Message ID | 20250328142811.4096141-1-dominick.grift@defensec.nl |
---|---|
State | New |
Series | [1/6] libsepol: update to version 3.8.1 | expand |
Hi Dominick, On Fri, Mar 28, 2025 at 03:28:06PM +0100, Dominick Grift wrote: > ... > diff --git a/package/libs/libsepol/Makefile b/package/libs/libsepol/Makefile > index b1a34d293e..e9072d01ea 100644 > --- a/package/libs/libsepol/Makefile > +++ b/package/libs/libsepol/Makefile 
> @@ -6,12 +6,12 @@ > include $(TOPDIR)/rules.mk > > PKG_NAME:=libsepol > -PKG_VERSION:=3.5 > +PKG_VERSION:=3.8.1 > PKG_RELEASE:=1 > > PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz > PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION) > -PKG_HASH:=78fdaf69924db780bac78546e43d9c44074bad798c2c415d0b9bb96d065ee8a2 > +PKG_HASH:=0e78705305f955abd4c0654d37a5477ee26349ab74db9e2b03a7868897ae1ddf somehow this fails to build for me on Arch Linux (gcc (GCC) 14.2.1 20250207) make[2]: Entering directory '/usr/src/openwrt/package/libs/libsepol' . /usr/src/openwrt/include/shell.sh; /usr/src/openwrt/staging_dir/host/bin/libdeflate-gzip -dc /usr/src/openwrt/dl/libsepol-3.8.1.tar.gz | tar -C /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.. -xf - [ ! -d ./src/ ] || cp -fpR ./src/* /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1 touch /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.prepared373c40fbd50048c5dd856777f1d054e4_6664517399ebbbc92a37c5bb081b5c53 (cd /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/; if [ -x configure ]; then cp -fpR /usr/src/openwrt/scripts/config.{guess,sub} /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1// && CC="ccache /usr/src/openwrt/staging_dir/host/bin/gcc" CFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" CXX="ccache /usr/src/openwrt/staging_dir/host/bin/g++" CPPFLAGS="-I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" CXXFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" LDFLAGS="-L/usr/src/openwrt/staging_dir/host/lib -L/usr/src/openwrt/staging_dir/hostpkg/lib -L/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/lib" 
CONFIG_SHELL="/usr/bin/env bash" bash ./configure --target=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-dependency-tracking --program-prefix="" --program-suffix="" --prefix=/usr/src/openwrt/staging_dir/hostpkg --exec-prefix=/usr/src/openwrt/staging_dir/hostpkg --sysconfdir=/usr/src/openwrt/staging_dir/hostpkg/etc --localstatedir=/usr/src/openwrt/staging_dir/hostpkg/var --sbindir=/usr/src/openwrt/staging_dir/hostpkg/bin ; fi ) touch /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.configured CFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" CPPFLAGS="-I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" CXXFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" LDFLAGS="-L/usr/src/openwrt/staging_dir/host/lib -L/usr/src/openwrt/staging_dir/hostpkg/lib -L/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/lib" make -j1 -C /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/. PREFIX=/usr/src/openwrt/staging_dir/hostpkg SHLIBDIR=/usr/src/openwrt/staging_dir/hostpkg/lib make[3]: Entering directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1' make -C src make[4]: Entering directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/src' cc -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include -O2 -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include -I. 
-I../include -D_GNU_SOURCE -I../cil/include -DHAVE_REALLOCARRAY -fPIC -c -o assertion.o assertion.c In file included from assertion.c:23: /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/conditional.h:57:18: error: two or more data types in declaration specifiers 57 | uint32_t bool; | ^~~~ In file included from /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/expand.h:30, from assertion.c:26: /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/conditional.h:57:22: warning: declaration does not declare anything 57 | uint32_t bool; | ^ assertion.c: In function 'report_failure': assertion.c:48:44: warning: passing argument 1 of 'sepol_av_to_string' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers] 48 | char *permstr = sepol_av_to_string(p, curperm->tclass, perms); | ^ In file included from assertion.c:27: /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/util.h:34:46: note: expected 'policydb_t *' {aka 'struct policydb *'} but argument is of type 'const policydb_t *' {aka 'const struct policydb *'} 34 | extern char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass, | ~~~~~~~~~~~~~^~~~~~~~~ assertion.c: In function 'check_extended_permissions': assertion.c:110:46: error: 'AVRULE_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVRULE_XPERMS_ALLOWED'? 110 | } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG) | ^~~~~~~~~~~~~~~~~~~ | AVRULE_XPERMS_ALLOWED assertion.c:110:46: note: each undeclared identifier is reported only once for each function it appears in assertion.c:111:49: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'? 111 | && (allow->specified == AVTAB_XPERMS_NLMSG)) { | ^~~~~~~~~~~~~~~~~~ | AVTAB_XPERMS_ALLOWED assertion.c: In function 'extended_permissions_violated': assertion.c:146:46: error: 'AVRULE_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVRULE_XPERMS_ALLOWED'? 
146 | } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG) | ^~~~~~~~~~~~~~~~~~~ | AVRULE_XPERMS_ALLOWED assertion.c:147:49: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'? 147 | && (allow->specified == AVTAB_XPERMS_NLMSG)) { | ^~~~~~~~~~~~~~~~~~ | AVTAB_XPERMS_ALLOWED assertion.c: In function 'report_assertion_extended_permissions': assertion.c:193:74: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'? 193 | && (xperms->specified != AVTAB_XPERMS_NLMSG)) | ^~~~~~~~~~~~~~~~~~ | AVTAB_XPERMS_ALLOWED assertion.c: In function 'report_assertion_avtab_matches': assertion.c:344:57: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'? 344 | const bool is_narule_notself = (narule->flags & RULE_NOTSELF) != 0; | ^~~~~~~~~~~~ | RULE_SELF assertion.c: In function 'check_assertion_extended_permissions_avtab': assertion.c:487:74: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'? 487 | && (xperms->specified != AVTAB_XPERMS_NLMSG)) | ^~~~~~~~~~~~~~~~~~ | AVTAB_XPERMS_ALLOWED assertion.c: In function 'check_assertion_extended_permissions': assertion.c:587:57: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'? 587 | const bool is_narule_notself = (narule->flags & RULE_NOTSELF) != 0; | ^~~~~~~~~~~~ | RULE_SELF assertion.c: In function 'check_assertion_avtab_match': assertion.c:757:29: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'? 
757 | if (narule->flags & RULE_NOTSELF) { | ^~~~~~~~~~~~ | RULE_SELF assertion.c: At top level: assertion.c:794:5: error: conflicting types for 'check_assertion'; have 'int(policydb_t *, const avrule_t *)' {aka 'int(struct policydb *, const struct avrule *)'} 794 | int check_assertion(policydb_t *p, const avrule_t *narule) | ^~~~~~~~~~~~~~~ In file included from assertion.c:25: /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/policydb.h:699:12: note: previous declaration of 'check_assertion' with type 'int(policydb_t *, avrule_t *)' {aka 'int(struct policydb *, struct avrule *)'} 699 | extern int check_assertion(policydb_t *p, avrule_t *avrule); | ^~~~~~~~~~~~~~~ assertion.c:815:5: error: conflicting types for 'check_assertions'; have 'int(sepol_handle_t *, policydb_t *, const avrule_t *)' {aka 'int(struct sepol_handle *, struct policydb *, const struct avrule *)'} 815 | int check_assertions(sepol_handle_t * handle, policydb_t * p, | ^~~~~~~~~~~~~~~~ /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/policydb.h:700:12: note: previous declaration of 'check_assertions' with type 'int(sepol_handle_t *, policydb_t *, avrule_t *)' {aka 'int(struct sepol_handle *, struct policydb *, struct avrule *)'} 700 | extern int check_assertions(sepol_handle_t * handle, | ^~~~~~~~~~~~~~~~ make[4]: *** [Makefile:82: assertion.o] Error 1 make[4]: Leaving directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/src' make[3]: *** [Makefile:6: all] Error 2 make[3]: Leaving directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1' make[2]: *** [Makefile:86: /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.built] Error 2 make[2]: Leaving directory '/usr/src/openwrt/package/libs/libsepol' time: package/libs/libsepol/host-compile#0.28#0.14#0.40 ERROR: package/libs/libsepol [host] failed to build.
Daniel Golle <daniel@makrotopia.org> writes: > Hi Dominick, Hi, I had that too. Use a clean tree. Worked for me. root@OpenWrt:~# for i in sepol libselinux; do apk info $i ; done WARNING: opening from cache https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/packages/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/luci/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/routing/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/telephony/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/video/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/packages/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/luci/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/routing/packages.adb: No such file or directory WARNING: opening from cache 
https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/telephony/packages.adb: No such file or directory WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/video/packages.adb: No such file or directory libselinux-3.8.1-r1 description: libselinux is the runtime SELinux library that provides interfaces (e.g. library functions for the SELinux kernel APIs like getcon(), other support functions like getseuserbyname()) to SELinux-aware applications. libselinux may use the shared libsepol to manipulate the binary policy if necessary (e.g. to downgrade the policy format to an older version supported by the kernel) when loading policy. libselinux-3.8.1-r1 webpage: http://selinuxproject.org/page/Main_Page libselinux-3.8.1-r1 installed size: 200 KiB root@OpenWrt:~# > > On Fri, Mar 28, 2025 at 03:28:06PM +0100, Dominick Grift wrote: >> ... >> diff --git a/package/libs/libsepol/Makefile b/package/libs/libsepol/Makefile >> index b1a34d293e..e9072d01ea 100644 >> --- a/package/libs/libsepol/Makefile >> +++ b/package/libs/libsepol/Makefile 
>> @@ -6,12 +6,12 @@ >> include $(TOPDIR)/rules.mk >> >> PKG_NAME:=libsepol >> -PKG_VERSION:=3.5 >> +PKG_VERSION:=3.8.1 >> PKG_RELEASE:=1 >> >> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz >> PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION) >> -PKG_HASH:=78fdaf69924db780bac78546e43d9c44074bad798c2c415d0b9bb96d065ee8a2 >> +PKG_HASH:=0e78705305f955abd4c0654d37a5477ee26349ab74db9e2b03a7868897ae1ddf > > somehow this fails to build for me on Arch Linux (gcc (GCC) 14.2.1 20250207) > > make[2]: Entering directory '/usr/src/openwrt/package/libs/libsepol' > . /usr/src/openwrt/include/shell.sh; > /usr/src/openwrt/staging_dir/host/bin/libdeflate-gzip -dc > /usr/src/openwrt/dl/libsepol-3.8.1.tar.gz | tar -C > /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.. -xf - > [ ! -d ./src/ ] || cp -fpR ./src/* /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1 > touch > /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.prepared373c40fbd50048c5dd856777f1d054e4_6664517399ebbbc92a37c5bb081b5c53 > (cd /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/; if [ -x > configure ]; then cp -fpR /usr/src/openwrt/scripts/config.{guess,sub} > /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1// && CC="ccache > /usr/src/openwrt/staging_dir/host/bin/gcc" CFLAGS="-O2 > -I/usr/src/openwrt/staging_dir/host/include > -I/usr/src/openwrt/staging_dir/hostpkg/include > -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" > CXX="ccache /usr/src/openwrt/staging_dir/host/bin/g++" > CPPFLAGS="-I/usr/src/openwrt/staging_dir/host/include > -I/usr/src/openwrt/staging_dir/hostpkg/include > -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" > CXXFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include > -I/usr/src/openwrt/staging_dir/hostpkg/include > -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" > LDFLAGS="-L/usr/src/openwrt/staging_dir/host/lib > -L/usr/src/openwrt/staging_dir/hostpkg/lib > 
-L/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/lib" > CONFIG_SHELL="/usr/bin/env bash" bash ./configure > --target=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu > --build=x86_64-pc-linux-gnu --disable-dependency-tracking > --program-prefix="" --program-suffix="" > --prefix=/usr/src/openwrt/staging_dir/hostpkg > --exec-prefix=/usr/src/openwrt/staging_dir/hostpkg > --sysconfdir=/usr/src/openwrt/staging_dir/hostpkg/etc > --localstatedir=/usr/src/openwrt/staging_dir/hostpkg/var > --sbindir=/usr/src/openwrt/staging_dir/hostpkg/bin ; fi ) > touch /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.configured > CFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include > -I/usr/src/openwrt/staging_dir/hostpkg/include > -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" > CPPFLAGS="-I/usr/src/openwrt/staging_dir/host/include > -I/usr/src/openwrt/staging_dir/hostpkg/include > -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" > CXXFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include > -I/usr/src/openwrt/staging_dir/hostpkg/include > -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" > LDFLAGS="-L/usr/src/openwrt/staging_dir/host/lib > -L/usr/src/openwrt/staging_dir/hostpkg/lib > -L/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/lib" > make -j1 -C > /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/. 
PREFIX=/usr/src/openwrt/staging_dir/hostpkg > SHLIBDIR=/usr/src/openwrt/staging_dir/hostpkg/lib > make[3]: Entering directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1' > make -C src > make[4]: Entering directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/src' > cc -I/usr/src/openwrt/staging_dir/host/include > -I/usr/src/openwrt/staging_dir/hostpkg/include > -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include > -O2 -I/usr/src/openwrt/staging_dir/host/include > -I/usr/src/openwrt/staging_dir/hostpkg/include > -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include > -I. -I../include -D_GNU_SOURCE -I../cil/include -DHAVE_REALLOCARRAY > -fPIC -c -o assertion.o assertion.c > In file included from assertion.c:23: > /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/conditional.h:57:18: > error: two or more data types in declaration specifiers > 57 | uint32_t bool; > | ^~~~ > In file included from /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/expand.h:30, > from assertion.c:26: > /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/conditional.h:57:22: warning: declaration does not declare anything > 57 | uint32_t bool; > | ^ > assertion.c: In function 'report_failure': > assertion.c:48:44: warning: passing argument 1 of 'sepol_av_to_string' > discards 'const' qualifier from pointer target type > [-Wdiscarded-qualifiers] > 48 | char *permstr = sepol_av_to_string(p, curperm->tclass, perms); > | ^ > In file included from assertion.c:27: > /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/util.h:34:46: > note: expected 'policydb_t *' {aka 'struct policydb *'} but argument > is of type 'const policydb_t *' {aka 'const struct policydb *'} > 34 | extern char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass, > | ~~~~~~~~~~~~~^~~~~~~~~ > assertion.c: In function 'check_extended_permissions': > assertion.c:110:46: error: 'AVRULE_XPERMS_NLMSG' undeclared (first use > in 
this function); did you mean 'AVRULE_XPERMS_ALLOWED'? > 110 | } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG) > | ^~~~~~~~~~~~~~~~~~~ > | AVRULE_XPERMS_ALLOWED > assertion.c:110:46: note: each undeclared identifier is reported only once for each function it appears in > assertion.c:111:49: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'? > 111 | && (allow->specified == AVTAB_XPERMS_NLMSG)) { > | ^~~~~~~~~~~~~~~~~~ > | AVTAB_XPERMS_ALLOWED > assertion.c: In function 'extended_permissions_violated': > assertion.c:146:46: error: 'AVRULE_XPERMS_NLMSG' undeclared (first use > in this function); did you mean 'AVRULE_XPERMS_ALLOWED'? > 146 | } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG) > | ^~~~~~~~~~~~~~~~~~~ > | AVRULE_XPERMS_ALLOWED > assertion.c:147:49: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'? > 147 | && (allow->specified == AVTAB_XPERMS_NLMSG)) { > | ^~~~~~~~~~~~~~~~~~ > | AVTAB_XPERMS_ALLOWED > assertion.c: In function 'report_assertion_extended_permissions': > assertion.c:193:74: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'? > 193 | && (xperms->specified != AVTAB_XPERMS_NLMSG)) > | ^~~~~~~~~~~~~~~~~~ > | AVTAB_XPERMS_ALLOWED > assertion.c: In function 'report_assertion_avtab_matches': > assertion.c:344:57: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'? > 344 | const bool is_narule_notself = (narule->flags & RULE_NOTSELF) != 0; > | ^~~~~~~~~~~~ > | RULE_SELF > assertion.c: In function 'check_assertion_extended_permissions_avtab': > assertion.c:487:74: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'? 
> 487 | && (xperms->specified != AVTAB_XPERMS_NLMSG)) > | ^~~~~~~~~~~~~~~~~~ > | AVTAB_XPERMS_ALLOWED > assertion.c: In function 'check_assertion_extended_permissions': > assertion.c:587:57: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'? > 587 | const bool is_narule_notself = (narule->flags & RULE_NOTSELF) != 0; > | ^~~~~~~~~~~~ > | RULE_SELF > assertion.c: In function 'check_assertion_avtab_match': > assertion.c:757:29: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'? > 757 | if (narule->flags & RULE_NOTSELF) { > | ^~~~~~~~~~~~ > | RULE_SELF > assertion.c: At top level: > assertion.c:794:5: error: conflicting types for 'check_assertion'; > have 'int(policydb_t *, const avrule_t *)' {aka 'int(struct policydb > *, const struct avrule *)'} > 794 | int check_assertion(policydb_t *p, const avrule_t *narule) > | ^~~~~~~~~~~~~~~ > In file included from assertion.c:25: > /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/policydb.h:699:12: > note: previous declaration of 'check_assertion' with type > 'int(policydb_t *, avrule_t *)' {aka 'int(struct policydb *, struct > avrule *)'} > 699 | extern int check_assertion(policydb_t *p, avrule_t *avrule); > | ^~~~~~~~~~~~~~~ > assertion.c:815:5: error: conflicting types for 'check_assertions'; > have 'int(sepol_handle_t *, policydb_t *, const avrule_t *)' {aka > 'int(struct sepol_handle *, struct policydb *, const struct avrule > *)'} > 815 | int check_assertions(sepol_handle_t * handle, policydb_t * p, > | ^~~~~~~~~~~~~~~~ > /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/policydb.h:700:12: > note: previous declaration of 'check_assertions' with type > 'int(sepol_handle_t *, policydb_t *, avrule_t *)' {aka 'int(struct > sepol_handle *, struct policydb *, struct avrule *)'} > 700 | extern int check_assertions(sepol_handle_t * handle, > | ^~~~~~~~~~~~~~~~ > make[4]: *** [Makefile:82: assertion.o] Error 1 > make[4]: Leaving 
directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/src' > make[3]: *** [Makefile:6: all] Error 2 > make[3]: Leaving directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1' > make[2]: *** [Makefile:86: /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.built] Error 2 > make[2]: Leaving directory '/usr/src/openwrt/package/libs/libsepol' > time: package/libs/libsepol/host-compile#0.28#0.14#0.40 > ERROR: package/libs/libsepol [host] failed to build. >
On Fri, Mar 28, 2025 at 05:34:14PM +0100, Dominick Grift wrote: > Daniel Golle <daniel@makrotopia.org> writes: > > > Hi Dominick, > > Hi, I had that too. Use a clean tree. Worked for me. So maybe this is a hidden dependency which should be expressed in libsepol's Makefile...
Daniel Golle <daniel@makrotopia.org> writes: > On Fri, Mar 28, 2025 at 05:34:14PM +0100, Dominick Grift wrote: >> Daniel Golle <daniel@makrotopia.org> writes: >> >> > Hi Dominick, >> >> Hi, I had that too. Use a clean tree. Worked for me. > > So maybe this is a hidden dependency which should be expressed in > libsepol's Makefile... I asked on IRC: <bigon> bigon@eriador:~$ apt-cache showsrc libsepol|grep Dep [18:04] <bigon> Build-Depends: debhelper-compat (= 13), file, flex <bigon> (that's debian) I don't think any of those two were updated recently? > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Daniel Golle <daniel@makrotopia.org> writes: > On Fri, Mar 28, 2025 at 05:34:14PM +0100, Dominick Grift wrote: >> Daniel Golle <daniel@makrotopia.org> writes: >> >> > Hi Dominick, >> >> Hi, I had that too. Use a clean tree. Worked for me. > > So maybe this is a hidden dependency which should be expressed in > libsepol's Makefile... I honestly don't know, but I can speculate. It might have to do with how OpenWrt deals with flex: I stumbled upon this: https://github.com/openwrt/openwrt/blob/main/scripts/config/README#L22 I am not sure if it is applicable but seems that aside from the kernel only libsepol depends on flex? In either case running the following seems to work: make dirclean make -j$(nproc) defconfig download clean world Maybe even `make config-clean` is enough to make it deal with the possible flex issue? I suppose for some reason `make targetclean` might mess it up? > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
diff --git a/package/libs/libsepol/Makefile b/package/libs/libsepol/Makefile
index b1a34d293e..e9072d01ea 100644
--- a/package/libs/libsepol/Makefile
+++ b/package/libs/libsepol/Makefile
@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=libsepol
-PKG_VERSION:=3.5
+PKG_VERSION:=3.8.1
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION)
-PKG_HASH:=78fdaf69924db780bac78546e43d9c44074bad798c2c415d0b9bb96d065ee8a2
+PKG_HASH:=0e78705305f955abd4c0654d37a5477ee26349ab74db9e2b03a7868897ae1ddf
 PKG_MAINTAINER:=Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 PKG_CPE_ID:=cpe:/a:selinuxproject:libsepol
Changes since version 3.5 8e9157bb Update VERSIONs to 3.8.1 for release. 71aec30d Update VERSIONs to 3.8 for release. 9833f0d2 Update VERSIONs to 3.8-rc4 for release. 8bbb51c9 libsepol: fix typos 4dd442f9 libsepol/cil: free nlmsg hashtable on error e0f61d3b Update VERSIONs to 3.8-rc3 for release. b234b710 libsepol: add missing word separators in error message adf2e609 Update VERSIONs to 3.8-rc2 for release. c28d9203 libsepol: avoid unnecessary memset(3) calls in hashtab d49a3ecb libsepol: harden availability check against user CFLAGS 2dec1581 Update VERSIONs to 3.8-rc1 for release. 77da320e libsepol/tests: add cond xperm neverallow tests c8f9dff3 libsepol: indent printed allow rule on assertion failure 1fd41f48 libsepol/cil: add support for xperms in conditional policies 438b16d1 libsepol: add support for xperms in conditional policies 18eb531b libsepol: misc assertion cleanup be11f48b libsepol: Remove special handling of roles in module_to_cil.c 7492632a libsepol/cil: Optionally allow duplicate role declarations b33da68f libsepol: Support nlmsg xperms in assertions cd8302f0 libsepol: Initialize "strs" on declaration 00fb52ce libsepol/cil/cil_post: Initialize tmp on declaration 575d1cfa libsepol/mls: Do not destroy context on memory error 0dac9813 libsepol/cil: Initialize avtab_datum on declaration 9c7c6e15 libsepol: Add policy capability netlink_xperm ba7945a2 libsepol: Support nlmsg extended permissions 0190a658 libsepol/cil: Allow dotted names in aliasactual rules 6b5626fd libsepol/cil: Check that sym_index is within bounds 1f080ffd libsepol/sepol_compute_sid: Do not destroy uninitialized context 2eb286bc Release 3.7 589e2dba libsepol: check scope permissions refer to valid class 1efc1214 libsepol: Do not reject all type rules in conditionals when validating e6c99f34 Update VERSIONs to 3.7-rc3 for release. 
c9ed9ea6 libsepol: contify function pointer arrays a02fccf8 tree-wide: fix misc typos 8c1110d1 libsepol: validate attribute-type maps d034a3e6 libsepol: rework permission enabled check 52e5c306 libsepol: move unchanged data out of loop a3332e57 libsepol: hashtab: save one comparison on hit 9ef1a835 Update VERSIONs to 3.7-rc2 for release. d506c0b1 libsepol: include prefix for module policy versions b77d851f libsepol: validate type-attribute-map for old policies fc3de95d libsepol: only exempt gaps checking for kernel policies 1c91bc84 libsepol: reject self flag in type rules in old policies 6a223cb1 Update VERSIONs to 3.7-rc1 for release. 1f173f8e libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772) d3d975ae libsepol: validate class permissions fa3a1bca libsepol: improve policy lookup failure message e81a05a5 libsepol: constify function pointer arrays 8c64e5bb libsepol: validate access vector permissions c071aa2e libsepol/cil: Check common perms when verifiying "all" af543f1b libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks 6f7ddf27 libsepol: reject MLS support in pre-MLS policies c205b924 libsepol: Fix buffer overflow when using sepol_av_to_string() fe16f586 checkpolicy, libsepol: Fix potential double free of mls_level_t 162a0884 libsepol/cil: ensure transitivity in compare functions b52e27ae libsepol: ensure transitivity in compare functions fbd6c0f0 libsepol: use typedef 90db06c5 libsepol: Use a dynamic buffer in sepol_av_to_string() 3e3661f6 libsepol/src/Makefile: fix reallocarray detection a0ff05ef libsepol: reorder calloc(3) arguments 97fa708d Update VERSIONs to 3.6 for release. 
e54bedce libsepol: validate empty common classes in scope indices d0b1400a libsepol: extended permission formatting cleanup a55cd374 libsepol: avoid integer overflow in add_i_to_a() 22d3609b libsepol: constify tokenized input 2752043d libsepol/cil: Clear AST node after destroying bad filecon rule 89dd980c Add CPPFLAGS to Makefiles 139afe58 libsepol: simplify string formatting 4724538b libsepol: reject linking modules with no avrules 00cfecf6 libsepol/fuzz: handle empty and non kernel policies 68c3a999 libsepol: reject invalid class datums 4f1435dd libsepol: use correct type to avoid truncations 14f76201 libsepol: validate conditional type rules have a simple default type 0f5a8dd3 Update VERSIONs to 3.6-rc2 for release. fdb536f3 libsepol: avoid fixed sized format buffer for xperms 285d7cc8 libsepol: avoid fixed sized format buffer for xperms d3c2992e libsepol: add check for category value before printing 903e8cf2 libsepol/cil: Do not allow classpermissionset to use anonymous classpermission 9b7d560a libsepol/cil: Give warning for name that has different flavor 18657ad1 libsepol/cil: Add pointers to datums to improve writing out AST fb0a4ce1 libsepol/cil: Allow paths in filecon rules to be passed as arguments 9e1a8ee3 libsepol/cil: Refactor Named Type Transition Filename Creation dc676ab1 libsepol/cil: Allow IP address and mask values to be directly written 557cda59 libsepol/cil: Refactor and improve handling of order rules 19656bea libsepol/cil: Use struct cil_db * instead of void * 0dd926f4 libsepol/tests: Update the order of neverallow test results 08be6357 libsepol/cil: use DJB2a string hash function d03d506a libsepol: use DJB2a string hash function 26cec7ca libsepol: include length squared in hashtab_hash_eval() 4f6a3abc libsepol: validate common classes have at least one permissions b8f52459 libsepol: update policy capabilities array 541aab88 libsepol: avoid memory corruption on realloc failure 5e425b41 libsepol: avoid leak in OOM branch 27fe2b29 libsepol: set 
number of target names cf6ddded libsepol: validate the identifier for initials SID is valid bd1b7848 libsepol: enhance saturation check 44375cb4 libsepol: adjust type for saturation check 84a5457f libsepol: use str_read() where appropriate 1aaf5943 Update VERSIONs to 3.6-rc1 for release. 7cf2bfb5 libsepol: reject unsupported policy capabilities 7b754f70 libsepol: more strict validation 80eb2192 libsepol: validate constraint depth 4670a630 libsepol: validate default type of transition is not an attribute f9fd2500 libsepol: avtab: check read counts for saturation b1b3467a libsepol: reject avtab entries with invalid specifier 01da3a9c libsepol: Fix the version number for the latest exported function 5d5a871c libsepol: Export the cil_write_post_ast function 2fe8a495 libsepol/cil: Add cil_write_post_ast function b0ed365e libsepol/cil: Process deny rules 9d5ca92b libsepol/cil: Add cil_tree_node_remove function 085e3300 libsepol/cil: Add cil_list_is_empty macro 34725469 libsepol/cil: Parse and add deny rule to AST, but do not process 1936a23a libsepol: Use ERR() instead of log_err() 902f0f94 libsepol: update CIL generation for trivial not-self rules e55621c0 libsepol/cil: Add notself and other support to CIL 2b3dd2c7 libsepol/cil: Do not call ebitmap_init twice for an ebitmap cd575089 libsepol: Changes to ebitmap.h to fix compiler warnings 14f35fde Do not automatically install Russian translations c3d13010 libsepol: Remove the Russian translations 8b0acb05 libsepol: ebitmap: avoid branches for iteration 1c19dc4f libsepol: expand: check for memory allocation failure ace9ec17 libsepol: expand: use identical type to avoid implicit conversion 0d144506 hashtab: update 511f4347 libsepol: validate: use fixed sized integers 8963492b checkpolicy,libselinux,libsepol,policycoreutils,semodule-utils: update my email e81c466b libsepol/cil: Fix class permission verification in CIL 40674f48 Revert "checkpolicy,libsepol: move transition to separate structure in avtab" 6776946d Revert 
"checkpolicy,libsepol: move filename transitions to avtab" 6e6444a0 Revert "checkpolicy,libsepol: move filename transition rules to avrule" 97450c62 Revert "libsepol: implement new kernel binary format for avtab" e3388c76 Revert "libsepol: implement new module binary format of avrule" 748614b7 Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy" 311dc446 Revert "checkpolicy,libsepol: add prefix/suffix support to module policy" a77a8b2d Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL" 1d207355 libsepol/fuzz: more strict fuzzing of binary policies df666f70 libsepol: check for overflow in put_entry() 0e2a78d5 libsepol: free initial sid names 0c50de03 libsepol/cil: add support for prefix/suffix filename transtions to CIL c39ebd07 checkpolicy,libsepol: add prefix/suffix support to module policy 1174483d checkpolicy,libsepol: add prefix/suffix support to kernel policy 11013986 libsepol: implement new module binary format of avrule 7b77edd9 libsepol: implement new kernel binary format for avtab 565d8748 checkpolicy,libsepol: move filename transition rules to avrule e169fe26 checkpolicy,libsepol: move filename transitions to avtab de708edf checkpolicy,libsepol: move transition to separate structure in avtab 02e471f1 libsepol: add support for the new "init" initial SID 55b75a2c libsepol: stop translating deprecated intial SIDs to strings 30fe0f19 libsepol: replace log_err() by ERR() 5c35a7be libsepol: replace sepol_log_err() by ERR() b041ecc6 libsepol: drop duplicate newline in sepol_log_err() calls 808a43ab libsepol: drop message for uncommon error cases cae65d9a libsepol: expand: skip invalid cat 4ba8f7c3 libsepol: validate: reject XEN policy with xperm rules ac015a39 libsepol: validate: check low category is not bigger than high 4cf37608 libsepol: validate old style range trans classes 45a4fc77 libsepol: validate some object contexts f5d664eb libsepol: dump non-mls validatetrans rules as such ae5a5d0a libsepol: rename 
bool identifiers 893b50c6 libsepol/tests: rename bool indentifiers 61f21385 libsepol: rename struct member e9072e7d libsepol/tests: add tests for minus self neverallow rules 4a43831f libsepol/tests: add tests for not self neverallow rules ec78788c libsepol: Add not self support for neverallow rules Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> --- package/libs/libsepol/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)