[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/

commit: c8dced7f7e0dd36a09ed44d30dbbf807d62b8252
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Thu Mar  7 15:51:51 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Thu Mar  7 15:51:51 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8dced7f

net-voip/murmur: drop 1.4.287-r1

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/murmur/murmur-1.4.287-r1.ebuild | 185 ---
 1 file changed, 185 deletions(-)

diff --git a/net-voip/murmur/murmur-1.4.287-r1.ebuild 
b/net-voip/murmur/murmur-1.4.287-r1.ebuild
deleted file mode 100644
index da97454719ad..
--- a/net-voip/murmur/murmur-1.4.287-r1.ebuild
+++ /dev/null
@@ -1,185 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit cmake flag-o-matic systemd readme.gentoo-r1 tmpfiles
-
-DESCRIPTION="Mumble is an open source, low-latency, high quality voice chat 
software"
-HOMEPAGE="https://wiki.mumble.info;
-if [[ "${PV}" ==  ]] ; then
-   inherit git-r3
-   EGIT_REPO_URI="https://github.com/mumble-voip/mumble.git;
-   EGIT_SUBMODULES=( '-*' )
-else
-   MY_PN="mumble"
-   if [[ "${PV}" == *_pre* ]] ; then
-   MY_P="${MY_PN}-${PV}"
-   
SRC_URI="https://dev.gentoo.org/~concord/distfiles/${MY_P}.tar.xz;
-   S="${WORKDIR}/${MY_P}"
-   else
-   MY_PV="${PV/_/-}"
-   MY_P="${MY_PN}-${MY_PV}"
-   
SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz
-   https://dl.mumble.info/${MY_P}.tar.gz;
-   S="${WORKDIR}/${MY_P}.src"
-   fi
-   KEYWORDS="amd64 ~arm ~arm64 x86"
-fi
-
-SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/mumble-1.4-openssl3.patch.xz;
-SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/mumble-1.4-crypto-threads.patch.xz;
-SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/mumble-1.4-odr.patch.xz;
-
-LICENSE="BSD"
-SLOT="0"
-IUSE="+dbus grpc +ice test zeroconf"
-RESTRICT="!test? ( test )"
-
-RDEPEND="
-   acct-group/murmur
-   acct-user/murmur
-   >=dev-libs/openssl-1.0.0b:0=
-   >=dev-libs/protobuf-2.2.0:=
-   dev-qt/qtcore:5
-   dev-qt/qtnetwork:5[ssl]
-   || (
-   dev-qt/qtsql:5[sqlite]
-   dev-qt/qtsql:5[mysql]
-   )
-   dev-qt/qtxml:5
-   sys-apps/lsb-release
-   >=sys-libs/libcap-2.15
-   dbus? ( dev-qt/qtdbus:5 )
-   grpc? ( net-libs/grpc )
-   ice? ( dev-libs/Ice:= )
-   zeroconf? ( net-dns/avahi[mdnsresponder-compat] )
-"
-
-DEPEND="${RDEPEND}
-   dev-libs/boost
-   dev-qt/qttest:5
-"
-BDEPEND="
-   acct-group/murmur
-   acct-user/murmur
-   virtual/pkgconfig
-"
-
-if [[ "${PV}" == * ]] ; then
-   # Required for the mkini.sh script which calls perl multiple times
-   BDEPEND+="
-   dev-lang/perl
-   "
-fi
-
-DOC_CONTENTS="
-   Useful scripts are located in /usr/share/doc/${PF}/scripts.\n
-   Please execute:\n
-   murmurd -ini /etc/murmur/murmur.ini -supw \n
-   chown murmur:murmur /var/lib/murmur/murmur.sqlite\n
-   to set the build-in 'SuperUser' password before starting murmur.
-   Please restart dbus before starting murmur, or else dbus
-   registration will fail.
-"
-
-PATCHES=(
-   "${WORKDIR}/mumble-1.4-openssl3.patch"
-   "${WORKDIR}/mumble-1.4-crypto-threads.patch"
-   "${WORKDIR}/mumble-1.4-odr.patch"
-)
-
-src_prepare() {
-   if [[ "${PV}" == * ]] ; then
-   pushd scripts &>/dev/null || die
-   ./mkini.sh || die
-   popd &>/dev/null || die
-   fi
-
-   sed \
-   -e 's:mumble-server:murmur:g' \
-   -e 's:/var/run:/run:g' \
-   -i "${S}"/scripts/murmur.{conf,ini} || die
-
-   # Adjust systemd service file to our config location #689208
-   sed \
-   -e "s@/etc/${PN}\.ini@/etc/${PN}/${PN}.ini@" \
-   -e "s@murmurd@mumble-server@" \
-   -i scripts/${PN}.service || die
-
-   cmake_src_prepare
-}
-
-src_configure() {
-   myuse() {
-   [[ -n "${1}" ]] || die "myconf: No use flag given."
-   use ${1} || echo "no-${1}"
-   }
-   local mycmakeargs=(
-   -DBUILD_TESTING="$(usex test)"
-   -Dclient="OFF"
-   -Ddbus="$(usex dbus)"
-   -Dg15="OFF"
-   -Dgrpc="$(usex grpc)"
-  

[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/

commit: 155e07eaaf58d16fd212a0b973d82c73f44f595e
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Thu Mar  7 15:50:39 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Thu Mar  7 15:50:39 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=155e07ea

net-voip/murmur: stabilize 1.4.287-r2 for amd64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/murmur/murmur-1.4.287-r2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-voip/murmur/murmur-1.4.287-r2.ebuild 
b/net-voip/murmur/murmur-1.4.287-r2.ebuild
index f439f3c88309..61f7d8175087 100644
--- a/net-voip/murmur/murmur-1.4.287-r2.ebuild
+++ b/net-voip/murmur/murmur-1.4.287-r2.ebuild
@@ -24,7 +24,7 @@ else
https://dl.mumble.info/${MY_P}.tar.gz;
S="${WORKDIR}/${MY_P}.src"
fi
-   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+   KEYWORDS="amd64 ~arm ~arm64 x86"
 fi
 
 SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/mumble-1.4-openssl3.patch.xz;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

commit: 007072b1c66cfb28310f9d0449f8167f496be2ae
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:52 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:56 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=007072b1

systemd: logind update

type=PROCTITLE msg=audit(21/02/24 23:31:52.659:83) : 
proctitle=/usr/lib/systemd/systemd-logind
type=SYSCALL msg=audit(21/02/24 23:31:52.659:83) : arch=x86_64 
syscall=recvmsg success=yes exit=24 a0=0xf a1=0x7ffdec4e7bc0 
a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=909 auid=unset 
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind 
subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(21/02/24 23:31:52.659:83) : avc:  denied  { use } for  
pid=909 comm=systemd-logind path=anon_inode:[pidfd] dev="anon_inodefs" ino=1051 
scontext=system_u:system_r:systemd_logind_t:s0 
tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=1

p.s.: this might need an overhaul after pidfd handling in the kernel has
been improved.

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/systemd.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e3af88033..cef49e9a3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1053,6 +1053,9 @@ storage_raw_read_fixed_disk_cond(systemd_logind_t, 
systemd_logind_get_bootloader
 optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
dbus_system_bus_client(systemd_logind_t)
+
+   # pidfd
+   dbus_use_system_bus_fds(systemd_logind_t)
 ')
 
 optional_policy(`
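Review bot: The `# pidfd` comment above the added `dbus_use_system_bus_fds(systemd_logind_t)` undersells what the rule grants: presumably fd use on every descriptor the system bus passes to logind, not only the pidfd that the AVC shows arriving over recvmsg, because SELinux cannot distinguish fd kinds in the fd class. Worth saying so in the comment, together with the caveat from the commit message, so the grant is revisited rather than silently inherited: `# pidfds received from the system bus over recvmsg; fd:use cannot be narrowed to pidfds, revisit once kernel pidfd handling improves`. The optional_policy block is complete within the hunk, but the surrounding logind section is not.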



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

commit: 5c8203bfd90758d92cd93c786de8fe94e6d716ca
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:48 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:52 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c8203bf

fs: add support for virtiofs

Adopted from 
https://github.com/fedora-selinux/selinux-policy/commit/5580e9a576f759820dbc3387961ce58a959221dc

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.te | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index f21fc71e9..f9aa5f90b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -41,6 +41,7 @@ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ubifs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
 
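Review bot: `fs_use_xattr virtiofs` here labels virtiofs mounts as fs_t with per-file xattr labels, while the second hunk's `genfscon virtiofs / gen_context(system_u:object_r:virtiofs_t,s0)` gives the whole mount a single virtiofs_t, and the comment block there calls virtiofs_t the default type without saying when each rule applies. As far as I know the kernel consults fs_use rules before genfscon for the same fstype, so the genfscon line should only matter for mounts where the xattr path is not taken; that is worth confirming against the Fedora commit the message cites and recording in the comment, e.g. `# virtiofs_t is the fallback type for virtio file systems without security xattrs (fs_use_xattr labels them fs_t otherwise).` The second hunk also adds an empty `+` line directly after an empty context line, leaving two consecutive blank lines before the comment block.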
@@ -203,6 +204,16 @@ optional_policy(`
init_mountpoint(tracefs_t)
 ')
 
+
+#
+# virtiofs_t is the default type for virtio file systems
+# and their files.
+#
+type virtiofs_t;
+fs_noxattr_type(virtiofs_t)
+files_mountpoint(virtiofs_t)
+genfscon virtiofs / gen_context(system_u:object_r:virtiofs_t,s0)
+
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

commit: f6e3b01a354b974ffc259994385d03909c4be93e
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:42 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:47 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6e3b01a

userdom: permit reading PSI as admin

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/userdomain.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index aadbe34c3..b87f6d48e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1382,6 +1382,7 @@ template(`userdom_admin_user_template',`
kernel_change_ring_buffer_level($1_t)
kernel_clear_ring_buffer($1_t)
kernel_read_ring_buffer($1_t)
+   kernel_read_psi($1_t)
kernel_get_sysvipc_info($1_t)
kernel_rw_all_sysctls($1_t)
# signal unlabeled processes:



[gentoo-commits] proj/hardened-refpolicy: New tag: 2.20240226-r1

commit: 
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 19:56:20 2024 +

New tag: 2.20240226-r1




[gentoo-commits] proj/hardened-refpolicy:master commit in: /

commit: 1949397458a649cf876a4a758a28d65626ad2709
Author: Chris PeBenito  ieee  org>
AuthorDate: Mon Feb 26 18:38:45 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:06:00 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19493974

Update Changelog and VERSION for release 2.20240226.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 Changelog | 487 ++
 VERSION   |   2 +-
 2 files changed, 488 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 76cd60fdc..a1938b4f0 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,490 @@
+* Mon Feb 26 2024 Chris PeBenito  - 2.20240226
+Chris PeBenito (174):
+  tests.yml: Pin ubuntu 20.04.
+  tests.yml: Pin ubuntu 20.04.
+  fstools: Move lines.
+  munin: Move munin_rw_tcp_sockets() implementation.
+  munin: Whitespace change.
+  systemd: Tmpfilesd can correct seusers on files.
+  iscsi: Read initiatorname.iscsi.
+  lvm: Add fc entry for /etc/multipath/*
+  sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()
+  Define user_namespace object class.
+  chromium: Allow user namespace creation.
+  mozilla: Allow user namespace creation.
+  systemd: Allow user namespace creation.
+  container: Allow user namespace creation for all container engines.
+  Update eg25manager.te
+  switcheroo: Whitespace fix.
+  unconfined: Keys are linkable by systemd.
+  postgresql: Move lines
+  Add append to rw and manage lnk_file permission sets for consistency.
+  domain: Manage own fds.
+  systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
+  kernel: hv_utils shutdown on systemd systems.
+  Container: Minor fixes from interactive container use.
+  systemd: Minor coredump fixes.
+  rpm: Minor fixes
+  init: Allow nnp/nosuid transitions from systemd initrc_t.
+  selinuxutil: Semanage reads policy for export.
+  sysnetwork: ifconfig searches debugfs.
+  usermanage: Add sysctl access for groupadd to get number of groups.
+  files: Handle symlinks for /media and /srv.
+  cloudinit: Add support for installing RPMs and setting passwords.
+  kdump: Fixes from testing kdumpctl.
+  usermanage: Handle symlinks in /usr/share/cracklib.
+  unconfined: Add remaining watch_* permissions.
+  chronyd: Read /dev/urandom.
+  cloud-init: Allow use of sudo in runcmd.
+  cloud-init: Add systemd permissions.
+  cloud-init: Change udev rules
+  systemd: Updates for systemd-locale.
+  cloudinit: Add permissions derived from sysadm.
+
+Christian Göttsche (28):
+  git: add fcontext for default binary
+  init: only grant getattr in init_getattr_generic_units_files()
+  ci: bump SELint version to 1.5.0
+  SELint userspace class tweaks
+  systemd: reorder optional block
+  devicedisk: reorder optional block
+  access_vectors: define io_uring { cmd }
+  support/genhomedircon: support usr prefixed paths
+  fix misc typos
+  Support multi-line interface calls
+  policy_capabilities: remove estimated from released versions
+  Rules.monolithic: pre-compile fcontexts on install
+  Rules.modular: use temporary file to not ignore error
+  Makefile: use sepolgen-ifgen-attr-helper from test toolchain
+  Makefile: set PYTHONPATH for test toolchain
+  virt: label qemu configuration directory
+  selinuxutil: setfiles updates
+  selinuxutil: ignore getattr proc in newrole
+  userdom: permit reading PSI as admin
+  fs: mark memory pressure type as file
+  systemd: binfmt updates
+  vnstatd: update
+  fs: add support for virtiofs
+  systemd: generator updates
+  udev: update
+  systemd: logind update
+  consolesetup: update
+  libraries: drop space in empty line
+
+Christian Schneider (1):
+  systemd-generator: systemd_generator_t load kernel modules used for e.g.
+ zram-generator
+
+Corentin LABBE (20):
+  udev: permit to read hwdb
+  fstools: handle gentoo place for drivedb.h
+  mount: dbus interface must be optional
+  mcelog: add missing file context for triggers
+  munin: add file context for common functions file
+  rsyslog: add label for /var/empty/dev/log
+  munin: disk-plugin: transition to fsadm
+  munin: add fc for munin-node plugin state
+  usermanage: permit groupadd to read kernel sysctl
+  portage: Remove old binary location
+  portage: add go/hg source control files
+  portage: add new location for portage commands
+  portage: add missing go/hg context in new distfiles location
+  mandb: permit to read inherited cron files
+  selinuxutil: do not audit load_policy trying to use portage ptys
+  selinuxutil: permit run_init to read kernel sysctl
+  porta

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

commit: 1f6f6eca2f76f7fa1354acdae20898666823bebc
Author: Christian Göttsche  googlemail  com>
AuthorDate: Fri Feb 23 17:04:11 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:59 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f6f6eca

libraries: drop space in empty line

Drop a line containing a single space from the file context file so
that SELint does not stumble on it:

libraries.mod.fc:   130: (E): Bad file context format (E-002)

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/libraries.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/libraries.fc 
b/policy/modules/system/libraries.fc
index 757b18bcb..b5491aa8a 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -284,7 +284,7 @@ HOME_DIR/\.mozilla/plugins/nprhapengine\.so.* --
gen_context(system_u:object_r:t
 /usr/lib/acroread/.+\.api  --  
gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/(.*/)?ADMPlugin\.apl --  
gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/.*/program(/.*)?\.so  
gen_context(system_u:object_r:lib_t,s0)
-') dnl end distro_redhat
+')dnl end distro_redhat
 
 #
 # /var



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

commit: 3676555ed89c3a47ec1f553710f70bf547bd7245
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:55 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:57 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3676555e

consolesetup: update

AVC avc:  denied  { read } for  pid=770 comm="mkdir" name="filesystems" 
dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 
tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/consolesetup.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/consolesetup.te 
b/policy/modules/services/consolesetup.te
index 7756ef6c9..023ec5d23 100644
--- a/policy/modules/services/consolesetup.te
+++ b/policy/modules/services/consolesetup.te
@@ -37,6 +37,8 @@ files_runtime_filetrans(consolesetup_t, 
consolesetup_runtime_t, dir, "console-se
 manage_files_pattern(consolesetup_t, consolesetup_tmp_t, consolesetup_tmp_t)
 files_tmp_filetrans(consolesetup_t, consolesetup_tmp_t, file)
 
+kernel_read_system_state(consolesetup_t)
+
 corecmd_exec_bin(consolesetup_t)
 corecmd_exec_shell(consolesetup_t)
 
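Review bot: `kernel_read_system_state(consolesetup_t)` grants read access to all of proc_t, while the AVC in the commit message is a single read of `/proc/filesystems` by mkdir. If refpolicy has no narrower interface for that file this is the usual choice, but the rule should record what drove it: `# mkdir reads /proc/filesystems`. The line also sits alone between the tmp rules and the corecmd block, so the comment doubles as its section marker.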



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

commit: 9127b63127407012150cc1257dab821bc300477d
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:51 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:55 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9127b631

udev: update

AVC avc:  denied  { create } for  pid=685 comm="ifquery" name="network" 
scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 
tclass=dir permissive=1

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/sysnetwork.if | 30 ++
 policy/modules/system/udev.te   |  3 +++
 2 files changed, 33 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if 
b/policy/modules/system/sysnetwork.if
index f41024669..884f3735d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -489,6 +489,7 @@ interface(`sysnet_create_config',`
')
 
files_search_etc($1)
+   allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };
allow $1 net_conf_t:file create_file_perms;
 ')
 
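Review bot: The added `allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };` widens sysnet_create_config() for every existing caller, not just the udev_t caller this commit adds in udev.te, and the interface's documentation block (above the hunk, outside it) presumably still describes file creation only. Either document the directory grant in that summary or split it into a separate interface so callers that only need net_conf_t files do not also gain directory creation. A comment on the new line naming the driver would help too, e.g. `# e.g. creating /run/network (see udev.te)`. The interface begins before the hunk.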
@@ -535,6 +536,35 @@ interface(`sysnet_etc_filetrans_config',`
files_etc_filetrans($1, net_conf_t, file, $2)
 ')
 
+###
+## 
+## Create files in /run with the type used for
+## the network config files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The object class of the object being created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`sysnet_runtime_filetrans_config',`
+   gen_require(`
+   type net_conf_t;
+   ')
+
+   files_runtime_filetrans($1, net_conf_t, $2, $3)
+')
+
 ###
 ## 
 ## Create, read, write, and delete network config files.

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6e24d515f..8ecc17bc7 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -217,6 +217,9 @@ ifdef(`distro_debian',`
 
files_runtime_filetrans(udev_t, udev_runtime_t, dir, "xen-hotplug")
 
+   sysnet_runtime_filetrans_config(udev_t, dir, "network")
+   sysnet_create_config(udev_t)
+
optional_policy(`
# for /usr/lib/avahi/avahi-daemon-check-dns.sh
kernel_read_vm_sysctls(udev_t)
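Review bot: The two new calls sit in the distro_debian block without a comment naming their trigger, while the neighbouring avahi rule has one; `# ifquery creates /run/network` would tie them to the AVC in the commit message. Note also that `sysnet_create_config(udev_t)` grants udev_t creation of net_conf_t files under /etc as well (the interface calls files_search_etc, per the first hunk), which is broader than the /run directory the denial shows; acceptable if udev's Debian hooks write there too, but worth stating if so. The ifdef block starts before the hunk.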



[gentoo-commits] proj/hardened-refpolicy:master commit in: /

commit: cf1d8825dd74db410aca630202e62d0e0ad5169e
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 19:21:35 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:42 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cf1d8825

Makefile: set PYTHONPATH for test toolchain

In case of a non-default toolchain, also set the environment variable
PYTHONPATH so that sepolgen-related Python code is run from that toolchain.
See scripts/env_use_destdir in the SELinux userland repository.

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 Makefile | 13 ++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 82df20454..42d6484bc 100644
--- a/Makefile
+++ b/Makefile
@@ -47,9 +47,16 @@ endif
 BINDIR ?= /usr/bin
 SBINDIR ?= /usr/sbin
 ifdef TEST_TOOLCHAIN
-tc_usrbindir := env 
LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" 
$(TEST_TOOLCHAIN)$(BINDIR)
-tc_usrsbindir := env 
LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" 
$(TEST_TOOLCHAIN)$(SBINDIR)
-tc_sbindir := env 
LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" 
$(TEST_TOOLCHAIN)/sbin
+python_path_plat := $(shell python3 -c "import sysconfig; 
print(sysconfig.get_path('platlib', vars={'platbase': '/usr', 'base': 
'/usr'}))")
+python_path_pure := $(shell python3 -c "import sysconfig; 
print(sysconfig.get_path('purelib', vars={'platbase': '/usr', 'base': 
'/usr'}))")
+ifdef PYTHONPATH
+python_path := 
"$(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure):$(PYTHONPATH)"
+else
+python_path := 
"$(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure)"
+endif
+tc_usrbindir := env 
LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" 
PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(BINDIR)
+tc_usrsbindir := env 
LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" 
PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(SBINDIR)
+tc_sbindir := env 
LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" 
PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)/sbin
 else
 tc_usrbindir := $(BINDIR)
 tc_usrsbindir := $(SBINDIR)
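Review bot: `python_path` is defined with embedded double quotes on both `python_path :=` lines and then interpolated inside `PYTHONPATH="$(python_path)"`, so the recipe shell sees `PYTHONPATH=""…""`; it works only because the shell collapses the empty strings, and it reads as a mistake. Drop the quotes from the two `python_path :=` definitions and keep the single quoting at the point of use. Separately, the two `$(shell python3 -c …)` calls derive the toolchain's site-packages layout from whichever python3 is on the host PATH, so if the toolchain was built against a different Python version the computed PYTHONPATH would silently point at a directory that does not exist; a comment recording that assumption, or a parse-time check that `$(TEST_TOOLCHAIN)$(python_path_pure)` exists, would make that failure visible.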



[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/

commit: d98d3461c9fd467af7308047b5f6a496259a4104
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Mar  1 17:06:33 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:06:33 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d98d3461

Merge upstream

Signed-off-by: Kenton Groombridge  gentoo.org>

 gentoo/STATE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gentoo/STATE b/gentoo/STATE
index 1265cd5d3..b40fac216 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-f3865abfc25a395c877a27074bd03c5fc22992dd
+fa84ee8fc04af56cced5ab8ed7abfb1abbd246dc



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

commit: b1a213b26e58f32d250057fcb9e1af3a9f05a63d
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:46 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:51 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1a213b2

vnstatd: update

type=PROCTITLE msg=audit(21/02/24 22:54:36.792:69) : 
proctitle=/usr/sbin/vnstatd -n
type=PATH msg=audit(21/02/24 22:54:36.792:69) : item=0 name=/dev/urandom 
inode=18 dev=00:2b mode=character,666 ouid=root ogid=root rdev=01:09 
obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none 
cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:54:36.792:69) : cwd=/
type=SYSCALL msg=audit(21/02/24 22:54:36.792:69) : arch=x86_64 
syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f197cc66865 
a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=900 auid=unset uid=vnstat 
gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat 
fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd 
subj=system_u:system_r:vnstatd_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { open } for  
pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 
scontext=system_u:system_r:vnstatd_t:s0 
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { read } for  
pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 
scontext=system_u:system_r:vnstatd_t:s0 
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/vnstatd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/vnstatd.te 
b/policy/modules/services/vnstatd.te
index f8274d451..3be384a9a 100644
--- a/policy/modules/services/vnstatd.te
+++ b/policy/modules/services/vnstatd.te
@@ -48,6 +48,7 @@ kernel_read_system_state(vnstatd_t)
 
 # read /sys/class/net/eth0
 dev_read_sysfs(vnstatd_t)
+dev_read_urand(vnstatd_t)
 
 files_read_etc_files(vnstatd_t)
 files_search_var_lib(vnstatd_t)
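Review bot: `dev_read_urand(vnstatd_t)` is added directly under the `# read /sys/class/net/eth0` comment, which now reads as if it explained both calls. Put a blank line between them or give the new rule its own comment, e.g. `# vnstatd opens /dev/urandom`, as the audit records in the commit message show.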



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

commit: 2ce9c1574e77cfedf075413013b6247ff0e7f8ce
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:49 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:54 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ce9c157

systemd: generator updates

type=1400 audit(1708552475.580:3): avc:  denied  { getattr } for  pid=528 
comm="systemd-sysv-ge" path="/etc/init.d/auditd" dev="vda1" ino=262124 
scontext=system_u:system_r:systemd_generator_t:s0 
tcontext=system_u:object_r:auditd_initrc_exec_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:4): avc:  denied  { getattr } for  pid=528 
comm="systemd-sysv-ge" path="/usr/lib/systemd/system/auditd.service" dev="vda1" 
ino=395421 scontext=system_u:system_r:systemd_generator_t:s0 
tcontext=system_u:object_r:auditd_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:5): avc:  denied  { getattr } for  pid=528 
comm="systemd-sysv-ge" path="/etc/init.d/vnstat" dev="vda1" ino=261247 
scontext=system_u:system_r:systemd_generator_t:s0 
tcontext=system_u:object_r:vnstatd_initrc_exec_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:6): avc:  denied  { getattr } for  pid=528 
comm="systemd-sysv-ge" path="/usr/lib/systemd/system/vnstat.service" dev="vda1" 
ino=394196 scontext=system_u:system_r:systemd_generator_t:s0 
tcontext=system_u:object_r:vnstatd_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:7): avc:  denied  { getattr } for  pid=528 
comm="systemd-sysv-ge" path="/usr/lib/systemd/system/dbus-broker.service" 
dev="vda1" ino=394383 scontext=system_u:system_r:systemd_generator_t:s0 
tcontext=system_u:object_r:dbusd_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.584:8): avc:  denied  { getattr } for  pid=528 
comm="systemd-sysv-ge" path="/usr/lib/systemd/system/qemu-guest-agent.service" 
dev="vda1" ino=392981 scontext=system_u:system_r:systemd_generator_t:s0 
tcontext=system_u:object_r:qemu_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.584:9): avc:  denied  { getattr } for  pid=528 
comm="systemd-sysv-ge" path="/usr/lib/systemd/system/ssh.service" dev="vda1" 
ino=393521 scontext=system_u:system_r:systemd_generator_t:s0 
tcontext=system_u:object_r:sshd_unit_t:s0 tclass=file permissive=1

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/init.if| 20 
 policy/modules/system/systemd.te |  3 ++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3e4192eb4..597fd169a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3858,6 +3858,26 @@ interface(`init_list_all_units',`
read_lnk_files_pattern($1, systemdunit, systemdunit)
 ')
 
+
+## 
+## Get the attributes of systemd unit directories and the files in them.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`init_getattr_all_unit_files',`
+   gen_require(`
+   attribute systemdunit;
+   ')
+
+   list_dirs_pattern($1, systemdunit, systemdunit)
+   getattr_files_pattern($1, systemdunit, systemdunit)
+   read_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
 
 ## 
 ## Manage systemd unit dirs and the files in them
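Review bot: The summary of the new init_getattr_all_unit_files() says only "Get the attributes", but the body also lists unit directories and reads their symlinks (`list_dirs_pattern`, `read_lnk_files_pattern`), which is the same set the context shows for init_list_all_units() plus `getattr_files_pattern`. Say so in the summary so callers know what they gain, e.g. `## List systemd unit directories, read their symlinks and get the attributes of the unit files in them.`, and consider naming init_list_all_units() as the narrower alternative.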

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 63fef177b..e3af88033 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -536,10 +536,11 @@ init_rename_runtime_files(systemd_generator_t)
 init_search_runtime(systemd_generator_t)
 init_setattr_runtime_files(systemd_generator_t)
 init_write_runtime_files(systemd_generator_t)
-init_list_all_units(systemd_generator_t)
 init_read_generic_units_files(systemd_generator_t)
 init_read_generic_units_symlinks(systemd_generator_t)
 init_read_script_files(systemd_generator_t)
+init_getattr_all_unit_files(systemd_generator_t)
+init_getattr_all_script_files(systemd_generator_t)
 
 kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
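Review bot: The hunk swaps `init_list_all_units` for `init_getattr_all_unit_files` and adds `init_getattr_all_script_files(systemd_generator_t)`, but the latter interface is not defined in this commit; presumably it already exists in init.if, which is worth confirming because a missing interface only surfaces at policy build time. A comment tying the two new lines to the systemd-sysv-generator denials in the commit message, e.g. `# systemd-sysv-generator stats unit and init script files`, would explain why getattr on all units and scripts is needed beyond the generic-units interfaces already granted above.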



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/

commit: 2742ffe56eb2a1943c6ddbbd47071a6fa5437875
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:40 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:44 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2742ffe5

selinuxutil: setfiles updates

type=PROCTITLE msg=audit(21/02/24 22:31:50.044:122) : proctitle=restorecon 
-vRn -T0 /
type=SYSCALL msg=audit(21/02/24 22:31:50.044:122) : arch=x86_64 
syscall=sched_getaffinity success=yes exit=8 a0=0x0 a1=0x1000 a2=0x7fc235649bf0 
a3=0x0 items=0 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root 
suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 
comm=restorecon exe=/usr/sbin/setfiles 
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:31:50.044:122) : avc:  denied  { getsched } 
for  pid=13398 comm=restorecon 
scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process 
permissive=1

type=PROCTITLE msg=audit(21/02/24 22:31:55.040:123) : proctitle=restorecon 
-vRn -T0 /
type=PATH msg=audit(21/02/24 22:31:55.040:123) : item=0 
name=/sys/fs/cgroup/user.slice/user-0.slice/user  0.service/memory.pressure 
inode=2455 dev=00:1b mode=file,644 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:memory_pressure_t:s0 nametype=NORMAL cap_fp=none 
cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:31:55.040:123) : 
cwd=/root/workspace/selinux/refpolicy/refpolicy
type=SYSCALL msg=audit(21/02/24 22:31:55.040:123) : arch=x86_64 
syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557264466530 
a2=0x7fc2004cacc0 a3=0x100 items=1 ppid=1103 pid=13398 auid=root uid=root 
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 
ses=1 comm=restorecon exe=/usr/sbin/setfiles 
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:31:55.040:123) : avc:  denied  { getattr } 
for  pid=13398 comm=restorecon path=/sys/fs/cgroup/user.slice/user-0.slice/user 
 0.service/memory.pressure dev="cgroup2" ino=2455 
scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:memory_pressure_t:s0 tclass=file permissive=1

type=PROCTITLE msg=audit(21/02/24 22:32:15.512:126) : proctitle=restorecon 
-vRFn -T0 /usr/
type=PATH msg=audit(21/02/24 22:32:15.512:126) : item=0 
name=/proc/sys/vm/overcommit_memory inode=41106 dev=00:16 mode=file,644 
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_overcommit_t:s0 
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:32:15.512:126) : 
cwd=/root/workspace/selinux/refpolicy/refpolicy
type=SYSCALL msg=audit(21/02/24 22:32:15.512:126) : arch=x86_64 
syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7f59f7316810 
a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1103 pid=13491 auid=root uid=root 
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 
ses=1 comm=restorecon exe=/usr/sbin/setfiles 
subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc:  denied  { open } for  
pid=13491 comm=restorecon path=/proc/sys/vm/overcommit_memory dev="proc" 
ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1
type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc:  denied  { read } for  
pid=13491 comm=restorecon name=overcommit_memory dev="proc" ino=41106 
scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if  | 18 ++
 policy/modules/system/selinuxutil.te |  3 +++
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index e529b187f..08ad5503d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1271,6 +1271,24 @@ interface(`fs_cgroup_filetrans_memory_pressure',`
fs_cgroup_filetrans($1, memory_pressure_t, $2, $3)
 ')
 
+
+## 
+## Get the attributes of cgroup's memory.pressure files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_getattr_memory_pressure',`
+   gen_require(`
+   type memory_pressure_t;
+   ')
+
+   allow $1 memory_pressure_t:file getattr;
+')
+
 
 ## 
 ##  Allow managing a cgroup's memory.pressure file to get notifications

diff --git a/policy/modul

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2024-03-01 Thread Kenton Groombridge
commit: a1f8db5c896e3aef75922cf3ff53ccd53e00f79f
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:43 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:48 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a1f8db5c

fs: mark memory pressure type as file

Associate the type memory_pressure_t with the attribute file_type, so
all attribute based rules apply, e.g. for unconfined_t.

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 7ffac9812..f21fc71e9 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -100,6 +100,7 @@ genfscon cgroup2 / 
gen_context(system_u:object_r:cgroup_t,s0)
 # the rest of the cgroup tree.
 type memory_pressure_t;
 typeattribute memory_pressure_t cgroup_types;
+files_type(memory_pressure_t)
 dev_associate_sysfs(memory_pressure_t)
 
 type configfs_t;
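Review bot: The added `files_type(memory_pressure_t)` reaches further than the unconfined_t case named in the message: every attribute-based rule on file_type, including the manage and relabel variants handed to backup and admin domains, now also covers memory.pressure, and writes to that file are interpreted by the kernel rather than stored, so the write side of those attribute rules is the part to think about. If broad read and getattr access is the goal, explicit rules in the few domains that need write would keep that permission off the attribute path. A comment on the line stating the intended audience would help later readers, e.g. `# file_type so generic file_type rules (e.g. unconfined_t) reach memory.pressure`.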



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2024-03-01 Thread Kenton Groombridge
commit: b093761cac708c6320ea8588f089cb98fd974a24
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:44 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:50 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b093761c

systemd: binfmt updates

type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : 
proctitle=/usr/lib/systemd/systemd-binfmt
type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 
syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 
items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset 
comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt 
subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc:  denied  { getattr } 
for  pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 
scontext=system_u:system_r:systemd_binfmt_t:s0 
tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1

type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : 
proctitle=/usr/lib/systemd/systemd-binfmt
type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 
inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none 
cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/
type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 
syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 
items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset 
comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt 
subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc:  denied  { write } for  
pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 
scontext=system_u:system_r:systemd_binfmt_t:s0 
tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if | 37 +
 policy/modules/system/systemd.te|  6 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 08ad5503d..ae022b6c0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -602,6 +602,24 @@ interface(`fs_manage_autofs_symlinks',`
manage_lnk_files_pattern($1, autofs_t, autofs_t)
 ')
 
+
+## 
+## Get the attributes of binfmt_misc filesystems.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_getattr_binfmt_misc_fs',`
+   gen_require(`
+   type binfmt_misc_fs_t;
+   ')
+
+   allow $1 binfmt_misc_fs_t:filesystem getattr;
+')
+
 
 ## 
 ## Get the attributes of directories on
@@ -622,6 +640,25 @@ interface(`fs_getattr_binfmt_misc_dirs',`
 
 ')
 
+
+## 
+## Check for permissions using access(2) of directories on
+## binfmt_misc filesystems.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_check_write_binfmt_misc_dirs',`
+   gen_require(`
+   type binfmt_misc_fs_t;
+   ')
+
+   allow $1 binfmt_misc_fs_t:dir { getattr write };
+')
+
 
 ## 
 ## Register an interpreter for new binary
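Review bot: fs_check_write_binfmt_misc_dirs grants `dir { getattr write }` on binfmt_misc_fs_t, but its description only mentions an access(2) check, so a reader cannot tell why a real write permission is handed out. The trace in the message shows access(W_OK) on the binfmt_misc root, which SELinux evaluates as a dir write check, so write is what satisfies the probe; since add_name and remove_name are not granted, the caller still cannot add or remove entries. Suggest saying so in the interface description, e.g. `## Grants dir write without add_name/remove_name, so the access(2) probe succeeds but entries cannot be created or removed.`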

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6d07466e6..63fef177b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -401,6 +401,7 @@ fs_search_cgroup_dirs(systemd_backlight_t)
 #
 
 kernel_read_kernel_sysctls(systemd_binfmt_t)
+kernel_getattr_proc(systemd_binfmt_t)
 
 systemd_log_parse_environment(systemd_binfmt_t)
 
@@ -409,6 +410,11 @@ files_read_etc_files(systemd_binfmt_t)
 
 fs_register_binary_executable_type(systemd_binfmt_t)
 
+fs_getattr_binfmt_misc_fs(systemd_binfmt_t)
+fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
+
+fs_getattr_cgroup(systemd_binfmt_t)
+fs_search_cgroup_dirs(systemd_binfmt_t)
 
 ##
 #
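Review bot: The added `fs_getattr_cgroup(systemd_binfmt_t)`, `fs_search_cgroup_dirs(systemd_binfmt_t)` and, in the previous hunk, `kernel_getattr_proc(systemd_binfmt_t)` are not backed by any denial in the commit message, which only shows the binfmt_misc filesystem getattr and dir write. Either the corresponding AVC records belong in the message or the lines need a comment giving the reason (presumably generic startup probing by the systemd code, to be confirmed), otherwise the next audit of this domain cannot tell whether they are still needed. The systemd_binfmt_t policy block continues outside the hunk.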



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-03-01 Thread Kenton Groombridge
commit: 6d1c3e8b33d3134dbe1767539363491a5f1600ea
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:33 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:43 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6d1c3e8b

virt: label qemu configuration directory

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/virt.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index ab5d0885d..9c209d8f0 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -9,6 +9,8 @@ HOME_DIR/VirtualMachines/isos(/.*)? 
gen_context(system_u:object_r:virt_content_t
 /etc/libvirt/[^/]* -d  gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
+/etc/qemu(/.*)?gen_context(system_u:object_r:virt_etc_t,s0)
+
 /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)  --  
gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 
 /etc/xen   -d  gen_context(system_u:object_r:virt_etc_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2024-03-01 Thread Kenton Groombridge
commit: 103deadfb6e257799ebf9026cae8a409e0c5a353
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:41 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:46 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=103deadf

selinuxutil: ignore getattr proc in newrole

type=PROCTITLE msg=audit(02/21/24 22:42:44.555:112) : proctitle=newrole -r 
sysadm_r
type=SYSCALL msg=audit(02/21/24 22:42:44.555:112) : arch=x86_64 
syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffc75fe1990 a2=0x0 a3=0x0 
items=0 ppid=946 pid=1001 auid=root uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=newrole 
exe=/usr/bin/newrole subj=root:staff_r:newrole_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/21/24 22:42:44.555:112) : avc:  denied  { getattr } 
for  pid=1001 comm=newrole name=/ dev=proc ino=1 
scontext=root:staff_r:newrole_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/selinuxutil.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index b1213aa76..4d8624c6b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -251,6 +251,7 @@ read_lnk_files_pattern(newrole_t, default_context_t, 
default_context_t)
 
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctls(newrole_t)
+kernel_dontaudit_getattr_proc(newrole_t)
 
 corecmd_list_bin(newrole_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: /

2024-03-01 Thread Kenton Groombridge
commit: d4a01ab0b955623422eade1f35368a2ee3983db9
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 16:41:28 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:41 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4a01ab0

Makefile: use sepolgen-ifgen-attr-helper from test toolchain

When building with a non default toolchain by setting the environment
variable TEST_TOOLCHAIN also use the sepolgen-ifgen helper binary
sepolgen-ifgen-attr-helper from this toolchain.

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 Makefile | 4 
 1 file changed, 4 insertions(+)

diff --git a/Makefile b/Makefile
index 3f1d30605..82df20454 100644
--- a/Makefile
+++ b/Makefile
@@ -62,7 +62,11 @@ SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
 SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
 SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
 LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+ifdef TEST_TOOLCHAIN
+SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen --attr-helper 
$(TEST_TOOLCHAIN)$(BINDIR)/sepolgen-ifgen-attr-helper
+else
 SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
+endif
 SETFILES ?= $(tc_sbindir)/setfiles
 SEFCONTEXT_COMPILE ?= $(tc_usrsbindir)/sefcontext_compile
 XMLLINT ?= $(BINDIR)/xmllint
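Review bot: In the TEST_TOOLCHAIN branch the helper path is composed from `$(TEST_TOOLCHAIN)$(BINDIR)` while sepolgen-ifgen itself comes from `$(tc_usrbindir)`; unless tc_usrbindir is defined as exactly that prefix (its definition is outside the hunk), the two programs can be taken from different trees. Composing both from the same variable, `SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen --attr-helper $(tc_usrbindir)/sepolgen-ifgen-attr-helper`, keeps them in step. Because the assignment is `?=`, an externally set SEPOLGEN_IFGEN also drops the --attr-helper argument, which is fine but worth a one-line comment above the ifdef.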



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2024-03-01 Thread Kenton Groombridge
commit: 35167ff4b12c7285fcfed384d4a3bac2ca6eed85
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 16:27:36 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:35 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35167ff4

Support multi-line interface calls

Support splitting the call of an interface over multiple lines, e.g. for
interfaces with a long list as argument:

term_control_unallocated_ttys(udev_t, {
ioctl_kdgkbtype
ioctl_kdgetmode
ioctl_pio_unimap
ioctl_pio_unimapclr
ioctl_kdfontop
ioctl_tcgets
})

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/support/loadable_module.spt | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/policy/support/loadable_module.spt 
b/policy/support/loadable_module.spt
index 1f6163054..93e793961 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -53,6 +53,11 @@ define(`policy_m4_comment',`
 # $2 depth: $1
 ')dnl
 
+define(NL,`
+')dnl
+
+define(`chomp', `translit(`$1',NL,` ')')dnl
+
 ##
 #
 # In the future interfaces should be in loadable modules
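Review bot: `define(NL,` on the first added line defines a two-letter macro in the global m4 namespace with an unquoted name, unlike every other define in this file, which quotes the name (`` `chomp' ``, `` `policy_m4_comment' ``); from that point any bare token `NL` in the policy sources expands to a newline. `chomp` has the same exposure, though it is a less likely identifier. Quoting the name and giving it the file's prefix, e.g. `` define(`policy_nl',` `` and `` define(`policy_chomp', ...) ``, follows the local convention and lowers the collision risk; note also that translit only maps the newline, so tabs inside a multi-line call survive into the generated comment, which is harmless but worth stating in a comment.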
@@ -63,10 +68,10 @@ define(`template',` dnl
ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original 
definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
`define(`$1',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
-   policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+   policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl
$2 dnl
popdef(`policy_call_depth') dnl
-   policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+   policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl
'')
 ')
 
@@ -80,10 +85,10 @@ define(`interface',` dnl
ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original 
definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl
`define(`$1',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
-   policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl
+   policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl
$2 dnl
popdef(`policy_call_depth') dnl
-   policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl
+   policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl
'')
 ')
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: /

2024-03-01 Thread Kenton Groombridge
commit: 2dce7975e36e015abbe53d9749d5db5344d79d34
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 16:38:21 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:39 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2dce7975

Rules.modular: use temporary file to not ignore error

Save the result of the m4 command into a temporary file and split the
commands, to avoid ignoring failures of the first command.

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 Rules.modular | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Rules.modular b/Rules.modular
index f7ee2c11f..c731ea01d 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -119,8 +119,8 @@ $(tmpdir)/seusers: $(seusers)
 
 $(users_extra): $(m4support) $(user_files)
@test -d $(tmpdir) || mkdir -p $(tmpdir)
-   $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
-   $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
+   $(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $(tmpdir)/$(@F).tmp
+   $(verbose) $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' 
$(tmpdir)/$(@F).tmp > $@
 
 
 #
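Review bot: The intermediate `$(tmpdir)/$(@F).tmp` written by the first added line is never removed, so a copy of the m4 output stays in tmpdir after every build. Either append `$(verbose) $(RM) $(tmpdir)/$(@F).tmp` after the sed line or declare the file as an intermediate target so make cleans it up; if `clean` already wipes tmpdir this is only tidiness, but it should be confirmed. Splitting the pipeline is the right fix, since `pipefail` is not available in a portable sh recipe.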



[gentoo-commits] proj/hardened-refpolicy:master commit in: support/, policy/support/

2024-03-01 Thread Kenton Groombridge
commit: 85d57ceba1e3c39f6fac27a32b39fb6539166552
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 16:22:50 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:34 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=85d57ceb

fix misc typos

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/support/loadable_module.spt | 2 +-
 policy/support/mls_mcs_macros.spt  | 2 +-
 support/genhomedircon.py   | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/support/loadable_module.spt 
b/policy/support/loadable_module.spt
index 606ee80d0..1f6163054 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -47,7 +47,7 @@ define(`gen_require',`
')
 ')
 
-# helper function, since m4 wont expand macros
+# helper function, since m4 will not expand macros
 # if a line is a comment (#):
 define(`policy_m4_comment',`
 # $2 depth: $1

diff --git a/policy/support/mls_mcs_macros.spt 
b/policy/support/mls_mcs_macros.spt
index 7593e20d0..7d1293301 100644
--- a/policy/support/mls_mcs_macros.spt
+++ b/policy/support/mls_mcs_macros.spt
@@ -15,7 +15,7 @@ define(`gen_cats',`decl_cats(0,decr($1))')
 #
 # gen_sens(N)
 #
-# declares sensitivites s0 to s(N-1) with dominance
+# declares sensitivities s0 to s(N-1) with dominance
 # in increasing numeric order with s0 lowest, s(N-1) highest
 #
 define(`decl_sens',`dnl

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index d5177ee4a..b865a07c8 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -51,7 +51,7 @@ def getStartingUID():
rc=getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
if rc[0] == 0:
uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
-   #stip any comment from the end of the line
+   #strip any comment from the end of the line
uid_min = uid_min.split("#")[0]
uid_min = uid_min.strip()
if int(uid_min) < starting_uid:
@@ -59,7 +59,7 @@ def getStartingUID():
rc=getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
if rc[0] == 0:
lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
-   #stip any comment from the end of the line
+   #strip any comment from the end of the line
lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
lu_uidnumber = lu_uidnumber.split("#")[0]
lu_uidnumber = lu_uidnumber.strip()



[gentoo-commits] proj/hardened-refpolicy:master commit in: /

2024-03-01 Thread Kenton Groombridge
commit: 70c06276d352e4513bd68ca085b07e5e2d8e6205
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 16:32:50 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:38 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70c06276

Rules.monolithic: pre-compile fcontexts on install

On install pre-compile the file contexts.

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 Makefile | 1 +
 Rules.monolithic | 6 ++
 2 files changed, 7 insertions(+)

diff --git a/Makefile b/Makefile
index b93e133be..3f1d30605 100644
--- a/Makefile
+++ b/Makefile
@@ -64,6 +64,7 @@ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
 LOADPOLICY ?= $(tc_usrsbindir)/load_policy
 SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
 SETFILES ?= $(tc_sbindir)/setfiles
+SEFCONTEXT_COMPILE ?= $(tc_usrsbindir)/sefcontext_compile
 XMLLINT ?= $(BINDIR)/xmllint
 SECHECK ?= $(BINDIR)/sechecker
 

diff --git a/Rules.monolithic b/Rules.monolithic
index d6d0e6f28..d6e20a371 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -232,6 +232,12 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users
$(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath)
$(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath)
$(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME)
+   $(verbose) if $(SEFCONTEXT_COMPILE) -i > /dev/null 2>&1 ; then \
+   $(SEFCONTEXT_COMPILE) $(fcpath) ;\
+   $(SEFCONTEXT_COMPILE) $(fcpath).homedirs ;\
+   else \
+   echo "$@ Pre-compiled file context not generated!  Please 
install the sefcontext_compile tool (commonly part of libselinux-utils)." ;\
+   fi
 
 
 #
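Review bot: The presence test `if $(SEFCONTEXT_COMPILE) -i > /dev/null 2>&1` runs the tool with no input file; if the installed sefcontext_compile treats a missing input as a usage error and exits non-zero (which its option handling suggests, to be confirmed against the version in use), the else branch runs on every install even when the tool is present and the compiled .bin files are silently never produced. A test that does not depend on the exit status of an invalid invocation, `if command -v $(SEFCONTEXT_COMPILE) > /dev/null 2>&1 ; then \`, is more robust. The else branch only echoes and does not fail the install, which is reasonable for an optional step but should be stated in a comment so nobody later mistakes it for an error path.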



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/

2024-03-01 Thread Kenton Groombridge
commit: 28556c70623efdadf8cb93fd004bd8385638be65
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 16:28:11 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:37 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=28556c70

policy_capabilities: remove estimated from released versions

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/policy_capabilities | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/policy_capabilities b/policy/policy_capabilities
index b800997f3..c6b84d8c7 100644
--- a/policy/policy_capabilities
+++ b/policy/policy_capabilities
@@ -108,7 +108,7 @@ policycap nnp_nosuid_transition;
 #policycap genfs_seclabel_symlinks;
 
 # Always allow FIOCLEX and FIONCLEX ioctl.
-# Requires libsepol 3.4 (estimated) and kernel 5.18 (estimated).
+# Requires libsepol 3.4 and kernel 5.18.
 #
 # Removed checks:
 # common file/socket: ioctl { 0x5450 0x5451 }



[gentoo-commits] proj/hardened-refpolicy:master commit in: support/

2024-03-01 Thread Kenton Groombridge
commit: 83d40084db8ceeaa3225e915ea8d8e9ebfbe878e
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 16:12:56 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:33 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83d40084

support/genhomedircon: support usr prefixed paths

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 support/genhomedircon.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index 2721bd7df..d5177ee4a 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -43,7 +43,7 @@
 import sys, pwd, getopt, re, os
 from subprocess import getstatusoutput
 
-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
+EXCLUDE_LOGINS=["/sbin/nologin", "/usr/sbin/nologin", "/bin/false", 
"/usr/bin/false"]
 
 
 def getStartingUID():
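Review bot: EXCLUDE_LOGINS is matched literally (the comparison site is outside the hunk), so the four spellings cover the merged-/usr layout but still miss other locations of the same shells, for example `/usr/bin/nologin` on distributions that merge sbin into bin. Resolving the login shell with `os.path.realpath` before comparing, or matching on `os.path.basename` against `nologin` and `false`, would make the exclusion independent of the install layout; `os` is already imported on the first line of the hunk.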



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/

2024-03-01 Thread Kenton Groombridge
commit: 9002ef977497033f6d26368ceaa12fbd154ce38d
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 16:12:36 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:31 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9002ef97

access_vectors: define io_uring { cmd }

Added in Linux 6.0.

Link: 
https://github.com/SELinuxProject/selinux-kernel/commit/f4d653dcaa4e4056e1630423e6a8ece4869b544f
Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/flask/access_vectors | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index a22b11a7e..b260f9d24 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -1071,6 +1071,7 @@ class io_uring
 {
override_creds
sqpoll
+   cmd
 }
 
 class user_namespace
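Review bot: Adding `cmd` to the io_uring class only makes the name known to the policy compiler; nothing in this commit grants it and no interface wraps it, so a domain that issues the operation covered by the linked kernel commit is still denied until a matching interface or domain rule is added. A short comment beside the entry, `# Linux 6.0`, would carry the kernel-version note from the message into the file, where later readers look for it.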



[gentoo-commits] repo/gentoo:master commit in: sys-cluster/flux/

2024-02-10 Thread Kenton Groombridge
commit: 5e7b5b149e0db8406696740901766086e4a69f3a
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Sat Feb 10 18:21:01 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Sat Feb 10 18:21:26 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e7b5b14

sys-cluster/flux: add 2.2.3, drop 2.0.1

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-cluster/flux/Manifest |  6 +++---
 sys-cluster/flux/{flux-2.0.1.ebuild => flux-2.2.3.ebuild} | 12 
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/sys-cluster/flux/Manifest b/sys-cluster/flux/Manifest
index 3271ef37fc3f..f92efbbbc1e1 100644
--- a/sys-cluster/flux/Manifest
+++ b/sys-cluster/flux/Manifest
@@ -1,9 +1,9 @@
 DIST flux-0.41.2.tar.gz 395636 BLAKE2B 
2d1732729709d0f753ff62aa5b5563b9d42f3cde42a98b5356607b640715e30afa9ebdfdb9c71281eff9188c91ea6e6b082ddc2198e4d790a76aaeb155b8ef2f
 SHA512 
c68ad402c99b61ca9ef737749417b48dc4e852544d76311c11d94bff42c2e081a8e11e72e438cb9e1834ec7d48e69a30473aa6ab1d68c2684dde5c2b817000a2
-DIST flux-2.0.1.tar.gz 326362 BLAKE2B 
f42bff5dcbd5960ba8d57f0d65a4c38e597bb6e1beb57bc38f5055c316f121ed07bb38275db6262eb1c0b3bedafd47ec9284cc05ab84f0c6e7aebc7e8458560d
 SHA512 
01c25c2c38c9612ffd280ede66eb01a2d4fced2ae9b4e36053afcb7742cde1aaa909d6ba983a7d60618a66b4e2f3153089bd71b2b8e1d6a0a45737bdef60d1e1
 DIST flux-2.2.2.tar.gz 384815 BLAKE2B 
c79fee58360a5ad988c2bb58ee6ec32245ca685a14d4fa63e7c8c06b7d79d374bf0c22bf1ffe33b16085fb4532ec35503514e91b427aa067a2495e76ec61e9ad
 SHA512 
d4b23ff189261d32f02682b3f57a5a81cb5faec87a8bd5a6cda7c044233761932e9f593c8019d1443fd1c63fb2585ffe6ee28084bf685802b163f36f5a2544a9
+DIST flux-2.2.3.tar.gz 388802 BLAKE2B 
61bdea26e76f330fc5fc2007958551b2ee5127e66eafe9a5fd0b6b4082a9942ca1884c761d3367bb7d5e8ac9868ce6e2a05fbaf02ca82422747c46691318ca29
 SHA512 
5f263cb64b164967b5f66ed150384ab518783304d46e641cda048704a9cc91e011299d007e3734c18b71b660e694609a5ab16e9699ac55901d205fead4a86840
 DIST flux2-0.41.2-deps.tar.xz 166945460 BLAKE2B 
292ac5a66237916f1eeb8460f38f803fbe6bfec7cc6ee09512c0893928478049dbf8d482a897e7f4d5bed537f3cae3d73019d6c793764d1b15dc984724bc4ec7
 SHA512 
da36b3d78066cad548492d368df2b0d31c25a72f4fe4e5791b0c4315d5ed2625da5318b4a010395a587c072a07d23c6d6e7ff3c43bbf201dcd7d45a85dc24297
 DIST flux2-0.41.2-manifests.tar.xz 22904 BLAKE2B 
e23150ff1b7617f144a1250c890cb48bccbfa4547cc2d46b6d6905349c969a8505e2bc23466a469bb0eae326ec571eb5987ae5c0768b648ba6e35b1daec2b039
 SHA512 
ba58ffa05be150e32a30a492d28cdc582c9b0e7162b768a83ca8d44a4a08fca195700f8c124cc39cf85a0c62dfbe380304c0d203d0f05619a1b65284d22278de
-DIST flux2-2.0.1-deps.tar.xz 177273192 BLAKE2B 
36047e5d2232bd6a4b648b78861881aa1c883de9593d0f3172e83115a62649f6369396de05cfd850143581366f8e4501d0e54a4f422515fc7165b823a9833b96
 SHA512 
18ae557760a4c298cc9f7556b460b9c02d2b5516b735881d5907bd934fd4bb83cdf4fc613b8b9a493f65accc24abbc7836a98dfde86386e5d7466efcb8ae995d
-DIST flux2-2.0.1-manifests.tar.xz 22916 BLAKE2B 
00df38e004f2abd52566e642c299522f9e5910104ee88cdc0842b63bedccb10383e17d35eb8a7495db7036641f2fb6a2fe6fe01971017c413e95ba57e73e5894
 SHA512 
db0c3f7013ffec41b657047e53cad01f19427f2e46a94d52efa2e4031482b1b8cddb857fee26ecd35ecdb11029ec0da7f6917f2343730c44338a9b2792695e93
 DIST flux2-2.2.2-deps.tar.xz 179877376 BLAKE2B 
f80135ad82f11a47ace00f3656147069ad8d7c389bbd18b6166c91d7381f06c2cf56371583e47eb2d3d9f6e292428e95c000ad4769a25ef2bdf0c2f6297b67e6
 SHA512 
5f8a82a19b2d5dde597aeaace21315a4feac4777996be18eed61422bae60e710519015ea5162a8818a12d05edfc22f47d1decea2d9a7c7a4488c2377e3b4f5d0
 DIST flux2-2.2.2-manifests.tar.xz 26788 BLAKE2B 
82a233abd4d68d20af7160d39cadef0dd48692d469892b7ebd780a12f8e81ee00ce1e5f09f90f77035b055f85378cd9ce5979bb6af5a8fbc9dd96e1f091453ce
 SHA512 
51ce6b4d2b79c40d55a3df17d0b191ac313099c0d068ee02a3abc57c05aadcc0d3d8eed06793e411d57b31e7aee601e54a2e4f87e6f88d8bb835d5d6bbddf4c3
+DIST flux2-2.2.3-deps.tar.xz 199289224 BLAKE2B 
18ee0bab84ac5c0c33b24dcaa4443fc959f351360bef0316e7b4d007f00428395a9b97c72bd7aeb37158064345de8a4e1263feff5082d67b77a5d4e3f1fe1c4e
 SHA512 
f0636d02498be0047057386929dcaf7251b448e1f3716133e63124c85aec18db5d6a7f55924243f10631f2d1404eae7658eb8ca3d49d130c100e6da6f5102598
+DIST flux2-2.2.3-manifests.tar.xz 26796 BLAKE2B 
f37e25bb07a390cb08928881798ae7e0017b4628cc794a01e2a70bb01c1ff814d2ba39b8251e6ae178af70d8946d24b2fa57df808e36445032b8b8b860f93c12
 SHA512 
28dd16464e8348fe892242dfe9579dd9c6d9cb442c2024445042e314b12210bed75cbfa7d44ec68333d75a0dab6655ff238e5f2b22953f1d88703d3a3df0b562

diff --git a/sys-cluster/flux/flux-2.0.1.ebuild 
b/sys-cluster/flux/flux-2.2.3.ebuild
similarity index 72%
rename from sys-cluster/flux/flux-2.0.1.ebuild
rename to sys-cluster/flux/flux-2.2.3.ebuild
index 3e8f5b0393f5..cad63d502521 100644
--- a/sys-cluster/flux/flux-2.0.1.ebuild
+++ b/sys-cluster/flux/flux-2.2.3.ebuild
@@ -1,14 +1,18 @@
-# Copyright 2023 Gentoo Authors
+# Copyright 2023-2024 Gentoo Authors
 # Distributed under the term

[gentoo-commits] repo/gentoo:master commit in: sys-apps/mcstrans/

2024-02-09 Thread Kenton Groombridge
commit: b83fdda18c069a6b5af720db7ebd431091fcd3da
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:38:58 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:06 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b83fdda1

sys-apps/mcstrans: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/mcstrans/mcstrans-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/mcstrans/mcstrans-3.6.ebuild 
b/sys-apps/mcstrans/mcstrans-3.6.ebuild
index bbd7a4cc0378..5e3f390c215e 100644
--- a/sys-apps/mcstrans/mcstrans-3.6.ebuild
+++ b/sys-apps/mcstrans/mcstrans-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} == * ]] ; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/selinux-python/

2024-02-09 Thread Kenton Groombridge
commit: 59fab23942e9b457fa21d57a505772bec1331bc9
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:38:32 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:03 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59fab239

sys-apps/selinux-python: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/selinux-python/selinux-python-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/selinux-python/selinux-python-3.6.ebuild 
b/sys-apps/selinux-python/selinux-python-3.6.ebuild
index 20a1fea452bf..df383d6c8c4b 100644
--- a/sys-apps/selinux-python/selinux-python-3.6.ebuild
+++ b/sys-apps/selinux-python/selinux-python-3.6.ebuild
@@ -19,7 +19,7 @@ if [[ ${PV} ==  ]] ; then
S="${WORKDIR}/${P}/${PN#selinux-}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/checkpolicy/

2024-02-09 Thread Kenton Groombridge
commit: e1703fbdbb6f9288b19541b408b55d2283abd853
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:38:09 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:00 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e1703fbd

sys-apps/checkpolicy: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/checkpolicy/checkpolicy-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/checkpolicy/checkpolicy-3.6.ebuild 
b/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
index 6d5e91d8b18a..35e87a352156 100644
--- a/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
+++ b/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} ==  ]] ; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsemanage/

2024-02-09 Thread Kenton Groombridge
commit: e70aa9e9c0de8663fecbd59c4e26a0d17a41050d
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:37:56 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:59 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e70aa9e9

sys-libs/libsemanage: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libsemanage/libsemanage-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-libs/libsemanage/libsemanage-3.6.ebuild 
b/sys-libs/libsemanage/libsemanage-3.6.ebuild
index eb127413897f..94a270075a5b 100644
--- a/sys-libs/libsemanage/libsemanage-3.6.ebuild
+++ b/sys-libs/libsemanage/libsemanage-3.6.ebuild
@@ -18,7 +18,7 @@ if [[ ${PV} ==  ]]; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/policycoreutils/

2024-02-09 Thread Kenton Groombridge
commit: c4719a957590a9b209422d93c8136075c2781af7
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:38:21 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:02 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4719a95

sys-apps/policycoreutils: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/policycoreutils/policycoreutils-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/policycoreutils/policycoreutils-3.6.ebuild 
b/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
index b8625ff49cd8..e2527faa689b 100644
--- a/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
+++ b/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
@@ -24,7 +24,7 @@ if [[ ${PV} ==  ]]; then
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz

https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2;
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips x86"
S1="${WORKDIR}/${MY_P}"
S2="${WORKDIR}/policycoreutils-extra"
S="${S1}"



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsepol/

2024-02-09 Thread Kenton Groombridge
commit: d395971abc52629d21910ddcb45d82f4737f8e78
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:37:09 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:54 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d395971a

sys-libs/libsepol: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libsepol/libsepol-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-libs/libsepol/libsepol-3.6.ebuild 
b/sys-libs/libsepol/libsepol-3.6.ebuild
index 17fe4da89451..27b0f0542d4c 100644
--- a/sys-libs/libsepol/libsepol-3.6.ebuild
+++ b/sys-libs/libsepol/libsepol-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} ==  ]]; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/restorecond/

2024-02-09 Thread Kenton Groombridge
commit: cac47e2c7efc03943afb5711686aad6e7a147bb4
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:39:11 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:08 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cac47e2c

sys-apps/restorecond: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/restorecond/restorecond-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/restorecond/restorecond-3.6.ebuild 
b/sys-apps/restorecond/restorecond-3.6.ebuild
index 794b84bc99e8..0b80f0fc989c 100644
--- a/sys-apps/restorecond/restorecond-3.6.ebuild
+++ b/sys-apps/restorecond/restorecond-3.6.ebuild
@@ -14,7 +14,7 @@ if [[ ${PV} == * ]] ; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libselinux/

2024-02-09 Thread Kenton Groombridge
commit: fbeb6d4f8a1e551dd9ab5082e48942c9b0b4affb
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:37:41 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:57 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fbeb6d4f

sys-libs/libselinux: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libselinux/libselinux-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-libs/libselinux/libselinux-3.6.ebuild 
b/sys-libs/libselinux/libselinux-3.6.ebuild
index 941b189dd857..11ce9f3236ba 100644
--- a/sys-libs/libselinux/libselinux-3.6.ebuild
+++ b/sys-libs/libselinux/libselinux-3.6.ebuild
@@ -20,7 +20,7 @@ if [[ ${PV} ==  ]]; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/semodule-utils/

2024-02-09 Thread Kenton Groombridge
commit: 1f382b0971cc90a38d2e806f8e6b6e0307b58a65
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:38:44 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:41:05 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f382b09

sys-apps/semodule-utils: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/semodule-utils/semodule-utils-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/semodule-utils/semodule-utils-3.6.ebuild 
b/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
index 621cfaf21ea4..c63a41af0b43 100644
--- a/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
+++ b/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
@@ -17,7 +17,7 @@ if [[ ${PV} == * ]] ; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
-   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   KEYWORDS="amd64 arm arm64 ~mips x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: sys-apps/secilc/

2024-02-09 Thread Kenton Groombridge
commit: 574363f5a9143cdfcf02d0c526a19ea52d89f68f
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:37:28 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:55 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=574363f5

sys-apps/secilc: stabilize 3.6 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/secilc/secilc-3.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/secilc/secilc-3.6.ebuild 
b/sys-apps/secilc/secilc-3.6.ebuild
index 5c59b25c3742..59d8d927a345 100644
--- a/sys-apps/secilc/secilc-3.6.ebuild
+++ b/sys-apps/secilc/secilc-3.6.ebuild
@@ -16,7 +16,7 @@ if [[ ${PV} ==  ]]; then
S="${WORKDIR}/${P}/${PN}"
 else

SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
-   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+   KEYWORDS="amd64 arm arm64 x86"
S="${WORKDIR}/${MY_P}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: net-voip/mumble/

2024-02-09 Thread Kenton Groombridge
commit: bec8b5cb32f5888049bc3e0b777d8acc5c2ecf52
Author: Sebastian Parborg  gmail  com>
AuthorDate: Fri Jan 26 14:05:00 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:50 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bec8b5cb

net-voip/mumble: Update live ebuild

Signed-off-by: Sebastian Parborg  gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/30788
Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/mumble/mumble-.ebuild | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net-voip/mumble/mumble-.ebuild 
b/net-voip/mumble/mumble-.ebuild
index b5a027a596c1..7aba5eb04ba7 100644
--- a/net-voip/mumble/mumble-.ebuild
+++ b/net-voip/mumble/mumble-.ebuild
@@ -16,6 +16,7 @@ if [[ "${PV}" ==  ]] ; then
# even if these components may not be compiled in
EGIT_SUBMODULES=(
'-*'
+   3rdparty/cmake-compiler-flags
3rdparty/FindPythonInterpreter
3rdparty/gsl
3rdparty/minhook
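Review bot: `3rdparty/cmake-compiler-flags` is added to a list whose visible context comment (`# even if these components may not be compiled in`, with the fuller explanation in the murmur live ebuild elsewhere on this page) justifies the entries as inputs to the bundled third-party license script; judging by its name this one looks like CMake build tooling rather than a bundled component, so a short trailing note on why it is fetched would keep the allowlist self-explaining, e.g. `3rdparty/cmake-compiler-flags  # <reason it is needed>`. Keeping `'-*'` first so that only the listed submodules are cloned is the right default for a live ebuild. The `EGIT_SUBMODULES` array and the enclosing `if` block both continue outside the hunk.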



[gentoo-commits] repo/gentoo:master commit in: net-voip/mumble/

2024-02-09 Thread Kenton Groombridge
commit: 3a0b6aea3bcc3ebf5514e0411f9e0b4349d03c5c
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:10:45 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:51 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a0b6aea

net-voip/mumble: update copyright year

Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/mumble/mumble-.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-voip/mumble/mumble-.ebuild 
b/net-voip/mumble/mumble-.ebuild
index 7aba5eb04ba7..79e98b80ec73 100644
--- a/net-voip/mumble/mumble-.ebuild
+++ b/net-voip/mumble/mumble-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7



[gentoo-commits] repo/gentoo:master commit in: app-admin/setools/

2024-02-09 Thread Kenton Groombridge
commit: c0908dc9869bcc0fcacfd37e511c22db5443044f
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Feb  9 14:36:43 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:52 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0908dc9

app-admin/setools: stabilize 4.4.4 for amd64, arm, arm64, x86

Signed-off-by: Kenton Groombridge  gentoo.org>

 app-admin/setools/setools-4.4.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app-admin/setools/setools-4.4.4.ebuild 
b/app-admin/setools/setools-4.4.4.ebuild
index ec3d11050109..d74e1d12b4bf 100644
--- a/app-admin/setools/setools-4.4.4.ebuild
+++ b/app-admin/setools/setools-4.4.4.ebuild
@@ -18,7 +18,7 @@ if [[ ${PV} ==  ]] ; then
S="${WORKDIR}/${P}"
 else

SRC_URI="https://github.com/SELinuxProject/setools/releases/download/${PV}/${P}.tar.bz2;
-   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+   KEYWORDS="amd64 arm arm64 x86"
S="${WORKDIR}/${PN}"
 fi
 



[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/

2024-02-09 Thread Kenton Groombridge
commit: 5321ea9752e70e9f151b927d4bffefad49d878cf
Author: Sebastian Parborg  gmail  com>
AuthorDate: Fri Apr 28 12:11:18 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:46 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5321ea97

net-voip/murmur: add 1.4.287-r2

The default install would not run out of the box and one needed to
change the following to get it up and running:

- Set the pidfile option to /run/murmur/murmur.pid in .ini config file

- Change logfile setting to /var/log/murmur/murmur.log in ini file

- Specify the database location to /var/lib/murmur/database.sqlite in
  the ini file. Otherwise it would complain that the database was read
  only and wouldn't start.

- Needed to add avahi-daemon to "use" in the depend section in the init.d
  script to get zeroconf functionality to work.

- Fix avahi command in initd file

Clarified and simplified the post install message as well.

Signed-off-by: Sebastian Parborg  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/murmur/murmur-1.4.287-r2.ebuild | 200 +++
 1 file changed, 200 insertions(+)

diff --git a/net-voip/murmur/murmur-1.4.287-r2.ebuild 
b/net-voip/murmur/murmur-1.4.287-r2.ebuild
new file mode 100644
index ..f439f3c88309
--- /dev/null
+++ b/net-voip/murmur/murmur-1.4.287-r2.ebuild
@@ -0,0 +1,200 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit cmake flag-o-matic systemd readme.gentoo-r1 tmpfiles
+
+DESCRIPTION="Mumble is an open source, low-latency, high quality voice chat 
software"
+HOMEPAGE="https://wiki.mumble.info;
+if [[ "${PV}" ==  ]] ; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/mumble-voip/mumble.git;
+   EGIT_SUBMODULES=( '-*' )
+else
+   MY_PN="mumble"
+   if [[ "${PV}" == *_pre* ]] ; then
+   MY_P="${MY_PN}-${PV}"
+   
SRC_URI="https://dev.gentoo.org/~concord/distfiles/${MY_P}.tar.xz;
+   S="${WORKDIR}/${MY_P}"
+   else
+   MY_PV="${PV/_/-}"
+   MY_P="${MY_PN}-${MY_PV}"
+   
SRC_URI="https://github.com/mumble-voip/mumble/releases/download/v${MY_PV}/${MY_P}.tar.gz
+   https://dl.mumble.info/${MY_P}.tar.gz;
+   S="${WORKDIR}/${MY_P}.src"
+   fi
+   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+fi
+
+SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/mumble-1.4-openssl3.patch.xz;
+SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/mumble-1.4-crypto-threads.patch.xz;
+SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/mumble-1.4-odr.patch.xz;
+
+LICENSE="BSD"
+SLOT="0"
+IUSE="+dbus grpc +ice test zeroconf"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+   acct-group/murmur
+   acct-user/murmur
+   >=dev-libs/openssl-1.0.0b:0=
+   >=dev-libs/protobuf-2.2.0:=
+   dev-qt/qtcore:5
+   dev-qt/qtnetwork:5[ssl]
+   || (
+   dev-qt/qtsql:5[sqlite]
+   dev-qt/qtsql:5[mysql]
+   )
+   dev-qt/qtxml:5
+   sys-apps/lsb-release
+   >=sys-libs/libcap-2.15
+   dbus? ( dev-qt/qtdbus:5 )
+   grpc? ( net-libs/grpc )
+   ice? ( dev-libs/Ice:= )
+   zeroconf? ( net-dns/avahi[mdnsresponder-compat] )
+"
+
+DEPEND="${RDEPEND}
+   dev-libs/boost
+   dev-qt/qttest:5
+"
+BDEPEND="
+   acct-group/murmur
+   acct-user/murmur
+   virtual/pkgconfig
+"
+
+if [[ "${PV}" == * ]] ; then
+   # Required for the mkini.sh script which calls perl multiple times
+   BDEPEND+="
+   dev-lang/perl
+   "
+fi
+
+DOC_CONTENTS="
+   Useful scripts are located in /usr/share/doc/${PF}/scripts.
+   The defualt 'SuperUser' password will be written into the log file
+   when starting murmur for the first time.
+   If you want to set it yourself, please execute:
+   su murmur -s /bin/bash -c 'mumble-server -ini /etc/murmur/murmur.ini 
-supw '
+   to set the build-in 'SuperUser' password before starting murmur.
+   Please restart dbus before starting murmur, or else dbus
+   registration will fail.
+"
+
+PATCHES=(
+   "${WORKDIR}/mumble-1.4-openssl3.patch"
+   "${WORKDIR}/mumble-1.4-crypto-threads.patch"
+   "${WORKDIR}/mumble-1.4-odr.patch"
+)
+
+src_prepare() {
+   if [[ "${PV}" == * ]] ; then
+   pushd scripts &>/dev/null || die
+   ./mkini.sh || die
+   popd &>/dev/null || die
+   fi
+
+   # Change dbus user from mumble-server to murmur
+   sed \
+   -e 's:mumbl

[gentoo-commits] repo/gentoo:master commit in: net-voip/murmur/files/, net-voip/murmur/

2024-02-09 Thread Kenton Groombridge
commit: cdf97e00d9cc8120deb8ed2e00589d56ce26adc5
Author: Sebastian Parborg  gmail  com>
AuthorDate: Wed May 31 17:49:43 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Feb  9 14:40:48 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdf97e00

net-voip/murmur: update live ebuild

Signed-off-by: Sebastian Parborg  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 net-voip/murmur/files/murmur.confd-r2 |   9 +++
 net-voip/murmur/murmur-.ebuild| 113 +++---
 2 files changed, 58 insertions(+), 64 deletions(-)

diff --git a/net-voip/murmur/files/murmur.confd-r2 
b/net-voip/murmur/files/murmur.confd-r2
new file mode 100644
index ..c8d3230b9974
--- /dev/null
+++ b/net-voip/murmur/files/murmur.confd-r2
@@ -0,0 +1,9 @@
+# where to look for the config file
+MURMUR_CONF=/etc/murmur/mumble-server.ini
+
+# run as this user
+MURMUR_USER=murmur
+
+# HOME directory of MURMUR_USER
+MURMUR_HOME=/var/lib/murmur
+
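Review bot: The new conf.d file ends with an empty line (the ninth `+` line of the hunk is blank); it is harmless to the shell that sources it, but a trailing blank line is usually stripped from files under `files/`, so dropping it keeps the file tidy. Each of the three variables carries a one-line comment, which is all the documentation this file needs.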

diff --git a/net-voip/murmur/murmur-.ebuild 
b/net-voip/murmur/murmur-.ebuild
index 767d7a494eb3..b5d57c5bea38 100644
--- a/net-voip/murmur/murmur-.ebuild
+++ b/net-voip/murmur/murmur-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -10,7 +10,20 @@ HOMEPAGE="https://wiki.mumble.info;
 if [[ "${PV}" ==  ]] ; then
inherit git-r3
EGIT_REPO_URI="https://github.com/mumble-voip/mumble.git;
-   EGIT_SUBMODULES=( '-*' 3rdparty/FindPythonInterpreter 3rdparty/gsl 
3rdparty/tracy )
+
+   # needed for the included 3rdparty license script,
+   # even if these components may not be compiled in
+   EGIT_SUBMODULES=(
+   '-*'
+   3rdparty/cmake-compiler-flags
+   3rdparty/FindPythonInterpreter
+   3rdparty/gsl
+   3rdparty/minhook
+   3rdparty/opus
+   3rdparty/rnnoise-src
+   3rdparty/speexdsp
+   3rdparty/tracy
+   )
 else
MY_PN="mumble"
if [[ "${PV}" == *_pre* ]] ; then
@@ -29,7 +42,7 @@ fi
 
 LICENSE="BSD"
 SLOT="0"
-IUSE="+dbus grpc +ice test zeroconf"
+IUSE="+ice test zeroconf"
 RESTRICT="!test? ( test )"
 
 RDEPEND="
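Review bot: The `dbus` and `grpc` USE flags are dropped from `IUSE` (`+IUSE="+ice test zeroconf"`) without a stated reason, which removes a user-selectable feature (gRPC) from the live ebuild; the later hunks in this file make `dev-qt/qtdbus:5` unconditional and delete the `dbus? ( ... )` / `grpc? ( ... )` dependencies, but whatever `src_configure` passes for those options is outside the visible hunks and should be checked to match. A one-line rationale in the commit message or a comment above `IUSE`, e.g. `# dbus is unconditional and grpc is no longer offered: <reason>`, would help the next maintainer. The `RDEPEND` block starts outside this hunk.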
@@ -38,6 +51,7 @@ RDEPEND="
>=dev-libs/openssl-1.0.0b:0=
>=dev-libs/protobuf-2.2.0:=
dev-qt/qtcore:5
+   dev-qt/qtdbus:5
dev-qt/qtnetwork:5[ssl]
|| (
dev-qt/qtsql:5[sqlite]
@@ -46,8 +60,6 @@ RDEPEND="
dev-qt/qtxml:5
sys-apps/lsb-release
>=sys-libs/libcap-2.15
-   dbus? ( dev-qt/qtdbus:5 )
-   grpc? ( net-libs/grpc )
ice? ( dev-libs/Ice:= )
zeroconf? ( net-dns/avahi[mdnsresponder-compat] )
 "
@@ -62,58 +74,43 @@ BDEPEND="
virtual/pkgconfig
 "
 
-if [[ "${PV}" == * ]] ; then
-   # Required for the mkini.sh script which calls perl multiple times
-   BDEPEND+="
-   dev-lang/perl
-   "
-fi
-
+DISABLE_AUTOFORMATTING="yes"
 DOC_CONTENTS="
-   Useful scripts are located in /usr/share/doc/${PF}/scripts.\n
-   Please execute:\n
-   murmurd -ini /etc/murmur/murmur.ini -supw \n
-   chown murmur:murmur /var/lib/murmur/murmur.sqlite\n
-   to set the build-in 'SuperUser' password before starting murmur.
-   Please restart dbus before starting murmur, or else dbus
-   registration will fail.
+The default 'SuperUser' password will be written into the log file
+when starting murmur for the first time.
+
+If you want to manually set a password yourself, please execute:
+su murmur -s /bin/bash -c 'mumble-server -ini /etc/murmur/mumble-server.ini 
-supw '
+
+This will set the built-in 'SuperUser' password to '' when starting murmur.
 "
 
 src_prepare() {
-   if [[ "${PV}" == * ]] ; then
-   pushd scripts &>/dev/null || die
-   ./mkini.sh || die
-   popd &>/dev/null || die
-   fi
-
+   # Adjust default server settings to be correct for our default setup
sed \
-   -e 's:mumble-server:murmur:g' \
-   -e 's:/var/run:/run:g' \
-   -i "${S}"/scripts/murmur.{conf,ini} || die
+   -e 's:database=:database=/var/lib/murmur/database.sqlite:' \
+   -e 
's:;logfile=mumble-server.log:logfile=/var/log/murmur/murmur.log:' \
+   -e 's:;pidfile=:pidfile=/run/murmur/murmur.pid:' \
+   -i auxiliary_files/mumble-server.ini || die
 
-   # Adjust systemd service file to our config location #689208
-   sed \
-   -e "s@/etc/${PN}\.ini@/etc/${PN}/${PN}.ini@" \
-   -e "s@

[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsepol/

2024-01-16 Thread Kenton Groombridge
commit: f9c83ecfad63b6c0c513399376b52acb319c43fb
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:26:55 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:14 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9c83ecf

sys-libs/libsepol: bump to 3.6

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libsepol/Manifest|  1 +
 sys-libs/libsepol/libsepol-3.6.ebuild | 50 +++
 2 files changed, 51 insertions(+)

diff --git a/sys-libs/libsepol/Manifest b/sys-libs/libsepol/Manifest
index cef9954d3145..aeb3b703de01 100644
--- a/sys-libs/libsepol/Manifest
+++ b/sys-libs/libsepol/Manifest
@@ -1 +1,2 @@
 DIST libsepol-3.5.tar.gz 497522 BLAKE2B 
dad2d346605be53fe41aef69e2e4bd4f1ce68a15f0b9307deb6b66bbe7bf06a9ee6be580e60d2f19aebbc8ee5041ac8a7b831b51342ba7c7089e1f1a447e7691
 SHA512 
66f45a9f4951589855961955db686b006b4c0cddead6ac49ad238a0e4a34775905bd10fb8cf0c0ff2ab64f9b7d8366b97fcd5b19c382dec39971a2835cc765c8
+DIST libsepol-3.6.tar.gz 509100 BLAKE2B 
c073c9437004df0c723125971ed26354dc6b8a78b069c593977062527342061303bcc48917fcd9623d17998748254f63408b233173f3c62e92ee0ea2f3c4a430
 SHA512 
35a42d2749fc4f71bc6b7488380714f56975564007128566f1c73e5c50bf81c17535b2cfda4583aacb4870aa2cd5885321c01523e415bda8b3326bfefb13d58e

diff --git a/sys-libs/libsepol/libsepol-3.6.ebuild 
b/sys-libs/libsepol/libsepol-3.6.ebuild
new file mode 100644
index ..17fe4da89451
--- /dev/null
+++ b/sys-libs/libsepol/libsepol-3.6.ebuild
@@ -0,0 +1,50 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit toolchain-funcs multilib-minimal
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux binary policy representation library"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} ==  ]]; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+   S="${WORKDIR}/${P}/${PN}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0/2"
+
+# tests are not meant to be run outside of the full SELinux userland repo
+RESTRICT="test"
+
+src_prepare() {
+   eapply_user
+   multilib_copy_sources
+}
+
+multilib_src_compile() {
+   tc-export CC AR RANLIB
+
+   local -x CFLAGS="${CFLAGS} -fno-semantic-interposition"
+
+   emake \
+   LIBDIR="\$(PREFIX)/$(get_libdir)" \
+   SHLIBDIR="/$(get_libdir)"
+}
+
+multilib_src_install() {
+   emake DESTDIR="${D}" \
+   LIBDIR="\$(PREFIX)/$(get_libdir)" \
+   SHLIBDIR="/$(get_libdir)" \
+   install
+}
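Review bot: `src_prepare` calls only `eapply_user`, where the EAPI 7 `default` phase does the same (it applies `PATCHES`, empty here, and then user patches) and is the conventional idiom, so `src_prepare() { default; multilib_copy_sources; }` reads more clearly and will also pick up a `PATCHES` array if one is added later. The same `eapply_user`-only pattern appears in the libsemanage-3.6 ebuild later on this page. The `# tests are not meant to be run outside of the full SELinux userland repo` comment next to `RESTRICT="test"` is a good practice worth keeping in the sibling ebuilds too.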



[gentoo-commits] repo/gentoo:master commit in: sys-apps/semodule-utils/

2024-01-16 Thread Kenton Groombridge
commit: 5e4c0876825ae97e95d3d80df48928210441bc28
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:27:57 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:25 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e4c0876

sys-apps/semodule-utils: bump to 3.6

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/semodule-utils/Manifest  |  1 +
 sys-apps/semodule-utils/semodule-utils-3.6.ebuild | 42 +++
 2 files changed, 43 insertions(+)

diff --git a/sys-apps/semodule-utils/Manifest b/sys-apps/semodule-utils/Manifest
index 725172803562..0b70f909b56e 100644
--- a/sys-apps/semodule-utils/Manifest
+++ b/sys-apps/semodule-utils/Manifest
@@ -1 +1,2 @@
 DIST semodule-utils-3.5.tar.gz 14383 BLAKE2B 
a1bb432013bca1023d99b32f43b2c972b6b807a4677f9d8c9fb9aff10225232506f3ecca86fc231b4c63d04582a91a1c4218f87ce5532a4d35a26a09665c6f10
 SHA512 
7c32f425ae71745040d1c6a6585149a1efb319913aa9d4c8bf185b0a4216dc66378fa38595b171614ee3ae4ade997d3ae56a060346e334faec55c419a87d71dd
+DIST semodule-utils-3.6.tar.gz 12844 BLAKE2B 
e5e7501c412649f471e89cc89569d6c51421e0b46f172f243ce778bbe3a2c658ef9a92e3f3e1e07fb3358e25f63e004b6bd4b56619472fbcae8cb5b916d54170
 SHA512 
16b58bbafcaef9a2e8e34a20d0e1e4024a9044024de8fa3137c5ba1b9af600afac51c15ccb648dd6bff77747c047f4c9feafeea07c19b1eb14955acc92697a48

diff --git a/sys-apps/semodule-utils/semodule-utils-3.6.ebuild 
b/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
new file mode 100644
index ..621cfaf21ea4
--- /dev/null
+++ b/sys-apps/semodule-utils/semodule-utils-3.6.ebuild
@@ -0,0 +1,42 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux policy module utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} == * ]] ; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+   S="${WORKDIR}/${P}/${PN}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+
+DEPEND=">=sys-libs/libsepol-${PV}:="
+RDEPEND="${DEPEND}"
+
+src_prepare() {
+   default
+
+   sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror"
+}
+
+src_compile() {
+   emake CC="$(tc-getCC)"
+}
+
+src_install() {
+   emake DESTDIR="${D}" install
+}
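Review bot: `src_compile` uses `emake CC="$(tc-getCC)"` while the sibling mcstrans-3.6 and restorecond-3.6 ebuilds added in this batch use `tc-export CC` followed by `default`; both forms work here, but aligning them makes the SELinux userland ebuilds easier to maintain as a set, e.g. `src_compile() { tc-export CC; default; }`. The `sed -i 's/-Werror//g' "${S}"/*/Makefile || die` line relies on the glob expanding; if upstream reshuffles directories sed receives the literal pattern and the `die` fires, which is the desired outcome, but a comment stating why `-Werror` is stripped (so that new compiler warnings do not break the build) would make the intent explicit.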



[gentoo-commits] repo/gentoo:master commit in: sys-apps/mcstrans/

2024-01-16 Thread Kenton Groombridge
commit: 7e9f8ef9196f519fb710e880b92de0184f520bf3
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:28:07 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:27 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e9f8ef9

sys-apps/mcstrans: bump to 3.6

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/mcstrans/Manifest|  1 +
 sys-apps/mcstrans/mcstrans-3.6.ebuild | 51 +++
 2 files changed, 52 insertions(+)

diff --git a/sys-apps/mcstrans/Manifest b/sys-apps/mcstrans/Manifest
index 19f5562abbf7..aafb84a12eef 100644
--- a/sys-apps/mcstrans/Manifest
+++ b/sys-apps/mcstrans/Manifest
@@ -1 +1,2 @@
 DIST mcstrans-3.5.tar.gz 45091 BLAKE2B 
c6604075a6b37d7bf10e2daee40d9f034a26c5d56b81973cbc3b39621bdf5e2cb1d5906e91942e09ff077a14facafcc2464995675d8df31930707033fac5db90
 SHA512 
f4d3b04750e197c6abd31f1642af4b53a4fe0e968952a7ade992909f903d7486c1e72733963453563fcbc9745273c8238f169f520550df1470e7f6e4d6e56665
+DIST mcstrans-3.6.tar.gz 42199 BLAKE2B 
0f1b4ed212994037b062c42887e2629ae7374e0cbbd79692588ce164440eafddc6d7ab15d58f6064d68781a5a8fd614c9cfa734c4dbe1d3fea1dbb0f8191ddc1
 SHA512 
2c01a70741675faa41e8a9243f3cf08b558e568d7ae343874ff9c269473ba2748d42e0b45871d82d6c9b01bf71547835d547683f1aa5a8cf626708c7c69569fc

diff --git a/sys-apps/mcstrans/mcstrans-3.6.ebuild 
b/sys-apps/mcstrans/mcstrans-3.6.ebuild
new file mode 100644
index ..bbd7a4cc0378
--- /dev/null
+++ b/sys-apps/mcstrans/mcstrans-3.6.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux context translation to human readable names"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} == * ]] ; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+   S="${WORKDIR}/${P}/${PN}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+
+DEPEND=">=sys-libs/libsepol-${PV}:=
+   >=sys-libs/libselinux-${PV}:=
+   dev-libs/libpcre2:=
+   >=sys-libs/libcap-1.10-r10:="
+
+RDEPEND="${DEPEND}"
+
+src_prepare() {
+   default
+
+   sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror"
+}
+
+src_compile() {
+   tc-export CC
+   default
+}
+
+src_install() {
+   emake DESTDIR="${D}" install
+
+   rm -rf "${D}/etc/rc.d" || die
+
+   newinitd "${FILESDIR}/mcstransd.init" mcstransd
+}
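Review bot: `rm -rf "${D}/etc/rc.d" || die` cannot trigger the `die` for the case it is presumably meant to catch, because `rm -rf` on a path that does not exist exits 0, so if upstream stops installing `/etc/rc.d` the line silently becomes a no-op. `rm -r "${ED}/etc/rc.d" || die` would surface that upstream change, and `${ED}` rather than `${D}` honours `EPREFIX` under EAPI 7. The same line appears in the restorecond-3.6 ebuild added in this batch.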



[gentoo-commits] repo/gentoo:master commit in: sys-apps/restorecond/

2024-01-16 Thread Kenton Groombridge
commit: c7b146ac346a4e3f09e471a439c1181204652021
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:28:16 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:28 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7b146ac

sys-apps/restorecond: bump to 3.6

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/restorecond/Manifest   |  1 +
 sys-apps/restorecond/restorecond-3.6.ebuild | 53 +
 2 files changed, 54 insertions(+)

diff --git a/sys-apps/restorecond/Manifest b/sys-apps/restorecond/Manifest
index 49a27c18e262..c48a0b0fc5a8 100644
--- a/sys-apps/restorecond/Manifest
+++ b/sys-apps/restorecond/Manifest
@@ -1 +1,2 @@
 DIST restorecond-3.5.tar.gz 19070 BLAKE2B 
6db7d0fc9085a07669d346e025836a94acca610572e986e2c90974b0bd21b55e66b57a2dafd7d42011bed5f06363b654f5431ac43530fccf7b68d3edd9d63850
 SHA512 
80cb84e62c7072a12fe57ebaafc0bcb441c853862c67f9ea35b86faa2d8e49ea22a70b9e05a3ff24e8ce08ca2999604d7961efd534f89167cd6fcb05c852de40
+DIST restorecond-3.6.tar.gz 18020 BLAKE2B 
306b4a7c9990c0b2f229cc7963dbd0481df5f9fbecd709b37d254839177fc604f6f85ac19235209f4fbb12d9186f01dd71a11f98deca5d01bd70c415240ddf5a
 SHA512 
e21fa23bfea488f2bddd01b4bab353f22863e09247078e47db9852995d7a0153aee6483cbeaaaf033b482b60f80affad0b6a3e829f935c3901c034a7efb1ebef

diff --git a/sys-apps/restorecond/restorecond-3.6.ebuild 
b/sys-apps/restorecond/restorecond-3.6.ebuild
new file mode 100644
index ..794b84bc99e8
--- /dev/null
+++ b/sys-apps/restorecond/restorecond-3.6.ebuild
@@ -0,0 +1,53 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit systemd toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+if [[ ${PV} == * ]] ; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+   S="${WORKDIR}/${P}/${PN}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   S="${WORKDIR}/${MY_P}"
+fi
+
+DESCRIPTION="Daemon to watch for creation and set default SELinux fcontexts"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+LICENSE="GPL-2"
+SLOT="0"
+
+DEPEND="dev-libs/glib:2
+   >=sys-libs/libsepol-${PV}:=
+   >=sys-libs/libselinux-${PV}:="
+
+RDEPEND="${DEPEND}"
+
+src_prepare() {
+   default
+
+   sed -i 's/-Werror//g' "${S}"/Makefile || die "Failed to remove Werror"
+}
+
+src_compile() {
+   tc-export CC
+   default
+}
+
+src_install() {
+   emake DESTDIR="${D}" \
+   SYSTEMDSYSTEMUNITDIR="$(systemd_get_systemunitdir)" \
+   SYSTEMDUSERUNITDIR=$(systemd_get_userunitdir) \
+   install
+
+   rm -rf "${D}/etc/rc.d" || die
+
+   newinitd "${FILESDIR}/restorecond.init" restorecond
+}
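Review bot: `SYSTEMDUSERUNITDIR=$(systemd_get_userunitdir)` is unquoted while the line above quotes `"$(systemd_get_systemunitdir)"`; the value is under the eclass's control so this is unlikely to break, but quoting it keeps the two lines consistent: `SYSTEMDUSERUNITDIR="$(systemd_get_userunitdir)" \`. `DESCRIPTION` and `HOMEPAGE` are set after the version-dependent block here, whereas the sibling mcstrans-3.6 and semodule-utils-3.6 ebuilds set them before it; moving them up keeps the header layout uniform across the set.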



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsemanage/

2024-01-16 Thread Kenton Groombridge
commit: 8fd6723fded6592794592e644383730f2e635845
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:27:20 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:18 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fd6723f

sys-libs/libsemanage: bump to 3.6

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libsemanage/Manifest   |   1 +
 sys-libs/libsemanage/libsemanage-3.6.ebuild | 130 
 2 files changed, 131 insertions(+)

diff --git a/sys-libs/libsemanage/Manifest b/sys-libs/libsemanage/Manifest
index f9d01749aa6b..a3f9dcc60c04 100644
--- a/sys-libs/libsemanage/Manifest
+++ b/sys-libs/libsemanage/Manifest
@@ -1,2 +1,3 @@
 DIST libsemanage-3.4.tar.gz 185177 BLAKE2B 
45276ae6f54cf3dc453bc0d99fb4d7439970bb14ff5b909ebc5511ec31bce1d2bdc477ba9c1fb4fd04ab494ccb37cd8bf47a90d81460c2974af2196d9019bf67
 SHA512 
831dc789545bb9a0b009bdb4f7fe52f6197ad8325946640f886a960d08e40b8a69eccd5a70cce51466bb5cb7f742feb78d19a9ec63383fbd03aa451508677e73
 DIST libsemanage-3.5.tar.gz 185060 BLAKE2B 
3e08b15cb6b335a2747bd5f0bd84f74abdd22a7e8ec91ebb443ca6fe3886d5e8cd2827fefdaa0e9caf2af3280cffbf593ee828fee54dd423a21b257493cc754c
 SHA512 
959fbd0d6bc6849da6caa13dc41c3f8818cbbd29f04b5d2ac7246c4b395b4f370f113a04cc9cfcb52be2afebfa636013ac4ad4011384c58c7ce066a45cae2751
+DIST libsemanage-3.6.tar.gz 182583 BLAKE2B 
3ed9ef06601093983fa41ad6ab9f7eeae241dce98937db04efca6f421afcfd3f59cf5e51d24c596ae03997a398949ed84fbdf629518e3c382a5453129b0a87ab
 SHA512 
8998b6a1b254a9673b99ae4d70a1edc769bb728a44f573cdf62e0a9c9392b77644ee2d70e1936a2f8a9a7f8b063ce98a981f4b8b7060f5b82791889330d69364

diff --git a/sys-libs/libsemanage/libsemanage-3.6.ebuild 
b/sys-libs/libsemanage/libsemanage-3.6.ebuild
new file mode 100644
index ..eb127413897f
--- /dev/null
+++ b/sys-libs/libsemanage/libsemanage-3.6.ebuild
@@ -0,0 +1,130 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{10..11} )
+
+inherit python-r1 toolchain-funcs multilib-minimal
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux kernel and policy management library"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} ==  ]]; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+   S="${WORKDIR}/${P}/${PN}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0/2"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}]
+   >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
+   >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}]
+   >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
+   ${PYTHON_DEPS}"
+DEPEND="${RDEPEND}"
+BDEPEND=">=dev-lang/swig-2.0.4-r1
+   app-alternatives/yacc
+   app-alternatives/lex
+   virtual/pkgconfig"
+
+# tests are not meant to be run outside of the
+# full SELinux userland repo
+RESTRICT="test"
+
+src_prepare() {
+   eapply_user
+
+   echo >> "${S}/src/semanage.conf"
+   echo "# Set this to true to save the linked policy." >> 
"${S}/src/semanage.conf"
+   echo "# This is normally only useful for analysis" >> 
"${S}/src/semanage.conf"
+   echo "# or debugging of policy." >> "${S}/src/semanage.conf"
+   echo "save-linked=false" >> "${S}/src/semanage.conf"
+   echo >> "${S}/src/semanage.conf"
+   echo "# Set this to 0 to disable assertion checking." >> 
"${S}/src/semanage.conf"
+   echo "# This should speed up building the kernel policy" >> 
"${S}/src/semanage.conf"
+   echo "# from policy modules, but may leave you open to" >> 
"${S}/src/semanage.conf"
+   echo "# dangerous rules which assertion checking" >> 
"${S}/src/semanage.conf"
+   echo "# would catch." >> "${S}/src/semanage.conf"
+   echo "expand-check=1" >> "${S}/src/semanage.conf"
+   echo >> "${S}/src/semanage.conf"
+   echo "# Modules in the module store can be compressed" >> 
"${S}/src/semanage.conf"
+   echo "# with bzip2.  Set this to the bzip2 blocksize" >> 
"${S}/src/semanage.conf"
+   echo "# 1-9 when compressing.  The higher the number," >> 
"${S}/src/semanage.conf"

[gentoo-commits] repo/gentoo:master commit in: sys-apps/selinux-python/

2024-01-16 Thread Kenton Groombridge
commit: e8a0328496f17ade59847bd3ddfb529c7a333e7f
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:27:48 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:23 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8a03284

sys-apps/selinux-python: bump to 3.6

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/selinux-python/Manifest  |   1 +
 sys-apps/selinux-python/selinux-python-3.6.ebuild | 114 ++
 2 files changed, 115 insertions(+)

diff --git a/sys-apps/selinux-python/Manifest b/sys-apps/selinux-python/Manifest
index 79672fd06f4c..36a775ec9d10 100644
--- a/sys-apps/selinux-python/Manifest
+++ b/sys-apps/selinux-python/Manifest
@@ -1 +1,2 @@
 DIST selinux-python-3.5.tar.gz 3604439 BLAKE2B 
5a7fcd303c337cb0f5ae0066d13c945bb5cacaba472c7b17f0496295294998fcc6d81c153720ef704b749a01590c28b48b4f471a48fc386b8f02564c3550250b
 SHA512 
2ac176a9f078f2b2721e5871ba21e92041eed54fc692fd8d809ff14327beee6de63b3084d0f1053a640b9e40bcc6461498915bb9b038a658cd772f77d80fd217
+DIST selinux-python-3.6.tar.gz 3633272 BLAKE2B 
c2b99779eda2c7698f7f68740e3136cbfa5ab471a5d154142aafd2694d8c32aa605df3609a3667c687449d3ba44e72bcc3b37c36adecba8e34fcc629b9f04de5
 SHA512 
6289f3f2a3038b2cb62f6b3b12c729a9981c34a5ee80c0830e6316e8c77f5283dffa46007f6e7dc073332b829ed9953ba54e64c986fb18c7dc40759ec0375dc9

diff --git a/sys-apps/selinux-python/selinux-python-3.6.ebuild 
b/sys-apps/selinux-python/selinux-python-3.6.ebuild
new file mode 100644
index ..20a1fea452bf
--- /dev/null
+++ b/sys-apps/selinux-python/selinux-python-3.6.ebuild
@@ -0,0 +1,114 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+PYTHON_COMPAT=( python3_{10..11} )
+PYTHON_REQ_USE="xml(+)"
+
+inherit python-r1 toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux core utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} ==  ]] ; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+   S="${WORKDIR}/${P}/${PN#selinux-}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="test"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+RDEPEND=">=sys-libs/libselinux-${PV}:=[python]
+   >=sys-libs/libsemanage-${PV}:=[python(+)]
+   >=sys-libs/libsepol-${PV}:=
+   >=app-admin/setools-4.2.0[${PYTHON_USEDEP}]
+   >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}]
+   ${PYTHON_DEPS}"
+DEPEND="${RDEPEND}"
+BDEPEND="
+   test? (
+   ${RDEPEND}
+   >=sys-apps/secilc-${PV}
+   )"
+
+src_prepare() {
+   default
+   sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror"
+
+   python_copy_sources
+}
+
+src_compile() {
+   building() {
+   emake -C "${BUILD_DIR}" \
+   CC="$(tc-getCC)" \
+   LIBDIR="\$(PREFIX)/$(get_libdir)"
+   }
+   python_foreach_impl building
+}
+
+src_test() {
+   testing() {
+   # The different subprojects have some interproject dependencies:
+   # - audit2allow depens on sepolgen
+   # - chcat depends on semanage
+   # and maybe others.
+   # Add all the modules of the individual subprojects to the
+   # PYTHONPATH, so they get actually found and used. In
+   # particular, already installed versions on the system are not
+   # used.
+   for dir in audit2allow chcat semanage sepolgen/src sepolicy ; do
+   PYTHONPATH="${BUILD_DIR}/${dir}:${PYTHONPATH}"
+   done
+   PYTHONPATH=${PYTHONPATH} \
+   emake -C "${BUILD_DIR}" \
+   test
+   }
+   python_foreach_impl testing
+}
+
+src_install() {
+   installation() {
+   emake -C "${BUILD_DIR}" \
+   DESTDIR="${D}" \
+   LIBDIR="\$(PREFIX)/$(get_libdir)" \
+   install
+   python_optimize
+   }
+   python_foreach_impl installation
+
+   # Set version-specific scripts
+   for pyscript in audit2allow sepolgen-ifgen sepolicy chcat; do
+   python_replicate_script "${ED}/usr/bin/${pyscript}"
+   done
+   for pyscript in semanage; do
+   python_replicate_s

[gentoo-commits] repo/gentoo:master commit in: sys-apps/checkpolicy/

2024-01-16 Thread Kenton Groombridge
commit: 2b30c5b2a0d1a79a5c803d745ec3ff2f50f3dafb
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:27:29 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:20 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b30c5b2

sys-apps/checkpolicy: bump to 3.6

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/checkpolicy/Manifest   |  1 +
 sys-apps/checkpolicy/checkpolicy-3.6.ebuild | 54 +
 2 files changed, 55 insertions(+)

diff --git a/sys-apps/checkpolicy/Manifest b/sys-apps/checkpolicy/Manifest
index d3279c23fc81..d8d08681182e 100644
--- a/sys-apps/checkpolicy/Manifest
+++ b/sys-apps/checkpolicy/Manifest
@@ -1 +1,2 @@
 DIST checkpolicy-3.5.tar.gz 69904 BLAKE2B 
e02ccad07534568a1bbb612330018bbe486800ea40df20ed6f9dc38c88aff7f8858782a28ba7915a58c3bb384f180eb8da7a8fe97a92bcb9baa61eec18da6cbc
 SHA512 
fcd490d865af3b4350c32c5dd9916f8406219841e1e255d8945c6dcc958535247aa27af5597a6988e19f11faea7beeabcb46e8ba2431112bb4aa5c7697bca529
+DIST checkpolicy-3.6.tar.gz 70684 BLAKE2B 
d32a8b86897bd4a08caf61a096a691c8d049fa7b5b4561f4847e0dfbb62a82fc6c3ddb5be163c7cd6163491c50513aec14e4c67842f256f48688b26178c2887a
 SHA512 
0d48fb385b4d1e66d562e40b6e794406f46d8803cc504705b26547130cb13b65fab5fdb4fc032b1c95d4f91862ff134a89fffde854c5ce466c2dd2657e416070

diff --git a/sys-apps/checkpolicy/checkpolicy-3.6.ebuild 
b/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
new file mode 100644
index ..6d5e91d8b18a
--- /dev/null
+++ b/sys-apps/checkpolicy/checkpolicy-3.6.ebuild
@@ -0,0 +1,54 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+inherit toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux policy compiler"
+HOMEPAGE="http://userspace.selinuxproject.org;
+
+if [[ ${PV} ==  ]] ; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+   S="${WORKDIR}/${P}/${PN}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="debug"
+
+DEPEND=">=sys-libs/libsepol-${PV}"
+BDEPEND="sys-devel/flex
+   sys-devel/bison"
+
+RDEPEND=">=sys-libs/libsepol-${PV}"
+
+src_compile() {
+   emake \
+   CC="$(tc-getCC)" \
+   YACC="bison -y" \
+   LIBDIR="\$(PREFIX)/$(get_libdir)"
+}
+
+src_install() {
+   default
+
+   if use debug; then
+   dobin "${S}/test/dismod"
+   dobin "${S}/test/dispol"
+   fi
+}
+
+pkg_postinst() {
+   if ! tc-is-cross-compiler; then
+   einfo "This checkpolicy can compile version `checkpolicy -V | 
cut -f 1 -d ' '` policy."
+   fi
+}
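Review bot: The libsepol dependency in DEPEND and RDEPEND (`>=sys-libs/libsepol-${PV}`) carries no slot operator, while the other ebuilds in this batch (semodule-utils, restorecond, mcstrans, libselinux) bind it as `>=sys-libs/libsepol-${PV}:=`; unless checkpolicy links libsepol statically, `:=` is what triggers a rebuild when libsepol's subslot changes, and the same applies to secilc-3.6.ebuild's `DEPEND=">=sys-libs/libsepol-${PV}"` later in this series. pkg_postinst uses backtick substitution for `checkpolicy -V | cut -f 1 -d ' '` although the rest of the ebuild uses `$(...)` (e.g. `$(tc-getCC)`), so `$(checkpolicy -V | cut -f 1 -d ' ')` would be the consistent form. HOMEPAGE points at plain `http://userspace.selinuxproject.org` whereas the sibling ebuilds use `https://github.com/SELinuxProject/selinux/wiki`.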



[gentoo-commits] repo/gentoo:master commit in: sys-apps/semodule-utils/

2024-01-16 Thread Kenton Groombridge
commit: 7b7cb4319d3d7a629e56a3e5361732f4fa6f5703
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:26:32 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:09 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b7cb431

sys-apps/semodule-utils: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/semodule-utils/semodule-utils-.ebuild | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sys-apps/semodule-utils/semodule-utils-.ebuild 
b/sys-apps/semodule-utils/semodule-utils-.ebuild
index 525188411f40..621cfaf21ea4 100644
--- a/sys-apps/semodule-utils/semodule-utils-.ebuild
+++ b/sys-apps/semodule-utils/semodule-utils-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
@@ -23,7 +23,6 @@ fi
 
 LICENSE="GPL-2"
 SLOT="0"
-IUSE=""
 
 DEPEND=">=sys-libs/libsepol-${PV}:="
 RDEPEND="${DEPEND}"



[gentoo-commits] repo/gentoo:master commit in: sys-apps/policycoreutils/

2024-01-16 Thread Kenton Groombridge
commit: 5b5ba532a660c3e09552473500f03b9c6b380f28
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:27:38 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:22 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b5ba532

sys-apps/policycoreutils: bump to 3.6

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/policycoreutils/Manifest  |   1 +
 .../policycoreutils/policycoreutils-3.6.ebuild | 168 +
 2 files changed, 169 insertions(+)

diff --git a/sys-apps/policycoreutils/Manifest 
b/sys-apps/policycoreutils/Manifest
index cfc08315c275..6983b77d03e7 100644
--- a/sys-apps/policycoreutils/Manifest
+++ b/sys-apps/policycoreutils/Manifest
@@ -1,2 +1,3 @@
 DIST policycoreutils-3.5.tar.gz 775639 BLAKE2B 
777b8564484e89385db7a184c4cad9a99aabf1fd1ac41abd5826c7e6ad29118ae9d6f0d0fd968b6ced87f2f04bc6d7cd207b67428151522915367f656fb8d3f8
 SHA512 
7978ef6b7a278c6384c9b397734d03c4932c8aefecceaa1e6a1345be27b253dbe276fdcd219ce83ad732c6ed55d53bbc3254e39bccadd67d2cd1152a14749444
+DIST policycoreutils-3.6.tar.gz 755682 BLAKE2B 
a8b180c8006989192d152651dcfa51856956780bfe1139cc1dc0162eb66ba1eef4f7d64f68a48479572b02e2e97a68c7082722a745d22a9453e8378373319e3c
 SHA512 
e1f32e6e0310b879a5aadab157b103314a61bf3b8fd59c1212d701fbf39900e3b9a0b727338988103d784a7e505355a871ba519dd91520b135a3b9dae40bf1b0
 DIST policycoreutils-extra-1.37.tar.bz2 8809 BLAKE2B 
a7f6122c2e27f54b018174e962bd7f4c14af04e09bbb5300bde6967ea7f2dc5cd03b5787919a4e7f5288bcbc6747922962b5bd3b588ab1e3a035fbff4910d8f5
 SHA512 
0a85cd7cf279256b5e1927f9dfdd89626a1c8b77b0aeb62b496e7e8d1dccbaa315e39f9308fb2df7270f0bc1c10787b19990e7365cad74b47b61e30394c8b23f

diff --git a/sys-apps/policycoreutils/policycoreutils-3.6.ebuild 
b/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
new file mode 100644
index ..b8625ff49cd8
--- /dev/null
+++ b/sys-apps/policycoreutils/policycoreutils-3.6.ebuild
@@ -0,0 +1,168 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+PYTHON_COMPAT=( python3_{10..11} )
+PYTHON_REQ_USE="xml(+)"
+
+inherit python-r1 toolchain-funcs bash-completion-r1
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+EXTRAS_VER="1.37"
+
+DESCRIPTION="SELinux core utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} ==  ]]; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+   
SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2;
+   S1="${WORKDIR}/${P}/${PN}"
+   S2="${WORKDIR}/policycoreutils-extra"
+   S="${S1}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
+   
https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2;
+   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+   S1="${WORKDIR}/${MY_P}"
+   S2="${WORKDIR}/policycoreutils-extra"
+   S="${S1}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="audit pam split-usr"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+
+DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}]
+   >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}]
+   >=sys-libs/libsepol-${PV}:=
+   sys-libs/libcap-ng:=
+   >=app-admin/setools-4.2.0[${PYTHON_USEDEP}]
+   audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )
+   pam? ( sys-libs/pam:= )
+   ${PYTHON_DEPS}"
+
+# Avoid dependency loop in the cross-compile case, bug #755173
+# (Still exists in native)
+BDEPEND="sys-devel/gettext"
+
+# pax-utils for scanelf used by rlpkg
+RDEPEND="${DEPEND}
+   app-misc/pax-utils"
+
+PDEPEND="sys-apps/semodule-utils
+   sys-apps/selinux-python"
+
+src_unpack() {
+   # Override default one because we need the SRC_URI ones even in case of 
 ebuilds
+   default
+   if [[ ${PV} ==  ]] ; then
+   git-r3_src_unpack
+   fi
+}
+
+src_prepare() {
+   S="${S1}"
+   cd "${S}" || die "Failed to switch to ${S}"
+   if [[ ${PV} !=  ]] ; then
+   # If needed for live ebuilds please use /etc/portage/patches
+   eapply 
"${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch"
+   fi
+
+   # rlpkg is more useful than fixfiles
+   sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
+   || die "fixfiles sed 1 failed"
+   sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
+   || die "fixfiles sed 2 failed"
+
+   eapply_us

[gentoo-commits] repo/gentoo:master commit in: sys-apps/secilc/

2024-01-16 Thread Kenton Groombridge
commit: fb7c91bd11413199c4d4a47e993a2454ace36912
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:27:04 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:15 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fb7c91bd

sys-apps/secilc: bump to 3.6

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/secilc/Manifest  |  1 +
 sys-apps/secilc/secilc-3.6.ebuild | 37 +
 2 files changed, 38 insertions(+)

diff --git a/sys-apps/secilc/Manifest b/sys-apps/secilc/Manifest
index 9fe706f87af0..36fef1449bdc 100644
--- a/sys-apps/secilc/Manifest
+++ b/sys-apps/secilc/Manifest
@@ -1 +1,2 @@
 DIST secilc-3.5.tar.gz 180803 BLAKE2B 
a42620318b312a5ef35565e3b40a89fd7ff44aaf73de835bc349f927193121b72c07bd2151a8a6b2cee53e2699a3ae6bb246084e18a181d334ebc082fdfdc56e
 SHA512 
eff37a981072c4b9c7c15bf4709db8797d8af5325883515f5c2fe611136b24419f6d01c797e4f131c9c08e1ba40576fcb2094b1e34325aae8351b6299bdba3dd
+DIST secilc-3.6.tar.gz 185186 BLAKE2B 
47fdc281cad69339eb23226a277df8c8086557fe3a2c7f013eef38bbfcd62584e318ce2d79552388617687b39c37e67a1328b808becbecad364253b7527d3a52
 SHA512 
91381aae1444822c7897729c1695ca221a4226dcec042b2223a55800d1247510ef2033b844d8d0627623fb15b8169a626fb0ca2efeee8090635219c4139eabf5

diff --git a/sys-apps/secilc/secilc-3.6.ebuild 
b/sys-apps/secilc/secilc-3.6.ebuild
new file mode 100644
index ..5c59b25c3742
--- /dev/null
+++ b/sys-apps/secilc/secilc-3.6.ebuild
@@ -0,0 +1,37 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+inherit toolchain-funcs
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux Common Intermediate Language (CIL) Compiler"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} ==  ]]; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+   S="${WORKDIR}/${P}/${PN}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+   S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+
+DEPEND=">=sys-libs/libsepol-${PV}"
+RDEPEND="${DEPEND}"
+BDEPEND="app-text/xmlto"
+
+# tests are not meant to be run outside of the
+# full SELinux userland repo
+RESTRICT="test"
+
+src_compile() {
+   tc-export CC
+   default
+}



[gentoo-commits] repo/gentoo:master commit in: sys-apps/restorecond/

2024-01-16 Thread Kenton Groombridge
commit: 9c1177cedb72bc536c8a0846326a983fc4b6611b
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:26:47 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:12 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c1177ce

sys-apps/restorecond: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/restorecond/restorecond-.ebuild | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sys-apps/restorecond/restorecond-.ebuild 
b/sys-apps/restorecond/restorecond-.ebuild
index a55a218edd6c..794b84bc99e8 100644
--- a/sys-apps/restorecond/restorecond-.ebuild
+++ b/sys-apps/restorecond/restorecond-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
@@ -23,7 +23,6 @@ HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
 
 LICENSE="GPL-2"
 SLOT="0"
-IUSE=""
 
 DEPEND="dev-libs/glib:2
>=sys-libs/libsepol-${PV}:=



[gentoo-commits] repo/gentoo:master commit in: sys-apps/mcstrans/

2024-01-16 Thread Kenton Groombridge
commit: 23435ef811345b7e141841a958ecc02dfbd18096
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:26:39 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:11 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23435ef8

sys-apps/mcstrans: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/mcstrans/mcstrans-.ebuild | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sys-apps/mcstrans/mcstrans-.ebuild 
b/sys-apps/mcstrans/mcstrans-.ebuild
index 5cad428935de..bbd7a4cc0378 100644
--- a/sys-apps/mcstrans/mcstrans-.ebuild
+++ b/sys-apps/mcstrans/mcstrans-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
@@ -23,7 +23,6 @@ fi
 
 LICENSE="GPL-2"
 SLOT="0"
-IUSE=""
 
 DEPEND=">=sys-libs/libsepol-${PV}:=
>=sys-libs/libselinux-${PV}:=



[gentoo-commits] repo/gentoo:master commit in: sys-apps/policycoreutils/

2024-01-16 Thread Kenton Groombridge
commit: 42432f8f58e64a9ea77dd3db8c010a2b7f8399ac
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:26:16 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:06 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42432f8f

sys-apps/policycoreutils: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/policycoreutils/policycoreutils-.ebuild | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys-apps/policycoreutils/policycoreutils-.ebuild 
b/sys-apps/policycoreutils/policycoreutils-.ebuild
index 6df44f548cc8..b8625ff49cd8 100644
--- a/sys-apps/policycoreutils/policycoreutils-.ebuild
+++ b/sys-apps/policycoreutils/policycoreutils-.ebuild
@@ -1,11 +1,11 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..11} )
 PYTHON_REQ_USE="xml(+)"
 
-inherit multilib python-r1 toolchain-funcs bash-completion-r1
+inherit python-r1 toolchain-funcs bash-completion-r1
 
 MY_PV="${PV//_/-}"
 MY_P="${PN}-${MY_PV}"



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libselinux/

2024-01-16 Thread Kenton Groombridge
commit: ad05a1d7e765f6c4e4cc3e196dbade6753eb75a8
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:27:12 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:17 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad05a1d7

sys-libs/libselinux: bump to 3.6

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libselinux/Manifest  |   1 +
 sys-libs/libselinux/libselinux-3.6.ebuild | 158 ++
 2 files changed, 159 insertions(+)

diff --git a/sys-libs/libselinux/Manifest b/sys-libs/libselinux/Manifest
index c6efbb8e1ed0..3dedaef745f7 100644
--- a/sys-libs/libselinux/Manifest
+++ b/sys-libs/libselinux/Manifest
@@ -1 +1,2 @@
 DIST libselinux-3.5.tar.gz 211453 BLAKE2B 
f7f3067c4bb0448e18bd7085135f11d94ae99728949480a655c0f660486817beb5829d8a43dff7bce286ccd50705b0c657bde85970f01c794e01fb707f469d8b
 SHA512 
4e13261a5821018a5f3cdce676f180bb62e5bc225981ca8a498ece0d1c88d9ba8eaa0ce4099dd0849309a8a7c5a9a0953df841a9922f2c284e5a109e5d937ba7
+DIST libselinux-3.6.tar.gz 194210 BLAKE2B 
615198d47ecfb4b6274810cbe32cce5953dd44d1d04e8ce244213dc4ddbd61cde3515f4650046b805cf98f341aba718af8d7a9e1d66773172031ac19599f6032
 SHA512 
182dcdf3510083ff4b9376a4a6d6a7b33905ac3c5e974c188bf3965686c54b663162c543ecf15eab75102f3c91a2502d33d0f1104dec01dd9b14737ef3f2b544

diff --git a/sys-libs/libselinux/libselinux-3.6.ebuild 
b/sys-libs/libselinux/libselinux-3.6.ebuild
new file mode 100644
index ..941b189dd857
--- /dev/null
+++ b/sys-libs/libselinux/libselinux-3.6.ebuild
@@ -0,0 +1,158 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+PYTHON_COMPAT=( python3_{10..12} )
+USE_RUBY="ruby31 ruby32 ruby33"
+
+# No, I am not calling ruby-ng
+inherit python-r1 toolchain-funcs multilib-minimal
+
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux userland library"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki;
+
+if [[ ${PV} ==  ]]; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git;
+   S="${WORKDIR}/${P}/${PN}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz;
+   KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
+   S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="public-domain"
+SLOT="0"
+IUSE="python ruby static-libs ruby_targets_ruby31 ruby_targets_ruby32 
ruby_targets_ruby33"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+RDEPEND="dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}]
+   >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
+   python? ( ${PYTHON_DEPS} )
+   ruby? (
+   ruby_targets_ruby31? ( dev-lang/ruby:3.1 )
+   ruby_targets_ruby32? ( dev-lang/ruby:3.2 )
+   ruby_targets_ruby33? ( dev-lang/ruby:3.3 )
+   )
+   elibc_musl? ( sys-libs/fts-standalone )"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig
+   python? (
+   >=dev-lang/swig-2.0.9
+   dev-python/pip[${PYTHON_USEDEP}]
+)
+   ruby? ( >=dev-lang/swig-2.0.9 )"
+
+src_prepare() {
+   eapply_user
+
+   multilib_copy_sources
+}
+
+multilib_src_compile() {
+   tc-export AR CC PKG_CONFIG RANLIB
+
+   local -x CFLAGS="${CFLAGS} -fno-semantic-interposition"
+
+   emake \
+   LIBDIR="\$(PREFIX)/$(get_libdir)" \
+   SHLIBDIR="/$(get_libdir)" \
+   LDFLAGS="-fPIC ${LDFLAGS} -pthread" \
+   USE_PCRE2=y \
+   FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
+   all
+
+   if multilib_is_native_abi && use python; then
+   building() {
+   emake \
+   LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
+   LIBDIR="\$(PREFIX)/$(get_libdir)" \
+   SHLIBDIR="/$(get_libdir)" \
+   USE_PCRE2=y \
+   FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
+   pywrap
+   }
+   python_foreach_impl building
+   fi
+
+   if multilib_is_native_abi && use ruby; then
+   building() {
+   einfo "Calling rubywrap for ${1}"
+   # Clean up .lo file to force rebuild
+   rm -f src/selinuxswig_ruby_wrap.lo || die
+   emake \
+   RUBY=${1} \
+   LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
+   LIBDIR="\$(PR

[gentoo-commits] repo/gentoo:master commit in: sys-apps/selinux-python/

2024-01-16 Thread Kenton Groombridge
commit: f4c787d27fac252f19b9c1924ae94ae8fd504e39
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:26:24 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:08 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4c787d2

sys-apps/selinux-python: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/selinux-python/selinux-python-.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys-apps/selinux-python/selinux-python-.ebuild 
b/sys-apps/selinux-python/selinux-python-.ebuild
index 470211f8d553..20a1fea452bf 100644
--- a/sys-apps/selinux-python/selinux-python-.ebuild
+++ b/sys-apps/selinux-python/selinux-python-.ebuild
@@ -1,8 +1,8 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..11} )
 PYTHON_REQ_USE="xml(+)"
 
 inherit python-r1 toolchain-funcs



[gentoo-commits] repo/gentoo:master commit in: sys-apps/checkpolicy/

2024-01-16 Thread Kenton Groombridge
commit: dbae134de49afb55add279a26f720c75da5ac470
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:26:08 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:05 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbae134d

sys-apps/checkpolicy: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/checkpolicy/checkpolicy-.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/checkpolicy/checkpolicy-.ebuild 
b/sys-apps/checkpolicy/checkpolicy-.ebuild
index 496db82366f7..6d5e91d8b18a 100644
--- a/sys-apps/checkpolicy/checkpolicy-.ebuild
+++ b/sys-apps/checkpolicy/checkpolicy-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"



[gentoo-commits] repo/gentoo:master commit in: app-admin/setools/

2024-01-16 Thread Kenton Groombridge
commit: cee102b9f47d416612fcf36b5f80d3bb99011b57
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:51:31 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:28:57 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cee102b9

app-admin/setools: add 4.4.4

Bug: https://bugs.gentoo.org/922136
Signed-off-by: Kenton Groombridge  gentoo.org>

 app-admin/setools/Manifest |  1 +
 app-admin/setools/setools-4.4.4.ebuild | 57 ++
 2 files changed, 58 insertions(+)

diff --git a/app-admin/setools/Manifest b/app-admin/setools/Manifest
index ebb92c6431fe..2e475c76c75d 100644
--- a/app-admin/setools/Manifest
+++ b/app-admin/setools/Manifest
@@ -1 +1,2 @@
 DIST setools-4.4.2.tar.bz2 261962 BLAKE2B 
7c8e47d8c15f1eb72d93da5d3ae1a64e857ed0a75e1a47bbad9e4b0d11180581d9e4705ebe942e460acbc4d68261f06f9b03a8c4af1516cc388c201e30dca75e
 SHA512 
4e8cba61ca28459387d862136a2d8ee0914c4bcd254a6d39792cbfcbbf7e58cb82223c05d66c114b08aebbd75c11cef11517c51f674ddb3c1913dc85414546c1
+DIST setools-4.4.4.tar.bz2 262867 BLAKE2B 
d64605ef050a2d51531e2a180bff086da536aa8d5e5c8cb96a81e137f575d089f9e9ec117cf0de9864f07174d92258b27ebf8fbc462714ef50bbd6d9f80d0a60
 SHA512 
ef72a7244ba0c724c4aea3afc40d71427e9c0592715f81cccaa8917e96836a88807ea78039c11c261dd3b4d72294accd76ab4bd37447cd500772030245db3c6e

diff --git a/app-admin/setools/setools-4.4.4.ebuild 
b/app-admin/setools/setools-4.4.4.ebuild
new file mode 100644
index ..ec3d11050109
--- /dev/null
+++ b/app-admin/setools/setools-4.4.4.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+
+DISTUTILS_EXT=1
+DISTUTILS_USE_PEP517=setuptools
+PYTHON_COMPAT=( python3_{10..12} )
+
+inherit distutils-r1
+
+DESCRIPTION="Policy Analysis Tools for SELinux"
+HOMEPAGE="https://github.com/SELinuxProject/setools/wiki;
+
+if [[ ${PV} ==  ]] ; then
+   inherit git-r3
+   EGIT_REPO_URI="https://github.com/SELinuxProject/setools.git;
+   S="${WORKDIR}/${P}"
+else
+   
SRC_URI="https://github.com/SELinuxProject/setools/releases/download/${PV}/${P}.tar.bz2;
+   KEYWORDS="~amd64 ~arm ~arm64 ~x86"
+   S="${WORKDIR}/${PN}"
+fi
+
+LICENSE="GPL-2 LGPL-2.1"
+SLOT="0"
+IUSE="test X"
+RESTRICT="!test? ( test )"
+
+RDEPEND="${PYTHON_DEPS}
+   >=dev-python/networkx-2.0[${PYTHON_USEDEP}]
+   dev-python/setuptools[${PYTHON_USEDEP}]
+   >=sys-libs/libsepol-3.2:=
+   >=sys-libs/libselinux-3.2:=
+   X? (
+   dev-python/PyQt5[gui,widgets,${PYTHON_USEDEP}]
+   )"
+DEPEND="${RDEPEND}"
+BDEPEND=">=dev-python/cython-0.27[${PYTHON_USEDEP}]
+   test? (
+   sys-apps/checkpolicy
+   )"
+
+distutils_enable_tests pytest
+
+python_prepare_all() {
+   sed -i "s@^lib_dirs = .*@lib_dirs = ['${ROOT:-/}usr/$(get_libdir)']@" 
"${S}"/setup.py || \
+   die "failed to set lib_dirs"
+
+   use X || PATCHES+=( "${FILESDIR}"/setools-4.4.2-remove-gui.patch )
+   distutils-r1_python_prepare_all
+}
+
+python_test() {
+   rm -rf setools || die
+   epytest
+}
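Review bot: The sed in python_prepare_all builds the library search path as `${ROOT:-/}usr/$(get_libdir)`, which assumes ROOT ends with a slash; under EAPI 7 and later ROOT has no trailing slash (and is empty for /), so any non-empty ROOT yields a path of the form `/targetusr/lib64`. PMS also only guarantees ROOT in pkg_* phases, and the directory a build should link against is the sysroot rather than the merge root, so `lib_dirs = ['${ESYSROOT}/usr/$(get_libdir)']` is the value that fits a src_* phase. For the common ROOT=/ case the result is identical, so this only shows up in ROOT or cross builds.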



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libselinux/

2024-01-16 Thread Kenton Groombridge
commit: 53934b03bc007e741ed1e0664d049e73bac440b0
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:25:53 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:02 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53934b03

sys-libs/libselinux: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libselinux/libselinux-.ebuild | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/sys-libs/libselinux/libselinux-.ebuild 
b/sys-libs/libselinux/libselinux-.ebuild
index f5475a7744c4..941b189dd857 100644
--- a/sys-libs/libselinux/libselinux-.ebuild
+++ b/sys-libs/libselinux/libselinux-.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
 PYTHON_COMPAT=( python3_{10..12} )
-USE_RUBY="ruby30 ruby31 ruby32"
+USE_RUBY="ruby31 ruby32 ruby33"
 
 # No, I am not calling ruby-ng
 inherit python-r1 toolchain-funcs multilib-minimal
@@ -26,16 +26,16 @@ fi
 
 LICENSE="public-domain"
 SLOT="0"
-IUSE="python ruby static-libs ruby_targets_ruby30 ruby_targets_ruby31 
ruby_targets_ruby32"
+IUSE="python ruby static-libs ruby_targets_ruby31 ruby_targets_ruby32 
ruby_targets_ruby33"
 REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
 
 RDEPEND="dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}]
>=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
python? ( ${PYTHON_DEPS} )
ruby? (
-   ruby_targets_ruby30? ( dev-lang/ruby:3.0 )
ruby_targets_ruby31? ( dev-lang/ruby:3.1 )
ruby_targets_ruby32? ( dev-lang/ruby:3.2 )
+   ruby_targets_ruby33? ( dev-lang/ruby:3.3 )
)
elibc_musl? ( sys-libs/fts-standalone )"
 DEPEND="${RDEPEND}"



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsemanage/

2024-01-16 Thread Kenton Groombridge
commit: 5430490f316af3e51845574c41adff0c61add9b9
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:26:00 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:03 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5430490f

sys-libs/libsemanage: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libsemanage/libsemanage-.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-libs/libsemanage/libsemanage-.ebuild 
b/sys-libs/libsemanage/libsemanage-.ebuild
index 7c2c0548cf0e..eb127413897f 100644
--- a/sys-libs/libsemanage/libsemanage-.ebuild
+++ b/sys-libs/libsemanage/libsemanage-.ebuild
@@ -2,7 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..11} )
 
 inherit python-r1 toolchain-funcs multilib-minimal
 



[gentoo-commits] repo/gentoo:master commit in: app-admin/setools/

2024-01-16 Thread Kenton Groombridge
commit: 2e2caf41499f1d20f0f52d34fadb9ae8f566c4da
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:32:53 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:28:55 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2e2caf41

app-admin/setools: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 app-admin/setools/setools-.ebuild | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app-admin/setools/setools-.ebuild 
b/app-admin/setools/setools-.ebuild
index 2d9636b33744..ec3d11050109 100644
--- a/app-admin/setools/setools-.ebuild
+++ b/app-admin/setools/setools-.ebuild
@@ -1,11 +1,11 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="8"
 
 DISTUTILS_EXT=1
 DISTUTILS_USE_PEP517=setuptools
-PYTHON_COMPAT=( python3_{10..11} )
+PYTHON_COMPAT=( python3_{10..12} )
 
 inherit distutils-r1
 
@@ -28,6 +28,7 @@ IUSE="test X"
 RESTRICT="!test? ( test )"
 
 RDEPEND="${PYTHON_DEPS}
+   >=dev-python/networkx-2.0[${PYTHON_USEDEP}]
dev-python/setuptools[${PYTHON_USEDEP}]
>=sys-libs/libsepol-3.2:=
>=sys-libs/libselinux-3.2:=
@@ -37,7 +38,6 @@ RDEPEND="${PYTHON_DEPS}
 DEPEND="${RDEPEND}"
 BDEPEND=">=dev-python/cython-0.27[${PYTHON_USEDEP}]
test? (
-   >=dev-python/networkx-2.0[${PYTHON_USEDEP}]
sys-apps/checkpolicy
)"
 



[gentoo-commits] repo/gentoo:master commit in: sys-libs/libsepol/

2024-01-16 Thread Kenton Groombridge
commit: ae10056b740bbceac5d5f7391a5b884c5eff
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:25:31 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:28:59 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae10056b

sys-libs/libsepol: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-libs/libsepol/libsepol-.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-libs/libsepol/libsepol-.ebuild 
b/sys-libs/libsepol/libsepol-.ebuild
index f682823e4643..17fe4da89451 100644
--- a/sys-libs/libsepol/libsepol-.ebuild
+++ b/sys-libs/libsepol/libsepol-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"



[gentoo-commits] repo/gentoo:master commit in: sys-apps/secilc/

2024-01-16 Thread Kenton Groombridge
commit: 8dfbd781a9e3e4992d5ed88fcf0602bbc46d0927
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Wed Jan 17 00:25:46 2024 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Wed Jan 17 01:29:00 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8dfbd781

sys-apps/secilc: update live ebuild

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/secilc/secilc-.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys-apps/secilc/secilc-.ebuild 
b/sys-apps/secilc/secilc-.ebuild
index 76eeb7422445..5c59b25c3742 100644
--- a/sys-apps/secilc/secilc-.ebuild
+++ b/sys-apps/secilc/secilc-.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"



[gentoo-commits] repo/gentoo:master commit in: sys-cluster/flux/

2023-12-22 Thread Kenton Groombridge
commit: 4af9ff9c6bcfa40154a0a82c9ea6ca454a8937d9
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Dec 22 16:15:38 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Dec 22 16:23:54 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4af9ff9c

sys-cluster/flux: add 2.2.2

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-cluster/flux/Manifest  |  3 +++
 sys-cluster/flux/flux-2.2.2.ebuild | 37 +
 2 files changed, 40 insertions(+)

diff --git a/sys-cluster/flux/Manifest b/sys-cluster/flux/Manifest
index 466852070eed..3271ef37fc3f 100644
--- a/sys-cluster/flux/Manifest
+++ b/sys-cluster/flux/Manifest
@@ -1,6 +1,9 @@
 DIST flux-0.41.2.tar.gz 395636 BLAKE2B 
2d1732729709d0f753ff62aa5b5563b9d42f3cde42a98b5356607b640715e30afa9ebdfdb9c71281eff9188c91ea6e6b082ddc2198e4d790a76aaeb155b8ef2f
 SHA512 
c68ad402c99b61ca9ef737749417b48dc4e852544d76311c11d94bff42c2e081a8e11e72e438cb9e1834ec7d48e69a30473aa6ab1d68c2684dde5c2b817000a2
 DIST flux-2.0.1.tar.gz 326362 BLAKE2B 
f42bff5dcbd5960ba8d57f0d65a4c38e597bb6e1beb57bc38f5055c316f121ed07bb38275db6262eb1c0b3bedafd47ec9284cc05ab84f0c6e7aebc7e8458560d
 SHA512 
01c25c2c38c9612ffd280ede66eb01a2d4fced2ae9b4e36053afcb7742cde1aaa909d6ba983a7d60618a66b4e2f3153089bd71b2b8e1d6a0a45737bdef60d1e1
+DIST flux-2.2.2.tar.gz 384815 BLAKE2B 
c79fee58360a5ad988c2bb58ee6ec32245ca685a14d4fa63e7c8c06b7d79d374bf0c22bf1ffe33b16085fb4532ec35503514e91b427aa067a2495e76ec61e9ad
 SHA512 
d4b23ff189261d32f02682b3f57a5a81cb5faec87a8bd5a6cda7c044233761932e9f593c8019d1443fd1c63fb2585ffe6ee28084bf685802b163f36f5a2544a9
 DIST flux2-0.41.2-deps.tar.xz 166945460 BLAKE2B 
292ac5a66237916f1eeb8460f38f803fbe6bfec7cc6ee09512c0893928478049dbf8d482a897e7f4d5bed537f3cae3d73019d6c793764d1b15dc984724bc4ec7
 SHA512 
da36b3d78066cad548492d368df2b0d31c25a72f4fe4e5791b0c4315d5ed2625da5318b4a010395a587c072a07d23c6d6e7ff3c43bbf201dcd7d45a85dc24297
 DIST flux2-0.41.2-manifests.tar.xz 22904 BLAKE2B 
e23150ff1b7617f144a1250c890cb48bccbfa4547cc2d46b6d6905349c969a8505e2bc23466a469bb0eae326ec571eb5987ae5c0768b648ba6e35b1daec2b039
 SHA512 
ba58ffa05be150e32a30a492d28cdc582c9b0e7162b768a83ca8d44a4a08fca195700f8c124cc39cf85a0c62dfbe380304c0d203d0f05619a1b65284d22278de
 DIST flux2-2.0.1-deps.tar.xz 177273192 BLAKE2B 
36047e5d2232bd6a4b648b78861881aa1c883de9593d0f3172e83115a62649f6369396de05cfd850143581366f8e4501d0e54a4f422515fc7165b823a9833b96
 SHA512 
18ae557760a4c298cc9f7556b460b9c02d2b5516b735881d5907bd934fd4bb83cdf4fc613b8b9a493f65accc24abbc7836a98dfde86386e5d7466efcb8ae995d
 DIST flux2-2.0.1-manifests.tar.xz 22916 BLAKE2B 
00df38e004f2abd52566e642c299522f9e5910104ee88cdc0842b63bedccb10383e17d35eb8a7495db7036641f2fb6a2fe6fe01971017c413e95ba57e73e5894
 SHA512 
db0c3f7013ffec41b657047e53cad01f19427f2e46a94d52efa2e4031482b1b8cddb857fee26ecd35ecdb11029ec0da7f6917f2343730c44338a9b2792695e93
+DIST flux2-2.2.2-deps.tar.xz 179877376 BLAKE2B 
f80135ad82f11a47ace00f3656147069ad8d7c389bbd18b6166c91d7381f06c2cf56371583e47eb2d3d9f6e292428e95c000ad4769a25ef2bdf0c2f6297b67e6
 SHA512 
5f8a82a19b2d5dde597aeaace21315a4feac4777996be18eed61422bae60e710519015ea5162a8818a12d05edfc22f47d1decea2d9a7c7a4488c2377e3b4f5d0
+DIST flux2-2.2.2-manifests.tar.xz 26788 BLAKE2B 
82a233abd4d68d20af7160d39cadef0dd48692d469892b7ebd780a12f8e81ee00ce1e5f09f90f77035b055f85378cd9ce5979bb6af5a8fbc9dd96e1f091453ce
 SHA512 
51ce6b4d2b79c40d55a3df17d0b191ac313099c0d068ee02a3abc57c05aadcc0d3d8eed06793e411d57b31e7aee601e54a2e4f87e6f88d8bb835d5d6bbddf4c3

diff --git a/sys-cluster/flux/flux-2.2.2.ebuild 
b/sys-cluster/flux/flux-2.2.2.ebuild
new file mode 100644
index ..a5454a53db5e
--- /dev/null
+++ b/sys-cluster/flux/flux-2.2.2.ebuild
@@ -0,0 +1,37 @@
+# Copyright 2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit bash-completion-r1 go-module
+
+DESCRIPTION="Flux is a tool for keeping Kubernetes clusters in sync"
+HOMEPAGE="https://fluxcd.io https://github.com/fluxcd/flux2;
+SRC_URI="https://github.com/fluxcd/flux2/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/flux2-${PV}-deps.tar.xz;
+# Manifests require kustomize to build. Do it with: make 
cmd/flux/.manifests.done
+SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/flux2-${PV}-manifests.tar.xz;
+
+LICENSE="Apache-2.0 BSD BSD-2 ISC MIT MPL-2.0"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="hardened"
+
+BDEPEND=">=dev-lang/go-1.19"
+
+RESTRICT+=" test"
+S="${WORKDIR}/flux2-${PV}"
+
+src_compile() {
+   mv "${WORKDIR}"/manifests cmd/"${PN}" || die
+   CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')" \
+   ego build -ldflags="-s -w -X main.VERSION=${PV}" -o ./bin/${PN} 
./cmd/${PN}
+}
+
+src_install() {
+   dobin bin/${PN}
+   bin/${PN} 

[gentoo-commits] repo/gentoo:master commit in: sys-cluster/kubeseal/

2023-12-22 Thread Kenton Groombridge
commit: 448d48e0bf7d178fe2feaa8cd7baed2b13095989
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Dec 22 16:14:36 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Dec 22 16:23:52 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=448d48e0

sys-cluster/kubeseal: drop 0.21.0

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-cluster/kubeseal/Manifest   |  2 --
 sys-cluster/kubeseal/kubeseal-0.21.0.ebuild | 32 -
 2 files changed, 34 deletions(-)

diff --git a/sys-cluster/kubeseal/Manifest b/sys-cluster/kubeseal/Manifest
index 50fce63d7bfe..f8ea32cf0349 100644
--- a/sys-cluster/kubeseal/Manifest
+++ b/sys-cluster/kubeseal/Manifest
@@ -1,5 +1,3 @@
-DIST sealed-secrets-0.21.0-deps.tar.xz 51527452 BLAKE2B 
0f2518167321760a6eed37ae69464b36f5c29c085487c21259e9e115f812fb50ebf3039e625971c9862e022a70abb5d4620262d4c30420e95c756a8731519639
 SHA512 
d53cf1575cda1c34d5823863bf9c6a0ca477ab85942706589f38ac9ec81f7c82396fa45b7f84fc3b45f2ee0180d28276515b670ddbe0b3ecfcccb506f36106ad
-DIST sealed-secrets-0.21.0.tar.gz 1295839 BLAKE2B 
d1dd9ccb9ef60fcb8cc8ea8a038d714d0055313868ee2c848c287a57a5b1f7e674c68dbb1f7d3e8a03a98db70fcc5447b5a1672cb4088cd10c5ee95fee35c693
 SHA512 
e527189daaa259d5301086fd47a87b7daa1cf1da0a729ba59a46064e4e915d3af08fceede22f35a912b5d692cf29aaf6508780cf97b29d779de5d771cec29bf8
 DIST sealed-secrets-0.23.0-deps.tar.xz 52956852 BLAKE2B 
85d3ec425e86c76757ba60c3a1f3f4b1d7453429f789573f1ff80d5329c15df4c54a2feb74932812b18167001512d13c4a8a2a1c550ed6715d9ca13f66e9aac7
 SHA512 
5cc767566c22a7f00f2980f8e023149e57c078bd5e11581b25d629d689c504547ef6d2ba6032b400e8040a82804af8b56ed44fc487d15a3071f329fdfbdeb0e7
 DIST sealed-secrets-0.23.0.tar.gz 1315727 BLAKE2B 
eb37a18e3f8d89f6096098c7a8b6f0d99c21a0e6f03c3a6ea2047b5c29c8021ca5b0ebc15fce0f53f2d2d37d99fe346a4c06d3d1782c31cbccdb72750daef37e
 SHA512 
79fb2f66c900e340cb64b2fc5571b2d7cca3debcc8442d8e53139a4fbdcb11ef9be7aad337eced2f9e574d5d7b6af8ee45a5ab8a0229330736a412d415e90952
 DIST sealed-secrets-0.24.5-deps.tar.xz 53092736 BLAKE2B 
09b29581ebea10e4c873bd76c1e41ee0eeb4fc99e5bd39450c946252f9e922facd5892fb916a62e3105f272f6c6c0429c42117fbd34717bbca692b14098850e2
 SHA512 
e64f8e14a3a68987653420244e8c23a0b080f1955b3987d6efb22be3c58ed32fd5c11cc615eae3ac9295aa4041638598f906672551d180514bc1edf99f66bb61

diff --git a/sys-cluster/kubeseal/kubeseal-0.21.0.ebuild 
b/sys-cluster/kubeseal/kubeseal-0.21.0.ebuild
deleted file mode 100644
index d4f364c86e91..
--- a/sys-cluster/kubeseal/kubeseal-0.21.0.ebuild
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright 2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-inherit go-module
-
-MY_PN="sealed-secrets"
-MY_P="${MY_PN}-${PV}"
-
-DESCRIPTION="Client-side utility for one-way encrypted secrets in kubernetes"
-HOMEPAGE="https://github.com/bitnami-labs/sealed-secrets;
-SRC_URI="https://github.com/bitnami-labs/sealed-secrets/archive/v${PV}.tar.gz 
-> ${MY_P}.tar.gz"
-SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${MY_P}-deps.tar.xz;
-
-LICENSE="Apache-2.0 BSD ISC MIT"
-SLOT="0"
-KEYWORDS="~amd64"
-IUSE="hardened"
-
-BDEPEND=">=dev-lang/go-1.19"
-
-RESTRICT+=" test"
-S="${WORKDIR}/${MY_P}"
-
-src_compile() {
-   CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')" \
-   emake -j1 GOFLAGS="" GOLDFLAGS="" LDFLAGS="" VERSION="v${PV}" 
${PN}
-}
-
-src_install() {
-   dobin ${PN}
-}



[gentoo-commits] repo/gentoo:master commit in: sys-cluster/kubeseal/

2023-12-22 Thread Kenton Groombridge
commit: e799557b641006f66b1a985a63e6e848879616d7
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Dec 22 16:14:03 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Dec 22 16:23:51 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e799557b

sys-cluster/kubeseal: add 0.24.5

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-cluster/kubeseal/Manifest   |  2 ++
 sys-cluster/kubeseal/kubeseal-0.24.5.ebuild | 32 +
 2 files changed, 34 insertions(+)

diff --git a/sys-cluster/kubeseal/Manifest b/sys-cluster/kubeseal/Manifest
index 36be019d9cf8..50fce63d7bfe 100644
--- a/sys-cluster/kubeseal/Manifest
+++ b/sys-cluster/kubeseal/Manifest
@@ -2,3 +2,5 @@ DIST sealed-secrets-0.21.0-deps.tar.xz 51527452 BLAKE2B 
0f2518167321760a6eed37ae
 DIST sealed-secrets-0.21.0.tar.gz 1295839 BLAKE2B 
d1dd9ccb9ef60fcb8cc8ea8a038d714d0055313868ee2c848c287a57a5b1f7e674c68dbb1f7d3e8a03a98db70fcc5447b5a1672cb4088cd10c5ee95fee35c693
 SHA512 
e527189daaa259d5301086fd47a87b7daa1cf1da0a729ba59a46064e4e915d3af08fceede22f35a912b5d692cf29aaf6508780cf97b29d779de5d771cec29bf8
 DIST sealed-secrets-0.23.0-deps.tar.xz 52956852 BLAKE2B 
85d3ec425e86c76757ba60c3a1f3f4b1d7453429f789573f1ff80d5329c15df4c54a2feb74932812b18167001512d13c4a8a2a1c550ed6715d9ca13f66e9aac7
 SHA512 
5cc767566c22a7f00f2980f8e023149e57c078bd5e11581b25d629d689c504547ef6d2ba6032b400e8040a82804af8b56ed44fc487d15a3071f329fdfbdeb0e7
 DIST sealed-secrets-0.23.0.tar.gz 1315727 BLAKE2B 
eb37a18e3f8d89f6096098c7a8b6f0d99c21a0e6f03c3a6ea2047b5c29c8021ca5b0ebc15fce0f53f2d2d37d99fe346a4c06d3d1782c31cbccdb72750daef37e
 SHA512 
79fb2f66c900e340cb64b2fc5571b2d7cca3debcc8442d8e53139a4fbdcb11ef9be7aad337eced2f9e574d5d7b6af8ee45a5ab8a0229330736a412d415e90952
+DIST sealed-secrets-0.24.5-deps.tar.xz 53092736 BLAKE2B 
09b29581ebea10e4c873bd76c1e41ee0eeb4fc99e5bd39450c946252f9e922facd5892fb916a62e3105f272f6c6c0429c42117fbd34717bbca692b14098850e2
 SHA512 
e64f8e14a3a68987653420244e8c23a0b080f1955b3987d6efb22be3c58ed32fd5c11cc615eae3ac9295aa4041638598f906672551d180514bc1edf99f66bb61
+DIST sealed-secrets-0.24.5.tar.gz 1311827 BLAKE2B 
1a567722cf98b10ec41a8477554209c0e196cc181c4a559d945a3f19cb8dffeb9bcb1e8638eaa8df6c3266d2086ef749dcba2b49e2edcce20afb12351daf829d
 SHA512 
e0a552f99a866af3b3304182bbdd824a6e7490c6410e3e4b29ffd2ec0e6e9c1f4d7f30a9499ac8b20c3e0313b6bf5e1e26aa14fd67c5725df8eeaf36299e308a

diff --git a/sys-cluster/kubeseal/kubeseal-0.24.5.ebuild 
b/sys-cluster/kubeseal/kubeseal-0.24.5.ebuild
new file mode 100644
index ..d4f364c86e91
--- /dev/null
+++ b/sys-cluster/kubeseal/kubeseal-0.24.5.ebuild
@@ -0,0 +1,32 @@
+# Copyright 2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module
+
+MY_PN="sealed-secrets"
+MY_P="${MY_PN}-${PV}"
+
+DESCRIPTION="Client-side utility for one-way encrypted secrets in kubernetes"
+HOMEPAGE="https://github.com/bitnami-labs/sealed-secrets;
+SRC_URI="https://github.com/bitnami-labs/sealed-secrets/archive/v${PV}.tar.gz 
-> ${MY_P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${MY_P}-deps.tar.xz;
+
+LICENSE="Apache-2.0 BSD ISC MIT"
+SLOT="0"
+KEYWORDS="~amd64"
+IUSE="hardened"
+
+BDEPEND=">=dev-lang/go-1.19"
+
+RESTRICT+=" test"
+S="${WORKDIR}/${MY_P}"
+
+src_compile() {
+   CGO_LDFLAGS="$(usex hardened '-fno-PIC ' '')" \
+   emake -j1 GOFLAGS="" GOLDFLAGS="" LDFLAGS="" VERSION="v${PV}" 
${PN}
+}
+
+src_install() {
+   dobin ${PN}
+}
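Review bot: `RESTRICT+=" test"` disables the upstream test suite with no stated reason, unlike the miniflux ebuilds elsewhere on this page that carry `# requires network access`; add the reason inline, e.g. `RESTRICT+=" test" # tests need a live cluster/network — confirm`, so the restriction is revisited on the next bump rather than carried forward. The new file's blob id (`d4f364c86e91`) is the same as the 0.21.0 ebuild being dropped in the sibling commit, so nothing in it was re-checked for 0.24.5; in particular the `>=dev-lang/go-1.19` floor in BDEPEND should be compared against the `go` directive of the 0.24.5 go.mod, which is not visible here. Clearing `GOFLAGS`/`GOLDFLAGS`/`LDFLAGS` on the `emake -j1` line presumably keeps the upstream Makefile from injecting its own flags; a one-line comment stating that intent would help whoever bumps this next.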



[gentoo-commits] repo/gentoo:master commit in: sys-apps/bolt/

2023-11-14 Thread Kenton Groombridge
commit: 1bf83bcb2351c75602b07f4b339d8e64d30ecbd8
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Nov  6 15:45:48 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue Nov 14 21:47:24 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bf83bcb

sys-apps/bolt: add USE=selinux

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-apps/bolt/bolt-0.9.1.ebuild | 7 ---
 sys-apps/bolt/bolt-0.9.2.ebuild | 5 +++--
 sys-apps/bolt/bolt-0.9.3.ebuild | 5 +++--
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/sys-apps/bolt/bolt-0.9.1.ebuild b/sys-apps/bolt/bolt-0.9.1.ebuild
index 3c46d3566a5c..cb34716378bc 100644
--- a/sys-apps/bolt/bolt-0.9.1.ebuild
+++ b/sys-apps/bolt/bolt-0.9.1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -12,7 +12,7 @@ 
SRC_URI="https://gitlab.freedesktop.org/${PN}/${PN}/-/archive/${PV}/${P}.tar.gz;
 LICENSE="LGPL-2.1"
 SLOT="0"
 KEYWORDS="amd64 ~riscv x86"
-IUSE="doc systemd"
+IUSE="doc selinux systemd"
 
 DEPEND="
>=dev-libs/glib-2.56.0:2
@@ -23,7 +23,8 @@ DEPEND="
sys-auth/polkit[introspection]
systemd? ( sys-apps/systemd )
doc? ( app-text/asciidoc )"
-RDEPEND="${DEPEND}"
+RDEPEND="${DEPEND}
+   selinux? ( sec-policy/selinux-thunderbolt )"
 
 pkg_pretend() {
if use kernel_linux && kernel_is lt 5 6; then

diff --git a/sys-apps/bolt/bolt-0.9.2.ebuild b/sys-apps/bolt/bolt-0.9.2.ebuild
index d1044fd43ad2..3275183ef322 100644
--- a/sys-apps/bolt/bolt-0.9.2.ebuild
+++ b/sys-apps/bolt/bolt-0.9.2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -12,7 +12,7 @@ 
SRC_URI="https://gitlab.freedesktop.org/${PN}/${PN}/-/archive/${PV}/${P}.tar.gz;
 LICENSE="LGPL-2.1 GPL-2+"
 SLOT="0"
 KEYWORDS="amd64 ~riscv x86"
-IUSE="test"
+IUSE="selinux test"
 RESTRICT="!test? ( test )"
 
 RDEPEND="
@@ -20,6 +20,7 @@ RDEPEND="
virtual/libudev:=
virtual/udev
sys-auth/polkit[introspection]
+   selinux? ( sec-policy/selinux-thunderbolt )
 "
 DEPEND="
${RDEPEND}

diff --git a/sys-apps/bolt/bolt-0.9.3.ebuild b/sys-apps/bolt/bolt-0.9.3.ebuild
index 3e80af202e25..16e2be81e05b 100644
--- a/sys-apps/bolt/bolt-0.9.3.ebuild
+++ b/sys-apps/bolt/bolt-0.9.3.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -12,7 +12,7 @@ 
SRC_URI="https://gitlab.freedesktop.org/${PN}/${PN}/-/archive/${PV}/${P}.tar.gz;
 LICENSE="LGPL-2.1 GPL-2+"
 SLOT="0"
 KEYWORDS="amd64 ~loong ~riscv x86"
-IUSE="test"
+IUSE="selinux test"
 RESTRICT="!test? ( test )"
 
 RDEPEND="
@@ -20,6 +20,7 @@ RDEPEND="
virtual/libudev:=
virtual/udev
sys-auth/polkit[introspection]
+   selinux? ( sec-policy/selinux-thunderbolt )
 "
 DEPEND="
${RDEPEND}



[gentoo-commits] repo/gentoo:master commit in: sys-power/switcheroo-control/

2023-11-14 Thread Kenton Groombridge
commit: 3ae9378d1f9e5983d411b01c6fe3da43ae312949
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Nov  6 15:42:50 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue Nov 14 21:47:22 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ae9378d

sys-power/switcheroo-control: add USE=selinux

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-power/switcheroo-control/switcheroo-control-2.6-r2.ebuild | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys-power/switcheroo-control/switcheroo-control-2.6-r2.ebuild 
b/sys-power/switcheroo-control/switcheroo-control-2.6-r2.ebuild
index d8788ef9cf76..36faca9d3eef 100644
--- a/sys-power/switcheroo-control/switcheroo-control-2.6-r2.ebuild
+++ b/sys-power/switcheroo-control/switcheroo-control-2.6-r2.ebuild
@@ -12,7 +12,7 @@ 
SRC_URI="https://gitlab.freedesktop.org/hadess/switcheroo-control/uploads/86ea54
 
 LICENSE="GPL-3"
 SLOT="0"
-IUSE="gtk-doc test"
+IUSE="gtk-doc selinux test"
 REQUIRED_USE="${PYTHON_REQUIRED_USE}"
 
 KEYWORDS="amd64 ~arm arm64 ~loong ~ppc64 ~riscv x86"
@@ -21,6 +21,7 @@ RDEPEND="${PYTHON_DEPS}
$(python_gen_cond_dep 'dev-python/pygobject:3[${PYTHON_USEDEP}]')
>=dev-libs/glib-2.56.0:2
>=dev-libs/libgudev-232:=
+   selinux? ( sec-policy/selinux-switcheroo )
 "
 DEPEND="${RDEPEND}"
 BDEPEND="



[gentoo-commits] repo/gentoo:master commit in: sys-power/power-profiles-daemon/

2023-11-14 Thread Kenton Groombridge
commit: 37640bd95a4706e9705d2c2244428b081e87262d
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Nov  6 15:35:47 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Tue Nov 14 21:47:20 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37640bd9

sys-power/power-profiles-daemon: add USE=selinux

Signed-off-by: Kenton Groombridge  gentoo.org>

 sys-power/power-profiles-daemon/power-profiles-daemon-0.13.ebuild | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys-power/power-profiles-daemon/power-profiles-daemon-0.13.ebuild 
b/sys-power/power-profiles-daemon/power-profiles-daemon-0.13.ebuild
index 75019fefc95d..f96ce6849085 100644
--- a/sys-power/power-profiles-daemon/power-profiles-daemon-0.13.ebuild
+++ b/sys-power/power-profiles-daemon/power-profiles-daemon-0.13.ebuild
@@ -14,7 +14,7 @@ LICENSE="GPL-3+"
 SLOT="0"
 KEYWORDS="amd64 ~arm arm64 ~loong ~ppc64 ~riscv x86"
 
-IUSE="gtk-doc test"
+IUSE="gtk-doc selinux test"
 REQUIRED_USE="${PYTHON_REQUIRED_USE}"
 
 RESTRICT="!test? ( test )"
@@ -25,6 +25,7 @@ RDEPEND="${PYTHON_DEPS}
>=dev-libs/libgudev-234
>=sys-auth/polkit-0.114
sys-power/upower
+   selinux? ( sec-policy/selinux-powerprofiles )
 "
 DEPEND="${RDEPEND}"
 BDEPEND="



[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/

2023-11-06 Thread Kenton Groombridge
commit: 0277ec5d18edab3db9390af52131872d7e16f5eb
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Nov  6 18:30:46 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Mon Nov  6 18:32:43 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0277ec5d

www-apps/miniflux: stabilize 2.0.45 for amd64, ppc64

Signed-off-by: Kenton Groombridge  gentoo.org>

 www-apps/miniflux/miniflux-2.0.45.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www-apps/miniflux/miniflux-2.0.45.ebuild 
b/www-apps/miniflux/miniflux-2.0.45.ebuild
index ed9f217ff691..ba48c8291c75 100644
--- a/www-apps/miniflux/miniflux-2.0.45.ebuild
+++ b/www-apps/miniflux/miniflux-2.0.45.ebuild
@@ -15,7 +15,7 @@ SRC_URI+=" 
https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz;
 
 LICENSE="Apache-2.0 BSD BSD-2 MIT"
 SLOT="0"
-KEYWORDS="~amd64 ~ppc64 ~riscv"
+KEYWORDS="amd64 ppc64 ~riscv"
 
 RESTRICT="test" # requires network access
 



[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/

2023-11-06 Thread Kenton Groombridge
commit: ad5fb9992f649b1b96ab0e5881d96664c0755155
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Nov  6 18:31:13 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Mon Nov  6 18:32:45 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad5fb999

www-apps/miniflux: drop 2.0.44

Signed-off-by: Kenton Groombridge  gentoo.org>

 www-apps/miniflux/Manifest   |   2 -
 www-apps/miniflux/miniflux-2.0.44.ebuild | 107 ---
 2 files changed, 109 deletions(-)

diff --git a/www-apps/miniflux/Manifest b/www-apps/miniflux/Manifest
index f2ed94d0a483..5169c94d3eb0 100644
--- a/www-apps/miniflux/Manifest
+++ b/www-apps/miniflux/Manifest
@@ -1,5 +1,3 @@
-DIST miniflux-2.0.44-deps.tar.xz 38348604 BLAKE2B 
6709ad503ec64ea64fb35624ff0f6d641a6ccac78d52469a0a6c6e905e505c78866603f310e82c5ff7e1bcd7656cb0d9b3516bb9d0822d7a3f8bbbdadaff0aca
 SHA512 
f463a5a63c5611e8b90ebf15127e05e2df878bb6c49a347f182c5df40feea7e0b2fa21cff4c92b6a99f82e8be4cbd113999f0b3ba6187897af9fad49c9a2aecb
-DIST miniflux-2.0.44.tar.gz 574354 BLAKE2B 
a0c29cb88d88584619e6890a01af15d7b7d9a6ab230b60d76c01d95e82c5ef665aeb19f120180bc328ef3847cae2c87096a096e8f0d0455f7694539556453e5b
 SHA512 
6c1057bcb4daf3110a8885363e2386c6d68776e917f0277299ab94fb46553a8a1b3acf4a2893ab03d30e2b3c26118257e68a7f33d5d436884bfafd8e06fc5e0a
 DIST miniflux-2.0.45-deps.tar.xz 38551640 BLAKE2B 
b4dfe2c8bb4d96ba9b4adcb23078b7555115fed8ac346c47411fe406b086330e12f62ca71162d7eab6e1564ae21d1330d93e6e56fde8c421ff8df56cb3ca520a
 SHA512 
79a659660daa01b2909a2e726dc37a789645a3e42c9132ad0e6cc7dd38ae08ad42075339da729fc5942e456fcb5037a414d26952731497586f322c9073f39872
 DIST miniflux-2.0.45.tar.gz 580517 BLAKE2B 
804c109a7cda5cd4aa4a65130b70c4d1ebb00decbdbb15c6175e14726aa1d0944d9803898e8ace8bdca083e4668f1fe2230a588793082b63967ef11d7e68827f
 SHA512 
f2770105b05251d8ec1cd63fc8fde4ac45ba6d734c2bd96b574a4c0e33b6a9c8ce67af48d9adb29794a292c47f2f7059fea8a6e20708d0fefa6de4cbaa647328
 DIST miniflux-2.0.49-deps.tar.xz 38155476 BLAKE2B 
9631c23af181cf86bd197066a453c84b09840cc71a870eba0ad4e7cdb2720fe952fca7f6a93f3e9e2e2d8c9a13629da0f758b21a4afe5849186d653b44a3f097
 SHA512 
c51228a3f70d73788be63ed5e7f24baeee9a369351e07bd7715a60c6b340d3e90ebd25adfb50d3e2144a8b0c7d609fca3bacdd51a1d61ff7916e6a7a439b6dc1

diff --git a/www-apps/miniflux/miniflux-2.0.44.ebuild 
b/www-apps/miniflux/miniflux-2.0.44.ebuild
deleted file mode 100644
index 4e238162adbc..
--- a/www-apps/miniflux/miniflux-2.0.44.ebuild
+++ /dev/null
@@ -1,107 +0,0 @@
-# Copyright 2020-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit go-module systemd
-
-# Get with 'git rev-parse --short HEAD'
-MY_GIT_COMMIT="4c0c6581"
-
-DESCRIPTION="Minimalist and opinionated feed reader"
-HOMEPAGE="https://miniflux.app https://github.com/miniflux/v2;
-SRC_URI="https://github.com/${PN}/v2/archive/${PV}.tar.gz -> ${P}.tar.gz"
-SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz;
-
-LICENSE="Apache-2.0 BSD BSD-2 MIT"
-SLOT="0"
-KEYWORDS="amd64 ppc64 ~riscv"
-
-RESTRICT="test" # requires network access
-
-DEPEND="acct-user/miniflux"
-RDEPEND="${DEPEND}
-   >=dev-db/postgresql-9.5
-"
-
-S="${WORKDIR}/v2-${PV}"
-
-src_compile() {
-   ego build -ldflags="
-   -s -w
-   -X 'miniflux.app/version.Version=${PV}'
-   -X 'miniflux.app/version.Commit=${MY_GIT_COMMIT}'
-   -X 'miniflux.app/version.BuildDate=$(date +%FT%T%z)'
-   " -o miniflux main.go
-}
-
-src_install() {
-   dobin miniflux
-
-   insinto /etc
-   doins "${FILESDIR}/${PN}.conf"
-
-   newconfd "${FILESDIR}/${PN}.confd" ${PN}
-
-   newinitd "${FILESDIR}/${PN}.initd-r1" ${PN}
-   systemd_dounit "${FILESDIR}/${PN}.service"
-
-   fowners miniflux:root /etc/${PN}.conf
-   fperms o-rwx /etc/${PN}.conf
-
-   local DOCS=(
-   ChangeLog
-   README.md
-   "${FILESDIR}"/README.gentoo
-   )
-
-   # Makefile has no install target, so call einstalldocs directly
-   einstalldocs
-
-   doman "${PN}".1
-}
-
-pkg_postinst() {
-   if [[ -z "${REPLACING_VERSIONS}" ]]; then
-   # This is a new installation
-
-   echo
-   elog "Before using miniflux, you must first create and 
initialize the database"
-   elog "and enable the hstore extension for it."
-   elog ""
-   elog "Afterwards, create your first admin user by running:"
-   elog "  miniflux -create-admin"
-   else
-   # This is an existing installation
-
-   echo
-   elog &qu

[gentoo-commits] repo/gentoo:master commit in: www-apps/miniflux/

2023-11-06 Thread Kenton Groombridge
commit: be968ced07f41e5a0beb22e2fd23eba604b81377
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Nov  6 18:30:10 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Mon Nov  6 18:32:41 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be968ced

www-apps/miniflux: add 2.0.49

Signed-off-by: Kenton Groombridge  gentoo.org>

 www-apps/miniflux/Manifest   |   2 +
 www-apps/miniflux/miniflux-2.0.49.ebuild | 107 +++
 2 files changed, 109 insertions(+)

diff --git a/www-apps/miniflux/Manifest b/www-apps/miniflux/Manifest
index 3728d48d707e..f2ed94d0a483 100644
--- a/www-apps/miniflux/Manifest
+++ b/www-apps/miniflux/Manifest
@@ -2,3 +2,5 @@ DIST miniflux-2.0.44-deps.tar.xz 38348604 BLAKE2B 
6709ad503ec64ea64fb35624ff0f6d
 DIST miniflux-2.0.44.tar.gz 574354 BLAKE2B 
a0c29cb88d88584619e6890a01af15d7b7d9a6ab230b60d76c01d95e82c5ef665aeb19f120180bc328ef3847cae2c87096a096e8f0d0455f7694539556453e5b
 SHA512 
6c1057bcb4daf3110a8885363e2386c6d68776e917f0277299ab94fb46553a8a1b3acf4a2893ab03d30e2b3c26118257e68a7f33d5d436884bfafd8e06fc5e0a
 DIST miniflux-2.0.45-deps.tar.xz 38551640 BLAKE2B 
b4dfe2c8bb4d96ba9b4adcb23078b7555115fed8ac346c47411fe406b086330e12f62ca71162d7eab6e1564ae21d1330d93e6e56fde8c421ff8df56cb3ca520a
 SHA512 
79a659660daa01b2909a2e726dc37a789645a3e42c9132ad0e6cc7dd38ae08ad42075339da729fc5942e456fcb5037a414d26952731497586f322c9073f39872
 DIST miniflux-2.0.45.tar.gz 580517 BLAKE2B 
804c109a7cda5cd4aa4a65130b70c4d1ebb00decbdbb15c6175e14726aa1d0944d9803898e8ace8bdca083e4668f1fe2230a588793082b63967ef11d7e68827f
 SHA512 
f2770105b05251d8ec1cd63fc8fde4ac45ba6d734c2bd96b574a4c0e33b6a9c8ce67af48d9adb29794a292c47f2f7059fea8a6e20708d0fefa6de4cbaa647328
+DIST miniflux-2.0.49-deps.tar.xz 38155476 BLAKE2B 
9631c23af181cf86bd197066a453c84b09840cc71a870eba0ad4e7cdb2720fe952fca7f6a93f3e9e2e2d8c9a13629da0f758b21a4afe5849186d653b44a3f097
 SHA512 
c51228a3f70d73788be63ed5e7f24baeee9a369351e07bd7715a60c6b340d3e90ebd25adfb50d3e2144a8b0c7d609fca3bacdd51a1d61ff7916e6a7a439b6dc1
+DIST miniflux-2.0.49.tar.gz 614888 BLAKE2B 
77fae7eafcc55d02e3e00e6c008cb6727ff48423512e9dde420b84a63858e6ba9ed33dfd61907a46ca686b211f604d452e2ad5944b709094263ca0949a6128c8
 SHA512 
59505f5e60228ff94cf2cabc872117cd08c06edb0df6dfb4487153add27cc4e485d7cb71330333df155f158eb650f684d55f0460ba5404f5e26b9603123fd860

diff --git a/www-apps/miniflux/miniflux-2.0.49.ebuild 
b/www-apps/miniflux/miniflux-2.0.49.ebuild
new file mode 100644
index ..12650bceb1d6
--- /dev/null
+++ b/www-apps/miniflux/miniflux-2.0.49.ebuild
@@ -0,0 +1,107 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module systemd
+
+# Get with 'git rev-parse --short HEAD'
+MY_GIT_COMMIT="54eb5003"
+
+DESCRIPTION="Minimalist and opinionated feed reader"
+HOMEPAGE="https://miniflux.app https://github.com/miniflux/v2;
+SRC_URI="https://github.com/${PN}/v2/archive/${PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~concord/distfiles/${P}-deps.tar.xz;
+
+LICENSE="Apache-2.0 BSD BSD-2 MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc64 ~riscv"
+
+RESTRICT="test" # requires network access
+
+DEPEND="acct-user/miniflux"
+RDEPEND="${DEPEND}
+   >=dev-db/postgresql-9.5
+"
+
+S="${WORKDIR}/v2-${PV}"
+
+src_compile() {
+   ego build -ldflags="
+   -s -w
+   -X 'miniflux.app/v2/internal/version.Version=${PV}'
+   -X 'miniflux.app/v2/internal/version.Commit=${MY_GIT_COMMIT}'
+   -X 'miniflux.app/v2/internal/version.BuildDate=$(date +%FT%T%z)'
+   " -o miniflux main.go
+}
+
+src_install() {
+   dobin miniflux
+
+   insinto /etc
+   doins "${FILESDIR}/${PN}.conf"
+
+   newconfd "${FILESDIR}/${PN}.confd" ${PN}
+
+   newinitd "${FILESDIR}/${PN}.initd-r1" ${PN}
+   systemd_dounit "${FILESDIR}/${PN}.service"
+
+   fowners miniflux:root /etc/${PN}.conf
+   fperms o-rwx /etc/${PN}.conf
+
+   local DOCS=(
+   ChangeLog
+   README.md
+   "${FILESDIR}"/README.gentoo
+   )
+
+   # Makefile has no install target, so call einstalldocs directly
+   einstalldocs
+
+   doman "${PN}".1
+}
+
+pkg_postinst() {
+   if [[ -z "${REPLACING_VERSIONS}" ]]; then
+   # This is a new installation
+
+   echo
+   elog "Before using miniflux, you must first create and 
initialize the database"
+   elog "and enable the hstore extension for it."
+   elog ""
+   elog "Afterwards, create your first admin user by running:"
+   elog "  miniflux -create-admin"
+   els

[gentoo-commits] proj/hardened-refpolicy: New tag: 2.20231002-r2

2023-10-20 Thread Kenton Groombridge
commit: 
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 22:06:05 2023 +

New tag: 2.20231002-r2




[gentoo-commits] proj/hardened-refpolicy:master commit in: doc/

2023-10-20 Thread Kenton Groombridge
commit: 8c8f4a31a3896a10963b987691b7c7b87ce18842
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Oct 20 21:29:46 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:30:05 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c8f4a31

Update generated policy and doc files

Signed-off-by: Kenton Groombridge  gentoo.org>

 doc/policy.xml | 670 ++---
 1 file changed, 350 insertions(+), 320 deletions(-)

diff --git a/doc/policy.xml b/doc/policy.xml
index e96f1ea28..8ae22432d 100644
--- a/doc/policy.xml
+++ b/doc/policy.xml
@@ -58392,7 +58392,17 @@ Domain allow access.
 
 
 
-
+
+
+unmount a sysfs filesystem
+
+
+
+Domain allowed access.
+
+
+
+
 
 Do not audit getting the attributes of sysfs filesystem
 
@@ -58402,7 +58412,7 @@ Domain to dontaudit access from
 
 
 
-
+
 
 Dont audit attempts to read hardware state information
 
@@ -58412,7 +58422,7 @@ Domain for which the attempts do not need to be audited
 
 
 
-
+
 
 Mount on sysfs directories.
 
@@ -58422,7 +58432,7 @@ Domain allowed access.
 
 
 
-
+
 
 Search the sysfs directories.
 
@@ -58432,7 +58442,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to search sysfs.
 
@@ -58442,7 +58452,7 @@ Domain to not audit.
 
 
 
-
+
 
 List the contents of the sysfs directories.
 
@@ -58452,7 +58462,7 @@ Domain allowed access.
 
 
 
-
+
 
 Write in a sysfs directories.
 
@@ -58462,7 +58472,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to write in a sysfs directory.
 
@@ -58472,7 +58482,7 @@ Domain to not audit.
 
 
 
-
+
 
 Do not audit attempts to write to a sysfs file.
 
@@ -58482,7 +58492,7 @@ Domain to not audit.
 
 
 
-
+
 
 Create, read, write, and delete sysfs
 directories.
@@ -58493,7 +58503,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read hardware state information.
 
@@ -58512,7 +58522,7 @@ Domain allowed access.
 
 
 
-
+
 
 Write to hardware state information.
 
@@ -58529,7 +58539,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to modify hardware state information.
 
@@ -58539,7 +58549,7 @@ Domain allowed access.
 
 
 
-
+
 
 Add a sysfs file
 
@@ -58549,7 +58559,7 @@ Domain allowed access.
 
 
 
-
+
 
 Relabel hardware state directories.
 
@@ -58559,7 +58569,7 @@ Domain allowed access.
 
 
 
-
+
 
 Relabel from/to all sysfs types.
 
@@ -58569,7 +58579,7 @@ Domain allowed access.
 
 
 
-
+
 
 Set the attributes of sysfs files, directories and symlinks.
 
@@ -58579,7 +58589,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read and write the TPM device.
 
@@ -58589,7 +58599,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read from pseudo random number generator devices (e.g., /dev/urandom).
 
@@ -58622,7 +58632,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to read from pseudo
 random devices (e.g., /dev/urandom)
@@ -58633,7 +58643,7 @@ Domain to not audit.
 
 
 
-
+
 
 Write to the pseudo random device (e.g., /dev/urandom). This
 sets the random number generator seed.
@@ -58644,7 +58654,7 @@ Domain allowed access.
 
 
 
-
+
 
 Create the urandom device (/dev/urandom).
 
@@ -58654,7 +58664,7 @@ Domain allowed access.
 
 
 
-
+
 
 Set attributes on the urandom device (/dev/urandom).
 
@@ -58664,7 +58674,7 @@ Domain allowed access.
 
 
 
-
+
 
 Getattr generic the USB devices.
 
@@ -58674,7 +58684,7 @@ Domain allowed access.
 
 
 
-
+
 
 Setattr generic the USB devices.
 
@@ -58684,7 +58694,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read generic the USB devices.
 
@@ -58694,7 +58704,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read and write generic the USB devices.
 
@@ -58704,7 +58714,7 @@ Domain allowed access.
 
 
 
-
+
 
 Relabel generic the USB devices.
 
@@ -58714,7 +58724,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read USB monitor devices.
 
@@ -58724,7 +58734,7 @@ Domain allowed access.
 
 
 
-
+
 
 Write USB monitor devices.
 
@@ -58734,7 +58744,7 @@ Domain allowed access.
 
 
 
-
+
 
 Mount a usbfs filesystem.
 
@@ -58744,7 +58754,7 @@ Domain allowed access.
 
 
 
-
+
 
 Associate a file to a usbfs filesystem.
 
@@ -58754,7 +58764,7 @@ The type of the file to be associated to usbfs.
 
 
 
-
+
 
 Get the attributes of a directory in the usb filesystem.
 
@@ -58764,7 +58774,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to get the attributes
 of a directory in the usb filesystem.
@@ -58775,7 +58785,7 @@ Domain to not audit.
 
 
 
-
+
 
 Search the directory containing USB hardware information.
 
@@ -58785,7 +58795,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to get a list of usb hardware.
 
@@ -58795,7 +58805,7 @@ Domain allowed access.
 
 
 
-
+
 
 Set the attributes of usbfs filesystem.
 
@@ -58805,7 +58815,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read USB hardware information using
 the usbfs filesystem interface.
@@ -58816,7 +58826,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to modify usb hardware configuration files.
 
@@ -58826,7 +58836,7 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-20 Thread Kenton Groombridge
commit: 4751bfa9ef38a4d38494cadea1fa83a69881d5fa
Author: Russell Coker  coker  com  au>
AuthorDate: Sat Oct  7 02:56:52 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:28:39 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4751bfa9

Changes to eg25manager and modemmanager needed for firmware upload on 
pinephonepro

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/eg25manager.te  | 11 ++-
 policy/modules/services/modemmanager.te | 18 --
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/eg25manager.te 
b/policy/modules/services/eg25manager.te
index 92fd3e4f8..f305a9a01 100644
--- a/policy/modules/services/eg25manager.te
+++ b/policy/modules/services/eg25manager.te
@@ -57,8 +57,10 @@ files_read_usr_files(eg25manager_t)
 logging_send_syslog_msg(eg25manager_t)
 
 miscfiles_read_generic_certs(eg25manager_t)
+miscfiles_read_localization(eg25manager_t)
 
-modemmanager_dbus_chat(eg25manager_t)
+# will not upload to pinephone modem without this
+selinux_get_fs_mount(eg25manager_t)
 
 sysnet_read_config(eg25manager_t)
 
@@ -66,3 +68,10 @@ systemd_dbus_chat_logind(eg25manager_t)
 systemd_read_resolved_runtime(eg25manager_t)
 systemd_use_logind_fds(eg25manager_t)
 systemd_write_inherited_logind_inhibit_pipes(eg25manager_t)
+
+term_use_unallocated_ttys(eg25manager_t)
+
+optional_policy(`
+   modemmanager_dbus_chat(eg25manager_t)
+')
+
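Review bot: `term_use_unallocated_ttys(eg25manager_t)` at the end of the hunk grants read/write on every tty that has not been relabeled to a specific type, yet unlike the `selinux_get_fs_mount` line above it carries no comment saying which device the firmware upload actually needs. If the upload goes over the modem's serial port, labeling that port (or a device-specific interface) would confine this better; if the broad rule is unavoidable, a comment such as `# firmware upload opens the modem tty, which is presumably still unlabeled at that point` would keep it from being widened further later. The existing comment `# will not upload to pinephone modem without this` records the symptom rather than the reason; naming the access that was denied would help the next reader judge whether it is still needed. The module's rule list continues outside the hunk.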

diff --git a/policy/modules/services/modemmanager.te 
b/policy/modules/services/modemmanager.te
index 5801baedd..b94117bff 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -15,16 +15,30 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
 #
 
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal setpgid };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:unix_stream_socket { connectto 
create_stream_socket_perms };
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow modemmanager_t self:netlink_route_socket { create getattr getopt 
nlmsg_write read write };
+allow modemmanager_t self:qipcrtr_socket { create getattr getopt read write };
+
+# ModemManager  calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC)
+allow modemmanager_t self:process execmem;
 
 kernel_read_system_state(modemmanager_t)
+kernel_request_load_module(modemmanager_t)
+
+# for qmi/pass_through
+dev_create_sysfs_files(modemmanager_t)
 
+dev_getattr_sysfs(modemmanager_t)
 dev_read_sysfs(modemmanager_t)
+dev_write_sysfs(modemmanager_t)
 dev_rw_modem(modemmanager_t)
 
+# for /usr/libexec/qmi-proxy
+corecmd_exec_bin(modemmanager_t)
+
 files_read_etc_files(modemmanager_t)
 
 term_use_generic_ptys(modemmanager_t)
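Review bot: `allow modemmanager_t self:process execmem;` drops the W^X guarantee for a daemon that in the same hunk also gains `nlmsg_write` on netlink_route, `dev_write_sysfs`, `kernel_request_load_module` and `corecmd_exec_bin` on top of its existing `net_admin`/`sys_admin` capabilities, so a memory-corruption bug in ModemManager's modem-facing parsers becomes much easier to turn into code execution. The comment records the symptom (`mmap(PROT_READ|PROT_WRITE|PROT_EXEC)`) but not which library makes the RWX mapping; it is worth identifying that caller and, if it cannot be fixed upstream, gating the rule behind a tunable and extending the comment to name the library. Separately, `dev_write_sysfs(modemmanager_t)` covers all of sysfs_t while the comment `# for qmi/pass_through` suggests a single attribute is written — if so, a dedicated type for that attribute would be tighter. `corecmd_exec_bin` runs qmi-proxy inside modemmanager_t with no domain transition, which is presumably intended but deserves a word in the comment.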



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-20 Thread Kenton Groombridge
commit: 3b0568041bb3c496b5d776b1961763a32d184379
Author: Yi Zhao  windriver  com>
AuthorDate: Sat Oct  7 02:33:31 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:28:39 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3b056804

systemd: use init_daemon_domain instead of init_system_domain for 
systemd-networkd and systemd-resolved

Systemd-networkd and systemd-resolved are daemons.

Fixes:
avc:  denied  { write } for  pid=277 comm="systemd-resolve"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1

avc:  denied  { write } for  pid=324 comm="systemd-network"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/systemd.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b14511c24..bf3a0e14e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -199,7 +199,7 @@ init_daemon_domain(systemd_modules_load_t, 
systemd_modules_load_exec_t)
 
 type systemd_networkd_t;
 type systemd_networkd_exec_t;
-init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+init_daemon_domain(systemd_networkd_t, systemd_networkd_exec_t)
 
 type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
 files_runtime_file(systemd_networkd_runtime_t)
@@ -235,7 +235,7 @@ files_type(systemd_pstore_var_lib_t)
 
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
-init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
+init_daemon_domain(systemd_resolved_t, systemd_resolved_exec_t)
 
 type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
 files_runtime_file(systemd_resolved_runtime_t)
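Review bot: Switching `systemd_resolved_t` (and `systemd_networkd_t` in the previous hunk) to `init_daemon_domain` attaches the `daemon` attribute, which elsewhere in this tree carries a block of default permissions (for example `fs_search_cgroup_dirs(daemon)` and `systemd_write_notify_socket(daemon)` under `init_systemd`), so the change grants more than the two notify-socket denials quoted in the description. If the notify socket is the only missing access, `systemd_write_notify_socket(systemd_resolved_t)` is the minimal fix; if the full daemon set is intended because these are long-running services, the commit message should say that the wider grant is deliberate. The rest of the daemon attribute's rules are not visible here, so the exact delta should be confirmed against init.te.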



[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/

2023-10-20 Thread Kenton Groombridge
commit: d26d077b9a6a665bf5c89ab460ef0a89a7cf7f24
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Oct 20 21:29:27 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:29:27 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d26d077b

Merge upstream

Signed-off-by: Kenton Groombridge  gentoo.org>

 gentoo/STATE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gentoo/STATE b/gentoo/STATE
index 1f7d780e5..1265cd5d3 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-d542d53698339cd3b3bb80e6e36fb4add4016e9d
+f3865abfc25a395c877a27074bd03c5fc22992dd



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/support/

2023-10-20 Thread Kenton Groombridge
commit: b6e3f0c899ce4061496cdf71bd4d83374aea339d
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Oct  9 13:32:38 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:28:39 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6e3f0c8

patches for nspawn policy (#721)

* patches to nspawn policy.

Allow it netlink operations and creating udp sockets

Allow remounting and reading sysfs

Allow stat cgroup filesystem

Make it create fifos and sock_files in the right context

Allow mounting the selinux fs

Signed-off-by: Russell Coker  coker.com.au>

* Use the new mounton_dir_perms and mounton_file_perms macros

Signed-off-by: Russell Coker  coker.com.au>

* Corrected macro name

Signed-off-by: Russell Coker  coker.com.au>

* Fixed description of files_mounton_kernel_symbol_table

Signed-off-by: Russell Coker  coker.com.au>

* systemd: Move lines in nspawn.

No rule changes.

Signed-off-by: Chris PeBenito  ieee.org>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Chris PeBenito  ieee.org>
Co-authored-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/devices.if | 18 ++
 policy/modules/kernel/files.if   | 27 +++
 policy/modules/kernel/kernel.if  |  8 
 policy/modules/kernel/selinux.if | 18 ++
 policy/modules/system/systemd.te | 17 +
 policy/support/obj_perm_sets.spt |  2 ++
 6 files changed, 82 insertions(+), 8 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index be2429a91..a2d55dedb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4386,6 +4386,24 @@ interface(`dev_remount_sysfs',`
allow $1 sysfs_t:filesystem remount;
 ')
 
+
+## 
+## unmount a sysfs filesystem
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_unmount_sysfs',`
+   gen_require(`
+   type sysfs_t;
+   ')
+
+   allow $1 sysfs_t:filesystem unmount;
+')
+
 
 ## 
 ## Do not audit getting the attributes of sysfs filesystem
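Review bot: The summary line `## unmount a sysfs filesystem` starts lowercase, unlike the surrounding interface summaries (`## Do not audit getting the attributes of sysfs filesystem` just below, and the `dev_remount_sysfs` block this hunk is placed after); use `## Unmount a sysfs filesystem.` to match the file's doc style. The XML doc tags appear stripped in this rendering, so the markup itself cannot be checked here.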

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 591aa64d6..370ac0931 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -542,8 +542,8 @@ interface(`files_mounton_non_security',`
attribute non_security_file_type;
')
 
-   allow $1 non_security_file_type:dir { getattr search mounton };
-   allow $1 non_security_file_type:file { getattr mounton };
+   allow $1 non_security_file_type:dir { search mounton_dir_perms };
+   allow $1 non_security_file_type:file mounton_file_perms;
 ')
 
 
@@ -1785,7 +1785,7 @@ interface(`files_mounton_all_mountpoints',`
')
 
allow $1 mountpoint:dir { search_dir_perms mounton };
-   allow $1 mountpoint:file { getattr mounton };
+   allow $1 mountpoint:file mounton_file_perms;
 
kernel_mounton_unlabeled_dirs($1)
 ')
@@ -5750,6 +5750,25 @@ interface(`files_delete_kernel_symbol_table',`
delete_files_pattern($1, boot_t, system_map_t)
 ')
 
+
+## 
+## Mount on a system.map in the /boot directory (for bind mounts).
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_mounton_kernel_symbol_table',`
+   gen_require(`
+   type boot_t, system_map_t;
+   ')
+
+   allow $1 boot_t:dir search_dir_perms;
+   allow $1 system_map_t:file mounton_file_perms;
+')
+
 
 ## 
 ## Search the contents of /var.
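Review bot: The summary `Mount on a system.map in the /boot directory (for bind mounts).` says how the permission is used but not why a caller would bind-mount over the kernel symbol table; since the commit is about nspawn, this is presumably to mask System.map from containers, and the doc should say so because `mounton` on a file is an unusual grant that a later reader will otherwise question. A second description line such as `## Used e.g. to mask the kernel symbol table from containers by bind-mounting over it.` (adjusted to whatever the actual caller does) would make the intent clear. Note that `boot_t:dir search_dir_perms` is granted alongside, which is reasonable for reaching the file but worth mentioning in the description.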
@@ -7630,7 +7649,7 @@ interface(`files_polyinstantiate_all',`
 
# Need to give access to parent directories where original
# is remounted for polyinstantiation aware programs (like gdm)
-   allow $1 polyparent:dir { getattr mounton };
+   allow $1 polyparent:dir mounton_dir_perms;
 
# Need to give permission to create directories where applicable
allow $1 self:process setfscreate;

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 6abcc1be6..022affde3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -1440,7 +1440,7 @@ interface(`kernel_mounton_message_if',`
')
 
allow $1 proc_t:dir list_dir_perms;
-   allow $1 proc_kmsg_t:file { getattr mounton };
+   allow $1 proc_kmsg_t:file mounton_file_perms;
 ')
 
 
@@ -1792,7 +1792,7 @@ interface(`kernel_mounton_sysctl_dirs',`
')
 
allow $1 proc_t:dir list_dir_perms;
-   allow $1 sysctl_t:dir { getattr mounton };
+   allow 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-20 Thread Kenton Groombridge
commit: 4bb6b12fe1a936a0db91fc133ca30dfd8e5be32a
Author: Dave Sugar  gmail  com>
AuthorDate: Wed Oct  4 23:28:38 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:28:39 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4bb6b12f

Use interface that already exists.

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/systemd.if | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 68fb1a148..6054b5038 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -29,7 +29,6 @@ template(`systemd_role_template',`
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
type systemd_user_unit_t;
type systemd_user_runtime_unit_t, systemd_user_transient_unit_t;
-   type systemd_machined_t;
')
 
#
@@ -151,10 +150,9 @@ template(`systemd_role_template',`
allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
 
# for "machinectl shell"
-   allow $1_systemd_t systemd_machined_t:fd use;
-   allow $3 systemd_machined_t:fd use;
-   allow $3 systemd_machined_t:dbus send_msg;
-   allow systemd_machined_t $3:dbus send_msg;
+   systemd_use_inherited_machined_ptys($1_systemd_t)
+   systemd_use_inherited_machined_ptys($3)
+   systemd_dbus_chat_machined($3)
 
allow $3 systemd_user_runtime_notify_t:sock_file { 
manage_sock_file_perms relabel_sock_file_perms };
 
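Review bot: The three rules removed here were exactly `fd use` on `systemd_machined_t` and a pair of `dbus send_msg` rules, but the replacements are named `systemd_use_inherited_machined_ptys` and `systemd_dbus_chat_machined`; if the pty interface also grants read/write on machined's pty devices (as its name suggests), this is a widening of the role template rather than the pure refactor that `Use interface that already exists.` implies. The interface bodies are not visible in this hunk, so please confirm they are equivalent or note the extra access in the commit message. The `systemd_role_template` body continues outside the hunk.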



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: b2b5270fcce158aedf71a5be0b2fa15822ecb069
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Oct  5 11:13:54 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2b5270f

https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/

While cgroups v2 doesn't have the "feature" of having the kernel run a program
specified in the cgroup, the history of this exploit suggests that writing to
cgroups should be restricted and not granted to all users.

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/userdomain.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 642da35cd..676a76241 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -690,7 +690,7 @@ template(`userdom_common_user_template',`
files_watch_etc_dirs($1_t)
files_watch_usr_dirs($1_t)
 
-   fs_rw_cgroup_files($1_t)
+   fs_read_cgroup_files($1_t)
 
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
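Review bot: The change is deliberate hardening, but the new `fs_read_cgroup_files($1_t)` carries no comment, so the next person who hits a cgroup write denial from a user domain is likely to restore `fs_rw_cgroup_files` without knowing the history. A comment such as `# read-only on purpose: writing cgroup files from user domains has been used for container escapes` placed above the line would keep the rationale from the commit message in the policy itself. It may also be worth checking whether any user-session tooling that legitimately manages its own cgroup subtree now needs a targeted grant or dontaudit, since this template covers every common user domain.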



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/

2023-10-06 Thread Kenton Groombridge
commit: ca3332b1b3ad6b6cc3b52bf8cff26e4407f93c92
Author: Russell Coker  coker  com  au>
AuthorDate: Fri Oct  6 10:48:52 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca3332b1

Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited 
from cron, and dontaudit ps type operations from it

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/corecommands.fc | 1 -
 policy/modules/system/raid.fc | 2 ++
 policy/modules/system/raid.te | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index da5db80a2..21ec61464 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -320,7 +320,6 @@ ifdef(`distro_debian',`
 /usr/sbin/sesh --  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/sbin/smrsh--  
gen_context(system_u:object_r:shell_exec_t,s0)
 
-/usr/share/mdadm/checkarray--  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/ajaxterm\.py.* --  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ajaxterm/qweb\.py.* --  gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
index 84f1ab02a..ca16bdfdf 100644
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
@@ -11,6 +11,8 @@
 /usr/bin/mdmpd --  gen_context(system_u:object_r:mdadm_exec_t,s0)
 /usr/bin/raid-check--  gen_context(system_u:object_r:mdadm_exec_t,s0)
 
+/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
 # Systemd unit files
 /usr/lib/systemd/system/[^/]*mdadm-.*  --  
gen_context(system_u:object_r:mdadm_unit_t,s0)
 /usr/lib/systemd/system/[^/]*mdmon.*   --  
gen_context(system_u:object_r:mdadm_unit_t,s0)

diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 907facf8d..c8db38261 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -57,6 +57,7 @@ dev_read_realtime_clock(mdadm_t)
 # create links in /dev/md
 dev_create_generic_symlinks(mdadm_t)
 
+domain_dontaudit_search_all_domains_state(mdadm_t)
 domain_use_interactive_fds(mdadm_t)
 
 files_read_etc_files(mdadm_t)
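Review bot: `domain_dontaudit_search_all_domains_state(mdadm_t)` silences search denials on every domain's /proc entries; if checkarray actually depends on the result of its ps-style lookup (for example to avoid starting a second check) rather than merely tolerating the failure, the dontaudit hides a functional breakage instead of fixing it, and a read interface over domain state would be the honest rule. The commit message only says `dontaudit ps type operations`, so please confirm the script behaves correctly with the access denied, and add a comment like `# checkarray runs ps; its output is informational only` above the rule so the reason survives.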
@@ -95,6 +96,7 @@ userdom_dontaudit_search_user_home_content(mdadm_t)
 
 optional_policy(`
cron_system_entry(mdadm_t, mdadm_exec_t)
+   cron_rw_inherited_tmp_files(mdadm_t)
 ')
 
 optional_policy(`
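Review bot: `cron_rw_inherited_tmp_files(mdadm_t)` is added inside the existing cron `optional_policy` block without a comment saying which inherited file it is for; presumably checkarray's stdout/stderr are redirected to a cron temp file when run from cron.daily, but that is inferred, not visible here. A short comment such as `# checkarray inherits cron's tmp file on its stdio` would document it; if the interface follows refpolicy's usual inherited-file pattern (no `open`), the scope is correctly limited to descriptors passed in by cron.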



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: f9bb068485de922f97495d4795c3cc475cdb32e7
Author: Yi Zhao  windriver  com>
AuthorDate: Mon Oct  2 08:05:49 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9bb0684

bind: fix for named service

Fixes:
avc:  denied  { sqpoll } for  pid=373 comm="named"
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring
permissive=0

avc:  denied  { create } for  pid=373 comm="named" anonclass=[io_uring]
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/bind.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 0a08be452..37f2fdd1f 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -80,6 +80,8 @@ allow named_t self:process { setsched getsched getcap setcap 
setrlimit signal_pe
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };
+allow named_t self:anon_inode { create map read write };
+allow named_t self:io_uring sqpoll;
 
 manage_files_pattern(named_t, dnssec_t, dnssec_t)
 filetrans_pattern(named_t, named_conf_t, dnssec_t, dir, "cache")
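Review bot: `allow named_t self:io_uring sqpoll;` together with the `anon_inode { create map read write }` rule unconditionally exposes io_uring, including its kernel-side submission-polling thread, to a network-facing daemon, and io_uring has had a steady run of kernel privilege-escalation bugs that lead many hardened deployments to disable it outright. The denial was observed with `permissive=0`, so named evidently attempts it, but libuv-based named reportedly falls back to its thread pool when io_uring setup fails; if that holds, wrapping these two rules in a tunable_policy block keyed on a new boolean such as `named_use_io_uring` (with a matching gen_tunable, default off) lets administrators opt in instead of carrying the surface by default. Please confirm the fallback behaviour before choosing the default.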



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 767814945e7b4302e9c085aba0d2772d051cd005
Author: Dave Sugar <31021570+dsugar100  users  noreply  
github  com>
AuthorDate: Fri Oct  6 13:06:39 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76781494

Separate label for /run/systemd/notify (#710)

* Separate label for /run/systemd/notify

label systemd_runtime_notify_t
Allow daemon domains to write by default

Signed-off-by: Dave Sugar  gmail.com>

* systemd: Add -s to /run/systemd/notify socket.

Signed-off-by: Chris PeBenito  ieee.org>
-

Signed-off-by: Dave Sugar  gmail.com>
Co-authored-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/dbus.te  |  2 +-
 policy/modules/system/init.if| 19 +++
 policy/modules/system/init.te|  3 ++-
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.if | 22 ++
 policy/modules/system/systemd.te |  3 +++
 6 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 79089b1c5..9ccd8a424 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -219,7 +219,7 @@ ifdef(`init_systemd', `
init_stop_all_units(system_dbusd_t)
 
# Recent versions of dbus are started as Type=notify
-   init_write_runtime_socket(system_dbusd_t)
+   systemd_write_notify_socket(system_dbusd_t)
 
tunable_policy(`dbus_broker_system_bus',`
init_get_system_status(system_dbusd_t)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d91eadfb5..5b0f44381 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1002,6 +1002,25 @@ interface(`init_unix_stream_socket_connectto',`
allow $1 init_t:unix_stream_socket connectto;
 ')
 
+
+## 
+## Send to init with a unix socket.
+##  Without any additional permissions.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`init_unix_stream_socket_sendto',`
+   gen_require(`
+   type init_t;
+   ')
+
+   allow $1 init_t:unix_stream_socket sendto;
+')
+
 
 ## 
 ## Inherit and use file descriptors from init.
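Review bot: `allow $1 init_t:unix_stream_socket sendto;` is unlikely to be the permission a caller needs: for stream sockets the peer check happens at connect time via `connectto` (granted by the interface just above), while `sendto` is the peer check for datagram sockets, and systemd's notify socket at /run/systemd/notify is a datagram socket. If this interface is meant for sd_notify senders, the rule should be `allow $1 init_t:unix_dgram_socket sendto;` (refpolicy may already have a dgram-send interface for init); if it really targets a stream socket, the doc should name it, since as far as I know the kernel performs no sendto check on an already-connected AF_UNIX stream socket. The callers are not visible in this hunk. Also, `Without any additional permissions.` reads oddly on its own line; `Send to init over a unix socket, without granting any other permissions on it.` is clearer.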

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 457fac072..c83d88b74 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1178,6 +1178,7 @@ ifdef(`init_systemd',`
 
systemd_start_power_units(initrc_t)
systemd_watch_networkd_runtime_dirs(initrc_t)
+   systemd_write_notify_socket(initrc_t)
 
# Ensures the memory.pressure cgroup file is labelled differently, so
# that processes can manage it without having access to the rest of the
@@ -1611,7 +1612,7 @@ ifdef(`init_systemd',`
fs_search_cgroup_dirs(daemon)
 
# need write to /var/run/systemd/notify
-   init_write_runtime_socket(daemon)
+   systemd_write_notify_socket(daemon)
 ')
 
 tunable_policy(`init_daemons_use_tty',`
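Review bot: The comment `# need write to /var/run/systemd/notify` above the new `systemd_write_notify_socket(daemon)` still uses the legacy `/var/run` path, while the file context added in this commit labels `/run/systemd/notify`; update it to `# Type=notify services write to /run/systemd/notify (systemd_runtime_notify_t)` so the comment matches the type being granted. The surrounding `init_systemd` block begins outside the hunk.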

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index ac64a5d5c..57f746c58 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -103,6 +103,7 @@ HOME_DIR/\.local/share/systemd(/.*)?
gen_context(system_u:object_r:systemd_data
 /run/systemd/ask-password-block(/.*)?  
gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/home(/.*)? 
gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
 /run/systemd/network(/.*)?  
gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
+/run/systemd/notify-s  
gen_context(system_u:object_r:systemd_runtime_notify_t,s0)
 /run/systemd/resolve(/.*)?  
gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)?   
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)?
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 19b2dbd85..68fb1a148 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -126,6 +126,7 @@ template(`systemd_role_template',`
systemd_search_user_runtime_unit_dirs($1_systemd_t)
systemd_search_user_transient_unit_dirs($1_systemd_t)
systemd_read_user_units_files($1_systemd_t)
+   systemd_write_notify_socket($1_systemd_t)
 
dbus_system_bus_client($1_systemd_t)
dbus_spec_session_bus_client($1, $1_systemd_t)
@@ -276,6 +277,27 @@ interface(`systemd_user_unix_stream_activated_socket',`
systemd_user_activated_sock_file($2)
 ')
 
+###
+## 
+##  Al

[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/

2023-10-06 Thread Kenton Groombridge
commit: a214ace3c7ac557196b58ab0342bf8e7023aca38
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Oct  6 15:32:33 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:32:33 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a214ace3

Merge upstream

Signed-off-by: Kenton Groombridge  gentoo.org>

 gentoo/STATE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gentoo/STATE b/gentoo/STATE
index b2d61aa8e..1f7d780e5 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-86a7f884a5af56076ae4829b25e73a74b2f56024
+d542d53698339cd3b3bb80e6e36fb4add4016e9d



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 28 13:57:18 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d4b9fb4

misc small email changes (#704)

* Small changes to courier, dovecot, exim, postfix, and sendmail policy.

Signed-off-by: Russell Coker  coker.com.au>

* Removed an obsolete patch

Signed-off-by: Russell Coker  coker.com.au>

* Added interfaces cron_rw_inherited_tmp_files and 
systemd_dontaudit_connect_machined

Signed-off-by: Russell Coker  coker.com.au>

* Use create_stream_socket_perms for unix connection to itself

Signed-off-by: Russell Coker  coker.com.au>

* Removed unconfined_run_to

Signed-off-by: Russell Coker  coker.com.au>

* Remove change for it to run from a user session

Signed-off-by: Russell Coker  coker.com.au>

* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/courier.fc  |  4 ++--
 policy/modules/services/courier.te  | 21 +++--
 policy/modules/services/dovecot.te  |  3 +++
 policy/modules/services/exim.te |  3 ++-
 policy/modules/services/mta.if  |  1 +
 policy/modules/services/mta.te  | 32 
 policy/modules/services/postfix.if  |  3 +++
 policy/modules/services/postfix.te  |  4 
 policy/modules/services/sendmail.te |  4 
 9 files changed, 70 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/courier.fc 
b/policy/modules/services/courier.fc
index 0f56d60d8..28594264f 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -23,8 +23,8 @@
 /usr/lib/courier/courier/courierpop.*  --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/imaplogin --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/pcpd  --  
gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/imapd.*   --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d.*   --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/rootcerts(/.*)?   
gen_context(system_u:object_r:courier_etc_t,s0)
 /usr/lib/courier/sqwebmail/cleancache\.pl  --  
gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
 /usr/lib/courier-imap/couriertcpd  --  
gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
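Review bot: The new patterns `/usr/lib/courier/imapd.*` and `/usr/lib/courier/pop3d.*` match any filename beginning with `imapd`/`pop3d` in that directory, not just the `-ssl` wrapper scripts that presumably motivated the change; any non-executable file with such a prefix installed there would be labeled `courier_pop_exec_t`. If the targets are `imapd-ssl` and `pop3d-ssl`, `/usr/lib/courier/imapd(-ssl)?` and `/usr/lib/courier/pop3d(-ssl)?` (or explicit entries, as the other lines in this file use) keep the label precise. The rendering has collapsed the column whitespace, so alignment with the neighbouring entries cannot be checked here.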

diff --git a/policy/modules/services/courier.te 
b/policy/modules/services/courier.te
index 00ca1db6e..b5fa0c163 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket 
rw_stream_socket_pe
 
 can_exec(courier_authdaemon_t, courier_exec_t)
 
+kernel_getattr_proc(courier_authdaemon_t)
+
 corecmd_exec_shell(courier_authdaemon_t)
 
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
@@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t)
 miscfiles_read_localization(courier_authdaemon_t)
 
 selinux_getattr_fs(courier_authdaemon_t)
+seutil_search_default_contexts(courier_authdaemon_t)
 
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
-allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t self:capability { chown dac_read_search fowner setgid 
setuid };
+dontaudit courier_pop_t self:capability fsetid;
+allow courier_pop_t self:unix_stream_socket create_stream_socket_perms;
+allow courier_pop_t self:process setrlimit;
+
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } 
rw_stream_socket_perms;
 
-allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+allow courier_pop_t courier_var_lib_t:dir rw_dir_perms;
+allow courier_pop_t courier_var_lib_t:file manage_file_perms;
 
+allow courier_pop_t courier_etc_t:file map;
+
+can_exec(courier_pop_t, courier_exec_t)
+can_exec(courier_pop_t, courier_tcpd_exec_t)
 stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, 
courier_authdaemon_t)
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, 
courier_authdaemon_t)
 
 corecmd_exec_shell(courier_pop_t)
+corenet_tcp_bind_generic_node(courier_pop_t)
+corenet_tcp_bind_pop_port(couri

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/

2023-10-06 Thread Kenton Groombridge
commit: 6f8208d24c132738f65741594de5b1b3b11d1a9c
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Mon Oct  2 12:44:00 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f8208d2

Add append to rw and manage lnk_file permission sets for consistency.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/support/obj_perm_sets.spt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d1784fae1..4b2b7c874 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -181,11 +181,11 @@ define(`setattr_lnk_file_perms',`{ setattr }')
 define(`read_lnk_file_perms',`{ getattr read }')
 define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
 define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
-define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write append lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link 
unlink rename ioctl lock }')
+define(`manage_lnk_file_perms',`{ create read write append getattr setattr 
link unlink rename ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: 6a26a817c369000f602f81d7f5da7b0fd5a1bff0
Author: Yi Zhao  windriver  com>
AuthorDate: Sat Sep 30 10:00:38 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a26a817

systemd: allow journalctl to create /var/lib/systemd/catalog

If /var/lib/systemd/catalog doesn't exist at first boot,
systemd-journal-catalog-update.service would fail:

$ systemctl status systemd-journal-catalog-update.service
  systemd-journal-catalog-update.service - Rebuild Journal Catalog
 Loaded: loaded 
(/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
 Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s 
ago
   Docs: man:systemd-journald.service(8)
 man:journald.conf(5)
Process: 247 ExecStart=journalctl --update-catalog (code=exited, 
status=1/FAILURE)
   Main PID: 247 (code=exited, status=1/FAILURE)

Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog...
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories 
of /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write 
/var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission 
denied
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: 
Main process exited, code=exited, status=1/FAILURE
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: 
Failed with result 'exit-code'.
Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog.

Fixes:
AVC avc:  denied  { getattr } for  pid=247 comm="journalctl" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0

AVC avc:  denied  { write } for  pid=247 comm="journalctl"
name="systemd" dev="vda" ino=13634
scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/systemd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4f1c4c856..c9d21bda5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -787,9 +787,10 @@ seutil_read_file_contexts(systemd_hw_t)
 
 dontaudit systemd_journal_init_t self:capability net_admin;
 
+manage_dirs_pattern(systemd_journal_init_t, systemd_journal_t, 
systemd_journal_t)
 manage_files_pattern(systemd_journal_init_t, systemd_journal_t, 
systemd_journal_t)
 
-fs_getattr_cgroup(systemd_journal_init_t)
+fs_getattr_all_fs(systemd_journal_init_t)
 fs_search_cgroup_dirs(systemd_journal_init_t)
 
 kernel_getattr_proc(systemd_journal_init_t)
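Review bot: `fs_getattr_all_fs(systemd_journal_init_t)` on the replaced line grants filesystem getattr on every filesystem type, while the AVC quoted in the description only shows a denial on tmpfs (`name="/" dev="tmpfs" ... tcontext=...tmpfs_t tclass=filesystem`). Keeping the original `fs_getattr_cgroup(systemd_journal_init_t)` and adding the tmpfs-specific call, `fs_getattr_tmpfs(systemd_journal_init_t)` if that interface is available, would cover the observed denial without widening beyond it. If the broader call was chosen because journalctl also stats other mounts, a one-line comment saying so would help the next reader. The `manage_dirs_pattern` addition does match the `init_var_lib_t:dir write` denial, since the catalog directory has to be created under /var/lib/systemd.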
@@ -798,6 +799,7 @@ kernel_read_system_state(systemd_journal_init_t)
 
 init_read_state(systemd_journal_init_t)
 init_search_var_lib_dirs(systemd_journal_init_t)
+init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir)
 
 logging_send_syslog_msg(systemd_journal_init_t)
 logging_stream_connect_journald_varlink(systemd_journal_init_t)
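Review bot: The new `init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir)` is unnamed, so any directory this domain creates directly under /var/lib/systemd would be labelled `systemd_journal_t`, not only the `catalog` directory the description is about. Passing the name, `init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir, "catalog")`, keeps the transition specific to the path journalctl actually creates, assuming this interface forwards the optional filename argument the way the other `*_filetrans` interfaces do.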



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 90affee2271dfbaad7e02781e1c583e886229754
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 28 13:46:14 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90affee2

misc small patches for cron policy (#701)

* Some misc small patches for cron policy

Signed-off-by: Russell Coker  coker.com.au>

* added systemd_dontaudit_connect_machined interface

Signed-off-by: Russell Coker  coker.com.au>

* Remove the line about connecting to tor

Signed-off-by: Russell Coker  coker.com.au>

* remove the dontaudit for connecting to machined

Signed-off-by: Russell Coker  coker.com.au>

* changed to distro_debian

Signed-off-by: Russell Coker  coker.com.au>

* mta: Whitespace changes.

Signed-off-by: Chris PeBenito  ieee.org>

* cron: Move lines.

Signed-off-by: Chris PeBenito  ieee.org>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Chris PeBenito  ieee.org>
Co-authored-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/cron.if| 36 
 policy/modules/services/cron.te| 11 +++
 policy/modules/services/mta.te |  7 ++-
 policy/modules/services/postfix.te |  1 +
 policy/modules/system/init.if  | 18 ++
 policy/modules/system/systemd.if   | 18 ++
 6 files changed, 90 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 87306cfdb..049b01494 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -755,6 +755,24 @@ interface(`cron_rw_tmp_files',`
allow $1 crond_tmp_t:file rw_file_perms;
 ')
 
+
+## 
+##  Read and write inherited crond temporary files.
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+#
+interface(`cron_rw_inherited_tmp_files',`
+   gen_require(`
+   type crond_tmp_t;
+   ')
+
+   allow $1 crond_tmp_t:file rw_inherited_file_perms;
+')
+
 
 ## 
 ## Read system cron job lib files.
@@ -888,6 +906,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
 ')
 
+
+## 
+## allow appending temporary system cron job files.
+## 
+## 
+## 
+## Domain to allow.
+## 
+## 
+#
+interface(`cron_append_system_job_tmp_files',`
+   gen_require(`
+   type system_cronjob_tmp_t;
+   ')
+
+   allow $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
 
 ## 
 ## Read and write to inherited system cron job temporary files.
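Review bot: The summary and parameter text of the new `cron_append_system_job_tmp_files` interface do not follow the wording used by its neighbours: it reads `allow appending temporary system cron job files.` and `Domain to allow.`, while the surrounding interfaces (and the new `cron_rw_inherited_tmp_files` in the previous hunk) use a capitalised summary and `Domain allowed access.`. Suggested text: `## Append temporary system cron job files.` and `## Domain allowed access.`. This is documentation only; the rule itself mirrors the dontaudit variant directly above it.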

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index b2de6de31..9df1e3060 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -436,6 +436,8 @@ optional_policy(`
systemd_dbus_chat_logind(system_cronjob_t)
systemd_read_journal_files(system_cronjob_t)
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+   # for runuser
+   init_search_keys(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
init_manage_script_service(system_cronjob_t)
@@ -491,6 +493,7 @@ kernel_getattr_message_if(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
+kernel_read_rpc_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
@@ -535,6 +538,7 @@ files_read_usr_files(system_cronjob_t)
 files_read_var_files(system_cronjob_t)
 files_dontaudit_search_runtime(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
+files_manage_var_lib_dirs(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
 files_read_var_lib_symlinks(system_cronjob_t)
 
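Review bot: `files_manage_var_lib_dirs(system_cronjob_t)` grants create, rename and delete on every generic `var_lib_t` directory to all system cron jobs, and unlike the other additions in this commit (`# for runuser`, `# for /run/user/0/gnupg`) it carries no comment saying which job needs it. If one specific job or directory triggered the denial, a comment naming it above the line, or a narrower per-service interface, would keep the grant reviewable later. The neighbouring `files_read_var_lib_symlinks` shows read-side access was already there, so this is purely a write/manage widening.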
@@ -554,6 +558,7 @@ logging_manage_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
+miscfiles_read_generic_certs(system_cronjob_t)
 miscfiles_read_localization(system_cronjob_t)
 
 seutil_read_config(system_cronjob_t)
@@ -654,6 +659,10 @@ optional_policy(`
mysql_read_config(system_cronjob_t)
 ')
 
+optional_policy(`
+   ntp_read_config(system_cronjob_t)
+')
+
 optional_policy(`
postfix_read_config(system_cronjob_t)
 ')
@@ -678,6 +687,8 @@ optional_policy(`
 
# for gpg-connect-agent to access /run/user/0
userdom_manage_user_runtime_dirs(system_cronjob_t)
+   # for /run/user/0/gnupg
+   userdom_manage_user_tmp_dirs(system_cronjob_t)
 ')
 
 ###
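Review bot: The new comment `# for /run/user/0/gnupg` sits above `userdom_manage_user_tmp_dirs(system_cronjob_t)`, but the preceding line already covers the runtime-directory case with `userdom_manage_user_runtime_dirs`, and /run/user content is not normally what the user tmp type describes. Either the comment names the wrong path (the denial may have been on a gnupg directory under /tmp) or the interface is broader than the path needs; pasting the AVC's `tcontext` into the comment would let the choice be checked. This is inside an `optional_policy` block whose opening line is outside the hunk.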

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/

2023-10-06 Thread Kenton Groombridge
commit: a4c6f2483b5025b63c5d42837f9eabd73d9866fe
Author: Guido Trentalancia  trentalancia  com>
AuthorDate: Fri Sep 29 20:30:14 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4c6f248

Let openoffice perform temporary file transitions and manage link files.

Signed-off-by: Guido Trentalancia  trentalancia.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/apps/openoffice.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/apps/openoffice.te 
b/policy/modules/apps/openoffice.te
index 37ac6720c..f8cccacd4 100644
--- a/policy/modules/apps/openoffice.te
+++ b/policy/modules/apps/openoffice.te
@@ -61,8 +61,9 @@ userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, 
dir, ".openoffice")
 
 manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_lnk_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
-files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file lnk_file sock_file })
 
 can_exec(ooffice_t, ooffice_exec_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: 634b4ae6e433169248722aa27c12b75c302ddac6
Author: Dave Sugar  gmail  com>
AuthorDate: Thu Sep 14 19:44:07 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=634b4ae6

separate domain for journalctl during init

During system boot, when systemd-journal-catalog-update.service is
started, it fails because initrc_t does not have access to write
systemd_journal_t files and directories.  This change runs journalctl in a
separate domain during system startup (systemd_journal_init_t) so that it
has the access it needs.

 × systemd-journal-catalog-update.service - Rebuild Journal Catalog
 Loaded: loaded 
(/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
 Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 
10min ago
   Docs: man:systemd-journald.service(8)
 man:journald.conf(5)
Process: 1626 ExecStart=journalctl --update-catalog (code=exited, 
status=1/FAILURE)
   Main PID: 1626 (code=exited, status=1/FAILURE)
CPU: 102ms

Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog...
Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for 
writing: /var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to write 
/var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: 
Permission denied
Sep 13 12:51:28 localhost systemd[1]: 
systemd-journal-catalog-update.service: Main process exited, code=exited, 
status=1/FAILURE
Sep 13 12:51:28 localhost systemd[1]: 
systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal 
Catalog.

node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { 
write } for  pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { 
add_name } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { 
create } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { 
write } for  pid=1631 comm="journalctl" 
path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:137): avc:  denied  { 
setattr } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" 
ino=131204 scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { 
remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" 
dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { 
rename } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" 
ino=131204 scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { 
unlink } for  pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133 
scontext=system_u:system_r:initrc_t:s0 
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/logging.if | 19 +++
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.te | 35 ++-
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 681385d50..763926dac 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -845,6 +845,25 @@ interface(`logging_watch_runtime_dirs',`
allow $1 syslogd_runtime_t:dir watch;
 ')
 
+###

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 1d66af88aa2d390ac5783557e8d04289d16bc612
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Sep 25 15:46:04 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88

small storage changes (#706)

* Changes to storage.fc, smartmon, samba and lvm

Signed-off-by: Russell Coker  coker.com.au>

* Add the interfaces this patch needs

Signed-off-by: Russell Coker  coker.com.au>

* use manage_sock_file_perms for sock_file

Signed-off-by: Russell Coker  coker.com.au>

* Renamed files_watch_all_file_type_dir to files_watch_all_dirs

Signed-off-by: Russell Coker  coker.com.au>

* Use read_files_pattern

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if  | 19 +++
 policy/modules/kernel/storage.fc|  1 +
 policy/modules/services/samba.te| 11 ++-
 policy/modules/services/smartmon.if | 20 
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/lvm.te|  1 +
 policy/modules/system/userdomain.if | 18 ++
 7 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index d8874ace2..a1113ff7c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount;
 ')
 
+
+## 
+## watch all directories of file_type
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_watch_all_dirs',`
+   gen_require(`
+   attribute file_type;
+   ')
+
+   allow $1 file_type:dir watch;
+')
+
+
 
 ## 
 ## Read all non-authentication related

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 3033ac4de..9cd280c25 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -29,6 +29,7 @@
 /dev/lvm   -c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx? -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.* -c  
gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid.*-c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mmcblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*  -c  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 8ec3a1c62..f78d316cc 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',`
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
+   files_watch_home(smbd_t)
userdom_manage_user_home_content_dirs(smbd_t)
userdom_manage_user_home_content_files(smbd_t)
userdom_manage_user_home_content_symlinks(smbd_t)
userdom_manage_user_home_content_sockets(smbd_t)
userdom_manage_user_home_content_pipes(smbd_t)
+   userdom_watch_user_home_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_portmapper',`
@@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
files_list_non_auth_dirs(smbd_t)
files_read_non_auth_files(smbd_t)
+   files_watch_all_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_export_all_rw',`
fs_read_noxattr_fs_files(smbd_t)
files_manage_non_auth_files(smbd_t)
+   files_watch_all_dirs(smbd_t)
 ')
 
 optional_policy(`
@@ -617,13 +621,17 @@ optional_policy(`
 allow smbcontrol_t self:process signal;
 allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
 allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto;
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:file map;
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms;
 
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
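Review bot: The smbcontrol section moves from `read_files_pattern` to `manage_files_pattern` on `samba_runtime_t`, and adds `map` plus sock_file management on `samba_var_t`, without a comment recording which smbcontrol operation needed each. smbcontrol is a control client, so create/unlink on the files under the runtime directory (presumably pid files and message tdbs) is a noticeably larger grant than reading them; if only mapping the tdbs and the socket were missing, `read_files_pattern` plus the new `allow smbcontrol_t samba_runtime_t:file map;` may be enough. A short comment with the triggering command (e.g. `# smbcontrol smbd reload-config`) above the group would make this reviewable.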
@@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t)
 te

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/

2023-10-06 Thread Kenton Groombridge
commit: ab9b49a1d782ac96a73b4b1553992528a599d8d6
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Sep 25 15:44:52 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab9b49a1

small network patches (#707)

* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, 
openvpn ppp and rpc

Signed-off-by: Russell Coker  coker.com.au>

* Fixed typo in interface name

Signed-off-by: Russell Coker  coker.com.au>

* Add interface libs_watch_shared_libs_dir

Signed-off-by: Russell Coker  coker.com.au>

* Added sysnet_watch_config_dir interface

Signed-off-by: Russell Coker  coker.com.au>

* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs

Signed-off-by: Russell Coker  coker.com.au>

* rename sysnet_watch_config_dir to sysnet_watch_config_dirs

Signed-off-by: Russell Coker  coker.com.au>

* Reverted a change as I can't remember why I did it.

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/netutils.te  |  1 +
 policy/modules/services/firewalld.te  |  3 +++
 policy/modules/services/ftp.fc|  6 +-
 policy/modules/services/ftp.te|  9 +
 policy/modules/services/inetd.te  |  2 +-
 policy/modules/services/networkmanager.te | 11 ++-
 policy/modules/services/openvpn.te|  1 +
 policy/modules/services/ppp.fc|  1 +
 policy/modules/services/ppp.te|  2 ++
 policy/modules/services/rpc.te|  6 +-
 policy/modules/system/libraries.if| 18 ++
 policy/modules/system/sysnetwork.if   | 18 ++
 12 files changed, 74 insertions(+), 4 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 5fef6a31a..3c43a1d84 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -146,6 +146,7 @@ logging_send_syslog_msg(ping_t)
 miscfiles_read_localization(ping_t)
 
 userdom_use_inherited_user_terminals(ping_t)
+term_use_unallocated_ttys(ping_t)
 
 optional_policy(`
munin_append_log(ping_t)
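Review bot: `term_use_unallocated_ttys(ping_t)` is added with no comment explaining why ping needs read/write on unallocated ttys, and it is placed after the `userdom_` call although refpolicy files group interface calls by module in layer order, so it belongs with the other terminal calls earlier in the file. If this came from ping being run on a console that has not been relabelled, a comment such as `# ping run from a tty that has not been relabelled yet` would make the grant understandable; if the denial only occurs in that narrow case, a dontaudit variant of the interface (if available) may be preferable to an allow.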

diff --git a/policy/modules/services/firewalld.te 
b/policy/modules/services/firewalld.te
index 954a348f0..eb097753f 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -38,11 +38,13 @@ allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
 allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t self:udp_socket create_socket_perms;
+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 
 allow firewalld_t firewalld_etc_rw_t:dir watch;
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
+allow firewalld_t firewalld_etc_rw_t:dir watch;
 
 allow firewalld_t firewalld_var_log_t:file append_file_perms;
 allow firewalld_t firewalld_var_log_t:file create_file_perms;
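Review bot: Both added lines in this hunk duplicate rules that are already present: `allow firewalld_t self:netlink_netfilter_socket create_socket_perms;` is identical to the context line two above it, and `allow firewalld_t firewalld_etc_rw_t:dir watch;` repeats the line that opens the `firewalld_etc_rw_t` group. Duplicate allow rules compile but add nothing and make later audits of the domain harder, so both additions should be dropped. The real change to firewalld.te is then only the `miscfiles_read_generic_certs` line in the next hunk.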
@@ -86,6 +88,7 @@ logging_send_syslog_msg(firewalld_t)
 
 libs_watch_lib_dirs(firewalld_t)
 
+miscfiles_read_generic_certs(firewalld_t)
 miscfiles_read_localization(firewalld_t)
 
 seutil_exec_setfiles(firewalld_t)

diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
index b90598fed..a58851e58 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@@ -1,4 +1,5 @@
 /etc/proftpd\.conf --  gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/pure-ftpd(/.*)?   gen_context(system_u:object_r:ftpd_etc_t,s0)
 
 /etc/cron\.monthly/proftpd --  
gen_context(system_u:object_r:ftpd_exec_t,s0)
 
@@ -22,8 +23,10 @@
 /usr/sbin/muddleftpd   --  gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/proftpd  --  gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/vsftpd   --  gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/pure-ftpd--  gen_context(system_u:object_r:ftpd_exec_t,s0)
 
-/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/pure-ftpd(/.*)?   gen_context(system_u:object_r:ftpd_runtime_t,s0)
 
 /usr/libexec/webmin/vsftpd/webalizer/xfer_log  --  
gen_context(system_u:object_r:xferlog_t,s0)
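Review bot: `/usr/sbin/pure-ftpd` is inserted after `/usr/sbin/vsftpd`, breaking the alphabetical order the rest of this fc block keeps (muddleftpd, proftpd, vsftpd), and the `/run/proftpd.*` line is touched only for a whitespace change. Moving the pure-ftpd entry above `/usr/sbin/vsftpd` and leaving the proftpd line untouched would keep the hunk to the two real additions. Labelling `/run/pure-ftpd(/.*)?` as `ftpd_runtime_t` is consistent with the proftpd entry.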
 
@@ -31,6 +34,7 @@
 
 /var/log/muddleftpd\.log.* --  
gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/pure-ftpd(/.*)?   gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*  --  gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 3cf4d89db3171671a05868dd5ecaf933c49fcaa4
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 28 13:55:56 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d

mon.te patches as well as some fstools patches related to it (#697)

* Patches for mon, mostly mon local monitoring.

Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts

Signed-off-by: Russell Coker  coker.com.au>

* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed

Signed-off-by: Russell Coker  coker.com.au>

* Fixed the issues from the review

Signed-off-by: Russell Coker  coker.com.au>

* Specify name to avoid conflicting file trans

Signed-off-by: Russell Coker  coker.com.au>

* fixed dontaudi_ typo

Signed-off-by: Russell Coker  coker.com.au>

* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for 
the object class

Signed-off-by: Russell Coker  coker.com.au>

* Remove fsdaemon_read_lib as it was already merged

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if  | 18 ++
 policy/modules/kernel/kernel.te |  2 +-
 policy/modules/kernel/storage.if|  7 ++-
 policy/modules/services/mon.te  | 30 ++
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/fstools.te| 17 +
 policy/modules/system/init.te   |  2 +-
 policy/modules/system/lvm.te|  2 +-
 policy/modules/system/raid.te   |  2 +-
 9 files changed, 72 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a1113ff7c..591aa64d6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',`
typeattribute $1 tmpfsfile;
 ')
 
+
+## 
+## dontaudit getattr on tmpfs files
+## 
+## 
+## 
+## Domain to not have stat on tmpfs files audited
+## 
+## 
+#
+interface(`files_dontaudit_getattr_all_tmpfs_files',`
+   gen_require(`
+   attribute tmpfsfile;
+   ')
+
+   dontaudit $1 tmpfsfile:file getattr;
+')
+
 
 ## 
 ## Get the attributes of all directories.

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 666d0e7e9..8156ac087 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,7 +390,7 @@ ifdef(`init_systemd',`
')
 
optional_policy(`
-   storage_dev_filetrans_fixed_disk(kernel_t)
+   storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
storage_setattr_fixed_disk_dev(kernel_t)
storage_create_fixed_disk_dev(kernel_t)
storage_delete_fixed_disk_dev(kernel_t)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 9c581a910..777caea69 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',`
 ## Domain allowed access.
 ## 
 ## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
 ## 
 ## 
 ## Optional filename of the block device to be created
@@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',`
type fixed_disk_device_t;
')
 
-   dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+   dev_filetrans($1, fixed_disk_device_t, $2, $3)
 ')
 
 
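Review bot: `storage_dev_filetrans_fixed_disk` changes the meaning of its second argument from the optional filename to the object class, so any caller outside this tree that still passes `(domain, "name")` will now feed a filename where a class is expected and fail to build, while a caller passing only one argument loses the implicit `blk_file`. The in-tree callers listed in the diffstat are updated, but a public interface changing its argument order usually warrants either a new name for the class-taking form or an explicit note in the interface description. At minimum the description should state that the class argument is now mandatory and that the filename moved to the third position.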

diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index b9a349871..bbf0496b3 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t)
 
 allow mon_t self:fifo_file rw_fifo_file_perms;
 allow mon_t self:tcp_socket create_stream_socket_perms;
-# for mailxmpp.alert to set ulimit
-allow mon_t self:process setrlimit;
+allow mon_t self:process { setrlimit getsched signal };
 
 domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
 
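Review bot: The rewritten `allow mon_t self:process { setrlimit getsched signal };` drops the existing comment `# for mailxmpp.alert to set ulimit`, which was the only record of why `setrlimit` is there, and adds `getsched` and `signal` with no note of their own. Keeping the comment and extending it, e.g. `# setrlimit for mailxmpp.alert to set ulimit; getsched/signal for local monitors`, preserves the rationale, with the second half adjusted to whatever actually triggered the new denials.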
@@ -104,6 +103,11 @@ optional_policy(`
mta_send_mail(mon_t)
 ')
 
+optional_policy(`
+   # for config of xmpp sending program
+   xdg_read_config_files(mon_t)
+')
+
 
 #
 # Local policy
@@ -151,6 +155,10 @@ optional_policy(`
mysql_stream_connect(mon_net_test_t)
 ')
 
+optional_policy(`
+   snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
 
 #
 # Local policy
@@ -161,9 +169,10 @@ opt

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: c476335905f6b809c1f4ba083b071fab067aa1e5
Author: Russell Coker  coker  com  au>
AuthorDate: Tue Sep 26 13:48:31 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4763359

allow jabbers to create sock file and allow matrixd to read sysfs (#705)

* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs

Signed-off-by: Russell Coker  coker.com.au>

* Changed to manage_sock_file_perms to allow unlink

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/jabber.te  | 1 +
 policy/modules/services/matrixd.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/policy/modules/services/jabber.te 
b/policy/modules/services/jabber.te
index 6003cc9fb..6c8e45de5 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -39,6 +39,7 @@ allow jabberd_domain self:tcp_socket { accept listen };
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
 allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
+allow jabberd_domain jabberd_var_lib_t:sock_file manage_sock_file_perms;
 
 kernel_read_system_state(jabberd_domain)
 

diff --git a/policy/modules/services/matrixd.te 
b/policy/modules/services/matrixd.te
index 4ac31d901..c396a3d7c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -83,6 +83,7 @@ corenet_udp_bind_generic_node(matrixd_t)
 corenet_udp_bind_generic_port(matrixd_t)
 corenet_udp_bind_reserved_port(matrixd_t)
 
+dev_read_sysfs(matrixd_t)
 dev_read_urand(matrixd_t)
 
 files_read_etc_files(matrixd_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 3eefa3b065ed81f56fddfb12a372012ef5e2a336
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Sep 25 15:01:12 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3eefa3b0

small ntp and dns changes (#703)

* Small changes for ntp, bind, avahi, and dnsmasq

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/dpkg.te   |  9 +
 policy/modules/services/avahi.te   |  4 
 policy/modules/services/bind.te|  7 +--
 policy/modules/services/dnsmasq.te |  4 
 policy/modules/services/ntp.fc |  1 +
 policy/modules/services/ntp.if | 19 +++
 6 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index d6871de21..d4a56e5eb 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -350,8 +350,17 @@ optional_policy(`
nis_use_ypbind(dpkg_script_t)
 ')
 
+optional_policy(`
+   ntp_filetrans_drift(dpkg_script_t)
+')
+
+optional_policy(`
+   policykit_dbus_chat(dpkg_script_t)
+')
+
 optional_policy(`
systemd_read_logind_state(dpkg_script_t)
+   systemd_dbus_chat_hostnamed(dpkg_script_t)
systemd_dbus_chat_logind(dpkg_script_t)
systemd_run_sysusers(dpkg_script_t, dpkg_roles)
 ')

diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 773d2b8ff..1094e39db 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -111,3 +111,7 @@ optional_policy(`
seutil_sigchld_newrole(avahi_t)
 ')
 
+optional_policy(`
+   unconfined_dbus_send(avahi_t)
+')
+
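Review bot: `unconfined_dbus_send(avahi_t)` is the only rule in the hunk and nothing records which unconfined client or which denial motivated letting avahi send dbus messages to every unconfined domain; the dnsmasq.te hunk in the same commit shows the file's convention with `# for the dnsmasq-usb0.leases file`. A one-line comment above the block, e.g. `# <TODO: name the client/denial that needs avahi to message unconfined dbus peers>`, would let a later reviewer judge whether the grant is still warranted. The final `+` line also appends a blank line at the end of the file.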

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1b3e674a1..0a08be452 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -213,9 +213,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms getsched setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
@@ -231,6 +231,9 @@ allow ndc_t named_zone_t:dir search_dir_perms;
 
 kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_vm_overcommit_sysctl(ndc_t)
+
+dev_read_sysfs(ndc_t)
 
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)

diff --git a/policy/modules/services/dnsmasq.te 
b/policy/modules/services/dnsmasq.te
index 6d1799ba8..2e492954d 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -108,6 +108,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   # for the dnsmasq-usb0.leases file
+   networkmanager_manage_lib_files(dnsmasq_t)
+
+   networkmanager_read_etc_files(dnsmasq_t)
networkmanager_read_runtime_files(dnsmasq_t)
 ')
 
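Review bot: `networkmanager_manage_lib_files(dnsmasq_t)` grants create, write, rename and unlink on every file of NetworkManager's /var/lib type, while the comment above it names a single leases file. If that file genuinely needs full manage (dnsmasq rewriting it rather than appending), the comment should say so, e.g. `# dnsmasq rewrites the dnsmasq-usb0.leases file, so full manage rather than rw is needed`; if read/write is enough, a narrower interface would be the tighter choice.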

diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index 4d014d196..4f19959e7 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -30,6 +30,7 @@
 
 /var/db/ntp-kod--  
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)? 
gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntpsec(/.*)?  
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/clock --  
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/timesync(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)

diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 4953e9f08..9df5d8d07 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -176,6 +176,25 @@ interface(`ntp_read_drift_files',`
read_files_pattern($1, ntp_drift_t, ntp_drift_t)
 ')
 
+
+## 
+## specified domain creates /var/lib/ntpsec/ with the correct type
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`ntp_filetrans_drift',`
+   gen_require(`
+   type ntp_drift_t;
+   ')
+
+   files_search_var_lib($1)
+   files_var_lib_filetrans($1, ntp_drift_t, dir)
+')
+
 
 ## 
 ## Read and write ntpd shared memory.
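Review bot: `files_var_lib_filetrans($1, ntp_drift_t, dir)` in the new `ntp_filetrans_drift` interface carries no filename, so every directory the caller creates directly under /var/lib — not only ntpsec — is labelled ntp_drift_t; for dpkg_script_t, the caller added in the dpkg.te hunk of this commit, which creates /var/lib directories for many packages, that is a real mislabelling rather than a theoretical one. Restricting the transition to the name the summary describes fixes it: `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")`. The summary text should then match, e.g. `## Create the /var/lib/ntpsec directory with the ntp_drift_t type.`. The hunk also inserts a `+` blank line directly after the preceding `')` and another before the existing blank line, leaving two consecutive blank lines on each side of the new interface where the neighbouring interfaces use one.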



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: e17a5ea822384af3d15da14be3bc593037950d21
Author: Russell Coker  coker  com  au>
AuthorDate: Fri Sep 22 09:09:12 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e17a5ea8

Added tmpfs file type for postgresql. Small mysql stuff including anon_inode

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/mysql.te  | 4 +++-
 policy/modules/services/postgresql.te | 9 -
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 2e7621471..4d1124bbf 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -67,11 +67,12 @@ files_runtime_file(mysqlmanagerd_runtime_t)
 
 allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid 
setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched setrlimit signal_perms 
rlimitinh };
+allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms 
rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
+allow mysqld_t self:anon_inode { create map read write };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
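Review bot: `allow mysqld_t self:anon_inode { create map read write };` carries no comment, and the commit message says only "including anon_inode"; anonymous inodes are created by several unrelated kernel facilities, so a maintainer cannot tell from the rule which mysqld feature triggered it or whether `map` is really needed. Add e.g. `# anon_inode: <TODO: name the syscall/feature seen in the denial>` above the rule.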
@@ -191,6 +192,7 @@ dev_read_sysfs(mysqld_safe_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
 
+files_dontaudit_write_root_dirs(mysqld_safe_t)
 files_read_etc_files(mysqld_safe_t)
 files_read_usr_files(mysqld_safe_t)
 files_search_runtime(mysqld_safe_t)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 1b2d8ab0d..11b3936b0 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -65,6 +65,9 @@ init_daemon_runtime_file(postgresql_runtime_t, dir, 
"postgresql")
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_tmpfs_t;
+files_tmpfs_file(postgresql_tmpfs_t)
+
 type postgresql_unit_t;
 init_unit_file(postgresql_unit_t)
 
@@ -282,7 +285,10 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, 
postgresql_tmp_t)
 manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file 
sock_file fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file 
fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+allow postgresql_t postgresql_tmpfs_t:file map;
+manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
 
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
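Review bot: The pair `allow postgresql_t postgresql_tmpfs_t:file map;` and `manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)` is what the refpolicy macro `mmap_manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)` expresses in one line, the same form mysql.te uses for mysqld_db_t (visible as context in this commit's mysql.te hunk). A short comment on why files on tmpfs get a type separate from the directories, links and sockets that stay postgresql_tmp_t — presumably shared-memory segments that need `map`, to be confirmed — would also help, since the commit message only says the type was added.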
@@ -342,6 +348,7 @@ init_read_utmp(postgresql_t)
 logging_send_syslog_msg(postgresql_t)
 logging_send_audit_msgs(postgresql_t)
 
+miscfiles_read_generic_tls_privkey(postgresql_t)
 miscfiles_read_localization(postgresql_t)
 
 seutil_libselinux_linked(postgresql_t)
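Review bot: `miscfiles_read_generic_tls_privkey(postgresql_t)` lets the database server read the system-wide generic TLS private key, and neither a comment nor the commit message (which mentions only the tmpfs type and mysql) records why; the rest of the hunk is unchanged context. A comment naming the configuration that needs it, e.g. `# for deployments whose ssl_key_file points at the generic system key`, would make the widening auditable; if the key is normally a per-service one, a dedicated key type would be the tighter choice.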



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: 8f51e189a7c8f8680f84fc11841257c19ab9fa51
Author: Russell Coker  coker  com  au>
AuthorDate: Wed Sep 27 13:20:52 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f51e189

small systemd patches (#708)

* Some small systemd patches

Signed-off-by: Russell Coker  coker.com.au>

* Fixed error where systemd.if had a reference to user_devpts_t

Signed-off-by: Russell Coker  coker.com.au>

* removed the init_var_run_t:service stuff as there are already interfaces and a type for it

Signed-off-by: Russell Coker  coker.com.au>

* corecmd_shell_entry_type doesn't seem to be needed

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/system/locallogin.te |  3 ++-
 policy/modules/system/systemd.if| 12 +++-
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
index f40f15c1c..4dc9981bc 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -131,7 +131,8 @@ auth_domtrans_pam_console(local_login_t)
 auth_read_pam_motd_dynamic(local_login_t)
 auth_read_shadow_history(local_login_t)
 
-init_dontaudit_use_fds(local_login_t)
+# if local_login_t can not inherit fd from init it takes ages to login
+init_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 77a59c662..64455eed5 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -19,11 +19,6 @@
 ## The user domain for the role.
 ## 
 ## 
-## 
-## 
-## The type for the user pty
-## 
-## 
 #
 template(`systemd_role_template',`
gen_require(`
@@ -34,6 +29,7 @@ template(`systemd_role_template',`
type systemd_user_runtime_t, systemd_user_runtime_notify_t;
type systemd_user_unit_t;
type systemd_user_runtime_unit_t, systemd_user_transient_unit_t;
+   type systemd_machined_t;
')
 
#
@@ -153,6 +149,12 @@ template(`systemd_role_template',`
allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
 
+   # for "machinectl shell"
+   allow $1_systemd_t systemd_machined_t:fd use;
+   allow $3 systemd_machined_t:fd use;
+   allow $3 systemd_machined_t:dbus send_msg;
+   allow systemd_machined_t $3:dbus send_msg;
+
allow $3 systemd_user_runtime_notify_t:sock_file { 
manage_sock_file_perms relabel_sock_file_perms };
 
allow $3 systemd_user_unit_t:service { reload start status stop };



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: d7890fb6d1c7bfd1c75d454d457b5fcdc869efe1
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Sep 26 13:43:40 2023 +
Commit:     Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d7890fb6

postgresql: Move lines

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/postgresql.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 11b3936b0..810fb0ed4 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -286,9 +286,10 @@ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, 
postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
 fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file 
fifo_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+
 allow postgresql_t postgresql_tmpfs_t:file map;
 manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
 
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)


