From 07a392fef4e52d34c9caeb144960dc97384fa888 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Thu, 27 Jun 2024 17:47:47 +0200
Subject: [PATCH] SELinux userspace 3.7 release

Resolves: RHEL-40233
---
 .gitignore | 1 +
 ...t-be-verbose-if-you-are-not-on-a-tty.patch | 6 +-
 ...t-to-Xephyr-as-it-works-better-with-.patch | 27 --
 ...rate-Handle-more-reserved-port-types.patch | 6 +-
 ...hbox-window-manager-instead-of-openb.patch | 20 +-
 ...h => 0004-Use-SHA-2-instead-of-SHA-1.patch | 4 +-
 ...-sepolicy-Fix-spec-file-dependencies.patch | 4 +-
 ...-sandbox-do-not-fail-without-xmodmap.patch | 30 ---
 ...un-window-manager-if-it-s-not-a-sess.patch | 35 ---
 ...pipewiresocket-W-waylandsocket-optio.patch | 232 ------------------
 0010-sandbox-Add-support-for-Wayland.patch | 133 ----------
 policycoreutils.spec | 32 ++-
 sources | 2 +-
 13 files changed, 37 insertions(+), 495 deletions(-)
 rename 0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch => 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch (83%)
 delete mode 100644 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
 rename 0003-sepolicy-generate-Handle-more-reserved-port-types.patch => 0002-sepolicy-generate-Handle-more-reserved-port-types.patch (96%)
 rename 0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch => 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch (79%)
 rename 0005-Use-SHA-2-instead-of-SHA-1.patch => 0004-Use-SHA-2-instead-of-SHA-1.patch (98%)
 rename 0006-python-sepolicy-Fix-spec-file-dependencies.patch => 0005-python-sepolicy-Fix-spec-file-dependencies.patch (95%)
 delete mode 100644 0007-sandbox-do-not-fail-without-xmodmap.patch
 delete mode 100644 0008-sandbox-do-not-run-window-manager-if-it-s-not-a-sess.patch
 delete mode 100644 0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch
 delete mode 100644 0010-sandbox-Add-support-for-Wayland.patch
diff --git a/.gitignore b/.gitignore
index f168b35..dc44242 100644
--- a/.gitignore
+++ b/.gitignore
@@ -355,3 +355,4 @@ policycoreutils-2.0.83.tgz /selinux-3.6-rc1.tar.gz /selinux-3.6-rc2.tar.gz /selinux-3.6.tar.gz +/selinux-3.7.tar.gz diff --git a/0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch similarity index 83% rename from 0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch rename to 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch index 87f5561..aaea883 100644 --- a/0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +++ b/0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch @@ -1,4 +1,4 @@ -From 5dd7c8460230bd27170725bbb27014855652f356 Mon Sep 17 00:00:00 2001 +From 7030465cd94d22aef6824e46df69f82b256195c8 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 14 Feb 2014 12:32:12 -0500 Subject: [PATCH] Don't be verbose if you are not on a tty @@ -9,7 +9,7 @@ Content-type: text/plain 1 file changed, 1 insertion(+) diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index 166af6f360a2..ebe64563c7d7 100755 +index cb50fef3ca65..13ac07414c14 100755 --- a/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles @@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() { @@ -21,5 +21,5 @@ index 166af6f360a2..ebe64563c7d7 100755 THREADS="" RPMFILES="" -- -2.41.0 +2.44.0 diff --git a/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch b/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch deleted file mode 100644 index ed3f2a4..0000000 --- a/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 10542b4fde99a089950126b008105c14b9452da1 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 20 Aug 2015 12:58:41 +0200 -Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in - recent Fedoras -Content-type: text/plain - ---- - sandbox/sandboxX.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh -index eaa500d08143..4774528027ef 100644 ---- a/sandbox/sandboxX.sh -+++ b/sandbox/sandboxX.sh -@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF - - EOF - --(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do -+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do - export DISPLAY=:$D - cat > ~/seremote << __EOF - #!/bin/sh --- -2.41.0 - diff --git a/0003-sepolicy-generate-Handle-more-reserved-port-types.patch b/0002-sepolicy-generate-Handle-more-reserved-port-types.patch similarity index 96% rename from 0003-sepolicy-generate-Handle-more-reserved-port-types.patch rename to 0002-sepolicy-generate-Handle-more-reserved-port-types.patch index 20134a1..1ff3536 100644 --- a/0003-sepolicy-generate-Handle-more-reserved-port-types.patch +++ b/0002-sepolicy-generate-Handle-more-reserved-port-types.patch @@ -1,4 +1,4 @@ -From 6213773ec3a6364cac48eb39d8ecfb11b5addc12 Mon Sep 17 00:00:00 2001 +From 856ac05345d8557a38e82d012a4d13b4d34efd6f Mon Sep 17 00:00:00 2001 From: Masatake YAMATO Date: Thu, 14 Dec 2017 15:57:58 +0900 Subject: [PATCH] sepolicy-generate: Handle more reserved port types @@ -53,7 +53,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py -index b6df3e91160b..36a3ea1196b1 100644 +index adf65f27a822..f726ad51b775 100644 --- a/python/sepolicy/sepolicy/generate.py +++ b/python/sepolicy/sepolicy/generate.py @@ -100,7 +100,9 @@ def get_all_ports(): @@ -68,5 +68,5 @@ index b6df3e91160b..36a3ea1196b1 100644 dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) return dict -- -2.41.0 +2.44.0 diff --git a/0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch similarity index 79% rename from 0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch rename to 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch index a920866..91b36be 100644 --- a/0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +++ b/0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch @@ -1,4 +1,4 @@ -From 7bf4ac2438df52b259b9d3d539b9a9e889cc7424 Mon Sep 17 00:00:00 2001 +From 8f7a90cb77a79aaef2ceca75bc25679a7b17ff98 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Wed, 18 Jul 2018 09:09:35 +0200 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox @@ -11,7 +11,7 @@ Content-type: text/plain 3 files changed, 3 insertions(+), 17 deletions(-) diff --git a/sandbox/sandbox b/sandbox/sandbox -index a2762a7d215a..a32a33ea3cf6 100644 +index e3fd6119ed4d..e01425f0c637 100644 --- a/sandbox/sandbox +++ b/sandbox/sandbox @@ -270,7 +270,7 @@ class Sandbox: @@ -23,7 +23,7 @@ index a2762a7d215a..a32a33ea3cf6 100644 execfile = self.__homedir + "/.sandboxrc" fd = open(execfile, "w+") if self.__options.session: -@@ -369,7 +369,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- +@@ -370,7 +370,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- parser.add_option("-W", "--windowmanager", dest="wm", type="string", 
@@ -46,11 +46,11 @@ index 095b9e27042d..1c1870190e51 100644 \fB\-X\fR Create an X based Sandbox for gui apps, temporary files for diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh -index 4774528027ef..c211ebc14549 100644 +index 28169182ce42..e2a7ad9b2ac7 100644 --- a/sandbox/sandboxX.sh +++ b/sandbox/sandboxX.sh -@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 - [ -z $2 ] && export DPI="96" || export DPI="$2" +@@ -7,20 +7,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 + [ -z $3 ] && export DPI="96" || export DPI="$3" trap "exit 0" HUP -mkdir -p ~/.config/openbox @@ -67,9 +67,9 @@ index 4774528027ef..c211ebc14549 100644 - -EOF - - (/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do - export DISPLAY=:$D - cat > ~/seremote << __EOF + if [ "$WAYLAND_NATIVE" == "no" ]; then + if [ -z "$WAYLAND_DISPLAY" ]; then + DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null' -- -2.41.0 +2.44.0 diff --git a/0005-Use-SHA-2-instead-of-SHA-1.patch b/0004-Use-SHA-2-instead-of-SHA-1.patch similarity index 98% rename from 0005-Use-SHA-2-instead-of-SHA-1.patch rename to 0004-Use-SHA-2-instead-of-SHA-1.patch index 7025395..96f6d1d 100644 --- a/0005-Use-SHA-2-instead-of-SHA-1.patch +++ b/0004-Use-SHA-2-instead-of-SHA-1.patch @@ -1,4 +1,4 @@ -From 94859162dbf9d2ccd4ffb923720c654a4cb9150a Mon Sep 17 00:00:00 2001 +From 4884c917237e53e34d3fc75dcf4f07217cfd7584 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 30 Jul 2021 14:14:37 +0200 Subject: [PATCH] Use SHA-2 instead of SHA-1 @@ -174,5 +174,5 @@ index ee01725050bb..57c663a99d67 100644 and provided the .B \-n -- -2.41.0 +2.44.0 
diff --git a/0006-python-sepolicy-Fix-spec-file-dependencies.patch b/0005-python-sepolicy-Fix-spec-file-dependencies.patch similarity index 95% rename from 0006-python-sepolicy-Fix-spec-file-dependencies.patch rename to 0005-python-sepolicy-Fix-spec-file-dependencies.patch index 817224b..ff76509 100644 --- a/0006-python-sepolicy-Fix-spec-file-dependencies.patch +++ b/0005-python-sepolicy-Fix-spec-file-dependencies.patch @@ -1,4 +1,4 @@ -From f364324e66cb2bf014362c5c1d1b6a2bcf98d6ff Mon Sep 17 00:00:00 2001 +From cb1b3bdca016edaa90e92b49d51544f8a38cba19 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Tue, 30 May 2023 09:07:28 +0200 Subject: [PATCH] python/sepolicy: Fix spec file dependencies @@ -44,5 +44,5 @@ index 433c298a17e0..a6d4508bb670 100644 mid_section="""\ -- -2.41.0 +2.44.0 diff --git a/0007-sandbox-do-not-fail-without-xmodmap.patch b/0007-sandbox-do-not-fail-without-xmodmap.patch deleted file mode 100644 index 30af299..0000000 --- a/0007-sandbox-do-not-fail-without-xmodmap.patch +++ /dev/null @@ -1,30 +0,0 @@ -From daedef300edce80cf8ee20825292504104dc0221 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 9 May 2024 16:17:05 +0200 -Subject: [PATCH] sandbox: do not fail without xmodmap -Content-type: text/plain - -Signed-off-by: Petr Lautrbach ---- - sandbox/sandbox | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/sandbox/sandbox b/sandbox/sandbox -index 0dc25584dd98..be8722e3b8d3 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -479,7 +479,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - - xmodmapfile = self.__homedir + "/.xmodmap" - xd = open(xmodmapfile, "w") -- subprocess.Popen(["/usr/bin/xmodmap", "-pke"], stdout=xd).wait() -+ try: -+ subprocess.Popen(["/usr/bin/xmodmap", "-pke"], stdout=xd).wait() -+ except: -+ pass - xd.close() - - self.__setup_sandboxrc(self.__options.wm) --- -2.44.0 - 
diff --git a/0008-sandbox-do-not-run-window-manager-if-it-s-not-a-sess.patch b/0008-sandbox-do-not-run-window-manager-if-it-s-not-a-sess.patch deleted file mode 100644 index a033946..0000000 --- a/0008-sandbox-do-not-run-window-manager-if-it-s-not-a-sess.patch +++ /dev/null @@ -1,35 +0,0 @@ -From d6e533bde4a25e5cdbb9445dfef6080dcaa6f43e Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Tue, 20 Feb 2024 11:14:52 +0100 -Subject: [PATCH] sandbox: do not run window manager if it's not a session -Content-type: text/plain - -Signed-off-by: Petr Lautrbach ---- - sandbox/sandbox | 5 +---- - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/sandbox/sandbox b/sandbox/sandbox -index be8722e3b8d3..7ab98076fd2b 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -285,15 +285,12 @@ class Sandbox: - fd.write("""#! /bin/sh - #TITLE: %s - # /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap --%s & --WM_PID=$! - if which dbus-run-session >/dev/null 2>&1; then - dbus-run-session -- %s - else - dbus-launch --exit-with-session %s - fi --kill -TERM $WM_PID 2> /dev/null --""" % (command, wm, command, command)) -+""" % (command, command, command)) - fd.close() - os.chmod(execfile, 0o700) - --- -2.44.0 - diff --git a/0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch b/0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch deleted file mode 100644 index 11ffed4..0000000 --- a/0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch +++ /dev/null 
@@ -1,232 +0,0 @@ -From dde02ec582db3daa50ef09fdcfde025750f0575e Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Tue, 20 Feb 2024 11:11:56 +0100 -Subject: [PATCH] seunshare: Add [ -P pipewiresocket ] [ -W waylandsocket ] - options -Content-type: text/plain - -Mount /run/user/UID/ or /run/user/UID/ -inside unshared /run/user/UID directory - -Signed-off-by: Petr Lautrbach ---- - sandbox/seunshare.c | 120 +++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 113 insertions(+), 7 deletions(-) - -diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c -index 1d38ea92b9ae..106f625fcba5 100644 ---- a/sandbox/seunshare.c -+++ b/sandbox/seunshare.c -@@ -52,7 +52,8 @@ - - #define BUF_SIZE 1024 - #define DEFAULT_PATH "/usr/bin:/bin" --#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ") -+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] \ -+[ -r runuserdir ] [ -P pipewiresocket ] [ -W waylandsocket ] [ -Z CONTEXT ] -- executable [args] ") - - static int verbose = 0; - static int child = 0; -@@ -265,6 +266,10 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st - is_tmp = 1; - } - -+ if (strncmp("/run/user", dst, 9) == 0) { -+ flags = flags | MS_REC; -+ } -+ - /* mount directory */ - if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) { - fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno)); -@@ -289,6 +294,31 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st - - } - -+/** -+ * Mount directory and check that we mounted the right directory. 
-+ */ -+static int seunshare_mount_file(const char *src, const char *dst) -+{ -+ int flags = 0; -+ -+ if (verbose) -+ printf(_("Mounting %s on %s\n"), src, dst); -+ -+ if (access(dst, F_OK) == -1) { -+ FILE *fptr; -+ fptr = fopen(dst, "w"); -+ fclose(fptr); -+ } -+ /* mount file */ -+ if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) { -+ fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno)); -+ return -1; -+ } -+ -+ return 0; -+ -+} -+ - /* - If path is empty or ends with "/." or "/.. return -1 else return 0; - */ -@@ -616,6 +646,8 @@ killall (const char *execcon) - int main(int argc, char **argv) { - int status = -1; - const char *execcon = NULL; -+ const char *pipewire_socket = NULL; -+ const char *wayland_display = NULL; - - int clflag; /* holds codes for command line flags */ - int kill_all = 0; -@@ -641,6 +673,8 @@ int main(int argc, char **argv) { - {"verbose", 1, 0, 'v'}, - {"context", 1, 0, 'Z'}, - {"capabilities", 1, 0, 'C'}, -+ {"wayland", 1, 0, 'W'}, -+ {"pipewire", 1, 0, 'P'}, - {NULL, 0, 0, 0} - }; - -@@ -670,7 +704,7 @@ int main(int argc, char **argv) { - } - - while (1) { -- clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL); -+ clflag = getopt_long(argc, argv, "Ccvh:r:t:W:Z:", long_options, NULL); - if (clflag == -1) - break; - -@@ -693,6 +727,12 @@ int main(int argc, char **argv) { - case 'C': - cap_set = CAPNG_SELECT_CAPS; - break; -+ case 'P': -+ pipewire_socket = optarg; -+ break; -+ case 'W': -+ wayland_display = optarg; -+ break; - case 'Z': - execcon = optarg; - break; -@@ -767,8 +807,14 @@ int main(int argc, char **argv) { - char *display = NULL; - char *LANG = NULL; - char *RUNTIME_DIR = NULL; -+ char *XDG_SESSION_TYPE = NULL; - int rc = -1; - char *resolved_path = NULL; -+ char *wayland_path_s = NULL; /* /tmp/.../wayland-0 */ -+ char *wayland_path = NULL; /* /run/user/UID/wayland-0 */ -+ char *pipewire_path_s = NULL; /* /tmp/.../pipewire-0 */ -+ char *pipewire_path = NULL; /* 
/run/user/UID/pipewire-0 */ -+ - - if (unshare(CLONE_NEWNS) < 0) { - perror(_("Failed to unshare")); -@@ -805,6 +851,42 @@ int main(int argc, char **argv) { - } - } - -+ if ((XDG_SESSION_TYPE = getenv("XDG_SESSION_TYPE")) != NULL) { -+ if ((XDG_SESSION_TYPE = strdup(XDG_SESSION_TYPE)) == NULL) { -+ perror(_("Out of memory")); -+ goto childerr; -+ } -+ } -+ -+ if (runuserdir_s && (wayland_display || pipewire_socket)) { -+ if (wayland_display) { -+ if (asprintf(&wayland_path_s, "%s/%s", runuserdir_s, wayland_display) == -1) { -+ perror(_("Out of memory")); -+ goto childerr; -+ } -+ -+ if (asprintf(&wayland_path, "%s/%s", RUNTIME_DIR, wayland_display) == -1) { -+ perror(_("Out of memory")); -+ goto childerr; -+ } -+ -+ if (seunshare_mount_file(wayland_path, wayland_path_s) == -1) -+ goto childerr; -+ } -+ -+ if (pipewire_socket) { -+ if (asprintf(&pipewire_path_s, "%s/%s", runuserdir_s, pipewire_socket) == -1) { -+ perror(_("Out of memory")); -+ goto childerr; -+ } -+ if (asprintf(&pipewire_path, "%s/pipewire-0", RUNTIME_DIR) == -1) { -+ perror(_("Out of memory")); -+ goto childerr; -+ } -+ seunshare_mount_file(pipewire_path, pipewire_path_s); -+ } -+ } -+ - /* mount homedir, runuserdir and tmpdir, in this order */ - if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR, - &st_runuserdir_s) != 0) goto childerr; -@@ -816,10 +898,21 @@ int main(int argc, char **argv) { - if (drop_privs(uid) != 0) goto childerr; - - /* construct a new environment */ -- if ((display = getenv("DISPLAY")) != NULL) { -- if ((display = strdup(display)) == NULL) { -- perror(_("Out of memory")); -- goto childerr; -+ -+ if (XDG_SESSION_TYPE && strcmp(XDG_SESSION_TYPE, "wayland") == 0) { -+ if (wayland_display == NULL && (wayland_display = getenv("WAYLAND_DISPLAY")) != NULL) { -+ if ((wayland_display = strdup(wayland_display)) == NULL) { -+ perror(_("Out of memory")); -+ goto childerr; -+ } -+ } -+ } -+ else { -+ if ((display = getenv("DISPLAY")) != NULL) { -+ if ((display = 
strdup(display)) == NULL) { -+ perror(_("Out of memory")); -+ goto childerr; -+ } - } - } - -@@ -835,8 +928,16 @@ int main(int argc, char **argv) { - perror(_("Failed to clear environment")); - goto childerr; - } -- if (display) -+ if (display) { - rc |= setenv("DISPLAY", display, 1); -+ } -+ if (wayland_display) { -+ rc |= setenv("WAYLAND_DISPLAY", wayland_display, 1); -+ } -+ -+ if (XDG_SESSION_TYPE) -+ rc |= setenv("XDG_SESSION_TYPE", XDG_SESSION_TYPE, 1); -+ - if (LANG) - rc |= setenv("LANG", LANG, 1); - if (RUNTIME_DIR) -@@ -874,9 +975,14 @@ int main(int argc, char **argv) { - fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno)); - childerr: - free(resolved_path); -+ free(wayland_path); -+ free(wayland_path_s); -+ free(pipewire_path); -+ free(pipewire_path_s); - free(display); - free(LANG); - free(RUNTIME_DIR); -+ free(XDG_SESSION_TYPE); - exit(-1); - } - --- -2.44.0 - diff --git a/0010-sandbox-Add-support-for-Wayland.patch b/0010-sandbox-Add-support-for-Wayland.patch deleted file mode 100644 index 203c35f..0000000 --- a/0010-sandbox-Add-support-for-Wayland.patch +++ /dev/null 
@@ -1,133 +0,0 @@ -From 5d1224b87ea10f3026ecf53c4c448ac4655add04 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Tue, 20 Feb 2024 11:17:20 +0100 -Subject: [PATCH] sandbox: Add support for Wayland -Content-type: text/plain - -- use XWayland for X application if it's run in Wayland session -- run Wayland apps directly if it's run in Wayland session -- add sandbox -Y option to run run Wayland application - -Signed-off-by: Petr Lautrbach ---- - sandbox/sandbox | 26 ++++++++++++++++++++++++-- - sandbox/sandboxX.sh | 36 ++++++++++++++++++++++++------------ - 2 files changed, 48 insertions(+), 14 deletions(-) - -diff --git a/sandbox/sandbox b/sandbox/sandbox -index 7ab98076fd2b..009b5f4df8f2 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -344,6 +344,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - action="callback", callback=self.__x_callback, - default=False, help=_("run X application within a sandbox")) - -+ parser.add_option("-Y", dest="Y_ind", -+ action="callback", callback=self.__x_callback, -+ default=False, help=_("run Wayland application within a sandbox")) -+ - parser.add_option("-H", "--homedir", - action="callback", callback=self.__validdir, - type="string", -@@ -457,6 +461,16 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - selinux.chcon(self.__runuserdir, self.__filecon, recursive=True) - selinux.setfscreatecon(None) - -+ def __is_wayland_app(self): -+ binary = shutil.which(self.__paths[0]) -+ if binary is None: -+ return True -+ output = subprocess.run(['ldd', binary], capture_output=True) -+ for line in str(output.stdout, "utf-8").split('\n'): -+ if line.find("libwayland") != -1: -+ return "yes" -+ return False -+ - def __execute(self): - try: - cmds = [SEUNSHARE, "-Z", self.__execcon] -@@ -465,7 +479,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - if self.__mount: - cmds += ["-t", self.__tmpdir, "-h", self.__homedir, "-r", 
self.__runuserdir] - -- if self.__options.X_ind: -+ if self.__options.X_ind or self.__options.Y_ind: - if self.__options.dpi: - dpi = self.__options.dpi - else: -@@ -474,6 +488,9 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - from gi.repository import Gtk - dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024) - -+ if os.environ.get('WAYLAND_DISPLAY') is not None: -+ cmds += ["-W", os.environ["WAYLAND_DISPLAY"]] -+ - xmodmapfile = self.__homedir + "/.xmodmap" - xd = open(xmodmapfile, "w") - try: -@@ -484,7 +501,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - - self.__setup_sandboxrc(self.__options.wm) - -- cmds += ["--", SANDBOXSH, self.__options.windowsize, dpi] -+ if self.__options.Y_ind or self.__is_wayland_app(): -+ WN = "yes" -+ else: -+ WN = "no" -+ -+ cmds += ["--", SANDBOXSH, WN, self.__options.windowsize, dpi] - else: - cmds += ["--"] + self.__paths - return subprocess.Popen(cmds).wait() -diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh -index c211ebc14549..e2a7ad9b2ac7 100644 ---- a/sandbox/sandboxX.sh -+++ b/sandbox/sandboxX.sh -@@ -2,20 +2,32 @@ - trap "" TERM - context=`id -Z | secon -t -l -P` - export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`" --[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1" --[ -z $2 ] && export DPI="96" || export DPI="$2" -+[ -z $1 ] && export WAYLAND_NATIVE="no" || export WAYLAND_NATIVE="$1" -+[ -z $2 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$2" -+[ -z $3 ] && export DPI="96" || export DPI="$3" - trap "exit 0" HUP - --(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do -- export DISPLAY=:$D -- cat > ~/seremote << __EOF --#!/bin/sh --DISPLAY=$DISPLAY "\$@" -+if [ "$WAYLAND_NATIVE" == "no" ]; then -+ if [ -z "$WAYLAND_DISPLAY" ]; then -+ 
DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null' -+ else -+ DISPLAY_COMMAND='/usr/bin/Xwayland -terminate -dpi $DPI -retro -geometry $SCREENSIZE -decorate -displayfd 5 5>&1 2>/dev/null' -+ fi -+ eval $DISPLAY_COMMAND | while read D; do -+ export DISPLAY=:$D -+ cat > ~/seremote << __EOF -+#!/bin/bash -x -+export DISPLAY=$DISPLAY -+export WAYLAND_DISPLAY=$WAYLAND_DISPLAY -+"\$@" - __EOF -- chmod +x ~/seremote -+ chmod +x ~/seremote -+ /usr/share/sandbox/start $HOME/.sandboxrc -+ export EXITCODE=$? -+ kill -TERM 0 -+ break -+ done -+else - /usr/share/sandbox/start $HOME/.sandboxrc -- export EXITCODE=$? -- kill -TERM 0 -- break --done -+fi - exit 0 --- -2.44.0 - diff --git a/policycoreutils.spec b/policycoreutils.spec index 2471c1d..de9fd65 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,7 +1,7 @@ %global libauditver 3.0 -%global libsepolver 3.6-1 -%global libsemanagever 3.6-1 -%global libselinuxver 3.6-1 +%global libsepolver 3.7-1 +%global libsemanagever 3.7-1 +%global libselinuxver 3.7-1 %global generatorsdir %{_prefix}/lib/systemd/system-generators @@ -10,11 +10,11 @@ Summary: SELinux policy core utilities Name: policycoreutils -Version: 3.6 -Release: 5%{?dist} +Version: 3.7 +Release: 1%{?dist} License: GPL-2.0-or-later # https://github.com/SELinuxProject/selinux/wiki/Releases -Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/selinux-3.6.tar.gz +Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/selinux-3.7.tar.gz URL: https://github.com/SELinuxProject/selinux Source13: system-config-selinux.png Source14: sepolicy-icons.tgz 
@@ -33,19 +33,14 @@ Source22: selinux-gui.zip # wlc --key --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./ Source23: selinux-sandbox.zip # https://github.com/fedora-selinux/selinux -# $ git format-patch -N 3.6 -- policycoreutils python gui sandbox dbus semodule-utils restorecond +# $ git format-patch -N 3.7 -- policycoreutils python gui sandbox dbus semodule-utils restorecond # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done # Patch list start -Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch -Patch0002: 0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch -Patch0003: 0003-sepolicy-generate-Handle-more-reserved-port-types.patch -Patch0004: 0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch -Patch0005: 0005-Use-SHA-2-instead-of-SHA-1.patch -Patch0006: 0006-python-sepolicy-Fix-spec-file-dependencies.patch -Patch0007: 0007-sandbox-do-not-fail-without-xmodmap.patch -Patch0008: 0008-sandbox-do-not-run-window-manager-if-it-s-not-a-sess.patch -Patch0009: 0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch -Patch0010: 0010-sandbox-Add-support-for-Wayland.patch +Patch0001: 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +Patch0002: 0002-sepolicy-generate-Handle-more-reserved-port-types.patch +Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch +Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2 @@ -427,6 +422,9 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Thu Jun 27 2024 Petr Lautrbach - 3.7-1 +- SELinux userspace 3.7 release + * Mon Jun 24 2024 Troy Dawson - 3.6-5 - Bump release for June 2024 mass rebuild diff --git a/sources b/sources index 9d03d1f..322ed2e 100644 --- a/sources +++ b/sources 
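Review bot: The new %changelog entry at the end of the hunk says only `SELinux userspace 3.7 release`, while the Patch list in the same hunk drops 0001 (Xephyr -reset), 0007 and 0008 (sandbox xmodmap / window manager), 0009 (seunshare -P/-W sockets) and 0010 (sandbox Wayland) without recording why. The rebased 0003 patch earlier in this commit shows the 3.7 Xephyr line already without `-reset`, which suggests these downstream changes landed upstream, but that is an inference a reader of the changelog should not have to make. Suggest a second changelog line such as `- Drop downstream sandbox/seunshare patches carried in 3.6-x (now part of upstream 3.7)`, adjusting the wording if any of them was removed for a different reason.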
@@ -1,5 +1,5 @@
-SHA512 (selinux-3.6.tar.gz) = 15ba9c5901ec4dc1e9e24374ffe61216301335fb07c0d653692251a59f210628775852f22d7c5eb784a43b65c133fad983ba1e6159d72fd3fd16e87f9a335fb6
 SHA512 (selinux-policycoreutils.zip) = 0df9dc274e0d1a2e4e2467f95a18a5bf7b6de2428ac90a0a73d7f3bd766a897062af142ba3cf39cdb79565ba78af960bcd2e35865cc26e14bf2305321780c918
 SHA512 (selinux-python.zip) = 35d209f8bcff498f66465499fcc4cef0780781276a4ba060b2d1d56eed1dd72d253f6b0eae5f679d46cf426b967a7aadac909363513be5d483c95a31249eacdd
 SHA512 (selinux-sandbox.zip) = ecbc0c8280eb6c013b039a2e63ee5a361cd84807613962a012ac0a98092357e9809bea23c3c71bd8ae4745b1dd12a4fce43db5e1cab31614f386a2a8db88b733
 SHA512 (selinux-gui.zip) = 3ae41eba5dd6d34e10dfdb97f4194d170ace2f3044e984077db7d26d05bdaad86625e48e5694e3e8680487ad99a50861d4bea30c4bf08e2820e3b7a8671270c7
+SHA512 (selinux-3.7.tar.gz) = f16c3731e27a09306147ffd5b929f55357642da663326edf5837885b36e8fe763ba6a1d18e8ae4001f6091545d06bb11f2d9ed78d69711c0211fbb406bc52345