[yocto] [meta-selinux][PATCH 19/19] audit: switch to python3

2019-11-13 Thread Yi Zhao
* Switch to python3

* Drop patches:
  audit-python-configure.patch
  audit-python.patch
  fix-swig-host-contamination.patch

Signed-off-by: Yi Zhao 
---
 .../audit/audit/audit-python-configure.patch  | 46 -
 .../audit/audit/audit-python.patch| 64 ---
 .../audit/fix-swig-host-contamination.patch   | 56 
 recipes-security/audit/audit_2.8.5.bb | 11 ++--
 4 files changed, 4 insertions(+), 173 deletions(-)
 delete mode 100644 recipes-security/audit/audit/audit-python-configure.patch
 delete mode 100644 recipes-security/audit/audit/audit-python.patch
 delete mode 100644 
recipes-security/audit/audit/fix-swig-host-contamination.patch

diff --git a/recipes-security/audit/audit/audit-python-configure.patch 
b/recipes-security/audit/audit/audit-python-configure.patch
deleted file mode 100644
index 37096b0..000
--- a/recipes-security/audit/audit/audit-python-configure.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 6a2710db094061e1956fac3ed81114d0e958ea21 Mon Sep 17 00:00:00 2001
-From: Li xin 
-Date: Sun, 19 Jul 2015 00:49:13 +0900
-Subject: [PATCH] audit: python cross-compile
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Xin Ouyang 
-Signed-off-by: Li Xin 
-Signed-off-by: Wenzong Fan 
-Signed-off-by: T.O. Radzy Radzykewycz 

- configure.ac | 17 ++---
- 1 file changed, 2 insertions(+), 15 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 6e345f1..54bdbf1 100644
 a/configure.ac
-+++ b/configure.ac
-@@ -99,21 +99,8 @@ if test "x$use_python" = xno ; then
- else
- AC_MSG_RESULT(testing)
- AM_PATH_PYTHON
--PYINCLUDEDIR=`python${am_cv_python_version} -c "from distutils import 
sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"`
--if test -f ${PYINCLUDEDIR}/Python.h ; then
--  python_found="yes"
--  AC_SUBST(PYINCLUDEDIR)
--  pybind_dir="python"
--  AC_SUBST(pybind_dir)
--  AC_MSG_NOTICE(Python bindings will be built)
--else
--  python_found="no"
--  if test "x$use_python" = xyes ; then
--  AC_MSG_ERROR([Python explicitly requested and python headers 
were not found])
--  else
--  AC_MSG_WARN("Python headers not found - python bindings will 
not be made")
--  fi
--fi
-+python_found="yes"
-+AC_MSG_NOTICE(Python bindings will be built)
- fi
- AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes")
- 
--- 
-2.7.4
-
diff --git a/recipes-security/audit/audit/audit-python.patch 
b/recipes-security/audit/audit/audit-python.patch
deleted file mode 100644
index c1a2595..000
--- a/recipes-security/audit/audit/audit-python.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 9d95d7e28a2c4cbefa998d375de180c731a151b1 Mon Sep 17 00:00:00 2001
-From: Li xin 
-Date: Sun, 19 Jul 2015 01:40:48 +0900
-Subject: [PATCH] Remove hard coded python include directory
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Mark Hatle 

- bindings/Makefile.am| 8 +++-
- bindings/python/python2/Makefile.am | 3 ++-
- bindings/swig/python/Makefile.am| 5 +++--
- 3 files changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/bindings/Makefile.am b/bindings/Makefile.am
-index 5b5c576..7a15205 100644
 a/bindings/Makefile.am
-+++ b/bindings/Makefile.am
-@@ -22,4 +22,10 @@
- 
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- 
--SUBDIRS = python golang swig
-+SUBDIRS = swig
-+if HAVE_PYTHON
-+SUBDIRS += python
-+endif
-+if HAVE_GOLANG
-+SUBDIRS += golang
-+endif
-diff --git a/bindings/python/python2/Makefile.am 
b/bindings/python/python2/Makefile.am
-index 1dcb5bc..6226358 100644
 a/bindings/python/python2/Makefile.am
-+++ b/bindings/python/python2/Makefile.am
-@@ -23,7 +23,8 @@
- 
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing
--AM_CPPFLAGS = -I$(top_builddir) -I@PYINCLUDEDIR@
-+PYINC ?= /usr/include/python$(PYTHON_VERSION)
-+AM_CPPFLAGS = -I$(top_builddir) -I${PYINC}
- 
- pyexec_LTLIBRARIES = auparse.la
- 
-diff --git a/bindings/swig/python/Makefile.am 
b/bindings/swig/python/Makefile.am
-index 8c98b94..ae7c52b 100644
 a/bindings/swig/python/Makefile.am
-+++ b/bindings/swig/python/Makefile.am
-@@ -21,9 +21,10 @@
- #
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing
--AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I@PYINCLUDEDIR@
-+PYINC ?= /usr/include/$(PYLIBVER)
-+AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC}
- SWIG_FLAGS = -python
--SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I@PYINCLUDEDIR@
-+SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC}
- pyexec_PYTHON = audit.py
- pyexec_LTLIBRARIES = _audit.la
- pyexec_SOLIBRARIES = _audit.so
--- 
-2.7.4
-
diff --git a/recipes-security/audit/audit/fix-swig-host-contamination.patch 
b/recipes-security/audit/audit/fix-swig-host-contamination.patch
d

[yocto] [meta-selinux][PATCH 18/19] setools: upgrade 4.1.1 -> 4.2.2

2019-11-13 Thread Yi Zhao
* Switch to python3

* Drop patches:
  Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
  setools4-fix-cross-compiling-errors-for-powerpc-mips.patch

Signed-off-by: Yi Zhao 
---
 ...e-with-GCC-7-due-to-possible-truncat.patch | 105 --
 ...ss-compiling-errors-for-powerpc-mips.patch |  35 --
 .../setools4-fixes-for-cross-compiling.patch  |  34 +++---
 .../{setools_4.1.1.bb => setools_4.2.2.bb}|  14 +--
 4 files changed, 19 insertions(+), 169 deletions(-)
 delete mode 100644 
recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
 delete mode 100644 
recipes-security/setools/setools/setools4-fix-cross-compiling-errors-for-powerpc-mips.patch
 rename recipes-security/setools/{setools_4.1.1.bb => setools_4.2.2.bb} (61%)

diff --git 
a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
 
b/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
deleted file mode 100644
index a5af041..000
--- 
a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-Upstream-Status: Backport 
[https://github.com/TresysTechnology/setools/commit/e41adf0]
-
-Signed-off-by: Kai Kang 
-
-From e41adf01647c695b80b112b337e76021bb9f30c3 Mon Sep 17 00:00:00 2001
-From: Laurent Bigonville 
-Date: Tue, 26 Sep 2017 15:15:30 +0200
-Subject: [PATCH] Fix build failure with GCC 7 due to possible truncation of
- snprintf output
-
-setools fails to build under GCC7 -Wformat -Werror with the following error:
-
-x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall 
-Wstrict-prototypes -g -O2 -fdebug-prefix-map=/<>=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wno-sign-compare 
-Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibqpol -Ilibqpol/include 
-I/usr/include/python3.6m -c libqpol/policy_extend.c -o 
build/temp.linux-amd64-3.6/libqpol/policy_extend.o -Werror -Wextra 
-Waggregate-return -Wfloat-equal -Wformat -Wformat=2 -Winit-self 
-Wmissing-format-attribute -Wmissing-include-dirs -Wnested-externs 
-Wold-style-definition -Wpointer-arith -Wredundant-decls -Wstrict-prototypes 
-Wunknown-pragmas -Wwrite-strings -Wno-missing-field-initializers 
-Wno-unused-parameter -Wno-cast-qual -Wno-shadow -Wno-unreachable-code 
-fno-exceptions
-libqpol/policy_extend.c: In function 'policy_extend':
-libqpol/policy_extend.c:161:27: error: '%04zd' directive output may be 
truncated writing between 4 and 10 bytes into a region of size 5 
[-Werror=format-truncation=]
-snprintf(buff, 9, "@ttr%04zd", i + 1);
-   ^
-libqpol/policy_extend.c:161:22: note: directive argument in the range [1, 
4294967295]
-snprintf(buff, 9, "@ttr%04zd", i + 1);
-  ^~~
-
-Increase the size of the buffer to avoid collisions
-
-Closes: https://github.com/TresysTechnology/setools/issues/174
-Signed-off-by: Laurent Bigonville 

- libqpol/policy_extend.c | 16 
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/libqpol/policy_extend.c b/libqpol/policy_extend.c
-index 742819b..739e184 100644
 a/libqpol/policy_extend.c
-+++ b/libqpol/policy_extend.c
-@@ -110,7 +110,7 @@ static int qpol_policy_remove_bogus_aliases(qpol_policy_t 
* policy)
-  *  Builds data for the attributes and inserts them into the policydb.
-  *  This function modifies the policydb. Names created for attributes
-  *  are of the form @ttr where value is the value of the attribute
-- *  as a four digit number (prepended with 0's as needed).
-+ *  as a ten digit number (prepended with 0's as needed).
-  *  @param policy The policy from which to read the attribute map and
-  *  create the type data for the attributes. This policy will be altered
-  *  by this function.
-@@ -125,7 +125,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t 
* policy)
-   uint32_t bit = 0, count = 0;
-   ebitmap_node_t *node = NULL;
-   type_datum_t *tmp_type = NULL, *orig_type;
--  char *tmp_name = NULL, buff[10];
-+  char *tmp_name = NULL, buff[16];
-   int error = 0, retv;
- 
-   INFO(policy, "%s", "Generating attributes for policy. (Step 4 of 5)");
-@@ -137,7 +137,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t 
* policy)
- 
-   db = >p->p;
- 
--  memset(, 0, 10 * sizeof(char));
-+  memset(, 0, 16 * sizeof(char));
- 
-   for (i = 0; i < db->p_types.nprim; i++) {
-   /* skip types */
-@@ -158,7 +158,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t 
* policy)
-* with this attribute */
-   /* Does not exist */
-   if (db->p_type_val_to_name[i] == NULL){
--  snprintf(buff, 9, "@ttr%04zd", i + 1);
-+  snprintf(buff, 15, "@ttr%010zd", i + 1);

[yocto] [meta-selinux][PATCH 15/19] selinux-gui: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-gui.inc| 2 +-
 recipes-security/selinux/selinux-gui_2.8.bb | 7 ---
 recipes-security/selinux/selinux-gui_2.9.bb | 7 +++
 3 files changed, 8 insertions(+), 8 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-gui_2.8.bb
 create mode 100644 recipes-security/selinux/selinux-gui_2.9.bb

diff --git a/recipes-security/selinux/selinux-gui.inc 
b/recipes-security/selinux/selinux-gui.inc
index 1096f3f..725eb23 100644
--- a/recipes-security/selinux/selinux-gui.inc
+++ b/recipes-security/selinux/selinux-gui.inc
@@ -6,7 +6,7 @@ Policy Generation Tool (selinux-polgengui)"
 SECTION = "base"
 LICENSE = "GPLv2+"
 
-RDEPENDS_${PN} += "python"
+RDEPENDS_${PN} += "python3-core"
 
 FILES_${PN} += " \
 ${datadir}/system-config-selinux/* \
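Review bot: `RDEPENDS_${PN}` now names only `python3-core`, the interpreter core split, while the package ships everything under `${datadir}/system-config-selinux/*`. If any of those scripts import a module packaged outside that split, nothing visible in this hunk would catch it at build time, and it would surface only as an ImportError on the target. Listing the required python3 splits explicitly, or adding a comment such as `# scripts need only the interpreter core; GUI bindings come from <dependency>` once that is confirmed, would make the dependency set reviewable. The selinux-dbus.inc hunk in PATCH 13/19 sets the same single python3 split and deserves the same check.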
diff --git a/recipes-security/selinux/selinux-gui_2.8.bb 
b/recipes-security/selinux/selinux-gui_2.8.bb
deleted file mode 100644
index 2c0fcd8..000
--- a/recipes-security/selinux/selinux-gui_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "52000c14ffa86840220915bd1d777845"
-SRC_URI[sha256sum] = 
"17acd3004f01f92b288cc1322317d7964f5039fb26ba1542b6713a7147a2351d"
diff --git a/recipes-security/selinux/selinux-gui_2.9.bb 
b/recipes-security/selinux/selinux-gui_2.9.bb
new file mode 100644
index 000..0bb051c
--- /dev/null
+++ b/recipes-security/selinux/selinux-gui_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "1bfe5eeb861f8563a7b397ab8530ab52"
+SRC_URI[sha256sum] = 
"bbd9e1799cc0c22d64c815c3033a54393f6f84947ff2841a4df60ded5eee0510"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 13/19] selinux-dbus: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-dbus.inc| 2 +-
 recipes-security/selinux/selinux-dbus_2.8.bb | 7 ---
 recipes-security/selinux/selinux-dbus_2.9.bb | 7 +++
 3 files changed, 8 insertions(+), 8 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-dbus_2.8.bb
 create mode 100644 recipes-security/selinux/selinux-dbus_2.9.bb

diff --git a/recipes-security/selinux/selinux-dbus.inc 
b/recipes-security/selinux/selinux-dbus.inc
index 1b66136..62e45b7 100644
--- a/recipes-security/selinux/selinux-dbus.inc
+++ b/recipes-security/selinux/selinux-dbus.inc
@@ -5,7 +5,7 @@ Provide SELinux dbus service files and scripts."
 SECTION = "base"
 LICENSE = "GPLv2+"
 
-RDEPENDS_${PN} += "python selinux-python-sepolicy"
+RDEPENDS_${PN} += "python3-core selinux-python-sepolicy"
 
 FILES_${PN} += "\
 ${datadir}/system-config-selinux/selinux_server.py \
diff --git a/recipes-security/selinux/selinux-dbus_2.8.bb 
b/recipes-security/selinux/selinux-dbus_2.8.bb
deleted file mode 100644
index 5091624..000
--- a/recipes-security/selinux/selinux-dbus_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "23f0264df3ed123904a17d71f2a5b325"
-SRC_URI[sha256sum] = 
"3339cb9cd77579bab6158afc054409c3bf952e282ef957ea732b19c9f4697bc6"
diff --git a/recipes-security/selinux/selinux-dbus_2.9.bb 
b/recipes-security/selinux/selinux-dbus_2.9.bb
new file mode 100644
index 000..ab00ffc
--- /dev/null
+++ b/recipes-security/selinux/selinux-dbus_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "e403f9745fad67aae5903909572ca5b8"
+SRC_URI[sha256sum] = 
"ac54cecdea6a88b4a818981ac82654d054a3c5232b1b282ebf7418c3e350cc7a"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 14/19] selinux-sandbox: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3
* Rebase patch

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-sandbox.inc   | 10 --
 .../selinux/selinux-sandbox/sandbox-de-bashify.patch   |  9 +
 recipes-security/selinux/selinux-sandbox_2.8.bb|  7 ---
 recipes-security/selinux/selinux-sandbox_2.9.bb|  7 +++
 4 files changed, 16 insertions(+), 17 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-sandbox_2.8.bb
 create mode 100644 recipes-security/selinux/selinux-sandbox_2.9.bb

diff --git a/recipes-security/selinux/selinux-sandbox.inc 
b/recipes-security/selinux/selinux-sandbox.inc
index 854640c..c8e335a 100644
--- a/recipes-security/selinux/selinux-sandbox.inc
+++ b/recipes-security/selinux/selinux-sandbox.inc
@@ -13,12 +13,10 @@ SRC_URI += "file://sandbox-de-bashify.patch \
 DEPENDS += "libcap-ng libselinux"
 
 RDEPENDS_${PN} += "\
-python-core \
-python-math \
-python-shell \
-python-subprocess \
-python-textutils \
-python-unixadmin \
+python3-core \
+python3-math \
+python3-shell \
+python3-unixadmin \
 libselinux-python \
 selinux-python \
 "
diff --git a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch 
b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
index 18cef4b..e9622f0 100644
--- a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
+++ b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
@@ -1,4 +1,4 @@
-From d3e778e0062ca441c80e2a3ef2b508f5566e1f70 Mon Sep 17 00:00:00 2001
+From b92c39f0be5552c19923f75aef4487348a08b7dc Mon Sep 17 00:00:00 2001
 From: Joe MacDonald 
 Date: Fri, 20 Feb 2015 21:07:47 -0500
 Subject: [PATCH] sandbox: de-bashify
@@ -10,9 +10,10 @@ Upstream-Status: Pending
 
 Signed-off-by: Joe MacDonald 
 Signed-off-by: Wenzong Fan 
+Signed-off-by: Yi Zhao 
 ---
- sandbox/sandbox.init | 2 +-
- sandbox/sandboxX.sh  | 2 +-
+ sandbox.init | 2 +-
+ sandboxX.sh  | 2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sandbox.init b/sandbox.init
@@ -36,5 +37,5 @@ index eaa500d..8755d75 100644
  context=`id -Z | secon -t -l -P`
  export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut 
-b8-80`"
 -- 
-1.9.1
+2.7.4
 
diff --git a/recipes-security/selinux/selinux-sandbox_2.8.bb 
b/recipes-security/selinux/selinux-sandbox_2.8.bb
deleted file mode 100644
index 1eb6c2d..000
--- a/recipes-security/selinux/selinux-sandbox_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "957f5d0fc7724f93f502d1d632568894"
-SRC_URI[sha256sum] = 
"025f84f76e07b7bfc9ba1e9215f4ddb646d41a2e935a65e07560feaa6fc20ef3"
diff --git a/recipes-security/selinux/selinux-sandbox_2.9.bb 
b/recipes-security/selinux/selinux-sandbox_2.9.bb
new file mode 100644
index 000..b1dd462
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "3482b8fa6648160e97ba48ad26f84e7d"
+SRC_URI[sha256sum] = 
"01915f57f08642751dea550a87f82a6f2fcec754be48dcfa28266c14bd044262"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 16/19] semodule-utils: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/semodule-utils_2.8.bb | 7 ---
 recipes-security/selinux/semodule-utils_2.9.bb | 7 +++
 2 files changed, 7 insertions(+), 7 deletions(-)
 delete mode 100644 recipes-security/selinux/semodule-utils_2.8.bb
 create mode 100644 recipes-security/selinux/semodule-utils_2.9.bb

diff --git a/recipes-security/selinux/semodule-utils_2.8.bb 
b/recipes-security/selinux/semodule-utils_2.8.bb
deleted file mode 100644
index c56f776..000
--- a/recipes-security/selinux/semodule-utils_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "51c69e612481ce971e2ae825139d2ca0"
-SRC_URI[sha256sum] = 
"44f59c13070c637440b143ceab4dfe1efb9018b1e47828dd8789def74c1ccadf"
diff --git a/recipes-security/selinux/semodule-utils_2.9.bb 
b/recipes-security/selinux/semodule-utils_2.9.bb
new file mode 100644
index 000..a9c0fbd
--- /dev/null
+++ b/recipes-security/selinux/semodule-utils_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "9e7e6afe33459cae2de5360e97f1e702"
+SRC_URI[sha256sum] = 
"8083679ee634570f6e9a18632f2c2862b9134fa308b689b2e1952a369ae5d907"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 17/19] selinux-init: fix build error when enable usrmerge feature

2019-11-13 Thread Yi Zhao
Fix the following error when the usrmerge feature is enabled:

ERROR: selinux-init-0.1-r0 do_package: QA Issue: selinux-init:
Files/directories were installed but not shipped in any package:
  /usr
Please set FILES such that these items are packaged. Alternatively if
they are unneeded, avoid installing them or delete them within
do_install.
selinux-init: 1 installed and not shipped files. [installed-vs-shipped]

We don't need to install systemd service file when systemd feature is
not enabled.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-initsh.inc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/recipes-security/selinux/selinux-initsh.inc 
b/recipes-security/selinux/selinux-initsh.inc
index 8e31cda..f27750d 100644
--- a/recipes-security/selinux/selinux-initsh.inc
+++ b/recipes-security/selinux/selinux-initsh.inc
@@ -27,10 +27,9 @@ do_install () {
   -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
   ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
 
-   install -d ${D}${systemd_unitdir}/system
-   install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service 
${D}${systemd_unitdir}/system
-
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', 
d)}; then
+   install -d ${D}${systemd_unitdir}/system
+   install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service 
${D}${systemd_unitdir}/system
install -d ${D}${bindir}
install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh 
${D}${bindir}
sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
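Review bot: The unit-file install now sits inside the `if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ...)}` block, but nothing in do_install records why. A later edit could hoist `install -d ${D}${systemd_unitdir}/system` back out and bring back the installed-vs-shipped QA error quoted in the commit message. A one-line comment above the `if` would pin the intent, e.g. `# Install the unit only when systemd is in DISTRO_FEATURES; otherwise do_package reports /usr as installed-but-not-shipped under usrmerge`. do_install starts before this hunk and continues after it.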
-- 
2.17.1



[yocto] [meta-selinux][PATCH 10/19] mcstrans: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Rebase patches

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/mcstrans.inc |  4 ++--
 .../mcstrans/mcstrans-de-bashify.patch| 23 +++
 ...tch => mcstrans-fix-the-init-script.patch} | 14 +++
 recipes-security/selinux/mcstrans_2.8.bb  |  7 --
 recipes-security/selinux/mcstrans_2.9.bb  |  7 ++
 5 files changed, 32 insertions(+), 23 deletions(-)
 rename 
recipes-security/selinux/mcstrans/{0001-mcstrans-fix-the-init-script.patch => 
mcstrans-fix-the-init-script.patch} (69%)
 delete mode 100644 recipes-security/selinux/mcstrans_2.8.bb
 create mode 100644 recipes-security/selinux/mcstrans_2.9.bb

diff --git a/recipes-security/selinux/mcstrans.inc 
b/recipes-security/selinux/mcstrans.inc
index 0eb8720..b9c670b 100644
--- a/recipes-security/selinux/mcstrans.inc
+++ b/recipes-security/selinux/mcstrans.inc
@@ -7,7 +7,7 @@ SECTION = "base"
 LICENSE = "GPLv2+"
 
 SRC_URI += "file://mcstrans-de-bashify.patch \
-file://0001-mcstrans-fix-the-init-script.patch \
+file://mcstrans-fix-the-init-script.patch \
 "
 
 inherit systemd update-rc.d
@@ -29,7 +29,7 @@ do_install_append() {
 else
 install -d ${D}${sysconfdir}/default/volatiles
 echo "d root root 0755 /var/run/setrans none" \
->${D}${sysconfdir}/default/volatiles/volatiles.80_mcstrans
+>${D}${sysconfdir}/default/volatiles/80_mcstrans
 fi
 install -d ${D}${datadir}/mcstrans
 cp -r share/* ${D}${datadir}/mcstrans/.
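Review bot: The volatiles file is renamed from `volatiles.80_mcstrans` to `80_mcstrans` in this hunk, but the commit message says only "Rebase patches". Because this changes a path installed on the target, it should be stated in the message or in a short comment above the `echo`, e.g. `# volatiles entry for the /var/run/setrans directory`. do_install_append starts before this hunk and ends after it.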
diff --git a/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch 
b/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
index 805d7e5..27fd677 100644
--- a/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
+++ b/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
@@ -1,21 +1,23 @@
-commit 54875dcb50f5e40fc86d6fe98dde244bfe4751af
-Author: Joe MacDonald 
-Date:   Fri Aug 7 15:16:45 2015 -0400
+From 544b3c078374e5001e7fdc1b7d0b2eafda36f8fe Mon Sep 17 00:00:00 2001
+From: Joe MacDonald 
+Date: Fri, 7 Aug 2015 15:16:45 -0400
+Subject: [PATCH] mcstrans: remove dependency on bash in initscript
 
-mcstrans: remove dependency on bash in initscript
+There were no apparent bashisms in mcstrans.init, so remove the
+dependency on bash.
 
-There were no apparent bashisms in mcstrans.init, so remove the dependency
-on bash.
-
-Signed-off-by: Joe MacDonald 
+Signed-off-by: Joe MacDonald 
 
 Upstream-Status: Pending
 
 Signed-off-by: Wenzong Fan 
+Signed-off-by: Yi Zhao 
 ---
- src/mcstrans.init |2 +-
+ src/mcstrans.init | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
+diff --git a/src/mcstrans.init b/src/mcstrans.init
+index 2804ec0..8b4737d 100644
 --- a/src/mcstrans.init
 +++ b/src/mcstrans.init
 @@ -1,4 +1,4 @@
@@ -24,3 +26,6 @@ Signed-off-by: Wenzong Fan 
  #
  # mcstransdThis starts and stops mcstransd
  #
+-- 
+2.7.4
+
diff --git 
a/recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch 
b/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch
similarity index 69%
rename from 
recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch
rename to recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch
index 5f7163d..79be090 100644
--- a/recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch
+++ b/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch
@@ -1,17 +1,21 @@
-[PATCH] mcstrans: fix the init script
-
-Upstream-Status: Inappropriate [embedded specific]
+From 4d918a9679d2902ca2d41fe769a4d76f07a67b5f Mon Sep 17 00:00:00 2001
+From: Roy Li 
+Date: Wed, 6 Nov 2019 22:13:33 +0800
+Subject: [PATCH] mcstrans: fix the init script
 
 replace daemon with start-stop-daemon, due to not daemon functions
 
+Upstream-Status: Inappropriate [embedded specific]
+
 Signed-off-by: Roy Li 
 Signed-off-by: Wenzong Fan 
+Signed-off-by: Yi Zhao 
 ---
  src/mcstrans.init | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/mcstrans.init b/src/mcstrans.init
-index 2804ec0..c660290 100644
+index 8b4737d..86c89ea 100644
 --- a/src/mcstrans.init
 +++ b/src/mcstrans.init
 @@ -51,7 +51,7 @@ start(){
@@ -24,5 +28,5 @@ index 2804ec0..c660290 100644
echo
if test $RETVAL = 0 ; then
 -- 
-1.9.1
+2.7.4
 
diff --git a/recipes-security/selinux/mcstrans_2.8.bb 
b/recipes-security/selinux/mcstrans_2.8.bb
deleted file mode 100644
index 8923c3c..000
--- a/recipes-security/selinux/mcstrans_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-
-SRC_URI[md5sum] = "3a0edb2a8b6a255199824abd58c0906c"
-SRC_URI[sha256sum] = 
"ec6ea65660550ed6bbd2a834725ba7526ac53599753d7b95072e4afd4afc14e4"
diff --git a/recipes-security/selinux/mcstrans_2.9.bb 
b/recipes-security/selinux/mcstr

[yocto] [meta-selinux][PATCH 09/19] policycoreutils: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/policycoreutils.inc| 16 
 recipes-security/selinux/policycoreutils_2.8.bb |  8 
 recipes-security/selinux/policycoreutils_2.9.bb |  8 
 3 files changed, 12 insertions(+), 20 deletions(-)
 delete mode 100644 recipes-security/selinux/policycoreutils_2.8.bb
 create mode 100644 recipes-security/selinux/policycoreutils_2.9.bb

diff --git a/recipes-security/selinux/policycoreutils.inc 
b/recipes-security/selinux/policycoreutils.inc
index 85ff164..92f7a75 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -19,7 +19,7 @@ DEPENDS += "libsepol libselinux libsemanage libcap 
gettext-native"
 EXTRA_DEPENDS = "libcap-ng libcgroup"
 DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
 
-inherit selinux pythonnative
+inherit selinux python3native
 
 RDEPENDS_${BPN}-fixfiles += "\
${BPN}-setfiles \
@@ -27,7 +27,6 @@ RDEPENDS_${BPN}-fixfiles += "\
findutils \
 "
 RDEPENDS_${BPN}-genhomedircon += "\
-   ${BPN}-genhomedircon \
${BPN}-semodule \
 "
 RDEPENDS_${BPN}-loadpolicy += "\
@@ -45,10 +44,6 @@ RDEPENDS_${BPN}-semodule += "\
libselinux \
libsemanage \
 "
-# static link to libsepol
-RDEPENDS_${BPN}-semodule-expand += "libsepol libselinux"
-RDEPENDS_${BPN}-semodule-link += "libsepol libselinux"
-RDEPENDS_${BPN}-semodule-package += "libsepol libselinux"
 RDEPENDS_${BPN}-sestatus += "libselinux"
 RDEPENDS_${BPN}-setfiles += "\
libselinux \
@@ -61,10 +56,6 @@ RDEPENDS_${BPN}-setsebool += "\
 "
 RDEPENDS_${BPN} += "selinux-python"
 
-WARN_QA_remove = " unsafe-references-in-scripts"
-ERROR_QA_remove = " unsafe-references-in-scripts"
-
-
 PACKAGES =+ "\
${PN}-fixfiles \
${PN}-genhomedircon \
@@ -102,6 +93,7 @@ FILES_${PN}-sestatus += "\
 "
 FILES_${PN}-setfiles += "\
${base_sbindir}/restorecon \
+   ${base_sbindir}/restorecon_xattr \
${base_sbindir}/setfiles \
 "
 FILES_${PN}-setsebool += "\
@@ -147,7 +139,7 @@ sysroot_stage_dirs_append_class-native() {
 }
 
 do_compile_prepend() {
-   export PYTHON=python
+   export PYTHON=python3
export PYLIBVER='python${PYTHON_BASEVERSION}'
export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}"
export PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so"
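Review bot: `PYTHON` now names python3 in do_compile_prepend, but the context lines below it still derive the header and library paths from `python${PYTHON_BASEVERSION}` alone, giving `-I${STAGING_INCDIR}/${PYLIBVER}` and `lib${PYLIBVER}.so`. If the python3 in the recipe sysroot installs its headers and shared library under an ABI-suffixed name, neither path would resolve. It is worth confirming both exist after the switch, or deriving them with the suffix, e.g. `export PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}'`, assuming the inherited class sets `PYTHON_ABI`. If policycoreutils 2.9 no longer builds any python bindings, these exports could be dropped instead. do_compile_prepend closes in the next hunk.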
@@ -155,7 +147,7 @@ do_compile_prepend() {
 }
 
 do_install_prepend() {
-   export PYTHON=python
+   export PYTHON=python3
export SBINDIR="${D}/${base_sbindir}"
 }
 
diff --git a/recipes-security/selinux/policycoreutils_2.8.bb 
b/recipes-security/selinux/policycoreutils_2.8.bb
deleted file mode 100644
index 85f6ff0..000
--- a/recipes-security/selinux/policycoreutils_2.8.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "da5ceb9c7e1e6f8c573731031b91cffe"
-SRC_URI[sha256sum] = 
"986553a235f27bee7ad7c2b7c35ea51eb2ee68e2cf03b661b1585de101bc1099"
-
diff --git a/recipes-security/selinux/policycoreutils_2.9.bb 
b/recipes-security/selinux/policycoreutils_2.9.bb
new file mode 100644
index 000..08ba54a
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils_2.9.bb
@@ -0,0 +1,8 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "0fbebdb4761353726cc739d5528f21d8"
+SRC_URI[sha256sum] = 
"c53c344f28007b3c0742bd958751e9b5d2385898adeb8aec6281ae57342f0f7b"
+
-- 
2.17.1



[yocto] [meta-selinux][PATCH 12/19] selinux-python: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

* Drop patches:
  fix-TypeError-for-seobject.py.patch
  process-ValueError-for-sepolicy-seobject.patch

* Rebase patches

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-python.inc   | 62 +--
 .../fix-TypeError-for-seobject.py.patch   | 30 -
 .../fix-sepolicy-install-path.patch   |  8 +--
 ...ess-ValueError-for-sepolicy-seobject.patch | 47 --
 .../selinux/selinux-python_2.8.bb |  7 ---
 .../selinux/selinux-python_2.9.bb |  7 +++
 6 files changed, 40 insertions(+), 121 deletions(-)
 delete mode 100644 
recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
 delete mode 100644 
recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch
 delete mode 100644 recipes-security/selinux/selinux-python_2.8.bb
 create mode 100644 recipes-security/selinux/selinux-python_2.9.bb

diff --git a/recipes-security/selinux/selinux-python.inc 
b/recipes-security/selinux/selinux-python.inc
index 8b34bff..5e27781 100644
--- a/recipes-security/selinux/selinux-python.inc
+++ b/recipes-security/selinux/selinux-python.inc
@@ -6,60 +6,54 @@ SELinux utilities audit2allow, chcat, semanage ..."
 SECTION = "base"
 LICENSE = "GPLv2+"
 
-SRC_URI += "file://fix-sepolicy-install-path.patch \
-file://fix-TypeError-for-seobject.py.patch \
-file://process-ValueError-for-sepolicy-seobject.patch \
-"
+SRC_URI += "file://fix-sepolicy-install-path.patch"
 
-inherit python-dir
+inherit python3-dir
 
-DEPENDS += "python-native libsepol"
+DEPENDS += "python3 libsepol"
 RDEPENDS_${BPN}-audit2allow += "\
-python-core \
-python-textutils \
+python3-core \
 libselinux-python \
 ${BPN}-sepolgen \
 "
 RDEPENDS_${BPN}-chcat += "\
-python-core \
-python-codecs \
-python-shell \
-python-stringold \
-python-unixadmin \
+python3-core \
+python3-codecs \
+python3-shell \
+python3-stringold \
+python3-unixadmin \
 libselinux-python \
 ${BPN} \
 "
 RDEPENDS_${BPN} += "\
-python-core \
-python-codecs \
-python-io \
-python-ipy \
-python-re \
-python-stringold \
-python-syslog \
-python-unixadmin \
+python3-core \
+python3-codecs \
+python3-io \
+python3-ipy \
+python3-stringold \
+python3-syslog \
+python3-unixadmin \
 libselinux-python \
 libsemanage-python \
 setools \
 "
 RDEPENDS_${BPN}-semanage += "\
-python-core \
-python-ipy \
-python-compression \
-python-xml \
-python-misc \
+python3-core \
+python3-ipy \
+python3-compression \
+python3-xml \
+python3-misc \
 libselinux-python \
 ${BPN} \
 "
 RDEPENDS_${BPN}-sepolicy += "\
-python-argparse \
-python-codecs \
-python-core \
-python-syslog \
+python3-core \
+python3-codecs \
+python3-syslog \
 ${BPN} \
 "
 RDEPENDS_${BPN}-sepolgen-ifgen += "\
-python \
+python3-core \
 libselinux-python \
 "
 
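Review bot: The build dependency changes from `python-native` to the target `python3`, and the only python class inherited in this hunk is `python3-dir`, which as far as I know only sets directory variables. If the upstream Makefiles run the interpreter during do_compile or do_install, nothing visible here puts a native python3 into the recipe sysroot, so the build could pick up whatever python3 the build host has. Consider adding `inherit python3native` next to `inherit python3-dir`, as the policycoreutils.inc change in PATCH 09/19 does. The rest of the recipe is outside this hunk, so this may already be handled elsewhere.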
@@ -96,7 +90,7 @@ FILES_${PN}-sepolgen += "\
 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolgen* \
 ${localstatedir}/lib/sepolgen/perm_map \
 "
-# Map to policycoreutils-python in 2.6
+
 FILES_${PN} += "\
 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info 
\
@@ -104,9 +98,11 @@ FILES_${PN} += "\
 "
 
 EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+
 do_install() {
-oe_runmake DESTDIR=${D} \
+oe_runmake DESTDIR="${D}" \
 LIBDIR="${libdir}" \
+PYLIBVER='python${PYTHON_BASEVERSION}' \
 
PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
 install
 }
diff --git 
a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch 
b/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
deleted file mode 100644
index 62cdeee..000
--- 
a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 98c2944ffa3e35095187e1df9ff33498bbd0fa54 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan 
-Date: Tue, 1 Apr 2014 02:53:36 -0400
-Subject: [PATCH] policycoreutils: fix TypeError for seobject.py
-
-File "/usr/lib64/python2.7/site-packages/seobject.py", line 109, in log
-  message += " sename=" + sename
-TypeError: cannot concatenate 'str' and 'NoneType' objects
-
-Uptream-Status: Pending

[yocto] [meta-selinux][PATCH 08/19] secilc: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/secilc_2.8.bb | 7 ---
 recipes-security/selinux/secilc_2.9.bb | 7 +++
 2 files changed, 7 insertions(+), 7 deletions(-)
 delete mode 100644 recipes-security/selinux/secilc_2.8.bb
 create mode 100644 recipes-security/selinux/secilc_2.9.bb

diff --git a/recipes-security/selinux/secilc_2.8.bb 
b/recipes-security/selinux/secilc_2.8.bb
deleted file mode 100644
index 89e0684..000
--- a/recipes-security/selinux/secilc_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
-
-SRC_URI[md5sum] = "a3c363545842aadc6645a94112b476e7"
-SRC_URI[sha256sum] = 
"cfe15f2e06b3013c9dfc46cf42234ff07fb61866c4c29d739eb8858f83b214d4"
diff --git a/recipes-security/selinux/secilc_2.9.bb 
b/recipes-security/selinux/secilc_2.9.bb
new file mode 100644
index 000..8207905
--- /dev/null
+++ b/recipes-security/selinux/secilc_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
+
+SRC_URI[md5sum] = "489cedf50fa277ce07765053ffcdb4d5"
+SRC_URI[sha256sum] = 
"73a1806e33a669e23545da2d35d0e5038714721f6bf71974eaa533b3ebde61b2"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 11/19] restorecond: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Rebase patches

Signed-off-by: Yi Zhao 
---
 ...icycoreutils-make-O_CLOEXEC-optional.patch | 29 +++
 recipes-security/selinux/restorecond_2.8.bb   |  7 -
 recipes-security/selinux/restorecond_2.9.bb   |  7 +
 3 files changed, 24 insertions(+), 19 deletions(-)
 delete mode 100644 recipes-security/selinux/restorecond_2.8.bb
 create mode 100644 recipes-security/selinux/restorecond_2.9.bb

diff --git 
a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
 
b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
index ab1a10a..2928aff 100644
--- 
a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
+++ 
b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
@@ -1,29 +1,34 @@
+From 4adc1c02e4da42f64249c05534875e732f043693 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald 
+Date: Wed, 6 Nov 2019 23:17:50 +0800
 Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
 
-Various commits in the selinux tree in the current release added O_CLOEXEC
-to open() calls in an attempt to address file descriptor leaks as
-described:
+Various commits in the selinux tree in the current release added
+O_CLOEXEC to open() calls in an attempt to address file descriptor leaks
+as described:
 
-   http://danwalsh.livejournal.com/53603.html
+  http://danwalsh.livejournal.com/53603.html
 
 However O_CLOEXEC isn't available on all platforms, so make it a
-compile-time option and generate a warning when it is not available.  The
-actual impact of leaking these file descriptors is minimal, though it does
-produce curious AVC Denied messages.
+compile-time option and generate a warning when it is not available.
+The actual impact of leaking these file descriptors is minimal, though
+it does produce curious AVC Denied messages.
 
-Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and 
POSIX since 2008]
+Uptream-Status: Inappropriate
+[O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
 
 Signed-off-by: Joe MacDonald 
 Signed-off-by: Wenzong Fan 
+Signed-off-by: Yi Zhao 
 ---
- user.c |8 +++-
+ user.c | 8 +++-
  1 file changed, 7 insertions(+), 1 deletion(-)
 
 diff --git a/user.c b/user.c
-index 2c28676..6235772 100644
+index 714aae7..bbf018e 100644
 --- a/user.c
 +++ b/user.c
-@@ -202,7 +202,13 @@ static int local_server() {
+@@ -202,7 +202,13 @@ static int local_server(void) {
perror("asprintf");
return -1;
}
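Review bot: The rewrapped status tag on the added lines is still spelled `Uptream-Status`, so any check that looks for the `Upstream-Status:` header will not recognise it, and the bracketed reason now sits on a line of its own. I would write it on one line as `Upstream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]`. Given that stated reason, it is also worth asking whether the patch still needs to be carried, since on a build where O_CLOEXEC is undefined it leaves the descriptor inheritable across exec and only emits a warning.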
@@ -39,5 +44,5 @@ index 2c28676..6235772 100644
g_warning ("Lock file: %s", ptr);
  
 -- 
-1.7.9.5
+2.7.4
 
diff --git a/recipes-security/selinux/restorecond_2.8.bb 
b/recipes-security/selinux/restorecond_2.8.bb
deleted file mode 100644
index 4a83a23..000
--- a/recipes-security/selinux/restorecond_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "cfe4e4d6184623fdcb9bc2681e693abb"
-SRC_URI[sha256sum] = 
"323cab1128e5308cd85fea0e5c98e3c8973e1ada0b659f2fce76187e192271bf"
diff --git a/recipes-security/selinux/restorecond_2.9.bb 
b/recipes-security/selinux/restorecond_2.9.bb
new file mode 100644
index 000..2ccac18
--- /dev/null
+++ b/recipes-security/selinux/restorecond_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "1a24cb2a23d8bd01d3f8d9bb2031981f"
+SRC_URI[sha256sum] = 
"cbf9820583e641ee0462fa7bc89e6024676af281e025703e17b2d019b1a25a4f"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 06/19] libsemanage: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

* Drop patches:
  libsemanage-fix-path-nologin.patch
  0001-src-Makefile-fix-includedir-in-libselinux.pc.patch

* Rebase patches

* Update policy version to 31

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/libsemanage.inc  | 26 ++---
 ...file-fix-includedir-in-libselinux.pc.patch | 28 -
 ...anage-Fix-execve-segfaults-on-Ubuntu.patch | 12 --
 ...anage-allow-to-disable-audit-support.patch | 26 +++--
 ...anage-define-FD_CLOEXEC-as-necessary.patch | 16 
 ...-disable-expand-check-on-policy-load.patch |  6 ++-
 ...age-drop-Wno-unused-but-set-variable.patch | 12 +++---
 .../libsemanage-fix-path-nologin.patch| 39 ---
 recipes-security/selinux/libsemanage_2.8.bb   | 18 -
 recipes-security/selinux/libsemanage_2.9.bb   | 15 +++
 10 files changed, 70 insertions(+), 128 deletions(-)
 delete mode 100644 
recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
 delete mode 100644 
recipes-security/selinux/libsemanage/libsemanage-fix-path-nologin.patch
 delete mode 100644 recipes-security/selinux/libsemanage_2.8.bb
 create mode 100644 recipes-security/selinux/libsemanage_2.9.bb

diff --git a/recipes-security/selinux/libsemanage.inc 
b/recipes-security/selinux/libsemanage.inc
index be0a5f1..9dc1095 100644
--- a/recipes-security/selinux/libsemanage.inc
+++ b/recipes-security/selinux/libsemanage.inc
@@ -6,41 +6,39 @@ on binary policies such as customizing policy boolean 
settings."
 SECTION = "base"
 LICENSE = "LGPLv2.1+"
 
-inherit lib_package python-dir
+inherit lib_package python3-dir
 
-DEPENDS += "libsepol libselinux bzip2 python bison-native flex-native 
swig-native"
-DEPENDS_append_class-target += "audit"
+DEPENDS += "libsepol libselinux bzip2 python3 bison-native flex-native 
swig-native"
+DEPENDS_append_class-target = " audit"
 
 PACKAGES =+ "${PN}-python"
 
 # For /usr/libexec/selinux/semanage_migrate_store
-RDEPENDS_${PN}-python += "python"
+RDEPENDS_${PN}-python += "python3-core"
 
 FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \
   ${libexecdir}/selinux/semanage_migrate_store"
 FILES_${PN}-dbg += 
"${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/*"
 
+FILES_${PN} += "${libexecdir}"
+
 EXTRA_OEMAKE_class-native += "DISABLE_AUDIT=y"
 
 do_compile_append() {
 oe_runmake pywrap \
-INCLUDEDIR='${STAGING_INCDIR}' \
-LIBDIR='${STAGING_LIBDIR}' \
-PYLIBVER='python${PYTHON_BASEVERSION}' \
-PYINC='-I${STAGING_INCDIR}/$(PYLIBVER)' \
-PYLIB='-L${STAGING_LIBDIR}/$(PYLIBVER) -l$(PYLIBVER)' \
-PYTHONLIBDIR='${PYLIB}'
+PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
 }
 
 do_install_append() {
 oe_runmake install-pywrap swigify \
 PYCEXT='.so' \
-
PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
-PYLIBVER='python${PYTHON_BASEVERSION}' \
-PYLIBDIR='${D}/${libdir}/$(PYLIBVER)'
+PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+
PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'
 
 # Update "policy-version" for semanage.conf
-sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 30/' \
+sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 31/' \
${D}/etc/selinux/semanage.conf
 }
 
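Review bot: In do_compile_append the make arguments now reference `${PYLIBVER}` where the old code used `$(PYLIBVER)`, which reads as a BitBake variable although none of that name is set in this file. It appears to work only because BitBake leaves an undefined `${...}` reference untouched and the single quotes then hand it to make. A PYLIBVER defined anywhere else in the metadata would silently change the include and library paths. Keeping the make form, `PYINC='-I${STAGING_INCDIR}/$(PYLIBVER)'` and `PYLIBS='-L${STAGING_LIBDIR}/$(PYLIBVER) -l$(PYLIBVER)'`, makes the intent explicit. The same applies to do_compile in libselinux-python.inc.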
diff --git 
a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
 
b/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
deleted file mode 100644
index 73613d3..000
--- 
a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From e773c0952b06370d81e9b113f9b0b3388e323e52 Mon Sep 17 00:00:00 2001
-From: Robert Yang 
-Date: Thu, 18 Feb 2016 02:39:16 +0000
-Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc
-
-Upstream-Status: Pending
-
-Signed-off-by: Robert Yang 
-Signed-off-by: Yi Zhao 

- src/Makefile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/Makefile b/src/Makefile
-index dea751e..4af4568 100644
 a/src/Makefile
-+++ b/src/Makefile
-@@ -93,6 +93,7 @@ $(LIBSO): $(LOBJS)
- 
- $(LIBPC): $(LIBPC).in ../VERSION
-   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@
- 
- semanageswig_python_exception.i: ../include/semanage/semanage.h
-   bash -e exception.s

[yocto] [meta-selinux][PATCH 07/19] checkpolicy: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/checkpolicy_2.8.bb | 7 ---
 recipes-security/selinux/checkpolicy_2.9.bb | 7 +++
 2 files changed, 7 insertions(+), 7 deletions(-)
 delete mode 100644 recipes-security/selinux/checkpolicy_2.8.bb
 create mode 100644 recipes-security/selinux/checkpolicy_2.9.bb

diff --git a/recipes-security/selinux/checkpolicy_2.8.bb 
b/recipes-security/selinux/checkpolicy_2.8.bb
deleted file mode 100644
index 05e738e..000
--- a/recipes-security/selinux/checkpolicy_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "5d23a3209048c8cf70f3c13c4ce4245f"
-SRC_URI[sha256sum] = 
"9dec811c24b88e58c3bf741365eacf1dbb945531a2fcb8f284aacf68098194c8"
diff --git a/recipes-security/selinux/checkpolicy_2.9.bb 
b/recipes-security/selinux/checkpolicy_2.9.bb
new file mode 100644
index 000..1183ea9
--- /dev/null
+++ b/recipes-security/selinux/checkpolicy_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "3b0e327f6c1a143f9720a1fbefede3c0"
+SRC_URI[sha256sum] = 
"a946c32b284532447857e4c48830f8816867c61220c8c08bdd32e6f691335f8e"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 05/19] libselinux-python: add recipe

2019-11-13 Thread Yi Zhao
After switching to python3, there is a loop dependency error with the
libselinux-python package when building libselinux. Split the original
libselinux recipe into libselinux and libselinux-python.

Signed-off-by: Yi Zhao 
---
 .../selinux/libselinux-python.inc | 40 +++
 .../selinux/libselinux-python_2.9.bb  | 18 +
 2 files changed, 58 insertions(+)
 create mode 100644 recipes-security/selinux/libselinux-python.inc
 create mode 100644 recipes-security/selinux/libselinux-python_2.9.bb

diff --git a/recipes-security/selinux/libselinux-python.inc 
b/recipes-security/selinux/libselinux-python.inc
new file mode 100644
index 000..62354b2
--- /dev/null
+++ b/recipes-security/selinux/libselinux-python.inc
@@ -0,0 +1,40 @@
+SUMMARY = "SELinux library and simple utilities"
+DESCRIPTION = "libselinux provides an API for SELinux applications to get and 
set \
+process and file security contexts and to obtain security policy \
+decisions.  Required for any applications that use the SELinux API."
+SECTION = "base"
+LICENSE = "PD"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/libselinux:"
+
+inherit python3-dir
+
+DEPENDS += "python3 swig-native"
+RDEPENDS_${PN} += "libselinux python3-core python3-shell"
+
+def get_policyconfigarch(d):
+import re
+target = d.getVar('TARGET_ARCH', True)
+p = re.compile('i.86')
+target = p.sub('i386',target)
+return "ARCH=%s" % (target)
+EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
+
+EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' 
LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
+EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"
+
+FILES_${PN} = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
+
+do_compile() {
+oe_runmake pywrap -j1 \
+PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+}
+
+do_install() {
+oe_runmake install-pywrap swigify \
+PYCEXT='.so' \
+PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+
PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'
+}
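Review bot: SUMMARY and DESCRIPTION are copied unchanged from libselinux, but this recipe packages only `${libdir}/python${PYTHON_BASEVERSION}/site-packages/*`. Something like `SUMMARY = "Python bindings for the SELinux library"`, with a DESCRIPTION that says the package provides the Python 3 bindings for libselinux, would describe what is actually shipped and keep the two packages distinguishable in image manifests.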
diff --git a/recipes-security/selinux/libselinux-python_2.9.bb 
b/recipes-security/selinux/libselinux-python_2.9.bb
new file mode 100644
index 000..8e3aae1
--- /dev/null
+++ b/recipes-security/selinux/libselinux-python_2.9.bb
@@ -0,0 +1,18 @@
+SELINUX_RELEASE = "20190315"
+
+SRC_URI = 
"https://github.com/SELinuxProject/selinux/releases/download/${SELINUX_RELEASE}/libselinux-${PV}.tar.gz;
+
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+SRC_URI[md5sum] = "bb449431b6ed55a0a0496dbc366d6e31"
+SRC_URI[sha256sum] = 
"1bccc8873e449587d9a2b2cf253de9b89a8291b9fbc7c59393ca9e5f5f4d2693"
+
+SRC_URI += "\
+file://libselinux-drop-Wno-unused-but-set-variable.patch \
+file://libselinux-make-O_CLOEXEC-optional.patch \
+file://libselinux-make-SOCK_CLOEXEC-optional.patch \
+file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
+"
+S = "${WORKDIR}/libselinux-${PV}"
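Review bot: SELINUX_RELEASE and the release SRC_URI are repeated here instead of coming from the series' selinux_20190315.inc, so the release id now lives in two files and this recipe gets neither UPSTREAM_CHECK_URI nor UPSTREAM_CHECK_REGEX. The override is presumably needed because `${BPN}` no longer matches the libselinux tarball name. A one-line comment saying so, plus the two UPSTREAM_CHECK lines from selinux_20190315.inc, would let upstream version checks cover the bindings too.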
-- 
2.17.1



[yocto] [meta-selinux][PATCH 04/19] libselinux: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

* Drop patches:
  0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
  0001-src-Makefile-fix-includedir-in-libselinux.pc.patch

* Split into libselinux recipe and libselinux-python recipe to fix the
  loop dependency error.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/libselinux.inc   | 24 +---
 ...t-define-gettid-if-glibc-2.30-is-use.patch | 60 ---
 ...file-fix-includedir-in-libselinux.pc.patch | 28 -
 .../{libselinux_2.8.bb => libselinux_2.9.bb}  | 10 ++--
 4 files changed, 6 insertions(+), 116 deletions(-)
 delete mode 100644 
recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
 delete mode 100644 
recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
 rename recipes-security/selinux/{libselinux_2.8.bb => libselinux_2.9.bb} (50%)

diff --git a/recipes-security/selinux/libselinux.inc 
b/recipes-security/selinux/libselinux.inc
index 6e115e3..8d381de 100644
--- a/recipes-security/selinux/libselinux.inc
+++ b/recipes-security/selinux/libselinux.inc
@@ -5,15 +5,10 @@ decisions.  Required for any applications that use the 
SELinux API."
 SECTION = "base"
 LICENSE = "PD"
 
-inherit lib_package pythonnative
+inherit lib_package python3native
 
-DEPENDS += "libsepol python libpcre swig-native"
+DEPENDS += "libsepol libpcre"
 DEPENDS_append_libc-musl = " fts"
-RDEPENDS_${PN}-python += "python-core python-shell"
-
-PACKAGES += "${PN}-python"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
-FILES_${PN}-dbg += 
"${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*"
 
 def get_policyconfigarch(d):
 import re
@@ -26,19 +21,4 @@ EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
 EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' 
LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
 EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"
 
-do_compile_append() {
-oe_runmake pywrap -j1 \
-INCLUDEDIR='${STAGING_INCDIR}' \
-LIBDIR='${STAGING_LIBDIR}' \
-PYINC='-I${STAGING_INCDIR}/python${PYTHON_BASEVERSION}'
-}
-
-do_install_append() {
-oe_runmake install-pywrap swigify \
-
PYTHONLIBDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages
-if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; 
then
-rm -rf ${D}${base_sbindir}
-fi
-}
-
 BBCLASSEXTEND = "native"
diff --git 
a/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
 
b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
deleted file mode 100644
index fc3e37e..000
--- 
a/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 2c672b4cc39fbddb6faec2c7434832058f339d59 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach 
-Date: Mon, 11 Mar 2019 16:00:41 +0100
-Subject: [PATCH] libselinux: Do not define gettid() if glibc >= 2.30 is used
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since version 2.30 glibc implements gettid() system call wrapper, see
-https://sourceware.org/bugzilla/show_bug.cgi?id=6399
-
-Fixes:
-cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong 
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic 
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection 
-I../include -D_GNU_SOURCE  -DNO_ANDROID_BACKEND   -c -o procattr.o procattr.c
-procattr.c:28:14: error: static declaration of ‘gettid’ follows non-static 
declaration
-   28 | static pid_t gettid(void)
-  |  ^~
-In file included from /usr/include/unistd.h:1170,
- from procattr.c:2:
-/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ 
was here
-   34 | extern __pid_t gettid (void) __THROW;
-  |^~
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/selinux/commit/707e4b8610733b5c9eaac0f00239778f3edb23c2]
-
-Signed-off-by: Petr Lautrbach 
-Signed-off-by: Yi Zhao 

- src/procattr.c | 15 +--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/src/procattr.c b/src/procattr.c
-index 8bf8432..3c7b87f 100644
 a/src/procattr.c
-+++ b/src/procattr.c
-@@ -22,8 +22,19 @@ static pthread_key_t destructor_key;
- static int destructor_key_initialized = 0;
- static __thread char destructor_initialized;
- 
--#ifndef __BIONIC__
--/* Bionic declares this in unistd.h and has a definition for it */
-+/* Bionic and glibc >= 2.30 declare gettid() system call wrap

[yocto] [meta-selinux][PATCH 03/19] libsepol: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Drop patch 0001-src-Makefile-fix-includedir-in-libsepol.pc.patch

Signed-off-by: Yi Zhao 
---
 ...kefile-fix-includedir-in-libsepol.pc.patch | 29 ---
 recipes-security/selinux/libsepol_2.8.bb  |  9 --
 recipes-security/selinux/libsepol_2.9.bb  |  7 +
 3 files changed, 7 insertions(+), 38 deletions(-)
 delete mode 100644 
recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
 delete mode 100644 recipes-security/selinux/libsepol_2.8.bb
 create mode 100644 recipes-security/selinux/libsepol_2.9.bb

diff --git 
a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
 
b/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
deleted file mode 100644
index 987fdab..000
--- 
a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 074dbf2f104d1a6ea1aa048600f44f9701c70a60 Mon Sep 17 00:00:00 2001
-From: Robert Yang 
-Date: Thu, 18 Feb 2016 02:04:59 +
-Subject: [PATCH] src/Makefile: fix includedir in libsepol.pc
-
-Upstream-Status: Pending
-
-Signed-off-by: Robert Yang 
-Signed-off-by: Yi Zhao 

- src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index ccb7023..2bb6290 100644
 a/src/Makefile
-+++ b/src/Makefile
-@@ -51,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP)
-   ln -sf $@ $(TARGET) 
- 
- $(LIBPC): $(LIBPC).in ../VERSION
--  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@
- 
- $(LIBMAP): $(LIBMAP).in
- ifneq ($(DISABLE_CIL),y)
--- 
-2.7.4
-
diff --git a/recipes-security/selinux/libsepol_2.8.bb 
b/recipes-security/selinux/libsepol_2.8.bb
deleted file mode 100644
index d1f905b..000
--- a/recipes-security/selinux/libsepol_2.8.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "c19aa9dde1e78d1c2bd3109579e4d484"
-SRC_URI[sha256sum] = 
"3ad6916a8352bef0bad49acc8037a5f5b48c56f94e4cb4e1959ca475fa9d24d6"
-
-SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch"
diff --git a/recipes-security/selinux/libsepol_2.9.bb 
b/recipes-security/selinux/libsepol_2.9.bb
new file mode 100644
index 000..cd55be6
--- /dev/null
+++ b/recipes-security/selinux/libsepol_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+SRC_URI[md5sum] = "2fdefe870a61424d8f2d5d37551c6259"
+SRC_URI[sha256sum] = 
"a34b12b038d121e3e459b1cbaca3c9202e983137819c16baf63658390e3f1d5d"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 02/19] selinux: uprev inc files to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Update SRC_URI
* Add UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux_20180524.inc | 5 -
 recipes-security/selinux/selinux_20190315.inc | 8 
 recipes-security/selinux/selinux_common.inc   | 4 +---
 3 files changed, 9 insertions(+), 8 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux_20180524.inc
 create mode 100644 recipes-security/selinux/selinux_20190315.inc

diff --git a/recipes-security/selinux/selinux_20180524.inc 
b/recipes-security/selinux/selinux_20180524.inc
deleted file mode 100644
index b36b333..000
--- a/recipes-security/selinux/selinux_20180524.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-SELINUX_RELEASE = "20180524"
-
-SRC_URI = 
"https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz;
-
-include selinux_common.inc
diff --git a/recipes-security/selinux/selinux_20190315.inc 
b/recipes-security/selinux/selinux_20190315.inc
new file mode 100644
index 000..e79dd54
--- /dev/null
+++ b/recipes-security/selinux/selinux_20190315.inc
@@ -0,0 +1,8 @@
+SELINUX_RELEASE = "20190315"
+
+SRC_URI = 
"https://github.com/SELinuxProject/selinux/releases/download/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz;
+
+UPSTREAM_CHECK_URI = "https://github.com/SELinuxProject/selinux/releases;
+UPSTREAM_CHECK_REGEX = "libselinux-(?P.+)\.tar\.gz"
+
+require selinux_common.inc
diff --git a/recipes-security/selinux/selinux_common.inc 
b/recipes-security/selinux/selinux_common.inc
index 383f62d..f6c4a6b 100644
--- a/recipes-security/selinux/selinux_common.inc
+++ b/recipes-security/selinux/selinux_common.inc
@@ -1,9 +1,7 @@
 HOMEPAGE = "https://github.com/SELinuxProject;
 
 do_compile() {
-oe_runmake all \
-INCLUDEDIR='${STAGING_INCDIR}' \
-LIBDIR='${STAGING_LIBDIR}'
+oe_runmake all
 }
 
 do_install() {
-- 
2.17.1



[yocto] [meta-selinux][PATCH 00/19] selinux: upgrade 2.8 -> 2.9

2019-11-13 Thread Yi Zhao
* Upgrade to 2.9
* Switch to python3
* Refresh patches

Yi Zhao (19):
  python-ipy: upgrade to 1.00 and add python3 version
  selinux: uprev inc files to 2.9 (20190315)
  libsepol: uprev to 2.9 (20190315)
  libselinux: uprev to 2.9 (20190315)
  libselinux-python: add recipe
  libsemanage: uprev to 2.9 (20190315)
  checkpolicy: uprev to 2.9 (20190315)
  secilc: uprev to 2.9 (20190315)
  policycoreutils: uprev to 2.9 (20190315)
  mcstrans: uprev to 2.9 (20190315)
  restorecond: uprev to 2.9 (20190315)
  selinux-python: uprev to 2.9 (20190315)
  selinux-dbus: uprev to 2.9 (20190315)
  selinux-sandbox: uprev to 2.9 (20190315)
  selinux-gui: uprev to 2.9 (20190315)
  semodule-utils: uprev to 2.9 (20190315)
  selinux-init: fix build error when enable usrmerge feature
  setools: upgrade 4.1.1 -> 4.2.2
  audit: switch to python3

 recipes-devtools/python/python-ipy.inc|  18 +++
 recipes-devtools/python/python-ipy_0.83.bb|  32 --
 recipes-devtools/python/python-ipy_1.00.bb|   2 +
 recipes-devtools/python/python3-ipy_1.00.bb   |   2 +
 .../audit/audit/audit-python-configure.patch  |  46 
 .../audit/audit/audit-python.patch|  64 ---
 .../audit/fix-swig-host-contamination.patch   |  56 --
 recipes-security/audit/audit_2.8.5.bb |  11 +-
 recipes-security/selinux/checkpolicy_2.8.bb   |   7 --
 recipes-security/selinux/checkpolicy_2.9.bb   |   7 ++
 .../selinux/libselinux-python.inc |  40 +++
 ...elinux_2.8.bb => libselinux-python_2.9.bb} |  14 ++-
 recipes-security/selinux/libselinux.inc   |  24 +---
 ...t-define-gettid-if-glibc-2.30-is-use.patch |  60 --
 ...file-fix-includedir-in-libselinux.pc.patch |  28 -
 .../{libselinux_2.8.bb => libselinux_2.9.bb}  |  10 +-
 recipes-security/selinux/libsemanage.inc  |  26 ++---
 ...file-fix-includedir-in-libselinux.pc.patch |  28 -
 ...anage-Fix-execve-segfaults-on-Ubuntu.patch |  12 +-
 ...anage-allow-to-disable-audit-support.patch |  26 +++--
 ...anage-define-FD_CLOEXEC-as-necessary.patch |  16 +--
 ...-disable-expand-check-on-policy-load.patch |   6 +-
 ...age-drop-Wno-unused-but-set-variable.patch |  12 +-
 .../libsemanage-fix-path-nologin.patch|  39 ---
 recipes-security/selinux/libsemanage_2.8.bb   |  18 ---
 recipes-security/selinux/libsemanage_2.9.bb   |  15 +++
 ...kefile-fix-includedir-in-libsepol.pc.patch |  29 -
 recipes-security/selinux/libsepol_2.8.bb  |   9 --
 recipes-security/selinux/libsepol_2.9.bb  |   7 ++
 recipes-security/selinux/mcstrans.inc |   4 +-
 .../mcstrans/mcstrans-de-bashify.patch|  23 ++--
 ...tch => mcstrans-fix-the-init-script.patch} |  14 ++-
 recipes-security/selinux/mcstrans_2.8.bb  |   7 --
 recipes-security/selinux/mcstrans_2.9.bb  |   7 ++
 recipes-security/selinux/policycoreutils.inc  |  16 +--
 .../selinux/policycoreutils_2.8.bb|   8 --
 .../selinux/policycoreutils_2.9.bb|   8 ++
 ...icycoreutils-make-O_CLOEXEC-optional.patch |  29 +++--
 recipes-security/selinux/restorecond_2.8.bb   |   7 --
 recipes-security/selinux/restorecond_2.9.bb   |   7 ++
 recipes-security/selinux/secilc_2.8.bb|   7 --
 recipes-security/selinux/secilc_2.9.bb|   7 ++
 recipes-security/selinux/selinux-dbus.inc |   2 +-
 recipes-security/selinux/selinux-dbus_2.8.bb  |   7 --
 recipes-security/selinux/selinux-dbus_2.9.bb  |   7 ++
 recipes-security/selinux/selinux-gui.inc  |   2 +-
 recipes-security/selinux/selinux-gui_2.8.bb   |   7 --
 recipes-security/selinux/selinux-gui_2.9.bb   |   7 ++
 recipes-security/selinux/selinux-initsh.inc   |   5 +-
 recipes-security/selinux/selinux-python.inc   |  62 +--
 .../fix-TypeError-for-seobject.py.patch   |  30 -
 .../fix-sepolicy-install-path.patch   |   8 +-
 ...ess-ValueError-for-sepolicy-seobject.patch |  47 
 .../selinux/selinux-python_2.8.bb |   7 --
 .../selinux/selinux-python_2.9.bb |   7 ++
 recipes-security/selinux/selinux-sandbox.inc  |  10 +-
 .../selinux-sandbox/sandbox-de-bashify.patch  |   9 +-
 .../selinux/selinux-sandbox_2.8.bb|   7 --
 .../selinux/selinux-sandbox_2.9.bb|   7 ++
 recipes-security/selinux/selinux_20180524.inc |   5 -
 recipes-security/selinux/selinux_20190315.inc |   8 ++
 recipes-security/selinux/selinux_common.inc   |   4 +-
 .../selinux/semodule-utils_2.8.bb |   7 --
 .../selinux/semodule-utils_2.9.bb |   7 ++
 ...e-with-GCC-7-due-to-possible-truncat.patch | 105 --
 ...ss-compiling-errors-for-powerpc-mips.patch |  35 --
 .../setools4-fixes-for-cross-compiling.patch  |  34 +++---
 .../{setools_4.1.1.bb => setools_4.2.2.bb}|  14 +--
 68 files changed, 348 insertions(+), 910 deletions(-)
 create mode 100644 recipes-devtools/python/python-ipy.inc
 delete mode 100644 recipes-devtools/python/python-ipy_0.83.bb
 create mode 100644 recipes-devtools/python/pyt

[yocto] [meta-selinux][PATCH 01/19] python-ipy: upgrade to 1.00 and add python3 version

2019-11-13 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-devtools/python/python-ipy.inc  | 18 
 recipes-devtools/python/python-ipy_0.83.bb  | 32 -
 recipes-devtools/python/python-ipy_1.00.bb  |  2 ++
 recipes-devtools/python/python3-ipy_1.00.bb |  2 ++
 4 files changed, 22 insertions(+), 32 deletions(-)
 create mode 100644 recipes-devtools/python/python-ipy.inc
 delete mode 100644 recipes-devtools/python/python-ipy_0.83.bb
 create mode 100644 recipes-devtools/python/python-ipy_1.00.bb
 create mode 100644 recipes-devtools/python/python3-ipy_1.00.bb

diff --git a/recipes-devtools/python/python-ipy.inc 
b/recipes-devtools/python/python-ipy.inc
new file mode 100644
index 000..ba4c2bd
--- /dev/null
+++ b/recipes-devtools/python/python-ipy.inc
@@ -0,0 +1,18 @@
+SUMMARY = "Python module for handling IPv4 and IPv6 Addresses and Networks"
+DESCRIPTION = "IPy is a Python module for handling IPv4 and IPv6 Addresses and 
Networks \
+in a fashion similar to perl's Net::IP and friends. The IP class allows \
+a comfortable parsing and handling for most notations in use for IPv4 \
+and IPv6 Addresses and Networks."
+SECTION = "devel/python"
+HOMEPAGE = "https://github.com/haypo/python-ipy;
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=848d24919845901b4f48bae5f13252e6"
+
+SRC_URI[md5sum] = "1a90c68174234672241a7e60c7ea0fb9"
+SRC_URI[sha256sum] = 
"2f2bf658a858d43868d8a4352b3889cf78c66e2ce678b300dcf518c9149ba621"
+
+inherit pypi
+
+PYPI_PACKAGE = "IPy"
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-devtools/python/python-ipy_0.83.bb 
b/recipes-devtools/python/python-ipy_0.83.bb
deleted file mode 100644
index df060fa..000
--- a/recipes-devtools/python/python-ipy_0.83.bb
+++ /dev/null
@@ -1,32 +0,0 @@
-SUMMARY = "Python module for handling IPv4 and IPv6 Addresses and Networks"
-DESCRIPTION = "IPy is a Python module for handling IPv4 and IPv6 Addresses and 
Networks \ 
-in a fashion similar to perl's Net::IP and friends. The IP class allows \
-a comfortable parsing and handling for most notations in use for IPv4 \
-and IPv6 Addresses and Networks."
-SECTION = "devel/python"
-HOMEPAGE = "https://github.com/haypo/python-ipy;
-DEPENDS = "python"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=ebc0028ff5cdaf7796604875027dcd55"
-
-SRC_URI = "https://pypi.python.org/packages/source/I/IPy/IPy-${PV}.tar.gz;
-
-SRC_URI[md5sum] = "7b8c6eb4111b15aea31b67108e769712"
-SRC_URI[sha256sum] = 
"61da5a532b159b387176f6eabf11946e7458b6df8fb8b91ff1d345ca7a6edab8"
-
-S = "${WORKDIR}/IPy-${PV}"
-
-inherit distutils
-
-# need to export these variables for python-config to work
-export BUILD_SYS
-export HOST_SYS
-export STAGING_INCDIR
-export STAGING_LIBDIR
-
-BBCLASSEXTEND = "native"
-
-do_install_append() {
-   install -d ${D}/${datadir}/doc/${BPN}-${PV}
-   install AUTHORS COPYING ChangeLog README 
${D}/${datadir}/doc/${BPN}-${PV}
-}
diff --git a/recipes-devtools/python/python-ipy_1.00.bb 
b/recipes-devtools/python/python-ipy_1.00.bb
new file mode 100644
index 000..587a517
--- /dev/null
+++ b/recipes-devtools/python/python-ipy_1.00.bb
@@ -0,0 +1,2 @@
+inherit setuptools
+require python-ipy.inc
diff --git a/recipes-devtools/python/python3-ipy_1.00.bb 
b/recipes-devtools/python/python3-ipy_1.00.bb
new file mode 100644
index 000..ea6a105
--- /dev/null
+++ b/recipes-devtools/python/python3-ipy_1.00.bb
@@ -0,0 +1,2 @@
+inherit setuptools3
+require python-ipy.inc
-- 
2.17.1



[yocto] [meta-cgl][PATCH] ucarp: add initscripts-functions as runtime dependency when using systemd

2019-09-24 Thread Yi Zhao
The ucarp.service invokes script /usr/libexec/ucarp to start/stop the
ucarp service. But the /etc/init.d/functions file which is required by
the script is not installed by default when using systemd. Explicitly
set the initscripts-functions package as the runtime dependency when
using systemd.

Signed-off-by: Yi Zhao 
---
 meta-cgl-common/recipes-cgl/ucarp/ucarp_1.5.2.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-cgl-common/recipes-cgl/ucarp/ucarp_1.5.2.bb 
b/meta-cgl-common/recipes-cgl/ucarp/ucarp_1.5.2.bb
index 6f30bf7..f5be421 100644
--- a/meta-cgl-common/recipes-cgl/ucarp/ucarp_1.5.2.bb
+++ b/meta-cgl-common/recipes-cgl/ucarp/ucarp_1.5.2.bb
@@ -31,6 +31,7 @@ SRC_URI[sha256sum] = 
"f3cc77e28481fd04f62bb3d4bc03104a97dd316c80c0ed04ad7be24b54
 inherit autotools gettext systemd
 
 DEPENDS = "libpcap"
+RDEPENDS_${PN} = 
"${@bb.utils.contains('DISTRO_FEATURES','systemd','initscripts-functions','',d)}"
 
 SYSTEMD_SERVICE_${PN} = "ucarp.service"
 SYSTEMD_AUTO_ENABLE = "disable"
-- 
2.7.4



[yocto] [meta-selinux][PATCH] audit: explicitly disable golang bindings

2019-09-12 Thread Yi Zhao
Disable golang bindings to avoid potential host contamination issue.
Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13166

Signed-off-by: Yi Zhao 
---
 recipes-security/audit/audit_2.8.5.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-security/audit/audit_2.8.5.bb 
b/recipes-security/audit/audit_2.8.5.bb
index d3b9b51..2b47812 100644
--- a/recipes-security/audit/audit_2.8.5.bb
+++ b/recipes-security/audit/audit_2.8.5.bb
@@ -39,6 +39,7 @@ EXTRA_OECONF += "--without-prelude \
 --libdir=${base_libdir} \
 --sbindir=${base_sbindir} \
 --without-python3 \
+--without-golang \
 --disable-zos-remote \
 "
 EXTRA_OECONF_append_arm = " --with-arm=yes"
-- 
2.7.4



Re: [yocto] [meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers

2019-09-10 Thread Yi Zhao



On 9/10/19 1:11 AM, Joe MacDonald wrote:

Hi Yi,

[[meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers] 
On 19.09.09 (Mon 14:01) Yi Zhao wrote:


From: Robert Yang 

The previous code add all BBFILE_COLLECTIONS/recipes*/*/*.bbappend to BBFILES,
which causes the parsing very slow when there are many layers, e.g., I have 87
layers:

* Before:
$ rm -fr tmp-glibc/ cache; time bitbake -p
real0m45.173s
user0m0.560s
sys 0m0.060s

* After:
$ rm -fr tmp-glibc/ cache; time bitbake -p
real0m25.542s
user0m0.572s
sys 0m0.040s

It wasted 20s which wasn't worth (The host has 128 threads, it should cost more
time on less power host), use BBFILES_DYNAMIC can fix the problem.


This seems like a big claim, I certainly haven't seen that on my setup:

* Before:
$ rm -fr tmp cache
real0m14.751s
user0m0.323s
sys 0m0.048s

* After:
$ rm -fr tmp cache ; time bitbake -p
real0m14.725s
user0m0.326s
sys 0m0.046s

but it's still a sensible change.  When I ran a test before/after
configuration for augeas the configuration seemed off, though.  Can you
confirm that with this change as is you're getting the correct
--with/--without and --enable/--disable and patches applied for your
layers?  I just want to confirm since the ~20s difference in parsing
seems kind of out of scale for moving essentially three bbappends around
and I'm wondering if there's something else significant in your tree we
want to consider.



This patch is from Robert Yang. CC to him. Maybe he can give us more 
explanation.


For augeas, the current augeas_%.bbappend doesn't work because the 
augeas recipe is in the meta-oe layer, not in the meta-python layer. This patch 
moves the bbappend to the correct layer to fix this issue.


It works on my local:

$ cat log.do_configure

[snip]
checking for library containing setfilecon... -lselinux
[snip]
checking for selinux/selinux.h... (cached) yes
checking selinux/context.h usability... yes
checking selinux/context.h presence... yes
checking for selinux/context.h... yes
[snip]


//Yi




-J.


Signed-off-by: Robert Yang 
Signed-off-by: Yi Zhao 
---
  conf/layer.conf   | 11 +++
  .../recipes-daemons/iscsi-initiator-utils/files/initd.debian  |  0
  .../iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend|  0
  .../iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc   |  0
  .../recipes-support}/augeas/augeas_%.bbappend |  0
  .../recipes-containers/lxc/lxc_%.bbappend |  0
  6 files changed, 7 insertions(+), 4 deletions(-)
  rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/files/initd.debian
 (100%)
  rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
 (100%)
  rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
 (100%)
  rename {meta-python/recipes-extended/augeas => 
dynamic-layers/openembedded-layer/recipes-support}/augeas/augeas_%.bbappend (100%)
  rename {virtualization-layer => 
dynamic-layers/virtualization-layer}/recipes-containers/lxc/lxc_%.bbappend (100%)

diff --git a/conf/layer.conf b/conf/layer.conf
index 9dd34b1..89b9468 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -5,10 +5,13 @@ BBPATH .= ":${LAYERDIR}"
  BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
  ${LAYERDIR}/recipes-*/*/*.bbappend"
  
-# Let us add layer-specific bbappends which are only applied when that

-# layer is included in our configuration
-BBFILES += "${@' '.join('${LAYERDIR}/%s/recipes*/*/*.bbappend' % layer \
-   for layer in BBFILE_COLLECTIONS.split())}"
+BBFILES_DYNAMIC += 
"openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bb \
+
openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bbappend 
\
+
networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \
+
networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bbappend \
+
virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bb
 \
+
virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bbappend
 \
+   "
  
  BBFILE_COLLECTIONS += "selinux"

  BBFILE_PATTERN_selinux = "^${LAYERDIR}/"
diff --git 
a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian 
b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
similarity index 100%
rename from 
networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
rename to 
dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
diff --gi

[yocto] [meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers

2019-09-09 Thread Yi Zhao
From: Robert Yang 

The previous code add all BBFILE_COLLECTIONS/recipes*/*/*.bbappend to BBFILES,
which causes the parsing very slow when there are many layers, e.g., I have 87
layers:

* Before:
$ rm -fr tmp-glibc/ cache; time bitbake -p
real0m45.173s
user0m0.560s
sys 0m0.060s

* After:
$ rm -fr tmp-glibc/ cache; time bitbake -p
real0m25.542s
user0m0.572s
sys 0m0.040s

That wasted 20s for no benefit (the host has 128 threads; a less powerful host
should lose more time). Using BBFILES_DYNAMIC fixes the problem.

Signed-off-by: Robert Yang 
Signed-off-by: Yi Zhao 
---
 conf/layer.conf   | 11 +++
 .../recipes-daemons/iscsi-initiator-utils/files/initd.debian  |  0
 .../iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend|  0
 .../iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc   |  0
 .../recipes-support}/augeas/augeas_%.bbappend |  0
 .../recipes-containers/lxc/lxc_%.bbappend |  0
 6 files changed, 7 insertions(+), 4 deletions(-)
 rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/files/initd.debian
 (100%)
 rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
 (100%)
 rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
 (100%)
 rename {meta-python/recipes-extended/augeas => 
dynamic-layers/openembedded-layer/recipes-support}/augeas/augeas_%.bbappend 
(100%)
 rename {virtualization-layer => 
dynamic-layers/virtualization-layer}/recipes-containers/lxc/lxc_%.bbappend 
(100%)

diff --git a/conf/layer.conf b/conf/layer.conf
index 9dd34b1..89b9468 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -5,10 +5,13 @@ BBPATH .= ":${LAYERDIR}"
 BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
 ${LAYERDIR}/recipes-*/*/*.bbappend"
 
-# Let us add layer-specific bbappends which are only applied when that
-# layer is included in our configuration
-BBFILES += "${@' '.join('${LAYERDIR}/%s/recipes*/*/*.bbappend' % layer \
-   for layer in BBFILE_COLLECTIONS.split())}"
+BBFILES_DYNAMIC += 
"openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bb \
+
openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bbappend 
\
+
networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \
+
networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bbappend \
+
virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bb
 \
+
virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bbappend
 \
+   "
 
 BBFILE_COLLECTIONS += "selinux"
 BBFILE_PATTERN_selinux = "^${LAYERDIR}/"
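Review bot: The glob depth is inconsistent across the entries added to `BBFILES_DYNAMIC`: the openembedded-layer and networking-layer patterns use `*/*/*.bb` and `*/*/*.bbappend`, while the virtualization-layer ones use `recipes*/*/*.bb` and `recipes*/*/*.bbappend`. With `*/*/*`, any directory placed under dynamic-layers/<layer>/ is scanned, not only the recipes-* ones; using the `recipes*/*/*` form for all three collections keeps them uniform and matches the renamed paths listed in this patch. The comment removed by this hunk is not replaced, so a line such as `# Recipes and bbappends below are parsed only when the named layer collection is present` would keep the intent documented. The same hunk is quoted in the 2019-09-10 reply above.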
diff --git 
a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian 
b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
similarity index 100%
rename from 
networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
rename to 
dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
diff --git 
a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
 
b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
similarity index 100%
rename from 
networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
rename to 
dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
diff --git 
a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
 
b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
similarity index 100%
rename from 
networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
rename to 
dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
diff --git a/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend 
b/dynamic-layers/openembedded-layer/recipes-support/augeas/augeas_%.bbappend
similarity index 100%
rename from meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend
rename to 
dynamic-layers/openembedded-layer/recipes-support/augeas/augeas_%.bbappend
diff --git a/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend 
b/dynamic-layers/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
similarity index 100%
rename from virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
rename to 
dynamic-layers/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
-- 
2.7.4

-

[yocto] [meta-selinux][PATCH V2] selinux-autorelabel: disable enforcing mode before relabel

2019-09-08 Thread Yi Zhao
The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
on first boot with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled, including /sbin/setfiles. Relabel operations
are not permitted in enforcing mode, so we need to disable enforcing
mode before the relabel.

Signed-off-by: Yi Zhao 
---
 .../selinux/selinux-autorelabel/selinux-autorelabel.sh   | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git 
a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh 
b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..25b6921 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -3,16 +3,19 @@
 /usr/sbin/selinuxenabled 2>/dev/null || exit 0
 
 FIXFILES=/sbin/fixfiles
+SETENFORCE=/usr/sbin/setenforce
 
-if ! test -x ${FIXFILES}; then
-   echo "${FIXFILES} is missing in the system."
+for i in ${FIXFILES} ${SETENFORCE}; do
+   test -x $i && continue
+   echo "$i is missing in the system."
echo "Please add \"selinux=0\" in the kernel command line to disable 
SELinux."
exit 1
-fi
+done
 
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+   ${SETENFORCE} 0
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo " * Relabel done, rebooting the system."
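Review bot: The added `${SETENFORCE} 0` leaves the system in permissive mode from that point on, and its exit status is not checked, so a failed switch only shows up later as a fixfiles error. Nothing in the hunk restores enforcing mode; the script appears to rely on the reboot announced by the last visible echo, but the `if` block continues outside the hunk, so this should be confirmed and stated in a comment, e.g. `# Unlabeled files cannot be relabeled in enforcing mode; stay permissive until the reboot below`. I would also report the failure explicitly: `${SETENFORCE} 0 || echo "SELinux: could not switch to permissive mode, relabel may fail"`. In the new loop `test -x $i` is unquoted; `test -x "$i"` is the safer form. The first version of this patch further down the page (`echo "0" > /sys/fs/selinux/enforce`) has the same unchecked switch.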
-- 
2.7.4



Re: [yocto] [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel

2019-09-05 Thread Yi Zhao



On 9/5/19 7:57 PM, Joe MacDonald wrote:

[[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before 
relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:


The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
when first boot with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled including /sbin/fixfiles. The relabel operation
is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
to ensure the enforcing mode is disabled before relabel.

Did you try this with '/usr/sbin/setenforce 0' instead?  The rationale
makes sense but going straight at sysfs like that isn't the right
approach intuitively.  If that's not working, please just include a bit
of an explanation for why this is the best option.


It also works with setenforce.

I referred to the selinux-autorelabel script on Fedora 30, it uses `echo 
"0" > /sys/fs/selinux/enforce` to disables enforcing mode:


cat /usr/libexec/selinux/selinux-autorelabel

[snip]
 32 relabel_selinux() {
 33 # if /sbin/init is not labeled correctly this process is 
running in the

 34 # wrong context, so a reboot will be required after relabel
 35 AUTORELABEL=
 36 . /etc/selinux/config
 37 echo "0" > /sys/fs/selinux/enforce
 38 [ -x /bin/plymouth ] && plymouth --quit
 39
[snip]


//Yi




Thanks.
-J.


Signed-off-by: Yi Zhao 
---
  recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
  1 file changed, 1 insertion(+)

diff --git 
a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh 
b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..cb40971 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -13,6 +13,7 @@ fi
  # If /.autorelabel placed, the whole file system should be relabeled
  if [ -f /.autorelabel ]; then
echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+   echo "0" > /sys/fs/selinux/enforce
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo " * Relabel done, rebooting the system."
--
2.7.4




[yocto] [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel

2019-09-05 Thread Yi Zhao
The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
when first boot with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled including /sbin/fixfiles. The relabel operation
is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
to ensure the enforcing mode is disabled before relabel.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git 
a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh 
b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..cb40971 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -13,6 +13,7 @@ fi
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+   echo "0" > /sys/fs/selinux/enforce
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo " * Relabel done, rebooting the system."
-- 
2.7.4



[yocto] [meta-selinux][PATCH 2/2] mcstrans: specify INITDIR

2019-08-29 Thread Yi Zhao
By default the mcstrans init script will be installed to
/etc/rc.d/init.d directory. Specify INITDIR to install it to /etc/init.d
directory.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/mcstrans.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/selinux/mcstrans.inc 
b/recipes-security/selinux/mcstrans.inc
index e66633d..0eb8720 100644
--- a/recipes-security/selinux/mcstrans.inc
+++ b/recipes-security/selinux/mcstrans.inc
@@ -15,7 +15,7 @@ inherit systemd update-rc.d
 DEPENDS += "libsepol libselinux libcap"
 
 # We do not need "${D}/" as a prefix anymore.
-EXTRA_OEMAKE += "SBINDIR=${base_sbindir}"
+EXTRA_OEMAKE += "SBINDIR=${base_sbindir} INITDIR=${sysconfdir}/init.d"
 
 do_install_append() {
 install -d ${D}${sbindir}
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/2] setools: update SRC_URI

2019-08-29 Thread Yi Zhao
SETools has moved from https://github.com/TresysTechnology/setools to
https://github.com/SELinuxProject/setools
See: https://github.com/TresysTechnology/setools/wiki

Signed-off-by: Yi Zhao 
---
 recipes-security/setools/setools_4.1.1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/setools/setools_4.1.1.bb 
b/recipes-security/setools/setools_4.1.1.bb
index 8bdbfba..db529f4 100644
--- a/recipes-security/setools/setools_4.1.1.bb
+++ b/recipes-security/setools/setools_4.1.1.bb
@@ -9,7 +9,7 @@ SECTION = "base"
 LICENSE = "GPLv2 & LGPLv2.1"
 
 S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/TresysTechnology/${BPN}.git;branch=4.1 \
+SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.1 \
file://setools4-fixes-for-cross-compiling.patch \
file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \
file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \
-- 
2.7.4



Re: [yocto] [meta-selinux][PATCH 3/3] util-linux: drop obsolete patch

2019-08-29 Thread Yi Zhao

Hi Joe,


Seems you were missing this patch. Would you please merge it? Thanks.


//Yi


On 5/20/19 12:41 PM, Yi Zhao wrote:

Signed-off-by: Yi Zhao 
---
  .../util-linux/fix-libmount_la_DEPENDENCIES.patch  | 28 --
  1 file changed, 28 deletions(-)
  delete mode 100644 
recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch

diff --git 
a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch 
b/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
deleted file mode 100644
index ab54818..000
--- a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Subject: [PATCH] util-linux: fix libmount_la_DEPENDENCIES.
-
-Upstream-Status: Pending
-
-libmount_la_LIBADD contains "-lselinux", this is not a object that
-could consider as a dependency target. So fix this.
-
-Signed-off-by: Xin Ouyang 

- libmount/src/Makemodule.am |2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/libmount/src/Makemodule.am b/libmount/src/Makemodule.am
-index 494e02a..bf494a4 100644
 a/libmount/src/Makemodule.am
-+++ b/libmount/src/Makemodule.am
-@@ -38,7 +38,7 @@ libmount_la_CFLAGS = \
-   -I$(top_srcdir)/libmount/src
-
- libmount_la_DEPENDENCIES = \
--  $(libmount_la_LIBADD) \
-+  libcommon.la libblkid.la \
-   libmount/src/libmount.sym \
-   libmount/src/libmount.h.in
-
---
-1.7.5.4
-



[yocto] [meta-selinux][PATCH] selinux-sandbox: add runtime dependency on python-core

2019-08-22 Thread Yi Zhao
Fixes:
ERROR: QA Issue: /usr/share/sandbox/start contained in package selinux-sandbox 
requires /usr/bin/python,
but no providers found in RDEPENDS_selinux-sandbox?  [file-rdeps]

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-sandbox.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-security/selinux/selinux-sandbox.inc 
b/recipes-security/selinux/selinux-sandbox.inc
index 8616dd7..854640c 100644
--- a/recipes-security/selinux/selinux-sandbox.inc
+++ b/recipes-security/selinux/selinux-sandbox.inc
@@ -13,6 +13,7 @@ SRC_URI += "file://sandbox-de-bashify.patch \
 DEPENDS += "libcap-ng libselinux"
 
 RDEPENDS_${PN} += "\
+python-core \
 python-math \
 python-shell \
 python-subprocess \
-- 
2.7.4



[yocto] [meta-security][PATCH] openscap: add runtime dependency on bash and python3-core

2019-08-22 Thread Yi Zhao
Fixes:
ERROR: QA Issue: /usr/bin/oscap-ssh contained in package openscap requires 
/bin/bash, but no providers found in RDEPENDS_openscap? [file-rdeps]
ERROR: QA Issue: /usr/bin/scap-as-rpm contained in package openscap requires 
/usr/bin/python3, but no providers found in RDEPENDS_openscap?  [file-rdeps]

Signed-off-by: Yi Zhao 
---
 meta-security-compliance/recipes-openscap/openscap/openscap.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index 53309e8..49e0855 100644
--- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -50,6 +50,6 @@ do_install_append_class-native () {
 
 FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
 
-RDEPENDS_${PN} += "libxml2 python3 libgcc"
+RDEPENDS_${PN} += "libxml2 python3-core libgcc bash"
 
 BBCLASSEXTEND = "native"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/2] selinux-python: add python-core as runtime dependency

2019-08-22 Thread Yi Zhao
Fix QA issues:
QA Issue: /usr/lib64/python2.7/site-packages/seobject.py contained in package 
selinux-python requires /usr/bin/python,
   but no providers found in RDEPENDS_selinux-python? [file-rdeps]
QA Issue: /usr/bin/audit2allow contained in package selinux-python-audit2allow 
requires /usr/bin/python,
   but no providers found in RDEPENDS_selinux-python-audit2allow? [file-rdeps]
QA Issue: /usr/bin/chcat contained in package selinux-python-chcat requires 
/usr/bin/python,
   but no providers found in RDEPENDS_selinux-python-chcat? [file-rdeps]

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-python.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-security/selinux/selinux-python.inc 
b/recipes-security/selinux/selinux-python.inc
index c774de4..57042ab 100644
--- a/recipes-security/selinux/selinux-python.inc
+++ b/recipes-security/selinux/selinux-python.inc
@@ -15,11 +15,13 @@ inherit python-dir
 
 DEPENDS += "python-native libsepol"
 RDEPENDS_${BPN}-audit2allow += "\
+python-core \
 python-textutils \
 libselinux-python \
 ${BPN}-sepolgen \
 "
 RDEPENDS_${BPN}-chcat += "\
+python-core \
 python-codecs \
 python-shell \
 python-stringold \
@@ -28,6 +30,7 @@ RDEPENDS_${BPN}-chcat += "\
 ${BPN} \
 "
 RDEPENDS_${BPN} += "\
+python-core \
 python-codecs \
 python-io \
 python-ipy \
-- 
2.7.4



[yocto] [meta-selinux][PATCH 2/2 V2] setools: do not use unstable github archive tarballs

2019-08-22 Thread Yi Zhao
From: Hongxu Jia 

Since commit [21f84fc insane: add sanity checks to SRC_URI] applied
in oe-core, do not use unstable github archive tarballs

SETools has moved from https://github.com/TresysTechnology/setools to
https://github.com/SELinuxProject/setools
See: https://github.com/TresysTechnology/setools/wiki

Signed-off-by: Hongxu Jia 
Signed-off-by: Yi Zhao 
---
 recipes-security/setools/setools_4.1.1.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-security/setools/setools_4.1.1.bb 
b/recipes-security/setools/setools_4.1.1.bb
index c5a2d34..db529f4 100644
--- a/recipes-security/setools/setools_4.1.1.bb
+++ b/recipes-security/setools/setools_4.1.1.bb
@@ -8,14 +8,14 @@ SETools."
 SECTION = "base"
 LICENSE = "GPLv2 & LGPLv2.1"
 
-SRC_URI = 
"https://github.com/TresysTechnology/setools/archive/${PV}.tar.gz;downloadfilename=setools-${PV}.tar.gz
 \
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.1 \
file://setools4-fixes-for-cross-compiling.patch \
file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \
file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \
 "
 
-SRC_URI[md5sum] = "54cf5c0ca2aa4ef7c6ac153981af34cd"
-SRC_URI[sha256sum] = 
"46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610"
+SRCREV = "e03617eb7ab5a035633bff66500b95d25232e331"
 
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \
 
file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-- 
2.7.4



[yocto] [meta-anaconda][PATCH] packagegroup-installer-x11-anaconda: use libsdl2 instead of libsdl

2019-08-20 Thread Yi Zhao
The libsdl had been moved out of oe-core because it is obsolete. Switch
to libsdl2.

Signed-off-by: Yi Zhao 
---
 recipes-installer/packagegroups/packagegroup-installer-x11-anaconda.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/recipes-installer/packagegroups/packagegroup-installer-x11-anaconda.bb 
b/recipes-installer/packagegroups/packagegroup-installer-x11-anaconda.bb
index 87c57c9..aa53809 100644
--- a/recipes-installer/packagegroups/packagegroup-installer-x11-anaconda.bb
+++ b/recipes-installer/packagegroups/packagegroup-installer-x11-anaconda.bb
@@ -18,7 +18,7 @@ RDEPENDS_packagegroup-installer-x11-anaconda = "\
 xset \
 settings-daemon \
 xrandr \
-libsdl \
+libsdl2 \
 metacity \
 adwaita-icon-theme \
 pango \
-- 
2.7.4



[yocto] [meta-security][PATCH] openscap: fix scap-security-guide build error

2019-08-15 Thread Yi Zhao
Building scap-security-guide fails when openscap-native is taken from the
sstate cache.

Steps to reproduce:
Create a new build project:
$ bitbake openscap-native
$ bitbake openscap-native -c clean
$ bitbake scap-security-guide

Error message:
OpenSCAP Error: Schema file 'xccdf/1.1/xccdf-schema.xsd' not found in path
'/buildarea/build/tmp/work-shared/openscap/oscap-build-artifacts/usr/share/openscap/schemas'
when trying to validate
'/buildarea/build/tmp/work/core2-64-poky-linux/scap-security-guide/0.1.44+gitAUTOINC+5fdfdcb2e9-r0/git/build/chromium/xccdf-unlinked-resolved.xml'
[/buildarea/build/tmp/work/x86_64-linux/openscap-native/1.3.1+gitAUTOINC+4bbdb46ff6-r0/git/src/source/validate.c:104]
Invalid XCCDF Checklist (1.1) content in
/buildarea/build/tmp/work/core2-64-poky-linux/scap-security-guide/0.1.44+gitAUTOINC+5fdfdcb2e9-r0/git/build/chromium/xccdf-unlinked-resolved.xml.
[/buildarea/build/tmp/work/x86_64-linux/openscap-native/1.3.1+gitAUTOINC+4bbdb46ff6-r0/git/src/source/oscap_source.c:346]
chromium/CMakeFiles/generate-internal-chromium-xccdf-unlinked-resolved.xml.dir/build.make:63:
 recipe for target 'chromium/xccdf-unlinked-resolved.xml' failed

When using sstate cache, the openscap-native doesn't install the
artifacts to work-shared/openscap/oscap-build-artifacts when prepare
recipe sysroot for scap-security-guide.

Set do_install[nostamp] to 1 to ensure the openscap-native artifacts
are installed to work-shared/openscap/oscap-build-artifacts even if
using sstate cache.

Signed-off-by: Yi Zhao 
---
 meta-security-compliance/recipes-openscap/openscap/openscap.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index 53309e8..07d9700 100644
--- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -41,6 +41,7 @@ do_configure_append_class-native () {
 }
 
 do_clean[cleandirs] += "${STAGING_OSCAP_BUILDDIR}"
+do_install[nostamp] = "1"
 
 do_install_append_class-native () {
 oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
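Review bot: `do_install[nostamp] = "1"` is added without a comment and without a class restriction, while the function that writes to `${STAGING_OSCAP_BUILDDIR}` is `do_install_append_class-native`. As written, the target recipe's do_install would presumably also re-run on every build, along with the tasks that depend on it. A comment such as `# re-run do_install so the artifacts in ${STAGING_OSCAP_BUILDDIR} exist even when openscap-native is restored from sstate` would record why the flag is there. If only the native variant needs it, limiting the flag to that variant would avoid the extra rebuilds; the body of `do_install_append_class-native` continues outside the hunk.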
-- 
2.7.4



[yocto] [meta-selinux][PATCH] libselinux: fix build with glibc 2.30

2019-08-09 Thread Yi Zhao
Fix build error:
procattr.c:27:14: error: static declaration of 'gettid' follows
non-static declaration
   27 | static pid_t gettid(void)
  |  ^~
In file included from 
/buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/unistd.h:1170,
 from procattr.c:2:
/buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/bits/unistd_ext.h:34:16:
note: previous declaration of 'gettid' was here
   34 | extern __pid_t gettid (void) __THROW;
  |^~

Signed-off-by: Yi Zhao 
---
 ...Do-not-define-gettid-if-glibc-2.30-is-use.patch | 60 ++
 recipes-security/selinux/libselinux_2.8.bb |  1 +
 2 files changed, 61 insertions(+)
 create mode 100644 
recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch

diff --git 
a/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
 
b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
new file mode 100644
index 000..fc3e37e
--- /dev/null
+++ 
b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
@@ -0,0 +1,60 @@
+From 2c672b4cc39fbddb6faec2c7434832058f339d59 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach 
+Date: Mon, 11 Mar 2019 16:00:41 +0100
+Subject: [PATCH] libselinux: Do not define gettid() if glibc >= 2.30 is used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since version 2.30 glibc implements gettid() system call wrapper, see
+https://sourceware.org/bugzilla/show_bug.cgi?id=6399
+
+Fixes:
+cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong 
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic 
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection 
-I../include -D_GNU_SOURCE  -DNO_ANDROID_BACKEND   -c -o procattr.o procattr.c
+procattr.c:28:14: error: static declaration of ‘gettid’ follows non-static 
declaration
+   28 | static pid_t gettid(void)
+  |  ^~
+In file included from /usr/include/unistd.h:1170,
+ from procattr.c:2:
+/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ 
was here
+   34 | extern __pid_t gettid (void) __THROW;
+  |^~
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/selinux/commit/707e4b8610733b5c9eaac0f00239778f3edb23c2]
+
+Signed-off-by: Petr Lautrbach 
+Signed-off-by: Yi Zhao 
+---
+ src/procattr.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/procattr.c b/src/procattr.c
+index 8bf8432..3c7b87f 100644
+--- a/src/procattr.c
 b/src/procattr.c
+@@ -22,8 +22,19 @@ static pthread_key_t destructor_key;
+ static int destructor_key_initialized = 0;
+ static __thread char destructor_initialized;
+ 
+-#ifndef __BIONIC__
+-/* Bionic declares this in unistd.h and has a definition for it */
++/* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h 
and
++ * has a definition for it */
++#ifdef __BIONIC__
++  #define OVERRIDE_GETTID 0
++#elif !defined(__GLIBC_PREREQ)
++  #define OVERRIDE_GETTID 1
++#elif !__GLIBC_PREREQ(2,30)
++  #define OVERRIDE_GETTID 1
++#else
++  #define OVERRIDE_GETTID 0
++#endif
++
++#if OVERRIDE_GETTID
+ static pid_t gettid(void)
+ {
+   return syscall(__NR_gettid);
+-- 
+2.7.4
+
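Review bot: The `#elif !defined(__GLIBC_PREREQ)` branch sets `OVERRIDE_GETTID 1` for every libc that is neither Bionic nor glibc, so a build against another libc whose unistd.h declares gettid() would fail with the same static-declaration error this patch fixes. That behaviour comes from the upstream commit, so the backport itself should stay byte-identical; a line in the patch header such as `Note: non-glibc toolchains still get the local gettid() definition.` would record the limit for whoever hits it next. The embedded hunk ends inside the gettid() body, so the closing `#endif` is not visible here.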
diff --git a/recipes-security/selinux/libselinux_2.8.bb 
b/recipes-security/selinux/libselinux_2.8.bb
index 5de4607..7545967 100644
--- a/recipes-security/selinux/libselinux_2.8.bb
+++ b/recipes-security/selinux/libselinux_2.8.bb
@@ -12,4 +12,5 @@ SRC_URI += "\
 file://libselinux-make-SOCK_CLOEXEC-optional.patch \
 file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
 file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
+file://0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch 
\
 "
-- 
2.7.4



[yocto] [meta-security][PATCH] xmlsec1: upgrade 1.2.27 -> 1.2.28

2019-08-08 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/xmlsec1/{xmlsec1_1.2.27.bb => xmlsec1_1.2.28.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename recipes-security/xmlsec1/{xmlsec1_1.2.27.bb => xmlsec1_1.2.28.bb} (93%)

diff --git a/recipes-security/xmlsec1/xmlsec1_1.2.27.bb 
b/recipes-security/xmlsec1/xmlsec1_1.2.28.bb
similarity index 93%
rename from recipes-security/xmlsec1/xmlsec1_1.2.27.bb
rename to recipes-security/xmlsec1/xmlsec1_1.2.28.bb
index eac8d6b..0a4c56a 100644
--- a/recipes-security/xmlsec1/xmlsec1_1.2.27.bb
+++ b/recipes-security/xmlsec1/xmlsec1_1.2.28.bb
@@ -20,8 +20,8 @@ SRC_URI = 
"http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \
 file://run-ptest \
 "
 
-SRC_URI[md5sum] = "508bee7e4f1b99f2d50aaa7d38ede56e"
-SRC_URI[sha256sum] = 
"97d756bad8e92588e6997d2227797eaa900d05e34a426829b149f65d87118eb6"
+SRC_URI[md5sum] = "69b8d95c009a404462e19f335e650241"
+SRC_URI[sha256sum] = 
"13eec4811ea30e3f0e16a734d1dbf7f9d246a71d540b48d143a07b489f6222d4"
 
 inherit autotools-brokensep ptest pkgconfig
 
-- 
2.7.4



[yocto] [meta-security][PATCH 2/2] scap-security-guide: fix typo

2019-08-04 Thread Yi Zhao
Fix typo: RDEPNEDS_${PN} -> RDEPENDS_${PN}

Signed-off-by: Yi Zhao 
---
 .../recipes-openscap/scap-security-guide/scap-security-guide.inc| 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index d123561..341721a 100644
--- 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
 LICENSE = "LGPL-2.1"
 
 DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native 
libxml2-native"
-RDEPNEDS_${PN} = "openscap"
+RDEPENDS_${PN} = "openscap"
 
 S = "${WORKDIR}/git"
 
-- 
2.7.4



[yocto] [meta-security][PATCH 1/2] openscap: cleanup DEPENDS

2019-08-04 Thread Yi Zhao
Remove autoconf-archive from DEPENDS because the recipe now builds with
CMake/Ninja. Also remove the unused dpkg-native dependency from
DEPENDS_class-native.

Signed-off-by: Yi Zhao 
---
 meta-security-compliance/recipes-openscap/openscap/openscap.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index f23ea99..53309e8 100644
--- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -6,8 +6,8 @@ HOME_URL = "https://www.open-scap.org/tools/openscap-base/;
 LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
 LICENSE = "LGPL-2.1"
 
-DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 
libxslt libcap swig"
-DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native 
curl-native libxml2-native libxslt-native libcap-native dpkg-native"
+DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap 
swig"
+DEPENDS_class-native = "pkgconfig-native swig-native curl-native 
libxml2-native libxslt-native libcap-native"
 
 S = "${WORKDIR}/git"
 
-- 
2.7.4



[yocto] [meta-security][PATCH 1/2 V2] openscap: update recipe

2019-07-29 Thread Yi Zhao
* Add PACKAGECONFIG for gcrypt, nss3 and selinux
* Use EXTRA_OECMAKE rather than EXTRA_OECONF
* Set CMAKE_SKIP_RPATH and CMAKE_SKIP_INSTALL_RPATH instead of chrpath
* Remove ptest since there are many host contamination issues on target.
  We will add it back when these issues are solved.
* Drop the unused patch
* Add PV
* Clean up DEPENDS

Signed-off-by: Yi Zhao 
---
 .../openscap/files/probe_dir_fixup.patch   | 17 --
 .../recipes-openscap/openscap/files/run-ptest  |  3 -
 .../recipes-openscap/openscap/openscap.inc | 67 --
 .../recipes-openscap/openscap/openscap_1.3.1.bb|  1 -
 .../recipes-openscap/openscap/openscap_git.bb  |  3 +-
 5 files changed, 25 insertions(+), 66 deletions(-)
 delete mode 100644 
meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
 delete mode 100644 
meta-security-compliance/recipes-openscap/openscap/files/run-ptest

diff --git 
a/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
 
b/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
deleted file mode 100644
index ecbe602..000
--- 
a/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: git/configure.ac
-===
 git.orig/configure.ac
-+++ git/configure.ac
-@@ -1109,11 +1109,7 @@ AC_ARG_WITH([crypto],
-  [],
-  [crypto=gcrypt])
- 
--if test "x${libexecdir}" = xNONE; then
--  probe_dir="/usr/local/libexec/openscap"
--else
--  EXPAND_DIR(probe_dir,"${libexecdir}/openscap")
--fi
-+probe_dir="/usr/local/libexec/openscap"
- 
- AC_SUBST(probe_dir)
- 
diff --git a/meta-security-compliance/recipes-openscap/openscap/files/run-ptest 
b/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
deleted file mode 100644
index 454a6a3..000
--- a/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-cd tests
-make -k check
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index e5daaf8..5a66d5e 100644
--- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -6,71 +6,50 @@ HOME_URL = "https://www.open-scap.org/tools/openscap-base/;
 LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
 LICENSE = "LGPL-2.1"
 
-DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 
libxslt libcap swig libgcrypt chrpath-replacement-native "
-
-DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native 
curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native 
nss-native"
+DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap 
swig"
+DEPENDS_class-native = "pkgconfig-native swig-native curl-native 
libxml2-native libxslt-native libcap-native"
 
 S = "${WORKDIR}/git"
 
-inherit cmake pkgconfig python3native perlnative ptest
-
-PACKAGECONFIG ?= "python3 rpm perl"
-PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=True, , python3, python3"
-PACKAGECONFIG[perl] = "-DENABLE_PERL=True,, perl, perl"
-PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=True, ,rpm, rpm"
-
-EXTRA_OECONF += "-DENABLE_PROBES_INDEPENDENT=yes -DENABLE_PROBES_LINUX=yes 
-DWITH_CRYPTO=gcrypt\
-   -DENABLE_PROBES_SOLARIS=yes -DENABLE_PROBES_UNIX=yes  
-DENABLE_TESTS=no \
-   -DENABLE_OSCAP_UTIL_SSH=yes -DENABLE_OSCAP_UTIL=yes 
-DENABLE_SCE=yes \
--DENABLE_OSCAP_UTIL_DOCKER=no \
-"
-
+inherit cmake pkgconfig python3native perlnative
+
+PACKAGECONFIG ?= "python3 rpm perl gcrypt 
${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3"
+PACKAGECONFIG[perl] = "-DENABLE_PERL=ON, ,perl, perl"
+PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm"
+PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt"
+PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss"
+PACKAGECONFIG[selinux] = ", ,libselinux"
+
+EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \
+  -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \
+  -DENABLE_OSCAP_UTIL=ON -DENABLE_OSCAP_UTIL_SSH=ON \
+  -DENABLE_OSCAP_UTIL_DOCKER=OFF 
-DENABLE_OSCAP_UTIL_CHROOT=OFF \
+  -DENABLE_OSCAP_UTIL_PODMAN=OFF -DENABLE_OSCAP_UTIL_VM=OFF \
+  -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \
+  -DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS
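Review bot: `PACKAGECONFIG[gcrypt]` and `PACKAGECONFIG[nss3]` each pass their own `-DWITH_CRYPTO=` value, and nothing here stops both from being enabled, in which case the crypto backend is decided by argument order rather than by the person configuring the image. If the OE-core release in use supports the conflicts field of PACKAGECONFIG, declare the two as mutually exclusive, e.g. `PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt, , ,nss3"` and the mirror image for nss3. `PACKAGECONFIG[selinux] = ", ,libselinux"` passes no flag in either state, so whether SELinux support is compiled in appears to rest on CMake auto-detection. The hunk is cut off on this page after `-DENABLE_TESTS`, so the rest of the new EXTRA_OECMAKE is not reviewed; the earlier posting of this patch further down has the same lines.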

[yocto] [meta-security][PATCH 2/2 V2] scap-security-guide: update recipe

2019-07-29 Thread Yi Zhao
* Set B="${S}/build" to fix the build failure for out of source
  directory
* Remove do_compile and do_install. Use the default functions from
  cmake.bbclass.
* Install the artifacts to /usr/share rather than /usr/local/share

Signed-off-by: Yi Zhao 
---
 .../scap-security-guide/scap-security-guide.inc| 28 +-
 .../scap-security-guide/scap-security-guide_git.bb |  6 +
 2 files changed, 7 insertions(+), 27 deletions(-)

diff --git 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index ed70c18..341721a 100644
--- 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
 LICENSE = "LGPL-2.1"
 
 DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native 
libxml2-native"
+RDEPENDS_${PN} = "openscap"
 
 S = "${WORKDIR}/git"
 
@@ -20,28 +21,11 @@ OECMAKE_GENERATOR = "Unix Makefiles"
 
 EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF"
 
-do_configure_prepend () {
-   sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g'   
${S}/CMakeLists.txt
-sed -i 
's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' 
${S}/cmake/SSGCommon.cmake
-}
-
-do_compile () {
-   cd ${S}/build
-   cmake ../
-   # oddly rhel7 needs to build first
-   make rhel7
-}
+B = "${S}/build"
 
-do_install () {
-   cd ${S}/build
-   make DESTDIR=${D} install
+do_configure_prepend () {
+sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
+sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' 
${S}/CMakeLists.txt
 }
 
-localdatadir = "${prefix}/local/share"
-localmandir = "${localdatadir}/man"
-localdocdir = "${localdatadir}/doc"
-localxmldir = "${localdatadir}/xml"
-
-FILES_${PN} += "${localdatadir} ${localxmldir}"
-FILES_${PN}-doc += "${localmandir} ${localdocdir}"
-RDEPNEDS_${PN} = "openscap"
+FILES_${PN} += "${datadir}/xml"
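Review bot: The new `do_configure_prepend` edits `${S}/CMakeLists.txt` in place with no comment saying why the `sed` and `grep` lookups are redirected to `${HOSTTOOLS_DIR}`; a line above the two seds such as `# make CMake resolve sed/grep from HOSTTOOLS_DIR instead of searching the build host` would record the intent, which is inferred here from the substitution. The hunk also drops the rewrite of `/usr/share/openscap/` in `cmake/SSGCommon.cmake`, and the commit message does not mention it. If that file still refers to the absolute path, the content build would read SCAP schemas and stylesheets from the build host rather than from `${STAGING_OSCAP_BUILDDIR}`, so it is worth confirming and stating in the message why the rewrite is no longer needed. The earlier posting of this patch further down has the same hunk.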
diff --git 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
index cb21fed..d9238c0 100644
--- 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
+++ 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
@@ -2,12 +2,8 @@ SUMARRY = "SCAP content for various platforms, OE changes"
 
 SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed"
 SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;"
-PV = "v0.1.44+git${SRCPV}"
+PV = "0.1.44+git${SRCPV}"
 
 require scap-security-guide.inc
 
-do_compile_append () {
-make openembedded
-}
-
 EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON"
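Review bot: `SUMARRY`, visible in this hunk's `@@` header, is a misspelling of `SUMMARY`, so BitBake treats it as an unrelated variable and the recipe summary is never set from it. V2 of this series already corrects `RDEPNEDS_${PN}`; the same one-word fix applies here: `SUMMARY = "SCAP content for various platforms, OE changes"`. The assignment itself sits above the hunk, and the same spelling appears in the openscap_1.3.1.bb and openscap_git.bb hunks quoted later on this page.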
-- 
2.7.4



[yocto] [meta-security][PATCH 0/2 V2] openscap/scap-security-guide: update recipes

2019-07-29 Thread Yi Zhao
Changes from V1:

openscap: Clean up DEPENDS. Remove autoconf-archive and dpkg-native from 
DEPENDS because we are using CMake/Ninja now
scap-security-guide: Fix typo: RDEPNEDS_${PN} -> RDEPENDS_${PN}

Yi Zhao (2):
  openscap: update recipe
  scap-security-guide: update recipe

 .../openscap/files/probe_dir_fixup.patch   | 17 --
 .../recipes-openscap/openscap/files/run-ptest  |  3 -
 .../recipes-openscap/openscap/openscap.inc | 67 --
 .../recipes-openscap/openscap/openscap_1.3.1.bb|  1 -
 .../recipes-openscap/openscap/openscap_git.bb  |  3 +-
 .../scap-security-guide/scap-security-guide.inc| 28 ++---
 .../scap-security-guide/scap-security-guide_git.bb |  6 +-
 7 files changed, 32 insertions(+), 93 deletions(-)
 delete mode 100644 
meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
 delete mode 100644 
meta-security-compliance/recipes-openscap/openscap/files/run-ptest

-- 
2.7.4



[yocto] [meta-security][PATCH 1/2] openscap: update recipe

2019-07-25 Thread Yi Zhao
* Add PACKAGECONFIG for gcrypt, nss3 and selinux
* Use EXTRA_OECMAKE rather than EXTRA_OECONF
* Set CMAKE_SKIP_RPATH and CMAKE_SKIP_INSTALL_RPATH instead of chrpath
* Remove ptest since there are many host contamination issues on target.
  We will add it back when these issues are solved.
* Drop the unused patch
* Add PV

Signed-off-by: Yi Zhao 
---
 .../openscap/files/probe_dir_fixup.patch   | 17 -
 .../recipes-openscap/openscap/files/run-ptest  |  3 -
 .../recipes-openscap/openscap/openscap.inc | 77 --
 .../recipes-openscap/openscap/openscap_1.3.1.bb|  1 -
 .../recipes-openscap/openscap/openscap_git.bb  |  3 +-
 5 files changed, 30 insertions(+), 71 deletions(-)
 delete mode 100644 
meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
 delete mode 100644 
meta-security-compliance/recipes-openscap/openscap/files/run-ptest

diff --git 
a/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
 
b/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
deleted file mode 100644
index ecbe602..000
--- 
a/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: git/configure.ac
-===
 git.orig/configure.ac
-+++ git/configure.ac
-@@ -1109,11 +1109,7 @@ AC_ARG_WITH([crypto],
-  [],
-  [crypto=gcrypt])
- 
--if test "x${libexecdir}" = xNONE; then
--  probe_dir="/usr/local/libexec/openscap"
--else
--  EXPAND_DIR(probe_dir,"${libexecdir}/openscap")
--fi
-+probe_dir="/usr/local/libexec/openscap"
- 
- AC_SUBST(probe_dir)
- 
diff --git a/meta-security-compliance/recipes-openscap/openscap/files/run-ptest 
b/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
deleted file mode 100644
index 454a6a3..000
--- a/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-cd tests
-make -k check
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index e5daaf8..f23ea99 100644
--- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -6,71 +6,50 @@ HOME_URL = "https://www.open-scap.org/tools/openscap-base/;
 LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
 LICENSE = "LGPL-2.1"
 
-DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 
libxslt libcap swig libgcrypt chrpath-replacement-native "
-
-DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native 
curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native 
nss-native"
+DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf procps curl libxml2 
libxslt libcap swig"
+DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native 
curl-native libxml2-native libxslt-native libcap-native dpkg-native"
 
 S = "${WORKDIR}/git"
 
-inherit cmake pkgconfig python3native perlnative ptest
-
-PACKAGECONFIG ?= "python3 rpm perl"
-PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=True, , python3, python3"
-PACKAGECONFIG[perl] = "-DENABLE_PERL=True,, perl, perl"
-PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=True, ,rpm, rpm"
-
-EXTRA_OECONF += "-DENABLE_PROBES_INDEPENDENT=yes -DENABLE_PROBES_LINUX=yes 
-DWITH_CRYPTO=gcrypt\
-   -DENABLE_PROBES_SOLARIS=yes -DENABLE_PROBES_UNIX=yes  
-DENABLE_TESTS=no \
-   -DENABLE_OSCAP_UTIL_SSH=yes -DENABLE_OSCAP_UTIL=yes 
-DENABLE_SCE=yes \
--DENABLE_OSCAP_UTIL_DOCKER=no \
-"
-
+inherit cmake pkgconfig python3native perlnative
+
+PACKAGECONFIG ?= "python3 rpm perl gcrypt 
${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3"
+PACKAGECONFIG[perl] = "-DENABLE_PERL=ON, ,perl, perl"
+PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm"
+PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt"
+PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss"
+PACKAGECONFIG[selinux] = ", ,libselinux"
+
+EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \
+  -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \
+  -DENABLE_OSCAP_UTIL=ON -DENABLE_OSCAP_UTIL_SSH=ON \
+  -DENABLE_OSCAP_UTIL_DOCKER=OFF 
-DENABLE_OSCAP_UTIL_CHROOT=OFF \
+  -DENABLE_OSCAP_UTIL_PODMAN=OFF -DENABLE_OSCAP_UTIL_VM=OFF \
+  -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \
+  -DENABLE_SCE=ON -DENA

[yocto] [meta-security][PATCH 2/2] scap-security-guide: update recipe

2019-07-25 Thread Yi Zhao
* Set B="${S}/build" to fix the build failure for out of source
  directory
* Remove do_compile and do_install. Use the default functions from
  cmake.bbclass.
* Install the artifacts to /usr/share rather than /usr/local/share

Signed-off-by: Yi Zhao 
---
 .../scap-security-guide/scap-security-guide.inc| 28 +-
 .../scap-security-guide/scap-security-guide_git.bb |  6 +
 2 files changed, 7 insertions(+), 27 deletions(-)

diff --git 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index ed70c18..d123561 100644
--- 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=97662e4486d9a1d09f358851d9f41a1a"
 LICENSE = "LGPL-2.1"
 
 DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native 
libxml2-native"
+RDEPNEDS_${PN} = "openscap"
 
 S = "${WORKDIR}/git"
 
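Review bot: The added `RDEPNEDS_${PN} = "openscap"` is misspelled, so BitBake sets an unused variable and the package gets no runtime dependency on openscap. It should read `RDEPENDS_${PN} = "openscap"`, which is what the V2 posting of this patch uses. The same misspelled line is what the second hunk removes from the end of the file, so the typo was carried over rather than introduced.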
@@ -20,28 +21,11 @@ OECMAKE_GENERATOR = "Unix Makefiles"
 
 EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF"
 
-do_configure_prepend () {
-   sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g'   
${S}/CMakeLists.txt
-sed -i 
's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' 
${S}/cmake/SSGCommon.cmake
-}
-
-do_compile () {
-   cd ${S}/build
-   cmake ../
-   # oddly rhel7 needs to build first
-   make rhel7
-}
+B = "${S}/build"
 
-do_install () {
-   cd ${S}/build
-   make DESTDIR=${D} install
+do_configure_prepend () {
+sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt
+sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' 
${S}/CMakeLists.txt
 }
 
-localdatadir = "${prefix}/local/share"
-localmandir = "${localdatadir}/man"
-localdocdir = "${localdatadir}/doc"
-localxmldir = "${localdatadir}/xml"
-
-FILES_${PN} += "${localdatadir} ${localxmldir}"
-FILES_${PN}-doc += "${localmandir} ${localdocdir}"
-RDEPNEDS_${PN} = "openscap"
+FILES_${PN} += "${datadir}/xml"
diff --git 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
index cb21fed..d9238c0 100644
--- 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
+++ 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
@@ -2,12 +2,8 @@ SUMARRY = "SCAP content for various platforms, OE changes"
 
 SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed"
 SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;"
-PV = "v0.1.44+git${SRCPV}"
+PV = "0.1.44+git${SRCPV}"
 
 require scap-security-guide.inc
 
-do_compile_append () {
-make openembedded
-}
-
 EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENEMBEDDED=ON"
-- 
2.7.4



Re: [yocto] PREMIRROR

2019-07-24 Thread Yi Zhao


On 7/24/19 4:49 AM, Russell Peterson wrote:

Hello,

I am looking to have bitbake pick up files for a particular recipe 
from a local git repository using the PREMIRROR functionality.


Basically, the recipe (bb file) points to github but in my local build 
I add PREMIRROR_prepend = "git://.*/.* 
git:///local/path/BASENAME;protocol=file\n"


I will probably make the git regular expression more exact for my 
specific github repo but this works for now.


This all works (as I deleted the github download from the local 
download directory) because I can see in the do_fetch log and the 
correct (local) repo was found and placed in the DL_DIR.


Problem is, do_unpack fails because it appears to be looking for the 
original (github) SRC_URI.  Then it complains about "no up to date 
source found: clone or directory not available or not up to date 
(shallow clone not enabled)"



Maybe you can use BB_GENERATE_MIRROR_TARBALLS to generate a tarball of the 
git repository and put it on your download mirror.


See: 
https://www.yoctoproject.org/docs/latest/mega-manual/mega-manual.html#var-bb-BB_GENERATE_MIRROR_TARBALLS


    and

https://www.yoctoproject.org/docs/latest/mega-manual/mega-manual.html#var-DL_DIR


Regards,

Yi




Any help on what I am missing would be appreciated.

Regards,

Russell





Re: [yocto] [meta-security-compliance][PATCH 2/4] openscap: add 1.3.1 recipes for upstream source

2019-07-23 Thread Yi Zhao



On 7/23/19 2:38 PM, Akuster808 wrote:



On Jul 23, 2019, at 02:51, Yi Zhao  wrote:

Hi Armin,


I got the following error when building openscap:

ERROR: openscap-git-r0 do_compile_ptest_base: Function failed: 
do_compile_ptest_base (log file is located at 
/buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146)
ERROR: Logfile of failure stored in: 
/buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146
Log data follows:
| DEBUG: Executing shell function do_compile_ptest_base
| 
/buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/run.do_compile_ptest_base.329146:
 line 108: oe-runcmake: command not found
| WARNING: 
/buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/run.do_compile_ptest_base.329146:1
 exit 127 from 'oe-runcmake tests'
| ERROR: Function failed: do_compile_ptest_base (log file is located at 
/buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146)

That's not good. I thought I had run through this code path.

I am traveling the next  2 weeks so i am not sure how quickly I can address 
this issue.



That's OK. Thanks.


//Yi



Armin


//Yi



On 7/7/19 7:32 AM, Armin Kuster wrote:
Signed-off-by: Armin Kuster 
---
  .../recipes-openscap/openscap/openscap.inc| 11 +--
  .../recipes-openscap/openscap/openscap_1.3.1.bb   | 10 ++
  .../recipes-openscap/openscap/openscap_git.bb |  4 ++--
  3 files changed, 17 insertions(+), 8 deletions(-)
  create mode 100644 
meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb

diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index 4c1f206..e5daaf8 100644
--- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -10,10 +10,10 @@ DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf 
procps curl libxml2 l
DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native 
curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native"
  -inherit cmake pkgconfig python3native perlnative ptest
-
  S = "${WORKDIR}/git"
  +inherit cmake pkgconfig python3native perlnative ptest
+
  PACKAGECONFIG ?= "python3 rpm perl"
  PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=True, , python3, python3"
  PACKAGECONFIG[perl] = "-DENABLE_PERL=True,, perl, perl"
@@ -25,7 +25,6 @@ EXTRA_OECONF += "-DENABLE_PROBES_INDEPENDENT=yes 
-DENABLE_PROBES_LINUX=yes -DWIT
  -DENABLE_OSCAP_UTIL_DOCKER=no \
  "
  -EXTRA_OECONF_class-native += "-DENABLE_PROBES=True"
STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source"
  STAGING_OSCAP_BUILDDIR = 
"${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
@@ -33,9 +32,9 @@ STAGING_OSCAP_BUILDDIR = 
"${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
  EXTRANATIVEPATH += "chrpath-native"
do_configure_append_class-native () {
-sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h
-sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h
-sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h
+sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h
+sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h
+sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h
  }
do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
diff --git 
a/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb 
b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb
new file mode 100644
index 000..c29fd42
--- /dev/null
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb
@@ -0,0 +1,10 @@
+SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+
+require openscap.inc
+
+SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc"
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \
+   file://run-ptest \
+"
+
+DEFAULT_PREFERENCE = "-1"
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb 
b/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
index 3dfa99e..aded920 100644

Re: [yocto] [meta-security-compliance][PATCH 2/4] openscap: add 1.3.1 recipes for upstream source

2019-07-22 Thread Yi Zhao

Hi Armin,


I got the following error when building openscap:

ERROR: openscap-git-r0 do_compile_ptest_base: Function failed: 
do_compile_ptest_base (log file is located at 
/buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146)
ERROR: Logfile of failure stored in: 
/buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146

Log data follows:
| DEBUG: Executing shell function do_compile_ptest_base
| 
/buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/run.do_compile_ptest_base.329146: 
line 108: oe-runcmake: command not found
| WARNING: 
/buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/run.do_compile_ptest_base.329146:1 
exit 127 from 'oe-runcmake tests'
| ERROR: Function failed: do_compile_ptest_base (log file is located at 
/buildarea/build/tmp/work/core2-64-poky-linux/openscap/git-r0/temp/log.do_compile_ptest_base.329146)



//Yi


On 7/7/19 7:32 AM, Armin Kuster wrote:

Signed-off-by: Armin Kuster 
---
  .../recipes-openscap/openscap/openscap.inc| 11 +--
  .../recipes-openscap/openscap/openscap_1.3.1.bb   | 10 ++
  .../recipes-openscap/openscap/openscap_git.bb |  4 ++--
  3 files changed, 17 insertions(+), 8 deletions(-)
  create mode 100644 
meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb

diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc 
b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index 4c1f206..e5daaf8 100644
--- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -10,10 +10,10 @@ DEPENDS = "autoconf-archive dbus acl bzip2 pkgconfig gconf 
procps curl libxml2 l
  
  DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native"
  
-inherit cmake pkgconfig python3native perlnative ptest

-
  S = "${WORKDIR}/git"
  
+inherit cmake pkgconfig python3native perlnative ptest

+
  PACKAGECONFIG ?= "python3 rpm perl"
  PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=True, , python3, python3"
  PACKAGECONFIG[perl] = "-DENABLE_PERL=True,, perl, perl"
@@ -25,7 +25,6 @@ EXTRA_OECONF += "-DENABLE_PROBES_INDEPENDENT=yes 
-DENABLE_PROBES_LINUX=yes -DWIT
  -DENABLE_OSCAP_UTIL_DOCKER=no \
  "
  
-EXTRA_OECONF_class-native += "-DENABLE_PROBES=True"
  
  STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source"

  STAGING_OSCAP_BUILDDIR = 
"${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
@@ -33,9 +32,9 @@ STAGING_OSCAP_BUILDDIR = 
"${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
  EXTRANATIVEPATH += "chrpath-native"
  
  do_configure_append_class-native () {

-   sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h
-   sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h
-   sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h
+   sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h
+   sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h
+   sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH 
"${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h
  }
  
  do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
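Review bot: The three `sed -i` lines in `do_configure_append_class-native` exit 0 even when no `OSCAP_DEFAULT_*_PATH` line is found in `${B}/config.h`, so a change in how that header is generated would leave the native `oscap` on its built-in default paths without any build error. Those defaults presumably point at host directories, which would make the native tool read CPE, schema and XSLT content from the build host. A check after the last sed would turn this into a hard failure, for example `grep -q 'OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}' ${B}/config.h || bbfatal "config.h default paths were not rewritten"`.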

diff --git 
a/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb 
b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb
new file mode 100644
index 000..c29fd42
--- /dev/null
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap_1.3.1.bb
@@ -0,0 +1,10 @@
+SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+
+require openscap.inc
+
+SRCREV = "3a4c635691380fa990a226acc8558db35d7ebabc"
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3 \
+   file://run-ptest \
+"
+
+DEFAULT_PREFERENCE = "-1"
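Review bot: `SUMARRY` on the first added line is a misspelling of `SUMMARY`, so BitBake sets an unused variable and the recipe keeps its default summary; the line should read `SUMMARY = "NIST Certified SCAP 1.2 toolkit"` (openscap_git.bb carries the same spelling as context). The `SRC_URI` also fetches over plain `git://`, which is neither encrypted nor authenticated. The pinned `SRCREV` limits what a tampered transfer can introduce, but adding `;protocol=https` after `branch=maint-1.3` removes the reliance on that transport.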
diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb 
b/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
index 3dfa99e..aded920 100644
--- a/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap_git.bb
@@ -3,9 +3,9 @@
  
  SUMARRY = "NIST Certified SCAP 1.2 toolkit with OE changes"
  
+include openscap.inc

+
  SRCREV = "4bbdb46ff651f809d5b38ca08d769790c4bfff90"
  SRC_URI = "git://github.com/akuster/openscap.git;branch=oe-1.3 \
 file://run-ptest \
  "
-
-include openscap.inc

--

[yocto] [meta-cgl][PATCH 3/3] libhtml-tagset-perl: remove recipe

2019-06-26 Thread Yi Zhao
The libhtml-tagset-perl recipe was added to meta-perl layer with commit:
4058e65f3c4e17ad04423f4c9edf8607fe6fdb4f
We can drop this duplicate recipe.

Signed-off-by: Yi Zhao 
---
 .../recipes-perl/perl/libhtml-tagset-perl_3.20.bb   | 17 -
 1 file changed, 17 deletions(-)
 delete mode 100644 
meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb

diff --git a/meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb 
b/meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb
deleted file mode 100644
index 2765cd2..000
--- a/meta-cgl-common/recipes-perl/perl/libhtml-tagset-perl_3.20.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-DESCRIPTION = "HTML Tagset bits."
-HOMEPAGE = "http://search.cpan.org/dist/HTML-Tagset/;
-SECTION = "libs"
-LICENSE = "Artistic-1.0 | GPL-1.0+"
-LIC_FILES_CHKSUM = 
"file://README;beginline=60;md5=16ddda2d845a5546f615e6b122d1dbad"
-PR = "r4"
-
-SRC_URI = 
"http://search.cpan.org/CPAN/authors/id/P/PE/PETDANCE/HTML-Tagset-${PV}.tar.gz;
-
-S = "${WORKDIR}/HTML-Tagset-${PV}"
-
-inherit cpan
-
-BBCLASSEXTEND="native"
-
-SRC_URI[md5sum] = "d2bfa18fe1904df7f683e96611e87437"
-SRC_URI[sha256sum] = 
"adb17dac9e36cd011f5243881c9739417fd102fce760f8de4e9be4c7131108e2"
-- 
2.7.4



[yocto] [meta-cgl][PATCH 2/3] packagegroup-cgl-applications: only install libpam and pam-passwdqc if pam distro flag set

2019-06-26 Thread Yi Zhao
Fix build error when pam distro flag is not set:

$ bitbake packagegroup-cgl-applications
ERROR: Nothing RPROVIDES 'pam-passwdqc' (but
/buildarea/poky/meta-cgl/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
RDEPENDS on or otherwise requires it)
ERROR: Nothing RPROVIDES 'libpam' (but
/buildarea/poky/meta-cgl/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
RDEPENDS on or otherwise requires it)

Signed-off-by: Yi Zhao 
---
 meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb 
b/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
index 5e7170d..6b7a630 100644
--- a/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
+++ b/meta-cgl-common/packagegroups/packagegroup-cgl-applications.bb
@@ -46,9 +46,8 @@ RDEPENDS_${PN} = " \
 samhain-server \
 audit \
 crash \
-pam-passwdqc \
-libpam \
 makedumpfile \
+${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-passwdqc libpam', '', 
d)} \
 "
 
 LTTNG ?= "\
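Review bot: With the new `bb.utils.contains` line, an image built without `pam` in `DISTRO_FEATURES` drops `pam-passwdqc` silently, so the packagegroup no longer guarantees a password-quality module and nothing in the file says so. A comment above the `RDEPENDS_${PN}` assignment (which starts outside the hunk) would record the trade-off, for example `# pam-passwdqc and libpam are only pulled in when DISTRO_FEATURES contains 'pam'`. Whether CGL builds are expected to always enable `pam` cannot be told from this hunk.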
-- 
2.7.4



[yocto] [meta-cgl][PATCH 1/3] packagegroup-cgl-middleware: remove ipsec-tools and umip

2019-06-26 Thread Yi Zhao
The ipsec-tools and umip had been removed from meta-openembedded. We
should remove them from the packagegroup.

Signed-off-by: Yi Zhao 
---
 meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb 
b/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb
index 6ec68c4..4fa7d48 100644
--- a/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb
+++ b/meta-cgl-common/packagegroups/packagegroup-cgl-middleware.bb
@@ -23,7 +23,6 @@ MULTIPATH_TOOLS = " \
 "
 
 RDEPENDS_packagegroup-cgl-middleware = "\
-ipsec-tools \
 net-snmp-server \
 net-snmp-client \
 net-snmp-libs \
@@ -51,7 +50,6 @@ RDEPENDS_packagegroup-cgl-middleware = "\
 ifenslave \
 drbd-utils \
 openl2tp \
-umip \
 dmidecode \
 "
 
-- 
2.7.4



[yocto] [meta-selinux][PATCH] audit: upgrade 2.8.4 -> 2.8.5

2019-06-25 Thread Yi Zhao
* Drop backport patch:
  0001-Remove-strdupa-as-suggested-in-pull-request-25.patch

* Refresh all patches.

Signed-off-by: Yi Zhao 
---
 ...e-strdupa-as-suggested-in-pull-request-25.patch | 47 --
 ...bstitue-functions-for-strndupa-rawmemchr.patch} | 23 +--
 .../audit/audit/audit-python-configure.patch   | 10 ++---
 recipes-security/audit/audit/audit-python.patch|  8 ++--
 recipes-security/audit/audit/auditd|  2 +-
 .../audit/audit/fix-swig-host-contamination.patch  | 22 +-
 .../audit/{audit_2.8.4.bb => audit_2.8.5.bb}   |  7 ++--
 7 files changed, 35 insertions(+), 84 deletions(-)
 delete mode 100644 
recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
 rename 
recipes-security/audit/audit/{0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
 => Add-substitue-functions-for-strndupa-rawmemchr.patch} (88%)
 rename recipes-security/audit/{audit_2.8.4.bb => audit_2.8.5.bb} (92%)

diff --git 
a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
 
b/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
deleted file mode 100644
index 38029aa..000
--- 
a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From a1782b58b687b74249dc8b2411a3f646b821ebd6 Mon Sep 17 00:00:00 2001
-From: Steve Grubb 
-Date: Thu, 4 Oct 2018 08:45:47 -0400
-Subject: [PATCH] Remove strdupa as suggested in pull request #25
-

- src/auditd.c | 11 ++-
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-Origin: 
https://github.com/linux-audit/audit-userspace/commit/a1782b58b687b74249dc8b2411a3f646b821ebd6
-Applied-Upstream: yes
-
-diff --git a/src/auditd.c b/src/auditd.c
-index b0952db..c826ec0 100644
 a/src/auditd.c
-+++ b/src/auditd.c
-@@ -209,21 +209,22 @@ static void cont_handler(struct ev_loop *loop, struct 
ev_signal *sig,
- 
- static int extract_type(const char *str)
- {
--  const char *tptr, *ptr2, *ptr = str;
-+  const char *ptr2, *ptr = str;
-   if (*str == 'n') {
-   ptr = strchr(str+1, ' ');
-   if (ptr == NULL)
-   return -1; // Malformed - bomb out
-   ptr++;
-   }
-+
-   // ptr should be at 't'
-   ptr2 = strchr(ptr, ' ');
--  // get type=xxx in a buffer
--  tptr = strndupa(ptr, ptr2 - ptr);
-+
-   // find =
--  str = strchr(tptr, '=');
--  if (str == NULL)
-+  str = strchr(ptr, '=');
-+  if (str == NULL || str >= ptr2)
-   return -1; // Malformed - bomb out
-+
-   // name is 1 past
-   str++;
-   return audit_name_to_msg_type(str);
--- 
-2.20.1
-
diff --git 
a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
 
b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
similarity index 88%
rename from 
recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
rename to 
recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
index c948aa3..bb6c61e 100644
--- 
a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
+++ 
b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
@@ -1,12 +1,11 @@
-From 5346b6af0ca67a2965ca5846ae150f3021a2aa17 Mon Sep 17 00:00:00 2001
+From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001
 From: Steve Grubb 
 Date: Tue, 26 Feb 2019 18:33:33 -0500
 Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
 
+Upstream-Status: Backport
+[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e]
 ---
-Origin: 
https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e
-Applied-Upstream: yes
-
  auparse/auparse.c   | 12 +++-
  auparse/interpret.c |  9 -
  configure.ac| 14 +-
@@ -14,7 +13,7 @@ Applied-Upstream: yes
  4 files changed, 43 insertions(+), 4 deletions(-)
 
 diff --git a/auparse/auparse.c b/auparse/auparse.c
-index f84712e..3764046 100644
+index 650db02..2e1c737 100644
 --- a/auparse/auparse.c
 +++ b/auparse/auparse.c
 @@ -1,5 +1,5 @@
@@ -24,7 +23,7 @@ index f84712e..3764046 100644
   * All Rights Reserved.
   *
   * This library is free software; you can redistribute it and/or
-@@ -1100,6 +1100,16 @@ static int str2event(char *s, au_event_t *e)
+@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e)
return 0;
  }
  
@@ -42,7 +41,7 @@ index f84712e..3764046 100644
  static int extract_timestamp(const char *b, au_event_t *e)
  {
 diff --git a/auparse/interpret.c b/auparse/interpret.c
-index 1846f9d..8540bd1 100644
+index 51c4a5e..67b7b77 100644
 --- a/auparse/interpret.c
 +++ b/auparse/interpret.c
 @@ -853,6 +853,13 @@ err_out:
@@ -69,7 +68,7 @@ index 1846f9d

Re: [yocto] [meta-selinux][PATCH] glib-2.0: fix configure error for meson build

2019-06-12 Thread Yi Zhao


On 6/12/19 6:03 PM, Alexander Kanavin wrote:
On Wed, 12 Jun 2019 at 09:54, Yi Zhao <mailto:yi.z...@windriver.com>> wrote:


+PACKAGECONFIG[selinux] =
"-Dselinux=enabled,-Dselinux=disabled,libselinux,"


This line should probably go into the oe-core recipe? It is fine to 
have options that depend on things absent in oe-core, as long as those 
options are disabled by default.



Thanks. I will test it and send a patch to oe-core


//Yi



Alex


[yocto] [meta-selinux][PATCH] glib-2.0: fix configure error for meson build

2019-06-12 Thread Yi Zhao
In glib 2.60.x, it turns selinux into a meson feature. We should use
'-Dselinux=enabled/disabled' rather than '-Dselinux=true/false' to
enable/disable the feature.

Add meson-enable-selinux.bbclass for this change and inherit it in
glib-2.0 bbappend to fix the configure error.

Signed-off-by: Yi Zhao 
---
 classes/meson-enable-selinux.bbclass  | 4 
 recipes-core/glib-2.0/glib-2.0_%.bbappend | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 classes/meson-enable-selinux.bbclass

diff --git a/classes/meson-enable-selinux.bbclass 
b/classes/meson-enable-selinux.bbclass
new file mode 100644
index 000..91c2a2b
--- /dev/null
+++ b/classes/meson-enable-selinux.bbclass
@@ -0,0 +1,4 @@
+inherit selinux
+
+PACKAGECONFIG_append = " ${@target_selinux(d)}"
+PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux,"
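Review bot: The new class has no header comment, and its name differs from the `meson-selinux` class it replaces in the glib-2.0 bbappend only by `enable`, so a later maintainer cannot tell which one to inherit. Going by the commit message, a first line such as `# For meson projects where 'selinux' is a feature option (enabled/disabled) rather than a boolean (true/false)` would make the distinction explicit. `target_selinux` is not defined in this hunk; presumably it comes from the inherited `selinux` class.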
diff --git a/recipes-core/glib-2.0/glib-2.0_%.bbappend 
b/recipes-core/glib-2.0/glib-2.0_%.bbappend
index e5d2f6f..39a0a3a 100644
--- a/recipes-core/glib-2.0/glib-2.0_%.bbappend
+++ b/recipes-core/glib-2.0/glib-2.0_%.bbappend
@@ -1 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-selinux', 
'', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 
'meson-enable-selinux', '', d)}
-- 
2.7.4



[yocto] [meta-selinux][PATCH 2/3] findutils: drop obsolete patch

2019-05-19 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 .../findutils-4.2.31/findutils-selinux.patch   | 499 -
 1 file changed, 499 deletions(-)
 delete mode 100644 
recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch

diff --git 
a/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch 
b/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch
deleted file mode 100644
index 73a9747..000
--- a/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch
+++ /dev/null
@@ -1,499 +0,0 @@
-From: Xin Ouyang 
-Date: Thu, 21 Jun 2012 17:01:39 +0800
-Subject: [PATCH] findutils: support selinux.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang 

- configure.in |   10 +
- doc/find.texi|   12 +++
- find/Makefile.am |2 +-
- find/defs.h  |   15 -
- find/find.1  |4 ++
- find/find.c  |   97 +-
- find/parser.c|   50 ++--
- find/pred.c  |   53 +
- find/util.c  |3 ++
- 9 files changed, 240 insertions(+), 6 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 6a20f15..00dd7f8 100644
 a/configure.in
-+++ b/configure.in
-@@ -101,6 +101,16 @@ dnl C library, try -lsun.
- AC_CHECK_FUNC(getpwnam, [],
- [AC_CHECK_LIB(sun, getpwnam)])
- 
-+AC_ARG_WITH([selinux],
-+   AS_HELP_STRING([--without-selinux], [disable SELinux support]),
-+   [:],
-+[AC_CHECK_LIB([selinux], [is_selinux_enabled],
-+ [with_selinux=yes], [with_selinux=no])])
-+if test x$with_selinux != xno; then
-+   AC_DEFINE([WITH_SELINUX], [1], [Define to support SELinux])
-+   AC_SUBST([LIBSELINUX], [-lselinux])
-+fi
-+
- dnl Checks for header files.
- AC_HEADER_STDC
- dnl Assume unistd.h is present - coreutils does too.
-diff --git a/doc/find.texi b/doc/find.texi
-index 5b5f0cf..e1ad433 100644
 a/doc/find.texi
-+++ b/doc/find.texi
-@@ -1091,6 +1091,14 @@ will probably be made in early 2006.
- 
- @end deffn
- 
-+@deffn Test -context pattern
-+True if file's SELinux context matches the pattern @var{pattern}.
-+The pattern uses shell glob matching.
-+
-+This predicate is supported only on @code{find} versions compiled with
-+SELinux support and only when SELinux is enabled.
-+@end deffn
-+
- @node Contents
- @section Contents
- 
-@@ -1599,6 +1607,10 @@ semantics, you will see a difference between the mode 
as printed by
- @item %M
- File's permissions (in symbolic form, as for @code{ls}).  This
- directive is supported in findutils 4.2.5 and later.
-+
-+@item %Z
-+File's SELinux context, or empty string if the file has no SELinux context
-+or this version of find does not support SELinux.
- @end table
- 
- @node Size Directives
-diff --git a/find/Makefile.am b/find/Makefile.am
-index 8e71a32..405955a 100644
 a/find/Makefile.am
-+++ b/find/Makefile.am
-@@ -6,7 +6,7 @@ bin_PROGRAMS = find
- find_SOURCES = find.c fstype.c parser.c pred.c tree.c util.c version.c
- EXTRA_DIST = defs.h $(man_MANS)
- INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib 
-I../intl -DLOCALEDIR=\"$(localedir)\"
--LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@
-+LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ @LIBSELINUX@
- man_MANS = find.1
- SUBDIRS = testsuite
- 
-diff --git a/find/defs.h b/find/defs.h
-index 9369c9a..8a8cf28 100644
 a/find/defs.h
-+++ b/find/defs.h
-@@ -131,6 +131,10 @@ int get_statinfo PARAMS((const char *pathname, const char 
*name, struct stat *p)
- #define MODE_RWX  (S_IXUSR | S_IXGRP | S_IXOTH | MODE_RW)
- #define MODE_ALL  (S_ISUID | S_ISGID | S_ISVTX | MODE_RWX)
- 
-+#ifdef WITH_SELINUX
-+#include 
-+#endif
-+
- #if 1
- #include 
- typedef bool boolean;
-@@ -320,6 +324,9 @@ struct predicate
- struct dir_id   fileid;   /* samefile */
- mode_t type;  /* type */
- FILE *stream; /* ls fls fprint0 */
-+#ifdef WITH_SELINUX
-+security_context_t scontext; /* scontext */
-+#endif
- struct format_val printf_vec; /* printf fprintf fprint  */
-   } args;
- 
-@@ -481,7 +488,9 @@ boolean pred_uid PARAMS((char *pathname, struct stat 
*stat_buf, struct predicate
- boolean pred_used PARAMS((char *pathname, struct stat *stat_buf, struct 
predicate *pred_ptr));
- boolean pred_user PARAMS((char *pathname, struct stat *stat_buf, struct 
predicate *pred_ptr));
- boolean pred_xtype PARAMS((char *pathname, struct stat *stat_buf, struct 
predicate *pred_ptr));
--
-+#ifdef WITH_SELINUX
-+boolean pred_context PARAMS((char *pathname, struct stat *stat_buf, struct 
predicate *pred_ptr));
-+#endif
- 
- 
- int launch PARAMS((const struct buildcmd_control *ctl,
-@@ -570,6 +579,10 @@ struct options
-* can be changed with the positional option, -regextype.
-*/
-   int regex_options;
-+
-+#ifdef WITH_SELINUX
-+  int (*x_getfilecon) ();
-+#endif
- };
- extern struct options options;
- 
-diff --

[yocto] [meta-selinux][PATCH 3/3] util-linux: drop obsolete patch

2019-05-19 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 .../util-linux/fix-libmount_la_DEPENDENCIES.patch  | 28 --
 1 file changed, 28 deletions(-)
 delete mode 100644 
recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch

diff --git 
a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch 
b/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
deleted file mode 100644
index ab54818..000
--- a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Subject: [PATCH] util-linux: fix libmount_la_DEPENDENCIES.
-
-Upstream-Status: Pending
-
-libmount_la_LIBADD contains "-lselinux", this is not a object that
-could consider as a dependency target. So fix this.
-
-Signed-off-by: Xin Ouyang 

- libmount/src/Makemodule.am |2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/libmount/src/Makemodule.am b/libmount/src/Makemodule.am
-index 494e02a..bf494a4 100644
 a/libmount/src/Makemodule.am
-+++ b/libmount/src/Makemodule.am
-@@ -38,7 +38,7 @@ libmount_la_CFLAGS = \
-   -I$(top_srcdir)/libmount/src
- 
- libmount_la_DEPENDENCIES = \
--  $(libmount_la_LIBADD) \
-+  libcommon.la libblkid.la \
-   libmount/src/libmount.sym \
-   libmount/src/libmount.h.in
- 
--- 
-1.7.5.4
-
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/3] mesa: switch to meson build

2019-05-19 Thread Yi Zhao
The mesa had been converted to use meson build system in oe-core commit
c72b6d46d392bfbcf54154f43663a7a8ada8c567. Update the bbappend to adapt
it.

Signed-off-by: Yi Zhao 
---
 recipes-graphics/mesa/mesa_%.bbappend  | 2 +-
 recipes-graphics/mesa/mesa_selinux.inc | 6 --
 2 files changed, 1 insertion(+), 7 deletions(-)
 delete mode 100644 recipes-graphics/mesa/mesa_selinux.inc

diff --git a/recipes-graphics/mesa/mesa_%.bbappend 
b/recipes-graphics/mesa/mesa_%.bbappend
index b0b03ec..02c4918 100644
--- a/recipes-graphics/mesa/mesa_%.bbappend
+++ b/recipes-graphics/mesa/mesa_%.bbappend
@@ -1,2 +1,2 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 
'${BPN}_selinux.inc', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-selinux', 
'', d)}
 
diff --git a/recipes-graphics/mesa/mesa_selinux.inc 
b/recipes-graphics/mesa/mesa_selinux.inc
deleted file mode 100644
index 0004f71..000
--- a/recipes-graphics/mesa/mesa_selinux.inc
+++ /dev/null
@@ -1,6 +0,0 @@
-inherit enable-selinux
-
-# But wait!  There's more!  mesa builds a host program named builtin_compiler
-# and it needs selinux, too.  We replace the PACKAGECONFIG[] in the bbclass.
-#
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux 
libselinux-native,"
-- 
2.7.4



[yocto] [meta-security][PATCH 1/2] meta-tpm/conf/layer.conf: update layer dependencies

2019-04-23 Thread Yi Zhao
Add openembedded-layer to layer dependencies.

Fix the following build errors:

ERROR: Required build target 'tpm2-pkcs11' has no buildable providers.
Missing or unbuildable dependency chain was: ['tpm2-pkcs11', 'dstat']

ERROR: Required build target 'cryptsetup-tpm-incubator' has no buildable 
providers.
Missing or unbuildable dependency chain was: ['cryptsetup-tpm-incubator', 
'libdevmapper']

ERROR: Required build target 'tpm2-totp' has no buildable providers.
Missing or unbuildable dependency chain was: ['tpm2-totp', 'qrencode']

Signed-off-by: Yi Zhao 
---
 meta-tpm/conf/layer.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-tpm/conf/layer.conf b/meta-tpm/conf/layer.conf
index 15a2bef..bf9a76e 100644
--- a/meta-tpm/conf/layer.conf
+++ b/meta-tpm/conf/layer.conf
@@ -12,4 +12,5 @@ LAYERSERIES_COMPAT_tpm-layer = "thud warrior"
 
 LAYERDEPENDS_tpm-layer = " \
 core \
+openembedded-layer \
 "
-- 
2.7.4



[yocto] [meta-security][PATCH 2/2] meta-tpm/README: update

2019-04-23 Thread Yi Zhao
Add more description

Signed-off-by: Yi Zhao 
---
 meta-tpm/README | 57 +
 1 file changed, 57 insertions(+)

diff --git a/meta-tpm/README b/meta-tpm/README
index bbc70bb..dd662b3 100644
--- a/meta-tpm/README
+++ b/meta-tpm/README
@@ -2,3 +2,60 @@ meta-tpm layer
 ==
 
 This layer contains base TPM recipes.
+
+Dependencies
+
+
+This layer depends on:
+
+  URI: git://git.openembedded.org/openembedded-core
+  branch: master
+  revision: HEAD
+  prio: default
+
+  URI: git://git.openembedded.org/meta-openembedded/meta-oe
+  branch: master
+  revision: HEAD
+  prio: default
+
+Adding the meta-tpm layer to your build
+
+
+In order to use this layer, you need to make the build system aware of
+it.
+
+Assuming this layer exists at the top-level of your
+yocto build tree, you can add it to the build system by adding the
+location of the meta-tpm layer to bblayers.conf, along with any
+other layers needed. e.g.:
+
+  BBLAYERS ?= " \
+/path/to/oe-core/meta \
+/path/to/meta-openembedded/meta-oe \
+/path/to/layer/meta-tpm \
+
+
+Maintenance
+---
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org 
--subject-prefix=meta-security][PATCH'
+
+These values can be set as defaults for this repository:
+
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-security][PATCH
+
+Now you can just do 'git send-email origin/master' to send all local patches.
+
+Maintainers:Armin Kuster 
+
+
+License
+===
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
-- 
2.7.4



[yocto] [meta-selinux][PATCH] refpolicy: refresh patches

2019-04-19 Thread Yi Zhao
Refresh 0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
and 0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch.
Remove the trailing line: \ No newline at end of file

Signed-off-by: Yi Zhao 
---
 ...y-minimum-audit-logging-getty-audit-related-.patch |  1 -
 ...y-minimum-systemd-mount-logging-authlogin-ad.patch | 19 ---
 ...y-minimum-audit-logging-getty-audit-related-.patch |  1 -
 ...y-minimum-systemd-mount-logging-authlogin-ad.patch | 19 ---
 4 files changed, 16 insertions(+), 24 deletions(-)

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
 
b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
index f92ddb8..10d2bcb 100644
--- 
a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
+++ 
b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -62,7 +62,6 @@ index 63e92a8e..8ab46925 100644
 +allow auditd_t initrc_t:unix_dgram_socket sendto;
 +
 +allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
 -- 
 2.19.1
 
diff --git 
a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
 
b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
index 98b6156..65ef55b 100644
--- 
a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
+++ 
b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -33,13 +33,13 @@ Signed-off-by: Shrikant Bobade 
 Signed-off-by: Joe MacDonald 
 ---
  policy/modules/system/authlogin.te | 2 ++
- policy/modules/system/logging.te   | 7 ++-
+ policy/modules/system/logging.te   | 5 +
  policy/modules/system/mount.te | 3 +++
  policy/modules/system/systemd.te   | 5 +
- 4 files changed, 16 insertions(+), 1 deletion(-)
+ 4 files changed, 15 insertions(+)
 
 diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
-index 345e07f3..39f860e0 100644
+index 345e07f..39f860e 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -472,3 +472,5 @@ optional_policy(`
@@ -49,23 +49,20 @@ index 345e07f3..39f860e0 100644
 +
 +allow chkpwd_t proc_t:filesystem getattr;
 diff --git a/policy/modules/system/logging.te 
b/policy/modules/system/logging.te
-index 8ab46925..520f7da6 100644
+index c9991ab..520f7da 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open 
read append };
- allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+@@ -628,3 +628,8 @@ allow auditd_t tmpfs_t:dir { open read search add_name 
write getattr search };
  allow auditd_t initrc_t:unix_dgram_socket sendto;
  
--allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
-+allow klogd_t initrc_t:unix_dgram_socket sendto;
+ allow klogd_t initrc_t:unix_dgram_socket sendto;
 +
 +allow syslogd_t self:shm create;
 +allow syslogd_t self:sem { create read unix_write write };
 +allow syslogd_t self:shm { read unix_read unix_write write };
 +allow syslogd_t tmpfs_t:file { read write };
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 3dcb8493..a87d0e82 100644
+index 3dcb849..a87d0e8 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -231,3 +231,6 @@ optional_policy(`
@@ -76,7 +73,7 @@ index 3dcb8493..a87d0e82 100644
 +allow mount_t proc_t:filesystem getattr;
 +allow mount_t initrc_t:udp_socket { read write };
 diff --git a/policy/modules/system/systemd.te 
b/policy/modules/system/systemd.te
-index a6f09dfd..68b80de3 100644
+index a6f09df..68b80de 100644
 --- a/policy/modules/system/systemd.te
 +++ b/policy/modules/system/systemd.te
 @@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { 
relabelfrom relabelto };
diff --git 
a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
 
b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
index 3cc5395..517782d 100644
--- 
a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
+++ 
b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -62,7 +62,6 @@ index e6221a02..4cc73327 100644
 +allow auditd_t initrc_t:unix_dgram_socket sendto;
 +
 +allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
 -- 
 2.19.1
 
diff --git 
a/recipes-security/refpolicy/refpolicy-git/0004-refpolicy

[yocto] [meta-selinux][PATCH] refpolicy: update source checksums for refpolicy 20190201

2019-04-18 Thread Yi Zhao
The previous md5sum and sha256sum are not correct.
See: https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20190201

Signed-off-by: Yi Zhao 
---
 recipes-security/refpolicy/refpolicy_2.20190201.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy_2.20190201.inc 
b/recipes-security/refpolicy/refpolicy_2.20190201.inc
index 822c0f3..78c6e74 100644
--- a/recipes-security/refpolicy/refpolicy_2.20190201.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20190201.inc
@@ -1,6 +1,6 @@
 SRC_URI = 
"https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2;
-SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
-SRC_URI[sha256sum] = 
"5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
+SRC_URI[md5sum] = "babb0d5ca2ae333631d25392b2b3ce8d"
+SRC_URI[sha256sum] = 
"ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843"
 
 FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:"
 
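Review bot: Both digests in the `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` lines change while `PV` and the download URL stay the same, and the description only says the previous values "are not correct". From the recipe alone, a digest change for an unchanged release cannot be told apart from an upstream tarball that was replaced. The description should therefore say whether the old values were simply wrong from the start, and how the new ones were verified (for instance against a digest published with the release, if upstream publishes one). When checking, compare the sha256sum; the md5sum on its own is not a strong integrity check.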
-- 
2.7.4



Re: [yocto] [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)

2019-04-11 Thread Yi Zhao

Hi Joe,

Thank you for working on the refpolicy upgrade.
I have a quick test with your patch. Here are the results:

Machine: qemux86-64
Image: core-image-selinux
Init manager: systemd
Boot command: runqemu qemux86-64 kvm nographic bootparams="selinux=1 
enforcing=X" qemuparams="-m 1024"


1. All refpolicy type of git version can be built without problems.

2. With parameter selinux=1 & enforcing=0
The qemu can boot up and login for all refpolicy types.

3. With parameter selinux=1 & enforcing=1
Some services failed to start during boot. But this issue also 
exists on the old refpolicy version (2.20170204)


4. refpolicy stable version (2.20190201)
I got an do_fetch error with refpolicy stable version.
Seems the SRC_URI is not correct. It should be 
"https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2;



Regards,
Yi


在 2019/4/10 下午11:53, Joe MacDonald 写道:

This is a huge, long-overdue update to the refpolicy.  I apologise for it
blocking the other outstanding meta-selinux patches, but I've been
trying to limit the scope of changes while this happens.  Now that this
is cleared off the slate, I'll be gathering up the other meta-selinux
patches from the list.  I'll send out a follow-up on those as they're
merged and another when I think I'm done, so if I've missed your patch,
that'll be the time to ping me about it.

As for this, here's what I've done.

- manually reviewed all patches that had been present in
  repolicy-* for both the old stable (2.20170204) and git
  versions

- forked the SELinuxPolicy/refpolicy repo and applied all
  still-relevant patches to the RELEASE_2.20190201 branch

- restructured the patches so that all patches that should
  reasonably apply to all variants (mcs, mls, minimum, standard
  and targeted) were in a common branch and only the ones that
  are specific to each variant would be in their own recipe

- restructure the patches so that systemd and sysvinit patches
  were not applied to the same tree

- created a parallel set of branches for each of these against
  current git HEAD

The results of this can be examined here:

https://github.com/joeythesaint/refpolicy

Then each of these were exported and put in the appropriate SRC_URIs so
the branch structure is more-or-less preserved.

My goals with this approach were the following:

- make it easier to keep refpolicy up to date, particularly for
  anyone wanting to use the git variants

- make it easier to determine how your preferred version of
  refpolicy on Yocto differs from upstream refpolicy

- limit the above differences to the minimum to achieve the goal
  of a functional Yocto system

- eventually move us away from release tarballs entirely

That last point is why I'm preserving the refpolicy fork above.  I'd
like to keep going with this and so future refpolicy patches will first
be put in that repo then exported and applied to the SRC_URIs.  If you
have such a patch and want to send me a PR against the branch you think
it belongs on from github directly, that'd be awesome, but the old
method of patches to the mailing list will work fine too, just know that
this is the way I'm going to try to manage this for the foreseeable
future.  Ultimately, if this proves to work well, I would like to move
the refpolicy fork off github and house it on git.yoctoproject.org
beside meta-selinux, but the workflow needs to be properly validated
first.

One additional point, I intend to take another pass at revising this
stuff, ideally moving the huge number of common patches out as well.
There's still some that aren't necessary for base yocto but are for
additional layers.  That's fine for us to have, but I'd like to get
those moved to optional layer directories so we're making the best use
of that functionality we can.  If you have suggestions on which pieces
already present are good candidates, let me know.  Similarly, if you've
got additional policy patches you want to see included, feel free to
send them along, we can easily move them to optional locations inside
meta-selinux.

Finally, please everyone test this and provide feedback on anything that
doesn't work or looks strange.  This is easily the biggest change we've
had in meta-selinux in years and I expect there's still some wrinkles to
be ironed out.  And I really appreciate everyone's patience while we got
to this point and hope it's not too much more pain before we put a
ribbon on this and call it done.

I'll give this until at least the weekend before merging it to master,
pending comments or an overwhelming "please just do it" from the
community.

Thanks.

---

The following changes since commit a6a3cadb1ef3203a123d8f5f9df27832f55b2ce3:

   Backport patches from upstream to fix build with musl (2019-03-25 09:43:53 
+0100)

are available in the Git 

[yocto] [meta-selinux][PATCH] selinux: remove git version

2019-04-01 Thread Yi Zhao
The git versions of libselinux, libsemanage, libsepol, checkpolicy and
policycoreutils are far behind the master branch and can no longer be
built because of a do_patch error. The current stable 2.8 version works
well, so we can remove them.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/checkpolicy_git.bb |  6 --
 recipes-security/selinux/libselinux_git.bb  | 14 --
 recipes-security/selinux/libsemanage_git.bb | 17 -
 recipes-security/selinux/libsepol_git.bb|  8 
 recipes-security/selinux/policycoreutils_git.bb |  6 --
 recipes-security/selinux/selinux_git.inc| 11 ---
 6 files changed, 62 deletions(-)
 delete mode 100644 recipes-security/selinux/checkpolicy_git.bb
 delete mode 100644 recipes-security/selinux/libselinux_git.bb
 delete mode 100644 recipes-security/selinux/libsemanage_git.bb
 delete mode 100644 recipes-security/selinux/libsepol_git.bb
 delete mode 100644 recipes-security/selinux/policycoreutils_git.bb
 delete mode 100644 recipes-security/selinux/selinux_git.inc

diff --git a/recipes-security/selinux/checkpolicy_git.bb 
b/recipes-security/selinux/checkpolicy_git.bb
deleted file mode 100644
index 6d1d23a..000
--- a/recipes-security/selinux/checkpolicy_git.bb
+++ /dev/null
@@ -1,6 +0,0 @@
-PV = "2.7+git${SRCPV}"
-
-include selinux_git.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
diff --git a/recipes-security/selinux/libselinux_git.bb 
b/recipes-security/selinux/libselinux_git.bb
deleted file mode 100644
index a43b184..000
--- a/recipes-security/selinux/libselinux_git.bb
+++ /dev/null
@@ -1,14 +0,0 @@
-PV = "2.7+git${SRCPV}"
-
-include selinux_git.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
-
-SRC_URI += "\
-   file://libselinux-drop-Wno-unused-but-set-variable.patch \
-   file://libselinux-make-O_CLOEXEC-optional.patch \
-   file://libselinux-make-SOCK_CLOEXEC-optional.patch \
-   file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
-   file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
-   "
diff --git a/recipes-security/selinux/libsemanage_git.bb 
b/recipes-security/selinux/libsemanage_git.bb
deleted file mode 100644
index 2e1fdc8..000
--- a/recipes-security/selinux/libsemanage_git.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-PV = "2.7+git${SRCPV}"
-
-include selinux_git.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI += "\
-   file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
-   file://libsemanage-fix-path-nologin.patch \
-   file://libsemanage-drop-Wno-unused-but-set-variable.patch \
-   file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \
-   file://libsemanage-allow-to-disable-audit-support.patch \
-   file://libsemanage-disable-expand-check-on-policy-load.patch \
-   file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
-   "
-FILES_${PN} += "/usr/libexec"
diff --git a/recipes-security/selinux/libsepol_git.bb 
b/recipes-security/selinux/libsepol_git.bb
deleted file mode 100644
index f9b8010..000
--- a/recipes-security/selinux/libsepol_git.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-PV = "2.7+git${SRCPV}"
-
-include selinux_git.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch"
diff --git a/recipes-security/selinux/policycoreutils_git.bb 
b/recipes-security/selinux/policycoreutils_git.bb
deleted file mode 100644
index 6d1d23a..000
--- a/recipes-security/selinux/policycoreutils_git.bb
+++ /dev/null
@@ -1,6 +0,0 @@
-PV = "2.7+git${SRCPV}"
-
-include selinux_git.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
diff --git a/recipes-security/selinux/selinux_git.inc 
b/recipes-security/selinux/selinux_git.inc
deleted file mode 100644
index 9887bd1..000
--- a/recipes-security/selinux/selinux_git.inc
+++ /dev/null
@@ -1,11 +0,0 @@
-SRCREV = "1bac758bf6cf884c112b80545d5fc5b668fc7d71"
-
-SRC_URI = "git://github.com/SELinuxProject/selinux.git;protocol=http"
-
-include selinux_common.inc
-
-# ${S} is set in selinux_common above, but we need to change it here since the
-# top level directory is named differently
-S = "${WORKDIR}/git/${BPN}"
-
-DEFAULT_PREFERENCE = "-1"
-- 
2.7.4



[yocto] [meta-selinux][PATCH] linux-yocto: add bbappend for kernel 5.0

2019-03-19 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-kernel/linux/linux-yocto_5.%.bbappend | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 recipes-kernel/linux/linux-yocto_5.%.bbappend

diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend 
b/recipes-kernel/linux/linux-yocto_5.%.bbappend
new file mode 100644
index 000..7719d3b
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 
'${BPN}_selinux.inc', '', d)}
-- 
2.7.4



[yocto] [meta-security][PATCH] oe-scap: fix inconsistent indentation

2019-03-07 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 .../recipes-openscap/oe-scap/oe-scap_1.0.bb   | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb 
b/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
index 5b61375..e84ed30 100644
--- a/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
+++ b/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
@@ -8,12 +8,11 @@ LICENSE = "MIT"
 SRCREV = "7147871d7f37d408c0dd7720ef0fd3ec1b54ad98"
 SRC_URI = "git://github.com/akuster/oe-scap.git"
 SRC_URI += " \
-   file://run_cve.sh \
-   file://run_test.sh \
-   file://OpenEmbedded_nodistro_0.xml \
-file://OpenEmbedded_nodistro_0.xccdf.xml \
-"
-   
+file://run_cve.sh \
+file://run_test.sh \
+file://OpenEmbedded_nodistro_0.xml \
+file://OpenEmbedded_nodistro_0.xccdf.xml \
+   "
 
 S = "${WORKDIR}/git"
 
-- 
2.7.4



[yocto] [meta-security][PATCH] openscap-daemon: backport patch to fix build error with python 3.7

2019-03-07 Thread Yi Zhao
Fixes build error:
  | Traceback (most recent call last):
  |   File "setup.py", line 25, in 
  | from openscap_daemon import version
  |   File 
"/buildarea/build/tmp/work/core2-64-poky-linux/openscap-daemon/0.1.10-r0/git/openscap_daemon/__init__.py",
 line 22, in 
  | from openscap_daemon.system import System
  |   File 
"/buildarea/build/tmp/work/core2-64-poky-linux/openscap-daemon/0.1.10-r0/git/openscap_daemon/system.py",
 line 29
  | from openscap_daemon import async
  | ^
  | SyntaxError: invalid syntax

Signed-off-by: Yi Zhao 
---
 ...-module-and-variables-to-get-rid-of-async.patch | 130 +
 .../openscap-daemon/openscap-daemon_0.1.10.bb  |   4 +-
 2 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 
meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch

diff --git 
a/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
 
b/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
new file mode 100644
index 000..2a518bf
--- /dev/null
+++ 
b/meta-security-compliance/recipes-openscap/openscap-daemon/files/0001-Renamed-module-and-variables-to-get-rid-of-async.patch
@@ -0,0 +1,130 @@
+From c34349720a57997d30946286756e2ba9dbab6ace Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= 
+Date: Mon, 2 Jul 2018 11:21:19 +0200
+Subject: [PATCH] Renamed module and variables to get rid of async.
+
+async is a reserved word in Python 3.7.
+
+Upstream-Status: Backport
+[https://github.com/OpenSCAP/openscap-daemon/commit/c34349720a57997d30946286756e2ba9dbab6ace]
+
+Signed-off-by: Yi Zhao 
+---
+ openscap_daemon/{async.py => async_tools.py} |  0
+ openscap_daemon/dbus_daemon.py   |  2 +-
+ openscap_daemon/system.py| 16 
+ tests/unit/test_basic_update.py  |  3 ++-
+ 4 files changed, 11 insertions(+), 10 deletions(-)
+ rename openscap_daemon/{async.py => async_tools.py} (100%)
+
+diff --git a/openscap_daemon/async.py b/openscap_daemon/async_tools.py
+similarity index 100%
+rename from openscap_daemon/async.py
+rename to openscap_daemon/async_tools.py
+diff --git a/openscap_daemon/dbus_daemon.py b/openscap_daemon/dbus_daemon.py
+index e6eadf9..cb6a8b6 100644
+--- a/openscap_daemon/dbus_daemon.py
 b/openscap_daemon/dbus_daemon.py
+@@ -81,7 +81,7 @@ class OpenSCAPDaemonDbus(dbus.service.Object):
+ @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
+  in_signature="", out_signature="a(xsi)")
+ def GetAsyncActionsStatus(self):
+-return self.system.async.get_status()
++return self.system.async_manager.get_status()
+ 
+ @dbus.service.method(dbus_interface=dbus_utils.DBUS_INTERFACE,
+  in_signature="s", out_signature="(sssn)")
+diff --git a/openscap_daemon/system.py b/openscap_daemon/system.py
+index 2012f6e..85c2680 100644
+--- a/openscap_daemon/system.py
 b/openscap_daemon/system.py
+@@ -26,7 +26,7 @@ import logging
+ from openscap_daemon.task import Task
+ from openscap_daemon.config import Configuration
+ from openscap_daemon import oscap_helpers
+-from openscap_daemon import async
++from openscap_daemon import async_tools
+ 
+ 
+ class ResultsNotAvailable(Exception):
+@@ -40,7 +40,7 @@ TASK_ACTION_PRIORITY = 10
+ 
+ class System(object):
+ def __init__(self, config_file):
+-self.async = async.AsyncManager()
++self.async_manager = async_tools.AsyncManager()
+ 
+ logging.info("Loading configuration from '%s'.", config_file)
+ self.config = Configuration()
+@@ -90,7 +90,7 @@ class System(object):
+ input_file, tailoring_file, None
+ )
+ 
+-class AsyncEvaluateSpecAction(async.AsyncAction):
++class AsyncEvaluateSpecAction(async_tools.AsyncAction):
+ def __init__(self, system, spec):
+ super(System.AsyncEvaluateSpecAction, self).__init__()
+ 
+@@ -113,7 +113,7 @@ class System(object):
+ return "Evaluate Spec '%s'" % (self.spec)
+ 
+ def evaluate_spec_async(self, spec):
+-return self.async.enqueue(
++return self.async_manager.enqueue(
+ System.AsyncEvaluateSpecAction(
+ self,
+ spec
+@@ -488,7 +488,7 @@ class System(object):
+ 
+ return ret
+ 
+-class AsyncUpdateTaskAction(async.AsyncAction):
++class AsyncUpdateTaskAction(async_tools.AsyncAction):
+ def __init__(self, system, task_id, reference_datetime):
+ super(System.AsyncUpdateTaskAction, self).__init__()
+ 
+@@ -536,7 +536,7 @@ class System(object):
+ 
+ if task.should_be_updated(reference_datetime):
+

[yocto] [meta-security][PATCH] scap-security-guide: use makefile generator instead of ninja for cmake

2019-03-06 Thread Yi Zhao
Fixes build error:
  | make: *** No rule to make target 'openembedded'.  Stop.

Signed-off-by: Yi Zhao 
---
 .../recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb  | 2 ++
 1 file changed, 2 insertions(+)

diff --git 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
index 7fa417d..27d3d86 100644
--- 
a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
+++ 
b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
@@ -19,6 +19,8 @@ S = "${WORKDIR}/git"
 
 STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
 
+OECMAKE_GENERATOR = "Unix Makefiles"
+
 EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF"
 EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF"
 EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF"
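Review bot: The new `OECMAKE_GENERATOR = "Unix Makefiles"` line has no comment saying why this recipe opts out of the default generator, so a later cleanup could remove it and bring the failure back. The description gives the symptom (`make: *** No rule to make target 'openembedded'`), which suggests that some step of the build invokes `make` on a named target directly; that caller is not visible in this hunk. I would add above the assignment `# Build invokes make on the 'openembedded' target, which the ninja generator does not provide`, after confirming that this is the actual cause.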
-- 
2.7.4



[yocto] [meta-selinux][PATCH 2/2] selinux-image.bbclass: using append instead of += for IMAGE_PREPROCESS_COMMAND

2019-01-25 Thread Yi Zhao
Fix AVC denied error when booting:

type=AVC msg=audit(1548055920.478:86): avc:  denied  { execute } for
pid=366 comm="audispd" path="/lib/ld-2.28.so" dev="vda" ino=7545
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

type=AVC msg=audit(1548055920.478:87): avc:  denied  { open } for
pid=366 comm="audispd" path="/lib/libc-2.28.so" dev="vda" ino=7558
scontext=system_u:system_r:audisp_t:s15:c0.c1023
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

When "+=" is used for IMAGE_PREPROCESS_COMMAND, selinux_set_labels runs
before the prelink process and sets the security labels for the files,
but the labels of /lib/libc-2.28.so and /lib/ld-2.28.so change after
prelink has run. Use "_append" to make sure that selinux_set_labels runs
after the prelink process.

Signed-off-by: Yi Zhao 
---
 classes/selinux-image.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/selinux-image.bbclass b/classes/selinux-image.bbclass
index 5174dc5..7f157d3 100644
--- a/classes/selinux-image.bbclass
+++ b/classes/selinux-image.bbclass
@@ -10,6 +10,6 @@ selinux_set_labels () {
 
 DEPENDS += "policycoreutils-native"
 
-IMAGE_PREPROCESS_COMMAND += "selinux_set_labels ;"
+IMAGE_PREPROCESS_COMMAND_append = " selinux_set_labels ;"
 
 inherit core-image
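Review bot: The ordering requirement behind `IMAGE_PREPROCESS_COMMAND_append = " selinux_set_labels ;"` is not recorded in the class, and it is a security-relevant one: per the description, files rewritten after labelling end up as `unlabeled_t`. `_append` places the command after every `+=`, but another class or recipe that also uses `_append` on this variable and modifies files could still land after it, depending on parse order. I would add above the line `# Must run last: anything that rewrites files after labelling (e.g. prelink) leaves them unlabeled_t`. The body of selinux_set_labels lies outside this hunk.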
-- 
2.7.4



[yocto] [meta-selinux][PATCH 2/2] openssh: update sshd_config

2019-01-17 Thread Yi Zhao
Update sshd_config based on openssh 7.9p1. Drop the deprecated option
UsePrivilegeSeparation

Signed-off-by: Yi Zhao 
---
 recipes-connectivity/openssh/files/sshd_config | 53 +-
 1 file changed, 26 insertions(+), 27 deletions(-)

diff --git a/recipes-connectivity/openssh/files/sshd_config 
b/recipes-connectivity/openssh/files/sshd_config
index 2110463..1c33ad0 100644
--- a/recipes-connectivity/openssh/files/sshd_config
+++ b/recipes-connectivity/openssh/files/sshd_config
@@ -1,4 +1,4 @@
-#  $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
+#  $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -7,7 +7,7 @@
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options change a
+# possible, but leave them commented.  Uncommented options override the
 # default value.
 
 #Port 22
@@ -15,44 +15,40 @@
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
-# Disable legacy (protocol version 1) support in the server for new
-# installations. In future the default will change to require explicit
-# activation of protocol 1
-Protocol 2
-
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
 #HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
+# Ciphers and keying
+#RekeyLimit default none
 
 # Logging
-# obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 #LogLevel INFO
 
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin yes
+#PermitRootLogin prohibit-password
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
 
-#RSAAuthentication yes
 #PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
 #AuthorizedKeysFile.ssh/authorized_keys
 
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
+# HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
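Review bot: `#PermitRootLogin prohibit-password` stays commented, so the line only documents the compiled-in default of whichever sshd is packaged; the effective root-login policy is not pinned by this file. For a configuration shipped by meta-selinux it is safer to state the intended value explicitly, `PermitRootLogin prohibit-password`, so that a different OpenSSH version or build default cannot silently change it. The same reasoning applies to `#PasswordAuthentication yes` in the following hunk, if password logins are meant to be allowed at all. Whether image features rewrite this option later is not visible from the diff.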
@@ -61,7 +57,8 @@ Protocol 2
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
-# Change to no to disable s/key passwords
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
 ChallengeResponseAuthentication no
 
 # Kerberos options
@@ -74,8 +71,8 @@ ChallengeResponseAuthentication no
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 
-# Set this to 'yes' to enable PAM authentication, account processing, 
-# and session processing. If this is enabled, PAM authentication will 
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
@@ -83,7 +80,7 @@ ChallengeResponseAuthentication no
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-UsePAM yes 
+UsePAM yes
 
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
@@ -91,20 +88,21 @@ UsePAM yes
 #X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
+#PermitTTY yes
 #PrintMotd yes
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
-UsePrivilegeSeparation yes
 #PermitUserEnvironment no
 Compression no
 ClientAliveInterval 15
 ClientAliveCountMax 4
-#UseDNS yes
+#UseDNS no
 #PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
+#VersionAddendum none
 
 # no default banner path
 #Banner none
@@ -116,4 +114,5 @@ Subsystem   sftp/usr/libexec/sftp-server
 #Match User anoncvs
 #  X11Forwarding no
 #  AllowTcpForwarding no
+#  PermitTTY no
 #  ForceCommand cvs server
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/2] core-image-selinux.bb: remove trailing whitespace

2019-01-17 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/images/core-image-selinux.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/images/core-image-selinux.bb 
b/recipes-security/images/core-image-selinux.bb
index 70b525e..68bf7ef 100644
--- a/recipes-security/images/core-image-selinux.bb
+++ b/recipes-security/images/core-image-selinux.bb
@@ -9,6 +9,6 @@ IMAGE_INSTALL = "\
util-linux-agetty \
packagegroup-core-full-cmdline \
packagegroup-core-selinux \
-"   
+"
 
 inherit selinux-image
-- 
2.7.4

-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


[yocto] [meta-security][PATCH] keynote: remove recipe

2018-09-25 Thread Yi Zhao
keynote has been unmaintained for a long time. It has been removed from the
main distributions (Fedora, Suse and Debian).
See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594867

Signed-off-by: Yi Zhao 
---
 .../configure-remove-hardcode-path.patch   | 37 
 .../keynote/keynote-2.3/makefile-add-ldflags.patch | 36 ---
 recipes-security/keynote/keynote-2.3/run-ptest | 16 -
 recipes-security/keynote/keynote_2.3.bb| 40 --
 4 files changed, 129 deletions(-)
 delete mode 100644 
recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch
 delete mode 100644 
recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch
 delete mode 100644 recipes-security/keynote/keynote-2.3/run-ptest
 delete mode 100644 recipes-security/keynote/keynote_2.3.bb

diff --git 
a/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch 
b/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch
deleted file mode 100644
index af3ef42..000
--- a/recipes-security/keynote/keynote-2.3/configure-remove-hardcode-path.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Remove the hardcoded lib and include dirs
-
-Upstream-Status: Inappropriate [cross compile specific]
-
-written by: Amy Fong 
-Signed-off-by: Jackie Huang 
-
 keynote-2.3/configure.in.orig  2010-05-24 04:44:16.0 -0700
-+++ keynote-2.3/configure.in   2010-05-24 04:44:55.0 -0700
-@@ -21,27 +21,16 @@
- AC_PATH_PROG(ECHO, echo, /bin/echo)
- AC_PATH_PROG(SED, sed, /usr/bin/sed)
- 
--dnl Checks for libraries.
--LIBS="-L/usr/lib -L/usr/local/lib -L/usr/ssl/lib -L/usr/openssl/lib\
-- -L/usr/local/ssl/lib -L/usr/local/openssl/lib -L/usr/pkg/lib -L/pkg/lib"
--
- AC_CHECK_LIB(m, floor, LIBS="$LIBS -lm")
- AC_CHECK_LIB(rsaref, RSAPrivateDecrypt, LIBS="$LIBS -lrsaref")
- AC_CHECK_LIB(crypto, i2a_ASN1_STRING, LIBS="$LIBS -lcrypto")
- AC_CHECK_LIB(RSAglue, RSA_ref_private_encrypt, LIBS="$LIBS -lRSAglue")
- 
--dnl Checks for header files.
--CPPFLAGS="-I/usr/include -I/usr/local/include -I/usr/ssl/include\
-- -I/usr/local/ssl/include -I/usr/openssl/include -I/usr/pkg/include\
-- -I/usr/local/openssl/include -I/pkg/include"
--
- AC_HEADER_STDC
- AC_HEADER_TIME
- AC_CHECK_HEADERS(fcntl.h limits.h unistd.h regex.h sys/time.h io.h)
- AC_CHECK_HEADERS(ssl/crypto.h openssl/crypto.h crypto.h memory.h)
- 
--dnl Checks for other files
--
- dnl Checks for typedefs, structures, and compiler characteristics.
- AC_C_CONST
- AC_CHECK_TYPE(u_int, unsigned int)
diff --git a/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch 
b/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch
deleted file mode 100644
index 80d87cf..000
--- a/recipes-security/keynote/keynote-2.3/makefile-add-ldflags.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-Add LDFLAGS variable to Makefile so that extra linker flags can be sent via 
this variable.
-
-Upstream-Status: Pending
-
-Signed-off-by: Yi Zhao 
-
-diff --git a/Makefile.in b/Makefile.in
-index b216648..42b4827 100644
 a/Makefile.in
-+++ b/Makefile.in
-@@ -35,6 +35,7 @@ MKDIR = @MKDIR@
- SED = @SED@
- ECHO = @ECHO@
- TR = @TR@
-+LDFLAGS = @LDFLAGS@
- 
- TARFLAGS = -cvzf ${DISTFILE}
- YACCFLAGS2 = -d -p kv -b z
-@@ -83,7 +84,7 @@ $(TARGET): $(OBJS)
-   $(RANLIB) $(TARGET)
- 
- $(TARGET2): $(TARGET) $(OBJS2)
--  $(CC) $(CFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS)
-+  $(CC) $(CFLAGS) $(LDFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS)
- 
- k.tab.c: keynote.y header.h keynote.h assertion.h config.h
-   $(YACC) $(YACCFLAGS) keynote.y
-@@ -131,7 +132,7 @@ $(SSLCERT) $(SSLKEY):
-   -keyout $(SSLKEY)
- 
- test-sample: all $(OBJS3)
--  $(CC) $(CFLAGS) -o $(TARGET3) $(OBJS3) $(LIBS)
-+  $(CC) $(CFLAGS) $(LDFLAGS) -o $(TARGET3) $(OBJS3) $(LIBS)
- 
- test-sig: all $(SSLCERT) $(SSLKEY)
-   $(SED) -e 's/--.*//' < $(SSLCERT) > $(SSLCERT).1
diff --git a/recipes-security/keynote/keynote-2.3/run-ptest 
b/recipes-security/keynote/keynote-2.3/run-ptest
deleted file mode 100644
index 4dc35c9..000
--- a/recipes-security/keynote/keynote-2.3/run-ptest
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-cd @PTEST_PATH@
-keynote verify -e testsuite/test-env \
-   -r false,maybe,probably,true \
-   -k testsuite/auth1 -k testsuite/auth2 \
-   -k testsuite/auth3 -k testsuite/auth4 \
-   -l testsuite/test-assertion1 \
-   -l testsuite/test-assertion2 \
-   -l testsuite/test-assertion3 \
-   -l testsuite/test-assertion4 \
-   -l testsuite/test-assertion5 \
-   -l testsuite/test-assertion6 \
-   -l testsuite/test-assertion7 \
-   && echo "PASS: keynote-ptest" \
-   || echo "FAIL: keynote-ptest"
diff --git a/recipes-security/keynote/keynote_2.3.bb 
b/recipes-security/keynote/keynote_2.3.bb

[yocto] [meta-security][PATCH] keynote: depend on openssl10

2018-09-12 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/keynote/keynote_2.3.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/keynote/keynote_2.3.bb 
b/recipes-security/keynote/keynote_2.3.bb
index 0300894..6ec26b8 100644
--- a/recipes-security/keynote/keynote_2.3.bb
+++ b/recipes-security/keynote/keynote_2.3.bb
@@ -23,7 +23,7 @@ inherit autotools-brokensep ptest
 SRC_URI[md5sum] = "a14553e6ad921b5c85026ce5bec3afe7"
 SRC_URI[sha256sum] = 
"38d2acfa1c3630a07adcb5c8fe92d2aef7f0e6d242b8998b2bbb1c6e4c408d46"
 
-DEPENDS = "flex openssl bison-native"
+DEPENDS = "flex openssl10 bison-native"
 
 EXTRA_OEMAKE += "test-sample -j1"
 
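Review bot: The change to `DEPENDS = "flex openssl10 bison-native"` comes with no description and no comment, so nothing records why keynote is tied to the `openssl10` recipe rather than the default `openssl`. Presumably keynote 2.3 does not build against the newer OpenSSL API, but that is an inference from the recipe name, not something the diff shows. Pinning a consumer to a legacy crypto library is worth a comment so that it gets revisited, e.g. `# keynote 2.3 needs the OpenSSL 1.0 API; switch back to openssl once ported`, once the reason is confirmed.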
-- 
2.7.4



Re: [yocto] [meta-selinux][PATCH 00/16] selinux: upgrade 2.7 -> 2.8

2018-09-06 Thread Yi Zhao

Ping


//Yi


在 2018年09月05日 08:18, Yi Zhao 写道:


Yi Zhao (16):
   selinux: uprev inc files to 2.8 (20180524)
   libsepol: uprev to 2.8 (20180524)
   libselinux: uprev to 2.8 (20180524)
   libsemanage: uprev to 2.8 (20180524)
   checkpolicy: uprev to 2.8 (20180524)
   secilc: uprev to 2.8 (20180524)
   policycoreutils: uprev to 2.8 (20180524)
   mcstrans: uprev to 2.8 (20180524)
   restorecond: uprev to 2.8 (20180524)
   selinux-sandbox: uprev to 2.8 (20180524)
   selinux-python: uprev to 2.8 (20180524)
   semodule-utils: uprev to 2.8 (20180524)
   selinux-dbus: uprev to 2.8 (20180524)
   selinux-gui: uprev to 2.8 (20180524)
   packagegroup-selinux-policycoreutils: remove
 semodule-utils-semodule-deps
   audit: uprev to 2.8.4

  .../audit/{audit_2.7.6.bb => audit_2.8.4.bb}   | 18 +++---
  .../packagegroup-selinux-policycoreutils.bb|  1 -
  recipes-security/selinux/checkpolicy.inc   |  1 -
  recipes-security/selinux/checkpolicy_2.7.bb|  7 --
  recipes-security/selinux/checkpolicy_2.8.bb|  7 ++
  recipes-security/selinux/libselinux.inc|  2 +-
  ...-Makefile-fix-includedir-in-libselinux.pc.patch | 20 ---
  .../{libselinux_2.7.bb => libselinux_2.8.bb}   |  6 ++---
  recipes-security/selinux/libsemanage.inc   | 12 ++---
  ...-Makefile-fix-includedir-in-libselinux.pc.patch | 20 ---
  .../{libsemanage_2.7.bb => libsemanage_2.8.bb} |  6 ++---
  ...rc-Makefile-fix-includedir-in-libsepol.pc.patch | 13 +-
  recipes-security/selinux/libsepol_2.7.bb   |  9 ---
  recipes-security/selinux/libsepol_2.8.bb   |  9 +++
  recipes-security/selinux/mcstrans.inc  |  1 -
  recipes-security/selinux/mcstrans_2.7.bb   |  7 --
  recipes-security/selinux/mcstrans_2.8.bb   |  7 ++
  recipes-security/selinux/policycoreutils.inc   |  8 +++---
  ...policycoreutils-fix-fixfiles-install-path.patch | 29 ++
  ...icycoreutils-fix-load_policy-install-path.patch | 29 ++
  .../policycoreutils-loadpolicy-symlink.patch   | 19 --
  recipes-security/selinux/policycoreutils_2.7.bb|  8 --
  recipes-security/selinux/policycoreutils_2.8.bb|  8 ++
  recipes-security/selinux/restorecond.inc   |  4 ---
  recipes-security/selinux/restorecond_2.7.bb|  7 --
  recipes-security/selinux/restorecond_2.8.bb|  7 ++
  recipes-security/selinux/secilc_2.7.bb |  7 --
  recipes-security/selinux/secilc_2.8.bb |  7 ++
  recipes-security/selinux/selinux-dbus_2.7.bb   |  7 --
  recipes-security/selinux/selinux-dbus_2.8.bb   |  7 ++
  recipes-security/selinux/selinux-gui_2.7.bb|  7 --
  recipes-security/selinux/selinux-gui_2.8.bb|  7 ++
  recipes-security/selinux/selinux-python.inc|  2 +-
  .../selinux-python/fix-sepolicy-install-path.patch | 23 +
  recipes-security/selinux/selinux-python_2.7.bb |  7 --
  recipes-security/selinux/selinux-python_2.8.bb |  7 ++
  recipes-security/selinux/selinux-sandbox_2.7.bb|  7 --
  recipes-security/selinux/selinux-sandbox_2.8.bb|  7 ++
  .../{selinux_20170804.inc => selinux_20180524.inc} |  2 +-
  recipes-security/selinux/selinux_common.inc|  9 ---
  recipes-security/selinux/semodule-utils.inc|  2 --
  recipes-security/selinux/semodule-utils_2.7.bb |  7 --
  recipes-security/selinux/semodule-utils_2.8.bb |  7 ++
  43 files changed, 209 insertions(+), 178 deletions(-)
  rename recipes-security/audit/{audit_2.7.6.bb => audit_2.8.4.bb} (91%)
  delete mode 100644 recipes-security/selinux/checkpolicy_2.7.bb
  create mode 100644 recipes-security/selinux/checkpolicy_2.8.bb
  rename recipes-security/selinux/{libselinux_2.7.bb => libselinux_2.8.bb} (72%)
  rename recipes-security/selinux/{libsemanage_2.7.bb => libsemanage_2.8.bb} 
(76%)
  delete mode 100644 recipes-security/selinux/libsepol_2.7.bb
  create mode 100644 recipes-security/selinux/libsepol_2.8.bb
  delete mode 100644 recipes-security/selinux/mcstrans_2.7.bb
  create mode 100644 recipes-security/selinux/mcstrans_2.8.bb
  create mode 100644 
recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch
  create mode 100644 
recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch
  delete mode 100644 
recipes-security/selinux/policycoreutils/policycoreutils-loadpolicy-symlink.patch
  delete mode 100644 recipes-security/selinux/policycoreutils_2.7.bb
  create mode 100644 recipes-security/selinux/policycoreutils_2.8.bb
  delete mode 100644 recipes-security/selinux/restorecond_2.7.bb
  create mode 100644 recipes-security/selinux/restorecond_2.8.bb
  delete mode 100644 recipes-security/selinux/secilc_2.7.bb
  create mode 100644 recipes-security/selinux/secilc_2.8.bb

[yocto] [meta-selinux][PATCH 16/16 V2] audit: uprev to 2.8.4

2018-09-04 Thread Yi Zhao
Add aarch64 support

Signed-off-by: Yi Zhao 
---
 .../audit/{audit_2.7.6.bb => audit_2.8.4.bb}  | 19 ++-
 1 file changed, 10 insertions(+), 9 deletions(-)
 rename recipes-security/audit/{audit_2.7.6.bb => audit_2.8.4.bb} (90%)

diff --git a/recipes-security/audit/audit_2.7.6.bb 
b/recipes-security/audit/audit_2.8.4.bb
similarity index 90%
rename from recipes-security/audit/audit_2.7.6.bb
rename to recipes-security/audit/audit_2.8.4.bb
index d655e64..c756552 100644
--- a/recipes-security/audit/audit_2.7.6.bb
+++ b/recipes-security/audit/audit_2.8.4.bb
@@ -15,8 +15,8 @@ SRC_URI = 
"http://people.redhat.com/sgrubb/${BPN}/${BPN}-${PV}.tar.gz \
file://auditd.service \
file://audit-volatile.conf \
 "
-SRC_URI[md5sum] = "55a81bbed973b58a90590c949e71dc3e"
-SRC_URI[sha256sum] = 
"fa65289cffdc95a25bfbdba541f43ee1b12c707090a38fd027dcf9354b9014e7"
+SRC_URI[md5sum] = "ec9510312564c3d9483bccf8dbda4779"
+SRC_URI[sha256sum] = 
"a410694d09fc5708d980a61a5abcb9633a591364f1ecc7e97ad5daef9c898c38"
 
 inherit autotools pythonnative update-rc.d systemd
 
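Review bot: The refreshed `SRC_URI[sha256sum]` is the only thing authenticating the 2.8.4 tarball, because the unchanged `SRC_URI` line in this hunk still fetches it over plain `http://`. A digest taken from that same unauthenticated download pins whatever was served, so the value should be checked against a copy obtained over TLS or a digest published by upstream. If the host serves the file over TLS, the URL should become `https://people.redhat.com/sgrubb/${BPN}/${BPN}-${PV}.tar.gz`. The same applies to the first hunk of the original [PATCH 16/16] posting of this change further down the page.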
@@ -30,16 +30,17 @@ SYSTEMD_SERVICE_auditd = "auditd.service"
 DEPENDS += "python tcp-wrappers libcap-ng linux-libc-headers (>= 2.6.30) 
swig-native"
 
 EXTRA_OECONF += "--without-prelude \
-   --with-libwrap \
-   --enable-gssapi-krb5=no \
-   --with-libcap-ng=yes \
-   --with-python=yes \
-   --libdir=${base_libdir} \
-   --sbindir=${base_sbindir} \
+--with-libwrap \
+--enable-gssapi-krb5=no \
+--with-libcap-ng=yes \
+--with-python=yes \
+--libdir=${base_libdir} \
+--sbindir=${base_sbindir} \
 --without-python3 \
 --disable-zos-remote \
-   "
+"
 EXTRA_OECONF_append_arm = " --with-arm=yes"
+EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes"
 
 EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \
PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
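Review bot: The one functional line in this hunk, `EXTRA_OECONF_append_aarch64 = " --with-aarch64=yes"`, is buried under a re-indentation of every `EXTRA_OECONF` continuation line. Splitting the whitespace change into its own commit would let a reviewer see at a glance that no configure switch (`--with-libwrap`, `--enable-gssapi-krb5=no`, and so on) changed value. The `EXTRA_OEMAKE` assignment at the end of the hunk continues outside it.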
-- 
2.7.4



[yocto] [meta-selinux][PATCH 16/16] audit: uprev to 2.8.4

2018-09-04 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 .../audit/{audit_2.7.6.bb => audit_2.8.4.bb}   | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)
 rename recipes-security/audit/{audit_2.7.6.bb => audit_2.8.4.bb} (91%)

diff --git a/recipes-security/audit/audit_2.7.6.bb 
b/recipes-security/audit/audit_2.8.4.bb
similarity index 91%
rename from recipes-security/audit/audit_2.7.6.bb
rename to recipes-security/audit/audit_2.8.4.bb
index d655e64..dcec34d 100644
--- a/recipes-security/audit/audit_2.7.6.bb
+++ b/recipes-security/audit/audit_2.8.4.bb
@@ -15,8 +15,8 @@ SRC_URI = 
"http://people.redhat.com/sgrubb/${BPN}/${BPN}-${PV}.tar.gz \
file://auditd.service \
file://audit-volatile.conf \
 "
-SRC_URI[md5sum] = "55a81bbed973b58a90590c949e71dc3e"
-SRC_URI[sha256sum] = 
"fa65289cffdc95a25bfbdba541f43ee1b12c707090a38fd027dcf9354b9014e7"
+SRC_URI[md5sum] = "ec9510312564c3d9483bccf8dbda4779"
+SRC_URI[sha256sum] = 
"a410694d09fc5708d980a61a5abcb9633a591364f1ecc7e97ad5daef9c898c38"
 
 inherit autotools pythonnative update-rc.d systemd
 
@@ -30,15 +30,15 @@ SYSTEMD_SERVICE_auditd = "auditd.service"
 DEPENDS += "python tcp-wrappers libcap-ng linux-libc-headers (>= 2.6.30) 
swig-native"
 
 EXTRA_OECONF += "--without-prelude \
-   --with-libwrap \
-   --enable-gssapi-krb5=no \
-   --with-libcap-ng=yes \
-   --with-python=yes \
-   --libdir=${base_libdir} \
-   --sbindir=${base_sbindir} \
+--with-libwrap \
+--enable-gssapi-krb5=no \
+--with-libcap-ng=yes \
+--with-python=yes \
+--libdir=${base_libdir} \
+--sbindir=${base_sbindir} \
 --without-python3 \
 --disable-zos-remote \
-   "
+"
 EXTRA_OECONF_append_arm = " --with-arm=yes"
 
 EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \
-- 
2.7.4



[yocto] [meta-selinux][PATCH 15/16] packagegroup-selinux-policycoreutils: remove semodule-utils-semodule-deps

2018-09-04 Thread Yi Zhao
Remove package semodule-utils-semodule-deps as it had been removed
upstream.

Signed-off-by: Yi Zhao 
---
 recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb | 1 -
 1 file changed, 1 deletion(-)

diff --git 
a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb 
b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
index e70baf7..2263592 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
@@ -20,7 +20,6 @@ RDEPENDS_${PN} = "\
policycoreutils-setfiles \
policycoreutils-setsebool \
policycoreutils-hll \
-   semodule-utils-semodule-deps \
semodule-utils-semodule-expand \
semodule-utils-semodule-link \
semodule-utils-semodule-package \
-- 
2.7.4



[yocto] [meta-selinux][PATCH 14/16] selinux-gui: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-gui_2.7.bb | 7 ---
 recipes-security/selinux/selinux-gui_2.8.bb | 7 +++
 2 files changed, 7 insertions(+), 7 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-gui_2.7.bb
 create mode 100644 recipes-security/selinux/selinux-gui_2.8.bb

diff --git a/recipes-security/selinux/selinux-gui_2.7.bb 
b/recipes-security/selinux/selinux-gui_2.7.bb
deleted file mode 100644
index 3531591..000
--- a/recipes-security/selinux/selinux-gui_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "f3555cb50a9e67b42bc917ede1982c7d"
-SRC_URI[sha256sum] = 
"693fb3347041b5a2273c52c33be0a256b109e60f2039ae1d7e90ba8a2ec0324f"
diff --git a/recipes-security/selinux/selinux-gui_2.8.bb 
b/recipes-security/selinux/selinux-gui_2.8.bb
new file mode 100644
index 000..2c0fcd8
--- /dev/null
+++ b/recipes-security/selinux/selinux-gui_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "52000c14ffa86840220915bd1d777845"
+SRC_URI[sha256sum] = 
"17acd3004f01f92b288cc1322317d7964f5039fb26ba1542b6713a7147a2351d"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 13/16] selinux-dbus: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-dbus_2.7.bb | 7 ---
 recipes-security/selinux/selinux-dbus_2.8.bb | 7 +++
 2 files changed, 7 insertions(+), 7 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-dbus_2.7.bb
 create mode 100644 recipes-security/selinux/selinux-dbus_2.8.bb

diff --git a/recipes-security/selinux/selinux-dbus_2.7.bb 
b/recipes-security/selinux/selinux-dbus_2.7.bb
deleted file mode 100644
index a4f14ed..000
--- a/recipes-security/selinux/selinux-dbus_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "6944aa95cfb44e4d76b1aff48b38f08e"
-SRC_URI[sha256sum] = 
"a7f3dbe68c0d02cd1cbe6aac06e87c2957668cb88083389654fabacb79641ae4"
diff --git a/recipes-security/selinux/selinux-dbus_2.8.bb 
b/recipes-security/selinux/selinux-dbus_2.8.bb
new file mode 100644
index 000..5091624
--- /dev/null
+++ b/recipes-security/selinux/selinux-dbus_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "23f0264df3ed123904a17d71f2a5b325"
+SRC_URI[sha256sum] = 
"3339cb9cd77579bab6158afc054409c3bf952e282ef957ea732b19c9f4697bc6"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 12/16] semodule-utils: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Remove package semodule-deps as it had been removed upstream.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/semodule-utils.inc| 2 --
 recipes-security/selinux/semodule-utils_2.7.bb | 7 ---
 recipes-security/selinux/semodule-utils_2.8.bb | 7 +++
 3 files changed, 7 insertions(+), 9 deletions(-)
 delete mode 100644 recipes-security/selinux/semodule-utils_2.7.bb
 create mode 100644 recipes-security/selinux/semodule-utils_2.8.bb

diff --git a/recipes-security/selinux/semodule-utils.inc 
b/recipes-security/selinux/semodule-utils.inc
index 23176e5..23cbd14 100644
--- a/recipes-security/selinux/semodule-utils.inc
+++ b/recipes-security/selinux/semodule-utils.inc
@@ -12,12 +12,10 @@ RDEPENDS_${PN}-dev = ""
 EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
 
 PACKAGES =+ "\
-${PN}-semodule-deps \
 ${PN}-semodule-expand \
 ${PN}-semodule-link \
 ${PN}-semodule-package \
 "
-FILES_${PN}-semodule-deps += "${bindir}/semodule_deps"
 FILES_${PN}-semodule-expand += "${bindir}/semodule_expand"
 FILES_${PN}-semodule-link += "${bindir}/semodule_link"
 FILES_${PN}-semodule-package += "\
diff --git a/recipes-security/selinux/semodule-utils_2.7.bb 
b/recipes-security/selinux/semodule-utils_2.7.bb
deleted file mode 100644
index fbb88bf..000
--- a/recipes-security/selinux/semodule-utils_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "678e3a5225f9645d40fd9d13bbaa156f"
-SRC_URI[sha256sum] = 
"90c98b3362a43b4da2a51a9176820a56f3e615225e23e3395bc566c4490786ba"
diff --git a/recipes-security/selinux/semodule-utils_2.8.bb 
b/recipes-security/selinux/semodule-utils_2.8.bb
new file mode 100644
index 000..c56f776
--- /dev/null
+++ b/recipes-security/selinux/semodule-utils_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "51c69e612481ce971e2ae825139d2ca0"
+SRC_URI[sha256sum] = 
"44f59c13070c637440b143ceab4dfe1efb9018b1e47828dd8789def74c1ccadf"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 11/16] selinux-python: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Rebase patch:
fix-sepolicy-install-path.patch

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-python.inc|  2 +-
 .../selinux-python/fix-sepolicy-install-path.patch | 23 --
 recipes-security/selinux/selinux-python_2.7.bb |  7 ---
 recipes-security/selinux/selinux-python_2.8.bb |  7 +++
 4 files changed, 21 insertions(+), 18 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-python_2.7.bb
 create mode 100644 recipes-security/selinux/selinux-python_2.8.bb

diff --git a/recipes-security/selinux/selinux-python.inc 
b/recipes-security/selinux/selinux-python.inc
index 2a5d657..c774de4 100644
--- a/recipes-security/selinux/selinux-python.inc
+++ b/recipes-security/selinux/selinux-python.inc
@@ -102,7 +102,7 @@ FILES_${PN} += "\
 EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
 do_install() {
 oe_runmake DESTDIR=${D} \
-LIBDIR="${D}${libdir}" \
+LIBDIR="${libdir}" \
 
PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
 install
 }
diff --git 
a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch 
b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
index 1d54231..6f68c94 100644
--- a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
+++ b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
@@ -1,4 +1,4 @@
-From 69e8697cd2ae48710ff8190bad3e61d2fd115b99 Mon Sep 17 00:00:00 2001
+From c1aae6cc131371729f098e4b0aa02142a85b5890 Mon Sep 17 00:00:00 2001
 From: Xin Ouyang 
 Date: Mon, 23 Sep 2013 21:17:59 +0800
 Subject: [PATCH] policycoreutils: fix install path for new pymodule sepolicy
@@ -7,16 +7,16 @@ Uptream-Status: Pending
 
 Signed-off-by: Xin Ouyang 
 Signed-off-by: Wenzong Fan 
-
+Signed-off-by: Yi Zhao 
 ---
  sepolicy/Makefile | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/sepolicy/Makefile b/sepolicy/Makefile
-index 5a56e6c..82c3e36 100644
+index fb8a132..a6ee749 100644
 --- a/sepolicy/Makefile
 +++ b/sepolicy/Makefile
-@@ -12,6 +12,8 @@ SHAREDIR ?= $(PREFIX)/share/sandbox
+@@ -8,6 +8,8 @@ BASHCOMPLETIONDIR ?= 
$(PREFIX)/share/bash-completion/completions
  CFLAGS ?= -Wall -Werror -Wextra -W
  override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared
  
@@ -25,12 +25,15 @@ index 5a56e6c..82c3e36 100644
  BASHCOMPLETIONS=sepolicy-bash-completion.sh
  
  all: python-build
-@@ -30,7 +32,7 @@ test:
+@@ -26,7 +28,7 @@ test:
@$(PYTHON) test_sepolicy.py -v
  
  install:
--  $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root 
$(DESTDIR)`
-+  $(PYTHON) setup.py install --install-lib 
$(LIBDIR)/$(PYLIBVER)/site-packages
-   [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
-   install -m 755 sepolicy.py $(BINDIR)/sepolicy
-   (cd $(BINDIR); ln -sf sepolicy sepolgen)
+-  $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && 
echo --root $(DESTDIR)`
++  $(PYTHON) setup.py install --prefix=$(PREFIX) --install-lib 
$(DESTDIR)$(LIBDIR)/$(PYLIBVER)/site-packages
+   [ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
+   install -m 755 sepolicy.py $(DESTDIR)$(BINDIR)/sepolicy
+   (cd $(DESTDIR)$(BINDIR); ln -sf sepolicy sepolgen)
+-- 
+2.7.4
+
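Review bot: The rewritten `setup.py install` line drops the `--root $(DESTDIR)` argument and redirects only `--install-lib` into `$(DESTDIR)`. Anything else setup.py installs (scripts, data files) would then be written under `$(PREFIX)` on the build host instead of the staging tree. Whether sepolicy's setup.py declares such files is not visible here, so this needs confirming. The safer form keeps the upstream `--root $(DESTDIR)` test and passes `--install-lib $(LIBDIR)/$(PYLIBVER)/site-packages` without the `$(DESTDIR)` prefix, since the root is applied to the library directory as well. The `install` rule continues outside this hunk.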
diff --git a/recipes-security/selinux/selinux-python_2.7.bb 
b/recipes-security/selinux/selinux-python_2.7.bb
deleted file mode 100644
index f98be5f..000
--- a/recipes-security/selinux/selinux-python_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "b118229d34a6aec34471c3c2c9cac172"
-SRC_URI[sha256sum] = 
"4217cb965ecda96c91e15ffcc2e7ddd13ecc2bf5631100f3cd072a7616f140ed"
diff --git a/recipes-security/selinux/selinux-python_2.8.bb 
b/recipes-security/selinux/selinux-python_2.8.bb
new file mode 100644
index 000..d63fdef
--- /dev/null
+++ b/recipes-security/selinux/selinux-python_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "bd9850808203c76f07efd396bde790e3"
+SRC_URI[sha256sum] = 
"e69f5e24820cb247a3d881a9c90efba1e64d76af863c82fb81bc3b87ed71e238"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 10/16] selinux-sandbox: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-sandbox_2.7.bb | 7 ---
 recipes-security/selinux/selinux-sandbox_2.8.bb | 7 +++
 2 files changed, 7 insertions(+), 7 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-sandbox_2.7.bb
 create mode 100644 recipes-security/selinux/selinux-sandbox_2.8.bb

diff --git a/recipes-security/selinux/selinux-sandbox_2.7.bb 
b/recipes-security/selinux/selinux-sandbox_2.7.bb
deleted file mode 100644
index 1307ce7..000
--- a/recipes-security/selinux/selinux-sandbox_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "7360e9dc7b1757b7f82face655982bfa"
-SRC_URI[sha256sum] = 
"9490620380ab6d428a92869002a51ada0343ca35fa2a6905595745902a64c541"
diff --git a/recipes-security/selinux/selinux-sandbox_2.8.bb 
b/recipes-security/selinux/selinux-sandbox_2.8.bb
new file mode 100644
index 000..1eb6c2d
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "957f5d0fc7724f93f502d1d632568894"
+SRC_URI[sha256sum] = 
"025f84f76e07b7bfc9ba1e9215f4ddb646d41a2e935a65e07560feaa6fc20ef3"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 09/16] restorecond: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/restorecond.inc| 4 
 recipes-security/selinux/restorecond_2.7.bb | 7 ---
 recipes-security/selinux/restorecond_2.8.bb | 7 +++
 3 files changed, 7 insertions(+), 11 deletions(-)
 delete mode 100644 recipes-security/selinux/restorecond_2.7.bb
 create mode 100644 recipes-security/selinux/restorecond_2.8.bb

diff --git a/recipes-security/selinux/restorecond.inc 
b/recipes-security/selinux/restorecond.inc
index 6f12d23..d168303 100644
--- a/recipes-security/selinux/restorecond.inc
+++ b/recipes-security/selinux/restorecond.inc
@@ -18,10 +18,6 @@ DEPENDS += "libsepol libselinux libpcre dbus-glib glib-2.0 
pkgconfig-native"
 FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
 "
 
-do_install_prepend() {
-export SYSTEMDDIR=${D}/${systemd_unitdir}
-}
-
 SYSTEMD_SERVICE_restorecond = "restorecond.service"
 INITSCRIPT_PACKAGES = "restorecond"
 INITSCRIPT_NAME_restorecond = "restorecond"
diff --git a/recipes-security/selinux/restorecond_2.7.bb 
b/recipes-security/selinux/restorecond_2.7.bb
deleted file mode 100644
index 1f9a70c..000
--- a/recipes-security/selinux/restorecond_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "46f8ad0a37f955ef148d4e19b8cc8b1f"
-SRC_URI[sha256sum] = 
"cb8e0a8d706cb2c1f105125f3514defcbcfb49199183a7f91ab0bdf1f24d"
diff --git a/recipes-security/selinux/restorecond_2.8.bb 
b/recipes-security/selinux/restorecond_2.8.bb
new file mode 100644
index 000..4a83a23
--- /dev/null
+++ b/recipes-security/selinux/restorecond_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "cfe4e4d6184623fdcb9bc2681e693abb"
+SRC_URI[sha256sum] = 
"323cab1128e5308cd85fea0e5c98e3c8973e1ada0b659f2fce76187e192271bf"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 08/16] mcstrans: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/mcstrans.inc| 1 -
 recipes-security/selinux/mcstrans_2.7.bb | 7 ---
 recipes-security/selinux/mcstrans_2.8.bb | 7 +++
 3 files changed, 7 insertions(+), 8 deletions(-)
 delete mode 100644 recipes-security/selinux/mcstrans_2.7.bb
 create mode 100644 recipes-security/selinux/mcstrans_2.8.bb

diff --git a/recipes-security/selinux/mcstrans.inc 
b/recipes-security/selinux/mcstrans.inc
index 996e8d0..2568c8d 100644
--- a/recipes-security/selinux/mcstrans.inc
+++ b/recipes-security/selinux/mcstrans.inc
@@ -14,7 +14,6 @@ inherit systemd update-rc.d
 
 DEPENDS += "libsepol libselinux libcap"
 
-EXTRA_OEMAKE += "SYSTEMDDIR=${D}${systemd_unitdir} 
SBINDIR=${D}/${base_sbindir}"
 do_install_append() {
 install -d ${D}${sbindir}
 install -m 755 utils/untranscon ${D}${sbindir}/
diff --git a/recipes-security/selinux/mcstrans_2.7.bb 
b/recipes-security/selinux/mcstrans_2.7.bb
deleted file mode 100644
index 2d5bbfd..000
--- a/recipes-security/selinux/mcstrans_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-
-SRC_URI[md5sum] = "edba0f72fdf7fdd1ad0a2c6d102e8cfa"
-SRC_URI[sha256sum] = 
"cdca003282d160b50ad695ab5b013c05ca21387a419b2f89288534184d16e1e2"
diff --git a/recipes-security/selinux/mcstrans_2.8.bb 
b/recipes-security/selinux/mcstrans_2.8.bb
new file mode 100644
index 000..8923c3c
--- /dev/null
+++ b/recipes-security/selinux/mcstrans_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+SRC_URI[md5sum] = "3a0edb2a8b6a255199824abd58c0906c"
+SRC_URI[sha256sum] = 
"ec6ea65660550ed6bbd2a834725ba7526ac53599753d7b95072e4afd4afc14e4"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 07/16] policycoreutils: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Remove unused patch:
policycoreutils-loadpolicy-symlink.patch

Add the following patches to change commands path for backward
compatibility:
policycoreutils-fix-fixfiles-install-path.patch
policycoreutils-fix-load_policy-install-path.patch

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/policycoreutils.inc   |  8 +++---
 ...policycoreutils-fix-fixfiles-install-path.patch | 29 ++
 ...icycoreutils-fix-load_policy-install-path.patch | 29 ++
 .../policycoreutils-loadpolicy-symlink.patch   | 19 --
 recipes-security/selinux/policycoreutils_2.7.bb|  8 --
 recipes-security/selinux/policycoreutils_2.8.bb|  8 ++
 6 files changed, 70 insertions(+), 31 deletions(-)
 create mode 100644 
recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch
 create mode 100644 
recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch
 delete mode 100644 
recipes-security/selinux/policycoreutils/policycoreutils-loadpolicy-symlink.patch
 delete mode 100644 recipes-security/selinux/policycoreutils_2.7.bb
 create mode 100644 recipes-security/selinux/policycoreutils_2.8.bb

diff --git a/recipes-security/selinux/policycoreutils.inc 
b/recipes-security/selinux/policycoreutils.inc
index b7cb510..854cf4d 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -9,6 +9,8 @@ LICENSE = "GPLv2+"
 
 SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', 
'', d)} \
 file://policycoreutils-fixfiles-de-bashify.patch \
+file://policycoreutils-fix-fixfiles-install-path.patch \
+file://policycoreutils-fix-load_policy-install-path.patch \
"
 
 PAM_SRC_URI = "file://pam.d/newrole \
@@ -46,7 +48,6 @@ RDEPENDS_${BPN}-semodule += "\
libsemanage \
 "
 # static link to libsepol
-DEPENDS_${BPN}-semodule-deps += "libsepol"
 RDEPENDS_${BPN}-semodule-expand += "libsepol libselinux"
 RDEPENDS_${BPN}-semodule-link += "libsepol libselinux"
 RDEPENDS_${BPN}-semodule-package += "libsepol libselinux"
@@ -157,15 +158,14 @@ do_compile_prepend() {
 
 do_install_prepend() {
export PYTHON=python
-   export SEMODULE_PATH=${sbindir} SYSTEMDDIR=${D}/${systemd_unitdir}
 }
 
 do_install_class-native() {
for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
 oe_runmake -C $PCU_CMD install \
DESTDIR="${D}" \
-   PREFIX="${D}/${prefix}" \
-   SBINDIR="${D}/${base_sbindir}"
+   PREFIX="${prefix}" \
+   SBINDIR="${base_sbindir}"
done
 }
 
diff --git 
a/recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch
 
b/recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch
new file mode 100644
index 000..96d2075
--- /dev/null
+++ 
b/recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch
@@ -0,0 +1,29 @@
+From 0546ad883d98799972034f8e0fdc6ca2a7319b07 Mon Sep 17 00:00:00 2001
+From: Yi Zhao 
+Date: Tue, 4 Sep 2018 14:14:45 +0800
+Subject: [PATCH] policycoreutils: fix fixfiles install path
+
+Change path from /usr/sbin to /sbin for backward compatibility
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao 
+---
+ scripts/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/Makefile b/scripts/Makefile
+index afe5dc4..f7a9e34 100644
+--- a/scripts/Makefile
 b/scripts/Makefile
+@@ -1,6 +1,6 @@
+ # Installation directories.
+ PREFIX ?= /usr
+-SBINDIR ?= $(PREFIX)/sbin
++SBINDIR ?= /sbin
+ MANDIR ?= $(PREFIX)/share/man
+ 
+ .PHONY: all
+-- 
+2.7.4
+
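Review bot: `SBINDIR ?= /sbin` hard-codes the install directory inside a carried patch instead of taking it from the recipe, so the location of fixfiles no longer follows `${base_sbindir}` on configurations that set it differently. For SELinux tools the path also decides the label, because file-context entries are path based; it is worth confirming that the shipped policy labels `/sbin/fixfiles` and `/sbin/load_policy` as intended. Since the assignment is `?=`, passing `SBINDIR=${base_sbindir}` from the recipe, as `do_install_class-native` in policycoreutils.inc already does, may make the patch unnecessary. The load_policy patch that follows carries the same one-line change.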
diff --git 
a/recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch
 
b/recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch
new file mode 100644
index 000..2136781
--- /dev/null
+++ 
b/recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch
@@ -0,0 +1,29 @@
+From 46077df498b8bb54964506f03fd95390a392 Mon Sep 17 00:00:00 2001
+From: Yi Zhao 
+Date: Tue, 4 Sep 2018 14:41:13 +0800
+Subject: [PATCH] policycoreutils: fix load_policy install path
+
+Change path from /usr/sbin to /sbin for backward compatibility
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao 
+---
+ load_policy/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/load_policy/Makefile b/load_policy/Makefile
+index 568d5d4..7fbd077 100644
+--- a/load_policy/Makefile
 b/load_policy/Makefile
+@@ -1,6 +1,6 @@
+ # Installation directories.
+ PREFIX ?= /usr
+-SBINDIR ?= $(PREFIX)/sbin
++SBINDIR ?= /sbin
+ MANDIR ?

[yocto] [meta-selinux][PATCH 06/16] secilc: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/secilc_2.7.bb | 7 ---
 recipes-security/selinux/secilc_2.8.bb | 7 +++
 2 files changed, 7 insertions(+), 7 deletions(-)
 delete mode 100644 recipes-security/selinux/secilc_2.7.bb
 create mode 100644 recipes-security/selinux/secilc_2.8.bb

diff --git a/recipes-security/selinux/secilc_2.7.bb 
b/recipes-security/selinux/secilc_2.7.bb
deleted file mode 100644
index 611f165..000
--- a/recipes-security/selinux/secilc_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
-
-SRC_URI[md5sum] = "301a4e477bc7214be16558f7c2dcbcff"
-SRC_URI[sha256sum] = 
"9ec63dd64645c718f66d33c96299adfe0445b0aa62d7ac8c642f873c570609c5"
diff --git a/recipes-security/selinux/secilc_2.8.bb 
b/recipes-security/selinux/secilc_2.8.bb
new file mode 100644
index 000..89e0684
--- /dev/null
+++ b/recipes-security/selinux/secilc_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
+
+SRC_URI[md5sum] = "a3c363545842aadc6645a94112b476e7"
+SRC_URI[sha256sum] = 
"cfe15f2e06b3013c9dfc46cf42234ff07fb61866c4c29d739eb8858f83b214d4"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 05/16] checkpolicy: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/checkpolicy.inc| 1 -
 recipes-security/selinux/checkpolicy_2.7.bb | 7 ---
 recipes-security/selinux/checkpolicy_2.8.bb | 7 +++
 3 files changed, 7 insertions(+), 8 deletions(-)
 delete mode 100644 recipes-security/selinux/checkpolicy_2.7.bb
 create mode 100644 recipes-security/selinux/checkpolicy_2.8.bb

diff --git a/recipes-security/selinux/checkpolicy.inc 
b/recipes-security/selinux/checkpolicy.inc
index 878c656..1d84ebb 100644
--- a/recipes-security/selinux/checkpolicy.inc
+++ b/recipes-security/selinux/checkpolicy.inc
@@ -11,7 +11,6 @@ LICENSE = "GPLv2+"
 
 DEPENDS += "libsepol bison-native flex-native"
 
-EXTRA_OEMAKE += "PREFIX=${D}" 
 EXTRA_OEMAKE += "LEX='flex'"
 EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
 
diff --git a/recipes-security/selinux/checkpolicy_2.7.bb 
b/recipes-security/selinux/checkpolicy_2.7.bb
deleted file mode 100644
index 90b8109..000
--- a/recipes-security/selinux/checkpolicy_2.7.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "5c718eaad4d3015bd5665ffde77b50fd"
-SRC_URI[sha256sum] = 
"5413479f1dcde866c19896b4dbfec315d822aa431606e1d03c944408984c3201"
diff --git a/recipes-security/selinux/checkpolicy_2.8.bb 
b/recipes-security/selinux/checkpolicy_2.8.bb
new file mode 100644
index 000..05e738e
--- /dev/null
+++ b/recipes-security/selinux/checkpolicy_2.8.bb
@@ -0,0 +1,7 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "5d23a3209048c8cf70f3c13c4ce4245f"
+SRC_URI[sha256sum] = 
"9dec811c24b88e58c3bf741365eacf1dbb945531a2fcb8f284aacf68098194c8"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 04/16] libsemanage: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Rebase patch:
0001-src-Makefile-fix-includedir-in-libselinux.pc.patch

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/libsemanage.inc | 12 ++--
 ...rc-Makefile-fix-includedir-in-libselinux.pc.patch | 20 +++-
 .../{libsemanage_2.7.bb => libsemanage_2.8.bb}   |  6 +++---
 3 files changed, 16 insertions(+), 22 deletions(-)
 rename recipes-security/selinux/{libsemanage_2.7.bb => libsemanage_2.8.bb} 
(76%)

diff --git a/recipes-security/selinux/libsemanage.inc 
b/recipes-security/selinux/libsemanage.inc
index d957d89..be0a5f1 100644
--- a/recipes-security/selinux/libsemanage.inc
+++ b/recipes-security/selinux/libsemanage.inc
@@ -32,18 +32,10 @@ do_compile_append() {
 PYTHONLIBDIR='${PYLIB}'
 }
 
-do_install() {
-oe_runmake install \
-DESTDIR="${D}" \
-PREFIX="${D}/${prefix}" \
-INCLUDEDIR="${D}/${includedir}" \
-LIBDIR="${D}/${libdir}" \
-SHLIBDIR="${D}/${libdir}"
-
+do_install_append() {
 oe_runmake install-pywrap swigify \
-DESTDIR=${D} \
 PYCEXT='.so' \
-
PYSITEDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
+
PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
 PYLIBVER='python${PYTHON_BASEVERSION}' \
 PYLIBDIR='${D}/${libdir}/$(PYLIBVER)'
 
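Review bot: The `install-pywrap swigify` call in the new `do_install_append` still embeds `${D}` in `PYTHONLIBDIR` and `PYLIBDIR`, which is only correct while no `DESTDIR` reaches this invocation. The hunk removes the explicit `DESTDIR=${D}`, but if one arrives through `EXTRA_OEMAKE` or the environment (not visible here) the staging prefix would be applied twice. This also differs from patch 01/16, where `${D}` is removed from the paths in selinux_common.inc, and the same `${D}`-prefixed `PYTHONLIBDIR` appears in the libselinux.inc hunk of 03/16. A comment above the call, such as `# no DESTDIR on this call; PYTHONLIBDIR/PYLIBDIR carry ${D} themselves`, would make the convention explicit. The body of `do_install_append` continues past the end of the hunk.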
diff --git 
a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
 
b/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
index 3d1e110..73613d3 100644
--- 
a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
+++ 
b/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
@@ -1,4 +1,4 @@
-From 992d02fe0d08361529a5d158119c02521786798f Mon Sep 17 00:00:00 2001
+From e773c0952b06370d81e9b113f9b0b3388e323e52 Mon Sep 17 00:00:00 2001
 From: Robert Yang 
 Date: Thu, 18 Feb 2016 02:39:16 +
 Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc
@@ -6,21 +6,23 @@ Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc
 Upstream-Status: Pending
 
 Signed-off-by: Robert Yang 
-
+Signed-off-by: Yi Zhao 
 ---
- src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ src/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
 
 diff --git a/src/Makefile b/src/Makefile
-index e8831ab..d3d4644 100644
+index dea751e..4af4568 100644
 --- a/src/Makefile
 +++ b/src/Makefile
-@@ -103,7 +103,7 @@ $(LIBSO): $(LOBJS)
-   ln -sf $@ $(TARGET)
+@@ -93,6 +93,7 @@ $(LIBSO): $(LOBJS)
  
  $(LIBPC): $(LIBPC).in ../VERSION
--  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBBASE):; s:@includedir@:${prefix}/include:' < $< > $@
+   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
++  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@
  
  semanageswig_python_exception.i: ../include/semanage/semanage.h
bash -e exception.sh > $@ || (rm -f $@ ; false)
+-- 
+2.7.4
+
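Review bot: The rebased Makefile hunk adds the new `sed` line under `$(LIBPC)` but keeps the original `sed` as context instead of removing it, so the recipe would write `$@` twice, with the second run overwriting the first. The libselinux copy of this patch in 03/16 has the same shape, whereas the libsepol rebase in 02/16 replaces the line (`-`/`+`), which looks like the intended form. Turning the retained context line into a removal, so that the embedded diffstat reads one insertion and one deletion, leaves a single writer of the .pc file. `${libdir}` and `${prefix}` are not defined in the visible Makefile context and presumably come from the build environment; a sentence in the patch header saying so would help whoever rebases it next.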
diff --git a/recipes-security/selinux/libsemanage_2.7.bb 
b/recipes-security/selinux/libsemanage_2.8.bb
similarity index 76%
rename from recipes-security/selinux/libsemanage_2.7.bb
rename to recipes-security/selinux/libsemanage_2.8.bb
index d7b5312..38942e3 100644
--- a/recipes-security/selinux/libsemanage_2.7.bb
+++ b/recipes-security/selinux/libsemanage_2.8.bb
@@ -1,10 +1,10 @@
-include selinux_20170804.inc
+include selinux_20180524.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
 
-SRC_URI[md5sum] = "a6b5c451fbe45ff9e3e0e65f2db0ae1d"
-SRC_URI[sha256sum] = 
"07e9477714ce6a4557a1fe924ea4cb06501b62d0fa0e3c0dc32a2cf47cb8d476"
+SRC_URI[md5sum] = "62ed7bb2ede677a735f2750751677a4f"
+SRC_URI[sha256sum] = 
"1c0de8d2c51e5460926c21e371105c84a39087dfd8f8e9f0cc1d017e4cbea8e2"
 
 SRC_URI += "\
file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
-- 
2.7.4



[yocto] [meta-selinux][PATCH 03/16] libselinux: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Rebase patch:
0001-src-Makefile-fix-includedir-in-libselinux.pc.patch

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/libselinux.inc  |  2 +-
 ...rc-Makefile-fix-includedir-in-libselinux.pc.patch | 20 +++-
 .../selinux/{libselinux_2.7.bb => libselinux_2.8.bb} |  6 +++---
 3 files changed, 15 insertions(+), 13 deletions(-)
 rename recipes-security/selinux/{libselinux_2.7.bb => libselinux_2.8.bb} (72%)

diff --git a/recipes-security/selinux/libselinux.inc 
b/recipes-security/selinux/libselinux.inc
index 51d0875..17c29f9 100644
--- a/recipes-security/selinux/libselinux.inc
+++ b/recipes-security/selinux/libselinux.inc
@@ -33,7 +33,7 @@ do_compile_append() {
 
 do_install_append() {
 oe_runmake install-pywrap swigify \
-PYSITEDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages
+
PYTHONLIBDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages
 rm -rf ${D}${base_sbindir}
 }
 
diff --git 
a/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
 
b/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
index 725141f..46cfaaf 100644
--- 
a/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
+++ 
b/recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
@@ -1,4 +1,4 @@
-From 3f633e310851cb029cb4f38d9e11a3aaef8d1099 Mon Sep 17 00:00:00 2001
+From 37f3299e8f5c468fe692f36356c2c35f968b6aee Mon Sep 17 00:00:00 2001
 From: Robert Yang 
 Date: Thu, 18 Feb 2016 02:39:16 +
 Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc
@@ -6,21 +6,23 @@ Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc
 Upstream-Status: Pending
 
 Signed-off-by: Robert Yang 
-
+Signed-off-by: Yi Zhao 
 ---
- src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ src/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
 
 diff --git a/src/Makefile b/src/Makefile
-index a89c0f7..f304032 100644
+index 977b5c8..92a4289 100644
 --- a/src/Makefile
 +++ b/src/Makefile
-@@ -148,7 +148,7 @@ $(LIBSO): $(LOBJS)
-   ln -sf $@ $(TARGET)
+@@ -156,6 +156,7 @@ $(LIBSO): $(LOBJS)
  
  $(LIBPC): $(LIBPC).in ../VERSION
--  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBBASE):; s:@includedir@:${prefix}/include:' < $< > $@
+   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; 
s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@
++  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:; 
s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@
  
  selinuxswig_python_exception.i: ../include/selinux/selinux.h
bash -e exception.sh > $@ || (rm -f $@ ; false)
+-- 
+2.7.4
+
diff --git a/recipes-security/selinux/libselinux_2.7.bb 
b/recipes-security/selinux/libselinux_2.8.bb
similarity index 72%
rename from recipes-security/selinux/libselinux_2.7.bb
rename to recipes-security/selinux/libselinux_2.8.bb
index e0d01fc..5de4607 100644
--- a/recipes-security/selinux/libselinux_2.7.bb
+++ b/recipes-security/selinux/libselinux_2.8.bb
@@ -1,10 +1,10 @@
-include selinux_20170804.inc
+include selinux_20180524.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
 
-SRC_URI[md5sum] = "1d48ee4e9fadd76794d70c806b69ba7d"
-SRC_URI[sha256sum] = 
"d0fec0769b3ad60aa7baf9b9a4b7a056827769dc2dadda0dc0eb59b3d1c18c57"
+SRC_URI[md5sum] = "56057e60192b21122c1aede8ff723ca2"
+SRC_URI[sha256sum] = 
"31db96ec7643ce10912b3c3f98506a08a9116dcfe151855fd349c3fda96187e1"
 
 SRC_URI += "\
 file://libselinux-drop-Wno-unused-but-set-variable.patch \
-- 
2.7.4



[yocto] [meta-selinux][PATCH 02/16] libsepol: uprev to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Rebase patch:
0001-src-Makefile-fix-includedir-in-libsepol.pc.patch

Signed-off-by: Yi Zhao 
---
 .../0001-src-Makefile-fix-includedir-in-libsepol.pc.patch   | 13 +++--
 recipes-security/selinux/libsepol_2.7.bb|  9 -
 recipes-security/selinux/libsepol_2.8.bb|  9 +
 3 files changed, 16 insertions(+), 15 deletions(-)
 delete mode 100644 recipes-security/selinux/libsepol_2.7.bb
 create mode 100644 recipes-security/selinux/libsepol_2.8.bb

diff --git 
a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
 
b/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
index 8a6e047..987fdab 100644
--- 
a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
+++ 
b/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
@@ -1,4 +1,4 @@
-From 05907644755048f9335e05dc540f810bb580477f Mon Sep 17 00:00:00 2001
+From 074dbf2f104d1a6ea1aa048600f44f9701c70a60 Mon Sep 17 00:00:00 2001
 From: Robert Yang 
 Date: Thu, 18 Feb 2016 02:04:59 +
 Subject: [PATCH] src/Makefile: fix includedir in libsepol.pc
@@ -6,23 +6,24 @@ Subject: [PATCH] src/Makefile: fix includedir in libsepol.pc
 Upstream-Status: Pending
 
 Signed-off-by: Robert Yang 
+Signed-off-by: Yi Zhao 
 ---
  src/Makefile | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/Makefile b/src/Makefile
-index db6c2ba..c03ee92 100644
+index ccb7023..2bb6290 100644
 --- a/src/Makefile
 +++ b/src/Makefile
-@@ -43,7 +43,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP)
+@@ -51,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP)
ln -sf $@ $(TARGET) 
  
  $(LIBPC): $(LIBPC).in ../VERSION
--  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBBASE):; s:@includedir@:${prefix}/include:' < $< > $@
+-  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
++  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@
  
  $(LIBMAP): $(LIBMAP).in
  ifneq ($(DISABLE_CIL),y)
 -- 
-2.5.0
+2.7.4
 
diff --git a/recipes-security/selinux/libsepol_2.7.bb 
b/recipes-security/selinux/libsepol_2.7.bb
deleted file mode 100644
index f38f7ba..000
--- a/recipes-security/selinux/libsepol_2.7.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-include selinux_20170804.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "9424b93fd6efd853b9360f29265c5aa3"
-SRC_URI[sha256sum] = 
"d69d3bd8ec901a3bd5adf2be2fb47fb1a685ed73066ab482e7e505371a48f9e7"
-
-SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch"
diff --git a/recipes-security/selinux/libsepol_2.8.bb 
b/recipes-security/selinux/libsepol_2.8.bb
new file mode 100644
index 000..d1f905b
--- /dev/null
+++ b/recipes-security/selinux/libsepol_2.8.bb
@@ -0,0 +1,9 @@
+include selinux_20180524.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+SRC_URI[md5sum] = "c19aa9dde1e78d1c2bd3109579e4d484"
+SRC_URI[sha256sum] = 
"3ad6916a8352bef0bad49acc8037a5f5b48c56f94e4cb4e1959ca475fa9d24d6"
+
+SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch"
-- 
2.7.4



[yocto] [meta-selinux][PATCH 01/16] selinux: uprev inc files to 2.8 (20180524)

2018-09-04 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 .../selinux/{selinux_20170804.inc => selinux_20180524.inc}   | 2 +-
 recipes-security/selinux/selinux_common.inc  | 9 +
 2 files changed, 6 insertions(+), 5 deletions(-)
 rename recipes-security/selinux/{selinux_20170804.inc => selinux_20180524.inc} 
(84%)

diff --git a/recipes-security/selinux/selinux_20170804.inc 
b/recipes-security/selinux/selinux_20180524.inc
similarity index 84%
rename from recipes-security/selinux/selinux_20170804.inc
rename to recipes-security/selinux/selinux_20180524.inc
index 1c11208..b36b333 100644
--- a/recipes-security/selinux/selinux_20170804.inc
+++ b/recipes-security/selinux/selinux_20180524.inc
@@ -1,4 +1,4 @@
-SELINUX_RELEASE = "20170804"
+SELINUX_RELEASE = "20180524"
 
 SRC_URI = 
"https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz;
 
diff --git a/recipes-security/selinux/selinux_common.inc 
b/recipes-security/selinux/selinux_common.inc
index e4c23a1..383f62d 100644
--- a/recipes-security/selinux/selinux_common.inc
+++ b/recipes-security/selinux/selinux_common.inc
@@ -9,8 +9,9 @@ do_compile() {
 do_install() {
 oe_runmake install \
 DESTDIR="${D}" \
-PREFIX="${D}/${prefix}" \
-INCLUDEDIR="${D}/${includedir}" \
-LIBDIR="${D}/${libdir}" \
-SHLIBDIR="${D}/${base_libdir}"
+PREFIX="${prefix}" \
+INCLUDEDIR="${includedir}" \
+LIBDIR="${libdir}" \
+SHLIBDIR="${base_libdir}" \
+SYSTEMDDIR="${systemd_unitdir}"
 }
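Review bot: Nothing in `do_install` records why `${D}` was dropped from `PREFIX`, `INCLUDEDIR`, `LIBDIR` and `SHLIBDIR`, and the commit message is empty, so a later edit could easily reintroduce it. Presumably the 2.8 makefiles prepend `$(DESTDIR)` to these paths themselves, in which case a `${D}`-prefixed value would double the staging directory and could leak the build path into generated files such as the `.pc` files patched elsewhere in this series. A comment above the call, for example `# 2.8 makefiles apply DESTDIR themselves; pass target-relative paths only`, would document the contract. Includes that still pass `${D}`-based values (the `PYTHONLIBDIR` arguments in 03/16 and 04/16) should be checked against it.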
-- 
2.7.4

-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


[yocto] [meta-selinux][PATCH 00/16] selinux: upgrade 2.7 -> 2.8

2018-09-04 Thread Yi Zhao



Yi Zhao (16):
  selinux: uprev inc files to 2.8 (20180524)
  libsepol: uprev to 2.8 (20180524)
  libselinux: uprev to 2.8 (20180524)
  libsemanage: uprev to 2.8 (20180524)
  checkpolicy: uprev to 2.8 (20180524)
  secilc: uprev to 2.8 (20180524)
  policycoreutils: uprev to 2.8 (20180524)
  mcstrans: uprev to 2.8 (20180524)
  restorecond: uprev to 2.8 (20180524)
  selinux-sandbox: uprev to 2.8 (20180524)
  selinux-python: uprev to 2.8 (20180524)
  semodule-utils: uprev to 2.8 (20180524)
  selinux-dbus: uprev to 2.8 (20180524)
  selinux-gui: uprev to 2.8 (20180524)
  packagegroup-selinux-policycoreutils: remove
semodule-utils-semodule-deps
  audit: uprev to 2.8.4

 .../audit/{audit_2.7.6.bb => audit_2.8.4.bb}   | 18 +++---
 .../packagegroup-selinux-policycoreutils.bb|  1 -
 recipes-security/selinux/checkpolicy.inc   |  1 -
 recipes-security/selinux/checkpolicy_2.7.bb|  7 --
 recipes-security/selinux/checkpolicy_2.8.bb|  7 ++
 recipes-security/selinux/libselinux.inc|  2 +-
 ...-Makefile-fix-includedir-in-libselinux.pc.patch | 20 ---
 .../{libselinux_2.7.bb => libselinux_2.8.bb}   |  6 ++---
 recipes-security/selinux/libsemanage.inc   | 12 ++---
 ...-Makefile-fix-includedir-in-libselinux.pc.patch | 20 ---
 .../{libsemanage_2.7.bb => libsemanage_2.8.bb} |  6 ++---
 ...rc-Makefile-fix-includedir-in-libsepol.pc.patch | 13 +-
 recipes-security/selinux/libsepol_2.7.bb   |  9 ---
 recipes-security/selinux/libsepol_2.8.bb   |  9 +++
 recipes-security/selinux/mcstrans.inc  |  1 -
 recipes-security/selinux/mcstrans_2.7.bb   |  7 --
 recipes-security/selinux/mcstrans_2.8.bb   |  7 ++
 recipes-security/selinux/policycoreutils.inc   |  8 +++---
 ...policycoreutils-fix-fixfiles-install-path.patch | 29 ++
 ...icycoreutils-fix-load_policy-install-path.patch | 29 ++
 .../policycoreutils-loadpolicy-symlink.patch   | 19 --
 recipes-security/selinux/policycoreutils_2.7.bb|  8 --
 recipes-security/selinux/policycoreutils_2.8.bb|  8 ++
 recipes-security/selinux/restorecond.inc   |  4 ---
 recipes-security/selinux/restorecond_2.7.bb|  7 --
 recipes-security/selinux/restorecond_2.8.bb|  7 ++
 recipes-security/selinux/secilc_2.7.bb |  7 --
 recipes-security/selinux/secilc_2.8.bb |  7 ++
 recipes-security/selinux/selinux-dbus_2.7.bb   |  7 --
 recipes-security/selinux/selinux-dbus_2.8.bb   |  7 ++
 recipes-security/selinux/selinux-gui_2.7.bb|  7 --
 recipes-security/selinux/selinux-gui_2.8.bb|  7 ++
 recipes-security/selinux/selinux-python.inc|  2 +-
 .../selinux-python/fix-sepolicy-install-path.patch | 23 +
 recipes-security/selinux/selinux-python_2.7.bb |  7 --
 recipes-security/selinux/selinux-python_2.8.bb |  7 ++
 recipes-security/selinux/selinux-sandbox_2.7.bb|  7 --
 recipes-security/selinux/selinux-sandbox_2.8.bb|  7 ++
 .../{selinux_20170804.inc => selinux_20180524.inc} |  2 +-
 recipes-security/selinux/selinux_common.inc|  9 ---
 recipes-security/selinux/semodule-utils.inc|  2 --
 recipes-security/selinux/semodule-utils_2.7.bb |  7 --
 recipes-security/selinux/semodule-utils_2.8.bb |  7 ++
 43 files changed, 209 insertions(+), 178 deletions(-)
 rename recipes-security/audit/{audit_2.7.6.bb => audit_2.8.4.bb} (91%)
 delete mode 100644 recipes-security/selinux/checkpolicy_2.7.bb
 create mode 100644 recipes-security/selinux/checkpolicy_2.8.bb
 rename recipes-security/selinux/{libselinux_2.7.bb => libselinux_2.8.bb} (72%)
 rename recipes-security/selinux/{libsemanage_2.7.bb => libsemanage_2.8.bb} 
(76%)
 delete mode 100644 recipes-security/selinux/libsepol_2.7.bb
 create mode 100644 recipes-security/selinux/libsepol_2.8.bb
 delete mode 100644 recipes-security/selinux/mcstrans_2.7.bb
 create mode 100644 recipes-security/selinux/mcstrans_2.8.bb
 create mode 100644 
recipes-security/selinux/policycoreutils/policycoreutils-fix-fixfiles-install-path.patch
 create mode 100644 
recipes-security/selinux/policycoreutils/policycoreutils-fix-load_policy-install-path.patch
 delete mode 100644 
recipes-security/selinux/policycoreutils/policycoreutils-loadpolicy-symlink.patch
 delete mode 100644 recipes-security/selinux/policycoreutils_2.7.bb
 create mode 100644 recipes-security/selinux/policycoreutils_2.8.bb
 delete mode 100644 recipes-security/selinux/restorecond_2.7.bb
 create mode 100644 recipes-security/selinux/restorecond_2.8.bb
 delete mode 100644 recipes-security/selinux/secilc_2.7.bb
 create mode 100644 recipes-security/selinux/secilc_2.8.bb
 delete mode 100644 recipes-security/selinux/selinux-dbus_2.7.bb
 create mode 100644 recipes-security/selinux/selinux-dbu

[yocto] [meta-security][PATCH 2/2] xmlsec1: upgrade 1.2.25 -> 1.2.26

2018-08-31 Thread Yi Zhao
Drop patch xmlsec1-fix-a-typo-in-examples-verify3.c.patch since the
issue has been fixed upstream.

Rebase patch change-finding-path-of-nss.patch

Signed-off-by: Yi Zhao 
---
 .../xmlsec1/change-finding-path-of-nss.patch   | 107 ++---
 .../xmlsec1-fix-a-typo-in-examples-verify3.c.patch |  23 -
 .../{xmlsec1_1.2.25.bb => xmlsec1_1.2.26.bb}   |   5 +-
 3 files changed, 53 insertions(+), 82 deletions(-)
 delete mode 100644 
recipes-security/xmlsec1/xmlsec1/xmlsec1-fix-a-typo-in-examples-verify3.c.patch
 rename recipes-security/xmlsec1/{xmlsec1_1.2.25.bb => xmlsec1_1.2.26.bb} (89%)

diff --git a/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch 
b/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
index fcc63b3..1cec47f 100644
--- a/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
+++ b/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
@@ -1,4 +1,4 @@
-From 47379747e34f952d31af028c672940ca7859ae3c Mon Sep 17 00:00:00 2001
+From c1c980a95d85bcaf8802524d6148783522b300d7 Mon Sep 17 00:00:00 2001
 From: Yulong Pei 
 Date: Wed, 21 Jul 2010 22:33:43 +0800
 Subject: [PATCH] change finding path of nss and nspr
@@ -7,66 +7,61 @@ Upstream-Status: Pending
 
 Signed-off-by: Yulong Pei 
 Signed-off-by: Mingli Yu 
-
+Signed-off-by: Yi Zhao 
 ---
- configure.ac | 12 ++--
- 1 file changed, 6 insertions(+), 6 deletions(-)
+ configure.ac | 20 ++--
+ 1 file changed, 10 insertions(+), 10 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 3278200..6edec7d 100644
+index 951b3eb..1fdeb0f 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -644,7 +644,7 @@ if test "z$NSS_FOUND" = "zno" ; then
+@@ -866,10 +866,10 @@ MOZILLA_MIN_VERSION="1.4"
+ NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss"
+ NSPR_PACKAGE=mozilla-nspr
+ NSS_PACKAGE=mozilla-nss
+-NSPR_INCLUDE_MARKER="nspr/nspr.h"
++NSPR_INCLUDE_MARKER="nspr.h"
+ NSPR_LIB_MARKER="libnspr4$shrext"
+ NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
+-NSS_INCLUDE_MARKER="nss/nss.h"
++NSS_INCLUDE_MARKER="nss3/nss.h"
+ NSS_LIB_MARKER="libnss3$shrext"
+ NSS_LIBS_LIST="-lnss3 -lsmime3"
  
- if test "z$with_nspr" != "z" ; then
-   NSPR_PREFIX="$with_nspr"
--  NSPR_CFLAGS="-I$with_nspr/include -I$with_nspr/include/nspr"
-+  NSPR_CFLAGS="-I$with_nspr/usr/include -I$with_nspr/usr/include/nspr4"
-   if test "z$with_gnu_ld" = "zyes" ; then
-   NSPR_LIBS="-Wl,-rpath-link -Wl,$with_nspr/lib -L$with_nspr/lib 
$NSPR_LIBS_LIST"
-   else
-@@ -652,7 +652,7 @@ if test "z$NSS_FOUND" = "zno" ; then
-   fi
-   NSPR_INCLUDES_FOUND="yes"
-   NSPR_LIBS_FOUND="yes"
--  NSPR_PRINIT_H="$with_nspr/include/prinit.h"
-+  NSPR_PRINIT_H="$with_nspr/usr/include/nspr4/prinit.h"
+@@ -898,24 +898,24 @@ fi
+ dnl Priority 1: User specifies the path to installation
+ if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != 
"zyes" ; then
+ AC_MSG_CHECKING(for nspr library installation in "$with_nspr" folder)
+-if test -f "$with_nspr/include/$NSPR_INCLUDE_MARKER" -a -f 
"$with_nspr/lib/$NSPR_LIB_MARKER" ; then
+-NSPR_INCLUDE_PATH="$with_nspr/include"
+-NSPR_LIB_PATH="$with_nspr/lib"
++if test -f "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" -a -f 
"$with_nspr/${libdir}/$NSPR_LIB_MARKER" ; then
++NSPR_INCLUDE_PATH="$with_nspr/usr/include"
++NSPR_LIB_PATH="$with_nspr/${libdir}"
+ NSPR_FOUND="yes"
+ AC_MSG_RESULT([yes])
  else
-   for dir in $ac_nss_inc_dir ; do
-   if test -f $dir/nspr/prinit.h ; then
-@@ -690,7 +690,7 @@ if test "z$NSS_FOUND" = "zno" ; then
-   OLD_CPPFLAGS=$CPPFLAGS
-   CPPFLAGS="$NSPR_CFLAGS"
-   AC_EGREP_CPP(yes,[
--  #include 
-+  #include 
- #if PR_VMAJOR >= 4
-yes
- #endif
-@@ -715,7 +715,7 @@ if test "z$NSS_FOUND" = "zno" ; then
- NSS_NSS_H=""
- 
- if test "z$with_nss" != "z" ; then
--  NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/include -I$with_nss/include/nss"
-+  NSS_CFLAGS="$NSS_CFLAGS -I$with_nss/usr/include 
-I$with_nss/usr/include/nss3 -I$with_nspr/usr/include/nspr4"
-   if test "z$with_gnu_ld" = "zyes" ; then
-   NSS_LIBS="$NSS_LIBS -Wl,-rpath-link -Wl,$with_nss/lib 
-L$with_nss/lib $NSS_LIBS_LIST"
- else
-@@ -723,7 +723,7 @@ if test "z$NSS_FOUND" = "zno" ; then
- fi
-   N

[yocto] [meta-security][PATCH 1/2] samhain: upgrade 4.2.2 -> 4.2.4

2018-08-31 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 .../samhain/{samhain-client_4.2.2.bb => samhain-client_4.2.4.bb}   | 0
 .../samhain/{samhain-server_4.2.2.bb => samhain-server_4.2.4.bb}   | 0
 .../{samhain-standalone_4.2.2.bb => samhain-standalone_4.2.4.bb}   | 0
 recipes-security/samhain/samhain.inc   | 7 +--
 4 files changed, 5 insertions(+), 2 deletions(-)
 rename recipes-security/samhain/{samhain-client_4.2.2.bb => 
samhain-client_4.2.4.bb} (100%)
 rename recipes-security/samhain/{samhain-server_4.2.2.bb => 
samhain-server_4.2.4.bb} (100%)
 rename recipes-security/samhain/{samhain-standalone_4.2.2.bb => 
samhain-standalone_4.2.4.bb} (100%)

diff --git a/recipes-security/samhain/samhain-client_4.2.2.bb 
b/recipes-security/samhain/samhain-client_4.2.4.bb
similarity index 100%
rename from recipes-security/samhain/samhain-client_4.2.2.bb
rename to recipes-security/samhain/samhain-client_4.2.4.bb
diff --git a/recipes-security/samhain/samhain-server_4.2.2.bb 
b/recipes-security/samhain/samhain-server_4.2.4.bb
similarity index 100%
rename from recipes-security/samhain/samhain-server_4.2.2.bb
rename to recipes-security/samhain/samhain-server_4.2.4.bb
diff --git a/recipes-security/samhain/samhain-standalone_4.2.2.bb 
b/recipes-security/samhain/samhain-standalone_4.2.4.bb
similarity index 100%
rename from recipes-security/samhain/samhain-standalone_4.2.2.bb
rename to recipes-security/samhain/samhain-standalone_4.2.4.bb
diff --git a/recipes-security/samhain/samhain.inc 
b/recipes-security/samhain/samhain.inc
index db96264..e127e91 100644
--- a/recipes-security/samhain/samhain.inc
+++ b/recipes-security/samhain/samhain.inc
@@ -19,8 +19,11 @@ SRC_URI = 
"http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://samhain.service \
"
 
-SRC_URI[md5sum] = "f499d5d06bfd1d787073a45bf28dd60f"
-SRC_URI[sha256sum] = 
"0f3e64afb3f00064c9b136d34a72d580cd41248c5941eba0452f364a109003c7"
+SRC_URI[md5sum] = "08863fad583acc7293ef29b4528c837e"
+SRC_URI[sha256sum] = 
"0cd779b3666264e1f370f7ec37891f680b4caa04895fab8c5aa9a52e41ec885d"
+
+UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html;
+UPSTREAM_CHECK_REGEX = "samhain_signed-(?P(\d+(\.\d+)+))\.tar"
 
 S = "${WORKDIR}/samhain-${PV}"
 
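Review bot: The download stays on plain HTTP: the hunk header shows `SRC_URI` fetching `samhain_signed-${PV}.tar.gz` over `http://`, while the newly added `UPSTREAM_CHECK_URI` uses `https://` for the same vendor, so the checksums updated here are the only integrity control on the tarball. If the archive path is also served over TLS, changing the scheme in `SRC_URI` (that line lies above the hunk) would be a cheap improvement, and the new sha256sum should be compared with a value obtained independently of the HTTP fetch. As displayed, `UPSTREAM_CHECK_REGEX` contains `(?P(` with no group name; that is probably a rendering artefact of the archive, but the applied file should be checked for a named group.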
-- 
2.7.4



[yocto] [meta-selinux][PATCH 2/2] policycoreutils: add PACKAGECONFIG for libpam, audit

2018-08-17 Thread Yi Zhao
From: Wenzong Fan 

* make pam and audit support configurable;
* remove INITDIR from EXTRA_OEMAKE, the variable is not supported now.

Signed-off-by: Wenzong Fan 
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/policycoreutils.inc | 21 ++---
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/recipes-security/selinux/policycoreutils.inc 
b/recipes-security/selinux/policycoreutils.inc
index 7825a6c..b7cb510 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -21,8 +21,6 @@ DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != 
'${BPN}-native']}"
 
 inherit selinux pythonnative
 
-DEPENDS += "${@target_selinux(d, 'libpam audit')}"
-
 RDEPENDS_${BPN}-fixfiles += "\
${BPN}-setfiles \
grep \
@@ -118,11 +116,20 @@ export STAGING_LIBDIR
 export BUILD_SYS
 export HOST_SYS
 
-AUDITH="`ls ${STAGING_INCDIR}/libaudit.h >/dev/null 2>&1 && echo 
/usr/include/libaudit.h `"
-PAMH="`ls ${STAGING_INCDIR}/security/pam_appl.h >/dev/null 2>&1 && echo 
/usr/include/security/pam_appl.h `"
-EXTRA_OEMAKE += "${@target_selinux(d, 'PAMH=${PAMH} AUDITH=${AUDITH}', 'PAMH= 
AUDITH= ')} INOTIFYH=n"
-EXTRA_OEMAKE += "PREFIX=${D}"
-EXTRA_OEMAKE += "INITDIR=${D}/etc/init.d"
+PACKAGECONFIG_class-target ?= "\
+${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} \
+audit \
+"
+
+PACKAGECONFIG[libpam] = ",,libpam,"
+PACKAGECONFIG[audit] = ",,audit,"
+
+EXTRA_OEMAKE += "\
+${@bb.utils.contains('PACKAGECONFIG', 'libpam', 'PAMH=y', 'PAMH=', d)} 
\
+${@bb.utils.contains('PACKAGECONFIG', 'audit', 'AUDITH=y', 'AUDITH=', 
d)} \
+INOTIFYH=n \
+PREFIX=${D} \
+"
 
 BBCLASSEXTEND = "native"
 
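Review bot: The two `PACKAGECONFIG[...]` entries have empty enable/disable fields, and nothing explains that the real switch is the `PAMH=`/`AUDITH=` value passed in `EXTRA_OEMAKE` below. A short comment such as `# PACKAGECONFIG only adds the build dependency; the makefiles are switched through PAMH/AUDITH` would save readers from hunting for a configure option. The comment should also say that removing `audit` from `PACKAGECONFIG` passes an empty `AUDITH`, which presumably builds the tools without audit support, so distros that rely on audit records should keep the default. `PACKAGECONFIG_class-target ?=` leaves the native variant with both features off, which appears to match the old `target_selinux(...)` fallback but is not stated anywhere.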
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/2] selinux-python: fix installed-vs-shipped QA errors

2018-08-17 Thread Yi Zhao
From: Wenzong Fan 

Fix the QA errors when multilib is enabled:
ERROR: selinux-python-2.7-r0 do_package: QA Issue: selinux-python:
Files/directories were installed but not shipped in any package:
  /usr/lib
  /usr/lib/python2.7
  /usr/lib/python2.7/site-packages
  /usr/lib/python2.7/site-packages/sepolicy-1.1.egg-info
  [snip]

Signed-off-by: Wenzong Fan 
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-python.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-security/selinux/selinux-python.inc 
b/recipes-security/selinux/selinux-python.inc
index 55060e3..2a5d657 100644
--- a/recipes-security/selinux/selinux-python.inc
+++ b/recipes-security/selinux/selinux-python.inc
@@ -102,6 +102,7 @@ FILES_${PN} += "\
 EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
 do_install() {
 oe_runmake DESTDIR=${D} \
+LIBDIR="${D}${libdir}" \
 
PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
 install
 }
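Review bot: The added `LIBDIR="${D}${libdir}"` embeds the staging directory, while `PYTHONLIBDIR` on the next argument is passed without `${D}` and `DESTDIR=${D}` is given as well, so one `oe_runmake` call mixes both conventions and uses three different quoting styles. Whether the makefile prepends `$(DESTDIR)` to `LIBDIR` is not visible here; if it does, the files would land under a doubled path, so the installed tree should be checked with multilib enabled. Once confirmed, a one-line comment stating which variables the makefile treats as DESTDIR-relative, e.g. `# LIBDIR is used verbatim by the makefile, PYTHONLIBDIR is prefixed with DESTDIR`, would remove the ambiguity.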
-- 
2.7.4



[yocto] [meta-selinux][resend][PATCH 0/2] meta-selinux fixes

2018-08-17 Thread Yi Zhao
Rebase and resend Wenzong's meta-selinux patches

Wenzong Fan (2):
  selinux-python: fix installed-vs-shipped QA errors
  policycoreutils: add PACKAGECONFIG for libpam, audit

 recipes-security/selinux/policycoreutils.inc | 21 ++---
 recipes-security/selinux/selinux-python.inc  |  1 +
 2 files changed, 15 insertions(+), 7 deletions(-)

-- 
2.7.4



Re: [yocto] [meta-selinux][PATCH] libselinux: python-importlib is now part of python*-core

2018-08-14 Thread Yi Zhao



在 2018年05月15日 00:09, Joe MacDonald 写道:

[Re: [yocto] [meta-selinux][PATCH] libselinux: python-importlib is now part of 
python*-core] On 18.05.14 (Mon 10:05) Mark Hatle wrote:


On 5/11/18 1:19 PM, Rudolf J Streif wrote:

Thank you, Mark. Much appreciated and understood.

Would you be open to tagging the layer for rocko to the right commit and
applying the patches sent to the mailing list by Armin and Kai to master
so that we have known points to move forward?

I'm going to try to sync with Joe later today.  I'll make sure that we
branch rocko..  If Joe can't get to the sumo work this week, I'll do
my best to get it done.

Yeah, just keep everyone in the loop on this, Mark and I will
coordinate, I anticipate having the current meta-selinux queue cleaned
up this week.  I followed up last week to Armin indicating that I was
working on this, but as I'm sure anyone building meta-selinux right now
already knows, things are not happy there and corrective measures are
kind of involved.

As for longer-term maintenance, meta-selinux and SELinux in general is
of particular interest to me personally, but much like Mark, I haven't
has as much time for the layer as it deserves lately, so if anyone wants
to volunteer to help out with it, by all means, let us know.

Hi Joe, Mark and Philip

I'm interested in this  and want to volunteer to help the meta-selinux 
maintenance.  I have enough time to review and test the patches. There 
are some pending patches from Wenzong which can not be merged into 
master. Currently I'm working on them and will re-send them.


Thanks,
Yi





Thanks,
-J.


--Mark


Thank you,
Rudi


On 05/11/2018 10:45 AM, Mark Hatle wrote:

On 5/11/18 12:28 PM, Rudolf J Streif wrote:

Echoing this: may I ask what the current maintenance status of
meta-selinux is. It appears that no updates have been made for more than
9 months. This is of course not to blame anybody but out of concern that
the layer is falling behind even more and to find a solution.

The answer is the current set of people are horribly overworked and busy, so
day-to-day updates have been 'sparse'.

Usually we update meta-selinux about the time of a release, and thus are due.

The last update of meta-selinux was about the time of the Rocko release, so what
is in master is definitely current as of Rocko.  (I did the last set of updates
-- so I know it did work as of Rocko release.)  The master needs to be branched
as Rocko... master needs to be updated to be Sumo compatible.

My assumption is that once Sumo is formally released (any minute now), we'll
collection all of the patches and get them into place and spend some time
cleaning them up...

It looks like Joe is already working through this effort.

(Only speaking for myself,) I don't have time to do day-to-day maintenance of
meta-selinux any longer -- nor do I have the indepth knowledge to understand
when not to do something.  I filled this role purely out of necessity since
nobody else was doing it.

So with that said, if anyone wants to help, we're all open for help here...  I
doubt there would be any objection to adding or replacing existing maintainers
and/or giving more people push access.


In addition to Armin's patches there are two patches submitted by Kai
Kang at Windriver:

* https://lists.yoctoproject.org/pipermail/yocto/2018-February/039917.html
* https://lists.yoctoproject.org/pipermail/yocto/2018-February/039918.html

Curiously enough, the second patch has been applied to master but not
the first one.


There is also an issue with building SELinux with systemd. The layer
enables auditing:

meta-selinux/classes/enable-audit.bbclass:PACKAGECONFIG[audit] =
"--enable-audit,--disable-audit,audit,"
meta-selinux/recipes-core/systemd/systemd_%.bbappend:inherit
${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-audit', '', d)}

Apparently the --enable-audit switch is passed to meson when running the
configure task, which meson does not appreciate. I am not that familiar
with the audit feature nor with meson, so I currently have no idea on
how to fix this the right way.

The audit feature is useful outside of selinux, so my understanding was that audit
itself was moving into core during the sumo time frame (if it hadn't already
been moved.)

I don't know anything about meson, so I can't speak to that...


Further, refpolicy_git does not build anymore as the YP specific patches
do not apply anymore since upstream changed.

The refpolicy is and has always been crap.  I've been talking to a few people on
IRC about working to replace the refpolicy with a policy that can be generated
dynamically based on the contents of the recipes.  I don't know if that is
really going to happen, but I hate the way it's currently implemented.

One of the key issues about the refpolicy is that you need to be an expert at
this (which I never claimed to be) in order to make any reasonable decision --
add to that any specific policy needs to userstand overall system design, and I
wouldn't trust any 

[yocto] [meta-selinux][PATCH 2/2] libcgroup: replace _virtclass-native with _class-native

2018-08-14 Thread Yi Zhao
The _virtclass-native is obsolete. Replace it with _class-native.

Signed-off-by: Yi Zhao 
---
 recipes-core/libcgroup/libcgroup_selinux.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-core/libcgroup/libcgroup_selinux.inc 
b/recipes-core/libcgroup/libcgroup_selinux.inc
index f81188f..9d9ebfc 100644
--- a/recipes-core/libcgroup/libcgroup_selinux.inc
+++ b/recipes-core/libcgroup/libcgroup_selinux.inc
@@ -1,4 +1,4 @@
-EXTRA_OECONF_virtclass-native = "--enable-pam=no"
+EXTRA_OECONF_append_class-native = " --enable-pam=no"
 
 do_install_append() {
test ! -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 || {
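Review bot: The added line is not a pure rename, because `EXTRA_OECONF_virtclass-native = "--enable-pam=no"` replaced the native configure options while `EXTRA_OECONF_append_class-native = " --enable-pam=no"` appends to whatever EXTRA_OECONF already holds. The commit message only mentions the override rename, and the base recipe's EXTRA_OECONF is not visible in this hunk, so the effect on the native configure line cannot be confirmed from here. If the append is intended, say so in the commit message and add a comment above the line, for example `# Append so the native build keeps the base configure options and only turns PAM off`.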
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/2] policycoreutils: replace _virtclass-native with _class-native

2018-08-14 Thread Yi Zhao
The _virtclass-native is obsolete and replaced by _class-native. In
recent oe-core commit c5aa33ac483618bc23fbaccb0a18853186f9155d the
_virtclass-native override was dropped entirely, which caused
refpolicy-mls do_install to fail:
  libsemanage.get_home_dirs: Error while fetching users.
  Returning list so far.
  libsemanage.semanage_validate_and_compile_fcontexts:
  setfiles returned error code 1. (No such file or directory).

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/policycoreutils.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-security/selinux/policycoreutils.inc 
b/recipes-security/selinux/policycoreutils.inc
index 1842fd8..7825a6c 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -128,7 +128,7 @@ BBCLASSEXTEND = "native"
 
 PCU_NATIVE_CMDS = "setfiles semodule hll"
 
-do_compile_virtclass-native() {
+do_compile_class-native() {
for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
oe_runmake -C $PCU_CMD \
INCLUDEDIR='${STAGING_INCDIR}' \
@@ -136,7 +136,7 @@ do_compile_virtclass-native() {
done
 }
 
-sysroot_stage_dirs_append_virtclass-native() {
+sysroot_stage_dirs_append_class-native() {
cp -R $from/${prefix}/libexec $to/${prefix}/libexec
 }
 
@@ -153,7 +153,7 @@ do_install_prepend() {
export SEMODULE_PATH=${sbindir} SYSTEMDDIR=${D}/${systemd_unitdir}
 }
 
-do_install_virtclass-native() {
+do_install_class-native() {
for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
 oe_runmake -C $PCU_CMD install \
DESTDIR="${D}" \
-- 
2.7.4



[yocto] [meta-selinux][PATCH 3/3] selinux-python: refresh patches to fix QA warning

2018-07-18 Thread Yi Zhao
Refresh patches with devtool command to fix do_patch warning

Signed-off-by: Yi Zhao 
---
 .../fix-TypeError-for-seobject.py.patch | 17 +
 .../selinux-python/fix-sepolicy-install-path.patch  | 21 -
 .../process-ValueError-for-sepolicy-seobject.patch  | 12 +---
 3 files changed, 26 insertions(+), 24 deletions(-)

diff --git 
a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch 
b/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
index 993ff7e..62cdeee 100644
--- 
a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
+++ 
b/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
@@ -1,4 +1,4 @@
-From a66c50c0e8cd3799fc2819835b872ab62419f684 Mon Sep 17 00:00:00 2001
+From 98c2944ffa3e35095187e1df9ff33498bbd0fa54 Mon Sep 17 00:00:00 2001
 From: Wenzong Fan 
 Date: Tue, 1 Apr 2014 02:53:36 -0400
 Subject: [PATCH] policycoreutils: fix TypeError for seobject.py
@@ -7,18 +7,19 @@ File "/usr/lib64/python2.7/site-packages/seobject.py", line 
109, in log
   message += " sename=" + sename
 TypeError: cannot concatenate 'str' and 'NoneType' objects
 
-Uptream-Status: pending
+Uptream-Status: Pending
 
 Signed-off-by: Wenzong Fan 
+
 ---
- semanage/seobject.py |2 +-
+ semanage/seobject.py | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-Index: policycoreutils-2.5/semanage/seobject.py
-===
 policycoreutils-2.5.orig/semanage/seobject.py  2016-02-25 
13:41:38.035974459 -0500
-+++ policycoreutils-2.5/semanage/seobject.py   2016-02-25 13:43:42.075974072 
-0500
-@@ -121,7 +121,7 @@
+diff --git a/semanage/seobject.py b/semanage/seobject.py
+index 70fd192..23ab77e 100644
+--- a/semanage/seobject.py
 b/semanage/seobject.py
+@@ -146,7 +146,7 @@ except:
  
  def log(self, msg, name="", sename="", serole="", serange="", 
oldsename="", oldserole="", oldserange=""):
  message = " %s name=%s" % (msg, name)
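Review bot: The refreshed patch header still spells the tag `Uptream-Status:` on the added line, so this hunk only changes the capitalisation of `Pending` and leaves the tag name misspelled. The line should read `Upstream-Status: Pending`; tooling that looks for the exact tag name will presumably not recognise the current spelling. The same misspelled line is newly added in the first hunk of fix-sepolicy-install-path.patch.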
diff --git 
a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch 
b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
index 617908a..1d54231 100644
--- a/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
+++ b/recipes-security/selinux/selinux-python/fix-sepolicy-install-path.patch
@@ -1,18 +1,24 @@
+From 69e8697cd2ae48710ff8190bad3e61d2fd115b99 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang 
+Date: Mon, 23 Sep 2013 21:17:59 +0800
 Subject: [PATCH] policycoreutils: fix install path for new pymodule sepolicy
 
+Uptream-Status: Pending
+
 Signed-off-by: Xin Ouyang 
 Signed-off-by: Wenzong Fan 
+
 ---
- sepolicy/Makefile |4 +++-
+ sepolicy/Makefile | 4 +++-
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/sepolicy/Makefile b/sepolicy/Makefile
-index 2b8716c..70f4bdd 100644
+index 5a56e6c..82c3e36 100644
 --- a/sepolicy/Makefile
 +++ b/sepolicy/Makefile
-@@ -12,6 +12,8 @@ BASHCOMPLETIONDIR ?= 
$(DESTDIR)/usr/share/bash-completion/completions
- SHAREDIR ?= $(PREFIX)/share/sandbox
- override CFLAGS = -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall 
-Werror -Wextra -W  -DSHARED -shared
+@@ -12,6 +12,8 @@ SHAREDIR ?= $(PREFIX)/share/sandbox
+ CFLAGS ?= -Wall -Werror -Wextra -W
+ override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared
  
 +PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % 
sys.version_info[0:2]')
 +
@@ -20,7 +26,7 @@ index 2b8716c..70f4bdd 100644
  
  all: python-build
 @@ -30,7 +32,7 @@ test:
-   @python test_sepolicy.py -v
+   @$(PYTHON) test_sepolicy.py -v
  
  install:
 -  $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root 
$(DESTDIR)`
@@ -28,6 +34,3 @@ index 2b8716c..70f4bdd 100644
[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
install -m 755 sepolicy.py $(BINDIR)/sepolicy
(cd $(BINDIR); ln -sf sepolicy sepolgen)
--- 
-1.7.9.5
-
diff --git 
a/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch
 
b/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch
index 1929aa5..b0bcd1d 100644
--- 
a/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch
+++ 
b/recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch
@@ -1,4 +1,4 @@
-From b8e07bd0643b581ac33c96a1f94ae17c8df80ffd Mon Sep 17 00:00:00 2001
+From 1a8bd0ca13746b5241af5736dee9a25ab360652b Mon Sep 17 00:00:00 2001
 From: Wenzong Fan 
 Date: Sun, 30 Mar 2014 22:25:59 -0400
 Subject: [PATCH] semanage: process ValueError for sepolicy, seobject
@@ -7,15 +7,16 @@ The sepolicy, seobject modules raise many unprocessed 
ValueError, just
 process them in semanage to make the script proivdes er
