From 42fc24c32b0036d63165f2416eaf1ca4605a1d94 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Sat, 13 Mar 2021 13:50:38 +0800
Subject: restorecond: update to 3.2
* Merge inc file into bb file.
* Drop obsolete patches: policycoreutils-make-O_CLOEXEC-optional.patch
Signed-off-by: Yi Zhao
Signed-off-by: Joe MacDonald
---
recipes-security/selinux/restorecond.inc | 36 ----------------
.../policycoreutils-make-O_CLOEXEC-optional.patch | 48 ----------------------
recipes-security/selinux/restorecond_3.1.bb | 7 ----
recipes-security/selinux/restorecond_3.2.bb | 37 +++++++++++++++++
4 files changed, 37 insertions(+), 91 deletions(-)
delete mode 100644 recipes-security/selinux/restorecond.inc
delete mode 100644 recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
delete mode 100644 recipes-security/selinux/restorecond_3.1.bb
create mode 100644 recipes-security/selinux/restorecond_3.2.bb
diff --git a/recipes-security/selinux/restorecond.inc b/recipes-security/selinux/restorecond.inc
deleted file mode 100644
index a5b1635..0000000
--- a/recipes-security/selinux/restorecond.inc
+++ /dev/null
@@ -1,36 +0,0 @@
-SUMMARY = "Daemon to watch for file creation and set default file context"
-DESCRIPTION = "\
-The restorecond daemon uses inotify to watch files listed in the \
-/etc/selinux/restorecond.conf, when they are created, this daemon \
-will make sure they have the correct file context associated with \
-the policy."
-
-SECTION = "base"
-LICENSE = "GPLv2+"
-
-SRC_URI += "file://policycoreutils-make-O_CLOEXEC-optional.patch \
-"
-
-inherit systemd update-rc.d
-
-DEPENDS += "libsepol libselinux libpcre dbus-glib glib-2.0 pkgconfig-native"
-
-EXTRA_OEMAKE += "SYSTEMDSYSTEMUNITDIR=${systemd_system_unitdir} \
- SYSTEMDUSERUNITDIR=${systemd_user_unitdir} \
- "
-
-FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
- ${systemd_user_unitdir}/* \
- "
-
-SYSTEMD_SERVICE_restorecond = "restorecond.service"
-INITSCRIPT_PACKAGES = "restorecond"
-INITSCRIPT_NAME_restorecond = "restorecond"
-INITSCRIPT_PARAMS_restorecond = "defaults"
-
-do_install_append() {
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
- # remove /usr/lib/systemd/user
- rm -rf ${D}${nonarch_libdir}
- fi
-}
diff --git a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
deleted file mode 100644
index 83250eb..0000000
--- a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 4adc1c02e4da42f64249c05534875e732f043693 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald
-Date: Wed, 6 Nov 2019 23:17:50 +0800
-Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
-
-Various commits in the selinux tree in the current release added
-O_CLOEXEC to open() calls in an attempt to address file descriptor leaks
-as described:
-
- http://danwalsh.livejournal.com/53603.html
-
-However O_CLOEXEC isn't available on all platforms, so make it a
-compile-time option and generate a warning when it is not available.
-The actual impact of leaking these file descriptors is minimal, though
-it does produce curious AVC Denied messages.
-
-Upstream-Status: Inappropriate
-[O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
-
-Signed-off-by: Joe MacDonald
-Signed-off-by: Wenzong Fan
-Signed-off-by: Yi Zhao
----
- user.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/user.c b/user.c
-index 714aae7..bbf018e 100644
---- a/user.c
-+++ b/user.c
-@@ -202,7 +202,13 @@ static int local_server(void) {
- perror("asprintf");
- return -1;
- }
-- local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
-+ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
-+ #ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+ #else
-+ #warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+ #endif
-+ , S_IRUSR | S_IWUSR);
- if (debug_mode)
- g_warning ("Lock file: %s", ptr);
-
---
-2.7.4
-
diff --git a/recipes-security/selinux/restorecond_3.1.bb b/recipes-security/selinux/restorecond_3.1.bb
deleted file mode 100644
index d4e0d06..0000000
--- a/recipes-security/selinux/restorecond_3.1.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "8daf761739a150a7a29bb491726a6cd9"
-SRC_URI[sha256sum] = "82ca45099685a45d718f11f8859963c1ba83d98e510312cbf0b7dc5664c60ad0"
diff --git a/recipes-security/selinux/restorecond_3.2.bb b/recipes-security/selinux/restorecond_3.2.bb
new file mode 100644
index 0000000..d9def9a
--- /dev/null
+++ b/recipes-security/selinux/restorecond_3.2.bb
@@ -0,0 +1,37 @@
+SUMMARY = "Daemon to watch for file creation and set default file context"
+DESCRIPTION = "\
+The restorecond daemon uses inotify to watch files listed in the \
+/etc/selinux/restorecond.conf, when they are created, this daemon \
+will make sure they have the correct file context associated with \
+the policy."
+SECTION = "base"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+inherit systemd update-rc.d
+
+DEPENDS += "libsepol libselinux libpcre dbus-glib glib-2.0 pkgconfig-native"
+
+EXTRA_OEMAKE += "SYSTEMDSYSTEMUNITDIR=${systemd_system_unitdir} \
+ SYSTEMDUSERUNITDIR=${systemd_user_unitdir} \
+ "
+
+S = "${WORKDIR}/git/restorecond"
+
+FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
+ ${systemd_user_unitdir}/* \
+ "
+
+SYSTEMD_SERVICE_restorecond = "restorecond.service"
+INITSCRIPT_PACKAGES = "restorecond"
+INITSCRIPT_NAME_restorecond = "restorecond"
+INITSCRIPT_PARAMS_restorecond = "defaults"
+
+do_install_append() {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
+ # remove /usr/lib/systemd/user
+ rm -rf ${D}${nonarch_libdir}
+ fi
+}
-- cgit v1.2.3-54-g00ecf
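Review bot: The `do_install_append` at the end of the new recipe deletes all of `${D}${nonarch_libdir}` on non-systemd builds, while its comment says only `/usr/lib/systemd/user` is meant to go, so anything else the restorecond Makefile installs under that prefix would be dropped from the package without a warning. Either narrow it to `rm -rf ${D}${systemd_user_unitdir}` and remove the parent directories it leaves empty, or reword the comment to say the whole directory is removed on purpose. Separately, the `SRC_URI[md5sum]` and `SRC_URI[sha256sum]` pins from the 3.1 recipe are gone and `S` now points into `${WORKDIR}/git`, so source integrity presumably rests on a revision pin in `selinux_common.inc`, which this diff does not show. A comment above the `require`, such as `# source URI and SRCREV pin live in selinux_common.inc`, would make that dependency visible to the next reviewer.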