libselinux-2.5-7

* Thu Jun 23 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-7
- Modify audit2why analyze function to use loaded policy
- Sort object files for deterministic linking order
- Respect CC and PKG_CONFIG environment variable
- Avoid mounting /proc outside of selinux_init_load_policy()

libselinux-fedora.patch

@@ -1,8 +1,12 @@
 diff --git libselinux-2.5/ChangeLog libselinux-2.5/ChangeLog
-index 24673dd..e696b94 100644
+index 24673dd..34d0ac7 100644
 --- libselinux-2.5/ChangeLog
 +++ libselinux-2.5/ChangeLog
-@@ -1,3 +1,10 @@
+@@ -1,3 +1,14 @@
++	* Modify audit2why analyze function to use loaded policy, from Joshua Brindle.
++	* Sort object files for deterministic linking order, from Laurent Bigonville.
++	* Respect CC and PKG_CONFIG environment variable, from Julien Pivotto.
++	* Avoid mounting /proc outside of selinux_init_load_policy(), from Stephen Smalley.
 +	* Fix multiple spelling errors, from Laurent Bigonville.
 +	* Fix typo in sefcontext_compile.8, from Petr Lautrbach and Milos Malik
 +	* Fix location of selinuxfs mount point, from Dan Walsh.
@@ -621,6 +625,67 @@ index 6f1034b..c9f188c 100644
  
  Every confined service on the system has a man page in the following format:
  .br
+diff --git libselinux-2.5/src/Makefile libselinux-2.5/src/Makefile
+index d0021ae..d94163e 100644
+--- libselinux-2.5/src/Makefile
++++ libselinux-2.5/src/Makefile
+@@ -5,6 +5,7 @@ PYTHON ?= python
+ PYPREFIX ?= $(notdir $(PYTHON))
+ RUBY ?= ruby
+ RUBYPREFIX ?= $(notdir $(RUBY))
++PKG_CONFIG ?= pkg-config
+ 
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+@@ -12,11 +13,11 @@ LIBDIR ?= $(PREFIX)/lib
+ SHLIBDIR ?= $(DESTDIR)/lib
+ INCLUDEDIR ?= $(PREFIX)/include
+ PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])')
+-PYINC ?= $(shell pkg-config --cflags $(PYPREFIX))
++PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
+ PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
+ RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
+ RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM')
+-RUBYINC ?= $(shell pkg-config --cflags ruby)
++RUBYINC ?= $(shell $(PKG_CONFIG) --cflags ruby)
+ RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
+ LIBBASE ?= $(shell basename $(LIBDIR))
+ 
+@@ -48,7 +49,7 @@ ifeq ($(DISABLE_BOOL),y)
+ endif
+ 
+ GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
+-SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c))
++SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
+ 
+ MAX_STACK_SIZE=32768
+ 
+diff --git libselinux-2.5/src/audit2why.c libselinux-2.5/src/audit2why.c
+index 12745b3..abe1701 100644
+--- libselinux-2.5/src/audit2why.c
++++ libselinux-2.5/src/audit2why.c
+@@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
+ 	if (rc < 0)
+ 		RETURN(BADTCON)
+ 
+-	tclass = string_to_security_class(tclassstr);
+-	if (!tclass)
++	rc = sepol_string_to_security_class(tclassstr, &tclass);
++	if (rc < 0)
+ 		RETURN(BADTCLASS)
+ 
+ 	/* Convert the permission list to an AV. */
+@@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
+ 		permstr = PyString_AsString( strObj );
+ #endif
+ 		
+-		perm = string_to_av_perm(tclass, permstr);
+-		if (!perm)
++		rc = sepol_string_to_av_perm(tclass, permstr, &perm);
++		if (rc < 0)
+ 			RETURN(BADPERM)
+ 
+ 		av |= perm;
 diff --git libselinux-2.5/src/avc_sidtab.c libselinux-2.5/src/avc_sidtab.c
 index 9669264..c775430 100644
 --- libselinux-2.5/src/avc_sidtab.c
@@ -749,6 +814,18 @@ index b37c5d3..7703c26 100644
  	snprintf(path, sizeof path, "%s/user", selinux_mnt);
  	fd = open(path, O_RDWR);
  	if (fd < 0)
+diff --git libselinux-2.5/src/exception.sh libselinux-2.5/src/exception.sh
+index b7cff7e..a58bf3f 100755
+--- libselinux-2.5/src/exception.sh
++++ libselinux-2.5/src/exception.sh
+@@ -15,6 +15,6 @@ echo "
+ ;;
+ esac
+ }
+-gcc -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
++${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
+ for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done 
+ rm -f -- temp.aux -.o
 diff --git libselinux-2.5/src/fsetfilecon.c libselinux-2.5/src/fsetfilecon.c
 index 52707d0..0cbe12d 100644
 --- libselinux-2.5/src/fsetfilecon.c
@@ -769,39 +846,101 @@ index 52707d0..0cbe12d 100644
  		char * ccontext = NULL;
  		int err = errno;
 diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c
-index 3db4de0..3530594 100644
+index 3db4de0..3c687a2 100644
 --- libselinux-2.5/src/init.c
 +++ libselinux-2.5/src/init.c
-@@ -12,6 +12,7 @@
+@@ -11,7 +11,6 @@
+ #include <sys/vfs.h>
  #include <stdint.h>
  #include <limits.h>
- #include <sys/mount.h>
-+#include <linux/magic.h>
+-#include <sys/mount.h>
  
  #include "dso.h"
  #include "policy.h"
-@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
+@@ -57,20 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
  
  int selinuxfs_exists(void)
  {
 -	int exists = 0, mnt_rc = 0;
-+	int exists = 0, mnt_rc = -1, rc;
-+	struct statfs sb;
++	int exists = 0;
  	FILE *fp = NULL;
  	char *buf = NULL;
  	size_t len;
  	ssize_t num;
  
 -	mnt_rc = mount("proc", "/proc", "proc", 0, 0);
-+	do {
-+		rc = statfs("/proc", &sb);
-+	} while (rc < 0 && errno == EINTR);
-+
-+	if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
-+		mnt_rc = mount("proc", "/proc", "proc", 0, 0);
- 
+-
  	fp = fopen("/proc/filesystems", "r");
- 	if (!fp) {
+-	if (!fp) {
+-		exists = 1; /* Fail as if it exists */
+-		goto out;
+-	}
+-
++	if (!fp)
++		return 1; /* Fail as if it exists */
+ 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
+ 
+ 	num = getline(&buf, &len, fp);
+@@ -84,14 +78,6 @@ int selinuxfs_exists(void)
+ 
+ 	free(buf);
+ 	fclose(fp);
+-
+-out:
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+-	if (mnt_rc == 0)
+-		umount2("/proc", MNT_DETACH);
+-
+ 	return exists;
+ }
+ hidden_def(selinuxfs_exists)
+diff --git libselinux-2.5/src/load_policy.c libselinux-2.5/src/load_policy.c
+index 21ee58b..4f39fc7 100644
+--- libselinux-2.5/src/load_policy.c
++++ libselinux-2.5/src/load_policy.c
+@@ -17,6 +17,10 @@
+ #include "policy.h"
+ #include <limits.h>
+ 
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++
+ int security_load_policy(void *data, size_t len)
+ {
+ 	char path[PATH_MAX];
+@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce)
+ 		fclose(cfg);
+ 		free(buf);
+ 	}
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+-	if (rc == 0)
+-		umount2("/proc", MNT_DETACH);
+ 
+ 	/* 
+ 	 * Determine the final desired mode.
+@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce)
+ 			/* Only emit this error if selinux was not disabled */
+ 			fprintf(stderr, "Mount failed for selinuxfs on %s:  %s\n", SELINUXMNT, strerror(errno));
+ 		}
++
++		if (rc == 0)
++			umount2("/proc", MNT_DETACH);
+                 
+ 		goto noload;
+ 	}
+ 	set_selinuxmnt(mntpoint);
+ 
++	if (rc == 0)
++		umount2("/proc", MNT_DETACH);
++
+ 	/*
+ 	 * Note:  The following code depends on having selinuxfs 
+ 	 * already mounted and selinuxmnt set above.
 diff --git libselinux-2.5/src/lsetfilecon.c libselinux-2.5/src/lsetfilecon.c
 index 1d3b28a..ea6d70b 100644
 --- libselinux-2.5/src/lsetfilecon.c
@@ -912,3 +1051,20 @@ index d05969c..3f0200e 100644
  	if (rc < 0 && errno == ENOTSUP) {
  		char * ccontext = NULL;
  		int err = errno;
+diff --git libselinux-2.5/utils/.gitignore libselinux-2.5/utils/.gitignore
+index 060eaab..ed3bf0b 100644
+--- libselinux-2.5/utils/.gitignore
++++ libselinux-2.5/utils/.gitignore
+@@ -14,7 +14,12 @@ getseuser
+ matchpathcon
+ policyvers
+ sefcontext_compile
++selabel_digest
++selabel_lookup
++selabel_lookup_best_match
++selabel_partial_match
+ selinux_check_securetty_context
++selinux_restorecon
+ selinuxenabled
+ selinuxexeccon
+ setenforce

libselinux.spec

@@ -3,13 +3,13 @@
 %endif
 
 %define ruby_inc %(pkg-config --cflags ruby)
-%define libsepolver 2.5
+%define libsepolver 2.5-7
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.5
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -20,7 +20,7 @@ Url: https://github.com/SELinuxProject/selinux/wiki
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
 # $ VERSION=2.5 ./make-fedora-selinux-patch.sh libselinux
-# HEAD https://github.com/fedora-selinux/selinux/commit/b4fd6cda6dede7a90892aac8f138b86b3ebda3e8
+# HEAD https://github.com/fedora-selinux/selinux/commit/9abe77e2a670f2f2dfb91f9cec46ee37f9c23995
 Patch1: libselinux-fedora.patch
 BuildRequires: pkgconfig python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
 %if 0%{?with_python3}
@@ -254,6 +254,12 @@ rm -rf %{buildroot}
 %{ruby_vendorarchdir}/selinux.so
 
 %changelog
+* Thu Jun 23 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-7
+- Modify audit2why analyze function to use loaded policy
+- Sort object files for deterministic linking order
+- Respect CC and PKG_CONFIG environment variable
+- Avoid mounting /proc outside of selinux_init_load_policy()
+
 * Fri May 06 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-6
 - Fix multiple spelling errors