From patchwork Thu Feb 20 09:43:43 2025
From: Yi Zhao
To: yocto-patches@lists.yoctoproject.org, joe@deserted.net, joe.macdonald@siemens.com
Subject: [meta-selinux][PATCH 1/3] setools: inherit cython class
Date: Thu, 20 Feb 2025 17:43:43 +0800
Message-Id: <20250220094345.1119650-1-yi.zhao@windriver.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/1097

Use the new cython class to avoid duplicated fixup code to remove build paths.

Signed-off-by: Yi Zhao
--- recipes-security/setools/setools_4.5.1.bb | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/recipes-security/setools/setools_4.5.1.bb b/recipes-security/setools/setools_4.5.1.bb index 9b6745e..723eeb0 100644 --- a/recipes-security/setools/setools_4.5.1.bb +++ b/recipes-security/setools/setools_4.5.1.bb
@@ -16,17 +16,13 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=69a7b68f0a4a570d7c0c43465333ecbc \ S = "${WORKDIR}/git" -DEPENDS = "python3-cython-native libsepol libselinux" +DEPENDS = "libsepol libselinux" RDEPENDS:${PN} = "python3-networkx python3-logging libselinux-python" RPROVIDES:${PN} = "${PN}-console" -inherit python_setuptools_build_meta - -do_install:prepend() { - sed -i -e 's:${RECIPE_SYSROOT}::g' ${S}/setools/policyrep.c -} +inherit python_setuptools_build_meta cython do_install:append() { # Need PyQt6 support, disable gui tools
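
Review bot: The commit message should state that the `cython` class covers both things removed in the setools_4.5.1.bb hunk: the `python3-cython-native` entry in DEPENDS and the `do_install:prepend()` sed that stripped `${RECIPE_SYSROOT}` from `${S}/setools/policyrep.c`. As written, a reader has to open the class to confirm that the native cython dependency is still pulled in and that the generated C file no longer embeds the sysroot path; saying so, and that the recipe was rebuilt without a buildpaths QA warning, would make the removal easy to verify. It is also worth naming the minimum core-layer release that ships the class, since `inherit python_setuptools_build_meta cython` fails to parse on a branch that does not have it.
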
From: Yi Zhao
To: yocto-patches@lists.yoctoproject.org, joe@deserted.net, joe.macdonald@siemens.com
Subject: [meta-selinux][PATCH 2/3] selinux: upgrade 3.7 -> 3.8
Date: Thu, 20 Feb 2025 17:43:44 +0800
Message-Id: <20250220094345.1119650-2-yi.zhao@windriver.com>
In-Reply-To: <20250220094345.1119650-1-yi.zhao@windriver.com>
References: <20250220094345.1119650-1-yi.zhao@windriver.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/1098

ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.8

* libsemanage: Preserve file context and ownership in policy store
* libselinux: deprecate security_disable(3)
* libsepol: Support nlmsg extended permissions
* libsepol: Add policy capability netlink_xperm
* libsemanage: Optionally allow duplicate declarations
* policycoreutils: introduce unsetfiles
* libselinux/utils: introduce selabel_compare
* improved selabel_lookup performance
* libselinux: support parallel usage of selabel_lookup(3)
* libsepol: add support for xperms in conditional policies
* Improved man pages
* Code improvements and bug fixes
* Always build for LFS mode on 32-bit archs.
* libsemanage: Mute error messages from selinux_restorecon introduced in 3.8-rc1
* Regex spec ordering is restored to pre 3.8-rc1
* Binary fcontext files format changed, files using old format are ignored
* Code improvements and bug fixes

License-Update: White space cleanup for libsemanage/LICENSE
Signed-off-by: Yi Zhao --- ...{checkpolicy_3.7.bb => checkpolicy_3.8.bb} | 0 ...python_3.7.bb => libselinux-python_3.8.bb} | 1 - ...hon-modules-install-path-for-multili.patch | 6 +- ...bselinux-fix-swig-bindings-for-4.3.0.patch | 91 ---- ...T-and-rely-on-the-installed-file-nam.patch | 6 +- ...re-drop-the-obsolete-LSF-transitiona.patch | 8 +- .../{libselinux_3.7.bb => libselinux_3.8.bb} | 0 ...semanage-fix-swig-bindings-for-4.3.0.patch | 422 ------------------ ...anage-Fix-execve-segfaults-on-Ubuntu.patch | 6 +- ...anage-allow-to-disable-audit-support.patch | 14 +- ...-disable-expand-check-on-policy-load.patch | 2 +- ...{libsemanage_3.7.bb => libsemanage_3.8.bb} | 3 +- .../{libsepol_3.7.bb => libsepol_3.8.bb} | 0 .../{mcstrans_3.7.bb => mcstrans_3.8.bb} | 2 +- ...oreutils_3.7.bb => policycoreutils_3.8.bb} | 0 ...{restorecond_3.7.bb => restorecond_3.8.bb} | 0 .../selinux/{secilc_3.7.bb => secilc_3.8.bb} | 0 ...elinux-dbus_3.7.bb => selinux-dbus_3.8.bb} | 0 ...{selinux-gui_3.7.bb => selinux-gui_3.8.bb} | 0 ...ux-python_3.7.bb => selinux-python_3.8.bb} | 0 ...-sandbox_3.7.bb => selinux-sandbox_3.8.bb} | 0 recipes-security/selinux/selinux_common.inc | 2 +- ...ule-utils_3.7.bb => semodule-utils_3.8.bb} | 0 23 files changed, 24 insertions(+), 539 deletions(-) rename recipes-security/selinux/{checkpolicy_3.7.bb => checkpolicy_3.8.bb} (100%) rename recipes-security/selinux/{libselinux-python_3.7.bb => libselinux-python_3.8.bb} (96%) delete mode 100644 recipes-security/selinux/libselinux/0001-libselinux-fix-swig-bindings-for-4.3.0.patch rename recipes-security/selinux/{libselinux_3.7.bb => libselinux_3.8.bb} (100%) delete mode 100644 recipes-security/selinux/libsemanage/0001-libsemanage-fix-swig-bindings-for-4.3.0.patch rename recipes-security/selinux/{libsemanage_3.7.bb => libsemanage_3.8.bb} (92%) rename recipes-security/selinux/{libsepol_3.7.bb => libsepol_3.8.bb} (100%) rename recipes-security/selinux/{mcstrans_3.7.bb => mcstrans_3.8.bb} (97%) rename 
recipes-security/selinux/{policycoreutils_3.7.bb => policycoreutils_3.8.bb} (100%) rename recipes-security/selinux/{restorecond_3.7.bb => restorecond_3.8.bb} (100%) rename recipes-security/selinux/{secilc_3.7.bb => secilc_3.8.bb} (100%) rename recipes-security/selinux/{selinux-dbus_3.7.bb => selinux-dbus_3.8.bb} (100%) rename recipes-security/selinux/{selinux-gui_3.7.bb => selinux-gui_3.8.bb} (100%) rename recipes-security/selinux/{selinux-python_3.7.bb => selinux-python_3.8.bb} (100%) rename recipes-security/selinux/{selinux-sandbox_3.7.bb => selinux-sandbox_3.8.bb} (100%) rename recipes-security/selinux/{semodule-utils_3.7.bb => semodule-utils_3.8.bb} (100%) diff --git a/recipes-security/selinux/checkpolicy_3.7.bb b/recipes-security/selinux/checkpolicy_3.8.bb similarity index 100% rename from recipes-security/selinux/checkpolicy_3.7.bb rename to recipes-security/selinux/checkpolicy_3.8.bb diff --git a/recipes-security/selinux/libselinux-python_3.7.bb b/recipes-security/selinux/libselinux-python_3.8.bb similarity index 96% rename from recipes-security/selinux/libselinux-python_3.7.bb rename to recipes-security/selinux/libselinux-python_3.8.bb index 5099e55..3c5c489 100644 --- a/recipes-security/selinux/libselinux-python_3.7.bb +++ b/recipes-security/selinux/libselinux-python_3.8.bb @@ -15,7 +15,6 @@ SRC_URI += "\ file://0001-Makefile-fix-python-modules-install-path-for-multili.patch \ file://0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch \ file://0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch \ - file://0001-libselinux-fix-swig-bindings-for-4.3.0.patch \ " S = "${WORKDIR}/git/libselinux" diff --git a/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch b/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch index b307b6f..28a2cc0 100644 
--- a/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch +++ b/recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch @@ -1,4 +1,4 @@ -From dff260851ccecf9723a6ddfce0103e09f3ba4613 Mon Sep 17 00:00:00 2001 +From 626d07afcb8e8b3a68158e8a3ea1654620769644 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Mon, 13 Apr 2020 12:44:23 +0800 Subject: [PATCH] Makefile: fix python modules install path for multilib @@ -11,10 +11,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Makefile b/src/Makefile -index d3b981f..265f1be 100644 +index 213c7d3..92227cb 100644 --- a/src/Makefile +++ b/src/Makefile -@@ -191,7 +191,7 @@ install: all +@@ -193,7 +193,7 @@ install: all ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET) install-pywrap: pywrap diff --git a/recipes-security/selinux/libselinux/0001-libselinux-fix-swig-bindings-for-4.3.0.patch b/recipes-security/selinux/libselinux/0001-libselinux-fix-swig-bindings-for-4.3.0.patch deleted file mode 100644 index 277c36c..0000000 --- a/recipes-security/selinux/libselinux/0001-libselinux-fix-swig-bindings-for-4.3.0.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 8e0e718bae53fff30831b92cd784151d475a20da Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 16 Oct 2024 20:48:11 +0200 -Subject: [PATCH] libselinux: fix swig bindings for 4.3.0 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -https://github.com/swig/swig/blob/master/CHANGES.current - -"[Python] #2907 Fix returning null from functions with output -parameters. Ensures OUTPUT and INOUT typemaps are handled -consistently wrt return type. - -New declaration of SWIG_Python_AppendOutput is now: - - SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void); - -The 3rd parameter is new and the new $isvoid special variable -should be passed to it, indicating whether or not the wrapped -function returns void. - -Also consider replacing with: - - SWIG_AppendOutput(PyObject* result, PyObject* obj); - -which calls SWIG_Python_AppendOutput with same parameters but adding $isvoid -for final parameter." - -Fixes: https://github.com/SELinuxProject/selinux/issues/447 - - selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user’: - selinuxswig_python_wrap.c:11499:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’ - 11499 | resultobj = SWIG_Python_AppendOutput(resultobj, plist); - | ^~~~~~~~~~~~~~~~~~~~~~~~ - selinuxswig_python_wrap.c:1248:1: note: declared here - 1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) { - | ^~~~~~~~~~~~~~~~~~~~~~~~ - selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user_raw’: - selinuxswig_python_wrap.c:11570:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’ - 11570 | resultobj = SWIG_Python_AppendOutput(resultobj, plist); - | ^~~~~~~~~~~~~~~~~~~~~~~~ - selinuxswig_python_wrap.c:1248:1: note: declared here - 1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) { - | ^~~~~~~~~~~~~~~~~~~~~~~~ - selinuxswig_python_wrap.c: In function 
‘_wrap_security_get_boolean_names’: - selinuxswig_python_wrap.c:12470:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’ - 12470 | resultobj = SWIG_Python_AppendOutput(resultobj, list); - | ^~~~~~~~~~~~~~~~~~~~~~~~ - selinuxswig_python_wrap.c:1248:1: note: declared here - 1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) { - | ^~~~~~~~~~~~~~~~~~~~~~~~ - error: command '/usr/bin/gcc' failed with exit code 1 - -Suggested-by: Jitka Plesnikova -Signed-off-by: Petr Lautrbach -Acked-by: James Carter - -Upstream-Status: Backport -[https://github.com/SELinuxProject/selinux/commit/8e0e718bae53fff30831b92cd784151d475a20da] - -Signed-off-by: Yi Zhao ---- - src/selinuxswig_python.i | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/selinuxswig_python.i b/src/selinuxswig_python.i -index 17e03b9e..03ed296d 100644 ---- a/src/selinuxswig_python.i -+++ b/src/selinuxswig_python.i -@@ -71,7 +71,7 @@ def install(src, dest): - for (i = 0; i < *$2; i++) { - PyList_SetItem(list, i, PyString_FromString((*$1)[i])); - } -- $result = SWIG_Python_AppendOutput($result, list); -+ $result = SWIG_AppendOutput($result, list); - } - - /* return a sid along with the result */ -@@ -108,7 +108,7 @@ def install(src, dest): - plist = PyList_New(0); - } - -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - - /* Makes functions in get_context_list.h return a Python list of contexts */ --- -2.25.1 - diff --git a/recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch b/recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch index 7ebe64f..ae0da8b 100644 --- a/recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch +++ b/recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch 
@@ -1,4 +1,4 @@ -From 303d8dfe53fcd02ea5818f976369cdb629bc1114 Mon Sep 17 00:00:00 2001 +From 1048b80be8fe800fa343f26db833a6e89b5ba9ab Mon Sep 17 00:00:00 2001 From: Thomas Petazzoni Date: Fri, 25 Oct 2019 13:37:14 +0200 Subject: [PATCH] Do not use PYCEXT, and rely on the installed file name @@ -27,7 +27,7 @@ Signed-off-by: Changqing Li 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/Makefile b/src/Makefile -index 265f1be..47e51d6 100644 +index 92227cb..7c71c65 100644 --- a/src/Makefile +++ b/src/Makefile @@ -15,7 +15,6 @@ INCLUDEDIR ?= $(PREFIX)/include @@ -38,7 +38,7 @@ index 265f1be..47e51d6 100644 RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]') RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') -@@ -193,7 +192,7 @@ install: all +@@ -195,7 +194,7 @@ install: all install-pywrap: pywrap CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) --root $(DESTDIR) --ignore-installed --no-deps $(PYTHON_SETUP_ARGS) . install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py diff --git a/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch b/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch index 0cd8f20..39edb6c 100644 --- a/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch +++ b/recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch @@ -1,4 +1,4 @@ -From 6c2af45ec8cff9b282d599dc098db0ca127bdc59 Mon Sep 17 00:00:00 2001 +From f33b426680492629d3d8ed664049cbe584f26f18 Mon Sep 17 00:00:00 2001 
From: Renato Caldas Date: Thu, 29 Jun 2023 13:59:11 +0100 Subject: [PATCH] libselinux: restore: drop the obsolete LSF transitional API. @@ -14,10 +14,10 @@ Signed-off-by: Renato Caldas 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c -index 38f10f1..5b3d035 100644 +index bc6ed93..3bc0d8d 100644 --- a/src/selinux_restorecon.c +++ b/src/selinux_restorecon.c -@@ -436,7 +436,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file, +@@ -438,7 +438,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file, file_spec_t *prevfl, *fl; uint32_t h; int ret; @@ -26,7 +26,7 @@ index 38f10f1..5b3d035 100644 __pthread_mutex_lock(&fl_mutex); -@@ -450,7 +450,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file, +@@ -452,7 +452,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file, for (prevfl = &fl_head[h], fl = fl_head[h].next; fl; prevfl = fl, fl = fl->next) { if (ino == fl->ino) { diff --git a/recipes-security/selinux/libselinux_3.7.bb b/recipes-security/selinux/libselinux_3.8.bb similarity index 100% rename from recipes-security/selinux/libselinux_3.7.bb rename to recipes-security/selinux/libselinux_3.8.bb diff --git a/recipes-security/selinux/libsemanage/0001-libsemanage-fix-swig-bindings-for-4.3.0.patch b/recipes-security/selinux/libsemanage/0001-libsemanage-fix-swig-bindings-for-4.3.0.patch deleted file mode 100644 index cba77c9..0000000 --- a/recipes-security/selinux/libsemanage/0001-libsemanage-fix-swig-bindings-for-4.3.0.patch +++ /dev/null 
@@ -1,422 +0,0 @@ -From e38815d7b44cac435195c82a54d2bf2517bc4b1a Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 16 Oct 2024 20:48:12 +0200 -Subject: [PATCH] libsemanage: fix swig bindings for 4.3.0 - -https://github.com/swig/swig/blob/master/CHANGES.current - -"[Python] #2907 Fix returning null from functions with output -parameters. Ensures OUTPUT and INOUT typemaps are handled -consistently wrt return type. - -New declaration of SWIG_Python_AppendOutput is now: - - SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void); - -The 3rd parameter is new and the new $isvoid special variable -should be passed to it, indicating whether or not the wrapped -function returns void. - -Also consider replacing with: - - SWIG_AppendOutput(PyObject* result, PyObject* obj); - -which calls SWIG_Python_AppendOutput with same parameters but adding $isvoid -for final parameter." - -Fixes: https://github.com/SELinuxProject/selinux/issues/447 - -Suggested-by: Jitka Plesnikova -Signed-off-by: Petr Lautrbach -Acked-by: James Carter - -Upstream-Status: Backport -[https://github.com/SELinuxProject/selinux/commit/e38815d7b44cac435195c82a54d2bf2517bc4b1a] - -Signed-off-by: Yi Zhao ---- - src/semanageswig_python.i | 64 +++++++++++++-------------- - src/semanageswig_ruby.i | 32 +++++++------- - 2 files changed, 48 insertions(+), 48 deletions(-) - -diff --git a/src/semanageswig_python.i b/src/semanageswig_python.i -index 5f011396..0e27424f 100644 ---- a/src/semanageswig_python.i -+++ b/src/semanageswig_python.i -@@ -111,7 +111,7 @@ - } - - %typemap(argout) char** { -- $result = SWIG_Python_AppendOutput($result, SWIG_FromCharPtr(*$1)); -+ $result = SWIG_AppendOutput($result, SWIG_FromCharPtr(*$1)); - free(*$1); - } - -@@ -134,7 +134,7 @@ - NULL, NULL, &plist) < 0) - $result = SWIG_From_int(STATUS_ERR); - else -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - } - } -@@ -148,7 +148,7 @@ - } - - %typemap(argout) 
semanage_module_info_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - /** module key typemaps **/ -@@ -160,7 +160,7 @@ - } - - %typemap(argout) semanage_module_key_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - /** context typemaps **/ -@@ -172,7 +172,7 @@ - } - - %typemap(argout) semanage_context_t** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - /** boolean typemaps **/ -@@ -197,7 +197,7 @@ - (void (*) (void*)) &semanage_bool_free, &plist) < 0) - $result = SWIG_From_int(STATUS_ERR); - else -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - } - } -@@ -207,11 +207,11 @@ - } - - %typemap(argout) semanage_bool_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_bool_key_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_bool_key_t **(semanage_bool_key_t *temp=NULL) { -@@ -240,7 +240,7 @@ - (void (*) (void*)) &semanage_fcontext_free, &plist) < 0) - $result = SWIG_From_int(STATUS_ERR); - else -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - } - } -@@ -250,11 +250,11 @@ - } - - %typemap(argout) semanage_fcontext_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, 
$*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_fcontext_key_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_fcontext_key_t **(semanage_fcontext_key_t *temp=NULL) { -@@ -284,7 +284,7 @@ - (void (*) (void*)) &semanage_iface_free, &plist) < 0) - $result = SWIG_From_int(STATUS_ERR); - else -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - } - } -@@ -294,11 +294,11 @@ - } - - %typemap(argout) semanage_iface_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_iface_key_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_iface_key_t **(semanage_iface_key_t *temp=NULL) { -@@ -328,7 +328,7 @@ - (void (*) (void*)) &semanage_seuser_free, &plist) < 0) - $result = SWIG_From_int(STATUS_ERR); - else -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - } - } -@@ -338,11 +338,11 @@ - } - - %typemap(argout) semanage_seuser_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_seuser_key_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) 
semanage_seuser_key_t **(semanage_seuser_key_t *temp=NULL) { -@@ -371,7 +371,7 @@ - (void (*) (void*)) &semanage_user_free, &plist) < 0) - $result = SWIG_From_int(STATUS_ERR); - else -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - } - } -@@ -381,11 +381,11 @@ - } - - %typemap(argout) semanage_user_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_user_key_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_user_key_t **(semanage_user_key_t *temp=NULL) { -@@ -414,7 +414,7 @@ - (void (*) (void*)) &semanage_port_free, &plist) < 0) - $result = SWIG_From_int(STATUS_ERR); - else -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - } - } -@@ -424,11 +424,11 @@ - } - - %typemap(argout) semanage_port_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_port_key_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_port_key_t **(semanage_port_key_t *temp=NULL) { -@@ -457,7 +457,7 @@ - (void (*) (void*)) &semanage_ibpkey_free, &plist) < 0) - $result = SWIG_From_int(STATUS_ERR); - else -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - } - } -@@ -467,11 +467,11 @@ - } - - %typemap(argout) semanage_ibpkey_t ** { -- $result = 
SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_ibpkey_key_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_ibpkey_key_t **(semanage_ibpkey_key_t *temp=NULL) { -@@ -500,7 +500,7 @@ - (void (*) (void*)) &semanage_ibendport_free, &plist) < 0) - $result = SWIG_From_int(STATUS_ERR); - else -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - } - } -@@ -510,11 +510,11 @@ - } - - %typemap(argout) semanage_ibendport_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_ibendport_key_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_ibendport_key_t **(semanage_ibendport_key_t *temp=NULL) { -@@ -543,7 +543,7 @@ - (void (*) (void*)) &semanage_node_free, &plist) < 0) - $result = SWIG_From_int(STATUS_ERR); - else -- $result = SWIG_Python_AppendOutput($result, plist); -+ $result = SWIG_AppendOutput($result, plist); - } - } - } -@@ -553,12 +553,12 @@ - } - - %typemap(argout) semanage_node_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - - %typemap(argout) semanage_node_key_t ** { -- $result = SWIG_Python_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, 
SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_node_key_t **(semanage_node_key_t *temp=NULL) { -diff --git a/src/semanageswig_ruby.i b/src/semanageswig_ruby.i -index e030e4ae..9010b545 100644 ---- a/src/semanageswig_ruby.i -+++ b/src/semanageswig_ruby.i -@@ -38,7 +38,7 @@ - } - - %typemap(argout) semanage_module_info_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - /** context typemaps **/ -@@ -50,7 +50,7 @@ - } - - %typemap(argout) semanage_context_t** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - /** boolean typemaps **/ -@@ -66,11 +66,11 @@ - } - - %typemap(argout) semanage_bool_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_bool_key_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_bool_key_t **(semanage_bool_key_t *temp=NULL) { -@@ -90,11 +90,11 @@ - } - - %typemap(argout) semanage_fcontext_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_fcontext_key_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_fcontext_key_t **(semanage_fcontext_key_t *temp=NULL) { -@@ -114,11 
+114,11 @@ - } - - %typemap(argout) semanage_iface_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_iface_key_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_iface_key_t **(semanage_iface_key_t *temp=NULL) { -@@ -138,11 +138,11 @@ - } - - %typemap(argout) semanage_seuser_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_seuser_key_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_seuser_key_t **(semanage_seuser_key_t *temp=NULL) { -@@ -162,11 +162,11 @@ - } - - %typemap(argout) semanage_user_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_user_key_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_user_key_t **(semanage_user_key_t *temp=NULL) { -@@ -186,11 +186,11 @@ - } - - %typemap(argout) semanage_port_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(argout) semanage_port_key_t ** { -- $result = 
SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_port_key_t **(semanage_port_key_t *temp=NULL) { -@@ -210,12 +210,12 @@ - } - - %typemap(argout) semanage_node_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - - %typemap(argout) semanage_node_key_t ** { -- $result = SWIG_Ruby_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); -+ $result = SWIG_AppendOutput($result, SWIG_NewPointerObj(*$1, $*1_descriptor, 0)); - } - - %typemap(in, numinputs=0) semanage_node_key_t **(semanage_node_key_t *temp=NULL) { --- -2.25.1 - diff --git a/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch b/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch index daaeb3b..3cab867 100644 --- a/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch +++ b/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch @@ -1,4 +1,4 @@ -From a91134e98ba4b3b6645d12bb68a07976b60f86c8 Mon Sep 17 00:00:00 2001 +From 418a2736fd7da15758ab84f9448e7517e3ad82c1 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Mon, 26 Mar 2012 15:15:16 +0800 Subject: [PATCH] libsemanage: Fix execve segfaults on Ubuntu. @@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/semanage_store.c b/src/semanage_store.c -index 27c5d34..519f298 100644 +index 2ca2e90..914d720 100644 --- a/src/semanage_store.c 
+++ b/src/semanage_store.c -@@ -1470,7 +1470,7 @@ static int semanage_exec_prog(semanage_handle_t * sh, +@@ -1445,7 +1445,7 @@ static int semanage_exec_prog(semanage_handle_t * sh, if (forkval == 0) { /* child process. file descriptors will be closed * because they were set as close-on-exec. */ diff --git a/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch b/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch index e9df8be..8abf847 100644 --- a/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch +++ b/recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch @@ -1,4 +1,4 @@ -From c96010440e7a2a87787a535fd0f9ccf26a2b4a5e Mon Sep 17 00:00:00 2001 +From 0fddb654b4193e91b8534cbbeaa5fd9b6aa1ead2 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Mon, 20 Jan 2014 03:53:48 -0500 Subject: [PATCH] libsemanage: allow to disable audit support @@ -13,7 +13,7 @@ Signed-off-by: Wenzong Fan 3 files changed, 31 insertions(+), 2 deletions(-) diff --git a/src/Makefile b/src/Makefile -index d525996..2f5e159 100644 +index 8dfbd76..4012f28 100644 --- a/src/Makefile +++ b/src/Makefile @@ -27,6 +27,14 @@ ifeq ($(DEBUG),1) @@ -41,7 +41,7 @@ index d525996..2f5e159 100644 $(LIBPC): $(LIBPC).in ../VERSION diff --git a/src/seusers_local.c b/src/seusers_local.c -index 795a33d..6539cdf 100644 +index eb3f82b..45da825 100644 --- a/src/seusers_local.c +++ b/src/seusers_local.c @@ -8,7 +8,11 @@ typedef struct semanage_seuser record_t; @@ -72,7 +72,7 @@ index 795a33d..6539cdf 100644 int semanage_seuser_modify_local(semanage_handle_t * handle, const semanage_seuser_key_t * key, -@@ -164,8 +170,11 @@ int semanage_seuser_modify_local(semanage_handle_t * handle, +@@ -165,8 +171,11 @@ int semanage_seuser_modify_local(semanage_handle_t * handle, (void) semanage_seuser_query(handle, key, &previous); handle->msg_callback = callback; rc = dbase_modify(handle, dconfig, key, new); 
@@ -84,7 +84,7 @@ index 795a33d..6539cdf 100644 err: if (previous) semanage_seuser_free(previous); -@@ -181,8 +190,12 @@ int semanage_seuser_del_local(semanage_handle_t * handle, +@@ -182,8 +191,12 @@ int semanage_seuser_del_local(semanage_handle_t * handle, dbase_config_t *dconfig = semanage_seuser_dbase_local(handle); rc = dbase_del(handle, dconfig, key); semanage_seuser_query(handle, key, &seuser); @@ -98,7 +98,7 @@ index 795a33d..6539cdf 100644 semanage_seuser_free(seuser); return rc; diff --git a/tests/Makefile b/tests/Makefile -index 69f49a3..f914492 100644 +index 241ff17..fa03fb6 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -4,10 +4,18 @@ CILS = $(sort $(wildcard *.cil)) @@ -114,7 +114,7 @@ index 69f49a3..f914492 100644 +endif + EXECUTABLE = libsemanage-tests - CFLAGS += -g -O0 -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter + CFLAGS += -g -O0 -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute override CFLAGS += -I../src -I../include -override LDLIBS += -lcunit -lbz2 -laudit -lselinux -lsepol +override LDLIBS += -lcunit -lbz2 $(LIBAUDIT) -lselinux -lsepol diff --git a/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch index d880e1e..4b1d3cc 100644 --- a/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch +++ b/recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch @@ -1,4 +1,4 @@ -From 7af73c1684ce0e30ce0cd58b51708bde1e3a1984 Mon Sep 17 00:00:00 2001 +From af4948d5a1cfb41338a7539dcd80735b5c250e58 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Wed, 7 May 2014 11:36:27 -0400 Subject: [PATCH] libsemanage: disable expand-check on policy load 
diff --git a/recipes-security/selinux/libsemanage_3.7.bb b/recipes-security/selinux/libsemanage_3.8.bb similarity index 92% rename from recipes-security/selinux/libsemanage_3.7.bb rename to recipes-security/selinux/libsemanage_3.8.bb index 7e6c91f..ef22957 100644 --- a/recipes-security/selinux/libsemanage_3.7.bb +++ b/recipes-security/selinux/libsemanage_3.8.bb @@ -5,7 +5,7 @@ as by programs like load_policy that need to perform specific transformations \ on binary policies such as customizing policy boolean settings." SECTION = "base" LICENSE = "LGPL-2.1-or-later" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=a6f89e2100d9b6cdffcea4f398e37343" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=03068f550c635f6520e0f0252da412fc" require selinux_common.inc @@ -14,7 +14,6 @@ inherit lib_package python3native SRC_URI += "file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \ file://libsemanage-allow-to-disable-audit-support.patch \ file://libsemanage-disable-expand-check-on-policy-load.patch \ - file://0001-libsemanage-fix-swig-bindings-for-4.3.0.patch \ " DEPENDS = "libsepol libselinux python3 bison-native swig-native" diff --git a/recipes-security/selinux/libsepol_3.7.bb b/recipes-security/selinux/libsepol_3.8.bb similarity index 100% rename from recipes-security/selinux/libsepol_3.7.bb rename to recipes-security/selinux/libsepol_3.8.bb diff --git a/recipes-security/selinux/mcstrans_3.7.bb b/recipes-security/selinux/mcstrans_3.8.bb similarity index 97% rename from recipes-security/selinux/mcstrans_3.7.bb rename to recipes-security/selinux/mcstrans_3.8.bb index 4a8482f..4c8aed3 100644 --- a/recipes-security/selinux/mcstrans_3.7.bb +++ b/recipes-security/selinux/mcstrans_3.8.bb 
@@ -31,7 +31,7 @@ do_install:append() { if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/tmpfiles.d - echo "d ${localstatedir}/run/setrans - - - -" \ + echo "d ${runtimedir}/setrans - - - -" \ > ${D}${sysconfdir}/tmpfiles.d/setrans.conf else install -d ${D}${sysconfdir}/default/volatiles diff --git a/recipes-security/selinux/policycoreutils_3.7.bb b/recipes-security/selinux/policycoreutils_3.8.bb similarity index 100% rename from recipes-security/selinux/policycoreutils_3.7.bb rename to recipes-security/selinux/policycoreutils_3.8.bb diff --git a/recipes-security/selinux/restorecond_3.7.bb b/recipes-security/selinux/restorecond_3.8.bb similarity index 100% rename from recipes-security/selinux/restorecond_3.7.bb rename to recipes-security/selinux/restorecond_3.8.bb diff --git a/recipes-security/selinux/secilc_3.7.bb b/recipes-security/selinux/secilc_3.8.bb similarity index 100% rename from recipes-security/selinux/secilc_3.7.bb rename to recipes-security/selinux/secilc_3.8.bb diff --git a/recipes-security/selinux/selinux-dbus_3.7.bb b/recipes-security/selinux/selinux-dbus_3.8.bb similarity index 100% rename from recipes-security/selinux/selinux-dbus_3.7.bb rename to recipes-security/selinux/selinux-dbus_3.8.bb diff --git a/recipes-security/selinux/selinux-gui_3.7.bb b/recipes-security/selinux/selinux-gui_3.8.bb similarity index 100% rename from recipes-security/selinux/selinux-gui_3.7.bb rename to recipes-security/selinux/selinux-gui_3.8.bb diff --git a/recipes-security/selinux/selinux-python_3.7.bb b/recipes-security/selinux/selinux-python_3.8.bb similarity index 100% rename from recipes-security/selinux/selinux-python_3.7.bb rename to recipes-security/selinux/selinux-python_3.8.bb 
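Review bot: in libsemanage_3.8.bb the LIC_FILES_CHKSUM md5 changes while LICENSE stays "LGPL-2.1-or-later", so the commit message should state what changed in the upstream LICENSE file and confirm that the licence terms are the same. Dropping 0001-libsemanage-fix-swig-bindings-for-4.3.0.patch from SRC_URI matches its Upstream-Status: Backport header, provided the new SRCREV contains commit e38815d7b44cac435195c82a54d2bf2517bc4b1a; that is worth one line in the commit message as well.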
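Review bot: in the mcstrans_3.8.bb hunk only the systemd branch of do_install:append is switched from ${localstatedir}/run/setrans to ${runtimedir}/setrans. The sysvinit branch that installs under ${sysconfdir}/default/volatiles lies outside the visible context, so please check that it names the same directory; otherwise the two init systems will create the setrans runtime directory in different places.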
diff --git a/recipes-security/selinux/selinux-sandbox_3.7.bb b/recipes-security/selinux/selinux-sandbox_3.8.bb similarity index 100% rename from recipes-security/selinux/selinux-sandbox_3.7.bb rename to recipes-security/selinux/selinux-sandbox_3.8.bb diff --git a/recipes-security/selinux/selinux_common.inc b/recipes-security/selinux/selinux_common.inc index 8dd6c2e..30109b9 100644 --- a/recipes-security/selinux/selinux_common.inc +++ b/recipes-security/selinux/selinux_common.inc @@ -1,7 +1,7 @@ HOMEPAGE = "https://github.com/SELinuxProject" SRC_URI = "git://github.com/SELinuxProject/selinux.git;branch=main;protocol=https" -SRCREV = "2eb286bc0841791043567437ba5413f3014fb94e" +SRCREV = "71aec30d068789e856e7cc429b620ae1cfa890f1" UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)" 
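Review bot: the new SRCREV in selinux_common.inc is a bare commit hash, and nothing on the visible lines ties it to the 3.8 release that the recipes are renamed to. A short comment above SRCREV, or a line in the commit message, naming the upstream tag it corresponds to would let a reviewer verify the pin against the SELinuxProject/selinux repository instead of taking the hash on trust.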
diff --git a/recipes-security/selinux/semodule-utils_3.7.bb b/recipes-security/selinux/semodule-utils_3.8.bb similarity index 100% rename from recipes-security/selinux/semodule-utils_3.7.bb rename to recipes-security/selinux/semodule-utils_3.8.bb

From patchwork Thu Feb 20 09:43:45 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yi Zhao
X-Patchwork-Id: 57647
From: Yi Zhao
To: yocto-patches@lists.yoctoproject.org, joe@deserted.net, joe.macdonald@siemens.com
Subject: [meta-selinux][PATCH 3/3] refpolicy: update to 20250213+git
Date: Thu, 20 Feb 2025 17:43:45 +0800
Message-Id: <20250220094345.1119650-3-yi.zhao@windriver.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20250220094345.1119650-1-yi.zhao@windriver.com>
References: <20250220094345.1119650-1-yi.zhao@windriver.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/1099

ChangeLog:
https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20250213

* Add tool for validating appconfig contexts files.
* Add netlink extended permissions definitions.
* Updates for Systemd up to v257.

Signed-off-by: Yi Zhao --- .../refpolicy/refpolicy-minimum_git.bb | 2 +- .../refpolicy/refpolicy-targeted_git.bb | 3 +- ...tile-alias-common-var-volatile-paths.patch | 2 +- ...inimum-make-sysadmin-module-optional.patch | 10 +- ...e-unconfined_u-definition-to-unconfi.patch | 83 ++++++++++++++ ...box-set-aliases-for-bin-sbin-and-usr.patch | 2 +- ...-allow-systemd-networkd-to-accept-a.patch} | 32 +++--- ...d-make-unconfined_u-the-default-sel.patch} | 2 +- ...y-policy-to-common-yocto-hostname-al.patch | 2 +- ...sr-bin-bash-context-to-bin-bash.bash.patch | 4 +- ...abel-resolv.conf-in-var-run-properly.patch | 2 +- ...-apply-login-context-to-login.shadow.patch | 4 +- ...-fc-hwclock-add-hwclock-alternatives.patch | 2 +- ...g-apply-policy-to-dmesg-alternatives.patch | 2 +- ...ssh-apply-policy-to-ssh-alternatives.patch | 4 +- ...ply-policy-to-network-commands-alter.patch | 2 +- ...ply-rpm_exec-policy-to-cpio-binaries.patch | 2 +- ...c-su-apply-policy-to-su-alternatives.patch | 2 +- ...fc-fstools-fix-real-path-for-fstools.patch | 14 +-- ...fix-update-alternatives-for-sysvinit.patch | 4 +- ...l-apply-policy-to-brctl-alternatives.patch | 2 +- ...apply-policy-to-nologin-alternatives.patch | 6 +- ...apply-policy-to-sulogin-alternatives.patch | 2 +- ...tp-apply-policy-to-ntpd-alternatives.patch | 2 +- ...pply-policy-to-kerberos-alternatives.patch | 2 +- ...ap-apply-policy-to-ldap-alternatives.patch | 2 +- ...ply-policy-to-postgresql-alternative.patch | 2 +- ...-apply-policy-to-screen-alternatives.patch | 2 +- ...ply-policy-to-usermanage-alternative.patch | 2 +- ...etty-add-file-context-to-start_getty.patch | 2 +- ...k-apply-policy-to-vlock-alternatives.patch | 2 +- ...for-init-scripts-and-systemd-service.patch | 8 +- ...bs_dist-set-aliase-for-root-director.patch | 2 +- ...ystem-logging-add-rules-for-the-syml.patch | 2 +- ...ystem-logging-add-rules-for-syslogd-.patch | 4 +- ...ernel-files-add-rules-for-the-symlin.patch | 20 ++-- ...ystem-logging-fix-auditd-startup-fai.patch | 4 +- 
...ernel-terminal-don-t-audit-tty_devic.patch | 2 +- ...ystem-systemd-enable-support-for-sys.patch | 4 +- ...ystem-logging-allow-systemd-tmpfiles.patch | 4 +- ...les-sysadm-allow-sysadm-to-use-init.patch} | 4 +- ...ystem-systemd-allow-systemd_logind_t.patch | 43 ------- ...s-system-systemd-systemd-user-fixes.patch} | 8 +- ...stem-logging-grant-getpcap-capabili.patch} | 4 +- ...stem-allow-services-to-read-tmpfs-u.patch} | 10 +- ...rnel-domain-allow-all-domains-to-co.patch} | 2 +- ...-allow-systemd-logind-to-inherit-fds.patch | 68 +++++++++++ ...stemd-tmpfiles-to-read-bin_t-symlink.patch | 107 ++++++++++++++++++ ...stem-mount-make-mount_t-domain-MLS-.patch} | 6 +- ...les-sysadm-MLS-sysadm-rw-to-clearan.patch} | 4 +- ...rvices-rpc-make-nfsd_t-domain-MLS-t.patch} | 6 +- ...min-dmesg-make-dmesg_t-MLS-trusted-.patch} | 2 +- ...rnel-kernel-make-kernel_t-MLS-trust.patch} | 6 +- ...stem-init-make-init_t-MLS-trusted-f.patch} | 6 +- ...stem-systemd-make-systemd-tmpfiles_.patch} | 6 +- ...stem-systemd-systemd-make-systemd_-.patch} | 14 +-- ...stem-logging-add-the-syslogd_t-to-t.patch} | 4 +- ...stem-init-make-init_t-MLS-trusted-f.patch} | 6 +- ...stem-init-all-init_t-to-read-any-le.patch} | 6 +- ...stem-logging-allow-auditd_t-to-writ.patch} | 4 +- ...rnel-kernel-make-kernel_t-MLS-trust.patch} | 6 +- ...stem-setrans-allow-setrans_t-use-fd.patch} | 2 +- ...stem-systemd-make-_systemd_t-MLS-tr.patch} | 6 +- ...stem-logging-make-syslogd_runtime_t.patch} | 4 +- .../refpolicy/refpolicy_common.inc | 45 ++++---- recipes-security/refpolicy/refpolicy_git.inc | 4 +- 66 files changed, 428 insertions(+), 211 deletions(-) create mode 100644 recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-Revert-users-Move-unconfined_u-definition-to-unconfi.patch rename recipes-security/refpolicy/refpolicy/{0002-refpolicy-minimum-enable-nscd_use_shm.patch => 0002-refpolicy-minimum-allow-systemd-networkd-to-accept-a.patch} (49%) rename 
recipes-security/refpolicy/refpolicy/{0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch => 0002-refpolicy-targeted-make-unconfined_u-the-default-sel.patch} (98%) rename recipes-security/refpolicy/refpolicy/{0036-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch => 0035-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch} (91%) delete mode 100644 recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-allow-systemd_logind_t.patch rename recipes-security/refpolicy/refpolicy/{0037-policy-modules-system-systemd-systemd-user-fixes.patch => 0036-policy-modules-system-systemd-systemd-user-fixes.patch} (93%) rename recipes-security/refpolicy/refpolicy/{0038-policy-modules-system-logging-grant-getpcap-capabili.patch => 0037-policy-modules-system-logging-grant-getpcap-capabili.patch} (92%) rename recipes-security/refpolicy/refpolicy/{0039-policy-modules-system-allow-services-to-read-tmpfs-u.patch => 0038-policy-modules-system-allow-services-to-read-tmpfs-u.patch} (95%) rename recipes-security/refpolicy/refpolicy/{0040-policy-modules-kernel-domain-allow-all-domains-to-co.patch => 0039-policy-modules-kernel-domain-allow-all-domains-to-co.patch} (95%) create mode 100644 recipes-security/refpolicy/refpolicy/0040-systemd-allow-systemd-logind-to-inherit-fds.patch create mode 100644 recipes-security/refpolicy/refpolicy/0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch rename recipes-security/refpolicy/refpolicy/{0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch => 0042-policy-modules-system-mount-make-mount_t-domain-MLS-.patch} (85%) rename recipes-security/refpolicy/refpolicy/{0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch => 0043-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch} (92%) rename recipes-security/refpolicy/refpolicy/{0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch => 0044-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch} (90%) rename 
recipes-security/refpolicy/refpolicy/{0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch => 0045-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch} (94%) rename recipes-security/refpolicy/refpolicy/{0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch => 0046-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch} (95%) rename recipes-security/refpolicy/refpolicy/{0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch => 0047-policy-modules-system-init-make-init_t-MLS-trusted-f.patch} (90%) rename recipes-security/refpolicy/refpolicy/{0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch => 0048-policy-modules-system-systemd-make-systemd-tmpfiles_.patch} (92%) rename recipes-security/refpolicy/refpolicy/{0048-policy-modules-system-systemd-systemd-make-systemd_-.patch => 0049-policy-modules-system-systemd-systemd-make-systemd_-.patch} (88%) rename recipes-security/refpolicy/refpolicy/{0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch => 0050-policy-modules-system-logging-add-the-syslogd_t-to-t.patch} (92%) rename recipes-security/refpolicy/refpolicy/{0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch => 0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch} (86%) rename recipes-security/refpolicy/refpolicy/{0051-policy-modules-system-init-all-init_t-to-read-any-le.patch => 0052-policy-modules-system-init-all-init_t-to-read-any-le.patch} (88%) rename recipes-security/refpolicy/refpolicy/{0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch => 0053-policy-modules-system-logging-allow-auditd_t-to-writ.patch} (92%) rename recipes-security/refpolicy/refpolicy/{0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch => 0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch} (84%) rename recipes-security/refpolicy/refpolicy/{0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch => 0055-policy-modules-system-setrans-allow-setrans_t-use-fd.patch} 
(93%) rename recipes-security/refpolicy/refpolicy/{0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch => 0056-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch} (88%) rename recipes-security/refpolicy/refpolicy/{0056-policy-modules-system-logging-make-syslogd_runtime_t.patch => 0057-policy-modules-system-logging-make-syslogd_runtime_t.patch} (94%) diff --git a/recipes-security/refpolicy/refpolicy-minimum_git.bb b/recipes-security/refpolicy/refpolicy-minimum_git.bb index 233c851..7b75d26 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_git.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_git.bb @@ -13,7 +13,7 @@ domains are unconfined. \ SRC_URI += " \ file://0001-refpolicy-minimum-make-sysadmin-module-optional.patch \ - file://0002-refpolicy-minimum-enable-nscd_use_shm.patch \ + file://0002-refpolicy-minimum-allow-systemd-networkd-to-accept-a.patch \ " POLICY_NAME = "minimum" diff --git a/recipes-security/refpolicy/refpolicy-targeted_git.bb b/recipes-security/refpolicy/refpolicy-targeted_git.bb index de81d46..321407d 100644 --- a/recipes-security/refpolicy/refpolicy-targeted_git.bb +++ b/recipes-security/refpolicy/refpolicy-targeted_git.bb @@ -13,5 +13,6 @@ POLICY_MLS_SENS = "0" include refpolicy_${PV}.inc SRC_URI += " \ - file://0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \ + file://0001-refpolicy-targeted-Revert-users-Move-unconfined_u-definition-to-unconfi.patch \ + file://0002-refpolicy-targeted-make-unconfined_u-the-default-sel.patch \ " diff --git a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch index 45686b2..87febdc 100644 --- a/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch +++ b/recipes-security/refpolicy/refpolicy/0001-fc-subs-volatile-alias-common-var-volatile-paths.patch 
@@ -1,4 +1,4 @@ -From 2627c403bb84d710a2469e501e6a0ccf5c7fb438 Mon Sep 17 00:00:00 2001 +From c36ccb73201949df2e4e01dc12e36c77bc42e099 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 16:14:09 -0400 Subject: [PATCH] fc/subs/volatile: alias common /var/volatile paths diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch index 73e6b48..b0c0556 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-minimum-make-sysadmin-module-optional.patch @@ -1,4 +1,4 @@ -From 923dec0f0231024680bb6f7d48ff7edf82ed8082 Mon Sep 17 00:00:00 2001 +From 4a5d6d9b7c317a2b819ef9a0ebce2e913ad42be9 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Fri, 5 Apr 2019 11:53:28 -0400 Subject: [PATCH] refpolicy-minimum: make sysadmin module optional @@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8af34aa7e..fdd64fb5b 100644 +index 7df44cead..65146974b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -653,13 +653,15 @@ ifdef(`init_systemd',` +@@ -648,13 +648,15 @@ ifdef(`init_systemd',` unconfined_write_keys(init_t) ') ',` @@ -48,10 +48,10 @@ index 8af34aa7e..fdd64fb5b 100644 ') ') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 4ba131d29..9c4b0a1d8 100644 +index f96092070..db28ce41c 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te -@@ -277,7 +277,9 @@ userdom_use_unpriv_users_fds(sulogin_t) +@@ -279,7 +279,9 @@ userdom_use_unpriv_users_fds(sulogin_t) userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) 
diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-Revert-users-Move-unconfined_u-definition-to-unconfi.patch b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-Revert-users-Move-unconfined_u-definition-to-unconfi.patch new file mode 100644 index 0000000..6907b19 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-Revert-users-Move-unconfined_u-definition-to-unconfi.patch 
@@ -0,0 +1,83 @@ +From b14a64cd3a83e0c3741446cb5bca4773f7db5e6d Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Wed, 19 Feb 2025 21:35:02 +0800 +Subject: [PATCH] Revert "users: Move unconfined_u definition to unconfined + module." + +This reverts commit ca3698d543c22dbc78c4c491133405754a9f8a3f. + +Fix build error for targeted policy. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + policy/modules/kernel/kernel.te | 3 +++ + policy/modules/system/unconfined.te | 14 -------------- + policy/users | 7 +++++++ + 3 files changed, 10 insertions(+), 14 deletions(-) + +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index 987709345..2dc5c3895 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -33,6 +33,9 @@ role sysadm_r; + role staff_r; + role user_r; + ++# here until order dependence is fixed: ++role unconfined_r; ++ + ifdef(`enable_mls',` + role secadm_r; + role auditadm_r; +diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te +index 6dc1d9484..68b78ff24 100644 +--- a/policy/modules/system/unconfined.te ++++ b/policy/modules/system/unconfined.te +@@ -8,9 +8,6 @@ policy_module(unconfined) + # usage in this module of types created by these + # calls is not correct, however we dont currently + # have another method to add access to these types +- +-role unconfined_r; +- + userdom_base_user_template(unconfined) + userdom_manage_home_role(unconfined_r, unconfined_t) + userdom_manage_tmp_role(unconfined_r, unconfined_t) +@@ -253,14 +250,3 @@ unconfined_domain_noaudit(unconfined_execmem_t) + optional_policy(` + unconfined_dbus_chat(unconfined_execmem_t) + ') +- +-######################################## +-# +-# Unconfined seuser +-# +- +-ifdef(`direct_sysadm_daemon',` +- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +-',` +- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - 
mls_systemhigh, mcs_allcats) +-') +diff --git a/policy/users b/policy/users +index 25402afd8..ca203758c 100644 +--- a/policy/users ++++ b/policy/users +@@ -28,6 +28,13 @@ gen_user(user_u, user, user_r, s0, s0) + gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) + gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) + ++# Until order dependence is fixed for users: ++ifdef(`direct_sysadm_daemon',` ++ gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) ++',` ++ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) ++') ++ + # + # The following users correspond to Unix identities. + # These identities are typically assigned as the user attribute +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch index 5815b47..26b1d9c 100644 --- a/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch +++ b/recipes-security/refpolicy/refpolicy/0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch @@ -1,4 +1,4 @@ -From bd8d0af36d8f6eb0f25c43b94e31e93d4ac7513b Mon Sep 17 00:00:00 2001 +From 1fd50ccbfb7943a4e479af91d308f433f1f0ec8a Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 20:48:10 -0400 Subject: [PATCH] fc/subs/busybox: set aliases for bin, sbin and usr 
diff --git a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-allow-systemd-networkd-to-accept-a.patch similarity index 49% rename from recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch rename to recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-allow-systemd-networkd-to-accept-a.patch index 72c5374..e4d697c 100644 --- a/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-enable-nscd_use_shm.patch +++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-minimum-allow-systemd-networkd-to-accept-a.patch @@ -1,7 +1,8 @@ -From 9494c078e1aea2ab6ecdf0c3ca01e2d3941b11a7 Mon Sep 17 00:00:00 2001 +From 805d55ae146a21575b013e041cec7f97899d39ae Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 26 Feb 2021 09:13:23 +0800 -Subject: [PATCH] refpolicy-minimum: enable nscd_use_shm +Subject: [PATCH] refpolicy-minimum: allow systemd-networkd to accept and + listen socket Fixes: avc: denied { listen } for pid=340 comm="systemd-network" @@ -26,22 +27,21 @@ Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Yi Zhao --- - policy/modules/services/nscd.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) -diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te -index ffc60497c..d226f1145 100644 ---- a/policy/modules/services/nscd.te -+++ b/policy/modules/services/nscd.te -@@ -15,7 +15,7 @@ gen_require(` - ## can use nscd shared memory. - ##

- ## --gen_tunable(nscd_use_shm, false) -+gen_tunable(nscd_use_shm, true) - - attribute_role nscd_roles; +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 45d4db784..af0e05e9d 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1305,6 +1305,7 @@ allow systemd_networkd_t self:rawip_socket create_socket_perms; + allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; + allow systemd_networkd_t self:udp_socket create_socket_perms; + allow systemd_networkd_t self:unix_dgram_socket create_socket_perms; ++allow systemd_networkd_t self:unix_stream_socket { accept listen }; + manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t) + manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t) -- 2.25.1 diff --git a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-make-unconfined_u-the-default-sel.patch similarity index 98% rename from recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch rename to recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-make-unconfined_u-the-default-sel.patch index ba472d7..57eb976 100644 --- a/recipes-security/refpolicy/refpolicy/0001-refpolicy-targeted-make-unconfined_u-the-default-sel.patch +++ b/recipes-security/refpolicy/refpolicy/0002-refpolicy-targeted-make-unconfined_u-the-default-sel.patch @@ -1,4 +1,4 @@ -From 38cac8a2f2ec94bbc9b6d04ffcc35b7459c05b11 Mon Sep 17 00:00:00 2001 +From 0b299c6f8950cbba592a366e93f9ecb0605ffe9a Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Mon, 20 Apr 2020 11:50:03 +0800 Subject: [PATCH] refpolicy-targeted: make unconfined_u the default selinux 
diff --git a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch index 6e82aee..e2dd9e0 100644 --- a/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch +++ b/recipes-security/refpolicy/refpolicy/0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch @@ -1,4 +1,4 @@ -From b8ec557e6aa310c65d9183ae741e649eae1c3619 Mon Sep 17 00:00:00 2001 +From db25a33d356c7c273c1bcee33bd1f5df80bf29b0 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] fc/hostname: apply policy to common yocto hostname diff --git a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch index 27f2ea8..f5a012f 100644 --- a/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch +++ b/recipes-security/refpolicy/refpolicy/0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch @@ -1,4 +1,4 @@ -From ddba777d85a78cb372a84f4ff003888e1ba06afa Mon Sep 17 00:00:00 2001 +From 2016c05b60f0d81294ccccc4242e03d4143b843e Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 21:37:32 -0400 Subject: [PATCH] fc/bash: apply /usr/bin/bash context to /bin/bash.bash @@ -15,7 +15,7 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 04d6caa80..7d2efef0a 100644 +index 9ac701579..b1163fdbb 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -147,6 +147,7 @@ ifdef(`distro_gentoo',` 
diff --git a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch index 3c5f5ae..f039ebe 100644 --- a/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch +++ b/recipes-security/refpolicy/refpolicy/0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch @@ -1,4 +1,4 @@ -From 3f24037dd9c0c468d4182d6b047a9baa2469726a Mon Sep 17 00:00:00 2001 +From e2a5ddc7235c9cf248a9d860ab8d0d71ec42e7a7 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 4 Apr 2019 10:45:03 -0400 Subject: [PATCH] fc/resolv.conf: label resolv.conf in var/run/ properly diff --git a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch index 53bb1e7..346b0db 100644 --- a/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch +++ b/recipes-security/refpolicy/refpolicy/0006-fc-login-apply-login-context-to-login.shadow.patch @@ -1,4 +1,4 @@ -From b318d4d8feb1a021e63d38ac2bea4abe834c4e3b Mon Sep 17 00:00:00 2001 +From 59b9c22802488a693d40e7570536cca89bdc58ee Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 21:43:53 -0400 Subject: [PATCH] fc/login: apply login context to login.shadow @@ -12,7 +12,7 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index fcdd38d6d..c7e7b64a9 100644 +index eca178a2e..ddf5ecec2 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -8,6 +8,7 @@ diff --git a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch index c6e4662..d8c8489 100644 
--- a/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0007-fc-hwclock-add-hwclock-alternatives.patch @@ -1,4 +1,4 @@ -From 78e157da0424e06347030577dcdd00f3e6c085ef Mon Sep 17 00:00:00 2001 +From 9a551208b7e1ebd451115ea36cde1536f34f3866 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Thu, 28 Mar 2019 21:59:18 -0400 Subject: [PATCH] fc/hwclock: add hwclock alternatives diff --git a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch index 59770e2..8d6b7b2 100644 --- a/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch @@ -1,4 +1,4 @@ -From d15ee4e3684c52af2caa3af2c24af73ab7ceb677 Mon Sep 17 00:00:00 2001 +From c67674b38368f5d584fd3013f0193b6e6e733a66 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Fri, 29 Mar 2019 08:26:55 -0400 Subject: [PATCH] fc/dmesg: apply policy to dmesg alternatives diff --git a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch index 84c5b62..4660bca 100644 --- a/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0009-fc-ssh-apply-policy-to-ssh-alternatives.patch @@ -1,4 +1,4 @@ -From f287a7b6b9a41963cec1e9bf70eff99e840c9cc3 Mon Sep 17 00:00:00 2001 +From 0493199f682a52c097ae81ac96118295e47bdf90 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Fri, 29 Mar 2019 09:20:58 -0400 Subject: [PATCH] fc/ssh: apply policy to ssh alternatives @@ -12,7 +12,7 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) 
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc -index a30d01afc..e033d1a70 100644 +index 93bfa8d26..7b7e567f9 100644 --- a/policy/modules/services/ssh.fc +++ b/policy/modules/services/ssh.fc @@ -4,6 +4,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch index 08d6a80..7c092ee 100644 --- a/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch +++ b/recipes-security/refpolicy/refpolicy/0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch @@ -1,4 +1,4 @@ -From fcfd91661ea05b5967f75927116056924e972214 Mon Sep 17 00:00:00 2001 +From 53c2af24e86b3ab9be5a982958bb0e5c9e8c1360 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Tue, 9 Jun 2015 21:22:52 +0530 Subject: [PATCH] fc/sysnetwork: apply policy to network commands alternatives diff --git a/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch index 4420b33..f487090 100644 --- a/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch +++ b/recipes-security/refpolicy/refpolicy/0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch @@ -1,4 +1,4 @@ -From 6e5d4763c0e3e7b2b819694d85710128f4e0ff28 Mon Sep 17 00:00:00 2001 +From 2df4a4620b74973ceafde3732273234de9668fe3 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Fri, 29 Mar 2019 09:54:07 -0400 Subject: [PATCH] fc/rpm: apply rpm_exec policy to cpio binaries diff --git a/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch index 699fa77..c84de1b 100644 
--- a/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0012-fc-su-apply-policy-to-su-alternatives.patch @@ -1,4 +1,4 @@ -From ca60691cffdf516f3f09cee23874a49d890c9de8 Mon Sep 17 00:00:00 2001 +From 0d026ac95a9da5e345e5b7fbaded216396e12bde Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Thu, 13 Feb 2014 00:33:07 -0500 Subject: [PATCH] fc/su: apply policy to su alternatives diff --git a/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch index 7e56e75..0ef343d 100644 --- a/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch +++ b/recipes-security/refpolicy/refpolicy/0013-fc-fstools-fix-real-path-for-fstools.patch @@ -1,4 +1,4 @@ -From f6a42851e3abe274a733f92f90541de3047e5d74 Mon Sep 17 00:00:00 2001 +From 09de3f9093cde03bf906411403ff43a25290bd6b Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Mon, 27 Jan 2014 03:54:01 -0500 Subject: [PATCH] fc/fstools: fix real path for fstools @@ -14,10 +14,10 @@ Signed-off-by: Yi Zhao 1 file changed, 10 insertions(+) diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc -index 63423802d..124109a68 100644 +index 9064ab52e..5962e5736 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc -@@ -58,7 +58,9 @@ +@@ -57,7 +57,9 @@ /usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/badblocks -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0) 
@@ -27,8 +27,8 @@ index 63423802d..124109a68 100644 /usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -72,10 +74,13 @@ - /usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0) +@@ -70,10 +72,13 @@ + /usr/sbin/e2mmpstatus -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) +/usr/sbin/fdisk\.util-linux -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -41,7 +41,7 @@ index 63423802d..124109a68 100644 /usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -83,13 +88,16 @@ +@@ -81,13 +86,16 @@ /usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) @@ -58,7 +58,7 @@ index 63423802d..124109a68 100644 /usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0) -@@ -99,8 +107,10 @@ +@@ -97,8 +105,10 @@ /usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch index 40e5413..a483165 100644 
--- a/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch +++ b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch @@ -1,4 +1,4 @@ -From eecf36ae218ee0d85fd07a14bfbcb6636ab84095 Mon Sep 17 00:00:00 2001 +From a76963ea8a74c818bd03acae75ae86db59c366e7 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] fc/init: fix update-alternatives for sysvinit @@ -27,7 +27,7 @@ index 2e47783c2..e359539be 100644 /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 7d2efef0a..9a5711a83 100644 +index b1163fdbb..1c2553d21 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -156,6 +156,8 @@ ifdef(`distro_gentoo',` diff --git a/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch index fa9e849..855446c 100644 --- a/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0015-fc-brctl-apply-policy-to-brctl-alternatives.patch @@ -1,4 +1,4 @@ -From e26d8e3eea2cab884562793221ce9b8c39c614cc Mon Sep 17 00:00:00 2001 +From 19c91699eda904d2c377a29c62bdf6be1ebf59f7 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 15 Nov 2019 10:19:54 +0800 Subject: [PATCH] fc/brctl: apply policy to brctl alternatives diff --git a/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch index eb49b01..220a9b8 100644 --- a/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch 
+++ b/recipes-security/refpolicy/refpolicy/0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch @@ -1,4 +1,4 @@ -From 48b69b97a52cf782fbc54f5e55e92ee81466d0bc Mon Sep 17 00:00:00 2001 +From 3b40ac147bc2e1a1d387d519fd1710e92d934b4e Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 15 Nov 2019 10:21:51 +0800 Subject: [PATCH] fc/corecommands: apply policy to nologin alternatives @@ -11,10 +11,10 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 9a5711a83..c9009af5f 100644 +index 1c2553d21..65178ba32 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc -@@ -311,6 +311,8 @@ ifdef(`distro_debian',` +@@ -312,6 +312,8 @@ ifdef(`distro_debian',` /usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0) /usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0) /usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0) diff --git a/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch index 63fa13a..29a9a05 100644 --- a/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch @@ -1,4 +1,4 @@ -From 29e16342861e11d6463ec63ffbe55d1665d05e7d Mon Sep 17 00:00:00 2001 +From 07657262d8ac7304f8dd0224e3daaecc925d4392 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 15 Nov 2019 10:43:28 +0800 Subject: [PATCH] fc/locallogin: apply policy to sulogin alternatives diff --git a/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch index 1947803..c16b3d0 100644 
--- a/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch @@ -1,4 +1,4 @@ -From c1847b18ed1b1a18dbafc735bfb1368c2abb9d55 Mon Sep 17 00:00:00 2001 +From 85f3abe44a579ddff62fa3ef774c9d53c3bb35e4 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 15 Nov 2019 10:45:23 +0800 Subject: [PATCH] fc/ntp: apply policy to ntpd alternatives diff --git a/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch index 4248605..bcbc59f 100644 --- a/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch @@ -1,4 +1,4 @@ -From 1400afd28f2cd886bae487fb17811a5fd98b86b9 Mon Sep 17 00:00:00 2001 +From b23752c14edcda3a5d25c386986cb2a53f68df71 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 15 Nov 2019 10:55:05 +0800 Subject: [PATCH] fc/kerberos: apply policy to kerberos alternatives diff --git a/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch index c0aa11b..111af65 100644 --- a/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0020-fc-ldap-apply-policy-to-ldap-alternatives.patch @@ -1,4 +1,4 @@ -From 53370099eb97c008460bb7b99817737beb94a9bf Mon Sep 17 00:00:00 2001 +From e86acf68aec0f34bd0d0e41cedbaf4e1584d1a74 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 15 Nov 2019 11:06:13 +0800 Subject: [PATCH] fc/ldap: apply policy to ldap alternatives 
diff --git a/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch index d76d2e3..c5f190a 100644 --- a/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch +++ b/recipes-security/refpolicy/refpolicy/0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch @@ -1,4 +1,4 @@ -From 67fda1f031d70d1281b058a5f3a31e220b052d21 Mon Sep 17 00:00:00 2001 +From e237a9acdb30805eec7f7baea6265a4595f93b9d Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 15 Nov 2019 11:13:16 +0800 Subject: [PATCH] fc/postgresql: apply policy to postgresql alternatives diff --git a/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch index 2fe39bf..0ce9694 100644 --- a/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0022-fc-screen-apply-policy-to-screen-alternatives.patch @@ -1,4 +1,4 @@ -From fb72a7ca4963a7537bcb98a730025f6f8941d146 Mon Sep 17 00:00:00 2001 +From 83195f523c21392d9be0af8cd3bc358bd42f882c Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 15 Nov 2019 11:15:33 +0800 Subject: [PATCH] fc/screen: apply policy to screen alternatives diff --git a/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch index 0d95b3c..c4bcc75 100644 --- a/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch +++ b/recipes-security/refpolicy/refpolicy/0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch 
@@ -1,4 +1,4 @@ -From 343389daef155325172928f7d5608e638897775d Mon Sep 17 00:00:00 2001 +From 75bc058a2571dc61b74b18647fa0288b9c47d628 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 15 Nov 2019 11:25:34 +0800 Subject: [PATCH] fc/usermanage: apply policy to usermanage alternatives diff --git a/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch index 3066e52..c06c824 100644 --- a/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch +++ b/recipes-security/refpolicy/refpolicy/0024-fc-getty-add-file-context-to-start_getty.patch @@ -1,4 +1,4 @@ -From 23cef56ad581ee4579ab6ee26c9dd8b114816b6b Mon Sep 17 00:00:00 2001 +From 5b7b58fb5b23b4ccc427233061ba816b45faaca3 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 15 Nov 2019 16:07:30 +0800 Subject: [PATCH] fc/getty: add file context to start_getty diff --git a/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch index 7e596ef..670446b 100644 --- a/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch +++ b/recipes-security/refpolicy/refpolicy/0025-fc-vlock-apply-policy-to-vlock-alternatives.patch @@ -1,4 +1,4 @@ -From 32988df0a389ef480334dffce4d5cc96b0f1012e Mon Sep 17 00:00:00 2001 +From 6e72fd53bbadf600c06c3f25dfd502e6a9c502fb Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 18 Dec 2019 15:04:41 +0800 Subject: [PATCH] fc/vlock: apply policy to vlock alternatives diff --git a/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch index 4fe9ee9..84af1fa 100644 
--- a/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch +++ b/recipes-security/refpolicy/refpolicy/0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch @@ -1,4 +1,4 @@ -From 8586fbe84abd716a425e13e8b48179a08e210db2 Mon Sep 17 00:00:00 2001 +From 7f58d61471a45851dd162c2b4bd9733a5311c0b9 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Tue, 30 Jun 2020 10:45:57 +0800 Subject: [PATCH] fc: add fcontext for init scripts and systemd service files @@ -14,7 +14,7 @@ Signed-off-by: Yi Zhao 4 files changed, 5 insertions(+) diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc -index 827363d88..e8412396d 100644 +index e71ad22c1..bb1351732 100644 --- a/policy/modules/services/cron.fc +++ b/policy/modules/services/cron.fc @@ -1,4 +1,5 @@ @@ -34,7 +34,7 @@ index 382c067f9..0ecc5acc4 100644 /usr/bin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0) diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc -index 7edc09fac..7416fa39f 100644 +index 3b6d1c930..4949d995a 100644 --- a/policy/modules/services/rpc.fc +++ b/policy/modules/services/rpc.fc @@ -2,7 +2,9 @@ @@ -46,7 +46,7 @@ index 7edc09fac..7416fa39f 100644 +/etc/rc\.d/init\.d/nfscommon -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0) - /usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) + /usr/bin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0) diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 3b0dea51b..0ce2bec4b 100644 --- a/policy/modules/system/logging.fc diff --git a/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch index 0ad146d..a2a1de8 100644 
--- a/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch +++ b/recipes-security/refpolicy/refpolicy/0027-file_contexts.subs_dist-set-aliase-for-root-director.patch @@ -1,4 +1,4 @@ -From 20f43a932c5f7369a446707624d12285035b72fc Mon Sep 17 00:00:00 2001 +From de259386cb52e44dd00534f598800a23be0d7689 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Sun, 5 Apr 2020 22:03:45 +0800 Subject: [PATCH] file_contexts.subs_dist: set aliase for /root directory diff --git a/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch index a433cb7..7aaf702 100644 --- a/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch +++ b/recipes-security/refpolicy/refpolicy/0028-policy-modules-system-logging-add-rules-for-the-syml.patch @@ -1,4 +1,4 @@ -From 97839d4388be64e168613c2ea3202a76e58fb656 Mon Sep 17 00:00:00 2001 +From 5147059bcfce76f04c4bacaadc4007588b6a722f Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of diff --git a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch index 2465417..2b43530 100644 --- a/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch +++ b/recipes-security/refpolicy/refpolicy/0029-policy-modules-system-logging-add-rules-for-syslogd-.patch @@ -1,4 +1,4 @@ -From 9bd0c30476615fd4af29a9dd5b3b664398a9845a Mon Sep 17 00:00:00 2001 +From e2ce1a7a491ee079b9e393ba6bc6c17d457959f4 Mon Sep 17 00:00:00 2001 
From: Joe MacDonald Date: Fri, 29 Mar 2019 10:33:18 -0400 Subject: [PATCH] policy/modules/system/logging: add rules for syslogd symlink @@ -18,7 +18,7 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index eea78ffc5..5f06428f1 100644 +index 11bbbc113..38e0b4766 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -425,6 +425,7 @@ files_search_spool(syslogd_t) diff --git a/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch index 6c5731b..6256789 100644 --- a/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch +++ b/recipes-security/refpolicy/refpolicy/0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch @@ -1,4 +1,4 @@ -From 6293ec11e3c471b54c328f56f20c694b7287885f Mon Sep 17 00:00:00 2001 +From da3cf0879a8e34996125871e8d1336726f715acb Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] policy/modules/kernel/files: add rules for the symlink of @@ -30,10 +30,10 @@ index b1728d37c..c5012e6b4 100644 /tmp/\.journal <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 811efef94..00146fc23 100644 +index e1fafd4ab..dbd7efa60 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if -@@ -4880,6 +4880,7 @@ interface(`files_search_tmp',` +@@ -4897,6 +4897,7 @@ interface(`files_search_tmp',` ') allow $1 tmp_t:dir search_dir_perms; @@ -41,7 +41,7 @@ index 811efef94..00146fc23 100644 ') ######################################## -@@ -4916,6 +4917,7 @@ interface(`files_list_tmp',` +@@ -4933,6 +4934,7 @@ interface(`files_list_tmp',` ') allow $1 tmp_t:dir list_dir_perms; 
@@ -49,7 +49,7 @@ index 811efef94..00146fc23 100644 ') ######################################## -@@ -4952,6 +4954,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4969,6 +4971,7 @@ interface(`files_delete_tmp_dir_entry',` ') allow $1 tmp_t:dir del_entry_dir_perms; @@ -57,7 +57,7 @@ index 811efef94..00146fc23 100644 ') ######################################## -@@ -4970,6 +4973,7 @@ interface(`files_read_generic_tmp_files',` +@@ -4987,6 +4990,7 @@ interface(`files_read_generic_tmp_files',` ') read_files_pattern($1, tmp_t, tmp_t) @@ -65,7 +65,7 @@ index 811efef94..00146fc23 100644 ') ######################################## -@@ -4988,6 +4992,7 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -5005,6 +5009,7 @@ interface(`files_manage_generic_tmp_dirs',` ') manage_dirs_pattern($1, tmp_t, tmp_t) @@ -73,7 +73,7 @@ index 811efef94..00146fc23 100644 ') ######################################## -@@ -5024,6 +5029,7 @@ interface(`files_manage_generic_tmp_files',` +@@ -5041,6 +5046,7 @@ interface(`files_manage_generic_tmp_files',` ') manage_files_pattern($1, tmp_t, tmp_t) @@ -81,7 +81,7 @@ index 811efef94..00146fc23 100644 ') ######################################## -@@ -5060,6 +5066,7 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -5077,6 +5083,7 @@ interface(`files_rw_generic_tmp_sockets',` ') rw_sock_files_pattern($1, tmp_t, tmp_t) @@ -89,7 +89,7 @@ index 811efef94..00146fc23 100644 ') ######################################## -@@ -5267,6 +5274,7 @@ interface(`files_tmp_filetrans',` +@@ -5284,6 +5291,7 @@ interface(`files_tmp_filetrans',` ') filetrans_pattern($1, tmp_t, $2, $3, $4) diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch index 9ddeb9f..b6ec45c 100644 --- a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch 
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch @@ -1,4 +1,4 @@ -From 40ddb313a0cb04b3e9b180e04d3427715de58aee Mon Sep 17 00:00:00 2001 +From 59c29aa28424cf61f6b71a9022dced52d5b58c8f Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures @@ -17,7 +17,7 @@ Signed-off-by: Yi Zhao 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 5f06428f1..3ffddcb0a 100644 +index 38e0b4766..a1912254e 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -117,6 +117,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; diff --git a/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch index 8af397d..77d59b8 100644 --- a/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch +++ b/recipes-security/refpolicy/refpolicy/0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch @@ -1,4 +1,4 @@ -From 857a2cf93f6194d04ae8d2a8a544422e8a021e85 Mon Sep 17 00:00:00 2001 +From 81222e113818c210d4c2a65567d0b464f96b0523 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] policy/modules/kernel/terminal: don't audit tty_device_t in diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-systemd-enable-support-for-sys.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-systemd-enable-support-for-sys.patch index 82fe4ff..0ffd2f7 100644 --- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-systemd-enable-support-for-sys.patch +++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-systemd-enable-support-for-sys.patch 
@@ -1,4 +1,4 @@ -From 44fe25734126ae52d95456992d6a5257bb28a5c2 Mon Sep 17 00:00:00 2001 +From 1c992963d7006927a79c9009c372ab9593b5bb95 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Thu, 4 Feb 2016 06:03:19 -0500 Subject: [PATCH] policy/modules/system/systemd: enable support for @@ -29,7 +29,7 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index d58aba30b..8ae917644 100644 +index 523e49f14..e48a8c26f 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -10,7 +10,7 @@ policy_module(systemd) diff --git a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-logging-allow-systemd-tmpfiles.patch b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-logging-allow-systemd-tmpfiles.patch index 334872a..9c5b172 100644 --- a/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-logging-allow-systemd-tmpfiles.patch +++ b/recipes-security/refpolicy/refpolicy/0034-policy-modules-system-logging-allow-systemd-tmpfiles.patch @@ -1,4 +1,4 @@ -From 07582b5efbc4fd199e80d9cc9b8144e4c88e0a2b Mon Sep 17 00:00:00 2001 +From 803bb22683f9265837d0a0713d1f49003eb33ac8 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Sat, 30 Sep 2023 17:20:29 +0800 Subject: [PATCH] policy/modules/system/logging: allow systemd-tmpfiles to @@ -24,7 +24,7 @@ Signed-off-by: Yi Zhao 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 3ffddcb0a..df6095805 100644 +index a1912254e..481ae9d14 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -27,6 +27,10 @@ type auditd_log_t; 
diff --git a/recipes-security/refpolicy/refpolicy/0036-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch similarity index 91% rename from recipes-security/refpolicy/refpolicy/0036-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch rename to recipes-security/refpolicy/refpolicy/0035-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch index 3461d66..e0feada 100644 --- a/recipes-security/refpolicy/refpolicy/0036-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch +++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch @@ -1,4 +1,4 @@ -From be2a2d244fd95e4207986fa095988a02cb33cb32 Mon Sep 17 00:00:00 2001 +From c89141ec6fc96e304a8dac16fa5f4e45fa802201 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 28 Oct 2022 11:56:09 +0800 Subject: [PATCH] policy/modules/roles/sysadm: allow sysadm to use init file @@ -19,7 +19,7 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 69777df20..af5ccca9d 100644 +index acf2c67ae..0c96829a9 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -95,6 +95,8 @@ ifdef(`init_systemd',` diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-allow-systemd_logind_t.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-allow-systemd_logind_t.patch deleted file mode 100644 index 39902dd..0000000 --- a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-systemd-allow-systemd_logind_t.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 13ad5906311d8e0be5547326c106d9b5ce8481ab Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Sat, 18 Dec 2021 09:26:43 +0800 -Subject: [PATCH] policy/modules/system/systemd: allow systemd_logind_t to read - the process state of all domains - -We encountered the following su runtime error: -$ useradd user1 -$ passwd user1 -New password: -Retype new password: -passwd: password updated successfully -$ su - user1 -Session terminated, terminating shell...Hangup - -Fixes: -avc: denied { use } for pid=344 comm="su" -path="/run/systemd/sessions/c4.ref" dev="tmpfs" ino=661 -scontext=root:sysadm_r:sysadm_su_t -tcontext=system_u:system_r:systemd_logind_t tclass=fd permissive=0 - -Upstream-Status: Pending - -Signed-off-by: Yi Zhao ---- - policy/modules/system/systemd.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 8ae917644..9375e8926 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1056,6 +1056,7 @@ userdom_relabelfrom_user_runtime_dirs(systemd_logind_t) - userdom_relabelto_user_runtime_dirs(systemd_logind_t) - userdom_setattr_user_ttys(systemd_logind_t) - userdom_use_user_ttys(systemd_logind_t) -+domain_read_all_domains_state(systemd_logind_t) - - # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x - # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0037-policy-modules-system-systemd-systemd-user-fixes.patch b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-systemd-user-fixes.patch similarity index 93% rename from recipes-security/refpolicy/refpolicy/0037-policy-modules-system-systemd-systemd-user-fixes.patch rename to recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-systemd-user-fixes.patch index 02e7541..fb3146a 100644 
--- a/recipes-security/refpolicy/refpolicy/0037-policy-modules-system-systemd-systemd-user-fixes.patch +++ b/recipes-security/refpolicy/refpolicy/0036-policy-modules-system-systemd-systemd-user-fixes.patch @@ -1,4 +1,4 @@ -From d57677139a8fc837ede3430986bea0c42f49fc97 Mon Sep 17 00:00:00 2001 +From b2271a808dcc39a199729cbc3884577a5359bb63 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 4 Feb 2021 10:48:54 +0800 Subject: [PATCH] policy/modules/system/systemd: systemd --user fixes @@ -31,10 +31,10 @@ Signed-off-by: Yi Zhao 2 files changed, 34 insertions(+) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index e62e8344a..96b5d31b4 100644 +index 0f92c23bd..1ae6195a1 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if -@@ -230,6 +230,36 @@ template(`systemd_role_template',` +@@ -236,6 +236,36 @@ template(`systemd_role_template',` ') ') @@ -72,7 +72,7 @@ index e62e8344a..96b5d31b4 100644 ## ## Allow the specified domain to be started as a daemon by the diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 73bb7c410..ea7a90a5d 100644 +index 677bad480..d2e5feda7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1467,6 +1467,10 @@ template(`userdom_admin_user_template',` diff --git a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-logging-grant-getpcap-capabili.patch b/recipes-security/refpolicy/refpolicy/0037-policy-modules-system-logging-grant-getpcap-capabili.patch similarity index 92% rename from recipes-security/refpolicy/refpolicy/0038-policy-modules-system-logging-grant-getpcap-capabili.patch rename to recipes-security/refpolicy/refpolicy/0037-policy-modules-system-logging-grant-getpcap-capabili.patch index 3f8d1bd..8885851 100644 --- a/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-logging-grant-getpcap-capabili.patch 
+++ b/recipes-security/refpolicy/refpolicy/0037-policy-modules-system-logging-grant-getpcap-capabili.patch @@ -1,4 +1,4 @@ -From c54c53f8765c4401aa4c1b4a6204c8b538c008ad Mon Sep 17 00:00:00 2001 +From 74f4dd3dfdd0356171a7ce08c5d5c797c57dbe4a Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Tue, 28 May 2024 11:21:48 +0800 Subject: [PATCH] policy/modules/system/logging: grant getpcap capability to @@ -21,7 +21,7 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index df6095805..086498936 100644 +index 481ae9d14..be602fc7f 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -402,6 +402,8 @@ optional_policy(` diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-allow-services-to-read-tmpfs-u.patch b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-allow-services-to-read-tmpfs-u.patch similarity index 95% rename from recipes-security/refpolicy/refpolicy/0039-policy-modules-system-allow-services-to-read-tmpfs-u.patch rename to recipes-security/refpolicy/refpolicy/0038-policy-modules-system-allow-services-to-read-tmpfs-u.patch index 1324a17..b4b8291 100644 --- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-allow-services-to-read-tmpfs-u.patch +++ b/recipes-security/refpolicy/refpolicy/0038-policy-modules-system-allow-services-to-read-tmpfs-u.patch @@ -1,4 +1,4 @@ -From 33bc8d28c406ffd7a6aef2f390734b3f5bdfc5a3 Mon Sep 17 00:00:00 2001 +From 0047cbb8997d9d36613dcee9b60430fa44025713 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 30 Aug 2024 12:39:48 +0800 Subject: [PATCH] policy/modules/system: allow services to read tmpfs under @@ -67,7 +67,7 @@ index a900226bf..75b94785b 100644 mcs_process_set_categories(getty_t) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 086498936..dca46f105 100644 +index be602fc7f..dbb9c62c9 100644 
--- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -491,6 +491,7 @@ files_read_kernel_symbol_table(syslogd_t) @@ -79,10 +79,10 @@ index 086498936..dca46f105 100644 mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 9375e8926..24fc90838 100644 +index e48a8c26f..23f7a6027 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te -@@ -1294,6 +1294,7 @@ files_watch_root_dirs(systemd_networkd_t) +@@ -1332,6 +1332,7 @@ files_watch_root_dirs(systemd_networkd_t) files_list_runtime(systemd_networkd_t) fs_getattr_all_fs(systemd_networkd_t) @@ -91,7 +91,7 @@ index 9375e8926..24fc90838 100644 fs_read_nsfs_files(systemd_networkd_t) fs_watch_memory_pressure(systemd_networkd_t) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index b2e43aa7d..f543a48d2 100644 +index 620de7e2e..ccb073351 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -142,6 +142,7 @@ files_dontaudit_getattr_tmp_dirs(udev_t) diff --git a/recipes-security/refpolicy/refpolicy/0040-policy-modules-kernel-domain-allow-all-domains-to-co.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-kernel-domain-allow-all-domains-to-co.patch similarity index 95% rename from recipes-security/refpolicy/refpolicy/0040-policy-modules-kernel-domain-allow-all-domains-to-co.patch rename to recipes-security/refpolicy/refpolicy/0039-policy-modules-kernel-domain-allow-all-domains-to-co.patch index e9d9114..a2238b5 100644 --- a/recipes-security/refpolicy/refpolicy/0040-policy-modules-kernel-domain-allow-all-domains-to-co.patch +++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-kernel-domain-allow-all-domains-to-co.patch 
@@ -1,4 +1,4 @@ -From 58adf54a5ef927cda85c11e2c73151d6e91e8294 Mon Sep 17 00:00:00 2001 +From 975472091496c8f6ed6544dd307672ccb97cf958 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 3 Oct 2024 21:12:33 +0800 Subject: [PATCH] policy/modules/kernel/domain: allow all domains to connect to diff --git a/recipes-security/refpolicy/refpolicy/0040-systemd-allow-systemd-logind-to-inherit-fds.patch b/recipes-security/refpolicy/refpolicy/0040-systemd-allow-systemd-logind-to-inherit-fds.patch new file mode 100644 index 0000000..0010a1f --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0040-systemd-allow-systemd-logind-to-inherit-fds.patch 
@@ -0,0 +1,68 @@ +From 9627b5cad0230bc937ba1f2901985afbbc8fcff6 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Tue, 18 Feb 2025 09:54:06 +0800 +Subject: [PATCH] systemd: allow systemd-logind to inherit fds + +Fix the timeout issue after exiting su environment: +root@qemux86-64:~# su - user1 +qemux86-64:~$ exit +logout +root@qemux86-64:~# reboot +Failed to set wall message, ignoring: Connection timed out +Call to Reboot failed: Connection timed out + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao +--- + policy/modules/admin/su.if | 4 ++++ + policy/modules/system/systemd.if | 18 ++++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if +index ebb7ef0e0..0398ce6fd 100644 +--- a/policy/modules/admin/su.if ++++ b/policy/modules/admin/su.if +@@ -232,6 +232,10 @@ template(`su_role_template',` + auth_use_pam_systemd($1_su_t) + ') + ++ ifdef(`init_systemd',` ++ systemd_inherit_logind_fds($1_su_t) ++ ') ++ + tunable_policy(`su_allow_user_exec_domains',` + allow $3 $1_su_t:process signal; + +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 1ae6195a1..99318a3c2 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -1439,6 +1439,24 @@ interface(`systemd_use_logind_fds',` + allow $1 systemd_logind_t:fd use; + ') + ++###################################### ++## ++## Allow systemd logind to inherit fds ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_inherit_logind_fds',` ++ gen_require(` ++ type systemd_logind_t; ++ ') ++ ++ allow systemd_logind_t $1:fd use; ++') ++ + ###################################### + ## + ## Watch logind sessions dirs. +-- +2.25.1 + 
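Review bot: In the interface added to systemd.if, the name `systemd_inherit_logind_fds` and its summary "Allow systemd logind to inherit fds" read as if the caller receives logind's descriptors, but the rule is `allow systemd_logind_t $1:fd use;`, the reverse of `systemd_use_logind_fds` directly above it (`allow $1 systemd_logind_t:fd use;`). Please make the summary and the parameter description say that `$1` is the domain whose file descriptors logind may use, so callers do not pick the wrong one of the two. The commit message also shows only the reboot timeout symptom; unlike 0041 and the removed 0035 patch it quotes no AVC denial, so a reader cannot confirm that `fd use` on `$1_su_t` is the minimal permission needed. Adding the denial would settle that.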
diff --git a/recipes-security/refpolicy/refpolicy/0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch b/recipes-security/refpolicy/refpolicy/0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch new file mode 100644 index 0000000..f3833a4 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch 
@@ -0,0 +1,107 @@ +From a39879ca482b525ae2b48bf8708615c923df0575 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Tue, 18 Feb 2025 15:26:19 +0800 +Subject: [PATCH] systemd: allow systemd-tmpfiles to read bin_t symlink + +Fixes: +avc: denied { getattr } for pid=279 comm="systemd-tmpfile" +path="/etc/profile.d/70-systemd-shell-extra.sh" dev="vda" ino=172 +scontext=system_u:system_r:systemd_tmpfiles_t +tcontext=system_u:object_r:bin_t tclass=lnk_file permissive=0 + +Feb 17 10:16:25 qemux86-64 systemd-tmpfiles[279]: Failed to +fstat(/etc/profile.d/70-systemd-shell-extra.sh): Permission denied + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao +--- + policy/modules/kernel/corecommands.fc | 1 + + policy/modules/kernel/corecommands.if | 18 ++++++++++++++++++ + policy/modules/system/systemd.if | 1 + + policy/modules/system/systemd.te | 5 +++++ + 4 files changed, 25 insertions(+) + +diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc +index 65178ba32..c7e3d2dae 100644 +--- a/policy/modules/kernel/corecommands.fc ++++ b/policy/modules/kernel/corecommands.fc +@@ -241,6 +241,7 @@ ifdef(`distro_gentoo',` + /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/lib/systemd/profile\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/systemd/system-sleep(/.*)? 
gen_context(system_u:object_r:bin_t,s0) +diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if +index 08ed91f19..0fa4cbf7d 100644 +--- a/policy/modules/kernel/corecommands.if ++++ b/policy/modules/kernel/corecommands.if +@@ -842,3 +842,21 @@ interface(`corecmd_mmap_all_executables',` + corecmd_search_bin($1) + mmap_exec_files_pattern($1, bin_t, exec_type) + ') ++ ++######################################## ++## ++## Read symbolic links of bin_t files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_bin_symlinks',` ++ gen_require(` ++ type bin_t; ++ ') ++ ++ read_lnk_files_pattern($1, bin_t, bin_t) ++') +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 99318a3c2..7654d1076 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -146,6 +146,7 @@ template(`systemd_role_template',` + userdom_exec_user_bin_files($1_systemd_t) + + # user systemd-tmpfiles rules ++ allow $1_systemd_tmpfiles_t self:capability net_admin; + allow $1_systemd_tmpfiles_t $1_systemd_t:unix_stream_socket rw_socket_perms; + domtrans_pattern($1_systemd_t, systemd_tmpfiles_exec_t, $1_systemd_tmpfiles_t) + read_files_pattern($1_systemd_t, $1_systemd_tmpfiles_t, $1_systemd_tmpfiles_t) +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 23f7a6027..c605d58de 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -817,6 +817,7 @@ files_read_etc_files(systemd_hostnamed_t) + files_read_etc_runtime_files(systemd_hostnamed_t) + + fs_getattr_all_fs(systemd_hostnamed_t) ++fs_getattr_nsfs_files(systemd_hostnamed_t) + + init_delete_runtime_files(systemd_hostnamed_t) + init_read_runtime_files(systemd_hostnamed_t) +@@ -1705,6 +1706,7 @@ manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_ + init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir) + + 
fs_getattr_all_fs(systemd_rfkill_t) ++fs_getattr_nsfs_files(systemd_rfkill_t) + + kernel_getattr_proc(systemd_rfkill_t) + kernel_read_kernel_sysctls(systemd_rfkill_t) +@@ -1930,6 +1932,9 @@ kernel_getattr_proc(systemd_tmpfiles_t) + kernel_read_kernel_sysctls(systemd_tmpfiles_t) + kernel_read_network_state(systemd_tmpfiles_t) + ++# Allow to read bin_t symlink under /etc/profile.d/ ++fs_read_bin_symlinks(systemd_tmpfiles_t) ++ + dev_getattr_fs(systemd_tmpfiles_t) + dev_manage_all_dev_nodes(systemd_tmpfiles_t) + dev_read_urand(systemd_tmpfiles_t) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-mount-make-mount_t-domain-MLS-.patch similarity index 85% rename from recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch rename to recipes-security/refpolicy/refpolicy/0042-policy-modules-system-mount-make-mount_t-domain-MLS-.patch index 93a52fd..43d4e83 100644 --- a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch +++ b/recipes-security/refpolicy/refpolicy/0042-policy-modules-system-mount-make-mount_t-domain-MLS-.patch @@ -1,4 +1,4 @@ -From fe5fe08deab5f02a3609e5333e09e5e3af05140a Mon Sep 17 00:00:00 2001 +From 87ebadc702f2e3de7c4a8470cffde09a53c8fb8f Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Sat, 15 Feb 2014 04:22:47 -0500 Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted @@ -19,10 +19,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index d9e431a84..20d6aaba1 100644 +index c5727585c..71ff4efd1 100644 --- a/policy/modules/system/mount.te 
+++ b/policy/modules/system/mount.te -@@ -118,6 +118,7 @@ fs_dontaudit_write_all_image_files(mount_t) +@@ -119,6 +119,7 @@ fs_dontaudit_write_all_image_files(mount_t) mls_file_read_all_levels(mount_t) mls_file_write_all_levels(mount_t) diff --git a/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch b/recipes-security/refpolicy/refpolicy/0043-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch similarity index 92% rename from recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch rename to recipes-security/refpolicy/refpolicy/0043-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch index 2e7a206..079510c 100644 --- a/recipes-security/refpolicy/refpolicy/0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch +++ b/recipes-security/refpolicy/refpolicy/0043-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch @@ -1,4 +1,4 @@ -From 7a0339aeba7cfe38b62c81ee4074446bba60e801 Mon Sep 17 00:00:00 2001 +From 4cb4afe1def20e106b0cbac0fb686c28a95ac6d7 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Mon, 28 Jan 2019 14:05:18 +0800 Subject: [PATCH] policy/modules/roles/sysadm: MLS - sysadm rw to clearance @@ -23,7 +23,7 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index af5ccca9d..10cebdc53 100644 +index 0c96829a9..5fbcc7204 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -48,6 +48,8 @@ logging_watch_all_logs(sysadm_t) 
diff --git a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch b/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch similarity index 90% rename from recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch rename to recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch index e37db1b..63e32ec 100644 --- a/recipes-security/refpolicy/refpolicy/0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch +++ b/recipes-security/refpolicy/refpolicy/0044-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch @@ -1,4 +1,4 @@ -From a563f59fe223aa9c74df7a482b5da80ce05fbbf5 Mon Sep 17 00:00:00 2001 +From 7feb72e30444b314c0bf3ca400375b2486d0e7c9 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Fri, 23 Aug 2013 12:01:53 +0800 Subject: [PATCH] policy/modules/services/rpc: make nfsd_t domain MLS trusted @@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao 2 files changed, 7 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8fd1875d3..6c35a2374 100644 +index 65c814a97..da264d081 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -381,6 +381,8 @@ mls_process_read_all_levels(kernel_t) +@@ -378,6 +378,8 @@ mls_process_read_all_levels(kernel_t) mls_process_write_all_levels(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) 
diff --git a/recipes-security/refpolicy/refpolicy/0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch b/recipes-security/refpolicy/refpolicy/0045-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch similarity index 94% rename from recipes-security/refpolicy/refpolicy/0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch rename to recipes-security/refpolicy/refpolicy/0045-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch index 7990e3f..9f53ba7 100644 --- a/recipes-security/refpolicy/refpolicy/0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch +++ b/recipes-security/refpolicy/refpolicy/0045-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch @@ -1,4 +1,4 @@ -From 6bd19ab1f6adac7722ef35c70982efea04b5d91f Mon Sep 17 00:00:00 2001 +From 929d814365465704142aaa3eaa80abad6d03efde Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Tue, 30 Jun 2020 10:18:20 +0800 Subject: [PATCH] policy/modules/admin/dmesg: make dmesg_t MLS trusted reading diff --git a/recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0046-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch similarity index 95% rename from recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch rename to recipes-security/refpolicy/refpolicy/0046-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch index cc603e6..2073395 100644 --- a/recipes-security/refpolicy/refpolicy/0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch +++ b/recipes-security/refpolicy/refpolicy/0046-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch @@ -1,4 +1,4 @@ -From a196f11f4a7f2f96cbf05614513204ca17aa0691 Mon Sep 17 00:00:00 2001 +From 6ebec2a77b771cfcac8a7320eae7a9abde7cfc3a Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Fri, 13 Oct 2017 07:20:40 +0000 Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for 
@@ -59,10 +59,10 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 6c35a2374..ebde22e02 100644 +index da264d081..e84bcf2b6 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -383,6 +383,8 @@ mls_file_write_all_levels(kernel_t) +@@ -380,6 +380,8 @@ mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) mls_socket_write_all_levels(kernel_t) mls_fd_use_all_levels(kernel_t) diff --git a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-init-make-init_t-MLS-trusted-f.patch similarity index 90% rename from recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch rename to recipes-security/refpolicy/refpolicy/0047-policy-modules-system-init-make-init_t-MLS-trusted-f.patch index 95896b2..85095df 100644 --- a/recipes-security/refpolicy/refpolicy/0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch +++ b/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-init-make-init_t-MLS-trusted-f.patch @@ -1,4 +1,4 @@ -From 777e396d61c3af7b847fcc9ebc490f1e5f3969b9 Mon Sep 17 00:00:00 2001 +From 93936c7a0cf671f463b5d3360c6c906df4028e33 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Fri, 15 Jan 2016 03:47:05 -0500 Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for @@ -27,10 +27,10 @@ Signed-off-by: Yi Zhao 1 file changed, 4 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index e724c295e..6ffdb547f 100644 +index 43d62b2e1..039272004 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -238,6 +238,10 @@ mls_process_write_all_levels(init_t) +@@ -239,6 +239,10 @@ mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) mls_process_set_level(init_t) 
diff --git a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-make-systemd-tmpfiles_.patch similarity index 92% rename from recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch rename to recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-make-systemd-tmpfiles_.patch index 8b57c70..fd4d1fe 100644 --- a/recipes-security/refpolicy/refpolicy/0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch +++ b/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-make-systemd-tmpfiles_.patch @@ -1,4 +1,4 @@ -From f87ab013d4dffe5b588376b73c51fbfc5e9b1205 Mon Sep 17 00:00:00 2001 +From a698845641cf86d0cdcab4b014b14757fbc0a605 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Thu, 4 Feb 2016 06:03:19 -0500 Subject: [PATCH] policy/modules/system/systemd: make systemd-tmpfiles_t domain @@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao 1 file changed, 5 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 24fc90838..dc3badece 100644 +index c605d58de..fb75c2f45 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te -@@ -1970,6 +1970,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) +@@ -2024,6 +2024,11 @@ sysnet_relabel_config(systemd_tmpfiles_t) systemd_log_parse_environment(systemd_tmpfiles_t) diff --git a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-systemd-make-systemd_-.patch b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-systemd-make-systemd_-.patch similarity index 88% rename from recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-systemd-make-systemd_-.patch rename to recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-systemd-make-systemd_-.patch index c4b799e..c8cf04a 100644 
--- a/recipes-security/refpolicy/refpolicy/0048-policy-modules-system-systemd-systemd-make-systemd_-.patch +++ b/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-systemd-systemd-make-systemd_-.patch @@ -1,4 +1,4 @@ -From ec080f2b0b18b29e46bded08a0880624e5380026 Mon Sep 17 00:00:00 2001 +From f70cd58e286d417f9024b23056234038629bb75f Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 18 Jun 2020 09:59:58 +0800 Subject: [PATCH] policy/modules/system/systemd: systemd-*: make systemd_*_t @@ -43,10 +43,10 @@ Signed-off-by: Yi Zhao 1 file changed, 12 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index dc3badece..0440b4795 100644 +index fb75c2f45..45d4db784 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te -@@ -430,6 +430,9 @@ files_search_var_lib(systemd_backlight_t) +@@ -439,6 +439,9 @@ files_search_var_lib(systemd_backlight_t) fs_getattr_all_fs(systemd_backlight_t) fs_search_cgroup_dirs(systemd_backlight_t) @@ -56,7 +56,7 @@ index dc3badece..0440b4795 100644 ####################################### # # Binfmt local policy -@@ -603,6 +606,9 @@ term_use_unallocated_ttys(systemd_generator_t) +@@ -616,6 +619,9 @@ term_use_unallocated_ttys(systemd_generator_t) udev_read_runtime_files(systemd_generator_t) @@ -66,9 +66,9 @@ index dc3badece..0440b4795 100644 ifdef(`distro_gentoo',` corecmd_shell_entry_type(systemd_generator_t) ') -@@ -1058,6 +1064,9 @@ userdom_setattr_user_ttys(systemd_logind_t) +@@ -1093,6 +1099,9 @@ userdom_relabelto_user_runtime_dirs(systemd_logind_t) + userdom_setattr_user_ttys(systemd_logind_t) userdom_use_user_ttys(systemd_logind_t) - domain_read_all_domains_state(systemd_logind_t) +mls_file_read_all_levels(systemd_logind_t) +mls_file_write_all_levels(systemd_logind_t) 
@@ -76,7 +76,7 @@ index dc3badece..0440b4795 100644 # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x # The change in systemd by Nicolas Iooss on 02-Feb-2016 with hash 4b51966cf6c06250036e428608da92f8640beb96 # should fix the problem where user directories in /run/user/$UID/ are not getting the proper context -@@ -1681,6 +1690,9 @@ udev_read_runtime_files(systemd_rfkill_t) +@@ -1722,6 +1731,9 @@ udev_read_runtime_files(systemd_rfkill_t) systemd_log_parse_environment(systemd_rfkill_t) diff --git a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-add-the-syslogd_t-to-t.patch similarity index 92% rename from recipes-security/refpolicy/refpolicy/0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch rename to recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-add-the-syslogd_t-to-t.patch index 06e4775..4b70735 100644 --- a/recipes-security/refpolicy/refpolicy/0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch +++ b/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-logging-add-the-syslogd_t-to-t.patch @@ -1,4 +1,4 @@ -From 564d43016ed6dcbadb7a7203d8d639d0c782d4e7 Mon Sep 17 00:00:00 2001 +From 25be898844c76cba143de013c05966258e0ec98d Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] policy/modules/system/logging: add the syslogd_t to trusted @@ -18,7 +18,7 @@ Signed-off-by: Yi Zhao 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index dca46f105..cedcaeb36 100644 +index dbb9c62c9..9659937fe 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -495,6 +495,9 @@ fs_list_tmpfs(syslogd_t) 
diff --git a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch similarity index 86% rename from recipes-security/refpolicy/refpolicy/0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch rename to recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch index 1a0aded..179fc54 100644 --- a/recipes-security/refpolicy/refpolicy/0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch +++ b/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch @@ -1,4 +1,4 @@ -From c49b89d2a6cfc33c0e6fe6347609fea09ae7fe2e Mon Sep 17 00:00:00 2001 +From ba07393b28fd2459a6ae7e4c50a48d1ee954360e Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Tue, 28 May 2019 16:41:37 +0800 Subject: [PATCH] policy/modules/system/init: make init_t MLS trusted for @@ -17,10 +17,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 6ffdb547f..8bd8e2f63 100644 +index 039272004..0a7add4b7 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -237,6 +237,7 @@ mls_file_write_all_levels(init_t) +@@ -238,6 +238,7 @@ mls_file_write_all_levels(init_t) mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) mls_process_set_level(init_t) diff --git a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-init-all-init_t-to-read-any-le.patch similarity index 88% rename from recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch rename to recipes-security/refpolicy/refpolicy/0052-policy-modules-system-init-all-init_t-to-read-any-le.patch index a362c4b..afce2c0 100644 
--- a/recipes-security/refpolicy/refpolicy/0051-policy-modules-system-init-all-init_t-to-read-any-le.patch +++ b/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-init-all-init_t-to-read-any-le.patch @@ -1,4 +1,4 @@ -From f8b5f66dd987609027d8e0381338e39b52a47138 Mon Sep 17 00:00:00 2001 +From a01c52188566c4148862076dae90baa265e985df Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Wed, 3 Feb 2016 04:16:06 -0500 Subject: [PATCH] policy/modules/system/init: all init_t to read any level @@ -22,10 +22,10 @@ Signed-off-by: Yi Zhao 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 8bd8e2f63..8af34aa7e 100644 +index 0a7add4b7..7df44cead 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -243,6 +243,9 @@ mls_key_write_all_levels(init_t) +@@ -244,6 +244,9 @@ mls_key_write_all_levels(init_t) mls_file_downgrade(init_t) mls_file_upgrade(init_t) diff --git a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-allow-auditd_t-to-writ.patch similarity index 92% rename from recipes-security/refpolicy/refpolicy/0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch rename to recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-allow-auditd_t-to-writ.patch index a5a368b..ce77779 100644 --- a/recipes-security/refpolicy/refpolicy/0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch +++ b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-allow-auditd_t-to-writ.patch @@ -1,4 +1,4 @@ -From d6573102f922b0e08d49cb5582612dfbaae10600 Mon Sep 17 00:00:00 2001 +From dfc4e8ef225a6ce97ef4862b608228440d099863 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Thu, 25 Feb 2016 04:25:08 -0500 Subject: [PATCH] policy/modules/system/logging: allow auditd_t to write socket @@ -22,7 +22,7 @@ 
Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index cedcaeb36..1b181f7cc 100644 +index 9659937fe..2c733c0f2 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -236,6 +236,8 @@ miscfiles_read_localization(auditd_t) diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch b/recipes-security/refpolicy/refpolicy/0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch similarity index 84% rename from recipes-security/refpolicy/refpolicy/0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch rename to recipes-security/refpolicy/refpolicy/0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch index d48db28..b0af22d 100644 --- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch +++ b/recipes-security/refpolicy/refpolicy/0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch @@ -1,4 +1,4 @@ -From 6b77c79af18f6dba52b7a63a7a2aefdd48c0fd33 Mon Sep 17 00:00:00 2001 +From f26d8ea933ef3f6fe72fbded8d1f6b683c135ab9 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 31 Oct 2019 17:35:59 +0800 Subject: [PATCH] policy/modules/kernel/kernel: make kernel_t MLS trusted for @@ -15,10 +15,10 @@ Signed-off-by: Yi Zhao 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index ebde22e02..60e805cb8 100644 +index e84bcf2b6..987709345 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te -@@ -385,6 +385,7 @@ mls_socket_write_all_levels(kernel_t) +@@ -382,6 +382,7 @@ mls_socket_write_all_levels(kernel_t) mls_fd_use_all_levels(kernel_t) # https://bugzilla.redhat.com/show_bug.cgi?id=667370 mls_file_downgrade(kernel_t) 
diff --git a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-setrans-allow-setrans_t-use-fd.patch similarity index 93% rename from recipes-security/refpolicy/refpolicy/0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch rename to recipes-security/refpolicy/refpolicy/0055-policy-modules-system-setrans-allow-setrans_t-use-fd.patch index a5c17de..d415fa2 100644 --- a/recipes-security/refpolicy/refpolicy/0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch +++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-setrans-allow-setrans_t-use-fd.patch @@ -1,4 +1,4 @@ -From 03e4c0afc4a0aa432b30e9b5e8abbe069871fb9e Mon Sep 17 00:00:00 2001 +From 44aada7fe60d66a45fdcb9b1e5039365cf2b962b Mon Sep 17 00:00:00 2001 From: Roy Li Date: Sat, 22 Feb 2014 13:35:38 +0800 Subject: [PATCH] policy/modules/system/setrans: allow setrans_t use fd at any diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch similarity index 88% rename from recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch rename to recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch index 9e46a43..bd629fe 100644 --- a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch +++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch @@ -1,4 +1,4 @@ -From 1ca4caa4600e9b742f0c7816efe8cff153fe412a Mon Sep 17 00:00:00 2001 +From 115135e6809b715df2b382bf9e35eef3e09be311 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Mon, 22 Feb 2021 11:28:12 +0800 Subject: [PATCH] policy/modules/system/systemd: make *_systemd_t MLS trusted 
@@ -24,10 +24,10 @@ Signed-off-by: Yi Zhao 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 96b5d31b4..07c506e1c 100644 +index 7654d1076..22d5e2b18 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if -@@ -228,6 +228,9 @@ template(`systemd_role_template',` +@@ -235,6 +235,9 @@ template(`systemd_role_template',` xdg_read_config_files($1_systemd_t) xdg_read_data_files($1_systemd_t) ') diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-make-syslogd_runtime_t.patch similarity index 94% rename from recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch rename to recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-make-syslogd_runtime_t.patch index cc8a416..256fa50 100644 --- a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch +++ b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-make-syslogd_runtime_t.patch @@ -1,4 +1,4 @@ -From 8e5a17676c9976d163b70edd31834c4e16405ed9 Mon Sep 17 00:00:00 2001 +From 17f0718ec39892d411d2cbe029864167d5d191a2 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Sat, 18 Dec 2021 17:31:45 +0800 Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS @@ -31,7 +31,7 @@ Signed-off-by: Yi Zhao 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 1b181f7cc..d5878876b 100644 +index 2c733c0f2..c758dbff0 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -459,6 +459,8 @@ allow syslogd_t syslogd_runtime_t:file map; diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index f8e5f10..0661e6c 100644 
--- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc 
@@ -50,28 +50,29 @@ SRC_URI += " \ file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \ file://0033-policy-modules-system-systemd-enable-support-for-sys.patch \ file://0034-policy-modules-system-logging-allow-systemd-tmpfiles.patch \ - file://0035-policy-modules-system-systemd-allow-systemd_logind_t.patch \ - file://0036-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \ - file://0037-policy-modules-system-systemd-systemd-user-fixes.patch \ - file://0038-policy-modules-system-logging-grant-getpcap-capabili.patch \ - file://0039-policy-modules-system-allow-services-to-read-tmpfs-u.patch \ - file://0040-policy-modules-kernel-domain-allow-all-domains-to-co.patch \ - file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \ - file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \ - file://0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \ - file://0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \ - file://0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \ - file://0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \ - file://0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \ - file://0048-policy-modules-system-systemd-systemd-make-systemd_-.patch \ - file://0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \ - file://0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \ - file://0051-policy-modules-system-init-all-init_t-to-read-any-le.patch \ - file://0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch \ - file://0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \ - file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ - file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ - file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \ + file://0035-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \ + 
file://0036-policy-modules-system-systemd-systemd-user-fixes.patch \ + file://0037-policy-modules-system-logging-grant-getpcap-capabili.patch \ + file://0038-policy-modules-system-allow-services-to-read-tmpfs-u.patch \ + file://0039-policy-modules-kernel-domain-allow-all-domains-to-co.patch \ + file://0040-systemd-allow-systemd-logind-to-inherit-fds.patch \ + file://0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch \ + file://0042-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \ + file://0043-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \ + file://0044-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \ + file://0045-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \ + file://0046-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \ + file://0047-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \ + file://0048-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \ + file://0049-policy-modules-system-systemd-systemd-make-systemd_-.patch \ + file://0050-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \ + file://0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \ + file://0052-policy-modules-system-init-all-init_t-to-read-any-le.patch \ + file://0053-policy-modules-system-logging-allow-auditd_t-to-writ.patch \ + file://0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \ + file://0055-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ + file://0056-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ + file://0057-policy-modules-system-logging-make-syslogd_runtime_t.patch \ " S = "${WORKDIR}/refpolicy" diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index 22f28ba..94b3379 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc 
@@ -1,8 +1,8 @@ -PV = "2.20240916+git" +PV = "2.20250213+git" SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy" -SRCREV_refpolicy ?= "741dc96eb7e737bc2f00b7f4b4b394a66d32d913" +SRCREV_refpolicy = "badb91ce49e20449b1a73cd98dc9250b622ed369" UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P\d+_\d+)"
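Review bot: in the policy/modules/kernel/corecommands.if hunk, the new interface is named fs_read_bin_symlinks although it is defined in corecommands.if, directly after corecmd_mmap_all_executables, and only references bin_t. The fs_ prefix points readers at the filesystem module, so the interface is hard to locate and its name does not say which module owns the type. Rename it with the corecmd_ prefix its neighbour uses, and update the caller added in systemd.te, fs_read_bin_symlinks(systemd_tmpfiles_t), to match.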
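Review bot: in the policy/modules/system/systemd.if hunk (systemd_role_template, under "# user systemd-tmpfiles rules"), the added rule "allow $1_systemd_tmpfiles_t self:capability net_admin;" grants a broad capability to every per-user tmpfiles domain with no comment saying which operation needs it. The bin_t symlink rule in systemd.te carries a one-line justification; this one should too, ideally naming the denial it resolves. If the capability check is only a side effect and tmpfiles works without it, a dontaudit rule would be the narrower change.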
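Review bot: in the refpolicy_common.inc SRC_URI hunk, 0035-policy-modules-system-systemd-allow-systemd_logind_t.patch is removed from the list and nothing with that name is re-added, while two new entries, 0040-systemd-allow-systemd-logind-to-inherit-fds.patch and 0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch, drop the policy-modules-<layer>-<module> file name prefix that every other entry uses. State in the commit message why 0035 is dropped (merged upstream, or superseded by 0040), and consider naming the two new patches in the same scheme so the list stays sortable by module.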
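Review bot: in the refpolicy_git.inc hunk, the SRCREV line changes operator as well as value, from "SRCREV_refpolicy ?=" to "SRCREV_refpolicy =". The hard assignment means a distro or local configuration that pinned its own refpolicy revision through the weak default will now be silently overridden by this recipe. If that is not intended, keep "?=" and change only the hash; if it is intended, say so in the commit message.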