* [Buildroot] [PATCH v2 1/2] package/refpolicy/Config.in: force merged usr when selecting upstream @ 2023-10-07 18:19 Adam Duskett 2023-10-07 18:19 ` [Buildroot] [PATCH v2 2/2] package/refpolicy: bump version to 2.20221101 Adam Duskett 2023-10-07 19:34 ` [Buildroot] [PATCH v2 1/2] package/refpolicy/Config.in: force merged usr when selecting upstream Yann E. MORIN 0 siblings, 2 replies; 4+ messages in thread From: Adam Duskett @ 2023-10-07 18:19 UTC (permalink / raw) To: buildroot; +Cc: Antoine Tenart, Adam Duskett Refpolicy contexts expect a merged /usr file system. In fact, there are no references to /bin, /sbin, /lib, or /lib64 at all. However, if a user wants to go through the trouble of creating a policy that works with a non-merged system, they should be free to do so. As such, only select BR2_ROOTFS_MERGED_USR if using BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com> --- package/refpolicy/Config.in | 1 + 1 file changed, 1 insertion(+) diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in index 0e72b895df..f1f3c7e64d 100644 --- a/package/refpolicy/Config.in +++ b/package/refpolicy/Config.in @@ -36,6 +36,7 @@ choice config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION bool "Upstream version" + select BR2_ROOTFS_MERGED_USR help Use the refpolicy as provided by Buildroot. -- 2.41.0 _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply related [flat|nested] 4+ messages in thread
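Review bot: The added `select BR2_ROOTFS_MERGED_USR` under `config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION` lets a sub-option of one package switch the root filesystem layout for the whole build without the user seeing it, and the help text still reads only "Use the refpolicy as provided by Buildroot." Since the commit message says the upstream file contexts carry no entries for /bin, /sbin, /lib or /lib64, the requirement is real, but it would be clearer expressed as `depends on BR2_ROOTFS_MERGED_USR` with a Kconfig `comment` shown when the dependency is unmet, so the layout change is a deliberate choice. If `select` is kept, the help text should state that choosing the upstream version forces a merged /usr.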
* [Buildroot] [PATCH v2 2/2] package/refpolicy: bump version to 2.20221101 2023-10-07 18:19 [Buildroot] [PATCH v2 1/2] package/refpolicy/Config.in: force merged usr when selecting upstream Adam Duskett @ 2023-10-07 18:19 ` Adam Duskett 2023-10-07 19:34 ` [Buildroot] [PATCH v2 1/2] package/refpolicy/Config.in: force merged usr when selecting upstream Yann E. MORIN 1 sibling, 0 replies; 4+ messages in thread From: Adam Duskett @ 2023-10-07 18:19 UTC (permalink / raw) To: buildroot; +Cc: Antoine Tenart, Adam Duskett Drop upstream patch Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com> --- v1 -> v2: drop upstream patch ...ount-dbus-interface-must-be-optional.patch | 33 ------------------- package/refpolicy/refpolicy.hash | 2 +- package/refpolicy/refpolicy.mk | 2 +- 3 files changed, 2 insertions(+), 35 deletions(-) delete mode 100644 package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch diff --git a/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch b/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch deleted file mode 100644 index adec7d98d0..0000000000 --- a/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 6c6be65ccf0891391681d4662cc11f508c0f4aeb Mon Sep 17 00:00:00 2001 -From: Adam Duskett <aduskett@gmail.com> -Date: Mon, 24 Apr 2023 14:24:49 -0700 -Subject: [PATCH] mount: dbus interface must be optional - -If DBus isn't built, the build process fails due to mount.te always using a -dbus interface even if the dbus module. Fix this by setting the dbus interface -as optional. - -Signed-off-by: Adam Duskett <aduskett@gmail.com> -Upstream: https://github.com/SELinuxProject/refpolicy/commit/207b09a656c2c3ac5c286d3f7eef085325e35408 ---- - policy/modules/system/mount.te | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index d028723..af84af0 100644 ---- a/policy/modules/system/mount.te -+++ b/policy/modules/system/mount.te -@@ -145,7 +145,9 @@ selinux_getattr_fs(mount_t) - - userdom_use_all_users_fds(mount_t) - --dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t) -+optional_policy(` -+ dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t) -+') - - ifdef(`distro_redhat',` - optional_policy(` --- -2.40.0 - diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash index a09e59c270..70d1acc9af 100644 --- a/package/refpolicy/refpolicy.hash +++ b/package/refpolicy/refpolicy.hash @@ -1,5 +1,5 @@ # From https://github.com/SELinuxProject/refpolicy/releases -sha256 44f88e62c8efcef54d019b9ca077520d5993de580926bd7575788cfa78515396 refpolicy-2.20221101.tar.bz2 +sha256 c89cd3b2e5d99765cc24536fd8e76de83951ad23e05472350328b5a4f8bee410 refpolicy-2.20231002.tar.bz2 # Locally computed sha256 204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994 COPYING diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index 8fea7cc254..fb1c213b84 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk 
@@ -23,7 +23,7 @@ REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL)) REFPOLICY_SITE_METHOD = git BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE) else -REFPOLICY_VERSION = 2.20221101 +REFPOLICY_VERSION = 2.20231002 REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2 REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION)) endif -- 2.41.0 _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply related [flat|nested] 4+ messages in thread
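Review bot: The subject line says "bump version to 2.20221101", but the refpolicy.mk hunk changes `REFPOLICY_VERSION` from 2.20221101 to 2.20231002 and the refpolicy.hash hunk now lists refpolicy-2.20231002.tar.bz2, so the subject should name 2.20231002. The commit message "Drop upstream patch" should also say why 0001-mount-dbus-interface-must-be-optional.patch can go, for example by stating whether the commit named in its `Upstream:` line is contained in the new release, so a reader can confirm that the `optional_policy` guard around `dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)` is not lost on builds without DBus. The new sha256 sits under the "# From https://github.com/SELinuxProject/refpolicy/releases" comment; it is worth confirming it was taken from the release page rather than computed locally, as that comment implies.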
* Re: [Buildroot] [PATCH v2 1/2] package/refpolicy/Config.in: force merged usr when selecting upstream 2023-10-07 18:19 [Buildroot] [PATCH v2 1/2] package/refpolicy/Config.in: force merged usr when selecting upstream Adam Duskett 2023-10-07 18:19 ` [Buildroot] [PATCH v2 2/2] package/refpolicy: bump version to 2.20221101 Adam Duskett @ 2023-10-07 19:34 ` Yann E. MORIN 2023-10-08 9:40 ` Arnout Vandecappelle via buildroot 1 sibling, 1 reply; 4+ messages in thread From: Yann E. MORIN @ 2023-10-07 19:34 UTC (permalink / raw) To: Adam Duskett; +Cc: Antoine Tenart, buildroot Adam, All, On 2023-10-07 20:19 +0200, Adam Duskett spake thusly: > Refpolicy contexts expect a merged /usr file system. In fact, there > are no references to /bin, /sbin, /lib, or /lib64 at all. However, if a user > wants to go through the trouble of creating a policy that works with a > non-merged system, they should be free to do so. As such, only select > BR2_ROOTFS_MERGED_USR if using BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION > > Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com> > --- > package/refpolicy/Config.in | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in > index 0e72b895df..f1f3c7e64d 100644 > --- a/package/refpolicy/Config.in > +++ b/package/refpolicy/Config.in > @@ -36,6 +36,7 @@ choice > > config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION > bool "Upstream version" > + select BR2_ROOTFS_MERGED_USR I wonder if this is the proper solution. I would have rather though of depends on rather than select: diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in index 0e72b895df..c413c1244b 100644 --- a/package/refpolicy/Config.in +++ b/package/refpolicy/Config.in 
@@ -32,13 +32,17 @@ if BR2_PACKAGE_REFPOLICY choice prompt "Refpolicy version" - default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION + default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION if BR2_ROOTFS_MERGED_USR config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION bool "Upstream version" + depends on BR2_ROOTFS_MERGED_USR help Use the refpolicy as provided by Buildroot. +comment "upstream refpolicy needs merged /usr" + depends on !BR2_ROOTFS_MERGED_USR + config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT bool "Custom git repository" help Not totally sure either ways, though... Regards, Yann E. MORIN. > help > Use the refpolicy as provided by Buildroot. > > -- > 2.41.0 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------' _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 4+ messages in thread
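Review bot: In the proposed `choice` hunk, `default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION if BR2_ROOTFS_MERGED_USR` leaves the choice with no applicable default when merged /usr is off, so Kconfig falls back to the first visible entry, which in the visible lines is `BR2_PACKAGE_REFPOLICY_CUSTOM_GIT`. A user who enables refpolicy on a non-merged configuration then lands on the custom git option without having picked it. The `comment "upstream refpolicy needs merged /usr"` helps, but it should point at the setting to change, and the help text of the custom git entry could note that a policy for a non-merged layout must supply its own file contexts for /bin, /sbin, /lib and /lib64.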
* Re: [Buildroot] [PATCH v2 1/2] package/refpolicy/Config.in: force merged usr when selecting upstream 2023-10-07 19:34 ` [Buildroot] [PATCH v2 1/2] package/refpolicy/Config.in: force merged usr when selecting upstream Yann E. MORIN @ 2023-10-08 9:40 ` Arnout Vandecappelle via buildroot 0 siblings, 0 replies; 4+ messages in thread From: Arnout Vandecappelle via buildroot @ 2023-10-08 9:40 UTC (permalink / raw) To: Yann E. MORIN, Adam Duskett; +Cc: Antoine Tenart, buildroot On 07/10/2023 21:34, Yann E. MORIN wrote: > Adam, All, > > On 2023-10-07 20:19 +0200, Adam Duskett spake thusly: >> Refpolicy contexts expect a merged /usr file system. In fact, there >> are no references to /bin, /sbin, /lib, or /lib64 at all. However, if a user >> wants to go through the trouble of creating a policy that works with a >> non-merged system, they should be free to do so. As such, only select >> BR2_ROOTFS_MERGED_USR if using BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION >> >> Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com> >> --- >> package/refpolicy/Config.in | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in >> index 0e72b895df..f1f3c7e64d 100644 >> --- a/package/refpolicy/Config.in >> +++ b/package/refpolicy/Config.in >> @@ -36,6 +36,7 @@ choice >> >> config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION >> bool "Upstream version" >> + select BR2_ROOTFS_MERGED_USR > > I wonder if this is the proper solution. I would have rather though of > depends on rather than select: I agree. I don't think anything in the system/Config.in menu should be select'ed by packages. Currently we do select BR2_TARGET_TZ_INFO, and I'm not even sure if that is such a good idea. > diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in > index 0e72b895df..c413c1244b 100644 > --- a/package/refpolicy/Config.in > +++ b/package/refpolicy/Config.in 
> @@ -32,13 +32,17 @@ if BR2_PACKAGE_REFPOLICY > > choice > prompt "Refpolicy version" > - default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION > + default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION if BR2_ROOTFS_MERGED_USR This is not great however... If merged /usr is not selected, it will default to git, which is not exactly a good default. But there's not much we can do about that I guess. Regards, Arnout > > config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION > bool "Upstream version" > + depends on BR2_ROOTFS_MERGED_USR > help > Use the refpolicy as provided by Buildroot. > > +comment "upstream refpolicy needs merged /usr" > + depends on !BR2_ROOTFS_MERGED_USR > + > config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT > bool "Custom git repository" > help > > Not totally sure either ways, though... > > Regards, > Yann E. MORIN. > >> help >> Use the refpolicy as provided by Buildroot. >> >> -- >> 2.41.0 >> >> _______________________________________________ >> buildroot mailing list >> buildroot@buildroot.org >> https://lists.buildroot.org/mailman/listinfo/buildroot > _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 4+ messages in thread