[Buildroot] [PATCH 00/11] SELinux fixes and updates

[Buildroot] [PATCH 00/11] SELinux fixes and updates

[Thomas Petazzoni via buildroot]

Hello,

This series has 3 patches fixing various build issues with the current
SELinux stack, and then continues with an update of all SELinux
components.

It was verified by running our SELinux runtime tests:

  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/2029530265
  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/2029530263

Best regards,

Thomas

Thomas Petazzoni (11):
  package/libselinux: fix build issues caused by 3.8.1 bump
  package/libsemanage: fix build issue due to basename()
  package/policycoreutils: fix build with musl due to getpass()
  package/libselinux: bump version to 3.9
  package/checkpolicy: bump to version 3.9
  package/libsemanage: bump to version 3.9
  package/libsepol: bump to version 3.9
  package/policycoreutils: bump to version 3.9
  package/restorecond: bump to version 3.9
  package/selinux-python: bump to version 3.9
  package/semodule-utils: bump to version 3.9

 .checkpackageignore                           |  1 -
 package/checkpolicy/checkpolicy.hash          |  2 +-
 package/checkpolicy/checkpolicy.mk            |  2 +-
 package/libselinux/libselinux.hash            |  2 +-
 package/libselinux/libselinux.mk              |  2 +-
 package/libsemanage/libsemanage.hash          |  2 +-
 package/libsemanage/libsemanage.mk            |  2 +-
 .../libsepol/0001-support-static-only.patch   | 52 -------------------
 package/libsepol/libsepol.hash                |  2 +-
 package/libsepol/libsepol.mk                  |  4 +-
 ...-all-paths-that-use-an-absolute-path.patch |  2 +-
 .../0002-Add-PREFIX-to-host-paths.patch       |  2 +-
 package/policycoreutils/Config.in             |  5 +-
 package/policycoreutils/policycoreutils.hash  |  2 +-
 package/policycoreutils/policycoreutils.mk    | 37 ++++---------
 package/restorecond/restorecond.hash          |  2 +-
 package/restorecond/restorecond.mk            |  2 +-
 package/selinux-python/selinux-python.hash    |  2 +-
 package/selinux-python/selinux-python.mk      |  2 +-
 package/semodule-utils/semodule-utils.hash    |  2 +-
 package/semodule-utils/semodule-utils.mk      |  2 +-
 21 files changed, 30 insertions(+), 101 deletions(-)
 delete mode 100644 package/libsepol/0001-support-static-only.patch

-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 01/11] package/libselinux: fix build issues caused by 3.8.1 bump

[Thomas Petazzoni via buildroot]

Since the bump to version 3.8.1 in commit
1ae3ad4e878e1f4217ba3276ff0c9e584234afa4, libselinux fails to build
with at least

- Musl configurations
- RISC-V 32-bit configurations
- OpenRISC configurations

These build failures are due to additional checks on the size of some
data structures:

matchpathcon.c:270:47: error: '__ino_t' undeclared here (not in a function); did you mean 'ino_t'?
  270 | static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
      |                                               ^~~~~~~
      |                                               ino_t
matchpathcon.c:270:15: error: expression in static assertion is not an integer
  270 | static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
      |               ^~~~~~

These issues have been fixed in follow-up upstream commits, which we
backport.

Fixes:

  https://autobuild.buildroot.net/results/00a1ab30cc6b7af503aa96384ba4c4444c217401/ (musl)
  https://autobuild.buildroot.net/results/c8321be687201937bd5eb48b31dfabac12f4e9ea/ (glibc or1k)
  https://autobuild.buildroot.net/results/7b94f44282582d5994f40a741cc0c38bd68b53bd/ (risc-v 32-bit)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 ...con_filespec_add64-if-defined-__INO_.patch | 84 +++++++++++++++++++
 ...-careful-with-non-portable-LFS-macro.patch | 56 +++++++++++++
 2 files changed, 140 insertions(+)
 create mode 100644 package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
 create mode 100644 package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch

diff --git a/package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch b/package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
new file mode 100644
index 0000000000..6573cb1673
--- /dev/null
+++ b/package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
@@ -0,0 +1,84 @@
+From daecc54878e6768b3e6a2b2a0061d2690a63dea4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= <nabijaczleweli@nabijaczleweli.xyz>
+Date: Thu, 20 Mar 2025 16:55:17 +0100
+Subject: [PATCH] Inject matchpathcon_filespec_add64() if
+ !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as
+ proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The __INO_T_MATCHES_INO64_T is defined
+if ino_t would be the same size as ino64_t
+if -D_FILE_OFFSET_BITS=64 were not defined.
+
+This is /exactly/ what
+  /* ABI backwards-compatible shim for non-LFS 32-bit systems */
+  #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
+is trying to get at, but currently fails because x32/RV32 are "LFS"
+with 32-bit longs and 64-bit time_ts natively.
+
+Thus, the
+  static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
+assertion fails (__ino_t is the "kernel ino_t" type,
+which generally corresponds to the kernel's ulong, which is u64 on x32).
+
+glibc headers allow us to check the condition we care about directly.
+
+Fixes: commit 9395cc0322 ("Always build for LFS mode on 32-bit archs.")
+Closes: #463
+Closes: Debian#1098481
+Signed-off-by: наб <nabijaczleweli@nabijaczleweli.xyz>
+Cc: Alba Mendez <me@alba.sh>
+Acked-by: James Carter <jwcart2@gmail.com>
+Upstream: 5c3fcbd931b7f9752b5ce29cec3b6813991d61c0
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ include/selinux/selinux.h | 2 +-
+ src/matchpathcon.c        | 8 ++++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/include/selinux/selinux.h b/include/selinux/selinux.h
+index f3cf5a20..f64896b7 100644
+--- a/include/selinux/selinux.h
++++ b/include/selinux/selinux.h
+@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char *path,
+    with the same inode (e.g. due to multiple hard links).  If so, then
+    use the latter of the two specifications based on their order in the 
+    file contexts configuration.  Return the used specification index. */
+-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
++#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T)
+ #define matchpathcon_filespec_add matchpathcon_filespec_add64
+ #endif
+ extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
+diff --git a/src/matchpathcon.c b/src/matchpathcon.c
+index 51f0e4ff..a4f65045 100644
+--- a/src/matchpathcon.c
++++ b/src/matchpathcon.c
+@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file)
+ 	return -1;
+ }
+ 
+-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
++#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
+ /* alias defined in the public header but we undefine it here */
+ #undef matchpathcon_filespec_add
+ 
+@@ -280,9 +280,13 @@ int matchpathcon_filespec_add(unsigned long ino, int specind,
+ {
+ 	return matchpathcon_filespec_add64(ino, specind, file);
+ }
++#elif (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) || defined(__INO_T_MATCHES_INO64_T)
++
++static_assert(sizeof(uint64_t) == sizeof(ino_t), "inode size mismatch");
++
+ #else
+ 
+-static_assert(sizeof(unsigned long) == sizeof(ino_t), "inode size mismatch");
++static_assert(sizeof(uint32_t) == sizeof(ino_t), "inode size mismatch");
+ 
+ #endif
+ 
+-- 
+2.51.0
+
diff --git a/package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch b/package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch
new file mode 100644
index 0000000000..9a1d874706
--- /dev/null
+++ b/package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch
@@ -0,0 +1,56 @@
+From bfcdaf2ff36d69a57810470f5405e5f27e51e01c Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Sat, 26 Apr 2025 17:13:57 +0200
+Subject: [PATCH] libselinux: be careful with non-portable LFS macro
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+musl does not provide the obsolete LFS64 APIs (like ino64_t) — ino_t
+has always been 64-bit on all platforms there.  That means there's
+also no __INO_T_MATCHES_INO64_T macro, meaning the check would pass
+and reach the static asserts for the shim, which would fail due to
+there being no ino64_t to check the size of.  Fix this by only
+assuming the absense of __INO_T_MATCHES_INO64_t is meaningful when
+another non-portable Glibc macro, __INO64_T_TYPE, is defined.  If both
+are missing, that probably just means there is no ino64_t.
+
+Fixes: 5c3fcbd9 ("Inject matchpathcon_filespec_add64() if !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as proxy")
+Signed-off-by: Alyssa Ross <hi@alyssa.is>
+Acked-by: James Carter <jwcart2@gmail.com>
+Upstream: 21dd00713ae99b13e36c632992cb171c6ec1abce
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ include/selinux/selinux.h | 2 +-
+ src/matchpathcon.c        | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/selinux/selinux.h b/include/selinux/selinux.h
+index f64896b7..b1431e5d 100644
+--- a/include/selinux/selinux.h
++++ b/include/selinux/selinux.h
+@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char *path,
+    with the same inode (e.g. due to multiple hard links).  If so, then
+    use the latter of the two specifications based on their order in the 
+    file contexts configuration.  Return the used specification index. */
+-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T)
++#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
+ #define matchpathcon_filespec_add matchpathcon_filespec_add64
+ #endif
+ extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
+diff --git a/src/matchpathcon.c b/src/matchpathcon.c
+index a4f65045..240c9fa7 100644
+--- a/src/matchpathcon.c
++++ b/src/matchpathcon.c
+@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file)
+ 	return -1;
+ }
+ 
+-#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
++#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
+ /* alias defined in the public header but we undefine it here */
+ #undef matchpathcon_filespec_add
+ 
+-- 
+2.51.0
+
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 02/11] package/libsemanage: fix build issue due to basename()

[Thomas Petazzoni via buildroot]

The build of libsemanage on musl configurations fails with:

direct_api.c: In function 'semanage_direct_install_file':
direct_api.c:1746:20: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
 1746 |         filename = basename(path);
      |                    ^~~~~~~~

This fails to build even with a GCC 14.x toolchain, even with
libsemanage 3.7, which is the version we have in our LTS branch.

Let's backport an upstream patch fixing this issue.

Fixes:

  https://autobuild.buildroot.net/results/913852e35c925888ced37e15be3731b9d3963019/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 ...te-semanage_basename-to-ensure-posix.patch | 172 ++++++++++++++++++
 1 file changed, 172 insertions(+)
 create mode 100644 package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch

diff --git a/package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch b/package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch
new file mode 100644
index 0000000000..10a81241a1
--- /dev/null
+++ b/package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch
@@ -0,0 +1,172 @@
+From 795f8381fd64abf692b26d01369561fc68be230c Mon Sep 17 00:00:00 2001
+From: Rahul Sandhu <nvraxn@gmail.com>
+Date: Fri, 21 Feb 2025 09:39:10 +0000
+Subject: [PATCH] libsemanage: create semanage_basename to ensure posix
+ compliance
+
+Passing a const char * to basename(3) is a glibc-specific extension, so
+create our own basename implementation. As it's a trivial 2 LOC, always
+use our implementation of basename even if glibc is available to avoid
+the complications of attaining the non-posix glibc implementation of
+basename(3) as _GNU_SOURCE needs to be defined, but libgen.h also needs
+to have not been included.
+
+Also fix a missing check for selinux_policy_root(3). From the man page:
+On failure, selinux_policy_root returns NULL.
+
+As the glibc basename(3) (unlike posix basename(3)) does not support
+having a nullptr passed to it, only pass the policy_root to basename(3)
+if it is non-null.
+
+Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+Upstream: a339594da6f027aed5d66ec6798a3d732df235e4
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/conf-parse.y       | 13 ++++++++++---
+ src/direct_api.c       |  1 +
+ src/utilities.c        |  9 +++++++++
+ src/utilities.h        | 13 +++++++++++++
+ tests/test_utilities.c | 26 ++++++++++++++++++++++++++
+ 5 files changed, 59 insertions(+), 3 deletions(-)
+
+diff --git a/src/conf-parse.y b/src/conf-parse.y
+index 6cb8a598..d3ca5f1f 100644
+--- a/src/conf-parse.y
++++ b/src/conf-parse.y
+@@ -21,6 +21,7 @@
+ %{
+ 
+ #include "semanage_conf.h"
++#include "utilities.h"
+ 
+ #include <sepol/policydb.h>
+ #include <selinux/selinux.h>
+@@ -382,7 +383,10 @@ external_opt:   PROG_PATH '=' ARG  { PASSIGN(new_external->path, $3); }
+ static int semanage_conf_init(semanage_conf_t * conf)
+ {
+ 	conf->store_type = SEMANAGE_CON_DIRECT;
+-	conf->store_path = strdup(basename(selinux_policy_root()));
++	const char *policy_root = selinux_policy_root();
++	if (policy_root != NULL) {
++		conf->store_path = strdup(semanage_basename(policy_root));
++	}
+ 	conf->ignoredirs = NULL;
+ 	conf->store_root_path = strdup("/var/lib/selinux");
+ 	conf->compiler_directory_path = strdup("/usr/libexec/selinux/hll");
+@@ -544,8 +548,11 @@ static int parse_module_store(char *arg)
+ 	free(current_conf->store_path);
+ 	if (strcmp(arg, "direct") == 0) {
+ 		current_conf->store_type = SEMANAGE_CON_DIRECT;
+-		current_conf->store_path =
+-		    strdup(basename(selinux_policy_root()));
++		const char *policy_root = selinux_policy_root();
++		if (policy_root != NULL) {
++			current_conf->store_path =
++			    strdup(semanage_basename(policy_root));
++		}
+ 		current_conf->server_port = -1;
+ 	} else if (*arg == '/') {
+ 		current_conf->store_type = SEMANAGE_CON_POLSERV_LOCAL;
+diff --git a/src/direct_api.c b/src/direct_api.c
+index 99cba7f7..ce12ccaf 100644
+--- a/src/direct_api.c
++++ b/src/direct_api.c
+@@ -26,6 +26,7 @@
+ 
+ #include <assert.h>
+ #include <fcntl.h>
++#include <libgen.h>
+ #include <stdio.h>
+ #include <stdio_ext.h>
+ #include <stdlib.h>
+diff --git a/src/utilities.c b/src/utilities.c
+index 70b5b677..004ffb62 100644
+--- a/src/utilities.c
++++ b/src/utilities.c
+@@ -349,3 +349,12 @@ int write_full(int fd, const void *buf, size_t len)
+ 
+ 	return 0;
+ }
++
++#ifdef __GNUC__
++__attribute__((nonnull))
++#endif
++char *semanage_basename(const char *filename)
++{
++	char *p = strrchr(filename, '/');
++	return p ? p + 1 : (char *)filename;
++}
+diff --git a/src/utilities.h b/src/utilities.h
+index c2d484a7..7481077a 100644
+--- a/src/utilities.h
++++ b/src/utilities.h
+@@ -156,4 +156,17 @@ semanage_list_t *semanage_slurp_file_filter(FILE * file,
+ 
+ int write_full(int fd, const void *buf, size_t len) WARN_UNUSED;
+ 
++/**
++ * Portable implementation of the glibc version of basename(3).
++ *
++ * @param filename  path to find basename of
++ *
++ * @return          basename of filename
++ */
++
++#ifdef __GNUC__
++__attribute__((nonnull))
++#endif
++char *semanage_basename(const char *filename);
++
+ #endif
+diff --git a/tests/test_utilities.c b/tests/test_utilities.c
+index bbd5af30..70a76fe7 100644
+--- a/tests/test_utilities.c
++++ b/tests/test_utilities.c
+@@ -46,6 +46,7 @@ static void test_semanage_rtrim(void);
+ static void test_semanage_str_replace(void);
+ static void test_semanage_findval(void);
+ static void test_slurp_file_filter(void);
++static void test_semanage_basename(void);
+ 
+ static char fname[] = {
+ 	'T', 'E', 'S', 'T', '_', 'T', 'E', 'M', 'P', '_', 'X', 'X', 'X', 'X',
+@@ -117,6 +118,10 @@ int semanage_utilities_add_tests(CU_pSuite suite)
+ 				test_slurp_file_filter)) {
+ 		goto err;
+ 	}
++	if (NULL == CU_add_test(suite, "semanage_basename",
++				test_semanage_basename)) {
++		goto err;
++	}
+ 	return 0;
+       err:
+ 	CU_cleanup_registry();
+@@ -346,3 +351,24 @@ static void test_slurp_file_filter(void)
+ 
+ 	semanage_list_destroy(&data);
+ }
++
++static void test_semanage_basename(void)
++{
++	char *basename1 = semanage_basename("/foo/bar");
++	CU_ASSERT_STRING_EQUAL(basename1, "bar");
++
++	char *basename2 = semanage_basename("/foo/bar/");
++	CU_ASSERT_STRING_EQUAL(basename2, "");
++
++	char *basename3 = semanage_basename("/foo.bar");
++	CU_ASSERT_STRING_EQUAL(basename3, "foo.bar");
++
++	char *basename5 = semanage_basename(".");
++	CU_ASSERT_STRING_EQUAL(basename5, ".");
++
++	char *basename6 = semanage_basename("");
++	CU_ASSERT_STRING_EQUAL(basename6, "");
++
++	char *basename7 = semanage_basename("/");
++	CU_ASSERT_STRING_EQUAL(basename7, "");
++}
+-- 
+2.51.0
+
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 03/11] package/policycoreutils: fix build with musl due to getpass()

[Thomas Petazzoni via buildroot]

policycoreutils uses getpass(), which with musl is only defined with
some feature macro defined, such as _GNU_SOURCE. So let's pick-up an
upstream fix to address this issue.

There are no autobuilder failures, the issue was most likely hidden by
other failures with musl affecting the SELinux stack.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 ...oreutils-run_init-define-_GNU_SOURCE.patch | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch

diff --git a/package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch b/package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch
new file mode 100644
index 0000000000..bef6909b0a
--- /dev/null
+++ b/package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch
@@ -0,0 +1,37 @@
+From f338b2e7d2bbf70cb811eb1331162e33deb4ce6c Mon Sep 17 00:00:00 2001
+From: Robert Marko <robimarko@gmail.com>
+Date: Thu, 1 May 2025 21:59:13 +0200
+Subject: [PATCH] policycoreutils: run_init: define _GNU_SOURCE
+
+Trying to compile run_init with musl will fail with:
+run_init.c: In function 'authenticate_via_shadow_passwd':
+run_init.c:206:40: error: implicit declaration of function 'getpass' [-Wimplicit-function-declaration]
+  206 |         if (!(unencrypted_password_s = getpass(PASSWORD_PROMPT))) {
+
+This is because getpass in musl is guarded only for _GNU_SOURCE, so
+define _GNU_SOURCE for run_init.
+
+Signed-off-by: Robert Marko <robimarko@gmail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+Upstream: 50bafc3d9c08cf26c3b0f61e29157a0ea8efbf4a
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ policycoreutils/run_init/run_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
+index ce499781..4531a8ba 100644
+--- a/policycoreutils/run_init/run_init.c
++++ b/policycoreutils/run_init/run_init.c
+@@ -37,6 +37,8 @@
+  *
+  *************************************************************************/
+ 
++#define _GNU_SOURCE
++
+ #include <stdio.h>
+ #include <stdlib.h>		/* for malloc(), realloc(), free() */
+ #include <pwd.h>		/* for getpwuid() */
+-- 
+2.51.0
+
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 04/11] package/libselinux: bump version to 3.9

[Thomas Petazzoni via buildroot]

Release notes:

https://github.com/SELinuxProject/selinux/releases/tag/3.9

For libselinux:

libselinux: Fix local literal fcontext definitions priority
libselinux: Fix order for path substitutions

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 ...con_filespec_add64-if-defined-__INO_.patch | 84 -------------------
 ...-careful-with-non-portable-LFS-macro.patch | 56 -------------
 package/libselinux/libselinux.hash            |  2 +-
 package/libselinux/libselinux.mk              |  2 +-
 4 files changed, 2 insertions(+), 142 deletions(-)
 delete mode 100644 package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
 delete mode 100644 package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch

diff --git a/package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch b/package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
deleted file mode 100644
index 6573cb1673..0000000000
--- a/package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From daecc54878e6768b3e6a2b2a0061d2690a63dea4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= <nabijaczleweli@nabijaczleweli.xyz>
-Date: Thu, 20 Mar 2025 16:55:17 +0100
-Subject: [PATCH] Inject matchpathcon_filespec_add64() if
- !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as
- proxy
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The __INO_T_MATCHES_INO64_T is defined
-if ino_t would be the same size as ino64_t
-if -D_FILE_OFFSET_BITS=64 were not defined.
-
-This is /exactly/ what
-  /* ABI backwards-compatible shim for non-LFS 32-bit systems */
-  #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
-is trying to get at, but currently fails because x32/RV32 are "LFS"
-with 32-bit longs and 64-bit time_ts natively.
-
-Thus, the
-  static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
-assertion fails (__ino_t is the "kernel ino_t" type,
-which generally corresponds to the kernel's ulong, which is u64 on x32).
-
-glibc headers allow us to check the condition we care about directly.
-
-Fixes: commit 9395cc0322 ("Always build for LFS mode on 32-bit archs.")
-Closes: #463
-Closes: Debian#1098481
-Signed-off-by: наб <nabijaczleweli@nabijaczleweli.xyz>
-Cc: Alba Mendez <me@alba.sh>
-Acked-by: James Carter <jwcart2@gmail.com>
-Upstream: 5c3fcbd931b7f9752b5ce29cec3b6813991d61c0
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
----
- include/selinux/selinux.h | 2 +-
- src/matchpathcon.c        | 8 ++++++--
- 2 files changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/include/selinux/selinux.h b/include/selinux/selinux.h
-index f3cf5a20..f64896b7 100644
---- a/include/selinux/selinux.h
-+++ b/include/selinux/selinux.h
-@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char *path,
-    with the same inode (e.g. due to multiple hard links).  If so, then
-    use the latter of the two specifications based on their order in the 
-    file contexts configuration.  Return the used specification index. */
--#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
-+#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T)
- #define matchpathcon_filespec_add matchpathcon_filespec_add64
- #endif
- extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
-diff --git a/src/matchpathcon.c b/src/matchpathcon.c
-index 51f0e4ff..a4f65045 100644
---- a/src/matchpathcon.c
-+++ b/src/matchpathcon.c
-@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file)
- 	return -1;
- }
- 
--#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
-+#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
- /* alias defined in the public header but we undefine it here */
- #undef matchpathcon_filespec_add
- 
-@@ -280,9 +280,13 @@ int matchpathcon_filespec_add(unsigned long ino, int specind,
- {
- 	return matchpathcon_filespec_add64(ino, specind, file);
- }
-+#elif (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) || defined(__INO_T_MATCHES_INO64_T)
-+
-+static_assert(sizeof(uint64_t) == sizeof(ino_t), "inode size mismatch");
-+
- #else
- 
--static_assert(sizeof(unsigned long) == sizeof(ino_t), "inode size mismatch");
-+static_assert(sizeof(uint32_t) == sizeof(ino_t), "inode size mismatch");
- 
- #endif
- 
--- 
-2.51.0
-
diff --git a/package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch b/package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch
deleted file mode 100644
index 9a1d874706..0000000000
--- a/package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From bfcdaf2ff36d69a57810470f5405e5f27e51e01c Mon Sep 17 00:00:00 2001
-From: Alyssa Ross <hi@alyssa.is>
-Date: Sat, 26 Apr 2025 17:13:57 +0200
-Subject: [PATCH] libselinux: be careful with non-portable LFS macro
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-musl does not provide the obsolete LFS64 APIs (like ino64_t) — ino_t
-has always been 64-bit on all platforms there.  That means there's
-also no __INO_T_MATCHES_INO64_T macro, meaning the check would pass
-and reach the static asserts for the shim, which would fail due to
-there being no ino64_t to check the size of.  Fix this by only
-assuming the absense of __INO_T_MATCHES_INO64_t is meaningful when
-another non-portable Glibc macro, __INO64_T_TYPE, is defined.  If both
-are missing, that probably just means there is no ino64_t.
-
-Fixes: 5c3fcbd9 ("Inject matchpathcon_filespec_add64() if !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as proxy")
-Signed-off-by: Alyssa Ross <hi@alyssa.is>
-Acked-by: James Carter <jwcart2@gmail.com>
-Upstream: 21dd00713ae99b13e36c632992cb171c6ec1abce
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
----
- include/selinux/selinux.h | 2 +-
- src/matchpathcon.c        | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/include/selinux/selinux.h b/include/selinux/selinux.h
-index f64896b7..b1431e5d 100644
---- a/include/selinux/selinux.h
-+++ b/include/selinux/selinux.h
-@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char *path,
-    with the same inode (e.g. due to multiple hard links).  If so, then
-    use the latter of the two specifications based on their order in the 
-    file contexts configuration.  Return the used specification index. */
--#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T)
-+#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
- #define matchpathcon_filespec_add matchpathcon_filespec_add64
- #endif
- extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
-diff --git a/src/matchpathcon.c b/src/matchpathcon.c
-index a4f65045..240c9fa7 100644
---- a/src/matchpathcon.c
-+++ b/src/matchpathcon.c
-@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file)
- 	return -1;
- }
- 
--#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
-+#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
- /* alias defined in the public header but we undefine it here */
- #undef matchpathcon_filespec_add
- 
--- 
-2.51.0
-
diff --git a/package/libselinux/libselinux.hash b/package/libselinux/libselinux.hash
index 0933398f1e..2f897e1287 100644
--- a/package/libselinux/libselinux.hash
+++ b/package/libselinux/libselinux.hash
@@ -1,5 +1,5 @@
 # From: https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  ec2d2789f931152d21c1db1eb4bc202ce4eccede34d9be9e360e3b45243cee2c  libselinux-3.8.1.tar.gz
+sha256  e7ee2c01dba64a0c35c9d7c9c0e06209d8186b325b0638a0d83f915cc3c101e8  libselinux-3.9.tar.gz
 
 # Hash for license file
 sha256  86657b4c0fe868d7cbd977cb04c63b6c667e08fa51595a7bc846ad4bed8fc364  LICENSE
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
index e19bb4dd2d..405c4a9f21 100644
--- a/package/libselinux/libselinux.mk
+++ b/package/libselinux/libselinux.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBSELINUX_VERSION = 3.8.1
+LIBSELINUX_VERSION = 3.9
 LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(LIBSELINUX_VERSION)
 LIBSELINUX_LICENSE = Public Domain
 LIBSELINUX_LICENSE_FILES = LICENSE
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 05/11] package/checkpolicy: bump to version 3.9

[Thomas Petazzoni via buildroot]

Changes: https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt

Related to checkpolicy:

* checkpolicy: Add support for wildcard netifcon names

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/checkpolicy/checkpolicy.hash | 2 +-
 package/checkpolicy/checkpolicy.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/checkpolicy/checkpolicy.hash b/package/checkpolicy/checkpolicy.hash
index ba33165685..442ac883ee 100644
--- a/package/checkpolicy/checkpolicy.hash
+++ b/package/checkpolicy/checkpolicy.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  7b477c516e2693d8b6c511386323177f1d7db51c2e04eb6d0de8ca2b36120e5d  checkpolicy-3.8.1.tar.gz
+sha256  dd85b0173ca6e96b22ebf472bcbccf04eb10e1aa07add8f1b7e0e9e8e995e027  checkpolicy-3.9.tar.gz
 
 # Hash for license file
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
index 8c094f23a5..df3da2efdd 100644
--- a/package/checkpolicy/checkpolicy.mk
+++ b/package/checkpolicy/checkpolicy.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CHECKPOLICY_VERSION = 3.8.1
+CHECKPOLICY_VERSION = 3.9
 CHECKPOLICY_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(CHECKPOLICY_VERSION)
 CHECKPOLICY_LICENSE = GPL-2.0
 CHECKPOLICY_LICENSE_FILES = LICENSE
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 06/11] package/libsemanage: bump to version 3.9

[Thomas Petazzoni via buildroot]

Changes:
https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt

Related to libsemanage: nothing relevant.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 ...te-semanage_basename-to-ensure-posix.patch | 172 ------------------
 package/libsemanage/libsemanage.hash          |   2 +-
 package/libsemanage/libsemanage.mk            |   2 +-
 3 files changed, 2 insertions(+), 174 deletions(-)
 delete mode 100644 package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch

diff --git a/package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch b/package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch
deleted file mode 100644
index 10a81241a1..0000000000
--- a/package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From 795f8381fd64abf692b26d01369561fc68be230c Mon Sep 17 00:00:00 2001
-From: Rahul Sandhu <nvraxn@gmail.com>
-Date: Fri, 21 Feb 2025 09:39:10 +0000
-Subject: [PATCH] libsemanage: create semanage_basename to ensure posix
- compliance
-
-Passing a const char * to basename(3) is a glibc-specific extension, so
-create our own basename implementation. As it's a trivial 2 LOC, always
-use our implementation of basename even if glibc is available to avoid
-the complications of attaining the non-posix glibc implementation of
-basename(3) as _GNU_SOURCE needs to be defined, but libgen.h also needs
-to have not been included.
-
-Also fix a missing check for selinux_policy_root(3). From the man page:
-On failure, selinux_policy_root returns NULL.
-
-As the glibc basename(3) (unlike posix basename(3)) does not support
-having a nullptr passed to it, only pass the policy_root to basename(3)
-if it is non-null.
-
-Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
-Acked-by: James Carter <jwcart2@gmail.com>
-Upstream: a339594da6f027aed5d66ec6798a3d732df235e4
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
----
- src/conf-parse.y       | 13 ++++++++++---
- src/direct_api.c       |  1 +
- src/utilities.c        |  9 +++++++++
- src/utilities.h        | 13 +++++++++++++
- tests/test_utilities.c | 26 ++++++++++++++++++++++++++
- 5 files changed, 59 insertions(+), 3 deletions(-)
-
-diff --git a/src/conf-parse.y b/src/conf-parse.y
-index 6cb8a598..d3ca5f1f 100644
---- a/src/conf-parse.y
-+++ b/src/conf-parse.y
-@@ -21,6 +21,7 @@
- %{
- 
- #include "semanage_conf.h"
-+#include "utilities.h"
- 
- #include <sepol/policydb.h>
- #include <selinux/selinux.h>
-@@ -382,7 +383,10 @@ external_opt:   PROG_PATH '=' ARG  { PASSIGN(new_external->path, $3); }
- static int semanage_conf_init(semanage_conf_t * conf)
- {
- 	conf->store_type = SEMANAGE_CON_DIRECT;
--	conf->store_path = strdup(basename(selinux_policy_root()));
-+	const char *policy_root = selinux_policy_root();
-+	if (policy_root != NULL) {
-+		conf->store_path = strdup(semanage_basename(policy_root));
-+	}
- 	conf->ignoredirs = NULL;
- 	conf->store_root_path = strdup("/var/lib/selinux");
- 	conf->compiler_directory_path = strdup("/usr/libexec/selinux/hll");
-@@ -544,8 +548,11 @@ static int parse_module_store(char *arg)
- 	free(current_conf->store_path);
- 	if (strcmp(arg, "direct") == 0) {
- 		current_conf->store_type = SEMANAGE_CON_DIRECT;
--		current_conf->store_path =
--		    strdup(basename(selinux_policy_root()));
-+		const char *policy_root = selinux_policy_root();
-+		if (policy_root != NULL) {
-+			current_conf->store_path =
-+			    strdup(semanage_basename(policy_root));
-+		}
- 		current_conf->server_port = -1;
- 	} else if (*arg == '/') {
- 		current_conf->store_type = SEMANAGE_CON_POLSERV_LOCAL;
-diff --git a/src/direct_api.c b/src/direct_api.c
-index 99cba7f7..ce12ccaf 100644
---- a/src/direct_api.c
-+++ b/src/direct_api.c
-@@ -26,6 +26,7 @@
- 
- #include <assert.h>
- #include <fcntl.h>
-+#include <libgen.h>
- #include <stdio.h>
- #include <stdio_ext.h>
- #include <stdlib.h>
-diff --git a/src/utilities.c b/src/utilities.c
-index 70b5b677..004ffb62 100644
---- a/src/utilities.c
-+++ b/src/utilities.c
-@@ -349,3 +349,12 @@ int write_full(int fd, const void *buf, size_t len)
- 
- 	return 0;
- }
-+
-+#ifdef __GNUC__
-+__attribute__((nonnull))
-+#endif
-+char *semanage_basename(const char *filename)
-+{
-+	char *p = strrchr(filename, '/');
-+	return p ? p + 1 : (char *)filename;
-+}
-diff --git a/src/utilities.h b/src/utilities.h
-index c2d484a7..7481077a 100644
---- a/src/utilities.h
-+++ b/src/utilities.h
-@@ -156,4 +156,17 @@ semanage_list_t *semanage_slurp_file_filter(FILE * file,
- 
- int write_full(int fd, const void *buf, size_t len) WARN_UNUSED;
- 
-+/**
-+ * Portable implementation of the glibc version of basename(3).
-+ *
-+ * @param filename  path to find basename of
-+ *
-+ * @return          basename of filename
-+ */
-+
-+#ifdef __GNUC__
-+__attribute__((nonnull))
-+#endif
-+char *semanage_basename(const char *filename);
-+
- #endif
-diff --git a/tests/test_utilities.c b/tests/test_utilities.c
-index bbd5af30..70a76fe7 100644
---- a/tests/test_utilities.c
-+++ b/tests/test_utilities.c
-@@ -46,6 +46,7 @@ static void test_semanage_rtrim(void);
- static void test_semanage_str_replace(void);
- static void test_semanage_findval(void);
- static void test_slurp_file_filter(void);
-+static void test_semanage_basename(void);
- 
- static char fname[] = {
- 	'T', 'E', 'S', 'T', '_', 'T', 'E', 'M', 'P', '_', 'X', 'X', 'X', 'X',
-@@ -117,6 +118,10 @@ int semanage_utilities_add_tests(CU_pSuite suite)
- 				test_slurp_file_filter)) {
- 		goto err;
- 	}
-+	if (NULL == CU_add_test(suite, "semanage_basename",
-+				test_semanage_basename)) {
-+		goto err;
-+	}
- 	return 0;
-       err:
- 	CU_cleanup_registry();
-@@ -346,3 +351,24 @@ static void test_slurp_file_filter(void)
- 
- 	semanage_list_destroy(&data);
- }
-+
-+static void test_semanage_basename(void)
-+{
-+	char *basename1 = semanage_basename("/foo/bar");
-+	CU_ASSERT_STRING_EQUAL(basename1, "bar");
-+
-+	char *basename2 = semanage_basename("/foo/bar/");
-+	CU_ASSERT_STRING_EQUAL(basename2, "");
-+
-+	char *basename3 = semanage_basename("/foo.bar");
-+	CU_ASSERT_STRING_EQUAL(basename3, "foo.bar");
-+
-+	char *basename5 = semanage_basename(".");
-+	CU_ASSERT_STRING_EQUAL(basename5, ".");
-+
-+	char *basename6 = semanage_basename("");
-+	CU_ASSERT_STRING_EQUAL(basename6, "");
-+
-+	char *basename7 = semanage_basename("/");
-+	CU_ASSERT_STRING_EQUAL(basename7, "");
-+}
--- 
-2.51.0
-
diff --git a/package/libsemanage/libsemanage.hash b/package/libsemanage/libsemanage.hash
index 78067b3ede..1fd5a8019b 100644
--- a/package/libsemanage/libsemanage.hash
+++ b/package/libsemanage/libsemanage.hash
@@ -1,5 +1,5 @@
 # From: https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  7b39127b219cc70bfd935a4af6b0f2ba83d4b35c916f253c7e942c23ab490f07  libsemanage-3.8.1.tar.gz
+sha256  ec05850aef48bfb8e02135a7f4f3f7edba3670f63d5e67f2708d4bd80b9a4634  libsemanage-3.9.tar.gz
 
 # Hash for license file
 sha256  e1c0890440efe31b6cd2ee2abf895eb917c787799f079133f5809414d90d5d60  LICENSE
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index 21ca9fd3f9..289954f700 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBSEMANAGE_VERSION = 3.8.1
+LIBSEMANAGE_VERSION = 3.9
 LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(LIBSEMANAGE_VERSION)
 LIBSEMANAGE_LICENSE = LGPL-2.1+
 LIBSEMANAGE_LICENSE_FILES = LICENSE
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 07/11] package/libsepol: bump to version 3.9

[Thomas Petazzoni via buildroot]

Changes:
https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt

Notable changes for libsepol:

* libsepol: Add new 'netif_wildcard' policy capability

* libsepol: Allow multiple policycap statements

* libsepol: Support genfs_seclabel_wildcard

We can drop our patch since SELinux now has an official DISABLE_SHARED
variable to do a static-only build (but it needs a 'y' value and not a
'1' value like our previous variable needed).

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 .checkpackageignore                           |  1 -
 .../libsepol/0001-support-static-only.patch   | 52 -------------------
 package/libsepol/libsepol.hash                |  2 +-
 package/libsepol/libsepol.mk                  |  4 +-
 4 files changed, 3 insertions(+), 56 deletions(-)
 delete mode 100644 package/libsepol/0001-support-static-only.patch

diff --git a/.checkpackageignore b/.checkpackageignore
index 426d112c14..3814df39b9 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -636,7 +636,6 @@ package/libroxml/0001-src-roxml_mem.h-add-missing-extern.patch lib_patch.Upstrea
 package/librsvg/0001-gdk-pixbuf-loader-Makefile.am-set-GDK_PIXBUF_MODULED.patch lib_patch.Upstream
 package/librtlsdr/0001-Makefile.am-respect-DESTDIR-with-install-udev-rules.patch lib_patch.Upstream
 package/libselinux/0001-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch lib_patch.Upstream
-package/libsepol/0001-support-static-only.patch lib_patch.Upstream
 package/libserial/0001-SerialPort.cpp-fix-build-when-size_t-is-an-unsigned-.patch lib_patch.Upstream
 package/libserial/0002-SerialPort.cpp-don-t-use-high-baudrates-when-not-ava.patch lib_patch.Upstream
 package/libshdata/0001-backend-Add-missing-include-files.patch lib_patch.Upstream
diff --git a/package/libsepol/0001-support-static-only.patch b/package/libsepol/0001-support-static-only.patch
deleted file mode 100644
index 7a614d7d0d..0000000000
--- a/package/libsepol/0001-support-static-only.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 2140db697c7f1da2a0a3f7bbcb14c1a0dade84e5 Mon Sep 17 00:00:00 2001
-From: Adam Duskett <adam.duskett@amarulasolutions.com>
-Date: Wed, 14 May 2025 16:32:53 +0200
-Subject: [PATCH] Add support for static-only build
-
-Instead of unconditionally building shared libraries, this patch
-improves the libsepol build system with a "STATIC" variable, which
-when defined to some non-empty value, will disable the build of shared
-libraries. It allows to support cases where the target architecture
-does not have support for shared libraries.
-
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-[Updated for 3.8.1]
-Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Update for 2.8]
----
- src/Makefile | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index 71fa3ed..efb81bc 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -45,7 +45,12 @@ LDFLAGS += -undefined dynamic_lookup
- LN=gln
- endif
- 
--all: $(LIBA) $(LIBSO) $(LIBPC)
-+ALL_TARGETS = $(LIBA) $(LIBPC)
-+ifeq ($(STATIC),)
-+ALL_TARGETS += $(LIBSO)
-+endif
-+
-+all: $(ALL_TARGETS)
- 
- 
- $(LIBA):  $(OBJS)
-@@ -87,8 +92,10 @@ endif
- install: all
- 	test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
- 	install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
-+ifeq ($(STATIC),)
- 	test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
- 	install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
-+endif
- 	test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
- 	install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
- 	$(LN) -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
--- 
-2.49.0
-
diff --git a/package/libsepol/libsepol.hash b/package/libsepol/libsepol.hash
index adf7cb86bb..08a1bf0cc2 100644
--- a/package/libsepol/libsepol.hash
+++ b/package/libsepol/libsepol.hash
@@ -1,5 +1,5 @@
 # From: https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  0e78705305f955abd4c0654d37a5477ee26349ab74db9e2b03a7868897ae1ddf  libsepol-3.8.1.tar.gz
+sha256  ba630b59e50c5fbf9e9dd45eb3734f373cf78d689d8c10c537114c9bd769fa2e  libsepol-3.9.tar.gz
 
 # Hash for license file
 sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  LICENSE
diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
index 2376ab852d..3e1a275808 100644
--- a/package/libsepol/libsepol.mk
+++ b/package/libsepol/libsepol.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBSEPOL_VERSION = 3.8.1
+LIBSEPOL_VERSION = 3.9
 LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(LIBSEPOL_VERSION)
 LIBSEPOL_LICENSE = LGPL-2.1+
 LIBSEPOL_LICENSE_FILES = LICENSE
@@ -17,7 +17,7 @@ HOST_LIBSEPOL_DEPENDENCIES = $(BR2_COREUTILS_HOST_DEPENDENCY) host-flex
 LIBSEPOL_MAKE_FLAGS = $(TARGET_CONFIGURE_OPTS)
 
 ifeq ($(BR2_STATIC_LIBS),y)
-LIBSEPOL_MAKE_FLAGS += STATIC=1
+LIBSEPOL_MAKE_FLAGS += DISABLE_SHARED=y
 endif
 
 define LIBSEPOL_BUILD_CMDS
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 08/11] package/policycoreutils: bump to version 3.9

[Thomas Petazzoni via buildroot]

Changes:
https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt

Notable changes related to policycoreutils: none.

However, in terms of packaging, there's a change: the top-level
Makefile of policycoreutils now uses pkg-config to find libselinux and
libsemanage. So building directly the subdirs no longer works because
the variables defined by the top-level Makefile are no longer set. So
we simplify the whole packaging by building from the top-level
Makefile. In order for this pkg-config to work for the host variant,
we need to pass $(HOST_MAKE_ENV) in the environment of make, so we
also did the same for consistency with $(TARGET_MAKE_ENV).

In terms of dependencies: policycoreutils directly links with
libselinux, libsemanage and libsepol, so all three are needed for both
the target and host variants. And host-pkgconf is now needed for the
host variant, as it's used to detect the dependent libraries.

The patches also need to be refreshed, except 0003 that is dropped
since it was a backport from upstream.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

merge policycoreutils
---
 ...-all-paths-that-use-an-absolute-path.patch |  2 +-
 .../0002-Add-PREFIX-to-host-paths.patch       |  2 +-
 ...oreutils-run_init-define-_GNU_SOURCE.patch | 37 -------------------
 package/policycoreutils/Config.in             |  5 ++-
 package/policycoreutils/policycoreutils.hash  |  2 +-
 package/policycoreutils/policycoreutils.mk    | 37 +++++--------------
 6 files changed, 15 insertions(+), 70 deletions(-)
 delete mode 100644 package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch

diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
index 18f0001aef..e894987f49 100644
--- a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
+++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
@@ -32,7 +32,7 @@ index a3bbbe1..df675cf 100644
 +AUDITH ?= $(shell test -f $(DESTDIR)$(PREFIX)/include/libaudit.h && echo y)
  
  CFLAGS ?= -g -Werror -Wall -W
- override LDLIBS += -lselinux -lsepol -lpthread
+ override CFLAGS += -I../../libselinux/include
 -- 
 2.13.6
 
diff --git a/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch b/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
index 2daed57c97..6f838e8d54 100644
--- a/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
+++ b/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
@@ -48,7 +48,7 @@ index e86364a..20a64d4 100644
 +AUDITH ?= $(shell test -f $(DESTDIR)$(PREFIX)/include/libaudit.h && echo y)
  
  CFLAGS ?= -Werror -Wall -W
- override CFLAGS += -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ override CFLAGS += -I../../libselinux/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
 -- 
 2.31.1
 
diff --git a/package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch b/package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch
deleted file mode 100644
index bef6909b0a..0000000000
--- a/package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From f338b2e7d2bbf70cb811eb1331162e33deb4ce6c Mon Sep 17 00:00:00 2001
-From: Robert Marko <robimarko@gmail.com>
-Date: Thu, 1 May 2025 21:59:13 +0200
-Subject: [PATCH] policycoreutils: run_init: define _GNU_SOURCE
-
-Trying to compile run_init with musl will fail with:
-run_init.c: In function 'authenticate_via_shadow_passwd':
-run_init.c:206:40: error: implicit declaration of function 'getpass' [-Wimplicit-function-declaration]
-  206 |         if (!(unencrypted_password_s = getpass(PASSWORD_PROMPT))) {
-
-This is because getpass in musl is guarded only for _GNU_SOURCE, so
-define _GNU_SOURCE for run_init.
-
-Signed-off-by: Robert Marko <robimarko@gmail.com>
-Acked-by: James Carter <jwcart2@gmail.com>
-Upstream: 50bafc3d9c08cf26c3b0f61e29157a0ea8efbf4a
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
----
- policycoreutils/run_init/run_init.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
-index ce499781..4531a8ba 100644
---- a/policycoreutils/run_init/run_init.c
-+++ b/policycoreutils/run_init/run_init.c
-@@ -37,6 +37,8 @@
-  *
-  *************************************************************************/
- 
-+#define _GNU_SOURCE
-+
- #include <stdio.h>
- #include <stdlib.h>		/* for malloc(), realloc(), free() */
- #include <pwd.h>		/* for getpwuid() */
--- 
-2.51.0
-
diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
index 07e171a53f..db9eb9f6b5 100644
--- a/package/policycoreutils/Config.in
+++ b/package/policycoreutils/Config.in
@@ -6,9 +6,10 @@ comment "policycoreutils needs a toolchain w/ threads, dynamic library, gcc >= 5
 config BR2_PACKAGE_POLICYCOREUTILS
 	bool "policycoreutils"
 	depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS # libsemanage
-	depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage, libsepol
-	depends on !BR2_STATIC_LIBS # libsemanage, libsepol
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libselinux, libsemanage, libsepol
+	depends on !BR2_STATIC_LIBS # libselinux, libsemanage, libsepol
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_5 # libsemanage -> libselinux -> libsepol
+	select BR2_PACKAGE_LIBSELINUX
 	select BR2_PACKAGE_LIBSEMANAGE
 	select BR2_PACKAGE_LIBSEPOL
 	select BR2_PACKAGE_LIBCAP_NG
diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
index 4884c55770..7664be0b35 100644
--- a/package/policycoreutils/policycoreutils.hash
+++ b/package/policycoreutils/policycoreutils.hash
@@ -1,3 +1,3 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  eef23196b501d141cb95f5fc52ef1a7289f459b65e4415ea0fe9aeedc5d80ef2  policycoreutils-3.8.1.tar.gz
+sha256  44a294139876cf4c7969cb6a75d1932cb42543d74a7661760ded44a20bf7ebe8  policycoreutils-3.9.tar.gz
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index 3265986bff..d0e1aae312 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -4,13 +4,13 @@
 #
 ################################################################################
 
-POLICYCOREUTILS_VERSION = 3.8.1
+POLICYCOREUTILS_VERSION = 3.9
 POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(POLICYCOREUTILS_VERSION)
 POLICYCOREUTILS_LICENSE = GPL-2.0
 POLICYCOREUTILS_LICENSE_FILES = LICENSE
 POLICYCOREUTILS_CPE_ID_VENDOR = selinuxproject
 
-POLICYCOREUTILS_DEPENDENCIES = libsemanage libsepol libcap-ng $(TARGET_NLS_DEPENDENCIES)
+POLICYCOREUTILS_DEPENDENCIES = libselinux libsemanage libsepol libcap-ng host-pkgconf $(TARGET_NLS_DEPENDENCIES)
 POLICYCOREUTILS_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS) LDLIBS=$(TARGET_NLS_LIBS)
 
 ifeq ($(BR2_PACKAGE_LIBXCRYPT),y)
@@ -32,28 +32,19 @@ ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
 POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
 endif
 
-POLICYCOREUTILS_MAKE_DIRS = \
-	load_policy newrole run_init \
-	secon semodule sestatus setfiles \
-	setsebool scripts
-
 # We need to pass DESTDIR at build time because it's used by
 # policycoreutils build system to find headers and libraries.
 define POLICYCOREUTILS_BUILD_CMDS
-	$(foreach d,$(POLICYCOREUTILS_MAKE_DIRS),
-		$(MAKE) -C $(@D)/$(d) $(POLICYCOREUTILS_MAKE_OPTS) \
-			DESTDIR=$(STAGING_DIR) all
-	)
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(STAGING_DIR) all
 endef
 
 define POLICYCOREUTILS_INSTALL_TARGET_CMDS
-	$(foreach d,$(POLICYCOREUTILS_MAKE_DIRS),
-		$(MAKE) -C $(@D)/$(d) $(POLICYCOREUTILS_MAKE_OPTS) \
-			DESTDIR=$(TARGET_DIR) install
-	)
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(TARGET_DIR) install
 endef
 
-HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage
+HOST_POLICYCOREUTILS_DEPENDENCIES = host-libselinux host-libsemanage host-libsepol host-pkgconf
 
 # We need to pass PREFIX because it defaults to $(DESTDIR)/usr
 HOST_POLICYCOREUTILS_MAKE_OPTS = \
@@ -62,22 +53,12 @@ HOST_POLICYCOREUTILS_MAKE_OPTS = \
 	ETCDIR=$(HOST_DIR)/etc \
 	SBINDIR=$(HOST_DIR)/sbin
 
-# Note: We are only building the programs required by the refpolicy build
-HOST_POLICYCOREUTILS_MAKE_DIRS = \
-	load_policy newrole run_init \
-	secon semodule sestatus setfiles \
-	setsebool
-
 define HOST_POLICYCOREUTILS_BUILD_CMDS
-	$(foreach d,$(HOST_POLICYCOREUTILS_MAKE_DIRS),
-		$(MAKE) -C $(@D)/$(d) $(HOST_POLICYCOREUTILS_MAKE_OPTS) all
-	)
+	$(HOST_MAKE_ENV) $(MAKE) -C $(@D) $(HOST_POLICYCOREUTILS_MAKE_OPTS) all
 endef
 
 define HOST_POLICYCOREUTILS_INSTALL_CMDS
-	$(foreach d,$(HOST_POLICYCOREUTILS_MAKE_DIRS),
-		$(MAKE) -C $(@D)/$(d) $(HOST_POLICYCOREUTILS_MAKE_OPTS) install
-	)
+	$(HOST_MAKE_ENV) $(MAKE) -C $(@D) $(HOST_POLICYCOREUTILS_MAKE_OPTS) install
 endef
 
 $(eval $(generic-package))
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 09/11] package/restorecond: bump to version 3.9

[Thomas Petazzoni via buildroot]

Changes:
https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt

No notable changes related to restorecond.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/restorecond/restorecond.hash | 2 +-
 package/restorecond/restorecond.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/restorecond/restorecond.hash b/package/restorecond/restorecond.hash
index 2a55edc313..dcfbd54617 100644
--- a/package/restorecond/restorecond.hash
+++ b/package/restorecond/restorecond.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  164fe4825a9c65f3dd664f68fe252e67df72d4ea817a90d8f62ae0544bfb8ba2  restorecond-3.8.1.tar.gz
+sha256  d57b6ffe7eafd01af58e5efa50f8522eca73c0b3cb2955ca3f33397ba074a1a7  restorecond-3.9.tar.gz
 
 # Hash for license file
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/restorecond/restorecond.mk b/package/restorecond/restorecond.mk
index f2618c20b3..e8f432c88d 100644
--- a/package/restorecond/restorecond.mk
+++ b/package/restorecond/restorecond.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-RESTORECOND_VERSION = 3.8.1
+RESTORECOND_VERSION = 3.9
 RESTORECOND_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(RESTORECOND_VERSION)
 RESTORECOND_LICENSE = GPL-2.0
 RESTORECOND_LICENSE_FILES = LICENSE
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 10/11] package/selinux-python: bump to version 3.9

[Thomas Petazzoni via buildroot]

Changes:
https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt

No notable changes for selinux-python.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/selinux-python/selinux-python.hash | 2 +-
 package/selinux-python/selinux-python.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/selinux-python/selinux-python.hash b/package/selinux-python/selinux-python.hash
index 54173dc7ff..44095dcd74 100644
--- a/package/selinux-python/selinux-python.hash
+++ b/package/selinux-python/selinux-python.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  749025bfa4aa0e009bf3ffc455d565a18d4db71cfe796be4405821717206c25a  selinux-python-3.8.1.tar.gz
+sha256  dcfa5f1919dcb7e7b775851994eb5c83b7580dc496cd2d1f73867dfa074d2339  selinux-python-3.9.tar.gz
 
 # Hash for license file
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/selinux-python/selinux-python.mk b/package/selinux-python/selinux-python.mk
index ccac245fd8..635d5945a4 100644
--- a/package/selinux-python/selinux-python.mk
+++ b/package/selinux-python/selinux-python.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SELINUX_PYTHON_VERSION = 3.8.1
+SELINUX_PYTHON_VERSION = 3.9
 SELINUX_PYTHON_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(SELINUX_PYTHON_VERSION)
 SELINUX_PYTHON_LICENSE = GPL-2.0
 SELINUX_PYTHON_LICENSE_FILES = LICENSE
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 11/11] package/semodule-utils: bump to version 3.9

[Thomas Petazzoni via buildroot]

Changes:
https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt

Notable changes:
* semodule: Add [-g PATH |--config=PATH] for an alternate path for the semanage config

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/semodule-utils/semodule-utils.hash | 2 +-
 package/semodule-utils/semodule-utils.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/semodule-utils/semodule-utils.hash b/package/semodule-utils/semodule-utils.hash
index 011833027c..65d34a0fce 100644
--- a/package/semodule-utils/semodule-utils.hash
+++ b/package/semodule-utils/semodule-utils.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  7705b0db059c53a21d6a77c0b50f6c467d91a0ea92ff875f1c93527cd2762395  semodule-utils-3.8.1.tar.gz
+sha256  729be36e4726c5d0833732681a94b2e0e4aff973c076504e41f8547abb6c5424  semodule-utils-3.9.tar.gz
 
 # Hash for license file
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/semodule-utils/semodule-utils.mk b/package/semodule-utils/semodule-utils.mk
index ae32e6cd80..75955845df 100644
--- a/package/semodule-utils/semodule-utils.mk
+++ b/package/semodule-utils/semodule-utils.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SEMODULE_UTILS_VERSION = 3.8.1
+SEMODULE_UTILS_VERSION = 3.9
 SEMODULE_UTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(SEMODULE_UTILS_VERSION)
 SEMODULE_UTILS_LICENSE = GPL-2.0
 SEMODULE_UTILS_LICENSE_FILES = LICENSE
-- 
2.51.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 01/11] package/libselinux: fix build issues caused by 3.8.1 bump

[Julien Olivain via buildroot]

On 09/09/2025 14:08, Thomas Petazzoni via buildroot wrote:
> Since the bump to version 3.8.1 in commit
> 1ae3ad4e878e1f4217ba3276ff0c9e584234afa4, libselinux fails to build
> with at least
> 
> - Musl configurations
> - RISC-V 32-bit configurations
> - OpenRISC configurations
> 
> These build failures are due to additional checks on the size of some
> data structures:
> 
> matchpathcon.c:270:47: error: '__ino_t' undeclared here (not in a 
> function); did you mean 'ino_t'?
>   270 | static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode 
> size mismatch");
>       |                                               ^~~~~~~
>       |                                               ino_t
> matchpathcon.c:270:15: error: expression in static assertion is not an 
> integer
>   270 | static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode 
> size mismatch");
>       |               ^~~~~~
> 
> These issues have been fixed in follow-up upstream commits, which we
> backport.
> 
> Fixes:
> 
>   
> https://autobuild.buildroot.net/results/00a1ab30cc6b7af503aa96384ba4c4444c217401/ 
> (musl)
>   
> https://autobuild.buildroot.net/results/c8321be687201937bd5eb48b31dfabac12f4e9ea/ 
> (glibc or1k)
>   
> https://autobuild.buildroot.net/results/7b94f44282582d5994f40a741cc0c38bd68b53bd/ 
> (risc-v 32-bit)
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

I applied the full series to master, thanks.

While reviewing, I found one corner case build failure with libselinux 
3.9
on x86_64 uclibc. See:
https://gitlab.com/jolivain/buildroot/-/jobs/11350151899

It seems to be a followup issue related to the one fixed in this patch.

Best regards,

Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 01/11] package/libselinux: fix build issues caused by 3.8.1 bump

[Thomas Petazzoni via buildroot]

Hello Julien,

+Waldemar in Cc, uClibc-ng related issue.

On Mon, 15 Sep 2025 00:28:28 +0200
Julien Olivain <ju.o@free.fr> wrote:

> I applied the full series to master, thanks.

Thanks!

> While reviewing, I found one corner case build failure with libselinux 
> 3.9
> on x86_64 uclibc. See:
> https://gitlab.com/jolivain/buildroot/-/jobs/11350151899
> 
> It seems to be a followup issue related to the one fixed in this patch.

Dammit. I must say I don't quite grasp what they are trying to do in
these matchpathcon.c checks.

It seems like:

#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
/* alias defined in the public header but we undefine it here */
#undef matchpathcon_filespec_add

/* ABI backwards-compatible shim for non-LFS 32-bit systems */

static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
static_assert(sizeof(unsigned long) == sizeof(uint32_t), "inode size mismatch");
static_assert(sizeof(ino_t) == sizeof(ino64_t), "inode size mismatch");
static_assert(sizeof(ino64_t) == sizeof(uint64_t), "inode size mismatch");

is for 32-bit systems? And here you are building for x86-64, but it
gets detected as a 32-bit system, or something like that. Is it due to
the fact that we always build with _FILE_OFFSET_BITS=64 even on 64-bit
systems, where I guess it doesn't make sense because off_t is anyway
going to always be 64-bit.

And indeed, the check used to be:

-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
+#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)

which would be false on 64-bit platforms... but now is true on
uClibc-ng.

That check was "improved" for musl:

-#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
+#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)

So I guess some additional tweak is needed for uClibc-ng.

I'm not sure what the correct fix is.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 02/11] package/libsemanage: fix build issue due to basename()

[Thomas Perale via buildroot]

In reply of:
> The build of libsemanage on musl configurations fails with:
> 
> direct_api.c: In function 'semanage_direct_install_file':
> direct_api.c:1746:20: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
>  1746 |         filename = basename(path);
>       |                    ^~~~~~~~
> 
> This fails to build even with a GCC 14.x toolchain, even with
> libsemanage 3.7, which is the version we have in our LTS branch.
> 
> Let's backport an upstream patch fixing this issue.
> 
> Fixes:
> 
>   https://autobuild.buildroot.net/results/913852e35c925888ced37e15be3731b9d3963019/
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Applied to 2025.02.x, 2025.05.x & 2025.08.x. Thanks

> ---
>  ...te-semanage_basename-to-ensure-posix.patch | 172 ++++++++++++++++++
>  1 file changed, 172 insertions(+)
>  create mode 100644 package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch
> 
> diff --git a/package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch b/package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch
> new file mode 100644
> index 0000000000..10a81241a1
> --- /dev/null
> +++ b/package/libsemanage/0001-libsemanage-create-semanage_basename-to-ensure-posix.patch
> @@ -0,0 +1,172 @@
> +From 795f8381fd64abf692b26d01369561fc68be230c Mon Sep 17 00:00:00 2001
> +From: Rahul Sandhu <nvraxn@gmail.com>
> +Date: Fri, 21 Feb 2025 09:39:10 +0000
> +Subject: [PATCH] libsemanage: create semanage_basename to ensure posix
> + compliance
> +
> +Passing a const char * to basename(3) is a glibc-specific extension, so
> +create our own basename implementation. As it's a trivial 2 LOC, always
> +use our implementation of basename even if glibc is available to avoid
> +the complications of attaining the non-posix glibc implementation of
> +basename(3) as _GNU_SOURCE needs to be defined, but libgen.h also needs
> +to have not been included.
> +
> +Also fix a missing check for selinux_policy_root(3). From the man page:
> +On failure, selinux_policy_root returns NULL.
> +
> +As the glibc basename(3) (unlike posix basename(3)) does not support
> +having a nullptr passed to it, only pass the policy_root to basename(3)
> +if it is non-null.
> +
> +Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
> +Acked-by: James Carter <jwcart2@gmail.com>
> +Upstream: a339594da6f027aed5d66ec6798a3d732df235e4
> +Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> +---
> + src/conf-parse.y       | 13 ++++++++++---
> + src/direct_api.c       |  1 +
> + src/utilities.c        |  9 +++++++++
> + src/utilities.h        | 13 +++++++++++++
> + tests/test_utilities.c | 26 ++++++++++++++++++++++++++
> + 5 files changed, 59 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/conf-parse.y b/src/conf-parse.y
> +index 6cb8a598..d3ca5f1f 100644
> +--- a/src/conf-parse.y
> ++++ b/src/conf-parse.y
> +@@ -21,6 +21,7 @@
> + %{
> + 
> + #include "semanage_conf.h"
> ++#include "utilities.h"
> + 
> + #include <sepol/policydb.h>
> + #include <selinux/selinux.h>
> +@@ -382,7 +383,10 @@ external_opt:   PROG_PATH '=' ARG  { PASSIGN(new_external->path, $3); }
> + static int semanage_conf_init(semanage_conf_t * conf)
> + {
> + 	conf->store_type = SEMANAGE_CON_DIRECT;
> +-	conf->store_path = strdup(basename(selinux_policy_root()));
> ++	const char *policy_root = selinux_policy_root();
> ++	if (policy_root != NULL) {
> ++		conf->store_path = strdup(semanage_basename(policy_root));
> ++	}
> + 	conf->ignoredirs = NULL;
> + 	conf->store_root_path = strdup("/var/lib/selinux");
> + 	conf->compiler_directory_path = strdup("/usr/libexec/selinux/hll");
> +@@ -544,8 +548,11 @@ static int parse_module_store(char *arg)
> + 	free(current_conf->store_path);
> + 	if (strcmp(arg, "direct") == 0) {
> + 		current_conf->store_type = SEMANAGE_CON_DIRECT;
> +-		current_conf->store_path =
> +-		    strdup(basename(selinux_policy_root()));
> ++		const char *policy_root = selinux_policy_root();
> ++		if (policy_root != NULL) {
> ++			current_conf->store_path =
> ++			    strdup(semanage_basename(policy_root));
> ++		}
> + 		current_conf->server_port = -1;
> + 	} else if (*arg == '/') {
> + 		current_conf->store_type = SEMANAGE_CON_POLSERV_LOCAL;
> +diff --git a/src/direct_api.c b/src/direct_api.c
> +index 99cba7f7..ce12ccaf 100644
> +--- a/src/direct_api.c
> ++++ b/src/direct_api.c
> +@@ -26,6 +26,7 @@
> + 
> + #include <assert.h>
> + #include <fcntl.h>
> ++#include <libgen.h>
> + #include <stdio.h>
> + #include <stdio_ext.h>
> + #include <stdlib.h>
> +diff --git a/src/utilities.c b/src/utilities.c
> +index 70b5b677..004ffb62 100644
> +--- a/src/utilities.c
> ++++ b/src/utilities.c
> +@@ -349,3 +349,12 @@ int write_full(int fd, const void *buf, size_t len)
> + 
> + 	return 0;
> + }
> ++
> ++#ifdef __GNUC__
> ++__attribute__((nonnull))
> ++#endif
> ++char *semanage_basename(const char *filename)
> ++{
> ++	char *p = strrchr(filename, '/');
> ++	return p ? p + 1 : (char *)filename;
> ++}
> +diff --git a/src/utilities.h b/src/utilities.h
> +index c2d484a7..7481077a 100644
> +--- a/src/utilities.h
> ++++ b/src/utilities.h
> +@@ -156,4 +156,17 @@ semanage_list_t *semanage_slurp_file_filter(FILE * file,
> + 
> + int write_full(int fd, const void *buf, size_t len) WARN_UNUSED;
> + 
> ++/**
> ++ * Portable implementation of the glibc version of basename(3).
> ++ *
> ++ * @param filename  path to find basename of
> ++ *
> ++ * @return          basename of filename
> ++ */
> ++
> ++#ifdef __GNUC__
> ++__attribute__((nonnull))
> ++#endif
> ++char *semanage_basename(const char *filename);
> ++
> + #endif
> +diff --git a/tests/test_utilities.c b/tests/test_utilities.c
> +index bbd5af30..70a76fe7 100644
> +--- a/tests/test_utilities.c
> ++++ b/tests/test_utilities.c
> +@@ -46,6 +46,7 @@ static void test_semanage_rtrim(void);
> + static void test_semanage_str_replace(void);
> + static void test_semanage_findval(void);
> + static void test_slurp_file_filter(void);
> ++static void test_semanage_basename(void);
> + 
> + static char fname[] = {
> + 	'T', 'E', 'S', 'T', '_', 'T', 'E', 'M', 'P', '_', 'X', 'X', 'X', 'X',
> +@@ -117,6 +118,10 @@ int semanage_utilities_add_tests(CU_pSuite suite)
> + 				test_slurp_file_filter)) {
> + 		goto err;
> + 	}
> ++	if (NULL == CU_add_test(suite, "semanage_basename",
> ++				test_semanage_basename)) {
> ++		goto err;
> ++	}
> + 	return 0;
> +       err:
> + 	CU_cleanup_registry();
> +@@ -346,3 +351,24 @@ static void test_slurp_file_filter(void)
> + 
> + 	semanage_list_destroy(&data);
> + }
> ++
> ++static void test_semanage_basename(void)
> ++{
> ++	char *basename1 = semanage_basename("/foo/bar");
> ++	CU_ASSERT_STRING_EQUAL(basename1, "bar");
> ++
> ++	char *basename2 = semanage_basename("/foo/bar/");
> ++	CU_ASSERT_STRING_EQUAL(basename2, "");
> ++
> ++	char *basename3 = semanage_basename("/foo.bar");
> ++	CU_ASSERT_STRING_EQUAL(basename3, "foo.bar");
> ++
> ++	char *basename5 = semanage_basename(".");
> ++	CU_ASSERT_STRING_EQUAL(basename5, ".");
> ++
> ++	char *basename6 = semanage_basename("");
> ++	CU_ASSERT_STRING_EQUAL(basename6, "");
> ++
> ++	char *basename7 = semanage_basename("/");
> ++	CU_ASSERT_STRING_EQUAL(basename7, "");
> ++}
> +-- 
> +2.51.0
> +
> -- 
> 2.51.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 03/11] package/policycoreutils: fix build with musl due to getpass()

[Thomas Perale via buildroot]

In reply of:
> policycoreutils uses getpass(), which with musl is only defined with
> some feature macro defined, such as _GNU_SOURCE. So let's pick-up an
> upstream fix to address this issue.
> 
> There are no autobuilder failures, the issue was most likely hidden by
> other failures with musl affecting the SELinux stack.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Applied to 2025.02.x, 2025.05.x & 2025.08.x. Thanks

> ---
>  ...oreutils-run_init-define-_GNU_SOURCE.patch | 37 +++++++++++++++++++
>  1 file changed, 37 insertions(+)
>  create mode 100644 package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch
> 
> diff --git a/package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch b/package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch
> new file mode 100644
> index 0000000000..bef6909b0a
> --- /dev/null
> +++ b/package/policycoreutils/0003-policycoreutils-run_init-define-_GNU_SOURCE.patch
> @@ -0,0 +1,37 @@
> +From f338b2e7d2bbf70cb811eb1331162e33deb4ce6c Mon Sep 17 00:00:00 2001
> +From: Robert Marko <robimarko@gmail.com>
> +Date: Thu, 1 May 2025 21:59:13 +0200
> +Subject: [PATCH] policycoreutils: run_init: define _GNU_SOURCE
> +
> +Trying to compile run_init with musl will fail with:
> +run_init.c: In function 'authenticate_via_shadow_passwd':
> +run_init.c:206:40: error: implicit declaration of function 'getpass' [-Wimplicit-function-declaration]
> +  206 |         if (!(unencrypted_password_s = getpass(PASSWORD_PROMPT))) {
> +
> +This is because getpass in musl is guarded only for _GNU_SOURCE, so
> +define _GNU_SOURCE for run_init.
> +
> +Signed-off-by: Robert Marko <robimarko@gmail.com>
> +Acked-by: James Carter <jwcart2@gmail.com>
> +Upstream: 50bafc3d9c08cf26c3b0f61e29157a0ea8efbf4a
> +Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> +---
> + policycoreutils/run_init/run_init.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
> +index ce499781..4531a8ba 100644
> +--- a/policycoreutils/run_init/run_init.c
> ++++ b/policycoreutils/run_init/run_init.c
> +@@ -37,6 +37,8 @@
> +  *
> +  *************************************************************************/
> + 
> ++#define _GNU_SOURCE
> ++
> + #include <stdio.h>
> + #include <stdlib.h>		/* for malloc(), realloc(), free() */
> + #include <pwd.h>		/* for getpwuid() */
> +-- 
> +2.51.0
> +
> -- 
> 2.51.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 01/11] package/libselinux: fix build issues caused by 3.8.1 bump

[Thomas Perale via buildroot]

In reply of:
> Since the bump to version 3.8.1 in commit
> 1ae3ad4e878e1f4217ba3276ff0c9e584234afa4, libselinux fails to build
> with at least
> 
> - Musl configurations
> - RISC-V 32-bit configurations
> - OpenRISC configurations
> 
> These build failures are due to additional checks on the size of some
> data structures:
> 
> matchpathcon.c:270:47: error: '__ino_t' undeclared here (not in a function); did you mean 'ino_t'?
>   270 | static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
>       |                                               ^~~~~~~
>       |                                               ino_t
> matchpathcon.c:270:15: error: expression in static assertion is not an integer
>   270 | static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
>       |               ^~~~~~
> 
> These issues have been fixed in follow-up upstream commits, which we
> backport.
> 
> Fixes:
> 
>   https://autobuild.buildroot.net/results/00a1ab30cc6b7af503aa96384ba4c4444c217401/ (musl)
>   https://autobuild.buildroot.net/results/c8321be687201937bd5eb48b31dfabac12f4e9ea/ (glibc or1k)
>   https://autobuild.buildroot.net/results/7b94f44282582d5994f40a741cc0c38bd68b53bd/ (risc-v 32-bit)
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Applied to 2025.05.x & 2025.08.x. Thanks

> ---
>  ...con_filespec_add64-if-defined-__INO_.patch | 84 +++++++++++++++++++
>  ...-careful-with-non-portable-LFS-macro.patch | 56 +++++++++++++
>  2 files changed, 140 insertions(+)
>  create mode 100644 package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
>  create mode 100644 package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch
> 
> diff --git a/package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch b/package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
> new file mode 100644
> index 0000000000..6573cb1673
> --- /dev/null
> +++ b/package/libselinux/0003-Inject-matchpathcon_filespec_add64-if-defined-__INO_.patch
> @@ -0,0 +1,84 @@
> +From daecc54878e6768b3e6a2b2a0061d2690a63dea4 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= <nabijaczleweli@nabijaczleweli.xyz>
> +Date: Thu, 20 Mar 2025 16:55:17 +0100
> +Subject: [PATCH] Inject matchpathcon_filespec_add64() if
> + !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as
> + proxy
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +The __INO_T_MATCHES_INO64_T is defined
> +if ino_t would be the same size as ino64_t
> +if -D_FILE_OFFSET_BITS=64 were not defined.
> +
> +This is /exactly/ what
> +  /* ABI backwards-compatible shim for non-LFS 32-bit systems */
> +  #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
> +is trying to get at, but currently fails because x32/RV32 are "LFS"
> +with 32-bit longs and 64-bit time_ts natively.
> +
> +Thus, the
> +  static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
> +assertion fails (__ino_t is the "kernel ino_t" type,
> +which generally corresponds to the kernel's ulong, which is u64 on x32).
> +
> +glibc headers allow us to check the condition we care about directly.
> +
> +Fixes: commit 9395cc0322 ("Always build for LFS mode on 32-bit archs.")
> +Closes: #463
> +Closes: Debian#1098481
> +Signed-off-by: наб <nabijaczleweli@nabijaczleweli.xyz>
> +Cc: Alba Mendez <me@alba.sh>
> +Acked-by: James Carter <jwcart2@gmail.com>
> +Upstream: 5c3fcbd931b7f9752b5ce29cec3b6813991d61c0
> +Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> +---
> + include/selinux/selinux.h | 2 +-
> + src/matchpathcon.c        | 8 ++++++--
> + 2 files changed, 7 insertions(+), 3 deletions(-)
> +
> +diff --git a/include/selinux/selinux.h b/include/selinux/selinux.h
> +index f3cf5a20..f64896b7 100644
> +--- a/include/selinux/selinux.h
> ++++ b/include/selinux/selinux.h
> +@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char *path,
> +    with the same inode (e.g. due to multiple hard links).  If so, then
> +    use the latter of the two specifications based on their order in the 
> +    file contexts configuration.  Return the used specification index. */
> +-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
> ++#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T)
> + #define matchpathcon_filespec_add matchpathcon_filespec_add64
> + #endif
> + extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
> +diff --git a/src/matchpathcon.c b/src/matchpathcon.c
> +index 51f0e4ff..a4f65045 100644
> +--- a/src/matchpathcon.c
> ++++ b/src/matchpathcon.c
> +@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file)
> + 	return -1;
> + }
> + 
> +-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
> ++#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
> + /* alias defined in the public header but we undefine it here */
> + #undef matchpathcon_filespec_add
> + 
> +@@ -280,9 +280,13 @@ int matchpathcon_filespec_add(unsigned long ino, int specind,
> + {
> + 	return matchpathcon_filespec_add64(ino, specind, file);
> + }
> ++#elif (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) || defined(__INO_T_MATCHES_INO64_T)
> ++
> ++static_assert(sizeof(uint64_t) == sizeof(ino_t), "inode size mismatch");
> ++
> + #else
> + 
> +-static_assert(sizeof(unsigned long) == sizeof(ino_t), "inode size mismatch");
> ++static_assert(sizeof(uint32_t) == sizeof(ino_t), "inode size mismatch");
> + 
> + #endif
> + 
> +-- 
> +2.51.0
> +
> diff --git a/package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch b/package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch
> new file mode 100644
> index 0000000000..9a1d874706
> --- /dev/null
> +++ b/package/libselinux/0004-libselinux-be-careful-with-non-portable-LFS-macro.patch
> @@ -0,0 +1,56 @@
> +From bfcdaf2ff36d69a57810470f5405e5f27e51e01c Mon Sep 17 00:00:00 2001
> +From: Alyssa Ross <hi@alyssa.is>
> +Date: Sat, 26 Apr 2025 17:13:57 +0200
> +Subject: [PATCH] libselinux: be careful with non-portable LFS macro
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +musl does not provide the obsolete LFS64 APIs (like ino64_t) — ino_t
> +has always been 64-bit on all platforms there.  That means there's
> +also no __INO_T_MATCHES_INO64_T macro, meaning the check would pass
> +and reach the static asserts for the shim, which would fail due to
> +there being no ino64_t to check the size of.  Fix this by only
> +assuming the absense of __INO_T_MATCHES_INO64_t is meaningful when
> +another non-portable Glibc macro, __INO64_T_TYPE, is defined.  If both
> +are missing, that probably just means there is no ino64_t.
> +
> +Fixes: 5c3fcbd9 ("Inject matchpathcon_filespec_add64() if !defined(__INO_T_MATCHES_INO64_T) instead of using __BITS_PER_LONG < 64 as proxy")
> +Signed-off-by: Alyssa Ross <hi@alyssa.is>
> +Acked-by: James Carter <jwcart2@gmail.com>
> +Upstream: 21dd00713ae99b13e36c632992cb171c6ec1abce
> +Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> +---
> + include/selinux/selinux.h | 2 +-
> + src/matchpathcon.c        | 2 +-
> + 2 files changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/include/selinux/selinux.h b/include/selinux/selinux.h
> +index f64896b7..b1431e5d 100644
> +--- a/include/selinux/selinux.h
> ++++ b/include/selinux/selinux.h
> +@@ -537,7 +537,7 @@ extern int matchpathcon_index(const char *path,
> +    with the same inode (e.g. due to multiple hard links).  If so, then
> +    use the latter of the two specifications based on their order in the 
> +    file contexts configuration.  Return the used specification index. */
> +-#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && !defined(__INO_T_MATCHES_INO64_T)
> ++#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
> + #define matchpathcon_filespec_add matchpathcon_filespec_add64
> + #endif
> + extern int matchpathcon_filespec_add(ino_t ino, int specind, const char *file);
> +diff --git a/src/matchpathcon.c b/src/matchpathcon.c
> +index a4f65045..240c9fa7 100644
> +--- a/src/matchpathcon.c
> ++++ b/src/matchpathcon.c
> +@@ -261,7 +261,7 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file)
> + 	return -1;
> + }
> + 
> +-#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && !defined(__INO_T_MATCHES_INO64_T)
> ++#if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
> + /* alias defined in the public header but we undefine it here */
> + #undef matchpathcon_filespec_add
> + 
> +-- 
> +2.51.0
> +
> -- 
> 2.51.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 01/11] package/libselinux: fix build issues caused by 3.8.1 bump

[Waldemar Brodkorb]

Hi Thomas,
Thomas Petazzoni wrote,

> Hello Julien,
> 
> +Waldemar in Cc, uClibc-ng related issue.
> 
> On Mon, 15 Sep 2025 00:28:28 +0200
> Julien Olivain <ju.o@free.fr> wrote:
> 
> > I applied the full series to master, thanks.
> 
> Thanks!
> 
> > While reviewing, I found one corner case build failure with libselinux 
> > 3.9
> > on x86_64 uclibc. See:
> > https://gitlab.com/jolivain/buildroot/-/jobs/11350151899
> > 
> > It seems to be a followup issue related to the one fixed in this patch.
> 
> Dammit. I must say I don't quite grasp what they are trying to do in
> these matchpathcon.c checks.
> 
> It seems like:
> 
> #if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
> /* alias defined in the public header but we undefine it here */
> #undef matchpathcon_filespec_add
> 
> /* ABI backwards-compatible shim for non-LFS 32-bit systems */
> 
> static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
> static_assert(sizeof(unsigned long) == sizeof(uint32_t), "inode size mismatch");
> static_assert(sizeof(ino_t) == sizeof(ino64_t), "inode size mismatch");
> static_assert(sizeof(ino64_t) == sizeof(uint64_t), "inode size mismatch");
> 
> is for 32-bit systems? And here you are building for x86-64, but it
> gets detected as a 32-bit system, or something like that. Is it due to
> the fact that we always build with _FILE_OFFSET_BITS=64 even on 64-bit
> systems, where I guess it doesn't make sense because off_t is anyway
> going to always be 64-bit.

So would the right fix to enable _FILE_OFFSET_BITS=64 only for
32-bit systems? Or do you think something in uClibc-ng is wrong?

best regards
 Waldemar
 
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 01/11] package/libselinux: fix build issues caused by 3.8.1 bump

[Thomas Petazzoni via buildroot]

On Fri, 19 Sep 2025 20:42:30 +0200
Waldemar Brodkorb <wbx@openadk.org> wrote:

> > Dammit. I must say I don't quite grasp what they are trying to do in
> > these matchpathcon.c checks.
> > 
> > It seems like:
> > 
> > #if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
> > /* alias defined in the public header but we undefine it here */
> > #undef matchpathcon_filespec_add
> > 
> > /* ABI backwards-compatible shim for non-LFS 32-bit systems */
> > 
> > static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
> > static_assert(sizeof(unsigned long) == sizeof(uint32_t), "inode size mismatch");
> > static_assert(sizeof(ino_t) == sizeof(ino64_t), "inode size mismatch");
> > static_assert(sizeof(ino64_t) == sizeof(uint64_t), "inode size mismatch");
> > 
> > is for 32-bit systems? And here you are building for x86-64, but it
> > gets detected as a 32-bit system, or something like that. Is it due to
> > the fact that we always build with _FILE_OFFSET_BITS=64 even on 64-bit
> > systems, where I guess it doesn't make sense because off_t is anyway
> > going to always be 64-bit.  
> 
> So would the right fix to enable _FILE_OFFSET_BITS=64 only for
> 32-bit systems? Or do you think something in uClibc-ng is wrong?

Defining FILE_OFFSET_BITS=64 all the time works fine with everything
but uClibc-ng, so I'm tempted to think that something else is wrong in
uClibc-ng, but I'm not 100% sure.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 01/11] package/libselinux: fix build issues caused by 3.8.1 bump

[Waldemar Brodkorb]

[-- Attachment #1: Type: text/plain, Size: 1803 bytes --]

Hi Thomas,
Thomas Petazzoni wrote,

> On Fri, 19 Sep 2025 20:42:30 +0200
> Waldemar Brodkorb <wbx@openadk.org> wrote:
> 
> > > Dammit. I must say I don't quite grasp what they are trying to do in
> > > these matchpathcon.c checks.
> > > 
> > > It seems like:
> > > 
> > > #if (defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64) && defined(__INO64_T_TYPE) && !defined(__INO_T_MATCHES_INO64_T)
> > > /* alias defined in the public header but we undefine it here */
> > > #undef matchpathcon_filespec_add
> > > 
> > > /* ABI backwards-compatible shim for non-LFS 32-bit systems */
> > > 
> > > static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
> > > static_assert(sizeof(unsigned long) == sizeof(uint32_t), "inode size mismatch");
> > > static_assert(sizeof(ino_t) == sizeof(ino64_t), "inode size mismatch");
> > > static_assert(sizeof(ino64_t) == sizeof(uint64_t), "inode size mismatch");
> > > 
> > > is for 32-bit systems? And here you are building for x86-64, but it
> > > gets detected as a 32-bit system, or something like that. Is it due to
> > > the fact that we always build with _FILE_OFFSET_BITS=64 even on 64-bit
> > > systems, where I guess it doesn't make sense because off_t is anyway
> > > going to always be 64-bit.  
> > 
> > So would the right fix to enable _FILE_OFFSET_BITS=64 only for
> > 32-bit systems? Or do you think something in uClibc-ng is wrong?
> 
> Defining FILE_OFFSET_BITS=64 all the time works fine with everything
> but uClibc-ng, so I'm tempted to think that something else is wrong in
> uClibc-ng, but I'm not 100% sure.

__INO_T_MATCHES_INO64_T is a internal macro in glibc.
As uClibc-ng tries to be compatible to glibc we can add this macro.

What do you think about following patch, attached to this email?

best regards
 Waldemar

[-- Attachment #2: 0001-Add-glibc-internal-macros-for-64-Bit-architectures.patch --]
[-- Type: text/x-diff, Size: 1243 bytes --]

From a3d56d059df62b4ad6eb5ddb9edd1bb59609397a Mon Sep 17 00:00:00 2001
From: Waldemar Brodkorb <wbx@openadk.org>
Date: Sat, 20 Sep 2025 07:58:14 +0200
Subject: [PATCH] Add glibc internal macros for 64 Bit architectures

To satisfy detection of LFS support add these glibc internal macros.
Fixes f.e. libselinux compile.

Reported-By: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
---
 libc/sysdeps/linux/common/bits/typesizes.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libc/sysdeps/linux/common/bits/typesizes.h b/libc/sysdeps/linux/common/bits/typesizes.h
index dcb2c3b0a..074758701 100644
--- a/libc/sysdeps/linux/common/bits/typesizes.h
+++ b/libc/sysdeps/linux/common/bits/typesizes.h
@@ -73,5 +73,15 @@
 /* Number of descriptors that can fit in an `fd_set'.  */
 #define	__FD_SETSIZE		1024
 
+#if __WORDSIZE == 64
+/* Tell the code that off_t and off64_t are actually the same type
+   for all ABI purposes, even if possibly expressed as different base types
+   for C type-checking purposes.  */
+# define __OFF_T_MATCHES_OFF64_T	1
+
+/* Same for ino_t and ino64_t.  */
+# define __INO_T_MATCHES_INO64_T	1
+
+#endif
 
 #endif /* bits/typesizes.h */
-- 
2.47.3


[-- Attachment #3: Type: text/plain, Size: 150 bytes --]

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 01/11] package/libselinux: fix build issues caused by 3.8.1 bump

[Thomas Petazzoni via buildroot]

On Sat, 20 Sep 2025 08:07:56 +0200
Waldemar Brodkorb <wbx@openadk.org> wrote:

> > Defining FILE_OFFSET_BITS=64 all the time works fine with everything
> > but uClibc-ng, so I'm tempted to think that something else is wrong in
> > uClibc-ng, but I'm not 100% sure.  
> 
> __INO_T_MATCHES_INO64_T is a internal macro in glibc.
> As uClibc-ng tries to be compatible to glibc we can add this macro.
> 
> What do you think about following patch, attached to this email?

I guess it does fix the build, but I have no idea whether this is the
right fix. Probably it is if glibc defines those magic macros under the
same WORDSIZE == 64 condition, but I clearly don't pretend to fully
grasp what's going on.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot