Update libselinux-rhat.patch from abdc02a720

- is_selinux_enabled: Add /etc/selinux/config test (#1219045) - matchpathcon/selabel_file: Fix man pages (#1219718)
2015-05-12 18:54:53 +02:00 · 2015-05-12 18:54:53 +02:00 · 07d81e8685
parent ce749c90b4
commit 07d81e8685
2 changed files with 153 additions and 7 deletions
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@ -528,6 +528,107 @@ index 4dd8f30..26086d9 100644
 .SH "RETURN VALUE"
 On error \-1 is returned.
 On success 0 is returned.
+diff --git libselinux-2.3/man/man3/matchpathcon.3 libselinux-2.3/man/man3/matchpathcon.3
+index 1bc7ba1..177f15d 100644
+--- libselinux-2.3/man/man3/matchpathcon.3
+++ libselinux-2.3/man/man3/matchpathcon.3
+@@ -7,7 +7,7 @@ matchpathcon, matchpathcon_index \- get the default SELinux security context for
+ .sp
+ .BI "int matchpathcon_init(const char *" path ");"
+ .sp
+-.BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");"
+.BI "int matchpathcon_init_prefix(const char *" path ", const char *" prefix ");"
+ .sp
+ .BI "int matchpathcon_fini(void);"
+ .sp
+@@ -16,6 +16,24 @@ matchpathcon, matchpathcon_index \- get the default SELinux security context for
+ .BI "int matchpathcon_index(const char *" name ", mode_t " mode ", char **" con ");"
+ .
+ .SH "DESCRIPTION"
+
+This family of functions is deprecated.  For new code, please use
+.BR selabel_open (3)
+with the
+.B SELABEL_CTX_FILE
+backend in place of
+.BR matchpathcon_init (),
+use
+.BR selabel_close (3)
+in place of
+.BR matchpathcon_fini (),
+and use
+.BR selabel_lookup (3)
+in place of
+.BR matchpathcon ().
+
+The remaining description below is for the legacy interface.
+
+ .BR matchpathcon_init ()
+ loads the file contexts configuration specified by
+ .I path
+@@ -41,9 +59,16 @@ customizations.
+ .BR matchpathcon_init_prefix ()
+ is the same as
+ .BR matchpathcon_init ()
+-but only loads entries with regular expressions that have stems prefixed
+-by
+-.I \%prefix.
+but only loads entries with regular expressions whose first pathname
+component is a prefix of
+.I \%prefix
+, e.g. pass "/dev" if you only intend to call
+.BR matchpathcon ()
+with pathnames beginning with /dev.
+However, this optimization is no longer necessary due to the use of
+.I file_contexts.bin
+files with precompiled regular expressions, so use of this interface
+is deprecated.
+ 
+ .BR matchpathcon_fini ()
+ frees the memory allocated by a prior call to
+@@ -54,7 +79,17 @@ calls, or to free memory when finished using
+ .BR matchpathcon ().
+ 
+ .BR matchpathcon ()
+-matches the specified pathname and mode against the file contexts
+matches the specified
+.I pathname,
+after transformation via
+.BR realpath (3)
+excepting any final symbolic link component if S_IFLNK was
+specified as the
+.I mode,
+and
+.I mode
+against the
+.I file contexts
+ configuration and sets the security context 
+ .I con 
+ to refer to the
+diff --git libselinux-2.3/man/man5/selabel_file.5 libselinux-2.3/man/man5/selabel_file.5
+index 79eca95..e738824 100644
+--- libselinux-2.3/man/man5/selabel_file.5
+++ libselinux-2.3/man/man5/selabel_file.5
+@@ -55,7 +55,9 @@ A non-null value for this option specifies a path to a file that will be opened
+ A non-null value for this option indicates that any local customizations to the file contexts mapping should be ignored.
+ .TP
+ .B SELABEL_OPT_SUBSET
+-A non-null value for this option is interpreted as a path prefix, for example "/etc".  Only file context specifications starting with the given prefix are loaded.  This may increase lookup performance, however any attempt to look up a path not starting with the given prefix will fail.
+A non-null value for this option is interpreted as a path prefix, for example "/etc".  Only file context specifications with starting with a first component that prefix matches the given prefix are loaded.  This may increase lookup performance, however any attempt to look up a path not starting with the given prefix may fail.  This optimization is no longer required due to the use of
+.I file_contexts.bin
+files and is deprecated.
+ .RE
+ .
+ .SH "FILES"
+@@ -206,7 +208,7 @@ component with \fI/var/www\fR, therefore the path used is:
+ If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If this is not set, then it is possible for an invalid context to be returned.
+ .IP "2." 4
+ If the size of file contexts series of files contain many entries, then \fBselabel_open\fR(3) may have a delay as it reads in the files, and if
+-requested validates the entries. If possible use the \fBSELABEL_OPT_SUBSET\fR option to reduce the number of entries processed.
+requested validates the entries.
+ .IP "3." 4
+ Depending on the version of SELinux it is possible that a \fIfile_contexts.template\fR file may also be present, however this is now deprecated.
+ .br
 diff --git libselinux-2.3/man/man8/selinux.8 libselinux-2.3/man/man8/selinux.8
 index e89b1ef..fd20363 100644
 --- libselinux-2.3/man/man8/selinux.8
@ -760,10 +861,10 @@ index b37c5d3..7703c26 100644
 	fd = open(path, O_RDWR);
 	if (fd < 0)
 diff --git libselinux-2.3/src/enabled.c libselinux-2.3/src/enabled.c
-index 5c252dd..1731ac3 100644
+index 5c252dd..bb659a9 100644
 --- libselinux-2.3/src/enabled.c
 +++ libselinux-2.3/src/enabled.c
-@@ -11,26 +11,10 @@
+@@ -11,26 +11,14 @@
 
 int is_selinux_enabled(void)
 {
@ -787,7 +888,11 @@ index 5c252dd..1731ac3 100644
 -        }
 -
 -	return enabled;
+#ifdef ANDROID
 +	return (selinux_mnt ? 1 : 0);
+#else
+	return (selinux_mnt && has_selinux_config);
+#endif
 }
 
 hidden_def(is_selinux_enabled)
@ -822,6 +927,29 @@ index 52707d0..0cbe12d 100644
 	if (rc < 0 && errno == ENOTSUP) {
 		char * ccontext = NULL;
 		int err = errno;
+diff --git libselinux-2.3/src/init.c libselinux-2.3/src/init.c
+index 6d1ef33..3c687a2 100644
+--- libselinux-2.3/src/init.c
+++ libselinux-2.3/src/init.c
+@@ -21,6 +21,8 @@ char *selinux_mnt = NULL;
+ int selinux_page_size = 0;
+ int obj_class_compat = 1;
+ 
+int has_selinux_config = 0;
+
+ /* Verify the mount point for selinux file system has a selinuxfs.
+    If the file system:
+    * Exist,
+@@ -151,6 +153,9 @@ static void init_lib(void)
+ {
+ 	selinux_page_size = sysconf(_SC_PAGE_SIZE);
+ 	init_selinuxmnt();
+#ifndef ANDROID
+	has_selinux_config = (access(SELINUXCONFIG, F_OK) == 0);
+#endif
+ }
+ 
+ static void fini_lib(void) __attribute__ ((destructor));
 diff --git libselinux-2.3/src/label_android_property.c libselinux-2.3/src/label_android_property.c
 index b00eb07..5e1b76e 100644
 --- libselinux-2.3/src/label_android_property.c
@ -1010,10 +1138,19 @@ index 3b96b1d..3868711 100644
 			} else {
 				COMPAT_LOG(SELINUX_WARNING,
 diff --git libselinux-2.3/src/selinux_config.c libselinux-2.3/src/selinux_config.c
-index 30e9dc7..1bfe500 100644
+index 30e9dc7..bec5f3b 100644
 --- libselinux-2.3/src/selinux_config.c
 +++ libselinux-2.3/src/selinux_config.c
-@@ -50,8 +50,9 @@
+@@ -13,8 +13,6 @@
+ #include "selinux_internal.h"
+ #include "get_default_type_internal.h"
+ 
+-#define SELINUXDIR "/etc/selinux/"
+-#define SELINUXCONFIG SELINUXDIR "config"
+ #define SELINUXDEFAULT "targeted"
+ #define SELINUXTYPETAG "SELINUXTYPE="
+ #define SELINUXTAG "SELINUX="
+@@ -50,8 +48,9 @@
 #define FILE_CONTEXT_SUBS_DIST 25
 #define LXC_CONTEXTS      26
 #define BOOLEAN_SUBS      27
@ -1025,7 +1162,7 @@ index 30e9dc7..1bfe500 100644
 
 /* Part of one-time lazy init */
 static pthread_once_t once = PTHREAD_ONCE_INIT;
-@@ -493,6 +494,13 @@ const char *selinux_lxc_contexts_path(void)
+@@ -493,6 +492,13 @@ const char *selinux_lxc_contexts_path(void)
 
 hidden_def(selinux_lxc_contexts_path)
 
@ -1040,7 +1177,7 @@ index 30e9dc7..1bfe500 100644
 {
 	return get_path(SYSTEMD_CONTEXTS);
 diff --git libselinux-2.3/src/selinux_internal.h libselinux-2.3/src/selinux_internal.h
-index afb2170..fe8eb67 100644
+index afb2170..9b1ca4d 100644
 --- libselinux-2.3/src/selinux_internal.h
 +++ libselinux-2.3/src/selinux_internal.h
@@ -82,6 +82,7 @@ hidden_proto(selinux_mkload_policy)
@ -1051,6 +1188,15 @@ index afb2170..fe8eb67 100644
     hidden_proto(selinux_sepgsql_context_path)
     hidden_proto(selinux_systemd_contexts_path)
     hidden_proto(selinux_path)
+@@ -137,3 +138,8 @@ extern int selinux_page_size hidden;
+ 		if (pthread_setspecific != NULL)		\
+ 			pthread_setspecific(KEY, VALUE);	\
+ 	} while (0)
+
+#define SELINUXDIR "/etc/selinux/"
+#define SELINUXCONFIG SELINUXDIR "config"
+
+extern int has_selinux_config hidden;
 diff --git libselinux-2.3/src/selinuxswig_python.i libselinux-2.3/src/selinuxswig_python.i
 index ae72246..c9a2341 100644
 --- libselinux-2.3/src/selinuxswig_python.i
--- a/libselinux.spec
+++ b/libselinux.spec
@ -18,7 +18,7 @@ Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
 # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
-# https://github.com/fedora-selinux/selinux/commit/4395ef2b8bb086878b5fad80321ac9d32f424f51
+# HEAD https://github.com/fedora-selinux/selinux/commit/abdc02a720ed5ff430887758ec254b104f2d727d
 Patch1: libselinux-rhat.patch
 BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
 %if 0%{?with_python3}