From patchwork Mon Feb 3 13:29:48 2020
X-Patchwork-Submitter: Adam Duskett
X-Patchwork-Id: 1232771
From: Adam Duskett
To: buildroot@buildroot.org
Cc: Marcus Folkesson, Adam Duskett
Date: Mon, 3 Feb 2020 05:29:48 -0800
Message-Id: <20200203132951.1331252-2-aduskett@gmail.com>
In-Reply-To: <20200203132951.1331252-1-aduskett@gmail.com>
Subject: [Buildroot] [PATCH 2/5] package/refpolicy: bump version to 2.20190609

Other changes:
 - Depend on host-python3, as python2 support was removed.

Signed-off-by: Adam Duskett
--- package/refpolicy/refpolicy.hash | 2 +- package/refpolicy/refpolicy.mk | 13 ++++--------- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash index 856d8cb8a2..0c77b626cc 100644 --- a/package/refpolicy/refpolicy.hash +++ b/package/refpolicy/refpolicy.hash @@ -1,5 +1,5 @@ # From https://github.com/SELinuxProject/refpolicy/releases -sha256 ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843 refpolicy-2.20190201.tar.bz2 +sha256 67bd1213e9d014ada15512028bb7f35ef6610c2d209cc5117b8577474aa6147f refpolicy-2.20190609.tar.bz2 # Locally computed sha256 204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994 COPYING 
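Review bot: The new sha256 line for refpolicy-2.20190609.tar.bz2 stays under the "# From https://github.com/SELinuxProject/refpolicy/releases" comment, which tells the reader the digest was published upstream. If the value was computed from a local download instead, move it under "# Locally computed" so the provenance recorded in refpolicy.hash matches how the hash was actually obtained.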
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index 66bddd1aee..d13be18f73 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk @@ -4,9 +4,9 @@ # ################################################################################ -REFPOLICY_VERSION = 2.20190201 +REFPOLICY_VERSION = 2.20190609 REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2 -REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201 +REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190609 REFPOLICY_LICENSE = GPL-2.0 REFPOLICY_LICENSE_FILES = COPYING REFPOLICY_INSTALL_STAGING = YES 
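Review bot: REFPOLICY_SITE repeats the release number as RELEASE_2_20190609, so every bump has to touch two lines, and a mismatch would fetch a different tag than the one REFPOLICY_VERSION names. Deriving it, for example RELEASE_$(subst .,_,$(REFPOLICY_VERSION)), keeps the download URL and the tarball name checked in refpolicy.hash tied to one variable.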
@@ -14,18 +14,13 @@ REFPOLICY_DEPENDENCIES = \ host-m4 \ host-checkpolicy \ host-policycoreutils \ + host-python3 \ host-setools \ host-gawk -ifeq ($(BR2_PACKAGE_PYTHON3),y) -REFPOLICY_DEPENDENCIES += host-python3 -else -REFPOLICY_DEPENDENCIES += host-python -endif - # Cannot use multiple threads to build the reference policy REFPOLICY_MAKE = \ - PYTHON=$(HOST_DIR)/usr/bin/python \ + PYTHON=$(HOST_DIR)/usr/bin/python3 \ TEST_TOOLCHAIN=$(HOST_DIR) \ $(TARGET_MAKE_ENV) \ $(MAKE1)
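Review bot: In REFPOLICY_MAKE, the PYTHON= line is switched to python3 but still points into $(HOST_DIR)/usr/bin. If host tools in this tree are installed under $(HOST_DIR)/bin, use PYTHON=$(HOST_DIR)/bin/python3 so the policy build does not rely on a usr compatibility path to find the interpreter.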

From patchwork Mon Feb 3 13:29:49 2020
X-Patchwork-Submitter: Adam Duskett
X-Patchwork-Id: 1232772
From: Adam Duskett
To: buildroot@buildroot.org
Cc: Marcus Folkesson, Adam Duskett
Date: Mon, 3 Feb 2020 05:29:49 -0800
Message-Id: <20200203132951.1331252-3-aduskett@gmail.com>
In-Reply-To: <20200203132951.1331252-1-aduskett@gmail.com>
Subject: [Buildroot] [PATCH 3/5] Move refpolicy policy version selection to libsepol

Currently, a user sets a policy version via the refpolicy package. Having the
option here has a few disadvantages:

 - The Refpolicy package is not technically needed to use SELinux.
 - When building a modular policy, Refpolicy will ignore the version string
   and build the highest version possible which will cause libsemanage to
   possibly fail when loading the policy.

Specifying a manual policy version in /etc/selinux/semanage.conf forces
libsemanage to load a specific policy version, which fixes the above issue.
However, because refpolicy currently defines the policy version, libsemanage
does not have a way to determine the policy version, as refpolicy is not a
dependency of libsemanage.

To work around these limitations, move the policy version number selection to
libsepol, as a system using SELinux always requires this library.

Signed-off-by: Adam Duskett
--- Config.in.legacy | 6 ++++++ package/libsepol/Config.in | 7 +++++++ package/refpolicy/Config.in | 11 +++++++---- package/refpolicy/refpolicy.mk | 5 +++-- 4 files changed, 23 insertions(+), 6 deletions(-) diff --git a/Config.in.legacy b/Config.in.legacy index 4b84116e0c..3bddca9be0 100644 --- a/Config.in.legacy +++ b/Config.in.legacy 
@@ -146,6 +146,12 @@ endif comment "Legacy options removed in 2020.02" +config BR2_PACKAGE_REFPOLICY_POLICY_VERSION + bool "refpolicy version selection moved to libsepol" + select BR2_LEGACY + help + The policy version selection was moved to libsepol + config BR2_PACKAGE_CELT051 bool "celt051 package was removed" select BR2_LEGACY diff --git a/package/libsepol/Config.in b/package/libsepol/Config.in index cfa923e452..4453e298a6 100644 --- a/package/libsepol/Config.in +++ b/package/libsepol/Config.in @@ -7,5 +7,12 @@ config BR2_PACKAGE_LIBSEPOL http://selinuxproject.org/page/Main_Page +if BR2_PACKAGE_LIBSEPOL + +config BR2_PACKAGE_LIBSEPOL_POLICY_VERSION + string "Policy version" + default "30" +endif + comment "libsepol needs a toolchain w/ threads" depends on !BR2_TOOLCHAIN_HAS_THREADS diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in index d9cf6e6531..ecb662600d 100644 --- a/package/refpolicy/Config.in +++ b/package/refpolicy/Config.in @@ -1,6 +1,10 @@ config BR2_PACKAGE_REFPOLICY bool "refpolicy" + depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX + # Even though libsepol is not necessary for building, we get the policy + # version from libsepol + select BR2_PACKAGE_LIBSEPOL help The SELinux Reference Policy project (refpolicy) is a complete SELinux policy that can be used as the system @@ -24,10 +28,6 @@ config BR2_PACKAGE_REFPOLICY if BR2_PACKAGE_REFPOLICY -config BR2_PACKAGE_REFPOLICY_POLICY_VERSION - string "Policy version" - default "30" - choice prompt "SELinux default state" default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE @@ -55,3 +55,6 @@ config BR2_PACKAGE_REFPOLICY_POLICY_STATE default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED endif + +comment "refpolicy needs a toolchain w/ threads" + depends on !BR2_TOOLCHAIN_HAS_THREADS diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index d13be18f73..001519f8cd 100644 
--- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk @@ -16,7 +16,8 @@ REFPOLICY_DEPENDENCIES = \ host-policycoreutils \ host-python3 \ host-setools \ - host-gawk + host-gawk \ + libsepol # Cannot use multiple threads to build the reference policy REFPOLICY_MAKE = \ 
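Review bot: Adding libsepol to REFPOLICY_DEPENDENCIES contradicts the comment this patch adds in package/refpolicy/Config.in, which says libsepol is not necessary for building and is selected only to provide the policy version. If only BR2_PACKAGE_LIBSEPOL_POLICY_VERSION is needed, the select is enough and this build-order dependency can be dropped; if the target library really is required at build time, the Config.in comment should say so instead.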
@@ -26,7 +27,7 @@ REFPOLICY_MAKE = \ $(MAKE1) REFPOLICY_POLICY_VERSION = \ - $(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_VERSION)) + $(call qstrip,$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION)) REFPOLICY_POLICY_STATE = \ $(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
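Review bot: In the Config.in.legacy hunk, BR2_PACKAGE_REFPOLICY_POLICY_VERSION is re-declared as a bool, but the option removed from package/refpolicy/Config.in is a string with default "30". An old .config carries it as a string value, so a bool symbol with "select BR2_LEGACY" is not set by it and the legacy warning does not fire. Keep the legacy symbol a string and add a separate bool wrapper symbol that defaults to y when the old string is set and does the "select BR2_LEGACY". The help text should also name BR2_PACKAGE_LIBSEPOL_POLICY_VERSION as the replacement so users know where to carry their value over.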

From patchwork Mon Feb 3 13:29:50 2020
X-Patchwork-Submitter: Adam Duskett
X-Patchwork-Id: 1232770
From: Adam Duskett
To: buildroot@buildroot.org
Cc: Marcus Folkesson, Adam Duskett
Date: Mon, 3 Feb 2020 05:29:50 -0800
Message-Id: <20200203132951.1331252-4-aduskett@gmail.com>
In-Reply-To: <20200203132951.1331252-1-aduskett@gmail.com>
Subject: [Buildroot] [PATCH 4/5] package/libsepol: change policy version to an int

The policy version has to be a number, as such, set the type to int.

Signed-off-by: Adam Duskett
--- package/libsepol/Config.in | 4 ++-- package/refpolicy/refpolicy.mk | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/package/libsepol/Config.in b/package/libsepol/Config.in index 4453e298a6..aac31c21b8 100644 --- a/package/libsepol/Config.in +++ b/package/libsepol/Config.in 
@@ -10,8 +10,8 @@ config BR2_PACKAGE_LIBSEPOL if BR2_PACKAGE_LIBSEPOL config BR2_PACKAGE_LIBSEPOL_POLICY_VERSION - string "Policy version" - default "30" + int "Policy version" + default 30 endif comment "libsepol needs a toolchain w/ threads" diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index 001519f8cd..05c1bf270d 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk 
@@ -26,8 +26,7 @@ REFPOLICY_MAKE = \ $(TARGET_MAKE_ENV) \ $(MAKE1) -REFPOLICY_POLICY_VERSION = \ - $(call qstrip,$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION)) +REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) REFPOLICY_POLICY_STATE = \ $(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
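Review bot: In package/libsepol/Config.in, BR2_PACKAGE_LIBSEPOL_POLICY_VERSION changes from string to int one patch after 3/5 introduced it as a string, so the series carries an intermediate commit with the quoted default and a qstrip call that is removed again here. Introduce the option as int in 3/5 and drop this patch. The int also has no range line, so any number is accepted; bounding it to the versions the series itself lists (25 to 31) would catch a mistyped value at configuration time rather than when the policy fails to load.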

From patchwork Mon Feb 3 13:29:51 2020
X-Patchwork-Submitter: Adam Duskett
X-Patchwork-Id: 1232773
From: Adam Duskett
To: buildroot@buildroot.org
Cc: Marcus Folkesson, Adam Duskett
Date: Mon, 3 Feb 2020 05:29:51 -0800
Message-Id: <20200203132951.1331252-5-aduskett@gmail.com>
In-Reply-To: <20200203132951.1331252-1-aduskett@gmail.com>
Subject: [Buildroot] [PATCH 5/5] package/libsepol: set default policy version

If a policy is built that is newer than the kernel can support, libsepol will
fail to load that policy. Indeed, a user can manually select the policy version
in the config as-is. However, it is not a friendly solution.

The best solution available is to set a default policy version based off of
the toolchain header kernel version. While a user may have a toolchain that has
older kernel headers than the built kernel, it is still better than setting the
default to the maximum available version that SELinux can support.

The default policy versions are as follows for the given toolchain headers:

  31 >= 4.13
  30 >= 4.3
  29 >= 3.14
  28 >= 3.5
  26 >= 2.6
  default 25

Note: Version 27 was never released.

Signed-off-by: Adam Duskett
--- package/libsepol/Config.in | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/package/libsepol/Config.in b/package/libsepol/Config.in index aac31c21b8..4e2a145011 100644 --- a/package/libsepol/Config.in +++ b/package/libsepol/Config.in 
@@ -11,7 +11,24 @@ if BR2_PACKAGE_LIBSEPOL config BR2_PACKAGE_LIBSEPOL_POLICY_VERSION int "Policy version" - default 30 + default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13 + default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3 + default 29 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_14 + default 28 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_5 + default 26 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6 + default 25 + help + The maximum SELinux policy version your kernel supports. + + Here's a handy table to help you choose: + kernel version SElinux policy max version + <= 2.6.x 25 + > 2.6 <= 3.5 26 + > 3.5 <= 3.14 28 (27 and 28 were added at the same time) + > 3.14 <= 4.3 29 + > 4.3 <= 4.13 30 + > 4.13 <= 5.5 31 + endif comment "libsepol needs a toolchain w/ threads"
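Review bot: The help table disagrees with the default lines above it at every boundary version. "default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13" gives 31 to 4.13 headers, while the table row "> 4.3 <= 4.13 30" gives that kernel 30, and the same off-by-one appears at 4.3, 3.14 and 3.5. Write the rows with ">=" lower bounds as the commit message does, so a user who overrides the default by reading the table does not pick a version that differs from what the defaults would choose. The table note "27 and 28 were added at the same time" also conflicts with the commit message's "Version 27 was never released"; keep one statement. Finally, confirm that BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6 is a defined symbol in this tree, since an undefined Kconfig symbol evaluates to n and the "default 26" line would then never apply.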