Message ID | 20251017064318.3442718-1-quic_sasikuma@quicinc.com |
---|---|
State | New |
Series | [meta-selinux] genhomedircon: remove build path reference from generated file_context.homedirs header |
On 10/17/25 14:43, Sasi Kumar Maddineni (QUIC) via lists.yoctoproject.org wrote:
> The heading() function in genhomedircon.py included a comment referencing the
> absolute path to the local.users file, which resides under TMPDIR during Yocto
> builds. This caused the package QA check 'buildpaths' to fail due to the presence
> of build-time paths in the final packaged output.
>
> Reference:
> The below commented lines are in filecontexts.homedirs file as a header,
> which contains TMPDIR path. So, do_package_qa is flagging this issue in
> case of MONOLITHIC design.
>
> To resolve this, the line generating the comment with the full path was removed,
> preventing unnecessary QA errors and ensuring cleaner policy files.

We can simply use 'sed' to filter TMPDIR. For example, add the following line in do_install:append():

    sed -i -e 's|${D}||' ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.homedirs

//Yi

>
> Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com>
> ---
> ...move-build-path-reference-from-gener.patch | 36 +++++++++++++++++++
> .../refpolicy/refpolicy_common.inc | 3 +-
> 2 files changed, 38 insertions(+), 1 deletion(-)
> create mode 100644 recipes-security/refpolicy/refpolicy/0057-genhomedircon-remove-build-path-reference-from-gener.patch
>
> diff --git a/recipes-security/refpolicy/refpolicy/0057-genhomedircon-remove-build-path-reference-from-gener.patch b/recipes-security/refpolicy/refpolicy/0057-genhomedircon-remove-build-path-reference-from-gener.patch > new file mode 100644 > index 0000000..af9bba3 > --- /dev/null > +++ b/recipes-security/refpolicy/refpolicy/0057-genhomedircon-remove-build-path-reference-from-gener.patch 
> @@ -0,0 +1,36 @@ > +From f584d80dc13f63119af53618350fd8262f17fe63 Mon Sep 17 00:00:00 2001 > +From: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com> > +Date: Fri, 17 Oct 2025 11:51:15 +0530 > +Subject: [PATCH] genhomedircon: remove build path reference from generated > + file_context.homedirs header > + > +The heading() function in genhomedircon.py included a comment referencing the > +absolute path to the local.users file, which resides under TMPDIR during Yocto > +builds. This caused the package QA check 'buildpaths' to fail due to the presence > +of build-time paths in the final packaged output. > + > +To resolve this, the line generating the comment with the full path was removed, > +preventing unnecessary QA errors and ensuring cleaner policy files. > + > +Upstream-Status: Pending > + > +Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com> > +--- > + support/genhomedircon.py | 1 - > + 1 file changed, 1 deletion(-) > + > +diff --git a/support/genhomedircon.py b/support/genhomedircon.py > +index b865a07c8..e7685545f 100644 > +--- a/support/genhomedircon.py > ++++ b/support/genhomedircon.py > +@@ -157,7 +157,6 @@ class selinuxConfig: > + > + def heading(self): > + ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] > +- ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile() > + return ret > + > + def getUsers(self): > +-- > +2.34.1 > + > diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc > index cf32723..aa782ca 100644 > --- a/recipes-security/refpolicy/refpolicy_common.inc > +++ b/recipes-security/refpolicy/refpolicy_common.inc 
> @@ -72,7 +72,8 @@ SRC_URI += " \ > file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ > file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ > file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \ > - " > + file://0057-genhomedircon-remove-build-path-reference-from-gener.patch \ > + " > > S = "${UNPACKDIR}/refpolicy" >
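Review bot: In the SRC_URI hunk of refpolicy_common.inc the closing '"' line is removed and re-added, so its whitespace changed and the file shows 2 insertions and 1 deletion where a single added line would do. Leave the closing quote line untouched and add only the file://0057-genhomedircon-remove-build-path-reference-from-gener.patch entry above it, so the change to the recipe is limited to the new SRC_URI item.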
diff --git a/recipes-security/refpolicy/refpolicy/0057-genhomedircon-remove-build-path-reference-from-gener.patch b/recipes-security/refpolicy/refpolicy/0057-genhomedircon-remove-build-path-reference-from-gener.patch new file mode 100644 index 0000000..af9bba3 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0057-genhomedircon-remove-build-path-reference-from-gener.patch @@ -0,0 +1,36 @@ +From f584d80dc13f63119af53618350fd8262f17fe63 Mon Sep 17 00:00:00 2001 +From: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com> +Date: Fri, 17 Oct 2025 11:51:15 +0530 +Subject: [PATCH] genhomedircon: remove build path reference from generated + file_context.homedirs header + +The heading() function in genhomedircon.py included a comment referencing the +absolute path to the local.users file, which resides under TMPDIR during Yocto +builds. This caused the package QA check 'buildpaths' to fail due to the presence +of build-time paths in the final packaged output. + +To resolve this, the line generating the comment with the full path was removed, +preventing unnecessary QA errors and ensuring cleaner policy files. + +Upstream-Status: Pending + +Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com> +--- + support/genhomedircon.py | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/support/genhomedircon.py b/support/genhomedircon.py +index b865a07c8..e7685545f 100644 +--- a/support/genhomedircon.py ++++ b/support/genhomedircon.py +@@ -157,7 +157,6 @@ class selinuxConfig: + + def heading(self): + ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] +- ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile() + return ret + + def getUsers(self): +-- +2.34.1 + diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index cf32723..aa782ca 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc 
@@ -72,7 +72,8 @@ SRC_URI += " \ file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \ - " + file://0057-genhomedircon-remove-build-path-reference-from-gener.patch \ + " S = "${UNPACKDIR}/refpolicy"
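Review bot: In heading() in support/genhomedircon.py, the line that remains still interpolates sys.argv[0] into the "generated via %s" comment, so the header can still carry a build-time path whenever the script is invoked by an absolute path; consider os.path.basename(sys.argv[0]) there. The deleted line also supplied the trailing "#\n#\n" that closed the comment banner, so the header now ends directly after the "generated via" line; if the banner layout matters, keep those terminator lines and drop only the "edit %s" text. The embedded patch is marked Upstream-Status: Pending, and the change to the generated header is not specific to Yocto, so it is worth stating in the commit message whether it has been sent to refpolicy upstream.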
The heading() function in genhomedircon.py included a comment referencing the absolute path to the local.users file, which resides under TMPDIR during Yocto builds. This caused the package QA check 'buildpaths' to fail due to the presence of build-time paths in the final packaged output.

Reference:
The below commented lines are in filecontexts.homedirs file as a header, which contains TMPDIR path. So, do_package_qa is flagging this issue in case of MONOLITHIC design.

To resolve this, the line generating the comment with the full path was removed, preventing unnecessary QA errors and ensuring cleaner policy files.

Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com>
---
 ...move-build-path-reference-from-gener.patch | 36 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc | 3 +-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 recipes-security/refpolicy/refpolicy/0057-genhomedircon-remove-build-path-reference-from-gener.patch
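
The two approaches in this thread (dropping the header line, or filtering ${D} with sed) can be compared with a small check for leftover build paths, shown here as an added example that is not code from the patch or from meta-selinux. The directory names, the policy name "targeted" and the file-context entry are constructed, and the case where the script is invoked by an absolute path is an assumption.

```python
# Constructed build directories standing in for Yocto's TMPDIR and ${D}.
TMPDIR = "/build/tmp"
D = TMPDIR + "/work/qemu/refpolicy/1.0/image"

BANNER = "\n#\n#\n# User-specific file contexts, generated via %s\n"
EDIT = "# edit %s to change file_context\n#\n#\n"
RULE = "/home/[^/]+/.+\tsystem_u:object_r:user_home_t\n"  # constructed entry

def header(argv0, users_file=None):
    """Build a header in the shape heading() emits; users_file=None models the patch."""
    text = BANNER % argv0
    if users_file is not None:
        text += EDIT % users_file
    return text + RULE

def strip_destdir(text, destdir):
    """Literal-string equivalent of sed 's|${D}||': first occurrence per line."""
    return "\n".join(line.replace(destdir, "", 1) for line in text.split("\n"))

def find_build_paths(text, tmpdir):
    """Return (line_number, line) for every line that still mentions tmpdir."""
    return [(n, line) for n, line in enumerate(text.split("\n"), 1)
            if tmpdir in line]

USERS = D + "/etc/selinux/targeted/users/local.users"  # constructed path
ABS_ARGV0 = TMPDIR + "/work/qemu/refpolicy/1.0/src/support/genhomedircon.py"

# Case 1: unpatched header, script invoked by a relative path.
before = header("support/genhomedircon.py", USERS)
# Case 2 (assumed): unpatched header, script invoked by an absolute path outside ${D}.
abs_argv = header(ABS_ARGV0, USERS)

if __name__ == "__main__":
    for name, text in (("relative argv0", before), ("absolute argv0", abs_argv)):
        print(name, "raw:", find_build_paths(text, TMPDIR))
        print(name, "filtered:", find_build_paths(strip_destdir(text, D), TMPDIR))
```

Running the same check over the real file_contexts.homedirs after do_install shows whether either fix leaves a TMPDIR reference behind.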