Message ID | 20240625143317.1644238-1-ecordonnier@snap.com |
---|---|
State | New |
Series | [meta-selinux,scarthgap] refpolicy: backport build fix |
This has been fixed in https://git.yoctoproject.org/meta-selinux/commit/?h=scarthgap&id=17c7cd46219e74bf7404dca23b9b9f6380e2d3c0

//Yi

On 6/25/24 22:33, Etienne Cordonnier via lists.yoctoproject.org wrote:
> From: Etienne Cordonnier <ecordonnier@snap.com> > > Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com> > --- > ...-selinuxutil-make-policykit-optional.patch | 36 +++++++++++++++++++ > .../refpolicy/refpolicy_common.inc | 1 + > 2 files changed, 37 insertions(+) > create mode 100644 recipes-security/refpolicy/refpolicy/0057-selinuxutil-make-policykit-optional.patch > > diff --git a/recipes-security/refpolicy/refpolicy/0057-selinuxutil-make-policykit-optional.patch b/recipes-security/refpolicy/refpolicy/0057-selinuxutil-make-policykit-optional.patch > new file mode 100644 > index 0000000..62b35d5 > --- /dev/null > +++ b/recipes-security/refpolicy/refpolicy/0057-selinuxutil-make-policykit-optional.patch
> @@ -0,0 +1,36 @@ > +From 0f997a134adb6c68d871a31ec27d63f02297c588 Mon Sep 17 00:00:00 2001 > +From: Yi Zhao <yi.zhao@windriver.com> > +Date: Wed, 5 Jun 2024 10:32:34 +0800 > +Subject: [PATCH] selinuxutil: make policykit optional > + > +Make policykit optional to avoid a potential build error. > + > +Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/c6dd4087def22fa0f3e2b62bce5fc531bbf824a0] > + > +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> > +Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com> > +--- > + policy/modules/system/selinuxutil.te | 6 ++++-- > + 1 file changed, 4 insertions(+), 2 deletions(-) > + > +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > +index 57c2e0e01..c65d5e8e6 100644 > +--- a/policy/modules/system/selinuxutil.te > ++++ b/policy/modules/system/selinuxutil.te > +@@ -501,12 +501,14 @@ corecmd_exec_bin(selinux_dbus_t) > + files_read_etc_symlinks(selinux_dbus_t) > + files_list_usr(selinux_dbus_t) > + > +-policykit_dbus_chat(selinux_dbus_t) > +- > + miscfiles_read_localization(selinux_dbus_t) > + > + seutil_domtrans_semanage(selinux_dbus_t) > + > ++optional_policy(` > ++ policykit_dbus_chat(selinux_dbus_t) > ++') > ++ > + ######################################## > + # > + # semodule local policy > diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc > index 6ea1fc2..0f5fe1b 100644 > --- a/recipes-security/refpolicy/refpolicy_common.inc > +++ b/recipes-security/refpolicy/refpolicy_common.inc > @@ -72,6 +72,7 @@ SRC_URI += " \ > file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ > file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ > file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \ > + file://0057-selinuxutil-make-policykit-optional.patch \ > " > > S = "${WORKDIR}/refpolicy"
diff --git a/recipes-security/refpolicy/refpolicy/0057-selinuxutil-make-policykit-optional.patch b/recipes-security/refpolicy/refpolicy/0057-selinuxutil-make-policykit-optional.patch new file mode 100644 index 0000000..62b35d5 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0057-selinuxutil-make-policykit-optional.patch @@ -0,0 +1,36 @@ +From 0f997a134adb6c68d871a31ec27d63f02297c588 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Wed, 5 Jun 2024 10:32:34 +0800 +Subject: [PATCH] selinuxutil: make policykit optional + +Make policykit optional to avoid a potential build error. + +Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/c6dd4087def22fa0f3e2b62bce5fc531bbf824a0] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com> +--- + policy/modules/system/selinuxutil.te | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 57c2e0e01..c65d5e8e6 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -501,12 +501,14 @@ corecmd_exec_bin(selinux_dbus_t) + files_read_etc_symlinks(selinux_dbus_t) + files_list_usr(selinux_dbus_t) + +-policykit_dbus_chat(selinux_dbus_t) +- + miscfiles_read_localization(selinux_dbus_t) + + seutil_domtrans_semanage(selinux_dbus_t) + ++optional_policy(` ++ policykit_dbus_chat(selinux_dbus_t) ++') ++ + ######################################## + # + # semodule local policy diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 6ea1fc2..0f5fe1b 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc 
@@ -72,6 +72,7 @@ SRC_URI += " \ file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \ + file://0057-selinuxutil-make-policykit-optional.patch \ " S = "${WORKDIR}/refpolicy"
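Review bot: the commit message inside the new 0057 patch file says only "avoid a potential build error" and does not name the condition that triggers it. In the selinuxutil.te hunk the call policykit_dbus_chat(selinux_dbus_t) is moved into an optional_policy block, which is the construct used when the module providing an interface may be absent from the build, so the message should say so explicitly (presumably a policy built without the policykit module) and quote the error text if available. It would also help to state that the rules for selinux_dbus_t are unchanged when policykit is present, so reviewers can confirm the backport does not widen or narrow permissions on images that ship it.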
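Review bot: the outer commit that adds file://0057-selinuxutil-make-policykit-optional.patch to SRC_URI in refpolicy_common.inc has an empty body (only From: and Signed-off-by: appear above the ---), so the stable-branch history would carry no record of why scarthgap needs this entry. Please add a short description of the build failure being fixed and a reference to the corresponding change on the development branch. The reply in this thread also points to commit 17c7cd46219e74bf7404dca23b9b9f6380e2d3c0 on scarthgap as already containing the fix, so this hunk should be checked against the current branch tip before applying to avoid listing the same patch twice.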