-rw-r--r-- | .SRCINFO | 20 | ||||
-rw-r--r-- | 0001-libselinux-fix-pointer-handling-in-realpath_not_fina.patch | 37 | ||||
-rw-r--r-- | 0001-libselinux-only-mount-proc-if-necessary.patch | 54 | ||||
-rw-r--r-- | 0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch | 130 | ||||
-rw-r--r-- | 0002-Revert-libselinux-support-new-python3-functions.patch | 82 | ||||
-rw-r--r-- | 0003-libselinux-Change-the-location-of-_selinux-so.patch | 44 | ||||
-rw-r--r-- | PKGBUILD | 38 |
7 files changed, 147 insertions, 258 deletions
@@ -1,7 +1,7 @@
 pkgbase = libselinux
 pkgdesc = SELinux library and simple utilities
- pkgver = 2.5
- pkgrel = 3
+ pkgver = 2.6
+ pkgrel = 1
 url = http://userspace.selinuxproject.org
 arch = i686
 arch = x86_64
@@ -18,19 +18,17 @@ pkgbase = libselinux
 optdepends = python2: python2 bindings
 optdepends = python: python bindings
 optdepends = ruby: ruby bindings
- provides = selinux-usr-libselinux=2.5-3
+ provides = selinux-usr-libselinux=2.6-1
 conflicts = selinux-usr-libselinux
 options = !emptydirs
- source = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-2.5.tar.gz
+ source = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/libselinux-2.6.tar.gz
 source = libselinux.tmpfiles.d
- source = 0001-libselinux-only-mount-proc-if-necessary.patch
- source = 0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
- source = 0003-libselinux-Change-the-location-of-_selinux-so.patch
- sha256sums = 94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f
+ source = 0001-libselinux-fix-pointer-handling-in-realpath_not_fina.patch
+ source = 0002-Revert-libselinux-support-new-python3-functions.patch
+ sha256sums = 4ea2dde50665c202253ba5caac7738370ea0337c47b251ba981c60d24e1a118a
 sha256sums = afe23890fb2e12e6756e5d81bad3c3da33f38a95d072731c0422fbeb0b1fa1fc
- sha256sums = da3ed20d45b7656c25411bcc31109a78b64265978839bbc06b25151a7231611c
- sha256sums = 1d20ae0d6fb39dd93258388297206980cb530b04511c4b16db247e05c84804a8
- sha256sums = 725ec5a452b899309626b5e75f16f068ac108f9652565c99aedc268fd1d3922d
+ sha256sums = 4d7998c5368a6d13f5b730184b4e9ddb28dd42e1576f8daf12676ca468a935b3
+ sha256sums = 82f598ab5c5d21b8b76e887fea43e5d8549f4e9a4047ba3a4cf1a6980ff22eec
 pkgname = libselinux
diff --git a/0001-libselinux-fix-pointer-handling-in-realpath_not_fina.patch b/0001-libselinux-fix-pointer-handling-in-realpath_not_fina.patch
new file mode 100644
index 000000000000..28da417a2cb3
--- /dev/null
+++ b/0001-libselinux-fix-pointer-handling-in-realpath_not_fina.patch
@@ -0,0 +1,37 @@
+From 550c0122ee22c5c41bba6cd1ddd5a71529610ada Mon Sep 17 00:00:00 2001
+From: vmojzis <vmojzis@redhat.com>
+Date: Thu, 27 Oct 2016 13:52:36 +0200
+Subject: [PATCH] libselinux: fix pointer handling in realpath_not_final
+
+Loop designed for stripping leading "//" was changing
+the only pointer referencing block of memory allocated
+by "strdup", resulting in "free()" failure. The loop
+had no effect because "realpath" is used later on.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1376598
+
+Signed-off-by: vmojzis <vmojzis@redhat.com>
+---
+ libselinux/src/matchpathcon.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
+index 724eb65097d6..58b4144ac0bf 100644
+--- a/libselinux/src/matchpathcon.c
++++ b/libselinux/src/matchpathcon.c
+@@ -389,12 +389,6 @@ int realpath_not_final(const char *name, char *resolved_path)
+ goto out;
+ }
+
+- /* strip leading // */
+- while (tmp_path[len] && tmp_path[len] == '/' &&
+- tmp_path[len+1] && tmp_path[len+1] == '/') {
+- tmp_path++;
+- len++;
+- }
+ last_component = strrchr(tmp_path, '/');
+
+ if (last_component == tmp_path) {
+--
+2.10.2
+
diff --git a/0001-libselinux-only-mount-proc-if-necessary.patch b/0001-libselinux-only-mount-proc-if-necessary.patch
deleted file mode 100644
index eb718a20d82f..000000000000
--- a/0001-libselinux-only-mount-proc-if-necessary.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From fb2c271e1903ca11320b9bfad747f55fb2b1535f Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <sds@tycho.nsa.gov>
-Date: Mon, 29 Feb 2016 10:10:55 -0500
-Subject: [PATCH 1/2] libselinux: only mount /proc if necessary
-
-Commit 9df498884665d ("libselinux: Mount procfs before checking
-/proc/filesystems") changed selinuxfs_exists() to always try
-mounting /proc before reading /proc/filesystems. However, this is
-unnecessary if /proc is already mounted and can produce avc denials
-if the process is not allowed to perform the mount. Check first
-to see if /proc is already present and only try the mount if it is not.
-
-Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- libselinux/src/init.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/libselinux/src/init.c b/libselinux/src/init.c
-index 3db4de06aa7e..35305942970f 100644
---- a/libselinux/src/init.c
-+++ b/libselinux/src/init.c
-@@ -12,6 +12,7 @@
- #include <stdint.h>
- #include <limits.h>
- #include <sys/mount.h>
-+#include <linux/magic.h>
-
- #include "dso.h"
- #include "policy.h"
-@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
-
- int selinuxfs_exists(void)
- {
-- int exists = 0, mnt_rc = 0;
-+ int exists = 0, mnt_rc = -1, rc;
-+ struct statfs sb;
- FILE *fp = NULL;
- char *buf = NULL;
- size_t len;
- ssize_t num;
-
-- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
-+ do {
-+ rc = statfs("/proc", &sb);
-+ } while (rc < 0 && errno == EINTR);
-+
-+ if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
-+ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
-
- fp = fopen("/proc/filesystems", "r");
- if (!fp) {
---
-2.9.3
-
diff --git a/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch b/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
deleted file mode 100644
index 5b666bebf50e..000000000000
--- a/0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From e4057752bc98451232d402364dc6dc9dff2a5e60 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <sds@tycho.nsa.gov>
-Date: Fri, 13 May 2016 11:59:47 -0400
-Subject: [PATCH 2/2] Avoid mounting /proc outside of
- selinux_init_load_policy().
-
-Temporarily mounting /proc within selinuxfs_exists() can cause
-problems since it can be called by a libselinux constructor and
-therefore may be invoked by every program linked with libselinux.
-Since this was only motivated originally by a situation where
-selinuxfs_exists() was called from selinux_init_load_policy()
-before /proc was mounted, fix it in selinux_init_load_policy() instead.
-
-This reverts commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
-("libselinux: only mount /proc if necessary") and
-commit 9df498884665d79474b79f0f30d1cd67df11bd3e
-("libselinux: Mount procfs before checking /proc/filesystems").
-
-Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
----
- libselinux/src/init.c | 27 +++------------------------
- libselinux/src/load_policy.c | 15 ++++++++++-----
- 2 files changed, 13 insertions(+), 29 deletions(-)
-
-diff --git a/libselinux/src/init.c b/libselinux/src/init.c
-index 35305942970f..3c687a29d7ff 100644
---- a/libselinux/src/init.c
-+++ b/libselinux/src/init.c
-@@ -11,8 +11,6 @@
- #include <sys/vfs.h>
- #include <stdint.h>
- #include <limits.h>
--#include <sys/mount.h>
--#include <linux/magic.h>
-
- #include "dso.h"
- #include "policy.h"
-@@ -58,26 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
-
- int selinuxfs_exists(void)
- {
-- int exists = 0, mnt_rc = -1, rc;
-- struct statfs sb;
-+ int exists = 0;
- FILE *fp = NULL;
- char *buf = NULL;
- size_t len;
- ssize_t num;
-
-- do {
-- rc = statfs("/proc", &sb);
-- } while (rc < 0 && errno == EINTR);
--
-- if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
-- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
--
- fp = fopen("/proc/filesystems", "r");
-- if (!fp) {
-- exists = 1; /* Fail as if it exists */
-- goto out;
-- }
--
-+ if (!fp)
-+ return 1; /* Fail as if it exists */
- __fsetlocking(fp, FSETLOCKING_BYCALLER);
-
- num = getline(&buf, &len, fp);
-@@ -91,14 +78,6 @@ int selinuxfs_exists(void)
-
- free(buf);
- fclose(fp);
--
--out:
--#ifndef MNT_DETACH
--#define MNT_DETACH 2
--#endif
-- if (mnt_rc == 0)
-- umount2("/proc", MNT_DETACH);
--
- return exists;
- }
- hidden_def(selinuxfs_exists)
-diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
-index 21ee58b2e4d7..4f39fc78d7bf 100644
---- a/libselinux/src/load_policy.c
-+++ b/libselinux/src/load_policy.c
-@@ -17,6 +17,10 @@
- #include "policy.h"
- #include <limits.h>
-
-+#ifndef MNT_DETACH
-+#define MNT_DETACH 2
-+#endif
-+
- int security_load_policy(void *data, size_t len)
- {
- char path[PATH_MAX];
-@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce)
- fclose(cfg);
- free(buf);
- }
--#ifndef MNT_DETACH
--#define MNT_DETACH 2
--#endif
-- if (rc == 0)
-- umount2("/proc", MNT_DETACH);
-
- /*
- * Determine the final desired mode.
-@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce)
- /* Only emit this error if selinux was not disabled */
- fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno));
- }
-+
-+ if (rc == 0)
-+ umount2("/proc", MNT_DETACH);
-
- goto noload;
- }
- set_selinuxmnt(mntpoint);
-
-+ if (rc == 0)
-+ umount2("/proc", MNT_DETACH);
-+
- /*
- * Note: The following code depends on having selinuxfs
- * already mounted and selinuxmnt set above.
---
-2.9.3
-
diff --git a/0002-Revert-libselinux-support-new-python3-functions.patch b/0002-Revert-libselinux-support-new-python3-functions.patch
new file mode 100644
index 000000000000..4570a1074b6a
--- /dev/null
+++ b/0002-Revert-libselinux-support-new-python3-functions.patch
@@ -0,0 +1,82 @@
+From cc550202c358286c488aba45be2009d6f2d2746d Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville <bigon@bigon.be>
+Date: Wed, 2 Nov 2016 16:24:31 +0100
+Subject: [PATCH] Revert "libselinux: support new python3 functions"
+
+With the reverted commit applied, some functions were returning arrays
+of bytes instead of python strings under python3 this was causing issues
+with string manipulation functions like split().
+
+Swig (checked with 3.0.7) is adding compatibility macros that take care
+of the differences between python2 and python3.
+
+This reverts commit 63df0f7ef12844b9b86cc293299671da772fcf84.
+
+Signed-off-by: Laurent Bigonville <bigon@bigon.be>
+---
+ libselinux/src/selinuxswig_python.i | 22 +++++++---------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
+index 8cea18d25dba..43df29153d7c 100644
+--- a/libselinux/src/selinuxswig_python.i
++++ b/libselinux/src/selinuxswig_python.i
+@@ -64,7 +64,7 @@ def install(src, dest):
+ PyObject* list = PyList_New(*$2);
+ int i;
+ for (i = 0; i < *$2; i++) {
+- PyList_SetItem(list, i, PyBytes_FromString((*$1)[i]));
++ PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
+ }
+ $result = SWIG_Python_AppendOutput($result, list);
+ }
+@@ -97,9 +97,7 @@ def install(src, dest):
+ len++;
+ plist = PyList_New(len);
+ for (i = 0; i < len; i++) {
+- PyList_SetItem(plist, i,
+- PyBytes_FromString((*$1)[i])
+- );
++ PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
+ }
+ } else {
+ plist = PyList_New(0);
+@@ -116,9 +114,7 @@ def install(src, dest):
+ if (*$1) {
+ plist = PyList_New(result);
+ for (i = 0; i < result; i++) {
+- PyList_SetItem(plist, i,
+- PyBytes_FromString((*$1)[i])
+- );
++ PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
+ }
+ } else {
+ plist = PyList_New(0);
+@@ -171,20 +167,16 @@ def install(src, dest):
+ $1 = (char**) malloc(size + 1);
+
+ for(i = 0; i < size; i++) {
+- if (!PyBytes_Check(PySequence_GetItem($input, i))) {
+- PyErr_SetString(PyExc_ValueError, "Sequence must contain only bytes");
+-
++ if (!PyString_Check(PySequence_GetItem($input, i))) {
++ PyErr_SetString(PyExc_ValueError, "Sequence must contain only strings");
+ return NULL;
+ }
+-
+ }
+
+ for(i = 0; i < size; i++) {
+ s = PySequence_GetItem($input, i);
+-
+- $1[i] = (char*) malloc(PyBytes_Size(s) + 1);
+- strcpy($1[i], PyBytes_AsString(s));
+-
++ $1[i] = (char*) malloc(PyString_Size(s) + 1);
++ strcpy($1[i], PyString_AsString(s));
+ }
+ $1[size] = NULL;
+ }
+--
+2.10.2
+
diff --git a/0003-libselinux-Change-the-location-of-_selinux-so.patch b/0003-libselinux-Change-the-location-of-_selinux-so.patch
deleted file mode 100644
index a77ec39b3989..000000000000
--- a/0003-libselinux-Change-the-location-of-_selinux-so.patch
+++ /dev/null
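Review bot: The typemap shown as context in the last hunk of this backported patch (`@@ -171,20 +167,16 @@`) still allocates its output array with `$1 = (char**) malloc(size + 1);`, which reserves size + 1 bytes while the loops below store `size` pointers plus the `$1[size] = NULL` terminator, so the stores run past the end of the buffer. The allocation should count elements rather than bytes, `$1 = (char**) calloc(size + 1, sizeof(char *));`, followed by a NULL check before the loops. The same block also returns NULL on a type mismatch without freeing `$1`, and does not release the references returned by `PySequence_GetItem`. The typemap begins outside the hunk, so how `size` is computed is not visible here; because the package already carries this patch, a follow-up patch or an upstream report is the place for the fix.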
@@ -1,44 +0,0 @@
-From 722afe4068bada52aae1af84d7a6ef823ea309b4 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Mon, 27 Jun 2016 10:46:13 +0200
-Subject: [PATCH 1/1] libselinux: Change the location of _selinux.so
-
-There was a change in swig-3.10 to use importlib instead of imp. While
-the implementation with imp looked for _selinux.so also into the same directory
-as __init__.py is, a new module with importlib searchs only standard paths.
-It means that we need to move _selinux.so from $(PYLIBDIR)/site-packages/selinux/
-to $(PYLIBDIR)/site-packages/.
-
-Fixes:
->>> import selinux
-Traceback (most recent call last):
- File "<stdin>", line 1, in <module>
- File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 21, in <module>
- _selinux = swig_import_helper()
- File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 20, in swig_import_helper
- return importlib.import_module('_selinux')
- File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
- __import__(name)
-ImportError: No module named _selinux
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- libselinux/src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
-index d0021ae8d77d..48d65abb5e32 100644
---- a/libselinux/src/Makefile
-+++ b/libselinux/src/Makefile
-@@ -155,7 +155,7 @@ install: all
-
- install-pywrap: pywrap
- test -d $(PYLIBDIR)/site-packages/selinux || install -m 755 -d $(PYLIBDIR)/site-packages/selinux
-- install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/selinux/_selinux.so
-+ install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/_selinux.so
- install -m 755 $(AUDIT2WHYSO) $(PYLIBDIR)/site-packages/selinux/audit2why.so
- install -m 644 $(SWIGPYOUT) $(PYLIBDIR)/site-packages/selinux/__init__.py
-
---
-2.9.3
-
@@ -5,8 +5,8 @@
 # Contributor: Zezadas
 pkgname=libselinux
-pkgver=2.5
-pkgrel=3
+pkgver=2.6
+pkgrel=1
 pkgdesc="SELinux library and simple utilities"
 arch=('i686' 'x86_64' 'armv6h')
 url='http://userspace.selinuxproject.org'
@@ -20,33 +20,28 @@ optdepends=('python2: python2 bindings' conflicts=("selinux-usr-${pkgname}") provides=("selinux-usr-${pkgname}=${pkgver}-${pkgrel}") options=(!emptydirs) -source=("https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/${pkgname}-${pkgver}.tar.gz" +source=("https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/${pkgname}-${pkgver}.tar.gz" "libselinux.tmpfiles.d" - "0001-libselinux-only-mount-proc-if-necessary.patch" - "0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch" - "0003-libselinux-Change-the-location-of-_selinux-so.patch") -sha256sums=('94c9e97706280bedcc288f784f67f2b9d3d6136c192b2c9f812115edba58514f' + '0001-libselinux-fix-pointer-handling-in-realpath_not_fina.patch' + '0002-Revert-libselinux-support-new-python3-functions.patch') +sha256sums=('4ea2dde50665c202253ba5caac7738370ea0337c47b251ba981c60d24e1a118a' 'afe23890fb2e12e6756e5d81bad3c3da33f38a95d072731c0422fbeb0b1fa1fc' - 'da3ed20d45b7656c25411bcc31109a78b64265978839bbc06b25151a7231611c' - '1d20ae0d6fb39dd93258388297206980cb530b04511c4b16db247e05c84804a8' - '725ec5a452b899309626b5e75f16f068ac108f9652565c99aedc268fd1d3922d') + '4d7998c5368a6d13f5b730184b4e9ddb28dd42e1576f8daf12676ca468a935b3' + '82f598ab5c5d21b8b76e887fea43e5d8549f4e9a4047ba3a4cf1a6980ff22eec') prepare() { cd "${pkgname}-${pkgver}" - sed -i 's|pkg-config --cflags ruby|pkg-config --cflags ruby-$(RUBYLIBVER)|' src/Makefile - sed -i 's|site_ruby|vendor_ruby|' src/Makefile - # Backport commits to fix issues when SELinux is disabled - # https://github.com/systemd/systemd/issues/3962#issuecomment-239827399 - patch -Np2 -i "../0001-libselinux-only-mount-proc-if-necessary.patch" - patch -Np2 -i "../0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch" - - # Backport commit to fix the Python wrapper with SWIG 3.0.10 - patch -Np2 -i "../0003-libselinux-Change-the-location-of-_selinux-so.patch" + patch -Np2 -i 
'../0001-libselinux-fix-pointer-handling-in-realpath_not_fina.patch' + patch -Np2 -i '../0002-Revert-libselinux-support-new-python3-functions.patch' } build() { cd "${pkgname}-${pkgver}" + + # Do not build deprecated rpm_execcon() interface. It is useless on Arch Linux anyway. + export DISABLE_RPM=y + make swigify make all make PYTHON=python2 pywrap @@ -56,10 +51,15 @@ build() { package(){ cd "${pkgname}-${pkgver}" + + export DISABLE_RPM=y + make DESTDIR="${pkgdir}" USRBINDIR="${pkgdir}"/usr/bin LIBDIR="${pkgdir}"/usr/lib SHLIBDIR="${pkgdir}"/usr/lib install make DESTDIR="${pkgdir}" USRBINDIR="${pkgdir}"/usr/bin LIBDIR="${pkgdir}"/usr/lib SHLIBDIR="${pkgdir}"/usr/lib PYTHON=python2 install-pywrap make DESTDIR="${pkgdir}" USRBINDIR="${pkgdir}"/usr/bin LIBDIR="${pkgdir}"/usr/lib SHLIBDIR="${pkgdir}"/usr/lib PYTHON=python3 install-pywrap make DESTDIR="${pkgdir}" USRBINDIR="${pkgdir}"/usr/bin LIBDIR="${pkgdir}"/usr/lib SHLIBDIR="${pkgdir}"/usr/lib install-rubywrap + python2 -m compileall "${pkgdir}/$(python2 -c 'import site; print(site.getsitepackages()[0])')" + python3 -m compileall "${pkgdir}/$(python3 -c 'import site; print(site.getsitepackages()[0])')" install -Dm 0644 "${srcdir}"/libselinux.tmpfiles.d "${pkgdir}"/usr/lib/tmpfiles.d/libselinux.conf } |
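Review bot: The two `compileall` calls added at the end of package() compile the files under `${pkgdir}` without `-d`, so the staging directory is written into every generated `.pyc` as the source path. That leaks the build location into the package and makes its contents depend on where it was built. Passing the installed directory avoids both: `py2site="$(python2 -c 'import site; print(site.getsitepackages()[0])')"` followed by `python2 -m compileall -d "${py2site}" "${pkgdir}${py2site}"`, and the same pair for python3.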