From b0ed1f8d212c9a4a6b9977608a08c8ba59a96b6b Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 20 Nov 2020 13:48:36 +0100
Subject: [PATCH] policycoreutils-3.1-7
- python/sepolicy: allow to override manpage date
- selinux_config(5): add a note that runtime disable is deprecated
---
 ...-add-a-note-that-runtime-disable-is-.patch | 29 +++++++++++
 ...olicy-allow-to-override-manpage-date.patch | 51 +++++++++++++++++++
 policycoreutils.spec | 15 ++++--
 3 files changed, 90 insertions(+), 5 deletions(-)
 create mode 100644 0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
 create mode 100644 0025-python-sepolicy-allow-to-override-manpage-date.patch
diff --git a/0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch b/0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
new file mode 100644
index 0000000..339cb4a
--- /dev/null
+++ b/0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
@@ -0,0 +1,29 @@
+From 99450e5c391f0e5b7da9234588123edca0993794 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Wed, 11 Nov 2020 17:23:40 +0100
+Subject: [PATCH] selinux_config(5): add a note that runtime disable is
+ deprecated
+
+...and refer to selinux(8), which explains it further.
+
+Signed-off-by: Ondrej Mosnacek
+---
+ policycoreutils/man/man5/selinux_config.5 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
+index 1ffade150128..58b42a0e234d 100644
+--- a/policycoreutils/man/man5/selinux_config.5
++++ b/policycoreutils/man/man5/selinux_config.5
+@@ -48,7 +48,7 @@ SELinux security policy is enforced.
+ .IP \fIpermissive\fR 4
+ SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
+ .IP \fIdisabled\fR
+-SELinux is disabled and no policy is loaded.
++No SELinux policy is loaded. This option was used to disable SELinux completely, which is now deprecated. Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
+ .RE
+ .sp
+ The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
+--
+2.29.2
+
diff --git a/0025-python-sepolicy-allow-to-override-manpage-date.patch b/0025-python-sepolicy-allow-to-override-manpage-date.patch
new file mode 100644
index 0000000..c205e6a
--- /dev/null
+++ b/0025-python-sepolicy-allow-to-override-manpage-date.patch
@@ -0,0 +1,51 @@
+From 794dbdb6b1336cae872f45b5adaa594796e4806b Mon Sep 17 00:00:00 2001
+From: "Bernhard M. Wiedemann"
+Date: Fri, 30 Oct 2020 22:53:09 +0100
+Subject: [PATCH] python/sepolicy: allow to override manpage date
+
+in order to make builds reproducible.
+See https://reproducible-builds.org/ for why this is good
+and https://reproducible-builds.org/specs/source-date-epoch/
+for the definition of this variable.
+
+This patch was done while working on reproducible builds for openSUSE.
+
+Signed-off-by: Bernhard M. Wiedemann
+---
+ python/sepolicy/sepolicy/manpage.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index 6a3e08fca58c..c013c0d48502 100755
+--- a/python/sepolicy/sepolicy/manpage.py
++++ b/python/sepolicy/sepolicy/manpage.py
+@@ -39,6 +39,8 @@ typealias_types = {
+ equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
+
+ equiv_dirs = ["/var"]
++man_date = time.strftime("%y-%m-%d", time.gmtime(
++ int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
+ modules_dict = None
+
+
+@@ -546,7 +548,7 @@ class ManPage:
+
+ def _typealias(self,typealias):
+ self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
+- % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
++ % {'typealias':typealias, 'date': man_date})
+ self.fd.write(r"""
+ .SH "NAME"
+ %(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
+@@ -565,7 +567,7 @@ man page for more details.
+
+ def _header(self):
+ self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
+- % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
++ % {'domainname': self.domainname, 'date': man_date})
+ self.fd.write(r"""
+ .SH "NAME"
+ %(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes
+--
+2.29.2
+
diff --git a/policycoreutils.spec b/policycoreutils.spec
index e734c79..6ce0202 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -1,8 +1,7 @@
 %global libauditver 3.0
-%global libsepolver 3.1-4
-%global libsemanagever 3.1-4
-%global libselinuxver 3.1-4
-%global sepolgenver 3.1-4
+%global libsepolver 3.1-5
+%global libsemanagever 3.1-5
+%global libselinuxver 3.1-5
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
@@ -12,7 +11,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 3.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/policycoreutils-3.1.tar.gz
@@ -61,6 +60,8 @@ Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
 Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
 Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
+Patch0024: 0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
+Patch0025: 0025-python-sepolicy-allow-to-override-manpage-date.patch
 # Patch list end
 Obsoletes: policycoreutils < 2.0.61-2
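Review bot: The new module-level `man_date` in the first manpage.py hunk of 0025-python-sepolicy-allow-to-override-manpage-date.patch parses `SOURCE_DATE_EPOCH` with a bare `int(...)` at import time, so an empty or non-numeric value fails every import of `sepolicy.manpage` with a `ValueError` that never names the variable, and an out-of-range integer presumably fails the same way inside `time.gmtime()`. Rejecting a malformed value is reasonable for a reproducible build, but the parse would be easier to diagnose in a small helper that reports the variable and its value, as sketched below. Passing the value through `int()` and `strftime()` does keep raw environment text out of the `.TH` line written by `_typealias` and `_header`, which deserves a comment such as `# SOURCE_DATE_EPOCH only reaches the roff header as a formatted date`. The unset case also moves from local time to UTC, and the module's imports are outside the hunk, so `os` being in scope should be confirmed.

```python
equiv_dirs = ["/var"]


def _manpage_date():
    # SOURCE_DATE_EPOCH only reaches the roff header as a formatted date.
    raw = os.environ.get('SOURCE_DATE_EPOCH')
    if raw is None:
        return time.strftime("%y-%m-%d", time.gmtime())
    try:
        return time.strftime("%y-%m-%d", time.gmtime(int(raw)))
    except (ValueError, OverflowError, OSError):
        raise ValueError("invalid SOURCE_DATE_EPOCH: %r" % raw)


man_date = _manpage_date()
# … unchanged: modules_dict and the ManPage hunks that use man_date …
```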
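Review bot: The `@@ -1,8 +1,7 @@` hunk of policycoreutils.spec removes `%global sepolgenver 3.1-4` without a replacement, and neither the commit message nor the new changelog entry mentions it. If a `%{sepolgenver}` reference remains elsewhere in the spec, which is not visible in this diff, rpm would likely leave the macro unexpanded in that tag. It is worth confirming that no use is left, or keeping the line as `%global sepolgenver 3.1-5`.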
@@ -538,6 +539,10 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Fri Nov 20 2020 Petr Lautrbach - 3.1-7
+- python/sepolicy: allow to override manpage date
+- selinux_config(5): add a note that runtime disable is deprecated
+
 * Mon Nov 9 2020 Petr Lautrbach - 3.1-6
 - Require latest setools