From 9a07ac84248c97ea7adebebbf11d28bf9872b77f Mon Sep 17 00:00:00 2001
From: Wenzong Fan
Date: Mon, 4 Sep 2017 22:59:47 -0700
Subject: restorecond: add package 2.7 (20170804)
Move policycoreutils/restorecond to restorecond:
* Move and rebase patch:
- policycoreutils-make-O_CLOEXEC-optional.patch
* Cleanup policycoreutils_2.7.bb.
Signed-off-by: Wenzong Fan
Update policycoreutils_git.bb
Signed-off-by: Mark Hatle
---
.../policycoreutils-make-O_CLOEXEC-optional.patch | 43 ----------------------
recipes-security/selinux/policycoreutils_2.7.bb | 1 -
recipes-security/selinux/policycoreutils_git.bb | 1 -
recipes-security/selinux/restorecond.inc | 28 ++++++++++++++
.../policycoreutils-make-O_CLOEXEC-optional.patch | 43 ++++++++++++++++++++++
recipes-security/selinux/restorecond_2.7.bb | 7 ++++
6 files changed, 78 insertions(+), 45 deletions(-)
delete mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch
create mode 100644 recipes-security/selinux/restorecond.inc
create mode 100644 recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
create mode 100644 recipes-security/selinux/restorecond_2.7.bb
(limited to 'recipes-security/selinux')
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch
deleted file mode 100644
index d50356e..0000000
--- a/recipes-security/selinux/policycoreutils/policycoreutils-make-O_CLOEXEC-optional.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
-
-Various commits in the selinux tree in the current release added O_CLOEXEC
-to open() calls in an attempt to address file descriptor leaks as
-described:
-
- http://danwalsh.livejournal.com/53603.html
-
-However O_CLOEXEC isn't available on all platforms, so make it a
-compile-time option and generate a warning when it is not available. The
-actual impact of leaking these file descriptors is minimal, though it does
-produce curious AVC Denied messages.
-
-Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
-
-Signed-off-by: Joe MacDonald
-Signed-off-by: Wenzong Fan
----
- restorecond/user.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/restorecond/user.c b/restorecond/user.c
-index 2c28676..6235772 100644
---- a/restorecond/user.c
-+++ b/restorecond/user.c
-@@ -202,7 +202,13 @@ static int local_server() {
- perror("asprintf");
- return -1;
- }
-- local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
-+ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
-+ #ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+ #else
-+ #warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+ #endif
-+ , S_IRUSR | S_IWUSR);
- if (debug_mode)
- g_warning ("Lock file: %s", ptr);
-
---
-1.7.9.5
-
diff --git a/recipes-security/selinux/policycoreutils_2.7.bb b/recipes-security/selinux/policycoreutils_2.7.bb
index d407ac3..54ec69a 100644
--- a/recipes-security/selinux/policycoreutils_2.7.bb
+++ b/recipes-security/selinux/policycoreutils_2.7.bb
@@ -8,7 +8,6 @@ SRC_URI[sha256sum] = "0a1b8a4a323b854981c6755ff025fe98a0f1cff307f109abb260f0490f
SRC_URI += "\
file://policycoreutils-fix-sepolicy-install-path.patch \
- file://policycoreutils-make-O_CLOEXEC-optional.patch \
file://policycoreutils-loadpolicy-symlink.patch \
file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
file://policycoreutils-fix-TypeError-for-seobject.py.patch \
diff --git a/recipes-security/selinux/policycoreutils_git.bb b/recipes-security/selinux/policycoreutils_git.bb
index 1f72805..2057408 100644
--- a/recipes-security/selinux/policycoreutils_git.bb
+++ b/recipes-security/selinux/policycoreutils_git.bb
@@ -7,7 +7,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
SRC_URI += "\
file://policycoreutils-fix-sepolicy-install-path.patch \
- file://policycoreutils-make-O_CLOEXEC-optional.patch \
file://policycoreutils-loadpolicy-symlink.patch \
file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
file://policycoreutils-fix-TypeError-for-seobject.py.patch \
diff --git a/recipes-security/selinux/restorecond.inc b/recipes-security/selinux/restorecond.inc
new file mode 100644
index 0000000..6f12d23
--- /dev/null
+++ b/recipes-security/selinux/restorecond.inc
@@ -0,0 +1,28 @@
+SUMMARY = "Daemon to watch for file creation and set default file context"
+DESCRIPTION = "\
+The restorecond daemon uses inotify to watch files listed in the \
+/etc/selinux/restorecond.conf, when they are created, this daemon \
+will make sure they have the correct file context associated with \
+the policy."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+SRC_URI += "file://policycoreutils-make-O_CLOEXEC-optional.patch \
+"
+
+inherit systemd update-rc.d
+
+DEPENDS += "libsepol libselinux libpcre dbus-glib glib-2.0 pkgconfig-native"
+
+FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
+"
+
+do_install_prepend() {
+ export SYSTEMDDIR=${D}/${systemd_unitdir}
+}
+
+SYSTEMD_SERVICE_restorecond = "restorecond.service"
+INITSCRIPT_PACKAGES = "restorecond"
+INITSCRIPT_NAME_restorecond = "restorecond"
+INITSCRIPT_PARAMS_restorecond = "defaults"
diff --git a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
new file mode 100644
index 0000000..ab1a10a
--- /dev/null
+++ b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
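Review bot: Nothing in the new recipe marks a configuration file, yet DESCRIPTION says the daemon acts on whatever paths are listed in `/etc/selinux/restorecond.conf`, so a package upgrade can silently overwrite a locally edited watch list with the upstream default and change which files get relabelled. If the upstream Makefile installs that file (I cannot confirm from this hunk, nor whether a `restorecond_user.conf` is installed alongside it), mark it so the package manager preserves local edits: `CONFFILES_${PN} += "${sysconfdir}/selinux/restorecond.conf"`. On style, `DEPENDS += "... pkgconfig-native"` is what `inherit pkgconfig` already provides, and `${D}/${systemd_unitdir}` produces a doubled slash since `systemd_unitdir` is absolute; `${D}${systemd_unitdir}` is the usual form.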
@@ -0,0 +1,43 @@
+Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
+
+Various commits in the selinux tree in the current release added O_CLOEXEC
+to open() calls in an attempt to address file descriptor leaks as
+described:
+
+ http://danwalsh.livejournal.com/53603.html
+
+However O_CLOEXEC isn't available on all platforms, so make it a
+compile-time option and generate a warning when it is not available. The
+actual impact of leaking these file descriptors is minimal, though it does
+produce curious AVC Denied messages.
+
+Uptream-Status: Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
+
+Signed-off-by: Joe MacDonald
+Signed-off-by: Wenzong Fan
+---
+ user.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/user.c b/user.c
+index 2c28676..6235772 100644
+--- a/user.c
++++ b/user.c
+@@ -202,7 +202,13 @@ static int local_server() {
+ perror("asprintf");
+ return -1;
+ }
+- local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
++ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
++ #ifdef O_CLOEXEC
++ | O_CLOEXEC
++ #else
++ #warning O_CLOEXEC undefined on this platform, this may leak file descriptors
++ #endif
++ , S_IRUSR | S_IWUSR);
+ if (debug_mode)
+ g_warning ("Lock file: %s", ptr);
+
+--
+1.7.9.5
+
diff --git a/recipes-security/selinux/restorecond_2.7.bb b/recipes-security/selinux/restorecond_2.7.bb
new file mode 100644
index 0000000..1f9a70c
--- /dev/null
+++ b/recipes-security/selinux/restorecond_2.7.bb
@@ -0,0 +1,7 @@
+include selinux_20170804.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "46f8ad0a37f955ef148d4e19b8cc8b1f"
+SRC_URI[sha256sum] = "cb8e0a8d706cb2c1f105125f3514dffffefcbcfb49199183a7f91ab0bdf1f24d"
--
cgit v1.2.3-54-g00ecf
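Review bot: The `#else` branch of the rewritten `open()` call only emits a `#warning`, so a toolchain lacking `O_CLOEXEC` would still build restorecond with the lock-file descriptor left inheritable across `exec`, which is precisely the leak the patch description says the upstream `O_CLOEXEC` additions were meant to close. The patch's own status line, `Inappropriate [O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]`, says that fallback can never be needed on a supported target, so the cleaner fix is to drop the patch from `restorecond.inc` rather than relocate it; if it must stay, make the fallback fail the build instead of weakening the open: `#error O_CLOEXEC is required; the lock fd must not leak across exec`. The tag is also misspelled as `Uptream-Status:`, so tooling that scans patches for `Upstream-Status:` will not recognise it. The quoted inner hunk is a fragment of `local_server()`, whose body begins before and continues after these lines.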