From 2efeea27893aec0833805d1bacdc5e7b633a71f7 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Mar 12 2009 12:57:57 +0000 Subject: - Update to upstream Netlink socket handoff patch from Adam Jackson. AVC caching of compute_create results by Eric Paris.
---
diff --git a/.cvsignore b/.cvsignore
index 9a30b0e..d74be31 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -162,3 +162,4 @@ libselinux-2.0.75.tgz
 libselinux-2.0.76.tgz
 libselinux-2.0.77.tgz
 libselinux-2.0.78.tgz
+libselinux-2.0.79.tgz
diff --git a/libselinux-2.0.77-nlfd.patch b/libselinux-2.0.77-nlfd.patch
new file mode 100644
index 0000000..e8d6c28
--- /dev/null
+++ b/libselinux-2.0.77-nlfd.patch
@@ -0,0 +1,106 @@
+diff -up libselinux-2.0.77/include/selinux/avc.h.jx libselinux-2.0.77/include/selinux/avc.h
+--- libselinux-2.0.77/include/selinux/avc.h.jx 2009-01-27 14:47:32.000000000 -0500
++++ libselinux-2.0.77/include/selinux/avc.h 2009-03-02 13:58:11.000000000 -0500
+@@ -427,6 +427,29 @@ void avc_av_stats(void);
+ */
+ void avc_sid_stats(void);
+ 
++/**
++ * avc_netlink_acquire_fd - Acquire netlink socket fd.
++ *
++ * Allows the application to manage messages from the netlink socket in
++ * its own main loop.
++ */
++int avc_netlink_acquire_fd(void);
++
++/**
++ * avc_netlink_release_fd - Release netlink socket fd.
++ *
++ * Returns ownership of the netlink socket to the library.
++ */
++void avc_netlink_release_fd(void);
++
++/**
++ * avc_netlink_check_nb - Check netlink socket for new messages.
++ *
++ * Called by the application when using avc_netlink_acquire_fd() to
++ * process kernel netlink events.
++ */
++int avc_netlink_check_nb(void);
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff -up libselinux-2.0.77/src/avc.c.jx libselinux-2.0.77/src/avc.c
+--- libselinux-2.0.77/src/avc.c.jx 2009-01-27 14:47:32.000000000 -0500
++++ libselinux-2.0.77/src/avc.c 2009-03-02 13:58:11.000000000 -0500
+@@ -812,7 +812,7 @@ int avc_has_perm_noaudit(security_id_t s
+ access_vector_t denied;
+ struct avc_entry_ref ref;
+ 
+- if (!avc_using_threads) {
++ if (!avc_using_threads && !avc_app_main_loop) {
+ (void)avc_netlink_check_nb();
+ }
+ 
+diff -up libselinux-2.0.77/src/avc_internal.c.jx libselinux-2.0.77/src/avc_internal.c
+--- libselinux-2.0.77/src/avc_internal.c.jx 2009-01-27 14:47:32.000000000 -0500
++++ libselinux-2.0.77/src/avc_internal.c 2009-03-02 13:58:11.000000000 -0500
+@@ -34,6 +34,7 @@ void (*avc_func_log) (const char *, ...)
+ void (*avc_func_audit) (void *, security_class_t, char *, size_t) = NULL;
+ 
+ int avc_using_threads = 0;
++int avc_app_main_loop = 0;
+ void *(*avc_func_create_thread) (void (*)(void)) = NULL;
+ void (*avc_func_stop_thread) (void *) = NULL;
+ 
+@@ -250,3 +251,15 @@ void avc_netlink_loop(void)
+ "%s: netlink thread: errors encountered, terminating\n",
+ avc_prefix);
+ }
++
++int avc_netlink_acquire_fd(void)
++{
++ avc_app_main_loop = 1;
++
++ return fd;
++}
++
++void avc_netlink_release_fd(void)
++{
++ avc_app_main_loop = 0;
++}
+diff -up libselinux-2.0.77/src/avc_internal.h.jx libselinux-2.0.77/src/avc_internal.h
+--- libselinux-2.0.77/src/avc_internal.h.jx 2009-01-27 14:47:32.000000000 -0500
++++ libselinux-2.0.77/src/avc_internal.h 2009-03-02 13:58:11.000000000 -0500
+@@ -35,6 +35,7 @@ extern void (*avc_func_log) (const char
+ extern void (*avc_func_audit) (void *, security_class_t, char *, size_t)hidden;
+ 
+ extern int avc_using_threads hidden;
++extern int avc_app_main_loop hidden;
+ extern void *(*avc_func_create_thread) (void (*)(void))hidden;
+ extern void (*avc_func_stop_thread) (void *)hidden;
+ 
+@@ -184,7 +185,6 @@ int avc_ss_set_auditdeny(security_id_t s
+ /* netlink kernel message code */
+ extern int avc_netlink_trouble hidden;
+ int avc_netlink_open(int blocking) hidden;
+-int avc_netlink_check_nb(void) hidden;
+ void avc_netlink_loop(void) hidden;
+ void avc_netlink_close(void) hidden;
+ 
+diff -up libselinux-2.0.77/src/selinuxswig.i.jx libselinux-2.0.77/src/selinuxswig.i
+--- libselinux-2.0.77/src/selinuxswig.i.jx 2009-03-02 13:58:11.000000000 -0500
++++ libselinux-2.0.77/src/selinuxswig.i 2009-03-02 14:07:42.000000000 -0500
+@@ -78,6 +78,11 @@
+ %ignore selinux_set_mapping;
+ %ignore security_id;
+ 
++/* Ignore netlink stuff for now */
++%ignore avc_netlink_acquire_fd;
++%ignore avc_netlink_release_fd;
++%ignore avc_netlink_check_nb;
++
+ %include "../include/selinux/selinux.h"
+ %include "../include/selinux/avc.h"
+ %include
"../include/selinux/get_default_type.h" diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch index 704f0da..37ae248 100644 --- a/libselinux-rhat.patch +++ b/libselinux-rhat.patch @@ -1,6 +1,6 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h libselinux-2.0.78/include/selinux/selinux.h --- nsalibselinux/include/selinux/selinux.h 2009-03-06 14:41:44.000000000 -0500 -+++ libselinux-2.0.78/include/selinux/selinux.h 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/include/selinux/selinux.h 2009-03-10 16:23:01.000000000 -0400 @@ -457,8 +457,11 @@ extern const char *selinux_file_context_path(void); extern const char *selinux_file_context_homedir_path(void); @@ -30,7 +30,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/selinux.h lib const security_context_t b); diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.78/man/man8/selinuxconlist.8 --- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.78/man/man8/selinuxconlist.8 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/man/man8/selinuxconlist.8 2009-03-10 16:23:01.000000000 -0400 @@ -0,0 +1,18 @@ +.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" @@ -52,7 +52,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 lib +secon(8), selinuxdefcon(8) diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.78/man/man8/selinuxdefcon.8 --- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500 -+++ libselinux-2.0.78/man/man8/selinuxdefcon.8 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/man/man8/selinuxdefcon.8 2009-03-10 16:23:01.000000000 -0400 @@ -0,0 +1,19 @@ +.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation" +.SH "NAME" 
@@ -75,7 +75,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libs +secon(8), selinuxconlist(8) diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2.0.78/src/callbacks.c --- nsalibselinux/src/callbacks.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/callbacks.c 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/src/callbacks.c 2009-03-10 16:23:01.000000000 -0400 @@ -16,6 +16,7 @@ { int rc; @@ -86,7 +86,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2. va_end(ap); diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libselinux-2.0.78/src/file_path_suffixes.h --- nsalibselinux/src/file_path_suffixes.h 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/file_path_suffixes.h 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/src/file_path_suffixes.h 2009-03-10 16:23:01.000000000 -0400 @@ -20,3 +20,6 @@ S_(FILE_CONTEXTS_LOCAL, "/contexts/files/file_contexts.local") S_(X_CONTEXTS, "/contexts/x_contexts") @@ -96,7 +96,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/file_path_suffixes.h libs + S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs") diff --exclude-from=exclude -N -u -r nsalibselinux/src/label.c libselinux-2.0.78/src/label.c --- nsalibselinux/src/label.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/label.c 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/src/label.c 2009-03-10 16:23:01.000000000 -0400 @@ -5,10 +5,12 @@ */ 
@@ -243,7 +243,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/label.c libselinux-2.0.78 void selabel_stats(struct selabel_handle *rec) diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.78/src/matchpathcon.c --- nsalibselinux/src/matchpathcon.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/matchpathcon.c 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/src/matchpathcon.c 2009-03-10 16:23:01.000000000 -0400 @@ -2,6 +2,7 @@ #include #include @@ -263,7 +263,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-2.0.78/src/selinux_config.c --- nsalibselinux/src/selinux_config.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/selinux_config.c 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/src/selinux_config.c 2009-03-10 16:23:01.000000000 -0400 @@ -40,7 +40,10 @@ #define SECURETTY_TYPES 18 #define X_CONTEXTS 19 @@ -303,7 +303,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselin + diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_internal.h libselinux-2.0.78/src/selinux_internal.h --- nsalibselinux/src/selinux_internal.h 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/selinux_internal.h 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/src/selinux_internal.h 2009-03-10 16:23:01.000000000 -0400 @@ -56,9 +56,12 @@ hidden_proto(selinux_securetty_types_path) hidden_proto(selinux_failsafe_context_path) 
@@ -319,7 +319,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_internal.h libsel hidden_proto(selinux_user_contexts_path) diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0.78/src/selinux.py --- nsalibselinux/src/selinux.py 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/selinux.py 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/src/selinux.py 2009-03-10 16:23:01.000000000 -0400 @@ -1,5 +1,5 @@ # This file was automatically generated by SWIG (http://www.swig.org). -# Version 1.3.35 @@ -719,8 +719,8 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0 get_default_type = _selinux.get_default_type SELINUX_DEFAULTUSER = _selinux.SELINUX_DEFAULTUSER diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig.i libselinux-2.0.78/src/selinuxswig.i ---- nsalibselinux/src/selinuxswig.i 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/selinuxswig.i 2009-03-06 16:27:32.000000000 -0500 +--- nsalibselinux/src/selinuxswig.i 2009-03-12 08:48:48.000000000 -0400 ++++ libselinux-2.0.78/src/selinuxswig.i 2009-03-10 16:23:01.000000000 -0400 @@ -47,8 +47,36 @@ %ignore set_matchpathcon_printf; %ignore set_matchpathcon_invalidcon; @@ -757,11 +757,11 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig.i libselinux- +%ignore selinux_set_mapping; +%ignore security_id; - %include "../include/selinux/selinux.h" - %include "../include/selinux/avc.h" + /* Ignore netlink stuff for now */ + %ignore avc_netlink_acquire_fd; diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_python.i libselinux-2.0.78/src/selinuxswig_python.i --- nsalibselinux/src/selinuxswig_python.i 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/selinuxswig_python.i 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/src/selinuxswig_python.i 2009-03-10 16:23:01.000000000 -0400 
@@ -21,6 +21,15 @@ map(restorecon, [os.path.join(dirname, fname) for fname in fnames]), None) @@ -793,7 +793,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_python.i libs %include "selinuxswig.i" diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libselinux-2.0.78/src/selinuxswig_wrap.c --- nsalibselinux/src/selinuxswig_wrap.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/selinuxswig_wrap.c 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/src/selinuxswig_wrap.c 2009-03-10 16:23:01.000000000 -0400 @@ -1,6 +1,6 @@ /* ---------------------------------------------------------------------------- * This file was automatically generated by SWIG (http://www.swig.org). @@ -10456,7 +10456,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libsel _swigc__p_unsigned_short, diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-2.0.78/src/seusers.c --- nsalibselinux/src/seusers.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/src/seusers.c 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/src/seusers.c 2009-03-10 16:23:01.000000000 -0400 @@ -243,3 +243,67 @@ *r_level = NULL; return 0; @@ -10527,7 +10527,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-2.0. +} diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getdefaultcon.c libselinux-2.0.78/utils/getdefaultcon.c --- nsalibselinux/utils/getdefaultcon.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/utils/getdefaultcon.c 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/utils/getdefaultcon.c 2009-03-10 16:23:01.000000000 -0400 @@ -22,8 +22,9 @@ security_context_t usercon = NULL, cur_context = NULL; char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL, *dlevel=NULL; 
@@ -10575,7 +10575,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/utils/getdefaultcon.c libseli } diff --exclude-from=exclude -N -u -r nsalibselinux/utils/Makefile libselinux-2.0.78/utils/Makefile --- nsalibselinux/utils/Makefile 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/utils/Makefile 2009-03-06 16:27:32.000000000 -0500 ++++ libselinux-2.0.78/utils/Makefile 2009-03-10 16:23:01.000000000 -0400 @@ -2,28 +2,33 @@ PREFIX ?= $(DESTDIR)/usr LIBDIR ?= $(PREFIX)/lib @@ -10616,7 +10616,7 @@ diff --exclude-from=exclude -N -u -r nsalibselinux/utils/Makefile libselinux-2.0 ../../scripts/Lindent $(wildcard *.[ch]) diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-2.0.78/utils/matchpathcon.c --- nsalibselinux/utils/matchpathcon.c 2009-03-06 14:41:45.000000000 -0500 -+++ libselinux-2.0.78/utils/matchpathcon.c 2009-03-06 16:29:27.000000000 -0500 ++++ libselinux-2.0.78/utils/matchpathcon.c 2009-03-10 16:23:01.000000000 -0400 @@ -22,9 +22,13 @@ char *buf; int rc = matchpathcon(path, mode, &buf); diff --git a/libselinux.spec b/libselinux.spec index c35dab3..7d168f7 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -4,13 +4,12 @@ Summary: SELinux library and simple utilities Name: libselinux -Version: 2.0.78 -Release: 4%{?dist} +Version: 2.0.79 +Release: 1%{?dist} License: Public Domain Group: System Environment/Libraries Source: http://www.nsa.gov/research/selinux/%{name}-%{version}.tgz Patch: libselinux-rhat.patch -Patch1: libselinux-xaccel.patch URL: http://www.selinuxproject.org BuildRequires: python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig @@ -80,7 +79,6 @@ needed for developing SELinux applications. %prep %setup -q %patch -p1 -b .rhat -%patch1 -p1 -b .xaccel %build make clean 
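Review bot: `libselinux-2.0.77-nlfd.patch` is added as a new file by this commit, yet nothing in the spec references it: after the change the visible lines hold only `Patch: libselinux-rhat.patch` and `%patch -p1 -b .rhat`, and `Patch1`/`%patch1` are removed rather than repointed. The changelog entry says the netlink socket handoff now comes from upstream 2.0.79, so the file looks like a leftover and I would drop it from the commit, so that the package directory carries only patches that are actually applied and reviewed. If it is still meant to apply, it needs its own line such as `Patch1: libselinux-2.0.77-nlfd.patch` plus a matching `%patch1` step in `%prep`.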
@@ -166,6 +164,15 @@ exit 0 %{ruby_sitearch}/selinux.so %changelog +* Thu Mar 12 2009 Dan Walsh - 2.0.79-1 +- Update to upstream + * Netlink socket handoff patch from Adam Jackson. + * AVC caching of compute_create results by Eric Paris. + +* Tue Mar 10 2009 Dan Walsh - 2.0.78-5 +- Add patch from ajax to accellerate X SELinux +- Update eparis patch + * Mon Mar 9 2009 Dan Walsh - 2.0.78-4 - Add eparis patch to accellerate Xwindows performance diff --git a/sources b/sources index 331df86..06bfa5b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -c34327ec14643572f284589a2c72dcaa libselinux-2.0.78.tgz +f7418923f1f721e450ac8cf4151f8360 libselinux-2.0.79.tgz