[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/
commit: c8dced7f7e0dd36a09ed44d30dbbf807d62b8252 Author: Kenton Groombridge gentoo org> AuthorDate: Thu Mar 7 15:51:51 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Thu Mar 7 15:51:51 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8dced7f net-voip/murmur: drop 1.4.287-r1 Signed-off-by: Kenton Groombridge gentoo.org> net-voip/murmur/murmur-1.4.287-r1.ebuild | 185 --- 1 file changed, 185 deletions(-) diff --git a/net-voip/murmur/murmur-1.4.287-r1.ebuild b/net-voip/murmur/murmur-1.4.287-r1.ebuild deleted file mode 100644 index da97454719ad.. --- a/net-voip/murmur/murmur-1.4.287-r1.ebuild +++ /dev/null 
@@ -1,185 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit cmake flag-o-matic systemd readme.gentoo-r1 tmpfiles - -DESCRIPTION="Mumble is an open source, low-latency, high quality voice chat software" -HOMEPAGE="https://wiki.mumble.info; -if [[ "${PV}" == ]] ; then - inherit git-r3 - EGIT_REPO_URI="https://github.com/mumble-voip/mumble.git; - EGIT_SUBMODULES=( '-*' ) -else - MY_PN="mumble" - if [[ "${PV}" == *_pre* ]] ; then - MY_P="${MY_PN}-${PV}" - SRC_URI="https://dev.gentoo.org/~concord/distfiles/${MY_P}.tar.xz; - S="${WORKDIR}/${MY_P}" - else - MY_PV="${PV/_/-}" - MY_P="${MY_PN}-${MY_PV}" - SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz - https://dl.mumble.info/${MY_P}.tar.gz; - S="${WORKDIR}/${MY_P}.src" - fi - KEYWORDS="amd64 ~arm ~arm64 x86" -fi - -SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/mumble-1.4-openssl3.patch.xz; -SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/mumble-1.4-crypto-threads.patch.xz; -SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/mumble-1.4-odr.patch.xz; - -LICENSE="BSD" -SLOT="0" -IUSE="+dbus grpc +ice test zeroconf" -RESTRICT="!test? ( test )" - -RDEPEND=" - acct-group/murmur - acct-user/murmur - >=dev-libs/openssl-1.0.0b:0= - >=dev-libs/protobuf-2.2.0:= - dev-qt/qtcore:5 - dev-qt/qtnetwork:5[ssl] - || ( - dev-qt/qtsql:5[sqlite] - dev-qt/qtsql:5[mysql] - ) - dev-qt/qtxml:5 - sys-apps/lsb-release - >=sys-libs/libcap-2.15 - dbus? ( dev-qt/qtdbus:5 ) - grpc? ( net-libs/grpc ) - ice? ( dev-libs/Ice:= ) - zeroconf? 
( net-dns/avahi[mdnsresponder-compat] ) -" - -DEPEND="${RDEPEND} - dev-libs/boost - dev-qt/qttest:5 -" -BDEPEND=" - acct-group/murmur - acct-user/murmur - virtual/pkgconfig -" - -if [[ "${PV}" == * ]] ; then - # Required for the mkini.sh script which calls perl multiple times - BDEPEND+=" - dev-lang/perl - " -fi - -DOC_CONTENTS=" - Useful scripts are located in /usr/share/doc/${PF}/scripts.\n - Please execute:\n - murmurd -ini /etc/murmur/murmur.ini -supw \n - chown murmur:murmur /var/lib/murmur/murmur.sqlite\n - to set the build-in 'SuperUser' password before starting murmur. - Please restart dbus before starting murmur, or else dbus - registration will fail. -" - -PATCHES=( - "${WORKDIR}/mumble-1.4-openssl3.patch" - "${WORKDIR}/mumble-1.4-crypto-threads.patch" - "${WORKDIR}/mumble-1.4-odr.patch" -) - -src_prepare() { - if [[ "${PV}" == * ]] ; then - pushd scripts &>/dev/null || die - ./mkini.sh || die - popd &>/dev/null || die - fi - - sed \ - -e 's:mumble-server:murmur:g' \ - -e 's:/var/run:/run:g' \ - -i "${S}"/scripts/murmur.{conf,ini} || die - - # Adjust systemd service file to our config location #689208 - sed \ - -e "s@/etc/${PN}\.ini@/etc/${PN}/${PN}.ini@" \ - -e "s@murmurd@mumble-server@" \ - -i scripts/${PN}.service || die - - cmake_src_prepare -} - -src_configure() { - myuse() { - [[ -n "${1}" ]] || die "myconf: No use flag given." - use ${1} || echo "no-${1}" - } - local mycmakeargs=( - -DBUILD_TESTING="$(usex test)" - -Dclient="OFF" - -Ddbus="$(usex dbus)" - -Dg15="OFF" - -Dgrpc="$(usex grpc)" -
[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/
commit: 155e07eaaf58d16fd212a0b973d82c73f44f595e Author: Kenton Groombridge gentoo org> AuthorDate: Thu Mar 7 15:50:39 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Thu Mar 7 15:50:39 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=155e07ea net-voip/murmur: stabilize 1.4.287-r2 for amd64, x86 Signed-off-by: Kenton Groombridge gentoo.org> net-voip/murmur/murmur-1.4.287-r2.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net-voip/murmur/murmur-1.4.287-r2.ebuild b/net-voip/murmur/murmur-1.4.287-r2.ebuild
index f439f3c88309..61f7d8175087 100644
--- a/net-voip/murmur/murmur-1.4.287-r2.ebuild
+++ b/net-voip/murmur/murmur-1.4.287-r2.ebuild
@@ -24,7 +24,7 @@ else
 			https://dl.mumble.info/${MY_P}.tar.gz;
 		S="${WORKDIR}/${MY_P}.src"
 	fi
-	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+	KEYWORDS="amd64 ~arm ~arm64 x86"
 fi
 
 SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/mumble-1.4-openssl3.patch.xz;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 007072b1c66cfb28310f9d0449f8167f496be2ae Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:52 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:56 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=007072b1 systemd: logind update type=PROCTITLE msg=audit(21/02/24 23:31:52.659:83) : proctitle=/usr/lib/systemd/systemd-logind type=SYSCALL msg=audit(21/02/24 23:31:52.659:83) : arch=x86_64 syscall=recvmsg success=yes exit=24 a0=0xf a1=0x7ffdec4e7bc0 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=909 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) type=AVC msg=audit(21/02/24 23:31:52.659:83) : avc: denied { use } for pid=909 comm=systemd-logind path=anon_inode:[pidfd] dev="anon_inodefs" ino=1051 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=1 p.s.: this might need an overhaul after pidfd handling in the kernel has been improved. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e3af88033..cef49e9a3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1053,6 +1053,9 @@ storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader
 optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 	dbus_system_bus_client(systemd_logind_t)
+
+	# pidfd
+	dbus_use_system_bus_fds(systemd_logind_t)
 ')
 
 optional_policy(`
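Review bot: The `# pidfd` comment above the added dbus_use_system_bus_fds(systemd_logind_t) call does not say what is being allowed or why, and the interface grants fd:use towards system_dbusd_t for any descriptor the bus hands over, not only pidfds; the AVC in the commit message (path=anon_inode:[pidfd], tclass=fd, syscall=recvmsg) is the only place that records the actual need. Suggest replacing it with `# use pidfds handed over by the system bus (anon_inode:[pidfd]); revisit once the kernel labels pidfds on its own`, so the author's own "might need an overhaul" caveat survives in the policy rather than only in the commit log.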
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 5c8203bfd90758d92cd93c786de8fe94e6d716ca Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:48 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:52 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c8203bf fs: add support for virtiofs Adopted from https://github.com/fedora-selinux/selinux-policy/commit/5580e9a576f759820dbc3387961ce58a959221dc Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.te | 11 +++ 1 file changed, 11 insertions(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index f21fc71e9..f9aa5f90b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -41,6 +41,7 @@ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ubifs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
 
@@ -203,6 +204,16 @@ optional_policy(`
 	init_mountpoint(tracefs_t)
 ')
 
+
+#
+# virtiofs_t is the default type for virtio file systems
+# and their files.
+#
+type virtiofs_t;
+fs_noxattr_type(virtiofs_t)
+files_mountpoint(virtiofs_t)
+genfscon virtiofs / gen_context(system_u:object_r:virtiofs_t,s0)
+
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
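Review bot: The first hunk lists virtiofs under fs_use_xattr (superblock fs_t, inode labels taken from xattrs) while the second hunk also adds `genfscon virtiofs /` with the new virtiofs_t, and neither hunk says which labelling applies when; as far as I know the kernel consults the fs_use table before genfscon, so the genfscon entry only takes effect for mounts that fall outside the xattr behaviour, but a reader of filesystem.te should not have to work that out. Suggest extending the header comment in the second hunk with `# virtiofs is normally labelled from xattrs (fs_use_xattr above); this type is the fallback for mounts without xattr support`, with the exact condition confirmed against the kernel versions this policy targets. It is also worth stating there that fs_noxattr_type(virtiofs_t) places a host-controlled share under the noxattrfs attribute, so every domain holding the blanket noxattrfs interfaces (fs_manage_noxattr_fs_files and friends) can reach its contents.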
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: f6e3b01a354b974ffc259994385d03909c4be93e Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:42 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:47 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6e3b01a userdom: permit reading PSI as admin Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/userdomain.if | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index aadbe34c3..b87f6d48e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1382,6 +1382,7 @@ template(`userdom_admin_user_template',`
 	kernel_change_ring_buffer_level($1_t)
 	kernel_clear_ring_buffer($1_t)
 	kernel_read_ring_buffer($1_t)
+	kernel_read_psi($1_t)
 	kernel_get_sysvipc_info($1_t)
 	kernel_rw_all_sysctls($1_t)
 	# signal unlabeled processes:
[gentoo-commits] proj/hardened-refpolicy: New tag: 2.20240226-r1
commit: Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 19:56:20 2024 + New tag: 2.20240226-r1
[gentoo-commits] proj/hardened-refpolicy:master commit in: /
commit: 1949397458a649cf876a4a758a28d65626ad2709 Author: Chris PeBenito ieee org> AuthorDate: Mon Feb 26 18:38:45 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:06:00 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19493974 Update Changelog and VERSION for release 2.20240226. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> Changelog | 487 ++ VERSION | 2 +- 2 files changed, 488 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 76cd60fdc..a1938b4f0 100644 --- a/Changelog +++ b/Changelog 
@@ -1,3 +1,490 @@ +* Mon Feb 26 2024 Chris PeBenito - 2.20240226 +Chris PeBenito (174): + tests.yml: Pin ubuntu 20.04. + tests.yml: Pin ubuntu 20.04. + fstools: Move lines. + munin: Move munin_rw_tcp_sockets() implementation. + munin: Whitespace change. + systemd: Tmpfilesd can correct seusers on files. + iscsi: Read initiatorname.iscsi. + lvm: Add fc entry for /etc/multipath/* + sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets() + Define user_namespace object class. + chromium: Allow user namespace creation. + mozilla: Allow user namespace creation. + systemd: Allow user namespace creation. + container: Allow user namespace creation for all container engines. + Update eg25manager.te + switcheroo: Whitespace fix. + unconfined: Keys are linkable by systemd. + postgresql: Move lines + Add append to rw and manage lnk_file permission sets for consistency. + domain: Manage own fds. + systemd: systemd-cgroups reads kernel.cap_last_cap sysctl. + kernel: hv_utils shutdown on systemd systems. + Container: Minor fixes from interactive container use. + systemd: Minor coredump fixes. + rpm: Minor fixes + init: Allow nnp/nosuid transitions from systemd initrc_t. + selinuxutil: Semanage reads policy for export. + sysnetwork: ifconfig searches debugfs. + usermanage: Add sysctl access for groupadd to get number of groups. + files: Handle symlinks for /media and /srv. + cloudinit: Add support for installing RPMs and setting passwords. + kdump: Fixes from testing kdumpctl. + usermanage: Handle symlinks in /usr/share/cracklib. + unconfined: Add remaining watch_* permissions. + chronyd: Read /dev/urandom. + cloud-init: Allow use of sudo in runcmd. + cloud-init: Add systemd permissions. + cloud-init: Change udev rules + systemd: Updates for systemd-locale. + cloudinit: Add permissions derived from sysadm. 
+ +Christian Göttsche (28): + git: add fcontext for default binary + init: only grant getattr in init_getattr_generic_units_files() + ci: bump SELint version to 1.5.0 + SELint userspace class tweaks + systemd: reorder optional block + devicedisk: reorder optional block + access_vectors: define io_uring { cmd } + support/genhomedircon: support usr prefixed paths + fix misc typos + Support multi-line interface calls + policy_capabilities: remove estimated from released versions + Rules.monolithic: pre-compile fcontexts on install + Rules.modular: use temporary file to not ignore error + Makefile: use sepolgen-ifgen-attr-helper from test toolchain + Makefile: set PYTHONPATH for test toolchain + virt: label qemu configuration directory + selinuxutil: setfiles updates + selinuxutil: ignore getattr proc in newrole + userdom: permit reading PSI as admin + fs: mark memory pressure type as file + systemd: binfmt updates + vnstatd: update + fs: add support for virtiofs + systemd: generator updates + udev: update + systemd: logind update + consolesetup: update + libraries: drop space in empty line + +Christian Schneider (1): + systemd-generator: systemd_generator_t load kernel modules used for e.g. 
+ zram-generator + +Corentin LABBE (20): + udev: permit to read hwdb + fstools: handle gentoo place for drivedb.h + mount: dbus interface must be optional + mcelog: add missing file context for triggers + munin: add file context for common functions file + rsyslog: add label for /var/empty/dev/log + munin: disk-plugin: transition to fsadm + munin: add fc for munin-node plugin state + usermanage: permit groupadd to read kernel sysctl + portage: Remove old binary location + portage: add go/hg source control files + portage: add new location for portage commands + portage: add missing go/hg context in new distfiles location + mandb: permit to read inherited cron files + selinuxutil: do not audit load_policy trying to use portage ptys + selinuxutil: permit run_init to read kernel sysctl + porta
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 1f6f6eca2f76f7fa1354acdae20898666823bebc Author: Christian Göttsche googlemail com> AuthorDate: Fri Feb 23 17:04:11 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:59 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f6f6eca libraries: drop space in empty line Drop a line containing a single space from the file context file to avoid SELint stumble on it: libraries.mod.fc: 130: (E): Bad file context format (E-002) Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/libraries.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 757b18bcb..b5491aa8a 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -284,7 +284,7 @@ HOME_DIR/\.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:t
 /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
-') dnl end distro_redhat
+')dnl end distro_redhat
 
 #
 # /var
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 3676555ed89c3a47ec1f553710f70bf547bd7245 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:55 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:57 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3676555e consolesetup: update AVC avc: denied { read } for pid=770 comm="mkdir" name="filesystems" dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/consolesetup.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/consolesetup.te b/policy/modules/services/consolesetup.te
index 7756ef6c9..023ec5d23 100644
--- a/policy/modules/services/consolesetup.te
+++ b/policy/modules/services/consolesetup.te
@@ -37,6 +37,8 @@ files_runtime_filetrans(consolesetup_t, consolesetup_runtime_t, dir, "console-se
 manage_files_pattern(consolesetup_t, consolesetup_tmp_t, consolesetup_tmp_t)
 files_tmp_filetrans(consolesetup_t, consolesetup_tmp_t, file)
 
+kernel_read_system_state(consolesetup_t)
+
 corecmd_exec_bin(consolesetup_t)
 corecmd_exec_shell(consolesetup_t)
 
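Review bot: The added kernel_read_system_state(consolesetup_t) line carries no comment, while the AVC in the commit message shows the trigger is `mkdir` reading /proc/filesystems, and the interface covers all of proc_t rather than that one file. Suggest `# mkdir reads /proc/filesystems` on the line above it, in the style of the existing avahi comment elsewhere in this module set, so the grant can be re-evaluated later instead of surviving as an unexplained read of all of /proc.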
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 9127b63127407012150cc1257dab821bc300477d Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:51 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:55 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9127b631 udev: update AVC avc: denied { create } for pid=685 comm="ifquery" name="network" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/sysnetwork.if | 30 ++ policy/modules/system/udev.te | 3 +++ 2 files changed, 33 insertions(+) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index f41024669..884f3735d 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -489,6 +489,7 @@ interface(`sysnet_create_config',` ') files_search_etc($1) + allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms }; allow $1 net_conf_t:file create_file_perms; ') @@ -535,6 +536,35 @@ interface(`sysnet_etc_filetrans_config',` files_etc_filetrans($1, net_conf_t, file, $2) ') +### +## +## Create files in /run with the type used for +## the network config files. +## +## +## +## Domain allowed access. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`sysnet_runtime_filetrans_config',` + gen_require(` + type net_conf_t; + ') + + files_runtime_filetrans($1, net_conf_t, $2, $3) +') + ### ## ## Create, read, write, and delete network config files. diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 6e24d515f..8ecc17bc7 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te 
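Review bot: The added `allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };` in the first hunk widens the existing sysnet_create_config() interface for every current caller, not just udev: domains that could so far only create net_conf_t files may now create net_conf_t directories and add entries to them, and the interface summary (outside the hunk) presumably still speaks of files only. Either update that summary to say directories are created as well, or leave sysnet_create_config() as it was and put the dir permission into a separate interface so existing callers keep their former scope. In the second hunk the new sysnet_runtime_filetrans_config() takes an object class parameter, so its summary should read `Create objects in /run labelled net_conf_t, the type of the network config files.` rather than "files".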
@@ -217,6 +217,9 @@ ifdef(`distro_debian',`
 
 	files_runtime_filetrans(udev_t, udev_runtime_t, dir, "xen-hotplug")
 
+	sysnet_runtime_filetrans_config(udev_t, dir, "network")
+	sysnet_create_config(udev_t)
+
 	optional_policy(`
 		# for /usr/lib/avahi/avahi-daemon-check-dns.sh
 		kernel_read_vm_sysctls(udev_t)
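Review bot: The two added calls have no comment, and sysnet_create_config(udev_t) (as changed in this same commit) lets udev_t create net_conf_t files and directories wherever net_conf_t directories exist, which is more than the single `ifquery` mkdir of /run/network shown in the commit message needs. Suggest `# ifquery creates /run/network` above the calls so the reason stays with the rule, and confirm that the Debian udev hooks really need to write network config elsewhere before keeping the wider grant. The enclosing ifdef(`distro_debian') block starts before the hunk.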
[gentoo-commits] proj/hardened-refpolicy:master commit in: /
commit: cf1d8825dd74db410aca630202e62d0e0ad5169e Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 19:21:35 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:42 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cf1d8825 Makefile: set PYTHONPATH for test toolchain In case of a non-default toolchain also set the environment variable PYTHONPATH to run sepolgen related python code from that toolchain. See scripts/env_use_destdir in the SELinux userland repository. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> Makefile | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 82df20454..42d6484bc 100644 --- a/Makefile +++ b/Makefile 
@@ -47,9 +47,16 @@ endif
 BINDIR ?= /usr/bin
 SBINDIR ?= /usr/sbin
 ifdef TEST_TOOLCHAIN
-tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)$(BINDIR)
-tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)$(SBINDIR)
-tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)/sbin
+python_path_plat := $(shell python3 -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '/usr', 'base': '/usr'}))")
+python_path_pure := $(shell python3 -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '/usr', 'base': '/usr'}))")
+ifdef PYTHONPATH
+python_path := "$(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure):$(PYTHONPATH)"
+else
+python_path := "$(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure)"
+endif
+tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)/sbin
 else
 tc_usrbindir := $(BINDIR)
 tc_usrsbindir := $(SBINDIR)
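Review bot: `python_path` is defined with literal double quotes in both branches (`python_path := "$(TEST_TOOLCHAIN)$(python_path_plat):…"`) and then interpolated inside another quoted string as `PYTHONPATH="$(python_path)"`, which reaches the shell as `PYTHONPATH=""…""`: the inner quotes terminate the outer pair, so the path itself is unquoted and, being an argument to env rather than a shell assignment, is word-split whenever TEST_TOOLCHAIN contains whitespace — exactly what the existing quoting of LD_LIBRARY_PATH on the same lines is there to prevent. Drop the quotes from the two `python_path :=` lines and let the single quoting at the three use sites do the work. The `ifdef TEST_TOOLCHAIN` block continues past the hunk.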
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: d98d3461c9fd467af7308047b5f6a496259a4104 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Mar 1 17:06:33 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:06:33 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d98d3461 Merge upstream Signed-off-by: Kenton Groombridge gentoo.org> gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentoo/STATE b/gentoo/STATE
index 1265cd5d3..b40fac216 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-f3865abfc25a395c877a27074bd03c5fc22992dd
+fa84ee8fc04af56cced5ab8ed7abfb1abbd246dc
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: b1a213b26e58f32d250057fcb9e1af3a9f05a63d Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:46 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:51 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1a213b2 vnstatd: update type=PROCTITLE msg=audit(21/02/24 22:54:36.792:69) : proctitle=/usr/sbin/vnstatd -n type=PATH msg=audit(21/02/24 22:54:36.792:69) : item=0 name=/dev/urandom inode=18 dev=00:2b mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:54:36.792:69) : cwd=/ type=SYSCALL msg=audit(21/02/24 22:54:36.792:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f197cc66865 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=900 auid=unset uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null) type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc: denied { open } for pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc: denied { read } for pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/vnstatd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te index f8274d451..3be384a9a 100644 --- a/policy/modules/services/vnstatd.te +++ b/policy/modules/services/vnstatd.te 
@@ -48,6 +48,7 @@ kernel_read_system_state(vnstatd_t) # read /sys/class/net/eth0 dev_read_sysfs(vnstatd_t) +dev_read_urand(vnstatd_t) files_read_etc_files(vnstatd_t) files_search_var_lib(vnstatd_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 2ce9c1574e77cfedf075413013b6247ff0e7f8ce Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:49 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:54 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ce9c157 systemd: generator updates type=1400 audit(1708552475.580:3): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/etc/init.d/auditd" dev="vda1" ino=262124 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_initrc_exec_t:s0 tclass=file permissive=1 type=1400 audit(1708552475.580:4): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/auditd.service" dev="vda1" ino=395421 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_unit_t:s0 tclass=file permissive=1 type=1400 audit(1708552475.580:5): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/etc/init.d/vnstat" dev="vda1" ino=261247 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_initrc_exec_t:s0 tclass=file permissive=1 type=1400 audit(1708552475.580:6): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/vnstat.service" dev="vda1" ino=394196 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_unit_t:s0 tclass=file permissive=1 type=1400 audit(1708552475.580:7): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/dbus-broker.service" dev="vda1" ino=394383 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:dbusd_unit_t:s0 tclass=file permissive=1 type=1400 audit(1708552475.584:8): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/qemu-guest-agent.service" dev="vda1" ino=392981 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:qemu_unit_t:s0 tclass=file permissive=1 type=1400 
audit(1708552475.584:9): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/ssh.service" dev="vda1" ino=393521 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:sshd_unit_t:s0 tclass=file permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/init.if| 20 policy/modules/system/systemd.te | 3 ++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 3e4192eb4..597fd169a 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3858,6 +3858,26 @@ interface(`init_list_all_units',` read_lnk_files_pattern($1, systemdunit, systemdunit) ') + +## +## Get the attributes of systemd unit directories and the files in them. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_getattr_all_unit_files',` + gen_require(` + attribute systemdunit; + ') + + list_dirs_pattern($1, systemdunit, systemdunit) + getattr_files_pattern($1, systemdunit, systemdunit) + read_lnk_files_pattern($1, systemdunit, systemdunit) +') + ## ## Manage systemd unit dirs and the files in them diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 63fef177b..e3af88033 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -536,10 +536,11 @@ init_rename_runtime_files(systemd_generator_t) init_search_runtime(systemd_generator_t) init_setattr_runtime_files(systemd_generator_t) init_write_runtime_files(systemd_generator_t) -init_list_all_units(systemd_generator_t) init_read_generic_units_files(systemd_generator_t) init_read_generic_units_symlinks(systemd_generator_t) init_read_script_files(systemd_generator_t) +init_getattr_all_unit_files(systemd_generator_t) +init_getattr_all_script_files(systemd_generator_t) kernel_use_fds(systemd_generator_t) kernel_read_system_state(systemd_generator_t)
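Review bot: init_getattr_all_unit_files() in the init.if hunk grants more than its name and summary state: besides list_dirs_pattern and getattr_files_pattern it also carries `read_lnk_files_pattern($1, systemdunit, systemdunit)`, i.e. reading (following) unit symlinks, while the AVCs in the commit message only show getattr on unit files. Either extend the summary to `Get the attributes of systemd unit directories and the files in them, and read their symlinks.` or change that line to `getattr_lnk_files_pattern($1, systemdunit, systemdunit)` if following links is not needed; since the systemd.te hunk swaps init_list_all_units() (which, going by the hunk's context line, already read the symlinks) for the new interface, the former is probably the intent. init_getattr_all_script_files() used in the systemd.te hunk is not defined in this commit, so I assume it already exists in init.if.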
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 2742ffe56eb2a1943c6ddbbd47071a6fa5437875 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:40 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:44 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2742ffe5 selinuxutil: setfiles updates type=PROCTITLE msg=audit(21/02/24 22:31:50.044:122) : proctitle=restorecon -vRn -T0 / type=SYSCALL msg=audit(21/02/24 22:31:50.044:122) : arch=x86_64 syscall=sched_getaffinity success=yes exit=8 a0=0x0 a1=0x1000 a2=0x7fc235649bf0 a3=0x0 items=0 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(21/02/24 22:31:50.044:122) : avc: denied { getsched } for pid=13398 comm=restorecon scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process permissive=1 type=PROCTITLE msg=audit(21/02/24 22:31:55.040:123) : proctitle=restorecon -vRn -T0 / type=PATH msg=audit(21/02/24 22:31:55.040:123) : item=0 name=/sys/fs/cgroup/user.slice/user-0.slice/user 0.service/memory.pressure inode=2455 dev=00:1b mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:memory_pressure_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:31:55.040:123) : cwd=/root/workspace/selinux/refpolicy/refpolicy type=SYSCALL msg=audit(21/02/24 22:31:55.040:123) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557264466530 a2=0x7fc2004cacc0 a3=0x100 items=1 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(21/02/24 22:31:55.040:123) : avc: 
denied { getattr } for pid=13398 comm=restorecon path=/sys/fs/cgroup/user.slice/user-0.slice/user 0.service/memory.pressure dev="cgroup2" ino=2455 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_pressure_t:s0 tclass=file permissive=1 type=PROCTITLE msg=audit(21/02/24 22:32:15.512:126) : proctitle=restorecon -vRFn -T0 /usr/ type=PATH msg=audit(21/02/24 22:32:15.512:126) : item=0 name=/proc/sys/vm/overcommit_memory inode=41106 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_overcommit_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:32:15.512:126) : cwd=/root/workspace/selinux/refpolicy/refpolicy type=SYSCALL msg=audit(21/02/24 22:32:15.512:126) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7f59f7316810 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1103 pid=13491 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { open } for pid=13491 comm=restorecon path=/proc/sys/vm/overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1 type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { read } for pid=13491 comm=restorecon name=overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 18 ++ policy/modules/system/selinuxutil.te | 3 +++ 2 files changed, 21 insertions(+) 
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index e529b187f..08ad5503d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1271,6 +1271,24 @@ interface(`fs_cgroup_filetrans_memory_pressure',`
 fs_cgroup_filetrans($1, memory_pressure_t, $2, $3)
 ')
+
+##
+## Get the attributes of cgroup's memory.pressure files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_memory_pressure',`
+ gen_require(`
+ type memory_pressure_t;
+ ')
+
+ allow $1 memory_pressure_t:file getattr;
+')
+
 ##
 ## Allow managing a cgroup's memory.pressure file to get notifications
diff --git a/policy/modul
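Review bot: `fs_getattr_memory_pressure` is what a confined caller such as setfiles_t needs, but the follow-up commit a1f8db5c on this page gives `memory_pressure_t` the `file_type` attribute, after which attribute-based `file_type` rules (unconfined_t, per that commit's description) already cover this getattr; a sentence in the interface documentation saying the interface exists for confined domains would stop a later reader from treating it as redundant. The summary could also name the object class, e.g. `## Get the attributes of cgroup memory.pressure files (file class only).`, since the AVC quoted in the description is for `tclass=file`. The selinuxutil.te hunk that consumes this interface and has to cover the `getsched` and `sysctl_vm_overcommit_t` denials also quoted in the description is cut off at the end of this entry.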
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: a1f8db5c896e3aef75922cf3ff53ccd53e00f79f Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:43 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:48 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a1f8db5c fs: mark memory pressure type as file Associate the type memory_pressure_t with the attribute file_type, so all attribute based rules apply, e.g. for unconfined_t. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 7ffac9812..f21fc71e9 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -100,6 +100,7 @@ genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
 # the rest of the cgroup tree.
 type memory_pressure_t;
 typeattribute memory_pressure_t cgroup_types;
+files_type(memory_pressure_t)
 dev_associate_sysfs(memory_pressure_t)
 type configfs_t;
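Review bot: `files_type(memory_pressure_t)` attaches the `file_type` attribute, so every attribute-based rule over `file_type` in the policy, not only the unconfined_t case named in the description, now reaches the cgroup memory.pressure files, including the broad manage/relabel style rules given to administrative domains. That is presumably the intent, but the comment block above the declaration should say so, e.g. `# also file_type: lets attribute-based (e.g. unconfined) rules reach memory.pressure`. The type keeps `cgroup_types` as well and so belongs to both attribute sets; it is worth checking that nothing keyed on `cgroup_types` assumes those files are not `file_type`.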
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: b093761cac708c6320ea8588f089cb98fd974a24 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:44 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:50 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b093761c systemd: binfmt updates type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : proctitle=/usr/lib/systemd/systemd-binfmt type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null) type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc: denied { getattr } for pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1 type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : proctitle=/usr/lib/systemd/systemd-binfmt type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/ type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null) type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc: denied { write } for pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 
scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 37 + policy/modules/system/systemd.te| 6 ++ 2 files changed, 43 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 08ad5503d..ae022b6c0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -602,6 +602,24 @@ interface(`fs_manage_autofs_symlinks',`
 manage_lnk_files_pattern($1, autofs_t, autofs_t)
 ')
+
+##
+## Get the attributes of binfmt_misc filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_getattr_binfmt_misc_fs',`
+ gen_require(`
+ type binfmt_misc_fs_t;
+ ')
+
+ allow $1 binfmt_misc_fs_t:filesystem getattr;
+')
+
 ##
 ## Get the attributes of directories on
@@ -622,6 +640,25 @@ interface(`fs_getattr_binfmt_misc_dirs',`
 ')
+
+##
+## Check for permissions using access(2) of directories on
+## binfmt_misc filesystems.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_check_write_binfmt_misc_dirs',`
+ gen_require(`
+ type binfmt_misc_fs_t;
+ ')
+
+ allow $1 binfmt_misc_fs_t:dir { getattr write };
+')
+
 ##
 ## Register an interpreter for new binary
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6d07466e6..63fef177b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -401,6 +401,7 @@ fs_search_cgroup_dirs(systemd_backlight_t)
 #
 kernel_read_kernel_sysctls(systemd_binfmt_t)
+kernel_getattr_proc(systemd_binfmt_t)
 systemd_log_parse_environment(systemd_binfmt_t)
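Review bot: `fs_check_write_binfmt_misc_dirs` grants `write` on `binfmt_misc_fs_t:dir`, which is the same permission a domain needs to actually add or remove entries there; policy cannot tell an `access(2)` W_OK probe from a real write, so the summary "Check for permissions using access(2)" understates what the interface allows. Say so in the documentation, e.g. `## Note: this also permits real writes to the directory.`, or name the interface after the permission it grants rather than after the syscall that triggered the denial. `getattr` on the dir is bundled in although the denial quoted in the description only shows `write`, and `fs_getattr_binfmt_misc_dirs` already exists (it is the funcname of this hunk), so the extra permission is presumably for convenience and could be mentioned in the summary too.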
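Review bot: `kernel_getattr_proc(systemd_binfmt_t)` is not explained by the denials quoted in the description, which only show `getattr` on the binfmt_misc filesystem and `write` on its root directory; the same applies to the cgroup rules in the second systemd.te hunk on the next line. A one-line comment above the call, or a line in the description, naming the operation that triggers the proc filesystem getattr (presumably a `statfs` along the path lookup) would keep the rule auditable. If the access is only probed and not required, `kernel_dontaudit_getattr_proc`, as the newrole change 103deadf on this page uses, may be the better fit than allowing it.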
@@ -409,6 +410,11 @@ files_read_etc_files(systemd_binfmt_t)
 fs_register_binary_executable_type(systemd_binfmt_t)
+fs_getattr_binfmt_misc_fs(systemd_binfmt_t)
+fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
+
+fs_getattr_cgroup(systemd_binfmt_t)
+fs_search_cgroup_dirs(systemd_binfmt_t)
 ##
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 6d1c3e8b33d3134dbe1767539363491a5f1600ea Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:33 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:43 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6d1c3e8b virt: label qemu configuration directory Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/virt.fc | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index ab5d0885d..9c209d8f0 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -9,6 +9,8 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
 /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/qemu(/.*)?gen_context(system_u:object_r:virt_etc_t,s0)
+
 /etc/rc\.d/init\.d/(libvirt-bin|libvirtd) -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 /etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 103deadfb6e257799ebf9026cae8a409e0c5a353 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:41 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:46 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=103deadf selinuxutil: ignore getattr proc in newrole type=PROCTITLE msg=audit(02/21/24 22:42:44.555:112) : proctitle=newrole -r sysadm_r type=SYSCALL msg=audit(02/21/24 22:42:44.555:112) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffc75fe1990 a2=0x0 a3=0x0 items=0 ppid=946 pid=1001 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=newrole exe=/usr/bin/newrole subj=root:staff_r:newrole_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(02/21/24 22:42:44.555:112) : avc: denied { getattr } for pid=1001 comm=newrole name=/ dev=proc ino=1 scontext=root:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/selinuxutil.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index b1213aa76..4d8624c6b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -251,6 +251,7 @@ read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctls(newrole_t)
+kernel_dontaudit_getattr_proc(newrole_t)
 corecmd_list_bin(newrole_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: /
commit: d4a01ab0b955623422eade1f35368a2ee3983db9 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:41:28 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:41 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4a01ab0 Makefile: use sepolgen-ifgen-attr-helper from test toolchain When building with a non default toolchain by setting the environment variable TEST_TOOLCHAIN also use the sepolgen-ifgen helper binary sepolgen-ifgen-attr-helper from this toolchain. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> Makefile | 4 1 file changed, 4 insertions(+)
diff --git a/Makefile b/Makefile
index 3f1d30605..82df20454 100644
--- a/Makefile
+++ b/Makefile
@@ -62,7 +62,11 @@ SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
 SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
 SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
 LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+ifdef TEST_TOOLCHAIN
+SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen --attr-helper $(TEST_TOOLCHAIN)$(BINDIR)/sepolgen-ifgen-attr-helper
+else
 SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
+endif
 SETFILES ?= $(tc_sbindir)/setfiles
 SEFCONTEXT_COMPILE ?= $(tc_usrsbindir)/sefcontext_compile
 XMLLINT ?= $(BINDIR)/xmllint
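Review bot: The helper path is built from `$(TEST_TOOLCHAIN)$(BINDIR)` while `sepolgen-ifgen` itself and every neighbouring tool come from `$(tc_usrbindir)`, so unless BINDIR and the toolchain's usr/bin resolve to the same directory the two binaries are looked up in different places, which looks unintended. If `tc_usrbindir` already carries the TEST_TOOLCHAIN prefix (it is defined outside this hunk), `--attr-helper $(tc_usrbindir)/sepolgen-ifgen-attr-helper` keeps the assignment consistent and the `ifdef`/`else` pair could collapse into one line. A comment such as `# with a test toolchain, sepolgen-ifgen must also use that toolchain's attr helper` above the `ifdef` would explain why this variable alone is conditional.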
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 35167ff4b12c7285fcfed384d4a3bac2ca6eed85 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:27:36 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:35 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35167ff4 Support multi-line interface calls Support splitting the call of an interface over multiple lines, e.g. for interfaces with a long list as argument: term_control_unallocated_ttys(udev_t, { ioctl_kdgkbtype ioctl_kdgetmode ioctl_pio_unimap ioctl_pio_unimapclr ioctl_kdfontop ioctl_tcgets }) Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/support/loadable_module.spt | 13 + 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
index 1f6163054..93e793961 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -53,6 +53,11 @@ define(`policy_m4_comment',`
 # $2 depth: $1
 ')dnl
+define(NL,`
+')dnl
+
+define(`chomp', `translit(`$1',NL,` ')')dnl
+
 ##
 #
 # In the future interfaces should be in loadable modules
@@ -63,10 +68,10 @@ define(`template',` dnl
 ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
 `define(`$1',` dnl
 pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
- policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+ policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl
 $2 dnl
 popdef(`policy_call_depth') dnl
- policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+ policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl
 '')
 ')
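Review bot: `chomp` replaces every newline in its argument with a space (`translit` from `NL` to a blank) rather than trimming a trailing newline as the name suggests, and it is only applied inside the `policy_m4_comment` calls in the template/interface hunks that follow, so the begin/end marker emitted for a multi-line call stays on one `#` line instead of leaking continuation lines into the generated policy. Neither the macro nor the description says this, so a comment above the definition would help, e.g. `# chomp: fold a multi-line argument list onto one line so the begin/end comment emitted by policy_m4_comment stays a single comment line`. The name NL is passed unquoted, unlike `chomp` and the other defines in this file; quoting it follows the file's convention and avoids surprises if NL were already defined. Both names are also short global macro names that m4 will expand wherever the bare tokens appear in policy sources, so a prefixed name in the style of `policy_m4_comment` (for instance `policy_chomp`, constructed) would be safer.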
@@ -80,10 +85,10 @@ define(`interface',` dnl
 ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
 `define(`$1',` dnl
 pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
- policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+ policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl
 $2 dnl
 popdef(`policy_call_depth') dnl
- policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+ policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl
 '')
 ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: /
commit: 2dce7975e36e015abbe53d9749d5db5344d79d34 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:38:21 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:39 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2dce7975 Rules.modular: use temporary file to not ignore error Save the result of the m4 command into a temporary file and split the commands, to avoid ignoring failures of the first command. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> Rules.modular | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Rules.modular b/Rules.modular
index f7ee2c11f..c731ea01d 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -119,8 +119,8 @@ $(tmpdir)/seusers: $(seusers)
 $(users_extra): $(m4support) $(user_files)
 @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
- $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
+ $(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $(tmpdir)/$(@F).tmp
+ $(verbose) $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' $(tmpdir)/$(@F).tmp > $@
 #
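Review bot: The intermediate `$(tmpdir)/$(@F).tmp` is never removed: it stays behind after a successful build, and when `$(M4)` fails a partial file remains in tmpdir until the next run overwrites it. Appending `$(verbose) rm -f $(tmpdir)/$(@F).tmp` after the sed line, or listing the file for the clean target (not visible here), keeps tmpdir tidy and avoids a stale intermediate being mistaken for output. A short comment such as `# two steps instead of a pipe so an m4 failure is not masked by sed's exit status` would preserve the reasoning from the description in the file itself.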
[gentoo-commits] proj/hardened-refpolicy:master commit in: support/, policy/support/
commit: 85d57ceba1e3c39f6fac27a32b39fb6539166552 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:22:50 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:34 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=85d57ceb fix misc typos Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/support/loadable_module.spt | 2 +- policy/support/mls_mcs_macros.spt | 2 +- support/genhomedircon.py | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
index 606ee80d0..1f6163054 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -47,7 +47,7 @@ define(`gen_require',`
 ')
 ')
-# helper function, since m4 wont expand macros
+# helper function, since m4 will not expand macros
 # if a line is a comment (#):
 define(`policy_m4_comment',`
 # $2 depth: $1
diff --git a/policy/support/mls_mcs_macros.spt b/policy/support/mls_mcs_macros.spt
index 7593e20d0..7d1293301 100644
--- a/policy/support/mls_mcs_macros.spt
+++ b/policy/support/mls_mcs_macros.spt
@@ -15,7 +15,7 @@ define(`gen_cats',`decl_cats(0,decr($1))')
 #
 # gen_sens(N)
 #
-# declares sensitivites s0 to s(N-1) with dominance
+# declares sensitivities s0 to s(N-1) with dominance
 # in increasing numeric order with s0 lowest, s(N-1) highest
 #
 define(`decl_sens',`dnl
diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index d5177ee4a..b865a07c8 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -51,7 +51,7 @@ def getStartingUID():
 rc=getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
 if rc[0] == 0:
 uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
+ #strip any comment from the end of the line
 uid_min = uid_min.split("#")[0]
 uid_min = uid_min.strip()
 if int(uid_min) < starting_uid:
@@ -59,7 +59,7 @@ def getStartingUID():
 rc=getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
 if rc[0] == 0:
 lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
+ #strip any comment from the end of the line
 lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
 lu_uidnumber = lu_uidnumber.split("#")[0]
 lu_uidnumber = lu_uidnumber.strip()
[gentoo-commits] proj/hardened-refpolicy:master commit in: /
commit: 70c06276d352e4513bd68ca085b07e5e2d8e6205 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:32:50 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:38 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70c06276 Rules.monolithic: pre-compile fcontexts on install On install pre-compile the file contexts. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> Makefile | 1 + Rules.monolithic | 6 ++ 2 files changed, 7 insertions(+)
diff --git a/Makefile b/Makefile
index b93e133be..3f1d30605 100644
--- a/Makefile
+++ b/Makefile
@@ -64,6 +64,7 @@ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
 LOADPOLICY ?= $(tc_usrsbindir)/load_policy
 SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
 SETFILES ?= $(tc_sbindir)/setfiles
+SEFCONTEXT_COMPILE ?= $(tc_usrsbindir)/sefcontext_compile
 XMLLINT ?= $(BINDIR)/xmllint
 SECHECK ?= $(BINDIR)/sechecker
diff --git a/Rules.monolithic b/Rules.monolithic
index d6d0e6f28..d6e20a371 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -232,6 +232,12 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
 $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
 $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
 $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME)
+ $(verbose) if $(SEFCONTEXT_COMPILE) -i > /dev/null 2>&1 ; then \
+ $(SEFCONTEXT_COMPILE) $(fcpath) ;\
+ $(SEFCONTEXT_COMPILE) $(fcpath).homedirs ;\
+ else \
+ echo "$@ Pre-compiled file context not generated! Please install the sefcontext_compile tool (commonly part of libselinux-utils)." ;\
+ fi
 #
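Review bot: Inside the `then` branch the two compile commands are chained with `;`, so a failure of `$(SEFCONTEXT_COMPILE) $(fcpath)` is masked by the exit status of the `.homedirs` call that follows and make only notices if the second one fails, the same class of swallowed error that commit 2dce7975 on this page fixes in Rules.modular. Joining them with `&&` (`$(SEFCONTEXT_COMPILE) $(fcpath) && \` on the first line) makes either failure abort the install. The probe `$(SEFCONTEXT_COMPILE) -i > /dev/null 2>&1` also deserves a comment, e.g. `# -i exits successfully only when a usable sefcontext_compile is installed`, because a reader who does not know the option will take it for a stray compile without an input file; if `-i` does not in fact succeed on its own, the else branch is always taken and pre-compilation is silently skipped, which is worth verifying once against the installed tool.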
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
commit: 28556c70623efdadf8cb93fd004bd8385638be65 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:28:11 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:37 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=28556c70 policy_capabilities: remove estimated from released versions Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/policy_capabilities | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index b800997f3..c6b84d8c7 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -108,7 +108,7 @@ policycap nnp_nosuid_transition;
 #policycap genfs_seclabel_symlinks;
 # Always allow FIOCLEX and FIONCLEX ioctl.
-# Requires libsepol 3.4 (estimated) and kernel 5.18 (estimated).
+# Requires libsepol 3.4 and kernel 5.18.
 #
 # Removed checks:
 # common file/socket: ioctl { 0x5450 0x5451 }
[gentoo-commits] proj/hardened-refpolicy:master commit in: support/
commit: 83d40084db8ceeaa3225e915ea8d8e9ebfbe878e Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:12:56 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:33 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83d40084 support/genhomedircon: support usr prefixed paths Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> support/genhomedircon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index 2721bd7df..d5177ee4a 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -43,7 +43,7 @@ import sys, pwd, getopt, re, os
 from subprocess import getstatusoutput
-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
+EXCLUDE_LOGINS=["/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"]
 def getStartingUID():
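Review bot: The list now covers the /usr-prefixed twins of the two shells, but it is still an exact path list, so any other spelling (`/usr/bin/nologin`, which some distributions install, or a symlinked path) still slips through; the comparison that consumes `EXCLUDE_LOGINS` is outside this hunk, so I am inferring it compares the shell field verbatim. Comparing the basename instead, e.g. `os.path.basename(shell) in ("nologin", "false")`, covers all of these without growing the list, and `os` is already imported on the hunk's first line. A one-line comment above the constant stating what it is for (`# login shells whose users get no home directory context`) would also help, since the name alone does not say whether these are shells or usernames.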
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
commit: 9002ef977497033f6d26368ceaa12fbd154ce38d Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:12:36 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:31 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9002ef97 access_vectors: define io_uring { cmd } Added in Linux 6.0. Link: https://github.com/SELinuxProject/selinux-kernel/commit/f4d653dcaa4e4056e1630423e6a8ece4869b544f Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/flask/access_vectors | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a22b11a7e..b260f9d24 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -1071,6 +1071,7 @@ class io_uring
 {
 override_creds
 sqpoll
+ cmd
 }
 class user_namespace
[gentoo-commits] repo/gentoo:master commit in: sys-cluster/flux/
commit: 5e7b5b149e0db8406696740901766086e4a69f3a Author: Kenton Groombridge gentoo org> AuthorDate: Sat Feb 10 18:21:01 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Sat Feb 10 18:21:26 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e7b5b14 sys-cluster/flux: add 2.2.3, drop 2.0.1 Signed-off-by: Kenton Groombridge gentoo.org> sys-cluster/flux/Manifest | 6 +++--- sys-cluster/flux/{flux-2.0.1.ebuild => flux-2.2.3.ebuild} | 12 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/sys-cluster/flux/Manifest b/sys-cluster/flux/Manifest index 3271ef37fc3f..f92efbbbc1e1 100644 --- a/sys-cluster/flux/Manifest +++ b/sys-cluster/flux/Manifest 
@@ -1,9 +1,9 @@ DIST flux-0.41.2.tar.gz 395636 BLAKE2B 2d1732729709d0f753ff62aa5b5563b9d42f3cde42a98b5356607b640715e30afa9ebdfdb9c71281eff9188c91ea6e6b082ddc2198e4d790a76aaeb155b8ef2f SHA512 c68ad402c99b61ca9ef737749417b48dc4e852544d76311c11d94bff42c2e081a8e11e72e438cb9e1834ec7d48e69a30473aa6ab1d68c2684dde5c2b817000a2 -DIST flux-2.0.1.tar.gz 326362 BLAKE2B f42bff5dcbd5960ba8d57f0d65a4c38e597bb6e1beb57bc38f5055c316f121ed07bb38275db6262eb1c0b3bedafd47ec9284cc05ab84f0c6e7aebc7e8458560d SHA512 01c25c2c38c9612ffd280ede66eb01a2d4fced2ae9b4e36053afcb7742cde1aaa909d6ba983a7d60618a66b4e2f3153089bd71b2b8e1d6a0a45737bdef60d1e1 DIST flux-2.2.2.tar.gz 384815 BLAKE2B c79fee58360a5ad988c2bb58ee6ec32245ca685a14d4fa63e7c8c06b7d79d374bf0c22bf1ffe33b16085fb4532ec35503514e91b427aa067a2495e76ec61e9ad SHA512 d4b23ff189261d32f02682b3f57a5a81cb5faec87a8bd5a6cda7c044233761932e9f593c8019d1443fd1c63fb2585ffe6ee28084bf685802b163f36f5a2544a9 +DIST flux-2.2.3.tar.gz 388802 BLAKE2B 61bdea26e76f330fc5fc2007958551b2ee5127e66eafe9a5fd0b6b4082a9942ca1884c761d3367bb7d5e8ac9868ce6e2a05fbaf02ca82422747c46691318ca29 SHA512 5f263cb64b164967b5f66ed150384ab518783304d46e641cda048704a9cc91e011299d007e3734c18b71b660e694609a5ab16e9699ac55901d205fead4a86840 DIST flux2-0.41.2-deps.tar.xz 166945460 BLAKE2B 292ac5a66237916f1eeb8460f38f803fbe6bfec7cc6ee09512c0893928478049dbf8d482a897e7f4d5bed537f3cae3d73019d6c793764d1b15dc984724bc4ec7 SHA512 da36b3d78066cad548492d368df2b0d31c25a72f4fe4e5791b0c4315d5ed2625da5318b4a010395a587c072a07d23c6d6e7ff3c43bbf201dcd7d45a85dc24297 DIST flux2-0.41.2-manifests.tar.xz 22904 BLAKE2B e23150ff1b7617f144a1250c890cb48bccbfa4547cc2d46b6d6905349c969a8505e2bc23466a469bb0eae326ec571eb5987ae5c0768b648ba6e35b1daec2b039 SHA512 ba58ffa05be150e32a30a492d28cdc582c9b0e7162b768a83ca8d44a4a08fca195700f8c124cc39cf85a0c62dfbe380304c0d203d0f05619a1b65284d22278de -DIST flux2-2.0.1-deps.tar.xz 177273192 BLAKE2B 
36047e5d2232bd6a4b648b78861881aa1c883de9593d0f3172e83115a62649f6369396de05cfd850143581366f8e4501d0e54a4f422515fc7165b823a9833b96 SHA512 18ae557760a4c298cc9f7556b460b9c02d2b5516b735881d5907bd934fd4bb83cdf4fc613b8b9a493f65accc24abbc7836a98dfde86386e5d7466efcb8ae995d -DIST flux2-2.0.1-manifests.tar.xz 22916 BLAKE2B 00df38e004f2abd52566e642c299522f9e5910104ee88cdc0842b63bedccb10383e17d35eb8a7495db7036641f2fb6a2fe6fe01971017c413e95ba57e73e5894 SHA512 db0c3f7013ffec41b657047e53cad01f19427f2e46a94d52efa2e4031482b1b8cddb857fee26ecd35ecdb11029ec0da7f6917f2343730c44338a9b2792695e93 DIST flux2-2.2.2-deps.tar.xz 179877376 BLAKE2B f80135ad82f11a47ace00f3656147069ad8d7c389bbd18b6166c91d7381f06c2cf56371583e47eb2d3d9f6e292428e95c000ad4769a25ef2bdf0c2f6297b67e6 SHA512 5f8a82a19b2d5dde597aeaace21315a4feac4777996be18eed61422bae60e710519015ea5162a8818a12d05edfc22f47d1decea2d9a7c7a4488c2377e3b4f5d0 DIST flux2-2.2.2-manifests.tar.xz 26788 BLAKE2B 82a233abd4d68d20af7160d39cadef0dd48692d469892b7ebd780a12f8e81ee00ce1e5f09f90f77035b055f85378cd9ce5979bb6af5a8fbc9dd96e1f091453ce SHA512 51ce6b4d2b79c40d55a3df17d0b191ac313099c0d068ee02a3abc57c05aadcc0d3d8eed06793e411d57b31e7aee601e54a2e4f87e6f88d8bb835d5d6bbddf4c3 +DIST flux2-2.2.3-deps.tar.xz 199289224 BLAKE2B 18ee0bab84ac5c0c33b24dcaa4443fc959f351360bef0316e7b4d007f00428395a9b97c72bd7aeb37158064345de8a4e1263feff5082d67b77a5d4e3f1fe1c4e SHA512 f0636d02498be0047057386929dcaf7251b448e1f3716133e63124c85aec18db5d6a7f55924243f10631f2d1404eae7658eb8ca3d49d130c100e6da6f5102598 +DIST flux2-2.2.3-manifests.tar.xz 26796 BLAKE2B f37e25bb07a390cb08928881798ae7e0017b4628cc794a01e2a70bb01c1ff814d2ba39b8251e6ae178af70d8946d24b2fa57df808e36445032b8b8b860f93c12 SHA512 28dd16464e8348fe892242dfe9579dd9c6d9cb442c2024445042e314b12210bed75cbfa7d44ec68333d75a0dab6655ff238e5f2b22953f1d88703d3a3df0b562 
diff --git a/sys-cluster/flux/flux-2.0.1.ebuild b/sys-cluster/flux/flux-2.2.3.ebuild similarity index 72% rename from sys-cluster/flux/flux-2.0.1.ebuild rename to sys-cluster/flux/flux-2.2.3.ebuild index 3e8f5b0393f5..cad63d502521 100644 --- a/sys-cluster/flux/flux-2.0.1.ebuild +++ b/sys-cluster/flux/flux-2.2.3.ebuild @@ -1,14 +1,18 @@ -# Copyright 2023 Gentoo Authors +# Copyright 2023-2024 Gentoo Authors # Distributed under the term
[gentoo-commits] repo/gentoo:master commit in: sys-apps/mcstrans/
commit: b83fdda18c069a6b5af720db7ebd431091fcd3da Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:38:58 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:41:06 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b83fdda1 sys-apps/mcstrans: stabilize 3.6 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/mcstrans/mcstrans-3.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-apps/mcstrans/mcstrans-3.6.ebuild b/sys-apps/mcstrans/mcstrans-3.6.ebuild
index bbd7a4cc0378..5e3f390c215e 100644
--- a/sys-apps/mcstrans/mcstrans-3.6.ebuild
+++ b/sys-apps/mcstrans/mcstrans-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} == * ]] ; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
 S="${WORKDIR}/${MY_P}"
 fi
[gentoo-commits] repo/gentoo:master commit in: sys-apps/selinux-python/
commit: 59fab23942e9b457fa21d57a505772bec1331bc9 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:38:32 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:41:03 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59fab239 sys-apps/selinux-python: stabilize 3.6 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/selinux-python/selinux-python-3.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-apps/selinux-python/selinux-python-3.6.ebuild b/sys-apps/selinux-python/selinux-python-3.6.ebuild
index 20a1fea452bf..df383d6c8c4b 100644
--- a/sys-apps/selinux-python/selinux-python-3.6.ebuild
+++ b/sys-apps/selinux-python/selinux-python-3.6.ebuild
@@ -19,7 +19,7 @@ if [[ ${PV} == ]] ; then
 S="${WORKDIR}/${P}/${PN#selinux-}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
 S="${WORKDIR}/${MY_P}"
 fi
[gentoo-commits] repo/gentoo:master commit in: sys-apps/checkpolicy/
commit: e1703fbdbb6f9288b19541b408b55d2283abd853 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:38:09 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:41:00 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1703fbd sys-apps/checkpolicy: stabilize 3.6 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/checkpolicy/checkpolicy-3.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-apps/checkpolicy/checkpolicy-3.6.ebuild b/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
index 6d5e91d8b18a..35e87a352156 100644
--- a/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
+++ b/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} == ]] ; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
 S="${WORKDIR}/${MY_P}"
 fi
[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsemanage/
commit: e70aa9e9c0de8663fecbd59c4e26a0d17a41050d Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:37:56 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:40:59 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e70aa9e9 sys-libs/libsemanage: stabilize 3.6 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> sys-libs/libsemanage/libsemanage-3.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-libs/libsemanage/libsemanage-3.6.ebuild b/sys-libs/libsemanage/libsemanage-3.6.ebuild
index eb127413897f..94a270075a5b 100644
--- a/sys-libs/libsemanage/libsemanage-3.6.ebuild
+++ b/sys-libs/libsemanage/libsemanage-3.6.ebuild
@@ -18,7 +18,7 @@ if [[ ${PV} == ]]; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
 S="${WORKDIR}/${MY_P}"
 fi
[gentoo-commits] repo/gentoo:master commit in: sys-apps/policycoreutils/
commit: c4719a957590a9b209422d93c8136075c2781af7 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:38:21 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:41:02 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4719a95 sys-apps/policycoreutils: stabilize 3.6 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/policycoreutils/policycoreutils-3.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-apps/policycoreutils/policycoreutils-3.6.ebuild b/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
index b8625ff49cd8..e2527faa689b 100644
--- a/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
+++ b/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
@@ -24,7 +24,7 @@ if [[ ${PV} == ]]; then
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
 https://dev.gentoo.org/~perfinion/distfiles/policycoreut-extra-${EXTRAS_VER}.tar.bz2;
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
 S1="${WORKDIR}/${MY_P}"
 S2="${WORKDIR}/policycoreutils-extra"
 S="${S1}"
[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsepol/
commit: d395971abc52629d21910ddcb45d82f4737f8e78 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:37:09 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:40:54 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d395971a sys-libs/libsepol: stabilize 3.6 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> sys-libs/libsepol/libsepol-3.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-libs/libsepol/libsepol-3.6.ebuild b/sys-libs/libsepol/libsepol-3.6.ebuild
index 17fe4da89451..27b0f0542d4c 100644
--- a/sys-libs/libsepol/libsepol-3.6.ebuild
+++ b/sys-libs/libsepol/libsepol-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} == ]]; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
 S="${WORKDIR}/${MY_P}"
 fi
[gentoo-commits] repo/gentoo:master commit in: sys-apps/restorecond/
commit: cac47e2c7efc03943afb5711686aad6e7a147bb4 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:39:11 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:41:08 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cac47e2c sys-apps/restorecond: stabilize 3.6 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/restorecond/restorecond-3.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-apps/restorecond/restorecond-3.6.ebuild b/sys-apps/restorecond/restorecond-3.6.ebuild
index 794b84bc99e8..0b80f0fc989c 100644
--- a/sys-apps/restorecond/restorecond-3.6.ebuild
+++ b/sys-apps/restorecond/restorecond-3.6.ebuild
@@ -14,7 +14,7 @@ if [[ ${PV} == * ]] ; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
 S="${WORKDIR}/${MY_P}"
 fi
[gentoo-commits] repo/gentoo:master commit in: sys-libs/libselinux/
commit: fbeb6d4f8a1e551dd9ab5082e48942c9b0b4affb Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:37:41 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:40:57 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbeb6d4f sys-libs/libselinux: stabilize 3.6 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> sys-libs/libselinux/libselinux-3.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-libs/libselinux/libselinux-3.6.ebuild b/sys-libs/libselinux/libselinux-3.6.ebuild
index 941b189dd857..11ce9f3236ba 100644
--- a/sys-libs/libselinux/libselinux-3.6.ebuild
+++ b/sys-libs/libselinux/libselinux-3.6.ebuild
@@ -20,7 +20,7 @@ if [[ ${PV} == ]]; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
 S="${WORKDIR}/${MY_P}"
 fi
[gentoo-commits] repo/gentoo:master commit in: sys-apps/semodule-utils/
commit: 1f382b0971cc90a38d2e806f8e6b6e0307b58a65 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:38:44 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:41:05 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f382b09 sys-apps/semodule-utils: stabilize 3.6 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/semodule-utils/semodule-utils-3.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-apps/semodule-utils/semodule-utils-3.6.ebuild b/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
index 621cfaf21ea4..c63a41af0b43 100644
--- a/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
+++ b/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} == * ]] ; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
 S="${WORKDIR}/${MY_P}"
 fi
[gentoo-commits] repo/gentoo:master commit in: sys-apps/secilc/
commit: 574363f5a9143cdfcf02d0c526a19ea52d89f68f Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:37:28 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:40:55 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=574363f5 sys-apps/secilc: stabilize 3.6 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/secilc/secilc-3.6.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys-apps/secilc/secilc-3.6.ebuild b/sys-apps/secilc/secilc-3.6.ebuild
index 5c59b25c3742..59d8d927a345 100644
--- a/sys-apps/secilc/secilc-3.6.ebuild
+++ b/sys-apps/secilc/secilc-3.6.ebuild
@@ -16,7 +16,7 @@ if [[ ${PV} == ]]; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
- KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+ KEYWORDS="amd64 arm arm64 x86"
 S="${WORKDIR}/${MY_P}"
 fi
[gentoo-commits] repo/gentoo:master commit in: net-voip/mumble/
commit: bec8b5cb32f5888049bc3e0b777d8acc5c2ecf52 Author: Sebastian Parborg gmail com> AuthorDate: Fri Jan 26 14:05:00 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:40:50 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bec8b5cb net-voip/mumble: Update live ebuild Signed-off-by: Sebastian Parborg gmail.com> Closes: https://github.com/gentoo/gentoo/pull/30788 Signed-off-by: Kenton Groombridge gentoo.org> net-voip/mumble/mumble-.ebuild | 1 + 1 file changed, 1 insertion(+)
diff --git a/net-voip/mumble/mumble-.ebuild b/net-voip/mumble/mumble-.ebuild
index b5a027a596c1..7aba5eb04ba7 100644
--- a/net-voip/mumble/mumble-.ebuild
+++ b/net-voip/mumble/mumble-.ebuild
@@ -16,6 +16,7 @@ if [[ "${PV}" == ]] ; then
 # even if these components may not be compiled in
 EGIT_SUBMODULES=(
 '-*'
+ 3rdparty/cmake-compiler-flags
 3rdparty/FindPythonInterpreter
 3rdparty/gsl
 3rdparty/minhook
[gentoo-commits] repo/gentoo:master commit in: net-voip/mumble/
commit: 3a0b6aea3bcc3ebf5514e0411f9e0b4349d03c5c Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:10:45 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:40:51 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a0b6aea net-voip/mumble: update copyright year Signed-off-by: Kenton Groombridge gentoo.org> net-voip/mumble/mumble-.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net-voip/mumble/mumble-.ebuild b/net-voip/mumble/mumble-.ebuild
index 7aba5eb04ba7..79e98b80ec73 100644
--- a/net-voip/mumble/mumble-.ebuild
+++ b/net-voip/mumble/mumble-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7
[gentoo-commits] repo/gentoo:master commit in: app-admin/setools/
commit: c0908dc9869bcc0fcacfd37e511c22db5443044f Author: Kenton Groombridge gentoo org> AuthorDate: Fri Feb 9 14:36:43 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:40:52 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0908dc9 app-admin/setools: stabilize 4.4.4 for amd64, arm, arm64, x86 Signed-off-by: Kenton Groombridge gentoo.org> app-admin/setools/setools-4.4.4.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app-admin/setools/setools-4.4.4.ebuild b/app-admin/setools/setools-4.4.4.ebuild
index ec3d11050109..d74e1d12b4bf 100644
--- a/app-admin/setools/setools-4.4.4.ebuild
+++ b/app-admin/setools/setools-4.4.4.ebuild
@@ -18,7 +18,7 @@ if [[ ${PV} == ]] ; then
 S="${WORKDIR}/${P}"
 else
 SRC_URI="https://github.com/SELinuxProject/setools/releases/download/${PV}/${P}.tar.bz2;
- KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+ KEYWORDS="amd64 arm arm64 x86"
 S="${WORKDIR}/${PN}"
 fi
[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/
commit: 5321ea9752e70e9f151b927d4bffefad49d878cf Author: Sebastian Parborg gmail com> AuthorDate: Fri Apr 28 12:11:18 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:40:46 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5321ea97 net-voip/murmur: add 1.4.287-r2 The default install would not run out of the box and one needed to change the following to get it up and running: - Set the pidfile option to /run/murmur/murmur.pid in .ini config file - Change logfile setting to /var/log/murmur/murmur.log in ini file - Specify the database location to /var/lib/murmur/database.sqlite in the ini file. Otherwise it would complain that the database was read only and wouldn't start. - Needed to add avahi-daemon to "use" in the depend section in the init.d script to get zeroconf functionality to work. - Fix avahi command in initd file Clarified and simplified the post install message as well. Signed-off-by: Sebastian Parborg gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> net-voip/murmur/murmur-1.4.287-r2.ebuild | 200 +++ 1 file changed, 200 insertions(+) diff --git a/net-voip/murmur/murmur-1.4.287-r2.ebuild b/net-voip/murmur/murmur-1.4.287-r2.ebuild new file mode 100644 index ..f439f3c88309 --- /dev/null +++ b/net-voip/murmur/murmur-1.4.287-r2.ebuild 
@@ -0,0 +1,200 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit cmake flag-o-matic systemd readme.gentoo-r1 tmpfiles + +DESCRIPTION="Mumble is an open source, low-latency, high quality voice chat software" +HOMEPAGE="https://wiki.mumble.info; +if [[ "${PV}" == ]] ; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/mumble-voip/mumble.git; + EGIT_SUBMODULES=( '-*' ) +else + MY_PN="mumble" + if [[ "${PV}" == *_pre* ]] ; then + MY_P="${MY_PN}-${PV}" + SRC_URI="https://dev.gentoo.org/~concord/distfiles/${MY_P}.tar.xz; + S="${WORKDIR}/${MY_P}" + else + MY_PV="${PV/_/-}" + MY_P="${MY_PN}-${MY_PV}" + SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz + https://dl.mumble.info/${MY_P}.tar.gz; + S="${WORKDIR}/${MY_P}.src" + fi + KEYWORDS="~amd64 ~arm ~arm64 ~x86" +fi + +SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/mumble-1.4-openssl3.patch.xz; +SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/mumble-1.4-crypto-threads.patch.xz; +SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/mumble-1.4-odr.patch.xz; + +LICENSE="BSD" +SLOT="0" +IUSE="+dbus grpc +ice test zeroconf" +RESTRICT="!test? ( test )" + +RDEPEND=" + acct-group/murmur + acct-user/murmur + >=dev-libs/openssl-1.0.0b:0= + >=dev-libs/protobuf-2.2.0:= + dev-qt/qtcore:5 + dev-qt/qtnetwork:5[ssl] + || ( + dev-qt/qtsql:5[sqlite] + dev-qt/qtsql:5[mysql] + ) + dev-qt/qtxml:5 + sys-apps/lsb-release + >=sys-libs/libcap-2.15 + dbus? ( dev-qt/qtdbus:5 ) + grpc? ( net-libs/grpc ) + ice? ( dev-libs/Ice:= ) + zeroconf? 
( net-dns/avahi[mdnsresponder-compat] ) +" + +DEPEND="${RDEPEND} + dev-libs/boost + dev-qt/qttest:5 +" +BDEPEND=" + acct-group/murmur + acct-user/murmur + virtual/pkgconfig +" + +if [[ "${PV}" == * ]] ; then + # Required for the mkini.sh script which calls perl multiple times + BDEPEND+=" + dev-lang/perl + " +fi + +DOC_CONTENTS=" + Useful scripts are located in /usr/share/doc/${PF}/scripts. + The defualt 'SuperUser' password will be written into the log file + when starting murmur for the first time. + If you want to set it yourself, please execute: + su murmur -s /bin/bash -c 'mumble-server -ini /etc/murmur/murmur.ini -supw ' + to set the build-in 'SuperUser' password before starting murmur. + Please restart dbus before starting murmur, or else dbus + registration will fail. +" + +PATCHES=( + "${WORKDIR}/mumble-1.4-openssl3.patch" + "${WORKDIR}/mumble-1.4-crypto-threads.patch" + "${WORKDIR}/mumble-1.4-odr.patch" +) + +src_prepare() { + if [[ "${PV}" == * ]] ; then + pushd scripts &>/dev/null || die + ./mkini.sh || die + popd &>/dev/null || die + fi + + # Change dbus user from mumble-server to murmur + sed \ + -e 's:mumbl
[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/files/, net-voip/murmur/
commit: cdf97e00d9cc8120deb8ed2e00589d56ce26adc5 Author: Sebastian Parborg gmail com> AuthorDate: Wed May 31 17:49:43 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Feb 9 14:40:48 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdf97e00 net-voip/murmur: update live ebuild Signed-off-by: Sebastian Parborg gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> net-voip/murmur/files/murmur.confd-r2 | 9 +++ net-voip/murmur/murmur-.ebuild| 113 +++--- 2 files changed, 58 insertions(+), 64 deletions(-) diff --git a/net-voip/murmur/files/murmur.confd-r2 b/net-voip/murmur/files/murmur.confd-r2 new file mode 100644 index ..c8d3230b9974 --- /dev/null +++ b/net-voip/murmur/files/murmur.confd-r2 @@ -0,0 +1,9 @@ +# where to look for the config file +MURMUR_CONF=/etc/murmur/mumble-server.ini + +# run as this user +MURMUR_USER=murmur + +# HOME directory of MURMUR_USER +MURMUR_HOME=/var/lib/murmur + diff --git a/net-voip/murmur/murmur-.ebuild b/net-voip/murmur/murmur-.ebuild index 767d7a494eb3..b5d57c5bea38 100644 --- a/net-voip/murmur/murmur-.ebuild +++ b/net-voip/murmur/murmur-.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 @@ -10,7 +10,20 @@ HOMEPAGE="https://wiki.mumble.info; if [[ "${PV}" == ]] ; then inherit git-r3 EGIT_REPO_URI="https://github.com/mumble-voip/mumble.git; - EGIT_SUBMODULES=( '-*' 3rdparty/FindPythonInterpreter 3rdparty/gsl 3rdparty/tracy ) + + # needed for the included 3rdparty license script, + # even if these components may not be compiled in + EGIT_SUBMODULES=( + '-*' + 3rdparty/cmake-compiler-flags + 3rdparty/FindPythonInterpreter + 3rdparty/gsl + 3rdparty/minhook + 3rdparty/opus + 3rdparty/rnnoise-src + 3rdparty/speexdsp + 3rdparty/tracy + ) else MY_PN="mumble" if [[ "${PV}" == *_pre* ]] ; then 
@@ -29,7 +42,7 @@ fi LICENSE="BSD" SLOT="0" -IUSE="+dbus grpc +ice test zeroconf" +IUSE="+ice test zeroconf" RESTRICT="!test? ( test )" RDEPEND=" @@ -38,6 +51,7 @@ RDEPEND=" >=dev-libs/openssl-1.0.0b:0= >=dev-libs/protobuf-2.2.0:= dev-qt/qtcore:5 + dev-qt/qtdbus:5 dev-qt/qtnetwork:5[ssl] || ( dev-qt/qtsql:5[sqlite] @@ -46,8 +60,6 @@ RDEPEND=" dev-qt/qtxml:5 sys-apps/lsb-release >=sys-libs/libcap-2.15 - dbus? ( dev-qt/qtdbus:5 ) - grpc? ( net-libs/grpc ) ice? ( dev-libs/Ice:= ) zeroconf? ( net-dns/avahi[mdnsresponder-compat] ) " 
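Review bot: The `dbus` and `grpc` USE flags are dropped from IUSE (first hunk) and `dev-qt/qtdbus:5` becomes an unconditional RDEPEND (third hunk) without a comment saying why, and the commit message only says the live ebuild was updated. If this tracks upstream master no longer offering the gRPC interface and always building the D-Bus one — I cannot confirm that from the diff — a one-line comment above RDEPEND such as `# upstream master always builds the D-Bus interface and no longer offers gRPC` would spare the next maintainer a search. Users who previously built with `USE=-dbus` also lose that choice silently, so the reason is worth recording somewhere visible.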
@@ -62,58 +74,43 @@ BDEPEND=" virtual/pkgconfig " -if [[ "${PV}" == * ]] ; then - # Required for the mkini.sh script which calls perl multiple times - BDEPEND+=" - dev-lang/perl - " -fi - +DISABLE_AUTOFORMATTING="yes" DOC_CONTENTS=" - Useful scripts are located in /usr/share/doc/${PF}/scripts.\n - Please execute:\n - murmurd -ini /etc/murmur/murmur.ini -supw \n - chown murmur:murmur /var/lib/murmur/murmur.sqlite\n - to set the build-in 'SuperUser' password before starting murmur. - Please restart dbus before starting murmur, or else dbus - registration will fail. +The default 'SuperUser' password will be written into the log file +when starting murmur for the first time. + +If you want to manually set a password yourself, please execute: +su murmur -s /bin/bash -c 'mumble-server -ini /etc/murmur/mumble-server.ini -supw ' + +This will set the built-in 'SuperUser' password to '' when starting murmur. " src_prepare() { - if [[ "${PV}" == * ]] ; then - pushd scripts &>/dev/null || die - ./mkini.sh || die - popd &>/dev/null || die - fi - + # Adjust default server settings to be correct for our default setup sed \ - -e 's:mumble-server:murmur:g' \ - -e 's:/var/run:/run:g' \ - -i "${S}"/scripts/murmur.{conf,ini} || die + -e 's:database=:database=/var/lib/murmur/database.sqlite:' \ + -e 's:;logfile=mumble-server.log:logfile=/var/log/murmur/murmur.log:' \ + -e 's:;pidfile=:pidfile=/run/murmur/murmur.pid:' \ + -i auxiliary_files/mumble-server.ini || die - # Adjust systemd service file to our config location #689208 - sed \ - -e "s@/etc/${PN}\.ini@/etc/${PN}/${PN}.ini@" \ - -e "s@
[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsepol/
commit: f9c83ecfad63b6c0c513399376b52acb319c43fb Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:26:55 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:14 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9c83ecf sys-libs/libsepol: bump to 3.6 Signed-off-by: Kenton Groombridge gentoo.org> sys-libs/libsepol/Manifest| 1 + sys-libs/libsepol/libsepol-3.6.ebuild | 50 +++ 2 files changed, 51 insertions(+) diff --git a/sys-libs/libsepol/Manifest b/sys-libs/libsepol/Manifest index cef9954d3145..aeb3b703de01 100644 --- a/sys-libs/libsepol/Manifest +++ b/sys-libs/libsepol/Manifest @@ -1 +1,2 @@ DIST libsepol-3.5.tar.gz 497522 BLAKE2B dad2d346605be53fe41aef69e2e4bd4f1ce68a15f0b9307deb6b66bbe7bf06a9ee6be580e60d2f19aebbc8ee5041ac8a7b831b51342ba7c7089e1f1a447e7691 SHA512 66f45a9f4951589855961955db686b006b4c0cddead6ac49ad238a0e4a34775905bd10fb8cf0c0ff2ab64f9b7d8366b97fcd5b19c382dec39971a2835cc765c8 +DIST libsepol-3.6.tar.gz 509100 BLAKE2B c073c9437004df0c723125971ed26354dc6b8a78b069c593977062527342061303bcc48917fcd9623d17998748254f63408b233173f3c62e92ee0ea2f3c4a430 SHA512 35a42d2749fc4f71bc6b7488380714f56975564007128566f1c73e5c50bf81c17535b2cfda4583aacb4870aa2cd5885321c01523e415bda8b3326bfefb13d58e diff --git a/sys-libs/libsepol/libsepol-3.6.ebuild b/sys-libs/libsepol/libsepol-3.6.ebuild new file mode 100644 index ..17fe4da89451 --- /dev/null +++ b/sys-libs/libsepol/libsepol-3.6.ebuild 
@@ -0,0 +1,50 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit toolchain-funcs multilib-minimal
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux binary policy representation library"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} == ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+ S="${WORKDIR}/${P}/${PN}"
+else
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+ S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0/2"
+
+# tests are not meant to be run outside of the full SELinux userland repo
+RESTRICT="test"
+
+src_prepare() {
+ eapply_user
+ multilib_copy_sources
+}
+
+multilib_src_compile() {
+ tc-export CC AR RANLIB
+
+ local -x CFLAGS="${CFLAGS} -fno-semantic-interposition"
+
+ emake \
+ LIBDIR="\$(PREFIX)/$(get_libdir)" \
+ SHLIBDIR="/$(get_libdir)"
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" \
+ LIBDIR="\$(PREFIX)/$(get_libdir)" \
+ SHLIBDIR="/$(get_libdir)" \
+ install
+}
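Review bot: `multilib_src_compile` and `multilib_src_install` each spell out the same `LIBDIR="\$(PREFIX)/$(get_libdir)"` and `SHLIBDIR="/$(get_libdir)"` overrides, so the two invocations can drift apart the next time one of them is edited. A small wrapper keeps them in step: `my_emake() { emake LIBDIR="\$(PREFIX)/$(get_libdir)" SHLIBDIR="/$(get_libdir)" "$@"; }`, then `my_emake` in compile and `my_emake DESTDIR="${D}" install` in install. The `-fno-semantic-interposition` appended to CFLAGS also deserves a why-comment; presumably it is there so the compiler may inline calls inside the shared library instead of routing them through the PLT, e.g. `# allow intra-library calls to be inlined (symbols are not interposed)`.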
[gentoo-commits] repo/gentoo:master commit in: sys-apps/semodule-utils/
commit: 5e4c0876825ae97e95d3d80df48928210441bc28 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:27:57 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:25 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e4c0876 sys-apps/semodule-utils: bump to 3.6 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/semodule-utils/Manifest | 1 + sys-apps/semodule-utils/semodule-utils-3.6.ebuild | 42 +++ 2 files changed, 43 insertions(+) diff --git a/sys-apps/semodule-utils/Manifest b/sys-apps/semodule-utils/Manifest index 725172803562..0b70f909b56e 100644 --- a/sys-apps/semodule-utils/Manifest +++ b/sys-apps/semodule-utils/Manifest @@ -1 +1,2 @@ DIST semodule-utils-3.5.tar.gz 14383 BLAKE2B a1bb432013bca1023d99b32f43b2c972b6b807a4677f9d8c9fb9aff10225232506f3ecca86fc231b4c63d04582a91a1c4218f87ce5532a4d35a26a09665c6f10 SHA512 7c32f425ae71745040d1c6a6585149a1efb319913aa9d4c8bf185b0a4216dc66378fa38595b171614ee3ae4ade997d3ae56a060346e334faec55c419a87d71dd +DIST semodule-utils-3.6.tar.gz 12844 BLAKE2B e5e7501c412649f471e89cc89569d6c51421e0b46f172f243ce778bbe3a2c658ef9a92e3f3e1e07fb3358e25f63e004b6bd4b56619472fbcae8cb5b916d54170 SHA512 16b58bbafcaef9a2e8e34a20d0e1e4024a9044024de8fa3137c5ba1b9af600afac51c15ccb648dd6bff77747c047f4c9feafeea07c19b1eb14955acc92697a48 diff --git a/sys-apps/semodule-utils/semodule-utils-3.6.ebuild b/sys-apps/semodule-utils/semodule-utils-3.6.ebuild new file mode 100644 index ..621cfaf21ea4 --- /dev/null +++ b/sys-apps/semodule-utils/semodule-utils-3.6.ebuild 
@@ -0,0 +1,42 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux policy module utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} == * ]] ; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+ S="${WORKDIR}/${P}/${PN}"
+else
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+
+DEPEND=">=sys-libs/libsepol-${PV}:="
+RDEPEND="${DEPEND}"
+
+src_prepare() {
+ default
+
+ sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror"
+}
+
+src_compile() {
+ emake CC="$(tc-getCC)"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+}
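Review bot: `src_compile` hands the compiler to make as `emake CC="$(tc-getCC)"`, whereas the mcstrans and restorecond 3.6 ebuilds added in the same series use `tc-export CC` followed by `default`; three ebuilds built from the same upstream tree and committed minutes apart should pick one idiom. Either form works, but switching this one to `tc-export CC` / `default` makes the three read alike and leaves a single place to touch if a `LIBDIR` or `LDFLAGS` override is needed later. The `sed` that strips `-Werror` is fine as written: `sed -i` fails on a missing file and `|| die` surfaces it.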
[gentoo-commits] repo/gentoo:master commit in: sys-apps/mcstrans/
commit: 7e9f8ef9196f519fb710e880b92de0184f520bf3 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:28:07 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:27 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e9f8ef9 sys-apps/mcstrans: bump to 3.6 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/mcstrans/Manifest| 1 + sys-apps/mcstrans/mcstrans-3.6.ebuild | 51 +++ 2 files changed, 52 insertions(+) diff --git a/sys-apps/mcstrans/Manifest b/sys-apps/mcstrans/Manifest index 19f5562abbf7..aafb84a12eef 100644 --- a/sys-apps/mcstrans/Manifest +++ b/sys-apps/mcstrans/Manifest @@ -1 +1,2 @@ DIST mcstrans-3.5.tar.gz 45091 BLAKE2B c6604075a6b37d7bf10e2daee40d9f034a26c5d56b81973cbc3b39621bdf5e2cb1d5906e91942e09ff077a14facafcc2464995675d8df31930707033fac5db90 SHA512 f4d3b04750e197c6abd31f1642af4b53a4fe0e968952a7ade992909f903d7486c1e72733963453563fcbc9745273c8238f169f520550df1470e7f6e4d6e56665 +DIST mcstrans-3.6.tar.gz 42199 BLAKE2B 0f1b4ed212994037b062c42887e2629ae7374e0cbbd79692588ce164440eafddc6d7ab15d58f6064d68781a5a8fd614c9cfa734c4dbe1d3fea1dbb0f8191ddc1 SHA512 2c01a70741675faa41e8a9243f3cf08b558e568d7ae343874ff9c269473ba2748d42e0b45871d82d6c9b01bf71547835d547683f1aa5a8cf626708c7c69569fc diff --git a/sys-apps/mcstrans/mcstrans-3.6.ebuild b/sys-apps/mcstrans/mcstrans-3.6.ebuild new file mode 100644 index ..bbd7a4cc0378 --- /dev/null +++ b/sys-apps/mcstrans/mcstrans-3.6.ebuild 
@@ -0,0 +1,51 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux context translation to human readable names"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} == * ]] ; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+ S="${WORKDIR}/${P}/${PN}"
+else
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+
+DEPEND=">=sys-libs/libsepol-${PV}:=
+ >=sys-libs/libselinux-${PV}:=
+ dev-libs/libpcre2:=
+ >=sys-libs/libcap-1.10-r10:="
+
+RDEPEND="${DEPEND}"
+
+src_prepare() {
+ default
+
+ sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror"
+}
+
+src_compile() {
+ tc-export CC
+ default
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ rm -rf "${D}/etc/rc.d" || die
+
+ newinitd "${FILESDIR}/mcstransd.init" mcstransd
+}
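Review bot: `rm -rf "${D}/etc/rc.d" || die` in `src_install` removes from `${D}`, but in EAPI 7 file operations on the installed image are expected to go through `${ED}` so that a prefixed install is handled; the line should read `rm -rf "${ED}/etc/rc.d" || die` (the `emake DESTDIR="${D}" install` above it is the one place `${D}` belongs). The restorecond 3.6 ebuild added in the next commit has the same `${D}` path. Separately, `rm -rf … || die` can never trigger when the directory is absent, so if a later upstream release stops shipping `etc/rc.d` the removal silently becomes a no-op; dropping `-f` (`rm -r`) would make that change noticeable.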
[gentoo-commits] repo/gentoo:master commit in: sys-apps/restorecond/
commit: c7b146ac346a4e3f09e471a439c1181204652021 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:28:16 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:28 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7b146ac sys-apps/restorecond: bump to 3.6 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/restorecond/Manifest | 1 + sys-apps/restorecond/restorecond-3.6.ebuild | 53 + 2 files changed, 54 insertions(+) diff --git a/sys-apps/restorecond/Manifest b/sys-apps/restorecond/Manifest index 49a27c18e262..c48a0b0fc5a8 100644 --- a/sys-apps/restorecond/Manifest +++ b/sys-apps/restorecond/Manifest @@ -1 +1,2 @@ DIST restorecond-3.5.tar.gz 19070 BLAKE2B 6db7d0fc9085a07669d346e025836a94acca610572e986e2c90974b0bd21b55e66b57a2dafd7d42011bed5f06363b654f5431ac43530fccf7b68d3edd9d63850 SHA512 80cb84e62c7072a12fe57ebaafc0bcb441c853862c67f9ea35b86faa2d8e49ea22a70b9e05a3ff24e8ce08ca2999604d7961efd534f89167cd6fcb05c852de40 +DIST restorecond-3.6.tar.gz 18020 BLAKE2B 306b4a7c9990c0b2f229cc7963dbd0481df5f9fbecd709b37d254839177fc604f6f85ac19235209f4fbb12d9186f01dd71a11f98deca5d01bd70c415240ddf5a SHA512 e21fa23bfea488f2bddd01b4bab353f22863e09247078e47db9852995d7a0153aee6483cbeaaaf033b482b60f80affad0b6a3e829f935c3901c034a7efb1ebef diff --git a/sys-apps/restorecond/restorecond-3.6.ebuild b/sys-apps/restorecond/restorecond-3.6.ebuild new file mode 100644 index ..794b84bc99e8 --- /dev/null +++ b/sys-apps/restorecond/restorecond-3.6.ebuild 
@@ -0,0 +1,53 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit systemd toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+if [[ ${PV} == * ]] ; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+ S="${WORKDIR}/${P}/${PN}"
+else
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="Daemon to watch for creation and set default SELinux fcontexts"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+LICENSE="GPL-2"
+SLOT="0"
+
+DEPEND="dev-libs/glib:2
+ >=sys-libs/libsepol-${PV}:=
+ >=sys-libs/libselinux-${PV}:="
+
+RDEPEND="${DEPEND}"
+
+src_prepare() {
+ default
+
+ sed -i 's/-Werror//g' "${S}"/Makefile || die "Failed to remove Werror"
+}
+
+src_compile() {
+ tc-export CC
+ default
+}
+
+src_install() {
+ emake DESTDIR="${D}" \
+ SYSTEMDSYSTEMUNITDIR="$(systemd_get_systemunitdir)" \
+ SYSTEMDUSERUNITDIR=$(systemd_get_userunitdir) \
+ install
+
+ rm -rf "${D}/etc/rc.d" || die
+
+ newinitd "${FILESDIR}/restorecond.init" restorecond
+}
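Review bot: The two unit-directory overrides in `src_install` are quoted differently — `SYSTEMDSYSTEMUNITDIR="$(systemd_get_systemunitdir)"` but `SYSTEMDUSERUNITDIR=$(systemd_get_userunitdir)`; as a command argument to `emake` the unquoted one is subject to word splitting if the path ever contains whitespace, and it reads as an oversight. Quote it like its sibling: `SYSTEMDUSERUNITDIR="$(systemd_get_userunitdir)" \`. `DESCRIPTION` and `HOMEPAGE` also sit after the `${PV}` conditional here while the mcstrans ebuild in the previous commit places them before it; ordering the header the same way across the three new ebuilds makes them easier to compare.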
[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsemanage/
commit: 8fd6723fded6592794592e644383730f2e635845 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:27:20 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:18 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fd6723f sys-libs/libsemanage: bump to 3.6 Signed-off-by: Kenton Groombridge gentoo.org> sys-libs/libsemanage/Manifest | 1 + sys-libs/libsemanage/libsemanage-3.6.ebuild | 130 2 files changed, 131 insertions(+) diff --git a/sys-libs/libsemanage/Manifest b/sys-libs/libsemanage/Manifest index f9d01749aa6b..a3f9dcc60c04 100644 --- a/sys-libs/libsemanage/Manifest +++ b/sys-libs/libsemanage/Manifest @@ -1,2 +1,3 @@ DIST libsemanage-3.4.tar.gz 185177 BLAKE2B 45276ae6f54cf3dc453bc0d99fb4d7439970bb14ff5b909ebc5511ec31bce1d2bdc477ba9c1fb4fd04ab494ccb37cd8bf47a90d81460c2974af2196d9019bf67 SHA512 831dc789545bb9a0b009bdb4f7fe52f6197ad8325946640f886a960d08e40b8a69eccd5a70cce51466bb5cb7f742feb78d19a9ec63383fbd03aa451508677e73 DIST libsemanage-3.5.tar.gz 185060 BLAKE2B 3e08b15cb6b335a2747bd5f0bd84f74abdd22a7e8ec91ebb443ca6fe3886d5e8cd2827fefdaa0e9caf2af3280cffbf593ee828fee54dd423a21b257493cc754c SHA512 959fbd0d6bc6849da6caa13dc41c3f8818cbbd29f04b5d2ac7246c4b395b4f370f113a04cc9cfcb52be2afebfa636013ac4ad4011384c58c7ce066a45cae2751 +DIST libsemanage-3.6.tar.gz 182583 BLAKE2B 3ed9ef06601093983fa41ad6ab9f7eeae241dce98937db04efca6f421afcfd3f59cf5e51d24c596ae03997a398949ed84fbdf629518e3c382a5453129b0a87ab SHA512 8998b6a1b254a9673b99ae4d70a1edc769bb728a44f573cdf62e0a9c9392b77644ee2d70e1936a2f8a9a7f8b063ce98a981f4b8b7060f5b82791889330d69364 diff --git a/sys-libs/libsemanage/libsemanage-3.6.ebuild b/sys-libs/libsemanage/libsemanage-3.6.ebuild new file mode 100644 index ..eb127413897f --- /dev/null +++ b/sys-libs/libsemanage/libsemanage-3.6.ebuild 
@@ -0,0 +1,130 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 +PYTHON_COMPAT=( python3_{10..11} ) + +inherit python-r1 toolchain-funcs multilib-minimal + +MY_PV="${PV//_/-}" +MY_P="${PN}-${MY_PV}" + +DESCRIPTION="SELinux kernel and policy management library" +HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki; + +if [[ ${PV} == ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git; + S="${WORKDIR}/${P}/${PN}" +else + SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz; + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86" + S="${WORKDIR}/${MY_P}" +fi + +LICENSE="GPL-2" +SLOT="0/2" +REQUIRED_USE="${PYTHON_REQUIRED_USE}" + +RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}] + >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] + >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}] + >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] + ${PYTHON_DEPS}" +DEPEND="${RDEPEND}" +BDEPEND=">=dev-lang/swig-2.0.4-r1 + app-alternatives/yacc + app-alternatives/lex + virtual/pkgconfig" + +# tests are not meant to be run outside of the +# full SELinux userland repo +RESTRICT="test" + +src_prepare() { + eapply_user + + echo >> "${S}/src/semanage.conf" + echo "# Set this to true to save the linked policy." >> "${S}/src/semanage.conf" + echo "# This is normally only useful for analysis" >> "${S}/src/semanage.conf" + echo "# or debugging of policy." >> "${S}/src/semanage.conf" + echo "save-linked=false" >> "${S}/src/semanage.conf" + echo >> "${S}/src/semanage.conf" + echo "# Set this to 0 to disable assertion checking." >> "${S}/src/semanage.conf" + echo "# This should speed up building the kernel policy" >> "${S}/src/semanage.conf" + echo "# from policy modules, but may leave you open to" >> "${S}/src/semanage.conf" + echo "# dangerous rules which assertion checking" >> "${S}/src/semanage.conf" + echo "# would catch." 
>> "${S}/src/semanage.conf" + echo "expand-check=1" >> "${S}/src/semanage.conf" + echo >> "${S}/src/semanage.conf" + echo "# Modules in the module store can be compressed" >> "${S}/src/semanage.conf" + echo "# with bzip2. Set this to the bzip2 blocksize" >> "${S}/src/semanage.conf" + echo "# 1-9 when compressing. The higher the number," >> "${S}/src/semanage.conf"
[gentoo-commits] repo/gentoo:master commit in: sys-apps/selinux-python/
commit: e8a0328496f17ade59847bd3ddfb529c7a333e7f Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:27:48 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:23 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8a03284 sys-apps/selinux-python: bump to 3.6 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/selinux-python/Manifest | 1 + sys-apps/selinux-python/selinux-python-3.6.ebuild | 114 ++ 2 files changed, 115 insertions(+) diff --git a/sys-apps/selinux-python/Manifest b/sys-apps/selinux-python/Manifest index 79672fd06f4c..36a775ec9d10 100644 --- a/sys-apps/selinux-python/Manifest +++ b/sys-apps/selinux-python/Manifest @@ -1 +1,2 @@ DIST selinux-python-3.5.tar.gz 3604439 BLAKE2B 5a7fcd303c337cb0f5ae0066d13c945bb5cacaba472c7b17f0496295294998fcc6d81c153720ef704b749a01590c28b48b4f471a48fc386b8f02564c3550250b SHA512 2ac176a9f078f2b2721e5871ba21e92041eed54fc692fd8d809ff14327beee6de63b3084d0f1053a640b9e40bcc6461498915bb9b038a658cd772f77d80fd217 +DIST selinux-python-3.6.tar.gz 3633272 BLAKE2B c2b99779eda2c7698f7f68740e3136cbfa5ab471a5d154142aafd2694d8c32aa605df3609a3667c687449d3ba44e72bcc3b37c36adecba8e34fcc629b9f04de5 SHA512 6289f3f2a3038b2cb62f6b3b12c729a9981c34a5ee80c0830e6316e8c77f5283dffa46007f6e7dc073332b829ed9953ba54e64c986fb18c7dc40759ec0375dc9 diff --git a/sys-apps/selinux-python/selinux-python-3.6.ebuild b/sys-apps/selinux-python/selinux-python-3.6.ebuild new file mode 100644 index ..20a1fea452bf --- /dev/null +++ b/sys-apps/selinux-python/selinux-python-3.6.ebuild 
@@ -0,0 +1,114 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 +PYTHON_COMPAT=( python3_{10..11} ) +PYTHON_REQ_USE="xml(+)" + +inherit python-r1 toolchain-funcs + +MY_PV="${PV//_/-}" +MY_P="${PN}-${MY_PV}" + +DESCRIPTION="SELinux core utilities" +HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki; + +if [[ ${PV} == ]] ; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git; + S="${WORKDIR}/${P}/${PN#selinux-}" +else + SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz; + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" + S="${WORKDIR}/${MY_P}" +fi + +LICENSE="GPL-2" +SLOT="0" +IUSE="test" +RESTRICT="!test? ( test )" +REQUIRED_USE="${PYTHON_REQUIRED_USE}" + +RDEPEND=">=sys-libs/libselinux-${PV}:=[python] + >=sys-libs/libsemanage-${PV}:=[python(+)] + >=sys-libs/libsepol-${PV}:= + >=app-admin/setools-4.2.0[${PYTHON_USEDEP}] + >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] + ${PYTHON_DEPS}" +DEPEND="${RDEPEND}" +BDEPEND=" + test? ( + ${RDEPEND} + >=sys-apps/secilc-${PV} + )" + +src_prepare() { + default + sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror" + + python_copy_sources +} + +src_compile() { + building() { + emake -C "${BUILD_DIR}" \ + CC="$(tc-getCC)" \ + LIBDIR="\$(PREFIX)/$(get_libdir)" + } + python_foreach_impl building +} + +src_test() { + testing() { + # The different subprojects have some interproject dependencies: + # - audit2allow depens on sepolgen + # - chcat depends on semanage + # and maybe others. + # Add all the modules of the individual subprojects to the + # PYTHONPATH, so they get actually found and used. In + # particular, already installed versions on the system are not + # used. 
+ for dir in audit2allow chcat semanage sepolgen/src sepolicy ; do + PYTHONPATH="${BUILD_DIR}/${dir}:${PYTHONPATH}" + done + PYTHONPATH=${PYTHONPATH} \ + emake -C "${BUILD_DIR}" \ + test + } + python_foreach_impl testing +} + +src_install() { + installation() { + emake -C "${BUILD_DIR}" \ + DESTDIR="${D}" \ + LIBDIR="\$(PREFIX)/$(get_libdir)" \ + install + python_optimize + } + python_foreach_impl installation + + # Set version-specific scripts + for pyscript in audit2allow sepolgen-ifgen sepolicy chcat; do + python_replicate_script "${ED}/usr/bin/${pyscript}" + done + for pyscript in semanage; do + python_replicate_s
[gentoo-commits] repo/gentoo:master commit in: sys-apps/checkpolicy/
commit: 2b30c5b2a0d1a79a5c803d745ec3ff2f50f3dafb Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:27:29 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:20 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b30c5b2 sys-apps/checkpolicy: bump to 3.6 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/checkpolicy/Manifest | 1 + sys-apps/checkpolicy/checkpolicy-3.6.ebuild | 54 + 2 files changed, 55 insertions(+) diff --git a/sys-apps/checkpolicy/Manifest b/sys-apps/checkpolicy/Manifest index d3279c23fc81..d8d08681182e 100644 --- a/sys-apps/checkpolicy/Manifest +++ b/sys-apps/checkpolicy/Manifest @@ -1 +1,2 @@ DIST checkpolicy-3.5.tar.gz 69904 BLAKE2B e02ccad07534568a1bbb612330018bbe486800ea40df20ed6f9dc38c88aff7f8858782a28ba7915a58c3bb384f180eb8da7a8fe97a92bcb9baa61eec18da6cbc SHA512 fcd490d865af3b4350c32c5dd9916f8406219841e1e255d8945c6dcc958535247aa27af5597a6988e19f11faea7beeabcb46e8ba2431112bb4aa5c7697bca529 +DIST checkpolicy-3.6.tar.gz 70684 BLAKE2B d32a8b86897bd4a08caf61a096a691c8d049fa7b5b4561f4847e0dfbb62a82fc6c3ddb5be163c7cd6163491c50513aec14e4c67842f256f48688b26178c2887a SHA512 0d48fb385b4d1e66d562e40b6e794406f46d8803cc504705b26547130cb13b65fab5fdb4fc032b1c95d4f91862ff134a89fffde854c5ce466c2dd2657e416070 diff --git a/sys-apps/checkpolicy/checkpolicy-3.6.ebuild b/sys-apps/checkpolicy/checkpolicy-3.6.ebuild new file mode 100644 index ..6d5e91d8b18a --- /dev/null +++ b/sys-apps/checkpolicy/checkpolicy-3.6.ebuild 
@@ -0,0 +1,54 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux policy compiler"
+HOMEPAGE="http://userspace.selinuxproject.org;
+
+if [[ ${PV} == ]] ; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+ S="${WORKDIR}/${P}/${PN}"
+else
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+ S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="debug"
+
+DEPEND=">=sys-libs/libsepol-${PV}"
+BDEPEND="sys-devel/flex
+ sys-devel/bison"
+
+RDEPEND=">=sys-libs/libsepol-${PV}"
+
+src_compile() {
+ emake \
+ CC="$(tc-getCC)" \
+ YACC="bison -y" \
+ LIBDIR="\$(PREFIX)/$(get_libdir)"
+}
+
+src_install() {
+ default
+
+ if use debug; then
+ dobin "${S}/test/dismod"
+ dobin "${S}/test/dispol"
+ fi
+}
+
+pkg_postinst() {
+ if ! tc-is-cross-compiler; then
+ einfo "This checkpolicy can compile version `checkpolicy -V | cut -f 1 -d ' '` policy."
+ fi
+}
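Review bot: `HOMEPAGE="http://userspace.selinuxproject.org"` in the new checkpolicy-3.6.ebuild is a plain-http URL and is the odd one out in this series: the secilc, libselinux, libsemanage and policycoreutils ebuilds bumped alongside it all use `HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"`, which is the form I would use here too so the metadata is consistent and reached over TLS. Separately, `pkg_postinst` composes its message by running `checkpolicy -V` from PATH with only `tc-is-cross-compiler` as a guard; when merging into a non-empty `ROOT` this presumably reports whatever checkpolicy the build host has rather than the binary just installed, so I would widen the guard to `if ! tc-is-cross-compiler && [[ -z ${ROOT} ]]; then` and, as a matter of style, use `$(checkpolicy -V | cut -f 1 -d ' ')` instead of backticks.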
[gentoo-commits] repo/gentoo:master commit in: sys-apps/semodule-utils/
commit: 7b7cb4319d3d7a629e56a3e5361732f4fa6f5703 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:26:32 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:09 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b7cb431 sys-apps/semodule-utils: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/semodule-utils/semodule-utils-.ebuild | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sys-apps/semodule-utils/semodule-utils-.ebuild b/sys-apps/semodule-utils/semodule-utils-.ebuild index 525188411f40..621cfaf21ea4 100644 --- a/sys-apps/semodule-utils/semodule-utils-.ebuild +++ b/sys-apps/semodule-utils/semodule-utils-.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" @@ -23,7 +23,6 @@ fi LICENSE="GPL-2" SLOT="0" -IUSE="" DEPEND=">=sys-libs/libsepol-${PV}:=" RDEPEND="${DEPEND}"
[gentoo-commits] repo/gentoo:master commit in: sys-apps/policycoreutils/
commit: 5b5ba532a660c3e09552473500f03b9c6b380f28 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:27:38 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:22 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b5ba532 sys-apps/policycoreutils: bump to 3.6 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/policycoreutils/Manifest | 1 + .../policycoreutils/policycoreutils-3.6.ebuild | 168 + 2 files changed, 169 insertions(+) diff --git a/sys-apps/policycoreutils/Manifest b/sys-apps/policycoreutils/Manifest index cfc08315c275..6983b77d03e7 100644 --- a/sys-apps/policycoreutils/Manifest +++ b/sys-apps/policycoreutils/Manifest @@ -1,2 +1,3 @@ DIST policycoreutils-3.5.tar.gz 775639 BLAKE2B 777b8564484e89385db7a184c4cad9a99aabf1fd1ac41abd5826c7e6ad29118ae9d6f0d0fd968b6ced87f2f04bc6d7cd207b67428151522915367f656fb8d3f8 SHA512 7978ef6b7a278c6384c9b397734d03c4932c8aefecceaa1e6a1345be27b253dbe276fdcd219ce83ad732c6ed55d53bbc3254e39bccadd67d2cd1152a14749444 +DIST policycoreutils-3.6.tar.gz 755682 BLAKE2B a8b180c8006989192d152651dcfa51856956780bfe1139cc1dc0162eb66ba1eef4f7d64f68a48479572b02e2e97a68c7082722a745d22a9453e8378373319e3c SHA512 e1f32e6e0310b879a5aadab157b103314a61bf3b8fd59c1212d701fbf39900e3b9a0b727338988103d784a7e505355a871ba519dd91520b135a3b9dae40bf1b0 DIST policycoreutils-extra-1.37.tar.bz2 8809 BLAKE2B a7f6122c2e27f54b018174e962bd7f4c14af04e09bbb5300bde6967ea7f2dc5cd03b5787919a4e7f5288bcbc6747922962b5bd3b588ab1e3a035fbff4910d8f5 SHA512 0a85cd7cf279256b5e1927f9dfdd89626a1c8b77b0aeb62b496e7e8d1dccbaa315e39f9308fb2df7270f0bc1c10787b19990e7365cad74b47b61e30394c8b23f diff --git a/sys-apps/policycoreutils/policycoreutils-3.6.ebuild b/sys-apps/policycoreutils/policycoreutils-3.6.ebuild new file mode 100644 index ..b8625ff49cd8 --- /dev/null +++ b/sys-apps/policycoreutils/policycoreutils-3.6.ebuild 
@@ -0,0 +1,168 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" +PYTHON_COMPAT=( python3_{10..11} ) +PYTHON_REQ_USE="xml(+)" + +inherit python-r1 toolchain-funcs bash-completion-r1 + +MY_PV="${PV//_/-}" +MY_P="${PN}-${MY_PV}" +EXTRAS_VER="1.37" + +DESCRIPTION="SELinux core utilities" +HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki; + +if [[ ${PV} == ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git; + SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2; + S1="${WORKDIR}/${P}/${PN}" + S2="${WORKDIR}/policycoreutils-extra" + S="${S1}" +else + SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz + https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2; + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" + S1="${WORKDIR}/${MY_P}" + S2="${WORKDIR}/policycoreutils-extra" + S="${S1}" +fi + +LICENSE="GPL-2" +SLOT="0" +IUSE="audit pam split-usr" +REQUIRED_USE="${PYTHON_REQUIRED_USE}" + +DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}] + >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}] + >=sys-libs/libsepol-${PV}:= + sys-libs/libcap-ng:= + >=app-admin/setools-4.2.0[${PYTHON_USEDEP}] + audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] ) + pam? 
( sys-libs/pam:= ) + ${PYTHON_DEPS}" + +# Avoid dependency loop in the cross-compile case, bug #755173 +# (Still exists in native) +BDEPEND="sys-devel/gettext" + +# pax-utils for scanelf used by rlpkg +RDEPEND="${DEPEND} + app-misc/pax-utils" + +PDEPEND="sys-apps/semodule-utils + sys-apps/selinux-python" + +src_unpack() { + # Override default one because we need the SRC_URI ones even in case of ebuilds + default + if [[ ${PV} == ]] ; then + git-r3_src_unpack + fi +} + +src_prepare() { + S="${S1}" + cd "${S}" || die "Failed to switch to ${S}" + if [[ ${PV} != ]] ; then + # If needed for live ebuilds please use /etc/portage/patches + eapply "${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch" + fi + + # rlpkg is more useful than fixfiles + sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \ + || die "fixfiles sed 1 failed" + sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \ + || die "fixfiles sed 2 failed" + + eapply_us
[gentoo-commits] repo/gentoo:master commit in: sys-apps/secilc/
commit: fb7c91bd11413199c4d4a47e993a2454ace36912 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:27:04 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:15 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb7c91bd sys-apps/secilc: bump to 3.6 Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/secilc/Manifest | 1 + sys-apps/secilc/secilc-3.6.ebuild | 37 + 2 files changed, 38 insertions(+) diff --git a/sys-apps/secilc/Manifest b/sys-apps/secilc/Manifest index 9fe706f87af0..36fef1449bdc 100644 --- a/sys-apps/secilc/Manifest +++ b/sys-apps/secilc/Manifest @@ -1 +1,2 @@ DIST secilc-3.5.tar.gz 180803 BLAKE2B a42620318b312a5ef35565e3b40a89fd7ff44aaf73de835bc349f927193121b72c07bd2151a8a6b2cee53e2699a3ae6bb246084e18a181d334ebc082fdfdc56e SHA512 eff37a981072c4b9c7c15bf4709db8797d8af5325883515f5c2fe611136b24419f6d01c797e4f131c9c08e1ba40576fcb2094b1e34325aae8351b6299bdba3dd +DIST secilc-3.6.tar.gz 185186 BLAKE2B 47fdc281cad69339eb23226a277df8c8086557fe3a2c7f013eef38bbfcd62584e318ce2d79552388617687b39c37e67a1328b808becbecad364253b7527d3a52 SHA512 91381aae1444822c7897729c1695ca221a4226dcec042b2223a55800d1247510ef2033b844d8d0627623fb15b8169a626fb0ca2efeee8090635219c4139eabf5 diff --git a/sys-apps/secilc/secilc-3.6.ebuild b/sys-apps/secilc/secilc-3.6.ebuild new file mode 100644 index ..5c59b25c3742 --- /dev/null +++ b/sys-apps/secilc/secilc-3.6.ebuild 
@@ -0,0 +1,37 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+inherit toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux Common Intermediate Language (CIL) Compiler"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} == ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+ S="${WORKDIR}/${P}/${PN}"
+else
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+ KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+ S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+
+DEPEND=">=sys-libs/libsepol-${PV}"
+RDEPEND="${DEPEND}"
+BDEPEND="app-text/xmlto"
+
+# tests are not meant to be run outside of the
+# full SELinux userland repo
+RESTRICT="test"
+
+src_compile() {
+ tc-export CC
+ default
+}
[gentoo-commits] repo/gentoo:master commit in: sys-apps/restorecond/
commit: 9c1177cedb72bc536c8a0846326a983fc4b6611b Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:26:47 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:12 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c1177ce sys-apps/restorecond: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/restorecond/restorecond-.ebuild | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sys-apps/restorecond/restorecond-.ebuild b/sys-apps/restorecond/restorecond-.ebuild index a55a218edd6c..794b84bc99e8 100644 --- a/sys-apps/restorecond/restorecond-.ebuild +++ b/sys-apps/restorecond/restorecond-.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" @@ -23,7 +23,6 @@ HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki; LICENSE="GPL-2" SLOT="0" -IUSE="" DEPEND="dev-libs/glib:2 >=sys-libs/libsepol-${PV}:=
[gentoo-commits] repo/gentoo:master commit in: sys-apps/mcstrans/
commit: 23435ef811345b7e141841a958ecc02dfbd18096 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:26:39 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:11 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23435ef8 sys-apps/mcstrans: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/mcstrans/mcstrans-.ebuild | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sys-apps/mcstrans/mcstrans-.ebuild b/sys-apps/mcstrans/mcstrans-.ebuild index 5cad428935de..bbd7a4cc0378 100644 --- a/sys-apps/mcstrans/mcstrans-.ebuild +++ b/sys-apps/mcstrans/mcstrans-.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" @@ -23,7 +23,6 @@ fi LICENSE="GPL-2" SLOT="0" -IUSE="" DEPEND=">=sys-libs/libsepol-${PV}:= >=sys-libs/libselinux-${PV}:=
[gentoo-commits] repo/gentoo:master commit in: sys-apps/policycoreutils/
commit: 42432f8f58e64a9ea77dd3db8c010a2b7f8399ac Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:26:16 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:06 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42432f8f sys-apps/policycoreutils: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/policycoreutils/policycoreutils-.ebuild | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sys-apps/policycoreutils/policycoreutils-.ebuild b/sys-apps/policycoreutils/policycoreutils-.ebuild index 6df44f548cc8..b8625ff49cd8 100644 --- a/sys-apps/policycoreutils/policycoreutils-.ebuild +++ b/sys-apps/policycoreutils/policycoreutils-.ebuild @@ -1,11 +1,11 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" -PYTHON_COMPAT=( python3_{9..11} ) +PYTHON_COMPAT=( python3_{10..11} ) PYTHON_REQ_USE="xml(+)" -inherit multilib python-r1 toolchain-funcs bash-completion-r1 +inherit python-r1 toolchain-funcs bash-completion-r1 MY_PV="${PV//_/-}" MY_P="${PN}-${MY_PV}"
[gentoo-commits] repo/gentoo:master commit in: sys-libs/libselinux/
commit: ad05a1d7e765f6c4e4cc3e196dbade6753eb75a8 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:27:12 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:17 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad05a1d7 sys-libs/libselinux: bump to 3.6 Signed-off-by: Kenton Groombridge gentoo.org> sys-libs/libselinux/Manifest | 1 + sys-libs/libselinux/libselinux-3.6.ebuild | 158 ++ 2 files changed, 159 insertions(+) diff --git a/sys-libs/libselinux/Manifest b/sys-libs/libselinux/Manifest index c6efbb8e1ed0..3dedaef745f7 100644 --- a/sys-libs/libselinux/Manifest +++ b/sys-libs/libselinux/Manifest @@ -1 +1,2 @@ DIST libselinux-3.5.tar.gz 211453 BLAKE2B f7f3067c4bb0448e18bd7085135f11d94ae99728949480a655c0f660486817beb5829d8a43dff7bce286ccd50705b0c657bde85970f01c794e01fb707f469d8b SHA512 4e13261a5821018a5f3cdce676f180bb62e5bc225981ca8a498ece0d1c88d9ba8eaa0ce4099dd0849309a8a7c5a9a0953df841a9922f2c284e5a109e5d937ba7 +DIST libselinux-3.6.tar.gz 194210 BLAKE2B 615198d47ecfb4b6274810cbe32cce5953dd44d1d04e8ce244213dc4ddbd61cde3515f4650046b805cf98f341aba718af8d7a9e1d66773172031ac19599f6032 SHA512 182dcdf3510083ff4b9376a4a6d6a7b33905ac3c5e974c188bf3965686c54b663162c543ecf15eab75102f3c91a2502d33d0f1104dec01dd9b14737ef3f2b544 diff --git a/sys-libs/libselinux/libselinux-3.6.ebuild b/sys-libs/libselinux/libselinux-3.6.ebuild new file mode 100644 index ..941b189dd857 --- /dev/null +++ b/sys-libs/libselinux/libselinux-3.6.ebuild 
@@ -0,0 +1,158 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" +PYTHON_COMPAT=( python3_{10..12} ) +USE_RUBY="ruby31 ruby32 ruby33" + +# No, I am not calling ruby-ng +inherit python-r1 toolchain-funcs multilib-minimal + +MY_PV="${PV//_/-}" +MY_P="${PN}-${MY_PV}" + +DESCRIPTION="SELinux userland library" +HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki; + +if [[ ${PV} == ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git; + S="${WORKDIR}/${P}/${PN}" +else + SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz; + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86" + S="${WORKDIR}/${MY_P}" +fi + +LICENSE="public-domain" +SLOT="0" +IUSE="python ruby static-libs ruby_targets_ruby31 ruby_targets_ruby32 ruby_targets_ruby33" +REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" + +RDEPEND="dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}] + >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] + python? ( ${PYTHON_DEPS} ) + ruby? ( + ruby_targets_ruby31? ( dev-lang/ruby:3.1 ) + ruby_targets_ruby32? ( dev-lang/ruby:3.2 ) + ruby_targets_ruby33? ( dev-lang/ruby:3.3 ) + ) + elibc_musl? ( sys-libs/fts-standalone )" +DEPEND="${RDEPEND}" +BDEPEND="virtual/pkgconfig + python? ( + >=dev-lang/swig-2.0.9 + dev-python/pip[${PYTHON_USEDEP}] +) + ruby? 
( >=dev-lang/swig-2.0.9 )" + +src_prepare() { + eapply_user + + multilib_copy_sources +} + +multilib_src_compile() { + tc-export AR CC PKG_CONFIG RANLIB + + local -x CFLAGS="${CFLAGS} -fno-semantic-interposition" + + emake \ + LIBDIR="\$(PREFIX)/$(get_libdir)" \ + SHLIBDIR="/$(get_libdir)" \ + LDFLAGS="-fPIC ${LDFLAGS} -pthread" \ + USE_PCRE2=y \ + FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \ + all + + if multilib_is_native_abi && use python; then + building() { + emake \ + LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \ + LIBDIR="\$(PREFIX)/$(get_libdir)" \ + SHLIBDIR="/$(get_libdir)" \ + USE_PCRE2=y \ + FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \ + pywrap + } + python_foreach_impl building + fi + + if multilib_is_native_abi && use ruby; then + building() { + einfo "Calling rubywrap for ${1}" + # Clean up .lo file to force rebuild + rm -f src/selinuxswig_ruby_wrap.lo || die + emake \ + RUBY=${1} \ + LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \ + LIBDIR="\$(PR
[gentoo-commits] repo/gentoo:master commit in: sys-apps/selinux-python/
commit: f4c787d27fac252f19b9c1924ae94ae8fd504e39 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:26:24 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:08 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4c787d2 sys-apps/selinux-python: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/selinux-python/selinux-python-.ebuild | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys-apps/selinux-python/selinux-python-.ebuild b/sys-apps/selinux-python/selinux-python-.ebuild index 470211f8d553..20a1fea452bf 100644 --- a/sys-apps/selinux-python/selinux-python-.ebuild +++ b/sys-apps/selinux-python/selinux-python-.ebuild @@ -1,8 +1,8 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{9..11} ) +PYTHON_COMPAT=( python3_{10..11} ) PYTHON_REQ_USE="xml(+)" inherit python-r1 toolchain-funcs
[gentoo-commits] repo/gentoo:master commit in: sys-apps/checkpolicy/
commit: dbae134de49afb55add279a26f720c75da5ac470 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:26:08 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:05 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbae134d sys-apps/checkpolicy: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/checkpolicy/checkpolicy-.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys-apps/checkpolicy/checkpolicy-.ebuild b/sys-apps/checkpolicy/checkpolicy-.ebuild index 496db82366f7..6d5e91d8b18a 100644 --- a/sys-apps/checkpolicy/checkpolicy-.ebuild +++ b/sys-apps/checkpolicy/checkpolicy-.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7"
[gentoo-commits] repo/gentoo:master commit in: app-admin/setools/
commit: cee102b9f47d416612fcf36b5f80d3bb99011b57 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:51:31 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:28:57 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cee102b9 app-admin/setools: add 4.4.4 Bug: https://bugs.gentoo.org/922136 Signed-off-by: Kenton Groombridge gentoo.org> app-admin/setools/Manifest | 1 + app-admin/setools/setools-4.4.4.ebuild | 57 ++ 2 files changed, 58 insertions(+) diff --git a/app-admin/setools/Manifest b/app-admin/setools/Manifest index ebb92c6431fe..2e475c76c75d 100644 --- a/app-admin/setools/Manifest +++ b/app-admin/setools/Manifest @@ -1 +1,2 @@ DIST setools-4.4.2.tar.bz2 261962 BLAKE2B 7c8e47d8c15f1eb72d93da5d3ae1a64e857ed0a75e1a47bbad9e4b0d11180581d9e4705ebe942e460acbc4d68261f06f9b03a8c4af1516cc388c201e30dca75e SHA512 4e8cba61ca28459387d862136a2d8ee0914c4bcd254a6d39792cbfcbbf7e58cb82223c05d66c114b08aebbd75c11cef11517c51f674ddb3c1913dc85414546c1 +DIST setools-4.4.4.tar.bz2 262867 BLAKE2B d64605ef050a2d51531e2a180bff086da536aa8d5e5c8cb96a81e137f575d089f9e9ec117cf0de9864f07174d92258b27ebf8fbc462714ef50bbd6d9f80d0a60 SHA512 ef72a7244ba0c724c4aea3afc40d71427e9c0592715f81cccaa8917e96836a88807ea78039c11c261dd3b4d72294accd76ab4bd37447cd500772030245db3c6e diff --git a/app-admin/setools/setools-4.4.4.ebuild b/app-admin/setools/setools-4.4.4.ebuild new file mode 100644 index ..ec3d11050109 --- /dev/null +++ b/app-admin/setools/setools-4.4.4.ebuild 
@@ -0,0 +1,57 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+
+DISTUTILS_EXT=1
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit distutils-r1
+
+DESCRIPTION="Policy Analysis Tools for SELinux"
+HOMEPAGE="https://github.com/SELinuxProject/setools/wiki;
+
+if [[ ${PV} == ]] ; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/SELinuxProject/setools.git;
+ S="${WORKDIR}/${P}"
+else
+ SRC_URI="https://github.com/SELinuxProject/setools/releases/download/${PV}/${P}.tar.bz2;
+ KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+ S="${WORKDIR}/${PN}"
+fi
+
+LICENSE="GPL-2 LGPL-2.1"
+SLOT="0"
+IUSE="test X"
+RESTRICT="!test? ( test )"
+
+RDEPEND="${PYTHON_DEPS}
+ >=dev-python/networkx-2.0[${PYTHON_USEDEP}]
+ dev-python/setuptools[${PYTHON_USEDEP}]
+ >=sys-libs/libsepol-3.2:=
+ >=sys-libs/libselinux-3.2:=
+ X? (
+ dev-python/PyQt5[gui,widgets,${PYTHON_USEDEP}]
+ )"
+DEPEND="${RDEPEND}"
+BDEPEND=">=dev-python/cython-0.27[${PYTHON_USEDEP}]
+ test? (
+ sys-apps/checkpolicy
+ )"
+
+distutils_enable_tests pytest
+
+python_prepare_all() {
+ sed -i "s@^lib_dirs = .*@lib_dirs = ['${ROOT:-/}usr/$(get_libdir)']@" "${S}"/setup.py || \
+ die "failed to set lib_dirs"
+
+ use X || PATCHES+=( "${FILESDIR}"/setools-4.4.2-remove-gui.patch )
+ distutils-r1_python_prepare_all
+}
+
+python_test() {
+ rm -rf setools || die
+ epytest
+}
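Review bot: The `sed` in `python_prepare_all` rewrites setup.py's `lib_dirs` to `'${ROOT:-/}usr/$(get_libdir)'`, and under EAPI 8 (visible at the top of the file), where `ROOT` carries no trailing slash and is empty for /, that expands to `/usr/lib64` natively but to `/foousr/lib64` for `ROOT=/foo`; `ROOT` is also the runtime root, not where the libraries the extension links against at build time (libsepol/libselinux, judging by the `:=` dependencies) are found. The build-time location is `ESYSROOT`, so I would write `sed -i "s@^lib_dirs = .*@lib_dirs = ['${ESYSROOT}/usr/$(get_libdir)']@" "${S}"/setup.py || die "failed to set lib_dirs"`, which also folds the `|| \` continuation onto one line. The same line is carried verbatim in the live ebuild updated in this series, so the change would apply there as well.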
[gentoo-commits] repo/gentoo:master commit in: sys-libs/libselinux/
commit: 53934b03bc007e741ed1e0664d049e73bac440b0 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:25:53 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:02 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53934b03 sys-libs/libselinux: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> sys-libs/libselinux/libselinux-.ebuild | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sys-libs/libselinux/libselinux-.ebuild b/sys-libs/libselinux/libselinux-.ebuild index f5475a7744c4..941b189dd857 100644 --- a/sys-libs/libselinux/libselinux-.ebuild +++ b/sys-libs/libselinux/libselinux-.ebuild @@ -1,9 +1,9 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" PYTHON_COMPAT=( python3_{10..12} ) -USE_RUBY="ruby30 ruby31 ruby32" +USE_RUBY="ruby31 ruby32 ruby33" # No, I am not calling ruby-ng inherit python-r1 toolchain-funcs multilib-minimal @@ -26,16 +26,16 @@ fi LICENSE="public-domain" SLOT="0" -IUSE="python ruby static-libs ruby_targets_ruby30 ruby_targets_ruby31 ruby_targets_ruby32" +IUSE="python ruby static-libs ruby_targets_ruby31 ruby_targets_ruby32 ruby_targets_ruby33" REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" RDEPEND="dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}] >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] python? ( ${PYTHON_DEPS} ) ruby? ( - ruby_targets_ruby30? ( dev-lang/ruby:3.0 ) ruby_targets_ruby31? ( dev-lang/ruby:3.1 ) ruby_targets_ruby32? ( dev-lang/ruby:3.2 ) + ruby_targets_ruby33? ( dev-lang/ruby:3.3 ) ) elibc_musl? ( sys-libs/fts-standalone )" DEPEND="${RDEPEND}"
[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsemanage/
commit: 5430490f316af3e51845574c41adff0c61add9b9 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:26:00 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:03 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5430490f sys-libs/libsemanage: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> sys-libs/libsemanage/libsemanage-.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys-libs/libsemanage/libsemanage-.ebuild b/sys-libs/libsemanage/libsemanage-.ebuild index 7c2c0548cf0e..eb127413897f 100644 --- a/sys-libs/libsemanage/libsemanage-.ebuild +++ b/sys-libs/libsemanage/libsemanage-.ebuild @@ -2,7 +2,7 @@ # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{9..11} ) +PYTHON_COMPAT=( python3_{10..11} ) inherit python-r1 toolchain-funcs multilib-minimal
[gentoo-commits] repo/gentoo:master commit in: app-admin/setools/
commit: 2e2caf41499f1d20f0f52d34fadb9ae8f566c4da Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:32:53 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:28:55 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e2caf41 app-admin/setools: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> app-admin/setools/setools-.ebuild | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app-admin/setools/setools-.ebuild b/app-admin/setools/setools-.ebuild index 2d9636b33744..ec3d11050109 100644 --- a/app-admin/setools/setools-.ebuild +++ b/app-admin/setools/setools-.ebuild @@ -1,11 +1,11 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="8" DISTUTILS_EXT=1 DISTUTILS_USE_PEP517=setuptools -PYTHON_COMPAT=( python3_{10..11} ) +PYTHON_COMPAT=( python3_{10..12} ) inherit distutils-r1 @@ -28,6 +28,7 @@ IUSE="test X" RESTRICT="!test? ( test )" RDEPEND="${PYTHON_DEPS} + >=dev-python/networkx-2.0[${PYTHON_USEDEP}] dev-python/setuptools[${PYTHON_USEDEP}] >=sys-libs/libsepol-3.2:= >=sys-libs/libselinux-3.2:= @@ -37,7 +38,6 @@ RDEPEND="${PYTHON_DEPS} DEPEND="${RDEPEND}" BDEPEND=">=dev-python/cython-0.27[${PYTHON_USEDEP}] test? ( - >=dev-python/networkx-2.0[${PYTHON_USEDEP}] sys-apps/checkpolicy )"
[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsepol/
commit: ae10056b740bbceac5d5f7391a5b884c5eff Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:25:31 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:28:59 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae10056b sys-libs/libsepol: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> sys-libs/libsepol/libsepol-.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys-libs/libsepol/libsepol-.ebuild b/sys-libs/libsepol/libsepol-.ebuild index f682823e4643..17fe4da89451 100644 --- a/sys-libs/libsepol/libsepol-.ebuild +++ b/sys-libs/libsepol/libsepol-.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7"
[gentoo-commits] repo/gentoo:master commit in: sys-apps/secilc/
commit: 8dfbd781a9e3e4992d5ed88fcf0602bbc46d0927 Author: Kenton Groombridge gentoo org> AuthorDate: Wed Jan 17 00:25:46 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Jan 17 01:29:00 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8dfbd781 sys-apps/secilc: update live ebuild Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/secilc/secilc-.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys-apps/secilc/secilc-.ebuild b/sys-apps/secilc/secilc-.ebuild index 76eeb7422445..5c59b25c3742 100644 --- a/sys-apps/secilc/secilc-.ebuild +++ b/sys-apps/secilc/secilc-.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7"
[gentoo-commits] repo/gentoo:master commit in: sys-cluster/flux/
commit: 4af9ff9c6bcfa40154a0a82c9ea6ca454a8937d9 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Dec 22 16:15:38 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Dec 22 16:23:54 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4af9ff9c sys-cluster/flux: add 2.2.2 Signed-off-by: Kenton Groombridge gentoo.org> sys-cluster/flux/Manifest | 3 +++ sys-cluster/flux/flux-2.2.2.ebuild | 37 + 2 files changed, 40 insertions(+) diff --git a/sys-cluster/flux/Manifest b/sys-cluster/flux/Manifest index 466852070eed..3271ef37fc3f 100644 --- a/sys-cluster/flux/Manifest +++ b/sys-cluster/flux/Manifest 
@@ -1,6 +1,9 @@ DIST flux-0.41.2.tar.gz 395636 BLAKE2B 2d1732729709d0f753ff62aa5b5563b9d42f3cde42a98b5356607b640715e30afa9ebdfdb9c71281eff9188c91ea6e6b082ddc2198e4d790a76aaeb155b8ef2f SHA512 c68ad402c99b61ca9ef737749417b48dc4e852544d76311c11d94bff42c2e081a8e11e72e438cb9e1834ec7d48e69a30473aa6ab1d68c2684dde5c2b817000a2 DIST flux-2.0.1.tar.gz 326362 BLAKE2B f42bff5dcbd5960ba8d57f0d65a4c38e597bb6e1beb57bc38f5055c316f121ed07bb38275db6262eb1c0b3bedafd47ec9284cc05ab84f0c6e7aebc7e8458560d SHA512 01c25c2c38c9612ffd280ede66eb01a2d4fced2ae9b4e36053afcb7742cde1aaa909d6ba983a7d60618a66b4e2f3153089bd71b2b8e1d6a0a45737bdef60d1e1 +DIST flux-2.2.2.tar.gz 384815 BLAKE2B c79fee58360a5ad988c2bb58ee6ec32245ca685a14d4fa63e7c8c06b7d79d374bf0c22bf1ffe33b16085fb4532ec35503514e91b427aa067a2495e76ec61e9ad SHA512 d4b23ff189261d32f02682b3f57a5a81cb5faec87a8bd5a6cda7c044233761932e9f593c8019d1443fd1c63fb2585ffe6ee28084bf685802b163f36f5a2544a9 DIST flux2-0.41.2-deps.tar.xz 166945460 BLAKE2B 292ac5a66237916f1eeb8460f38f803fbe6bfec7cc6ee09512c0893928478049dbf8d482a897e7f4d5bed537f3cae3d73019d6c793764d1b15dc984724bc4ec7 SHA512 da36b3d78066cad548492d368df2b0d31c25a72f4fe4e5791b0c4315d5ed2625da5318b4a010395a587c072a07d23c6d6e7ff3c43bbf201dcd7d45a85dc24297 DIST flux2-0.41.2-manifests.tar.xz 22904 BLAKE2B e23150ff1b7617f144a1250c890cb48bccbfa4547cc2d46b6d6905349c969a8505e2bc23466a469bb0eae326ec571eb5987ae5c0768b648ba6e35b1daec2b039 SHA512 ba58ffa05be150e32a30a492d28cdc582c9b0e7162b768a83ca8d44a4a08fca195700f8c124cc39cf85a0c62dfbe380304c0d203d0f05619a1b65284d22278de DIST flux2-2.0.1-deps.tar.xz 177273192 BLAKE2B 36047e5d2232bd6a4b648b78861881aa1c883de9593d0f3172e83115a62649f6369396de05cfd850143581366f8e4501d0e54a4f422515fc7165b823a9833b96 SHA512 18ae557760a4c298cc9f7556b460b9c02d2b5516b735881d5907bd934fd4bb83cdf4fc613b8b9a493f65accc24abbc7836a98dfde86386e5d7466efcb8ae995d DIST flux2-2.0.1-manifests.tar.xz 22916 BLAKE2B 
00df38e004f2abd52566e642c299522f9e5910104ee88cdc0842b63bedccb10383e17d35eb8a7495db7036641f2fb6a2fe6fe01971017c413e95ba57e73e5894 SHA512 db0c3f7013ffec41b657047e53cad01f19427f2e46a94d52efa2e4031482b1b8cddb857fee26ecd35ecdb11029ec0da7f6917f2343730c44338a9b2792695e93 +DIST flux2-2.2.2-deps.tar.xz 179877376 BLAKE2B f80135ad82f11a47ace00f3656147069ad8d7c389bbd18b6166c91d7381f06c2cf56371583e47eb2d3d9f6e292428e95c000ad4769a25ef2bdf0c2f6297b67e6 SHA512 5f8a82a19b2d5dde597aeaace21315a4feac4777996be18eed61422bae60e710519015ea5162a8818a12d05edfc22f47d1decea2d9a7c7a4488c2377e3b4f5d0 +DIST flux2-2.2.2-manifests.tar.xz 26788 BLAKE2B 82a233abd4d68d20af7160d39cadef0dd48692d469892b7ebd780a12f8e81ee00ce1e5f09f90f77035b055f85378cd9ce5979bb6af5a8fbc9dd96e1f091453ce SHA512 51ce6b4d2b79c40d55a3df17d0b191ac313099c0d068ee02a3abc57c05aadcc0d3d8eed06793e411d57b31e7aee601e54a2e4f87e6f88d8bb835d5d6bbddf4c3 diff --git a/sys-cluster/flux/flux-2.2.2.ebuild b/sys-cluster/flux/flux-2.2.2.ebuild new file mode 100644 index ..a5454a53db5e --- /dev/null +++ b/sys-cluster/flux/flux-2.2.2.ebuild 
@@ -0,0 +1,37 @@ +# Copyright 2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +inherit bash-completion-r1 go-module + +DESCRIPTION="Flux is a tool for keeping Kubernetes clusters in sync" +HOMEPAGE="https://fluxcd.io https://github.com/fluxcd/flux2; +SRC_URI="https://github.com/fluxcd/flux2/archive/v${PV}.tar.gz -> ${P}.tar.gz" +SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/flux2-${PV}-deps.tar.xz; +# Manifests require kustomize to build. Do it with: make cmd/flux/.manifests.done +SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/flux2-${PV}-manifests.tar.xz; + +LICENSE="Apache-2.0 BSD BSD-2 ISC MIT MPL-2.0" +SLOT="0" +KEYWORDS="~amd64" +IUSE="hardened" + +BDEPEND=">=dev-lang/go-1.19" + +RESTRICT+=" test" +S="${WORKDIR}/flux2-${PV}" + +src_compile() { + mv "${WORKDIR}"/manifests cmd/"${PN}" || die + CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')" \ + ego build -ldflags="-s -w -X main.VERSION=${PV}" -o ./bin/${PN} ./cmd/${PN} +} + +src_install() { + dobin bin/${PN} + bin/${PN}
[gentoo-commits] repo/gentoo:master commit in: sys-cluster/kubeseal/
commit: 448d48e0bf7d178fe2feaa8cd7baed2b13095989 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Dec 22 16:14:36 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Dec 22 16:23:52 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=448d48e0 sys-cluster/kubeseal: drop 0.21.0 Signed-off-by: Kenton Groombridge gentoo.org> sys-cluster/kubeseal/Manifest | 2 -- sys-cluster/kubeseal/kubeseal-0.21.0.ebuild | 32 - 2 files changed, 34 deletions(-) diff --git a/sys-cluster/kubeseal/Manifest b/sys-cluster/kubeseal/Manifest index 50fce63d7bfe..f8ea32cf0349 100644 --- a/sys-cluster/kubeseal/Manifest +++ b/sys-cluster/kubeseal/Manifest 
@@ -1,5 +1,3 @@ -DIST sealed-secrets-0.21.0-deps.tar.xz 51527452 BLAKE2B 0f2518167321760a6eed37ae69464b36f5c29c085487c21259e9e115f812fb50ebf3039e625971c9862e022a70abb5d4620262d4c30420e95c756a8731519639 SHA512 d53cf1575cda1c34d5823863bf9c6a0ca477ab85942706589f38ac9ec81f7c82396fa45b7f84fc3b45f2ee0180d28276515b670ddbe0b3ecfcccb506f36106ad -DIST sealed-secrets-0.21.0.tar.gz 1295839 BLAKE2B d1dd9ccb9ef60fcb8cc8ea8a038d714d0055313868ee2c848c287a57a5b1f7e674c68dbb1f7d3e8a03a98db70fcc5447b5a1672cb4088cd10c5ee95fee35c693 SHA512 e527189daaa259d5301086fd47a87b7daa1cf1da0a729ba59a46064e4e915d3af08fceede22f35a912b5d692cf29aaf6508780cf97b29d779de5d771cec29bf8 DIST sealed-secrets-0.23.0-deps.tar.xz 52956852 BLAKE2B 85d3ec425e86c76757ba60c3a1f3f4b1d7453429f789573f1ff80d5329c15df4c54a2feb74932812b18167001512d13c4a8a2a1c550ed6715d9ca13f66e9aac7 SHA512 5cc767566c22a7f00f2980f8e023149e57c078bd5e11581b25d629d689c504547ef6d2ba6032b400e8040a82804af8b56ed44fc487d15a3071f329fdfbdeb0e7 DIST sealed-secrets-0.23.0.tar.gz 1315727 BLAKE2B eb37a18e3f8d89f6096098c7a8b6f0d99c21a0e6f03c3a6ea2047b5c29c8021ca5b0ebc15fce0f53f2d2d37d99fe346a4c06d3d1782c31cbccdb72750daef37e SHA512 79fb2f66c900e340cb64b2fc5571b2d7cca3debcc8442d8e53139a4fbdcb11ef9be7aad337eced2f9e574d5d7b6af8ee45a5ab8a0229330736a412d415e90952 DIST sealed-secrets-0.24.5-deps.tar.xz 53092736 BLAKE2B 09b29581ebea10e4c873bd76c1e41ee0eeb4fc99e5bd39450c946252f9e922facd5892fb916a62e3105f272f6c6c0429c42117fbd34717bbca692b14098850e2 SHA512 e64f8e14a3a68987653420244e8c23a0b080f1955b3987d6efb22be3c58ed32fd5c11cc615eae3ac9295aa4041638598f906672551d180514bc1edf99f66bb61 diff --git a/sys-cluster/kubeseal/kubeseal-0.21.0.ebuild b/sys-cluster/kubeseal/kubeseal-0.21.0.ebuild deleted file mode 100644 index d4f364c86e91.. --- a/sys-cluster/kubeseal/kubeseal-0.21.0.ebuild +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright 2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 -inherit go-module - -MY_PN="sealed-secrets" -MY_P="${MY_PN}-${PV}" - -DESCRIPTION="Client-side utility for one-way encrypted secrets in kubernetes" -HOMEPAGE="https://github.com/bitnami-labs/sealed-secrets; -SRC_URI="https://github.com/bitnami-labs/sealed-secrets/archive/v${PV}.tar.gz -> ${MY_P}.tar.gz" -SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${MY_P}-deps.tar.xz; - -LICENSE="Apache-2.0 BSD ISC MIT" -SLOT="0" -KEYWORDS="~amd64" -IUSE="hardened" - -BDEPEND=">=dev-lang/go-1.19" - -RESTRICT+=" test" -S="${WORKDIR}/${MY_P}" - -src_compile() { - CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')" \ - emake -j1 GOFLAGS="" GOLDFLAGS="" LDFLAGS="" VERSION="v${PV}" ${PN} -} - -src_install() { - dobin ${PN} -}
[gentoo-commits] repo/gentoo:master commit in: sys-cluster/kubeseal/
commit: e799557b641006f66b1a985a63e6e848879616d7 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Dec 22 16:14:03 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Dec 22 16:23:51 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e799557b sys-cluster/kubeseal: add 0.24.5 Signed-off-by: Kenton Groombridge gentoo.org> sys-cluster/kubeseal/Manifest | 2 ++ sys-cluster/kubeseal/kubeseal-0.24.5.ebuild | 32 + 2 files changed, 34 insertions(+) diff --git a/sys-cluster/kubeseal/Manifest b/sys-cluster/kubeseal/Manifest index 36be019d9cf8..50fce63d7bfe 100644 --- a/sys-cluster/kubeseal/Manifest +++ b/sys-cluster/kubeseal/Manifest 
@@ -2,3 +2,5 @@ DIST sealed-secrets-0.21.0-deps.tar.xz 51527452 BLAKE2B 0f2518167321760a6eed37ae DIST sealed-secrets-0.21.0.tar.gz 1295839 BLAKE2B d1dd9ccb9ef60fcb8cc8ea8a038d714d0055313868ee2c848c287a57a5b1f7e674c68dbb1f7d3e8a03a98db70fcc5447b5a1672cb4088cd10c5ee95fee35c693 SHA512 e527189daaa259d5301086fd47a87b7daa1cf1da0a729ba59a46064e4e915d3af08fceede22f35a912b5d692cf29aaf6508780cf97b29d779de5d771cec29bf8 DIST sealed-secrets-0.23.0-deps.tar.xz 52956852 BLAKE2B 85d3ec425e86c76757ba60c3a1f3f4b1d7453429f789573f1ff80d5329c15df4c54a2feb74932812b18167001512d13c4a8a2a1c550ed6715d9ca13f66e9aac7 SHA512 5cc767566c22a7f00f2980f8e023149e57c078bd5e11581b25d629d689c504547ef6d2ba6032b400e8040a82804af8b56ed44fc487d15a3071f329fdfbdeb0e7 DIST sealed-secrets-0.23.0.tar.gz 1315727 BLAKE2B eb37a18e3f8d89f6096098c7a8b6f0d99c21a0e6f03c3a6ea2047b5c29c8021ca5b0ebc15fce0f53f2d2d37d99fe346a4c06d3d1782c31cbccdb72750daef37e SHA512 79fb2f66c900e340cb64b2fc5571b2d7cca3debcc8442d8e53139a4fbdcb11ef9be7aad337eced2f9e574d5d7b6af8ee45a5ab8a0229330736a412d415e90952 +DIST sealed-secrets-0.24.5-deps.tar.xz 53092736 BLAKE2B 09b29581ebea10e4c873bd76c1e41ee0eeb4fc99e5bd39450c946252f9e922facd5892fb916a62e3105f272f6c6c0429c42117fbd34717bbca692b14098850e2 SHA512 e64f8e14a3a68987653420244e8c23a0b080f1955b3987d6efb22be3c58ed32fd5c11cc615eae3ac9295aa4041638598f906672551d180514bc1edf99f66bb61 +DIST sealed-secrets-0.24.5.tar.gz 1311827 BLAKE2B 1a567722cf98b10ec41a8477554209c0e196cc181c4a559d945a3f19cb8dffeb9bcb1e8638eaa8df6c3266d2086ef749dcba2b49e2edcce20afb12351daf829d SHA512 e0a552f99a866af3b3304182bbdd824a6e7490c6410e3e4b29ffd2ec0e6e9c1f4d7f30a9499ac8b20c3e0313b6bf5e1e26aa14fd67c5725df8eeaf36299e308a diff --git a/sys-cluster/kubeseal/kubeseal-0.24.5.ebuild b/sys-cluster/kubeseal/kubeseal-0.24.5.ebuild new file mode 100644 index ..d4f364c86e91 --- /dev/null +++ b/sys-cluster/kubeseal/kubeseal-0.24.5.ebuild 
@@ -0,0 +1,32 @@
+# Copyright 2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module
+
+MY_PN="sealed-secrets"
+MY_P="${MY_PN}-${PV}"
+
+DESCRIPTION="Client-side utility for one-way encrypted secrets in kubernetes"
+HOMEPAGE="https://github.com/bitnami-labs/sealed-secrets;
+SRC_URI="https://github.com/bitnami-labs/sealed-secrets/archive/v${PV}.tar.gz -> ${MY_P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${MY_P}-deps.tar.xz;
+
+LICENSE="Apache-2.0 BSD ISC MIT"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="hardened"
+
+BDEPEND=">=dev-lang/go-1.19"
+
+RESTRICT+=" test"
+S="${WORKDIR}/${MY_P}"
+
+src_compile() {
+ CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')" \
+ emake -j1 GOFLAGS="" GOLDFLAGS="" LDFLAGS="" VERSION="v${PV}" ${PN}
+}
+
+src_install() {
+ dobin ${PN}
+}
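Review bot: The `emake -j1 GOFLAGS="" GOLDFLAGS="" LDFLAGS="" VERSION="v${PV}" ${PN}` line in src_compile blanks the very variables the go-module eclass populates for its default build; if the upstream Makefile hands its own GOFLAGS to `go build`, the installed binary may be built without the flags the eclass sets (the PIE build mode among them), so it is worth checking the resulting binary's type or building with `ego build` directly instead of through make. `RESTRICT+=" test"` carries no rationale, unlike the miniflux ebuilds' `RESTRICT="test" # requires network access` elsewhere on this page; a trailing comment stating why tests are restricted would save the next bumper from re-investigating. The `${MY_P}-deps.tar.xz` entry in SRC_URI is a maintainer-built Go module bundle whose only integrity anchor is the Manifest hash; a comment recording how it was produced, as the flux ebuild does for its manifests tarball (`# Manifests require kustomize to build. Do it with: ...`), would let a second maintainer reproduce and verify it.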
[gentoo-commits] repo/gentoo:master commit in: sys-apps/bolt/
commit: 1bf83bcb2351c75602b07f4b339d8e64d30ecbd8 Author: Kenton Groombridge gentoo org> AuthorDate: Mon Nov 6 15:45:48 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue Nov 14 21:47:24 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bf83bcb sys-apps/bolt: add USE=selinux Signed-off-by: Kenton Groombridge gentoo.org> sys-apps/bolt/bolt-0.9.1.ebuild | 7 --- sys-apps/bolt/bolt-0.9.2.ebuild | 5 +++-- sys-apps/bolt/bolt-0.9.3.ebuild | 5 +++-- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/sys-apps/bolt/bolt-0.9.1.ebuild b/sys-apps/bolt/bolt-0.9.1.ebuild index 3c46d3566a5c..cb34716378bc 100644 --- a/sys-apps/bolt/bolt-0.9.1.ebuild +++ b/sys-apps/bolt/bolt-0.9.1.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 @@ -12,7 +12,7 @@ SRC_URI="https://gitlab.freedesktop.org/${PN}/${PN}/-/archive/${PV}/${P}.tar.gz; LICENSE="LGPL-2.1" SLOT="0" KEYWORDS="amd64 ~riscv x86" -IUSE="doc systemd" +IUSE="doc selinux systemd" DEPEND=" >=dev-libs/glib-2.56.0:2 @@ -23,7 +23,8 @@ DEPEND=" sys-auth/polkit[introspection] systemd? ( sys-apps/systemd ) doc? ( app-text/asciidoc )" -RDEPEND="${DEPEND}" +RDEPEND="${DEPEND} + selinux? ( sec-policy/selinux-thunderbolt )" pkg_pretend() { if use kernel_linux && kernel_is lt 5 6; then diff --git a/sys-apps/bolt/bolt-0.9.2.ebuild b/sys-apps/bolt/bolt-0.9.2.ebuild index d1044fd43ad2..3275183ef322 100644 --- a/sys-apps/bolt/bolt-0.9.2.ebuild +++ b/sys-apps/bolt/bolt-0.9.2.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -12,7 +12,7 @@ SRC_URI="https://gitlab.freedesktop.org/${PN}/${PN}/-/archive/${PV}/${P}.tar.gz; LICENSE="LGPL-2.1 GPL-2+" SLOT="0" KEYWORDS="amd64 ~riscv x86" -IUSE="test" +IUSE="selinux test" RESTRICT="!test? ( test )" RDEPEND=" 
@@ -20,6 +20,7 @@ RDEPEND=" virtual/libudev:= virtual/udev sys-auth/polkit[introspection] + selinux? ( sec-policy/selinux-thunderbolt ) " DEPEND=" ${RDEPEND} diff --git a/sys-apps/bolt/bolt-0.9.3.ebuild b/sys-apps/bolt/bolt-0.9.3.ebuild index 3e80af202e25..16e2be81e05b 100644 --- a/sys-apps/bolt/bolt-0.9.3.ebuild +++ b/sys-apps/bolt/bolt-0.9.3.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -12,7 +12,7 @@ SRC_URI="https://gitlab.freedesktop.org/${PN}/${PN}/-/archive/${PV}/${P}.tar.gz; LICENSE="LGPL-2.1 GPL-2+" SLOT="0" KEYWORDS="amd64 ~loong ~riscv x86" -IUSE="test" +IUSE="selinux test" RESTRICT="!test? ( test )" RDEPEND=" @@ -20,6 +20,7 @@ RDEPEND=" virtual/libudev:= virtual/udev sys-auth/polkit[introspection] + selinux? ( sec-policy/selinux-thunderbolt ) " DEPEND=" ${RDEPEND}
[gentoo-commits] repo/gentoo:master commit in: sys-power/switcheroo-control/
commit: 3ae9378d1f9e5983d411b01c6fe3da43ae312949 Author: Kenton Groombridge gentoo org> AuthorDate: Mon Nov 6 15:42:50 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue Nov 14 21:47:22 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ae9378d sys-power/switcheroo-control: add USE=selinux Signed-off-by: Kenton Groombridge gentoo.org> sys-power/switcheroo-control/switcheroo-control-2.6-r2.ebuild | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys-power/switcheroo-control/switcheroo-control-2.6-r2.ebuild b/sys-power/switcheroo-control/switcheroo-control-2.6-r2.ebuild index d8788ef9cf76..36faca9d3eef 100644 --- a/sys-power/switcheroo-control/switcheroo-control-2.6-r2.ebuild +++ b/sys-power/switcheroo-control/switcheroo-control-2.6-r2.ebuild @@ -12,7 +12,7 @@ SRC_URI="https://gitlab.freedesktop.org/hadess/switcheroo-control/uploads/86ea54 LICENSE="GPL-3" SLOT="0" -IUSE="gtk-doc test" +IUSE="gtk-doc selinux test" REQUIRED_USE="${PYTHON_REQUIRED_USE}" KEYWORDS="amd64 ~arm arm64 ~loong ~ppc64 ~riscv x86" @@ -21,6 +21,7 @@ RDEPEND="${PYTHON_DEPS} $(python_gen_cond_dep 'dev-python/pygobject:3[${PYTHON_USEDEP}]') >=dev-libs/glib-2.56.0:2 >=dev-libs/libgudev-232:= + selinux? ( sec-policy/selinux-switcheroo ) " DEPEND="${RDEPEND}" BDEPEND="
[gentoo-commits] repo/gentoo:master commit in: sys-power/power-profiles-daemon/
commit: 37640bd95a4706e9705d2c2244428b081e87262d Author: Kenton Groombridge gentoo org> AuthorDate: Mon Nov 6 15:35:47 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue Nov 14 21:47:20 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37640bd9 sys-power/power-profiles-daemon: add USE=selinux Signed-off-by: Kenton Groombridge gentoo.org> sys-power/power-profiles-daemon/power-profiles-daemon-0.13.ebuild | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys-power/power-profiles-daemon/power-profiles-daemon-0.13.ebuild b/sys-power/power-profiles-daemon/power-profiles-daemon-0.13.ebuild index 75019fefc95d..f96ce6849085 100644 --- a/sys-power/power-profiles-daemon/power-profiles-daemon-0.13.ebuild +++ b/sys-power/power-profiles-daemon/power-profiles-daemon-0.13.ebuild @@ -14,7 +14,7 @@ LICENSE="GPL-3+" SLOT="0" KEYWORDS="amd64 ~arm arm64 ~loong ~ppc64 ~riscv x86" -IUSE="gtk-doc test" +IUSE="gtk-doc selinux test" REQUIRED_USE="${PYTHON_REQUIRED_USE}" RESTRICT="!test? ( test )" @@ -25,6 +25,7 @@ RDEPEND="${PYTHON_DEPS} >=dev-libs/libgudev-234 >=sys-auth/polkit-0.114 sys-power/upower + selinux? ( sec-policy/selinux-powerprofiles ) " DEPEND="${RDEPEND}" BDEPEND="
[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/
commit: 0277ec5d18edab3db9390af52131872d7e16f5eb Author: Kenton Groombridge gentoo org> AuthorDate: Mon Nov 6 18:30:46 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Nov 6 18:32:43 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0277ec5d www-apps/miniflux: stabilize 2.0.45 for amd64, ppc64 Signed-off-by: Kenton Groombridge gentoo.org> www-apps/miniflux/miniflux-2.0.45.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/www-apps/miniflux/miniflux-2.0.45.ebuild b/www-apps/miniflux/miniflux-2.0.45.ebuild index ed9f217ff691..ba48c8291c75 100644 --- a/www-apps/miniflux/miniflux-2.0.45.ebuild +++ b/www-apps/miniflux/miniflux-2.0.45.ebuild @@ -15,7 +15,7 @@ SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz; LICENSE="Apache-2.0 BSD BSD-2 MIT" SLOT="0" -KEYWORDS="~amd64 ~ppc64 ~riscv" +KEYWORDS="amd64 ppc64 ~riscv" RESTRICT="test" # requires network access
[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/
commit: ad5fb9992f649b1b96ab0e5881d96664c0755155 Author: Kenton Groombridge gentoo org> AuthorDate: Mon Nov 6 18:31:13 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Nov 6 18:32:45 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad5fb999 www-apps/miniflux: drop 2.0.44 Signed-off-by: Kenton Groombridge gentoo.org> www-apps/miniflux/Manifest | 2 - www-apps/miniflux/miniflux-2.0.44.ebuild | 107 --- 2 files changed, 109 deletions(-) diff --git a/www-apps/miniflux/Manifest b/www-apps/miniflux/Manifest index f2ed94d0a483..5169c94d3eb0 100644 --- a/www-apps/miniflux/Manifest +++ b/www-apps/miniflux/Manifest 
@@ -1,5 +1,3 @@ -DIST miniflux-2.0.44-deps.tar.xz 38348604 BLAKE2B 6709ad503ec64ea64fb35624ff0f6d641a6ccac78d52469a0a6c6e905e505c78866603f310e82c5ff7e1bcd7656cb0d9b3516bb9d0822d7a3f8bbbdadaff0aca SHA512 f463a5a63c5611e8b90ebf15127e05e2df878bb6c49a347f182c5df40feea7e0b2fa21cff4c92b6a99f82e8be4cbd113999f0b3ba6187897af9fad49c9a2aecb -DIST miniflux-2.0.44.tar.gz 574354 BLAKE2B a0c29cb88d88584619e6890a01af15d7b7d9a6ab230b60d76c01d95e82c5ef665aeb19f120180bc328ef3847cae2c87096a096e8f0d0455f7694539556453e5b SHA512 6c1057bcb4daf3110a8885363e2386c6d68776e917f0277299ab94fb46553a8a1b3acf4a2893ab03d30e2b3c26118257e68a7f33d5d436884bfafd8e06fc5e0a DIST miniflux-2.0.45-deps.tar.xz 38551640 BLAKE2B b4dfe2c8bb4d96ba9b4adcb23078b7555115fed8ac346c47411fe406b086330e12f62ca71162d7eab6e1564ae21d1330d93e6e56fde8c421ff8df56cb3ca520a SHA512 79a659660daa01b2909a2e726dc37a789645a3e42c9132ad0e6cc7dd38ae08ad42075339da729fc5942e456fcb5037a414d26952731497586f322c9073f39872 DIST miniflux-2.0.45.tar.gz 580517 BLAKE2B 804c109a7cda5cd4aa4a65130b70c4d1ebb00decbdbb15c6175e14726aa1d0944d9803898e8ace8bdca083e4668f1fe2230a588793082b63967ef11d7e68827f SHA512 f2770105b05251d8ec1cd63fc8fde4ac45ba6d734c2bd96b574a4c0e33b6a9c8ce67af48d9adb29794a292c47f2f7059fea8a6e20708d0fefa6de4cbaa647328 DIST miniflux-2.0.49-deps.tar.xz 38155476 BLAKE2B 9631c23af181cf86bd197066a453c84b09840cc71a870eba0ad4e7cdb2720fe952fca7f6a93f3e9e2e2d8c9a13629da0f758b21a4afe5849186d653b44a3f097 SHA512 c51228a3f70d73788be63ed5e7f24baeee9a369351e07bd7715a60c6b340d3e90ebd25adfb50d3e2144a8b0c7d609fca3bacdd51a1d61ff7916e6a7a439b6dc1 diff --git a/www-apps/miniflux/miniflux-2.0.44.ebuild b/www-apps/miniflux/miniflux-2.0.44.ebuild deleted file mode 100644 index 4e238162adbc.. --- a/www-apps/miniflux/miniflux-2.0.44.ebuild +++ /dev/null 
@@ -1,107 +0,0 @@ -# Copyright 2020-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -inherit go-module systemd - -# Get with 'git rev-parse --short HEAD' -MY_GIT_COMMIT="4c0c6581" - -DESCRIPTION="Minimalist and opinionated feed reader" -HOMEPAGE="https://miniflux.app https://github.com/miniflux/v2; -SRC_URI="https://github.com/${PN}/v2/archive/${PV}.tar.gz -> ${P}.tar.gz" -SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz; - -LICENSE="Apache-2.0 BSD BSD-2 MIT" -SLOT="0" -KEYWORDS="amd64 ppc64 ~riscv" - -RESTRICT="test" # requires network access - -DEPEND="acct-user/miniflux" -RDEPEND="${DEPEND} - >=dev-db/postgresql-9.5 -" - -S="${WORKDIR}/v2-${PV}" - -src_compile() { - ego build -ldflags=" - -s -w - -X 'miniflux.app/version.Version=${PV}' - -X 'miniflux.app/version.Commit=${MY_GIT_COMMIT}' - -X 'miniflux.app/version.BuildDate=$(date +%FT%T%z)' - " -o miniflux main.go -} - -src_install() { - dobin miniflux - - insinto /etc - doins "${FILESDIR}/${PN}.conf" - - newconfd "${FILESDIR}/${PN}.confd" ${PN} - - newinitd "${FILESDIR}/${PN}.initd-r1" ${PN} - systemd_dounit "${FILESDIR}/${PN}.service" - - fowners miniflux:root /etc/${PN}.conf - fperms o-rwx /etc/${PN}.conf - - local DOCS=( - ChangeLog - README.md - "${FILESDIR}"/README.gentoo - ) - - # Makefile has no install target, so call einstalldocs directly - einstalldocs - - doman "${PN}".1 -} - -pkg_postinst() { - if [[ -z "${REPLACING_VERSIONS}" ]]; then - # This is a new installation - - echo - elog "Before using miniflux, you must first create and initialize the database" - elog "and enable the hstore extension for it." - elog "" - elog "Afterwards, create your first admin user by running:" - elog " miniflux -create-admin" - else - # This is an existing installation - - echo - elog &qu
[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/
commit: be968ced07f41e5a0beb22e2fd23eba604b81377 Author: Kenton Groombridge gentoo org> AuthorDate: Mon Nov 6 18:30:10 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Nov 6 18:32:41 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be968ced www-apps/miniflux: add 2.0.49 Signed-off-by: Kenton Groombridge gentoo.org> www-apps/miniflux/Manifest | 2 + www-apps/miniflux/miniflux-2.0.49.ebuild | 107 +++ 2 files changed, 109 insertions(+) diff --git a/www-apps/miniflux/Manifest b/www-apps/miniflux/Manifest index 3728d48d707e..f2ed94d0a483 100644 --- a/www-apps/miniflux/Manifest +++ b/www-apps/miniflux/Manifest 
@@ -2,3 +2,5 @@ DIST miniflux-2.0.44-deps.tar.xz 38348604 BLAKE2B 6709ad503ec64ea64fb35624ff0f6d DIST miniflux-2.0.44.tar.gz 574354 BLAKE2B a0c29cb88d88584619e6890a01af15d7b7d9a6ab230b60d76c01d95e82c5ef665aeb19f120180bc328ef3847cae2c87096a096e8f0d0455f7694539556453e5b SHA512 6c1057bcb4daf3110a8885363e2386c6d68776e917f0277299ab94fb46553a8a1b3acf4a2893ab03d30e2b3c26118257e68a7f33d5d436884bfafd8e06fc5e0a DIST miniflux-2.0.45-deps.tar.xz 38551640 BLAKE2B b4dfe2c8bb4d96ba9b4adcb23078b7555115fed8ac346c47411fe406b086330e12f62ca71162d7eab6e1564ae21d1330d93e6e56fde8c421ff8df56cb3ca520a SHA512 79a659660daa01b2909a2e726dc37a789645a3e42c9132ad0e6cc7dd38ae08ad42075339da729fc5942e456fcb5037a414d26952731497586f322c9073f39872 DIST miniflux-2.0.45.tar.gz 580517 BLAKE2B 804c109a7cda5cd4aa4a65130b70c4d1ebb00decbdbb15c6175e14726aa1d0944d9803898e8ace8bdca083e4668f1fe2230a588793082b63967ef11d7e68827f SHA512 f2770105b05251d8ec1cd63fc8fde4ac45ba6d734c2bd96b574a4c0e33b6a9c8ce67af48d9adb29794a292c47f2f7059fea8a6e20708d0fefa6de4cbaa647328 +DIST miniflux-2.0.49-deps.tar.xz 38155476 BLAKE2B 9631c23af181cf86bd197066a453c84b09840cc71a870eba0ad4e7cdb2720fe952fca7f6a93f3e9e2e2d8c9a13629da0f758b21a4afe5849186d653b44a3f097 SHA512 c51228a3f70d73788be63ed5e7f24baeee9a369351e07bd7715a60c6b340d3e90ebd25adfb50d3e2144a8b0c7d609fca3bacdd51a1d61ff7916e6a7a439b6dc1 +DIST miniflux-2.0.49.tar.gz 614888 BLAKE2B 77fae7eafcc55d02e3e00e6c008cb6727ff48423512e9dde420b84a63858e6ba9ed33dfd61907a46ca686b211f604d452e2ad5944b709094263ca0949a6128c8 SHA512 59505f5e60228ff94cf2cabc872117cd08c06edb0df6dfb4487153add27cc4e485d7cb71330333df155f158eb650f684d55f0460ba5404f5e26b9603123fd860 diff --git a/www-apps/miniflux/miniflux-2.0.49.ebuild b/www-apps/miniflux/miniflux-2.0.49.ebuild new file mode 100644 index ..12650bceb1d6 --- /dev/null +++ b/www-apps/miniflux/miniflux-2.0.49.ebuild 
@@ -0,0 +1,107 @@ +# Copyright 2020-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit go-module systemd + +# Get with 'git rev-parse --short HEAD' +MY_GIT_COMMIT="54eb5003" + +DESCRIPTION="Minimalist and opinionated feed reader" +HOMEPAGE="https://miniflux.app https://github.com/miniflux/v2; +SRC_URI="https://github.com/${PN}/v2/archive/${PV}.tar.gz -> ${P}.tar.gz" +SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz; + +LICENSE="Apache-2.0 BSD BSD-2 MIT" +SLOT="0" +KEYWORDS="~amd64 ~ppc64 ~riscv" + +RESTRICT="test" # requires network access + +DEPEND="acct-user/miniflux" +RDEPEND="${DEPEND} + >=dev-db/postgresql-9.5 +" + +S="${WORKDIR}/v2-${PV}" + +src_compile() { + ego build -ldflags=" + -s -w + -X 'miniflux.app/v2/internal/version.Version=${PV}' + -X 'miniflux.app/v2/internal/version.Commit=${MY_GIT_COMMIT}' + -X 'miniflux.app/v2/internal/version.BuildDate=$(date +%FT%T%z)' + " -o miniflux main.go +} + +src_install() { + dobin miniflux + + insinto /etc + doins "${FILESDIR}/${PN}.conf" + + newconfd "${FILESDIR}/${PN}.confd" ${PN} + + newinitd "${FILESDIR}/${PN}.initd-r1" ${PN} + systemd_dounit "${FILESDIR}/${PN}.service" + + fowners miniflux:root /etc/${PN}.conf + fperms o-rwx /etc/${PN}.conf + + local DOCS=( + ChangeLog + README.md + "${FILESDIR}"/README.gentoo + ) + + # Makefile has no install target, so call einstalldocs directly + einstalldocs + + doman "${PN}".1 +} + +pkg_postinst() { + if [[ -z "${REPLACING_VERSIONS}" ]]; then + # This is a new installation + + echo + elog "Before using miniflux, you must first create and initialize the database" + elog "and enable the hstore extension for it." + elog "" + elog "Afterwards, create your first admin user by running:" + elog " miniflux -create-admin" + els
[gentoo-commits] proj/hardened-refpolicy: New tag: 2.20231002-r2
commit: Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 22:06:05 2023 + New tag: 2.20231002-r2
[gentoo-commits] proj/hardened-refpolicy:master commit in: doc/
commit: 8c8f4a31a3896a10963b987691b7c7b87ce18842 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Oct 20 21:29:46 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:30:05 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c8f4a31 Update generated policy and doc files Signed-off-by: Kenton Groombridge gentoo.org> doc/policy.xml | 670 ++--- 1 file changed, 350 insertions(+), 320 deletions(-) diff --git a/doc/policy.xml b/doc/policy.xml index e96f1ea28..8ae22432d 100644 --- a/doc/policy.xml +++ b/doc/policy.xml @@ -58392,7 +58392,17 @@ Domain allow access. - + + +unmount a sysfs filesystem + + + +Domain allowed access. + + + + Do not audit getting the attributes of sysfs filesystem @@ -58402,7 +58412,7 @@ Domain to dontaudit access from - + Dont audit attempts to read hardware state information @@ -58412,7 +58422,7 @@ Domain for which the attempts do not need to be audited - + Mount on sysfs directories. @@ -58422,7 +58432,7 @@ Domain allowed access. - + Search the sysfs directories. @@ -58432,7 +58442,7 @@ Domain allowed access. - + Do not audit attempts to search sysfs. @@ -58442,7 +58452,7 @@ Domain to not audit. - + List the contents of the sysfs directories. @@ -58452,7 +58462,7 @@ Domain allowed access. - + Write in a sysfs directories. @@ -58462,7 +58472,7 @@ Domain allowed access. - + Do not audit attempts to write in a sysfs directory. @@ -58472,7 +58482,7 @@ Domain to not audit. - + Do not audit attempts to write to a sysfs file. @@ -58482,7 +58492,7 @@ Domain to not audit. - + Create, read, write, and delete sysfs directories. @@ -58493,7 +58503,7 @@ Domain allowed access. - + Read hardware state information. @@ -58512,7 +58522,7 @@ Domain allowed access. - + Write to hardware state information. @@ -58529,7 +58539,7 @@ Domain allowed access. - + Allow caller to modify hardware state information. @@ -58539,7 +58549,7 @@ Domain allowed access. - + Add a sysfs file 
@@ -58549,7 +58559,7 @@ Domain allowed access. - + Relabel hardware state directories. @@ -58559,7 +58569,7 @@ Domain allowed access. - + Relabel from/to all sysfs types. @@ -58569,7 +58579,7 @@ Domain allowed access. - + Set the attributes of sysfs files, directories and symlinks. @@ -58579,7 +58589,7 @@ Domain allowed access. - + Read and write the TPM device. @@ -58589,7 +58599,7 @@ Domain allowed access. - + Read from pseudo random number generator devices (e.g., /dev/urandom). @@ -58622,7 +58632,7 @@ Domain allowed access. - + Do not audit attempts to read from pseudo random devices (e.g., /dev/urandom) @@ -58633,7 +58643,7 @@ Domain to not audit. - + Write to the pseudo random device (e.g., /dev/urandom). This sets the random number generator seed. @@ -58644,7 +58654,7 @@ Domain allowed access. - + Create the urandom device (/dev/urandom). @@ -58654,7 +58664,7 @@ Domain allowed access. - + Set attributes on the urandom device (/dev/urandom). @@ -58664,7 +58674,7 @@ Domain allowed access. - + Getattr generic the USB devices. @@ -58674,7 +58684,7 @@ Domain allowed access. - + Setattr generic the USB devices. @@ -58684,7 +58694,7 @@ Domain allowed access. - + Read generic the USB devices. @@ -58694,7 +58704,7 @@ Domain allowed access. - + Read and write generic the USB devices. @@ -58704,7 +58714,7 @@ Domain allowed access. - + Relabel generic the USB devices. @@ -58714,7 +58724,7 @@ Domain allowed access. - + Read USB monitor devices. @@ -58724,7 +58734,7 @@ Domain allowed access. - + Write USB monitor devices. @@ -58734,7 +58744,7 @@ Domain allowed access. - + Mount a usbfs filesystem. @@ -58744,7 +58754,7 @@ Domain allowed access. - + Associate a file to a usbfs filesystem. @@ -58754,7 +58764,7 @@ The type of the file to be associated to usbfs. - + Get the attributes of a directory in the usb filesystem. @@ -58764,7 +58774,7 @@ Domain allowed access. - + Do not audit attempts to get the attributes of a directory in the usb filesystem. 
@@ -58775,7 +58785,7 @@ Domain to not audit. - + Search the directory containing USB hardware information. @@ -58785,7 +58795,7 @@ Domain allowed access. - + Allow caller to get a list of usb hardware. @@ -58795,7 +58805,7 @@ Domain allowed access. - + Set the attributes of usbfs filesystem. @@ -58805,7 +58815,7 @@ Domain allowed access. - + Read USB hardware information using the usbfs filesystem interface. @@ -58816,7 +58826,7 @@ Domain allowed access. - + Allow caller to modify usb hardware configuration files. @@ -58826,7 +58836,7
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 4751bfa9ef38a4d38494cadea1fa83a69881d5fa Author: Russell Coker coker com au> AuthorDate: Sat Oct 7 02:56:52 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:28:39 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4751bfa9 Changes to eg25manager and modemmanager needed for firmware upload on pinephonepro Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/eg25manager.te | 11 ++- policy/modules/services/modemmanager.te | 18 -- 2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/policy/modules/services/eg25manager.te b/policy/modules/services/eg25manager.te
index 92fd3e4f8..f305a9a01 100644
--- a/policy/modules/services/eg25manager.te
+++ b/policy/modules/services/eg25manager.te
@@ -57,8 +57,10 @@ files_read_usr_files(eg25manager_t)
 logging_send_syslog_msg(eg25manager_t)
 miscfiles_read_generic_certs(eg25manager_t)
+miscfiles_read_localization(eg25manager_t)
-modemmanager_dbus_chat(eg25manager_t)
+# will not upload to pinephone modem without this
+selinux_get_fs_mount(eg25manager_t)
 sysnet_read_config(eg25manager_t)
@@ -66,3 +68,10 @@ systemd_dbus_chat_logind(eg25manager_t)
 systemd_read_resolved_runtime(eg25manager_t)
 systemd_use_logind_fds(eg25manager_t)
 systemd_write_inherited_logind_inhibit_pipes(eg25manager_t)
+
+term_use_unallocated_ttys(eg25manager_t)
+
+optional_policy(`
+ modemmanager_dbus_chat(eg25manager_t)
+')
+
diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index 5801baedd..b94117bff 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
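Review bot: `term_use_unallocated_ttys(eg25manager_t)` in the second eg25manager.te hunk grants read/write on every tty carrying the generic unallocated label, while the modem node that modemmanager_t reaches in the same commit goes through `dev_rw_modem(modemmanager_t)`, a single device type; if the device eg25manager drives is that same node, `dev_rw_modem(eg25manager_t)` would be the tighter grant, and if it is a different node, a comment naming it would justify the broader interface. The `+` blank line added after `')` leaves the file ending in an empty line, which looks unintended. Wrapping `modemmanager_dbus_chat(eg25manager_t)` in `optional_policy` is right, given the call was previously unconditional; a one-line comment on why the firmware upload needs `selinux_get_fs_mount` beyond "will not upload without this" (which denial it clears) would make the rule easier to revisit later.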
@@ -15,16 +15,30 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) # allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; -allow modemmanager_t self:process { getsched signal }; +allow modemmanager_t self:process { getsched setsched signal setpgid }; allow modemmanager_t self:fifo_file rw_fifo_file_perms; -allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; +allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; +allow modemmanager_t self:netlink_route_socket { create getattr getopt nlmsg_write read write }; +allow modemmanager_t self:qipcrtr_socket { create getattr getopt read write }; + +# ModemManager calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC) +allow modemmanager_t self:process execmem; kernel_read_system_state(modemmanager_t) +kernel_request_load_module(modemmanager_t) + +# for qmi/pass_through +dev_create_sysfs_files(modemmanager_t) +dev_getattr_sysfs(modemmanager_t) dev_read_sysfs(modemmanager_t) +dev_write_sysfs(modemmanager_t) dev_rw_modem(modemmanager_t) +# for /usr/libexec/qmi-proxy +corecmd_exec_bin(modemmanager_t) + files_read_etc_files(modemmanager_t) term_use_generic_ptys(modemmanager_t)
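Review bot: `dev_create_sysfs_files(modemmanager_t)` and `dev_write_sysfs(modemmanager_t)` grant create and write on every sysfs_t file while the comment says only `# for qmi/pass_through`; if the writes go to one known attribute, a dedicated sysfs type with a file context for that path would confine the grant, and at minimum the comment should name the attribute path that was observed. `allow modemmanager_t self:process execmem;` removes the W^X property for the whole domain; the comment records the mmap flags but not which component performs the mapping, and naming it would make the rule easy to retire once that component no longer needs it. `kernel_request_load_module` and `nlmsg_write` on the netlink route socket are also privileged additions that the commit message does not mention.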
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 3b0568041bb3c496b5d776b1961763a32d184379 Author: Yi Zhao windriver com> AuthorDate: Sat Oct 7 02:33:31 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:28:39 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3b056804 systemd: use init_daemon_domain instead of init_system_domain for systemd-networkd and systemd-resolved Systemd-networkd and systemd-resolved are daemons. Fixes: avc: denied { write } for pid=277 comm="systemd-resolve" name="notify" dev="tmpfs" ino=31 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file permissive=1 avc: denied { write } for pid=324 comm="systemd-network" name="notify" dev="tmpfs" ino=31 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file permissive=1 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b14511c24..bf3a0e14e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -199,7 +199,7 @@ init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
 type systemd_networkd_t;
 type systemd_networkd_exec_t;
-init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+init_daemon_domain(systemd_networkd_t, systemd_networkd_exec_t)
 type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
 files_runtime_file(systemd_networkd_runtime_t)
@@ -235,7 +235,7 @@ files_type(systemd_pstore_var_lib_t)
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
-init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
+init_daemon_domain(systemd_resolved_t, systemd_resolved_exec_t)
 type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
 files_runtime_file(systemd_resolved_runtime_t)
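Review bot: Switching systemd_networkd_t and systemd_resolved_t to `init_daemon_domain` does more than clear the two notify-socket denials: it places both domains in the `daemon` attribute, so every rule written against `daemon` (for example `fs_search_cgroup_dirs(daemon)` and `systemd_write_notify_socket(daemon)` in the init.te hunk further down this page) now applies to them too. A short comment at each call site, e.g. `# daemon attribute: Type=notify units need the systemd notify socket`, and a sentence in the commit message listing what else the attribute carries would make the widening explicit. The same applies to both one-line hunks (-199 and -235).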
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: d26d077b9a6a665bf5c89ab460ef0a89a7cf7f24 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Oct 20 21:29:27 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:29:27 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d26d077b Merge upstream Signed-off-by: Kenton Groombridge gentoo.org> gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentoo/STATE b/gentoo/STATE
index 1f7d780e5..1265cd5d3 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-d542d53698339cd3b3bb80e6e36fb4add4016e9d
+f3865abfc25a395c877a27074bd03c5fc22992dd
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/support/
commit: b6e3f0c899ce4061496cdf71bd4d83374aea339d Author: Russell Coker coker com au> AuthorDate: Mon Oct 9 13:32:38 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:28:39 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6e3f0c8 patches for nspawn policy (#721) * patches to nspawn policy. Allow it netlink operations and creating udp sockets Allow remounting and reading sysfs Allow stat cgroup filesystem Make it create fifos and sock_files in the right context Allow mounting the selinux fs Signed-off-by: Russell Coker coker.com.au> * Use the new mounton_dir_perms and mounton_file_perms macros Signed-off-by: Russell Coker coker.com.au> * Corrected macro name Signed-off-by: Russell Coker coker.com.au> * Fixed description of files_mounton_kernel_symbol_table Signed-off-by: Russell Coker coker.com.au> * systemd: Move lines in nspawn. No rule changes. Signed-off-by: Chris PeBenito ieee.org> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Chris PeBenito ieee.org> Co-authored-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/devices.if | 18 ++ policy/modules/kernel/files.if | 27 +++ policy/modules/kernel/kernel.if | 8 policy/modules/kernel/selinux.if | 18 ++ policy/modules/system/systemd.te | 17 + policy/support/obj_perm_sets.spt | 2 ++ 6 files changed, 82 insertions(+), 8 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index be2429a91..a2d55dedb 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4386,6 +4386,24 @@ interface(`dev_remount_sysfs',` allow $1 sysfs_t:filesystem remount; ') + +## +## unmount a sysfs filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_unmount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem unmount; +') + ## ## Do not audit getting the attributes of sysfs filesystem 
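Review bot: The summary of the new `dev_unmount_sysfs` interface reads `unmount a sysfs filesystem`, while its neighbours in this file use a capitalised sentence with a trailing period (the trailing context line of the hunk shows `Do not audit getting the attributes of sysfs filesystem`); `Unmount a sysfs filesystem.` keeps the generated interface documentation consistent. The rule body, `allow $1 sysfs_t:filesystem unmount;`, mirrors the `dev_remount_sysfs` interface directly above it and needs no change.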
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 591aa64d6..370ac0931 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -542,8 +542,8 @@ interface(`files_mounton_non_security',` attribute non_security_file_type; ') - allow $1 non_security_file_type:dir { getattr search mounton }; - allow $1 non_security_file_type:file { getattr mounton }; + allow $1 non_security_file_type:dir { search mounton_dir_perms }; + allow $1 non_security_file_type:file mounton_file_perms; ') @@ -1785,7 +1785,7 @@ interface(`files_mounton_all_mountpoints',` ') allow $1 mountpoint:dir { search_dir_perms mounton }; - allow $1 mountpoint:file { getattr mounton }; + allow $1 mountpoint:file mounton_file_perms; kernel_mounton_unlabeled_dirs($1) ') @@ -5750,6 +5750,25 @@ interface(`files_delete_kernel_symbol_table',` delete_files_pattern($1, boot_t, system_map_t) ') + +## +## Mount on a system.map in the /boot directory (for bind mounts). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_kernel_symbol_table',` + gen_require(` + type boot_t, system_map_t; + ') + + allow $1 boot_t:dir search_dir_perms; + allow $1 system_map_t:file mounton_file_perms; +') + ## ## Search the contents of /var. @@ -7630,7 +7649,7 @@ interface(`files_polyinstantiate_all',` # Need to give access to parent directories where original # is remounted for polyinstantiation aware programs (like gdm) - allow $1 polyparent:dir { getattr mounton }; + allow $1 polyparent:dir mounton_dir_perms; # Need to give permission to create directories where applicable allow $1 self:process setfscreate; diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 6abcc1be6..022affde3 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
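Review bot: The replacement of `{ getattr mounton }` by `mounton_file_perms` and `mounton_dir_perms` in files_mounton_non_security, files_mounton_all_mountpoints and files_polyinstantiate_all (and in kernel_mounton_message_if in the kernel.if hunk on the next line) depends on definitions added to policy/support/obj_perm_sets.spt, which the diffstat lists but this excerpt does not show; if either macro holds more than `{ getattr mounton }`, every caller of these interfaces is widened by the change, so the definitions should be checked against the sets they replace. In `files_mounton_non_security` the dir rule keeps a bare `search` next to `mounton_dir_perms`, which suggests the macro omits search; a comment such as `# search is needed to reach the mount point; mounton_dir_perms does not include it` would explain the extra permission if that is the case. The new `files_mounton_kernel_symbol_table` follows the same pattern.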
@@ -1440,7 +1440,7 @@ interface(`kernel_mounton_message_if',` ') allow $1 proc_t:dir list_dir_perms; - allow $1 proc_kmsg_t:file { getattr mounton }; + allow $1 proc_kmsg_t:file mounton_file_perms; ') @@ -1792,7 +1792,7 @@ interface(`kernel_mounton_sysctl_dirs',` ') allow $1 proc_t:dir list_dir_perms; - allow $1 sysctl_t:dir { getattr mounton }; + allow
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 4bb6b12fe1a936a0db91fc133ca30dfd8e5be32a Author: Dave Sugar gmail com> AuthorDate: Wed Oct 4 23:28:38 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:28:39 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4bb6b12f Use interface that already exists. Signed-off-by: Dave Sugar gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.if | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 68fb1a148..6054b5038 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -29,7 +29,6 @@ template(`systemd_role_template',`
 type systemd_user_runtime_t, systemd_user_runtime_notify_t;
 type systemd_user_unit_t;
 type systemd_user_runtime_unit_t, systemd_user_transient_unit_t;
- type systemd_machined_t;
 ')
 #
@@ -151,10 +150,9 @@ template(`systemd_role_template',`
 allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 # for "machinectl shell"
- allow $1_systemd_t systemd_machined_t:fd use;
- allow $3 systemd_machined_t:fd use;
- allow $3 systemd_machined_t:dbus send_msg;
- allow systemd_machined_t $3:dbus send_msg;
+ systemd_use_inherited_machined_ptys($1_systemd_t)
+ systemd_use_inherited_machined_ptys($3)
+ systemd_dbus_chat_machined($3)
 allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
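Review bot: The four removed rules granted only `fd use` on systemd_machined_t plus a bidirectional `dbus send_msg`, but `systemd_use_inherited_machined_ptys` is substituted for the two fd rules; judging by its name it may grant pty read/write in addition to fd use, which would widen what `$1_systemd_t` and the user role receive, so its body (outside this excerpt) should be compared with the removed lines. `systemd_dbus_chat_machined($3)` matches the two dbus lines it replaces. The `# for "machinectl shell"` comment still describes the intent and can stay.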
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: b2b5270fcce158aedf71a5be0b2fa15822ecb069 Author: Russell Coker coker com au> AuthorDate: Thu Oct 5 11:13:54 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2b5270f https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ While cgroups2 doesn't have the "feature" of having the kernel run a program specified in the cgroup the history of this exploit suggests that writing to cgroups should be restricted and not granted to all users Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/userdomain.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 642da35cd..676a76241 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -690,7 +690,7 @@ template(`userdom_common_user_template',`
 files_watch_etc_dirs($1_t)
 files_watch_usr_dirs($1_t)
- fs_rw_cgroup_files($1_t)
+ fs_read_cgroup_files($1_t)
 # cjp: some of this probably can be removed
 selinux_get_fs_mount($1_t)
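Review bot: The rationale for moving from `fs_rw_cgroup_files($1_t)` to `fs_read_cgroup_files($1_t)` lives only in the commit message; a comment on the line keeps it with the rule, e.g. `# read only: cgroup writes have been a container-escape vector and are not granted to every user domain`. Any user-session program that legitimately writes to its own cgroup files will now be denied and should get that access in its own domain rather than by restoring the rw rule here.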
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: ca3332b1b3ad6b6cc3b52bf8cff26e4407f93c92 Author: Russell Coker coker com au> AuthorDate: Fri Oct 6 10:48:52 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca3332b1 Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited from cron, and dontaudit ps type operations from it Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/corecommands.fc | 1 - policy/modules/system/raid.fc | 2 ++ policy/modules/system/raid.te | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index da5db80a2..21ec61464 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -320,7 +320,6 @@ ifdef(`distro_debian',` /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh-- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/share/mdadm/checkarray-- gen_context(system_u:object_r:bin_t,s0) /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/ajaxterm/ajaxterm\.py.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/ajaxterm/qweb\.py.* -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc index 84f1ab02a..ca16bdfdf 100644 --- a/policy/modules/system/raid.fc +++ b/policy/modules/system/raid.fc @@ -11,6 +11,8 @@ /usr/bin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/bin/raid-check-- gen_context(system_u:object_r:mdadm_exec_t,s0) +/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:mdadm_exec_t,s0) + # Systemd unit files /usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) /usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) 
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index 907facf8d..c8db38261 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -57,6 +57,7 @@ dev_read_realtime_clock(mdadm_t) # create links in /dev/md dev_create_generic_symlinks(mdadm_t) +domain_dontaudit_search_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) @@ -95,6 +96,7 @@ userdom_dontaudit_search_user_home_content(mdadm_t) optional_policy(` cron_system_entry(mdadm_t, mdadm_exec_t) + cron_rw_inherited_tmp_files(mdadm_t) ') optional_policy(`
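Review bot: `domain_dontaudit_search_all_domains_state(mdadm_t)` silences /proc/<pid> search denials against every domain on the system; a comment tying it to checkarray's ps-style calls (described only in the commit message) would stop it being read as a stray dontaudit, e.g. `# checkarray runs ps-like operations; do not audit searching other domains' /proc entries`. `cron_rw_inherited_tmp_files(mdadm_t)` sits inside the existing cron optional_policy block, which is correct since the interface is defined in cron.if.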
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: f9bb068485de922f97495d4795c3cc475cdb32e7 Author: Yi Zhao windriver com> AuthorDate: Mon Oct 2 08:05:49 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9bb0684 bind: fix for named service Fixes: avc: denied { sqpoll } for pid=373 comm="named" scontext=system_u:system_r:named_t:s0-s15:c0.c1023 tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring permissive=0 avc: denied { create } for pid=373 comm="named" anonclass=[io_uring] scontext=system_u:system_r:named_t:s0-s15:c0.c1023 tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/bind.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 0a08be452..37f2fdd1f 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -80,6 +80,8 @@ allow named_t self:process { setsched getsched getcap setcap setrlimit signal_pe
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };
+allow named_t self:anon_inode { create map read write };
+allow named_t self:io_uring sqpoll;
 manage_files_pattern(named_t, dnssec_t, dnssec_t)
 filetrans_pattern(named_t, named_conf_t, dnssec_t, dir, "cache")
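Review bot: `allow named_t self:anon_inode { create map read write };` covers every anonymous inode named_t creates, not only the io_uring instance from the logged denial; if the policy labels other anon inode classes through a type transition, a dedicated io_uring type would keep this grant specific — check what the tree offers before leaving it on self. A comment above the two lines, e.g. `# named (presumably via its async I/O library) sets up an io_uring with kernel submission polling`, would record why `sqpoll` in particular is needed, since that mode hands submission to a kernel thread and is not required for ordinary io_uring use.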
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
commit: 767814945e7b4302e9c085aba0d2772d051cd005 Author: Dave Sugar <31021570+dsugar100 users noreply github com> AuthorDate: Fri Oct 6 13:06:39 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76781494 Separate label for /run/systemd/notify (#710) * Separate label for /run/systemd/notify label systemd_runtime_notify_t Allow daemon domains to write by default Signed-off-by: Dave Sugar gmail.com> * systemd: Add -s to /run/systemd/notify socket. Signed-off-by: Chris PeBenito ieee.org> - Signed-off-by: Dave Sugar gmail.com> Co-authored-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/dbus.te | 2 +- policy/modules/system/init.if| 19 +++ policy/modules/system/init.te| 3 ++- policy/modules/system/systemd.fc | 1 + policy/modules/system/systemd.if | 22 ++ policy/modules/system/systemd.te | 3 +++ 6 files changed, 48 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 79089b1c5..9ccd8a424 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -219,7 +219,7 @@ ifdef(`init_systemd', ` init_stop_all_units(system_dbusd_t) # Recent versions of dbus are started as Type=notify - init_write_runtime_socket(system_dbusd_t) + systemd_write_notify_socket(system_dbusd_t) tunable_policy(`dbus_broker_system_bus',` init_get_system_status(system_dbusd_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index d91eadfb5..5b0f44381 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
@@ -1002,6 +1002,25 @@ interface(`init_unix_stream_socket_connectto',` allow $1 init_t:unix_stream_socket connectto; ') + +## +## Send to init with a unix socket. +## Without any additional permissions. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_unix_stream_socket_sendto',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket sendto; +') + ## ## Inherit and use file descriptors from init. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 457fac072..c83d88b74 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1178,6 +1178,7 @@ ifdef(`init_systemd',` systemd_start_power_units(initrc_t) systemd_watch_networkd_runtime_dirs(initrc_t) + systemd_write_notify_socket(initrc_t) # Ensures the memory.pressure cgroup file is labelled differently, so # that processes can manage it without having access to the rest of the @@ -1611,7 +1612,7 @@ ifdef(`init_systemd',` fs_search_cgroup_dirs(daemon) # need write to /var/run/systemd/notify - init_write_runtime_socket(daemon) + systemd_write_notify_socket(daemon) ') tunable_policy(`init_daemons_use_tty',` diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index ac64a5d5c..57f746c58 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc 
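Review bot: `init_unix_stream_socket_sendto` grants `sendto` on `init_t:unix_stream_socket`, but sd_notify(3) describes /run/systemd/notify as a SOCK_DGRAM socket, so a sender would be checked against `init_t:unix_dgram_socket sendto` rather than the stream class; confirm which class a denial reports before systemd_write_notify_socket (defined in the systemd.if hunk that is cut off on the next line) is made to rely on this interface. The summary `Send to init with a unix socket. Without any additional permissions.` is a fragment; `Send to init over its unix socket, without granting any other permission.` reads better. The two init.te hunks that call `systemd_write_notify_socket` for initrc_t and for the `daemon` attribute are consistent with each other.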
@@ -103,6 +103,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data /run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0) /run/systemd/home(/.*)? gen_context(system_u:object_r:systemd_homed_runtime_t,s0) /run/systemd/network(/.*)? gen_context(system_u:object_r:systemd_networkd_runtime_t,s0) +/run/systemd/notify-s gen_context(system_u:object_r:systemd_runtime_notify_t,s0) /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0) /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 19b2dbd85..68fb1a148 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -126,6 +126,7 @@ template(`systemd_role_template',` systemd_search_user_runtime_unit_dirs($1_systemd_t) systemd_search_user_transient_unit_dirs($1_systemd_t) systemd_read_user_units_files($1_systemd_t) + systemd_write_notify_socket($1_systemd_t) dbus_system_bus_client($1_systemd_t) dbus_spec_session_bus_client($1, $1_systemd_t) @@ -276,6 +277,27 @@ interface(`systemd_user_unix_stream_activated_socket',` systemd_user_activated_sock_file($2) ') +### +## +## Al
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: a214ace3c7ac557196b58ab0342bf8e7023aca38 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Oct 6 15:32:33 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:32:33 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a214ace3 Merge upstream Signed-off-by: Kenton Groombridge gentoo.org> gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentoo/STATE b/gentoo/STATE
index b2d61aa8e..1f7d780e5 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-86a7f884a5af56076ae4829b25e73a74b2f56024
+d542d53698339cd3b3bb80e6e36fb4add4016e9d
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef Author: Russell Coker coker com au> AuthorDate: Thu Sep 28 13:57:18 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d4b9fb4 misc small email changes (#704) * Small changes to courier, dovecot, exim, postfix, and sendmail policy. Signed-off-by: Russell Coker coker.com.au> * Removed an obsolete patch Signed-off-by: Russell Coker coker.com.au> * Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined Signed-off-by: Russell Coker coker.com.au> * Use create_stream_socket_perms for unix connection to itself Signed-off-by: Russell Coker coker.com.au> * Removed unconfined_run_to Signed-off-by: Russell Coker coker.com.au> * Remove change for it to run from a user session Signed-off-by: Russell Coker coker.com.au> * Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and moved it out of the postfix section Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/courier.fc | 4 ++-- policy/modules/services/courier.te | 21 +++-- policy/modules/services/dovecot.te | 3 +++ policy/modules/services/exim.te | 3 ++- policy/modules/services/mta.if | 1 + policy/modules/services/mta.te | 32 policy/modules/services/postfix.if | 3 +++ policy/modules/services/postfix.te | 4 policy/modules/services/sendmail.te | 4 9 files changed, 70 insertions(+), 5 deletions(-) diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc index 0f56d60d8..28594264f 100644 --- a/policy/modules/services/courier.fc +++ b/policy/modules/services/courier.fc 
@@ -23,8 +23,8 @@ /usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0) -/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0) -/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib/courier/imapd.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) +/usr/lib/courier/pop3d.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0) /usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0) /usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0) /usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0) diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te index 00ca1db6e..b5fa0c163 100644 --- a/policy/modules/services/courier.te +++ b/policy/modules/services/courier.te @@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_pe can_exec(courier_authdaemon_t, courier_exec_t) +kernel_getattr_proc(courier_authdaemon_t) + corecmd_exec_shell(courier_authdaemon_t) domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t) @@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t) miscfiles_read_localization(courier_authdaemon_t) selinux_getattr_fs(courier_authdaemon_t) +seutil_search_default_contexts(courier_authdaemon_t) userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t) 
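Review bot: Changing `/usr/lib/courier/imapd` and `/usr/lib/courier/pop3d` to `imapd.*` and `pop3d.*` labels every current and future sibling whose name starts with those strings as courier_pop_exec_t, not only the variant the change presumably targets; `imapd(-ssl)?` and `pop3d(-ssl)?` would cover the known names without the open-ended match — confirm which files the installed package ships. In the courier.te hunks, `kernel_getattr_proc` and `seutil_search_default_contexts` for courier_authdaemon_t are small, but a one-line comment on why authdaemon searches the default contexts directory would help the next reader, since nothing nearby in the hunk explains it.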
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t) # POP3/IMAP local policy # -allow courier_pop_t self:capability { setgid setuid }; +allow courier_pop_t self:capability { chown dac_read_search fowner setgid setuid }; +dontaudit courier_pop_t self:capability fsetid; +allow courier_pop_t self:unix_stream_socket create_stream_socket_perms; +allow courier_pop_t self:process setrlimit; + allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms; allow courier_pop_t courier_authdaemon_t:process sigchld; allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms; -allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms; +allow courier_pop_t courier_var_lib_t:dir rw_dir_perms; +allow courier_pop_t courier_var_lib_t:file manage_file_perms; +allow courier_pop_t courier_etc_t:file map; + +can_exec(courier_pop_t, courier_exec_t) +can_exec(courier_pop_t, courier_tcpd_exec_t) stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t) domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t) corecmd_exec_shell(courier_pop_t) +corenet_tcp_bind_generic_node(courier_pop_t) +corenet_tcp_bind_pop_port(couri
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 6f8208d24c132738f65741594de5b1b3b11d1a9c Author: Chris PeBenito linux microsoft com> AuthorDate: Mon Oct 2 12:44:00 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f8208d2 Add append to rw and manage lnk_file permission sets for consistency. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/support/obj_perm_sets.spt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d1784fae1..4b2b7c874 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -181,11 +181,11 @@ define(`setattr_lnk_file_perms',`{ setattr }')
 define(`read_lnk_file_perms',`{ getattr read }')
 define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
 define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
-define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write append lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename ioctl lock }')
+define(`manage_lnk_file_perms',`{ create read write append getattr setattr link unlink rename ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 6a26a817c369000f602f81d7f5da7b0fd5a1bff0 Author: Yi Zhao windriver com> AuthorDate: Sat Sep 30 10:00:38 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a26a817 systemd: allow journalctl to create /var/lib/systemd/catalog If /var/lib/systemd/catalog doesn't exist at first boot, systemd-journal-catalog-update.service would fail: $ systemctl status systemd-journal-catalog-update.service systemd-journal-catalog-update.service - Rebuild Journal Catalog Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static) Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s ago Docs: man:systemd-journald.service(8) man:journald.conf(5) Process: 247 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE) Main PID: 247 (code=exited, status=1/FAILURE) Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog... Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories of /var/lib/systemd/catalog/database: Permission denied Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write /var/lib/systemd/catalog/database: Permission denied Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission denied Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'. Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog. 
Fixes: AVC avc: denied { getattr } for pid=247 comm="journalctl" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 AVC avc: denied { write } for pid=247 comm="journalctl" name="systemd" dev="vda" ino=13634 scontext=system_u:system_r:systemd_journal_init_t tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 4f1c4c856..c9d21bda5 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -787,9 +787,10 @@ seutil_read_file_contexts(systemd_hw_t) dontaudit systemd_journal_init_t self:capability net_admin; +manage_dirs_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t) manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t) -fs_getattr_cgroup(systemd_journal_init_t) +fs_getattr_all_fs(systemd_journal_init_t) fs_search_cgroup_dirs(systemd_journal_init_t) kernel_getattr_proc(systemd_journal_init_t) @@ -798,6 +799,7 @@ kernel_read_system_state(systemd_journal_init_t) init_read_state(systemd_journal_init_t) init_search_var_lib_dirs(systemd_journal_init_t) +init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir) logging_send_syslog_msg(systemd_journal_init_t) logging_stream_connect_journald_varlink(systemd_journal_init_t)
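Review bot: `fs_getattr_all_fs(systemd_journal_init_t)` replaces `fs_getattr_cgroup` to satisfy a single getattr denial on a tmpfs superblock, which widens the grant from one filesystem type to all of them; `fs_getattr_tmpfs(systemd_journal_init_t)` alongside the existing `fs_getattr_cgroup` would match the logged AVC exactly. `init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir)` is unnamed, so any directory journalctl creates under init_var_lib_t becomes systemd_journal_t; if the interface takes the optional filename argument that most refpolicy filetrans interfaces accept, passing `"catalog"` restricts the transition to the directory named in the error output.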
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
commit: 90affee2271dfbaad7e02781e1c583e886229754 Author: Russell Coker coker com au> AuthorDate: Thu Sep 28 13:46:14 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:52 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90affee2 misc small patches for cron policy (#701) * Some misc small patches for cron policy Signed-off-by: Russell Coker coker.com.au> * added systemd_dontaudit_connect_machined interface Signed-off-by: Russell Coker coker.com.au> * Remove the line about connecting to tor Signed-off-by: Russell Coker coker.com.au> * remove the dontaudit for connecting to machined Signed-off-by: Russell Coker coker.com.au> * changed to distro_debian Signed-off-by: Russell Coker coker.com.au> * mta: Whitespace changes. Signed-off-by: Chris PeBenito ieee.org> * cron: Move lines. Signed-off-by: Chris PeBenito ieee.org> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Chris PeBenito ieee.org> Co-authored-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/cron.if| 36 policy/modules/services/cron.te| 11 +++ policy/modules/services/mta.te | 7 ++- policy/modules/services/postfix.te | 1 + policy/modules/system/init.if | 18 ++ policy/modules/system/systemd.if | 18 ++ 6 files changed, 90 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 87306cfdb..049b01494 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -755,6 +755,24 @@ interface(`cron_rw_tmp_files',` allow $1 crond_tmp_t:file rw_file_perms; ') + +## +## Read and write inherited crond temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_inherited_tmp_files',` + gen_require(` + type crond_tmp_t; + ') + + allow $1 crond_tmp_t:file rw_inherited_file_perms; +') + ## ## Read system cron job lib files. 
@@ -888,6 +906,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` dontaudit $1 system_cronjob_tmp_t:file append_file_perms; ') + +## +## allow appending temporary system cron job files. +## +## +## +## Domain to allow. +## +## +# +interface(`cron_append_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + ') + + allow $1 system_cronjob_tmp_t:file append_file_perms; +') + ## ## Read and write to inherited system cron job temporary files. diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index b2de6de31..9df1e3060 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -436,6 +436,8 @@ optional_policy(` systemd_dbus_chat_logind(system_cronjob_t) systemd_read_journal_files(system_cronjob_t) systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) + # for runuser + init_search_keys(system_cronjob_t) # so cron jobs can restart daemons init_stream_connect(system_cronjob_t) init_manage_script_service(system_cronjob_t) @@ -491,6 +493,7 @@ kernel_getattr_message_if(system_cronjob_t) kernel_read_irq_sysctls(system_cronjob_t) kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) +kernel_read_rpc_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -535,6 +538,7 @@ files_read_usr_files(system_cronjob_t) files_read_var_files(system_cronjob_t) files_dontaudit_search_runtime(system_cronjob_t) files_manage_generic_spool(system_cronjob_t) +files_manage_var_lib_dirs(system_cronjob_t) files_create_boot_flag(system_cronjob_t) files_read_var_lib_symlinks(system_cronjob_t) @@ -554,6 +558,7 @@ logging_manage_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) +miscfiles_read_generic_certs(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) seutil_read_config(system_cronjob_t) 
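Review bot: The summary and parameter text of the new `cron_append_system_job_tmp_files` interface (`## allow appending temporary system cron job files.`, `## Domain to allow.`) do not follow the wording used by the sibling interfaces in cron.if, including `cron_dontaudit_append_system_job_tmp_files` directly above it, whose parameter reads `## Domain allowed access.`. Change the summary to `## Append system cron job temporary files.` and the parameter description to `## Domain allowed access.` so the generated interface documentation stays uniform.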
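Review bot: `files_manage_var_lib_dirs(system_cronjob_t)` in the `@@ -535,6 +538,7 @@` hunk of cron.te lets every system cron job create, rename and remove directories carrying the generic var_lib_t label, and unlike the other additions in this commit (`# for runuser` above `init_search_keys`, `# for /run/user/0/gnupg` above `userdom_manage_user_tmp_dirs`) it carries no comment naming the job that needs it. A directory a job creates under /var/lib without a matching filetrans rule is itself labelled var_lib_t, so it stays manageable by every other system cron job and may not carry the type a later daemon expects. Please add a why-comment, e.g. `# for <job name> creating its state directory in /var/lib`, and consider a named filetrans to that job's own type where one exists.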
@@ -654,6 +659,10 @@ optional_policy(` mysql_read_config(system_cronjob_t) ') +optional_policy(` + ntp_read_config(system_cronjob_t) +') + optional_policy(` postfix_read_config(system_cronjob_t) ') @@ -678,6 +687,8 @@ optional_policy(` # for gpg-connect-agent to access /run/user/0 userdom_manage_user_runtime_dirs(system_cronjob_t) + # for /run/user/0/gnupg + userdom_manage_user_tmp_dirs(system_cronjob_t) ') ###
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: a4c6f2483b5025b63c5d42837f9eabd73d9866fe Author: Guido Trentalancia trentalancia com> AuthorDate: Fri Sep 29 20:30:14 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4c6f248 Let openoffice perform temporary file transitions and manage link files. Signed-off-by: Guido Trentalancia trentalancia.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/apps/openoffice.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te
index 37ac6720c..f8cccacd4 100644
--- a/policy/modules/apps/openoffice.te
+++ b/policy/modules/apps/openoffice.te
@@ -61,8 +61,9 @@ userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
 manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_lnk_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
-files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file lnk_file sock_file })
 can_exec(ooffice_t, ooffice_exec_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 634b4ae6e433169248722aa27c12b75c302ddac6 Author: Dave Sugar gmail com> AuthorDate: Thu Sep 14 19:44:07 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:52 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=634b4ae6 separate domain for journalctl during init During system boot, when systemd-journal-catalog-update.service is started, it fails because initrc_t doesn't have access to write systemd_journal_t files/dirs. This change is to run journalctl in a different domain during system startup (systemd_journal_init_t) to allow the access necessary to run. × systemd-journal-catalog-update.service - Rebuild Journal Catalog Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static) Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 10min ago Docs: man:systemd-journald.service(8) man:journald.conf(5) Process: 1626 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE) Main PID: 1626 (code=exited, status=1/FAILURE) CPU: 102ms Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog... Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for writing: /var/lib/systemd/catalog/database: Permission denied Sep 13 12:51:28 localhost journalctl[1626]: Failed to write /var/lib/systemd/catalog/database: Permission denied Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: Permission denied Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'. Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal Catalog. 
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { write } for pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { add_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { create } for pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { write } for pid=1631 comm="journalctl" path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1692308998.330:137): avc: denied { setattr } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { rename } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { unlink } for pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133 
scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/logging.if | 19 +++ policy/modules/system/systemd.fc | 1 + policy/modules/system/systemd.te | 35 ++- 3 files changed, 54 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 681385d50..763926dac 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -845,6 +845,25 @@ interface(`logging_watch_runtime_dirs',` allow $1 syslogd_runtime_t:dir watch; ') +###
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 1d66af88aa2d390ac5783557e8d04289d16bc612 Author: Russell Coker coker com au> AuthorDate: Mon Sep 25 15:46:04 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:09 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88 small storage changes (#706) * Changes to storage.fc, smartmon, samba and lvm Signed-off-by: Russell Coker coker.com.au> * Add the interfaces this patch needs Signed-off-by: Russell Coker coker.com.au> * use manage_sock_file_perms for sock_file Signed-off-by: Russell Coker coker.com.au> * Renamed files_watch_all_file_type_dir to files_watch_all_dirs Signed-off-by: Russell Coker coker.com.au> * Use read_files_pattern Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.if | 19 +++ policy/modules/kernel/storage.fc| 1 + policy/modules/services/samba.te| 11 ++- policy/modules/services/smartmon.if | 20 policy/modules/services/smartmon.te | 2 +- policy/modules/system/lvm.te| 1 + policy/modules/system/userdomain.if | 18 ++ 7 files changed, 70 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index d8874ace2..a1113ff7c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',` allow $1 file_type:filesystem unmount; ') + +## +## watch all directories of file_type +## +## +## +## Domain allowed access. +## +## +# +interface(`files_watch_all_dirs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir watch; +') + + ## ## Read all non-authentication related diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index 3033ac4de..9cd280c25 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc 
@@ -29,6 +29,7 @@ /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) +/dev/megaraid.*-c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mmcblk.* -c gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 8ec3a1c62..f78d316cc 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',` ') tunable_policy(`samba_enable_home_dirs',` + files_watch_home(smbd_t) userdom_manage_user_home_content_dirs(smbd_t) userdom_manage_user_home_content_files(smbd_t) userdom_manage_user_home_content_symlinks(smbd_t) userdom_manage_user_home_content_sockets(smbd_t) userdom_manage_user_home_content_pipes(smbd_t) + userdom_watch_user_home_dirs(smbd_t) ') tunable_policy(`samba_portmapper',` @@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) files_list_non_auth_dirs(smbd_t) files_read_non_auth_files(smbd_t) + files_watch_all_dirs(smbd_t) ') tunable_policy(`samba_export_all_rw',` fs_read_noxattr_fs_files(smbd_t) files_manage_non_auth_files(smbd_t) + files_watch_all_dirs(smbd_t) ') optional_policy(` 
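Review bot: The added storage.fc entry reads `/dev/megaraid.*-c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)` with no whitespace between the regex and the `-c` file-type field, whereas the neighbouring entries are written `/dev/megadev.* -c`. If the separator was lost only in this mail rendering the patch is fine; if the committed line really is `/dev/megaraid.*-c`, the `-c` becomes part of the regex, no file type is specified, and the rule only matches paths ending in `-c`, so the controller node would keep a generic label. Please confirm the committed line is `/dev/megaraid.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. The same rendering appears for `/usr/sbin/pure-ftpd-- gen_context(...)` in the ftp.fc hunk of the "small network patches" commit below and deserves the same check.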
@@ -617,13 +621,17 @@ optional_policy(` allow smbcontrol_t self:process signal; allow smbcontrol_t self:fifo_file rw_fifo_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; +allow smbcontrol_t self:unix_dgram_socket create_socket_perms; allow smbcontrol_t self:process { signal signull }; allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull }; -read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t) +allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto; +manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t) +allow smbcontrol_t samba_runtime_t:file map; allow smbcontrol_t samba_runtime_t:dir rw_dir_perms; manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) +allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms; samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) @@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t) te
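Review bot: `read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` becomes `manage_files_pattern(...)` plus `samba_runtime_t:file map`, and `samba_var_t:sock_file manage_sock_file_perms` and `unix_dgram_socket sendto` to smbd_t/nmbd_t are added, but nothing in the hunk records which files or sockets the control tool actually writes, unlike the why-comments used elsewhere in this series. A one-line comment above the `manage_files_pattern` line, such as `# smbcontrol messaging: <files observed in the AVCs> in the runtime dir and the unix dgram sockets of smbd/nmbd`, would let the next reader judge whether manage rather than read-write is required. If only existing files are opened and mapped, `rw_files_pattern` plus `map` is the narrower rule; hedged, since the denials that motivated the change are not shown.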
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/
commit: ab9b49a1d782ac96a73b4b1553992528a599d8d6 Author: Russell Coker coker com au> AuthorDate: Mon Sep 25 15:44:52 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:09 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab9b49a1 small network patches (#707) * Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc Signed-off-by: Russell Coker coker.com.au> * Fixed typo in interface name Signed-off-by: Russell Coker coker.com.au> * Add interface libs_watch_shared_libs_dir Signed-off-by: Russell Coker coker.com.au> * Added sysnet_watch_config_dir interface Signed-off-by: Russell Coker coker.com.au> * renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs Signed-off-by: Russell Coker coker.com.au> * rename sysnet_watch_config_dir to sysnet_watch_config_dirs Signed-off-by: Russell Coker coker.com.au> * Reverted a change as I can't remember why I did it. Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/netutils.te | 1 + policy/modules/services/firewalld.te | 3 +++ policy/modules/services/ftp.fc| 6 +- policy/modules/services/ftp.te| 9 + policy/modules/services/inetd.te | 2 +- policy/modules/services/networkmanager.te | 11 ++- policy/modules/services/openvpn.te| 1 + policy/modules/services/ppp.fc| 1 + policy/modules/services/ppp.te| 2 ++ policy/modules/services/rpc.te| 6 +- policy/modules/system/libraries.if| 18 ++ policy/modules/system/sysnetwork.if | 18 ++ 12 files changed, 74 insertions(+), 4 deletions(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 5fef6a31a..3c43a1d84 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te 
@@ -146,6 +146,7 @@ logging_send_syslog_msg(ping_t) miscfiles_read_localization(ping_t) userdom_use_inherited_user_terminals(ping_t) +term_use_unallocated_ttys(ping_t) optional_policy(` munin_append_log(ping_t) diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te index 954a348f0..eb097753f 100644 --- a/policy/modules/services/firewalld.te +++ b/policy/modules/services/firewalld.te @@ -38,11 +38,13 @@ allow firewalld_t self:fifo_file rw_fifo_file_perms; allow firewalld_t self:unix_stream_socket { accept listen }; allow firewalld_t self:netlink_netfilter_socket create_socket_perms; allow firewalld_t self:udp_socket create_socket_perms; +allow firewalld_t self:netlink_netfilter_socket create_socket_perms; allow firewalld_t firewalld_etc_rw_t:dir watch; manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t) dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto }; +allow firewalld_t firewalld_etc_rw_t:dir watch; allow firewalld_t firewalld_var_log_t:file append_file_perms; allow firewalld_t firewalld_var_log_t:file create_file_perms; @@ -86,6 +88,7 @@ logging_send_syslog_msg(firewalld_t) libs_watch_lib_dirs(firewalld_t) +miscfiles_read_generic_certs(firewalld_t) miscfiles_read_localization(firewalld_t) seutil_exec_setfiles(firewalld_t) diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc index b90598fed..a58851e58 100644 --- a/policy/modules/services/ftp.fc +++ b/policy/modules/services/ftp.fc @@ -1,4 +1,5 @@ /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0) +/etc/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_etc_t,s0) /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) 
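Review bot: `term_use_unallocated_ttys(ping_t)` gives ping read/write access to every terminal node not yet allocated to a login session and carries no comment saying which caller needs it, while the preceding `userdom_use_inherited_user_terminals(ping_t)` already covers the interactive case. Please record the reason above the line, e.g. `# for ping run from <the boot-time or rescue context observed>` (replace with the case that produced the denial), or, if it came from one specific caller, prefer a narrower rule in that caller's policy.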
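Review bot: Both added lines in the firewalld.te `@@ -38,11 +38,13 @@` hunk duplicate rules that are already context lines of the same hunk: `allow firewalld_t self:netlink_netfilter_socket create_socket_perms;` appears two lines above the new copy, and `allow firewalld_t firewalld_etc_rw_t:dir watch;` is the first context line of the hunk. They grant no additional access and only make the module's rule set harder to audit; drop the two `+` lines. If a different class or permission was intended (for instance a second netlink socket class), that should be spelled out instead.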
@@ -22,8 +23,10 @@ /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0) +/usr/sbin/pure-ftpd-- gen_context(system_u:object_r:ftpd_exec_t,s0) -/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0) +/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0) +/run/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_runtime_t,s0) /usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0) @@ -31,6 +34,7 @@ /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) +/var/log/pure-ftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0) /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0) /var/log/
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 3cf4d89db3171671a05868dd5ecaf933c49fcaa4 Author: Russell Coker coker com au> AuthorDate: Thu Sep 28 13:55:56 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:52 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d mon.te patches as well as some fstools patches related to it (#697) * Patches for mon, mostly mon local monitoring. Also added the fsdaemon_read_lib() interface and fstools patch because it also uses fsdaemon_read_lib() and it's called by monitoring scripts Signed-off-by: Russell Coker coker.com.au> * Added the files_dontaudit_tmpfs_file_getattr() and storage_dev_filetrans_fixed_disk_control() interfaces needed Signed-off-by: Russell Coker coker.com.au> * Fixed the issues from the review Signed-off-by: Russell Coker coker.com.au> * Specify name to avoid conflicting file trans Signed-off-by: Russell Coker coker.com.au> * fixed dontaudi_ typo Signed-off-by: Russell Coker coker.com.au> * Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class Signed-off-by: Russell Coker coker.com.au> * Remove fsdaemon_read_lib as it was already merged Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.if | 18 ++ policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/storage.if| 7 ++- policy/modules/services/mon.te | 30 ++ policy/modules/services/smartmon.te | 2 +- policy/modules/system/fstools.te| 17 + policy/modules/system/init.te | 2 +- policy/modules/system/lvm.te| 2 +- policy/modules/system/raid.te | 2 +- 9 files changed, 72 insertions(+), 10 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index a1113ff7c..591aa64d6 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',` typeattribute $1 tmpfsfile; ') + +## +## dontaudit getattr on tmpfs files +## +## +## +## Domain to not have stat on tmpfs files audited +## +## +# +interface(`files_dontaudit_getattr_all_tmpfs_files',` + gen_require(` + attribute tmpfsfile; + ') + + dontaudit $1 tmpfsfile:file getattr; +') + ## ## Get the attributes of all directories. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 666d0e7e9..8156ac087 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -390,7 +390,7 @@ ifdef(`init_systemd',` ') optional_policy(` - storage_dev_filetrans_fixed_disk(kernel_t) + storage_dev_filetrans_fixed_disk(kernel_t, blk_file) storage_setattr_fixed_disk_dev(kernel_t) storage_create_fixed_disk_dev(kernel_t) storage_delete_fixed_disk_dev(kernel_t) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 9c581a910..777caea69 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',` ## Domain allowed access. ## ## +## +## +## The class of the object to be created. +## +## ## ## ## Optional filename of the block device to be created @@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',` type fixed_disk_device_t; ') - dev_filetrans($1, fixed_disk_device_t, blk_file, $2) + dev_filetrans($1, fixed_disk_device_t, $2, $3) ') diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te index b9a349871..bbf0496b3 100644 --- a/policy/modules/services/mon.te +++ b/policy/modules/services/mon.te 
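Review bot: The third parameter of `storage_dev_filetrans_fixed_disk` is still documented as `## Optional filename of the block device to be created`, but the new second parameter (`## The class of the object to be created.`) means the transition is no longer limited to block devices, as `dev_filetrans($1, fixed_disk_device_t, $2, $3)` shows. Reword it to `## Optional filename of the device node to be created.` Since the class parameter is now mandatory, every caller must pass it; the diffstat lists init.te, lvm.te, raid.te and smartmon.te with one-line changes, which presumably are those updates, so please confirm no caller outside this diff remains on the two-argument form.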
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t) allow mon_t self:fifo_file rw_fifo_file_perms; allow mon_t self:tcp_socket create_stream_socket_perms; -# for mailxmpp.alert to set ulimit -allow mon_t self:process setrlimit; +allow mon_t self:process { setrlimit getsched signal }; domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t) @@ -104,6 +103,11 @@ optional_policy(` mta_send_mail(mon_t) ') +optional_policy(` + # for config of xmpp sending program + xdg_read_config_files(mon_t) +') + # # Local policy @@ -151,6 +155,10 @@ optional_policy(` mysql_stream_connect(mon_net_test_t) ') +optional_policy(` + snmp_read_snmp_var_lib_files(mon_net_test_t) +') + # # Local policy @@ -161,9 +169,10 @@ opt
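Review bot: The mon.te `@@ -42,8 +42,7 @@` hunk drops the why-comment `# for mailxmpp.alert to set ulimit` while widening the rule to `allow mon_t self:process { setrlimit getsched signal };`, so the reason for setrlimit is lost and the new getsched/signal permissions arrive without one. Keep the comment above the allow line and extend it, e.g. `# setrlimit for mailxmpp.alert to set ulimit; getsched/signal for <the alert or test program observed>`.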
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: c476335905f6b809c1f4ba083b071fab067aa1e5 Author: Russell Coker coker com au> AuthorDate: Tue Sep 26 13:48:31 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:09 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4763359 allow jabbers to create sock file and allow matrixd to read sysfs (#705) * Allow jabberd_domain to create sockets in it's var/lib dir Allow matrixd_t to read sysfs Signed-off-by: Russell Coker coker.com.au> * Changed to manage_sock_file_perms to allow unlink Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/jabber.te | 1 + policy/modules/services/matrixd.te | 1 + 2 files changed, 2 insertions(+)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 6003cc9fb..6c8e45de5 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -39,6 +39,7 @@ allow jabberd_domain self:tcp_socket { accept listen };
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
 allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
+allow jabberd_domain jabberd_var_lib_t:sock_file manage_sock_file_perms;
 kernel_read_system_state(jabberd_domain)
diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
index 4ac31d901..c396a3d7c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -83,6 +83,7 @@ corenet_udp_bind_generic_node(matrixd_t)
 corenet_udp_bind_generic_port(matrixd_t)
 corenet_udp_bind_reserved_port(matrixd_t)
+dev_read_sysfs(matrixd_t)
 dev_read_urand(matrixd_t)
 files_read_etc_files(matrixd_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/
commit: 3eefa3b065ed81f56fddfb12a372012ef5e2a336 Author: Russell Coker coker com au> AuthorDate: Mon Sep 25 15:01:12 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3eefa3b0 small ntp and dns changes (#703) * Small changes for ntp, bind, avahi, and dnsmasq Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/dpkg.te | 9 + policy/modules/services/avahi.te | 4 policy/modules/services/bind.te| 7 +-- policy/modules/services/dnsmasq.te | 4 policy/modules/services/ntp.fc | 1 + policy/modules/services/ntp.if | 19 +++ 6 files changed, 42 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index d6871de21..d4a56e5eb 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -350,8 +350,17 @@ optional_policy(` nis_use_ypbind(dpkg_script_t) ') +optional_policy(` + ntp_filetrans_drift(dpkg_script_t) +') + +optional_policy(` + policykit_dbus_chat(dpkg_script_t) +') + optional_policy(` systemd_read_logind_state(dpkg_script_t) + systemd_dbus_chat_hostnamed(dpkg_script_t) systemd_dbus_chat_logind(dpkg_script_t) systemd_run_sysusers(dpkg_script_t, dpkg_roles) ') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index 773d2b8ff..1094e39db 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -111,3 +111,7 @@ optional_policy(` seutil_sigchld_newrole(avahi_t) ') +optional_policy(` + unconfined_dbus_send(avahi_t) +') + diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 1b3e674a1..0a08be452 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te 
@@ -213,9 +213,9 @@ optional_policy(` # NDC local policy # -allow ndc_t self:capability { dac_override net_admin }; +allow ndc_t self:capability { dac_override dac_read_search net_admin }; allow ndc_t self:capability2 block_suspend; -allow ndc_t self:process signal_perms; +allow ndc_t self:process { signal_perms getsched setsched }; allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; @@ -231,6 +231,9 @@ allow ndc_t named_zone_t:dir search_dir_perms; kernel_read_kernel_sysctls(ndc_t) kernel_read_system_state(ndc_t) +kernel_read_vm_overcommit_sysctl(ndc_t) + +dev_read_sysfs(ndc_t) corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index 6d1799ba8..2e492954d 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -108,6 +108,10 @@ optional_policy(` ') optional_policy(` + # for the dnsmasq-usb0.leases file + networkmanager_manage_lib_files(dnsmasq_t) + + networkmanager_read_etc_files(dnsmasq_t) networkmanager_read_runtime_files(dnsmasq_t) ') diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc index 4d014d196..4f19959e7 100644 --- a/policy/modules/services/ntp.fc +++ b/policy/modules/services/ntp.fc @@ -30,6 +30,7 @@ /var/db/ntp-kod-- gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) +/var/lib/ntpsec(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/systemd/timesync(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if index 4953e9f08..9df5d8d07 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if 
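Review bot: `networkmanager_manage_lib_files(dnsmasq_t)`, added in the dnsmasq.te hunk `# for the dnsmasq-usb0.leases file`, presumably grants create, write and delete on every file carrying NetworkManager's lib-file type, far more than one leases file, and hands the DNS/DHCP daemon write access to NetworkManager's own state. If dnsmasq creates the leases file itself, a named filetrans to a dnsmasq-owned type (or an fc entry giving that file its own type) would keep the two services' state separate; at minimum extend the comment to record why manage rather than read-write on that single file was needed. The `optional_policy` block this sits in is fully visible in the hunk.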
@@ -176,6 +176,25 @@ interface(`ntp_read_drift_files',` read_files_pattern($1, ntp_drift_t, ntp_drift_t) ') + +## +## specified domain creates /var/lib/ntpsec/ with the correct type +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_filetrans_drift',` + gen_require(` + type ntp_drift_t; + ') + + files_search_var_lib($1) + files_var_lib_filetrans($1, ntp_drift_t, dir) +') + ## ## Read and write ntpd shared memory.
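Review bot: `ntp_filetrans_drift` calls `files_var_lib_filetrans($1, ntp_drift_t, dir)` without a filename, so every directory the caller creates directly under /var/lib, not only /var/lib/ntpsec/ as the summary states, is labelled ntp_drift_t; for dpkg_script_t, the caller added in dpkg.te in this commit, that would mislabel any package postinst that creates its own state directory. Pass the name so the transition matches the summary and the new ntp.fc entry: `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")`. While here, capitalise the summary (`## Create /var/lib/ntpsec/ with the ntp_drift_t type.`) to match the other interfaces in ntp.if.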
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: e17a5ea822384af3d15da14be3bc593037950d21 Author: Russell Coker coker com au> AuthorDate: Fri Sep 22 09:09:12 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e17a5ea8 Added tmpfs file type for postgresql Small mysql stuff including anon_inode Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/mysql.te | 4 +++- policy/modules/services/postgresql.te | 9 - 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index 2e7621471..4d1124bbf 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -67,11 +67,12 @@ files_runtime_file(mysqlmanagerd_runtime_t) allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource }; dontaudit mysqld_t self:capability sys_tty_config; -allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; +allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file rw_fifo_file_perms; allow mysqld_t self:shm create_shm_perms; allow mysqld_t self:unix_stream_socket { connectto accept listen }; allow mysqld_t self:tcp_socket { accept listen }; +allow mysqld_t self:anon_inode { create map read write }; manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) @@ -191,6 +192,7 @@ dev_read_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) +files_dontaudit_write_root_dirs(mysqld_safe_t) files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) files_search_runtime(mysqld_safe_t) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 1b2d8ab0d..11b3936b0 100644 --- a/policy/modules/services/postgresql.te 
+++ b/policy/modules/services/postgresql.te @@ -65,6 +65,9 @@ init_daemon_runtime_file(postgresql_runtime_t, dir, "postgresql") type postgresql_tmp_t; files_tmp_file(postgresql_tmp_t) +type postgresql_tmpfs_t; +files_tmpfs_file(postgresql_tmpfs_t) + type postgresql_unit_t; init_unit_file(postgresql_unit_t) @@ -282,7 +285,10 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) -fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) +fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file fifo_file }) +fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file }) +allow postgresql_t postgresql_tmpfs_t:file map; +manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t) manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t) manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t) @@ -342,6 +348,7 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) +miscfiles_read_generic_tls_privkey(postgresql_t) miscfiles_read_localization(postgresql_t) seutil_libselinux_linked(postgresql_t)
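Review bot: `miscfiles_read_generic_tls_privkey(postgresql_t)` in the last postgresql.te hunk lets the database server read every private key carrying the generic TLS key type, not just its own server key. If the server key is placed under a postgresql-owned label (or a dedicated key type with its own fc entry), the grant stays limited to that file; otherwise a comment above the line recording the trade-off, e.g. `# server key is kept in the generic TLS key location; no postgresql-specific key type yet`, keeps the choice visible to the next reviewer.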
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 8f51e189a7c8f8680f84fc11841257c19ab9fa51 Author: Russell Coker coker com au> AuthorDate: Wed Sep 27 13:20:52 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:52 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f51e189 small systemd patches (#708) * Some small systemd patches Signed-off-by: Russell Coker coker.com.au> * Fixed error where systemd.if had a reference to user_devpts_t Signed-off-by: Russell Coker coker.com.au> * removed the init_var_run_t:service stuff as there's already interfaces and a type for it Signed-off-by: Russell Coker coker.com.au> * corecmd_shell_entry_type doesn't seem to be needed Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/locallogin.te | 3 ++- policy/modules/system/systemd.if| 12 +++- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index f40f15c1c..4dc9981bc 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -131,7 +131,8 @@ auth_domtrans_pam_console(local_login_t) auth_read_pam_motd_dynamic(local_login_t) auth_read_shadow_history(local_login_t) -init_dontaudit_use_fds(local_login_t) +# if local_login_t can not inherit fd from init it takes ages to login +init_use_fds(local_login_t) miscfiles_read_localization(local_login_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 77a59c662..64455eed5 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -19,11 +19,6 @@ ## The user domain for the role. ## ## -## -## -## The type for the user pty -## -## # template(`systemd_role_template',` gen_require(` 
@@ -34,6 +29,7 @@ template(`systemd_role_template',`
 type systemd_user_runtime_t, systemd_user_runtime_notify_t;
 type systemd_user_unit_t;
 type systemd_user_runtime_unit_t, systemd_user_transient_unit_t;
+ type systemd_machined_t;
 ')
 #
@@ -153,6 +149,12 @@ template(`systemd_role_template',`
 allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ # for "machinectl shell"
+ allow $1_systemd_t systemd_machined_t:fd use;
+ allow $3 systemd_machined_t:fd use;
+ allow $3 systemd_machined_t:dbus send_msg;
+ allow systemd_machined_t $3:dbus send_msg;
+
 allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 allow $3 systemd_user_unit_t:service { reload start status stop };
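Review bot: The four `allow` rules added under `# for "machinectl shell"` in the second hunk are unconditional for every role instantiated through `systemd_role_template`, so each such user domain `$3` gets two-way D-Bus messaging with `systemd_machined_t` and may use its file descriptors whether or not the site ever uses machined. Putting them inside a `tunable_policy(`...`')` block keyed on a new boolean, or at least an `optional_policy(`...`')` block, would let administrators keep that surface off where machined is not in use; if systemd.if already provides a machined dbus-chat interface, calling it here would also be the preferred style over raw `allow` lines on another domain's type. The comment would help more if it named what is exchanged, e.g. `# machinectl shell: the session and machined pass fds and D-Bus messages both ways`, stated as an assumption since the machined code path is not visible here. The template body continues outside both hunks.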
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: d7890fb6d1c7bfd1c75d454d457b5fcdc869efe1 Author: Chris PeBenito ieee org> AuthorDate: Tue Sep 26 13:43:40 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:09 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d7890fb6 postgresql: Move lines Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/postgresql.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 11b3936b0..810fb0ed4 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -286,9 +286,10 @@ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
 fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file fifo_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+
 allow postgresql_t postgresql_tmpfs_t:file map;
 manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
