From b0810f46dd3f2d892c46877d1e191d678a336df1 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Wed, 14 Jun 2023 10:01:35 +0200
Subject: [PATCH 01/22] eclass: sync selinux-policy-2 with Gentoo
Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db
Signed-off-by: Mathieu Tortuyaux
---
 .../eclass/selinux-policy-2.eclass | 122 +++++++++---------
 1 file changed, 63 insertions(+), 59 deletions(-)
diff --git a/sdk_container/src/third_party/portage-stable/eclass/selinux-policy-2.eclass b/sdk_container/src/third_party/portage-stable/eclass/selinux-policy-2.eclass
index 8f69847a9f..ad760673ca 100644
--- a/sdk_container/src/third_party/portage-stable/eclass/selinux-policy-2.eclass
+++ b/sdk_container/src/third_party/portage-stable/eclass/selinux-policy-2.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # Eclass for installing SELinux policy, and optionally
@@ -7,7 +7,7 @@
 # @ECLASS: selinux-policy-2.eclass
 # @MAINTAINER:
 # selinux@gentoo.org
-# @SUPPORTED_EAPIS: 6 7
+# @SUPPORTED_EAPIS: 7
 # @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
 # @DESCRIPTION:
 # The selinux-policy-2.eclass supports deployment of the various SELinux modules
@@ -18,67 +18,69 @@ # Also, it supports for bundling patches to make the whole thing just a bit more # manageable. -# @ECLASS-VARIABLE: MODS +case ${EAPI} in + 7) ;; + *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; +esac + +if [[ ! ${_SELINUX_POLICY_2_ECLASS} ]]; then +_SELINUX_POLICY_2_ECLASS=1 + +# @ECLASS_VARIABLE: MODS # @DESCRIPTION: # This variable contains the (upstream) module name for the SELinux module. # This name is only the module name, not the category! -: ${MODS:="_illegal"} +: "${MODS:="_illegal"}" -# @ECLASS-VARIABLE: BASEPOL +# @ECLASS_VARIABLE: BASEPOL # @DESCRIPTION: # This variable contains the version string of the selinux-base-policy package # that this module build depends on. It is used to patch with the appropriate # patch bundle(s) that are part of selinux-base-policy. -: ${BASEPOL:=${PVR}} +: "${BASEPOL:=${PVR}}" -# @ECLASS-VARIABLE: POLICY_PATCH +# @ECLASS_VARIABLE: POLICY_PATCH # @DESCRIPTION: # This variable contains the additional patch(es) that need to be applied on top # of the patchset already contained within the BASEPOL variable. The variable # can be both a simple string (space-separated) or a bash array. -: ${POLICY_PATCH:=""} +: "${POLICY_PATCH:=""}" -# @ECLASS-VARIABLE: POLICY_FILES +# @ECLASS_VARIABLE: POLICY_FILES # @DESCRIPTION: # When defined, this contains the files (located in the ebuilds' files/ # directory) which should be copied as policy module files into the store. # Generally, users would want to include at least a .te and .fc file, but .if # files are supported as well. The variable can be both a simple string # (space-separated) or a bash array. -: ${POLICY_FILES:=""} +: "${POLICY_FILES:=""}" -# @ECLASS-VARIABLE: POLICY_TYPES +# @ECLASS_VARIABLE: POLICY_TYPES # @DESCRIPTION: # This variable informs the eclass for which SELinux policies the module should # be built. Currently, Gentoo supports targeted, strict, mcs and mls. 
# This variable is the same POLICY_TYPES variable that we tell SELinux # users to set in make.conf. Therefore, it is not the module that should # override it, but the user. -: ${POLICY_TYPES:="targeted strict mcs mls"} +: "${POLICY_TYPES:="targeted strict mcs mls"}" -# @ECLASS-VARIABLE: SELINUX_GIT_REPO +# @ECLASS_VARIABLE: SELINUX_GIT_REPO # @DESCRIPTION: # When defined, this variable overrides the default repository URL as used by # this eclass. It allows end users to point to a different policy repository # using a single variable, rather than having to set the packagename_LIVE_REPO # variable for each and every SELinux policy module package they want to install. # The default value is Gentoo's hardened-refpolicy repository. -: ${SELINUX_GIT_REPO:="https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"}; +: "${SELINUX_GIT_REPO:="https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"}" -# @ECLASS-VARIABLE: SELINUX_GIT_BRANCH +# @ECLASS_VARIABLE: SELINUX_GIT_BRANCH # @DESCRIPTION: # When defined, this variable sets the Git branch to use of the repository. This # allows for users and developers to use a different branch for the entire set of # SELinux policy packages, rather than having to override them one by one with the # packagename_LIVE_BRANCH variable. # The default value is the 'master' branch. -: ${SELINUX_GIT_BRANCH:="master"}; - -case "${EAPI:-0}" in - 0|1|2|3|4|5) die "EAPI<6 is not supported";; - 6|7) : ;; - *) die "unknown EAPI" ;; -esac +: "${SELINUX_GIT_BRANCH:="master"}" case ${BASEPOL} in 9999) inherit git-r3 
@@ -113,17 +115,12 @@ else RDEPEND=">=sys-apps/policycoreutils-2.0.82 >=sec-policy/selinux-base-policy-${PV}" fi -if [[ ${EAPI} == 6 ]]; then - DEPEND="${RDEPEND} - sys-devel/m4 - >=sys-apps/checkpolicy-2.0.21" -else - DEPEND="${RDEPEND}" - BDEPEND="sys-devel/m4 - >=sys-apps/checkpolicy-2.0.21" -fi -EXPORT_FUNCTIONS src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm +DEPEND="${RDEPEND}" +BDEPEND=" + sys-devel/m4 + >=sys-apps/checkpolicy-2.0.21 +" # @FUNCTION: selinux-policy-2_src_unpack # @DESCRIPTION: @@ -159,7 +156,7 @@ selinux-policy-2_src_prepare() { if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]]; then cd "${S}" einfo "Applying SELinux policy updates ... " - eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch" + eapply -p0 -- "${WORKDIR}/0001-full-patch-against-stable-release.patch" fi # Call in eapply_user. We do this early on as we start moving @@ -169,7 +166,7 @@ selinux-policy-2_src_prepare() { # Copy additional files to the 3rd_party/ location if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] || [[ -n ${POLICY_FILES} ]]; then - add_interfaces=1; + add_interfaces=1; cd "${S}/refpolicy/policy/modules" for POLFILE in ${POLICY_FILES[@]}; do 
@@ -177,22 +174,21 @@ selinux-policy-2_src_prepare() { done fi - # Apply the additional patches refered to by the module ebuild. + # Apply the additional patches referred to by the module ebuild. # But first some magic to differentiate between bash arrays and strings - cd "${S}/refpolicy/policy/modules" - for POLPATCH in ${POLICY_PATCH[@]}; - do - einfo "Installing ${POLPATCH}" - eapply -p0 "${POLPATCH}" - done + if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]]; then + [[ -n ${POLICY_PATCH[*]} ]] && eapply -d "${S}/refpolicy/policy/modules" -- "${POLICY_PATCH[@]}" + else + [[ -n ${POLICY_PATCH} ]] && eapply -d "${S}/refpolicy/policy/modules" -- ${POLICY_PATCH} + fi # Collect only those files needed for this particular module for i in ${MODS}; do - modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles" - modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles" - modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.cil) $modfiles" + modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.te) $modfiles" + modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.fc) $modfiles" + modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.cil) $modfiles" if [[ ${add_interfaces} -eq 1 ]]; then - modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles" + modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.if) $modfiles" fi done @@ -220,7 +216,7 @@ selinux-policy-2_src_compile() { for i in ${POLICY_TYPES}; do # Support USE flags in builds export M4PARAM="${makeuse}" - emake NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux -C "${S}"/${i} || die "${i} compile failed" + emake NAME=$i SHAREDIR="${EPREFIX}"/usr/share/selinux -C "${S}"/${i} done } 
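Review bot: The new bash-array test `declare -p POLICY_PATCH 2>/dev/null 2>&1` has its redirections in the wrong order: the later `2>&1` overrides the earlier `2>/dev/null`, so any stderr output of `declare -p` lands in the command substitution instead of being discarded. It is harmless today only because `POLICY_PATCH` is always defaulted earlier in the eclass; the same pattern is copied from the POLICY_FILES check in the preceding hunk. Drop the trailing redirect: `if [[ "$(declare -p POLICY_PATCH 2>/dev/null)" == "declare -a"* ]]; then`. selinux-policy-2_src_prepare starts before this hunk and continues past it.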
@@ -256,21 +252,26 @@ selinux-policy-2_src_install() { selinux-policy-2_pkg_postinst() { # Set root path and don't load policy into the kernel when cross compiling local root_opts="" - if [[ "${ROOT%/}" != "" ]]; then - root_opts="-p ${ROOT%/} -n" + if [[ -n ${ROOT} ]]; then + root_opts="-p ${ROOT} -n" fi # build up the command in the case of multiple modules local COMMAND for i in ${POLICY_TYPES}; do - if [[ "${i}" == "strict" ]] && [[ "${MODS}" = "unconfined" ]]; then - einfo "Ignoring loading of unconfined module in strict module store."; - continue; + if [[ "${MODS}" = "unconfined" ]]; then + case ${i} in + strict|mcs|mls) + einfo "Ignoring loading of unconfined module in ${i} module store."; + continue + ;; + esac fi + einfo "Inserting the following modules into the $i module store: ${MODS}" - cd "${ROOT%/}/usr/share/selinux/${i}" || die "Could not enter /usr/share/selinux/${i}" + cd "${ROOT}/usr/share/selinux/${i}" || die "Could not enter /usr/share/selinux/${i}" for j in ${MODS} ; do if [[ -f "${j}.pp" ]] ; then COMMAND="${j}.pp ${COMMAND}" @@ -302,7 +303,7 @@ selinux-policy-2_pkg_postinst() { ewarn "If it is the last SELinux module package being installed however," ewarn "then it is advised to look at the error above and take appropriate" ewarn "action since the new SELinux policies are not loaded until the" - ewarn "command finished succesfully." + ewarn "command finished successfully." ewarn "" ewarn "To reload, run the following command from within /usr/share/selinux/${i}:" ewarn " semodule ${COMMAND_base} -i \$(ls *.pp | grep -v base.pp)" 
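Review bot: The `die` message on the `cd` line still names `/usr/share/selinux/${i}` while the directory entered is now `${ROOT}/usr/share/selinux/${i}`, so in a cross-compile (`ROOT` set) a failure reports a path that is not the one that was tried. Suggest `cd "${ROOT}/usr/share/selinux/${i}" || die "Could not enter ${ROOT}/usr/share/selinux/${i}"`. `root_opts` is also built as a plain string with `${ROOT}` unquoted, here and again in the pkg_postrm hunk at `@@ -342`; if it is expanded unquoted at the semodule call (outside this hunk), a ROOT containing whitespace would split, which is worth confirming. selinux-policy-2_pkg_postinst starts before this hunk and continues past it.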
@@ -310,16 +311,16 @@ selinux-policy-2_pkg_postinst() { ewarn " semodule ${COMMAND_base} -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)" ewarn "depending on if you need the unconfined domain loaded as well or not." else - einfo "SELinux modules reloaded succesfully." + einfo "SELinux modules reloaded successfully." fi else - einfo "SELinux modules loaded succesfully." + einfo "SELinux modules loaded successfully." fi COMMAND=""; done # Don't relabel when cross compiling - if [[ "${ROOT%/}" == "" ]]; then + if [[ -z ${ROOT} ]]; then # Relabel depending packages local PKGSET=""; if [[ -x /usr/bin/qdepends ]] ; then @@ -342,8 +343,8 @@ selinux-policy-2_pkg_postrm() { if [[ -z "${REPLACED_BY_VERSION}" ]]; then # Set root path and don't load policy into the kernel when cross compiling local root_opts="" - if [[ "${ROOT%/}" != "" ]]; then - root_opts="-p ${ROOT%/} -n" + if [[ -n ${ROOT} ]]; then + root_opts="-p ${ROOT} -n" fi # build up the command in the case of multiple modules @@ -359,9 +360,12 @@ selinux-policy-2_pkg_postrm() { if [[ $? -ne 0 ]]; then ewarn "SELinux module unload failed."; else - einfo "SELinux modules unloaded succesfully." + einfo "SELinux modules unloaded successfully." fi done fi } +fi + +EXPORT_FUNCTIONS src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm From 7132f52f46b63d28e44e5575d9b795d4c42d2b28 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Thu, 27 Jul 2023 16:20:41 +0200 Subject: [PATCH 02/22] sys-libs/libselinux: sync with Gentoo Commit-Ref: https://github.com/gentoo/gentoo/commit/a67229c8d6bc1c312bd3171b001c352c16741239 
Signed-off-by: Mathieu Tortuyaux
---
 .../sys-libs/libselinux/Manifest | 2 -
 .../libselinux/libselinux-3.1-r3.ebuild | 159 ------------------
 .../sys-libs/libselinux/Manifest | 1 +
 .../libselinux/libselinux-3.5-r1.ebuild} | 46 ++---
 .../libselinux/libselinux-9999.ebuild | 38 +++--
 .../sys-libs/libselinux/metadata.xml | 5 +-
 6 files changed, 46 insertions(+), 205 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.1-r3.ebuild
 create mode 100644 sdk_container/src/third_party/portage-stable/sys-libs/libselinux/Manifest
 rename sdk_container/src/third_party/{coreos-overlay/sys-libs/libselinux/libselinux-3.2-r1.ebuild => portage-stable/sys-libs/libselinux/libselinux-3.5-r1.ebuild} (73%)
 rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-libs/libselinux/libselinux-9999.ebuild (80%)
 rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-libs/libselinux/metadata.xml (77%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest
deleted file mode 100644
index 3ba4acc00b..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest
+++ /dev/null
@@ -1,2 +0,0 @@
-DIST libselinux-3.1.tar.gz 204703 BLAKE2B 72ff2d99dd6640405e804f58bdfbf05e152615ea92f902b3942602af13dc17080afeabb942ed33ae6b3f528870f4b11584e533848e455a97bf8f7151a8d44646 SHA512 57730cddd2d4751556d9e1f207c0f85119c81848f0620c16239e997150989e3f9a586a8c23861fd51ed89f7e084ad441190a58a288258a49a95f7beef7dbbb13
-DIST libselinux-3.2.tar.gz 206380 BLAKE2B 544eaaa87b9738c61929abe48713b530a8909eaea017890040f2fe299af86f09b6eb2cf4c9a68e06268ba09923b2b67703ac7a2b973906acb45f698e9ccaeed2 SHA512 18129ac0b9936e1f66021f1b311cf1c1e27a01e50cb70f08a3e1c642c5251e4538aec25a8427778569dfecf5333cf1fb84f1a59afdce8019328d0cff7e5833c5
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.1-r3.ebuild
deleted file mode 100644
index 94c25dfda6..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.1-r3.ebuild
+++ /dev/null
@@ -1,159 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-PYTHON_COMPAT=( python3_{6..11} )
-USE_RUBY="ruby25 ruby26 ruby27"
-
-# No, I am not calling ruby-ng
-inherit python-r1 toolchain-funcs multilib-minimal
-
-MY_P="${P//_/-}"
-SEPOL_VER="${PV}"
-MY_RELEASEDATE="20200710"
-
-DESCRIPTION="SELinux userland library"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]] ; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- S="${WORKDIR}/${MY_P}/${PN}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz"
- KEYWORDS="amd64 ~arm ~arm64 ~mips x86"
- S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="pcre2 python ruby static-libs ruby_targets_ruby25 ruby_targets_ruby26 ruby_targets_ruby27"
-REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
-
-RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}:=[${MULTILIB_USEDEP}]
- !pcre2? ( >=dev-libs/libpcre-8.33-r1:=[static-libs?,${MULTILIB_USEDEP}] )
- pcre2? ( dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}] )
- python? ( ${PYTHON_DEPS} )
- ruby? (
- ruby_targets_ruby25? ( dev-lang/ruby:2.5 )
- ruby_targets_ruby26? ( dev-lang/ruby:2.6 )
- ruby_targets_ruby27? ( dev-lang/ruby:2.7 )
- )
- elibc_musl? ( sys-libs/fts-standalone )"
-DEPEND="${RDEPEND}"
-BDEPEND="virtual/pkgconfig
- python? ( >=dev-lang/swig-2.0.9 )
- ruby? ( >=dev-lang/swig-2.0.9 )"
-
-src_prepare() {
- eapply_user
-
- multilib_copy_sources
-}
-
-multilib_src_compile() {
- tc-export AR CC PKG_CONFIG RANLIB
-
- emake \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- LDFLAGS="-fPIC ${LDFLAGS} -pthread" \
- USE_PCRE2="$(usex pcre2 y n)" \
- FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
- all
-
- if multilib_is_native_abi && use python; then
- building() {
- emake \
- LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
- FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
- pywrap
- }
- python_foreach_impl building
- fi
-
- if multilib_is_native_abi && use ruby; then
- building() {
- einfo "Calling rubywrap for ${1}"
- # Clean up .lo file to force rebuild
- rm -f src/selinuxswig_ruby_wrap.lo || die
- emake \
- RUBY=${1} \
- LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
- FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \
- rubywrap
- }
- for RUBYTARGET in ${USE_RUBY}; do
- use ruby_targets_${RUBYTARGET} || continue
-
- building ${RUBYTARGET}
- done
- fi
-}
-
-multilib_src_install() {
- emake DESTDIR="${D}" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
- install
-
- if multilib_is_native_abi && use python; then
- installation() {
- emake DESTDIR="${D}" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- USE_PCRE2="$(usex pcre2 y n)" \
- install-pywrap
- python_optimize # bug 531638
- }
- python_foreach_impl installation
- fi
-
- if multilib_is_native_abi && use ruby; then
- installation() {
- einfo "Calling install-rubywrap for ${1}"
- # Forcing (re)build here as otherwise the resulting SO file is used for all ruby versions
- rm src/selinuxswig_ruby_wrap.lo
- emake DESTDIR="${D}" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- RUBY=${1} \
- USE_PCRE2="$(usex pcre2 y n)" \
- install-rubywrap
- }
- for RUBYTARGET in ${USE_RUBY}; do
- use ruby_targets_${RUBYTARGET} || continue
-
- installation ${RUBYTARGET}
- done
- fi
-
- use static-libs || rm "${D}"/usr/lib*/*.a || die
-}
-
-pkg_postinst() {
- # Fix bug 473502
- for POLTYPE in ${POLICY_TYPES};
- do
- mkdir -p /etc/selinux/${POLTYPE}/contexts/files || die
- touch /etc/selinux/${POLTYPE}/contexts/files/file_contexts.local || die
- # Fix bug 516608
- for EXPRFILE in file_contexts file_contexts.homedirs file_contexts.local ; do
- # flatcar changes:
- # since libselinux is installed under `/build/amd64-usr`, we need to
- # specify abspath to the binary `sefcontext_compile`, as well as abspath
- # to the policy files.
- if [[ -f "${ROOT}/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE}" ]]; then
- ${ROOT}/usr/sbin/sefcontext_compile ${ROOT}/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE} \
- || die "Failed to recompile contexts"
- fi
- done
- done
-}
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/Manifest b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/Manifest
new file mode 100644
index 0000000000..c6efbb8e1e
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/Manifest
@@ -0,0 +1 @@
+DIST libselinux-3.5.tar.gz 211453 BLAKE2B f7f3067c4bb0448e18bd7085135f11d94ae99728949480a655c0f660486817beb5829d8a43dff7bce286ccd50705b0c657bde85970f01c794e01fb707f469d8b SHA512 4e13261a5821018a5f3cdce676f180bb62e5bc225981ca8a498ece0d1c88d9ba8eaa0ce4099dd0849309a8a7c5a9a0953df841a9922f2c284e5a109e5d937ba7
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.2-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-3.5-r1.ebuild similarity index 73% rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.2-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-3.5-r1.ebuild index 91e457f8dd..1ed1db1ec9 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-3.2-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-3.5-r1.ebuild @@ -1,9 +1,9 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" -PYTHON_COMPAT=( python3_{6..10} ) -USE_RUBY="ruby25 ruby26 ruby27" +PYTHON_COMPAT=( python3_{10..12} ) +USE_RUBY="ruby30 ruby31 ruby32" # No, I am not calling ruby-ng inherit python-r1 toolchain-funcs multilib-minimal 
@@ -20,28 +20,30 @@ if [[ ${PV} == 9999 ]]; then S="${WORKDIR}/${P}/${PN}" else SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" + KEYWORDS="amd64 arm arm64 ~mips ~riscv x86" S="${WORKDIR}/${MY_P}" fi LICENSE="public-domain" SLOT="0" -IUSE="pcre2 python ruby static-libs ruby_targets_ruby25 ruby_targets_ruby26 ruby_targets_ruby27" +IUSE="python ruby static-libs ruby_targets_ruby30 ruby_targets_ruby31 ruby_targets_ruby32" REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" -RDEPEND=">=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] - !pcre2? ( >=dev-libs/libpcre-8.33-r1:=[static-libs?,${MULTILIB_USEDEP}] ) - pcre2? ( dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}] ) +RDEPEND="dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}] + >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] python? ( ${PYTHON_DEPS} ) ruby? ( - ruby_targets_ruby25? ( dev-lang/ruby:2.5 ) - ruby_targets_ruby26? ( dev-lang/ruby:2.6 ) - ruby_targets_ruby27? ( dev-lang/ruby:2.7 ) + ruby_targets_ruby30? ( dev-lang/ruby:3.0 ) + ruby_targets_ruby31? ( dev-lang/ruby:3.1 ) + ruby_targets_ruby32? ( dev-lang/ruby:3.2 ) ) elibc_musl? ( sys-libs/fts-standalone )" DEPEND="${RDEPEND}" BDEPEND="virtual/pkgconfig - python? ( >=dev-lang/swig-2.0.9 ) + python? ( + >=dev-lang/swig-2.0.9 + dev-python/pip[${PYTHON_USEDEP}] + ) ruby? ( >=dev-lang/swig-2.0.9 )" src_prepare() { @@ -59,7 +61,7 @@ multilib_src_compile() { LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ LDFLAGS="-fPIC ${LDFLAGS} -pthread" \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \ all @@ -69,7 +71,7 @@ multilib_src_compile() { LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \ LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \ pywrap } 
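Review bot: `dev-python/pip[${PYTHON_USEDEP}]` joins BDEPEND without a comment explaining why building a C library needs pip; presumably upstream's `install-pywrap` Makefile target installs the Python binding through pip, but nothing in this hunk shows that. A one-line comment next to it, such as `# upstream's install-pywrap target installs the binding via pip`, would spare the next maintainer the lookup. The same addition appears in the 9999 ebuild further down.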
@@ -86,7 +88,7 @@ multilib_src_compile() { LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \ LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \ rubywrap } @@ -102,7 +104,7 @@ multilib_src_install() { emake DESTDIR="${D}" \ LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ install if multilib_is_native_abi && use python; then @@ -110,7 +112,7 @@ multilib_src_install() { emake DESTDIR="${D}" \ LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ install-pywrap python_optimize # bug 531638 } @@ -126,7 +128,7 @@ multilib_src_install() { LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ RUBY=${1} \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ install-rubywrap } for RUBYTARGET in ${USE_RUBY}; do @@ -143,12 +145,12 @@ pkg_postinst() { # Fix bug 473502 for POLTYPE in ${POLICY_TYPES}; do - mkdir -p /etc/selinux/${POLTYPE}/contexts/files || die - touch /etc/selinux/${POLTYPE}/contexts/files/file_contexts.local || die + mkdir -p "${ROOT}/etc/selinux/${POLTYPE}/contexts/files" || die + touch "${ROOT}/etc/selinux/${POLTYPE}/contexts/files/file_contexts.local" || die # Fix bug 516608 for EXPRFILE in file_contexts file_contexts.homedirs file_contexts.local ; do - if [[ -f "/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE}" ]]; then - sefcontext_compile /etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE} \ + if [[ -f "${ROOT}/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE}" ]]; then + sefcontext_compile "${ROOT}/etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE}" \ || die "Failed to recompile contexts" fi done 
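Review bot: `sefcontext_compile` is now resolved from PATH and run against the `${ROOT}`-prefixed context files, replacing the `${ROOT}/usr/sbin/sefcontext_compile` call that the deleted 3.1-r3 ebuild carried under a `flatcar changes` comment. When ROOT is set this means the build host's binary writes the `file_contexts.bin` cache that the target's libselinux will read, which presumably only works while host and target libselinux (and the pcre2 they link) agree on the cache format; worth confirming for the SDK's cross builds. Either document the assumption on the `sefcontext_compile` line, e.g. `# in cross builds the host's sefcontext_compile writes the target's file_contexts.bin; versions must match`, or skip the compile when `[[ -n ${ROOT} ]]` and let the target regenerate it on first use. pkg_postinst continues past this hunk.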
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-9999.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-9999.ebuild similarity index 80% rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-9999.ebuild rename to sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-9999.ebuild index 91e457f8dd..f5475a7744 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/libselinux-9999.ebuild @@ -1,9 +1,9 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" -PYTHON_COMPAT=( python3_{6..10} ) -USE_RUBY="ruby25 ruby26 ruby27" +PYTHON_COMPAT=( python3_{10..12} ) +USE_RUBY="ruby30 ruby31 ruby32" # No, I am not calling ruby-ng inherit python-r1 toolchain-funcs multilib-minimal 
@@ -20,28 +20,30 @@ if [[ ${PV} == 9999 ]]; then S="${WORKDIR}/${P}/${PN}" else SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86" S="${WORKDIR}/${MY_P}" fi LICENSE="public-domain" SLOT="0" -IUSE="pcre2 python ruby static-libs ruby_targets_ruby25 ruby_targets_ruby26 ruby_targets_ruby27" +IUSE="python ruby static-libs ruby_targets_ruby30 ruby_targets_ruby31 ruby_targets_ruby32" REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" -RDEPEND=">=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] - !pcre2? ( >=dev-libs/libpcre-8.33-r1:=[static-libs?,${MULTILIB_USEDEP}] ) - pcre2? ( dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}] ) +RDEPEND="dev-libs/libpcre2:=[static-libs?,${MULTILIB_USEDEP}] + >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] python? ( ${PYTHON_DEPS} ) ruby? ( - ruby_targets_ruby25? ( dev-lang/ruby:2.5 ) - ruby_targets_ruby26? ( dev-lang/ruby:2.6 ) - ruby_targets_ruby27? ( dev-lang/ruby:2.7 ) + ruby_targets_ruby30? ( dev-lang/ruby:3.0 ) + ruby_targets_ruby31? ( dev-lang/ruby:3.1 ) + ruby_targets_ruby32? ( dev-lang/ruby:3.2 ) ) elibc_musl? ( sys-libs/fts-standalone )" DEPEND="${RDEPEND}" BDEPEND="virtual/pkgconfig - python? ( >=dev-lang/swig-2.0.9 ) + python? ( + >=dev-lang/swig-2.0.9 + dev-python/pip[${PYTHON_USEDEP}] +) ruby? ( >=dev-lang/swig-2.0.9 )" src_prepare() { @@ -59,7 +61,7 @@ multilib_src_compile() { LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ LDFLAGS="-fPIC ${LDFLAGS} -pthread" \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \ all @@ -69,7 +71,7 @@ multilib_src_compile() { LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \ LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \ pywrap } 
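Review bot: The closing `)` of the new `python? (` group in BDEPEND sits at column 0 (`+)`), unlike the indented `)` in the matching libselinux-3.5-r1 hunk, so the two synced ebuilds now differ in whitespace alone; indent it to match the other lines of the group. The dependency string parses the same either way, this is purely about keeping the two files diffable against each other.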
@@ -86,7 +88,7 @@ multilib_src_compile() { LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \ LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ FTS_LDLIBS="$(usex elibc_musl '-lfts' '')" \ rubywrap } @@ -102,7 +104,7 @@ multilib_src_install() { emake DESTDIR="${D}" \ LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ install if multilib_is_native_abi && use python; then @@ -110,7 +112,7 @@ multilib_src_install() { emake DESTDIR="${D}" \ LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ install-pywrap python_optimize # bug 531638 } @@ -126,7 +128,7 @@ multilib_src_install() { LIBDIR="\$(PREFIX)/$(get_libdir)" \ SHLIBDIR="/$(get_libdir)" \ RUBY=${1} \ - USE_PCRE2="$(usex pcre2 y n)" \ + USE_PCRE2=y \ install-rubywrap } for RUBYTARGET in ${USE_RUBY}; do diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/metadata.xml similarity index 77% rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/metadata.xml rename to sdk_container/src/third_party/portage-stable/sys-libs/libselinux/metadata.xml index 92059a54b9..dfd7bb04e0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sys-libs/libselinux/metadata.xml @@ -1,5 +1,5 @@ - + selinux@gentoo.org @@ -10,9 +10,6 @@ process and file security contexts and to obtain security policy decisions. Required for any applications that use the SELinux API. - - Use dev-libs/libpcre2 for fcontext regexes - cpe:/a:selinuxproject:libselinux SELinuxProject/selinux From c4a353d0f807a5ed155c99595720d61da06fd919 Mon Sep 17 00:00:00 2001 
From: Mathieu Tortuyaux
Date: Mon, 12 Jun 2023 18:29:09 +0200
Subject: [PATCH 03/22] sys-libs/libsepol: sync with Gentoo
Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db
Signed-off-by: Mathieu Tortuyaux
---
 .../portage-stable/sys-libs/libsepol/Manifest | 3 +-
 .../sys-libs/libsepol/libsepol-3.1.ebuild | 51 -------------------
 ...ibsepol-3.2.ebuild => libsepol-3.5.ebuild} | 4 +-
 .../sys-libs/libsepol/libsepol-9999.ebuild | 4 +-
 .../sys-libs/libsepol/metadata.xml | 2 +-
 5 files changed, 6 insertions(+), 58 deletions(-)
 delete mode 100644 sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.1.ebuild
 rename sdk_container/src/third_party/portage-stable/sys-libs/libsepol/{libsepol-3.2.ebuild => libsepol-3.5.ebuild} (92%)
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/Manifest b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/Manifest
index abf164a008..cef9954d31 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/Manifest
@@ -1,2 +1 @@
-DIST libsepol-3.1.tar.gz 473842 BLAKE2B ef1d596c4d53cc0a87e899ef4aeb5bf29c9d6b8303632ddc866c100d30debd8aedd0e8b38cb4ce3141b80421cd914148ff072e492d63dc2dacf03ac2ce59ca5a SHA512 4b5f4e82853ff3e9b4fac2dbdea5c2fc3bb7b508af912217ac4b75da6540fbcd77aa314ab95cd9dfa94fbc4a885000656a663c1a152f65b4cf6970ea0b6034ab
-DIST libsepol-3.2.tar.gz 477749 BLAKE2B 6f35387c0373869672080e151f212c081389f6799539124353aa1749ae2648669b2e237a271297c1c212b7a9e0c35f05edfff1bb724c8a15993e8fb8c599ac2e SHA512 1a6b3489ff766958a4b444b9be63a794267243aed303d3e7d87278f11be492dbf603a0c8181c4c5e01cb0e1ceb43810a77f738f0b9bd1d7d2be67053f9c67a6f
+DIST libsepol-3.5.tar.gz 497522 BLAKE2B dad2d346605be53fe41aef69e2e4bd4f1ce68a15f0b9307deb6b66bbe7bf06a9ee6be580e60d2f19aebbc8ee5041ac8a7b831b51342ba7c7089e1f1a447e7691 SHA512 66f45a9f4951589855961955db686b006b4c0cddead6ac49ad238a0e4a34775905bd10fb8cf0c0ff2ab64f9b7d8366b97fcd5b19c382dec39971a2835cc765c8
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.1.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.1.ebuild
deleted file mode 100644
index ccf481b3d4..0000000000
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.1.ebuild
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-
-inherit toolchain-funcs multilib-minimal
-
-MY_P="${P//_/-}"
-MY_RELEASEDATE="20200710"
-
-DESCRIPTION="SELinux binary policy representation library"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]]; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- S="${WORKDIR}/${MY_P}/${PN}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz"
- KEYWORDS="amd64 ~arm ~arm64 ~mips x86"
- S="${WORKDIR}/${MY_P}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-
-# tests are not meant to be run outside of the full SELinux userland repo
-RESTRICT="test"
-
-src_prepare() {
- eapply_user
- multilib_copy_sources
-}
-
-multilib_src_compile() {
- tc-export CC AR RANLIB
-
- # https://bugs.gentoo.org/706730
- local -x CFLAGS="${CFLAGS} -fcommon"
-
- emake \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)"
-}
-
-multilib_src_install() {
- emake DESTDIR="${D}" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- SHLIBDIR="/$(get_libdir)" \
- install
-}
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.2.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.5.ebuild
similarity index 92%
rename from sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.2.ebuild
rename to sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.5.ebuild
index 141803b9f5..16ea268dc5 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-3.5.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
@@ -17,7 +17,7 @@ if [[ ${PV} == 9999 ]]; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
-KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
 S="${WORKDIR}/${MY_P}"
 fi
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-9999.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-9999.ebuild
index 141803b9f5..f682823e46 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/libsepol-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
@@ -17,7 +17,7 @@ if [[ ${PV} == 9999 ]]; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
-KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86"
 S="${WORKDIR}/${MY_P}"
 fi
diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/metadata.xml
index 5adbcb6f6f..6a8cf19d67 100644
--- a/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-libs/libsepol/metadata.xml
@@ -1,5 +1,5 @@ - + selinux@gentoo.org
From d78e4b3b20c438adc53549ada31ec36c0126b19a Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Mon, 12 Jun 2023 18:29:10 +0200
Subject: [PATCH 04/22] sys-apps/policycoreutils: sync with Gentoo
Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db
Signed-off-by: Mathieu Tortuyaux
---
 .../sys-apps/policycoreutils/Manifest | 3 +-
 .../sys-apps/policycoreutils/metadata.xml | 2 +-
 .../policycoreutils-3.1-r4.ebuild | 224 ------------------
 ...2-r1.ebuild => policycoreutils-3.5.ebuild} | 32 ++-
 .../policycoreutils-9999.ebuild | 32 ++-
 5 files changed, 40 insertions(+), 253 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r4.ebuild
 rename sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/{policycoreutils-3.2-r1.ebuild => policycoreutils-3.5.ebuild} (87%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
index c58464335d..cfc08315c2 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/Manifest
@@ -1,3 +1,2 @@
-DIST policycoreutils-3.1.tar.gz 2817914 BLAKE2B ef68bb5f9cf577164ead44803b6be2bd6401c9e923d2c775c7c8c47f0e803749feaec4247fec5cc1cb766314954402fd2506370bb397f746437ecfcf65b384f3 SHA512 0592f218563a99ba95d2cfd07fdc3761b61c1cc3c01a17ab89ad840169e1a7d4083521d5cacc72d1b76911d516bf592db7a3f90d9ef0cc11ceed007e4580e140
+DIST policycoreutils-3.5.tar.gz 775639 BLAKE2B 777b8564484e89385db7a184c4cad9a99aabf1fd1ac41abd5826c7e6ad29118ae9d6f0d0fd968b6ced87f2f04bc6d7cd207b67428151522915367f656fb8d3f8 SHA512 7978ef6b7a278c6384c9b397734d03c4932c8aefecceaa1e6a1345be27b253dbe276fdcd219ce83ad732c6ed55d53bbc3254e39bccadd67d2cd1152a14749444
 DIST policycoreutils-extra-1.37.tar.bz2 8809 BLAKE2B a7f6122c2e27f54b018174e962bd7f4c14af04e09bbb5300bde6967ea7f2dc5cd03b5787919a4e7f5288bcbc6747922962b5bd3b588ab1e3a035fbff4910d8f5 SHA512 0a85cd7cf279256b5e1927f9dfdd89626a1c8b77b0aeb62b496e7e8d1dccbaa315e39f9308fb2df7270f0bc1c10787b19990e7365cad74b47b61e30394c8b23f
-DIST policycoreutils-3.2.tar.gz 2817961 BLAKE2B 747cbd7b84ffa9153067340f8f1dc5a652eaf85b037a6e10e116d3d0b31c8e7c9794bc6a46ae212848bef4887478ac167e359a387bebac49e0acd08b727808ce SHA512 d16781d2d61b8b78d6fc242f2b5c3a03f47ea524fb61655823b6b0f0327ff376c65fe7bdf7a53f5863c01e599cf4a7050f21fda0fe6a8f2c2c16f89b156a4346
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/metadata.xml
index 16effc34b8..4d3c72d81d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/metadata.xml
@@ -1,5 +1,5 @@ - + selinux@gentoo.org
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r4.ebuild
deleted file mode 100644
index 9b71258245..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.1-r4.ebuild
+++ /dev/null
@@ -1,224 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-PYTHON_COMPAT=( python3_{6..11} )
-PYTHON_REQ_USE="xml(+)"
-
-inherit multilib python-r1 toolchain-funcs bash-completion-r1
-
-MY_P="${P//_/-}"
-
-MY_RELEASEDATE="20200710"
-EXTRAS_VER="1.37"
-SEMNG_VER="${PV}"
-SELNX_VER="${PV}"
-SEPOL_VER="${PV}"
-
-# flatcar changes: nls, extra
-IUSE="audit extra nls pam python split-usr"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
-DESCRIPTION="SELinux core utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]]; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- S1="${WORKDIR}/${MY_P}/${PN}"
- S2="${WORKDIR}/policycoreutils-extra"
- S="${S1}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz
- https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- KEYWORDS="amd64 ~arm64 ~mips x86"
- S1="${WORKDIR}/${MY_P}"
- S2="${WORKDIR}/policycoreutils-extra"
- S="${S1}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-
-# flatcar changes: remove setools. Since 4.x setools is written in python
-# so it's not shipped anymore with Flatcar OS
-DEPEND=">=sys-libs/libselinux-${SELNX_VER}:=[python?,${PYTHON_USEDEP}]
- >=sys-libs/libsemanage-${SEMNG_VER}:=[python?,${PYTHON_USEDEP}]
- >=sys-libs/libsepol-${SEPOL_VER}:=
- sys-libs/libcap-ng:=
- audit? ( >=sys-process/audit-1.5.1[python?,${PYTHON_USEDEP}] )
- pam? ( sys-libs/pam:= )
- python? ( ${PYTHON_DEPS} )"
-
-# Avoid dependency loop in the cross-compile case, bug #755173
-# (Still exists in native)
-BDEPEND="sys-devel/gettext"
-
-# pax-utils for scanelf used by rlpkg
-RDEPEND="${DEPEND}
- app-misc/pax-utils"
-
-PDEPEND="sys-apps/semodule-utils
- python?
( sys-apps/selinux-python )"
-
-src_unpack() {
- # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
- default
- if [[ ${PV} == 9999 ]] ; then
- git-r3_src_unpack
- fi
-}
-
-src_prepare() {
- S="${S1}"
- cd "${S}" || die "Failed to switch to ${S}"
- if [[ ${PV} != 9999 ]] ; then
- # If needed for live ebuilds please use /etc/portage/patches
- eapply "${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch"
- fi
-
- # rlpkg is more useful than fixfiles
- sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
- || die "fixfiles sed 1 failed"
- sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
- || die "fixfiles sed 2 failed"
-
- eapply_user
-
- sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror"
-
- # flatcar changes
- if use python; then
- python_copy_sources
- # Our extra code is outside the regular directory, so set it to the extra
- # directory. We really should optimize this as it is ugly, but the extra
- # code is needed for Gentoo at the same time that policycoreutils is present
- # (so we cannot use an additional package for now).
- if use extra ; then
- S="${S2}"
- python_copy_sources
- fi
- fi
-
- # flatcar changes
- # Skip building unneeded parts.
- if !
use python ; then
- for dir in audit2allow gui scripts semanage sepolicy sepolgen-ifgen; do
- sed -e "s/ $dir / /" -i Makefile || die
- done
- fi
- use nls || sed -e "s/ po / /" -i Makefile || die
-}
-
-src_compile() {
- building() {
- emake -C "${BUILD_DIR}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit y n)" \
- PAMH="$(usex pam y n)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- LIBDIR="\$(PREFIX)/$(get_libdir)"
- }
-
- # flatcar changes
- if use python; then
- S="${S1}" # Regular policycoreutils
- python_foreach_impl building
- if use extra ; then
- S="${S2}" # Extra set
- python_foreach_impl building
- fi
- else
- BUILD_DIR="${S1}"
- building
- if use extra ; then
- BUILD_DIR="${S2}"
- building
- fi
- fi
-}
-
-src_install() {
- # Python scripts are present in many places. There are no extension modules.
- installation-policycoreutils() {
- einfo "Installing policycoreutils"
- emake -C "${BUILD_DIR}" DESTDIR="${D}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit y n)" \
- PAMH="$(usex pam y n)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- install
- # flatcar changes
- if use python; then
- python_optimize
- fi
- }
-
- installation-extras() {
- einfo "Installing policycoreutils-extra"
- emake -C "${BUILD_DIR}" \
- DESTDIR="${D}" \
- SHLIBDIR="${D}$(get_libdir)/rc" \
- install
- # flatcar changes
- if use python; then
- python_optimize
- fi
- }
-
- # flatcar changes
- if use python; then
- S="${S1}" # policycoreutils
- python_foreach_impl installation-policycoreutils
- if use extra ; then
- S="${S2}"
- installation-extras
- S="${S1}" # back for later
- fi
- else
- BUILD_DIR="${S1}"
- installation-policycoreutils
- if use extra ; then
- BUILD_DIR="${S2}"
- installation-extras
- fi
- fi
-
- # remove redhat-style init script
- rm -fR "${D}/etc/rc.d" || die
-
- # compatibility symlinks
- use split-usr && dosym ../../sbin/setfiles /usr/sbin/setfiles
-
- bashcomp_alias setsebool getsebool
-
- # location for policy definitions
- #
flatcar changes:
- dodir /usr/lib/selinux/policy
- dosym ../../usr/lib/selinux/policy /var/lib/selinux
- keepdir /usr/lib/selinux/policy
-
- # Set version-specific scripts
- # flatcar changes
- if use python; then
- # Set version-specific scripts
- for pyscript in audit2allow sepolgen-ifgen sepolicy chcat; do
- python_replicate_script "${ED}/usr/bin/${pyscript}"
- done
- python_replicate_script "${ED}/usr/sbin/semanage"
- use extra && python_replicate_script "${ED}/usr/sbin/rlpkg"
- fi
-}
-
-pkg_postinst() {
- for POLICY_TYPE in ${POLICY_TYPES} ; do
- # There have been some changes to the policy store, rebuilding now.
- # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
- semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
- done
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.2-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
similarity index 87%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.2-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
index 8ef2854fbb..5d45077b38 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.2-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
@@ -1,17 +1,16 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
-PYTHON_COMPAT=( python3_{6..10} )
-PYTHON_REQ_USE="xml"
+PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_REQ_USE="xml(+)"
 
 inherit multilib python-r1 toolchain-funcs bash-completion-r1
 
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
 EXTRAS_VER="1.37"
 
-IUSE="audit pam split-usr"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
 DESCRIPTION="SELinux core utilities"
 HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
 
@@ -19,20 +18,22 @@ if [[ ${PV} == 9999 ]]; then
 inherit git-r3
 EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
 SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- S1="${WORKDIR}/${PN}"
+ S1="${WORKDIR}/${P}/${PN}"
 S2="${WORKDIR}/policycoreutils-extra"
 S="${S1}"
 else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
 https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- KEYWORDS="~amd64 ~arm64 ~mips ~x86"
- S1="${WORKDIR}/${P}"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
+ S1="${WORKDIR}/${MY_P}"
 S2="${WORKDIR}/policycoreutils-extra"
 S="${S1}"
 fi
 
 LICENSE="GPL-2"
 SLOT="0"
+IUSE="audit pam split-usr"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
 
 DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}]
 >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}]
@@ -138,7 +139,12 @@ src_install() {
 rm -fR "${D}/etc/rc.d" || die
 
 # compatibility symlinks
- use split-usr && dosym ../../sbin/setfiles /usr/sbin/setfiles
+ if use split-usr; then
+ dosym ../../sbin/setfiles /usr/sbin/setfiles
+ else
+ # remove sestatus symlink
+ rm -f "${D}"/usr/sbin/sestatus || die
+ fi
 
 bashcomp_alias setsebool getsebool
 
@@ -156,7 +162,7 @@ pkg_postinst() {
 for POLICY_TYPE in ${POLICY_TYPES} ; do
 # There have been some changes to the policy store, rebuilding now.
 # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} (without re-loading)."
- semodule -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
+ einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
+ semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
 done
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
index 8ef2854fbb..6df44f548c 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
@@ -1,17 +1,16 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
-PYTHON_COMPAT=( python3_{6..10} )
-PYTHON_REQ_USE="xml"
+PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_REQ_USE="xml(+)"
 
 inherit multilib python-r1 toolchain-funcs bash-completion-r1
 
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
 EXTRAS_VER="1.37"
 
-IUSE="audit pam split-usr"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
 DESCRIPTION="SELinux core utilities"
 HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
 
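Review bot: `semodule ... || die` in pkg_postinst aborts a phase that runs after the package files are already merged, so a failed store rebuild surfaces only as a postinst failure while the new binaries stay installed; an `eerror` with the store name and a `return`, or at least a comment saying the failure is deliberate, would make that explicit. When POLICY_TYPES is unset the loop body never runs and nothing is logged, so a misconfigured build host silently skips the rebuild; a one-line `ewarn` in that case would help. With `-p "${ROOT:-/}"` the host's semodule now writes the target's store, which presumably requires the host and target policycoreutils to agree on the store format — worth a comment. The same two lines appear in the policycoreutils-9999 pkg_postinst hunk below.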
@@ -19,20 +18,22 @@ if [[ ${PV} == 9999 ]]; then
 inherit git-r3
 EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
 SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- S1="${WORKDIR}/${PN}"
+ S1="${WORKDIR}/${P}/${PN}"
 S2="${WORKDIR}/policycoreutils-extra"
 S="${S1}"
 else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
 https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- KEYWORDS="~amd64 ~arm64 ~mips ~x86"
- S1="${WORKDIR}/${P}"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ S1="${WORKDIR}/${MY_P}"
 S2="${WORKDIR}/policycoreutils-extra"
 S="${S1}"
 fi
 
 LICENSE="GPL-2"
 SLOT="0"
+IUSE="audit pam split-usr"
+REQUIRED_USE="${PYTHON_REQUIRED_USE}"
 
 DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}]
 >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}]
@@ -138,7 +139,12 @@ src_install() {
 rm -fR "${D}/etc/rc.d" || die
 
 # compatibility symlinks
- use split-usr && dosym ../../sbin/setfiles /usr/sbin/setfiles
+ if use split-usr; then
+ dosym ../../sbin/setfiles /usr/sbin/setfiles
+ else
+ # remove sestatus symlink
+ rm -f "${D}"/usr/sbin/sestatus || die
+ fi
 
 bashcomp_alias setsebool getsebool
 
@@ -156,7 +162,7 @@ pkg_postinst() {
 for POLICY_TYPE in ${POLICY_TYPES} ; do
 # There have been some changes to the policy store, rebuilding now.
 # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} (without re-loading)."
- semodule -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
+ einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
+ semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
 done
 }
From a38d44bd1c119ddb60e16a0718ddcd26ace6f8b4 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Mon, 12 Jun 2023 18:29:10 +0200
Subject: [PATCH 05/22] sys-apps/policycoreutils: apply flatcar changes
* remove python dependencies
* move selinux policy directory from /etc/selinux/policy to /usr/lib/selinux/policy
* add tmpfiles to recreate /var/lib/selinux on rootfs
* remove setools dependency
Signed-off-by: Mathieu Tortuyaux
---
 .../files/tmpfiles.d/10-var-lib-selinux.conf | 2 +
 .../policycoreutils-3.5.ebuild | 50 ++----
 .../policycoreutils-9999.ebuild | 168 ------------------
 3 files changed, 18 insertions(+), 202 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf
new file mode 100644
index 0000000000..f763cf3e45
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/files/tmpfiles.d/10-var-lib-selinux.conf
@@ -0,0 +1,2 @@
+#Type Path Mode UID GID Age Argument
+L /var/lib/selinux/ - - - - ../../usr/lib/selinux/policy
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
index 5d45077b38..202a894257 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-3.5.ebuild
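Review bot: An `L` entry only creates the link when nothing exists at /var/lib/selinux, so a real directory left over from the previous layout (the ebuild used to `dodir /var/lib/selinux`, see the removed lines further down) would be kept and the policy store would silently diverge from /usr/lib/selinux/policy; if the intent is to enforce the symlink on every boot, `L+` is the tmpfiles type that replaces an existing path. The relative target is also duplicated by the ebuild's `dosym ../../usr/lib/selinux/policy /var/lib/selinux`, and nothing ties the two together; a comment in the conf such as `# Keep in sync with the dosym in policycoreutils-*.ebuild` would make a later change to one of them less likely to miss the other.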
@@ -5,7 +5,8 @@ EAPI="7"
 PYTHON_COMPAT=( python3_{9..11} )
 PYTHON_REQ_USE="xml(+)"
 
-inherit multilib python-r1 toolchain-funcs bash-completion-r1
+TMPFILES_OPTIONAL=1
+inherit multilib python-r1 toolchain-funcs bash-completion-r1 tmpfiles
 
 MY_PV="${PV//_/-}"
 MY_P="${PN}-${MY_PV}"
@@ -35,14 +36,12 @@ SLOT="0"
 IUSE="audit pam split-usr"
 REQUIRED_USE="${PYTHON_REQUIRED_USE}"
 
-DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}]
- >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}]
+DEPEND=">=sys-libs/libselinux-${PV}:=
+ >=sys-libs/libsemanage-${PV}:=
 >=sys-libs/libsepol-${PV}:=
 sys-libs/libcap-ng:=
- >=app-admin/setools-4.2.0[${PYTHON_USEDEP}]
 audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )
- pam? ( sys-libs/pam:= )
- ${PYTHON_DEPS}"
+ pam? ( sys-libs/pam:= )"
 
 # Avoid dependency loop in the cross-compile case, bug #755173
 # (Still exists in native)
@@ -52,8 +51,7 @@ BDEPEND="sys-devel/gettext"
 RDEPEND="${DEPEND}
 app-misc/pax-utils"
 
-PDEPEND="sys-apps/semodule-utils
- sys-apps/selinux-python"
+PDEPEND="sys-apps/semodule-utils"
 
 src_unpack() {
 # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
@@ -80,14 +78,6 @@ src_prepare() {
 eapply_user
 
 sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror"
-
- python_copy_sources
- # Our extra code is outside the regular directory, so set it to the extra
- # directory. We really should optimize this as it is ugly, but the extra
- # code is needed for Gentoo at the same time that policycoreutils is present
- # (so we cannot use an additional package for now).
- S="${S2}"
- python_copy_sources
 }
 
 src_compile() {
@@ -100,10 +90,8 @@ src_compile() {
 CC="$(tc-getCC)" \
 LIBDIR="\$(PREFIX)/$(get_libdir)"
 }
- S="${S1}" # Regular policycoreutils
- python_foreach_impl building
- S="${S2}" # Extra set
- python_foreach_impl building
+ BUILD_DIR="${S1}"
+ building
 }
 
 src_install() {
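Review bot: The DEPEND hunk keeps `audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )`, so with USE=audit the package still requires the Python bindings of audit and, through `${PYTHON_USEDEP}`, a matching Python implementation, which contradicts the "remove python dependencies" bullet in the commit message; `audit? ( >=sys-process/audit-1.5.1 )` looks like the intended line. The surrounding context also keeps `REQUIRED_USE="${PYTHON_REQUIRED_USE}"`, `PYTHON_COMPAT` and the `python-r1` inherit, which presumably still force a python_targets flag even though nothing Python is built any more; if they are retained on purpose a comment should say why.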
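Review bot: After the src_compile hunk only `${S1}` is built, yet `S2`, the policycoreutils-extra entry in `SRC_URI` and the `app-misc/pax-utils` RDEPEND (context in the `@@ -52,8 +51,7 @@` hunk) all remain; per the `# pax-utils for scanelf used by rlpkg` comment in the deleted 9999 ebuild below, that dependency existed for rlpkg from the extras tarball, which is no longer installed, so the tarball fetch and the RDEPEND look like leftovers. `BUILD_DIR` is also assigned as a global here; `local BUILD_DIR="${S1}"` keeps it from leaking into later phases while still being visible to `building`.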
@@ -118,7 +106,6 @@ src_install() {
 CC="$(tc-getCC)" \
 LIBDIR="\$(PREFIX)/$(get_libdir)" \
 install
- python_optimize
 }
 
 installation-extras() {
@@ -126,14 +113,11 @@ src_install() {
 emake -C "${BUILD_DIR}" \
 DESTDIR="${D}" \
 install
- python_optimize
 }
 
- S="${S1}" # policycoreutils
- python_foreach_impl installation-policycoreutils
- S="${S2}" # extras
- python_foreach_impl installation-extras
- S="${S1}" # back for later
+ BUILD_DIR="${S1}"
+ installation-policycoreutils
+
 
 # remove redhat-style init script
 rm -fR "${D}/etc/rc.d" || die
@@ -148,14 +132,12 @@ src_install() {
 
 bashcomp_alias setsebool getsebool
 
- # location for policy definitions
- dodir /var/lib/selinux
- keepdir /var/lib/selinux
+ dodir /usr/lib/selinux/policy
+ dosym ../../usr/lib/selinux/policy /var/lib/selinux
+ keepdir /usr/lib/selinux/policy
 
- # Set version-specific scripts
- for pyscript in rlpkg; do
- python_replicate_script "${ED}/usr/sbin/${pyscript}"
- done
+ # Recreate the symlink in /var in case of wiping the root filesystem.
+ dotmpfiles "${FILESDIR}/tmpfiles.d/10-var-lib-selinux.conf"
 }
 
 pkg_postinst() {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
deleted file mode 100644
index 6df44f548c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
+++ /dev/null
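Review bot: In the `@@ -126,14 +113,11 @@` hunk the added `+` blank line directly precedes an existing blank context line, leaving two empty lines after `installation-policycoreutils`; the added one can be dropped. `installation-extras()` is still defined in the `@@ -118`/`@@ -126` context but, as far as the visible hunks show, no longer called anywhere, so it is dead code now. In the `@@ -148,14 +132,12 @@` hunk `dodir /usr/lib/selinux/policy` is redundant with the `keepdir /usr/lib/selinux/policy` two lines later, which creates the directory itself; the old code had the same pair for /var/lib/selinux, so this is inherited rather than new, but a good moment to drop it.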
@@ -1,168 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="7"
-PYTHON_COMPAT=( python3_{9..11} )
-PYTHON_REQ_USE="xml(+)"
-
-inherit multilib python-r1 toolchain-funcs bash-completion-r1
-
-MY_PV="${PV//_/-}"
-MY_P="${PN}-${MY_PV}"
-EXTRAS_VER="1.37"
-
-DESCRIPTION="SELinux core utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]]; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- SRC_URI="https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- S1="${WORKDIR}/${P}/${PN}"
- S2="${WORKDIR}/policycoreutils-extra"
- S="${S1}"
-else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz
- https://dev.gentoo.org/~perfinion/distfiles/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
- S1="${WORKDIR}/${MY_P}"
- S2="${WORKDIR}/policycoreutils-extra"
- S="${S1}"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-IUSE="audit pam split-usr"
-REQUIRED_USE="${PYTHON_REQUIRED_USE}"
-
-DEPEND=">=sys-libs/libselinux-${PV}:=[python,${PYTHON_USEDEP}]
- >=sys-libs/libsemanage-${PV}:=[python(+),${PYTHON_USEDEP}]
- >=sys-libs/libsepol-${PV}:=
- sys-libs/libcap-ng:=
- >=app-admin/setools-4.2.0[${PYTHON_USEDEP}]
- audit? ( >=sys-process/audit-1.5.1[python,${PYTHON_USEDEP}] )
- pam?
( sys-libs/pam:= )
- ${PYTHON_DEPS}"
-
-# Avoid dependency loop in the cross-compile case, bug #755173
-# (Still exists in native)
-BDEPEND="sys-devel/gettext"
-
-# pax-utils for scanelf used by rlpkg
-RDEPEND="${DEPEND}
- app-misc/pax-utils"
-
-PDEPEND="sys-apps/semodule-utils
- sys-apps/selinux-python"
-
-src_unpack() {
- # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
- default
- if [[ ${PV} == 9999 ]] ; then
- git-r3_src_unpack
- fi
-}
-
-src_prepare() {
- S="${S1}"
- cd "${S}" || die "Failed to switch to ${S}"
- if [[ ${PV} != 9999 ]] ; then
- # If needed for live ebuilds please use /etc/portage/patches
- eapply "${FILESDIR}/policycoreutils-3.1-0001-newrole-not-suid.patch"
- fi
-
- # rlpkg is more useful than fixfiles
- sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
- || die "fixfiles sed 1 failed"
- sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
- || die "fixfiles sed 2 failed"
-
- eapply_user
-
- sed -i 's/-Werror//g' "${S1}"/*/Makefile || die "Failed to remove Werror"
-
- python_copy_sources
- # Our extra code is outside the regular directory, so set it to the extra
- # directory. We really should optimize this as it is ugly, but the extra
- # code is needed for Gentoo at the same time that policycoreutils is present
- # (so we cannot use an additional package for now).
- S="${S2}"
- python_copy_sources
-}
-
-src_compile() {
- building() {
- emake -C "${BUILD_DIR}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit y n)" \
- PAMH="$(usex pam y n)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- LIBDIR="\$(PREFIX)/$(get_libdir)"
- }
- S="${S1}" # Regular policycoreutils
- python_foreach_impl building
- S="${S2}" # Extra set
- python_foreach_impl building
-}
-
-src_install() {
- # Python scripts are present in many places. There are no extension modules.
- installation-policycoreutils() {
- einfo "Installing policycoreutils"
- emake -C "${BUILD_DIR}" DESTDIR="${D}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit y n)" \
- PAMH="$(usex pam y n)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- install
- python_optimize
- }
-
- installation-extras() {
- einfo "Installing policycoreutils-extra"
- emake -C "${BUILD_DIR}" \
- DESTDIR="${D}" \
- install
- python_optimize
- }
-
- S="${S1}" # policycoreutils
- python_foreach_impl installation-policycoreutils
- S="${S2}" # extras
- python_foreach_impl installation-extras
- S="${S1}" # back for later
-
- # remove redhat-style init script
- rm -fR "${D}/etc/rc.d" || die
-
- # compatibility symlinks
- if use split-usr; then
- dosym ../../sbin/setfiles /usr/sbin/setfiles
- else
- # remove sestatus symlink
- rm -f "${D}"/usr/sbin/sestatus || die
- fi
-
- bashcomp_alias setsebool getsebool
-
- # location for policy definitions
- dodir /var/lib/selinux
- keepdir /var/lib/selinux
-
- # Set version-specific scripts
- for pyscript in rlpkg; do
- python_replicate_script "${ED}/usr/sbin/${pyscript}"
- done
-}
-
-pkg_postinst() {
- for POLICY_TYPE in ${POLICY_TYPES} ; do
- # There have been some changes to the policy store, rebuilding now.
- # https://marc.info/?l=selinux&m=143757277819717&w=2
- einfo "Rebuilding store ${POLICY_TYPE} in '${ROOT:-/}' (without re-loading)."
- semodule -p "${ROOT:-/}" -s "${POLICY_TYPE}" -n -B || die "Failed to rebuild policy store ${POLICY_TYPE}"
- done
-}
From e1ff97556ff5a1b6186e342ec0a074a1022123d4 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Mon, 12 Jun 2023 18:29:10 +0200
Subject: [PATCH 06/22] sys-libs/libsemanage: sync with Gentoo
Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db
Signed-off-by: Mathieu Tortuyaux
---
 .../sys-libs/libsemanage/Manifest | 4 +-
 .../files/tmpfiles.d/libsemanage.conf | 3 -
 ...e-3.2.ebuild => libsemanage-3.4-r1.ebuild} | 11 ++--
 ...e-3.1-r2.ebuild => libsemanage-3.5.ebuild} | 61 +++++++------------
 .../libsemanage/libsemanage-9999.ebuild | 11 ++--
 .../sys-libs/libsemanage/metadata.xml | 2 +-
 6 files changed, 40 insertions(+), 52 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
 rename sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/{libsemanage-3.2.ebuild => libsemanage-3.4-r1.ebuild} (93%)
 rename sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/{libsemanage-3.1-r2.ebuild => libsemanage-3.5.ebuild} (76%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
index 72d9050a7a..f9d01749aa 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest
@@ -1,2 +1,2 @@
-DIST libsemanage-3.1.tar.gz 179601 BLAKE2B 69450a4eda1f3728d339f65db1eec9940995fcea5208d17dca531ebc998aefbfec48fe91beffa3490e1502953aa550405fb696635d01b0eb8050c8f00f11106a SHA512 8609ca7d13b5c603677740f2b14558fea3922624af182d20d618237ba11fcf2559fab82fc68d1efa6ff118f064d426f005138521652c761de92cd66150102197
-DIST libsemanage-3.2.tar.gz 178839 BLAKE2B c0925812d784923a7a239ba919fc0a0e1d84cb528cbf4a357fb7938d3c06ebd2f0b60cd3eba40b76bf7c2922a081b99b16b32dc16638aa1bfce32553e241fb9f SHA512 6ad670bb298b1bab506217b12a3fda5d2209f4387a11410f0c1b65f765ffb579b0d70795dee19048909e0b72ef904fc318be60d5a01f80ab12742ce07647a084
+DIST libsemanage-3.4.tar.gz 185177 BLAKE2B 45276ae6f54cf3dc453bc0d99fb4d7439970bb14ff5b909ebc5511ec31bce1d2bdc477ba9c1fb4fd04ab494ccb37cd8bf47a90d81460c2974af2196d9019bf67 SHA512 831dc789545bb9a0b009bdb4f7fe52f6197ad8325946640f886a960d08e40b8a69eccd5a70cce51466bb5cb7f742feb78d19a9ec63383fbd03aa451508677e73
+DIST libsemanage-3.5.tar.gz 185060 BLAKE2B 3e08b15cb6b335a2747bd5f0bd84f74abdd22a7e8ec91ebb443ca6fe3886d5e8cd2827fefdaa0e9caf2af3280cffbf593ee828fee54dd423a21b257493cc754c SHA512 959fbd0d6bc6849da6caa13dc41c3f8818cbbd29f04b5d2ac7246c4b395b4f370f113a04cc9cfcb52be2afebfa636013ac4ad4011384c58c7ce066a45cae2751
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
deleted file mode 100644
index 168b972069..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/files/tmpfiles.d/libsemanage.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /etc/selinux/ - - - - -
-L /etc/selinux/semanage.conf - - - - ../../usr/lib/selinux/semanage.conf
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.4-r1.ebuild
similarity index 93%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.4-r1.ebuild
index 3860e725b3..cbf9430b1d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.4-r1.ebuild
@@ -1,8 +1,8 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{6..10} )
+PYTHON_COMPAT=( python3_{9..11} )
 
 inherit python-r1 toolchain-funcs multilib-minimal
 
@@ -18,7 +18,7 @@ if [[ ${PV} == 9999 ]]; then
 S="${WORKDIR}/${P}/${PN}"
 else
 SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
-KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+KEYWORDS="amd64 arm arm64 ~mips ~riscv x86"
 S="${WORKDIR}/${MY_P}"
 fi
 
@@ -26,7 +26,8 @@ LICENSE="GPL-2"
 SLOT="0/2"
 REQUIRED_USE="${PYTHON_REQUIRED_USE}"
 
-RDEPEND=">=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
+RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}]
+ >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}]
 >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}]
 >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]
 ${PYTHON_DEPS}"
@@ -84,6 +85,7 @@ multilib_src_compile() {
 emake \
 AR="$(tc-getAR)" \
 CC="$(tc-getCC)" \
+ PKG_CONFIG="$(tc-getPKG_CONFIG)" \
 LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
 "$@"
 }
@@ -101,6 +103,7 @@ multilib_src_install() {
 installation_py() {
 emake DESTDIR="${ED}" \
 LIBDIR="${EPREFIX}/usr/$(get_libdir)" \
+ PKG_CONFIG="$(tc-getPKG_CONFIG)" \
 install-pywrap
 python_optimize # bug 531638
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild
similarity index 76%
rename from sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r2.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild
index f01673d1fd..cbf9430b1d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.1-r2.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild
@@ -1,18 +1,13 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
-PYTHON_COMPAT=( python3_{6..11} )
+PYTHON_COMPAT=( python3_{9..11} )
 
-# flatcar changes
-TMPFILES_OPTIONAL=1
-inherit python-r1 toolchain-funcs multilib-minimal tmpfiles
+inherit python-r1 toolchain-funcs multilib-minimal
 
-MY_P="${P//_/-}"
-MY_RELEASEDATE="20200710"
-
-SEPOL_VER="${PV}"
-SELNX_VER="${PV}"
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
 
 DESCRIPTION="SELinux kernel and policy management library"
 HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
@@ -20,30 +15,27 @@ HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki" if [[ ${PV} == 9999 ]]; then inherit git-r3 EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git" - S="${WORKDIR}/${MY_P}/${PN}" + S="${WORKDIR}/${P}/${PN}" else - SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz" - KEYWORDS="amd64 ~arm ~arm64 ~mips x86" + SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz" + KEYWORDS="amd64 arm arm64 ~mips ~riscv x86" S="${WORKDIR}/${MY_P}" fi LICENSE="GPL-2" -SLOT="0" -IUSE="python" -REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" +SLOT="0/2" +REQUIRED_USE="${PYTHON_REQUIRED_USE}" -RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}[${MULTILIB_USEDEP}] - >=sys-libs/libselinux-${SELNX_VER}[${MULTILIB_USEDEP}] +RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}] + >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] + >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}] >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] - python? ( ${PYTHON_DEPS} )" + ${PYTHON_DEPS}" DEPEND="${RDEPEND}" -BDEPEND=" - python? ( - >=dev-lang/swig-2.0.4-r1 - virtual/pkgconfig - ) +BDEPEND=">=dev-lang/swig-2.0.4-r1 sys-devel/bison - sys-devel/flex" + sys-devel/flex + virtual/pkgconfig" # tests are not meant to be run outside of the # full SELinux userland repo @@ -80,18 +72,20 @@ src_prepare() { } multilib_src_compile() { + local -x CFLAGS="${CFLAGS} -fno-semantic-interposition" + emake \ AR="$(tc-getAR)" \ CC="$(tc-getCC)" \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ all - # flatcar changes - if multilib_is_native_abi && use python; then + if multilib_is_native_abi; then building_py() { emake \ AR="$(tc-getAR)" \ CC="$(tc-getCC)" \ + PKG_CONFIG="$(tc-getPKG_CONFIG)" \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ "$@" } 
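Review bot: Dropping the `python` USE conditional in this hunk turns `${PYTHON_DEPS}` and `>=dev-lang/swig-2.0.4-r1` into unconditional dependencies of libsemanage, where the previous Flatcar version only pulled them in under `python? ( … )`. If the image is not meant to ship the Python bindings, keep `IUSE="python"` with `REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"` and the `python? ( … )` guards on RDEPEND/BDEPEND; otherwise the change is fine. The `:=` subslot operators added on libsepol/libselinux are an improvement, since an ABI bump of either library now triggers a rebuild instead of a silently broken link.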
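Review bot: The native `emake … all` call at the top of multilib_src_compile still receives no `PKG_CONFIG=`, while the new line adds it only to the building_py wrapper, so the same argument list now exists in two diverging copies. Collect it once, e.g. `local myemakeargs=( AR="$(tc-getAR)" CC="$(tc-getCC)" PKG_CONFIG="$(tc-getPKG_CONFIG)" LIBDIR="${EPREFIX}/usr/$(get_libdir)" )`, and call `emake "${myemakeargs[@]}" all` and `emake "${myemakeargs[@]}" "$@"`. Whether the non-Python targets consult pkg-config is not visible here, but passing the toolchain-aware value everywhere avoids a host pkg-config leaking into a cross build. multilib_src_compile's body continues past the end of the hunk.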
@@ -101,29 +95,20 @@ multilib_src_compile() { } multilib_src_install() { - # flatcar changes emake \ - DEFAULT_SEMANAGE_CONF_LOCATION="/usr/lib/selinux/semanage.conf" \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - SHLIBDIR="/usr/$(get_libdir)" \ DESTDIR="${ED}" install - # flatcar changes - if multilib_is_native_abi && use python; then + if multilib_is_native_abi; then installation_py() { - # flatcar changes emake DESTDIR="${ED}" \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - SHLIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - LIBSEPOLA="${EPREFIX%/}/usr/$(get_libdir)/libsepol.a" \ + PKG_CONFIG="$(tc-getPKG_CONFIG)" \ install-pywrap python_optimize # bug 531638 } python_foreach_impl installation_py fi - - # flatcar changes - dotmpfiles "${FILESDIR}/tmpfiles.d/libsemanage.conf" } multiib_src_install_all() { diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild index 3860e725b3..20b5ed06c1 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild @@ -1,8 +1,8 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -PYTHON_COMPAT=( python3_{6..10} ) +PYTHON_COMPAT=( python3_{9..11} ) inherit python-r1 toolchain-funcs multilib-minimal @@ -18,7 +18,7 @@ if [[ ${PV} == 9999 ]]; then S="${WORKDIR}/${P}/${PN}" else SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86" S="${WORKDIR}/${MY_P}" fi 
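Review bot: The trailing context line `multiib_src_install_all() {` is misspelled (missing an `l`), so multilib-minimal never calls it and whatever it does — its body lies outside the hunk — is silently skipped in the new ebuild; rename it to `multilib_src_install_all() {`. This hunk also drops the Flatcar `DEFAULT_SEMANAGE_CONF_LOCATION="/usr/lib/selinux/semanage.conf"`, `SHLIBDIR`/`LIBSEPOLA` overrides and the `dotmpfiles "${FILESDIR}/tmpfiles.d/libsemanage.conf"` call without a replacement, and the first hunk of this file removed the matching `tmpfiles` inherit. If the image still expects semanage.conf and the tmpfiles entry at those locations, they need to be carried over, or the intentional removal recorded in the commit message.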
@@ -26,7 +26,8 @@ LICENSE="GPL-2" SLOT="0/2" REQUIRED_USE="${PYTHON_REQUIRED_USE}" -RDEPEND=">=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] +RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}] + >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}] >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] ${PYTHON_DEPS}" @@ -84,6 +85,7 @@ multilib_src_compile() { emake \ AR="$(tc-getAR)" \ CC="$(tc-getCC)" \ + PKG_CONFIG="$(tc-getPKG_CONFIG)" \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ "$@" } @@ -101,6 +103,7 @@ multilib_src_install() { installation_py() { emake DESTDIR="${ED}" \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ + PKG_CONFIG="$(tc-getPKG_CONFIG)" \ install-pywrap python_optimize # bug 531638 } diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml index 9a9681c39b..861770703d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/metadata.xml @@ -1,5 +1,5 @@ - + selinux@gentoo.org From 90bd28e13ff4b40820ab330478acf463ab54c972 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 12 Jun 2023 18:29:10 +0200 Subject: [PATCH 07/22] sys-libs/libsemanage: apply flatcar patches * remove python dependencies * added back multilib_src_install function (qa_check does fail otherwise) * setting SHLIBDIR for installation 
Signed-off-by: Mathieu Tortuyaux --- .../sys-libs/libsemanage/Manifest | 1 - .../libsemanage/libsemanage-3.4-r1.ebuild | 130 ------------------ .../libsemanage/libsemanage-3.5.ebuild | 44 +----- .../libsemanage/libsemanage-9999.ebuild | 130 ------------------ 4 files changed, 7 insertions(+), 298 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.4-r1.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest index f9d01749aa..11ffe4e62f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/Manifest @@ -1,2 +1 @@ -DIST libsemanage-3.4.tar.gz 185177 BLAKE2B 45276ae6f54cf3dc453bc0d99fb4d7439970bb14ff5b909ebc5511ec31bce1d2bdc477ba9c1fb4fd04ab494ccb37cd8bf47a90d81460c2974af2196d9019bf67 SHA512 831dc789545bb9a0b009bdb4f7fe52f6197ad8325946640f886a960d08e40b8a69eccd5a70cce51466bb5cb7f742feb78d19a9ec63383fbd03aa451508677e73 DIST libsemanage-3.5.tar.gz 185060 BLAKE2B 3e08b15cb6b335a2747bd5f0bd84f74abdd22a7e8ec91ebb443ca6fe3886d5e8cd2827fefdaa0e9caf2af3280cffbf593ee828fee54dd423a21b257493cc754c SHA512 959fbd0d6bc6849da6caa13dc41c3f8818cbbd29f04b5d2ac7246c4b395b4f370f113a04cc9cfcb52be2afebfa636013ac4ad4011384c58c7ce066a45cae2751 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.4-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.4-r1.ebuild deleted file mode 100644 index cbf9430b1d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.4-r1.ebuild +++ /dev/null 
@@ -1,130 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 -PYTHON_COMPAT=( python3_{9..11} ) - -inherit python-r1 toolchain-funcs multilib-minimal - -MY_PV="${PV//_/-}" -MY_P="${PN}-${MY_PV}" - -DESCRIPTION="SELinux kernel and policy management library" -HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki" - -if [[ ${PV} == 9999 ]]; then - inherit git-r3 - EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git" - S="${WORKDIR}/${P}/${PN}" -else - SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="amd64 arm arm64 ~mips ~riscv x86" - S="${WORKDIR}/${MY_P}" -fi - -LICENSE="GPL-2" -SLOT="0/2" -REQUIRED_USE="${PYTHON_REQUIRED_USE}" - -RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}] - >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] - >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}] - >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] - ${PYTHON_DEPS}" -DEPEND="${RDEPEND}" -BDEPEND=">=dev-lang/swig-2.0.4-r1 - sys-devel/bison - sys-devel/flex - virtual/pkgconfig" - -# tests are not meant to be run outside of the -# full SELinux userland repo -RESTRICT="test" - -src_prepare() { - eapply_user - - echo >> "${S}/src/semanage.conf" - echo "# Set this to true to save the linked policy." >> "${S}/src/semanage.conf" - echo "# This is normally only useful for analysis" >> "${S}/src/semanage.conf" - echo "# or debugging of policy." >> "${S}/src/semanage.conf" - echo "save-linked=false" >> "${S}/src/semanage.conf" - echo >> "${S}/src/semanage.conf" - echo "# Set this to 0 to disable assertion checking." >> "${S}/src/semanage.conf" - echo "# This should speed up building the kernel policy" >> "${S}/src/semanage.conf" - echo "# from policy modules, but may leave you open to" >> "${S}/src/semanage.conf" - echo "# dangerous rules which assertion checking" >> "${S}/src/semanage.conf" - echo "# would catch." 
>> "${S}/src/semanage.conf" - echo "expand-check=1" >> "${S}/src/semanage.conf" - echo >> "${S}/src/semanage.conf" - echo "# Modules in the module store can be compressed" >> "${S}/src/semanage.conf" - echo "# with bzip2. Set this to the bzip2 blocksize" >> "${S}/src/semanage.conf" - echo "# 1-9 when compressing. The higher the number," >> "${S}/src/semanage.conf" - echo "# the more memory is traded off for disk space." >> "${S}/src/semanage.conf" - echo "# Set to 0 to disable bzip2 compression." >> "${S}/src/semanage.conf" - echo "bzip-blocksize=0" >> "${S}/src/semanage.conf" - echo >> "${S}/src/semanage.conf" - echo "# Reduce memory usage for bzip2 compression and" >> "${S}/src/semanage.conf" - echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf" - echo "bzip-small=true" >> "${S}/src/semanage.conf" - - multilib_copy_sources -} - -multilib_src_compile() { - local -x CFLAGS="${CFLAGS} -fno-semantic-interposition" - - emake \ - AR="$(tc-getAR)" \ - CC="$(tc-getCC)" \ - LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - all - - if multilib_is_native_abi; then - building_py() { - emake \ - AR="$(tc-getAR)" \ - CC="$(tc-getCC)" \ - PKG_CONFIG="$(tc-getPKG_CONFIG)" \ - LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - "$@" - } - python_foreach_impl building_py swigify - python_foreach_impl building_py pywrap - fi -} - -multilib_src_install() { - emake \ - LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - DESTDIR="${ED}" install - - if multilib_is_native_abi; then - installation_py() { - emake DESTDIR="${ED}" \ - LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - PKG_CONFIG="$(tc-getPKG_CONFIG)" \ - install-pywrap - python_optimize # bug 531638 - } - python_foreach_impl installation_py - fi -} - -multiib_src_install_all() { - python_setup - python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store -} - -pkg_postinst() { - # Migrate the SELinux semanage configuration store if not done already - local selinuxtype=$(awk -F'=' '/SELINUXTYPE=/ {print $2}' 
"${EROOT}"/etc/selinux/config 2>/dev/null) - if [ -n "${selinuxtype}" ] && [ ! -d "${EROOT}"/var/lib/selinux/${selinuxtype}/active ] ; then - ewarn "Since the 2.4 SELinux userspace, the policy module store is moved" - ewarn "from /etc/selinux to /var/lib/selinux. The migration will be run now." - ewarn "If there are any issues, it can be done manually by running:" - ewarn "/usr/libexec/selinux/semanage_migrate_store" - ewarn "For more information, please see" - ewarn "- https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration" - fi -} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild index cbf9430b1d..98731c2390 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-3.5.ebuild @@ -24,18 +24,15 @@ fi LICENSE="GPL-2" SLOT="0/2" -REQUIRED_USE="${PYTHON_REQUIRED_USE}" RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}] >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}] - >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] - ${PYTHON_DEPS}" + >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}]" + DEPEND="${RDEPEND}" -BDEPEND=">=dev-lang/swig-2.0.4-r1 - sys-devel/bison - sys-devel/flex - virtual/pkgconfig" +BDEPEND="sys-devel/bison + sys-devel/flex" # tests are not meant to be run outside of the # full SELinux userland repo 
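Review bot: This hunk removes `REQUIRED_USE="${PYTHON_REQUIRED_USE}"` and `${PYTHON_DEPS}`, but the file header above the hunk — as it stood after the previous commit — still carries `PYTHON_COMPAT=( python3_{9..11} )` and `inherit python-r1`, which keep exposing the `python_targets_*` USE flags on a package that no longer uses Python. Drop both from the header along with the dependencies so the ebuild matches the "remove python dependencies" intent. The blank line inserted between the RDEPEND closing quote and `DEPEND="${RDEPEND}"` is a cosmetic leftover.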
@@ -79,41 +76,14 @@ multilib_src_compile() { CC="$(tc-getCC)" \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ all - - if multilib_is_native_abi; then - building_py() { - emake \ - AR="$(tc-getAR)" \ - CC="$(tc-getCC)" \ - PKG_CONFIG="$(tc-getPKG_CONFIG)" \ - LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - "$@" - } - python_foreach_impl building_py swigify - python_foreach_impl building_py pywrap - fi } multilib_src_install() { emake \ LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - DESTDIR="${ED}" install - - if multilib_is_native_abi; then - installation_py() { - emake DESTDIR="${ED}" \ - LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - PKG_CONFIG="$(tc-getPKG_CONFIG)" \ - install-pywrap - python_optimize # bug 531638 - } - python_foreach_impl installation_py - fi -} - -multiib_src_install_all() { - python_setup - python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store + SHLIBDIR="/usr/$(get_libdir)" \ + DESTDIR="${ED}" \ + install } pkg_postinst() { diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild deleted file mode 100644 index 20b5ed06c1..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-libs/libsemanage/libsemanage-9999.ebuild +++ /dev/null 
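Review bot: The restored `SHLIBDIR="/usr/$(get_libdir)"` lacks the `${EPREFIX}` prefix that the neighbouring `LIBDIR="${EPREFIX}/usr/$(get_libdir)"` carries; harmless while EPREFIX is empty, but inconsistent, so prefer `SHLIBDIR="${EPREFIX}/usr/$(get_libdir)" \`. The earlier Flatcar install step also passed `DEFAULT_SEMANAGE_CONF_LOCATION="/usr/lib/selinux/semanage.conf"`, and this commit, despite its "apply flatcar patches" subject, only brings back SHLIBDIR; if the library is still expected to read its configuration from /usr/lib/selinux rather than the upstream default under /etc/selinux, that variable has to be re-added to this emake call. Removing the misspelled `multiib_src_install_all` together with the Python install code is fine, since the eclass never invoked it under that name anyway.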
@@ -1,130 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 -PYTHON_COMPAT=( python3_{9..11} ) - -inherit python-r1 toolchain-funcs multilib-minimal - -MY_PV="${PV//_/-}" -MY_P="${PN}-${MY_PV}" - -DESCRIPTION="SELinux kernel and policy management library" -HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki" - -if [[ ${PV} == 9999 ]]; then - inherit git-r3 - EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git" - S="${WORKDIR}/${P}/${PN}" -else - SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86" - S="${WORKDIR}/${MY_P}" -fi - -LICENSE="GPL-2" -SLOT="0/2" -REQUIRED_USE="${PYTHON_REQUIRED_USE}" - -RDEPEND="app-arch/bzip2[${MULTILIB_USEDEP}] - >=sys-libs/libsepol-${PV}:=[${MULTILIB_USEDEP}] - >=sys-libs/libselinux-${PV}:=[${MULTILIB_USEDEP}] - >=sys-process/audit-2.2.2[${MULTILIB_USEDEP}] - ${PYTHON_DEPS}" -DEPEND="${RDEPEND}" -BDEPEND=">=dev-lang/swig-2.0.4-r1 - sys-devel/bison - sys-devel/flex - virtual/pkgconfig" - -# tests are not meant to be run outside of the -# full SELinux userland repo -RESTRICT="test" - -src_prepare() { - eapply_user - - echo >> "${S}/src/semanage.conf" - echo "# Set this to true to save the linked policy." >> "${S}/src/semanage.conf" - echo "# This is normally only useful for analysis" >> "${S}/src/semanage.conf" - echo "# or debugging of policy." >> "${S}/src/semanage.conf" - echo "save-linked=false" >> "${S}/src/semanage.conf" - echo >> "${S}/src/semanage.conf" - echo "# Set this to 0 to disable assertion checking." >> "${S}/src/semanage.conf" - echo "# This should speed up building the kernel policy" >> "${S}/src/semanage.conf" - echo "# from policy modules, but may leave you open to" >> "${S}/src/semanage.conf" - echo "# dangerous rules which assertion checking" >> "${S}/src/semanage.conf" - echo "# would catch." 
>> "${S}/src/semanage.conf" - echo "expand-check=1" >> "${S}/src/semanage.conf" - echo >> "${S}/src/semanage.conf" - echo "# Modules in the module store can be compressed" >> "${S}/src/semanage.conf" - echo "# with bzip2. Set this to the bzip2 blocksize" >> "${S}/src/semanage.conf" - echo "# 1-9 when compressing. The higher the number," >> "${S}/src/semanage.conf" - echo "# the more memory is traded off for disk space." >> "${S}/src/semanage.conf" - echo "# Set to 0 to disable bzip2 compression." >> "${S}/src/semanage.conf" - echo "bzip-blocksize=0" >> "${S}/src/semanage.conf" - echo >> "${S}/src/semanage.conf" - echo "# Reduce memory usage for bzip2 compression and" >> "${S}/src/semanage.conf" - echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf" - echo "bzip-small=true" >> "${S}/src/semanage.conf" - - multilib_copy_sources -} - -multilib_src_compile() { - local -x CFLAGS="${CFLAGS} -fno-semantic-interposition" - - emake \ - AR="$(tc-getAR)" \ - CC="$(tc-getCC)" \ - LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - all - - if multilib_is_native_abi; then - building_py() { - emake \ - AR="$(tc-getAR)" \ - CC="$(tc-getCC)" \ - PKG_CONFIG="$(tc-getPKG_CONFIG)" \ - LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - "$@" - } - python_foreach_impl building_py swigify - python_foreach_impl building_py pywrap - fi -} - -multilib_src_install() { - emake \ - LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - DESTDIR="${ED}" install - - if multilib_is_native_abi; then - installation_py() { - emake DESTDIR="${ED}" \ - LIBDIR="${EPREFIX}/usr/$(get_libdir)" \ - PKG_CONFIG="$(tc-getPKG_CONFIG)" \ - install-pywrap - python_optimize # bug 531638 - } - python_foreach_impl installation_py - fi -} - -multiib_src_install_all() { - python_setup - python_fix_shebang "${ED}"/usr/libexec/selinux/semanage_migrate_store -} - -pkg_postinst() { - # Migrate the SELinux semanage configuration store if not done already - local selinuxtype=$(awk -F'=' '/SELINUXTYPE=/ {print $2}' 
"${EROOT}"/etc/selinux/config 2>/dev/null) - if [ -n "${selinuxtype}" ] && [ ! -d "${EROOT}"/var/lib/selinux/${selinuxtype}/active ] ; then - ewarn "Since the 2.4 SELinux userspace, the policy module store is moved" - ewarn "from /etc/selinux to /var/lib/selinux. The migration will be run now." - ewarn "If there are any issues, it can be done manually by running:" - ewarn "/usr/libexec/selinux/semanage_migrate_store" - ewarn "For more information, please see" - ewarn "- https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration" - fi -} From cd2d678f43cf22138f11ff1cbfab94aacdd024b7 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 14 Jun 2023 10:44:18 +0200 Subject: [PATCH 08/22] sys-apps/checkpolicy: sync with Gentoo Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db Signed-off-by: Mathieu Tortuyaux --- .../sys-apps/checkpolicy/Manifest | 2 - .../checkpolicy/checkpolicy-3.1.ebuild | 65 ------------------- .../sys-apps/checkpolicy/Manifest | 1 + .../checkpolicy/checkpolicy-3.5.ebuild} | 10 ++- .../checkpolicy/checkpolicy-9999.ebuild | 10 ++- .../sys-apps/checkpolicy/metadata.xml | 5 +- 6 files changed, 19 insertions(+), 74 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.1.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/Manifest rename sdk_container/src/third_party/{coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.2.ebuild => portage-stable/sys-apps/checkpolicy/checkpolicy-3.5.ebuild} (83%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/checkpolicy/checkpolicy-9999.ebuild (83%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sys-apps/checkpolicy/metadata.xml (52%) 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest
deleted file mode 100644
index 9e0b7673d5..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest
+++ /dev/null
@@ -1,2 +0,0 @@
-DIST checkpolicy-3.1.tar.gz 69072 BLAKE2B 31cb5ef52533b0a62f954e770278fc5766a961d87fb86260b04abe562bcd90d0025b33931c6ad54096c64ab54150c7562c112eac80eb2f60dbcdda57f4cacfe2 SHA512 2276a5a0919286049d2ceba386ef5f6de523745b588bb81cb4fed5eced5fd0b8070249b7a3ae5a85e2abb9369a86318f727d4073aad14ab75c43750a46069168
-DIST checkpolicy-3.2.tar.gz 69035 BLAKE2B 263c582c8ed3c38822513899f3591edfc5d0132977451503a8b45d2074b5a1c5ce03973353b3ceaad44da913b4e35546cfef1988b68bd517618efdb942f994ec SHA512 133639595c2acc66c02b5a637c5e0c60d80ce2bae04f4a709d9fafabd31f9497d1a6e3334904b985c2a1bd94a7a7e3df782c2af2ae41d1fd79b69156a835edeb
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.1.ebuild
deleted file mode 100644
index 31985d221c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.1.ebuild
+++ /dev/null
@@ -1,65 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="7" - -inherit toolchain-funcs - -MY_P="${P//_/-}" -MY_RELEASEDATE="20200710" - -SEPOL_VER="${PV}" -SEMNG_VER="${PV}" - -DESCRIPTION="SELinux policy compiler" -HOMEPAGE="http://userspace.selinuxproject.org" - -if [[ ${PV} == 9999 ]] ; then - inherit git-r3 - EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git" - S="${WORKDIR}/${MY_P}/${PN}" -else - SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz" - KEYWORDS="amd64 ~arm ~arm64 ~mips x86" - S="${WORKDIR}/${MY_P}" -fi - -LICENSE="GPL-2" -SLOT="0" -IUSE="debug" - -DEPEND=">=sys-libs/libsepol-${SEPOL_VER}" -BDEPEND="sys-devel/flex - sys-devel/bison" - -RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}" - -src_compile() { - # flatcar changes - emake \ - CC="$(tc-getCC)" \ - YACC="bison -y" \ - PREFIX="/usr" \ - LIBDIR="${ROOT:-/}\$(PREFIX)/$(get_libdir)" \ - INCLUDEDIR="${ROOT}\$(PREFIX)/include" -} - -src_install() { - # flatcar changes - # we remove the `default` behavior to override - # the LIBSEPOLA variable in order to fix cross compile - emake DESTDIR="${D}" \ - LIBSEPOLA="${ROOT:-/}/usr/$(get_libdir)/libsepol.a" \ - install - - if use debug; then - dobin "${S}/test/dismod" - dobin "${S}/test/dispol" - fi -} - -pkg_postinst() { - if ! tc-is-cross-compiler; then - einfo "This checkpolicy can compile version `checkpolicy -V | cut -f 1 -d ' '` policy." - fi -} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/Manifest new file mode 100644 index 0000000000..d3279c23fc --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/Manifest 
@@ -0,0 +1 @@ +DIST checkpolicy-3.5.tar.gz 69904 BLAKE2B e02ccad07534568a1bbb612330018bbe486800ea40df20ed6f9dc38c88aff7f8858782a28ba7915a58c3bb384f180eb8da7a8fe97a92bcb9baa61eec18da6cbc SHA512 fcd490d865af3b4350c32c5dd9916f8406219841e1e255d8945c6dcc958535247aa27af5597a6988e19f11faea7beeabcb46e8ba2431112bb4aa5c7697bca529 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.2.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-3.5.ebuild similarity index 83% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.2.ebuild rename to sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-3.5.ebuild index f2cee80753..e3ad0c610f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-3.2.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-3.5.ebuild @@ -1,10 +1,13 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" inherit toolchain-funcs +MY_PV="${PV//_/-}" +MY_P="${PN}-${MY_PV}" + DESCRIPTION="SELinux policy compiler" HOMEPAGE="http://userspace.selinuxproject.org" @@ -13,8 +16,9 @@ if [[ ${PV} == 9999 ]] ; then EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git" S="${WORKDIR}/${P}/${PN}" else - SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz" - KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" + SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz" + KEYWORDS="amd64 arm arm64 ~mips ~riscv x86" + S="${WORKDIR}/${MY_P}" fi LICENSE="GPL-2" 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-9999.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-9999.ebuild similarity index 83% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-9999.ebuild rename to sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-9999.ebuild index f2cee80753..496db82366 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/checkpolicy-9999.ebuild @@ -1,10 +1,13 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" inherit toolchain-funcs +MY_PV="${PV//_/-}" +MY_P="${PN}-${MY_PV}" + DESCRIPTION="SELinux policy compiler" HOMEPAGE="http://userspace.selinuxproject.org" @@ -13,8 +16,9 @@ if [[ ${PV} == 9999 ]] ; then EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git" S="${WORKDIR}/${P}/${PN}" else - SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz" - KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" + SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz" + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~riscv ~x86" + S="${WORKDIR}/${MY_P}" fi LICENSE="GPL-2" diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/metadata.xml similarity index 52% rename from sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/metadata.xml rename to sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/metadata.xml index 9173800ffc..861770703d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/metadata.xml 
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/checkpolicy/metadata.xml @@ -1,8 +1,11 @@ - + selinux@gentoo.org SELinux Team + + SELinuxProject/selinux + From 3de5229a3caf27cc0e02e6cd953795790c5e136c Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Tue, 13 Jun 2023 17:11:16 +0200 Subject: [PATCH 09/22] sec-policy/selinux-base: sync with Gentoo Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db 
Signed-off-by: Mathieu Tortuyaux --- .../sec-policy/selinux-base/Manifest | 4 -- ...s-kernel-all-more-actions-for-kernel.patch | 24 -------- ...-policy-ms-MCS-restricts-relabelfrom.patch | 27 -------- .../selinux-base/files/icmp-bind.patch | 40 ------------ .../selinux-base/files/lxc_contexts | 10 --- .../files/tmpfiles.d/selinux-base.conf | 4 -- .../sec-policy/selinux-base/Manifest | 3 + .../sec-policy/selinux-base/files/config | 2 +- .../selinux-base/files/selinux.conf | 0 .../sec-policy/selinux-base/metadata.xml | 2 +- .../selinux-base-2.20221101-r3.ebuild} | 9 ++- .../selinux-base-2.20221101-r4.ebuild} | 61 ++++--------------- .../selinux-base/selinux-base-9999.ebuild | 9 ++- 13 files changed, 31 insertions(+), 164 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sec-policy/selinux-base/files/config (96%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sec-policy/selinux-base/files/selinux.conf (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sec-policy/selinux-base/metadata.xml (90%) rename 
sdk_container/src/third_party/{coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild => portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild} (95%) rename sdk_container/src/third_party/{coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild => portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild} (71%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sec-policy/selinux-base/selinux-base-9999.ebuild (95%) diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest deleted file mode 100644 index 531f9303e2..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest +++ /dev/null 
@@ -1,4 +0,0 @@
-DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
-DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
-DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
-DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
deleted file mode 100644
index cf6406da73..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
+++ /dev/null
@@ -1,24 +0,0 @@ -From 607ff9b67848aafd1bdefa6eda7ade0fd7161d04 Mon Sep 17 00:00:00 2001 -From: Mathieu Tortuyaux -Date: Fri, 4 Jun 2021 13:17:44 +0200 -Subject: [PATCH] policy/modules/kernel: all more actions for kernel - -Signed-off-by: Mathieu Tortuyaux ---- - policy/modules/kernel/kernel.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te ---- refpolicy/policy/modules/kernel/kernel.te -+++ refpolicy/policy/modules/kernel/kernel.te -@@ -351,6 +351,10 @@ files_list_home(kernel_t) - files_read_usr_files(kernel_t) - - mcs_process_set_categories(kernel_t) -+mcs_killall(kernel_t) -+mcs_file_read_all(kernel_t) -+mcs_file_write_all(kernel_t) -+mcs_ptrace_all(kernel_t) - - mls_process_read_all_levels(kernel_t) - mls_process_write_all_levels(kernel_t) diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch deleted file mode 100644 index 5cce12771a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch +++ /dev/null 
@@ -1,27 +0,0 @@
---- refpolicy/policy/mcs
-+++ refpolicy/policy/mcs
-@@ -1,4 +1,6 @@
- ifdef(`enable_mcs',`
-+
-+default_range dir_file_class_set target low-high;
- #
- # Define sensitivities
- #
-@@ -99,14 +101,14 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
- # New filesystem object labels must be dominated by the relabeling subject
- # clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
- 
- # new file labels must be dominated by the relabeling subject clearance
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-- ( h1 dom h2 );
-+ (( h1 dom h2 ) or (t1 == mcswriteall));
- 
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)));
- 
- mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
deleted file mode 100644
index a2d653caf2..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
---- refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000
-+++ refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000
-@@ -879,6 +879,24 @@
- 
- ########################################
- ##
-+## Bind ICMP sockets to generic nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_icmp_bind_generic_node',`
-+ gen_require(`
-+ type node_t;
-+ ')
-+
-+ allow $1 node_t:icmp_socket node_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to generic nodes.
- ##
- ##
-diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
---- refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000
-+++ refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000
-@@ -373,7 +373,7 @@
- 
- # Bind to any network address.
- allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
--allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
-+allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
- 
- # Infiniband
- corenet_ib_access_all_pkeys(corenet_unconfined_type)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
deleted file mode 100644
index b9ce512118..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
+++ /dev/null
@@ -1,10 +0,0 @@
-# This file is used to configure the per-instance contexts of rkt and other
-# applications that use libvirt for lxc container support.
-#
-# See:
-# https://coreos.com/rkt/docs/latest/selinux.html
-# https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Flxc_contexts_File
-
-process = "system_u:system_r:svirt_lxc_net_t:s0"
-content = "system_u:object_r:virt_var_lib_t:s0"
-file = "system_u:object_r:svirt_lxc_file_t:s0"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
deleted file mode 100644
index a123a51d15..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /etc/selinux/ - - - - -
-L /etc/selinux/config - - - - ../../usr/lib/selinux/config
-L /etc/selinux/mcs - - - - ../../usr/lib/selinux/mcs
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest
new file mode 100644
index 0000000000..1029253692
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest
@@ -0,0 +1,3 @@
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/config
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/config
index 7b66367667..55933ea0e5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/config
@@ -12,4 +12,4 @@ SELINUX=permissive
 # mls - Full SELinux protection with Multi-Level Security
 # mcs - Full SELinux protection with Multi-Category Security
 # (mls, but only one sensitivity level)
-SELINUXTYPE=mcs
+SELINUXTYPE=strict
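Review bot: `SELINUXTYPE` flips from `mcs` to `strict` in the installed default config, and nothing in this commit shows a strict policy store being built for the image — the Flatcar files deleted earlier in the same commit (the lxc_contexts hunk `@@ -1,10 +0,0 @@` and the tmpfiles.d hunk) only ever referenced `/etc/selinux/mcs`. If only the mcs store exists on the system, a config naming `strict` leaves libselinux unable to locate a policy at boot. The later commit on this page (PATCH 10/22) masks `/etc/selinux/config` from the install, which is presumably how this is meant to be neutralised, but that dependency is invisible from here. State it in this commit's description or as a comment above the setting, e.g. `# Gentoo default; Flatcar masks this file from the install and ships its own`.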
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/selinux.conf b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/selinux.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/selinux.conf rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/selinux.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/metadata.xml similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/metadata.xml index e59a87405f..c909a1b00f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/metadata.xml @@ -1,5 +1,5 @@ - + selinux@gentoo.org diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild index 3ea875afca..d38a576e7f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild 
@@ -1,8 +1,12 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="7"
+PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_REQ_USE="xml(+)"
+inherit python-any-r1
+
 if [[ ${PV} == 9999* ]]; then
 EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
 EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -13,7 +17,7 @@ else
 SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
 https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
 fi
 IUSE="doc +unknown-perms systemd +ubac +unconfined"
@@ -26,6 +30,7 @@ SLOT="0"
 RDEPEND=">=sys-apps/policycoreutils-2.8"
 DEPEND="${RDEPEND}"
 BDEPEND="
+ ${PYTHON_DEPS}
 >=sys-apps/checkpolicy-2.8
 sys-devel/m4"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild
similarity index 71%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild
index bc58b54ab5..d38a576e7f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild
@@ -1,13 +1,11 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="7"
-# flatcar changes
-PYTHON_COMPAT=( python3_{8,9,10,11} )
+PYTHON_COMPAT=( python3_{9..11} )
 PYTHON_REQ_USE="xml(+)"
-TMPFILES_OPTIONAL=1
-inherit systemd tmpfiles python-any-r1
+inherit python-any-r1
 if [[ ${PV} == 9999* ]]; then
 EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
@@ -17,9 +15,9 @@ if [[ ${PV} == 9999* ]]; then
 inherit git-r3
 else
 SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
- https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PV}-r2.tar.bz2"
+ https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
- KEYWORDS="amd64 -arm ~arm64 ~mips x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
 fi
 IUSE="doc +unknown-perms systemd +ubac +unconfined"
@@ -29,24 +27,12 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
 LICENSE="GPL-2"
 SLOT="0"
-# flatcar changes
-RDEPEND=">=sys-apps/policycoreutils-2.8
- >=sys-apps/checkpolicy-2.8
-"
+RDEPEND=">=sys-apps/policycoreutils-2.8"
 DEPEND="${RDEPEND}"
-# flatcar: BDEPEND on python - normally pulled in through policycoreutils
-# but we made that dep conditional on USE=python
-BDEPEND="sys-devel/m4
- ${PYTHON_DEPS}
-"
-
-
-# flatcar changes
-PATCHES=(
- "${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
- "${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch
- "${FILESDIR}"/icmp-bind.patch
-)
+BDEPEND="
+ ${PYTHON_DEPS}
+ >=sys-apps/checkpolicy-2.8
+ sys-devel/m4"
 S=${WORKDIR}/
@@ -56,8 +42,6 @@ src_prepare() {
 eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
 fi
- # flatcar changes
- eapply -p0 "${PATCHES[@]}"
 eapply_user
 cd "${S}/refpolicy" || die
@@ -99,10 +83,6 @@ src_configure() {
 sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
- # flatcar changes: it's required to run polkit without segfault
- # we need to pass this argument now before the compilation of the policy
- sed -i "s/allow_execmem = false/allow_execmem = true/" "${S}/${i}/policy/booleans.conf" || die
-
 sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
 "${S}/${i}/build.conf" || die "build.conf setup failed."
@@ -132,9 +112,7 @@ src_compile() {
 for i in ${POLICY_TYPES}; do
 cd "${S}/${i}" || die
- # flatcar changes
- emake base BINDIR="${ROOT}/usr/bin" NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux \
- LD_LIBRARY_PATH="${ROOT}/usr/lib64:${LD_LIBRARY_PATH}" -C "${S}"/${i}
+ emake base
 if use doc; then
 emake html
 fi
@@ -167,29 +145,14 @@ src_install() {
 done
- # flatcar changes
- dotmpfiles "${FILESDIR}/tmpfiles.d/selinux-base.conf"
- systemd-tmpfiles --root="${D}" --create selinux-base.conf
-
 docinto /
 dodoc doc/Makefile.example doc/example.{te,fc,if}
 doman man/man8/*.8;
- # flatcar changes
- insinto /usr/lib/selinux
+ insinto /etc/selinux
 doins "${FILESDIR}/config"
- insinto /etc/selinux/mcs/contexts
- doins "${FILESDIR}/lxc_contexts"
-
- # flatcar changes
- mkdir -p "${D}/usr/lib/selinux"
- for i in ${POLICY_TYPES}; do
- mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
- dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
- done
-
 insinto /usr/share/portage/config/sets
 doins "${FILESDIR}/selinux.conf"
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-9999.ebuild
similarity index 95%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-9999.ebuild
index 3be921e88d..1185969155 100644
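Review bot: The `@@ -99,10 +83,6 @@` hunk drops the Flatcar `sed` that turned `allow_execmem = false` into `allow_execmem = true` in `booleans.conf` before the policy is compiled, and the `@@ -167,29 +145,14 @@` hunk drops the relocation of the policy stores to `/usr/lib/selinux` with their `/etc/selinux/${i}` symlinks, the `lxc_contexts` install and the tmpfiles entries; of all this, the user-patches commit later on this page (PATCH 10/22) re-adds only the three policy patches and a mask for `/etc/selinux/config`. The removed comment says the execmem boolean was required to run polkit without a segfault, so if that requirement still holds it now has to be satisfied elsewhere — the rest of the series is not visible here, so this may already be handled. Wherever that boolean is re-introduced, keep the why-comment the removed lines carried, since it relaxes a memory-execution restriction for the whole policy build rather than for one domain. The enclosing `src_configure`, `src_compile` and `src_install` functions start outside these hunks.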
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-9999.ebuild
@@ -1,8 +1,12 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="7"
+PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_REQ_USE="xml(+)"
+inherit python-any-r1
+
 if [[ ${PV} == 9999* ]]; then
 EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
 EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
@@ -13,7 +17,7 @@ else
 SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
 https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
 fi
 IUSE="doc +unknown-perms systemd +ubac +unconfined"
@@ -26,6 +30,7 @@ SLOT="0"
 RDEPEND=">=sys-apps/policycoreutils-2.8"
 DEPEND="${RDEPEND}"
 BDEPEND="
+ ${PYTHON_DEPS}
 >=sys-apps/checkpolicy-2.8
 sys-devel/m4"
From ac520d65887541362e8c47710fa0630f7d73f63a Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Tue, 13 Jun 2023 17:13:46 +0200
Subject: [PATCH 10/22] coreos/user-patches: add selinux-base
* add selinux patches (icmp-bind, relabel and kernel permissions)
* ship our own config file
Signed-off-by: Mathieu Tortuyaux
---
.../coreos/config/env/sec-policy/selinux-base | 2 +
...s-kernel-all-more-actions-for-kernel.patch | 16 +++++++
.../selinux-base/files-relabel.patch | 44 +++++++++++++++++++
.../sec-policy/selinux-base/icmp-bind.patch | 40 +++++++++++++++++
4 files changed, 102 insertions(+)
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base
new file mode 100644
index 0000000000..b94efbdd1d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base
@@ -0,0 +1,2 @@
+PKG_INSTALL_MASK+=" /etc/selinux/config"
+INSTALL_MASK+=" /etc/selinux/config"
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
new file mode 100644
index 0000000000..883720831e
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
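Review bot: Both `PKG_INSTALL_MASK` and `INSTALL_MASK` now drop `/etc/selinux/config`, but the commit message's second bullet, "ship our own config file", has no counterpart in this commit's diffstat (one env file plus three policy patches), so the replacement config presumably arrives in another commit of the series or from another package. Without it the image would carry no `/etc/selinux/config` at all, which is the file that selects the policy store, so the gap matters beyond tidiness. A one-line comment in the env file naming the source, e.g. `# /etc/selinux/config is provided by <package or commit that ships it>; drop the Gentoo copy`, would tell the next maintainer why an SELinux configuration file is deliberately masked out of this package.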
@@ -0,0 +1,16 @@
+diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
+index 56dbd5af5..b5cf0e3c0 100644
+--- a/refpolicy/policy/modules/kernel/kernel.te
++++ b/refpolicy/policy/modules/kernel/kernel.te
+@@ -363,6 +363,11 @@ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
+ 
+ mcs_process_set_categories(kernel_t)
++mcs_killall(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_ptrace_all(kernel_t)
++allow kernel_t self:user_namespace create;
+ 
+ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch
new file mode 100644
index 0000000000..dd1090a7ab
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch
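Review bot: Compared with the copy deleted earlier on this page (the `@@ -1,24 +0,0 @@` hunk), the new patch additionally grants `allow kernel_t self:user_namespace create;`, and the file carries no rationale at all — the old copy at least had a Subject line. By their names, `mcs_killall`, `mcs_file_read_all`, `mcs_file_write_all` and `mcs_ptrace_all` exempt the kernel domain from the MCS kill/read/write/ptrace constraints, which is precisely the kind of widening a later reader will want a reason for. Text above the first `diff --git` line is ignored by `patch`, so a short preamble such as `Flatcar: kernel_t needs the MCS overrides and user_namespace create because <reason — to be filled in>` costs nothing. The inner `diff --git` header names `refpolicy/…` while the `---`/`+++` lines name `a/refpolicy/…` and `b/refpolicy/…`; GNU patch follows the latter so it applies, but aligning the header avoids surprises with `git apply`.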
@@ -0,0 +1,44 @@
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 495cbe2f4..a5605f866 100644
+--- a/refpolicy/policy/modules/kernel/files.if
++++ b/refpolicy/policy/modules/kernel/files.if
+@@ -7892,3 +7892,39 @@ interface(`files_unconfined',`
+ 
+ typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++##
++## Relabel all files on the filesystem, except
++## policy_config_t and exceptions.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The types to be excluded. Each type or attribute
++## must be negated by the caller.
++##
++##
++#
++interface(`files_relabel_all_non_policy_files',`
++ gen_require(`
++ attribute file_type;
++ type policy_config_t;
++ ')
++
++ allow $1 { file_type -policy_config_t $2 }:dir list_dir_perms;
++ relabel_dirs_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_lnk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_fifo_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabel_sock_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ # this is only relabelfrom since there should be no
++ # device nodes with file types.
++ relabelfrom_blk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++ relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++')
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch
new file mode 100644
index 0000000000..1b4bb31467
--- /dev/null
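Review bot: The inner `diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if` header disagrees with the `---`/`+++` lines, which name `a/refpolicy/policy/modules/kernel/files.if`; `eapply` (and so `eapply_user`) hands the file to GNU `patch -p1`, which follows the `---`/`+++` names and applies cleanly, but `git apply` would look for `policy/modules/kernel/files.if` and fail, so change the header to `diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if`. Nothing on this page calls the new `files_relabel_all_non_policy_files` interface, and by construction it lets `$1` relabel every `file_type` except `policy_config_t` and the caller-supplied exclusions — close to a relabel-everything grant — so the intended consumer should be named either in the commit message or in a preamble above the `diff` line, which `patch` ignores.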
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/icmp-bind.patch
@@ -0,0 +1,40 @@
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
+--- a/refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000
++++ b/refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000
+@@ -879,6 +879,24 @@
+ 
+ ########################################
+ ##
++## Bind ICMP sockets to generic nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_icmp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ allow $1 node_t:icmp_socket node_bind;
++')
++
++########################################
++##
+ ## Bind TCP sockets to generic nodes.
+ ##
+ ##
+diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
+--- a/refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000
++++ b/refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000
+@@ -373,7 +373,7 @@
+ 
+ # Bind to any network address.
+ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
++allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+ 
+ # Infiniband
+ corenet_ib_access_all_pkeys(corenet_unconfined_type)
From 6b7c24719be2168cec80e1a0668256b7285f3e30 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Tue, 13 Jun 2023 17:25:34 +0200
Subject: [PATCH 11/22] sec-policy/selinux-base-policy: sync with Gentoo
Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db
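Review bot: The two `+++ b/refpolicy2/policy/modules/kernel/corenetwork.*.in` lines name a `refpolicy2/` tree that does not exist under `${S}`, while the matching `---` lines name `refpolicy/`; GNU patch resolves this to the existing `refpolicy/` path, which is presumably why the same header survived from the deleted copy (the `@@ -1,40 +0,0 @@` hunk earlier on this page), but it reads as if the patch targets a different tree and may fail under appliers that take the `+++` name literally. Rewrite them as `+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in` and `+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in` (the timestamps can stay). The `a/`/`b/` prefixes were added relative to the deleted copy because `eapply_user` strips one path component, whereas the old copy was applied with `eapply -p0` in the `src_prepare` lines removed earlier on this page; a one-line preamble stating that would keep the next Gentoo sync from dropping them.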
Signed-off-by: Mathieu Tortuyaux --- .../sec-policy/selinux-base-policy/Manifest | 4 -- .../selinux-base-policy/files/init.patch | 11 ----- .../files/locallogin.patch | 13 ------ .../selinux-base-policy/files/logging.patch | 18 -------- .../selinux-base-policy/files/ping.patch | 19 --------- .../selinux-base-policy/files/sshd.patch | 22 ---------- .../selinux-base-policy/files/unlabeled.patch | 11 ----- .../sec-policy/selinux-base-policy/Manifest | 3 ++ .../selinux-base-policy/metadata.xml | 2 +- .../selinux-base-policy-2.20221101-r3.ebuild} | 22 +++++++--- .../selinux-base-policy-2.20221101-r4.ebuild} | 42 +++++++++---------- .../selinux-base-policy-9999.ebuild | 22 +++++++--- 12 files changed, 57 insertions(+), 132 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/Manifest rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sec-policy/selinux-base-policy/metadata.xml (86%) rename sdk_container/src/third_party/{coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild => portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r3.ebuild} (84%) rename 
sdk_container/src/third_party/{coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r3.ebuild => portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r4.ebuild} (75%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild (84%) diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest deleted file mode 100644 index 531f9303e2..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest +++ /dev/null 
@@ -1,4 +0,0 @@
-DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
-DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
-DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
-DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch
deleted file mode 100644
index e96500288e..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/init.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dbd39cf8f..563559ca7 100644
---- refpolicy/policy/modules/system/init.te
-+++ refpolicy/policy/modules/system/init.te
-@@ -1503,3 +1503,6 @@ optional_policy(`
- userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
- userdom_dontaudit_write_user_tmp_files(systemprocess)
- ')
-+
-+require { type unconfined_t; }
-+allow init_t unconfined_t:file exec_file_perms;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch
deleted file mode 100644
index 2e9ae7ce53..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/locallogin.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 109980e79..d5c4a5d95 100644
---- refpolicy/policy/modules/system/locallogin.te
-+++ refpolicy/policy/modules/system/locallogin.te
-@@ -34,7 +34,7 @@ role system_r types sulogin_t;
- 
- allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
- dontaudit local_login_t self:capability net_admin;
--allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
-+allow local_login_t self:process { setpgid getcap setcap setexec setrlimit setsched };
- allow local_login_t self:fd use;
- allow local_login_t self:fifo_file rw_fifo_file_perms;
- allow local_login_t self:sock_file read_sock_file_perms;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch
deleted file mode 100644
index caa778d8ef..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/logging.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 7d713540d..d6cbc654d 100644
---- refpolicy/policy/modules/system/logging.te
-+++ refpolicy/policy/modules/system/logging.te
-@@ -516,11 +516,13 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
- userdom_dontaudit_search_user_home_dirs(syslogd_t)
- 
- ifdef(`init_systemd',`
-+ require { type kernel_t; }
- # for systemd-journal
- allow syslogd_t self:netlink_audit_socket connected_socket_perms;
- allow syslogd_t self:capability2 audit_read;
- allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
- allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
-+ allow syslogd_t kernel_t:netlink_audit_socket getattr;
- 
- # remove /run/log/journal when switching to permanent storage
- allow syslogd_t var_log_t:dir rmdir;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch
deleted file mode 100644
index e6a31f6630..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/ping.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -u -r refpolicy/policy/modules/admin/netutils.te refpolicy/policy/modules/admin/netutils.te
---- refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:28:26.850809330 -0000
-+++ refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:29:50.323880882 -0000
-@@ -117,6 +117,7 @@
- corenet_raw_sendrecv_generic_node(ping_t)
- corenet_tcp_sendrecv_generic_node(ping_t)
- corenet_raw_bind_generic_node(ping_t)
-+corenet_icmp_bind_generic_node(ping_t)
- 
- dev_read_urand(ping_t)
- 
-@@ -189,6 +190,7 @@
- corenet_tcp_connect_all_ports(traceroute_t)
- corenet_sendrecv_all_client_packets(traceroute_t)
- corenet_sendrecv_traceroute_server_packets(traceroute_t)
-+corenet_icmp_bind_generic_node(traceroute_t)
- 
- dev_read_rand(traceroute_t)
- dev_read_urand(traceroute_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch
deleted file mode 100644
index 420139c3be..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 60060c35c..8d9f5b7a6 100644
---- refpolicy/policy/modules/services/ssh.fc
-+++ refpolicy/policy/modules/services/ssh.fc
-@@ -6,7 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
- /usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
- /usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
- /usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
--/usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
-+/usr/bin/sshd -- gen_context(system_u:object_r:unconfined_t,s0)
- 
- /usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
- /usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
-@@ -17,7 +17,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
- 
- /usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
- 
--/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
-+/usr/sbin/sshd -- gen_context(system_u:object_r:unconfined_t,s0)
- 
- /run/sshd(/.*)? gen_context(system_u:object_r:sshd_runtime_t,s0)
- /run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_runtime_t,s0)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch
deleted file mode 100644
index 972b954b2b..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch
+++ /dev/null
@@ -1,11 +0,0 @@ -index 7c60eda2c..736187b7a 100644 ---- refpolicy/policy/modules/kernel/kernel.te -+++ refpolicy/policy/modules/kernel/kernel.te -@@ -191,6 +191,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0) - type unlabeled_t; - kernel_rootfs_mountpoint(unlabeled_t) - fs_associate(unlabeled_t) -+fs_associate_tmpfs(unlabeled_t) - sid file gen_context(system_u:object_r:unlabeled_t,s0) - sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) - neverallow * unlabeled_t:file entrypoint; diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/Manifest new file mode 100644 index 0000000000..1029253692 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/Manifest @@ -0,0 +1,3 @@ +DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f +DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6 +DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6 
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/metadata.xml similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/metadata.xml rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/metadata.xml index 46dc07f542..5828cfe255 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/metadata.xml @@ -1,5 +1,5 @@ - + selinux@gentoo.org diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r3.ebuild similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r3.ebuild index aeab4a29b0..53278241d0 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20210203-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r3.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" 
@@ -12,7 +12,7 @@ if [[ ${PV} == 9999* ]]; then
 else
 SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
 https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
 fi
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
@@ -28,6 +28,7 @@ BDEPEND="
 sys-devel/m4"
 MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+DEL_MODS="hotplug"
 LICENSE="GPL-2"
 SLOT="0"
 S="${WORKDIR}/"
@@ -56,8 +57,12 @@ src_prepare() {
 # Collect only those files needed for this particular module
 for i in ${MODS}; do
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ done
+
+ for i in ${DEL_MODS}; do
+ [[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
 done
 for i in ${POLICY_TYPES}; do
@@ -72,7 +77,7 @@ src_prepare() {
 src_compile() {
 for i in ${POLICY_TYPES}; do
- emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
+ emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
 done
 }
@@ -111,6 +116,13 @@ pkg_postinst() {
 cd "${ROOT}/usr/share/selinux/${i}"
 semodule ${root_opts} -s ${i} ${COMMAND}
+
+ for mod in ${DEL_MODS}; do
+ if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
+ einfo "Removing obsolete ${i} ${mod} policy package"
+ semodule ${root_opts} -s ${i} -r ${mod}
+ fi
+ done
 done
 # Don't relabel when cross compiling
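Review bot: The duplicate check added in the `@@ -56,8 +57,12 @@` hunk, `[[ "${MODS}" != *${i}* ]]`, matches `${i}` as an unanchored glob against the whole MODS string, so any DEL_MODS entry that is merely a substring of a module kept in MODS (hypothetically `su` in DEL_MODS against a `sudo` in MODS) would make src_prepare die on a non-duplicate. Anchoring on word boundaries with padding spaces keeps the one-liner: `[[ " ${MODS} " != *" ${i} "* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"`. src_prepare begins and ends outside the hunk; the identical check is added in the -r4 ebuild (`@@ -67,13 +53,16 @@`) and the 9999 ebuild (`@@ -56,8 +57,12 @@` in the next file), so the fix applies to all three.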
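Review bot: In the `@@ -111,6 +116,13 @@` hunk the removal `semodule ${root_opts} -s ${i} -r ${mod}` ignores its exit status, so if the store refuses the removal (for instance because an installed module still requires `hotplug`) the obsolete module stays loaded after `einfo` has already announced its removal; as this is pkg_postinst, `semodule ${root_opts} -s ${i} -r ${mod} || ewarn "Failed to remove ${mod} from the ${i} policy store"` is the proportionate reaction. The presence test `grep -q "\b${mod}\b"` interpolates the module name into a regex and relies on GNU grep's `\b`; `grep -qwF -- "${mod}"` expresses the same whole-word match without regex interpretation. pkg_postinst begins outside the hunk, and the same block is added to the -r4 ebuild (`@@ -127,6 +116,13 @@`) and the 9999 ebuild (its `@@ -111,6 +116,13 @@`).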
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r3.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r4.ebuild similarity index 75% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r3.ebuild rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r4.ebuild index 7f1a7a6d49..599c890996 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20200818-r3.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-2.20221101-r4.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" @@ -11,8 +11,8 @@ if [[ ${PV} == 9999* ]]; then inherit git-r3 else SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2 - https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PV}-r2.tar.bz2" - KEYWORDS="amd64 -arm ~arm64 ~mips x86" + https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2" + KEYWORDS="amd64 arm arm64 ~mips x86" fi HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux" 
@@ -27,26 +27,12 @@ BDEPEND=" sys-apps/checkpolicy sys-devel/m4" -MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg" +MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg" +DEL_MODS="hotplug" LICENSE="GPL-2" SLOT="0" S="${WORKDIR}/" -# flatcar changes: apply a couple of -# patches on the current policies -PATCHES=( - "${FILESDIR}/sshd.patch" - "${FILESDIR}/init.patch" - "${FILESDIR}/locallogin.patch" - "${FILESDIR}/logging.patch" - # this patch is required to prevent `torcx-generator` - # to fail if SELinux is enforced in early boot. - # It can be removed once we drop torcx support. - "${FILESDIR}/unlabeled.patch" - # This is to allow pings from some IP address. - "${FILESDIR}/ping.patch" -) - # Code entirely copied from selinux-eclass (cannot inherit due to dependency on # itself), when reworked reinclude it. Only postinstall (where -b base.pp is # added) needs to remain then. 
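Review bot: The new `MODS`/`DEL_MODS` lines replace the deleted PATCHES array without recording what became of the patches it listed: PATCH 12 in this series re-adds init, locallogin, logging and ping as user-patches, but `sshd.patch` (which relabelled `/usr/bin/sshd` and `/usr/sbin/sshd` from `sshd_exec_t` to `unconfined_t`) and `unlabeled.patch` (the torcx early-boot workaround named in the removed comment) are deleted outright earlier in the series. If that is intentional it is a policy-relevant change — on a labelled system sshd would presumably leave the unconfined domain and run under the refpolicy sshd labelling — and deserves a sentence in the commit message or an ebuild comment next to `DEL_MODS`, e.g. `# Flatcar: sshd.patch and unlabeled.patch intentionally dropped; remaining local patches live in coreos/user-patches`. The removed comment also explained why each Flatcar patch existed; that rationale should move with the patches rather than disappear.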
@@ -67,13 +53,16 @@ src_prepare() {
 eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
 fi
- eapply -p0 "${PATCHES[@]}"
 eapply_user
 # Collect only those files needed for this particular module
 for i in ${MODS}; do
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ done
+
+ for i in ${DEL_MODS}; do
+ [[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
 done
 for i in ${POLICY_TYPES}; do
@@ -88,7 +77,7 @@ src_prepare() {
 src_compile() {
 for i in ${POLICY_TYPES}; do
- emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
+ emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
 done
 }
@@ -127,6 +116,13 @@ pkg_postinst() {
 cd "${ROOT}/usr/share/selinux/${i}"
 semodule ${root_opts} -s ${i} ${COMMAND}
+
+ for mod in ${DEL_MODS}; do
+ if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
+ einfo "Removing obsolete ${i} ${mod} policy package"
+ semodule ${root_opts} -s ${i} -r ${mod}
+ fi
+ done
 done
 # Don't relabel when cross compiling
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
similarity index 84%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
index aeab4a29b0..9ca7ee646d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI="7"
@@ -12,7 +12,7 @@ if [[ ${PV} == 9999* ]]; then
 else
 SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
 https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
- KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
 fi
 HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
@@ -28,6 +28,7 @@ BDEPEND="
 sys-devel/m4"
 MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+DEL_MODS="hotplug"
 LICENSE="GPL-2"
 SLOT="0"
 S="${WORKDIR}/"
@@ -56,8 +57,12 @@ src_prepare() {
 # Collect only those files needed for this particular module
 for i in ${MODS}; do
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
- modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ done
+
+ for i in ${DEL_MODS}; do
+ [[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
 done
 for i in ${POLICY_TYPES}; do
@@ -72,7 +77,7 @@ src_prepare() {
 src_compile() {
 for i in ${POLICY_TYPES}; do
- emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
+ emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
 done
 }
@@ -111,6 +116,13 @@ pkg_postinst() {
 cd "${ROOT}/usr/share/selinux/${i}"
 semodule ${root_opts} -s ${i} ${COMMAND}
+
+ for mod in ${DEL_MODS}; do
+ if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
+ einfo "Removing obsolete ${i} ${mod} policy package"
+ semodule ${root_opts} -s ${i} -r ${mod}
+ fi
+ done
 done
 # Don't relabel when cross compiling
From 2af995d2dc3646687b6f76c4826f2df04c2bf4f5 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Mon, 3 Jul 2023 17:54:41 +0200
Subject: [PATCH 12/22] coreos/user-patches: add selinux-base-policy
Signed-off-by: Mathieu Tortuyaux
---
 .../sec-policy/selinux-base-policy/init.patch | 11 +++++++++++
 .../selinux-base-policy/locallogin.patch | 13 +++++++++++++
 .../selinux-base-policy/logging.patch | 18 ++++++++++++++++++
 .../sec-policy/selinux-base-policy/ping.patch | 19 +++++++++++++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/init.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/locallogin.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/logging.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/ping.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/init.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/init.patch
new file mode 100644
index 0000000000..35b00b1b64
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/init.patch
@@ -0,0 +1,11 @@ +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index dbd39cf8f..563559ca7 100644 +--- a/refpolicy/policy/modules/system/init.te ++++ b/refpolicy/policy/modules/system/init.te +@@ -1503,3 +1503,6 @@ optional_policy(` + userdom_dontaudit_rw_all_users_stream_sockets(systemprocess) + userdom_dontaudit_write_user_tmp_files(systemprocess) + ') ++ ++require { type unconfined_t; } ++allow init_t unconfined_t:file exec_file_perms; diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/locallogin.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/locallogin.patch new file mode 100644 index 0000000000..6b688e26fd --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/locallogin.patch @@ -0,0 +1,13 @@ +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 109980e79..d5c4a5d95 100644 +--- a/refpolicy/policy/modules/system/locallogin.te ++++ b/refpolicy/policy/modules/system/locallogin.te +@@ -34,7 +34,7 @@ role system_r types sulogin_t; + + allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; + dontaudit local_login_t self:capability net_admin; +-allow local_login_t self:process { getcap setcap setexec setrlimit setsched }; ++allow local_login_t self:process { setpgid getcap setcap setexec setrlimit setsched }; + allow local_login_t self:fd use; + allow local_login_t self:fifo_file rw_fifo_file_perms; + allow local_login_t self:sock_file read_sock_file_perms; 
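Review bot: The rule `allow init_t unconfined_t:file exec_file_perms;` added at the end of init.te carries no comment saying which files are expected to carry the `unconfined_t` file label; within this series the only source of that label was sshd.patch, which is deleted, so it is unclear whether the rule is still needed or a leftover. A one-line comment above the new `require` block, such as `# Flatcar: init must exec <which binaries> labelled unconfined_t; drop once <condition>`, would let the next rebase decide. Refpolicy style would normally grant this through an interface of the unconfined module rather than a raw `require`/`allow` in init.te, if a fitting one exists. The `diff --git a/policy/modules/system/init.te` header path does not match the `---`/`+++` paths (`a/refpolicy/policy/...`) that the patch tool presumably uses with -p1; the same mismatch is in locallogin.patch, logging.patch and container.patch, and is harmless but confusing when reading the patches.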
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/logging.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/logging.patch new file mode 100644 index 0000000000..7e760b6dba --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/logging.patch @@ -0,0 +1,18 @@ +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index abd61e6bd..fb5d69366 100644 +--- a/refpolicy/policy/modules/system/logging.te ++++ b/refpolicy/policy/modules/system/logging.te +@@ -525,11 +525,13 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t) + + ifdef(`init_systemd',` + # for systemd-journal ++ require { type kernel_t; } + allow syslogd_t self:capability audit_control; + allow syslogd_t self:netlink_audit_socket connected_socket_perms; + allow syslogd_t self:capability2 audit_read; + allow syslogd_t self:capability { chown setgid setuid sys_ptrace }; + allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write }; ++ allow syslogd_t kernel_t:netlink_audit_socket getattr; + + # remove /run/log/journal when switching to permanent storage + allow syslogd_t var_log_t:dir rmdir; diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/ping.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/ping.patch new file mode 100644 index 0000000000..ee99de5b77 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base-policy/ping.patch 
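Review bot: `require { type kernel_t; }` is inserted inside the init_systemd ifdef block of logging.te together with `allow syslogd_t kernel_t:netlink_audit_socket getattr;`, with no comment stating why journald needs getattr on the kernel's audit socket; `# Flatcar: systemd-journald stats the kernel audit netlink socket (denial observed during <context>)` would record the intent for future rebases. Refpolicy convention is to reach kernel_t objects through a kernel.if interface rather than a raw require/allow in a service module, if one covers this permission. The surrounding `allow syslogd_t self:...` lines are unchanged context.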
@@ -0,0 +1,19 @@ +diff -u -r refpolicy/policy/modules/admin/netutils.te refpolicy/policy/modules/admin/netutils.te +--- a/refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:28:26.850809330 -0000 ++++ b/refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:29:50.323880882 -0000 +@@ -117,6 +117,7 @@ + corenet_raw_sendrecv_generic_node(ping_t) + corenet_tcp_sendrecv_generic_node(ping_t) + corenet_raw_bind_generic_node(ping_t) ++corenet_icmp_bind_generic_node(ping_t) + + dev_read_urand(ping_t) + +@@ -189,6 +190,7 @@ + corenet_tcp_connect_all_ports(traceroute_t) + corenet_sendrecv_all_client_packets(traceroute_t) + corenet_sendrecv_traceroute_server_packets(traceroute_t) ++corenet_icmp_bind_generic_node(traceroute_t) + + dev_read_rand(traceroute_t) + dev_read_urand(traceroute_t) From 1e2b1c999db5b5ddde9b4fa349d3e80c624326ee Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 14 Jun 2023 09:47:10 +0200 Subject: [PATCH 13/22] sec-policy/selinux-virt: drop ebuild it's now replaced by selinux-container 
Signed-off-by: Mathieu Tortuyaux --- .../coreos-base/coreos/coreos-0.0.1.ebuild | 1 - .../sec-policy/selinux-virt/Manifest | 4 -- .../sec-policy/selinux-virt/files/virt.patch | 45 ------------------- .../sec-policy/selinux-virt/metadata.xml | 8 ---- .../selinux-virt-2.20200818-r2.ebuild | 18 -------- .../selinux-virt-2.20210203-r1.ebuild | 15 ------- .../selinux-virt/selinux-virt-9999.ebuild | 15 ------- 7 files changed, 106 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/metadata.xml delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20210203-r1.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-9999.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild index b391039ffa..2c2a778bca 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild @@ -144,7 +144,6 @@ RDEPEND="${RDEPEND} net-misc/wget net-misc/whois net-vpn/wireguard-tools - sec-policy/selinux-virt sec-policy/selinux-base sec-policy/selinux-base-policy sec-policy/selinux-unconfined diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/Manifest b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/Manifest deleted file mode 100644 index 531f9303e2..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/Manifest +++ /dev/null @@ -1,4 +0,0 @@ -DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3 -DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff -DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7 -DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch deleted file mode 100644 index 74b5062ef8..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/files/virt.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -index 4943ad79d..8b0ed779e 100644 ---- services/virt.te -+++ services/virt.te -@@ -1377,3 +1377,41 @@ sysnet_dns_name_resolve(virtlogd_t) - - virt_manage_log(virtlogd_t) - virt_read_config(virtlogd_t) -+ -+require { -+ type kernel_t; -+ type tmpfs_t; -+ type var_lib_t; -+} -+allow kernel_t svirt_lxc_net_t:process transition; -+allow initrc_t svirt_lxc_net_t:process transition; -+allow kernel_t svirt_lxc_net_t:process2 nnp_transition; -+fs_manage_tmpfs_chr_files(svirt_lxc_net_t) -+fs_manage_tmpfs_dirs(svirt_lxc_net_t) -+fs_manage_tmpfs_files(svirt_lxc_net_t) -+fs_manage_tmpfs_sockets(svirt_lxc_net_t) -+fs_manage_tmpfs_symlinks(svirt_lxc_net_t) -+fs_remount_tmpfs(svirt_lxc_net_t) -+kernel_read_messages(svirt_lxc_net_t) -+kernel_sigchld(svirt_lxc_net_t) -+kernel_use_fds(svirt_lxc_net_t) -+allow svirt_lxc_net_t self:process getcap; -+files_read_var_lib_files(svirt_lxc_net_t) -+files_read_var_lib_symlinks(svirt_lxc_net_t) -+term_use_generic_ptys(svirt_lxc_net_t) -+term_setattr_generic_ptys(svirt_lxc_net_t) -+allow svirt_lxc_net_t tmpfs_t:chr_file { read write open }; -+allow svirt_lxc_net_t svirt_lxc_file_t:chr_file { manage_file_perms }; -+allow svirt_lxc_net_t self:capability sys_chroot; -+allow svirt_lxc_net_t self:process getpgid; -+allow svirt_lxc_net_t svirt_lxc_file_t:file { entrypoint mounton }; -+allow svirt_lxc_net_t var_lib_t:file { entrypoint execute execute_no_trans }; -+allow svirt_lxc_net_t kernel_t:fifo_file { getattr ioctl read write open append }; -+allow svirt_lxc_net_t initrc_t:fifo_file { getattr ioctl read write open append }; -+filetrans_pattern(kernel_t, etc_t, svirt_lxc_file_t, dir, "cni"); -+ -+# this is required by flanneld -+allow svirt_lxc_net_t kernel_t:system { module_request }; -+ -+# required by flanneld to write into /run/flannel/subnet.env -+filetrans_pattern(kernel_t, var_run_t, svirt_lxc_file_t, dir, "flannel"); 
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/metadata.xml deleted file mode 100644 index 9173800ffc..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/metadata.xml +++ /dev/null @@ -1,8 +0,0 @@ - - - - - selinux@gentoo.org - SELinux Team - - diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild deleted file mode 100644 index 64e118aaf9..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20200818-r2.ebuild +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="7" - -IUSE="" -MODS="virt" - -inherit selinux-policy-2 - -DESCRIPTION="SELinux policy for virt" - -# flatcar changes -POLICY_PATCH="${FILESDIR}/virt.patch" - -if [[ ${PV} != 9999* ]] ; then - KEYWORDS="amd64 -arm ~arm64 ~mips x86" -fi diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20210203-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20210203-r1.ebuild deleted file mode 100644 index cfdb675f36..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-2.20210203-r1.ebuild +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="7" - -IUSE="" -MODS="virt" - -inherit selinux-policy-2 - -DESCRIPTION="SELinux policy for virt" - -if [[ ${PV} != 9999* ]] ; then - KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86" -fi 
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-9999.ebuild deleted file mode 100644 index 212b7c40b8..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-virt/selinux-virt-9999.ebuild +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="7" - -IUSE="" -MODS="virt" - -inherit selinux-policy-2 - -DESCRIPTION="SELinux policy for virt" - -if [[ ${PV} != 9999* ]] ; then - KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86" -fi From 1306dfefec7814e69a63e59981f42962d0398689 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 14 Jun 2023 09:49:50 +0200 Subject: [PATCH 14/22] sec-policy/selinux-container: add new package it comes in replacement of selinux-virt Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db 
Signed-off-by: Mathieu Tortuyaux --- ...0.0.1-r308.ebuild => coreos-0.0.1-r309.ebuild} | 0 .../coreos-base/coreos/coreos-0.0.1.ebuild | 1 + .../sec-policy/selinux-container/Manifest | 3 +++ .../sec-policy/selinux-container/metadata.xml | 8 ++++++++ .../selinux-container-2.20221101-r3.ebuild | 15 +++++++++++++++ .../selinux-container-2.20221101-r4.ebuild | 15 +++++++++++++++ .../selinux-container-9999.ebuild | 15 +++++++++++++++ 7 files changed, 57 insertions(+) rename sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/{coreos-0.0.1-r308.ebuild => coreos-0.0.1-r309.ebuild} (100%) create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r3.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r4.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-9999.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r308.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r309.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r308.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1-r309.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild index 2c2a778bca..758a55ae8d 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild @@ -146,6 +146,7 @@ RDEPEND="${RDEPEND} net-vpn/wireguard-tools sec-policy/selinux-base sec-policy/selinux-base-policy + sec-policy/selinux-container sec-policy/selinux-unconfined sys-apps/acl sys-apps/attr diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/Manifest new file mode 100644 index 0000000000..1029253692 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/Manifest @@ -0,0 +1,3 @@ +DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f +DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6 +DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6 diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/metadata.xml new file mode 100644 index 0000000000..781bc07e6d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/metadata.xml 
@@ -0,0 +1,8 @@ + + + + + selinux@gentoo.org + SELinux Team + + diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r3.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r3.ebuild new file mode 100644 index 0000000000..4455418ebe --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r3.ebuild @@ -0,0 +1,15 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +IUSE="" +MODS="container" + +inherit selinux-policy-2 + +DESCRIPTION="SELinux policy for container" + +if [[ ${PV} != 9999* ]] ; then + KEYWORDS="amd64 arm arm64 ~mips x86" +fi diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r4.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r4.ebuild new file mode 100644 index 0000000000..3c54414a95 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-2.20221101-r4.ebuild @@ -0,0 +1,15 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +IUSE="" +MODS="container" + +inherit selinux-policy-2 + +DESCRIPTION="SELinux policy for container" + +if [[ ${PV} != 9999* ]] ; then + KEYWORDS="amd64 arm arm64 ~mips x86" +fi diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-9999.ebuild new file mode 100644 index 0000000000..e664a42c56 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-container/selinux-container-9999.ebuild 
@@ -0,0 +1,15 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +IUSE="" +MODS="container" + +inherit selinux-policy-2 + +DESCRIPTION="SELinux policy for container" + +if [[ ${PV} != 9999* ]] ; then + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" +fi From 206b71a48f5070f92fae1fe63c1e44d80d818fba Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Mon, 3 Jul 2023 17:49:25 +0200 Subject: [PATCH 15/22] coreos/user-patches: add selinux-container apply Flatcar patch (including the kernel_t transition that should be removed once we have a system labelled) Signed-off-by: Mathieu Tortuyaux --- .../selinux-container/container.patch | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch new file mode 100644 index 0000000000..809c81244e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch 
@@ -0,0 +1,77 @@
+diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
+index 056aa6023..e4bcada03 100644
+--- a/refpolicy/policy/modules/services/container.fc
++++ b/refpolicy/policy/modules/services/container.fc
+@@ -113,3 +113,5 @@ HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
+ /var/log/kube-controller-manager(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+ /var/log/kube-proxy(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+ /var/log/kube-scheduler(/.*)? gen_context(system_u:object_r:container_log_t,s0)
++
++/usr/share/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
+index 5de421fc3..4a6c2760e 100644
+--- a/refpolicy/policy/modules/services/container.te
++++ b/refpolicy/policy/modules/services/container.te
+@@ -1007,3 +1007,62 @@ optional_policy(`
+ unconfined_domain_noaudit(spc_user_t)
+ domain_ptrace_all_domains(spc_user_t)
+ ')
++
++allow container_domain self:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
++allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt shutdown };
++
++# required for sharing /run for the etcd-wrapper
++files_mounton_runtime_dirs(container_engine_domain)
++
++# this is a hack while the system is not labelled. we need to authorize transition from kernel_t
++require {
++ type kernel_t;
++ type tmpfs_t;
++ type var_lib_t;
++ type unconfined_t;
++}
++allow kernel_t container_t:process transition;
++allow initrc_t container_t:process transition;
++allow kernel_t container_t:process2 nnp_transition;
++allow kernel_t unconfined_t:process transition;
++fs_manage_tmpfs_chr_files(container_t)
++fs_manage_tmpfs_dirs(container_t)
++fs_manage_tmpfs_files(container_t)
++fs_manage_tmpfs_sockets(container_t)
++fs_manage_tmpfs_symlinks(container_t)
++fs_remount_tmpfs(container_t)
++kernel_read_messages(container_t)
++kernel_sigchld(container_t)
++kernel_use_fds(container_t)
++allow container_t self:process getcap;
++files_read_var_lib_files(container_t)
++files_read_var_lib_symlinks(container_t)
++term_use_generic_ptys(container_t)
++term_setattr_generic_ptys(container_t)
++allow container_t tmpfs_t:chr_file { read write open };
++allow container_t container_file_t:chr_file { manage_file_perms };
++allow container_t self:capability sys_chroot;
++allow container_t self:process getpgid;
++allow container_t container_file_t:file { entrypoint mounton };
++allow container_t var_lib_t:file { entrypoint execute execute_no_trans };
++allow container_t kernel_t:fifo_file { getattr ioctl read write open append };
++allow container_t initrc_t:fifo_file { getattr ioctl read write open append };
++filetrans_pattern(kernel_t, etc_t, container_file_t, dir, "cni");
++
++# this is required by flanneld
++allow container_t kernel_t:system { module_request };
++
++# required by flanneld to write into /run/flannel/subnet.env
++filetrans_pattern(kernel_t, var_run_t, container_file_t, dir, "flannel");
++
++# required for cilium
++allow kernel_t spc_t:process transition;
++# required for cilium, can be upstreamed
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { open } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { kernel } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { cpu } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc: denied { read } for pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++allow spc_t self:perf_event { open cpu kernel read };
++# required for using cilium cgroup v1
++allow kernel_t self:perf_event { open cpu kernel read };
++allow unconfined_t container_file_t:file { entrypoint };
From eed7eb6d2177838e0323dfb61819893abdbadb66 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Wed, 14 Jun 2023 10:11:44 +0200
Subject: [PATCH 16/22] sec-policy/selinux-sssd: sync with Gentoo
Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db
Signed-off-by: Mathieu Tortuyaux
---
 .../portage-stable/sec-policy/selinux-sssd/Manifest | 7 +++----
 .../portage-stable/sec-policy/selinux-sssd/metadata.xml | 2 +-
 ...0200818-r2.ebuild => selinux-sssd-2.20221101-r3.ebuild} | 4 ++--
 ...0210203-r1.ebuild => selinux-sssd-2.20221101-r4.ebuild} | 4 ++--
 .../sec-policy/selinux-sssd/selinux-sssd-9999.ebuild | 4 ++--
 5 files changed, 10 insertions(+), 11 deletions(-)
 rename sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/{selinux-sssd-2.20200818-r2.ebuild => selinux-sssd-2.20221101-r3.ebuild} (72%)
 rename sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/{selinux-sssd-2.20210203-r1.ebuild => selinux-sssd-2.20221101-r4.ebuild} (71%)
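Review bot: The rules introduced under `# this is a hack while the system is not labelled` go well beyond the kernel_t → container_t transition the commit message describes as temporary — `allow kernel_t unconfined_t:process transition`, the `fs_manage_tmpfs_*(container_t)` set and `allow container_t var_lib_t:file { entrypoint execute execute_no_trans }` each widen container_t past what a relabeling stopgap needs, and they sit in the same unmarked run as the flanneld and cilium grants that are evidently meant to stay, so nothing tells a later maintainer which lines may be dropped. Suggest bracketing the temporary rules with `# FLATCAR-TEMP: remove once the root filesystem is labelled (tracking: <ISSUE-PLACEHOLDER>)` and `# end FLATCAR-TEMP`, and giving each of the broader grants its own one-line justification as the flanneld and cilium lines already have. The `require { ... }` block names only kernel_t, tmpfs_t, var_lib_t and unconfined_t, yet the rules also reference initrc_t, init_t, etc_t and var_run_t directly; if the module builds these are presumably already required elsewhere in container.te, but listing them here makes the dependency explicit and keeps the block self-contained. The inner headers also disagree on the path prefix (`diff --git a/policy/...` against `--- a/refpolicy/policy/...`); `patch -p1` reads only the `---`/`+++` lines so this likely applies as intended, but `git apply` would not accept it, and the two should agree.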
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/Manifest index 531f9303e2..1029253692 100644 --- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/Manifest +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/Manifest 
@@ -1,4 +1,3 @@ -DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3 -DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff -DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7 -DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc +DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f +DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 
da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6 +DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6 diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/metadata.xml index 9173800ffc..781bc07e6d 100644 --- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/metadata.xml @@ -1,5 +1,5 @@ - + selinux@gentoo.org diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20200818-r2.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r3.ebuild similarity index 72% rename from sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20200818-r2.ebuild rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r3.ebuild index 8cb63c7a8b..d0691f20a0 100644 --- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20200818-r2.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r3.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" @@ -11,5 +11,5 @@ inherit selinux-policy-2 DESCRIPTION="SELinux policy for sssd" if [[ ${PV} != 9999* ]] ; then - KEYWORDS="amd64 -arm arm64 ~mips x86" + KEYWORDS="amd64 arm arm64 ~mips x86" fi 
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20210203-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r4.ebuild similarity index 71% rename from sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20210203-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r4.ebuild index 62027e0bdf..5a569d9161 100644 --- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20210203-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-2.20221101-r4.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" @@ -11,5 +11,5 @@ inherit selinux-policy-2 DESCRIPTION="SELinux policy for sssd" if [[ ${PV} != 9999* ]] ; then - KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86" + KEYWORDS="amd64 arm arm64 ~mips x86" fi diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-9999.ebuild index 69e1d26c00..f1c278220c 100644 --- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-sssd/selinux-sssd-9999.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2021 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" @@ -11,5 +11,5 @@ inherit selinux-policy-2 DESCRIPTION="SELinux policy for sssd" if [[ ${PV} != 9999* ]] ; then - KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86" + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" fi From af5400ce640a3d7efef567484fe4d659c9cd387b Mon Sep 17 00:00:00 2001 
From: Mathieu Tortuyaux Date: Wed, 14 Jun 2023 10:12:29 +0200 Subject: [PATCH 17/22] sec-policy/selinux-unconfined: sync with Gentoo Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db Signed-off-by: Mathieu Tortuyaux --- .../portage-stable/sec-policy/selinux-unconfined/Manifest | 7 +++---- .../sec-policy/selinux-unconfined/metadata.xml | 2 +- ...8-r2.ebuild => selinux-unconfined-2.20221101-r3.ebuild} | 4 ++-- ...3-r1.ebuild => selinux-unconfined-2.20221101-r4.ebuild} | 4 ++-- .../selinux-unconfined/selinux-unconfined-9999.ebuild | 4 ++-- 5 files changed, 10 insertions(+), 11 deletions(-) rename sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/{selinux-unconfined-2.20200818-r2.ebuild => selinux-unconfined-2.20221101-r3.ebuild} (73%) rename sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/{selinux-unconfined-2.20210203-r1.ebuild => selinux-unconfined-2.20221101-r4.ebuild} (72%) diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/Manifest index 531f9303e2..1029253692 100644 --- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/Manifest +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/Manifest 
@@ -1,4 +1,3 @@ -DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3 -DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff -DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7 -DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc +DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f +DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 
da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6 +DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6 diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/metadata.xml index 9173800ffc..781bc07e6d 100644 --- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/metadata.xml @@ -1,5 +1,5 @@ - + selinux@gentoo.org diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20200818-r2.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r3.ebuild similarity index 73% rename from sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20200818-r2.ebuild rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r3.ebuild index 8a4b64438c..ca2ad1523d 100644 --- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20200818-r2.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r3.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" 
@@ -11,5 +11,5 @@ inherit selinux-policy-2 DESCRIPTION="SELinux policy for unconfined" if [[ ${PV} != 9999* ]] ; then - KEYWORDS="amd64 -arm ~arm64 ~mips x86" + KEYWORDS="amd64 arm arm64 ~mips x86" fi diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20210203-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r4.ebuild similarity index 72% rename from sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20210203-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r4.ebuild index 9846e2b753..ca550395be 100644 --- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20210203-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-2.20221101-r4.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" @@ -11,5 +11,5 @@ inherit selinux-policy-2 DESCRIPTION="SELinux policy for unconfined" if [[ ${PV} != 9999* ]] ; then - KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86" + KEYWORDS="amd64 arm arm64 ~mips x86" fi diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-9999.ebuild index 6726305669..5785032bbd 100644 --- a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-unconfined/selinux-unconfined-9999.ebuild 
@@ -1,4 +1,4 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2021 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" @@ -11,5 +11,5 @@ inherit selinux-policy-2 DESCRIPTION="SELinux policy for unconfined" if [[ ${PV} != 9999* ]] ; then - KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86" + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" fi From 077dd2363ec34fa90913539ca3a0d8b249bc43c4 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 14 Jun 2023 14:39:26 +0200 Subject: [PATCH 18/22] sec-policys/selinux-dbus: add new package it's a dependency from ssh module: ``` Failed to resolve typeattributeset statement at /var/lib/selinux/mcs/tmp/modules/400/ssh/cil:127 Failed to resolve AST ``` Signed-off-by: Mathieu Tortuyaux --- .../coreos-base/coreos/coreos-0.0.1.ebuild | 1 + .../sec-policy/selinux-dbus/Manifest | 3 +++ .../sec-policy/selinux-dbus/metadata.xml | 8 ++++++++ .../selinux-dbus-2.20221101-r3.ebuild | 15 +++++++++++++++ .../selinux-dbus-2.20221101-r4.ebuild | 15 +++++++++++++++ .../selinux-dbus/selinux-dbus-9999.ebuild | 15 +++++++++++++++ 6 files changed, 57 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r3.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r4.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-9999.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild index 758a55ae8d..5313de0531 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild @@ -147,6 +147,7 @@ RDEPEND="${RDEPEND} sec-policy/selinux-base sec-policy/selinux-base-policy sec-policy/selinux-container + sec-policy/selinux-dbus sec-policy/selinux-unconfined sys-apps/acl sys-apps/attr diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/Manifest new file mode 100644 index 0000000000..1029253692 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/Manifest @@ -0,0 +1,3 @@ +DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f +DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6 +DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6 diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/metadata.xml new file mode 100644 index 0000000000..781bc07e6d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/metadata.xml 
@@ -0,0 +1,8 @@ + + + + + selinux@gentoo.org + SELinux Team + + diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r3.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r3.ebuild new file mode 100644 index 0000000000..d8d567fc3a --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r3.ebuild @@ -0,0 +1,15 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +IUSE="" +MODS="dbus" + +inherit selinux-policy-2 + +DESCRIPTION="SELinux policy for dbus" + +if [[ ${PV} != 9999* ]] ; then + KEYWORDS="amd64 arm arm64 ~mips x86" +fi diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r4.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r4.ebuild new file mode 100644 index 0000000000..8410ed0b65 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-2.20221101-r4.ebuild @@ -0,0 +1,15 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +IUSE="" +MODS="dbus" + +inherit selinux-policy-2 + +DESCRIPTION="SELinux policy for dbus" + +if [[ ${PV} != 9999* ]] ; then + KEYWORDS="amd64 arm arm64 ~mips x86" +fi diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-9999.ebuild new file mode 100644 index 0000000000..1713ca84a2 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-dbus/selinux-dbus-9999.ebuild 
@@ -0,0 +1,15 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="7" + +IUSE="" +MODS="dbus" + +inherit selinux-policy-2 + +DESCRIPTION="SELinux policy for dbus" + +if [[ ${PV} != 9999* ]] ; then + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" +fi From a07620c0d9c9c0848e6eb66e79ec5cee0b67e9ee Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 21 Jun 2023 09:49:57 +0200 Subject: [PATCH 19/22] changelog: add entries Signed-off-by: Mathieu Tortuyaux --- changelog/updates/2023-06-21-selinux.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 changelog/updates/2023-06-21-selinux.md diff --git a/changelog/updates/2023-06-21-selinux.md b/changelog/updates/2023-06-21-selinux.md new file mode 100644 index 0000000000..bcf96a3db3 --- /dev/null +++ b/changelog/updates/2023-06-21-selinux.md @@ -0,0 +1,11 @@ +- libselinux ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5)) +- libsepol ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5)) +- semodule-utils ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5)) +- policycoreutils ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5)) +- libsemanage ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5)) +- checkpolicy ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5)) +- selinux-base ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101)) +- selinux-base-policy ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101)) +- selinux-container ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101)) +- selinux-sssd ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101)) +- selinux-unconfined ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101)) 
From 678dfd7f79f4165d613b8754c69e9cf890bf1871 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Wed, 26 Jul 2023 10:27:23 +0200 Subject: [PATCH 20/22] sys-apps/semodule-utils: sync with Gentoo Commit-Ref: https://github.com/gentoo/gentoo/commit/a8d934769ffbdcab11a222ca978aad6b2ca2ee2e Signed-off-by: Mathieu Tortuyaux --- .../sys-apps/semodule-utils/Manifest | 3 +- .../sys-apps/semodule-utils/metadata.xml | 2 +- .../semodule-utils/semodule-utils-3.1.ebuild | 52 ------------------- ...s-3.2.ebuild => semodule-utils-3.5.ebuild} | 18 ++++--- .../semodule-utils/semodule-utils-9999.ebuild | 16 +++--- 5 files changed, 21 insertions(+), 70 deletions(-) delete mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.1.ebuild rename sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/{semodule-utils-3.2.ebuild => semodule-utils-3.5.ebuild} (80%) diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/Manifest index 278c76d9d8..7251728035 100644 --- a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/Manifest +++ b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/Manifest 
@@ -1,2 +1 @@ -DIST semodule-utils-3.1.tar.gz 14257 BLAKE2B c8c9a1ce7c9c4f53b1f4c728d16b149fdc284f4cff8b4fce0cb59b77d37d6d7e9bf2102c7177c4eaf94677af6147e42d8d0bd55c0bf3a358968d0162d5a6c65a SHA512 b92794bbfbce5834ee7f62fddb40b5506e9291e8fa7c5d669b2e281089b8f8dc40c4522ea287ac5deffdaee751442ba8e691e2ac45fdd378b60d5d6b2527d157 -DIST semodule-utils-3.2.tar.gz 14260 BLAKE2B 35c071c96071028d4a912a89b88d02672f1fb8c2d8d23c3cb472b607dad55acdf351ef870b4d52bb2bed7b816a199c18947afcd16e77b66268822288feb4af2a SHA512 f937647cc22f7ed719908bad64415d706fd97cf1dce484dbca2484b05b3295de40e31bec643b6caaf4e8be742b1f911428d393c5e2d1d0ae39a2a37fd3be9bc1 +DIST semodule-utils-3.5.tar.gz 14383 BLAKE2B a1bb432013bca1023d99b32f43b2c972b6b807a4677f9d8c9fb9aff10225232506f3ecca86fc231b4c63d04582a91a1c4218f87ce5532a4d35a26a09665c6f10 SHA512 7c32f425ae71745040d1c6a6585149a1efb319913aa9d4c8bf185b0a4216dc66378fa38595b171614ee3ae4ade997d3ae56a060346e334faec55c419a87d71dd diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/metadata.xml index 855cbdbdb7..d159ea8775 100644 --- a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/metadata.xml @@ -1,5 +1,5 @@ - + selinux@gentoo.org diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.1.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.1.ebuild deleted file mode 100644 index 2002f71e94..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.1.ebuild +++ /dev/null 
@@ -1,52 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="7" - -inherit toolchain-funcs - -MY_RELEASEDATE="20200710" -SEPOL_VER="${PV}" -SELNX_VER="${PV}" - -MY_P="${P//_/-}" -IUSE="" - -if [[ ${PV} == *9999 ]] ; then - inherit git-r3 - EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git" - S="${WORKDIR}/${MY_P}/${PN}" -else - SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_RELEASEDATE}/${MY_P}.tar.gz" - KEYWORDS="amd64 ~arm ~arm64 ~mips x86" - S="${WORKDIR}/${MY_P}" -fi - -DESCRIPTION="SELinux policy module utilities" -HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki" - -LICENSE="GPL-2" -SLOT="0" - -DEPEND=">=sys-libs/libsepol-${SEPOL_VER}:=" - -# flatcar changes: add a weak blocker on policycoreutils-2.4 -# to prevent file collisions -# policycoreutils-2.4 and semodule-utils provide the same files -RDEPEND="${DEPEND} - !=sys-apps/policycoreutils-2.4-r2 -" - -src_prepare() { - default - - sed -i 's/-Werror//g' "${S}"/*/Makefile || die "Failed to remove Werror" -} - -src_compile() { - emake CC="$(tc-getCC)" -} - -src_install() { - emake DESTDIR="${D}" install -} diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.2.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.5.ebuild similarity index 80% rename from sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.2.ebuild rename to sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.5.ebuild index 13fc0d8627..b67d886e7b 100644 --- a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.2.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-3.5.ebuild 
@@ -1,29 +1,31 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
 
 inherit toolchain-funcs
 
-IUSE=""
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux policy module utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
 
 if [[ ${PV} == *9999 ]] ; then
  inherit git-r3
  EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
  S="${WORKDIR}/${P}/${PN}"
 else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz"
- KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
+ KEYWORDS="amd64 arm arm64 ~mips x86"
+ S="${WORKDIR}/${MY_P}"
 fi
 
-DESCRIPTION="SELinux policy module utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
 LICENSE="GPL-2"
 SLOT="0"
+IUSE=""
 
 DEPEND=">=sys-libs/libsepol-${PV}:="
-
 RDEPEND="${DEPEND}"
 
 src_prepare() {
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-9999.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-9999.ebuild
index 13fc0d8627..525188411f 100644
--- a/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/semodule-utils/semodule-utils-9999.ebuild
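Review bot: The 3.5 ebuild's `RDEPEND="${DEPEND}"` carries no blocker against `sys-apps/policycoreutils-2.4-r2`, while the 3.1 ebuild deleted earlier in this patch had a Flatcar-only `!=sys-apps/policycoreutils-2.4-r2` entry with a comment that both packages install the same files. The 3.2 ebuild being renamed already lacked it, so this may be long settled, but if that policycoreutils revision is still in the overlay the file collision returns on upgrade, and if it is gone a one-line comment above RDEPEND such as `# flatcar: policycoreutils-2.4 blocker dropped, 2.4-r2 is no longer in the tree` would record why so the next Gentoo sync does not re-raise it. `src_prepare` starts on the hunk's last line and continues outside it, so whether the `-Werror` stripping from 3.1 survived is not visible here.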
@@ -1,29 +1,31 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
 
 inherit toolchain-funcs
 
-IUSE=""
+MY_PV="${PV//_/-}"
+MY_P="${PN}-${MY_PV}"
+
+DESCRIPTION="SELinux policy module utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
 
 if [[ ${PV} == *9999 ]] ; then
  inherit git-r3
  EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
  S="${WORKDIR}/${P}/${PN}"
 else
- SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${PV}/${P}.tar.gz"
+ SRC_URI="https://github.com/SELinuxProject/selinux/releases/download/${MY_PV}/${MY_P}.tar.gz"
  KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+ S="${WORKDIR}/${MY_P}"
 fi
 
-DESCRIPTION="SELinux policy module utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
 LICENSE="GPL-2"
 SLOT="0"
+IUSE=""
 
 DEPEND=">=sys-libs/libsepol-${PV}:="
-
 RDEPEND="${DEPEND}"
 
 src_prepare() {
From 0d3c1a51319e7b20b35f156a9d6c1f246d837304 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Thu, 27 Jul 2023 10:57:42 +0200
Subject: [PATCH 21/22] coreos-base/misc-files: add SELinux config
Signed-off-by: Mathieu Tortuyaux
---
 .../coreos-base/misc-files/files/selinux-config | 15 +++++++++++++++
 .../coreos-base/misc-files/misc-files-0.ebuild | 6 ++++++
 2 files changed, 21 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux-config
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux-config b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux-config
new file mode 100644
index 0000000000..7b66367667
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/selinux-config
@@ -0,0 +1,15 @@
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=permissive
+
+# SELINUXTYPE can take one of these four values:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+# mls - Full SELinux protection with Multi-Level Security
+# mcs - Full SELinux protection with Multi-Category Security
+# (mls, but only one sensitivity level)
+SELINUXTYPE=mcs
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild
index a849c70caa..b92882df67 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild
@@ -64,6 +64,9 @@ src_install() {
  ['/usr/share/skel/.bash_logout']='/usr/share/flatcar/etc/skel/.bash_logout'
  ['/usr/share/skel/.bash_profile']='/usr/share/flatcar/etc/skel/.bash_profile'
  ['/usr/share/skel/.bashrc']='/usr/share/flatcar/etc/skel/.bashrc'
+ ['/usr/lib/selinux/config']='/usr/share/flatcar/etc/selinux/config'
+ ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
+ ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
  )
 
  local link target
@@ -76,6 +79,9 @@ src_install() {
  fi
  done
 
+ insinto '/etc/selinux/'
+ newins "${FILESDIR}/selinux-config" config
+
  insinto '/etc/bash/bashrc.d'
  doins "${FILESDIR}/99-flatcar-bcc"
 
From c3ba668ecef3b0a8bb37ce05cc252d527047bd50 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Mon, 3 Jul 2023 17:58:26 +0200
Subject: [PATCH 22/22] .github: add more packages to automation
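Review bot: `SELINUX=permissive` means the policy selected by `SELINUXTYPE=mcs` is loaded but only consulted for logging — denials show up as AVC messages and nothing is blocked — so the file as shipped confines nothing, and a reader should be told that permissive is a deliberate rollout state rather than the intended end state. A comment directly above the setting such as `# Flatcar ships permissive: the mcs policy is loaded and denials are logged but not enforced; switch to enforcing once the policy has been validated on your workload.` would make that explicit. The generic `disabled` line also deserves a caveat, because recent kernels no longer support disabling SELinux at runtime from this file and require `selinux=0` on the kernel command line instead; how an operator overrides this default on a running node is not shown in the patch.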
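Review bot: The three new array entries link `/usr/lib/selinux/config`, `/usr/lib/selinux/mcs` and `/usr/lib/selinux/semanage.conf` to `/usr/share/flatcar/etc/selinux/...`, yet this ebuild only installs `config` (into `/etc/selinux`, via the `newins` in the second hunk); who provides `mcs` and `semanage.conf`, and how `/etc/selinux` ends up mirrored under `/usr/share/flatcar/etc`, are not visible here and presumably come from the SELinux policy/tools packages and the image build. A comment on the entries naming that expectation, e.g. `# NOTE: /etc/selinux/{mcs,semanage.conf} are expected from the SELinux policy and tools packages, not this ebuild; mirrored to /usr/share/flatcar/etc at image build — confirm before relying on these links`, would keep a dangling symlink from going unnoticed if the policy package changes. The `src_install` function that holds this array begins before the hunk.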
Signed-off-by: Mathieu Tortuyaux --- .github/workflows/portage-stable-packages-list | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 7b23ff1f6f..f97ab4bdc3 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -295,6 +295,7 @@ eclass/python-single-r1.eclass eclass/python-utils-r1.eclass eclass/readme.gentoo-r1.eclass eclass/savedconfig.eclass +eclass/selinux-policy-2.eclass eclass/strip-linguas.eclass eclass/systemd.eclass eclass/tmpfiles.eclass @@ -363,8 +364,17 @@ profiles # # scripts +sec-policy/selinux-base +sec-policy/selinux-base-policy +sec-policy/selinux-container +sec-policy/selinux-dbus +sec-policy/selinux-sssd +sec-policy/selinux-unconfined + + sys-apps/acl sys-apps/attr +sys-apps/checkpolicy sys-apps/config-site sys-apps/coreutils sys-apps/debianutils @@ -400,6 +410,7 @@ sys-apps/portage sys-apps/pv sys-apps/sandbox sys-apps/sed +sys-apps/semodule-utils sys-apps/smartmontools sys-apps/texinfo sys-apps/usbutils @@ -454,6 +465,8 @@ sys-libs/libcap sys-libs/libcap-ng sys-libs/libnvme sys-libs/libseccomp +sys-libs/libselinux +sys-libs/libsepol sys-libs/ncurses sys-libs/readline sys-libs/talloc