diff --git a/0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch b/0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch new file mode 100644 index 0000000..2fb4f30 --- /dev/null +++ b/0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch @@ -0,0 +1,59 @@ +From f870bd1ea6847840f1878490e090ef96ed708ac4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= +Date: Mon, 12 Oct 2020 19:07:22 +0300 +Subject: [PATCH] libselinux: LABEL_BACKEND_ANDROID add option to enable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add option to just enable the android label backend without disabling +anything else eg. using ANDROID_HOST. Enable by default when using ANDROID_HOST. + +Signed-off-by: Björn Bidar +--- + libselinux/Makefile | 3 ++- + libselinux/src/Makefile | 6 +++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/libselinux/Makefile b/libselinux/Makefile +index cb5872b7b090..ac16c15e8d0a 100644 +--- a/libselinux/Makefile ++++ b/libselinux/Makefile +@@ -4,6 +4,7 @@ PKG_CONFIG ?= pkg-config + DISABLE_SETRANS ?= n + DISABLE_RPM ?= n + ANDROID_HOST ?= n ++LABEL_BACKEND_ANDROID ?= n + ifeq ($(ANDROID_HOST),y) + override DISABLE_SETRANS=y + override DISABLE_BOOL=y +@@ -20,7 +21,7 @@ endif + ifeq ($(DISABLE_X11),y) + DISABLE_FLAGS+= -DNO_X_BACKEND + endif +-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 ++export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 LABEL_BACKEND_ANDROID + + USE_PCRE2 ?= n + ifeq ($(USE_PCRE2),y) +diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile +index be0b6eec6f6d..52c40f018f51 100644 +--- a/libselinux/src/Makefile ++++ b/libselinux/src/Makefile +@@ -122,8 +122,12 @@ SRCS= callbacks.c freecon.c label.c label_file.c \ + label_backends_android.c regex.c label_support.c \ + matchpathcon.c setrans_client.c sha1.c booleans.c + else +-DISABLE_FLAGS+= -DNO_ANDROID_BACKEND ++LABEL_BACKEND_ANDROID=y ++endif ++ ++ifneq ($(LABEL_BACKEND_ANDROIDT),y) + SRCS:= $(filter-out label_backends_android.c, $(SRCS)) ++DISABLE_FLAGS+= -DNO_ANDROID_BACKEND + endif + + ifeq ($(DISABLE_X11),y) +-- +2.29.2 + diff --git a/0016-selinux-8-mark-up-SELINUX-values.patch b/0016-selinux-8-mark-up-SELINUX-values.patch new file mode 100644 index 0000000..12efd4a --- /dev/null +++ b/0016-selinux-8-mark-up-SELINUX-values.patch @@ -0,0 +1,51 @@ +From c698cd8cbc98ab2f795d3c353c9f978c1758106d Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 11 Nov 2020 17:23:38 +0100 +Subject: [PATCH] selinux(8): mark up SELINUX values + +Mark up the possible values of SELINUX (disabled, permissive, enforcing) +for better readability. + +Signed-off-by: Ondrej Mosnacek +--- + libselinux/man/man8/selinux.8 | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 +index 8b4fc3706989..522d45960bf3 100644 +--- a/libselinux/man/man8/selinux.8 ++++ b/libselinux/man/man8/selinux.8 +@@ -19,18 +19,18 @@ enabled or disabled, and if enabled, whether SELinux operates in + permissive mode or enforcing mode. The + .B SELINUX + variable may be set to +-any one of disabled, permissive, or enforcing to select one of these +-options. The disabled option completely disables the SELinux kernel +-and application code, leaving the system running without any SELinux +-protection. The permissive option enables the SELinux code, but +-causes it to operate in a mode where accesses that would be denied by +-policy are permitted but audited. The enforcing option enables the +-SELinux code and causes it to enforce access denials as well as +-auditing them. Permissive mode may yield a different set of denials +-than enforcing mode, both because enforcing mode will prevent an +-operation from proceeding past the first denial and because some +-application code will fall back to a less privileged mode of operation +-if denied access. ++any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to ++select one of these options. The \fIdisabled\fR option completely ++disables the SELinux kernel and application code, leaving the system ++running without any SELinux protection. The \fIpermissive\fR option ++enables the SELinux code, but causes it to operate in a mode where ++accesses that would be denied by policy are permitted but audited. The ++\fIenforcing\fR option enables the SELinux code and causes it to enforce ++access denials as well as auditing them. \fIpermissive\fR mode may ++yield a different set of denials than enforcing mode, both because ++enforcing mode will prevent an operation from proceeding past the first ++denial and because some application code will fall back to a less ++privileged mode of operation if denied access. + + The + .I /etc/selinux/config +-- +2.29.2 + diff --git a/0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch b/0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch new file mode 100644 index 0000000..2b2dd43 --- /dev/null +++ b/0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch @@ -0,0 +1,57 @@ +From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 11 Nov 2020 17:23:39 +0100 +Subject: [PATCH] selinux(8): explain that runtime disable is deprecated + +Update the main SELinux manpage to explain that runtime disable (i.e. +disabling SELinux using SELINUX=Disabled) is deprecated and recommend +disabling SELinux only via the kernel boot parameter. + +Signed-off-by: Ondrej Mosnacek +--- + libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8 +index 522d45960bf3..a36e286b1409 100644 +--- a/libselinux/man/man8/selinux.8 ++++ b/libselinux/man/man8/selinux.8 +@@ -20,8 +20,8 @@ permissive mode or enforcing mode. The + .B SELINUX + variable may be set to + any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to +-select one of these options. The \fIdisabled\fR option completely +-disables the SELinux kernel and application code, leaving the system ++select one of these options. The \fIdisabled\fR disables most of the ++SELinux kernel and application code, leaving the system + running without any SELinux protection. The \fIpermissive\fR option + enables the SELinux code, but causes it to operate in a mode where + accesses that would be denied by policy are permitted but audited. The +@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first + denial and because some application code will fall back to a less + privileged mode of operation if denied access. + ++.B NOTE: ++Disabling SELinux by setting ++.B SELINUX=disabled ++in ++.I /etc/selinux/config ++is deprecated and depending on kernel version and configuration it might ++not lead to SELinux being completely disabled. Specifically, the ++SELinux hooks will still be executed internally, but the SELinux policy ++will not be loaded and no operation will be denied. In such state, the ++system will act as if SELinux was disabled, although some operations ++might behave slightly differently. To properly disable SELinux, it is ++recommended to use the ++.B selinux=0 ++kernel boot option instead. In that case SELinux will be disabled ++regardless of what is set in the ++.I /etc/selinux/config ++file. ++ + The + .I /etc/selinux/config + configuration file also controls what policy +-- +2.29.2 + diff --git a/libselinux.spec b/libselinux.spec index 5f02ff3..853feb9 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -1,10 +1,10 @@ %define ruby_inc %(pkg-config --cflags ruby) -%define libsepolver 3.1-4 +%define libsepolver 3.1-5 Summary: SELinux library and simple utilities Name: libselinux Version: 3.1 -Release: 4%{?dist} +Release: 5%{?dist} License: Public Domain # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libselinux-3.1.tar.gz @@ -30,6 +30,9 @@ Patch0011: 0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch Patch0012: 0012-libsepol-Bump-libsepol.so-version.patch Patch0013: 0013-libselinux-Add-build-option-to-disable-X11-backend.patch Patch0014: 0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch +Patch0015: 0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch +Patch0016: 0016-selinux-8-mark-up-SELINUX-values.patch +Patch0017: 0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch # Patch list end BuildRequires: gcc make BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel @@ -226,6 +229,9 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool* %{ruby_vendorarchdir}/selinux.so %changelog +* Fri Nov 20 2020 Petr Lautrbach - 3.1-5 +- selinux(8): explain that runtime disable is deprecated + * Fri Oct 30 2020 Petr Lautrbach - 3.1-4 - Use libsepol.so.2 - Convert matchpathcon to selabel_lookup()