diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index 70326f7..c226b08 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -528,6 +528,107 @@ index 4dd8f30..26086d9 100644
 .SH "RETURN VALUE"
 On error \-1 is returned. On success 0 is returned.
+diff --git libselinux-2.3/man/man3/matchpathcon.3 libselinux-2.3/man/man3/matchpathcon.3
+index 1bc7ba1..177f15d 100644
+--- libselinux-2.3/man/man3/matchpathcon.3
++++ libselinux-2.3/man/man3/matchpathcon.3
+@@ -7,7 +7,7 @@ matchpathcon, matchpathcon_index \- get the default SELinux security context for
+ .sp
+ .BI "int matchpathcon_init(const char *" path ");"
+ .sp
+-.BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");"
++.BI "int matchpathcon_init_prefix(const char *" path ", const char *" prefix ");"
+ .sp
+ .BI "int matchpathcon_fini(void);"
+ .sp
+@@ -16,6 +16,24 @@ matchpathcon, matchpathcon_index \- get the default SELinux security context for
+ .BI "int matchpathcon_index(const char *" name ", mode_t " mode ", char **" con ");"
+ .
+ .SH "DESCRIPTION"
++
++This family of functions is deprecated. For new code, please use
++.BR selabel_open (3)
++with the
++.B SELABEL_CTX_FILE
++backend in place of
++.BR matchpathcon_init (),
++use
++.BR selabel_close (3)
++in place of
++.BR matchpathcon_fini (),
++and use
++.BR selabel_lookup (3)
++in place of
++.BR matchpathcon ().
++
++The remaining description below is for the legacy interface.
++
+ .BR matchpathcon_init ()
+ loads the file contexts configuration specified by
+ .I path
+@@ -41,9 +59,16 @@ customizations.
+ .BR matchpathcon_init_prefix ()
+ is the same as
+ .BR matchpathcon_init ()
+-but only loads entries with regular expressions that have stems prefixed
+-by
+-.I \%prefix.
++but only loads entries with regular expressions whose first pathname
++component is a prefix of
++.I \%prefix
++, e.g. pass "/dev" if you only intend to call
++.BR matchpathcon ()
++with pathnames beginning with /dev.
++However, this optimization is no longer necessary due to the use of
++.I file_contexts.bin
++files with precompiled regular expressions, so use of this interface
++is deprecated.
+
+ .BR matchpathcon_fini ()
+ frees the memory allocated by a prior call to
+@@ -54,7 +79,17 @@ calls, or to free memory when finished using
+ .BR matchpathcon ().
+
+ .BR matchpathcon ()
+-matches the specified pathname and mode against the file contexts
++matches the specified
++.I pathname,
++after transformation via
++.BR realpath (3)
++excepting any final symbolic link component if S_IFLNK was
++specified as the
++.I mode,
++and
++.I mode
++against the
++.I file contexts
+ configuration and sets the security context
+ .I con
+ to refer to the
+diff --git libselinux-2.3/man/man5/selabel_file.5 libselinux-2.3/man/man5/selabel_file.5
+index 79eca95..e738824 100644
+--- libselinux-2.3/man/man5/selabel_file.5
++++ libselinux-2.3/man/man5/selabel_file.5
+@@ -55,7 +55,9 @@ A non-null value for this option specifies a path to a file that will be opened
+ A non-null value for this option indicates that any local customizations to the file contexts mapping should be ignored.
+ .TP
+ .B SELABEL_OPT_SUBSET
+-A non-null value for this option is interpreted as a path prefix, for example "/etc". Only file context specifications starting with the given prefix are loaded. This may increase lookup performance, however any attempt to look up a path not starting with the given prefix will fail.
++A non-null value for this option is interpreted as a path prefix, for example "/etc". Only file context specifications with starting with a first component that prefix matches the given prefix are loaded. This may increase lookup performance, however any attempt to look up a path not starting with the given prefix may fail. This optimization is no longer required due to the use of
++.I file_contexts.bin
++files and is deprecated.
+ .RE
+ .
+ .SH "FILES"
+@@ -206,7 +208,7 @@ component with \fI/var/www\fR, therefore the path used is:
+ If contexts are to be validated, then the global option \fBSELABEL_OPT_VALIDATE\fR must be set before calling \fBselabel_open\fR(3). If this is not set, then it is possible for an invalid context to be returned.
+ .IP "2." 4
+ If the size of file contexts series of files contain many entries, then \fBselabel_open\fR(3) may have a delay as it reads in the files, and if
+-requested validates the entries. If possible use the \fBSELABEL_OPT_SUBSET\fR option to reduce the number of entries processed.
++requested validates the entries.
+ .IP "3." 4
+ Depending on the version of SELinux it is possible that a \fIfile_contexts.template\fR file may also be present, however this is now deprecated.
+ .br
 diff --git libselinux-2.3/man/man8/selinux.8 libselinux-2.3/man/man8/selinux.8
 index e89b1ef..fd20363 100644
 --- libselinux-2.3/man/man8/selinux.8
@@ -760,10 +861,10 @@ index b37c5d3..7703c26 100644
  fd = open(path, O_RDWR);
  if (fd < 0)
 diff --git libselinux-2.3/src/enabled.c libselinux-2.3/src/enabled.c
-index 5c252dd..1731ac3 100644
+index 5c252dd..bb659a9 100644
 --- libselinux-2.3/src/enabled.c
 +++ libselinux-2.3/src/enabled.c
-@@ -11,26 +11,10 @@
+@@ -11,26 +11,14 @@
  int is_selinux_enabled(void)
  {
@@ -787,7 +888,11 @@ index 5c252dd..1731ac3 100644
 - }
 -
 - return enabled;
++#ifdef ANDROID
 + return (selinux_mnt ? 1 : 0);
++#else
++ return (selinux_mnt && has_selinux_config);
++#endif
  }
  hidden_def(is_selinux_enabled)
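Review bot: On the non-Android path the new `return (selinux_mnt && has_selinux_config);` makes is_selinux_enabled() answer 0 whenever /etc/selinux/config was absent when the library loaded, even though selinuxfs is mounted and the kernel may still be enforcing; kernel enforcement does not depend on that file, so a caller that gates its labeling or context handling on this function can fall out of step with the real policy state (a process started before the file exists, or an environment without an /etc/selinux tree). Because `has_selinux_config` is sampled once in the library constructor (the init.c hunk later in this patch) the answer is fixed for the life of the process rather than tracking later changes. If treating "no config file" as disabled is deliberate, that rule belongs in a comment at the return, e.g. `/* Enabled only when selinuxfs is mounted AND /etc/selinux/config existed at load time (see init_lib); kernel state alone is not consulted. */`. The body of is_selinux_enabled() begins above this hunk.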
@@ -822,6 +927,29 @@ index 52707d0..0cbe12d 100644
  if (rc < 0 && errno == ENOTSUP) {
  char * ccontext = NULL;
  int err = errno;
+diff --git libselinux-2.3/src/init.c libselinux-2.3/src/init.c
+index 6d1ef33..3c687a2 100644
+--- libselinux-2.3/src/init.c
++++ libselinux-2.3/src/init.c
+@@ -21,6 +21,8 @@ char *selinux_mnt = NULL;
+ int selinux_page_size = 0;
+ int obj_class_compat = 1;
+
++int has_selinux_config = 0;
++
+ /* Verify the mount point for selinux file system has a selinuxfs.
+ If the file system:
+ * Exist,
+@@ -151,6 +153,9 @@ static void init_lib(void)
+ {
+ selinux_page_size = sysconf(_SC_PAGE_SIZE);
+ init_selinuxmnt();
++#ifndef ANDROID
++ has_selinux_config = (access(SELINUXCONFIG, F_OK) == 0);
++#endif
+ }
+
+ static void fini_lib(void) __attribute__ ((destructor));
 diff --git libselinux-2.3/src/label_android_property.c libselinux-2.3/src/label_android_property.c
 index b00eb07..5e1b76e 100644
 --- libselinux-2.3/src/label_android_property.c
@@ -1010,10 +1138,19 @@ index 3b96b1d..3868711 100644
  } else {
  COMPAT_LOG(SELINUX_WARNING,
 diff --git libselinux-2.3/src/selinux_config.c libselinux-2.3/src/selinux_config.c
-index 30e9dc7..1bfe500 100644
+index 30e9dc7..bec5f3b 100644
 --- libselinux-2.3/src/selinux_config.c
 +++ libselinux-2.3/src/selinux_config.c
-@@ -50,8 +50,9 @@
+@@ -13,8 +13,6 @@
+ #include "selinux_internal.h"
+ #include "get_default_type_internal.h"
+
+-#define SELINUXDIR "/etc/selinux/"
+-#define SELINUXCONFIG SELINUXDIR "config"
+ #define SELINUXDEFAULT "targeted"
+ #define SELINUXTYPETAG "SELINUXTYPE="
+ #define SELINUXTAG "SELINUX="
+@@ -50,8 +48,9 @@
  #define FILE_CONTEXT_SUBS_DIST 25
  #define LXC_CONTEXTS 26
  #define BOOLEAN_SUBS 27
@@ -1025,7 +1162,7 @@ index 30e9dc7..1bfe500 100644
  /* Part of one-time lazy init */
  static pthread_once_t once = PTHREAD_ONCE_INIT;
-@@ -493,6 +494,13 @@ const char *selinux_lxc_contexts_path(void)
+@@ -493,6 +492,13 @@ const char *selinux_lxc_contexts_path(void)
  hidden_def(selinux_lxc_contexts_path)
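Review bot: The new `has_selinux_config = (access(SELINUXCONFIG, F_OK) == 0);` in init_lib folds every failure of access(2) into "no config", and access(2) evaluates with the process's real rather than effective IDs, so in a set-user-ID program whose real user cannot traverse /etc/selinux the flag stays 0 although the file exists, and is_selinux_enabled() (enabled.c hunk above) then reports SELinux disabled. Since only existence is being probed, `stat()` would make the answer independent of the caller's credentials: `struct stat st; has_selinux_config = (stat(SELINUXCONFIG, &st) == 0);`. The new global `has_selinux_config` also deserves a comment at its definition, e.g. `/* Non-zero if /etc/selinux/config existed when the library was loaded; sampled once in init_lib(), never refreshed. */`. init_lib's signature is visible only in the hunk header; its opening brace and body are in the hunk.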
@@ -1040,7 +1177,7 @@ index 30e9dc7..1bfe500 100644
  {
  return get_path(SYSTEMD_CONTEXTS);
 diff --git libselinux-2.3/src/selinux_internal.h libselinux-2.3/src/selinux_internal.h
-index afb2170..fe8eb67 100644
+index afb2170..9b1ca4d 100644
 --- libselinux-2.3/src/selinux_internal.h
 +++ libselinux-2.3/src/selinux_internal.h
 @@ -82,6 +82,7 @@ hidden_proto(selinux_mkload_policy)
@@ -1051,6 +1188,15 @@ index afb2170..fe8eb67 100644
  hidden_proto(selinux_sepgsql_context_path)
  hidden_proto(selinux_systemd_contexts_path)
  hidden_proto(selinux_path)
+@@ -137,3 +138,8 @@ extern int selinux_page_size hidden;
+ if (pthread_setspecific != NULL) \
+ pthread_setspecific(KEY, VALUE); \
+ } while (0)
++
++#define SELINUXDIR "/etc/selinux/"
++#define SELINUXCONFIG SELINUXDIR "config"
++
++extern int has_selinux_config hidden;
 diff --git libselinux-2.3/src/selinuxswig_python.i libselinux-2.3/src/selinuxswig_python.i
 index ae72246..c9a2341 100644
 --- libselinux-2.3/src/selinuxswig_python.i
diff --git a/libselinux.spec b/libselinux.spec
index 7e2bd42..e331cc9 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -18,7 +18,7 @@ Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
 # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
-# https://github.com/fedora-selinux/selinux/commit/4395ef2b8bb086878b5fad80321ac9d32f424f51
+# HEAD https://github.com/fedora-selinux/selinux/commit/abdc02a720ed5ff430887758ec254b104f2d727d
 Patch1: libselinux-rhat.patch
 BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
 %if 0%{?with_python3}