libselinux-3.1-5
- selinux(8): explain that runtime disable is deprecated
This commit is contained in:
Petr Lautrbach
parent
2b807f244a
commit
c2f612087d
|
|
@ -0,0 +1,59 @@
|
|||
From f870bd1ea6847840f1878490e090ef96ed708ac4 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <bjorn.bidar@jolla.com>
|
||||
Date: Mon, 12 Oct 2020 19:07:22 +0300
|
||||
Subject: [PATCH] libselinux: LABEL_BACKEND_ANDROID add option to enable
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Add option to just enable the android label backend without disabling
|
||||
anything else eg. using ANDROID_HOST. Enable by default when using ANDROID_HOST.
|
||||
|
||||
Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
|
||||
---
|
||||
libselinux/Makefile | 3 ++-
|
||||
libselinux/src/Makefile | 6 +++++-
|
||||
2 files changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libselinux/Makefile b/libselinux/Makefile
|
||||
index cb5872b7b090..ac16c15e8d0a 100644
|
||||
--- a/libselinux/Makefile
|
||||
+++ b/libselinux/Makefile
|
||||
@@ -4,6 +4,7 @@ PKG_CONFIG ?= pkg-config
|
||||
DISABLE_SETRANS ?= n
|
||||
DISABLE_RPM ?= n
|
||||
ANDROID_HOST ?= n
|
||||
+LABEL_BACKEND_ANDROID ?= n
|
||||
ifeq ($(ANDROID_HOST),y)
|
||||
override DISABLE_SETRANS=y
|
||||
override DISABLE_BOOL=y
|
||||
@@ -20,7 +21,7 @@ endif
|
||||
ifeq ($(DISABLE_X11),y)
|
||||
DISABLE_FLAGS+= -DNO_X_BACKEND
|
||||
endif
|
||||
-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11
|
||||
+export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 LABEL_BACKEND_ANDROID
|
||||
|
||||
USE_PCRE2 ?= n
|
||||
ifeq ($(USE_PCRE2),y)
|
||||
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
|
||||
index be0b6eec6f6d..52c40f018f51 100644
|
||||
--- a/libselinux/src/Makefile
|
||||
+++ b/libselinux/src/Makefile
|
||||
@@ -122,8 +122,12 @@ SRCS= callbacks.c freecon.c label.c label_file.c \
|
||||
label_backends_android.c regex.c label_support.c \
|
||||
matchpathcon.c setrans_client.c sha1.c booleans.c
|
||||
else
|
||||
-DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
|
||||
+LABEL_BACKEND_ANDROID=y
|
||||
+endif
|
||||
+
|
||||
+ifneq ($(LABEL_BACKEND_ANDROIDT),y)
|
||||
SRCS:= $(filter-out label_backends_android.c, $(SRCS))
|
||||
+DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
|
||||
endif
|
||||
|
||||
ifeq ($(DISABLE_X11),y)
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
From c698cd8cbc98ab2f795d3c353c9f978c1758106d Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Wed, 11 Nov 2020 17:23:38 +0100
|
||||
Subject: [PATCH] selinux(8): mark up SELINUX values
|
||||
|
||||
Mark up the possible values of SELINUX (disabled, permissive, enforcing)
|
||||
for better readability.
|
||||
|
||||
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
---
|
||||
libselinux/man/man8/selinux.8 | 24 ++++++++++++------------
|
||||
1 file changed, 12 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
|
||||
index 8b4fc3706989..522d45960bf3 100644
|
||||
--- a/libselinux/man/man8/selinux.8
|
||||
+++ b/libselinux/man/man8/selinux.8
|
||||
@@ -19,18 +19,18 @@ enabled or disabled, and if enabled, whether SELinux operates in
|
||||
permissive mode or enforcing mode. The
|
||||
.B SELINUX
|
||||
variable may be set to
|
||||
-any one of disabled, permissive, or enforcing to select one of these
|
||||
-options. The disabled option completely disables the SELinux kernel
|
||||
-and application code, leaving the system running without any SELinux
|
||||
-protection. The permissive option enables the SELinux code, but
|
||||
-causes it to operate in a mode where accesses that would be denied by
|
||||
-policy are permitted but audited. The enforcing option enables the
|
||||
-SELinux code and causes it to enforce access denials as well as
|
||||
-auditing them. Permissive mode may yield a different set of denials
|
||||
-than enforcing mode, both because enforcing mode will prevent an
|
||||
-operation from proceeding past the first denial and because some
|
||||
-application code will fall back to a less privileged mode of operation
|
||||
-if denied access.
|
||||
+any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
|
||||
+select one of these options. The \fIdisabled\fR option completely
|
||||
+disables the SELinux kernel and application code, leaving the system
|
||||
+running without any SELinux protection. The \fIpermissive\fR option
|
||||
+enables the SELinux code, but causes it to operate in a mode where
|
||||
+accesses that would be denied by policy are permitted but audited. The
|
||||
+\fIenforcing\fR option enables the SELinux code and causes it to enforce
|
||||
+access denials as well as auditing them. \fIpermissive\fR mode may
|
||||
+yield a different set of denials than enforcing mode, both because
|
||||
+enforcing mode will prevent an operation from proceeding past the first
|
||||
+denial and because some application code will fall back to a less
|
||||
+privileged mode of operation if denied access.
|
||||
|
||||
The
|
||||
.I /etc/selinux/config
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
|
@ -0,0 +1,57 @@
|
|||
From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Wed, 11 Nov 2020 17:23:39 +0100
|
||||
Subject: [PATCH] selinux(8): explain that runtime disable is deprecated
|
||||
|
||||
Update the main SELinux manpage to explain that runtime disable (i.e.
|
||||
disabling SELinux using SELINUX=Disabled) is deprecated and recommend
|
||||
disabling SELinux only via the kernel boot parameter.
|
||||
|
||||
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
---
|
||||
libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++--
|
||||
1 file changed, 20 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
|
||||
index 522d45960bf3..a36e286b1409 100644
|
||||
--- a/libselinux/man/man8/selinux.8
|
||||
+++ b/libselinux/man/man8/selinux.8
|
||||
@@ -20,8 +20,8 @@ permissive mode or enforcing mode. The
|
||||
.B SELINUX
|
||||
variable may be set to
|
||||
any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
|
||||
-select one of these options. The \fIdisabled\fR option completely
|
||||
-disables the SELinux kernel and application code, leaving the system
|
||||
+select one of these options. The \fIdisabled\fR disables most of the
|
||||
+SELinux kernel and application code, leaving the system
|
||||
running without any SELinux protection. The \fIpermissive\fR option
|
||||
enables the SELinux code, but causes it to operate in a mode where
|
||||
accesses that would be denied by policy are permitted but audited. The
|
||||
@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first
|
||||
denial and because some application code will fall back to a less
|
||||
privileged mode of operation if denied access.
|
||||
|
||||
+.B NOTE:
|
||||
+Disabling SELinux by setting
|
||||
+.B SELINUX=disabled
|
||||
+in
|
||||
+.I /etc/selinux/config
|
||||
+is deprecated and depending on kernel version and configuration it might
|
||||
+not lead to SELinux being completely disabled. Specifically, the
|
||||
+SELinux hooks will still be executed internally, but the SELinux policy
|
||||
+will not be loaded and no operation will be denied. In such state, the
|
||||
+system will act as if SELinux was disabled, although some operations
|
||||
+might behave slightly differently. To properly disable SELinux, it is
|
||||
+recommended to use the
|
||||
+.B selinux=0
|
||||
+kernel boot option instead. In that case SELinux will be disabled
|
||||
+regardless of what is set in the
|
||||
+.I /etc/selinux/config
|
||||
+file.
|
||||
+
|
||||
The
|
||||
.I /etc/selinux/config
|
||||
configuration file also controls what policy
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
|
@ -1,10 +1,10 @@
|
|||
%define ruby_inc %(pkg-config --cflags ruby)
|
||||
%define libsepolver 3.1-4
|
||||
%define libsepolver 3.1-5
|
||||
|
||||
Summary: SELinux library and simple utilities
|
||||
Name: libselinux
|
||||
Version: 3.1
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: Public Domain
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libselinux-3.1.tar.gz
|
||||
|
|
@ -30,6 +30,9 @@ Patch0011: 0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch
|
|||
Patch0012: 0012-libsepol-Bump-libsepol.so-version.patch
|
||||
Patch0013: 0013-libselinux-Add-build-option-to-disable-X11-backend.patch
|
||||
Patch0014: 0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
|
||||
Patch0015: 0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
|
||||
Patch0016: 0016-selinux-8-mark-up-SELINUX-values.patch
|
||||
Patch0017: 0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch
|
||||
# Patch list end
|
||||
BuildRequires: gcc make
|
||||
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
|
||||
|
|
@ -226,6 +229,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
|
|||
%{ruby_vendorarchdir}/selinux.so
|
||||
|
||||
%changelog
|
||||
* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
|
||||
- selinux(8): explain that runtime disable is deprecated
|
||||
|
||||
* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
|
||||
- Use libsepol.so.2
|
||||
- Convert matchpathcon to selabel_lookup()
|
||||
|
|
|
|||
Loading…
Reference in New Issue