[yocto] [meta-selinux][PATCH 19/19] audit: switch to python3
* Switch to python3 * Drop patches: audit-python-configure.patch audit-python.patch fix-swig-host-contamination.patch Signed-off-by: Yi Zhao --- .../audit/audit/audit-python-configure.patch | 46 - .../audit/audit/audit-python.patch| 64 --- .../audit/fix-swig-host-contamination.patch | 56 recipes-security/audit/audit_2.8.5.bb | 11 ++-- 4 files changed, 4 insertions(+), 173 deletions(-) delete mode 100644 recipes-security/audit/audit/audit-python-configure.patch delete mode 100644 recipes-security/audit/audit/audit-python.patch delete mode 100644 recipes-security/audit/audit/fix-swig-host-contamination.patch diff --git a/recipes-security/audit/audit/audit-python-configure.patch b/recipes-security/audit/audit/audit-python-configure.patch deleted file mode 100644 index 37096b0..000 --- a/recipes-security/audit/audit/audit-python-configure.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 6a2710db094061e1956fac3ed81114d0e958ea21 Mon Sep 17 00:00:00 2001 -From: Li xin -Date: Sun, 19 Jul 2015 00:49:13 +0900 -Subject: [PATCH] audit: python cross-compile - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Xin Ouyang -Signed-off-by: Li Xin -Signed-off-by: Wenzong Fan -Signed-off-by: T.O. Radzy Radzykewycz - configure.ac | 17 ++--- - 1 file changed, 2 insertions(+), 15 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 6e345f1..54bdbf1 100644 a/configure.ac -+++ b/configure.ac -@@ -99,21 +99,8 @@ if test "x$use_python" = xno ; then - else - AC_MSG_RESULT(testing) - AM_PATH_PYTHON --PYINCLUDEDIR=`python${am_cv_python_version} -c "from distutils import sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"` --if test -f ${PYINCLUDEDIR}/Python.h ; then -- python_found="yes" -- AC_SUBST(PYINCLUDEDIR) -- pybind_dir="python" -- AC_SUBST(pybind_dir) -- AC_MSG_NOTICE(Python bindings will be built) --else -- python_found="no" -- if test "x$use_python" = xyes ; then -- AC_MSG_ERROR([Python explicitly requested and python headers were not found]) -- else -- AC_MSG_WARN("Python headers not found - python bindings will not be made") -- fi --fi -+python_found="yes" -+AC_MSG_NOTICE(Python bindings will be built) - fi - AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes") - --- -2.7.4 - diff --git a/recipes-security/audit/audit/audit-python.patch b/recipes-security/audit/audit/audit-python.patch deleted file mode 100644 index c1a2595..000 --- a/recipes-security/audit/audit/audit-python.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 9d95d7e28a2c4cbefa998d375de180c731a151b1 Mon Sep 17 00:00:00 2001 -From: Li xin -Date: Sun, 19 Jul 2015 01:40:48 +0900 -Subject: [PATCH] Remove hard coded python include directory - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Mark Hatle - bindings/Makefile.am| 8 +++- - bindings/python/python2/Makefile.am | 3 ++- - bindings/swig/python/Makefile.am| 5 +++-- - 3 files changed, 12 insertions(+), 4 deletions(-) - -diff --git a/bindings/Makefile.am b/bindings/Makefile.am -index 5b5c576..7a15205 100644 a/bindings/Makefile.am -+++ b/bindings/Makefile.am -@@ -22,4 +22,10 @@ - - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - --SUBDIRS = python golang swig -+SUBDIRS = swig -+if HAVE_PYTHON -+SUBDIRS += python -+endif -+if HAVE_GOLANG -+SUBDIRS += golang -+endif -diff --git a/bindings/python/python2/Makefile.am b/bindings/python/python2/Makefile.am -index 1dcb5bc..6226358 100644 a/bindings/python/python2/Makefile.am -+++ b/bindings/python/python2/Makefile.am -@@ -23,7 +23,8 @@ - - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing --AM_CPPFLAGS = -I$(top_builddir) -I@PYINCLUDEDIR@ -+PYINC ?= /usr/include/python$(PYTHON_VERSION) -+AM_CPPFLAGS = -I$(top_builddir) -I${PYINC} - - pyexec_LTLIBRARIES = auparse.la - -diff --git a/bindings/swig/python/Makefile.am b/bindings/swig/python/Makefile.am -index 8c98b94..ae7c52b 100644 a/bindings/swig/python/Makefile.am -+++ b/bindings/swig/python/Makefile.am -@@ -21,9 +21,10 @@ - # - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing --AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I@PYINCLUDEDIR@ -+PYINC ?= /usr/include/$(PYLIBVER) -+AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC} - SWIG_FLAGS = -python --SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I@PYINCLUDEDIR@ -+SWIG_INCLUDES = -I. 
-I$(top_builddir) -I${top_srcdir}/lib -I${PYINC} - pyexec_PYTHON = audit.py - pyexec_LTLIBRARIES = _audit.la - pyexec_SOLIBRARIES = _audit.so --- -2.7.4 - diff --git a/recipes-security/audit/audit/fix-swig-host-contamination.patch b/recipes-security/audit/audit/fix-swig-host-contamination.patch d
[yocto] [meta-selinux][PATCH 18/19] setools: upgrade 4.1.1 -> 4.2.2
* Switch to python3 * Drop patches: Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch setools4-fix-cross-compiling-errors-for-powerpc-mips.patch Signed-off-by: Yi Zhao --- ...e-with-GCC-7-due-to-possible-truncat.patch | 105 -- ...ss-compiling-errors-for-powerpc-mips.patch | 35 -- .../setools4-fixes-for-cross-compiling.patch | 34 +++--- .../{setools_4.1.1.bb => setools_4.2.2.bb}| 14 +-- 4 files changed, 19 insertions(+), 169 deletions(-) delete mode 100644 recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch delete mode 100644 recipes-security/setools/setools/setools4-fix-cross-compiling-errors-for-powerpc-mips.patch rename recipes-security/setools/{setools_4.1.1.bb => setools_4.2.2.bb} (61%) diff --git a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch b/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch deleted file mode 100644 index a5af041..000 --- a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -Upstream-Status: Backport [https://github.com/TresysTechnology/setools/commit/e41adf0] - -Signed-off-by: Kai Kang - -From e41adf01647c695b80b112b337e76021bb9f30c3 Mon Sep 17 00:00:00 2001 -From: Laurent Bigonville -Date: Tue, 26 Sep 2017 15:15:30 +0200 -Subject: [PATCH] Fix build failure with GCC 7 due to possible truncation of - snprintf output - -setools fails to build under GCC7 -Wformat -Werror with the following error: - -x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -g -O2 -fdebug-prefix-map=/<>=. -fstack-protector-strong -Wformat -Werror=format-security -Wno-sign-compare -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibqpol -Ilibqpol/include -I/usr/include/python3.6m -c libqpol/policy_extend.c -o build/temp.linux-amd64-3.6/libqpol/policy_extend.o -Werror -Wextra -Waggregate-return -Wfloat-equal -Wformat -Wformat=2 -Winit-self -Wmissing-format-attribute -Wmissing-include-dirs -Wnested-externs -Wold-style-definition -Wpointer-arith -Wredundant-decls -Wstrict-prototypes -Wunknown-pragmas -Wwrite-strings -Wno-missing-field-initializers -Wno-unused-parameter -Wno-cast-qual -Wno-shadow -Wno-unreachable-code -fno-exceptions -libqpol/policy_extend.c: In function 'policy_extend': -libqpol/policy_extend.c:161:27: error: '%04zd' directive output may be truncated writing between 4 and 10 bytes into a region of size 5 [-Werror=format-truncation=] -snprintf(buff, 9, "@ttr%04zd", i + 1); - ^ -libqpol/policy_extend.c:161:22: note: directive argument in the range [1, 4294967295] -snprintf(buff, 9, "@ttr%04zd", i + 1); - ^~~ - -Increase the size of the buffer to avoid collisions - -Closes: https://github.com/TresysTechnology/setools/issues/174 -Signed-off-by: Laurent Bigonville - libqpol/policy_extend.c | 16 - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/libqpol/policy_extend.c b/libqpol/policy_extend.c -index 742819b..739e184 100644 a/libqpol/policy_extend.c -+++ b/libqpol/policy_extend.c -@@ -110,7 +110,7 @@ 
static int qpol_policy_remove_bogus_aliases(qpol_policy_t * policy) - * Builds data for the attributes and inserts them into the policydb. - * This function modifies the policydb. Names created for attributes - * are of the form @ttr where value is the value of the attribute -- * as a four digit number (prepended with 0's as needed). -+ * as a ten digit number (prepended with 0's as needed). - * @param policy The policy from which to read the attribute map and - * create the type data for the attributes. This policy will be altered - * by this function. -@@ -125,7 +125,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy) - uint32_t bit = 0, count = 0; - ebitmap_node_t *node = NULL; - type_datum_t *tmp_type = NULL, *orig_type; -- char *tmp_name = NULL, buff[10]; -+ char *tmp_name = NULL, buff[16]; - int error = 0, retv; - - INFO(policy, "%s", "Generating attributes for policy. (Step 4 of 5)"); -@@ -137,7 +137,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy) - - db = >p->p; - -- memset(, 0, 10 * sizeof(char)); -+ memset(, 0, 16 * sizeof(char)); - - for (i = 0; i < db->p_types.nprim; i++) { - /* skip types */ -@@ -158,7 +158,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy) -* with this attribute */ - /* Does not exist */ - if (db->p_type_val_to_name[i] == NULL){ -- snprintf(buff, 9, "@ttr%04zd", i + 1); -+ snprintf(buff, 15, "@ttr%010zd", i + 1);
[yocto] [meta-selinux][PATCH 15/19] selinux-gui: uprev to 2.9 (20190315)
* Switch to python3 Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-gui.inc| 2 +- recipes-security/selinux/selinux-gui_2.8.bb | 7 --- recipes-security/selinux/selinux-gui_2.9.bb | 7 +++ 3 files changed, 8 insertions(+), 8 deletions(-) delete mode 100644 recipes-security/selinux/selinux-gui_2.8.bb create mode 100644 recipes-security/selinux/selinux-gui_2.9.bb diff --git a/recipes-security/selinux/selinux-gui.inc b/recipes-security/selinux/selinux-gui.inc index 1096f3f..725eb23 100644 --- a/recipes-security/selinux/selinux-gui.inc +++ b/recipes-security/selinux/selinux-gui.inc @@ -6,7 +6,7 @@ Policy Generation Tool (selinux-polgengui)" SECTION = "base" LICENSE = "GPLv2+" -RDEPENDS_${PN} += "python" +RDEPENDS_${PN} += "python3-core" FILES_${PN} += " \ ${datadir}/system-config-selinux/* \ diff --git a/recipes-security/selinux/selinux-gui_2.8.bb b/recipes-security/selinux/selinux-gui_2.8.bb deleted file mode 100644 index 2c0fcd8..000 --- a/recipes-security/selinux/selinux-gui_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "52000c14ffa86840220915bd1d777845" -SRC_URI[sha256sum] = "17acd3004f01f92b288cc1322317d7964f5039fb26ba1542b6713a7147a2351d" diff --git a/recipes-security/selinux/selinux-gui_2.9.bb b/recipes-security/selinux/selinux-gui_2.9.bb new file mode 100644 index 000..0bb051c --- /dev/null +++ b/recipes-security/selinux/selinux-gui_2.9.bb @@ -0,0 +1,7 @@ +require selinux_20190315.inc +require ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" + +SRC_URI[md5sum] = "1bfe5eeb861f8563a7b397ab8530ab52" +SRC_URI[sha256sum] = "bbd9e1799cc0c22d64c815c3033a54393f6f84947ff2841a4df60ded5eee0510" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 13/19] selinux-dbus: uprev to 2.9 (20190315)
* Switch to python3 Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-dbus.inc| 2 +- recipes-security/selinux/selinux-dbus_2.8.bb | 7 --- recipes-security/selinux/selinux-dbus_2.9.bb | 7 +++ 3 files changed, 8 insertions(+), 8 deletions(-) delete mode 100644 recipes-security/selinux/selinux-dbus_2.8.bb create mode 100644 recipes-security/selinux/selinux-dbus_2.9.bb diff --git a/recipes-security/selinux/selinux-dbus.inc b/recipes-security/selinux/selinux-dbus.inc index 1b66136..62e45b7 100644 --- a/recipes-security/selinux/selinux-dbus.inc +++ b/recipes-security/selinux/selinux-dbus.inc @@ -5,7 +5,7 @@ Provide SELinux dbus service files and scripts." SECTION = "base" LICENSE = "GPLv2+" -RDEPENDS_${PN} += "python selinux-python-sepolicy" +RDEPENDS_${PN} += "python3-core selinux-python-sepolicy" FILES_${PN} += "\ ${datadir}/system-config-selinux/selinux_server.py \ diff --git a/recipes-security/selinux/selinux-dbus_2.8.bb b/recipes-security/selinux/selinux-dbus_2.8.bb deleted file mode 100644 index 5091624..000 --- a/recipes-security/selinux/selinux-dbus_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "23f0264df3ed123904a17d71f2a5b325" -SRC_URI[sha256sum] = "3339cb9cd77579bab6158afc054409c3bf952e282ef957ea732b19c9f4697bc6" diff --git a/recipes-security/selinux/selinux-dbus_2.9.bb b/recipes-security/selinux/selinux-dbus_2.9.bb new file mode 100644 index 000..ab00ffc --- /dev/null +++ b/recipes-security/selinux/selinux-dbus_2.9.bb @@ -0,0 +1,7 @@ +require selinux_20190315.inc +require ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" + +SRC_URI[md5sum] = "e403f9745fad67aae5903909572ca5b8" +SRC_URI[sha256sum] = "ac54cecdea6a88b4a818981ac82654d054a3c5232b1b282ebf7418c3e350cc7a" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 14/19] selinux-sandbox: uprev to 2.9 (20190315)
* Switch to python3 * Rebase patch Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-sandbox.inc | 10 -- .../selinux/selinux-sandbox/sandbox-de-bashify.patch | 9 + recipes-security/selinux/selinux-sandbox_2.8.bb| 7 --- recipes-security/selinux/selinux-sandbox_2.9.bb| 7 +++ 4 files changed, 16 insertions(+), 17 deletions(-) delete mode 100644 recipes-security/selinux/selinux-sandbox_2.8.bb create mode 100644 recipes-security/selinux/selinux-sandbox_2.9.bb diff --git a/recipes-security/selinux/selinux-sandbox.inc b/recipes-security/selinux/selinux-sandbox.inc index 854640c..c8e335a 100644 --- a/recipes-security/selinux/selinux-sandbox.inc +++ b/recipes-security/selinux/selinux-sandbox.inc @@ -13,12 +13,10 @@ SRC_URI += "file://sandbox-de-bashify.patch \ DEPENDS += "libcap-ng libselinux" RDEPENDS_${PN} += "\ -python-core \ -python-math \ -python-shell \ -python-subprocess \ -python-textutils \ -python-unixadmin \ +python3-core \ +python3-math \ +python3-shell \ +python3-unixadmin \ libselinux-python \ selinux-python \ " diff --git a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch index 18cef4b..e9622f0 100644 --- a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch +++ b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch @@ -1,4 +1,4 @@ -From d3e778e0062ca441c80e2a3ef2b508f5566e1f70 Mon Sep 17 00:00:00 2001 +From b92c39f0be5552c19923f75aef4487348a08b7dc Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Fri, 20 Feb 2015 21:07:47 -0500 Subject: [PATCH] sandbox: de-bashify @@ -10,9 +10,10 @@ Upstream-Status: Pending Signed-off-by: Joe MacDonald Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao --- - sandbox/sandbox.init | 2 +- - sandbox/sandboxX.sh | 2 +- + sandbox.init | 2 +- + sandboxX.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sandbox.init b/sandbox.init 
@@ -36,5 +37,5 @@ index eaa500d..8755d75 100644 context=`id -Z | secon -t -l -P` export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`" -- -1.9.1 +2.7.4 diff --git a/recipes-security/selinux/selinux-sandbox_2.8.bb b/recipes-security/selinux/selinux-sandbox_2.8.bb deleted file mode 100644 index 1eb6c2d..000 --- a/recipes-security/selinux/selinux-sandbox_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "957f5d0fc7724f93f502d1d632568894" -SRC_URI[sha256sum] = "025f84f76e07b7bfc9ba1e9215f4ddb646d41a2e935a65e07560feaa6fc20ef3" diff --git a/recipes-security/selinux/selinux-sandbox_2.9.bb b/recipes-security/selinux/selinux-sandbox_2.9.bb new file mode 100644 index 000..b1dd462 --- /dev/null +++ b/recipes-security/selinux/selinux-sandbox_2.9.bb @@ -0,0 +1,7 @@ +require selinux_20190315.inc +require ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" + +SRC_URI[md5sum] = "3482b8fa6648160e97ba48ad26f84e7d" +SRC_URI[sha256sum] = "01915f57f08642751dea550a87f82a6f2fcec754be48dcfa28266c14bd044262" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 16/19] semodule-utils: uprev to 2.9 (20190315)
Signed-off-by: Yi Zhao
---
recipes-security/selinux/semodule-utils_2.8.bb | 7 ---
recipes-security/selinux/semodule-utils_2.9.bb | 7 +++
2 files changed, 7 insertions(+), 7 deletions(-)
delete mode 100644 recipes-security/selinux/semodule-utils_2.8.bb
create mode 100644 recipes-security/selinux/semodule-utils_2.9.bb
diff --git a/recipes-security/selinux/semodule-utils_2.8.bb b/recipes-security/selinux/semodule-utils_2.8.bb
deleted file mode 100644
index c56f776..000
--- a/recipes-security/selinux/semodule-utils_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "51c69e612481ce971e2ae825139d2ca0"
-SRC_URI[sha256sum] = "44f59c13070c637440b143ceab4dfe1efb9018b1e47828dd8789def74c1ccadf"
diff --git a/recipes-security/selinux/semodule-utils_2.9.bb b/recipes-security/selinux/semodule-utils_2.9.bb
new file mode 100644
index 000..a9c0fbd
--- /dev/null
+++ b/recipes-security/selinux/semodule-utils_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "9e7e6afe33459cae2de5360e97f1e702"
+SRC_URI[sha256sum] = "8083679ee634570f6e9a18632f2c2862b9134fa308b689b2e1952a369ae5d907"
--
2.17.1
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 17/19] selinux-init: fix build error when enable usrmerge feature
Fix the following error when enable usrmerge feature: ERROR: selinux-init-0.1-r0 do_package: QA Issue: selinux-init: Files/directories were installed but not shipped in any package: /usr Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install. selinux-init: 1 installed and not shipped files. [installed-vs-shipped] We don't need to install systemd service file when systemd feature is not enabled. Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-initsh.inc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/recipes-security/selinux/selinux-initsh.inc b/recipes-security/selinux/selinux-initsh.inc index 8e31cda..f27750d 100644 --- a/recipes-security/selinux/selinux-initsh.inc +++ b/recipes-security/selinux/selinux-initsh.inc @@ -27,10 +27,9 @@ do_install () { -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \ ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system install -d ${D}${bindir} install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh ${D}${bindir} sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 10/19] mcstrans: uprev to 2.9 (20190315)
* Rebase patches Signed-off-by: Yi Zhao --- recipes-security/selinux/mcstrans.inc | 4 ++-- .../mcstrans/mcstrans-de-bashify.patch| 23 +++ ...tch => mcstrans-fix-the-init-script.patch} | 14 +++ recipes-security/selinux/mcstrans_2.8.bb | 7 -- recipes-security/selinux/mcstrans_2.9.bb | 7 ++ 5 files changed, 32 insertions(+), 23 deletions(-) rename recipes-security/selinux/mcstrans/{0001-mcstrans-fix-the-init-script.patch => mcstrans-fix-the-init-script.patch} (69%) delete mode 100644 recipes-security/selinux/mcstrans_2.8.bb create mode 100644 recipes-security/selinux/mcstrans_2.9.bb diff --git a/recipes-security/selinux/mcstrans.inc b/recipes-security/selinux/mcstrans.inc index 0eb8720..b9c670b 100644 --- a/recipes-security/selinux/mcstrans.inc +++ b/recipes-security/selinux/mcstrans.inc @@ -7,7 +7,7 @@ SECTION = "base" LICENSE = "GPLv2+" SRC_URI += "file://mcstrans-de-bashify.patch \ -file://0001-mcstrans-fix-the-init-script.patch \ +file://mcstrans-fix-the-init-script.patch \ " inherit systemd update-rc.d @@ -29,7 +29,7 @@ do_install_append() { else install -d ${D}${sysconfdir}/default/volatiles echo "d root root 0755 /var/run/setrans none" \ ->${D}${sysconfdir}/default/volatiles/volatiles.80_mcstrans +>${D}${sysconfdir}/default/volatiles/80_mcstrans fi install -d ${D}${datadir}/mcstrans cp -r share/* ${D}${datadir}/mcstrans/. diff --git a/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch b/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch index 805d7e5..27fd677 100644 --- a/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch +++ b/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch 
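Review bot: The `@@ -29,7 +29,7 @@` hunk in mcstrans.inc renames the generated volatiles entry from `volatiles.80_mcstrans` to `80_mcstrans`, but the commit message lists only "Rebase patches". This is a behaviour change on the target, since a different file now creates `/var/run/setrans` at boot, so it deserves its own bullet in the message, for example `* Rename the volatiles file to 80_mcstrans`. The body of `do_install_append` starts and ends outside the hunk.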
@@ -1,21 +1,23 @@ -commit 54875dcb50f5e40fc86d6fe98dde244bfe4751af -Author: Joe MacDonald -Date: Fri Aug 7 15:16:45 2015 -0400 +From 544b3c078374e5001e7fdc1b7d0b2eafda36f8fe Mon Sep 17 00:00:00 2001 +From: Joe MacDonald +Date: Fri, 7 Aug 2015 15:16:45 -0400 +Subject: [PATCH] mcstrans: remove dependency on bash in initscript -mcstrans: remove dependency on bash in initscript +There were no apparent bashisms in mcstrans.init, so remove the +dependency on bash. -There were no apparent bashisms in mcstrans.init, so remove the dependency -on bash. - -Signed-off-by: Joe MacDonald +Signed-off-by: Joe MacDonald Upstream-Status: Pending Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao --- - src/mcstrans.init |2 +- + src/mcstrans.init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) +diff --git a/src/mcstrans.init b/src/mcstrans.init +index 2804ec0..8b4737d 100644 --- a/src/mcstrans.init +++ b/src/mcstrans.init @@ -1,4 +1,4 @@ @@ -24,3 +26,6 @@ Signed-off-by: Wenzong Fan # # mcstransdThis starts and stops mcstransd # +-- +2.7.4 + diff --git a/recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch b/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch similarity index 69% rename from recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch rename to recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch index 5f7163d..79be090 100644 --- a/recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch +++ b/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch @@ -1,17 +1,21 @@ -[PATCH] mcstrans: fix the init script - -Upstream-Status: Inappropriate [embedded specific] +From 4d918a9679d2902ca2d41fe769a4d76f07a67b5f Mon Sep 17 00:00:00 2001 +From: Roy Li +Date: Wed, 6 Nov 2019 22:13:33 +0800 +Subject: [PATCH] mcstrans: fix the init script replace daemon with start-stop-daemon, due to not daemon functions +Upstream-Status: Inappropriate [embedded specific] + Signed-off-by: Roy Li 
Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao --- src/mcstrans.init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/mcstrans.init b/src/mcstrans.init -index 2804ec0..c660290 100644 +index 8b4737d..86c89ea 100644 --- a/src/mcstrans.init +++ b/src/mcstrans.init @@ -51,7 +51,7 @@ start(){ @@ -24,5 +28,5 @@ index 2804ec0..c660290 100644 echo if test $RETVAL = 0 ; then -- -1.9.1 +2.7.4 diff --git a/recipes-security/selinux/mcstrans_2.8.bb b/recipes-security/selinux/mcstrans_2.8.bb deleted file mode 100644 index 8923c3c..000 --- a/recipes-security/selinux/mcstrans_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" - -SRC_URI[md5sum] = "3a0edb2a8b6a255199824abd58c0906c" -SRC_URI[sha256sum] = "ec6ea65660550ed6bbd2a834725ba7526ac53599753d7b95072e4afd4afc14e4" diff --git a/recipes-security/selinux/mcstrans_2.9.bb b/recipes-security/selinux/mcstr
[yocto] [meta-selinux][PATCH 09/19] policycoreutils: uprev to 2.9 (20190315)
* Switch to python3 Signed-off-by: Yi Zhao --- recipes-security/selinux/policycoreutils.inc| 16 recipes-security/selinux/policycoreutils_2.8.bb | 8 recipes-security/selinux/policycoreutils_2.9.bb | 8 3 files changed, 12 insertions(+), 20 deletions(-) delete mode 100644 recipes-security/selinux/policycoreutils_2.8.bb create mode 100644 recipes-security/selinux/policycoreutils_2.9.bb diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc index 85ff164..92f7a75 100644 --- a/recipes-security/selinux/policycoreutils.inc +++ b/recipes-security/selinux/policycoreutils.inc @@ -19,7 +19,7 @@ DEPENDS += "libsepol libselinux libsemanage libcap gettext-native" EXTRA_DEPENDS = "libcap-ng libcgroup" DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}" -inherit selinux pythonnative +inherit selinux python3native RDEPENDS_${BPN}-fixfiles += "\ ${BPN}-setfiles \ @@ -27,7 +27,6 @@ RDEPENDS_${BPN}-fixfiles += "\ findutils \ " RDEPENDS_${BPN}-genhomedircon += "\ - ${BPN}-genhomedircon \ ${BPN}-semodule \ " RDEPENDS_${BPN}-loadpolicy += "\ @@ -45,10 +44,6 @@ RDEPENDS_${BPN}-semodule += "\ libselinux \ libsemanage \ " -# static link to libsepol -RDEPENDS_${BPN}-semodule-expand += "libsepol libselinux" -RDEPENDS_${BPN}-semodule-link += "libsepol libselinux" -RDEPENDS_${BPN}-semodule-package += "libsepol libselinux" RDEPENDS_${BPN}-sestatus += "libselinux" RDEPENDS_${BPN}-setfiles += "\ libselinux \ @@ -61,10 +56,6 @@ RDEPENDS_${BPN}-setsebool += "\ " RDEPENDS_${BPN} += "selinux-python" -WARN_QA_remove = " unsafe-references-in-scripts" -ERROR_QA_remove = " unsafe-references-in-scripts" - - PACKAGES =+ "\ ${PN}-fixfiles \ ${PN}-genhomedircon \ @@ -102,6 +93,7 @@ FILES_${PN}-sestatus += "\ " FILES_${PN}-setfiles += "\ ${base_sbindir}/restorecon \ + ${base_sbindir}/restorecon_xattr \ ${base_sbindir}/setfiles \ " FILES_${PN}-setsebool += "\ 
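Review bot: The `@@ -61,10 +56,6 @@` hunk removes `WARN_QA_remove`/`ERROR_QA_remove` for `unsafe-references-in-scripts`, and the `@@ -45,10 +44,6 @@` hunk removes the RDEPENDS of the semodule-expand, semodule-link and semodule-package subpackages, yet the commit message mentions only the python3 switch. Re-enabling a QA check is a welcome change, but it is unrelated to the interpreter and a later bisect would not expect it under this subject. Suggest adding bullets such as `* Drop unsafe-references-in-scripts QA skip` and `* Drop RDEPENDS for subpackages no longer built here`, or splitting them into a separate patch.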
@@ -147,7 +139,7 @@ sysroot_stage_dirs_append_class-native() { } do_compile_prepend() { - export PYTHON=python + export PYTHON=python3 export PYLIBVER='python${PYTHON_BASEVERSION}' export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}" export PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so" @@ -155,7 +147,7 @@ do_compile_prepend() { } do_install_prepend() { - export PYTHON=python + export PYTHON=python3 export SBINDIR="${D}/${base_sbindir}" } diff --git a/recipes-security/selinux/policycoreutils_2.8.bb b/recipes-security/selinux/policycoreutils_2.8.bb deleted file mode 100644 index 85f6ff0..000 --- a/recipes-security/selinux/policycoreutils_2.8.bb +++ /dev/null @@ -1,8 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "da5ceb9c7e1e6f8c573731031b91cffe" -SRC_URI[sha256sum] = "986553a235f27bee7ad7c2b7c35ea51eb2ee68e2cf03b661b1585de101bc1099" - diff --git a/recipes-security/selinux/policycoreutils_2.9.bb b/recipes-security/selinux/policycoreutils_2.9.bb new file mode 100644 index 000..08ba54a --- /dev/null +++ b/recipes-security/selinux/policycoreutils_2.9.bb @@ -0,0 +1,8 @@ +require selinux_20190315.inc +require ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" + +SRC_URI[md5sum] = "0fbebdb4761353726cc739d5528f21d8" +SRC_URI[sha256sum] = "c53c344f28007b3c0742bd958751e9b5d2385898adeb8aec6281ae57342f0f7b" + -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
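Review bot: In `do_compile_prepend` only `PYTHON` is switched to python3, while the unchanged `PYLIBVER='python${PYTHON_BASEVERSION}'` line still feeds `PYTHON_CPPFLAGS` and `PYTHON_LDFLAGS`. Where the Python 3 build carries an ABI suffix, the staged header directory and shared library are named with it, so `-I${STAGING_INCDIR}/${PYLIBVER}` and `lib${PYLIBVER}.so` may point at paths that are not in the recipe sysroot. python3-dir.bbclass exposes `PYTHON_ABI` for this, so consider `export PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}'`, or drop these exports if nothing in policycoreutils 2.9 still builds against libpython. The function body continues outside the hunk.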
[yocto] [meta-selinux][PATCH 12/19] selinux-python: uprev to 2.9 (20190315)
* Switch to python3 * Drop patches: fix-TypeError-for-seobject.py.patch process-ValueError-for-sepolicy-seobject.patch * Rebase patches Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-python.inc | 62 +-- .../fix-TypeError-for-seobject.py.patch | 30 - .../fix-sepolicy-install-path.patch | 8 +-- ...ess-ValueError-for-sepolicy-seobject.patch | 47 -- .../selinux/selinux-python_2.8.bb | 7 --- .../selinux/selinux-python_2.9.bb | 7 +++ 6 files changed, 40 insertions(+), 121 deletions(-) delete mode 100644 recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch delete mode 100644 recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch delete mode 100644 recipes-security/selinux/selinux-python_2.8.bb create mode 100644 recipes-security/selinux/selinux-python_2.9.bb diff --git a/recipes-security/selinux/selinux-python.inc b/recipes-security/selinux/selinux-python.inc index 8b34bff..5e27781 100644 --- a/recipes-security/selinux/selinux-python.inc +++ b/recipes-security/selinux/selinux-python.inc 
@@ -6,60 +6,54 @@ SELinux utilities audit2allow, chcat, semanage ..." SECTION = "base" LICENSE = "GPLv2+" -SRC_URI += "file://fix-sepolicy-install-path.patch \ -file://fix-TypeError-for-seobject.py.patch \ -file://process-ValueError-for-sepolicy-seobject.patch \ -" +SRC_URI += "file://fix-sepolicy-install-path.patch" -inherit python-dir +inherit python3-dir -DEPENDS += "python-native libsepol" +DEPENDS += "python3 libsepol" RDEPENDS_${BPN}-audit2allow += "\ -python-core \ -python-textutils \ +python3-core \ libselinux-python \ ${BPN}-sepolgen \ " RDEPENDS_${BPN}-chcat += "\ -python-core \ -python-codecs \ -python-shell \ -python-stringold \ -python-unixadmin \ +python3-core \ +python3-codecs \ +python3-shell \ +python3-stringold \ +python3-unixadmin \ libselinux-python \ ${BPN} \ " RDEPENDS_${BPN} += "\ -python-core \ -python-codecs \ -python-io \ -python-ipy \ -python-re \ -python-stringold \ -python-syslog \ -python-unixadmin \ +python3-core \ +python3-codecs \ +python3-io \ +python3-ipy \ +python3-stringold \ +python3-syslog \ +python3-unixadmin \ libselinux-python \ libsemanage-python \ setools \ " RDEPENDS_${BPN}-semanage += "\ -python-core \ -python-ipy \ -python-compression \ -python-xml \ -python-misc \ +python3-core \ +python3-ipy \ +python3-compression \ +python3-xml \ +python3-misc \ libselinux-python \ ${BPN} \ " RDEPENDS_${BPN}-sepolicy += "\ -python-argparse \ -python-codecs \ -python-core \ -python-syslog \ +python3-core \ +python3-codecs \ +python3-syslog \ ${BPN} \ " RDEPENDS_${BPN}-sepolgen-ifgen += "\ -python \ +python3-core \ libselinux-python \ " @@ -96,7 +90,7 @@ FILES_${PN}-sepolgen += "\ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolgen* \ ${localstatedir}/lib/sepolgen/perm_map \ " -# Map to policycoreutils-python in 2.6 + FILES_${PN} += "\ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \ 
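Review bot: In the `@@ -6,60 +6,54 @@` hunk, `DEPENDS += "python3 libsepol"` replaces `python-native` with the target python3 and the recipe inherits only `python3-dir`, so no native interpreter is staged for the build. If the selinux-python Makefiles invoke the interpreter at build time (not visible in this patch), that call would resolve to the build host's python3 and the output would depend on the host installation. policycoreutils.inc in this same series uses `inherit selinux python3native`; consider `inherit python3native python3-dir` here as well, or state in the commit message why the native interpreter is no longer needed.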
@@ -104,9 +98,11 @@ FILES_${PN} += "\ " EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a" + do_install() { -oe_runmake DESTDIR=${D} \ +oe_runmake DESTDIR="${D}" \ LIBDIR="${libdir}" \ +PYLIBVER='python${PYTHON_BASEVERSION}' \ PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \ install } diff --git a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch b/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch deleted file mode 100644 index 62cdeee..000 --- a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 98c2944ffa3e35095187e1df9ff33498bbd0fa54 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Tue, 1 Apr 2014 02:53:36 -0400 -Subject: [PATCH] policycoreutils: fix TypeError for seobject.py - -File "/usr/lib64/python2.7/site-packages/seobject.py", line 109, in log - message += " sename=" + sename -TypeError: cannot concatenate 'str' and 'NoneType' objects - -Uptream-Status: Pending
[yocto] [meta-selinux][PATCH 08/19] secilc: uprev to 2.9 (20190315)
Signed-off-by: Yi Zhao
---
recipes-security/selinux/secilc_2.8.bb | 7 --- recipes-security/selinux/secilc_2.9.bb | 7 +++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 recipes-security/selinux/secilc_2.8.bb create mode 100644 recipes-security/selinux/secilc_2.9.bb
diff --git a/recipes-security/selinux/secilc_2.8.bb b/recipes-security/selinux/secilc_2.8.bb
deleted file mode 100644
index 89e0684..000
--- a/recipes-security/selinux/secilc_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
-
-SRC_URI[md5sum] = "a3c363545842aadc6645a94112b476e7"
-SRC_URI[sha256sum] = "cfe15f2e06b3013c9dfc46cf42234ff07fb61866c4c29d739eb8858f83b214d4"
diff --git a/recipes-security/selinux/secilc_2.9.bb b/recipes-security/selinux/secilc_2.9.bb
new file mode 100644
index 000..8207905
--- /dev/null
+++ b/recipes-security/selinux/secilc_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
+
+SRC_URI[md5sum] = "489cedf50fa277ce07765053ffcdb4d5"
+SRC_URI[sha256sum] = "73a1806e33a669e23545da2d35d0e5038714721f6bf71974eaa533b3ebde61b2"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 11/19] restorecond: uprev to 2.9 (20190315)
* Rebase patches Signed-off-by: Yi Zhao --- ...icycoreutils-make-O_CLOEXEC-optional.patch | 29 +++ recipes-security/selinux/restorecond_2.8.bb | 7 - recipes-security/selinux/restorecond_2.9.bb | 7 + 3 files changed, 24 insertions(+), 19 deletions(-) delete mode 100644 recipes-security/selinux/restorecond_2.8.bb create mode 100644 recipes-security/selinux/restorecond_2.9.bb diff --git a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch index ab1a10a..2928aff 100644 --- a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch +++ b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch @@ -1,29 +1,34 @@ +From 4adc1c02e4da42f64249c05534875e732f043693 Mon Sep 17 00:00:00 2001 +From: Joe MacDonald +Date: Wed, 6 Nov 2019 23:17:50 +0800 Subject: [PATCH] policycoreutils: make O_CLOEXEC optional -Various commits in the selinux tree in the current release added O_CLOEXEC -to open() calls in an attempt to address file descriptor leaks as -described: +Various commits in the selinux tree in the current release added +O_CLOEXEC to open() calls in an attempt to address file descriptor leaks +as described: - http://danwalsh.livejournal.com/53603.html + http://danwalsh.livejournal.com/53603.html However O_CLOEXEC isn't available on all platforms, so make it a -compile-time option and generate a warning when it is not available. The -actual impact of leaking these file descriptors is minimal, though it does -produce curious AVC Denied messages. +compile-time option and generate a warning when it is not available. +The actual impact of leaking these file descriptors is minimal, though +it does produce curious AVC Denied messages. -Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008] +Uptream-Status: Inappropriate +[O_CLOEXEC has been in Linux since 2007 and POSIX since 2008] 
Signed-off-by: Joe MacDonald Signed-off-by: Wenzong Fan +Signed-off-by: Yi Zhao --- - user.c |8 +++- + user.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/user.c b/user.c -index 2c28676..6235772 100644 +index 714aae7..bbf018e 100644 --- a/user.c +++ b/user.c -@@ -202,7 +202,13 @@ static int local_server() { +@@ -202,7 +202,13 @@ static int local_server(void) { perror("asprintf"); return -1; } @@ -39,5 +44,5 @@ index 2c28676..6235772 100644 g_warning ("Lock file: %s", ptr); -- -1.7.9.5 +2.7.4 diff --git a/recipes-security/selinux/restorecond_2.8.bb b/recipes-security/selinux/restorecond_2.8.bb deleted file mode 100644 index 4a83a23..000 --- a/recipes-security/selinux/restorecond_2.8.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20180524.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "cfe4e4d6184623fdcb9bc2681e693abb" -SRC_URI[sha256sum] = "323cab1128e5308cd85fea0e5c98e3c8973e1ada0b659f2fce76187e192271bf" diff --git a/recipes-security/selinux/restorecond_2.9.bb b/recipes-security/selinux/restorecond_2.9.bb new file mode 100644 index 000..2ccac18 --- /dev/null +++ b/recipes-security/selinux/restorecond_2.9.bb @@ -0,0 +1,7 @@ +require selinux_20190315.inc +require ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" + +SRC_URI[md5sum] = "1a24cb2a23d8bd01d3f8d9bb2031981f" +SRC_URI[sha256sum] = "cbf9820583e641ee0462fa7bc89e6024676af281e025703e17b2d019b1a25a4f" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
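Review bot: The rebased patch header still spells the tag `Uptream-Status:` and now wraps the reason onto a second line, so tooling that looks for `Upstream-Status:` will likely not recognise it. I would keep it on one line as `Upstream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]`. That reason also suggests the patch is no longer needed on the Linux targets this layer builds for. Where `O_CLOEXEC` is undefined, the fallback presumably leaves the descriptor opened in `local_server()` inheritable by child processes, which is the leak the upstream change was meant to close. Consider dropping the patch instead of rebasing it, or naming in the header the platform that still needs it; the `user.c` change itself is mostly outside the visible hunks.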
[yocto] [meta-selinux][PATCH 06/19] libsemanage: uprev to 2.9 (20190315)
* Switch to python3 * Drop patches: libsemanage-fix-path-nologin.patch 0001-src-Makefile-fix-includedir-in-libselinux.pc.patch * Rebase patches * Update policy version to 31 Signed-off-by: Yi Zhao --- recipes-security/selinux/libsemanage.inc | 26 ++--- ...file-fix-includedir-in-libselinux.pc.patch | 28 - ...anage-Fix-execve-segfaults-on-Ubuntu.patch | 12 -- ...anage-allow-to-disable-audit-support.patch | 26 +++-- ...anage-define-FD_CLOEXEC-as-necessary.patch | 16 ...-disable-expand-check-on-policy-load.patch | 6 ++- ...age-drop-Wno-unused-but-set-variable.patch | 12 +++--- .../libsemanage-fix-path-nologin.patch| 39 --- recipes-security/selinux/libsemanage_2.8.bb | 18 - recipes-security/selinux/libsemanage_2.9.bb | 15 +++ 10 files changed, 70 insertions(+), 128 deletions(-) delete mode 100644 recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch delete mode 100644 recipes-security/selinux/libsemanage/libsemanage-fix-path-nologin.patch delete mode 100644 recipes-security/selinux/libsemanage_2.8.bb create mode 100644 recipes-security/selinux/libsemanage_2.9.bb diff --git a/recipes-security/selinux/libsemanage.inc b/recipes-security/selinux/libsemanage.inc index be0a5f1..9dc1095 100644 --- a/recipes-security/selinux/libsemanage.inc +++ b/recipes-security/selinux/libsemanage.inc 
@@ -6,41 +6,39 @@ on binary policies such as customizing policy boolean settings." SECTION = "base" LICENSE = "LGPLv2.1+" -inherit lib_package python-dir +inherit lib_package python3-dir -DEPENDS += "libsepol libselinux bzip2 python bison-native flex-native swig-native" -DEPENDS_append_class-target += "audit" +DEPENDS += "libsepol libselinux bzip2 python3 bison-native flex-native swig-native" +DEPENDS_append_class-target = " audit" PACKAGES =+ "${PN}-python" # For /usr/libexec/selinux/semanage_migrate_store -RDEPENDS_${PN}-python += "python" +RDEPENDS_${PN}-python += "python3-core" FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \ ${libexecdir}/selinux/semanage_migrate_store" FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/*" +FILES_${PN} += "${libexecdir}" + EXTRA_OEMAKE_class-native += "DISABLE_AUDIT=y" do_compile_append() { oe_runmake pywrap \ -INCLUDEDIR='${STAGING_INCDIR}' \ -LIBDIR='${STAGING_LIBDIR}' \ -PYLIBVER='python${PYTHON_BASEVERSION}' \ -PYINC='-I${STAGING_INCDIR}/$(PYLIBVER)' \ -PYLIB='-L${STAGING_LIBDIR}/$(PYLIBVER) -l$(PYLIBVER)' \ -PYTHONLIBDIR='${PYLIB}' +PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \ +PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \ +PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}' } do_install_append() { oe_runmake install-pywrap swigify \ PYCEXT='.so' \ - PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' \ -PYLIBVER='python${PYTHON_BASEVERSION}' \ -PYLIBDIR='${D}/${libdir}/$(PYLIBVER)' +PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \ + PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' # Update "policy-version" for semanage.conf -sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 30/' \ +sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 31/' \ ${D}/etc/selinux/semanage.conf } 
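Review bot: The `sed` in `do_install_append` that now writes policy version 31 only rewrites a commented-out `# policy-version =` line. If the shipped semanage.conf ever changes shape, the substitution silently does nothing and the image carries whatever default libsemanage picks. A check after it, such as `grep -q '^policy-version' ${D}/etc/selinux/semanage.conf || bbfatal "policy-version not set in semanage.conf"`, would surface that at build time. The hard-coded 31 also has to stay at or below the highest policy version the target kernel accepts, otherwise the policy will not load. The comment above the `sed` could say so: `# policy-version must not exceed the maximum the target kernel supports`.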
diff --git a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch b/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch deleted file mode 100644 index 73613d3..000 --- a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch +++ /dev/null @@ -1,28 +0,0 @@ -From e773c0952b06370d81e9b113f9b0b3388e323e52 Mon Sep 17 00:00:00 2001 -From: Robert Yang -Date: Thu, 18 Feb 2016 02:39:16 +0000 -Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc - -Upstream-Status: Pending - -Signed-off-by: Robert Yang -Signed-off-by: Yi Zhao - src/Makefile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/Makefile b/src/Makefile -index dea751e..4af4568 100644 a/src/Makefile -+++ b/src/Makefile -@@ -93,6 +93,7 @@ $(LIBSO): $(LOBJS) - - $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ -+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@ - - semanageswig_python_exception.i: ../include/semanage/semanage.h - bash -e exception.s
[yocto] [meta-selinux][PATCH 07/19] checkpolicy: uprev to 2.9 (20190315)
Signed-off-by: Yi Zhao
---
recipes-security/selinux/checkpolicy_2.8.bb | 7 --- recipes-security/selinux/checkpolicy_2.9.bb | 7 +++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 recipes-security/selinux/checkpolicy_2.8.bb create mode 100644 recipes-security/selinux/checkpolicy_2.9.bb
diff --git a/recipes-security/selinux/checkpolicy_2.8.bb b/recipes-security/selinux/checkpolicy_2.8.bb
deleted file mode 100644
index 05e738e..000
--- a/recipes-security/selinux/checkpolicy_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "5d23a3209048c8cf70f3c13c4ce4245f"
-SRC_URI[sha256sum] = "9dec811c24b88e58c3bf741365eacf1dbb945531a2fcb8f284aacf68098194c8"
diff --git a/recipes-security/selinux/checkpolicy_2.9.bb b/recipes-security/selinux/checkpolicy_2.9.bb
new file mode 100644
index 000..1183ea9
--- /dev/null
+++ b/recipes-security/selinux/checkpolicy_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "3b0e327f6c1a143f9720a1fbefede3c0"
+SRC_URI[sha256sum] = "a946c32b284532447857e4c48830f8816867c61220c8c08bdd32e6f691335f8e"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 05/19] libselinux-python: add recipe
After switching to python3, there is a loop dependency error with the libselinux-python package when building libselinux. Split the original libselinux recipe into libselinux and libselinux-python. Signed-off-by: Yi Zhao --- .../selinux/libselinux-python.inc | 40 +++ .../selinux/libselinux-python_2.9.bb | 18 + 2 files changed, 58 insertions(+) create mode 100644 recipes-security/selinux/libselinux-python.inc create mode 100644 recipes-security/selinux/libselinux-python_2.9.bb diff --git a/recipes-security/selinux/libselinux-python.inc b/recipes-security/selinux/libselinux-python.inc new file mode 100644 index 000..62354b2 --- /dev/null +++ b/recipes-security/selinux/libselinux-python.inc 
@@ -0,0 +1,40 @@ +SUMMARY = "SELinux library and simple utilities" +DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \ +process and file security contexts and to obtain security policy \ +decisions. Required for any applications that use the SELinux API." +SECTION = "base" +LICENSE = "PD" + +FILESEXTRAPATHS_prepend := "${THISDIR}/libselinux:" + +inherit python3-dir + +DEPENDS += "python3 swig-native" +RDEPENDS_${PN} += "libselinux python3-core python3-shell" + +def get_policyconfigarch(d): +import re +target = d.getVar('TARGET_ARCH', True) +p = re.compile('i.86') +target = p.sub('i386',target) +return "ARCH=%s" % (target) +EXTRA_OEMAKE += "${@get_policyconfigarch(d)}" + +EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'" +EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts" + +FILES_${PN} = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*" + +do_compile() { +oe_runmake pywrap -j1 \ +PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \ +PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \ +PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}' +} + +do_install() { +oe_runmake install-pywrap swigify \ +PYCEXT='.so' \ +PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \ + PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' +} diff --git a/recipes-security/selinux/libselinux-python_2.9.bb b/recipes-security/selinux/libselinux-python_2.9.bb new file mode 100644 index 000..8e3aae1 --- /dev/null +++ b/recipes-security/selinux/libselinux-python_2.9.bb 
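Review bot: `DEPENDS` in the new libselinux-python.inc lists only `python3 swig-native`, yet the same file passes `-lpcre` in `LDFLAGS` and points `LIBSEPOLA` at `${STAGING_LIBDIR}/libsepol.a`, and the bindings presumably link against libselinux itself. With per-recipe sysroots a library is staged only when it is declared, so the build would depend on whatever another recipe happened to pull in. I would write `DEPENDS += "python3 swig-native libpcre libsepol libselinux"`. A short comment above `do_compile` would also help: `${PYLIBVER}` in `PYINC` and `PYLIBS` reads like a bitbake variable, but it appears to be left for make to expand.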
@@ -0,0 +1,18 @@ +SELINUX_RELEASE = "20190315" + +SRC_URI = "https://github.com/SELinuxProject/selinux/releases/download/${SELINUX_RELEASE}/libselinux-${PV}.tar.gz; + +require ${BPN}.inc + +LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0" + +SRC_URI[md5sum] = "bb449431b6ed55a0a0496dbc366d6e31" +SRC_URI[sha256sum] = "1bccc8873e449587d9a2b2cf253de9b89a8291b9fbc7c59393ca9e5f5f4d2693" + +SRC_URI += "\ +file://libselinux-drop-Wno-unused-but-set-variable.patch \ +file://libselinux-make-O_CLOEXEC-optional.patch \ +file://libselinux-make-SOCK_CLOEXEC-optional.patch \ +file://libselinux-define-FD_CLOEXEC-as-necessary.patch \ +" +S = "${WORKDIR}/libselinux-${PV}" -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 04/19] libselinux: uprev to 2.9 (20190315)
* Switch to python3 * Drop patches: 0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch 0001-src-Makefile-fix-includedir-in-libselinux.pc.patch * Split into libselinux recipe and libselinux-python recipe to fix the loop dependency error. Signed-off-by: Yi Zhao --- recipes-security/selinux/libselinux.inc | 24 +--- ...t-define-gettid-if-glibc-2.30-is-use.patch | 60 --- ...file-fix-includedir-in-libselinux.pc.patch | 28 - .../{libselinux_2.8.bb => libselinux_2.9.bb} | 10 ++-- 4 files changed, 6 insertions(+), 116 deletions(-) delete mode 100644 recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch delete mode 100644 recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch rename recipes-security/selinux/{libselinux_2.8.bb => libselinux_2.9.bb} (50%) diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc index 6e115e3..8d381de 100644 --- a/recipes-security/selinux/libselinux.inc +++ b/recipes-security/selinux/libselinux.inc @@ -5,15 +5,10 @@ decisions. Required for any applications that use the SELinux API." SECTION = "base" LICENSE = "PD" -inherit lib_package pythonnative +inherit lib_package python3native -DEPENDS += "libsepol python libpcre swig-native" +DEPENDS += "libsepol libpcre" DEPENDS_append_libc-musl = " fts" -RDEPENDS_${PN}-python += "python-core python-shell" - -PACKAGES += "${PN}-python" -FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*" -FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*" def get_policyconfigarch(d): import re 
@@ -26,19 +21,4 @@ EXTRA_OEMAKE += "${@get_policyconfigarch(d)}" EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'" EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts" -do_compile_append() { -oe_runmake pywrap -j1 \ -INCLUDEDIR='${STAGING_INCDIR}' \ -LIBDIR='${STAGING_LIBDIR}' \ -PYINC='-I${STAGING_INCDIR}/python${PYTHON_BASEVERSION}' -} - -do_install_append() { -oe_runmake install-pywrap swigify \ - PYTHONLIBDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages -if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then -rm -rf ${D}${base_sbindir} -fi -} - BBCLASSEXTEND = "native" diff --git a/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch deleted file mode 100644 index fc3e37e..000 --- a/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 2c672b4cc39fbddb6faec2c7434832058f339d59 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Mon, 11 Mar 2019 16:00:41 +0100 -Subject: [PATCH] libselinux: Do not define gettid() if glibc >= 2.30 is used -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Since version 2.30 glibc implements gettid() system call wrapper, see -https://sourceware.org/bugzilla/show_bug.cgi?id=6399 - -Fixes: -cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -c -o procattr.o procattr.c -procattr.c:28:14: error: static declaration of ‘gettid’ follows non-static declaration - 28 | static pid_t gettid(void) - | ^~ -In file included from /usr/include/unistd.h:1170, - from procattr.c:2: -/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here - 34 | extern __pid_t gettid (void) __THROW; - |^~ - -Upstream-Status: Backport -[https://github.com/SELinuxProject/selinux/commit/707e4b8610733b5c9eaac0f00239778f3edb23c2] - -Signed-off-by: Petr Lautrbach -Signed-off-by: Yi Zhao - src/procattr.c | 15 +-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/src/procattr.c b/src/procattr.c -index 8bf8432..3c7b87f 100644 a/src/procattr.c -+++ b/src/procattr.c -@@ -22,8 +22,19 @@ static pthread_key_t destructor_key; - static int destructor_key_initialized = 0; - static __thread char destructor_initialized; - --#ifndef __BIONIC__ --/* Bionic declares this in unistd.h and has a definition for it */ -+/* Bionic and glibc >= 2.30 declare gettid() system call wrap
[yocto] [meta-selinux][PATCH 03/19] libsepol: uprev to 2.9 (20190315)
* Drop patch 0001-src-Makefile-fix-includedir-in-libsepol.pc.patch Signed-off-by: Yi Zhao --- ...kefile-fix-includedir-in-libsepol.pc.patch | 29 --- recipes-security/selinux/libsepol_2.8.bb | 9 -- recipes-security/selinux/libsepol_2.9.bb | 7 + 3 files changed, 7 insertions(+), 38 deletions(-) delete mode 100644 recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch delete mode 100644 recipes-security/selinux/libsepol_2.8.bb create mode 100644 recipes-security/selinux/libsepol_2.9.bb diff --git a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch b/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch deleted file mode 100644 index 987fdab..000 --- a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 074dbf2f104d1a6ea1aa048600f44f9701c70a60 Mon Sep 17 00:00:00 2001 -From: Robert Yang -Date: Thu, 18 Feb 2016 02:04:59 + -Subject: [PATCH] src/Makefile: fix includedir in libsepol.pc - -Upstream-Status: Pending - -Signed-off-by: Robert Yang -Signed-off-by: Yi Zhao - src/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/Makefile b/src/Makefile -index ccb7023..2bb6290 100644 a/src/Makefile -+++ b/src/Makefile -@@ -51,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP) - ln -sf $@ $(TARGET) - - $(LIBPC): $(LIBPC).in ../VERSION -- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ -+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@ - - $(LIBMAP): $(LIBMAP).in - ifneq ($(DISABLE_CIL),y) --- -2.7.4 - diff --git a/recipes-security/selinux/libsepol_2.8.bb b/recipes-security/selinux/libsepol_2.8.bb deleted file mode 100644 index d1f905b..000 --- a/recipes-security/selinux/libsepol_2.8.bb +++ /dev/null 
@@ -1,9 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "c19aa9dde1e78d1c2bd3109579e4d484"
-SRC_URI[sha256sum] = "3ad6916a8352bef0bad49acc8037a5f5b48c56f94e4cb4e1959ca475fa9d24d6"
-
-SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch"
diff --git a/recipes-security/selinux/libsepol_2.9.bb b/recipes-security/selinux/libsepol_2.9.bb
new file mode 100644
index 000..cd55be6
--- /dev/null
+++ b/recipes-security/selinux/libsepol_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+SRC_URI[md5sum] = "2fdefe870a61424d8f2d5d37551c6259"
+SRC_URI[sha256sum] = "a34b12b038d121e3e459b1cbaca3c9202e983137819c16baf63658390e3f1d5d"
-- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 02/19] selinux: uprev inc files to 2.9 (20190315)
* Update SRC_URI * Add UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux_20180524.inc | 5 - recipes-security/selinux/selinux_20190315.inc | 8 recipes-security/selinux/selinux_common.inc | 4 +--- 3 files changed, 9 insertions(+), 8 deletions(-) delete mode 100644 recipes-security/selinux/selinux_20180524.inc create mode 100644 recipes-security/selinux/selinux_20190315.inc diff --git a/recipes-security/selinux/selinux_20180524.inc b/recipes-security/selinux/selinux_20180524.inc deleted file mode 100644 index b36b333..000 --- a/recipes-security/selinux/selinux_20180524.inc +++ /dev/null @@ -1,5 +0,0 @@ -SELINUX_RELEASE = "20180524" - -SRC_URI = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz; - -include selinux_common.inc diff --git a/recipes-security/selinux/selinux_20190315.inc b/recipes-security/selinux/selinux_20190315.inc new file mode 100644 index 000..e79dd54 --- /dev/null +++ b/recipes-security/selinux/selinux_20190315.inc @@ -0,0 +1,8 @@ +SELINUX_RELEASE = "20190315" + +SRC_URI = "https://github.com/SELinuxProject/selinux/releases/download/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz; + +UPSTREAM_CHECK_URI = "https://github.com/SELinuxProject/selinux/releases; +UPSTREAM_CHECK_REGEX = "libselinux-(?P.+)\.tar\.gz" + +require selinux_common.inc diff --git a/recipes-security/selinux/selinux_common.inc b/recipes-security/selinux/selinux_common.inc index 383f62d..f6c4a6b 100644 --- a/recipes-security/selinux/selinux_common.inc +++ b/recipes-security/selinux/selinux_common.inc @@ -1,9 +1,7 @@ HOMEPAGE = "https://github.com/SELinuxProject; do_compile() { -oe_runmake all \ -INCLUDEDIR='${STAGING_INCDIR}' \ -LIBDIR='${STAGING_LIBDIR}' +oe_runmake all } do_install() { -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 00/19] selinux: upgrade 2.8 -> 2.9
* Upgrade to 2.9 * Switch to python3 * Refresh patches Yi Zhao (19): python-ipy: upgrade to 1.00 and add python3 version selinux: uprev inc files to 2.9 (20190315) libsepol: uprev to 2.9 (20190315) libselinux: uprev to 2.9 (20190315) libselinux-python: add recipe libsemanage: uprev to 2.9 (20190315) checkpolicy: uprev to 2.9 (20190315) secilc: uprev to 2.9 (20190315) policycoreutils: uprev to 2.9 (20190315) mcstrans: uprev to 2.9 (20190315) restorecond: uprev to 2.9 (20190315) selinux-python: uprev to 2.9 (20190315) selinux-dbus: uprev to 2.9 (20190315) selinux-sandbox: uprev to 2.9 (20190315) selinux-gui: uprev to 2.9 (20190315) semodule-utils: uprev to 2.9 (20190315) selinux-init: fix build error when enable usrmerge feature setools: upgrade 4.1.1 -> 4.2.2 audit: switch to python3 recipes-devtools/python/python-ipy.inc| 18 +++ recipes-devtools/python/python-ipy_0.83.bb| 32 -- recipes-devtools/python/python-ipy_1.00.bb| 2 + recipes-devtools/python/python3-ipy_1.00.bb | 2 + .../audit/audit/audit-python-configure.patch | 46 .../audit/audit/audit-python.patch| 64 --- .../audit/fix-swig-host-contamination.patch | 56 -- recipes-security/audit/audit_2.8.5.bb | 11 +- recipes-security/selinux/checkpolicy_2.8.bb | 7 -- recipes-security/selinux/checkpolicy_2.9.bb | 7 ++ .../selinux/libselinux-python.inc | 40 +++ ...elinux_2.8.bb => libselinux-python_2.9.bb} | 14 ++- recipes-security/selinux/libselinux.inc | 24 +--- ...t-define-gettid-if-glibc-2.30-is-use.patch | 60 -- ...file-fix-includedir-in-libselinux.pc.patch | 28 - .../{libselinux_2.8.bb => libselinux_2.9.bb} | 10 +- recipes-security/selinux/libsemanage.inc | 26 ++--- ...file-fix-includedir-in-libselinux.pc.patch | 28 - ...anage-Fix-execve-segfaults-on-Ubuntu.patch | 12 +- ...anage-allow-to-disable-audit-support.patch | 26 +++-- ...anage-define-FD_CLOEXEC-as-necessary.patch | 16 +-- ...-disable-expand-check-on-policy-load.patch | 6 +- ...age-drop-Wno-unused-but-set-variable.patch | 12 +- 
.../libsemanage-fix-path-nologin.patch| 39 --- recipes-security/selinux/libsemanage_2.8.bb | 18 --- recipes-security/selinux/libsemanage_2.9.bb | 15 +++ ...kefile-fix-includedir-in-libsepol.pc.patch | 29 - recipes-security/selinux/libsepol_2.8.bb | 9 -- recipes-security/selinux/libsepol_2.9.bb | 7 ++ recipes-security/selinux/mcstrans.inc | 4 +- .../mcstrans/mcstrans-de-bashify.patch| 23 ++-- ...tch => mcstrans-fix-the-init-script.patch} | 14 ++- recipes-security/selinux/mcstrans_2.8.bb | 7 -- recipes-security/selinux/mcstrans_2.9.bb | 7 ++ recipes-security/selinux/policycoreutils.inc | 16 +-- .../selinux/policycoreutils_2.8.bb| 8 -- .../selinux/policycoreutils_2.9.bb| 8 ++ ...icycoreutils-make-O_CLOEXEC-optional.patch | 29 +++-- recipes-security/selinux/restorecond_2.8.bb | 7 -- recipes-security/selinux/restorecond_2.9.bb | 7 ++ recipes-security/selinux/secilc_2.8.bb| 7 -- recipes-security/selinux/secilc_2.9.bb| 7 ++ recipes-security/selinux/selinux-dbus.inc | 2 +- recipes-security/selinux/selinux-dbus_2.8.bb | 7 -- recipes-security/selinux/selinux-dbus_2.9.bb | 7 ++ recipes-security/selinux/selinux-gui.inc | 2 +- recipes-security/selinux/selinux-gui_2.8.bb | 7 -- recipes-security/selinux/selinux-gui_2.9.bb | 7 ++ recipes-security/selinux/selinux-initsh.inc | 5 +- recipes-security/selinux/selinux-python.inc | 62 +-- .../fix-TypeError-for-seobject.py.patch | 30 - .../fix-sepolicy-install-path.patch | 8 +- ...ess-ValueError-for-sepolicy-seobject.patch | 47 .../selinux/selinux-python_2.8.bb | 7 -- .../selinux/selinux-python_2.9.bb | 7 ++ recipes-security/selinux/selinux-sandbox.inc | 10 +- .../selinux-sandbox/sandbox-de-bashify.patch | 9 +- .../selinux/selinux-sandbox_2.8.bb| 7 -- .../selinux/selinux-sandbox_2.9.bb| 7 ++ recipes-security/selinux/selinux_20180524.inc | 5 - recipes-security/selinux/selinux_20190315.inc | 8 ++ recipes-security/selinux/selinux_common.inc | 4 +- .../selinux/semodule-utils_2.8.bb | 7 -- .../selinux/semodule-utils_2.9.bb | 7 ++ 
...e-with-GCC-7-due-to-possible-truncat.patch | 105 -- ...ss-compiling-errors-for-powerpc-mips.patch | 35 -- .../setools4-fixes-for-cross-compiling.patch | 34 +++--- .../{setools_4.1.1.bb => setools_4.2.2.bb}| 14 +-- 68 files changed, 348 insertions(+), 910 deletions(-) create mode 100644 recipes-devtools/python/python-ipy.inc delete mode 100644 recipes-devtools/python/python-ipy_0.83.bb create mode 100644 recipes-devtools/python/pyt
[yocto] [meta-selinux][PATCH 01/19] python-ipy: upgrade to 1.00 and add python3 version
Signed-off-by: Yi Zhao --- recipes-devtools/python/python-ipy.inc | 18 recipes-devtools/python/python-ipy_0.83.bb | 32 - recipes-devtools/python/python-ipy_1.00.bb | 2 ++ recipes-devtools/python/python3-ipy_1.00.bb | 2 ++ 4 files changed, 22 insertions(+), 32 deletions(-) create mode 100644 recipes-devtools/python/python-ipy.inc delete mode 100644 recipes-devtools/python/python-ipy_0.83.bb create mode 100644 recipes-devtools/python/python-ipy_1.00.bb create mode 100644 recipes-devtools/python/python3-ipy_1.00.bb diff --git a/recipes-devtools/python/python-ipy.inc b/recipes-devtools/python/python-ipy.inc new file mode 100644 index 000..ba4c2bd --- /dev/null +++ b/recipes-devtools/python/python-ipy.inc @@ -0,0 +1,18 @@ +SUMMARY = "Python module for handling IPv4 and IPv6 Addresses and Networks" +DESCRIPTION = "IPy is a Python module for handling IPv4 and IPv6 Addresses and Networks \ +in a fashion similar to perl's Net::IP and friends. The IP class allows \ +a comfortable parsing and handling for most notations in use for IPv4 \ +and IPv6 Addresses and Networks." +SECTION = "devel/python" +HOMEPAGE = "https://github.com/haypo/python-ipy; +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://COPYING;md5=848d24919845901b4f48bae5f13252e6" + +SRC_URI[md5sum] = "1a90c68174234672241a7e60c7ea0fb9" +SRC_URI[sha256sum] = "2f2bf658a858d43868d8a4352b3889cf78c66e2ce678b300dcf518c9149ba621" + +inherit pypi + +PYPI_PACKAGE = "IPy" + +BBCLASSEXTEND = "native" diff --git a/recipes-devtools/python/python-ipy_0.83.bb b/recipes-devtools/python/python-ipy_0.83.bb deleted file mode 100644 index df060fa..000 --- a/recipes-devtools/python/python-ipy_0.83.bb +++ /dev/null 
@@ -1,32 +0,0 @@ -SUMMARY = "Python module for handling IPv4 and IPv6 Addresses and Networks" -DESCRIPTION = "IPy is a Python module for handling IPv4 and IPv6 Addresses and Networks \ -in a fashion similar to perl's Net::IP and friends. The IP class allows \ -a comfortable parsing and handling for most notations in use for IPv4 \ -and IPv6 Addresses and Networks." -SECTION = "devel/python" -HOMEPAGE = "https://github.com/haypo/python-ipy; -DEPENDS = "python" -LICENSE = "BSD" -LIC_FILES_CHKSUM = "file://COPYING;md5=ebc0028ff5cdaf7796604875027dcd55" - -SRC_URI = "https://pypi.python.org/packages/source/I/IPy/IPy-${PV}.tar.gz; - -SRC_URI[md5sum] = "7b8c6eb4111b15aea31b67108e769712" -SRC_URI[sha256sum] = "61da5a532b159b387176f6eabf11946e7458b6df8fb8b91ff1d345ca7a6edab8" - -S = "${WORKDIR}/IPy-${PV}" - -inherit distutils - -# need to export these variables for python-config to work -export BUILD_SYS -export HOST_SYS -export STAGING_INCDIR -export STAGING_LIBDIR - -BBCLASSEXTEND = "native" - -do_install_append() { - install -d ${D}/${datadir}/doc/${BPN}-${PV} - install AUTHORS COPYING ChangeLog README ${D}/${datadir}/doc/${BPN}-${PV} -} diff --git a/recipes-devtools/python/python-ipy_1.00.bb b/recipes-devtools/python/python-ipy_1.00.bb new file mode 100644 index 000..587a517 --- /dev/null +++ b/recipes-devtools/python/python-ipy_1.00.bb @@ -0,0 +1,2 @@ +inherit setuptools +require python-ipy.inc diff --git a/recipes-devtools/python/python3-ipy_1.00.bb b/recipes-devtools/python/python3-ipy_1.00.bb new file mode 100644 index 000..ea6a105 --- /dev/null +++ b/recipes-devtools/python/python3-ipy_1.00.bb @@ -0,0 +1,2 @@ +inherit setuptools3 +require python-ipy.inc -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH] ucarp: add initscripts-functions as runtime dependency when using systemd
The ucarp.service invokes script /usr/libexec/ucarp to start/stop the ucarp service. But the /etc/init.d/functions file which is required by the script is not installed by default when using systemd. Explicitly set the initscripts-functions package as the runtime dependency when using systemd. Signed-off-by: Yi Zhao --- meta-cgl-common/recipes-cgl/ucarp/ucarp_1.5.2.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-cgl-common/recipes-cgl/ucarp/ucarp_1.5.2.bb b/meta-cgl-common/recipes-cgl/ucarp/ucarp_1.5.2.bb index 6f30bf7..f5be421 100644 --- a/meta-cgl-common/recipes-cgl/ucarp/ucarp_1.5.2.bb +++ b/meta-cgl-common/recipes-cgl/ucarp/ucarp_1.5.2.bb @@ -31,6 +31,7 @@ SRC_URI[sha256sum] = "f3cc77e28481fd04f62bb3d4bc03104a97dd316c80c0ed04ad7be24b54 inherit autotools gettext systemd DEPENDS = "libpcap" +RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','initscripts-functions','',d)}" SYSTEMD_SERVICE_${PN} = "ucarp.service" SYSTEMD_AUTO_ENABLE = "disable" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
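Review bot: `RDEPENDS_${PN} = ...` assigns rather than appends, so it would silently replace any runtime dependency set earlier in the recipe or in an include; the usual form is `RDEPENDS_${PN} += `. Only a few lines of the recipe are visible in the hunk, so whether an earlier assignment exists cannot be confirmed from here. I would write `RDEPENDS_${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','initscripts-functions','',d)}"` and put a comment above it, `# ucarp.service runs /usr/libexec/ucarp, which needs /etc/init.d/functions`.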
[yocto] [meta-selinux][PATCH] audit: explicitly disable golang bindings
Disable golang bindings to avoid potential host contamination issue. Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13166 Signed-off-by: Yi Zhao --- recipes-security/audit/audit_2.8.5.bb | 1 + 1 file changed, 1 insertion(+)
diff --git a/recipes-security/audit/audit_2.8.5.bb b/recipes-security/audit/audit_2.8.5.bb
index d3b9b51..2b47812 100644
--- a/recipes-security/audit/audit_2.8.5.bb
+++ b/recipes-security/audit/audit_2.8.5.bb
@@ -39,6 +39,7 @@ EXTRA_OECONF += "--without-prelude \
 --libdir=${base_libdir} \
 --sbindir=${base_sbindir} \
 --without-python3 \
+--without-golang \
 --disable-zos-remote \
 "
 EXTRA_OECONF_append_arm = " --with-arm=yes"
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers
On 9/10/19 1:11 AM, Joe MacDonald wrote: Hi Yi, [[meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers] On 19.09.09 (Mon 14:01) Yi Zhao wrote: From: Robert Yang The previous code add all BBFILE_COLLECTIONS/recipes*/*/*.bbappend to BBFILES, which causes the parsing very slow when there are many layers, e.g., I have 87 layers: * Before: $ rm -fr tmp-glibc/ cache; time bitbake -p real0m45.173s user0m0.560s sys 0m0.060s * After: $ rm -fr tmp-glibc/ cache; time bitbake -p real0m25.542s user0m0.572s sys 0m0.040s It wasted 20s which wasn't worth (The host has 128 threads, it should cost more time on less power host), use BBFILES_DYNAMIC can fix the problem. This seems like a big claim, I certainly haven't seen that on my setup: * Before: $ rm -fr tmp cache real0m14.751s user0m0.323s sys 0m0.048s * After: $ rm -fr tmp cache ; time bitbake -p real0m14.725s user0m0.326s sys 0m0.046s but it's still a sensible change. When I ran a test before/after configuration for augeas the configuration seemed off, though. Can you confirm that with this change as is you're getting the correct --with/--without and --enable/--disable and patches applied for your layers? I just want to confirm since the ~20s difference in parsing seems kind of out of scale for moving essentially three bbappends around and I'm wondering if there's something else siginficant in your tree we want to consider. This patch is from Robert Yang. CC to him. Maybe he can give us more explanation. For the augeas, the current augeas_%.bbapend doesn't work because the augeas recipe is in meta-oe layer but not meta-python layer. This patch moves the bbappend to the correct layer to fix this issue. It works on my local: $ cat log.do_configure [snip] checking for library containing setfilecon... -lselinux [snip] checking for selinux/selinux.h... (cached) yes checking selinux/context.h usability... yes checking selinux/context.h presence... yes checking for selinux/context.h... yes [snip] //Yi -J. 
Signed-off-by: Robert Yang Signed-off-by: Yi Zhao --- conf/layer.conf | 11 +++ .../recipes-daemons/iscsi-initiator-utils/files/initd.debian | 0 .../iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend| 0 .../iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc | 0 .../recipes-support}/augeas/augeas_%.bbappend | 0 .../recipes-containers/lxc/lxc_%.bbappend | 0 6 files changed, 7 insertions(+), 4 deletions(-) rename {networking-layer => dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/files/initd.debian (100%) rename {networking-layer => dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend (100%) rename {networking-layer => dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc (100%) rename {meta-python/recipes-extended/augeas => dynamic-layers/openembedded-layer/recipes-support}/augeas/augeas_%.bbappend (100%) rename {virtualization-layer => dynamic-layers/virtualization-layer}/recipes-containers/lxc/lxc_%.bbappend (100%) diff --git a/conf/layer.conf b/conf/layer.conf index 9dd34b1..89b9468 100644 --- a/conf/layer.conf +++ b/conf/layer.conf 
@@ -5,10 +5,13 @@ BBPATH .= ":${LAYERDIR}" BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ ${LAYERDIR}/recipes-*/*/*.bbappend" -# Let us add layer-specific bbappends which are only applied when that -# layer is included in our configuration -BBFILES += "${@' '.join('${LAYERDIR}/%s/recipes*/*/*.bbappend' % layer \ - for layer in BBFILE_COLLECTIONS.split())}" +BBFILES_DYNAMIC += "openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bb \ + openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bbappend \ + networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \ + networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bbappend \ + virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bb \ + virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bbappend \ + " BBFILE_COLLECTIONS += "selinux" BBFILE_PATTERN_selinux = "^${LAYERDIR}/" diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian similarity index 100% rename from networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian rename to dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian diff --gi
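Review bot: The six `BBFILES_DYNAMIC` entries use two different globs, `*/*/*.bb` and `*/*/*.bbappend` for openembedded-layer and networking-layer but `recipes*/*/*.bb` and `recipes*/*/*.bbappend` for virtualization-layer, and nothing in the hunk explains the difference. The removed line matched `recipes*/*/*.bbappend` only, so I would use `recipes*/*/*` for all three layers to keep the set of parsed files as narrow as before. The removed explanatory comment has no replacement; something like `# Parsed only when the named layer collection is present in BBFILE_COLLECTIONS` above the assignment would do. The new entries also pull in `.bb` files, which the old code did not, and the description does not mention it. The same hunk appears again in the original posting of this patch further down.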
[yocto] [meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers
From: Robert Yang The previous code add all BBFILE_COLLECTIONS/recipes*/*/*.bbappend to BBFILES, which causes the parsing very slow when there are many layers, e.g., I have 87 layers: * Before: $ rm -fr tmp-glibc/ cache; time bitbake -p real0m45.173s user0m0.560s sys 0m0.060s * After: $ rm -fr tmp-glibc/ cache; time bitbake -p real0m25.542s user0m0.572s sys 0m0.040s It wasted 20s which wasn't worth (The host has 128 threads, it should cost more time on less power host), use BBFILES_DYNAMIC can fix the problem. Signed-off-by: Robert Yang Signed-off-by: Yi Zhao --- conf/layer.conf | 11 +++ .../recipes-daemons/iscsi-initiator-utils/files/initd.debian | 0 .../iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend| 0 .../iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc | 0 .../recipes-support}/augeas/augeas_%.bbappend | 0 .../recipes-containers/lxc/lxc_%.bbappend | 0 6 files changed, 7 insertions(+), 4 deletions(-) rename {networking-layer => dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/files/initd.debian (100%) rename {networking-layer => dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend (100%) rename {networking-layer => dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc (100%) rename {meta-python/recipes-extended/augeas => dynamic-layers/openembedded-layer/recipes-support}/augeas/augeas_%.bbappend (100%) rename {virtualization-layer => dynamic-layers/virtualization-layer}/recipes-containers/lxc/lxc_%.bbappend (100%) diff --git a/conf/layer.conf b/conf/layer.conf index 9dd34b1..89b9468 100644 --- a/conf/layer.conf +++ b/conf/layer.conf 
@@ -5,10 +5,13 @@ BBPATH .= ":${LAYERDIR}" BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ ${LAYERDIR}/recipes-*/*/*.bbappend" -# Let us add layer-specific bbappends which are only applied when that -# layer is included in our configuration -BBFILES += "${@' '.join('${LAYERDIR}/%s/recipes*/*/*.bbappend' % layer \ - for layer in BBFILE_COLLECTIONS.split())}" +BBFILES_DYNAMIC += "openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bb \ + openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bbappend \ + networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \ + networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bbappend \ + virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bb \ + virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bbappend \ + " BBFILE_COLLECTIONS += "selinux" BBFILE_PATTERN_selinux = "^${LAYERDIR}/" diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian similarity index 100% rename from networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian rename to dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend similarity index 100% rename from networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend rename to dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend 
diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc similarity index 100% rename from networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc rename to dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc diff --git a/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend b/dynamic-layers/openembedded-layer/recipes-support/augeas/augeas_%.bbappend similarity index 100% rename from meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend rename to dynamic-layers/openembedded-layer/recipes-support/augeas/augeas_%.bbappend diff --git a/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend b/dynamic-layers/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend similarity index 100% rename from virtualization-layer/recipes-containers/lxc/lxc_%.bbappend rename to dynamic-layers/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend -- 2.7.4 -
[yocto] [meta-selinux][PATCH V2] selinux-autorelabel: disable enforcing mode before relabel
The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue when first boot with bootparams="selinux=1 enforcing=1". At first boot, all files are unlabeled including /sbin/setfiles. The relabel operations are not permitted under enforcing mode. So we need to disable enforcing mode before relabel. Signed-off-by: Yi Zhao --- .../selinux/selinux-autorelabel/selinux-autorelabel.sh | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh index 154dad1..25b6921 100644 --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh @@ -3,16 +3,19 @@ /usr/sbin/selinuxenabled 2>/dev/null || exit 0 FIXFILES=/sbin/fixfiles +SETENFORCE=/usr/sbin/setenforce -if ! test -x ${FIXFILES}; then - echo "${FIXFILES} is missing in the system." +for i in ${FIXFILES} ${SETENFORCE}; do + test -x $i && continue + echo "$i is missing in the system." echo "Please add \"selinux=0\" in the kernel command line to disable SELinux." exit 1 -fi +done # If /.autorelabel placed, the whole file system should be relabeled if [ -f /.autorelabel ]; then echo "SELinux: /.autorelabel placed, filesystem will be relabeled..." + ${SETENFORCE} 0 ${FIXFILES} -F -f relabel /bin/rm -f /.autorelabel echo " * Relabel done, rebooting the system." -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
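Review bot: `${SETENFORCE} 0` is run unchecked before the relabel: if the switch to permissive fails, the script still runs `${FIXFILES} -F -f relabel`, removes `/.autorelabel` and prints "Relabel done", which is the failure this patch is meant to prevent; the two copies of the first version of this patch further down have the same gap with `echo "0" > /sys/fs/selinux/enforce`. I would guard the call, `${SETENFORCE} 0 || { echo "SELinux: cannot leave enforcing mode, relabel skipped."; exit 1; }`, and put a comment above it, `# Relabel runs permissive: on first boot the relabel tools are themselves unlabeled; the reboot below restores the boot-time mode`. Nothing in the hunk switches back to enforcing, so the system stays permissive until the reboot announced by the last `echo`; the script continues outside the hunk, so that the reboot always happens should be confirmed there. In the new loop, `test -x $i` should quote its operand, `test -x "$i" && continue`.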
Re: [yocto] [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel
On 9/5/19 7:57 PM, Joe MacDonald wrote: [[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote: The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue when first boot with bootparams="selinux=1 enforcing=1". At first boot, all files are unlabeled including /sbin/fixfiles. The relabel operation is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0 to ensure the enforcing mode is disabled before relabel. Did you try this with '/usr/sbin/setenforce 0' instead? The rationale makes sense but going straight at sysfs like that isn't the right approach intuitively. If that's not working, please just include a bit of an explanation for why this is the best option. It also works with setenforce. I referred to the selinux-autorelabel script on Fedora 30, it uses `echo "0" > /sys/fs/selinux/enforce` to disables enforcing mode: cat /usr/libexec/selinux/selinux-autorelabel [snip] 32 relabel_selinux() { 33 # if /sbin/init is not labeled correctly this process is running in the 34 # wrong context, so a reboot will be required after relabel 35 AUTORELABEL= 36 . /etc/selinux/config 37 echo "0" > /sys/fs/selinux/enforce 38 [ -x /bin/plymouth ] && plymouth --quit 39 [snip] //Yi Thanks. -J. Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh index 154dad1..cb40971 100644 --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh 
@@ -13,6 +13,7 @@ fi
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
 echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ echo "0" > /sys/fs/selinux/enforce
 ${FIXFILES} -F -f relabel
 /bin/rm -f /.autorelabel
 echo " * Relabel done, rebooting the system."
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel
The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue when first boot with bootparams="selinux=1 enforcing=1". At first boot, all files are unlabeled including /sbin/fixfiles. The relabel operation is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0 to ensure the enforcing mode is disabled before relabel. Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 + 1 file changed, 1 insertion(+)
diff --git a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..cb40971 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -13,6 +13,7 @@ fi
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
 echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+ echo "0" > /sys/fs/selinux/enforce
 ${FIXFILES} -F -f relabel
 /bin/rm -f /.autorelabel
 echo " * Relabel done, rebooting the system."
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 2/2] mcstrans: specify INITDIR
By default the mcstrans init script will be installed to /etc/rc.d/init.d directory. Specify INITDIR to install it to /etc/init.d directory. Signed-off-by: Yi Zhao --- recipes-security/selinux/mcstrans.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/selinux/mcstrans.inc b/recipes-security/selinux/mcstrans.inc index e66633d..0eb8720 100644 --- a/recipes-security/selinux/mcstrans.inc +++ b/recipes-security/selinux/mcstrans.inc @@ -15,7 +15,7 @@ inherit systemd update-rc.d DEPENDS += "libsepol libselinux libcap" # We do not need "${D}/" as a prefix anymore. -EXTRA_OEMAKE += "SBINDIR=${base_sbindir}" +EXTRA_OEMAKE += "SBINDIR=${base_sbindir} INITDIR=${sysconfdir}/init.d" do_install_append() { install -d ${D}${sbindir} -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 1/2] setools: update SRC_URI
SETools has moved from https://github.com/TresysTechnology/setools to https://github.com/SELinuxProject/setools See: https://github.com/TresysTechnology/setools/wiki Signed-off-by: Yi Zhao --- recipes-security/setools/setools_4.1.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/setools/setools_4.1.1.bb b/recipes-security/setools/setools_4.1.1.bb index 8bdbfba..db529f4 100644 --- a/recipes-security/setools/setools_4.1.1.bb +++ b/recipes-security/setools/setools_4.1.1.bb @@ -9,7 +9,7 @@ SECTION = "base" LICENSE = "GPLv2 & LGPLv2.1" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/TresysTechnology/${BPN}.git;branch=4.1 \ +SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.1 \ file://setools4-fixes-for-cross-compiling.patch \ file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \ file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
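Review bot: The new `SRC_URI` still fetches over plain `git://`, which gives no transport authentication, so the only integrity guarantee for the relocated repository is the `SRCREV` pin, and that line is outside this hunk. I would add the protocol parameter, `SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.1;protocol=https \`, and keep `SRCREV` a full commit hash rather than a tag or `${AUTOREV}`. Because the commit changes the organisation that owns the upstream, the description could also state that the pinned revision was confirmed to exist in the new repository. The later patch on this page titled "setools: do not use unstable github archive tarballs" introduces the same `git://` line and has the same gap; there the `SRCREV` is visible and is a full hash.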
Re: [yocto] [meta-selinux][PATCH 3/3] util-linux: drop obsolete patch
Hi Joe, Seems you were missing this patch. Would you please merge it? Thanks. //Yi On 5/20/19 12:41 PM, Yi Zhao wrote: Signed-off-by: Yi Zhao --- .../util-linux/fix-libmount_la_DEPENDENCIES.patch | 28 -- 1 file changed, 28 deletions(-) delete mode 100644 recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch diff --git a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch b/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch deleted file mode 100644 index ab54818..000 --- a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch +++ /dev/null @@ -1,28 +0,0 @@ -Subject: [PATCH] util-linux: fix libmount_la_DEPENDENCIES. - -Upstream-Status: Pending - -libmount_la_LIBADD contains "-lselinux", this is not a object that -could consider as a dependency target. So fix this. - -Signed-off-by: Xin Ouyang - libmount/src/Makemodule.am |2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/libmount/src/Makemodule.am b/libmount/src/Makemodule.am -index 494e02a..bf494a4 100644 a/libmount/src/Makemodule.am -+++ b/libmount/src/Makemodule.am -@@ -38,7 +38,7 @@ libmount_la_CFLAGS = \ - -I$(top_srcdir)/libmount/src - - libmount_la_DEPENDENCIES = \ -- $(libmount_la_LIBADD) \ -+ libcommon.la libblkid.la \ - libmount/src/libmount.sym \ - libmount/src/libmount.h.in - --- -1.7.5.4 - -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH] selinux-sandbox: add runtime dependency on python-core
Fixes: ERROR: QA Issue: /usr/share/sandbox/start contained in package selinux-sandbox requires /usr/bin/python, but no providers found in RDEPENDS_selinux-sandbox? [file-rdeps] Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-sandbox.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/selinux/selinux-sandbox.inc b/recipes-security/selinux/selinux-sandbox.inc index 8616dd7..854640c 100644 --- a/recipes-security/selinux/selinux-sandbox.inc +++ b/recipes-security/selinux/selinux-sandbox.inc @@ -13,6 +13,7 @@ SRC_URI += "file://sandbox-de-bashify.patch \ DEPENDS += "libcap-ng libselinux" RDEPENDS_${PN} += "\ +python-core \ python-math \ python-shell \ python-subprocess \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] openscap: add runtime dependency on bash and python3-core
Fixes: ERROR: QA Issue: /usr/bin/oscap-ssh contained in package openscap requires /bin/bash, but no providers found in RDEPENDS_openscap? [file-rdeps] ERROR: QA Issue: /usr/bin/scap-as-rpm contained in package openscap requires /usr/bin/python3, but no providers found in RDEPENDS_openscap? [file-rdeps] Signed-off-by: Yi Zhao --- meta-security-compliance/recipes-openscap/openscap/openscap.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index 53309e8..49e0855 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc @@ -50,6 +50,6 @@ do_install_append_class-native () { FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}" -RDEPENDS_${PN} += "libxml2 python3 libgcc" +RDEPENDS_${PN} += "libxml2 python3-core libgcc bash" BBCLASSEXTEND = "native" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 1/2] selinux-python: add python-core as runtime dependency
Fix QA issues: QA Issue: /usr/lib64/python2.7/site-packages/seobject.py contained in package selinux-python requires /usr/bin/python, but no providers found in RDEPENDS_selinux-python? [file-rdeps] QA Issue: /usr/bin/audit2allow contained in package selinux-python-audit2allow requires /usr/bin/python, but no providers found in RDEPENDS_selinux-python-audit2allow? [file-rdeps] QA Issue: /usr/bin/chcat contained in package selinux-python-chcat requires /usr/bin/python, but no providers found in RDEPENDS_selinux-python-chcat? [file-rdeps] Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-python.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/recipes-security/selinux/selinux-python.inc b/recipes-security/selinux/selinux-python.inc index c774de4..57042ab 100644 --- a/recipes-security/selinux/selinux-python.inc +++ b/recipes-security/selinux/selinux-python.inc @@ -15,11 +15,13 @@ inherit python-dir DEPENDS += "python-native libsepol" RDEPENDS_${BPN}-audit2allow += "\ +python-core \ python-textutils \ libselinux-python \ ${BPN}-sepolgen \ " RDEPENDS_${BPN}-chcat += "\ +python-core \ python-codecs \ python-shell \ python-stringold \ @@ -28,6 +30,7 @@ RDEPENDS_${BPN}-chcat += "\ ${BPN} \ " RDEPENDS_${BPN} += "\ +python-core \ python-codecs \ python-io \ python-ipy \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 2/2 V2] setools: do not use unstable github archive tarballs
From: Hongxu Jia Since commit [21f84fc insane: add sanity checks to SRC_URI] applied in oe-core, do not use unstable github archive tarballs SETools has moved from https://github.com/TresysTechnology/setools to https://github.com/SELinuxProject/setools See: https://github.com/TresysTechnology/setools/wiki Signed-off-by: Hongxu Jia Signed-off-by: Yi Zhao --- recipes-security/setools/setools_4.1.1.bb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/recipes-security/setools/setools_4.1.1.bb b/recipes-security/setools/setools_4.1.1.bb index c5a2d34..db529f4 100644 --- a/recipes-security/setools/setools_4.1.1.bb +++ b/recipes-security/setools/setools_4.1.1.bb @@ -8,14 +8,14 @@ SETools." SECTION = "base" LICENSE = "GPLv2 & LGPLv2.1" -SRC_URI = "https://github.com/TresysTechnology/setools/archive/${PV}.tar.gz;downloadfilename=setools-${PV}.tar.gz \ +S = "${WORKDIR}/git" +SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.1 \ file://setools4-fixes-for-cross-compiling.patch \ file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \ file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \ " -SRC_URI[md5sum] = "54cf5c0ca2aa4ef7c6ac153981af34cd" -SRC_URI[sha256sum] = "46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610" +SRCREV = "e03617eb7ab5a035633bff66500b95d25232e331" LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \ file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-anaconda][PATCH] packagegroup-installer-x11-anaconda: use libsdl2 instead of libsdl
The libsdl had been moved out of oe-core because it is obsolete. Switch to libsdl2. Signed-off-by: Yi Zhao --- recipes-installer/packagegroups/packagegroup-installer-x11-anaconda.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-installer/packagegroups/packagegroup-installer-x11-anaconda.bb b/recipes-installer/packagegroups/packagegroup-installer-x11-anaconda.bb
index 87c57c9..aa53809 100644
--- a/recipes-installer/packagegroups/packagegroup-installer-x11-anaconda.bb
+++ b/recipes-installer/packagegroups/packagegroup-installer-x11-anaconda.bb
@@ -18,7 +18,7 @@ RDEPENDS_packagegroup-installer-x11-anaconda = "\
 xset \
 settings-daemon \
 xrandr \
-libsdl \
+libsdl2 \
 metacity \
 adwaita-icon-theme \
 pango \
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] openscap: fix scap-security-guide build error
It would fail to build scap-security-guide when use openscap-native sstate cache. Steps to reproduce: Create a new build project: $ bitbake openscap-native $ bitbake openscap-native -c clean $ bitbake scap-security-guide Error message: OpenSCAP Error: Schema file 'xccdf/1.1/xccdf-schema.xsd' not found in path '/buildarea/build/tmp/work-shared/openscap/oscap-build-artifacts/usr/share/openscap/schemas' when trying to validate '/buildarea/build/tmp/work/core2-64-poky-linux/scap-security-guide/0.1.44+gitAUTOINC+5fdfdcb2e9-r0/git/build/chromium/xccdf-unlinked-resolved.xml' [/buildarea/build/tmp/work/x86_64-linux/openscap-native/1.3.1+gitAUTOINC+4bbdb46ff6-r0/git/src/source/validate.c:104] Invalid XCCDF Checklist (1.1) content in /buildarea/build/tmp/work/core2-64-poky-linux/scap-security-guide/0.1.44+gitAUTOINC+5fdfdcb2e9-r0/git/build/chromium/xccdf-unlinked-resolved.xml. [/buildarea/build/tmp/work/x86_64-linux/openscap-native/1.3.1+gitAUTOINC+4bbdb46ff6-r0/git/src/source/oscap_source.c:346] chromium/CMakeFiles/generate-internal-chromium-xccdf-unlinked-resolved.xml.dir/build.make:63: recipe for target 'chromium/xccdf-unlinked-resolved.xml' failed When using sstate cache, the openscap-native doesn't install the artifacts to work-shared/openscap/oscap-build-artifacts when prepare recipe sysroot for scap-security-guide. Set do_install[nostamp] to 1 to ensure the openscap-native artifacts are installed to work-shared/openscap/oscap-build-artifacts even if using sstate cache. Signed-off-by: Yi Zhao --- meta-security-compliance/recipes-openscap/openscap/openscap.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index 53309e8..07d9700 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
@@ -41,6 +41,7 @@ do_configure_append_class-native () { } do_clean[cleandirs] += "${STAGING_OSCAP_BUILDDIR}" +do_install[nostamp] = "1" do_install_append_class-native () { oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
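Review bot: `do_install[nostamp] = "1"` is added without a comment and without any class restriction, so as written it applies to every variant of the recipe, not only openscap-native, and forces do_install and the tasks that depend on it to re-run on every build. A comment would stop the next maintainer from removing it as a leftover, for example `# Always re-run do_install: the native artifacts in ${STAGING_OSCAP_BUILDDIR} are not repopulated when the recipe is restored from sstate`. Since the description ties the failure to the native build only, it is worth checking whether the flag can be limited to that variant. The two functions around the added line start or end outside the hunk.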
[yocto] [meta-selinux][PATCH] libselinux: fix build with glibc 2.30
Fix build error: procattr.c:27:14: error: static declaration of 'gettid' follows non-static declaration 27 | static pid_t gettid(void) | ^~ In file included from /buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/unistd.h:1170, from procattr.c:2: /buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of 'gettid' was here 34 | extern __pid_t gettid (void) __THROW; |^~ Signed-off-by: Yi Zhao --- ...Do-not-define-gettid-if-glibc-2.30-is-use.patch | 60 ++ recipes-security/selinux/libselinux_2.8.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch diff --git a/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch new file mode 100644 index 000..fc3e37e --- /dev/null +++ b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch 
@@ -0,0 +1,60 @@ +From 2c672b4cc39fbddb6faec2c7434832058f339d59 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 11 Mar 2019 16:00:41 +0100 +Subject: [PATCH] libselinux: Do not define gettid() if glibc >= 2.30 is used +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since version 2.30 glibc implements gettid() system call wrapper, see +https://sourceware.org/bugzilla/show_bug.cgi?id=6399 + +Fixes: +cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -c -o procattr.o procattr.c +procattr.c:28:14: error: static declaration of ‘gettid’ follows non-static declaration + 28 | static pid_t gettid(void) + | ^~ +In file included from /usr/include/unistd.h:1170, + from procattr.c:2: +/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here + 34 | extern __pid_t gettid (void) __THROW; + |^~ + +Upstream-Status: Backport +[https://github.com/SELinuxProject/selinux/commit/707e4b8610733b5c9eaac0f00239778f3edb23c2] + +Signed-off-by: Petr Lautrbach +Signed-off-by: Yi Zhao +--- + src/procattr.c | 15 +-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/procattr.c b/src/procattr.c +index 8bf8432..3c7b87f 100644 +--- a/src/procattr.c b/src/procattr.c +@@ -22,8 +22,19 @@ static pthread_key_t destructor_key; + static int destructor_key_initialized = 0; + static __thread char destructor_initialized; + +-#ifndef __BIONIC__ +-/* Bionic declares this in unistd.h and has a definition for it */ ++/* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and ++ * has a definition for it */ ++#ifdef __BIONIC__ ++ #define OVERRIDE_GETTID 0 
++#elif !defined(__GLIBC_PREREQ) ++ #define OVERRIDE_GETTID 1 ++#elif !__GLIBC_PREREQ(2,30) ++ #define OVERRIDE_GETTID 1 ++#else ++ #define OVERRIDE_GETTID 0 ++#endif ++ ++#if OVERRIDE_GETTID + static pid_t gettid(void) + { + return syscall(__NR_gettid); +-- +2.7.4 + diff --git a/recipes-security/selinux/libselinux_2.8.bb b/recipes-security/selinux/libselinux_2.8.bb index 5de4607..7545967 100644 --- a/recipes-security/selinux/libselinux_2.8.bb +++ b/recipes-security/selinux/libselinux_2.8.bb @@ -12,4 +12,5 @@ SRC_URI += "\ file://libselinux-make-SOCK_CLOEXEC-optional.patch \ file://libselinux-define-FD_CLOEXEC-as-necessary.patch \ file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \ +file://0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch \ " -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
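Review bot: The `OVERRIDE_GETTID` chain in the backported procattr.c change treats every libc that lacks `__GLIBC_PREREQ` as having no gettid(), so `static pid_t gettid(void)` is still defined for non-glibc builds such as musl. If such a libc declares gettid() in unistd.h, the same "static declaration follows non-static declaration" error would come back. Giving the helper a private name (for example `static pid_t selinux_gettid(void)`, a name made up here) and calling that instead would remove the dependency on libc version checks. The patch is marked `Upstream-Status: Backport`, so that change belongs upstream first, and the gettid() body and its callers lie outside the embedded hunk.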
[yocto] [meta-security][PATCH] xmlsec1: upgrade 1.2.27 -> 1.2.28
Signed-off-by: Yi Zhao --- recipes-security/xmlsec1/{xmlsec1_1.2.27.bb => xmlsec1_1.2.28.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename recipes-security/xmlsec1/{xmlsec1_1.2.27.bb => xmlsec1_1.2.28.bb} (93%) diff --git a/recipes-security/xmlsec1/xmlsec1_1.2.27.bb b/recipes-security/xmlsec1/xmlsec1_1.2.28.bb similarity index 93% rename from recipes-security/xmlsec1/xmlsec1_1.2.27.bb rename to recipes-security/xmlsec1/xmlsec1_1.2.28.bb index eac8d6b..0a4c56a 100644 --- a/recipes-security/xmlsec1/xmlsec1_1.2.27.bb +++ b/recipes-security/xmlsec1/xmlsec1_1.2.28.bb @@ -20,8 +20,8 @@ SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \ file://run-ptest \ " -SRC_URI[md5sum] = "508bee7e4f1b99f2d50aaa7d38ede56e" -SRC_URI[sha256sum] = "97d756bad8e92588e6997d2227797eaa900d05e34a426829b149f65d87118eb6" +SRC_URI[md5sum] = "69b8d95c009a404462e19f335e650241" +SRC_URI[sha256sum] = "13eec4811ea30e3f0e16a734d1dbf7f9d246a71d540b48d143a07b489f6222d4" inherit autotools-brokensep ptest pkgconfig -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 2/2] scap-security-guide: fix typo
Fix typo: RDEPNEDS_${PN} -> RDEPENDS_${PN} Signed-off-by: Yi Zhao --- .../recipes-openscap/scap-security-guide/scap-security-guide.inc| 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index d123561..341721a 100644 --- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" LICENSE = "LGPL-2.1" DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native" -RDEPNEDS_${PN} = "openscap" +RDEPENDS_${PN} = "openscap" S = "${WORKDIR}/git" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 1/2] openscap: cleanup DEPENDS
Remove autoconf-archive from DEPENDS because it is using CMake/Ninjia build now. Also remove unused dpkg-native dependency from DEPENDS_class-native. Signed-off-by: Yi Zhao --- meta-security-compliance/recipes-openscap/openscap/openscap.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index f23ea99..53309e8 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc @@ -6,8 +6,8 @@ HOME_URL = "https://www.open-scap.org/tools/openscap-base/; LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" LICENSE = "LGPL-2.1" -DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig" -DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native dpkg-native" +DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig" +DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native" S = "${WORKDIR}/git" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 1/2 V2] openscap: update recipe
* Add PACKAGECONFIG for gcrypt, nss3 and selinux * Use EXTRA_OECMAKE rather than EXTRA_OECONF * Set CMAKE_SKIP_RPATH and CMAKE_SKIP_INSTALL_RPATH instead of chrpath * Remove ptest since there are many host contamination issues on target. We will add it back when these issues are solved. * Drop the unused patch * Add PV * Clean up DEPENDS Signed-off-by: Yi Zhao --- .../openscap/files/probe_dir_fixup.patch | 17 -- .../recipes-openscap/openscap/files/run-ptest | 3 - .../recipes-openscap/openscap/openscap.inc | 67 -- .../recipes-openscap/openscap/openscap_1.3.1.bb| 1 - .../recipes-openscap/openscap/openscap_git.bb | 3 +- 5 files changed, 25 insertions(+), 66 deletions(-) delete mode 100644 meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch delete mode 100644 meta-security-compliance/recipes-openscap/openscap/files/run-ptest diff --git a/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch b/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch deleted file mode 100644 index ecbe602..000 --- a/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch +++ /dev/null @@ -1,17 +0,0 @@ -Index: git/configure.ac -=== git.orig/configure.ac -+++ git/configure.ac -@@ -1109,11 +1109,7 @@ AC_ARG_WITH([crypto], - [], - [crypto=gcrypt]) - --if test "x${libexecdir}" = xNONE; then -- probe_dir="/usr/local/libexec/openscap" --else -- EXPAND_DIR(probe_dir,"${libexecdir}/openscap") --fi -+probe_dir="/usr/local/libexec/openscap" - - AC_SUBST(probe_dir) - diff --git a/meta-security-compliance/recipes-openscap/openscap/files/run-ptest b/meta-security-compliance/recipes-openscap/openscap/files/run-ptest deleted file mode 100644 index 454a6a3..000 --- a/meta-security-compliance/recipes-openscap/openscap/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -cd tests -make -k check 
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index e5daaf8..5a66d5e 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
@@ -6,71 +6,50 @@ HOME_URL = "https://www.open-scap.org/tools/openscap-base/; LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" LICENSE = "LGPL-2.1" -DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libgcrypt chrpath-replacement-native " - -DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" +DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig" +DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native" S = "${WORKDIR}/git" -inherit cmake pkgconfig python3native perlnative ptest - -PACKAGECONFIG ?= "python3 rpm perl" -PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=True, , python3, python3" -PACKAGECONFIG[perl] = "-DENABLE_PERL=True,, perl, perl" -PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=True, ,rpm, rpm" - -EXTRA_OECONF += "-DENABLE_PROBES_INDEPENDENT=yes -DENABLE_PROBES_LINUX=yes -DWITH_CRYPTO=gcrypt\ - -DENABLE_PROBES_SOLARIS=yes -DENABLE_PROBES_UNIX=yes -DENABLE_TESTS=no \ - -DENABLE_OSCAP_UTIL_SSH=yes -DENABLE_OSCAP_UTIL=yes -DENABLE_SCE=yes \ --DENABLE_OSCAP_UTIL_DOCKER=no \ -" - +inherit cmake pkgconfig python3native perlnative + +PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3" +PACKAGECONFIG[perl] = "-DENABLE_PERL=ON, ,perl, perl" +PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm" +PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt" +PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss" +PACKAGECONFIG[selinux] = ", ,libselinux" + +EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \ + -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \ + -DENABLE_OSCAP_UTIL=ON -DENABLE_OSCAP_UTIL_SSH=ON \ + -DENABLE_OSCAP_UTIL_DOCKER=OFF 
-DENABLE_OSCAP_UTIL_CHROOT=OFF \ + -DENABLE_OSCAP_UTIL_PODMAN=OFF -DENABLE_OSCAP_UTIL_VM=OFF \ + -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \ + -DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS
[yocto] [meta-security][PATCH 2/2 V2] scap-security-guide: update recipe
* Set B="${S}/build" to fix the build failure for out of source directory * Remove do_complile and do_install. Use the default functions from cmake.bbclass. * Install the artifacts to /usr/share rather than /usr/local/share Signed-off-by: Yi Zhao --- .../scap-security-guide/scap-security-guide.inc| 28 +- .../scap-security-guide/scap-security-guide_git.bb | 6 + 2 files changed, 7 insertions(+), 27 deletions(-) diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index ed70c18..341721a 100644 --- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" LICENSE = "LGPL-2.1" DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native" +RDEPENDS_${PN} = "openscap" S = "${WORKDIR}/git" 
@@ -20,28 +21,11 @@ OECMAKE_GENERATOR = "Unix Makefiles" EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF" -do_configure_prepend () { - sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt -sed -i 's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' ${S}/cmake/SSGCommon.cmake -} - -do_compile () { - cd ${S}/build - cmake ../ - # oddly rhel7 needs to build first - make rhel7 -} +B = "${S}/build" -do_install () { - cd ${S}/build - make DESTDIR=${D} install +do_configure_prepend () { +sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt +sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt } -localdatadir = "${prefix}/local/share" -localmandir = "${localdatadir}/man" -localdocdir = "${localdatadir}/doc" -localxmldir = "${localdatadir}/xml" - -FILES_${PN} += "${localdatadir} ${localxmldir}" -FILES_${PN}-doc += "${localmandir} ${localdocdir}" -RDEPNEDS_${PN} = "openscap" +FILES_${PN} += "${datadir}/xml" diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb index cb21fed..d9238c0 100644 --- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb @@ -2,12 +2,8 @@ SUMARRY = "SCAP content for various platforms, OE changes" SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed" SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;" -PV = "v0.1.44+git${SRCPV}" +PV = "0.1.44+git${SRCPV}" require scap-security-guide.inc -do_compile_append () { -make openembedded -} - EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
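Review bot: The two `sed -i` lines in the new `do_configure_prepend` have no comment and no check that they matched anything. They rewrite `NAMES sed` and `NAMES grep` in `${S}/CMakeLists.txt` to `${HOSTTOOLS_DIR}` paths, presumably so the CMake tool lookup uses the hosttools copies rather than whatever is installed on the build host. A line such as `# use hosttools sed/grep so configure does not pick up arbitrary host binaries` would record that intent. Because sed exits successfully when nothing matches, an upstream change to those lookups would silently drop the pinning. The V1 posting of this patch further down contains the same hunk.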
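Review bot: `SUMARRY` in the first context line of the scap-security-guide_git.bb hunk is misspelled, so the recipe never sets `SUMMARY`. This is the same kind of slip as the `RDEPNEDS_${PN}` typo that this series fixes. Since the file is being edited anyway, the line should read `SUMMARY = "SCAP content for various platforms, OE changes"`. The same spelling appears in the openscap_1.3.1.bb and openscap_git.bb hunks quoted later on this page, and in the V1 posting of this patch.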
[yocto] [meta-security][PATCH 0/2 V2] openscap/scap-security-guide: update recipes
Changes from V1: openscap: Clean up DEPENDS. Remove autoconf-archive and dpkg-native from DEPENDS because we are using CMake/Ninja now. scap-security-guide: Fix typo: RDEPNEDS_${PN} -> RDEPENDS_${PN} Yi Zhao (2): openscap: update recipe scap-security-guide: update recipe .../openscap/files/probe_dir_fixup.patch | 17 -- .../recipes-openscap/openscap/files/run-ptest | 3 - .../recipes-openscap/openscap/openscap.inc | 67 -- .../recipes-openscap/openscap/openscap_1.3.1.bb| 1 - .../recipes-openscap/openscap/openscap_git.bb | 3 +- .../scap-security-guide/scap-security-guide.inc| 28 ++--- .../scap-security-guide/scap-security-guide_git.bb | 6 +- 7 files changed, 32 insertions(+), 93 deletions(-) delete mode 100644 meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch delete mode 100644 meta-security-compliance/recipes-openscap/openscap/files/run-ptest -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 1/2] openscap: update recipe
* Add PACKAGECONFIG for gcrypt, nss3 and selinux * Use EXTRA_OECMAKE rather than EXTRA_OECONF * Set CMAKE_SKIP_RPATH and CMAKE_SKIP_INSTALL_RPATH instead of chrpath * Remove ptest since there are many host contamination issues on target. We will add it back when these issues are solved. * Drop the unused patch * Add PV Signed-off-by: Yi Zhao --- .../openscap/files/probe_dir_fixup.patch | 17 - .../recipes-openscap/openscap/files/run-ptest | 3 - .../recipes-openscap/openscap/openscap.inc | 77 -- .../recipes-openscap/openscap/openscap_1.3.1.bb| 1 - .../recipes-openscap/openscap/openscap_git.bb | 3 +- 5 files changed, 30 insertions(+), 71 deletions(-) delete mode 100644 meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch delete mode 100644 meta-security-compliance/recipes-openscap/openscap/files/run-ptest diff --git a/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch b/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch deleted file mode 100644 index ecbe602..000 --- a/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch +++ /dev/null @@ -1,17 +0,0 @@ -Index: git/configure.ac -=== git.orig/configure.ac -+++ git/configure.ac -@@ -1109,11 +1109,7 @@ AC_ARG_WITH([crypto], - [], - [crypto=gcrypt]) - --if test "x${libexecdir}" = xNONE; then -- probe_dir="/usr/local/libexec/openscap" --else -- EXPAND_DIR(probe_dir,"${libexecdir}/openscap") --fi -+probe_dir="/usr/local/libexec/openscap" - - AC_SUBST(probe_dir) - diff --git a/meta-security-compliance/recipes-openscap/openscap/files/run-ptest b/meta-security-compliance/recipes-openscap/openscap/files/run-ptest deleted file mode 100644 index 454a6a3..000 --- a/meta-security-compliance/recipes-openscap/openscap/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -cd tests -make -k check 
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index e5daaf8..f23ea99 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
@@ -6,71 +6,50 @@ HOME_URL = "https://www.open-scap.org/tools/openscap-base/; LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" LICENSE = "LGPL-2.1" -DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libgcrypt chrpath-replacement-native " - -DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" +DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig" +DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native dpkg-native" S = "${WORKDIR}/git" -inherit cmake pkgconfig python3native perlnative ptest - -PACKAGECONFIG ?= "python3 rpm perl" -PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=True, , python3, python3" -PACKAGECONFIG[perl] = "-DENABLE_PERL=True,, perl, perl" -PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=True, ,rpm, rpm" - -EXTRA_OECONF += "-DENABLE_PROBES_INDEPENDENT=yes -DENABLE_PROBES_LINUX=yes -DWITH_CRYPTO=gcrypt\ - -DENABLE_PROBES_SOLARIS=yes -DENABLE_PROBES_UNIX=yes -DENABLE_TESTS=no \ - -DENABLE_OSCAP_UTIL_SSH=yes -DENABLE_OSCAP_UTIL=yes -DENABLE_SCE=yes \ --DENABLE_OSCAP_UTIL_DOCKER=no \ -" - +inherit cmake pkgconfig python3native perlnative + +PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3" +PACKAGECONFIG[perl] = "-DENABLE_PERL=ON, ,perl, perl" +PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm" +PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt" +PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss" +PACKAGECONFIG[selinux] = ", ,libselinux" + +EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \ + -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \ + -DENABLE_OSCAP_UTIL=ON 
-DENABLE_OSCAP_UTIL_SSH=ON \ + -DENABLE_OSCAP_UTIL_DOCKER=OFF -DENABLE_OSCAP_UTIL_CHROOT=OFF \ + -DENABLE_OSCAP_UTIL_PODMAN=OFF -DENABLE_OSCAP_UTIL_VM=OFF \ + -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \ + -DENABLE_SCE=ON -DENA
[yocto] [meta-security][PATCH 2/2] scap-security-guide: update recipe
* Set B="${S}/build" to fix the build failure for out of source directory * Remove do_complile and do_install. Use the default functions from cmake.bbclass. * Install the artifacts to /usr/share rather than /usr/local/share Signed-off-by: Yi Zhao --- .../scap-security-guide/scap-security-guide.inc| 28 +- .../scap-security-guide/scap-security-guide_git.bb | 6 + 2 files changed, 7 insertions(+), 27 deletions(-) diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index ed70c18..d123561 100644 --- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a" LICENSE = "LGPL-2.1" DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native libxml2-native" +RDEPNEDS_${PN} = "openscap" S = "${WORKDIR}/git" 
@@ -20,28 +21,11 @@ OECMAKE_GENERATOR = "Unix Makefiles" EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF" -do_configure_prepend () { - sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt -sed -i 's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' ${S}/cmake/SSGCommon.cmake -} - -do_compile () { - cd ${S}/build - cmake ../ - # oddly rhel7 needs to build first - make rhel7 -} +B = "${S}/build" -do_install () { - cd ${S}/build - make DESTDIR=${D} install +do_configure_prepend () { +sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt +sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt } -localdatadir = "${prefix}/local/share" -localmandir = "${localdatadir}/man" -localdocdir = "${localdatadir}/doc" -localxmldir = "${localdatadir}/xml" - -FILES_${PN} += "${localdatadir} ${localxmldir}" -FILES_${PN}-doc += "${localmandir} ${localdocdir}" -RDEPNEDS_${PN} = "openscap" +FILES_${PN} += "${datadir}/xml" diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb index cb21fed..d9238c0 100644 --- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb @@ -2,12 +2,8 @@ SUMARRY = "SCAP content for various platforms, OE changes" SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed" SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;" -PV = "v0.1.44+git${SRCPV}" +PV = "0.1.44+git${SRCPV}" require scap-security-guide.inc -do_compile_append () { -make openembedded -} - EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] PREMIRROR
On 7/24/19 4:49 AM, Russell Peterson wrote: Hello, I am looking to have bitbake pick up files for a particular recipe from a local git repository using the PREMIRROR functionality. Basically, the recipe (bb file) points to github but in my local build I add PREMIRROR_prepend = "git://.*/.* git:///local/path/BASENAME;protocol=file\n" I will probably make the git regular expression more exact for my specific github repo but this works for now. This all works (as I deleted the github download from the local download directory) because I can see in the do_fetch log and the correct (local) repo was found and placed in the DL_DIR. Problem is, do_unpack fails because it appears to be looking for the original (github) SRC_URI. Then it complains about "no up to date source found: clone or directory not available or not up to date (shallow clone not enabled)" Maybe you can use BB_GENERATE_MIRROR_TARBALLS to generate git repo tarball and put it to your download mirror. See: https://www.yoctoproject.org/docs/latest/mega-manual/mega-manual.html#var-bb-BB_GENERATE_MIRROR_TARBALLS and https://www.yoctoproject.org/docs/latest/mega-manual/mega-manual.html#var-DL_DIR Regards, Yi Any help on what I am missing would be appreciated. Regards, Russell -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-security-compliance][PATCH 2/4] openscap: add 1.3.1 recipes for upstream source
On 7/23/19 2:38 PM, Akuster808 wrote: On Jul 23, 2019, at 02:51, Yi Zhao wrote: Hi Armin, I got the following error when build openscap: ERROR: openscap-git-r0 do_compile_ptest_base: Function failed: do_compile_ptest_base (log file is located at /buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146) ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146 Log data follows: | DEBUG: Executing shell function do_compile_ptest_base | /buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/run.do_compile_ptest_base.329146: line 108: oe-runcmake: command not found | WARNING: /buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/run.do_compile_ptest_base.329146:1 exit 127 from 'oe-runcmake tests' | ERROR: Function failed: do_compile_ptest_base (log file is located at /buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146) Thats not good. Thought I had run though this code path. I am traveling the next 2 weeks so i am not sure how quickly I can address this issue. That's OK. Thanks. //Yi Armin //Yi On 7/7/19 7:32 AM, Armin Kuster wrote: Signed-off-by: Armin Kuster --- .../recipes-openscap/openscap/openscap.inc| 11 +-- .../recipes-openscap/openscap/openscap_1.3.1.bb | 10 ++ .../recipes-openscap/openscap/openscap_git.bb | 4 ++-- 3 files changed, 17 insertions(+), 8 deletions(-) create mode 100644 meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index 4c1f206..e5daaf8 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
@@ -10,10 +10,10 @@ DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 l DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" -inherit cmake pkgconfig python3native perlnative ptest - S = "${WORKDIR}/git" +inherit cmake pkgconfig python3native perlnative ptest + PACKAGECONFIG ?= "python3 rpm perl" PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=True, , python3, python3" PACKAGECONFIG[perl] = "-DENABLE_PERL=True,, perl, perl" @@ -25,7 +25,6 @@ EXTRA_OECONF += "-DENABLE_PROBES_INDEPENDENT=yes -DENABLE_PROBES_LINUX=yes -DWIT -DENABLE_OSCAP_UTIL_DOCKER=no \ " -EXTRA_OECONF_class-native += "-DENABLE_PROBES=True" STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source" STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" @@ -33,9 +32,9 @@ STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" EXTRANATIVEPATH += "chrpath-native" do_configure_append_class-native () { -sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h -sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h -sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h +sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h +sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h +sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h } do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" 
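Review bot: In the third hunk (`@@ -33,9 +32,9 @@`), the three `sed -i` calls in `do_configure_append_class-native` now edit `${B}/config.h`, but nothing verifies that the `OSCAP_DEFAULT_*_PATH` definitions were actually rewritten. sed returns success when no line matches, so if the generated header changes shape the native oscap would keep its built-in paths and the failure would only surface later in a dependent recipe. A check after the last sed would make the build fail at the right place, e.g. `grep -q '${STAGING_OSCAP_BUILDDIR}' ${B}/config.h || bbfatal "OSCAP default paths not rewritten in config.h"`. The same hunk is quoted again in the other reply to this patch.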
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb new file mode 100644 index 000..c29fd42 --- /dev/null +++ b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb @@ -0,0 +1,10 @@ +SUMARRY = "NIST Certified SCAP 1.2 toolkit" + +require openscap.inc + +SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc" +SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \ + file://run-ptest \ +" + +DEFAULT_PREFERENCE = "-1" diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb index 3dfa99e..aded920 100644
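Review bot: The `SRC_URI` in the new openscap_1.3.1.bb fetches from GitHub over the unauthenticated `git://` protocol. `SRCREV` pins a full commit id, which limits what a tampered transport could deliver, but adding `;protocol=https` also gives the fetch server authentication and encryption: `git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https`. The other reply quoting this patch contains the same line, and the fork URLs in openscap_git.bb and scap-security-guide_git.bb use the same scheme.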
Re: [yocto] [meta-security-compliance][PATCH 2/4] openscap: add 1.3.1 recipes for upstream source
Hi Armin, I got the following error when build openscap: ERROR: openscap-git-r0 do_compile_ptest_base: Function failed: do_compile_ptest_base (log file is located at /buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146) ERROR: Logfile of failure stored in: /buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146 Log data follows: | DEBUG: Executing shell function do_compile_ptest_base | /buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/run.do_compile_ptest_base.329146: line 108: oe-runcmake: command not found | WARNING: /buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/run.do_compile_ptest_base.329146:1 exit 127 from 'oe-runcmake tests' | ERROR: Function failed: do_compile_ptest_base (log file is located at /buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146) //Yi On 7/7/19 7:32 AM, Armin Kuster wrote: Signed-off-by: Armin Kuster --- .../recipes-openscap/openscap/openscap.inc| 11 +-- .../recipes-openscap/openscap/openscap_1.3.1.bb | 10 ++ .../recipes-openscap/openscap/openscap_git.bb | 4 ++-- 3 files changed, 17 insertions(+), 8 deletions(-) create mode 100644 meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc index 4c1f206..e5daaf8 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc +++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
@@ -10,10 +10,10 @@ DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 l DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native" -inherit cmake pkgconfig python3native perlnative ptest - S = "${WORKDIR}/git" +inherit cmake pkgconfig python3native perlnative ptest + PACKAGECONFIG ?= "python3 rpm perl" PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=True, , python3, python3" PACKAGECONFIG[perl] = "-DENABLE_PERL=True,, perl, perl" @@ -25,7 +25,6 @@ EXTRA_OECONF += "-DENABLE_PROBES_INDEPENDENT=yes -DENABLE_PROBES_LINUX=yes -DWIT -DENABLE_OSCAP_UTIL_DOCKER=no \ " -EXTRA_OECONF_class-native += "-DENABLE_PROBES=True" STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source" STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" @@ -33,9 +32,9 @@ STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" EXTRANATIVEPATH += "chrpath-native" do_configure_append_class-native () { - sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h - sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h - sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h + sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h + sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h + sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h } do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" 
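Review bot: The three `sed -i` calls in `do_configure_append_class-native` exit successfully even when the pattern matches nothing, so if the `OSCAP_DEFAULT_*_PATH` defines are not in `${B}/config.h` the native build silently keeps its default CPE, schema and XSLT paths. Moving from `${S}` to `${B}` is a good moment to add a check after the last sed, for example `grep -q "${STAGING_OSCAP_BUILDDIR}" ${B}/config.h || bbfatal "OSCAP default paths were not rewritten"`. That turns a silent fallback into a failed task.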
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb new file mode 100644 index 000..c29fd42 --- /dev/null +++ b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb @@ -0,0 +1,10 @@ +SUMARRY = "NIST Certified SCAP 1.2 toolkit" + +require openscap.inc + +SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc" +SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \ + file://run-ptest \ +" + +DEFAULT_PREFERENCE = "-1" diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb b/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb index 3dfa99e..aded920 100644 --- a/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb +++ b/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb @@ -3,9 +3,9 @@ SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes" +include openscap.inc + SRCREV = "4bbdb46ff651f809d5b38ca08d769790c4bfff90" SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \ file://run-ptest \ " - -include openscap.inc --
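Review bot: The moved line in openscap_git.bb stays `include openscap.inc`, and `include` is skipped without an error when the file cannot be found. The recipe would then parse without its DEPENDS, inherits and PACKAGECONFIG instead of failing. The new openscap_1.3.1.bb in this same patch uses `require openscap.inc`; writing `require openscap.inc` here as well keeps the two recipes consistent and makes a missing .inc a hard parse error.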
[yocto] [meta-cgl][PATCH 3/3] libhtml-tagset-perl: remove recipe
The libhtml-tagset-perl recipe was added to meta-perl layer with commit: 4058e65f3c4e17ad04423f4c9edf8607fe6fdb4f We can drop this duplicate recipe. Signed-off-by: Yi Zhao --- .../recipes-perl/perl/libhtml-tagset-perl_3.20.bb | 17 - 1 file changed, 17 deletions(-) delete mode 100644 meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb diff --git a/meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb b/meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb deleted file mode 100644 index 2765cd2..000 --- a/meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb +++ /dev/null @@ -1,17 +0,0 @@ -DESCRIPTION = "HTML Tagset bits." -HOMEPAGE = "http://search.cpan.org/dist/HTML-Tagset/; -SECTION = "libs" -LICENSE = "Artistic-1.0 | GPL-1.0+" -LIC_FILES_CHKSUM = "file://README;beginline=60;md5=16ddda2d845a5546f615e6b122d1dbad" -PR = "r4" - -SRC_URI = "http://search.cpan.org/CPAN/authors/id/P/PE/PETDANCE/HTML-Tagset-${PV}.tar.gz; - -S = "${WORKDIR}/HTML-Tagset-${PV}" - -inherit cpan - -BBCLASSEXTEND="native" - -SRC_URI[md5sum] = "d2bfa18fe1904df7f683e96611e87437" -SRC_URI[sha256sum] = "adb17dac9e36cd011f5243881c9739417fd102fce760f8de4e9be4c7131108e2" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-cgl][PATCH 2/3] packagegroup-cgl-applications: only install libpam and pam-passwdqc if pam distro flag set
Fix build error when pam distro flag is not set: $ bitbake packagegroup-cgl-applications ERROR: Nothing RPROVIDES 'pam-passwdqc' (but /buildarea/poky/meta-cgl/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb RDEPENDS on or otherwise requires it) ERROR: Nothing RPROVIDES 'libpam' (but /buildarea/poky/meta-cgl/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb RDEPENDS on or otherwise requires it) Signed-off-by: Yi Zhao --- meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb b/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb index 5e7170d..6b7a630 100644 --- a/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb +++ b/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb @@ -46,9 +46,8 @@ RDEPENDS_${PN} = " \ samhain-server \ audit \ crash \ -pam-passwdqc \ -libpam \ makedumpfile \ +${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-passwdqc libpam', '', d)} \ " LTTNG ?= "\ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
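Review bot: With the added `bb.utils.contains` line, a distro without `pam` in DISTRO_FEATURES gets this packagegroup without `pam-passwdqc` and `libpam`, and nothing in the recipe records that the password-quality module is now optional. A comment such as `# pam-passwdqc and libpam are only installed when DISTRO_FEATURES contains 'pam'` would make that visible to someone auditing the CGL application set. The `RDEPENDS_${PN}` assignment starts outside the hunk, and the comment belongs above its first line rather than between the continued lines.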
[yocto] [meta-cgl][PATCH 1/3] packagegroup-cgl-middleware: remove ipsec-tools and umip
The ipsec-tools and umip had been removed from meta-openembedded. We should remove them from the packagegroup. Signed-off-by: Yi Zhao --- meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb | 2 -- 1 file changed, 2 deletions(-) diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb b/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb index 6ec68c4..4fa7d48 100644 --- a/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb +++ b/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb @@ -23,7 +23,6 @@ MULTIPATH_TOOLS = " \ " RDEPENDS_packagegroup-cgl-middleware = "\ -ipsec-tools \ net-snmp-server \ net-snmp-client \ net-snmp-libs \ @@ -51,7 +50,6 @@ RDEPENDS_packagegroup-cgl-middleware = "\ ifenslave \ drbd-utils \ openl2tp \ -umip \ dmidecode \ " -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH] audit: upgrade 2.8.4 -> 2.8.5
* Drop backport patch: 0001-Remove-strdupa-as-suggested-in-pull-request-25.patch * Refresh all patches. Signed-off-by: Yi Zhao --- ...e-strdupa-as-suggested-in-pull-request-25.patch | 47 -- ...bstitue-functions-for-strndupa-rawmemchr.patch} | 23 +-- .../audit/audit/audit-python-configure.patch | 10 ++--- recipes-security/audit/audit/audit-python.patch| 8 ++-- recipes-security/audit/audit/auditd| 2 +- .../audit/audit/fix-swig-host-contamination.patch | 22 +- .../audit/{audit_2.8.4.bb => audit_2.8.5.bb} | 7 ++-- 7 files changed, 35 insertions(+), 84 deletions(-) delete mode 100644 recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch rename recipes-security/audit/audit/{0002-Add-substitue-functions-for-strndupa-rawmemchr.patch => Add-substitue-functions-for-strndupa-rawmemchr.patch} (88%) rename recipes-security/audit/{audit_2.8.4.bb => audit_2.8.5.bb} (92%) diff --git a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch b/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch deleted file mode 100644 index 38029aa..000 --- a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From a1782b58b687b74249dc8b2411a3f646b821ebd6 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Thu, 4 Oct 2018 08:45:47 -0400 -Subject: [PATCH] Remove strdupa as suggested in pull request #25 - - src/auditd.c | 11 ++- - 1 file changed, 6 insertions(+), 5 deletions(-) - -Origin: https://github.com/linux-audit/audit-userspace/commit/a1782b58b687b74249dc8b2411a3f646b821ebd6 -Applied-Upstream: yes - -diff --git a/src/auditd.c b/src/auditd.c -index b0952db..c826ec0 100644 a/src/auditd.c -+++ b/src/auditd.c -@@ -209,21 +209,22 @@ static void cont_handler(struct ev_loop *loop, struct ev_signal *sig, - - static int extract_type(const char *str) - { -- const char *tptr, *ptr2, *ptr = str; -+ const char *ptr2, *ptr = str; - if (*str == 'n') { - ptr = strchr(str+1, ' '); - if (ptr == NULL) - return -1; // Malformed - bomb out - ptr++; - } -+ - // ptr should be at 't' - ptr2 = strchr(ptr, ' '); -- // get type=xxx in a buffer -- tptr = strndupa(ptr, ptr2 - ptr); -+ - // find = -- str = strchr(tptr, '='); -- if (str == NULL) -+ str = strchr(ptr, '='); -+ if (str == NULL || str >= ptr2) - return -1; // Malformed - bomb out -+ - // name is 1 past - str++; - return audit_name_to_msg_type(str); --- -2.20.1 - diff --git a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch similarity index 88% rename from recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch rename to recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch index c948aa3..bb6c61e 100644 --- a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch +++ b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch @@ -1,12 +1,11 @@ -From 5346b6af0ca67a2965ca5846ae150f3021a2aa17 Mon Sep 17 00:00:00 2001 +From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001 
From: Steve Grubb Date: Tue, 26 Feb 2019 18:33:33 -0500 Subject: [PATCH] Add substitue functions for strndupa & rawmemchr +Upstream-Status: Backport +[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e] --- -Origin: https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e -Applied-Upstream: yes - auparse/auparse.c | 12 +++- auparse/interpret.c | 9 - configure.ac| 14 +- @@ -14,7 +13,7 @@ Applied-Upstream: yes 4 files changed, 43 insertions(+), 4 deletions(-) diff --git a/auparse/auparse.c b/auparse/auparse.c -index f84712e..3764046 100644 +index 650db02..2e1c737 100644 --- a/auparse/auparse.c +++ b/auparse/auparse.c @@ -1,5 +1,5 @@ @@ -24,7 +23,7 @@ index f84712e..3764046 100644 * All Rights Reserved. * * This library is free software; you can redistribute it and/or -@@ -1100,6 +1100,16 @@ static int str2event(char *s, au_event_t *e) +@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e) return 0; } @@ -42,7 +41,7 @@ index f84712e..3764046 100644 static int extract_timestamp(const char *b, au_event_t *e) { diff --git a/auparse/interpret.c b/auparse/interpret.c -index 1846f9d..8540bd1 100644 +index 51c4a5e..67b7b77 100644 --- a/auparse/interpret.c +++ b/auparse/interpret.c @@ -853,6 +853,13 @@ err_out: @@ -69,7 +68,7 @@ index 1846f9d
Re: [yocto] [meta-selinux][PATCH] glib-2.0: fix configure error for meson build
On 6/12/19 6:03 PM, Alexander Kanavin wrote: On Wed, 12 Jun 2019 at 09:54, Yi Zhao <mailto:yi.z...@windriver.com>> wrote: +PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux," This line should probably go into the oe-core recipe? It is fine to have options that depend on things absent in oe-core, as long as those options are disabled by default. Thanks. I will test it and send a patch to oe-core //Yi Alex -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH] glib-2.0: fix configure error for meson build
In glib 2.60.x, it turns selinux into a meson feature. We should use '-Dselinux=enabled/disabled' rather than '-Dselinux=true/false' to enable/disable the feature. Add meso-enable-selinux.bbclass for this change and inherit it in glib-2.0 bbappend to fix the configure error. Signed-off-by: Yi Zhao --- classes/meson-enable-selinux.bbclass | 4 recipes-core/glib-2.0/glib-2.0_%.bbappend | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 classes/meson-enable-selinux.bbclass diff --git a/classes/meson-enable-selinux.bbclass b/classes/meson-enable-selinux.bbclass new file mode 100644 index 000..91c2a2b --- /dev/null +++ b/classes/meson-enable-selinux.bbclass @@ -0,0 +1,4 @@ +inherit selinux + +PACKAGECONFIG_append = " ${@target_selinux(d)}" +PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux," diff --git a/recipes-core/glib-2.0/glib-2.0_%.bbappend b/recipes-core/glib-2.0/glib-2.0_%.bbappend index e5d2f6f..39a0a3a 100644 --- a/recipes-core/glib-2.0/glib-2.0_%.bbappend +++ b/recipes-core/glib-2.0/glib-2.0_%.bbappend @@ -1 +1 @@ -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-selinux', '', d)} +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-enable-selinux', '', d)} -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
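Review bot: The new meson-enable-selinux.bbclass has no header comment, and the bbappend line it replaces inherited a class named `meson-selinux`, so a recipe author cannot tell from the files which of the two to inherit. A first line such as `# For meson projects where selinux is a feature option (-Dselinux=enabled/disabled) rather than a boolean (true/false)` would carry over what the commit message explains. `target_selinux` presumably comes from the inherited `selinux` class, which is not shown in this patch.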
[yocto] [meta-selinux][PATCH 2/3] findutils: drop obsolete patch
Signed-off-by: Yi Zhao --- .../findutils-4.2.31/findutils-selinux.patch | 499 - 1 file changed, 499 deletions(-) delete mode 100644 recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch diff --git a/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch b/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch deleted file mode 100644 index 73a9747..000 --- a/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch +++ /dev/null 
@@ -1,499 +0,0 @@ -From: Xin Ouyang -Date: Thu, 21 Jun 2012 17:01:39 +0800 -Subject: [PATCH] findutils: support selinux. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang - configure.in | 10 + - doc/find.texi| 12 +++ - find/Makefile.am |2 +- - find/defs.h | 15 - - find/find.1 |4 ++ - find/find.c | 97 +- - find/parser.c| 50 ++-- - find/pred.c | 53 + - find/util.c |3 ++ - 9 files changed, 240 insertions(+), 6 deletions(-) - -diff --git a/configure.in b/configure.in -index 6a20f15..00dd7f8 100644 a/configure.in -+++ b/configure.in -@@ -101,6 +101,16 @@ dnl C library, try -lsun. - AC_CHECK_FUNC(getpwnam, [], - [AC_CHECK_LIB(sun, getpwnam)]) - -+AC_ARG_WITH([selinux], -+ AS_HELP_STRING([--without-selinux], [disable SELinux support]), -+ [:], -+[AC_CHECK_LIB([selinux], [is_selinux_enabled], -+ [with_selinux=yes], [with_selinux=no])]) -+if test x$with_selinux != xno; then -+ AC_DEFINE([WITH_SELINUX], [1], [Define to support SELinux]) -+ AC_SUBST([LIBSELINUX], [-lselinux]) -+fi -+ - dnl Checks for header files. - AC_HEADER_STDC - dnl Assume unistd.h is present - coreutils does too. -diff --git a/doc/find.texi b/doc/find.texi -index 5b5f0cf..e1ad433 100644 a/doc/find.texi -+++ b/doc/find.texi -@@ -1091,6 +1091,14 @@ will probably be made in early 2006. - - @end deffn - -+@deffn Test -context pattern -+True if file's SELinux context matches the pattern @var{pattern}. -+The pattern uses shell glob matching. -+ -+This predicate is supported only on @code{find} versions compiled with -+SELinux support and only when SELinux is enabled. -+@end deffn -+ - @node Contents - @section Contents - -@@ -1599,6 +1607,10 @@ semantics, you will see a difference between the mode as printed by - @item %M - File's permissions (in symbolic form, as for @code{ls}). This - directive is supported in findutils 4.2.5 and later. -+ -+@item %Z -+File's SELinux context, or empty string if the file has no SELinux context -+or this version of find does not support SELinux. 
- @end table - - @node Size Directives -diff --git a/find/Makefile.am b/find/Makefile.am -index 8e71a32..405955a 100644 a/find/Makefile.am -+++ b/find/Makefile.am -@@ -6,7 +6,7 @@ bin_PROGRAMS = find - find_SOURCES = find.c fstype.c parser.c pred.c tree.c util.c version.c - EXTRA_DIST = defs.h $(man_MANS) - INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib -I../intl -DLOCALEDIR=\"$(localedir)\" --LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ -+LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ @LIBSELINUX@ - man_MANS = find.1 - SUBDIRS = testsuite - -diff --git a/find/defs.h b/find/defs.h -index 9369c9a..8a8cf28 100644 a/find/defs.h -+++ b/find/defs.h -@@ -131,6 +131,10 @@ int get_statinfo PARAMS((const char *pathname, const char *name, struct stat *p) - #define MODE_RWX (S_IXUSR | S_IXGRP | S_IXOTH | MODE_RW) - #define MODE_ALL (S_ISUID | S_ISGID | S_ISVTX | MODE_RWX) - -+#ifdef WITH_SELINUX -+#include -+#endif -+ - #if 1 - #include - typedef bool boolean; -@@ -320,6 +324,9 @@ struct predicate - struct dir_id fileid; /* samefile */ - mode_t type; /* type */ - FILE *stream; /* ls fls fprint0 */ -+#ifdef WITH_SELINUX -+security_context_t scontext; /* scontext */ -+#endif - struct format_val printf_vec; /* printf fprintf fprint */ - } args; - -@@ -481,7 +488,9 @@ boolean pred_uid PARAMS((char *pathname, struct stat *stat_buf, struct predicate - boolean pred_used PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)); - boolean pred_user PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)); - boolean pred_xtype PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)); -- -+#ifdef WITH_SELINUX -+boolean pred_context PARAMS((char *pathname, struct stat *stat_buf, struct predicate *pred_ptr)); -+#endif - - - int launch PARAMS((const struct buildcmd_control *ctl, -@@ -570,6 +579,10 @@ struct options -* can be changed with the positional option, -regextype. 
-*/ - int regex_options; -+ -+#ifdef WITH_SELINUX -+ int (*x_getfilecon) (); -+#endif - }; - extern struct options options; - -diff --
[yocto] [meta-selinux][PATCH 3/3] util-linux: drop obsolete patch
Signed-off-by: Yi Zhao --- .../util-linux/fix-libmount_la_DEPENDENCIES.patch | 28 -- 1 file changed, 28 deletions(-) delete mode 100644 recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch diff --git a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch b/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch deleted file mode 100644 index ab54818..000 --- a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch +++ /dev/null @@ -1,28 +0,0 @@ -Subject: [PATCH] util-linux: fix libmount_la_DEPENDENCIES. - -Upstream-Status: Pending - -libmount_la_LIBADD contains "-lselinux", this is not a object that -could consider as a dependency target. So fix this. - -Signed-off-by: Xin Ouyang - libmount/src/Makemodule.am |2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/libmount/src/Makemodule.am b/libmount/src/Makemodule.am -index 494e02a..bf494a4 100644 a/libmount/src/Makemodule.am -+++ b/libmount/src/Makemodule.am -@@ -38,7 +38,7 @@ libmount_la_CFLAGS = \ - -I$(top_srcdir)/libmount/src - - libmount_la_DEPENDENCIES = \ -- $(libmount_la_LIBADD) \ -+ libcommon.la libblkid.la \ - libmount/src/libmount.sym \ - libmount/src/libmount.h.in - --- -1.7.5.4 - -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 1/3] mesa: switch to meson build
The mesa had been converted to use meson build system in oe-core commit c72b6d46d392bfbcf54154f43663a7a8ada8c567. Update the bbappend to adapt it. Signed-off-by: Yi Zhao --- recipes-graphics/mesa/mesa_%.bbappend | 2 +- recipes-graphics/mesa/mesa_selinux.inc | 6 -- 2 files changed, 1 insertion(+), 7 deletions(-) delete mode 100644 recipes-graphics/mesa/mesa_selinux.inc diff --git a/recipes-graphics/mesa/mesa_%.bbappend b/recipes-graphics/mesa/mesa_%.bbappend index b0b03ec..02c4918 100644 --- a/recipes-graphics/mesa/mesa_%.bbappend +++ b/recipes-graphics/mesa/mesa_%.bbappend @@ -1,2 +1,2 @@ -require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-selinux', '', d)} diff --git a/recipes-graphics/mesa/mesa_selinux.inc b/recipes-graphics/mesa/mesa_selinux.inc deleted file mode 100644 index 0004f71..000 --- a/recipes-graphics/mesa/mesa_selinux.inc +++ /dev/null @@ -1,6 +0,0 @@ -inherit enable-selinux - -# But wait! There's more! mesa builds a host program named builtin_compiler -# and it needs selinux, too. We replace the PACKAGECONFIG[] in the bbclass. -# -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux libselinux-native," -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
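Review bot: The deleted mesa_selinux.inc listed `libselinux-native` next to `libselinux` because, per its own comment, mesa builds a host program that needs selinux as well. The bbappend now only inherits `meson-selinux`, whose PACKAGECONFIG is not visible in this patch. If that class depends on `libselinux` alone, the native dependency is dropped without mention. It is worth confirming that the meson build no longer builds a host tool linked against libselinux and saying so in the commit message.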
[yocto] [meta-security][PATCH 1/2] meta-tpm/conf/layer.conf: update layer dependencies
Add openembedded-layer to layer dependencies. Fix the following build errors: ERROR: Required build target 'tpm2-pkcs11' has no buildable providers. Missing or unbuildable dependency chain was: ['tpm2-pkcs11', 'dstat'] ERROR: Required build target 'cryptsetup-tpm-incubator' has no buildable providers. Missing or unbuildable dependency chain was: ['cryptsetup-tpm-incubator', 'libdevmapper'] ERROR: Required build target 'tpm2-totp' has no buildable providers. Missing or unbuildable dependency chain was: ['tpm2-totp', 'qrencode'] Signed-off-by: Yi Zhao --- meta-tpm/conf/layer.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf index 15a2bef..bf9a76e 100644 --- a/meta-tpm/conf/layer.conf +++ b/meta-tpm/conf/layer.conf @@ -12,4 +12,5 @@ LAYERSERIES_COMPAT_tpm-layer = "thud warrior" LAYERDEPENDS_tpm-layer = " \ core \ +openembedded-layer \ " -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH 2/2] meta-tpm/README: update
Add more description Signed-off-by: Yi Zhao --- meta-tpm/README | 57 + 1 file changed, 57 insertions(+) diff --git a/meta-tpm/README b/meta-tpm/README index bbc70bb..dd662b3 100644 --- a/meta-tpm/README +++ b/meta-tpm/README @@ -2,3 +2,60 @@ meta-tpm layer == This layer contains base TPM recipes. + +Dependencies + + +This layer depends on: + + URI: git://git.openembedded.org/openembedded-core + branch: master + revision: HEAD + prio: default + + URI: git://git.openembedded.org/meta-openembedded/meta-oe + branch: master + revision: HEAD + prio: default + +Adding the meta-tpm layer to your build + + +In order to use this layer, you need to make the build system aware of +it. + +Assuming this layer exists at the top-level of your +yocto build tree, you can add it to the build system by adding the +location of the meta-tpm layer to bblayers.conf, along with any +other layers needed. e.g.: + + BBLAYERS ?= " \ +/path/to/oe-core/meta \ +/path/to/meta-openembedded/meta-oe \ +/path/to/layer/meta-tpm \ + + +Maintenance +--- + +Send pull requests, patches, comments or questions to yocto@yoctoproject.org + +When sending single patches, please using something like: +'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' + +These values can be set as defaults for this repository: + +$ git config sendemail.to yocto@yoctoproject.org +$ git config format.subjectPrefix meta-security][PATCH + +Now you can just do 'git send-email origin/master' to send all local patches. + +Maintainers:Armin Kuster + + +License +=== + +All metadata is MIT licensed unless otherwise stated. Source code included +in tree for individual recipes is under the LICENSE stated in each recipe +(.bb file) unless otherwise stated. -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH] refpolicy: refresh patches
Refrefsh 0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch and 0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch. Remove the trailing line: \ No newline at end of file Signed-off-by: Yi Zhao --- ...y-minimum-audit-logging-getty-audit-related-.patch | 1 - ...y-minimum-systemd-mount-logging-authlogin-ad.patch | 19 --- ...y-minimum-audit-logging-getty-audit-related-.patch | 1 - ...y-minimum-systemd-mount-logging-authlogin-ad.patch | 19 --- 4 files changed, 16 insertions(+), 24 deletions(-) diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch index f92ddb8..10d2bcb 100644 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch @@ -62,7 +62,6 @@ index 63e92a8e..8ab46925 100644 +allow auditd_t initrc_t:unix_dgram_socket sendto; + +allow klogd_t initrc_t:unix_dgram_socket sendto; -\ No newline at end of file -- 2.19.1 diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch index 98b6156..65ef55b 100644 --- a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch @@ -33,13 +33,13 @@ Signed-off-by: Shrikant Bobade 
Signed-off-by: Joe MacDonald --- policy/modules/system/authlogin.te | 2 ++ - policy/modules/system/logging.te | 7 ++- + policy/modules/system/logging.te | 5 + policy/modules/system/mount.te | 3 +++ policy/modules/system/systemd.te | 5 + - 4 files changed, 16 insertions(+), 1 deletion(-) + 4 files changed, 15 insertions(+) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 345e07f3..39f860e0 100644 +index 345e07f..39f860e 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -472,3 +472,5 @@ optional_policy(` @@ -49,23 +49,20 @@ index 345e07f3..39f860e0 100644 + +allow chkpwd_t proc_t:filesystem getattr; diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 8ab46925..520f7da6 100644 +index c9991ab..520f7da 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te -@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; - allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; +@@ -628,3 +628,8 @@ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; allow auditd_t initrc_t:unix_dgram_socket sendto; --allow klogd_t initrc_t:unix_dgram_socket sendto; -\ No newline at end of file -+allow klogd_t initrc_t:unix_dgram_socket sendto; + allow klogd_t initrc_t:unix_dgram_socket sendto; + +allow syslogd_t self:shm create; +allow syslogd_t self:sem { create read unix_write write }; +allow syslogd_t self:shm { read unix_read unix_write write }; +allow syslogd_t tmpfs_t:file { read write }; diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 3dcb8493..a87d0e82 100644 +index 3dcb849..a87d0e8 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -231,3 +231,6 @@ optional_policy(` 
@@ -76,7 +73,7 @@ index 3dcb8493..a87d0e82 100644 +allow mount_t proc_t:filesystem getattr; +allow mount_t initrc_t:udp_socket { read write }; diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index a6f09dfd..68b80de3 100644 +index a6f09df..68b80de 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; diff --git a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch index 3cc5395..517782d 100644 --- a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch +++ b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch @@ -62,7 +62,6 @@ index e6221a02..4cc73327 100644 +allow auditd_t initrc_t:unix_dgram_socket sendto; + +allow klogd_t initrc_t:unix_dgram_socket sendto; -\ No newline at end of file -- 2.19.1 diff --git a/recipes-security/refpolicy/refpolicy-git/0004-refpolicy
[yocto] [meta-selinux][PATCH] refpolicy: update source checksums for refpolicy 20190201
The previous md5sum and sha256sum are not correct. See: https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20190201 Signed-off-by: Yi Zhao --- recipes-security/refpolicy/refpolicy_2.20190201.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/recipes-security/refpolicy/refpolicy_2.20190201.inc b/recipes-security/refpolicy/refpolicy_2.20190201.inc index 822c0f3..78c6e74 100644 --- a/recipes-security/refpolicy/refpolicy_2.20190201.inc +++ b/recipes-security/refpolicy/refpolicy_2.20190201.inc @@ -1,6 +1,6 @@ SRC_URI = "https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2; -SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799" -SRC_URI[sha256sum] = "5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336" +SRC_URI[md5sum] = "babb0d5ca2ae333631d25392b2b3ce8d" +SRC_URI[sha256sum] = "ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843" FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
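Review bot: Both `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` are replaced while `${PV}` and the download URL stay the same, and neither the recipe nor the commit message records how the new values were obtained. A checksum change for an unchanged version is the case the next maintainer will want to re-verify, so it helps to state the source, for example with a comment above the two lines: `# checksums of the refpolicy-${PV}.tar.bz2 asset attached to the RELEASE_2_20190201 GitHub release`. Of the two values, only the sha256 gives meaningful tamper resistance.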
Re: [yocto] [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)
Hi Joe, Thank you for working on the refpolicy upgrade. I ran a quick test with your patch. Here are the results: Machine: qemux86-64 Image: core-image-selinux Init manager: systemd Boot command: runqemu qemux86-64 kvm nographic bootparams="selinux=1 enforcing=X" qemuparams="-m 1024" 1. All refpolicy types of the git version can be built without problems. 2. With parameter selinux=1 & enforcing=0 The qemu can boot up and log in for all refpolicy types. 3. With parameter selinux=1 & enforcing=1 Some services failed to start up when booting. But this issue also exists on the old refpolicy version (2.20170204) 4. refpolicy stable version (2.20190201) I got a do_fetch error with the refpolicy stable version. It seems the SRC_URI is not correct. It should be "https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2" Regards, Yi 在 2019/4/10 下午11:53, Joe MacDonald 写道: This is a huge, long-overdue update to the refpolicy. I apologise for it blocking the other outstanding meta-selinux patches, but I've been trying to limit the scope of changes while this happens. Now that this is cleared off the slate, I'll be gathering up the other meta-selinux patches from the list. I'll send out a follow-up on those as they're merged and another when I think I'm done, so if I've missed your patch, that'll be the time to ping me about it. As for this, here's what I've done.
- manually reviewed all patches that had been present in refpolicy-* for both the old stable (2.20170204) and git versions - forked the SELinuxPolicy/refpolicy repo and applied all still-relevant patches to the RELEASE_2.20190201 branch - restructured the patches so that all patches that should reasonably apply to all variants (mcs, mls, minimum, standard and targeted) were in a common branch and only the ones that are specific to each variant would be in their own recipe - restructured the patches so that systemd and sysvinit patches were not applied to the same tree - created a parallel set of branches for each of these against current git HEAD The results of this can be examined here: https://github.com/joeythesaint/refpolicy Then each of these were exported and put in the appropriate SRC_URIs so the branch structure is more-or-less preserved. My goals with this approach were the following: - make it easier to keep refpolicy up to date, particularly for anyone wanting to use the git variants - make it easier to determine how your preferred version of refpolicy on Yocto differs from upstream refpolicy - limit the above differences to the minimum to achieve the goal of a functional Yocto system - eventually move us away from release tarballs entirely That last point is why I'm preserving the refpolicy fork above. I'd like to keep going with this and so future refpolicy patches will first be put in that repo then exported and applied to the SRC_URIs. If you have such a patch and want to send me a PR against the branch you think it belongs on from github directly, that'd be awesome, but the old method of patches to the mailing list will work fine too, just know that this is the way I'm going to try to manage this for the foreseeable future. Ultimately, if this proves to work well, I would like to move the refpolicy fork off github and house it on git.yoctoproject.org beside meta-selinux, but the workflow needs to be properly validated first.
One additional point, I intend to take another pass at revising this stuff, ideally moving the huge number of common patches out as well. There's still some that aren't necessary for base yocto but are for additional layers. That's fine for us to have, but I'd like to get those moved to optional layer directories so we're making the best use of that functionality we can. If you have suggestions on which pieces already present are good candidates, let me know. Similarly, if you've got additional policy patches you want to see included, feel free to send them along, we can easily move them to optional locations inside meta-selinux. Finally, please everyone test this and provide feedback on anything that doesn't work or looks strange. This is easily the biggest change we've had in meta-selinux in years and I expect there's still some wrinkles to be ironed out. And I really appreciate everyone's patience while we got to this point and hope it's not too much more pain before we put a ribbon on this and call it done. I'll give this until at least the weekend before merging it to master, pending comments or an overwhelming "please just do it" from the community. Thanks. --- The following changes since commit a6a3cadb1ef3203a123d8f5f9df27832f55b2ce3: Backport patches from upstream to fix build with musl (2019-03-25 09:43:53 +0100) are available in the Git
[yocto] [meta-selinux][PATCH] selinux: remove git version
The git version of libselinux libsemanage libsepol checkpolicy and policycoreutils are far behind the master branch and now they can not build due to the do_patch error. The current stable 2.8 version works well so we can remove them. Signed-off-by: Yi Zhao --- recipes-security/selinux/checkpolicy_git.bb | 6 -- recipes-security/selinux/libselinux_git.bb | 14 -- recipes-security/selinux/libsemanage_git.bb | 17 - recipes-security/selinux/libsepol_git.bb| 8 recipes-security/selinux/policycoreutils_git.bb | 6 -- recipes-security/selinux/selinux_git.inc| 11 --- 6 files changed, 62 deletions(-) delete mode 100644 recipes-security/selinux/checkpolicy_git.bb delete mode 100644 recipes-security/selinux/libselinux_git.bb delete mode 100644 recipes-security/selinux/libsemanage_git.bb delete mode 100644 recipes-security/selinux/libsepol_git.bb delete mode 100644 recipes-security/selinux/policycoreutils_git.bb delete mode 100644 recipes-security/selinux/selinux_git.inc diff --git a/recipes-security/selinux/checkpolicy_git.bb b/recipes-security/selinux/checkpolicy_git.bb deleted file mode 100644 index 6d1d23a..000 --- a/recipes-security/selinux/checkpolicy_git.bb +++ /dev/null @@ -1,6 +0,0 @@ -PV = "2.7+git${SRCPV}" - -include selinux_git.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" diff --git a/recipes-security/selinux/libselinux_git.bb b/recipes-security/selinux/libselinux_git.bb deleted file mode 100644 index a43b184..000 --- a/recipes-security/selinux/libselinux_git.bb +++ /dev/null 
@@ -1,14 +0,0 @@ -PV = "2.7+git${SRCPV}" - -include selinux_git.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0" - -SRC_URI += "\ - file://libselinux-drop-Wno-unused-but-set-variable.patch \ - file://libselinux-make-O_CLOEXEC-optional.patch \ - file://libselinux-make-SOCK_CLOEXEC-optional.patch \ - file://libselinux-define-FD_CLOEXEC-as-necessary.patch \ - file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \ - " diff --git a/recipes-security/selinux/libsemanage_git.bb b/recipes-security/selinux/libsemanage_git.bb deleted file mode 100644 index 2e1fdc8..000 --- a/recipes-security/selinux/libsemanage_git.bb +++ /dev/null @@ -1,17 +0,0 @@ -PV = "2.7+git${SRCPV}" - -include selinux_git.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" - -SRC_URI += "\ - file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \ - file://libsemanage-fix-path-nologin.patch \ - file://libsemanage-drop-Wno-unused-but-set-variable.patch \ - file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \ - file://libsemanage-allow-to-disable-audit-support.patch \ - file://libsemanage-disable-expand-check-on-policy-load.patch \ - file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \ - " -FILES_${PN} += "/usr/libexec" diff --git a/recipes-security/selinux/libsepol_git.bb b/recipes-security/selinux/libsepol_git.bb deleted file mode 100644 index f9b8010..000 --- a/recipes-security/selinux/libsepol_git.bb +++ /dev/null @@ -1,8 +0,0 @@ -PV = "2.7+git${SRCPV}" - -include selinux_git.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" - -SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch" diff --git a/recipes-security/selinux/policycoreutils_git.bb b/recipes-security/selinux/policycoreutils_git.bb deleted file mode 100644 index 6d1d23a..000 
--- a/recipes-security/selinux/policycoreutils_git.bb +++ /dev/null @@ -1,6 +0,0 @@ -PV = "2.7+git${SRCPV}" - -include selinux_git.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" diff --git a/recipes-security/selinux/selinux_git.inc b/recipes-security/selinux/selinux_git.inc deleted file mode 100644 index 9887bd1..000 --- a/recipes-security/selinux/selinux_git.inc +++ /dev/null @@ -1,11 +0,0 @@ -SRCREV = "1bac758bf6cf884c112b80545d5fc5b668fc7d71" - -SRC_URI = "git://github.com/SELinuxProject/selinux.git;protocol=http" - -include selinux_common.inc - -# ${S} is set in selinux_common above, but we need to change it here since the -# top level directory is named differently -S = "${WORKDIR}/git/${BPN}" - -DEFAULT_PREFERENCE = "-1" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH] linux-yocto: add bbappend for kernel 5.0
Signed-off-by: Yi Zhao
---
recipes-kernel/linux/linux-yocto_5.%.bbappend | 1 + 1 file changed, 1 insertion(+) create mode 100644 recipes-kernel/linux/linux-yocto_5.%.bbappend
diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend b/recipes-kernel/linux/linux-yocto_5.%.bbappend
new file mode 100644
index 000..7719d3b
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] oe-scap: fix inconsistent indentation
Signed-off-by: Yi Zhao --- .../recipes-openscap/oe-scap/oe-scap_1.0.bb | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb index 5b61375..e84ed30 100644 --- a/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb +++ b/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb @@ -8,12 +8,11 @@ LICENSE = "MIT" SRCREV = "7147871d7f37d408c0dd7720ef0fd3ec1b54ad98" SRC_URI = "git://github.com/akuster/oe-scap.git" SRC_URI += " \ - file://run_cve.sh \ - file://run_test.sh \ - file://OpenEmbedded_nodistro_0.xml \ -file://OpenEmbedded_nodistro_0.xccdf.xml \ -" - +file://run_cve.sh \ +file://run_test.sh \ +file://OpenEmbedded_nodistro_0.xml \ +file://OpenEmbedded_nodistro_0.xccdf.xml \ + " S = "${WORKDIR}/git" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] openscap-daemon: backport patch to fix build error with python 3.7
Fixes build error: | Traceback (most recent call last): | File "setup.py", line 25, in | from openscap_daemon import version | File "/buildarea/build/tmp/work/core2-64-poky-linux/openscap-daemon/0.1.10-r0/git/openscap_daemon/__init__.py", line 22, in | from openscap_daemon.system import System | File "/buildarea/build/tmp/work/core2-64-poky-linux/openscap-daemon/0.1.10-r0/git/openscap_daemon/system.py", line 29 | from openscap_daemon import async | ^ | SyntaxError: invalid syntax Signed-off-by: Yi Zhao --- ...-module-and-variables-to-get-rid-of-async.patch | 130 + .../openscap-daemon/openscap-daemon_0.1.10.bb | 4 +- 2 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch diff --git a/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch b/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch new file mode 100644 index 000..2a518bf --- /dev/null +++ b/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch 
@@ -0,0 +1,130 @@ +From c34349720a57997d30946286756e2ba9dbab6ace Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Mon, 2 Jul 2018 11:21:19 +0200 +Subject: [PATCH] Renamed module and variables to get rid of async. + +async is a reserved word in Python 3.7. + +Upstream-Status: Backport +[https://github.com/OpenSCAP/openscap-daemon/commit/c34349720a57997d30946286756e2ba9dbab6ace] + +Signed-off-by: Yi Zhao +--- + openscap_daemon/{async.py => async_tools.py} | 0 + openscap_daemon/dbus_daemon.py | 2 +- + openscap_daemon/system.py| 16 + tests/unit/test_basic_update.py | 3 ++- + 4 files changed, 11 insertions(+), 10 deletions(-) + rename openscap_daemon/{async.py => async_tools.py} (100%) + +diff --git a/openscap_daemon/async.py b/openscap_daemon/async_tools.py +similarity index 100% +rename from openscap_daemon/async.py +rename to openscap_daemon/async_tools.py +diff --git a/openscap_daemon/dbus_daemon.py b/openscap_daemon/dbus_daemon.py +index e6eadf9..cb6a8b6 100644 +--- a/openscap_daemon/dbus_daemon.py b/openscap_daemon/dbus_daemon.py +@@ -81,7 +81,7 @@ class OpenSCAPDaemonDbus(dbus.service.Object): + @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE, + in_signature="", out_signature="a(xsi)") + def GetAsyncActionsStatus(self): +-return self.system.async.get_status() ++return self.system.async_manager.get_status() + + @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE, + in_signature="s", out_signature="(sssn)") +diff --git a/openscap_daemon/system.py b/openscap_daemon/system.py +index 2012f6e..85c2680 100644 +--- a/openscap_daemon/system.py b/openscap_daemon/system.py +@@ -26,7 +26,7 @@ import logging + from openscap_daemon.task import Task + from openscap_daemon.config import Configuration + from openscap_daemon import oscap_helpers +-from openscap_daemon import async ++from openscap_daemon import async_tools + + + class ResultsNotAvailable(Exception): +@@ -40,7 +40,7 @@ TASK_ACTION_PRIORITY = 10 + + class 
System(object): + def __init__(self, config_file): +-self.async = async.AsyncManager() ++self.async_manager = async_tools.AsyncManager() + + logging.info("Loading configuration from '%s'.", config_file) + self.config = Configuration() +@@ -90,7 +90,7 @@ class System(object): + input_file, tailoring_file, None + ) + +-class AsyncEvaluateSpecAction(async.AsyncAction): ++class AsyncEvaluateSpecAction(async_tools.AsyncAction): + def __init__(self, system, spec): + super(System.AsyncEvaluateSpecAction, self).__init__() + +@@ -113,7 +113,7 @@ class System(object): + return "Evaluate Spec '%s'" % (self.spec) + + def evaluate_spec_async(self, spec): +-return self.async.enqueue( ++return self.async_manager.enqueue( + System.AsyncEvaluateSpecAction( + self, + spec +@@ -488,7 +488,7 @@ class System(object): + + return ret + +-class AsyncUpdateTaskAction(async.AsyncAction): ++class AsyncUpdateTaskAction(async_tools.AsyncAction): + def __init__(self, system, task_id, reference_datetime): + super(System.AsyncUpdateTaskAction, self).__init__() + +@@ -536,7 +536,7 @@ class System(object): + + if task.should_be_updated(reference_datetime): +
[yocto] [meta-security][PATCH] scap-security-guide: use makefile generator instead of ninja for cmake
Fixes build error: | make: *** No rule to make target 'openembedded'. Stop. Signed-off-by: Yi Zhao --- .../recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb index 7fa417d..27d3d86 100644 --- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb +++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb @@ -19,6 +19,8 @@ S = "${WORKDIR}/git" STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" +OECMAKE_GENERATOR = "Unix Makefiles" + EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF" EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF" EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
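Review bot: `OECMAKE_GENERATOR = "Unix Makefiles"` is added with no comment, so the reason for leaving the default generator lives only in the commit message. I would put `# the build invokes make targets directly, so the Ninja generator cannot be used` above it, assuming that is in fact why `make` reported no rule for 'openembedded'. The rest of the recipe is outside the hunk, so the wording should be confirmed against the compile step before it goes in.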
[yocto] [meta-selinux][PATCH 2/2] selinux-image.bbclass: using append instead of += for IMAGE_PREPROCESS_COMMAND
Fix AVC denied error when booting: type=AVC msg=audit(1548055920.478:86): avc: denied { execute } for pid=366 comm="audispd" path="/lib/ld-2.28.so" dev="vda" ino=7545 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 type=AVC msg=audit(1548055920.478:87): avc: denied { open } for pid=366 comm="audispd" path="/lib/libc-2.28.so" dev="vda" ino=7558 scontext=system_u:system_r:audisp_t:s15:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 When using "+=" for IMAGE_PREPROCESS_COMMAND, the selinux_set_labels process would run before prelink process to set the security labels for the files. But the label for /lib/libc-2.28.so and /lib/ld-2.28.so would be changed after run prelink process. Use "_append" to make sure the selinux_set_labels process run after prelink process. Signed-off-by: Yi Zhao --- classes/selinux-image.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/classes/selinux-image.bbclass b/classes/selinux-image.bbclass index 5174dc5..7f157d3 100644 --- a/classes/selinux-image.bbclass +++ b/classes/selinux-image.bbclass @@ -10,6 +10,6 @@ selinux_set_labels () { DEPENDS += "policycoreutils-native" -IMAGE_PREPROCESS_COMMAND += "selinux_set_labels ;" +IMAGE_PREPROCESS_COMMAND_append = " selinux_set_labels ;" inherit core-image -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
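Review bot: The `_append` on `IMAGE_PREPROCESS_COMMAND` carries no comment saying it is there for ordering, so a later cleanup could turn it back into `+=` and bring back the `unlabeled_t` denials quoted in the description. I would add above the assignment `# Must be _append: labels have to be set after prelink has run, otherwise the prelinked libraries end up unlabeled_t.` The fix also relies on no other class appending a file-rewriting step after this one; that relative order is not visible from this hunk and is worth confirming. The quoted AVC records show `permissive=1`, so on an enforcing boot the same mislabeling would presumably block audispd rather than only log it.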
[yocto] [meta-selinux][PATCH 2/2] openssh: update sshd_config
Update sshd_config based on openssh 7.9p1. Drop the deprecated option UsePrivilegeSeparation Signed-off-by: Yi Zhao --- recipes-connectivity/openssh/files/sshd_config | 53 +- 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/recipes-connectivity/openssh/files/sshd_config b/recipes-connectivity/openssh/files/sshd_config index 2110463..1c33ad0 100644 --- a/recipes-connectivity/openssh/files/sshd_config +++ b/recipes-connectivity/openssh/files/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ +# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -7,7 +7,7 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. #Port 22 
@@ -15,44 +15,40 @@ #ListenAddress 0.0.0.0 #ListenAddress :: -# Disable legacy (protocol version 1) support in the server for new -# installations. In future the default will change to require explicit -# activation of protocol 1 -Protocol 2 - -# HostKey for protocol version 1 -#HostKey /etc/ssh/ssh_host_key -# HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key -#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 1024 +# Ciphers and keying +#RekeyLimit default none # Logging -# obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m -#PermitRootLogin yes +#PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -#RSAAuthentication yes #PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys #AuthorizedKeysFile.ssh/authorized_keys +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication +# HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes @@ -61,7 +57,8 @@ Protocol 2 #PasswordAuthentication yes #PermitEmptyPasswords no -# Change to no to disable s/key passwords +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) ChallengeResponseAuthentication no # Kerberos options 
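Review bot: The comment added above `AuthorizedKeysFile` in the `@@ -15,44 +15,40 @@` hunk says the default is overridden so that only `.ssh/authorized_keys` is checked, but the directive itself remains a commented-out context line, so sshd keeps its built-in default and still reads `.ssh/authorized_keys2`. A forgotten `authorized_keys2` file would therefore still grant login, contrary to what the file tells the administrator. Either uncomment the directive, `AuthorizedKeysFile .ssh/authorized_keys`, as the upstream sample file does, or drop the two added comment lines. Whitespace on that line is collapsed in this rendering, so the exact spacing should be taken from the real file.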
@@ -74,8 +71,8 @@ ChallengeResponseAuthentication no #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass @@ -83,7 +80,7 @@ ChallengeResponseAuthentication no # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -UsePAM yes +UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes @@ -91,20 +88,21 @@ UsePAM yes #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -UsePrivilegeSeparation yes #PermitUserEnvironment no Compression no ClientAliveInterval 15 ClientAliveCountMax 4 -#UseDNS yes +#UseDNS no #PidFile /var/run/sshd.pid -#MaxStartups 10 +#MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none +#VersionAddendum none # no default banner path #Banner none @@ -116,4 +114,5 @@ Subsystem sftp/usr/libexec/sftp-server #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no +# PermitTTY no # ForceCommand cvs server -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 1/2] core-image-selinux.bb: remove trailing whitespace
Signed-off-by: Yi Zhao --- recipes-security/images/core-image-selinux.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/images/core-image-selinux.bb b/recipes-security/images/core-image-selinux.bb index 70b525e..68bf7ef 100644 --- a/recipes-security/images/core-image-selinux.bb +++ b/recipes-security/images/core-image-selinux.bb @@ -9,6 +9,6 @@ IMAGE_INSTALL = "\ util-linux-agetty \ packagegroup-core-full-cmdline \ packagegroup-core-selinux \ -" +" inherit selinux-image -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] keynote: remove recipe
The keynote is unmaintained for a long time. It had been removed from main distributions (Fedora, Suse and Debian). See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594867 Signed-off-by: Yi Zhao --- .../configure-remove-hardcode-path.patch | 37 .../keynote/keynote-2.3/makefile-add-ldflags.patch | 36 --- recipes-security/keynote/keynote-2.3/run-ptest | 16 - recipes-security/keynote/keynote_2.3.bb| 40 -- 4 files changed, 129 deletions(-) delete mode 100644 recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch delete mode 100644 recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch delete mode 100644 recipes-security/keynote/keynote-2.3/run-ptest delete mode 100644 recipes-security/keynote/keynote_2.3.bb diff --git a/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch b/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch deleted file mode 100644 index af3ef42..000 --- a/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -Remove the hardcoded lib and include dirs - -Upstream-Status: Inappropriate [cross compile specific] - -written by: Amy Fong -Signed-off-by: Jackie Huang - keynote-2.3/configure.in.orig 2010-05-24 04:44:16.0 -0700 -+++ keynote-2.3/configure.in 2010-05-24 04:44:55.0 -0700 -@@ -21,27 +21,16 @@ - AC_PATH_PROG(ECHO, echo, /bin/echo) - AC_PATH_PROG(SED, sed, /usr/bin/sed) - --dnl Checks for libraries. --LIBS="-L/usr/lib -L/usr/local/lib -L/usr/ssl/lib -L/usr/openssl/lib\ -- -L/usr/local/ssl/lib -L/usr/local/openssl/lib -L/usr/pkg/lib -L/pkg/lib" -- - AC_CHECK_LIB(m, floor, LIBS="$LIBS -lm") - AC_CHECK_LIB(rsaref, RSAPrivateDecrypt, LIBS="$LIBS -lrsaref") - AC_CHECK_LIB(crypto, i2a_ASN1_STRING, LIBS="$LIBS -lcrypto") - AC_CHECK_LIB(RSAglue, RSA_ref_private_encrypt, LIBS="$LIBS -lRSAglue") - --dnl Checks for header files. --CPPFLAGS="-I/usr/include -I/usr/local/include -I/usr/ssl/include\ -- -I/usr/local/ssl/include -I/usr/openssl/include -I/usr/pkg/include\ -- -I/usr/local/openssl/include -I/pkg/include" -- - AC_HEADER_STDC - AC_HEADER_TIME - AC_CHECK_HEADERS(fcntl.h limits.h unistd.h regex.h sys/time.h io.h) - AC_CHECK_HEADERS(ssl/crypto.h openssl/crypto.h crypto.h memory.h) - --dnl Checks for other files -- - dnl Checks for typedefs, structures, and compiler characteristics. - AC_C_CONST - AC_CHECK_TYPE(u_int, unsigned int) diff --git a/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch b/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch deleted file mode 100644 index 80d87cf..000 --- a/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -Add LDFLAGS variable to Makefile so that extra linker flags can be sent via this variable. - -Upstream-Status: Pending - -Signed-off-by: Yi Zhao - -diff --git a/Makefile.in b/Makefile.in -index b216648..42b4827 100644 a/Makefile.in -+++ b/Makefile.in -@@ -35,6 +35,7 @@ MKDIR = @MKDIR@ - SED = @SED@ - ECHO = @ECHO@ - TR = @TR@ -+LDFLAGS = @LDFLAGS@ - - TARFLAGS = -cvzf ${DISTFILE} - YACCFLAGS2 = -d -p kv -b z -@@ -83,7 +84,7 @@ $(TARGET): $(OBJS) - $(RANLIB) $(TARGET) - - $(TARGET2): $(TARGET) $(OBJS2) -- $(CC) $(CFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS) - - k.tab.c: keynote.y header.h keynote.h assertion.h config.h - $(YACC) $(YACCFLAGS) keynote.y -@@ -131,7 +132,7 @@ $(SSLCERT) $(SSLKEY): - -keyout $(SSLKEY) - - test-sample: all $(OBJS3) -- $(CC) $(CFLAGS) -o $(TARGET3) $(OBJS3) $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $(TARGET3) $(OBJS3) $(LIBS) - - test-sig: all $(SSLCERT) $(SSLKEY) - $(SED) -e 's/--.*//' < $(SSLCERT) > $(SSLCERT).1 diff --git a/recipes-security/keynote/keynote-2.3/run-ptest b/recipes-security/keynote/keynote-2.3/run-ptest deleted file mode 100644 index 4dc35c9..000 --- a/recipes-security/keynote/keynote-2.3/run-ptest +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -cd @PTEST_PATH@ -keynote verify -e testsuite/test-env \ - -r false,maybe,probably,true \ - -k testsuite/auth1 -k testsuite/auth2 \ - -k testsuite/auth3 -k testsuite/auth4 \ - -l testsuite/test-assertion1 \ - -l testsuite/test-assertion2 \ - -l testsuite/test-assertion3 \ - -l testsuite/test-assertion4 \ - -l testsuite/test-assertion5 \ - -l testsuite/test-assertion6 \ - -l testsuite/test-assertion7 \ - && echo "PASS: keynote-ptest" \ - || echo "FAIL: keynote-ptest" diff --git a/recipes-security/keynote/keynote_2.3.bb b/recipes-security/keynote/keynote_2.3.bb
[yocto] [meta-security][PATCH] keynote: depend on openssl10
Signed-off-by: Yi Zhao --- recipes-security/keynote/keynote_2.3.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/keynote/keynote_2.3.bb b/recipes-security/keynote/keynote_2.3.bb index 0300894..6ec26b8 100644 --- a/recipes-security/keynote/keynote_2.3.bb +++ b/recipes-security/keynote/keynote_2.3.bb @@ -23,7 +23,7 @@ inherit autotools-brokensep ptest SRC_URI[md5sum] = "a14553e6ad921b5c85026ce5bec3afe7" SRC_URI[sha256sum] = "38d2acfa1c3630a07adcb5c8fe92d2aef7f0e6d242b8998b2bbb1c6e4c408d46" -DEPENDS = "flex openssl bison-native" +DEPENDS = "flex openssl10 bison-native" EXTRA_OEMAKE += "test-sample -j1" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
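Review bot: The switch of `DEPENDS` to `openssl10` ties this recipe to the legacy OpenSSL 1.0 API without saying why or for how long. Presumably keynote 2.3 does not build against the OpenSSL 1.1 API; if so, record it next to the line, e.g. `# keynote 2.3 uses pre-1.1 OpenSSL APIs; needs porting before openssl10 is dropped`. A tool that verifies signed assertions then receives crypto fixes only for as long as the compatibility branch is maintained, so a porting plan or a removal date is worth tracking. The recipe body continues outside the hunk.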
Re: [yocto] [meta-selinux][PATCH 00/16] selinux: upgrade 2.7 -> 2.8
Ping //Yi 在 2018年09月05日 08:18, Yi Zhao 写道: Yi Zhao (16): selinux: uprev inc files to 2.8 (20180524) libsepol: uprev to 2.8 (20180524) libselinux: uprev to 2.8 (20180524) libsemanage: uprev to 2.8 (20180524) checkpolicy: uprev to 2.8 (20180524) secilc: uprev to 2.8 (20180524) policycoreutils: uprev to 2.8 (20180524) mcstrans: uprev to 2.8 (20180524) restorecond: uprev to 2.8 (20180524) selinux-sandbox: uprev to 2.8 (20180524) selinux-python: uprev to 2.8 (20180524) semodule-utils: uprev to 2.8 (20180524) selinux-dbus: uprev to 2.8 (20180524) selinux-gui: uprev to 2.8 (20180524) packagegroup-selinux-policycoreutils: remove semodule-utils-semodule-deps audit: uprev to 2.8.4 .../audit/{audit_2.7.6.bb => audit_2.8.4.bb} | 18 +++--- .../packagegroup-selinux-policycoreutils.bb| 1 - recipes-security/selinux/checkpolicy.inc | 1 - recipes-security/selinux/checkpolicy_2.7.bb| 7 -- recipes-security/selinux/checkpolicy_2.8.bb| 7 ++ recipes-security/selinux/libselinux.inc| 2 +- ...-Makefile-fix-includedir-in-libselinux.pc.patch | 20 --- .../{libselinux_2.7.bb => libselinux_2.8.bb} | 6 ++--- recipes-security/selinux/libsemanage.inc | 12 ++--- ...-Makefile-fix-includedir-in-libselinux.pc.patch | 20 --- .../{libsemanage_2.7.bb => libsemanage_2.8.bb} | 6 ++--- ...rc-Makefile-fix-includedir-in-libsepol.pc.patch | 13 +- recipes-security/selinux/libsepol_2.7.bb | 9 --- recipes-security/selinux/libsepol_2.8.bb | 9 +++ recipes-security/selinux/mcstrans.inc | 1 - recipes-security/selinux/mcstrans_2.7.bb | 7 -- recipes-security/selinux/mcstrans_2.8.bb | 7 ++ recipes-security/selinux/policycoreutils.inc | 8 +++--- ...policycoreutils-fix-fixfiles-install-path.patch | 29 ++ ...icycoreutils-fix-load_policy-install-path.patch | 29 ++ .../policycoreutils-loadpolicy-symlink.patch | 19 -- recipes-security/selinux/policycoreutils_2.7.bb| 8 -- recipes-security/selinux/policycoreutils_2.8.bb| 8 ++ recipes-security/selinux/restorecond.inc | 4 --- recipes-security/selinux/restorecond_2.7.bb| 7 -- 
recipes-security/selinux/restorecond_2.8.bb| 7 ++ recipes-security/selinux/secilc_2.7.bb | 7 -- recipes-security/selinux/secilc_2.8.bb | 7 ++ recipes-security/selinux/selinux-dbus_2.7.bb | 7 -- recipes-security/selinux/selinux-dbus_2.8.bb | 7 ++ recipes-security/selinux/selinux-gui_2.7.bb| 7 -- recipes-security/selinux/selinux-gui_2.8.bb| 7 ++ recipes-security/selinux/selinux-python.inc| 2 +- .../selinux-python/fix-sepolicy-install-path.patch | 23 + recipes-security/selinux/selinux-python_2.7.bb | 7 -- recipes-security/selinux/selinux-python_2.8.bb | 7 ++ recipes-security/selinux/selinux-sandbox_2.7.bb| 7 -- recipes-security/selinux/selinux-sandbox_2.8.bb| 7 ++ .../{selinux_20170804.inc => selinux_20180524.inc} | 2 +- recipes-security/selinux/selinux_common.inc| 9 --- recipes-security/selinux/semodule-utils.inc| 2 -- recipes-security/selinux/semodule-utils_2.7.bb | 7 -- recipes-security/selinux/semodule-utils_2.8.bb | 7 ++ 43 files changed, 209 insertions(+), 178 deletions(-) rename recipes-security/audit/{audit_2.7.6.bb => audit_2.8.4.bb} (91%) delete mode 100644 recipes-security/selinux/checkpolicy_2.7.bb create mode 100644 recipes-security/selinux/checkpolicy_2.8.bb rename recipes-security/selinux/{libselinux_2.7.bb => libselinux_2.8.bb} (72%) rename recipes-security/selinux/{libsemanage_2.7.bb => libsemanage_2.8.bb} (76%) delete mode 100644 recipes-security/selinux/libsepol_2.7.bb create mode 100644 recipes-security/selinux/libsepol_2.8.bb delete mode 100644 recipes-security/selinux/mcstrans_2.7.bb create mode 100644 recipes-security/selinux/mcstrans_2.8.bb create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch delete mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-loadpolicy-symlink.patch delete mode 100644 recipes-security/selinux/policycoreutils_2.7.bb create mode 100644 
recipes-security/selinux/policycoreutils_2.8.bb delete mode 100644 recipes-security/selinux/restorecond_2.7.bb create mode 100644 recipes-security/selinux/restorecond_2.8.bb delete mode 100644 recipes-security/selinux/secilc_2.7.bb create mode 100644 recipes-security/selinux/secilc_2.8.bb
[yocto] [meta-selinux][PATCH 16/16 V2] audit: uprev to 2.8.4
Add aarch64 support Signed-off-by: Yi Zhao --- .../audit/{audit_2.7.6.bb => audit_2.8.4.bb} | 19 ++- 1 file changed, 10 insertions(+), 9 deletions(-) rename recipes-security/audit/{audit_2.7.6.bb => audit_2.8.4.bb} (90%) diff --git a/recipes-security/audit/audit_2.7.6.bb b/recipes-security/audit/audit_2.8.4.bb similarity index 90% rename from recipes-security/audit/audit_2.7.6.bb rename to recipes-security/audit/audit_2.8.4.bb index d655e64..c756552 100644 --- a/recipes-security/audit/audit_2.7.6.bb +++ b/recipes-security/audit/audit_2.8.4.bb @@ -15,8 +15,8 @@ SRC_URI = "http://people.redhat.com/sgrubb/${BPN}/${BPN}-${PV}.tar.gz \ file://auditd.service \ file://audit-volatile.conf \ " -SRC_URI[md5sum] = "55a81bbed973b58a90590c949e71dc3e" -SRC_URI[sha256sum] = "fa65289cffdc95a25bfbdba541f43ee1b12c707090a38fd027dcf9354b9014e7" +SRC_URI[md5sum] = "ec9510312564c3d9483bccf8dbda4779" +SRC_URI[sha256sum] = "a410694d09fc5708d980a61a5abcb9633a591364f1ecc7e97ad5daef9c898c38" inherit autotools pythonnative update-rc.d systemd @@ -30,16 +30,17 @@ SYSTEMD_SERVICE_auditd = "auditd.service" DEPENDS += "python tcp-wrappers libcap-ng linux-libc-headers (>= 2.6.30) swig-native" EXTRA_OECONF += "--without-prelude \ - --with-libwrap \ - --enable-gssapi-krb5=no \ - --with-libcap-ng=yes \ - --with-python=yes \ - --libdir=${base_libdir} \ - --sbindir=${base_sbindir} \ +--with-libwrap \ +--enable-gssapi-krb5=no \ +--with-libcap-ng=yes \ +--with-python=yes \ +--libdir=${base_libdir} \ +--sbindir=${base_sbindir} \ --without-python3 \ --disable-zos-remote \ - " +" EXTRA_OECONF_append_arm = " --with-arm=yes" +EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes" EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 16/16] audit: uprev to 2.8.4
Signed-off-by: Yi Zhao --- .../audit/{audit_2.7.6.bb => audit_2.8.4.bb} | 18 +- 1 file changed, 9 insertions(+), 9 deletions(-) rename recipes-security/audit/{audit_2.7.6.bb => audit_2.8.4.bb} (91%) diff --git a/recipes-security/audit/audit_2.7.6.bb b/recipes-security/audit/audit_2.8.4.bb similarity index 91% rename from recipes-security/audit/audit_2.7.6.bb rename to recipes-security/audit/audit_2.8.4.bb index d655e64..dcec34d 100644 --- a/recipes-security/audit/audit_2.7.6.bb +++ b/recipes-security/audit/audit_2.8.4.bb @@ -15,8 +15,8 @@ SRC_URI = "http://people.redhat.com/sgrubb/${BPN}/${BPN}-${PV}.tar.gz \ file://auditd.service \ file://audit-volatile.conf \ " -SRC_URI[md5sum] = "55a81bbed973b58a90590c949e71dc3e" -SRC_URI[sha256sum] = "fa65289cffdc95a25bfbdba541f43ee1b12c707090a38fd027dcf9354b9014e7" +SRC_URI[md5sum] = "ec9510312564c3d9483bccf8dbda4779" +SRC_URI[sha256sum] = "a410694d09fc5708d980a61a5abcb9633a591364f1ecc7e97ad5daef9c898c38" inherit autotools pythonnative update-rc.d systemd @@ -30,15 +30,15 @@ SYSTEMD_SERVICE_auditd = "auditd.service" DEPENDS += "python tcp-wrappers libcap-ng linux-libc-headers (>= 2.6.30) swig-native" EXTRA_OECONF += "--without-prelude \ - --with-libwrap \ - --enable-gssapi-krb5=no \ - --with-libcap-ng=yes \ - --with-python=yes \ - --libdir=${base_libdir} \ - --sbindir=${base_sbindir} \ +--with-libwrap \ +--enable-gssapi-krb5=no \ +--with-libcap-ng=yes \ +--with-python=yes \ +--libdir=${base_libdir} \ +--sbindir=${base_sbindir} \ --without-python3 \ --disable-zos-remote \ - " +" EXTRA_OECONF_append_arm = " --with-arm=yes" EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 15/16] packagegroup-selinux-policycoreutils: remove semodule-utils-semodule-deps
Remove package semodule-utils-semodule-deps as it had been removed upstream. Signed-off-by: Yi Zhao --- recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb | 1 - 1 file changed, 1 deletion(-) diff --git a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb index e70baf7..2263592 100644 --- a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb +++ b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb @@ -20,7 +20,6 @@ RDEPENDS_${PN} = "\ policycoreutils-setfiles \ policycoreutils-setsebool \ policycoreutils-hll \ - semodule-utils-semodule-deps \ semodule-utils-semodule-expand \ semodule-utils-semodule-link \ semodule-utils-semodule-package \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 14/16] selinux-gui: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-gui_2.7.bb | 7 --- recipes-security/selinux/selinux-gui_2.8.bb | 7 +++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 recipes-security/selinux/selinux-gui_2.7.bb create mode 100644 recipes-security/selinux/selinux-gui_2.8.bb
diff --git a/recipes-security/selinux/selinux-gui_2.7.bb b/recipes-security/selinux/selinux-gui_2.7.bb
deleted file mode 100644
index 3531591..000
--- a/recipes-security/selinux/selinux-gui_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "f3555cb50a9e67b42bc917ede1982c7d"
-SRC_URI[sha256sum] = "693fb3347041b5a2273c52c33be0a256b109e60f2039ae1d7e90ba8a2ec0324f"
diff --git a/recipes-security/selinux/selinux-gui_2.8.bb b/recipes-security/selinux/selinux-gui_2.8.bb
new file mode 100644
index 000..2c0fcd8
--- /dev/null
+++ b/recipes-security/selinux/selinux-gui_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "52000c14ffa86840220915bd1d777845"
+SRC_URI[sha256sum] = "17acd3004f01f92b288cc1322317d7964f5039fb26ba1542b6713a7147a2351d"
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 13/16] selinux-dbus: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-dbus_2.7.bb | 7 --- recipes-security/selinux/selinux-dbus_2.8.bb | 7 +++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 recipes-security/selinux/selinux-dbus_2.7.bb create mode 100644 recipes-security/selinux/selinux-dbus_2.8.bb
diff --git a/recipes-security/selinux/selinux-dbus_2.7.bb b/recipes-security/selinux/selinux-dbus_2.7.bb
deleted file mode 100644
index a4f14ed..000
--- a/recipes-security/selinux/selinux-dbus_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "6944aa95cfb44e4d76b1aff48b38f08e"
-SRC_URI[sha256sum] = "a7f3dbe68c0d02cd1cbe6aac06e87c2957668cb88083389654fabacb79641ae4"
diff --git a/recipes-security/selinux/selinux-dbus_2.8.bb b/recipes-security/selinux/selinux-dbus_2.8.bb
new file mode 100644
index 000..5091624
--- /dev/null
+++ b/recipes-security/selinux/selinux-dbus_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "23f0264df3ed123904a17d71f2a5b325"
+SRC_URI[sha256sum] = "3339cb9cd77579bab6158afc054409c3bf952e282ef957ea732b19c9f4697bc6"
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 12/16] semodule-utils: uprev to 2.8 (20180524)
Remove package semodule-deps as it had been removed upstream. Signed-off-by: Yi Zhao --- recipes-security/selinux/semodule-utils.inc| 2 -- recipes-security/selinux/semodule-utils_2.7.bb | 7 --- recipes-security/selinux/semodule-utils_2.8.bb | 7 +++ 3 files changed, 7 insertions(+), 9 deletions(-) delete mode 100644 recipes-security/selinux/semodule-utils_2.7.bb create mode 100644 recipes-security/selinux/semodule-utils_2.8.bb diff --git a/recipes-security/selinux/semodule-utils.inc b/recipes-security/selinux/semodule-utils.inc index 23176e5..23cbd14 100644 --- a/recipes-security/selinux/semodule-utils.inc +++ b/recipes-security/selinux/semodule-utils.inc @@ -12,12 +12,10 @@ RDEPENDS_${PN}-dev = "" EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a" PACKAGES =+ "\ -${PN}-semodule-deps \ ${PN}-semodule-expand \ ${PN}-semodule-link \ ${PN}-semodule-package \ " -FILES_${PN}-semodule-deps += "${bindir}/semodule_deps" FILES_${PN}-semodule-expand += "${bindir}/semodule_expand" FILES_${PN}-semodule-link += "${bindir}/semodule_link" FILES_${PN}-semodule-package += "\ diff --git a/recipes-security/selinux/semodule-utils_2.7.bb b/recipes-security/selinux/semodule-utils_2.7.bb deleted file mode 100644 index fbb88bf..000 --- a/recipes-security/selinux/semodule-utils_2.7.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20170804.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "678e3a5225f9645d40fd9d13bbaa156f" -SRC_URI[sha256sum] = "90c98b3362a43b4da2a51a9176820a56f3e615225e23e3395bc566c4490786ba" diff --git a/recipes-security/selinux/semodule-utils_2.8.bb b/recipes-security/selinux/semodule-utils_2.8.bb new file mode 100644 index 000..c56f776 --- /dev/null +++ b/recipes-security/selinux/semodule-utils_2.8.bb 
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "51c69e612481ce971e2ae825139d2ca0"
+SRC_URI[sha256sum] = "44f59c13070c637440b143ceab4dfe1efb9018b1e47828dd8789def74c1ccadf"
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 11/16] selinux-python: uprev to 2.8 (20180524)
Rebase patch: fix-sepolicy-install-path.patch Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-python.inc| 2 +- .../selinux-python/fix-sepolicy-install-path.patch | 23 -- recipes-security/selinux/selinux-python_2.7.bb | 7 --- recipes-security/selinux/selinux-python_2.8.bb | 7 +++ 4 files changed, 21 insertions(+), 18 deletions(-) delete mode 100644 recipes-security/selinux/selinux-python_2.7.bb create mode 100644 recipes-security/selinux/selinux-python_2.8.bb diff --git a/recipes-security/selinux/selinux-python.inc b/recipes-security/selinux/selinux-python.inc index 2a5d657..c774de4 100644 --- a/recipes-security/selinux/selinux-python.inc +++ b/recipes-security/selinux/selinux-python.inc @@ -102,7 +102,7 @@ FILES_${PN} += "\ EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a" do_install() { oe_runmake DESTDIR=${D} \ -LIBDIR="${D}${libdir}" \ +LIBDIR="${libdir}" \ PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \ install } diff --git a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch index 1d54231..6f68c94 100644 --- a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch +++ b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch @@ -1,4 +1,4 @@ -From 69e8697cd2ae48710ff8190bad3e61d2fd115b99 Mon Sep 17 00:00:00 2001 +From c1aae6cc131371729f098e4b0aa02142a85b5890 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Mon, 23 Sep 2013 21:17:59 +0800 Subject: [PATCH] policycoreutils: fix install path for new pymodule sepolicy @@ -7,16 +7,16 @@ Uptream-Status: Pending Signed-off-by: Xin Ouyang Signed-off-by: Wenzong Fan - +Signed-off-by: Yi Zhao --- sepolicy/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sepolicy/Makefile b/sepolicy/Makefile -index 5a56e6c..82c3e36 100644 +index fb8a132..a6ee749 100644 --- a/sepolicy/Makefile 
+++ b/sepolicy/Makefile -@@ -12,6 +12,8 @@ SHAREDIR ?= $(PREFIX)/share/sandbox +@@ -8,6 +8,8 @@ BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions CFLAGS ?= -Wall -Werror -Wextra -W override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared @@ -25,12 +25,15 @@ index 5a56e6c..82c3e36 100644 BASHCOMPLETIONS=sepolicy-bash-completion.sh all: python-build -@@ -30,7 +32,7 @@ test: +@@ -26,7 +28,7 @@ test: @$(PYTHON) test_sepolicy.py -v install: -- $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` -+ $(PYTHON) setup.py install --install-lib $(LIBDIR)/$(PYLIBVER)/site-packages - [ -d $(BINDIR) ] || mkdir -p $(BINDIR) - install -m 755 sepolicy.py $(BINDIR)/sepolicy - (cd $(BINDIR); ln -sf sepolicy sepolgen) +- $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` ++ $(PYTHON) setup.py install --prefix=$(PREFIX) --install-lib $(DESTDIR)$(LIBDIR)/$(PYLIBVER)/site-packages + [ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR) + install -m 755 sepolicy.py $(DESTDIR)$(BINDIR)/sepolicy + (cd $(DESTDIR)$(BINDIR); ln -sf sepolicy sepolgen) +-- +2.7.4 + diff --git a/recipes-security/selinux/selinux-python_2.7.bb b/recipes-security/selinux/selinux-python_2.7.bb deleted file mode 100644 index f98be5f..000 --- a/recipes-security/selinux/selinux-python_2.7.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20170804.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "b118229d34a6aec34471c3c2c9cac172" -SRC_URI[sha256sum] = "4217cb965ecda96c91e15ffcc2e7ddd13ecc2bf5631100f3cd072a7616f140ed" diff --git a/recipes-security/selinux/selinux-python_2.8.bb b/recipes-security/selinux/selinux-python_2.8.bb new file mode 100644 index 000..d63fdef --- /dev/null +++ b/recipes-security/selinux/selinux-python_2.8.bb 
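Review bot: The patch header carried through this rebase still reads `Uptream-Status: Pending` (at the top of the hunk that adds the new Signed-off-by), which tooling that looks for the `Upstream-Status:` tag will not match. Since the header is being edited here anyway, the line should be corrected to `Upstream-Status: Pending`.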
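Review bot: The rebased `install:` rule drops upstream's conditional `--root $(DESTDIR)` argument, so only the directory given to `--install-lib` is staged under `$(DESTDIR)`. Anything else setup.py installs (scripts, data files) would resolve against `--prefix=$(PREFIX)` on the build host. Whether sepolicy's setup.py installs anything beyond packages is not visible here; if it does, the patch should keep the `--root` argument and adjust `--install-lib` to match. Otherwise a line in the patch description, for example `setup.py installs packages only, so --install-lib under $(DESTDIR) replaces --root`, would record why the guard was removed.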
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "bd9850808203c76f07efd396bde790e3"
+SRC_URI[sha256sum] = "e69f5e24820cb247a3d881a9c90efba1e64d76af863c82fb81bc3b87ed71e238"
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 10/16] selinux-sandbox: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-sandbox_2.7.bb | 7 --- recipes-security/selinux/selinux-sandbox_2.8.bb | 7 +++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 recipes-security/selinux/selinux-sandbox_2.7.bb create mode 100644 recipes-security/selinux/selinux-sandbox_2.8.bb
diff --git a/recipes-security/selinux/selinux-sandbox_2.7.bb b/recipes-security/selinux/selinux-sandbox_2.7.bb
deleted file mode 100644
index 1307ce7..000
--- a/recipes-security/selinux/selinux-sandbox_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "7360e9dc7b1757b7f82face655982bfa"
-SRC_URI[sha256sum] = "9490620380ab6d428a92869002a51ada0343ca35fa2a6905595745902a64c541"
diff --git a/recipes-security/selinux/selinux-sandbox_2.8.bb b/recipes-security/selinux/selinux-sandbox_2.8.bb
new file mode 100644
index 000..1eb6c2d
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "957f5d0fc7724f93f502d1d632568894"
+SRC_URI[sha256sum] = "025f84f76e07b7bfc9ba1e9215f4ddb646d41a2e935a65e07560feaa6fc20ef3"
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 09/16] restorecond: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao --- recipes-security/selinux/restorecond.inc| 4 recipes-security/selinux/restorecond_2.7.bb | 7 --- recipes-security/selinux/restorecond_2.8.bb | 7 +++ 3 files changed, 7 insertions(+), 11 deletions(-) delete mode 100644 recipes-security/selinux/restorecond_2.7.bb create mode 100644 recipes-security/selinux/restorecond_2.8.bb diff --git a/recipes-security/selinux/restorecond.inc b/recipes-security/selinux/restorecond.inc index 6f12d23..d168303 100644 --- a/recipes-security/selinux/restorecond.inc +++ b/recipes-security/selinux/restorecond.inc @@ -18,10 +18,6 @@ DEPENDS += "libsepol libselinux libpcre dbus-glib glib-2.0 pkgconfig-native" FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \ " -do_install_prepend() { -export SYSTEMDDIR=${D}/${systemd_unitdir} -} - SYSTEMD_SERVICE_restorecond = "restorecond.service" INITSCRIPT_PACKAGES = "restorecond" INITSCRIPT_NAME_restorecond = "restorecond" diff --git a/recipes-security/selinux/restorecond_2.7.bb b/recipes-security/selinux/restorecond_2.7.bb deleted file mode 100644 index 1f9a70c..000 --- a/recipes-security/selinux/restorecond_2.7.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20170804.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "46f8ad0a37f955ef148d4e19b8cc8b1f" -SRC_URI[sha256sum] = "cb8e0a8d706cb2c1f105125f3514defcbcfb49199183a7f91ab0bdf1f24d" diff --git a/recipes-security/selinux/restorecond_2.8.bb b/recipes-security/selinux/restorecond_2.8.bb new file mode 100644 index 000..4a83a23 --- /dev/null +++ b/recipes-security/selinux/restorecond_2.8.bb 
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "cfe4e4d6184623fdcb9bc2681e693abb"
+SRC_URI[sha256sum] = "323cab1128e5308cd85fea0e5c98e3c8973e1ada0b659f2fce76187e192271bf"
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 08/16] mcstrans: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao --- recipes-security/selinux/mcstrans.inc| 1 - recipes-security/selinux/mcstrans_2.7.bb | 7 --- recipes-security/selinux/mcstrans_2.8.bb | 7 +++ 3 files changed, 7 insertions(+), 8 deletions(-) delete mode 100644 recipes-security/selinux/mcstrans_2.7.bb create mode 100644 recipes-security/selinux/mcstrans_2.8.bb diff --git a/recipes-security/selinux/mcstrans.inc b/recipes-security/selinux/mcstrans.inc index 996e8d0..2568c8d 100644 --- a/recipes-security/selinux/mcstrans.inc +++ b/recipes-security/selinux/mcstrans.inc @@ -14,7 +14,6 @@ inherit systemd update-rc.d DEPENDS += "libsepol libselinux libcap" -EXTRA_OEMAKE += "SYSTEMDDIR=${D}${systemd_unitdir} SBINDIR=${D}/${base_sbindir}" do_install_append() { install -d ${D}${sbindir} install -m 755 utils/untranscon ${D}${sbindir}/ diff --git a/recipes-security/selinux/mcstrans_2.7.bb b/recipes-security/selinux/mcstrans_2.7.bb deleted file mode 100644 index 2d5bbfd..000 --- a/recipes-security/selinux/mcstrans_2.7.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20170804.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" - -SRC_URI[md5sum] = "edba0f72fdf7fdd1ad0a2c6d102e8cfa" -SRC_URI[sha256sum] = "cdca003282d160b50ad695ab5b013c05ca21387a419b2f89288534184d16e1e2" diff --git a/recipes-security/selinux/mcstrans_2.8.bb b/recipes-security/selinux/mcstrans_2.8.bb new file mode 100644 index 000..8923c3c --- /dev/null +++ b/recipes-security/selinux/mcstrans_2.8.bb @@ -0,0 +1,7 @@ +include selinux_20180524.inc +include ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" + +SRC_URI[md5sum] = "3a0edb2a8b6a255199824abd58c0906c" +SRC_URI[sha256sum] = "ec6ea65660550ed6bbd2a834725ba7526ac53599753d7b95072e4afd4afc14e4" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 07/16] policycoreutils: uprev to 2.8 (20180524)
Remove unused patch: policycoreutils-loadpolicy-symlink.patch Add the following patches to change commands path for backward compatibility: policycoreutils-fix-fixfiles-install-path.patch policycoreutils-fix-fixfiles-install-path.patch Signed-off-by: Yi Zhao --- recipes-security/selinux/policycoreutils.inc | 8 +++--- ...policycoreutils-fix-fixfiles-install-path.patch | 29 ++ ...icycoreutils-fix-load_policy-install-path.patch | 29 ++ .../policycoreutils-loadpolicy-symlink.patch | 19 -- recipes-security/selinux/policycoreutils_2.7.bb| 8 -- recipes-security/selinux/policycoreutils_2.8.bb| 8 ++ 6 files changed, 70 insertions(+), 31 deletions(-) create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch delete mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-loadpolicy-symlink.patch delete mode 100644 recipes-security/selinux/policycoreutils_2.7.bb create mode 100644 recipes-security/selinux/policycoreutils_2.8.bb diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc index b7cb510..854cf4d 100644 --- a/recipes-security/selinux/policycoreutils.inc +++ b/recipes-security/selinux/policycoreutils.inc @@ -9,6 +9,8 @@ LICENSE = "GPLv2+" SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://policycoreutils-fixfiles-de-bashify.patch \ +file://policycoreutils-fix-fixfiles-install-path.patch \ +file://policycoreutils-fix-load_policy-install-path.patch \ " PAM_SRC_URI = "file://pam.d/newrole \ @@ -46,7 +48,6 @@ RDEPENDS_${BPN}-semodule += "\ libsemanage \ " # static link to libsepol -DEPENDS_${BPN}-semodule-deps += "libsepol" RDEPENDS_${BPN}-semodule-expand += "libsepol libselinux" RDEPENDS_${BPN}-semodule-link += "libsepol libselinux" RDEPENDS_${BPN}-semodule-package += "libsepol libselinux" 
@@ -157,15 +158,14 @@ do_compile_prepend() { do_install_prepend() { export PYTHON=python - export SEMODULE_PATH=${sbindir} SYSTEMDDIR=${D}/${systemd_unitdir} } do_install_class-native() { for PCU_CMD in ${PCU_NATIVE_CMDS} ; do oe_runmake -C $PCU_CMD install \ DESTDIR="${D}" \ - PREFIX="${D}/${prefix}" \ - SBINDIR="${D}/${base_sbindir}" + PREFIX="${prefix}" \ + SBINDIR="${base_sbindir}" done } diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch new file mode 100644 index 000..96d2075 --- /dev/null +++ b/recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch @@ -0,0 +1,29 @@ +From 0546ad883d98799972034f8e0fdc6ca2a7319b07 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Tue, 4 Sep 2018 14:14:45 +0800 +Subject: [PATCH] policycoreutils: fix fixfiles install path + +Change path from /usr/sbin to /sbin for backward compatibility + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + scripts/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/Makefile b/scripts/Makefile +index afe5dc4..f7a9e34 100644 +--- a/scripts/Makefile b/scripts/Makefile +@@ -1,6 +1,6 @@ + # Installation directories. + PREFIX ?= /usr +-SBINDIR ?= $(PREFIX)/sbin ++SBINDIR ?= /sbin + MANDIR ?= $(PREFIX)/share/man + + .PHONY: all +-- +2.7.4 + diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch new file mode 100644 index 000..2136781 --- /dev/null +++ b/recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch 
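Review bot: The new fixfiles patch hard-codes `SBINDIR ?= /sbin` in scripts/Makefile, which ties the install location to a literal path instead of the layer's `${base_sbindir}`; on a configuration where `base_sbindir` is not `/sbin` (a merged-/usr layout, for instance) the two would disagree. The native install in this same commit already passes `SBINDIR="${base_sbindir}"` on the make command line, so doing the same for the target install (presumably outside these hunks) would make both Makefile patches unnecessary. The load_policy patch that follows makes the same one-line change. Separately, the commit description lists the fixfiles patch twice where the second entry should be `policycoreutils-fix-load_policy-install-path.patch`.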
@@ -0,0 +1,29 @@ +From 46077df498b8bb54964506f03fd95390a392 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Tue, 4 Sep 2018 14:41:13 +0800 +Subject: [PATCH] policycoreutils: fix load_policy install path + +Change path from /usr/sbin to /sbin for backward compatibility + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Yi Zhao +--- + load_policy/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/load_policy/Makefile b/load_policy/Makefile +index 568d5d4..7fbd077 100644 +--- a/load_policy/Makefile b/load_policy/Makefile +@@ -1,6 +1,6 @@ + # Installation directories. + PREFIX ?= /usr +-SBINDIR ?= $(PREFIX)/sbin ++SBINDIR ?= /sbin + MANDIR ?
[yocto] [meta-selinux][PATCH 06/16] secilc: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao --- recipes-security/selinux/secilc_2.7.bb | 7 --- recipes-security/selinux/secilc_2.8.bb | 7 +++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 recipes-security/selinux/secilc_2.7.bb create mode 100644 recipes-security/selinux/secilc_2.8.bb
diff --git a/recipes-security/selinux/secilc_2.7.bb b/recipes-security/selinux/secilc_2.7.bb
deleted file mode 100644
index 611f165..000
--- a/recipes-security/selinux/secilc_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
-
-SRC_URI[md5sum] = "301a4e477bc7214be16558f7c2dcbcff"
-SRC_URI[sha256sum] = "9ec63dd64645c718f66d33c96299adfe0445b0aa62d7ac8c642f873c570609c5"
diff --git a/recipes-security/selinux/secilc_2.8.bb b/recipes-security/selinux/secilc_2.8.bb
new file mode 100644
index 000..89e0684
--- /dev/null
+++ b/recipes-security/selinux/secilc_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
+
+SRC_URI[md5sum] = "a3c363545842aadc6645a94112b476e7"
+SRC_URI[sha256sum] = "cfe15f2e06b3013c9dfc46cf42234ff07fb61866c4c29d739eb8858f83b214d4"
-- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 05/16] checkpolicy: uprev to 2.8 (20180524)
Signed-off-by: Yi Zhao --- recipes-security/selinux/checkpolicy.inc| 1 - recipes-security/selinux/checkpolicy_2.7.bb | 7 --- recipes-security/selinux/checkpolicy_2.8.bb | 7 +++ 3 files changed, 7 insertions(+), 8 deletions(-) delete mode 100644 recipes-security/selinux/checkpolicy_2.7.bb create mode 100644 recipes-security/selinux/checkpolicy_2.8.bb diff --git a/recipes-security/selinux/checkpolicy.inc b/recipes-security/selinux/checkpolicy.inc index 878c656..1d84ebb 100644 --- a/recipes-security/selinux/checkpolicy.inc +++ b/recipes-security/selinux/checkpolicy.inc @@ -11,7 +11,6 @@ LICENSE = "GPLv2+" DEPENDS += "libsepol bison-native flex-native" -EXTRA_OEMAKE += "PREFIX=${D}" EXTRA_OEMAKE += "LEX='flex'" EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a" diff --git a/recipes-security/selinux/checkpolicy_2.7.bb b/recipes-security/selinux/checkpolicy_2.7.bb deleted file mode 100644 index 90b8109..000 --- a/recipes-security/selinux/checkpolicy_2.7.bb +++ /dev/null @@ -1,7 +0,0 @@ -include selinux_20170804.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" - -SRC_URI[md5sum] = "5c718eaad4d3015bd5665ffde77b50fd" -SRC_URI[sha256sum] = "5413479f1dcde866c19896b4dbfec315d822aa431606e1d03c944408984c3201" diff --git a/recipes-security/selinux/checkpolicy_2.8.bb b/recipes-security/selinux/checkpolicy_2.8.bb new file mode 100644 index 000..05e738e --- /dev/null +++ b/recipes-security/selinux/checkpolicy_2.8.bb @@ -0,0 +1,7 @@ +include selinux_20180524.inc +include ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" + +SRC_URI[md5sum] = "5d23a3209048c8cf70f3c13c4ce4245f" +SRC_URI[sha256sum] = "9dec811c24b88e58c3bf741365eacf1dbb945531a2fcb8f284aacf68098194c8" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 04/16] libsemanage: uprev to 2.8 (20180524)
Rebase patch: 0001-src-Makefile-fix-includedir-in-libselinux.pc.patch Signed-off-by: Yi Zhao --- recipes-security/selinux/libsemanage.inc | 12 ++-- ...rc-Makefile-fix-includedir-in-libselinux.pc.patch | 20 +++- .../{libsemanage_2.7.bb => libsemanage_2.8.bb} | 6 +++--- 3 files changed, 16 insertions(+), 22 deletions(-) rename recipes-security/selinux/{libsemanage_2.7.bb => libsemanage_2.8.bb} (76%) diff --git a/recipes-security/selinux/libsemanage.inc b/recipes-security/selinux/libsemanage.inc index d957d89..be0a5f1 100644 --- a/recipes-security/selinux/libsemanage.inc +++ b/recipes-security/selinux/libsemanage.inc @@ -32,18 +32,10 @@ do_compile_append() { PYTHONLIBDIR='${PYLIB}' } -do_install() { -oe_runmake install \ -DESTDIR="${D}" \ -PREFIX="${D}/${prefix}" \ -INCLUDEDIR="${D}/${includedir}" \ -LIBDIR="${D}/${libdir}" \ -SHLIBDIR="${D}/${libdir}" - +do_install_append() { oe_runmake install-pywrap swigify \ -DESTDIR=${D} \ PYCEXT='.so' \ - PYSITEDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' \ + PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' \ PYLIBVER='python${PYTHON_BASEVERSION}' \ PYLIBDIR='${D}/${libdir}/$(PYLIBVER)' diff --git a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch b/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch index 3d1e110..73613d3 100644 --- a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch +++ b/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch @@ -1,4 +1,4 @@ -From 992d02fe0d08361529a5d158119c02521786798f Mon Sep 17 00:00:00 2001 +From e773c0952b06370d81e9b113f9b0b3388e323e52 Mon Sep 17 00:00:00 2001 From: Robert Yang Date: Thu, 18 Feb 2016 02:39:16 + Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc @@ -6,21 +6,23 @@ Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc Upstream-Status: Pending 
Signed-off-by: Robert Yang - +Signed-off-by: Yi Zhao --- - src/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + src/Makefile | 1 + + 1 file changed, 1 insertion(+) diff --git a/src/Makefile b/src/Makefile -index e8831ab..d3d4644 100644 +index dea751e..4af4568 100644 --- a/src/Makefile +++ b/src/Makefile -@@ -103,7 +103,7 @@ $(LIBSO): $(LOBJS) - ln -sf $@ $(TARGET) +@@ -93,6 +93,7 @@ $(LIBSO): $(LOBJS) $(LIBPC): $(LIBPC).in ../VERSION -- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ -+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:${prefix}/include:' < $< > $@ + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ ++ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@ semanageswig_python_exception.i: ../include/semanage/semanage.h bash -e exception.sh > $@ || (rm -f $@ ; false) +-- +2.7.4 + diff --git a/recipes-security/selinux/libsemanage_2.7.bb b/recipes-security/selinux/libsemanage_2.8.bb similarity index 76% rename from recipes-security/selinux/libsemanage_2.7.bb rename to recipes-security/selinux/libsemanage_2.8.bb index d7b5312..38942e3 100644 --- a/recipes-security/selinux/libsemanage_2.7.bb +++ b/recipes-security/selinux/libsemanage_2.8.bb 
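Review bot: After the rebase the patch's own hunk for the `$(LIBPC)` rule (`@@ -93,6 +93,7 @@`, diffstat `1 +`) adds a second `sed` below upstream's instead of replacing it, so both commands write the same `$@` and the first one's output is always overwritten. The pre-rebase patch replaced the line (`2 +-` in its diffstat); doing that again leaves a single command, `sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@`. It is also worth confirming that `libdir` and `prefix` are set in make's environment during the build, since an unset value would silently produce an empty `libdir` in the generated .pc file. The libselinux copy of this patch in PATCH 03/16 shows the same diffstat change, but its Makefile hunk is cut off on this page.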
@@ -1,10 +1,10 @@ -include selinux_20170804.inc +include selinux_20180524.inc include ${BPN}.inc LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" -SRC_URI[md5sum] = "a6b5c451fbe45ff9e3e0e65f2db0ae1d" -SRC_URI[sha256sum] = "07e9477714ce6a4557a1fe924ea4cb06501b62d0fa0e3c0dc32a2cf47cb8d476" +SRC_URI[md5sum] = "62ed7bb2ede677a735f2750751677a4f" +SRC_URI[sha256sum] = "1c0de8d2c51e5460926c21e371105c84a39087dfd8f8e9f0cc1d017e4cbea8e2" SRC_URI += "\ file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 03/16] libselinux: uprev to 2.8 (20180524)
Rebase patch: 0001-src-Makefile-fix-includedir-in-libselinux.pc.patch Signed-off-by: Yi Zhao --- recipes-security/selinux/libselinux.inc | 2 +- ...rc-Makefile-fix-includedir-in-libselinux.pc.patch | 20 +++- .../selinux/{libselinux_2.7.bb => libselinux_2.8.bb} | 6 +++--- 3 files changed, 15 insertions(+), 13 deletions(-) rename recipes-security/selinux/{libselinux_2.7.bb => libselinux_2.8.bb} (72%) diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc index 51d0875..17c29f9 100644 --- a/recipes-security/selinux/libselinux.inc +++ b/recipes-security/selinux/libselinux.inc @@ -33,7 +33,7 @@ do_compile_append() { do_install_append() { oe_runmake install-pywrap swigify \ -PYSITEDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages + PYTHONLIBDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages rm -rf ${D}${base_sbindir} } diff --git a/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch b/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch index 725141f..46cfaaf 100644 --- a/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch +++ b/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch @@ -1,4 +1,4 @@ -From 3f633e310851cb029cb4f38d9e11a3aaef8d1099 Mon Sep 17 00:00:00 2001 +From 37f3299e8f5c468fe692f36356c2c35f968b6aee Mon Sep 17 00:00:00 2001 From: Robert Yang Date: Thu, 18 Feb 2016 02:39:16 + Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc @@ -6,21 +6,23 @@ Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc Upstream-Status: Pending Signed-off-by: Robert Yang - +Signed-off-by: Yi Zhao --- - src/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + src/Makefile | 1 + + 1 file changed, 1 insertion(+) diff --git a/src/Makefile b/src/Makefile -index a89c0f7..f304032 100644 +index 977b5c8..92a4289 100644 --- a/src/Makefile 
+++ b/src/Makefile -@@ -148,7 +148,7 @@ $(LIBSO): $(LOBJS) - ln -sf $@ $(TARGET) +@@ -156,6 +156,7 @@ $(LIBSO): $(LOBJS) $(LIBPC): $(LIBPC).in ../VERSION -- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ -+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:${prefix}/include:' < $< > $@ + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ ++ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ selinuxswig_python_exception.i: ../include/selinux/selinux.h bash -e exception.sh > $@ || (rm -f $@ ; false) +-- +2.7.4 + diff --git a/recipes-security/selinux/libselinux_2.7.bb b/recipes-security/selinux/libselinux_2.8.bb similarity index 72% rename from recipes-security/selinux/libselinux_2.7.bb rename to recipes-security/selinux/libselinux_2.8.bb index e0d01fc..5de4607 100644 --- a/recipes-security/selinux/libselinux_2.7.bb +++ b/recipes-security/selinux/libselinux_2.8.bb @@ -1,10 +1,10 @@ -include selinux_20170804.inc +include selinux_20180524.inc include ${BPN}.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0" -SRC_URI[md5sum] = "1d48ee4e9fadd76794d70c806b69ba7d" -SRC_URI[sha256sum] = "d0fec0769b3ad60aa7baf9b9a4b7a056827769dc2dadda0dc0eb59b3d1c18c57" +SRC_URI[md5sum] = "56057e60192b21122c1aede8ff723ca2" +SRC_URI[sha256sum] = "31db96ec7643ce10912b3c3f98506a08a9116dcfe151855fd349c3fda96187e1" SRC_URI += "\ file://libselinux-drop-Wno-unused-but-set-variable.patch \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 02/16] libsepol: uprev to 2.8 (20180524)
Rebase patch: 0001-src-Makefile-fix-includedir-in-libsepol.pc.patch Signed-off-by: Yi Zhao --- .../0001-src-Makefile-fix-includedir-in-libsepol.pc.patch | 13 +++-- recipes-security/selinux/libsepol_2.7.bb| 9 - recipes-security/selinux/libsepol_2.8.bb| 9 + 3 files changed, 16 insertions(+), 15 deletions(-) delete mode 100644 recipes-security/selinux/libsepol_2.7.bb create mode 100644 recipes-security/selinux/libsepol_2.8.bb diff --git a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch b/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch index 8a6e047..987fdab 100644 --- a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch +++ b/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch @@ -1,4 +1,4 @@ -From 05907644755048f9335e05dc540f810bb580477f Mon Sep 17 00:00:00 2001 +From 074dbf2f104d1a6ea1aa048600f44f9701c70a60 Mon Sep 17 00:00:00 2001 From: Robert Yang Date: Thu, 18 Feb 2016 02:04:59 + Subject: [PATCH] src/Makefile: fix includedir in libsepol.pc @@ -6,23 +6,24 @@ Subject: [PATCH] src/Makefile: fix includedir in libsepol.pc Upstream-Status: Pending Signed-off-by: Robert Yang +Signed-off-by: Yi Zhao --- src/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Makefile b/src/Makefile -index db6c2ba..c03ee92 100644 +index ccb7023..2bb6290 100644 --- a/src/Makefile 
+++ b/src/Makefile -@@ -43,7 +43,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP) +@@ -51,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP) ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION -- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ -+ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:${prefix}/include:' < $< > $@ +- sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ ++ sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@ $(LIBMAP): $(LIBMAP).in ifneq ($(DISABLE_CIL),y) -- -2.5.0 +2.7.4 diff --git a/recipes-security/selinux/libsepol_2.7.bb b/recipes-security/selinux/libsepol_2.7.bb deleted file mode 100644 index f38f7ba..000 --- a/recipes-security/selinux/libsepol_2.7.bb +++ /dev/null @@ -1,9 +0,0 @@ -include selinux_20170804.inc -include ${BPN}.inc - -LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" - -SRC_URI[md5sum] = "9424b93fd6efd853b9360f29265c5aa3" -SRC_URI[sha256sum] = "d69d3bd8ec901a3bd5adf2be2fb47fb1a685ed73066ab482e7e505371a48f9e7" - -SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch" diff --git a/recipes-security/selinux/libsepol_2.8.bb b/recipes-security/selinux/libsepol_2.8.bb new file mode 100644 index 000..d1f905b --- /dev/null +++ b/recipes-security/selinux/libsepol_2.8.bb @@ -0,0 +1,9 @@ +include selinux_20180524.inc +include ${BPN}.inc + +LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" + +SRC_URI[md5sum] = "c19aa9dde1e78d1c2bd3109579e4d484" +SRC_URI[sha256sum] = "3ad6916a8352bef0bad49acc8037a5f5b48c56f94e4cb4e1959ca475fa9d24d6" + +SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 01/16] selinux: uprev inc files to 2.8 (20180524)
Signed-off-by: Yi Zhao --- .../selinux/{selinux_20170804.inc => selinux_20180524.inc} | 2 +- recipes-security/selinux/selinux_common.inc | 9 + 2 files changed, 6 insertions(+), 5 deletions(-) rename recipes-security/selinux/{selinux_20170804.inc => selinux_20180524.inc} (84%) diff --git a/recipes-security/selinux/selinux_20170804.inc b/recipes-security/selinux/selinux_20180524.inc similarity index 84% rename from recipes-security/selinux/selinux_20170804.inc rename to recipes-security/selinux/selinux_20180524.inc index 1c11208..b36b333 100644 --- a/recipes-security/selinux/selinux_20170804.inc +++ b/recipes-security/selinux/selinux_20180524.inc @@ -1,4 +1,4 @@ -SELINUX_RELEASE = "20170804" +SELINUX_RELEASE = "20180524" SRC_URI = "https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz; diff --git a/recipes-security/selinux/selinux_common.inc b/recipes-security/selinux/selinux_common.inc index e4c23a1..383f62d 100644 --- a/recipes-security/selinux/selinux_common.inc +++ b/recipes-security/selinux/selinux_common.inc @@ -9,8 +9,9 @@ do_compile() { do_install() { oe_runmake install \ DESTDIR="${D}" \ -PREFIX="${D}/${prefix}" \ -INCLUDEDIR="${D}/${includedir}" \ -LIBDIR="${D}/${libdir}" \ -SHLIBDIR="${D}/${base_libdir}" +PREFIX="${prefix}" \ +INCLUDEDIR="${includedir}" \ +LIBDIR="${libdir}" \ +SHLIBDIR="${base_libdir}" \ +SYSTEMDDIR="${systemd_unitdir}" } -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
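Review bot: The three `0001-src-Makefile-fix-includedir-in-*.pc.patch` files that the rest of this series rebases look redundant once this do_install stops putting `${D}` into PREFIX, INCLUDEDIR and LIBDIR. Their apparent purpose is to keep the staging directory out of the generated .pc files, and with target paths passed here the upstream `sed` should already produce clean values. That is inferred from the variable names only, so it needs a check of the built .pc files, but dropping three `Upstream-Status: Pending` patches would be a good outcome. A comment above the call such as `# target paths only; DESTDIR supplies ${D}` would also stop the `${D}` prefixes from creeping back in.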
[yocto] [meta-selinux][PATCH 00/16] selinux: upgrade 2.7 -> 2.8
Yi Zhao (16): selinux: uprev inc files to 2.8 (20180524) libsepol: uprev to 2.8 (20180524) libselinux: uprev to 2.8 (20180524) libsemanage: uprev to 2.8 (20180524) checkpolicy: uprev to 2.8 (20180524) secilc: uprev to 2.8 (20180524) policycoreutils: uprev to 2.8 (20180524) mcstrans: uprev to 2.8 (20180524) restorecond: uprev to 2.8 (20180524) selinux-sandbox: uprev to 2.8 (20180524) selinux-python: uprev to 2.8 (20180524) semodule-utils: uprev to 2.8 (20180524) selinux-dbus: uprev to 2.8 (20180524) selinux-gui: uprev to 2.8 (20180524) packagegroup-selinux-policycoreutils: remove semodule-utils-semodule-deps audit: uprev to 2.8.4 .../audit/{audit_2.7.6.bb => audit_2.8.4.bb} | 18 +++--- .../packagegroup-selinux-policycoreutils.bb| 1 - recipes-security/selinux/checkpolicy.inc | 1 - recipes-security/selinux/checkpolicy_2.7.bb| 7 -- recipes-security/selinux/checkpolicy_2.8.bb| 7 ++ recipes-security/selinux/libselinux.inc| 2 +- ...-Makefile-fix-includedir-in-libselinux.pc.patch | 20 --- .../{libselinux_2.7.bb => libselinux_2.8.bb} | 6 ++--- recipes-security/selinux/libsemanage.inc | 12 ++--- ...-Makefile-fix-includedir-in-libselinux.pc.patch | 20 --- .../{libsemanage_2.7.bb => libsemanage_2.8.bb} | 6 ++--- ...rc-Makefile-fix-includedir-in-libsepol.pc.patch | 13 +- recipes-security/selinux/libsepol_2.7.bb | 9 --- recipes-security/selinux/libsepol_2.8.bb | 9 +++ recipes-security/selinux/mcstrans.inc | 1 - recipes-security/selinux/mcstrans_2.7.bb | 7 -- recipes-security/selinux/mcstrans_2.8.bb | 7 ++ recipes-security/selinux/policycoreutils.inc | 8 +++--- ...policycoreutils-fix-fixfiles-install-path.patch | 29 ++ ...icycoreutils-fix-load_policy-install-path.patch | 29 ++ .../policycoreutils-loadpolicy-symlink.patch | 19 -- recipes-security/selinux/policycoreutils_2.7.bb| 8 -- recipes-security/selinux/policycoreutils_2.8.bb| 8 ++ recipes-security/selinux/restorecond.inc | 4 --- recipes-security/selinux/restorecond_2.7.bb| 7 -- recipes-security/selinux/restorecond_2.8.bb| 7 
++ recipes-security/selinux/secilc_2.7.bb | 7 -- recipes-security/selinux/secilc_2.8.bb | 7 ++ recipes-security/selinux/selinux-dbus_2.7.bb | 7 -- recipes-security/selinux/selinux-dbus_2.8.bb | 7 ++ recipes-security/selinux/selinux-gui_2.7.bb| 7 -- recipes-security/selinux/selinux-gui_2.8.bb| 7 ++ recipes-security/selinux/selinux-python.inc| 2 +- .../selinux-python/fix-sepolicy-install-path.patch | 23 + recipes-security/selinux/selinux-python_2.7.bb | 7 -- recipes-security/selinux/selinux-python_2.8.bb | 7 ++ recipes-security/selinux/selinux-sandbox_2.7.bb| 7 -- recipes-security/selinux/selinux-sandbox_2.8.bb| 7 ++ .../{selinux_20170804.inc => selinux_20180524.inc} | 2 +- recipes-security/selinux/selinux_common.inc| 9 --- recipes-security/selinux/semodule-utils.inc| 2 -- recipes-security/selinux/semodule-utils_2.7.bb | 7 -- recipes-security/selinux/semodule-utils_2.8.bb | 7 ++ 43 files changed, 209 insertions(+), 178 deletions(-) rename recipes-security/audit/{audit_2.7.6.bb => audit_2.8.4.bb} (91%) delete mode 100644 recipes-security/selinux/checkpolicy_2.7.bb create mode 100644 recipes-security/selinux/checkpolicy_2.8.bb rename recipes-security/selinux/{libselinux_2.7.bb => libselinux_2.8.bb} (72%) rename recipes-security/selinux/{libsemanage_2.7.bb => libsemanage_2.8.bb} (76%) delete mode 100644 recipes-security/selinux/libsepol_2.7.bb create mode 100644 recipes-security/selinux/libsepol_2.8.bb delete mode 100644 recipes-security/selinux/mcstrans_2.7.bb create mode 100644 recipes-security/selinux/mcstrans_2.8.bb create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch delete mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-loadpolicy-symlink.patch delete mode 100644 recipes-security/selinux/policycoreutils_2.7.bb create mode 100644 recipes-security/selinux/policycoreutils_2.8.bb 
delete mode 100644 recipes-security/selinux/restorecond_2.7.bb create mode 100644 recipes-security/selinux/restorecond_2.8.bb delete mode 100644 recipes-security/selinux/secilc_2.7.bb create mode 100644 recipes-security/selinux/secilc_2.8.bb delete mode 100644 recipes-security/selinux/selinux-dbus_2.7.bb create mode 100644 recipes-security/selinux/selinux-dbu
[yocto] [meta-security][PATCH 2/2] xmlsec1: upgrade 1.2.25 -> 1.2.26
Drop patch xmlsec1-fix-a-typo-in-examples-verify3.c.patch since the issue had been fixed upstream. Rebase patch change-finding-path-of-nss.patch Signed-off-by: Yi Zhao --- .../xmlsec1/change-finding-path-of-nss.patch | 107 ++--- .../xmlsec1-fix-a-typo-in-examples-verify3.c.patch | 23 - .../{xmlsec1_1.2.25.bb => xmlsec1_1.2.26.bb} | 5 +- 3 files changed, 53 insertions(+), 82 deletions(-) delete mode 100644 recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch rename recipes-security/xmlsec1/{xmlsec1_1.2.25.bb => xmlsec1_1.2.26.bb} (89%) diff --git a/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch b/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch index fcc63b3..1cec47f 100644 --- a/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch +++ b/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch @@ -1,4 +1,4 @@ -From 47379747e34f952d31af028c672940ca7859ae3c Mon Sep 17 00:00:00 2001 +From c1c980a95d85bcaf8802524d6148783522b300d7 Mon Sep 17 00:00:00 2001 From: Yulong Pei Date: Wed, 21 Jul 2010 22:33:43 +0800 Subject: [PATCH] change finding path of nss and nspr @@ -7,66 +7,61 @@ Upstream-Status: Pending Signed-off-by: Yulong Pei Signed-off-by: Mingli Yu - +Signed-off-by: Yi Zhao --- - configure.ac | 12 ++-- - 1 file changed, 6 insertions(+), 6 deletions(-) + configure.ac | 20 ++-- + 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/configure.ac b/configure.ac -index 3278200..6edec7d 100644 +index 951b3eb..1fdeb0f 100644 --- a/configure.ac 
+++ b/configure.ac -@@ -644,7 +644,7 @@ if test "z$NSS_FOUND" = "zno" ; then +@@ -866,10 +866,10 @@ MOZILLA_MIN_VERSION="1.4" + NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss" + NSPR_PACKAGE=mozilla-nspr + NSS_PACKAGE=mozilla-nss +-NSPR_INCLUDE_MARKER="nspr/nspr.h" ++NSPR_INCLUDE_MARKER="nspr.h" + NSPR_LIB_MARKER="libnspr4$shrext" + NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4" +-NSS_INCLUDE_MARKER="nss/nss.h" ++NSS_INCLUDE_MARKER="nss3/nss.h" + NSS_LIB_MARKER="libnss3$shrext" + NSS_LIBS_LIST="-lnss3 -lsmime3" - if test "z$with_nspr" != "z" ; then - NSPR_PREFIX="$with_nspr" -- NSPR_CFLAGS="-I$with_nspr/include -I$with_nspr/include/nspr" -+ NSPR_CFLAGS="-I$with_nspr/usr/include -I$with_nspr/usr/include/nspr4" - if test "z$with_gnu_ld" = "zyes" ; then - NSPR_LIBS="-Wl,-rpath-link -Wl,$with_nspr/lib -L$with_nspr/lib $NSPR_LIBS_LIST" - else -@@ -652,7 +652,7 @@ if test "z$NSS_FOUND" = "zno" ; then - fi - NSPR_INCLUDES_FOUND="yes" - NSPR_LIBS_FOUND="yes" -- NSPR_PRINIT_H="$with_nspr/include/prinit.h" -+ NSPR_PRINIT_H="$with_nspr/usr/include/nspr4/prinit.h" +@@ -898,24 +898,24 @@ fi + dnl Priority 1: User specifies the path to installation + if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != "zyes" ; then + AC_MSG_CHECKING(for nspr library installation in "$with_nspr" folder) +-if test -f "$with_nspr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/lib/$NSPR_LIB_MARKER" ; then +-NSPR_INCLUDE_PATH="$with_nspr/include" +-NSPR_LIB_PATH="$with_nspr/lib" ++if test -f "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/${libdir}/$NSPR_LIB_MARKER" ; then ++NSPR_INCLUDE_PATH="$with_nspr/usr/include" ++NSPR_LIB_PATH="$with_nspr/${libdir}" + NSPR_FOUND="yes" + AC_MSG_RESULT([yes]) else - for dir in $ac_nss_inc_dir ; do - if test -f $dir/nspr/prinit.h ; then -@@ -690,7 +690,7 @@ if test "z$NSS_FOUND" = "zno" ; then - OLD_CPPFLAGS=$CPPFLAGS - CPPFLAGS="$NSPR_CFLAGS" - AC_EGREP_CPP(yes,[ -- #include -+ #include - #if PR_VMAJOR >= 4 -yes - #endif -@@ -715,7 +715,7 @@ 
if test "z$NSS_FOUND" = "zno" ; then - NSS_NSS_H="" - - if test "z$with_nss" != "z" ; then -- NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/include -I$with_nss/include/nss" -+ NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/usr/include -I$with_nss/usr/include/nss3 -I$with_nspr/usr/include/nspr4" - if test "z$with_gnu_ld" = "zyes" ; then - NSS_LIBS="$NSS_LIBS -Wl,-rpath-link -Wl,$with_nss/lib -L$with_nss/lib $NSS_LIBS_LIST" - else -@@ -723,7 +723,7 @@ if test "z$NSS_FOUND" = "zno" ; then - fi - N
[yocto] [meta-security][PATCH 1/2] samhain: upgrade 4.2.2 -> 4.2.4
Signed-off-by: Yi Zhao --- .../samhain/{samhain-client_4.2.2.bb => samhain-client_4.2.4.bb} | 0 .../samhain/{samhain-server_4.2.2.bb => samhain-server_4.2.4.bb} | 0 .../{samhain-standalone_4.2.2.bb => samhain-standalone_4.2.4.bb} | 0 recipes-security/samhain/samhain.inc | 7 +-- 4 files changed, 5 insertions(+), 2 deletions(-) rename recipes-security/samhain/{samhain-client_4.2.2.bb => samhain-client_4.2.4.bb} (100%) rename recipes-security/samhain/{samhain-server_4.2.2.bb => samhain-server_4.2.4.bb} (100%) rename recipes-security/samhain/{samhain-standalone_4.2.2.bb => samhain-standalone_4.2.4.bb} (100%) diff --git a/recipes-security/samhain/samhain-client_4.2.2.bb b/recipes-security/samhain/samhain-client_4.2.4.bb similarity index 100% rename from recipes-security/samhain/samhain-client_4.2.2.bb rename to recipes-security/samhain/samhain-client_4.2.4.bb diff --git a/recipes-security/samhain/samhain-server_4.2.2.bb b/recipes-security/samhain/samhain-server_4.2.4.bb similarity index 100% rename from recipes-security/samhain/samhain-server_4.2.2.bb rename to recipes-security/samhain/samhain-server_4.2.4.bb diff --git a/recipes-security/samhain/samhain-standalone_4.2.2.bb b/recipes-security/samhain/samhain-standalone_4.2.4.bb similarity index 100% rename from recipes-security/samhain/samhain-standalone_4.2.2.bb rename to recipes-security/samhain/samhain-standalone_4.2.4.bb diff --git a/recipes-security/samhain/samhain.inc b/recipes-security/samhain/samhain.inc index db96264..e127e91 100644 --- a/recipes-security/samhain/samhain.inc +++ b/recipes-security/samhain/samhain.inc 
@@ -19,8 +19,11 @@ SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ file://samhain.service \ " -SRC_URI[md5sum] = "f499d5d06bfd1d787073a45bf28dd60f" -SRC_URI[sha256sum] = "0f3e64afb3f00064c9b136d34a72d580cd41248c5941eba0452f364a109003c7" +SRC_URI[md5sum] = "08863fad583acc7293ef29b4528c837e" +SRC_URI[sha256sum] = "0cd779b3666264e1f370f7ec37891f680b4caa04895fab8c5aa9a52e41ec885d" + +UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html; +UPSTREAM_CHECK_REGEX = "samhain_signed-(?P(\d+(\.\d+)+))\.tar" S = "${WORKDIR}/samhain-${PV}" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
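Review bot: The tarball for the new version is still fetched from `http://la-samhna.de/archive/...` (visible in the hunk header), while the added `UPSTREAM_CHECK_URI` already uses `https://www.la-samhna.de`. The pinned sha256sum protects later builds, but whoever refreshes the checksums on an upgrade is trusting whatever the plain-HTTP download returned at that moment. If the archive path is served over TLS, switching SRC_URI to it would be a cheap improvement. As far as I know the `samhain_signed` wrapper also ships a detached signature for the inner tarball, which could be verified before pinning, with a comment next to the checksums saying so. The SRC_URI assignment itself starts above the hunk.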
[yocto] [meta-selinux][PATCH 2/2] policycoreutils: add PACKAGECONFIG for libpam, audit
From: Wenzong Fan * make pam and audit support configurable; * remove INITDIR from EXTRA_OEMAKE, the variable is not supported now. Signed-off-by: Wenzong Fan Signed-off-by: Yi Zhao --- recipes-security/selinux/policycoreutils.inc | 21 ++--- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc index 7825a6c..b7cb510 100644 --- a/recipes-security/selinux/policycoreutils.inc +++ b/recipes-security/selinux/policycoreutils.inc @@ -21,8 +21,6 @@ DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}" inherit selinux pythonnative -DEPENDS += "${@target_selinux(d, 'libpam audit')}" - RDEPENDS_${BPN}-fixfiles += "\ ${BPN}-setfiles \ grep \ @@ -118,11 +116,20 @@ export STAGING_LIBDIR export BUILD_SYS export HOST_SYS -AUDITH="`ls ${STAGING_INCDIR}/libaudit.h >/dev/null 2>&1 && echo /usr/include/libaudit.h `" -PAMH="`ls ${STAGING_INCDIR}/security/pam_appl.h >/dev/null 2>&1 && echo /usr/include/security/pam_appl.h `" -EXTRA_OEMAKE += "${@target_selinux(d, 'PAMH=${PAMH} AUDITH=${AUDITH}', 'PAMH= AUDITH= ')} INOTIFYH=n" -EXTRA_OEMAKE += "PREFIX=${D}" -EXTRA_OEMAKE += "INITDIR=${D}/etc/init.d" +PACKAGECONFIG_class-target ?= "\ +${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} \ +audit \ +" + +PACKAGECONFIG[libpam] = ",,libpam," +PACKAGECONFIG[audit] = ",,audit," + +EXTRA_OEMAKE += "\ +${@bb.utils.contains('PACKAGECONFIG', 'libpam', 'PAMH=y', 'PAMH=', d)} \ +${@bb.utils.contains('PACKAGECONFIG', 'audit', 'AUDITH=y', 'AUDITH=', d)} \ +INOTIFYH=n \ +PREFIX=${D} \ +" BBCLASSEXTEND = "native" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
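Review bot: The new `PACKAGECONFIG_class-target` default enables `audit` unconditionally and `libpam` only when `pam` is in DISTRO_FEATURES, but nothing in the recipe says what a build loses when either is switched off. As far as I recall from the upstream Makefiles, `PAMH` and `AUDITH` select PAM authentication and audit logging in newrole and run_init, so these are security-relevant switches rather than plain dependency toggles. A comment above the defaults would do, for example `# libpam/audit: PAM auth and audit records in newrole/run_init; disable only deliberately`. The removed `DEPENDS` line gated both on `target_selinux(d, ...)`; whether dropping that gate is intended is worth stating in the commit message.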
[yocto] [meta-selinux][PATCH 1/2] selinux-python: fix installed-vs-shipped QA errors
From: Wenzong Fan Fix the QA errors when enable multilib: ERROR: selinux-python-2.7-r0 do_package: QA Issue: selinux-python: Files/directories were installed but not shipped in any package: /usr/lib /usr/lib/python2.7 /usr/lib/python2.7/site-packages /usr/lib/python2.7/site-packages/sepolicy-1.1.egg-info [snip] Signed-off-by: Wenzong Fan Signed-off-by: Yi Zhao --- recipes-security/selinux/selinux-python.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes-security/selinux/selinux-python.inc b/recipes-security/selinux/selinux-python.inc index 55060e3..2a5d657 100644 --- a/recipes-security/selinux/selinux-python.inc +++ b/recipes-security/selinux/selinux-python.inc @@ -102,6 +102,7 @@ FILES_${PN} += "\ EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a" do_install() { oe_runmake DESTDIR=${D} \ +LIBDIR="${D}${libdir}" \ PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \ install } -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
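Review bot: The added `LIBDIR="${D}${libdir}"` carries the staging prefix while the same call also passes `DESTDIR=${D}` and a `PYTHONLIBDIR` without it, so the three variables follow two different conventions. The fix implies that this release's Makefile does not prepend `$(DESTDIR)` to `$(LIBDIR)`; if a later release does, files would land under a doubled `${D}` path and the installed-vs-shipped QA error would return in another form. A comment on the new line such as `# LIBDIR carries ${D} because this Makefile does not apply DESTDIR to it; recheck on uprev` would flag that for the next version bump. Which files are installed through LIBDIR is not visible in this hunk.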
[yocto] [meta-selinux][resend][PATCH 0/2] meta-selinux fixes
Rebase and resend Wenzong's meta-selinux patches Wenzong Fan (2): selinux-python: fix installed-vs-shipped QA errors policycoreutils: add PACKAGECONFIG for libpam, audit recipes-security/selinux/policycoreutils.inc | 21 ++--- recipes-security/selinux/selinux-python.inc | 1 + 2 files changed, 15 insertions(+), 7 deletions(-) -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [meta-selinux][PATCH] libselinux: python-importlib is now part of python*-core
在 2018年05月15日 00:09, Joe MacDonald 写道: [Re: [yocto] [meta-selinux][PATCH] libselinux: python-importlib is now part of python*-core] On 18.05.14 (Mon 10:05) Mark Hatle wrote: On 5/11/18 1:19 PM, Rudolf J Streif wrote: Thank you, Mark. Much appreciated and understood. Would you be open to tagging the layer for rocko to the right commit and applying the patches sent to the mailing list by Armin and Kai to master so that we have known points to move forward? I'm going to try to sync with Joe later today. I'll make sure that we branch rocko.. If Joe can't get to the sumo work this week, I'll do my best to get it done. Yeah, just keep everyone in the loop on this, Mark and I will coordinate, I anticipate having the current meta-selinux queue cleaned up this week. I followed up last week to Armin indicating that I was working on this, but as I'm sure anyone building meta-selinux right now already knows, things are not happy there and corrective measures are kind of involved. As for longer-term maintenance, meta-selinux and SELinux in general is of particular interest to me personally, but much like Mark, I haven't has as much time for the layer as it deserves lately, so if anyone wants to volunteer to help out with it, by all means, let us know. Hi Joe, Mark and Philip I'm interested in this and want to volunteer to help the meta-selinux maintenance. I have enough time to review and test the patches. There are some pending patches from Wenzong which can not be merged into master. Currently I'm working on them and will re-send them. Thanks, Yi Thanks, -J. --Mark Thank you, Rudi On 05/11/2018 10:45 AM, Mark Hatle wrote: On 5/11/18 12:28 PM, Rudolf J Streif wrote: Echoing this: may I ask what the current maintenance status of meta-selinux is. It appears that no updates have been made for more than 9 months. This is of course not to blame anybody but out of concern that the layer is falling behind even more and to find a solution. 
The answer is the current set of people are horribly overworked and busy, so day-to-day updates have been 'sparse'. Usually we update meta-selinux about the time of a release, and thus are due. The last update of meta-selinux was about the time of the Rocko release, so what is in master is definitely current as of Rocko. (I did the last set of updates -- so I know it did work as of Rocko release.) The master needs to be branched as Rocko... master needs to be updated to be Sumo compatible. My assumption is that once Sumo is formally released (any minute now), we'll collection all of the patches and get them into place and spend some time cleaning them up... It looks like Joe is already working through this effort. (Only speaking for myself,) I don't have time to do day-to-day maintenance of meta-selinux any longer -- nor do I have the indepth knowledge to understand when not to do something. I filled this role purely out of necessity since nobody else was doing it. So with that said, if anyone wants to help, we're all open for help here... I doubt there would be any objection to adding or replacing existing maintainers and/or giving more people push access. In addition to Armin's patches there are two patches submitted by Kai Kang at Windriver: * https://lists.yoctoproject.org/pipermail/yocto/2018-February/039917.html * https://lists.yoctoproject.org/pipermail/yocto/2018-February/039918.html Curiously enough, the second patch has been applied to master but not the first one. There is also an issue with building SELinux with systemd. The layer enables auditing: meta-selinux/classes/enable-audit.bbclass:PACKAGECONFIG[audit] = "--enable-audit,--disable-audit,audit," meta-selinux/recipes-core/systemd/systemd_%.bbappend:inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-audit', '', d)} Apparently the --enable-audit switch is passed to meson when running the configure task, which meson does not appreciate. 
I am not that familiar with the audit feature nor with meson, so I currently have no idea on how to fix this the right way. audit feature is useful outside of selinux, so my understanding was that audit itself was moving into core during the sumo time frame (if it hadn't already been moved.) I don't know anything about meson, so I can't speak to that... Further, refpolicy_git does not build anymore as the YP specific patches do not apply anymore since upstream changed. The refpolicy is and has always been crap. I've been talking to a few people on IRC about working to replace the refpolicy with a policy that can be generated dynamically based on the contents of the recipes. I don't know if that is really going to happen, but I hate the way it's currently implemented. One of the key issues about the refpolicy is that you need to be an expert at this (which I never claimed to be) in order to make any reasonable decision -- add to that any specific policy needs to understand overall system design, and I wouldn't trust any
[yocto] [meta-selinux][PATCH 2/2] libcgroup: replace _virtclass-native with _class-native
The _virtclass-native is obsolete. Replace it with _class-native. Signed-off-by: Yi Zhao --- recipes-core/libcgroup/libcgroup_selinux.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-core/libcgroup/libcgroup_selinux.inc b/recipes-core/libcgroup/libcgroup_selinux.inc index f81188f..9d9ebfc 100644 --- a/recipes-core/libcgroup/libcgroup_selinux.inc +++ b/recipes-core/libcgroup/libcgroup_selinux.inc @@ -1,4 +1,4 @@ -EXTRA_OECONF_virtclass-native = "--enable-pam=no" +EXTRA_OECONF_append_class-native = " --enable-pam=no" do_install_append() { test ! -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 || { -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
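Review bot: Besides renaming the override, this line changes the operator from `=` to `_append`, so native builds now keep the base `EXTRA_OECONF` and add `--enable-pam=no` instead of replacing the whole option list. The commit message only mentions the rename. If the change is intended (probably, so that the include does not wipe options set by the main recipe), the description should say so, for example `Use _append so options from the main recipe are kept.` The leading space that `_append` needs inside the quoted value is present. do_install_append continues below the hunk.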
[yocto] [meta-selinux][PATCH 1/2] policycoreutils: replace _virtclass-native with _class-native
The _virtclass-native is obsolete and replaced by _class-native. In recent oe-core commit c5aa33ac483618bc23fbaccb0a18853186f9155d the _virtclass-native override was dropped entirely which caused refpolicy-mls do_install failed: libsemanage.get_home_dirs: Error while fetching users. Returning list so far. libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1. (No such file or directory). Signed-off-by: Yi Zhao --- recipes-security/selinux/policycoreutils.inc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc index 1842fd8..7825a6c 100644 --- a/recipes-security/selinux/policycoreutils.inc +++ b/recipes-security/selinux/policycoreutils.inc @@ -128,7 +128,7 @@ BBCLASSEXTEND = "native" PCU_NATIVE_CMDS = "setfiles semodule hll" -do_compile_virtclass-native() { +do_compile_class-native() { for PCU_CMD in ${PCU_NATIVE_CMDS} ; do oe_runmake -C $PCU_CMD \ INCLUDEDIR='${STAGING_INCDIR}' \ @@ -136,7 +136,7 @@ do_compile_virtclass-native() { done } -sysroot_stage_dirs_append_virtclass-native() { +sysroot_stage_dirs_append_class-native() { cp -R $from/${prefix}/libexec $to/${prefix}/libexec } @@ -153,7 +153,7 @@ do_install_prepend() { export SEMODULE_PATH=${sbindir} SYSTEMDDIR=${D}/${systemd_unitdir} } -do_install_virtclass-native() { +do_install_class-native() { for PCU_CMD in ${PCU_NATIVE_CMDS} ; do oe_runmake -C $PCU_CMD install \ DESTDIR="${D}" \ -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-selinux][PATCH 3/3] selinux-python: refresh patches to fix QA warning
Refresh patches with devtool command to fix do_patch warning Signed-off-by: Yi Zhao --- .../fix-TypeError-for-seobject.py.patch | 17 + .../selinux-python/fix-sepolicy-install-path.patch | 21 - .../process-ValueError-for-sepolicy-seobject.patch | 12 +--- 3 files changed, 26 insertions(+), 24 deletions(-) diff --git a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch b/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch index 993ff7e..62cdeee 100644 --- a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch +++ b/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch @@ -1,4 +1,4 @@ -From a66c50c0e8cd3799fc2819835b872ab62419f684 Mon Sep 17 00:00:00 2001 +From 98c2944ffa3e35095187e1df9ff33498bbd0fa54 Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Tue, 1 Apr 2014 02:53:36 -0400 Subject: [PATCH] policycoreutils: fix TypeError for seobject.py @@ -7,18 +7,19 @@ File "/usr/lib64/python2.7/site-packages/seobject.py", line 109, in log message += " sename=" + sename TypeError: cannot concatenate 'str' and 'NoneType' objects -Uptream-Status: pending +Uptream-Status: Pending Signed-off-by: Wenzong Fan + --- - semanage/seobject.py |2 +- + semanage/seobject.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: policycoreutils-2.5/semanage/seobject.py -=== policycoreutils-2.5.orig/semanage/seobject.py 2016-02-25 13:41:38.035974459 -0500 -+++ policycoreutils-2.5/semanage/seobject.py 2016-02-25 13:43:42.075974072 -0500 -@@ -121,7 +121,7 @@ +diff --git a/semanage/seobject.py b/semanage/seobject.py +index 70fd192..23ab77e 100644 +--- a/semanage/seobject.py b/semanage/seobject.py +@@ -146,7 +146,7 @@ except: def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): message = " %s name=%s" % (msg, name) 
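Review bot: The refreshed header still spells the tag `Uptream-Status`, so this hunk only changes `pending` to `Pending` and leaves the tag name misspelled. fix-sepolicy-install-path.patch in the next file section adds the same misspelled tag as a new line. Tooling that looks for an `Upstream-Status:` tag in patch headers will treat both patches as untagged. Since the patches were being regenerated anyway, I would write `Upstream-Status: Pending` in both.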
diff --git a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch index 617908a..1d54231 100644 --- a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch +++ b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch @@ -1,18 +1,24 @@ +From 69e8697cd2ae48710ff8190bad3e61d2fd115b99 Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Mon, 23 Sep 2013 21:17:59 +0800 Subject: [PATCH] policycoreutils: fix install path for new pymodule sepolicy +Uptream-Status: Pending + Signed-off-by: Xin Ouyang Signed-off-by: Wenzong Fan + --- - sepolicy/Makefile |4 +++- + sepolicy/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sepolicy/Makefile b/sepolicy/Makefile -index 2b8716c..70f4bdd 100644 +index 5a56e6c..82c3e36 100644 --- a/sepolicy/Makefile +++ b/sepolicy/Makefile -@@ -12,6 +12,8 @@ BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions - SHAREDIR ?= $(PREFIX)/share/sandbox - override CFLAGS = -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W -DSHARED -shared +@@ -12,6 +12,8 @@ SHAREDIR ?= $(PREFIX)/share/sandbox + CFLAGS ?= -Wall -Werror -Wextra -W + override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared +PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]') + @@ -20,7 +26,7 @@ index 2b8716c..70f4bdd 100644 all: python-build @@ -30,7 +32,7 @@ test: - @python test_sepolicy.py -v + @$(PYTHON) test_sepolicy.py -v install: - $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` @@ -28,6 +34,3 @@ index 2b8716c..70f4bdd 100644 [ -d $(BINDIR) ] || mkdir -p $(BINDIR) install -m 755 sepolicy.py $(BINDIR)/sepolicy (cd $(BINDIR); ln -sf sepolicy sepolgen) --- -1.7.9.5 - 
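Review bot: The `PYLIBVER` default carried in the first hunk of fix-sepolicy-install-path.patch still runs bare `python` with a Python 2 print statement, while the install and test rules in the same Makefile use `$(PYTHON)`. Under a Python 3 interpreter that command is a syntax error, so `PYLIBVER` would expand to an empty string. Bare `python` also resolves to whatever is first on the build host's PATH, which may not be the interpreter the recipe intends. Since the refresh already touches this patch, I would change the line to `PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])')`. The assignment is `?=`, so the recipe may already override it; that is not visible in this hunk.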
diff --git a/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch b/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch index 1929aa5..b0bcd1d 100644 --- a/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch +++ b/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch @@ -1,4 +1,4 @@ -From b8e07bd0643b581ac33c96a1f94ae17c8df80ffd Mon Sep 17 00:00:00 2001 +From 1a8bd0ca13746b5241af5736dee9a25ab360652b Mon Sep 17 00:00:00 2001 From: Wenzong Fan Date: Sun, 30 Mar 2014 22:25:59 -0400 Subject: [PATCH] semanage: process ValueError for sepolicy, seobject @@ -7,15 +7,16 @@ The sepolicy, seobject modules raise many unprocessed ValueError, just process them in semanage to make the script proivdes er