This patch adds CPE ID information for a significant number of
packages.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Patches 0002-libsepol-fix-CIL_KEY_-build-errors-with-fno-common.patch
and 0003-libsepol-remove-leftovers-of-cil_mem_error_handler.patch are
now upstream.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Other changes:
- Add policy version 32 as a default version of toolchains build with kernel
headers 5.5 or later.
- Add Help text for the above.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The help text was wrong, as it didn't match the actual default values
we were specifying. Indeed, when we specify:
default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13
default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3
It means that the policy version 30 is supported starting from Linux
4.3 included, and that 31 is supported from Linux 4.13 included.
So we shouldn't have:
> 4.3 <= 4.13 30
> 4.13 31
but:
>= 4.3 < 4.13 30
>= 4.13 31
This patch fixes that for all versions.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If a policy is built that is newer than the kernel can support, the
libsepol will fail to load that policy.
Indeed, a user can manually select the policy version in the config
as-is. However, it is not a friendly solution. The best solution available
is to set a default policy version based off of the toolchain header kernel
version. While a user may have a toolchain that has older kernel headers than
the built kernel, it is still better than setting the default to the maximum
available version that SELinux can support.
The following defaults policy versions are as follows for the given toolchain
headers:
31 >= 4.13
30 >= 4.3
29 >= 3.14
28 >= 3.5
26 >= 2.6
default 25
Note: Version 27 was never released.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The policy version has to be a number, as such, set the type to int.
Due to the type change, we can't any longer do the legacy handling of
re-using the refpolicy policy version.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently, a user sets a policy version via the refpolicy package.
Having the option here has a few disadvantages:
- The Refpolicy package is not technically needed to use SELinux.
- When building a modular policy, Refpolicy will ignore the version string
and build the highest version possible which will cause libsemanage to
possibly fail when loading the policy.
Specifying a manual policy version in /etc/selinux/semanage.conf
forces libsemanage to load a specific policy version, which fixes the
above issue. However, because refpolicy currently defines the policy
version, libsemanage does not have a way to determine the policy
version, as refpolicy is not a dependency of libsemanage.
To work around these limitations, move the policy version number
selection to libsepol, as a system using SELinux always requires this
library.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <aduskett@gmail.com>
Cc: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Marcus Folkesson <marcus.folkesson@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Globally change Adam Duskett's email address to aduskett@gmail.com.
Note that one or two of the patches may have been applied upstream with
the old email address, but in that case those patches will anyway be
removed when bumping.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Remove first patch (already in version):
f8532f1773
- Update second and third patch
- For target variant, set SHLIBDIR=/usr/lib because by default it is set
to /lib and LIBDIR is set to $(PREFIX)/lib (with PREFIX=/usr)
- For host variant, set SHLIBDIR=$(HOST_DIR)/lib otherwise shared
library will be installed in /lib (PREFIX is not used to install
shared library)
- Add hash for license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since bump to version 2.7 and addition of
0003-revert-ln-relative.patch, the creation of a symlink through
ln -sf libsepol.so.1 $(HOST_DIR)/lib/libsepol.so
is not needed anymore so remove it
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Patch the Makefiles to make PREFIX and DESTDIR follow standard
semantics to get rid of DESTDIR during compile time in
libsepol.mk and generate proper pkg-config files.
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The reason for combining these patches is because the
old version of setools is not compatible iwth libsepol 2.7. If a user where
to do a git pull on a patch that only updates libsepol or setools, the build
would fail to compile.
setools has been completely rewritten in python instead of C.
The current version of setools includes a few programs that require
python-qt5 or python-networkx to run, however the package does not
check to see if these exist when compiling, and will install the scripts
to the target directory even if they don't exist.
In the case of python-networkx, this package is not available on Buildroot.
The scripts that require them are: sedta and seinfoflow.
In the case of python-qt5, qpol is the script that requires it.
Some setools.mk notes to get the package to compile:
- Convert the package .mk to use python-package instead of autotools-package.
- setup.py hard codes base_lib_dirs to point to several host directories.
To fix this, sed is used before compiling to point the base_lib_dirs to
the staging directory.
- setup.py also includes the "Werror" flag, however compilers before gcc6
cause a few autogenerated variables to not be initialized before use,
causing the build to fail.
To fix this, a patch is provided that removes the Werror flag.
- Remove sedta and seinfoflow from the target system after install. These
packages rely on the package python-networkx which is not available in
buildroot.
- Remove the installed apol package and the setoolsgui directory from the
target directory if python-qt5 is not selected.
Other changes:
- Removed all patches, as they are not compatible with the new version of
setools.
- Add COPYING, COPYING.GPL, and COPYING.LGPL to setools.hash
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since things are no longer installed in $(HOST_DIR)/usr, the callers
should also not refer to it.
This is a mechanical change with
git grep -l '\$(HOST_DIR)/usr' | xargs sed -i 's%\$(HOST_DIR)/usr%$(HOST_DIR)%g'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since things are no longer installed in $(HOST_DIR)/usr, the callers
should also not refer to it.
This is a mechanical change with
git grep -l '$(HOST_DIR)/usr/lib' | xargs sed -i 's%$(HOST_DIR)/usr/lib%$(HOST_DIR)/lib%g'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Remove the redundant usr/ component of the HOST_DIR paths. Since a
previous commit added a symlink from $(HOST_DIR)/usr to $(HOST_DIR),
everything keeps on working.
This is a mechanical change with
git grep -l '\$(HOST_DIR)/usr' | xargs sed -i 's%\(prefix\|PREFIX\)=\("\?\)\$(HOST_DIR)/usr%\1=\2$(HOST_DIR)%g'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
libsepol has a pretty peculiar interpretation of DESTDIR and PREFIX.
PREFIX is not consistently used: some installation paths are forced to
$(DESTDIR)/usr/... . Also, the shared lib symlink is forced to ../../lib
(i.e. assumes it's installed under /usr). For these reasons, the host
build and install commands are a bit unusual: they use DESTDIR instead
of PREFIX, DESTDIR points to $(HOST_DIR) without /usr, and some
additional fixup is needed to correct the installation directory of
libsepol.so.1 and the symlink to it.
This can be simplified quite a lot by passing both DESTDIR and PREFIX,
and including the /usr part in both. The symlink still has to be fixed,
but that's much simpler.
Note that a side effect is that the man pages are now installed under
$(HOST_DIR)/usr/usr/man. While not very nice, we don't really care
about man pages. In addition, this will resolve itself when we later
move $(HOST_DIR)/usr to $(HOST_DIR).
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for LGPLv2.1/LGPLv2.1+ is LGPL-2.1/LGPL-2.1+.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/LGPLv2.1(\+)?/LGPL-2.1\1/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Also removed patch 0003-add-stdarg-include.patch as this has been
committed to upstream.
Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We now always have a sys/cdefs.h, so we can drop this patch.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Libsepol uses cdefs.h which is a internal glibc header.
This header is not intended to be used by any program and will cause
compiling against musl (and possibly other c libraries) to fail.
This patch fixed this issue and replaces all references of
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Ancient distros (especially enterprise-grade still in use) do not accept
ln --relative.
Revert the upstream commit, since the problem it was trying to fix is
not applicable in the context of Buildroot (even with a merged /usr).
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Adam Duskett <Aduskett@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
An additional patch is needed to fix the build with uClibc.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Thomas: add patch to fix build with uClibc.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
libsepol use the same build system than libselinux,
so it's affected by the same issue.
Signed-off-by: Romain Naour <romain.naour@openwide.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Autogenerated from rename-patch.py (http://patchwork.ozlabs.org/patch/403345)
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old location doesn't seem active any more. Even though this github URL
looks a bit odd, it is linked from
https://github.com/SELinuxProject/selinux/wiki/Releases
Also add a .hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since a while, the semantic of BR2_PREFER_STATIC_LIB has been changed
from "prefer static libraries when possible" to "use only static
libraries". The former semantic didn't make much sense, since the user
had absolutely no control/idea of which package would use static
libraries, and which packages would not. Therefore, for quite some
time, we have been starting to enforce that BR2_PREFER_STATIC_LIB
should really build everything with static libraries.
As a consequence, this patch renames BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS, and adjust the Config.in option accordingly.
This also helps preparing the addition of other options to select
shared, shared+static or just static.
Note that we have verified that this commit can be reproduced by
simply doing a global rename of BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS plus adding BR2_PREFER_STATIC_LIB to Config.in.legacy.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Since the trailing slash is stripped from $($(PKG)_SITE) by pkg-generic.mk:
$(call DOWNLOAD,$($(PKG)_SITE:/=)/$($(PKG)_SOURCE))
so it is redundant.
This patch removes it from $(PKG)_SITE variable for BR consistency.
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In commit 52eeb04c76 ('libsepol: fix
static-only library build') I forgot to git add the changes made to
the libsepol.mk file itself. Those changes are needed to actually pass
STATIC=<something> when building static libraries only.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: white space fixes]
Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>