refpolicy: upgrade 20210908+git -> 20221101+gitlangdale

* Update to latest git rev. * Drop obsolete and useless patches. * Rebase patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Yi Zhao <yi.zhao@windriver.com> 2022-11-09 12:30:58 +0800
committer: Joe MacDonald <joe@deserted.net> 2022-11-23 09:26:29 -0500
commit: f6d73a35d3853ab09297fa1738890706901f43b8 (patch)
tree: ade400c3827c3a84dbda977da7894c275b711de1 /recipes-security/refpolicy/refpolicy_common.inc
parent: e9270d6e5889a854edd1305b91d3e5c7268d0cb8 (diff)
download: meta-selinux-langdale.tar.gz
1 files changed, 123 insertions, 138 deletions
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index bb0c0dd..a51312f 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -7,10 +7,10 @@ PROVIDES = "virtual/refpolicy"
 RPROVIDES:${PN} = "refpolicy"
 # Specific config files for Poky
-SRC_URI += "file://customizable_types  \
+SRC_URI += "file://customizable_types \
-            file://setrans-mls.conf  \
+            file://setrans-mls.conf \
-            file://setrans-mcs.conf  \
+            file://setrans-mcs.conf \
-           "
+           "
 # Base patches applied to all Yocto-based platforms.  Your own version of
 # refpolicy should provide a version of these and place them in your own
@@ -49,64 +49,49 @@ SRC_URI += " \
        file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
        file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \
        file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
-        file://0034-policy-modules-system-modutils-allow-mod_t-to-access.patch \
+        file://0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
-        file://0035-policy-modules-system-getty-allow-getty_t-to-search-.patch \
+        file://0035-policy-modules-system-systemd-enable-support-for-sys.patch \
-        file://0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
+        file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
-        file://0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch \
+        file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
-        file://0038-policy-modules-system-systemd-enable-support-for-sys.patch \
+        file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
-        file://0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch \
+        file://0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
-        file://0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch \
+        file://0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
-        file://0041-policy-modules-system-logging-fix-syslogd-failures-f.patch \
+        file://0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
-        file://0042-policy-modules-system-systemd-systemd-user-fixes.patch \
+        file://0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
-        file://0043-policy-modules-system-sysnetwork-support-priviledge-.patch \
+        file://0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
-        file://0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch \
+        file://0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
-        file://0045-policy-modules-system-systemd-allow-systemd_logind_t.patch \
+        file://0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
-        file://0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
+        file://0046-policy-modules-system-systemd-systemd-make-systemd_-.patch \
-        file://0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
+        file://0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
-        file://0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
+        file://0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
-        file://0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
+        file://0049-policy-modules-system-init-all-init_t-to-read-any-le.patch \
-        file://0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
+        file://0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
-        file://0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
+        file://0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
-        file://0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
+        file://0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
-        file://0053-policy-modules-system-systemd-systemd-make-systemd_-.patch \
+        file://0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
-        file://0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
+        file://0054-policy-modules-system-logging-make-syslogd_runtime_t.patch \
-        file://0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
-        file://0056-policy-modules-system-init-all-init_t-to-read-any-le.patch \
-        file://0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
-        file://0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
-        file://0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
-        file://0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
-        file://0061-policy-modules-system-logging-make-syslogd_runtime_t.patch \
-        file://0062-systemd-systemd-resolved-is-linked-to-libselinux.patch \
-        file://0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch \
-        file://0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch \
-        file://0065-systemd-add-file-transition-for-systemd-networkd-run.patch \
-        file://0066-systemd-add-missing-file-context-for-run-systemd-net.patch \
-        file://0067-systemd-add-file-contexts-for-systemd-network-genera.patch \
-        file://0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch \
-        file://0069-fc-fstools-apply-policy-to-findfs-alternative.patch \
        "
 S = "${WORKDIR}/refpolicy"
-CONFFILES:${PN} += "${sysconfdir}/selinux/config"
+CONFFILES:${PN} = "${sysconfdir}/selinux/config"
 FILES:${PN} += " \
-        ${sysconfdir}/selinux/${POLICY_NAME}/ \
+    ${sysconfdir}/selinux/${POLICY_NAME}/ \
-        ${datadir}/selinux/${POLICY_NAME}/*.pp \
+    ${datadir}/selinux/${POLICY_NAME}/*.pp \
-        ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
+    ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
-        "
+    "
 FILES:${PN}-dev =+ " \
-        ${datadir}/selinux/${POLICY_NAME}/include/ \
+    ${datadir}/selinux/${POLICY_NAME}/include/ \
-        ${sysconfdir}/selinux/sepolgen.conf \
+    ${sysconfdir}/selinux/sepolgen.conf \
-"
+    "
 EXTRANATIVEPATH += "bzip2-native"
-DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
+DEPENDS = "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
-RDEPENDS:${PN}-dev =+ " \
+RDEPENDS:${PN}-dev = " \
-        python3-core \
+    python3-core \
-"
+    "
 PACKAGE_ARCH = "${MACHINE_ARCH}"
@@ -129,83 +114,83 @@ POLICY_MLS_SENS ?= "16"
 POLICY_MLS_CATS ?= "1024"
 POLICY_MCS_CATS ?= "1024"
-EXTRA_OEMAKE += "NAME=${POLICY_NAME} \
+EXTRA_OEMAKE = "NAME=${POLICY_NAME} \
-        TYPE=${POLICY_TYPE} \
+    TYPE=${POLICY_TYPE} \
-        DISTRO=${POLICY_DISTRO} \
+    DISTRO=${POLICY_DISTRO} \
-        UBAC=${POLICY_UBAC} \
+    UBAC=${POLICY_UBAC} \
-        UNK_PERMS=${POLICY_UNK_PERMS} \
+    UNK_PERMS=${POLICY_UNK_PERMS} \
-        DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
+    DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
-        SYSTEMD=${POLICY_SYSTEMD} \
+    SYSTEMD=${POLICY_SYSTEMD} \
-        MONOLITHIC=${POLICY_MONOLITHIC} \
+    MONOLITHIC=${POLICY_MONOLITHIC} \
-        CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
+    CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
-        QUIET=${POLICY_QUIET} \
+    QUIET=${POLICY_QUIET} \
-        MLS_SENS=${POLICY_MLS_SENS} \
+    MLS_SENS=${POLICY_MLS_SENS} \
-        MLS_CATS=${POLICY_MLS_CATS} \
+    MLS_CATS=${POLICY_MLS_CATS} \
-        MCS_CATS=${POLICY_MCS_CATS}"
+    MCS_CATS=${POLICY_MCS_CATS}"
 EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
 EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
 EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"
-python __anonymous () {
+python __anonymous() {
    import re
-    # make sure DEFAULT_ENFORCING is something sane
+    # Make sure DEFAULT_ENFORCING is something sane
    if not re.match('^(enforcing|permissive|disabled)$',
                    d.getVar('DEFAULT_ENFORCING'),
                    flags=0):
        d.setVar('DEFAULT_ENFORCING', 'permissive')
 }
-disable_policy_modules () {
+disable_policy_modules() {
-        for module in ${PURGE_POLICY_MODULES} ; do
+    for module in ${PURGE_POLICY_MODULES} ; do
-                sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
+        sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
-        done
+    done
 }
 do_compile() {
-        if [ -f "${WORKDIR}/modules.conf" ] ; then
+    if [ -f "${WORKDIR}/modules.conf" ] ; then
-                cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
+        cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
-        fi
+    fi
-        oe_runmake conf
+    oe_runmake conf
-        disable_policy_modules
+    disable_policy_modules
-        oe_runmake policy
+    oe_runmake policy
 }
-prepare_policy_store () {
+prepare_policy_store() {
-        oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+    oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
-        POL_PRIORITY=100
+    POL_PRIORITY=100
-        POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+    POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
-        POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+    POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
-        POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
+    POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
-        # Prepare to create policy store
+    # Prepare to create policy store
-        mkdir -p ${POL_STORE}
+    mkdir -p ${POL_STORE}
-        mkdir -p ${POL_ACTIVE_MODS}
+    mkdir -p ${POL_ACTIVE_MODS}
-        # get hll type from suffix on base policy module
+    # Get hll type from suffix on base policy module
-        HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+    HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
-        HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+    HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
-        for i in ${POL_SRC}/*.${HLL_TYPE}; do
+    for i in ${POL_SRC}/*.${HLL_TYPE}; do
-                MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
+        MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
-                MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
+        MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
-                mkdir -p ${MOD_DIR}
+        mkdir -p ${MOD_DIR}
-                echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+        echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
-                if ! bzip2 -t $i >/dev/null 2>&1; then
+        if ! bzip2 -t $i >/dev/null 2>&1; then
-                        ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
+            ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
-                        bzip2 -f $i && mv -f $i.bz2 $i
+            bzip2 -f $i && mv -f $i.bz2 $i
-                else
+        else
-                        bunzip2 --stdout $i | \
+            bunzip2 --stdout $i | \
-                                ${HLL_BIN} | \
+                ${HLL_BIN} | \
-                                bzip2 --stdout > ${MOD_DIR}/cil
+                bzip2 --stdout > ${MOD_DIR}/cil
-                fi
+        fi
-                cp $i ${MOD_DIR}/hll
+        cp $i ${MOD_DIR}/hll
-        done
+    done
 }
-rebuild_policy () {
+rebuild_policy() {
-        cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
+    cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
 module-store = direct
 [setfiles]
 path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
@@ -219,29 +204,29 @@ args = \$@
 policy-version = 33
 EOF
-        # Create policy store and build the policy
+    # Create policy store and build the policy
-        semodule -p ${D} -s ${POLICY_NAME} -n -B
+    semodule -p ${D} -s ${POLICY_NAME} -n -B
-        rm -f ${D}${sysconfdir}/selinux/semanage.conf
+    rm -f ${D}${sysconfdir}/selinux/semanage.conf
-        # no need to leave final dir created by semanage laying around
+    # No need to leave final dir created by semanage laying around
-        rm -rf ${D}${localstatedir}/lib/selinux/final
+    rm -rf ${D}${localstatedir}/lib/selinux/final
 }
-install_misc_files () {
+install_misc_files() {
-        cat ${WORKDIR}/customizable_types >> \
+    cat ${WORKDIR}/customizable_types >> \
-                ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
+        ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
-        # install setrans.conf for mls/mcs policy
+    # Install setrans.conf for mls/mcs policy
-        if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
+    if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
-                install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
+        install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
-                        ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
+            ${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
-        fi
+    fi
-        # install policy headers
+    # Install policy headers
-        oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
+    oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
 }
-install_config () {
+install_config() {
-        echo "\
+    echo "\
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:
 #     enforcing - SELinux security policy is enforced.
@@ -256,22 +241,22 @@ SELINUX=${DEFAULT_ENFORCING}
 #     mcs - Multi Category Security protection.
 SELINUXTYPE=${POLICY_NAME}
 " > ${WORKDIR}/config
-        install -d ${D}/${sysconfdir}/selinux
+    install -d ${D}/${sysconfdir}/selinux
-        install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
+    install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
 }
-do_install () {
+do_install() {
-        prepare_policy_store
+    prepare_policy_store
-        rebuild_policy
+    rebuild_policy
-        install_misc_files
+    install_misc_files
-        install_config
+    install_config
 }
-do_install:append(){
+do_install:append() {
-        # While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
+    # While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
-        echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
+    echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
 }
-sysroot_stage_all:append () {
+sysroot_stage_all:append() {
-        sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+    sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
 }
author	Yi Zhao <yi.zhao@windriver.com>	2022-11-09 12:30:58 +0800
committer	Joe MacDonald <joe@deserted.net>	2022-11-23 09:26:29 -0500
commit	f6d73a35d3853ab09297fa1738890706901f43b8 (patch)
tree	ade400c3827c3a84dbda977da7894c275b711de1 /recipes-security/refpolicy/refpolicy_common.inc
parent	e9270d6e5889a854edd1305b91d3e5c7268d0cb8 (diff)
download	meta-selinux-langdale.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index bb0c0dd..a51312f 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -7,10 +7,10 @@ PROVIDES = "virtual/refpolicy"
7	RPROVIDES:${PN} = "refpolicy"	7	RPROVIDES:${PN} = "refpolicy"
8		8
9	# Specific config files for Poky	9	# Specific config files for Poky
10	SRC_URI += "file://customizable_types \	10	SRC_URI += "file://customizable_types \
11	file://setrans-mls.conf \	11	file://setrans-mls.conf \
12	file://setrans-mcs.conf \	12	file://setrans-mcs.conf \
13	"	13	"
14		14
15	# Base patches applied to all Yocto-based platforms. Your own version of	15	# Base patches applied to all Yocto-based platforms. Your own version of
16	# refpolicy should provide a version of these and place them in your own	16	# refpolicy should provide a version of these and place them in your own
@@ -49,64 +49,49 @@ SRC_URI += " \
49	file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \	49	file://0031-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
50	file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \	50	file://0032-policy-modules-system-logging-fix-auditd-startup-fai.patch \
51	file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \	51	file://0033-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
52	file://0034-policy-modules-system-modutils-allow-mod_t-to-access.patch \	52	file://0034-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
53	file://0035-policy-modules-system-getty-allow-getty_t-to-search-.patch \	53	file://0035-policy-modules-system-systemd-enable-support-for-sys.patch \
54	file://0036-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \	54	file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
55	file://0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch \	55	file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
56	file://0038-policy-modules-system-systemd-enable-support-for-sys.patch \	56	file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
57	file://0039-policy-modules-system-systemd-fix-systemd-resolved-s.patch \	57	file://0039-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
58	file://0040-policy-modules-system-systemd-allow-systemd_-_t-to-g.patch \	58	file://0040-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
59	file://0041-policy-modules-system-logging-fix-syslogd-failures-f.patch \	59	file://0041-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
60	file://0042-policy-modules-system-systemd-systemd-user-fixes.patch \	60	file://0042-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
61	file://0043-policy-modules-system-sysnetwork-support-priviledge-.patch \	61	file://0043-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
62	file://0044-policy-modules-system-modutils-allow-kmod_t-to-write.patch \	62	file://0044-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
63	file://0045-policy-modules-system-systemd-allow-systemd_logind_t.patch \	63	file://0045-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
64	file://0046-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \	64	file://0046-policy-modules-system-systemd-systemd-make-systemd_-.patch \
65	file://0047-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \	65	file://0047-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
66	file://0048-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \	66	file://0048-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
67	file://0049-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \	67	file://0049-policy-modules-system-init-all-init_t-to-read-any-le.patch \
68	file://0050-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \	68	file://0050-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
69	file://0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \	69	file://0051-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
70	file://0052-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \	70	file://0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
71	file://0053-policy-modules-system-systemd-systemd-make-systemd_-.patch \	71	file://0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
72	file://0054-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \	72	file://0054-policy-modules-system-logging-make-syslogd_runtime_t.patch \
73	file://0055-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
74	file://0056-policy-modules-system-init-all-init_t-to-read-any-le.patch \
75	file://0057-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
76	file://0058-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
77	file://0059-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
78	file://0060-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
79	file://0061-policy-modules-system-logging-make-syslogd_runtime_t.patch \
80	file://0062-systemd-systemd-resolved-is-linked-to-libselinux.patch \
81	file://0063-sysnetwork-systemd-allow-DNS-resolution-over-io.syst.patch \
82	file://0064-term-init-allow-systemd-to-watch-and-watch-reads-on-.patch \
83	file://0065-systemd-add-file-transition-for-systemd-networkd-run.patch \
84	file://0066-systemd-add-missing-file-context-for-run-systemd-net.patch \
85	file://0067-systemd-add-file-contexts-for-systemd-network-genera.patch \
86	file://0068-systemd-udev-allow-udev-to-read-systemd-networkd-run.patch \
87	file://0069-fc-fstools-apply-policy-to-findfs-alternative.patch \
88	"	73	"
89		74
90	S = "${WORKDIR}/refpolicy"	75	S = "${WORKDIR}/refpolicy"
91		76
92	CONFFILES:${PN} += "${sysconfdir}/selinux/config"	77	CONFFILES:${PN} = "${sysconfdir}/selinux/config"
93	FILES:${PN} += " \	78	FILES:${PN} += " \
94	${sysconfdir}/selinux/${POLICY_NAME}/ \	79	${sysconfdir}/selinux/${POLICY_NAME}/ \
95	${datadir}/selinux/${POLICY_NAME}/*.pp \	80	${datadir}/selinux/${POLICY_NAME}/*.pp \
96	${localstatedir}/lib/selinux/${POLICY_NAME}/ \	81	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
97	"	82	"
98	FILES:${PN}-dev =+ " \	83	FILES:${PN}-dev =+ " \
99	${datadir}/selinux/${POLICY_NAME}/include/ \	84	${datadir}/selinux/${POLICY_NAME}/include/ \
100	${sysconfdir}/selinux/sepolgen.conf \	85	${sysconfdir}/selinux/sepolgen.conf \
101	"	86	"
102		87
103	EXTRANATIVEPATH += "bzip2-native"	88	EXTRANATIVEPATH += "bzip2-native"
104		89
105	DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"	90	DEPENDS = "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
106		91
107	RDEPENDS:${PN}-dev =+ " \	92	RDEPENDS:${PN}-dev = " \
108	python3-core \	93	python3-core \
109	"	94	"
110		95
111	PACKAGE_ARCH = "${MACHINE_ARCH}"	96	PACKAGE_ARCH = "${MACHINE_ARCH}"
112		97
@@ -129,83 +114,83 @@ POLICY_MLS_SENS ?= "16"
129	POLICY_MLS_CATS ?= "1024"	114	POLICY_MLS_CATS ?= "1024"
130	POLICY_MCS_CATS ?= "1024"	115	POLICY_MCS_CATS ?= "1024"
131		116
132	EXTRA_OEMAKE += "NAME=${POLICY_NAME} \	117	EXTRA_OEMAKE = "NAME=${POLICY_NAME} \
133	TYPE=${POLICY_TYPE} \	118	TYPE=${POLICY_TYPE} \
134	DISTRO=${POLICY_DISTRO} \	119	DISTRO=${POLICY_DISTRO} \
135	UBAC=${POLICY_UBAC} \	120	UBAC=${POLICY_UBAC} \
136	UNK_PERMS=${POLICY_UNK_PERMS} \	121	UNK_PERMS=${POLICY_UNK_PERMS} \
137	DIRECT_INITRC=${POLICY_DIRECT_INITRC} \	122	DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
138	SYSTEMD=${POLICY_SYSTEMD} \	123	SYSTEMD=${POLICY_SYSTEMD} \
139	MONOLITHIC=${POLICY_MONOLITHIC} \	124	MONOLITHIC=${POLICY_MONOLITHIC} \
140	CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \	125	CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
141	QUIET=${POLICY_QUIET} \	126	QUIET=${POLICY_QUIET} \
142	MLS_SENS=${POLICY_MLS_SENS} \	127	MLS_SENS=${POLICY_MLS_SENS} \
143	MLS_CATS=${POLICY_MLS_CATS} \	128	MLS_CATS=${POLICY_MLS_CATS} \
144	MCS_CATS=${POLICY_MCS_CATS}"	129	MCS_CATS=${POLICY_MCS_CATS}"
145		130
146	EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"	131	EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
147	EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V \| cut -d' ' -f1`"	132	EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V \| cut -d' ' -f1`"
148	EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"	133	EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"
149		134
150	python __anonymous () {	135	python __anonymous() {
151	import re	136	import re
152		137
153	# make sure DEFAULT_ENFORCING is something sane	138	# Make sure DEFAULT_ENFORCING is something sane
154	if not re.match('^(enforcing\|permissive\|disabled)$',	139	if not re.match('^(enforcing\|permissive\|disabled)$',
155	d.getVar('DEFAULT_ENFORCING'),	140	d.getVar('DEFAULT_ENFORCING'),
156	flags=0):	141	flags=0):
157	d.setVar('DEFAULT_ENFORCING', 'permissive')	142	d.setVar('DEFAULT_ENFORCING', 'permissive')
158	}	143	}
159		144
160	disable_policy_modules () {	145	disable_policy_modules() {
161	for module in ${PURGE_POLICY_MODULES} ; do	146	for module in ${PURGE_POLICY_MODULES} ; do
162	sed -i "s/^\(\<${module}\>\) = .*$/\1 = off/" ${S}/policy/modules.conf	147	sed -i "s/^\(\<${module}\>\) = .*$/\1 = off/" ${S}/policy/modules.conf
163	done	148	done
164	}	149	}
165		150
166	do_compile() {	151	do_compile() {
167	if [ -f "${WORKDIR}/modules.conf" ] ; then	152	if [ -f "${WORKDIR}/modules.conf" ] ; then
168	cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf	153	cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
169	fi	154	fi
170	oe_runmake conf	155	oe_runmake conf
171	disable_policy_modules	156	disable_policy_modules
172	oe_runmake policy	157	oe_runmake policy
173	}	158	}
174		159
175	prepare_policy_store () {	160	prepare_policy_store() {
176	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install	161	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
177	POL_PRIORITY=100	162	POL_PRIORITY=100
178	POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}	163	POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
179	POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}	164	POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
180	POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}	165	POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
181		166
182	# Prepare to create policy store	167	# Prepare to create policy store
183	mkdir -p ${POL_STORE}	168	mkdir -p ${POL_STORE}
184	mkdir -p ${POL_ACTIVE_MODS}	169	mkdir -p ${POL_ACTIVE_MODS}
185		170
186	# get hll type from suffix on base policy module	171	# Get hll type from suffix on base policy module
187	HLL_TYPE=$(echo ${POL_SRC}/base.* \| awk -F . '{if (NF>1) {print $NF}}')	172	HLL_TYPE=$(echo ${POL_SRC}/base.* \| awk -F . '{if (NF>1) {print $NF}}')
188	HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}	173	HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
189		174
190	for i in ${POL_SRC}/*.${HLL_TYPE}; do	175	for i in ${POL_SRC}/*.${HLL_TYPE}; do
191	MOD_NAME=$(basename $i \| sed "s/\.${HLL_TYPE}$//")	176	MOD_NAME=$(basename $i \| sed "s/\.${HLL_TYPE}$//")
192	MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}	177	MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
193	mkdir -p ${MOD_DIR}	178	mkdir -p ${MOD_DIR}
194	echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext	179	echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
195	if ! bzip2 -t $i >/dev/null 2>&1; then	180	if ! bzip2 -t $i >/dev/null 2>&1; then
196	${HLL_BIN} $i \| bzip2 --stdout > ${MOD_DIR}/cil	181	${HLL_BIN} $i \| bzip2 --stdout > ${MOD_DIR}/cil
197	bzip2 -f $i && mv -f $i.bz2 $i	182	bzip2 -f $i && mv -f $i.bz2 $i
198	else	183	else
199	bunzip2 --stdout $i \| \	184	bunzip2 --stdout $i \| \
200	${HLL_BIN} \| \	185	${HLL_BIN} \| \
201	bzip2 --stdout > ${MOD_DIR}/cil	186	bzip2 --stdout > ${MOD_DIR}/cil
202	fi	187	fi
203	cp $i ${MOD_DIR}/hll	188	cp $i ${MOD_DIR}/hll
204	done	189	done
205	}	190	}
206		191
207	rebuild_policy () {	192	rebuild_policy() {
208	cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf	193	cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
209	module-store = direct	194	module-store = direct
210	[setfiles]	195	[setfiles]
211	path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles	196	path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
@@ -219,29 +204,29 @@ args = \$@
219	policy-version = 33	204	policy-version = 33
220	EOF	205	EOF
221		206
222	# Create policy store and build the policy	207	# Create policy store and build the policy
223	semodule -p ${D} -s ${POLICY_NAME} -n -B	208	semodule -p ${D} -s ${POLICY_NAME} -n -B
224	rm -f ${D}${sysconfdir}/selinux/semanage.conf	209	rm -f ${D}${sysconfdir}/selinux/semanage.conf
225	# no need to leave final dir created by semanage laying around	210	# No need to leave final dir created by semanage laying around
226	rm -rf ${D}${localstatedir}/lib/selinux/final	211	rm -rf ${D}${localstatedir}/lib/selinux/final
227	}	212	}
228		213
229	install_misc_files () {	214	install_misc_files() {
230	cat ${WORKDIR}/customizable_types >> \	215	cat ${WORKDIR}/customizable_types >> \
231	${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types	216	${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
232		217
233	# install setrans.conf for mls/mcs policy	218	# Install setrans.conf for mls/mcs policy
234	if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then	219	if [ -f ${WORKDIR}/setrans-${POLICY_TYPE}.conf ]; then
235	install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \	220	install -m 0644 ${WORKDIR}/setrans-${POLICY_TYPE}.conf \
236	${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf	221	${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
237	fi	222	fi
238		223
239	# install policy headers	224	# Install policy headers
240	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers	225	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
241	}	226	}
242		227
243	install_config () {	228	install_config() {
244	echo "\	229	echo "\
245	# This file controls the state of SELinux on the system.	230	# This file controls the state of SELinux on the system.
246	# SELINUX= can take one of these three values:	231	# SELINUX= can take one of these three values:
247	# enforcing - SELinux security policy is enforced.	232	# enforcing - SELinux security policy is enforced.
@@ -256,22 +241,22 @@ SELINUX=${DEFAULT_ENFORCING}
256	# mcs - Multi Category Security protection.	241	# mcs - Multi Category Security protection.
257	SELINUXTYPE=${POLICY_NAME}	242	SELINUXTYPE=${POLICY_NAME}
258	" > ${WORKDIR}/config	243	" > ${WORKDIR}/config
259	install -d ${D}/${sysconfdir}/selinux	244	install -d ${D}/${sysconfdir}/selinux
260	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/	245	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
261	}	246	}
262		247
263	do_install () {	248	do_install() {
264	prepare_policy_store	249	prepare_policy_store
265	rebuild_policy	250	rebuild_policy
266	install_misc_files	251	install_misc_files
267	install_config	252	install_config
268	}	253	}
269		254
270	do_install:append(){	255	do_install:append() {
271	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH	256	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
272	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf	257	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
273	}	258	}
274		259
275	sysroot_stage_all:append () {	260	sysroot_stage_all:append() {
276	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}	261	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
277	}	262	}