From: Yi Zhao
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-selinux][scarthgap][PATCH 1/2] refpolicy: fix build for refpolicy-minimum
Date: Thu, 18 Sep 2025 10:04:44 +0800
Message-Id: <20250918020445.1175478-1-yi.zhao@windriver.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2213

Backport 2 patches to fix build for refpolicy-minimum when INIT_MANAGER is set to sysvinit.

Signed-off-by: Yi Zhao
--- .../refpolicy/0067-fixdep-dbus.patch | 45 +++++++++++++++++++ ...ding-when-dbus-module-is-not-enabled.patch | 42 +++++++++++++++++ .../refpolicy/refpolicy_common.inc | 2 + 3 files changed, 89 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch create mode 100644 recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch diff --git a/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch b/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch new file mode 100644 index 0000000..9f5958a --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch 
@@ -0,0 +1,45 @@ +From 684b47eddf512402db552601c33e2d0ad4eef578 Mon Sep 17 00:00:00 2001 +From: Nicolas PARLANT +Date: Fri, 17 Jan 2025 15:51:48 +0100 +Subject: [PATCH] fixdep dbus + +auth_use_pam_systemd requires dbus : + +> /var/lib/selinux/targeted/tmp/modules/400/authlogin/cil:133 = +> (typeattributeset cil_gen_require dbusd_system_bus_client) + +Upstream-Status: Backport +[https://github.com/SELinuxProject/refpolicy/commit/684b47eddf512402db552601c33e2d0ad4eef578] + +Signed-off-by: Nicolas PARLANT +Signed-off-by: Yi Zhao +--- + policy/modules/system/authlogin.te | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index a75a669b9..d9d1a1428 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -142,7 +142,6 @@ term_dontaudit_use_all_ptys(chkpwd_t) + + auth_read_shadow_history(chkpwd_t) + auth_use_nsswitch(chkpwd_t) +-auth_use_pam_systemd(chkpwd_t) + + logging_send_audit_msgs(chkpwd_t) + logging_send_syslog_msg(chkpwd_t) +@@ -160,6 +159,10 @@ ifdef(`distro_ubuntu',` + ') + ') + ++ifdef(`init_systemd',` ++ auth_use_pam_systemd(chkpwd_t) ++') ++ + optional_policy(` + # apache leaks file descriptors + apache_dontaudit_rw_tcp_sockets(chkpwd_t) +-- +2.34.1 + diff --git a/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch b/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch new file mode 100644 index 0000000..8709932 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch 
@@ -0,0 +1,42 @@ +From 1d62379321c19e89268ac7854a8ff8dce280ed07 Mon Sep 17 00:00:00 2001 +From: Dave Sugar +Date: Thu, 15 May 2025 10:05:24 -0400 +Subject: [PATCH] fix building when dbus module is not enabled + +Upstream-Status: Backport +[https://github.com/SELinuxProject/refpolicy/commit/1d62379321c19e89268ac7854a8ff8dce280ed07] + +Signed-off-by: Dave Sugar +Signed-off-by: Yi Zhao +--- + policy/modules/system/selinuxutil.te | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 86a6e5503..cd0e8762f 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -99,7 +99,8 @@ role run_init_roles types run_init_t; + + type selinux_dbus_t; + type selinux_dbus_exec_t; +-dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t) ++domain_type(selinux_dbus_t) ++domain_entry_file(selinux_dbus_t, selinux_dbus_exec_t) + + type semanage_t; + type semanage_exec_t; +@@ -504,6 +505,10 @@ miscfiles_read_localization(selinux_dbus_t) + + seutil_domtrans_semanage(selinux_dbus_t) + ++optional_policy(` ++ dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t) ++') ++ + optional_policy(` + policykit_dbus_chat(selinux_dbus_t) + ') +-- +2.34.1 + diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 5cb44a8..d1a6214 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc 
@@ -82,6 +82,8 @@ SRC_URI += " \ file://0064-policy-modules-system-locallogin-allow-sulogin_t-unc.patch \ file://0065-policy-modules-system-locallogin-allow-sulogin_t-use.patch \ file://0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \ + file://0067-fixdep-dbus.patch \ + file://0068-fix-building-when-dbus-module-is-not-enabled.patch \ " S = "${WORKDIR}/refpolicy"
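
Review bot: in 0067-fixdep-dbus.patch, the guard added around auth_use_pam_systemd(chkpwd_t) in authlogin.te tests init_systemd, while the failure quoted in that patch's own commit message is a missing dbusd_system_bus_client, which is a dependency on the dbus module. That covers the sysvinit case this series targets, but a systemd build with the dbus module left out would presumably still hit the same cil_gen_require error. As this is a straight backport I would keep the hunk as upstream has it, and either note the limitation in the commit message or check whether the call needs an optional_policy wrapper (as 0068 does for dbus_system_domain) for the refpolicy-minimum module set.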
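
Review bot: the commit message does not record the build error being fixed, and the SRC_URI hunk in refpolicy_common.inc adds both patches to the common include rather than to refpolicy-minimum alone. Please quote the failing line in the commit message (the cil_gen_require error cited inside 0067 looks like the one) and state that the other policy variants that pull in this include were rebuilt with the two patches applied.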

From: Yi Zhao
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-selinux][scarthgap][PATCH 2/2] openssh: update sshd_config
Date: Thu, 18 Sep 2025 10:04:45 +0800
Message-Id: <20250918020445.1175478-2-yi.zhao@windriver.com>
In-Reply-To: <20250918020445.1175478-1-yi.zhao@windriver.com>
References: <20250918020445.1175478-1-yi.zhao@windriver.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2214

Synchronize sshd_config with that in oe-core.

Signed-off-by: Yi Zhao
--- .../openssh/files/sshd_config | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) 
diff --git a/recipes-connectivity/openssh/files/sshd_config b/recipes-connectivity/openssh/files/sshd_config index 1c33ad0..18a69d9 100644 --- a/recipes-connectivity/openssh/files/sshd_config +++ b/recipes-connectivity/openssh/files/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ +# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -10,6 +10,8 @@ # possible, but leave them commented. Uncommented options override the # default value. +Include /etc/ssh/sshd_config.d/*.conf + #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 @@ -38,7 +40,7 @@ # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys -#AuthorizedKeysFile .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none @@ -57,9 +59,9 @@ #PasswordAuthentication yes #PermitEmptyPasswords no -# Change to yes to enable challenge-response passwords (beware issues with -# some PAM modules and threads) -ChallengeResponseAuthentication no +# Change to yes to enable keyboard-interactive authentication (beware issues +# with some PAM modules and threads) +KbdInteractiveAuthentication no # Kerberos options #KerberosAuthentication no 
@@ -73,13 +75,13 @@ ChallengeResponseAuthentication no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication and +# be allowed through the KbdInteractiveAuthentication and # PasswordAuthentication. Depending on your PAM configuration, -# PAM authentication via ChallengeResponseAuthentication may bypass +# PAM authentication via KbdInteractiveAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication -# and ChallengeResponseAuthentication to 'no'. +# and KbdInteractiveAuthentication to 'no'. UsePAM yes #AllowAgentForwarding yes @@ -92,7 +94,6 @@ UsePAM yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes -#UseLogin no #PermitUserEnvironment no Compression no ClientAliveInterval 15
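
Review bot: the Include /etc/ssh/sshd_config.d/*.conf line added in the @@ -10,6 +10,8 @@ hunk sits above every other directive, and sshd uses the first value it obtains for each keyword, so any drop-in file in that directory overrides the settings this file pins further down (KbdInteractiveAuthentication no, UsePAM yes, Compression no, ClientAliveInterval 15). Please confirm that the openssh recipe used with this layer installs /etc/ssh/sshd_config.d as a root-owned directory that only root can write to, that it gets the same SELinux label as the rest of /etc/ssh, and mention the new override point in the commit message.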
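
Review bot: uncommenting AuthorizedKeysFile .ssh/authorized_keys in the @@ -38,7 +40,7 @@ hunk is a behaviour change rather than a pure sync. Per the comment directly above it, the default checks both .ssh/authorized_keys and .ssh/authorized_keys2, and with the line active only .ssh/authorized_keys is read, so on the scarthgap branch any key that exists only in authorized_keys2 stops being accepted after this update. The commit message should call that out, together with the oe-core revision the file was synchronized against.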