[Buildroot] [PATCH 00/13] selinux-packages: bump to 3.7

[Buildroot] [PATCH 00/13] selinux-packages: bump to 3.7

[Adam Duskett]

No large changes other than the following:
  - setools 0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
    needed to be refactored to work with 4.5.1

  - The audit package needed to be cleaned up and a new init.d service file
    added.

Other than those two things, it's a very straight-forward patch series.

All SELinux unit tests pass.

Adam Duskett (13):
  package/libsepol: bump version to 3.7
  package/libsemanage: bump version to 3.7
  package/libselinux: bump version to 3.7
  package/policycoreutils: bump version to 3.7
  package/checkpolicy: bump version to 3.7
  package/restorecond: bump version to 3.7
  package/semodule-utils: bump to version 3.7
  package/selinux-python: bump to version 3.7
  package/setools: bump version to 4.5.1
  package/refpolicy: bump version to 2.20240226
  package/polkit: bump version to 125
  package/audit/S02auditd: fix shellcheck and check-package warnings
  package/audit: bump version to 4.0.2

 package/audit/S02auditd                       | 80 ---------------
 package/audit/S02augenrules                   | 31 ++++++
 package/audit/S03auditd                       | 82 ++++++++++++++++
 package/audit/audit.hash                      |  2 +-
 package/audit/audit.mk                        | 20 ++--
 package/checkpolicy/checkpolicy.hash          |  2 +-
 package/checkpolicy/checkpolicy.mk            |  2 +-
 package/libselinux/libselinux.hash            |  2 +-
 package/libselinux/libselinux.mk              |  2 +-
 package/libsemanage/libsemanage.hash          |  2 +-
 package/libsemanage/libsemanage.mk            |  2 +-
 package/libsepol/libsepol.hash                |  2 +-
 package/libsepol/libsepol.mk                  |  2 +-
 package/policycoreutils/policycoreutils.hash  |  2 +-
 package/policycoreutils/policycoreutils.mk    |  2 +-
 package/polkit/polkit.hash                    |  2 +-
 package/polkit/polkit.mk                      |  4 +-
 package/refpolicy/refpolicy.hash              |  2 +-
 package/refpolicy/refpolicy.mk                |  2 +-
 package/restorecond/restorecond.hash          |  2 +-
 package/restorecond/restorecond.mk            |  2 +-
 package/selinux-python/selinux-python.hash    |  2 +-
 package/selinux-python/selinux-python.mk      |  2 +-
 package/semodule-utils/semodule-utils.hash    |  2 +-
 package/semodule-utils/semodule-utils.mk      |  2 +-
 ...e-setools.InfoFlowAnalysis-and-setoo.patch | 98 +++++++------------
 package/setools/setools.hash                  |  2 +-
 package/setools/setools.mk                    |  2 +-
 28 files changed, 181 insertions(+), 178 deletions(-)
 delete mode 100644 package/audit/S02auditd
 create mode 100644 package/audit/S02augenrules
 create mode 100644 package/audit/S03auditd

-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 01/13] package/libsepol: bump version to 3.7

[Adam Duskett]

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/libsepol/libsepol.hash | 2 +-
 package/libsepol/libsepol.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libsepol/libsepol.hash b/package/libsepol/libsepol.hash
index 1369d820e1..dcc67ac638 100644
--- a/package/libsepol/libsepol.hash
+++ b/package/libsepol/libsepol.hash
@@ -1,5 +1,5 @@
 # From: https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  c9dc585ea94903d784d597c861cd5dce6459168f95e22b31a0eab1cdd800975a  libsepol-3.6.tar.gz
+sha256  cd741e25244e7ef6cd934d633614131a266c3eaeab33d8bfa45e8a93b45cc901  libsepol-3.7.tar.gz
 
 # Hash for license file
 sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  LICENSE
diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
index 6361cc66bc..af14778ead 100644
--- a/package/libsepol/libsepol.mk
+++ b/package/libsepol/libsepol.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBSEPOL_VERSION = 3.6
+LIBSEPOL_VERSION = 3.7
 LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(LIBSEPOL_VERSION)
 LIBSEPOL_LICENSE = LGPL-2.1+
 LIBSEPOL_LICENSE_FILES = LICENSE
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 02/13] package/libsemanage: bump version to 3.7

[Adam Duskett]

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/libsemanage/libsemanage.hash | 2 +-
 package/libsemanage/libsemanage.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libsemanage/libsemanage.hash b/package/libsemanage/libsemanage.hash
index 862e49f52e..4d1b2161da 100644
--- a/package/libsemanage/libsemanage.hash
+++ b/package/libsemanage/libsemanage.hash
@@ -1,5 +1,5 @@
 # From: https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  41138f46222439e1242f27c1587e95cf54a059259aaf1681db642cc30c4e0d60  libsemanage-3.6.tar.gz
+sha256  e166cae29a417dab008db9ca0874023f353a3017b07693a036ed97487eda35b1  libsemanage-3.7.tar.gz
 
 # Hash for license file
 sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  LICENSE
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index 7742e7060c..cf9e9c46fa 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBSEMANAGE_VERSION = 3.6
+LIBSEMANAGE_VERSION = 3.7
 LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(LIBSEMANAGE_VERSION)
 LIBSEMANAGE_LICENSE = LGPL-2.1+
 LIBSEMANAGE_LICENSE_FILES = LICENSE
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 03/13] package/libselinux: bump version to 3.7

[Adam Duskett]

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/libselinux/libselinux.hash | 2 +-
 package/libselinux/libselinux.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libselinux/libselinux.hash b/package/libselinux/libselinux.hash
index 4e0a2ca317..fac9d3cef2 100644
--- a/package/libselinux/libselinux.hash
+++ b/package/libselinux/libselinux.hash
@@ -1,5 +1,5 @@
 # From: https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  ba4e0ef34b270e7672a5e5f1b523fe2beab3a40bb33d9389f4ad3a8728f21b52  libselinux-3.6.tar.gz
+sha256  ea03f42d13a4f95757997dba8cf0b26321fac5d2f164418b4cc856a92d2b17bd  libselinux-3.7.tar.gz
 
 # Hash for license file
 sha256  86657b4c0fe868d7cbd977cb04c63b6c667e08fa51595a7bc846ad4bed8fc364  LICENSE
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
index f07498d739..360ab063ca 100644
--- a/package/libselinux/libselinux.mk
+++ b/package/libselinux/libselinux.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBSELINUX_VERSION = 3.6
+LIBSELINUX_VERSION = 3.7
 LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(LIBSELINUX_VERSION)
 LIBSELINUX_LICENSE = Public Domain
 LIBSELINUX_LICENSE_FILES = LICENSE
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 04/13] package/policycoreutils: bump version to 3.7

[Adam Duskett]

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/policycoreutils/policycoreutils.hash | 2 +-
 package/policycoreutils/policycoreutils.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
index ea45116912..661c1285e8 100644
--- a/package/policycoreutils/policycoreutils.hash
+++ b/package/policycoreutils/policycoreutils.hash
@@ -1,3 +1,3 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  a76ac431ea40a35a83164ce9007909c1c6c12fd1056627f622144e4a705c0a2c  policycoreutils-3.6.tar.gz
+sha256  58fe4e481edfb4456c114925442e11389df17394925acdba3de211145ce5ea98  policycoreutils-3.7.tar.gz
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index 714e2d7ad6..2b53c56e49 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-POLICYCOREUTILS_VERSION = 3.6
+POLICYCOREUTILS_VERSION = 3.7
 POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(POLICYCOREUTILS_VERSION)
 POLICYCOREUTILS_LICENSE = GPL-2.0
 POLICYCOREUTILS_LICENSE_FILES = LICENSE
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 05/13] package/checkpolicy: bump version to 3.7

[Adam Duskett]

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/checkpolicy/checkpolicy.hash | 2 +-
 package/checkpolicy/checkpolicy.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/checkpolicy/checkpolicy.hash b/package/checkpolicy/checkpolicy.hash
index d2ecc7265a..e768a80cdf 100644
--- a/package/checkpolicy/checkpolicy.hash
+++ b/package/checkpolicy/checkpolicy.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  1b346b3cdd4f8a78a157627bad64a3b3479c67b6a19d15e6d5c8694620eadbc1  checkpolicy-3.6.tar.gz
+sha256  fd3e1925477d49946d1116938661af44c1f86f0d681466fd9f02eaa06002a07f  checkpolicy-3.7.tar.gz
 
 # Hash for license file
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
index 109aaf6072..adf125ebf8 100644
--- a/package/checkpolicy/checkpolicy.mk
+++ b/package/checkpolicy/checkpolicy.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CHECKPOLICY_VERSION = 3.6
+CHECKPOLICY_VERSION = 3.7
 CHECKPOLICY_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(CHECKPOLICY_VERSION)
 CHECKPOLICY_LICENSE = GPL-2.0
 CHECKPOLICY_LICENSE_FILES = LICENSE
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 06/13] package/restorecond: bump version to 3.7

[Adam Duskett]

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/restorecond/restorecond.hash | 2 +-
 package/restorecond/restorecond.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/restorecond/restorecond.hash b/package/restorecond/restorecond.hash
index 5b86afdcc0..34847f28f1 100644
--- a/package/restorecond/restorecond.hash
+++ b/package/restorecond/restorecond.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  8f8aa2c6c66bcc6d91c6edd63913e5d738de6428928f27d1019d89c31cf347b1  restorecond-3.6.tar.gz
+sha256  4192595c08c775ff540f5ab850885ce11b132a4a4e29b65f20e751dd0a69d31f  restorecond-3.7.tar.gz
 
 # Hash for license file
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/restorecond/restorecond.mk b/package/restorecond/restorecond.mk
index 93495d8b7f..4624b9204d 100644
--- a/package/restorecond/restorecond.mk
+++ b/package/restorecond/restorecond.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-RESTORECOND_VERSION = 3.6
+RESTORECOND_VERSION = 3.7
 RESTORECOND_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(RESTORECOND_VERSION)
 RESTORECOND_LICENSE = GPL-2.0
 RESTORECOND_LICENSE_FILES = LICENSE
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 07/13] package/semodule-utils: bump to version 3.7

[Adam Duskett]

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/semodule-utils/semodule-utils.hash | 2 +-
 package/semodule-utils/semodule-utils.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/semodule-utils/semodule-utils.hash b/package/semodule-utils/semodule-utils.hash
index 5e7d698f3b..296f7fe137 100644
--- a/package/semodule-utils/semodule-utils.hash
+++ b/package/semodule-utils/semodule-utils.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  eedb88f2b2124e538f2d614be063c0d9ac3eacc0c51a4da44500ca1ed1ba16f4  semodule-utils-3.6.tar.gz
+sha256  db0641aeafefec46612c7c2ddd33ef1060bb721ce64842d2a96c33dddb5eb176  semodule-utils-3.7.tar.gz
 
 # Hash for license file
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/semodule-utils/semodule-utils.mk b/package/semodule-utils/semodule-utils.mk
index b58f7535f1..c9d3af4509 100644
--- a/package/semodule-utils/semodule-utils.mk
+++ b/package/semodule-utils/semodule-utils.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SEMODULE_UTILS_VERSION = 3.6
+SEMODULE_UTILS_VERSION = 3.7
 SEMODULE_UTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(SEMODULE_UTILS_VERSION)
 SEMODULE_UTILS_LICENSE = GPL-2.0
 SEMODULE_UTILS_LICENSE_FILES = LICENSE
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 08/13] package/selinux-python: bump to version 3.7

[Adam Duskett]

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/selinux-python/selinux-python.hash | 2 +-
 package/selinux-python/selinux-python.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/selinux-python/selinux-python.hash b/package/selinux-python/selinux-python.hash
index 96be214fd3..9cf1fee97e 100644
--- a/package/selinux-python/selinux-python.hash
+++ b/package/selinux-python/selinux-python.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  e2867d4cd26f9869c55216cc20ca7d10442491a0fbf256116ade99ec39426ec0  selinux-python-3.6.tar.gz
+sha256  630b2ad50e017a06a81d4f94312bee85465a93cb050a7536c728055de9a41a2b  selinux-python-3.7.tar.gz
 
 # Hash for license file
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/selinux-python/selinux-python.mk b/package/selinux-python/selinux-python.mk
index 84fc9cbc22..3ea461b37e 100644
--- a/package/selinux-python/selinux-python.mk
+++ b/package/selinux-python/selinux-python.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SELINUX_PYTHON_VERSION = 3.6
+SELINUX_PYTHON_VERSION = 3.7
 SELINUX_PYTHON_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(SELINUX_PYTHON_VERSION)
 SELINUX_PYTHON_LICENSE = GPL-2.0
 SELINUX_PYTHON_LICENSE_FILES = LICENSE
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 09/13] package/setools: bump version to 4.5.1

[Adam Duskett]

Refresh 0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch to
apply cleanly with 4.5.1.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 ...e-setools.InfoFlowAnalysis-and-setoo.patch | 98 +++++++------------
 package/setools/setools.hash                  |  2 +-
 package/setools/setools.mk                    |  2 +-
 3 files changed, 35 insertions(+), 67 deletions(-)

diff --git a/package/setools/0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch b/package/setools/0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
index 67c306e99c..67a7395c3c 100644
--- a/package/setools/0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
+++ b/package/setools/0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
@@ -15,51 +15,50 @@ sedta and seinfoflow to require python3-networkx
 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 [Refreshed for 4.3.0]
 Signed-off-by: Adam Duskett <aduskett@gmail.com>
-[Refreshed for 4.4.2]
+[Refreshed for 4.5.1]
+Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
 ---
- sedta                       | 3 ++-
- seinfoflow                  | 5 +++--
- setools/__init__.py         | 4 ++--
- setoolsgui/apol/dta.py      | 2 +-
- setoolsgui/apol/infoflow.py | 2 +-
- tests/test_dta.py           | 2 +-
- tests/test_infoflow.py      | 2 +-
- 7 files changed, 11 insertions(+), 9 deletions(-)
+ sedta                  | 3 ++-
+ seinfoflow             | 5 +++--
+ setools/__init__.py    | 2 +-
+ tests/test_dta.py      | 2 +-
+ tests/test_infoflow.py | 2 +-
+ 5 files changed, 8 insertions(+), 6 deletions(-)
 
 diff --git a/sedta b/sedta
-index ffd9ede..4c53825 100755
+index 9b580fc..bec89d4 100755
 --- a/sedta
 +++ b/sedta
-@@ -10,6 +10,7 @@ import logging
- import signal
+@@ -12,6 +12,7 @@ import warnings
  
+ import networkx as nx
  import setools
 +import setools.dta
  
  
- def print_transition(trans: setools.DomainTransition) -> None:
-@@ -104,7 +105,7 @@ else:
+ signal.signal(signal.SIGPIPE, signal.SIG_DFL)
+@@ -68,7 +69,7 @@ else:
  
  try:
      p = setools.SELinuxPolicy(args.policy)
--    g = setools.DomainTransitionAnalysis(p, reverse=args.reverse, exclude=args.exclude)
-+    g = setools.dta.DomainTransitionAnalysis(p, reverse=args.reverse, exclude=args.exclude)
+-    g = setools.DomainTransitionAnalysis(p, exclude=args.exclude)
++    g = setools.dta.DomainTransitionAnalysis(p, exclude=args.exclude)
  
-     if args.shortest_path or args.all_paths:
-         if args.shortest_path:
+     pathnum: int = 0
+     path: setools.DTAPath
 diff --git a/seinfoflow b/seinfoflow
-index 5f4e764..a27b781 100755
+index b4ad328..61f1ef5 100755
 --- a/seinfoflow
 +++ b/seinfoflow
-@@ -5,6 +5,7 @@
- #
+@@ -13,6 +13,7 @@ from typing import Dict, Optional
  
+ import networkx as nx
  import setools
 +import setools.infoflow
- import argparse
- import sys
- import logging
-@@ -94,8 +95,8 @@ elif args.booleans is not None:
+ 
+ signal.signal(signal.SIGPIPE, signal.SIG_DFL)
+ 
+@@ -104,8 +105,8 @@ elif args.booleans is not None:
  try:
      p = setools.SELinuxPolicy(args.policy)
      m = setools.PermissionMap(args.map)
@@ -68,54 +67,23 @@ index 5f4e764..a27b781 100755
 +    g = setools.infoflow.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude,
 +                                          booleans=booleans)
  
-     if args.shortest_path or args.all_paths:
-         if args.shortest_path:
+     flownum: int = 0
+     flow: setools.InfoFlowPath
 diff --git a/setools/__init__.py b/setools/__init__.py
-index ad9b36a..2bde01b 100644
+index 1efd2cc..fe54ab2 100644
 --- a/setools/__init__.py
 +++ b/setools/__init__.py
-@@ -77,11 +77,11 @@ from .pcideviceconquery import PcideviceconQuery
- from .devicetreeconquery import DevicetreeconQuery
- 
- # Information Flow Analysis
--from .infoflow import InfoFlowAnalysis
-+# from .infoflow import InfoFlowAnalysis
+@@ -81,7 +81,7 @@ from .infoflow import *
  from .permmap import PermissionMap, RuleWeight, Mapping
  
  # Domain Transition Analysis
--from .dta import DomainTransitionAnalysis, DomainEntrypoint, DomainTransition
-+# from .dta import DomainTransitionAnalysis, DomainEntrypoint, DomainTransition
+-from .dta import *
++# from .dta import *
  
  # Policy difference
  from .diff import PolicyDifference
-diff --git a/setoolsgui/apol/dta.py b/setoolsgui/apol/dta.py
-index a78d960..e71c70a 100644
---- a/setoolsgui/apol/dta.py
-+++ b/setoolsgui/apol/dta.py
-@@ -11,7 +11,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
- from PyQt5.QtGui import QPalette, QTextCursor
- from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \
-     QTreeWidgetItem
--from setools import DomainTransitionAnalysis
-+from setools.dta import DomainTransitionAnalysis
- 
- from ..logtosignal import LogHandlerToSignal
- from .analysistab import AnalysisSection, AnalysisTab
-diff --git a/setoolsgui/apol/infoflow.py b/setoolsgui/apol/infoflow.py
-index fb9b409..738f1b8 100644
---- a/setoolsgui/apol/infoflow.py
-+++ b/setoolsgui/apol/infoflow.py
-@@ -13,7 +13,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
- from PyQt5.QtGui import QPalette, QTextCursor
- from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \
-     QTreeWidgetItem
--from setools import InfoFlowAnalysis
-+from setools.infoflow import InfoFlowAnalysis
- from setools.exception import UnmappedClass, UnmappedPermission
- 
- from ..logtosignal import LogHandlerToSignal
 diff --git a/tests/test_dta.py b/tests/test_dta.py
-index 7f9bbc9..48338c5 100644
+index 2398b3f..b943bd6 100644
 --- a/tests/test_dta.py
 +++ b/tests/test_dta.py
 @@ -5,7 +5,7 @@
@@ -128,7 +96,7 @@ index 7f9bbc9..48338c5 100644
  from setools.exception import InvalidType
  from setools.policyrep import Type
 diff --git a/tests/test_infoflow.py b/tests/test_infoflow.py
-index 5a8f745..e25993b 100644
+index ba2983f..9cd6ab3 100644
 --- a/tests/test_infoflow.py
 +++ b/tests/test_infoflow.py
 @@ -5,7 +5,7 @@
@@ -141,5 +109,5 @@ index 5a8f745..e25993b 100644
  from setools.exception import InvalidType
  from setools.permmap import PermissionMap
 -- 
-2.26.2
+2.46.0
 
diff --git a/package/setools/setools.hash b/package/setools/setools.hash
index bb98231de9..26b893c09e 100644
--- a/package/setools/setools.hash
+++ b/package/setools/setools.hash
@@ -1,5 +1,5 @@
 # Locally computed
-sha256  92afeea2f2433cbb981ff47f6ce4e2485d9202b530842f7f5d95f905b2ddaea4  setools-4.4.4.tar.gz
+sha256  3fc1d663bbe00e3e2c3f97b371ff55b468e70d7965908cfde35ccc8e55bb2491  setools-4.5.1.tar.gz
 sha256  0e58d74751e394f39748c7b7b4039d6a883b5def9711160668ba962b52e69e01  COPYING
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING.GPL
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LGPL
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
index 1ffc2852d2..81ae11d004 100644
--- a/package/setools/setools.mk
+++ b/package/setools/setools.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SETOOLS_VERSION = 4.4.4
+SETOOLS_VERSION = 4.5.1
 SETOOLS_SITE = $(call github,SELinuxProject,setools,$(SETOOLS_VERSION))
 SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-flex host-python-cython host-swig
 SETOOLS_INSTALL_STAGING = YES
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 10/13] package/refpolicy: bump version to 2.20240226

[Adam Duskett]

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/refpolicy/refpolicy.hash | 2 +-
 package/refpolicy/refpolicy.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
index 70d1acc9af..5e876d4a43 100644
--- a/package/refpolicy/refpolicy.hash
+++ b/package/refpolicy/refpolicy.hash
@@ -1,5 +1,5 @@
 # From https://github.com/SELinuxProject/refpolicy/releases
-sha256  c89cd3b2e5d99765cc24536fd8e76de83951ad23e05472350328b5a4f8bee410  refpolicy-2.20231002.tar.bz2
+sha256  7ed41f4f45189b9ee9706da8ac357eccc103651b56daabaddb54c436e8117cf9  refpolicy-2.20240226.tar.bz2
 
 # Locally computed
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index fb1c213b84..74ccb79624 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -23,7 +23,7 @@ REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
 REFPOLICY_SITE_METHOD = git
 BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE)
 else
-REFPOLICY_VERSION = 2.20231002
+REFPOLICY_VERSION = 2.20240226
 REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
 REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION))
 endif
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 11/13] package/polkit: bump version to 125

[Adam Duskett]

Also, change the url to https://github.com/polkit-org/polkit as
https://gitlab.freedesktop.org/polkit/polkit The new address of the codebase
for the polkit project points to the github URL.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/polkit/polkit.hash | 2 +-
 package/polkit/polkit.mk   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/polkit/polkit.hash b/package/polkit/polkit.hash
index 5eadc89753..a3855adecd 100644
--- a/package/polkit/polkit.hash
+++ b/package/polkit/polkit.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  b69278f6ea0eac406350c45f5720e2fe5e4beaf9f53c16d9902e025965418864  polkit-123.tar.gz
+sha256  ea5cd6e6e2afa6bad938ee770bf0c2cd9317910f37956faeba2869adcf3747d1  polkit-125.tar.gz
 sha256  d2e2aa973e29c75e1b492e67ea7b7da9de2d501d49a934657971fd74f9a0b0a8  COPYING
diff --git a/package/polkit/polkit.mk b/package/polkit/polkit.mk
index cdbbf8f9b0..fb49f6ce2a 100644
--- a/package/polkit/polkit.mk
+++ b/package/polkit/polkit.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-POLKIT_VERSION = 123
-POLKIT_SITE = https://gitlab.freedesktop.org/polkit/polkit/-/archive/$(POLKIT_VERSION)
+POLKIT_VERSION = 125
+POLKIT_SITE = $(call github,polkit-org,polkit,$(POLKIT_VERSION))
 POLKIT_LICENSE = GPL-2.0
 POLKIT_LICENSE_FILES = COPYING
 POLKIT_CPE_ID_VALID = YES
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 11/13] package/polkit: bump version to 125

[Romain Naour via buildroot]

Hello Adam, All,

Le 16/09/2024 à 17:12, Adam Duskett a écrit :
> Also, change the url to https://github.com/polkit-org/polkit as
> https://gitlab.freedesktop.org/polkit/polkit The new address of the codebase
> for the polkit project points to the github URL.

TestPolkitInitd fail since the polkit version bump to 125 [1]

It seems an upstream issue under investigation [2].

[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/8199992596
[2] https://github.com/polkit-org/polkit/issues/451

Best regards,
Romain



> 
> Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
> ---
>  package/polkit/polkit.hash | 2 +-
>  package/polkit/polkit.mk   | 4 ++--
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/polkit/polkit.hash b/package/polkit/polkit.hash
> index 5eadc89753..a3855adecd 100644
> --- a/package/polkit/polkit.hash
> +++ b/package/polkit/polkit.hash
> @@ -1,3 +1,3 @@
>  # Locally calculated
> -sha256  b69278f6ea0eac406350c45f5720e2fe5e4beaf9f53c16d9902e025965418864  polkit-123.tar.gz
> +sha256  ea5cd6e6e2afa6bad938ee770bf0c2cd9317910f37956faeba2869adcf3747d1  polkit-125.tar.gz
>  sha256  d2e2aa973e29c75e1b492e67ea7b7da9de2d501d49a934657971fd74f9a0b0a8  COPYING
> diff --git a/package/polkit/polkit.mk b/package/polkit/polkit.mk
> index cdbbf8f9b0..fb49f6ce2a 100644
> --- a/package/polkit/polkit.mk
> +++ b/package/polkit/polkit.mk
> @@ -4,8 +4,8 @@
>  #
>  ################################################################################
>  
> -POLKIT_VERSION = 123
> -POLKIT_SITE = https://gitlab.freedesktop.org/polkit/polkit/-/archive/$(POLKIT_VERSION)
> +POLKIT_VERSION = 125
> +POLKIT_SITE = $(call github,polkit-org,polkit,$(POLKIT_VERSION))
>  POLKIT_LICENSE = GPL-2.0
>  POLKIT_LICENSE_FILES = COPYING
>  POLKIT_CPE_ID_VALID = YES

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 12/13] package/audit/S02auditd: fix shellcheck and check-package warnings

[Adam Duskett]

Tested with qemu_x86_64_defconfig. start, stop, restart, reload, and rotate
all work with busybox ash shell.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/audit/S02auditd | 44 ++++++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 20 deletions(-)

diff --git a/package/audit/S02auditd b/package/audit/S02auditd
index dd3dc22d6d..b23c49a125 100644
--- a/package/audit/S02auditd
+++ b/package/audit/S02auditd
@@ -8,27 +8,22 @@
 #              will be sent to syslog.
 #
 
-NAME=auditd
-DAEMON=/usr/sbin/${NAME}
-CONFIG=/etc/audit/auditd.conf
-PIDFILE=/var/run/${NAME}.pid
+DAEMON="auditd"
+PIDFILE="/var/run/${DAEMON}.pid"
 
 start(){
-	printf "Starting ${NAME}: "
+	printf "Starting %s: " "${DAEMON}"
 
 	# Create dir to store log files in if one doesn't exist. Create
 	# the directory with SELinux permissions if possible
-	command -v selabel_lookup >/dev/null 2>&1
-	if [ $? = 0 ]; then
-		mkdir -p /var/log/audit -Z `selabel_lookup -b file -k /var/log/audit | cut -d ' ' -f 3`
+	if command -v selabel_lookup >/dev/null 2>&1; then
+		mkdir -p /var/log/audit -Z "$(selabel_lookup -b file -k /var/log/audit | cut -d ' ' -f 3)"
 	else
 		mkdir -p /var/log/audit
 	fi
 
 	# Run audit daemon executable
-	start-stop-daemon -S -q -p ${PIDFILE} --exec ${DAEMON}
-
-	if [ $? = 0 ]; then
+	if start-stop-daemon -S -q -p "${PIDFILE}" --exec /usr/sbin/"${DAEMON}"; then
 		# Load the default rules
 		test -f /etc/audit/rules.d/audit.rules && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules >/dev/null
 		echo "OK"
@@ -38,22 +33,31 @@ start(){
 }
 
 stop(){
-	printf "Stopping ${NAME}: "
+	printf "Stopping %s: " "${DAEMON}"
 
-	start-stop-daemon -K -q -p ${PIDFILE}
-	[ $? = 0 ] && echo "OK" || echo "FAIL"
+	if start-stop-daemon -K -q -p "${PIDFILE}"; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
 }
 
 reload(){
-	printf "Reloading ${NAME} configuration: "
-	start-stop-daemon --stop -s 1 -p ${PIDFILE} 1>/dev/null
-	[ $? = 0 ] && echo "OK" || echo "FAIL"
+	printf "Reloading %s configuration: " "${DAEMON}"
+	if start-stop-daemon --stop -s 1 -p "${PIDFILE}" 1>/dev/nulll; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
 }
 
 rotate(){
-	printf "Rotating ${NAME} logs: "
-	start-stop-daemon --stop -s 10 -p ${PIDFILE} 1>/dev/null
-	[ $? = 0 ] && echo "OK" || echo "FAIL"
+	printf "Rotating %s logs: " "${DAEMON}"
+	if start-stop-daemon --stop -s 10 -p "${PIDFILE}" 1>/dev/null; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
 }
 
 case "$1" in
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 12/13] package/audit/S02auditd: fix shellcheck and check-package warnings

[Thomas Petazzoni via buildroot]

Hello Adam,

On Mon, 16 Sep 2024 17:12:05 +0200
Adam Duskett <adam.duskett@amarulasolutions.com> wrote:

> Tested with qemu_x86_64_defconfig. start, stop, restart, reload, and rotate
> all work with busybox ash shell.
> 
> Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
> ---
>  package/audit/S02auditd | 44 ++++++++++++++++++++++-------------------
>  1 file changed, 24 insertions(+), 20 deletions(-)

Thanks for this rework. As part of this, could you rework S02auditd to
follow the canonical example of package/busybox/S01syslogd ? There's
been an effort from Fiona to start aligning our init scripts, and this
effort is really good, so I'd rather see rework of other init scripts
go in the direction that Fiona has initiated.

I've added Fiona in the loop so that hopefully she can help if your
specific init script raises some specific questions.

Thanks a lot!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 12/13] package/audit/S02auditd: fix shellcheck and check-package warnings

[Fiona Klute via buildroot]

Hi Adam, Thomas!

Am 26.10.24 um 18:09 schrieb Thomas Petazzoni:
> Hello Adam,
>
> On Mon, 16 Sep 2024 17:12:05 +0200
> Adam Duskett <adam.duskett@amarulasolutions.com> wrote:
>
>> Tested with qemu_x86_64_defconfig. start, stop, restart, reload, and rotate
>> all work with busybox ash shell.
>>
>> Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
>> ---
>>   package/audit/S02auditd | 44 ++++++++++++++++++++++-------------------
>>   1 file changed, 24 insertions(+), 20 deletions(-)
>
> Thanks for this rework. As part of this, could you rework S02auditd to
> follow the canonical example of package/busybox/S01syslogd ? There's
> been an effort from Fiona to start aligning our init scripts, and this
> effort is really good, so I'd rather see rework of other init scripts
> go in the direction that Fiona has initiated.
>
> I've added Fiona in the loop so that hopefully she can help if your
> specific init script raises some specific questions.
I took a look at that patch [1], general issues I see:

* Critical (though pre-existing, just restructured in the patch): reload
and rotate use numeric signals. 1 seems to be pretty consistent (HUP),
but according to signal(7) 10 can actually have different meanings
across different architectures. Use the symbolic names instead, both to
make sure you get the right one and for readability. Or maybe it'd make
sense to use auditctl?

* There's a "/dev/nulll" in the reload function.

For the canonical style, things to consider:

* On stop, check that the daemon process is actually gone before
returning. Otherwise restart might fail because the new instance is
started before the old one has actually stopped (I've seen that with a
lot of services).

* Action functions should return a success (or failure) code, usually
the return code of the relevant start-stop-daemon action, and the last
one should be the return code of the init script. That way it's possible
to check success when calling the init script from automated tools (e.g.
other scripts).

* Use long form options where possible for clarity.

While you're tidying up the script, it might be good to break some of
the very long lines, too.

I guess I should put some of the above into the docs some time. :-)

Best regards,
Fiona

[1]
https://patchwork.ozlabs.org/project/buildroot/patch/20240916151206.947484-13-adam.duskett@amarulasolutions.com/
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 13/13] package/audit: bump version to 4.0.2

[Adam Duskett]

In addition, audit 4.x now provides two service files:
 - audit-rules.service
 - auditd.service, which depends on audit-rules.service

audit-rules.service is a one-shot service that runs augenrules --load.
To keep audit compatible with sysvinit-based systems, create a new file,
S02augenrules, and move S02auditd to S03auditd. This change keeps the basic
format of the systemd provided service files for ease of maintance.

Other changes:
 - The --without-python option is no longer present.
 - There is no longer a --enable/--disable-systemd option.
 - audit.rules are no longer autogenerated on startup. As such, the RedHat
   rpm .spec logic is copied, and $(@D)/rules/10-base-config.rules is copied
   to $(TARGET_DIR)/etc/audit/rules.d/audit.rules as part of the
   POST_INSTALL_TARGET_HOOKS. If /etc/audit/rules.d/audit.rules does not exit
   on the target, auditd fails to run. This change is also a bonus for
   read-only systems and the audit.rules file is guaranteed to be on the system.

Tested with qemu_x86_64_defconfig and running checking if audit is running
properly.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/audit/S02augenrules            | 31 ++++++++++++++++++++++++++
 package/audit/{S02auditd => S03auditd} |  4 +---
 package/audit/audit.hash               |  2 +-
 package/audit/audit.mk                 | 20 +++++++++--------
 4 files changed, 44 insertions(+), 13 deletions(-)
 create mode 100644 package/audit/S02augenrules
 rename package/audit/{S02auditd => S03auditd} (87%)

diff --git a/package/audit/S02augenrules b/package/audit/S02augenrules
new file mode 100644
index 0000000000..70342a231c
--- /dev/null
+++ b/package/audit/S02augenrules
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# audi       This starts and stops auditd
+#
+# description: This starts the Linux Auditing System Daemon,
+#              which collects security related events in a dedicated
+#              audit log. If this daemon is turned off, audit events
+#              will be sent to syslog.
+#
+
+DAEMON="augenrules"
+
+start(){
+	printf "Starting %s: " "${DAEMON}"
+	# Run audit daemon executable
+	if /usr/sbin/"${DAEMON}" --load > /dev/null 2>&1; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+}
+
+case "$1" in
+	start)
+		start
+		;;
+	*)
+		echo "Usage: $0 {start}"
+		exit 1
+		;;
+esac
diff --git a/package/audit/S02auditd b/package/audit/S03auditd
similarity index 87%
rename from package/audit/S02auditd
rename to package/audit/S03auditd
index b23c49a125..9b3f633812 100644
--- a/package/audit/S02auditd
+++ b/package/audit/S03auditd
@@ -23,9 +23,7 @@ start(){
 	fi
 
 	# Run audit daemon executable
-	if start-stop-daemon -S -q -p "${PIDFILE}" --exec /usr/sbin/"${DAEMON}"; then
-		# Load the default rules
-		test -f /etc/audit/rules.d/audit.rules && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules >/dev/null
+	if start-stop-daemon -S -p "${PIDFILE}" --exec /usr/sbin/"${DAEMON}"; then
 		echo "OK"
 	else
 		echo "FAIL"
diff --git a/package/audit/audit.hash b/package/audit/audit.hash
index 5743b3a13a..6db85f1b33 100644
--- a/package/audit/audit.hash
+++ b/package/audit/audit.hash
@@ -1,4 +1,4 @@
 #Locally computed
-sha256  c0b1792d1f0a88c6f1828710509cbb987059fc68712c97669ca90eae103d287d  audit-3.1.2.tar.gz
+sha256  d5d1b5d50ee4a2d0d17875bc6ae6bd6a7d5b34d9557ea847a39faec531faaa0a  audit-4.0.2.tar.gz
 sha256  32b1062f7da84967e7019d01ab805935caa7ab7321a7ced0e30ebe75e5df1670  COPYING
 sha256  f18a0811fa0e220ccbc42f661545e77f0388631e209585ed582a1c693029c6aa  COPYING.LIB
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
index c703acc559..161c15e70f 100644
--- a/package/audit/audit.mk
+++ b/package/audit/audit.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-AUDIT_VERSION = 3.1.2
+AUDIT_VERSION = 4.0.2
 AUDIT_SITE = http://people.redhat.com/sgrubb/audit
 AUDIT_LICENSE = GPL-2.0+ (programs), LGPL-2.1+ (libraries)
 AUDIT_LICENSE_FILES = COPYING COPYING.LIB
@@ -13,7 +13,7 @@ AUDIT_CPE_ID_PRODUCT = linux_audit
 
 AUDIT_INSTALL_STAGING = YES
 
-AUDIT_CONF_OPTS = --without-python --without-python3 --disable-zos-remote
+AUDIT_CONF_OPTS = --without-python3 --disable-zos-remote
 
 # src/libev has some assembly function that is not present in Thumb mode:
 # Error: selected processor does not support `mcr p15,0,r3,c7,c10,5' in Thumb mode
@@ -40,14 +40,9 @@ ifeq ($(BR2_aarch64),y)
 AUDIT_CONF_OPTS += --with-aarch64
 endif
 
-ifeq ($(BR2_INIT_SYSTEMD),y)
-AUDIT_CONF_OPTS += --enable-systemd
-else
-AUDIT_CONF_OPTS += --disable-systemd
-endif
-
 define AUDIT_INSTALL_INIT_SYSV
-	$(INSTALL) -D -m 755 package/audit/S02auditd $(TARGET_DIR)/etc/init.d/S02auditd
+	$(INSTALL) -D -m 755 package/audit/S02augenrules $(TARGET_DIR)/etc/init.d/S02augenrules
+	$(INSTALL) -D -m 755 package/audit/S03auditd $(TARGET_DIR)/etc/init.d/S03auditd
 endef
 
 define AUDIT_INSTALL_INIT_SYSTEMD
@@ -55,6 +50,13 @@ define AUDIT_INSTALL_INIT_SYSTEMD
 		$(TARGET_DIR)/usr/lib/tmpfiles.d/audit.conf
 endef
 
+define AUDIT_INSTALL_RULES
+	mkdir -p $(TARGET_DIR)/etc/audit/rules.d
+	$(INSTALL) -m 0640 $(@D)/rules/10-base-config.rules \
+		$(TARGET_DIR)/etc/audit/rules.d/audit.rules
+endef
+AUDIT_POST_INSTALL_TARGET_HOOKS += AUDIT_INSTALL_RULES
+
 define AUDIT_INSTALL_CLEANUP
 	$(RM) $(TARGET_DIR)/etc/rc.d/init.d/auditd
 	$(RM) $(TARGET_DIR)/etc/sysconfig/auditd
-- 
2.46.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 13/13] package/audit: bump version to 4.0.2

[Thomas Petazzoni via buildroot]

Hello Adam,

Cc Julien for runtime test, Cc Fiona for init script.

On Mon, 16 Sep 2024 17:12:06 +0200
Adam Duskett <adam.duskett@amarulasolutions.com> wrote:

> In addition, audit 4.x now provides two service files:
>  - audit-rules.service
>  - auditd.service, which depends on audit-rules.service
> 
> audit-rules.service is a one-shot service that runs augenrules --load.
> To keep audit compatible with sysvinit-based systems, create a new file,
> S02augenrules, and move S02auditd to S03auditd. This change keeps the basic
> format of the systemd provided service files for ease of maintance.

I don't follow you here. What do you mean by "keep audit compatible
with sysvinit-based systems" ?

Are you saying that to keep consistency/symmetry with the systemd unit
files, you introduce two separate init scripts, one for augenrules
--load, and one for starting the daemon itself?

> Other changes:
>  - The --without-python option is no longer present.
>  - There is no longer a --enable/--disable-systemd option.
>  - audit.rules are no longer autogenerated on startup. As such, the RedHat
>    rpm .spec logic is copied, and $(@D)/rules/10-base-config.rules is copied
>    to $(TARGET_DIR)/etc/audit/rules.d/audit.rules as part of the
>    POST_INSTALL_TARGET_HOOKS. If /etc/audit/rules.d/audit.rules does not exit

                                                                           ^^^ exists ?

>    on the target, auditd fails to run. This change is also a bonus for
>    read-only systems and the audit.rules file is guaranteed to be on the system.

                       ^^^ as ?

> Tested with qemu_x86_64_defconfig and running checking if audit is running
> properly.

Would be nice to have an audit test case in support/testing :-)

> diff --git a/package/audit/S02augenrules b/package/audit/S02augenrules
> new file mode 100644
> index 0000000000..70342a231c
> --- /dev/null
> +++ b/package/audit/S02augenrules
> @@ -0,0 +1,31 @@
> +#!/bin/sh
> +#
> +# audi       This starts and stops auditd

audi?

This scripts doesn't starts auditd.

> +#
> +# description: This starts the Linux Auditing System Daemon,
> +#              which collects security related events in a dedicated
> +#              audit log. If this daemon is turned off, audit events
> +#              will be sent to syslog.

Nope, this is not what this script does.

> +#
> +
> +DAEMON="augenrules"
> +
> +start(){
> +	printf "Starting %s: " "${DAEMON}"

We're not really starting a daemon here.

> +	# Run audit daemon executable

Nope, this is not what is happening.

> +	if /usr/sbin/"${DAEMON}" --load > /dev/null 2>&1; then
> +		echo "OK"
> +	else
> +		echo "FAIL"
> +	fi
> +}

This init script is kind of special, as it doesn't really start a
service, but does a one-shot action. Could you Cc: the next iteration
to Fiona so that she can review the proposal? Or maybe Fiona can even
review this first iteration.


> +	mkdir -p $(TARGET_DIR)/etc/audit/rules.d

This mkdir -p is useless if you add -D to the following $(INSTALL)
command.

> +	$(INSTALL) -m 0640 $(@D)/rules/10-base-config.rules \
> +		$(TARGET_DIR)/etc/audit/rules.d/audit.rules
> +endef
> +AUDIT_POST_INSTALL_TARGET_HOOKS += AUDIT_INSTALL_RULES

Thanks a lot!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 13/13] package/audit: bump version to 4.0.2

[Julien Olivain]

Hi Thomas, Adam, all,

On 26/10/2024 18:18, Thomas Petazzoni wrote:
> Hello Adam,
> 
> Cc Julien for runtime test, Cc Fiona for init script.
> 
> On Mon, 16 Sep 2024 17:12:06 +0200
> Adam Duskett <adam.duskett@amarulasolutions.com> wrote:
> 

[...]

>> Tested with qemu_x86_64_defconfig and running checking if audit is 
>> running
>> properly.
> 
> Would be nice to have an audit test case in support/testing :-)

Thanks for suggesting a new runtime test! I added this one on
my list.

While I quickly tried to draft something, I've hit the following
issue. Compiling with a (aarch64) Bootlin external toolchain, the
build failed with:

     libaudit.c: In function 'audit_rule_fieldpair_data':
     libaudit.c:1911:22: error: 'AUDIT_SADDR_FAM' undeclared (first use 
in this function); did you mean 'AUDIT_ADD_RULE'?
      1911 |                 case AUDIT_SADDR_FAM:
           |                      ^~~~~~~~~~~~~~~
           |                      AUDIT_ADD_RULE

This build failure is not happening with audit v3.1.2.

This is because the toolchain I used included Kernel headers 4.20.
This AUDIT_SADDR_FAM support was added in Kernel v5.3. See [1].

Also, audit v4.0 removed some definitions in [2]. This commit
claim to raise the Kernel header requirement to 5.0. Unless I missed
something, it seems there is a small discrepancy here (v5.0 ~ v5.3).
There is possibly a bug in the audit code (which should have kept
this definition). The audit code indeed claim kernel >= 5.0, see [3].

Anyways, whatever the exact kernel version is needed, I believe audit
needs a new "depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_x".

Adam, could you have a look at this?

Best regards,

Julien.

[1] 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bf361231c295d92a28ca283ea713f56e93e55796
[2] 
https://github.com/linux-audit/audit-userspace/commit/7e417fd78ae89eef8c512d4f1ded29d58b36f11b
[3] 
https://github.com/linux-audit/audit-userspace/blob/v4.0.2/README.md#build-time-dependencies-for-tar-file
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 13/13] package/audit: bump version to 4.0.2

[Fiona Klute via buildroot]

Am 26.10.24 um 18:18 schrieb Thomas Petazzoni:
> Hello Adam,
>
> Cc Julien for runtime test, Cc Fiona for init script.
>
> On Mon, 16 Sep 2024 17:12:06 +0200
> Adam Duskett <adam.duskett@amarulasolutions.com> wrote:
>
>> In addition, audit 4.x now provides two service files:
>>   - audit-rules.service
>>   - auditd.service, which depends on audit-rules.service
>>
>> audit-rules.service is a one-shot service that runs augenrules --load.
>> To keep audit compatible with sysvinit-based systems, create a new file,
>> S02augenrules, and move S02auditd to S03auditd. This change keeps the basic
>> format of the systemd provided service files for ease of maintance.
>
> I don't follow you here. What do you mean by "keep audit compatible
> with sysvinit-based systems" ?
>
> Are you saying that to keep consistency/symmetry with the systemd unit
> files, you introduce two separate init scripts, one for augenrules
> --load, and one for starting the daemon itself?
>
>> Other changes:
>>   - The --without-python option is no longer present.
>>   - There is no longer a --enable/--disable-systemd option.
>>   - audit.rules are no longer autogenerated on startup. As such, the RedHat
>>     rpm .spec logic is copied, and $(@D)/rules/10-base-config.rules is copied
>>     to $(TARGET_DIR)/etc/audit/rules.d/audit.rules as part of the
>>     POST_INSTALL_TARGET_HOOKS. If /etc/audit/rules.d/audit.rules does not exit
>
>                                                                             ^^^ exists ?
>
>>     on the target, auditd fails to run. This change is also a bonus for
>>     read-only systems and the audit.rules file is guaranteed to be on the system.
>
>                         ^^^ as ?
>
>> Tested with qemu_x86_64_defconfig and running checking if audit is running
>> properly.
>
> Would be nice to have an audit test case in support/testing :-)
>
>> diff --git a/package/audit/S02augenrules b/package/audit/S02augenrules
>> new file mode 100644
>> index 0000000000..70342a231c
>> --- /dev/null
>> +++ b/package/audit/S02augenrules
>> @@ -0,0 +1,31 @@
>> +#!/bin/sh
>> +#
>> +# audi       This starts and stops auditd
>
> audi?
>
> This scripts doesn't starts auditd.
>
>> +#
>> +# description: This starts the Linux Auditing System Daemon,
>> +#              which collects security related events in a dedicated
>> +#              audit log. If this daemon is turned off, audit events
>> +#              will be sent to syslog.
>
> Nope, this is not what this script does.
>
>> +#
>> +
>> +DAEMON="augenrules"
>> +
>> +start(){
>> +	printf "Starting %s: " "${DAEMON}"
>
> We're not really starting a daemon here.
>
>> +	# Run audit daemon executable
>
> Nope, this is not what is happening.
>
>> +	if /usr/sbin/"${DAEMON}" --load > /dev/null 2>&1; then
>> +		echo "OK"
>> +	else
>> +		echo "FAIL"
>> +	fi
>> +}
>
> This init script is kind of special, as it doesn't really start a
> service, but does a one-shot action. Could you Cc: the next iteration
> to Fiona so that she can review the proposal? Or maybe Fiona can even
> review this first iteration.

I'm not that familiar with SELinux, so I have to ask: Is that rule
loading something one might want to do independently of starting auditd,
or is it something that only makes sense if you're using auditd? In the
latter case I think it should stay part of the auditd init script, just
like package/openssh/S50sshd runs host key generation if needed. With
systemd you can define explicit relationships between units, but we
don't have anything of the kind with Busybox init, and implicit
dependencies tend to be confusing & error prone.

If having a separate script makes sense, I agree that the description
needs to be fixed. ;-) And there's the question in how far implementing
other targets make sense, currently I'd expect stop during shutdown to fail.

In general, the nftables script I sent a while ago (unfortunately not
yet merged) is how I think oneshot actions should be handled, in that
case (un-)loading firewall rules:
https://patchwork.ozlabs.org/project/buildroot/patch/20240726162013.2183792-2-fiona.klute@gmx.de/
That series also tidies up the iptables init script for consistency if
you want another example, though in my opinion that script is mostly
useless now because it is by nature IPv4 only, if anyone really wants to
use it they'll need to add ip6tables support (but that's a different
matter).

Best regards,
Fiona

>> +	mkdir -p $(TARGET_DIR)/etc/audit/rules.d
>
> This mkdir -p is useless if you add -D to the following $(INSTALL)
> command.
>
>> +	$(INSTALL) -m 0640 $(@D)/rules/10-base-config.rules \
>> +		$(TARGET_DIR)/etc/audit/rules.d/audit.rules
>> +endef
>> +AUDIT_POST_INSTALL_TARGET_HOOKS += AUDIT_INSTALL_RULES
>
> Thanks a lot!
>
> Thomas

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 13/13] package/audit: bump version to 4.0.2

[Thomas Petazzoni via buildroot]

Hello Fiona,

On Sun, 27 Oct 2024 17:45:29 +0100
Fiona Klute <fiona.klute@gmx.de> wrote:

> > This init script is kind of special, as it doesn't really start a
> > service, but does a one-shot action. Could you Cc: the next iteration
> > to Fiona so that she can review the proposal? Or maybe Fiona can even
> > review this first iteration.  
> 
> I'm not that familiar with SELinux, so I have to ask: Is that rule
> loading something one might want to do independently of starting auditd,
> or is it something that only makes sense if you're using auditd? In the
> latter case I think it should stay part of the auditd init script, just
> like package/openssh/S50sshd runs host key generation if needed. With
> systemd you can define explicit relationships between units, but we
> don't have anything of the kind with Busybox init, and implicit
> dependencies tend to be confusing & error prone.

I don't think it's something that makes sense if you don't start
auditd. I believe the reason to have it in a separate init script was
to mimic how systemd unit files were organized: there is one systemd
unit to load the rules, and one systemd unit file to start auditd.
Whether it makes to mimic this or not can be discussed, but I believe
that's where it comes from.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 00/13] selinux-packages: bump to 3.7

[Thomas Petazzoni via buildroot]

Hello Adam,

On Mon, 16 Sep 2024 17:11:53 +0200
Adam Duskett <adam.duskett@amarulasolutions.com> wrote:

> No large changes other than the following:
>   - setools 0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
>     needed to be refactored to work with 4.5.1
> 
>   - The audit package needed to be cleaned up and a new init.d service file
>     added.
> 
> Other than those two things, it's a very straight-forward patch series.
> 
> All SELinux unit tests pass.

Thanks for having run the unit tests, much appreciated!

> Adam Duskett (13):
>   package/libsepol: bump version to 3.7
>   package/libsemanage: bump version to 3.7
>   package/libselinux: bump version to 3.7
>   package/policycoreutils: bump version to 3.7
>   package/checkpolicy: bump version to 3.7
>   package/restorecond: bump version to 3.7
>   package/semodule-utils: bump to version 3.7
>   package/selinux-python: bump to version 3.7
>   package/setools: bump version to 4.5.1
>   package/refpolicy: bump version to 2.20240226
>   package/polkit: bump version to 125

All those patches applied up to here.

>   package/audit/S02auditd: fix shellcheck and check-package warnings
>   package/audit: bump version to 4.0.2

I'll reply on those two ones.

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot