public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
From: Petr Lautrbach <lautrbach@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/libselinux] rawhide: SELinux userspace 3.11 release
Date: Wed, 01 Jul 2026 19:36:26 GMT [thread overview]
Message-ID: <178293458652.1.5830165486301475632.rpms-libselinux-41d874fcf881@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/libselinux
Branch : rawhide
Commit : 41d874fcf8813b7531ab920c23e1bb050503fce9
Author : Petr Lautrbach <lautrbach@redhat.com>
Date : 2026-07-01T21:36:01+02:00
Stats : +409/-276 in 5 file(s)
URL : https://src.fedoraproject.org/rpms/libselinux/c/41d874fcf8813b7531ab920c23e1bb050503fce9?branch=rawhide
Log:
SELinux userspace 3.11 release
---
diff --git a/.gitignore b/.gitignore
index 2dc4d9d..2243b75 100644
--- a/.gitignore
+++ b/.gitignore
@@ -248,3 +248,5 @@ libselinux-2.0.96.tgz
/libselinux-3.10-rc2.tar.gz.asc
/libselinux-3.10.tar.gz
/libselinux-3.10.tar.gz.asc
+/libselinux-3.11.tar.gz
+/libselinux-3.11.tar.gz.asc
diff --git a/0001-Use-SHA-2-instead-of-SHA-1.patch b/0001-Use-SHA-2-instead-of-SHA-1.patch
index 7ae78c2..3473914 100644
--- a/0001-Use-SHA-2-instead-of-SHA-1.patch
+++ b/0001-Use-SHA-2-instead-of-SHA-1.patch
@@ -1,4 +1,4 @@
-From 4780b755bb1171f5aa4cd7545535839d451a2070 Mon Sep 17 00:00:00 2001
+From cbaf1040c655bd544eedca3b8e070720dfc3b2be Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1
@@ -13,28 +13,28 @@ The use of SHA-1 in RHEL9 is deprecated
libselinux/man/man3/selinux_restorecon.3 | 18 +-
.../man/man3/selinux_restorecon_xattr.3 | 2 +-
libselinux/src/Makefile | 2 +-
- libselinux/src/label_file.c | 40 +--
- libselinux/src/label_internal.h | 10 +-
- libselinux/src/label_support.c | 10 +-
- libselinux/src/selinux_restorecon.c | 24 +-
- libselinux/src/sha1.c | 223 -------------
- libselinux/src/sha1.h | 85 -----
+ libselinux/src/label_file.c | 46 +--
+ libselinux/src/label_internal.h | 18 +-
+ libselinux/src/label_support.c | 17 +-
+ libselinux/src/selinux_restorecon.c | 48 ++-
+ libselinux/src/sha1.c | 284 -----------------
+ libselinux/src/sha1.h | 68 ----
libselinux/src/sha256.c | 294 ++++++++++++++++++
libselinux/src/sha256.h | 89 ++++++
libselinux/utils/selabel_digest.c | 26 +-
.../selabel_get_digests_all_partial_matches.c | 28 +-
- 17 files changed, 471 insertions(+), 396 deletions(-)
+ 17 files changed, 501 insertions(+), 455 deletions(-)
delete mode 100644 libselinux/src/sha1.c
delete mode 100644 libselinux/src/sha1.h
create mode 100644 libselinux/src/sha256.c
create mode 100644 libselinux/src/sha256.h
diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
-index ce189a3ae2fe..ce77d32dfed1 100644
+index 05e1fd569980..0e683ff2ad3c 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
-@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
- const char *key, const char **aliases, int type);
+@@ -123,13 +123,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
+ int type);
/**
- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
@@ -51,7 +51,7 @@ index ce189a3ae2fe..ce77d32dfed1 100644
* @num_specfiles: number of specfiles in the list.
*
diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
-index 5be6542c2a91..210f65fdb709 100644
+index 6680589ec659..c8356de9ebeb 100644
--- a/libselinux/include/selinux/restorecon.h
+++ b/libselinux/include/selinux/restorecon.h
@@ -43,8 +43,8 @@ extern int selinux_restorecon_parallel(const char *pathname,
@@ -63,7 +63,7 @@ index 5be6542c2a91..210f65fdb709 100644
+ * Force the checking of labels even if the stored SHA256 digest
+ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN).
*/
- #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001
+ #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001
/*
diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3
index 56a008f00df0..5f7c42533d0e 100644
@@ -97,7 +97,7 @@ index 0e03e1be111e..14ab888d2e03 100644
.BR selabel_digest (3)
.
diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
-index 218aaf6d2ae5..5f6d4b386429 100644
+index 9bcd3d42bb45..3f283c4f4273 100644
--- a/libselinux/man/man3/selinux_restorecon.3
+++ b/libselinux/man/man3/selinux_restorecon.3
@@ -36,7 +36,7 @@ If this is a directory and the
@@ -138,7 +138,7 @@ index 218aaf6d2ae5..5f6d4b386429 100644
extended attribute as described in the
.B NOTES
section.
-@@ -179,12 +179,12 @@ for fetching the ignored (skipped) error count after
+@@ -179,7 +179,7 @@ for fetching the ignored (skipped) error count after
or
.BR selinux_restorecon_parallel (3)
completes with success. In case any errors were skipped during the file tree
@@ -146,6 +146,9 @@ index 218aaf6d2ae5..5f6d4b386429 100644
+walk, the specfile entries SHA256 digest will not have been written to the
.IR security.sehash
extended attribute.
+ .sp
+@@ -197,7 +197,7 @@ Use this option when relabeling untrusted directories that might
+ contain hard links to files owned by others.
.RE
.sp
-The behavior regarding the checking and updating of the SHA1 digest described
@@ -153,7 +156,7 @@ index 218aaf6d2ae5..5f6d4b386429 100644
above is the default behavior. It is possible to change this by first calling
.BR selabel_open (3)
and not enabling the
-@@ -247,7 +247,7 @@ To improve performance when relabeling file systems recursively (e.g. the
+@@ -260,7 +260,7 @@ To improve performance when relabeling file systems recursively (e.g. the
.B SELINUX_RESTORECON_RECURSE
flag is set)
.BR selinux_restorecon ()
@@ -162,7 +165,7 @@ index 218aaf6d2ae5..5f6d4b386429 100644
.BR selabel_get_digests_all_partial_matches (3)
to an extended attribute named
.IR security.sehash
-@@ -269,7 +269,7 @@ Should any of the specfile entries have changed, then when
+@@ -282,7 +282,7 @@ Should any of the specfile entries have changed, then when
.BR selinux_restorecon ()
is run again with the
.B SELINUX_RESTORECON_RECURSE
@@ -185,7 +188,7 @@ index c56326814b94..098c840fc59b 100644
.BR selabel_open (3)
must be called specifying the required
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
-index 41cfbdca490c..658a4c3d80e0 100644
+index 9ecdbd4d0af8..fde55cd681c2 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -130,7 +130,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
@@ -198,10 +201,10 @@ index 41cfbdca490c..658a4c3d80e0 100644
endif
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 189a5ed26eb7..312bb584d6b4 100644
+index 0c0499eb0365..938a0e2a5fb3 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
-@@ -1780,7 +1780,7 @@ static struct lookup_result *lookup_common(struct selabel_handle *rec,
+@@ -2244,7 +2244,7 @@ static struct lookup_result *lookup_common(struct selabel_handle *rec,
/*
* Returns true if the digest of all partial matched contexts is the same as
@@ -210,7 +213,7 @@ index 189a5ed26eb7..312bb584d6b4 100644
* digest will always be returned. The caller must free any returned digests.
*/
static bool get_digests_all_partial_matches(struct selabel_handle *rec,
-@@ -1789,39 +1789,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+@@ -2253,40 +2253,40 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
uint8_t **xattr_digest,
size_t *digest_len)
{
@@ -220,13 +223,17 @@ index 189a5ed26eb7..312bb584d6b4 100644
- read_digest, SHA1_HASH_SIZE
+ read_digest, SHA256_HASH_SIZE
#ifdef __APPLE__
- , 0, 0
+ ,
+ 0, 0
#endif /* __APPLE __ */
- );
+- );
- uint8_t hash_digest[SHA1_HASH_SIZE];
+- bool status =
+- selabel_hash_all_partial_matches(rec, pathname, hash_digest);
++ );
+ uint8_t hash_digest[SHA256_HASH_SIZE];
- bool status = selabel_hash_all_partial_matches(rec, pathname,
- hash_digest);
++ bool status = selabel_hash_all_partial_matches(rec, pathname,
++ hash_digest);
*xattr_digest = NULL;
*calculated_digest = NULL;
@@ -255,13 +262,13 @@ index 189a5ed26eb7..312bb584d6b4 100644
}
- if (status && read_size == SHA1_HASH_SIZE &&
-- memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
+- memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
+ if (status && read_size == SHA256_HASH_SIZE &&
+ memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0)
return true;
return false;
-@@ -1840,22 +1840,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
+@@ -2307,22 +2307,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec,
return false;
}
@@ -271,9 +278,9 @@ index 189a5ed26eb7..312bb584d6b4 100644
+ Sha256Initialise(&context);
for (const struct lookup_result *m = matches; m; m = m->next) {
- const char* regex_str = m->regex_str;
+ const char *regex_str = m->regex_str;
uint8_t file_kind = m->file_kind;
- const char* ctx_raw = m->lr->ctx_raw;
+ const char *ctx_raw = m->lr->ctx_raw;
- Sha1Update(&context, regex_str, strlen(regex_str) + 1);
- Sha1Update(&context, &file_kind, sizeof(file_kind));
@@ -293,7 +300,7 @@ index 189a5ed26eb7..312bb584d6b4 100644
free_lookup_result(matches);
return true;
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
-index 743dbf9472cf..4180df92f405 100644
+index 4ff39d96f9f5..dd426a824cab 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -13,7 +13,7 @@
@@ -305,7 +312,7 @@ index 743dbf9472cf..4180df92f405 100644
#if defined(ANDROID) || defined(__APPLE__)
// Android and Mac do not have fgets_unlocked()
-@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec,
+@@ -41,19 +41,19 @@ int selabel_service_init(struct selabel_handle *rec,
*/
/*
@@ -319,12 +326,20 @@ index 743dbf9472cf..4180df92f405 100644
+#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE
#define DIGEST_FILES_MAX 8
struct selabel_digest {
-- unsigned char *digest; /* SHA1 digest of specfiles */
+- unsigned char *digest; /* SHA1 digest of specfiles */
+- unsigned char *hashbuf; /* buffer to hold specfiles */
+- size_t hashbuf_size; /* buffer size */
+- size_t specfile_cnt; /* how many specfiles processed */
+- char **specfile_list; /* and their names */
+ unsigned char *digest; /* SHA256 digest of specfiles */
- unsigned char *hashbuf; /* buffer to hold specfiles */
- size_t hashbuf_size; /* buffer size */
- size_t specfile_cnt; /* how many specfiles processed */
-@@ -111,7 +111,7 @@ struct selabel_handle {
++ unsigned char *hashbuf; /* buffer to hold specfiles */
++ size_t hashbuf_size; /* buffer size */
++ size_t specfile_cnt; /* how many specfiles processed */
++ char **specfile_list; /* and their names */
+ };
+
+ extern int digest_add_specfile(struct selabel_digest *digest, FILE *fp,
+@@ -101,7 +101,7 @@ struct selabel_handle {
*/
char *spec_file;
@@ -334,33 +349,37 @@ index 743dbf9472cf..4180df92f405 100644
};
diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
-index 978ba828c159..daba26941ae7 100644
+index cc5c279e88fa..aea5ed19b45a 100644
--- a/libselinux/src/label_support.c
+++ b/libselinux/src/label_support.c
-@@ -120,7 +120,7 @@ int read_spec_entries(char *line_buf, size_t nread, const char **errbuf, int nu
+@@ -131,28 +131,27 @@ int read_spec_entries(char *line_buf, size_t nread, const char **errbuf,
/* Once all the specfiles are in the hash_buf, generate the hash. */
- void digest_gen_hash(struct selabel_digest *digest)
+ void digest_gen_hash(struct selabel_digest *digest)
{
- Sha1Context context;
+ Sha256Context context;
size_t remaining_size;
const unsigned char *ptr;
+- const uint32_t chunkSize = UINT32_MAX >> 3;
-@@ -128,19 +128,19 @@ void digest_gen_hash(struct selabel_digest *digest)
+ /* If SELABEL_OPT_DIGEST not set then just return */
if (!digest)
return;
- Sha1Initialise(&context);
+ Sha256Initialise(&context);
- /* Process in blocks of UINT32_MAX bytes */
+ /* Process in blocks of chunkSize bytes */
remaining_size = digest->hashbuf_size;
ptr = digest->hashbuf;
- while (remaining_size > UINT32_MAX) {
-- Sha1Update(&context, ptr, UINT32_MAX);
+- while (remaining_size > chunkSize) {
+- Sha1Update(&context, ptr, chunkSize);
+- remaining_size -= chunkSize;
+- ptr += chunkSize;
++ while (remaining_size > UINT32_MAX) {
+ Sha256Update(&context, ptr, UINT32_MAX);
- remaining_size -= UINT32_MAX;
- ptr += UINT32_MAX;
++ remaining_size -= UINT32_MAX;
++ ptr += UINT32_MAX;
}
- Sha1Update(&context, ptr, remaining_size);
+ Sha256Update(&context, ptr, remaining_size);
@@ -371,19 +390,19 @@ index 978ba828c159..daba26941ae7 100644
digest->hashbuf = NULL;
}
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index bc6ed935a4ad..93bd7779249b 100644
+index b34d8e60bb5b..d48d5a83ed6e 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
-@@ -37,7 +37,7 @@
+@@ -38,7 +38,7 @@
#include "callbacks.h"
#include "selinux_internal.h"
#include "label_file.h"
-#include "sha1.h"
+#include "sha256.h"
- #define STAR_COUNT 1024
-
-@@ -306,7 +306,7 @@ static uint64_t exclude_non_seclabel_mounts(void)
+ static struct selabel_handle *fc_sehandle = NULL;
+ static bool selabel_no_digest;
+@@ -360,7 +360,7 @@ static uint64_t exclude_non_seclabel_mounts(void)
static int add_xattr_entry(const char *directory, bool delete_nonmatch,
bool delete_all)
{
@@ -392,7 +411,7 @@ index bc6ed935a4ad..93bd7779249b 100644
size_t i, digest_len = 0;
int rc;
enum digest_result digest_result;
-@@ -330,15 +330,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+@@ -385,15 +385,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
}
/* Convert entry to a hex encoded string. */
@@ -411,7 +430,7 @@ index bc6ed935a4ad..93bd7779249b 100644
digest_result = match ? MATCH : NOMATCH;
-@@ -358,7 +358,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+@@ -414,7 +414,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
/* Now add entries to link list. */
new_entry = malloc(sizeof(struct dir_xattr));
if (!new_entry) {
@@ -420,7 +439,7 @@ index bc6ed935a4ad..93bd7779249b 100644
goto oom;
}
new_entry->next = NULL;
-@@ -366,15 +366,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+@@ -422,11 +422,17 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
new_entry->directory = strdup(directory);
if (!new_entry->directory) {
free(new_entry);
@@ -429,49 +448,112 @@ index bc6ed935a4ad..93bd7779249b 100644
goto oom;
}
-- new_entry->digest = strdup(sha1_buf);
+- new_entry->digest = sha1_buf;
+ new_entry->digest = strdup(sha256_buf);
- if (!new_entry->digest) {
- free(new_entry->directory);
- free(new_entry);
-- free(sha1_buf);
++ if (!new_entry->digest) {
++ free(new_entry->directory);
++ free(new_entry);
+ free(sha256_buf);
- goto oom;
- }
++ goto oom;
++ }
-@@ -388,7 +388,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ new_entry->result = digest_result;
+
+@@ -437,7 +443,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ dir_xattr_last->next = new_entry;
dir_xattr_last = new_entry;
}
-
-- free(sha1_buf);
+-
+ free(sha256_buf);
return 0;
oom:
-@@ -778,7 +778,7 @@ err:
+@@ -891,6 +897,11 @@ err:
+ goto out1;
+ }
+
++struct dir_hash_node {
++ char *path;
++ uint8_t digest[SHA256_HASH_SIZE];
++ struct dir_hash_node *next;
++};
+ /*
+ * Returns true if the digest of all partial matched contexts is the same as
+ * the one saved by setxattr. Otherwise returns false and sets @have_digest
+@@ -898,7 +909,7 @@ err:
+ * relabeling this directory.
+ */
+ static bool check_context_match_for_dir(const char *pathname,
+- uint8_t digest_out[SHA1_HASH_SIZE],
++ uint8_t digest_out[SHA256_HASH_SIZE],
+ bool *have_digest)
+ {
+ bool status;
+@@ -918,8 +929,8 @@ static bool check_context_match_for_dir(const char *pathname,
- struct dir_hash_node {
- char *path;
+ /* Save digest of all matched contexts for the current directory. */
+ if (calculated_digest) {
+- assert(digest_len == SHA1_HASH_SIZE);
+- memcpy(digest_out, calculated_digest, SHA1_HASH_SIZE);
++ assert(digest_len == SHA256_HASH_SIZE);
++ memcpy(digest_out, calculated_digest, SHA256_HASH_SIZE);
+ *have_digest = true;
+ }
+
+@@ -934,7 +945,7 @@ struct walk_level {
+ dev_t dev;
+ ino_t ino;
+ size_t pathlen;
- uint8_t digest[SHA1_HASH_SIZE];
+ uint8_t digest[SHA256_HASH_SIZE];
- struct dir_hash_node *next;
+ bool write_digest;
};
- /*
-@@ -1284,7 +1284,7 @@ static int selinux_restorecon_common(const char *pathname_orig,
- if (setxattr(current->path,
- RESTORECON_PARTIAL_MATCH_DIGEST,
- current->digest,
-- SHA1_HASH_SIZE, 0) < 0) {
-+ SHA256_HASH_SIZE, 0) < 0) {
+
+@@ -1227,7 +1238,7 @@ static int walk_next(struct rest_state *state, int *ent_fd, int *rd_fd,
+ !state->skipped_errors &&
+ fsetxattr(dirfd(top->dirp),
+ RESTORECON_PARTIAL_MATCH_DIGEST,
+- top->digest, SHA1_HASH_SIZE, 0) < 0) {
++ top->digest, SHA256_HASH_SIZE, 0) < 0) {
selinux_log(SELINUX_ERROR,
- "setxattr failed: %s: %m\n",
- current->path);
+ "Could not set digest on %s: %m\n",
+ state->pathbuf);
+@@ -1398,7 +1409,7 @@ static void *selinux_restorecon_thread(void *arg)
+ continue;
+ }
+
+- uint8_t digest[SHA1_HASH_SIZE];
++ uint8_t digest[SHA256_HASH_SIZE];
+ bool have_digest = false;
+
+ if (descend && state->setrestorecondigest &&
+@@ -1430,7 +1441,7 @@ static void *selinux_restorecon_thread(void *arg)
+ &state->stack[state->depth - 1];
+
+ memcpy(wl->digest, digest,
+- SHA1_HASH_SIZE);
++ SHA256_HASH_SIZE);
+ wl->write_digest = true;
+ }
+ }
+@@ -1768,6 +1779,11 @@ static int selinux_restorecon_common(const char *pathname_orig,
+ if (state.saved_errno)
+ goto out;
+
++ /*
++ * Note: Digest writing now happens in walk_pop() during traversal,
++ * not at the end. This FTS-based code is obsolete.
++ */
++
+ skipped_errors = state.skipped_errors;
+
+ out:
diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
deleted file mode 100644
-index 452b0cc2ad5a..000000000000
+index 279625ee177f..000000000000
--- a/libselinux/src/sha1.c
+++ /dev/null
-@@ -1,223 +0,0 @@
+@@ -1,284 +0,0 @@
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// LibSha1
-//
@@ -506,10 +588,9 @@ index 452b0cc2ad5a..000000000000
-// TYPES
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
--typedef union
--{
-- uint8_t c [64];
-- uint32_t l [16];
+-typedef union {
+- uint8_t c[64];
+- uint32_t l[16];
-} CHAR64LONG16;
-
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -519,79 +600,157 @@ index 452b0cc2ad5a..000000000000
-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
-
-// blk0() and blk() perform the initial expand.
--#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
-- |(rol(block->l[i],8)&0x00FF00FF))
+-#define blk0(i) \
+- (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) | \
+- (rol(block->l[i], 8) & 0x00FF00FF))
-
--#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
-- ^block->l[(i+2)&15]^block->l[i&15],1))
+-#define blk(i) \
+- (block->l[i & 15] = \
+- rol(block->l[(i + 13) & 15] ^ block->l[(i + 8) & 15] ^ \
+- block->l[(i + 2) & 15] ^ block->l[i & 15], \
+- 1))
-
-// (R0+R1), R2, R3, R4 are the different operations used in SHA1
--#define R0(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
--#define R1(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
--#define R2(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
--#define R3(v,w,x,y,z,i) do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
--#define R4(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
--
+-#define R0(v, w, x, y, z, i) \
+- do { \
+- z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
+- w = rol(w, 30); \
+- } while (0)
+-#define R1(v, w, x, y, z, i) \
+- do { \
+- z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
+- w = rol(w, 30); \
+- } while (0)
+-#define R2(v, w, x, y, z, i) \
+- do { \
+- z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \
+- w = rol(w, 30); \
+- } while (0)
+-#define R3(v, w, x, y, z, i) \
+- do { \
+- z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + \
+- rol(v, 5); \
+- w = rol(w, 30); \
+- } while (0)
+-#define R4(v, w, x, y, z, i) \
+- do { \
+- z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
+- w = rol(w, 30); \
+- } while (0)
-
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// TransformFunction
-//
-// Hash a single 512-bit block. This is the core of the algorithm
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--ignore_unsigned_overflow_
--static
--void
-- TransformFunction
-- (
-- uint32_t state[5],
-- const uint8_t buffer[64]
-- )
+-ignore_unsigned_overflow_ static void
+-TransformFunction(uint32_t state[5], const uint8_t buffer[64])
-{
-- uint32_t a;
-- uint32_t b;
-- uint32_t c;
-- uint32_t d;
-- uint32_t e;
-- CHAR64LONG16 workspace;
-- CHAR64LONG16* block = &workspace;
+- uint32_t a;
+- uint32_t b;
+- uint32_t c;
+- uint32_t d;
+- uint32_t e;
+- CHAR64LONG16 workspace;
+- CHAR64LONG16 *block = &workspace;
-
-- memcpy(block, buffer, 64);
+- memcpy(block, buffer, 64);
-
-- // Copy context->state[] to working vars
-- a = state[0];
-- b = state[1];
-- c = state[2];
-- d = state[3];
-- e = state[4];
+- // Copy context->state[] to working vars
+- a = state[0];
+- b = state[1];
+- c = state[2];
+- d = state[3];
+- e = state[4];
-
-- // 4 rounds of 20 operations each. Loop unrolled.
-- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
-- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
-- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
-- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
-- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
-- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
-- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
-- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
-- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
-- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
-- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
-- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
-- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
-- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
-- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
-- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
-- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
-- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
-- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
-- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+- // 4 rounds of 20 operations each. Loop unrolled.
+- R0(a, b, c, d, e, 0);
+- R0(e, a, b, c, d, 1);
+- R0(d, e, a, b, c, 2);
+- R0(c, d, e, a, b, 3);
+- R0(b, c, d, e, a, 4);
+- R0(a, b, c, d, e, 5);
+- R0(e, a, b, c, d, 6);
+- R0(d, e, a, b, c, 7);
+- R0(c, d, e, a, b, 8);
+- R0(b, c, d, e, a, 9);
+- R0(a, b, c, d, e, 10);
+- R0(e, a, b, c, d, 11);
+- R0(d, e, a, b, c, 12);
+- R0(c, d, e, a, b, 13);
+- R0(b, c, d, e, a, 14);
+- R0(a, b, c, d, e, 15);
+- R1(e, a, b, c, d, 16);
+- R1(d, e, a, b, c, 17);
+- R1(c, d, e, a, b, 18);
+- R1(b, c, d, e, a, 19);
+- R2(a, b, c, d, e, 20);
+- R2(e, a, b, c, d, 21);
+- R2(d, e, a, b, c, 22);
+- R2(c, d, e, a, b, 23);
+- R2(b, c, d, e, a, 24);
+- R2(a, b, c, d, e, 25);
+- R2(e, a, b, c, d, 26);
+- R2(d, e, a, b, c, 27);
+- R2(c, d, e, a, b, 28);
+- R2(b, c, d, e, a, 29);
+- R2(a, b, c, d, e, 30);
+- R2(e, a, b, c, d, 31);
+- R2(d, e, a, b, c, 32);
+- R2(c, d, e, a, b, 33);
+- R2(b, c, d, e, a, 34);
+- R2(a, b, c, d, e, 35);
+- R2(e, a, b, c, d, 36);
+- R2(d, e, a, b, c, 37);
+- R2(c, d, e, a, b, 38);
+- R2(b, c, d, e, a, 39);
+- R3(a, b, c, d, e, 40);
+- R3(e, a, b, c, d, 41);
+- R3(d, e, a, b, c, 42);
+- R3(c, d, e, a, b, 43);
+- R3(b, c, d, e, a, 44);
+- R3(a, b, c, d, e, 45);
+- R3(e, a, b, c, d, 46);
+- R3(d, e, a, b, c, 47);
+- R3(c, d, e, a, b, 48);
+- R3(b, c, d, e, a, 49);
+- R3(a, b, c, d, e, 50);
+- R3(e, a, b, c, d, 51);
+- R3(d, e, a, b, c, 52);
+- R3(c, d, e, a, b, 53);
+- R3(b, c, d, e, a, 54);
+- R3(a, b, c, d, e, 55);
+- R3(e, a, b, c, d, 56);
+- R3(d, e, a, b, c, 57);
+- R3(c, d, e, a, b, 58);
+- R3(b, c, d, e, a, 59);
+- R4(a, b, c, d, e, 60);
+- R4(e, a, b, c, d, 61);
+- R4(d, e, a, b, c, 62);
+- R4(c, d, e, a, b, 63);
+- R4(b, c, d, e, a, 64);
+- R4(a, b, c, d, e, 65);
+- R4(e, a, b, c, d, 66);
+- R4(d, e, a, b, c, 67);
+- R4(c, d, e, a, b, 68);
+- R4(b, c, d, e, a, 69);
+- R4(a, b, c, d, e, 70);
+- R4(e, a, b, c, d, 71);
+- R4(d, e, a, b, c, 72);
+- R4(c, d, e, a, b, 73);
+- R4(b, c, d, e, a, 74);
+- R4(a, b, c, d, e, 75);
+- R4(e, a, b, c, d, 76);
+- R4(d, e, a, b, c, 77);
+- R4(c, d, e, a, b, 78);
+- R4(b, c, d, e, a, 79);
-
-- // Add the working vars back into context.state[]
-- state[0] += a;
-- state[1] += b;
-- state[2] += c;
-- state[3] += d;
-- state[4] += e;
+- // Add the working vars back into context.state[]
+- state[0] += a;
+- state[1] += b;
+- state[2] += c;
+- state[3] += d;
+- state[4] += e;
-}
-
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -603,20 +762,16 @@ index 452b0cc2ad5a..000000000000
-//
-// Initialises an SHA1 Context. Use this to initialise/reset a context.
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Initialise
-- (
-- Sha1Context* Context
-- )
+-void Sha1Initialise(Sha1Context *Context)
-{
-- // SHA1 initialization constants
-- Context->State[0] = 0x67452301;
-- Context->State[1] = 0xEFCDAB89;
-- Context->State[2] = 0x98BADCFE;
-- Context->State[3] = 0x10325476;
-- Context->State[4] = 0xC3D2E1F0;
-- Context->Count[0] = 0;
-- Context->Count[1] = 0;
+- // SHA1 initialization constants
+- Context->State[0] = 0x67452301;
+- Context->State[1] = 0xEFCDAB89;
+- Context->State[2] = 0x98BADCFE;
+- Context->State[3] = 0x10325476;
+- Context->State[4] = 0xC3D2E1F0;
+- Context->Count[0] = 0;
+- Context->Count[1] = 0;
-}
-
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -625,41 +780,32 @@ index 452b0cc2ad5a..000000000000
-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Update
-- (
-- Sha1Context* Context,
-- const void* Buffer,
-- uint32_t BufferSize
-- )
+-void Sha1Update(Sha1Context *Context, const void *Buffer, uint32_t BufferSize)
-{
-- uint32_t i;
-- uint32_t j;
+- uint32_t i;
+- uint32_t j;
-
-- j = (Context->Count[0] >> 3) & 63;
-- if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3))
-- {
-- Context->Count[1]++;
-- }
+- j = (Context->Count[0] >> 3) & 63;
+- if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3)) {
+- Context->Count[1]++;
+- }
-
-- Context->Count[1] += (BufferSize >> 29);
-- if ((j + BufferSize) > 63)
-- {
-- i = 64 - j;
-- memcpy(&Context->Buffer[j], Buffer, i);
-- TransformFunction(Context->State, Context->Buffer);
-- for (; i + 63 < BufferSize; i += 64)
-- {
-- TransformFunction(Context->State, (const uint8_t*)Buffer + i);
-- }
-- j = 0;
-- }
-- else
-- {
-- i = 0;
-- }
+- Context->Count[1] += (BufferSize >> 29);
+- if ((j + BufferSize) > 63) {
+- i = 64 - j;
+- memcpy(&Context->Buffer[j], Buffer, i);
+- TransformFunction(Context->State, Context->Buffer);
+- for (; i + 63 < BufferSize; i += 64) {
+- TransformFunction(Context->State,
+- (const uint8_t *)Buffer + i);
+- }
+- j = 0;
+- } else {
+- i = 0;
+- }
-
-- memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
+- memcpy(&Context->Buffer[j], &((const uint8_t *)Buffer)[i],
+- BufferSize - i);
-}
-
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -668,39 +814,36 @@ index 452b0cc2ad5a..000000000000
-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
-// calling this, Sha1Initialised must be used to reuse the context.
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Finalise
-- (
-- Sha1Context* Context,
-- SHA1_HASH* Digest
-- )
+-void Sha1Finalise(Sha1Context *Context, SHA1_HASH *Digest)
-{
-- uint32_t i;
-- uint8_t finalcount[8];
+- uint32_t i;
+- uint8_t finalcount[8];
-
-- for (i = 0; i < 8; i++)
-- {
-- finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
-- >> ((3-(i & 3)) * 8) ) & 255); // Endian independent
-- }
-- Sha1Update(Context, (const uint8_t*)"\x80", 1);
-- while ((Context->Count[0] & 504) != 448)
-- {
-- Sha1Update(Context, (const uint8_t*)"\0", 1);
-- }
+- for (i = 0; i < 8; i++) {
+- finalcount[i] =
+- (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)] >>
+- ((3 - (i & 3)) * 8)) &
+- 255); // Endian independent
+- }
+- Sha1Update(Context, (const uint8_t *)"\x80", 1);
+- while ((Context->Count[0] & 504) != 448) {
+- Sha1Update(Context, (const uint8_t *)"\0", 1);
+- }
-
-- Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction()
-- for (i = 0; i < SHA1_HASH_SIZE; i++)
-- {
-- Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
-- }
+- Sha1Update(Context, finalcount,
+- 8); // Should cause a Sha1TransformFunction()
+- for (i = 0; i < SHA1_HASH_SIZE; i++) {
+- Digest->bytes[i] = (uint8_t)((Context->State[i >> 2] >>
+- ((3 - (i & 3)) * 8)) &
+- 255);
+- }
-}
diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
deleted file mode 100644
-index f83a6e7ed7ba..000000000000
+index fbf4d65538fb..000000000000
--- a/libselinux/src/sha1.h
+++ /dev/null
-@@ -1,85 +0,0 @@
+@@ -1,68 +0,0 @@
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// LibSha1
-//
@@ -728,18 +871,16 @@ index f83a6e7ed7ba..000000000000
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly.
--typedef struct
--{
-- uint32_t State[5];
-- uint32_t Count[2];
-- uint8_t Buffer[64];
+-typedef struct {
+- uint32_t State[5];
+- uint32_t Count[2];
+- uint8_t Buffer[64];
-} Sha1Context;
-
--#define SHA1_HASH_SIZE ( 160 / 8 )
+-#define SHA1_HASH_SIZE (160 / 8)
-
--typedef struct
--{
-- uint8_t bytes [SHA1_HASH_SIZE];
+-typedef struct {
+- uint8_t bytes[SHA1_HASH_SIZE];
-} SHA1_HASH;
-
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -751,11 +892,7 @@ index f83a6e7ed7ba..000000000000
-//
-// Initialises an SHA1 Context. Use this to initialise/reset a context.
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Initialise
-- (
-- Sha1Context* Context
-- );
+-void Sha1Initialise(Sha1Context *Context);
-
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha1Update
@@ -763,13 +900,7 @@ index f83a6e7ed7ba..000000000000
-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Update
-- (
-- Sha1Context* Context,
-- const void* Buffer,
-- uint32_t BufferSize
-- );
+-void Sha1Update(Sha1Context *Context, const void *Buffer, uint32_t BufferSize);
-
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha1Finalise
@@ -777,12 +908,7 @@ index f83a6e7ed7ba..000000000000
-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
-// calling this, Sha1Initialised must be used to reuse the context.
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
-- Sha1Finalise
-- (
-- Sha1Context* Context,
-- SHA1_HASH* Digest
-- );
+-void Sha1Finalise(Sha1Context *Context, SHA1_HASH *Digest);
-
-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-#endif //_sha1_h_
@@ -1182,13 +1308,13 @@ index 000000000000..406ed869cd82
+ SHA256_HASH* Digest // [in]
+ );
diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
-index 47aad21ff1fb..8bcd44a1dc73 100644
+index 2c395db6f84f..77c1b1131e31 100644
--- a/libselinux/utils/selabel_digest.c
+++ b/libselinux/utils/selabel_digest.c
-@@ -13,8 +13,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+@@ -13,8 +13,8 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
"Where:\n\t"
"-b The backend - \"file\", \"media\", \"x\", \"db\" or "
- "\"prop\"\n\t"
+ "\"prop\"\n\t"
- "-v Run \"cat <specfile_list> | openssl dgst -sha1 -hex\"\n\t"
- " on the list of specfiles to compare the SHA1 digests.\n\t"
+ "-v Run \"cat <specfile_list> | openssl dgst -sha256 -hex\"\n\t"
@@ -1196,7 +1322,7 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
"-B Use base specfiles only (valid for \"-b file\" only).\n\t"
"-i Do not request a digest.\n\t"
"-f Optional file containing the specs (defaults to\n\t"
-@@ -61,12 +61,12 @@ int main(int argc, char **argv)
+@@ -63,12 +63,12 @@ int main(int argc, char **argv)
int rc, opt, validate = 0;
char *baseonly = NULL, *file = NULL, *digest = (char *)1;
char **specfiles = NULL;
@@ -1210,17 +1336,17 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
+ char *sha256_buf = NULL;
struct selabel_handle *hnd;
- struct selinux_opt selabel_option[] = {
-@@ -136,7 +136,7 @@ int main(int argc, char **argv)
+ struct selinux_opt selabel_option[] = { { SELABEL_OPT_PATH, file },
+@@ -138,7 +138,7 @@ int main(int argc, char **argv)
return -1;
}
- rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles,
+ rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles,
- &num_specfiles);
+ &num_specfiles);
if (rc) {
-@@ -151,19 +151,19 @@ int main(int argc, char **argv)
+@@ -153,19 +153,19 @@ int main(int argc, char **argv)
goto err;
}
@@ -1229,7 +1355,7 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
+ sha256_buf = malloc(digest_len * 2 + 1);
+ if (!sha256_buf) {
fprintf(stderr, "Could not malloc buffer ERROR: %s\n",
- strerror(errno));
+ strerror(errno));
rc = -1;
goto err;
}
@@ -1245,15 +1371,16 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
printf("calculated using the following specfile(s):\n");
if (specfiles) {
-@@ -198,19 +198,19 @@ int main(int argc, char **argv)
- }
+@@ -204,7 +204,7 @@ int main(int argc, char **argv)
if (validate) {
-- ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha1 -hex");
-+ ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha256 -hex");
+ ret = snprintf(cmd_ptr, cmd_rem,
+- "| /usr/bin/openssl dgst -sha1 -hex");
++ "| /usr/bin/openssl dgst -sha256 -hex");
if (ret < 0 || (size_t)ret >= cmd_rem) {
- fprintf(stderr, "Could not format validate command\n");
- rc = -1;
+ fprintf(stderr,
+ "Could not format validate command\n");
+@@ -212,12 +212,12 @@ int main(int argc, char **argv)
goto err;
}
@@ -1269,10 +1396,10 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
return rc;
}
diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-index e2733b4195ff..98e533dc2692 100644
+index 0552ef0f58df..649e8b7aa0a2 100644
--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-@@ -16,8 +16,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+@@ -16,8 +16,8 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
"-v Validate file_contxts entries against loaded policy.\n\t"
"-r Recursively descend directories.\n\t"
"-f Optional file_contexts file (defaults to current policy).\n\t"
@@ -1282,8 +1409,8 @@ index e2733b4195ff..98e533dc2692 100644
+ "This will check the directory selinux.sehash SHA256 digest for "
"<path> against\na newly generated digest based on the "
"file_context entries for that node\n(using the regx, mode "
- "and path entries).\n", progname);
-@@ -35,7 +35,7 @@ int main(int argc, char **argv)
+ "and path entries).\n",
+@@ -36,7 +36,7 @@ int main(int argc, char **argv)
char *paths[2] = { NULL, NULL };
uint8_t *xattr_digest = NULL;
uint8_t *calculated_digest = NULL;
@@ -1292,17 +1419,18 @@ index e2733b4195ff..98e533dc2692 100644
struct selabel_handle *hnd;
struct selinux_opt selabel_option[] = {
-@@ -104,27 +104,27 @@ int main(int argc, char **argv)
- &xattr_digest,
- &digest_len);
+@@ -101,8 +101,8 @@ int main(int argc, char **argv)
+ hnd, ftsent->fts_path, &calculated_digest,
+ &xattr_digest, &digest_len);
- sha1_buf = calloc(1, digest_len * 2 + 1);
- if (!sha1_buf) {
+ sha256_buf = calloc(1, digest_len * 2 + 1);
+ if (!sha256_buf) {
- fprintf(stderr, "Could not calloc buffer ERROR: %s\n",
- strerror(errno));
- return -1;
+ fprintf(stderr,
+ "Could not calloc buffer ERROR: %s\n",
+ strerror(errno));
+@@ -110,19 +110,19 @@ int main(int argc, char **argv)
}
if (status) { /* They match */
@@ -1326,7 +1454,7 @@ index e2733b4195ff..98e533dc2692 100644
ftsent->fts_path);
printf("as file_context entry is \"<<none>>\"\n");
goto cleanup;
-@@ -134,25 +134,25 @@ int main(int argc, char **argv)
+@@ -132,25 +132,25 @@ int main(int argc, char **argv)
ftsent->fts_path);
for (i = 0; i < digest_len; i++)
@@ -1349,7 +1477,7 @@ index e2733b4195ff..98e533dc2692 100644
+ printf("%s\n", sha256_buf);
}
}
- cleanup:
+ cleanup:
free(xattr_digest);
free(calculated_digest);
- free(sha1_buf);
@@ -1358,5 +1486,5 @@ index e2733b4195ff..98e533dc2692 100644
}
default:
--
-2.47.0
+2.54.0
diff --git a/changelog b/changelog
index 56a9008..55ef0fd 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,9 @@
+* Wed Jul 01 2026 Petr Lautrbach <lautrbach@redhat.com> - 3.11-1
+- SELinux userspace 3.11 release
+
+* Wed Jun 03 2026 Python Maint <python-maint@redhat.com> - 3.10-2
+- Rebuilt for Python 3.15
+
* Mon Feb 02 2026 Petr Lautrbach <lautrbach@redhat.com> - 3.10-1
- SELinux userspace 3.10 release
diff --git a/libselinux.spec b/libselinux.spec
index 5ec26dd..4e0f72f 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -1,29 +1,29 @@
%define ruby_inc %(pkg-config --cflags ruby)
-%define libsepolver 3.10-1
+%define libsepolver 3.11-1
Summary: SELinux library and simple utilities
Name: libselinux
-Version: 3.10
-Release: 2%{?dist}
+Version: 3.11
+Release: 1%{?dist}
License: LicenseRef-Fedora-Public-Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz.asc
-Source2: https://github.com/perfinion.gpg
+Source2: https://github.com/bachradsusi.gpg
Source3: selinuxconlist.8
Source4: selinuxdefcon.8
Url: https://github.com/SELinuxProject/selinux/wiki
# $ git clone https://github.com/fedora-selinux/selinux.git
# $ cd selinux
-# $ git format-patch -N 3.10 -- libselinux
+# $ git format-patch -N 3.11 -- libselinux
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
# Patch list start
Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
# Patch list end
BuildRequires: gcc make
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel
-BuildRequires: python3 python3-devel python3-setuptools python3-pip
+BuildRequires: python3 python3-devel python3-setuptools python3-pip python3-build
BuildRequires: (python3-wheel if python3-setuptools < 71)
BuildRequires: systemd
BuildRequires: gnupg2
@@ -221,7 +221,4 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{ruby_vendorarchdir}/selinux.so
%changelog
-* Wed Jun 03 2026 Python Maint <python-maint@redhat.com> - 3.10-2
-- Rebuilt for Python 3.15
-
%autochangelog
diff --git a/sources b/sources
index 557820a..f772a29 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (libselinux-3.10.tar.gz) = 5783f737675eb94e0bdff082013589e5bddfa0669a357df185eb89f4f88cec8b90779e86c4b17b58f5c248175da0208c80cc2642046e348c7384dd799f1ba4c1
-SHA512 (libselinux-3.10.tar.gz.asc) = 6e0a18eb77b810eb7cbf756dcd82f57fa71d7c8d066ea99f754760d9e61db8f22e776c729a7387b01638249dacc270da7a5eb6a7ed38377ba858bebcd090cce6
+SHA512 (libselinux-3.11.tar.gz) = 49eb0b180b77b4b61505117ecd98ab9fdd79a36801b6d2216813ea370a02ba4f58a0f87a18e92a2d4eeffc11d9df67e4692d2d8f5d3ee77a2abd3f606196aaad
+SHA512 (libselinux-3.11.tar.gz.asc) = fa950a332a353dfbb7959b785956076d0547b6cf5387ecbaeeb11f8171a4fc3679772707364dee4bf8db76232eb2ea6a8f0280674a8351dcf98074892c3100de
reply other threads:[~2026-07-01 19:36 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=178293458652.1.5830165486301475632.rpms-libselinux-41d874fcf881@fedoraproject.org \
--to=lautrbach@redhat.com \
--cc=git-commits@fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox