Message ID | 20230425171454.48802-14-aduskett@gmail.com |
---|---|
State | Accepted |
Series | Selinux: bump to 3.5 |
Adam, All, On 2023-04-25 10:14 -0700, Adam Duskett spake thusly: > Add an upstream patch in package/refpolicy/2.20221101 that makes dbus optional > for the mount interface. The patch must go in the 2.20221101 directory or else > the build system will automatically attempt to apply the patch to a custom git > version of refpolicy if chosen. > > Signed-off-by: Adam Duskett <aduskett@gmail.com> > --- > Changes v1 -> v2: > - Added 2.20221101/0001-mount-dbus-interface-must-be-optional.patch > > ...ount-dbus-interface-must-be-optional.patch | 33 +++++++++++++++++++ > package/refpolicy/refpolicy.hash | 2 +- > package/refpolicy/refpolicy.mk | 2 +- > 3 files changed, 35 insertions(+), 2 deletions(-) > create mode 100644 package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch > > diff --git a/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch b/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch > new file mode 100644 > index 0000000000..dec0af828f > --- /dev/null > +++ b/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch 
> @@ -0,0 +1,33 @@ > +From 6c6be65ccf0891391681d4662cc11f508c0f4aeb Mon Sep 17 00:00:00 2001 > +From: Adam Duskett <aduskett@gmail.com> > +Date: Mon, 24 Apr 2023 14:24:49 -0700 > +Subject: [PATCH] mount: dbus interface must be optional > + > +If DBus isn't built, the build process fails due to mount.te always using a > +dbus interface even if the dbus module. Fix this by setting the dbus interface > +as optional. > + > +Signed-off-by: Adam Duskett <aduskett@gmail.com> > +Upstream-status: accepted. 207b09a656c2c3ac5c286d3f7eef085325e35408 The proper format for an Upstream: tag is just "Upstream:" (but that is a very recent change. so I just fixed it). We also prefer to have an URL to the upstream commit, so I changed that too. Applied to master, thanks. Regards, Yann E. MORIN. > +--- > + policy/modules/system/mount.te | 4 +++- > + 1 file changed, 3 insertions(+), 1 deletion(-) > + > +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te > +index d028723..af84af0 100644 > +--- a/policy/modules/system/mount.te > ++++ b/policy/modules/system/mount.te > +@@ -145,7 +145,9 @@ selinux_getattr_fs(mount_t) > + > + userdom_use_all_users_fds(mount_t) > + > +-dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t) > ++optional_policy(` > ++ dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t) > ++') > + > + ifdef(`distro_redhat',` > + optional_policy(` > +-- > +2.40.0 > + > diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash > index b08c22ed4e..a09e59c270 100644 > --- a/package/refpolicy/refpolicy.hash > +++ b/package/refpolicy/refpolicy.hash 
> @@ -1,5 +1,5 @@ > # From https://github.com/SELinuxProject/refpolicy/releases > -sha256 965f98f0b68a24fd0b8e8d973d319332aea88973e1d6c455ef9c2a31aefaeaa6 refpolicy-2.20220106.tar.bz2 > +sha256 44f88e62c8efcef54d019b9ca077520d5993de580926bd7575788cfa78515396 refpolicy-2.20221101.tar.bz2 > > # Locally computed > sha256 204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994 COPYING > diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk > index f11b72755a..8fea7cc254 100644 > --- a/package/refpolicy/refpolicy.mk > +++ b/package/refpolicy/refpolicy.mk > @@ -23,7 +23,7 @@ REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL)) > REFPOLICY_SITE_METHOD = git > BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE) > else > -REFPOLICY_VERSION = 2.20220106 > +REFPOLICY_VERSION = 2.20221101 > REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2 > REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION)) > endif > -- > 2.40.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
diff --git a/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch b/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch new file mode 100644 index 0000000000..dec0af828f --- /dev/null +++ b/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch @@ -0,0 +1,33 @@ +From 6c6be65ccf0891391681d4662cc11f508c0f4aeb Mon Sep 17 00:00:00 2001 +From: Adam Duskett <aduskett@gmail.com> +Date: Mon, 24 Apr 2023 14:24:49 -0700 +Subject: [PATCH] mount: dbus interface must be optional + +If DBus isn't built, the build process fails due to mount.te always using a +dbus interface even if the dbus module. Fix this by setting the dbus interface +as optional. + +Signed-off-by: Adam Duskett <aduskett@gmail.com> +Upstream-status: accepted. 207b09a656c2c3ac5c286d3f7eef085325e35408 +--- + policy/modules/system/mount.te | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te +index d028723..af84af0 100644 +--- a/policy/modules/system/mount.te ++++ b/policy/modules/system/mount.te +@@ -145,7 +145,9 @@ selinux_getattr_fs(mount_t) + + userdom_use_all_users_fds(mount_t) + +-dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t) ++optional_policy(` ++ dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t) ++') + + ifdef(`distro_redhat',` + optional_policy(` +-- +2.40.0 + diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash index b08c22ed4e..a09e59c270 100644 --- a/package/refpolicy/refpolicy.hash +++ b/package/refpolicy/refpolicy.hash 
@@ -1,5 +1,5 @@ # From https://github.com/SELinuxProject/refpolicy/releases -sha256 965f98f0b68a24fd0b8e8d973d319332aea88973e1d6c455ef9c2a31aefaeaa6 refpolicy-2.20220106.tar.bz2 +sha256 44f88e62c8efcef54d019b9ca077520d5993de580926bd7575788cfa78515396 refpolicy-2.20221101.tar.bz2 # Locally computed sha256 204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994 COPYING diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index f11b72755a..8fea7cc254 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk @@ -23,7 +23,7 @@ REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL)) REFPOLICY_SITE_METHOD = git BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE) else -REFPOLICY_VERSION = 2.20220106 +REFPOLICY_VERSION = 2.20221101 REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2 REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION)) endif
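Review bot: In the commit message carried inside the new 0001-mount-dbus-interface-must-be-optional.patch, the sentence "mount.te always using a dbus interface even if the dbus module." breaks off before its verb, so the failing condition is never stated. Suggest completing it to say the dbus module is not built, in line with the opening "If DBus isn't built", since this description is what a later maintainer reads when deciding whether the patch can be dropped.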
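Review bot: In the refpolicy.mk hunk, REFPOLICY_VERSION = 2.20221101 now has to stay in step with the name of the new patch directory package/refpolicy/2.20221101, and nothing in the file records that coupling. Suggest a one-line comment above REFPOLICY_VERSION saying that the versioned patch directory must be renamed, or its patch dropped, on the next bump, so the optional_policy fix for mount.te does not stop being applied unnoticed.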
Add an upstream patch in package/refpolicy/2.20221101 that makes dbus optional for the mount interface. The patch must go in the 2.20221101 directory or else the build system will automatically attempt to apply the patch to a custom git version of refpolicy if chosen. Signed-off-by: Adam Duskett <aduskett@gmail.com> --- Changes v1 -> v2: - Added 2.20221101/0001-mount-dbus-interface-must-be-optional.patch ...ount-dbus-interface-must-be-optional.patch | 33 +++++++++++++++++++ package/refpolicy/refpolicy.hash | 2 +- package/refpolicy/refpolicy.mk | 2 +- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch