Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libselinux for openSUSE:Factory checked in at 2021-03-24 16:09:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libselinux (Old) and /work/SRC/openSUSE:Factory/.libselinux.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libselinux" Wed Mar 24 16:09:01 2021 rev:65 rq:879862 version:3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/libselinux/libselinux-bindings.changes 2020-10-06 17:09:19.149434456 +0200 +++ /work/SRC/openSUSE:Factory/.libselinux.new.2401/libselinux-bindings.changes 2021-03-24 16:09:06.903697394 +0100 @@ -1,0 +2,18 @@ +Wed Mar 17 15:17:27 UTC 2021 - Dominique Leuenberger <dims...@opensuse.org> + +- Switch to pcre2: + + Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8) + + Pass USE_PCRE2=y to make. + +------------------------------------------------------------------- +Tue Mar 9 09:01:15 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Update to version 3.2: + * Use mmap()'ed kernel status page instead of netlink by default. + See "KERNEL STATUS PAGE" section in avc_init(3) for more details. + * New log callback levels for enforcing and policy load notices - + SELINUX_POLICYLOAD, SELINUX_SETENFORCE + * Changed userspace AVC setenforce and policy load messages to audit + format. + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/libselinux/libselinux.changes 2021-02-11 12:46:00.829368886 +0100 +++ /work/SRC/openSUSE:Factory/.libselinux.new.2401/libselinux.changes 2021-03-24 16:09:06.955697449 +0100 
@@ -1,0 +2,20 @@ +Wed Mar 17 15:13:16 UTC 2021 - Dominique Leuenberger <dims...@opensuse.org> + +- Switch to pcre2: + + Replace pcre-devel BuildRequires with pkgconfig(libpcre2-8) + + Pass USE_PCRE2=y to make. + + Replace pkgconfig(libpcre) Requires in -devel static with + pkgconfig(libpcre2-8). + +------------------------------------------------------------------- +Tue Mar 9 09:01:15 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Update to version 3.2: + * Use mmap()'ed kernel status page instead of netlink by default. + See "KERNEL STATUS PAGE" section in avc_init(3) for more details. + * New log callback levels for enforcing and policy load notices - + SELINUX_POLICYLOAD, SELINUX_SETENFORCE + * Changed userspace AVC setenforce and policy load messages to audit + format. + +------------------------------------------------------------------- Old: ---- libselinux-3.1.tar.gz New: ---- libselinux-3.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libselinux-bindings.spec ++++++ --- /var/tmp/diff_new_pack.UVhRgL/_old 2021-03-24 16:09:07.671698200 +0100 +++ /var/tmp/diff_new_pack.UVhRgL/_new 2021-03-24 16:09:07.675698205 +0100 @@ -17,9 +17,9 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} -%define libsepol_ver 3.1 +%define libsepol_ver 3.2 Name: libselinux-bindings -Version: 3.1 +Version: 3.2 Release: 0 Summary: SELinux runtime library and simple utilities License: SUSE-Public-Domain @@ -36,11 +36,11 @@ Patch5: python3.8-compat.patch Patch6: swig4_moduleimport.patch BuildRequires: libsepol-devel-static >= %{libsepol_ver} -BuildRequires: pcre-devel BuildRequires: python-rpm-macros BuildRequires: python3-devel BuildRequires: ruby-devel BuildRequires: swig +BuildRequires: pkgconfig(libpcre2-8) %description libselinux provides an interface to get and set process and file 
@@ -83,15 +83,13 @@ %build %define _lto_cflags %{nil} -make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" -C src V=1 -make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" -C src swigify V=1 -make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" -C src pywrap V=1 -make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" -C src rubywrap V=1 +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" swigify V=1 USE_PCRE2=y +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" pywrap V=1 USE_PCRE2=y +make %{?_smp_mflags} LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fno-semantic-interposition" rubywrap V=1 USE_PCRE2=y %install -make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a -C src install V=1 -make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a -C src install-pywrap V=1 -make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a -C src install-rubywrap V=1 +make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a install-pywrap V=1 +make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" LIBSEPOLA=%{_libdir}/libsepol.a install-rubywrap V=1 rm -rf %{buildroot}/%{_lib} %{buildroot}%{_libdir}/libselinux.* %{buildroot}%{_libdir}/pkgconfig %files -n python3-selinux ++++++ libselinux.spec ++++++ --- /var/tmp/diff_new_pack.UVhRgL/_old 2021-03-24 16:09:07.691698221 +0100 +++ /var/tmp/diff_new_pack.UVhRgL/_new 2021-03-24 16:09:07.691698221 +0100 
@@ -16,15 +16,15 @@ # -%define libsepol_ver 3.1 +%define libsepol_ver 3.2 Name: libselinux -Version: 3.1 +Version: 3.2 Release: 0 Summary: SELinux runtime library and utilities License: SUSE-Public-Domain Group: Development/Libraries/C and C++ URL: https://github.com/SELinuxProject/selinux/wiki/Releases -Source: https://github.com/SELinuxProject/selinux/releases/download/20200710/%{name}-%{version}.tar.gz +Source: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz Source1: selinux-ready Source2: baselibs.conf # PATCH-FIX-UPSTREAM Include <sys/uio.h> for readv prototype @@ -32,8 +32,8 @@ Patch5: skip_cycles.patch BuildRequires: fdupes BuildRequires: libsepol-devel >= %{libsepol_ver} -BuildRequires: pcre-devel BuildRequires: pkgconfig +BuildRequires: pkgconfig(libpcre2-8) %description libselinux provides an interface to get and set process and file @@ -84,7 +84,7 @@ Summary: Static archives for the SELinux runtime Group: Development/Libraries/C and C++ Requires: libselinux-devel = %{version} -Requires: pkgconfig(libpcre) +Requires: pkgconfig(libpcre2-8) Requires: pkgconfig(libsepol) %description devel-static @@ -101,7 +101,7 @@ %build %define _lto_cflags %{nil} -make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="gcc" CFLAGS="%{optflags} -fno-semantic-interposition" +make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="gcc" CFLAGS="%{optflags} -fno-semantic-interposition" USE_PCRE2=y %install mkdir -p %{buildroot}/%{_lib} ++++++ libselinux-3.1.tar.gz -> libselinux-3.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/Makefile new/libselinux-3.2/Makefile --- old/libselinux-3.1/Makefile 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/Makefile 2021-03-04 16:42:59.000000000 +0100 
@@ -1,9 +1,10 @@
-SUBDIRS = src include utils man
+SUBDIRS = include src utils man
 PKG_CONFIG ?= pkg-config
 DISABLE_SETRANS ?= n
 DISABLE_RPM ?= n
 ANDROID_HOST ?= n
+LABEL_BACKEND_ANDROID ?= n
 ifeq ($(ANDROID_HOST),y)
 override DISABLE_SETRANS=y
 override DISABLE_BOOL=y
@@ -17,7 +18,10 @@
 ifeq ($(DISABLE_BOOL),y)
 DISABLE_FLAGS+= -DDISABLE_BOOL
 endif
-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
+ifeq ($(DISABLE_X11),y)
+ DISABLE_FLAGS+= -DNO_X_BACKEND
+endif
+export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 LABEL_BACKEND_ANDROID
 USE_PCRE2 ?= n
 ifeq ($(USE_PCRE2),y)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/VERSION new/libselinux-3.2/VERSION
--- old/libselinux-3.1/VERSION 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/VERSION 2021-03-04 16:42:59.000000000 +0100
@@ -1 +1 @@
-3.1
+3.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/include/selinux/get_context_list.h new/libselinux-3.2/include/selinux/get_context_list.h
--- old/libselinux-3.1/include/selinux/get_context_list.h 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/include/selinux/get_context_list.h 2021-03-04 16:42:59.000000000 +0100
@@ -17,14 +17,14 @@
 If 'fromcon' is NULL, defaults to current context. Caller must free via freeconary. */
 extern int get_ordered_context_list(const char *user,
- char * fromcon,
+ const char *fromcon,
 char *** list);
 /* As above, but use the provided MLS level rather than the default level for the user. */
 extern int get_ordered_context_list_with_level(const char *user,
 const char *level,
- char * fromcon,
+ const char *fromcon,
 char *** list);
 /* Get the default security context for a user session for 'user'
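Review bot: DISABLE_X11 is added to the export line and tested with ifeq in the second hunk, but unlike DISABLE_SETRANS, DISABLE_RPM, ANDROID_HOST and the new LABEL_BACKEND_ANDROID it gets no `?= n` default in the first hunk. Adding `DISABLE_X11 ?= n` next to `LABEL_BACKEND_ANDROID ?= n` keeps every build toggle visible in one place and makes the exported value well-defined rather than empty. The ifeq ($(ANDROID_HOST),y) block that opens at the end of the first hunk continues outside it.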
@@ -35,14 +35,14 @@ Returns 0 on success or -1 otherwise. Caller must free via freecon. */ extern int get_default_context(const char *user, - char * fromcon, + const char *fromcon, char ** newcon); /* As above, but use the provided MLS level rather than the default level for the user. */ extern int get_default_context_with_level(const char *user, const char *level, - char * fromcon, + const char *fromcon, char ** newcon); /* Same as get_default_context, but only return a context @@ -50,7 +50,7 @@ for the user with that role, then return -1. */ extern int get_default_context_with_role(const char *user, const char *role, - char * fromcon, + const char *fromcon, char ** newcon); /* Same as get_default_context, but only return a context @@ -59,7 +59,7 @@ extern int get_default_context_with_rolelevel(const char *user, const char *role, const char *level, - char * fromcon, + const char *fromcon, char ** newcon); /* Given a list of authorized security contexts for the user, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/include/selinux/selinux.h new/libselinux-3.2/include/selinux/selinux.h --- old/libselinux-3.1/include/selinux/selinux.h 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/include/selinux/selinux.h 2021-03-04 16:42:59.000000000 +0100 @@ -182,6 +182,8 @@ #define SELINUX_WARNING 1 #define SELINUX_INFO 2 #define SELINUX_AVC 3 +#define SELINUX_POLICYLOAD 4 +#define SELINUX_SETENFORCE 5 #define SELINUX_TRANS_DIR "/var/run/setrans" /* Compute an access decision. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/man/man3/avc_init.3 new/libselinux-3.2/man/man3/avc_init.3 --- old/libselinux-3.1/man/man3/avc_init.3 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/man/man3/avc_init.3 2021-03-04 16:42:59.000000000 +0100 
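Review bot: The two new log levels SELINUX_POLICYLOAD and SELINUX_SETENFORCE are added to selinux.h without any comment, while their meaning is only spelled out in selinux_set_callback(3) in this same update. A one-line comment above them, `/* auditable status notices (AUDIT_USER_MAC_POLICY_LOAD / AUDIT_USER_MAC_STATUS); see selinux_set_callback(3) */`, would tell a reader of the header that these are message types for the log callback and not ordinary severities.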
@@ -117,6 +117,8 @@ callback should cancel the running thread referenced by .IR thread . By default, threading is not used; see +.B KERNEL STATUS PAGE +and .B NETLINK NOTIFICATION below. 
@@ -153,14 +155,49 @@ .IR lock , freeing any resources associated with it. The default behavior is not to perform any locking. Note that undefined behavior may result if threading is used without appropriate locking. . -.SH "NETLINK NOTIFICATION" -Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of -.BR avc_has_perm (3) -to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed. +.SH "KERNEL STATUS PAGE" +Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to +.BR mmap (2) +SELinux status state in read-only mode to avoid system calls during the cache hit code path. -In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to .BR avc_init () -however, a dedicated thread will be started to listen on the netlink socket. This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query. +calls +.BR selinux_status_open (3) +to initialize the selinux status state. If successfully initialized, the userspace AVC will default to single-threaded mode and ignore the +.B func_create_thread +and +.B func_stop_thread +callbacks. All callbacks set via +.BR selinux_set_callback (3) +will still be honored. + +.BR avc_has_perm (3) +and +.BR selinux_check_access (3) +both check for status updates through calls to +.BR selinux_status_updated (3) +at the start of each permission query and take the appropriate action. 
+ +Two status types are currently implemented. +.B setenforce +events will change the effective enforcing state used within the AVC, and +.B policyload +events will result in a cache flush. +. +.SH "NETLINK NOTIFICATION" +In the event that the kernel status page is not successfully +.BR mmap (2)'ed +the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates. +.B setenforce +and +.B policyload +events will have the same results as for the status page implementation, but all status update checks will now require a system call. + +By default, +.BR avc_open (3) +does not set threading or locking callbacks. In the fallback case, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to +.BR avc_init (), +a dedicated thread will be started to listen on the netlink socket. This may increase performance in the absence of the status page and will ensure that log messages are generated immediately rather than at the time of the next permission query. . .SH "RETURN VALUE" Functions with a return value return zero on success. On error, \-1 is returned and @@ -192,5 +229,7 @@ . .SH "SEE ALSO" .BR avc_open (3), +.BR selinux_status_open (3), +.BR selinux_status_updated (3), .BR selinux_set_callback (3), .BR selinux (8) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/man/man3/avc_netlink_loop.3 new/libselinux-3.2/man/man3/avc_netlink_loop.3 --- old/libselinux-3.1/man/man3/avc_netlink_loop.3 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/man/man3/avc_netlink_loop.3 2021-03-04 16:42:59.000000000 +0100 
@@ -54,6 +54,11 @@ returns the netlink socket descriptor number and informs the userspace AVC not to check the socket descriptor automatically on calls to .BR avc_has_perm (3). +If no such socket descriptor exists, +.BR avc_netlink_acquire_fd (3) +will first call +.BR avc_netlink_open (3) +and then return the resulting fd. .BR avc_netlink_release_fd () returns control of the netlink socket to the userspace AVC, re-enabling @@ -78,6 +83,9 @@ .I errno is set appropriately. . +.SH "AUTHOR" +Originally KaiGai Kohei. Updated by Mike Palmiotto <mike.palmio...@crunchydata.com> +. .SH "SEE ALSO" .BR avc_open (3), .BR selinux_set_callback (3), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/man/man3/avc_open.3 new/libselinux-3.2/man/man3/avc_open.3 --- old/libselinux-3.1/man/man3/avc_open.3 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/man/man3/avc_open.3 2021-03-04 16:42:59.000000000 +0100 
@@ -46,10 +46,37 @@ .B AVC_OPT_SETENFORCE This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise. The system enforcing mode will be ignored. . -.SH "NETLINK NOTIFICATION" -Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink. Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively. The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of +.SH "KERNEL STATUS PAGE" +Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to +.BR mmap (2) +SELinux status state in read-only mode to avoid system calls during the cache hit code path. + +.BR avc_open () +calls +.BR selinux_status_open (3) +to initialize the selinux status state. + .BR avc_has_perm (3) -to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification. Audit messages are produced when netlink notifications are processed. +and +.BR selinux_check_access (3) +both check for status updates through calls to +.BR selinux_status_updated (3) +at the start of each permission query and take the appropriate action. + +Two status types are currently implemented. +.B setenforce +events will change the effective enforcing state used within the AVC, and +.B policyload +events will result in a cache flush. +. +.SH "NETLINK NOTIFICATION" +In the event that the kernel status page is not successfully +.BR mmap (2)'ed +the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates. +.B setenforce +and +.B policyload +events will have the same results as for the status page implementation, but all status update checks will now require a system call. . .SH "RETURN VALUE" Functions with a return value return zero on success. On error, \-1 is returned and 
@@ -61,9 +88,12 @@ . .SH "SEE ALSO" .BR selinux (8), +.BR selinux_check_access (3), .BR avc_has_perm (3), .BR avc_context_to_sid (3), .BR avc_cache_stats (3), .BR avc_add_callback (3), +.BR selinux_status_open (3), +.BR selinux_status_updated (3), .BR selinux_set_callback (3), .BR security_compute_av (3) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/man/man3/get_ordered_context_list.3 new/libselinux-3.2/man/man3/get_ordered_context_list.3 --- old/libselinux-3.1/man/man3/get_ordered_context_list.3 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/man/man3/get_ordered_context_list.3 2021-03-04 16:42:59.000000000 +0100 
@@ -7,17 +7,17 @@ .br .B #include <selinux/get_context_list.h> .sp -.BI "int get_ordered_context_list(const char *" user ", char *" fromcon ", char ***" list ); +.BI "int get_ordered_context_list(const char *" user ", const char *" fromcon ", char ***" list ); .sp -.BI "int get_ordered_context_list_with_level(const char *" user ", const char *" level ", char *" fromcon ", char ***" list ); +.BI "int get_ordered_context_list_with_level(const char *" user ", const char *" level ", const char *" fromcon ", char ***" list ); .sp -.BI "int get_default_context(const char *" user ", char *" fromcon ", char **" newcon ); +.BI "int get_default_context(const char *" user ", const char *" fromcon ", char **" newcon ); .sp -.BI "int get_default_context_with_level(const char *" user ", const char *" level ", char *" fromcon ", char **" newcon ); +.BI "int get_default_context_with_level(const char *" user ", const char *" level ", const char *" fromcon ", char **" newcon ); .sp -.BI "int get_default_context_with_role(const char *" user ", const char *" role ", char *" fromcon ", char **" newcon "); +.BI "int get_default_context_with_role(const char *" user ", const char *" role ", const char *" fromcon ", char **" newcon "); .sp -.BI "int get_default_context_with_rolelevel(const char *" user ", const char *" role ", const char *" level ", char *" fromcon ", char **" newcon "); +.BI "int get_default_context_with_rolelevel(const char *" user ", const char *" role ", const char *" level ", const char *" fromcon ", char **" newcon "); .sp .BI "int query_user_context(char **" list ", char **" newcon ); .sp diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/man/man3/security_check_context.3 new/libselinux-3.2/man/man3/security_check_context.3 --- old/libselinux-3.1/man/man3/security_check_context.3 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/man/man3/security_check_context.3 2021-03-04 16:42:59.000000000 +0100 
@@ -5,9 +5,9 @@ .SH "SYNOPSIS" .B #include <selinux/selinux.h> .sp -.BI "int security_check_context(char *" con ); +.BI "int security_check_context(const char *" con ); .sp -.BI "int security_check_context_raw(char *" con ); +.BI "int security_check_context_raw(const char *" con ); . .SH "DESCRIPTION" .BR security_check_context () diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/man/man3/selinux_set_callback.3 new/libselinux-3.2/man/man3/selinux_set_callback.3 --- old/libselinux-3.1/man/man3/selinux_set_callback.3 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/man/man3/selinux_set_callback.3 2021-03-04 16:42:59.000000000 +0100 @@ -46,6 +46,20 @@ .B SELINUX_INFO .B SELINUX_AVC + +.B SELINUX_POLICYLOAD + +.B SELINUX_SETENFORCE + +SELINUX_ERROR, SELINUX_WARNING, and SELINUX_INFO indicate standard log severity +levels and are not auditable messages. + +The SELINUX_AVC, SELINUX_POLICYLOAD, and SELINUX_SETENFORCE message types can be +audited with AUDIT_USER_AVC, AUDIT_USER_MAC_POLICY_LOAD, and AUDIT_USER_MAC_STATUS +values from libaudit, respectively. If they are not audited, SELINUX_AVC should be +considered equivalent to SELINUX_ERROR; similarly, SELINUX_POLICYLOAD and +SELINUX_SETENFORCE should be considered equivalent to SELINUX_INFO. + . .TP .B SELINUX_CB_AUDIT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/man/man3/selinux_status_open.3 new/libselinux-3.2/man/man3/selinux_status_open.3 --- old/libselinux-3.1/man/man3/selinux_status_open.3 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/man/man3/selinux_status_open.3 2021-03-04 16:42:59.000000000 +0100 
@@ -48,7 +48,7 @@ argument to handle a case of older kernels without kernel status page support. In this case, this function tries to open a netlink socket using .BR avc_netlink_open (3) -and overwrite corresponding callbacks ( setenforce and policyload). +and overwrite corresponding callbacks (setenforce and policyload). Thus, we need to pay attention to the interaction with these interfaces, when fallback mode is enabled. .sp @@ -57,9 +57,14 @@ netlink socket if fallbacked. .sp .BR selinux_status_updated () -informs us whether something has been updated since the last call. -It returns 0 if nothing was happened, however, 1 if something has been -updated in this duration, or \-1 on error. +processes status update events. There are two kinds of status updates. +.B setenforce +events will change the effective enforcing state used within the AVC, and +.B policyload +events will result in a cache flush. + +This function returns 0 if there have been no updates since the last call, +1 if there have been updates since the last call, or \-1 on error. .sp .BR selinux_status_getenforce () returns 0 if SELinux is running in permissive mode, 1 if enforcing mode, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/man/man5/selabel_file.5 new/libselinux-3.2/man/man5/selabel_file.5 --- old/libselinux-3.1/man/man5/selabel_file.5 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/man/man5/selabel_file.5 2021-03-04 16:42:59.000000000 +0100 
@@ -125,7 +125,14 @@ .RS .I pathname .RS -An entry that defines the pathname that may be in the form of a regular expression. +An entry that defines the path to be labeled. +May contain either a fully qualified path, +or a Perl compatible regular expression (PCRE), +describing fully qualified path(s). +The only PCRE flag in use is PCRE2_DOTALL, +which causes a wildcard '.' to match anything, including a new line. +Strings representing paths are processed as bytes (as opposed to Unicode), +meaning that non-ASCII characters are not matched by a single wildcard. .RE .I file_type .RS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/man/man8/selinux.8 new/libselinux-3.2/man/man8/selinux.8 --- old/libselinux-3.1/man/man8/selinux.8 2020-07-10 17:17:15.000000000 +0200 +++ new/libselinux-3.2/man/man8/selinux.8 2021-03-04 16:42:59.000000000 +0100 
@@ -19,18 +19,36 @@ permissive mode or enforcing mode. The .B SELINUX variable may be set to -any one of disabled, permissive, or enforcing to select one of these -options. The disabled option completely disables the SELinux kernel -and application code, leaving the system running without any SELinux -protection. The permissive option enables the SELinux code, but -causes it to operate in a mode where accesses that would be denied by -policy are permitted but audited. The enforcing option enables the -SELinux code and causes it to enforce access denials as well as -auditing them. Permissive mode may yield a different set of denials -than enforcing mode, both because enforcing mode will prevent an -operation from proceeding past the first denial and because some -application code will fall back to a less privileged mode of operation -if denied access. +any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to +select one of these options. The \fIdisabled\fR disables most of the +SELinux kernel and application code, leaving the system +running without any SELinux protection. The \fIpermissive\fR option +enables the SELinux code, but causes it to operate in a mode where +accesses that would be denied by policy are permitted but audited. The +\fIenforcing\fR option enables the SELinux code and causes it to enforce +access denials as well as auditing them. \fIpermissive\fR mode may +yield a different set of denials than enforcing mode, both because +enforcing mode will prevent an operation from proceeding past the first +denial and because some application code will fall back to a less +privileged mode of operation if denied access. + +.B NOTE: +Disabling SELinux by setting +.B SELINUX=disabled +in +.I /etc/selinux/config +is deprecated and depending on kernel version and configuration it might +not lead to SELinux being completely disabled. 
Specifically, the
+SELinux hooks will still be executed internally, but the SELinux policy
+will not be loaded and no operation will be denied. In such state, the
+system will act as if SELinux was disabled, although some operations
+might behave slightly differently. To properly disable SELinux, it is
+recommended to use the
+.B selinux=0
+kernel boot option instead. In that case SELinux will be disabled
+regardless of what is set in the
+.I /etc/selinux/config
+file.
 The
 .I /etc/selinux/config
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/Makefile new/libselinux-3.2/src/Makefile
--- old/libselinux-3.1/src/Makefile 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/Makefile 2021-03-04 16:42:59.000000000 +0100
@@ -122,8 +122,16 @@
 label_backends_android.c regex.c label_support.c \
 matchpathcon.c setrans_client.c sha1.c booleans.c
 else
-DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+LABEL_BACKEND_ANDROID=y
+endif
+
+ifneq ($(LABEL_BACKEND_ANDROIDT),y)
 SRCS:= $(filter-out label_backends_android.c, $(SRCS))
+DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+endif
+
+ifeq ($(DISABLE_X11),y)
+SRCS:= $(filter-out label_x.c, $(SRCS))
 endif
 SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/avc.c new/libselinux-3.2/src/avc.c
--- old/libselinux-3.1/src/avc.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/avc.c 2021-03-04 16:42:59.000000000 +0100
@@ -50,7 +50,6 @@
 struct avc_callback_node *next;
 };
-static void *avc_netlink_thread = NULL;
 static void *avc_lock = NULL;
 static void *avc_log_lock = NULL;
 static struct avc_node *avc_node_freelist = NULL;
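Review bot: The new guard `ifneq ($(LABEL_BACKEND_ANDROIDT),y)` in src/Makefile tests a misspelled variable, so it is always true: label_backends_android.c is filtered out of SRCS and -DNO_ANDROID_BACKEND is appended unconditionally, including in the ANDROID_HOST=y branch that lists the file explicitly and right after the else branch has set LABEL_BACKEND_ANDROID=y. The intended line is presumably `ifneq ($(LABEL_BACKEND_ANDROID),y)`. It is also worth confirming that enabling the backend in the non-ANDROID_HOST branch while the top-level Makefile defaults LABEL_BACKEND_ANDROID to n is what was meant, since the two branches read as if swapped. The ifeq ($(ANDROID_HOST),y) that opens this block starts above the hunk.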
@@ -215,17 +214,13 @@
 avc_enforcing = rc;
 }
- rc = avc_netlink_open(0);
+ rc = selinux_status_open(1);
 if (rc < 0) {
 avc_log(SELINUX_ERROR,
- "%s: can't open netlink socket: %d (%s)\n",
+ "%s: could not open selinux status page: %d (%s)\n",
 avc_prefix, errno, strerror(errno));
 goto out;
 }
- if (avc_using_threads) {
- avc_netlink_thread = avc_create_thread(&avc_netlink_loop);
- avc_netlink_trouble = 0;
- }
 avc_running = 1;
 out:
 return rc;
@@ -557,9 +552,7 @@
 avc_get_lock(avc_lock);
- if (avc_using_threads)
- avc_stop_thread(avc_netlink_thread);
- avc_netlink_close();
+ selinux_status_close();
 for (i = 0; i < AVC_CACHE_SLOTS; i++) {
 node = avc_cache.slots[i];
@@ -766,7 +759,7 @@
 avd_init(avd);
 if (!avc_using_threads && !avc_app_main_loop) {
- (void)avc_netlink_check_nb();
+ (void) selinux_status_updated();
 }
 if (!aeref) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/avc_internal.c new/libselinux-3.2/src/avc_internal.c
--- old/libselinux-3.1/src/avc_internal.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/avc_internal.c 2021-03-04 16:42:59.000000000 +0100
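Review bot: With the avc_create_thread(&avc_netlink_loop) start removed from avc_init and the per-query check in the third hunk still guarded by `!avc_using_threads`, an AVC initialised with thread callbacks appears to process no status updates at all once selinux_status_open(1) has fallen back to netlink: no listener thread is created here and selinux_status_updated() is only called in the non-threaded case. That contradicts the avc_init(3) text in this same update, which promises a dedicated netlink thread in the fallback case; unless selinux_status_open() starts that thread itself (sestatus.c is not in this diff), either keep the thread start for the fallback case together with the matching avc_stop_thread() in the second hunk, or drop the thread condition so the cheap status-page check always runs: `if (!avc_app_main_loop) {`. Separately, the new error message names only the status page although selinux_status_open(1) also tries netlink, so a netlink failure is reported as a status-page failure; `"%s: could not open selinux status page or netlink socket: %d (%s)\n"` would match what was attempted. avc_init's body continues outside the hunk.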
@@ -53,6 +53,49 @@
 int avc_setenforce = 0;
 int avc_netlink_trouble = 0;
+/* process setenforce events for netlink and sestatus */
+int avc_process_setenforce(int enforcing)
+{
+ int rc = 0;
+
+ avc_log(SELINUX_SETENFORCE,
+ "%s: op=setenforce lsm=selinux enforcing=%d res=1",
+ avc_prefix, enforcing);
+ if (avc_setenforce)
+ goto out;
+ avc_enforcing = enforcing;
+ if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
+ avc_log(SELINUX_ERROR,
+ "%s: cache reset returned %d (errno %d)\n",
+ avc_prefix, rc, errno);
+ return rc;
+ }
+
+out:
+ return selinux_netlink_setenforce(enforcing);
+}
+
+/* process policyload events for netlink and sestatus */
+int avc_process_policyload(uint32_t seqno)
+{
+ int rc = 0;
+
+ avc_log(SELINUX_POLICYLOAD,
+ "%s: op=load_policy lsm=selinux seqno=%u res=1",
+ avc_prefix, seqno);
+ rc = avc_ss_reset(seqno);
+ if (rc < 0) {
+ avc_log(SELINUX_ERROR,
+ "%s: cache reset returned %d (errno %d)\n",
+ avc_prefix, rc, errno);
+ return rc;
+ }
+
+ selinux_flush_class_cache();
+
+ return selinux_netlink_policyload(seqno);
+}
+
 /* netlink socket code */
 static int fd = -1;
@@ -177,20 +220,7 @@
 case SELNL_MSG_SETENFORCE:{
 struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
- msg->val = !!msg->val;
- avc_log(SELINUX_INFO,
- "%s: received setenforce notice (enforcing=%d)\n",
- avc_prefix, msg->val);
- if (avc_setenforce)
- break;
- avc_enforcing = msg->val;
- if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
- avc_log(SELINUX_ERROR,
- "%s: cache reset returned %d (errno %d)\n",
- avc_prefix, rc, errno);
- return rc;
- }
- rc = selinux_netlink_setenforce(msg->val);
+ rc = avc_process_setenforce(!!msg->val);
 if (rc < 0)
 return rc;
 break;
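Review bot: Both new helpers emit the audit-format message with a hard-coded `res=1` before avc_ss_reset() has run, so a failed reset leaves an audit record claiming the setenforce or policyload event succeeded, followed only by a SELINUX_ERROR line; anyone correlating on the res= field would be misled. Consider moving the `avc_log(SELINUX_SETENFORCE, ...)` and `avc_log(SELINUX_POLICYLOAD, ...)` calls below the reset check, or logging `res=0` on the failure path, so that res reflects the actual outcome. In avc_process_setenforce the early `goto out` taken when avc_setenforce is set also logs res=1 although the event is deliberately not applied; a short comment such as `/* enforcing mode pinned by AVC_OPT_SETENFORCE: record the event but keep the local setting */` would make that intentional. The lone `int rc = 0;` in avc_process_policyload can be folded into `int rc = avc_ss_reset(seqno);` once the log call moves, since nothing reads it before then.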
@@ -198,18 +228,7 @@
 case SELNL_MSG_POLICYLOAD:{
 struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
- avc_log(SELINUX_INFO,
- "%s: received policyload notice (seqno=%u)\n",
- avc_prefix, msg->seqno);
- rc = avc_ss_reset(msg->seqno);
- if (rc < 0) {
- avc_log(SELINUX_ERROR,
- "%s: cache reset returned %d (errno %d)\n",
- avc_prefix, rc, errno);
- return rc;
- }
- selinux_flush_class_cache();
- rc = selinux_netlink_policyload(msg->seqno);
+ rc = avc_process_policyload(msg->seqno);
 if (rc < 0)
 return rc;
 break;
@@ -284,6 +303,17 @@
 int avc_netlink_acquire_fd(void)
 {
+ if (fd < 0) {
+ int rc = 0;
+ rc = avc_netlink_open(0);
+ if (rc < 0) {
+ avc_log(SELINUX_ERROR,
+ "%s: could not open netlink socket: %d (%s)\n",
+ avc_prefix, errno, strerror(errno));
+ return rc;
+ }
+ }
+
 avc_app_main_loop = 1;
 return fd;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/avc_internal.h new/libselinux-3.2/src/avc_internal.h
--- old/libselinux-3.1/src/avc_internal.h 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/avc_internal.h 2021-03-04 16:42:59.000000000 +0100
@@ -32,6 +32,10 @@
 extern void (*avc_func_release_lock) (void *);
 extern void (*avc_func_free_lock) (void *);
+/* selinux status processing for netlink and sestatus */
+extern int avc_process_setenforce(int enforcing);
+extern int avc_process_policyload(uint32_t seqno);
+
 static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 const struct avc_log_callback *log_cb,
 const struct avc_thread_callback *thread_cb,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/checkAccess.c new/libselinux-3.2/src/checkAccess.c
--- old/libselinux-3.1/src/checkAccess.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/checkAccess.c 2021-03-04 16:42:59.000000000 +0100
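Review bot: In avc_netlink_acquire_fd the new `int rc = 0;` is dead, as it is overwritten on the next line by `rc = avc_netlink_open(0);`; `int rc = avc_netlink_open(0);` is the usual form and reads better. The lazily opened descriptor also deserves a sentence of ownership in the function's comment: avc_destroy in this same update now calls selinux_status_close() instead of avc_netlink_close(), and whether a socket opened here while the status page is active is closed by that path is not visible in this diff, so `/* opens the netlink socket on demand; the caller must hand it back via avc_netlink_release_fd() before avc_destroy() */` or whatever the actual contract is should be stated. The function body continues outside the hunk.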
@@ -39,7 +39,7 @@
 if (rc < 0)
 return rc;
- (void) avc_netlink_check_nb();
+ (void) selinux_status_updated();
 sclass = string_to_security_class(class);
 if (sclass == 0) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/get_context_list.c new/libselinux-3.2/src/get_context_list.c
--- old/libselinux-3.1/src/get_context_list.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/get_context_list.c 2021-03-04 16:42:59.000000000 +0100
@@ -13,7 +13,7 @@
 int get_default_context_with_role(const char *user,
 const char *role,
- char * fromcon,
+ const char *fromcon,
 char ** newcon)
 {
 char **conary;
@@ -56,23 +56,24 @@
 int get_default_context_with_rolelevel(const char *user,
 const char *role,
 const char *level,
- char * fromcon,
+ const char *fromcon,
 char ** newcon)
 {
- int rc = 0;
- int freefrom = 0;
+ int rc;
+ char *backup_fromcon = NULL;
 context_t con;
- char *newfromcon;
+ const char *newfromcon;
+
 if (!level)
 return get_default_context_with_role(user, role, fromcon, newcon);
 if (!fromcon) {
- rc = getcon(&fromcon);
+ rc = getcon(&backup_fromcon);
 if (rc < 0)
 return rc;
- freefrom = 1;
+ fromcon = backup_fromcon;
 }
 rc = -1;
@@ -91,14 +92,13 @@
 out:
 context_free(con);
- if (freefrom)
- freecon(fromcon);
+ freecon(backup_fromcon);
 return rc;
 }
 int get_default_context(const char *user,
- char * fromcon, char ** newcon)
+ const char *fromcon, char ** newcon)
 {
 char **conary;
 int rc;
@@ -128,7 +128,7 @@
 }
 static int get_context_user(FILE * fp,
- char * fromcon,
+ const char * fromcon,
 const char * user,
 char ***reachable,
 unsigned int *nreachable)
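Review bot: selinux_status_updated() returns -1 with errno set to EINVAL while the status page has not been opened (the `selinux_status == NULL` check in the sestatus.c hunks of this diff), and the `(void)` cast here discards that, so in that state setenforce and policy-load notices are silently never applied on this path and errno is left clobbered. Confirm that the AVC initialisation path opens the status page (or enters fallback mode) before this code is reachable; if it may not, keep `avc_netlink_check_nb()` as the fallback or add `/* no-op (EINVAL) until selinux_status_open() has run */` so the silent case is documented. The enclosing function starts and ends outside this hunk.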
@@ -345,22 +345,22 @@
 int get_ordered_context_list_with_level(const char *user,
 const char *level,
- char * fromcon,
+ const char *fromcon,
 char *** list)
 {
 int rc;
- int freefrom = 0;
+ char *backup_fromcon = NULL;
 context_t con;
- char *newfromcon;
+ const char *newfromcon;
 if (!level)
 return get_ordered_context_list(user, fromcon, list);
 if (!fromcon) {
- rc = getcon(&fromcon);
+ rc = getcon(&backup_fromcon);
 if (rc < 0)
 return rc;
- freefrom = 1;
+ fromcon = backup_fromcon;
 }
 rc = -1;
@@ -379,15 +379,14 @@
 out:
 context_free(con);
- if (freefrom)
- freecon(fromcon);
+ freecon(backup_fromcon);
 return rc;
 }
 int get_default_context_with_level(const char *user,
 const char *level,
- char * fromcon,
+ const char *fromcon,
 char ** newcon)
 {
 char **conary;
@@ -405,12 +404,13 @@
 }
 int get_ordered_context_list(const char *user,
- char * fromcon,
+ const char *fromcon,
 char *** list)
 {
 char **reachable = NULL;
 int rc = 0;
- unsigned nreachable = 0, freefrom = 0;
+ unsigned nreachable = 0;
+ char *backup_fromcon = NULL;
 FILE *fp;
 char *fname = NULL;
 size_t fname_len;
@@ -418,10 +418,10 @@
 if (!fromcon) {
 /* Get the current context and use it for the starting context */
- rc = getcon(&fromcon);
+ rc = getcon(&backup_fromcon);
 if (rc < 0)
 return rc;
- freefrom = 1;
+ fromcon = backup_fromcon;
 }
 /* Determine the ordering to apply from the optional per-user config
@@ -469,8 +469,7 @@
 else
 freeconary(reachable);
- if (freefrom)
- freecon(fromcon);
+ freecon(backup_fromcon);
 return rc;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/label_file.c new/libselinux-3.2/src/label_file.c
--- old/libselinux-3.1/src/label_file.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/label_file.c 2021-03-04 16:42:59.000000000 +0100
@@ -854,6 +854,7 @@
 struct saved_data *data = (struct saved_data *)rec->data;
 struct spec *spec_arr = data->spec_arr;
 int i, rc, file_stem;
+ size_t len;
 mode_t mode = (mode_t)type;
 char *clean_key = NULL;
 const char *prev_slash, *next_slash;
@@ -894,6 +895,27 @@
 key = clean_key;
 }
+ /* remove trailing slash */
+ len = strlen(key);
+ if (len == 0) {
+ errno = EINVAL;
+ goto finish;
+ }
+
+ if (len > 1 && key[len - 1] == '/') {
+ /* reuse clean_key from above if available */
+ if (!clean_key) {
+ clean_key = (char *) malloc(len);
+ if (!clean_key)
+ goto finish;
+
+ strncpy(clean_key, key, len - 1);
+ }
+
+ clean_key[len - 1] = '\0';
+ key = clean_key;
+ }
+
 sub = selabel_sub_key(data, key);
 if (sub)
 key = sub;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/load_policy.c new/libselinux-3.2/src/load_policy.c
--- old/libselinux-3.1/src/load_policy.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/load_policy.c 2021-03-04 16:42:59.000000000 +0100
@@ -76,7 +76,7 @@
 #ifdef SHARED
 char *errormsg = NULL;
 void *libsepolh = NULL;
- libsepolh = dlopen("libsepol.so.1", RTLD_NOW);
+ libsepolh = dlopen("libsepol.so.2", RTLD_NOW);
 if (libsepolh) {
 usesepol = 1;
 dlerror();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/procattr.c new/libselinux-3.2/src/procattr.c
--- old/libselinux-3.1/src/procattr.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/procattr.c 2021-03-04 16:42:59.000000000 +0100
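Review bot: The trailing-slash branch copies `len - 1` bytes with `strncpy(clean_key, key, len - 1)` and then writes the terminator by hand; `memcpy(clean_key, key, len - 1);` states the intent directly without strncpy's zero-padding semantics, and the `(char *)` cast on `malloc(len)` is unnecessary in C. The sizing itself is right (len bytes hold len - 1 characters plus the NUL), and the `len > 1` guard keeps a bare `/` intact, which is worth a comment since a reader may otherwise expect "/" to be reduced to an empty key. The `len == 0` branch sets errno to EINVAL while the malloc failure path relies on malloc having set ENOMEM; a short comment on the second `goto finish` would make that asymmetry deliberate. The enclosing lookup function starts and ends outside this hunk.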
@@ -25,21 +25,23 @@
 /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and
 * has a definition for it */
 #ifdef __BIONIC__
- #define OVERRIDE_GETTID 0
+ #define HAVE_GETTID 1
 #elif !defined(__GLIBC_PREREQ)
- #define OVERRIDE_GETTID 1
+ #define HAVE_GETTID 0
 #elif !__GLIBC_PREREQ(2,30)
- #define OVERRIDE_GETTID 1
+ #define HAVE_GETTID 0
 #else
- #define OVERRIDE_GETTID 0
+ #define HAVE_GETTID 1
 #endif
-#if OVERRIDE_GETTID
-static pid_t gettid(void)
+static pid_t selinux_gettid(void)
 {
+#if HAVE_GETTID
+ return gettid();
+#else
 return syscall(__NR_gettid);
-}
 #endif
+}
 static void procattr_thread_destructor(void __attribute__((unused)) *unused)
 {
@@ -94,7 +96,7 @@
 if (fd >= 0 || errno != ENOENT)
 goto out;
 free(path);
- tid = gettid();
+ tid = selinux_gettid();
 rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
 } else {
 errno = EINVAL;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/selinux_restorecon.c new/libselinux-3.2/src/selinux_restorecon.c
--- old/libselinux-3.1/src/selinux_restorecon.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/selinux_restorecon.c 2021-03-04 16:42:59.000000000 +0100
@@ -297,6 +297,7 @@
 char *sha1_buf = NULL;
 size_t i, digest_len = 0;
 int rc, digest_result;
+ bool match;
 struct dir_xattr *new_entry;
 uint8_t *xattr_digest = NULL;
 uint8_t *calculated_digest = NULL;
@@ -306,9 +307,9 @@
 return -1;
 }
- selabel_get_digests_all_partial_matches(fc_sehandle, directory,
- &calculated_digest,
- &xattr_digest, &digest_len);
+ match = selabel_get_digests_all_partial_matches(fc_sehandle, directory,
+ &calculated_digest, &xattr_digest,
+ &digest_len);
 if (!xattr_digest || !digest_len) {
 free(calculated_digest);
@@ -326,11 +327,10 @@
 for (i = 0; i < digest_len; i++)
 sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
- rc = memcmp(calculated_digest, xattr_digest, digest_len);
- digest_result = rc ? NOMATCH : MATCH;
+ digest_result = match ? MATCH : NOMATCH;
- if ((delete_nonmatch && rc != 0) || delete_all) {
- digest_result = rc ? DELETED_NOMATCH : DELETED_MATCH;
+ if ((delete_nonmatch && !match) || delete_all) {
+ digest_result = match ? DELETED_MATCH : DELETED_NOMATCH;
 rc = removexattr(directory, RESTORECON_PARTIAL_MATCH_DIGEST);
 if (rc) {
 selinux_log(SELINUX_ERROR,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/sestatus.c new/libselinux-3.2/src/sestatus.c
--- old/libselinux-3.1/src/sestatus.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/sestatus.c 2021-03-04 16:42:59.000000000 +0100
@@ -37,13 +37,15 @@
 * Valid Pointer : opened and mapped correctly
 */
 static struct selinux_status_t *selinux_status = NULL;
-static int selinux_status_fd;
 static uint32_t last_seqno;
+static uint32_t last_policyload;
 static uint32_t fallback_sequence;
 static int fallback_enforcing;
 static int fallback_policyload;
+static void *fallback_netlink_thread = NULL;
+
 /*
 * read_sequence
 *
@@ -88,7 +90,9 @@
 int selinux_status_updated(void)
 {
 uint32_t curr_seqno;
- int result = 0;
+ uint32_t tmp_seqno;
+ uint32_t enforcing;
+ uint32_t policyload;
 if (selinux_status == NULL) {
 errno = EINVAL;
@@ -114,12 +118,29 @@
 if (last_seqno & 0x0001)
 last_seqno = curr_seqno;
- if (last_seqno != curr_seqno)
- {
- last_seqno = curr_seqno;
- result = 1;
+ if (last_seqno == curr_seqno)
+ return 0;
+
+ /* sequence must not be changed during references */
+ do {
+ enforcing = selinux_status->enforcing;
+ policyload = selinux_status->policyload;
+ tmp_seqno = curr_seqno;
+ curr_seqno = read_sequence(selinux_status);
+ } while (tmp_seqno != curr_seqno);
+
+ if (avc_enforcing != (int) enforcing) {
+ if (avc_process_setenforce(enforcing) < 0)
+ return -1;
 }
- return result;
+ if (last_policyload != policyload) {
+ if (avc_process_policyload(policyload) < 0)
+ return -1;
+ last_policyload = policyload;
+ }
+ last_seqno = curr_seqno;
+
+ return 1;
 }
 /*
@@ -256,9 +277,10 @@
 */
 int selinux_status_open(int fallback)
 {
- int fd;
- char path[PATH_MAX];
- long pagesize;
+ int fd;
+ char path[PATH_MAX];
+ long pagesize;
+ uint32_t seqno;
 if (!selinux_mnt) {
 errno = ENOENT;
@@ -275,13 +297,23 @@
 goto error;
 selinux_status = mmap(NULL, pagesize, PROT_READ, MAP_SHARED, fd, 0);
+ close(fd);
 if (selinux_status == MAP_FAILED) {
- close(fd);
 goto error;
 }
- selinux_status_fd = fd;
 last_seqno = (uint32_t)(-1);
+ /* sequence must not be changed during references */
+ do {
+ seqno = read_sequence(selinux_status);
+
+ last_policyload = selinux_status->policyload;
+
+ } while (seqno != read_sequence(selinux_status));
+
+ /* No need to use avc threads if the kernel status page is available */
+ avc_using_threads = 0;
+
 return 0;
 error:
@@ -302,9 +334,14 @@
 /* mark as fallback mode */
 selinux_status = MAP_FAILED;
- selinux_status_fd = avc_netlink_acquire_fd();
 last_seqno = (uint32_t)(-1);
+ if (avc_using_threads)
+ {
+ fallback_netlink_thread = avc_create_thread(&avc_netlink_loop);
+ avc_netlink_trouble = 0;
+ }
+
 fallback_sequence = 0;
 fallback_enforcing = security_getenforce();
 fallback_policyload = 0;
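Review bot: When avc_process_setenforce() or avc_process_policyload() fails, selinux_status_updated returns -1 without advancing `last_seqno` (and without updating `last_policyload`), so the same kernel notice is re-applied on the next call; that retry is presumably intended but nothing says so, and a comment such as `/* leave last_seqno untouched so this notice is retried on the next call */` above the first `return -1;` would prevent a later "fix". The `enforcing` and `policyload` loads inside the do/while are plain reads through the mmap'd page; they are only safe against being hoisted out of the loop if read_sequence() contains a compiler barrier, which is outside this hunk and worth confirming. Note also that a setenforce failure returns before the policy-load branch runs, so a policy reload coinciding with an enforcing flip is only picked up once setenforce succeeds.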
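Review bot: In the fallback path of selinux_status_open the result of `avc_create_thread(&avc_netlink_loop)` is stored without a NULL check, and selinux_status_close (hunk @@ -333,6 +370,9 on the next line) hands `fallback_netlink_thread` to avc_stop_thread() unconditionally whenever `avc_using_threads` is set; if thread creation can fail, guard the stop with `if (fallback_netlink_thread) avc_stop_thread(fallback_netlink_thread);` and log the failure here so a silent loss of setenforce/policy-load notifications is visible. This function also no longer calls avc_netlink_acquire_fd() while close still calls avc_netlink_release_fd(); confirm that avc_netlink_loop acquires the fd itself so the two remain paired. The success path sets the global `avc_using_threads = 0` as a side effect of opening the page; the comment explains why, but callers that inspect that flag later should be aware it now changes here.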
@@ -333,6 +370,9 @@
 /* fallback-mode */
 if (selinux_status == MAP_FAILED) {
+ if (avc_using_threads)
+ avc_stop_thread(fallback_netlink_thread);
+
 avc_netlink_release_fd();
 avc_netlink_close();
 selinux_status = NULL;
@@ -345,7 +385,5 @@
 munmap(selinux_status, pagesize);
 selinux_status = NULL;
- close(selinux_status_fd);
- selinux_status_fd = -1;
 last_seqno = (uint32_t)(-1);
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/src/setup.py new/libselinux-3.2/src/setup.py
--- old/libselinux-3.1/src/setup.py 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/src/setup.py 2021-03-04 16:42:59.000000000 +0100
@@ -4,7 +4,7 @@
 setup(
 name="selinux",
- version="3.1",
+ version="3.2",
 description="SELinux python 3 bindings",
 author="SELinux Project",
 author_email="seli...@vger.kernel.org",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/utils/Makefile new/libselinux-3.2/utils/Makefile
--- old/libselinux-3.1/utils/Makefile 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/utils/Makefile 2021-03-04 16:42:59.000000000 +0100
@@ -56,8 +56,6 @@
 sefcontext_compile: sefcontext_compile.o ../src/regex.o
-matchpathcon: CFLAGS += -Wno-deprecated-declarations
-
 all: $(TARGETS)
 install: all
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/utils/getconlist.c new/libselinux-3.2/utils/getconlist.c
--- old/libselinux-3.1/utils/getconlist.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/utils/getconlist.c 2021-03-04 16:42:59.000000000 +0100
@@ -58,8 +58,14 @@
 free(level);
 return 2;
 }
- } else
+ } else {
 cur_context = argv[optind + 1];
+ if (security_check_context(cur_context) != 0) {
+ fprintf(stderr, "Given context '%s' is invalid.\n", cur_context);
+ free(level);
+ return 3;
+ }
+ }
 /* Get the list and print it */
 if (level)
@@ -72,6 +78,11 @@
 for (i = 0; list[i]; i++)
 puts(list[i]);
 freeconary(list);
+ } else {
+ fprintf(stderr, "get_ordered_context_list%s failure: %d(%s)\n",
+ level ? "_with_level" : "", errno, strerror(errno));
+ free(level);
+ return 4;
 }
 free(level);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/utils/getseuser.c new/libselinux-3.2/utils/getseuser.c
--- old/libselinux-3.1/utils/getseuser.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/utils/getseuser.c 2021-03-04 16:42:59.000000000 +0100
@@ -9,32 +9,51 @@
 {
 char *seuser = NULL, *level = NULL;
 char **contextlist;
- int rc, n, i;
+ int rc, n;
 if (argc != 3) {
 fprintf(stderr, "usage: %s linuxuser fromcon\n", argv[0]);
- exit(1);
+ return 1;
+ }
+
+ if (!is_selinux_enabled()) {
+ fprintf(stderr, "%s may be used only on a SELinux enabled kernel.\n", argv[0]);
+ return 4;
 }
 rc = getseuserbyname(argv[1], &seuser, &level);
 if (rc) {
- fprintf(stderr, "getseuserbyname failed: %s\n",
- strerror(errno));
- exit(2);
+ fprintf(stderr, "getseuserbyname failed: %s\n", strerror(errno));
+ return 2;
 }
 printf("seuser: %s, level %s\n", seuser, level);
- n = get_ordered_context_list_with_level(seuser, level, argv[2],
- &contextlist);
- if (n <= 0) {
- fprintf(stderr,
- "get_ordered_context_list_with_level failed: %s\n",
- strerror(errno));
- exit(3);
+
+ rc = security_check_context(argv[2]);
+ if (rc) {
+ fprintf(stderr, "context '%s' is invalid\n", argv[2]);
+ free(seuser);
+ free(level);
+ return 5;
+ }
+
+ n = get_ordered_context_list_with_level(seuser, level, argv[2], &contextlist);
+ if (n < 0) {
+ fprintf(stderr, "get_ordered_context_list_with_level failed: %s\n", strerror(errno));
+ free(seuser);
+ free(level);
+ return 3;
 }
+
 free(seuser);
 free(level);
- for (i = 0; i < n; i++)
+
+ if (n == 0)
+ printf("no valid context found\n");
+
+ for (int i = 0; i < n; i++)
 printf("Context %d\t%s\n", i, contextlist[i]);
+ freeconary(contextlist);
- exit(EXIT_SUCCESS);
+
+ return EXIT_SUCCESS;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.1/utils/matchpathcon.c new/libselinux-3.2/utils/matchpathcon.c
--- old/libselinux-3.1/utils/matchpathcon.c 2020-07-10 17:17:15.000000000 +0200
+++ new/libselinux-3.2/utils/matchpathcon.c 2021-03-04 16:42:59.000000000 +0100
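Review bot: `contextlist` is declared without an initializer (context line `char **contextlist;`) and the new `freeconary(contextlist);` now runs even when `n == 0`, which the rewritten check `if (n < 0)` no longer treats as an error; the get_ordered_context_list hunks earlier in this diff show the callee only hands back a list when something is reachable (`else freeconary(reachable);`), so for n == 0 this frees an indeterminate pointer. Initialize it with `char **contextlist = NULL;` and either free it only in the n > 0 path or rely on freeconary() accepting NULL, if it does. Returning from main instead of exit() is fine, but the `is_selinux_enabled()` check returns 4 while the later list failure returns 3, so the exit codes are no longer in order of occurrence; a one-line comment listing the meaning of each code would help scripts that depend on them.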
@@ -1,15 +1,14 @@
-#include <unistd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <getopt.h>
 #include <errno.h>
-#include <string.h>
+#include <getopt.h>
 #include <limits.h>
-#include <sys/types.h>
-#include <sys/stat.h>
+#include <selinux/label.h>
 #include <selinux/selinux.h>
-#include <limits.h>
+#include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
 static __attribute__ ((__noreturn__)) void usage(const char *progname)
 {
@@ -19,15 +18,21 @@
 exit(1);
 }
-static int printmatchpathcon(const char *path, int header, int mode)
+static int printmatchpathcon(struct selabel_handle *hnd, const char *path, int header, int mode, int notrans)
 {
- char *buf;
- int rc = matchpathcon(path, mode, &buf);
+ char *buf = NULL;
+ int rc;
+
+ if (notrans) {
+ rc = selabel_lookup_raw(hnd, &buf, path, mode);
+ } else {
+ rc = selabel_lookup(hnd, &buf, path, mode);
+ }
 if (rc < 0) {
 if (errno == ENOENT) {
 buf = strdup("<<none>>");
 } else {
- fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
+ fprintf(stderr, "selabel_lookup(%s) failed: %s\n", path,
 strerror(errno));
 return 1;
 }
@@ -66,15 +71,14 @@
 int main(int argc, char **argv)
 {
- int i, init = 0, force_mode = 0;
+ int i, force_mode = 0;
 int header = 1, opt;
 int verify = 0;
 int notrans = 0;
 int error = 0;
 int quiet = 0;
-
- fprintf(stderr,
- "Deprecated, use selabel_lookup\n");
+ struct selabel_handle *hnd;
+ struct selinux_opt options[SELABEL_NOPT] = {};
 if (argc < 2)
 usage(argv[0]);
@@ -96,23 +100,10 @@
 break;
 case 'N':
 notrans = 1;
- set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
 break;
 case 'f':
- if (init) {
- fprintf(stderr,
- "%s: -f and -p are exclusive\n",
- argv[0]);
- exit(1);
- }
- init = 1;
- if (matchpathcon_init(optarg)) {
- fprintf(stderr,
- "Error while processing %s: %s\n",
- optarg,
- errno ? strerror(errno) : "invalid");
- exit(1);
- }
+ options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
+ options[SELABEL_OPT_PATH].value = optarg;
 break;
 case 'P':
 if (selinux_set_policy_root(optarg) < 0 ) {
@@ -124,20 +115,11 @@
 }
 break;
 case 'p':
- if (init) {
- fprintf(stderr,
- "%s: -f and -p are exclusive\n",
- argv[0]);
- exit(1);
- }
- init = 1;
- if (matchpathcon_init_prefix(NULL, optarg)) {
- fprintf(stderr,
- "Error while processing %s: %s\n",
- optarg,
- errno ? strerror(errno) : "invalid");
- exit(1);
- }
+ // This option has been deprecated since libselinux 2.5 (2016):
+ // https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6
+ fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]);
+ options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
+ options[SELABEL_OPT_SUBSET].value = optarg;
 break;
 case 'q':
 quiet = 1;
@@ -146,6 +128,13 @@
 usage(argv[0]);
 }
 }
+ hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
+ if (!hnd) {
+ fprintf(stderr,
+ "Error while opening file contexts database: %s\n",
+ strerror(errno));
+ return -1;
+ }
 for (i = optind; i < argc; i++) {
 int rc, mode = 0;
 struct stat buf;
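Review bot: `return -1;` after a failed selabel_open() gives the process an exit status of 255, while every other error exit in this file uses 1 (usage() calls `exit(1)`); use `return 1;` so scripts checking the status see the same value as before. Passing the whole `options[SELABEL_NOPT]` array, with unused slots zero-filled, to selabel_open() depends on the library ignoring entries whose `.type` is 0 (presumably SELABEL_OPT_UNUSED); a comment at the `options` declaration, `/* unused slots stay type 0 and are skipped by selabel_open() */`, would spell that out. The old code refused `-f` together with `-p`; the new code silently accepts both and passes a path and a subset at once, which is fine if selabel_open honours that combination, but it is a behaviour change the commit message does not mention. main() continues outside this hunk.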
@@ -185,19 +174,19 @@
 if (rc >= 0) {
 printf("%s has context %s, should be ", path, con);
- printmatchpathcon(path, 0, mode);
+ printmatchpathcon(hnd, path, 0, mode, notrans);
 freecon(con);
 } else {
 printf ("actual context unknown: %s, should be ", strerror(errno));
- printmatchpathcon(path, 0, mode);
+ printmatchpathcon(hnd, path, 0, mode, notrans);
 }
 }
 } else {
- error |= printmatchpathcon(path, header, mode);
+ error |= printmatchpathcon(hnd, path, header, mode, notrans);
 }
 }
- matchpathcon_fini();
+ selabel_close(hnd);
 return error;
 }
++++++ selinux-ready ++++++
--- /var/tmp/diff_new_pack.UVhRgL/_old 2021-03-24 16:09:07.819698356 +0100
+++ /var/tmp/diff_new_pack.UVhRgL/_new 2021-03-24 16:09:07.819698356 +0100
@@ -206,7 +206,7 @@
 check_packages() {
- PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 restorecond"
+ PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol2 libsemanage2 restorecond"
 FAIL=0
 for i in $PKGLST