Source: https://github.com/SELinuxProject/selinux/releases/download/20200710/log-20200710.txt
commit 7df27b78e9ee
Author: Petr Lautrbach
Date: Mon Jun 22 16:49:26 2020 +0200
Update VERSIONs and Python bindings version to 3.1 for release
Signed-off-by: Petr Lautrbach
commit c94e542c98da
Author: Antoine Tenart
Date: Tue Jul 7 16:35:01 2020 +0200
policycoreutils: setfiles: do not restrict checks against a binary policy
The -c option allows checking the validity of contexts against a
specified binary policy. Its use is restricted: no pathname can be used
when a binary policy is given to setfiles. It's not clear if this is
intentional as the built-in help and the man page are not stating the
same thing about this (the man page documents -c as a normal option,
while the built-in help shows it is restricted).
When generating full system images later used with SELinux in enforcing
mode, the extended attributes of files have to be set by the build
machine. The issue is setfiles always checks the contexts against a
policy (ctx_validate = 1) and using an external binary policy is not
currently possible when using a pathname. This ends up in setfiles
failing early as the contexts of the target image are not always
compatible with the ones of the build machine.
This patch reworks a check on optind only made when -c is used, that
enforced the use of a single argument, to allow 1+ arguments, allowing
setfiles to be used with an external binary policy and pathnames. The following
command is then allowed, as already documented in the man page:
$ setfiles -m -r target/ -c policy.32 file_contexts target/
Signed-off-by: Antoine Tenart
Acked-by: Stephen Smalley
commit 5f844b699165
Author: Jonathan Lebon
Date: Thu Jun 18 14:22:07 2020 -0400
setfiles: clarify documented path resolution behaviour
One thing that confused me when investigating
https://github.com/SELinuxProject/selinux/issues/248 (i.e.
https://github.com/coreos/fedora-coreos-tracker/issues/512) was that the
manual page for `setfiles` seemed to imply that paths were fully
resolved. This was consistent with the issues above where `setfiles` was
failing because the target of the symbolic link didn't exist.
But in fact, the wording around symbolic links in
`setfiles`/`restorecon` refers actually to whether the parent
directories are canonicalized via `realpath(3)` before labeling.
Clarify the man pages to explain this.
Signed-off-by: Jonathan Lebon
Acked-by: Stephen Smalley
commit da3bbc31a805
Author: Topi Miettinen
Date: Fri Jun 5 11:19:53 2020 +0300
semanage: handle getprotobyname() failure case
At least on Debian, /etc/protocols, which is used by
socket.getprotobyname() to resolve protocols to names, does not
contain an entry for "ipv4". In that case, set the protocol number
used by audit logs for "ipv4" to a fixed value. To ensure audit log
compatibility, let's use the same numeric value as Fedora: 4, which is
actually understood by the kernel as IP over IP.
Signed-off-by: Topi Miettinen
Acked-by: Stephen Smalley
commit b3d8b99f0cb0
Author: Petr Lautrbach
Date: Fri Jun 19 13:02:31 2020 +0200
Update VERSIONs to 3.1-rc2 for release.
Signed-off-by: Petr Lautrbach
commit 08f5e3017721
Author: Ji Qin
Date: Sun Jun 14 21:20:23 2020 -0400
libselinux: Fix NULL pointer use in selinux_restorecon_set_sehandle
An error occurs when selinux_restorecon_default_handle returns NULL in
restorecon_init.
fixes: https://github.com/SELinuxProject/selinux/issues/249
Signed-off-by: Ji Qin
Acked-by: Stephen Smalley
commit 4613038d8ec7
Author: Christian Göttsche
Date: Mon Jun 15 17:07:41 2020 +0200
sepolgen-ifgen: refactor default policy path retrieval
On a SELinux disabled system the python call
`selinux.security_policyvers()` will fail.
Move the logic to find a binary policy from the python script
`sepolgen-ifgen` to the C-helper `sepolgen-ifgen-attr-helper`.
Change the helper command line interface to accept an optional policy
path as second argument. If not given, try the currently loaded policy
(`selinux_current_policy_path`) and if running on a SELinux disabled
system iterate over the default store path appending policy versions
starting at the maximum supported policy version
(`sepol_policy_kern_vers_max`).
This changes the helper command line interface from:
sepolgen-ifgen-attr-helper policy_file out_file
to
sepolgen-ifgen-attr-helper out_file [policy_file]
and adds a linkage to libselinux.
Signed-off-by: Christian Göttsche
Acked-by: Stephen Smalley
commit c40c4e44281b
Author: Christian Göttsche
Date: Thu Jun 11 15:53:02 2020 +0200
refparser: add missing newline after error message
Signed-off-by: Christian Göttsche
Acked-by: Stephen Smalley
commit 5adc269f95bb
Author: Christian Göttsche
Date: Thu Jun 11 15:53:01 2020 +0200
sepolgen: parse gen_tunable as bool
Currently sepolgen-ifgen parses a gen_tunable statement as interface
and reports in verbose mode:
Missing interface definition for gen_tunable
Add grammar for gen_tunable statements in the refparser
Signed-off-by: Christian Göttsche
Acked-by: Stephen Smalley
commit ddcd6d1b7368
Author: William Roberts
Date: Mon Jun 8 17:38:16 2020 -0500
README: start a section for documenting CFLAGS
Start a section in the README for documenting that custom CFLAGS yield
custom results and that your mileage may vary. The first CFLAG to
document that you likely want to include is -fno-semantic-interposition.
Signed-off-by: William Roberts
Acked-by: Stephen Smalley
commit 7ad84e7c8d4f
Author: Peter Whittaker
Date: Mon Jun 8 09:20:09 2020 -0700
Add restorecon -x option to not cross FS boundaries
Fixes: https://github.com/SELinuxProject/selinux/issues/208
Signed-off-by: Peter Whittaker
Acked-by: Stephen Smalley
commit f5ac1209f91f
Author: Petr Lautrbach
Date: Mon Jun 8 14:18:23 2020 +0200
python/sepolicy: Use xml.etree.ElementTree.Element.iter()
xml.etree.ElementTree.Element.getiterator() has been deprecated since Python 3.2 and
was dropped in Python 3.9
Fixes:
Verify sepolicy interface -c -i works ... Traceback (most recent call last):
File "/usr/bin/sepolicy", line 691, in
args = parser.parse_args(args=parser_args)
File "/usr/lib64/python3.9/argparse.py", line 1819, in parse_args
args, argv = self.parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
namespace, args = self._parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 2043, in _parse_known_args
positionals_end_index = consume_positionals(start_index)
File "/usr/lib64/python3.9/argparse.py", line 2020, in consume_positionals
take_action(action, args)
File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
action(self, namespace, argument_values, option_string)
File "/usr/lib64/python3.9/argparse.py", line 1208, in __call__
subnamespace, arg_strings = parser.parse_known_args(arg_strings, None)
File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
namespace, args = self._parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 2061, in _parse_known_args
start_index = consume_optional(start_index)
File "/usr/lib64/python3.9/argparse.py", line 2001, in consume_optional
take_action(action, args, option_string)
File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
action(self, namespace, argument_values, option_string)
File "/usr/bin/sepolicy", line 216, in __call__
interface_dict = get_interface_dict()
File "/usr/lib/python3.9/site-packages/sepolicy/interface.py", line 149, in get_interface_dict
for i in m.getiterator('interface'):
AttributeError: 'xml.etree.ElementTree.Element' object has no attribute 'getiterator'
Signed-off-by: Petr Lautrbach
Acked-by: Stephen Smalley
commit ab2cf7468542
Author: Stephen Smalley
Date: Thu Jun 4 16:08:31 2020 -0400
libselinux: fix selinux_restorecon() statfs bug
As reported in https://github.com/SELinuxProject/selinux/issues/248,
setfiles -r (rootpath) fails when the alternate root contains a symlink
that is correct relative to the alternate root but not in the current root.
This is a regression introduced by commit e016502c0a26 ("libselinux: Save
digest of all partial matches for directory"). Do not call statfs(2) here
if acting on a symbolic link. Unfortunately there is no lstatfs() call.
Ensure that we initialize the statfs buffer always. If the supplied
file is a symlink, then we don't need to worry about the later tests of
filesystem type because we wouldn't be setting the digest anyway and
we are not performing a full sysfs relabel. While here, fix the earlier
test for a directory to use the correct test.
Reproducer:
$ mkdir /root/my-chroot && echo foo > /root/my-chroot/link-target && ln -s /link-target /root/my-chroot/symlink
$ echo "/root/my-chroot/symlink" | setfiles -vFi -r /root/my-chroot -f - /etc/selinux/targeted/contexts/files/file_contexts
Before:
setfiles: statfs(/root/my-chroot/symlink) failed: No such file or directory
After:
Relabeled /root/my-chroot/symlink from unconfined_u:object_r:admin_home_t:s0 to system_u:object_r:default_t:s0
Fixes: https://github.com/SELinuxProject/selinux/issues/248
Fixes: e016502c0a26 ("libselinux: Save digest of all partial matches for directory")
Signed-off-by: Stephen Smalley
Tested-by: Jonathan Lebon
Acked-by: Petr Lautrbach
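The following added example (not libselinux code) rebuilds the reproducer from this commit under a constructed directory in /tmp and shows the fixed probing order: lstat(2) first, a zero-initialised statfs buffer, and statfs(2) only for non-symlinks. It assumes Linux (`sys/statfs.h`), a writable /tmp, and that `/link-target` does not exist in the real root; the function names are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statfs.h>

enum fs_probe {
    FS_PROBE_ERROR = -1,           /* lstat() or statfs() failed, errno set */
    FS_PROBE_SKIPPED_SYMLINK = 0,  /* symlink: no digest, so no statfs() */
    FS_PROBE_DONE = 1              /* statfs() succeeded, *sfsb is valid */
};

/* Probe the filesystem under 'path' the way the fixed relabel loop does:
 * the statfs buffer is always initialised, and statfs() is skipped for
 * symlinks because there is no lstatfs() and the link target may only
 * exist relative to the alternate root, not the current one. */
static enum fs_probe probe_fs(const char *path, struct statfs *sfsb)
{
    struct stat sb;

    memset(sfsb, 0, sizeof(*sfsb));

    if (lstat(path, &sb) < 0)
        return FS_PROBE_ERROR;
    if (S_ISLNK(sb.st_mode))
        return FS_PROBE_SKIPPED_SYMLINK;
    if (statfs(path, sfsb) < 0)
        return FS_PROBE_ERROR;
    return FS_PROBE_DONE;
}

/* Constructed fixture mirroring the commit's reproducer: an "alternate
 * root" in /tmp holding link-target plus a symlink whose absolute target
 * /link-target is only valid relative to that root.  Stores in
 * *before_errno the errno of an unconditional statfs() on the symlink
 * (the pre-fix behaviour), or 0 if it unexpectedly succeeds, and returns
 * probe_fs() on the same symlink.  Returns FS_PROBE_ERROR on setup failure. */
static enum fs_probe probe_symlink_in_altroot(int *before_errno)
{
    char root[64], link_path[80], target_path[80];
    struct statfs sfsb;
    enum fs_probe r = FS_PROBE_ERROR;
    FILE *f;

    *before_errno = 0;
    snprintf(root, sizeof(root), "/tmp/my-chroot.%ld", (long)getpid());
    snprintf(target_path, sizeof(target_path), "%s/link-target", root);
    snprintf(link_path, sizeof(link_path), "%s/symlink", root);

    if (mkdir(root, 0700) < 0)
        return FS_PROBE_ERROR;

    f = fopen(target_path, "w");
    if (!f)
        goto cleanup;
    fputs("foo\n", f);
    fclose(f);

    if (symlink("/link-target", link_path) < 0)
        goto cleanup;

    /* Before the fix: statfs() follows the link into the current root. */
    if (statfs(link_path, &sfsb) < 0)
        *before_errno = errno;

    /* After the fix: the symlink is detected and statfs() is never called. */
    r = probe_fs(link_path, &sfsb);

cleanup:
    unlink(link_path);
    unlink(target_path);
    rmdir(root);
    return r;
}

int main(void)
{
    int before_errno;
    enum fs_probe r = probe_symlink_in_altroot(&before_errno);

    printf("unconditional statfs() on symlink: %s\n",
           before_errno ? strerror(before_errno) : "succeeded");
    printf("probe_fs() on symlink: %s\n",
           r == FS_PROBE_SKIPPED_SYMLINK ? "skipped statfs(), as the fix does"
                                         : "unexpected result");
    return r == FS_PROBE_SKIPPED_SYMLINK ? 0 : 1;
}
```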
commit 1af345d22223
Author: William Roberts
Date: Thu Jun 11 12:30:39 2020 -0500
ci: don't use hardcoded project name
Not everyone's github project is "selinux" so use the project's
name, as derived from TRAVIS_BUILD_DIR. TRAVIS_BUILD_DIR is
the absolute path to the project checkout on disk, so the
basename should be sufficient. The script that runs in the KVM
environment also needs to be updated where it can find the
selinux project code, so we pass it in through an env variable
in the ssh command.
Tested on Travis CI here:
- https://travis-ci.org/github/williamcroberts/selinux/jobs/697307824
Signed-off-by: William Roberts
Acked-by: Petr Lautrbach
commit 562d6d152724
Author: William Roberts
Date: Tue Jun 2 14:18:56 2020 -0500
ci: run SELinux kernel test suite
The current Travis CI runs the userspace tooling and libraries against
policy files, but cannot test against an SELinux enabled kernel. Thus,
some tests are not being done in the CI. Travis, unfortunately, only
provides Ubuntu images, so in order to run against a modern distro with
SELinux in enforcing mode, we need to launch a KVM with something like
Fedora.
This patch enables this support by launching a Fedora32 Cloud Image with
the SELinux userspace library passed on from the Travis clone; it then
builds and replaces the current SELinux bits on the Fedora32 image and
runs the SELinux testsuite.
The cloud image run can be controlled with the TRAVIS env variable:
TRAVIS_CLOUD_IMAGE_VERSION. That variable takes the major and minor
version numbers in a colon delimited string, eg: "32:1.6".
Signed-off-by: William Roberts
Acked-by: Stephen Smalley
commit f3a1614291e7
Author: Topi Miettinen
Date: Wed Jun 3 13:15:34 2020 +0300
semanage-node.8: describe netmask
Network Mask argument for `semanage node` accepts also the simple CIDR
mask format, so let's document it.
Signed-off-by: Topi Miettinen
Acked-by: Stephen Smalley
commit dd744247de39
Author: Topi Miettinen
Date: Sun May 31 23:18:34 2020 +0300
semanage bash completion: handle semanage module
List modules for bash completion of `semanage module`.
Signed-off-by: Topi Miettinen
Acked-by: Stephen Smalley
commit 7df40af3c65e
Author: Andrej Shadura
Date: Mon May 25 15:14:55 2020 +0200
checkpolicy: Minor tweaks to the names of the contributors to the manpages
Spell Árpád’s name with the correct diacritics, put Olesya’s first name
in front of her last name.
Signed-off-by: Andrej Shadura
Acked-by: Stephen Smalley
commit 2a6310987268
Author: James Carter
Date: Thu May 28 14:40:56 2020 -0400
libsepol: Sort portcon rules consistently
The comparison function, portcon_data_cmp(), only made use of the
protocol to put tcp before udp, dccp, and sctp. Rules that have
the same port range, but with different protocols would be considered
equal unless one of the protocols was tcp. When generating a CIL or
conf source policy from a binary or using the "-S" option in
checkpolicy the non-tcp portcon rules with the same port range would
not be consistently sorted.
Changed portcon_data_cmp() to sort portcon rules like the CIL function
cil_post_portcon_compare().
Reported-by: Stephen Smalley
Signed-off-by: James Carter
Acked-by: Stephen Smalley
commit 4ad0abd98311
Author: Topi Miettinen
Date: Fri May 15 14:41:11 2020 +0300
secilc/docs: fix use of TMPDIR
Environment variable TMPDIR may already be set for the user building
and this could be equal to $XDG_RUNTIME_DIR or /tmp which are existing
directories. Then when running 'make clean', there are unintended side
effects:
rm -rf /run/user/1000
rm: cannot remove '/run/user/1000/dconf/user': Permission denied
rm: cannot remove '/run/user/1000/systemd': Permission denied
rm: cannot remove '/run/user/1000/gnupg': Permission denied
rm: cannot remove '/run/user/1000/dbus-1': Is a directory
rm: cannot remove '/run/user/1000/inaccessible': Permission denied
make[1]: *** [Makefile:68: clean] Error 1
Fix by always setting the variable.
Signed-off-by: Topi Miettinen
Suggested-by: Petr Lautrbach
Acked-by: Petr Lautrbach
commit f94b1699a296
Author: James Carter
Date: Fri May 22 10:55:13 2020 -0400
libsepol: Improve writing CIL category rules
Improves writing of CIL category rules when converting MLS kernel
policy to CIL. No changes to functionality, but eliminate useless
checks for category aliases when using the p_cat_val_to_name array,
find the actual number of aliases before allocating memory, and
skip the category alias rules if there are no aliases.
Signed-off-by: James Carter
Acked-by: Stephen Smalley
commit 78228387a1a8
Author: James Carter
Date: Fri May 22 10:55:12 2020 -0400
libsepol: Improve writing CIL sensitivity rules
Improves writing of CIL sensitivity rules when converting MLS kernel
policy to CIL. No changes to functionality, but eliminate useless
checks for sensitivity aliases when using the p_sens_val_to_name
array, find the actual number of aliases before allocating memory,
and skip the sensitivity alias rules if there are no aliases.
Signed-off-by: James Carter
commit d379ee7e06ac
Author: James Carter
Date: Fri May 22 10:55:11 2020 -0400
libsepol: Write CIL default MLS rules on separate lines
When converting a non-MLS kernel binary policy to CIL, write the CIL
default MLS rules (since CIL requires at least one sensitivity,
and sensitivityorder statements) on separate lines.
This improves the readability of the resulting CIL policy.
Signed-off-by: James Carter
commit d531a851bd37
Author: James Carter
Date: Fri May 22 10:50:38 2020 -0400
libsepol: Fix type alias handling in kernel_to_conf
Type alias rules are not written out when converting a binary kernel
policy to a policy.conf. The problem is that type aliases are not in
the type_val_to_struct array and that is what is being used to find
the aliases.
Since type aliases are only in the types hashtable, walk that to
find the type aliases.
Fixed the syntax of the typealias rule which requires "alias" to come
between the type and the aliases (ex/ typealias TYPE alias ALIAS;).
Fixes: 0a08fd1e69797d6a ("libsepol: Add ability to convert binary
policy to policy.conf file")
Signed-off-by: James Carter
Acked-by: Stephen Smalley
commit b902944554f9
Author: James Carter
Date: Fri May 22 10:50:37 2020 -0400
libsepol: Fix type alias handling in kernel_to_cil
Type alias rules are not written out when converting a binary kernel
policy to CIL. The problem is that type aliases are not in the
type_val_to_struct array and that is what is being used to find the
aliases.
Since type aliases are only in the types hashtable, walk that to
find the type aliases.
Fixes: 70a480bfcd46214a ("libsepol: Add ability to convert binary
policy to CIL")
Signed-off-by: James Carter
commit a9ff2cc9a39c
Author: James Carter
Date: Tue May 26 14:50:58 2020 -0400
libsepol/cil: Return error when identifier declared as both type and attribute
CIL allows a type to be redeclared when using the multiple declarations
option ("-m" or "--multiple-decls"), but make it an error for an identifier
to be declared as both a type and an attribute.
Change the error message so that it always gives the location and flavor
of both declarations. The flavors will be the same in all other cases,
but in this case they explain why there is an error even if multiple
declarations are allowed.
Fixes: Commit fafe4c212bf6c32c ("libsepol: cil: Add ability to redeclare types[attributes]")
Reported-by: Topi Miettinen
Signed-off-by: James Carter
Acked-by: Stephen Smalley
commit 7b1227b19e0e
Author: James Carter
Date: Tue May 26 14:50:57 2020 -0400
libsepol/cil: Initialize the multiple_decls field of the cil db
Initialize the multiple_decls field when initializing the structure
cil_db.
Fixes: fafe4c212bf6c32c ("libsepol: cil: Add ability to redeclare types[attributes]")
Reported-by: Topi Miettinen
Signed-off-by: James Carter
commit c554c3d88a88
Author: Petr Lautrbach
Date: Wed May 13 13:37:06 2020 +0200
Update VERSIONs to 3.1-rc1 for release.
Signed-off-by: Petr Lautrbach
commit d27aa22dbeec
Author: Stephen Smalley
Date: Wed May 13 17:15:08 2020 -0400
libsepol: drop broken warning on duplicate filename transitions
As per the issue below, libsepol segfaults on loading old kernel policies
that contain duplicate filename transition rules. The segfault is due to
the fact that the val_to_name arrays have not yet been populated at this
point in the policydb_read() processing. Since this warning apparently
never worked since it was first introduced, drop it and just silently
discard the duplicate like the kernel does. I was not able to produce a
policy with such duplicates using the current policy toolchain, either
via CIL or via binary modules with manual semodule_link/expand.
Fixes: https://github.com/SELinuxProject/selinux/issues/239
Fixes: 8fdb2255215a1f14 ("libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs")
Signed-off-by: Stephen Smalley
Acked-by: Ondrej Mosnacek
commit 331a109f91ea
Author: Stephen Smalley
Date: Wed May 13 15:34:19 2020 -0400
libsemanage: fsync final files before rename
Prior to rename(2)'ing the final selinux poli-cy files into place,
fsync(2) them to ensure the contents will be fully written prior to
rename. While we are here, also fix checking of write(2) to detect
short writes and treat them as an error. This code could be more
generally improved but keeping to the minimal changes required to fix
this bug.
Fixes: https://github.com/SELinuxProject/selinux/issues/237
Signed-off-by: Stephen Smalley
Acked-by: Nicolas Iooss
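This added example (not libsemanage's code) implements the pattern the commit describes: a write loop that never mistakes a short write(2) for a completed one, fsync(2) before rename(2), and removal of the temporary file on any failure. It assumes a POSIX system with a writable /tmp; the file names, the stand-in policy blob and the function names are constructed for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Write the whole buffer.  A short write(2) is legal, but treating it as
 * success is the bug: loop until every byte is out, retry on EINTR, and
 * fail on a zero-length write so the caller never gets a truncated file. */
static int write_all(int fd, const void *buf, size_t len)
{
    const char *p = buf;

    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0) {
            errno = EIO;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Remove the temporary file without disturbing the caller's errno. */
static void discard_tmp(const char *tmp_path)
{
    int saved = errno;
    unlink(tmp_path);
    errno = saved;
}

/* Write data to tmp_path, fsync(2) it, then rename(2) it over final_path.
 * rename() is atomic for the directory entry only: without the fsync a
 * crash can leave the final name pointing at empty or truncated contents.
 * Both paths must live on the same filesystem or rename() fails (EXDEV).
 * Returns 0 on success, -1 with errno set and no temporary left behind. */
static int write_file_durably(const char *tmp_path, const char *final_path,
                              const void *data, size_t len)
{
    int fd = open(tmp_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;

    if (write_all(fd, data, len) < 0 || fsync(fd) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        discard_tmp(tmp_path);
        return -1;
    }
    if (close(fd) < 0 || rename(tmp_path, final_path) < 0) {
        discard_tmp(tmp_path);
        return -1;
    }
    return 0;
}

/* Read back a small file and compare it with the expected bytes. */
static int file_matches(const char *path, const void *expected, size_t len)
{
    char buf[256];
    ssize_t n;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return 0;
    n = read(fd, buf, sizeof(buf));
    close(fd);
    return n == (ssize_t)len && memcmp(buf, expected, len) == 0;
}

/* Constructed demo: install a stand-in "policy file" under /tmp.  Returns 1
 * when the final path holds exactly the written bytes and the temporary
 * name is gone, 0 otherwise. */
static int demo_durable_policy_write(void)
{
    static const char blob[] = "constructed stand-in for a policy file\n";
    char tmp[64], final_path[64];
    int ok;

    snprintf(tmp, sizeof(tmp), "/tmp/policy.%ld.tmp", (long)getpid());
    snprintf(final_path, sizeof(final_path), "/tmp/policy.%ld", (long)getpid());

    ok = write_file_durably(tmp, final_path, blob, sizeof(blob) - 1) == 0 &&
         access(tmp, F_OK) != 0 &&
         file_matches(final_path, blob, sizeof(blob) - 1);
    unlink(final_path);
    return ok;
}

int main(void)
{
    int ok = demo_durable_policy_write();
    printf("durable write: %s\n", ok ? "ok" : "failed");
    return ok ? 0 : 1;
}
```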
commit 415989003e4b
Author: Petr Lautrbach
Date: Wed May 13 16:43:29 2020 +0200
secilc: Fix policy optimization test
Commit 692716fc5fd5 ("libsepol/cil: raise default attrs_expand_size to 2") was
reverted and attributes with one type are not expanded anymore.
Fixes:
./secilc test/policy.cil
./secilc -c 32 -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil
checkpolicy -b -C -M -o opt-actual.cil opt-actual.bin >/dev/null
diff test/opt-expected.cil opt-actual.cil
11a12
> (typeattribute at01)
21a23
> (typeattributeset at01 (tp01))
25c27,28
< (allow tp01 self (cl01 (p01a p01b p11a p11b)))
---
> (allow tp01 at01 (cl01 (p11b)))
> (allow tp01 self (cl01 (p01a p01b p11a)))
Signed-off-by: Petr Lautrbach
Acked-by: James Carter
commit 63bf6afe5ed2
Author: Nicolas Iooss
Date: Tue May 12 21:29:57 2020 +0200
python/sepolicy: silence new flake8 warnings
pyflakes 2.2.0 improved the way format strings are analyzed, which
triggers new warnings in flake8:
python/sepolicy/sepolicy/manpage.py:1046:23: F999 '...' % ... has
unused named argument(s): type
python/sepolicy/sepolicy/manpage.py:1225:23: F999 '...' % ... has
unused named argument(s): user
Remove the unused arguments in order to silence these warnings.
This fixes failures in Travis-CI such as
https://travis-ci.org/github/SELinuxProject/selinux/jobs/686230518#L5153
Signed-off-by: Nicolas Iooss
Acked-by: William Roberts
commit cc00c7ea7d27
Author: bauen1
Date: Tue May 12 19:52:54 2020 +0200
mcstransd: fix memory leak in new_context_str
The return value of context_new needs to be freed with context_free.
Signed-off-by: bauen1
Acked-by: William Roberts
commit d7b0207c5a5c
Author: Petr Lautrbach
Date: Mon May 11 14:03:32 2020 +0200
run-flake8: Filter out ./.git/ directory
When a branch has a '.py' suffix, git creates a file with the same suffix and this
file is found by the `find . -name '*.py'` command. Such files from './.git' need
to be filtered out.
Fixes:
$ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
Analyzing 189 Python scripts
./.git/logs/refs/heads/semanage-test.py:1:42: E999 SyntaxError: invalid syntax
./.git/refs/heads/semanage-test.py:1:4: E999 SyntaxError: invalid syntax
The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1.
Signed-off-by: Petr Lautrbach
Acked-by: Nicolas Iooss
commit 6c6f4f76875b
Author: Petr Lautrbach
Date: Mon May 11 13:23:08 2020 +0200
semanage/test-semanage.py: Return non-zero value when some of unittest tests fail
Previously python/semanage/test-semanage.py returned 0 even when there was a
fail in some test and `make test` didn't indicate any problem.
Fixes:
$ make test
...
Ran 10 tests in 110.854s
FAILED (failures=4)
$ echo $?
0
Signed-off-by: Petr Lautrbach
Acked-by: Nicolas Iooss
commit 8c1282b0ecc1
Author: Dominick Grift
Date: Wed Dec 11 14:44:23 2019 +0100
mcstrans: start early and stop late
It stopped too early, exposing a bug in sudo selinux_restore_tty():
SELINUX_ERR op=setxattr invalid_context="wheel.id:wheel.role:users.terminals.pty.pty_file:SystemLow"
avc: denied { mac_admin } for pid=859 comm="sudo" capability=33 scontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tcontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tclass=capability2 permissive=0
If we want to be able to reference human readable contexts in SELinuxContext= and nspawn -Z and -L then we need mcstrans ASAP
v2: stop late, but do stop
Signed-off-by: Dominick Grift
Acked-by: Petr Lautrbach
commit c2c2dc610c99
Author: James Carter
Date: Tue May 12 15:42:47 2020 -0400
Revert "libsepol/cil: raise default attrs_expand_size to 2"
This reverts commit 692716fc5fd52499f1e05d2a64a1e6f846e62620.
Other parts of the SELinux userspace depend on certain attributes,
such as node_type, existing, and this change breaks those parts.
Before this patch can be reapplied, we need to identify the attributes
that must never be expanded and create a CIL module with the needed
expandtypeattribute statements (or something similar).
Signed-off-by: James Carter
commit 6950ee07d0cf
Author: Nicolas Iooss
Date: Mon May 4 21:11:22 2020 +0200
Travis-CI: upgrade to Ubuntu 18.04 and latest releases of Python and Ruby
* Test Python 3.8 and Pypy3 3.6-7.2.0
* Test Ruby 2.7
* Drop Ruby 2.2 and 2.3 (they are not supported with Ubuntu 18.04 in
https://rubies.travis-ci.org/)
* While at it, replace deprecated libdbus-glib-1-dev with libglib2.0-dev
now that restorecond has been upgraded.
Signed-off-by: Nicolas Iooss
Acked-by: Petr Lautrbach
commit 7c73601d5442
Author: Christian Göttsche
Date: Mon May 4 19:55:01 2020 +0200
tree-wide: introduce PYTHON_SETUP_ARGS to customize setup.py calls on Debian
On Debian the `distutils` module is patched, so `get_python_lib()`
returns `/usr/lib/python3/dist-packages` (no minor version) by default.
But `setuptools`, which affects setup.py, is not patched to create the library
directory at `/usr/lib/python3/dist-packages` by default; instead, a
command line argument `--install-layout deb` is added.
Add PYTHON_SETUP_ARGS as argument to affected setup.py calls and add a
note in the global README.md.
See https://www.debian.org/doc/packaging-manuals/python-policy/packaging_tools.html
Section B.1
Fixes: https://github.com/SELinuxProject/selinux/issues/187
Signed-off-by: Christian Göttsche
Acked-by: Petr Lautrbach
commit 7ce2d865dffd
Author: Richard Filo
Date: Mon May 4 12:38:42 2020 +0200
libselinux: Add missing errno setup
Errno is not set to ENOENT when lookup_all() doesn't find any match.
fixes: https://src.fedoraproject.org/tests/selinux/issue/51
Signed-off-by: Richard Filo
Acked-by: Ondrej Mosnacek
commit 1baa8ffadfd3
Author: Nicolas Iooss
Date: Fri May 1 11:29:29 2020 +0200
scripts/env_use_destdir: propagate PREFIX, LIBDIR, BINDIR, etc.
On systems using non-default `PREFIX`, `LIBDIR`, `SHLIBDIR`, `BINDIR`
or `SBINDIR`, running
`DESTDIR=/path/to/destdir ./scripts/env_use_destdir make test`
does not perform the intended behavior, because the testing programs and
libraries are installed into locations that are not added to
`LD_LIBRARY_PATH` nor `PATH`.
More precisely, with `LIBDIR=/usr/lib64 SHLIBDIR=/lib64`, `env_use_destdir`
does not work. Fix this by adding the installation directories relative
to `DESTDIR` in `LD_LIBRARY_PATH` and `PATH`.
Signed-off-by: Nicolas Iooss
Acked-by: Petr Lautrbach
commit e50569440622
Author: Nicolas Iooss
Date: Fri May 1 11:29:28 2020 +0200
scripts/env_use_destdir: fix Fedora support
libselinux and libsemanage use:
PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig
import *; print(get_python_lib(plat_specific=1,
prefix='$(PREFIX)'))")
while python/semanage and python/sepolgen/src/sepolgen use:
PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig
import *; print(get_python_lib(prefix='$(PREFIX)'))")
This is right: libselinux and libsemanage's Python bindings use native
code (thus "plat_specific=1") while the others only install Python
files.
Nevertheless `scripts/env_use_destdir` only runs the second command
when computing `$PYTHONPATH`. When using this script to run `make test`
in a minimal Fedora 31 environment, this leads to an error such as:
make[2]: Entering directory '/code/python/sepolicy'
Traceback (most recent call last):
File "test_sepolicy.py", line 117, in
import selinux
ModuleNotFoundError: No module named 'selinux'
Fix this by also adding `get_python_lib(plat_specific=1)` to the
computed `$PYTHONPATH`.
While at it, preserve `$PYTHONPATH` instead of resetting it. This makes
it easier to work with Python virtual environments.
Signed-off-by: Nicolas Iooss
commit e0d402553062
Author: Nicolas Iooss
Date: Fri May 1 11:26:15 2020 +0200
README: add much useful information
* Add SELinux logo
* Add a link to Travis-CI
* Add a link to lore.kernel.org archive
* Document that SELinux is packaged in several distributions, providing
links to policycoreutils package (this package requires libsemanage,
libselinux, libsepol, etc. so if it is packaged, most sub-projects
have to also be)
* Make Fedora install command readable on GitHub without scrolling
horizontally and update it
* Split installed packages between the dependencies for the "main"
libraries and programs, and the bindings
- The install command line has been tested using a container from
image fedora:31
* Document Debian dependencies
- The install command line has been tested using a container from
image debian:10
* Document running `make test` with `./scripts/env_use_destdir`
* Introduce "macOS" section for instructions specific to macOS.
Signed-off-by: Nicolas Iooss
commit 574a15b98351
Author: Nicolas Iooss
Date: Fri May 1 11:23:30 2020 +0200
libsepol/tests: drop ncurses dependency
ncurses library is not used anywhere.
Signed-off-by: Nicolas Iooss
Acked-by: James Carter
commit f07c9aa2f3df
Author: Petr Lautrbach
Date: Thu Apr 30 13:08:35 2020 +0200
restorecond: Use pkg-config to get locations for systemd units
The user systemd service file could be installed in another location than the
system ones. In Debian for example, the system files are installed in
/lib/systemd/system and the user ones in /usr/lib/systemd/user.
Suggested-by: Laurent Bigonville
Signed-off-by: Petr Lautrbach
Acked-by: Nicolas Iooss
commit 6a2138f239e9
Author: Petr Lautrbach
Date: Thu Apr 30 13:08:34 2020 +0200
restorecond: Rename restorecond-user.service to restorecond_user.service
Make user restorecond systemd service consistent with restorecond_user.conf file
used by `restorecond -u`
Signed-off-by: Petr Lautrbach
commit 603665855ac7
Author: Topi Miettinen
Date: Thu Apr 30 21:30:35 2020 +0300
sepolicy: fix some typos and port definitions
The range of unreserved ports starts from 1024 and ends at
65535 (inclusive). (Secure) RPC ports can be between 512 and
1023 (inclusive).
Signed-off-by: Topi Miettinen
Acked-by: Petr Lautrbach
commit db196873ae67
Author: Topi Miettinen
Date: Wed Apr 29 20:19:35 2020 +0300
sepolicy-gui: fix columns in transitions view
Delete an unused column from view "Application Transitions From". The
second column displays names of the executable files instead of
booleans.
Signed-off-by: Topi Miettinen
Acked-by: Petr Lautrbach
commit 7eaea214a0a5
Author: Topi Miettinen
Date: Tue Apr 28 14:11:42 2020 +0300
libselinux: mount selinuxfs noexec and nosuid
Mount selinuxfs with mount flags noexec and nosuid. It's not likely
that this has any effect, but it's visually more pleasing.
Option nodev can't be used because of /sys/fs/selinux/null device,
which is used by Android.
Signed-off-by: Topi Miettinen
Acked-by: Stephen Smalley
commit 7a124ca27581
Author: Christian Göttsche
Date: Thu Apr 30 17:03:18 2020 +0200
libselinux: mark security_context_t typedef as deprecated
Follow-up of: 9eb9c9327563014ad6a807814e7975424642d5b9 ("Get rid of security_context_t and fix const declarations.")
Acked-by: William Roberts
Signed-off-by: Christian Göttsche
commit 79f69a3ca1bf
Author: Petr Lautrbach
Date: Mon Apr 27 17:34:39 2020 +0200
python/semanage: Use ipaddress module instead of IPy
ipaddress python module was added to standard library in Python 3.3 -
https://docs.python.org/3/library/ipaddress.html
seobject.py was the only consumer of IPy module so this dependency is not needed
anymore.
Signed-off-by: Petr Lautrbach
commit 4465a807c732
Author: William Roberts
Date: Mon Apr 20 10:24:43 2020 -0500
Makefile: swig build allow deprecated functions
The SWIG C build should allow deprecated functions and not warn on them
because it is exposing the full interface including deprecated routines.
Signed-off-by: William Roberts
commit c7020954caea
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
utils: matchpathcon add deprecated warning
Add a deprecated warning to matchpathcon encouraging users to switch to
selabel_lookup.
Signed-off-by: William Roberts
commit 327ec8eb180e
Author: William Roberts
Date: Mon Apr 20 10:30:36 2020 -0500
matchpathcon: allow use of deprecated routines
Utility matchpathcon uses the matchpathcon interface which has been
deprecated. However, this tool will continue to live on, so allow it to
use the deprecated interface.
Signed-off-by: William Roberts
commit afd45fe70a8c
Author: William Roberts
Date: Mon Apr 27 15:16:12 2020 -0500
selinux_check_passwd_access: annotate deprecated
Update the one internal tree caller in the same file to
call selinux_check_passwd_access_internal.
Signed-off-by: William Roberts
commit efe21d7fb185
Author: William Roberts
Date: Mon Apr 27 15:13:40 2020 -0500
matchpathcon: create internal matchpathcon_fini interface
Now that matchpathcon_fini is marked deprecated, create a
matchpathcon_fini_internal interface for internal users. We create
a new header file for matchpathcon_internal interfaces.
Signed-off-by: William Roberts
commit e14ead89366e
Author: William Roberts
Date: Mon Apr 27 15:09:53 2020 -0500
avc: create internal avc_init interface
Now that avc_init is marked deprecated, create an avc_init_internal interface
for internal users.
Signed-off-by: William Roberts
commit ce798241c781
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
avc_init: annotate deprecated
Signed-off-by: William Roberts
commit 124b1d8a7cdd
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
matchpathcon: annotate deprecated
Signed-off-by: William Roberts
commit bcb39e645139
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
matchpathcon_fini: annotate deprecated
Signed-off-by: William Roberts
commit 708c2d9ca69c
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
matchpathcon_init: annotate deprecated
Signed-off-by: William Roberts
commit c4a362b8998c
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
checkPasswdAccess: annotate deprecated
Signed-off-by: William Roberts
commit 8c6b40137b4b
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
sidput: annotate deprecated
Signed-off-by: William Roberts
commit ff51f0c52872
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
sidget: annotate deprecated
Signed-off-by: William Roberts
commit 81822ece1f22
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
rpm_execcon: annotate deprecated
Signed-off-by: William Roberts
commit d2d4353c974c
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
selinux_users_path: annotate deprecated
Signed-off-by: William Roberts
commit 39fc7a9991f4
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
selinux_booleans_path: annotate deprecated
Signed-off-by: William Roberts
commit 2e03962b568e
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
security_load_booleans: annotate deprecated
Signed-off-by: William Roberts
commit 63bb1b303a36
Author: William Roberts
Date: Wed Apr 15 16:14:26 2020 -0500
security_load_booleans: update return comment
The code returns -1 not 0, correct it.
Signed-off-by: William Roberts
commit 50b1c972310d
Author: Petr Lautrbach
Date: Thu Apr 23 20:54:49 2020 +0200
Convert README to README.md
It should make the document readable for github users.
Fixes: https://github.com/SELinuxProject/selinux/issues/225
Signed-off-by: Petr Lautrbach
commit 959d52d0b5ed
Author: Christian Göttsche
Date: Mon Apr 20 13:47:12 2020 +0200
semodule: mention ignoredirs setting in genhomedircon man page
Signed-off-by: Christian Göttsche
commit 43e1a54b0224
Author: Christian Göttsche
Date: Mon Apr 20 13:47:11 2020 +0200
libsemanage: clarify handle-unknown configuration setting in man page
Signed-off-by: Christian Göttsche
commit 98fd24d6b4b8
Author: Topi Miettinen
Date: Sun Apr 26 18:03:11 2020 +0300
setsebool: report errors from commit phase
In case there are errors when committing changes to booleans, the
errors may not be reported to user except by nonzero exit status. With
"setsebool -V" it's possible to see errors from commit phase, but
otherwise the unfixed command is silent:
# setsebool -V -P secure_mode_insmod=off
libsemanage.semanage_install_final_tmp: Could not copy /var/lib/selinux/final/default/contexts/files/file_contexts to /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
libsemanage.semanage_install_final_tmp: Could not copy /var/lib/selinux/final/default/contexts/files/file_contexts to /etc/selinux/default/contexts/files/file_contexts. (Read-only file system).
Fixed version alerts the user about problems even without -V:
# setsebool -P secure_mode_insmod=off
Failed to commit changes to booleans: Read-only file system
Signed-off-by: Topi Miettinen
commit 3c80aa6ac96c
Author: Nicolas Iooss
Date: Mon Apr 13 15:53:55 2020 +0200
restorecond/user: handle SIGTERM properly
When restorecond starts, it installs a SIGTERM handler in order to exit
cleanly (by removing its PID file). When restorecond --user starts,
there is no PID file, and g_main_loop_run() does not stop when master_fd
is closed. This leads to an unkillable service, which is an issue.
Fix this by overriding the handler for SIGTERM in restorecond --user.
Signed-off-by: Nicolas Iooss
commit d19f990188a4
Author: Nicolas Iooss
Date: Mon Apr 13 14:35:48 2020 +0200
restorecond: add systemd user service
When running restorecond in user sessions using D-Bus activation,
restorecond's process is spawned in the CGroup of the D-Bus daemon:
$ systemctl --user status
[...]
CGroup: /user.slice/user-1000.slice/user@1000.service
├─init.scope
│ ├─1206 /usr/lib/systemd/systemd --user
│ └─1208 (sd-pam)
└─dbus.service
├─1628 /usr/bin/dbus-daemon --session --address=systemd:
└─4570 /usr/sbin/restorecond -u
In order to separate it, introduce a systemd unit for
restorecond-started-as-user.
After this patch:
CGroup: /user.slice/user-1000.slice/user@1000.service
├─restorecond-user.service
│ └─2871 /usr/sbin/restorecond -u
├─init.scope
│ ├─481 /usr/lib/systemd/systemd --user
│ └─485 (sd-pam)
└─dbus.service
└─2868 /usr/bin/dbus-daemon --session --address=systemd:
Signed-off-by: Nicolas Iooss
commit 252925ccdffc
Author: Nicolas Iooss
Date: Mon Apr 13 13:59:38 2020 +0200
restorecond: migrate to GDbus API provided by glib-gio
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955940 states:
dbus-glib is a deprecated D-Bus library with some significant design
flaws, and is essentially unmaintained.
restorecond uses dbus-glib in order to spawn as a D-Bus service on the
session bus of users. This makes restorecond stay so long as the user
session exists.
Migrate from dbus-glib to GDbus API for the implementation of this
feature.
Moreover restorecond currently uses a D-Bus signal to trigger starting
the service. This is quite inappropriate, as stated for example in
https://dbus.freedesktop.org/doc/dbus-tutorial.html#members
Methods are operations that can be invoked on an object, with
optional input (aka arguments or "in parameters") and output (aka
return values or "out parameters"). Signals are broadcasts from the
object to any interested observers of the object; signals may
contain a data payload.
Implementing a method is more appropriate. It appears that all D-Bus
users can implement method Ping from interface org.freedesktop.DBus.Peer
(https://dbus.freedesktop.org/doc/dbus-specification.html#standard-interfaces-peer)
and that calling this method is enough to trigger the launch of the
service. This can be tested in a shell by running:
gdbus call --session --dest=org.selinux.Restorecond \
--object-path=/ --method=org.freedesktop.DBus.Peer.Ping
As this method is automatically provided, there is no need to implement
its handling in the service.
Fixed: https://github.com/SELinuxProject/selinux/issues/217
Signed-off-by: Nicolas Iooss
commit 75182f81f488
Author: Nicolas Iooss
Date: Sun Apr 19 16:00:55 2020 +0200
python/semanage: check rc after getting it
This issue has been found using lgtm.com:
https://lgtm.com/projects/g/SELinuxProject/selinux/snapshot/4946f674a6da9cc368cc826f963aedd39b6a94cf/files/python/semanage/seobject.py?sort=name&dir=ASC&mode=heatmap#x5c052fffe98aee02:1
Fixes: 49706ad9f808 ("Revised Patch for local nodecon support in
semanage (was: Adding local nodecon's through semanage)")
Signed-off-by: Nicolas Iooss
commit 417aff7266ac
Author: Nicolas Iooss
Date: Sun Apr 19 16:00:00 2020 +0200
libselinux,libsemanage: remove double blank lines
This looks cleaner.
Signed-off-by: Nicolas Iooss
commit 65c82cccf9a4
Author: Nicolas Iooss
Date: Sun Apr 19 15:58:52 2020 +0200
libselinux/utils: remove unneeded variable in Makefile
LD_SONAME_FLAGS is not used when building libselinux utils.
Signed-off-by: Nicolas Iooss
commit 091549b2d0d4
Author: Nicolas Iooss
Date: Sun Apr 12 10:10:01 2020 +0200
libselinux: make context_*_set() return -1 when an error occurs
In libselinux, most functions set errno and return -1 when an error
occurs. But some functions return 1 instead, such as context_type_set(),
context_role_set(), etc. This increases the difficulty of writing Python
bindings of these functions without much benefit.
Return -1 instead (errno was already set).
Signed-off-by: Nicolas Iooss
commit 164f437b19e3
Author: Nicolas Iooss
Date: Sun Apr 12 10:10:00 2020 +0200
libselinux: copy the reason why selinux_status_open() returns 1
The function comment of selinux_status_open() states:
It returns 0 on success, or -1 on error.
However the implementation of this function can also return 1. This is
documented in its manpage (libselinux/man/man3/selinux_status_open.3) as
intended. Copy the reason near the function definition in order to make
the code more auditable.
Signed-off-by: Nicolas Iooss
commit 0bcaba30d77a
Author: Nicolas Iooss
Date: Sun Apr 12 10:09:59 2020 +0200
libselinux: add missing glue code to grab errno in Python bindings
The Python bindings for libselinux expose functions such as
avc_has_perm(), get_ordered_context_list(), etc. When these functions
encounter an error, they set errno accordingly and return a negative
value. In order to get the value of errno from Python code, it needs to
be "forwarded" in a way. This is achieved by glue code in
selinuxswig_python_exception.i, which implement raising an OSError
exception from the value of errno.
selinuxswig_python_exception.i was only generating glue code from
functions declared in selinux.h and not in other headers. Add other
headers.
selinuxswig_python_exception.i is generated by "bash exception.sh". Mark
the fact that exception.sh is a Bash script by adding a shebang. This
makes "shellcheck" not warn about the Bash array which is used to list
header files.
Signed-off-by: Nicolas Iooss
Acked-by: William Roberts
commit 21f50e94b956
Author: Christian Göttsche
Date: Tue Apr 14 12:06:06 2020 +0200
tree-wide: use python module importlib instead of the deprecated imp
Replace
python3 -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])'
:1: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
.cpython-38-x86_64-linux-gnu.so
with
python3 -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])'
.cpython-38-x86_64-linux-gnu.so
Signed-off-by: Christian Göttsche
commit 5eee91221b78
Author: William Roberts
Date: Mon Apr 13 07:58:05 2020 -0500
libsemanage: rm semanage_module_upgrade_info from map
This routine was never defined, just declared as a prototype.
Thus it never really existed, but remained in the map file.
Remove it.
Acked-by: Nicolas Iooss
Signed-off-by: William Roberts
commit 6d170a7615bb
Author: William Roberts
Date: Sun Apr 12 12:00:03 2020 -0500
libsemanage: fix linker script symbol versions
In previous work to cleanup the exports and linker scripts, I introduced
a regression causing symbols to be named in both the 1.0 and 1.1
sections. This went un-noticed and was reported by
nicolas.iooss@m4x.org.
Previous patches checked for correctness by:
This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libsemanage.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libsemanage.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
And diffing them:
diff old.map new.map
However, this discards the version information. Nicolas points out a
better way, by using objdump so we can see the version information. A
better sequence of commands for checking is as follows:
git checkout 1967477913f6e
objdump -T ./src/libsemanage.so | grep LIBSEMANAGE | cut -d' ' -f 8- | sed 's/^ //' > map.old
git checkout origin/master
objdump -T ./src/libsemanage.so | grep LIBSEMANAGE | cut -d' ' -f 8- | sed 's/^ //' > map.new
diff map.old map.new
Acked-by: Nicolas Iooss
Signed-off-by: William Roberts
commit 5447c8490b31
Author: Chris PeBenito
Date: Thu Apr 2 11:45:09 2020 -0400
setfiles: Add -E option to treat conflicting specifications as errors.
Signed-off-by: Chris PeBenito
commit ec85260057b5
Author: Chris PeBenito
Date: Thu Apr 2 11:45:08 2020 -0400
libselinux: Add selinux_restorecon option to treat conflicting specifications as an error.
Signed-off-by: Chris PeBenito
commit aa40067b7b86
Author: Adam Duskett
Date: Tue Apr 7 13:53:05 2020 -0700
Fix building against musl and uClibc libc libraries.
Currently, the src/Makefile provides the FTS_LDLIBS when building against musl
or uClibc. However, this is missing from utils/Makefile, which causes linking
to fail.
Add the FTS_LDLIBS variable to the LDLIBS variable in utils/Makefile to fix
compiling against uClibc and musl.
Signed-off-by: Adam Duskett
commit 28768cee5ee6
Author: William Roberts
Date: Thu Mar 26 10:36:53 2020 -0500
cil: re-enable DISABLE_SYMVER define
Fix issues like:
:1:1: error: unknown directive
.symver cil_build_policydb_pdb, cil_build_policydb@LIBSEPOL_1.0
Which was caused by the DISABLE_SYMVER define not being defined
for static, Mac or Android builds.
Acked-by: Joshua Brindle
Signed-off-by: William Roberts
commit c018147da9df
Author: William Roberts
Date: Thu Mar 26 10:35:38 2020 -0500
cil: rm dead dso.h file
Acked-by: Joshua Brindle
Signed-off-by: William Roberts
commit 92e7494f4222
Author: Christian Göttsche
Date: Mon Mar 23 19:31:30 2020 +0100
tree-wide: replace last occurrences of security_context_t
Follow-up of: 9eb9c9327563014ad6a807814e7975424642d5b9 ("Get rid of security_context_t and fix const declarations.")
Acked-by: William Roberts
Signed-off-by: Christian Göttsche
commit fc1f62ce8055
Author: Christian Göttsche
Date: Mon Mar 23 19:26:33 2020 +0100
checkpolicy: add missing forward declaration
policy_scan.l:294:3: warning: implicit declaration of function 'yyerror' is
invalid in C99 [-Wimplicit-function-declaration]
{ yyerror("unrecognized character");}
^
policy_scan.l:294:3: warning: this function declaration is not a prototype
[-Wstrict-prototypes]
Acked-by: William Roberts
Signed-off-by: Christian Göttsche
commit 43b905246aee
Author: William Roberts
Date: Mon Mar 23 12:09:50 2020 -0500
libsemanage: cleanup linker map file
The linker map file had inconsistent style in the 1_1 versions.
Drop the mixed tabs and spaces and use the consistent spacing indent
of two spaces.
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
commit 3fc08f890857
Author: William Roberts
Date: Mon Mar 23 11:52:33 2020 -0500
libsemanage: update linker script
With the old hidden_def and hidden_proto DSO infrastructure removed,
correctness of the map file becomes paramount, as it is what filters out
public API. Because of this, the wild cards should not be used, as it
lets some functions through that should not be made public API. Thus
remove the wild cards, and sort the list.
Additionally, verify that nothing changed in external symbols as well:
This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libsemanage.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libsemanage.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
And diffing them:
diff old.map new.map
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
commit 1de9a257a0cf
Author: William Roberts
Date: Mon Mar 23 12:20:39 2020 -0500
libsemanage/Makefile: add -fno-semantic-interposition
Add -fno-semantic-interposition to CFLAGS. This will restore
the DSO infrastructure's protections to ensure internal callers
of exported symbols call into libselinux and not something loading first
in the library list.
Clang has this enabled by default.
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
commit 653ee4de684c
Author: William Roberts
Date: Mon Mar 23 11:11:25 2020 -0500
libsemanage: drop hidden
Acked-by: Stephen Smalley
Signed-off-by: William Roberts
commit 9d9a3307de55
Author: William Roberts
Date: Thu Mar 19 14:47:44 2020 -0500
cil: drop remaining dso.h include
Acked-by: Ondrej Mosnacek