import libselinux-3.7-4.el10

i10cs changed/i10cs/libselinux-3.7-4.el10
MSVSphere Packaging Team 2 months ago
parent a0e1f77f78
commit ca10ac8130
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

@ -0,0 +1,95 @@
From b4b002ffef9431cc3af8409a32e243cd7b057feb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Sun, 23 Jun 2024 14:26:04 +0200
Subject: [PATCH] libselinux: deprecate security_disable(3)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The runtime disable functionality has been removed in Linux 6.4. Thus
security_disable(3) will no longer work on these kernels.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
libselinux/include/selinux/selinux.h | 6 +++++-
libselinux/man/man3/security_disable.3 | 3 ++-
libselinux/src/load_policy.c | 2 ++
libselinux/src/selinux_internal.h | 18 ++++++++++++++++++
4 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 61c1422b..1318a66a 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -367,7 +367,11 @@ extern int security_deny_unknown(void);
/* Get the checkreqprot value */
extern int security_get_checkreqprot(void);
-/* Disable SELinux at runtime (must be done prior to initial policy load). */
+/* Disable SELinux at runtime (must be done prior to initial policy load).
+ Unsupported since Linux 6.4. */
+#ifdef __GNUC__
+__attribute__ ((deprecated))
+#endif
extern int security_disable(void);
/* Get the policy version number. */
diff --git a/libselinux/man/man3/security_disable.3 b/libselinux/man/man3/security_disable.3
index 072923ce..5ad8b778 100644
--- a/libselinux/man/man3/security_disable.3
+++ b/libselinux/man/man3/security_disable.3
@@ -14,7 +14,8 @@ disables the SELinux kernel code, unregisters selinuxfs from
and then unmounts
.IR /sys/fs/selinux .
.sp
-This function can only be called at runtime and prior to the initial policy
+This function is only supported on Linux 6.3 and earlier, and can only be
+called at runtime and prior to the initial policy
load. After the initial policy load, the SELinux kernel code cannot be disabled,
but only placed in "permissive" mode by using
.BR security_setenforce(3).
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 57d7aaef..dc1e4b6e 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -326,7 +326,9 @@ int selinux_init_load_policy(int *enforce)
if (seconfig == -1) {
/* Runtime disable of SELinux. */
+ IGNORE_DEPRECATED_DECLARATION_BEGIN
rc = security_disable();
+ IGNORE_DEPRECATED_DECLARATION_END
if (rc == 0) {
/* Successfully disabled, so umount selinuxfs too. */
umount(selinux_mnt);
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index b134808e..450a42c2 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -113,4 +113,22 @@ void *reallocarray(void *ptr, size_t nmemb, size_t size);
#define ignore_unsigned_overflow_
#endif
+/* Ignore usage of deprecated declaration */
+#ifdef __clang__
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
+ _Pragma("clang diagnostic push") \
+ _Pragma("clang diagnostic ignored \"-Wdeprecated-declarations\"")
+#define IGNORE_DEPRECATED_DECLARATION_END \
+ _Pragma("clang diagnostic pop")
+#elif defined __GNUC__
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN \
+ _Pragma("GCC diagnostic push") \
+ _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"")
+#define IGNORE_DEPRECATED_DECLARATION_END \
+ _Pragma("GCC diagnostic pop")
+#else
+#define IGNORE_DEPRECATED_DECLARATION_BEGIN
+#define IGNORE_DEPRECATED_DECLARATION_END
+#endif
+
#endif /* SELINUX_INTERNAL_H_ */
--
2.46.0

@ -0,0 +1,86 @@
From 2ce1276a0476c7c44d3dad0423f1fde3a0f6d2ce Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Wed, 16 Oct 2024 19:57:10 +0200
Subject: [PATCH] libselinux: fix swig bindings for 4.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
https://github.com/swig/swig/blob/master/CHANGES.current
"[Python] #2907 Fix returning null from functions with output
parameters. Ensures OUTPUT and INOUT typemaps are handled
consistently wrt return type.
New declaration of SWIG_Python_AppendOutput is now:
SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void);
The 3rd parameter is new and the new $isvoid special variable
should be passed to it, indicating whether or not the wrapped
function returns void.
Also consider replacing with:
SWIG_AppendOutput(PyObject* result, PyObject* obj);
which calls SWIG_Python_AppendOutput with same parameters but adding $isvoid
for final parameter."
Fixes: https://github.com/SELinuxProject/selinux/issues/447
selinuxswig_python_wrap.c: In function _wrap_security_compute_user:
selinuxswig_python_wrap.c:11499:17: error: too few arguments to function SWIG_Python_AppendOutput
11499 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c: In function _wrap_security_compute_user_raw:
selinuxswig_python_wrap.c:11570:17: error: too few arguments to function SWIG_Python_AppendOutput
11570 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c: In function _wrap_security_get_boolean_names:
selinuxswig_python_wrap.c:12470:17: error: too few arguments to function SWIG_Python_AppendOutput
12470 | resultobj = SWIG_Python_AppendOutput(resultobj, list);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
error: command '/usr/bin/gcc' failed with exit code 1
Suggested-by: Jitka Plesnikova <jplesnik@redhat.com>
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
libselinux/src/selinuxswig_python.i | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
index 17e03b9e36a5..03ed296d5b85 100644
--- a/libselinux/src/selinuxswig_python.i
+++ b/libselinux/src/selinuxswig_python.i
@@ -71,7 +71,7 @@ def install(src, dest):
for (i = 0; i < *$2; i++) {
PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
}
- $result = SWIG_Python_AppendOutput($result, list);
+ $result = SWIG_AppendOutput($result, list);
}
/* return a sid along with the result */
@@ -108,7 +108,7 @@ def install(src, dest):
plist = PyList_New(0);
}
- $result = SWIG_Python_AppendOutput($result, plist);
+ $result = SWIG_AppendOutput($result, plist);
}
/* Makes functions in get_context_list.h return a Python list of contexts */
--
2.47.0

@ -9,7 +9,7 @@
Summary: SELinux library and simple utilities
Name: libselinux
Version: 3.7
Release: 3%{?dist}
Release: 4%{?dist}
License: LicenseRef-Fedora-Public-Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/libselinux-3.7.tar.gz
@ -28,6 +28,8 @@ Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
Patch0002: 0002-libselinux-set-free-d-data-to-NULL.patch
Patch0003: 0003-libselinux-restorecon-Include-selinux-label.h.patch
Patch0004: 0004-libselinux-Fix-integer-comparison-issues-when-compil.patch
Patch0005: 0005-libselinux-deprecate-security_disable-3.patch
Patch0006: 0006-libselinux-fix-swig-bindings-for-4.3.0.patch
# Patch list end
BuildRequires: gcc make
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel
@ -226,13 +228,15 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{ruby_vendorarchdir}/selinux.so
%changelog
## START: Generated by rpmautospec
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.7-7
- Bump release for October 2024 mass rebuild:
* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 3.7-3
- Rebuilt for MSVSphere 10
## START: Generated by rpmautospec
* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-5
- libselinux-3.7-3
- restorecon: Include <selinux/label.h>
* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-3
- restorecon: Include <selinux/label.h> (RHEL-53852)
- Fix integer comparison issues when compiling for 32-bit
* Tue Jul 09 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-2

Loading…
Cancel
Save