diff --git a/libselinux-fedora.patch b/libselinux-fedora.patch index cf66e24..cb3d29b 100644 --- a/libselinux-fedora.patch +++ b/libselinux-fedora.patch @@ -1,474 +1,27 @@ diff --git libselinux-2.7/Makefile libselinux-2.7/Makefile -index 1ecab17..1f507fb 100644 +index 1ecab17..16531fe 100644 --- libselinux-2.7/Makefile +++ libselinux-2.7/Makefile -@@ -1,4 +1,4 @@ --SUBDIRS = src include utils man -+SUBDIRS = src include utils man golang +@@ -21,13 +21,14 @@ export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST - PKG_CONFIG ?= pkg-config - DISABLE_SETRANS ?= n -diff --git libselinux-2.7/golang/Makefile libselinux-2.7/golang/Makefile -new file mode 100644 -index 0000000..b75677b ---- /dev/null -+++ libselinux-2.7/golang/Makefile -@@ -0,0 +1,22 @@ -+# Installation directories. -+PREFIX ?= $(DESTDIR)/usr -+LIBDIR ?= $(DESTDIR)/usr/lib -+GODIR ?= $(LIBDIR)/golang/src/pkg/github.com/selinux -+all: -+ -+install: -+ [ -d $(GODIR) ] || mkdir -p $(GODIR) -+ install -m 644 selinux.go $(GODIR) -+ -+test: -+ @mkdir selinux -+ @cp selinux.go selinux -+ GOPATH=$(pwd) go run test.go -+ @rm -rf selinux -+ -+clean: -+ @rm -f *~ -+ @rm -rf selinux -+indent: -+ -+relabel: -diff --git libselinux-2.7/golang/selinux.go libselinux-2.7/golang/selinux.go -new file mode 100644 -index 0000000..34bf6bb ---- /dev/null -+++ libselinux-2.7/golang/selinux.go -@@ -0,0 +1,412 @@ -+package selinux -+ -+/* -+ The selinux package is a go bindings to libselinux required to add selinux -+ support to docker. -+ -+ Author Dan Walsh -+ -+ Used some ideas/code from the go-ini packages https://github.com/vaughan0 -+ By Vaughan Newton -+*/ -+ -+// #cgo pkg-config: libselinux -+// #include -+// #include -+import "C" -+import ( -+ "bufio" -+ "crypto/rand" -+ "encoding/binary" -+ "fmt" -+ "io" -+ "os" -+ "path" -+ "path/filepath" -+ "regexp" -+ "strings" -+ "unsafe" -+) -+ -+var ( -+ assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`) -+ mcsList = make(map[string]bool) -+) -+ -+func Matchpathcon(path string, mode os.FileMode) (string, error) { -+ var con C.security_context_t -+ var scon string -+ rc, err := C.matchpathcon(C.CString(path), C.mode_t(mode), &con) -+ if rc == 0 { -+ scon = C.GoString(con) -+ C.free(unsafe.Pointer(con)) -+ } -+ return scon, err -+} -+ -+func Setfilecon(path, scon string) (int, error) { -+ rc, err := C.lsetfilecon(C.CString(path), C.CString(scon)) -+ return int(rc), err -+} -+ -+func Getfilecon(path string) (string, error) { -+ var scon C.security_context_t -+ var fcon string -+ rc, err := C.lgetfilecon(C.CString(path), &scon) -+ if rc >= 0 { -+ fcon = C.GoString(scon) -+ err = nil -+ } -+ return fcon, err -+} -+ -+func Setfscreatecon(scon string) (int, error) { -+ var ( -+ rc C.int -+ err error -+ ) -+ if scon != "" { -+ rc, err = C.setfscreatecon(C.CString(scon)) -+ } else { -+ rc, err = C.setfscreatecon(nil) -+ } -+ return int(rc), err -+} -+ -+func Getfscreatecon() (string, error) { -+ var scon C.security_context_t -+ var fcon string -+ rc, err := C.getfscreatecon(&scon) -+ if rc >= 0 { -+ fcon = C.GoString(scon) -+ err = nil -+ C.freecon(scon) -+ } -+ return fcon, err -+} -+ -+func Getcon() string { -+ var pcon C.security_context_t -+ C.getcon(&pcon) -+ scon := C.GoString(pcon) -+ C.freecon(pcon) -+ return scon -+} -+ -+func Getpidcon(pid int) (string, error) { -+ var pcon C.security_context_t -+ var scon string -+ rc, err := C.getpidcon(C.pid_t(pid), &pcon) -+ if rc >= 0 { -+ scon = C.GoString(pcon) -+ C.freecon(pcon) -+ err = nil -+ } -+ return scon, err -+} -+ -+func Getpeercon(socket int) (string, error) { -+ var pcon C.security_context_t -+ var scon string -+ rc, err := C.getpeercon(C.int(socket), &pcon) -+ if rc >= 0 { -+ scon = C.GoString(pcon) -+ C.freecon(pcon) -+ err = nil -+ } -+ return scon, err -+} -+ -+func Setexeccon(scon string) error { -+ var val *C.char -+ if !SelinuxEnabled() { -+ return nil -+ } -+ if scon != "" { -+ val = C.CString(scon) -+ } else { -+ val = nil -+ } -+ _, err := C.setexeccon(val) -+ return err -+} -+ -+type Context struct { -+ con []string -+} -+ -+func (c *Context) SetUser(user string) { -+ c.con[0] = user -+} -+func (c *Context) GetUser() string { -+ return c.con[0] -+} -+func (c *Context) SetRole(role string) { -+ c.con[1] = role -+} -+func (c *Context) GetRole() string { -+ return c.con[1] -+} -+func (c *Context) SetType(setype string) { -+ c.con[2] = setype -+} -+func (c *Context) GetType() string { -+ return c.con[2] -+} -+func (c *Context) SetLevel(mls string) { -+ c.con[3] = mls -+} -+func (c *Context) GetLevel() string { -+ return c.con[3] -+} -+func (c *Context) Get() string { -+ return strings.Join(c.con, ":") -+} -+func (c *Context) Set(scon string) { -+ c.con = strings.SplitN(scon, ":", 4) -+} -+func NewContext(scon string) Context { -+ var con Context -+ con.Set(scon) -+ return con -+} -+ -+func SelinuxEnabled() bool { -+ b := C.is_selinux_enabled() -+ if b > 0 { -+ return true -+ } -+ return false -+} -+ -+const ( -+ Enforcing = 1 -+ Permissive = 0 -+ Disabled = -1 -+) -+ -+func SelinuxGetEnforce() int { -+ return int(C.security_getenforce()) -+} -+ -+func SelinuxGetEnforceMode() int { -+ var enforce C.int -+ C.selinux_getenforcemode(&enforce) -+ return int(enforce) -+} -+ -+func mcsAdd(mcs string) { -+ mcsList[mcs] = true -+} -+ -+func mcsDelete(mcs string) { -+ mcsList[mcs] = false -+} -+ -+func mcsExists(mcs string) bool { -+ return mcsList[mcs] -+} -+ -+func IntToMcs(id int, catRange uint32) string { -+ if (id < 1) || (id > 523776) { -+ return "" -+ } -+ -+ SETSIZE := int(catRange) -+ TIER := SETSIZE -+ -+ ORD := id -+ for ORD > TIER { -+ ORD = ORD - TIER -+ TIER -= 1 -+ } -+ TIER = SETSIZE - TIER -+ ORD = ORD + TIER -+ return fmt.Sprintf("s0:c%d,c%d", TIER, ORD) -+} -+ -+func uniqMcs(catRange uint32) string { -+ var n uint32 -+ var c1, c2 uint32 -+ var mcs string -+ for { -+ binary.Read(rand.Reader, binary.LittleEndian, &n) -+ c1 = n % catRange -+ binary.Read(rand.Reader, binary.LittleEndian, &n) -+ c2 = n % catRange -+ if c1 == c2 { -+ continue -+ } else { -+ if c1 > c2 { -+ t := c1 -+ c1 = c2 -+ c2 = t -+ } -+ } -+ mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2) -+ if mcsExists(mcs) { -+ continue -+ } -+ mcsAdd(mcs) -+ break -+ } -+ return mcs -+} -+func freeContext(processLabel string) { -+ var scon Context -+ scon = NewContext(processLabel) -+ mcsDelete(scon.GetLevel()) -+} -+ -+func GetLxcContexts() (processLabel string, fileLabel string) { -+ var val, key string -+ var bufin *bufio.Reader -+ if !SelinuxEnabled() { -+ return -+ } -+ lxcPath := C.GoString(C.selinux_lxc_contexts_path()) -+ fileLabel = "system_u:object_r:svirt_sandbox_file_t:s0" -+ processLabel = "system_u:system_r:svirt_lxc_net_t:s0" -+ -+ in, err := os.Open(lxcPath) -+ if err != nil { -+ goto exit -+ } -+ -+ defer in.Close() -+ bufin = bufio.NewReader(in) -+ -+ for done := false; !done; { -+ var line string -+ if line, err = bufin.ReadString('\n'); err != nil { -+ if err == io.EOF { -+ done = true -+ } else { -+ goto exit -+ } -+ } -+ line = strings.TrimSpace(line) -+ if len(line) == 0 { -+ // Skip blank lines -+ continue -+ } -+ if line[0] == ';' || line[0] == '#' { -+ // Skip comments -+ continue -+ } -+ if groups := assignRegex.FindStringSubmatch(line); groups != nil { -+ key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2]) -+ if key == "process" { -+ processLabel = strings.Trim(val, "\"") -+ } -+ if key == "file" { -+ fileLabel = strings.Trim(val, "\"") -+ } -+ } -+ } -+exit: -+ var scon Context -+ mcs := IntToMcs(os.Getpid(), 1024) -+ scon = NewContext(processLabel) -+ scon.SetLevel(mcs) -+ processLabel = scon.Get() -+ scon = NewContext(fileLabel) -+ scon.SetLevel(mcs) -+ fileLabel = scon.Get() -+ return processLabel, fileLabel -+} -+ -+func CopyLevel(src, dest string) (string, error) { -+ if !SelinuxEnabled() { -+ return "", nil -+ } -+ if src == "" { -+ return "", nil -+ } -+ rc, err := C.security_check_context(C.CString(src)) -+ if rc != 0 { -+ return "", err -+ } -+ rc, err = C.security_check_context(C.CString(dest)) -+ if rc != 0 { -+ return "", err -+ } -+ scon := NewContext(src) -+ tcon := NewContext(dest) -+ tcon.SetLevel(scon.GetLevel()) -+ return tcon.Get(), nil -+} -+ -+func RestoreCon(fpath string, recurse bool) error { -+ var flabel string -+ var err error -+ var fs os.FileInfo -+ -+ if !SelinuxEnabled() { -+ return nil -+ } -+ -+ if recurse { -+ var paths []string -+ var err error -+ -+ if paths, err = filepath.Glob(path.Join(fpath, "**", "*")); err != nil { -+ return fmt.Errorf("Unable to find directory %v: %v", fpath, err) -+ } -+ -+ for _, fpath := range paths { -+ if err = RestoreCon(fpath, false); err != nil { -+ return fmt.Errorf("Unable to restore selinux context for %v: %v", fpath, err) -+ } -+ } -+ return nil -+ } -+ if fs, err = os.Stat(fpath); err != nil { -+ return fmt.Errorf("Unable stat %v: %v", fpath, err) -+ } -+ -+ if flabel, err = Matchpathcon(fpath, fs.Mode()); flabel == "" { -+ return fmt.Errorf("Unable to get context for %v: %v", fpath, err) -+ } -+ -+ if rc, err := Setfilecon(fpath, flabel); rc != 0 { -+ return fmt.Errorf("Unable to set selinux context for %v: %v", fpath, err) -+ } -+ -+ return nil -+} -+ -+func Test() { -+ var plabel, flabel string -+ if !SelinuxEnabled() { -+ return -+ } -+ -+ plabel, flabel = GetLxcContexts() -+ fmt.Println(plabel) -+ fmt.Println(flabel) -+ freeContext(plabel) -+ plabel, flabel = GetLxcContexts() -+ fmt.Println(plabel) -+ fmt.Println(flabel) -+ freeContext(plabel) -+ if SelinuxEnabled() { -+ fmt.Println("Enabled") -+ } else { -+ fmt.Println("Disabled") -+ } -+ fmt.Println("getenforce ", SelinuxGetEnforce()) -+ fmt.Println("getenforcemode ", SelinuxGetEnforceMode()) -+ flabel, _ = Matchpathcon("/home/dwalsh/.emacs", 0) -+ fmt.Println(flabel) -+ pid := os.Getpid() -+ fmt.Printf("PID:%d MCS:%s\n", pid, IntToMcs(pid, 1023)) -+ fmt.Println(Getcon()) -+ fmt.Println(Getfilecon("/etc/passwd")) -+ fmt.Println(Getpidcon(1)) -+ Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0") -+ fmt.Println(Getfscreatecon()) -+ Setfscreatecon("") -+ fmt.Println(Getfscreatecon()) -+ fmt.Println(Getpidcon(1)) -+} -diff --git libselinux-2.7/golang/test.go libselinux-2.7/golang/test.go -new file mode 100644 -index 0000000..fed6de8 ---- /dev/null -+++ libselinux-2.7/golang/test.go -@@ -0,0 +1,9 @@ -+package main -+ -+import ( -+ "./selinux" -+) -+ -+func main() { -+ selinux.Test() -+} + USE_PCRE2 ?= n + ifeq ($(USE_PCRE2),y) +- PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 $(shell $(PKG_CONFIG) --cflags libpcre2-8) +- PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs libpcre2-8) ++ PCRE_MODULE := libpcre2-8 ++ PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 + else +- PCRE_CFLAGS := $(shell $(PKG_CONFIG) --cflags libpcre) +- PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs libpcre) ++ PCRE_MODULE := libpcre + endif +-export PCRE_CFLAGS PCRE_LDLIBS ++PCRE_CFLAGS += $(shell $(PKG_CONFIG) --cflags $(PCRE_MODULE)) ++PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs $(PCRE_MODULE)) ++export PCRE_MODULE PCRE_CFLAGS PCRE_LDLIBS + + OS := $(shell uname) + export OS diff --git libselinux-2.7/man/man8/selinux.8 libselinux-2.7/man/man8/selinux.8 index e37aee6..bf23b65 100644 --- libselinux-2.7/man/man8/selinux.8 @@ -488,6 +41,32 @@ index e37aee6..bf23b65 100644 Every confined service on the system has a man page in the following format: .br +diff --git libselinux-2.7/src/Makefile libselinux-2.7/src/Makefile +index 2408fae..18df75c 100644 +--- libselinux-2.7/src/Makefile ++++ libselinux-2.7/src/Makefile +@@ -148,7 +148,7 @@ $(LIBSO): $(LOBJS) + ln -sf $@ $(TARGET) + + $(LIBPC): $(LIBPC).in ../VERSION +- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ ++ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ + + selinuxswig_python_exception.i: ../include/selinux/selinux.h + bash -e exception.sh > $@ || (rm -f $@ ; false) +diff --git libselinux-2.7/src/avc.c libselinux-2.7/src/avc.c +index 96b2678..5230efd 100644 +--- libselinux-2.7/src/avc.c ++++ libselinux-2.7/src/avc.c +@@ -4,7 +4,7 @@ + * Author : Eamon Walsh + * + * Derived from the kernel AVC implementation by +- * Stephen Smalley and ++ * Stephen Smalley and + * James Morris . + */ + #include diff --git libselinux-2.7/src/avc_sidtab.c libselinux-2.7/src/avc_sidtab.c index 9669264..c775430 100644 --- libselinux-2.7/src/avc_sidtab.c @@ -647,6 +226,18 @@ index 52707d0..0cbe12d 100644 if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; +diff --git libselinux-2.7/src/libselinux.pc.in libselinux-2.7/src/libselinux.pc.in +index 2cd04d3..2e90a84 100644 +--- libselinux-2.7/src/libselinux.pc.in ++++ libselinux-2.7/src/libselinux.pc.in +@@ -7,6 +7,6 @@ Name: libselinux + Description: SELinux utility library + Version: @VERSION@ + URL: http://userspace.selinuxproject.org/ +-Requires.private: libsepol libpcre ++Requires.private: libsepol @PCRE_MODULE@ + Libs: -L${libdir} -lselinux + Cflags: -I${includedir} diff --git libselinux-2.7/src/lsetfilecon.c libselinux-2.7/src/lsetfilecon.c index 1d3b28a..ea6d70b 100644 --- libselinux-2.7/src/lsetfilecon.c diff --git a/libselinux.spec b/libselinux.spec index 0aca521..0fd6599 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -3,13 +3,13 @@ %endif %define ruby_inc %(pkg-config --cflags ruby) -%define libsepolver 2.7-1 +%define libsepolver 2.7-2 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} Summary: SELinux library and simple utilities Name: libselinux Version: 2.7 -Release: 4%{?dist} +Release: 5%{?dist} License: Public Domain Group: System Environment/Libraries # https://github.com/SELinuxProject/selinux/wiki/Releases @@ -20,7 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.7 ./make-fedora-selinux-patch.sh libselinux -# HEAD https://github.com/fedora-selinux/selinux/commit/70a12c5e7b56a81223d67ce2469292826b84efe9 +# HEAD https://github.com/fedora-selinux/selinux/commit/4247fad665261169b430895f0ab10f56eb33dd10 Patch1: libselinux-fedora.patch BuildRequires: python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel %if 0%{?with_python3} @@ -232,8 +232,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %files devel %{_libdir}/libselinux.so %{_libdir}/pkgconfig/libselinux.pc -%dir %{_libdir}/golang/src/pkg/github.com/selinux -%{_libdir}/golang/src/pkg/github.com/selinux/selinux.go %{_includedir}/selinux/ %{_mandir}/man3/* @@ -254,6 +252,10 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %{ruby_vendorarchdir}/selinux.so %changelog +* Fri Oct 20 2017 Petr Lautrbach - 2.7-5 +- Drop golang bindings +- Add support for pcre2 to pkgconfig definition + * Wed Sep 27 2017 Petr Ĺ abata - 2.7-4 - Enable the python3 subpackages on EL