case 'v':
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,62 +0,0 @@
|
|||
From 6e5d16a012e1845774da106846b87090d39ea8f3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:09 +0200
|
||||
Subject: [PATCH] libselinux: store_stem(): do not free possible non-heap
|
||||
object
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
GCC 11 complains:
|
||||
|
||||
In file included from label_file.c:24:
|
||||
In function ‘store_stem’,
|
||||
inlined from ‘load_mmap’ at label_file.c:277:12,
|
||||
inlined from ‘process_file’ at label_file.c:551:5:
|
||||
label_file.h:289:25: error: ‘free’ called on pointer ‘*mmap_area.next_addr’ with nonzero offset 4 [-Werror=free-nonheap-object]
|
||||
289 | free(buf);
|
||||
| ^~~~~~~~~
|
||||
|
||||
Free the pointer on failure at the caller instead of inside `store_stem()`.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/label_file.h | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
|
||||
index baed3341b6b3..9f6337012216 100644
|
||||
--- a/libselinux/src/label_file.h
|
||||
+++ b/libselinux/src/label_file.h
|
||||
@@ -286,7 +286,6 @@ static inline int store_stem(struct saved_data *data, char *buf, int stem_len)
|
||||
tmp_arr = realloc(data->stem_arr,
|
||||
sizeof(*tmp_arr) * alloc_stems);
|
||||
if (!tmp_arr) {
|
||||
- free(buf);
|
||||
return -1;
|
||||
}
|
||||
data->alloc_stems = alloc_stems;
|
||||
@@ -308,6 +307,7 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf)
|
||||
int stem_len = get_stem_from_spec(buf);
|
||||
int stemid;
|
||||
char *stem;
|
||||
+ int r;
|
||||
|
||||
if (!stem_len)
|
||||
return -1;
|
||||
@@ -321,7 +321,11 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf)
|
||||
if (!stem)
|
||||
return -1;
|
||||
|
||||
- return store_stem(data, stem, stem_len);
|
||||
+ r = store_stem(data, stem, stem_len);
|
||||
+ if (r < 0)
|
||||
+ free(stem);
|
||||
+
|
||||
+ return r;
|
||||
}
|
||||
|
||||
/* This will always check for buffer over-runs and either read the next entry
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
From 0280a2a70c35c5c319f82f37a685424706b03ad4 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:11 +0200
|
||||
Subject: [PATCH] libselinux: matchmediacon(): close file on error
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Found by Infer.
|
||||
|
||||
matchmediacon.c:25: error: Resource Leak
|
||||
resource of type `_IO_FILE` acquired to `return` by call to `fopen()` at line 21, column 16 is not released after line 25, column 4.
|
||||
23. while (!feof_unlocked(infile)) {
|
||||
24. if (!fgets_unlocked(current_line, sizeof(current_line), infile)) {
|
||||
25. return -1;
|
||||
^
|
||||
26. }
|
||||
27. if (current_line[strlen(current_line) - 1])
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/matchmediacon.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/libselinux/src/matchmediacon.c b/libselinux/src/matchmediacon.c
|
||||
index 23d01af476d2..d3d9504348e1 100644
|
||||
--- a/libselinux/src/matchmediacon.c
|
||||
+++ b/libselinux/src/matchmediacon.c
|
||||
@@ -22,6 +22,7 @@ int matchmediacon(const char *media, char ** con)
|
||||
return -1;
|
||||
while (!feof_unlocked(infile)) {
|
||||
if (!fgets_unlocked(current_line, sizeof(current_line), infile)) {
|
||||
+ fclose(infile);
|
||||
return -1;
|
||||
}
|
||||
if (current_line[strlen(current_line) - 1])
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
From 9ab27e21800e8b5589eef0fa9242042567e9bc78 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:13 +0200
|
||||
Subject: [PATCH] libselinux: init_selinux_config(): free resources on error
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Found by Infer.
|
||||
|
||||
selinux_config.c:181: error: Resource Leak
|
||||
resource of type `_IO_FILE` acquired by call to `fopen()` at line 165, column 7 is not released after line 181, column 6.
|
||||
179. type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
|
||||
180. if (!type)
|
||||
181. return;
|
||||
^
|
||||
182. end = type + strlen(type) - 1;
|
||||
183. while ((end > type) &&
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/selinux_config.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
|
||||
index 6c5238953cb1..97f81a8b61ce 100644
|
||||
--- a/libselinux/src/selinux_config.c
|
||||
+++ b/libselinux/src/selinux_config.c
|
||||
@@ -177,8 +177,11 @@ static void init_selinux_config(void)
|
||||
if (!strncasecmp(buf_p, SELINUXTYPETAG,
|
||||
sizeof(SELINUXTYPETAG) - 1)) {
|
||||
type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
|
||||
- if (!type)
|
||||
+ if (!type) {
|
||||
+ free(line_buf);
|
||||
+ fclose(fp);
|
||||
return;
|
||||
+ }
|
||||
end = type + strlen(type) - 1;
|
||||
while ((end > type) &&
|
||||
(isspace(*end) || iscntrl(*end))) {
|
||||
@@ -187,6 +190,8 @@ static void init_selinux_config(void)
|
||||
}
|
||||
if (setpolicytype(type) != 0) {
|
||||
free(type);
|
||||
+ free(line_buf);
|
||||
+ fclose(fp);
|
||||
return;
|
||||
}
|
||||
free(type);
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,48 +0,0 @@
|
|||
From bc0a0327ca6e47400e161f6d1e70e08cb350a36f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:15 +0200
|
||||
Subject: [PATCH] libselinux: label_file::init(): do not pass NULL to strdup
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If any of the build flags `BUILD_HOST` or `ANDROID` is set and the
|
||||
caller did not pass an option of type `SELABEL_OPT_PATH`, the variable
|
||||
`path` might be not set.
|
||||
Add a check to avoid calling `strdup()` with a NULL pointer.
|
||||
|
||||
Found by cppcheck.
|
||||
|
||||
src/label_file.c:759:26: warning: Possible null pointer dereference: path [nullPointer]
|
||||
rec->spec_file = strdup(path);
|
||||
^
|
||||
src/label_file.c:713:21: note: Assignment 'path=NULL', assigned value is 0
|
||||
const char *path = NULL;
|
||||
^
|
||||
src/label_file.c:759:26: note: Null pointer dereference
|
||||
rec->spec_file = strdup(path);
|
||||
^
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/label_file.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
|
||||
index b080fcf1305b..4268b52c84cc 100644
|
||||
--- a/libselinux/src/label_file.c
|
||||
+++ b/libselinux/src/label_file.c
|
||||
@@ -756,6 +756,10 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
|
||||
}
|
||||
|
||||
#endif
|
||||
+
|
||||
+ if (!path)
|
||||
+ goto finish;
|
||||
+
|
||||
rec->spec_file = strdup(path);
|
||||
|
||||
/*
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,80 +0,0 @@
|
|||
From 65f1ccbecc30d31e66126e470d404b757eb9898e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:17 +0200
|
||||
Subject: [PATCH] libselinux: matchpathcon: free memory on realloc failure
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In case `realloc()` fails and returns NULL, free the passed array,
|
||||
instead of just setting the size helper variables to 0.
|
||||
|
||||
Also free the string contents in `free_array_elts()` of the array
|
||||
`con_array`, instead of just the array of pointers.
|
||||
|
||||
Found by cppcheck.
|
||||
|
||||
src/matchpathcon.c:86:4: error: Common realloc mistake: 'con_array' nulled but not freed upon failure [memleakOnRealloc]
|
||||
con_array = (char **)realloc(con_array, sizeof(char*) *
|
||||
^
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/matchpathcon.c | 26 ++++++++++++++++----------
|
||||
1 file changed, 16 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
|
||||
index 9e1fab593266..075a3fb3ffcb 100644
|
||||
--- a/libselinux/src/matchpathcon.c
|
||||
+++ b/libselinux/src/matchpathcon.c
|
||||
@@ -78,17 +78,30 @@ static pthread_once_t once = PTHREAD_ONCE_INIT;
|
||||
static pthread_key_t destructor_key;
|
||||
static int destructor_key_initialized = 0;
|
||||
|
||||
+static void free_array_elts(void)
|
||||
+{
|
||||
+ int i;
|
||||
+ for (i = 0; i < con_array_used; i++)
|
||||
+ free(con_array[i]);
|
||||
+ free(con_array);
|
||||
+
|
||||
+ con_array_size = con_array_used = 0;
|
||||
+ con_array = NULL;
|
||||
+}
|
||||
+
|
||||
static int add_array_elt(char *con)
|
||||
{
|
||||
+ char **tmp;
|
||||
if (con_array_size) {
|
||||
while (con_array_used >= con_array_size) {
|
||||
con_array_size *= 2;
|
||||
- con_array = (char **)realloc(con_array, sizeof(char*) *
|
||||
+ tmp = (char **)realloc(con_array, sizeof(char*) *
|
||||
con_array_size);
|
||||
- if (!con_array) {
|
||||
- con_array_size = con_array_used = 0;
|
||||
+ if (!tmp) {
|
||||
+ free_array_elts();
|
||||
return -1;
|
||||
}
|
||||
+ con_array = tmp;
|
||||
}
|
||||
} else {
|
||||
con_array_size = 1000;
|
||||
@@ -105,13 +118,6 @@ static int add_array_elt(char *con)
|
||||
return con_array_used++;
|
||||
}
|
||||
|
||||
-static void free_array_elts(void)
|
||||
-{
|
||||
- con_array_size = con_array_used = 0;
|
||||
- free(con_array);
|
||||
- con_array = NULL;
|
||||
-}
|
||||
-
|
||||
void set_matchpathcon_invalidcon(int (*f) (const char *p, unsigned l, char *c))
|
||||
{
|
||||
myinvalidcon = f;
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From e1999379dfc6d12abb9fa454ac01d4239baf361f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:19 +0200
|
||||
Subject: [PATCH] libselinux: label_db::db_init(): open file with CLOEXEC mode
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Open the file stream with the `e` flag, so that the underlying file
|
||||
descriptor gets closed on an exec in a potential sibling thread.
|
||||
|
||||
Also drop the flag `b`, since it is ignored on POSIX systems.
|
||||
|
||||
Found by clang-tidy.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/label_db.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c
|
||||
index fba96c92299f..94c05c6d4397 100644
|
||||
--- a/libselinux/src/label_db.c
|
||||
+++ b/libselinux/src/label_db.c
|
||||
@@ -277,7 +277,7 @@ db_init(const struct selinux_opt *opts, unsigned nopts,
|
||||
if (!path)
|
||||
path = selinux_sepgsql_context_path();
|
||||
|
||||
- if ((filp = fopen(path, "rb")) == NULL) {
|
||||
+ if ((filp = fopen(path, "re")) == NULL) {
|
||||
free(catalog);
|
||||
return NULL;
|
||||
}
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,73 +0,0 @@
|
|||
From 8827610e5045b9bce7d2fe24058548f938921ccf Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:22 +0200
|
||||
Subject: [PATCH] libselinux: drop redundant casts to the same type
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Found by clang-tidy.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/audit2why.c | 2 +-
|
||||
libselinux/src/avc_sidtab.c | 2 +-
|
||||
libselinux/src/is_customizable_type.c | 2 +-
|
||||
libselinux/src/selinux_restorecon.c | 2 +-
|
||||
4 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
|
||||
index d56b56eb2a1a..029f874f4702 100644
|
||||
--- a/libselinux/src/audit2why.c
|
||||
+++ b/libselinux/src/audit2why.c
|
||||
@@ -275,7 +275,7 @@ static int __policy_init(const char *init_path)
|
||||
}
|
||||
|
||||
sepol_bool_iterate(avc->handle, avc->policydb,
|
||||
- load_booleans, (void *)NULL);
|
||||
+ load_booleans, NULL);
|
||||
|
||||
/* Initialize the sidtab for subsequent use by sepol_context_to_sid
|
||||
and sepol_compute_av_reason. */
|
||||
diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
|
||||
index 8dc875608762..8c81cf65d2ef 100644
|
||||
--- a/libselinux/src/avc_sidtab.c
|
||||
+++ b/libselinux/src/avc_sidtab.c
|
||||
@@ -56,7 +56,7 @@ int sidtab_insert(struct sidtab *s, const char * ctx)
|
||||
rc = -1;
|
||||
goto out;
|
||||
}
|
||||
- newctx = (char *) strdup(ctx);
|
||||
+ newctx = strdup(ctx);
|
||||
if (!newctx) {
|
||||
rc = -1;
|
||||
avc_free(newnode);
|
||||
diff --git a/libselinux/src/is_customizable_type.c b/libselinux/src/is_customizable_type.c
|
||||
index 92876f4d9371..1b17860c3622 100644
|
||||
--- a/libselinux/src/is_customizable_type.c
|
||||
+++ b/libselinux/src/is_customizable_type.c
|
||||
@@ -38,7 +38,7 @@ static int get_customizable_type_list(char *** retlist)
|
||||
while (fgets_unlocked(buf, selinux_page_size, fp)
|
||||
&& i < ctr) {
|
||||
buf[strlen(buf) - 1] = 0;
|
||||
- list[i] = (char *) strdup(buf);
|
||||
+ list[i] = strdup(buf);
|
||||
if (!list[i]) {
|
||||
unsigned int j;
|
||||
for (j = 0; j < i; j++)
|
||||
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
|
||||
index 6fb9e1ff486d..999aa924ba32 100644
|
||||
--- a/libselinux/src/selinux_restorecon.c
|
||||
+++ b/libselinux/src/selinux_restorecon.c
|
||||
@@ -1152,7 +1152,7 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
|
||||
unsigned char *fc_digest;
|
||||
size_t num_specfiles, fc_digest_len;
|
||||
|
||||
- fc_sehandle = (struct selabel_handle *) hndl;
|
||||
+ fc_sehandle = hndl;
|
||||
if (!fc_sehandle)
|
||||
return;
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,60 +0,0 @@
|
|||
From b1a4603c9208982e33291fe6dc5aa78148762530 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:24 +0200
|
||||
Subject: [PATCH] libselinux: sidtab_sid_stats(): unify parameter name
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Found by clang-tidy.
|
||||
|
||||
libselinux/src/avc_sidtab.h:32:6: warning: function 'sidtab_sid_stats' has a definition with different parameter names [readability-inconsistent-declaration-parameter-name]
|
||||
void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
|
||||
^
|
||||
libselinux/src/avc_sidtab.c:103:6: note: the definition seen here
|
||||
void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
|
||||
^
|
||||
libselinux/src/avc_sidtab.h:32:6: note: differing parameters are named here: ('s'), in definition: ('h')
|
||||
void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
|
||||
^ ~
|
||||
h
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/avc_sidtab.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
|
||||
index 8c81cf65d2ef..f179d8558a45 100644
|
||||
--- a/libselinux/src/avc_sidtab.c
|
||||
+++ b/libselinux/src/avc_sidtab.c
|
||||
@@ -100,7 +100,7 @@ sidtab_context_to_sid(struct sidtab *s,
|
||||
return rc;
|
||||
}
|
||||
|
||||
-void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
|
||||
+void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen)
|
||||
{
|
||||
int i, chain_len, slots_used, max_chain_len;
|
||||
struct sidtab_node *cur;
|
||||
@@ -108,7 +108,7 @@ void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
|
||||
slots_used = 0;
|
||||
max_chain_len = 0;
|
||||
for (i = 0; i < SIDTAB_SIZE; i++) {
|
||||
- cur = h->htable[i];
|
||||
+ cur = s->htable[i];
|
||||
if (cur) {
|
||||
slots_used++;
|
||||
chain_len = 0;
|
||||
@@ -124,7 +124,7 @@ void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
|
||||
|
||||
snprintf(buf, buflen,
|
||||
"%s: %u SID entries and %d/%d buckets used, longest "
|
||||
- "chain length %d\n", avc_prefix, h->nel, slots_used,
|
||||
+ "chain length %d\n", avc_prefix, s->nel, slots_used,
|
||||
SIDTAB_SIZE, max_chain_len);
|
||||
}
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
From e057080fcc148b3b1fc613c100340c325bde6c7e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:26 +0200
|
||||
Subject: [PATCH] libselinux: regex: unify parameter names
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Use the same parameter names as in the header `regex.h`.
|
||||
|
||||
Found by clang-tidy.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/regex.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c
|
||||
index 770bc3ea1310..73987d9f1063 100644
|
||||
--- a/libselinux/src/regex.c
|
||||
+++ b/libselinux/src/regex.c
|
||||
@@ -319,7 +319,7 @@ char const *regex_version(void)
|
||||
}
|
||||
|
||||
int regex_load_mmap(struct mmap_area *mmap_area, struct regex_data **regex,
|
||||
- int unused __attribute__((unused)), bool *regex_compiled)
|
||||
+ int do_load_precompregex __attribute__((unused)), bool *regex_compiled)
|
||||
{
|
||||
int rc;
|
||||
uint32_t entry_len;
|
||||
@@ -387,7 +387,7 @@ static inline pcre_extra *get_pcre_extra(struct regex_data *regex)
|
||||
}
|
||||
|
||||
int regex_writef(struct regex_data *regex, FILE *fp,
|
||||
- int unused __attribute__((unused)))
|
||||
+ int do_write_precompregex __attribute__((unused)))
|
||||
{
|
||||
int rc;
|
||||
size_t len;
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From 2657e3ccbd01f09ea4c637c2d8cf23646507475a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 3 May 2021 17:11:31 +0200
|
||||
Subject: [PATCH] libselinux: label_file.c: fix indent
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Found by clang-tidy.
|
||||
|
||||
libselinux/src/label_file.c:374:4: warning: different indentation for 'if' and corresponding 'else' [readability-misleading-indentation]
|
||||
else
|
||||
^
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/label_file.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
|
||||
index 4268b52c84cc..56f499faef97 100644
|
||||
--- a/libselinux/src/label_file.c
|
||||
+++ b/libselinux/src/label_file.c
|
||||
@@ -371,7 +371,7 @@ end_arch_check:
|
||||
|
||||
if (stem_id < 0 || stem_id >= (int32_t)stem_map_len)
|
||||
spec->stem_id = -1;
|
||||
- else
|
||||
+ else
|
||||
spec->stem_id = stem_map[stem_id];
|
||||
|
||||
/* retrieve the hasMetaChars bit */
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From a2304cef5780d72ef0eb927b799337982c599ca9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 10 May 2021 12:56:46 +0200
|
||||
Subject: [PATCH] libselinux: avc_destroy(3) closes status page
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Mention in the manpage of avc_destroy(3) that it does close the SELinux
|
||||
status page, which might have been opened manually by the client
|
||||
application.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/man/man3/avc_open.3 | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3
|
||||
index 3090dd5077c7..55683bb6594b 100644
|
||||
--- a/libselinux/man/man3/avc_open.3
|
||||
+++ b/libselinux/man/man3/avc_open.3
|
||||
@@ -26,6 +26,9 @@ initializes the userspace AVC and must be called before any other AVC operation
|
||||
destroys the userspace AVC, freeing all internal memory structures. After this call has been made,
|
||||
.BR avc_open ()
|
||||
must be called again before any AVC operations can be performed.
|
||||
+.BR avc_destroy ()
|
||||
+also closes the SELinux status page, which might have been opened manually by
|
||||
+.BR selinux_status_open (3).
|
||||
|
||||
.BR avc_reset ()
|
||||
flushes the userspace AVC, causing it to forget any cached access decisions. The userspace AVC normally calls this function automatically when needed, see
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
From c5a699046f4a08a554d2da9121924fc80bf27cba Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 10 May 2021 12:56:47 +0200
|
||||
Subject: [PATCH] libselinux: make selinux_status_open(3) reentrant
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Do not mmap the status page again if `selinux_status_open(3)` has already
|
||||
been called with success.
|
||||
|
||||
`selinux_status_open(3)` might be called unintentionally multiple times,
|
||||
e.g. once to manually be able to call `selinux_status_getenforce(3)` and
|
||||
once indirectly through `selinux_check_access(3)`
|
||||
(since libselinux 3.2).
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/sestatus.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
|
||||
index 12b015e088ea..531a522c0f48 100644
|
||||
--- a/libselinux/src/sestatus.c
|
||||
+++ b/libselinux/src/sestatus.c
|
||||
@@ -282,6 +282,10 @@ int selinux_status_open(int fallback)
|
||||
long pagesize;
|
||||
uint32_t seqno;
|
||||
|
||||
+ if (selinux_status != NULL) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (!selinux_mnt) {
|
||||
errno = ENOENT;
|
||||
return -1;
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
From 3cef4110bee88ac81dfb5e62c2a8b7902248abba Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 10 May 2021 12:56:48 +0200
|
||||
Subject: [PATCH] libselinux: do not use status page fallback mode internally
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently `avc_init_internal()`, called by `avc_open(3)` and
|
||||
`avc_init(3)`, does open the SELinux status page with fallback mode
|
||||
enabled.
|
||||
|
||||
Quote from man:selinux_status_open(3):
|
||||
In this case, this function tries to open a netlink socket using
|
||||
.BR avc_netlink_open (3) and overwrite corresponding callbacks
|
||||
(setenforce and policyload). Thus, we need to pay attention to the
|
||||
interaction with these interfaces, when fallback mode is enabled.
|
||||
|
||||
Calling `selinux_status_open` internally in fallback mode is bad, cause
|
||||
it overrides callbacks from client applications or the internal
|
||||
fallback-callbacks get overridden by client applications.
|
||||
Note that `avc_open(3)` gets called under the hood by
|
||||
`selinux_check_access(3)` without checking for failure.
|
||||
Also the status page is available since Linux 2.6.37, so failures of
|
||||
`selinux_status_open(3)` in non-fallback mode should only be caused by
|
||||
policies not allowing the client process to open/read/map
|
||||
the /sys/fs/selinux/status file.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
libselinux/src/avc.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
|
||||
index 8314d7ba3de6..daaedbc6a6fd 100644
|
||||
--- a/libselinux/src/avc.c
|
||||
+++ b/libselinux/src/avc.c
|
||||
@@ -214,7 +214,7 @@ static int avc_init_internal(const char *prefix,
|
||||
avc_enforcing = rc;
|
||||
}
|
||||
|
||||
- rc = selinux_status_open(1);
|
||||
+ rc = selinux_status_open(0);
|
||||
if (rc < 0) {
|
||||
avc_log(SELINUX_ERROR,
|
||||
"%s: could not open selinux status page: %d (%s)\n",
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
From ed2e4db2f9941e01e65248ce5f0a9e49f3efd130 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 1 Jun 2021 17:05:23 +0200
|
||||
Subject: [PATCH] libselinux: selinux_status_open: return 1 in fallback mode
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In case of a recurring call to `selinux_status_open(3)`, which
|
||||
previously has been opened in fallback mode, return `1` according to its
|
||||
documentation.
|
||||
|
||||
Fixes: c5a699046f4 ("libselinux: make selinux_status_open(3) reentrant")
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
Acked-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
libselinux/src/sestatus.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
|
||||
index 531a522c0f48..89c1f6216702 100644
|
||||
--- a/libselinux/src/sestatus.c
|
||||
+++ b/libselinux/src/sestatus.c
|
||||
@@ -283,7 +283,7 @@ int selinux_status_open(int fallback)
|
||||
uint32_t seqno;
|
||||
|
||||
if (selinux_status != NULL) {
|
||||
- return 0;
|
||||
+ return (selinux_status == MAP_FAILED) ? 1 : 0;
|
||||
}
|
||||
|
||||
if (!selinux_mnt) {
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,118 +0,0 @@
|
|||
From ea02e0acfaab93219359448a66edff365aef4ca5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 1 Jun 2021 17:35:09 +0200
|
||||
Subject: [PATCH] libselinux: improve getcon(3) man page
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Improve formatting of section DESCRIPTION by adding list points.
|
||||
Mention errno is set on failure.
|
||||
Mention the returned context might be NULL if SELinux is not enabled.
|
||||
Align setcon/_raw parameter by adding const.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
Acked-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
libselinux/man/man3/getcon.3 | 41 +++++++++++++++++++++++++-----------
|
||||
1 file changed, 29 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3
|
||||
index 67872a4dede6..e7e394f305b7 100644
|
||||
--- a/libselinux/man/man3/getcon.3
|
||||
+++ b/libselinux/man/man3/getcon.3
|
||||
@@ -7,7 +7,7 @@ freecon, freeconary \- free memory associated with SELinux security contexts
|
||||
getpeercon \- get security context of a peer socket
|
||||
|
||||
setcon \- set current security context of a process
|
||||
-.
|
||||
+
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <selinux/selinux.h>
|
||||
.sp
|
||||
@@ -31,30 +31,39 @@ setcon \- set current security context of a process
|
||||
.sp
|
||||
.BI "void freeconary(char **" con );
|
||||
.sp
|
||||
-.BI "int setcon(char *" context );
|
||||
+.BI "int setcon(const char *" context );
|
||||
.sp
|
||||
-.BI "int setcon_raw(char *" context );
|
||||
-.
|
||||
+.BI "int setcon_raw(const char *" context );
|
||||
+
|
||||
.SH "DESCRIPTION"
|
||||
+.TP
|
||||
.BR getcon ()
|
||||
retrieves the context of the current process, which must be free'd with
|
||||
-freecon.
|
||||
+.BR freecon ().
|
||||
|
||||
+.TP
|
||||
.BR getprevcon ()
|
||||
same as getcon but gets the context before the last exec.
|
||||
|
||||
+.TP
|
||||
.BR getpidcon ()
|
||||
-returns the process context for the specified PID.
|
||||
+returns the process context for the specified PID, which must be free'd with
|
||||
+.BR freecon ().
|
||||
|
||||
+.TP
|
||||
.BR getpeercon ()
|
||||
-retrieves context of peer socket, and set
|
||||
-.BI * context
|
||||
-to refer to it, which must be free'd with
|
||||
+retrieves the context of the peer socket, which must be free'd with
|
||||
.BR freecon ().
|
||||
|
||||
+.TP
|
||||
.BR freecon ()
|
||||
frees the memory allocated for a security context.
|
||||
|
||||
+If
|
||||
+.I con
|
||||
+is NULL, no operation is performed.
|
||||
+
|
||||
+.TP
|
||||
.BR freeconary ()
|
||||
frees the memory allocated for a context array.
|
||||
|
||||
@@ -62,6 +71,7 @@ If
|
||||
.I con
|
||||
is NULL, no operation is performed.
|
||||
|
||||
+.TP
|
||||
.BR setcon ()
|
||||
sets the current security context of the process to a new value. Note
|
||||
that use of this function requires that the entire application be
|
||||
@@ -110,6 +120,8 @@ context and the
|
||||
.BR setcon ()
|
||||
will fail if it is not allowed by policy.
|
||||
|
||||
+.TP
|
||||
+.BR *_raw()
|
||||
.BR getcon_raw (),
|
||||
.BR getprevcon_raw (),
|
||||
.BR getpidcon_raw (),
|
||||
@@ -118,9 +130,14 @@ and
|
||||
.BR setcon_raw ()
|
||||
behave identically to their non-raw counterparts but do not perform context
|
||||
translation.
|
||||
-.
|
||||
+
|
||||
.SH "RETURN VALUE"
|
||||
-On error \-1 is returned. On success 0 is returned.
|
||||
-.
|
||||
+On error \-1 is returned with errno set. On success 0 is returned.
|
||||
+
|
||||
+.SH "NOTES"
|
||||
+The retrieval functions might return success and set
|
||||
+.I *context
|
||||
+to NULL if and only if SELinux is not enabled.
|
||||
+
|
||||
.SH "SEE ALSO"
|
||||
.BR selinux "(8), " setexeccon "(3)"
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
From fa4de3c9d85a310248bae516ed4535773885845b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 8 Jun 2021 17:36:44 +0200
|
||||
Subject: [PATCH] libselinux: fix typo
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
Acked-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
libselinux/src/regex.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libselinux/src/regex.h b/libselinux/src/regex.h
|
||||
index 10c3df7856e1..2dfa25342034 100644
|
||||
--- a/libselinux/src/regex.h
|
||||
+++ b/libselinux/src/regex.h
|
||||
@@ -44,7 +44,7 @@ struct mmap_area;
|
||||
char const *regex_arch_string(void) ;
|
||||
|
||||
/**
|
||||
- * regex_verison returns the version string of the underlying regular
|
||||
+ * regex_version returns the version string of the underlying regular
|
||||
* regular expressions library. In the case of PCRE it just returns the
|
||||
* result of pcre_version(). In the case of PCRE2, the very first time this
|
||||
* function is called it allocates a buffer large enough to hold the version
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From 70b31e75fe157f4cfa5afc6589c0605868017028 Mon Sep 17 00:00:00 2001
|
||||
From: Topi Miettinen <toiwoton@gmail.com>
|
||||
Date: Sat, 12 Jun 2021 12:07:38 +0300
|
||||
Subject: [PATCH] selinux.8: document how mount flag nosuid affects SELinux
|
||||
|
||||
Using mount flag `nosuid` also affects SELinux domain transitions but
|
||||
this has not been documented well.
|
||||
|
||||
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
|
||||
---
|
||||
libselinux/man/man8/selinux.8 | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
|
||||
index 0ef014609a36..5842150bfc72 100644
|
||||
--- a/libselinux/man/man8/selinux.8
|
||||
+++ b/libselinux/man/man8/selinux.8
|
||||
@@ -94,6 +94,13 @@ and reboot.
|
||||
also has this capability. The
|
||||
.BR restorecon / fixfiles
|
||||
commands are also available for relabeling files.
|
||||
+
|
||||
+Please note that using mount flag
|
||||
+.I nosuid
|
||||
+also disables SELinux domain transitions, unless permission
|
||||
+.I nosuid_transition
|
||||
+is used in the policy to allow this, which in turn needs also policy capability
|
||||
+.IR nnp_nosuid_transition .
|
||||
.
|
||||
.SH AUTHOR
|
||||
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
From 4859b738136ef8889fbb71a166cfec8d313ba4e0 Mon Sep 17 00:00:00 2001
|
||||
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
Date: Thu, 1 Jul 2021 19:06:19 +0200
|
||||
Subject: [PATCH] libselinux/utils/getseuser.c: fix build with gcc 4.8
|
||||
|
||||
Fix the following build failure with gcc 4.8 which is raised since
|
||||
version 3.2 and
|
||||
https://github.com/SELinuxProject/selinux/commit/156dd0de5cad31e7d437c64e11a8aef027f0a691
|
||||
|
||||
getseuser.c:53:2: error: 'for' loop initial declarations are only allowed in C99 mode
|
||||
for (int i = 0; i < n; i++)
|
||||
^
|
||||
|
||||
Fixes:
|
||||
- http://autobuild.buildroot.org/results/37eb0952a763256fbf6ef3c668f6c95fbdf2dd35
|
||||
|
||||
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
---
|
||||
libselinux/utils/getseuser.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libselinux/utils/getseuser.c b/libselinux/utils/getseuser.c
|
||||
index ce1b7b27dbd9..34f2e887ffa0 100644
|
||||
--- a/libselinux/utils/getseuser.c
|
||||
+++ b/libselinux/utils/getseuser.c
|
||||
@@ -9,7 +9,7 @@ int main(int argc, char **argv)
|
||||
{
|
||||
char *seuser = NULL, *level = NULL;
|
||||
char **contextlist;
|
||||
- int rc, n;
|
||||
+ int rc, n, i;
|
||||
|
||||
if (argc != 3) {
|
||||
fprintf(stderr, "usage: %s linuxuser fromcon\n", argv[0]);
|
||||
@@ -50,7 +50,7 @@ int main(int argc, char **argv)
|
||||
if (n == 0)
|
||||
printf("no valid context found\n");
|
||||
|
||||
- for (int i = 0; i < n; i++)
|
||||
+ for (i = 0; i < n; i++)
|
||||
printf("Context %d\t%s\n", i, contextlist[i]);
|
||||
|
||||
freeconary(contextlist);
|
||||
--
|
||||
2.32.0
|
||||
|
||||
|
|
@ -1,191 +0,0 @@
|
|||
From 40543dceedc1510d0d27177f564db0f232689803 Mon Sep 17 00:00:00 2001
|
||||
From: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
Date: Sat, 3 Jul 2021 16:31:18 +0200
|
||||
Subject: [PATCH] libselinux: silence -Wextra-semi-stmt warning
|
||||
|
||||
On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt
|
||||
(which is not the default build configuration), the compiler reports:
|
||||
|
||||
sha1.c:90:21: error: empty expression statement has no effect;
|
||||
remove unnecessary ';' to silence this warning
|
||||
[-Werror,-Wextra-semi-stmt]
|
||||
R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
|
||||
^
|
||||
In file included from selinux_restorecon.c:39:
|
||||
./label_file.h:458:15: error: empty expression statement has no
|
||||
effect; remove unnecessary ';' to silence this warning
|
||||
[-Werror,-Wextra-semi-stmt]
|
||||
lineno);
|
||||
^
|
||||
|
||||
Introduce "do { } while (0)" blocks to silence such warnings.
|
||||
|
||||
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
---
|
||||
libselinux/src/avc_internal.h | 22 +++++++++++++-------
|
||||
libselinux/src/label_internal.h | 10 +++++----
|
||||
libselinux/src/load_policy.c | 2 +-
|
||||
libselinux/src/procattr.c | 4 ++--
|
||||
libselinux/src/sha1.c | 11 +++++-----
|
||||
libselinux/utils/matchpathcon.c | 2 +-
|
||||
libselinux/utils/selabel_lookup_best_match.c | 2 +-
|
||||
7 files changed, 31 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
|
||||
index da67affc9307..a9a4aa0b3c42 100644
|
||||
--- a/libselinux/src/avc_internal.h
|
||||
+++ b/libselinux/src/avc_internal.h
|
||||
@@ -85,10 +85,12 @@ static inline void avc_free(void *ptr)
|
||||
|
||||
/* this is a macro in order to use the variadic capability. */
|
||||
#define avc_log(type, format...) \
|
||||
- if (avc_func_log) \
|
||||
- avc_func_log(format); \
|
||||
- else \
|
||||
- selinux_log(type, format);
|
||||
+ do { \
|
||||
+ if (avc_func_log) \
|
||||
+ avc_func_log(format); \
|
||||
+ else \
|
||||
+ selinux_log(type, format); \
|
||||
+ } while (0)
|
||||
|
||||
static inline void avc_suppl_audit(void *ptr, security_class_t class,
|
||||
char *buf, size_t len)
|
||||
@@ -137,14 +139,18 @@ static inline void avc_free_lock(void *lock)
|
||||
#ifdef AVC_CACHE_STATS
|
||||
|
||||
#define avc_cache_stats_incr(field) \
|
||||
- cache_stats.field ++;
|
||||
+ do { \
|
||||
+ cache_stats.field ++; \
|
||||
+ } while (0)
|
||||
#define avc_cache_stats_add(field, num) \
|
||||
- cache_stats.field += num;
|
||||
+ do { \
|
||||
+ cache_stats.field += num; \
|
||||
+ } while (0)
|
||||
|
||||
#else
|
||||
|
||||
-#define avc_cache_stats_incr(field)
|
||||
-#define avc_cache_stats_add(field, num)
|
||||
+#define avc_cache_stats_incr(field) do {} while (0)
|
||||
+#define avc_cache_stats_add(field, num) do {} while (0)
|
||||
|
||||
#endif
|
||||
|
||||
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
|
||||
index 361b443cb9c4..782c6aa8cc0c 100644
|
||||
--- a/libselinux/src/label_internal.h
|
||||
+++ b/libselinux/src/label_internal.h
|
||||
@@ -128,10 +128,12 @@ extern int myprintf_compat;
|
||||
extern void __attribute__ ((format(printf, 1, 2)))
|
||||
(*myprintf) (const char *fmt, ...) ;
|
||||
|
||||
-#define COMPAT_LOG(type, fmt...) if (myprintf_compat) \
|
||||
- myprintf(fmt); \
|
||||
- else \
|
||||
- selinux_log(type, fmt);
|
||||
+#define COMPAT_LOG(type, fmt...) do { \
|
||||
+ if (myprintf_compat) \
|
||||
+ myprintf(fmt); \
|
||||
+ else \
|
||||
+ selinux_log(type, fmt); \
|
||||
+ } while (0)
|
||||
|
||||
extern int
|
||||
compat_validate(struct selabel_handle *rec,
|
||||
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
|
||||
index 0034fa53d6e6..5857b821e80e 100644
|
||||
--- a/libselinux/src/load_policy.c
|
||||
+++ b/libselinux/src/load_policy.c
|
||||
@@ -80,7 +80,7 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
|
||||
if (libsepolh) {
|
||||
usesepol = 1;
|
||||
dlerror();
|
||||
-#define DLERR() if ((errormsg = dlerror())) goto dlclose;
|
||||
+#define DLERR() do { if ((errormsg = dlerror())) goto dlclose; } while (0)
|
||||
vers_max = dlsym(libsepolh, "sepol_policy_kern_vers_max");
|
||||
DLERR();
|
||||
vers_min = dlsym(libsepolh, "sepol_policy_kern_vers_min");
|
||||
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
|
||||
index 840570525f5f..6552ee01bca8 100644
|
||||
--- a/libselinux/src/procattr.c
|
||||
+++ b/libselinux/src/procattr.c
|
||||
@@ -146,7 +146,7 @@ static int getprocattrcon_raw(char ** context,
|
||||
default:
|
||||
errno = ENOENT;
|
||||
return -1;
|
||||
- };
|
||||
+ }
|
||||
|
||||
if (prev_context && prev_context != UNSET) {
|
||||
*context = strdup(prev_context);
|
||||
@@ -240,7 +240,7 @@ static int setprocattrcon_raw(const char * context,
|
||||
default:
|
||||
errno = ENOENT;
|
||||
return -1;
|
||||
- };
|
||||
+ }
|
||||
|
||||
if (!context && !*prev_context)
|
||||
return 0;
|
||||
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
|
||||
index 664bbcf26eef..a848467785f3 100644
|
||||
--- a/libselinux/src/sha1.c
|
||||
+++ b/libselinux/src/sha1.c
|
||||
@@ -16,6 +16,7 @@
|
||||
// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
|
||||
// CHAR64LONG16* block = (CHAR64LONG16*) workspace;
|
||||
// William Roberts <william.c.roberts@intel.com>
|
||||
+// - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
|
||||
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
@@ -49,11 +50,11 @@ typedef union
|
||||
^block->l[(i+2)&15]^block->l[i&15],1))
|
||||
|
||||
// (R0+R1), R2, R3, R4 are the different operations used in SHA1
|
||||
-#define R0(v,w,x,y,z,i) z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30);
|
||||
-#define R1(v,w,x,y,z,i) z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30);
|
||||
-#define R2(v,w,x,y,z,i) z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30);
|
||||
-#define R3(v,w,x,y,z,i) z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30);
|
||||
-#define R4(v,w,x,y,z,i) z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30);
|
||||
+#define R0(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
|
||||
+#define R1(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
|
||||
+#define R2(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
|
||||
+#define R3(v,w,x,y,z,i) do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
|
||||
+#define R4(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
|
||||
|
||||
|
||||
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
|
||||
index a07e160dee71..1d713c01f81c 100644
|
||||
--- a/libselinux/utils/matchpathcon.c
|
||||
+++ b/libselinux/utils/matchpathcon.c
|
||||
@@ -65,7 +65,7 @@ static mode_t string_to_mode(char *s)
|
||||
return S_IFREG;
|
||||
default:
|
||||
return -1;
|
||||
- };
|
||||
+ }
|
||||
return -1;
|
||||
}
|
||||
|
||||
diff --git a/libselinux/utils/selabel_lookup_best_match.c b/libselinux/utils/selabel_lookup_best_match.c
|
||||
index 6a7174233667..2cddc6cde051 100644
|
||||
--- a/libselinux/utils/selabel_lookup_best_match.c
|
||||
+++ b/libselinux/utils/selabel_lookup_best_match.c
|
||||
@@ -47,7 +47,7 @@ static mode_t string_to_mode(char *s)
|
||||
return S_IFSOCK;
|
||||
case 'f':
|
||||
return S_IFREG;
|
||||
- };
|
||||
+ }
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
2.32.0
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -1,63 +1,49 @@
|
|||
%define ruby_inc %(pkg-config --cflags ruby)
|
||||
%define libsepolver 3.2-3
|
||||
|
||||
%global with_ruby 1
|
||||
|
||||
%if 0%{?with_ruby}
|
||||
%global ruby_inc %(pkg-config --cflags ruby)
|
||||
%endif
|
||||
|
||||
%define libsepolver 2.9-1
|
||||
%define libselinuxrelease 8
|
||||
|
||||
Summary: SELinux library and simple utilities
|
||||
Name: libselinux
|
||||
Version: 3.2
|
||||
Release: 6%{?dist}
|
||||
Version: 2.9
|
||||
Release: %{libselinuxrelease}%{?dist}
|
||||
License: Public Domain
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/libselinux-3.2.tar.gz
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libselinux-2.9.tar.gz
|
||||
Source1: selinuxconlist.8
|
||||
Source2: selinuxdefcon.8
|
||||
Url: https://github.com/SELinuxProject/selinux/wiki
|
||||
# $ git clone https://github.com/fedora-selinux/selinux.git
|
||||
# $ cd selinux
|
||||
# $ git format-patch -N 3.2 -- libselinux
|
||||
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||
# Patch list start
|
||||
Patch0001: 0001-libselinux-do-not-duplicate-make-target-when-going-i.patch
|
||||
Patch0002: 0002-libselinux-selinux_check_passwd_access_internal-resp.patch
|
||||
Patch0003: 0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch
|
||||
Patch0004: 0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch
|
||||
Patch0005: 0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch
|
||||
Patch0006: 0006-libselinux-label_common-do-not-discard-const-qualifi.patch
|
||||
Patch0007: 0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch
|
||||
Patch0008: 0008-libselinux-sefcontext_compile-mark-local-variable-st.patch
|
||||
Patch0009: 0009-libselinux-avcstat-use-standard-length-modifier-for-.patch
|
||||
Patch0010: 0010-libselinux-selinux_restorecon-mark-local-variable-st.patch
|
||||
Patch0011: 0011-libselinux-selabel_get_digests_all_partial_matches-f.patch
|
||||
Patch0012: 0012-libselinux-getconlist-free-memory-on-multiple-level-.patch
|
||||
Patch0013: 0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch
|
||||
Patch0014: 0014-libselinux-context_new-drop-dead-assignment.patch
|
||||
Patch0015: 0015-libselinux-label_x-init-drop-dead-assignment.patch
|
||||
Patch0016: 0016-libselinux-label_media-init-drop-dead-assignment.patch
|
||||
Patch0017: 0017-libselinux-setexecfilecon-drop-dead-assignment.patch
|
||||
Patch0018: 0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch
|
||||
Patch0019: 0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch
|
||||
Patch0020: 0020-libselinux-matchmediacon-close-file-on-error.patch
|
||||
Patch0021: 0021-libselinux-init_selinux_config-free-resources-on-err.patch
|
||||
Patch0022: 0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch
|
||||
Patch0023: 0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch
|
||||
Patch0024: 0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch
|
||||
Patch0025: 0025-libselinux-drop-redundant-casts-to-the-same-type.patch
|
||||
Patch0026: 0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch
|
||||
Patch0027: 0027-libselinux-regex-unify-parameter-names.patch
|
||||
Patch0028: 0028-libselinux-label_file.c-fix-indent.patch
|
||||
Patch0029: 0029-libselinux-avc_destroy-3-closes-status-page.patch
|
||||
Patch0030: 0030-libselinux-make-selinux_status_open-3-reentrant.patch
|
||||
Patch0031: 0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch
|
||||
Patch0032: 0032-libselinux-selinux_status_open-return-1-in-fallback-.patch
|
||||
Patch0033: 0033-libselinux-improve-getcon-3-man-page.patch
|
||||
Patch0034: 0034-libselinux-fix-typo.patch
|
||||
Patch0035: 0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch
|
||||
Patch0036: 0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch
|
||||
Patch0037: 0037-libselinux-silence-Wextra-semi-stmt-warning.patch
|
||||
Patch0038: 0038-sha1-sha256.patch
|
||||
# Patch list end
|
||||
BuildRequires: gcc make
|
||||
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||
Patch0001: 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
|
||||
Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
|
||||
Patch0003: 0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
|
||||
Patch0004: 0004-Bring-some-old-permission-and-flask-constants-back-t.patch
|
||||
Patch0005: 0005-libselinux-add-missing-av_permission-values.patch
|
||||
Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
|
||||
Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
|
||||
Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
|
||||
Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
|
||||
Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
|
||||
Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
|
||||
Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch
|
||||
Patch0013: 0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
|
||||
Patch0014: 0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
|
||||
|
||||
BuildRequires: gcc
|
||||
%if 0%{?with_ruby}
|
||||
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
|
||||
%else
|
||||
BuildRequires: libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
|
||||
%endif
|
||||
BuildRequires: python3 python3-devel
|
||||
%if 0%{?with_python2}
|
||||
BuildRequires: python2 python2-devel
|
||||
%endif
|
||||
BuildRequires: systemd
|
||||
Requires: libsepol%{?_isa} >= %{libsepolver} pcre2
|
||||
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
|
||||
|
|
@ -84,6 +70,20 @@ Requires: %{name}%{?_isa} = %{version}-%{release}
|
|||
%description utils
|
||||
The libselinux-utils package contains the utilities
|
||||
|
||||
%if 0%{?with_python2}
|
||||
%package -n libselinux-python
|
||||
%{?python_provide:%python_provide python2-libselinux}
|
||||
Provides: python2-%{name} = %{version}-%{release}
|
||||
Provides: python2-%{name}%{?_isa} = %{version}-%{release}
|
||||
Obsoletes: %{name}-python < %{version}-%{release}
|
||||
Summary: SELinux python bindings for libselinux
|
||||
Requires: %{name}%{?_isa} >= %{version}-%{libselinuxrelease}
|
||||
|
||||
%description -n libselinux-python
|
||||
The libselinux-python package contains the python bindings for developing
|
||||
SELinux applications.
|
||||
%endif
|
||||
|
||||
%package -n python3-libselinux
|
||||
Summary: SELinux python 3 bindings for libselinux
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
|
|
@ -97,6 +97,7 @@ Obsoletes: %{name}-python3 < %{version}-%{release}
|
|||
The libselinux-python3 package contains python 3 bindings for developing
|
||||
SELinux applications.
|
||||
|
||||
%if 0%{?with_ruby}
|
||||
%package ruby
|
||||
Summary: SELinux ruby bindings for libselinux
|
||||
Requires: %{name}%{?_isa} = %{version}-%{release}
|
||||
|
|
@ -105,6 +106,7 @@ Provides: ruby(selinux)
|
|||
%description ruby
|
||||
The libselinux-ruby package contains the ruby bindings for developing
|
||||
SELinux applications.
|
||||
%endif # with_ruby
|
||||
|
||||
%package devel
|
||||
Summary: Header files and libraries used to build SELinux
|
||||
|
|
@ -127,11 +129,10 @@ needed for developing SELinux applications.
|
|||
%autosetup -p 2 -n libselinux-%{version}
|
||||
|
||||
%build
|
||||
export DISABLE_RPM="y"
|
||||
export DISABLE_RPM="n"
|
||||
export USE_PCRE2="y"
|
||||
|
||||
%set_build_flags
|
||||
CFLAGS="$CFLAGS -fno-semantic-interposition"
|
||||
|
||||
# To support building the Python wrapper against multiple Python runtimes
|
||||
# Define a function, for how to perform a "build" of the python wrapper against
|
||||
|
|
@ -140,23 +141,36 @@ BuildPythonWrapper() {
|
|||
BinaryName=$1
|
||||
|
||||
# Perform the build from the upstream Makefile:
|
||||
%make_build \
|
||||
make \
|
||||
PYTHON=$BinaryName \
|
||||
LIBDIR="%{_libdir}" \
|
||||
LIBDIR="%{_libdir}" %{?_smp_mflags} \
|
||||
pywrap
|
||||
}
|
||||
|
||||
%make_build LIBDIR="%{_libdir}" swigify
|
||||
%make_build LIBDIR="%{_libdir}" all
|
||||
make clean
|
||||
make LIBDIR="%{_libdir}" %{?_smp_mflags} swigify
|
||||
make LIBDIR="%{_libdir}" %{?_smp_mflags} all
|
||||
|
||||
%if 0%{?with_python2}
|
||||
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
|
||||
BuildPythonWrapper %{__python2}
|
||||
%endif
|
||||
BuildPythonWrapper %{__python3}
|
||||
|
||||
%make_build RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" rubywrap
|
||||
%if 0%{?with_ruby}
|
||||
make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" %{?_smp_mflags} rubywrap
|
||||
%endif
|
||||
|
||||
%install
|
||||
InstallPythonWrapper() {
|
||||
BinaryName=$1
|
||||
|
||||
make \
|
||||
PYTHON=$BinaryName \
|
||||
LIBDIR="%{_libdir}" %{?_smp_mflags} \
|
||||
LIBSEPOLA="%{_libdir}/libsepol.a" \
|
||||
pywrap
|
||||
|
||||
make \
|
||||
PYTHON=$BinaryName \
|
||||
DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
|
||||
|
|
@ -174,10 +188,19 @@ mkdir -p %{buildroot}%{_sbindir}
|
|||
install -d -m 0755 %{buildroot}%{_rundir}/setrans
|
||||
echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libselinux.conf
|
||||
|
||||
%if 0%{?with_python2}
|
||||
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
|
||||
InstallPythonWrapper %{__python2}
|
||||
mv %{buildroot}%{python2_sitearch}/selinux/_selinux.so %{buildroot}%{python2_sitearch}/
|
||||
%endif
|
||||
InstallPythonWrapper %{__python3}
|
||||
mv %{buildroot}%{python3_sitearch}/selinux/_selinux.*.so %{buildroot}%{python3_sitearch}/
|
||||
|
||||
%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}"
|
||||
make DESTDIR="%{buildroot}" RUBYINSTALL=%{ruby_vendorarchdir} install-rubywrap
|
||||
%if 0%{?with_ruby}
|
||||
make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" RUBYINSTALL=%{ruby_vendorarchdir} install install-rubywrap
|
||||
%else
|
||||
make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" install
|
||||
%endif
|
||||
|
||||
# Nuke the files we don't want to distribute
|
||||
rm -f %{buildroot}%{_sbindir}/compute_*
|
||||
|
|
@ -225,8 +248,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
|
|||
%{_sbindir}/selabel_lookup_best_match
|
||||
%{_sbindir}/selabel_partial_match
|
||||
%{_sbindir}/selinux_check_access
|
||||
%{_sbindir}/selabel_get_digests_all_partial_matches
|
||||
%{_sbindir}/validatetrans
|
||||
%{_mandir}/man5/*
|
||||
%{_mandir}/man8/*
|
||||
%{_mandir}/ru/man5/*
|
||||
|
|
@ -241,144 +262,65 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
|
|||
%files static
|
||||
%{_libdir}/libselinux.a
|
||||
|
||||
%if 0%{?with_python2}
|
||||
%files -n libselinux-python
|
||||
%{python2_sitearch}/selinux/
|
||||
%{python2_sitearch}/_selinux.so
|
||||
%{python2_sitearch}/selinux-%{version}-*
|
||||
%endif
|
||||
|
||||
%files -n python3-libselinux
|
||||
%{python3_sitearch}/selinux/
|
||||
%{python3_sitearch}/selinux-%{version}*
|
||||
%{python3_sitearch}/_selinux*
|
||||
%{python3_sitearch}/_selinux.*.so
|
||||
%{python3_sitearch}/selinux-%{version}-*
|
||||
|
||||
%if 0%{?with_ruby}
|
||||
%files ruby
|
||||
%{ruby_vendorarchdir}/selinux.so
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-6
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
* Wed Dec 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
|
||||
- restorecon: Fix memory leak - xattr_value (#2137965)
|
||||
|
||||
* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
|
||||
- Rebase on upstream commit 32611aea6543
|
||||
* Tue Dec 06 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-7
|
||||
- Restorecon: Ignore missing directories when -i is used (#2137965)
|
||||
|
||||
* Fri Jun 25 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-4
|
||||
- Use SHA-2 instead of SHA-1 (#1934964)
|
||||
* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-6
|
||||
- Describe fcontext regular expressions (#1904059)
|
||||
- Strip spaces before values in config (#2012145)
|
||||
|
||||
* Tue May 25 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3
|
||||
- selinux_check_passwd_access_internal(): respect deny_unknown
|
||||
- Silence -Wstringop-overflow warning from gcc 10.3.1
|
||||
- Fixed misc compiler and static analyzer findings
|
||||
* Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
|
||||
- Deprecate security_compute_user(), update man pages (#1879368)
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-2
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
* Thu Sep 24 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-4
|
||||
- Eliminate use of security_compute_user() (#1879368)
|
||||
|
||||
* Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
|
||||
- SELinux userspace 3.2 release
|
||||
* Fri Nov 08 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
|
||||
- Fix mcstrans secolor examples in secolor.conf man page (#1770270)
|
||||
|
||||
* Fri Feb 5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
|
||||
- SELinux userspace 3.2-rc2 release
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
|
||||
- SELinux userspace 3.2-rc1 release
|
||||
|
||||
* Thu Jan 07 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.1-6
|
||||
- F-34: rebuild against ruby 3.0
|
||||
|
||||
* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
|
||||
- selinux(8): explain that runtime disable is deprecated
|
||||
|
||||
* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
|
||||
- Use libsepol.so.2
|
||||
- Convert matchpathcon to selabel_lookup()
|
||||
- Change userspace AVC setenforce and policy load messages to audit
|
||||
format
|
||||
- Remove trailing slash on selabel_file lookups
|
||||
- Use kernel status page by default
|
||||
|
||||
* Wed Sep 02 2020 Jeff Law <law@redhat.com> - 3.1-3
|
||||
- Re-enable LTO
|
||||
|
||||
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
|
||||
- Use make macros
|
||||
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||
- Use -fno-semantic-interposition and more make macros
|
||||
|
||||
* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
|
||||
- SELinux userspace 3.1 release
|
||||
|
||||
* Wed Jul 1 2020 Jeff Law <law@redhat.com> - 3.0-6
|
||||
- Disable LTO
|
||||
|
||||
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-5
|
||||
- Rebuilt for Python 3.9
|
||||
|
||||
* Thu Mar 5 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-4
|
||||
- Eliminate use of security_compute_user()
|
||||
|
||||
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Sat Jan 18 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.0-2
|
||||
- F-32: rebuild against ruby27
|
||||
|
||||
* Fri Dec 6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
|
||||
- SELinux userspace 3.0 release
|
||||
|
||||
* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.r1.1
|
||||
- SELinux userspace 3.0-rc1 release candidate
|
||||
|
||||
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-7
|
||||
- Rebuilt for Python 3.8.0rc1 (#1748018)
|
||||
|
||||
* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-6
|
||||
- Rebuilt for Python 3.8
|
||||
|
||||
* Mon Aug 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
|
||||
- Drop python2-libselinux (#1739646)
|
||||
|
||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Jun 28 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
|
||||
- Use standard build flags for Python bindings
|
||||
|
||||
* Fri May 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2
|
||||
- Use Python distutils to install SELinux python bindings
|
||||
* Mon Jun 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2.1
|
||||
- Use Python distutils to install SELinux python bindings (#1719771)
|
||||
- Move sefcontext_compile to -utils package (#1612518)
|
||||
|
||||
* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
|
||||
- SELinux userspace 2.9 release
|
||||
|
||||
* Wed Mar 6 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
|
||||
- SELinux userspace 2.9-rc2 release
|
||||
|
||||
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
|
||||
- SELinux userspace 2.9-rc1 release
|
||||
|
||||
* Tue Jan 22 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.8-8
|
||||
- F-30: again rebuild against ruby26
|
||||
|
||||
* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
|
||||
- selinux_restorecon: Skip customized files also without -v
|
||||
- Do not dereference symlink with statfs in selinux_restorecon
|
||||
|
||||
* Mon Jan 21 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.8-6
|
||||
- F-30: rebuild against ruby26
|
||||
|
||||
* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
|
||||
* Tue Nov 6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6
|
||||
- Fix RESOURCE_LEAK coverity scan defects
|
||||
|
||||
* Tue Sep 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
|
||||
- Fix the whatis line for the selinux_boolean_sub.3 manpage
|
||||
- Fix line wrapping in selabel_file.5
|
||||
- Fix spelling errors in manpages
|
||||
* Mon Oct 15 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
|
||||
- selinux_restorecon: Skip customized files also without -v
|
||||
- man pages fixes
|
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
* Mon Oct 1 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
|
||||
- Build libselinux-python when %with_python2 macro is set to non-zero value
|
||||
|
||||
* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-2
|
||||
- Rebuilt for Python 3.7
|
||||
* Fri Jun 22 2018 Petr Lautrbach <plautrba@workstation> - 2.8-3
|
||||
- Build libselinux-ruby (#1581322)
|
||||
|
||||
* Thu Jun 7 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-2
|
||||
- Don't build the Python 2 subpackage (#1567358)
|
||||
|
||||
* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
|
||||
- SELinux userspace 2.8 release
|
||||
|
|
@ -392,6 +334,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
|
|||
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
|
||||
- SELinux userspace 2.8-rc1 release candidate
|
||||
|
||||
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-14
|
||||
- Do not build libselinux-ruby
|
||||
|
||||
* Wed Mar 21 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-13
|
||||
- build: Replace PYSITEDIR with PYTHONLIBDIR
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue