[meta-selinux][warrior][PATCH 1/2] Revert "mesa: switch to meson build"

[meta-selinux][warrior][PATCH 1/2] Revert "mesa: switch to meson build"

[Yi Zhao]

This reverts commit 184857a52ecc9b7088021d7362c7d85e1c3551d6.

The mesa hasn't switched to meson build in this branch.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 recipes-graphics/mesa/mesa_%.bbappend  | 2 +-
 recipes-graphics/mesa/mesa_selinux.inc | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 recipes-graphics/mesa/mesa_selinux.inc

diff --git a/recipes-graphics/mesa/mesa_%.bbappend b/recipes-graphics/mesa/mesa_%.bbappend
index 02c4918..b0b03ec 100644
--- a/recipes-graphics/mesa/mesa_%.bbappend
+++ b/recipes-graphics/mesa/mesa_%.bbappend
@@ -1,2 +1,2 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'meson-selinux', '', d)}
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
 
diff --git a/recipes-graphics/mesa/mesa_selinux.inc b/recipes-graphics/mesa/mesa_selinux.inc
new file mode 100644
index 0000000..0004f71
--- /dev/null
+++ b/recipes-graphics/mesa/mesa_selinux.inc
@@ -0,0 +1,6 @@
+inherit enable-selinux
+
+# But wait!  There's more!  mesa builds a host program named builtin_compiler
+# and it needs selinux, too.  We replace the PACKAGECONFIG[] in the bbclass.
+#
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux libselinux-native,"
-- 
2.17.1

[meta-selinux][warrior][PATCH 2/2] refpolicy: fix labels for busybox init.sysvinit and start_getty

[Yi Zhao]

Fix busybox directory aliases issue.
Set correct labels for /sbin/init.sysvinit and /bin/start_getty.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ...bs_dist-fix-busybox-directory-aliase.patch | 32 +++++++++++++++++++
 ...fc-set-correct-label-for-start_getty.patch | 32 +++++++++++++++++++
 ...-set-correct-label-for-init.sysvinit.patch | 29 +++++++++++++++++
 ...bs_dist-fix-busybox-directory-aliase.patch | 32 +++++++++++++++++++
 ...fc-set-correct-label-for-start_getty.patch | 32 +++++++++++++++++++
 ...-set-correct-label-for-init.sysvinit.patch | 29 +++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |  3 ++
 7 files changed, 189 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch b/recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
new file mode 100644
index 0000000..9fe2548
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
@@ -0,0 +1,32 @@
+From 24c0c6a35c13c6156dfa385cf22a130b6893f24a Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 22 Nov 2019 14:01:08 +0800
+Subject: [PATCH] file_contexts.subs_dist: fix busybox directory aliases
+
+The /usr/bin and /usr/sbin are the original paths which configured in
+file contextes.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ config/file_contexts.subs_dist | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 04fca3c..c720871 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -44,7 +44,7 @@
+ 
+ # busybox aliases
+ # quickly match up the busybox built-in tree to the base filesystem tree
+-/usr/lib/busybox/bin /bin
+-/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/bin /usr/bin
++/usr/lib/busybox/sbin /usr/sbin
+ /usr/lib/busybox/usr /usr
+ 
+-- 
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch b/recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch
new file mode 100644
index 0000000..35e8eed
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/getty.fc-set-correct-label-for-start_getty.patch
@@ -0,0 +1,32 @@
+From 83ba87de0b5163cd7f3db8ef0a1f10f89240afa6 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 22 Nov 2019 14:12:55 +0800
+Subject: [PATCH] getty.fc: set correct label for start_getty
+
+The start_getty label should be set to bin_t not getty_exec_t.
+
+Fix error:
+setsid: failed to execute /sbin/getty: Permission denied
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/getty.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index 116ea64..53ff613 100644
+--- a/policy/modules/system/getty.fc
++++ b/policy/modules/system/getty.fc
+@@ -4,6 +4,7 @@
+ /run/agetty\.reload	--	gen_context(system_u:object_r:getty_runtime_t,s0)
+ 
+ /usr/bin/.*getty	--	gen_context(system_u:object_r:getty_exec_t,s0)
++/usr/bin/start_getty	--	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/sbin/.*getty	--	gen_context(system_u:object_r:getty_exec_t,s0)
+ 
+-- 
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch b/recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch
new file mode 100644
index 0000000..0f024c6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/init.fc-set-correct-label-for-init.sysvinit.patch
@@ -0,0 +1,29 @@
+From 99f1d3d2caf1281ee922ce2c8e93fb53fea576a2 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 22 Nov 2019 14:09:44 +0800
+Subject: [PATCH] init.fc: set correct label for init.sysvinit
+
+The /sbin/init.sysvinit should be set the label init_exec_t.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/init.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 11a6ce9..3c063b1 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
+ /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+ 
+ /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
+ 
+-- 
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch b/recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
new file mode 100644
index 0000000..9fe2548
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/file_contexts.subs_dist-fix-busybox-directory-aliase.patch
@@ -0,0 +1,32 @@
+From 24c0c6a35c13c6156dfa385cf22a130b6893f24a Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 22 Nov 2019 14:01:08 +0800
+Subject: [PATCH] file_contexts.subs_dist: fix busybox directory aliases
+
+The /usr/bin and /usr/sbin are the original paths which configured in
+file contextes.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ config/file_contexts.subs_dist | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config/file_contexts.subs_dist b/config/file_contexts.subs_dist
+index 04fca3c..c720871 100644
+--- a/config/file_contexts.subs_dist
++++ b/config/file_contexts.subs_dist
+@@ -44,7 +44,7 @@
+ 
+ # busybox aliases
+ # quickly match up the busybox built-in tree to the base filesystem tree
+-/usr/lib/busybox/bin /bin
+-/usr/lib/busybox/sbin /sbin
++/usr/lib/busybox/bin /usr/bin
++/usr/lib/busybox/sbin /usr/sbin
+ /usr/lib/busybox/usr /usr
+ 
+-- 
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch b/recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch
new file mode 100644
index 0000000..35e8eed
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/getty.fc-set-correct-label-for-start_getty.patch
@@ -0,0 +1,32 @@
+From 83ba87de0b5163cd7f3db8ef0a1f10f89240afa6 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 22 Nov 2019 14:12:55 +0800
+Subject: [PATCH] getty.fc: set correct label for start_getty
+
+The start_getty label should be set to bin_t not getty_exec_t.
+
+Fix error:
+setsid: failed to execute /sbin/getty: Permission denied
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/getty.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index 116ea64..53ff613 100644
+--- a/policy/modules/system/getty.fc
++++ b/policy/modules/system/getty.fc
+@@ -4,6 +4,7 @@
+ /run/agetty\.reload	--	gen_context(system_u:object_r:getty_runtime_t,s0)
+ 
+ /usr/bin/.*getty	--	gen_context(system_u:object_r:getty_exec_t,s0)
++/usr/bin/start_getty	--	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/sbin/.*getty	--	gen_context(system_u:object_r:getty_exec_t,s0)
+ 
+-- 
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch b/recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch
new file mode 100644
index 0000000..0f024c6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/init.fc-set-correct-label-for-init.sysvinit.patch
@@ -0,0 +1,29 @@
+From 99f1d3d2caf1281ee922ce2c8e93fb53fea576a2 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 22 Nov 2019 14:09:44 +0800
+Subject: [PATCH] init.fc: set correct label for init.sysvinit
+
+The /sbin/init.sysvinit should be set the label init_exec_t.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/init.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
+index 11a6ce9..3c063b1 100644
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
+ /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
+ 
+ /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
++/usr/sbin/init\.sysvinit	--	gen_context(system_u:object_r:init_exec_t,s0)
+ /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
+ 
+-- 
+2.7.4
+
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 137ccee..e567f78 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -52,6 +52,9 @@ SRC_URI += " \
 	file://0032-policy-module-init-update-for-systemd-related-allow-.patch \
 	file://0033-refpolicy-minimum-make-sysadmin-module-optional.patch \
 	file://0034-policy-module-apache-add-rules-for-the-symlink-of-va.patch \
+	file://file_contexts.subs_dist-fix-busybox-directory-aliase.patch \
+	file://init.fc-set-correct-label-for-init.sysvinit.patch \
+	file://getty.fc-set-correct-label-for-start_getty.patch \
    "
 
 S = "${WORKDIR}/refpolicy"
-- 
2.17.1