commit libsepol for openSUSE:Factory

2024-07-12 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2024-07-12 17:04:21

Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and  /work/SRC/openSUSE:Factory/.libsepol.new.17339 (New)


Package is "libsepol"

Fri Jul 12 17:04:21 2024 rev:56 rq:1185748 version:3.7

Changes:

--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2024-01-08 
23:43:53.115308503 +0100
+++ /work/SRC/openSUSE:Factory/.libsepol.new.17339/libsepol.changes 
2024-07-12 17:04:26.547676225 +0200
@@ -1,0 +2,24 @@
+Mon Jul  1 08:01:08 UTC 2024 - Cathy Hu 
+
+- Update to version 3.7
+  https://github.com/SELinuxProject/selinux/releases/tag/3.7
+  * User-visible changes:
+* libsepol: improve policy lookup failure message
+* libsepol: include prefix for module policy versions
+* libsepol: validate type-attribute-map for old policies
+* libsepol: only exempt gaps checking for kernel policies
+  * Bugfixes:
+* libsepol/src/Makefile: fix reallocarray detection
+* libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
+* libsepol: ensure transitivity in compare functions
+  * oss-fuzz fixes:
+* libsepol: check scope permissions refer to valid class
+* libsepol: validate attribute-type maps
+* libsepol: reject self flag in type rules in old policies
+* libsepol: validate class permissions
+* libsepol: validate access vector permissions
+* libsepol: reject MLS support in pre-MLS policies
+* libsepol: Fix buffer overflow when using sepol_av_to_string()
+* libsepol: Use a dynamic buffer in sepol_av_to_string()
+
+---

Old:

  libsepol-3.6.tar.gz
  libsepol-3.6.tar.gz.asc

New:

  libsepol-3.7.tar.gz
  libsepol-3.7.tar.gz.asc



Other differences:
--
++ libsepol.spec ++
--- /var/tmp/diff_new_pack.v3mzoy/_old  2024-07-12 17:04:29.323778224 +0200
+++ /var/tmp/diff_new_pack.v3mzoy/_new  2024-07-12 17:04:29.327778371 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libsepol
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %define libname libsepol2
 
 Name:   libsepol
-Version:3.6
+Version:3.7
 Release:0
 Summary:SELinux binary policy manipulation library
 License:LGPL-2.1-or-later

++ libsepol-3.6.tar.gz -> libsepol-3.7.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-3.6/VERSION new/libsepol-3.7/VERSION
--- old/libsepol-3.6/VERSION2023-12-13 15:46:22.0 +0100
+++ new/libsepol-3.7/VERSION2024-06-26 17:30:41.0 +0200
@@ -1 +1 @@
-3.6
+3.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-3.6/cil/src/cil_binary.c 
new/libsepol-3.7/cil/src/cil_binary.c
--- old/libsepol-3.6/cil/src/cil_binary.c   2023-12-13 15:46:22.0 
+0100
+++ new/libsepol-3.7/cil/src/cil_binary.c   2024-06-26 17:30:41.0 
+0200
@@ -904,10 +904,10 @@
 
rc = mls_level_cpy(mls_level, sepol_level->level);
if (rc != SEPOL_OK) {
+   free(mls_level);
goto exit;
}
sepol_alias->level = mls_level;
-   sepol_alias->defined = 1;
sepol_alias->isalias = 1;
 
return SEPOL_OK;
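Review bot: The added `free(mls_level);` on the `mls_level_cpy()` failure path releases only the struct itself, so the leak is fully closed only if `mls_level_cpy()` cleans up any partially copied category data in its destination before it returns an error; that contract is not visible here. If it is not guaranteed, calling `mls_level_destroy(mls_level);` before the `free()` makes the path safe either way. A short comment such as `/* not yet attached to sepol_alias, so nothing else will release it */` would record why the free sits here; the allocation of `mls_level` and the `exit:` label are both outside the hunk, so what the label frees should be confirmed.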
@@ -3163,8 +3163,6 @@
}
}
 
-   sepol_level->defined = 1;
-
return SEPOL_OK;
 
 exit:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-3.6/cil/src/cil_post.c 
new/libsepol-3.7/cil/src/cil_post.c
--- old/libsepol-3.6/cil/src/cil_post.c 2023-12-13 15:46:22.0 +0100
+++ new/libsepol-3.7/cil/src/cil_post.c 2024-06-26 17:30:41.0 +0200
@@ -52,6 +52,8 @@
 #define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in 
libsepol/src/module_to_cil.c */
 #define TYPEATTR_INFIX "_typeattr_"/* Also in 
libsepol/src/module_to_cil.c */
 
+#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
+
 struct fc_data {
unsigned int meta;
size_t stem_len;
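Review bot: `spaceship_cmp` is a function-like macro that expands each argument twice and carries no comment, so an argument with side effects would be evaluated twice and nothing tells the reader that the result is always -1, 0 or 1. A comment above the define such as `/* Three-way compare yielding -1, 0 or 1; both arguments are evaluated twice, pass side-effect-free expressions only. */` would cover it. The comparison also follows C's usual arithmetic conversions, so operands of mixed signedness may compare differently than intended; the call site in the following hunk passes differences of `pkey_high` and `pkey_low`, whose types are declared outside this diff and are worth confirming.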
@@ -263,8 +265,8 @@
if (rc)
return rc;
 
-   rc = (aibpkeycon->pkey_high - aibpkeycon->pkey_low)
-   - (bibpkeycon->pkey_high - bibpkeycon->pkey_low);
+   rc = spaceship_cmp(aibpkeycon->pkey_high - aibpkeycon->pkey_low,
+   bibpkeycon->pkey_high - bibpkeycon->pkey_low);
if (rc == 0) {
if (aibpkeycon->pkey_low < bibpkeycon->pkey_low)
  

commit libsepol for openSUSE:Factory

2024-01-08 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2024-01-08 23:43:46

Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and  /work/SRC/openSUSE:Factory/.libsepol.new.21961 (New)


Package is "libsepol"

Mon Jan  8 23:43:46 2024 rev:55 rq:1137090 version:3.6

Changes:

--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2023-10-08 
12:20:40.847253600 +0200
+++ /work/SRC/openSUSE:Factory/.libsepol.new.21961/libsepol.changes 
2024-01-08 23:43:53.115308503 +0100
@@ -1,0 +2,24 @@
+Tue Dec 19 09:20:58 UTC 2023 - Cathy Hu 
+
+- Update to version 3.6
+  https://github.com/SELinuxProject/selinux/releases/tag/3.6
+  * struct cond_expr_t bool renamed to boolean
+The change is indicated by COND_EXPR_T_RENAME_BOOL_BOOLEAN macro 
+  * Add notself support for neverallow rules
+  * Improve man pages
+  * man pages: Remove the Russian translations
+  * Add notself and other support to CIL
+  * Add support for deny rules
+  * Translations updated from
+https://translate.fedoraproject.org/projects/selinux/
+  * Bug fixes
+- Remove keys from keyring since they expired:
+  - E853C1848B0185CF42864DF363A8AD4B982C4373
+Petr Lautrbach 
+  - 63191CE94183098689CAB8DB7EF137EC935B0EAF
+Jason Zaman 
+- Add key to keyring: 
+  - B8682847764DF60DF52D992CBC3905F235179CF1 
+Petr Lautrbach  
+
+---

Old:

  libsepol-3.5.tar.gz
  libsepol-3.5.tar.gz.asc

New:

  libsepol-3.6.tar.gz
  libsepol-3.6.tar.gz.asc



Other differences:
--
++ libsepol.spec ++
--- /var/tmp/diff_new_pack.c12yVH/_old  2024-01-08 23:43:54.143345845 +0100
+++ /var/tmp/diff_new_pack.c12yVH/_new  2024-01-08 23:43:54.147345991 +0100
@@ -19,7 +19,7 @@
 %define libname libsepol2
 
 Name:   libsepol
-Version:3.5
+Version:3.6
 Release:0
 Summary:SELinux binary policy manipulation library
 License:LGPL-2.1-or-later
@@ -111,7 +111,6 @@
 %{_bindir}/sepol_compute_relabel
 %{_bindir}/sepol_validate_transition
 %{_mandir}/man8/*.8%{ext_man}
-%{_mandir}/ru/man8/*.8%{ext_man}
 
 %files -n %{libname}
 %defattr(-,root,root)

++ libsepol-3.5.tar.gz -> libsepol-3.6.tar.gz ++
 14200 lines of diff (skipped)

++ libsepol.keyring ++
--- /var/tmp/diff_new_pack.c12yVH/_old  2024-01-08 23:43:54.343353110 +0100
+++ /var/tmp/diff_new_pack.c12yVH/_new  2024-01-08 23:43:54.343353110 +0100
@@ -1,306 +1,111 @@
 -BEGIN PGP PUBLIC KEY BLOCK-
 
-mQINBE97JQcBEAC/aeBxbuToAJokMiVxtMVFoUMgCbcVQDB21YhMq4i5a/HDzFno
-qVPhQjGViGTKXQYR7SnT8CCfC3ggG7hqU0oaWKN3D003V6e/ivTJwMKrQRFqf5/A
-vN7ELulXFxEt/ZjYmvTukpW5Li2AU7JBD0aO243Ld9jYdZOZn2zdfA8IpnE9Bmm3
-K/LO1Xb2F9ujF9faI5/IlJvdUFk3uiCKTSvM8kGwOmAwBI921Z5x/CYvy5kKEazU
-lUxMqECl+Tu2YS6NDhWYNkifAIZ7lsUvGjW3/wfh7AvmAQyt/CxOXu9LL2nGzFhw
-CIS4jVIxy5bDswNfHcaMX7B5WEyqTPtjzPAEMiLL4yHJZrHDPd26QHSaqtilVA4K
-AeTYbME8iZIdacquFEq02PO9qAM21O48OknCTSolF7z6nBkk6l26W3EL+Gz5I2Et
-3S9pab3FMjiiKVavM6UA5D0DQkNxxDn9blDXZyhX4HFrk+NnoETcGYFymPbbijgi
-kFC4339/Z1aK31aJLkxiana5mqLthD4jCeg3B8Cp5IurqPr8QEh3FH8ZZhtdx2fX
-TXHTmGQF/lXG4tg1eH5cb6wWGU93wD+5mf6czJlUZTY+kdevKtZCQnA0/2ENCOFW
-Jdm/oMTUw6ozPd474ctzWKeO78e8yMvZst/Zp3Gq6SD9kcoPgiuMQ+BOkwARAQAB
-tCRQZXRyIExhdXRyYmFjaCA8cGxhdXRyYmFAcmVkaGF0LmNvbT6IRgQTEQIABgUC
-UGrhaAAKCRDgn+8l2WSErGaNAJ96+VrAVoZPHnycMU37iP/ZTq5oZwCfaDWxlxNS
-sQRgd0tvIDLDUY0uSw6IXgQQEQgABgUCT32YIwAKCRD/aJIEAzcfEOK8AP4u7xTn
-iIaAvn6H0ql5X5mUeAimPhwP4FUvzkvoBDcY/QD/VPBnW1LoCDe63YboAvbB7BHe
-/0yC7rwTQzl6zPmh/iiJARwEEwECAAYFAk+H1m4ACgkQGWJaEyWIEIcxJQf/fRX8
-T3fQ5NOhZ6r5AqRMm4wXSWsDk1oDL7Fa2vKcwqiIC4zQoU0Y9+s96GSjFHgP4wpc
-f7GHSPZseXp9c4ckIpkuEK2wL+jyPuSSMgmOLEGXBgy6XbWvF5yR7tm3henEcBEn
-HjbTwuTO2nM53tmcM/ophq/eK2nErwTKPiDw3aiahNDYNx36wJrSOBGTKySk/F23
-R8rQPThdbtvUtmTHDPCsAZKmMBlXOkoFcA1xKZRAMBoiEa9hIqiLBV7Z5oTmVSa8
-BolBpOtR38sIjAWh9MtJoFFfx8Q575TC9bfpW3Kc/IRPJE55Myn/8Kbl7YJBU+gO
-/v2yjKIT+hRb0MUOEIkBHAQTAQIABgUCT457oQAKCRCUZdkzlNzEiUhHB/9WN9s3
-d5V/rjy9e8Ny2xd+5yXfuLpi57YI4mIZi5k6s3vBjFW8fa2jw/dXndhX06oOkmXY
-1dSujVWJSMUe4gqnbdVu3IEBiyst5MyYcuOdeVpQ9KvolQMdRCEIXfgFOTXt73Lu
-1eUSyEVhXI+Ua6bsmHJqscHatF2NCTyTJOqZDjIePD+c/8eW9XF2Bv6ZOa51M9UF
-p85PVH0wn9I3bHhtyVPhxDSGM0TL9OwXNV25CPzI04wUb2vqnVVv67XCfcFMA0iH
-nlH1oOHckUUhX+MFOTG6TFHmLIZCJHneeXR7SqdAXGl+EUZyWHRGS2OsdncMEDNy
-5hennjRW71qr1C48iQIcBBABAgAGBQJPht1GAAoJEMI9kbsdgkTfgW0QAJ+o/BZI
-i2TWU1cTQc4zVi4dcV8wZREXUCi2yQlq3C2MbL2gNRCSN+w9E6daOAf2zTEPZSaV
-OuMl9aIF0fSRMuITFVQ6a+cz1UUxGFjFBkzCId5ybgVnkhZTPh7TmgYKQcVsyzBc
-SgQb6qpu058s2lfrvLL8kzpZ77w+JdX9za9oSukflLxgKFvnAP2URY0zZo8E5SZv
-M40zX98QV3wAXp9RVg3uG27IbWfnNO/6ijCY7ZzS16slEaYyBW4u6AgScoqFpD4f
-Urpt1knuZfjHHHmLMTJh5iGL0OEEdLAIuFZH5iKWqRzlTSesX7dn4Jv1McemmLTv
-

commit libsepol for openSUSE:Factory

2023-10-08 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2023-10-08 12:17:38

Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and  /work/SRC/openSUSE:Factory/.libsepol.new.28202 (New)


Package is "libsepol"

Sun Oct  8 12:17:38 2023 rev:54 rq:1115852 version:3.5

Changes:

--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2023-03-07 
16:48:24.112974378 +0100
+++ /work/SRC/openSUSE:Factory/.libsepol.new.28202/libsepol.changes 
2023-10-08 12:20:40.847253600 +0200
@@ -1,0 +2,5 @@
+Thu Mar 23 16:06:02 UTC 2023 - Martin Liška 
+
+- Enable LTO now (boo#1138813).
+
+---



Other differences:
--
++ libsepol.spec ++
--- /var/tmp/diff_new_pack.5ynYRF/_old  2023-10-08 12:20:42.003295165 +0200
+++ /var/tmp/diff_new_pack.5ynYRF/_new  2023-10-08 12:20:42.003295165 +0200
@@ -92,7 +92,7 @@
 %setup -q
 
 %build
-%define _lto_cflags %{nil}
+%global _lto_cflags %{_lto_cflags} -ffat-lto-objects
 export CFLAGS="%{optflags} -fcommon"
 make %{?_smp_mflags}
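Review bot: The new `%global _lto_cflags %{_lto_cflags} -ffat-lto-objects` expands `%{_lto_cflags}` unconditionally, and rpm leaves an undefined macro as literal text, so on a target where `_lto_cflags` is not defined the literal string would end up in the compiler flags. The conditional form `%global _lto_cflags %{?_lto_cflags} -ffat-lto-objects` avoids that. A one-line comment on why fat objects are needed (presumably so a shipped static archive stays usable without LTO) would help the next packager.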
 


commit libsepol for openSUSE:Factory

2023-03-07 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2023-03-07 16:48:20

Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and  /work/SRC/openSUSE:Factory/.libsepol.new.31432 (New)


Package is "libsepol"

Tue Mar  7 16:48:20 2023 rev:53 rq:1068398 version:3.5

Changes:

--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2022-06-20 
15:36:53.162825327 +0200
+++ /work/SRC/openSUSE:Factory/.libsepol.new.31432/libsepol.changes 
2023-03-07 16:48:24.112974378 +0100
@@ -1,0 +2,9 @@
+Fri Feb 24 07:50:14 UTC 2023 - Johannes Segitz 
+
+- Update to version 3.5
+  * Stricter policy validation
+  * do not write empty class definitions to allow simpler round-trip tests
+  * reject attributes in type av rules for kernel policies
+- Added additional developer key (Jason Zaman)
+
+---

Old:

  libsepol-3.4.tar.gz
  libsepol-3.4.tar.gz.asc

New:

  libsepol-3.5.tar.gz
  libsepol-3.5.tar.gz.asc



Other differences:
--
++ libsepol.spec ++
--- /var/tmp/diff_new_pack.8j5tL2/_old  2023-03-07 16:48:24.884978440 +0100
+++ /var/tmp/diff_new_pack.8j5tL2/_new  2023-03-07 16:48:24.892978483 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libsepol
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %define libname libsepol2
 
 Name:   libsepol
-Version:3.4
+Version:3.5
 Release:0
 Summary:SELinux binary policy manipulation library
 License:LGPL-2.1-or-later

++ libsepol-3.4.tar.gz -> libsepol-3.5.tar.gz ++
 4656 lines of diff (skipped)

++ libsepol.keyring ++
--- /var/tmp/diff_new_pack.8j5tL2/_old  2023-03-07 16:48:25.136979767 +0100
+++ /var/tmp/diff_new_pack.8j5tL2/_new  2023-03-07 16:48:25.140979788 +0100
@@ -167,4 +167,140 @@
 t4zhuhOJjZ2YaPVALQ==
 =UVQc
 -END PGP PUBLIC KEY BLOCK-
+-BEGIN PGP PUBLIC KEY BLOCK-
+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commit libsepol for openSUSE:Factory

2022-06-20 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2022-06-20 15:36:47

Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and  /work/SRC/openSUSE:Factory/.libsepol.new.1548 (New)


Package is "libsepol"

Mon Jun 20 15:36:47 2022 rev:52 rq:978302 version:3.4

Changes:

--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2021-11-15 
15:27:36.165843702 +0100
+++ /work/SRC/openSUSE:Factory/.libsepol.new.1548/libsepol.changes  
2022-06-20 15:36:53.162825327 +0200
@@ -1,0 +2,12 @@
+Mon May  9 10:27:53 UTC 2022 - Johannes Segitz 
+
+- Update to version 3.4
+  * Add 'ioctl_skip_cloexec' policy capability
+  * Add sepol_av_perm_to_string
+  * Add policy utilities
+  * Support IPv4/IPv6 address embedding
+  * Hardened/added many validations
+  * Add support for file types in writing out policy.conf
+  * Allow optional file type in genfscon rules
+
+---

Old:

  libsepol-3.3.tar.gz

New:

  libsepol-3.4.tar.gz
  libsepol-3.4.tar.gz.asc
  libsepol.keyring



Other differences:
--
++ libsepol.spec ++
--- /var/tmp/diff_new_pack.XIeoHQ/_old  2022-06-20 15:36:53.670826070 +0200
+++ /var/tmp/diff_new_pack.XIeoHQ/_new  2022-06-20 15:36:53.678826082 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libsepol
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,14 +19,16 @@
 %define libname libsepol2
 
 Name:   libsepol
-Version:3.3
+Version:3.4
 Release:0
 Summary:SELinux binary policy manipulation library
 License:LGPL-2.1-or-later
 Group:  Development/Libraries/C and C++
 URL:https://github.com/SELinuxProject/selinux/wiki/Releases
-Source: 
https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
-Source2:baselibs.conf
+Source0:
https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1:
https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+Source2:libsepol.keyring
+Source3:baselibs.conf
 BuildRequires:  flex
 BuildRequires:  pkgconfig
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
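Review bot: `Source1` and `Source2` add the detached signature and a keyring, but nothing in this hunk or in the other spec hunks shown checks the tarball against them, so it is not visible where the signature is actually verified. If the check is done by the build service when the sources are submitted, say so in a comment next to the sources, e.g. `# Source1 is checked against Source2 at check-in, not during %prep`; if it is not, an explicit verification step belongs in `%prep`. The keyring is itself a trust anchor, so the fingerprints it contains should be confirmed through a channel independent of the download site and recorded with the change.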
@@ -103,6 +105,11 @@
 %files utils
 %defattr(-,root,root)
 %{_bindir}/chkcon
+%{_bindir}/sepol_check_access
+%{_bindir}/sepol_compute_av
+%{_bindir}/sepol_compute_member
+%{_bindir}/sepol_compute_relabel
+%{_bindir}/sepol_validate_transition
 %{_mandir}/man8/*.8%{ext_man}
 %{_mandir}/ru/man8/*.8%{ext_man}
 

++ libsepol-3.3.tar.gz -> libsepol-3.4.tar.gz ++
 7455 lines of diff (skipped)


commit libsepol for openSUSE:Factory

2021-11-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2021-11-15 15:26:03

Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and  /work/SRC/openSUSE:Factory/.libsepol.new.1890 (New)


Package is "libsepol"

Mon Nov 15 15:26:03 2021 rev:51 rq:930939 version:3.3

Changes:

--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2021-07-25 
20:09:04.495456287 +0200
+++ /work/SRC/openSUSE:Factory/.libsepol.new.1890/libsepol.changes  
2021-11-15 15:27:36.165843702 +0100
@@ -1,0 +2,8 @@
+Thu Nov 11 13:28:14 UTC 2021 - Johannes Segitz 
+
+- Update to version 3.3
+  * Dropped CVE-2021-36085.patch, CVE-2021-36086.patch, CVE-2021-36087.patch
+are all included
+  * Lot of smaller fixes identified by fuzzing
+
+---

Old:

  CVE-2021-36085.patch
  CVE-2021-36086.patch
  CVE-2021-36087.patch
  libsepol-3.2.tar.gz

New:

  libsepol-3.3.tar.gz



Other differences:
--
++ libsepol.spec ++
--- /var/tmp/diff_new_pack.JnYloa/_old  2021-11-15 15:27:36.613843827 +0100
+++ /var/tmp/diff_new_pack.JnYloa/_new  2021-11-15 15:27:36.617843829 +0100
@@ -19,7 +19,7 @@
 %define libname libsepol2
 
 Name:   libsepol
-Version:3.2
+Version:3.3
 Release:0
 Summary:SELinux binary policy manipulation library
 License:LGPL-2.1-or-later
@@ -27,10 +27,6 @@
 URL:https://github.com/SELinuxProject/selinux/wiki/Releases
 Source: 
https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source2:baselibs.conf
-# all upstream, remove in next version
-Patch0: CVE-2021-36085.patch
-Patch1: CVE-2021-36086.patch
-Patch2: CVE-2021-36087.patch
 BuildRequires:  flex
 BuildRequires:  pkgconfig
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
@@ -92,9 +88,6 @@
 
 %prep
 %setup -q
-%patch0 -p2
-%patch1 -p2
-%patch2 -p1
 
 %build
 %define _lto_cflags %{nil}

++ libsepol-3.2.tar.gz -> libsepol-3.3.tar.gz ++
 11869 lines of diff (skipped)


commit libsepol for openSUSE:Factory

2021-07-25 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2021-07-25 20:09:04

Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and  /work/SRC/openSUSE:Factory/.libsepol.new.1899 (New)


Package is "libsepol"

Sun Jul 25 20:09:04 2021 rev:50 rq:907664 version:3.2

Changes:

--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2021-07-09 
23:56:35.581805886 +0200
+++ /work/SRC/openSUSE:Factory/.libsepol.new.1899/libsepol.changes  
2021-07-25 20:09:04.495456287 +0200
@@ -1,0 +2,6 @@
+Wed Jul 21 13:16:54 UTC 2021 - Johannes Segitz 
+
+- Fix heap-based buffer over-read in ebitmap_match_any (CVE-2021-36087, 
1187928.
+  Added CVE-2021-36087.patch
+
+---

New:

  CVE-2021-36087.patch



Other differences:
--
++ libsepol.spec ++
--- /var/tmp/diff_new_pack.rRGaHe/_old  2021-07-25 20:09:05.203455498 +0200
+++ /var/tmp/diff_new_pack.rRGaHe/_new  2021-07-25 20:09:05.207455494 +0200
@@ -30,6 +30,7 @@
 # all upstream, remove in next version
 Patch0: CVE-2021-36085.patch
 Patch1: CVE-2021-36086.patch
+Patch2: CVE-2021-36087.patch
 BuildRequires:  flex
 BuildRequires:  pkgconfig
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
@@ -91,7 +92,9 @@
 
 %prep
 %setup -q
-%autopatch -p2
+%patch0 -p2
+%patch1 -p2
+%patch2 -p1
 
 %build
 %define _lto_cflags %{nil}

++ CVE-2021-36087.patch ++
diff -r -u libsepol-3.2_orig/cil/src/cil_build_ast.c 
libsepol-3.2/cil/src/cil_build_ast.c
--- libsepol-3.2_orig/cil/src/cil_build_ast.c   2021-07-21 15:15:01.875585374 
+0200
+++ libsepol-3.2/cil/src/cil_build_ast.c2021-07-21 15:15:10.655704516 
+0200
@@ -50,6 +50,7 @@
struct cil_tree_node *ast;
struct cil_db *db;
struct cil_tree_node *macro;
+   struct cil_tree_node *optional;
struct cil_tree_node *boolif;
struct cil_tree_node *tunif;
struct cil_tree_node *in;
@@ -6098,6 +6099,7 @@
struct cil_db *db = NULL;
struct cil_tree_node *ast_node = NULL;
struct cil_tree_node *macro = NULL;
+   struct cil_tree_node *optional = NULL;
struct cil_tree_node *boolif = NULL;
struct cil_tree_node *tunif = NULL;
struct cil_tree_node *in = NULL;
@@ -6143,6 +6145,18 @@
}
}
 
+   if (optional != NULL) {
+   if (parse_current->data == CIL_KEY_TUNABLE ||
+   parse_current->data == CIL_KEY_IN ||
+   parse_current->data == CIL_KEY_BLOCK ||
+   parse_current->data == CIL_KEY_BLOCKABSTRACT ||
+   parse_current->data == CIL_KEY_MACRO) {
+   rc = SEPOL_ERR;
+   cil_tree_log(parse_current, CIL_ERR, "%s is not allowed 
in optionals", (char *)parse_current->data);
+   goto exit;
+   }
+   }
+
if (boolif != NULL) {
if (parse_current->data != CIL_KEY_CONDTRUE &&
parse_current->data != CIL_KEY_CONDFALSE &&
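Review bot: The new `if (optional != NULL)` check reads a local that the previous hunk declares as `= NULL`, and no hunk of this patch assigns it from the build args or sets the `optional` field when an optional block is entered; the only writes to the field shown are in the last-child hunk (on leaving an optional) and `extra_args.optional = NULL`. The hunk offsets for this file (+1, +2, +14, +27) leave no room for further added lines, so as posted the check looks unreachable, and rejecting tunable/in/block/blockabstract/macro inside optionals would then rest entirely on the resolve-time check in cil_resolve_ast.c. It likely needs `optional = args->optional;` next to the other copies from the args struct and `args->optional = ast_node;` where a node of flavor `CIL_OPTIONAL` is entered (variable names outside the hunk are assumed). The function body starts and ends outside the hunk, so this should be confirmed against the patched file.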
@@ -6524,6 +6538,19 @@
args->macro = NULL;
}
 
+   if (ast->flavor == CIL_OPTIONAL) {
+   struct cil_tree_node *n = ast->parent;
+   args->optional = NULL;
+   /* Optionals can be nested */
+   while (n && n->flavor != CIL_ROOT) {
+   if (n->flavor == CIL_OPTIONAL) {
+   args->optional = n;
+   break;
+   }
+   n = n->parent;
+   }
+   }
+
if (ast->flavor == CIL_BOOLEANIF) {
args->boolif = NULL;
}
@@ -6561,6 +6588,7 @@
extra_args.ast = ast;
extra_args.db = db;
extra_args.macro = NULL;
+   extra_args.optional = NULL;
extra_args.boolif = NULL;
extra_args.tunif = NULL;
extra_args.in = NULL;
diff -r -u libsepol-3.2_orig/cil/src/cil_resolve_ast.c 
libsepol-3.2/cil/src/cil_resolve_ast.c
--- libsepol-3.2_orig/cil/src/cil_resolve_ast.c 2021-07-21 15:15:01.879585428 
+0200
+++ libsepol-3.2/cil/src/cil_resolve_ast.c  2021-07-21 15:15:15.559771063 
+0200
@@ -3788,8 +3788,11 @@
}
 
if (optstack != NULL) {
-   if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) {
-   /* tuanbles and macros are not allowed in optionals*/
+   if (node->flavor == CIL_TUNABLE ||
+   node->flavor == CIL_IN ||
+   node->flavor == CIL_BLOCK ||
+   node->flavor == CIL_BLOCKABSTRACT ||
+

commit libsepol for openSUSE:Factory

2021-07-09 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2021-07-09 23:56:34

Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and  /work/SRC/openSUSE:Factory/.libsepol.new.2625 (New)


Package is "libsepol"

Fri Jul  9 23:56:34 2021 rev:49 rq:904154 version:3.2

Changes:

--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2021-03-24 
16:08:49.803679446 +0100
+++ /work/SRC/openSUSE:Factory/.libsepol.new.2625/libsepol.changes  
2021-07-09 23:56:35.581805886 +0200
@@ -1,0 +2,8 @@
+Mon Jul  5 11:31:07 UTC 2021 - Johannes Segitz 
+
+- Fix use-after-free in __cil_verify_classperms (CVE-2021-36085, 1187965).
+  Added CVE-2021-36085.patch
+- Fix use-after-free in cil_reset_classpermission (CVE-2021-36086, 1187964).
+  Added CVE-2021-36086.patch
+
+---

New:

  CVE-2021-36085.patch
  CVE-2021-36086.patch



Other differences:
--
++ libsepol.spec ++
--- /var/tmp/diff_new_pack.svuAvH/_old  2021-07-09 23:56:36.097801873 +0200
+++ /var/tmp/diff_new_pack.svuAvH/_new  2021-07-09 23:56:36.101801842 +0200
@@ -27,6 +27,9 @@
 URL:https://github.com/SELinuxProject/selinux/wiki/Releases
 Source: 
https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source2:baselibs.conf
+# all upstream, remove in next version
+Patch0: CVE-2021-36085.patch
+Patch1: CVE-2021-36086.patch
 BuildRequires:  flex
 BuildRequires:  pkgconfig
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
@@ -88,6 +91,7 @@
 
 %prep
 %setup -q
+%autopatch -p2
 
 %build
 %define _lto_cflags %{nil}

++ CVE-2021-36085.patch ++
>From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
From: James Carter 
Date: Thu, 8 Apr 2021 13:32:04 -0400
Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms

Map perms share the same struct as regular perms, but only the
map perms use the classperms field. This field is a pointer to a
list of classperms that is created and added to when resolving
classmapping rules, so the map permission doesn't own any of the
data in the list and this list should be destroyed when the AST is
reset.

When resetting a perm, destroy the classperms list without destroying
the data in the list.

Signed-off-by: James Carter 
---
 libsepol/cil/src/cil_reset_ast.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
===
--- libsepol.orig/libsepol-3.2/cil/src/cil_reset_ast.c
+++ libsepol/libsepol-3.2/cil/src/cil_reset_ast.c
@@ -36,7 +36,7 @@ static void cil_reset_class(struct cil_c
 
 static void cil_reset_perm(struct cil_perm *perm)
 {
-   cil_reset_classperms_list(perm->classperms);
+   cil_list_destroy(&perm->classperms, CIL_FALSE);
 }
 
 static inline void cil_reset_classperms(struct cil_classperms *cp)
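Review bot: `cil_reset_perm()` now calls `cil_list_destroy(&perm->classperms, CIL_FALSE)` for every perm, while the commit message says only map perms use the field, so for regular perms the pointer is presumably NULL and the call relies on `cil_list_destroy()` tolerating a NULL list and clearing the caller's pointer afterwards. Neither behaviour is visible in this hunk and both are worth confirming, since a pointer left dangling here would recreate the use-after-free on the next reset. The ownership rule lives only in the commit message; a comment in the function such as `/* entries are owned elsewhere: destroy the list, keep the data */` would keep a later change from reintroducing a deep reset.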
++ CVE-2021-36086.patch ++
>From c49a8ea09501ad66e799ea41b8154b6770fec2c8 Mon Sep 17 00:00:00 2001
From: James Carter 
Date: Thu, 8 Apr 2021 13:32:06 -0400
Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
 classpermission

In struct cil_classperms_set, the set field is a pointer to a
struct cil_classpermission which is looked up in the symbol table.
Since the cil_classperms_set does not create the cil_classpermission,
it should not reset it.

Set the set field to NULL instead of resetting the classpermission
that it points to.

Signed-off-by: James Carter 
---
 libsepol/cil/src/cil_reset_ast.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
index 89f91e56..1d9ca704 100644
--- a/libsepol/cil/src/cil_reset_ast.c
+++ b/libsepol/cil/src/cil_reset_ast.c
@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct 
cil_classpermission *cp)
 
 static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
 {
-   cil_reset_classpermission(cp_set->set);
+   if (cp_set == NULL) {
+   return;
+   }
+
+   cp_set->set = NULL;
 }
 
 static inline void cil_reset_classperms_list(struct cil_list *cp_list)
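Review bot: After this change `cp_set->set` is NULL from the reset until the set is resolved again, so every reader of the field in that window has to handle NULL instead of a stale pointer; those readers are outside the hunk and should be checked. The new `cp_set == NULL` guard has no visible counterpart in the neighbouring reset helpers, so it is unclear whether a NULL `cp_set` can reach this function at all. A comment such as `/* set is looked up in the symbol table and not owned here; clear it so it is resolved again */` would also put the reason for not resetting the target into the code.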
-- 
2.26.2


commit libsepol for openSUSE:Factory

2021-03-24 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2021-03-24 16:08:48

Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and  /work/SRC/openSUSE:Factory/.libsepol.new.2401 (New)


Package is "libsepol"

Wed Mar 24 16:08:48 2021 rev:48 rq:878577 version:3.2

Changes:

--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2020-11-26 
23:09:15.488821331 +0100
+++ /work/SRC/openSUSE:Factory/.libsepol.new.2401/libsepol.changes  
2021-03-24 16:08:49.803679446 +0100
@@ -1,0 +2,9 @@
+Tue Mar  9 09:11:42 UTC 2021 - Johannes Segitz 
+
+- Update to version 3.2
+  * more space-efficient form of storing filename transitions in the binary
+policy and reduced the size of the binary policy
+  * dropped old and deprecated symbols and functions. Version was bumped to
+libsepol.so.2
+
+---

Old:

  libsepol-3.1.tar.gz

New:

  libsepol-3.2.tar.gz



Other differences:
--
++ libsepol.spec ++
--- /var/tmp/diff_new_pack.yXWxLi/_old  2021-03-24 16:08:51.287681005 +0100
+++ /var/tmp/diff_new_pack.yXWxLi/_new  2021-03-24 16:08:51.287681005 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libsepol
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,14 +16,16 @@
 #
 
 
+%define libname libsepol2
+
 Name:   libsepol
-Version:3.1
+Version:3.2
 Release:0
 Summary:SELinux binary policy manipulation library
 License:LGPL-2.1-or-later
 Group:  Development/Libraries/C and C++
 URL:https://github.com/SELinuxProject/selinux/wiki/Releases
-Source: 
https://github.com/SELinuxProject/selinux/releases/download/20200710/%{name}-%{version}.tar.gz
+Source: 
https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source2:baselibs.conf
 BuildRequires:  flex
 BuildRequires:  pkgconfig
@@ -47,11 +49,11 @@
 specific transformations on binary policies such as customizing
 policy boolean settings.
 
-%package -n libsepol1
+%package -n %{libname}
 Summary:SELinux binary policy manipulation library
 Group:  System/Libraries
 
-%description -n libsepol1
+%description -n %{libname}
 libsepol provides an API for the manipulation of SELinux binary
 policies. It is used by checkpolicy (the policy compiler) and similar
 tools, as well as by programs like load_policy that need to perform
@@ -66,8 +68,8 @@
 %package devel
 Summary:Development files for SELinux's binary policy manipulation 
library
 Group:  Development/Libraries/C and C++
+Requires:   %{libname} = %{version}
 Requires:   glibc-devel
-Requires:   libsepol1 = %{version}
 
 %description devel
 The libsepol-devel package contains the libraries and header files
@@ -95,8 +97,8 @@
 %install
 %make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}"
 
-%post -n libsepol1 -p /sbin/ldconfig
-%postun -n libsepol1 -p /sbin/ldconfig
+%post -n %{libname} -p /sbin/ldconfig
+%postun -n %{libname} -p /sbin/ldconfig
 
 %files utils
 %defattr(-,root,root)
@@ -104,7 +106,7 @@
 %{_mandir}/man8/*.8%{ext_man}
 %{_mandir}/ru/man8/*.8%{ext_man}
 
-%files -n libsepol1
+%files -n %{libname}
 %defattr(-,root,root)
 %{_libdir}/libsepol.so.*
 

++ baselibs.conf ++
--- /var/tmp/diff_new_pack.yXWxLi/_old  2021-03-24 16:08:51.311681030 +0100
+++ /var/tmp/diff_new_pack.yXWxLi/_new  2021-03-24 16:08:51.315681035 +0100
@@ -1 +1 @@
-libsepol1
+libsepol2

++ libsepol-3.1.tar.gz -> libsepol-3.2.tar.gz ++
 4080 lines of diff (skipped)


[opensuse-commit] commit libsepol for openSUSE:Factory

2020-11-26 Thread User for buildservice source handling
Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2020-11-26 23:09:10

Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and  /work/SRC/openSUSE:Factory/.libsepol.new.5913 (New)


Package is "libsepol"

Thu Nov 26 23:09:10 2020 rev:47 rq:849698 version:3.1

Changes:

--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes2020-10-06 
17:09:31.113444790 +0200
+++ /work/SRC/openSUSE:Factory/.libsepol.new.5913/libsepol.changes  
2020-11-26 23:09:15.488821331 +0100
@@ -1,0 +2,5 @@
+Thu Oct 29 10:40:16 UTC 2020 - Ludwig Nussel 
+
+- install to /usr (boo#1029961)
+
+---



Other differences:
--
++ libsepol.spec ++
--- /var/tmp/diff_new_pack.uAIjHv/_old  2020-11-26 23:09:16.092821925 +0100
+++ /var/tmp/diff_new_pack.uAIjHv/_new  2020-11-26 23:09:16.096821930 +0100
@@ -93,7 +93,7 @@
 make %{?_smp_mflags}
 
 %install
-%make_install LIBDIR="%{_libdir}" SHLIBDIR="/%{_lib}"
+%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}"
 
 %post -n libsepol1 -p /sbin/ldconfig
 %postun -n libsepol1 -p /sbin/ldconfig
@@ -106,7 +106,7 @@
 
 %files -n libsepol1
 %defattr(-,root,root)
-/%{_lib}/libsepol.so.*
+%{_libdir}/libsepol.so.*
 
 %files devel
 %defattr(-,root,root)