[yocto] [meta-selinux][PATCH 19/19] audit: switch to python3

2019-11-13 Thread Yi Zhao
* Switch to python3

* Drop patches:
  audit-python-configure.patch
  audit-python.patch
  fix-swig-host-contamination.patch

Signed-off-by: Yi Zhao 
---
 .../audit/audit/audit-python-configure.patch  | 46 -
 .../audit/audit/audit-python.patch| 64 ---
 .../audit/fix-swig-host-contamination.patch   | 56 
 recipes-security/audit/audit_2.8.5.bb | 11 ++--
 4 files changed, 4 insertions(+), 173 deletions(-)
 delete mode 100644 recipes-security/audit/audit/audit-python-configure.patch
 delete mode 100644 recipes-security/audit/audit/audit-python.patch
 delete mode 100644 
recipes-security/audit/audit/fix-swig-host-contamination.patch

diff --git a/recipes-security/audit/audit/audit-python-configure.patch 
b/recipes-security/audit/audit/audit-python-configure.patch
deleted file mode 100644
index 37096b0..000
--- a/recipes-security/audit/audit/audit-python-configure.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 6a2710db094061e1956fac3ed81114d0e958ea21 Mon Sep 17 00:00:00 2001
-From: Li xin 
-Date: Sun, 19 Jul 2015 00:49:13 +0900
-Subject: [PATCH] audit: python cross-compile
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Xin Ouyang 
-Signed-off-by: Li Xin 
-Signed-off-by: Wenzong Fan 
-Signed-off-by: T.O. Radzy Radzykewycz 

- configure.ac | 17 ++---
- 1 file changed, 2 insertions(+), 15 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 6e345f1..54bdbf1 100644
 a/configure.ac
-+++ b/configure.ac
-@@ -99,21 +99,8 @@ if test "x$use_python" = xno ; then
- else
- AC_MSG_RESULT(testing)
- AM_PATH_PYTHON
--PYINCLUDEDIR=`python${am_cv_python_version} -c "from distutils import 
sysconfig; print(sysconfig.get_config_var('INCLUDEPY'))"`
--if test -f ${PYINCLUDEDIR}/Python.h ; then
--  python_found="yes"
--  AC_SUBST(PYINCLUDEDIR)
--  pybind_dir="python"
--  AC_SUBST(pybind_dir)
--  AC_MSG_NOTICE(Python bindings will be built)
--else
--  python_found="no"
--  if test "x$use_python" = xyes ; then
--  AC_MSG_ERROR([Python explicitly requested and python headers 
were not found])
--  else
--  AC_MSG_WARN("Python headers not found - python bindings will 
not be made")
--  fi
--fi
-+python_found="yes"
-+AC_MSG_NOTICE(Python bindings will be built)
- fi
- AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes")
- 
--- 
-2.7.4
-
diff --git a/recipes-security/audit/audit/audit-python.patch 
b/recipes-security/audit/audit/audit-python.patch
deleted file mode 100644
index c1a2595..000
--- a/recipes-security/audit/audit/audit-python.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 9d95d7e28a2c4cbefa998d375de180c731a151b1 Mon Sep 17 00:00:00 2001
-From: Li xin 
-Date: Sun, 19 Jul 2015 01:40:48 +0900
-Subject: [PATCH] Remove hard coded python include directory
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Mark Hatle 

- bindings/Makefile.am| 8 +++-
- bindings/python/python2/Makefile.am | 3 ++-
- bindings/swig/python/Makefile.am| 5 +++--
- 3 files changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/bindings/Makefile.am b/bindings/Makefile.am
-index 5b5c576..7a15205 100644
 a/bindings/Makefile.am
-+++ b/bindings/Makefile.am
-@@ -22,4 +22,10 @@
- 
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- 
--SUBDIRS = python golang swig
-+SUBDIRS = swig
-+if HAVE_PYTHON
-+SUBDIRS += python
-+endif
-+if HAVE_GOLANG
-+SUBDIRS += golang
-+endif
-diff --git a/bindings/python/python2/Makefile.am 
b/bindings/python/python2/Makefile.am
-index 1dcb5bc..6226358 100644
 a/bindings/python/python2/Makefile.am
-+++ b/bindings/python/python2/Makefile.am
-@@ -23,7 +23,8 @@
- 
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing
--AM_CPPFLAGS = -I$(top_builddir) -I@PYINCLUDEDIR@
-+PYINC ?= /usr/include/python$(PYTHON_VERSION)
-+AM_CPPFLAGS = -I$(top_builddir) -I${PYINC}
- 
- pyexec_LTLIBRARIES = auparse.la
- 
-diff --git a/bindings/swig/python/Makefile.am 
b/bindings/swig/python/Makefile.am
-index 8c98b94..ae7c52b 100644
 a/bindings/swig/python/Makefile.am
-+++ b/bindings/swig/python/Makefile.am
-@@ -21,9 +21,10 @@
- #
- CONFIG_CLEAN_FILES = *.loT *.rej *.orig
- AM_CFLAGS = -fPIC -DPIC -fno-strict-aliasing
--AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I@PYINCLUDEDIR@
-+PYINC ?= /usr/include/$(PYLIBVER)
-+AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC}
- SWIG_FLAGS = -python
--SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I@PYINCLUDEDIR@
-+SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib -I${PYINC}
- pyexec_PYTHON = audit.py
- pyexec_LTLIBRARIES = _audit.la
- pyexec_SOLIBRARIES = _audit.so
--- 
-2.7.4
-
diff --git a/recipes-security/audit/audit/fix-swig-host-contamination.patch 
b/recipes-security/audit/audit/fix-swig-host-contamination.patch
deleted file mode 100644
index 184f515..000
--- a/recipes-security/audit/audit/fix-swig-h

[yocto] [meta-selinux][PATCH 18/19] setools: upgrade 4.1.1 -> 4.2.2

2019-11-13 Thread Yi Zhao
* Switch to python3

* Drop patches:
  Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
  setools4-fix-cross-compiling-errors-for-powerpc-mips.patch

Signed-off-by: Yi Zhao 
---
 ...e-with-GCC-7-due-to-possible-truncat.patch | 105 --
 ...ss-compiling-errors-for-powerpc-mips.patch |  35 --
 .../setools4-fixes-for-cross-compiling.patch  |  34 +++---
 .../{setools_4.1.1.bb => setools_4.2.2.bb}|  14 +--
 4 files changed, 19 insertions(+), 169 deletions(-)
 delete mode 100644 
recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
 delete mode 100644 
recipes-security/setools/setools/setools4-fix-cross-compiling-errors-for-powerpc-mips.patch
 rename recipes-security/setools/{setools_4.1.1.bb => setools_4.2.2.bb} (61%)

diff --git 
a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
 
b/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
deleted file mode 100644
index a5af041..000
--- 
a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-Upstream-Status: Backport 
[https://github.com/TresysTechnology/setools/commit/e41adf0]
-
-Signed-off-by: Kai Kang 
-
-From e41adf01647c695b80b112b337e76021bb9f30c3 Mon Sep 17 00:00:00 2001
-From: Laurent Bigonville 
-Date: Tue, 26 Sep 2017 15:15:30 +0200
-Subject: [PATCH] Fix build failure with GCC 7 due to possible truncation of
- snprintf output
-
-setools fails to build under GCC7 -Wformat -Werror with the following error:
-
-x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall 
-Wstrict-prototypes -g -O2 -fdebug-prefix-map=/<>=. 
-fstack-protector-strong -Wformat -Werror=format-security -Wno-sign-compare 
-Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -Ilibqpol -Ilibqpol/include 
-I/usr/include/python3.6m -c libqpol/policy_extend.c -o 
build/temp.linux-amd64-3.6/libqpol/policy_extend.o -Werror -Wextra 
-Waggregate-return -Wfloat-equal -Wformat -Wformat=2 -Winit-self 
-Wmissing-format-attribute -Wmissing-include-dirs -Wnested-externs 
-Wold-style-definition -Wpointer-arith -Wredundant-decls -Wstrict-prototypes 
-Wunknown-pragmas -Wwrite-strings -Wno-missing-field-initializers 
-Wno-unused-parameter -Wno-cast-qual -Wno-shadow -Wno-unreachable-code 
-fno-exceptions
-libqpol/policy_extend.c: In function 'policy_extend':
-libqpol/policy_extend.c:161:27: error: '%04zd' directive output may be 
truncated writing between 4 and 10 bytes into a region of size 5 
[-Werror=format-truncation=]
-snprintf(buff, 9, "@ttr%04zd", i + 1);
-   ^
-libqpol/policy_extend.c:161:22: note: directive argument in the range [1, 
4294967295]
-snprintf(buff, 9, "@ttr%04zd", i + 1);
-  ^~~
-
-Increase the size of the buffer to avoid collisions
-
-Closes: https://github.com/TresysTechnology/setools/issues/174
-Signed-off-by: Laurent Bigonville 

- libqpol/policy_extend.c | 16 
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/libqpol/policy_extend.c b/libqpol/policy_extend.c
-index 742819b..739e184 100644
 a/libqpol/policy_extend.c
-+++ b/libqpol/policy_extend.c
-@@ -110,7 +110,7 @@ static int qpol_policy_remove_bogus_aliases(qpol_policy_t 
* policy)
-  *  Builds data for the attributes and inserts them into the policydb.
-  *  This function modifies the policydb. Names created for attributes
-  *  are of the form @ttr where value is the value of the attribute
-- *  as a four digit number (prepended with 0's as needed).
-+ *  as a ten digit number (prepended with 0's as needed).
-  *  @param policy The policy from which to read the attribute map and
-  *  create the type data for the attributes. This policy will be altered
-  *  by this function.
-@@ -125,7 +125,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t 
* policy)
-   uint32_t bit = 0, count = 0;
-   ebitmap_node_t *node = NULL;
-   type_datum_t *tmp_type = NULL, *orig_type;
--  char *tmp_name = NULL, buff[10];
-+  char *tmp_name = NULL, buff[16];
-   int error = 0, retv;
- 
-   INFO(policy, "%s", "Generating attributes for policy. (Step 4 of 5)");
-@@ -137,7 +137,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t 
* policy)
- 
-   db = &policy->p->p;
- 
--  memset(&buff, 0, 10 * sizeof(char));
-+  memset(&buff, 0, 16 * sizeof(char));
- 
-   for (i = 0; i < db->p_types.nprim; i++) {
-   /* skip types */
-@@ -158,7 +158,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t 
* policy)
-* with this attribute */
-   /* Does not exist */
-   if (db->p_type_val_to_name[i] == NULL){
--  snprintf(buff, 9, "@ttr%04zd", i + 1);
-+  snprintf(buff, 15, "@ttr%010zd", i + 1);
-   tmp_name = strdup(buff);
-   if (!tmp_name) {
-   

[yocto] [meta-selinux][PATCH 15/19] selinux-gui: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-gui.inc| 2 +-
 recipes-security/selinux/selinux-gui_2.8.bb | 7 ---
 recipes-security/selinux/selinux-gui_2.9.bb | 7 +++
 3 files changed, 8 insertions(+), 8 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-gui_2.8.bb
 create mode 100644 recipes-security/selinux/selinux-gui_2.9.bb

diff --git a/recipes-security/selinux/selinux-gui.inc 
b/recipes-security/selinux/selinux-gui.inc
index 1096f3f..725eb23 100644
--- a/recipes-security/selinux/selinux-gui.inc
+++ b/recipes-security/selinux/selinux-gui.inc
@@ -6,7 +6,7 @@ Policy Generation Tool (selinux-polgengui)"
 SECTION = "base"
 LICENSE = "GPLv2+"
 
-RDEPENDS_${PN} += "python"
+RDEPENDS_${PN} += "python3-core"
 
 FILES_${PN} += " \
 ${datadir}/system-config-selinux/* \
diff --git a/recipes-security/selinux/selinux-gui_2.8.bb 
b/recipes-security/selinux/selinux-gui_2.8.bb
deleted file mode 100644
index 2c0fcd8..000
--- a/recipes-security/selinux/selinux-gui_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "52000c14ffa86840220915bd1d777845"
-SRC_URI[sha256sum] = 
"17acd3004f01f92b288cc1322317d7964f5039fb26ba1542b6713a7147a2351d"
diff --git a/recipes-security/selinux/selinux-gui_2.9.bb 
b/recipes-security/selinux/selinux-gui_2.9.bb
new file mode 100644
index 000..0bb051c
--- /dev/null
+++ b/recipes-security/selinux/selinux-gui_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "1bfe5eeb861f8563a7b397ab8530ab52"
+SRC_URI[sha256sum] = 
"bbd9e1799cc0c22d64c815c3033a54393f6f84947ff2841a4df60ded5eee0510"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 13/19] selinux-dbus: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-dbus.inc| 2 +-
 recipes-security/selinux/selinux-dbus_2.8.bb | 7 ---
 recipes-security/selinux/selinux-dbus_2.9.bb | 7 +++
 3 files changed, 8 insertions(+), 8 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-dbus_2.8.bb
 create mode 100644 recipes-security/selinux/selinux-dbus_2.9.bb

diff --git a/recipes-security/selinux/selinux-dbus.inc 
b/recipes-security/selinux/selinux-dbus.inc
index 1b66136..62e45b7 100644
--- a/recipes-security/selinux/selinux-dbus.inc
+++ b/recipes-security/selinux/selinux-dbus.inc
@@ -5,7 +5,7 @@ Provide SELinux dbus service files and scripts."
 SECTION = "base"
 LICENSE = "GPLv2+"
 
-RDEPENDS_${PN} += "python selinux-python-sepolicy"
+RDEPENDS_${PN} += "python3-core selinux-python-sepolicy"
 
 FILES_${PN} += "\
 ${datadir}/system-config-selinux/selinux_server.py \
diff --git a/recipes-security/selinux/selinux-dbus_2.8.bb 
b/recipes-security/selinux/selinux-dbus_2.8.bb
deleted file mode 100644
index 5091624..000
--- a/recipes-security/selinux/selinux-dbus_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "23f0264df3ed123904a17d71f2a5b325"
-SRC_URI[sha256sum] = 
"3339cb9cd77579bab6158afc054409c3bf952e282ef957ea732b19c9f4697bc6"
diff --git a/recipes-security/selinux/selinux-dbus_2.9.bb 
b/recipes-security/selinux/selinux-dbus_2.9.bb
new file mode 100644
index 000..ab00ffc
--- /dev/null
+++ b/recipes-security/selinux/selinux-dbus_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "e403f9745fad67aae5903909572ca5b8"
+SRC_URI[sha256sum] = 
"ac54cecdea6a88b4a818981ac82654d054a3c5232b1b282ebf7418c3e350cc7a"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 14/19] selinux-sandbox: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3
* Rebase patch

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-sandbox.inc   | 10 --
 .../selinux/selinux-sandbox/sandbox-de-bashify.patch   |  9 +
 recipes-security/selinux/selinux-sandbox_2.8.bb|  7 ---
 recipes-security/selinux/selinux-sandbox_2.9.bb|  7 +++
 4 files changed, 16 insertions(+), 17 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-sandbox_2.8.bb
 create mode 100644 recipes-security/selinux/selinux-sandbox_2.9.bb

diff --git a/recipes-security/selinux/selinux-sandbox.inc 
b/recipes-security/selinux/selinux-sandbox.inc
index 854640c..c8e335a 100644
--- a/recipes-security/selinux/selinux-sandbox.inc
+++ b/recipes-security/selinux/selinux-sandbox.inc
@@ -13,12 +13,10 @@ SRC_URI += "file://sandbox-de-bashify.patch \
 DEPENDS += "libcap-ng libselinux"
 
 RDEPENDS_${PN} += "\
-python-core \
-python-math \
-python-shell \
-python-subprocess \
-python-textutils \
-python-unixadmin \
+python3-core \
+python3-math \
+python3-shell \
+python3-unixadmin \
 libselinux-python \
 selinux-python \
 "
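Review bot: `python-subprocess` and `python-textutils` are dropped from `RDEPENDS_${PN}` with no `python3-*` counterpart, and the commit message ("Switch to python3", "Rebase patch") does not say why. If the python3 packaging folds those modules into `python3-core` (likely, but not shown on this page), a message line such as `Drop python-subprocess and python-textutils: provided by python3-core` would record it. Otherwise the gap would only surface as an import failure when sandbox runs on the target, not at build time. `libselinux-python` and `selinux-python` keep their unversioned names here, so it is worth confirming that both are built against python3 elsewhere in this series.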
diff --git a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch 
b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
index 18cef4b..e9622f0 100644
--- a/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
+++ b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
@@ -1,4 +1,4 @@
-From d3e778e0062ca441c80e2a3ef2b508f5566e1f70 Mon Sep 17 00:00:00 2001
+From b92c39f0be5552c19923f75aef4487348a08b7dc Mon Sep 17 00:00:00 2001
 From: Joe MacDonald 
 Date: Fri, 20 Feb 2015 21:07:47 -0500
 Subject: [PATCH] sandbox: de-bashify
@@ -10,9 +10,10 @@ Upstream-Status: Pending
 
 Signed-off-by: Joe MacDonald 
 Signed-off-by: Wenzong Fan 
+Signed-off-by: Yi Zhao 
 ---
- sandbox/sandbox.init | 2 +-
- sandbox/sandboxX.sh  | 2 +-
+ sandbox.init | 2 +-
+ sandboxX.sh  | 2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sandbox.init b/sandbox.init
@@ -36,5 +37,5 @@ index eaa500d..8755d75 100644
  context=`id -Z | secon -t -l -P`
  export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut 
-b8-80`"
 -- 
-1.9.1
+2.7.4
 
diff --git a/recipes-security/selinux/selinux-sandbox_2.8.bb 
b/recipes-security/selinux/selinux-sandbox_2.8.bb
deleted file mode 100644
index 1eb6c2d..000
--- a/recipes-security/selinux/selinux-sandbox_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "957f5d0fc7724f93f502d1d632568894"
-SRC_URI[sha256sum] = 
"025f84f76e07b7bfc9ba1e9215f4ddb646d41a2e935a65e07560feaa6fc20ef3"
diff --git a/recipes-security/selinux/selinux-sandbox_2.9.bb 
b/recipes-security/selinux/selinux-sandbox_2.9.bb
new file mode 100644
index 000..b1dd462
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "3482b8fa6648160e97ba48ad26f84e7d"
+SRC_URI[sha256sum] = 
"01915f57f08642751dea550a87f82a6f2fcec754be48dcfa28266c14bd044262"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 16/19] semodule-utils: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/semodule-utils_2.8.bb | 7 ---
 recipes-security/selinux/semodule-utils_2.9.bb | 7 +++
 2 files changed, 7 insertions(+), 7 deletions(-)
 delete mode 100644 recipes-security/selinux/semodule-utils_2.8.bb
 create mode 100644 recipes-security/selinux/semodule-utils_2.9.bb

diff --git a/recipes-security/selinux/semodule-utils_2.8.bb 
b/recipes-security/selinux/semodule-utils_2.8.bb
deleted file mode 100644
index c56f776..000
--- a/recipes-security/selinux/semodule-utils_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "51c69e612481ce971e2ae825139d2ca0"
-SRC_URI[sha256sum] = 
"44f59c13070c637440b143ceab4dfe1efb9018b1e47828dd8789def74c1ccadf"
diff --git a/recipes-security/selinux/semodule-utils_2.9.bb 
b/recipes-security/selinux/semodule-utils_2.9.bb
new file mode 100644
index 000..a9c0fbd
--- /dev/null
+++ b/recipes-security/selinux/semodule-utils_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "9e7e6afe33459cae2de5360e97f1e702"
+SRC_URI[sha256sum] = 
"8083679ee634570f6e9a18632f2c2862b9134fa308b689b2e1952a369ae5d907"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 17/19] selinux-init: fix build error when enable usrmerge feature

2019-11-13 Thread Yi Zhao
Fix the following error when the usrmerge feature is enabled:

ERROR: selinux-init-0.1-r0 do_package: QA Issue: selinux-init:
Files/directories were installed but not shipped in any package:
  /usr
Please set FILES such that these items are packaged. Alternatively if
they are unneeded, avoid installing them or delete them within
do_install.
selinux-init: 1 installed and not shipped files. [installed-vs-shipped]

We don't need to install systemd service file when systemd feature is
not enabled.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-initsh.inc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/recipes-security/selinux/selinux-initsh.inc 
b/recipes-security/selinux/selinux-initsh.inc
index 8e31cda..f27750d 100644
--- a/recipes-security/selinux/selinux-initsh.inc
+++ b/recipes-security/selinux/selinux-initsh.inc
@@ -27,10 +27,9 @@ do_install () {
   -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
   ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
 
-   install -d ${D}${systemd_unitdir}/system
-   install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service 
${D}${systemd_unitdir}/system
-
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', 
d)}; then
+   install -d ${D}${systemd_unitdir}/system
+   install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service 
${D}${systemd_unitdir}/system
install -d ${D}${bindir}
install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh 
${D}${bindir}
sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
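Review bot: The service file now sits inside the `systemd` branch next to the helper script, but nothing in do_install says that both are systemd-only, and the commit subject blames usrmerge while the fix keys on `DISTRO_FEATURES`. A comment above the `if`, such as `# systemd unit and its helper script are shipped only when 'systemd' is in DISTRO_FEATURES`, would keep a later edit from moving the install back out. Installing to an explicit file name, `install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service ${D}${systemd_unitdir}/system/${SELINUX_SCRIPT_SRC}.service`, would also make the packaged path unambiguous. do_install starts before and continues after this hunk, so whether `FILES` or `SYSTEMD_SERVICE` still names the unit on non-systemd images cannot be checked from here.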
-- 
2.17.1



[yocto] [meta-selinux][PATCH 10/19] mcstrans: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Rebase patches

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/mcstrans.inc |  4 ++--
 .../mcstrans/mcstrans-de-bashify.patch| 23 +++
 ...tch => mcstrans-fix-the-init-script.patch} | 14 +++
 recipes-security/selinux/mcstrans_2.8.bb  |  7 --
 recipes-security/selinux/mcstrans_2.9.bb  |  7 ++
 5 files changed, 32 insertions(+), 23 deletions(-)
 rename 
recipes-security/selinux/mcstrans/{0001-mcstrans-fix-the-init-script.patch => 
mcstrans-fix-the-init-script.patch} (69%)
 delete mode 100644 recipes-security/selinux/mcstrans_2.8.bb
 create mode 100644 recipes-security/selinux/mcstrans_2.9.bb

diff --git a/recipes-security/selinux/mcstrans.inc 
b/recipes-security/selinux/mcstrans.inc
index 0eb8720..b9c670b 100644
--- a/recipes-security/selinux/mcstrans.inc
+++ b/recipes-security/selinux/mcstrans.inc
@@ -7,7 +7,7 @@ SECTION = "base"
 LICENSE = "GPLv2+"
 
 SRC_URI += "file://mcstrans-de-bashify.patch \
-file://0001-mcstrans-fix-the-init-script.patch \
+file://mcstrans-fix-the-init-script.patch \
 "
 
 inherit systemd update-rc.d
@@ -29,7 +29,7 @@ do_install_append() {
 else
 install -d ${D}${sysconfdir}/default/volatiles
 echo "d root root 0755 /var/run/setrans none" \
->${D}${sysconfdir}/default/volatiles/volatiles.80_mcstrans
+>${D}${sysconfdir}/default/volatiles/80_mcstrans
 fi
 install -d ${D}${datadir}/mcstrans
 cp -r share/* ${D}${datadir}/mcstrans/.
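Review bot: The volatiles entry is renamed from `volatiles.80_mcstrans` to `80_mcstrans`, which changes what sysvinit images install, yet the commit message mentions only the uprev and "Rebase patches". A message line such as `Rename the volatiles file to 80_mcstrans` would make this change findable later. The file creates `/var/run/setrans` as `root root 0755` at boot, so anyone auditing that directory's ownership and mode needs to know where the entry now lives. do_install_append starts before and continues after this hunk.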
diff --git a/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch 
b/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
index 805d7e5..27fd677 100644
--- a/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
+++ b/recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch
@@ -1,21 +1,23 @@
-commit 54875dcb50f5e40fc86d6fe98dde244bfe4751af
-Author: Joe MacDonald 
-Date:   Fri Aug 7 15:16:45 2015 -0400
+From 544b3c078374e5001e7fdc1b7d0b2eafda36f8fe Mon Sep 17 00:00:00 2001
+From: Joe MacDonald 
+Date: Fri, 7 Aug 2015 15:16:45 -0400
+Subject: [PATCH] mcstrans: remove dependency on bash in initscript
 
-mcstrans: remove dependency on bash in initscript
+There were no apparent bashisms in mcstrans.init, so remove the
+dependency on bash.
 
-There were no apparent bashisms in mcstrans.init, so remove the dependency
-on bash.
-
-Signed-off-by: Joe MacDonald 
+Signed-off-by: Joe MacDonald 
 
 Upstream-Status: Pending
 
 Signed-off-by: Wenzong Fan 
+Signed-off-by: Yi Zhao 
 ---
- src/mcstrans.init |2 +-
+ src/mcstrans.init | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
+diff --git a/src/mcstrans.init b/src/mcstrans.init
+index 2804ec0..8b4737d 100644
 --- a/src/mcstrans.init
 +++ b/src/mcstrans.init
 @@ -1,4 +1,4 @@
@@ -24,3 +26,6 @@ Signed-off-by: Wenzong Fan 
  #
  # mcstransdThis starts and stops mcstransd
  #
+-- 
+2.7.4
+
diff --git 
a/recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch 
b/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch
similarity index 69%
rename from 
recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch
rename to recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch
index 5f7163d..79be090 100644
--- a/recipes-security/selinux/mcstrans/0001-mcstrans-fix-the-init-script.patch
+++ b/recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch
@@ -1,17 +1,21 @@
-[PATCH] mcstrans: fix the init script
-
-Upstream-Status: Inappropriate [embedded specific]
+From 4d918a9679d2902ca2d41fe769a4d76f07a67b5f Mon Sep 17 00:00:00 2001
+From: Roy Li 
+Date: Wed, 6 Nov 2019 22:13:33 +0800
+Subject: [PATCH] mcstrans: fix the init script
 
 replace daemon with start-stop-daemon, due to not daemon functions
 
+Upstream-Status: Inappropriate [embedded specific]
+
 Signed-off-by: Roy Li 
 Signed-off-by: Wenzong Fan 
+Signed-off-by: Yi Zhao 
 ---
  src/mcstrans.init | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/mcstrans.init b/src/mcstrans.init
-index 2804ec0..c660290 100644
+index 8b4737d..86c89ea 100644
 --- a/src/mcstrans.init
 +++ b/src/mcstrans.init
 @@ -51,7 +51,7 @@ start(){
@@ -24,5 +28,5 @@ index 2804ec0..c660290 100644
echo
if test $RETVAL = 0 ; then
 -- 
-1.9.1
+2.7.4
 
diff --git a/recipes-security/selinux/mcstrans_2.8.bb 
b/recipes-security/selinux/mcstrans_2.8.bb
deleted file mode 100644
index 8923c3c..000
--- a/recipes-security/selinux/mcstrans_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-
-SRC_URI[md5sum] = "3a0edb2a8b6a255199824abd58c0906c"
-SRC_URI[sha256sum] = 
"ec6ea65660550ed6bbd2a834725ba7526ac53599753d7b95072e4afd4afc14e4"
diff --git a/recipes-security/selinux/mcstrans_2.9.bb 
b/recipes-security/selinux/mcstrans_2.9.bb
new file mode 100644
index 000..34aab03
--- /dev/null
+++ b/recipes-sec

[yocto] [meta-selinux][PATCH 09/19] policycoreutils: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/policycoreutils.inc| 16 
 recipes-security/selinux/policycoreutils_2.8.bb |  8 
 recipes-security/selinux/policycoreutils_2.9.bb |  8 
 3 files changed, 12 insertions(+), 20 deletions(-)
 delete mode 100644 recipes-security/selinux/policycoreutils_2.8.bb
 create mode 100644 recipes-security/selinux/policycoreutils_2.9.bb

diff --git a/recipes-security/selinux/policycoreutils.inc 
b/recipes-security/selinux/policycoreutils.inc
index 85ff164..92f7a75 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -19,7 +19,7 @@ DEPENDS += "libsepol libselinux libsemanage libcap 
gettext-native"
 EXTRA_DEPENDS = "libcap-ng libcgroup"
 DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
 
-inherit selinux pythonnative
+inherit selinux python3native
 
 RDEPENDS_${BPN}-fixfiles += "\
${BPN}-setfiles \
@@ -27,7 +27,6 @@ RDEPENDS_${BPN}-fixfiles += "\
findutils \
 "
 RDEPENDS_${BPN}-genhomedircon += "\
-   ${BPN}-genhomedircon \
${BPN}-semodule \
 "
 RDEPENDS_${BPN}-loadpolicy += "\
@@ -45,10 +44,6 @@ RDEPENDS_${BPN}-semodule += "\
libselinux \
libsemanage \
 "
-# static link to libsepol
-RDEPENDS_${BPN}-semodule-expand += "libsepol libselinux"
-RDEPENDS_${BPN}-semodule-link += "libsepol libselinux"
-RDEPENDS_${BPN}-semodule-package += "libsepol libselinux"
 RDEPENDS_${BPN}-sestatus += "libselinux"
 RDEPENDS_${BPN}-setfiles += "\
libselinux \
@@ -61,10 +56,6 @@ RDEPENDS_${BPN}-setsebool += "\
 "
 RDEPENDS_${BPN} += "selinux-python"
 
-WARN_QA_remove = " unsafe-references-in-scripts"
-ERROR_QA_remove = " unsafe-references-in-scripts"
-
-
 PACKAGES =+ "\
${PN}-fixfiles \
${PN}-genhomedircon \
@@ -102,6 +93,7 @@ FILES_${PN}-sestatus += "\
 "
 FILES_${PN}-setfiles += "\
${base_sbindir}/restorecon \
+   ${base_sbindir}/restorecon_xattr \
${base_sbindir}/setfiles \
 "
 FILES_${PN}-setsebool += "\
@@ -147,7 +139,7 @@ sysroot_stage_dirs_append_class-native() {
 }
 
 do_compile_prepend() {
-   export PYTHON=python
+   export PYTHON=python3
export PYLIBVER='python${PYTHON_BASEVERSION}'
export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}"
export PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so"
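Review bot: The unchanged context lines still set `PYLIBVER='python${PYTHON_BASEVERSION}'` and build `PYTHON_CPPFLAGS` and `PYTHON_LDFLAGS` from it, and after the switch to `python3native` those now resolve against the Python 3 sysroot. Python 3 builds that carry an ABI suffix put it in the header directory and shared library names (python3-dir.bbclass exposes it as `PYTHON_ABI`), so `-I${STAGING_INCDIR}/${PYLIBVER}` and `lib${PYLIBVER}.so` may name paths that do not exist. If policycoreutils 2.9 still consumes these exports, `export PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}'` is the safer form; if it does not, dropping the three exports is cleaner than leaving stale ones. The same `PYLIBVER` value is added to do_install in selinux-python.inc in patch 12/19. do_compile_prepend continues past this hunk.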
@@ -155,7 +147,7 @@ do_compile_prepend() {
 }
 
 do_install_prepend() {
-   export PYTHON=python
+   export PYTHON=python3
export SBINDIR="${D}/${base_sbindir}"
 }
 
diff --git a/recipes-security/selinux/policycoreutils_2.8.bb 
b/recipes-security/selinux/policycoreutils_2.8.bb
deleted file mode 100644
index 85f6ff0..000
--- a/recipes-security/selinux/policycoreutils_2.8.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "da5ceb9c7e1e6f8c573731031b91cffe"
-SRC_URI[sha256sum] = 
"986553a235f27bee7ad7c2b7c35ea51eb2ee68e2cf03b661b1585de101bc1099"
-
diff --git a/recipes-security/selinux/policycoreutils_2.9.bb 
b/recipes-security/selinux/policycoreutils_2.9.bb
new file mode 100644
index 000..08ba54a
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils_2.9.bb
@@ -0,0 +1,8 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "0fbebdb4761353726cc739d5528f21d8"
+SRC_URI[sha256sum] = 
"c53c344f28007b3c0742bd958751e9b5d2385898adeb8aec6281ae57342f0f7b"
+
-- 
2.17.1



[yocto] [meta-selinux][PATCH 12/19] selinux-python: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

* Drop patches:
  fix-TypeError-for-seobject.py.patch
  process-ValueError-for-sepolicy-seobject.patch

* Rebase patches

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-python.inc   | 62 +--
 .../fix-TypeError-for-seobject.py.patch   | 30 -
 .../fix-sepolicy-install-path.patch   |  8 +--
 ...ess-ValueError-for-sepolicy-seobject.patch | 47 --
 .../selinux/selinux-python_2.8.bb |  7 ---
 .../selinux/selinux-python_2.9.bb |  7 +++
 6 files changed, 40 insertions(+), 121 deletions(-)
 delete mode 100644 
recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
 delete mode 100644 
recipes-security/selinux/selinux-python/process-ValueError-for-sepolicy-seobject.patch
 delete mode 100644 recipes-security/selinux/selinux-python_2.8.bb
 create mode 100644 recipes-security/selinux/selinux-python_2.9.bb

diff --git a/recipes-security/selinux/selinux-python.inc 
b/recipes-security/selinux/selinux-python.inc
index 8b34bff..5e27781 100644
--- a/recipes-security/selinux/selinux-python.inc
+++ b/recipes-security/selinux/selinux-python.inc
@@ -6,60 +6,54 @@ SELinux utilities audit2allow, chcat, semanage ..."
 SECTION = "base"
 LICENSE = "GPLv2+"
 
-SRC_URI += "file://fix-sepolicy-install-path.patch \
-file://fix-TypeError-for-seobject.py.patch \
-file://process-ValueError-for-sepolicy-seobject.patch \
-"
+SRC_URI += "file://fix-sepolicy-install-path.patch"
 
-inherit python-dir
+inherit python3-dir
 
-DEPENDS += "python-native libsepol"
+DEPENDS += "python3 libsepol"
 RDEPENDS_${BPN}-audit2allow += "\
-python-core \
-python-textutils \
+python3-core \
 libselinux-python \
 ${BPN}-sepolgen \
 "
 RDEPENDS_${BPN}-chcat += "\
-python-core \
-python-codecs \
-python-shell \
-python-stringold \
-python-unixadmin \
+python3-core \
+python3-codecs \
+python3-shell \
+python3-stringold \
+python3-unixadmin \
 libselinux-python \
 ${BPN} \
 "
 RDEPENDS_${BPN} += "\
-python-core \
-python-codecs \
-python-io \
-python-ipy \
-python-re \
-python-stringold \
-python-syslog \
-python-unixadmin \
+python3-core \
+python3-codecs \
+python3-io \
+python3-ipy \
+python3-stringold \
+python3-syslog \
+python3-unixadmin \
 libselinux-python \
 libsemanage-python \
 setools \
 "
 RDEPENDS_${BPN}-semanage += "\
-python-core \
-python-ipy \
-python-compression \
-python-xml \
-python-misc \
+python3-core \
+python3-ipy \
+python3-compression \
+python3-xml \
+python3-misc \
 libselinux-python \
 ${BPN} \
 "
 RDEPENDS_${BPN}-sepolicy += "\
-python-argparse \
-python-codecs \
-python-core \
-python-syslog \
+python3-core \
+python3-codecs \
+python3-syslog \
 ${BPN} \
 "
 RDEPENDS_${BPN}-sepolgen-ifgen += "\
-python \
+python3-core \
 libselinux-python \
 "
 
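Review bot: `DEPENDS` moves from `python-native` to the target `python3`, and the only class this hunk inherits is `python3-dir`, so nothing visible here provides the build-host interpreter. If the selinux-python Makefiles run Python during do_compile or do_install (they are not shown on this page), `inherit python3native` would be expected, as policycoreutils.inc does in patch 09/19. Without it the build may fall back to whatever python3 is on the host, which is the kind of host contamination recipes normally try to rule out. Separately, `python-textutils`, `python-re` and `python-argparse` are dropped with no python3 counterpart; presumably `python3-core` covers them, but the commit message should say so.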
@@ -96,7 +90,7 @@ FILES_${PN}-sepolgen += "\
 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolgen* \
 ${localstatedir}/lib/sepolgen/perm_map \
 "
-# Map to policycoreutils-python in 2.6
+
 FILES_${PN} += "\
 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
 ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info 
\
@@ -104,9 +98,11 @@ FILES_${PN} += "\
 "
 
 EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+
 do_install() {
-oe_runmake DESTDIR=${D} \
+oe_runmake DESTDIR="${D}" \
 LIBDIR="${libdir}" \
+PYLIBVER='python${PYTHON_BASEVERSION}' \
 
PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
 install
 }
diff --git 
a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch 
b/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
deleted file mode 100644
index 62cdeee..000
--- 
a/recipes-security/selinux/selinux-python/fix-TypeError-for-seobject.py.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 98c2944ffa3e35095187e1df9ff33498bbd0fa54 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan 
-Date: Tue, 1 Apr 2014 02:53:36 -0400
-Subject: [PATCH] policycoreutils: fix TypeError for seobject.py
-
-File "/usr/lib64/python2.7/site-packages/seobject.py", line 109, in log
-  message += " sename=" + sename
-TypeError: cannot concatenate 'str' and 'NoneType' objects
-
-Uptream-Status: Pending
-
-Signed-off-by: Wenzong Fan 
-

- semanage/seobject.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/semanage/seobject.py b/semanage/seobject.py
-index 70fd192..23ab77e 10

[yocto] [meta-selinux][PATCH 08/19] secilc: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/secilc_2.8.bb | 7 ---
 recipes-security/selinux/secilc_2.9.bb | 7 +++
 2 files changed, 7 insertions(+), 7 deletions(-)
 delete mode 100644 recipes-security/selinux/secilc_2.8.bb
 create mode 100644 recipes-security/selinux/secilc_2.9.bb

diff --git a/recipes-security/selinux/secilc_2.8.bb 
b/recipes-security/selinux/secilc_2.8.bb
deleted file mode 100644
index 89e0684..000
--- a/recipes-security/selinux/secilc_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
-
-SRC_URI[md5sum] = "a3c363545842aadc6645a94112b476e7"
-SRC_URI[sha256sum] = 
"cfe15f2e06b3013c9dfc46cf42234ff07fb61866c4c29d739eb8858f83b214d4"
diff --git a/recipes-security/selinux/secilc_2.9.bb 
b/recipes-security/selinux/secilc_2.9.bb
new file mode 100644
index 000..8207905
--- /dev/null
+++ b/recipes-security/selinux/secilc_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=5fb82e8deb357d4e5fd8f3fed01d2f38"
+
+SRC_URI[md5sum] = "489cedf50fa277ce07765053ffcdb4d5"
+SRC_URI[sha256sum] = 
"73a1806e33a669e23545da2d35d0e5038714721f6bf71974eaa533b3ebde61b2"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 11/19] restorecond: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Rebase patches

Signed-off-by: Yi Zhao 
---
 ...icycoreutils-make-O_CLOEXEC-optional.patch | 29 +++
 recipes-security/selinux/restorecond_2.8.bb   |  7 -
 recipes-security/selinux/restorecond_2.9.bb   |  7 +
 3 files changed, 24 insertions(+), 19 deletions(-)
 delete mode 100644 recipes-security/selinux/restorecond_2.8.bb
 create mode 100644 recipes-security/selinux/restorecond_2.9.bb

diff --git 
a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
 
b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
index ab1a10a..2928aff 100644
--- 
a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
+++ 
b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
@@ -1,29 +1,34 @@
+From 4adc1c02e4da42f64249c05534875e732f043693 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald 
+Date: Wed, 6 Nov 2019 23:17:50 +0800
 Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
 
-Various commits in the selinux tree in the current release added O_CLOEXEC
-to open() calls in an attempt to address file descriptor leaks as
-described:
+Various commits in the selinux tree in the current release added
+O_CLOEXEC to open() calls in an attempt to address file descriptor leaks
+as described:
 
-   http://danwalsh.livejournal.com/53603.html
+  http://danwalsh.livejournal.com/53603.html
 
 However O_CLOEXEC isn't available on all platforms, so make it a
-compile-time option and generate a warning when it is not available.  The
-actual impact of leaking these file descriptors is minimal, though it does
-produce curious AVC Denied messages.
+compile-time option and generate a warning when it is not available.
+The actual impact of leaking these file descriptors is minimal, though
+it does produce curious AVC Denied messages.
 
-Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and 
POSIX since 2008]
+Uptream-Status: Inappropriate
+[O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
 
 Signed-off-by: Joe MacDonald 
 Signed-off-by: Wenzong Fan 
+Signed-off-by: Yi Zhao 
 ---
- user.c |8 +++-
+ user.c | 8 +++-
  1 file changed, 7 insertions(+), 1 deletion(-)
 
 diff --git a/user.c b/user.c
-index 2c28676..6235772 100644
+index 714aae7..bbf018e 100644
 --- a/user.c
 +++ b/user.c
-@@ -202,7 +202,13 @@ static int local_server() {
+@@ -202,7 +202,13 @@ static int local_server(void) {
perror("asprintf");
return -1;
}
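Review bot: The rewritten status line in the patch header keeps the misspelled tag `Uptream-Status:`, so tooling that looks for `Upstream-Status:` will presumably treat this patch as having no status. Since the line is being reflowed anyway, it should read `Upstream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]`. The stated reason also suggests the patch is no longer needed on the toolchains this layer targets. It only makes the close-on-exec flag conditional, and a build where the macro were missing would open the file in `local_server()` without it, with only a compile-time warning, leaving the descriptor inheritable by child processes. Dropping the patch instead of rebasing it would remove that fallback path; most of the C hunk lies outside what is shown here.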
@@ -39,5 +44,5 @@ index 2c28676..6235772 100644
g_warning ("Lock file: %s", ptr);
  
 -- 
-1.7.9.5
+2.7.4
 
diff --git a/recipes-security/selinux/restorecond_2.8.bb 
b/recipes-security/selinux/restorecond_2.8.bb
deleted file mode 100644
index 4a83a23..000
--- a/recipes-security/selinux/restorecond_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "cfe4e4d6184623fdcb9bc2681e693abb"
-SRC_URI[sha256sum] = 
"323cab1128e5308cd85fea0e5c98e3c8973e1ada0b659f2fce76187e192271bf"
diff --git a/recipes-security/selinux/restorecond_2.9.bb 
b/recipes-security/selinux/restorecond_2.9.bb
new file mode 100644
index 000..2ccac18
--- /dev/null
+++ b/recipes-security/selinux/restorecond_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "1a24cb2a23d8bd01d3f8d9bb2031981f"
+SRC_URI[sha256sum] = 
"cbf9820583e641ee0462fa7bc89e6024676af281e025703e17b2d019b1a25a4f"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 06/19] libsemanage: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

* Drop patches:
  libsemanage-fix-path-nologin.patch
  0001-src-Makefile-fix-includedir-in-libselinux.pc.patch

* Rebase patches

* Update policy version to 31

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/libsemanage.inc  | 26 ++---
 ...file-fix-includedir-in-libselinux.pc.patch | 28 -
 ...anage-Fix-execve-segfaults-on-Ubuntu.patch | 12 --
 ...anage-allow-to-disable-audit-support.patch | 26 +++--
 ...anage-define-FD_CLOEXEC-as-necessary.patch | 16 
 ...-disable-expand-check-on-policy-load.patch |  6 ++-
 ...age-drop-Wno-unused-but-set-variable.patch | 12 +++---
 .../libsemanage-fix-path-nologin.patch| 39 ---
 recipes-security/selinux/libsemanage_2.8.bb   | 18 -
 recipes-security/selinux/libsemanage_2.9.bb   | 15 +++
 10 files changed, 70 insertions(+), 128 deletions(-)
 delete mode 100644 
recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
 delete mode 100644 
recipes-security/selinux/libsemanage/libsemanage-fix-path-nologin.patch
 delete mode 100644 recipes-security/selinux/libsemanage_2.8.bb
 create mode 100644 recipes-security/selinux/libsemanage_2.9.bb

diff --git a/recipes-security/selinux/libsemanage.inc 
b/recipes-security/selinux/libsemanage.inc
index be0a5f1..9dc1095 100644
--- a/recipes-security/selinux/libsemanage.inc
+++ b/recipes-security/selinux/libsemanage.inc
@@ -6,41 +6,39 @@ on binary policies such as customizing policy boolean 
settings."
 SECTION = "base"
 LICENSE = "LGPLv2.1+"
 
-inherit lib_package python-dir
+inherit lib_package python3-dir
 
-DEPENDS += "libsepol libselinux bzip2 python bison-native flex-native 
swig-native"
-DEPENDS_append_class-target += "audit"
+DEPENDS += "libsepol libselinux bzip2 python3 bison-native flex-native 
swig-native"
+DEPENDS_append_class-target = " audit"
 
 PACKAGES =+ "${PN}-python"
 
 # For /usr/libexec/selinux/semanage_migrate_store
-RDEPENDS_${PN}-python += "python"
+RDEPENDS_${PN}-python += "python3-core"
 
 FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \
   ${libexecdir}/selinux/semanage_migrate_store"
 FILES_${PN}-dbg += 
"${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/*"
 
+FILES_${PN} += "${libexecdir}"
+
 EXTRA_OEMAKE_class-native += "DISABLE_AUDIT=y"
 
 do_compile_append() {
 oe_runmake pywrap \
-INCLUDEDIR='${STAGING_INCDIR}' \
-LIBDIR='${STAGING_LIBDIR}' \
-PYLIBVER='python${PYTHON_BASEVERSION}' \
-PYINC='-I${STAGING_INCDIR}/$(PYLIBVER)' \
-PYLIB='-L${STAGING_LIBDIR}/$(PYLIBVER) -l$(PYLIBVER)' \
-PYTHONLIBDIR='${PYLIB}'
+PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
 }
 
 do_install_append() {
 oe_runmake install-pywrap swigify \
 PYCEXT='.so' \
-
PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
-PYLIBVER='python${PYTHON_BASEVERSION}' \
-PYLIBDIR='${D}/${libdir}/$(PYLIBVER)'
+PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+
PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'
 
 # Update "policy-version" for semanage.conf
-sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 30/' \
+sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 31/' \
${D}/etc/selinux/semanage.conf
 }
 
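Review bot: In `do_compile_append` the `PYINC` and `PYLIBS` arguments now spell the make variable as `${PYLIBVER}`, which is also BitBake's own expansion syntax. As far as I can tell this works only while no BitBake variable named PYLIBVER exists, because BitBake then leaves the text alone and make expands it; the previous `$(PYLIBVER)` form could not be captured by the metadata. I would keep the make spelling, `PYINC='-I${STAGING_INCDIR}/$(PYLIBVER)'` and `PYLIBS='-L${STAGING_LIBDIR}/$(PYLIBVER) -l$(PYLIBVER)'`, or add a comment saying the expansion is deliberately left to make. The same two lines appear in `do_compile` of the new libselinux-python.inc.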
diff --git 
a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
 
b/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
deleted file mode 100644
index 73613d3..000
--- 
a/recipes-security/selinux/libsemanage/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From e773c0952b06370d81e9b113f9b0b3388e323e52 Mon Sep 17 00:00:00 2001
-From: Robert Yang 
-Date: Thu, 18 Feb 2016 02:39:16 +
-Subject: [PATCH] src/Makefile: fix includedir in libselinux.pc
-
-Upstream-Status: Pending
-
-Signed-off-by: Robert Yang 
-Signed-off-by: Yi Zhao 

- src/Makefile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/Makefile b/src/Makefile
-index dea751e..4af4568 100644
 a/src/Makefile
-+++ b/src/Makefile
-@@ -93,6 +93,7 @@ $(LIBSO): $(LOBJS)
- 
- $(LIBPC): $(LIBPC).in ../VERSION
-   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@
- 
- semanageswig_python_exception.i: ../include/semanage/semanage.h
-   bash -e exception.sh > $@ || (rm -f $@ ; false)
--- 
-2.7.4
-
diff --git 
a/recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch
 
b/recipes-security/sel

[yocto] [meta-selinux][PATCH 07/19] checkpolicy: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/checkpolicy_2.8.bb | 7 ---
 recipes-security/selinux/checkpolicy_2.9.bb | 7 +++
 2 files changed, 7 insertions(+), 7 deletions(-)
 delete mode 100644 recipes-security/selinux/checkpolicy_2.8.bb
 create mode 100644 recipes-security/selinux/checkpolicy_2.9.bb

diff --git a/recipes-security/selinux/checkpolicy_2.8.bb 
b/recipes-security/selinux/checkpolicy_2.8.bb
deleted file mode 100644
index 05e738e..000
--- a/recipes-security/selinux/checkpolicy_2.8.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "5d23a3209048c8cf70f3c13c4ce4245f"
-SRC_URI[sha256sum] = 
"9dec811c24b88e58c3bf741365eacf1dbb945531a2fcb8f284aacf68098194c8"
diff --git a/recipes-security/selinux/checkpolicy_2.9.bb 
b/recipes-security/selinux/checkpolicy_2.9.bb
new file mode 100644
index 000..1183ea9
--- /dev/null
+++ b/recipes-security/selinux/checkpolicy_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "3b0e327f6c1a143f9720a1fbefede3c0"
+SRC_URI[sha256sum] = 
"a946c32b284532447857e4c48830f8816867c61220c8c08bdd32e6f691335f8e"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 05/19] libselinux-python: add recipe

2019-11-13 Thread Yi Zhao
After switching to python3, there is a dependency loop error with the
libselinux-python package when building libselinux. Split the original
libselinux recipe into libselinux and libselinux-python.

Signed-off-by: Yi Zhao 
---
 .../selinux/libselinux-python.inc | 40 +++
 .../selinux/libselinux-python_2.9.bb  | 18 +
 2 files changed, 58 insertions(+)
 create mode 100644 recipes-security/selinux/libselinux-python.inc
 create mode 100644 recipes-security/selinux/libselinux-python_2.9.bb

diff --git a/recipes-security/selinux/libselinux-python.inc 
b/recipes-security/selinux/libselinux-python.inc
new file mode 100644
index 000..62354b2
--- /dev/null
+++ b/recipes-security/selinux/libselinux-python.inc
@@ -0,0 +1,40 @@
+SUMMARY = "SELinux library and simple utilities"
+DESCRIPTION = "libselinux provides an API for SELinux applications to get and 
set \
+process and file security contexts and to obtain security policy \
+decisions.  Required for any applications that use the SELinux API."
+SECTION = "base"
+LICENSE = "PD"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/libselinux:"
+
+inherit python3-dir
+
+DEPENDS += "python3 swig-native"
+RDEPENDS_${PN} += "libselinux python3-core python3-shell"
+
+def get_policyconfigarch(d):
+import re
+target = d.getVar('TARGET_ARCH', True)
+p = re.compile('i.86')
+target = p.sub('i386',target)
+return "ARCH=%s" % (target)
+EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
+
+EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' 
LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
+EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"
+
+FILES_${PN} = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
+
+do_compile() {
+oe_runmake pywrap -j1 \
+PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+}
+
+do_install() {
+oe_runmake install-pywrap swigify \
+PYCEXT='.so' \
+PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+
PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'
+}
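Review bot: `SUMMARY` and `DESCRIPTION` are copied unchanged from libselinux.inc, so the package index will show the bindings recipe with the C library's description. Something like `SUMMARY = "Python bindings for the SELinux library"` would tell the two apart. `get_policyconfigarch` and the two `EXTRA_OEMAKE` assignments are likewise duplicated from libselinux.inc and will have to be kept in step by hand. If they are moved into a shared include, `d.getVar('TARGET_ARCH', True)` could lose its second argument at the same time, assuming the layer no longer supports BitBake releases that required it.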
diff --git a/recipes-security/selinux/libselinux-python_2.9.bb 
b/recipes-security/selinux/libselinux-python_2.9.bb
new file mode 100644
index 000..8e3aae1
--- /dev/null
+++ b/recipes-security/selinux/libselinux-python_2.9.bb
@@ -0,0 +1,18 @@
+SELINUX_RELEASE = "20190315"
+
+SRC_URI = 
"https://github.com/SELinuxProject/selinux/releases/download/${SELINUX_RELEASE}/libselinux-${PV}.tar.gz";
+
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+SRC_URI[md5sum] = "bb449431b6ed55a0a0496dbc366d6e31"
+SRC_URI[sha256sum] = 
"1bccc8873e449587d9a2b2cf253de9b89a8291b9fbc7c59393ca9e5f5f4d2693"
+
+SRC_URI += "\
+file://libselinux-drop-Wno-unused-but-set-variable.patch \
+file://libselinux-make-O_CLOEXEC-optional.patch \
+file://libselinux-make-SOCK_CLOEXEC-optional.patch \
+file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
+"
+S = "${WORKDIR}/libselinux-${PV}"
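Review bot: This recipe sets `SELINUX_RELEASE` and `SRC_URI` itself instead of taking them from selinux_20190315.inc, so the release tag now lives in two files. The `UPSTREAM_CHECK_URI` and `UPSTREAM_CHECK_REGEX` settings added in that include also do not apply here. That is presumably because `${BPN}` would name a tarball that does not exist, but the next uprev has to remember both places, and a mismatch would build the bindings from a different release than the library. A comment above the assignment such as `# Cannot require selinux_20190315.inc: the tarball is named libselinux, not ${BPN}` would record the reason.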
-- 
2.17.1



[yocto] [meta-selinux][PATCH 04/19] libselinux: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Switch to python3

* Drop patches:
  0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
  0001-src-Makefile-fix-includedir-in-libselinux.pc.patch

* Split into libselinux recipe and libselinux-python recipe to fix the
  loop dependency error.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/libselinux.inc   | 24 +---
 ...t-define-gettid-if-glibc-2.30-is-use.patch | 60 ---
 ...file-fix-includedir-in-libselinux.pc.patch | 28 -
 .../{libselinux_2.8.bb => libselinux_2.9.bb}  | 10 ++--
 4 files changed, 6 insertions(+), 116 deletions(-)
 delete mode 100644 
recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
 delete mode 100644 
recipes-security/selinux/libselinux/0001-src-Makefile-fix-includedir-in-libselinux.pc.patch
 rename recipes-security/selinux/{libselinux_2.8.bb => libselinux_2.9.bb} (50%)

diff --git a/recipes-security/selinux/libselinux.inc 
b/recipes-security/selinux/libselinux.inc
index 6e115e3..8d381de 100644
--- a/recipes-security/selinux/libselinux.inc
+++ b/recipes-security/selinux/libselinux.inc
@@ -5,15 +5,10 @@ decisions.  Required for any applications that use the 
SELinux API."
 SECTION = "base"
 LICENSE = "PD"
 
-inherit lib_package pythonnative
+inherit lib_package python3native
 
-DEPENDS += "libsepol python libpcre swig-native"
+DEPENDS += "libsepol libpcre"
 DEPENDS_append_libc-musl = " fts"
-RDEPENDS_${PN}-python += "python-core python-shell"
-
-PACKAGES += "${PN}-python"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
-FILES_${PN}-dbg += 
"${libdir}/python${PYTHON_BASEVERSION}/site-packages/selinux/.debug/*"
 
 def get_policyconfigarch(d):
 import re
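Review bot: The `inherit` line still pulls in `python3native`, although this hunk removes `python` and `swig-native` from `DEPENDS` and moves the whole `${PN}-python` package to the new recipe. If nothing left in the library build runs the Python interpreter, `inherit lib_package` alone avoids an unneeded python3-native dependency for every libselinux build. If something does need it, a one-line comment naming it would help. `get_policyconfigarch` continues past the end of this hunk.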
@@ -26,19 +21,4 @@ EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
 EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' 
LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
 EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"
 
-do_compile_append() {
-oe_runmake pywrap -j1 \
-INCLUDEDIR='${STAGING_INCDIR}' \
-LIBDIR='${STAGING_LIBDIR}' \
-PYINC='-I${STAGING_INCDIR}/python${PYTHON_BASEVERSION}'
-}
-
-do_install_append() {
-oe_runmake install-pywrap swigify \
-
PYTHONLIBDIR=${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages
-if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; 
then
-rm -rf ${D}${base_sbindir}
-fi
-}
-
 BBCLASSEXTEND = "native"
diff --git 
a/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
 
b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
deleted file mode 100644
index fc3e37e..000
--- 
a/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 2c672b4cc39fbddb6faec2c7434832058f339d59 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach 
-Date: Mon, 11 Mar 2019 16:00:41 +0100
-Subject: [PATCH] libselinux: Do not define gettid() if glibc >= 2.30 is used
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since version 2.30 glibc implements gettid() system call wrapper, see
-https://sourceware.org/bugzilla/show_bug.cgi?id=6399
-
-Fixes:
-cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong 
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic 
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection 
-I../include -D_GNU_SOURCE  -DNO_ANDROID_BACKEND   -c -o procattr.o procattr.c
-procattr.c:28:14: error: static declaration of ‘gettid’ follows non-static 
declaration
-   28 | static pid_t gettid(void)
-  |  ^~
-In file included from /usr/include/unistd.h:1170,
- from procattr.c:2:
-/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ 
was here
-   34 | extern __pid_t gettid (void) __THROW;
-  |^~
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/selinux/commit/707e4b8610733b5c9eaac0f00239778f3edb23c2]
-
-Signed-off-by: Petr Lautrbach 
-Signed-off-by: Yi Zhao 

- src/procattr.c | 15 +--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/src/procattr.c b/src/procattr.c
-index 8bf8432..3c7b87f 100644
 a/src/procattr.c
-+++ b/src/procattr.c
-@@ -22,8 +22,19 @@ static pthread_key_t destructor_key;
- static int destructor_key_initialized = 0;
- static __thread char destructor_initialized;
- 
--#ifndef __BIONIC__
--/* Bionic declares this in unistd.h and has a definition for it */
-+/* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h 
and
-+ * has a definition for it */
-+#ifdef __BIONIC__
-+  #define OVERRIDE_GETTID 0
-+#elif !defined(__GLIBC_PREREQ)
-+  #define OVERR

[yocto] [meta-selinux][PATCH 03/19] libsepol: uprev to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Drop patch 0001-src-Makefile-fix-includedir-in-libsepol.pc.patch

Signed-off-by: Yi Zhao 
---
 ...kefile-fix-includedir-in-libsepol.pc.patch | 29 ---
 recipes-security/selinux/libsepol_2.8.bb  |  9 --
 recipes-security/selinux/libsepol_2.9.bb  |  7 +
 3 files changed, 7 insertions(+), 38 deletions(-)
 delete mode 100644 
recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
 delete mode 100644 recipes-security/selinux/libsepol_2.8.bb
 create mode 100644 recipes-security/selinux/libsepol_2.9.bb

diff --git 
a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
 
b/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
deleted file mode 100644
index 987fdab..000
--- 
a/recipes-security/selinux/libsepol/0001-src-Makefile-fix-includedir-in-libsepol.pc.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 074dbf2f104d1a6ea1aa048600f44f9701c70a60 Mon Sep 17 00:00:00 2001
-From: Robert Yang 
-Date: Thu, 18 Feb 2016 02:04:59 +
-Subject: [PATCH] src/Makefile: fix includedir in libsepol.pc
-
-Upstream-Status: Pending
-
-Signed-off-by: Robert Yang 
-Signed-off-by: Yi Zhao 

- src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index ccb7023..2bb6290 100644
 a/src/Makefile
-+++ b/src/Makefile
-@@ -51,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP)
-   ln -sf $@ $(TARGET) 
- 
- $(LIBPC): $(LIBPC).in ../VERSION
--  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
-+  sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:${libdir}:; s:@includedir@:${prefix}/include:' < $< > $@
- 
- $(LIBMAP): $(LIBMAP).in
- ifneq ($(DISABLE_CIL),y)
--- 
-2.7.4
-
diff --git a/recipes-security/selinux/libsepol_2.8.bb 
b/recipes-security/selinux/libsepol_2.8.bb
deleted file mode 100644
index d1f905b..000
--- a/recipes-security/selinux/libsepol_2.8.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-include selinux_20180524.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI[md5sum] = "c19aa9dde1e78d1c2bd3109579e4d484"
-SRC_URI[sha256sum] = 
"3ad6916a8352bef0bad49acc8037a5f5b48c56f94e4cb4e1959ca475fa9d24d6"
-
-SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch"
diff --git a/recipes-security/selinux/libsepol_2.9.bb 
b/recipes-security/selinux/libsepol_2.9.bb
new file mode 100644
index 000..cd55be6
--- /dev/null
+++ b/recipes-security/selinux/libsepol_2.9.bb
@@ -0,0 +1,7 @@
+require selinux_20190315.inc
+require ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+SRC_URI[md5sum] = "2fdefe870a61424d8f2d5d37551c6259"
+SRC_URI[sha256sum] = 
"a34b12b038d121e3e459b1cbaca3c9202e983137819c16baf63658390e3f1d5d"
-- 
2.17.1



[yocto] [meta-selinux][PATCH 02/19] selinux: uprev inc files to 2.9 (20190315)

2019-11-13 Thread Yi Zhao
* Update SRC_URI
* Add UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux_20180524.inc | 5 -
 recipes-security/selinux/selinux_20190315.inc | 8 
 recipes-security/selinux/selinux_common.inc   | 4 +---
 3 files changed, 9 insertions(+), 8 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux_20180524.inc
 create mode 100644 recipes-security/selinux/selinux_20190315.inc

diff --git a/recipes-security/selinux/selinux_20180524.inc 
b/recipes-security/selinux/selinux_20180524.inc
deleted file mode 100644
index b36b333..000
--- a/recipes-security/selinux/selinux_20180524.inc
+++ /dev/null
@@ -1,5 +0,0 @@
-SELINUX_RELEASE = "20180524"
-
-SRC_URI = 
"https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz";
-
-include selinux_common.inc
diff --git a/recipes-security/selinux/selinux_20190315.inc 
b/recipes-security/selinux/selinux_20190315.inc
new file mode 100644
index 000..e79dd54
--- /dev/null
+++ b/recipes-security/selinux/selinux_20190315.inc
@@ -0,0 +1,8 @@
+SELINUX_RELEASE = "20190315"
+
+SRC_URI = 
"https://github.com/SELinuxProject/selinux/releases/download/${SELINUX_RELEASE}/${BPN}-${PV}.tar.gz";
+
+UPSTREAM_CHECK_URI = "https://github.com/SELinuxProject/selinux/releases";
+UPSTREAM_CHECK_REGEX = "libselinux-(?P.+)\.tar\.gz"
+
+require selinux_common.inc
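Review bot: `UPSTREAM_CHECK_REGEX` is tied to the `libselinux-` tarball, although this include is required by every recipe that fetches `${BPN}-${PV}.tar.gz`, so the upstream version check for, say, checkpolicy reports the libselinux version. The components are released together, so this is probably intended, but replacing the literal `libselinux-` prefix with `${BPN}-` would say so directly and survive a component being released on its own. As rendered on this page the named group appears without its name, `(?P.+)`, which is not valid; that is most likely the archive stripping the group name, but it is worth confirming against the applied file.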
diff --git a/recipes-security/selinux/selinux_common.inc 
b/recipes-security/selinux/selinux_common.inc
index 383f62d..f6c4a6b 100644
--- a/recipes-security/selinux/selinux_common.inc
+++ b/recipes-security/selinux/selinux_common.inc
@@ -1,9 +1,7 @@
 HOMEPAGE = "https://github.com/SELinuxProject";
 
 do_compile() {
-oe_runmake all \
-INCLUDEDIR='${STAGING_INCDIR}' \
-LIBDIR='${STAGING_LIBDIR}'
+oe_runmake all
 }
 
 do_install() {
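Review bot: `do_compile` no longer passes `INCLUDEDIR` and `LIBDIR` pointing at the staging sysroot, and neither the commit message nor the recipe says what replaces them. If the upstream makefiles fall back to defaults under the host prefix for header or library lookup, the build could pick up host files instead of the sysroot ones, which is the kind of contamination the removed overrides presumably prevented. I would state the reason in the commit message or add a comment above the call, for example `# 2.9 makefiles take include/lib paths from CFLAGS/LDFLAGS; no INCLUDEDIR/LIBDIR override needed`, after confirming that this is actually the case. The body of `do_install` lies outside this hunk.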
-- 
2.17.1



[yocto] [meta-selinux][PATCH 00/19] selinux: upgrade 2.8 -> 2.9

2019-11-13 Thread Yi Zhao
* Upgrade to 2.9
* Switch to python3
* Refresh patches

Yi Zhao (19):
  python-ipy: upgrade to 1.00 and add python3 version
  selinux: uprev inc files to 2.9 (20190315)
  libsepol: uprev to 2.9 (20190315)
  libselinux: uprev to 2.9 (20190315)
  libselinux-python: add recipe
  libsemanage: uprev to 2.9 (20190315)
  checkpolicy: uprev to 2.9 (20190315)
  secilc: uprev to 2.9 (20190315)
  policycoreutils: uprev to 2.9 (20190315)
  mcstrans: uprev to 2.9 (20190315)
  restorecond: uprev to 2.9 (20190315)
  selinux-python: uprev to 2.9 (20190315)
  selinux-dbus: uprev to 2.9 (20190315)
  selinux-sandbox: uprev to 2.9 (20190315)
  selinux-gui: uprev to 2.9 (20190315)
  semodule-utils: uprev to 2.9 (20190315)
  selinux-init: fix build error when enable usrmerge feature
  setools: upgrade 4.1.1 -> 4.2.2
  audit: switch to python3

 recipes-devtools/python/python-ipy.inc|  18 +++
 recipes-devtools/python/python-ipy_0.83.bb|  32 --
 recipes-devtools/python/python-ipy_1.00.bb|   2 +
 recipes-devtools/python/python3-ipy_1.00.bb   |   2 +
 .../audit/audit/audit-python-configure.patch  |  46 
 .../audit/audit/audit-python.patch|  64 ---
 .../audit/fix-swig-host-contamination.patch   |  56 --
 recipes-security/audit/audit_2.8.5.bb |  11 +-
 recipes-security/selinux/checkpolicy_2.8.bb   |   7 --
 recipes-security/selinux/checkpolicy_2.9.bb   |   7 ++
 .../selinux/libselinux-python.inc |  40 +++
 ...elinux_2.8.bb => libselinux-python_2.9.bb} |  14 ++-
 recipes-security/selinux/libselinux.inc   |  24 +---
 ...t-define-gettid-if-glibc-2.30-is-use.patch |  60 --
 ...file-fix-includedir-in-libselinux.pc.patch |  28 -
 .../{libselinux_2.8.bb => libselinux_2.9.bb}  |  10 +-
 recipes-security/selinux/libsemanage.inc  |  26 ++---
 ...file-fix-includedir-in-libselinux.pc.patch |  28 -
 ...anage-Fix-execve-segfaults-on-Ubuntu.patch |  12 +-
 ...anage-allow-to-disable-audit-support.patch |  26 +++--
 ...anage-define-FD_CLOEXEC-as-necessary.patch |  16 +--
 ...-disable-expand-check-on-policy-load.patch |   6 +-
 ...age-drop-Wno-unused-but-set-variable.patch |  12 +-
 .../libsemanage-fix-path-nologin.patch|  39 ---
 recipes-security/selinux/libsemanage_2.8.bb   |  18 ---
 recipes-security/selinux/libsemanage_2.9.bb   |  15 +++
 ...kefile-fix-includedir-in-libsepol.pc.patch |  29 -
 recipes-security/selinux/libsepol_2.8.bb  |   9 --
 recipes-security/selinux/libsepol_2.9.bb  |   7 ++
 recipes-security/selinux/mcstrans.inc |   4 +-
 .../mcstrans/mcstrans-de-bashify.patch|  23 ++--
 ...tch => mcstrans-fix-the-init-script.patch} |  14 ++-
 recipes-security/selinux/mcstrans_2.8.bb  |   7 --
 recipes-security/selinux/mcstrans_2.9.bb  |   7 ++
 recipes-security/selinux/policycoreutils.inc  |  16 +--
 .../selinux/policycoreutils_2.8.bb|   8 --
 .../selinux/policycoreutils_2.9.bb|   8 ++
 ...icycoreutils-make-O_CLOEXEC-optional.patch |  29 +++--
 recipes-security/selinux/restorecond_2.8.bb   |   7 --
 recipes-security/selinux/restorecond_2.9.bb   |   7 ++
 recipes-security/selinux/secilc_2.8.bb|   7 --
 recipes-security/selinux/secilc_2.9.bb|   7 ++
 recipes-security/selinux/selinux-dbus.inc |   2 +-
 recipes-security/selinux/selinux-dbus_2.8.bb  |   7 --
 recipes-security/selinux/selinux-dbus_2.9.bb  |   7 ++
 recipes-security/selinux/selinux-gui.inc  |   2 +-
 recipes-security/selinux/selinux-gui_2.8.bb   |   7 --
 recipes-security/selinux/selinux-gui_2.9.bb   |   7 ++
 recipes-security/selinux/selinux-initsh.inc   |   5 +-
 recipes-security/selinux/selinux-python.inc   |  62 +--
 .../fix-TypeError-for-seobject.py.patch   |  30 -
 .../fix-sepolicy-install-path.patch   |   8 +-
 ...ess-ValueError-for-sepolicy-seobject.patch |  47 
 .../selinux/selinux-python_2.8.bb |   7 --
 .../selinux/selinux-python_2.9.bb |   7 ++
 recipes-security/selinux/selinux-sandbox.inc  |  10 +-
 .../selinux-sandbox/sandbox-de-bashify.patch  |   9 +-
 .../selinux/selinux-sandbox_2.8.bb|   7 --
 .../selinux/selinux-sandbox_2.9.bb|   7 ++
 recipes-security/selinux/selinux_20180524.inc |   5 -
 recipes-security/selinux/selinux_20190315.inc |   8 ++
 recipes-security/selinux/selinux_common.inc   |   4 +-
 .../selinux/semodule-utils_2.8.bb |   7 --
 .../selinux/semodule-utils_2.9.bb |   7 ++
 ...e-with-GCC-7-due-to-possible-truncat.patch | 105 --
 ...ss-compiling-errors-for-powerpc-mips.patch |  35 --
 .../setools4-fixes-for-cross-compiling.patch  |  34 +++---
 .../{setools_4.1.1.bb => setools_4.2.2.bb}|  14 +--
 68 files changed, 348 insertions(+), 910 deletions(-)
 create mode 100644 recipes-devtools/python/python-ipy.inc
 delete mode 100644 recipes-devtools/python/python-ipy_0.83.bb
 create mode 100644 recipes-devtools/python/python-ipy_1.00.bb
 cr

[yocto] [meta-selinux][PATCH 01/19] python-ipy: upgrade to 1.00 and add python3 version

2019-11-13 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-devtools/python/python-ipy.inc  | 18 
 recipes-devtools/python/python-ipy_0.83.bb  | 32 -
 recipes-devtools/python/python-ipy_1.00.bb  |  2 ++
 recipes-devtools/python/python3-ipy_1.00.bb |  2 ++
 4 files changed, 22 insertions(+), 32 deletions(-)
 create mode 100644 recipes-devtools/python/python-ipy.inc
 delete mode 100644 recipes-devtools/python/python-ipy_0.83.bb
 create mode 100644 recipes-devtools/python/python-ipy_1.00.bb
 create mode 100644 recipes-devtools/python/python3-ipy_1.00.bb

diff --git a/recipes-devtools/python/python-ipy.inc 
b/recipes-devtools/python/python-ipy.inc
new file mode 100644
index 000..ba4c2bd
--- /dev/null
+++ b/recipes-devtools/python/python-ipy.inc
@@ -0,0 +1,18 @@
+SUMMARY = "Python module for handling IPv4 and IPv6 Addresses and Networks"
+DESCRIPTION = "IPy is a Python module for handling IPv4 and IPv6 Addresses and 
Networks \
+in a fashion similar to perl's Net::IP and friends. The IP class allows \
+a comfortable parsing and handling for most notations in use for IPv4 \
+and IPv6 Addresses and Networks."
+SECTION = "devel/python"
+HOMEPAGE = "https://github.com/haypo/python-ipy";
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=848d24919845901b4f48bae5f13252e6"
+
+SRC_URI[md5sum] = "1a90c68174234672241a7e60c7ea0fb9"
+SRC_URI[sha256sum] = 
"2f2bf658a858d43868d8a4352b3889cf78c66e2ce678b300dcf518c9149ba621"
+
+inherit pypi
+
+PYPI_PACKAGE = "IPy"
+
+BBCLASSEXTEND = "native"
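Review bot: The licence metadata in this new python-ipy.inc changes along with the version, and the patch does not say why. `LICENSE` goes from `BSD` in the deleted python-ipy_0.83.bb to `BSD-3-Clause` here, and the md5 in `LIC_FILES_CHKSUM` for COPYING is different. A different COPYING checksum means the licence file itself differs between the two tarballs. The commit message should record what changed, for example a `License-Update: <what changed in COPYING>` line, so a reviewer can confirm the new identifier without unpacking both releases. The deleted recipe also installed AUTHORS, COPYING, ChangeLog and README under `${datadir}/doc`; if dropping that is intentional, the message should say so too.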
diff --git a/recipes-devtools/python/python-ipy_0.83.bb 
b/recipes-devtools/python/python-ipy_0.83.bb
deleted file mode 100644
index df060fa..000
--- a/recipes-devtools/python/python-ipy_0.83.bb
+++ /dev/null
@@ -1,32 +0,0 @@
-SUMMARY = "Python module for handling IPv4 and IPv6 Addresses and Networks"
-DESCRIPTION = "IPy is a Python module for handling IPv4 and IPv6 Addresses and 
Networks \ 
-in a fashion similar to perl's Net::IP and friends. The IP class allows \
-a comfortable parsing and handling for most notations in use for IPv4 \
-and IPv6 Addresses and Networks."
-SECTION = "devel/python"
-HOMEPAGE = "https://github.com/haypo/python-ipy";
-DEPENDS = "python"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://COPYING;md5=ebc0028ff5cdaf7796604875027dcd55"
-
-SRC_URI = "https://pypi.python.org/packages/source/I/IPy/IPy-${PV}.tar.gz";
-
-SRC_URI[md5sum] = "7b8c6eb4111b15aea31b67108e769712"
-SRC_URI[sha256sum] = 
"61da5a532b159b387176f6eabf11946e7458b6df8fb8b91ff1d345ca7a6edab8"
-
-S = "${WORKDIR}/IPy-${PV}"
-
-inherit distutils
-
-# need to export these variables for python-config to work
-export BUILD_SYS
-export HOST_SYS
-export STAGING_INCDIR
-export STAGING_LIBDIR
-
-BBCLASSEXTEND = "native"
-
-do_install_append() {
-   install -d ${D}/${datadir}/doc/${BPN}-${PV}
-   install AUTHORS COPYING ChangeLog README 
${D}/${datadir}/doc/${BPN}-${PV}
-}
diff --git a/recipes-devtools/python/python-ipy_1.00.bb 
b/recipes-devtools/python/python-ipy_1.00.bb
new file mode 100644
index 000..587a517
--- /dev/null
+++ b/recipes-devtools/python/python-ipy_1.00.bb
@@ -0,0 +1,2 @@
+inherit setuptools
+require python-ipy.inc
diff --git a/recipes-devtools/python/python3-ipy_1.00.bb 
b/recipes-devtools/python/python3-ipy_1.00.bb
new file mode 100644
index 000..ea6a105
--- /dev/null
+++ b/recipes-devtools/python/python3-ipy_1.00.bb
@@ -0,0 +1,2 @@
+inherit setuptools3
+require python-ipy.inc
-- 
2.17.1



[yocto] [meta-selinux][PATCH] autorelabel: only selinux-autorelabel need autorelabel file

2019-11-05 Thread Christophe PRIOUZEAU
With the previous implementation, several packages provided the
.autorelabel file, while only selinux-autorelabel manages it.
If several packages try to install the .autorelabel
file, an issue occurs during installation of packagegroup-core-selinux.

Signed-off-by: Christophe Priouzeau 
---
 recipes-security/selinux/selinux-autorelabel_0.1.bb | 9 +
 recipes-security/selinux/selinux-initsh.inc | 7 ---
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/recipes-security/selinux/selinux-autorelabel_0.1.bb 
b/recipes-security/selinux/selinux-autorelabel_0.1.bb
index 4eb2b4e..7e7d08c 100644
--- a/recipes-security/selinux/selinux-autorelabel_0.1.bb
+++ b/recipes-security/selinux/selinux-autorelabel_0.1.bb
@@ -18,3 +18,12 @@ SRC_URI = "file://${BPN}.sh \
 INITSCRIPT_PARAMS = "start 01 S ."
 
 require selinux-initsh.inc
+
+do_install_append() {
+   if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', 
d)}; then
+   install -d ${D}${bindir}
+   install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh 
${D}${bindir}
+   sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
+   echo "# first boot relabelling" > ${D}/.autorelabel
+   fi
+}
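Review bot: The new `do_install_append` carries no comment explaining why the marker file is created in this recipe only, so a later cleanup could move it back into selinux-initsh.inc and bring the package conflict back. I would put this above the function: `# Only selinux-autorelabel may ship /.autorelabel; installing it from every selinux-initsh.inc user makes the packages conflict`. The `sed` line also deserves a note, e.g. `# drop the lines ending in HERE from the installed copy of the script`. The whole body is still guarded by the systemd check, as it was in the removed block, so an image without systemd in DISTRO_FEATURES gets no `/.autorelabel` from this function. Presumably the sysvinit path handles the first-boot relabel differently, but that is worth confirming because the marker decides whether the filesystem is relabelled at all. Whether `/.autorelabel` is listed in this package's FILES cannot be seen from the hunk.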
diff --git a/recipes-security/selinux/selinux-initsh.inc 
b/recipes-security/selinux/selinux-initsh.inc
index 8e31cda..6084762 100644
--- a/recipes-security/selinux/selinux-initsh.inc
+++ b/recipes-security/selinux/selinux-initsh.inc
@@ -29,13 +29,6 @@ do_install () {
 
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service 
${D}${systemd_unitdir}/system
-
-   if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', 
d)}; then
-   install -d ${D}${bindir}
-   install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh 
${D}${bindir}
-   sed -i -e '/.*HERE$/d' ${D}${bindir}/${SELINUX_SCRIPT_SRC}.sh
-   echo "# first boot relabelling" > ${D}/.autorelabel
-   fi
 }
 
 sysroot_stage_all_append () {
-- 
2.17.1


Re: [yocto] [meta-selinux] zeus branch creation

2019-11-01 Thread Joe MacDonald
[[yocto] [meta-selinux] zeus branch creation] On 19.11.01 (Fri 14:02) Vincent 
Prince wrote:

> Hi team,
> 
> Would it be possible to create zeus branch for meta-selinux layer?

Yes, for sure.  Thanks for the reminder.

-- 
-Joe MacDonald.
Linux Architect | Mentor® A Siemens Business
:wq




[yocto] [meta-selinux] zeus branch creation

2019-11-01 Thread Vincent Prince
Hi team,

Would it be possible to create zeus branch for meta-selinux layer?

Kind regards,
Vincent


[yocto] [meta-selinux][PATCH v2] kernel: Remove non-existing kernel option

2019-10-24 Thread zhe.he
From: He Zhe 

CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE has been removed from the mainline kernel
by the commit be6ec88f41ba ("selinux: Remove SECURITY_SELINUX_BOOTPARAM_VALUE").

Signed-off-by: He Zhe 
---
 recipes-kernel/linux/files/selinux.cfg | 1 -
 1 file changed, 1 deletion(-)

diff --git a/recipes-kernel/linux/files/selinux.cfg 
b/recipes-kernel/linux/files/selinux.cfg
index 2edd366..7d16dc5 100644
--- a/recipes-kernel/linux/files/selinux.cfg
+++ b/recipes-kernel/linux/files/selinux.cfg
@@ -23,7 +23,6 @@ CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
-CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_DISABLE=y
 CONFIG_SECURITY_SELINUX_DEVELOP=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
-- 
2.7.4



Re: [yocto] [meta-selinux][PATCH] kernel: Remove non-existing kernel option

2019-10-24 Thread He Zhe
typo in commit log, v2 will be sent.

Zhe

On 10/24/19 4:42 PM, [email protected] wrote:
> From: He Zhe 
>
> CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION has been remove from mainline kernel
> by the commit 4c145dce2601 ("xfrm: make xfrm modes builtin").
>
> Signed-off-by: He Zhe 
> ---
>  recipes-kernel/linux/files/selinux.cfg | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/recipes-kernel/linux/files/selinux.cfg 
> b/recipes-kernel/linux/files/selinux.cfg
> index 2edd366..7d16dc5 100644
> --- a/recipes-kernel/linux/files/selinux.cfg
> +++ b/recipes-kernel/linux/files/selinux.cfg
> @@ -23,7 +23,6 @@ CONFIG_SECURITYFS=y
>  CONFIG_SECURITY_NETWORK=y
>  CONFIG_SECURITY_SELINUX=y
>  CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> -CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
>  CONFIG_SECURITY_SELINUX_DISABLE=y
>  CONFIG_SECURITY_SELINUX_DEVELOP=y
>  CONFIG_SECURITY_SELINUX_AVC_STATS=y



[yocto] [meta-selinux][PATCH] kernel: Remove non-existing kernel option

2019-10-24 Thread zhe.he
From: He Zhe 

CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION has been removed from the mainline kernel
by the commit 4c145dce2601 ("xfrm: make xfrm modes builtin").

Signed-off-by: He Zhe 
---
 recipes-kernel/linux/files/selinux.cfg | 1 -
 1 file changed, 1 deletion(-)

diff --git a/recipes-kernel/linux/files/selinux.cfg 
b/recipes-kernel/linux/files/selinux.cfg
index 2edd366..7d16dc5 100644
--- a/recipes-kernel/linux/files/selinux.cfg
+++ b/recipes-kernel/linux/files/selinux.cfg
@@ -23,7 +23,6 @@ CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
-CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
 CONFIG_SECURITY_SELINUX_DISABLE=y
 CONFIG_SECURITY_SELINUX_DEVELOP=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
-- 
2.7.4



Re: [yocto] [meta-selinux] Warrior branch glib/meson problem

2019-10-18 Thread Joe MacDonald
Hi Vincent,

[[yocto] [meta-selinux] Warrior branch glib/meson problem] On 19.10.17 (Thu 
12:50) Vincent Prince wrote:

> Hi Team,
> 
> I have a problem with meta-selinux layer on warrior branch, especially 
> building
> glib-2.0 with meson.
> This commit introduces enabled/disabled flags instead of true/false:
> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?h=warrior&id=
> bb0c9c3abcb935e4b362eb57985e1ee7fec0bfe0
> 
> But current glib-2.0 is not 2.60 yet:
> https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/recipes-core/glib-2.0/?h=
> warrior
> 
> Can we revert this patch on warrior?

Sorry, I've been away from meta-selinux the last couple of weeks, I'm
addressing the warrior (and other patches in the backlog) right now.

-- 
-Joe MacDonald.
:wq




Re: [yocto] meta-selinux | meson-enable-selinux breaks

2019-10-17 Thread Vincent Prince
See patch here https://patchwork.openembedded.org/series/20519/#

Le jeu. 17 oct. 2019 à 17:19, Itay Sperling  a
écrit :

> Hi,
> I just built Yocto (warrior) with meta-selinux and got this error:
>
>> meson.build:1:0: ERROR:  Value disabled is not boolean (true or false).
>
>
> It appears the file *classes/meson-enable-selinux.bbclass* has incorrect
> values.
>
> Attached a patch that fixes the problem.
>
> Itay
>
> [image: Argus Logo]
> *Itay Sperling* *|* Software Engineer, *Argus **Cyber Security Ltd.*
> [email protected] *|*
> www.argus-sec.com *|*
> --
> ___
> yocto mailing list
> [email protected]
> https://lists.yoctoproject.org/listinfo/yocto
>


[yocto] [meta-selinux] [Warrior] [PATCH] Revert glib-2.0: fix configure error for meson build

2019-10-17 Thread Vincent Prince
On Warrior branch, glib-2.0 is in version 2.58.3 so we need to revert commit 
[bb0c9c3abcb] until then.

Signed-off-by: Vincent Prince 
---
 classes/meson-enable-selinux.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/meson-enable-selinux.bbclass 
b/classes/meson-enable-selinux.bbclass
index 91c2a2b..77a763a 100644
--- a/classes/meson-enable-selinux.bbclass
+++ b/classes/meson-enable-selinux.bbclass
@@ -1,4 +1,4 @@
 inherit selinux
 
 PACKAGECONFIG_append = " ${@target_selinux(d)}"
-PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux,"
+PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux,"
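Review bot: The class hard-codes one spelling of the meson option for every recipe that inherits it, and after this revert nothing in the file records which spelling goes with which consumer. According to the thread on this page, glib 2.58.3 declares `selinux` as a boolean and glib 2.60.x turns it into a meson feature. I would add this above the `PACKAGECONFIG[selinux]` line: `# boolean meson option: glib-2.0 < 2.60 rejects enabled/disabled; switch back once glib is at 2.60`. The configure log quoted elsewhere in the thread shows `-Dselinux=false` next to the value from this class, so the option appears to be passed twice. It is worth checking which of the two takes effect, since that decides whether SELinux support is actually built in. The same one-line change is posted in two other messages on this page, and this note applies to them as well.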
-- 
2.7.4



[yocto] [meta-selinux] Warrior branch glib/meson problem

2019-10-17 Thread Vincent Prince
Hi Team,

I have a problem with meta-selinux layer on warrior branch, especially
building glib-2.0 with meson.
This commit introduces enabled/disabled flags instead of true/false:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?h=warrior&id=bb0c9c3abcb935e4b362eb57985e1ee7fec0bfe0

But current glib-2.0 is not 2.60 yet:
https://git.yoctoproject.org/cgit.cgi/poky/plain/meta/recipes-core/glib-2.0/?h=warrior

Can we revert this patch on warrior?

Best regards,
Vincent


[yocto] meta-selinux | meson-enable-selinux breaks

2019-10-17 Thread Itay Sperling
Hi,
I just built Yocto (warrior) with meta-selinux and got this error:

> meson.build:1:0: ERROR:  Value disabled is not boolean (true or false).


It appears the file *classes/meson-enable-selinux.bbclass* has incorrect
values.

Attached a patch that fixes the problem.

Itay

[image: Argus Logo]
*Itay Sperling* *|* Software Engineer, *Argus **Cyber Security Ltd.*
[email protected] *|*
www.argus-sec.com *|*
From fb16c433ada55283f9259fe578a073dc5566bc77 Mon Sep 17 00:00:00 2001
From: Itay Sperling 
Date: Tue, 15 Oct 2019 16:27:21 +0300
Subject: meson values 'disabled' and 'enabled' are not valid.

ERROR:  Value disabled is not boolean (true or false).
---
 classes/meson-enable-selinux.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/meson-enable-selinux.bbclass b/classes/meson-enable-selinux.bbclass
index 91c2a2b..77a763a 100644
--- a/classes/meson-enable-selinux.bbclass
+++ b/classes/meson-enable-selinux.bbclass
@@ -1,4 +1,4 @@
 inherit selinux
 
 PACKAGECONFIG_append = " ${@target_selinux(d)}"
-PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux,"
+PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux,"
-- 
2.17.1



[yocto] [meta-selinux][PATCH] layer.conf: Add zeus to compat layer

2019-10-17 Thread C.r. Guo
From: Chunrong Guo 

Signed-off-by: Chunrong Guo 
---
 conf/layer.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 89b9468..30b0518 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -21,7 +21,7 @@ BBFILE_PRIORITY_selinux = "5"
 # cause compatibility issues with other layers
 LAYERVERSION_selinux = "1"
 
-LAYERSERIES_COMPAT_selinux = "thud warrior"
+LAYERSERIES_COMPAT_selinux = "thud warrior zeus"
 
 LAYERDEPENDS_selinux = " \
 core \
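Review bot: Keeping `thud warrior` in `LAYERSERIES_COMPAT_selinux` while adding `zeus` declares a single branch compatible with three release series, and this variable is what bitbake checks against the core layer's series. Other messages on this page report that the layer no longer builds against an older core. They propose listing only the series the branch targets, `LAYERSERIES_COMPAT_selinux = "zeus"`. If the wider list is intended, add a comment above the line naming the series that were actually built and tested with this branch.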
-- 
2.7.4



[yocto] [meta-selinux] [Warrior] [PATCH] Revert glib-2.0: fix configure error for meson build

2019-10-17 Thread Vincent Prince
On Warrior branch, glib-2.0 is in version 2.58.3 so we need to revert commit 
[bb0c9c3abcb] until then.

Signed-off-by: Vincent Prince 
---
 classes/meson-enable-selinux.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/meson-enable-selinux.bbclass 
b/classes/meson-enable-selinux.bbclass
index 91c2a2b..77a763a 100644
--- a/classes/meson-enable-selinux.bbclass
+++ b/classes/meson-enable-selinux.bbclass
@@ -1,4 +1,4 @@
 inherit selinux
 
 PACKAGECONFIG_append = " ${@target_selinux(d)}"
-PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux,"
+PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux,"
-- 
2.7.4



[yocto] [meta-selinux][PATCH] layer.conf: add zeus compatibility

2019-10-11 Thread Nicolas Dechesne
From: Joe MacDonald 

Also remove thud and warrior, based on:
f5170305dcff (compat: remove thud from warrior layer compatibility
list)

Since thud or warrior users are expected to use the 'thud' or
'warrior' branch.

Signed-off-by: Nicolas Dechesne 
---
 conf/layer.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 89b9468..226a75a 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -21,7 +21,7 @@ BBFILE_PRIORITY_selinux = "5"
 # cause compatibility issues with other layers
 LAYERVERSION_selinux = "1"
 
-LAYERSERIES_COMPAT_selinux = "thud warrior"
+LAYERSERIES_COMPAT_selinux = "zeus"
 
 LAYERDEPENDS_selinux = " \
 core \
-- 
2.20.1



Re: [yocto] meta-selinux warrior support

2019-10-08 Thread Mohammad, Jamal M
Yes, openembedded-core has glib-2.60.x in the master branch. When I updated the glib
recipe to what is present in the master branch, a similar error was reported by the
mesa recipe. I performed the same process there, and now I have a warrior build
available with selinux enabled.

From: Jussi Kukkonen 
Sent: Tuesday, October 8, 2019 12:33 PM
To: Mark Hatle 
Cc: Oriya, Raxesh ; [email protected]; C M, 
Kiran Reddy ; Mohammad, Jamal M 

Subject: Re: [yocto] meta-selinux warrior support


On Tue, 8 Oct 2019 at 09:59, Jussi Kukkonen wrote:


On Mon, 7 Oct 2019 at 17:57, Mark Hatle wrote:
I thought this issue was already fixed:

http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?h=warrior&id=bb0c9c3abcb935e4b362eb57985e1ee7fec0bfe0

From the error log:
> glib-2.58.3

From the commit changelog
> In glib 2.60.x, it turns selinux into a meson feature.

That should explain the issue -- maybe oe-core was older than meta-selinux or 
glib was older for another reason.

Actually, poky warrior only has Glib 2.58.3, right? So the meta-selinux commit 
makes no sense in Warrior branch?




This patch is what specifically adds the enabled/disabled that the system is
saying (in the logs quoted below) is invalid.

Can you try changing these to 'true' and 'false' instead?

In the file: classes/meson-enable-selinux.bbclass

--Mark

On 10/1/19 1:39 AM, Oriya, Raxesh wrote:
> Hi,
>
>
>
> I am getting the below error when I am trying to integrate 'meta-selinux' into
> our yocto solution. This error also happens when I just build
> 'core-image-selinux' by including the required layers in warrior branch. Can
> anyone provide a fix for this..
>
>
>
> local.conf contains the following lines:
>
> -
>
> DISTRO_FEATURES_append = " acl xattr pam selinux"
>
> PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
>
> -
>
>
>
> ERROR: glib-2.0-native-1_2.58.3-r0 do_configure: meson failed
>
> ERROR: glib-2.0-native-1_2.58.3-r0 do_configure: Function failed: do_configure
> (log file is located at
> /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2.58.3-r0/temp/log.do_configure.34545)
>
> ERROR: Logfile of failure stored in:
> /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2.58.3-r0/temp/log.do_configure.34545
>
> Log data follows:
>
> | DEBUG: Executing shell function do_configure
>
> | NOTE: Executing meson -Ddtrace=false -Dfam=false -Dsystemtap=false
> -Dselinux=false -Dlibmount=true -Dman=false -Dselinux=disabled
> -Dinternal_pcre=false -Dinstalled_tests=false...
>
> | The Meson build system
>
> | Version: 0.49.2
>
> | Source dir:
>
> | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
>
> | .58.3-r0/glib-2.58.3 Build dir:
>
> | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
>
> | .58.3-r0/build
>
> | Build type: native build
>
> |
>
> | meson.build:1:0: ERROR:  Value disabled is not boolean (true or false).
>
> |
>
> | A full log can be found at
>
> | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
>
> | .58.3-r0/build/meson-logs/meson-log.txt
>
> | ERROR: meson failed
>
>
>
> Thanks,
>
> Raxesh
>
>
>
>


Re: [yocto] meta-selinux warrior support

2019-10-08 Thread Jussi Kukkonen
On Tue, 8 Oct 2019 at 09:59, Jussi Kukkonen  wrote:

>
>
> On Mon, 7 Oct 2019 at 17:57, Mark Hatle 
> wrote:
>
>> I thought this issue was already fixed:
>>
>>
>> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?h=warrior&id=bb0c9c3abcb935e4b362eb57985e1ee7fec0bfe0
>>
>>
> From the error log:
> > glib-2.58.3
>
> From the commit changelog
> > In glib 2.60.x, it turns selinux into a meson feature.
>
> That should explain the issue -- maybe oe-core was older than meta-selinux
> or glib was older for another reason.
>

Actually, poky warrior only has Glib 2.58.3, right? So the meta-selinux
commit makes no sense in Warrior branch?



>
>
>> This patch is what specifically adds the enabled/disabled that the system
>> is
>> saying (in the logs quoted below) is invalid.
>>
>> Can you try changing these to 'true' and 'false' instead?
>>
>> In the file: classes/meson-enable-selinux.bbclass
>>
>> --Mark
>>
>> On 10/1/19 1:39 AM, Oriya, Raxesh wrote:
>> > Hi,
>> >
>> >
>> >
>> > I am getting the below error when I am trying to integrate
>> 'meta-selinux' into
>> > our yocto solution. This error also happens when I just build
>> > 'core-image-selinux' by including the required layers in warrior
>> branch. Can
>> > anyone provide a fix for this..
>> >
>> >
>> >
>> > local.conf contains the following lines:
>> >
>> > -
>> >
>> > DISTRO_FEATURES_append = " acl xattr pam selinux"
>> >
>> > PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
>> >
>> > -
>> >
>> >
>> >
>> > ERROR: glib-2.0-native-1_2.58.3-r0 do_configure: meson failed
>> >
>> > ERROR: glib-2.0-native-1_2.58.3-r0 do_configure: Function failed:
>> do_configure
>> > (log file is located at
>> >
>> /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2.58.3-r0/temp/log.do_configure.34545)
>> >
>> > ERROR: Logfile of failure stored in:
>> >
>> /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2.58.3-r0/temp/log.do_configure.34545
>> >
>> > Log data follows:
>> >
>> > | DEBUG: Executing shell function do_configure
>> >
>> > | NOTE: Executing meson -Ddtrace=false -Dfam=false -Dsystemtap=false
>> > -Dselinux=false -Dlibmount=true -Dman=false -Dselinux=disabled
>> > -Dinternal_pcre=false -Dinstalled_tests=false...
>> >
>> > | The Meson build system
>> >
>> > | Version: 0.49.2
>> >
>> > | Source dir:
>> >
>> > | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
>> >
>> > | .58.3-r0/glib-2.58.3 Build dir:
>> >
>> > | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
>> >
>> > | .58.3-r0/build
>> >
>> > | Build type: native build
>> >
>> > |
>> >
>> > | meson.build:1:0: ERROR:  Value disabled is not boolean (true or
>> false).
>> >
>> > |
>> >
>> > | A full log can be found at
>> >
>> > | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
>> >
>> > | .58.3-r0/build/meson-logs/meson-log.txt
>> >
>> > | ERROR: meson failed
>> >
>> >
>> >
>> > Thanks,
>> >
>> > Raxesh
>> >
>> >
>> >
>> >
>> --
>> ___
>> yocto mailing list
>> [email protected]
>> https://lists.yoctoproject.org/listinfo/yocto
>>
>


Re: [yocto] meta-selinux warrior support

2019-10-08 Thread Jussi Kukkonen
On Mon, 7 Oct 2019 at 17:57, Mark Hatle 
wrote:

> I thought this issue was already fixed:
>
>
> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?h=warrior&id=bb0c9c3abcb935e4b362eb57985e1ee7fec0bfe0
>
>
>From the error log:
> glib-2.58.3

>From the commit changelog
> In glib 2.60.x, it turns selinux into a meson feature.

That should explain the issue -- maybe oe-core was older than meta-selinux
or glib was older for another reason.



> This patch is what specifically adds the enabled/disabled that the system
> is
> saying (in the logs quoted below) is invalid.
>
> Can you try changing these to 'true' and 'false' instead?
>
> In the file: classes/meson-enable-selinux.bbclass
>
> --Mark
>
> On 10/1/19 1:39 AM, Oriya, Raxesh wrote:
> > Hi,
> >
> >
> >
> > I am getting the below error when I am trying to integrate
> 'meta-selinux' into
> > our yocto solution. This error also happens when I just build
> > 'core-image-selinux' by including the required layers in warrior branch.
> Can
> > anyone provide a fix for this..
> >
> >
> >
> > local.conf contains the following lines:
> >
> > -
> >
> > DISTRO_FEATURES_append = " acl xattr pam selinux"
> >
> > PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
> >
> > -
> >
> >
> >
> > ERROR: glib-2.0-native-1_2.58.3-r0 do_configure: meson failed
> >
> > ERROR: glib-2.0-native-1_2.58.3-r0 do_configure: Function failed:
> do_configure
> > (log file is located at
> >
> /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2.58.3-r0/temp/log.do_configure.34545)
> >
> > ERROR: Logfile of failure stored in:
> >
> /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2.58.3-r0/temp/log.do_configure.34545
> >
> > Log data follows:
> >
> > | DEBUG: Executing shell function do_configure
> >
> > | NOTE: Executing meson -Ddtrace=false -Dfam=false -Dsystemtap=false
> > -Dselinux=false -Dlibmount=true -Dman=false -Dselinux=disabled
> > -Dinternal_pcre=false -Dinstalled_tests=false...
> >
> > | The Meson build system
> >
> > | Version: 0.49.2
> >
> > | Source dir:
> >
> > | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
> >
> > | .58.3-r0/glib-2.58.3 Build dir:
> >
> > | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
> >
> > | .58.3-r0/build
> >
> > | Build type: native build
> >
> > |
> >
> > | meson.build:1:0: ERROR:  Value disabled is not boolean (true or false).
> >
> > |
> >
> > | A full log can be found at
> >
> > | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
> >
> > | .58.3-r0/build/meson-logs/meson-log.txt
> >
> > | ERROR: meson failed
> >
> >
> >
> > Thanks,
> >
> > Raxesh
> >
> >
> >
> >
> --
> ___
> yocto mailing list
> [email protected]
> https://lists.yoctoproject.org/listinfo/yocto
>


Re: [yocto] meta-selinux warrior support

2019-10-07 Thread Mark Hatle
I thought this issue was already fixed:

http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?h=warrior&id=bb0c9c3abcb935e4b362eb57985e1ee7fec0bfe0

This patch is what specifically adds the enabled/disabled that the system is
saying (in the logs quoted below) is invalid.

Can you try changing these to 'true' and 'false' instead?

In the file: classes/meson-enable-selinux.bbclass

--Mark

On 10/1/19 1:39 AM, Oriya, Raxesh wrote:
> Hi,
> 
>  
> 
> I am getting the below error when I am trying to integrate 'meta-selinux' into
> our yocto solution. This error also happens when I just build
> 'core-image-selinux' by including the required layers in warrior branch. Can
> anyone provide a fix for this..
> 
>  
> 
> local.conf contains the following lines:
> 
> -
> 
> DISTRO_FEATURES_append = " acl xattr pam selinux"
> 
> PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
> 
> -
> 
>  
> 
> ERROR: glib-2.0-native-1_2.58.3-r0 do_configure: meson failed
> 
> ERROR: glib-2.0-native-1_2.58.3-r0 do_configure: Function failed: do_configure
> (log file is located at
> /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2.58.3-r0/temp/log.do_configure.34545)
> 
> ERROR: Logfile of failure stored in:
> /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2.58.3-r0/temp/log.do_configure.34545
> 
> Log data follows:
> 
> | DEBUG: Executing shell function do_configure
> 
> | NOTE: Executing meson -Ddtrace=false -Dfam=false -Dsystemtap=false
> -Dselinux=false -Dlibmount=true -Dman=false -Dselinux=disabled
> -Dinternal_pcre=false -Dinstalled_tests=false...
> 
> | The Meson build system
> 
> | Version: 0.49.2
> 
> | Source dir:
> 
> | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
> 
> | .58.3-r0/glib-2.58.3 Build dir:
> 
> | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
> 
> | .58.3-r0/build
> 
> | Build type: native build
> 
> |
> 
> | meson.build:1:0: ERROR:  Value disabled is not boolean (true or false).
> 
> |
> 
> | A full log can be found at
> 
> | /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2
> 
> | .58.3-r0/build/meson-logs/meson-log.txt
> 
> | ERROR: meson failed
> 
>  
> 
> Thanks,
> 
> Raxesh
> 
>  
> 
> 


[yocto] meta-selinux warrior support

2019-10-04 Thread Oriya, Raxesh
Hi,



I am getting the below error when I am trying to integrate 'meta-selinux' into 
our yocto solution. This error also happens when I just build 
'core-image-selinux' by including the required layers in warrior branch. Can 
anyone provide a fix for this..



local.conf contains the following lines:

-

DISTRO_FEATURES_append = " acl xattr pam selinux"

PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"

-



ERROR: glib-2.0-native-1_2.58.3-r0 do_configure: meson failed

ERROR: glib-2.0-native-1_2.58.3-r0 do_configure: Function failed: do_configure 
(log file is located at 
/home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2.58.3-r0/temp/log.do_configure.34545)

ERROR: Logfile of failure stored in: 
/home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2.58.3-r0/temp/log.do_configure.34545

Log data follows:

| DEBUG: Executing shell function do_configure

| NOTE: Executing meson -Ddtrace=false -Dfam=false -Dsystemtap=false 
-Dselinux=false -Dlibmount=true -Dman=false -Dselinux=disabled 
-Dinternal_pcre=false -Dinstalled_tests=false...

| The Meson build system

| Version: 0.49.2

| Source dir:

| /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2

| .58.3-r0/glib-2.58.3 Build dir:

| /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2

| .58.3-r0/build

| Build type: native build

|

| meson.build:1:0: ERROR:  Value disabled is not boolean (true or false).

|

| A full log can be found at

| /home/panther2/warrior/build/tmp/work/x86_64-linux/glib-2.0-native/1_2

| .58.3-r0/build/meson-logs/meson-log.txt

| ERROR: meson failed



Thanks,

Raxesh



[yocto] meta-selinux thud compatibility

2019-09-20 Thread Lorenz Kofler
Hello, 

According to your layer.conf file, the meta-selinux layer is compatible with
thud; however, it did not build successfully.
I had to revert the patch eafe868098f52b061422bffc13fbc582d687d4ed.
Is it possible to make a Yocto version dependent .bbappend file? Or maybe just
remove compatibility for thud.

Regards, Lorenz Kofler


[yocto] [meta-selinux][warrior][PATCH] compat: remove thud from warrior layer compatibility list

2019-09-18 Thread Joe MacDonald
Based on this discussion:
https://www.mail-archive.com/[email protected]/msg45785.html the
warrior branch does not build against oe-core thud any longer.  Since
that's not really intended to be a supported use case anyway, remove the
layer compatibility statement for thud.

Signed-off-by: Joe MacDonald 
---
 conf/layer.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 9dd34b1..b10bd76 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,7 +18,7 @@ BBFILE_PRIORITY_selinux = "5"
 # cause compatibility issues with other layers
 LAYERVERSION_selinux = "1"
 
-LAYERSERIES_COMPAT_selinux = "thud warrior"
+LAYERSERIES_COMPAT_selinux = "warrior"
 
 LAYERDEPENDS_selinux = " \
 core \
-- 
2.20.1



Re: [yocto] meta-selinux thud compatibility

2019-09-17 Thread Joe MacDonald
Hi Lorenz,

[meta-selinux thud compatibility] On 19.09.17 (Tue 15:08) Lorenz Kofler wrote:

> Hello,
> 
> according to your layer.conf file is the meta-selinux layer compatible with
> thud, however it did not build successfully.
> I had to revert the patch eafe868098f52b061422bffc13fbc582d687d4ed.
> Is it possible to make a Yocto version dependent .bbappend file? Or maybe just
> remove compatibility for thud.

Thanks for bringing this to our attention.  I haven't built thud in
ages, so it's definitely helpful to hear about any issues someone may
be having.

That said, I don't see eafe868098f52b061422bffc13fbc582d687d4ed on the
'thud' branch.  I did a fresh clone into a new workspace from
git://git.yoctoproject.org/meta-selinux just to be sure.  Are you sure
your tree is in sync with the meta-selinux thud branch?  The HEAD commit
there, as I see it, is:

commit fb6192aa2c5df8e80c5e6d4fa5448d574332f68f (HEAD -> thud,
origin/thud)
Author: Khem Raj 
Date:   Tue Feb 26 11:44:43 2019 -0800

refpolicy: Forward patch to apply cleanly on thud

Also fix devtool generated warnings by refreshing patches

Signed-off-by: Khem Raj 
Signed-off-by: Joe MacDonald 

-- 
-Joe MacDonald.
Linux Architect | Mentor® A Siemens Business
:wq




[yocto] [meta-selinux][PATCH] audit: explicitly disable golang bindings

2019-09-12 Thread Yi Zhao
Disable golang bindings to avoid potential host contamination issue.
Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13166

Signed-off-by: Yi Zhao 
---
 recipes-security/audit/audit_2.8.5.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-security/audit/audit_2.8.5.bb 
b/recipes-security/audit/audit_2.8.5.bb
index d3b9b51..2b47812 100644
--- a/recipes-security/audit/audit_2.8.5.bb
+++ b/recipes-security/audit/audit_2.8.5.bb
@@ -39,6 +39,7 @@ EXTRA_OECONF += "--without-prelude \
 --libdir=${base_libdir} \
 --sbindir=${base_sbindir} \
 --without-python3 \
+--without-golang \
 --disable-zos-remote \
 "
 EXTRA_OECONF_append_arm = " --with-arm=yes"
-- 
2.7.4



Re: [yocto] [meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers

2019-09-11 Thread Joe MacDonald
[Re: [meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic 
layers] On 19.09.11 (Wed 09:22) Yi Zhao wrote:

> 
> On 9/10/19 1:11 AM, Joe MacDonald wrote:
> > Hi Yi,
> > 
> > [[meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic 
> > layers] On 19.09.09 (Mon 14:01) Yi Zhao wrote:
> > 
> > > From: Robert Yang 
> > > 
> > > The previous code add all BBFILE_COLLECTIONS/recipes*/*/*.bbappend to 
> > > BBFILES,
> > > which causes the parsing very slow when there are many layers, e.g., I 
> > > have 87
> > > layers:
> > > 
> > > * Before:
> > > $ rm -fr tmp-glibc/ cache; time bitbake -p
> > > real0m45.173s
> > > user0m0.560s
> > > sys 0m0.060s
> > > 
> > > * After:
> > > $ rm -fr tmp-glibc/ cache; time bitbake -p
> > > real0m25.542s
> > > user0m0.572s
> > > sys 0m0.040s
> > > 
> > > It wasted 20s which wasn't worth (The host has 128 threads, it should 
> > > cost more
> > > time on less power host), use BBFILES_DYNAMIC can fix the problem.
> > 
> > This seems like a big claim, I certainly haven't seen that on my setup:
> > 
> > * Before:
> > $ rm -fr tmp cache
> > real0m14.751s
> > user0m0.323s
> > sys 0m0.048s
> > 
> > * After:
> > $ rm -fr tmp cache ; time bitbake -p
> > real0m14.725s
> > user0m0.326s
> > sys 0m0.046s
> > 
> > but it's still a sensible change.  When I ran a test before/after
> > configuration for augeas the configuration seemed off, though.  Can you
> > confirm that with this change as is you're getting the correct
> > --with/--without and --enable/--disable and patches applied for your
> > layers?  I just want to confirm since the ~20s difference in parsing
> > seems kind of out of scale for moving essentially three bbappends around
> > and I'm wondering if there's something else siginficant in your tree we
> > want to consider.
> 
> 
> This patch is from Robert Yang. CC to him. Maybe he can give us more
> explanation.
> 
> For the augeas, the current augeas_%.bbapend doesn't work because the augeas
> recipe is in meta-oe layer but not meta-python layer. This patch moves the
> bbappend to the correct layer to fix this issue.
> 
> It works on my local:
> 
> $ cat log.do_configure
> 
> [snip]
> checking for library containing setfilecon... -lselinux
> [snip]
> checking for selinux/selinux.h... (cached) yes
> checking selinux/context.h usability... yes
> checking selinux/context.h presence... yes
> checking for selinux/context.h... yes
> [snip]

Okay, thanks.  Funny that I randomly picked the package that was broken
in multiple ways, but this looks like an improvement overall.

-J.

> 
> 
> //Yi
> 
> 
> > 
> > -J.
> > 
> > > Signed-off-by: Robert Yang 
> > > Signed-off-by: Yi Zhao 
> > > ---
> > >   conf/layer.conf   | 11 
> > > +++
> > >   .../recipes-daemons/iscsi-initiator-utils/files/initd.debian  |  0
> > >   .../iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend|  0
> > >   .../iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc   |  0
> > >   .../recipes-support}/augeas/augeas_%.bbappend |  0
> > >   .../recipes-containers/lxc/lxc_%.bbappend |  0
> > >   6 files changed, 7 insertions(+), 4 deletions(-)
> > >   rename {networking-layer => 
> > > dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> > >  (100%)
> > >   rename {networking-layer => 
> > > dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
> > >  (100%)
> > >   rename {networking-layer => 
> > > dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
> > >  (100%)
> > >   rename {meta-python/recipes-extended/augeas => 
> > > dynamic-layers/openembedded-layer/recipes-support}/augeas/augeas_%.bbappend
> > >  (100%)
> > >   rename {virtualization-layer => 
> > > dynamic-layers/virtualization-layer}/recipes-containers/lxc/lxc_%.bbappend
> > >  (100%)
> > > 
> > > diff --git a/conf/layer.conf b/conf/layer.conf
> > > index 9dd34b1..89b9468 100644
> > > --- a/conf/layer.conf
> > > +++ b/conf/layer.conf
> > > @@ -5,10 +5,13 @@ BBPATH .= ":${LAYERDIR}"
> > >   BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
> > >   ${LAYERDIR}/recipes-*/*/*.bbappend"
> > > -# Let us add layer-specific bbappends which are only applied when that
> > > -# layer is included in our configuration
> > > -BBFILES += "${@' '.join('${LAYERDIR}/%s/recipes*/*/*.bbappend' % layer \
> > > -   for layer in BBFILE_COLLECTIONS.split())}"
> > > +BBFILES_DYNAMIC += 
> > > "openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bb
> > >  \
> > > +
> > > openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bbappend
> > >  \
> > > +
> > > networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \
> > > +
> > > networking-layer:${LAYER

Re: [yocto] [meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers

2019-09-10 Thread Yi Zhao



On 9/10/19 1:11 AM, Joe MacDonald wrote:

Hi Yi,

[[meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers] 
On 19.09.09 (Mon 14:01) Yi Zhao wrote:


From: Robert Yang 

The previous code add all BBFILE_COLLECTIONS/recipes*/*/*.bbappend to BBFILES,
which causes the parsing very slow when there are many layers, e.g., I have 87
layers:

* Before:
$ rm -fr tmp-glibc/ cache; time bitbake -p
real0m45.173s
user0m0.560s
sys 0m0.060s

* After:
$ rm -fr tmp-glibc/ cache; time bitbake -p
real0m25.542s
user0m0.572s
sys 0m0.040s

It wasted 20s which wasn't worth (The host has 128 threads, it should cost more
time on less power host), use BBFILES_DYNAMIC can fix the problem.


This seems like a big claim, I certainly haven't seen that on my setup:

* Before:
$ rm -fr tmp cache
real0m14.751s
user0m0.323s
sys 0m0.048s

* After:
$ rm -fr tmp cache ; time bitbake -p
real0m14.725s
user0m0.326s
sys 0m0.046s

but it's still a sensible change.  When I ran a test before/after
configuration for augeas the configuration seemed off, though.  Can you
confirm that with this change as is you're getting the correct
--with/--without and --enable/--disable and patches applied for your
layers?  I just want to confirm since the ~20s difference in parsing
seems kind of out of scale for moving essentially three bbappends around
and I'm wondering if there's something else siginficant in your tree we
want to consider.



This patch is from Robert Yang. CC to him. Maybe he can give us more 
explanation.


For augeas, the current augeas_%.bbappend doesn't work because the 
augeas recipe is in the meta-oe layer, not the meta-python layer. This patch 
moves the bbappend to the correct layer to fix this issue.


It works on my local:

$ cat log.do_configure

[snip]
checking for library containing setfilecon... -lselinux
[snip]
checking for selinux/selinux.h... (cached) yes
checking selinux/context.h usability... yes
checking selinux/context.h presence... yes
checking for selinux/context.h... yes
[snip]


//Yi




-J.


Signed-off-by: Robert Yang 
Signed-off-by: Yi Zhao 
---
  conf/layer.conf   | 11 +++
  .../recipes-daemons/iscsi-initiator-utils/files/initd.debian  |  0
  .../iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend|  0
  .../iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc   |  0
  .../recipes-support}/augeas/augeas_%.bbappend |  0
  .../recipes-containers/lxc/lxc_%.bbappend |  0
  6 files changed, 7 insertions(+), 4 deletions(-)
  rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/files/initd.debian
 (100%)
  rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
 (100%)
  rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
 (100%)
  rename {meta-python/recipes-extended/augeas => 
dynamic-layers/openembedded-layer/recipes-support}/augeas/augeas_%.bbappend (100%)
  rename {virtualization-layer => 
dynamic-layers/virtualization-layer}/recipes-containers/lxc/lxc_%.bbappend (100%)

diff --git a/conf/layer.conf b/conf/layer.conf
index 9dd34b1..89b9468 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -5,10 +5,13 @@ BBPATH .= ":${LAYERDIR}"
  BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
  ${LAYERDIR}/recipes-*/*/*.bbappend"
  
-# Let us add layer-specific bbappends which are only applied when that

-# layer is included in our configuration
-BBFILES += "${@' '.join('${LAYERDIR}/%s/recipes*/*/*.bbappend' % layer \
-   for layer in BBFILE_COLLECTIONS.split())}"
+BBFILES_DYNAMIC += 
"openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bb \
+
openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bbappend 
\
+
networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \
+
networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bbappend \
+
virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bb
 \
+
virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bbappend
 \
+   "
  
  BBFILE_COLLECTIONS += "selinux"

  BBFILE_PATTERN_selinux = "^${LAYERDIR}/"
diff --git 
a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian 
b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
similarity index 100%
rename from 
networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
rename to 
dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
diff --git 
a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils

Re: [yocto] [meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers

2019-09-09 Thread Joe MacDonald
Hi Yi,

[[meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers] 
On 19.09.09 (Mon 14:01) Yi Zhao wrote:

> From: Robert Yang 
> 
> The previous code add all BBFILE_COLLECTIONS/recipes*/*/*.bbappend to BBFILES,
> which causes the parsing very slow when there are many layers, e.g., I have 87
> layers:
> 
> * Before:
> $ rm -fr tmp-glibc/ cache; time bitbake -p
> real0m45.173s
> user0m0.560s
> sys 0m0.060s
> 
> * After:
> $ rm -fr tmp-glibc/ cache; time bitbake -p
> real0m25.542s
> user0m0.572s
> sys 0m0.040s
> 
> It wasted 20s which wasn't worth (The host has 128 threads, it should cost 
> more
> time on less power host), use BBFILES_DYNAMIC can fix the problem.


This seems like a big claim, I certainly haven't seen that on my setup:

* Before:
$ rm -fr tmp cache
real0m14.751s
user0m0.323s
sys 0m0.048s

* After: 
$ rm -fr tmp cache ; time bitbake -p
real0m14.725s
user0m0.326s
sys 0m0.046s

but it's still a sensible change.  When I ran a test before/after
configuration for augeas the configuration seemed off, though.  Can you
confirm that with this change as is you're getting the correct
--with/--without and --enable/--disable and patches applied for your
layers?  I just want to confirm since the ~20s difference in parsing
seems kind of out of scale for moving essentially three bbappends around
and I'm wondering if there's something else significant in your tree we
want to consider.

-J.

> 
> Signed-off-by: Robert Yang 
> Signed-off-by: Yi Zhao 
> ---
>  conf/layer.conf   | 11 
> +++
>  .../recipes-daemons/iscsi-initiator-utils/files/initd.debian  |  0
>  .../iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend|  0
>  .../iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc   |  0
>  .../recipes-support}/augeas/augeas_%.bbappend |  0
>  .../recipes-containers/lxc/lxc_%.bbappend |  0
>  6 files changed, 7 insertions(+), 4 deletions(-)
>  rename {networking-layer => 
> dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/files/initd.debian
>  (100%)
>  rename {networking-layer => 
> dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
>  (100%)
>  rename {networking-layer => 
> dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
>  (100%)
>  rename {meta-python/recipes-extended/augeas => 
> dynamic-layers/openembedded-layer/recipes-support}/augeas/augeas_%.bbappend 
> (100%)
>  rename {virtualization-layer => 
> dynamic-layers/virtualization-layer}/recipes-containers/lxc/lxc_%.bbappend 
> (100%)
> 
> diff --git a/conf/layer.conf b/conf/layer.conf
> index 9dd34b1..89b9468 100644
> --- a/conf/layer.conf
> +++ b/conf/layer.conf
> @@ -5,10 +5,13 @@ BBPATH .= ":${LAYERDIR}"
>  BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
>  ${LAYERDIR}/recipes-*/*/*.bbappend"
>  
> -# Let us add layer-specific bbappends which are only applied when that
> -# layer is included in our configuration
> -BBFILES += "${@' '.join('${LAYERDIR}/%s/recipes*/*/*.bbappend' % layer \
> -   for layer in BBFILE_COLLECTIONS.split())}"
> +BBFILES_DYNAMIC += 
> "openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bb \
> +
> openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bbappend
>  \
> +
> networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \
> +
> networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bbappend \
> +
> virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bb
>  \
> +
> virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bbappend
>  \
> +   "
>  
>  BBFILE_COLLECTIONS += "selinux"
>  BBFILE_PATTERN_selinux = "^${LAYERDIR}/"
> diff --git 
> a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian 
> b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> similarity index 100%
> rename from 
> networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> rename to 
> dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
> diff --git 
> a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
>  
> b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
> similarity index 100%
> rename from 
> networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
> rename to 
> dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
> diff --git 
> a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
>  

[yocto] [meta-selinux][PATCH] conf/layer.conf: use BBFILES_DYNAMIC for dynamic layers

2019-09-08 Thread Yi Zhao
From: Robert Yang 

The previous code add all BBFILE_COLLECTIONS/recipes*/*/*.bbappend to BBFILES,
which causes the parsing very slow when there are many layers, e.g., I have 87
layers:

* Before:
$ rm -fr tmp-glibc/ cache; time bitbake -p
real0m45.173s
user0m0.560s
sys 0m0.060s

* After:
$ rm -fr tmp-glibc/ cache; time bitbake -p
real0m25.542s
user0m0.572s
sys 0m0.040s

That is 20s of wasted parse time (the host has 128 threads, so it should cost
even more on a less powerful host); using BBFILES_DYNAMIC fixes the problem.

Signed-off-by: Robert Yang 
Signed-off-by: Yi Zhao 
---
 conf/layer.conf   | 11 +++
 .../recipes-daemons/iscsi-initiator-utils/files/initd.debian  |  0
 .../iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend|  0
 .../iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc   |  0
 .../recipes-support}/augeas/augeas_%.bbappend |  0
 .../recipes-containers/lxc/lxc_%.bbappend |  0
 6 files changed, 7 insertions(+), 4 deletions(-)
 rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/files/initd.debian
 (100%)
 rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
 (100%)
 rename {networking-layer => 
dynamic-layers/networking-layer}/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
 (100%)
 rename {meta-python/recipes-extended/augeas => 
dynamic-layers/openembedded-layer/recipes-support}/augeas/augeas_%.bbappend 
(100%)
 rename {virtualization-layer => 
dynamic-layers/virtualization-layer}/recipes-containers/lxc/lxc_%.bbappend 
(100%)

diff --git a/conf/layer.conf b/conf/layer.conf
index 9dd34b1..89b9468 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -5,10 +5,13 @@ BBPATH .= ":${LAYERDIR}"
 BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
 ${LAYERDIR}/recipes-*/*/*.bbappend"
 
-# Let us add layer-specific bbappends which are only applied when that
-# layer is included in our configuration
-BBFILES += "${@' '.join('${LAYERDIR}/%s/recipes*/*/*.bbappend' % layer \
-   for layer in BBFILE_COLLECTIONS.split())}"
+BBFILES_DYNAMIC += 
"openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bb \
+
openembedded-layer:${LAYERDIR}/dynamic-layers/openembedded-layer/*/*/*.bbappend 
\
+
networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bb \
+
networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/*/*/*.bbappend \
+
virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bb
 \
+
virtualization-layer:${LAYERDIR}/dynamic-layers/virtualization-layer/recipes*/*/*.bbappend
 \
+   "
 
 BBFILE_COLLECTIONS += "selinux"
 BBFILE_PATTERN_selinux = "^${LAYERDIR}/"
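Review bot: The new globs are not uniform: the openembedded-layer and networking-layer entries match `dynamic-layers/<layer>/*/*/*.bb` and `*.bbappend`, while the two virtualization-layer entries keep the narrower `recipes*/*/*` form. Using `recipes-*/*/*.bb` and `recipes-*/*/*.bbappend` for all three, as the `BBFILES` line at the top of the hunk does, would keep files in non-recipe directories from being parsed. A BBFILES_DYNAMIC entry whose key does not match a configured collection is skipped silently, and the thread notes the augeas bbappend was previously not applied at all, so a comment such as `# key before ':' must be the BBFILE_COLLECTIONS name of the layer that has to be present` would help. It is also worth confirming with `bitbake-layers show-appends` that the SELinux bbappends are really picked up after the move.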
diff --git 
a/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian 
b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
similarity index 100%
rename from 
networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
rename to 
dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/files/initd.debian
diff --git 
a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
 
b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
similarity index 100%
rename from 
networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
rename to 
dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
diff --git 
a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
 
b/dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
similarity index 100%
rename from 
networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
rename to 
dynamic-layers/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
diff --git a/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend 
b/dynamic-layers/openembedded-layer/recipes-support/augeas/augeas_%.bbappend
similarity index 100%
rename from meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend
rename to 
dynamic-layers/openembedded-layer/recipes-support/augeas/augeas_%.bbappend
diff --git a/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend 
b/dynamic-layers/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
similarity index 100%
rename from virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
rename to 
dynamic-layers/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
-- 
2.7.4


[yocto] [meta-selinux][PATCH V2] selinux-autorelabel: disable enforcing mode before relabel

2019-09-08 Thread Yi Zhao
The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
on first boot with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled including /sbin/setfiles. The relabel operations
are not permitted under enforcing mode. So we need to disable enforcing
mode before relabel.

Signed-off-by: Yi Zhao 
---
 .../selinux/selinux-autorelabel/selinux-autorelabel.sh   | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git 
a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh 
b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..25b6921 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -3,16 +3,19 @@
 /usr/sbin/selinuxenabled 2>/dev/null || exit 0
 
 FIXFILES=/sbin/fixfiles
+SETENFORCE=/usr/sbin/setenforce
 
-if ! test -x ${FIXFILES}; then
-   echo "${FIXFILES} is missing in the system."
+for i in ${FIXFILES} ${SETENFORCE}; do
+   test -x $i && continue
+   echo "$i is missing in the system."
echo "Please add \"selinux=0\" in the kernel command line to disable 
SELinux."
exit 1
-fi
+done
 
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+   ${SETENFORCE} 0
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo " * Relabel done, rebooting the system."
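Review bot: The exit status of `${SETENFORCE} 0` is not checked, so if the switch to permissive mode fails the script still runs `${FIXFILES} -F -f relabel` under enforcing mode, removes `/.autorelabel` and announces a reboot with the filesystem possibly still unlabeled. Something like `${SETENFORCE} 0 || echo "SELinux: failed to leave enforcing mode, relabel may be incomplete."` would at least leave a trace on the console. A comment above it, e.g. `# Permissive only for the relabel; the reboot that follows brings the configured mode back`, would record that the enforcement gap is intended and short-lived; the reboot itself is outside this hunk, so that should be confirmed. In the new loop, `test -x $i` would be safer written as `test -x "$i"`. The `if` block continues past the end of the hunk.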
-- 
2.7.4



Re: [yocto] [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel

2019-09-06 Thread Joe MacDonald
[Re: [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before 
relabel] On 19.09.06 (Fri 11:31) Yi Zhao wrote:

> 
> On 9/5/19 7:57 PM, Joe MacDonald wrote:
> > [[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before 
> > relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:
> > 
> > > The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
> > > when first boot with bootparams="selinux=1 enforcing=1". At first boot,
> > > all files are unlabeled including /sbin/fixfiles. The relabel operation
> > > is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
> > > to ensure the enforcing mode is disabled before relabel.
> > Did you try this with '/usr/sbin/setenforce 0' instead?  The rationale
> > makes sense but going straight at sysfs like that isn't the right
> > approach intuitively.  If that's not working, please just include a bit
> > of an explanation for why this is the best option.
> 
> It also works with setenforce.
> 
> I referred to the selinux-autorelabel script on Fedora 30, it uses `echo "0"
> > /sys/fs/selinux/enforce` to disables enforcing mode:
> 
> cat /usr/libexec/selinux/selinux-autorelabel
> 
> [snip]
>  32 relabel_selinux() {
>  33 # if /sbin/init is not labeled correctly this process is running
> in the
>  34 # wrong context, so a reboot will be required after relabel
>  35 AUTORELABEL=
>  36 . /etc/selinux/config
>  37 echo "0" > /sys/fs/selinux/enforce
>  38 [ -x /bin/plymouth ] && plymouth --quit
>  39
> [snip]

Okay, but our version of the script is much less complex than the Fedora
one and we already have the precedent of calling fixfiles by full path
and variable, I'd rather keep the script consistent in style.  If you
want to propose replacing our selinux-autorelabel.sh with the one from
Fedora, please submit a patch for that, but for this patch I'd just
rather see the style remain consistent with what's already there.

Thanks.
-J.

> 
> 
> //Yi
> 
> 
> > 
> > Thanks.
> > -J.
> > 
> > > Signed-off-by: Yi Zhao 
> > > ---
> > >   recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 
> > > +
> > >   1 file changed, 1 insertion(+)
> > > 
> > > diff --git 
> > > a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh 
> > > b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> > > index 154dad1..cb40971 100644
> > > --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> > > +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> > > @@ -13,6 +13,7 @@ fi
> > >   # If /.autorelabel placed, the whole file system should be relabeled
> > >   if [ -f /.autorelabel ]; then
> > >   echo "SELinux: /.autorelabel placed, filesystem will be 
> > > relabeled..."
> > > + echo "0" > /sys/fs/selinux/enforce
> > >   ${FIXFILES} -F -f relabel
> > >   /bin/rm -f /.autorelabel
> > >   echo " * Relabel done, rebooting the system."
> > > -- 
> > > 2.7.4
> > > 

-- 
-Joe MacDonald.
Linux Architect | Mentor® A Siemens Business
:wq




Re: [yocto] [meta-selinux][PATCH] selinux-init: use systemd (re)labelling

2019-09-06 Thread Mark Asselstine
On Thursday, September 5, 2019 4:02:11 P.M. EDT Joe MacDonald wrote:
> [Re: [yocto] [meta-selinux][PATCH] selinux-init: use systemd (re)labelling] 
On 19.09.05 (Thu 13:55) Mark Asselstine wrote:
> > On Friday, August 23, 2019 2:19:53 P.M. EDT Mark Asselstine wrote:
> > > Boot loops were being seen when booting with selinux enabled, when the
> > > init system in use is systemd. Once logs were retrieved from the
> > > failing system the error was found to be
> > > 
> > > selinux-init.sh[284]: /sbin/restorecon: Could not set context for
> > > /sys/fs/cgroup/cpuacct:  Read-only file system selinux-init.sh[284]:
> > > /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu: 
> > > Read-only
> > > file system
> > > 
> > > Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code
> > > used by selinux-init.sh is unable to handle this. On top of this the
> > > system is basically presenting two methods of (re)labelling; using the
> > > built in systemd approach via selinux-autorelabel.service *and* the
> > > code we have in selinux-init.sh. This can get confusing especially
> > > given that most online resources will speak to the systemd approach
> > > using selinux-autorelabel.service and /.autorelabel.
> > > 
> > > These changes leave the current approach in place when sysvinit is the
> > > init system used, but if systemd is being used we make use of it's
> > > internal (re)labelling functionality. Overall the workflow remains the
> > > same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw
> > > during the (re)labelling procedure).
> > > 
> > > Signed-off-by: Mark Asselstine 
> > > ---
> > 
> > Joe, any thoughts on this change?
> 
> Not especially, it sounded good to me, seemed to work on a quick test
> for my use-case, and I merged it:
> 
> http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?id=b0d31db104
> d9a4e94bc1409c2ffcc1d82f4a780f
> 
> Is there something else I should've considered?  Or did you want it on a
> different branch too?

Nope, nope. I figure I should take git off my resume as I just screwed up and 
so didn't see that it was merged. I see it now. Sorry for the churn, we'll 
have to meetup for a beer for retribution.

MarkA

> 
> -J.
> 
> > MarkA
> > 
> > >  .../selinux/selinux-init/selinux-init.sh   | 14 +-
> > >  .../selinux/selinux-init/selinux-init.sh.sysvinit  | 14 ++
> > >  recipes-security/selinux/selinux-init_0.1.bb   |  8 +---
> > >  recipes-security/selinux/selinux-initsh.inc|  8 
> > >  4 files changed, 28 insertions(+), 16 deletions(-)
> > >  create mode 100644
> > > 
> > > recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> > > 
> > > diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh
> > > b/recipes-security/selinux/selinux-init/selinux-init.sh index
> > > ead4f00..f93d231 100644
> > > --- a/recipes-security/selinux/selinux-init/selinux-init.sh
> > > +++ b/recipes-security/selinux/selinux-init/selinux-init.sh
> > > @@ -33,18 +33,6 @@ check_rootfs()
> > > 
> > >   /sbin/shutdown -f -h now
> > >  
> > >  }
> > > 
> > > -# If first booting, the security context type of init would be
> > > -# "kernel_t", and the whole file system should be relabeled.
> > > -if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
> > > - echo "Checking SELinux security contexts:"
> > > - check_rootfs
> > > - echo " * First booting, filesystem will be relabeled..."
> > > - test -x /etc/init.d/auditd && /etc/init.d/auditd start
> > > - ${SETENFORCE} 0
> > > - ${RESTORECON} -RF /
> > > - ${RESTORECON} -F /
> > > - echo " * Relabel done, rebooting the system."
> > > - /sbin/reboot
> > > -fi
> > > +# sysvinit firstboot relabel placeholder HERE
> > > 
> > >  exit 0
> > > 
> > > diff --git
> > > a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> > > b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit new
> > > file
> > > mode 100644
> > > index 000..d4f3f71
> > > --- /dev/null
> > > +++ b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> > > @@ -0,0 +1,14 @@
> > > +# Contents will be added to selinux-init.sh to support relabelling with
> >

Re: [yocto] [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel

2019-09-05 Thread Yi Zhao



On 9/5/19 7:57 PM, Joe MacDonald wrote:

[[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before 
relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:


The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
when first boot with bootparams="selinux=1 enforcing=1". At first boot,
all files are unlabeled including /sbin/fixfiles. The relabel operation
is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
to ensure the enforcing mode is disabled before relabel.

Did you try this with '/usr/sbin/setenforce 0' instead?  The rationale
makes sense but going straight at sysfs like that isn't the right
approach intuitively.  If that's not working, please just include a bit
of an explanation for why this is the best option.


It also works with setenforce.

I referred to the selinux-autorelabel script on Fedora 30; it uses `echo 
"0" > /sys/fs/selinux/enforce` to disable enforcing mode:


cat /usr/libexec/selinux/selinux-autorelabel

[snip]
 32 relabel_selinux() {
 33 # if /sbin/init is not labeled correctly this process is 
running in the

 34 # wrong context, so a reboot will be required after relabel
 35 AUTORELABEL=
 36 . /etc/selinux/config
 37 echo "0" > /sys/fs/selinux/enforce
 38 [ -x /bin/plymouth ] && plymouth --quit
 39
[snip]


//Yi




Thanks.
-J.


Signed-off-by: Yi Zhao 
---
  recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
  1 file changed, 1 insertion(+)

diff --git 
a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh 
b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..cb40971 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -13,6 +13,7 @@ fi
  # If /.autorelabel placed, the whole file system should be relabeled
  if [ -f /.autorelabel ]; then
echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+   echo "0" > /sys/fs/selinux/enforce
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo " * Relabel done, rebooting the system."
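Review bot: The added `echo "0" > /sys/fs/selinux/enforce` is never checked, and the lines after it run regardless: `${FIXFILES} -F -f relabel`, then `/bin/rm -f /.autorelabel`, then the reboot that the last echo announces. If the write fails, the relabel runs under enforcing mode as before, the flag file is still removed, and the next boot has nothing left to trigger a retry. I would at least log the failure, `echo "0" > /sys/fs/selinux/enforce || echo "SELinux: could not leave enforcing mode, relabel may be incomplete"`, and add a comment above it, `# Permissive only for the relabel; enforcing mode returns with the reboot below`, so a reader sees that enforcement is off on purpose and for how long. The `if` block continues past the end of the hunk, so the reboot is inferred from the message. The same hunk appears twice more further down this thread.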
--
2.7.4




Re: [yocto] [meta-selinux][PATCH] selinux-init: use systemd (re)labelling

2019-09-05 Thread Joe MacDonald
[Re: [yocto] [meta-selinux][PATCH] selinux-init: use systemd (re)labelling] On 
19.09.05 (Thu 13:55) Mark Asselstine wrote:

> On Friday, August 23, 2019 2:19:53 P.M. EDT Mark Asselstine wrote:
> > Boot loops were being seen when booting with selinux enabled, when the
> > init system in use is systemd. Once logs were retrieved from the
> > failing system the error was found to be
> > 
> > selinux-init.sh[284]: /sbin/restorecon: Could not set context for
> > /sys/fs/cgroup/cpuacct:  Read-only file system selinux-init.sh[284]:
> > /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu:  Read-only
> > file system
> > 
> > Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code
> > used by selinux-init.sh is unable to handle this. On top of this the
> > system is basically presenting two methods of (re)labelling; using the
> > built in systemd approach via selinux-autorelabel.service *and* the
> > code we have in selinux-init.sh. This can get confusing especially
> > given that most online resources will speak to the systemd approach
> > using selinux-autorelabel.service and /.autorelabel.
> > 
> > These changes leave the current approach in place when sysvinit is the
> > init system used, but if systemd is being used we make use of it's
> > internal (re)labelling functionality. Overall the workflow remains the
> > same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw
> > during the (re)labelling procedure).
> > 
> > Signed-off-by: Mark Asselstine 
> > ---
> 
> Joe, any thoughts on this change?

Not especially, it sounded good to me, seemed to work on a quick test
for my use-case, and I merged it:

http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/commit/?id=b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f

Is there something else I should've considered?  Or did you want it on a
different branch too?

-J.

> 
> MarkA
> 
> >  .../selinux/selinux-init/selinux-init.sh   | 14 +-
> >  .../selinux/selinux-init/selinux-init.sh.sysvinit  | 14 ++
> >  recipes-security/selinux/selinux-init_0.1.bb   |  8 +---
> >  recipes-security/selinux/selinux-initsh.inc|  8 
> >  4 files changed, 28 insertions(+), 16 deletions(-)
> >  create mode 100644
> > recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> > 
> > diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh
> > b/recipes-security/selinux/selinux-init/selinux-init.sh index
> > ead4f00..f93d231 100644
> > --- a/recipes-security/selinux/selinux-init/selinux-init.sh
> > +++ b/recipes-security/selinux/selinux-init/selinux-init.sh
> > @@ -33,18 +33,6 @@ check_rootfs()
> > /sbin/shutdown -f -h now
> >  }
> > 
> > -# If first booting, the security context type of init would be
> > -# "kernel_t", and the whole file system should be relabeled.
> > -if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
> > -   echo "Checking SELinux security contexts:"
> > -   check_rootfs
> > -   echo " * First booting, filesystem will be relabeled..."
> > -   test -x /etc/init.d/auditd && /etc/init.d/auditd start
> > -   ${SETENFORCE} 0
> > -   ${RESTORECON} -RF /
> > -   ${RESTORECON} -F /
> > -   echo " * Relabel done, rebooting the system."
> > -   /sbin/reboot
> > -fi
> > +# sysvinit firstboot relabel placeholder HERE
> > 
> >  exit 0
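Review bot: The placeholder `# sysvinit firstboot relabel placeholder HERE` is the only link between this script and its relabel fragment, and the install step quoted later on this page finds it with the bare pattern `/HERE/`, which matches any line containing that word. If the pattern ever matches nothing, a sysvinit image silently loses its first-boot relabel; if it matches twice, the fragment is inserted twice. A distinctive, anchored marker would be safer, for example `# @SYSVINIT_FIRSTBOOT_RELABEL@` (a constructed name) matched as `/^# @SYSVINIT_FIRSTBOOT_RELABEL@$/`, with a comment saying the line is replaced at install time and must not be edited. The sed command is cut off on this page, so how the marker is cleaned up afterwards is not visible. The same hunk is quoted again in the next message.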
> > diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> > b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit new file
> > mode 100644
> > index 000..d4f3f71
> > --- /dev/null
> > +++ b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> > @@ -0,0 +1,14 @@
> > +# Contents will be added to selinux-init.sh to support relabelling with
> > sysvinit +# If first booting, the security context type of init would be
> > +# "kernel_t", and the whole file system should be relabeled.
> > +if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
> > +   echo "Checking SELinux security contexts:"
> > +   check_rootfs
> > +   echo " * First booting, filesystem will be relabeled..."
> > +   test -x /etc/init.d/auditd && /etc/init.d/auditd start
> > +   ${SETENFORCE} 0
> > +   ${RESTORECON} -RF /
> > +   ${RESTORECON} -F /
> > +   echo " * Relabel done, rebooting the system."
> > +   /sbin/reboot
> > +fi
> > diff --git a/recipes-security/selinux/selinux-init_0.1.bb
> > b/recipe

Re: [yocto] [meta-selinux][PATCH] selinux-init: use systemd (re)labelling

2019-09-05 Thread Mark Asselstine
On Friday, August 23, 2019 2:19:53 P.M. EDT Mark Asselstine wrote:
> Boot loops were being seen when booting with selinux enabled, when the
> init system in use is systemd. Once logs were retrieved from the
> failing system the error was found to be
> 
> selinux-init.sh[284]: /sbin/restorecon: Could not set context for
> /sys/fs/cgroup/cpuacct:  Read-only file system selinux-init.sh[284]:
> /sbin/restorecon: Could not set context for /sys/fs/cgroup/cpu:  Read-only
> file system
> 
> Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code
> used by selinux-init.sh is unable to handle this. On top of this the
> system is basically presenting two methods of (re)labelling; using the
> built in systemd approach via selinux-autorelabel.service *and* the
> code we have in selinux-init.sh. This can get confusing especially
> given that most online resources will speak to the systemd approach
> using selinux-autorelabel.service and /.autorelabel.
> 
> These changes leave the current approach in place when sysvinit is the
> init system used, but if systemd is being used we make use of it's
> internal (re)labelling functionality. Overall the workflow remains the
> same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw
> during the (re)labelling procedure).
> 
> Signed-off-by: Mark Asselstine 
> ---

Joe, any thoughts on this change?

MarkA

>  .../selinux/selinux-init/selinux-init.sh   | 14 +-
>  .../selinux/selinux-init/selinux-init.sh.sysvinit  | 14 ++
>  recipes-security/selinux/selinux-init_0.1.bb   |  8 +---
>  recipes-security/selinux/selinux-initsh.inc|  8 
>  4 files changed, 28 insertions(+), 16 deletions(-)
>  create mode 100644
> recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> 
> diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh
> b/recipes-security/selinux/selinux-init/selinux-init.sh index
> ead4f00..f93d231 100644
> --- a/recipes-security/selinux/selinux-init/selinux-init.sh
> +++ b/recipes-security/selinux/selinux-init/selinux-init.sh
> @@ -33,18 +33,6 @@ check_rootfs()
>   /sbin/shutdown -f -h now
>  }
> 
> -# If first booting, the security context type of init would be
> -# "kernel_t", and the whole file system should be relabeled.
> -if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
> - echo "Checking SELinux security contexts:"
> - check_rootfs
> - echo " * First booting, filesystem will be relabeled..."
> - test -x /etc/init.d/auditd && /etc/init.d/auditd start
> - ${SETENFORCE} 0
> - ${RESTORECON} -RF /
> - ${RESTORECON} -F /
> - echo " * Relabel done, rebooting the system."
> - /sbin/reboot
> -fi
> +# sysvinit firstboot relabel placeholder HERE
> 
>  exit 0
> diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit new file
> mode 100644
> index 000..d4f3f71
> --- /dev/null
> +++ b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
> @@ -0,0 +1,14 @@
> +# Contents will be added to selinux-init.sh to support relabelling with
> sysvinit +# If first booting, the security context type of init would be
> +# "kernel_t", and the whole file system should be relabeled.
> +if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
> + echo "Checking SELinux security contexts:"
> + check_rootfs
> + echo " * First booting, filesystem will be relabeled..."
> + test -x /etc/init.d/auditd && /etc/init.d/auditd start
> + ${SETENFORCE} 0
> + ${RESTORECON} -RF /
> + ${RESTORECON} -F /
> + echo " * Relabel done, rebooting the system."
> + /sbin/reboot
> +fi
> diff --git a/recipes-security/selinux/selinux-init_0.1.bb
> b/recipes-security/selinux/selinux-init_0.1.bb index 38b5900..78f571c
> 100644
> --- a/recipes-security/selinux/selinux-init_0.1.bb
> +++ b/recipes-security/selinux/selinux-init_0.1.bb
> @@ -14,9 +14,11 @@ ${PN}_RDEPENDS = " \
>  policycoreutils-setfiles \
>  "
> 
> -SRC_URI = "file://${BPN}.sh \
> - file://${BPN}.service \
> - "
> +SRC_URI = " \
> +file://${BPN}.sh \
> +file://${BPN}.sh.sysvinit \
> +file://${BPN}.service \
> +"
> 
>  INITSCRIPT_PARAMS = "start 01 S ."
> 
> diff --git a/recipes-security/selinux/selinux-initsh.inc
> b/recipes-security/selinux/selinux-initsh.inc index bcdd449..8e31cda 100644
> --- a/recipes-security/selinux/selinux-initsh.inc
> +++ b/recipes-security/selinux/selinux-initsh.inc
> @@ -17,9 +17,15 @@ inherit update-rc.d systemd
> 
>  SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service"
> 
> +FILES_${PN} += "/.autorelabel"
> +
>  do_install () {
>   install -d ${D}${sysconfdir}/init.d/
>   install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh
> ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST} +  # Insert the relabelling
> code which is only needed with sysvinit + sed -i -e '/HERE/r
> ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \ +-e 

Re: [yocto] [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel

2019-09-05 Thread Joe MacDonald
[[meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before 
relabel] On 19.09.05 (Thu 16:57) Yi Zhao wrote:

> The commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue
> when first boot with bootparams="selinux=1 enforcing=1". At first boot,
> all files are unlabeled including /sbin/fixfiles. The relabel operation
> is not permitted under enforcing mode. Set /sys/fs/selinux/enforce to 0
> to ensure the enforcing mode is disabled before relabel.

Did you try this with '/usr/sbin/setenforce 0' instead?  The rationale
makes sense but going straight at sysfs like that isn't the right
approach intuitively.  If that's not working, please just include a bit
of an explanation for why this is the best option.

Thanks.
-J.

> 
> Signed-off-by: Yi Zhao 
> ---
>  recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git 
> a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh 
> b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> index 154dad1..cb40971 100644
> --- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> +++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
> @@ -13,6 +13,7 @@ fi
>  # If /.autorelabel placed, the whole file system should be relabeled
>  if [ -f /.autorelabel ]; then
>   echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
> + echo "0" > /sys/fs/selinux/enforce
>   ${FIXFILES} -F -f relabel
>   /bin/rm -f /.autorelabel
>   echo " * Relabel done, rebooting the system."
> -- 
> 2.7.4
> 




[yocto] [meta-selinux][PATCH] selinux-autorelabel: disable enforcing mode before relabel

2019-09-05 Thread Yi Zhao
Commit b0d31db104d9a4e94bc1409c2ffcc1d82f4a780f introduced an issue at
first boot with bootparams="selinux=1 enforcing=1". At first boot, all
files are unlabeled, including /sbin/fixfiles, and the relabel operation
is not permitted in enforcing mode. Set /sys/fs/selinux/enforce to 0
to ensure that enforcing mode is disabled before the relabel.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git 
a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh 
b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
index 154dad1..cb40971 100644
--- a/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
+++ b/recipes-security/selinux/selinux-autorelabel/selinux-autorelabel.sh
@@ -13,6 +13,7 @@ fi
 # If /.autorelabel placed, the whole file system should be relabeled
 if [ -f /.autorelabel ]; then
echo "SELinux: /.autorelabel placed, filesystem will be relabeled..."
+   echo "0" > /sys/fs/selinux/enforce
${FIXFILES} -F -f relabel
/bin/rm -f /.autorelabel
echo " * Relabel done, rebooting the system."
-- 
2.7.4



[yocto] [meta-selinux][PATCH] mcstrans: Fix package to work with usrmerge

2019-09-02 Thread Jason Wessel
ERROR: mcstrans-2.8-r0 do_package_qa: QA Issue: mcstrans-dbg package is not 
obeying usrmerge distro feature. /sbin should be relocated to /usr. [usrmerge]
ERROR: mcstrans-2.8-r0 do_package_qa: QA run found fatal errors. Please 
consider fixing them.
ERROR: mcstrans-2.8-r0 do_package_qa: Function failed: do_package_qa

It is a simple case of making sure the SBINDIR is set properly for the
Makefile.

[ Issue: LIN1018-4665 ]

Signed-off-by: Jason Wessel 
---
 recipes-security/selinux/mcstrans.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-security/selinux/mcstrans.inc 
b/recipes-security/selinux/mcstrans.inc
index 2568c8d..feb5715 100644
--- a/recipes-security/selinux/mcstrans.inc
+++ b/recipes-security/selinux/mcstrans.inc
@@ -12,6 +12,8 @@ SRC_URI += "file://mcstrans-de-bashify.patch \
 
 inherit systemd update-rc.d
 
+EXTRA_OEMAKE += "SBINDIR=${sbindir}"
+
 DEPENDS += "libsepol libselinux libcap"
 
 do_install_append() {
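Review bot: `EXTRA_OEMAKE += "SBINDIR=${sbindir}"` moves the daemon to `${sbindir}` in every configuration, not only when the usrmerge distro feature is enabled. `${base_sbindir}` already resolves to the `/usr` location under usrmerge and keeps the old path otherwise, so `EXTRA_OEMAKE += "SBINDIR=${base_sbindir}"` should clear the QA error without relocating the binary on non-usrmerge builds; the INITDIR patch further down this page shows the recipe using that form. The recipe inherits `systemd` and `update-rc.d`, so whichever path is chosen should be checked against the path the unit file and init script start the daemon from, which is not visible here. `do_install_append()` opens on the last line of the hunk and continues outside it.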
-- 
2.21.0



Re: [yocto] [meta-selinux][PATCH 3/3] util-linux: drop obsolete patch

2019-08-29 Thread Joe MacDonald
[Re: [yocto] [meta-selinux][PATCH 3/3] util-linux: drop obsolete patch] On 
19.08.29 (Thu 16:00) Yi Zhao wrote:

> Hi Joe,
> 
> 
> Seems you were missing this patch. Would you please merge it? Thanks.

Oh, yeah, sure.  It got classified as spam.  Since it was the end of a
queue I just assumed they were mis-numbered when I only found 1/3 and
2/3.

Thanks for pinging me on it.

-J.

> 
> 
> //Yi
> 
> 
> On 5/20/19 12:41 PM, Yi Zhao wrote:
> > Signed-off-by: Yi Zhao 
> > ---
> >   .../util-linux/fix-libmount_la_DEPENDENCIES.patch  | 28 
> > --
> >   1 file changed, 28 deletions(-)
> >   delete mode 100644 
> > recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
> > 
> > diff --git 
> > a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch 
> > b/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
> > deleted file mode 100644
> > index ab54818..000
> > --- a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
> > +++ /dev/null
> > @@ -1,28 +0,0 @@
> > -Subject: [PATCH] util-linux: fix libmount_la_DEPENDENCIES.
> > -
> > -Upstream-Status: Pending
> > -
> > -libmount_la_LIBADD contains "-lselinux", this is not a object that
> > -could consider as a dependency target. So fix this.
> > -
> > -Signed-off-by: Xin Ouyang 
> > 
> > - libmount/src/Makemodule.am |2 +-
> > - 1 files changed, 1 insertions(+), 1 deletions(-)
> > -
> > -diff --git a/libmount/src/Makemodule.am b/libmount/src/Makemodule.am
> > -index 494e02a..bf494a4 100644
> >  a/libmount/src/Makemodule.am
> > -+++ b/libmount/src/Makemodule.am
> > -@@ -38,7 +38,7 @@ libmount_la_CFLAGS = \
> > -   -I$(top_srcdir)/libmount/src
> > -
> > - libmount_la_DEPENDENCIES = \
> > --  $(libmount_la_LIBADD) \
> > -+  libcommon.la libblkid.la \
> > -   libmount/src/libmount.sym \
> > -   libmount/src/libmount.h.in
> > -
> > ---
> > -1.7.5.4
> > -

-- 
-Joe MacDonald.
Linux Architect | Mentor® A Siemens Business
:wq




Re: [yocto] [meta-selinux] [PATCH] python-scapy: upgrade 2.4.2 -> 2.4.3

2019-08-29 Thread akuster808


On 8/29/19 7:25 AM, Joe MacDonald wrote:
> [Re: [yocto] [meta-selinux] [PATCH] python-scapy: upgrade 2.4.2 -> 2.4.3] On 
> 19.08.29 (Thu 07:14) akuster808 wrote:
>
No v2 required. does not affect patchwork.

- armin
>>
>> On 8/28/19 10:41 PM, Yuan Chao wrote:
>>> License file changed from bin/scapy to LICENSE
>> Is this the correct layer?
> There's no scapy in meta-selinux, AFAIK.  So proably this was destined
> for meta-security instead.
>
> -J.
>
>> -armin
>>> Signed-off-by: Yuan Chao 
>>> ---
>>>  recipes-security/scapy/python-scapy.inc   | 4 ++--
>>>  .../scapy/{python-scapy_2.4.2.bb => python-scapy_2.4.3.bb}| 0
>>>  .../scapy/{python3-scapy_2.4.2.bb => python3-scapy_2.4.3.bb}  | 0
>>>  3 files changed, 2 insertions(+), 2 deletions(-)
>>>  rename recipes-security/scapy/{python-scapy_2.4.2.bb => 
>>> python-scapy_2.4.3.bb} (100%)
>>>  rename recipes-security/scapy/{python3-scapy_2.4.2.bb => 
>>> python3-scapy_2.4.3.bb} (100%)
>>>
>>> diff --git a/recipes-security/scapy/python-scapy.inc 
>>> b/recipes-security/scapy/python-scapy.inc
>>> index baa69b2..28e13f2 100644
>>> --- a/recipes-security/scapy/python-scapy.inc
>>> +++ b/recipes-security/scapy/python-scapy.inc
>>> @@ -3,11 +3,11 @@ DESCRIPTION = "Scapy is a powerful interactive packet 
>>> manipulation program. It i
>>>  SECTION = "security"
>>>  LICENSE = "GPLv2"
>>>  
>>> -LIC_FILES_CHKSUM = 
>>> "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69"
>>> +LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
>>>  
>>>  S = "${WORKDIR}/git"
>>>  
>>> -SRCREV = "bad14cb1a5aee29f8107fbe8ad008d4645f14da7"
>>> +SRCREV = "3047580162a9407ef05fe981983cacfa698f1159"
>>>  SRC_URI = "git://github.com/secdev/scapy.git"
>>>  
>>>  inherit ptest
>>> diff --git a/recipes-security/scapy/python-scapy_2.4.2.bb 
>>> b/recipes-security/scapy/python-scapy_2.4.3.bb
>>> similarity index 100%
>>> rename from recipes-security/scapy/python-scapy_2.4.2.bb
>>> rename to recipes-security/scapy/python-scapy_2.4.3.bb
>>> diff --git a/recipes-security/scapy/python3-scapy_2.4.2.bb 
>>> b/recipes-security/scapy/python3-scapy_2.4.3.bb
>>> similarity index 100%
>>> rename from recipes-security/scapy/python3-scapy_2.4.2.bb
>>> rename to recipes-security/scapy/python3-scapy_2.4.3.bb






Re: [yocto] [meta-selinux] [PATCH] python-scapy: upgrade 2.4.2 -> 2.4.3

2019-08-29 Thread Joe MacDonald
[Re: [yocto] [meta-selinux] [PATCH] python-scapy: upgrade 2.4.2 -> 2.4.3] On 
19.08.29 (Thu 07:14) akuster808 wrote:

> 
> 
> On 8/28/19 10:41 PM, Yuan Chao wrote:
> > License file changed from bin/scapy to LICENSE
> Is this the correct layer?

There's no scapy in meta-selinux, AFAIK.  So probably this was destined
for meta-security instead.

-J.

> 
> -armin
> >
> > Signed-off-by: Yuan Chao 
> > ---
> >  recipes-security/scapy/python-scapy.inc   | 4 ++--
> >  .../scapy/{python-scapy_2.4.2.bb => python-scapy_2.4.3.bb}| 0
> >  .../scapy/{python3-scapy_2.4.2.bb => python3-scapy_2.4.3.bb}  | 0
> >  3 files changed, 2 insertions(+), 2 deletions(-)
> >  rename recipes-security/scapy/{python-scapy_2.4.2.bb => 
> > python-scapy_2.4.3.bb} (100%)
> >  rename recipes-security/scapy/{python3-scapy_2.4.2.bb => 
> > python3-scapy_2.4.3.bb} (100%)
> >
> > diff --git a/recipes-security/scapy/python-scapy.inc 
> > b/recipes-security/scapy/python-scapy.inc
> > index baa69b2..28e13f2 100644
> > --- a/recipes-security/scapy/python-scapy.inc
> > +++ b/recipes-security/scapy/python-scapy.inc
> > @@ -3,11 +3,11 @@ DESCRIPTION = "Scapy is a powerful interactive packet 
> > manipulation program. It i
> >  SECTION = "security"
> >  LICENSE = "GPLv2"
> >  
> > -LIC_FILES_CHKSUM = 
> > "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69"
> > +LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
> >  
> >  S = "${WORKDIR}/git"
> >  
> > -SRCREV = "bad14cb1a5aee29f8107fbe8ad008d4645f14da7"
> > +SRCREV = "3047580162a9407ef05fe981983cacfa698f1159"
> >  SRC_URI = "git://github.com/secdev/scapy.git"
> >  
> >  inherit ptest
> > diff --git a/recipes-security/scapy/python-scapy_2.4.2.bb 
> > b/recipes-security/scapy/python-scapy_2.4.3.bb
> > similarity index 100%
> > rename from recipes-security/scapy/python-scapy_2.4.2.bb
> > rename to recipes-security/scapy/python-scapy_2.4.3.bb
> > diff --git a/recipes-security/scapy/python3-scapy_2.4.2.bb 
> > b/recipes-security/scapy/python3-scapy_2.4.3.bb
> > similarity index 100%
> > rename from recipes-security/scapy/python3-scapy_2.4.2.bb
> > rename to recipes-security/scapy/python3-scapy_2.4.3.bb
> 

-- 
-Joe MacDonald.
Linux Architect | Mentor® A Siemens Business
:wq




Re: [yocto] [meta-selinux] [PATCH] python-scapy: upgrade 2.4.2 -> 2.4.3

2019-08-29 Thread akuster808



On 8/28/19 10:41 PM, Yuan Chao wrote:
> License file changed from bin/scapy to LICENSE
Is this the correct layer?

-armin
>
> Signed-off-by: Yuan Chao 
> ---
>  recipes-security/scapy/python-scapy.inc   | 4 ++--
>  .../scapy/{python-scapy_2.4.2.bb => python-scapy_2.4.3.bb}| 0
>  .../scapy/{python3-scapy_2.4.2.bb => python3-scapy_2.4.3.bb}  | 0
>  3 files changed, 2 insertions(+), 2 deletions(-)
>  rename recipes-security/scapy/{python-scapy_2.4.2.bb => 
> python-scapy_2.4.3.bb} (100%)
>  rename recipes-security/scapy/{python3-scapy_2.4.2.bb => 
> python3-scapy_2.4.3.bb} (100%)
>
> diff --git a/recipes-security/scapy/python-scapy.inc 
> b/recipes-security/scapy/python-scapy.inc
> index baa69b2..28e13f2 100644
> --- a/recipes-security/scapy/python-scapy.inc
> +++ b/recipes-security/scapy/python-scapy.inc
> @@ -3,11 +3,11 @@ DESCRIPTION = "Scapy is a powerful interactive packet 
> manipulation program. It i
>  SECTION = "security"
>  LICENSE = "GPLv2"
>  
> -LIC_FILES_CHKSUM = 
> "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
>  
>  S = "${WORKDIR}/git"
>  
> -SRCREV = "bad14cb1a5aee29f8107fbe8ad008d4645f14da7"
> +SRCREV = "3047580162a9407ef05fe981983cacfa698f1159"
>  SRC_URI = "git://github.com/secdev/scapy.git"
>  
>  inherit ptest
> diff --git a/recipes-security/scapy/python-scapy_2.4.2.bb 
> b/recipes-security/scapy/python-scapy_2.4.3.bb
> similarity index 100%
> rename from recipes-security/scapy/python-scapy_2.4.2.bb
> rename to recipes-security/scapy/python-scapy_2.4.3.bb
> diff --git a/recipes-security/scapy/python3-scapy_2.4.2.bb 
> b/recipes-security/scapy/python3-scapy_2.4.3.bb
> similarity index 100%
> rename from recipes-security/scapy/python3-scapy_2.4.2.bb
> rename to recipes-security/scapy/python3-scapy_2.4.3.bb



[yocto] [meta-selinux][PATCH 2/2] mcstrans: specify INITDIR

2019-08-29 Thread Yi Zhao
By default the mcstrans init script will be installed to
/etc/rc.d/init.d directory. Specify INITDIR to install it to /etc/init.d
directory.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/mcstrans.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/selinux/mcstrans.inc 
b/recipes-security/selinux/mcstrans.inc
index e66633d..0eb8720 100644
--- a/recipes-security/selinux/mcstrans.inc
+++ b/recipes-security/selinux/mcstrans.inc
@@ -15,7 +15,7 @@ inherit systemd update-rc.d
 DEPENDS += "libsepol libselinux libcap"
 
 # We do not need "${D}/" as a prefix anymore.
-EXTRA_OEMAKE += "SBINDIR=${base_sbindir}"
+EXTRA_OEMAKE += "SBINDIR=${base_sbindir} INITDIR=${sysconfdir}/init.d"
 
 do_install_append() {
 install -d ${D}${sbindir}
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/2] setools: update SRC_URI

2019-08-29 Thread Yi Zhao
SETools has moved from https://github.com/TresysTechnology/setools to
https://github.com/SELinuxProject/setools
See: https://github.com/TresysTechnology/setools/wiki

Signed-off-by: Yi Zhao 
---
 recipes-security/setools/setools_4.1.1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/setools/setools_4.1.1.bb 
b/recipes-security/setools/setools_4.1.1.bb
index 8bdbfba..db529f4 100644
--- a/recipes-security/setools/setools_4.1.1.bb
+++ b/recipes-security/setools/setools_4.1.1.bb
@@ -9,7 +9,7 @@ SECTION = "base"
 LICENSE = "GPLv2 & LGPLv2.1"
 
 S = "${WORKDIR}/git"
-SRC_URI = "git://github.com/TresysTechnology/${BPN}.git;branch=4.1 \
+SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.1 \
file://setools4-fixes-for-cross-compiling.patch \
file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \
file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \
-- 
2.7.4



Re: [yocto] [meta-selinux][PATCH 3/3] util-linux: drop obsolete patch

2019-08-29 Thread Yi Zhao

Hi Joe,


Seems you were missing this patch. Would you please merge it? Thanks.


//Yi


On 5/20/19 12:41 PM, Yi Zhao wrote:

Signed-off-by: Yi Zhao 
---
  .../util-linux/fix-libmount_la_DEPENDENCIES.patch  | 28 --
  1 file changed, 28 deletions(-)
  delete mode 100644 
recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch

diff --git 
a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch 
b/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
deleted file mode 100644
index ab54818..000
--- a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Subject: [PATCH] util-linux: fix libmount_la_DEPENDENCIES.
-
-Upstream-Status: Pending
-
-libmount_la_LIBADD contains "-lselinux", this is not a object that
-could consider as a dependency target. So fix this.
-
-Signed-off-by: Xin Ouyang 

- libmount/src/Makemodule.am |2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/libmount/src/Makemodule.am b/libmount/src/Makemodule.am
-index 494e02a..bf494a4 100644
 a/libmount/src/Makemodule.am
-+++ b/libmount/src/Makemodule.am
-@@ -38,7 +38,7 @@ libmount_la_CFLAGS = \
-   -I$(top_srcdir)/libmount/src
-
- libmount_la_DEPENDENCIES = \
--  $(libmount_la_LIBADD) \
-+  libcommon.la libblkid.la \
-   libmount/src/libmount.sym \
-   libmount/src/libmount.h.in
-
---
-1.7.5.4
-



Re: [yocto] [meta-selinux][PATCH 1/2] meson-selinux.bbclass: fix meson flags for glib-2.0-native

2019-08-28 Thread Mikko.Rapeli
Hi,

On Wed, Aug 28, 2019 at 01:19:17PM -0400, Joe MacDonald wrote:
> Hi Mikko,
> 
> Is this specifically for warrior (or thud), maybe?  The following commit
> explains the current logic:
> 
> commit bb0c9c3abcb935e4b362eb57985e1ee7fec0bfe0
> Author: Yi Zhao 
> Date:   Wed Jun 12 15:53:20 2019 +0800
> 
> glib-2.0: fix configure error for meson build
> 
> In glib 2.60.x, it turns selinux into a meson feature. We should use
> '-Dselinux=enabled/disabled' rather than '-Dselinux=true/false' to
> enable/disable the feature.
> 
> Add meso-enable-selinux.bbclass for this change and inherit it in
> glib-2.0 bbappend to fix the configure error.
> 
> Signed-off-by: Yi Zhao 
> Signed-off-by: Joe MacDonald 
> 
> and the second patch is already present in tree:
> 
> commit 087fe5c8144c246c6361bd8bcbd1ffd9e9b675bb
> Author: Yi Zhao 
> Date:   Fri Aug 9 17:48:00 2019 +0800
> 
> libselinux: fix build with glibc 2.30
> 
> Fix build error:
> procattr.c:27:14: error: static declaration of 'gettid' follows
> non-static declaration
>27 | static pid_t gettid(void)
>   |  ^~
> In file included from 
> /buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/unistd.h:1170,
>  from procattr.c:2:
> 
> /buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/bits/unistd_ext.h:34:16:
> note: previous declaration of 'gettid' was here
>34 | extern __pid_t gettid (void) __THROW;
>   |^~
> 
> Signed-off-by: Yi Zhao 
> Signed-off-by: Joe MacDonald 
> 
> This is what my current work tree looks like, for reference:
> 
>   $ repo forall -p -c git log -1 --pretty=oneline
>   project meta-openembedded/
>   2ebaa8df1257389161d0bee9e553c28f63e52005 python3-pyatspi: Add Dbus ATSPI 
> recipe
>   
>   project meta-selinux/
>   154654a6fe12206a6b9ad6d8c36a4dbe672bcc46 selinux-python: Fix dependency for 
> ntpath
>   
>   project yocto-mainline/
>   ca2207f418b7847ffce4b8c53a5a442e5cf461d9 commands.py: fix typo

Hmm, good that same patches are already in master branch but I somehow got a
much older master branch state from remote 
git://git.yoctoproject.org/meta-selinux

commit a917c322c120c05fc6746fc9aca38c27398ffb4a
Author: Yi Zhao 
AuthorDate: Fri Apr 19 10:46:32 2019 +0800
Commit: Joe MacDonald 
CommitDate: Tue Apr 23 11:12:57 2019 -0400

Was also checking master-next there.

Based on time stamps in .git/modules/meta-selinux/refs/remotes/upstream/ my 
last fetch
was Aug 28 11:02 CET. Seems like the "libselinux: fix build with glibc 2.30"
was pushed to the server just after I had been checking for it:

commit 087fe5c8144c246c6361bd8bcbd1ffd9e9b675bb
Author: Yi Zhao 
AuthorDate: Fri Aug 9 17:48:00 2019 +0800
Commit: Joe MacDonald 
CommitDate: Wed Aug 28 10:26:52 2019 -0400

libselinux: fix build with glibc 2.30

Anyway, fixes are in and life continues :)

Thanks,

-Mikko

> -J.
> 
> [[yocto] [meta-selinux][PATCH 1/2] meson-selinux.bbclass: fix meson flags for 
> glib-2.0-native] On 19.08.28 (Wed 18:30) Mikko Rapeli wrote:
> 
> > With latest poky master, glib-2.0-native fails to compile:
> > 
> > | meson.build:1:0: ERROR: Value "false" for combo option is not one of the 
> > choices. Possible choices are: "enabled",
> >  "disabled", "auto".
> > 
> > Thus use enabled and disabled when enabling and disabling flags
> > with meson. Now glib-2.0-native compiles again.
> > 
> > Signed-off-by: Mikko Rapeli 
> > ---
> >  classes/meson-selinux.bbclass | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/classes/meson-selinux.bbclass b/classes/meson-selinux.bbclass
> > index 77a763a..91c2a2b 100644
> > --- a/classes/meson-selinux.bbclass
> > +++ b/classes/meson-selinux.bbclass
> > @@ -1,4 +1,4 @@
> >  inherit selinux
> >  
> >  PACKAGECONFIG_append = " ${@target_selinux(d)}"
> > -PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux,"
> > +PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux,"
> > -- 
> > 1.9.1
> > 
> 
> -- 
> -Joe MacDonald.
> :wq



[yocto] [meta-selinux] [PATCH] python-scapy: upgrade 2.4.2 -> 2.4.3

2019-08-28 Thread Yuan Chao
License file changed from bin/scapy to LICENSE

Signed-off-by: Yuan Chao 
---
 recipes-security/scapy/python-scapy.inc   | 4 ++--
 .../scapy/{python-scapy_2.4.2.bb => python-scapy_2.4.3.bb}| 0
 .../scapy/{python3-scapy_2.4.2.bb => python3-scapy_2.4.3.bb}  | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename recipes-security/scapy/{python-scapy_2.4.2.bb => python-scapy_2.4.3.bb} 
(100%)
 rename recipes-security/scapy/{python3-scapy_2.4.2.bb => 
python3-scapy_2.4.3.bb} (100%)

diff --git a/recipes-security/scapy/python-scapy.inc 
b/recipes-security/scapy/python-scapy.inc
index baa69b2..28e13f2 100644
--- a/recipes-security/scapy/python-scapy.inc
+++ b/recipes-security/scapy/python-scapy.inc
@@ -3,11 +3,11 @@ DESCRIPTION = "Scapy is a powerful interactive packet 
manipulation program. It i
 SECTION = "security"
 LICENSE = "GPLv2"
 
-LIC_FILES_CHKSUM = 
"file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 S = "${WORKDIR}/git"
 
-SRCREV = "bad14cb1a5aee29f8107fbe8ad008d4645f14da7"
+SRCREV = "3047580162a9407ef05fe981983cacfa698f1159"
 SRC_URI = "git://github.com/secdev/scapy.git"
 
 inherit ptest
diff --git a/recipes-security/scapy/python-scapy_2.4.2.bb 
b/recipes-security/scapy/python-scapy_2.4.3.bb
similarity index 100%
rename from recipes-security/scapy/python-scapy_2.4.2.bb
rename to recipes-security/scapy/python-scapy_2.4.3.bb
diff --git a/recipes-security/scapy/python3-scapy_2.4.2.bb 
b/recipes-security/scapy/python3-scapy_2.4.3.bb
similarity index 100%
rename from recipes-security/scapy/python3-scapy_2.4.2.bb
rename to recipes-security/scapy/python3-scapy_2.4.3.bb
-- 
2.17.1





Re: [yocto] [meta-selinux][PATCH 1/2] meson-selinux.bbclass: fix meson flags for glib-2.0-native

2019-08-28 Thread Joe MacDonald
Hi Mikko,

Is this specifically for warrior (or thud), maybe?  The following commit
explains the current logic:

commit bb0c9c3abcb935e4b362eb57985e1ee7fec0bfe0
Author: Yi Zhao 
Date:   Wed Jun 12 15:53:20 2019 +0800

glib-2.0: fix configure error for meson build

In glib 2.60.x, it turns selinux into a meson feature. We should use
'-Dselinux=enabled/disabled' rather than '-Dselinux=true/false' to
enable/disable the feature.

Add meso-enable-selinux.bbclass for this change and inherit it in
glib-2.0 bbappend to fix the configure error.

Signed-off-by: Yi Zhao 
Signed-off-by: Joe MacDonald 

and the second patch is already present in tree:

commit 087fe5c8144c246c6361bd8bcbd1ffd9e9b675bb
Author: Yi Zhao 
Date:   Fri Aug 9 17:48:00 2019 +0800

libselinux: fix build with glibc 2.30

Fix build error:
procattr.c:27:14: error: static declaration of 'gettid' follows
non-static declaration
   27 | static pid_t gettid(void)
  |  ^~
In file included from 
/buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/unistd.h:1170,
 from procattr.c:2:

/buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/bits/unistd_ext.h:34:16:
note: previous declaration of 'gettid' was here
   34 | extern __pid_t gettid (void) __THROW;
  |^~

Signed-off-by: Yi Zhao 
Signed-off-by: Joe MacDonald 

This is what my current work tree looks like, for reference:

  $ repo forall -p -c git log -1 --pretty=oneline
  project meta-openembedded/
  2ebaa8df1257389161d0bee9e553c28f63e52005 python3-pyatspi: Add Dbus ATSPI 
recipe
  
  project meta-selinux/
  154654a6fe12206a6b9ad6d8c36a4dbe672bcc46 selinux-python: Fix dependency for 
ntpath
  
  project yocto-mainline/
  ca2207f418b7847ffce4b8c53a5a442e5cf461d9 commands.py: fix typo

-J.

[[yocto] [meta-selinux][PATCH 1/2] meson-selinux.bbclass: fix meson flags for 
glib-2.0-native] On 19.08.28 (Wed 18:30) Mikko Rapeli wrote:

> With latest poky master, glib-2.0-native fails to compile:
> 
> | meson.build:1:0: ERROR: Value "false" for combo option is not one of the 
> choices. Possible choices are: "enabled",
>  "disabled", "auto".
> 
> Thus use enabled and disabled when enabling and disabling flags
> with meson. Now glib-2.0-native compiles again.
> 
> Signed-off-by: Mikko Rapeli 
> ---
>  classes/meson-selinux.bbclass | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/classes/meson-selinux.bbclass b/classes/meson-selinux.bbclass
> index 77a763a..91c2a2b 100644
> --- a/classes/meson-selinux.bbclass
> +++ b/classes/meson-selinux.bbclass
> @@ -1,4 +1,4 @@
>  inherit selinux
>  
>  PACKAGECONFIG_append = " ${@target_selinux(d)}"
> -PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux,"
> +PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux,"
> -- 
> 1.9.1
> 
> -- 
> ___
> yocto mailing list
> [email protected]
> https://lists.yoctoproject.org/listinfo/yocto

-- 
-Joe MacDonald.
:wq




[yocto] [meta-selinux][PATCH 1/2] meson-selinux.bbclass: fix meson flags for glib-2.0-native

2019-08-28 Thread Mikko Rapeli
With latest poky master, glib-2.0-native fails to compile:

| meson.build:1:0: ERROR: Value "false" for combo option is not one of the 
choices. Possible choices are: "enabled",
 "disabled", "auto".

Thus use enabled and disabled when enabling and disabling flags
with meson. Now glib-2.0-native compiles again.

Signed-off-by: Mikko Rapeli 
---
 classes/meson-selinux.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/classes/meson-selinux.bbclass b/classes/meson-selinux.bbclass
index 77a763a..91c2a2b 100644
--- a/classes/meson-selinux.bbclass
+++ b/classes/meson-selinux.bbclass
@@ -1,4 +1,4 @@
 inherit selinux
 
 PACKAGECONFIG_append = " ${@target_selinux(d)}"
-PACKAGECONFIG[selinux] = "-Dselinux=true,-Dselinux=false,libselinux,"
+PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux,"
-- 
1.9.1



[yocto] [meta-selinux][PATCH 2/2] libselinux: fix build with glibc-2.30 from poky

2019-08-28 Thread Mikko Rapeli
Fixes build error:

procattr.c:27:14: error: static declaration of 'gettid' follows non-static 
declaration
   27 | static pid_t gettid(void)
  |  ^~
In file included from 
/home/builder/src/base/build_mgu22/tmp/work/aarch64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/unistd.h:1170,
 from procattr.c:2:
/home/builder/src/base/build_mgu22/tmp/work/aarch64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/bits/unistd_ext.h:34:16:
 note: previous declaration of 'gettid' was here
   34 | extern __pid_t gettid (void) __THROW;
  |^~

Signed-off-by: Mikko Rapeli 
---
 ...Do-not-define-gettid-if-glibc-2.30-is-use.patch | 58 ++
 recipes-security/selinux/libselinux_2.8.bb |  1 +
 2 files changed, 59 insertions(+)
 create mode 100644 
recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch

diff --git 
a/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
 
b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
new file mode 100644
index 000..3105eab
--- /dev/null
+++ 
b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
@@ -0,0 +1,58 @@
+From 707e4b8610733b5c9eaac0f00239778f3edb23c2 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach 
+Date: Mon, 11 Mar 2019 16:00:41 +0100
+Subject: [PATCH] libselinux: Do not define gettid() if glibc >= 2.30 is used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since version 2.30 glibc implements gettid() system call wrapper, see
+https://sourceware.org/bugzilla/show_bug.cgi?id=6399
+
+Fixes:
+cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong 
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic 
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection 
-I../include -D_GNU_SOURCE  -DNO_ANDROID_BACKEND   -c -o procattr.o procattr.c
+procattr.c:28:14: error: static declaration of ???gettid??? follows non-static 
declaration
+   28 | static pid_t gettid(void)
+  |  ^~
+In file included from /usr/include/unistd.h:1170,
+ from procattr.c:2:
+/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of 
???gettid??? was here
+   34 | extern __pid_t gettid (void) __THROW;
+  |^~
+
+Signed-off-by: Petr Lautrbach 
+---
+ libselinux/src/procattr.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+Upstream-Status: Backport
+
+diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
+index 48dd8af..c6799ef 100644
+--- a/libselinux/src/procattr.c
 b/libselinux/src/procattr.c
+@@ -22,8 +22,19 @@ static pthread_key_t destructor_key;
+ static int destructor_key_initialized = 0;
+ static __thread char destructor_initialized;
+ 
+-#ifndef __BIONIC__
+-/* Bionic declares this in unistd.h and has a definition for it */
++/* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h 
and
++ * has a definition for it */
++#ifdef __BIONIC__
++  #define OVERRIDE_GETTID 0
++#elif !defined(__GLIBC_PREREQ)
++  #define OVERRIDE_GETTID 1
++#elif !__GLIBC_PREREQ(2,30)
++  #define OVERRIDE_GETTID 1
++#else
++  #define OVERRIDE_GETTID 0
++#endif
++
++#if OVERRIDE_GETTID
+ static pid_t gettid(void)
+ {
+   return syscall(__NR_gettid);
+-- 
+1.9.1
+
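Review bot: `Upstream-Status: Backport` sits below the embedded patch's `---` line and names no upstream commit, so the provenance of this backport is easy to lose when the patch is re-applied or refreshed. Move it into the header with the source, e.g. `Upstream-Status: Backport [https://github.com/SELinuxProject/selinux/commit/707e4b8610733b5c9eaac0f00239778f3edb23c2]`, and add the submitter's `Signed-off-by:` beneath it. The quoted compiler error in the embedded message also has its quote characters mangled to `???`. The C hunk inside the patch stops within gettid(), so the closing `#endif` is not visible here.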
diff --git a/recipes-security/selinux/libselinux_2.8.bb 
b/recipes-security/selinux/libselinux_2.8.bb
index 5de4607..cfa7a82 100644
--- a/recipes-security/selinux/libselinux_2.8.bb
+++ b/recipes-security/selinux/libselinux_2.8.bb
@@ -12,4 +12,5 @@ SRC_URI += "\
 file://libselinux-make-SOCK_CLOEXEC-optional.patch \
 file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
 file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
+
file://0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch;striplevel=2
 \
 "
-- 
1.9.1



[yocto] [meta-selinux][PATCH] selinux-init: use systemd (re)labelling

2019-08-23 Thread Mark Asselstine
Boot loops were being seen when booting with selinux enabled, when the
init system in use is systemd. Once logs were retrieved from the
failing system the error was found to be

selinux-init.sh[284]: /sbin/restorecon: Could not set context for 
/sys/fs/cgroup/cpuacct:  Read-only file system
selinux-init.sh[284]: /sbin/restorecon: Could not set context for 
/sys/fs/cgroup/cpu:  Read-only file system

Systemd mounts /sys/fs/cgroup read-only and the (re)labelling code
used by selinux-init.sh is unable to handle this. On top of this the
system is basically presenting two methods of (re)labelling; using the
built in systemd approach via selinux-autorelabel.service *and* the
code we have in selinux-init.sh. This can get confusing especially
given that most online resources will speak to the systemd approach
using selinux-autorelabel.service and /.autorelabel.

These changes leave the current approach in place when sysvinit is the
init system used, but if systemd is being used we make use of its
internal (re)labelling functionality. Overall the workflow remains the
same but we now avoid boot loops (systemd remounts /sys/fs/cgroup rw
during the (re)labelling procedure).

Signed-off-by: Mark Asselstine 
---
 .../selinux/selinux-init/selinux-init.sh   | 14 +-
 .../selinux/selinux-init/selinux-init.sh.sysvinit  | 14 ++
 recipes-security/selinux/selinux-init_0.1.bb   |  8 +---
 recipes-security/selinux/selinux-initsh.inc|  8 
 4 files changed, 28 insertions(+), 16 deletions(-)
 create mode 100644 
recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit

diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh 
b/recipes-security/selinux/selinux-init/selinux-init.sh
index ead4f00..f93d231 100644
--- a/recipes-security/selinux/selinux-init/selinux-init.sh
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh
@@ -33,18 +33,6 @@ check_rootfs()
/sbin/shutdown -f -h now
 }
 
-# If first booting, the security context type of init would be
-# "kernel_t", and the whole file system should be relabeled.
-if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
-   echo "Checking SELinux security contexts:"
-   check_rootfs
-   echo " * First booting, filesystem will be relabeled..."
-   test -x /etc/init.d/auditd && /etc/init.d/auditd start
-   ${SETENFORCE} 0
-   ${RESTORECON} -RF /
-   ${RESTORECON} -F /
-   echo " * Relabel done, rebooting the system."
-   /sbin/reboot
-fi
+# sysvinit firstboot relabel placeholder HERE
 
 exit 0
diff --git a/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit 
b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
new file mode 100644
index 000..d4f3f71
--- /dev/null
+++ b/recipes-security/selinux/selinux-init/selinux-init.sh.sysvinit
@@ -0,0 +1,14 @@
+# Contents will be added to selinux-init.sh to support relabelling with 
sysvinit
+# If first booting, the security context type of init would be
+# "kernel_t", and the whole file system should be relabeled.
+if [ "`${SECON} -t --pid 1`" = "kernel_t" ]; then
+   echo "Checking SELinux security contexts:"
+   check_rootfs
+   echo " * First booting, filesystem will be relabeled..."
+   test -x /etc/init.d/auditd && /etc/init.d/auditd start
+   ${SETENFORCE} 0
+   ${RESTORECON} -RF /
+   ${RESTORECON} -F /
+   echo " * Relabel done, rebooting the system."
+   /sbin/reboot
+fi
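Review bot: Neither `${RESTORECON}` call has its exit status checked before `/sbin/reboot`, and by then the block has already switched to permissive with `${SETENFORCE} 0`, so a partial relabel reboots without leaving any trace. The log in the commit message shows restorecon failing in this way on read-only mounts. The block is moved unchanged from selinux-init.sh, so this is a follow-up rather than a regression. A minimal guard would be `${RESTORECON} -RF / || echo " * Relabel reported errors, check labels before enforcing"`; whether to stop instead of rebooting is a policy decision for the layer.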
diff --git a/recipes-security/selinux/selinux-init_0.1.bb 
b/recipes-security/selinux/selinux-init_0.1.bb
index 38b5900..78f571c 100644
--- a/recipes-security/selinux/selinux-init_0.1.bb
+++ b/recipes-security/selinux/selinux-init_0.1.bb
@@ -14,9 +14,11 @@ ${PN}_RDEPENDS = " \
 policycoreutils-setfiles \
 "
 
-SRC_URI = "file://${BPN}.sh \
-   file://${BPN}.service \
-   "
+SRC_URI = " \
+file://${BPN}.sh \
+file://${BPN}.sh.sysvinit \
+file://${BPN}.service \
+"
 
 INITSCRIPT_PARAMS = "start 01 S ."
 
diff --git a/recipes-security/selinux/selinux-initsh.inc 
b/recipes-security/selinux/selinux-initsh.inc
index bcdd449..8e31cda 100644
--- a/recipes-security/selinux/selinux-initsh.inc
+++ b/recipes-security/selinux/selinux-initsh.inc
@@ -17,9 +17,15 @@ inherit update-rc.d systemd
 
 SYSTEMD_SERVICE_${PN} = "${SELINUX_SCRIPT_SRC}.service"
 
+FILES_${PN} += "/.autorelabel"
+
 do_install () {
install -d ${D}${sysconfdir}/init.d/
install -m 0755 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh 
${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
+   # Insert the relabelling code which is only needed with sysvinit
+   sed -i -e '/HERE/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' \
+  -e '/.*HERE$/d' -e '/.*Contents.*sysvinit/d' \
+  ${D}${sysconfdir}/init.d/${SELINUX_SCRIPT_DST}
 
install -d ${D}${systemd_unitdir}/system
install -m 0644 ${WORKDIR}/${SELINUX_SCRIPT_SRC}.service 
${D}${systemd_unitdir}/system
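Review bot: The third sed expression, `-e '/.*Contents.*sysvinit/d'`, cannot strip the header comment of the inserted file, because text queued by `r` is written straight to the output and never passes through later commands; the "Contents will be added" line therefore stays in the installed init script. The `r` address `/HERE/` is also unanchored and fires on any line containing that word. Anchoring both to the full placeholder, `-e '/^# sysvinit firstboot relabel placeholder HERE$/r ${WORKDIR}/${SELINUX_SCRIPT_SRC}.sh.sysvinit' -e '/^# sysvinit firstboot relabel placeholder HERE$/d'`, and dropping the header line from the .sysvinit file itself, makes the generated root-run script predictable. The visible lines apply the insertion unconditionally; do_install continues past this hunk and the next hunk is cut off, so whether systemd-only images skip it cannot be confirmed here.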
@@ -27,6 +33,8 @@ do

[yocto] [meta-selinux][PATCH] selinux-sandbox: add runtime dependency on python-core

2019-08-22 Thread Yi Zhao
Fixes:
ERROR: QA Issue: /usr/share/sandbox/start contained in package selinux-sandbox 
requires /usr/bin/python,
but no providers found in RDEPENDS_selinux-sandbox?  [file-rdeps]

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-sandbox.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-security/selinux/selinux-sandbox.inc 
b/recipes-security/selinux/selinux-sandbox.inc
index 8616dd7..854640c 100644
--- a/recipes-security/selinux/selinux-sandbox.inc
+++ b/recipes-security/selinux/selinux-sandbox.inc
@@ -13,6 +13,7 @@ SRC_URI += "file://sandbox-de-bashify.patch \
 DEPENDS += "libcap-ng libselinux"
 
 RDEPENDS_${PN} += "\
+python-core \
 python-math \
 python-shell \
 python-subprocess \
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/2] selinux-python: add python-core as runtime dependency

2019-08-22 Thread Yi Zhao
Fix QA issues:
QA Issue: /usr/lib64/python2.7/site-packages/seobject.py contained in package 
selinux-python requires /usr/bin/python,
   but no providers found in RDEPENDS_selinux-python? [file-rdeps]
QA Issue: /usr/bin/audit2allow contained in package selinux-python-audit2allow 
requires /usr/bin/python,
   but no providers found in RDEPENDS_selinux-python-audit2allow? [file-rdeps]
QA Issue: /usr/bin/chcat contained in package selinux-python-chcat requires 
/usr/bin/python,
   but no providers found in RDEPENDS_selinux-python-chcat? [file-rdeps]

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/selinux-python.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-security/selinux/selinux-python.inc 
b/recipes-security/selinux/selinux-python.inc
index c774de4..57042ab 100644
--- a/recipes-security/selinux/selinux-python.inc
+++ b/recipes-security/selinux/selinux-python.inc
@@ -15,11 +15,13 @@ inherit python-dir
 
 DEPENDS += "python-native libsepol"
 RDEPENDS_${BPN}-audit2allow += "\
+python-core \
 python-textutils \
 libselinux-python \
 ${BPN}-sepolgen \
 "
 RDEPENDS_${BPN}-chcat += "\
+python-core \
 python-codecs \
 python-shell \
 python-stringold \
@@ -28,6 +30,7 @@ RDEPENDS_${BPN}-chcat += "\
 ${BPN} \
 "
 RDEPENDS_${BPN} += "\
+python-core \
 python-codecs \
 python-io \
 python-ipy \
-- 
2.7.4



[yocto] [meta-selinux][PATCH 2/2 V2] setools: do not use unstable github archive tarballs

2019-08-22 Thread Yi Zhao
From: Hongxu Jia 

Since commit [21f84fc insane: add sanity checks to SRC_URI] applied
in oe-core, do not use unstable github archive tarballs

SETools has moved from https://github.com/TresysTechnology/setools to
https://github.com/SELinuxProject/setools
See: https://github.com/TresysTechnology/setools/wiki

Signed-off-by: Hongxu Jia 
Signed-off-by: Yi Zhao 
---
 recipes-security/setools/setools_4.1.1.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-security/setools/setools_4.1.1.bb 
b/recipes-security/setools/setools_4.1.1.bb
index c5a2d34..db529f4 100644
--- a/recipes-security/setools/setools_4.1.1.bb
+++ b/recipes-security/setools/setools_4.1.1.bb
@@ -8,14 +8,14 @@ SETools."
 SECTION = "base"
 LICENSE = "GPLv2 & LGPLv2.1"
 
-SRC_URI = 
"https://github.com/TresysTechnology/setools/archive/${PV}.tar.gz;downloadfilename=setools-${PV}.tar.gz
 \
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.1 \
file://setools4-fixes-for-cross-compiling.patch \
file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \
file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \
 "
 
-SRC_URI[md5sum] = "54cf5c0ca2aa4ef7c6ac153981af34cd"
-SRC_URI[sha256sum] = 
"46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610"
+SRCREV = "e03617eb7ab5a035633bff66500b95d25232e331"
 
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \
 
file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
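Review bot: The new `git://` SRC_URI carries no `protocol=` parameter, so the fetch can go over the unauthenticated git protocol, and with the `SRC_URI[sha256sum]` lines removed `SRCREV` is the only integrity pin left. Adding the parameter keeps the transport authenticated: `SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.1;protocol=https \`. The SRC_URI change in audit_2.8.5.bb ("audit: use git fetcher instead of the tarball source") has the same form. The description should also state that the SRCREV is the 4.1.1 release commit, since the recipe keeps PV 4.1.1 and the hunk alone does not show that.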
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/1] mcstrans: specify SBINDIR

2019-08-20 Thread Joe Slater
We need SBINDIR to be compatible with the usrmerge distro feature.
The update to version 2.8 (commit c55c0aca...) removed the definition,
perhaps because the "${D}/" prefix broke the build.

Signed-off-by: Joe Slater 
---
 recipes-security/selinux/mcstrans.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-security/selinux/mcstrans.inc 
b/recipes-security/selinux/mcstrans.inc
index 2568c8d..e66633d 100644
--- a/recipes-security/selinux/mcstrans.inc
+++ b/recipes-security/selinux/mcstrans.inc
@@ -14,6 +14,9 @@ inherit systemd update-rc.d
 
 DEPENDS += "libsepol libselinux libcap"
 
+# We do not need "${D}/" as a prefix anymore.
+EXTRA_OEMAKE += "SBINDIR=${base_sbindir}"
+
 do_install_append() {
 install -d ${D}${sbindir}
 install -m 755 utils/untranscon ${D}${sbindir}/
-- 
2.7.4



[yocto] [meta-selinux][PATCH] libselinux: fix build with glibc 2.30

2019-08-09 Thread Yi Zhao
Fix build error:
procattr.c:27:14: error: static declaration of 'gettid' follows
non-static declaration
   27 | static pid_t gettid(void)
  |  ^~
In file included from 
/buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/unistd.h:1170,
 from procattr.c:2:
/buildarea/build/tmp/work/core2-64-poky-linux/libselinux/2.8-r0/recipe-sysroot/usr/include/bits/unistd_ext.h:34:16:
note: previous declaration of 'gettid' was here
   34 | extern __pid_t gettid (void) __THROW;
  |^~

Signed-off-by: Yi Zhao 
---
 ...Do-not-define-gettid-if-glibc-2.30-is-use.patch | 60 ++
 recipes-security/selinux/libselinux_2.8.bb |  1 +
 2 files changed, 61 insertions(+)
 create mode 100644 
recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch

diff --git 
a/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
 
b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
new file mode 100644
index 000..fc3e37e
--- /dev/null
+++ 
b/recipes-security/selinux/libselinux/0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch
@@ -0,0 +1,60 @@
+From 2c672b4cc39fbddb6faec2c7434832058f339d59 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach 
+Date: Mon, 11 Mar 2019 16:00:41 +0100
+Subject: [PATCH] libselinux: Do not define gettid() if glibc >= 2.30 is used
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Since version 2.30 glibc implements gettid() system call wrapper, see
+https://sourceware.org/bugzilla/show_bug.cgi?id=6399
+
+Fixes:
+cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong 
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic 
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection 
-I../include -D_GNU_SOURCE  -DNO_ANDROID_BACKEND   -c -o procattr.o procattr.c
+procattr.c:28:14: error: static declaration of ‘gettid’ follows non-static 
declaration
+   28 | static pid_t gettid(void)
+  |  ^~
+In file included from /usr/include/unistd.h:1170,
+ from procattr.c:2:
+/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ 
was here
+   34 | extern __pid_t gettid (void) __THROW;
+  |^~
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/selinux/commit/707e4b8610733b5c9eaac0f00239778f3edb23c2]
+
+Signed-off-by: Petr Lautrbach 
+Signed-off-by: Yi Zhao 
+---
+ src/procattr.c | 15 +--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/src/procattr.c b/src/procattr.c
+index 8bf8432..3c7b87f 100644
+--- a/src/procattr.c
 b/src/procattr.c
+@@ -22,8 +22,19 @@ static pthread_key_t destructor_key;
+ static int destructor_key_initialized = 0;
+ static __thread char destructor_initialized;
+ 
+-#ifndef __BIONIC__
+-/* Bionic declares this in unistd.h and has a definition for it */
++/* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h 
and
++ * has a definition for it */
++#ifdef __BIONIC__
++  #define OVERRIDE_GETTID 0
++#elif !defined(__GLIBC_PREREQ)
++  #define OVERRIDE_GETTID 1
++#elif !__GLIBC_PREREQ(2,30)
++  #define OVERRIDE_GETTID 1
++#else
++  #define OVERRIDE_GETTID 0
++#endif
++
++#if OVERRIDE_GETTID
+ static pid_t gettid(void)
+ {
+   return syscall(__NR_gettid);
+-- 
+2.7.4
+
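Review bot: `OVERRIDE_GETTID` falls back to 1 whenever `__GLIBC_PREREQ` is undefined, so on a non-glibc C library that declares its own gettid() in unistd.h the same "static declaration follows non-static" error would come back. Whether that affects a supported configuration (a musl build, for example) cannot be told from the hunk. A fallback that cannot collide avoids the version test altogether: give the local wrapper its own name, e.g. `static pid_t selinux_gettid(void)`, and call that instead. The callers and the closing `#endif` are outside the hunk, and since this is a backport the change belongs upstream first. The identical block in the 2019-08-28 posting of this fix is affected the same way.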
diff --git a/recipes-security/selinux/libselinux_2.8.bb 
b/recipes-security/selinux/libselinux_2.8.bb
index 5de4607..7545967 100644
--- a/recipes-security/selinux/libselinux_2.8.bb
+++ b/recipes-security/selinux/libselinux_2.8.bb
@@ -12,4 +12,5 @@ SRC_URI += "\
 file://libselinux-make-SOCK_CLOEXEC-optional.patch \
 file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
 file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
+file://0001-libselinux-Do-not-define-gettid-if-glibc-2.30-is-use.patch 
\
 "
-- 
2.7.4



[yocto] [meta-selinux][PATCH v2 1/2] audit: upgrade 2.8.4 -> 2.8.5

2019-07-05 Thread mingli.yu
From: Yi Zhao 

* Drop backport patch:
  0001-Remove-strdupa-as-suggested-in-pull-request-25.patch

* Refresh all patches.

Signed-off-by: Yi Zhao 
---
 ...e-strdupa-as-suggested-in-pull-request-25.patch | 47 --
 ...bstitue-functions-for-strndupa-rawmemchr.patch} | 23 +--
 .../audit/audit/audit-python-configure.patch   | 10 ++---
 recipes-security/audit/audit/audit-python.patch|  8 ++--
 recipes-security/audit/audit/auditd|  2 +-
 .../audit/audit/fix-swig-host-contamination.patch  | 22 +-
 .../audit/{audit_2.8.4.bb => audit_2.8.5.bb}   |  7 ++--
 7 files changed, 35 insertions(+), 84 deletions(-)
 delete mode 100644 
recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
 rename 
recipes-security/audit/audit/{0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
 => Add-substitue-functions-for-strndupa-rawmemchr.patch} (88%)
 rename recipes-security/audit/{audit_2.8.4.bb => audit_2.8.5.bb} (92%)

diff --git 
a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
 
b/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
deleted file mode 100644
index 38029aa..000
--- 
a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From a1782b58b687b74249dc8b2411a3f646b821ebd6 Mon Sep 17 00:00:00 2001
-From: Steve Grubb 
-Date: Thu, 4 Oct 2018 08:45:47 -0400
-Subject: [PATCH] Remove strdupa as suggested in pull request #25
-

- src/auditd.c | 11 ++-
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-Origin: 
https://github.com/linux-audit/audit-userspace/commit/a1782b58b687b74249dc8b2411a3f646b821ebd6
-Applied-Upstream: yes
-
-diff --git a/src/auditd.c b/src/auditd.c
-index b0952db..c826ec0 100644
 a/src/auditd.c
-+++ b/src/auditd.c
-@@ -209,21 +209,22 @@ static void cont_handler(struct ev_loop *loop, struct 
ev_signal *sig,
- 
- static int extract_type(const char *str)
- {
--  const char *tptr, *ptr2, *ptr = str;
-+  const char *ptr2, *ptr = str;
-   if (*str == 'n') {
-   ptr = strchr(str+1, ' ');
-   if (ptr == NULL)
-   return -1; // Malformed - bomb out
-   ptr++;
-   }
-+
-   // ptr should be at 't'
-   ptr2 = strchr(ptr, ' ');
--  // get type=xxx in a buffer
--  tptr = strndupa(ptr, ptr2 - ptr);
-+
-   // find =
--  str = strchr(tptr, '=');
--  if (str == NULL)
-+  str = strchr(ptr, '=');
-+  if (str == NULL || str >= ptr2)
-   return -1; // Malformed - bomb out
-+
-   // name is 1 past
-   str++;
-   return audit_name_to_msg_type(str);
--- 
-2.20.1
-
diff --git 
a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
 
b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
similarity index 88%
rename from 
recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
rename to 
recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
index c948aa3..bb6c61e 100644
--- 
a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
+++ 
b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
@@ -1,12 +1,11 @@
-From 5346b6af0ca67a2965ca5846ae150f3021a2aa17 Mon Sep 17 00:00:00 2001
+From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001
 From: Steve Grubb 
 Date: Tue, 26 Feb 2019 18:33:33 -0500
 Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
 
+Upstream-Status: Backport
+[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e]
 ---
-Origin: 
https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e
-Applied-Upstream: yes
-
  auparse/auparse.c   | 12 +++-
  auparse/interpret.c |  9 -
  configure.ac| 14 +-
@@ -14,7 +13,7 @@ Applied-Upstream: yes
  4 files changed, 43 insertions(+), 4 deletions(-)
 
 diff --git a/auparse/auparse.c b/auparse/auparse.c
-index f84712e..3764046 100644
+index 650db02..2e1c737 100644
 --- a/auparse/auparse.c
 +++ b/auparse/auparse.c
 @@ -1,5 +1,5 @@
@@ -24,7 +23,7 @@ index f84712e..3764046 100644
   * All Rights Reserved.
   *
   * This library is free software; you can redistribute it and/or
-@@ -1100,6 +1100,16 @@ static int str2event(char *s, au_event_t *e)
+@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e)
return 0;
  }
  
@@ -42,7 +41,7 @@ index f84712e..3764046 100644
  static int extract_timestamp(const char *b, au_event_t *e)
  {
 diff --git a/auparse/interpret.c b/auparse/interpret.c
-index 1846f9d..8540bd1 100644
+index 51c4a5e..67b7b77 100644
 --- a/auparse/interpret.c
 +++ b/auparse/interpret.c
 @@ -853,6 +853,13 @@ err_out:
@@ -69,7 +68,7 @@ index 1846f9d..8540bd

[yocto] [meta-selinux][PATCH 2/2] audit: use git fetcher instead of the tarball source

2019-07-05 Thread mingli.yu
From: Mingli Yu 

Per http://people.redhat.com/sgrubb/audit/, the
tarball source moves to https://github.com/linux-audit/audit-userspace,
and since commit [21f84fc insane: add sanity checks to SRC_URI]
applied in oe-core, do not use unstable github archive
tarballs, so use git instead.

Signed-off-by: Mingli Yu 
---
 recipes-security/audit/audit_2.8.5.bb | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/recipes-security/audit/audit_2.8.5.bb 
b/recipes-security/audit/audit_2.8.5.bb
index bd09873..d3b9b51 100644
--- a/recipes-security/audit/audit_2.8.5.bb
+++ b/recipes-security/audit/audit_2.8.5.bb
@@ -7,7 +7,7 @@ SECTION = "base"
 LICENSE = "GPLv2+ & LGPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
 
-SRC_URI = "http://people.redhat.com/sgrubb/${BPN}/${BPN}-${PV}.tar.gz \
+SRC_URI = 
"git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \
file://audit-python-configure.patch \
file://audit-python.patch \
file://fix-swig-host-contamination.patch \
@@ -16,8 +16,9 @@ SRC_URI = 
"http://people.redhat.com/sgrubb/${BPN}/${BPN}-${PV}.tar.gz \
file://auditd.service \
file://audit-volatile.conf \
 "
-SRC_URI[md5sum] = "9455e5773670afdbccaeb92681b2e97d"
-SRC_URI[sha256sum] = 
"0e5d4103646e00f8d1981e1cd2faea7a2ae28e854c31a803e907a383c5e2ecb7"
+
+S = "${WORKDIR}/git"
+SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c"
 
 inherit autotools pythonnative update-rc.d systemd
 
-- 
2.7.4



[yocto] [meta-selinux][PATCH] audit: upgrade 2.8.4 -> 2.8.5

2019-06-25 Thread Yi Zhao
* Drop backport patch:
  0001-Remove-strdupa-as-suggested-in-pull-request-25.patch

* Refresh all patches.

Signed-off-by: Yi Zhao 
---
 ...e-strdupa-as-suggested-in-pull-request-25.patch | 47 --
 ...bstitue-functions-for-strndupa-rawmemchr.patch} | 23 +--
 .../audit/audit/audit-python-configure.patch   | 10 ++---
 recipes-security/audit/audit/audit-python.patch|  8 ++--
 recipes-security/audit/audit/auditd|  2 +-
 .../audit/audit/fix-swig-host-contamination.patch  | 22 +-
 .../audit/{audit_2.8.4.bb => audit_2.8.5.bb}   |  7 ++--
 7 files changed, 35 insertions(+), 84 deletions(-)
 delete mode 100644 
recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
 rename 
recipes-security/audit/audit/{0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
 => Add-substitue-functions-for-strndupa-rawmemchr.patch} (88%)
 rename recipes-security/audit/{audit_2.8.4.bb => audit_2.8.5.bb} (92%)

diff --git 
a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
 
b/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
deleted file mode 100644
index 38029aa..000
--- 
a/recipes-security/audit/audit/0001-Remove-strdupa-as-suggested-in-pull-request-25.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From a1782b58b687b74249dc8b2411a3f646b821ebd6 Mon Sep 17 00:00:00 2001
-From: Steve Grubb 
-Date: Thu, 4 Oct 2018 08:45:47 -0400
-Subject: [PATCH] Remove strdupa as suggested in pull request #25
-

- src/auditd.c | 11 ++-
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-Origin: 
https://github.com/linux-audit/audit-userspace/commit/a1782b58b687b74249dc8b2411a3f646b821ebd6
-Applied-Upstream: yes
-
-diff --git a/src/auditd.c b/src/auditd.c
-index b0952db..c826ec0 100644
 a/src/auditd.c
-+++ b/src/auditd.c
-@@ -209,21 +209,22 @@ static void cont_handler(struct ev_loop *loop, struct 
ev_signal *sig,
- 
- static int extract_type(const char *str)
- {
--  const char *tptr, *ptr2, *ptr = str;
-+  const char *ptr2, *ptr = str;
-   if (*str == 'n') {
-   ptr = strchr(str+1, ' ');
-   if (ptr == NULL)
-   return -1; // Malformed - bomb out
-   ptr++;
-   }
-+
-   // ptr should be at 't'
-   ptr2 = strchr(ptr, ' ');
--  // get type=xxx in a buffer
--  tptr = strndupa(ptr, ptr2 - ptr);
-+
-   // find =
--  str = strchr(tptr, '=');
--  if (str == NULL)
-+  str = strchr(ptr, '=');
-+  if (str == NULL || str >= ptr2)
-   return -1; // Malformed - bomb out
-+
-   // name is 1 past
-   str++;
-   return audit_name_to_msg_type(str);
--- 
-2.20.1
-
diff --git 
a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
 
b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
similarity index 88%
rename from 
recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
rename to 
recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
index c948aa3..bb6c61e 100644
--- 
a/recipes-security/audit/audit/0002-Add-substitue-functions-for-strndupa-rawmemchr.patch
+++ 
b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
@@ -1,12 +1,11 @@
-From 5346b6af0ca67a2965ca5846ae150f3021a2aa17 Mon Sep 17 00:00:00 2001
+From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001
 From: Steve Grubb 
 Date: Tue, 26 Feb 2019 18:33:33 -0500
 Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
 
+Upstream-Status: Backport
+[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e]
 ---
-Origin: 
https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e
-Applied-Upstream: yes
-
  auparse/auparse.c   | 12 +++-
  auparse/interpret.c |  9 -
  configure.ac| 14 +-
@@ -14,7 +13,7 @@ Applied-Upstream: yes
  4 files changed, 43 insertions(+), 4 deletions(-)
 
 diff --git a/auparse/auparse.c b/auparse/auparse.c
-index f84712e..3764046 100644
+index 650db02..2e1c737 100644
 --- a/auparse/auparse.c
 +++ b/auparse/auparse.c
 @@ -1,5 +1,5 @@
@@ -24,7 +23,7 @@ index f84712e..3764046 100644
   * All Rights Reserved.
   *
   * This library is free software; you can redistribute it and/or
-@@ -1100,6 +1100,16 @@ static int str2event(char *s, au_event_t *e)
+@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e)
return 0;
  }
  
@@ -42,7 +41,7 @@ index f84712e..3764046 100644
  static int extract_timestamp(const char *b, au_event_t *e)
  {
 diff --git a/auparse/interpret.c b/auparse/interpret.c
-index 1846f9d..8540bd1 100644
+index 51c4a5e..67b7b77 100644
 --- a/auparse/interpret.c
 +++ b/auparse/interpret.c
 @@ -853,6 +853,13 @@ err_out:
@@ -69,7 +68,7 @@ index 1846f9d..8540bd1 100644
   

Re: [yocto] [meta-selinux][PATCH] glib-2.0: fix configure error for meson build

2019-06-12 Thread Yi Zhao


On 6/12/19 6:03 PM, Alexander Kanavin wrote:
On Wed, 12 Jun 2019 at 09:54, Yi Zhao > wrote:


+PACKAGECONFIG[selinux] =
"-Dselinux=enabled,-Dselinux=disabled,libselinux,"


This line should probably go into the oe-core recipe? It is fine to 
have options that depend on things absent in oe-core, as long as those 
options are disabled by default.



Thanks. I will test it and send a patch to oe-core


//Yi



Alex


Re: [yocto] [meta-selinux][PATCH] glib-2.0: fix configure error for meson build

2019-06-12 Thread Alexander Kanavin
On Wed, 12 Jun 2019 at 09:54, Yi Zhao  wrote:

> +PACKAGECONFIG[selinux] =
> "-Dselinux=enabled,-Dselinux=disabled,libselinux,"
>

This line should probably go into the oe-core recipe? It is fine to have
options that depend on things absent in oe-core, as long as those options
are disabled by default.

Alex


[yocto] [meta-selinux][PATCH] glib-2.0: fix configure error for meson build

2019-06-12 Thread Yi Zhao
In glib 2.60.x, it turns selinux into a meson feature. We should use
'-Dselinux=enabled/disabled' rather than '-Dselinux=true/false' to
enable/disable the feature.

Add meson-enable-selinux.bbclass for this change and inherit it in
glib-2.0 bbappend to fix the configure error.

Signed-off-by: Yi Zhao 
---
 classes/meson-enable-selinux.bbclass  | 4 
 recipes-core/glib-2.0/glib-2.0_%.bbappend | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 classes/meson-enable-selinux.bbclass

diff --git a/classes/meson-enable-selinux.bbclass 
b/classes/meson-enable-selinux.bbclass
new file mode 100644
index 000..91c2a2b
--- /dev/null
+++ b/classes/meson-enable-selinux.bbclass
@@ -0,0 +1,4 @@
+inherit selinux
+
+PACKAGECONFIG_append = " ${@target_selinux(d)}"
+PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux,"
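Review bot: The new class has no header comment saying how it differs from the existing `meson-selinux` class that the bbappend below stops inheriting, so a maintainer has to read the commit log to learn which of the two a recipe needs. A short comment at the top would do, e.g. `# For meson projects whose selinux option is a feature (enabled/disabled) rather than a boolean (true/false), such as glib 2.60.x.` The class also appends to `PACKAGECONFIG` on every inherit and relies on `target_selinux(d)` to expand to nothing when SELinux is off. That helper is defined outside this patch, so its behaviour is worth confirming.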
diff --git a/recipes-core/glib-2.0/glib-2.0_%.bbappend 
b/recipes-core/glib-2.0/glib-2.0_%.bbappend
index e5d2f6f..39a0a3a 100644
--- a/recipes-core/glib-2.0/glib-2.0_%.bbappend
+++ b/recipes-core/glib-2.0/glib-2.0_%.bbappend
@@ -1 +1 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-selinux', 
'', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 
'meson-enable-selinux', '', d)}
-- 
2.7.4



[yocto] [meta-selinux][PATCH] setools: do not use unstable github archive tarballs

2019-05-26 Thread Hongxu Jia
Since commit [21f84fc insane: add sanity checks to SRC_URI] was applied
in oe-core, do not use unstable github archive tarballs.

Signed-off-by: Hongxu Jia 
---
 recipes-security/setools/setools_4.1.1.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-security/setools/setools_4.1.1.bb 
b/recipes-security/setools/setools_4.1.1.bb
index c5a2d34..8bdbfba 100644
--- a/recipes-security/setools/setools_4.1.1.bb
+++ b/recipes-security/setools/setools_4.1.1.bb
@@ -8,14 +8,14 @@ SETools."
 SECTION = "base"
 LICENSE = "GPLv2 & LGPLv2.1"
 
-SRC_URI = 
"https://github.com/TresysTechnology/setools/archive/${PV}.tar.gz;downloadfilename=setools-${PV}.tar.gz
 \
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/TresysTechnology/${BPN}.git;branch=4.1 \
file://setools4-fixes-for-cross-compiling.patch \
file://setools4-fix-cross-compiling-errors-for-powerpc-mips.patch \
file://Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch \
 "
 
-SRC_URI[md5sum] = "54cf5c0ca2aa4ef7c6ac153981af34cd"
-SRC_URI[sha256sum] = 
"46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610"
+SRCREV = "e03617eb7ab5a035633bff66500b95d25232e331"
 
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \
 
file://${S}/COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
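Review bot: The new `SRC_URI` uses `git://github.com/TresysTechnology/${BPN}.git;branch=4.1` with no `protocol=` parameter, so the fetch runs over the plain git transport, which provides neither server authentication nor encryption. The full-length `SRCREV` pins the content and limits what an on-path party can change, but an authenticated transport costs nothing here: `SRC_URI = "git://github.com/TresysTechnology/${BPN}.git;protocol=https;branch=4.1 \`. The audit recipe's `git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance` entry earlier in this archive has the same form.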
-- 
2.7.4



[yocto] [meta-selinux][PATCH 2/3] findutils: drop obsolete patch

2019-05-19 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 .../findutils-4.2.31/findutils-selinux.patch   | 499 -
 1 file changed, 499 deletions(-)
 delete mode 100644 
recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch

diff --git 
a/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch 
b/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch
deleted file mode 100644
index 73a9747..000
--- a/recipes-extended/findutils/findutils-4.2.31/findutils-selinux.patch
+++ /dev/null
@@ -1,499 +0,0 @@
-From: Xin Ouyang 
-Date: Thu, 21 Jun 2012 17:01:39 +0800
-Subject: [PATCH] findutils: support selinux.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Xin Ouyang 

- configure.in |   10 +
- doc/find.texi|   12 +++
- find/Makefile.am |2 +-
- find/defs.h  |   15 -
- find/find.1  |4 ++
- find/find.c  |   97 +-
- find/parser.c|   50 ++--
- find/pred.c  |   53 +
- find/util.c  |3 ++
- 9 files changed, 240 insertions(+), 6 deletions(-)
-
-diff --git a/configure.in b/configure.in
-index 6a20f15..00dd7f8 100644
 a/configure.in
-+++ b/configure.in
-@@ -101,6 +101,16 @@ dnl C library, try -lsun.
- AC_CHECK_FUNC(getpwnam, [],
- [AC_CHECK_LIB(sun, getpwnam)])
- 
-+AC_ARG_WITH([selinux],
-+   AS_HELP_STRING([--without-selinux], [disable SELinux support]),
-+   [:],
-+[AC_CHECK_LIB([selinux], [is_selinux_enabled],
-+ [with_selinux=yes], [with_selinux=no])])
-+if test x$with_selinux != xno; then
-+   AC_DEFINE([WITH_SELINUX], [1], [Define to support SELinux])
-+   AC_SUBST([LIBSELINUX], [-lselinux])
-+fi
-+
- dnl Checks for header files.
- AC_HEADER_STDC
- dnl Assume unistd.h is present - coreutils does too.
-diff --git a/doc/find.texi b/doc/find.texi
-index 5b5f0cf..e1ad433 100644
 a/doc/find.texi
-+++ b/doc/find.texi
-@@ -1091,6 +1091,14 @@ will probably be made in early 2006.
- 
- @end deffn
- 
-+@deffn Test -context pattern
-+True if file's SELinux context matches the pattern @var{pattern}.
-+The pattern uses shell glob matching.
-+
-+This predicate is supported only on @code{find} versions compiled with
-+SELinux support and only when SELinux is enabled.
-+@end deffn
-+
- @node Contents
- @section Contents
- 
-@@ -1599,6 +1607,10 @@ semantics, you will see a difference between the mode 
as printed by
- @item %M
- File's permissions (in symbolic form, as for @code{ls}).  This
- directive is supported in findutils 4.2.5 and later.
-+
-+@item %Z
-+File's SELinux context, or empty string if the file has no SELinux context
-+or this version of find does not support SELinux.
- @end table
- 
- @node Size Directives
-diff --git a/find/Makefile.am b/find/Makefile.am
-index 8e71a32..405955a 100644
 a/find/Makefile.am
-+++ b/find/Makefile.am
-@@ -6,7 +6,7 @@ bin_PROGRAMS = find
- find_SOURCES = find.c fstype.c parser.c pred.c tree.c util.c version.c
- EXTRA_DIST = defs.h $(man_MANS)
- INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib 
-I../intl -DLOCALEDIR=\"$(localedir)\"
--LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@
-+LDADD = ../lib/libfind.a ../gnulib/lib/libgnulib.a @INTLLIBS@ @LIBSELINUX@
- man_MANS = find.1
- SUBDIRS = testsuite
- 
-diff --git a/find/defs.h b/find/defs.h
-index 9369c9a..8a8cf28 100644
 a/find/defs.h
-+++ b/find/defs.h
-@@ -131,6 +131,10 @@ int get_statinfo PARAMS((const char *pathname, const char 
*name, struct stat *p)
- #define MODE_RWX  (S_IXUSR | S_IXGRP | S_IXOTH | MODE_RW)
- #define MODE_ALL  (S_ISUID | S_ISGID | S_ISVTX | MODE_RWX)
- 
-+#ifdef WITH_SELINUX
-+#include 
-+#endif
-+
- #if 1
- #include 
- typedef bool boolean;
-@@ -320,6 +324,9 @@ struct predicate
- struct dir_id   fileid;   /* samefile */
- mode_t type;  /* type */
- FILE *stream; /* ls fls fprint0 */
-+#ifdef WITH_SELINUX
-+security_context_t scontext; /* scontext */
-+#endif
- struct format_val printf_vec; /* printf fprintf fprint  */
-   } args;
- 
-@@ -481,7 +488,9 @@ boolean pred_uid PARAMS((char *pathname, struct stat 
*stat_buf, struct predicate
- boolean pred_used PARAMS((char *pathname, struct stat *stat_buf, struct 
predicate *pred_ptr));
- boolean pred_user PARAMS((char *pathname, struct stat *stat_buf, struct 
predicate *pred_ptr));
- boolean pred_xtype PARAMS((char *pathname, struct stat *stat_buf, struct 
predicate *pred_ptr));
--
-+#ifdef WITH_SELINUX
-+boolean pred_context PARAMS((char *pathname, struct stat *stat_buf, struct 
predicate *pred_ptr));
-+#endif
- 
- 
- int launch PARAMS((const struct buildcmd_control *ctl,
-@@ -570,6 +579,10 @@ struct options
-* can be changed with the positional option, -regextype.
-*/
-   int regex_options;
-+
-+#ifdef WITH_SELINUX
-+  int (*x_getfilecon) ();
-+#endif
- };
- extern struct options options;
- 
-diff --git a/find/f

[yocto] [meta-selinux][PATCH 3/3] util-linux: drop obsolete patch

2019-05-19 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 .../util-linux/fix-libmount_la_DEPENDENCIES.patch  | 28 --
 1 file changed, 28 deletions(-)
 delete mode 100644 
recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch

diff --git 
a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch 
b/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
deleted file mode 100644
index ab54818..000
--- a/recipes-core/util-linux/util-linux/fix-libmount_la_DEPENDENCIES.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Subject: [PATCH] util-linux: fix libmount_la_DEPENDENCIES.
-
-Upstream-Status: Pending
-
-libmount_la_LIBADD contains "-lselinux", this is not a object that
-could consider as a dependency target. So fix this.
-
-Signed-off-by: Xin Ouyang 

- libmount/src/Makemodule.am |2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/libmount/src/Makemodule.am b/libmount/src/Makemodule.am
-index 494e02a..bf494a4 100644
 a/libmount/src/Makemodule.am
-+++ b/libmount/src/Makemodule.am
-@@ -38,7 +38,7 @@ libmount_la_CFLAGS = \
-   -I$(top_srcdir)/libmount/src
- 
- libmount_la_DEPENDENCIES = \
--  $(libmount_la_LIBADD) \
-+  libcommon.la libblkid.la \
-   libmount/src/libmount.sym \
-   libmount/src/libmount.h.in
- 
--- 
-1.7.5.4
-
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/3] mesa: switch to meson build

2019-05-19 Thread Yi Zhao
The mesa had been converted to use meson build system in oe-core commit
c72b6d46d392bfbcf54154f43663a7a8ada8c567. Update the bbappend to adapt
it.

Signed-off-by: Yi Zhao 
---
 recipes-graphics/mesa/mesa_%.bbappend  | 2 +-
 recipes-graphics/mesa/mesa_selinux.inc | 6 --
 2 files changed, 1 insertion(+), 7 deletions(-)
 delete mode 100644 recipes-graphics/mesa/mesa_selinux.inc

diff --git a/recipes-graphics/mesa/mesa_%.bbappend 
b/recipes-graphics/mesa/mesa_%.bbappend
index b0b03ec..02c4918 100644
--- a/recipes-graphics/mesa/mesa_%.bbappend
+++ b/recipes-graphics/mesa/mesa_%.bbappend
@@ -1,2 +1,2 @@
-require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 
'${BPN}_selinux.inc', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-selinux', 
'', d)}
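Review bot: Replacing the `require` of `${BPN}_selinux.inc` with `inherit ... 'meson-selinux'` drops the override carried by the deleted include, which added `libselinux-native` to the `selinux` PACKAGECONFIG dependencies for mesa's host-built `builtin_compiler`. Whether the meson build still compiles a host tool that links libselinux is not visible from this patch, and neither is the content of `meson-selinux.bbclass`. If the native dependency is no longer needed, a comment in the bbappend such as `# meson build has no host tool that needs libselinux-native` would record that the drop is deliberate. If it is still needed, the `PACKAGECONFIG[selinux]` override has to be kept, with the meson option in place of the autotools flags.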
 
diff --git a/recipes-graphics/mesa/mesa_selinux.inc 
b/recipes-graphics/mesa/mesa_selinux.inc
deleted file mode 100644
index 0004f71..000
--- a/recipes-graphics/mesa/mesa_selinux.inc
+++ /dev/null
@@ -1,6 +0,0 @@
-inherit enable-selinux
-
-# But wait!  There's more!  mesa builds a host program named builtin_compiler
-# and it needs selinux, too.  We replace the PACKAGECONFIG[] in the bbclass.
-#
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux 
libselinux-native,"
-- 
2.7.4



Re: [yocto] [meta-selinux][PATCH] refpolicy: refresh patches

2019-04-24 Thread Joe MacDonald
Hi Yi,

Where did this patch refresh come from?  Since the goal right now for the
refpolicy recipes is to move to a purely git-based approach, I'd prefer to not
do patch refreshes that don't come from an export of the patched git trees, like
the one I'd mentioned in my earlier email here:

https://www.mail-archive.com/[email protected]/msg43933.html

Thanks,
-Joe.

[[yocto] [meta-selinux][PATCH] refpolicy: refresh patches] On 19.04.19 (Fri 
14:10) Yi Zhao wrote:

> Refrefsh 0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
> and 0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch.
> Remove the trailing line: \ No newline at end of file
> 
> Signed-off-by: Yi Zhao 
> ---
>  ...y-minimum-audit-logging-getty-audit-related-.patch |  1 -
>  ...y-minimum-systemd-mount-logging-authlogin-ad.patch | 19 
> ---
>  ...y-minimum-audit-logging-getty-audit-related-.patch |  1 -
>  ...y-minimum-systemd-mount-logging-authlogin-ad.patch | 19 
> ---
>  4 files changed, 16 insertions(+), 24 deletions(-)
> 
> diff --git 
> a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
>  
> b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
> index f92ddb8..10d2bcb 100644
> --- 
> a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
> +++ 
> b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
> @@ -62,7 +62,6 @@ index 63e92a8e..8ab46925 100644
>  +allow auditd_t initrc_t:unix_dgram_socket sendto;
>  +
>  +allow klogd_t initrc_t:unix_dgram_socket sendto;
> -\ No newline at end of file
>  -- 
>  2.19.1
>  
> diff --git 
> a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
>  
> b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
> index 98b6156..65ef55b 100644
> --- 
> a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
> +++ 
> b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
> @@ -33,13 +33,13 @@ Signed-off-by: Shrikant Bobade 
> 
>  Signed-off-by: Joe MacDonald 
>  ---
>   policy/modules/system/authlogin.te | 2 ++
> - policy/modules/system/logging.te   | 7 ++-
> + policy/modules/system/logging.te   | 5 +
>   policy/modules/system/mount.te | 3 +++
>   policy/modules/system/systemd.te   | 5 +
> - 4 files changed, 16 insertions(+), 1 deletion(-)
> + 4 files changed, 15 insertions(+)
>  
>  diff --git a/policy/modules/system/authlogin.te 
> b/policy/modules/system/authlogin.te
> -index 345e07f3..39f860e0 100644
> +index 345e07f..39f860e 100644
>  --- a/policy/modules/system/authlogin.te
>  +++ b/policy/modules/system/authlogin.te
>  @@ -472,3 +472,5 @@ optional_policy(`
> @@ -49,23 +49,20 @@ index 345e07f3..39f860e0 100644
>  +
>  +allow chkpwd_t proc_t:filesystem getattr;
>  diff --git a/policy/modules/system/logging.te 
> b/policy/modules/system/logging.te
> -index 8ab46925..520f7da6 100644
> +index c9991ab..520f7da 100644
>  --- a/policy/modules/system/logging.te
>  +++ b/policy/modules/system/logging.te
> -@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create 
> open read append };
> - allow auditd_t tmpfs_t:dir { open read search add_name write getattr search 
> };
> +@@ -628,3 +628,8 @@ allow auditd_t tmpfs_t:dir { open read search add_name 
> write getattr search };
>   allow auditd_t initrc_t:unix_dgram_socket sendto;
>   
> --allow klogd_t initrc_t:unix_dgram_socket sendto;
> -\ No newline at end of file
> -+allow klogd_t initrc_t:unix_dgram_socket sendto;
> + allow klogd_t initrc_t:unix_dgram_socket sendto;
>  +
>  +allow syslogd_t self:shm create;
>  +allow syslogd_t self:sem { create read unix_write write };
>  +allow syslogd_t self:shm { read unix_read unix_write write };
>  +allow syslogd_t tmpfs_t:file { read write };
>  diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> -index 3dcb8493..a87d0e82 100644
> +index 3dcb849..a87d0e8 100644
>  --- a/policy/modules/system/mount.te
>  +++ b/policy/modules/system/mount.te
>  @@ -231,3 +231,6 @@ optional_policy(`
> @@ -76,7 +73,7 @@ index 3dcb8493..a87d0e82 100644
>  +allow mount_t proc_t:filesystem getattr;
>  +allow mount_t initrc_t:udp_socket { read write };
>  diff --git a/policy/modules/system/systemd.te 
> b/policy/modules/system/systemd.te
> -index a6

[yocto] [meta-selinux][PATCH] refpolicy: refresh patches

2019-04-18 Thread Yi Zhao
Refresh 0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
and 0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch.
Remove the trailing line: \ No newline at end of file

Signed-off-by: Yi Zhao 
---
 ...y-minimum-audit-logging-getty-audit-related-.patch |  1 -
 ...y-minimum-systemd-mount-logging-authlogin-ad.patch | 19 ---
 ...y-minimum-audit-logging-getty-audit-related-.patch |  1 -
 ...y-minimum-systemd-mount-logging-authlogin-ad.patch | 19 ---
 4 files changed, 16 insertions(+), 24 deletions(-)

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
 
b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
index f92ddb8..10d2bcb 100644
--- 
a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
+++ 
b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -62,7 +62,6 @@ index 63e92a8e..8ab46925 100644
 +allow auditd_t initrc_t:unix_dgram_socket sendto;
 +
 +allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
 -- 
 2.19.1
 
diff --git 
a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
 
b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
index 98b6156..65ef55b 100644
--- 
a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
+++ 
b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -33,13 +33,13 @@ Signed-off-by: Shrikant Bobade 
 Signed-off-by: Joe MacDonald 
 ---
  policy/modules/system/authlogin.te | 2 ++
- policy/modules/system/logging.te   | 7 ++-
+ policy/modules/system/logging.te   | 5 +
  policy/modules/system/mount.te | 3 +++
  policy/modules/system/systemd.te   | 5 +
- 4 files changed, 16 insertions(+), 1 deletion(-)
+ 4 files changed, 15 insertions(+)
 
 diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
-index 345e07f3..39f860e0 100644
+index 345e07f..39f860e 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -472,3 +472,5 @@ optional_policy(`
@@ -49,23 +49,20 @@ index 345e07f3..39f860e0 100644
 +
 +allow chkpwd_t proc_t:filesystem getattr;
 diff --git a/policy/modules/system/logging.te 
b/policy/modules/system/logging.te
-index 8ab46925..520f7da6 100644
+index c9991ab..520f7da 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open 
read append };
- allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+@@ -628,3 +628,8 @@ allow auditd_t tmpfs_t:dir { open read search add_name 
write getattr search };
  allow auditd_t initrc_t:unix_dgram_socket sendto;
  
--allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
-+allow klogd_t initrc_t:unix_dgram_socket sendto;
+ allow klogd_t initrc_t:unix_dgram_socket sendto;
 +
 +allow syslogd_t self:shm create;
 +allow syslogd_t self:sem { create read unix_write write };
 +allow syslogd_t self:shm { read unix_read unix_write write };
 +allow syslogd_t tmpfs_t:file { read write };
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 3dcb8493..a87d0e82 100644
+index 3dcb849..a87d0e8 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -231,3 +231,6 @@ optional_policy(`
@@ -76,7 +73,7 @@ index 3dcb8493..a87d0e82 100644
 +allow mount_t proc_t:filesystem getattr;
 +allow mount_t initrc_t:udp_socket { read write };
 diff --git a/policy/modules/system/systemd.te 
b/policy/modules/system/systemd.te
-index a6f09dfd..68b80de3 100644
+index a6f09df..68b80de 100644
 --- a/policy/modules/system/systemd.te
 +++ b/policy/modules/system/systemd.te
 @@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { 
relabelfrom relabelto };
diff --git 
a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
 
b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
index 3cc5395..517782d 100644
--- 
a/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
+++ 
b/recipes-security/refpolicy/refpolicy-git/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch
@@ -62,7 +62,6 @@ index e6221a02..4cc73327 100644
 +allow auditd_t initrc_t:unix_dgram_socket sendto;
 +
 +allow klogd_t initrc_t:unix_dgram_socket sendto;
-\ No newline at end of file
 -- 
 2.19.1
 
diff --git 
a/recipes-security/refpolicy/refpolicy-git/0004-refpolicy-minim

[yocto] [meta-selinux][PATCH] refpolicy: update source checksums for refpolicy 20190201

2019-04-18 Thread Yi Zhao
The previous md5sum and sha256sum are not correct.
See: https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20190201

Signed-off-by: Yi Zhao 
---
 recipes-security/refpolicy/refpolicy_2.20190201.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy_2.20190201.inc 
b/recipes-security/refpolicy/refpolicy_2.20190201.inc
index 822c0f3..78c6e74 100644
--- a/recipes-security/refpolicy/refpolicy_2.20190201.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20190201.inc
@@ -1,6 +1,6 @@
 SRC_URI = 
"https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2";
-SRC_URI[md5sum] = "76a7a455289c9216ee0fbb8de71c9799"
-SRC_URI[sha256sum] = 
"5e4daee61d89dfdc8c7bf369f81c99845931e337916dc6401e301c5de57ea336"
+SRC_URI[md5sum] = "babb0d5ca2ae333631d25392b2b3ce8d"
+SRC_URI[sha256sum] = 
"ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843"
 
 FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-2.20190201:"
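Review bot: Both digests change while the `SRC_URI` line and `${PV}` stay the same, and the recipe keeps no record of where the new values come from. A digest swap under an unchanged URL is exactly the case a fetch checksum exists to catch, so it deserves a provenance line. A comment above the checksums such as `# digests checked against the RELEASE_2_20190201 release asset` would let a later reader tell a corrected entry from a re-rolled tarball; it applies only if that is how the values were obtained, since the commit message merely links the release page. Of the two values, `sha256sum` is the one to rely on when comparing, since `md5sum` offers no meaningful collision resistance.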
 
-- 
2.7.4



[yocto] [meta-selinux][PATCH 1/1] busybox: disable PTEST_BINDIR

2019-04-18 Thread kai.kang
From: Kai Kang 

A new feature has been added in oe-core to use the update-alternatives
mechanism for ptest, but it conflicts with the current patch in
meta-selinux. So do not use this new feature for ptest when building with
selinux.

Signed-off-by: Kai Kang 
---
 recipes-core/busybox/busybox_selinux.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-core/busybox/busybox_selinux.inc 
b/recipes-core/busybox/busybox_selinux.inc
index df7c117..cc83b01 100644
--- a/recipes-core/busybox/busybox_selinux.inc
+++ b/recipes-core/busybox/busybox_selinux.inc
@@ -1,3 +1,5 @@
+PTEST_BINDIR = "0"
+
 FILES_${PN} += "${libdir}/${PN}"
 
 # We should use sh wrappers instead of links so the commands could get correct
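Review bot: The added `PTEST_BINDIR = "0"` carries no comment, so the reason for switching the feature off lives only in the commit message. A later reader of busybox_selinux.inc sees a ptest setting disabled with nothing tying it to this layer's busybox changes, and may re-enable it and hit the do_package failure again. Add a line above the assignment such as `# Disabled: oe-core's ptest update-alternatives handling conflicts with the busybox changes in this layer`. Whether this include is only pulled in when the selinux distro feature is set is not visible in the hunk and is worth confirming, since the setting otherwise applies to every build using the layer.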
-- 
2.20.0



[yocto] [meta-selinux][PATCH 0/1] Fix build errors when enable selinux and ptest

2019-04-18 Thread kai.kang
From: Kai Kang 

Fix build errors when selinux and ptest are both enabled:

 DISTRO_FEATURES_append = ""


ERROR: busybox-1.30.1-r0 do_package: Error executing a python function in 
exec_python_func() autogenerated:

The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_python_func() autogenerated', lineno: 2, function: 
 0001:
 *** 0002:ptest_update_alternatives(d)
 0003:
File: 
'/home/kkang/buildarea/wrlx-201902/repo/layers/oe-core/meta/classes/ptest.bbclass',
 lineno: 97, function: ptest_update_alternatives
 0093:for alt_name, alt_link, alt_target, _ in alternatives:
 0094:# Some alternatives are for man pages,
 0095:# check if the alternative is in PATH
 0096:if os.path.dirname(alt_link) in bin_paths:
 *** 0097:os.symlink(alt_target, os.path.join(ptest_bindir, 
alt_name))
 0098:}
 0099:
 0100:do_configure_ptest_base[dirs] = "${B}"
 0101:do_compile_ptest_base[dirs] = "${B}"
Exception: FileExistsError: [Errno 17] File exists: 
'/usr/lib64/busybox/bin/ash' -> 
'/home/kkang/buildarea/wrlx-201902/LIN1019-1104/tmp-glibc/
work/aarch64-wrs-linux/busybox/1.30.1-r0/package/usr/lib64/busybox/ptest/bin/ash'

ERROR: busybox-1.30.1-r0 do_package: [Errno 17] File exists: 
'/usr/lib64/busybox/bin/ash' -> 
'/home/kkang/buildarea/wrlx-201902/LIN1019-1104/t
mp-glibc/work/aarch64-wrs-linux/busybox/1.30.1-r0/package/usr/lib64/busybox/ptest/bin/ash'
ERROR: busybox-1.30.1-r0 do_package: Function failed: ptest_update_alternatives
ERROR: Logfile of failure stored in: 
/home/kkang/buildarea/wrlx-201902/LIN1019-1104/tmp-glibc/work/aarch64-wrs-linux/busybox/1.30.1-r0/temp/lo
g.do_package.87140
ERROR: Task 
(/home/kkang/buildarea/wrlx-201902/repo/layers/oe-core/meta/recipes-core/busybox/busybox_1.30.1.bb:do_package)
 failed with exit co
de '1'
NOTE: Tasks Summary: Attempted 1775 tasks of which 1774 didn't need to be rerun 
and 1 failed.

Summary: 1 task failed:
  
/home/kkang/buildarea/wrlx-201902/repo/layers/oe-core/meta/recipes-core/busybox/busybox_1.30.1.bb:do_package

Kai Kang (1):
  busybox: disable PTEST_BINDIR

 recipes-core/busybox/busybox_selinux.inc | 2 ++
 1 file changed, 2 insertions(+)

--
2.20.0



Re: [yocto] [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)

2019-04-16 Thread Joe MacDonald
Hi all,

Update on this, I've just now completed this merge (with Yi's corrected
SRC_URI for the RELEASE_2.20190201 tag) and I'm going to start pulling
in the additional meta-selinux patches that have been sent to the
mailing list.  I'll prep a queue of those updates soon and send out
another pull mail to the list in order to keep everyone reasonably
informed of what's in and what's not.  Once that happens, if you have a
patch that's still pending but not in my pull list, please let me know
with a follow up to the list.

Thanks,
-J.

[[yocto] [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD 
policies (2019-04-10 10:57:14 -0400)] On 19.04.10 (Wed 11:53) Joe MacDonald 
wrote:

> This is a huge, long-overdue update the refpolicy.  I apologise for it
> blocking the other outstanding meta-selinux patches, but I've been
> trying to limit the scope of changes while this happens.  Now that this
> is cleared off the slate, I'll be gathering up the other meta-selinux
> patches from the list.  I'll send out a follow-up on those as they're
> merged and another when I think I'm done, so if I've missed your patch,
> that'll be the time to ping me about it.
> 
> As for this, here's what I've done.
> 
>   - manually reviewed all patches that had been present in
> repolicy-* for both the old stable (2.20170204) and git
> versions
> 
>   - forked the SELinuxPolicy/refpolicy repo and applied all
> still-relevant patches to the RELEASE_2.20190201 branch
> 
>   - restructured the patches so that all patches that should
> reasonably apply to all variants (mcs, mls, minimum, standard
> and targeted) were in a common branch and only the ones that
> are specific to each variant would be in their own recipe
> 
>   - restructure the patches so that systemd and sysvinit patches
> were not applied to the same tree
> 
>   - created a parallel set of branches for each of these against
> current git HEAD
> 
> The results of this can be examined here:
> 
>   https://github.com/joeythesaint/refpolicy
> 
> Then each of these were exported and put in the appropriate SRC_URIs so
> the branch structure is more-or-less preserved.
> 
> My goals with this approach were the following:
> 
>   - make it easier to keep refpolicy up to date, particularly for
> anyone wanting to use the git variants
> 
>   - make it easier to determine how your preferred version of
> refpolicy on Yocto differs from upstream refpolicy
> 
>   - limit the above differences to the minimum to achieve the goal
> of a functional Yocto system
> 
>   - eventually move us away from release tarballs entirely
> 
> That last point is why I'm preserving the refpolicy fork above.  I'd
> like to keep going with this and so future refpolicy patches will first
> be put in that repo then exported and applied to the SRC_URIs.  If you
> have such a patch and want to send me a PR against the branch you think
> it belongs on from github directly, that'd be awesome, but the old
> method of patches to the mailing list will work fine too, just know that
> this is the way I'm going to try to manage this for the foreseeable
> future.  Ultimately, if this proves to work well, I would like to move
> the refpolicy fork off github and house it on git.yoctoproject.org
> beside meta-selinux, but the workflow needs to be properly validated
> first.
> 
> One additional point, I intend to take another pass at revising this
> stuff, ideally moving the huge number of common patches out as well.
> There's still some that aren't necessary for base yocto but are for
> additional layers.  That's fine for us to have, but I'd like to get
> those moved to optional layer directories so we're making the best use
> of that functionality we can.  If you have suggestions on which pieces
> already present are good candidates, let me know.  Similarly, if you've
> got additional policy patches you want to see included, feel free to
> send them along, we can easily move them to optional locations inside
> meta-selinux.
> 
> Finally, please everyone test this and provide feedback on anything that
> doesn't work or looks strange.  This is easily the biggest change we've
> had in meta-selinux in years and I expect there's still some wrinkles to
> be ironed out.  And I really appreciate everyone's patience while we got
> to this point and hope it's not too much more pain before we put a
> ribbon on this and call it done.
> 
> I'll give this until at least the weekend before merging it to maste

[yocto] [meta-selinux][PULL] consolidated meta-selinux updates

2019-04-16 Thread Joe MacDonald
Hi all,

This is the promised update to meta-selinux, incorporating all of the
current pending patches I'm aware of on the list.  As before, I'll give
everyone a couple of days to check this out and raise any questions or
concerns before merging it.  Please take a look and let me know if
you've got a pending change that isn't here.  There were a couple that
didn't get merged, but I think the only ones I dropped were due to being
no longer applicable (for example Yi's updates to refpolicy to the 2018
release).



The following changes since commit d6686698444616b9857a15bb514400f8a629e7ed:

  refpolicy: update to 2.20190201 and git HEAD policies (2019-04-12 15:28:38 
-0400)

are available in the Git repository at:

  git://git.yoctoproject.org/meta-selinux yocto/master-next

for you to fetch changes up to e0105eed2b2461bf08b7aaf71db12dfae6ca51e3:

  audit: change to use ${WORKDIR} instead ${S}/../ (2019-04-15 09:02:21 -0400)


Chen Qi (1):
  audit: change to use ${WORKDIR} instead ${S}/../

Kai Kang (2):
  layer.conf: update to warrior release name series
  setools: fix build failure with gcc 7

Luca Boccassi (1):
  packagegroup-selinux-minimal: add selinux-init

Sinan Kaya (1):
  libpcre: do no create links when compiling for windows

Yi Zhao (4):
  core-image-selinux.bb: remove trailing whitespace
  openssh: update sshd_config
  selinux-image.bbclass: using append instead of += for 
IMAGE_PREPROCESS_COMMAND
  selinux: remove git version

 classes/selinux-image.bbclass  |  2 +-
 conf/layer.conf|  2 +-
 recipes-connectivity/openssh/files/sshd_config | 53 +++--
 recipes-security/audit/audit_2.8.4.bb  |  2 +-
 recipes-security/images/core-image-selinux.bb  |  2 +-
 .../packagegroups/packagegroup-selinux-minimal.bb  |  1 +
 recipes-security/selinux/checkpolicy_git.bb|  6 --
 recipes-security/selinux/libselinux_git.bb | 14 
 recipes-security/selinux/libsemanage_git.bb| 17 
 recipes-security/selinux/libsepol_git.bb   |  8 --
 recipes-security/selinux/policycoreutils_git.bb|  6 --
 recipes-security/selinux/selinux_git.inc   | 11 ---
 ...ailure-with-GCC-7-due-to-possible-truncat.patch | 90 ++
 recipes-support/libpcre/libpcre_selinux.inc| 20 +++--
 14 files changed, 118 insertions(+), 116 deletions(-)
 delete mode 100644 recipes-security/selinux/checkpolicy_git.bb
 delete mode 100644 recipes-security/selinux/libselinux_git.bb
 delete mode 100644 recipes-security/selinux/libsemanage_git.bb
 delete mode 100644 recipes-security/selinux/libsepol_git.bb
 delete mode 100644 recipes-security/selinux/policycoreutils_git.bb
 delete mode 100644 recipes-security/selinux/selinux_git.inc

-- 
-Joe MacDonald.
:wq




[yocto] [meta-selinux][PATCH] audit: change to use ${WORKDIR} instead ${S}/../

2019-04-14 Thread Chen Qi
The do_install function assumes that ${S}/../ is ${WORKDIR},
but this is not true when using `devtool modify audit'.

So change to use ${WORKDIR}.

Signed-off-by: Chen Qi 
---
 recipes-security/audit/audit_2.8.4.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/audit/audit_2.8.4.bb 
b/recipes-security/audit/audit_2.8.4.bb
index c29bb74..594786a 100644
--- a/recipes-security/audit/audit_2.8.4.bb
+++ b/recipes-security/audit/audit_2.8.4.bb
@@ -82,7 +82,7 @@ do_install_append() {
rmdir ${D}/etc/sysconfig/
 
# replace init.d
-   install -D -m 0755 ${S}/../auditd ${D}/etc/init.d/auditd
+   install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd
rm -rf ${D}/etc/rc.d
 
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', 
d)}; then
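Review bot: The rewritten `install` line still hard-codes `/etc/init.d` under `${D}`, as do the `rmdir` and `rm -rf` lines around it. The usual recipe form is `install -D -m 0755 ${WORKDIR}/auditd ${D}${sysconfdir}/init.d/auditd`, which keeps working if a distro relocates sysconfdir. The switch to `${WORKDIR}` also depends on `auditd` being placed there by a `file://auditd` entry in SRC_URI, which is outside this hunk and worth confirming. do_install_append starts and ends outside the hunk.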
-- 
2.7.4



Re: [yocto] [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)

2019-04-12 Thread Joe MacDonald
Hi Yi,

[Re: [yocto] [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD 
policies (2019-04-10 10:57:14 -0400)] On 19.04.11 (Thu 16:19) Yi Zhao wrote:

> Hi Joe,
> 
> Thank you for working on the refpolicy upgrade.
> I have a quick test with your patch. Here are the results:
> 
> Machine: qemux86-64
> Image: core-image-selinux
> Init manager: systemd
> Boot command: runqemu qemux86-64 kvm nographic bootparams="selinux=1 
> enforcing=
> X" qemuparams="-m 1024"
> 
> 1. All refpolicy type of git version can be built without problems.
> 
> 2. With parameter selinux=1 & enforcing=0
> The qemu can boot up and login for all refpolicy types.

Perfect, that's what I had when testing on my reference hardware, so I'm
happy you were able to validate those results.

> 3. With parameter selinux=1 & enforcing=1
> Some of services failed to startup when booting. But this issue also exist on
> old refpolicy version (2.20170204)

Yeah, and given the scope of this change my goal was mainly parity with
the old policy but based on a version that's 2-ish years newer.  So once
that's done I think we can reasonably work at enabling the additional
services in some structured way.

> 4. refpolicy stable version (2.20190201)
> I got an do_fetch error with refpolicy stable version.
> Seems the SRC_URI is not correct. It should be "https://github.com/
> SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-$
> {PV}.tar.bz2"

Thanks, good catch, I don't know how that slipped through.  Corrected on
my end, I'll update it in a bit.

-J.

> 
> 
> Regards,
> Yi

-- 
-Joe MacDonald.
:wq




Re: [yocto] [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)

2019-04-11 Thread Yi Zhao

Hi Joe,

Thank you for working on the refpolicy upgrade.
I have a quick test with your patch. Here are the results:

Machine: qemux86-64
Image: core-image-selinux
Init manager: systemd
Boot command: runqemu qemux86-64 kvm nographic bootparams="selinux=1 
enforcing=X" qemuparams="-m 1024"


1. All refpolicy type of git version can be built without problems.

2. With parameter selinux=1 & enforcing=0
The qemu can boot up and login for all refpolicy types.

3. With parameter selinux=1 & enforcing=1
Some of services failed to startup when booting. But this issue also 
exist on old refpolicy version (2.20170204)


4. refpolicy stable version (2.20190201)
I got a do_fetch error with the refpolicy stable version.
Seems the SRC_URI is not correct. It should be 
"https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201/refpolicy-${PV}.tar.bz2";



Regards,
Yi


在 2019/4/10 下午11:53, Joe MacDonald 写道:

This is a huge, long-overdue update the refpolicy.  I apologise for it
blocking the other outstanding meta-selinux patches, but I've been
trying to limit the scope of changes while this happens.  Now that this
is cleared off the slate, I'll be gathering up the other meta-selinux
patches from the list.  I'll send out a follow-up on those as they're
merged and another when I think I'm done, so if I've missed your patch,
that'll be the time to ping me about it.

As for this, here's what I've done.

- manually reviewed all patches that had been present in
  repolicy-* for both the old stable (2.20170204) and git
  versions

- forked the SELinuxPolicy/refpolicy repo and applied all
  still-relevant patches to the RELEASE_2.20190201 branch

- restructured the patches so that all patches that should
  reasonably apply to all variants (mcs, mls, minimum, standard
  and targeted) were in a common branch and only the ones that
  are specific to each variant would be in their own recipe

- restructure the patches so that systemd and sysvinit patches
  were not applied to the same tree

- created a parallel set of branches for each of these against
  current git HEAD

The results of this can be examined here:

https://github.com/joeythesaint/refpolicy

Then each of these were exported and put in the appropriate SRC_URIs so
the branch structure is more-or-less preserved.

My goals with this approach were the following:

- make it easier to keep refpolicy up to date, particularly for
  anyone wanting to use the git variants

- make it easier to determine how your preferred version of
  refpolicy on Yocto differs from upstream refpolicy

- limit the above differences to the minimum to achieve the goal
  of a functional Yocto system

- eventually move us away from release tarballs entirely

That last point is why I'm preserving the refpolicy fork above.  I'd
like to keep going with this and so future refpolicy patches will first
be put in that repo then exported and applied to the SRC_URIs.  If you
have such a patch and want to send me a PR against the branch you think
it belongs on from github directly, that'd be awesome, but the old
method of patches to the mailing list will work fine too, just know that
this is the way I'm going to try to manage this for the foreseeable
future.  Ultimately, if this proves to work well, I would like to move
the refpolicy fork off github and house it on git.yoctoproject.org
beside meta-selinux, but the workflow needs to be properly validated
first.

One additional point, I intend to take another pass at revising this
stuff, ideally moving the huge number of common patches out as well.
There's still some that aren't necessary for base yocto but are for
additional layers.  That's fine for us to have, but I'd like to get
those moved to optional layer directories so we're making the best use
of that functionality we can.  If you have suggestions on which pieces
already present are good candidates, let me know.  Similarly, if you've
got additional policy patches you want to see included, feel free to
send them along, we can easily move them to optional locations inside
meta-selinux.

Finally, please everyone test this and provide feedback on anything that
doesn't work or looks strange.  This is easily the biggest change we've
had in meta-selinux in years and I expect there's still some wrinkles to
be ironed out.  And I really appreciate everyone's patience while we got
to this point and hope it's not too much more pain before we put a
ribbon on this and call it done.

I'll give this until at least the weekend before merging it to master,
pending comments or an overwhelming "please just do it" from the
community.

Thanks.

---

The following changes since commit a6a3cadb1ef3203a123d8f5f9df27832f55b2ce3:

   Backport patches from upstream to fix build with musl (2019-03-25 09:43:53 
+0100)

are available in the Git repos

[yocto] [meta-selinux][PULL] refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 -0400)

2019-04-10 Thread Joe MacDonald
This is a huge, long-overdue update to the refpolicy.  I apologise for it
blocking the other outstanding meta-selinux patches, but I've been
trying to limit the scope of changes while this happens.  Now that this
is cleared off the slate, I'll be gathering up the other meta-selinux
patches from the list.  I'll send out a follow-up on those as they're
merged and another when I think I'm done, so if I've missed your patch,
that'll be the time to ping me about it.

As for this, here's what I've done.

- manually reviewed all patches that had been present in
  refpolicy-* for both the old stable (2.20170204) and git
  versions

- forked the SELinuxPolicy/refpolicy repo and applied all
  still-relevant patches to the RELEASE_2.20190201 branch

- restructured the patches so that all patches that should
  reasonably apply to all variants (mcs, mls, minimum, standard
  and targeted) were in a common branch and only the ones that
  are specific to each variant would be in their own recipe

- restructure the patches so that systemd and sysvinit patches
  were not applied to the same tree

- created a parallel set of branches for each of these against
  current git HEAD

The results of this can be examined here:

https://github.com/joeythesaint/refpolicy

Then each of these were exported and put in the appropriate SRC_URIs so
the branch structure is more-or-less preserved.

My goals with this approach were the following:

- make it easier to keep refpolicy up to date, particularly for
  anyone wanting to use the git variants

- make it easier to determine how your preferred version of
  refpolicy on Yocto differs from upstream refpolicy

- limit the above differences to the minimum to achieve the goal
  of a functional Yocto system

- eventually move us away from release tarballs entirely

That last point is why I'm preserving the refpolicy fork above.  I'd
like to keep going with this and so future refpolicy patches will first
be put in that repo then exported and applied to the SRC_URIs.  If you
have such a patch and want to send me a PR against the branch you think
it belongs on from github directly, that'd be awesome, but the old
method of patches to the mailing list will work fine too, just know that
this is the way I'm going to try to manage this for the foreseeable
future.  Ultimately, if this proves to work well, I would like to move
the refpolicy fork off github and house it on git.yoctoproject.org
beside meta-selinux, but the workflow needs to be properly validated
first.

One additional point, I intend to take another pass at revising this
stuff, ideally moving the huge number of common patches out as well.
There's still some that aren't necessary for base yocto but are for
additional layers.  That's fine for us to have, but I'd like to get
those moved to optional layer directories so we're making the best use
of that functionality we can.  If you have suggestions on which pieces
already present are good candidates, let me know.  Similarly, if you've
got additional policy patches you want to see included, feel free to
send them along, we can easily move them to optional locations inside
meta-selinux.

Finally, please everyone test this and provide feedback on anything that
doesn't work or looks strange.  This is easily the biggest change we've
had in meta-selinux in years and I expect there's still some wrinkles to
be ironed out.  And I really appreciate everyone's patience while we got
to this point and hope it's not too much more pain before we put a
ribbon on this and call it done.

I'll give this until at least the weekend before merging it to master,
pending comments or an overwhelming "please just do it" from the
community.

Thanks.

---

The following changes since commit a6a3cadb1ef3203a123d8f5f9df27832f55b2ce3:

  Backport patches from upstream to fix build with musl (2019-03-25 09:43:53 
+0100)

are available in the Git repository at:

  git://git.yoctoproject.org/meta-selinux yocto/master-next

for you to fetch changes up to 776da889b550ac9e5be414a8cc10fd86b1923264:

  refpolicy: update to 2.20190201 and git HEAD policies (2019-04-10 10:57:14 
-0400)


Joe MacDonald (1):
  refpolicy: update to 2.20190201 and git HEAD policies

 README |  16 +-
 .../refpolicy-2.20170204/poky-fc-clock.patch   |  20 --
 .../poky-fc-corecommands.patch |  24 --
 .../refpolicy-2.20170204/poky-fc-dmesg.patch   |  18 --
 .../poky-fc-fix-real-path_login.patch  |  37 ---
 .../poky-fc-fix-real-path_shadow.patch |  34 ---
 .../refpolicy-2.20170204/poky-fc-fstools.patch |  75 --
 .../refpolicy-2.20170204/poky-fc-ftpwho-dir.patch  |  27 ---
 .../refpolicy-2.20170204/poky-fc-iptables.patch|  2

[yocto] [meta-selinux][PATCH 2/2] setools: fix build failure with gcc 7

2019-04-09 Thread kai.kang
From: Kai Kang 

Backport patch from setools upstream to fix build failure with GCC 7 due
to possible truncation of snprintf output. It could be reproduced on 64
bit bsps such as qemux86-64 and qemumips64 with configs:

  SELECTED_OPTIMIZATION = "${DEBUG_OPTIMIZATION}"
  DEBUG_BUILD = "1"

Signed-off-by: Kai Kang 
---
 ...e-with-GCC-7-due-to-possible-truncat.patch | 90 +++
 1 file changed, 74 insertions(+), 16 deletions(-)

diff --git 
a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
 
b/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
index d0faba8..a5af041 100644
--- 
a/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
+++ 
b/recipes-security/setools/setools/Fix-build-failure-with-GCC-7-due-to-possible-truncat.patch
@@ -1,6 +1,10 @@
-From 790d7a538f515d27d2390f1ef56c9871b107a346 Mon Sep 17 00:00:00 2001
-From: Steve Langasek 
-Date: Sun, 27 Aug 2017 21:28:40 -0700
+Upstream-Status: Backport 
[https://github.com/TresysTechnology/setools/commit/e41adf0]
+
+Signed-off-by: Kai Kang 
+
+From e41adf01647c695b80b112b337e76021bb9f30c3 Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville 
+Date: Tue, 26 Sep 2017 15:15:30 +0200
 Subject: [PATCH] Fix build failure with GCC 7 due to possible truncation of
  snprintf output
 
@@ -15,33 +19,87 @@ libqpol/policy_extend.c:161:22: note: directive argument in 
the range [1, 429496
 snprintf(buff, 9, "@ttr%04zd", i + 1);
   ^~~
 
-Exceeding 10,000 attributes is necessarily going to result in collisions
-inserting into the hash table given this naming scheme, and we already error
-out on the first collision; but there will be holes since types are not
-handled the same as attributes.  Short of making backwards-incompatible
-changes to the entry names, this is probably the best way to fix this build
-failure while reducing the chances of a hash collision in the unlikely event
-that the hashtable is (nearly) full.
+Increase the size of the buffer to avoid collisions
 
 Closes: https://github.com/TresysTechnology/setools/issues/174
-Signed-off-by: Mark Hatle 
+Signed-off-by: Laurent Bigonville 
 ---
- libqpol/policy_extend.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ libqpol/policy_extend.c | 16 
+ 1 file changed, 8 insertions(+), 8 deletions(-)
 
 diff --git a/libqpol/policy_extend.c b/libqpol/policy_extend.c
-index 742819b..70e8f7c 100644
+index 742819b..739e184 100644
 --- a/libqpol/policy_extend.c
 +++ b/libqpol/policy_extend.c
+@@ -110,7 +110,7 @@ static int qpol_policy_remove_bogus_aliases(qpol_policy_t 
* policy)
+  *  Builds data for the attributes and inserts them into the policydb.
+  *  This function modifies the policydb. Names created for attributes
+  *  are of the form @ttr where value is the value of the attribute
+- *  as a four digit number (prepended with 0's as needed).
++ *  as a ten digit number (prepended with 0's as needed).
+  *  @param policy The policy from which to read the attribute map and
+  *  create the type data for the attributes. This policy will be altered
+  *  by this function.
+@@ -125,7 +125,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t 
* policy)
+   uint32_t bit = 0, count = 0;
+   ebitmap_node_t *node = NULL;
+   type_datum_t *tmp_type = NULL, *orig_type;
+-  char *tmp_name = NULL, buff[10];
++  char *tmp_name = NULL, buff[16];
+   int error = 0, retv;
+ 
+   INFO(policy, "%s", "Generating attributes for policy. (Step 4 of 5)");
+@@ -137,7 +137,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t 
* policy)
+ 
+   db = &policy->p->p;
+ 
+-  memset(&buff, 0, 10 * sizeof(char));
++  memset(&buff, 0, 16 * sizeof(char));
+ 
+   for (i = 0; i < db->p_types.nprim; i++) {
+   /* skip types */
 @@ -158,7 +158,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t 
* policy)
 * with this attribute */
/* Does not exist */
if (db->p_type_val_to_name[i] == NULL){
 -  snprintf(buff, 9, "@ttr%04zd", i + 1);
-+  snprintf(buff, 9, "@ttr%04zd", (i + 1) % 1);
++  snprintf(buff, 15, "@ttr%010zd", i + 1);
tmp_name = strdup(buff);
if (!tmp_name) {
error = errno;
+@@ -240,7 +240,7 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t 
* policy)
+  *  Builds data for empty attributes and inserts them into the policydb.
+  *  This function modifies the policydb. Names created for the attributes
+  *  are of the form @ttr where value is the value of the attribute
+- *  as a four digit number (prepended with 0's as needed).
++ *  as a ten digit number (prepended with 0's as needed).
+  *  @param policy The policy to which to add type data for attributes.
+  *  This policy 

[yocto] [meta-selinux][PATCH 1/2] layer.conf: update to warrior release name series

2019-04-09 Thread kai.kang
From: Kai Kang 

Sync with oe-core to update to warrior release name series.

Signed-off-by: Kai Kang 
---
 conf/layer.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 5fecac6..b10bd76 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,7 +18,7 @@ BBFILE_PRIORITY_selinux = "5"
 # cause compatibility issues with other layers
 LAYERVERSION_selinux = "1"
 
-LAYERSERIES_COMPAT_selinux = "thud"
+LAYERSERIES_COMPAT_selinux = "warrior"
 
 LAYERDEPENDS_selinux = " \
 core \
-- 
2.20.0



Re: [yocto] [meta-selinux][PATCH] selinux: remove git version

2019-04-02 Thread Joe MacDonald
Hi Yi,

I'm in the process of updating a big portion of the meta-selinux layer,
starting with the policy and working outward.  I am planning to update
these packages (and likely merge this) but I'm not merging your patch
yet until everything else is sorted out.

Just wanted to follow up with you so you knew what was happening.

-J.

[[meta-selinux][PATCH] selinux: remove git version] On 19.04.02 (Tue 08:54) Yi 
Zhao wrote:

> The git version of libselinux libsemanage libsepol checkpolicy and
> policycoreutils are far behind the master branch and now they can not
> build due to the do_patch error. The current stable 2.8 version works
> well so we can remove them.
> 
> Signed-off-by: Yi Zhao 
> ---
>  recipes-security/selinux/checkpolicy_git.bb |  6 --
>  recipes-security/selinux/libselinux_git.bb  | 14 --
>  recipes-security/selinux/libsemanage_git.bb | 17 -
>  recipes-security/selinux/libsepol_git.bb|  8 
>  recipes-security/selinux/policycoreutils_git.bb |  6 --
>  recipes-security/selinux/selinux_git.inc| 11 ---
>  6 files changed, 62 deletions(-)
>  delete mode 100644 recipes-security/selinux/checkpolicy_git.bb
>  delete mode 100644 recipes-security/selinux/libselinux_git.bb
>  delete mode 100644 recipes-security/selinux/libsemanage_git.bb
>  delete mode 100644 recipes-security/selinux/libsepol_git.bb
>  delete mode 100644 recipes-security/selinux/policycoreutils_git.bb
>  delete mode 100644 recipes-security/selinux/selinux_git.inc
> 
> diff --git a/recipes-security/selinux/checkpolicy_git.bb 
> b/recipes-security/selinux/checkpolicy_git.bb
> deleted file mode 100644
> index 6d1d23a..000
> --- a/recipes-security/selinux/checkpolicy_git.bb
> +++ /dev/null
> @@ -1,6 +0,0 @@
> -PV = "2.7+git${SRCPV}"
> -
> -include selinux_git.inc
> -include ${BPN}.inc
> -
> -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
> diff --git a/recipes-security/selinux/libselinux_git.bb 
> b/recipes-security/selinux/libselinux_git.bb
> deleted file mode 100644
> index a43b184..000
> --- a/recipes-security/selinux/libselinux_git.bb
> +++ /dev/null
> @@ -1,14 +0,0 @@
> -PV = "2.7+git${SRCPV}"
> -
> -include selinux_git.inc
> -include ${BPN}.inc
> -
> -LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
> -
> -SRC_URI += "\
> - file://libselinux-drop-Wno-unused-but-set-variable.patch \
> - file://libselinux-make-O_CLOEXEC-optional.patch \
> - file://libselinux-make-SOCK_CLOEXEC-optional.patch \
> - file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
> - file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
> - "
> diff --git a/recipes-security/selinux/libsemanage_git.bb 
> b/recipes-security/selinux/libsemanage_git.bb
> deleted file mode 100644
> index 2e1fdc8..000
> --- a/recipes-security/selinux/libsemanage_git.bb
> +++ /dev/null
> @@ -1,17 +0,0 @@
> -PV = "2.7+git${SRCPV}"
> -
> -include selinux_git.inc
> -include ${BPN}.inc
> -
> -LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
> -
> -SRC_URI += "\
> - file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
> - file://libsemanage-fix-path-nologin.patch \
> - file://libsemanage-drop-Wno-unused-but-set-variable.patch \
> - file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \
> - file://libsemanage-allow-to-disable-audit-support.patch \
> - file://libsemanage-disable-expand-check-on-policy-load.patch \
> - file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
> - "
> -FILES_${PN} += "/usr/libexec"
> diff --git a/recipes-security/selinux/libsepol_git.bb 
> b/recipes-security/selinux/libsepol_git.bb
> deleted file mode 100644
> index f9b8010..000
> --- a/recipes-security/selinux/libsepol_git.bb
> +++ /dev/null
> @@ -1,8 +0,0 @@
> -PV = "2.7+git${SRCPV}"
> -
> -include selinux_git.inc
> -include ${BPN}.inc
> -
> -LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
> -
> -SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch"
> diff --git a/recipes-security/selinux/policycoreutils_git.bb 
> b/recipes-security/selinux/policycoreutils_git.bb
> deleted file mode 100644
> index 6d1d23a..000
> --- a/recipes-security/selinux/policycoreutils_git.bb
> +++ /dev/null
> @@ -1,6 +0,0 @@
> -PV = "2.7+git${SRCPV}"
> -
> -include selinux_git.inc
> -include ${BPN}.inc
> -
> -LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
> diff --git a/recipes-security/selinux/selinux_git.inc 
> b/recipes-security/selinux/selinux_git.inc
> deleted file mode 100644
> index 9887bd1..000
> --- a/recipes-security/selinux/selinux_git.inc
> +++ /dev/null
> @@ -1,11 +0,0 @@
> -SRCREV = "1bac758bf6cf884c112b80545d5fc5b668fc7d71"
> -
> -SRC_URI = "git://github.com/SELinuxProject/selinux.git;protocol=http"
> -
> -include selinux_common.inc
> -
> -# ${S} is set in selinux_common above, but w

[yocto] [meta-selinux][PATCH] selinux: remove git version

2019-04-01 Thread Yi Zhao
The git versions of libselinux, libsemanage, libsepol, checkpolicy and
policycoreutils are far behind the master branch and can no longer be
built because of a do_patch error. The current stable 2.8 versions work
well, so we can remove the git recipes.

Signed-off-by: Yi Zhao 
---
 recipes-security/selinux/checkpolicy_git.bb |  6 --
 recipes-security/selinux/libselinux_git.bb  | 14 --
 recipes-security/selinux/libsemanage_git.bb | 17 -
 recipes-security/selinux/libsepol_git.bb|  8 
 recipes-security/selinux/policycoreutils_git.bb |  6 --
 recipes-security/selinux/selinux_git.inc| 11 ---
 6 files changed, 62 deletions(-)
 delete mode 100644 recipes-security/selinux/checkpolicy_git.bb
 delete mode 100644 recipes-security/selinux/libselinux_git.bb
 delete mode 100644 recipes-security/selinux/libsemanage_git.bb
 delete mode 100644 recipes-security/selinux/libsepol_git.bb
 delete mode 100644 recipes-security/selinux/policycoreutils_git.bb
 delete mode 100644 recipes-security/selinux/selinux_git.inc

diff --git a/recipes-security/selinux/checkpolicy_git.bb 
b/recipes-security/selinux/checkpolicy_git.bb
deleted file mode 100644
index 6d1d23a..000
--- a/recipes-security/selinux/checkpolicy_git.bb
+++ /dev/null
@@ -1,6 +0,0 @@
-PV = "2.7+git${SRCPV}"
-
-include selinux_git.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
diff --git a/recipes-security/selinux/libselinux_git.bb 
b/recipes-security/selinux/libselinux_git.bb
deleted file mode 100644
index a43b184..000
--- a/recipes-security/selinux/libselinux_git.bb
+++ /dev/null
@@ -1,14 +0,0 @@
-PV = "2.7+git${SRCPV}"
-
-include selinux_git.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
-
-SRC_URI += "\
-   file://libselinux-drop-Wno-unused-but-set-variable.patch \
-   file://libselinux-make-O_CLOEXEC-optional.patch \
-   file://libselinux-make-SOCK_CLOEXEC-optional.patch \
-   file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
-   file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
-   "
diff --git a/recipes-security/selinux/libsemanage_git.bb 
b/recipes-security/selinux/libsemanage_git.bb
deleted file mode 100644
index 2e1fdc8..000
--- a/recipes-security/selinux/libsemanage_git.bb
+++ /dev/null
@@ -1,17 +0,0 @@
-PV = "2.7+git${SRCPV}"
-
-include selinux_git.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI += "\
-   file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
-   file://libsemanage-fix-path-nologin.patch \
-   file://libsemanage-drop-Wno-unused-but-set-variable.patch \
-   file://libsemanage-define-FD_CLOEXEC-as-necessary.patch;striplevel=2 \
-   file://libsemanage-allow-to-disable-audit-support.patch \
-   file://libsemanage-disable-expand-check-on-policy-load.patch \
-   file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
-   "
-FILES_${PN} += "/usr/libexec"
diff --git a/recipes-security/selinux/libsepol_git.bb 
b/recipes-security/selinux/libsepol_git.bb
deleted file mode 100644
index f9b8010..000
--- a/recipes-security/selinux/libsepol_git.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-PV = "2.7+git${SRCPV}"
-
-include selinux_git.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-SRC_URI += "file://0001-src-Makefile-fix-includedir-in-libsepol.pc.patch"
diff --git a/recipes-security/selinux/policycoreutils_git.bb 
b/recipes-security/selinux/policycoreutils_git.bb
deleted file mode 100644
index 6d1d23a..000
--- a/recipes-security/selinux/policycoreutils_git.bb
+++ /dev/null
@@ -1,6 +0,0 @@
-PV = "2.7+git${SRCPV}"
-
-include selinux_git.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
diff --git a/recipes-security/selinux/selinux_git.inc 
b/recipes-security/selinux/selinux_git.inc
deleted file mode 100644
index 9887bd1..000
--- a/recipes-security/selinux/selinux_git.inc
+++ /dev/null
@@ -1,11 +0,0 @@
-SRCREV = "1bac758bf6cf884c112b80545d5fc5b668fc7d71"
-
-SRC_URI = "git://github.com/SELinuxProject/selinux.git;protocol=http"
-
-include selinux_common.inc
-
-# ${S} is set in selinux_common above, but we need to change it here since the
-# top level directory is named differently
-S = "${WORKDIR}/git/${BPN}"
-
-DEFAULT_PREFERENCE = "-1"
-- 
2.7.4



[yocto] [meta-selinux][PATCH] linux-yocto: add bbappend for kernel 5.0

2019-03-19 Thread Yi Zhao
Signed-off-by: Yi Zhao 
---
 recipes-kernel/linux/linux-yocto_5.%.bbappend | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 recipes-kernel/linux/linux-yocto_5.%.bbappend

diff --git a/recipes-kernel/linux/linux-yocto_5.%.bbappend 
b/recipes-kernel/linux/linux-yocto_5.%.bbappend
new file mode 100644
index 000..7719d3b
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto_5.%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 
'${BPN}_selinux.inc', '', d)}
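Review bot: The new bbappend has no comment explaining that the `require` expands to an empty string, and so includes nothing, whenever `selinux` is missing from DISTRO_FEATURES; a kernel built that way gets none of whatever `${BPN}_selinux.inc` provides, and nothing in the build flags it. I would add a header line such as `# Include the SELinux kernel settings only when 'selinux' is in DISTRO_FEATURES; otherwise this is a no-op.` above the `require`. Because the `5.%` wildcard in the file name applies the append to every 5.x linux-yocto recipe, it is also worth checking, presumably against the generated kernel .config, that the SELinux options are actually enabled on each kernel version the layer supports. The commit message has no body, so the reason for matching the whole 5.x series rather than 5.0 alone is not recorded.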
-- 
2.7.4


