rpms
/
libselinux
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:imports/c9/libselinux-3.3-2.el9
Branches Tags
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:stream-libselinux-python-2.8-rhel-8.10.0
rpms:stream-libselinux-python-2.8-rhel-8.9.0
rpms:c8-beta
rpms:c8s
rpms:c8-beta-stream-2.8
rpms:c8-stream-2.8
rpms:imports/c9/libselinux-3.6-1.el9
rpms:imports/c8/libselinux-2.9-8.el8
rpms:imports/c9/libselinux-3.5-1.el9
rpms:imports/c9-beta/libselinux-3.5-1.el9
rpms:imports/c8-beta/libselinux-2.9-8.el8
rpms:imports/c8s/libselinux-2.9-8.el8
rpms:imports/c9/libselinux-3.4-3.el9
rpms:imports/c8/libselinux-2.9-6.el8
rpms:imports/c9-beta/libselinux-3.4-3.el9
rpms:imports/c8-beta/libselinux-2.9-6.el8
rpms:imports/c8s/libselinux-2.9-6.el8
rpms:imports/c9/libselinux-3.3-2.el9
rpms:imports/c9-beta/libselinux-3.3-2.el9
rpms:imports/c9-beta/libselinux-3.3-1.el9
rpms:imports/c9-beta/libselinux-3.2-6.el9
rpms:imports/c8-beta-stream-2.8/libselinux-2.9-2.1.module+el8.1.0+3972+45ab4324
rpms:imports/c8-beta-stream-2.8/libselinux-2.8-6.module+el8+2448+8fbcdfd7
rpms:imports/c8-beta/libselinux-2.9-5.el8
rpms:imports/c8-beta/libselinux-2.9-3.el8
rpms:imports/c8-beta/libselinux-2.9-1.el8
rpms:imports/c8s/libselinux-2.9-5.el8
rpms:imports/c8s/libselinux-2.9-3.el8
rpms:imports/c8-stream-2.8/libselinux-2.9-2.1.module+el8.1.0+3972+45ab4324
rpms:imports/c8-stream-2.8/libselinux-2.8-6.module+el8+2448+8fbcdfd7
rpms:imports/c8/libselinux-2.9-5.el8
rpms:imports/c8/libselinux-2.9-4.el8_3
rpms:imports/c8/libselinux-2.9-3.el8
rpms:imports/c8/libselinux-2.9-2.1.el8
rpms:imports/c8/libselinux-2.8-6.el8
...
compare: rpms:c8
Branches Tags
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:stream-libselinux-python-2.8-rhel-8.10.0
rpms:stream-libselinux-python-2.8-rhel-8.9.0
rpms:c8
rpms:c8-beta
rpms:c8s
rpms:c8-beta-stream-2.8
rpms:c8-stream-2.8
rpms:imports/c9/libselinux-3.6-1.el9
rpms:imports/c8/libselinux-2.9-8.el8
rpms:imports/c9/libselinux-3.5-1.el9
rpms:imports/c9-beta/libselinux-3.5-1.el9
rpms:imports/c8-beta/libselinux-2.9-8.el8
rpms:imports/c8s/libselinux-2.9-8.el8
rpms:imports/c9/libselinux-3.4-3.el9
rpms:imports/c8/libselinux-2.9-6.el8
rpms:imports/c9-beta/libselinux-3.4-3.el9
rpms:imports/c8-beta/libselinux-2.9-6.el8
rpms:imports/c8s/libselinux-2.9-6.el8
rpms:imports/c9/libselinux-3.3-2.el9
rpms:imports/c9-beta/libselinux-3.3-2.el9
rpms:imports/c9-beta/libselinux-3.3-1.el9
rpms:imports/c9-beta/libselinux-3.2-6.el9
rpms:imports/c8-beta-stream-2.8/libselinux-2.9-2.1.module+el8.1.0+3972+45ab4324
rpms:imports/c8-beta-stream-2.8/libselinux-2.8-6.module+el8+2448+8fbcdfd7
rpms:imports/c8-beta/libselinux-2.9-5.el8
rpms:imports/c8-beta/libselinux-2.9-3.el8
rpms:imports/c8-beta/libselinux-2.9-1.el8
rpms:imports/c8s/libselinux-2.9-5.el8
rpms:imports/c8s/libselinux-2.9-3.el8
rpms:imports/c8-stream-2.8/libselinux-2.9-2.1.module+el8.1.0+3972+45ab4324
rpms:imports/c8-stream-2.8/libselinux-2.8-6.module+el8+2448+8fbcdfd7
rpms:imports/c8/libselinux-2.9-5.el8
rpms:imports/c8/libselinux-2.9-4.el8_3
rpms:imports/c8/libselinux-2.9-3.el8
rpms:imports/c8/libselinux-2.9-2.1.el8
rpms:imports/c8/libselinux-2.8-6.el8

No commits in common. "imports/c9/libselinux-3.3-2.el9" and "c8" have entirely different histories.
imports/c9 ... c8

26 changed files with 1520 additions and 2723 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/libselinux-3.3.tar.gz
SOURCES/libselinux-2.9.tar.gz

2
.libselinux.metadata
View File

@ -1 +1 @@
70128f2395fc86b09c57db979972b4823b35e614 SOURCES/libselinux-3.3.tar.gz
c53911ee9da673f7653ab1afe66c0b2bf5fb5ac9 SOURCES/libselinux-2.9.tar.gz

31
SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch Normal file
View File

@ -0,0 +1,31 @@
From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Wed, 16 Jul 2014 08:28:03 +0200
Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
---
libselinux/man/man8/selinux.8 | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index e37aee68..bf23b655 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.BR sepolicy (8),
.BR system-config-selinux (8),
.BR togglesebool (8),
-.BR restorecon (8),
.BR fixfiles (8),
+.BR restorecon (8),
.BR setfiles (8),
.BR semanage (8),
.BR sepolicy (8)
+.BR seinfo (8),
+.BR sesearch (8)
Every confined service on the system has a man page in the following format:
.br
--
2.21.0

1333
SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
View File

File diff suppressed because it is too large Load Diff

214
SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch Normal file
View File

@ -0,0 +1,214 @@
From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 23 Dec 2013 09:50:54 -0500
Subject: [PATCH] Verify context input to funtions to make sure the context
field is not null.
Return errno EINVAL, to prevent segfault.
Rejected by upstream https://marc.info/?l=selinux&m=145036088424584&w=2
FIXME: use __attribute__(nonnull (arg-index, ...))
---
libselinux/src/avc_sidtab.c | 5 +++++
libselinux/src/canonicalize_context.c | 5 +++++
libselinux/src/check_context.c | 5 +++++
libselinux/src/compute_av.c | 5 +++++
libselinux/src/compute_create.c | 5 +++++
libselinux/src/compute_member.c | 5 +++++
libselinux/src/compute_relabel.c | 5 +++++
libselinux/src/compute_user.c | 5 +++++
libselinux/src/fsetfilecon.c | 8 ++++++--
libselinux/src/lsetfilecon.c | 9 +++++++--
libselinux/src/setfilecon.c | 8 ++++++--
11 files changed, 59 insertions(+), 6 deletions(-)
diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
index 9669264d..c7754305 100644
--- a/libselinux/src/avc_sidtab.c
+++ b/libselinux/src/avc_sidtab.c
@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
int hvalue, rc = 0;
struct sidtab_node *cur;
+ if (! ctx) {
+ errno=EINVAL;
+ return -1;
+ }
+
*sid = NULL;
hvalue = sidtab_hash(ctx);
diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
index ba4c9a2c..c8158725 100644
--- a/libselinux/src/canonicalize_context.c
+++ b/libselinux/src/canonicalize_context.c
@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
size_t size;
int fd, ret;
+ if (! con) {
+ errno=EINVAL;
+ return -1;
+ }
+
if (!selinux_mnt) {
errno = ENOENT;
return -1;
diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
index 8a7997f0..5be84348 100644
--- a/libselinux/src/check_context.c
+++ b/libselinux/src/check_context.c
@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
char path[PATH_MAX];
int fd, ret;
+ if (! con) {
+ errno=EINVAL;
+ return -1;
+ }
+
if (!selinux_mnt) {
errno = ENOENT;
return -1;
diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
index a47cffe9..6d285a2e 100644
--- a/libselinux/src/compute_av.c
+++ b/libselinux/src/compute_av.c
@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon,
return -1;
}
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
snprintf(path, sizeof path, "%s/access", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
index 0975aeac..3e6a48c1 100644
--- a/libselinux/src/compute_create.c
+++ b/libselinux/src/compute_create.c
@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
return -1;
}
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
snprintf(path, sizeof path, "%s/create", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
index 4e2d221e..d1dd9772 100644
--- a/libselinux/src/compute_member.c
+++ b/libselinux/src/compute_member.c
@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
return -1;
}
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
snprintf(path, sizeof path, "%s/member", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
index 49f77ef3..c3db7c0a 100644
--- a/libselinux/src/compute_relabel.c
+++ b/libselinux/src/compute_relabel.c
@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
return -1;
}
+ if ((! scon) || (! tcon)) {
+ errno=EINVAL;
+ return -1;
+ }
+
snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
index 7b881215..401fd107 100644
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
return -1;
}
+ if (! scon) {
+ errno=EINVAL;
+ return -1;
+ }
+
snprintf(path, sizeof path, "%s/user", selinux_mnt);
fd = open(path, O_RDWR | O_CLOEXEC);
if (fd < 0)
diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
index 52707d05..0cbe12d8 100644
--- a/libselinux/src/fsetfilecon.c
+++ b/libselinux/src/fsetfilecon.c
@@ -9,8 +9,12 @@
int fsetfilecon_raw(int fd, const char * context)
{
- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
- 0);
+ int rc;
+ if (! context) {
+ errno=EINVAL;
+ return -1;
+ }
+ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
if (rc < 0 && errno == ENOTSUP) {
char * ccontext = NULL;
int err = errno;
diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
index 1d3b28a1..ea6d70b7 100644
--- a/libselinux/src/lsetfilecon.c
+++ b/libselinux/src/lsetfilecon.c
@@ -9,8 +9,13 @@
int lsetfilecon_raw(const char *path, const char * context)
{
- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
- 0);
+ int rc;
+ if (! context) {
+ errno=EINVAL;
+ return -1;
+ }
+
+ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
if (rc < 0 && errno == ENOTSUP) {
char * ccontext = NULL;
int err = errno;
diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
index d05969c6..3f0200e8 100644
--- a/libselinux/src/setfilecon.c
+++ b/libselinux/src/setfilecon.c
@@ -9,8 +9,12 @@
int setfilecon_raw(const char *path, const char * context)
{
- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
- 0);
+ int rc;
+ if (! context) {
+ errno=EINVAL;
+ return -1;
+ }
+ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
if (rc < 0 && errno == ENOTSUP) {
char * ccontext = NULL;
int err = errno;
--
2.21.0

73
SOURCES/0002-label_file-fix-a-data-race.patch
View File

@ -1,73 +0,0 @@
From 5844f389429f26a0a62a65561fa3006feaaf6f3b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 26 Oct 2021 13:52:32 +0200
Subject: [PATCH] label_file: fix a data race
The 'matches' member of 'struct spec' may be written to by different
threads, so it needs to be accessed using the proper atomic constructs.
Since the actual count of matches doesn't matter and is not used,
convert this field to a bool and just atomically set/read it using GCC
__atomic builtins (which are already being used in another place).
If the compiler lacks support for __atomic builtins (which seem to have
been introduced in GCC 4.1), just fail the compilation. I don't think
it's worth tryin to invent a workaround to support a 15 years old
compiler.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/src/label_file.c | 15 +++++++++++++--
libselinux/src/label_file.h | 2 +-
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index c1306c9979e7..33d395e414f0 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -951,7 +951,12 @@ static struct spec **lookup_all(struct selabel_handle *rec,
rc = regex_match(spec->regex, key, partial);
if (rc == REGEX_MATCH || (partial && rc == REGEX_MATCH_PARTIAL)) {
if (rc == REGEX_MATCH) {
- spec->matches++;
+#ifdef __ATOMIC_RELAXED
+ __atomic_store_n(&spec->any_matches,
+ true, __ATOMIC_RELAXED);
+#else
+#error "Please use a compiler that supports __atomic builtins"
+#endif
}
if (strcmp(spec_arr[i].lr.ctx_raw, "<<none>>") == 0) {
@@ -1249,9 +1254,15 @@ static void stats(struct selabel_handle *rec)
struct saved_data *data = (struct saved_data *)rec->data;
unsigned int i, nspec = data->nspec;
struct spec *spec_arr = data->spec_arr;
+ bool any_matches;
for (i = 0; i < nspec; i++) {
- if (spec_arr[i].matches == 0) {
+#ifdef __ATOMIC_RELAXED
+ any_matches = __atomic_load_n(&spec_arr[i].any_matches, __ATOMIC_RELAXED);
+#else
+#error "Please use a compiler that supports __atomic builtins"
+#endif
+ if (!any_matches) {
if (spec_arr[i].type_str) {
COMPAT_LOG(SELINUX_WARNING,
"Warning! No matches for (%s, %s, %s)\n",
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index 343ffc705e43..b453e13f8075 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -51,7 +51,7 @@ struct spec {
bool regex_compiled; /* bool to indicate if the regex is compiled */
pthread_mutex_t regex_lock; /* lock for lazy compilation of regex */
mode_t mode; /* mode format value */
- int matches; /* number of matching pathnames */
+ bool any_matches; /* did any pathname match? */
int stem_id; /* indicates which stem-compression item */
char hasMetaChars; /* regular expression has meta-chars */
char from_mmap; /* this spec is from an mmap of the data */
--
2.33.1

39
SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch Normal file
View File

@ -0,0 +1,39 @@
From a6e839be2c5a77c22a8c72cad001e3f87eaedf2e Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 11 Mar 2019 15:26:43 +0100
Subject: [PATCH] libselinux: Allow to override OVERRIDE_GETTID from command
line
$ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ...
Drop this as soon as glibc-2.30 will become real 2.30 version, see
https://bugzilla.redhat.com/show_bug.cgi?id=1685594
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/procattr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
index c6799ef2..cbb6824e 100644
--- a/libselinux/src/procattr.c
+++ b/libselinux/src/procattr.c
@@ -24,6 +24,7 @@ static __thread char destructor_initialized;
/* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and
* has a definition for it */
+#ifndef OVERRIDE_GETTID
#ifdef __BIONIC__
#define OVERRIDE_GETTID 0
#elif !defined(__GLIBC_PREREQ)
@@ -33,6 +34,7 @@ static __thread char destructor_initialized;
#else
#define OVERRIDE_GETTID 0
#endif
+#endif
#if OVERRIDE_GETTID
static pid_t gettid(void)
--
2.21.0

30
SOURCES/0003-selinux_restorecon-simplify-fl_head-allocation-by-us.patch
View File

@ -1,30 +0,0 @@
From 5dd3a11842c08a25a0f7ab798ce85710fe1e8f1f Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 26 Oct 2021 13:52:33 +0200
Subject: [PATCH] selinux_restorecon: simplify fl_head allocation by using
calloc()
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/src/selinux_restorecon.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 100c77108a27..e29a2c390182 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -425,10 +425,9 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
struct stat64 sb;
if (!fl_head) {
- fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS);
+ fl_head = calloc(HASH_BUCKETS, sizeof(file_spec_t));
if (!fl_head)
goto oom;
- memset(fl_head, 0, sizeof(file_spec_t) * HASH_BUCKETS);
}
h = (ino + (ino >> HASH_BITS)) & HASH_MASK;
--
2.33.1

55
SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch Normal file
View File

@ -0,0 +1,55 @@
From be420729fbf4adc8b32ca3722fa6ca46bb51413d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 27 Feb 2019 09:37:17 +0100
Subject: [PATCH] Bring some old permission and flask constants back to Python
bindings
---
libselinux/src/selinuxswig.i | 4 ++++
libselinux/src/selinuxswig_python.i | 3 ++-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i
index dbdb4c3d..9c5b9263 100644
--- a/libselinux/src/selinuxswig.i
+++ b/libselinux/src/selinuxswig.i
@@ -5,7 +5,9 @@
%module selinux
%{
#include "../include/selinux/avc.h"
+ #include "../include/selinux/av_permissions.h"
#include "../include/selinux/context.h"
+ #include "../include/selinux/flask.h"
#include "../include/selinux/get_context_list.h"
#include "../include/selinux/get_default_type.h"
#include "../include/selinux/label.h"
@@ -58,7 +60,9 @@
%ignore avc_netlink_check_nb;
%include "../include/selinux/avc.h"
+%include "../include/selinux/av_permissions.h"
%include "../include/selinux/context.h"
+%include "../include/selinux/flask.h"
%include "../include/selinux/get_context_list.h"
%include "../include/selinux/get_default_type.h"
%include "../include/selinux/label.h"
diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
index 4c73bf92..6eaab081 100644
--- a/libselinux/src/selinuxswig_python.i
+++ b/libselinux/src/selinuxswig_python.i
@@ -1,10 +1,11 @@
/* Author: James Athey
*/
-/* Never build rpm_execcon interface */
+/* Never build rpm_execcon interface unless you need to have ACG compatibility
#ifndef DISABLE_RPM
#define DISABLE_RPM
#endif
+*/
%module selinux
%{
--
2.21.0

81
SOURCES/0004-selinux_restorecon-protect-file_spec-list-with-a-mut.patch
View File

@ -1,81 +0,0 @@
From 4598a46c5ed12248a3a6e1dbe1b5a3dca52bacac Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 26 Oct 2021 13:52:34 +0200
Subject: [PATCH] selinux_restorecon: protect file_spec list with a mutex
Not very useful on its own, but will allow to implement a parallel
version of selinux_restorecon() in subsequent patches.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/src/selinux_restorecon.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index e29a2c390182..43acbace309d 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -411,6 +411,7 @@ typedef struct file_spec {
} file_spec_t;
static file_spec_t *fl_head;
+static pthread_mutex_t fl_mutex = PTHREAD_MUTEX_INITIALIZER;
/*
* Try to add an association between an inode and a context. If there is a
@@ -424,6 +425,8 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
int h, ret;
struct stat64 sb;
+ __pthread_mutex_lock(&fl_mutex);
+
if (!fl_head) {
fl_head = calloc(HASH_BUCKETS, sizeof(file_spec_t));
if (!fl_head)
@@ -444,11 +447,11 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
fl->con = strdup(con);
if (!fl->con)
goto oom;
- return 1;
+ goto unlock_1;
}
if (strcmp(fl->con, con) == 0)
- return 1;
+ goto unlock_1;
selinux_log(SELINUX_ERROR,
"conflicting specifications for %s and %s, using %s.\n",
@@ -457,6 +460,9 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
fl->file = strdup(file);
if (!fl->file)
goto oom;
+
+ __pthread_mutex_unlock(&fl_mutex);
+
if (flags->conflicterror) {
selinux_log(SELINUX_ERROR,
"treating conflicting specifications as an error.\n");
@@ -481,13 +487,19 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
goto oom_freefl;
fl->next = prevfl->next;
prevfl->next = fl;
+
+ __pthread_mutex_unlock(&fl_mutex);
return 0;
oom_freefl:
free(fl);
oom:
+ __pthread_mutex_unlock(&fl_mutex);
selinux_log(SELINUX_ERROR, "%s: Out of memory\n", __func__);
return -1;
+unlock_1:
+ __pthread_mutex_unlock(&fl_mutex);
+ return 1;
}
/*
--
2.33.1

32
SOURCES/0005-libselinux-add-missing-av_permission-values.patch Normal file
View File

@ -0,0 +1,32 @@
From 903c54bf62ffba3c95e22e74c9c43838cd3935a0 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 28 Feb 2017 16:12:43 +0100
Subject: [PATCH] libselinux: add missing av_permission values
Add missing av_permission values to av_permissions.h for the sake of
completeness (this interface is obsolete - these values are now
obtained at runtime).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1025931
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libselinux/include/selinux/av_permissions.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/include/selinux/av_permissions.h b/libselinux/include/selinux/av_permissions.h
index c1269af9..631f0276 100644
--- a/libselinux/include/selinux/av_permissions.h
+++ b/libselinux/include/selinux/av_permissions.h
@@ -876,6 +876,8 @@
#define NSCD__SHMEMHOST 0x00000080UL
#define NSCD__GETSERV 0x00000100UL
#define NSCD__SHMEMSERV 0x00000200UL
+#define NSCD__GETNETGRP 0x00000400UL
+#define NSCD__SHMEMNETGRP 0x00000800UL
#define ASSOCIATION__SENDTO 0x00000001UL
#define ASSOCIATION__RECVFROM 0x00000002UL
#define ASSOCIATION__SETCONTEXT 0x00000004UL
--
2.21.0

88
SOURCES/0005-libselinux-make-selinux_log-thread-safe.patch
View File

@ -1,88 +0,0 @@
From c2e4cf5b21e8c775c669f3933d25a0946774ec0d Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 26 Oct 2021 13:52:35 +0200
Subject: [PATCH] libselinux: make selinux_log() thread-safe
Ensure that selinux_log() is thread-safe by guarding the call to the
underlying callback with a mutex.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/src/callbacks.c | 8 +++++---
libselinux/src/callbacks.h | 13 ++++++++++++-
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
index c18ccc54754a..469c4055f4d7 100644
--- a/libselinux/src/callbacks.c
+++ b/libselinux/src/callbacks.c
@@ -10,6 +10,8 @@
#include <selinux/selinux.h>
#include "callbacks.h"
+pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;
+
/* default implementations */
static int __attribute__ ((format(printf, 2, 3)))
default_selinux_log(int type __attribute__((unused)), const char *fmt, ...)
@@ -56,7 +58,7 @@ default_selinux_policyload(int seqno __attribute__((unused)))
/* callback pointers */
int __attribute__ ((format(printf, 2, 3)))
-(*selinux_log)(int, const char *, ...) =
+(*selinux_log_direct)(int, const char *, ...) =
default_selinux_log;
int
@@ -81,7 +83,7 @@ selinux_set_callback(int type, union selinux_callback cb)
{
switch (type) {
case SELINUX_CB_LOG:
- selinux_log = cb.func_log;
+ selinux_log_direct = cb.func_log;
break;
case SELINUX_CB_AUDIT:
selinux_audit = cb.func_audit;
@@ -106,7 +108,7 @@ selinux_get_callback(int type)
switch (type) {
case SELINUX_CB_LOG:
- cb.func_log = selinux_log;
+ cb.func_log = selinux_log_direct;
break;
case SELINUX_CB_AUDIT:
cb.func_audit = selinux_audit;
diff --git a/libselinux/src/callbacks.h b/libselinux/src/callbacks.h
index 03d87f0cbdfe..f4dab15789f9 100644
--- a/libselinux/src/callbacks.h
+++ b/libselinux/src/callbacks.h
@@ -10,9 +10,11 @@
#include <string.h>
#include <selinux/selinux.h>
+#include "selinux_internal.h"
+
/* callback pointers */
extern int __attribute__ ((format(printf, 2, 3)))
-(*selinux_log) (int type, const char *, ...) ;
+(*selinux_log_direct) (int type, const char *, ...) ;
extern int
(*selinux_audit) (void *, security_class_t, char *, size_t) ;
@@ -26,4 +28,13 @@ extern int
extern int
(*selinux_netlink_policyload) (int seqno) ;
+/* Thread-safe selinux_log() function */
+extern pthread_mutex_t log_mutex;
+
+#define selinux_log(type, ...) do { \
+ __pthread_mutex_lock(&log_mutex); \
+ selinux_log_direct(type, __VA_ARGS__); \
+ __pthread_mutex_unlock(&log_mutex); \
+} while(0)
+
#endif /* _SELINUX_CALLBACKS_H_ */
--
2.33.1

177
SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch Normal file
View File

@ -0,0 +1,177 @@
From 67d490a38a319126f371eaf66a5fc922d7005b1f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 16 May 2019 15:01:59 +0200
Subject: [PATCH] libselinux: Use Python distutils to install SELinux python
bindings
SWIG-4.0 changed its behavior so that it uses: from . import _selinux which
looks for _selinux module in the same directory as where __init__.py is -
$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into
$(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location
of _selinux.so").
In order to prevent such breakage in future use Python's distutils instead of
building and installing python bindings manually in Makefile.
Fixes:
>>> import selinux
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in <module>
from . import _selinux
ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)
>>>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/.gitignore | 2 +-
libselinux/src/Makefile | 37 ++++++++-----------------------------
libselinux/src/setup.py | 24 ++++++++++++++++++++++++
3 files changed, 33 insertions(+), 30 deletions(-)
create mode 100644 libselinux/src/setup.py
diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore
index 4dcc3b3b..428afe5a 100644
--- a/libselinux/src/.gitignore
+++ b/libselinux/src/.gitignore
@@ -1,4 +1,4 @@
selinux.py
-selinuxswig_wrap.c
+selinuxswig_python_wrap.c
selinuxswig_python_exception.i
selinuxswig_ruby_wrap.c
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index e9ed0383..826c830c 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -36,7 +36,7 @@ TARGET=libselinux.so
LIBPC=libselinux.pc
SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i
SWIGRUBYIF= selinuxswig_ruby.i
-SWIGCOUT= selinuxswig_wrap.c
+SWIGCOUT= selinuxswig_python_wrap.c
SWIGPYOUT= selinux.py
SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT))
@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),)
LDLIBS_LIBSEPOLA := -l:libsepol.a
endif
-GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
+GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i
SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
MAX_STACK_SIZE=32768
@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
SRCS:= $(filter-out label_backends_android.c, $(SRCS))
endif
-SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
-
SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
all: $(LIBA) $(LIBSO) $(LIBPC)
-pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
+pywrap: all selinuxswig_python_exception.i
+ CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
rubywrap: all $(SWIGRUBYSO)
-$(SWIGLOBJ): $(SWIGCOUT)
- $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
-
$(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
-$(SWIGSO): $(SWIGLOBJ)
- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS)
-
$(SWIGRUBYSO): $(SWIGRUBYLOBJ)
$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS)
@@ -161,29 +154,15 @@ $(LIBPC): $(LIBPC).in ../VERSION
selinuxswig_python_exception.i: ../include/selinux/selinux.h
bash -e exception.sh > $@ || (rm -f $@ ; false)
-$(AUDIT2WHYLOBJ): audit2why.c
- $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
-
-$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
-
%.o: %.c policy.h
$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
%.lo: %.c policy.h
$(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
-$(SWIGCOUT): $(SWIGIF)
- $(SWIG) $<
-
-$(SWIGPYOUT): $(SWIGCOUT)
-
$(SWIGRUBYCOUT): $(SWIGRUBYIF)
$(SWIGRUBY) $<
-swigify: $(SWIGIF)
- $(SWIG) $<
-
install: all
test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
@@ -194,10 +173,8 @@ install: all
ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
install-pywrap: pywrap
- test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux
- install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
- install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT)
- install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+ $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
+ install -m 644 selinux.py $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
install-rubywrap: rubywrap
test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL)
@@ -208,6 +185,8 @@ relabel:
clean-pywrap:
-rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
+ $(PYTHON) setup.py clean
+ -rm -rf build *~ \#* *pyc .#*
clean-rubywrap:
-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py
new file mode 100644
index 00000000..b12e7869
--- /dev/null
+++ b/libselinux/src/setup.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python3
+
+from distutils.core import Extension, setup
+
+setup(
+ name="selinux",
+ version="2.9",
+ description="SELinux python 3 bindings",
+ author="SELinux Project",
+ author_email="selinux@vger.kernel.org",
+ ext_modules=[
+ Extension('selinux._selinux',
+ sources=['selinuxswig_python.i'],
+ include_dirs=['../include'],
+ library_dirs=['.'],
+ libraries=['selinux']),
+ Extension('selinux.audit2why',
+ sources=['audit2why.c'],
+ include_dirs=['../include'],
+ library_dirs=['.'],
+ libraries=['selinux'],
+ extra_link_args=['-l:libsepol.a'])
+ ],
+)
--
2.21.0

81
SOURCES/0006-libselinux-make-is_context_customizable-thread-safe.patch
View File

@ -1,81 +0,0 @@
From 9a8db9356c07d16a9337df416a3261c0527afeb7 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 26 Oct 2021 13:52:36 +0200
Subject: [PATCH] libselinux: make is_context_customizable() thread-safe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use the __selinux_once() macro to ensure that threads don't race to
initialize the list of customizable types.
Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Tested-by: Christian Göttsche <cgzones@googlemail.com>
---
libselinux/src/is_customizable_type.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/libselinux/src/is_customizable_type.c b/libselinux/src/is_customizable_type.c
index 1b17860c3622..f83e1e83e944 100644
--- a/libselinux/src/is_customizable_type.c
+++ b/libselinux/src/is_customizable_type.c
@@ -9,7 +9,10 @@
#include "selinux_internal.h"
#include "context_internal.h"
-static int get_customizable_type_list(char *** retlist)
+static char **customizable_list = NULL;
+static pthread_once_t customizable_once = PTHREAD_ONCE_INIT;
+
+static void customizable_init(void)
{
FILE *fp;
char *buf;
@@ -18,12 +21,12 @@ static int get_customizable_type_list(char *** retlist)
fp = fopen(selinux_customizable_types_path(), "re");
if (!fp)
- return -1;
+ return;
buf = malloc(selinux_page_size);
if (!buf) {
fclose(fp);
- return -1;
+ return;
}
while (fgets_unlocked(buf, selinux_page_size, fp) && ctr < UINT_MAX) {
ctr++;
@@ -54,23 +57,19 @@ static int get_customizable_type_list(char *** retlist)
fclose(fp);
free(buf);
if (!list)
- return -1;
- *retlist = list;
- return 0;
+ return;
+ customizable_list = list;
}
-static char **customizable_list = NULL;
-
int is_context_customizable(const char * scontext)
{
int i;
const char *type;
context_t c;
- if (!customizable_list) {
- if (get_customizable_type_list(&customizable_list) != 0)
- return -1;
- }
+ __selinux_once(customizable_once, customizable_init);
+ if (!customizable_list)
+ return -1;
c = context_new(scontext);
if (!c)
--
2.33.1

44
SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch Normal file
View File

@ -0,0 +1,44 @@
From 6ec8116ee64a25a0c5eb543f0b12ed25f1348c45 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 27 Jun 2019 11:17:13 +0200
Subject: [PATCH] libselinux: Do not use SWIG_CFLAGS when Python bindings are
built
Fixes:
https://rpmdiff.engineering.redhat.com/run/410372/7/
Detecting usr/lib64/python3.6/site-packages/selinux/audit2why.cpython-36m-x86_64-linux-gnu.so with not-hardened warnings '
Hardened: audit2why.cpython-36m-x86_64-linux-gnu.so: FAIL: Gaps were detected in the annobin coverage. Run with -v to list.
' on x86_64
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/Makefile | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 826c830c..f64f23a8 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -104,9 +104,6 @@ FTS_LDLIBS ?=
override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
-SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
- -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
-
RANLIB ?= ranlib
ARCH := $(patsubst i%86,i386,$(shell uname -m))
@@ -130,7 +127,7 @@ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
all: $(LIBA) $(LIBSO) $(LIBPC)
pywrap: all selinuxswig_python_exception.i
- CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+ $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
rubywrap: all $(SWIGRUBYSO)
--
2.21.0

45
SOURCES/0007-selinux_restorecon-add-a-global-mutex-to-synchronize.patch
View File

@ -1,45 +0,0 @@
From 73310c9694724b3ef54bbf3a3193dbb0a68ecc3b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 26 Oct 2021 13:52:37 +0200
Subject: [PATCH] selinux_restorecon: add a global mutex to synchronize
progress output
Another small incremental change to pave the way for a parallel
selinux_restorecon() function.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/src/selinux_restorecon.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 43acbace309d..169dfe3ae232 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -60,6 +60,7 @@ static int exclude_count = 0;
static struct edir *exclude_lst = NULL;
static uint64_t fc_count = 0; /* Number of files processed so far */
static uint64_t efile_count; /* Estimated total number of files */
+static pthread_mutex_t progress_mutex = PTHREAD_MUTEX_INITIALIZER;
/* Store information on directories with xattr's. */
static struct dir_xattr *dir_xattr_list;
@@ -647,6 +648,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
}
if (flags->progress) {
+ __pthread_mutex_lock(&progress_mutex);
fc_count++;
if (fc_count % STAR_COUNT == 0) {
if (flags->mass_relabel && efile_count > 0) {
@@ -658,6 +660,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
}
fflush(stdout);
}
+ __pthread_mutex_unlock(&progress_mutex);
}
if (flags->add_assoc) {
--
2.33.1

66
SOURCES/0008-Fix-mcstrans-secolor-examples.patch Normal file
View File

@ -0,0 +1,66 @@
From 90a4f2b9a5194a2d1ab4c45b7a90bbb6c8099a68 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 2 Jul 2019 14:09:05 +0200
Subject: [PATCH] Fix mcstrans secolor examples
According to "check_dominance" function:
Range defined as "s15:c0.c1023" does not dominate any other range than
"s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
While range defined as "s15-s15:c0.c1023" dominates all of the above.
This is either a bug, or "s15:c0.c1023" should not be used in the
examples.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libselinux/man/man5/secolor.conf.5 | 4 ++--
libselinux/man/ru/man5/secolor.conf.5 | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
index b834577a..a3bf2da1 100644
--- a/libselinux/man/man5/secolor.conf.5
+++ b/libselinux/man/man5/secolor.conf.5
@@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red
.br
range s9\-s9:c0.c1023 = black orange
.br
-range s15:c0.c1023 = black yellow
+range s15\-s15:c0.c1023 = black yellow
.RE
.sp
@@ -165,7 +165,7 @@ type xguest_t = black green
.br
user sysadm_u = white black
.br
-range s0:c0.c1023 = black white
+range s0-s0:c0.c1023 = black white
.br
user * = black white
.br
diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5
index 4c1236ae..bcae80c1 100644
--- a/libselinux/man/ru/man5/secolor.conf.5
+++ b/libselinux/man/ru/man5/secolor.conf.5
@@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red
.br
range s9\-s9:c0.c1023 = black orange
.br
-range s15:c0.c1023 = black yellow
+range s15\-s15:c0.c1023 = black yellow
.RE
.sp
@@ -163,7 +163,7 @@ type xguest_t = black green
.br
user sysadm_u = white black
.br
-range s0:c0.c1023 = black white
+range s0\-s0:c0.c1023 = black white
.br
user * = black white
.br
--
2.21.0

800
SOURCES/0008-selinux_restorecon-introduce-selinux_restorecon_para.patch
View File

@ -1,800 +0,0 @@
From 847282ce385a4fc03092eb10422b1878590e9bdd Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 26 Oct 2021 13:52:38 +0200
Subject: [PATCH] selinux_restorecon: introduce selinux_restorecon_parallel(3)
Refactor selinux_restorecon(3) to allow for distributing the relabeling
to multiple threads and add a new function
selinux_restorecon_parallel(3), which allows specifying the number of
threads to use. The existing selinux_restorecon(3) function maintains
the same interface and maintains the same behavior (i.e. relabeling is
done on a single thread).
The parallel implementation takes a simple approach of performing all
the directory tree traversal in a critical section and only letting the
relabeling of individual objects run in parallel. Thankfully, this
approach turns out to be efficient enough in practice, as shown by
restorecon benchmarks (detailed in a subsequent patch that switches
setfiles & restorecon to use selinux_restorecon_parallel(3)).
Note that to be able to use the parallelism, the calling application/
library must be explicitly linked to the libpthread library (statically
or dynamically). This is necessary to mantain the requirement that
libselinux shouldn't explicitly link with libpthread. (I don't know what
exactly was the reason behind this requirement as the commit logs are
fuzzy, but special care has been taken in the past to maintain it, so I
didn't want to break it...)
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
libselinux/include/selinux/restorecon.h | 14 +
libselinux/man/man3/selinux_restorecon.3 | 29 ++
.../man/man3/selinux_restorecon_parallel.3 | 1 +
libselinux/src/libselinux.map | 5 +
libselinux/src/selinux_internal.h | 16 +
libselinux/src/selinux_restorecon.c | 436 ++++++++++++------
libselinux/src/selinuxswig_python.i | 6 +-
libselinux/src/selinuxswig_python_exception.i | 8 +
8 files changed, 368 insertions(+), 147 deletions(-)
create mode 100644 libselinux/man/man3/selinux_restorecon_parallel.3
diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
index ca8ce768587a..8f9a030cda98 100644
--- a/libselinux/include/selinux/restorecon.h
+++ b/libselinux/include/selinux/restorecon.h
@@ -2,6 +2,7 @@
#define _RESTORECON_H_
#include <sys/types.h>
+#include <stddef.h>
#include <stdarg.h>
#ifdef __cplusplus
@@ -23,6 +24,19 @@ extern "C" {
*/
extern int selinux_restorecon(const char *pathname,
unsigned int restorecon_flags);
+/**
+ * selinux_restorecon_parallel - Relabel files, optionally use more threads.
+ * @pathname: specifies file/directory to relabel.
+ * @restorecon_flags: specifies the actions to be performed when relabeling.
+ * @nthreads: specifies the number of threads to use (0 = use number of CPUs
+ * currently online)
+ *
+ * Same as selinux_restorecon(3), but allows to use multiple threads to do
+ * the work.
+ */
+extern int selinux_restorecon_parallel(const char *pathname,
+ unsigned int restorecon_flags,
+ size_t nthreads);
/*
* restorecon_flags options
*/
diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
index c4576fe79ff6..500845917fb8 100644
--- a/libselinux/man/man3/selinux_restorecon.3
+++ b/libselinux/man/man3/selinux_restorecon.3
@@ -11,6 +11,14 @@ selinux_restorecon \- restore file(s) default SELinux security contexts
.br
.BI "unsigned int " restorecon_flags ");"
.in
+.sp
+.BI "int selinux_restorecon_parallel(const char *" pathname ,
+.in +\w'int selinux_restorecon_parallel('u
+.br
+.BI "unsigned int " restorecon_flags ","
+.br
+.BI "size_t " nthreads ");"
+.in
.
.SH "DESCRIPTION"
.BR selinux_restorecon ()
@@ -187,6 +195,27 @@ unless the
.B SELINUX_RESTORECON_IGNORE_MOUNTS
flag has been set.
.RE
+.sp
+.BR selinux_restorecon_parallel()
+is similar to
+.BR selinux_restorecon (3),
+but accepts another parameter that allows to run relabeling over multiple
+threads:
+.sp
+.RS
+.IR nthreads
+specifies the number of threads to use during relabeling. When set to 1,
+the behavior is the same as calling
+.BR selinux_restorecon (3).
+When set to 0, the function will try to use as many threads as there are
+online CPU cores. When set to any other number, the function will try to use
+the given number of threads.
+.sp
+Note that to use the parallel relabeling capability, the calling process
+must be linked with the
+.B libpthread
+library (either at compile time or dynamically at run time). Otherwise the
+function will print a warning and fall back to the single threaded mode.
.
.SH "RETURN VALUE"
On success, zero is returned. On error, \-1 is returned and
diff --git a/libselinux/man/man3/selinux_restorecon_parallel.3 b/libselinux/man/man3/selinux_restorecon_parallel.3
new file mode 100644
index 000000000000..092d8412cc93
--- /dev/null
+++ b/libselinux/man/man3/selinux_restorecon_parallel.3
@@ -0,0 +1 @@
+.so man3/selinux_restorecon.3
diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
index 2a368e93f9fd..d138e951ef0d 100644
--- a/libselinux/src/libselinux.map
+++ b/libselinux/src/libselinux.map
@@ -240,3 +240,8 @@ LIBSELINUX_1.0 {
local:
*;
};
+
+LIBSELINUX_3.3 {
+ global:
+ selinux_restorecon_parallel;
+} LIBSELINUX_1.0;
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 27e9ac532c3f..297dcf26dee3 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -69,6 +69,22 @@ extern int selinux_page_size ;
pthread_mutex_unlock(LOCK); \
} while (0)
+#pragma weak pthread_create
+#pragma weak pthread_join
+#pragma weak pthread_cond_init
+#pragma weak pthread_cond_signal
+#pragma weak pthread_cond_destroy
+#pragma weak pthread_cond_wait
+
+/* check if all functions needed to do parallel operations are available */
+#define __pthread_supported ( \
+ pthread_create && \
+ pthread_join && \
+ pthread_cond_init && \
+ pthread_cond_destroy && \
+ pthread_cond_signal && \
+ pthread_cond_wait \
+)
#define SELINUXDIR "/etc/selinux/"
#define SELINUXCONFIG SELINUXDIR "config"
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 169dfe3ae232..f7e84657d09d 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -610,7 +610,7 @@ out:
}
static int restorecon_sb(const char *pathname, const struct stat *sb,
- struct rest_flags *flags)
+ struct rest_flags *flags, bool first)
{
char *newcon = NULL;
char *curcon = NULL;
@@ -639,7 +639,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
sb->st_mode);
if (rc < 0) {
- if (errno == ENOENT && flags->warnonnomatch)
+ if (errno == ENOENT && flags->warnonnomatch && first)
selinux_log(SELINUX_INFO,
"Warning no default label for %s\n",
lookup_path);
@@ -814,66 +814,215 @@ oom:
goto free;
}
+struct rest_state {
+ struct rest_flags flags;
+ dev_t dev_num;
+ struct statfs sfsb;
+ bool ignore_digest;
+ bool setrestorecondigest;
+ bool parallel;
-/*
- * Public API
- */
+ FTS *fts;
+ FTSENT *ftsent_first;
+ struct dir_hash_node *head, *current;
+ bool abort;
+ int error;
+ int saved_errno;
+ pthread_mutex_t mutex;
+};
-/* selinux_restorecon(3) - Main function that is responsible for labeling */
-int selinux_restorecon(const char *pathname_orig,
- unsigned int restorecon_flags)
+static void *selinux_restorecon_thread(void *arg)
{
- struct rest_flags flags;
+ struct rest_state *state = arg;
+ FTS *fts = state->fts;
+ FTSENT *ftsent;
+ int error;
+ char ent_path[PATH_MAX];
+ struct stat ent_st;
+ bool first = false;
+
+ if (state->parallel)
+ pthread_mutex_lock(&state->mutex);
+
+ if (state->ftsent_first) {
+ ftsent = state->ftsent_first;
+ state->ftsent_first = NULL;
+ first = true;
+ goto loop_body;
+ }
+
+ while (((void)(errno = 0), ftsent = fts_read(fts)) != NULL) {
+loop_body:
+ /* If the FTS_XDEV flag is set and the device is different */
+ if (state->flags.set_xdev &&
+ ftsent->fts_statp->st_dev != state->dev_num)
+ continue;
+
+ switch (ftsent->fts_info) {
+ case FTS_DC:
+ selinux_log(SELINUX_ERROR,
+ "Directory cycle on %s.\n",
+ ftsent->fts_path);
+ errno = ELOOP;
+ state->error = -1;
+ state->abort = true;
+ goto finish;
+ case FTS_DP:
+ continue;
+ case FTS_DNR:
+ error = errno;
+ errno = ftsent->fts_errno;
+ selinux_log(SELINUX_ERROR,
+ "Could not read %s: %m.\n",
+ ftsent->fts_path);
+ errno = error;
+ fts_set(fts, ftsent, FTS_SKIP);
+ continue;
+ case FTS_NS:
+ error = errno;
+ errno = ftsent->fts_errno;
+ selinux_log(SELINUX_ERROR,
+ "Could not stat %s: %m.\n",
+ ftsent->fts_path);
+ errno = error;
+ fts_set(fts, ftsent, FTS_SKIP);
+ continue;
+ case FTS_ERR:
+ error = errno;
+ errno = ftsent->fts_errno;
+ selinux_log(SELINUX_ERROR,
+ "Error on %s: %m.\n",
+ ftsent->fts_path);
+ errno = error;
+ fts_set(fts, ftsent, FTS_SKIP);
+ continue;
+ case FTS_D:
+ if (state->sfsb.f_type == SYSFS_MAGIC &&
+ !selabel_partial_match(fc_sehandle,
+ ftsent->fts_path)) {
+ fts_set(fts, ftsent, FTS_SKIP);
+ continue;
+ }
+
+ if (check_excluded(ftsent->fts_path)) {
+ fts_set(fts, ftsent, FTS_SKIP);
+ continue;
+ }
- flags.nochange = (restorecon_flags &
+ if (state->setrestorecondigest) {
+ struct dir_hash_node *new_node = NULL;
+
+ if (check_context_match_for_dir(ftsent->fts_path,
+ &new_node,
+ state->error) &&
+ !state->ignore_digest) {
+ selinux_log(SELINUX_INFO,
+ "Skipping restorecon on directory(%s)\n",
+ ftsent->fts_path);
+ fts_set(fts, ftsent, FTS_SKIP);
+ continue;
+ }
+
+ if (new_node && !state->error) {
+ if (!state->current) {
+ state->current = new_node;
+ state->head = state->current;
+ } else {
+ state->current->next = new_node;
+ state->current = new_node;
+ }
+ }
+ }
+ /* fall through */
+ default:
+ strcpy(ent_path, ftsent->fts_path);
+ ent_st = *ftsent->fts_statp;
+ if (state->parallel)
+ pthread_mutex_unlock(&state->mutex);
+
+ error = restorecon_sb(ent_path, &ent_st, &state->flags,
+ first);
+
+ if (state->parallel) {
+ pthread_mutex_lock(&state->mutex);
+ if (state->abort)
+ goto unlock;
+ }
+
+ state->error |= error;
+ first = false;
+ if (error && state->flags.abort_on_error) {
+ state->abort = true;
+ goto finish;
+ }
+ break;
+ }
+ }
+
+finish:
+ if (!state->saved_errno)
+ state->saved_errno = errno;
+unlock:
+ if (state->parallel)
+ pthread_mutex_unlock(&state->mutex);
+ return NULL;
+}
+
+static int selinux_restorecon_common(const char *pathname_orig,
+ unsigned int restorecon_flags,
+ size_t nthreads)
+{
+ struct rest_state state;
+
+ state.flags.nochange = (restorecon_flags &
SELINUX_RESTORECON_NOCHANGE) ? true : false;
- flags.verbose = (restorecon_flags &
+ state.flags.verbose = (restorecon_flags &
SELINUX_RESTORECON_VERBOSE) ? true : false;
- flags.progress = (restorecon_flags &
+ state.flags.progress = (restorecon_flags &
SELINUX_RESTORECON_PROGRESS) ? true : false;
- flags.mass_relabel = (restorecon_flags &
+ state.flags.mass_relabel = (restorecon_flags &
SELINUX_RESTORECON_MASS_RELABEL) ? true : false;
- flags.recurse = (restorecon_flags &
+ state.flags.recurse = (restorecon_flags &
SELINUX_RESTORECON_RECURSE) ? true : false;
- flags.set_specctx = (restorecon_flags &
+ state.flags.set_specctx = (restorecon_flags &
SELINUX_RESTORECON_SET_SPECFILE_CTX) ? true : false;
- flags.userealpath = (restorecon_flags &
+ state.flags.userealpath = (restorecon_flags &
SELINUX_RESTORECON_REALPATH) ? true : false;
- flags.set_xdev = (restorecon_flags &
+ state.flags.set_xdev = (restorecon_flags &
SELINUX_RESTORECON_XDEV) ? true : false;
- flags.add_assoc = (restorecon_flags &
+ state.flags.add_assoc = (restorecon_flags &
SELINUX_RESTORECON_ADD_ASSOC) ? true : false;
- flags.abort_on_error = (restorecon_flags &
+ state.flags.abort_on_error = (restorecon_flags &
SELINUX_RESTORECON_ABORT_ON_ERROR) ? true : false;
- flags.syslog_changes = (restorecon_flags &
+ state.flags.syslog_changes = (restorecon_flags &
SELINUX_RESTORECON_SYSLOG_CHANGES) ? true : false;
- flags.log_matches = (restorecon_flags &
+ state.flags.log_matches = (restorecon_flags &
SELINUX_RESTORECON_LOG_MATCHES) ? true : false;
- flags.ignore_noent = (restorecon_flags &
+ state.flags.ignore_noent = (restorecon_flags &
SELINUX_RESTORECON_IGNORE_NOENTRY) ? true : false;
- flags.warnonnomatch = true;
- flags.conflicterror = (restorecon_flags &
+ state.flags.warnonnomatch = true;
+ state.flags.conflicterror = (restorecon_flags &
SELINUX_RESTORECON_CONFLICT_ERROR) ? true : false;
ignore_mounts = (restorecon_flags &
SELINUX_RESTORECON_IGNORE_MOUNTS) ? true : false;
- bool ignore_digest = (restorecon_flags &
+ state.ignore_digest = (restorecon_flags &
SELINUX_RESTORECON_IGNORE_DIGEST) ? true : false;
- bool setrestorecondigest = true;
+ state.setrestorecondigest = true;
+
+ state.head = NULL;
+ state.current = NULL;
+ state.abort = false;
+ state.error = 0;
+ state.saved_errno = 0;
struct stat sb;
- struct statfs sfsb;
- FTS *fts;
- FTSENT *ftsent;
char *pathname = NULL, *pathdnamer = NULL, *pathdname, *pathbname;
char *paths[2] = { NULL, NULL };
int fts_flags, error, sverrno;
- dev_t dev_num = 0;
struct dir_hash_node *current = NULL;
- struct dir_hash_node *head = NULL;
- int errno_tmp;
- if (flags.verbose && flags.progress)
- flags.verbose = false;
+ if (state.flags.verbose && state.flags.progress)
+ state.flags.verbose = false;
__selinux_once(fc_once, restorecon_init);
@@ -886,13 +1035,31 @@ int selinux_restorecon(const char *pathname_orig,
*/
if (selabel_no_digest ||
(restorecon_flags & SELINUX_RESTORECON_SKIP_DIGEST))
- setrestorecondigest = false;
+ state.setrestorecondigest = false;
+
+ if (!__pthread_supported) {
+ if (nthreads != 1) {
+ nthreads = 1;
+ selinux_log(SELINUX_WARNING,
+ "Threading functionality not available, falling back to 1 thread.");
+ }
+ } else if (nthreads == 0) {
+ long nproc = sysconf(_SC_NPROCESSORS_ONLN);
+
+ if (nproc > 0) {
+ nthreads = nproc;
+ } else {
+ nthreads = 1;
+ selinux_log(SELINUX_WARNING,
+ "Unable to detect CPU count, falling back to 1 thread.");
+ }
+ }
/*
* Convert passed-in pathname to canonical pathname by resolving
* realpath of containing dir, then appending last component name.
*/
- if (flags.userealpath) {
+ if (state.flags.userealpath) {
char *basename_cpy = strdup(pathname_orig);
if (!basename_cpy)
goto realpatherr;
@@ -937,7 +1104,7 @@ int selinux_restorecon(const char *pathname_orig,
paths[0] = pathname;
if (lstat(pathname, &sb) < 0) {
- if (flags.ignore_noent && errno == ENOENT) {
+ if (state.flags.ignore_noent && errno == ENOENT) {
free(pathdnamer);
free(pathname);
return 0;
@@ -952,21 +1119,21 @@ int selinux_restorecon(const char *pathname_orig,
/* Skip digest if not a directory */
if (!S_ISDIR(sb.st_mode))
- setrestorecondigest = false;
+ state.setrestorecondigest = false;
- if (!flags.recurse) {
+ if (!state.flags.recurse) {
if (check_excluded(pathname)) {
error = 0;
goto cleanup;
}
- error = restorecon_sb(pathname, &sb, &flags);
+ error = restorecon_sb(pathname, &sb, &state.flags, true);
goto cleanup;
}
/* Obtain fs type */
- memset(&sfsb, 0, sizeof sfsb);
- if (!S_ISLNK(sb.st_mode) && statfs(pathname, &sfsb) < 0) {
+ memset(&state.sfsb, 0, sizeof(state.sfsb));
+ if (!S_ISLNK(sb.st_mode) && statfs(pathname, &state.sfsb) < 0) {
selinux_log(SELINUX_ERROR,
"statfs(%s) failed: %m\n",
pathname);
@@ -975,21 +1142,21 @@ int selinux_restorecon(const char *pathname_orig,
}
/* Skip digest on in-memory filesystems and /sys */
- if (sfsb.f_type == RAMFS_MAGIC || sfsb.f_type == TMPFS_MAGIC ||
- sfsb.f_type == SYSFS_MAGIC)
- setrestorecondigest = false;
+ if (state.sfsb.f_type == RAMFS_MAGIC || state.sfsb.f_type == TMPFS_MAGIC ||
+ state.sfsb.f_type == SYSFS_MAGIC)
+ state.setrestorecondigest = false;
- if (flags.set_xdev)
+ if (state.flags.set_xdev)
fts_flags = FTS_PHYSICAL | FTS_NOCHDIR | FTS_XDEV;
else
fts_flags = FTS_PHYSICAL | FTS_NOCHDIR;
- fts = fts_open(paths, fts_flags, NULL);
- if (!fts)
+ state.fts = fts_open(paths, fts_flags, NULL);
+ if (!state.fts)
goto fts_err;
- ftsent = fts_read(fts);
- if (!ftsent)
+ state.ftsent_first = fts_read(state.fts);
+ if (!state.ftsent_first)
goto fts_err;
/*
@@ -1001,106 +1168,66 @@ int selinux_restorecon(const char *pathname_orig,
* directories with a different device number when the FTS_XDEV flag
* is set (from http://marc.info/?l=selinux&m=124688830500777&w=2).
*/
- dev_num = ftsent->fts_statp->st_dev;
+ state.dev_num = state.ftsent_first->fts_statp->st_dev;
- error = 0;
- do {
- /* If the FTS_XDEV flag is set and the device is different */
- if (flags.set_xdev && ftsent->fts_statp->st_dev != dev_num)
- continue;
+ if (nthreads == 1) {
+ state.parallel = false;
+ selinux_restorecon_thread(&state);
+ } else {
+ size_t i;
+ pthread_t self = pthread_self();
+ pthread_t *threads = NULL;
- switch (ftsent->fts_info) {
- case FTS_DC:
- selinux_log(SELINUX_ERROR,
- "Directory cycle on %s.\n",
- ftsent->fts_path);
- errno = ELOOP;
- error = -1;
- goto out;
- case FTS_DP:
- continue;
- case FTS_DNR:
- errno_tmp = errno;
- errno = ftsent->fts_errno;
- selinux_log(SELINUX_ERROR,
- "Could not read %s: %m.\n",
- ftsent->fts_path);
- errno = errno_tmp;
- fts_set(fts, ftsent, FTS_SKIP);
- continue;
- case FTS_NS:
- errno_tmp = errno;
- errno = ftsent->fts_errno;
- selinux_log(SELINUX_ERROR,
- "Could not stat %s: %m.\n",
- ftsent->fts_path);
- errno = errno_tmp;
- fts_set(fts, ftsent, FTS_SKIP);
- continue;
- case FTS_ERR:
- errno_tmp = errno;
- errno = ftsent->fts_errno;
- selinux_log(SELINUX_ERROR,
- "Error on %s: %m.\n",
- ftsent->fts_path);
- errno = errno_tmp;
- fts_set(fts, ftsent, FTS_SKIP);
- continue;
- case FTS_D:
- if (sfsb.f_type == SYSFS_MAGIC &&
- !selabel_partial_match(fc_sehandle,
- ftsent->fts_path)) {
- fts_set(fts, ftsent, FTS_SKIP);
- continue;
- }
+ pthread_mutex_init(&state.mutex, NULL);
- if (check_excluded(ftsent->fts_path)) {
- fts_set(fts, ftsent, FTS_SKIP);
- continue;
+ threads = calloc(nthreads - 1, sizeof(*threads));
+ if (!threads)
+ goto oom;
+
+ state.parallel = true;
+ /*
+ * Start (nthreads - 1) threads - the main thread is going to
+ * take part, too.
+ */
+ for (i = 0; i < nthreads - 1; i++) {
+ if (pthread_create(&threads[i], NULL,
+ selinux_restorecon_thread, &state)) {
+ /*
+ * If any thread fails to be created, just mark
+ * it as such and let the successfully created
+ * threads do the job. In the worst case the
+ * main thread will do everything, but that's
+ * still better than to give up.
+ */
+ threads[i] = self;
}
+ }
- if (setrestorecondigest) {
- struct dir_hash_node *new_node = NULL;
+ /* Let's join in on the fun! */
+ selinux_restorecon_thread(&state);
- if (check_context_match_for_dir(ftsent->fts_path,
- &new_node,
- error) &&
- !ignore_digest) {
- selinux_log(SELINUX_INFO,
- "Skipping restorecon on directory(%s)\n",
- ftsent->fts_path);
- fts_set(fts, ftsent, FTS_SKIP);
- continue;
- }
-
- if (new_node && !error) {
- if (!current) {
- current = new_node;
- head = current;
- } else {
- current->next = new_node;
- current = current->next;
- }
- }
- }
- /* fall through */
- default:
- error |= restorecon_sb(ftsent->fts_path,
- ftsent->fts_statp, &flags);
- if (flags.warnonnomatch)
- flags.warnonnomatch = false;
- if (error && flags.abort_on_error)
- goto out;
- break;
+ /* Now wait for all threads to finish. */
+ for (i = 0; i < nthreads - 1; i++) {
+ /* Skip threads that failed to be created. */
+ if (pthread_equal(threads[i], self))
+ continue;
+ pthread_join(threads[i], NULL);
}
- } while ((ftsent = fts_read(fts)) != NULL);
+ free(threads);
+
+ pthread_mutex_destroy(&state.mutex);
+ }
+
+ error = state.error;
+ if (state.saved_errno)
+ goto out;
/*
* Labeling successful. Write partial match digests for subdirectories.
* TODO: Write digest upon FTS_DP if no error occurs in its descents.
*/
- if (setrestorecondigest && !flags.nochange && !error) {
- current = head;
+ if (state.setrestorecondigest && !state.flags.nochange && !error) {
+ current = state.head;
while (current != NULL) {
if (setxattr(current->path,
RESTORECON_PARTIAL_MATCH_DIGEST,
@@ -1115,22 +1242,21 @@ int selinux_restorecon(const char *pathname_orig,
}
out:
- if (flags.progress && flags.mass_relabel)
+ if (state.flags.progress && state.flags.mass_relabel)
fprintf(stdout, "\r%s 100.0%%\n", pathname);
- sverrno = errno;
- (void) fts_close(fts);
- errno = sverrno;
+ (void) fts_close(state.fts);
+ errno = state.saved_errno;
cleanup:
- if (flags.add_assoc) {
- if (flags.verbose)
+ if (state.flags.add_assoc) {
+ if (state.flags.verbose)
filespec_eval();
filespec_destroy();
}
free(pathdnamer);
free(pathname);
- current = head;
+ current = state.head;
while (current != NULL) {
struct dir_hash_node *next = current->next;
@@ -1164,6 +1290,26 @@ fts_err:
goto cleanup;
}
+
+/*
+ * Public API
+ */
+
+/* selinux_restorecon(3) - Main function that is responsible for labeling */
+int selinux_restorecon(const char *pathname_orig,
+ unsigned int restorecon_flags)
+{
+ return selinux_restorecon_common(pathname_orig, restorecon_flags, 1);
+}
+
+/* selinux_restorecon_parallel(3) - Parallel version of selinux_restorecon(3) */
+int selinux_restorecon_parallel(const char *pathname_orig,
+ unsigned int restorecon_flags,
+ size_t nthreads)
+{
+ return selinux_restorecon_common(pathname_orig, restorecon_flags, nthreads);
+}
+
/* selinux_restorecon_set_sehandle(3) is called to set the global fc handle */
void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
{
diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
index 4c73bf92df96..17e03b9e36a5 100644
--- a/libselinux/src/selinuxswig_python.i
+++ b/libselinux/src/selinuxswig_python.i
@@ -20,7 +20,7 @@ DISABLED = -1
PERMISSIVE = 0
ENFORCING = 1
-def restorecon(path, recursive=False, verbose=False, force=False):
+def restorecon(path, recursive=False, verbose=False, force=False, nthreads=1):
""" Restore SELinux context on a given path
Arguments:
@@ -32,6 +32,8 @@ def restorecon(path, recursive=False, verbose=False, force=False):
force -- Force reset of context to match file_context for customizable files,
and the default file context, changing the user, role, range portion as well
as the type (default False)
+ nthreads -- The number of threads to use during relabeling, or 0 to use as many
+ threads as there are online CPU cores (default 1)
"""
restorecon_flags = SELINUX_RESTORECON_IGNORE_DIGEST | SELINUX_RESTORECON_REALPATH
@@ -41,7 +43,7 @@ def restorecon(path, recursive=False, verbose=False, force=False):
restorecon_flags |= SELINUX_RESTORECON_VERBOSE
if force:
restorecon_flags |= SELINUX_RESTORECON_SET_SPECFILE_CTX
- selinux_restorecon(os.path.expanduser(path), restorecon_flags)
+ selinux_restorecon_parallel(os.path.expanduser(path), restorecon_flags, nthreads)
def chcon(path, context, recursive=False):
""" Set the SELinux context on a given path """
diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i
index 237ea69ad5f5..a02f4923a1e7 100644
--- a/libselinux/src/selinuxswig_python_exception.i
+++ b/libselinux/src/selinuxswig_python_exception.i
@@ -1183,6 +1183,14 @@
}
}
+%exception selinux_restorecon_parallel {
+ $action
+ if (result < 0) {
+ PyErr_SetFromErrno(PyExc_OSError);
+ SWIG_fail;
+ }
+}
+
%exception selinux_restorecon_set_alt_rootpath {
$action
if (result < 0) {
--
2.33.1

354
SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch Normal file
View File

@ -0,0 +1,354 @@
From bfee1a3131580a7b9d8a7366764b8e78d99a9f1b Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 17 Feb 2020 21:47:35 +0100
Subject: [PATCH] libselinux: Eliminate use of security_compute_user()
get_ordered_context_list() code used to ask the kernel to compute the complete
set of reachable contexts using /sys/fs/selinux/user aka
security_compute_user(). This set can be so huge so that it doesn't fit into a
kernel page and security_compute_user() fails. Even if it doesn't fail,
get_ordered_context_list() throws away the vast majority of the returned
contexts because they don't match anything in
/etc/selinux/targeted/contexts/default_contexts or
/etc/selinux/targeted/contexts/users/
get_ordered_context_list() is rewritten to compute set of contexts based on
/etc/selinux/targeted/contexts/users/ and
/etc/selinux/targeted/contexts/default_contexts files and to return only valid
contexts, using security_check_context(), from this set.
Fixes: https://github.com/SELinuxProject/selinux/issues/28
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/get_context_list.c | 212 +++++++++++++-----------------
1 file changed, 93 insertions(+), 119 deletions(-)
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 689e4658..26d7b3b9 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -2,6 +2,7 @@
#include <errno.h>
#include <stdio.h>
#include <stdio_ext.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
@@ -114,64 +115,41 @@ int get_default_context(const char *user,
return 0;
}
-static int find_partialcon(char ** list,
- unsigned int nreach, char *part)
+static int is_in_reachable(char **reachable, const char *usercon_str)
{
- const char *conrole, *contype;
- char *partrole, *parttype, *ptr;
- context_t con;
- unsigned int i;
+ if (!reachable)
+ return 0;
- partrole = part;
- ptr = part;
- while (*ptr && !isspace(*ptr) && *ptr != ':')
- ptr++;
- if (*ptr != ':')
- return -1;
- *ptr++ = 0;
- parttype = ptr;
- while (*ptr && !isspace(*ptr) && *ptr != ':')
- ptr++;
- *ptr = 0;
-
- for (i = 0; i < nreach; i++) {
- con = context_new(list[i]);
- if (!con)
- return -1;
- conrole = context_role_get(con);
- contype = context_type_get(con);
- if (!conrole || !contype) {
- context_free(con);
- return -1;
- }
- if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
- context_free(con);
- return i;
+ for (; *reachable != NULL; reachable++) {
+ if (strcmp(*reachable, usercon_str) == 0) {
+ return 1;
}
- context_free(con);
}
-
- return -1;
+ return 0;
}
-static int get_context_order(FILE * fp,
+static int get_context_user(FILE * fp,
char * fromcon,
- char ** reachable,
- unsigned int nreach,
- unsigned int *ordering, unsigned int *nordered)
+ const char * user,
+ char ***reachable,
+ unsigned int *nreachable)
{
char *start, *end = NULL;
char *line = NULL;
- size_t line_len = 0;
+ size_t line_len = 0, usercon_len;
+ size_t user_len = strlen(user);
ssize_t len;
int found = 0;
- const char *fromrole, *fromtype;
+ const char *fromrole, *fromtype, *fromlevel;
char *linerole, *linetype;
- unsigned int i;
+ char **new_reachable = NULL;
+ char *usercon_str;
context_t con;
+ context_t usercon;
+
int rc;
- errno = -EINVAL;
+ errno = EINVAL;
/* Extract the role and type of the fromcon for matching.
User identity and MLS range can be variable. */
@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
return -1;
fromrole = context_role_get(con);
fromtype = context_type_get(con);
+ fromlevel = context_range_get(con);
if (!fromrole || !fromtype) {
context_free(con);
return -1;
@@ -243,23 +222,75 @@ static int get_context_order(FILE * fp,
if (*end)
*end++ = 0;
- /* Check for a match in the reachable list. */
- rc = find_partialcon(reachable, nreach, start);
- if (rc < 0) {
- /* No match, skip it. */
+ /* Check whether a new context is valid */
+ if (SIZE_MAX - user_len < strlen(start) + 2) {
+ fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
+ errno = EINVAL;
+ rc = -1;
+ goto out;
+ }
+ usercon_len = user_len + strlen(start) + 2;
+ usercon_str = malloc(usercon_len);
+ if (!usercon_str) {
+ rc = -1;
+ goto out;
+ }
+
+ /* set range from fromcon in the new usercon */
+ snprintf(usercon_str, usercon_len, "%s:%s", user, start);
+ usercon = context_new(usercon_str);
+ if (!usercon) {
+ if (errno != EINVAL) {
+ free(usercon_str);
+ rc = -1;
+ goto out;
+ }
+ fprintf(stderr,
+ "%s: can't create a context from %s, skipping\n",
+ __FUNCTION__, usercon_str);
+ free(usercon_str);
start = end;
continue;
}
+ free(usercon_str);
+ if (context_range_set(usercon, fromlevel) != 0) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ usercon_str = context_str(usercon);
+ if (!usercon_str) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
- /* If a match is found and the entry is not already ordered
- (e.g. due to prior match in prior config file), then set
- the ordering for it. */
- i = rc;
- if (ordering[i] == nreach)
- ordering[i] = (*nordered)++;
+ /* check whether usercon is already in reachable */
+ if (is_in_reachable(*reachable, usercon_str)) {
+ context_free(usercon);
+ start = end;
+ continue;
+ }
+ if (security_check_context(usercon_str) == 0) {
+ new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
+ if (!new_reachable) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ *reachable = new_reachable;
+ new_reachable[*nreachable] = strdup(usercon_str);
+ if (new_reachable[*nreachable] == NULL) {
+ context_free(usercon);
+ rc = -1;
+ goto out;
+ }
+ new_reachable[*nreachable + 1] = 0;
+ *nreachable += 1;
+ }
+ context_free(usercon);
start = end;
}
-
rc = 0;
out:
@@ -313,21 +344,6 @@ static int get_failsafe_context(const char *user, char ** newcon)
return 0;
}
-struct context_order {
- char * con;
- unsigned int order;
-};
-
-static int order_compare(const void *A, const void *B)
-{
- const struct context_order *c1 = A, *c2 = B;
- if (c1->order < c2->order)
- return -1;
- else if (c1->order > c2->order)
- return 1;
- return strcmp(c1->con, c2->con);
-}
-
int get_ordered_context_list_with_level(const char *user,
const char *level,
char * fromcon,
@@ -395,11 +411,8 @@ int get_ordered_context_list(const char *user,
char *** list)
{
char **reachable = NULL;
- unsigned int *ordering = NULL;
- struct context_order *co = NULL;
- char **ptr;
int rc = 0;
- unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
+ unsigned nreachable = 0, freefrom = 0;
FILE *fp;
char *fname = NULL;
size_t fname_len;
@@ -413,23 +426,6 @@ int get_ordered_context_list(const char *user,
freefrom = 1;
}
- /* Determine the set of reachable contexts for the user. */
- rc = security_compute_user(fromcon, user, &reachable);
- if (rc < 0)
- goto failsafe;
- nreach = 0;
- for (ptr = reachable; *ptr; ptr++)
- nreach++;
- if (!nreach)
- goto failsafe;
-
- /* Initialize ordering array. */
- ordering = malloc(nreach * sizeof(unsigned int));
- if (!ordering)
- goto failsafe;
- for (i = 0; i < nreach; i++)
- ordering[i] = nreach;
-
/* Determine the ordering to apply from the optional per-user config
and from the global config. */
fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@@ -440,8 +436,8 @@ int get_ordered_context_list(const char *user,
fp = fopen(fname, "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
- &nordered);
+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+
fclose(fp);
if (rc < 0 && errno != ENOENT) {
fprintf(stderr,
@@ -454,8 +450,7 @@ int get_ordered_context_list(const char *user,
fp = fopen(selinux_default_context_path(), "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
- &nordered);
+ rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
fclose(fp);
if (rc < 0 && errno != ENOENT) {
fprintf(stderr,
@@ -463,40 +458,19 @@ int get_ordered_context_list(const char *user,
__FUNCTION__, selinux_default_context_path());
/* Fall through */
}
- rc = 0;
}
- if (!nordered)
+ if (!nreachable)
goto failsafe;
- /* Apply the ordering. */
- co = malloc(nreach * sizeof(struct context_order));
- if (!co)
- goto failsafe;
- for (i = 0; i < nreach; i++) {
- co[i].con = reachable[i];
- co[i].order = ordering[i];
- }
- qsort(co, nreach, sizeof(struct context_order), order_compare);
- for (i = 0; i < nreach; i++)
- reachable[i] = co[i].con;
- free(co);
-
- /* Only report the ordered entries to the caller. */
- if (nordered <= nreach) {
- for (i = nordered; i < nreach; i++)
- free(reachable[i]);
- reachable[nordered] = NULL;
- rc = nordered;
- }
-
out:
- if (rc > 0)
+ if (nreachable > 0) {
*list = reachable;
+ rc = nreachable;
+ }
else
freeconary(reachable);
- free(ordering);
if (freefrom)
freecon(fromcon);
@@ -519,7 +493,7 @@ int get_ordered_context_list(const char *user,
reachable = NULL;
goto out;
}
- rc = 1; /* one context in the list */
+ nreachable = 1; /* one context in the list */
goto out;
}
--
2.25.4

29
SOURCES/0009-libselinux-Fix-selinux_restorecon_parallel-symbol-ve.patch
View File

@ -1,29 +0,0 @@
From 9456297275987dedefe2e8ad508360be9d9f9e7f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 23 Nov 2021 11:31:08 +0100
Subject: [PATCH] libselinux: Fix selinux_restorecon_parallel symbol version
selinux_restorecon_parallel was originally proposed before 3.3, but it
was merged after release so it will be introduced in version 3.4.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/src/libselinux.map | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
index d138e951ef0d..4acf1caacb55 100644
--- a/libselinux/src/libselinux.map
+++ b/libselinux/src/libselinux.map
@@ -241,7 +241,7 @@ LIBSELINUX_1.0 {
*;
};
-LIBSELINUX_3.3 {
+LIBSELINUX_3.4 {
global:
selinux_restorecon_parallel;
} LIBSELINUX_1.0;
--
2.33.1

168
SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch Normal file
View File

@ -0,0 +1,168 @@
From d4c22fcd5943fe35db648dee971f631d40b3eb94 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 20 Feb 2020 10:40:19 -0500
Subject: [PATCH] libselinux: deprecate security_compute_user(), update man
pages
commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
use of security_compute_user()") eliminated the use of
security_compute_user() by get_ordered_context_list(). Deprecate
all use of security_compute_user() by updating the headers and man
pages and logging a warning message on any calls to it. Remove
the example utility that called the interface. While here, also
fix the documentation of correct usage of the user argument to these
interfaces.
Fixes: https://github.com/SELinuxProject/selinux/issues/70
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/include/selinux/selinux.h | 8 +++-
.../man/man3/get_ordered_context_list.3 | 24 +++++++++---
libselinux/man/man3/security_compute_av.3 | 5 ++-
libselinux/src/compute_user.c | 3 ++
libselinux/utils/compute_user.c | 38 -------------------
5 files changed, 31 insertions(+), 47 deletions(-)
delete mode 100644 libselinux/utils/compute_user.c
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index a34d54fc..a5ada324 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -246,8 +246,12 @@ extern int security_compute_member_raw(const char * scon,
security_class_t tclass,
char ** newcon);
-/* Compute the set of reachable user contexts and set *con to refer to
- the NULL-terminated array of contexts. Caller must free via freeconary. */
+/*
+ * Compute the set of reachable user contexts and set *con to refer to
+ * the NULL-terminated array of contexts. Caller must free via freeconary.
+ * These interfaces are deprecated. Use get_ordered_context_list() or
+ * one of its variant interfaces instead.
+ */
extern int security_compute_user(const char * scon,
const char *username,
char *** con);
diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
index e084da40..3ed14a96 100644
--- a/libselinux/man/man3/get_ordered_context_list.3
+++ b/libselinux/man/man3/get_ordered_context_list.3
@@ -26,14 +26,28 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
.BI "int get_default_type(const char *" role ", char **" type );
.
.SH "DESCRIPTION"
+
+This family of functions can be used to obtain either a prioritized list of
+all reachable security contexts for a given SELinux user or a single default
+(highest priority) context for a given SELinux user for use by login-like
+programs. These functions takes a SELinux user identity that must
+be defined in the SELinux policy as their input, not a Linux username.
+Most callers should typically first call
+.BR getseuserbyname(3)
+to look up the SELinux user identity and level for a given
+Linux username and then invoke one of
+.BR get_ordered_context_list_with_level ()
+or
+.BR get_default_context_with_level ()
+with the returned SELinux user and level as inputs.
+
.BR get_ordered_context_list ()
-invokes the
-.BR security_compute_user (3)
-function to obtain the list of contexts for the specified
+obtains the list of contexts for the specified
+SELinux
.I user
-that are reachable from the specified
+identity that are reachable from the specified
.I fromcon
-context. The function then orders the resulting list based on the global
+context based on the global
.I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
file and the per-user
.I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
index 2aade5fe..8e1f746a 100644
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@@ -97,8 +97,9 @@ instance.
.BR security_compute_user ()
is used to determine the set of user contexts that can be reached from a
-source context. It is mainly used by
-.BR get_ordered_context_list ().
+source context. This function is deprecated; use
+.BR get_ordered_context_list (3)
+instead.
.BR security_get_initial_context ()
is used to get the context of a kernel initial security identifier specified by
diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
index 401fd107..0f55de84 100644
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@@ -8,6 +8,7 @@
#include "selinux_internal.h"
#include "policy.h"
#include <limits.h>
+#include "callbacks.h"
int security_compute_user_raw(const char * scon,
const char *user, char *** con)
@@ -24,6 +25,8 @@ int security_compute_user_raw(const char * scon,
return -1;
}
+ selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
+
if (! scon) {
errno=EINVAL;
return -1;
diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
deleted file mode 100644
index cae62b26..00000000
--- a/libselinux/utils/compute_user.c
+++ /dev/null
@@ -1,38 +0,0 @@
-#include <unistd.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <string.h>
-#include <ctype.h>
-#include <selinux/selinux.h>
-
-int main(int argc, char **argv)
-{
- char **buf, **ptr;
- int ret;
-
- if (argc != 3) {
- fprintf(stderr, "usage: %s context user\n", argv[0]);
- exit(1);
- }
-
- ret = security_compute_user(argv[1], argv[2], &buf);
- if (ret < 0) {
- fprintf(stderr, "%s: security_compute_user(%s,%s) failed\n",
- argv[0], argv[1], argv[2]);
- exit(2);
- }
-
- if (!buf[0]) {
- printf("none\n");
- exit(0);
- }
-
- for (ptr = buf; *ptr; ptr++) {
- printf("%s\n", *ptr);
- }
- freeconary(buf);
- exit(0);
-}
--
2.25.4

39
SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch Normal file
View File

@ -0,0 +1,39 @@
From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 10 Feb 2021 18:05:29 +0100
Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
Describe which type of regular expression is used in file context
definitions and which flags are in effect.
Explain how local file context modifications are processed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
libselinux/man/man5/selabel_file.5 | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
index e97bd826..baba7776 100644
--- a/libselinux/man/man5/selabel_file.5
+++ b/libselinux/man/man5/selabel_file.5
@@ -125,7 +125,14 @@ Where:
.RS
.I pathname
.RS
-An entry that defines the pathname that may be in the form of a regular expression.
+An entry that defines the path to be labeled.
+May contain either a fully qualified path,
+or a Perl compatible regular expression (PCRE),
+describing fully qualified path(s).
+The only PCRE flag in use is PCRE2_DOTALL,
+which causes a wildcard '.' to match anything, including a new line.
+Strings representing paths are processed as bytes (as opposed to Unicode),
+meaning that non-ASCII characters are not matched by a single wildcard.
.RE
.I file_type
.RS
--
2.35.3

88
SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch Normal file
View File

@ -0,0 +1,88 @@
From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 17 Feb 2022 14:14:15 +0100
Subject: [PATCH] libselinux: Strip spaces before values in config
Spaces before values in /etc/selinux/config should be ignored just as
spaces after them are.
E.g. "SELINUXTYPE= targeted" should be a valid value.
Fixes:
# sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
# dnf install <any_package>
...
RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
RPM: error: Plugin selinux: hook tsm_pre failed
...
Error: Could not run transaction.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libselinux/src/selinux_config.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index b06cb63b..0892b87c 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce)
FILE *cfg = fopen(SELINUXCONFIG, "re");
if (cfg) {
char *buf;
+ char *tag;
int len = sizeof(SELINUXTAG) - 1;
buf = malloc(selinux_page_size);
if (!buf) {
@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce)
while (fgets_unlocked(buf, selinux_page_size, cfg)) {
if (strncmp(buf, SELINUXTAG, len))
continue;
+ tag = buf+len;
+ while (isspace(*tag))
+ tag++;
if (!strncasecmp
- (buf + len, "enforcing", sizeof("enforcing") - 1)) {
+ (tag, "enforcing", sizeof("enforcing") - 1)) {
*enforce = 1;
ret = 0;
break;
} else
if (!strncasecmp
- (buf + len, "permissive",
+ (tag, "permissive",
sizeof("permissive") - 1)) {
*enforce = 0;
ret = 0;
break;
} else
if (!strncasecmp
- (buf + len, "disabled",
+ (tag, "disabled",
sizeof("disabled") - 1)) {
*enforce = -1;
ret = 0;
@@ -177,7 +181,10 @@ static void init_selinux_config(void)
if (!strncasecmp(buf_p, SELINUXTYPETAG,
sizeof(SELINUXTYPETAG) - 1)) {
- type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
+ buf_p += sizeof(SELINUXTYPETAG) - 1;
+ while (isspace(*buf_p))
+ buf_p++;
+ type = strdup(buf_p);
if (!type)
return;
end = type + strlen(type) - 1;
@@ -199,6 +206,8 @@ static void init_selinux_config(void)
} else if (!strncmp(buf_p, REQUIRESEUSERS,
sizeof(REQUIRESEUSERS) - 1)) {
value = buf_p + sizeof(REQUIRESEUSERS) - 1;
+ while (isspace(*value))
+ value++;
intptr = &require_seusers;
} else {
continue;
--
2.35.3

46
SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch Normal file
View File

@ -0,0 +1,46 @@
From 9a04499cebedac3f585c0240e6cf68f786ae62b7 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 31 Oct 2022 17:00:43 +0100
Subject: [PATCH] libselinux: Ignore missing directories when -i is used
Currently "-i" only ignores a file whose parent directory exists. Start also
ignoring paths with missing components.
Fixes:
# restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
255
restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libselinux/src/selinux_restorecon.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 5f189235..2ff73db6 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -820,6 +820,10 @@ int selinux_restorecon(const char *pathname_orig,
pathname = realpath(pathname_orig, NULL);
if (!pathname) {
free(basename_cpy);
+ /* missing parent directory */
+ if (flags.ignore_noent && errno == ENOENT) {
+ return 0;
+ }
goto realpatherr;
}
} else {
@@ -833,6 +837,9 @@ int selinux_restorecon(const char *pathname_orig,
free(dirname_cpy);
if (!pathdnamer) {
free(basename_cpy);
+ if (flags.ignore_noent && errno == ENOENT) {
+ return 0;
+ }
goto realpatherr;
}
if (!strcmp(pathdnamer, "/"))
--
2.37.3

42
SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch Normal file
View File

@ -0,0 +1,42 @@
From 599f1ec818d50ffc9690fea8c03b5fe278f30ed4 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 7 Dec 2022 09:19:29 +0100
Subject: [PATCH] libselinux/restorecon: Fix memory leak - xattr_value
Fix memory leak introduced by commit
9a04499cebedac3f585c0240e6cf68f786ae62b7
libselinux: Ignore missing directories when -i is used
Error: RESOURCE_LEAK:
selinux_restorecon.c:804: alloc_fn: Storage is returned from allocation function "malloc".
selinux_restorecon.c:804: var_assign: Assigning: "xattr_value" = storage returned from "malloc(fc_digest_len)".
selinux_restorecon.c:825: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to.
Resolves: rhbz#2137965
---
libselinux/src/selinux_restorecon.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 2ff73db6..b3702764 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -822,6 +822,7 @@ int selinux_restorecon(const char *pathname_orig,
free(basename_cpy);
/* missing parent directory */
if (flags.ignore_noent && errno == ENOENT) {
+ free(xattr_value);
return 0;
}
goto realpatherr;
@@ -838,6 +839,7 @@ int selinux_restorecon(const char *pathname_orig,
if (!pathdnamer) {
free(basename_cpy);
if (flags.ignore_noent && errno == ENOENT) {
+ free(xattr_value);
return 0;
}
goto realpatherr;
--
2.37.3

284
SPECS/libselinux.spec
View File

@ -1,34 +1,49 @@
%define ruby_inc %(pkg-config --cflags ruby)
%define libsepolver 3.3-1
%global with_ruby 1
%if 0%{?with_ruby}
%global ruby_inc %(pkg-config --cflags ruby)
%endif
%define libsepolver 2.9-1
%define libselinuxrelease 8
Summary: SELinux library and simple utilities
Name: libselinux
Version: 3.3
Release: 2%{?dist}
Version: 2.9
Release: %{libselinuxrelease}%{?dist}
License: Public Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libselinux-3.3.tar.gz
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libselinux-2.9.tar.gz
Source1: selinuxconlist.8
Source2: selinuxdefcon.8
Url: https://github.com/SELinuxProject/selinux/wiki
# $ git clone https://github.com/fedora-selinux/selinux.git
# $ cd selinux
# $ git format-patch -N 3.3 -- libselinux
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start
Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
Patch0002: 0002-label_file-fix-a-data-race.patch
Patch0003: 0003-selinux_restorecon-simplify-fl_head-allocation-by-us.patch
Patch0004: 0004-selinux_restorecon-protect-file_spec-list-with-a-mut.patch
Patch0005: 0005-libselinux-make-selinux_log-thread-safe.patch
Patch0006: 0006-libselinux-make-is_context_customizable-thread-safe.patch
Patch0007: 0007-selinux_restorecon-add-a-global-mutex-to-synchronize.patch
Patch0008: 0008-selinux_restorecon-introduce-selinux_restorecon_para.patch
Patch0009: 0009-libselinux-Fix-selinux_restorecon_parallel-symbol-ve.patch
# Patch list end
BuildRequires: gcc make
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
Patch0001: 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
Patch0003: 0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
Patch0004: 0004-Bring-some-old-permission-and-flask-constants-back-t.patch
Patch0005: 0005-libselinux-add-missing-av_permission-values.patch
Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch
Patch0013: 0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
Patch0014: 0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
BuildRequires: gcc
%if 0%{?with_ruby}
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
%else
BuildRequires: libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
%endif
BuildRequires: python3 python3-devel
%if 0%{?with_python2}
BuildRequires: python2 python2-devel
%endif
BuildRequires: systemd
Requires: libsepol%{?_isa} >= %{libsepolver} pcre2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -55,6 +70,20 @@ Requires: %{name}%{?_isa} = %{version}-%{release}
%description utils
The libselinux-utils package contains the utilities
%if 0%{?with_python2}
%package -n libselinux-python
%{?python_provide:%python_provide python2-libselinux}
Provides: python2-%{name} = %{version}-%{release}
Provides: python2-%{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python < %{version}-%{release}
Summary: SELinux python bindings for libselinux
Requires: %{name}%{?_isa} >= %{version}-%{libselinuxrelease}
%description -n libselinux-python
The libselinux-python package contains the python bindings for developing
SELinux applications.
%endif
%package -n python3-libselinux
Summary: SELinux python 3 bindings for libselinux
Requires: %{name}%{?_isa} = %{version}-%{release}
@ -68,6 +97,7 @@ Obsoletes: %{name}-python3 < %{version}-%{release}
The libselinux-python3 package contains python 3 bindings for developing
SELinux applications.
%if 0%{?with_ruby}
%package ruby
Summary: SELinux ruby bindings for libselinux
Requires: %{name}%{?_isa} = %{version}-%{release}
@ -76,6 +106,7 @@ Provides: ruby(selinux)
%description ruby
The libselinux-ruby package contains the ruby bindings for developing
SELinux applications.
%endif # with_ruby
%package devel
Summary: Header files and libraries used to build SELinux
@ -98,11 +129,10 @@ needed for developing SELinux applications.
%autosetup -p 2 -n libselinux-%{version}
%build
export DISABLE_RPM="y"
export DISABLE_RPM="n"
export USE_PCRE2="y"
%set_build_flags
CFLAGS="$CFLAGS -fno-semantic-interposition"
# To support building the Python wrapper against multiple Python runtimes
# Define a function, for how to perform a "build" of the python wrapper against
@ -111,23 +141,36 @@ BuildPythonWrapper() {
BinaryName=$1
# Perform the build from the upstream Makefile:
%make_build \
make \
PYTHON=$BinaryName \
LIBDIR="%{_libdir}" \
LIBDIR="%{_libdir}" %{?_smp_mflags} \
pywrap
}
%make_build LIBDIR="%{_libdir}" swigify
%make_build LIBDIR="%{_libdir}" all
make clean
make LIBDIR="%{_libdir}" %{?_smp_mflags} swigify
make LIBDIR="%{_libdir}" %{?_smp_mflags} all
%if 0%{?with_python2}
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
BuildPythonWrapper %{__python2}
%endif
BuildPythonWrapper %{__python3}
%make_build RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" rubywrap
%if 0%{?with_ruby}
make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" %{?_smp_mflags} rubywrap
%endif
%install
InstallPythonWrapper() {
BinaryName=$1
make \
PYTHON=$BinaryName \
LIBDIR="%{_libdir}" %{?_smp_mflags} \
LIBSEPOLA="%{_libdir}/libsepol.a" \
pywrap
make \
PYTHON=$BinaryName \
DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
@ -145,10 +188,19 @@ mkdir -p %{buildroot}%{_sbindir}
install -d -m 0755 %{buildroot}%{_rundir}/setrans
echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libselinux.conf
%if 0%{?with_python2}
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
InstallPythonWrapper %{__python2}
mv %{buildroot}%{python2_sitearch}/selinux/_selinux.so %{buildroot}%{python2_sitearch}/
%endif
InstallPythonWrapper %{__python3}
mv %{buildroot}%{python3_sitearch}/selinux/_selinux.*.so %{buildroot}%{python3_sitearch}/
%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}"
make DESTDIR="%{buildroot}" RUBYINSTALL=%{ruby_vendorarchdir} install-rubywrap
%if 0%{?with_ruby}
make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" RUBYINSTALL=%{ruby_vendorarchdir} install install-rubywrap
%else
make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" install
%endif
# Nuke the files we don't want to distribute
rm -f %{buildroot}%{_sbindir}/compute_*
@ -196,8 +248,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{_sbindir}/selabel_lookup_best_match
%{_sbindir}/selabel_partial_match
%{_sbindir}/selinux_check_access
%{_sbindir}/selabel_get_digests_all_partial_matches
%{_sbindir}/validatetrans
%{_mandir}/man5/*
%{_mandir}/man8/*
%{_mandir}/ru/man5/*
@ -212,156 +262,65 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%files static
%{_libdir}/libselinux.a
%if 0%{?with_python2}
%files -n libselinux-python
%{python2_sitearch}/selinux/
%{python2_sitearch}/_selinux.so
%{python2_sitearch}/selinux-%{version}-*
%endif
%files -n python3-libselinux
%{python3_sitearch}/selinux/
%{python3_sitearch}/selinux-%{version}*
%{python3_sitearch}/_selinux*
%{python3_sitearch}/_selinux.*.so
%{python3_sitearch}/selinux-%{version}-*
%if 0%{?with_ruby}
%files ruby
%{ruby_vendorarchdir}/selinux.so
%endif
%changelog
* Mon Nov 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
- Introduce selinux_restorecon_parallel(3)
* Wed Dec 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
- restorecon: Fix memory leak - xattr_value (#2137965)
* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
- SELinux userspace 3.3 release
* Tue Dec 06 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-7
- Restorecon: Ignore missing directories when -i is used (#2137965)
* Fri Oct 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
- SELinux userspace 3.3-rc3 release
* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-6
- Describe fcontext regular expressions (#1904059)
- Strip spaces before values in config (#2012145)
* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
- SELinux userspace 3.3-rc2 release
* Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
- Deprecate security_compute_user(), update man pages (#1879368)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Sep 24 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-4
- Eliminate use of security_compute_user() (#1879368)
* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
- Rebase on upstream commit 32611aea6543
* Fri Nov 08 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
- Fix mcstrans secolor examples in secolor.conf man page (#1770270)
* Fri Jun 25 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-4
- Use SHA-2 instead of SHA-1 (#1934964)
* Tue May 25 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3
- selinux_check_passwd_access_internal(): respect deny_unknown
- Silence -Wstringop-overflow warning from gcc 10.3.1
- Fixed misc compiler and static analyzer findings
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
- SELinux userspace 3.2 release
* Fri Feb 5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
- SELinux userspace 3.2-rc2 release
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
- SELinux userspace 3.2-rc1 release
* Thu Jan 07 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.1-6
- F-34: rebuild against ruby 3.0
* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
- selinux(8): explain that runtime disable is deprecated
* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
- Use libsepol.so.2
- Convert matchpathcon to selabel_lookup()
- Change userspace AVC setenforce and policy load messages to audit
format
- Remove trailing slash on selabel_file lookups
- Use kernel status page by default
* Wed Sep 02 2020 Jeff Law <law@redhat.com> - 3.1-3
- Re-enable LTO
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
- Use -fno-semantic-interposition and more make macros
* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
- SELinux userspace 3.1 release
* Wed Jul 1 2020 Jeff Law <law@redhat.com> - 3.0-6
- Disable LTO
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-5
- Rebuilt for Python 3.9
* Thu Mar 5 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-4
- Eliminate use of security_compute_user()
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jan 18 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.0-2
- F-32: rebuild against ruby27
* Fri Dec 6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
- SELinux userspace 3.0 release
* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.r1.1
- SELinux userspace 3.0-rc1 release candidate
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-7
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-6
- Rebuilt for Python 3.8
* Mon Aug 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
- Drop python2-libselinux (#1739646)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jun 28 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
- Use standard build flags for Python bindings
* Fri May 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2
- Use Python distutils to install SELinux python bindings
* Mon Jun 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2.1
- Use Python distutils to install SELinux python bindings (#1719771)
- Move sefcontext_compile to -utils package (#1612518)
* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
- SELinux userspace 2.9 release
* Wed Mar 6 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
- SELinux userspace 2.9-rc2 release
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
- SELinux userspace 2.9-rc1 release
* Tue Jan 22 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.8-8
- F-30: again rebuild against ruby26
* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
- selinux_restorecon: Skip customized files also without -v
- Do not dereference symlink with statfs in selinux_restorecon
* Mon Jan 21 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.8-6
- F-30: rebuild against ruby26
* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
* Tue Nov 6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6
- Fix RESOURCE_LEAK coverity scan defects
* Tue Sep 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
- Fix the whatis line for the selinux_boolean_sub.3 manpage
- Fix line wrapping in selabel_file.5
- Fix spelling errors in manpages
* Mon Oct 15 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
- selinux_restorecon: Skip customized files also without -v
- man pages fixes
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Oct 1 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
- Build libselinux-python when %with_python2 macro is set to non-zero value
* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-2
- Rebuilt for Python 3.7
* Fri Jun 22 2018 Petr Lautrbach <plautrba@workstation> - 2.8-3
- Build libselinux-ruby (#1581322)
* Thu Jun 7 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-2
- Don't build the Python 2 subpackage (#1567358)
* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
- SELinux userspace 2.8 release
@ -375,6 +334,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
- SELinux userspace 2.8-rc1 release candidate
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-14
- Do not build libselinux-ruby
* Wed Mar 21 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-13
- build: Replace PYSITEDIR with PYTHONLIBDIR