package/refpolicy: bump version to 2.20210908
authorFabrice Fontaine <fontaine.fabrice@gmail.com>
Thu, 9 Sep 2021 05:57:58 +0000 (07:57 +0200)
committerArnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Mon, 20 Sep 2021 19:13:17 +0000 (21:13 +0200)
- Drop upstreamed patches
- Add Upstream status to remaining patch
- Update indentation in hash file (two spaces)
- Fix the following build failure with wireshark, raised since commit
  975ab2fa88a0c94b362499ea8ad99222f335fb45, thanks to upstream commit
  https://github.com/SELinuxProject/refpolicy/commit/d5c571c85567fe191fcc64dfb99b36788f806ceb:

 Compiling targeted policy.31
 env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
 policy/modules/apps/wireshark.te:96:ERROR 'unknown type xdg_downloads_t' at token ';' on line 645315:
 #line 96
allow wireshark_t xdg_downloads_t:dir { getattr search open };
 checkpolicy:  error(s) encountered while parsing configuration
 make[1]: *** [Rules.monolithic:79: policy.31] Error 1

https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20210908

Fixes:
 - http://autobuild.buildroot.org/results/dfbc667e0c17072ddab89a03244f572d5234da50

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
package/refpolicy/0001-policy-modules-services-minidlna.te-make-xdg-optiona.patch [deleted file]
package/refpolicy/0001-policy-modules-services-samba.te-make-crack-optional.patch [new file with mode: 0644]
package/refpolicy/0002-policy-modules-services-cvs.te-make-inetd-optional.patch [deleted file]
package/refpolicy/0003-policy-modules-services-ifplugd.te-make-netutils-opt.patch [deleted file]
package/refpolicy/0004-policy-modules-services-ftp-te-make-ssh-optional.patch [deleted file]
package/refpolicy/0005-policy-modules-services-samba.te-make-crack-optional.patch [deleted file]
package/refpolicy/refpolicy.hash
package/refpolicy/refpolicy.mk

diff --git a/package/refpolicy/0001-policy-modules-services-minidlna.te-make-xdg-optiona.patch b/package/refpolicy/0001-policy-modules-services-minidlna.te-make-xdg-optiona.patch
deleted file mode 100644 (file)
index c4e98ad..0000000
+++ /dev/null
@@ -1,52 +0,0 @@
-From 65c87bdfb1c895934582988f03f1c9c452c1426b Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Sun, 25 Jul 2021 17:59:15 +0200
-Subject: [PATCH] policy/modules/services/minidlna.te: make xdg optional
-
-Make xdg optional to avoid the following build failure:
-
- Compiling targeted policy.28
- env LD_LIBRARY_PATH="/home/buildroot/autobuild/instance-1/output-1/host/lib:/home/buildroot/autobuild/instance-1/output-1/host/usr/lib" /home/buildroot/autobuild/instance-1/output-1/host/usr/bin/checkpolicy -c 28 -U deny -S -O -E policy.conf -o policy.28
- policy/modules/services/minidlna.te:85:ERROR 'unknown type xdg_music_t' at token ';' on line 146109:
- #line 85
-       allow minidlna_t xdg_music_t:dir { getattr search open };
- checkpolicy:  error(s) encountered while parsing configuration
- Rules.monolithic:78: recipe for target 'policy.28' failed
-
-Fixes:
- - http://autobuild.buildroot.org/results/52490172afd9b72b08a7deb0bd3c2124398bbffa/build-end.log
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: https://github.com/SELinuxProject/refpolicy/pull/396]
----
- policy/modules/services/minidlna.te | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/services/minidlna.te b/policy/modules/services/minidlna.te
-index b980d2707..4d87e8ee7 100644
---- a/policy/modules/services/minidlna.te
-+++ b/policy/modules/services/minidlna.te
-@@ -82,10 +82,6 @@ logging_search_logs(minidlna_t)
- miscfiles_read_localization(minidlna_t)
- miscfiles_read_public_files(minidlna_t)
--xdg_read_music(minidlna_t)
--xdg_read_pictures(minidlna_t)
--xdg_read_videos(minidlna_t)
--
- tunable_policy(`minidlna_read_generic_user_content',`
-       userdom_list_user_tmp(minidlna_t)
-       userdom_read_user_home_content_files(minidlna_t)
-@@ -101,3 +97,9 @@ tunable_policy(`minidlna_read_generic_user_content',`
-       userdom_dontaudit_read_user_home_content_files(minidlna_t)
-       userdom_dontaudit_read_user_tmp_files(minidlna_t)
- ')
-+
-+optional_policy(`
-+      xdg_read_music(minidlna_t)
-+      xdg_read_pictures(minidlna_t)
-+      xdg_read_videos(minidlna_t)
-+')
--- 
-2.30.2
-
diff --git a/package/refpolicy/0001-policy-modules-services-samba.te-make-crack-optional.patch b/package/refpolicy/0001-policy-modules-services-samba.te-make-crack-optional.patch
new file mode 100644 (file)
index 0000000..2dae5d4
--- /dev/null
@@ -0,0 +1,83 @@
+From 7c58f2508efc115dea03e18e1fa611ebf81f6ee6 Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Wed, 4 Aug 2021 11:12:01 +0200
+Subject: [PATCH] policy/modules/services/samba.te: make crack optional
+
+Make crack optional to avoid the following build failure:
+
+ Compiling targeted policy.31
+ env LD_LIBRARY_PATH="/tmp/instance-5/output-1/host/lib:/tmp/instance-5/output-1/host/usr/lib" /tmp/instance-5/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
+ policy/modules/services/samba.te:399:ERROR 'type crack_db_t is not within scope' at token ';' on line 360232:
+       allow smbd_t crack_db_t:dir { getattr search open };
+ #line 399
+ checkpolicy:  error(s) encountered while parsing configuration
+
+Fixes:
+ - http://autobuild.buildroot.org/results/ab7098948d1920e42fa587e07f0513f23ba7fc74
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Upstream status: https://github.com/SELinuxProject/refpolicy/pull/407]
+---
+ policy/modules/services/samba.te | 32 ++++++++++++++++++--------------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
+index 9d4665ae6..6c37625a9 100644
+--- a/policy/modules/services/samba.te
++++ b/policy/modules/services/samba.te
+@@ -396,8 +396,6 @@ userdom_signal_all_users(smbd_t)
+ userdom_home_filetrans_user_home_dir(smbd_t)
+ userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
+-usermanage_read_crack_db(smbd_t)
+-
+ ifdef(`hide_broken_symptoms',`
+       files_dontaudit_getattr_default_dirs(smbd_t)
+       files_dontaudit_getattr_boot_dirs(smbd_t)
+@@ -413,18 +411,6 @@ tunable_policy(`samba_create_home_dirs',`
+       userdom_create_user_home_dirs(smbd_t)
+ ')
+-tunable_policy(`samba_domain_controller',`
+-      gen_require(`
+-              class passwd passwd;
+-      ')
+-
+-      usermanage_domtrans_passwd(smbd_t)
+-      usermanage_kill_passwd(smbd_t)
+-      usermanage_domtrans_useradd(smbd_t)
+-      usermanage_domtrans_groupadd(smbd_t)
+-      allow smbd_t self:passwd passwd;
+-')
+-
+ tunable_policy(`samba_enable_home_dirs',`
+       userdom_manage_user_home_content_dirs(smbd_t)
+       userdom_manage_user_home_content_files(smbd_t)
+@@ -505,6 +491,24 @@ optional_policy(`
+       seutil_sigchld_newrole(smbd_t)
+ ')
++optional_policy(`
++      usermanage_read_crack_db(smbd_t)
++')
++
++optional_policy(`
++      tunable_policy(`samba_domain_controller',`
++              gen_require(`
++                      class passwd passwd;
++              ')
++
++              usermanage_domtrans_passwd(smbd_t)
++              usermanage_kill_passwd(smbd_t)
++              usermanage_domtrans_useradd(smbd_t)
++              usermanage_domtrans_groupadd(smbd_t)
++              allow smbd_t self:passwd passwd;
++      ')
++')
++
+ ########################################
+ #
+ # Nmbd Local policy
+-- 
+2.30.2
+
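Review bot: In the new 0001 patch the line `allow smbd_t self:passwd passwd;` (and its `gen_require` of `class passwd`) does not reference any usermanage type, yet it is moved inside the `optional_policy` block together with the four `usermanage_*` interfaces, so a policy that sets `samba_domain_controller` but does not ship the usermanage module silently loses smbd's passwd-class permission. If that permission is meant to hold whenever the tunable is enabled, keep the `gen_require` and the `self:passwd` allow in a plain `tunable_policy` block outside the `optional_policy`, and leave only `usermanage_domtrans_passwd`, `usermanage_kill_passwd`, `usermanage_domtrans_useradd` and `usermanage_domtrans_groupadd` inside it. The `passwd` class appears to be part of the base policy rather than of usermanage, which is why the allow should still compile on its own — worth confirming against this release's security_classes before re-submitting to upstream PR 407. The rest of the smbd local policy continues outside the hunk.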
diff --git a/package/refpolicy/0002-policy-modules-services-cvs.te-make-inetd-optional.patch b/package/refpolicy/0002-policy-modules-services-cvs.te-make-inetd-optional.patch
deleted file mode 100644 (file)
index 298f99c..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From 21b0a5bc50e15e9af7edb3edad9fac0bf03f7028 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Fri, 30 Jul 2021 23:11:38 +0200
-Subject: [PATCH] policy/modules/services/cvs.te: make inetd optional
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: not sent yet]
----
- policy/modules/services/cvs.te | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
-index f2f60556c..61589228f 100644
---- a/policy/modules/services/cvs.te
-+++ b/policy/modules/services/cvs.te
-@@ -15,7 +15,6 @@ gen_tunable(allow_cvs_read_shadow, false)
- type cvs_t;
- type cvs_exec_t;
--inetd_tcp_service_domain(cvs_t, cvs_exec_t)
- init_daemon_domain(cvs_t, cvs_exec_t)
- application_executable_file(cvs_exec_t)
-@@ -98,6 +97,10 @@ tunable_policy(`allow_cvs_read_shadow',`
-       auth_tunable_read_shadow(cvs_t)
- ')
-+optional_policy(`
-+      inetd_tcp_service_domain(cvs_t, cvs_exec_t)
-+')
-+
- optional_policy(`
-       kerberos_read_config(cvs_t)
-       kerberos_read_keytab(cvs_t)
--- 
-2.30.2
-
diff --git a/package/refpolicy/0003-policy-modules-services-ifplugd.te-make-netutils-opt.patch b/package/refpolicy/0003-policy-modules-services-ifplugd.te-make-netutils-opt.patch
deleted file mode 100644 (file)
index b43354e..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-From 6dcfb6715de75677165221ee5bd8d4db6e4a01a7 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Sat, 31 Jul 2021 10:58:42 +0200
-Subject: [PATCH] policy/modules/services/ifplugd.te: make netutils
- optional
-
-Make netutils optional to avoid the following build failure:
-
- Compiling targeted policy.30
- env LD_LIBRARY_PATH="/tmp/instance-3/output-1/host/lib:/tmp/instance-3/output-1/host/usr/lib" /tmp/instance-3/output-1/host/usr/bin/checkpolicy -c 30 -U deny -S -O -E policy.conf -o policy.30
- policy/modules/services/ifplugd.te:62:ERROR 'type netutils_exec_t is not within scope' at token ';' on line 73694:
- #line 62
-       allow ifplugd_t netutils_exec_t:file { getattr open map read execute ioctl };
- checkpolicy:  error(s) encountered while parsing configuration
-
-Fixes:
- - http://autobuild.buildroot.org/results/1e27f5b193d40dfb7c73fbe15d1bef91cb92c27d
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: not sent yet]
----
- policy/modules/services/ifplugd.te | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te
-index f49b147f7..550eecca4 100644
---- a/policy/modules/services/ifplugd.te
-+++ b/policy/modules/services/ifplugd.te
-@@ -59,8 +59,6 @@ logging_send_syslog_msg(ifplugd_t)
- miscfiles_read_localization(ifplugd_t)
--netutils_domtrans(ifplugd_t)
--
- sysnet_domtrans_ifconfig(ifplugd_t)
- sysnet_domtrans_dhcpc(ifplugd_t)
- sysnet_delete_dhcpc_runtime_files(ifplugd_t)
-@@ -70,3 +68,7 @@ sysnet_signal_dhcpc(ifplugd_t)
- optional_policy(`
-       consoletype_exec(ifplugd_t)
- ')
-+
-+optional_policy(`
-+      netutils_domtrans(ifplugd_t)
-+')
--- 
-2.30.2
-
diff --git a/package/refpolicy/0004-policy-modules-services-ftp-te-make-ssh-optional.patch b/package/refpolicy/0004-policy-modules-services-ftp-te-make-ssh-optional.patch
deleted file mode 100644 (file)
index 9269c7a..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-From f26d4bc1b2a7b781c67891cb3bf4579c6582d630 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Fri, 30 Jul 2021 22:40:20 +0200
-Subject: [PATCH] policy/modules/services/ftp.te: make ssh optional
-
-Make ssh optional to avoid the following build failure:
-
- Compiling targeted policy.30
- env LD_LIBRARY_PATH="/home/fabrice/buildroot/output/host/lib:/home/fabrice/buildroot/output/host/usr/lib" /home/fabrice/buildroot/output/host/usr/bin/checkpolicy -c 30 -U deny -S -O -E policy.conf -o policy.30
- policy/modules/services/ftp.te:484:ERROR 'type ssh_home_t is not within scope' at token ';' on line 92051:
-       allow sftpd_t ssh_home_t:dir { open read getattr lock search ioctl add_name remove_name write };
- #line 484
- checkpolicy:  error(s) encountered while parsing configuration
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- policy/modules/services/ftp.te | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 0d84da71cf..5686b22581 100644
---- a/policy/modules/services/ftp.te
-+++ b/policy/modules/services/ftp.te
-@@ -481,10 +481,6 @@ tunable_policy(`sftpd_full_access',`
-       files_manage_non_auth_files(sftpd_t)
- ')
--tunable_policy(`sftpd_write_ssh_home',`
--      ssh_manage_home_files(sftpd_t)
--')
--
- tunable_policy(`use_samba_home_dirs',`
-       fs_list_cifs(sftpd_t)
-       fs_read_cifs_files(sftpd_t)
-@@ -496,3 +492,9 @@ tunable_policy(`use_nfs_home_dirs',`
-       fs_read_nfs_files(sftpd_t)
-       fs_read_nfs_symlinks(ftpd_t)
- ')
-+
-+optional_policy(`
-+      tunable_policy(`sftpd_write_ssh_home',`
-+              ssh_manage_home_files(sftpd_t)
-+      ')
-+')
diff --git a/package/refpolicy/0005-policy-modules-services-samba.te-make-crack-optional.patch b/package/refpolicy/0005-policy-modules-services-samba.te-make-crack-optional.patch
deleted file mode 100644 (file)
index f5cc356..0000000
+++ /dev/null
@@ -1,82 +0,0 @@
-From 7c58f2508efc115dea03e18e1fa611ebf81f6ee6 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Wed, 4 Aug 2021 11:12:01 +0200
-Subject: [PATCH] policy/modules/services/samba.te: make crack optional
-
-Make crack optional to avoid the following build failure:
-
- Compiling targeted policy.31
- env LD_LIBRARY_PATH="/tmp/instance-5/output-1/host/lib:/tmp/instance-5/output-1/host/usr/lib" /tmp/instance-5/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
- policy/modules/services/samba.te:399:ERROR 'type crack_db_t is not within scope' at token ';' on line 360232:
-       allow smbd_t crack_db_t:dir { getattr search open };
- #line 399
- checkpolicy:  error(s) encountered while parsing configuration
-
-Fixes:
- - http://autobuild.buildroot.org/results/ab7098948d1920e42fa587e07f0513f23ba7fc74
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- policy/modules/services/samba.te | 32 ++++++++++++++++++--------------
- 1 file changed, 18 insertions(+), 14 deletions(-)
-
-diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index 9d4665ae6..6c37625a9 100644
---- a/policy/modules/services/samba.te
-+++ b/policy/modules/services/samba.te
-@@ -396,8 +396,6 @@ userdom_signal_all_users(smbd_t)
- userdom_home_filetrans_user_home_dir(smbd_t)
- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
--usermanage_read_crack_db(smbd_t)
--
- ifdef(`hide_broken_symptoms',`
-       files_dontaudit_getattr_default_dirs(smbd_t)
-       files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -413,18 +411,6 @@ tunable_policy(`samba_create_home_dirs',`
-       userdom_create_user_home_dirs(smbd_t)
- ')
--tunable_policy(`samba_domain_controller',`
--      gen_require(`
--              class passwd passwd;
--      ')
--
--      usermanage_domtrans_passwd(smbd_t)
--      usermanage_kill_passwd(smbd_t)
--      usermanage_domtrans_useradd(smbd_t)
--      usermanage_domtrans_groupadd(smbd_t)
--      allow smbd_t self:passwd passwd;
--')
--
- tunable_policy(`samba_enable_home_dirs',`
-       userdom_manage_user_home_content_dirs(smbd_t)
-       userdom_manage_user_home_content_files(smbd_t)
-@@ -505,6 +491,24 @@ optional_policy(`
-       seutil_sigchld_newrole(smbd_t)
- ')
-+optional_policy(`
-+      usermanage_read_crack_db(smbd_t)
-+')
-+
-+optional_policy(`
-+      tunable_policy(`samba_domain_controller',`
-+              gen_require(`
-+                      class passwd passwd;
-+              ')
-+
-+              usermanage_domtrans_passwd(smbd_t)
-+              usermanage_kill_passwd(smbd_t)
-+              usermanage_domtrans_useradd(smbd_t)
-+              usermanage_domtrans_groupadd(smbd_t)
-+              allow smbd_t self:passwd passwd;
-+      ')
-+')
-+
- ########################################
- #
- # Nmbd Local policy
--- 
-2.30.2
-
index 6c33a4d97479c56dd2046c9e12b3a4359c75ec99..b8f6f023eb159b1ff5f443d99b5c37f3740f2896 100644 (file)
@@ -1,5 +1,5 @@
 # From https://github.com/SELinuxProject/refpolicy/releases
-sha256 48cbf2c63ff9003bef05e03c8d3cdddb4e8f63fef2a072ae51c987301f0b874d  refpolicy-2.20210203.tar.bz2
+sha256  4d3140d9fbb91322f5de36d73959464ce1d8946dcd149e36fcaf60e92444e902  refpolicy-2.20210908.tar.bz2
 
 # Locally computed
-sha256 204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994 COPYING
+sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING
index a42483dba287a2035fcae4befe0b958316c4fd21..eb345d0f98c90c0ba39dc60515d0c4104aac504a 100644 (file)
@@ -22,9 +22,9 @@ REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
 REFPOLICY_SITE_METHOD = git
 BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE)
 else
-REFPOLICY_VERSION = 2.20210203
+REFPOLICY_VERSION = 2.20210908
 REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
-REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20210203
+REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION))
 endif
 
 # Cannot use multiple threads to build the reference policy