author | Jason Zaman <perfinion@gentoo.org> | 2016-09-15 17:30:39 +0800 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2016-09-15 17:45:05 +0800 |
commit | 51e0f47c21ea17e9dd93961e4bc1aa560927865a (patch) | |
tree | 5e61258677ec934b2cfcb576eebef4bb797b9e4b /sys-libs/libselinux | |
parent | dev-ros/rgbd_launch: bump to 2.2.2; add python_compat for tests to work (diff) | |
sys-libs/libselinux: backport patches to 2.5-r1
Avoid mounting /proc outside of selinux_init_load_policy()
Fix compat issue with swig 3.0.10
https://bugs.gentoo.org/587712
Package-Manager: portage-2.2.28
Diffstat (limited to 'sys-libs/libselinux')
5 files changed, 388 insertions, 1 deletions
diff --git a/sys-libs/libselinux/files/libselinux-2.5-0001-only-mount-proc-if-necessary.patch b/sys-libs/libselinux/files/libselinux-2.5-0001-only-mount-proc-if-necessary.patch
new file mode 100644
index 000000000000..dfa6a0fa5553
--- /dev/null
+++ b/sys-libs/libselinux/files/libselinux-2.5-0001-only-mount-proc-if-necessary.patch
@@ -0,0 +1,54 @@
+From 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Mon, 29 Feb 2016 10:10:55 -0500
+Subject: [PATCH] libselinux: only mount /proc if necessary
+
+Commit 9df498884665d ("libselinux: Mount procfs before checking
+/proc/filesystems") changed selinuxfs_exists() to always try
+mounting /proc before reading /proc/filesystems. However, this is
+unnecessary if /proc is already mounted and can produce avc denials
+if the process is not allowed to perform the mount. Check first
+to see if /proc is already present and only try the mount if it is not.
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libselinux/src/init.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/init.c b/libselinux/src/init.c
+index 3db4de0..3530594 100644
+--- libselinux/src/init.c
++++ libselinux/src/init.c
+@@ -12,6 +12,7 @@
+ #include <stdint.h>
+ #include <limits.h>
+ #include <sys/mount.h>
++#include <linux/magic.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -57,13 +58,19 @@ static int verify_selinuxmnt(const char *mnt)
+ 
+ int selinuxfs_exists(void)
+ {
+- int exists = 0, mnt_rc = 0;
++ int exists = 0, mnt_rc = -1, rc;
++ struct statfs sb;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+ 
+- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
++ do {
++ rc = statfs("/proc", &sb);
++ } while (rc < 0 && errno == EINTR);
++
++ if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
++ mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+ 
+ fp = fopen("/proc/filesystems", "r");
+ if (!fp) {
+-- 
+2.7.3
+
diff --git a/sys-libs/libselinux/files/libselinux-2.5-0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch b/sys-libs/libselinux/files/libselinux-2.5-0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
new file mode 100644
index 000000000000..c811450ba396
--- /dev/null
+++ b/sys-libs/libselinux/files/libselinux-2.5-0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch
@@ -0,0 +1,129 @@
+From 32773a99b1f0cf2b61b5f5a33359684b18aab1ed Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Fri, 13 May 2016 11:59:47 -0400
+Subject: [PATCH] Avoid mounting /proc outside of selinux_init_load_policy().
+
+Temporarily mounting /proc within selinuxfs_exists() can cause
+problems since it can be called by a libselinux constructor and
+therefore may be invoked by every program linked with libselinux.
+Since this was only motivated originally by a situation where
+selinuxfs_exists() was called from selinux_init_load_policy()
+before /proc was mounted, fix it in selinux_init_load_policy() instead.
+
+This reverts commit 5a8d8c499b2ef80eaa7b5abe2ec68d7101e613bf
+("libselinux: only mount /proc if necessary") and
+commit 9df498884665d79474b79f0f30d1cd67df11bd3e
+("libselinux: Mount procfs before checking /proc/filesystems").
+
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+---
+ libselinux/src/init.c | 27 +++------------------------
+ libselinux/src/load_policy.c | 15 ++++++++++-----
+ 2 files changed, 13 insertions(+), 29 deletions(-)
+
+diff --git a/libselinux/src/init.c b/libselinux/src/init.c
+index 3530594..3c687a2 100644
+--- libselinux/src/init.c
++++ libselinux/src/init.c
+@@ -11,8 +11,6 @@
+ #include <sys/vfs.h>
+ #include <stdint.h>
+ #include <limits.h>
+-#include <sys/mount.h>
+-#include <linux/magic.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -58,26 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
+ 
+ int selinuxfs_exists(void)
+ {
+- int exists = 0, mnt_rc = -1, rc;
+- struct statfs sb;
++ int exists = 0;
+ FILE *fp = NULL;
+ char *buf = NULL;
+ size_t len;
+ ssize_t num;
+ 
+- do {
+- rc = statfs("/proc", &sb);
+- } while (rc < 0 && errno == EINTR);
+-
+- if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
+- mnt_rc = mount("proc", "/proc", "proc", 0, 0);
+-
+ fp = fopen("/proc/filesystems", "r");
+- if (!fp) {
+- exists = 1; /* Fail as if it exists */
+- goto out;
+- }
+-
++ if (!fp)
++ return 1; /* Fail as if it exists */
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+ 
+ num = getline(&buf, &len, fp);
+@@ -91,14 +78,6 @@ int selinuxfs_exists(void)
+ 
+ free(buf);
+ fclose(fp);
+-
+-out:
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+- if (mnt_rc == 0)
+- umount2("/proc", MNT_DETACH);
+-
+ return exists;
+ }
+ hidden_def(selinuxfs_exists)
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 21ee58b..4f39fc7 100644
+--- libselinux/src/load_policy.c
++++ libselinux/src/load_policy.c
+@@ -17,6 +17,10 @@
+ #include "policy.h"
+ #include <limits.h>
+ 
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++
+ int security_load_policy(void *data, size_t len)
+ {
+ char path[PATH_MAX];
+@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce)
+ fclose(cfg);
+ free(buf);
+ }
+-#ifndef MNT_DETACH
+-#define MNT_DETACH 2
+-#endif
+- if (rc == 0)
+- umount2("/proc", MNT_DETACH);
+ 
+ /*
+ * Determine the final desired mode.
+@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce)
+ /* Only emit this error if selinux was not disabled */
+ fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno));
+ }
++
++ if (rc == 0)
++ umount2("/proc", MNT_DETACH);
+ 
+ goto noload;
+ }
+ set_selinuxmnt(mntpoint);
+ 
++ if (rc == 0)
++ umount2("/proc", MNT_DETACH);
++
+ /*
+ * Note: The following code depends on having selinuxfs
+ * already mounted and selinuxmnt set above.
+-- 
+2.7.3
+
diff --git a/sys-libs/libselinux/files/libselinux-2.5-0003-Change-the-location-of-_selinux.so.patch b/sys-libs/libselinux/files/libselinux-2.5-0003-Change-the-location-of-_selinux.so.patch
new file mode 100644
index 000000000000..542acfdc2437
--- /dev/null
+++ b/sys-libs/libselinux/files/libselinux-2.5-0003-Change-the-location-of-_selinux.so.patch
@@ -0,0 +1,44 @@
+From a9604c30a5e2f71007d31aa6ba41cf7b95d94822 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 27 Jun 2016 10:46:13 +0200
+Subject: [PATCH] libselinux: Change the location of _selinux.so
+
+There was a change in swig-3.10 to use importlib instead of imp. While
+the implementation with imp looked for _selinux.so also into the same directory
+as __init__.py is, a new module with importlib searchs only standard paths.
+It means that we need to move _selinux.so from $(PYLIBDIR)/site-packages/selinux/
+to $(PYLIBDIR)/site-packages/.
+
+Fixes:
+>>> import selinux
+Traceback (most recent call last):
+ File "<stdin>", line 1, in <module>
+ File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 21, in <module>
+ _selinux = swig_import_helper()
+ File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 20, in swig_import_helper
+ return importlib.import_module('_selinux')
+ File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
+ __import__(name)
+ImportError: No module named _selinux
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index d94163e..37d01af 100644
+--- libselinux/src/Makefile
++++ libselinux/src/Makefile
+@@ -156,7 +156,7 @@ install: all
+ 
+ install-pywrap: pywrap
+ test -d $(PYLIBDIR)/site-packages/selinux || install -m 755 -d $(PYLIBDIR)/site-packages/selinux
+- install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/selinux/_selinux.so
++ install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/_selinux.so
+ install -m 755 $(AUDIT2WHYSO) $(PYLIBDIR)/site-packages/selinux/audit2why.so
+ install -m 644 $(SWIGPYOUT) $(PYLIBDIR)/site-packages/selinux/__init__.py
+ 
+-- 
+2.7.3
+
diff --git a/sys-libs/libselinux/libselinux-2.5-r1.ebuild b/sys-libs/libselinux/libselinux-2.5-r1.ebuild
new file mode 100644
index 000000000000..51e5c29e746e
--- /dev/null
+++ b/sys-libs/libselinux/libselinux-2.5-r1.ebuild
@@ -0,0 +1,160 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="6"
+PYTHON_COMPAT=( python2_7 python3_4 python3_5 )
+USE_RUBY="ruby21 ruby22 ruby23"
+
+# No, I am not calling ruby-ng
+inherit multilib python-r1 toolchain-funcs multilib-minimal
+
+MY_P="${P//_/-}"
+SEPOL_VER="${PV}"
+MY_RELEASEDATE="20160223"
+
+DESCRIPTION="SELinux userland library"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
+
+if [[ ${PV} == 9999 ]] ; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
+ S="${WORKDIR}/${MY_P}/${PN}"
+else
+ SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${MY_RELEASEDATE}/${MY_P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="public-domain"
+SLOT="0"
+
+IUSE="python ruby static-libs ruby_targets_ruby21 ruby_targets_ruby22 ruby_targets_ruby23"
+
+RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}[${MULTILIB_USEDEP}]
+ >=dev-libs/libpcre-8.33-r1:=[static-libs?,${MULTILIB_USEDEP}]
+ python? ( ${PYTHON_DEPS} )
+ ruby? (
+ ruby_targets_ruby21? ( dev-lang/ruby:2.1 )
+ ruby_targets_ruby22? ( dev-lang/ruby:2.2 )
+ ruby_targets_ruby23? ( dev-lang/ruby:2.3 )
+ )"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig
+ python? ( >=dev-lang/swig-2.0.9 )"
+
+src_prepare() {
+ if [[ ${PV} != 9999 ]] ; then
+ # If needed for live builds, place them in /etc/portage/patches
+ eapply "${FILESDIR}/0005-use-ruby-include-with-rubylibver.patch"
+ eapply "${FILESDIR}/0007-build-related-fixes-bug-500674-for-2.5.patch"
+
+ eapply "${FILESDIR}/libselinux-2.5-0001-only-mount-proc-if-necessary.patch"
+ eapply "${FILESDIR}/libselinux-2.5-0002-Avoid-mounting-proc-outside-of-selinux_init_load_pol.patch"
+ eapply "${FILESDIR}/libselinux-2.5-0003-Change-the-location-of-_selinux.so.patch"
+ fi
+
+ eapply_user
+
+ multilib_copy_sources
+}
+
+multilib_src_compile() {
+ tc-export PKG_CONFIG RANLIB
+ local PCRE_CFLAGS=$(${PKG_CONFIG} libpcre --cflags)
+ local PCRE_LIBS=$(${PKG_CONFIG} libpcre --libs)
+ export PCRE_{CFLAGS,LIBS}
+
+ emake \
+ AR="$(tc-getAR)" \
+ CC="$(tc-getCC)" \
+ LIBDIR="\$(PREFIX)/$(get_libdir)" \
+ SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+ LDFLAGS="-fPIC ${LDFLAGS} -pthread" \
+ all
+
+ if multilib_is_native_abi && use python; then
+ building() {
+ python_export PYTHON_INCLUDEDIR PYTHON_LIBPATH
+ emake \
+ CC="$(tc-getCC)" \
+ PYINC="-I${PYTHON_INCLUDEDIR}" \
+ PYTHONLIBDIR="${PYTHON_LIBPATH}" \
+ PYPREFIX="${EPYTHON##*/}" \
+ LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
+ LIBDIR="\$(PREFIX)/$(get_libdir)" \
+ SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+ pywrap
+ }
+ python_foreach_impl building
+ fi
+
+ if multilib_is_native_abi && use ruby; then
+ building() {
+ einfo "Calling rubywrap for ${1}"
+ # Clean up .lo file to force rebuild
+ rm -f src/selinuxswig_ruby_wrap.lo || die
+ emake \
+ CC="$(tc-getCC)" \
+ RUBY=${1} \
+ RUBYINSTALL=$(${1} -e 'print RbConfig::CONFIG["vendorarchdir"]') \
+ LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
+ LIBDIR="\$(PREFIX)/$(get_libdir)" \
+ SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+ rubywrap
+ }
+ for RUBYTARGET in ${USE_RUBY}; do
+ use ruby_targets_${RUBYTARGET} || continue
+
+ building ${RUBYTARGET}
+ done
+ fi
+}
+
+multilib_src_install() {
+ LIBDIR="\$(PREFIX)/$(get_libdir)" SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+ emake DESTDIR="${D}" install
+
+ if multilib_is_native_abi && use python; then
+ installation() {
+ LIBDIR="\$(PREFIX)/$(get_libdir)" emake DESTDIR="${D}" install-pywrap
+ python_optimize # bug 531638
+ }
+ python_foreach_impl installation
+ fi
+
+ if multilib_is_native_abi && use ruby; then
+ installation() {
+ einfo "Calling install-rubywrap for ${1}"
+ # Forcing (re)build here as otherwise the resulting SO file is used for all ruby versions
+ rm src/selinuxswig_ruby_wrap.lo
+ LIBDIR="\$(PREFIX)/$(get_libdir)" emake DESTDIR="${D}" \
+ RUBY=${1} \
+ RUBYINSTALL="${D}/$(${1} -e 'print RbConfig::CONFIG["vendorarchdir"]')" \
+ install-rubywrap
+ }
+ for RUBYTARGET in ${USE_RUBY}; do
+ use ruby_targets_${RUBYTARGET} || continue
+
+ installation ${RUBYTARGET}
+ done
+ fi
+
+ use static-libs || rm "${D}"/usr/lib*/*.a || die
+}
+
+pkg_postinst() {
+ # Fix bug 473502
+ for POLTYPE in ${POLICY_TYPES};
+ do
+ mkdir -p /etc/selinux/${POLTYPE}/contexts/files || die
+ touch /etc/selinux/${POLTYPE}/contexts/files/file_contexts.local || die
+ # Fix bug 516608
+ for EXPRFILE in file_contexts file_contexts.homedirs file_contexts.local ; do
+ if [[ -f "/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE}" ]]; then
+ sefcontext_compile /etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE} \
+ || die "Failed to recompile contexts"
+ fi
+ done
+ done
+}
diff --git a/sys-libs/libselinux/libselinux-9999.ebuild b/sys-libs/libselinux/libselinux-9999.ebuild
index e686746030d2..54de3c9dbc8b 100644
--- a/sys-libs/libselinux/libselinux-9999.ebuild
+++ b/sys-libs/libselinux/libselinux-9999.ebuild
@@ -11,7 +11,7 @@ inherit multilib python-r1 toolchain-funcs multilib-minimal
 
 MY_P="${P//_/-}"
 SEPOL_VER="${PV}"
-MY_RELEASEDATE="20150202"
+MY_RELEASEDATE="20160223"
 
 DESCRIPTION="SELinux userland library"
 HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
|
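Review bot: pkg_postinst in the new libselinux-2.5-r1.ebuild creates, touches and recompiles context files under a hard-coded `/etc/selinux/${POLTYPE}/...`, so it writes to the live host even when Portage is installing into a ROOT; the paths should be rooted, e.g. `mkdir -p "${EROOT%/}/etc/selinux/${POLTYPE}/contexts/files" || die` and the same prefix on the `touch`, the `-f` test and the `sefcontext_compile` argument. Separately, the ruby `installation()` helper in multilib_src_install runs `rm src/selinuxswig_ruby_wrap.lo` with no `|| die`, while its `building()` counterpart uses `rm -f … || die`; if the removal fails, the stale object is silently reused for every ruby target, which is exactly what the preceding comment says must not happen. Finally, src_prepare applies 0001 and then 0002, whose own description says it reverts 0001's commit 5a8d8c49, so a one-line comment such as `# 0001 is applied only so that 0002 (which reverts it) applies cleanly` would stop a future maintainer from dropping 0001 and breaking the series.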