[1/6] libsepol: update to version 3.8.1

Message ID 20250328142811.4096141-1-dominick.grift@defensec.nl
State New

Commit Message

Dominick Grift March 28, 2025, 2:28 p.m. UTC
Changes since version 3.5

8e9157bb Update VERSIONs to 3.8.1 for release.
71aec30d Update VERSIONs to 3.8 for release.
9833f0d2 Update VERSIONs to 3.8-rc4 for release.
8bbb51c9 libsepol: fix typos
4dd442f9 libsepol/cil: free nlmsg hashtable on error
e0f61d3b Update VERSIONs to 3.8-rc3 for release.
b234b710 libsepol: add missing word separators in error message
adf2e609 Update VERSIONs to 3.8-rc2 for release.
c28d9203 libsepol: avoid unnecessary memset(3) calls in hashtab
d49a3ecb libsepol: harden availability check against user CFLAGS
2dec1581 Update VERSIONs to 3.8-rc1 for release.
77da320e libsepol/tests: add cond xperm neverallow tests
c8f9dff3 libsepol: indent printed allow rule on assertion failure
1fd41f48 libsepol/cil: add support for xperms in conditional policies
438b16d1 libsepol: add support for xperms in conditional policies
18eb531b libsepol: misc assertion cleanup
be11f48b libsepol: Remove special handling of roles in module_to_cil.c
7492632a libsepol/cil: Optionally allow duplicate role declarations
b33da68f libsepol: Support nlmsg xperms in assertions
cd8302f0 libsepol: Initialize "strs" on declaration
00fb52ce libsepol/cil/cil_post: Initialize tmp on declaration
575d1cfa libsepol/mls: Do not destroy context on memory error
0dac9813 libsepol/cil: Initialize avtab_datum on declaration
9c7c6e15 libsepol: Add policy capability netlink_xperm
ba7945a2 libsepol: Support nlmsg extended permissions
0190a658 libsepol/cil: Allow dotted names in aliasactual rules
6b5626fd libsepol/cil: Check that sym_index is within bounds
1f080ffd libsepol/sepol_compute_sid: Do not destroy uninitialized context
2eb286bc Release 3.7
589e2dba libsepol: check scope permissions refer to valid class
1efc1214 libsepol: Do not reject all type rules in conditionals when validating
e6c99f34 Update VERSIONs to 3.7-rc3 for release.
c9ed9ea6 libsepol: contify function pointer arrays
a02fccf8 tree-wide: fix misc typos
8c1110d1 libsepol: validate attribute-type maps
d034a3e6 libsepol: rework permission enabled check
52e5c306 libsepol: move unchanged data out of loop
a3332e57 libsepol: hashtab: save one comparison on hit
9ef1a835 Update VERSIONs to 3.7-rc2 for release.
d506c0b1 libsepol: include prefix for module policy versions
b77d851f libsepol: validate type-attribute-map for old policies
fc3de95d libsepol: only exempt gaps checking for kernel policies
1c91bc84 libsepol: reject self flag in type rules in old policies
6a223cb1 Update VERSIONs to 3.7-rc1 for release.
1f173f8e libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
d3d975ae libsepol: validate class permissions
fa3a1bca libsepol: improve policy lookup failure message
e81a05a5 libsepol: constify function pointer arrays
8c64e5bb libsepol: validate access vector permissions
c071aa2e libsepol/cil: Check common perms when verifiying "all"
af543f1b libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
6f7ddf27 libsepol: reject MLS support in pre-MLS policies
c205b924 libsepol: Fix buffer overflow when using sepol_av_to_string()
fe16f586 checkpolicy, libsepol: Fix potential double free of mls_level_t
162a0884 libsepol/cil: ensure transitivity in compare functions
b52e27ae libsepol: ensure transitivity in compare functions
fbd6c0f0 libsepol: use typedef
90db06c5 libsepol: Use a dynamic buffer in sepol_av_to_string()
3e3661f6 libsepol/src/Makefile: fix reallocarray detection
a0ff05ef libsepol: reorder calloc(3) arguments
97fa708d Update VERSIONs to 3.6 for release.
e54bedce libsepol: validate empty common classes in scope indices
d0b1400a libsepol: extended permission formatting cleanup
a55cd374 libsepol: avoid integer overflow in add_i_to_a()
22d3609b libsepol: constify tokenized input
2752043d libsepol/cil: Clear AST node after destroying bad filecon rule
89dd980c Add CPPFLAGS to Makefiles
139afe58 libsepol: simplify string formatting
4724538b libsepol: reject linking modules with no avrules
00cfecf6 libsepol/fuzz: handle empty and non kernel policies
68c3a999 libsepol: reject invalid class datums
4f1435dd libsepol: use correct type to avoid truncations
14f76201 libsepol: validate conditional type rules have a simple default type
0f5a8dd3 Update VERSIONs to 3.6-rc2 for release.
fdb536f3 libsepol: avoid fixed sized format buffer for xperms
285d7cc8 libsepol: avoid fixed sized format buffer for xperms
d3c2992e libsepol: add check for category value before printing
903e8cf2 libsepol/cil: Do not allow classpermissionset to use anonymous classpermission
9b7d560a libsepol/cil: Give warning for name that has different flavor
18657ad1 libsepol/cil: Add pointers to datums to improve writing out AST
fb0a4ce1 libsepol/cil: Allow paths in filecon rules to be passed as arguments
9e1a8ee3 libsepol/cil: Refactor Named Type Transition Filename Creation
dc676ab1 libsepol/cil: Allow IP address and mask values to be directly written
557cda59 libsepol/cil: Refactor and improve handling of order rules
19656bea libsepol/cil: Use struct cil_db * instead of void *
0dd926f4 libsepol/tests: Update the order of neverallow test results
08be6357 libsepol/cil: use DJB2a string hash function
d03d506a libsepol: use DJB2a string hash function
26cec7ca libsepol: include length squared in hashtab_hash_eval()
4f6a3abc libsepol: validate common classes have at least one permissions
b8f52459 libsepol: update policy capabilities array
541aab88 libsepol: avoid memory corruption on realloc failure
5e425b41 libsepol: avoid leak in OOM branch
27fe2b29 libsepol: set number of target names
cf6ddded libsepol: validate the identifier for initials SID is valid
bd1b7848 libsepol: enhance saturation check
44375cb4 libsepol: adjust type for saturation check
84a5457f libsepol: use str_read() where appropriate
1aaf5943 Update VERSIONs to 3.6-rc1 for release.
7cf2bfb5 libsepol: reject unsupported policy capabilities
7b754f70 libsepol: more strict validation
80eb2192 libsepol: validate constraint depth
4670a630 libsepol: validate default type of transition is not an attribute
f9fd2500 libsepol: avtab: check read counts for saturation
b1b3467a libsepol: reject avtab entries with invalid specifier
01da3a9c libsepol: Fix the version number for the latest exported function
5d5a871c libsepol: Export the cil_write_post_ast function
2fe8a495 libsepol/cil: Add cil_write_post_ast function
b0ed365e libsepol/cil: Process deny rules
9d5ca92b libsepol/cil: Add cil_tree_node_remove function
085e3300 libsepol/cil: Add cil_list_is_empty macro
34725469 libsepol/cil: Parse and add deny rule to AST, but do not process
1936a23a libsepol: Use ERR() instead of log_err()
902f0f94 libsepol: update CIL generation for trivial not-self rules
e55621c0 libsepol/cil: Add notself and other support to CIL
2b3dd2c7 libsepol/cil: Do not call ebitmap_init twice for an ebitmap
cd575089 libsepol: Changes to ebitmap.h to fix compiler warnings
14f35fde Do not automatically install Russian translations
c3d13010 libsepol: Remove the Russian translations
8b0acb05 libsepol: ebitmap: avoid branches for iteration
1c19dc4f libsepol: expand: check for memory allocation failure
ace9ec17 libsepol: expand: use identical type to avoid implicit conversion
0d144506 hashtab: update
511f4347 libsepol: validate: use fixed sized integers
8963492b checkpolicy,libselinux,libsepol,policycoreutils,semodule-utils: update my email
e81c466b libsepol/cil: Fix class permission verification in CIL
40674f48 Revert "checkpolicy,libsepol: move transition to separate structure in avtab"
6776946d Revert "checkpolicy,libsepol: move filename transitions to avtab"
6e6444a0 Revert "checkpolicy,libsepol: move filename transition rules to avrule"
97450c62 Revert "libsepol: implement new kernel binary format for avtab"
e3388c76 Revert "libsepol: implement new module binary format of avrule"
748614b7 Revert "checkpolicy,libsepol: add prefix/suffix support to kernel policy"
311dc446 Revert "checkpolicy,libsepol: add prefix/suffix support to module policy"
a77a8b2d Revert "libsepol/cil: add support for prefix/suffix filename transtions to CIL"
1d207355 libsepol/fuzz: more strict fuzzing of binary policies
df666f70 libsepol: check for overflow in put_entry()
0e2a78d5 libsepol: free initial sid names
0c50de03 libsepol/cil: add support for prefix/suffix filename transtions to CIL
c39ebd07 checkpolicy,libsepol: add prefix/suffix support to module policy
1174483d checkpolicy,libsepol: add prefix/suffix support to kernel policy
11013986 libsepol: implement new module binary format of avrule
7b77edd9 libsepol: implement new kernel binary format for avtab
565d8748 checkpolicy,libsepol: move filename transition rules to avrule
e169fe26 checkpolicy,libsepol: move filename transitions to avtab
de708edf checkpolicy,libsepol: move transition to separate structure in avtab
02e471f1 libsepol: add support for the new "init" initial SID
55b75a2c libsepol: stop translating deprecated intial SIDs to strings
30fe0f19 libsepol: replace log_err() by ERR()
5c35a7be libsepol: replace sepol_log_err() by ERR()
b041ecc6 libsepol: drop duplicate newline in sepol_log_err() calls
808a43ab libsepol: drop message for uncommon error cases
cae65d9a libsepol: expand: skip invalid cat
4ba8f7c3 libsepol: validate: reject XEN policy with xperm rules
ac015a39 libsepol: validate: check low category is not bigger than high
4cf37608 libsepol: validate old style range trans classes
45a4fc77 libsepol: validate some object contexts
f5d664eb libsepol: dump non-mls validatetrans rules as such
ae5a5d0a libsepol: rename bool identifiers
893b50c6 libsepol/tests: rename bool indentifiers
61f21385 libsepol: rename struct member
e9072e7d libsepol/tests: add tests for minus self neverallow rules
4a43831f libsepol/tests: add tests for not self neverallow rules
ec78788c libsepol: Add not self support for neverallow rules

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
 package/libs/libsepol/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Daniel Golle March 28, 2025, 4:17 p.m. UTC | #1
Hi Dominick,

On Fri, Mar 28, 2025 at 03:28:06PM +0100, Dominick Grift wrote:
> ...
> diff --git a/package/libs/libsepol/Makefile b/package/libs/libsepol/Makefile
> index b1a34d293e..e9072d01ea 100644
> --- a/package/libs/libsepol/Makefile
> +++ b/package/libs/libsepol/Makefile
> @@ -6,12 +6,12 @@
>  include $(TOPDIR)/rules.mk
>  
>  PKG_NAME:=libsepol
> -PKG_VERSION:=3.5
> +PKG_VERSION:=3.8.1
>  PKG_RELEASE:=1
>  
>  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
>  PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION)
> -PKG_HASH:=78fdaf69924db780bac78546e43d9c44074bad798c2c415d0b9bb96d065ee8a2
> +PKG_HASH:=0e78705305f955abd4c0654d37a5477ee26349ab74db9e2b03a7868897ae1ddf
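
Review bot: The `PKG_VERSION:=3.8.1` bump does not account for libsepol headers from an earlier build that are still installed in the hostpkg staging directory, and the commit message does not mention it. In the build log that follows, `-I/usr/src/openwrt/staging_dir/hostpkg/include` comes before `-I../include` on the `cc` line, and the failing declarations are reported from `staging_dir/hostpkg/include/sepol/policydb/conditional.h` (`uint32_t bool;`) and `policydb.h`, not from the unpacked 3.8.1 source, which is consistent with previously staged headers shadowing the new ones. Consider stating in the commit message that the update needs a clean hostpkg staging directory, or arranging for the package's own `../include` to be searched first in the host build. The new `PKG_HASH` cannot be checked from the hunk alone and should be confirmed against the 3.8.1 tarball fetched from `PKG_SOURCE_URL`.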

somehow this fails to build for me on Arch Linux (gcc (GCC) 14.2.1 20250207)

make[2]: Entering directory '/usr/src/openwrt/package/libs/libsepol'
. /usr/src/openwrt/include/shell.sh; /usr/src/openwrt/staging_dir/host/bin/libdeflate-gzip -dc /usr/src/openwrt/dl/libsepol-3.8.1.tar.gz | tar -C /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.. -xf -
[ ! -d ./src/ ] || cp -fpR ./src/* /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1
touch /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.prepared373c40fbd50048c5dd856777f1d054e4_6664517399ebbbc92a37c5bb081b5c53
(cd /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/; if [ -x configure ]; then cp -fpR /usr/src/openwrt/scripts/config.{guess,sub} /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1// && CC="ccache /usr/src/openwrt/staging_dir/host/bin/gcc" CFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" CXX="ccache /usr/src/openwrt/staging_dir/host/bin/g++" CPPFLAGS="-I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" CXXFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" LDFLAGS="-L/usr/src/openwrt/staging_dir/host/lib -L/usr/src/openwrt/staging_dir/hostpkg/lib -L/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/lib" CONFIG_SHELL="/usr/bin/env bash"  bash ./configure --target=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-dependency-tracking --program-prefix="" --program-suffix="" --prefix=/usr/src/openwrt/staging_dir/hostpkg --exec-prefix=/usr/src/openwrt/staging_dir/hostpkg --sysconfdir=/usr/src/openwrt/staging_dir/hostpkg/etc --localstatedir=/usr/src/openwrt/staging_dir/hostpkg/var --sbindir=/usr/src/openwrt/staging_dir/hostpkg/bin ; fi )
touch /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.configured
CFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" CPPFLAGS="-I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" CXXFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include" LDFLAGS="-L/usr/src/openwrt/staging_dir/host/lib -L/usr/src/openwrt/staging_dir/hostpkg/lib -L/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/lib" make -j1 -C /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/. PREFIX=/usr/src/openwrt/staging_dir/hostpkg SHLIBDIR=/usr/src/openwrt/staging_dir/hostpkg/lib 
make[3]: Entering directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1'
make -C src 
make[4]: Entering directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/src'
cc -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include -O2 -I/usr/src/openwrt/staging_dir/host/include -I/usr/src/openwrt/staging_dir/hostpkg/include -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include -I. -I../include -D_GNU_SOURCE -I../cil/include -DHAVE_REALLOCARRAY -fPIC -c -o assertion.o assertion.c
In file included from assertion.c:23:
/usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/conditional.h:57:18: error: two or more data types in declaration specifiers
   57 |         uint32_t bool;
      |                  ^~~~
In file included from /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/expand.h:30,
                 from assertion.c:26:
/usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/conditional.h:57:22: warning: declaration does not declare anything
   57 |         uint32_t bool;
      |                      ^
assertion.c: In function 'report_failure':
assertion.c:48:44: warning: passing argument 1 of 'sepol_av_to_string' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
   48 |         char *permstr = sepol_av_to_string(p, curperm->tclass, perms);
      |                                            ^
In file included from assertion.c:27:
/usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/util.h:34:46: note: expected 'policydb_t *' {aka 'struct policydb *'} but argument is of type 'const policydb_t *' {aka 'const struct policydb *'}
   34 | extern char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass,
      |                                 ~~~~~~~~~~~~~^~~~~~~~~
assertion.c: In function 'check_extended_permissions':
assertion.c:110:46: error: 'AVRULE_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVRULE_XPERMS_ALLOWED'?
  110 |         } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
      |                                              ^~~~~~~~~~~~~~~~~~~
      |                                              AVRULE_XPERMS_ALLOWED
assertion.c:110:46: note: each undeclared identifier is reported only once for each function it appears in
assertion.c:111:49: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'?
  111 |                         && (allow->specified == AVTAB_XPERMS_NLMSG)) {
      |                                                 ^~~~~~~~~~~~~~~~~~
      |                                                 AVTAB_XPERMS_ALLOWED
assertion.c: In function 'extended_permissions_violated':
assertion.c:146:46: error: 'AVRULE_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVRULE_XPERMS_ALLOWED'?
  146 |         } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
      |                                              ^~~~~~~~~~~~~~~~~~~
      |                                              AVRULE_XPERMS_ALLOWED
assertion.c:147:49: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'?
  147 |                         && (allow->specified == AVTAB_XPERMS_NLMSG)) {
      |                                                 ^~~~~~~~~~~~~~~~~~
      |                                                 AVTAB_XPERMS_ALLOWED
assertion.c: In function 'report_assertion_extended_permissions':
assertion.c:193:74: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'?
  193 |                                                 && (xperms->specified != AVTAB_XPERMS_NLMSG))
      |                                                                          ^~~~~~~~~~~~~~~~~~
      |                                                                          AVTAB_XPERMS_ALLOWED
assertion.c: In function 'report_assertion_avtab_matches':
assertion.c:344:57: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'?
  344 |         const bool is_narule_notself = (narule->flags & RULE_NOTSELF) != 0;
      |                                                         ^~~~~~~~~~~~
      |                                                         RULE_SELF
assertion.c: In function 'check_assertion_extended_permissions_avtab':
assertion.c:487:74: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'?
  487 |                                                 && (xperms->specified != AVTAB_XPERMS_NLMSG))
      |                                                                          ^~~~~~~~~~~~~~~~~~
      |                                                                          AVTAB_XPERMS_ALLOWED
assertion.c: In function 'check_assertion_extended_permissions':
assertion.c:587:57: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'?
  587 |         const bool is_narule_notself = (narule->flags & RULE_NOTSELF) != 0;
      |                                                         ^~~~~~~~~~~~
      |                                                         RULE_SELF
assertion.c: In function 'check_assertion_avtab_match':
assertion.c:757:29: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'?
  757 |         if (narule->flags & RULE_NOTSELF) {
      |                             ^~~~~~~~~~~~
      |                             RULE_SELF
assertion.c: At top level:
assertion.c:794:5: error: conflicting types for 'check_assertion'; have 'int(policydb_t *, const avrule_t *)' {aka 'int(struct policydb *, const struct avrule *)'}
  794 | int check_assertion(policydb_t *p, const avrule_t *narule)
      |     ^~~~~~~~~~~~~~~
In file included from assertion.c:25:
/usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/policydb.h:699:12: note: previous declaration of 'check_assertion' with type 'int(policydb_t *, avrule_t *)' {aka 'int(struct policydb *, struct avrule *)'}
  699 | extern int check_assertion(policydb_t *p, avrule_t *avrule);
      |            ^~~~~~~~~~~~~~~
assertion.c:815:5: error: conflicting types for 'check_assertions'; have 'int(sepol_handle_t *, policydb_t *, const avrule_t *)' {aka 'int(struct sepol_handle *, struct policydb *, const struct avrule *)'}
  815 | int check_assertions(sepol_handle_t * handle, policydb_t * p,
      |     ^~~~~~~~~~~~~~~~
/usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/policydb.h:700:12: note: previous declaration of 'check_assertions' with type 'int(sepol_handle_t *, policydb_t *, avrule_t *)' {aka 'int(struct sepol_handle *, struct policydb *, struct avrule *)'}
  700 | extern int check_assertions(sepol_handle_t * handle,
      |            ^~~~~~~~~~~~~~~~
make[4]: *** [Makefile:82: assertion.o] Error 1
make[4]: Leaving directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/src'
make[3]: *** [Makefile:6: all] Error 2
make[3]: Leaving directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1'
make[2]: *** [Makefile:86: /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.built] Error 2
make[2]: Leaving directory '/usr/src/openwrt/package/libs/libsepol'
time: package/libs/libsepol/host-compile#0.28#0.14#0.40
    ERROR: package/libs/libsepol [host] failed to build.

Dominick Grift March 28, 2025, 4:34 p.m. UTC | #2
Daniel Golle <daniel@makrotopia.org> writes:

> Hi Dominick,

Hi, I had that too. Use a clean tree. Worked for me.

root@OpenWrt:~# for i in sepol libselinux; do apk info $i ; done
WARNING: opening from cache https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/packages/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/luci/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/routing/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/telephony/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/video/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/packages/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/base/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/luci/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/packages/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/routing/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/telephony/packages.adb: No such file or directory
WARNING: opening from cache https://downloads.openwrt.org/snapshots/packages/aarch64_cortex-a53/video/packages.adb: No such file or directory
libselinux-3.8.1-r1 description:
libselinux is the runtime SELinux library that provides interfaces (e.g. library functions for the SELinux kernel APIs like getcon(), other support functions like getseuserbyname()) to SELinux-aware applications. libselinux may use the shared libsepol to manipulate the binary policy if necessary (e.g. to downgrade the policy format to an older version supported by the kernel) when loading policy.

libselinux-3.8.1-r1 webpage:
http://selinuxproject.org/page/Main_Page

libselinux-3.8.1-r1 installed size:
200 KiB

root@OpenWrt:~#

>
> On Fri, Mar 28, 2025 at 03:28:06PM +0100, Dominick Grift wrote:
>> ...
>> diff --git a/package/libs/libsepol/Makefile b/package/libs/libsepol/Makefile
>> index b1a34d293e..e9072d01ea 100644
>> --- a/package/libs/libsepol/Makefile
>> +++ b/package/libs/libsepol/Makefile
>> @@ -6,12 +6,12 @@
>>  include $(TOPDIR)/rules.mk
>>  
>>  PKG_NAME:=libsepol
>> -PKG_VERSION:=3.5
>> +PKG_VERSION:=3.8.1
>>  PKG_RELEASE:=1
>>  
>>  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
>>  PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION)
>> -PKG_HASH:=78fdaf69924db780bac78546e43d9c44074bad798c2c415d0b9bb96d065ee8a2
>> +PKG_HASH:=0e78705305f955abd4c0654d37a5477ee26349ab74db9e2b03a7868897ae1ddf
>
> somehow this fails to build for me on Arch Linux (gcc (GCC) 14.2.1 20250207)
>
> make[2]: Entering directory '/usr/src/openwrt/package/libs/libsepol'
> . /usr/src/openwrt/include/shell.sh;
> /usr/src/openwrt/staging_dir/host/bin/libdeflate-gzip -dc
> /usr/src/openwrt/dl/libsepol-3.8.1.tar.gz | tar -C
> /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.. -xf -
> [ ! -d ./src/ ] || cp -fpR ./src/* /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1
> touch
> /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.prepared373c40fbd50048c5dd856777f1d054e4_6664517399ebbbc92a37c5bb081b5c53
> (cd /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/; if [ -x
> configure ]; then cp -fpR /usr/src/openwrt/scripts/config.{guess,sub}
> /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1// && CC="ccache
> /usr/src/openwrt/staging_dir/host/bin/gcc" CFLAGS="-O2
> -I/usr/src/openwrt/staging_dir/host/include
> -I/usr/src/openwrt/staging_dir/hostpkg/include
> -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include"
> CXX="ccache /usr/src/openwrt/staging_dir/host/bin/g++"
> CPPFLAGS="-I/usr/src/openwrt/staging_dir/host/include
> -I/usr/src/openwrt/staging_dir/hostpkg/include
> -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include"
> CXXFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include
> -I/usr/src/openwrt/staging_dir/hostpkg/include
> -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include"
> LDFLAGS="-L/usr/src/openwrt/staging_dir/host/lib
> -L/usr/src/openwrt/staging_dir/hostpkg/lib
> -L/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/lib"
> CONFIG_SHELL="/usr/bin/env bash" bash ./configure
> --target=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu
> --build=x86_64-pc-linux-gnu --disable-dependency-tracking
> --program-prefix="" --program-suffix=""
> --prefix=/usr/src/openwrt/staging_dir/hostpkg
> --exec-prefix=/usr/src/openwrt/staging_dir/hostpkg
> --sysconfdir=/usr/src/openwrt/staging_dir/hostpkg/etc
> --localstatedir=/usr/src/openwrt/staging_dir/hostpkg/var
> --sbindir=/usr/src/openwrt/staging_dir/hostpkg/bin ; fi )
> touch /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.configured
> CFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include
> -I/usr/src/openwrt/staging_dir/hostpkg/include
> -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include"
> CPPFLAGS="-I/usr/src/openwrt/staging_dir/host/include
> -I/usr/src/openwrt/staging_dir/hostpkg/include
> -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include"
> CXXFLAGS="-O2 -I/usr/src/openwrt/staging_dir/host/include
> -I/usr/src/openwrt/staging_dir/hostpkg/include
> -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include"
> LDFLAGS="-L/usr/src/openwrt/staging_dir/host/lib
> -L/usr/src/openwrt/staging_dir/hostpkg/lib
> -L/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/lib"
> make -j1 -C
> /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/. PREFIX=/usr/src/openwrt/staging_dir/hostpkg
> SHLIBDIR=/usr/src/openwrt/staging_dir/hostpkg/lib
> make[3]: Entering directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1'
> make -C src 
> make[4]: Entering directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/src'
> cc -I/usr/src/openwrt/staging_dir/host/include
> -I/usr/src/openwrt/staging_dir/hostpkg/include
> -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include
> -O2 -I/usr/src/openwrt/staging_dir/host/include
> -I/usr/src/openwrt/staging_dir/hostpkg/include
> -I/usr/src/openwrt/staging_dir/target-aarch64_cortex-a53_musl/host/include
> -I. -I../include -D_GNU_SOURCE -I../cil/include -DHAVE_REALLOCARRAY
> -fPIC -c -o assertion.o assertion.c
> In file included from assertion.c:23:
> /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/conditional.h:57:18:
> error: two or more data types in declaration specifiers
>    57 |         uint32_t bool;
>       |                  ^~~~
> In file included from /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/expand.h:30,
>                  from assertion.c:26:
> /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/conditional.h:57:22: warning: declaration does not declare anything
>    57 |         uint32_t bool;
>       |                      ^
> assertion.c: In function 'report_failure':
> assertion.c:48:44: warning: passing argument 1 of 'sepol_av_to_string'
> discards 'const' qualifier from pointer target type
> [-Wdiscarded-qualifiers]
>    48 |         char *permstr = sepol_av_to_string(p, curperm->tclass, perms);
>       |                                            ^
> In file included from assertion.c:27:
> /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/util.h:34:46:
> note: expected 'policydb_t *' {aka 'struct policydb *'} but argument
> is of type 'const policydb_t *' {aka 'const struct policydb *'}
>    34 | extern char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass,
>       |                                 ~~~~~~~~~~~~~^~~~~~~~~
> assertion.c: In function 'check_extended_permissions':
> assertion.c:110:46: error: 'AVRULE_XPERMS_NLMSG' undeclared (first use
> in this function); did you mean 'AVRULE_XPERMS_ALLOWED'?
>   110 |         } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
>       |                                              ^~~~~~~~~~~~~~~~~~~
>       |                                              AVRULE_XPERMS_ALLOWED
> assertion.c:110:46: note: each undeclared identifier is reported only once for each function it appears in
> assertion.c:111:49: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'?
>   111 |                         && (allow->specified == AVTAB_XPERMS_NLMSG)) {
>       |                                                 ^~~~~~~~~~~~~~~~~~
>       |                                                 AVTAB_XPERMS_ALLOWED
> assertion.c: In function 'extended_permissions_violated':
> assertion.c:146:46: error: 'AVRULE_XPERMS_NLMSG' undeclared (first use
> in this function); did you mean 'AVRULE_XPERMS_ALLOWED'?
>   146 |         } else if ((neverallow->specified == AVRULE_XPERMS_NLMSG)
>       |                                              ^~~~~~~~~~~~~~~~~~~
>       |                                              AVRULE_XPERMS_ALLOWED
> assertion.c:147:49: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'?
>   147 |                         && (allow->specified == AVTAB_XPERMS_NLMSG)) {
>       |                                                 ^~~~~~~~~~~~~~~~~~
>       |                                                 AVTAB_XPERMS_ALLOWED
> assertion.c: In function 'report_assertion_extended_permissions':
> assertion.c:193:74: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'?
>   193 |                                                 && (xperms->specified != AVTAB_XPERMS_NLMSG))
>       |                                                                          ^~~~~~~~~~~~~~~~~~
>       |                                                                          AVTAB_XPERMS_ALLOWED
> assertion.c: In function 'report_assertion_avtab_matches':
> assertion.c:344:57: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'?
>   344 |         const bool is_narule_notself = (narule->flags & RULE_NOTSELF) != 0;
>       |                                                         ^~~~~~~~~~~~
>       |                                                         RULE_SELF
> assertion.c: In function 'check_assertion_extended_permissions_avtab':
> assertion.c:487:74: error: 'AVTAB_XPERMS_NLMSG' undeclared (first use in this function); did you mean 'AVTAB_XPERMS_ALLOWED'?
>   487 |                                                 && (xperms->specified != AVTAB_XPERMS_NLMSG))
>       |                                                                          ^~~~~~~~~~~~~~~~~~
>       |                                                                          AVTAB_XPERMS_ALLOWED
> assertion.c: In function 'check_assertion_extended_permissions':
> assertion.c:587:57: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'?
>   587 |         const bool is_narule_notself = (narule->flags & RULE_NOTSELF) != 0;
>       |                                                         ^~~~~~~~~~~~
>       |                                                         RULE_SELF
> assertion.c: In function 'check_assertion_avtab_match':
> assertion.c:757:29: error: 'RULE_NOTSELF' undeclared (first use in this function); did you mean 'RULE_SELF'?
>   757 |         if (narule->flags & RULE_NOTSELF) {
>       |                             ^~~~~~~~~~~~
>       |                             RULE_SELF
> assertion.c: At top level:
> assertion.c:794:5: error: conflicting types for 'check_assertion';
> have 'int(policydb_t *, const avrule_t *)' {aka 'int(struct policydb
> *, const struct avrule *)'}
>   794 | int check_assertion(policydb_t *p, const avrule_t *narule)
>       |     ^~~~~~~~~~~~~~~
> In file included from assertion.c:25:
> /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/policydb.h:699:12:
> note: previous declaration of 'check_assertion' with type
> 'int(policydb_t *, avrule_t *)' {aka 'int(struct policydb *, struct
> avrule *)'}
>   699 | extern int check_assertion(policydb_t *p, avrule_t *avrule);
>       |            ^~~~~~~~~~~~~~~
> assertion.c:815:5: error: conflicting types for 'check_assertions';
> have 'int(sepol_handle_t *, policydb_t *, const avrule_t *)' {aka
> 'int(struct sepol_handle *, struct policydb *, const struct avrule
> *)'}
>   815 | int check_assertions(sepol_handle_t * handle, policydb_t * p,
>       |     ^~~~~~~~~~~~~~~~
> /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/policydb.h:700:12:
> note: previous declaration of 'check_assertions' with type
> 'int(sepol_handle_t *, policydb_t *, avrule_t *)' {aka 'int(struct
> sepol_handle *, struct policydb *, struct avrule *)'}
>   700 | extern int check_assertions(sepol_handle_t * handle,
>       |            ^~~~~~~~~~~~~~~~
> make[4]: *** [Makefile:82: assertion.o] Error 1
> make[4]: Leaving directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/src'
> make[3]: *** [Makefile:6: all] Error 2
> make[3]: Leaving directory '/usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1'
> make[2]: *** [Makefile:86: /usr/src/openwrt/build_dir/hostpkg/libsepol-3.8.1/.built] Error 2
> make[2]: Leaving directory '/usr/src/openwrt/package/libs/libsepol'
> time: package/libs/libsepol/host-compile#0.28#0.14#0.40
>     ERROR: package/libs/libsepol [host] failed to build.
>
Daniel Golle March 28, 2025, 4:38 p.m. UTC | #3
On Fri, Mar 28, 2025 at 05:34:14PM +0100, Dominick Grift wrote:
> Daniel Golle <daniel@makrotopia.org> writes:
> 
> > Hi Dominick,
> 
> Hi, I had that too. Use a clean tree. Worked for me.

So maybe this is a hidden dependency which should be expressed in
libsepol's Makefile...
Dominick Grift March 28, 2025, 5:08 p.m. UTC | #4
Daniel Golle <daniel@makrotopia.org> writes:

> On Fri, Mar 28, 2025 at 05:34:14PM +0100, Dominick Grift wrote:
>> Daniel Golle <daniel@makrotopia.org> writes:
>> 
>> > Hi Dominick,
>> 
>> Hi, I had that too. Use a clean tree. Worked for me.
>
> So maybe this is a hidden dependency which should be expressed in
> libsepol's Makefile...

I asked on IRC:

<bigon> bigon@eriador:~$ apt-cache showsrc libsepol|grep Dep [18:04]
<bigon> Build-Depends: debhelper-compat (= 13), file, flex
<bigon> (that's debian)

I don't think any of those two were updated recently?

>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Dominick Grift March 31, 2025, 2:12 p.m. UTC | #5
Daniel Golle <daniel@makrotopia.org> writes:

> On Fri, Mar 28, 2025 at 05:34:14PM +0100, Dominick Grift wrote:
>> Daniel Golle <daniel@makrotopia.org> writes:
>> 
>> > Hi Dominick,
>> 
>> Hi, I had that too. Use a clean tree. Worked for me.
>
> So maybe this is a hidden dependency which should be expressed in
> libsepol's Makefile...

I honestly don't know, but I can speculate. It might have to do with how
OpenWrt deals with flex:

I stumbled upon this:
https://github.com/openwrt/openwrt/blob/main/scripts/config/README#L22

I am not sure if it is applicable, but it seems that aside from the kernel
only libsepol depends on flex?

In either case running the following seems to work:

make dirclean
make -j$(nproc) defconfig download clean world

Maybe even `make config-clean` is enough to make it deal with the
possible flex issue?

I suppose for some reason `make targetclean` might mess it up?


Patch

diff --git a/package/libs/libsepol/Makefile b/package/libs/libsepol/Makefile
index b1a34d293e..e9072d01ea 100644
--- a/package/libs/libsepol/Makefile
+++ b/package/libs/libsepol/Makefile
@@ -6,12 +6,12 @@ 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libsepol
-PKG_VERSION:=3.5
+PKG_VERSION:=3.8.1
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION)
-PKG_HASH:=78fdaf69924db780bac78546e43d9c44074bad798c2c415d0b9bb96d065ee8a2
+PKG_HASH:=0e78705305f955abd4c0654d37a5477ee26349ab74db9e2b03a7868897ae1ddf
 
 PKG_MAINTAINER:=Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 PKG_CPE_ID:=cpe:/a:selinuxproject:libsepol
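
Review bot: The PKG_VERSION bump to 3.8.1 leaves the host build open to the failure quoted in this thread, where assertion.c from the 3.8.1 tree is compiled against /usr/src/openwrt/staging_dir/hostpkg/include/sepol/policydb/policydb.h, whose check_assertion() prototype takes a non-const avrule_t *, and where AVTAB_XPERMS_NLMSG and RULE_NOTSELF are reported undeclared. That is consistent with the staging include directory being searched ahead of the package's own headers, so headers left behind by an earlier libsepol install shadow the new ones on any tree that is not clean. Consider making the host build search the in-tree include directory first, or at least state the clean-tree requirement in the commit message. The new PKG_HASH cannot be checked from the diff alone and should be confirmed against the 3.8.1 release tarball at PKG_SOURCE_URL before merging.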