From ca66da29cd4429957b1c5b98dab6837e9fa6adad Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Wed, 16 Jul 2025 16:24:54 +0200
Subject: [PATCH] SELinux userspace 3.9 release
Resolves: RHEL-104006
---
 .gitignore | 2 +
 ...t-be-verbose-if-you-are-not-on-a-tty.patch | 2 +-
 ...rate-Handle-more-reserved-port-types.patch | 2 +-
 ...hbox-window-manager-instead-of-openb.patch | 2 +-
 0004-Use-SHA-2-instead-of-SHA-1.patch | 2 +-
 ...-sepolicy-Fix-spec-file-dependencies.patch | 2 +-
 ...Fix-detection-of-writeable-locations.patch | 2 +-
 ...licy-use-multiprocessing-fork-method.patch | 58 --------------
 ...utils-use-pkg-config-for-libsemanage.patch | 76 -------------------
 ...Make-pkg-config-work-for-more-types-.patch | 40 ----------
 changelog | 3 +
 policycoreutils.spec | 19 ++---
 sources | 4 +-
 13 files changed, 21 insertions(+), 193 deletions(-)
 delete mode 100644 0007-sepolicy-use-multiprocessing-fork-method.patch
 delete mode 100644 0008-policycoreutils-use-pkg-config-for-libsemanage.patch
 delete mode 100644 0009-Policycoreutils-Make-pkg-config-work-for-more-types-.patch
diff --git a/.gitignore b/.gitignore
index 2bcddbf..5686001 100644
--- a/.gitignore
+++ b/.gitignore
@@ -365,3 +365,5 @@ policycoreutils-2.0.83.tgz
 /selinux-3.8.tar.gz.asc
 /selinux-3.9-rc2.tar.gz
 /selinux-3.9-rc2.tar.gz.asc
+/selinux-3.9.tar.gz
+/selinux-3.9.tar.gz.asc
diff --git a/0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
index cfadc13..0f81963 100644
--- a/0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+++ b/0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
@@ -1,4 +1,4 @@
-From 8bbb7a654825223fccf5839d208cfc091a78d979 Mon Sep 17 00:00:00 2001
+From ce28d432bef8d1a346054b56a989e58533fecfa7 Mon Sep 17 00:00:00 2001
 From: Dan Walsh
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty
diff --git a/0002-sepolicy-generate-Handle-more-reserved-port-types.patch b/0002-sepolicy-generate-Handle-more-reserved-port-types.patch
index 2f528ee..39b1382 100644
--- a/0002-sepolicy-generate-Handle-more-reserved-port-types.patch
+++ b/0002-sepolicy-generate-Handle-more-reserved-port-types.patch
@@ -1,4 +1,4 @@
-From 0acd95264dadf06ad93591c949f6e8aebb559c11 Mon Sep 17 00:00:00 2001
+From 618ae48ebf1334f9380a9ae7460c553515f9c4ca Mon Sep 17 00:00:00 2001
 From: Masatake YAMATO
 Date: Thu, 14 Dec 2017 15:57:58 +0900
 Subject: [PATCH] sepolicy-generate: Handle more reserved port types
diff --git a/0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
index c772fe1..7e6554b 100644
--- a/0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+++ b/0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
@@ -1,4 +1,4 @@
-From af70b132b985fd7fe7bf4e085082f7e821d54452 Mon Sep 17 00:00:00 2001
+From 16fd581da479f80b8f8ff8ae8ff58a4f0a610d54 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Wed, 18 Jul 2018 09:09:35 +0200
 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
diff --git a/0004-Use-SHA-2-instead-of-SHA-1.patch b/0004-Use-SHA-2-instead-of-SHA-1.patch
index df1a7e0..6531704 100644
--- a/0004-Use-SHA-2-instead-of-SHA-1.patch
+++ b/0004-Use-SHA-2-instead-of-SHA-1.patch
@@ -1,4 +1,4 @@
-From 661202f1fadb8b233df5ec92f620c866390304f6 Mon Sep 17 00:00:00 2001
+From 1a3fc195c6dc7fe51ef76e4484910f7b41161ccc Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Fri, 30 Jul 2021 14:14:37 +0200
 Subject: [PATCH] Use SHA-2 instead of SHA-1
diff --git a/0005-python-sepolicy-Fix-spec-file-dependencies.patch b/0005-python-sepolicy-Fix-spec-file-dependencies.patch
index 1c423d7..6d7ab38 100644
--- a/0005-python-sepolicy-Fix-spec-file-dependencies.patch
+++ b/0005-python-sepolicy-Fix-spec-file-dependencies.patch
@@ -1,4 +1,4 @@
-From 38e0ac0e99462a6e792e57fffa7b32498715f7f4 Mon Sep 17 00:00:00 2001
+From 84b051139ab536519cc8e9c333483475d830d40b Mon Sep 17 00:00:00 2001
 From: Vit Mojzis
 Date: Tue, 30 May 2023 09:07:28 +0200
 Subject: [PATCH] python/sepolicy: Fix spec file dependencies
diff --git a/0006-sepolicy-Fix-detection-of-writeable-locations.patch b/0006-sepolicy-Fix-detection-of-writeable-locations.patch
index f423961..2cd313a 100644
--- a/0006-sepolicy-Fix-detection-of-writeable-locations.patch
+++ b/0006-sepolicy-Fix-detection-of-writeable-locations.patch
@@ -1,4 +1,4 @@
-From 6773c49ffa8091d67452f4831defbe84e47bbd5b Mon Sep 17 00:00:00 2001
+From 98cd707e8106e9e77b179bccbeb4fd4004b4c601 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach
 Date: Mon, 5 May 2025 18:28:40 +0200
 Subject: [PATCH] sepolicy: Fix detection of writeable locations
diff --git a/0007-sepolicy-use-multiprocessing-fork-method.patch b/0007-sepolicy-use-multiprocessing-fork-method.patch
deleted file mode 100644
index 7af3c2c..0000000
--- a/0007-sepolicy-use-multiprocessing-fork-method.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -From cfec5c81d6513791a170d101cf2f27773f3052f1 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Mon, 30 Jun 2025 11:20:56 +0200 -Subject: [PATCH] sepolicy: use multiprocessing 'fork' method - -'fork' was the default starting method in Python before 3.14 and it's -necessary for this code to work correctly - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2374569 - - sh-5.2# sepolicy manpage -a -p /builddir/build/BUILD/selinux-policy-41.43-build/BUILDROOT/usr/share/man/man8/ -w -r /builddir/build/BUILD/selinux-policy-41.43-build/BUILDROOT - ValueError: No SELinux Policy installed - Exception ignored while calling deallocator : - Traceback (most recent call last): - File "/usr/lib64/python3.14/multiprocessing/pool.py", line 271, in __del__ - self._change_notifier.put(None) - File "/usr/lib64/python3.14/multiprocessing/queues.py", line 397, in put - self._writer.send_bytes(obj) - File "/usr/lib64/python3.14/multiprocessing/connection.py", line 206, in send_bytes - self._send_bytes(m[offset:offset + size]) - File "/usr/lib64/python3.14/multiprocessing/connection.py", line 444, in _send_bytes - self._send(header + buf) - File "/usr/lib64/python3.14/multiprocessing/connection.py", line 400, in _send - n = write(self._handle, buf) - BrokenPipeError: [Errno 32] Broken pipe - -Signed-off-by: Petr Lautrbach -Acked-by: James Carter ---- - python/sepolicy/sepolicy.py | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py -index 82ff6af2..febb2fc1 100755 ---- a/python/sepolicy/sepolicy.py -+++ b/python/sepolicy/sepolicy.py -@@ -25,7 +25,7 @@ import os - import sys - import selinux - import sepolicy --from multiprocessing import Pool -+import multiprocessing - from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text - import argparse - PROGNAME = "selinux-python" -@@ -350,7 +350,8 @@ def manpage(args): - - manpage_domains = set() - manpage_roles = 
set() -- p = Pool() -+ multiprocessing.set_start_method('fork') -+ p = multiprocessing.Pool() - async_results = [] - for domain in test_domains: - async_results.append(p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web])) --- -2.49.0 - diff --git a/0008-policycoreutils-use-pkg-config-for-libsemanage.patch b/0008-policycoreutils-use-pkg-config-for-libsemanage.patch deleted file mode 100644 index a3f053a..0000000 --- a/0008-policycoreutils-use-pkg-config-for-libsemanage.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 21955dcb5a201b0ec0487b3f1aa1da052afd9b97 Mon Sep 17 00:00:00 2001 -From: Alyssa Ross -Date: Wed, 25 Jun 2025 12:41:03 +0200 -Subject: [PATCH] policycoreutils: use pkg-config for libsemanage - -libaudit and libbz2 are only required to be in the linker path for -static builds. For dynamic builds, they'll be discovered through ELF -metadata. pkg-config knows how to do the right thing in both cases, -so just use it rather than listing libsemanage's dependencies -manually. - -Fixes: da6cd3d8 ("Support static-only builds") -Closes: https://lore.kernel.org/r/87bjqebpre.fsf@redhat.com -Signed-off-by: Alyssa Ross -Acked-by: James Carter ---- - policycoreutils/Makefile | 3 ++- - policycoreutils/semodule/Makefile | 3 +-- - policycoreutils/setsebool/Makefile | 3 +-- - 3 files changed, 4 insertions(+), 5 deletions(-) - -diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile -index 7acd51dd..0f3d62f2 100644 ---- a/policycoreutils/Makefile -+++ b/policycoreutils/Makefile -@@ -3,7 +3,8 @@ SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setseboo - PKG_CONFIG ?= pkg-config - - LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux) --export LIBSELINUX_LDLIBS -+LIBSEMANAGE_LDLIBS := $(shell $(PKG_CONFIG) --libs libsemanage) -+export LIBSELINUX_LDLIBS LIBSEMANAGE_LDLIBS - - all install relabel clean indent: - @for subdir in $(SUBDIRS); do \ -diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile -index 7c45831f..018ee2ca 100644 ---- a/policycoreutils/semodule/Makefile -+++ b/policycoreutils/semodule/Makefile -@@ -7,12 +7,11 @@ MANDIR = $(PREFIX)/share/man - CFLAGS ?= -Werror -Wall -W - override CFLAGS += -I../../libselinux/include -I../../libsemanage/include - override LDFLAGS+= -L../../libselinux/src -L../../libsemanage/src --override LDLIBS += -lsemanage -lsepol $(LIBSELINUX_LDLIBS) -+override LDLIBS += $(LIBSEMANAGE_LDLIBS) -lsepol $(LIBSELINUX_LDLIBS) - SEMODULE_OBJS = semodule.o - - all: 
semodule genhomedircon - --semodule: LDLIBS += -laudit -lbz2 - semodule: $(SEMODULE_OBJS) - - genhomedircon: -diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile -index 1d514846..87494c55 100644 ---- a/policycoreutils/setsebool/Makefile -+++ b/policycoreutils/setsebool/Makefile -@@ -8,14 +8,13 @@ BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions - CFLAGS ?= -Werror -Wall -W - override CFLAGS += -I../../libselinux/include -I../../libsemanage/include - override LDFLAGS+= -L../../libselinux/src -L../../libsemanage/src --override LDLIBS += -lsemanage $(LIBSELINUX_LDLIBS) -+override LDLIBS += $(LIBSEMANAGE_LDLIBS) $(LIBSELINUX_LDLIBS) - SETSEBOOL_OBJS = setsebool.o - - BASHCOMPLETIONS=setsebool-bash-completion.sh - - all: setsebool - --setsebool: LDLIBS += -laudit -lbz2 - setsebool: $(SETSEBOOL_OBJS) - - install: all --- -2.49.0 - diff --git a/0009-Policycoreutils-Make-pkg-config-work-for-more-types-.patch b/0009-Policycoreutils-Make-pkg-config-work-for-more-types-.patch deleted file mode 100644 index 7e9ef38..0000000 --- a/0009-Policycoreutils-Make-pkg-config-work-for-more-types-.patch +++ /dev/null 
@@ -1,40 +0,0 @@
-From 0ca24e16ece36e6c45a50be350f82495abc742ec Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Tue, 1 Jul 2025 09:01:43 -0400
-Subject: [PATCH] Policycoreutils: Make pkg-config work for more types of
- builds
-
-To support static builds, pkg-config is used to add the libraries
-needed for libselinux and libsemanage during the build. Unforunately,
-pkg-config will always use the installed pc files for libselinux and
-libsemanage.
-
-Instead set PKG_CONFIG_PATH when invoking pkg-config so that
-it searches in order:
-1) The directory specified by PKG_CONFIG_PATH, if already set.
-2) The local src directories of libselinux and libsemaange.
-3) The default directories specified by the system.
-
-Signed-off-by: James Carter
----
- policycoreutils/Makefile | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
-index 0f3d62f2..7c9706e3 100644
---- a/policycoreutils/Makefile
-+++ b/policycoreutils/Makefile
-@@ -2,8 +2,8 @@ SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setseboo
-
- PKG_CONFIG ?= pkg-config
-
--LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
--LIBSEMANAGE_LDLIBS := $(shell $(PKG_CONFIG) --libs libsemanage)
-+LIBSELINUX_LDLIBS := $(shell PKG_CONFIG_PATH="$(PKG_CONFIG_PATH):../libselinux/src" $(PKG_CONFIG) --libs libselinux)
-+LIBSEMANAGE_LDLIBS := $(shell PKG_CONFIG_PATH="$(PKG_CONFIG_PATH):../libsemanage/src" $(PKG_CONFIG) --libs libsemanage)
- export LIBSELINUX_LDLIBS LIBSEMANAGE_LDLIBS
-
- all install relabel clean indent:
---
-2.49.0
-
diff --git a/changelog b/changelog
index 119245f..92fceab 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,6 @@
+* Wed Jul 23 2025 Vit Mojzis - 3.9-1
+- SELinux userspace 3.9 release
+
 * Fri Jul 04 2025 Petr Lautrbach - 3.9-0.rc2.1
 - SELinux userspace 3.9-rc2 release
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 8a163dd..456a3f2 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -1,7 +1,7 @@
 %global libauditver 3.0
-%global libsepolver 3.9-0
-%global libsemanagever 3.9-0
-%global libselinuxver 3.9-0
+%global libsepolver 3.9-1
+%global libsemanagever 3.9-1
+%global libselinuxver 3.9-1
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
@@ -11,11 +11,11 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 3.9
-Release: 0.rc2.1%{?dist}
+Release: 1%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}-rc2/selinux-%{version}-rc2.tar.gz
-Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}-rc2/selinux-%{version}-rc2.tar.gz.asc
+Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz
+Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz.asc
 Source2: https://github.com/bachradsusi.gpg
 URL: https://github.com/SELinuxProject/selinux
 Source13: system-config-selinux.png
@@ -35,7 +35,7 @@ Source22: selinux-gui.zip
 # wlc --key --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./
 Source23: selinux-sandbox.zip
 # https://github.com/fedora-selinux/selinux
-# $ git format-patch -N 3.9-rc2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
+# $ git format-patch -N 3.9 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
 # Patch list start
 Patch0001: 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
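Review bot: The new `Source0`/`Source1` lines switch to the final 3.9 tarball and its detached signature, but nothing next to the unchanged `Source2: https://github.com/bachradsusi.gpg` records which signing key the `%{gpgverify}` call in `%prep` is expected to trust. That URL is a per-account endpoint whose content can change, so a refreshed keyring file would quietly become the new trust anchor for every later release bump; presumably the copy used at build time is committed alongside the spec, but that is not visible in this diff, and the `sources` hunk lists SHA512 entries only for the tarball, its `.asc` and the zip files. Consider a comment above `Source2` such as `# Upstream release signing key, fingerprint <EXPECTED-FINGERPRINT>; re-check out of band whenever this keyring file changes`.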
@@ -44,9 +44,6 @@ Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch
 Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch
 Patch0006: 0006-sepolicy-Fix-detection-of-writeable-locations.patch
-Patch0007: 0007-sepolicy-use-multiprocessing-fork-method.patch
-Patch0008: 0008-policycoreutils-use-pkg-config-for-libsemanage.patch
-Patch0009: 0009-Policycoreutils-Make-pkg-config-work-for-more-types-.patch
 # Patch list end
 Obsoletes: policycoreutils < 2.0.61-2
@@ -84,7 +81,7 @@ to switch roles.
 %prep -p /usr/bin/bash
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup -p 1 -n selinux-%{version}-rc2
+%autosetup -p 1 -n selinux-%{version}
 cp %{SOURCE13} gui/
 tar -xvf %{SOURCE14} -C python/sepolicy/
diff --git a/sources b/sources
index 26bad72..2f274a6 100644
--- a/sources
+++ b/sources
@@ -2,5 +2,5 @@ SHA512 (selinux-policycoreutils.zip) = 0df9dc274e0d1a2e4e2467f95a18a5bf7b6de2428
 SHA512 (selinux-python.zip) = 35d209f8bcff498f66465499fcc4cef0780781276a4ba060b2d1d56eed1dd72d253f6b0eae5f679d46cf426b967a7aadac909363513be5d483c95a31249eacdd
 SHA512 (selinux-sandbox.zip) = ecbc0c8280eb6c013b039a2e63ee5a361cd84807613962a012ac0a98092357e9809bea23c3c71bd8ae4745b1dd12a4fce43db5e1cab31614f386a2a8db88b733
 SHA512 (selinux-gui.zip) = 3ae41eba5dd6d34e10dfdb97f4194d170ace2f3044e984077db7d26d05bdaad86625e48e5694e3e8680487ad99a50861d4bea30c4bf08e2820e3b7a8671270c7
-SHA512 (selinux-3.9-rc2.tar.gz) = d05d7633826154007117fc17a22de5dfb5f929fa124123341e98039ecf68a133b9ca70c575ca5e4aaa390daa930ffb6dda43b016b9cfcda8d8a901fb5204ba89
-SHA512 (selinux-3.9-rc2.tar.gz.asc) = 0fec5c55f48978829bbb61ac9e3330fbd42be08ecc89b9abb318ccd86feda41f7a5dea58aef73979c471b95b539202336a7336feb8c9014e32c7d7684ed081f1
+SHA512 (selinux-3.9.tar.gz) = ccfe9c8907ef50e35cda1e8282a4e02e8d2e1749dabde856343f236724214c89d0bcd4e799f383961b990c5fb9a6b0191880a478a8930af447951c8b36689720
+SHA512 (selinux-3.9.tar.gz.asc) = 598498e3919c72e1b7e6db85250ac7b1ff26e33598fb94c29ee74569dddee407fca73961d9fbb245ecf5ff5a7ee0eaa83031f79b7f0b2d89661119d45bbf5954