[Buildroot] [PATCH v2 00/13] Selinux: bump to 3.5

[Buildroot] [PATCH v2 00/13] Selinux: bump to 3.5

[Adam Duskett]

It's been quite some time since anyone updated the SELinux packages (mainly me!)

Most of the changes are straight forward:
  - Update the package to 3.5
  - Change the license file from COPYING to LICENSE.
    (The COPYING file has been renamed to LICENSE.)

Some notes for specific packages:
  - Audit now installs ausearch to /usr/sbin (or we do?) As such, a small patch
    for selinux-python is necessary to change the patch for ausearch from /sbin
    to /usr/sbin

  - libselinux now requires host-pip to install the python modules.
    Surprisingly, host-pip3 cross-compiles the modules without issue and just
    worked. I should buy a lottery ticket!

  - I found out that if you have rst2html5 on the host, the glib meson package
    tries to use it to generate documents, which causes a failure on installing
    to the target. Luckily we don't want the documents so the fix is to simply
    remove the docs/ subdirectroy from meson.build. This patch is tiny and won't
    be a headache to maintain.
    
  - A small upstream patch needs to be added to refpolicy to ensure refpolicy
    builds without dbus selected.

Tested on Fedora 38. Both with pc_efi and aarch-virt configs.

Other tests ran and passed:

tests.init.test_systemd_selinux.TestSELinuxSystemdExt4
tests.init.test_systemd_selinux.TestSELinuxSystemdSquashfs
tests.core.test_selinux.TestSELinuxCustomGit
tests.core.test_selinux.TestSELinuxExtraModules
tests.core.test_selinux.TestSELinuxExtraModulesDirs
tests.core.test_selinux.TestSELinuxPackage

Changes v1 -> v2:
  - Added refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch
  
Adam Duskett (13):
  package/libglib2/0003-disable-building-docs.patch: new patch
  package/python-pip: add host variant
  package/libsepol: bump to version 3.5
  package/libsemanage: bump to version 3.5
  package/libselinux: bump to version 3.5
  package/policycoreutils: bump to version 3.5
  package/checkpolicy: bump to version 3.5
  package/restorecond: bump to version 3.5
  package/semodule-utils: bump to version 3.5
  package/audit: bump to version 3.1
  package/selinux-python: bump to version 3.5
  package/setools: bump to version 4.4.2
  package/refpolicy: bump to version 2.20221101

 package/audit/audit.hash                      |  2 +-
 package/audit/audit.mk                        |  2 +-
 package/checkpolicy/checkpolicy.hash          |  4 +-
 package/checkpolicy/checkpolicy.mk            |  4 +-
 .../libglib2/0003-disable-building-docs.patch | 38 ++++++++++++++
 package/libselinux/0001-fix-musl-build.patch  |  4 +-
 ...T-and-rely-on-the-installed-file-nam.patch |  8 +--
 package/libselinux/Config.in                  |  1 +
 package/libselinux/libselinux.hash            |  2 +-
 package/libselinux/libselinux.mk              | 16 ++++--
 package/libsemanage/libsemanage.hash          |  4 +-
 package/libsemanage/libsemanage.mk            |  4 +-
 package/libsepol/libsepol.hash                |  4 +-
 package/libsepol/libsepol.mk                  |  4 +-
 ...-all-paths-that-use-an-absolute-path.patch |  2 +-
 package/policycoreutils/policycoreutils.hash  |  4 +-
 package/policycoreutils/policycoreutils.mk    |  4 +-
 package/python-pip/python-pip.mk              |  1 +
 ...ount-dbus-interface-must-be-optional.patch | 33 ++++++++++++
 package/refpolicy/refpolicy.hash              |  2 +-
 package/refpolicy/refpolicy.mk                |  2 +-
 package/restorecond/restorecond.hash          |  4 +-
 package/restorecond/restorecond.mk            |  4 +-
 .../0001-fix-ausearch-path.patch              | 37 ++++++++++++++
 package/selinux-python/selinux-python.hash    |  4 +-
 package/selinux-python/selinux-python.mk      |  4 +-
 package/semodule-utils/semodule-utils.hash    |  4 +-
 package/semodule-utils/semodule-utils.mk      |  4 +-
 ...e-setools.InfoFlowAnalysis-and-setoo.patch | 50 +++++++++----------
 package/setools/setools.hash                  |  4 +-
 package/setools/setools.mk                    |  2 +-
 31 files changed, 191 insertions(+), 71 deletions(-)
 create mode 100644 package/libglib2/0003-disable-building-docs.patch
 create mode 100644 package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch
 create mode 100644 package/selinux-python/0001-fix-ausearch-path.patch

-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 01/13] package/libglib2/0003-disable-building-docs.patch: new patch

[Adam Duskett]

If rst2html5 is installed on a host system, meson will attempt to build
html5 documentation from the docs directory, resulting in the following
error:

/usr/local/bin/rst2html5.py
Traceback (most recent call last):
  File "/usr/local/bin/rst2html5.py", line 27, in <module>
    from docutils.core import publish_cmdline, default_description
ModuleNotFoundError: No module named 'docutils'

Since we don't need, nor want to build the documentation, remove the docs
subdirectory from being built entirely.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 .../libglib2/0003-disable-building-docs.patch | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 package/libglib2/0003-disable-building-docs.patch

diff --git a/package/libglib2/0003-disable-building-docs.patch b/package/libglib2/0003-disable-building-docs.patch
new file mode 100644
index 0000000000..27a540bf61
--- /dev/null
+++ b/package/libglib2/0003-disable-building-docs.patch
@@ -0,0 +1,38 @@
+From f3b8515471aaa452f06d84da68372fcead8637d2 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <aduskett@gmail.com>
+Date: Mon, 24 Apr 2023 11:52:24 -0700
+Subject: [PATCH 1/1] disable building docs
+
+If rst2html5 is installed on a host system, meson will attempt to build
+html5 documentation from the docs directory, resulting in the following
+error:
+
+/usr/local/bin/rst2html5.py
+Traceback (most recent call last):
+  File "/usr/local/bin/rst2html5.py", line 27, in <module>
+    from docutils.core import publish_cmdline, default_description
+ModuleNotFoundError: No module named 'docutils'
+
+Since we don't need, nor want to build the documentation, remove the docs
+subdirectory from being built entirely.
+
+Signed-off-by: Adam Duskett <aduskett@gmail.com>
+---
+ meson.build | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 0cbc968..28e1147 100644
+--- a/meson.build
++++ b/meson.build
+@@ -2442,7 +2442,6 @@ if get_option('man')
+ endif
+ 
+ gnome = import('gnome')
+-subdir('docs/reference')
+ 
+ summary({
+   'host cpu' : host_machine.cpu_family(),
+-- 
+2.40.0
+
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 02/13] package/python-pip: add host variant

[Adam Duskett]

In the following patch that updates libselinux, the libselinux python tools now
require pip to install.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/python-pip/python-pip.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/python-pip/python-pip.mk b/package/python-pip/python-pip.mk
index 8cf3aaa3ec..35ad7bede2 100644
--- a/package/python-pip/python-pip.mk
+++ b/package/python-pip/python-pip.mk
@@ -14,3 +14,4 @@ PYTHON_PIP_CPE_ID_VENDOR = pypa
 PYTHON_PIP_CPE_ID_PRODUCT = pip
 
 $(eval $(python-package))
+$(eval $(host-python-package))
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 03/13] package/libsepol: bump to version 3.5

[Adam Duskett]

Change the license file to LICENSE. The hash remains the same.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/libsepol/libsepol.hash | 4 ++--
 package/libsepol/libsepol.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/libsepol/libsepol.hash b/package/libsepol/libsepol.hash
index 039e4e3c7e..c243aaae2b 100644
--- a/package/libsepol/libsepol.hash
+++ b/package/libsepol/libsepol.hash
@@ -1,5 +1,5 @@
 # From: https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  2d97df3eb8466169b389c3660acbb90c54200ac96e452eca9f41a9639f4f238b  libsepol-3.3.tar.gz
+sha256  78fdaf69924db780bac78546e43d9c44074bad798c2c415d0b9bb96d065ee8a2  libsepol-3.5.tar.gz
 
 # Hash for license file
-sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  COPYING
+sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  LICENSE
diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
index 8551a5de79..f7782542ec 100644
--- a/package/libsepol/libsepol.mk
+++ b/package/libsepol/libsepol.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-LIBSEPOL_VERSION = 3.3
+LIBSEPOL_VERSION = 3.5
 LIBSEPOL_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(LIBSEPOL_VERSION)
 LIBSEPOL_LICENSE = LGPL-2.1+
-LIBSEPOL_LICENSE_FILES = COPYING
+LIBSEPOL_LICENSE_FILES = LICENSE
 LIBSEPOL_CPE_ID_VENDOR = selinuxproject
 
 LIBSEPOL_INSTALL_STAGING = YES
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 04/13] package/libsemanage: bump to version 3.5

[Adam Duskett]

Change the license file to LICENSE. The hash remains the same.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/libsemanage/libsemanage.hash | 4 ++--
 package/libsemanage/libsemanage.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/libsemanage/libsemanage.hash b/package/libsemanage/libsemanage.hash
index 1f333aac30..73df34bde9 100644
--- a/package/libsemanage/libsemanage.hash
+++ b/package/libsemanage/libsemanage.hash
@@ -1,5 +1,5 @@
 # From: https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  84d0ec5afa34bbbb471f602d8c1bf317d12443d07852a34b60741d428d597ce8  libsemanage-3.3.tar.gz
+sha256  f53534e50247538280ed0d76c6ce81d8fb3939bd64cadb89da10dba42e40dd9c  libsemanage-3.5.tar.gz
 
 # Hash for license file
-sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  COPYING
+sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  LICENSE
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index db9f16bb6a..0fbdc5ae8d 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-LIBSEMANAGE_VERSION = 3.3
+LIBSEMANAGE_VERSION = 3.5
 LIBSEMANAGE_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(LIBSEMANAGE_VERSION)
 LIBSEMANAGE_LICENSE = LGPL-2.1+
-LIBSEMANAGE_LICENSE_FILES = COPYING
+LIBSEMANAGE_LICENSE_FILES = LICENSE
 LIBSEMANAGE_DEPENDENCIES = host-bison host-flex audit libselinux bzip2
 LIBSEMANAGE_CPE_ID_VENDOR = selinuxproject
 LIBSEMANAGE_INSTALL_STAGING = YES
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 05/13] package/libselinux: bump to version 3.5

[Adam Duskett]

- libselinux now requires pip to install the python tools.
- Rebase patches for version 3.5

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/libselinux/0001-fix-musl-build.patch     |  4 ++--
 ...CEXT-and-rely-on-the-installed-file-nam.patch |  8 ++++----
 package/libselinux/Config.in                     |  1 +
 package/libselinux/libselinux.hash               |  2 +-
 package/libselinux/libselinux.mk                 | 16 +++++++++++++---
 5 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/package/libselinux/0001-fix-musl-build.patch b/package/libselinux/0001-fix-musl-build.patch
index 44189e6400..b8b16be26f 100644
--- a/package/libselinux/0001-fix-musl-build.patch
+++ b/package/libselinux/0001-fix-musl-build.patch
@@ -12,13 +12,13 @@ Domain, and we want to avoid license propagation, so this macro is
 completely written from scratch, and non-optimal.
 
 Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
-[Updated for 3.0]
+[Updated for 3.5]
 Signed-off-by: Adam Duskett <Aduskett@gmail.com>
 diff --git a/src/booleans.c b/src/booleans.c
 index ffa8d26..8569002 100644
 --- a/src/booleans.c
 +++ b/src/booleans.c
-@@ -65,6 +65,14 @@ int security_get_boolean_names(char ***names, int *len)
+@@ -64,6 +64,14 @@ int security_get_boolean_names(char ***names, int *len)
  		goto bad;
  	}
  
diff --git a/package/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch b/package/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
index 18c79b3b4d..c744ca4069 100644
--- a/package/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
+++ b/package/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
@@ -18,7 +18,7 @@ was installed.
 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 [Refreshed for 3.1]
 Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-[Refreshed for 3.0]
+[Refreshed for 3.5]
 Signed-off-by: Adam Duskett <Aduskett@gmail.com>
 ---
  src/Makefile | 3 +--
@@ -31,14 +31,14 @@ index 190016e2af34..7ee22fd35da3 100644
 @@ -15,7 +15,6 @@ INCLUDEDIR ?= $(PREFIX)/include
  PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
  PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
- PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))")
+ PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))")
 -PYCEXT ?= $(shell $(PYTHON) -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])')
  RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')
  RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
  RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]')
-@@ -184,7 +183,7 @@ install: all
+@@ -189,7 +188,7 @@ install: all
  install-pywrap: pywrap
- 	$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS)
+ 	$(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
  	install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
 -	ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
 +	ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux*.so $(DESTDIR)$(PYTHONLIBDIR)/
diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
index 3098fe3ea4..bc40e32a46 100644
--- a/package/libselinux/Config.in
+++ b/package/libselinux/Config.in
@@ -6,6 +6,7 @@ config BR2_PACKAGE_LIBSELINUX
 	select BR2_PACKAGE_LIBSEPOL
 	select BR2_PACKAGE_PCRE2
 	select BR2_PACKAGE_MUSL_FTS if !BR2_TOOLCHAIN_USES_GLIBC
+	select BR2_PACKAGE_PYTHON_SETUPTOOLS if BR2_PACKAGE_PYTHON3
 	help
 	  libselinux is the runtime SELinux library that provides
 	  interfaces (e.g. library functions for the SELinux kernel
diff --git a/package/libselinux/libselinux.hash b/package/libselinux/libselinux.hash
index a2e0083f7b..14bc627a80 100644
--- a/package/libselinux/libselinux.hash
+++ b/package/libselinux/libselinux.hash
@@ -1,5 +1,5 @@
 # From: https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  acfdee27633d2496508c28727c3d41d3748076f66d42fccde2e6b9f3463a7057  libselinux-3.3.tar.gz
+sha256  9a3a3705ac13a2ccca2de6d652b6356fead10f36fb33115c185c5ccdf29eec19  libselinux-3.5.tar.gz
 
 # Hash for license file
 sha256  86657b4c0fe868d7cbd977cb04c63b6c667e08fa51595a7bc846ad4bed8fc364  LICENSE
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
index db35da130f..b8de21edaa 100644
--- a/package/libselinux/libselinux.mk
+++ b/package/libselinux/libselinux.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBSELINUX_VERSION = 3.3
+LIBSELINUX_VERSION = 3.5
 LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(LIBSELINUX_VERSION)
 LIBSELINUX_LICENSE = Public Domain
 LIBSELINUX_LICENSE_FILES = LICENSE
@@ -31,7 +31,11 @@ LIBSELINUX_MAKE_OPTS += FTS_LDLIBS=-lfts
 endif
 
 ifeq ($(BR2_PACKAGE_PYTHON3),y)
-LIBSELINUX_DEPENDENCIES += python3 host-swig
+LIBSELINUX_DEPENDENCIES += \
+	python3 \
+	python-setuptools \
+	host-python-pip \
+	host-swig
 
 LIBSELINUX_MAKE_OPTS += \
 	$(PKG_PYTHON_DISTUTILS_ENV) \
@@ -77,7 +81,13 @@ define LIBSELINUX_INSTALL_TARGET_CMDS
 endef
 
 HOST_LIBSELINUX_DEPENDENCIES = \
-	host-pkgconf host-libsepol host-pcre2 host-swig host-python3
+	host-pkgconf \
+	host-libsepol \
+	host-pcre2 \
+	host-swig \
+	host-python3 \
+	host-python-pip \
+	host-python-setuptools
 
 HOST_LIBSELINUX_MAKE_OPTS = \
 	$(HOST_CONFIGURE_OPTS) \
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 06/13] package/policycoreutils: bump to version 3.5

[Adam Duskett]

Change the license file to LICENSE. The hash remains the same.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 ...1-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch | 2 +-
 package/policycoreutils/policycoreutils.hash                  | 4 ++--
 package/policycoreutils/policycoreutils.mk                    | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
index aa75ca63c0..18f0001aef 100644
--- a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
+++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
@@ -32,7 +32,7 @@ index a3bbbe1..df675cf 100644
 +AUDITH ?= $(shell test -f $(DESTDIR)$(PREFIX)/include/libaudit.h && echo y)
  
  CFLAGS ?= -g -Werror -Wall -W
- override LDLIBS += -lselinux -lsepol
+ override LDLIBS += -lselinux -lsepol -lpthread
 -- 
 2.13.6
 
diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
index e7f006b023..e29d192b13 100644
--- a/package/policycoreutils/policycoreutils.hash
+++ b/package/policycoreutils/policycoreutils.hash
@@ -1,3 +1,3 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  d1331c6fa766c547b071c491de90b9f343c8dbffdb119be8a5a7e491199b93a9  policycoreutils-3.2.tar.gz
-sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING
+sha256  78453e1529fbbf800e88860094d555e781ce1fba11a7ef77b5aabb43e1173276  policycoreutils-3.5.tar.gz
+sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index 8505dbca3f..61d91066d4 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-POLICYCOREUTILS_VERSION = 3.2
+POLICYCOREUTILS_VERSION = 3.5
 POLICYCOREUTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(POLICYCOREUTILS_VERSION)
 POLICYCOREUTILS_LICENSE = GPL-2.0
-POLICYCOREUTILS_LICENSE_FILES = COPYING
+POLICYCOREUTILS_LICENSE_FILES = LICENSE
 POLICYCOREUTILS_CPE_ID_VENDOR = selinuxproject
 
 POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(TARGET_NLS_DEPENDENCIES)
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 07/13] package/checkpolicy: bump to version 3.5

[Adam Duskett]

Change the license file to LICENSE. The hash remains the same.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/checkpolicy/checkpolicy.hash | 4 ++--
 package/checkpolicy/checkpolicy.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/checkpolicy/checkpolicy.hash b/package/checkpolicy/checkpolicy.hash
index 3586389047..fcfd81c554 100644
--- a/package/checkpolicy/checkpolicy.hash
+++ b/package/checkpolicy/checkpolicy.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  25c84edfa3a10ab8cb073b97bc55cb66377532d54a2723da9accdabd05431485  checkpolicy-3.3.tar.gz
+sha256  7aa48ab2222a0b9881111d6d7f70c3014d3d9338827d9e02df105a68c0df5dbc  checkpolicy-3.5.tar.gz
 
 # Hash for license file
-sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING
+sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
index baf16fb802..024d306233 100644
--- a/package/checkpolicy/checkpolicy.mk
+++ b/package/checkpolicy/checkpolicy.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-CHECKPOLICY_VERSION = 3.3
+CHECKPOLICY_VERSION = 3.5
 CHECKPOLICY_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(CHECKPOLICY_VERSION)
 CHECKPOLICY_LICENSE = GPL-2.0
-CHECKPOLICY_LICENSE_FILES = COPYING
+CHECKPOLICY_LICENSE_FILES = LICENSE
 
 CHECKPOLICY_DEPENDENCIES = libselinux flex host-flex host-bison
 
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 08/13] package/restorecond: bump to version 3.5

[Adam Duskett]

Change the license file to LICENSE. The hash remains the same.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/restorecond/restorecond.hash | 4 ++--
 package/restorecond/restorecond.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/restorecond/restorecond.hash b/package/restorecond/restorecond.hash
index b38c6dcf14..215c9192f4 100644
--- a/package/restorecond/restorecond.hash
+++ b/package/restorecond/restorecond.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  218c3d8873f31764e3c82d53ac713c0c9faaa07caf42ed7184e93ca2b27d8f27  restorecond-3.3.tar.gz
+sha256  f00d8caddb6aba2793c65e69154d04671b52f3d37e081b0e96c1b443fe23c2fe  restorecond-3.5.tar.gz
 
 # Hash for license file
-sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING
+sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/restorecond/restorecond.mk b/package/restorecond/restorecond.mk
index 7d6ed86f08..cd40905230 100644
--- a/package/restorecond/restorecond.mk
+++ b/package/restorecond/restorecond.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-RESTORECOND_VERSION = 3.3
+RESTORECOND_VERSION = 3.5
 RESTORECOND_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(RESTORECOND_VERSION)
 RESTORECOND_LICENSE = GPL-2.0
-RESTORECOND_LICENSE_FILES = COPYING
+RESTORECOND_LICENSE_FILES = LICENSE
 
 RESTORECOND_DEPENDENCIES = libglib2 libsepol libselinux dbus-glib
 
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 09/13] package/semodule-utils: bump to version 3.5

[Adam Duskett]

Change the license file to LICENSE. The hash remains the same.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/semodule-utils/semodule-utils.hash | 4 ++--
 package/semodule-utils/semodule-utils.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/semodule-utils/semodule-utils.hash b/package/semodule-utils/semodule-utils.hash
index c252506df5..ac3357d3fa 100644
--- a/package/semodule-utils/semodule-utils.hash
+++ b/package/semodule-utils/semodule-utils.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  3098ec5e5f04a1dbbf4aa569b63a4570750a9fe0d4da14ce45954aa300a17063  semodule-utils-3.3.tar.gz
+sha256  c9a550a737051ebaf2c102f665c7ec2f85e7232870980aa0067998459b414283  semodule-utils-3.5.tar.gz
 
 # Hash for license file
-sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING
+sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/semodule-utils/semodule-utils.mk b/package/semodule-utils/semodule-utils.mk
index a9388f7ee8..9a0f084128 100644
--- a/package/semodule-utils/semodule-utils.mk
+++ b/package/semodule-utils/semodule-utils.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-SEMODULE_UTILS_VERSION = 3.3
+SEMODULE_UTILS_VERSION = 3.5
 SEMODULE_UTILS_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(SEMODULE_UTILS_VERSION)
 SEMODULE_UTILS_LICENSE = GPL-2.0
-SEMODULE_UTILS_LICENSE_FILES = COPYING
+SEMODULE_UTILS_LICENSE_FILES = LICENSE
 SEMODULE_UTILS_DEPENDENCIES = libsepol
 
 SEMODULE_UTILS_MAKE_OPTS += \
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 10/13] package/audit: bump to version 3.1

[Adam Duskett]

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/audit/audit.hash | 2 +-
 package/audit/audit.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/audit/audit.hash b/package/audit/audit.hash
index 6260f158d8..87c00ec241 100644
--- a/package/audit/audit.hash
+++ b/package/audit/audit.hash
@@ -1,4 +1,4 @@
 #Locally computed
-sha256  8b4c78632a9301a1c7f859b0e38fc0b9c260b8214d6b7c771bf28b3d73a62597  audit-3.0.7.tar.gz
+sha256  b5cf3cdabb2786c08b1de3599a3b1a547e55f7a9f9c1eb2078f5b44cf44e8378  audit-3.1.tar.gz
 sha256  32b1062f7da84967e7019d01ab805935caa7ab7321a7ced0e30ebe75e5df1670  COPYING
 sha256  f18a0811fa0e220ccbc42f661545e77f0388631e209585ed582a1c693029c6aa  COPYING.LIB
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
index 77e7c24000..252f5865b5 100644
--- a/package/audit/audit.mk
+++ b/package/audit/audit.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-AUDIT_VERSION = 3.0.7
+AUDIT_VERSION = 3.1
 AUDIT_SITE = http://people.redhat.com/sgrubb/audit
 AUDIT_LICENSE = GPL-2.0+ (programs), LGPL-2.1+ (libraries)
 AUDIT_LICENSE_FILES = COPYING COPYING.LIB
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 11/13] package/selinux-python: bump to version 3.5

[Adam Duskett]

Also:
  - Change the license file to LICENSE. The hash remains the same.

  - Add 0001-fix-ausearch-path.patch as audit 3.1 installs ausearch to
    /usr/sbin not /sbin

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 .../0001-fix-ausearch-path.patch              | 37 +++++++++++++++++++
 package/selinux-python/selinux-python.hash    |  4 +-
 package/selinux-python/selinux-python.mk      |  4 +-
 3 files changed, 41 insertions(+), 4 deletions(-)
 create mode 100644 package/selinux-python/0001-fix-ausearch-path.patch

diff --git a/package/selinux-python/0001-fix-ausearch-path.patch b/package/selinux-python/0001-fix-ausearch-path.patch
new file mode 100644
index 0000000000..c5f0a990ed
--- /dev/null
+++ b/package/selinux-python/0001-fix-ausearch-path.patch
@@ -0,0 +1,37 @@
+From 7a2456f18a49fa70de1f9ace12512bb00437b6ba Mon Sep 17 00:00:00 2001
+From: Adam Duskett <aduskett@gmail.com>
+Date: Mon, 24 Apr 2023 12:25:19 -0700
+Subject: [PATCH 1/1] fix ausearch path
+
+ausearch is installed in /usr/sbin not /sbin
+
+Signed-off-by: Adam Duskett <aduskett@gmail.com>
+---
+ sepolgen/src/sepolgen/audit.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
+index 4adb851..5afe85d 100644
+--- a/sepolgen/src/sepolgen/audit.py
++++ b/sepolgen/src/sepolgen/audit.py
+@@ -41,7 +41,7 @@ def get_audit_boot_msgs():
+     s = time.localtime(time.time() - off)
+     bootdate = time.strftime("%x", s)
+     boottime = time.strftime("%X", s)
+-    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
++    output = subprocess.Popen(["/usr/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
+                               stdout=subprocess.PIPE).communicate()[0]
+     if util.PY3:
+         output = util.decode_input(output)
+@@ -56,7 +56,7 @@ def get_audit_msgs():
+        string contain all of the audit messages returned by ausearch.
+     """
+     import subprocess
+-    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"],
++    output = subprocess.Popen(["/usr/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"],
+                               stdout=subprocess.PIPE).communicate()[0]
+     if util.PY3:
+         output = util.decode_input(output)
+-- 
+2.40.0
+
diff --git a/package/selinux-python/selinux-python.hash b/package/selinux-python/selinux-python.hash
index 6ada3fee36..3592540703 100644
--- a/package/selinux-python/selinux-python.hash
+++ b/package/selinux-python/selinux-python.hash
@@ -1,5 +1,5 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256  8ad91061300387996ccb474962fb93dde263d924aa8f740618be16b22e2444ec  selinux-python-3.3.tar.gz
+sha256  8245bb4dae59333461f19ca0c79a829081f07972fa5e3ad4c2b2b917dd71d96b  selinux-python-3.5.tar.gz
 
 # Hash for license file
-sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING
+sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
diff --git a/package/selinux-python/selinux-python.mk b/package/selinux-python/selinux-python.mk
index 0cec602f3d..7505474aa4 100644
--- a/package/selinux-python/selinux-python.mk
+++ b/package/selinux-python/selinux-python.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-SELINUX_PYTHON_VERSION = 3.3
+SELINUX_PYTHON_VERSION = 3.5
 SELINUX_PYTHON_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(SELINUX_PYTHON_VERSION)
 SELINUX_PYTHON_LICENSE = GPL-2.0
-SELINUX_PYTHON_LICENSE_FILES = COPYING
+SELINUX_PYTHON_LICENSE_FILES = LICENSE
 SELINUX_PYTHON_DEPENDENCIES = python3
 
 SELINUX_PYTHON_MAKE_OPTS += \
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 12/13] package/setools: bump to version 4.4.2

[Adam Duskett]

In addition:
  - Refresh 0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch

  - Update COPYING hash as the license file has been rewritten for clarity.
    However, the licenses have not been changed.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 ...e-setools.InfoFlowAnalysis-and-setoo.patch | 50 +++++++++----------
 package/setools/setools.hash                  |  4 +-
 package/setools/setools.mk                    |  2 +-
 3 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/package/setools/0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch b/package/setools/0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
index 3c3ae97dff..36063a4e13 100644
--- a/package/setools/0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
+++ b/package/setools/0001-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch
@@ -15,22 +15,22 @@ sedta and seinfoflow to require python3-networkx
 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 [Refreshed for 4.3.0]
 Signed-off-by: Adam Duskett <aduskett@gmail.com>
-[Refreshed for 4.4.0]
+[Refreshed for 4.4.2]
 ---
  sedta                       | 3 ++-
  seinfoflow                  | 5 +++--
  setools/__init__.py         | 4 ++--
  setoolsgui/apol/dta.py      | 2 +-
  setoolsgui/apol/infoflow.py | 2 +-
- tests/dta.py                | 2 +-
- tests/infoflow.py           | 2 +-
+ tests/test_dta.py           | 2 +-
+ tests/test_infoflow.py      | 2 +-
  7 files changed, 11 insertions(+), 9 deletions(-)
 
 diff --git a/sedta b/sedta
-index 60861ca630a5..0056172a55e5 100755
+index ffd9ede..4c53825 100755
 --- a/sedta
 +++ b/sedta
-@@ -23,6 +23,7 @@ import logging
+@@ -10,6 +10,7 @@ import logging
  import signal
  
  import setools
@@ -38,7 +38,7 @@ index 60861ca630a5..0056172a55e5 100755
  
  
  def print_transition(trans: setools.DomainTransition) -> None:
-@@ -114,7 +115,7 @@ else:
+@@ -104,7 +105,7 @@ else:
  
  try:
      p = setools.SELinuxPolicy(args.policy)
@@ -48,10 +48,10 @@ index 60861ca630a5..0056172a55e5 100755
      if args.shortest_path or args.all_paths:
          if args.shortest_path:
 diff --git a/seinfoflow b/seinfoflow
-index f10c39de4d8e..fe733bbd0787 100755
+index 5f4e764..a27b781 100755
 --- a/seinfoflow
 +++ b/seinfoflow
-@@ -18,6 +18,7 @@
+@@ -5,6 +5,7 @@
  #
  
  import setools
@@ -59,7 +59,7 @@ index f10c39de4d8e..fe733bbd0787 100755
  import argparse
  import sys
  import logging
-@@ -102,8 +103,8 @@ elif args.booleans is not None:
+@@ -91,8 +92,8 @@ elif args.booleans is not None:
  try:
      p = setools.SELinuxPolicy(args.policy)
      m = setools.PermissionMap(args.map)
@@ -71,10 +71,10 @@ index f10c39de4d8e..fe733bbd0787 100755
      if args.shortest_path or args.all_paths:
          if args.shortest_path:
 diff --git a/setools/__init__.py b/setools/__init__.py
-index d72d343..4d5aaaa 100644
+index ad9b36a..2bde01b 100644
 --- a/setools/__init__.py
 +++ b/setools/__init__.py
-@@ -91,11 +91,11 @@ from .pcideviceconquery import PcideviceconQuery
+@@ -77,11 +77,11 @@ from .pcideviceconquery import PcideviceconQuery
  from .devicetreeconquery import DevicetreeconQuery
  
  # Information Flow Analysis
@@ -89,10 +89,10 @@ index d72d343..4d5aaaa 100644
  # Policy difference
  from .diff import PolicyDifference
 diff --git a/setoolsgui/apol/dta.py b/setoolsgui/apol/dta.py
-index 4608b9dbf34e..2cde44c142e9 100644
+index a78d960..e71c70a 100644
 --- a/setoolsgui/apol/dta.py
 +++ b/setoolsgui/apol/dta.py
-@@ -24,7 +24,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
+@@ -11,7 +11,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
  from PyQt5.QtGui import QPalette, QTextCursor
  from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \
      QTreeWidgetItem
@@ -102,10 +102,10 @@ index 4608b9dbf34e..2cde44c142e9 100644
  from ..logtosignal import LogHandlerToSignal
  from .analysistab import AnalysisSection, AnalysisTab
 diff --git a/setoolsgui/apol/infoflow.py b/setoolsgui/apol/infoflow.py
-index 7bca299d23fc..7fee2778f35f 100644
+index fb9b409..738f1b8 100644
 --- a/setoolsgui/apol/infoflow.py
 +++ b/setoolsgui/apol/infoflow.py
-@@ -26,7 +26,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
+@@ -13,7 +13,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
  from PyQt5.QtGui import QPalette, QTextCursor
  from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \
      QTreeWidgetItem
@@ -114,11 +114,11 @@ index 7bca299d23fc..7fee2778f35f 100644
  from setools.exception import UnmappedClass, UnmappedPermission
  
  from ..logtosignal import LogHandlerToSignal
-diff --git a/tests/dta.py b/tests/dta.py
-index a0cc9381469c..177e6fb0b961 100644
---- a/tests/dta.py
-+++ b/tests/dta.py
-@@ -18,7 +18,7 @@
+diff --git a/tests/test_dta.py b/tests/test_dta.py
+index 7f9bbc9..48338c5 100644
+--- a/tests/test_dta.py
++++ b/tests/test_dta.py
+@@ -5,7 +5,7 @@
  import os
  import unittest
  
@@ -127,11 +127,11 @@ index a0cc9381469c..177e6fb0b961 100644
  from setools import TERuletype as TERT
  from setools.exception import InvalidType
  from setools.policyrep import Type
-diff --git a/tests/infoflow.py b/tests/infoflow.py
-index aa0e44a7e4f8..fca2848aeca5 100644
---- a/tests/infoflow.py
-+++ b/tests/infoflow.py
-@@ -18,7 +18,7 @@
+diff --git a/tests/test_infoflow.py b/tests/test_infoflow.py
+index 5a8f745..e25993b 100644
+--- a/tests/test_infoflow.py
++++ b/tests/test_infoflow.py
+@@ -5,7 +5,7 @@
  import os
  import unittest
  
diff --git a/package/setools/setools.hash b/package/setools/setools.hash
index fdb0919f11..c353e1f609 100644
--- a/package/setools/setools.hash
+++ b/package/setools/setools.hash
@@ -1,5 +1,5 @@
 # Locally computed
-sha256  202eac5f857475937bee8136cff278aa2b4a4b94a0dec63fbbbe18c9eb644a4e  setools-4.4.0.tar.gz
-sha256  2f7547e10f76a382c24c053595f38a5cc6dda9347f508f254ca490e0046a9624  COPYING
+sha256  998d12d01852feed1889110a4ca81090a47a2d9b47368e4dfe2b94d68696c813  setools-4.4.2.tar.gz
+sha256  0e58d74751e394f39748c7b7b4039d6a883b5def9711160668ba962b52e69e01  COPYING
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING.GPL
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LGPL
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
index ea355f10c8..b80d25a6b9 100644
--- a/package/setools/setools.mk
+++ b/package/setools/setools.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SETOOLS_VERSION = 4.4.0
+SETOOLS_VERSION = 4.4.2
 SETOOLS_SITE = $(call github,SELinuxProject,setools,$(SETOOLS_VERSION))
 SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-flex host-python-cython host-swig
 SETOOLS_INSTALL_STAGING = YES
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 13/13] package/refpolicy: bump to version 2.20221101

[Adam Duskett]

Add an upstream patch in package/refpolicy/2.20221101 that makes dbus optional
for the mount interface. The patch must go in the 2.20221101 directory or else
the build system will automatically attempt to apply the patch to a custom git
version of refpolicy if chosen.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
Changes v1 -> v2:
  - Added 2.20221101/0001-mount-dbus-interface-must-be-optional.patch

 ...ount-dbus-interface-must-be-optional.patch | 33 +++++++++++++++++++
 package/refpolicy/refpolicy.hash              |  2 +-
 package/refpolicy/refpolicy.mk                |  2 +-
 3 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch

diff --git a/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch b/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch
new file mode 100644
index 0000000000..dec0af828f
--- /dev/null
+++ b/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch
@@ -0,0 +1,33 @@
+From 6c6be65ccf0891391681d4662cc11f508c0f4aeb Mon Sep 17 00:00:00 2001
+From: Adam Duskett <aduskett@gmail.com>
+Date: Mon, 24 Apr 2023 14:24:49 -0700
+Subject: [PATCH] mount: dbus interface must be optional
+
+If DBus isn't built, the build process fails due to mount.te always using a
+dbus interface even if the dbus module. Fix this by setting the dbus interface
+as optional.
+
+Signed-off-by: Adam Duskett <aduskett@gmail.com>
+Upstream-status: accepted. 207b09a656c2c3ac5c286d3f7eef085325e35408
+---
+ policy/modules/system/mount.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index d028723..af84af0 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -145,7 +145,9 @@ selinux_getattr_fs(mount_t)
+ 
+ userdom_use_all_users_fds(mount_t)
+ 
+-dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
++optional_policy(`
++	dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
++')
+ 
+ ifdef(`distro_redhat',`
+ 	optional_policy(`
+-- 
+2.40.0
+
diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
index b08c22ed4e..a09e59c270 100644
--- a/package/refpolicy/refpolicy.hash
+++ b/package/refpolicy/refpolicy.hash
@@ -1,5 +1,5 @@
 # From https://github.com/SELinuxProject/refpolicy/releases
-sha256  965f98f0b68a24fd0b8e8d973d319332aea88973e1d6c455ef9c2a31aefaeaa6  refpolicy-2.20220106.tar.bz2
+sha256  44f88e62c8efcef54d019b9ca077520d5993de580926bd7575788cfa78515396  refpolicy-2.20221101.tar.bz2
 
 # Locally computed
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index f11b72755a..8fea7cc254 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -23,7 +23,7 @@ REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
 REFPOLICY_SITE_METHOD = git
 BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE)
 else
-REFPOLICY_VERSION = 2.20220106
+REFPOLICY_VERSION = 2.20221101
 REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
 REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION))
 endif
-- 
2.40.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 01/13] package/libglib2/0003-disable-building-docs.patch: new patch

[Peter Seiderer]

Hello Adam,

On Tue, 25 Apr 2023 10:14:42 -0700, Adam Duskett <aduskett@gmail.com> wrote:

> If rst2html5 is installed on a host system, meson will attempt to build
> html5 documentation from the docs directory, resulting in the following
> error:
>
> /usr/local/bin/rst2html5.py
> Traceback (most recent call last):
>   File "/usr/local/bin/rst2html5.py", line 27, in <module>
>     from docutils.core import publish_cmdline, default_description
> ModuleNotFoundError: No module named 'docutils'
>
> Since we don't need, nor want to build the documentation, remove the docs
> subdirectory from being built entirely.
>
> Signed-off-by: Adam Duskett <aduskett@gmail.com>
> ---
>  .../libglib2/0003-disable-building-docs.patch | 38 +++++++++++++++++++
>  1 file changed, 38 insertions(+)
>  create mode 100644 package/libglib2/0003-disable-building-docs.patch
>
> diff --git a/package/libglib2/0003-disable-building-docs.patch b/package/libglib2/0003-disable-building-docs.patch
> new file mode 100644
> index 0000000000..27a540bf61
> --- /dev/null
> +++ b/package/libglib2/0003-disable-building-docs.patch
> @@ -0,0 +1,38 @@
> +From f3b8515471aaa452f06d84da68372fcead8637d2 Mon Sep 17 00:00:00 2001
> +From: Adam Duskett <aduskett@gmail.com>
> +Date: Mon, 24 Apr 2023 11:52:24 -0700
> +Subject: [PATCH 1/1] disable building docs
> +
> +If rst2html5 is installed on a host system, meson will attempt to build
> +html5 documentation from the docs directory, resulting in the following
> +error:
> +
> +/usr/local/bin/rst2html5.py
> +Traceback (most recent call last):
> +  File "/usr/local/bin/rst2html5.py", line 27, in <module>
> +    from docutils.core import publish_cmdline, default_description
> +ModuleNotFoundError: No module named 'docutils'
> +
> +Since we don't need, nor want to build the documentation, remove the docs
> +subdirectory from being built entirely.
> +
> +Signed-off-by: Adam Duskett <aduskett@gmail.com>
> +---
> + meson.build | 1 -
> + 1 file changed, 1 deletion(-)
> +
> +diff --git a/meson.build b/meson.build
> +index 0cbc968..28e1147 100644
> +--- a/meson.build
> ++++ b/meson.build
> +@@ -2442,7 +2442,6 @@ if get_option('man')
> + endif
> +
> + gnome = import('gnome')
> +-subdir('docs/reference')

As far as I read the meson.build files all actions in docs/reference
are protected by the options 'gtk_doc' or 'man', is disabling this
ones not enough?

Regards,
Peter

> +
> + summary({
> +   'host cpu' : host_machine.cpu_family(),
> +--
> +2.40.0
> +

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 01/13] package/libglib2/0003-disable-building-docs.patch: new patch

[James Knight]

Peter, Adam;

On Tue, Apr 25, 2023 at 5:03 PM Peter Seiderer <ps.report@gmx.net> wrote:
> As far as I read the meson.build files all actions in docs/reference
> are protected by the options 'gtk_doc' or 'man', is disabling this
> ones not enough?

GLIB's HTML (gvariant) documentation was not bound to the `gtk_doc` or
`man` options. This has now been addressed upstream [1]. Using the
existing patch or replacing it with the upstream patch will
functionally achieve the same results.

[1]: https://gitlab.gnome.org/GNOME/glib/-/commit/0fa17ec3c7152cf0e1cbf965acf1426ac203bb1d
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 01/13] package/libglib2/0003-disable-building-docs.patch: new patch

[Yann E. MORIN]

Adam, All,

On 2023-04-25 10:14 -0700, Adam Duskett spake thusly:
> If rst2html5 is installed on a host system, meson will attempt to build
> html5 documentation from the docs directory, resulting in the following
> error:
> 
> /usr/local/bin/rst2html5.py
> Traceback (most recent call last):
>   File "/usr/local/bin/rst2html5.py", line 27, in <module>
>     from docutils.core import publish_cmdline, default_description
> ModuleNotFoundError: No module named 'docutils'
> 
> Since we don't need, nor want to build the documentation, remove the docs
> subdirectory from being built entirely.
> 
> Signed-off-by: Adam Duskett <aduskett@gmail.com>

As noticed by James, there is an upstream patch that fixes the issue, so
I've instead backported that.

Also, see below...

> ---
>  .../libglib2/0003-disable-building-docs.patch | 38 +++++++++++++++++++
>  1 file changed, 38 insertions(+)
>  create mode 100644 package/libglib2/0003-disable-building-docs.patch
> 
> diff --git a/package/libglib2/0003-disable-building-docs.patch b/package/libglib2/0003-disable-building-docs.patch
> new file mode 100644
> index 0000000000..27a540bf61
> --- /dev/null
> +++ b/package/libglib2/0003-disable-building-docs.patch
> @@ -0,0 +1,38 @@
> +From f3b8515471aaa452f06d84da68372fcead8637d2 Mon Sep 17 00:00:00 2001
> +From: Adam Duskett <aduskett@gmail.com>
> +Date: Mon, 24 Apr 2023 11:52:24 -0700
> +Subject: [PATCH 1/1] disable building docs
> +
> +If rst2html5 is installed on a host system, meson will attempt to build
> +html5 documentation from the docs directory, resulting in the following
> +error:
> +
> +/usr/local/bin/rst2html5.py
> +Traceback (most recent call last):
> +  File "/usr/local/bin/rst2html5.py", line 27, in <module>
> +    from docutils.core import publish_cmdline, default_description
> +ModuleNotFoundError: No module named 'docutils'
> +
> +Since we don't need, nor want to build the documentation, remove the docs
> +subdirectory from being built entirely.
> +
> +Signed-off-by: Adam Duskett <aduskett@gmail.com>

    $ ./utils/docker-run make check-package
    package/libglib2/0003-disable-building-docs.patch:4: generate your patches with 'git format-patch -N'
    package/libglib2/0003-disable-building-docs.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)

Since I've replaced your path with a backport, that fixed those
warnings. ;-)

Regards,
Yann E. MORIN.

> +---
> + meson.build | 1 -
> + 1 file changed, 1 deletion(-)
> +
> +diff --git a/meson.build b/meson.build
> +index 0cbc968..28e1147 100644
> +--- a/meson.build
> ++++ b/meson.build
> +@@ -2442,7 +2442,6 @@ if get_option('man')
> + endif
> + 
> + gnome = import('gnome')
> +-subdir('docs/reference')
> + 
> + summary({
> +   'host cpu' : host_machine.cpu_family(),
> +-- 
> +2.40.0
> +
> -- 
> 2.40.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 00/13] Selinux: bump to 3.5

[Yann E. MORIN]

Adam, All,

On 2023-04-25 10:14 -0700, Adam Duskett spake thusly:
> It's been quite some time since anyone updated the SELinux packages (mainly me!)
[--SNIP--]
> Adam Duskett (13):
>   package/libglib2/0003-disable-building-docs.patch: new patch
>   package/python-pip: add host variant
>   package/libsepol: bump to version 3.5
>   package/libsemanage: bump to version 3.5
>   package/libselinux: bump to version 3.5
>   package/policycoreutils: bump to version 3.5
>   package/checkpolicy: bump to version 3.5
>   package/restorecond: bump to version 3.5
>   package/semodule-utils: bump to version 3.5
>   package/audit: bump to version 3.1
>   package/selinux-python: bump to version 3.5
>   package/setools: bump to version 4.4.2
>   package/refpolicy: bump to version 2.20221101

Entire series applied to master, thanls!

I had to do some fixups on some patches, I'll reply to them individually.

Regards,
Yann E. MORIN.


-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 02/13] package/python-pip: add host variant

[Yann E. MORIN]

Adam, All,

On 2023-04-25 10:14 -0700, Adam Duskett spake thusly:
> In the following patch that updates libselinux, the libselinux python tools now
> require pip to install.

This was a bit terse an explanation, so I extended it a bit.

Applied to master, thanks.

Regards,
Yann E. MORIN.

> Signed-off-by: Adam Duskett <aduskett@gmail.com>
> ---
>  package/python-pip/python-pip.mk | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/package/python-pip/python-pip.mk b/package/python-pip/python-pip.mk
> index 8cf3aaa3ec..35ad7bede2 100644
> --- a/package/python-pip/python-pip.mk
> +++ b/package/python-pip/python-pip.mk
> @@ -14,3 +14,4 @@ PYTHON_PIP_CPE_ID_VENDOR = pypa
>  PYTHON_PIP_CPE_ID_PRODUCT = pip
>  
>  $(eval $(python-package))
> +$(eval $(host-python-package))
> -- 
> 2.40.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 05/13] package/libselinux: bump to version 3.5

[Yann E. MORIN]

Adam, All,

On 2023-04-25 10:14 -0700, Adam Duskett spake thusly:
> - libselinux now requires pip to install the python tools.

I extended that to explain that is really is just about the
installation, while the build is still performed with setuptools.

Also, that python bindings, not python tools; python tools have their
own dedicated pachage.selinux-python (which you update in a follow-up
patch).

> - Rebase patches for version 3.5

I also backported an upstream patch to fix intsallation of the python
bindings.

Applied to master, thanks.

Regards,
Yann E. MORIN.

> Signed-off-by: Adam Duskett <aduskett@gmail.com>
> ---
>  package/libselinux/0001-fix-musl-build.patch     |  4 ++--
>  ...CEXT-and-rely-on-the-installed-file-nam.patch |  8 ++++----
>  package/libselinux/Config.in                     |  1 +
>  package/libselinux/libselinux.hash               |  2 +-
>  package/libselinux/libselinux.mk                 | 16 +++++++++++++---
>  5 files changed, 21 insertions(+), 10 deletions(-)
> 
> diff --git a/package/libselinux/0001-fix-musl-build.patch b/package/libselinux/0001-fix-musl-build.patch
> index 44189e6400..b8b16be26f 100644
> --- a/package/libselinux/0001-fix-musl-build.patch
> +++ b/package/libselinux/0001-fix-musl-build.patch
> @@ -12,13 +12,13 @@ Domain, and we want to avoid license propagation, so this macro is
>  completely written from scratch, and non-optimal.
>  
>  Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
> -[Updated for 3.0]
> +[Updated for 3.5]
>  Signed-off-by: Adam Duskett <Aduskett@gmail.com>
>  diff --git a/src/booleans.c b/src/booleans.c
>  index ffa8d26..8569002 100644
>  --- a/src/booleans.c
>  +++ b/src/booleans.c
> -@@ -65,6 +65,14 @@ int security_get_boolean_names(char ***names, int *len)
> +@@ -64,6 +64,14 @@ int security_get_boolean_names(char ***names, int *len)
>   		goto bad;
>   	}
>   
> diff --git a/package/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch b/package/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
> index 18c79b3b4d..c744ca4069 100644
> --- a/package/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
> +++ b/package/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch
> @@ -18,7 +18,7 @@ was installed.
>  Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
>  [Refreshed for 3.1]
>  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> -[Refreshed for 3.0]
> +[Refreshed for 3.5]
>  Signed-off-by: Adam Duskett <Aduskett@gmail.com>
>  ---
>   src/Makefile | 3 +--
> @@ -31,14 +31,14 @@ index 190016e2af34..7ee22fd35da3 100644
>  @@ -15,7 +15,6 @@ INCLUDEDIR ?= $(PREFIX)/include
>   PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
>   PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
> - PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))")
> + PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))")
>  -PYCEXT ?= $(shell $(PYTHON) -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])')
>   RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')
>   RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
>   RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]')
> -@@ -184,7 +183,7 @@ install: all
> +@@ -189,7 +188,7 @@ install: all
>   install-pywrap: pywrap
> - 	$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS)
> + 	$(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
>   	install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
>  -	ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
>  +	ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux*.so $(DESTDIR)$(PYTHONLIBDIR)/
> diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
> index 3098fe3ea4..bc40e32a46 100644
> --- a/package/libselinux/Config.in
> +++ b/package/libselinux/Config.in
> @@ -6,6 +6,7 @@ config BR2_PACKAGE_LIBSELINUX
>  	select BR2_PACKAGE_LIBSEPOL
>  	select BR2_PACKAGE_PCRE2
>  	select BR2_PACKAGE_MUSL_FTS if !BR2_TOOLCHAIN_USES_GLIBC
> +	select BR2_PACKAGE_PYTHON_SETUPTOOLS if BR2_PACKAGE_PYTHON3
>  	help
>  	  libselinux is the runtime SELinux library that provides
>  	  interfaces (e.g. library functions for the SELinux kernel
> diff --git a/package/libselinux/libselinux.hash b/package/libselinux/libselinux.hash
> index a2e0083f7b..14bc627a80 100644
> --- a/package/libselinux/libselinux.hash
> +++ b/package/libselinux/libselinux.hash
> @@ -1,5 +1,5 @@
>  # From: https://github.com/SELinuxProject/selinux/wiki/Releases
> -sha256  acfdee27633d2496508c28727c3d41d3748076f66d42fccde2e6b9f3463a7057  libselinux-3.3.tar.gz
> +sha256  9a3a3705ac13a2ccca2de6d652b6356fead10f36fb33115c185c5ccdf29eec19  libselinux-3.5.tar.gz
>  
>  # Hash for license file
>  sha256  86657b4c0fe868d7cbd977cb04c63b6c667e08fa51595a7bc846ad4bed8fc364  LICENSE
> diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
> index db35da130f..b8de21edaa 100644
> --- a/package/libselinux/libselinux.mk
> +++ b/package/libselinux/libselinux.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LIBSELINUX_VERSION = 3.3
> +LIBSELINUX_VERSION = 3.5
>  LIBSELINUX_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(LIBSELINUX_VERSION)
>  LIBSELINUX_LICENSE = Public Domain
>  LIBSELINUX_LICENSE_FILES = LICENSE
> @@ -31,7 +31,11 @@ LIBSELINUX_MAKE_OPTS += FTS_LDLIBS=-lfts
>  endif
>  
>  ifeq ($(BR2_PACKAGE_PYTHON3),y)
> -LIBSELINUX_DEPENDENCIES += python3 host-swig
> +LIBSELINUX_DEPENDENCIES += \
> +	python3 \
> +	python-setuptools \
> +	host-python-pip \
> +	host-swig
>  
>  LIBSELINUX_MAKE_OPTS += \
>  	$(PKG_PYTHON_DISTUTILS_ENV) \
> @@ -77,7 +81,13 @@ define LIBSELINUX_INSTALL_TARGET_CMDS
>  endef
>  
>  HOST_LIBSELINUX_DEPENDENCIES = \
> -	host-pkgconf host-libsepol host-pcre2 host-swig host-python3
> +	host-pkgconf \
> +	host-libsepol \
> +	host-pcre2 \
> +	host-swig \
> +	host-python3 \
> +	host-python-pip \
> +	host-python-setuptools
>  
>  HOST_LIBSELINUX_MAKE_OPTS = \
>  	$(HOST_CONFIGURE_OPTS) \
> -- 
> 2.40.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 11/13] package/selinux-python: bump to version 3.5

[Yann E. MORIN]

Adam, All,

On 2023-04-25 10:14 -0700, Adam Duskett spake thusly:
> Also:
>   - Change the license file to LICENSE. The hash remains the same.
> 
>   - Add 0001-fix-ausearch-path.patch as audit 3.1 installs ausearch to
>     /usr/sbin not /sbin
> 
> Signed-off-by: Adam Duskett <aduskett@gmail.com>
> ---
>  .../0001-fix-ausearch-path.patch              | 37 +++++++++++++++++++
>  package/selinux-python/selinux-python.hash    |  4 +-
>  package/selinux-python/selinux-python.mk      |  4 +-
>  3 files changed, 41 insertions(+), 4 deletions(-)
>  create mode 100644 package/selinux-python/0001-fix-ausearch-path.patch
> 
> diff --git a/package/selinux-python/0001-fix-ausearch-path.patch b/package/selinux-python/0001-fix-ausearch-path.patch
> new file mode 100644
> index 0000000000..c5f0a990ed
> --- /dev/null
> +++ b/package/selinux-python/0001-fix-ausearch-path.patch
> @@ -0,0 +1,37 @@
> +From 7a2456f18a49fa70de1f9ace12512bb00437b6ba Mon Sep 17 00:00:00 2001
> +From: Adam Duskett <aduskett@gmail.com>
> +Date: Mon, 24 Apr 2023 12:25:19 -0700
> +Subject: [PATCH 1/1] fix ausearch path
> +
> +ausearch is installed in /usr/sbin not /sbin
> +
> +Signed-off-by: Adam Duskett <aduskett@gmail.com>

    $ ./utils/docker-run make check-package
    package/selinux-python/0001-fix-ausearch-path.patch:4: generate your patches with 'git format-patch -N'
    package/selinux-python/0001-fix-ausearch-path.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)

I changed the commit to an upstreamable one, and rewrote the commit log
with more in-depth explanations, so that fixed those two warnings.

Can you see into pushing that patch upstream, please?

Applied to master, thanks.

Regards,
Yann E. MORIN.

> +---
> + sepolgen/src/sepolgen/audit.py | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
> +index 4adb851..5afe85d 100644
> +--- a/sepolgen/src/sepolgen/audit.py
> ++++ b/sepolgen/src/sepolgen/audit.py
> +@@ -41,7 +41,7 @@ def get_audit_boot_msgs():
> +     s = time.localtime(time.time() - off)
> +     bootdate = time.strftime("%x", s)
> +     boottime = time.strftime("%X", s)
> +-    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
> ++    output = subprocess.Popen(["/usr/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
> +                               stdout=subprocess.PIPE).communicate()[0]
> +     if util.PY3:
> +         output = util.decode_input(output)
> +@@ -56,7 +56,7 @@ def get_audit_msgs():
> +        string contain all of the audit messages returned by ausearch.
> +     """
> +     import subprocess
> +-    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"],
> ++    output = subprocess.Popen(["/usr/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"],
> +                               stdout=subprocess.PIPE).communicate()[0]
> +     if util.PY3:
> +         output = util.decode_input(output)
> +-- 
> +2.40.0
> +
> diff --git a/package/selinux-python/selinux-python.hash b/package/selinux-python/selinux-python.hash
> index 6ada3fee36..3592540703 100644
> --- a/package/selinux-python/selinux-python.hash
> +++ b/package/selinux-python/selinux-python.hash
> @@ -1,5 +1,5 @@
>  # https://github.com/SELinuxProject/selinux/wiki/Releases
> -sha256  8ad91061300387996ccb474962fb93dde263d924aa8f740618be16b22e2444ec  selinux-python-3.3.tar.gz
> +sha256  8245bb4dae59333461f19ca0c79a829081f07972fa5e3ad4c2b2b917dd71d96b  selinux-python-3.5.tar.gz
>  
>  # Hash for license file
> -sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING
> +sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  LICENSE
> diff --git a/package/selinux-python/selinux-python.mk b/package/selinux-python/selinux-python.mk
> index 0cec602f3d..7505474aa4 100644
> --- a/package/selinux-python/selinux-python.mk
> +++ b/package/selinux-python/selinux-python.mk
> @@ -4,10 +4,10 @@
>  #
>  ################################################################################
>  
> -SELINUX_PYTHON_VERSION = 3.3
> +SELINUX_PYTHON_VERSION = 3.5
>  SELINUX_PYTHON_SITE = https://github.com/SELinuxProject/selinux/releases/download/$(SELINUX_PYTHON_VERSION)
>  SELINUX_PYTHON_LICENSE = GPL-2.0
> -SELINUX_PYTHON_LICENSE_FILES = COPYING
> +SELINUX_PYTHON_LICENSE_FILES = LICENSE
>  SELINUX_PYTHON_DEPENDENCIES = python3
>  
>  SELINUX_PYTHON_MAKE_OPTS += \
> -- 
> 2.40.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 13/13] package/refpolicy: bump to version 2.20221101

[Yann E. MORIN]

Adam, All,

On 2023-04-25 10:14 -0700, Adam Duskett spake thusly:
> Add an upstream patch in package/refpolicy/2.20221101 that makes dbus optional
> for the mount interface. The patch must go in the 2.20221101 directory or else
> the build system will automatically attempt to apply the patch to a custom git
> version of refpolicy if chosen.
> 
> Signed-off-by: Adam Duskett <aduskett@gmail.com>
> ---
> Changes v1 -> v2:
>   - Added 2.20221101/0001-mount-dbus-interface-must-be-optional.patch
> 
>  ...ount-dbus-interface-must-be-optional.patch | 33 +++++++++++++++++++
>  package/refpolicy/refpolicy.hash              |  2 +-
>  package/refpolicy/refpolicy.mk                |  2 +-
>  3 files changed, 35 insertions(+), 2 deletions(-)
>  create mode 100644 package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch
> 
> diff --git a/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch b/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch
> new file mode 100644
> index 0000000000..dec0af828f
> --- /dev/null
> +++ b/package/refpolicy/2.20221101/0001-mount-dbus-interface-must-be-optional.patch
> @@ -0,0 +1,33 @@
> +From 6c6be65ccf0891391681d4662cc11f508c0f4aeb Mon Sep 17 00:00:00 2001
> +From: Adam Duskett <aduskett@gmail.com>
> +Date: Mon, 24 Apr 2023 14:24:49 -0700
> +Subject: [PATCH] mount: dbus interface must be optional
> +
> +If DBus isn't built, the build process fails due to mount.te always using a
> +dbus interface even if the dbus module. Fix this by setting the dbus interface
> +as optional.
> +
> +Signed-off-by: Adam Duskett <aduskett@gmail.com>
> +Upstream-status: accepted. 207b09a656c2c3ac5c286d3f7eef085325e35408

The proper format for an Upstream: tag is just "Upstream:" (but that is
a very recent change. so I just fixed it). We also prefer to have an URL
to the upstream commit, so I changed that too.

Applied to master, thanks.

Regards,
Yann E. MORIN.

> +---
> + policy/modules/system/mount.te | 4 +++-
> + 1 file changed, 3 insertions(+), 1 deletion(-)
> +
> +diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> +index d028723..af84af0 100644
> +--- a/policy/modules/system/mount.te
> ++++ b/policy/modules/system/mount.te
> +@@ -145,7 +145,9 @@ selinux_getattr_fs(mount_t)
> + 
> + userdom_use_all_users_fds(mount_t)
> + 
> +-dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
> ++optional_policy(`
> ++	dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
> ++')
> + 
> + ifdef(`distro_redhat',`
> + 	optional_policy(`
> +-- 
> +2.40.0
> +
> diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
> index b08c22ed4e..a09e59c270 100644
> --- a/package/refpolicy/refpolicy.hash
> +++ b/package/refpolicy/refpolicy.hash
> @@ -1,5 +1,5 @@
>  # From https://github.com/SELinuxProject/refpolicy/releases
> -sha256  965f98f0b68a24fd0b8e8d973d319332aea88973e1d6c455ef9c2a31aefaeaa6  refpolicy-2.20220106.tar.bz2
> +sha256  44f88e62c8efcef54d019b9ca077520d5993de580926bd7575788cfa78515396  refpolicy-2.20221101.tar.bz2
>  
>  # Locally computed
>  sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING
> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
> index f11b72755a..8fea7cc254 100644
> --- a/package/refpolicy/refpolicy.mk
> +++ b/package/refpolicy/refpolicy.mk
> @@ -23,7 +23,7 @@ REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
>  REFPOLICY_SITE_METHOD = git
>  BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE)
>  else
> -REFPOLICY_VERSION = 2.20220106
> +REFPOLICY_VERSION = 2.20221101
>  REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
>  REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION))
>  endif
> -- 
> 2.40.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 02/13] package/python-pip: add host variant

[Peter Korsgaard]

>>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:

 > In the following patch that updates libselinux, the libselinux python tools now
 > require pip to install.

 > Signed-off-by: Adam Duskett <aduskett@gmail.com>

Somewhat related, is there any way we can ensure that this pip is only
used for the installation logic (which is fine if a bit odd) and NOT to pull in extra python
dependencies (which is naturally NOT OK)?


> ---
 >  package/python-pip/python-pip.mk | 1 +
 >  1 file changed, 1 insertion(+)

 > diff --git a/package/python-pip/python-pip.mk b/package/python-pip/python-pip.mk
 > index 8cf3aaa3ec..35ad7bede2 100644
 > --- a/package/python-pip/python-pip.mk
 > +++ b/package/python-pip/python-pip.mk
 > @@ -14,3 +14,4 @@ PYTHON_PIP_CPE_ID_VENDOR = pypa
 >  PYTHON_PIP_CPE_ID_PRODUCT = pip
 
 >  $(eval $(python-package))
 > +$(eval $(host-python-package))
 > -- 

 > 2.40.0

 > _______________________________________________
 > buildroot mailing list
 > buildroot@buildroot.org
 > https://lists.buildroot.org/mailman/listinfo/buildroot


-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 02/13] package/python-pip: add host variant

[Yann E. MORIN]

Peter, All,

On 2023-06-12 17:52 +0200, Peter Korsgaard spake thusly:
> >>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:
>  > In the following patch that updates libselinux, the libselinux python tools now
>  > require pip to install.
>  > Signed-off-by: Adam Duskett <aduskett@gmail.com>
> Somewhat related, is there any way we can ensure that this pip is only
> used for the installation logic (which is fine if a bit odd)

Yes, I too found it odd. I don't recall the details, though, but indeed,
we do need pip to perform the install step, while the build step is
still performed with setuptools.

> and NOT to pull in extra python
> dependencies (which is naturally NOT OK)?

That was a concern of mine when I applied the patch, too, but I did not
have a good idea to prevent that.

But since then, I've learnt about --no-index, and if that is not enough,
we can redirect to a fake index with -i and --extra-index-url. Could
using --no-deps also be useful?

So we could maybe provide our wrapper around pip3, that uses a combo of
those options, to prevent installing anything but a local file.

That would not work for packages that use a python script to import pip
and directly call it, though; is that even possible (I'd guess so, and
probably something, somewhere is (ab)using that).

Alternatively, the wrapper could also export http_proxy and https_proxy
to something that does not exist, and that would cause the download to
fail.

Regards,
Yann E. MORIN.

> > ---
>  >  package/python-pip/python-pip.mk | 1 +
>  >  1 file changed, 1 insertion(+)
> 
>  > diff --git a/package/python-pip/python-pip.mk b/package/python-pip/python-pip.mk
>  > index 8cf3aaa3ec..35ad7bede2 100644
>  > --- a/package/python-pip/python-pip.mk
>  > +++ b/package/python-pip/python-pip.mk
>  > @@ -14,3 +14,4 @@ PYTHON_PIP_CPE_ID_VENDOR = pypa
>  >  PYTHON_PIP_CPE_ID_PRODUCT = pip
>  
>  >  $(eval $(python-package))
>  > +$(eval $(host-python-package))
>  > -- 
> 
>  > 2.40.0
> 
>  > _______________________________________________
>  > buildroot mailing list
>  > buildroot@buildroot.org
>  > https://lists.buildroot.org/mailman/listinfo/buildroot
> 
> 
> -- 
> Bye, Peter Korsgaard

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 02/13] package/python-pip: add host variant

[Peter Korsgaard]

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > Peter, All,
 > On 2023-06-12 17:52 +0200, Peter Korsgaard spake thusly:
 >> >>>>> "Adam" == Adam Duskett <aduskett@gmail.com> writes:
 >> > In the following patch that updates libselinux, the libselinux python tools now
 >> > require pip to install.
 >> > Signed-off-by: Adam Duskett <aduskett@gmail.com>
 >> Somewhat related, is there any way we can ensure that this pip is only
 >> used for the installation logic (which is fine if a bit odd)

 > Yes, I too found it odd. I don't recall the details, though, but indeed,
 > we do need pip to perform the install step, while the build step is
 > still performed with setuptools.

 >> and NOT to pull in extra python
 >> dependencies (which is naturally NOT OK)?

 > That was a concern of mine when I applied the patch, too, but I did not
 > have a good idea to prevent that.

 > But since then, I've learnt about --no-index, and if that is not enough,
 > we can redirect to a fake index with -i and --extra-index-url. Could
 > using --no-deps also be useful?

 > So we could maybe provide our wrapper around pip3, that uses a combo of
 > those options, to prevent installing anything but a local file.

Ahh, yes - That could be a nice improvement!

 > That would not work for packages that use a python script to import pip
 > and directly call it, though; is that even possible (I'd guess so, and
 > probably something, somewhere is (ab)using that).

Hmm, I guess someone is creative enough for that ;)

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot