[gentoo-commits] repo/gentoo:master commit in: net-voip/mumble/

2024-08-05 Thread Kenton Groombridge
commit: d1bb7588537fa990468a39ae411726e31eb71809
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Aug  5 14:19:12 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Mon Aug  5 14:21:16 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d1bb7588

net-voip/mumble: stabilize 1.5.634 for amd64, arm64, ppc64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/mumble/mumble-1.5.634.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-voip/mumble/mumble-1.5.634.ebuild 
b/net-voip/mumble/mumble-1.5.634.ebuild
index d368df565216..51d7304ddd07 100644
--- a/net-voip/mumble/mumble-1.5.634.ebuild
+++ b/net-voip/mumble/mumble-1.5.634.ebuild
@@ -33,7 +33,7 @@ else

SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz";
S="${WORKDIR}/${P/_*}"
fi
-   KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
+   KEYWORDS="amd64 arm64 ppc64 x86"
 fi
 
 LICENSE="BSD MIT"



[gentoo-commits] repo/gentoo:master commit in: net-voip/mumble/

2024-08-05 Thread Kenton Groombridge
commit: 9a05353dd229107e9a1863e9d4dccfb9160c65d9
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Aug  5 14:20:59 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Mon Aug  5 14:21:14 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a05353d

net-voip/mumble: enable py3.13

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/mumble/mumble-1.5.634.ebuild | 2 +-
 net-voip/mumble/mumble-.ebuild| 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net-voip/mumble/mumble-1.5.634.ebuild 
b/net-voip/mumble/mumble-1.5.634.ebuild
index 4ba02c3ee8b2..d368df565216 100644
--- a/net-voip/mumble/mumble-1.5.634.ebuild
+++ b/net-voip/mumble/mumble-1.5.634.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=8
 
-PYTHON_COMPAT=( python3_{10..12} )
+PYTHON_COMPAT=( python3_{10..13} )
 inherit cmake flag-o-matic multilib python-any-r1 xdg
 
 DESCRIPTION="Mumble is an open source, low-latency, high quality voice chat 
software"

diff --git a/net-voip/mumble/mumble-.ebuild 
b/net-voip/mumble/mumble-.ebuild
index 4ba02c3ee8b2..d368df565216 100644
--- a/net-voip/mumble/mumble-.ebuild
+++ b/net-voip/mumble/mumble-.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=8
 
-PYTHON_COMPAT=( python3_{10..12} )
+PYTHON_COMPAT=( python3_{10..13} )
 inherit cmake flag-o-matic multilib python-any-r1 xdg
 
 DESCRIPTION="Mumble is an open source, low-latency, high quality voice chat 
software"



[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/

2024-08-05 Thread Kenton Groombridge
commit: 346f6b04a94b8469eab1bd015544a1f6b4cb4e97
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Aug  5 14:30:12 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Mon Aug  5 14:31:17 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=346f6b04

net-voip/murmur: stabilize 1.5.634 for amd64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/murmur/murmur-1.5.634.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-voip/murmur/murmur-1.5.634.ebuild 
b/net-voip/murmur/murmur-1.5.634.ebuild
index 10ef9e24681e..2162f57c5ffd 100644
--- a/net-voip/murmur/murmur-1.5.634.ebuild
+++ b/net-voip/murmur/murmur-1.5.634.ebuild
@@ -34,7 +34,7 @@ else

SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz";
S="${WORKDIR}/${MY_PN}-${PV/_*}"
fi
-   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+   KEYWORDS="amd64 ~arm ~arm64 x86"
 fi
 
 LICENSE="BSD"



[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/

2024-08-17 Thread Kenton Groombridge
commit: e18e4aba5f1b1a91206abf0e3279c4be2f6f7c6b
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Aug 17 16:34:57 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Aug 17 16:40:51 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e18e4aba

www-apps/miniflux: stabilize 2.1.3 for amd64, ppc64

Signed-off-by: Kenton Groombridge  gentoo.org>

 www-apps/miniflux/miniflux-2.1.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www-apps/miniflux/miniflux-2.1.3.ebuild 
b/www-apps/miniflux/miniflux-2.1.3.ebuild
index 8a64f1ec2999..f40982f37564 100644
--- a/www-apps/miniflux/miniflux-2.1.3.ebuild
+++ b/www-apps/miniflux/miniflux-2.1.3.ebuild
@@ -15,7 +15,7 @@ SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz";
 
 LICENSE="Apache-2.0 BSD BSD-2 MIT"
 SLOT="0"
-KEYWORDS="~amd64 ~ppc64 ~riscv"
+KEYWORDS="amd64 ppc64 ~riscv"
 
 RESTRICT="test" # requires network access
 



[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/

2024-08-17 Thread Kenton Groombridge
commit: a2abea9744c25394e73c893257a7f0e2aac9619a
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Aug 17 16:35:14 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Aug 17 16:40:53 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2abea97

www-apps/miniflux: drop 2.0.49

Signed-off-by: Kenton Groombridge  gentoo.org>

 www-apps/miniflux/Manifest   |   2 -
 www-apps/miniflux/miniflux-2.0.49.ebuild | 107 ---
 2 files changed, 109 deletions(-)

diff --git a/www-apps/miniflux/Manifest b/www-apps/miniflux/Manifest
index df61ea7a0f42..03ed8dc33328 100644
--- a/www-apps/miniflux/Manifest
+++ b/www-apps/miniflux/Manifest
@@ -1,5 +1,3 @@
-DIST miniflux-2.0.49-deps.tar.xz 38155476 BLAKE2B 
9631c23af181cf86bd197066a453c84b09840cc71a870eba0ad4e7cdb2720fe952fca7f6a93f3e9e2e2d8c9a13629da0f758b21a4afe5849186d653b44a3f097
 SHA512 
c51228a3f70d73788be63ed5e7f24baeee9a369351e07bd7715a60c6b340d3e90ebd25adfb50d3e2144a8b0c7d609fca3bacdd51a1d61ff7916e6a7a439b6dc1
-DIST miniflux-2.0.49.tar.gz 614888 BLAKE2B 
77fae7eafcc55d02e3e00e6c008cb6727ff48423512e9dde420b84a63858e6ba9ed33dfd61907a46ca686b211f604d452e2ad5944b709094263ca0949a6128c8
 SHA512 
59505f5e60228ff94cf2cabc872117cd08c06edb0df6dfb4487153add27cc4e485d7cb71330333df155f158eb650f684d55f0460ba5404f5e26b9603123fd860
 DIST miniflux-2.1.3-deps.tar.xz 43436720 BLAKE2B 
97a6aa1509bcde6da4368d50de9bac9a0cedf2752e020f2521cc29f38644fc9de53f14052649c9d42b4d450e1ffac6209787c9b94c1c90d0f2ba1dc31811356d
 SHA512 
6113f5288da2ecd77cbb21c81a60ea331943f369c9304241330b75d57e0e2f65c74d2ddcc4f920e9c572289cea30c50a673029b66877da47d1d2c13700e51081
 DIST miniflux-2.1.3.tar.gz 710470 BLAKE2B 
ed4f5cb60b26db797e0374d497ebf0bf6d063308bb83938ec5b90a146ba1cc1ab7f5c8c2ecc92cae77d8c683b1f212bead22828cfdad432f7400b58ade8d
 SHA512 
93f9c91edfdbdd47fa2a45ba4d0af08351465e84231b9f9f0886042897b0649932e02adc6680fc4952828415edcda8b634224dc21015f053c25d0e24f9cb
 DIST miniflux-2.1.4-deps.tar.xz 43184308 BLAKE2B 
d4412a87d07d405f93c2e7449a3e3ff4932f28b9c46ff75519c8398c8b7d0090b0759e2b3be5c20c4e1900e1058724071b3efb8144ff3149a8a06234155900c3
 SHA512 
75456f40578e3da2866a7ea98c3dc137934b05c73e4a5aa2a96cbce0457a9aa394a598a837b98f50cb97cb2279b8acc331fe08fa5bff245fef1bec0cb92029a8

diff --git a/www-apps/miniflux/miniflux-2.0.49.ebuild 
b/www-apps/miniflux/miniflux-2.0.49.ebuild
deleted file mode 100644
index ba42a484f6ec..
--- a/www-apps/miniflux/miniflux-2.0.49.ebuild
+++ /dev/null
@@ -1,107 +0,0 @@
-# Copyright 2020-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit go-module systemd
-
-# Get with 'git rev-parse --short HEAD'
-MY_GIT_COMMIT="54eb5003"
-
-DESCRIPTION="Minimalist and opinionated feed reader"
-HOMEPAGE="https://miniflux.app https://github.com/miniflux/v2";
-SRC_URI="https://github.com/${PN}/v2/archive/${PV}.tar.gz -> ${P}.tar.gz"
-SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz";
-
-LICENSE="Apache-2.0 BSD BSD-2 MIT"
-SLOT="0"
-KEYWORDS="amd64 ppc64 ~riscv"
-
-RESTRICT="test" # requires network access
-
-DEPEND="acct-user/miniflux"
-RDEPEND="${DEPEND}
-   >=dev-db/postgresql-9.5
-"
-
-S="${WORKDIR}/v2-${PV}"
-
-src_compile() {
-   ego build -ldflags="
-   -s -w
-   -X 'miniflux.app/v2/internal/version.Version=${PV}'
-   -X 'miniflux.app/v2/internal/version.Commit=${MY_GIT_COMMIT}'
-   -X 'miniflux.app/v2/internal/version.BuildDate=$(date +%FT%T%z)'
-   " -o miniflux main.go
-}
-
-src_install() {
-   dobin miniflux
-
-   insinto /etc
-   doins "${FILESDIR}/${PN}.conf"
-
-   newconfd "${FILESDIR}/${PN}.confd" ${PN}
-
-   newinitd "${FILESDIR}/${PN}.initd-r1" ${PN}
-   systemd_dounit "${FILESDIR}/${PN}.service"
-
-   fowners miniflux:root /etc/${PN}.conf
-   fperms o-rwx /etc/${PN}.conf
-
-   local DOCS=(
-   ChangeLog
-   README.md
-   "${FILESDIR}"/README.gentoo
-   )
-
-   # Makefile has no install target, so call einstalldocs directly
-   einstalldocs
-
-   doman "${PN}".1
-}
-
-pkg_postinst() {
-   if [[ -z "${REPLACING_VERSIONS}" ]]; then
-   # This is a new installation
-
-   echo
-   elog "Before using miniflux, you must first create and 
initialize the database"
-   elog "and enable the hstore extension for it."
-   elog ""
-   elog "Afterwards, create your first admin user by running:"
-   elog "  miniflux -create-admin"
-   else
-   # Th

[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/

2024-08-17 Thread Kenton Groombridge
commit: f68ecd785462e0fdb3539834224f71c9e986dd02
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Aug 17 16:34:25 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Aug 17 16:40:49 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f68ecd78

www-apps/miniflux: add 2.1.4

Signed-off-by: Kenton Groombridge  gentoo.org>

 www-apps/miniflux/Manifest  |   2 +
 www-apps/miniflux/miniflux-2.1.4.ebuild | 107 
 2 files changed, 109 insertions(+)

diff --git a/www-apps/miniflux/Manifest b/www-apps/miniflux/Manifest
index 7ecf838595e0..df61ea7a0f42 100644
--- a/www-apps/miniflux/Manifest
+++ b/www-apps/miniflux/Manifest
@@ -2,3 +2,5 @@ DIST miniflux-2.0.49-deps.tar.xz 38155476 BLAKE2B 
9631c23af181cf86bd197066a453c8
 DIST miniflux-2.0.49.tar.gz 614888 BLAKE2B 
77fae7eafcc55d02e3e00e6c008cb6727ff48423512e9dde420b84a63858e6ba9ed33dfd61907a46ca686b211f604d452e2ad5944b709094263ca0949a6128c8
 SHA512 
59505f5e60228ff94cf2cabc872117cd08c06edb0df6dfb4487153add27cc4e485d7cb71330333df155f158eb650f684d55f0460ba5404f5e26b9603123fd860
 DIST miniflux-2.1.3-deps.tar.xz 43436720 BLAKE2B 
97a6aa1509bcde6da4368d50de9bac9a0cedf2752e020f2521cc29f38644fc9de53f14052649c9d42b4d450e1ffac6209787c9b94c1c90d0f2ba1dc31811356d
 SHA512 
6113f5288da2ecd77cbb21c81a60ea331943f369c9304241330b75d57e0e2f65c74d2ddcc4f920e9c572289cea30c50a673029b66877da47d1d2c13700e51081
 DIST miniflux-2.1.3.tar.gz 710470 BLAKE2B 
ed4f5cb60b26db797e0374d497ebf0bf6d063308bb83938ec5b90a146ba1cc1ab7f5c8c2ecc92cae77d8c683b1f212bead22828cfdad432f7400b58ade8d
 SHA512 
93f9c91edfdbdd47fa2a45ba4d0af08351465e84231b9f9f0886042897b0649932e02adc6680fc4952828415edcda8b634224dc21015f053c25d0e24f9cb
+DIST miniflux-2.1.4-deps.tar.xz 43184308 BLAKE2B 
d4412a87d07d405f93c2e7449a3e3ff4932f28b9c46ff75519c8398c8b7d0090b0759e2b3be5c20c4e1900e1058724071b3efb8144ff3149a8a06234155900c3
 SHA512 
75456f40578e3da2866a7ea98c3dc137934b05c73e4a5aa2a96cbce0457a9aa394a598a837b98f50cb97cb2279b8acc331fe08fa5bff245fef1bec0cb92029a8
+DIST miniflux-2.1.4.tar.gz 731511 BLAKE2B 
a6d099411971af1319825f8b4fc2e56fac8b86eb4b2b91175f4b349aa2dfb6c0036af388deaf34eef00a7fd0c70d73350976332e9fd851fc3a9fb68fc3edceb5
 SHA512 
e20ddaa8682b492c5eaaef687d4b92fa40c148b0cdb9bc6f4175a2e7da0d0e13c5e93a97145de06e1210015be3361a396c1dc85aaf58b5c02ec86903617732ca

diff --git a/www-apps/miniflux/miniflux-2.1.4.ebuild 
b/www-apps/miniflux/miniflux-2.1.4.ebuild
new file mode 100644
index ..c6cde0b43c88
--- /dev/null
+++ b/www-apps/miniflux/miniflux-2.1.4.ebuild
@@ -0,0 +1,107 @@
+# Copyright 2020-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module systemd
+
+# git rev-parse --short HEAD
+MY_GIT_COMMIT="b683756d"
+
+DESCRIPTION="Minimalist and opinionated feed reader"
+HOMEPAGE="https://miniflux.app https://github.com/miniflux/v2";
+SRC_URI="https://github.com/${PN}/v2/archive/${PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz";
+
+S="${WORKDIR}/v2-${PV}"
+
+LICENSE="Apache-2.0 BSD BSD-2 MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc64 ~riscv"
+
+RESTRICT="test" # requires network access
+
+DEPEND="acct-user/miniflux"
+RDEPEND="${DEPEND}
+   >=dev-db/postgresql-9.5
+"
+
+src_compile() {
+   ego build -ldflags="
+   -s -w
+   -X 'miniflux.app/v2/internal/version.Version=${PV}'
+   -X 'miniflux.app/v2/internal/version.Commit=${MY_GIT_COMMIT}'
+   -X 'miniflux.app/v2/internal/version.BuildDate=$(date +%FT%T%z)'
+   " -o miniflux main.go
+}
+
+src_install() {
+   dobin miniflux
+
+   insinto /etc
+   doins "${FILESDIR}/${PN}.conf"
+
+   newconfd "${FILESDIR}/${PN}.confd" ${PN}
+
+   newinitd "${FILESDIR}/${PN}.initd-r1" ${PN}
+   systemd_dounit "${FILESDIR}/${PN}.service"
+
+   fowners miniflux:root /etc/${PN}.conf
+   fperms o-rwx /etc/${PN}.conf
+
+   local DOCS=(
+   ChangeLog
+   README.md
+   "${FILESDIR}"/README.gentoo
+   )
+
+   # Makefile has no install target, so call einstalldocs directly
+   einstalldocs
+
+   doman "${PN}".1
+}
+
+pkg_postinst() {
+   if [[ -z "${REPLACING_VERSIONS}" ]]; then
+   # This is a new installation
+
+   echo
+   elog "Before using miniflux, you must first create and 
initialize the database"
+   elog "and enable the hstore extension for it."
+   elog ""
+   elog "Afterwards, create your first admin user by running:"
+   elog "  miniflux -creat

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2024-05-14 Thread Kenton Groombridge
commit: 9e64cef53a9a17bce38b43e1a8476b4132c186ea
Author: Matt Sheets  linux  microsoft  com>
AuthorDate: Sat Apr 27 00:09:53 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:40:58 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e64cef5

Allow systemd to pass down sig mask

IgnoreSIGPIPE is a feature that requires systemd to pass its signal mask
down to the forked process. To allow this, the siginh permission must be
granted for all process domains that can be forked by systemd.

Signed-off-by: Matt Sheets  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/init.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 597fd169a..24be1a7a7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -189,6 +189,7 @@ interface(`init_domain',`
 
allow $1 init_t:unix_stream_socket { getattr read write ioctl };
 
+   allow init_t $1:process siginh;
allow init_t $1:process2 { nnp_transition nosuid_transition };
 
# StandardInputText uses a memfd rw shm segment.
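Review bot: The new `allow init_t $1:process siginh;` line carries no comment, and because it sits in init_domain() it applies to every domain systemd launches, not just services that set IgnoreSIGPIPE=. siginh means the child keeps init_t's signal mask and dispositions across the domain transition instead of having them reset, which is the default refpolicy behaviour the rest of this interface relies on. A one-line comment next to the rule would keep that intent with the policy rather than only in the commit message, e.g. `# siginh: systemd propagates its signal mask/dispositions (IgnoreSIGPIPE=) to every service it forks`. The interface body continues outside the hunk.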



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2024-05-14 Thread Kenton Groombridge
commit: 7a7d1e4a5e7e532b93be215172976e2fa2556e1e
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Thu Feb 29 15:14:01 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:40:54 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a7d1e4a

xen: Revoke kernel module loading permissions.

This domain also calls kernel_request_load_module(), which should be
sufficient.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/xen.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 5311f3a34..d633dfef7 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -500,7 +500,6 @@ xen_stream_connect_xenstore(xm_t)
 
 can_exec(xm_t, xm_exec_t)
 
-kernel_load_module(xm_t)
 kernel_request_load_module(xm_t)
 kernel_read_system_state(xm_t)
 kernel_read_network_state(xm_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: c102156f10d9ab9ab6a5ebf2ef21d9a36305c759
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Thu Feb 29 16:04:56 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:40:56 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c102156f

cups: Remove PTAL.

This is part of the HPOJ, which was superseded by HPLIP in 2006.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/cups.fc |  8 
 policy/modules/services/cups.if | 34 -
 policy/modules/services/cups.te | 73 -
 policy/modules/system/userdomain.if |  1 -
 4 files changed, 7 insertions(+), 109 deletions(-)

diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
index df02e9539..453c394da 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
@@ -29,9 +29,6 @@
 /usr/bin/hpijs --  gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/bin/hpiod --  gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/bin/printconf-backend --  
gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/ptal-printd   --  gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/bin/ptal-mlcd --  gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/bin/ptal-photod   --  gen_context(system_u:object_r:ptal_exec_t,s0)
 
 /usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
 /usr/Brother/(.*/)?inf(/.*)?   gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -55,9 +52,6 @@
 /usr/sbin/hal_lpadmin  --  
gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/hpiod--  gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/sbin/printconf-backend--  
gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/ptal-printd  --  gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-mlcd--  gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-photod  --  gen_context(system_u:object_r:ptal_exec_t,s0)
 
 /usr/share/cups(/.*)?  gen_context(system_u:object_r:cupsd_etc_t,s0)
 /usr/share/foomatic/db/oldprinterids   --  
gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -80,7 +74,5 @@
 /run/cups(/.*)?gen_context(system_u:object_r:cupsd_runtime_t,s0)
 /run/hp.*\.pid --  gen_context(system_u:object_r:hplip_runtime_t,s0)
 /run/hp.*\.port--  
gen_context(system_u:object_r:hplip_runtime_t,s0)
-/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_runtime_t,s0)
-/run/ptal-mlcd(/.*)?   gen_context(system_u:object_r:ptal_runtime_t,s0)
 /run/udev-configure-printer(/.*)?  
gen_context(system_u:object_r:cupsd_config_runtime_t,s0)
 /var/turboprint(/.*)?  gen_context(system_u:object_r:cupsd_runtime_t,s0)

diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 852db3d67..a6b3f754a 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -271,26 +271,6 @@ interface(`cups_write_log',`
allow $1 cupsd_log_t:file write_file_perms;
 ')
 
-
-## 
-## Connect to ptal over an unix
-## domain stream socket.
-## 
-## 
-## 
-## Domain allowed access.
-## 
-## 
-#
-interface(`cups_stream_connect_ptal',`
-   gen_require(`
-   type ptal_t, ptal_runtime_t;
-   ')
-
-   files_search_runtime($1)
-   stream_connect_pattern($1, ptal_runtime_t, ptal_runtime_t, ptal_t)
-')
-
 
 ## 
 ## Read the process state (/proc/pid) of cupsd.
@@ -354,21 +334,21 @@ interface(`cups_admin',`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
type cupsd_etc_t, cupsd_log_t;
type cupsd_config_runtime_t, cupsd_lpd_runtime_t;
-   type cupsd_runtime_t, ptal_etc_t, cupsd_rw_etc_t;
-   type ptal_runtime_t, hplip_runtime_t, cupsd_initrc_exec_t;
+   type cupsd_runtime_t, cupsd_rw_etc_t;
+   type hplip_runtime_t, cupsd_initrc_exec_t;
type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
-   type hplip_t, ptal_t;
+   type hplip_t;
')
 
allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace 
signal_perms };
-   allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+   allow $1 { cups_pdf_t hplip_t }:process { ptrace signal_perms };
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
-   ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+   ps_process_pattern($1, { cups_pdf_t hplip_t })
 
init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t)
 
files_list_etc($1)
-   admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
+   admin_pattern($1, { cupsd_etc_

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 8b220a9ced8dbe5449cf443a16b782141d6f4772
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Tue Mar  5 15:18:41 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:01 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8b220a9c

certbot: Drop execmem.

This is related to FFI use in python3-openssl. Libffi now changes behavior
when it detects SELinux, to avoid this type of denial.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/certbot.te | 4 
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/services/certbot.te 
b/policy/modules/services/certbot.te
index 9723f7880..6edaac830 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -54,10 +54,6 @@ files_tmp_filetrans(certbot_t, certbot_tmp_t, { dir file })
 manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
 fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
 
-# this is for certbot to have write-exec memory, I know it is bad
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544
-# the Debian bug report has background about python-acme and python3-openssl
-allow certbot_t self:process execmem;
 allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
 allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
 allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/system/

2024-05-14 Thread Kenton Groombridge
commit: 89eef551684761379a5dd51221485b025d0014e5
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Thu Feb 29 18:31:57 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:40:59 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89eef551

xen: Drop xend/xm stack.

Xend/xm was replaced with xl in Xen 4.5 (Jan 2015).

https://xenproject.org/2015/01/15/less-is-more-in-the-new-xen-project-4-5-release/

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/brctl.te   |   1 -
 policy/modules/admin/consoletype.te |   2 -
 policy/modules/admin/sblim.te   |   1 -
 policy/modules/services/nscd.te |   1 -
 policy/modules/services/pegasus.te  |   1 -
 policy/modules/services/snmp.te |   1 -
 policy/modules/services/vhostmd.te  |   1 -
 policy/modules/services/virt.te |   8 +-
 policy/modules/system/hostname.te   |   1 -
 policy/modules/system/lvm.te|   1 -
 policy/modules/system/sysnetwork.te |   2 -
 policy/modules/system/xen.fc|  21 +--
 policy/modules/system/xen.if| 149 +++-
 policy/modules/system/xen.te| 272 
 14 files changed, 54 insertions(+), 408 deletions(-)

diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 7ce029c05..026b0002d 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -43,5 +43,4 @@ miscfiles_read_localization(brctl_t)
 
 optional_policy(`
xen_append_log(brctl_t)
-   xen_dontaudit_rw_unix_stream_sockets(brctl_t)
 ')

diff --git a/policy/modules/admin/consoletype.te 
b/policy/modules/admin/consoletype.te
index dda9e62ff..1989db82c 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -109,6 +109,4 @@ optional_policy(`
kernel_read_xen_state(consoletype_t)
kernel_write_xen_state(consoletype_t)
xen_append_log(consoletype_t)
-   xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
-   xen_dontaudit_use_fds(consoletype_t)
 ')

diff --git a/policy/modules/admin/sblim.te b/policy/modules/admin/sblim.te
index 5e2978c5f..d9bab1a79 100644
--- a/policy/modules/admin/sblim.te
+++ b/policy/modules/admin/sblim.te
@@ -106,7 +106,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-   xen_stream_connect(sblim_gatherd_t)
xen_stream_connect_xenstore(sblim_gatherd_t)
 ')
 

diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index f63b75f4f..ffc60497c 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -132,6 +132,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-   xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
 ')

diff --git a/policy/modules/services/pegasus.te 
b/policy/modules/services/pegasus.te
index a5aa3a285..e7287b49a 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -184,6 +184,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-   xen_stream_connect(pegasus_t)
xen_stream_connect_xenstore(pegasus_t)
 ')

diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 846ab288a..b498e894b 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -167,6 +167,5 @@ optional_policy(`
kernel_read_xen_state(snmpd_t)
kernel_write_xen_state(snmpd_t)
 
-   xen_stream_connect(snmpd_t)
xen_stream_connect_xenstore(snmpd_t)
 ')

diff --git a/policy/modules/services/vhostmd.te 
b/policy/modules/services/vhostmd.te
index 94ee048d1..9a866deea 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@@ -79,7 +79,6 @@ optional_policy(`
 
 optional_policy(`
xen_domtrans_xm(vhostmd_t)
-   xen_stream_connect(vhostmd_t)
xen_stream_connect_xenstore(vhostmd_t)
xen_stream_connect_xm(vhostmd_t)
 ')

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index a6161d739..f0c4c2d65 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -820,8 +820,8 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
 
-   xen_exec(virtd_t)
-   xen_stream_connect(virtd_t)
+   xen_domtrans_xm(virtd_t)
+   xen_stream_connect_xm(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
 ')
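Review bot: In the first virt.te hunk `xen_exec(virtd_t)` becomes `xen_domtrans_xm(virtd_t)`, which changes where the toolstack runs — previously virtd_t executed it in its own domain, now it transitions into xm_t — yet neither the hunk nor the commit message says why libvirt needs a transition once xend is gone. The xen.if/xen.te rewrite is not part of this message, so it can only be inferred that xm_t is the domain kept for the xl toolstack; a comment above the two calls such as `# libvirt drives the xl toolstack, which runs in xm_t` would make that explicit. The same point applies to the virsh_t hunk that follows, where `xen_domtrans(virsh_t)` becomes `xen_domtrans_xm(virsh_t)`. The enclosing optional_policy block starts outside the hunk.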
@@ -944,9 +944,9 @@ optional_policy(`
 optional_policy(`
xen_manage_image_dirs(virsh_t)
xen_append_log(virsh_t)
-   xen_domtrans(virsh_t)
+   xen_domtrans_xm(virsh_t)
xen_read_xenstored_runtime_files(virsh_t)
-   xen_stream_connect(virsh_t)
+   xen_stream_connect_xm(virsh_t)
xen_stream_connect_xenstore(virsh_t)
 ')
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/

2024-05-14 Thread Kenton Groombridge
commit: e3d5625354b069f68fe3fff6135df2e5bc14f207
Author: Grzegorz Filo  wp  pl>
AuthorDate: Wed Apr  3 11:02:48 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:29 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3d56253

files context for merged-usr profile on gentoo

Signed-off-by: Grzegorz Filo  wp.pl>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/netutils.fc| 4 
 policy/modules/admin/shutdown.fc| 5 +
 policy/modules/services/smartmon.fc | 4 
 policy/modules/system/authlogin.fc  | 3 +++
 policy/modules/system/init.fc   | 4 
 policy/modules/system/lvm.fc| 4 
 6 files changed, 24 insertions(+)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 3a7ccabf2..c8f5dd950 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -21,3 +21,7 @@
 /usr/sbin/ss   --  gen_context(system_u:object_r:ss_exec_t,s0)
 /usr/sbin/tcpdump  --  
gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/sbin/traceroute.* --  
gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/iftop --  
gen_context(system_u:object_r:netutils_exec_t,s0)
+')
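Review bot: The new `ifdef(`distro_gentoo',`` block in netutils.fc gives no hint that the `/usr/bin/iftop` entry exists for merged-usr layouts, which is the reason given in the commit title; a reader of the .fc file alone sees an unexplained Gentoo-only path with no relation to the /usr/sbin entries above it. A one-line comment inside the block, e.g. `# merged-usr: Gentoo profiles install these under /usr/bin`, would carry that intent, and the same comment is missing from the shutdown.fc, smartmon.fc, authlogin.fc, init.fc and lvm.fc hunks (in init.fc the additions land inside an existing distro_gentoo block, so the comment belongs on the new lines there). Whether each new path mirrors an existing /usr/sbin entry cannot be confirmed from these hunks, so it is worth stating per entry where it does.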

diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
index 89d682d36..2e47783c2 100644
--- a/policy/modules/admin/shutdown.fc
+++ b/policy/modules/admin/shutdown.fc
@@ -9,3 +9,8 @@
 /usr/sbin/shutdown --  
gen_context(system_u:object_r:shutdown_exec_t,s0)
 
 /run/shutdown\.pid --  
gen_context(system_u:object_r:shutdown_runtime_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/halt  --  
gen_context(system_u:object_r:shutdown_exec_t,s0)
+/usr/bin/shutdown  --  
gen_context(system_u:object_r:shutdown_exec_t,s0)
+')

diff --git a/policy/modules/services/smartmon.fc 
b/policy/modules/services/smartmon.fc
index efbb8886f..562cf0b04 100644
--- a/policy/modules/services/smartmon.fc
+++ b/policy/modules/services/smartmon.fc
@@ -9,3 +9,7 @@
 /run/smartd\.pid   --  
gen_context(system_u:object_r:fsdaemon_runtime_t,s0)
 
 /var/lib/smartmontools(/.*)?   
gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/update-smart-drivedb  --  
gen_context(system_u:object_r:smartmon_update_drivedb_exec_t,s0)
+')

diff --git a/policy/modules/system/authlogin.fc 
b/policy/modules/system/authlogin.fc
index adb53a05a..fcdd38d6d 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -40,6 +40,9 @@ ifdef(`distro_redhat', `
 ifdef(`distro_suse', `
 /usr/sbin/unix2_chkpwd --  gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
+ifdef(`distro_gentoo',`
+/usr/bin/pwhistory_helper  --  
gen_context(system_u:object_r:updpwd_exec_t,s0)
+')
 
 /var/cache/coolkey(/.*)?   gen_context(system_u:object_r:auth_cache_t,s0)
 

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 2ce804cde..e350b6adf 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -53,6 +53,10 @@ ifdef(`distro_gentoo',`
 /usr/sbin/upstart  --  gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
+/usr/bin/rc--  
gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/bin/openrc--  
gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/bin/openrc-init   --  
gen_context(system_u:object_r:init_exec_t,s0)
+/usr/bin/openrc-shutdown   --  
gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/rc/cache(/.*)?
gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/lib/rc/console(/.*)?  
gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/lib/rc/init\.d(/.*)?  
gen_context(system_u:object_r:initrc_state_t,s0)

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index bc66de8ad..ba1d88e2b 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -74,6 +74,10 @@
 /usr/bin/vgsplit   --  
gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/vgwrapper --  
gen_context(system_u:object_r:lvm_exec_t,s0)
 
+ifdef(`distro_gentoo',`
+/usr/bin/dmeventd  --  
gen_context(system_u:object_r:lvm_exec_t,s0)
+')
+
 /usr/lib/lvm-10/.* --  
gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/lvm-200/.*--  
gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/systemd/systemd-cryptsetup--  
gen_context(system_u:object_r:lvm_exec_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: b2ceb53d4b7b1df545f740ae9b4ed2e77f640dca
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 19:53:46 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:31 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2ceb53d

init: allow systemd to use sshd pidfds

Without this, a lengthy two-minute delay can be observed when SSHing into a
system while pam_systemd tries to create a login session.

May 06 14:22:08 megumin.fuwafuwatime.moe sshd[29384]: 
pam_systemd(sshd:session): Failed to create session: Connection timed out

type=AVC msg=audit(1715019897.540:13855): avc:  denied  { use } for  pid=1 
comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 
scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 
tclass=fd permissive=1

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/ssh.if | 19 +++
 policy/modules/system/init.te  |  4 
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index dcbabf6b0..4b5fd5d33 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -535,6 +535,25 @@ interface(`ssh_signull',`
allow $1 sshd_t:process signull;
 ')
 
+
+## 
+## Use PIDFD file descriptors from the
+## ssh server.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`ssh_use_sshd_pidfds',`
+   gen_require(`
+   type sshd_t;
+   ')
+
+   allow $1 sshd_t:fd use;
+')
+
 
 ## 
 ## Read a ssh server unnamed pipe.
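Review bot: The summary on the new `ssh_use_sshd_pidfds` interface promises only pidfd use, but the rule `allow $1 sshd_t:fd use;` covers every file descriptor inherited from or passed by sshd_t; the SELinux fd class has no pidfd-specific permission, so the name and doc understate the grant. Either name and document the interface for what it grants (e.g. `ssh_use_sshd_fds` with "Use file descriptors from the ssh server") or keep the name and reword the summary to `## Use file descriptors (such as pidfds) from the ssh server.` so callers do not assume a narrower grant than they get. The call site in the init.te hunk below would also benefit from a why-comment, e.g. `# pam_systemd session setup receives pidfds from sshd`.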

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8f3772dcb..03d0de8ed 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -630,6 +630,10 @@ ifdef(`init_systemd',`
fs_rw_rpc_named_pipes(initrc_t)
')
 
+   optional_policy(`
+   ssh_use_sshd_pidfds(init_t)
+   ')
+
optional_policy(`
# for systemd --user:
unconfined_search_keys(init_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 30142b2d3d2fbe3e30c81bd7463e8bb8e4f1752d
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:14:04 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:39 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30142b2d

postgres: add a standalone execmem tunable

Add a separate tunable to allow Postgres to use execmem. This is to
support JIT in the Postgres server without enabling it for the entire
system.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/postgresql.te | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 810fb0ed4..7eec1b665 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -18,6 +18,13 @@ gen_require(`
 # Declarations
 #
 
+## 
+## 
+## Allow postgresql to map memory regions as both executable and writable 
(e.g. for JIT).
+## 
+## 
+gen_tunable(psql_allow_execmem, false)
+
 ## 
 ## 
 ## Allow unprived users to execute DDL statement
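Review bot: The new tunable is named `psql_allow_execmem` while the domain it gates is `postgresql_t` and refpolicy's existing tunables in this module use `sepgsql_`/`postgresql_` prefixes (the DDL tunable whose description follows is `sepgsql_enable_users_ddl`); `postgresql_allow_execmem` would match the module's naming and be easier to locate. The description should also say what is being traded away so administrators can weigh it, e.g. `## Allow postgresql to map memory regions as both executable and writable (e.g. for JIT). This weakens W^X protection for the server process; off by default.`. The `allow_execmem || psql_allow_execmem` condition in the second hunk is correct, and the same rename applies there.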
@@ -363,7 +370,7 @@ optional_policy(`
mta_getattr_spool(postgresql_t)
 ')
 
-tunable_policy(`allow_execmem',`
+tunable_policy(`allow_execmem || psql_allow_execmem',`
allow postgresql_t self:process execmem;
 ')
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2024-05-14 Thread Kenton Groombridge
commit: c5f642792afda4f820b416e1f0e8f82b683b52bf
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:03:10 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:36 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5f64279

userdom: allow users to read user home dir symlinks

This is to support user home directories primarily living in another
directory with a symlink in /home that points to it.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/userdomain.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 401c5e6f7..1d98629c6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -318,6 +318,7 @@ interface(`userdom_ro_home_role',`
 
# read-only home directory
allow $2 user_home_dir_t:dir list_dir_perms;
+   allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
allow $2 user_home_t:dir list_dir_perms;
allow $2 user_home_t:file entrypoint;
read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
@@ -394,6 +395,8 @@ interface(`userdom_manage_home_role',`
 
type_member $2 user_home_dir_t:dir user_home_dir_t;
 
+   allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
+
# full control of the home directory
allow $2 user_home_t:file entrypoint;
manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
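Review bot: In `userdom_manage_home_role` the added `allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;` sits alone between `type_member` and the `# full control of the home directory` comment with nothing explaining it, whereas the earlier hunk at least lands under `# read-only home directory`. A comment such as `# home directories may be symlinks into another location` (the commit message's rationale) on both rules records why symlinks in /home are readable. Following the symlink is still mediated by the target's label, so this does not widen access by itself, which is worth stating too.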



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: dc612e94fc961e4039c1fba11c03e9f872888fbf
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 19:58:20 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:33 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc612e94

fail2ban: allow reading net sysctls

type=AVC msg=audit(1696613589.191:194926): avc:  denied  { search } for  
pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 
scontext=system_u:system_r:fail2ban_t:s0 
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/fail2ban.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/fail2ban.te 
b/policy/modules/services/fail2ban.te
index af34769d3..dce03adca 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -62,6 +62,7 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_runtime_t, 
fail2ban_runtime_t)
 manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
+kernel_read_net_sysctls(fail2ban_t)
 kernel_read_system_state(fail2ban_t)
 kernel_read_vm_overcommit_sysctl(fail2ban_t)
 kernel_search_fs_sysctls(fail2ban_t)
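Review bot: The AVC in the commit message denies only `search` on the `sysctl_net_t` directory, but `kernel_read_net_sysctls(fail2ban_t)` grants reading every net sysctl file as well. If a search-only interface for net sysctls exists, analogous to the `kernel_search_fs_sysctls` call two lines below, it is the least-privilege match for the observed denial; if fail2ban does go on to read specific sysctls, a comment naming which (e.g. `# reads net sysctls for <reason>`) would justify the broader grant. Try the narrower rule first and widen only on a further denial.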



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: eb3fe60b4f0d6bf8c466179cababdfa67ab8aabc
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:21:13 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:41 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eb3fe60b

asterisk: allow binding to all unreserved UDP ports

This is for RTP streaming.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/asterisk.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/asterisk.te 
b/policy/modules/services/asterisk.te
index 0c2f9a42d..3cf98e59d 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -110,6 +110,7 @@ corenet_udp_bind_sip_port(asterisk_t)
 corenet_sendrecv_generic_server_packets(asterisk_t)
 corenet_tcp_bind_generic_port(asterisk_t)
 corenet_udp_bind_generic_port(asterisk_t)
+corenet_udp_bind_all_unreserved_ports(asterisk_t)
 corenet_dontaudit_udp_bind_all_ports(asterisk_t)
 
 corenet_sendrecv_jabber_client_client_packets(asterisk_t)
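Review bot: `corenet_udp_bind_all_unreserved_ports(asterisk_t)` is added unconditionally and without a comment, while a sibling commit in this series (matrixd) gates the equivalent TCP grant behind a tunable. Binding every unreserved UDP port is a wide grant for a network-facing daemon; consider gating it with a tunable along the lines of `asterisk_bind_all_unreserved_udp_ports` (name constructed) or at minimum add `# RTP media uses a dynamic UDP port range` so the reason lives in the policy rather than only in the commit log. With this rule in place the `corenet_dontaudit_udp_bind_all_ports` line below only still matters for reserved ports, which may also deserve a note.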



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2024-05-14 Thread Kenton Groombridge
commit: 3dd05d4af8614f7e3ffc4038241f1487d61c53bb
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:41:28 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:50 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3dd05d4a

systemd: allow systemd-sysctl to search tmpfs

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cef49e9a3..fca1a6018 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1752,6 +1752,7 @@ files_read_etc_files(systemd_sysctl_t)
 fs_getattr_all_fs(systemd_sysctl_t)
 fs_search_cgroup_dirs(systemd_sysctl_t)
 fs_search_ramfs(systemd_sysctl_t)
+fs_search_tmpfs(systemd_sysctl_t)
 
 systemd_log_parse_environment(systemd_sysctl_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/

2024-05-14 Thread Kenton Groombridge
commit: da28221423dba9c102a06afb6c7eac7cd2d0117a
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:31:46 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:44 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da282214

bootloader: allow systemd-boot to manage EFI binaries

systemd-boot's bootctl utility is used to install and update its EFI
binaries in the EFI partition. If that partition is mounted with boot_t, bootctl
needs to be able to manage boot_t files.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/bootloader.te |  4 
 policy/modules/kernel/files.if | 19 +++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 294ce7e0c..81748a5f3 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -225,6 +225,10 @@ ifdef(`init_systemd',`
fs_getattr_cgroup(bootloader_t)
init_read_state(bootloader_t)
init_rw_inherited_stream_socket(bootloader_t)
+
+   # for systemd-boot-update to manage EFI binaries
+   domain_obj_id_change_exemption(bootloader_t)
+   files_mmap_read_boot_files(bootloader_t)
 ')
 
 optional_policy(`
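Review bot: The comment `# for systemd-boot-update to manage EFI binaries` does not match what the two calls grant: `files_mmap_read_boot_files(bootloader_t)` is read/mmap only, and `domain_obj_id_change_exemption(bootloader_t)` is a broad exemption letting the domain change object identities, nothing specific to EFI files, while the commit message says bootctl needs to manage boot_t files. Document which operation actually required the exemption (not visible from this hunk), e.g. `# bootctl relabels the EFI binaries it installs; needs the object-identity change exemption` confirmed against the AVC, and check whether a manage-level interface for boot_t files is missing or the comment is simply overstated. `files_mmap_read_boot_files` is defined in the files.if hunk below.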

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e0337d044..b9c451321 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2590,6 +2590,25 @@ interface(`files_read_boot_files',`
read_files_pattern($1, boot_t, boot_t)
 ')
 
+
+## 
+## Read and memory map files in the /boot directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`files_mmap_read_boot_files',`
+   gen_require(`
+   type boot_t;
+   ')
+
+   mmap_read_files_pattern($1, boot_t, boot_t)
+')
+
 
 ## 
 ## Create, read, write, and delete files



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 4f530e384d56b9f11d4846e1018c56fe3df86e05
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Tue Mar  5 15:20:13 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:02 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f530e38

cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/cockpit.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/cockpit.if 
b/policy/modules/services/cockpit.if
index 4c452484c..1a13f4e5a 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -46,7 +46,7 @@
 template(`cockpit_role_template',`
 
type $1_cockpit_tmpfs_t;
-   files_runtime_file($1_cockpit_tmpfs_t)
+   files_tmpfs_file($1_cockpit_tmpfs_t)
dev_filetrans($2, $1_cockpit_tmpfs_t, file)
 
allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 8c2f46403362398b17348da14c551acad1cdc0b4
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:33:13 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:45 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c2f4640

matrixd: add tunable for binding to all unreserved ports

This is to support using Synapse workers which require binding to
multiple TCP ports in lieu of manually labeling unreserved ports for
use.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/matrixd.te | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/matrixd.te 
b/policy/modules/services/matrixd.te
index c396a3d7c..5f092f31c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -20,6 +20,16 @@ gen_tunable(matrix_allow_federation, true)
 ## 
 gen_tunable(matrix_postgresql_connect, false)
 
+## 
+##  
+##  Determine whether Matrixd is allowed to bind all
+##  TCP ports. This is intended for more complex Matrix
+## server configurations (e.g. Synapse workers) and may
+## be used in lieu of manually labeling each port.
+##  
+## 
+gen_tunable(matrix_bind_all_unreserved_tcp_ports, false)
+
 type matrixd_t;
 type matrixd_exec_t;
 init_daemon_domain(matrixd_t, matrixd_exec_t)
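Review bot: The description of `matrix_bind_all_unreserved_tcp_ports` says "bind all TCP ports" while both the tunable name and the rule it gates (`corenet_tcp_bind_all_unreserved_ports(matrixd_t)` in the second hunk) cover only unreserved ports, so the text overstates the grant an administrator is enabling. Change the two lines to `## Determine whether Matrixd is allowed to bind all` / `## unreserved TCP ports. This is intended for more complex Matrix`. The indentation of the `## ` description lines is also uneven compared with the tunable above; align them.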
@@ -117,7 +127,11 @@ tunable_policy(`matrix_postgresql_connect',`
postgresql_tcp_connect(matrixd_t)
 ')
 
+tunable_policy(`matrix_bind_all_unreserved_tcp_ports',`
+   corenet_tcp_bind_all_unreserved_ports(matrixd_t)
+')
+
 optional_policy(`
apache_search_config(matrixd_t)
 ')
- 
+



[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/

2024-05-14 Thread Kenton Groombridge
commit: 45225bca740493e52132fb53fc609d859ea9deb8
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Tue May 14 17:42:26 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:42:26 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45225bca

Merge upstream

Signed-off-by: Kenton Groombridge  gentoo.org>

 gentoo/STATE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gentoo/STATE b/gentoo/STATE
index b40fac216..c86b6a7a6 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-fa84ee8fc04af56cced5ab8ed7abfb1abbd246dc
+af26e636973bff8494e2ed2f93795bde8e2d94e7



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: b85214ca8e0a693d0b903fd31da74b6d6be4667b
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:38:43 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:47 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b85214ca

container: allow system container engines to mmap runtime files

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 096d6c23d..9699ac36d 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -866,7 +866,7 @@ filetrans_pattern(container_engine_system_domain, 
container_var_lib_t, container
 filetrans_pattern(container_engine_system_domain, container_var_lib_t, 
container_file_t, dir, "volumes")
 
 allow container_engine_system_domain container_runtime_t:dir { 
manage_dir_perms relabel_dir_perms watch };
-allow container_engine_system_domain container_runtime_t:file { 
manage_file_perms relabel_file_perms watch };
+allow container_engine_system_domain container_runtime_t:file { 
mmap_manage_file_perms relabel_file_perms watch };
 allow container_engine_system_domain container_runtime_t:fifo_file { 
manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_system_domain container_runtime_t:lnk_file { 
manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_system_domain container_runtime_t:sock_file { 
manage_sock_file_perms relabel_sock_file_perms };



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: cdc026e081113bc262a5183640d4fcde761858ce
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 21:19:44 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:53 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdc026e0

container, crio, kubernetes: minor fixes

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/container.te  | 1 +
 policy/modules/services/crio.te   | 1 +
 policy/modules/services/kubernetes.te | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 68aa97ae5..095308a13 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -982,6 +982,7 @@ allow spc_t self:alg_socket create_stream_socket_perms;
 allow spc_t self:netlink_audit_socket { create_netlink_socket_perms 
nlmsg_relay };
 allow spc_t self:netlink_generic_socket create_socket_perms;
 allow spc_t self:netlink_netfilter_socket create_socket_perms;
+allow spc_t self:netlink_tcpdiag_socket nlmsg_read;
 allow spc_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow spc_t self:perf_event { cpu kernel open read };
 
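Review bot: `allow spc_t self:netlink_tcpdiag_socket nlmsg_read;` is added with no comment, and the same is true of `container_signal_system_containers(crio_conmon_t)` in the crio.te hunk and `container_watch_log_dirs(kubelet_t)` / `kernel_dontaudit_getattr_proc(kubectl_t)` in the kubernetes.te hunks; with a commit message of "minor fixes" there is no record of which denial each rule answers. A short why-comment per rule (e.g. `# socket inspection from privileged containers` for the tcpdiag rule, confirmed against the AVC) makes later pruning possible. The `kernel_dontaudit_getattr_proc(kubectl_t)` rule hides a denial rather than granting access, so it is worth stating there that the getattr is known-harmless noise.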

diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te
index 3dd616f7a..91306d80e 100644
--- a/policy/modules/services/crio.te
+++ b/policy/modules/services/crio.te
@@ -84,6 +84,7 @@ init_use_fds(crio_conmon_t)
 
 container_kill_all_containers(crio_conmon_t)
 container_read_all_container_state(crio_conmon_t)
+container_signal_system_containers(crio_conmon_t)
 
 # for kubernetes debug pods
 container_use_container_ptys(crio_conmon_t)

diff --git a/policy/modules/services/kubernetes.te 
b/policy/modules/services/kubernetes.te
index 58292de85..3ba666299 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -393,6 +393,7 @@ container_relabel_all_content(kubelet_t)
 container_manage_log_dirs(kubelet_t)
 container_manage_log_files(kubelet_t)
 container_manage_log_symlinks(kubelet_t)
+container_watch_log_dirs(kubelet_t)
 container_watch_log_files(kubelet_t)
 container_log_filetrans(kubelet_t, { dir file })
 
@@ -617,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain)
 # kubectl local policy
 #
 
+kernel_dontaudit_getattr_proc(kubectl_t)
+
 auth_use_nsswitch(kubectl_t)
 
 # not required, but convenient for using config commands



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 8271ab906f4389dae37b0470c44cdc6ab15b784d
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:39:41 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:49 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8271ab90

container: allow containers to getcap

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 9699ac36d..68aa97ae5 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -286,7 +286,7 @@ corenet_port(container_port_t)
 dontaudit container_domain self:capability fsetid;
 dontaudit container_domain self:capability2 block_suspend;
 allow container_domain self:cap_userns { chown dac_override dac_read_search 
fowner kill setgid setuid };
-allow container_domain self:process { execstack execmem getattr getsched 
getsession setsched setcap setpgid signal_perms };
+allow container_domain self:process { execstack execmem getattr getcap 
getsched getsession setsched setcap setpgid signal_perms };
 allow container_domain self:dir rw_dir_perms;
 allow container_domain self:file create_file_perms;
 allow container_domain self:fifo_file manage_fifo_file_perms;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: b18c0d3743affd70627adf0832b0fef674f50165
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 21:03:59 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:52 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b18c0d37

container, podman: various fixes

Various fixes for containers and podman, mostly centered around quadlet
and netavark updates.

One particular change which may stand out is allowing podman_conmon_t to
IOCTL container_file_t files. I wish I could know why this was hit, but
I don't. The relevant AVC is:

type=PROCTITLE msg=audit(1704734027.100:15951872): 
proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762
type=EXECVE msg=audit(1704734027.100:15951872): argc=93 
a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" 
a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" 
a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" 
a8="/usr/bin/crun" a9="-b" 
a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata"
 a11="-p" 
a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile"
 a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" 
a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" 
a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" 
a26="--runtime-arg" a27="--log" 
a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log"
 a29="--conmon-pidfile" a30="
 
/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid"
 a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" 
a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" 
a37="--exit-command-arg" a38="--runroot" a39="--exit-command-arg" 
a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" 
a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" 
a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" 
a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" 
a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" 
a55="--exit-command-arg" a56="" a57="--exit-command-arg" 
a58="--network-backend" a59="--exit-command-arg" a60="netavark" 
a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" 
a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" 
a66="--db-backend" a67="--exit-command-arg" a68="sqlite" a69="--exit-co
 mmand-arg" a70="--transient-store=false" a71="--exit-command-arg" 
a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" 
a76="--storage-driver" a77="--exit-command-arg" a78="overlay" 
a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" 
a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" 
a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" 
a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" 
a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7"
type=SYSCALL msg=audit(1704734027.100:15951872): arch=c03e syscall=59 
success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 
ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" 
exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null)
type=AVC msg=audit(1704734027.100:15951872): avc:  denied  { ioctl } for  
pid=3434219 comm="conmon" 
path="/va

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 304a909724d2e15445449257a45563751eb88a7c
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 19:59:55 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:35 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=304a9097

dovecot: allow dovecot-auth to read SASL keytab

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/dovecot.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/dovecot.te 
b/policy/modules/services/dovecot.te
index 11ffbb177..937219831 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -321,6 +321,10 @@ optional_policy(`
postfix_search_spool(dovecot_auth_t)
 ')
 
+optional_policy(`
+   sasl_read_keytab(dovecot_auth_t)
+')
+
 optional_policy(`
 postgresql_unpriv_client(dovecot_auth_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: testing/, .github/workflows/

2024-05-14 Thread Kenton Groombridge
commit: 88a0ed139bf2bd39ff7e09d50e6dcf9ca6f4e5a4
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Fri Feb 23 21:12:25 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:20 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=88a0ed13

tests.yml: Add sechecker testing.

Add initial privilege and integrity tests.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 .github/workflows/tests.yml |  56 --
 .github/workflows/tests.yml.rej |  35 
 testing/sechecker.ini   | 401 
 3 files changed, 480 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index eac1e30cc..1e3d5b7b0 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -3,21 +3,27 @@ name: Build tests
 on: [push, pull_request]
 
 env:
-  # Minimum userspace version to build refpolicy.
-  SELINUX_USERSPACE_VERSION: checkpolicy-3.1
+  # Minimum versions to build refpolicy.
+  PYTHON_VERSION: "3.10"
+  SELINUX_USERSPACE_VERSION: checkpolicy-3.2
+  USERSPACE_SRC: "selinux-src"
+  # branch for sechecker
+  SECHECKER_VERSION: "4.4"
+  SETOOLS_SRC: "setools-src"
 
 jobs:
   lint:
-runs-on: ubuntu-20.04
+runs-on: ubuntu-22.04
 
 steps:
-- uses: actions/checkout@v3
+- uses: actions/checkout@v4
 
 # This version should be the minimum required to run the fc checker
+# or the standard Python version on Ubuntu.
 - name: Set up Python
-  uses: actions/setup-python@v4
+  uses: actions/setup-python@v5
   with:
-python-version: 3.7
+python-version: "${{env.PYTHON_VERSION}}"
 
 - name: Install dependencies
   run: |
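Review bot: `actions/checkout@v4` and `actions/setup-python@v5` (here and in the SELint checkout and build-job hunks below) are pinned to mutable major tags, so the workflow picks up whatever those tags point at in the future; for a policy repository that feeds distribution packaging, pinning third-party actions to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<full-sha> # v4`, placeholder to be filled from the upstream release) is the usual supply-chain hardening and keeps bumps reviewable. Separately, the diffstat for this commit adds `.github/workflows/tests.yml.rej`, a patch-rejection artifact that should not be committed.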
@@ -25,7 +31,7 @@ jobs:
 sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev 
uthash-dev
 
 - name: Checkout SELint
-  uses: actions/checkout@v3
+  uses: actions/checkout@v4
   with:
 repository: SELinuxProject/selint
 ref: 'v1.5.0'
@@ -55,7 +61,7 @@ jobs:
 selint --source --recursive --summary --fail --disable C-005 --disable 
C-008 --disable W-005 policy
 
   build:
-runs-on: ubuntu-20.04
+runs-on: ubuntu-22.04
 
 strategy:
   fail-fast: false
@@ -100,13 +106,29 @@ jobs:
   - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: 
unconfined, direct_initrc: y}
 
 steps:
-- uses: actions/checkout@v3
+- name: Checkout Reference Policy
+  uses: actions/checkout@v4
+
+- name: Checkout SELinux userspace tools and libs
+  uses: actions/checkout@v4
+  with:
+repository: SELinuxProject/selinux
+ref: "${{env.SELINUX_USERSPACE_VERSION}}"
+path: "${{env.USERSPACE_SRC}}"
+
+- name: Checkout setools
+  uses: actions/checkout@v4
+  with:
+repository: SELinuxProject/setools
+ref: "${{env.SECHECKER_VERSION}}"
+path: "${{env.SETOOLS_SRC}}"
 
 # This should be the minimum required Python version to build refpolicy.
+# or the standard Python version on Ubuntu.
 - name: Set up Python
-  uses: actions/setup-python@v4
+  uses: actions/setup-python@v5
   with:
-python-version: 3.5
+python-version: "${{env.PYTHON_VERSION}}"
 
 - name: Install dependencies
   run: |
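Review bot: The setools checkout uses `ref: "${{env.SECHECKER_VERSION}}"` where `SECHECKER_VERSION` is `"4.4"` and the env comment calls it a branch, so the sechecker used by the `Validate security goals` step can change between runs with no change in this repository, making a failing (or newly passing) validation hard to attribute. Pin it to a release tag or commit the same way `SELINUX_USERSPACE_VERSION` names `checkpolicy-3.2`, and update the comment to `# tag for sechecker`. The quoting change to `python-version: "${{env.PYTHON_VERSION}}"` is correct, since an unquoted `3.10` would be read as the float 3.1.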
@@ -125,7 +147,6 @@ jobs:
   run: |
 echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
 echo "PYTHON=python" >> $GITHUB_ENV
-echo "TEST_TOOLCHAIN_SRC=/tmp/selinux-src" >> $GITHUB_ENV
 echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV
 echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV
 echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV
@@ -174,3 +195,14 @@ jobs:
 make install-docs
 make install-udica-templates
 make install-appconfig
+
+# This skips some combinations to keep GitHub actions runtime lower by
+# eliminating duplicate analyses.
+- name: Validate security goals
+  run: |
+if [[ $MONOLITHIC == "y" ]] && [[ $TYPE != "standard" ]] && [[ 
$APPS_OFF ]] && [[ $SYSTEMD == "y" ]]; then
+policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo 
$(polver)' output_filename)
+sechecker testing/sechecker.ini "${policy_file}"
+else
+echo "Skipped"
+fi

diff --git a/.github/workflows/tests.yml.rej b/.github/workflows/tests.yml.rej
new file mode 100644
index 0..79e14d3d7
--- /dev/null
+++ b/.github/workflows/tests.yml.rej
@@ -0,0 +1,35 @@
+--- .github/workflows/tests.yml
 .github/workflo

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: c6e72252a0d9ec8e88e28e2512737936cec8c3ea
Author: Dave Sugar  gmail  com>
AuthorDate: Sun May  5 01:19:20 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:22 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c6e72252

Need map perm for cockpit 300.4

node=localhost type=AVC msg=audit(1714870999.370:3558): avc:  denied  { map } 
for  pid=7081 comm="cockpit-bridge" path=2F6465762F23373933202864656C6574656429 
dev="devtmpfs" ino=793 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=staff_u:object_r:staff_cockpit_tmpfs_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/cockpit.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/cockpit.if 
b/policy/modules/services/cockpit.if
index 1a13f4e5a..bde2bfad5 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -49,7 +49,7 @@ template(`cockpit_role_template',`
files_tmpfs_file($1_cockpit_tmpfs_t)
dev_filetrans($2, $1_cockpit_tmpfs_t, file)
 
-   allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };
+   allow $2 $1_cockpit_tmpfs_t:file { mmap_manage_file_perms execute };
 
dev_dontaudit_execute_dev_nodes($2)
 



[gentoo-commits] proj/hardened-refpolicy: New tag: 2.20240226-r2

2024-05-14 Thread Kenton Groombridge
commit: 
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 19:43:05 2024 +

New tag: 2.20240226-r2




[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2024-05-14 Thread Kenton Groombridge
commit: ef89017d69182a71eb3cd46369ba5bb079f6f165
Author: Grzegorz Filo  wp  pl>
AuthorDate: Thu Apr  4 18:09:08 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:43:11 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef89017d

remove unnecessary code

Signed-off-by: Grzegorz Filo  wp.pl>
Closes: https://github.com/gentoo/hardened-refpolicy/pull/2
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/bootloader.te | 5 -
 policy/modules/admin/portage.te| 1 -
 2 files changed, 6 deletions(-)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 81748a5f3..5a7e1cd4d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -263,8 +263,3 @@ optional_policy(`
 optional_policy(`
rpm_rw_pipes(bootloader_t)
 ')
-
-ifdef(`distro_gentoo',`
-   # Fix bug #537652 - grub2-mkconfig has search rights needed on current 
dir (usually user home dir)
-   userdom_search_user_home_dirs(bootloader_t)
-')

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 2cd5d0482..c42552651 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -173,7 +173,6 @@ allow portage_t self:process { setfscreate };
 # - kill for mysql merging, at least
 allow portage_t self:capability { kill setfcap sys_nice };
 allow portage_t self:netlink_route_socket create_netlink_socket_perms;
-dontaudit portage_t self:capability { dac_read_search };
 
 # user post-sync scripts
 can_exec(portage_t, portage_conf_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 5a4608dfd87f63d1c61c5105f52dd70af5217bd0
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 21:46:06 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:54 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a4608df

various: various fixes

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/devices.if  | 19 +++
 policy/modules/services/kubernetes.te |  2 ++
 policy/modules/system/authlogin.if|  3 +++
 policy/modules/system/authlogin.te|  1 +
 policy/modules/system/raid.te |  3 ++-
 policy/modules/system/selinuxutil.te  |  1 +
 6 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 344d858cf..c7af194b1 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2897,6 +2897,25 @@ interface(`dev_delete_lvm_control_dev',`
delete_chr_files_pattern($1, device_t, lvm_control_t)
 ')
 
+
+## 
+## Do not audit attempts to read and write the
+## Intel Management Engine Interface device.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_dontaudit_rw_mei',`
+   gen_require(`
+   type mei_device_t;
+   ')
+
+   dontaudit $1 mei_device_t:chr_file rw_chr_file_perms;
+')
+
 
 ## 
 ## dontaudit getattr raw memory devices (e.g. /dev/mem).

diff --git a/policy/modules/services/kubernetes.te 
b/policy/modules/services/kubernetes.te
index 3ba666299..839635026 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -618,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain)
 # kubectl local policy
 #
 
+dontaudit kubectl_t self:capability { sys_admin sys_resource };
+
 kernel_dontaudit_getattr_proc(kubectl_t)
 
 auth_use_nsswitch(kubectl_t)
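Review bot: The new `dontaudit kubectl_t self:capability { sys_admin sys_resource };` carries no comment recording what triggers the denial, so a later reader cannot tell whether silencing a `sys_admin` request is still benign or is hiding a real need; the same undocumented pair is added for `semanage_t` in the selinuxutil.te hunk, and the raid.te hunks add `net_admin` to the mdadm dontaudit and `dev_dontaudit_rw_mei(mdadm_t)` without saying why mdadm touches the MEI device. The file's own style (the `# kubectl local policy` header here, `# create links in /dev/md` in raid.te) is to annotate such lines; something like `# <what probes these capabilities — TODO confirm>; denial is harmless` above each would do. Two unrelated domains hitting the identical `sys_admin sys_resource` pair suggests a common library probe, which is worth stating once if confirmed.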

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index a91ab7acb..a90ebb3db 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -105,6 +105,9 @@ interface(`auth_use_pam_systemd',`
systemd_connect_machined($1)
systemd_dbus_chat_logind($1)
systemd_read_logind_state($1)
+
+   # to read /etc/machine-id
+   files_read_etc_runtime_files($1)
 ')
 
 
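Review bot: `files_read_etc_runtime_files($1)` grants every caller of `auth_use_pam_systemd` read access to all files of that type (presumably `etc_runtime_t`), while the comment above it says the need is only `/etc/machine-id`; the comment should either state that the wider grant is accepted or the rule should use a machine-id-specific interface if the tree has one. A wording such as `# to read /etc/machine-id (no narrower interface available — TODO confirm)` records the decision for the next reviewer. The interface body begins before the hunk.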

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index 9920ea699..14d2774a1 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -142,6 +142,7 @@ term_dontaudit_use_all_ptys(chkpwd_t)
 
 auth_read_shadow_history(chkpwd_t)
 auth_use_nsswitch(chkpwd_t)
+auth_use_pam_systemd(chkpwd_t)
 
 logging_send_audit_msgs(chkpwd_t)
 logging_send_syslog_msg(chkpwd_t)
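Review bot: `auth_use_pam_systemd(chkpwd_t)` pulls the logind/machined D-Bus and state access shown in the authlogin.if hunk into the password-checking helper domain, a noticeable widening for helpers whose job is to verify a hash, and the hunk gives no comment on which module or call path needs it. If the `*_chkpwd` helpers genuinely load pam_systemd, a comment such as `# helper's PAM stack loads pam_systemd — TODO confirm` would keep the grant reviewable; if the observed denial was only a probe, a dontaudit would be the narrower fix.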

diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index c8db38261..e5e649f6b 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -28,7 +28,7 @@ init_unit_file(mdadm_unit_t)
 #
 
 allow mdadm_t self:capability { dac_override ipc_lock sys_admin };
-dontaudit mdadm_t self:capability sys_tty_config;
+dontaudit mdadm_t self:capability { net_admin sys_tty_config };
 dontaudit mdadm_t self:cap_userns sys_ptrace;
 allow mdadm_t self:process { getsched setsched signal_perms };
 allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -53,6 +53,7 @@ corecmd_exec_shell(mdadm_t)
 dev_rw_sysfs(mdadm_t)
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_rw_mei(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 # create links in /dev/md
 dev_create_generic_symlinks(mdadm_t)

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index 6393fadcf..46c275e38 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -515,6 +515,7 @@ seutil_domtrans_semanage(selinux_dbus_t)
 #
 
 allow semanage_t self:capability { audit_write dac_override };
+dontaudit semanage_t self:capability { sys_admin sys_resource };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms 
nlmsg_relay };



[gentoo-commits] repo/gentoo:master commit in: sec-policy/selinux-firewalld/

2024-05-14 Thread Kenton Groombridge
commit: 30d7454dd538b0654626c197ec6605fffdcfd816
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Tue May 14 18:38:18 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 19:44:18 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30d7454d

sec-policy/selinux-firewalld: new package, add 

Signed-off-by: Kenton Groombridge  gentoo.org>

 sec-policy/selinux-firewalld/metadata.xml  |  8 
 sec-policy/selinux-firewalld/selinux-firewalld-.ebuild | 14 ++
 2 files changed, 22 insertions(+)

diff --git a/sec-policy/selinux-firewalld/metadata.xml 
b/sec-policy/selinux-firewalld/metadata.xml
new file mode 100644
index ..781bc07e6d59
--- /dev/null
+++ b/sec-policy/selinux-firewalld/metadata.xml
@@ -0,0 +1,8 @@
+
+https://www.gentoo.org/dtd/metadata.dtd";>
+
+   
+   seli...@gentoo.org
+   SELinux Team
+   
+

diff --git a/sec-policy/selinux-firewalld/selinux-firewalld-.ebuild 
b/sec-policy/selinux-firewalld/selinux-firewalld-.ebuild
new file mode 100644
index ..13057cb78b5e
--- /dev/null
+++ b/sec-policy/selinux-firewalld/selinux-firewalld-.ebuild
@@ -0,0 +1,14 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+MODS="firewalld"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for firewalld"
+
+if [[ ${PV} != * ]] ; then
+   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+fi



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libselinux/

2023-04-15 Thread Kenton Groombridge
commit: 00ba07e73d6af17f95eada9367b4a98a9a2df753
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Apr 15 15:05:53 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Apr 15 15:05:53 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00ba07e7

sys-libs/libselinux: drop 3.4

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libselinux/Manifest  |   1 -
 sys-libs/libselinux/libselinux-3.4.ebuild | 156 --
 2 files changed, 157 deletions(-)

diff --git a/sys-libs/libselinux/Manifest b/sys-libs/libselinux/Manifest
index ab7b2b4334a2..c6efbb8e1ed0 100644
--- a/sys-libs/libselinux/Manifest
+++ b/sys-libs/libselinux/Manifest
@@ -1,2 +1 @@
-DIST libselinux-3.4.tar.gz 210061 BLAKE2B 
65b797516199def3feb1a5de5413e5da6f81422e7c7d97bf859896e78ef55020d3851f98c205bab622f941756341dc62f49d70558ebaf1cb3a8a28b84871d7af
 SHA512 
7ffa6d2159d2333d836bde3f75dfc78a278283b66ae1e441c178371adb6f463aa6f2d62439079e2068d1135c39dd2b367b001d917c0bdc6871a73630919ef81e
 DIST libselinux-3.5.tar.gz 211453 BLAKE2B 
f7f3067c4bb0448e18bd7085135f11d94ae99728949480a655c0f660486817beb5829d8a43dff7bce286ccd50705b0c657bde85970f01c794e01fb707f469d8b
 SHA512 
4e13261a5821018a5f3cdce676f180bb62e5bc225981ca8a498ece0d1c88d9ba8eaa0ce4099dd0849309a8a7c5a9a0953df841a9922f2c284e5a109e5d937ba7

diff --git a/sys-libs/libselinux/libselinux-3.4.ebuild 
b/sys-libs/libselinux/libselinux-3.4.ebuild
deleted file mode 100644
index 255324c5d443..
--- a/sys-libs/libselinux/libselinux-3.4.ebuild
+++ /dev/null
@@ -1,156 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-PYTHON_COMPAT=( python3_{9..11} )
-USE_RUBY="ruby27"
-
-# No, I am not calling ruby-ng
-inherit python-r1 toolchain-funcs multilib-minimal
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-
-DESCRIPTION="SELinux userland library"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki";
-
-if [[ ${PV} ==  ]]; then
-   inherit git-r3
-   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git";
-   S="${WORKDIR}/${P}/${PN}"
-else
-   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
-   S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="python ruby static-libs ruby_targets_ruby27"
-REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
-
-RDEPEND="dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}]
-   >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
-   python? ( ${PYTHON_DEPS} )
-   ruby? (
-   ruby_targets_ruby27? ( dev-lang/ruby:2.7 )
-   )
-   elibc_musl? ( sys-libs/fts-standalone )"
-DEPEND="${RDEPEND}"
-BDEPEND="virtual/pkgconfig
-   python? (
-   >=dev-lang/swig-2.0.9
-   dev-python/pip[${PYTHON_USEDEP}]
-   )
-   ruby? ( >=dev-lang/swig-2.0.9 )"
-
-src_prepare() {
-   eapply_user
-
-   multilib_copy_sources
-}
-
-multilib_src_compile() {
-   tc-export AR CC PKG_CONFIG RANLIB
-
-   local -x CFLAGS="${CFLAGS} -fno-semantic-interposition"
-
-   emake \
-   LIBDIR="\$(PREFIX)/$(get_libdir)" \
-   SHLIBDIR="/$(get_libdir)" \
-   LDFLAGS="-fPIC ${LDFLAGS} -pthread" \
-   USE_PCRE2=y \
-   FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
-   all
-
-   if multilib_is_native_abi && use python; then
-   building() {
-   emake \
-   LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
-   LIBDIR="\$(PREFIX)/$(get_libdir)" \
-   SHLIBDIR="/$(get_libdir)" \
-   USE_PCRE2=y \
-   FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
-   pywrap
-   }
-   python_foreach_impl building
-   fi
-
-   if multilib_is_native_abi && use ruby; then
-   building() {
-   einfo "Calling rubywrap for ${1}"
-   # Clean up .lo file to force rebuild
-   rm -f src/selinuxswig_ruby_wrap.lo || die
-   emake \
-   RUBY=${1} \
-   LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
-   LIBDIR="\$(PREFIX)/$(get_libdir)" \
-   SHLIBDIR="/$(get_libdir)" \
- 

[gentoo-commits] repo/gentoo:master commit in: sys-apps/secilc/

2023-04-15 Thread Kenton Groombridge
commit: 422cef93753a1d1f1857a03e96b9ee7dcc10a9b9
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Apr 15 15:05:50 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Apr 15 15:05:50 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=422cef93

sys-apps/secilc: drop 3.4

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/secilc/Manifest  |  1 -
 sys-apps/secilc/secilc-3.4.ebuild | 37 -
 2 files changed, 38 deletions(-)

diff --git a/sys-apps/secilc/Manifest b/sys-apps/secilc/Manifest
index 153758303b3d..9fe706f87af0 100644
--- a/sys-apps/secilc/Manifest
+++ b/sys-apps/secilc/Manifest
@@ -1,2 +1 @@
-DIST secilc-3.4.tar.gz 181312 BLAKE2B 
cee26f3b6dc3d7a48df3bd3c9e0edf15f92f55b399afe02d7f4efe10cfd1d8ec140aa5ed588003c6ffca95e1abc82a6163f86edc58ea140703f47ca4bf2d5179
 SHA512 
f29ff42dd60050cdd4367af38b334876817f8e33ed40a9be89304beea840a210bd9a58d658d0b09f98bad54b12b185a0262ca05094b63e7f96c0142729699c3b
 DIST secilc-3.5.tar.gz 180803 BLAKE2B 
a42620318b312a5ef35565e3b40a89fd7ff44aaf73de835bc349f927193121b72c07bd2151a8a6b2cee53e2699a3ae6bb246084e18a181d334ebc082fdfdc56e
 SHA512 
eff37a981072c4b9c7c15bf4709db8797d8af5325883515f5c2fe611136b24419f6d01c797e4f131c9c08e1ba40576fcb2094b1e34325aae8351b6299bdba3dd

diff --git a/sys-apps/secilc/secilc-3.4.ebuild 
b/sys-apps/secilc/secilc-3.4.ebuild
deleted file mode 100644
index cfba06558260..
--- a/sys-apps/secilc/secilc-3.4.ebuild
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-inherit toolchain-funcs
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-
-DESCRIPTION="SELinux Common Intermediate Language (CIL) Compiler"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki";
-
-if [[ ${PV} ==  ]]; then
-   inherit git-r3
-   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git";
-   S="${WORKDIR}/${P}/${PN}"
-else
-   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="amd64 arm arm64 x86"
-   S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-
-DEPEND=">=sys-libs/libsepol-${PV}"
-RDEPEND="${DEPEND}"
-BDEPEND="app-text/xmlto"
-
-# tests are not meant to be run outside of the
-# full SELinux userland repo
-RESTRICT="test"
-
-src_compile() {
-   tc-export CC
-   default
-}



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsepol/

2023-04-15 Thread Kenton Groombridge
commit: 2579cd14060cfb0a6ff5edd1ba4c7e689d0275ed
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Apr 15 15:05:42 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Apr 15 15:05:42 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2579cd14

sys-libs/libsepol: drop 3.4

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libsepol/Manifest|  1 -
 sys-libs/libsepol/libsepol-3.4.ebuild | 50 ---
 2 files changed, 51 deletions(-)

diff --git a/sys-libs/libsepol/Manifest b/sys-libs/libsepol/Manifest
index 78c5d788ea35..cef9954d3145 100644
--- a/sys-libs/libsepol/Manifest
+++ b/sys-libs/libsepol/Manifest
@@ -1,2 +1 @@
-DIST libsepol-3.4.tar.gz 490628 BLAKE2B 
65a71e7e0b07589c3ca636e821b7aed7c15f0588a3bcd59860fba2da18606ce18c757bb2ad5edb52e10069310f1239c415a0a9fc17495a7d6274764c1eb213fb
 SHA512 
5e47e6ac626f2bfc10a9f2f24c2e66c4d7f291ca778ebd81c7d565326e036e821d3eb92e5d7540517b1c715466232a7d7da895ab48811d037ad92d423ed934b6
 DIST libsepol-3.5.tar.gz 497522 BLAKE2B 
dad2d346605be53fe41aef69e2e4bd4f1ce68a15f0b9307deb6b66bbe7bf06a9ee6be580e60d2f19aebbc8ee5041ac8a7b831b51342ba7c7089e1f1a447e7691
 SHA512 
66f45a9f4951589855961955db686b006b4c0cddead6ac49ad238a0e4a34775905bd10fb8cf0c0ff2ab64f9b7d8366b97fcd5b19c382dec39971a2835cc765c8

diff --git a/sys-libs/libsepol/libsepol-3.4.ebuild 
b/sys-libs/libsepol/libsepol-3.4.ebuild
deleted file mode 100644
index 63848ea5c13a..
--- a/sys-libs/libsepol/libsepol-3.4.ebuild
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit toolchain-funcs multilib-minimal
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-
-DESCRIPTION="SELinux binary policy representation library"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki";
-
-if [[ ${PV} ==  ]]; then
-   inherit git-r3
-   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git";
-   S="${WORKDIR}/${P}/${PN}"
-else
-   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
-   S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0/2"
-
-# tests are not meant to be run outside of the full SELinux userland repo
-RESTRICT="test"
-
-src_prepare() {
-   eapply_user
-   multilib_copy_sources
-}
-
-multilib_src_compile() {
-   tc-export CC AR RANLIB
-
-   local -x CFLAGS="${CFLAGS} -fno-semantic-interposition"
-
-   emake \
-   LIBDIR="\$(PREFIX)/$(get_libdir)" \
-   SHLIBDIR="/$(get_libdir)"
-}
-
-multilib_src_install() {
-   emake DESTDIR="${D}" \
-   LIBDIR="\$(PREFIX)/$(get_libdir)" \
-   SHLIBDIR="/$(get_libdir)" \
-   install
-}



[gentoo-commits] repo/gentoo:master commit in: sys-apps/checkpolicy/

2023-04-15 Thread Kenton Groombridge
commit: 92c63802bb4886bd9a96c41885836b5816e5762f
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Apr 15 15:05:57 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Apr 15 15:05:57 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92c63802

sys-apps/checkpolicy: drop 3.4

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/checkpolicy/Manifest   |  1 -
 sys-apps/checkpolicy/checkpolicy-3.4.ebuild | 54 -
 2 files changed, 55 deletions(-)

diff --git a/sys-apps/checkpolicy/Manifest b/sys-apps/checkpolicy/Manifest
index 3ce51e9cb737..d3279c23fc81 100644
--- a/sys-apps/checkpolicy/Manifest
+++ b/sys-apps/checkpolicy/Manifest
@@ -1,2 +1 @@
-DIST checkpolicy-3.4.tar.gz 69870 BLAKE2B 
891033b1d9d50a3738bb779d014d2f04d6cc5450c6f84ed43246c95b0c808f347d65c0e51c7254041e13b1c555a7e1de5092abb4fc12fabb109be7ddaa090829
 SHA512 
e7f7a4e987af473fd7cda0e47539061a8cb2e65a6b930f4736c538eb319129b260a3f03d2f50863e73a275ee3d58c441c33f95c80ea2bff6157e37226be54b92
 DIST checkpolicy-3.5.tar.gz 69904 BLAKE2B 
e02ccad07534568a1bbb612330018bbe486800ea40df20ed6f9dc38c88aff7f8858782a28ba7915a58c3bb384f180eb8da7a8fe97a92bcb9baa61eec18da6cbc
 SHA512 
fcd490d865af3b4350c32c5dd9916f8406219841e1e255d8945c6dcc958535247aa27af5597a6988e19f11faea7beeabcb46e8ba2431112bb4aa5c7697bca529

diff --git a/sys-apps/checkpolicy/checkpolicy-3.4.ebuild 
b/sys-apps/checkpolicy/checkpolicy-3.4.ebuild
deleted file mode 100644
index 4de3914676df..
--- a/sys-apps/checkpolicy/checkpolicy-3.4.ebuild
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit toolchain-funcs
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-
-DESCRIPTION="SELinux policy compiler"
-HOMEPAGE="http://userspace.selinuxproject.org";
-
-if [[ ${PV} ==  ]] ; then
-   inherit git-r3
-   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git";
-   S="${WORKDIR}/${P}/${PN}"
-else
-   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
-   S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="debug"
-
-DEPEND=">=sys-libs/libsepol-${PV}"
-BDEPEND="sys-devel/flex
-   sys-devel/bison"
-
-RDEPEND=">=sys-libs/libsepol-${PV}"
-
-src_compile() {
-   emake \
-   CC="$(tc-getCC)" \
-   YACC="bison -y" \
-   LIBDIR="\$(PREFIX)/$(get_libdir)"
-}
-
-src_install() {
-   default
-
-   if use debug; then
-   dobin "${S}/test/dismod"
-   dobin "${S}/test/dispol"
-   fi
-}
-
-pkg_postinst() {
-   if ! tc-is-cross-compiler; then
-   einfo "This checkpolicy can compile version `checkpolicy -V | 
cut -f 1 -d ' '` policy."
-   fi
-}



[gentoo-commits] repo/gentoo:master commit in: sys-apps/semodule-utils/

2023-04-15 Thread Kenton Groombridge
commit: 7e5bbadacea1706b9a1590caf8d7c896e5c48adc
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Apr 15 15:06:07 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Apr 15 15:06:07 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e5bbada

sys-apps/semodule-utils: drop 3.4

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/semodule-utils/Manifest  |  1 -
 sys-apps/semodule-utils/semodule-utils-3.4.ebuild | 43 ---
 2 files changed, 44 deletions(-)

diff --git a/sys-apps/semodule-utils/Manifest b/sys-apps/semodule-utils/Manifest
index 7608543afd38..725172803562 100644
--- a/sys-apps/semodule-utils/Manifest
+++ b/sys-apps/semodule-utils/Manifest
@@ -1,2 +1 @@
-DIST semodule-utils-3.4.tar.gz 14267 BLAKE2B 
292c9550a5f1bc8b901c7c95fe2dde07068513bf7d358decab65afc2db185996ec905b582691265a63aba7bc47f4e1d6da4c867eb9a9df5b22fc623a716e927b
 SHA512 
3a102eb83e1feff9796c4da572500be1e3a8a8bc8a7eed762ef4144761280f0513050c714aa287b1e4e67d2938f9f9a0ee5036762472d732eae0288b437cb7a9
 DIST semodule-utils-3.5.tar.gz 14383 BLAKE2B 
a1bb432013bca1023d99b32f43b2c972b6b807a4677f9d8c9fb9aff10225232506f3ecca86fc231b4c63d04582a91a1c4218f87ce5532a4d35a26a09665c6f10
 SHA512 
7c32f425ae71745040d1c6a6585149a1efb319913aa9d4c8bf185b0a4216dc66378fa38595b171614ee3ae4ade997d3ae56a060346e334faec55c419a87d71dd

diff --git a/sys-apps/semodule-utils/semodule-utils-3.4.ebuild 
b/sys-apps/semodule-utils/semodule-utils-3.4.ebuild
deleted file mode 100644
index f1204b6bfb30..
--- a/sys-apps/semodule-utils/semodule-utils-3.4.ebuild
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit toolchain-funcs
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-
-DESCRIPTION="SELinux policy module utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki";
-
-if [[ ${PV} == * ]] ; then
-   inherit git-r3
-   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git";
-   S="${WORKDIR}/${P}/${PN}"
-else
-   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="amd64 arm arm64 ~mips x86"
-   S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE=""
-
-DEPEND=">=sys-libs/libsepol-${PV}:="
-RDEPEND="${DEPEND}"
-
-src_prepare() {
-   default
-
-   sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror"
-}
-
-src_compile() {
-   emake CC="$(tc-getCC)"
-}
-
-src_install() {
-   emake DESTDIR="${D}" install
-}



[gentoo-commits] repo/gentoo:master commit in: sys-apps/mcstrans/

2023-04-15 Thread Kenton Groombridge
commit: 581382821062a54416eecfe132a0bbc1389c1c41
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Apr 15 15:06:10 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Apr 15 15:06:10 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58138282

sys-apps/mcstrans: drop 3.4

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/mcstrans/Manifest|  1 -
 sys-apps/mcstrans/mcstrans-3.4.ebuild | 52 ---
 2 files changed, 53 deletions(-)

diff --git a/sys-apps/mcstrans/Manifest b/sys-apps/mcstrans/Manifest
index 2ae3aab36288..19f5562abbf7 100644
--- a/sys-apps/mcstrans/Manifest
+++ b/sys-apps/mcstrans/Manifest
@@ -1,2 +1 @@
-DIST mcstrans-3.4.tar.gz 45125 BLAKE2B 
59a403e7d4018bee2632360d5720e65f26b0581ed58a42e8caee2d352d104658e27ece850ca6c50ea513766a973c6ae98fd4115d478555dd5c130956188c0668
 SHA512 
bd612f1ae886c7a0300bb4aa1d52f139677787cc026475eada98e11a46910fa4a8baba9026530af6fa649a4f07978039f584e55567b8789ff06fb182518c
 DIST mcstrans-3.5.tar.gz 45091 BLAKE2B 
c6604075a6b37d7bf10e2daee40d9f034a26c5d56b81973cbc3b39621bdf5e2cb1d5906e91942e09ff077a14facafcc2464995675d8df31930707033fac5db90
 SHA512 
f4d3b04750e197c6abd31f1642af4b53a4fe0e968952a7ade992909f903d7486c1e72733963453563fcbc9745273c8238f169f520550df1470e7f6e4d6e56665

diff --git a/sys-apps/mcstrans/mcstrans-3.4.ebuild 
b/sys-apps/mcstrans/mcstrans-3.4.ebuild
deleted file mode 100644
index ef7ae56a6978..
--- a/sys-apps/mcstrans/mcstrans-3.4.ebuild
+++ /dev/null
@@ -1,52 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit toolchain-funcs
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-
-DESCRIPTION="SELinux context translation to human readable names"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki";
-
-if [[ ${PV} == * ]] ; then
-   inherit git-r3
-   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git";
-   S="${WORKDIR}/${P}/${PN}"
-else
-   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="amd64 arm arm64 ~mips x86"
-   S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE=""
-
-DEPEND=">=sys-libs/libsepol-${PV}:=
-   >=sys-libs/libselinux-${PV}:=
-   dev-libs/libpcre2:=
-   >=sys-libs/libcap-1.10-r10:="
-
-RDEPEND="${DEPEND}"
-
-src_prepare() {
-   default
-
-   sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror"
-}
-
-src_compile() {
-   tc-export CC
-   default
-}
-
-src_install() {
-   emake DESTDIR="${D}" install
-
-   rm -rf "${D}/etc/rc.d" || die
-
-   newinitd "${FILESDIR}/mcstransd.init" mcstransd
-}



[gentoo-commits] repo/gentoo:master commit in: sys-apps/selinux-python/

2023-04-15 Thread Kenton Groombridge
commit: e954fc3a29e00579c132eb9831de38fd095b6d33
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Apr 15 15:06:03 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Apr 15 15:06:03 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e954fc3a

sys-apps/selinux-python: drop 3.4

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/selinux-python/Manifest  |   1 -
 sys-apps/selinux-python/selinux-python-3.4.ebuild | 114 --
 2 files changed, 115 deletions(-)

diff --git a/sys-apps/selinux-python/Manifest b/sys-apps/selinux-python/Manifest
index d30b9ce02a65..79672fd06f4c 100644
--- a/sys-apps/selinux-python/Manifest
+++ b/sys-apps/selinux-python/Manifest
@@ -1,2 +1 @@
-DIST selinux-python-3.4.tar.gz 3596450 BLAKE2B 
b98f6ba63814a4281c5ea624b2b0f68c6ae92e4447dd6078a0d70bce34534b0a457f0a9533e1db1fbf665b8a0b379adf78fd8ba8f3ae19973b74a3332157842b
 SHA512 
d601ce2628c4876dc4f2dfccd6db8ff45f68c5eb1b14cec3328644b71959107546469b27dfd90488fc669019b341d0cba708a1797f427ac7f86a0f05e86c0948
 DIST selinux-python-3.5.tar.gz 3604439 BLAKE2B 
5a7fcd303c337cb0f5ae0066d13c945bb5cacaba472c7b17f0496295294998fcc6d81c153720ef704b749a01590c28b48b4f471a48fc386b8f02564c3550250b
 SHA512 
2ac176a9f078f2b2721e5871ba21e92041eed54fc692fd8d809ff14327beee6de63b3084d0f1053a640b9e40bcc6461498915bb9b038a658cd772f77d80fd217

diff --git a/sys-apps/selinux-python/selinux-python-3.4.ebuild 
b/sys-apps/selinux-python/selinux-python-3.4.ebuild
deleted file mode 100644
index 6a2211786b3f..
--- a/sys-apps/selinux-python/selinux-python-3.4.ebuild
+++ /dev/null
@@ -1,114 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-PYTHON_COMPAT=( python3_{9..11} )
-PYTHON_REQ_USE="xml(+)"
-
-inherit python-r1 toolchain-funcs
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-
-DESCRIPTION="SELinux core utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki";
-
-if [[ ${PV} ==  ]] ; then
-   inherit git-r3
-   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git";
-   S="${WORKDIR}/${P}/${PN#selinux-}"
-else
-   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="amd64 arm arm64 ~mips x86"
-   S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
-RDEPEND=">=sys-libs/libselinux-${PV}:=[python]
-   >=sys-libs/libsemanage-${PV}:=[python(+)]
-   >=sys-libs/libsepol-${PV}:=
-   >=app-admin/setools-4.2.0[${PYTHON_USEDEP}]
-   >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}]
-   ${PYTHON_DEPS}"
-DEPEND="${RDEPEND}"
-BDEPEND="
-   test? (
-   ${RDEPEND}
-   >=sys-apps/secilc-${PV}
-   )"
-
-src_prepare() {
-   default
-   sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror"
-
-   python_copy_sources
-}
-
-src_compile() {
-   building() {
-   emake -C "${BUILD_DIR}" \
-   CC="$(tc-getCC)" \
-   LIBDIR="\$(PREFIX)/$(get_libdir)"
-   }
-   python_foreach_impl building
-}
-
-src_test() {
-   testing() {
-   # The different subprojects have some interproject dependencies:
-   # - audit2allow depens on sepolgen
-   # - chcat depends on semanage
-   # and maybe others.
-   # Add all the modules of the individual subprojects to the
-   # PYTHONPATH, so they get actually found and used. In
-   # particular, already installed versions on the system are not
-   # used.
-   for dir in audit2allow chcat semanage sepolgen/src sepolicy ; do
-   PYTHONPATH="${BUILD_DIR}/${dir}:${PYTHONPATH}"
-   done
-   PYTHONPATH=${PYTHONPATH} \
-   emake -C "${BUILD_DIR}" \
-   test
-   }
-   python_foreach_impl testing
-}
-
-src_install() {
-   installation() {
-   emake -C "${BUILD_DIR}" \
-   DESTDIR="${D}" \
-   LIBDIR="\$(PREFIX)/$(get_libdir)" \
-   install
-   python_optimize
-   }
-   python_foreach_impl installation
-
-   # Set version-specific scripts
-   for pyscript in audit2allow sepolgen-ifgen sepolicy chcat; do
-   python_replicate_script "${ED}/usr/bin/${pyscript}"
-   done
-   for pyscript in semanage; do
-

[gentoo-commits] repo/gentoo:master commit in: sys-apps/policycoreutils/

2023-04-15 Thread Kenton Groombridge
commit: eda5e6eb8d154d9664326ad8faaa5e8577099414
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Apr 15 15:06:00 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Apr 15 15:06:00 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eda5e6eb

sys-apps/policycoreutils: drop 3.4

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/policycoreutils/Manifest  |   1 -
 .../policycoreutils/policycoreutils-3.4.ebuild | 168 -
 2 files changed, 169 deletions(-)

diff --git a/sys-apps/policycoreutils/Manifest 
b/sys-apps/policycoreutils/Manifest
index ea1da874b127..cfc08315c275 100644
--- a/sys-apps/policycoreutils/Manifest
+++ b/sys-apps/policycoreutils/Manifest
@@ -1,3 +1,2 @@
-DIST policycoreutils-3.4.tar.gz 771435 BLAKE2B 
53654ad8f17c8e539c7821ddcc4f40dde1aa214943b5f2876efbfd8e10c90747d21c1530df3d53e51677159026a70691db6282f3bedc79739673380e053f74a2
 SHA512 
ded0d6fb5e3f165a893ee42411ac82616ddf37a02acaca6a8437b8f10ea12e5594bbd7bc7e3ead12df00c018078950f3fbe55604c41b0554257c4ca18f55ebb6
 DIST policycoreutils-3.5.tar.gz 775639 BLAKE2B 
777b8564484e89385db7a184c4cad9a99aabf1fd1ac41abd5826c7e6ad29118ae9d6f0d0fd968b6ced87f2f04bc6d7cd207b67428151522915367f656fb8d3f8
 SHA512 
7978ef6b7a278c6384c9b397734d03c4932c8aefecceaa1e6a1345be27b253dbe276fdcd219ce83ad732c6ed55d53bbc3254e39bccadd67d2cd1152a14749444
 DIST policycoreutils-extra-1.37.tar.bz2 8809 BLAKE2B 
a7f6122c2e27f54b018174e962bd7f4c14af04e09bbb5300bde6967ea7f2dc5cd03b5787919a4e7f5288bcbc6747922962b5bd3b588ab1e3a035fbff4910d8f5
 SHA512 
0a85cd7cf279256b5e1927f9dfdd89626a1c8b77b0aeb62b496e7e8d1dccbaa315e39f9308fb2df7270f0bc1c10787b19990e7365cad74b47b61e30394c8b23f

diff --git a/sys-apps/policycoreutils/policycoreutils-3.4.ebuild 
b/sys-apps/policycoreutils/policycoreutils-3.4.ebuild
deleted file mode 100644
index 5d45077b38c6..
--- a/sys-apps/policycoreutils/policycoreutils-3.4.ebuild
+++ /dev/null
@@ -1,168 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-PYTHON_COMPAT=( python3_{9..11} )
-PYTHON_REQ_USE="xml(+)"
-
-inherit multilib python-r1 toolchain-funcs bash-completion-r1
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-EXTRAS_VER="1.37"
-
-DESCRIPTION="SELinux core utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki";
-
-if [[ ${PV} ==  ]]; then
-   inherit git-r3
-   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git";
-   
SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2";
-   S1="${WORKDIR}/${P}/${PN}"
-   S2="${WORKDIR}/policycoreutils-extra"
-   S="${S1}"
-else
-   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
-   
https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2";
-   KEYWORDS="amd64 arm arm64 ~mips x86"
-   S1="${WORKDIR}/${MY_P}"
-   S2="${WORKDIR}/policycoreutils-extra"
-   S="${S1}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="audit pam split-usr"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
-DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}]
-   >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}]
-   >=sys-libs/libsepol-${PV}:=
-   sys-libs/libcap-ng:=
-   >=app-admin/setools-4.2.0[${PYTHON_USEDEP}]
-   audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )
-   pam? ( sys-libs/pam:= )
-   ${PYTHON_DEPS}"
-
-# Avoid dependency loop in the cross-compile case, bug #755173
-# (Still exists in native)
-BDEPEND="sys-devel/gettext"
-
-# pax-utils for scanelf used by rlpkg
-RDEPEND="${DEPEND}
-   app-misc/pax-utils"
-
-PDEPEND="sys-apps/semodule-utils
-   sys-apps/selinux-python"
-
-src_unpack() {
-   # Override default one because we need the SRC_URI ones even in case of 
 ebuilds
-   default
-   if [[ ${PV} ==  ]] ; then
-   git-r3_src_unpack
-   fi
-}
-
-src_prepare() {
-   S="${S1}"
-   cd "${S}" || die "Failed to switch to ${S}"
-   if [[ ${PV} !=  ]] ; then
-   # If needed for live ebuilds please use /etc/portage/patches
-   eapply 
"${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch"
-   fi
-
-   # rlpkg is more useful than fixfiles
-   sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
-   || die "fixfiles sed 1 failed"
-   sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
-   || die "fixfiles sed

[gentoo-commits] repo/gentoo:master commit in: sys-apps/restorecond/

2023-04-15 Thread Kenton Groombridge
commit: 2fb5cf3dc6930afadfba100814bc71988b6485d9
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Apr 15 15:06:13 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Apr 15 15:06:13 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fb5cf3d

sys-apps/restorecond: drop 3.4

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/restorecond/Manifest   |  1 -
 sys-apps/restorecond/restorecond-3.4.ebuild | 54 -
 2 files changed, 55 deletions(-)

diff --git a/sys-apps/restorecond/Manifest b/sys-apps/restorecond/Manifest
index ebf77dcd81c9..49a27c18e262 100644
--- a/sys-apps/restorecond/Manifest
+++ b/sys-apps/restorecond/Manifest
@@ -1,2 +1 @@
-DIST restorecond-3.4.tar.gz 18965 BLAKE2B 
a77de19d9f00d6e8f384a7ac411257b059ba3ecfefba893eda0e56362eca705347af364d51037f8b3308bac1c5248bb9326c692175c6c1dc561b18c84bff
 SHA512 
9c680345af1592a74177ba2e7cefa1b0e8e3c73d34ef932948598adb38c648dcae8495c951b1badfc587b2d67843b83598c904d924db349b6118560f115c
 DIST restorecond-3.5.tar.gz 19070 BLAKE2B 
6db7d0fc9085a07669d346e025836a94acca610572e986e2c90974b0bd21b55e66b57a2dafd7d42011bed5f06363b654f5431ac43530fccf7b68d3edd9d63850
 SHA512 
80cb84e62c7072a12fe57ebaafc0bcb441c853862c67f9ea35b86faa2d8e49ea22a70b9e05a3ff24e8ce08ca2999604d7961efd534f89167cd6fcb05c852de40

diff --git a/sys-apps/restorecond/restorecond-3.4.ebuild 
b/sys-apps/restorecond/restorecond-3.4.ebuild
deleted file mode 100644
index 4512c4411d18..
--- a/sys-apps/restorecond/restorecond-3.4.ebuild
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit systemd toolchain-funcs
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-
-if [[ ${PV} == * ]] ; then
-   inherit git-r3
-   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git";
-   S="${WORKDIR}/${P}/${PN}"
-else
-   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="amd64 arm arm64 ~mips x86"
-   S="${WORKDIR}/${MY_P}"
-fi
-
-DESCRIPTION="Daemon to watch for creation and set default SELinux fcontexts"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki";
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE=""
-
-DEPEND="dev-libs/glib:2
-   >=sys-libs/libsepol-${PV}:=
-   >=sys-libs/libselinux-${PV}:="
-
-RDEPEND="${DEPEND}"
-
-src_prepare() {
-   default
-
-   sed -i 's/-Werror//g' "${S}"/Makefile || die "Failed to remove Werror"
-}
-
-src_compile() {
-   tc-export CC
-   default
-}
-
-src_install() {
-   emake DESTDIR="${D}" \
-   SYSTEMDSYSTEMUNITDIR="$(systemd_get_systemunitdir)" \
-   SYSTEMDUSERUNITDIR=$(systemd_get_userunitdir) \
-   install
-
-   rm -rf "${D}/etc/rc.d" || die
-
-   newinitd "${FILESDIR}/restorecond.init" restorecond
-}



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-20 Thread Kenton Groombridge
commit: 3b0568041bb3c496b5d776b1961763a32d184379
Author: Yi Zhao  windriver  com>
AuthorDate: Sat Oct  7 02:33:31 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:28:39 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3b056804

systemd: use init_daemon_domain instead of init_system_domain for 
systemd-networkd and systemd-resolved

Systemd-networkd and systemd-resolved are daemons.

Fixes:
avc:  denied  { write } for  pid=277 comm="systemd-resolve"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1

avc:  denied  { write } for  pid=324 comm="systemd-network"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/systemd.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b14511c24..bf3a0e14e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -199,7 +199,7 @@ init_daemon_domain(systemd_modules_load_t, 
systemd_modules_load_exec_t)
 
 type systemd_networkd_t;
 type systemd_networkd_exec_t;
-init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+init_daemon_domain(systemd_networkd_t, systemd_networkd_exec_t)
 
 type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
 files_runtime_file(systemd_networkd_runtime_t)
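Review bot: The switch from `init_system_domain` to `init_daemon_domain` on the systemd_networkd_t line is justified only by the single notify-socket write denial quoted in the description, yet daemon treatment appears to change the domain's attribute set more broadly than that one sock_file write. If the goal is just sd_notify, a narrower grant on systemd_runtime_notify_t would keep these services as system processes; if daemon treatment is wanted for its own sake, say so in a comment, e.g. `# networkd and resolved are long-lived daemons; init_daemon_domain also covers the notify socket`. The same change is made for systemd_resolved_t in the second hunk.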
@@ -235,7 +235,7 @@ files_type(systemd_pstore_var_lib_t)
 
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
-init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
+init_daemon_domain(systemd_resolved_t, systemd_resolved_exec_t)
 
 type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
 files_runtime_file(systemd_resolved_runtime_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/

2023-10-20 Thread Kenton Groombridge
commit: d26d077b9a6a665bf5c89ab460ef0a89a7cf7f24
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Oct 20 21:29:27 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:29:27 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d26d077b

Merge upstream

Signed-off-by: Kenton Groombridge  gentoo.org>

 gentoo/STATE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gentoo/STATE b/gentoo/STATE
index 1f7d780e5..1265cd5d3 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-d542d53698339cd3b3bb80e6e36fb4add4016e9d
+f3865abfc25a395c877a27074bd03c5fc22992dd



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/support/

2023-10-20 Thread Kenton Groombridge
commit: b6e3f0c899ce4061496cdf71bd4d83374aea339d
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Oct  9 13:32:38 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:28:39 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6e3f0c8

patches for nspawn policy (#721)

* patches to nspawn policy.

Allow it netlink operations and creating udp sockets

Allow remounting and reading sysfs

Allow stat cgroup filesystem

Make it create fifos and sock_files in the right context

Allow mounting the selinux fs

Signed-off-by: Russell Coker  coker.com.au>

* Use the new mounton_dir_perms and mounton_file_perms macros

Signed-off-by: Russell Coker  coker.com.au>

* Corrected macro name

Signed-off-by: Russell Coker  coker.com.au>

* Fixed description of files_mounton_kernel_symbol_table

Signed-off-by: Russell Coker  coker.com.au>

* systemd: Move lines in nspawn.

No rule changes.

Signed-off-by: Chris PeBenito  ieee.org>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Chris PeBenito  ieee.org>
Co-authored-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/devices.if | 18 ++
 policy/modules/kernel/files.if   | 27 +++
 policy/modules/kernel/kernel.if  |  8 
 policy/modules/kernel/selinux.if | 18 ++
 policy/modules/system/systemd.te | 17 +
 policy/support/obj_perm_sets.spt |  2 ++
 6 files changed, 82 insertions(+), 8 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index be2429a91..a2d55dedb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4386,6 +4386,24 @@ interface(`dev_remount_sysfs',`
allow $1 sysfs_t:filesystem remount;
 ')
 
+
+## 
+## unmount a sysfs filesystem
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_unmount_sysfs',`
+   gen_require(`
+   type sysfs_t;
+   ')
+
+   allow $1 sysfs_t:filesystem unmount;
+')
+
 
 ## 
 ## Do not audit getting the attributes of sysfs filesystem
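Review bot: The summary for the new `dev_unmount_sysfs` is lowercase and unpunctuated (`unmount a sysfs filesystem`) while the surrounding sysfs interfaces in this file use sentence case; `## Unmount a sysfs filesystem.` matches them. The rule body itself mirrors `dev_remount_sysfs` directly above it, which is the right shape.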

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 591aa64d6..370ac0931 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -542,8 +542,8 @@ interface(`files_mounton_non_security',`
attribute non_security_file_type;
')
 
-   allow $1 non_security_file_type:dir { getattr search mounton };
-   allow $1 non_security_file_type:file { getattr mounton };
+   allow $1 non_security_file_type:dir { search mounton_dir_perms };
+   allow $1 non_security_file_type:file mounton_file_perms;
 ')
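Review bot: `files_mounton_non_security` now spells its directory rule `{ search mounton_dir_perms }` while `files_mounton_all_mountpoints` in the next hunk keeps `{ search_dir_perms mounton }`, so two interfaces granting the same mounton access read differently. mounton_dir_perms is defined in obj_perm_sets.spt outside this view; if it already carries getattr, `allow $1 mountpoint:dir { search mounton_dir_perms };` would align the second with the first, otherwise both should keep search_dir_perms. The kernel.if hunks make the same macro swap and should follow whichever spelling is chosen.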
 
 
@@ -1785,7 +1785,7 @@ interface(`files_mounton_all_mountpoints',`
')
 
allow $1 mountpoint:dir { search_dir_perms mounton };
-   allow $1 mountpoint:file { getattr mounton };
+   allow $1 mountpoint:file mounton_file_perms;
 
kernel_mounton_unlabeled_dirs($1)
 ')
@@ -5750,6 +5750,25 @@ interface(`files_delete_kernel_symbol_table',`
delete_files_pattern($1, boot_t, system_map_t)
 ')
 
+
+## 
+## Mount on a system.map in the /boot directory (for bind mounts).
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_mounton_kernel_symbol_table',`
+   gen_require(`
+   type boot_t, system_map_t;
+   ')
+
+   allow $1 boot_t:dir search_dir_perms;
+   allow $1 system_map_t:file mounton_file_perms;
+')
+
 
 ## 
 ## Search the contents of /var.
@@ -7630,7 +7649,7 @@ interface(`files_polyinstantiate_all',`
 
# Need to give access to parent directories where original
# is remounted for polyinstantiation aware programs (like gdm)
-   allow $1 polyparent:dir { getattr mounton };
+   allow $1 polyparent:dir mounton_dir_perms;
 
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 6abcc1be6..022affde3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -1440,7 +1440,7 @@ interface(`kernel_mounton_message_if',`
')
 
allow $1 proc_t:dir list_dir_perms;
-   allow $1 proc_kmsg_t:file { getattr mounton };
+   allow $1 proc_kmsg_t:file mounton_file_perms;
 ')
 
 
@@ -1792,7 +1792,7 @@ interface(`kernel_mounton_sysctl_dirs',`
')
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-20 Thread Kenton Groombridge
commit: 4bb6b12fe1a936a0db91fc133ca30dfd8e5be32a
Author: Dave Sugar  gmail  com>
AuthorDate: Wed Oct  4 23:28:38 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:28:39 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4bb6b12f

Use interfaces that already exist.

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/systemd.if | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 68fb1a148..6054b5038 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -29,7 +29,6 @@ template(`systemd_role_template',`
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
type systemd_user_unit_t;
type systemd_user_runtime_unit_t, systemd_user_transient_unit_t;
-   type systemd_machined_t;
')
 
#
@@ -151,10 +150,9 @@ template(`systemd_role_template',`
allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
 
# for "machinectl shell"
-   allow $1_systemd_t systemd_machined_t:fd use;
-   allow $3 systemd_machined_t:fd use;
-   allow $3 systemd_machined_t:dbus send_msg;
-   allow systemd_machined_t $3:dbus send_msg;
+   systemd_use_inherited_machined_ptys($1_systemd_t)
+   systemd_use_inherited_machined_ptys($3)
+   systemd_dbus_chat_machined($3)
 
allow $3 systemd_user_runtime_notify_t:sock_file { 
manage_sock_file_perms relabel_sock_file_perms };
 
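Review bot: `systemd_use_inherited_machined_ptys($1_systemd_t)` replaces a rule that granted only `systemd_machined_t:fd use`; the interface name suggests it also grants access to machined's inherited ptys, which would be wider than the line it replaces (its body is outside this view, so this is inferred). If the extra access is what `machinectl shell` needs, extend the comment, e.g. `# for "machinectl shell": use machined fds and the pty it hands over`; if not, a plain fd-use interface would preserve the old scope. The systemd_role_template body continues outside the hunk.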



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-20 Thread Kenton Groombridge
commit: 4751bfa9ef38a4d38494cadea1fa83a69881d5fa
Author: Russell Coker  coker  com  au>
AuthorDate: Sat Oct  7 02:56:52 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:28:39 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4751bfa9

Changes to eg25manager and modemmanager needed for firmware upload on 
pinephonepro

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/eg25manager.te  | 11 ++-
 policy/modules/services/modemmanager.te | 18 --
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/eg25manager.te 
b/policy/modules/services/eg25manager.te
index 92fd3e4f8..f305a9a01 100644
--- a/policy/modules/services/eg25manager.te
+++ b/policy/modules/services/eg25manager.te
@@ -57,8 +57,10 @@ files_read_usr_files(eg25manager_t)
 logging_send_syslog_msg(eg25manager_t)
 
 miscfiles_read_generic_certs(eg25manager_t)
+miscfiles_read_localization(eg25manager_t)
 
-modemmanager_dbus_chat(eg25manager_t)
+# will not upload to pinephone modem without this
+selinux_get_fs_mount(eg25manager_t)
 
 sysnet_read_config(eg25manager_t)
 
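Review bot: `# will not upload to pinephone modem without this` records the symptom rather than the reason eg25manager_t needs `selinux_get_fs_mount`, so the next reader cannot tell whether the grant is a library side effect or a real dependency. Presumably libselinux probes the selinuxfs mount during initialisation and the upload path aborts when that fails — confirm and state it, e.g. `# libselinux checks the selinuxfs mount at init; firmware upload to the pinephone modem fails without it`.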
@@ -66,3 +68,10 @@ systemd_dbus_chat_logind(eg25manager_t)
 systemd_read_resolved_runtime(eg25manager_t)
 systemd_use_logind_fds(eg25manager_t)
 systemd_write_inherited_logind_inhibit_pipes(eg25manager_t)
+
+term_use_unallocated_ttys(eg25manager_t)
+
+optional_policy(`
+   modemmanager_dbus_chat(eg25manager_t)
+')
+
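Review bot: The hunk appends an empty line after the closing `')` of the new optional_policy block, so eg25manager.te now ends with a trailing blank line; drop the final added line. Wrapping `modemmanager_dbus_chat` in optional_policy is consistent with modemmanager being a separately loadable module.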

diff --git a/policy/modules/services/modemmanager.te 
b/policy/modules/services/modemmanager.te
index 5801baedd..b94117bff 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -15,16 +15,30 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
 #
 
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal setpgid };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:unix_stream_socket { connectto 
create_stream_socket_perms };
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow modemmanager_t self:netlink_route_socket { create getattr getopt 
nlmsg_write read write };
+allow modemmanager_t self:qipcrtr_socket { create getattr getopt read write };
+
+# ModemManager  calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC)
+allow modemmanager_t self:process execmem;
 
 kernel_read_system_state(modemmanager_t)
+kernel_request_load_module(modemmanager_t)
+
+# for qmi/pass_through
+dev_create_sysfs_files(modemmanager_t)
 
+dev_getattr_sysfs(modemmanager_t)
 dev_read_sysfs(modemmanager_t)
+dev_write_sysfs(modemmanager_t)
 dev_rw_modem(modemmanager_t)
 
+# for /usr/libexec/qmi-proxy
+corecmd_exec_bin(modemmanager_t)
+
 files_read_etc_files(modemmanager_t)
 
 term_use_generic_ptys(modemmanager_t)
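Review bot: `allow modemmanager_t self:process execmem;` is granted unconditionally, which permanently exempts the domain from W^X, and the comment names the mmap call but not which component issues it, so a reader cannot judge whether the grant could sit behind a tunable or be confined to a helper domain. Expand the comment to name the library or plugin responsible and fix the double space in `# ModemManager  calls mmap(...)`. `kernel_request_load_module` and `dev_write_sysfs` likewise arrive without a note saying which operation needs them; the `# for qmi/pass_through` line covers only the sysfs create grant above it.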



[gentoo-commits] proj/hardened-refpolicy:master commit in: doc/

2023-10-20 Thread Kenton Groombridge
commit: 8c8f4a31a3896a10963b987691b7c7b87ce18842
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Oct 20 21:29:46 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:30:05 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c8f4a31

Update generated policy and doc files

Signed-off-by: Kenton Groombridge  gentoo.org>

 doc/policy.xml | 670 ++---
 1 file changed, 350 insertions(+), 320 deletions(-)

diff --git a/doc/policy.xml b/doc/policy.xml
index e96f1ea28..8ae22432d 100644
--- a/doc/policy.xml
+++ b/doc/policy.xml
@@ -58392,7 +58392,17 @@ Domain allow access.
 
 
 
-
+
+
+unmount a sysfs filesystem
+
+
+
+Domain allowed access.
+
+
+
+
 
 Do not audit getting the attributes of sysfs filesystem
 
@@ -58402,7 +58412,7 @@ Domain to dontaudit access from
 
 
 
-
+
 
 Dont audit attempts to read hardware state information
 
@@ -58412,7 +58422,7 @@ Domain for which the attempts do not need to be audited
 
 
 
-
+
 
 Mount on sysfs directories.
 
@@ -58422,7 +58432,7 @@ Domain allowed access.
 
 
 
-
+
 
 Search the sysfs directories.
 
@@ -58432,7 +58442,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to search sysfs.
 
@@ -58442,7 +58452,7 @@ Domain to not audit.
 
 
 
-
+
 
 List the contents of the sysfs directories.
 
@@ -58452,7 +58462,7 @@ Domain allowed access.
 
 
 
-
+
 
 Write in a sysfs directories.
 
@@ -58462,7 +58472,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to write in a sysfs directory.
 
@@ -58472,7 +58482,7 @@ Domain to not audit.
 
 
 
-
+
 
 Do not audit attempts to write to a sysfs file.
 
@@ -58482,7 +58492,7 @@ Domain to not audit.
 
 
 
-
+
 
 Create, read, write, and delete sysfs
 directories.
@@ -58493,7 +58503,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read hardware state information.
 
@@ -58512,7 +58522,7 @@ Domain allowed access.
 
 
 
-
+
 
 Write to hardware state information.
 
@@ -58529,7 +58539,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to modify hardware state information.
 
@@ -58539,7 +58549,7 @@ Domain allowed access.
 
 
 
-
+
 
 Add a sysfs file
 
@@ -58549,7 +58559,7 @@ Domain allowed access.
 
 
 
-
+
 
 Relabel hardware state directories.
 
@@ -58559,7 +58569,7 @@ Domain allowed access.
 
 
 
-
+
 
 Relabel from/to all sysfs types.
 
@@ -58569,7 +58579,7 @@ Domain allowed access.
 
 
 
-
+
 
 Set the attributes of sysfs files, directories and symlinks.
 
@@ -58579,7 +58589,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read and write the TPM device.
 
@@ -58589,7 +58599,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read from pseudo random number generator devices (e.g., /dev/urandom).
 
@@ -58622,7 +58632,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to read from pseudo
 random devices (e.g., /dev/urandom)
@@ -58633,7 +58643,7 @@ Domain to not audit.
 
 
 
-
+
 
 Write to the pseudo random device (e.g., /dev/urandom). This
 sets the random number generator seed.
@@ -58644,7 +58654,7 @@ Domain allowed access.
 
 
 
-
+
 
 Create the urandom device (/dev/urandom).
 
@@ -58654,7 +58664,7 @@ Domain allowed access.
 
 
 
-
+
 
 Set attributes on the urandom device (/dev/urandom).
 
@@ -58664,7 +58674,7 @@ Domain allowed access.
 
 
 
-
+
 
 Getattr generic the USB devices.
 
@@ -58674,7 +58684,7 @@ Domain allowed access.
 
 
 
-
+
 
 Setattr generic the USB devices.
 
@@ -58684,7 +58694,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read generic the USB devices.
 
@@ -58694,7 +58704,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read and write generic the USB devices.
 
@@ -58704,7 +58714,7 @@ Domain allowed access.
 
 
 
-
+
 
 Relabel generic the USB devices.
 
@@ -58714,7 +58724,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read USB monitor devices.
 
@@ -58724,7 +58734,7 @@ Domain allowed access.
 
 
 
-
+
 
 Write USB monitor devices.
 
@@ -58734,7 +58744,7 @@ Domain allowed access.
 
 
 
-
+
 
 Mount a usbfs filesystem.
 
@@ -58744,7 +58754,7 @@ Domain allowed access.
 
 
 
-
+
 
 Associate a file to a usbfs filesystem.
 
@@ -58754,7 +58764,7 @@ The type of the file to be associated to usbfs.
 
 
 
-
+
 
 Get the attributes of a directory in the usb filesystem.
 
@@ -58764,7 +58774,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to get the attributes
 of a directory in the usb filesystem.
@@ -58775,7 +58785,7 @@ Domain to not audit.
 
 
 
-
+
 
 Search the directory containing USB hardware information.
 
@@ -58785,7 +58795,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to get a list of usb hardware.
 
@@ -58795,7 +58805,7 @@ Domain allowed access.
 
 
 
-
+
 
 Set the attributes of usbfs filesystem.
 
@@ -58805,7 +58815,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read USB hardware information using
 the usbfs filesystem interface.
@@ -58816,7 +58826,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to modify usb hardware configuration files.
 
@@ -58826,7 +58836,7 

[gentoo-commits] proj/hardened-refpolicy: New tag: 2.20231002-r2

2023-10-20 Thread Kenton Groombridge
commit: 
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 22:06:05 2023 +

New tag: 2.20231002-r2




[gentoo-commits] repo/gentoo:master commit in: app-admin/setools/

2023-09-24 Thread Kenton Groombridge
commit: c87b4b764db4fcd59ce9aa092e1c1e88d7ced6dd
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sun Sep 24 16:15:09 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sun Sep 24 16:15:17 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c87b4b76

app-admin/setools: stabilize 4.4.2 for amd64, arm, arm64, x86

Closes: https://bugs.gentoo.org/913892
Signed-off-by: Kenton Groombridge  gentoo.org>

 app-admin/setools/setools-4.4.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app-admin/setools/setools-4.4.2.ebuild 
b/app-admin/setools/setools-4.4.2.ebuild
index b56099e25e94..a0fdba4cdd9d 100644
--- a/app-admin/setools/setools-4.4.2.ebuild
+++ b/app-admin/setools/setools-4.4.2.ebuild
@@ -18,7 +18,7 @@ if [[ ${PV} ==  ]] ; then
S="${WORKDIR}/${P}"
 else

SRC_URI="https://github.com/SELinuxProject/setools/releases/download/${PV}/${P}.tar.bz2";
-   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+   KEYWORDS="amd64 arm arm64 x86"
S="${WORKDIR}/${PN}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: app-admin/setools/, app-admin/setools/files/

2023-10-01 Thread Kenton Groombridge
commit: 660f8800a5e53b81328e1800e07df39bc16046a8
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sun Oct  1 15:24:06 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sun Oct  1 15:25:44 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=660f8800

app-admin/setools: drop 4.4.0-r3, 4.4.1, 4.4.1-r1

Signed-off-by: Kenton Groombridge  gentoo.org>

 app-admin/setools/Manifest |  2 -
 ...01-__init__.py-Make-NetworkX-dep-optional.patch | 62 --
 .../setools/files/setools-4.4.0-remove-gui.patch   | 16 --
 app-admin/setools/metadata.xml |  3 --
 app-admin/setools/setools-4.4.0-r3.ebuild  | 55 ---
 app-admin/setools/setools-4.4.1-r1.ebuild  | 60 -
 app-admin/setools/setools-4.4.1.ebuild | 56 ---
 7 files changed, 254 deletions(-)

diff --git a/app-admin/setools/Manifest b/app-admin/setools/Manifest
index 603bd4cea940..ebb92c6431fe 100644
--- a/app-admin/setools/Manifest
+++ b/app-admin/setools/Manifest
@@ -1,3 +1 @@
-DIST setools-4.4.0.tar.bz2 275218 BLAKE2B 
f716a78dd628e0309d3802f2155ef3a045dd8ebee7dec42be9f8b5fc0069b0df4e3d827b0a0cc03f7f02f5a3dff1d7ab7e4eee0d83d6cf4c87af82fe756a9321
 SHA512 
2ec92d7a6e30261549b6a8d2f17175d4a7d8313ef0cd81f4a19a91c53fe0107bac9a89c19dd67a4c534ee51ec520590795b4312f9e03e69fdf1763b0c35291f8
-DIST setools-4.4.1.tar.bz2 262328 BLAKE2B 
328a54b8efd570fad03b27a9e52b7c573e0afb6fe23a245ad248fe8931dd737729aac5d9b6371c163d1939043a777b69cf78091cde8c33e5ef7670110615285e
 SHA512 
af1844f7f7232729eb7e93f6680775818cda93532c62524c5385a4ac7437c51bdb58ebd970a9f61f6e1b018367853d35303d3c5ee1cc087e0e26e893be42d559
 DIST setools-4.4.2.tar.bz2 261962 BLAKE2B 
7c8e47d8c15f1eb72d93da5d3ae1a64e857ed0a75e1a47bbad9e4b0d11180581d9e4705ebe942e460acbc4d68261f06f9b03a8c4af1516cc388c201e30dca75e
 SHA512 
4e8cba61ca28459387d862136a2d8ee0914c4bcd254a6d39792cbfcbbf7e58cb82223c05d66c114b08aebbd75c11cef11517c51f674ddb3c1913dc85414546c1

diff --git 
a/app-admin/setools/files/0001-__init__.py-Make-NetworkX-dep-optional.patch 
b/app-admin/setools/files/0001-__init__.py-Make-NetworkX-dep-optional.patch
deleted file mode 100644
index 3137f1a89f9a..
--- a/app-admin/setools/files/0001-__init__.py-Make-NetworkX-dep-optional.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 32eed2ae8fcd868179a317d48cfd61d828c834df Mon Sep 17 00:00:00 2001
-From: Jason Zaman 
-Date: Sun, 19 Sep 2021 14:12:44 +0200
-Subject: [PATCH] __init__.py: Make NetworkX dep optional
-
-selinux commit ba23ba068364ab11ff51f52bd1e20e3c63798a62
-"python: Import specific modules from setools for less deps"
-Makes userspace tools only need specific parts of setools so that the
-NetworkX dep can be dropped for minimal installations.
-Unfortunately the __init__ still imports the parts which require
-NetworkX. Wrap them in try except to guard for missing NetworkX.
-
-$ semanage export
-Traceback (most recent call last):
-  File "/usr/lib/python-exec/python3.9/semanage", line 29, in 
-import seobject
-  File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in 
-import sepolicy
-  File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 15, in 

-from setools.boolquery import BoolQuery
-  File "/usr/lib/python3.9/site-packages/setools/__init__.py", line 94, in 

-from .infoflow import InfoFlowAnalysis
-  File "/usr/lib/python3.9/site-packages/setools/infoflow.py", line 24, in 

-import networkx as nx
-ModuleNotFoundError: No module named 'networkx'
-
-Bug: https://bugs.gentoo.org/809038
-Signed-off-by: Jason Zaman 

- setools/__init__.py | 13 +++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/setools/__init__.py b/setools/__init__.py
-index d72d343..e583737 100644
 a/setools/__init__.py
-+++ b/setools/__init__.py
-@@ -91,11 +91,20 @@ from .pcideviceconquery import PcideviceconQuery
- from .devicetreeconquery import DevicetreeconQuery
- 
- # Information Flow Analysis
--from .infoflow import InfoFlowAnalysis
-+try:
-+from .infoflow import InfoFlowAnalysis
-+except ImportError:
-+# NetworkX is optional
-+pass
-+
- from .permmap import PermissionMap, RuleWeight, Mapping
- 
- # Domain Transition Analysis
--from .dta import DomainTransitionAnalysis, DomainEntrypoint, DomainTransition
-+try:
-+from .dta import DomainTransitionAnalysis, DomainEntrypoint, 
DomainTransition
-+except ImportError:
-+# NetworkX is optional
-+pass
- 
- # Policy difference
- from .diff import PolicyDifference
--- 
-2.32.0
-

diff --git a/app-admin/setools/files/setools-4.4.0-remove-gui.patch 
b/app-admin/setools/files/setools-4.4.0-remove-gui.patch
deleted file mode 100644
index 01b40adb29db..
--- a/app-admin/setools/files/setools-4.4.0-remove-gui.patch
+++ /dev/null
@@ -1,16 +0,0 @@
 a/setup.py 2021-03-

[gentoo-commits] proj/hardened-refpolicy: New tag: 2.20231002-r1

2023-10-06 Thread Kenton Groombridge
commit: 
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 16:44:06 2023 +

New tag: 2.20231002-r1




[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 345902025b3c03467a48c8b1474cbd3b3bc085cf
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 21 14:22:36 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34590202

policy for the Reliability Availability servicability daemon (#690)

* policy for the Reliability Availability servicability daemon

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if  | 37 
 policy/modules/services/rasdaemon.fc |  3 +++
 policy/modules/services/rasdaemon.if | 10 +
 policy/modules/services/rasdaemon.te | 41 
 4 files changed, 91 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 5cdbc5644..5213df5ba 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -6154,6 +6154,43 @@ interface(`fs_getattr_tracefs_files',`
 allow $1 tracefs_t:file getattr;
 ')
 
+
+## 
+## Read/write trace filesystem files
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+#
+interface(`fs_rw_tracefs_files',`
+   gen_require(`
+   type tracefs_t;
+   ')
+
+   allow $1 tracefs_t:dir list_dir_perms;
+   allow $1 tracefs_t:file rw_file_perms;
+')
+
+
+## 
+## create trace filesystem directories
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+#
+interface(`fs_create_tracefs_dirs',`
+   gen_require(`
+   type tracefs_t;
+   ')
+
+   allow $1 tracefs_t:dir { create rw_dir_perms };
+')
+
 
 ## 
 ## Mount a XENFS filesystem.
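Review bot: `fs_rw_tracefs_files` grants rw_file_perms on every tracefs_t file, which lets the caller reconfigure any kernel tracing facility (event enables, filters, trigger files), not only the EDAC events the rasdaemon commit is about, and the summary `Read/write trace filesystem files` does not convey that reach. A summary such as `Read and write all trace filesystem files; this lets the caller enable, filter and clear any kernel tracing event, not just one subsystem.` would let reviewers of future callers weigh it. The `fs_create_tracefs_dirs` summary is also lowercase (`create trace filesystem directories`) while the surrounding entries use sentence case.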

diff --git a/policy/modules/services/rasdaemon.fc 
b/policy/modules/services/rasdaemon.fc
new file mode 100644
index 0..9a83feb4f
--- /dev/null
+++ b/policy/modules/services/rasdaemon.fc
@@ -0,0 +1,3 @@
+/usr/sbin/rasdaemon--  
gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+/var/lib/rasdaemon(/.*)?   
gen_context(system_u:object_r:rasdaemon_var_t,s0)
+
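Review bot: The new rasdaemon.fc ends with an added empty line after the `/var/lib/rasdaemon(/.*)?` entry, and rasdaemon.te in the same commit does the same after `miscfiles_read_localization`; drop both trailing blank lines so the files end at their last entry.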

diff --git a/policy/modules/services/rasdaemon.if 
b/policy/modules/services/rasdaemon.if
new file mode 100644
index 0..9509b0261
--- /dev/null
+++ b/policy/modules/services/rasdaemon.if
@@ -0,0 +1,10 @@
+## RAS (Reliability, Availability and Serviceability) logging 
tool
+##
+## 
+## rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
+## tool.  It currently records memory errors, using the EDAC tracing events.
+## EDAC are drivers in the Linux kernel that handle detection of ECC errors
+## from memory controllers for most chipsets on x86 and ARM architectures.
+##
+## https://git.infradead.org/users/mchehab/rasdaemon.git
+## 

diff --git a/policy/modules/services/rasdaemon.te 
b/policy/modules/services/rasdaemon.te
new file mode 100644
index 0..9a65d5d74
--- /dev/null
+++ b/policy/modules/services/rasdaemon.te
@@ -0,0 +1,41 @@
+policy_module(rasdaemon)
+
+
+#
+# Declarations
+#
+
+type rasdaemon_t;
+type rasdaemon_exec_t;
+init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
+
+type rasdaemon_var_t;
+files_type(rasdaemon_var_t)
+
+
+#
+# Local policy
+#
+
+allow rasdaemon_t self:process getsched;
+allow rasdaemon_t self:capability sys_rawio;
+
+allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms;
+allow rasdaemon_t rasdaemon_var_t:file manage_file_perms;
+
+kernel_read_debugfs(rasdaemon_t)
+kernel_read_system_state(rasdaemon_t)
+kernel_read_vm_overcommit_sysctl(rasdaemon_t)
+kernel_search_fs_sysctls(rasdaemon_t)
+
+dev_read_sysfs(rasdaemon_t)
+dev_read_urand(rasdaemon_t)
+dev_rw_cpu_microcode(rasdaemon_t)
+
+files_search_var_lib(rasdaemon_t)
+fs_create_tracefs_dirs(rasdaemon_t)
+fs_rw_tracefs_files(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+miscfiles_read_localization(rasdaemon_t)
+
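Review bot: `allow rasdaemon_t self:capability sys_rawio;` and `dev_rw_cpu_microcode(rasdaemon_t)` are the two most powerful grants in the new domain and neither carries a comment saying what rasdaemon does with them; sys_rawio in particular reaches far beyond the tracefs and sysfs reads the rest of the block is about. Add a why-comment on each, e.g. `# sys_rawio: <operation rasdaemon performs — fill in>` and `# microcode device access: <reason — fill in>`, so later reviewers can tell whether a narrower grant would do.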



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2023-10-06 Thread Kenton Groombridge
commit: 9139acd456b4a49f7d8286023ac6abc09725ccb7
Author: Yi Zhao  windriver  com>
AuthorDate: Wed Sep 20 06:43:34 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9139acd4

loadkeys: do not audit attempts to get attributes for all directories

Fixes:
avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/boot"
dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/home"
dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/lost+found"
dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/media"
dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/apps/loadkeys.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
index b9558dccc..56fb45114 100644
--- a/policy/modules/apps/loadkeys.te
+++ b/policy/modules/apps/loadkeys.te
@@ -35,6 +35,7 @@ files_read_usr_files(loadkeys_t)
 files_search_runtime(loadkeys_t)
 files_search_src(loadkeys_t)
 files_search_tmp(loadkeys_t)
+files_dontaudit_getattr_all_dirs(loadkeys_t)
 
 term_dontaudit_use_console(loadkeys_t)
 term_use_unallocated_ttys(loadkeys_t)
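Review bot: `files_dontaudit_getattr_all_dirs(loadkeys_t)` is inserted after `files_search_tmp`, which breaks the alphabetical ordering refpolicy generally keeps within a module's interface calls; it belongs before `files_read_usr_files` at the top of this group, whose start is outside the hunk. The dontaudit itself matches the four getattr denials in the description.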



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: 9a761587cf212b96c093e2ea1d9c3ed66ff7c37d
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 21 14:21:25 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a761587

debian motd.d directory (#689)

* policy for Debian motd.d dir

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/xserver.te | 1 +
 policy/modules/system/authlogin.fc | 1 +
 policy/modules/system/authlogin.if | 1 +
 3 files changed, 3 insertions(+)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 68d9bd34b..58cd85626 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -472,6 +472,7 @@ auth_manage_pam_runtime_dirs(xdm_t)
 auth_manage_pam_runtime_files(xdm_t)
 auth_manage_pam_console_data(xdm_t)
 auth_read_shadow_history(xdm_t)
+auth_use_pam_motd_dynamic(xdm_t)
 auth_write_login_records(xdm_t)
 
 # Run telinit->init to shutdown.

diff --git a/policy/modules/system/authlogin.fc 
b/policy/modules/system/authlogin.fc
index b47da01a5..adb53a05a 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -59,6 +59,7 @@ ifdef(`distro_suse', `
 /run/motd  --  
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/motd\.dynamic --  
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/motd\.dynamic\.new--  
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
+/run/motd\.d(/.*)? 
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/pam_mount(/.*)?   gen_context(system_u:object_r:pam_runtime_t,s0)
 /run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
 /run/sepermit(/.*)?gen_context(system_u:object_r:pam_runtime_t,s0)

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index 4d11800aa..cd5ab2d7f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -129,6 +129,7 @@ interface(`auth_use_pam_motd_dynamic',`
corecmd_exec_shell($1)
 
allow $1 pam_motd_runtime_t:file manage_file_perms;
+   allow $1 pam_motd_runtime_t:dir rw_dir_perms;
files_runtime_filetrans($1, pam_motd_runtime_t, file, 
"motd.dynamic.new")
 ')
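Review bot: `allow $1 pam_motd_runtime_t:dir rw_dir_perms;` lets callers add and remove entries under the new `/run/motd\.d` label, but the interface still carries only the named file transition for `motd.dynamic.new`; a caller that creates `/run/motd.d` itself at boot would get the default runtime directory label rather than pam_motd_runtime_t unless the directory is pre-created by something else (tmpfiles, presumably — not visible here). If callers do create it, add `files_runtime_filetrans($1, pam_motd_runtime_t, dir, "motd.d")` next to the existing file transition. The interface's description block sits above the hunk and should now mention the motd.d directory as well as motd.dynamic; the interface body starts outside the hunk.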
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 98ebbf0f2916e7541905c03eef89330b51c9ff97
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 21 16:01:24 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98ebbf0f

policy patches for anti-spam daemons (#698)

* Patches for anti-spam related policy

* Added a separate tunable for execmem, which can be enabled by people who need it,
i.e. Debian rspam users and some of the less common SpamAssassin
configurations

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/clamav.te   |  5 ++--
 policy/modules/services/dkim.fc |  1 +
 policy/modules/services/dkim.te |  2 +-
 policy/modules/services/milter.fc   |  2 ++
 policy/modules/services/milter.te   | 41 +
 policy/modules/services/spamassassin.te | 16 -
 6 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/clamav.te 
b/policy/modules/services/clamav.te
index c171fd7dc..a9476a561 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -75,7 +75,7 @@ logging_log_file(freshclam_var_log_t)
 
 allow clamd_t self:capability { chown fowner fsetid kill setgid setuid 
dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
-allow clamd_t self:process signal;
+allow clamd_t self:process { signal getsched };
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { accept connectto listen };
 allow clamd_t self:tcp_socket { listen accept };
@@ -174,7 +174,7 @@ optional_policy(`
 # Freshclam local policy
 #
 
-allow freshclam_t self:capability { dac_override setgid setuid };
+allow freshclam_t self:capability { chown dac_override setgid setuid };
 allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket { accept listen };
 allow freshclam_t self:tcp_socket { accept listen };
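Review bot: `chown` is added to freshclam_t's capability set without a comment; CAP_CHOWN lets the domain change ownership of any file it can otherwise reach, so the reason belongs next to the rule, e.g. `# chown: freshclam re-owns downloaded database files — confirm against the denial`. The same hunk style question applies to `getsched` for clamd_t above (L4370), which is harmless but equally undocumented.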
@@ -225,6 +225,7 @@ dev_read_urand(freshclam_t)
 domain_use_interactive_fds(freshclam_t)
 
 files_read_etc_runtime_files(freshclam_t)
+files_read_usr_files(freshclam_t)
 files_search_var_lib(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)

diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
index 08b652630..0b269c0af 100644
--- a/policy/modules/services/dkim.fc
+++ b/policy/modules/services/dkim.fc
@@ -1,4 +1,5 @@
 /etc/opendkim/keys(/.*)?   
gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/dkimkeys(/.*)?
gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 
 /etc/rc\.d/init\.d/((opendkim)|(dkim-milter))  --  
gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
 

diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
index 32468194b..e960818da 100644
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@@ -24,7 +24,7 @@ init_daemon_runtime_file(dkim_milter_data_t, dir, "opendkim")
 #
 
 allow dkim_milter_t self:capability { dac_read_search dac_override setgid 
setuid };
-allow dkim_milter_t self:process { signal signull };
+allow dkim_milter_t self:process { signal signull getsched };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, 
dkim_milter_private_key_t)

diff --git a/policy/modules/services/milter.fc 
b/policy/modules/services/milter.fc
index 42fe5e941..71b168061 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -8,6 +8,7 @@
 /usr/sbin/milter-greylist  --  
gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/sqlgrey  --  
gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/milter-regex --  
gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/postfwd.*--  
gen_context(system_u:object_r:postfwd_milter_exec_t,s0)
 /usr/sbin/spamass-milter   --  
gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
 /var/lib/milter-greylist(/.*)? 
gen_context(system_u:object_r:greylist_milter_data_t,s0)
@@ -16,6 +17,7 @@
 
 /run/milter-greylist(/.*)? 
gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/milter-greylist\.pid  --  
gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/postfwd\.pid  --  
gen_context(system_u:object_r:postfwd_milter_runtime_t,s0)
 /run/spamass(/.*)? 
gen_context(system_u:object_r:spamass_milter_data_t,s0)
 /run/sqlgrey\.pid  --  
gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/spamass-milter(/.*)?  
gen_context(system_u:object_r:spamass_milter_data_t,s0)

diff --git a/policy/modules/services/milte

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 3eefa3b065ed81f56fddfb12a372012ef5e2a336
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Sep 25 15:01:12 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3eefa3b0

small ntp and dns changes (#703)

* Small changes for ntp, bind, avahi, and dnsmasq

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/dpkg.te   |  9 +
 policy/modules/services/avahi.te   |  4 
 policy/modules/services/bind.te|  7 +--
 policy/modules/services/dnsmasq.te |  4 
 policy/modules/services/ntp.fc |  1 +
 policy/modules/services/ntp.if | 19 +++
 6 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index d6871de21..d4a56e5eb 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -350,8 +350,17 @@ optional_policy(`
nis_use_ypbind(dpkg_script_t)
 ')
 
+optional_policy(`
+   ntp_filetrans_drift(dpkg_script_t)
+')
+
+optional_policy(`
+   policykit_dbus_chat(dpkg_script_t)
+')
+
 optional_policy(`
systemd_read_logind_state(dpkg_script_t)
+   systemd_dbus_chat_hostnamed(dpkg_script_t)
systemd_dbus_chat_logind(dpkg_script_t)
systemd_run_sysusers(dpkg_script_t, dpkg_roles)
 ')

diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 773d2b8ff..1094e39db 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -111,3 +111,7 @@ optional_policy(`
seutil_sigchld_newrole(avahi_t)
 ')
 
+optional_policy(`
+   unconfined_dbus_send(avahi_t)
+')
+
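Review bot: `unconfined_dbus_send(avahi_t)` is added without a comment saying which interaction needs it; a one-liner such as `# avahi answers dbus requests from unconfined clients — confirm` would let the next reader judge whether the grant is still needed. The new block also ends the file with an added empty line after `')` (L4518), which the surrounding `optional_policy` blocks do not do; drop it.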

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1b3e674a1..0a08be452 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -213,9 +213,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms getsched setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
@@ -231,6 +231,9 @@ allow ndc_t named_zone_t:dir search_dir_perms;
 
 kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_vm_overcommit_sysctl(ndc_t)
+
+dev_read_sysfs(ndc_t)
 
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)

diff --git a/policy/modules/services/dnsmasq.te 
b/policy/modules/services/dnsmasq.te
index 6d1799ba8..2e492954d 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -108,6 +108,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   # for the dnsmasq-usb0.leases file
+   networkmanager_manage_lib_files(dnsmasq_t)
+
+   networkmanager_read_etc_files(dnsmasq_t)
networkmanager_read_runtime_files(dnsmasq_t)
 ')
 
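Review bot: `networkmanager_manage_lib_files(dnsmasq_t)` grants manage on every file under NetworkManager's lib type while the comment names a single file, `dnsmasq-usb0.leases`; NetworkManager's state directory also holds files dnsmasq has no reason to write (its per-host secret key material, if present on this distribution — confirm), so a compromise of the dnsmasq instance could alter NetworkManager state. A narrower grant would be a dedicated lease type with a named file transition from NetworkManager's lib directory, keeping the rest of the directory read-only for dnsmasq. If the broad grant stays, the comment should say so explicitly: `# manage, not just the leases file: no dedicated lease type yet`.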

diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index 4d014d196..4f19959e7 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -30,6 +30,7 @@
 
 /var/db/ntp-kod--  
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)? 
gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntpsec(/.*)?  
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/clock --  
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/timesync(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)

diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 4953e9f08..9df5d8d07 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -176,6 +176,25 @@ interface(`ntp_read_drift_files',`
read_files_pattern($1, ntp_drift_t, ntp_drift_t)
 ')
 
+
+## 
+## specified domain creates /var/lib/ntpsec/ with the correct type
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`ntp_filetrans_drift',`
+   gen_require(`
+   type ntp_drift_t;
+   ')
+
+   files_search_var_lib($1)
+   files_var_lib_filetrans($1, ntp_drift_t, dir)
+')
+
 
 ## 
 ## Read and write ntpd shared memory.
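Review bot: `files_var_lib_filetrans($1, ntp_drift_t, dir)` has no name argument, so every directory the calling domain creates directly in /var/lib becomes ntp_drift_t, not only `ntpsec`; with dpkg_script_t as the caller (L4493) that mislabels directories created by any package's maintainer script. Pass the name so the transition matches the new fc entry and the interface's own summary: `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")`. The added extra blank line before the doc block (L4591) also differs from the single blank line used between the other interfaces in this file.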



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: e17a5ea822384af3d15da14be3bc593037950d21
Author: Russell Coker  coker  com  au>
AuthorDate: Fri Sep 22 09:09:12 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e17a5ea8

Added tmpfs file type for postgresql; small mysql changes including anon_inode

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/mysql.te  | 4 +++-
 policy/modules/services/postgresql.te | 9 -
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 2e7621471..4d1124bbf 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -67,11 +67,12 @@ files_runtime_file(mysqlmanagerd_runtime_t)
 
 allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid 
setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched setrlimit signal_perms 
rlimitinh };
+allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms 
rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
+allow mysqld_t self:anon_inode { create map read write };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -191,6 +192,7 @@ dev_read_sysfs(mysqld_safe_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
 
+files_dontaudit_write_root_dirs(mysqld_safe_t)
 files_read_etc_files(mysqld_safe_t)
 files_read_usr_files(mysqld_safe_t)
 files_search_runtime(mysqld_safe_t)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 1b2d8ab0d..11b3936b0 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -65,6 +65,9 @@ init_daemon_runtime_file(postgresql_runtime_t, dir, 
"postgresql")
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_tmpfs_t;
+files_tmpfs_file(postgresql_tmpfs_t)
+
 type postgresql_unit_t;
 init_unit_file(postgresql_unit_t)
 
@@ -282,7 +285,10 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, 
postgresql_tmp_t)
 manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file 
sock_file fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file 
fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+allow postgresql_t postgresql_tmpfs_t:file map;
+manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
 
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
@@ -342,6 +348,7 @@ init_read_utmp(postgresql_t)
 logging_send_syslog_msg(postgresql_t)
 logging_send_audit_msgs(postgresql_t)
 
+miscfiles_read_generic_tls_privkey(postgresql_t)
 miscfiles_read_localization(postgresql_t)
 
 seutil_libselinux_linked(postgresql_t)
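Review bot: `miscfiles_read_generic_tls_privkey(postgresql_t)` grants read on every private key labelled with the generic TLS key type, not only the key of the server's own certificate; a file-read bug in postgresql would then expose keys belonging to unrelated services stored in the same location. Prefer a postgresql-specific key type on the path it actually reads, or gate the rule behind a tunable so installations that keep the key elsewhere do not receive it; at minimum add a comment naming the key, e.g. `# server certificate key in the generic TLS key location — confirm path`.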



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: 8f51e189a7c8f8680f84fc11841257c19ab9fa51
Author: Russell Coker  coker  com  au>
AuthorDate: Wed Sep 27 13:20:52 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f51e189

small systemd patches (#708)

* Some small systemd patches

Signed-off-by: Russell Coker  coker.com.au>

* Fixed error where systemd.if had a reference to user_devpts_t

Signed-off-by: Russell Coker  coker.com.au>

* removed the init_var_run_t:service stuff as there's already interfaces and a 
type for it

Signed-off-by: Russell Coker  coker.com.au>

* corecmd_shell_entry_type doesn't seem to be needed

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/locallogin.te |  3 ++-
 policy/modules/system/systemd.if| 12 +++-
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
index f40f15c1c..4dc9981bc 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -131,7 +131,8 @@ auth_domtrans_pam_console(local_login_t)
 auth_read_pam_motd_dynamic(local_login_t)
 auth_read_shadow_history(local_login_t)
 
-init_dontaudit_use_fds(local_login_t)
+# if local_login_t can not inherit fd from init it takes ages to login
+init_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 77a59c662..64455eed5 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -19,11 +19,6 @@
 ## The user domain for the role.
 ## 
 ## 
-## 
-## 
-## The type for the user pty
-## 
-## 
 #
 template(`systemd_role_template',`
gen_require(`
@@ -34,6 +29,7 @@ template(`systemd_role_template',`
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
type systemd_user_unit_t;
type systemd_user_runtime_unit_t, systemd_user_transient_unit_t;
+   type systemd_machined_t;
')
 
#
@@ -153,6 +149,12 @@ template(`systemd_role_template',`
allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
 
+   # for "machinectl shell"
+   allow $1_systemd_t systemd_machined_t:fd use;
+   allow $3 systemd_machined_t:fd use;
+   allow $3 systemd_machined_t:dbus send_msg;
+   allow systemd_machined_t $3:dbus send_msg;
+
allow $3 systemd_user_runtime_notify_t:sock_file { 
manage_sock_file_perms relabel_sock_file_perms };
 
allow $3 systemd_user_unit_t:service { reload start status stop };



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: d7890fb6d1c7bfd1c75d454d457b5fcdc869efe1
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Sep 26 13:43:40 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d7890fb6

postgresql: Move lines

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/postgresql.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 11b3936b0..810fb0ed4 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -286,9 +286,10 @@ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, 
postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
 fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file 
fifo_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+
 allow postgresql_t postgresql_tmpfs_t:file map;
 manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
 
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: fde90b82b10e32324d96deca43928f448d8dd932
Author: Yi Zhao  windriver  com>
AuthorDate: Thu Sep 21 03:31:31 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fde90b82

systemd: allow systemd-networkd to create file in /run/systemd directory

systemd-networkd creates files in /run/systemd directory which should be
labeled appropriately.

Fixes:
avc:  denied  { create } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { write } for  pid=136 comm="systemd-network"
path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { setattr } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { rename } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f74ab30b4..b60d5729d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1168,7 +1168,7 @@ auth_use_nsswitch(systemd_networkd_t)
 init_dgram_send(systemd_networkd_t)
 init_read_state(systemd_networkd_t)
 init_read_runtime_files(systemd_networkd_t)
-init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, dir)
+init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, { dir 
file })
 
 logging_send_syslog_msg(systemd_networkd_t)
 
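Review bot: the file transition is now unnamed, so every file systemd-networkd creates directly in an init runtime directory gets systemd_networkd_runtime_t; that is acceptable because the domain is networkd's own, but the reason a named transition is not possible should be recorded, since the AVCs in the message show temp files named `.#networkd<random>` that are then renamed. Suggested comment above the rule: `# networkd writes .#networkd<random> temp files in /run/systemd and renames them; the name is random so the transition cannot be name-based`.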



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: c476335905f6b809c1f4ba083b071fab067aa1e5
Author: Russell Coker  coker  com  au>
AuthorDate: Tue Sep 26 13:48:31 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4763359

allow jabbers to create sock file and allow matrixd to read sysfs (#705)

* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs

Signed-off-by: Russell Coker  coker.com.au>

* Changed to manage_sock_file_perms to allow unlink

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/jabber.te  | 1 +
 policy/modules/services/matrixd.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/policy/modules/services/jabber.te 
b/policy/modules/services/jabber.te
index 6003cc9fb..6c8e45de5 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -39,6 +39,7 @@ allow jabberd_domain self:tcp_socket { accept listen };
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
 allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
+allow jabberd_domain jabberd_var_lib_t:sock_file manage_sock_file_perms;
 
 kernel_read_system_state(jabberd_domain)
 

diff --git a/policy/modules/services/matrixd.te 
b/policy/modules/services/matrixd.te
index 4ac31d901..c396a3d7c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -83,6 +83,7 @@ corenet_udp_bind_generic_node(matrixd_t)
 corenet_udp_bind_generic_port(matrixd_t)
 corenet_udp_bind_reserved_port(matrixd_t)
 
+dev_read_sysfs(matrixd_t)
 dev_read_urand(matrixd_t)
 
 files_read_etc_files(matrixd_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 1d66af88aa2d390ac5783557e8d04289d16bc612
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Sep 25 15:46:04 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88

small storage changes (#706)

* Changes to storage.fc, smartmon, samba and lvm

Signed-off-by: Russell Coker  coker.com.au>

* Add the interfaces this patch needs

Signed-off-by: Russell Coker  coker.com.au>

* use manage_sock_file_perms for sock_file

Signed-off-by: Russell Coker  coker.com.au>

* Renamed files_watch_all_file_type_dir to files_watch_all_dirs

Signed-off-by: Russell Coker  coker.com.au>

* Use read_files_pattern

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if  | 19 +++
 policy/modules/kernel/storage.fc|  1 +
 policy/modules/services/samba.te| 11 ++-
 policy/modules/services/smartmon.if | 20 
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/lvm.te|  1 +
 policy/modules/system/userdomain.if | 18 ++
 7 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index d8874ace2..a1113ff7c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount;
 ')
 
+
+## 
+## watch all directories of file_type
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_watch_all_dirs',`
+   gen_require(`
+   attribute file_type;
+   ')
+
+   allow $1 file_type:dir watch;
+')
+
+
 
 ## 
 ## Read all non-authentication related
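Review bot: `allow $1 file_type:dir watch;` covers every directory type in the policy, while the samba callers added in this commit (L5088, L5094) sit under tunables whose other grants are limited to `non_auth_file_type` (`files_list_non_auth_dirs`, `files_read_non_auth_files`); an inotify watch on directories of authentication-related types leaks file-activity information those tunables deliberately keep out. Consider a `non_auth_file_type` variant for those callers and reserve the all-dirs interface for domains that already read everything. The summary should state that scope (`## watch all directories of file_type, including those holding authentication data`), and the two added blank lines before the next doc block (L5040–L5041) should be one, as elsewhere in this file.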

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 3033ac4de..9cd280c25 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -29,6 +29,7 @@
 /dev/lvm   -c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx? -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.* -c  
gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid.*-c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mmcblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*  -c  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 8ec3a1c62..f78d316cc 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',`
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
+   files_watch_home(smbd_t)
userdom_manage_user_home_content_dirs(smbd_t)
userdom_manage_user_home_content_files(smbd_t)
userdom_manage_user_home_content_symlinks(smbd_t)
userdom_manage_user_home_content_sockets(smbd_t)
userdom_manage_user_home_content_pipes(smbd_t)
+   userdom_watch_user_home_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_portmapper',`
@@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
files_list_non_auth_dirs(smbd_t)
files_read_non_auth_files(smbd_t)
+   files_watch_all_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_export_all_rw',`
fs_read_noxattr_fs_files(smbd_t)
files_manage_non_auth_files(smbd_t)
+   files_watch_all_dirs(smbd_t)
 ')
 
 optional_policy(`
@@ -617,13 +621,17 @@ optional_policy(`
 allow smbcontrol_t self:process signal;
 allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
 allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto;
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:file map;
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms;
 
 samba_read_config(smbcontrol_t)
 samba_search_var(sm

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/

2023-10-06 Thread Kenton Groombridge
commit: ab9b49a1d782ac96a73b4b1553992528a599d8d6
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Sep 25 15:44:52 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab9b49a1

small network patches (#707)

* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, 
openvpn ppp and rpc

Signed-off-by: Russell Coker  coker.com.au>

* Fixed typo in interface name

Signed-off-by: Russell Coker  coker.com.au>

* Add interface libs_watch_shared_libs_dir

Signed-off-by: Russell Coker  coker.com.au>

* Added sysnet_watch_config_dir interface

Signed-off-by: Russell Coker  coker.com.au>

* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs

Signed-off-by: Russell Coker  coker.com.au>

* rename sysnet_watch_config_dir to sysnet_watch_config_dirs

Signed-off-by: Russell Coker  coker.com.au>

* Reverted a change as I can't remember why I did it.

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/netutils.te  |  1 +
 policy/modules/services/firewalld.te  |  3 +++
 policy/modules/services/ftp.fc|  6 +-
 policy/modules/services/ftp.te|  9 +
 policy/modules/services/inetd.te  |  2 +-
 policy/modules/services/networkmanager.te | 11 ++-
 policy/modules/services/openvpn.te|  1 +
 policy/modules/services/ppp.fc|  1 +
 policy/modules/services/ppp.te|  2 ++
 policy/modules/services/rpc.te|  6 +-
 policy/modules/system/libraries.if| 18 ++
 policy/modules/system/sysnetwork.if   | 18 ++
 12 files changed, 74 insertions(+), 4 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 5fef6a31a..3c43a1d84 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -146,6 +146,7 @@ logging_send_syslog_msg(ping_t)
 miscfiles_read_localization(ping_t)
 
 userdom_use_inherited_user_terminals(ping_t)
+term_use_unallocated_ttys(ping_t)
 
 optional_policy(`
munin_append_log(ping_t)

diff --git a/policy/modules/services/firewalld.te 
b/policy/modules/services/firewalld.te
index 954a348f0..eb097753f 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -38,11 +38,13 @@ allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
 allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t self:udp_socket create_socket_perms;
+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 
 allow firewalld_t firewalld_etc_rw_t:dir watch;
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
+allow firewalld_t firewalld_etc_rw_t:dir watch;
 
 allow firewalld_t firewalld_var_log_t:file append_file_perms;
 allow firewalld_t firewalld_var_log_t:file create_file_perms;
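Review bot: both added lines duplicate rules already present in this hunk: `allow firewalld_t self:netlink_netfilter_socket create_socket_perms;` is two lines above (L5199), and `allow firewalld_t firewalld_etc_rw_t:dir watch;` already opens the next block (L5203). The duplicates compile but are noise that makes later diffs harder to read; drop both.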
@@ -86,6 +88,7 @@ logging_send_syslog_msg(firewalld_t)
 
 libs_watch_lib_dirs(firewalld_t)
 
+miscfiles_read_generic_certs(firewalld_t)
 miscfiles_read_localization(firewalld_t)
 
 seutil_exec_setfiles(firewalld_t)

diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
index b90598fed..a58851e58 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@@ -1,4 +1,5 @@
 /etc/proftpd\.conf --  gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/pure-ftpd(/.*)?   gen_context(system_u:object_r:ftpd_etc_t,s0)
 
 /etc/cron\.monthly/proftpd --  
gen_context(system_u:object_r:ftpd_exec_t,s0)
 
@@ -22,8 +23,10 @@
 /usr/sbin/muddleftpd   --  gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/proftpd  --  gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/vsftpd   --  gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/pure-ftpd--  gen_context(system_u:object_r:ftpd_exec_t,s0)
 
-/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/pure-ftpd(/.*)?   gen_context(system_u:object_r:ftpd_runtime_t,s0)
 
 /usr/libexec/webmin/vsftpd/webalizer/xfer_log  --  
gen_context(system_u:object_r:xferlog_t,s0)
 
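Review bot: the `/run/proftpd.*` entry is removed and re-added as a line that reads identically, so the change appears to be whitespace-only (tab versus space alignment is not distinguishable in this rendering); a whitespace-only fc change belongs in its own commit or should be left out, otherwise the diff hides what actually changed. The pure-ftpd entries themselves reuse the existing ftpd types and look consistent with the neighbouring proftpd lines.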
@@ -31,6 +34,7 @@
 
 /var/log/muddleftpd\.log.* --  
gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/pure-ftpd(/.*)?   gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*  --  gen_context(system_u:object_r:xferlog_t,s0)
 /var

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 3cf4d89db3171671a05868dd5ecaf933c49fcaa4
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 28 13:55:56 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d

mon.te patches as well as some fstools patches related to it (#697)

* Patches for mon, mostly mon local monitoring.

Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts

Signed-off-by: Russell Coker  coker.com.au>

* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed

Signed-off-by: Russell Coker  coker.com.au>

* Fixed the issues from the review

Signed-off-by: Russell Coker  coker.com.au>

* Specify name to avoid conflicting file trans

Signed-off-by: Russell Coker  coker.com.au>

* fixed dontaudi_ typo

Signed-off-by: Russell Coker  coker.com.au>

* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for 
the object class

Signed-off-by: Russell Coker  coker.com.au>

* Remove fsdaemon_read_lib as it was already merged

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if  | 18 ++
 policy/modules/kernel/kernel.te |  2 +-
 policy/modules/kernel/storage.if|  7 ++-
 policy/modules/services/mon.te  | 30 ++
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/fstools.te| 17 +
 policy/modules/system/init.te   |  2 +-
 policy/modules/system/lvm.te|  2 +-
 policy/modules/system/raid.te   |  2 +-
 9 files changed, 72 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a1113ff7c..591aa64d6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',`
typeattribute $1 tmpfsfile;
 ')
 
+
+## 
+## dontaudit getattr on tmpfs files
+## 
+## 
+## 
+## Domain to not have stat on tmpfs files audited
+## 
+## 
+#
+interface(`files_dontaudit_getattr_all_tmpfs_files',`
+   gen_require(`
+   attribute tmpfsfile;
+   ')
+
+   dontaudit $1 tmpfsfile:file getattr;
+')
+
 
 ## 
 ## Get the attributes of all directories.

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 666d0e7e9..8156ac087 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,7 +390,7 @@ ifdef(`init_systemd',`
')
 
optional_policy(`
-   storage_dev_filetrans_fixed_disk(kernel_t)
+   storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
storage_setattr_fixed_disk_dev(kernel_t)
storage_create_fixed_disk_dev(kernel_t)
storage_delete_fixed_disk_dev(kernel_t)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 9c581a910..777caea69 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',`
 ## Domain allowed access.
 ## 
 ## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
 ## 
 ## 
 ## Optional filename of the block device to be created
@@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',`
type fixed_disk_device_t;
')
 
-   dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+   dev_filetrans($1, fixed_disk_device_t, $2, $3)
 ')
 
 
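Review bot: Making the object class a mandatory second argument changes the calling convention of a public interface, so any out-of-tree caller still written as `storage_dev_filetrans_fixed_disk(dom, "name")` will now hand its filename to dev_filetrans as the class and fail at policy build time. The diffstat shows the in-tree callers (kernel.te, init.te, lvm.te, raid.te, smartmon.te) being updated, which is right; the interface description should also record the change so it shows in the generated docs, e.g. `## The object class is a required second argument (it was previously fixed to blk_file).`. The XML parameter markup appears stripped by the list rendering, so I cannot confirm from here whether the new parameter is marked as required.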

diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index b9a349871..bbf0496b3 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t)
 
 allow mon_t self:fifo_file rw_fifo_file_perms;
 allow mon_t self:tcp_socket create_stream_socket_perms;
-# for mailxmpp.alert to set ulimit
-allow mon_t self:process setrlimit;
+allow mon_t self:process { setrlimit getsched signal };
 
 domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
 
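Review bot: The rewritten process rule drops the existing why-comment (`# for mailxmpp.alert to set ulimit`) and adds `getsched signal` without saying what needs them, so the reason for all three permissions is now absent from the file. Restore the comment and extend it, e.g. `# setrlimit for mailxmpp.alert to set ulimit; getsched and signal for <the monitor/alert that needs them>`, filling in the consumer observed in the AVCs. The mon_t section continues outside this hunk.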
@@ -104,6 +103,11 @@ optional_policy(`
mta_send_mail(mon_t)
 ')
 
+optional_policy(`
+   # for config of xmpp sending program
+   xdg_read_config_files(mon_t)
+')
+
 
 #
 # Local policy
@@ -151,6 +155,10 @@ optional_policy(`
mysql_stream_connect(mon_net_test_t)
 ')
 
+optional_policy(`
+   snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
 ###

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 90affee2271dfbaad7e02781e1c583e886229754
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 28 13:46:14 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90affee2

misc small patches for cron policy (#701)

* Some misc small patches for cron policy

Signed-off-by: Russell Coker  coker.com.au>

* added systemd_dontaudit_connect_machined interface

Signed-off-by: Russell Coker  coker.com.au>

* Remove the line about connecting to tor

Signed-off-by: Russell Coker  coker.com.au>

* remove the dontaudit for connecting to machined

Signed-off-by: Russell Coker  coker.com.au>

* changed to distro_debian

Signed-off-by: Russell Coker  coker.com.au>

* mta: Whitespace changes.

Signed-off-by: Chris PeBenito  ieee.org>

* cron: Move lines.

Signed-off-by: Chris PeBenito  ieee.org>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Chris PeBenito  ieee.org>
Co-authored-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/cron.if| 36 
 policy/modules/services/cron.te| 11 +++
 policy/modules/services/mta.te |  7 ++-
 policy/modules/services/postfix.te |  1 +
 policy/modules/system/init.if  | 18 ++
 policy/modules/system/systemd.if   | 18 ++
 6 files changed, 90 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 87306cfdb..049b01494 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -755,6 +755,24 @@ interface(`cron_rw_tmp_files',`
allow $1 crond_tmp_t:file rw_file_perms;
 ')
 
+
+## 
+##  Read and write inherited crond temporary files.
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+#
+interface(`cron_rw_inherited_tmp_files',`
+   gen_require(`
+   type crond_tmp_t;
+   ')
+
+   allow $1 crond_tmp_t:file rw_inherited_file_perms;
+')
+
 
 ## 
 ## Read system cron job lib files.
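Review bot: The new interface's doc block is formatted differently from its neighbours: `##  Read and write inherited crond temporary files.` carries a double space and the parameter block is indented with spaces, while cron_rw_tmp_files just above (and the cron_append_system_job_tmp_files interface added later in this file) use a single space and tabs. Match the surrounding style so the generated interface docs stay uniform. By refpolicy convention `rw_inherited_file_perms` omits `open`, so a one-line hint such as `## Callers that open the files themselves need cron_rw_tmp_files instead.` would save the next reader a lookup.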
@@ -888,6 +906,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
 ')
 
+
+## 
+## allow appending temporary system cron job files.
+## 
+## 
+## 
+## Domain to allow.
+## 
+## 
+#
+interface(`cron_append_system_job_tmp_files',`
+   gen_require(`
+   type system_cronjob_tmp_t;
+   ')
+
+   allow $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
 
 ## 
 ## Read and write to inherited system cron job temporary files.

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index b2de6de31..9df1e3060 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -436,6 +436,8 @@ optional_policy(`
systemd_dbus_chat_logind(system_cronjob_t)
systemd_read_journal_files(system_cronjob_t)
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+   # for runuser
+   init_search_keys(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
init_manage_script_service(system_cronjob_t)
@@ -491,6 +493,7 @@ kernel_getattr_message_if(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
+kernel_read_rpc_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
@@ -535,6 +538,7 @@ files_read_usr_files(system_cronjob_t)
 files_read_var_files(system_cronjob_t)
 files_dontaudit_search_runtime(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
+files_manage_var_lib_dirs(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
 files_read_var_lib_symlinks(system_cronjob_t)
 
@@ -554,6 +558,7 @@ logging_manage_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
+miscfiles_read_generic_certs(system_cronjob_t)
 miscfiles_read_localization(system_cronjob_t)
 
 seutil_read_config(system_cronjob_t)
@@ -654,6 +659,10 @@ optional_policy(`
mysql_read_config(system_cronjob_t)
 ')
 
+optional_policy(`
+   ntp_read_config(system_cronjob_t)
+')
+
 optional_policy(`
postfix_read_config(system_cronjob_t)
 ')
@@ -678,6 +687,8 @@ optional_policy(`
 
# for gpg-connect-agent to access /run/user/0
userdom_manage_user_runtime_dirs(system_cronjob_t)
+   # for /run/user/0/gnupg
+   userdom_manage_user_tmp_dirs

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2023-10-06 Thread Kenton Groombridge
commit: a4c6f2483b5025b63c5d42837f9eabd73d9866fe
Author: Guido Trentalancia  trentalancia  com>
AuthorDate: Fri Sep 29 20:30:14 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4c6f248

Let openoffice perform temporary file transitions and manage link files.

Signed-off-by: Guido Trentalancia  trentalancia.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/apps/openoffice.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/apps/openoffice.te 
b/policy/modules/apps/openoffice.te
index 37ac6720c..f8cccacd4 100644
--- a/policy/modules/apps/openoffice.te
+++ b/policy/modules/apps/openoffice.te
@@ -61,8 +61,9 @@ userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, 
dir, ".openoffice")
 
 manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_lnk_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
-files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file lnk_file sock_file })
 
 can_exec(ooffice_t, ooffice_exec_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: 634b4ae6e433169248722aa27c12b75c302ddac6
Author: Dave Sugar  gmail  com>
AuthorDate: Thu Sep 14 19:44:07 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=634b4ae6

separate domain for journalctl during init

During system boot, when systemd-journal-catalog-update.service is
started, it fails because initrc_t doesn't have access to write
systemd_journal_t files/dirs.  This change runs journalctl in a
different domain during system startup (systemd_journal_init_t) to allow
the access necessary to run.

 × systemd-journal-catalog-update.service - Rebuild Journal Catalog
 Loaded: loaded 
(/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
 Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 
10min ago
   Docs: man:systemd-journald.service(8)
 man:journald.conf(5)
Process: 1626 ExecStart=journalctl --update-catalog (code=exited, 
status=1/FAILURE)
   Main PID: 1626 (code=exited, status=1/FAILURE)
CPU: 102ms

Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog...
Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for 
writing: /var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to write 
/var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: 
Permission denied
Sep 13 12:51:28 localhost systemd[1]: 
systemd-journal-catalog-update.service: Main process exited, code=exited, 
status=1/FAILURE
Sep 13 12:51:28 localhost systemd[1]: 
systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal 
Catalog.

node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { 
write } for  pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { 
add_name } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { 
create } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { 
write } for  pid=1631 comm="journalctl" 
path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:137): avc:  denied  { 
setattr } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" 
ino=131204 scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { 
remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" 
dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { 
rename } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" 
ino=131204 scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { 
unlink } for  pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/logging.if | 19 +++
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.te | 35 ++-
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 681385d50..763926dac 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -845,6 +845,25 @@ interface(`logging_watch_runtime_dirs',`
allow $1 syslogd_runtime_t:dir watch;
 ')
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2023-10-06 Thread Kenton Groombridge
commit: 6f8208d24c132738f65741594de5b1b3b11d1a9c
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Mon Oct  2 12:44:00 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f8208d2

Add append to rw and manage lnk_file permission sets for consistency.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/support/obj_perm_sets.spt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d1784fae1..4b2b7c874 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -181,11 +181,11 @@ define(`setattr_lnk_file_perms',`{ setattr }')
 define(`read_lnk_file_perms',`{ getattr read }')
 define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
 define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
-define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write append lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link 
unlink rename ioctl lock }')
+define(`manage_lnk_file_perms',`{ create read write append getattr setattr 
link unlink rename ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: 6a26a817c369000f602f81d7f5da7b0fd5a1bff0
Author: Yi Zhao  windriver  com>
AuthorDate: Sat Sep 30 10:00:38 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a26a817

systemd: allow journalctl to create /var/lib/systemd/catalog

If /var/lib/systemd/catalog doesn't exist at first boot,
systemd-journal-catalog-update.service would fail:

$ systemctl status systemd-journal-catalog-update.service
  systemd-journal-catalog-update.service - Rebuild Journal Catalog
 Loaded: loaded 
(/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
 Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s 
ago
   Docs: man:systemd-journald.service(8)
 man:journald.conf(5)
Process: 247 ExecStart=journalctl --update-catalog (code=exited, 
status=1/FAILURE)
   Main PID: 247 (code=exited, status=1/FAILURE)

Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog...
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories 
of /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write 
/var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission 
denied
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: 
Main process exited, code=exited, status=1/FAILURE
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: 
Failed with result 'exit-code'.
Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog.

Fixes:
AVC avc:  denied  { getattr } for  pid=247 comm="journalctl" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0

AVC avc:  denied  { write } for  pid=247 comm="journalctl"
name="systemd" dev="vda" ino=13634
scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/systemd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4f1c4c856..c9d21bda5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -787,9 +787,10 @@ seutil_read_file_contexts(systemd_hw_t)
 
 dontaudit systemd_journal_init_t self:capability net_admin;
 
+manage_dirs_pattern(systemd_journal_init_t, systemd_journal_t, 
systemd_journal_t)
 manage_files_pattern(systemd_journal_init_t, systemd_journal_t, 
systemd_journal_t)
 
-fs_getattr_cgroup(systemd_journal_init_t)
+fs_getattr_all_fs(systemd_journal_init_t)
 fs_search_cgroup_dirs(systemd_journal_init_t)
 
 kernel_getattr_proc(systemd_journal_init_t)
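Review bot: Replacing `fs_getattr_cgroup` with `fs_getattr_all_fs` grants filesystem getattr on every filesystem type, while the denial quoted in the commit message is only `getattr` on `tmpfs_t`. A targeted `fs_getattr_tmpfs(systemd_journal_init_t)` alongside the existing cgroup call addresses that AVC without the blanket grant; keep `fs_getattr_all_fs` only if journalctl is known to statfs other filesystems as well, and say so in a comment. The systemd_journal_init_t section continues outside this hunk.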
@@ -798,6 +799,7 @@ kernel_read_system_state(systemd_journal_init_t)
 
 init_read_state(systemd_journal_init_t)
 init_search_var_lib_dirs(systemd_journal_init_t)
+init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir)
 
 logging_send_syslog_msg(systemd_journal_init_t)
 logging_stream_connect_journald_varlink(systemd_journal_init_t)
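Review bot: `init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir)` is an unnamed transition, so every directory this domain creates under init_var_lib_t is labelled systemd_journal_t, not only `catalog`. The commit message identifies the one directory needed (/var/lib/systemd/catalog), so pass the name to restrict the transition to it, e.g. `init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir, "catalog")`, assuming the interface takes the optional filename argument the way userdom_user_home_dir_filetrans and filetrans_pattern do elsewhere in this tree. A named transition also avoids clashing with any other filetrans rules on init_var_lib_t.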



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 28 13:57:18 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d4b9fb4

misc small email changes (#704)

* Small changes to courier, dovecot, exim, postfix, and sendmail policy.

Signed-off-by: Russell Coker  coker.com.au>

* Removed an obsolete patch

Signed-off-by: Russell Coker  coker.com.au>

* Added interfaces cron_rw_inherited_tmp_files and 
systemd_dontaudit_connect_machined

Signed-off-by: Russell Coker  coker.com.au>

* Use create_stream_socket_perms for unix connection to itself

Signed-off-by: Russell Coker  coker.com.au>

* Removed unconfined_run_to

Signed-off-by: Russell Coker  coker.com.au>

* Remove change for it to run from a user session

Signed-off-by: Russell Coker  coker.com.au>

* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/courier.fc  |  4 ++--
 policy/modules/services/courier.te  | 21 +++--
 policy/modules/services/dovecot.te  |  3 +++
 policy/modules/services/exim.te |  3 ++-
 policy/modules/services/mta.if  |  1 +
 policy/modules/services/mta.te  | 32 
 policy/modules/services/postfix.if  |  3 +++
 policy/modules/services/postfix.te  |  4 
 policy/modules/services/sendmail.te |  4 
 9 files changed, 70 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/courier.fc 
b/policy/modules/services/courier.fc
index 0f56d60d8..28594264f 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -23,8 +23,8 @@
 /usr/lib/courier/courier/courierpop.*  --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/imaplogin --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/pcpd  --  
gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/imapd.*   --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d.*   --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/rootcerts(/.*)?   
gen_context(system_u:object_r:courier_etc_t,s0)
 /usr/lib/courier/sqwebmail/cleancache\.pl  --  
gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
 /usr/lib/courier-imap/couriertcpd  --  
gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
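Review bot: Widening `/usr/lib/courier/imapd` to `/usr/lib/courier/imapd.*` (and likewise pop3d) matches any regular file whose name merely starts with those strings, not only the TLS wrappers this presumably targets. If the intent is the `-ssl` variants, `/usr/lib/courier/imapd(-ssl)?` and `/usr/lib/courier/pop3d(-ssl)?` keep the match exact; if other suffixes exist on the target distribution, a comment listing them would justify the open pattern. The `--` file-type restriction still limits both entries to regular files.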

diff --git a/policy/modules/services/courier.te 
b/policy/modules/services/courier.te
index 00ca1db6e..b5fa0c163 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket 
rw_stream_socket_pe
 
 can_exec(courier_authdaemon_t, courier_exec_t)
 
+kernel_getattr_proc(courier_authdaemon_t)
+
 corecmd_exec_shell(courier_authdaemon_t)
 
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
@@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t)
 miscfiles_read_localization(courier_authdaemon_t)
 
 selinux_getattr_fs(courier_authdaemon_t)
+seutil_search_default_contexts(courier_authdaemon_t)
 
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
-allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t self:capability { chown dac_read_search fowner setgid 
setuid };
+dontaudit courier_pop_t self:capability fsetid;
+allow courier_pop_t self:unix_stream_socket create_stream_socket_perms;
+allow courier_pop_t self:process setrlimit;
+
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } 
rw_stream_socket_perms;
 
-allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+allow courier_pop_t courier_var_lib_t:dir rw_dir_perms;
+allow courier_pop_t courier_var_lib_t:file manage_file_perms;
 
+allow courier_pop_t courier_etc_t:file map;
+
+can_exec(courier_pop_t, courier_exec_t)
+can_exec(courier_pop_t, courier_tcpd_exec_t)
 stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, 
courier_authdaemon_t)
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, 
courier_authdaemon_t)
 
 corecmd_exec_shell(courier_pop_t)
+corenet_tcp_bind_generic_node(courier_pop_t)
+corenet_tcp_bind_pop_port(couri

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: f9bb068485de922f97495d4795c3cc475cdb32e7
Author: Yi Zhao  windriver  com>
AuthorDate: Mon Oct  2 08:05:49 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9bb0684

bind: fix for named service

Fixes:
avc:  denied  { sqpoll } for  pid=373 comm="named"
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring
permissive=0

avc:  denied  { create } for  pid=373 comm="named" anonclass=[io_uring]
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/bind.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 0a08be452..37f2fdd1f 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -80,6 +80,8 @@ allow named_t self:process { setsched getsched getcap setcap 
setrlimit signal_pe
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };
+allow named_t self:anon_inode { create map read write };
+allow named_t self:io_uring sqpoll;
 
 manage_files_pattern(named_t, dnssec_t, dnssec_t)
 filetrans_pattern(named_t, named_conf_t, dnssec_t, dir, "cache")
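Review bot: `allow named_t self:anon_inode { create map read write }` covers every anonymous-inode class (io_uring, userfaultfd, secretmem, and so on), although the quoted AVC is only for `anonclass=[io_uring]`. At minimum a comment should tie the two new rules together, e.g. `# io_uring (with SQPOLL) used by named`; a named `type_transition` on the `[io_uring]` anonclass to a dedicated type would let the policy grant create/map/read/write for io_uring inodes only rather than for all anonymous inodes. Whether this tree already has a convention for anonclass transitions is not visible from the hunk, so treat that part as a suggestion.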



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 767814945e7b4302e9c085aba0d2772d051cd005
Author: Dave Sugar <31021570+dsugar100  users  noreply  
github  com>
AuthorDate: Fri Oct  6 13:06:39 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76781494

Separate label for /run/systemd/notify (#710)

* Separate label for /run/systemd/notify

label systemd_runtime_notify_t
Allow daemon domains to write by default

Signed-off-by: Dave Sugar  gmail.com>

* systemd: Add -s to /run/systemd/notify socket.

Signed-off-by: Chris PeBenito  ieee.org>
-

Signed-off-by: Dave Sugar  gmail.com>
Co-authored-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/dbus.te  |  2 +-
 policy/modules/system/init.if| 19 +++
 policy/modules/system/init.te|  3 ++-
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.if | 22 ++
 policy/modules/system/systemd.te |  3 +++
 6 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 79089b1c5..9ccd8a424 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -219,7 +219,7 @@ ifdef(`init_systemd', `
init_stop_all_units(system_dbusd_t)
 
# Recent versions of dbus are started as Type=notify
-   init_write_runtime_socket(system_dbusd_t)
+   systemd_write_notify_socket(system_dbusd_t)
 
tunable_policy(`dbus_broker_system_bus',`
init_get_system_status(system_dbusd_t)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d91eadfb5..5b0f44381 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1002,6 +1002,25 @@ interface(`init_unix_stream_socket_connectto',`
allow $1 init_t:unix_stream_socket connectto;
 ')
 
+
+## 
+## Send to init with a unix socket.
+##  Without any additional permissions.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`init_unix_stream_socket_sendto',`
+   gen_require(`
+   type init_t;
+   ')
+
+   allow $1 init_t:unix_stream_socket sendto;
+')
+
 
 ## 
 ## Inherit and use file descriptors from init.
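Review bot: The new interface grants `sendto` on `init_t:unix_stream_socket`, but the notify socket it is presumably for (`/run/systemd/notify`, labelled in this commit's systemd.fc hunk) is created with SOCK_DGRAM by sd_notify(), so the check a client normally trips is on the `unix_dgram_socket` class. Confirm which class the motivating AVC reports before relying on this; if it is dgram, the rule should read `allow $1 init_t:unix_dgram_socket sendto;`. The summary `Without any additional permissions.` also reads as an unfinished sentence; `## Send to init over a unix socket without granting connectto.` states what is meant.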

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 457fac072..c83d88b74 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1178,6 +1178,7 @@ ifdef(`init_systemd',`
 
systemd_start_power_units(initrc_t)
systemd_watch_networkd_runtime_dirs(initrc_t)
+   systemd_write_notify_socket(initrc_t)
 
# Ensures the memory.pressure cgroup file is labelled differently, so
# that processes can manage it without having access to the rest of the
@@ -1611,7 +1612,7 @@ ifdef(`init_systemd',`
fs_search_cgroup_dirs(daemon)
 
# need write to /var/run/systemd/notify
-   init_write_runtime_socket(daemon)
+   systemd_write_notify_socket(daemon)
 ')
 
 tunable_policy(`init_daemons_use_tty',`
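Review bot: The comment kept above the replaced call still says `# need write to /var/run/systemd/notify`, whereas this commit labels the socket at `/run/systemd/notify` in systemd.fc; update it to `# need write to /run/systemd/notify (Type=notify daemons)` so the path matches the file context. Granting this to the whole daemon attribute matches the commit message's stated intent. The enclosing ifdef block starts outside this hunk.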

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index ac64a5d5c..57f746c58 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -103,6 +103,7 @@ HOME_DIR/\.local/share/systemd(/.*)?
gen_context(system_u:object_r:systemd_data
 /run/systemd/ask-password-block(/.*)?  
gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/home(/.*)? 
gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
 /run/systemd/network(/.*)?  
gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
+/run/systemd/notify-s  
gen_context(system_u:object_r:systemd_runtime_notify_t,s0)
 /run/systemd/resolve(/.*)?  
gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)?   
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)?
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
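Review bot: The new type name `systemd_runtime_notify_t` inverts the naming pattern of its neighbours in this file, which put the component before `_runtime_t` (`systemd_networkd_runtime_t`, `systemd_resolved_runtime_t`, `systemd_sessions_runtime_t`). Unless there is a reason for the inversion, `systemd_notify_runtime_t` follows the convention and is cheapest to rename now, before the type is referenced by other modules. The `-s` socket qualifier on the entry is correct for a unix socket path.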

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 19b2dbd85..68fb1a148 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -126,6 +126,7 @@ template(`systemd_role_template',`
systemd_search_user_runtime_unit_dirs($1_systemd_t)
systemd_search_user_transient_unit_dirs($1_systemd_t)
systemd_read_user_units_files($1_systemd_t)
+   systemd_write_notify_socket($1_systemd_t)
 
dbus_system_bus_client($1_systemd_t)
dbus_spec_session_bus_client($1, $1_systemd_t)
@@ -276,6 +277,27 @@ interface(`systemd_user_unix_stream_activated_socket',`
systemd_user_activated_sock_file($

[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/

2023-10-06 Thread Kenton Groombridge
commit: a214ace3c7ac557196b58ab0342bf8e7023aca38
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Oct  6 15:32:33 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:32:33 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a214ace3

Merge upstream

Signed-off-by: Kenton Groombridge  gentoo.org>

 gentoo/STATE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gentoo/STATE b/gentoo/STATE
index b2d61aa8e..1f7d780e5 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-86a7f884a5af56076ae4829b25e73a74b2f56024
+d542d53698339cd3b3bb80e6e36fb4add4016e9d



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/

2023-10-06 Thread Kenton Groombridge
commit: ca3332b1b3ad6b6cc3b52bf8cff26e4407f93c92
Author: Russell Coker  coker  com  au>
AuthorDate: Fri Oct  6 10:48:52 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca3332b1

Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited 
from cron, and dontaudit ps type operations from it

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/corecommands.fc | 1 -
 policy/modules/system/raid.fc | 2 ++
 policy/modules/system/raid.te | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index da5db80a2..21ec61464 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -320,7 +320,6 @@ ifdef(`distro_debian',`
 /usr/sbin/sesh --  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh--  
gen_context(system_u:object_r:shell_exec_t,s0)
 
-/usr/share/mdadm/checkarray--  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm\.py.* --  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb\.py.* --  gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
index 84f1ab02a..ca16bdfdf 100644
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
@@ -11,6 +11,8 @@
 /usr/bin/mdmpd --  gen_context(system_u:object_r:mdadm_exec_t,s0)
 /usr/bin/raid-check--  gen_context(system_u:object_r:mdadm_exec_t,s0)
 
+/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
 # Systemd unit files
 /usr/lib/systemd/system/[^/]*mdadm-.*  --  
gen_context(system_u:object_r:mdadm_unit_t,s0)
 /usr/lib/systemd/system/[^/]*mdmon.*   --  
gen_context(system_u:object_r:mdadm_unit_t,s0)

diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 907facf8d..c8db38261 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -57,6 +57,7 @@ dev_read_realtime_clock(mdadm_t)
 # create links in /dev/md
 dev_create_generic_symlinks(mdadm_t)
 
+domain_dontaudit_search_all_domains_state(mdadm_t)
 domain_use_interactive_fds(mdadm_t)
 
 files_read_etc_files(mdadm_t)
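Review bot: The added `domain_dontaudit_search_all_domains_state(mdadm_t)` has no comment, while the neighbouring lines each carry one (`# create links in /dev/md`); dontaudit rules hide denials from future debugging, so the trigger should be recorded next to the rule. From the commit message this appears to be the ps-style process listing done by checkarray, so something like `# checkarray lists processes (ps); silence /proc searches of other domains` above the line. If an interface exists that only covers what checkarray actually reads, it would be preferable to blanket-silencing searches across all domains' state.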
@@ -95,6 +96,7 @@ userdom_dontaudit_search_user_home_content(mdadm_t)
 
 optional_policy(`
cron_system_entry(mdadm_t, mdadm_exec_t)
+   cron_rw_inherited_tmp_files(mdadm_t)
 ')
 
 optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: b2b5270fcce158aedf71a5be0b2fa15822ecb069
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Oct  5 11:13:54 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2b5270f

https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/

While cgroups2 doesn't have the "feature" of having the kernel run a program
specified in the cgroup, the history of this exploit suggests that writing to
cgroups should be restricted and not granted to all users

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/userdomain.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 642da35cd..676a76241 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -690,7 +690,7 @@ template(`userdom_common_user_template',`
files_watch_etc_dirs($1_t)
files_watch_usr_dirs($1_t)
 
-   fs_rw_cgroup_files($1_t)
+   fs_read_cgroup_files($1_t)
 
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
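Review bot: The switch to `fs_read_cgroup_files($1_t)` leaves no in-policy comment, so the rationale for dropping write access from every common user domain lives only in the commit message; a one-liner such as `# read only: writing cgroup files is a known privilege-escalation path` above the call keeps it with the rule. This is a tightening, so anything in a user session that legitimately writes cgroup files will now be denied; if such a use exists, gating the write behind a `tunable_policy` boolean (as init.te does for `init_daemons_use_tty`) keeps it opt-in rather than silently dropped. `userdom_common_user_template` starts and ends outside this hunk.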



[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/

2023-11-06 Thread Kenton Groombridge
commit: 0277ec5d18edab3db9390af52131872d7e16f5eb
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Nov  6 18:30:46 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Mon Nov  6 18:32:43 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0277ec5d

www-apps/miniflux: stabilize 2.0.45 for amd64, ppc64

Signed-off-by: Kenton Groombridge  gentoo.org>

 www-apps/miniflux/miniflux-2.0.45.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www-apps/miniflux/miniflux-2.0.45.ebuild 
b/www-apps/miniflux/miniflux-2.0.45.ebuild
index ed9f217ff691..ba48c8291c75 100644
--- a/www-apps/miniflux/miniflux-2.0.45.ebuild
+++ b/www-apps/miniflux/miniflux-2.0.45.ebuild
@@ -15,7 +15,7 @@ SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz";
 
 LICENSE="Apache-2.0 BSD BSD-2 MIT"
 SLOT="0"
-KEYWORDS="~amd64 ~ppc64 ~riscv"
+KEYWORDS="amd64 ppc64 ~riscv"
 
 RESTRICT="test" # requires network access
 



[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/

2023-11-06 Thread Kenton Groombridge
commit: ad5fb9992f649b1b96ab0e5881d96664c0755155
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Nov  6 18:31:13 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Mon Nov  6 18:32:45 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad5fb999

www-apps/miniflux: drop 2.0.44

Signed-off-by: Kenton Groombridge  gentoo.org>

 www-apps/miniflux/Manifest   |   2 -
 www-apps/miniflux/miniflux-2.0.44.ebuild | 107 ---
 2 files changed, 109 deletions(-)

diff --git a/www-apps/miniflux/Manifest b/www-apps/miniflux/Manifest
index f2ed94d0a483..5169c94d3eb0 100644
--- a/www-apps/miniflux/Manifest
+++ b/www-apps/miniflux/Manifest
@@ -1,5 +1,3 @@
-DIST miniflux-2.0.44-deps.tar.xz 38348604 BLAKE2B 
6709ad503ec64ea64fb35624ff0f6d641a6ccac78d52469a0a6c6e905e505c78866603f310e82c5ff7e1bcd7656cb0d9b3516bb9d0822d7a3f8bbbdadaff0aca
 SHA512 
f463a5a63c5611e8b90ebf15127e05e2df878bb6c49a347f182c5df40feea7e0b2fa21cff4c92b6a99f82e8be4cbd113999f0b3ba6187897af9fad49c9a2aecb
-DIST miniflux-2.0.44.tar.gz 574354 BLAKE2B 
a0c29cb88d88584619e6890a01af15d7b7d9a6ab230b60d76c01d95e82c5ef665aeb19f120180bc328ef3847cae2c87096a096e8f0d0455f7694539556453e5b
 SHA512 
6c1057bcb4daf3110a8885363e2386c6d68776e917f0277299ab94fb46553a8a1b3acf4a2893ab03d30e2b3c26118257e68a7f33d5d436884bfafd8e06fc5e0a
 DIST miniflux-2.0.45-deps.tar.xz 38551640 BLAKE2B 
b4dfe2c8bb4d96ba9b4adcb23078b7555115fed8ac346c47411fe406b086330e12f62ca71162d7eab6e1564ae21d1330d93e6e56fde8c421ff8df56cb3ca520a
 SHA512 
79a659660daa01b2909a2e726dc37a789645a3e42c9132ad0e6cc7dd38ae08ad42075339da729fc5942e456fcb5037a414d26952731497586f322c9073f39872
 DIST miniflux-2.0.45.tar.gz 580517 BLAKE2B 
804c109a7cda5cd4aa4a65130b70c4d1ebb00decbdbb15c6175e14726aa1d0944d9803898e8ace8bdca083e4668f1fe2230a588793082b63967ef11d7e68827f
 SHA512 
f2770105b05251d8ec1cd63fc8fde4ac45ba6d734c2bd96b574a4c0e33b6a9c8ce67af48d9adb29794a292c47f2f7059fea8a6e20708d0fefa6de4cbaa647328
 DIST miniflux-2.0.49-deps.tar.xz 38155476 BLAKE2B 
9631c23af181cf86bd197066a453c84b09840cc71a870eba0ad4e7cdb2720fe952fca7f6a93f3e9e2e2d8c9a13629da0f758b21a4afe5849186d653b44a3f097
 SHA512 
c51228a3f70d73788be63ed5e7f24baeee9a369351e07bd7715a60c6b340d3e90ebd25adfb50d3e2144a8b0c7d609fca3bacdd51a1d61ff7916e6a7a439b6dc1

diff --git a/www-apps/miniflux/miniflux-2.0.44.ebuild 
b/www-apps/miniflux/miniflux-2.0.44.ebuild
deleted file mode 100644
index 4e238162adbc..
--- a/www-apps/miniflux/miniflux-2.0.44.ebuild
+++ /dev/null
@@ -1,107 +0,0 @@
-# Copyright 2020-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit go-module systemd
-
-# Get with 'git rev-parse --short HEAD'
-MY_GIT_COMMIT="4c0c6581"
-
-DESCRIPTION="Minimalist and opinionated feed reader"
-HOMEPAGE="https://miniflux.app https://github.com/miniflux/v2";
-SRC_URI="https://github.com/${PN}/v2/archive/${PV}.tar.gz -> ${P}.tar.gz"
-SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz";
-
-LICENSE="Apache-2.0 BSD BSD-2 MIT"
-SLOT="0"
-KEYWORDS="amd64 ppc64 ~riscv"
-
-RESTRICT="test" # requires network access
-
-DEPEND="acct-user/miniflux"
-RDEPEND="${DEPEND}
-   >=dev-db/postgresql-9.5
-"
-
-S="${WORKDIR}/v2-${PV}"
-
-src_compile() {
-   ego build -ldflags="
-   -s -w
-   -X 'miniflux.app/version.Version=${PV}'
-   -X 'miniflux.app/version.Commit=${MY_GIT_COMMIT}'
-   -X 'miniflux.app/version.BuildDate=$(date +%FT%T%z)'
-   " -o miniflux main.go
-}
-
-src_install() {
-   dobin miniflux
-
-   insinto /etc
-   doins "${FILESDIR}/${PN}.conf"
-
-   newconfd "${FILESDIR}/${PN}.confd" ${PN}
-
-   newinitd "${FILESDIR}/${PN}.initd-r1" ${PN}
-   systemd_dounit "${FILESDIR}/${PN}.service"
-
-   fowners miniflux:root /etc/${PN}.conf
-   fperms o-rwx /etc/${PN}.conf
-
-   local DOCS=(
-   ChangeLog
-   README.md
-   "${FILESDIR}"/README.gentoo
-   )
-
-   # Makefile has no install target, so call einstalldocs directly
-   einstalldocs
-
-   doman "${PN}".1
-}
-
-pkg_postinst() {
-   if [[ -z "${REPLACING_VERSIONS}" ]]; then
-   # This is a new installation
-
-   echo
-   elog "Before using miniflux, you must first create and 
initialize the database"
-   elog "and enable the hstore extension for it."
-   elog ""
-   elog "Afterwards, create your first admin user by running:"
-   elog "  miniflux -create-admin"
-   else
-   # This is an existing installati

[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/

2023-11-06 Thread Kenton Groombridge
commit: be968ced07f41e5a0beb22e2fd23eba604b81377
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Nov  6 18:30:10 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Mon Nov  6 18:32:41 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be968ced

www-apps/miniflux: add 2.0.49

Signed-off-by: Kenton Groombridge  gentoo.org>

 www-apps/miniflux/Manifest   |   2 +
 www-apps/miniflux/miniflux-2.0.49.ebuild | 107 +++
 2 files changed, 109 insertions(+)

diff --git a/www-apps/miniflux/Manifest b/www-apps/miniflux/Manifest
index 3728d48d707e..f2ed94d0a483 100644
--- a/www-apps/miniflux/Manifest
+++ b/www-apps/miniflux/Manifest
@@ -2,3 +2,5 @@ DIST miniflux-2.0.44-deps.tar.xz 38348604 BLAKE2B 
6709ad503ec64ea64fb35624ff0f6d
 DIST miniflux-2.0.44.tar.gz 574354 BLAKE2B 
a0c29cb88d88584619e6890a01af15d7b7d9a6ab230b60d76c01d95e82c5ef665aeb19f120180bc328ef3847cae2c87096a096e8f0d0455f7694539556453e5b
 SHA512 
6c1057bcb4daf3110a8885363e2386c6d68776e917f0277299ab94fb46553a8a1b3acf4a2893ab03d30e2b3c26118257e68a7f33d5d436884bfafd8e06fc5e0a
 DIST miniflux-2.0.45-deps.tar.xz 38551640 BLAKE2B 
b4dfe2c8bb4d96ba9b4adcb23078b7555115fed8ac346c47411fe406b086330e12f62ca71162d7eab6e1564ae21d1330d93e6e56fde8c421ff8df56cb3ca520a
 SHA512 
79a659660daa01b2909a2e726dc37a789645a3e42c9132ad0e6cc7dd38ae08ad42075339da729fc5942e456fcb5037a414d26952731497586f322c9073f39872
 DIST miniflux-2.0.45.tar.gz 580517 BLAKE2B 
804c109a7cda5cd4aa4a65130b70c4d1ebb00decbdbb15c6175e14726aa1d0944d9803898e8ace8bdca083e4668f1fe2230a588793082b63967ef11d7e68827f
 SHA512 
f2770105b05251d8ec1cd63fc8fde4ac45ba6d734c2bd96b574a4c0e33b6a9c8ce67af48d9adb29794a292c47f2f7059fea8a6e20708d0fefa6de4cbaa647328
+DIST miniflux-2.0.49-deps.tar.xz 38155476 BLAKE2B 
9631c23af181cf86bd197066a453c84b09840cc71a870eba0ad4e7cdb2720fe952fca7f6a93f3e9e2e2d8c9a13629da0f758b21a4afe5849186d653b44a3f097
 SHA512 
c51228a3f70d73788be63ed5e7f24baeee9a369351e07bd7715a60c6b340d3e90ebd25adfb50d3e2144a8b0c7d609fca3bacdd51a1d61ff7916e6a7a439b6dc1
+DIST miniflux-2.0.49.tar.gz 614888 BLAKE2B 
77fae7eafcc55d02e3e00e6c008cb6727ff48423512e9dde420b84a63858e6ba9ed33dfd61907a46ca686b211f604d452e2ad5944b709094263ca0949a6128c8
 SHA512 
59505f5e60228ff94cf2cabc872117cd08c06edb0df6dfb4487153add27cc4e485d7cb71330333df155f158eb650f684d55f0460ba5404f5e26b9603123fd860

diff --git a/www-apps/miniflux/miniflux-2.0.49.ebuild 
b/www-apps/miniflux/miniflux-2.0.49.ebuild
new file mode 100644
index ..12650bceb1d6
--- /dev/null
+++ b/www-apps/miniflux/miniflux-2.0.49.ebuild
@@ -0,0 +1,107 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module systemd
+
+# Get with 'git rev-parse --short HEAD'
+MY_GIT_COMMIT="54eb5003"
+
+DESCRIPTION="Minimalist and opinionated feed reader"
+HOMEPAGE="https://miniflux.app https://github.com/miniflux/v2";
+SRC_URI="https://github.com/${PN}/v2/archive/${PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz";
+
+LICENSE="Apache-2.0 BSD BSD-2 MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc64 ~riscv"
+
+RESTRICT="test" # requires network access
+
+DEPEND="acct-user/miniflux"
+RDEPEND="${DEPEND}
+   >=dev-db/postgresql-9.5
+"
+
+S="${WORKDIR}/v2-${PV}"
+
+src_compile() {
+   ego build -ldflags="
+   -s -w
+   -X 'miniflux.app/v2/internal/version.Version=${PV}'
+   -X 'miniflux.app/v2/internal/version.Commit=${MY_GIT_COMMIT}'
+   -X 'miniflux.app/v2/internal/version.BuildDate=$(date +%FT%T%z)'
+   " -o miniflux main.go
+}
+
+src_install() {
+   dobin miniflux
+
+   insinto /etc
+   doins "${FILESDIR}/${PN}.conf"
+
+   newconfd "${FILESDIR}/${PN}.confd" ${PN}
+
+   newinitd "${FILESDIR}/${PN}.initd-r1" ${PN}
+   systemd_dounit "${FILESDIR}/${PN}.service"
+
+   fowners miniflux:root /etc/${PN}.conf
+   fperms o-rwx /etc/${PN}.conf
+
+   local DOCS=(
+   ChangeLog
+   README.md
+   "${FILESDIR}"/README.gentoo
+   )
+
+   # Makefile has no install target, so call einstalldocs directly
+   einstalldocs
+
+   doman "${PN}".1
+}
+
+pkg_postinst() {
+   if [[ -z "${REPLACING_VERSIONS}" ]]; then
+   # This is a new installation
+
+   echo
+   elog "Before using miniflux, you must first create and 
initialize the database"
+   elog "and enable the hstore extension for it."
+   elog ""
+   elog "Afterwards, create your first admin user by running:"
+  

[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/files/, net-voip/murmur/

2024-02-09 Thread Kenton Groombridge
commit: cdf97e00d9cc8120deb8ed2e00589d56ce26adc5
Author: Sebastian Parborg  gmail  com>
AuthorDate: Wed May 31 17:49:43 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:48 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdf97e00

net-voip/murmur: update live ebuild

Signed-off-by: Sebastian Parborg  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/murmur/files/murmur.confd-r2 |   9 +++
 net-voip/murmur/murmur-.ebuild| 113 +++---
 2 files changed, 58 insertions(+), 64 deletions(-)

diff --git a/net-voip/murmur/files/murmur.confd-r2 
b/net-voip/murmur/files/murmur.confd-r2
new file mode 100644
index ..c8d3230b9974
--- /dev/null
+++ b/net-voip/murmur/files/murmur.confd-r2
@@ -0,0 +1,9 @@
+# where to look for the config file
+MURMUR_CONF=/etc/murmur/mumble-server.ini
+
+# run as this user
+MURMUR_USER=murmur
+
+# HOME directory of MURMUR_USER
+MURMUR_HOME=/var/lib/murmur
+

diff --git a/net-voip/murmur/murmur-.ebuild 
b/net-voip/murmur/murmur-.ebuild
index 767d7a494eb3..b5d57c5bea38 100644
--- a/net-voip/murmur/murmur-.ebuild
+++ b/net-voip/murmur/murmur-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -10,7 +10,20 @@ HOMEPAGE="https://wiki.mumble.info";
 if [[ "${PV}" ==  ]] ; then
inherit git-r3
EGIT_REPO_URI="https://github.com/mumble-voip/mumble.git";
-   EGIT_SUBMODULES=( '-*' 3rdparty/FindPythonInterpreter 3rdparty/gsl 
3rdparty/tracy )
+
+   # needed for the included 3rdparty license script,
+   # even if these components may not be compiled in
+   EGIT_SUBMODULES=(
+   '-*'
+   3rdparty/cmake-compiler-flags
+   3rdparty/FindPythonInterpreter
+   3rdparty/gsl
+   3rdparty/minhook
+   3rdparty/opus
+   3rdparty/rnnoise-src
+   3rdparty/speexdsp
+   3rdparty/tracy
+   )
 else
MY_PN="mumble"
if [[ "${PV}" == *_pre* ]] ; then
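Review bot: The submodule list now checks out bundled copies of opus, speexdsp, rnnoise-src and minhook; the new comment says they are wanted only for the 3rdparty license script, but nothing in this hunk prevents the build from compiling them in, and the parts of RDEPEND visible in the later hunks list neither opus nor speexdsp. Bundled copies do not receive distro security updates, so it is worth confirming that the cmake configuration forces the system libraries and recording that in the comment, e.g. `# checked out only for the 3rdparty license script; the build is configured to use system libs`. The live-version `if` block that opens this hunk closes outside it.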
@@ -29,7 +42,7 @@ fi
 
 LICENSE="BSD"
 SLOT="0"
-IUSE="+dbus grpc +ice test zeroconf"
+IUSE="+ice test zeroconf"
 RESTRICT="!test? ( test )"
 
 RDEPEND="
@@ -38,6 +51,7 @@ RDEPEND="
>=dev-libs/openssl-1.0.0b:0=
>=dev-libs/protobuf-2.2.0:=
dev-qt/qtcore:5
+   dev-qt/qtdbus:5
dev-qt/qtnetwork:5[ssl]
|| (
dev-qt/qtsql:5[sqlite]
@@ -46,8 +60,6 @@ RDEPEND="
dev-qt/qtxml:5
sys-apps/lsb-release
>=sys-libs/libcap-2.15
-   dbus? ( dev-qt/qtdbus:5 )
-   grpc? ( net-libs/grpc )
ice? ( dev-libs/Ice:= )
zeroconf? ( net-dns/avahi[mdnsresponder-compat] )
 "
@@ -62,58 +74,43 @@ BDEPEND="
virtual/pkgconfig
 "
 
-if [[ "${PV}" == * ]] ; then
-   # Required for the mkini.sh script which calls perl multiple times
-   BDEPEND+="
-   dev-lang/perl
-   "
-fi
-
+DISABLE_AUTOFORMATTING="yes"
 DOC_CONTENTS="
-   Useful scripts are located in /usr/share/doc/${PF}/scripts.\n
-   Please execute:\n
-   murmurd -ini /etc/murmur/murmur.ini -supw \n
-   chown murmur:murmur /var/lib/murmur/murmur.sqlite\n
-   to set the build-in 'SuperUser' password before starting murmur.
-   Please restart dbus before starting murmur, or else dbus
-   registration will fail.
+The default 'SuperUser' password will be written into the log file
+when starting murmur for the first time.
+
+If you want to manually set a password yourself, please execute:
+su murmur -s /bin/bash -c 'mumble-server -ini /etc/murmur/mumble-server.ini 
-supw '
+
+This will set the built-in 'SuperUser' password to '' when starting murmur.
 "
 
 src_prepare() {
-   if [[ "${PV}" == * ]] ; then
-   pushd scripts &>/dev/null || die
-   ./mkini.sh || die
-   popd &>/dev/null || die
-   fi
-
+   # Adjust default server settings to be correct for our default setup
sed \
-   -e 's:mumble-server:murmur:g' \
-   -e 's:/var/run:/run:g' \
-   -i "${S}"/scripts/murmur.{conf,ini} || die
+   -e 's:database=:database=/var/lib/murmur/database.sqlite:' \
+   -e 
's:;logfile=mumble-server.log:logfile=/var/log/murmur/murmur.log:' \
+   -e 's:;pidfile=:pidfile=/run/murmur/murmur.pid:' \
+   -i auxiliary_files/mumble-server.ini || die
 
-   # Adjust systemd service file to our config l

[gentoo-commits] repo/gentoo:master commit in: net-voip/mumble/

2024-02-09 Thread Kenton Groombridge
commit: bec8b5cb32f5888049bc3e0b777d8acc5c2ecf52
Author: Sebastian Parborg  gmail  com>
AuthorDate: Fri Jan 26 14:05:00 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:50 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bec8b5cb

net-voip/mumble: Update live ebuild

Signed-off-by: Sebastian Parborg  gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/30788
Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/mumble/mumble-.ebuild | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-voip/mumble/mumble-.ebuild 
b/net-voip/mumble/mumble-.ebuild
index b5a027a596c1..7aba5eb04ba7 100644
--- a/net-voip/mumble/mumble-.ebuild
+++ b/net-voip/mumble/mumble-.ebuild
@@ -16,6 +16,7 @@ if [[ "${PV}" ==  ]] ; then
# even if these components may not be compiled in
EGIT_SUBMODULES=(
'-*'
+   3rdparty/cmake-compiler-flags
3rdparty/FindPythonInterpreter
3rdparty/gsl
3rdparty/minhook



[gentoo-commits] repo/gentoo:master commit in: net-voip/mumble/

2024-02-09 Thread Kenton Groombridge
commit: 3a0b6aea3bcc3ebf5514e0411f9e0b4349d03c5c
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:10:45 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:51 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a0b6aea

net-voip/mumble: update copyright year

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/mumble/mumble-.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-voip/mumble/mumble-.ebuild 
b/net-voip/mumble/mumble-.ebuild
index 7aba5eb04ba7..79e98b80ec73 100644
--- a/net-voip/mumble/mumble-.ebuild
+++ b/net-voip/mumble/mumble-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7



[gentoo-commits] repo/gentoo:master commit in: app-admin/setools/

2024-02-09 Thread Kenton Groombridge
commit: c0908dc9869bcc0fcacfd37e511c22db5443044f
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:36:43 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:52 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0908dc9

app-admin/setools: stabilize 4.4.4 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 app-admin/setools/setools-4.4.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app-admin/setools/setools-4.4.4.ebuild 
b/app-admin/setools/setools-4.4.4.ebuild
index ec3d11050109..d74e1d12b4bf 100644
--- a/app-admin/setools/setools-4.4.4.ebuild
+++ b/app-admin/setools/setools-4.4.4.ebuild
@@ -18,7 +18,7 @@ if [[ ${PV} ==  ]] ; then
S="${WORKDIR}/${P}"
 else

SRC_URI="https://github.com/SELinuxProject/setools/releases/download/${PV}/${P}.tar.bz2";
-   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+   KEYWORDS="amd64 arm arm64 x86"
S="${WORKDIR}/${PN}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/

2024-02-09 Thread Kenton Groombridge
commit: 5321ea9752e70e9f151b927d4bffefad49d878cf
Author: Sebastian Parborg  gmail  com>
AuthorDate: Fri Apr 28 12:11:18 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:46 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5321ea97

net-voip/murmur: add 1.4.287-r2

The default install would not run out of the box and one needed to
change the following to get it up and running:

- Set the pidfile option to /run/murmur/murmur.pid in .ini config file

- Change logfile setting to /var/log/murmur/murmur.log in ini file

- Specify the database location to /var/lib/murmur/database.sqlite in
  the ini file. Otherwise it would complain that the database was read-only
  and wouldn't start.

- Needed to add avahi-daemon to "use" in the depend section in the init.d
  script to get zeroconf functionality to work.

- Fix avahi command in initd file

Clarified and simplified the post install message as well.

Signed-off-by: Sebastian Parborg  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/murmur/murmur-1.4.287-r2.ebuild | 200 +++
 1 file changed, 200 insertions(+)

diff --git a/net-voip/murmur/murmur-1.4.287-r2.ebuild 
b/net-voip/murmur/murmur-1.4.287-r2.ebuild
new file mode 100644
index ..f439f3c88309
--- /dev/null
+++ b/net-voip/murmur/murmur-1.4.287-r2.ebuild
@@ -0,0 +1,200 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit cmake flag-o-matic systemd readme.gentoo-r1 tmpfiles
+
+DESCRIPTION="Mumble is an open source, low-latency, high quality voice chat 
software"
+HOMEPAGE="https://wiki.mumble.info";
+if [[ "${PV}" ==  ]] ; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/mumble-voip/mumble.git";
+   EGIT_SUBMODULES=( '-*' )
+else
+   MY_PN="mumble"
+   if [[ "${PV}" == *_pre* ]] ; then
+   MY_P="${MY_PN}-${PV}"
+   
SRC_URI="https://dev.gentoo.org/~concord/distfiles/${MY_P}.tar.xz";
+   S="${WORKDIR}/${MY_P}"
+   else
+   MY_PV="${PV/_/-}"
+   MY_P="${MY_PN}-${MY_PV}"
+   
SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz
+   https://dl.mumble.info/${MY_P}.tar.gz";
+   S="${WORKDIR}/${MY_P}.src"
+   fi
+   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+fi
+
+SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/mumble-1.4-openssl3.patch.xz";
+SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/mumble-1.4-crypto-threads.patch.xz";
+SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/mumble-1.4-odr.patch.xz";
+
+LICENSE="BSD"
+SLOT="0"
+IUSE="+dbus grpc +ice test zeroconf"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+   acct-group/murmur
+   acct-user/murmur
+   >=dev-libs/openssl-1.0.0b:0=
+   >=dev-libs/protobuf-2.2.0:=
+   dev-qt/qtcore:5
+   dev-qt/qtnetwork:5[ssl]
+   || (
+   dev-qt/qtsql:5[sqlite]
+   dev-qt/qtsql:5[mysql]
+   )
+   dev-qt/qtxml:5
+   sys-apps/lsb-release
+   >=sys-libs/libcap-2.15
+   dbus? ( dev-qt/qtdbus:5 )
+   grpc? ( net-libs/grpc )
+   ice? ( dev-libs/Ice:= )
+   zeroconf? ( net-dns/avahi[mdnsresponder-compat] )
+"
+
+DEPEND="${RDEPEND}
+   dev-libs/boost
+   dev-qt/qttest:5
+"
+BDEPEND="
+   acct-group/murmur
+   acct-user/murmur
+   virtual/pkgconfig
+"
+
+if [[ "${PV}" == * ]] ; then
+   # Required for the mkini.sh script which calls perl multiple times
+   BDEPEND+="
+   dev-lang/perl
+   "
+fi
+
+DOC_CONTENTS="
+   Useful scripts are located in /usr/share/doc/${PF}/scripts.
+   The defualt 'SuperUser' password will be written into the log file
+   when starting murmur for the first time.
+   If you want to set it yourself, please execute:
+   su murmur -s /bin/bash -c 'mumble-server -ini /etc/murmur/murmur.ini 
-supw '
+   to set the build-in 'SuperUser' password before starting murmur.
+   Please restart dbus before starting murmur, or else dbus
+   registration will fail.
+"
+
+PATCHES=(
+   "${WORKDIR}/mumble-1.4-openssl3.patch"
+   "${WORKDIR}/mumble-1.4-crypto-threads.patch"
+   "${WORKDIR}/mumble-1.4-odr.patch"
+)
+
+src_prepare() {
+   if [[ "${PV}" == * ]] ; then
+   pushd scripts &>/dev/null || die
+   ./mkini.sh || die
+   popd &>/dev/null || die
+   fi
+
+   # Change 

[gentoo-commits] repo/gentoo:master commit in: sys-apps/secilc/

2024-02-09 Thread Kenton Groombridge
commit: 574363f5a9143cdfcf02d0c526a19ea52d89f68f
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:37:28 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:55 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=574363f5

sys-apps/secilc: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/secilc/secilc-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/secilc/secilc-3.6.ebuild 
b/sys-apps/secilc/secilc-3.6.ebuild
index 5c59b25c3742..59d8d927a345 100644
--- a/sys-apps/secilc/secilc-3.6.ebuild
+++ b/sys-apps/secilc/secilc-3.6.ebuild
@@ -16,7 +16,7 @@ if [[ ${PV} ==  ]]; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+   KEYWORDS="amd64 arm arm64 x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libselinux/

2024-02-09 Thread Kenton Groombridge
commit: fbeb6d4f8a1e551dd9ab5082e48942c9b0b4affb
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:37:41 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:57 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbeb6d4f

sys-libs/libselinux: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libselinux/libselinux-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-libs/libselinux/libselinux-3.6.ebuild 
b/sys-libs/libselinux/libselinux-3.6.ebuild
index 941b189dd857..11ce9f3236ba 100644
--- a/sys-libs/libselinux/libselinux-3.6.ebuild
+++ b/sys-libs/libselinux/libselinux-3.6.ebuild
@@ -20,7 +20,7 @@ if [[ ${PV} ==  ]]; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/semodule-utils/

2024-02-09 Thread Kenton Groombridge
commit: 1f382b0971cc90a38d2e806f8e6b6e0307b58a65
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:38:44 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:05 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f382b09

sys-apps/semodule-utils: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/semodule-utils/semodule-utils-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/semodule-utils/semodule-utils-3.6.ebuild 
b/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
index 621cfaf21ea4..c63a41af0b43 100644
--- a/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
+++ b/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} == * ]] ; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/restorecond/

2024-02-09 Thread Kenton Groombridge
commit: cac47e2c7efc03943afb5711686aad6e7a147bb4
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:39:11 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:08 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cac47e2c

sys-apps/restorecond: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/restorecond/restorecond-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/restorecond/restorecond-3.6.ebuild 
b/sys-apps/restorecond/restorecond-3.6.ebuild
index 794b84bc99e8..0b80f0fc989c 100644
--- a/sys-apps/restorecond/restorecond-3.6.ebuild
+++ b/sys-apps/restorecond/restorecond-3.6.ebuild
@@ -14,7 +14,7 @@ if [[ ${PV} == * ]] ; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsemanage/

2024-02-09 Thread Kenton Groombridge
commit: e70aa9e9c0de8663fecbd59c4e26a0d17a41050d
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:37:56 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:59 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e70aa9e9

sys-libs/libsemanage: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libsemanage/libsemanage-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-libs/libsemanage/libsemanage-3.6.ebuild 
b/sys-libs/libsemanage/libsemanage-3.6.ebuild
index eb127413897f..94a270075a5b 100644
--- a/sys-libs/libsemanage/libsemanage-3.6.ebuild
+++ b/sys-libs/libsemanage/libsemanage-3.6.ebuild
@@ -18,7 +18,7 @@ if [[ ${PV} ==  ]]; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/policycoreutils/

2024-02-09 Thread Kenton Groombridge
commit: c4719a957590a9b209422d93c8136075c2781af7
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:38:21 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:02 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4719a95

sys-apps/policycoreutils: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/policycoreutils/policycoreutils-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/policycoreutils/policycoreutils-3.6.ebuild 
b/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
index b8625ff49cd8..e2527faa689b 100644
--- a/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
+++ b/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
@@ -24,7 +24,7 @@ if [[ ${PV} ==  ]]; then
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz

https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2";
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips x86"
S1="${WORKDIR}/${MY_P}"
S2="${WORKDIR}/policycoreutils-extra"
S="${S1}"



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsepol/

2024-02-09 Thread Kenton Groombridge
commit: d395971abc52629d21910ddcb45d82f4737f8e78
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:37:09 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:54 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d395971a

sys-libs/libsepol: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libsepol/libsepol-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-libs/libsepol/libsepol-3.6.ebuild 
b/sys-libs/libsepol/libsepol-3.6.ebuild
index 17fe4da89451..27b0f0542d4c 100644
--- a/sys-libs/libsepol/libsepol-3.6.ebuild
+++ b/sys-libs/libsepol/libsepol-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} ==  ]]; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/selinux-python/

2024-02-09 Thread Kenton Groombridge
commit: 59fab23942e9b457fa21d57a505772bec1331bc9
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:38:32 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:03 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59fab239

sys-apps/selinux-python: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/selinux-python/selinux-python-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/selinux-python/selinux-python-3.6.ebuild 
b/sys-apps/selinux-python/selinux-python-3.6.ebuild
index 20a1fea452bf..df383d6c8c4b 100644
--- a/sys-apps/selinux-python/selinux-python-3.6.ebuild
+++ b/sys-apps/selinux-python/selinux-python-3.6.ebuild
@@ -19,7 +19,7 @@ if [[ ${PV} ==  ]] ; then
S="${WORKDIR}/${P}/${PN#selinux-}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/checkpolicy/

2024-02-09 Thread Kenton Groombridge
commit: e1703fbdbb6f9288b19541b408b55d2283abd853
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:38:09 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:00 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1703fbd

sys-apps/checkpolicy: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/checkpolicy/checkpolicy-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/checkpolicy/checkpolicy-3.6.ebuild 
b/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
index 6d5e91d8b18a..35e87a352156 100644
--- a/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
+++ b/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} ==  ]] ; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/mcstrans/

2024-02-09 Thread Kenton Groombridge
commit: b83fdda18c069a6b5af720db7ebd431091fcd3da
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:38:58 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:06 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b83fdda1

sys-apps/mcstrans: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/mcstrans/mcstrans-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/mcstrans/mcstrans-3.6.ebuild 
b/sys-apps/mcstrans/mcstrans-3.6.ebuild
index bbd7a4cc0378..5e3f390c215e 100644
--- a/sys-apps/mcstrans/mcstrans-3.6.ebuild
+++ b/sys-apps/mcstrans/mcstrans-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} == * ]] ; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz";
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-cluster/flux/

2024-02-10 Thread Kenton Groombridge
commit: 5e7b5b149e0db8406696740901766086e4a69f3a
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Feb 10 18:21:01 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Feb 10 18:21:26 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e7b5b14

sys-cluster/flux: add 2.2.3, drop 2.0.1

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-cluster/flux/Manifest |  6 +++---
 sys-cluster/flux/{flux-2.0.1.ebuild => flux-2.2.3.ebuild} | 12 
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/sys-cluster/flux/Manifest b/sys-cluster/flux/Manifest
index 3271ef37fc3f..f92efbbbc1e1 100644
--- a/sys-cluster/flux/Manifest
+++ b/sys-cluster/flux/Manifest
@@ -1,9 +1,9 @@
 DIST flux-0.41.2.tar.gz 395636 BLAKE2B 
2d1732729709d0f753ff62aa5b5563b9d42f3cde42a98b5356607b640715e30afa9ebdfdb9c71281eff9188c91ea6e6b082ddc2198e4d790a76aaeb155b8ef2f
 SHA512 
c68ad402c99b61ca9ef737749417b48dc4e852544d76311c11d94bff42c2e081a8e11e72e438cb9e1834ec7d48e69a30473aa6ab1d68c2684dde5c2b817000a2
-DIST flux-2.0.1.tar.gz 326362 BLAKE2B 
f42bff5dcbd5960ba8d57f0d65a4c38e597bb6e1beb57bc38f5055c316f121ed07bb38275db6262eb1c0b3bedafd47ec9284cc05ab84f0c6e7aebc7e8458560d
 SHA512 
01c25c2c38c9612ffd280ede66eb01a2d4fced2ae9b4e36053afcb7742cde1aaa909d6ba983a7d60618a66b4e2f3153089bd71b2b8e1d6a0a45737bdef60d1e1
 DIST flux-2.2.2.tar.gz 384815 BLAKE2B 
c79fee58360a5ad988c2bb58ee6ec32245ca685a14d4fa63e7c8c06b7d79d374bf0c22bf1ffe33b16085fb4532ec35503514e91b427aa067a2495e76ec61e9ad
 SHA512 
d4b23ff189261d32f02682b3f57a5a81cb5faec87a8bd5a6cda7c044233761932e9f593c8019d1443fd1c63fb2585ffe6ee28084bf685802b163f36f5a2544a9
+DIST flux-2.2.3.tar.gz 388802 BLAKE2B 
61bdea26e76f330fc5fc2007958551b2ee5127e66eafe9a5fd0b6b4082a9942ca1884c761d3367bb7d5e8ac9868ce6e2a05fbaf02ca82422747c46691318ca29
 SHA512 
5f263cb64b164967b5f66ed150384ab518783304d46e641cda048704a9cc91e011299d007e3734c18b71b660e694609a5ab16e9699ac55901d205fead4a86840
 DIST flux2-0.41.2-deps.tar.xz 166945460 BLAKE2B 
292ac5a66237916f1eeb8460f38f803fbe6bfec7cc6ee09512c0893928478049dbf8d482a897e7f4d5bed537f3cae3d73019d6c793764d1b15dc984724bc4ec7
 SHA512 
da36b3d78066cad548492d368df2b0d31c25a72f4fe4e5791b0c4315d5ed2625da5318b4a010395a587c072a07d23c6d6e7ff3c43bbf201dcd7d45a85dc24297
 DIST flux2-0.41.2-manifests.tar.xz 22904 BLAKE2B 
e23150ff1b7617f144a1250c890cb48bccbfa4547cc2d46b6d6905349c969a8505e2bc23466a469bb0eae326ec571eb5987ae5c0768b648ba6e35b1daec2b039
 SHA512 
ba58ffa05be150e32a30a492d28cdc582c9b0e7162b768a83ca8d44a4a08fca195700f8c124cc39cf85a0c62dfbe380304c0d203d0f05619a1b65284d22278de
-DIST flux2-2.0.1-deps.tar.xz 177273192 BLAKE2B 
36047e5d2232bd6a4b648b78861881aa1c883de9593d0f3172e83115a62649f6369396de05cfd850143581366f8e4501d0e54a4f422515fc7165b823a9833b96
 SHA512 
18ae557760a4c298cc9f7556b460b9c02d2b5516b735881d5907bd934fd4bb83cdf4fc613b8b9a493f65accc24abbc7836a98dfde86386e5d7466efcb8ae995d
-DIST flux2-2.0.1-manifests.tar.xz 22916 BLAKE2B 
00df38e004f2abd52566e642c299522f9e5910104ee88cdc0842b63bedccb10383e17d35eb8a7495db7036641f2fb6a2fe6fe01971017c413e95ba57e73e5894
 SHA512 
db0c3f7013ffec41b657047e53cad01f19427f2e46a94d52efa2e4031482b1b8cddb857fee26ecd35ecdb11029ec0da7f6917f2343730c44338a9b2792695e93
 DIST flux2-2.2.2-deps.tar.xz 179877376 BLAKE2B 
f80135ad82f11a47ace00f3656147069ad8d7c389bbd18b6166c91d7381f06c2cf56371583e47eb2d3d9f6e292428e95c000ad4769a25ef2bdf0c2f6297b67e6
 SHA512 
5f8a82a19b2d5dde597aeaace21315a4feac4777996be18eed61422bae60e710519015ea5162a8818a12d05edfc22f47d1decea2d9a7c7a4488c2377e3b4f5d0
 DIST flux2-2.2.2-manifests.tar.xz 26788 BLAKE2B 
82a233abd4d68d20af7160d39cadef0dd48692d469892b7ebd780a12f8e81ee00ce1e5f09f90f77035b055f85378cd9ce5979bb6af5a8fbc9dd96e1f091453ce
 SHA512 
51ce6b4d2b79c40d55a3df17d0b191ac313099c0d068ee02a3abc57c05aadcc0d3d8eed06793e411d57b31e7aee601e54a2e4f87e6f88d8bb835d5d6bbddf4c3
+DIST flux2-2.2.3-deps.tar.xz 199289224 BLAKE2B 
18ee0bab84ac5c0c33b24dcaa4443fc959f351360bef0316e7b4d007f00428395a9b97c72bd7aeb37158064345de8a4e1263feff5082d67b77a5d4e3f1fe1c4e
 SHA512 
f0636d02498be0047057386929dcaf7251b448e1f3716133e63124c85aec18db5d6a7f55924243f10631f2d1404eae7658eb8ca3d49d130c100e6da6f5102598
+DIST flux2-2.2.3-manifests.tar.xz 26796 BLAKE2B 
f37e25bb07a390cb08928881798ae7e0017b4628cc794a01e2a70bb01c1ff814d2ba39b8251e6ae178af70d8946d24b2fa57df808e36445032b8b8b860f93c12
 SHA512 
28dd16464e8348fe892242dfe9579dd9c6d9cb442c2024445042e314b12210bed75cbfa7d44ec68333d75a0dab6655ff238e5f2b22953f1d88703d3a3df0b562

diff --git a/sys-cluster/flux/flux-2.0.1.ebuild 
b/sys-cluster/flux/flux-2.2.3.ebuild
similarity index 72%
rename from sys-cluster/flux/flux-2.0.1.ebuild
rename to sys-cluster/flux/flux-2.2.3.ebuild
index 3e8f5b0393f5..cad63d502521 100644
--- a/sys-cluster/flux/flux-2.0.1.ebuild
+++ b/sys-cluster/flux/flux-2.2.3.ebuild
@@ -1,14 +1,18 @@
-# Copyright 2023 Gentoo Authors
+# Copyright 2023-2024 Gentoo Authors
 # Distributed under the term

[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/

2024-06-08 Thread Kenton Groombridge
commit: 083e54b61a2dc7172107c5b0ab00c22e100974ad
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Jun  8 19:03:14 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Jun  8 19:12:23 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=083e54b6

net-voip/murmur: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/murmur/Manifest   |  1 +
 net-voip/murmur/murmur-.ebuild | 21 +++--
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/net-voip/murmur/Manifest b/net-voip/murmur/Manifest
index e3a09445c321..a47bcf364138 100644
--- a/net-voip/murmur/Manifest
+++ b/net-voip/murmur/Manifest
@@ -2,3 +2,4 @@ DIST mumble-1.4-crypto-threads.patch.xz 1472 BLAKE2B 
18f64d7b63a5ac253792e31fe27
 DIST mumble-1.4-odr.patch.xz 1088 BLAKE2B 
48a7b04ef31f7d0f4cc7e5632ba8f328e5a7fa6961cd971b66a761366351a9a99e3cecce911c90701688083e03f2b63e6838083a8ab669f86fe0fecf23a8596d
 SHA512 
600807cbd893f585c621e7267ee16e2828428fff17aa7eb36b8595164356ef73be2765a41ff9cd7c549c11a63abbf593b0172e56e07571e1c0a3c86fd14e5f15
 DIST mumble-1.4-openssl3.patch.xz 4172 BLAKE2B 
5b68f023e218628a4d73b0991dcc7790ce5f92ce6a27c372c5e80b1f3a8beafa3ddd6416b884705b321aee31ea4f5e09dda6ceb240272dde64f420fbeb06845a
 SHA512 
3a4e504f3365e93418cb85d0da4e6f2f54ab904283743907604bb39276560a4215d9bea1b225601789d1c3d84d270c04840ec57cd04e3df1204cc586ea42562a
 DIST mumble-1.4.287.tar.gz 9457292 BLAKE2B 
5fc89c184aa54ab8269870fd87b6c9ce271d77c05a6ecb2aa78eccf297ffb842a50a18a142ac628c1b287a2b5e6c0ae0dced3237242303840a4de05b7f3e7040
 SHA512 
34ed30c18257ba8deae6938009a90147c8bc3a0aca28e69bea7ec0262e8d2cdacb9a840fac7d3dd623a52ef8d5903ed5424b62b483af21d6df6aa9632eae9d82
+DIST mumble-1.5.634.tar.gz 26001230 BLAKE2B 
ebd1e3569dd7311d704dbb83ff0ef15875dfaba7a7ba357e3be88800544d4d2217e19a15c0df778deec5a701ddc3692ca3f053651dec1eb1525b7963107ae76e
 SHA512 
5fa9479dd836b87cb84fb6c067019f75aac335aa201baa34939f1c73dd7c67279aed6079aecdab74a14cb6c285b69cb82798de8801b2140ccf99c764b3a84b59

diff --git a/net-voip/murmur/murmur-.ebuild 
b/net-voip/murmur/murmur-.ebuild
index b5d57c5bea38..93abe94c1455 100644
--- a/net-voip/murmur/murmur-.ebuild
+++ b/net-voip/murmur/murmur-.ebuild
@@ -1,7 +1,7 @@
 # Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
 inherit cmake flag-o-matic systemd readme.gentoo-r1 tmpfiles
 
@@ -17,10 +17,8 @@ if [[ "${PV}" ==  ]] ; then
'-*'
3rdparty/cmake-compiler-flags
3rdparty/FindPythonInterpreter
-   3rdparty/gsl
+   3rdparty/flag-icons
3rdparty/minhook
-   3rdparty/opus
-   3rdparty/rnnoise-src
3rdparty/speexdsp
3rdparty/tracy
)
@@ -33,11 +31,10 @@ else
else
MY_PV="${PV/_/-}"
MY_P="${MY_PN}-${MY_PV}"
-   
SRC_URI="https://github.com/mumble-voip/mumble/releases/download/${MY_PV}/${MY_P}.tar.gz
-   https://dl.mumble.info/${MY_P}.tar.gz";
-   S="${WORKDIR}/${MY_PN}-${PV/_*}.src"
+   
SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz";
+   S="${WORKDIR}/${MY_PN}-${PV/_*}"
fi
-   KEYWORDS="~amd64 ~x86"
+   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 fi
 
 LICENSE="BSD"
@@ -48,6 +45,7 @@ RESTRICT="!test? ( test )"
 RDEPEND="
acct-group/murmur
acct-user/murmur
+   dev-cpp/ms-gsl
>=dev-libs/openssl-1.0.0b:0=
>=dev-libs/protobuf-2.2.0:=
dev-qt/qtcore:5
@@ -102,11 +100,10 @@ src_prepare() {
 src_configure() {
local mycmakeargs=(
-DBUILD_TESTING="$(usex test)"
+   -Dbundled-gsl="OFF"
-Dclient="OFF"
-   -Dg15="OFF"
-Dice="$(usex ice)"
-DMUMBLE_INSTALL_SYSCONFDIR="/etc/murmur"
-   -Doverlay="OFF"
-Dserver="ON"
-DMUMBLE_INSTALL_SERVICEFILEDIR=$(systemd_get_systemunitdir)
-DMUMBLE_INSTALL_SYSUSERSDIR=$(systemd_get_userunitdir)
@@ -146,6 +143,10 @@ src_install() {
fowners -R murmur /var/lib/murmur /var/log/murmur
fperms 750 /var/lib/murmur /var/log/murmur
 
+   mv "${ED}"/etc/murmur/mumble-server.ini "${ED}"/etc/murmur/murmur.ini 
|| die
+   mv "${ED}"/usr/lib/systemd/system/mumble-server.service 
"${ED}"/usr/lib/systemd/system/murmur.service || die
+   sed -ie 's|mumble-server\.ini|murmur.ini|' 
"${ED}"/usr/lib/systemd/system/murmur.service || die
+
readme.gentoo_create_doc
 }
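Review bot: `sed -ie` on the renamed unit is `-i` with backup suffix `e`, so it leaves a stray `murmur.servicee` in the image next to the real unit; the flag should be plain `-i`. The two new `mv`/`sed` lines also hard-code `"${ED}"/usr/lib/systemd/system` while src_configure in this same file places the unit at `$(systemd_get_systemunitdir)`, so wherever that eclass value differs (split-usr layouts, presumably) the rename operates on a path nothing was installed to and `|| die` aborts the merge. Use `"${D}$(systemd_get_systemunitdir)/mumble-server.service"` and `"${D}$(systemd_get_systemunitdir)/murmur.service"` in both the `mv` and the `sed` (`${D}` rather than `${ED}` only if the eclass value already carries EPREFIX — confirm). Renaming the ini to `murmur.ini` also leaves the DOC_CONTENTS text in this same blob (93abe94c1455, visible in the murmur-1.5.634 add commit) telling the admin to pass `-ini /etc/murmur/mumble-server.ini`, a file that no longer exists after install.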
 



[gentoo-commits] repo/gentoo:master commit in: net-voip/mumble/

2024-06-08 Thread Kenton Groombridge
commit: a5ea41964e51a7daf67b26d2a5a9b6d9d9e19314
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Jun  8 19:03:50 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Jun  8 19:12:45 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5ea4196

net-voip/mumble: add 1.5.634

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/mumble/Manifest  |   1 +
 net-voip/mumble/mumble-1.5.634.ebuild | 156 ++
 2 files changed, 157 insertions(+)

diff --git a/net-voip/mumble/Manifest b/net-voip/mumble/Manifest
index e3a09445c321..a47bcf364138 100644
--- a/net-voip/mumble/Manifest
+++ b/net-voip/mumble/Manifest
@@ -2,3 +2,4 @@ DIST mumble-1.4-crypto-threads.patch.xz 1472 BLAKE2B 
18f64d7b63a5ac253792e31fe27
 DIST mumble-1.4-odr.patch.xz 1088 BLAKE2B 
48a7b04ef31f7d0f4cc7e5632ba8f328e5a7fa6961cd971b66a761366351a9a99e3cecce911c90701688083e03f2b63e6838083a8ab669f86fe0fecf23a8596d
 SHA512 
600807cbd893f585c621e7267ee16e2828428fff17aa7eb36b8595164356ef73be2765a41ff9cd7c549c11a63abbf593b0172e56e07571e1c0a3c86fd14e5f15
 DIST mumble-1.4-openssl3.patch.xz 4172 BLAKE2B 
5b68f023e218628a4d73b0991dcc7790ce5f92ce6a27c372c5e80b1f3a8beafa3ddd6416b884705b321aee31ea4f5e09dda6ceb240272dde64f420fbeb06845a
 SHA512 
3a4e504f3365e93418cb85d0da4e6f2f54ab904283743907604bb39276560a4215d9bea1b225601789d1c3d84d270c04840ec57cd04e3df1204cc586ea42562a
 DIST mumble-1.4.287.tar.gz 9457292 BLAKE2B 
5fc89c184aa54ab8269870fd87b6c9ce271d77c05a6ecb2aa78eccf297ffb842a50a18a142ac628c1b287a2b5e6c0ae0dced3237242303840a4de05b7f3e7040
 SHA512 
34ed30c18257ba8deae6938009a90147c8bc3a0aca28e69bea7ec0262e8d2cdacb9a840fac7d3dd623a52ef8d5903ed5424b62b483af21d6df6aa9632eae9d82
+DIST mumble-1.5.634.tar.gz 26001230 BLAKE2B 
ebd1e3569dd7311d704dbb83ff0ef15875dfaba7a7ba357e3be88800544d4d2217e19a15c0df778deec5a701ddc3692ca3f053651dec1eb1525b7963107ae76e
 SHA512 
5fa9479dd836b87cb84fb6c067019f75aac335aa201baa34939f1c73dd7c67279aed6079aecdab74a14cb6c285b69cb82798de8801b2140ccf99c764b3a84b59

diff --git a/net-voip/mumble/mumble-1.5.634.ebuild 
b/net-voip/mumble/mumble-1.5.634.ebuild
new file mode 100644
index ..4ba02c3ee8b2
--- /dev/null
+++ b/net-voip/mumble/mumble-1.5.634.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+inherit cmake flag-o-matic multilib python-any-r1 xdg
+
+DESCRIPTION="Mumble is an open source, low-latency, high quality voice chat 
software"
+HOMEPAGE="https://wiki.mumble.info";
+if [[ "${PV}" ==  ]] ; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/mumble-voip/mumble.git";
+
+   # needed for the included 3rdparty license script,
+   # even if these components may not be compiled in
+   EGIT_SUBMODULES=(
+   '-*'
+   3rdparty/cmake-compiler-flags
+   3rdparty/FindPythonInterpreter
+   3rdparty/flag-icons
+   3rdparty/minhook
+   3rdparty/renamenoise
+   3rdparty/speexdsp
+   3rdparty/tracy
+   )
+else
+   if [[ "${PV}" == *_pre* ]] ; then
+   SRC_URI="https://dev.gentoo.org/~concord/distfiles/${P}.tar.xz";
+   else
+   MY_PV="${PV/_/-}"
+   MY_P="${PN}-${MY_PV}"
+   
SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz";
+   S="${WORKDIR}/${P/_*}"
+   fi
+   KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
+fi
+
+LICENSE="BSD MIT"
+SLOT="0"
+IUSE="+alsa debug g15 jack pipewire portaudio pulseaudio multilib nls +rnnoise 
speech test zeroconf"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+   dev-cpp/ms-gsl
+   >=dev-libs/openssl-1.0.0b:0=
+   dev-libs/poco[util,xml,zip]
+   >=dev-libs/protobuf-2.2.0:=
+   dev-qt/qtcore:5
+   dev-qt/qtdbus:5
+   dev-qt/qtgui:5
+   dev-qt/qtnetwork:5[ssl]
+   dev-qt/qtsql:5[sqlite]
+   dev-qt/qtsvg:5
+   dev-qt/qtwidgets:5
+   dev-qt/qtxml:5
+   >=media-libs/libsndfile-1.0.20[-minimal]
+   >=media-libs/opus-1.3.1
+   >=media-libs/speex-1.2.0
+   media-libs/speexdsp
+   sys-apps/lsb-release
+   x11-libs/libX11
+   x11-libs/libXi
+   alsa? ( media-libs/alsa-lib )
+   g15? ( app-misc/g15daemon:= )
+   jack? ( virtual/jack )
+   portaudio? ( media-libs/portaudio )
+   pulseaudio? ( media-libs/libpulse )
+   pipewire? ( media-video/pipewire )
+   speech? ( >=app-accessibility/speech-dispatcher-0.8.0 )
+   zeroconf? ( net-dns/avahi[mdnsresponder-compat] )
+"
+DEPEND="${RDEPEND}
+   ${PYTHON_DEPS}
+   dev-cpp/nlohmann_json
+   dev-q

[gentoo-commits] repo/gentoo:master commit in: net-voip/mumble/

2024-06-08 Thread Kenton Groombridge
commit: 29c33ec9cc06ea99ddc437af9ac2062e207dee9a
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Jun  8 19:03:39 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Jun  8 19:12:39 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29c33ec9

net-voip/mumble: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/mumble/mumble-.ebuild | 23 +++
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/net-voip/mumble/mumble-.ebuild 
b/net-voip/mumble/mumble-.ebuild
index 79e98b80ec73..4ba02c3ee8b2 100644
--- a/net-voip/mumble/mumble-.ebuild
+++ b/net-voip/mumble/mumble-.ebuild
@@ -1,10 +1,10 @@
 # Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
-PYTHON_COMPAT=( python3_{9..11} )
-inherit cmake flag-o-matic python-any-r1 xdg
+PYTHON_COMPAT=( python3_{10..12} )
+inherit cmake flag-o-matic multilib python-any-r1 xdg
 
 DESCRIPTION="Mumble is an open source, low-latency, high quality voice chat 
software"
 HOMEPAGE="https://wiki.mumble.info";
@@ -18,10 +18,9 @@ if [[ "${PV}" ==  ]] ; then
'-*'
3rdparty/cmake-compiler-flags
3rdparty/FindPythonInterpreter
-   3rdparty/gsl
+   3rdparty/flag-icons
3rdparty/minhook
-   3rdparty/opus
-   3rdparty/rnnoise-src
+   3rdparty/renamenoise
3rdparty/speexdsp
3rdparty/tracy
)
@@ -32,21 +31,23 @@ else
MY_PV="${PV/_/-}"
MY_P="${PN}-${MY_PV}"

SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz";
-   S="${WORKDIR}/${P/_*}.src"
+   S="${WORKDIR}/${P/_*}"
fi
KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
 fi
 
 LICENSE="BSD MIT"
 SLOT="0"
-IUSE="+alsa +dbus debug g15 jack pipewire portaudio pulseaudio multilib nls 
+rnnoise speech test zeroconf"
+IUSE="+alsa debug g15 jack pipewire portaudio pulseaudio multilib nls +rnnoise 
speech test zeroconf"
 RESTRICT="!test? ( test )"
 
 RDEPEND="
+   dev-cpp/ms-gsl
>=dev-libs/openssl-1.0.0b:0=
dev-libs/poco[util,xml,zip]
>=dev-libs/protobuf-2.2.0:=
dev-qt/qtcore:5
+   dev-qt/qtdbus:5
dev-qt/qtgui:5
dev-qt/qtnetwork:5[ssl]
dev-qt/qtsql:5[sqlite]
@@ -61,7 +62,6 @@ RDEPEND="
x11-libs/libX11
x11-libs/libXi
alsa? ( media-libs/alsa-lib )
-   dbus? ( dev-qt/qtdbus:5 )
g15? ( app-misc/g15daemon:= )
jack? ( virtual/jack )
portaudio? ( media-libs/portaudio )
@@ -98,10 +98,9 @@ src_configure() {
 
local mycmakeargs=(
-Dalsa="$(usex alsa)"
+   -Dbundled-gsl="OFF"
-Dbundled-json="OFF"
-   -Dbundled-opus="OFF"
-Dbundled-speex="OFF"
-   -Ddbus="$(usex dbus)"
-Dg15="$(usex g15)"
-Djackaudio="$(usex jack)"
-Doverlay="ON"
@@ -109,7 +108,7 @@ src_configure() {
-Doverlay-xcompile="$(usex multilib)"
-Dpipewire="$(usex pipewire)"
-Dpulseaudio="$(usex pulseaudio)"
-   -Drnnoise="$(usex rnnoise)"
+   -Drenamenoise="$(usex rnnoise)"
-Dserver="OFF"
-Dspeechd="$(usex speech)"
-Dtests="$(usex test)"
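Review bot: The new `-Drenamenoise="$(usex rnnoise)"` line maps a cmake option to a USE flag of a different name with no explanation, which reads like a typo to the next maintainer. The submodule hunk earlier in this diff swaps `3rdparty/rnnoise-src` for `3rdparty/renamenoise`, which is presumably the reason; a one-line comment above it would record that: `# upstream replaced rnnoise with renamenoise; the USE flag keeps its old name so existing user settings still apply`. src_configure's body starts outside the hunk.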



[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/

2024-06-08 Thread Kenton Groombridge
commit: 31bb78f3483a2fdf9c9c116c8ba5f3f017a92093
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Jun  8 19:03:27 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Jun  8 19:12:33 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31bb78f3

net-voip/murmur: add 1.5.634

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/murmur/murmur-1.5.634.ebuild | 161 ++
 1 file changed, 161 insertions(+)

diff --git a/net-voip/murmur/murmur-1.5.634.ebuild 
b/net-voip/murmur/murmur-1.5.634.ebuild
new file mode 100644
index ..93abe94c1455
--- /dev/null
+++ b/net-voip/murmur/murmur-1.5.634.ebuild
@@ -0,0 +1,161 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit cmake flag-o-matic systemd readme.gentoo-r1 tmpfiles
+
+DESCRIPTION="Mumble is an open source, low-latency, high quality voice chat 
software"
+HOMEPAGE="https://wiki.mumble.info";
+if [[ "${PV}" ==  ]] ; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/mumble-voip/mumble.git";
+
+   # needed for the included 3rdparty license script,
+   # even if these components may not be compiled in
+   EGIT_SUBMODULES=(
+   '-*'
+   3rdparty/cmake-compiler-flags
+   3rdparty/FindPythonInterpreter
+   3rdparty/flag-icons
+   3rdparty/minhook
+   3rdparty/speexdsp
+   3rdparty/tracy
+   )
+else
+   MY_PN="mumble"
+   if [[ "${PV}" == *_pre* ]] ; then
+   MY_P="${MY_PN}-${PV}"
+   
SRC_URI="https://dev.gentoo.org/~concord/distfiles/${MY_P}.tar.xz";
+   S="${WORKDIR}/${MY_P}"
+   else
+   MY_PV="${PV/_/-}"
+   MY_P="${MY_PN}-${MY_PV}"
+   
SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz";
+   S="${WORKDIR}/${MY_PN}-${PV/_*}"
+   fi
+   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+fi
+
+LICENSE="BSD"
+SLOT="0"
+IUSE="+ice test zeroconf"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+   acct-group/murmur
+   acct-user/murmur
+   dev-cpp/ms-gsl
+   >=dev-libs/openssl-1.0.0b:0=
+   >=dev-libs/protobuf-2.2.0:=
+   dev-qt/qtcore:5
+   dev-qt/qtdbus:5
+   dev-qt/qtnetwork:5[ssl]
+   || (
+   dev-qt/qtsql:5[sqlite]
+   dev-qt/qtsql:5[mysql]
+   )
+   dev-qt/qtxml:5
+   sys-apps/lsb-release
+   >=sys-libs/libcap-2.15
+   ice? ( dev-libs/Ice:= )
+   zeroconf? ( net-dns/avahi[mdnsresponder-compat] )
+"
+
+DEPEND="${RDEPEND}
+   dev-libs/boost
+   dev-qt/qttest:5
+"
+BDEPEND="
+   acct-group/murmur
+   acct-user/murmur
+   virtual/pkgconfig
+"
+
+DISABLE_AUTOFORMATTING="yes"
+DOC_CONTENTS="
+The default 'SuperUser' password will be written into the log file
+when starting murmur for the first time.
+
+If you want to manually set a password yourself, please execute:
+su murmur -s /bin/bash -c 'mumble-server -ini /etc/murmur/mumble-server.ini 
-supw '
+
+This will set the built-in 'SuperUser' password to '' when starting murmur.
+"
+
+src_prepare() {
+   # Adjust default server settings to be correct for our default setup
+   sed \
+   -e 's:database=:database=/var/lib/murmur/database.sqlite:' \
+   -e 
's:;logfile=mumble-server.log:logfile=/var/log/murmur/murmur.log:' \
+   -e 's:;pidfile=:pidfile=/run/murmur/murmur.pid:' \
+   -i auxiliary_files/mumble-server.ini || die
+
+   # Replace the default group and user _mumble-server with murmur
+   grep -r -l _mumble-server auxiliary_files/ | xargs sed -i 
's/_mumble-server/murmur/g' || die
+
+   cmake_src_prepare
+}
+
+src_configure() {
+   local mycmakeargs=(
+   -DBUILD_TESTING="$(usex test)"
+   -Dbundled-gsl="OFF"
+   -Dclient="OFF"
+   -Dice="$(usex ice)"
+   -DMUMBLE_INSTALL_SYSCONFDIR="/etc/murmur"
+   -Dserver="ON"
+   -DMUMBLE_INSTALL_SERVICEFILEDIR=$(systemd_get_systemunitdir)
+   -DMUMBLE_INSTALL_SYSUSERSDIR=$(systemd_get_userunitdir)
+   -DMUMBLE_INSTALL_TMPFILESDIR="/usr/lib/tmpfiles.d"
+   -Dzeroconf="$(usex zeroconf)"
+   )
+   if [[ "${PV}" !=  ]] ; then
+   mycmakeargs+=( -DBUILD_NUMBER="$(ver_cut 3)" )
+   fi
+
+   # https://bugs.ge

[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/

2024-06-09 Thread Kenton Groombridge
commit: 4f9b82151f9db60951268508ee4986d21bcebe18
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sun Jun  9 16:32:51 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sun Jun  9 16:35:27 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4f9b8215

net-voip/murmur: fix split-usr handling of systemd unit rename

Closes: https://bugs.gentoo.org/933856
Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/murmur/murmur-1.5.634.ebuild | 5 +++--
 net-voip/murmur/murmur-.ebuild| 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/net-voip/murmur/murmur-1.5.634.ebuild 
b/net-voip/murmur/murmur-1.5.634.ebuild
index 93abe94c1455..be38ba9a0de5 100644
--- a/net-voip/murmur/murmur-1.5.634.ebuild
+++ b/net-voip/murmur/murmur-1.5.634.ebuild
@@ -144,8 +144,9 @@ src_install() {
fperms 750 /var/lib/murmur /var/log/murmur
 
mv "${ED}"/etc/murmur/mumble-server.ini "${ED}"/etc/murmur/murmur.ini 
|| die
-   mv "${ED}"/usr/lib/systemd/system/mumble-server.service 
"${ED}"/usr/lib/systemd/system/murmur.service || die
-   sed -ie 's|mumble-server\.ini|murmur.ini|' 
"${ED}"/usr/lib/systemd/system/murmur.service || die
+   mv "${D}/$(systemd_get_systemunitdir)/mumble-server.service" \
+   "${D}/$(systemd_get_systemunitdir)/murmur.service" || die
+   sed -i 's|mumble-server\.ini|murmur.ini|' 
"${D}/$(systemd_get_systemunitdir)/murmur.service" || die
 
readme.gentoo_create_doc
 }

diff --git a/net-voip/murmur/murmur-.ebuild 
b/net-voip/murmur/murmur-.ebuild
index 93abe94c1455..be38ba9a0de5 100644
--- a/net-voip/murmur/murmur-.ebuild
+++ b/net-voip/murmur/murmur-.ebuild
@@ -144,8 +144,9 @@ src_install() {
fperms 750 /var/lib/murmur /var/log/murmur
 
mv "${ED}"/etc/murmur/mumble-server.ini "${ED}"/etc/murmur/murmur.ini 
|| die
-   mv "${ED}"/usr/lib/systemd/system/mumble-server.service 
"${ED}"/usr/lib/systemd/system/murmur.service || die
-   sed -ie 's|mumble-server\.ini|murmur.ini|' 
"${ED}"/usr/lib/systemd/system/murmur.service || die
+   mv "${D}/$(systemd_get_systemunitdir)/mumble-server.service" \
+   "${D}/$(systemd_get_systemunitdir)/murmur.service" || die
+   sed -i 's|mumble-server\.ini|murmur.ini|' 
"${D}/$(systemd_get_systemunitdir)/murmur.service" || die
 
readme.gentoo_create_doc
 }


