commit ed03200d46f9d88ca996f1688fe03cf4a0a15dc2 Author: CentOS Sources Date: Tue May 17 06:25:32 2022 -0400 import mcstrans-3.3-2.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..287c225
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/mcstrans-3.3.tar.gz
diff --git a/.mcstrans.metadata b/.mcstrans.metadata
new file mode 100644
index 0000000..767b0fd
--- /dev/null
+++ b/.mcstrans.metadata
@@ -0,0 +1 @@
+7b1eff06ef33044bfe2956dfc037e698d671c32f SOURCES/mcstrans-3.3.tar.gz
diff --git a/SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch b/SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
new file mode 100644
index 0000000..632e628
--- /dev/null
+++ b/SOURCES/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
@@ -0,0 +1,129 @@
+From 58a11e55120de4700d4e874dee0d8c36d13caedd Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 28 Nov 2018 18:28:05 +0100
+Subject: [PATCH] mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan
+ defects
+
+---
+ mcstrans/src/mcstrans.c | 21 +++++++++++++++++++--
+ mcstrans/src/mcstransd.c | 4 +++-
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
+index e92dfddb0d20..d0690e6b0dca 100644
+--- a/mcstrans/src/mcstrans.c
++++ b/mcstrans/src/mcstrans.c
+@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) {
+
+ map->raw = strdup(raw);
+ if (!map->raw) {
++ free(map);
+ goto err;
+ }
+ map->trans = strdup(trans);
+ if (!map->trans) {
++ free(map->raw);
++ free(map);
+ goto err;
+ }
+
+ log_debug(" add_cache (%s,%s)\n", raw, trans);
+- if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0)
++ if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) {
++ free(map->trans);
++ free(map->raw);
++ free(map);
+ goto err;
++ }
+
+ if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0)
+ goto err;
+@@ -1520,6 +1527,7 @@ trans_context(const char *incon, char **rcon) {
+ trans = compute_trans_from_raw(range, domain);
+ if (trans)
+ if (add_cache(domain, range, trans) < 0) {
++ free(trans);
+ free(range);
+ return -1;
+ }
+@@ -1531,6 +1539,7 @@ trans_context(const char *incon, char **rcon) {
+ ltrans = compute_trans_from_raw(lrange, domain);
+ if (ltrans) {
+ if (add_cache(domain, lrange, ltrans) < 0) {
++ free(ltrans);
+ free(range);
+ return -1;
+ }
+@@ -1549,6 +1558,7 @@ trans_context(const char *incon, char **rcon) {
+ utrans = compute_trans_from_raw(urange, domain);
+ if (utrans) {
+ if (add_cache(domain, urange, utrans) < 0) {
++ free(utrans);
+ free(ltrans);
+ free(range);
+ return -1;
+@@ -1648,14 +1658,19 @@ untrans_context(const char *incon, char **rcon) {
+ canonical = compute_trans_from_raw(raw, domain);
+ if (canonical &&
strcmp(canonical, range))
+ if (add_cache(domain, raw, canonical) < 0) {
++ free(canonical);
+ free(range);
++ free(raw);
+ return -1;
+ }
+ }
+- if (canonical)
++ if (canonical) {
+ free(canonical);
++ free(raw);
++ }
+ if (add_cache(domain, raw, range) < 0) {
+ free(range);
++ free(raw);
+ return -1;
+ }
+ } else {
+@@ -1673,6 +1688,7 @@ untrans_context(const char *incon, char **rcon) {
+ canonical = compute_trans_from_raw(lraw, domain);
+ if (canonical)
+ if (add_cache(domain, lraw, canonical) < 0) {
++ free(canonical);
+ free(lraw);
+ free(range);
+ return -1;
+@@ -1704,6 +1720,7 @@ untrans_context(const char *incon, char **rcon) {
+ canonical = compute_trans_from_raw(uraw, domain);
+ if (canonical)
+ if (add_cache(domain, uraw, canonical) < 0) {
++ free(canonical);
+ free(uraw);
+ free(lraw);
+ free(range);
+diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c
+index 59c152e73be1..5191fc98ef06 100644
+--- a/mcstrans/src/mcstransd.c
++++ b/mcstrans/src/mcstransd.c
+@@ -335,6 +335,7 @@ process_events(struct pollfd **ufds, int *nfds)
+ /* Setup pollfd for deletion later. */
+ (*ufds)[ii].fd = -1;
+ close(connfd);
++ connfd = -1;
+ /* So we don't get bothered later */
+ revents = revents & ~(POLLHUP);
+ }
+@@ -348,10 +349,11 @@ process_events(struct pollfd **ufds, int *nfds)
+ /* Set the pollfd up for deletion later. */
+ (*ufds)[ii].fd = -1;
+ close(connfd);
++ connfd = -1;
+
+ revents = revents & ~(POLLHUP);
+ }
+- if (revents) {
++ if (revents && connfd != -1) {
+ syslog(LOG_ERR, "Unknown/error events (%x) encountered"
+ " for fd (%d)\n", revents, connfd);
+
+--
+2.32.0
+
diff --git a/SOURCES/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch b/SOURCES/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch
new file mode 100644
index 0000000..5ec7917
--- /dev/null
+++ b/SOURCES/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch
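Review bot: In patch 0001's `add_cache` hunk, a failure of the second insert, `add_to_hashtable(domain->trans_to_raw, map->trans, map)`, still jumps to `err` while `map` is already linked into `raw_to_trans`, so the entry ends up in only one of the two tables. The `err` label lies outside the hunk: if it leaves `map` alone the result is a half-inserted cache entry, and if it were ever changed to free `map`, `raw_to_trans` would keep a dangling pointer. Either unlink the entry from `raw_to_trans` before `goto err`, or record the decision with a comment such as `/* map stays owned by raw_to_trans; do not free it here */`. The callers in `trans_context` and `untrans_context` free their own `trans`/`canonical` copy on `-1`, which is only correct because `add_cache` stores `strdup` copies, so that is worth stating in a comment above `add_cache` as well.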
@@ -0,0 +1,28 @@
+From 7a170534163ab9d9159dddfadb996587d98fe30e Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 9 May 2019 16:44:43 +0200
+Subject: [PATCH] mcstrans: Fix USER_AFTER_FREE problem
+
+---
+ mcstrans/src/mcstrans.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
+index d0690e6b0dca..8678418a1570 100644
+--- a/mcstrans/src/mcstrans.c
++++ b/mcstrans/src/mcstrans.c
+@@ -1664,10 +1664,8 @@ untrans_context(const char *incon, char **rcon) {
+ return -1;
+ }
+ }
+- if (canonical) {
++ if (canonical)
+ free(canonical);
+- free(raw);
+- }
+ if (add_cache(domain, raw, range) < 0) {
+ free(range);
+ free(raw);
+--
+2.32.0
+
diff --git a/SOURCES/0003-mcstrans-Do-not-accept-incomplete-contexts.patch b/SOURCES/0003-mcstrans-Do-not-accept-incomplete-contexts.patch
new file mode 100644
index 0000000..d86d83c
--- /dev/null
+++ b/SOURCES/0003-mcstrans-Do-not-accept-incomplete-contexts.patch
@@ -0,0 +1,59 @@
+From a6e2b2287254b2880e8697707f10bd303ffcc06a Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Mon, 15 Apr 2019 15:22:51 +0200
+Subject: [PATCH] mcstrans: Do not accept incomplete contexts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+$ python3
+> import selinux
+> selinux.selinux_raw_context_to_color("xyz_u:xyz_r:xyz_t:")
+
+Traceback (most recent call last):
+ File "", line 2, in
+OSError: [Errno 0] Error
+
+:: [ 10:25:45 ] :: [ BEGIN ] :: Running 'service mcstransd status'
+Redirecting to /bin/systemctl status mcstransd.service
+● mcstrans.service - Translates SELinux MCS/MLS labels to human readable form
+ Loaded: loaded (/usr/lib/systemd/system/mcstrans.service; disabled; vendor preset: disabled)
+ Active: failed (Result: core-dump) since Fri 2019-04-12 10:25:44 EDT; 1s ago
+ Process: 16681 ExecStart=/sbin/mcstransd -f (code=dumped, signal=SEGV)
+ Main PID: 16681 (code=dumped, signal=SEGV)
+
+systemd[1]: mcstrans.service: Main process exited, code=dumped, status=11/SEGV
+systemd[1]: mcstrans.service: Failed with result 'core-dump'.
+
+Signed-off-by: Petr Lautrbach
+---
+ mcstrans/src/mcscolor.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c
+index a38388501db5..94421a58dee4 100644
+--- a/mcstrans/src/mcscolor.c
++++ b/mcstrans/src/mcscolor.c
+@@ -272,10 +272,14 @@ static const unsigned precedence[N_COLOR][N_COLOR - 1] = {
+ static const secolor_t default_color = { 0x000000, 0xffffff };
+
+ static int parse_components(context_t con, char **components) {
+- components[COLOR_USER] = (char *)context_user_get(con);
+- components[COLOR_ROLE] = (char *)context_role_get(con);
+- components[COLOR_TYPE] = (char *)context_type_get(con);
+- components[COLOR_RANGE] = (char *)context_range_get(con);
++ if ((components[COLOR_USER] = (char *)context_user_get(con)) == NULL)
++ return -1;
++ if ((components[COLOR_ROLE] = (char *)context_role_get(con)) == NULL)
++ return -1;
++ if ((components[COLOR_TYPE] = (char *)context_type_get(con)) == NULL)
++ return -1;
++ if ((components[COLOR_RANGE] = (char *)context_range_get(con)) == NULL)
++ return -1;
+
+ return 0;
+ }
+--
+2.32.0
+
diff --git a/SOURCES/0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch b/SOURCES/0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch
new file mode 100644
index 0000000..59a0918
--- /dev/null
+++ b/SOURCES/0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch
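Review bot: The `return -1` paths added to `parse_components` in patch 0003 only prevent the NULL dereference if the caller checks the result, and before this change the function could only return 0. The call site is outside the hunk, so confirm that it tests the return value and fails the request rather than carrying on with a partly filled `components` array. The commit message shows the incomplete context `xyz_u:xyz_r:xyz_t:` taking `mcstransd` down with SIGSEGV, so a regression test that sends exactly that string and expects an error would pin the fix. A comment above the function, for example `/* Returns -1 if con lacks a user, role, type or range component. */`, would document the new contract.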
@@ -0,0 +1,63 @@
+From a98f2f8f2f1c14646ec9c80faecf14e9bf4bbd2c Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 5 Aug 2021 16:26:44 +0200
+Subject: [PATCH] mcstrans: fix RESOURCE_LEAK (CWE-772)
+
+Fixes:
+ Error: RESOURCE_LEAK (CWE-772): [#def1]
+ mcstrans-3.2/src/mcstrans.c:1527: alloc_fn: Storage is returned from allocation function "compute_trans_from_raw".
+ mcstrans-3.2/src/mcstrans.c:1527: var_assign: Assigning: "trans" = storage returned from "compute_trans_from_raw(range, domain)".
+ mcstrans-3.2/src/mcstrans.c:1529: noescape: Resource "trans" is not freed or pointed-to in "add_cache".
+ mcstrans-3.2/src/mcstrans.c:1515: overwrite_var: Overwriting "trans" in "trans = find_in_hashtable(range, domain, domain->raw_to_trans)" leaks the storage that "trans" points to.
+ # 1513| domain_t *domain = domains;
+ # 1514| for (;domain; domain = domain->next) {
+ # 1515|-> trans = find_in_hashtable(range, domain, domain->raw_to_trans);
+ # 1516| if (trans) break;
+ # 1517|
+
+ Error: RESOURCE_LEAK (CWE-772): [#def2]
+ mcstrans-3.2/src/mcstrans.c:1654: alloc_fn: Storage is returned from allocation function "compute_raw_from_trans".
+ mcstrans-3.2/src/mcstrans.c:1654: var_assign: Assigning: "raw" = storage returned from "compute_raw_from_trans(range, domain)".
+ mcstrans-3.2/src/mcstrans.c:1656: noescape: Resource "raw" is not freed or pointed-to in "find_in_hashtable".
+ mcstrans-3.2/src/mcstrans.c:1669: noescape: Resource "raw" is not freed or pointed-to in "add_cache".
+ mcstrans-3.2/src/mcstrans.c:1642: overwrite_var: Overwriting "raw" in "raw = find_in_hashtable(range, domain, domain->trans_to_raw)" leaks the storage that "raw" points to.
+ # 1640| domain_t *domain = domains;
+ # 1641| for (;domain; domain = domain->next) {
+ # 1642|-> raw = find_in_hashtable(range, domain, domain->trans_to_raw);
+ # 1643| if (raw) break;
+ # 1644|
+
+Signed-off-by: Petr Lautrbach
+---
+ mcstrans/src/mcstrans.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
+index 8678418a1570..4e110e02f73a 100644
+--- a/mcstrans/src/mcstrans.c
++++ b/mcstrans/src/mcstrans.c
+@@ -1598,6 +1598,10 @@ trans_context(const char *incon, char **rcon) {
+ }
+ if (dashp)
+ *dashp = '-';
++ if (trans) {
++ free(trans);
++ trans = NULL;
++ }
+ }
+
+ if (trans) {
+@@ -1769,6 +1773,10 @@ untrans_context(const char *incon, char **rcon) {
+ }
+ if (dashp)
+ *dashp = '-';
++ if (raw) {
++ free(raw);
++ raw = NULL;
++ }
+ }
+
+ if (raw) {
+--
+2.32.0
+
diff --git a/SOURCES/0005-mcstrans-avoid-missing-prototypes.patch b/SOURCES/0005-mcstrans-avoid-missing-prototypes.patch
new file mode 100644
index 0000000..c472841
--- /dev/null
+++ b/SOURCES/0005-mcstrans-avoid-missing-prototypes.patch
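Review bot: The `free(trans)` that patch 0004 adds at the end of the loop body in `trans_context`, and the matching `free(raw)` in `untrans_context`, are only safe if every value that reaches them is heap storage owned by the function. The Coverity trace in the description shows the same variable also being assigned from `find_in_hashtable(...)` followed by `if (trans) break;`, which suggests a lookup result never reaches the new free, but that code is outside both hunks and should be confirmed. A comment such as `/* computed here and not returned: release before the next iteration */` would record the ownership rule. The `if (trans)` and `if (raw)` guards are redundant because `free(NULL)` is a no-op, so `free(trans); trans = NULL;` is enough.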
@@ -0,0 +1,343 @@
+From 0fd5d05f4c5cbe4fbeb445f1b0bccfe1833a7253 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Fri, 12 Nov 2021 16:41:58 +0100
+Subject: [PATCH] mcstrans: avoid missing prototypes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Mark local functions static.
+Export functions of mcscolor.c in mcscolor.h and avoid bare extern
+function declarations.
+Drop unused function emit_whitespace().
+
+Signed-off-by: Christian Göttsche
+---
+ mcstrans/src/mcscolor.c | 2 ++
+ mcstrans/src/mcscolor.h | 8 ++++++
+ mcstrans/src/mcstrans.c | 57 ++++++++++++++++++----------------------
+ mcstrans/src/mcstrans.h | 1 -
+ mcstrans/src/mcstransd.c | 13 +++------
+ 5 files changed, 38 insertions(+), 43 deletions(-)
+ create mode 100644 mcstrans/src/mcscolor.h
+
+diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c
+index a38388501db5..9ff0ce2f29f1 100644
+--- a/mcstrans/src/mcscolor.c
++++ b/mcstrans/src/mcscolor.c
+@@ -11,6 +11,8 @@
+ #include
+ #include
+ #include
++
++#include "mcscolor.h"
+ #include "mcstrans.h"
+
+ /* Define data structures */
+diff --git a/mcstrans/src/mcscolor.h b/mcstrans/src/mcscolor.h
+new file mode 100644
+index 000000000000..c37fe6ed5197
+--- /dev/null
++++ b/mcstrans/src/mcscolor.h
+@@ -0,0 +1,8 @@
++#ifndef __mcscolor_h__
++#define __mcscolor_h__
++
++extern void finish_context_colors(void);
++extern int init_colors(void);
++extern int raw_color(const char *raw, char **color_str);
++
++#endif
+diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
+index e92dfddb0d20..09577ea0cc0b 100644
+--- a/mcstrans/src/mcstrans.c
++++ b/mcstrans/src/mcstrans.c
+@@ -136,7 +136,7 @@ typedef struct cat_constraint {
+
+ static cat_constraint_t *cat_constraints;
+
+-unsigned int
++static unsigned int
+ hash(const char *str) {
+ unsigned int hash = 5381;
+ int c;
+@@ -213,7 +213,7 @@ parse_category(ebitmap_t *e, const char *raw, int allowinverse)
+ return 0;
+ }
+
+-int
++static int
+ parse_ebitmap(ebitmap_t *e, ebitmap_t *def, const char *raw) {
+ int rc = ebitmap_cpy(e, def);
+ if (rc < 0)
+@@ -224,7 +224,7 @@ parse_ebitmap(ebitmap_t *e, ebitmap_t *def, const char *raw) {
+ return 0;
+ }
+
+-mls_level_t *
++static mls_level_t *
+ parse_raw(const char *raw) {
+ mls_level_t *mls = calloc(1, sizeof(mls_level_t));
+ if (!mls)
+@@ -248,7 +248,7 @@ err:
+ return NULL;
+ }
+
+-void
++static void
+ destroy_word(word_t **list, word_t *word) {
+ if (!word) {
+ return;
+@@ -267,7 +267,7 @@ destroy_word(word_t **list, word_t *word) {
+ free(word);
+ }
+
+-word_t *
++static word_t *
+ create_word(word_t **list, const char *text) {
+ word_t *w = calloc(1, sizeof(word_t));
+ if (!w) {
+@@ -291,7 +291,7 @@ err:
+ return NULL;
+ }
+
+-void
++static void
+ destroy_group(word_group_t **list, word_group_t *group) {
+ for (; list && *list; list = &(*list)->next) {
+ if (*list == group) {
+@@ -324,7 +324,7 @@ destroy_group(word_group_t **list, word_group_t *group) {
+ free(group);
+ }
+
+-word_group_t *
++static word_group_t *
+ create_group(word_group_t **list, const char *name) {
+ word_group_t *group = calloc(1, sizeof(word_group_t));
+ if (!group)
+@@ -357,7 +357,7 @@ err:
+ return NULL;
+ }
+
+-void
++static void
+ destroy_domain(domain_t *domain) {
+ int i;
+ unsigned int rt = 0, tr = 0;
+@@ -401,7 +401,7 @@ destroy_domain(domain_t *domain) {
+ syslog(LOG_INFO, "cache sizes: tr = %u, rt = %u", tr, rt);
+ }
+
+-domain_t *
++static domain_t *
+ create_domain(const char *name) {
+ domain_t *domain = calloc(1, sizeof(domain_t));
+ if (!domain) {
+@@ -425,7 +425,7 @@ err:
+ return NULL;
+ }
+
+-int
++static int
+ add_word(word_group_t *group, char *raw, char *trans) {
+ if (strchr(trans,'-')) {
+ log_error("'%s'is invalid because '-' is illegal in modifiers.\n", trans);
+@@ -451,7 +451,7 @@ add_word(word_group_t *group, char *raw, char *trans) {
+ return 0;
+ }
+
+-int
++static int
+ add_constraint(char op, char *raw, char *tok) {
+
log_debug("%s\n", "add_constraint");
+ ebitmap_t empty;
+@@ -521,7 +521,7 @@ add_constraint(char op, char *raw, char *tok) {
+ return 0;
+ }
+
+-int
++static int
+ violates_constraints(mls_level_t *l) {
+ int nbits;
+ sens_constraint_t *s;
+@@ -563,7 +563,7 @@ violates_constraints(mls_level_t *l) {
+ return 0;
+ }
+
+-void
++static void
+ destroy_sens_constraint(sens_constraint_t **list, sens_constraint_t *constraint) {
+ if (!constraint) {
+ return;
+@@ -580,7 +580,7 @@ destroy_sens_constraint(sens_constraint_t **list, sens_constraint_t *constraint)
+ free(constraint);
+ }
+
+-void
++static void
+ destroy_cat_constraint(cat_constraint_t **list, cat_constraint_t *constraint) {
+ if (!constraint) {
+ return;
+@@ -663,7 +663,7 @@ find_in_table(context_map_node_t **table, const char *key) {
+ return NULL;
+ }
+
+-char *
++static char *
+ trim(char *str, const char *whitespace) {
+ char *p = str + strlen(str);
+
+@@ -672,7 +672,7 @@ trim(char *str, const char *whitespace) {
+ return str;
+ }
+
+-char *
++static char *
+ triml(char *str, const char *whitespace) {
+ char *p = str;
+
+@@ -681,7 +681,7 @@ triml(char *str, const char *whitespace) {
+ return p;
+ }
+
+-int
++static int
+ update(char **p, char *const val) {
+ free (*p);
+ *p = strdup(val);
+@@ -692,7 +692,7 @@ update(char **p, char *const val) {
+ return 0;
+ }
+
+-int
++static int
+ append(affix_t **affixes, const char *val) {
+ affix_t *affix = calloc(1, sizeof(affix_t));
+ if (!affix) {
+@@ -887,7 +887,7 @@ init_translations(void) {
+ return(read_translations(selinux_translations_path()));
+ }
+
+-char *
++static char *
+ extract_range(const char *incon) {
+ context_t con = context_new(incon);
+ if (!con) {
+@@ -910,7 +910,7 @@ extract_range(const char *incon) {
+ return r;
+ }
+
+-char *
++static char *
+ new_context_str(const char *incon, const char *range) {
+ char *rcon = NULL;
+ context_t con = context_new(incon);
+@@ -931,7 +931,7 @@ exit:
+ return NULL;
+ }
+
+-char *
++static char *
+
find_in_hashtable(const char *range, domain_t *domain, context_map_node_t **table) {
+ char *trans = NULL;
+ context_map_t *map = find_in_table(table, range);
+@@ -946,13 +946,6 @@ find_in_hashtable(const char *range, domain_t *domain, context_map_node_t **tabl
+ return trans;
+ }
+
+-void
+-emit_whitespace(char*buffer, char *whitespace) {
+- strcat(buffer, "[");
+- strcat(buffer, whitespace);
+- strcat(buffer, "]");
+-}
+-
+ static int
+ string_size(const void *p1, const void *p2) {
+ return strlen(*(char **)p2) - strlen(*(char **)p1);
+@@ -969,7 +962,7 @@ word_size(const void *p1, const void *p2) {
+ return (w2_len - w1_len);
+ }
+
+-void
++static void
+ build_regexp(pcre **r, char *buffer) {
+ const char *error;
+ int error_offset;
+@@ -982,7 +975,7 @@ build_regexp(pcre **r, char *buffer) {
+ buffer[0] = '\0';
+ }
+
+-int
++static int
+ build_regexps(domain_t *domain) {
+ char buffer[1024 * 128];
+ buffer[0] = '\0';
+@@ -1086,7 +1079,7 @@ build_regexps(domain_t *domain) {
+ return 0;
+ }
+
+-char *
++static char *
+ compute_raw_from_trans(const char *level, domain_t *domain) {
+
+ #ifdef DEBUG
+@@ -1278,7 +1271,7 @@ err:
+ return NULL;
+ }
+
+-char *
++static char *
+ compute_trans_from_raw(const char *level, domain_t *domain) {
+
+ #ifdef DEBUG
+diff --git a/mcstrans/src/mcstrans.h b/mcstrans/src/mcstrans.h
+index e5cda93b8a4b..0addb325e569 100644
+--- a/mcstrans/src/mcstrans.h
++++ b/mcstrans/src/mcstrans.h
+@@ -6,4 +6,3 @@ extern int init_translations(void);
+ extern void finish_context_translations(void);
+ extern int trans_context(const char *, char **);
+ extern int untrans_context(const char *, char **);
+-
+diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c
+index 59c152e73be1..536c0f32f23a 100644
+--- a/mcstrans/src/mcstransd.c
++++ b/mcstrans/src/mcstransd.c
+@@ -16,6 +16,8 @@
+ #include
+ #include
+ #include
++
++#include "mcscolor.h"
+ #include "mcstrans.h"
+
+ #ifdef UNUSED
+@@ -43,15 +45,6 @@
+ #define log_debug(fmt, ...)
do {} while (0)
+ #endif
+
+-extern int init_translations(void);
+-extern void finish_context_translations(void);
+-extern int trans_context(const char *, char **);
+-extern int untrans_context(const char *, char **);
+-
+-extern int init_colors(void);
+-extern void finish_context_colors(void);
+-extern int raw_color(const char *, char **);
+-
+ #define SETRANSD_PATHNAME "/sbin/mcstransd"
+
+ /* name of program (for error messages) */
+@@ -514,7 +507,7 @@ initialize(void)
+
+ }
+
+-void dropprivs(void)
++static void dropprivs(void)
+ {
+ cap_t new_caps;
+
+--
+2.33.1
+
diff --git a/SOURCES/0006-mcstrans-port-to-new-PCRE2-from-end-of-life-PCRE.patch b/SOURCES/0006-mcstrans-port-to-new-PCRE2-from-end-of-life-PCRE.patch
new file mode 100644
index 0000000..b73d1b1
--- /dev/null
+++ b/SOURCES/0006-mcstrans-port-to-new-PCRE2-from-end-of-life-PCRE.patch
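Review bot: The new header `mcscolor.h` in patch 0005 guards itself with `__mcscolor_h__`, and identifiers containing a double underscore are reserved for the implementation in C; `#ifndef MCSCOLOR_H` / `#define MCSCOLOR_H` avoids the clash. The header also carries no comment saying what the three functions return or who frees `*color_str` after `raw_color`, and that ownership cannot be read off the prototypes. A one-line comment per declaration would give callers such as `mcstransd.c` the contract they need.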
@@ -0,0 +1,344 @@
+From c8fea6b657cc256c43fc9c5dbe2c4e04677416c9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Tue, 30 Nov 2021 12:04:25 +0100
+Subject: [PATCH] mcstrans: port to new PCRE2 from end-of-life PCRE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Quoting pcre.org:
+
+ There are two major versions of the PCRE library. The current
+ version, PCRE2, released in 2015, is now at version 10.39.
+
+ The older, but still widely deployed PCRE library, originally
+ released in 1997, is at version 8.45. This version of PCRE is now at
+ end of life, and is no longer being actively maintained. Version
+ 8.45 is expected to be the final release of the older PCRE library,
+ and new projects should use PCRE2 instead.
+
+Signed-off-by: Christian Göttsche
+---
+ mcstrans/Makefile | 6 ++
+ mcstrans/src/Makefile | 4 +-
+ mcstrans/src/mcstrans.c | 131 ++++++++++++++++++++++++++++------------
+ mcstrans/utils/Makefile | 6 +--
+ 4 files changed, 104 insertions(+), 43 deletions(-)
+
+diff --git a/mcstrans/Makefile b/mcstrans/Makefile
+index c993a9f52713..b20279ab984a 100644
+--- a/mcstrans/Makefile
++++ b/mcstrans/Makefile
+@@ -1,3 +1,9 @@
++PKG_CONFIG ?= pkg-config
++PCRE_MODULE := libpcre2-8
++PCRE_CFLAGS := $(shell $(PKG_CONFIG) --cflags $(PCRE_MODULE)) -DPCRE2_CODE_UNIT_WIDTH=8
++PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs $(PCRE_MODULE))
++export PCRE_MODULE PCRE_CFLAGS PCRE_LDLIBS
++
+ all:
+ $(MAKE) -C src
+ $(MAKE) -C utils
+diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
+index 76ef055714e9..ef518625cd3b 100644
+--- a/mcstrans/src/Makefile
++++ b/mcstrans/src/Makefile
+@@ -20,10 +20,10 @@ CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute
+ all: $(PROG)
+
+ $(PROG): $(PROG_OBJS) $(LIBSEPOLA)
+- $(CC) $(LDFLAGS) -pie -o $@ $^ -lselinux -lcap -lpcre $(LDLIBS_LIBSEPOLA)
++ $(CC) $(LDFLAGS) -pie -o $@ $^ -lselinux -lcap $(PCRE_LDLIBS) $(LDLIBS_LIBSEPOLA)
+
+ %.o:
%.c
+- $(CC) $(CFLAGS) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -c -o $@ $<
++ $(CC) $(CFLAGS) $(PCRE_CFLAGS) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -c -o $@ $<
+
+ install: all
+ test -d $(DESTDIR)$(SBINDIR) || install -m 755 -d $(DESTDIR)$(SBINDIR)
+diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c
+index 09577ea0cc0b..6e4bfd3b16bd 100644
+--- a/mcstrans/src/mcstrans.c
++++ b/mcstrans/src/mcstrans.c
+@@ -26,7 +26,7 @@
+ #include
+ #include
+ #include
+-#include
++#include
+ #include
+ #include
+ #include
+@@ -36,7 +36,6 @@
+ #include "mcstrans.h"
+
+ #define N_BUCKETS 1453
+-#define OVECCOUNT (512*3)
+
+ #define log_error(fmt, ...) fprintf(stderr, fmt, __VA_ARGS__)
+
+@@ -82,9 +81,9 @@ typedef struct word_group {
+ affix_t *suffixes;
+ word_t *words;
+
+- pcre *prefix_regexp;
+- pcre *word_regexp;
+- pcre *suffix_regexp;
++ pcre2_code *prefix_regexp;
++ pcre2_code *word_regexp;
++ pcre2_code *suffix_regexp;
+
+ ebitmap_t def;
+
+@@ -109,7 +108,7 @@ typedef struct domain {
+ base_classification_t *base_classifications;
+ word_group_t *groups;
+
+- pcre *base_classification_regexp;
++ pcre2_code *base_classification_regexp;
+ struct domain *next;
+ } domain_t;
+
+@@ -317,9 +316,9 @@ destroy_group(word_group_t **list, word_group_t *group) {
+ free(group->name);
+ free(group->sword);
+ free(group->join);
+- pcre_free(group->prefix_regexp);
+- pcre_free(group->word_regexp);
+- pcre_free(group->suffix_regexp);
++ pcre2_code_free(group->prefix_regexp);
++ pcre2_code_free(group->word_regexp);
++ pcre2_code_free(group->suffix_regexp);
+ ebitmap_destroy(&group->def);
+ free(group);
+ }
+@@ -392,7 +391,7 @@ destroy_domain(domain_t *domain) {
+ free(domain->base_classifications);
+ domain->base_classifications = next;
+ }
+- pcre_free(domain->base_classification_regexp);
++ pcre2_code_free(domain->base_classification_regexp);
+ while (domain->groups)
+ destroy_group(&domain->groups, domain->groups);
+ free(domain->name);
+@@ -963,14 +962,16 @@
word_size(const void *p1, const void *p2) {
+ }
+
+ static void
+-build_regexp(pcre **r, char *buffer) {
+- const char *error;
+- int error_offset;
++build_regexp(pcre2_code **r, char *buffer) {
++ int error;
++ PCRE2_SIZE error_offset;
+ if (*r)
+- pcre_free(*r);
+- *r = pcre_compile(buffer, PCRE_CASELESS, &error, &error_offset, NULL);
+- if (error) {
+- log_error("pcre=%s, error=%s\n", buffer, error ? error: "none");
++ pcre2_code_free(*r);
++ *r = pcre2_compile((PCRE2_SPTR8) buffer, PCRE2_ZERO_TERMINATED, PCRE2_CASELESS, &error, &error_offset, NULL);
++ if (!*r) {
++ PCRE2_UCHAR errbuf[256];
++ pcre2_get_error_message(error, errbuf, sizeof(errbuf));
++ log_error("pcre compilation of '%s' failed at offset %zu: %s\n", buffer, error_offset, errbuf);
+ }
+ buffer[0] = '\0';
+ }
+@@ -1088,12 +1089,12 @@ compute_raw_from_trans(const char *level, domain_t *domain) {
+ #endif
+
+ int rc = 0;
+- int ovector[OVECCOUNT];
++ pcre2_match_data *match_data = NULL;
+ word_group_t *g = NULL;
+ char *work = NULL;
+ char *r = NULL;
+- const char * match = NULL;
+- int work_len;
++ char *match = NULL;
++ size_t work_len;
+ mls_level_t *mraw = NULL;
+ ebitmap_t set, clear, tmp;
+
+@@ -1114,11 +1115,20 @@ compute_raw_from_trans(const char *level, domain_t *domain) {
+ if (!domain->base_classification_regexp)
+ goto err;
+ log_debug(" compute_raw_from_trans work = %s\n", work);
+- rc = pcre_exec(domain->base_classification_regexp, 0, work, work_len, 0, PCRE_ANCHORED, ovector, OVECCOUNT);
++ match_data = pcre2_match_data_create_from_pattern(domain->base_classification_regexp, NULL);
++ if (!match_data) {
++ log_error("allocation error %s", strerror(errno));
++ goto err;
++ }
++ rc = pcre2_match(domain->base_classification_regexp, (PCRE2_SPTR8)work, work_len, 0, PCRE2_ANCHORED, match_data, NULL);
+ if (rc > 0) {
+- match = NULL;
+- pcre_get_substring(work, ovector, rc, 0, &match);
+- log_debug(" compute_raw_from_trans match = %s len = %u\n", match, strlen(match));
++ const PCRE2_SIZE
*ovector = pcre2_get_ovector_pointer(match_data);
++ match = strndup(work + ovector[0], ovector[1] - ovector[0]);
++ if (!match) {
++ log_error("allocation error %s", strerror(errno));
++ goto err;
++ }
++ log_debug(" compute_raw_from_trans match = %s len = %zu\n", match, strlen(match));
+ base_classification_t *bc;
+ for (bc = domain->base_classifications; bc; bc = bc->next) {
+ if (!strcmp(bc->trans, match)) {
+@@ -1138,12 +1148,23 @@ compute_raw_from_trans(const char *level, domain_t *domain) {
+ char *p=work + ovector[0] + ovector[1];
+ while (*p && (strchr(" ", *p) != NULL))
+ *p++ = '#';
+- pcre_free((char *)match);
++
++ free(match);
+ match = NULL;
+ } else {
+- log_debug(" compute_raw_from_trans no base classification matched %s\n", level);
++ switch (rc) {
++ case PCRE2_ERROR_NOMATCH:
++ log_debug(" compute_raw_from_trans no base classification matched %s\n", level);
++ break;
++ default:
++ log_error("compute_raw_from_trans: base matching error for input '%s': %d\n", level, rc);
++ break;
++ }
+ }
+
++ pcre2_match_data_free(match_data);
++ match_data = NULL;
++
+ if (mraw == NULL) {
+ goto err;
+ }
+@@ -1154,23 +1175,43 @@ compute_raw_from_trans(const char *level, domain_t *domain) {
+ change = 0;
+ for (g = domain->groups; g && !change && !complete; g = g->next) {
+ int prefix = 0, suffix = 0;
+- int prefix_offset = 0, prefix_len = 0;
+- int suffix_offset = 0, suffix_len = 0;
++ PCRE2_SIZE prefix_offset = 0, prefix_len = 0;
++ PCRE2_SIZE suffix_offset = 0, suffix_len = 0;
+ if (g->prefix_regexp) {
+- rc = pcre_exec(g->prefix_regexp, 0, work, work_len, 0, 0, ovector, OVECCOUNT);
++ match_data = pcre2_match_data_create_from_pattern(g->prefix_regexp, NULL);
++ if (!match_data) {
++ log_error("allocation error %s", strerror(errno));
++ goto err;
++ }
++ rc = pcre2_match(g->prefix_regexp, (PCRE2_SPTR8)work, work_len, 0, 0, match_data, NULL);
+ if (rc > 0) {
++ const PCRE2_SIZE *ovector = pcre2_get_ovector_pointer(match_data);
+ prefix = 1;
+ prefix_offset =
ovector[0];
+ prefix_len = ovector[1] - ovector[0];
++ } else if (rc != PCRE2_ERROR_NOMATCH) {
++ log_error("compute_raw_from_trans: prefix matching error for input '%s': %d\n", level, rc);
+ }
++ pcre2_match_data_free(match_data);
++ match_data = NULL;
+ }
+ if (g->suffix_regexp) {
+- rc = pcre_exec(g->suffix_regexp, 0, work, work_len, 0, 0, ovector, OVECCOUNT);
++ match_data = pcre2_match_data_create_from_pattern(g->suffix_regexp, NULL);
++ if (!match_data) {
++ log_error("allocation error %s", strerror(errno));
++ goto err;
++ }
++ rc = pcre2_match(g->suffix_regexp, (PCRE2_SPTR8)work, work_len, 0, 0, match_data, NULL);
+ if (rc > 0) {
++ const PCRE2_SIZE *ovector = pcre2_get_ovector_pointer(match_data);
+ suffix = 1;
+ suffix_offset = ovector[0];
+ suffix_len = ovector[1] - ovector[0];
++ } else if (rc != PCRE2_ERROR_NOMATCH) {
++ log_error("compute_raw_from_trans: suffix matching error for input '%s': %d\n", level, rc);
+ }
++ pcre2_match_data_free(match_data);
++ match_data = NULL;
+ }
+
+ /* anchors prefix ^, suffix $ */
+@@ -1179,14 +1220,23 @@ compute_raw_from_trans(const char *level, domain_t *domain) {
+ (g->suffixes && suffix)) &&
+ g->word_regexp) {
+ char *s = work + prefix_offset + prefix_len;
+- int l = (suffix_len ? suffix_offset : work_len) - prefix_len - prefix_offset;
+- rc = pcre_exec(g->word_regexp, 0, s, l, 0, 0, ovector, OVECCOUNT);
++ PCRE2_SIZE len = (suffix_len ?
suffix_offset : work_len) - prefix_len - prefix_offset;
++ match_data = pcre2_match_data_create_from_pattern(g->word_regexp, NULL);
++ if (!match_data) {
++ log_error("allocation error %s", strerror(errno));
++ goto err;
++ }
++ rc = pcre2_match(g->word_regexp, (PCRE2_SPTR8)s, len, 0, 0, match_data, NULL);
+ if (rc > 0) {
+- match = NULL;
+- pcre_get_substring(s, ovector, rc, 0, &match);
+- trim((char *)match, g->whitespace);
++ const PCRE2_SIZE *ovector = pcre2_get_ovector_pointer(match_data);
++ match = strndup(s + ovector[0], ovector[1] - ovector[0]);
++ if (!match) {
++ log_error("allocation error %s", strerror(errno));
++ goto err;
++ }
++ trim(match, g->whitespace);
+ if (*match) {
+- char *p = triml((char *)match, g->whitespace);
++ char *p = triml(match, g->whitespace);
+ while (p && *p) {
+ int plen = strlen(p);
+ unsigned int i;
+@@ -1223,9 +1273,13 @@ compute_raw_from_trans(const char *level, domain_t *domain) {
+ memset(work + suffix_offset, '#', suffix_len);
+ memset(s + ovector[0], '#', ovector[1] - ovector[0]);
+ }
+- pcre_free((void *)match);
++ free(match);
+ match = NULL;
++ } else if (rc != PCRE2_ERROR_NOMATCH) {
++ log_error("compute_raw_from_trans: word matching error for input '%s' for substring '%s': %d\n", level, s, rc);
+ }
++ pcre2_match_data_free(match_data);
++ match_data = NULL;
+ }
+ /* YYY */
+ complete=1;
+@@ -1264,10 +1318,11 @@ err:
+ mls_level_destroy(mraw);
+ free(mraw);
+ free(work);
+- pcre_free((void *)match);
++ free(match);
+ ebitmap_destroy(&tmp);
+ ebitmap_destroy(&set);
+ ebitmap_destroy(&clear);
++ pcre2_match_data_free(match_data);
+ return NULL;
+ }
+
+diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
+index 9dfe772332b4..a48f4e72acc0 100644
+--- a/mcstrans/utils/Makefile
++++ b/mcstrans/utils/Makefile
+@@ -14,13 +14,13 @@ endif
+ all: $(TARGETS)
+
+ transcon: transcon.o ../src/mcstrans.o ../src/mls_level.o $(LIBSEPOLA)
+- $(CC) $(LDFLAGS) -o $@ $^ -lpcre -lselinux $(LDLIBS_LIBSEPOLA)
++ $(CC) $(LDFLAGS)
-o $@ $^ $(PCRE_LDLIBS) -lselinux $(LDLIBS_LIBSEPOLA)
+
+ untranscon: untranscon.o ../src/mcstrans.o ../src/mls_level.o $(LIBSEPOLA)
+- $(CC) $(LDFLAGS) -o $@ $^ -lpcre -lselinux $(LDLIBS_LIBSEPOLA)
++ $(CC) $(LDFLAGS) -o $@ $^ $(PCRE_LDLIBS) -lselinux $(LDLIBS_LIBSEPOLA)
+
+ %.o: %.c
+- $(CC) $(CFLAGS) -D_GNU_SOURCE -I../src -fPIE -c -o $@ $<
++ $(CC) $(CFLAGS) $(PCRE_CFLAGS) -D_GNU_SOURCE -I../src -fPIE -c -o $@ $<
+
+ install: all
+ -mkdir -p $(DESTDIR)$(SBINDIR)
+--
+2.33.1
+
diff --git a/SOURCES/secolor.conf.8 b/SOURCES/secolor.conf.8
new file mode 100644
index 0000000..2947aca
--- /dev/null
+++ b/SOURCES/secolor.conf.8
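Review bot: In the word-matching step of `compute_raw_from_trans` (patch 0006), `PCRE2_SIZE len = (suffix_len ? suffix_offset : work_len) - prefix_len - prefix_offset;` is now unsigned, so if a suffix match ever begins before the end of the prefix match the subtraction wraps and `pcre2_match` is handed a length far larger than the `work` buffer. With the old `int l` the same input would have produced a negative length instead. Whether the prefix and suffix patterns can overlap depends on the translation configuration, which is not visible here, so an explicit bound check is the safe choice: compute `start = prefix_offset + prefix_len` and `end = suffix_len ? suffix_offset : work_len`, and skip the word match when `end < start`. The function begins and ends outside the hunk.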
@@ -0,0 +1,180 @@
+.TH "secolor.conf" "8" "08 April 2011" "SELinux API documentation"
+.SH "NAME"
+secolor.conf \- The SELinux color configuration file
+.
+.SH "DESCRIPTION"
+The
+.I /etc/selinux/{SELINUXTYPE}/secolor.conf
+configuation file controls the color to be associated to the context components associated to the
+.I raw
+context passed by
+.BR selinux_raw_context_to_color "(3),"
+when context related information is to be displayed in color by an SELinux-aware application.
+.sp
+.BR selinux_raw_context_to_color "(3)"
+obtains this color information from the active policy
+.B secolor.conf
+file as returned by
+.BR selinux_colors_path "(3)."
+.
+.SH "FILE FORMAT"
+The file format is as follows:
+.RS
+.B color
+.I color_name
+.BI "= #"color_mask
+.br
+[...]
+.sp
+.I context_component string
+.B =
+.I fg_color_name bg_color_name
+.br
+[...]
+.sp
+.RE
+
+Where:
+.br
+.B color
+.RS
+The color keyword. Each color entry is on a new line.
+.RE
+.I color_name
+.RS
+A single word name for the color (e.g. red).
+.RE
+.I color_mask
+.RS
+A color mask starting with a hash (#) that describes the hexadecimal RGB colors with black being #000000 and white being #ffffff.
+.RE
+.I context_component
+.RS
+The context component name that must be one of the following:
+.br
+.RS
+user, role, type or range
+.RE
+Each
+.IR context_component " " string " ..."
+entry is on a new line.
+.RE
+.I string
+.RS
+This is the
+.I context_component
+string that will be matched with the
+.I raw
+context component passed by
+.BR selinux_raw_context_to_color "(3)."
+.br
+A wildcard '*' may be used to match any undefined string for the user, role and type
+.I context_component
+entries only.
+.RE
+
+.I fg_color_name
+.RS
+The color_name string that will be used as the foreground color.
+A
+.I color_mask
+may also be used.
+.RE
+.I bg_color_name
+.RS
+The color_name string that will be used as the background color.
+A
+.I color_mask
+may also be used.
+.RE
+.
+.SH "EXAMPLES"
+Example 1 entries are:
+.RS
+color black = #000000
+.br
+color green = #008000
+.br
+color yellow = #ffff00
+.br
+color blue = #0000ff
+.br
+color white = #ffffff
+.br
+color red = #ff0000
+.br
+color orange = #ffa500
+.br
+color tan = #D2B48C
+.sp
+user * = black white
+.br
+role * = white black
+.br
+type * = tan orange
+.br
+range s0\-s0:c0.c1023 = black green
+.br
+range s1\-s1:c0.c1023 = white green
+.br
+range s3\-s3:c0.c1023 = black tan
+.br
+range s5\-s5:c0.c1023 = white blue
+.br
+range s7\-s7:c0.c1023 = black red
+.br
+range s9\-s9:c0.c1023 = black orange
+.br
+range s15:c0.c1023 = black yellow
+.RE
+
+.sp
+Example 2 entries are:
+.RS
+color black = #000000
+.br
+color green = #008000
+.br
+color yellow = #ffff00
+.br
+color blue = #0000ff
+.br
+color white = #ffffff
+.br
+color red = #ff0000
+.br
+color orange = #ffa500
+.br
+color tan = #d2b48c
+.sp
+user unconfined_u = #ff0000 green
+.br
+role unconfined_r = red #ffffff
+.br
+type unconfined_t = red orange
+.br
+user user_u = black green
+.br
+role user_r = white black
+.br
+type user_t = tan red
+.br
+user xguest_u = black yellow
+.br
+role xguest_r = black red
+.br
+type xguest_t = black green
+.br
+user sysadm_u = white black
+.br
+range s0:c0.c1023 = black white
+.br
+user * = black white
+.br
+role * = black white
+.br
+type * = black white
+.RE
+.
+.SH "SEE ALSO"
+.BR mcstransd "(8), " selinux_raw_context_to_color "(3), " selinux_colors_path "(3)"
diff --git a/SPECS/mcstrans.spec b/SPECS/mcstrans.spec
new file mode 100644
index 0000000..812b864
--- /dev/null
+++ b/SPECS/mcstrans.spec
@@ -0,0 +1,350 @@ +Summary: SELinux Translation Daemon +Name: mcstrans +Version: 3.3 +Release: 2%{?dist} +License: GPL+ +Url: https://github.com/SELinuxProject/selinux/wiki +Source: https://github.com/SELinuxProject/selinux/releases/download/3.3/mcstrans-3.3.tar.gz +Source2: secolor.conf.8 +# fedora-selinux/selinux: git format-patch -N 3.3 -- mcstrans +# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done +# Patch list start +Patch0001: 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch +Patch0002: 0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch +Patch0003: 0003-mcstrans-Do-not-accept-incomplete-contexts.patch +Patch0004: 0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch +Patch0005: 0005-mcstrans-avoid-missing-prototypes.patch +Patch0006: 0006-mcstrans-port-to-new-PCRE2-from-end-of-life-PCRE.patch +# Patch list end +BuildRequires: gcc +BuildRequires: make +BuildRequires: libselinux-devel >= %{version} +BuildRequires: libcap-devel pcre2-devel libsepol-devel libsepol-static +BuildRequires: systemd +Requires: pcre2 +%{?systemd_requires} +Provides: setransd +Provides: libsetrans + +%description +Security-enhanced Linux is a feature of the Linux® kernel and a number +of utilities with enhanced security functionality designed to add +mandatory access controls to Linux. The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These +architectural components provide general support for the enforcement +of many kinds of mandatory access control policies, including those +based on the concepts of Type Enforcement®, Role-based Access +Control, and Multi-level Security. + +mcstrans provides an translation daemon to translate SELinux categories +from internal representations to user defined representation. 
+ +%prep +%autosetup -p 2 -n mcstrans-%{version} + +%build +%set_build_flags + +%make_build LIBDIR="%{_libdir}" + +%install +rm -rf %{buildroot} +mkdir -p %{buildroot}/%{_lib} +mkdir -p %{buildroot}/%{_libdir} +mkdir -p %{buildroot}%{_usr}/share/mcstrans +mkdir -p %{buildroot}%{_sysconfdir}/selinux/mls/setrans.d + +%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" SBINDIR="%{_sbindir}" +rm -f %{buildroot}%{_libdir}/*.a +cp -r share/* %{buildroot}%{_usr}/share/mcstrans/ +# Systemd +mkdir -p %{buildroot}%{_unitdir} +ln -s %{_unitdir}/mcstrans.service %{buildroot}/%{_unitdir}/mcstransd.service +rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/mcstrans +install -m644 %{SOURCE2} %{buildroot}%{_mandir}/man8/ + +%post +%systemd_post mcstransd.service + +%preun +%systemd_preun mcstransd.service + +%postun +%systemd_postun mcstransd.service + +%files +%{_mandir}/man8/mcs.8.gz +%{_mandir}/man8/mcstransd.8.gz +%{_mandir}/man5/setrans.conf.5.gz +%{_mandir}/ru/man8/mcs.8.gz +%{_mandir}/ru/man8/mcstransd.8.gz +%{_mandir}/ru/man5/setrans.conf.5.gz +%{_mandir}/man8/secolor.conf.8.gz +/usr/sbin/mcstransd +%{_unitdir}/mcstrans.service +%{_unitdir}/mcstransd.service +%dir %{_sysconfdir}/selinux/mls/setrans.d + +%dir %{_usr}/share/mcstrans + +%defattr(0644,root,root,0755) +%dir %{_usr}/share/mcstrans/util +%dir %{_usr}/share/mcstrans/examples +%{_usr}/share/mcstrans/examples/* + +%defattr(0755,root,root,0755) +%{_usr}/share/mcstrans/util/* + +%changelog +* Fri Dec 10 2021 Petr Lautrbach - 3.3-2 +- Port to new PCRE2 from end-of-life PCRE + +* Fri Oct 22 2021 Petr Lautrbach - 3.3-1 +- SELinux userspace 3.3 release + +* Mon Oct 11 2021 Petr Lautrbach - 3.3-0.rc3.1 +- SELinux userspace 3.3-rc3 release + +* Wed Sep 29 2021 Petr Lautrbach - 3.3-0.rc2.1 +- SELinux userspace 3.3-rc2 release + +* Mon Aug 09 2021 Mohan Boddu - 3.2-4 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Thu Aug 5 2021 Petr Lautrbach - 3.2-3 +- Fix RESOURCE_LEAK (CWE-772) + +* Fri Apr 
16 2021 Mohan Boddu - 3.2-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Mar 9 2021 Petr Lautrbach - 3.2-1 +- SELinux userspace 3.2 release + +* Sun Feb 7 2021 Petr Lautrbach - 3.2-0.rc2.1 +- SELinux userspace 3.2-rc2 release + +* Tue Jan 26 2021 Fedora Release Engineering - 3.2-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Jan 22 2021 Petr Lautrbach - 3.2-0.rc1.1 +- SELinux userspace 3.2-rc1 release + +* Tue Jul 28 2020 Tom Stellard - 3.1-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Tue Jul 28 2020 Fedora Release Engineering - 3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jul 16 2020 Petr Lautrbach - 3.1-1 +- SELinux userspace 3.1 release + +* Wed Jan 29 2020 Fedora Release Engineering - 3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Dec 6 2019 Petr Lautrbach - 3.0-1 +- SELinux userspace 3.0 release + +* Mon Nov 11 2019 Petr Lautrbach - 3.0-0.rc1.1 +- SELinux userspace 3.0-rc1 release candidate + +* Thu Jul 25 2019 Fedora Release Engineering - 2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Tue Mar 19 2019 Petr Lautrbach - 2.9-1 +- SELinux userspace 2.9 release + +* Mon Mar 11 2019 Petr Lautrbach - 2.9-0.rc2.1 +- SELinux userspace 2.9-rc2 release + +* Fri Feb 01 2019 Fedora Release Engineering - 2.9-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 30 2019 Petr Lautrbach - 2.9-0.rc1.1 +- Update to mcstrans-2.9-rc1 + +* Tue Oct 2 2018 Petr Lautrbach - 2.8-1 +- Update to mcstrans-2.8 + +* Fri Jul 13 2018 Fedora Release Engineering - 0.3.4-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Feb 08 2018 Fedora Release Engineering - 0.3.4-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 0.3.4-11 +- 
Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.3.4-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 0.3.4-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 0.3.4-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jun 17 2015 Fedora Release Engineering - 0.3.4-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sun Aug 17 2014 Fedora Release Engineering - 0.3.4-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 0.3.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Mar 19 2014 Karsten Hopp |karsten@redhat.com> - 0.3.4-4 +- fix changelog order so that it builds with a recent rpm + +* Wed Oct 16 2013 Dan Walsh - 0.3.4-3 +- Make mcstrans PIE and fully relro +- Resolves: #983268 + +* Tue Oct 15 2013 Dan Walsh - 0.3.4-2 +- Add RELRO support for long running services + +* Thu Sep 12 2013 Dan Walsh - 0.3.4-1 +- Update to latest version/applying patches +- Move binary to /usr/sbin rather then /sbin +* Sat Aug 03 2013 Fedora Release Engineering - 0.3.3-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Mar 26 2013 Dan Walsh - 0.3.3-7 +- Add secolor.conf.5 man page +- Make mcstransd watch for content being written to /run/setrans for files names containing translations. 
+-- This will allow apps like libvirt to write content nameing randomly selected MCS labels +- Fix memory leak in mcstransd + +* Thu Feb 14 2013 Fedora Release Engineering - 0.3.3-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Jul 19 2012 Fedora Release Engineering - 0.3.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Feb 10 2012 Petr Pisar - 0.3.3-4 +- Rebuild against PCRE 8.30 + +* Thu Feb 2 2012 Dan Walsh - 0.3.3-3 +- Fix the systemd service file + +* Wed Feb 1 2012 Dan Walsh - 0.3.3-2 +- Update to upstream +- Write pid file + +* Fri Jan 13 2012 Fedora Release Engineering - 0.3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Feb 08 2011 Fedora Release Engineering - 0.3.2-1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 5 2011 Ted X Toth - 0.3.2-0 +- Add constraints +- Add setrans.conf man page +- Fix mixed raw and translated range bug +- Moved todo comments to TODO file + +* Fri Oct 16 2009 Dan Walsh 0.3.1-4 +- Add mcstransd man page + +* Thu Sep 17 2009 Miroslav Grepl 0.3.1-3 +- Fix init script + +* Sat Jul 25 2009 Fedora Release Engineering - 0.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Feb 5 2009 Joe Nall 0.3.1-1 +- Rewrite translations to allow individual word/category mapping +- Eamon Walsh's color mapping changes + +* Wed May 28 2008 Tom "spot" Callaway 0.2.11-2 +- fix license tag + +* Wed May 7 2008 Dan Walsh 0.2.11-1 +- More fixes from Jim Meyering + +* Tue May 6 2008 Dan Walsh 0.2.10-1 +- More error checking on failed strdup + +* Tue May 6 2008 Dan Walsh 0.2.9-1 +- Start mcstrans before netlabel + +* Mon Apr 14 2008 Dan Walsh 0.2.8-1 +- Fix error handling + +* Tue Feb 12 2008 Dan Walsh 0.2.7-2 +- Rebuild for gcc 4.3 + +* Tue Oct 30 2007 Steve Conklin - 0.2.7-1 +- Folded current patches into tarball + +* Thu Oct 25 2007 Steve Conklin - 0.2.6-3 +- Fixed a compile problem with 
max_categories + +* Thu Oct 25 2007 Steve Conklin - 0.2.6-2 +- Fixed some init script errors + +* Thu Sep 13 2007 Dan Walsh 0.2.6-1 +- Check for max_categories and error out + +* Thu Mar 1 2007 Dan Walsh 0.2.5-1 +- Fix case where s0="" + +* Mon Feb 26 2007 Dan Walsh 0.2.4-1 +- Translate range if fully specified correctly + +* Mon Feb 12 2007 Dan Walsh 0.2.3-1 +- Additional fix to handle ssh root/sysadm_r/s0:c1,c2 +Resolves: #224637 + +* Mon Feb 5 2007 Dan Walsh 0.2.1-1 +- Rewrite to handle MLS properly +Resolves: #225355 + +* Mon Jan 29 2007 Dan Walsh 0.1.10-2 +- Cleanup memory when complete + +* Mon Dec 4 2006 Dan Walsh 0.1.10-1 +- Fix Memory Leak +Resolves: #218173 + +* Thu Sep 21 2006 Dan Walsh 0.1.9-1 +- Add -pie +- Fix compiler warnings +- Fix Memory Leak +Resolves: #218173 + +* Wed Sep 13 2006 Peter Jones - 0.1.8-3 +- Fix subsys locking in init script + +* Wed Aug 23 2006 Dan Walsh 0.1.8-1 +- Only allow one version to run + +* Wed Jul 12 2006 Jesse Keating - sh: line 0: fg: no job control +- rebuild + +* Mon Jun 19 2006 Dan Walsh 0.1.7-1 +- Apply sgrubb patch to only call getpeercon on translations + +* Tue Jun 6 2006 Dan Walsh 0.1.6-1 +- Exit gracefully when selinux is not enabled + +* Mon May 15 2006 Dan Walsh 0.1.5-1 +- Fix sighup handling + +* Mon May 15 2006 Dan Walsh 0.1.4-1 +- Add patch from sgrubb +- Fix 64 bit size problems +- Increase the open file limit +- Make sure maximum size is not exceeded + +* Fri May 12 2006 Dan Walsh 0.1.3-1 +- Move initscripts to /etc/rc.d/init.d + +* Thu May 11 2006 Dan Walsh 0.1.2-1 +- Drop Privs + +* Mon May 8 2006 Dan Walsh 0.1.1-1 +- Initial Version +- This daemon reuses the code from libsetrans
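Review bot: `%prep` runs `%autosetup` on the tarball named by `Source:` with no signature check, and the spec lists no detached-signature or keyring source, so the authenticity of the upstream archive presumably rests only on the checksum the build system records for it. If upstream publishes a detached signature for this release, add it and the signer's keyring as extra `Source` entries, add `BuildRequires: gnupg2`, and make `%{gpgverify} --keyring='%{SOURCE<keyring-no>}' --signature='%{SOURCE<sig-no>}' --data='%{SOURCE0}'` the first line of `%prep` (the two source numbers are placeholders). Separately, `%files` hard-codes `/usr/sbin/mcstransd` although `%make_install` is given `SBINDIR="%{_sbindir}"`; `%{_sbindir}/mcstransd` would keep the two in step.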