Hello community,

here is the log from the commit of package policycoreutils for openSUSE:Factory 
checked in at 2018-04-06 17:47:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/policycoreutils (Old)
 and      /work/SRC/openSUSE:Factory/.policycoreutils.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "policycoreutils"

Fri Apr  6 17:47:16 2018 rev:44 rq:593258 version:2.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/policycoreutils/policycoreutils.changes  
2017-12-23 12:20:36.772287710 +0100
+++ /work/SRC/openSUSE:Factory/.policycoreutils.new/policycoreutils.changes     
2018-04-06 17:47:19.960289985 +0200
@@ -1,0 +2,19 @@
+Tue Mar 27 13:46:37 UTC 2018 - tchva...@suse.com
+
+- Drop SLE11 support, needs the audit that is not present on SLE11
+- Fix service link to actually work on current releases
+- Drop SUSE_ASNEEDED=0 as it seems to build fine without it
+- Do not depend on systemd, just systemd-rpm-macros
+
+-------------------------------------------------------------------
+Wed Mar 21 11:32:47 UTC 2018 - jseg...@suse.com
+
+- Added CVE-2018-1063.patch to prevent chcon from following symlinks in
+  /tmp, /var/tmp, /var/run and /var/lib/debug (bsc#1083624, CVE-2018-1063)
+
+-------------------------------------------------------------------
+Tue Mar 20 12:01:55 UTC 2018 - jseg...@suse.com
+
+- Remove BuildRequires for libcgroup-devel (bsc#1085837)
+
+-------------------------------------------------------------------

New:
----
  CVE-2018-1063.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ policycoreutils.spec ++++++
--- /var/tmp/diff_new_pack.KCkq7p/_old  2018-04-06 17:47:21.424237073 +0200
+++ /var/tmp/diff_new_pack.KCkq7p/_new  2018-04-06 17:47:21.428236927 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package policycoreutils
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,23 +16,22 @@
 #
 
 
-#Compat macro for new _fillupdir macro introduced in Nov 2017
-%if ! %{defined _fillupdir}
-  %define _fillupdir /var/adm/fillup-templates
-%endif
-
 %define libaudit_ver     2.2
 %define libsepol_ver     2.6
 %define libsemanage_ver  2.6
 %define libselinux_ver   2.6
 %define sepolgen_ver     2.6
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
 Name:           policycoreutils
 Version:        2.6
 Release:        0
 Summary:        SELinux policy core utilities
-License:        GPL-2.0+
+License:        GPL-2.0-or-later
 Group:          Productivity/Security
-Url:            https://github.com/SELinuxProject/selinux
+URL:            https://github.com/SELinuxProject/selinux
 Source:         
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/%{name}-%{version}.tar.gz
 Source1:        
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/sepolgen-%{sepolgen_ver}.tar.gz
 Source2:        system-config-selinux.png
@@ -45,6 +44,7 @@
 Patch4:         policycoreutils-initscript.patch
 Patch5:         policycoreutils-pam-common.patch
 Patch10:        loadpolicy_path.patch
+Patch11:        CVE-2018-1063.patch
 BuildRequires:  audit-devel >= %{libaudit_ver}
 BuildRequires:  dbus-1-glib-devel
 BuildRequires:  fdupes
@@ -52,12 +52,14 @@
 BuildRequires:  hicolor-icon-theme
 BuildRequires:  libcap-devel
 BuildRequires:  libcap-ng-devel
-BuildRequires:  libcgroup-devel
 BuildRequires:  libselinux-devel >= %{libselinux_ver}
 BuildRequires:  libsemanage-devel >= %{libsemanage_ver}
 BuildRequires:  libsepol-devel-static >= %{libsepol_ver}
 BuildRequires:  pam-devel
+# needed only for dir /usr/share/polkit-1 from policycoreutils-gui
+BuildRequires:  polkit
 BuildRequires:  python-devel
+BuildRequires:  systemd-rpm-macros
 BuildRequires:  update-desktop-files
 Requires:       audit-libs-python
 Requires:       checkpolicy
@@ -67,15 +69,10 @@
 Requires:       util-linux
 # we need selinuxenabled
 Requires(post): selinux-tools
-Requires(pre):  %fillup_prereq permissions
+Requires(pre):  %fillup_prereq
+Requires(pre):  permissions
 Recommends:     %{name}-lang
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-%if 0%{?suse_version} > 1140
-BuildRequires:  systemd
 %{?systemd_requires}
-%else
-Requires(pre):  %insserv_prereq
-%endif
 
 %description
 policycoreutils contains the policy core utilities that are required
@@ -145,9 +142,9 @@
 %patch4
 %patch5
 %patch10 -p1
+%patch11
 
 %build
-export SUSE_ASNEEDED=0
 make %{?_smp_mflags} LSPP_PRIV=y LIBDIR="%{_libdir}" 
LIBEXECDIR="%{_libexecdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie 
-Wl,-z,relro" all
 make %{?_smp_mflags} -C sepolgen-%{sepolgen_ver} LSPP_PRIV=y 
LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
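Review bot: Both `make` invocations in `%build` link with `LDFLAGS="-pie -Wl,-z,relro"`, which on its own gives only partial RELRO: the GOT stays writable after startup unless `-Wl,-z,now` is passed as well. The build sets `LSPP_PRIV=y` and the package ships `newrole` under `%verify_permissions`, so full RELRO looks worthwhile; I would use `LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"` on both lines. These are context lines the commit leaves untouched, and `%{optflags}` or the toolchain defaults may already add the flag, so check a built binary first. Separately, `%patch11` is applied at the default strip level while `%patch10` uses `-p1`; a short comment above `Patch11:` naming bsc#1083624 and the patch's origin would explain the difference.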
 
@@ -164,13 +161,8 @@
 make -C sepolgen-%{sepolgen_ver} DESTDIR=%{buildroot} 
LIBDIR="%{buildroot}%{_libdir}" install
 install -D -m 644 %{SOURCE2} 
%{buildroot}%{_datadir}/pixmaps/system-config-selinux.png
 # Don't install initscript if systemd is available
-%if 0%{?suse_version} > 1140
 rm -r %{buildroot}%{_initddir}
-ln -sf /sbin/service %{buildroot}%{_sbindir}/rcrestorecond
-%else
-rm -r %{buildroot}%{_unitdir}
-ln -sf %{_initddir}/restorecond %{buildroot}%{_sbindir}/rcrestorecond
-%endif
+ln -sf service %{buildroot}%{_sbindir}/rcrestorecond
 install -m 644 %{SOURCE4} 
%{buildroot}%{_sysconfdir}/pam.d/system-config-selinux
 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
 install -m 644 %{SOURCE5} 
%{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
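Review bot: The comment `# Don't install initscript if systemd is available` above `rm -r %{buildroot}%{_initddir}` is stale now that the `%if 0%{?suse_version} > 1140` guard is gone and the removal is unconditional; something like `# systemd only: drop the upstream initscript` would match the code. The new `ln -sf service %{buildroot}%{_sbindir}/rcrestorecond` creates a relative link that resolves only if a `service` binary sits in the same `%{_sbindir}` on the installed system, and a one-line comment stating that assumption would help the next packager. The `%install` section starts and ends outside this hunk.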
@@ -189,37 +181,17 @@
 %fdupes -s %{buildroot}/%{_datadir}
 
 %pre
-%if 0%{?suse_version} > 1140
 %service_add_pre restorecond.service
-%endif
 
 %post
-%if 0%{?suse_version} > 1140
 %service_add_post restorecond.service
 %fillup_only
-%else
-%fillup_and_insserv restorecond
-%endif
 
 %preun
-%if 0%{?suse_version} > 1140
 %service_del_preun restorecond.service
-%else
-if [ "$1" -eq "0" ]; then
-    %stop_on_removal restorecond
-    %insserv_cleanup
-fi
-%endif
 
 %postun
-%if 0%{?suse_version} > 1140
 %service_del_postun restorecond.service
-%else
-if [ "$1" -ge "1" ]; then
-    %restart_on_update restorecond
-    %insserv_cleanup
-fi
-%endif
 
 %post python
 selinuxenabled && [ -f %{_datadir}/selinux/devel/include/build.conf ] && 
%{_bindir}/sepolgen-ifgen 2>/dev/null
@@ -232,7 +204,6 @@
 %verify_permissions -e %{_bindir}/newrole
 
 %files
-%defattr(-,root,root)
 /sbin/restorecon
 /sbin/fixfiles
 /sbin/setfiles
@@ -252,11 +223,7 @@
 %{_bindir}/semodule_link
 %{_bindir}/semodule_package
 %{_bindir}/semodule_unpackage
-%if 0%{?suse_version} > 1140
 %attr(644,root,root) %{_unitdir}/restorecond.service
-%else
-%attr(755,root,root) %{_initddir}/restorecond
-%endif
 %config(noreplace) %{_sysconfdir}/pam.d/run_init
 %config(noreplace) %{_sysconfdir}/sestatus.conf
 %{_sbindir}/rcrestorecond
@@ -272,47 +239,45 @@
 %dir %{_mandir}/ru
 %dir %{_mandir}/ru/man1
 %dir %{_mandir}/ru/man8
-%{_mandir}/man8/restorecon_xattr.8*
-%{_mandir}/man5/selinux_config.5*
-%{_mandir}/man5/sestatus.conf.5*
-%{_mandir}/man8/semodule_unpackage.8*
-%{_mandir}/man8/fixfiles.8*
-%{_mandir}/ru/man8/fixfiles.8*
-%{_mandir}/man8/load_policy.8*
-%{_mandir}/ru/man8/load_policy.8*
-%{_mandir}/man8/open_init_pty.8*
-%{_mandir}/ru/man8/open_init_pty.8*
-%{_mandir}/man8/restorecon.8*
-%{_mandir}/ru/man8/restorecon.8*
-%{_mandir}/man8/restorecond.8*
-%{_mandir}/ru/man8/restorecond.8*
-%{_mandir}/man8/run_init.8*
-%{_mandir}/ru/man8/run_init.8*
-%{_mandir}/man8/semodule.8*
-%{_mandir}/ru/man8/semodule.8*
-%{_mandir}/man8/semodule_deps.8*
-%{_mandir}/ru/man8/semodule_deps.8*
-%{_mandir}/man8/semodule_expand.8*
-%{_mandir}/ru/man8/semodule_expand.8*
-%{_mandir}/man8/semodule_link.8*
-%{_mandir}/ru/man8/semodule_link.8*
-%{_mandir}/man8/semodule_package.8*
-%{_mandir}/ru/man8/semodule_package.8*
-%{_mandir}/man8/sestatus.8*
-%{_mandir}/ru/man8/sestatus.8*
-%{_mandir}/man8/setfiles.8*
-%{_mandir}/ru/man8/setfiles.8*
-%{_mandir}/man8/setsebool.8*
-%{_mandir}/ru/man8/setsebool.8*
-%{_mandir}/man1/secon.1*
-%{_mandir}/ru/man1/secon.1*
-%{_mandir}/man8/genhomedircon.8*
+%{_mandir}/man8/restorecon_xattr.8%{?ext_man}
+%{_mandir}/man5/selinux_config.5%{?ext_man}
+%{_mandir}/man5/sestatus.conf.5%{?ext_man}
+%{_mandir}/man8/semodule_unpackage.8%{?ext_man}
+%{_mandir}/man8/fixfiles.8%{?ext_man}
+%{_mandir}/ru/man8/fixfiles.8%{?ext_man}
+%{_mandir}/man8/load_policy.8%{?ext_man}
+%{_mandir}/ru/man8/load_policy.8%{?ext_man}
+%{_mandir}/man8/open_init_pty.8%{?ext_man}
+%{_mandir}/ru/man8/open_init_pty.8%{?ext_man}
+%{_mandir}/man8/restorecon.8%{?ext_man}
+%{_mandir}/ru/man8/restorecon.8%{?ext_man}
+%{_mandir}/man8/restorecond.8%{?ext_man}
+%{_mandir}/ru/man8/restorecond.8%{?ext_man}
+%{_mandir}/man8/run_init.8%{?ext_man}
+%{_mandir}/ru/man8/run_init.8%{?ext_man}
+%{_mandir}/man8/semodule.8%{?ext_man}
+%{_mandir}/ru/man8/semodule.8%{?ext_man}
+%{_mandir}/man8/semodule_deps.8%{?ext_man}
+%{_mandir}/ru/man8/semodule_deps.8%{?ext_man}
+%{_mandir}/man8/semodule_expand.8%{?ext_man}
+%{_mandir}/ru/man8/semodule_expand.8%{?ext_man}
+%{_mandir}/man8/semodule_link.8%{?ext_man}
+%{_mandir}/ru/man8/semodule_link.8%{?ext_man}
+%{_mandir}/man8/semodule_package.8%{?ext_man}
+%{_mandir}/ru/man8/semodule_package.8%{?ext_man}
+%{_mandir}/man8/sestatus.8%{?ext_man}
+%{_mandir}/ru/man8/sestatus.8%{?ext_man}
+%{_mandir}/man8/setfiles.8%{?ext_man}
+%{_mandir}/ru/man8/setfiles.8%{?ext_man}
+%{_mandir}/man8/setsebool.8%{?ext_man}
+%{_mandir}/ru/man8/setsebool.8%{?ext_man}
+%{_mandir}/man1/secon.1%{?ext_man}
+%{_mandir}/ru/man1/secon.1%{?ext_man}
+%{_mandir}/man8/genhomedircon.8%{?ext_man}
 
 %files lang -f %{name}.lang
-%defattr(-,root,root)
 
 %files python
-%defattr(-,root,root,-)
 %{_sbindir}/semanage
 %{_bindir}/audit2allow
 %{_bindir}/audit2why
@@ -323,43 +288,40 @@
 %{_bindir}/sepolgen-ifgen-attr-helper
 %{python_sitearch}/seobject.py*
 %{python_sitearch}/sepolgen
-/usr/lib*/python2.7/site-packages/sepolicy
-/usr/lib*/python2.7/site-packages/sepolicy*.egg-info
+%{_prefix}/lib*/python2.7/site-packages/sepolicy
+%{_prefix}/lib*/python2.7/site-packages/sepolicy*.egg-info
 %dir %{_localstatedir}/lib/sepolgen
 %dir %{_localstatedir}/lib/selinux
 %{_localstatedir}/lib/sepolgen/perm_map
-%{_mandir}/man1/audit2allow.1*
-%{_mandir}/ru/man1/audit2allow.1*
-%{_mandir}/man1/audit2why.1*
-%{_mandir}/man8/chcat.8*
-%{_mandir}/ru/man8/chcat.8*
-%{_mandir}/man8/sandbox.8*
+%{_mandir}/man1/audit2allow.1%{?ext_man}
+%{_mandir}/ru/man1/audit2allow.1%{?ext_man}
+%{_mandir}/man1/audit2why.1%{?ext_man}
+%{_mandir}/man8/chcat.8%{?ext_man}
+%{_mandir}/ru/man8/chcat.8%{?ext_man}
+%{_mandir}/man8/sandbox.8%{?ext_man}
 %{_mandir}/man5/sandbox*
-%{_mandir}/man8/semanage*.8*
-%{_mandir}/man8/sepolicy*.8*
-%{_mandir}/man8/sepolgen.8*
-%{_mandir}/ru/man8/semanage.8*
+%{_mandir}/man8/semanage*.8%{?ext_man}
+%{_mandir}/man8/sepolicy*.8%{?ext_man}
+%{_mandir}/man8/sepolgen.8%{?ext_man}
+%{_mandir}/ru/man8/semanage.8%{?ext_man}
 %{_datadir}/bash-completion/completions/semanage
 %{_datadir}/bash-completion/completions/sepolicy
 %{_datadir}/bash-completion/completions/setsebool
 
 %files sandbox
-%defattr(-,root,root,-)
 %attr(0755,root,root) %{_sbindir}/seunshare
 %dir %{_datadir}/sandbox
 %{_datadir}/sandbox/sandboxX.sh
 %{_datadir}/sandbox/start
 %{_fillupdir}/sysconfig.sandbox
-%{_mandir}/man8/seunshare.8*
+%{_mandir}/man8/seunshare.8%{?ext_man}
 
 %files newrole
-%defattr(-,root,root)
 %verify(not mode) %attr(0755,root,root) %{_bindir}/newrole
-%{_mandir}/man1/newrole.1%{ext_man}
+%{_mandir}/man1/newrole.1%{?ext_man}
 %config(noreplace) %{_sysconfdir}/pam.d/newrole
 
 %files gui
-%defattr(-,root,root)
 %{_bindir}/system-config-selinux
 %{_bindir}/selinux-polgengui
 %{_datadir}/applications/system-config-selinux.desktop
@@ -389,8 +351,8 @@
 %{_datadir}/system-config-selinux/*.py*
 #%{_datadir}/system-config-selinux/selinux.tbl
 %{_datadir}/system-config-selinux/*.glade
-%{_mandir}/man8/selinux-polgengui.8%{ext_man}
-%{_mandir}/man8/system-config-selinux.8%{ext_man}
+%{_mandir}/man8/selinux-polgengui.8%{?ext_man}
+%{_mandir}/man8/system-config-selinux.8%{?ext_man}
 #%%{_datadir}/system-config-selinux/templates/*.py*
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.selinux.conf
 %config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux

++++++ CVE-2018-1063.patch ++++++
--- scripts/fixfiles    2016-10-14 17:31:26.000000000 +0200
+++ scripts/fixfiles.fixed      2018-03-21 12:56:40.562659484 +0100
@@ -270,10 +270,10 @@
 UNDEFINED=`get_undefined_type` || exit $?
 UNLABELED=`get_unlabeled_type` || exit $?
 find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( 
-type s -o -type p \) -delete
-find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec 
chcon --reference /tmp {} \;
-find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) 
-exec chcon --reference /var/tmp {} \;
-find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) 
-exec chcon --reference /var/run {} \;
-[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" 
-o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
+find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec 
chcon --no-dereference --reference /tmp {} \;
+find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) 
-exec chcon --no-dereference --reference /var/tmp {} \;
+find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) 
-exec chcon --no-dereference --reference /var/run {} \;
+[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" 
-o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /lib 
{} \;
 exit 0
 }
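Review bot: The four rewritten `find … -exec chcon --no-dereference …` lines protect only the final path component. chcon still receives a full path and resolves it from the root, so a directory component under /tmp or /var/tmp that changes between find's visit and chcon's lookup would probably still be followed. Running the relabel from the directory find is already in narrows that window, e.g. `-execdir chcon --no-dereference --reference /tmp {} \;`, and likewise for the other three lines. It is also worth confirming what the `/var/run` line does where `/var/run` is a symlink to `/run`, since find does not follow symlinks by default and may not descend there at all. The enclosing function starts outside this hunk.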
 

