diff --git a/.gitignore b/.gitignore index 37c9e44..cfc3f5b 100644 --- a/.gitignore +++ b/.gitignore @@ -204,3 +204,4 @@ libselinux-2.0.96.tgz /libselinux-2.5-rc1.tar.gz /libselinux-2.5.tar.gz /libselinux-2.6.tar.gz +/libselinux-2.7.tar.gz diff --git a/libselinux-fedora.patch b/libselinux-fedora.patch index 876516a..cf66e24 100644 --- a/libselinux-fedora.patch +++ b/libselinux-fedora.patch @@ -1,46 +1,18 @@ -diff --git libselinux-2.6/Makefile libselinux-2.6/Makefile -index baa0db3..3355f01 100644 ---- libselinux-2.6/Makefile -+++ libselinux-2.6/Makefile +diff --git libselinux-2.7/Makefile libselinux-2.7/Makefile +index 1ecab17..1f507fb 100644 +--- libselinux-2.7/Makefile ++++ libselinux-2.7/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = src include utils man +SUBDIRS = src include utils man golang + PKG_CONFIG ?= pkg-config DISABLE_SETRANS ?= n - DISABLE_RPM ?= n -@@ -27,6 +27,16 @@ else - endif - export PCRE_CFLAGS PCRE_LDFLAGS - -+OS := $(shell uname) -+export OS -+ -+ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),) -+COMPILER := gcc -+else -+COMPILER := clang -+endif -+export COMPILER -+ - all install relabel clean distclean indent: - @for subdir in $(SUBDIRS); do \ - (cd $$subdir && $(MAKE) $@) || exit 1; \ -@@ -47,4 +57,10 @@ install-pywrap: - install-rubywrap: - $(MAKE) -C src install-rubywrap $@ - -+clean-pywrap: -+ $(MAKE) -C src clean-pywrap $@ -+ -+clean-rubywrap: -+ $(MAKE) -C src clean-rubywrap $@ -+ - test: -diff --git libselinux-2.6/golang/Makefile libselinux-2.6/golang/Makefile +diff --git libselinux-2.7/golang/Makefile libselinux-2.7/golang/Makefile new file mode 100644 index 0000000..b75677b --- /dev/null -+++ libselinux-2.6/golang/Makefile ++++ libselinux-2.7/golang/Makefile @@ -0,0 +1,22 @@ +# Installation directories. +PREFIX ?= $(DESTDIR)/usr 
@@ -64,11 +36,11 @@ index 0000000..b75677b +indent: + +relabel: -diff --git libselinux-2.6/golang/selinux.go libselinux-2.6/golang/selinux.go +diff --git libselinux-2.7/golang/selinux.go libselinux-2.7/golang/selinux.go new file mode 100644 index 0000000..34bf6bb --- /dev/null -+++ libselinux-2.6/golang/selinux.go ++++ libselinux-2.7/golang/selinux.go @@ -0,0 +1,412 @@ +package selinux + @@ -482,11 +454,11 @@ index 0000000..34bf6bb + fmt.Println(Getfscreatecon()) + fmt.Println(Getpidcon(1)) +} -diff --git libselinux-2.6/golang/test.go libselinux-2.6/golang/test.go +diff --git libselinux-2.7/golang/test.go libselinux-2.7/golang/test.go new file mode 100644 index 0000000..fed6de8 --- /dev/null -+++ libselinux-2.6/golang/test.go ++++ libselinux-2.7/golang/test.go @@ -0,0 +1,9 @@ +package main + 
@@ -497,62 +469,10 @@ index 0000000..fed6de8 +func main() { + selinux.Test() +} -diff --git libselinux-2.6/include/selinux/restorecon.h libselinux-2.6/include/selinux/restorecon.h -index 7cfdee1..de694cd 100644 ---- libselinux-2.6/include/selinux/restorecon.h -+++ libselinux-2.6/include/selinux/restorecon.h -@@ -50,9 +50,9 @@ extern int selinux_restorecon(const char *pathname, - */ - #define SELINUX_RESTORECON_VERBOSE 0x0010 - /* -- * Show progress by printing * to stdout every 1000 files, unless -- * relabeling the entire OS, that will then show the approximate -- * percentage complete. -+ * If SELINUX_RESTORECON_PROGRESS is true and -+ * SELINUX_RESTORECON_MASS_RELABEL is true, then output approx % complete, -+ * else output the number of files in 1k blocks processed to stdout. - */ - #define SELINUX_RESTORECON_PROGRESS 0x0020 - /* -@@ -91,6 +91,11 @@ extern int selinux_restorecon(const char *pathname, - * mounts to be excluded from relabeling checks. - */ - #define SELINUX_RESTORECON_IGNORE_MOUNTS 0x2000 -+/* -+ * Set if there is a mass relabel required. -+ * See SELINUX_RESTORECON_PROGRESS flag for details. -+ */ -+#define SELINUX_RESTORECON_MASS_RELABEL 0x4000 - - /** - * selinux_restorecon_set_sehandle - Set the global fc handle. -diff --git libselinux-2.6/man/man3/selinux_restorecon.3 libselinux-2.6/man/man3/selinux_restorecon.3 -index 2d8274b..3350f9c 100644 ---- libselinux-2.6/man/man3/selinux_restorecon.3 -+++ libselinux-2.6/man/man3/selinux_restorecon.3 -@@ -88,8 +88,16 @@ will take precedence. - .RE - .sp - .B SELINUX_RESTORECON_PROGRESS --show progress by printing * to stdout every 1000 files unless relabeling the --entire OS, that will then show the approximate percentage complete. -+show progress by outputting the number of files in 1k blocks processed -+to stdout. If the -+.B SELINUX_RESTORECON_MASS_RELABEL -+flag is also set then the approximate percentage complete will be shown. 
-+.sp -+.B SELINUX_RESTORECON_MASS_RELABEL -+generally set when relabeling the entire OS, that will then show the -+approximate percentage complete. The -+.B SELINUX_RESTORECON_PROGRESS -+flag must also be set. - .sp - .B SELINUX_RESTORECON_REALPATH - convert passed-in -diff --git libselinux-2.6/man/man8/selinux.8 libselinux-2.6/man/man8/selinux.8 -index 6f1034b..c9f188c 100644 ---- libselinux-2.6/man/man8/selinux.8 -+++ libselinux-2.6/man/man8/selinux.8 +diff --git libselinux-2.7/man/man8/selinux.8 libselinux-2.7/man/man8/selinux.8 +index e37aee6..bf23b65 100644 +--- libselinux-2.7/man/man8/selinux.8 ++++ libselinux-2.7/man/man8/selinux.8 @@ -91,11 +91,13 @@ This manual page was written by Dan Walsh . .BR sepolicy (8), .BR system-config-selinux (8), 
@@ -562,186 +482,16 @@ index 6f1034b..c9f188c 100644 +.BR restorecon (8), .BR setfiles (8), .BR semanage (8), --.BR sepolicy(8) -+.BR sepolicy(8), -+.BR seinfo(8), -+.BR sesearch(8) + .BR sepolicy (8) ++.BR seinfo (8), ++.BR sesearch (8) Every confined service on the system has a man page in the following format: .br -diff --git libselinux-2.6/src/Makefile libselinux-2.6/src/Makefile -index 13501cd..e1334e9 100644 ---- libselinux-2.6/src/Makefile -+++ libselinux-2.6/src/Makefile -@@ -2,7 +2,7 @@ - # runtimes (e.g. Python 2 vs Python 3) by optionally prefixing the build - # targets with "PYPREFIX": - PYTHON ?= python --PYPREFIX ?= $(notdir $(PYTHON)) -+PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python-%d.%d" % sys.version_info[:2])') - RUBY ?= ruby - RUBYPREFIX ?= $(notdir $(RUBY)) - PKG_CONFIG ?= pkg-config -@@ -13,15 +13,26 @@ LIBDIR ?= $(PREFIX)/lib - SHLIBDIR ?= $(DESTDIR)/lib - INCLUDEDIR ?= $(PREFIX)/include - PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) -+PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) - PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') --RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")') --RUBYINC ?= $(shell $(PKG_CONFIG) --exists ruby-$(RUBYLIBVER) && $(PKG_CONFIG) --cflags ruby-$(RUBYLIBVER) || $(PKG_CONFIG) --cflags ruby) -+PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])') -+RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') -+RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -lruby"') - RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') - LIBBASE ?= $(shell basename $(LIBDIR)) -+LIBSEPOLA ?= $(LIBDIR)/libsepol.a - - VERSION = $(shell cat ../VERSION) - LIBVERSION = 1 - -+OS ?= $(shell uname) -+ -+ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),) -+COMPILER 
?= gcc -+else -+COMPILER ?= clang -+endif -+ - LIBA=libselinux.a - TARGET=libselinux.so - LIBPC=libselinux.pc -@@ -48,23 +59,38 @@ OBJS= $(patsubst %.c,%.o,$(SRCS)) - LOBJS= $(patsubst %.c,%.lo,$(SRCS)) - CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \ - -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow -Wpointer-arith \ -- -Wbad-function-cast -Wcast-align -Wwrite-strings -Wlogical-op -Waggregate-return \ -+ -Wbad-function-cast -Wcast-align -Wwrite-strings -Waggregate-return \ - -Wstrict-prototypes -Wold-style-definition -Wmissing-prototypes \ - -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute \ - -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wvolatile-register-var \ -- -Wdisabled-optimization -Wbuiltin-macro-redefined -Wpacked-bitfield-compat \ -- -Wsync-nand -Wattributes -Wcoverage-mismatch -Wmultichar -Wcpp \ -+ -Wdisabled-optimization -Wbuiltin-macro-redefined \ -+ -Wattributes -Wmultichar \ - -Wdeprecated-declarations -Wdiv-by-zero -Wdouble-promotion -Wendif-labels -Wextra \ -- -Wformat-contains-nul -Wformat-extra-args -Wformat-zero-length -Wformat=2 -Wmultichar \ -- -Wnormalized=nfc -Woverflow -Wpointer-to-int-cast -Wpragmas -Wsuggest-attribute=const \ -- -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines \ -- -Wno-missing-field-initializers -Wno-sign-compare -Wjump-misses-init \ -- -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) -Wp,-D_FORTIFY_SOURCE=2 \ -+ -Wformat-extra-args -Wformat-zero-length -Wformat=2 -Wmultichar \ -+ -Woverflow -Wpointer-to-int-cast -Wpragmas \ -+ -Wno-missing-field-initializers -Wno-sign-compare \ -+ -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) \ - -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ - -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ -- -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ - -Werror -Wno-aggregate-return 
-Wno-redundant-decls - -+LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro -+ -+ifeq ($(COMPILER), gcc) -+CFLAGS += -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat -Wsync-nand \ -+ -Wcoverage-mismatch -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \ -+ -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \ -+ -Wno-suggest-attribute=pure -Wno-suggest-attribute=const -Wp,-D_FORTIFY_SOURCE=2 -+else -+CFLAGS += -Wunused-command-line-argument -+endif -+ -+ifeq ($(OS), Darwin) -+override CFLAGS += -I/opt/local/include -+override LDFLAGS += -L/opt/local/lib -undefined dynamic_lookup -+LD_SONAME_FLAGS=-install_name,$(LIBSO) -+endif -+ - PCRE_LDFLAGS ?= -lpcre - - override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) -@@ -84,7 +110,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ - -DBUILD_HOST - SRCS= callbacks.c freecon.c label.c label_file.c \ - label_backends_android.c regex.c label_support.c \ -- matchpathcon.c setrans_client.c sha1.c -+ matchpathcon.c setrans_client.c sha1.c booleans.c - else - DISABLE_FLAGS+= -DNO_ANDROID_BACKEND - SRCS:= $(filter-out label_backends_android.c, $(SRCS)) -@@ -107,30 +133,30 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) - $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $< - - $(SWIGSO): $(SWIGLOBJ) -- $(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) -L$(LIBDIR) -+ $(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) $(PYLIBS) -L$(LIBDIR) - - $(SWIGRUBYSO): $(SWIGRUBYLOBJ) -- $(CC) $(CFLAGS) -shared -o $@ $^ -L. -lselinux $(LDFLAGS) -L$(LIBDIR) -+ $(CC) $(CFLAGS) -shared -o $@ $^ -L. 
-lselinux $(LDFLAGS) $(RUBYLIBS) -L$(LIBDIR) - - $(LIBA): $(OBJS) - $(AR) rcs $@ $^ - $(RANLIB) $@ - - $(LIBSO): $(LOBJS) -- $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro -+ $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,$(LD_SONAME_FLAGS) - ln -sf $@ $(TARGET) - - $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ - - selinuxswig_python_exception.i: ../include/selinux/selinux.h -- bash exception.sh > $@ -+ bash -e exception.sh > $@ || (rm -f $@ ; false) - - $(AUDIT2WHYLOBJ): audit2why.c - $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< - - $(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) -- $(CC) $(CFLAGS) -shared -o $@ $^ -L. $(LDFLAGS) -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR) -+ $(CC) $(CFLAGS) -shared -o $@ $^ -L. $(LDFLAGS) -lselinux $(LIBSEPOLA) $(PYLIBS) -L$(LIBDIR) - - %.o: %.c policy.h - $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< -@@ -160,8 +186,8 @@ install: all - - install-pywrap: pywrap - test -d $(PYSITEDIR)/selinux || install -m 755 -d $(PYSITEDIR)/selinux -- install -m 755 $(SWIGSO) $(PYSITEDIR)/_selinux.so -- install -m 755 $(AUDIT2WHYSO) $(PYSITEDIR)/selinux/audit2why.so -+ install -m 755 $(SWIGSO) $(PYSITEDIR)/_selinux$(PYCEXT) -+ install -m 755 $(AUDIT2WHYSO) $(PYSITEDIR)/selinux/audit2why$(PYCEXT) - install -m 644 $(SWIGPYOUT) $(PYSITEDIR)/selinux/__init__.py - - install-rubywrap: rubywrap -@@ -171,8 +197,14 @@ install-rubywrap: rubywrap - relabel: - /sbin/restorecon $(SHLIBDIR)/$(LIBSO) - --clean: -- -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGRUBYLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~ -+clean-pywrap: -+ -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO) -+ -+clean-rubywrap: -+ -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO) -+ -+clean: clean-pywrap clean-rubywrap -+ -rm -f $(LIBPC) $(OBJS) 
$(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~ - - distclean: clean - rm -f $(GENERATED) $(SWIGFILES) -@@ -180,4 +212,4 @@ distclean: clean - indent: - ../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch])) - --.PHONY: all clean pywrap rubywrap swigify install install-pywrap install-rubywrap distclean -+.PHONY: all clean clean-pywrap clean-rubywrap pywrap rubywrap swigify install install-pywrap install-rubywrap distclean -diff --git libselinux-2.6/src/avc_sidtab.c libselinux-2.6/src/avc_sidtab.c +diff --git libselinux-2.7/src/avc_sidtab.c libselinux-2.7/src/avc_sidtab.c index 9669264..c775430 100644 ---- libselinux-2.6/src/avc_sidtab.c -+++ libselinux-2.6/src/avc_sidtab.c +--- libselinux-2.7/src/avc_sidtab.c ++++ libselinux-2.7/src/avc_sidtab.c @@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s, int hvalue, rc = 0; struct sidtab_node *cur; @@ -754,10 +504,10 @@ index 9669264..c775430 100644 *sid = NULL; hvalue = sidtab_hash(ctx); -diff --git libselinux-2.6/src/booleans.c libselinux-2.6/src/booleans.c -index cbb0610..9cffffe 100644 ---- libselinux-2.6/src/booleans.c -+++ libselinux-2.6/src/booleans.c +diff --git libselinux-2.7/src/booleans.c libselinux-2.7/src/booleans.c +index 1da55bf..604c588 100644 +--- libselinux-2.7/src/booleans.c ++++ libselinux-2.7/src/booleans.c @@ -55,6 +55,7 @@ int security_get_boolean_names(char ***names, int *len) snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR); *len = scandir(path, &namelist, &filename_select, alphasort); 
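Review bot: In the selinux.8 SEE ALSO part of the regenerated patch, `.BR sepolicy (8)` is now an unchanged context line with no trailing comma, while `+.BR seinfo (8),` and `+.BR sesearch (8)` are appended after it. The rendered list would therefore read "sepolicy(8) seinfo(8), sesearch(8)". The 2.6 version of the patch rewrote that line to add the comma, and the rebase appears to have lost it. The inner patch should replace the line before the two additions: `-.BR sepolicy (8)` then `+.BR sepolicy (8),`. The enclosing outer hunk also removes the src/Makefile section, which this note does not cover.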
@@ -766,10 +516,10 @@ index cbb0610..9cffffe 100644 return -1; } -diff --git libselinux-2.6/src/canonicalize_context.c libselinux-2.6/src/canonicalize_context.c -index 7cf3139..364a746 100644 ---- libselinux-2.6/src/canonicalize_context.c -+++ libselinux-2.6/src/canonicalize_context.c +diff --git libselinux-2.7/src/canonicalize_context.c libselinux-2.7/src/canonicalize_context.c +index ba4c9a2..c815872 100644 +--- libselinux-2.7/src/canonicalize_context.c ++++ libselinux-2.7/src/canonicalize_context.c @@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con, size_t size; int fd, ret; @@ -782,10 +532,10 @@ index 7cf3139..364a746 100644 if (!selinux_mnt) { errno = ENOENT; return -1; -diff --git libselinux-2.6/src/check_context.c libselinux-2.6/src/check_context.c -index 52063fa..234749c 100644 ---- libselinux-2.6/src/check_context.c -+++ libselinux-2.6/src/check_context.c +diff --git libselinux-2.7/src/check_context.c libselinux-2.7/src/check_context.c +index 8a7997f..5be8434 100644 +--- libselinux-2.7/src/check_context.c ++++ libselinux-2.7/src/check_context.c @@ -14,6 +14,11 @@ int security_check_context_raw(const char * con) char path[PATH_MAX]; int fd, ret; @@ -798,10 +548,10 @@ index 52063fa..234749c 100644 if (!selinux_mnt) { errno = ENOENT; return -1; -diff --git libselinux-2.6/src/compute_av.c libselinux-2.6/src/compute_av.c -index 937e5c3..35ace7f 100644 ---- libselinux-2.6/src/compute_av.c -+++ libselinux-2.6/src/compute_av.c +diff --git libselinux-2.7/src/compute_av.c libselinux-2.7/src/compute_av.c +index 1d05e7b..d9095cc 100644 +--- libselinux-2.7/src/compute_av.c ++++ libselinux-2.7/src/compute_av.c @@ -26,6 +26,11 @@ int security_compute_av_flags_raw(const char * scon, return -1; } 
@@ -812,12 +562,12 @@ index 937e5c3..35ace7f 100644 + } + snprintf(path, sizeof path, "%s/access", selinux_mnt); - fd = open(path, O_RDWR); + fd = open(path, O_RDWR | O_CLOEXEC); if (fd < 0) -diff --git libselinux-2.6/src/compute_create.c libselinux-2.6/src/compute_create.c -index 9559d42..14a65d1 100644 ---- libselinux-2.6/src/compute_create.c -+++ libselinux-2.6/src/compute_create.c +diff --git libselinux-2.7/src/compute_create.c libselinux-2.7/src/compute_create.c +index 0975aea..3e6a48c 100644 +--- libselinux-2.7/src/compute_create.c ++++ libselinux-2.7/src/compute_create.c @@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon, return -1; } @@ -828,12 +578,12 @@ index 9559d42..14a65d1 100644 + } + snprintf(path, sizeof path, "%s/create", selinux_mnt); - fd = open(path, O_RDWR); + fd = open(path, O_RDWR | O_CLOEXEC); if (fd < 0) -diff --git libselinux-2.6/src/compute_member.c libselinux-2.6/src/compute_member.c -index 1fc7e41..065d996 100644 ---- libselinux-2.6/src/compute_member.c -+++ libselinux-2.6/src/compute_member.c +diff --git libselinux-2.7/src/compute_member.c libselinux-2.7/src/compute_member.c +index 4e2d221..d1dd977 100644 +--- libselinux-2.7/src/compute_member.c ++++ libselinux-2.7/src/compute_member.c @@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon, return -1; } @@ -844,12 +594,12 @@ index 1fc7e41..065d996 100644 + } + snprintf(path, sizeof path, "%s/member", selinux_mnt); - fd = open(path, O_RDWR); + fd = open(path, O_RDWR | O_CLOEXEC); if (fd < 0) -diff --git libselinux-2.6/src/compute_relabel.c libselinux-2.6/src/compute_relabel.c -index 4615aee..cc77f36 100644 ---- libselinux-2.6/src/compute_relabel.c -+++ libselinux-2.6/src/compute_relabel.c +diff --git libselinux-2.7/src/compute_relabel.c libselinux-2.7/src/compute_relabel.c +index 49f77ef..c3db7c0 100644 +--- libselinux-2.7/src/compute_relabel.c ++++ libselinux-2.7/src/compute_relabel.c 
@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon, return -1; } @@ -860,12 +610,12 @@ index 4615aee..cc77f36 100644 + } + snprintf(path, sizeof path, "%s/relabel", selinux_mnt); - fd = open(path, O_RDWR); + fd = open(path, O_RDWR | O_CLOEXEC); if (fd < 0) -diff --git libselinux-2.6/src/compute_user.c libselinux-2.6/src/compute_user.c -index b37c5d3..7703c26 100644 ---- libselinux-2.6/src/compute_user.c -+++ libselinux-2.6/src/compute_user.c +diff --git libselinux-2.7/src/compute_user.c libselinux-2.7/src/compute_user.c +index 7b88121..401fd10 100644 +--- libselinux-2.7/src/compute_user.c ++++ libselinux-2.7/src/compute_user.c @@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon, return -1; } @@ -876,12 +626,12 @@ index b37c5d3..7703c26 100644 + } + snprintf(path, sizeof path, "%s/user", selinux_mnt); - fd = open(path, O_RDWR); + fd = open(path, O_RDWR | O_CLOEXEC); if (fd < 0) -diff --git libselinux-2.6/src/fsetfilecon.c libselinux-2.6/src/fsetfilecon.c +diff --git libselinux-2.7/src/fsetfilecon.c libselinux-2.7/src/fsetfilecon.c index 52707d0..0cbe12d 100644 ---- libselinux-2.6/src/fsetfilecon.c -+++ libselinux-2.6/src/fsetfilecon.c +--- libselinux-2.7/src/fsetfilecon.c ++++ libselinux-2.7/src/fsetfilecon.c @@ -9,8 +9,12 @@ int fsetfilecon_raw(int fd, const char * context) 
@@ -897,27 +647,10 @@ index 52707d0..0cbe12d 100644 if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; -diff --git libselinux-2.6/src/load_policy.c libselinux-2.6/src/load_policy.c -index b7e1a6f..6d74a9a 100644 ---- libselinux-2.6/src/load_policy.c -+++ libselinux-2.6/src/load_policy.c -@@ -450,8 +450,11 @@ int selinux_init_load_policy(int *enforce) - } - } - -- if (seconfig == -1) -+ if (seconfig == -1) { -+ umount(selinux_mnt); -+ fini_selinuxmnt(); - goto noload; -+ } - - /* Load the policy. */ - return selinux_mkload_policy(0); -diff --git libselinux-2.6/src/lsetfilecon.c libselinux-2.6/src/lsetfilecon.c +diff --git libselinux-2.7/src/lsetfilecon.c libselinux-2.7/src/lsetfilecon.c index 1d3b28a..ea6d70b 100644 ---- libselinux-2.6/src/lsetfilecon.c -+++ libselinux-2.6/src/lsetfilecon.c +--- libselinux-2.7/src/lsetfilecon.c ++++ libselinux-2.7/src/lsetfilecon.c @@ -9,8 +9,13 @@ int lsetfilecon_raw(const char *path, const char * context) 
@@ -934,201 +667,10 @@ index 1d3b28a..ea6d70b 100644 if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; -diff --git libselinux-2.6/src/matchpathcon.c libselinux-2.6/src/matchpathcon.c -index 724eb65..58b4144 100644 ---- libselinux-2.6/src/matchpathcon.c -+++ libselinux-2.6/src/matchpathcon.c -@@ -389,12 +389,6 @@ int realpath_not_final(const char *name, char *resolved_path) - goto out; - } - -- /* strip leading // */ -- while (tmp_path[len] && tmp_path[len] == '/' && -- tmp_path[len+1] && tmp_path[len+1] == '/') { -- tmp_path++; -- len++; -- } - last_component = strrchr(tmp_path, '/'); - - if (last_component == tmp_path) { -diff --git libselinux-2.6/src/selinux_config.c libselinux-2.6/src/selinux_config.c -index 88bcc85..bfca134 100644 ---- libselinux-2.6/src/selinux_config.c -+++ libselinux-2.6/src/selinux_config.c -@@ -282,7 +282,6 @@ int selinux_set_policy_root(const char *path) - } - policy_type++; - -- fini_selinuxmnt(); - fini_selinux_policyroot(); - - selinux_policyroot = strdup(path); -diff --git libselinux-2.6/src/selinux_restorecon.c libselinux-2.6/src/selinux_restorecon.c -index e38d1d0..690dcd8 100644 ---- libselinux-2.6/src/selinux_restorecon.c -+++ libselinux-2.6/src/selinux_restorecon.c -@@ -41,7 +41,7 @@ - #define SYS_PATH "/sys" - #define SYS_PREFIX SYS_PATH "/" - --#define STAR_COUNT 1000 -+#define STAR_COUNT 1024 - - static struct selabel_handle *fc_sehandle = NULL; - static unsigned char *fc_digest = NULL; -@@ -68,18 +68,12 @@ static uint64_t efile_count; /* Estimated total number of files */ - struct dir_xattr *dir_xattr_list; - static struct dir_xattr *dir_xattr_last; - --/* -- * If SELINUX_RESTORECON_PROGRESS is set and mass_relabel = true, then -- * output approx % complete, else output * for every STAR_COUNT files -- * processed to stdout. 
-- */ --static bool mass_relabel; -- - /* restorecon_flags for passing to restorecon_sb() */ - struct rest_flags { - bool nochange; - bool verbose; - bool progress; -+ bool mass_relabel; - bool set_specctx; - bool add_assoc; - bool ignore_digest; -@@ -624,14 +618,14 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, - if (flags->progress) { - fc_count++; - if (fc_count % STAR_COUNT == 0) { -- if (mass_relabel && efile_count > 0) { -+ if (flags->mass_relabel && efile_count > 0) { - pc = (fc_count < efile_count) ? (100.0 * - fc_count / efile_count) : 100; - fprintf(stdout, "\r%-.1f%%", (double)pc); - } else { -- fprintf(stdout, "*"); -+ fprintf(stdout, "\r%luk", fc_count / STAR_COUNT); - } -- fflush(stdout); -+ fflush(stdout); - } - } - -@@ -663,7 +657,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, - curcon = NULL; - } - -- if (strcmp(curcon, newcon) != 0) { -+ if (curcon == NULL || strcmp(curcon, newcon) != 0) { - if (!flags->set_specctx && curcon && - (is_context_customizable(curcon) > 0)) { - if (flags->verbose) { -@@ -743,6 +737,8 @@ int selinux_restorecon(const char *pathname_orig, - SELINUX_RESTORECON_VERBOSE) ? true : false; - flags.progress = (restorecon_flags & - SELINUX_RESTORECON_PROGRESS) ? true : false; -+ flags.mass_relabel = (restorecon_flags & -+ SELINUX_RESTORECON_MASS_RELABEL) ? true : false; - flags.recurse = (restorecon_flags & - SELINUX_RESTORECON_RECURSE) ? true : false; - flags.set_specctx = (restorecon_flags & -@@ -896,17 +892,6 @@ int selinux_restorecon(const char *pathname_orig, - } - } - -- mass_relabel = false; -- if (!strcmp(pathname, "/")) { -- mass_relabel = true; -- if (flags.set_xdev && flags.progress) -- /* -- * Need to recalculate to get accurate % complete -- * as only root device id will be processed. 
-- */ -- efile_count = file_system_count(pathname); -- } -- - if (flags.set_xdev) - fts_flags = FTS_PHYSICAL | FTS_NOCHDIR | FTS_XDEV; - else -@@ -1000,12 +985,8 @@ int selinux_restorecon(const char *pathname_orig, - } - - out: -- if (flags.progress) { -- if (mass_relabel) -- fprintf(stdout, "\r100.0%%\n"); -- else -- fprintf(stdout, "\n"); -- } -+ if (flags.progress && flags.mass_relabel) -+ fprintf(stdout, "\r%s 100.0%%\n", pathname); - - sverrno = errno; - (void) fts_close(fts); -diff --git libselinux-2.6/src/selinuxswig_python.i libselinux-2.6/src/selinuxswig_python.i -index 8cea18d..43df291 100644 ---- libselinux-2.6/src/selinuxswig_python.i -+++ libselinux-2.6/src/selinuxswig_python.i -@@ -64,7 +64,7 @@ def install(src, dest): - PyObject* list = PyList_New(*$2); - int i; - for (i = 0; i < *$2; i++) { -- PyList_SetItem(list, i, PyBytes_FromString((*$1)[i])); -+ PyList_SetItem(list, i, PyString_FromString((*$1)[i])); - } - $result = SWIG_Python_AppendOutput($result, list); - } -@@ -97,9 +97,7 @@ def install(src, dest): - len++; - plist = PyList_New(len); - for (i = 0; i < len; i++) { -- PyList_SetItem(plist, i, -- PyBytes_FromString((*$1)[i]) -- ); -+ PyList_SetItem(plist, i, PyString_FromString((*$1)[i])); - } - } else { - plist = PyList_New(0); -@@ -116,9 +114,7 @@ def install(src, dest): - if (*$1) { - plist = PyList_New(result); - for (i = 0; i < result; i++) { -- PyList_SetItem(plist, i, -- PyBytes_FromString((*$1)[i]) -- ); -+ PyList_SetItem(plist, i, PyString_FromString((*$1)[i])); - } - } else { - plist = PyList_New(0); -@@ -171,20 +167,16 @@ def install(src, dest): - $1 = (char**) malloc(size + 1); - - for(i = 0; i < size; i++) { -- if (!PyBytes_Check(PySequence_GetItem($input, i))) { -- PyErr_SetString(PyExc_ValueError, "Sequence must contain only bytes"); -- -+ if (!PyString_Check(PySequence_GetItem($input, i))) { -+ PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings"); - return NULL; - } -- - } - - for(i = 0; i < size; i++) { - s 
= PySequence_GetItem($input, i); -- -- $1[i] = (char*) malloc(PyBytes_Size(s) + 1); -- strcpy($1[i], PyBytes_AsString(s)); -- -+ $1[i] = (char*) malloc(PyString_Size(s) + 1); -+ strcpy($1[i], PyString_AsString(s)); - } - $1[size] = NULL; - } -diff --git libselinux-2.6/src/setfilecon.c libselinux-2.6/src/setfilecon.c +diff --git libselinux-2.7/src/setfilecon.c libselinux-2.7/src/setfilecon.c index d05969c..3f0200e 100644 ---- libselinux-2.6/src/setfilecon.c -+++ libselinux-2.6/src/setfilecon.c +--- libselinux-2.7/src/setfilecon.c ++++ libselinux-2.7/src/setfilecon.c @@ -9,8 +9,12 @@ int setfilecon_raw(const char *path, const char * context) 
@@ -1144,71 +686,12 @@ index d05969c..3f0200e 100644 if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; -diff --git libselinux-2.6/utils/Makefile libselinux-2.6/utils/Makefile -index e56a953..7744184 100644 ---- libselinux-2.6/utils/Makefile -+++ libselinux-2.6/utils/Makefile -@@ -5,25 +5,46 @@ USRBINDIR ?= $(PREFIX)/sbin - SBINDIR ?= $(DESTDIR)/sbin - INCLUDEDIR ?= $(PREFIX)/include - -+OS ?= $(shell uname) -+ -+ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),) -+COMPILER ?= gcc -+else -+COMPILER ?= clang -+endif -+ - MAX_STACK_SIZE=8192 - CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \ - -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow -Wpointer-arith \ -- -Wbad-function-cast -Wcast-align -Wwrite-strings -Wlogical-op -Waggregate-return \ -+ -Wbad-function-cast -Wcast-align -Wwrite-strings -Waggregate-return \ - -Wstrict-prototypes -Wold-style-definition -Wmissing-prototypes \ - -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute \ - -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wvolatile-register-var \ -- -Wdisabled-optimization -Wbuiltin-macro-redefined -Wpacked-bitfield-compat \ -- -Wsync-nand -Wattributes -Wcoverage-mismatch -Wmultichar -Wcpp \ -+ -Wdisabled-optimization -Wbuiltin-macro-redefined \ -+ -Wattributes -Wmultichar \ - -Wdeprecated-declarations -Wdiv-by-zero -Wdouble-promotion -Wendif-labels -Wextra \ -- -Wformat-contains-nul -Wformat-extra-args -Wformat-zero-length -Wformat=2 -Wmultichar \ -- -Wnormalized=nfc -Woverflow -Wpointer-to-int-cast -Wpragmas -Wsuggest-attribute=const \ -- -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines \ -- -Wno-missing-field-initializers -Wno-sign-compare -Wjump-misses-init \ -+ -Wformat-extra-args -Wformat-zero-length -Wformat=2 -Wmultichar \ -+ -Woverflow -Wpointer-to-int-cast -Wpragmas \ -+ -Wno-missing-field-initializers -Wno-sign-compare \ - -Wno-format-nonliteral 
-Wframe-larger-than=$(MAX_STACK_SIZE) -Wp,-D_FORTIFY_SOURCE=2 \ - -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ - -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ -- -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ - -Werror -Wno-aggregate-return -Wno-redundant-decls -+ -+LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro -+ -+ifeq ($(COMPILER), gcc) -+CFLAGS += -fipa-pure-const -Wpacked-bitfield-compat -Wsync-nand -Wcoverage-mismatch \ -+ -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \ -+ -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \ -+ -Wno-suggest-attribute=pure -Wno-suggest-attribute=const -+endif -+ -+ifeq ($(OS), Darwin) -+override CFLAGS += -I/opt/local/include -I../../libsepol/include -+override LDFLAGS += -L../../libsepol/src -undefined dynamic_lookup -+endif -+ - override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) - LDLIBS += -L../src -lselinux -L$(LIBDIR) - PCRE_LDFLAGS ?= -lpcre -diff --git libselinux-2.6/utils/matchpathcon.c libselinux-2.6/utils/matchpathcon.c -index d1f1348..0288feb 100644 ---- libselinux-2.6/utils/matchpathcon.c -+++ libselinux-2.6/utils/matchpathcon.c -@@ -15,7 +15,7 @@ - static void usage(const char *progname) +diff --git libselinux-2.7/utils/matchpathcon.c libselinux-2.7/utils/matchpathcon.c +index 67e4a43..9756d7d 100644 +--- libselinux-2.7/utils/matchpathcon.c ++++ libselinux-2.7/utils/matchpathcon.c +@@ -14,7 +14,7 @@ + static __attribute__ ((__noreturn__)) void usage(const char *progname) { fprintf(stderr, - "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n", diff --git a/libselinux.spec b/libselinux.spec index dfd577d..e6a5dfe 100644 --- a/libselinux.spec +++ b/libselinux.spec 
@@ -3,31 +3,31 @@ %endif %define ruby_inc %(pkg-config --cflags ruby) -%define libsepolver 2.6-0 +%define libsepolver 2.7-1 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} Summary: SELinux library and simple utilities Name: libselinux -Version: 2.6 -Release: 10%{?dist} +Version: 2.7 +Release: 1%{?dist} License: Public Domain Group: System Environment/Libraries # https://github.com/SELinuxProject/selinux/wiki/Releases -Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/libselinux-2.6.tar.gz +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/libselinux-2.7.tar.gz Source1: selinuxconlist.8 Source2: selinuxdefcon.8 Url: https://github.com/SELinuxProject/selinux/wiki # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: -# $ VERSION=2.6 ./make-fedora-selinux-patch.sh libselinux -# HEAD https://github.com/fedora-selinux/selinux/commit/601a1d1363fe4137ff3a2991c546f7a0ccfec4cb +# $ VERSION=2.7 ./make-fedora-selinux-patch.sh libselinux +# HEAD https://github.com/fedora-selinux/selinux/commit/70a12c5e7b56a81223d67ce2469292826b84efe9 Patch1: libselinux-fedora.patch %if 0%{?fedora} > 25 BuildRequires: pkgconf-pkg-config %else BuildRequires: pkgconfig %endif -BuildRequires: python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel +BuildRequires: python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel %if 0%{?with_python3} BuildRequires: python3 python3-devel %endif # if with_python3 
@@ -114,6 +114,7 @@ needed for developing SELinux applications. %build export LDFLAGS="%{?__global_ldflags}" export DISABLE_RPM="y" +export USE_PCRE2="y" # To support building the Python wrapper against multiple Python runtimes # Define a function, for how to perform a "build" of the python wrapper against @@ -137,7 +138,7 @@ BuildPythonWrapper %{__python} BuildPythonWrapper %{__python3} %endif # with_python3 -make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} rubywrap +make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" CFLAGS="-g %{optflags}" %{?_smp_mflags} rubywrap %install InstallPythonWrapper() { @@ -146,6 +147,7 @@ InstallPythonWrapper() { make \ PYTHON=$BinaryName \ LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} \ + LIBSEPOLA="%{_libdir}/libsepol.a" \ pywrap make \ @@ -153,6 +155,7 @@ InstallPythonWrapper() { DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" \ SHLIBDIR="%{buildroot}/%{_lib}" BINDIR="%{buildroot}%{_bindir}" \ SBINDIR="%{buildroot}%{_sbindir}" \ + LIBSEPOLA="%{_libdir}/libsepol.a" \ install-pywrap } @@ -223,7 +226,7 @@ rm -rf %{buildroot} %{_sbindir}/selabel_lookup %{_sbindir}/selabel_lookup_best_match %{_sbindir}/selabel_partial_match -%{_sbindir}/selinux_restorecon +%{_sbindir}/selinux_check_access %{_mandir}/man5/* %{_mandir}/man8/* @@ -263,6 +266,9 @@ rm -rf %{buildroot} %{ruby_vendorarchdir}/selinux.so %changelog +* Mon Aug 07 2017 Petr Lautrbach - 2.7-1 +- Update to upstream release 2017-08-04 + * Thu Aug 03 2017 Fedora Release Engineering - 2.6-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild diff --git a/sources b/sources index 3704ff2..683695a 100644 --- a/sources +++ b/sources 
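Review bot: `export USE_PCRE2="y"` is added only under %build, but rpmbuild runs %install as a separate shell script, and `InstallPythonWrapper` there invokes `make ... pywrap` again before `install-pywrap`. Those make invocations evaluate the Makefiles without USE_PCRE2 in the environment, so anything rebuilt or regenerated at that stage would presumably fall back to the PCRE1 flags while only `pcre2-devel` is in BuildRequires. Either repeat `export USE_PCRE2="y"` at the top of %install or pass `USE_PCRE2=y` on the make lines there. A comment next to the export, such as `# select the PCRE2 regex backend used for file-context matching`, would also help. The %build and %install sections both extend outside this hunk.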
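Review bot: The %files hunk replaces `%{_sbindir}/selinux_restorecon` with `%{_sbindir}/selinux_check_access`, so the package appears to stop shipping the selinux_restorecon utility, yet the changelog entry only says "Update to upstream release 2017-08-04". Anything that calls that binary for relabeling would fail after the upgrade, and the regex backend switch is also user-visible. Both should be recorded in the changelog, for example `- Drop selinux_restorecon utility, add selinux_check_access` and `- Build with PCRE2`. Whether another subpackage still provides the binary is not visible in this diff.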
@@ -1 +1 @@
-SHA512 (libselinux-2.6.tar.gz) = 906e1bf98c669862ab4f4e883d511db8d739a5763dc857c9405ad3cc6c70766a482853d07134698a1a98257a8632cc756d0549a7640c2915d051714f502ff14b
+SHA512 (libselinux-2.7.tar.gz) = 415d10306692d4323455b61fb61d7e56e53b9144276ff206d72760e1df9b04ab07c62a4d6f04bf4e5fa708f9f14b21a9801069b16ece0a0aade886950941ab8d