From c23d6b654cdf10ca7ea039f285666dcd6ca88a53 Mon Sep 17 00:00:00 2001
From: zyppe <210hcl@gmail.com>
Date: Thu, 29 Feb 2024 14:35:35 +0800
Subject: [PATCH] Initialize for libselinux
---
.gitignore | 1 +
.libselinux.metadata | 1 +
baselibs.conf | 1 +
libselinux.changes | 411 +++++++++++++++++++++++++++++++++++++++++++
libselinux.spec | 153 ++++++++++++++++
readv-proto.patch | 12 ++
selinux-ready | 272 ++++++++++++++++++++++++++++
skip_cycles.patch | 16 ++
8 files changed, 867 insertions(+)
create mode 100644 .gitignore
create mode 100644 .libselinux.metadata
create mode 100644 baselibs.conf
create mode 100644 libselinux.changes
create mode 100644 libselinux.spec
create mode 100644 readv-proto.patch
create mode 100644 selinux-ready
create mode 100644 skip_cycles.patch
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f08d1dc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+libselinux-3.1.tar.gz
diff --git a/.libselinux.metadata b/.libselinux.metadata
new file mode 100644
index 0000000..9be2d97
--- /dev/null
+++ b/.libselinux.metadata
@@ -0,0 +1 @@
+c1fb7a9f2be845125f70d7166fa913fdf1e0c345f4f08db010201abbd4ff62ed libselinux-3.1.tar.gz
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..3627aba
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1 @@
+libselinux1
diff --git a/libselinux.changes b/libselinux.changes
new file mode 100644
index 0000000..5d58ab4
--- /dev/null
+++ b/libselinux.changes
@@ -0,0 +1,411 @@
+* Tue Jul 14 2020 jsegitz@suse.com
+- Update to version 3.1:
+ * selinux/flask.h, selinux/av_permissions.h and sepol/policydb/flask.h were
+ removed. All userspace object managers should have been updated to use the
+ dynamic class/perm mapping support.
+ Use string_to_security_class(3) and string_to_av_perm(3) to map the class
+ and permission names to their policy values, or selinux_set_mapping(3) to
+ create a mapping from class and permission index values used by the
+ application to the policy values.
+ * Removed restrictions in libsepol and checkpolicy that required all declared
+ initial SIDs to be assigned a context.
+ * Support for new policy capability genfs_seclabel_symlinks
+ * selinuxfs is mounted with noexec and nosuid
+ * `security_compute_user()` was deprecated
+* Thu Mar 26 2020 jsegitz@suse.de
+- Added skip_cycles.patch to skip directory cycles and not error
+ out
+* Tue Mar 3 2020 jsegitz@suse.de
+- Update to version 3.0
+ * Ignore the stem when looking up all matches in file context
+ * Save digest of all partial matches for directory
+ * Use Python distutils to install SELinux python bindings
+ * ensure that digest_len is not zero
+ * fix string conversion of unknown perms
+ * mark all exported function "extern"
+ Dropped Use-Python-distutils-to-install-SELinux.patch, included
+ upstream
+* Wed Nov 13 2019 jsegitz@suse.de
+- Added Use-Python-distutils-to-install-SELinux.patch to use
+ Python's distutils instead of building and installing python
+ bindings manually
+* Mon Jun 3 2019 jsegitz@suse.com
+- In selinux-ready
+ * Removed check for selinux-policy package as we don't ship one
+ (bsc#1136845)
+ * Add check that restorecond is installed and enabled
+* Fri May 24 2019 jsegitz@suse.com
+- Set License: to correct value (bsc#1135710)
+* Thu Apr 25 2019 mliska@suse.cz
+- Disable LTO (boo#1133244).
+* Wed Mar 20 2019 jsegitz@suse.com
+- Update to version 2.9
+ * Add security_reject_unknown(3) man page
+ * Change matchpathcon usage to match with matchpathcon manpage
+ * Do not define gettid() if glibc >= 2.30 is used
+ * Fix RESOURCE_LEAK defects reported by coverity scan
+ * Fix line wrapping in selabel_file.5
+ * Do not dereference symlink with statfs in selinux_restorecon
+ * Fix overly strict validation of file_contexts.bin
+ * Fix selinux_restorecon() on non-SELinux hosts
+ * Fix the whatis line for the selinux_boolean_sub.3 manpage
+ * Fix printf format string specifier for uint64_t
+ * Fix handling of unknown classes/perms
+ * Set an appropriate errno in booleans.c
+- Dropped python3.patch, is now upstream
+* Fri Jan 4 2019 jsegitz@suse.com
+- Remove unneeded build requires for python3 (bsc#1120255)
+* Wed Oct 17 2018 jsegitz@suse.com
+- Update to version 2.8 (bsc#1111732)
+ For changes please see
+ https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/RELEASE-20180524.txt
+- ran spec-cleaner on spec files
+* Mon May 14 2018 mcepl@cepl.eu
+- Update to version 2.7.
+ * %%files needed to be heavily modified
+ * Based expressly on python3, not just python
+ For changes please see
+ https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/RELEASE-20170804.txt
+* Fri Nov 24 2017 jsegitz@suse.com
+- Update to version 2.6. Notable changes:
+ * selinux_restorecon: fix realpath logic
+ * sefcontext_compile: invert semantics of "-r" flag
+ * sefcontext_compile: Add "-i" flag
+ * Introduce configurable backends
+ * Add function to find security.restorecon_last entries
+ * Add openrc_contexts functions
+ * Add support for pcre2
+ * Handle NULL pcre study data
+ * Add setfiles support to selinux_restorecon(3)
+ * Evaluate inodes in selinux_restorecon(3)
+ * Change the location of _selinux.so
+ * Explain how to free policy type from selinux_getpolicytype()
+ * Compare absolute pathname in matchpathcon -V
+ * Add selinux_snapperd_contexts_path()
+ * Modify audit2why analyze function to use loaded policy
+ * Avoid mounting /proc outside of selinux_init_load_policy()
+ * Fix location of selinuxfs mount point
+ * Only mount /proc if necessary
+ * procattr: return einval for <= 0 pid args
+ * procattr: return error on invalid pid_t input
+- Dropped
+ * libselinux-2.2-ruby.patch
+ * libselinux-proc-mount-only-if-needed.patch
+ * python-selinux-swig-3.10.patch
+* Wed Jul 5 2017 schwab@suse.de
+- readv-proto.patch: include for readv prototype
+* Sun Jul 24 2016 crrodriguez@opensuse.org
+- -devel static subpackage requires libpcre-devel and libsepol-devel
+* Sun Jul 24 2016 crrodriguez@opensuse.org
+- Avoid mounting /proc outside of selinux_init_load_policy().
+ (Stephen Smalley) reverts upstream 5a8d8c4, 9df4988, fixes
+ among other things systemd seccomp sandboxing otherwise all
+ filters must allow mount(2)
+ (libselinux-proc-mount-only-if-needed.patch)
+* Sun Jul 17 2016 jengelh@inai.de
+- Update RPM groups, trim description and combine filelist entries.
+* Thu Jul 14 2016 jsegitz@novell.com
+- Adjusted source link
+* Tue Jul 5 2016 i@marguerite.su
+- add patch: python-selinux-swig-3.10.patch, fixed boo#985368
+ * swig-3.10 in Factory use importlib instead of imp to find
+ _selinux.so. imp searched the same directory as __init__.py
+ is while importlib searchs only standard paths. so we have
+ to move _selinux.so. fixed by upstream
+- update version 2.5
+ * Add selinux_restorecon function
+ * read_spec_entry: fail on non-ascii
+ * Add man information about thread specific functions
+ * Don't wrap rpm_execcon with DISABLE_RPM with SWIG
+ * Correct line count for property and service context files
+ * label_file: fix memory leaks and uninitialized jump
+ * Replace selabel_digest hash function
+ * Fix selabel_open(3) services if no digest requested
+ * Add selabel_digest function
+ * Flush the class/perm string mapping cache on policy reload
+ * Fix restorecon when path has no context
+ * Free memory when processing media and x specfiles
+ * Fix mmap memory release for file labeling
+ * Add policy context validation to sefcontext_compile
+ * Do not treat an empty file_contexts(.local) as an error
+ * Fail hard on invalid property_contexts entries
+ * Fail hard on invalid file_contexts entries
+ * Support context validation on file_contexts.bin
+ * Add selabel_cmp interface and label_file backend
+ * Support specifying file_contexts.bin file path
+ * Support file_contexts.bin without file_contexts
+ * Simplify procattr cache
+ * Use /proc/thread-self when available
+ * Add const to selinux_opt for label backends
+ * Fix binary file labels for regexes with metachars
+ * Fix file labels for regexes with metachars
+ * Fix if file_contexts not '\n' terminated
+ * Enhance file context support
+ * Fix property processing and cleanup formatting
+ * Add read_spec_entries function to replace sscanf
+ * Support consistent mode size for bin files
+ * Fix more bin file processing core dumps
+ * add selinux_openssh_contexts_path()
+ * setrans_client: minimize overhead when mcstransd is not present
+ * Ensure selabel_lookup_best_match links NULL terminated
+ * Fix core dumps with corrupt *.bin files
+ * Add selabel partial and best match APIs
+ * Use os.walk() instead of the deprecated os.path.walk()
+ * Remove deprecated mudflap option
+ * Mount procfs before checking /proc/filesystems
+ * Fix -Wformat errors with gcc-5.0.0
+ * label_file: handle newlines in file names
+ * Fix audit2why error handling if SELinux is disabled
+ * pcre_study can return NULL without error
+ * Only check SELinux enabled status once in selinux_check_access
+- changes in 2.4
+ * Remove assumption that SHLIBDIR is ../../ relative to LIBDIR
+ * Fix bugs found by hardened gcc flags
+ * Set the system to permissive if failing to disable SELinux because
+ policy has already been loaded
+ * Add db_exception and db_datatype support to label_db backend
+ * Log an error on unknown classes and permissions
+ * Add pcre version string to the compiled file_contexts format
+ * Deprecate use of flask.h and av_permissions.h
+ * Compiled file_context files and the original should have the same DAC
+ permissions
+* Thu Jul 30 2015 jsegitz@novell.com
+- fixed selinux-ready to work with initrd files created by dracut (bsc#940006)
+* Mon Sep 8 2014 jsegitz@suse.com
+- updated selinux-ready script to handle initrd files compressed with xz
+* Sun May 18 2014 crrodriguez@opensuse.org
+- Update to version 2.3
+ * Get rid of security_context_t and fix const declarations.
+ * Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
+* Thu Oct 31 2013 p.drouand@gmail.com
+- Update to version 2.2
+ * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
+ * Support overriding Makefile RANLIB
+ * Update pkgconfig definition
+ * Mount sysfs before trying to mount selinuxfs.
+ * Fix man pages
+ * Support overriding PATH and LIBBASE in Makefile
+ * Fix LDFLAGS usage
+ * Avoid shadowing stat in load_mmap
+ * Support building on older PCRE libraries
+ * Fix handling of temporary file in sefcontext_compile
+ * Fix procattr cache
+ * Define python constants for getenforce result
+ * Fix label substitution handling of /
+ * Add selinux_current_policy_path from
+ * Change get_context_list to only return good matches
+ * Support udev-197 and higher
+ * Add support for local substitutions
+ * Change setfilecon to not return ENOSUP if context is already correct
+ * Python wrapper leak fixes
+ * Export SELINUX_TRANS_DIR definition in selinux.h
+ * Add selinux_systemd_contexts_path
+ * Add selinux_set_policy_root
+ * Add man page for sefcontext_compile
+- Remove libselinux-rhat.patch; merged on upstream
+- Adapt libselinux-ruby.patch to upstream changes
+- Use fdupes to symlink duplicate manpages
+* Thu Jun 27 2013 vcizek@suse.com
+- change the source url to the official 2.1.13 release tarball
+* Wed May 22 2013 jengelh@inai.de
+- Reuse implicit dependencies injected by pkgconfig
+* Thu Apr 4 2013 vcizek@suse.com
+- fixed source url in libselinux-bindings.spec
+- removed old tarball
+* Wed Apr 3 2013 vcizek@suse.com
+- fix source url
+- document changes in libselinux-rhat.patch from previous submission:
+ (most code of the removed code was integrated upstream)
+ * Add matchpathcon -P /etc/selinux/mls support by allowing users
+ to set alternate root
+ * Add new constant SETRANS_DIR which points to the directory
+ where mstransd can find the socket and libvirt can write its
+ translations files
+* Fri Mar 29 2013 vcizek@suse.com
+-update to 2.1.13
+ * audit2why: make sure path is nul terminated
+ * utils: new file context regex compiler
+ * label_file: use precompiled filecontext when possible
+ * do not leak mmapfd
+ * sefcontontext_compile: Add error handling to help debug problems in libsemanage.
+ * man: make selinux.8 mention service man pages
+ * audit2why: Fix segfault if finish() called twice
+ * audit2why: do not leak on multiple init() calls
+ * mode_to_security_class: interface to translate a mode_t in to a security class
+ * audit2why: Cleanup audit2why analysys function
+ * man: Fix program synopsis and function prototypes in man pages
+ * man: Fix man pages formatting
+ * man: Fix typo in man page
+ * man: Add references and man page links to _raw function variants
+ * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
+ * man: context_new(3): fix the return value description
+ * selinux_status_open: handle error from sysconf
+ * selinux_status_open: do not leak statusfd on exec
+ * Fix errors found by coverity
+ * Change boooleans.subs to booleans.subs_dist.
+ * optimize set*con functions
+ * pkg-config do not specifc ruby version
+ * unmap file contexts on selabel_close()
+ * do not leak file contexts with mmap'd backend
+ * sefcontext_compile: do not leak fd on error
+ * matchmediacon: do not leak fd
+ * src/label_android_property: do not leak fd on error
+* Wed Jan 30 2013 vcizek@suse.com
+- update to 2.1.12
+ - added the recent libselinux-rhat.patch
+ * Add support for lxc_contexts_path
+ * utils: add service to getdefaultcon
+ * libsemanage: do not set soname needlessly
+ * libsemanage: remove PYTHONLIBDIR and ruby equivalent
+ * boolean name equivalency
+ * getsebool: support boolean name substitution
+ * Add man page for new selinux_boolean_sub function.
+ * expose selinux_boolean_sub
+ * matchpathcon: add -m option to force file type check
+ * utils: avcstat: clear sa_mask set
+ * seusers: Check for strchr failure
+ * booleans: initialize pointer to silence coveriety
+ * stop messages when SELinux disabled
+ * Ensure that we only close the selinux netlink socket once.
+ * improve the file_contexts.5 manual page
+ * Fortify source now requires all code to be compiled with -O flag
+ * asprintf return code must be checked
+ * avc_netlink_recieve handle EINTR
+ * audit2why: silence -Wmissing-prototypes warning
+ * libsemanage: remove build warning when build swig c files
+ * matchpathcon: bad handling of symlinks in /
+ * seusers: remove unused lineno
+ * seusers: getseuser: gracefully handle NULL service
+ * New Android property labeling backend
+ * label_android_property whitespace cleanups
+ * additional makefile support for rubywrap
+ * Remove jump over variable declaration
+ * Fix old style function definitions
+ * Fix const-correctness
+ * Remove unused flush_class_cache method
+ * Add prototype decl for destructor
+ * Add more printf format annotations
+ * Add printf format attribute annotation to die() method
+ * Fix const-ness of parameters & make usage() methods static
+ * Enable many more gcc warnings for libselinux/src/ builds
+ * utils: Enable many more gcc warnings for libselinux/utils builds
+ * Change annotation on include/selinux/avc.h to avoid upsetting SWIG
+ * Ensure there is a prototype for 'matchpathcon_lib_destructor'
+ * Update Makefiles to handle /usrmove
+ * utils: Stop separating out matchpathcon as something special
+ * pkg-config to figure out where ruby include files are located
+ * build with either ruby 1.9 or ruby 1.8
+ * assert if avc_init() not called
+ * take security_deny_unknown into account
+ * security_compute_create_name(3)
+ * Do not link against python library, this is considered
+ * bad practice in debian
+ * Hide unnecessarily-exported library destructors
+* Mon Jan 7 2013 jengelh@inai.de
+- Remove obsolete defines/sections
+* Tue Dec 11 2012 vcizek@suse.com
+- update selinux-ready script
+ * use -L when stat()ing /etc/selinux/config
+ * make sure that SELINUX isn't disabled in /etc/selinux/config
+ * look for either of /sys/fs/selinux and /selinux directory
+ * use systemctl to check for restorecond
+ * don't look for booleans file (deprecated)
+* Tue Nov 27 2012 vcizek@suse.com
+- update selinux-ready script
+* Wed Jul 25 2012 meissner@suse.com
+- updated to 2.1.9 again (see below)
+* Wed Jun 13 2012 coolo@suse.com
+- go back even more - everything else requires the full SELinux stack
+ (too late for 12.2)
+* Mon Jun 11 2012 factory-maintainer@kulow.org
+- revert back to 2.0.98 for 12.2
+* Fri Jun 1 2012 mls@suse.de
+- update to libselinux-2.1.9
+ * better man pages
+ * selinux_status interfaces
+ * simple interface for access checks
+ * multiple bug fixes
+* Wed Oct 5 2011 uli@suse.com
+- cross-build fix: use %%__cc macro
+* Mon Jun 28 2010 jengelh@medozas.de
+- use %%_smp_mflags
+* Mon May 3 2010 prusnak@suse.cz
+- don't package /var/run/setrans in libselinux1 package
+ - Feature#303793
+ - the directory will be created in initscript of mcstrans package
+* Sat Apr 24 2010 coolo@novell.com
+- buildrequire pkg-config to fix provides
+* Fri Apr 9 2010 thomas@novell.com
+- selinux-ready: added function to check for restorecond in
+ runlevel 3/5
+* Thu Apr 8 2010 thomas@novell.com
+- selinux-ready: added functions for checking PAM config and
+ policy boolean init_upstart
+* Wed Apr 7 2010 thomas@novell.com
+- selinux-ready: fixed init ramfs checking
+* Wed Apr 7 2010 thomas@novell.com
+- added new selinux-ready script
+* Thu Feb 25 2010 prusnak@suse.cz
+- updated to 2.0.91
+ * changes too numerous to list
+* Sat Dec 12 2009 jengelh@medozas.de
+- add baselibs.conf as a source
+* Fri Jul 24 2009 thomas@novell.com
+- updated selinux-ready script
+* Wed Jul 22 2009 prusnak@suse.cz
+- change libsepol-devel to libsepol-devel-static in dependencies
+ of python bindings
+* Wed Jul 1 2009 prusnak@suse.cz
+- put libsepol-devel back to Requires of libselinux-devel
+* Mon Jun 29 2009 prusnak@suse.cz
+- added selinux-ready tool to selinux-tools package
+* Tue Jun 9 2009 crrodriguez@suse.de
+- remove static libraries
+- libselinux-devel does not require libsepol-devel
+* Wed May 27 2009 prusnak@suse.cz
+- updated to 2.0.80
+ * deny_unknown wrapper function from KaiGai Kohei
+ * security_compute_av_flags API from KaiGai Kohei
+ * Netlink socket management and callbacks from KaiGai Kohei
+ * Netlink socket handoff patch from Adam Jackson
+ * AVC caching of compute_create results by Eric Paris
+ * fix incorrect conversion in discover_class code
+* Fri Apr 17 2009 prusnak@suse.cz
+- fixed memory leak (memleak.patch)
+* Wed Jan 14 2009 prusnak@suse.cz
+- updated to 2.0.77
+ * add new function getseuser which will take username and service
+ and return seuser and level; ipa will populate file in future
+ * change selinuxdefcon to return just the context by default
+ * fix segfault if seusers file does not work
+ * strip trailing / for matchpathcon
+ * fix restorecon python code
+* Mon Dec 1 2008 prusnak@suse.cz
+- updated to 2.0.76
+ * allow shell-style wildcarding in X names
+ * add Restorecon/Install python functions
+ * correct message types in AVC log messages
+ * make matchpathcon -V pass mode
+ * add man page for selinux_file_context_cmp
+ * update flask headers from refpolicy trunk
+* Wed Oct 22 2008 mrueckert@suse.de
+- fix debug_packages_requires define
+* Tue Sep 23 2008 prusnak@suse.cz
+- require only version, not release [bnc#429053]
+* Tue Sep 2 2008 prusnak@suse.cz
+- updated to 2.0.71
+ * Add group support to seusers using %%groupname syntax from Dan Walsh.
+ * Mark setrans socket close-on-exec from Stephen Smalley.
+ * Only apply nodups checking to base file contexts from Stephen Smalley.
+ * Merge ruby bindings from Dan Walsh.
+* Mon Sep 1 2008 aj@suse.de
+- Fix build of debuginfo.
+* Fri Aug 22 2008 prusnak@suse.cz
+- added baselibs.conf file
+- split bindings into separate subpackage (libselinux-bindings)
+- split tools into separate subpackage (selinux-tools)
+* Fri Aug 1 2008 ro@suse.de
+- fix requires for debuginfo package
+* Tue Jul 15 2008 prusnak@suse.cz
+- initial version 2.0.67
+ * based on Fedora package by Dan Walsh
diff --git a/libselinux.spec b/libselinux.spec
new file mode 100644
index 0000000..2b2cc56
--- /dev/null
+++ b/libselinux.spec
@@ -0,0 +1,153 @@
+#
+# spec file for package libselinux
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+%define libsepol_ver 3.1
+Name: libselinux
+Version: 3.1
+Release: 150400.1.69
+Summary: SELinux runtime library and utilities
+License: SUSE-Public-Domain
+Group: Development/Libraries/C and C++
+URL: https://github.com/SELinuxProject/selinux/wiki/Releases
+Source: https://github.com/SELinuxProject/selinux/releases/download/20200710/%{name}-%{version}.tar.gz
+Source1: selinux-ready
+Source2: baselibs.conf
+# PATCH-FIX-UPSTREAM Include for readv prototype
+Patch4: readv-proto.patch
+Patch5: skip_cycles.patch
+BuildRequires: fdupes
+BuildRequires: libsepol-devel >= %{libsepol_ver}
+BuildRequires: pcre-devel
+BuildRequires: pkgconfig
+
+%description
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
+%package -n libselinux1
+Summary: SELinux runtime library
+Group: System/Libraries
+
+%description -n libselinux1
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
+(Security-enhanced Linux is a feature of the kernel and some
+utilities that implement mandatory access control policies, such as
+Type Enforcement, Role-based Access Control and Multi-Level
+Security.)
+
+%package -n selinux-tools
+Summary: SELinux command-line utilities
+Group: System/Base
+
+%description -n selinux-tools
+Security-enhanced Linux is a feature of the kernel and some
+utilities that implement mandatory access control policies, such as
+Type Enforcement, Role-based Access Control and Multi-Level
+Security.
+
+This subpackage contains utilities to inspect and administer the
+system's SELinux state.
+
+%package devel
+Summary: Development files for the SELinux runtime library
+Group: Development/Libraries/C and C++
+Requires: glibc-devel
+Requires: libselinux1 = %{version}
+#Automatic dependency on libsepol-devel via pkgconfig
+
+%description devel
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
+This package contains the development files, which are
+necessary to develop your own software using libselinux.
+
+%package devel-static
+Summary: Static archives for the SELinux runtime
+Group: Development/Libraries/C and C++
+Requires: libselinux-devel = %{version}
+Requires: pkgconfig(libpcre)
+Requires: pkgconfig(libsepol)
+
+%description devel-static
+libselinux provides an interface to get and set process and file
+security contexts and to obtain security policy decisions.
+
+This package contains the static development files, which are
+necessary to develop your own software using libselinux.
+
+%prep
+%setup -q
+%patch4 -p1
+%patch5 -p1
+
+%build
+%define _lto_cflags %{nil}
+make %{?_smp_mflags} LIBDIR="%{_libdir}" CC="gcc" CFLAGS="%{optflags} -fno-semantic-interposition"
+
+%install
+mkdir -p %{buildroot}/%{_lib}
+mkdir -p %{buildroot}%{_libdir}
+mkdir -p %{buildroot}%{_includedir}
+mkdir -p %{buildroot}%{_sbindir}
+make DESTDIR=%{buildroot} LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}" BINDIR="%{_sbindir}" install
+mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
+mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
+install -m 0755 %{SOURCE1} %{buildroot}%{_sbindir}/selinux-ready
+# Remove duplicate files
+%fdupes -s %{buildroot}%{_mandir}
+
+%post -n libselinux1 -p /sbin/ldconfig
+%postun -n libselinux1 -p /sbin/ldconfig
+
+%files -n selinux-tools
+%{_sbindir}/avcstat
+%{_sbindir}/getenforce
+%{_sbindir}/getsebool
+%{_sbindir}/matchpathcon
+%{_sbindir}/selabel_digest
+%{_sbindir}/selabel_lookup
+%{_sbindir}/selinux_check_access
+%{_sbindir}/selabel_lookup_best_match
+%{_sbindir}/selabel_partial_match
+%{_sbindir}/selinuxconlist
+%{_sbindir}/selinuxdefcon
+%{_sbindir}/selinuxenabled
+%{_sbindir}/setenforce
+%{_sbindir}/togglesebool
+%{_sbindir}/selinux-ready
+%{_sbindir}/selinuxexeccon
+%{_sbindir}/sefcontext_compile
+%{_sbindir}/compute_*
+%{_sbindir}/getfilecon
+%{_sbindir}/getpidcon
+%{_sbindir}/policyvers
+%{_sbindir}/setfilecon
+%{_sbindir}/getseuser
+%{_sbindir}/selinux_check_securetty_context
+%{_sbindir}/selabel_get_digests_all_partial_matches
+%{_sbindir}/validatetrans
+%{_mandir}/man5/*
+%{_mandir}/ru/man5/*
+%{_mandir}/man8/*
+%{_mandir}/ru/man8/*
+
+%files -n libselinux1
+/%{_lib}/libselinux.so.*
+
+%files devel
+%{_libdir}/libselinux.so
+%{_includedir}/selinux/
+%{_mandir}/man3/*
+%{_libdir}/pkgconfig/libselinux.pc
+
+%files devel-static
+%{_libdir}/libselinux.a
+
+%changelog
diff --git a/readv-proto.patch b/readv-proto.patch
new file mode 100644
index 0000000..0d6c133
--- /dev/null
+++ b/readv-proto.patch
@@ -0,0 +1,12 @@
+Index: libselinux-2.5/src/setrans_client.c
+===================================================================
+--- libselinux-2.5.orig/src/setrans_client.c
++++ libselinux-2.5/src/setrans_client.c
+@@ -9,6 +9,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include
+ #include
diff --git a/selinux-ready b/selinux-ready
new file mode 100644
index 0000000..6191f0c
--- /dev/null
+++ b/selinux-ready
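Review bot: `Patch5: skip_cycles.patch` carries no PATCH-FIX-* tag line, unlike `Patch4` just above it, so a reader of the spec cannot tell whether it is a distribution-only behaviour change or something sent upstream; a line such as `# PATCH-FIX-OPENSUSE skip directory cycles in selinux_restorecon instead of aborting (see libselinux.changes, 2020-03-26)` would document it. `%define _lto_cflags %{nil}` in %build likewise has no comment, although the .changes file records the reason (boo#1133244); quoting that bug id next to the define keeps the rationale with the code. `CC="gcc"` hard-codes the compiler, whereas the 2011 changes entry says `%%__cc` was introduced for cross-builds; `CC="%{__cc}"` restores that.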
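Review bot: The `#include` lines of the nested hunk, including the added `++#include` line, show no header name on this page, most likely because the angle-bracket operand was dropped when the page was rendered; as shown the patch cannot apply, so confirm that the committed file still reads `#include <sys/uio.h>` (the readv prototype that the Patch4 comment in libselinux.spec refers to). The `Index:` and `---`/`+++` paths name libselinux-2.5 while the spec builds 3.1, so `%patch4 -p1` presumably relies on the hunk applying at an offset; refreshing the patch against the 3.1 tree would make a future context mismatch fail loudly instead of silently.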
@@ -0,0 +1,272 @@
+#!/bin/bash
+
+KERNEL="unknown"
+INITRD="unknown"
+TD=""
+
+
+# init needs /selinux to be there
+check_dir()
+{
+ SLDIRS="/selinux /sys/fs/selinux"
+ FOUND="no"
+
+ for DIR in $SLDIRS; do
+ if [ -d $DIR ]; then
+ printf "\tcheck_dir: OK. $DIR exists.\n"
+ FOUND="yes"
+ fi
+ done
+
+ if [ $FOUND == "yes" ]; then
+ return 0
+ else
+ printf "\tcheck_dir: ERR. Neither of $SLDIRS does exist. Please execute 'mkdir /sys/fs/selinux' as root\n"
+ return 1
+ fi
+}
+
+check_filesystem()
+{
+ FSPATH="/proc/filesystems"
+ FSNAMES="securityfs selinuxfs"
+ OK="O"
+
+ for FSNAME in $FSNAMES; do
+ grep -w $FSNAME $FSPATH 1>&2 >/dev/null
+
+ if [ $? == 0 ]; then
+ printf "\tcheck_filesystem: OK. Filesystem '$FSNAME' exists.\n"
+ else
+ printf "\tcheck_filesystem: ERR. Filesystem '$FSNAME' is missing. Please enable SELinux while compiling the kernel.\n"
+ OK="1"
+ fi
+ done
+ if [ "$OK" == "0" ]; then
+ return 0;
+ else
+ return 1;
+ fi
+}
+
+check_boot()
+{
+ BPARAM1="security=selinux"
+ BPARAM2="selinux=1"
+
+ printf "\tcheck_boot: Assuming GRUB2 as bootloader.\n"
+
+ # look for parameters of the current kernel
+ CURRENT_KERNEL=$(uname -r)
+ OTHERS=""
+ RETVAL="FAIL"
+ while read BLINE
+ do
+ K=$(echo $BLINE | awk -F' ' '{print $2}')
+ KERNEL=$(basename $K)
+ K=$(echo $KERNEL | sed s/vmlinuz-//)
+
+ if [ "$K" == "$CURRENT_KERNEL" ]; then
+ INITRD=initrd-$K
+ RETVAL="OK"
+ else
+ OTHERS="$KERNEL $OTHERS"
+ fi
+ done < <(grep -- $BPARAM1 /boot/grub2/grub.cfg 2>/dev/null | grep -- $BPARAM2)
+
+ if [ "$RETVAL" == OK ]; then
+ printf "\tcheck_boot: OK. Current kernel '$KERNEL' has boot-parameters '$BPARAM1 $BPARAM2'\n"
+ printf "\tcheck_boot: OK. Other kernels with correct parameters: $OTHERS\n"
+ return 0
+ else
+ printf "\tcheck_boot: ERR. Boot-parameter missing for booting the kernel.\n"
+ printf "\t Please use YaST2 to add 'security=selinux selinux=1' to the kernel boot-parameter list.\n"
+ return 1
+ fi
+}
+
+check_mkinitrd()
+{
+ if [ "$INITRD" == "unknown" ]; then
+ return 1
+ fi
+ MCMD="mount.*/root/proc.*"
+
+ if ! [ -f "/boot/$INITRD" ];then
+ printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/$INITRD'\n"
+ return 2
+ fi
+
+ cp /boot/$INITRD $TD/ 2>/dev/null
+
+ if ! [ -f "$TD/$INITRD" ];then
+ printf "\tcheck_mkinitrd: ERR. Error while copying initrd file.'\n"
+ return 2
+ fi
+
+
+ pushd . 2>&1>/dev/null
+ cd $TD
+ mkdir initrd-extracted
+ cd initrd-extracted
+ INITRD_FORMAT=$(file $TD/$INITRD | awk -F' ' '{print $2}')
+ case $INITRD_FORMAT in
+ 'XZ' )
+ xz -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
+ 'ASCII' )
+ /usr/lib/dracut/skipcpio $TD/$INITRD | xz -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
+ 'gzip' )
+ gzip -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
+ * )
+ printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n"
+ return 2
+ esac
+ if [ -d boot ]; then
+ grep -E -- $MCMD boot/* 2>&1 >/dev/null
+ FLG1=$?
+ grep -E -- load_policy boot/* 2>&1 >/dev/null
+ FLG2=$?
+ else
+ # looks like we're using dracut/systemd. We can only check if libselinux1
+ # exists
+ if [ -f lib64/libselinux.so.1 ]; then
+ # if this exists
+ FLG1=0
+ FLG2=0
+ fi
+ fi
+ popd 2>&1>/dev/null
+
+ if [ $FLG1 == 0 -a $FLG2 == 0 ];then
+ printf "\tcheck_mkinitrd: OK. Your initrd seems to be correct.\n"
+ return 0
+ else
+ printf "\tcheck_mkinitrd: ERR. Your initrd seems not to mount /proc of\n"
+ printf "\t the root filesystem during boot and/or load_policy\n"
+ printf "\t is missing,\n"
+ printf "\t this may be a reason for SELinux not working.\n"
+ return 1
+ fi
+}
+
+check_pam()
+{
+ AA_PAM=0
+ SE_PAM=0
+
+ # test for AA pam module
+ grep apparmor /etc/pam.d/* 2>&1 >/dev/null
+ FLG=$?
+ if [ $FLG == 0 ]; then
+ AA_PAM=1
+ fi
+
+ # test for SELinux pam module
+ grep selinux /etc/pam.d/* 2>&1 >/dev/null
+ FLG=$?
+ if [ $FLG == 0 ]; then
+ SE_PAM=1
+ fi
+
+ # suggest config
+ if [ $SE_PAM == 1 ] && [ $AA_PAM == 0 ]; then
+ printf "\tcheck_pam: OK. Your PAM configuration seems to be correct.\n"
+ return 0
+ fi
+ printf "\tcheck_pam: ERR. Your PAM configuration seems to be incorrect.\n"
+ if [ $AA_PAM == 1 ]; then
+ printf " execute 'pam-config -d --apparmor' as root\n"
+ fi
+ if [ $SE_PAM == 0 ]; then
+ printf " execute 'pam-config -a --selinux' as root\n"
+ fi
+
+ return 1
+}
+
+check_initupstart()
+{
+ CFGFILE="/etc/selinux/config"
+
+ if ! [ -f $CFGFILE ]; then
+ printf "\tcheck_initupstart: ERR. $CFGFILE does not exist.\n"
+ return 1;
+ fi
+}
+
+check_runlevel()
+{
+ if [ "$(systemctl is-enabled restorecond.service 2>/dev/null)" == "enabled" ]; then
+ printf "\tcheck_runlevel: OK. restorecond is enabled on your system\n"
+ return 0;
+ fi
+ printf "\tcheck_runlevel: ERR. please enable restorecond with systemctl enable restorecond.service.\n"
+ return 1
+}
+
+check_packages()
+{
+ PKGLST="checkpolicy policycoreutils selinux-tools libselinux1 libsepol1 libsemanage1 restorecond"
+ FAIL=0
+
+ for i in $PKGLST
+ do
+ rpm -q $i 1>&2 >/dev/null
+ if [ $? == 1 ];then
+ printf "\tcheck_packages: ERR. Package '$i' not installed, please run 'zypper in $i' as root\n"
+ FAIL=1
+ fi
+ done
+
+ if [ $FAIL == 0 ]; then
+ printf "\tcheck_packages: OK. All essential packages are installed\n"
+ return 0
+ else
+ return 1
+ fi
+}
+
+check_config()
+{
+ CF="/etc/selinux/config"
+
+ if [ -f $CF ];then
+ printf "\tcheck_config: OK. Config file seems to be there.\n"
+ # with -L because /etc/selinux/config is now a link to /etc/sysconfig/selinux-policy
+ if ! [ $(stat -L --printf=%a $CF) -eq "644" ]; then
+ printf "\tcheck_config: ERR. Config file '$CF' has wrong permissions.\n"
+ return 1
+ fi
+
+ # check that SELINUX is not disabled there
+ SELINUX_MODE=$(grep "^\s*SELINUX\s*=" $CF | sed "s/SELINUX\s*=\(\S*\)\s*"/\\1/)
+ case "$SELINUX_MODE" in
+ permissive | enforcing )
+ printf "\tcheck_config: OK. SELINUX is set to '$SELINUX_MODE'.\n"
+ return 0
+ ;;
+ * )
+ printf "\tcheck_config: ERR. SELINUX is set to '$SELINUX_MODE' in '$CF'. Should be either 'permissive' or 'enforcing'\n"
+ return 1
+ ;;
+ esac
+ else
+ printf "\tcheck_config: ERR. Config file '$CF' is missing.\n"
+ return 1
+ fi
+}
+
+TD=$(mktemp -q -d /tmp/selinux-ready.XXXXXX)
+
+echo "Start checking your system if it is selinux-ready or not:"
+check_dir
+check_filesystem
+check_boot
+check_mkinitrd
+check_packages
+check_config
+check_initupstart
+check_pam
+check_runlevel
+
+rm -rf $TD
diff --git a/skip_cycles.patch b/skip_cycles.patch
new file mode 100644
index 0000000..7dd6a1f
--- /dev/null
+++ b/skip_cycles.patch
@@ -0,0 +1,16 @@
+Index: libselinux-3.0/src/selinux_restorecon.c
+===================================================================
+--- libselinux-3.0.orig/src/selinux_restorecon.c
++++ libselinux-3.0/src/selinux_restorecon.c
+@@ -991,9 +991,8 @@ int selinux_restorecon(const char *pathn
+ selinux_log(SELINUX_ERROR,
+ "Directory cycle on %s.\n",
+ ftsent->fts_path);
+- errno = ELOOP;
+- error = -1;
+- goto out;
++ fts_set(fts, ftsent, FTS_SKIP);
++ continue;
+ case FTS_DP:
+ continue;
+ case FTS_DNR: