commit f740fec5af869881e58c3c7657120d22ae101389 Author: zyppe <210hcl@gmail.com> Date: Thu Feb 29 14:36:34 2024 +0800 Initialize for libsemanage diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..25a81a7 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +libsemanage-3.1.tar.gz diff --git a/.libsemanage.metadata b/.libsemanage.metadata new file mode 100644 index 0000000..a81f1a8 --- /dev/null +++ b/.libsemanage.metadata @@ -0,0 +1 @@ +446a978042c8f45189a7df5e13b59f6a834911ffd6ef9d17ce9426e90a823ae1 libsemanage-3.1.tar.gz diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..947b903 --- /dev/null +++ b/baselibs.conf @@ -0,0 +1 @@ +libsemanage1 diff --git a/libsemanage.changes b/libsemanage.changes new file mode 100644 index 0000000..e0b13c3 --- /dev/null +++ b/libsemanage.changes 
@@ -0,0 +1,249 @@ +* Wed Jul 29 2020 kukuk@suse.com +- Add /var/lib/selinux +* Wed Jul 15 2020 jsegitz@suse.com +- Remove libsemanage-update-map-file.patch to prevent checkers from declining + the submission. Keeping the snippet in the spec file in case we try to + enable LTO again +* Tue Jul 14 2020 jsegitz@suse.com +- Update to version 3.1 + * Improved manpage + * fsync final files before rename +* Tue Jun 16 2020 jsegitz@suse.com +- Disabled LTO again. This breaks e.g. shadow and also other packages + in security:SELinux +* Fri Jun 12 2020 pmonrealgonzalez@suse.com +- Fix build with LTO: [bsc#1133102] + * Enable LTO (Link Time Optimization) and build with -ffat-lto-objects + * Update map file to include new symbols and remove wildcards +- Add libsemanage-update-map-file.patch +* Thu Jun 4 2020 dimstar@opensuse.org +- Drop suse_path.patch: replace it with a grep/sed logic replacing + /usr/libexec in all files with the correct value for all distros + (taking into account that openSUSE is in progress of migrating + from /usr/lib to /usr/libexec). +* Fri May 29 2020 jsegitz@suse.de +- Apply suse_path.patch only for older distributions. Newer + use libexec +* Tue Mar 3 2020 jsegitz@suse.de +- Update to version 3.0 + * Add support for DCCP and SCTP protocols + * include internal header to use the hidden function prototypes + * mark all exported function "extern" + * optionally optimize policy on rebuild + Refreshed suse_path.patch +* Thu Jun 20 2019 mliska@suse.cz +- Disable LTO due to symbol versioning (boo#1138812). 
+* Wed Mar 20 2019 jsegitz@suse.com +- Update to version 2.9 + * Always set errno to 0 before calling getpwent() + * Include user name in ROLE_REMOVE audit events + * genhomedircon - improve handling large groups + * improve semanage_migrate_store import failure + * reset umask before creating directories + * set selinux policy root around calls to selinux_boolean_sub + * use previous seuser when getting the previous name +* Thu Nov 8 2018 jengelh@inai.de +- Use more %%make_install. +* Thu Nov 8 2018 jsegitz@suse.com +- Adjusted source urls (bsc#1115052) +* Thu Sep 27 2018 pmonrealgonzalez@suse.com +- update to version 2.8 + * semanage fcontext -l now also lists home directory entries from + file_contexts.homedirs. + * libsemanage no longer deletes the tmp directory if there is an error + while committing the policy transaction, so that any temporary files + can be further inspected for debugging purposes (e.g. to examine a + particular line of the generated CIL module). The tmp directory will + be deleted upon the next transaction, so no manual removal is needed. + * When overriding PREFIX, BINDIR, SBINDIR, SHLIBDIR, LIBEXECDIR, etc., + DESTDIR has to be removed from the definition. For example on Arch + Linux, SBINDIR="${pkgdir}/usr/bin" was changed to SBINDIR="/usr/bin". + * PYSITEDIR has been renamed PYTHONLIBDIR (and its definition changed). +- Clened with spec-cleaner +* Thu Mar 8 2018 rgoldwyn@suse.com +- Update to version 2.7. Changes: + * IB support + * saves linked policy and skips relinking whenever possible +* Fri Nov 24 2017 jsegitz@suse.com +- Update to version 2.6. 
Notable changes: + * genhomedircon: do not suppress logging from libsepol + * genhomedircon: use userprefix as the role for homedir + * Fix bug preventing the installation of base modules + * Use pp module name instead of filename when installing module + * genhomedircon: remove hardcoded refpolicy strings + * genhomedircon: add support for %%group syntax + * genhomedircon: generate contexts for logins mapped to the default user + * Validate and compile file contexts before installing + * Swap tcp and udp protocol numbers + * genhomedircon: %%{USERID} and %%{USERNAME} support and code cleanups +* Mon Dec 12 2016 dimstar@opensuse.org +- Split out the Policy Store Migration tool into + libsemanage-store-migrate: it is not a devel tool to start with. + Additionally, it causes the -devel package to depend on python, + which we want to avoid (libsemanabe being part of the core build + cycle). The library suggests libsemanage-store-migrate. +* Sun Jul 17 2016 jengelh@inai.de +- Update RPM groups, trim description, combine filelist entries, + ensure pkgconfig() symbols are generated. +* Thu Jul 14 2016 jsegitz@novell.com +- Without bug number no submit to SLE 12 SP2 is possible, so to make + sle-changelog-checker happy: bsc#988977 +* Wed Jul 13 2016 jsegitz@novell.com +- Added suse_path.patch to fix path to hll compiler +* Fri Jul 8 2016 i@marguerite.su +- update version 2.5 + * Do not overwrite CFLAGS in test Makefile, from Nicolas Iooss. 
+ * Fix uninitialized variable in direct_commit and direct_api + * semanage_migrate_store: Load libsepol.so.1 instead of libsepol.so + * Store homedir_template and users_extra in policy store + * Fix null pointer dereference in semanage_module_key_destroy + * Add semanage_module_extract() to extract a module as CIL or HLL + * semanage_migrate_store: add -r option for migrating inside chroots + * Add file_contexts and seusers to the store + * Add policy binary and file_contexts.local to the store + * Allow to install compressed modules without a compression extension + * Do not copy contexts in semanage_migrate_store + * Fix logic in bunzip for uncompressed pp files + * Fix fname[] initialization in test_utilities.c + * Add remove-hll semanage.conf option to remove HLL files after + compilation to CIL + * Fix memory leaks when parsing semanage.conf + * Change bunzip to use heap instead of stack to prevent segfault on + systems with small stack size +- changes in 2.4 + * Fix Makefile to allow LIBDIR and SHLIBDIR to be set to different + directories + * Fix bugs found by hardened gcc flags + * Add missing manpage links to security_load_policy + * Fix failing libsemanage pywrap tests + * Fix deprecation warning for bison + * Skip policy module relink when only setting booleans + * Only try to compile file contexts if they exist + * Fix memory leak when setting a custom store path + * Add semodule option to set store root path in semanage.conf and the + semodule command + * Add semanage.conf option to set an alternative root path for policy + store + * Add support for High Level Language (HLL) to CIL compilers. 
The HLL + compiler path is configurable, but should be placed in + /usr/libexec/selinux/hll by default + * Create a policy migration script for migrating the policy store from + /etc/selinux to /var/lib/selinux + * Add python3 support to the migration script + * Use libcil to compile modules + * Use symbolic versioning to maintain ABI compatibility for old install + functions + * Add a target-platform option to semanage.conf to control how policies + are built + * Add API to handle modules and source policies, moving module store to + /var/lib/selinux + * Only try to compile file contexts if they exist +* Sun May 18 2014 crrodriguez@opensuse.org +- version 2.3 + * Fix memory leak in semanage_genhomedircon from Thomas Hurd. +* Tue Feb 11 2014 vcizek@suse.com +- add semanage.conf as SOURCE and install it instead of the default + one +* Thu Oct 31 2013 p.drouand@gmail.com +- Update to version 2.2 + * Avoid duplicate list entries + * Add audit support to libsemanage + * Remove policy.kern and replace with symlink + * Apply a MAX_UID check for genhomedircon + * Fix man pages +- Add audit-devel BuildRequires; new dependency +- Add fdupes BuildRequires and use it to symlink duplicate manpages +* Thu Jun 27 2013 vcizek@suse.com +- change the source url to the official 2.1.10 release tarball +* Thu Apr 4 2013 vcizek@suse.com +- fixed source url +- removed old tarball +* Fri Mar 29 2013 vcizek@suse.com +- update to 2.1.10 + * Add sefcontext_compile to compile regex everytime policy is rebuilt + * Cleanup/fix enable/disable/remove module. 
+ * redo genhomedircon minuid + * fixes from coverity + * semanage_store: do not leak memory in semanage_exec_prog + * genhomedircon: remove useless conditional in get_home_dirs + * genhomedircon: double free in get_home_dirs + * fcontext_record: do not leak on error in semanage_fcontext_key_create + * genhomedircon: do not leak on failure in write_gen_home_dir_context + * semanage_store: do not leak fd + * genhomedircon: do not leak shells list + * semanage_store: do not leak on strdup failure + * semanage_store: rewrite for readability +* Wed Jan 30 2013 vcizek@suse.com +- update to 2.1.9 + * dropped libsemanage-2.1.6-NULL_level_fix.patch (fixed upstream) + * libsemanage: do not set soname needlessly + * libsemanage: remove PYTHONLIBDIR and ruby equivalent + * do boolean name substitution + * Fix segfault for building standard policies. + * remove build warning when build swig c files + * additional makefile support for rubywrap + * ignore 80 column limit for readability + * semanage_store: fix snprintf length argument by using asprintf + * Use default semanage.conf as a fallback + * use after free in python bindings + * Alternate path for semanage.conf + * do not link against libpython, this is considered bad in Debian + * Allow to build for several ruby version + * fallback-user-level +* Mon Jan 7 2013 jengelh@inai.de +- Remove obsolete defines/sections +* Wed Oct 24 2012 vcizek@suse.com +- when building "standard" (not MCS/MLS) selinux-policies, + libsemanage will crash, because "level" is NULL + (libsemanage-2.1.6-NULL_level_fix.patch) +* Mon Aug 27 2012 cfarrell@suse.com +- license update: LGPL-2.1+ + Could not find any LGPL-2.1 "only" licensed files in the pacakge +* Wed Aug 1 2012 meissner@suse.com +- Updated to 2.1.6 + * changes too numerous to list +* Wed Oct 5 2011 uli@suse.com +- cross-build fix: use %%__cc macro +* Thu Sep 22 2011 dmueller@suse.de +- buildrequire libbz2-devel +* Mon May 23 2011 prusnak@opensuse.org +- split off python bindings to 
separate package to reduce build + dependencies for rpm [bnc#695436] +* Wed May 18 2011 coolo@novell.com +- add baselibs.conf for rpm-32bit to use +* Wed Feb 23 2011 coolo@novell.com +- disable parallel build, it breaks too often +* Thu Feb 25 2010 prusnak@suse.cz +- updated to 2.0.43 + * changes too numerous to list +* Fri Jan 16 2009 prusnak@suse.cz +- fix assignment of wrong context [bnc#466793] +* Wed Jan 14 2009 prusnak@suse.cz +- updated to 2.0.31 + * policy module compression (bzip) support from Dan Walsh + * hard link files between tmp/active/previous from Dan Walsh + * add semanage_mls_enabled() interface from Stephen Smalley +* Mon Dec 1 2008 prusnak@suse.cz +- updated to 2.0.29 + * add USER to lines to homedir_template context file + * add compression support + * allow fcontext and seuser changes without rebuilding the policy + * don't rebuild on fcontext or seuser modifications + * modify genhomedircon to skip %%groupname entries +* Wed Oct 22 2008 mrueckert@suse.de +- fix debug_packages_requires define +* Tue Sep 23 2008 prusnak@suse.cz +- require only version, not release [bnc#429053] +* Tue Sep 2 2008 prusnak@suse.cz +- updated to 2.0.27 + * Modify genhomedircon to skip %%groupname entries. + Ultimately we need to expand them to the list of users to support + per-role homedir labeling when using the %%groupname syntax. +- updated to 2.0.26 + * Fix bug in genhomedircon fcontext matches logic from Dan Walsh. + Strip any trailing slash before appending /*$. +* Fri Aug 1 2008 ro@suse.de +- fix requires for debuginfo package +* Tue Jul 15 2008 prusnak@suse.cz +- initial version 2.0.25 + * based on Fedora package by Dan Walsh diff --git a/libsemanage.spec b/libsemanage.spec new file mode 100644 index 0000000..80ed727 --- /dev/null +++ b/libsemanage.spec 
@@ -0,0 +1,129 @@ +# +# spec file for package libsemanage +# +# Copyright (c) 2022-2023 ZhuningOS +# + + +Name: libsemanage +Version: 3.1 +Release: 150400.1.65 +Summary: SELinux policy management library +License: LGPL-2.1-or-later +Group: Development/Libraries/C and C++ +URL: https://github.com/SELinuxProject/selinux/wiki/Releases +Source: https://github.com/SELinuxProject/selinux/releases/download/20200710/%{name}-%{version}.tar.gz +Source1: baselibs.conf +Source2: semanage.conf +# PATCH-FIX-UPSTREAM bsc#1133102 LTO: Update map file to include new symbols and remove wildcards +# For now we need to disable this. This breaks e.g. shadow and also other packages in security:SELinux +#Patch0: libsemanage-update-map-file.patch +BuildRequires: audit-devel +BuildRequires: bison +BuildRequires: fdupes +BuildRequires: flex +BuildRequires: libbz2-devel +BuildRequires: libselinux-devel +BuildRequires: libsepol-devel +BuildRequires: libustr-devel +BuildRequires: pkg-config + +%description +libsemanage is the policy management library. Using libsepol and +libselinux to interact with the SELinux system, it also calls helper +programs for loading policy and for checking whether the +file_contexts configuration is valid. + +%package -n libsemanage1 +Summary: SELinux policy management library +Group: System/Libraries +Suggests: %{name}-migrate-store + +%description -n libsemanage1 +libsemanage is the policy management library. Using libsepol and +libselinux to interact with the SELinux system, it also calls helper +programs for loading policy and for checking whether the +file_contexts configuration is valid. + +(Security-enhanced Linux is a feature of the kernel and some +utilities that implement mandatory access control policies, such as +Type Enforcement, Role-based Access Control and Multi-Level +Security.) 
+ +%package devel +Summary: Header files and libraries for SELinux's policy management libary +Group: Development/Libraries/C and C++ +Requires: libsemanage1 = %{version} +Requires: libustr-devel + +%description devel +The libsemanage-devel package contains the libraries and header files +needed for developing applications that manipulate SELinux policies. + +%package devel-static +Summary: Static archives for SELinux's policy management library +Group: Development/Libraries/C and C++ +Requires: libsemanage-devel + +%description devel-static +The libsemanage-devel-static package contains the static libraries +needed for developing applications that manipulate binary policies. + +%package migrate-store +Summary: SELinux Policy Store Migration +Group: Productivity/Security + +%description migrate-store +In version 2.4 of libsemanage, libsepol, and policycoreutils, the policy +module store was moved from /etc/selinux//modules/ to +/var/lib/selinux//. Once the libraries are upgraded, all policy +stores must be migrated before any commands that modify or use the store +(e.g. semodule, semanage) can be executed. + +%prep +%setup -q +# Replace /usr/libexec with whatever the distro defines as libexecdir - across all files +grep /usr/libexec . 
-rl | xargs sed -i "s|/usr/libexec|%{_libexecdir}|g" + +%build +%define _lto_cflags %{nil} +make %{?_smp_mflags} clean +make -j1 CFLAGS="%{optflags} -fno-semantic-interposition" CC="gcc" +make -j1 CFLAGS="%{optflags} -fno-semantic-interposition" LIBDIR="%{_libdir}" LIBEXECDIR="%{_libexecdir}" SHLIBDIR="%{_lib}" CC="gcc" all + +%install +mkdir -p %{buildroot}/%{_lib} +mkdir -p %{buildroot}%{_libdir} +mkdir -p %{buildroot}%{_includedir} +mkdir -p %{buildroot}%{_localstatedir}/lib/selinux +%make_install LIBDIR="%{_libdir}" LIBEXECDIR="%{_libexecdir}" SHLIBDIR="%{_libdir}" +ln -sf %{_libdir}/libsemanage.so.1 %{buildroot}/%{_libdir}/libsemanage.so +cp %{SOURCE2} %{buildroot}%{_sysconfdir}/selinux/semanage.conf +# Remove duplicate files +%fdupes -s %{buildroot}%{_mandir} + +%post -n libsemanage1 -p /sbin/ldconfig +%postun -n libsemanage1 -p /sbin/ldconfig + +%files -n libsemanage1 +%dir %{_sysconfdir}/selinux +%config(noreplace) %{_sysconfdir}/selinux/semanage.conf +%{_libdir}/libsemanage.so.* +%dir %{_localstatedir}/lib/selinux + +%files devel +%{_libdir}/libsemanage.so +%{_libdir}/pkgconfig/libsemanage.pc +%{_includedir}/semanage/ +%{_mandir}/man3/* +%{_mandir}/man5/* +%{_mandir}/ru/man5/* + +%files migrate-store +%dir %{_libexecdir}/selinux +%{_libexecdir}/selinux/ + +%files devel-static +%{_libdir}/libsemanage.a + +%changelog diff --git a/semanage.conf b/semanage.conf new file mode 100644 index 0000000..bc9d4ac --- /dev/null +++ b/semanage.conf 
@@ -0,0 +1,51 @@ +# Authors: Jason Tang +# +# Copyright (C) 2004-2005 Tresys Technology, LLC +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +# +# Specify how libsemanage will interact with a SELinux policy manager. +# The four options are: +# +# "source" - libsemanage manipulates a source SELinux policy +# "direct" - libsemanage will write directly to a module store. +# /foo/bar - Write by way of a policy management server, whose +# named socket is at /foo/bar. The path must begin +# with a '/'. +# foo.com:4242 - Establish a TCP connection to a remote policy +# management server at foo.com. If there is a colon +# then the remainder is interpreted as a port number; +# otherwise default to port 4242. +module-store = direct + +# When generating the final linked and expanded policy, by default +# semanage will set the policy version to POLICYDB_VERSION_MAX, as +# given in . Change this setting if a different +# version is necessary. +#policy-version = 19 + +# expand-check check neverallow rules when executing all semanage commands. +# Large penalty in time if you turn this on. +expand-check=0 + +# usepasswd check tells semanage to scan all pass word records for home directories +# and setup the labeling correctly. If this is turned off, SELinux will label /home +# correctly only. 
You will need to use semanage fcontext command. +# For example, if you had home dirs in /althome directory you would have to execute +# semanage fcontext -a -e /home /althome +usepasswd=False +bzip-small=true +bzip-blocksize=5 +ignoredirs=/root
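Review bot: in .libsemanage.metadata, the digest recorded for libsemanage-3.1.tar.gz carries no algorithm label, and with the tarball excluded by .gitignore it is the only integrity reference for the source in this commit. Nothing in libsemanage.spec refers to it, so please document which tool checks the hash before the build and state the algorithm (the value is 64 hex digits, the length of a SHA-256 digest), so a reviewer can reproduce the check against the tarball fetched from the Source URL.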
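Review bot: in libsemanage.spec, %build passes SHLIBDIR="%{_lib}" while %install passes SHLIBDIR="%{_libdir}"; %{_lib} expands to a bare directory name (lib or lib64), not an absolute path, so the two stages disagree on where the shared library lives. Use SHLIBDIR="%{_libdir}" in both, and drop "mkdir -p %{buildroot}/%{_lib}", which creates a top-level directory that no %files section lists. The first make call in %build passes no LIBDIR or LIBEXECDIR at all, so consider folding it into the second so that everything is built once with the final paths. Separately, "cp %{SOURCE2} %{buildroot}%{_sysconfdir}/selinux/semanage.conf" relies on %make_install having created the directory and on the umask for the file mode; "install -D -m 0644" would make both explicit for a %config file that controls how policy is handled.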
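Review bot: semanage.conf sets expand-check=0, which by the file's own comment turns off neverallow checking for every semanage command, so a policy change that violates a neverallow rule is not caught at that point. If the time cost is the reason, say so next to the setting and note when expand-check=1 should be used to validate policy changes. The last three keys (bzip-small, bzip-blocksize, ignoredirs=/root) have no comment at all, and booleans are spelled three ways (0, False, true); one line of explanation per key and a single spelling would make the shipped defaults auditable.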