diff options
author | Yi Zhao <yi.zhao@windriver.com> | 2021-12-08 15:33:45 +0800 |
---|---|---|
committer | Joe MacDonald <joe@deserted.net> | 2021-12-08 16:08:35 -0500 |
commit | eb5b607d396b185aecf7c6732acc9816853a71a6 (patch) | |
tree | 47bbec46b05ff0cb271af402694a2604d2760641 | |
parent | 19089953e2a2ce8d68f92fb51b1ca3922ea66966 (diff) | |
download | meta-selinux-eb5b607d396b185aecf7c6732acc9816853a71a6.tar.gz |
selinux: upgrade 3.2 -> 3.3
Drop backport CVE patches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
-rw-r--r-- | recipes-security/selinux/checkpolicy_3.3.bb (renamed from recipes-security/selinux/checkpolicy_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/libselinux-python_3.3.bb (renamed from recipes-security/selinux/libselinux-python_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/libselinux_3.3.bb (renamed from recipes-security/selinux/libselinux_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/libsemanage_3.3.bb (renamed from recipes-security/selinux/libsemanage_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/libsepol/CVE-2021-36084.patch | 99 | ||||
-rw-r--r-- | recipes-security/selinux/libsepol/CVE-2021-36085.patch | 38 | ||||
-rw-r--r-- | recipes-security/selinux/libsepol/CVE-2021-36086.patch | 46 | ||||
-rw-r--r-- | recipes-security/selinux/libsepol_3.3.bb (renamed from recipes-security/selinux/libsepol_3.2.bb) | 4 | ||||
-rw-r--r-- | recipes-security/selinux/mcstrans_3.3.bb (renamed from recipes-security/selinux/mcstrans_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/policycoreutils_3.3.bb (renamed from recipes-security/selinux/policycoreutils_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/restorecond_3.3.bb (renamed from recipes-security/selinux/restorecond_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/secilc/CVE-2021-36087.patch | 134 | ||||
-rw-r--r-- | recipes-security/selinux/secilc_3.3.bb (renamed from recipes-security/selinux/secilc_3.2.bb) | 2 | ||||
-rw-r--r-- | recipes-security/selinux/selinux-dbus_3.3.bb (renamed from recipes-security/selinux/selinux-dbus_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/selinux-gui_3.3.bb (renamed from recipes-security/selinux/selinux-gui_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/selinux-python_3.3.bb (renamed from recipes-security/selinux/selinux-python_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/selinux-sandbox_3.3.bb (renamed from recipes-security/selinux/selinux-sandbox_3.2.bb) | 0 | ||||
-rw-r--r-- | recipes-security/selinux/selinux_common.inc | 2 | ||||
-rw-r--r-- | recipes-security/selinux/semodule-utils_3.3.bb (renamed from recipes-security/selinux/semodule-utils_3.2.bb) | 0 |
19 files changed, 1 insertions, 324 deletions
diff --git a/recipes-security/selinux/checkpolicy_3.2.bb b/recipes-security/selinux/checkpolicy_3.3.bb index 99ac470..99ac470 100644 --- a/recipes-security/selinux/checkpolicy_3.2.bb +++ b/recipes-security/selinux/checkpolicy_3.3.bb | |||
diff --git a/recipes-security/selinux/libselinux-python_3.2.bb b/recipes-security/selinux/libselinux-python_3.3.bb index 136f538..136f538 100644 --- a/recipes-security/selinux/libselinux-python_3.2.bb +++ b/recipes-security/selinux/libselinux-python_3.3.bb | |||
diff --git a/recipes-security/selinux/libselinux_3.2.bb b/recipes-security/selinux/libselinux_3.3.bb index 1144840..1144840 100644 --- a/recipes-security/selinux/libselinux_3.2.bb +++ b/recipes-security/selinux/libselinux_3.3.bb | |||
diff --git a/recipes-security/selinux/libsemanage_3.2.bb b/recipes-security/selinux/libsemanage_3.3.bb index 0a6ff95..0a6ff95 100644 --- a/recipes-security/selinux/libsemanage_3.2.bb +++ b/recipes-security/selinux/libsemanage_3.3.bb | |||
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch deleted file mode 100644 index 1001563..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36084.patch +++ /dev/null | |||
@@ -1,99 +0,0 @@ | |||
1 | From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001 | ||
2 | From: James Carter <jwcart2@gmail.com> | ||
3 | Date: Thu, 8 Apr 2021 13:32:01 -0400 | ||
4 | Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting | ||
5 | classpermission | ||
6 | |||
7 | Nicolas Iooss reports: | ||
8 | A few months ago, OSS-Fuzz found a crash in the CIL compiler, which | ||
9 | got reported as | ||
10 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title | ||
11 | is misleading, or is caused by another issue that conflicts with the | ||
12 | one I report in this message). Here is a minimized CIL policy which | ||
13 | reproduces the issue: | ||
14 | |||
15 | (class CLASS (PERM)) | ||
16 | (classorder (CLASS)) | ||
17 | (sid SID) | ||
18 | (sidorder (SID)) | ||
19 | (user USER) | ||
20 | (role ROLE) | ||
21 | (type TYPE) | ||
22 | (category CAT) | ||
23 | (categoryorder (CAT)) | ||
24 | (sensitivity SENS) | ||
25 | (sensitivityorder (SENS)) | ||
26 | (sensitivitycategory SENS (CAT)) | ||
27 | (allow TYPE self (CLASS (PERM))) | ||
28 | (roletype ROLE TYPE) | ||
29 | (userrole USER ROLE) | ||
30 | (userlevel USER (SENS)) | ||
31 | (userrange USER ((SENS)(SENS (CAT)))) | ||
32 | (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) | ||
33 | |||
34 | (classpermission CLAPERM) | ||
35 | |||
36 | (optional OPT | ||
37 | (roletype nonexistingrole nonexistingtype) | ||
38 | (classpermissionset CLAPERM (CLASS (PERM))) | ||
39 | ) | ||
40 | |||
41 | The CIL policy fuzzer (which mimics secilc built with clang Address | ||
42 | Sanitizer) reports: | ||
43 | |||
44 | ==36541==ERROR: AddressSanitizer: heap-use-after-free on address | ||
45 | 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp | ||
46 | 0x7ffe2a256588 | ||
47 | READ of size 8 at 0x603000004f98 thread T0 | ||
48 | #0 0x56445134c841 in __cil_verify_classperms | ||
49 | /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8 | ||
50 | #1 0x56445134a43e in __cil_verify_classpermission | ||
51 | /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9 | ||
52 | #2 0x56445134a43e in __cil_pre_verify_helper | ||
53 | /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8 | ||
54 | #3 0x5644513225ac in cil_tree_walk_core | ||
55 | /selinux/libsepol/src/../cil/src/cil_tree.c:272:9 | ||
56 | #4 0x564451322ab1 in cil_tree_walk | ||
57 | /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 | ||
58 | #5 0x5644513226af in cil_tree_walk_core | ||
59 | /selinux/libsepol/src/../cil/src/cil_tree.c:284:9 | ||
60 | #6 0x564451322ab1 in cil_tree_walk | ||
61 | /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 | ||
62 | #7 0x5644512b88fd in cil_pre_verify | ||
63 | /selinux/libsepol/src/../cil/src/cil_post.c:2510:7 | ||
64 | #8 0x5644512b88fd in cil_post_process | ||
65 | /selinux/libsepol/src/../cil/src/cil_post.c:2524:7 | ||
66 | #9 0x5644511856ff in cil_compile | ||
67 | /selinux/libsepol/src/../cil/src/cil.c:564:7 | ||
68 | |||
69 | The classperms list of a classpermission rule is created and filled | ||
70 | in when classpermissionset rules are processed, so it doesn't own any | ||
71 | part of the list and shouldn't retain any of it when it is reset. | ||
72 | |||
73 | Destroy the classperms list (without destroying the data in it) when | ||
74 | resetting a classpermission rule. | ||
75 | |||
76 | Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org> | ||
77 | Signed-off-by: James Carter <jwcart2@gmail.com> | ||
78 | |||
79 | Upstream-Status: Backport | ||
80 | CVE: CVE-2021-36084 | ||
81 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
82 | |||
83 | --- | ||
84 | libsepol/cil/src/cil_reset_ast.c | 2 +- | ||
85 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
86 | |||
87 | Index: libsepol-3.0/cil/src/cil_reset_ast.c | ||
88 | =================================================================== | ||
89 | --- libsepol-3.0.orig/cil/src/cil_reset_ast.c | ||
90 | +++ libsepol-3.0/cil/src/cil_reset_ast.c | ||
91 | @@ -52,7 +52,7 @@ static void cil_reset_classpermission(st | ||
92 | return; | ||
93 | } | ||
94 | |||
95 | - cil_reset_classperms_list(cp->classperms); | ||
96 | + cil_list_destroy(&cp->classperms, CIL_FALSE); | ||
97 | } | ||
98 | |||
99 | static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) | ||
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch deleted file mode 100644 index 4bd05eb..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36085.patch +++ /dev/null | |||
@@ -1,38 +0,0 @@ | |||
1 | From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001 | ||
2 | From: James Carter <jwcart2@gmail.com> | ||
3 | Date: Thu, 8 Apr 2021 13:32:04 -0400 | ||
4 | Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms | ||
5 | |||
6 | Map perms share the same struct as regular perms, but only the | ||
7 | map perms use the classperms field. This field is a pointer to a | ||
8 | list of classperms that is created and added to when resolving | ||
9 | classmapping rules, so the map permission doesn't own any of the | ||
10 | data in the list and this list should be destroyed when the AST is | ||
11 | reset. | ||
12 | |||
13 | When resetting a perm, destroy the classperms list without destroying | ||
14 | the data in the list. | ||
15 | |||
16 | Signed-off-by: James Carter <jwcart2@gmail.com> | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | CVE: CVE-2021-36085 | ||
20 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
21 | |||
22 | --- | ||
23 | libsepol/cil/src/cil_reset_ast.c | 2 +- | ||
24 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
25 | |||
26 | Index: libsepol-3.0/cil/src/cil_reset_ast.c | ||
27 | =================================================================== | ||
28 | --- libsepol-3.0.orig/cil/src/cil_reset_ast.c | ||
29 | +++ libsepol-3.0/cil/src/cil_reset_ast.c | ||
30 | @@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c | ||
31 | |||
32 | static void cil_reset_perm(struct cil_perm *perm) | ||
33 | { | ||
34 | - cil_reset_classperms_list(perm->classperms); | ||
35 | + cil_list_destroy(&perm->classperms, CIL_FALSE); | ||
36 | } | ||
37 | |||
38 | static inline void cil_reset_classperms(struct cil_classperms *cp) | ||
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36086.patch b/recipes-security/selinux/libsepol/CVE-2021-36086.patch deleted file mode 100644 index 7a2d616..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36086.patch +++ /dev/null | |||
@@ -1,46 +0,0 @@ | |||
1 | From 49f9aa2a460fc95f04c99b44f4dd0d22e2f0e5ee Mon Sep 17 00:00:00 2001 | ||
2 | From: James Carter <jwcart2@gmail.com> | ||
3 | Date: Thu, 8 Apr 2021 13:32:06 -0400 | ||
4 | Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset | ||
5 | classpermission | ||
6 | |||
7 | In struct cil_classperms_set, the set field is a pointer to a | ||
8 | struct cil_classpermission which is looked up in the symbol table. | ||
9 | Since the cil_classperms_set does not create the cil_classpermission, | ||
10 | it should not reset it. | ||
11 | |||
12 | Set the set field to NULL instead of resetting the classpermission | ||
13 | that it points to. | ||
14 | |||
15 | Signed-off-by: James Carter <jwcart2@gmail.com> | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | [https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8] | ||
19 | |||
20 | CVE: CVE-2021-36086 | ||
21 | |||
22 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
23 | --- | ||
24 | cil/src/cil_reset_ast.c | 6 +++++- | ||
25 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
26 | |||
27 | diff --git a/cil/src/cil_reset_ast.c b/cil/src/cil_reset_ast.c | ||
28 | index 89f91e5..1d9ca70 100644 | ||
29 | --- a/cil/src/cil_reset_ast.c | ||
30 | +++ b/cil/src/cil_reset_ast.c | ||
31 | @@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp) | ||
32 | |||
33 | static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) | ||
34 | { | ||
35 | - cil_reset_classpermission(cp_set->set); | ||
36 | + if (cp_set == NULL) { | ||
37 | + return; | ||
38 | + } | ||
39 | + | ||
40 | + cp_set->set = NULL; | ||
41 | } | ||
42 | |||
43 | static inline void cil_reset_classperms_list(struct cil_list *cp_list) | ||
44 | -- | ||
45 | 2.17.1 | ||
46 | |||
diff --git a/recipes-security/selinux/libsepol_3.2.bb b/recipes-security/selinux/libsepol_3.3.bb index 192f1b3..48d5f49 100644 --- a/recipes-security/selinux/libsepol_3.2.bb +++ b/recipes-security/selinux/libsepol_3.3.bb | |||
@@ -9,10 +9,6 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" | |||
9 | 9 | ||
10 | require selinux_common.inc | 10 | require selinux_common.inc |
11 | 11 | ||
12 | SRC_URI += "file://CVE-2021-36084.patch \ | ||
13 | file://CVE-2021-36085.patch \ | ||
14 | file://CVE-2021-36086.patch " | ||
15 | |||
16 | inherit lib_package | 12 | inherit lib_package |
17 | 13 | ||
18 | S = "${WORKDIR}/git/libsepol" | 14 | S = "${WORKDIR}/git/libsepol" |
diff --git a/recipes-security/selinux/mcstrans_3.2.bb b/recipes-security/selinux/mcstrans_3.3.bb index 4d99e18..4d99e18 100644 --- a/recipes-security/selinux/mcstrans_3.2.bb +++ b/recipes-security/selinux/mcstrans_3.3.bb | |||
diff --git a/recipes-security/selinux/policycoreutils_3.2.bb b/recipes-security/selinux/policycoreutils_3.3.bb index 04f8ef7..04f8ef7 100644 --- a/recipes-security/selinux/policycoreutils_3.2.bb +++ b/recipes-security/selinux/policycoreutils_3.3.bb | |||
diff --git a/recipes-security/selinux/restorecond_3.2.bb b/recipes-security/selinux/restorecond_3.3.bb index 75e65a8..75e65a8 100644 --- a/recipes-security/selinux/restorecond_3.2.bb +++ b/recipes-security/selinux/restorecond_3.3.bb | |||
diff --git a/recipes-security/selinux/secilc/CVE-2021-36087.patch b/recipes-security/selinux/secilc/CVE-2021-36087.patch deleted file mode 100644 index 5410477..0000000 --- a/recipes-security/selinux/secilc/CVE-2021-36087.patch +++ /dev/null | |||
@@ -1,134 +0,0 @@ | |||
1 | From bad0a746e9f4cf260dedba5828d9645d50176aac Mon Sep 17 00:00:00 2001 | ||
2 | From: James Carter <jwcart2@gmail.com> | ||
3 | Date: Mon, 19 Apr 2021 09:06:15 -0400 | ||
4 | Subject: [PATCH] secilc/docs: Update the CIL documentation for various blocks | ||
5 | |||
6 | Update the documentation for macros, booleans, booleanifs, tunables, | ||
7 | tunableifs, blocks, blockabstracts, blockinherits, and optionals to | ||
8 | tell where these statements can be used and, for those that have | ||
9 | blocks, what statements are not allowed in them. | ||
10 | |||
11 | Signed-off-by: James Carter <jwcart2@gmail.com> | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2021-36087 | ||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | |||
17 | --- | ||
18 | docs/cil_call_macro_statements.md | 2 ++ | ||
19 | docs/cil_conditional_statements.md | 6 +++++ | ||
20 | docs/cil_container_statements.md | 28 +++++++++++++++-------- | ||
21 | 3 files changed, 26 insertions(+), 10 deletions(-) | ||
22 | |||
23 | Index: secilc/docs/cil_call_macro_statements.md | ||
24 | =================================================================== | ||
25 | --- secilc.orig/docs/cil_call_macro_statements.md | ||
26 | +++ secilc/docs/cil_call_macro_statements.md | ||
27 | @@ -58,6 +58,8 @@ When resolving macros the following plac | ||
28 | |||
29 | - Items defined in the global namespace | ||
30 | |||
31 | +[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. | ||
32 | + | ||
33 | **Statement definition:** | ||
34 | |||
35 | ```secil | ||
36 | Index: secilc/docs/cil_conditional_statements.md | ||
37 | =================================================================== | ||
38 | --- secilc.orig/docs/cil_conditional_statements.md | ||
39 | +++ secilc/docs/cil_conditional_statements.md | ||
40 | @@ -6,6 +6,8 @@ boolean | ||
41 | |||
42 | Declares a run time boolean as true or false in the current namespace. The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file. | ||
43 | |||
44 | +[`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. | ||
45 | + | ||
46 | **Statement definition:** | ||
47 | |||
48 | ```secil | ||
49 | @@ -126,6 +128,8 @@ Tunables are similar to booleans, howeve | ||
50 | |||
51 | Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags. | ||
52 | |||
53 | +Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks. | ||
54 | + | ||
55 | **Statement definition:** | ||
56 | |||
57 | ```secil | ||
58 | @@ -164,6 +168,8 @@ tunableif | ||
59 | |||
60 | Compile time conditional statement that may or may not add CIL statements to be compiled. | ||
61 | |||
62 | +If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. | ||
63 | + | ||
64 | **Statement definition:** | ||
65 | |||
66 | ```secil | ||
67 | Index: secilc/docs/cil_container_statements.md | ||
68 | =================================================================== | ||
69 | --- secilc.orig/docs/cil_container_statements.md | ||
70 | +++ secilc/docs/cil_container_statements.md | ||
71 | @@ -4,7 +4,11 @@ Container Statements | ||
72 | block | ||
73 | ----- | ||
74 | |||
75 | -Start a new namespace where any CIL statement is valid. | ||
76 | +Start a new namespace. | ||
77 | + | ||
78 | +Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. | ||
79 | + | ||
80 | +[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks. | ||
81 | |||
82 | **Statement definition:** | ||
83 | |||
84 | @@ -47,6 +51,8 @@ blockabstract | ||
85 | |||
86 | Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement. | ||
87 | |||
88 | +Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. | ||
89 | + | ||
90 | **Statement definition:** | ||
91 | |||
92 | ```secil | ||
93 | @@ -97,6 +103,8 @@ blockinherit | ||
94 | |||
95 | Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section. | ||
96 | |||
97 | +Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. | ||
98 | + | ||
99 | **Statement definition:** | ||
100 | |||
101 | ```secil | ||
102 | @@ -199,15 +207,11 @@ This example contains a template `client | ||
103 | optional | ||
104 | -------- | ||
105 | |||
106 | -Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional)'s that apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid: | ||
107 | +Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. | ||
108 | |||
109 | -| | | | | | ||
110 | -| ------------------- | -------------- | ------------------ | ------------------ | | ||
111 | -| [`allow`](cil_access_vector_rules.md#allow) | [`allowx`](cil_access_vector_rules.md#allowx) | [`auditallow`](cil_access_vector_rules.md#auditallow) | [`auditallowx`](cil_access_vector_rules.md#auditallowx) | | ||
112 | -| [`booleanif`](cil_conditional_statements.md#booleanif) | [`dontaudit`](cil_access_vector_rules.md#dontaudit) | [`dontauditx`](cil_access_vector_rules.md#dontauditx) | [`typepermissive`](cil_type_statements.md#typepermissive) | | ||
113 | -| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition) | [`role`](cil_role_statements.md#role) | [`roleallow`](cil_role_statements.md#roleallow) | [`roleattribute`](cil_role_statements.md#roleattribute) | | ||
114 | -| [`roletransition`](cil_role_statements.md#roletransition) | [`type`](cil_type_statements.md#type) | [`typealias`](cil_type_statements.md#typealias) | [`typeattribute`](cil_type_statements.md#typeattribute) | | ||
115 | -| [`typechange`](cil_type_statements.md#typechange) | [`typemember`](cil_type_statements.md#typemember) | [`typetransition`](cil_type_statements.md#typetransition) | | | ||
116 | +Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. | ||
117 | + | ||
118 | +[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks. | ||
119 | |||
120 | **Statement definition:** | ||
121 | |||
122 | @@ -266,7 +270,11 @@ This example will instantiate the option | ||
123 | in | ||
124 | -- | ||
125 | |||
126 | -Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit). | ||
127 | +Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). | ||
128 | + | ||
129 | +Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks. | ||
130 | + | ||
131 | +[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks. | ||
132 | |||
133 | **Statement definition:** | ||
134 | |||
diff --git a/recipes-security/selinux/secilc_3.2.bb b/recipes-security/selinux/secilc_3.3.bb index 50413e0..60ab2fe 100644 --- a/recipes-security/selinux/secilc_3.2.bb +++ b/recipes-security/selinux/secilc_3.3.bb | |||
@@ -8,8 +8,6 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c7e802b9a3b0c2c852669864c08b9138" | |||
8 | 8 | ||
9 | require selinux_common.inc | 9 | require selinux_common.inc |
10 | 10 | ||
11 | SRC_URI += "file://CVE-2021-36087.patch" | ||
12 | |||
13 | DEPENDS += "libsepol xmlto-native" | 11 | DEPENDS += "libsepol xmlto-native" |
14 | 12 | ||
15 | S = "${WORKDIR}/git/secilc" | 13 | S = "${WORKDIR}/git/secilc" |
diff --git a/recipes-security/selinux/selinux-dbus_3.2.bb b/recipes-security/selinux/selinux-dbus_3.3.bb index badf392..badf392 100644 --- a/recipes-security/selinux/selinux-dbus_3.2.bb +++ b/recipes-security/selinux/selinux-dbus_3.3.bb | |||
diff --git a/recipes-security/selinux/selinux-gui_3.2.bb b/recipes-security/selinux/selinux-gui_3.3.bb index 5534ec6..5534ec6 100644 --- a/recipes-security/selinux/selinux-gui_3.2.bb +++ b/recipes-security/selinux/selinux-gui_3.3.bb | |||
diff --git a/recipes-security/selinux/selinux-python_3.2.bb b/recipes-security/selinux/selinux-python_3.3.bb index d130900..d130900 100644 --- a/recipes-security/selinux/selinux-python_3.2.bb +++ b/recipes-security/selinux/selinux-python_3.3.bb | |||
diff --git a/recipes-security/selinux/selinux-sandbox_3.2.bb b/recipes-security/selinux/selinux-sandbox_3.3.bb index a20982c..a20982c 100644 --- a/recipes-security/selinux/selinux-sandbox_3.2.bb +++ b/recipes-security/selinux/selinux-sandbox_3.3.bb | |||
diff --git a/recipes-security/selinux/selinux_common.inc b/recipes-security/selinux/selinux_common.inc index dc4ccd5..8bdf8ad 100644 --- a/recipes-security/selinux/selinux_common.inc +++ b/recipes-security/selinux/selinux_common.inc | |||
@@ -1,7 +1,7 @@ | |||
1 | HOMEPAGE = "https://github.com/SELinuxProject" | 1 | HOMEPAGE = "https://github.com/SELinuxProject" |
2 | 2 | ||
3 | SRC_URI = "git://github.com/SELinuxProject/selinux.git;branch=master;protocol=https" | 3 | SRC_URI = "git://github.com/SELinuxProject/selinux.git;branch=master;protocol=https" |
4 | SRCREV = "cf853c1a0c2328ad6c62fb2b2cc55d4926301d6b" | 4 | SRCREV = "7f600c40bc18d8180993edcd54daf45124736776" |
5 | 5 | ||
6 | UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)" | 6 | UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)" |
7 | 7 | ||
diff --git a/recipes-security/selinux/semodule-utils_3.2.bb b/recipes-security/selinux/semodule-utils_3.3.bb index a8bca0e..a8bca0e 100644 --- a/recipes-security/selinux/semodule-utils_3.2.bb +++ b/recipes-security/selinux/semodule-utils_3.3.bb | |||