From ea9eee161ed07911c9c672b0e598509e39cac679 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 28 Apr 2017 11:57:59 +0200 Subject: [PATCH] libselinux-2.6-6 - Don't finalize mount state in selinux_set_policy_root() see https://marc.info/?l=selinux&m=149323750632253&w=2 - Follow upstream and rename _selinux.so to _selinux.cpython-36m-x86_64-linux-gnu.so --- libselinux-fedora.patch | 261 +++++++++++++++++++++++++++++++++++++++- libselinux.spec | 10 +- 2 files changed, 265 insertions(+), 6 deletions(-) diff --git a/libselinux-fedora.patch b/libselinux-fedora.patch index a08e8c2..72a9450 100644 --- a/libselinux-fedora.patch +++ b/libselinux-fedora.patch @@ -1,5 +1,5 @@ diff --git libselinux-2.6/Makefile libselinux-2.6/Makefile -index baa0db3..b2fbff3 100644 +index baa0db3..3355f01 100644 --- libselinux-2.6/Makefile +++ libselinux-2.6/Makefile @@ -1,4 +1,4 @@ @@ -8,6 +8,34 @@ index baa0db3..b2fbff3 100644 DISABLE_SETRANS ?= n DISABLE_RPM ?= n +@@ -27,6 +27,16 @@ else + endif + export PCRE_CFLAGS PCRE_LDFLAGS + ++OS := $(shell uname) ++export OS ++ ++ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),) ++COMPILER := gcc ++else ++COMPILER := clang ++endif ++export COMPILER ++ + all install relabel clean distclean indent: + @for subdir in $(SUBDIRS); do \ + (cd $$subdir && $(MAKE) $@) || exit 1; \ +@@ -47,4 +57,10 @@ install-pywrap: + install-rubywrap: + $(MAKE) -C src install-rubywrap $@ + ++clean-pywrap: ++ $(MAKE) -C src clean-pywrap $@ ++ ++clean-rubywrap: ++ $(MAKE) -C src clean-rubywrap $@ ++ + test: diff --git libselinux-2.6/golang/Makefile libselinux-2.6/golang/Makefile new file mode 100644 index 0000000..b75677b @@ -542,7 +570,7 @@ index 6f1034b..c9f188c 100644 Every confined service on the system has a man page in the following format: .br diff --git libselinux-2.6/src/Makefile libselinux-2.6/src/Makefile -index 13501cd..956ea1c 100644 +index 13501cd..e1334e9 100644 --- libselinux-2.6/src/Makefile +++ libselinux-2.6/src/Makefile @@ -2,7 +2,7 @@ 
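Review bot: The compiler probe added to the top-level Makefile, `ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),)`, matches the string anywhere in the verbose output, so a GCC whose configure line or install path contains "clang" would be classified as clang. The same test is repeated in src/Makefile and utils/Makefile, where it decides which warning and hardening flags are appended, so a misdetection silently changes the flag set. Matching only the version banner is tighter, for example `ifeq ($(shell $(CC) --version 2>/dev/null | grep clang),)`. Since `COMPILER` is exported here, the sub-makefiles could rely on that value and keep a single fallback probe rather than three copies.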
@@ -550,10 +578,166 @@ index 13501cd..956ea1c 100644 # targets with "PYPREFIX": PYTHON ?= python -PYPREFIX ?= $(notdir $(PYTHON)) -+PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python%d" % sys.version_info[0])') ++PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python-%d.%d" % sys.version_info[:2])') RUBY ?= ruby RUBYPREFIX ?= $(notdir $(RUBY)) PKG_CONFIG ?= pkg-config +@@ -13,15 +13,26 @@ LIBDIR ?= $(PREFIX)/lib + SHLIBDIR ?= $(DESTDIR)/lib + INCLUDEDIR ?= $(PREFIX)/include + PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) ++PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) + PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') +-RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")') +-RUBYINC ?= $(shell $(PKG_CONFIG) --exists ruby-$(RUBYLIBVER) && $(PKG_CONFIG) --cflags ruby-$(RUBYLIBVER) || $(PKG_CONFIG) --cflags ruby) ++PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])') ++RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') ++RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -lruby"') + RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') + LIBBASE ?= $(shell basename $(LIBDIR)) ++LIBSEPOLA ?= $(LIBDIR)/libsepol.a + + VERSION = $(shell cat ../VERSION) + LIBVERSION = 1 + ++OS ?= $(shell uname) ++ ++ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),) ++COMPILER ?= gcc ++else ++COMPILER ?= clang ++endif ++ + LIBA=libselinux.a + TARGET=libselinux.so + LIBPC=libselinux.pc +@@ -48,23 +59,38 @@ OBJS= $(patsubst %.c,%.o,$(SRCS)) + LOBJS= $(patsubst %.c,%.lo,$(SRCS)) + CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \ + -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow -Wpointer-arith \ +- -Wbad-function-cast -Wcast-align -Wwrite-strings -Wlogical-op 
-Waggregate-return \ ++ -Wbad-function-cast -Wcast-align -Wwrite-strings -Waggregate-return \ + -Wstrict-prototypes -Wold-style-definition -Wmissing-prototypes \ + -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute \ + -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wvolatile-register-var \ +- -Wdisabled-optimization -Wbuiltin-macro-redefined -Wpacked-bitfield-compat \ +- -Wsync-nand -Wattributes -Wcoverage-mismatch -Wmultichar -Wcpp \ ++ -Wdisabled-optimization -Wbuiltin-macro-redefined \ ++ -Wattributes -Wmultichar \ + -Wdeprecated-declarations -Wdiv-by-zero -Wdouble-promotion -Wendif-labels -Wextra \ +- -Wformat-contains-nul -Wformat-extra-args -Wformat-zero-length -Wformat=2 -Wmultichar \ +- -Wnormalized=nfc -Woverflow -Wpointer-to-int-cast -Wpragmas -Wsuggest-attribute=const \ +- -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines \ +- -Wno-missing-field-initializers -Wno-sign-compare -Wjump-misses-init \ +- -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) -Wp,-D_FORTIFY_SOURCE=2 \ ++ -Wformat-extra-args -Wformat-zero-length -Wformat=2 -Wmultichar \ ++ -Woverflow -Wpointer-to-int-cast -Wpragmas \ ++ -Wno-missing-field-initializers -Wno-sign-compare \ ++ -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) \ + -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ + -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ +- -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ + -Werror -Wno-aggregate-return -Wno-redundant-decls + ++LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro ++ ++ifeq ($(COMPILER), gcc) ++CFLAGS += -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat -Wsync-nand \ ++ -Wcoverage-mismatch -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \ ++ -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \ ++ -Wno-suggest-attribute=pure -Wno-suggest-attribute=const 
-Wp,-D_FORTIFY_SOURCE=2 ++else ++CFLAGS += -Wunused-command-line-argument ++endif ++ ++ifeq ($(OS), Darwin) ++override CFLAGS += -I/opt/local/include ++override LDFLAGS += -L/opt/local/lib -undefined dynamic_lookup ++LD_SONAME_FLAGS=-install_name,$(LIBSO) ++endif ++ + PCRE_LDFLAGS ?= -lpcre + + override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) +@@ -84,7 +110,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ + -DBUILD_HOST + SRCS= callbacks.c freecon.c label.c label_file.c \ + label_backends_android.c regex.c label_support.c \ +- matchpathcon.c setrans_client.c sha1.c ++ matchpathcon.c setrans_client.c sha1.c booleans.c + else + DISABLE_FLAGS+= -DNO_ANDROID_BACKEND + SRCS:= $(filter-out label_backends_android.c, $(SRCS)) +@@ -107,30 +133,30 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) + $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $< + + $(SWIGSO): $(SWIGLOBJ) +- $(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) -L$(LIBDIR) ++ $(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) $(PYLIBS) -L$(LIBDIR) + + $(SWIGRUBYSO): $(SWIGRUBYLOBJ) +- $(CC) $(CFLAGS) -shared -o $@ $^ -L. -lselinux $(LDFLAGS) -L$(LIBDIR) ++ $(CC) $(CFLAGS) -shared -o $@ $^ -L. 
-lselinux $(LDFLAGS) $(RUBYLIBS) -L$(LIBDIR) + + $(LIBA): $(OBJS) + $(AR) rcs $@ $^ + $(RANLIB) $@ + + $(LIBSO): $(LOBJS) +- $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ++ $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,$(LD_SONAME_FLAGS) + ln -sf $@ $(TARGET) + + $(LIBPC): $(LIBPC).in ../VERSION + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ + + selinuxswig_python_exception.i: ../include/selinux/selinux.h +- bash exception.sh > $@ ++ bash -e exception.sh > $@ || (rm -f $@ ; false) + + $(AUDIT2WHYLOBJ): audit2why.c + $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< + + $(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) +- $(CC) $(CFLAGS) -shared -o $@ $^ -L. $(LDFLAGS) -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR) ++ $(CC) $(CFLAGS) -shared -o $@ $^ -L. $(LDFLAGS) -lselinux $(LIBSEPOLA) $(PYLIBS) -L$(LIBDIR) + + %.o: %.c policy.h + $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< +@@ -160,8 +186,8 @@ install: all + + install-pywrap: pywrap + test -d $(PYSITEDIR)/selinux || install -m 755 -d $(PYSITEDIR)/selinux +- install -m 755 $(SWIGSO) $(PYSITEDIR)/_selinux.so +- install -m 755 $(AUDIT2WHYSO) $(PYSITEDIR)/selinux/audit2why.so ++ install -m 755 $(SWIGSO) $(PYSITEDIR)/_selinux$(PYCEXT) ++ install -m 755 $(AUDIT2WHYSO) $(PYSITEDIR)/selinux/audit2why$(PYCEXT) + install -m 644 $(SWIGPYOUT) $(PYSITEDIR)/selinux/__init__.py + + install-rubywrap: rubywrap +@@ -171,8 +197,14 @@ install-rubywrap: rubywrap + relabel: + /sbin/restorecon $(SHLIBDIR)/$(LIBSO) + +-clean: +- -rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGRUBYLOBJ) $(SWIGSO) $(TARGET) $(AUDIT2WHYSO) *.o *.lo *~ ++clean-pywrap: ++ -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO) ++ ++clean-rubywrap: ++ -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO) ++ ++clean: clean-pywrap clean-rubywrap ++ -rm -f $(LIBPC) $(OBJS) 
$(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~ + + distclean: clean + rm -f $(GENERATED) $(SWIGFILES) +@@ -180,4 +212,4 @@ distclean: clean + indent: + ../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch])) + +-.PHONY: all clean pywrap rubywrap swigify install install-pywrap install-rubywrap distclean ++.PHONY: all clean clean-pywrap clean-rubywrap pywrap rubywrap swigify install install-pywrap install-rubywrap distclean diff --git libselinux-2.6/src/avc_sidtab.c libselinux-2.6/src/avc_sidtab.c index 9669264..c775430 100644 --- libselinux-2.6/src/avc_sidtab.c @@ -750,6 +934,18 @@ index 724eb65..58b4144 100644 last_component = strrchr(tmp_path, '/'); if (last_component == tmp_path) { +diff --git libselinux-2.6/src/selinux_config.c libselinux-2.6/src/selinux_config.c +index 88bcc85..bfca134 100644 +--- libselinux-2.6/src/selinux_config.c ++++ libselinux-2.6/src/selinux_config.c +@@ -282,7 +282,6 @@ int selinux_set_policy_root(const char *path) + } + policy_type++; + +- fini_selinuxmnt(); + fini_selinux_policyroot(); + + selinux_policyroot = strdup(path); diff --git libselinux-2.6/src/selinux_restorecon.c libselinux-2.6/src/selinux_restorecon.c index e38d1d0..690dcd8 100644 --- libselinux-2.6/src/selinux_restorecon.c 
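Review bot: In the src/Makefile CFLAGS rework, `-Wp,-D_FORTIFY_SOURCE=2` moves out of the common `CFLAGS ?=` list into the `ifeq ($(COMPILER), gcc)` block, so a clang build of libselinux.so that uses these defaults loses fortified libc calls. Clang accepts the same define, and utils/Makefile in this patch still keeps it in the common list, so the two directories now disagree. Keeping the define common, or adding it to the else branch as `CFLAGS += -Wunused-command-line-argument -D_FORTIFY_SOURCE=2`, preserves the hardening for both compilers. This only matters when CFLAGS is not supplied by the packaging environment, which is not visible from the hunk.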
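Review bot: Dropping `fini_selinuxmnt();` from selinux_set_policy_root() leaves nothing in the code to say that the mount state is kept on purpose, so a later cleanup could reintroduce the call next to `fini_selinux_policyroot();`. A short comment at that spot would record the intent, for example `/* Keep selinux_mnt: changing the policy root must not reset the selinuxfs mount state. */`. The function starts and ends outside the hunk, so whether the result of `strdup(path)` is checked cannot be confirmed from here.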
@@ -931,6 +1127,65 @@ index d05969c..3f0200e 100644 if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; +diff --git libselinux-2.6/utils/Makefile libselinux-2.6/utils/Makefile +index e56a953..7744184 100644 +--- libselinux-2.6/utils/Makefile ++++ libselinux-2.6/utils/Makefile +@@ -5,25 +5,46 @@ USRBINDIR ?= $(PREFIX)/sbin + SBINDIR ?= $(DESTDIR)/sbin + INCLUDEDIR ?= $(PREFIX)/include + ++OS ?= $(shell uname) ++ ++ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),) ++COMPILER ?= gcc ++else ++COMPILER ?= clang ++endif ++ + MAX_STACK_SIZE=8192 + CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \ + -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow -Wpointer-arith \ +- -Wbad-function-cast -Wcast-align -Wwrite-strings -Wlogical-op -Waggregate-return \ ++ -Wbad-function-cast -Wcast-align -Wwrite-strings -Waggregate-return \ + -Wstrict-prototypes -Wold-style-definition -Wmissing-prototypes \ + -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute \ + -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wvolatile-register-var \ +- -Wdisabled-optimization -Wbuiltin-macro-redefined -Wpacked-bitfield-compat \ +- -Wsync-nand -Wattributes -Wcoverage-mismatch -Wmultichar -Wcpp \ ++ -Wdisabled-optimization -Wbuiltin-macro-redefined \ ++ -Wattributes -Wmultichar \ + -Wdeprecated-declarations -Wdiv-by-zero -Wdouble-promotion -Wendif-labels -Wextra \ +- -Wformat-contains-nul -Wformat-extra-args -Wformat-zero-length -Wformat=2 -Wmultichar \ +- -Wnormalized=nfc -Woverflow -Wpointer-to-int-cast -Wpragmas -Wsuggest-attribute=const \ +- -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines \ +- -Wno-missing-field-initializers -Wno-sign-compare -Wjump-misses-init \ ++ -Wformat-extra-args -Wformat-zero-length -Wformat=2 -Wmultichar \ ++ -Woverflow -Wpointer-to-int-cast -Wpragmas \ ++ -Wno-missing-field-initializers -Wno-sign-compare \ + -Wno-format-nonliteral 
-Wframe-larger-than=$(MAX_STACK_SIZE) -Wp,-D_FORTIFY_SOURCE=2 \ + -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ + -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ +- -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ + -Werror -Wno-aggregate-return -Wno-redundant-decls ++ ++LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro ++ ++ifeq ($(COMPILER), gcc) ++CFLAGS += -fipa-pure-const -Wpacked-bitfield-compat -Wsync-nand -Wcoverage-mismatch \ ++ -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \ ++ -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \ ++ -Wno-suggest-attribute=pure -Wno-suggest-attribute=const ++endif ++ ++ifeq ($(OS), Darwin) ++override CFLAGS += -I/opt/local/include -I../../libsepol/include ++override LDFLAGS += -L../../libsepol/src -undefined dynamic_lookup ++endif ++ + override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) + LDLIBS += -L../src -lselinux -L$(LIBDIR) + PCRE_LDFLAGS ?= -lpcre diff --git libselinux-2.6/utils/matchpathcon.c libselinux-2.6/utils/matchpathcon.c index d1f1348..0288feb 100644 --- libselinux-2.6/utils/matchpathcon.c diff --git a/libselinux.spec b/libselinux.spec index 8c8d3a2..f8a6396 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -9,7 +9,7 @@ Summary: SELinux library and simple utilities Name: libselinux Version: 2.6 -Release: 5%{?dist} +Release: 6%{?dist} License: Public Domain Group: System Environment/Libraries # https://github.com/SELinuxProject/selinux/wiki/Releases 
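Review bot: In utils/Makefile, `-Wlogical-op` is removed from the common warning list but is not re-added in the `ifeq ($(COMPILER), gcc)` block, whereas the src/Makefile version of the same block does include it; GCC builds of the utilities therefore lose that diagnostic. Adding it back to the gcc-only line, `CFLAGS += -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat ...`, keeps the two directories aligned. The new `LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro` also looks unused here, since no `LIBSO` definition or shared-library link rule is visible in this hunk; if that is the case it can be dropped.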
@@ -20,7 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.6 ./make-fedora-selinux-patch.sh libselinux -# HEAD https://github.com/fedora-selinux/selinux/commit/8a1941594a7221ec948b82b26636ad5a0d2dc724 +# HEAD https://github.com/fedora-selinux/selinux/commit/55c710487a365122fc1c961c7b05620defbfe65a Patch1: libselinux-fedora.patch %if 0%{?fedora} > 25 BuildRequires: pkgconf-pkg-config @@ -252,7 +252,7 @@ rm -rf %{buildroot} %dir %{python3_sitearch}/selinux %dir %{python3_sitearch}/selinux/__pycache__ %{python3_sitearch}/selinux/*.py* -%{python3_sitearch}/_selinux.so +%{python3_sitearch}/_selinux.cpython*.so %{python3_sitearch}/selinux/*.so %{python3_sitearch}/selinux/__pycache__/* %endif with_python3 @@ -262,6 +262,10 @@ rm -rf %{buildroot} %{ruby_vendorarchdir}/selinux.so %changelog +* Fri Apr 28 2017 Petr Lautrbach - 2.6-6 +- Don't finalize mount state in selinux_set_policy_root() +- Follow upstream and rename _selinux.so to _selinux.cpython-36m-x86_64-linux-gnu.so + * Thu Apr 06 2017 Petr Lautrbach - 2.6-5 - Fix setfiles progress indicator