Hello community, here is the log from the commit of package libselinux for openSUSE:Factory checked in at 2016-08-03 11:36:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libselinux (Old) and /work/SRC/openSUSE:Factory/.libselinux.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libselinux" Changes: -------- --- /work/SRC/openSUSE:Factory/libselinux/libselinux-bindings.changes 2016-07-18 21:16:41.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libselinux.new/libselinux-bindings.changes 2016-08-03 11:36:46.000000000 +0200 @@ -1,0 +2,5 @@ +Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de + +- Update RPM groups, trim description and combine filelist entries. + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/libselinux/libselinux.changes 2016-07-18 21:16:41.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libselinux.new/libselinux.changes 2016-08-03 11:36:46.000000000 +0200 @@ -1,0 +2,20 @@ +Sun Jul 24 19:33:42 UTC 2016 - crrodriguez@opensuse.org + +- -devel static subpackage requires libpcre-devel and libsepol-devel + + +------------------------------------------------------------------- +Sun Jul 24 19:05:35 UTC 2016 - crrodriguez@opensuse.org + +- Avoid mounting /proc outside of selinux_init_load_policy(). + (Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes + among other things systemd seccomp sandboxing otherwise all + filters must allow mount(2) + (libselinux-proc-mount-only-if-needed.patch) + +------------------------------------------------------------------- +Sun Jul 17 15:30:05 UTC 2016 - jengelh@inai.de + +- Update RPM groups, trim description and combine filelist entries. + +------------------------------------------------------------------- New: ---- libselinux-proc-mount-only-if-needed.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libselinux-bindings.spec ++++++ --- /var/tmp/diff_new_pack.JgQOtf/_old 2016-08-03 11:36:47.000000000 +0200 +++ /var/tmp/diff_new_pack.JgQOtf/_new 2016-08-03 11:36:47.000000000 +0200 @@ -21,10 +21,10 @@ Name: libselinux-bindings Version: 2.5 Release: 0 -Url: http://userspace.selinuxproject.org/ -Summary: SELinux library and simple utilities +Summary: SELinux runtime library and simple utilities License: GPL-2.0 and SUSE-Public-Domain -Group: System/Libraries +Group: Development/Libraries/C and C++ +Url: https://github.com/SELinuxProject/selinux/wiki/Releases # embedded is the MD5 Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libselinux-%{version}.tar.gz @@ -41,69 +41,36 @@ BuildRequires: swig %description -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. %package -n python-selinux -Summary: SELinux library and simple utilities +Summary: Python bindings for the SELinux runtime library License: SUSE-Public-Domain Group: Development/Libraries/Python Requires: libselinux1 = %{version} Requires: python %description -n python-selinux -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. +This subpackage contains Python extensions to use SELinux from that +language. %package -n ruby-selinux -Summary: SELinux library and simple utilities +Summary: Ruby bindings for the SELinux runtime library License: SUSE-Public-Domain Group: Development/Languages/Ruby Requires: libselinux1 = %{version} Requires: ruby %description -n ruby-selinux -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. +This subpackage contains Ruby extensions to use SELinux from that +language. %prep %setup -q -n libselinux-%{version} @@ -124,9 +91,8 @@ %files -n python-selinux %defattr(-,root,root,-) -%dir %{py_sitedir}/selinux +%{py_sitedir}/selinux/ %{py_sitedir}/_selinux.so -%{py_sitedir}/selinux/* %files -n ruby-selinux %defattr(-,root,root,-) ++++++ libselinux.spec ++++++ --- /var/tmp/diff_new_pack.JgQOtf/_old 2016-08-03 11:36:47.000000000 +0200 +++ /var/tmp/diff_new_pack.JgQOtf/_new 2016-08-03 11:36:47.000000000 +0200 @@ -21,10 +21,10 @@ Name: libselinux Version: 2.5 Release: 0 -Url: http://userspace.selinuxproject.org/ -Summary: SELinux library and simple utilities +Summary: SELinux runtime library and utilities License: GPL-2.0 and SUSE-Public-Domain -Group: System/Libraries +Group: Development/Libraries/C and C++ +Url: https://github.com/SELinuxProject/selinux/wiki/Releases Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz Source1: selinux-ready @@ -32,6 +32,8 @@ Patch1: %{name}-2.2-ruby.patch # PATCH-FIX-UPSTREAM swig-3.10 use importlib which not search the directory __init__.py is in but standard path Patch2: python-selinux-swig-3.10.patch +# PATCH-FIX-UPSTREAM Avoid mounting /proc outside of selinux_init_load_policy(). +Patch3: libselinux-proc-mount-only-if-needed.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes BuildRequires: libsepol-devel >= %{libsepol_ver} @@ -39,91 +41,68 @@ BuildRequires: pkg-config %description -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. %package -n libselinux1 -Summary: SELinux library and simple utilities +Summary: SELinux runtime library Group: System/Libraries %description -n libselinux1 -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. +(Security-enhanced Linux is a feature of the kernel and some +utilities that implement mandatory access control policies, such as +Type Enforcement, Role-based Access Control and Multi-Level +Security.) %package -n selinux-tools -Summary: SELinux library and simple utilities +Summary: SELinux command-line utilities Group: System/Base %description -n selinux-tools -Security-enhanced Linux is a feature of the Linux(R) kernel and a -number of utilities with enhanced security functionality designed to -add mandatory access controls to Linux. The Security-enhanced Linux -kernel contains new architectural components originally developed to -improve the security of the Flask operating system. These architectural -components provide general support for the enforcement of many kinds of -mandatory access control policies, including those based on the -concepts of Type Enforcement(R), Role-based Access Control, and -Multi-level Security. - -libselinux provides an API for SELinux applications to get and set -process and file security contexts and to obtain security policy -decisions. Required for any applications that use the SELinux API. - +Security-enhanced Linux is a feature of the kernel and some +utilities that implement mandatory access control policies, such as +Type Enforcement, Role-based Access Control and Multi-Level +Security. +This subpackage contains utilities to inspect and administer the +system's SELinux state. %package devel -Summary: Development Include Files and Libraries for SELinux +Summary: Development files for the SELinux runtime library Group: Development/Libraries/C and C++ Requires: glibc-devel Requires: libselinux1 = %{version} #Automatic dependency on libsepol-devel via pkgconfig %description devel +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. + This package contains the development files, which are necessary to develop your own software using libselinux. - %package devel-static -Summary: Static development Include Files and Libraries for SELinux +Summary: Static archives for the SELinux runtime Group: Development/Libraries/C and C++ Requires: libselinux-devel = %{version} +Requires: pkgconfig(libpcre) +Requires: pkgconfig(libsepol) %description devel-static +libselinux provides an interface to get and set process and file +security contexts and to obtain security policy decisions. + This package contains the static development files, which are necessary to develop your own software using libselinux. - %prep %setup -q %patch1 %patch2 -p1 - +%patch3 -p1 %build make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS" @@ -185,8 +164,7 @@ %files devel %defattr(-,root,root,-) %{_libdir}/libselinux.so -%dir %{_includedir}/selinux -%{_includedir}/selinux/* +%{_includedir}/selinux/ %{_mandir}/man3/* %{_libdir}/pkgconfig/libselinux.pc ++++++ libselinux-proc-mount-only-if-needed.patch ++++++ Index: libselinux-2.5/src/init.c =================================================================== --- libselinux-2.5.orig/src/init.c +++ libselinux-2.5/src/init.c @@ -11,7 +11,6 @@ #include <sys/vfs.h> #include <stdint.h> #include <limits.h> -#include <sys/mount.h> #include "dso.h" #include "policy.h" @@ -57,20 +56,18 @@ static int verify_selinuxmnt(const char int selinuxfs_exists(void) { - int exists = 0, mnt_rc = 0; + int exists = 0; FILE *fp = NULL; char *buf = NULL; size_t len; ssize_t num; - mnt_rc = mount("proc", "/proc", "proc", 0, 0); fp = fopen("/proc/filesystems", "r"); - if (!fp) { - exists = 1; /* Fail as if it exists */ - goto out; - } + if (!fp) + return 1; /* Fail as if it exists */ + __fsetlocking(fp, FSETLOCKING_BYCALLER); num = getline(&buf, &len, fp); @@ -85,13 +82,6 @@ int selinuxfs_exists(void) free(buf); fclose(fp); -out: -#ifndef MNT_DETACH -#define MNT_DETACH 2 -#endif - if (mnt_rc == 0) - umount2("/proc", MNT_DETACH); - return exists; } hidden_def(selinuxfs_exists) Index: libselinux-2.5/src/load_policy.c =================================================================== --- libselinux-2.5.orig/src/load_policy.c +++ libselinux-2.5/src/load_policy.c @@ -17,6 +17,10 @@ #include "policy.h" #include <limits.h> +#ifndef MNT_DETACH +#define MNT_DETACH 2 +#endif + int security_load_policy(void *data, size_t len) { char path[PATH_MAX]; @@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforc fclose(cfg); free(buf); } -#ifndef MNT_DETACH -#define MNT_DETACH 2 -#endif - if (rc == 0) - umount2("/proc", MNT_DETACH); /* * Determine the final desired mode. @@ -402,9 +401,13 @@ int selinux_init_load_policy(int *enforc } goto noload; + if (rc == 0) + umount2("/proc", MNT_DETACH); } set_selinuxmnt(mntpoint); - + + if (rc == 0) + umount2("/proc", MNT_DETACH); /* * Note: The following code depends on having selinuxfs * already mounted and selinuxmnt set above.