- Fix segfault in selinux_restorecon_sb() (#1433577)
- Change matchpathcon usage to match with matchpathcon manpage
- Fix a corner case getsebool return value
libselinux: Rewrite restorecon() python method
When the restorecon method was added to the libselinux swig python
bindings, there was no libselinux restorecon implementation and it
he had to call matchpathcon() which is deprecated in favor of
selabel_lookup().
The new restorecon method uses selinux_restorecon method from libselinux
and which is exported by the previous commit.
https://github.com/SELinuxProject/selinux/issues/29https://github.com/fedora-selinux/selinux/pull/35
Fixes:
>>> selinux.restorecon('/var/lib', recursive=True)
Traceback (most recent call last):
File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 114, in restorecon
status, context = matchpathcon(path, mode)
FileNotFoundError: [Errno 2] No such file or directory
- Fix -Wsign-compare warnings
- Drop unused stdio_ext.h header file
- Kill logging check for selinux_enabled()
- Drop usage of _D_ALLOC_NAMLEN
- Add openrc_contexts functions
- Fix redefinition of XATTR_NAME_SELINUX
- Correct error path to always try text
- Clean up process_file()
- Handle NULL pcre study data
- Fix in tree compilation of utils that depend on libsepol
- Clarify is_selinux_mls_enabled() description
- Explain how to free policy type from selinux_getpolicytype()
- Compare absolute pathname in matchpathcon -V
- Add selinux_snapperd_contexts_path()
There was a change in swig-3.10 to use importlib instead of imp. While
the implementation with imp looked for _selinux.so also in the directory
where __init__.py was, importlib search only standard paths. It means that we
need to move _selinux.so from $(PYLIBDIR)/site-packages/selinux/
to $(PYLIBDIR)/site-packages/
Fixes:
>>> import selinux
Traceback (most recent call last):
File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 18, in swig_import_helper
return importlib.import_module(mname)
File "/usr/lib64/python3.5/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "<frozen importlib._bootstrap>", line 986, in _gcd_import
File "<frozen importlib._bootstrap>", line 969, in _find_and_load
File "<frozen importlib._bootstrap>", line 956, in _find_and_load_unlocked
ImportError: No module named '_selinux'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 21, in <module>
_selinux = swig_import_helper()
File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 20, in swig_import_helper
return importlib.import_module('_selinux')
File "/usr/lib64/python3.5/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
ImportError: No module named '_selinux'
* Thu Jun 23 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-7
- Modify audit2why analyze function to use loaded policy
- Sort object files for deterministic linking order
- Respect CC and PKG_CONFIG environment variable
- Avoid mounting /proc outside of selinux_init_load_policy()
- Fix location of selinuxfs mount point
- Only mount /proc if necessary
- procattr: return einval for <= 0 pid args
- procattr: return error on invalid pid_t input
Conflict with selinux-policy causes deadlocks in buildroots when
there's no selinux-policy available. selinux-policy-base is provided by
targeted, mls and minimum subpackages which are not installed to
buildroots.
conflicts
- selinux.py - use os.walk() instead of os.path.walk() (#1195004)
- is_selinux_enabled(): drop no-policy-loaded test (#1195074)
- fix -Wformat errors and remove deprecated mudflap option
* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
* Support overriding Makefile RANLIB from Sven Vermeulen.
* Update pkgconfig definition from Sven Vermeulen.
* Mount sysfs before trying to mount selinuxfs from Sven Vermeulen.
* Fix man pages from Laurent Bigonville.
* Support overriding PATH and LIBBASE in Makefiles from Laurent Bigonville.
* Fix LDFLAGS usage from Laurent Bigonville
* Avoid shadowing stat in load_mmap from Joe MacDonald.
* Support building on older PCRE libraries from Joe MacDonald.
* Fix handling of temporary file in sefcontext_compile from Dan Walsh.
* Fix procattr cache from Dan Walsh.
* Define python constants for getenforce result from Dan Walsh.
* Fix label substitution handling of / from Dan Walsh.
* Add selinux_current_policy_path from Dan Walsh.
* Change get_context_list to only return good matches from Dan Walsh.
* Support udev-197 and higher from Sven Vermeulen and Dan Walsh.
* Add support for local substitutions from Dan Walsh.
* Change setfilecon to not return ENOSUP if context is already correct from Dan Walsh.
* Python wrapper leak fixes from Dan Walsh.
* Export SELINUX_TRANS_DIR definition in selinux.h from Dan Walsh.
* Add selinux_systemd_contexts_path from Dan Walsh.
* Add selinux_set_policy_root from Dan Walsh.
* Add man page for sefcontext_compile from Dan Walsh.
- Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root
- Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
* audit2why: make sure path is nul terminated
* utils: new file context regex compiler
* label_file: use precompiled filecontext when possible
* do not leak mmapfd
* sefcontontext_compile: Add error handling to help debug problems in libsemanage.
* man: make selinux.8 mention service man pages
* audit2why: Fix segfault if finish() called twice
* audit2why: do not leak on multiple init() calls
* mode_to_security_class: interface to translate a mode_t in to a security class
* audit2why: Cleanup audit2why analysys function
* man: Fix program synopsis and function prototypes in man pages
* man: Fix man pages formatting
* man: Fix typo in man page
* man: Add references and man page links to _raw function variants
* Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
* man: context_new(3): fix the return value description
* selinux_status_open: handle error from sysconf
* selinux_status_open: do not leak statusfd on exec
* Fix errors found by coverity
* Change boooleans.subs to booleans.subs_dist.
* optimize set*con functions
* pkg-config do not specifc ruby version
* unmap file contexts on selabel_close()
* do not leak file contexts with mmap'd backend
* sefcontext_compile: do not leak fd on error
* matchmediacon: do not leak fd
* src/label_android_property: do not leak fd on error
