From eb5b607d396b185aecf7c6732acc9816853a71a6 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 8 Dec 2021 15:33:45 +0800 Subject: selinux: upgrade 3.2 -> 3.3 Drop backport CVE patches. Signed-off-by: Yi Zhao 
Signed-off-by: Joe MacDonald --- recipes-security/selinux/checkpolicy_3.2.bb | 26 --- recipes-security/selinux/checkpolicy_3.3.bb | 26 +++ recipes-security/selinux/libselinux-python_3.2.bb | 50 ------ recipes-security/selinux/libselinux-python_3.3.bb | 50 ++++++ recipes-security/selinux/libselinux_3.2.bb | 29 ---- recipes-security/selinux/libselinux_3.3.bb | 29 ++++ recipes-security/selinux/libsemanage_3.2.bb | 54 ------- recipes-security/selinux/libsemanage_3.3.bb | 54 +++++++ .../selinux/libsepol/CVE-2021-36084.patch | 99 ------------ .../selinux/libsepol/CVE-2021-36085.patch | 38 ----- .../selinux/libsepol/CVE-2021-36086.patch | 46 ------ recipes-security/selinux/libsepol_3.2.bb | 26 --- recipes-security/selinux/libsepol_3.3.bb | 22 +++ recipes-security/selinux/mcstrans_3.2.bb | 58 ------- recipes-security/selinux/mcstrans_3.3.bb | 58 +++++++ recipes-security/selinux/policycoreutils_3.2.bb | 179 --------------------- recipes-security/selinux/policycoreutils_3.3.bb | 179 +++++++++++++++++++++ recipes-security/selinux/restorecond_3.2.bb | 37 ----- recipes-security/selinux/restorecond_3.3.bb | 37 +++++ .../selinux/secilc/CVE-2021-36087.patch | 134 --------------- recipes-security/selinux/secilc_3.2.bb | 17 -- recipes-security/selinux/secilc_3.3.bb | 15 ++ recipes-security/selinux/selinux-dbus_3.2.bb | 18 --- recipes-security/selinux/selinux-dbus_3.3.bb | 18 +++ recipes-security/selinux/selinux-gui_3.2.bb | 19 --- recipes-security/selinux/selinux-gui_3.3.bb | 19 +++ recipes-security/selinux/selinux-python_3.2.bb | 112 ------------- recipes-security/selinux/selinux-python_3.3.bb | 112 +++++++++++++ recipes-security/selinux/selinux-sandbox_3.2.bb | 30 ---- recipes-security/selinux/selinux-sandbox_3.3.bb | 30 ++++ recipes-security/selinux/selinux_common.inc | 2 +- recipes-security/selinux/semodule-utils_3.2.bb | 31 ---- recipes-security/selinux/semodule-utils_3.3.bb | 31 ++++ 33 files changed, 681 insertions(+), 1004 deletions(-) delete mode 100644 
recipes-security/selinux/checkpolicy_3.2.bb create mode 100644 recipes-security/selinux/checkpolicy_3.3.bb delete mode 100644 recipes-security/selinux/libselinux-python_3.2.bb create mode 100644 recipes-security/selinux/libselinux-python_3.3.bb delete mode 100644 recipes-security/selinux/libselinux_3.2.bb create mode 100644 recipes-security/selinux/libselinux_3.3.bb delete mode 100644 recipes-security/selinux/libsemanage_3.2.bb create mode 100644 recipes-security/selinux/libsemanage_3.3.bb delete mode 100644 recipes-security/selinux/libsepol/CVE-2021-36084.patch delete mode 100644 recipes-security/selinux/libsepol/CVE-2021-36085.patch delete mode 100644 recipes-security/selinux/libsepol/CVE-2021-36086.patch delete mode 100644 recipes-security/selinux/libsepol_3.2.bb create mode 100644 recipes-security/selinux/libsepol_3.3.bb delete mode 100644 recipes-security/selinux/mcstrans_3.2.bb create mode 100644 recipes-security/selinux/mcstrans_3.3.bb delete mode 100644 recipes-security/selinux/policycoreutils_3.2.bb create mode 100644 recipes-security/selinux/policycoreutils_3.3.bb delete mode 100644 recipes-security/selinux/restorecond_3.2.bb create mode 100644 recipes-security/selinux/restorecond_3.3.bb delete mode 100644 recipes-security/selinux/secilc/CVE-2021-36087.patch delete mode 100644 recipes-security/selinux/secilc_3.2.bb create mode 100644 recipes-security/selinux/secilc_3.3.bb delete mode 100644 recipes-security/selinux/selinux-dbus_3.2.bb create mode 100644 recipes-security/selinux/selinux-dbus_3.3.bb delete mode 100644 recipes-security/selinux/selinux-gui_3.2.bb create mode 100644 recipes-security/selinux/selinux-gui_3.3.bb delete mode 100644 recipes-security/selinux/selinux-python_3.2.bb create mode 100644 recipes-security/selinux/selinux-python_3.3.bb delete mode 100644 recipes-security/selinux/selinux-sandbox_3.2.bb create mode 100644 recipes-security/selinux/selinux-sandbox_3.3.bb delete mode 100644 recipes-security/selinux/semodule-utils_3.2.bb create 
mode 100644 recipes-security/selinux/semodule-utils_3.3.bb
diff --git a/recipes-security/selinux/checkpolicy_3.2.bb b/recipes-security/selinux/checkpolicy_3.2.bb
deleted file mode 100644
index 99ac470..0000000
--- a/recipes-security/selinux/checkpolicy_3.2.bb
+++ /dev/null
@@ -1,26 +0,0 @@
-SUMMARY = "SELinux policy compiler"
-DESCRIPTION = "\
-This package contains checkpolicy, the SELinux policy compiler. Only \
-required for building policies. It uses libsepol to generate the \
-binary policy. checkpolicy uses the static libsepol since it deals \
-with low level details of the policy that have not been \
-encapsulated/abstracted by a proper shared library interface."
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-require selinux_common.inc
-
-DEPENDS += "libsepol bison-native flex-native"
-
-EXTRA_OEMAKE += "LEX='flex'"
-EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
-
-S = "${WORKDIR}/git/checkpolicy"
-
-do_install:append() {
- install test/dismod ${D}/${bindir}/sedismod
- install test/dispol ${D}/${bindir}/sedispol
-}
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/checkpolicy_3.3.bb b/recipes-security/selinux/checkpolicy_3.3.bb
new file mode 100644
index 0000000..99ac470
--- /dev/null
+++ b/recipes-security/selinux/checkpolicy_3.3.bb
@@ -0,0 +1,26 @@
+SUMMARY = "SELinux policy compiler"
+DESCRIPTION = "\
+This package contains checkpolicy, the SELinux policy compiler. Only \
+required for building policies. It uses libsepol to generate the \
+binary policy. checkpolicy uses the static libsepol since it deals \
+with low level details of the policy that have not been \
+encapsulated/abstracted by a proper shared library interface."
+SECTION = "base"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+DEPENDS += "libsepol bison-native flex-native"
+
+EXTRA_OEMAKE += "LEX='flex'"
+EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+
+S = "${WORKDIR}/git/checkpolicy"
+
+do_install:append() {
+ install test/dismod ${D}/${bindir}/sedismod
+ install test/dispol ${D}/${bindir}/sedispol
+}
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/libselinux-python_3.2.bb b/recipes-security/selinux/libselinux-python_3.2.bb
deleted file mode 100644
index 136f538..0000000
--- a/recipes-security/selinux/libselinux-python_3.2.bb
+++ /dev/null
@@ -1,50 +0,0 @@
-SUMMARY = "SELinux library and simple utilities"
-DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
-process and file security contexts and to obtain security policy \
-decisions. Required for any applications that use the SELinux API."
-SECTION = "base"
-LICENSE = "PD"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
-
-require selinux_common.inc
-
-inherit python3native python3targetconfig pkgconfig
-
-FILESEXTRAPATHS:prepend := "${THISDIR}/libselinux:"
-SRC_URI += "\
- file://0001-Makefile-fix-python-modules-install-path-for-multili.patch \
- file://0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch \
- "
-
-S = "${WORKDIR}/git/libselinux"
-
-DEPENDS += "python3 swig-native libpcre libsepol"
-RDEPENDS:${PN} += "libselinux python3-core python3-shell"
-
-def get_policyconfigarch(d):
- import re
- target = d.getVar('TARGET_ARCH')
- p = re.compile('i.86')
- target = p.sub('i386',target)
- return "ARCH=%s" % (target)
-
-EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
-EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
-EXTRA_OEMAKE:append:libc-musl = " FTS_LDLIBS=-lfts"
-
-FILES:${PN} = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
-INSANE_SKIP:${PN} = "dev-so"
-
-do_compile() {
- oe_runmake pywrap -j1 \
- PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
- PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
- PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
-}
-
-do_install() {
- oe_runmake install-pywrap \
- DESTDIR=${D} \
- PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
- PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages'
-}
diff --git a/recipes-security/selinux/libselinux-python_3.3.bb b/recipes-security/selinux/libselinux-python_3.3.bb
new file mode 100644
index 0000000..136f538
--- /dev/null
+++ b/recipes-security/selinux/libselinux-python_3.3.bb
@@ -0,0 +1,50 @@
+SUMMARY = "SELinux library and simple utilities"
+DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
+process and file security contexts and to obtain security policy \
+decisions. Required for any applications that use the SELinux API."
+SECTION = "base"
+LICENSE = "PD"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+require selinux_common.inc
+
+inherit python3native python3targetconfig pkgconfig
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/libselinux:"
+SRC_URI += "\
+ file://0001-Makefile-fix-python-modules-install-path-for-multili.patch \
+ file://0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch \
+ "
+
+S = "${WORKDIR}/git/libselinux"
+
+DEPENDS += "python3 swig-native libpcre libsepol"
+RDEPENDS:${PN} += "libselinux python3-core python3-shell"
+
+def get_policyconfigarch(d):
+ import re
+ target = d.getVar('TARGET_ARCH')
+ p = re.compile('i.86')
+ target = p.sub('i386',target)
+ return "ARCH=%s" % (target)
+
+EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
+EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
+EXTRA_OEMAKE:append:libc-musl = " FTS_LDLIBS=-lfts"
+
+FILES:${PN} = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
+INSANE_SKIP:${PN} = "dev-so"
+
+do_compile() {
+ oe_runmake pywrap -j1 \
+ PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+ PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+ PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+}
+
+do_install() {
+ oe_runmake install-pywrap \
+ DESTDIR=${D} \
+ PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+ PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages'
+}
diff --git a/recipes-security/selinux/libselinux_3.2.bb b/recipes-security/selinux/libselinux_3.2.bb
deleted file mode 100644
index 1144840..0000000
--- a/recipes-security/selinux/libselinux_3.2.bb
+++ /dev/null
@@ -1,29 +0,0 @@
-SUMMARY = "SELinux library and simple utilities"
-DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
-process and file security contexts and to obtain security policy \
-decisions. Required for any applications that use the SELinux API."
-SECTION = "base"
-LICENSE = "PD"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
-
-require selinux_common.inc
-
-inherit lib_package python3native pkgconfig
-
-DEPENDS += "libsepol libpcre"
-DEPENDS:append:libc-musl = " fts"
-
-S = "${WORKDIR}/git/libselinux"
-
-def get_policyconfigarch(d):
- import re
- target = d.getVar('TARGET_ARCH')
- p = re.compile('i.86')
- target = p.sub('i386',target)
- return "ARCH=%s" % (target)
-
-EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
-EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
-EXTRA_OEMAKE:append:libc-musl = " FTS_LDLIBS=-lfts"
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/libselinux_3.3.bb b/recipes-security/selinux/libselinux_3.3.bb
new file mode 100644
index 0000000..1144840
--- /dev/null
+++ b/recipes-security/selinux/libselinux_3.3.bb
@@ -0,0 +1,29 @@
+SUMMARY = "SELinux library and simple utilities"
+DESCRIPTION = "libselinux provides an API for SELinux applications to get and set \
+process and file security contexts and to obtain security policy \
+decisions. Required for any applications that use the SELinux API."
+SECTION = "base"
+LICENSE = "PD"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=84b4d2c6ef954a2d4081e775a270d0d0"
+
+require selinux_common.inc
+
+inherit lib_package python3native pkgconfig
+
+DEPENDS += "libsepol libpcre"
+DEPENDS:append:libc-musl = " fts"
+
+S = "${WORKDIR}/git/libselinux"
+
+def get_policyconfigarch(d):
+ import re
+ target = d.getVar('TARGET_ARCH')
+ p = re.compile('i.86')
+ target = p.sub('i386',target)
+ return "ARCH=%s" % (target)
+
+EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"
+EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
+EXTRA_OEMAKE:append:libc-musl = " FTS_LDLIBS=-lfts"
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/libsemanage_3.2.bb b/recipes-security/selinux/libsemanage_3.2.bb
deleted file mode 100644
index 0a6ff95..0000000
--- a/recipes-security/selinux/libsemanage_3.2.bb
+++ /dev/null
@@ -1,54 +0,0 @@
-SUMMARY = "SELinux binary policy manipulation library"
-DESCRIPTION = "libsemanage provides an API for the manipulation of SELinux binary policies. \
-It is used by checkpolicy (the policy compiler) and similar tools, as well \
-as by programs like load_policy that need to perform specific transformations \
-on binary policies such as customizing policy boolean settings."
-SECTION = "base"
-LICENSE = "LGPLv2.1+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-require selinux_common.inc
-
-inherit lib_package python3native
-
-SRC_URI += "file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
- file://libsemanage-allow-to-disable-audit-support.patch \
- file://libsemanage-disable-expand-check-on-policy-load.patch \
- "
-
-DEPENDS += "libsepol libselinux bzip2 python3 bison-native flex-native swig-native"
-DEPENDS:append:class-target = " audit"
-
-S = "${WORKDIR}/git/libsemanage"
-
-PACKAGES =+ "${PN}-python"
-
-# For /usr/libexec/selinux/semanage_migrate_store
-RDEPENDS:${PN}-python += "python3-core"
-
-FILES:${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \
- ${libexecdir}/selinux/semanage_migrate_store"
-FILES:${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/*"
-FILES:${PN} += "${libexecdir}"
-
-EXTRA_OEMAKE:class-native += "DISABLE_AUDIT=y"
-
-do_compile:append() {
- oe_runmake pywrap \
- PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
- PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
- PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
-}
-
-do_install:append() {
- oe_runmake install-pywrap \
- PYCEXT='.so' \
- PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
- PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'
-
- # Update "policy-version" for semanage.conf
- sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 33/' \
- ${D}/etc/selinux/semanage.conf
-}
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/libsemanage_3.3.bb b/recipes-security/selinux/libsemanage_3.3.bb
new file mode 100644
index 0000000..0a6ff95
--- /dev/null
+++ b/recipes-security/selinux/libsemanage_3.3.bb
@@ -0,0 +1,54 @@
+SUMMARY = "SELinux binary policy manipulation library"
+DESCRIPTION = "libsemanage provides an API for the manipulation of SELinux binary policies. \
+It is used by checkpolicy (the policy compiler) and similar tools, as well \
+as by programs like load_policy that need to perform specific transformations \
+on binary policies such as customizing policy boolean settings."
+SECTION = "base"
+LICENSE = "LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+require selinux_common.inc
+
+inherit lib_package python3native
+
+SRC_URI += "file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
+ file://libsemanage-allow-to-disable-audit-support.patch \
+ file://libsemanage-disable-expand-check-on-policy-load.patch \
+ "
+
+DEPENDS += "libsepol libselinux bzip2 python3 bison-native flex-native swig-native"
+DEPENDS:append:class-target = " audit"
+
+S = "${WORKDIR}/git/libsemanage"
+
+PACKAGES =+ "${PN}-python"
+
+# For /usr/libexec/selinux/semanage_migrate_store
+RDEPENDS:${PN}-python += "python3-core"
+
+FILES:${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/* \
+ ${libexecdir}/selinux/semanage_migrate_store"
+FILES:${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.debug/*"
+FILES:${PN} += "${libexecdir}"
+
+EXTRA_OEMAKE:class-native += "DISABLE_AUDIT=y"
+
+do_compile:append() {
+ oe_runmake pywrap \
+ PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+ PYINC='-I${STAGING_INCDIR}/${PYLIBVER}' \
+ PYLIBS='-L${STAGING_LIBDIR}/${PYLIBVER} -l${PYLIBVER}'
+}
+
+do_install:append() {
+ oe_runmake install-pywrap \
+ PYCEXT='.so' \
+ PYLIBVER='python${PYTHON_BASEVERSION}${PYTHON_ABI}' \
+ PYTHONLIBDIR='${D}${libdir}/python${PYTHON_BASEVERSION}/site-packages'
+
+ # Update "policy-version" for semanage.conf
+ sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 33/' \
+ ${D}/etc/selinux/semanage.conf
+}
+
+BBCLASSEXTEND = "native"
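Review bot: In do_install:append the sed still writes a hard-coded `\1 33` as the `policy-version` for semanage.conf while the recipe moves to 3.3; that literal pins the binary policy version libsemanage emits and is tied to what the libsepol built next to it supports, so it should be re-checked on every upgrade rather than carried over unchanged. A short comment above the sed would make the coupling visible, e.g. `# policy-version is pinned here; keep it in sync with the POLICYDB_VERSION_MAX of the libsepol release selected in selinux_common.inc`. Separately, the path is spelled `${D}/etc/selinux/semanage.conf` while the other recipes in this commit (e.g. mcstrans) use `${D}${sysconfdir}`; `${D}${sysconfdir}/selinux/semanage.conf` keeps it consistent.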
diff --git a/recipes-security/selinux/libsepol/CVE-2021-36084.patch b/recipes-security/selinux/libsepol/CVE-2021-36084.patch
deleted file mode 100644
index 1001563..0000000
--- a/recipes-security/selinux/libsepol/CVE-2021-36084.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001 -From: James Carter -Date: Thu, 8 Apr 2021 13:32:01 -0400 -Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting - classpermission - -Nicolas Iooss reports: - A few months ago, OSS-Fuzz found a crash in the CIL compiler, which - got reported as - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title - is misleading, or is caused by another issue that conflicts with the - one I report in this message). Here is a minimized CIL policy which - reproduces the issue: - - (class CLASS (PERM)) - (classorder (CLASS)) - (sid SID) - (sidorder (SID)) - (user USER) - (role ROLE) - (type TYPE) - (category CAT) - (categoryorder (CAT)) - (sensitivity SENS) - (sensitivityorder (SENS)) - (sensitivitycategory SENS (CAT)) - (allow TYPE self (CLASS (PERM))) - (roletype ROLE TYPE) - (userrole USER ROLE) - (userlevel USER (SENS)) - (userrange USER ((SENS)(SENS (CAT)))) - (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) - - (classpermission CLAPERM) - - (optional OPT - (roletype nonexistingrole nonexistingtype) - (classpermissionset CLAPERM (CLASS (PERM))) - ) - - The CIL policy fuzzer (which mimics secilc built with clang Address - Sanitizer) reports: - - ==36541==ERROR: AddressSanitizer: heap-use-after-free on address - 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp - 0x7ffe2a256588 - READ of size 8 at 0x603000004f98 thread T0 - #0 0x56445134c841 in __cil_verify_classperms - /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8 - #1 0x56445134a43e in __cil_verify_classpermission - /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9 - #2 0x56445134a43e in __cil_pre_verify_helper - /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8 - #3 0x5644513225ac in cil_tree_walk_core - /selinux/libsepol/src/../cil/src/cil_tree.c:272:9 - #4 0x564451322ab1 in cil_tree_walk - /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 - #5 0x5644513226af in cil_tree_walk_core - 
/selinux/libsepol/src/../cil/src/cil_tree.c:284:9 - #6 0x564451322ab1 in cil_tree_walk - /selinux/libsepol/src/../cil/src/cil_tree.c:316:7 - #7 0x5644512b88fd in cil_pre_verify - /selinux/libsepol/src/../cil/src/cil_post.c:2510:7 - #8 0x5644512b88fd in cil_post_process - /selinux/libsepol/src/../cil/src/cil_post.c:2524:7 - #9 0x5644511856ff in cil_compile - /selinux/libsepol/src/../cil/src/cil.c:564:7 - -The classperms list of a classpermission rule is created and filled -in when classpermissionset rules are processed, so it doesn't own any -part of the list and shouldn't retain any of it when it is reset. - -Destroy the classperms list (without destroying the data in it) when -resetting a classpermission rule. - -Reported-by: Nicolas Iooss -Signed-off-by: James Carter - -Upstream-Status: Backport -CVE: CVE-2021-36084 -Signed-off-by: Armin Kuster - ---- - libsepol/cil/src/cil_reset_ast.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: libsepol-3.0/cil/src/cil_reset_ast.c -=================================================================== ---- libsepol-3.0.orig/cil/src/cil_reset_ast.c -+++ libsepol-3.0/cil/src/cil_reset_ast.c -@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st - return; - } - -- cil_reset_classperms_list(cp->classperms); -+ cil_list_destroy(&cp->classperms, CIL_FALSE); - } - - static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) diff --git a/recipes-security/selinux/libsepol/CVE-2021-36085.patch b/recipes-security/selinux/libsepol/CVE-2021-36085.patch deleted file mode 100644 index 4bd05eb..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36085.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001 -From: James Carter -Date: Thu, 8 Apr 2021 13:32:04 -0400 -Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms - -Map perms share the same struct as regular perms, but only the -map perms use the classperms field. This field is a pointer to a -list of classperms that is created and added to when resolving -classmapping rules, so the map permission doesn't own any of the -data in the list and this list should be destroyed when the AST is -reset. - -When resetting a perm, destroy the classperms list without destroying -the data in the list. - -Signed-off-by: James Carter - -Upstream-Status: Backport -CVE: CVE-2021-36085 -Signed-off-by: Armin Kuster - ---- - libsepol/cil/src/cil_reset_ast.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: libsepol-3.0/cil/src/cil_reset_ast.c -=================================================================== ---- libsepol-3.0.orig/cil/src/cil_reset_ast.c -+++ libsepol-3.0/cil/src/cil_reset_ast.c -@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c - - static void cil_reset_perm(struct cil_perm *perm) - { -- cil_reset_classperms_list(perm->classperms); -+ cil_list_destroy(&perm->classperms, CIL_FALSE); - } - - static inline void cil_reset_classperms(struct cil_classperms *cp) diff --git a/recipes-security/selinux/libsepol/CVE-2021-36086.patch b/recipes-security/selinux/libsepol/CVE-2021-36086.patch deleted file mode 100644 index 7a2d616..0000000 --- a/recipes-security/selinux/libsepol/CVE-2021-36086.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 49f9aa2a460fc95f04c99b44f4dd0d22e2f0e5ee Mon Sep 17 00:00:00 2001 -From: James Carter -Date: Thu, 8 Apr 2021 13:32:06 -0400 -Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset - classpermission - -In struct cil_classperms_set, the set field is a pointer to a -struct cil_classpermission which is looked up in the symbol table. -Since the cil_classperms_set does not create the cil_classpermission, -it should not reset it. - -Set the set field to NULL instead of resetting the classpermission -that it points to. - -Signed-off-by: James Carter - -Upstream-Status: Backport -[https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8] - -CVE: CVE-2021-36086 - -Signed-off-by: Yi Zhao ---- - cil/src/cil_reset_ast.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/cil/src/cil_reset_ast.c b/cil/src/cil_reset_ast.c -index 89f91e5..1d9ca70 100644 ---- a/cil/src/cil_reset_ast.c -+++ b/cil/src/cil_reset_ast.c -@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp) - - static void cil_reset_classperms_set(struct cil_classperms_set *cp_set) - { -- cil_reset_classpermission(cp_set->set); -+ if (cp_set == NULL) { -+ return; -+ } -+ -+ cp_set->set = NULL; - } - - static inline void cil_reset_classperms_list(struct cil_list *cp_list) --- -2.17.1 - diff --git a/recipes-security/selinux/libsepol_3.2.bb b/recipes-security/selinux/libsepol_3.2.bb deleted file mode 100644 index 192f1b3..0000000 --- a/recipes-security/selinux/libsepol_3.2.bb +++ /dev/null 
@@ -1,26 +0,0 @@
-SUMMARY = "SELinux binary policy manipulation library"
-DESCRIPTION = "libsepol provides an API for the manipulation of SELinux binary policies. \
-It is used by checkpolicy (the policy compiler) and similar tools, as well \
-as by programs like load_policy that need to perform specific transformations \
-on binary policies such as customizing policy boolean settings."
-SECTION = "base"
-LICENSE = "LGPLv2+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
-
-require selinux_common.inc
-
-SRC_URI += "file://CVE-2021-36084.patch \
- file://CVE-2021-36085.patch \
- file://CVE-2021-36086.patch "
-
-inherit lib_package
-
-S = "${WORKDIR}/git/libsepol"
-
-# Change RANLIB for cross compiling, use host-tools $(AR) rather than
-# local ranlib.
-EXTRA_OEMAKE += "RANLIB='$(AR) s'"
-
-DEPENDS += "flex-native"
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/libsepol_3.3.bb b/recipes-security/selinux/libsepol_3.3.bb
new file mode 100644
index 0000000..48d5f49
--- /dev/null
+++ b/recipes-security/selinux/libsepol_3.3.bb
@@ -0,0 +1,22 @@
+SUMMARY = "SELinux binary policy manipulation library"
+DESCRIPTION = "libsepol provides an API for the manipulation of SELinux binary policies. \
+It is used by checkpolicy (the policy compiler) and similar tools, as well \
+as by programs like load_policy that need to perform specific transformations \
+on binary policies such as customizing policy boolean settings."
+SECTION = "base"
+LICENSE = "LGPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
+
+require selinux_common.inc
+
+inherit lib_package
+
+S = "${WORKDIR}/git/libsepol"
+
+# Change RANLIB for cross compiling, use host-tools $(AR) rather than
+# local ranlib.
+EXTRA_OEMAKE += "RANLIB='$(AR) s'"
+
+DEPENDS += "flex-native"
+
+BBCLASSEXTEND = "native"
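Review bot: The new libsepol_3.3.bb drops the SRC_URI entries for CVE-2021-36084, CVE-2021-36085 and CVE-2021-36086 without the commit recording that the upstream fixes are part of the 3.3 release; the dropped CVE-2021-36086.patch cites upstream commit c49a8ea09501ad66e799ea41b8154b6770fec2c8, and these fixes landed after 3.2 shipped, so they are expected to be in 3.3 but that should be verified against the tag that selinux_common.inc (changed in this commit, but outside this chunk) now selects. The same applies to secilc's CVE-2021-36087.patch, whose recipe hunk is also not in this chunk. Stating it in the commit message, e.g. `Drop the backported CVE patches; the fixes for CVE-2021-36084..36087 are included in the 3.3 release.`, saves later cve-check triage from having to rediscover why the patch files vanished.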
diff --git a/recipes-security/selinux/mcstrans_3.2.bb b/recipes-security/selinux/mcstrans_3.2.bb
deleted file mode 100644
index 4d99e18..0000000
--- a/recipes-security/selinux/mcstrans_3.2.bb
+++ /dev/null
@@ -1,58 +0,0 @@
-
-SUMMARY = "Daemon to translate SELinux MCS/MLS sensitivity labels"
-DESCRIPTION = "\
-mcstrans provides an translation daemon to translate SELinux categories \
-from internal representations to user defined representation."
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-
-require selinux_common.inc
-
-inherit systemd update-rc.d
-
-SRC_URI += "file://mcstrans-de-bashify.patch \
- file://mcstrans-fix-the-init-script.patch \
- "
-
-DEPENDS += "libsepol libselinux libcap"
-
-EXTRA_OEMAKE += "SBINDIR=${base_sbindir} \
- INITDIR=${sysconfdir}/init.d \
- SYSTEMDDIR=${systemd_unitdir} \
- "
-
-S = "${WORKDIR}/git/mcstrans"
-
-do_install:append() {
- install -d ${D}${sbindir}
- install -m 755 utils/untranscon ${D}${sbindir}/
- install -m 755 utils/transcon ${D}${sbindir}/
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/tmpfiles.d
- echo "d ${localstatedir}/run/setrans - - - -" \
- > ${D}${sysconfdir}/tmpfiles.d/setrans.conf
- else
- install -d ${D}${sysconfdir}/default/volatiles
- echo "d root root 0755 /var/run/setrans none" \
- >${D}${sysconfdir}/default/volatiles/80_mcstrans
- fi
- install -d ${D}${datadir}/mcstrans
- cp -r share/* ${D}${datadir}/mcstrans/.
-}
-
-SYSTEMD_SERVICE:mcstrans = "mcstrans.service"
-INITSCRIPT_PACKAGES = "mcstrans"
-INITSCRIPT_NAME:mcstrans = "mcstrans"
-INITSCRIPT_PARAMS:mcstrans = "defaults"
-
-pkg_postinst:mcstrans () {
- if [ -z "$D" ]; then
- if command -v systemd-tmpfiles >/dev/null; then
- systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf
- elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
- ${sysconfdir}/init.d/populate-volatile.sh update
- fi
- fi
-}
diff --git a/recipes-security/selinux/mcstrans_3.3.bb b/recipes-security/selinux/mcstrans_3.3.bb
new file mode 100644
index 0000000..4d99e18
--- /dev/null
+++ b/recipes-security/selinux/mcstrans_3.3.bb
@@ -0,0 +1,58 @@
+
+SUMMARY = "Daemon to translate SELinux MCS/MLS sensitivity labels"
+DESCRIPTION = "\
+mcstrans provides an translation daemon to translate SELinux categories \
+from internal representations to user defined representation."
+SECTION = "base"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+require selinux_common.inc
+
+inherit systemd update-rc.d
+
+SRC_URI += "file://mcstrans-de-bashify.patch \
+ file://mcstrans-fix-the-init-script.patch \
+ "
+
+DEPENDS += "libsepol libselinux libcap"
+
+EXTRA_OEMAKE += "SBINDIR=${base_sbindir} \
+ INITDIR=${sysconfdir}/init.d \
+ SYSTEMDDIR=${systemd_unitdir} \
+ "
+
+S = "${WORKDIR}/git/mcstrans"
+
+do_install:append() {
+ install -d ${D}${sbindir}
+ install -m 755 utils/untranscon ${D}${sbindir}/
+ install -m 755 utils/transcon ${D}${sbindir}/
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ echo "d ${localstatedir}/run/setrans - - - -" \
+ > ${D}${sysconfdir}/tmpfiles.d/setrans.conf
+ else
+ install -d ${D}${sysconfdir}/default/volatiles
+ echo "d root root 0755 /var/run/setrans none" \
+ >${D}${sysconfdir}/default/volatiles/80_mcstrans
+ fi
+ install -d ${D}${datadir}/mcstrans
+ cp -r share/* ${D}${datadir}/mcstrans/.
+}
+
+SYSTEMD_SERVICE:mcstrans = "mcstrans.service"
+INITSCRIPT_PACKAGES = "mcstrans"
+INITSCRIPT_NAME:mcstrans = "mcstrans"
+INITSCRIPT_PARAMS:mcstrans = "defaults"
+
+pkg_postinst:mcstrans () {
+ if [ -z "$D" ]; then
+ if command -v systemd-tmpfiles >/dev/null; then
+ systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf
+ elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+ fi
+ fi
+}
diff --git a/recipes-security/selinux/policycoreutils_3.2.bb b/recipes-security/selinux/policycoreutils_3.2.bb
deleted file mode 100644
index 04f8ef7..0000000
--- a/recipes-security/selinux/policycoreutils_3.2.bb
+++ /dev/null
@@ -1,179 +0,0 @@
-SUMMARY = "SELinux policy core utilities"
-DESCRIPTION = "policycoreutils contains the policy core utilities that are required \
-for basic operation of a SELinux system. These utilities include \
-load_policy to load policies, setfiles to label filesystems, newrole \
-to switch roles, and run_init to run /etc/init.d scripts in the proper \
-context."
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-require selinux_common.inc
-
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
- file://policycoreutils-fixfiles-de-bashify.patch \
- "
-
-PAM_SRC_URI = "file://pam.d/newrole \
- file://pam.d/run_init \
- "
-
-DEPENDS += "libsepol libselinux libsemanage libcap gettext-native"
-EXTRA_DEPENDS = "libcap-ng libcgroup"
-DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
-
-S = "${WORKDIR}/git/policycoreutils"
-
-inherit selinux python3native
-
-RDEPENDS:${BPN}-fixfiles += "\
- ${BPN}-setfiles \
- grep \
- findutils \
-"
-RDEPENDS:${BPN}-genhomedircon += "\
- ${BPN}-semodule \
-"
-RDEPENDS:${BPN}-loadpolicy += "\
- libselinux \
- libsepol \
-"
-RDEPENDS:${BPN}-newrole += "\
- libcap-ng \
- libselinux \
-"
-RDEPENDS:${BPN}-runinit += "libselinux"
-RDEPENDS:${BPN}-secon += "libselinux"
-RDEPENDS:${BPN}-semodule += "\
- libsepol \
- libselinux \
- libsemanage \
-"
-RDEPENDS:${BPN}-sestatus += "libselinux"
-RDEPENDS:${BPN}-setfiles += "\
- libselinux \
- libsepol \
-"
-RDEPENDS:${BPN}-setsebool += "\
- libsepol \
- libselinux \
- libsemanage \
-"
-RDEPENDS:${BPN} += "selinux-python"
-
-PACKAGES =+ "\
- ${PN}-fixfiles \
- ${PN}-genhomedircon \
- ${PN}-hll \
- ${PN}-loadpolicy \
- ${PN}-newrole \
- ${PN}-runinit \
- ${PN}-secon \
- ${PN}-semodule \
- ${PN}-sestatus \
- ${PN}-setfiles \
- ${PN}-setsebool \
-"
-FILES:${PN}-fixfiles += "${base_sbindir}/fixfiles"
-FILES:${PN}-genhomedircon += "${base_sbindir}/genhomedircon"
-FILES:${PN}-loadpolicy += "\
- ${base_sbindir}/load_policy \
-"
-FILES:${PN}-newrole += "\
- ${bindir}/newrole \
- ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \
-"
-FILES:${PN}-runinit += "\
- ${base_sbindir}/run_init \
- ${base_sbindir}/open_init_pty \
- ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
-"
-FILES:${PN}-dbg += "${prefix}/libexec/selinux/hll/.debug"
-FILES:${PN}-secon += "${bindir}/secon"
-FILES:${PN}-semodule += "${base_sbindir}/semodule"
-FILES:${PN}-hll += "${prefix}/libexec/selinux/hll/*"
-FILES:${PN}-sestatus += "\
- ${base_sbindir}/sestatus \
- ${sysconfdir}/sestatus.conf \
-"
-FILES:${PN}-setfiles += "\
- ${base_sbindir}/restorecon \
- ${base_sbindir}/restorecon_xattr \
- ${base_sbindir}/setfiles \
-"
-FILES:${PN}-setsebool += "\
- ${base_sbindir}/setsebool \
- ${datadir}/bash-completion/completions/setsebool \
-"
-
-export STAGING_INCDIR
-export STAGING_LIBDIR
-export BUILD_SYS
-export HOST_SYS
-
-PACKAGECONFIG:class-target ?= "\
- ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} \
- audit \
-"
-
-PACKAGECONFIG[libpam] = ",,libpam,"
-PACKAGECONFIG[audit] = ",,audit,"
-
-EXTRA_OEMAKE += "\
- ${@bb.utils.contains('PACKAGECONFIG', 'libpam', 'PAMH=y', 'PAMH=', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'AUDITH=y', 'AUDITH=', d)} \
- INOTIFYH=n \
- PREFIX=${prefix} \
- SBINDIR=${base_sbindir} \
-"
-
-BBCLASSEXTEND = "native"
-
-PCU_NATIVE_CMDS = "setfiles semodule hll"
-
-do_compile:class-native() {
- for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
- oe_runmake -C $PCU_CMD \
- INCLUDEDIR='${STAGING_INCDIR}' \
- LIBDIR='${STAGING_LIBDIR}'
- done
-}
-
-sysroot_stage_dirs:append:class-native() {
- cp -R $from/${prefix}/libexec $to/${prefix}/libexec
-}
-
-do_compile:prepend() {
- export PYTHON=python3
- export PYLIBVER='python${PYTHON_BASEVERSION}'
- export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}"
- export 
PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so"
- export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages"
-}
-
-do_install:prepend() {
- export PYTHON=python3
- export SBINDIR="${D}/${base_sbindir}"
-}
-
-do_install:class-native() {
- for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
- oe_runmake -C $PCU_CMD install \
- DESTDIR="${D}" \
- PREFIX="${prefix}" \
- SBINDIR="${base_sbindir}"
- done
-}
-
-do_install:append:class-target() {
- if [ -e ${WORKDIR}/pam.d ]; then
- install -d ${D}${sysconfdir}/pam.d/
- install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
- fi
-
- # /var/lib/selinux is involved by seobject.py:
- # + dirname = "/var/lib/selinux"
- # and it's required for running command:
- # $ semanage permissive [OPTS]
- install -d ${D}${localstatedir}/lib/selinux
-}
diff --git a/recipes-security/selinux/policycoreutils_3.3.bb b/recipes-security/selinux/policycoreutils_3.3.bb
new file mode 100644
index 0000000..04f8ef7
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils_3.3.bb
@@ -0,0 +1,179 @@
+SUMMARY = "SELinux policy core utilities"
+DESCRIPTION = "policycoreutils contains the policy core utilities that are required \
+for basic operation of a SELinux system. These utilities include \
+load_policy to load policies, setfiles to label filesystems, newrole \
+to switch roles, and run_init to run /etc/init.d scripts in the proper \
+context."
+SECTION = "base"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+ file://policycoreutils-fixfiles-de-bashify.patch \
+ "
+
+PAM_SRC_URI = "file://pam.d/newrole \
+ file://pam.d/run_init \
+ "
+
+DEPENDS += "libsepol libselinux libsemanage libcap gettext-native"
+EXTRA_DEPENDS = "libcap-ng libcgroup"
+DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
+
+S = "${WORKDIR}/git/policycoreutils"
+
+inherit selinux python3native
+
+RDEPENDS:${BPN}-fixfiles += "\
+ ${BPN}-setfiles \
+ grep \
+ findutils \
+"
+RDEPENDS:${BPN}-genhomedircon += "\
+ ${BPN}-semodule \
+"
+RDEPENDS:${BPN}-loadpolicy += "\
+ libselinux \
+ libsepol \
+"
+RDEPENDS:${BPN}-newrole += "\
+ libcap-ng \
+ libselinux \
+"
+RDEPENDS:${BPN}-runinit += "libselinux"
+RDEPENDS:${BPN}-secon += "libselinux"
+RDEPENDS:${BPN}-semodule += "\
+ libsepol \
+ libselinux \
+ libsemanage \
+"
+RDEPENDS:${BPN}-sestatus += "libselinux"
+RDEPENDS:${BPN}-setfiles += "\
+ libselinux \
+ libsepol \
+"
+RDEPENDS:${BPN}-setsebool += "\
+ libsepol \
+ libselinux \
+ libsemanage \
+"
+RDEPENDS:${BPN} += "selinux-python"
+
+PACKAGES =+ "\
+ ${PN}-fixfiles \
+ ${PN}-genhomedircon \
+ ${PN}-hll \
+ ${PN}-loadpolicy \
+ ${PN}-newrole \
+ ${PN}-runinit \
+ ${PN}-secon \
+ ${PN}-semodule \
+ ${PN}-sestatus \
+ ${PN}-setfiles \
+ ${PN}-setsebool \
+"
+FILES:${PN}-fixfiles += "${base_sbindir}/fixfiles"
+FILES:${PN}-genhomedircon += "${base_sbindir}/genhomedircon"
+FILES:${PN}-loadpolicy += "\
+ ${base_sbindir}/load_policy \
+"
+FILES:${PN}-newrole += "\
+ ${bindir}/newrole \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \
+"
+FILES:${PN}-runinit += "\
+ ${base_sbindir}/run_init \
+ ${base_sbindir}/open_init_pty \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
+"
+FILES:${PN}-dbg += "${prefix}/libexec/selinux/hll/.debug"
+FILES:${PN}-secon += "${bindir}/secon"
+FILES:${PN}-semodule += "${base_sbindir}/semodule"
+FILES:${PN}-hll += "${prefix}/libexec/selinux/hll/*"
+FILES:${PN}-sestatus += "\
+ ${base_sbindir}/sestatus \
+ ${sysconfdir}/sestatus.conf \
+"
+FILES:${PN}-setfiles += "\
+ ${base_sbindir}/restorecon \
+ ${base_sbindir}/restorecon_xattr \
+ ${base_sbindir}/setfiles \
+"
+FILES:${PN}-setsebool += "\
+ ${base_sbindir}/setsebool \
+ ${datadir}/bash-completion/completions/setsebool \
+"
+
+export STAGING_INCDIR
+export STAGING_LIBDIR
+export BUILD_SYS
+export HOST_SYS
+
+PACKAGECONFIG:class-target ?= "\
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} \
+ audit \
+"
+
+PACKAGECONFIG[libpam] = ",,libpam,"
+PACKAGECONFIG[audit] = ",,audit,"
+
+EXTRA_OEMAKE += "\
+ ${@bb.utils.contains('PACKAGECONFIG', 'libpam', 'PAMH=y', 'PAMH=', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'audit', 'AUDITH=y', 'AUDITH=', d)} \
+ INOTIFYH=n \
+ PREFIX=${prefix} \
+ SBINDIR=${base_sbindir} \
+"
+
+BBCLASSEXTEND = "native"
+
+PCU_NATIVE_CMDS = "setfiles semodule hll"
+
+do_compile:class-native() {
+ for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
+ oe_runmake -C $PCU_CMD \
+ INCLUDEDIR='${STAGING_INCDIR}' \
+ LIBDIR='${STAGING_LIBDIR}'
+ done
+}
+
+sysroot_stage_dirs:append:class-native() {
+ cp -R $from/${prefix}/libexec $to/${prefix}/libexec
+}
+
+do_compile:prepend() {
+ export PYTHON=python3
+ export PYLIBVER='python${PYTHON_BASEVERSION}'
+ export PYTHON_CPPFLAGS="-I${STAGING_INCDIR}/${PYLIBVER}"
+ export 
PYTHON_LDFLAGS="${STAGING_LIBDIR}/lib${PYLIBVER}.so"
+ export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages"
+}
+
+do_install:prepend() {
+ export PYTHON=python3
+ export SBINDIR="${D}/${base_sbindir}"
+}
+
+do_install:class-native() {
+ for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
+ oe_runmake -C $PCU_CMD install \
+ DESTDIR="${D}" \
+ PREFIX="${prefix}" \
+ SBINDIR="${base_sbindir}"
+ done
+}
+
+do_install:append:class-target() {
+ if [ -e ${WORKDIR}/pam.d ]; then
+ install -d ${D}${sysconfdir}/pam.d/
+ install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
+ fi
+
+ # /var/lib/selinux is involved by seobject.py:
+ # + dirname = "/var/lib/selinux"
+ # and it's required for running command:
+ # $ semanage permissive [OPTS]
+ install -d ${D}${localstatedir}/lib/selinux
+}
diff --git a/recipes-security/selinux/restorecond_3.2.bb b/recipes-security/selinux/restorecond_3.2.bb
deleted file mode 100644
index 75e65a8..0000000
--- a/recipes-security/selinux/restorecond_3.2.bb
+++ /dev/null
@@ -1,37 +0,0 @@
-SUMMARY = "Daemon to watch for file creation and set default file context"
-DESCRIPTION = "\
-The restorecond daemon uses inotify to watch files listed in the \
-/etc/selinux/restorecond.conf, when they are created, this daemon \
-will make sure they have the correct file context associated with \
-the policy."
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-require selinux_common.inc
-
-inherit systemd update-rc.d
-
-DEPENDS += "libsepol libselinux libpcre dbus-glib glib-2.0 pkgconfig-native"
-
-EXTRA_OEMAKE += "SYSTEMDSYSTEMUNITDIR=${systemd_system_unitdir} \
- SYSTEMDUSERUNITDIR=${systemd_user_unitdir} \
- "
-
-S = "${WORKDIR}/git/restorecond"
-
-FILES:${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
- ${systemd_user_unitdir}/* \
- "
-
-SYSTEMD_SERVICE:restorecond = "restorecond.service"
-INITSCRIPT_PACKAGES = "restorecond"
-INITSCRIPT_NAME:restorecond = "restorecond"
-INITSCRIPT_PARAMS:restorecond = "defaults"
-
-do_install:append() {
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
- # remove /usr/lib/systemd/user
- rm -rf ${D}${nonarch_libdir}
- fi
-}
diff --git a/recipes-security/selinux/restorecond_3.3.bb b/recipes-security/selinux/restorecond_3.3.bb
new file mode 100644
index 0000000..75e65a8
--- /dev/null
+++ b/recipes-security/selinux/restorecond_3.3.bb
@@ -0,0 +1,37 @@
+SUMMARY = "Daemon to watch for file creation and set default file context"
+DESCRIPTION = "\
+The restorecond daemon uses inotify to watch files listed in the \
+/etc/selinux/restorecond.conf, when they are created, this daemon \
+will make sure they have the correct file context associated with \
+the policy."
+SECTION = "base"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+inherit systemd update-rc.d
+
+DEPENDS += "libsepol libselinux libpcre dbus-glib glib-2.0 pkgconfig-native"
+
+EXTRA_OEMAKE += "SYSTEMDSYSTEMUNITDIR=${systemd_system_unitdir} \
+ SYSTEMDUSERUNITDIR=${systemd_user_unitdir} \
+ "
+
+S = "${WORKDIR}/git/restorecond"
+
+FILES:${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
+ ${systemd_user_unitdir}/* \
+ "
+
+SYSTEMD_SERVICE:restorecond = "restorecond.service"
+INITSCRIPT_PACKAGES = "restorecond"
+INITSCRIPT_NAME:restorecond = "restorecond"
+INITSCRIPT_PARAMS:restorecond = "defaults"
+
+do_install:append() {
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'false', 'true', d)}; then
+ # remove /usr/lib/systemd/user
+ rm -rf ${D}${nonarch_libdir}
+ fi
+}
diff --git a/recipes-security/selinux/secilc/CVE-2021-36087.patch b/recipes-security/selinux/secilc/CVE-2021-36087.patch
deleted file mode 100644
index 5410477..0000000
--- a/recipes-security/selinux/secilc/CVE-2021-36087.patch
+++ /dev/null
@@ -1,134 +0,0 @@ -From bad0a746e9f4cf260dedba5828d9645d50176aac Mon Sep 17 00:00:00 2001 -From: James Carter -Date: Mon, 19 Apr 2021 09:06:15 -0400 -Subject: [PATCH] secilc/docs: Update the CIL documentation for various blocks - -Update the documentation for macros, booleans, booleanifs, tunables, -tunableifs, blocks, blockabstracts, blockinherits, and optionals to -tell where these statements can be used and, for those that have -blocks, what statements are not allowed in them. - -Signed-off-by: James Carter - -Upstream-Status: Backport -CVE: CVE-2021-36087 -Signed-off-by: Armin Kuster - ---- - docs/cil_call_macro_statements.md | 2 ++ - docs/cil_conditional_statements.md | 6 +++++ - docs/cil_container_statements.md | 28 +++++++++++++++-------- - 3 files changed, 26 insertions(+), 10 deletions(-) - -Index: secilc/docs/cil_call_macro_statements.md -=================================================================== ---- secilc.orig/docs/cil_call_macro_statements.md -+++ secilc/docs/cil_call_macro_statements.md -@@ -58,6 +58,8 @@ When resolving macros the following plac - - - Items defined in the global namespace - -+[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. -+ - **Statement definition:** - - ```secil -Index: secilc/docs/cil_conditional_statements.md -=================================================================== ---- secilc.orig/docs/cil_conditional_statements.md -+++ secilc/docs/cil_conditional_statements.md -@@ -6,6 +6,8 @@ boolean - - Declares a run time boolean as true or false in the current namespace. 
The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file. - -+[`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. -+ - **Statement definition:** - - ```secil -@@ -126,6 +128,8 @@ Tunables are similar to booleans, howeve - - Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags. - -+Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks. -+ - **Statement definition:** - - ```secil -@@ -164,6 +168,8 @@ tunableif - - Compile time conditional statement that may or may not add CIL statements to be compiled. - -+If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. 
-+ - **Statement definition:** - - ```secil -Index: secilc/docs/cil_container_statements.md -=================================================================== ---- secilc.orig/docs/cil_container_statements.md -+++ secilc/docs/cil_container_statements.md -@@ -4,7 +4,11 @@ Container Statements - block - ----- - --Start a new namespace where any CIL statement is valid. -+Start a new namespace. -+ -+Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. -+ -+[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks. - - **Statement definition:** - -@@ -47,6 +51,8 @@ blockabstract - - Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement. - -+Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks. -+ - **Statement definition:** - - ```secil -@@ -97,6 +103,8 @@ blockinherit - - Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section. - -+Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks. -+ - **Statement definition:** - - ```secil -@@ -199,15 +207,11 @@ This example contains a template `client - optional - -------- - --Declare an [`optional`](cil_container_statements.md#optional) namespace. 
All CIL statements in the optional block must be satisfied before instantiation in the binary policy. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional)'s that apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid: -+Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. - --| | | | | --| ------------------- | -------------- | ------------------ | ------------------ | --| [`allow`](cil_access_vector_rules.md#allow) | [`allowx`](cil_access_vector_rules.md#allowx) | [`auditallow`](cil_access_vector_rules.md#auditallow) | [`auditallowx`](cil_access_vector_rules.md#auditallowx) | --| [`booleanif`](cil_conditional_statements.md#booleanif) | [`dontaudit`](cil_access_vector_rules.md#dontaudit) | [`dontauditx`](cil_access_vector_rules.md#dontauditx) | [`typepermissive`](cil_type_statements.md#typepermissive) | --| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition) | [`role`](cil_role_statements.md#role) | [`roleallow`](cil_role_statements.md#roleallow) | [`roleattribute`](cil_role_statements.md#roleattribute) | --| [`roletransition`](cil_role_statements.md#roletransition) | [`type`](cil_type_statements.md#type) | [`typealias`](cil_type_statements.md#typealias) | [`typeattribute`](cil_type_statements.md#typeattribute) | --| [`typechange`](cil_type_statements.md#typechange) | [`typemember`](cil_type_statements.md#typemember) | [`typetransition`](cil_type_statements.md#typetransition) | | -+Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks. 
-+ -+[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks. - - **Statement definition:** - -@@ -266,7 +270,11 @@ This example will instantiate the option - in - -- - --Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit). -+Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). -+ -+Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks. -+ -+[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks. - - **Statement definition:** - diff --git a/recipes-security/selinux/secilc_3.2.bb b/recipes-security/selinux/secilc_3.2.bb deleted file mode 100644 index 50413e0..0000000 --- a/recipes-security/selinux/secilc_3.2.bb +++ /dev/null 
@@ -1,17 +0,0 @@
-SUMMARY = "SELinux Common Intermediate Language (CIL) compiler"
-DESCRIPTION = "\
-This package contains secilc, the SELinux Common Intermediate \
-Language (CIL) compiler."
-SECTION = "base"
-LICENSE = "BSD"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c7e802b9a3b0c2c852669864c08b9138"
-
-require selinux_common.inc
-
-SRC_URI += "file://CVE-2021-36087.patch"
-
-DEPENDS += "libsepol xmlto-native"
-
-S = "${WORKDIR}/git/secilc"
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/secilc_3.3.bb b/recipes-security/selinux/secilc_3.3.bb
new file mode 100644
index 0000000..60ab2fe
--- /dev/null
+++ b/recipes-security/selinux/secilc_3.3.bb
@@ -0,0 +1,15 @@
+SUMMARY = "SELinux Common Intermediate Language (CIL) compiler"
+DESCRIPTION = "\
+This package contains secilc, the SELinux Common Intermediate \
+Language (CIL) compiler."
+SECTION = "base"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c7e802b9a3b0c2c852669864c08b9138"
+
+require selinux_common.inc
+
+DEPENDS += "libsepol xmlto-native"
+
+S = "${WORKDIR}/git/secilc"
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/selinux-dbus_3.2.bb b/recipes-security/selinux/selinux-dbus_3.2.bb
deleted file mode 100644
index badf392..0000000
--- a/recipes-security/selinux/selinux-dbus_3.2.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-SUMMARY = "SELinux dbus service files"
-DESCRIPTION = "\
-Provide SELinux dbus service files and scripts."
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-require selinux_common.inc
-
-S = "${WORKDIR}/git/dbus"
-
-RDEPENDS:${PN} += "python3-core selinux-python-sepolicy"
-
-FILES:${PN} += "\
- ${datadir}/system-config-selinux/selinux_server.py \
- ${datadir}/polkit-1/actions/org.selinux.policy \
- ${datadir}/dbus-1/system-services/org.selinux.service \
-"
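Review bot: The secilc_3.3.bb recipe drops `file://CVE-2021-36087.patch` from SRC_URI without anything in the recipe or the commit message tying that CVE (or CVE-2021-36084/36085/36086, dropped from libsepol in the same commit) to the upstream commits that fix it, so a reader cannot tell from the recipe whether the new SRCREV in selinux_common.inc already contains those fixes or the backport was simply lost. The 3.3 tag presumably postdates the upstream fixes, but that is an inference, not something this diff shows. A one-line pointer such as `# CVE-2021-36087: fixed upstream before the 3.3 release, backport no longer needed` next to the remaining SRC_URI entries, or the upstream fix commit ids in the commit message, would keep the CVE history auditable for anyone running cve-check against this layer.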
diff --git a/recipes-security/selinux/selinux-dbus_3.3.bb b/recipes-security/selinux/selinux-dbus_3.3.bb
new file mode 100644
index 0000000..badf392
--- /dev/null
+++ b/recipes-security/selinux/selinux-dbus_3.3.bb
@@ -0,0 +1,18 @@
+SUMMARY = "SELinux dbus service files"
+DESCRIPTION = "\
+Provide SELinux dbus service files and scripts."
+SECTION = "base"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+S = "${WORKDIR}/git/dbus"
+
+RDEPENDS:${PN} += "python3-core selinux-python-sepolicy"
+
+FILES:${PN} += "\
+ ${datadir}/system-config-selinux/selinux_server.py \
+ ${datadir}/polkit-1/actions/org.selinux.policy \
+ ${datadir}/dbus-1/system-services/org.selinux.service \
+"
diff --git a/recipes-security/selinux/selinux-gui_3.2.bb b/recipes-security/selinux/selinux-gui_3.2.bb
deleted file mode 100644
index 5534ec6..0000000
--- a/recipes-security/selinux/selinux-gui_3.2.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMMARY = "SELinux GUI tools"
-DESCRIPTION = "\
-Provide SELinux Management tool (system-config-selinux) and SELinux \
-Policy Generation Tool (selinux-polgengui)"
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-require selinux_common.inc
-
-S = "${WORKDIR}/git/gui"
-
-RDEPENDS:${PN} += "python3-core"
-
-FILES:${PN} += " \
- ${datadir}/system-config-selinux/* \
- ${datadir}/icons/hicolor/* \
- ${datadir}/polkit-1/actions/org.selinux.config.policy \
-"
diff --git a/recipes-security/selinux/selinux-gui_3.3.bb b/recipes-security/selinux/selinux-gui_3.3.bb
new file mode 100644
index 0000000..5534ec6
--- /dev/null
+++ b/recipes-security/selinux/selinux-gui_3.3.bb
@@ -0,0 +1,19 @@
+SUMMARY = "SELinux GUI tools"
+DESCRIPTION = "\
+Provide SELinux Management tool (system-config-selinux) and SELinux \
+Policy Generation Tool (selinux-polgengui)"
+SECTION = "base"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+S = "${WORKDIR}/git/gui"
+
+RDEPENDS:${PN} += "python3-core"
+
+FILES:${PN} += " \
+ ${datadir}/system-config-selinux/* \
+ ${datadir}/icons/hicolor/* \
+ ${datadir}/polkit-1/actions/org.selinux.config.policy \
+"
diff --git a/recipes-security/selinux/selinux-python_3.2.bb b/recipes-security/selinux/selinux-python_3.2.bb
deleted file mode 100644
index d130900..0000000
--- a/recipes-security/selinux/selinux-python_3.2.bb
+++ /dev/null
@@ -1,112 +0,0 @@
-SUMMARY = "Python modules and various SELinux utilities."
-DESCRIPTION = "\
-This package contains Python modules sepolgen, sepolicy; And the \
-SELinux utilities audit2allow, chcat, semanage ..."
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-require selinux_common.inc
-
-inherit python3native
-
-SRC_URI += "file://fix-sepolicy-install-path.patch"
-
-S = "${WORKDIR}/git/python"
-
-EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
-
-DEPENDS += "python3 libsepol libselinux"
-RDEPENDS:${BPN}-audit2allow += "\
- python3-core \
- libselinux-python \
- ${BPN}-sepolgen \
-"
-RDEPENDS:${BPN}-chcat += "\
- python3-core \
- python3-codecs \
- python3-shell \
- python3-stringold \
- python3-unixadmin \
- libselinux-python \
- ${BPN} \
-"
-RDEPENDS:${BPN} += "\
- python3-core \
- python3-codecs \
- python3-io \
- python3-ipy \
- python3-stringold \
- python3-syslog \
- python3-unixadmin \
- libselinux-python \
- libsemanage-python \
- setools \
-"
-RDEPENDS:${BPN}-semanage += "\
- python3-core \
- python3-ipy \
- python3-compression \
- python3-xml \
- python3-misc \
- libselinux-python \
- audit-python \
- ${BPN} \
-"
-RDEPENDS:${BPN}-sepolicy += "\
- python3-core \
- python3-codecs \
- python3-syslog \
- ${BPN} \
-"
-RDEPENDS:${BPN}-sepolgen-ifgen += "\
- python3-core \
- libselinux-python \
-"
-
-PACKAGES =+ "\
- ${PN}-audit2allow \
- ${PN}-sepolgen-ifgen \
- ${PN}-chcat \
- ${PN}-semanage \
- ${PN}-sepolgen \
- ${PN}-sepolicy \
-"
-FILES:${PN}-audit2allow = "\
- ${bindir}/audit2allow \
- ${bindir}/audit2why \
-"
-FILES:${PN}-chcat = "\
- ${bindir}/chcat \
-"
-FILES:${PN}-semanage = "\
- ${sbindir}/semanage \
- ${datadir}/bash-completion/completions/semanage \
-"
-# The ${bindir}/sepolgen is a symlink to ${bindir}/sepolicy
-FILES:${PN}-sepolicy += "\
- ${bindir}/sepolgen \
- ${bindir}/sepolicy \
- ${datadir}/bash-completion/completions/sepolicy \
-"
-FILES:${PN}-sepolgen-ifgen += "\
- ${bindir}/sepolgen-ifgen \
- ${bindir}/sepolgen-ifgen-attr-helper \
-"
-FILES:${PN}-sepolgen += "\
- ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolgen* \
- ${localstatedir}/lib/sepolgen/perm_map \
-"
-
-FILES:${PN} += "\
- ${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
- ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \
- ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/* \
-"
-
-do_install() {
- oe_runmake DESTDIR="${D}" \
- PYLIBVER='python${PYTHON_BASEVERSION}' \
- PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
- install
-}
diff --git a/recipes-security/selinux/selinux-python_3.3.bb b/recipes-security/selinux/selinux-python_3.3.bb
new file mode 100644
index 0000000..d130900
--- /dev/null
+++ b/recipes-security/selinux/selinux-python_3.3.bb
@@ -0,0 +1,112 @@
+SUMMARY = "Python modules and various SELinux utilities."
+DESCRIPTION = "\
+This package contains Python modules sepolgen, sepolicy; And the \
+SELinux utilities audit2allow, chcat, semanage ..."
+SECTION = "base"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+inherit python3native
+
+SRC_URI += "file://fix-sepolicy-install-path.patch"
+
+S = "${WORKDIR}/git/python"
+
+EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+
+DEPENDS += "python3 libsepol libselinux"
+RDEPENDS:${BPN}-audit2allow += "\
+ python3-core \
+ libselinux-python \
+ ${BPN}-sepolgen \
+"
+RDEPENDS:${BPN}-chcat += "\
+ python3-core \
+ python3-codecs \
+ python3-shell \
+ python3-stringold \
+ python3-unixadmin \
+ libselinux-python \
+ ${BPN} \
+"
+RDEPENDS:${BPN} += "\
+ python3-core \
+ python3-codecs \
+ python3-io \
+ python3-ipy \
+ python3-stringold \
+ python3-syslog \
+ python3-unixadmin \
+ libselinux-python \
+ libsemanage-python \
+ setools \
+"
+RDEPENDS:${BPN}-semanage += "\
+ python3-core \
+ python3-ipy \
+ python3-compression \
+ python3-xml \
+ python3-misc \
+ libselinux-python \
+ audit-python \
+ ${BPN} \
+"
+RDEPENDS:${BPN}-sepolicy += "\
+ python3-core \
+ python3-codecs \
+ python3-syslog \
+ ${BPN} \
+"
+RDEPENDS:${BPN}-sepolgen-ifgen += "\
+ python3-core \
+ libselinux-python \
+"
+
+PACKAGES =+ "\
+ ${PN}-audit2allow \
+ ${PN}-sepolgen-ifgen \
+ ${PN}-chcat \
+ ${PN}-semanage \
+ ${PN}-sepolgen \
+ ${PN}-sepolicy \
+"
+FILES:${PN}-audit2allow = "\
+ ${bindir}/audit2allow \
+ ${bindir}/audit2why \
+"
+FILES:${PN}-chcat = "\
+ ${bindir}/chcat \
+"
+FILES:${PN}-semanage = "\
+ ${sbindir}/semanage \
+ ${datadir}/bash-completion/completions/semanage \
+"
+# The ${bindir}/sepolgen is a symlink to ${bindir}/sepolicy
+FILES:${PN}-sepolicy += "\
+ ${bindir}/sepolgen \
+ ${bindir}/sepolicy \
+ ${datadir}/bash-completion/completions/sepolicy \
+"
+FILES:${PN}-sepolgen-ifgen += "\
+ ${bindir}/sepolgen-ifgen \
+ ${bindir}/sepolgen-ifgen-attr-helper \
+"
+FILES:${PN}-sepolgen += "\
+ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolgen* \
+ ${localstatedir}/lib/sepolgen/perm_map \
+"
+
+FILES:${PN} += "\
+ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
+ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \
+ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/* \
+"
+
+do_install() {
+ oe_runmake DESTDIR="${D}" \
+ PYLIBVER='python${PYTHON_BASEVERSION}' \
+ PYTHONLIBDIR='${libdir}/python${PYTHON_BASEVERSION}/site-packages' \
+ install
+}
diff --git a/recipes-security/selinux/selinux-sandbox_3.2.bb b/recipes-security/selinux/selinux-sandbox_3.2.bb
deleted file mode 100644
index a20982c..0000000
--- a/recipes-security/selinux/selinux-sandbox_3.2.bb
+++ /dev/null
@@ -1,30 +0,0 @@
-SUMMARY = "Run cmd under an SELinux sandbox"
-DESCRIPTION = "\
-Run application within a tightly confined SELinux domain. The default \
-sandbox domain only allows applications the ability to read and write \
-stdin, stdout and any other file descriptors handed to it."
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-require selinux_common.inc
-
-SRC_URI += "file://sandbox-de-bashify.patch"
-
-S = "${WORKDIR}/git/sandbox"
-
-DEPENDS += "libcap-ng libselinux"
-
-RDEPENDS:${PN} += "\
- python3-core \
- python3-math \
- python3-shell \
- python3-unixadmin \
- libselinux-python \
- selinux-python \
-"
-
-FILES:${PN} += "\
- ${datadir}/sandbox/sandboxX.sh \
- ${datadir}/sandbox/start \
-"
diff --git a/recipes-security/selinux/selinux-sandbox_3.3.bb b/recipes-security/selinux/selinux-sandbox_3.3.bb
new file mode 100644
index 0000000..a20982c
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox_3.3.bb
@@ -0,0 +1,30 @@
+SUMMARY = "Run cmd under an SELinux sandbox"
+DESCRIPTION = "\
+Run application within a tightly confined SELinux domain. The default \
+sandbox domain only allows applications the ability to read and write \
+stdin, stdout and any other file descriptors handed to it."
+SECTION = "base"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+SRC_URI += "file://sandbox-de-bashify.patch"
+
+S = "${WORKDIR}/git/sandbox"
+
+DEPENDS += "libcap-ng libselinux"
+
+RDEPENDS:${PN} += "\
+ python3-core \
+ python3-math \
+ python3-shell \
+ python3-unixadmin \
+ libselinux-python \
+ selinux-python \
+"
+
+FILES:${PN} += "\
+ ${datadir}/sandbox/sandboxX.sh \
+ ${datadir}/sandbox/start \
+"
diff --git a/recipes-security/selinux/selinux_common.inc b/recipes-security/selinux/selinux_common.inc
index dc4ccd5..8bdf8ad 100644
--- a/recipes-security/selinux/selinux_common.inc
+++ b/recipes-security/selinux/selinux_common.inc
@@ -1,7 +1,7 @@
 HOMEPAGE = "https://github.com/SELinuxProject"
 SRC_URI = "git://github.com/SELinuxProject/selinux.git;branch=master;protocol=https"
-SRCREV = "cf853c1a0c2328ad6c62fb2b2cc55d4926301d6b"
+SRCREV = "7f600c40bc18d8180993edcd54daf45124736776"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)"
diff --git a/recipes-security/selinux/semodule-utils_3.2.bb b/recipes-security/selinux/semodule-utils_3.2.bb
deleted file mode 100644
index a8bca0e..0000000
--- a/recipes-security/selinux/semodule-utils_3.2.bb
+++ /dev/null
@@ -1,31 +0,0 @@
-SUMMARY = "Utilities to manipulate SELinux policy module package"
-DESCRIPTION = "\
-The utilities to create, expand, link and show the dependencies between \
-the SELinux policy module packages."
-SECTION = "base"
-LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-require selinux_common.inc
-
-DEPENDS += "libsepol"
-RDEPENDS:${PN}-dev = ""
-
-EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
-
-S = "${WORKDIR}/git/semodule-utils"
-
-PACKAGES =+ "\
- ${PN}-semodule-expand \
- ${PN}-semodule-link \
- ${PN}-semodule-package \
-"
-
-FILES:${PN}-semodule-expand += "${bindir}/semodule_expand"
-FILES:${PN}-semodule-link += "${bindir}/semodule_link"
-FILES:${PN}-semodule-package += "\
- ${bindir}/semodule_package \
- ${bindir}/semodule_unpackage \
-"
-
-BBCLASSEXTEND = "native"
diff --git a/recipes-security/selinux/semodule-utils_3.3.bb b/recipes-security/selinux/semodule-utils_3.3.bb
new file mode 100644
index 0000000..a8bca0e
--- /dev/null
+++ b/recipes-security/selinux/semodule-utils_3.3.bb
@@ -0,0 +1,31 @@
+SUMMARY = "Utilities to manipulate SELinux policy module package"
+DESCRIPTION = "\
+The utilities to create, expand, link and show the dependencies between \
+the SELinux policy module packages."
+SECTION = "base"
+LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+require selinux_common.inc
+
+DEPENDS += "libsepol"
+RDEPENDS:${PN}-dev = ""
+
+EXTRA_OEMAKE += "LIBSEPOLA=${STAGING_LIBDIR}/libsepol.a"
+
+S = "${WORKDIR}/git/semodule-utils"
+
+PACKAGES =+ "\
+ ${PN}-semodule-expand \
+ ${PN}-semodule-link \
+ ${PN}-semodule-package \
+"
+
+FILES:${PN}-semodule-expand += "${bindir}/semodule_expand"
+FILES:${PN}-semodule-link += "${bindir}/semodule_link"
+FILES:${PN}-semodule-package += "\
+ ${bindir}/semodule_package \
+ ${bindir}/semodule_unpackage \
+"
+
+BBCLASSEXTEND = "native"
-- 
cgit v1.2.3-54-g00ecf
