From 3de5229a3caf27cc0e02e6cd953795790c5e136c Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Tue, 13 Jun 2023 17:11:16 +0200 Subject: [PATCH] sec-policy/selinux-base: sync with Gentoo Commit-Ref: https://github.com/gentoo/gentoo/commit/ea4cd1f216e407735528c92434b83313e4b8a8db 
Signed-off-by: Mathieu Tortuyaux --- .../sec-policy/selinux-base/Manifest | 4 -- ...s-kernel-all-more-actions-for-kernel.patch | 24 -------- ...-policy-ms-MCS-restricts-relabelfrom.patch | 27 -------- .../selinux-base/files/icmp-bind.patch | 40 ------------ .../selinux-base/files/lxc_contexts | 10 --- .../files/tmpfiles.d/selinux-base.conf | 4 -- .../sec-policy/selinux-base/Manifest | 3 + .../sec-policy/selinux-base/files/config | 2 +- .../selinux-base/files/selinux.conf | 0 .../sec-policy/selinux-base/metadata.xml | 2 +- .../selinux-base-2.20221101-r3.ebuild} | 9 ++- .../selinux-base-2.20221101-r4.ebuild} | 61 ++++--------------- .../selinux-base/selinux-base-9999.ebuild | 9 ++- 13 files changed, 31 insertions(+), 164 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts delete mode 100644 sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf create mode 100644 sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sec-policy/selinux-base/files/config (96%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sec-policy/selinux-base/files/selinux.conf (100%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sec-policy/selinux-base/metadata.xml (90%) rename 
sdk_container/src/third_party/{coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild => portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild} (95%) rename sdk_container/src/third_party/{coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild => portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild} (71%) rename sdk_container/src/third_party/{coreos-overlay => portage-stable}/sec-policy/selinux-base/selinux-base-9999.ebuild (95%) diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest deleted file mode 100644 index 531f9303e2..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest +++ /dev/null 
@@ -1,4 +0,0 @@
-DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
-DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
-DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
-DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
deleted file mode 100644
index cf6406da73..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 607ff9b67848aafd1bdefa6eda7ade0fd7161d04 Mon Sep 17 00:00:00 2001
-From: Mathieu Tortuyaux
-Date: Fri, 4 Jun 2021 13:17:44 +0200
-Subject: [PATCH] policy/modules/kernel: all more actions for kernel
-
-Signed-off-by: Mathieu Tortuyaux
----
- policy/modules/kernel/kernel.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
---- refpolicy/policy/modules/kernel/kernel.te
-+++ refpolicy/policy/modules/kernel/kernel.te
-@@ -351,6 +351,10 @@ files_list_home(kernel_t)
- files_read_usr_files(kernel_t)
-
- mcs_process_set_categories(kernel_t)
-+mcs_killall(kernel_t)
-+mcs_file_read_all(kernel_t)
-+mcs_file_write_all(kernel_t)
-+mcs_ptrace_all(kernel_t)
-
- mls_process_read_all_levels(kernel_t)
- mls_process_write_all_levels(kernel_t)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
deleted file mode 100644
index 5cce12771a..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/0001-policy-ms-MCS-restricts-relabelfrom.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- refpolicy/policy/mcs
-+++ refpolicy/policy/mcs
-@@ -1,4 +1,6 @@
- ifdef(`enable_mcs',`
-+
-+default_range dir_file_class_set target low-high;
- #
- # Define sensitivities
- #
-@@ -99,14 +101,14 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
- # New filesystem object labels must be dominated by the relabeling subject
- # clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
-
- # new file labels must be dominated by the relabeling subject clearance
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-- ( h1 dom h2 );
-+ (( h1 dom h2 ) or (t1 == mcswriteall));
-
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 ) or (t1 == mcswriteall)));
-
- mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
deleted file mode 100644
index a2d653caf2..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/icmp-bind.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
---- refpolicy/policy/modules/kernel/corenetwork.if.in 2022-01-12 16:59:47.572670384 -0000
-+++ refpolicy2/policy/modules/kernel/corenetwork.if.in 2022-01-12 17:01:54.974858982 -0000
-@@ -879,6 +879,24 @@
-
- ########################################
- ##
-+## Bind ICMP sockets to generic nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_icmp_bind_generic_node',`
-+ gen_require(`
-+ type node_t;
-+ ')
-+
-+ allow $1 node_t:icmp_socket node_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to generic nodes.
- ##
- ##
-diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
---- refpolicy/policy/modules/kernel/corenetwork.te.in 2022-01-12 16:59:47.573670362 -0000
-+++ refpolicy2/policy/modules/kernel/corenetwork.te.in 2022-01-12 17:03:12.754142616 -0000
-@@ -373,7 +373,7 @@
-
- # Bind to any network address.
- allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
--allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
-+allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
-
- # Infiniband
- corenet_ib_access_all_pkeys(corenet_unconfined_type)
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
deleted file mode 100644
index b9ce512118..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
+++ /dev/null
@@ -1,10 +0,0 @@
-# This file is used to configure the per-instance contexts of rkt and other
-# applications that use libvirt for lxc container support.
-#
-# See:
-# https://coreos.com/rkt/docs/latest/selinux.html
-# https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Flxc_contexts_File
-
-process = "system_u:system_r:svirt_lxc_net_t:s0"
-content = "system_u:object_r:virt_var_lib_t:s0"
-file = "system_u:object_r:svirt_lxc_file_t:s0"
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
deleted file mode 100644
index a123a51d15..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /etc/selinux/ - - - - -
-L /etc/selinux/config - - - - ../../usr/lib/selinux/config
-L /etc/selinux/mcs - - - - ../../usr/lib/selinux/mcs
diff --git a/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest
new file mode 100644
index 0000000000..1029253692
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/Manifest
@@ -0,0 +1,3 @@
+DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
+DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6
+DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/config
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/config
index 7b66367667..55933ea0e5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
+++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/config
@@ -12,4 +12,4 @@ SELINUX=permissive
 # mls - Full SELinux protection with Multi-Level Security
 # mcs - Full SELinux protection with Multi-Category Security
 # (mls, but only one sensitivity level)
-SELINUXTYPE=mcs
+SELINUXTYPE=strict
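Review bot: The added `SELINUXTYPE=strict` names a policy type that nothing in this patch shows being built for the image, and it drops the MCS type that the deleted `lxc_contexts` and the `/etc/selinux/mcs` tmpfiles entry were written for. If POLICY_TYPES (set outside this patch) still yields only `mcs`, `/etc/selinux/config` points at a store that is not installed and the policy load at boot has nothing to load. `strict` also has no category separation, so labels that relied on MCS categories to keep containers apart lose that boundary. Keep `SELINUXTYPE=mcs` as a downstream override, or say in the commit where the type is set for the image.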
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/selinux.conf b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/selinux.conf similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/selinux.conf rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/files/selinux.conf diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/metadata.xml similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/metadata.xml index e59a87405f..c909a1b00f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/metadata.xml @@ -1,5 +1,5 @@ - + selinux@gentoo.org diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild index 3ea875afca..d38a576e7f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r3.ebuild 
@@ -1,8 +1,12 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" +PYTHON_COMPAT=( python3_{9..11} ) +PYTHON_REQ_USE="xml(+)" +inherit python-any-r1 + if [[ ${PV} == 9999* ]]; then EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}" EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}" @@ -13,7 +17,7 @@ else SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2 https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2" - KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86" + KEYWORDS="amd64 arm arm64 ~mips x86" fi IUSE="doc +unknown-perms systemd +ubac +unconfined" @@ -26,6 +30,7 @@ SLOT="0" RDEPEND=">=sys-apps/policycoreutils-2.8" DEPEND="${RDEPEND}" BDEPEND=" + ${PYTHON_DEPS} >=sys-apps/checkpolicy-2.8 sys-devel/m4" diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild similarity index 71% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild index bc58b54ab5..d38a576e7f 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r3.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-2.20221101-r4.ebuild 
@@ -1,13 +1,11 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" -# flatcar changes -PYTHON_COMPAT=( python3_{8,9,10,11} ) +PYTHON_COMPAT=( python3_{9..11} ) PYTHON_REQ_USE="xml(+)" -TMPFILES_OPTIONAL=1 -inherit systemd tmpfiles python-any-r1 +inherit python-any-r1 if [[ ${PV} == 9999* ]]; then EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}" @@ -17,9 +15,9 @@ if [[ ${PV} == 9999* ]]; then inherit git-r3 else SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2 - https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PV}-r2.tar.bz2" + https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2" - KEYWORDS="amd64 -arm ~arm64 ~mips x86" + KEYWORDS="amd64 arm arm64 ~mips x86" fi IUSE="doc +unknown-perms systemd +ubac +unconfined" @@ -29,24 +27,12 @@ HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux" LICENSE="GPL-2" SLOT="0" -# flatcar changes -RDEPEND=">=sys-apps/policycoreutils-2.8 - >=sys-apps/checkpolicy-2.8 -" +RDEPEND=">=sys-apps/policycoreutils-2.8" DEPEND="${RDEPEND}" -# flatcar: BDEPEND on python - normally pulled in through policycoreutils -# but we made that dep conditional on USE=python -BDEPEND="sys-devel/m4 - ${PYTHON_DEPS} -" - - -# flatcar changes -PATCHES=( - "${FILESDIR}"/0001-policy-modules-kernel-all-more-actions-for-kernel.patch - "${FILESDIR}"/0001-policy-ms-MCS-restricts-relabelfrom.patch - "${FILESDIR}"/icmp-bind.patch -) +BDEPEND=" + ${PYTHON_DEPS} + >=sys-apps/checkpolicy-2.8 + sys-devel/m4" S=${WORKDIR}/ @@ -56,8 +42,6 @@ src_prepare() { eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch" fi - # flatcar changes - eapply -p0 "${PATCHES[@]}" eapply_user cd "${S}/refpolicy" || die 
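Review bot: The `@@ -29,24 +27,12 @@` hunk removes the `PATCHES` array and the src_prepare hunk removes its `eapply -p0 "${PATCHES[@]}"`, so three downstream policy changes stop being built in with no record of whether that is intended: the `kernel_t` MCS overrides, the `mcswriteall` exemption on the relabel constraints, and `icmp_socket` node_bind. The src_configure hunk further down does the same for `allow_execmem = true`, whose removed comment said polkit segfaults without it. Dropping them narrows what the policy allows, which is the safer direction, but each was added for a workload and will surface as AVC denials once the policy is enforcing. Since this tree appears to mirror upstream, record the decision in the commit message rather than the ebuild, one line per dropped change saying whether it is gone for good or re-applied elsewhere. src_prepare continues outside its hunk.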
@@ -99,10 +83,6 @@ src_configure() { sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die - # flatcar changes: it's required to run polkit without segfault - # we need to pass this argument now before the compilation of the policy - sed -i "s/allow_execmem = false/allow_execmem = true/" "${S}/${i}/policy/booleans.conf" || die - sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \ "${S}/${i}/build.conf" || die "build.conf setup failed." @@ -132,9 +112,7 @@ src_compile() { for i in ${POLICY_TYPES}; do cd "${S}/${i}" || die - # flatcar changes - emake base BINDIR="${ROOT}/usr/bin" NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux \ - LD_LIBRARY_PATH="${ROOT}/usr/lib64:${LD_LIBRARY_PATH}" -C "${S}"/${i} + emake base if use doc; then emake html fi @@ -167,29 +145,14 @@ src_install() { done - # flatcar changes - dotmpfiles "${FILESDIR}/tmpfiles.d/selinux-base.conf" - systemd-tmpfiles --root="${D}" --create selinux-base.conf - docinto / dodoc doc/Makefile.example doc/example.{te,fc,if} doman man/man8/*.8; - # flatcar changes - insinto /usr/lib/selinux + insinto /etc/selinux doins "${FILESDIR}/config" - insinto /etc/selinux/mcs/contexts - doins "${FILESDIR}/lxc_contexts" - - # flatcar changes - mkdir -p "${D}/usr/lib/selinux" - for i in ${POLICY_TYPES}; do - mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux" - dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}" - done - insinto /usr/share/portage/config/sets doins "${FILESDIR}/selinux.conf" } diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-9999.ebuild similarity index 95% rename from sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild rename to sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-9999.ebuild index 3be921e88d..1185969155 100644 
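Review bot: `insinto /etc/selinux` in the src_install hunk installs `config` and leaves each policy store under `/etc/selinux`, with nothing replacing the removed `/usr/lib/selinux` relocation or the `tmpfiles.d/selinux-base.conf` links this commit also deletes. If the image ships `/usr` read-only and populates `/etc` at first boot (not visible from this patch), `/etc/selinux/config` and the store would be absent on a fresh machine and the host would come up without the intended policy. Confirm the image build still carries these paths, or keep the relocation as a documented downstream step. src_install starts and ends outside the hunk.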
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/sec-policy/selinux-base/selinux-base-9999.ebuild @@ -1,8 +1,12 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="7" +PYTHON_COMPAT=( python3_{9..11} ) +PYTHON_REQ_USE="xml(+)" +inherit python-any-r1 + if [[ ${PV} == 9999* ]]; then EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}" EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}" @@ -13,7 +17,7 @@ else SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2 https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2" - KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86" + KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86" fi IUSE="doc +unknown-perms systemd +ubac +unconfined" @@ -26,6 +30,7 @@ SLOT="0" RDEPEND=">=sys-apps/policycoreutils-2.8" DEPEND="${RDEPEND}" BDEPEND=" + ${PYTHON_DEPS} >=sys-apps/checkpolicy-2.8 sys-devel/m4"