control: tags -1 patch Patches attached.
Included a bunch of modernizations; the ones critical for the autopkgtest are 0013-Fix-brctl-patch-to-pass-neverallow-check.patch and 0014-Add-autopkgtest-Closes-1012841.patch.
From 909f9bb0da70dcb219d42c126e426554342d87f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:09:00 +0200
Subject: [PATCH 02/14] Drop unused script

---
 debian/gen-deps.sh | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100755 debian/gen-deps.sh

diff --git a/debian/gen-deps.sh b/debian/gen-deps.sh
deleted file mode 100755
index f6ee0f1..0000000
--- a/debian/gen-deps.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/bin/bash
-cd /usr/share/selinux/default || exit 1
-
-SEP="my %Deps = ("
-semodule_deps base.pp a*pp backup.pp b[i-z]*pp [c-z]*pp | while read INPUT ; do
- echo $INPUT | grep -q ^module
- if [ "$?" = "0" ]; then
- MODULE=$(echo $INPUT|sed -e s/^module..//)
- else
- echo $INPUT | grep -q "no dependencies"
- if [ "$?" = "1" -a "$INPUT" != "}" ]; then
- echo -n "$SEP"
- SEP=", "
- echo -n " '$MODULE' => '$INPUT'"
- fi
- fi
-done
-
-echo " );"
-- 
2.39.1
From 77cbd1f0551f51e8b147678a1ca1bc16c2b25d79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:08:03 +0200
Subject: [PATCH 01/14] Bump to debhelper compat level 13

dh_missing --fail-missing is now the default.
---
 debian/compat | 1 -
 debian/control | 2 +-
 debian/rules | 4 ----
 3 files changed, 1 insertion(+), 6 deletions(-)
 delete mode 100644 debian/compat

diff --git a/debian/compat b/debian/compat
deleted file mode 100644
index b4de394..0000000
--- a/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-11
diff --git a/debian/control b/debian/control
index a83806f..fea4187 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,7 @@ Homepage: https://github.com/SELinuxProject/refpolicy/releases
 Maintainer: Debian SELinux maintainers <selinux-de...@lists.alioth.debian.org>
 Uploaders: Russell Coker <russ...@coker.com.au>
 Standards-Version: 4.4.0
-Build-Depends: debhelper (>= 11)
+Build-Depends: debhelper-compat (= 13)
 Build-Depends-Indep: bzip2,
 checkpolicy (>= 3.3),
 gawk,
diff --git a/debian/rules b/debian/rules
index 5b86e70..79c6ffd 100755
--- a/debian/rules
+++ b/debian/rules
@@ -22,10 +22,6 @@ endif
 
 override_dh_auto_configure: $(patsubst %, conf-%-policy, $(FLAVOURS)) conf-docs conf-src
 
-override_dh_install:
- dh_install
- dh_missing --fail-missing
-
 override_dh_fixperms:
 dh_fixperms
 chmod +x $(CURDIR)/debian/selinux-policy-dev/usr/share/selinux/devel/include/support/segenxml.py
-- 
2.39.1
From 0a2c8769286321752fd51705b0161e2052695e76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:43:57 +0200
Subject: [PATCH 05/14] Drop unused remove statement

rm: cannot remove 'selinux-policy-src/support/pyplate.pyc': No such file or directory
---
 debian/rules | 1 -
 1 file changed, 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 5147deb..056042e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -164,7 +164,6 @@ install-src: conf-src
 $(CURDIR)/debian/tmp/etc/selinux/default/src/policy/build.conf
 (cd $(CURDIR)/debian/tmp/etc/selinux/default/src/; mv policy selinux-policy-src; \
 rm -rf selinux-policy-src/support/__pycache__/; \
- rm selinux-policy-src/support/pyplate.pyc; \
 find selinux-policy-src -type f -print0 | xargs -0r chmod 0644; \
 find selinux-policy-src -type d -print0 | xargs -0r chmod 0755; \
 TZ=UTC tar -cf - --sort=name --mtime="$(BUILD_DATE)" selinux-policy-src | gzip -9n > $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.gz)
-- 
2.39.1
From ab1fb89f23db846d99d8cbd854742b64c376c14b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:43:19 +0200
Subject: [PATCH 04/14] Drop usage of GZIP environment variable

gzip: warning: GZIP environment variable is deprecated; use an alias or script
---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 79c6ffd..5147deb 100755
--- a/debian/rules
+++ b/debian/rules
@@ -167,6 +167,6 @@ install-src: conf-src
 rm selinux-policy-src/support/pyplate.pyc; \
 find selinux-policy-src -type f -print0 | xargs -0r chmod 0644; \
 find selinux-policy-src -type d -print0 | xargs -0r chmod 0755; \
- TZ=UTC GZIP="-9n" tar zfc $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.gz --sort=name --mtime="$(BUILD_DATE)" selinux-policy-src)
+ TZ=UTC tar -cf - --sort=name --mtime="$(BUILD_DATE)" selinux-policy-src | gzip -9n > $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.gz)
 rm -rf $(CURDIR)/debian/tmp/etc/selinux/default/src/
 touch $@
-- 
2.39.1
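Review bot: In the new `tar -cf - ... | gzip -9n > ...tar.gz` pipeline the recipe's exit status is gzip's, so a tar failure (unreadable file, missing directory) leaves a truncated-but-newer tarball behind and the build carries on; debian/rules recipes run under /bin/sh, so `set -o pipefail` is not available to fix this. Let tar drive the compressor instead, which fails the recipe on either error and keeps the output reproducible: `TZ=UTC tar --use-compress-program='gzip -9n' -cf $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.gz --sort=name --mtime="$(BUILD_DATE)" selinux-policy-src)`. GNU tar accepts arguments in `--use-compress-program` in the 1.29 that the series elsewhere treats as the floor, but please confirm on the oldest target release. The install-src recipe begins before this hunk.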
From e5cd5cc7fe77d14d5b326ec7972891ed504ffb60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:14:32 +0200
Subject: [PATCH 03/14] Drop unnecessary build dependencies

* Drop libsepol, nowhere used (checkpolicy is statically linked against it).
* Drop tar, which is essential, and oldoldstable (stretch) ships 1.29.
---
 debian/control | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/debian/control b/debian/control
index fea4187..9bd014c 100644
--- a/debian/control
+++ b/debian/control
@@ -11,14 +11,10 @@ Build-Depends: debhelper-compat (= 13)
 Build-Depends-Indep: bzip2,
 checkpolicy (>= 3.3),
 gawk,
- libsepol2 (>= 3.3),
 m4,
 policycoreutils (>= 3.3),
 policycoreutils-python-utils (>= 3.3),
- python3,
-# Needed for the --sort=name option, can probably be removed when this version
-# hits stable.
- tar (>= 1.28)
+ python3
 
 Package: selinux-policy-default
 Architecture: all
-- 
2.39.1
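Review bot: Dropping the explicit `libsepol2 (>= 3.3)` floor is only safe if the runtime libsepol that actually links and expands the modules is guaranteed to be new enough; the static copy inside checkpolicy does not help, because semodule_package/semodule_link/semodule_expand (shipped in policycoreutils, as far as I can tell) use the shared libsepol2. The shlibs dependency policycoreutils carries on libsepol2 is derived from symbol usage and may well be looser than 3.3, so a build could succeed against an older libsepol lacking the policy-language features this refpolicy snapshot needs and fail only at link or expand time. Either keep the versioned build-dependency, or document why `policycoreutils (>= 3.3)` already implies it, e.g. `# libsepol2 >= 3.3 is implied via policycoreutils' shlibs dependency`. Removing `tar` is fine.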
From e1525a842cf65732e42f5b932d4f1fdad5b69270 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:46:01 +0200
Subject: [PATCH 07/14] Avoid use of cute fields

P: refpolicy source: cute-field VCS-Browser vs Vcs-Browser [debian/control:3]
N:
N: The named field uses a free-style form of capitalization, which is permitted by policy. The alternative offered is probably a more common variant in the archive.
N:
N: Please refer to Syntax of control files (Section 5.1) in the Debian Policy Manual for details.
N:
N: Visibility: pedantic
N: Show-Always: no
N: Check: fields/style
N:
P: refpolicy source: cute-field VCS-Git vs Vcs-Git [debian/control:2]
---
 debian/control | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/control b/debian/control
index 9bd014c..fc7a805 100644
--- a/debian/control
+++ b/debian/control
@@ -1,6 +1,6 @@
 Source: refpolicy
-VCS-Git: https://salsa.debian.org/selinux-team/refpolicy.git
-VCS-Browser: https://salsa.debian.org/selinux-team/refpolicy
+Vcs-Git: https://salsa.debian.org/selinux-team/refpolicy.git
+Vcs-Browser: https://salsa.debian.org/selinux-team/refpolicy
 Priority: optional
 Section: admin
 Homepage: https://github.com/SELinuxProject/refpolicy/releases
-- 
2.39.1
From 1ff685839c5332b4dce272cb698829a19f58b12f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:45:00 +0200
Subject: [PATCH 06/14] Update format of Lintian tags

---
 debian/selinux-policy-default.lintian-overrides | 2 +-
 debian/selinux-policy-mls.lintian-overrides | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/selinux-policy-default.lintian-overrides b/debian/selinux-policy-default.lintian-overrides
index 363dd91..1ade564 100644
--- a/debian/selinux-policy-default.lintian-overrides
+++ b/debian/selinux-policy-default.lintian-overrides
@@ -1 +1 @@
-selinux-policy-default: non-standard-dir-perm var/lib/selinux/default/ 0700 != 0755
+selinux-policy-default: non-standard-dir-perm 0700 != 0755 [var/lib/selinux/default/]
diff --git a/debian/selinux-policy-mls.lintian-overrides b/debian/selinux-policy-mls.lintian-overrides
index a192c8c..5f139d6 100644
--- a/debian/selinux-policy-mls.lintian-overrides
+++ b/debian/selinux-policy-mls.lintian-overrides
@@ -1 +1 @@
-selinux-policy-mls: non-standard-dir-perm var/lib/selinux/mls/ 0700 != 0755
+selinux-policy-mls: non-standard-dir-perm 0700 != 0755 [var/lib/selinux/mls/]
-- 
2.39.1
From 1d3e22b3da1af2b9e585ad1b8dd460f0ca62d52d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:46:28 +0200
Subject: [PATCH 08/14] Specify Rules-Requires-Root

---
 debian/control | 1 +
 debian/rules | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index fc7a805..8e3a733 100644
--- a/debian/control
+++ b/debian/control
@@ -7,6 +7,7 @@ Homepage: https://github.com/SELinuxProject/refpolicy/releases
 Maintainer: Debian SELinux maintainers <selinux-de...@lists.alioth.debian.org>
 Uploaders: Russell Coker <russ...@coker.com.au>
 Standards-Version: 4.4.0
+Rules-Requires-Root: no
 Build-Depends: debhelper-compat (= 13)
 Build-Depends-Indep: bzip2,
 checkpolicy (>= 3.3),
diff --git a/debian/rules b/debian/rules
index 056042e..06bd8da 100755
--- a/debian/rules
+++ b/debian/rules
@@ -160,7 +160,7 @@ install-src: conf-src
 mv modules.conf modules.conf.dist; \
 fi; \
 ln -sf modules.conf.mls modules.conf)
- install -p -o root -g root -m 644 debian/build.conf.default \
+ install -p -m 644 debian/build.conf.default \
 $(CURDIR)/debian/tmp/etc/selinux/default/src/policy/build.conf
 (cd $(CURDIR)/debian/tmp/etc/selinux/default/src/; mv policy selinux-policy-src; \
 rm -rf selinux-policy-src/support/__pycache__/; \
-- 
2.39.1
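Review bot: With `Rules-Requires-Root: no` the ownership of files under debian/tmp is normalised by dpkg-deb at packaging time, but the selinux-policy-src.tar.gz archive that this same install-src recipe builds a few lines further down (outside the hunk) records the unprivileged build user's uid, gid and names inside the tarball, where nothing corrects them; that makes the archive differ between builders and unpacks as a random user on the target. Pass `--owner=0 --group=0 --numeric-owner` to that tar invocation so the archive is root-owned and reproducible. Dropping `-o root -g root` from `install` is right and in fact required, since install would fail with those options when not running as root. The install-src recipe begins and ends outside this hunk.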
From 272b65c57b730c77aaed9dd486c0f505cc9fa29b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:48:31 +0200
Subject: [PATCH 10/14] Ignore long lines in upstream source

---
 debian/source/lintian-overrides | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 debian/source/lintian-overrides

diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..9aab8ee
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+refpolicy source: very-long-line-length-in-source-file * > 512 [policy/mls:197]
+refpolicy source: very-long-line-length-in-source-file * > 512 [policy/support/obj_perm_sets.spt:37]
-- 
2.39.1
From 679956f4da750ef878637a969fcace3f68b5ecd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 21:47:06 +0200
Subject: [PATCH 09/14] Update URLs in copyright

---
 debian/copyright | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/copyright b/debian/copyright
index 6ff0a29..5c7f387 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,5 +1,5 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Source: http://oss.tresys.com/projects/refpolicy
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://github.com/SELinuxProject/refpolicy
 License: GPL-2+
 
 Files: *
-- 
2.39.1
From 9599f7f5dc870630cc84021d079732178b84314e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 23:12:09 +0200
Subject: [PATCH 12/14] Fix patch hunk for previous patch

---
 .../0001-Make-default-and-root-mcs-seusers-unconfined.patch | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/patches/0001-Make-default-and-root-mcs-seusers-unconfined.patch b/debian/patches/0001-Make-default-and-root-mcs-seusers-unconfined.patch
index 1b533f8..7f2a25c 100644
--- a/debian/patches/0001-Make-default-and-root-mcs-seusers-unconfined.patch
+++ b/debian/patches/0001-Make-default-and-root-mcs-seusers-unconfined.patch
@@ -10,11 +10,12 @@ Index: refpolicy-2.20210130/config/appconfig-mcs/seusers
 ===================================================================
 --- refpolicy-2.20210130.orig/config/appconfig-mcs/seusers
 +++ refpolicy-2.20210130/config/appconfig-mcs/seusers
-@@ -1,2 +1,2 @@
+@@ -1,3 +1,3 @@
 -root:root:s0-mcs_systemhigh
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0-mcs_systemhigh
+ sddm:xdm:s0
 Index: refpolicy-2.20210130/policy/constraints
 ===================================================================
 --- refpolicy-2.20210130.orig/policy/constraints
-- 
2.39.1
From 306da6576a74ca7b9f713082a938ca1b9fa69973 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com> Date: Mon, 19 Sep 2022 21:49:19 +0200 Subject: [PATCH 11/14] Drop trailing spaces in changelog refpolicy source: trailing-whitespace [debian/changelog:206] --- debian/changelog | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/debian/changelog b/debian/changelog index c16279f..548f4c2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -265,7 +265,7 @@ refpolicy (2:2.20210203-4) unstable; urgency=medium Allow chromium to run naclhelper with nnp_transition Allow chromium to watch root dirs Allow chromium to read/write unix sockets from the calling domain - * Make Postgresql use postgresql_tmpfs_t for tmpfs files and make + * Make Postgresql use postgresql_tmpfs_t for tmpfs files and make mon_local_test_t and systemd_logind_t not have getattr access to tmpfs files audited. * Allow systemd_user_runtime_dir_t to unlink device nodes of type @@ -348,7 +348,7 @@ refpolicy (2:2.20210126-1) unstable; urgency=medium consoletype dcc ddcprobe denyhosts dspam firstboot howl imaze jockey ktalk lockdev lsm mailscanner mcelog oav polipo pyicqt resmgr rhcs rhsmcertd ricci rpm vhostmd - * Don't enable by default: amtu bugzilla condor + * Don't enable by default: amtu bugzilla condor * Added SE Linux "user" named xdm for the "sddm" Unix account to be used by the sddm greeter process. This makes the greeter run as xdm_t instead of unconfined_t. @@ -687,7 +687,7 @@ refpolicy (2:2.20161023.1-8) unstable; urgency=medium -- Russell Coker <russ...@coker.com.au> Mon, 23 Jan 2017 01:55:57 +1100 refpolicy (2:2.20161023.1-7) unstable; urgency=medium - + [ Laurent Bigonville and cgzones ] * Sort the files in the files in the selinux-policy-src.tar.gz tarball by name, this should fix the last issue for reproducible build 
@@ -1033,7 +1033,7 @@ refpolicy (2:2.20140421-12) jessie; urgency=medium * Allow kernel_t to setattr/getattr/unlink tty_device_t for kdevtmpfs * Label /usr/share/bug/.* files as bin_t for reportbug in strict configuration * Label /run/tmpfiles.d/kmod.conf as kmod_var_run_t and allow insmod_t to create it - * apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir + * apache_unlink_var_lib() now includes write access to httpd_var_lib_t:dir * Allow apache to read sysctl_vm_t for overcommit_memory Allow httpd_sys_script_t to read sysfs_t. allow httpd_t to manage httpd_log_t files and directories for mod_pagespeed. @@ -2180,18 +2180,18 @@ refpolicy (2:0.2.20091013-1) unstable; urgency=low + Allow udev_t to access anon_inodefs_t These changes take care of most of the problems encountered in recent reference policy packages in Debian. Thanks to Russell Coker for the - fixes. + fixes. -- Manoj Srivastava <sriva...@debian.org> Tue, 13 Oct 2009 15:29:54 -0500 refpolicy (2:0.2.20090828-1) unstable; urgency=low * New upstream snapshot. - - Deprecated the userdom_xwindwos_client_template(). + - Deprecated the userdom_xwindwos_client_template(). * Modified the list of modules we build (added consolekit, and added a dependency on consolekit to the devicekit policymodule. Turned off ddcprobe, since it needs kudzu. - * Bug fix: "linking policy fails", thanks to Jonathan Nieder + * Bug fix: "linking policy fails", thanks to Jonathan Nieder (Closes: #544079). * Bug fix: "linking policy fails (with a statement to file a bug)", thanks to Philipp Kern (Closes: #543148). 
@@ -2199,7 +2199,7 @@ refpolicy (2:0.2.20090828-1) unstable; urgency=low Russell Coker (Closes: #539855). * Bug fix: "SELinux prevented console-kit-dae from using the terminal /dev/tty0", thanks to Ritesh Raj Sarraf. We now have: - policy/modules/services/consolekit.te:term_use_all_terms(consolekit_t) + policy/modules/services/consolekit.te:term_use_all_terms(consolekit_t) This should allow access to all terms and ttys. (Closes: #515167). * Bug fix: "SELinux is preventing pulseaudio from loading /usr/lib/libFLAC.so.8.2.0 which requires text relocation", thanks to @@ -3181,4 +3181,3 @@ refpolicy (20060117-1) sesarge; urgency=low * Experimental release -- Erich Schubert <er...@debian.org> Mon, 13 Feb 2006 22:50:03 +0100 - -- 2.39.1
From 5801d4417f13c77995ee92d006632fae4ad7fb1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 23:21:43 +0200
Subject: [PATCH 13/14] Fix brctl patch to pass neverallow check

Use the kernel_load_module() interface instead of manually granting capability { sys_module } to comply with neverallow rules:

libsepol.report_failure: neverallow violated by allow brctl_t brctl_t:capability { sys_module };
---
 debian/patches/0028-misc | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/debian/patches/0028-misc b/debian/patches/0028-misc
index 62708ad..ebabdef 100644
--- a/debian/patches/0028-misc
+++ b/debian/patches/0028-misc
@@ -121,15 +121,14 @@ Index: refpolicy-2.20221101/policy/modules/admin/brctl.te
 ===================================================================
 --- refpolicy-2.20221101.orig/policy/modules/admin/brctl.te
 +++ refpolicy-2.20221101/policy/modules/admin/brctl.te
-@@ -17,7 +17,7 @@ role brctl_roles types brctl_t;
- # Local policy
- #
- 
--allow brctl_t self:capability net_admin;
-+allow brctl_t self:capability { net_admin sys_module };
- allow brctl_t self:fifo_file rw_fifo_file_perms;
- allow brctl_t self:unix_stream_socket create_stream_socket_perms;
+@@ -23,6 +23,7 @@ allow brctl_t self:unix_stream_socket cr
 allow brctl_t self:unix_dgram_socket create_socket_perms;
+ allow brctl_t self:tcp_socket create_socket_perms;
+ 
++kernel_load_module(brctl_t)
+ kernel_request_load_module(brctl_t)
+ kernel_read_network_state(brctl_t)
+ kernel_read_sysctl(brctl_t)
 Index: refpolicy-2.20221101/policy/modules/admin/logrotate.te
 ===================================================================
 --- refpolicy-2.20221101.orig/policy/modules/admin/logrotate.te
-- 
2.39.1
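Review bot: `kernel_load_module(brctl_t)` does more than satisfy the neverallow: it puts brctl_t into the set of domains permitted to load arbitrary kernel modules (the sys_module capability plus module_load on the kernel), which is far more than a bridge-management tool needs, since the bridge module is autoloaded by the kernel on brctl's behalf and that path is already covered by the existing `kernel_request_load_module(brctl_t)`. I believe the original `sys_module` denial comes from the kernel's dev_load() fallback, which probes capable(CAP_SYS_MODULE) only after the `netdev-<name>` module request has failed; in refpolicy that probe is conventionally silenced rather than granted, `dontaudit brctl_t self:capability sys_module;`, which also passes the neverallow. Please check the audit record the grant was derived from before choosing between the two, and drop the interface if the dontaudit is enough. The brctl.te context in the nested patch starts and ends outside this hunk.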
From 4f9da132197d6664e7f18003819315c0b190d5d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzo...@googlemail.com>
Date: Mon, 19 Sep 2022 22:10:49 +0200
Subject: [PATCH 14/14] Add autopkgtest (Closes: #1012841)

Validate a policy build from all installed modules. This should prevent future validation issues, like #1012503.
---
 debian/tests/control | 2 ++
 debian/tests/validate-default | 16 ++++++++++++++++
 debian/tests/validate-mls | 16 ++++++++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 debian/tests/control
 create mode 100755 debian/tests/validate-default
 create mode 100755 debian/tests/validate-mls

diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..ee62cf4
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: validate-default validate-mls
+Depends: @
diff --git a/debian/tests/validate-default b/debian/tests/validate-default
new file mode 100755
index 0000000..503c53a
--- /dev/null
+++ b/debian/tests/validate-default
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -eu
+
+tmpdir=$(mktemp -d)
+
+cd "${tmpdir}"
+
+cp /usr/share/selinux/default/*.pp.bz2 .
+
+bzip2 -d *.pp.bz2
+
+mv base.pp base
+
+semodule_link -o test.lnk base *.pp
+semodule_expand test.lnk policy.bin
diff --git a/debian/tests/validate-mls b/debian/tests/validate-mls
new file mode 100755
index 0000000..d281e89
--- /dev/null
+++ b/debian/tests/validate-mls
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+set -eu
+
+tmpdir=$(mktemp -d)
+
+cd "${tmpdir}"
+
+cp /usr/share/selinux/mls/*.pp.bz2 .
+
+bzip2 -d *.pp.bz2
+
+mv base.pp base
+
+semodule_link -o test.lnk base *.pp
+semodule_expand test.lnk policy.bin
-- 
2.39.1
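Review bot: `tmpdir=$(mktemp -d)` is never removed, so every run of either script leaves a full decompressed policy copy behind in /tmp; add `trap 'rm -rf "${tmpdir}"' EXIT` right after the mktemp line, or simply `cd "${AUTOPKGTEST_TMP}"`, which the harness creates and cleans up for you. Both scripts also rely on `bzip2`, `semodule_link` and `semodule_expand` arriving transitively through `Depends: @`; unless the policy packages themselves depend on bzip2 and policycoreutils, name them explicitly (`Depends: @, bzip2, policycoreutils`) so a future dependency change does not turn into a missing-command failure. validate-default and validate-mls are identical apart from the flavour directory; one script taking the flavour as its argument, driven by two `Test-Command:` stanzas, would avoid maintaining the copy.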