
package/refpolicy: bump to version 2.20220106

Drop patches (already in version)

https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20220106

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fabrice Fontaine 3 ani în urmă
părinte
comite
f6691d122c

+ 0 - 83
package/refpolicy/2.20210908/0001-policy-modules-services-samba.te-make-crack-optional.patch

@@ -1,83 +0,0 @@
-From 7c58f2508efc115dea03e18e1fa611ebf81f6ee6 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Wed, 4 Aug 2021 11:12:01 +0200
-Subject: [PATCH] policy/modules/services/samba.te: make crack optional
-
-Make crack optional to avoid the following build failure:
-
- Compiling targeted policy.31
- env LD_LIBRARY_PATH="/tmp/instance-5/output-1/host/lib:/tmp/instance-5/output-1/host/usr/lib" /tmp/instance-5/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
- policy/modules/services/samba.te:399:ERROR 'type crack_db_t is not within scope' at token ';' on line 360232:
- 	allow smbd_t crack_db_t:dir { getattr search open };
- #line 399
- checkpolicy:  error(s) encountered while parsing configuration
-
-Fixes:
- - http://autobuild.buildroot.org/results/ab7098948d1920e42fa587e07f0513f23ba7fc74
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: https://github.com/SELinuxProject/refpolicy/pull/407]
----
- policy/modules/services/samba.te | 32 ++++++++++++++++++--------------
- 1 file changed, 18 insertions(+), 14 deletions(-)
-
-diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index 9d4665ae6..6c37625a9 100644
---- a/policy/modules/services/samba.te
-+++ b/policy/modules/services/samba.te
-@@ -396,8 +396,6 @@ userdom_signal_all_users(smbd_t)
- userdom_home_filetrans_user_home_dir(smbd_t)
- userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
- 
--usermanage_read_crack_db(smbd_t)
--
- ifdef(`hide_broken_symptoms',`
- 	files_dontaudit_getattr_default_dirs(smbd_t)
- 	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -413,18 +411,6 @@ tunable_policy(`samba_create_home_dirs',`
- 	userdom_create_user_home_dirs(smbd_t)
- ')
- 
--tunable_policy(`samba_domain_controller',`
--	gen_require(`
--		class passwd passwd;
--	')
--
--	usermanage_domtrans_passwd(smbd_t)
--	usermanage_kill_passwd(smbd_t)
--	usermanage_domtrans_useradd(smbd_t)
--	usermanage_domtrans_groupadd(smbd_t)
--	allow smbd_t self:passwd passwd;
--')
--
- tunable_policy(`samba_enable_home_dirs',`
- 	userdom_manage_user_home_content_dirs(smbd_t)
- 	userdom_manage_user_home_content_files(smbd_t)
-@@ -505,6 +491,24 @@ optional_policy(`
- 	seutil_sigchld_newrole(smbd_t)
- ')
- 
-+optional_policy(`
-+	usermanage_read_crack_db(smbd_t)
-+')
-+
-+optional_policy(`
-+	tunable_policy(`samba_domain_controller',`
-+		gen_require(`
-+			class passwd passwd;
-+		')
-+
-+		usermanage_domtrans_passwd(smbd_t)
-+		usermanage_kill_passwd(smbd_t)
-+		usermanage_domtrans_useradd(smbd_t)
-+		usermanage_domtrans_groupadd(smbd_t)
-+		allow smbd_t self:passwd passwd;
-+	')
-+')
-+
- ########################################
- #
- # Nmbd Local policy
--- 
-2.30.2
-

+ 0 - 54
package/refpolicy/2.20210908/0002-policy-modules-services-wireguard.te-make-iptables-o.patch

@@ -1,54 +0,0 @@
-From 67394d078c2e1438293b25d08cf408b0b0d55755 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Wed, 22 Sep 2021 23:55:59 +0200
-Subject: [PATCH] policy/modules/services/wireguard.te: make iptables optional
-
-Make iptables optional to avoid the following build failure raised since
-version 2.20210908 and
-https://github.com/SELinuxProject/refpolicy/commit/7f1a7b1cacd5d211077ce62fbb4e91890e65c820:
-
- Compiling targeted policy.33
- env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
- policy/modules/services/wireguard.te:66:ERROR 'type iptables_exec_t is not within scope' at token ';' on line 591892:
- #line 66
-	allow wireguard_t iptables_exec_t:file { getattr open map read execute ioctl };
- checkpolicy:  error(s) encountered while parsing configuration
- make[1]: *** [Rules.monolithic:79: policy.33] Error 1
-
-Fixes:
- - http://autobuild.buildroot.org/results/a4223accc6adb70b06fd4e74ca4f28484446b6fa
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: https://github.com/SELinuxProject/refpolicy/pull/408]
----
- policy/modules/services/wireguard.te | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/services/wireguard.te b/policy/modules/services/wireguard.te
-index 7241f65e6..33fd3c55d 100644
---- a/policy/modules/services/wireguard.te
-+++ b/policy/modules/services/wireguard.te
-@@ -61,10 +61,6 @@ corecmd_exec_shell(wireguard_t)
- 
- domain_use_interactive_fds(wireguard_t)
- 
--# wg-quick can be configured to run iptables and other networking
--# config tools when bringing up/down the wg interfaces
--iptables_domtrans(wireguard_t)
--
- # wg-quick tries to read /proc/filesystem when running "stat" and "mv" commands
- kernel_dontaudit_read_system_state(wireguard_t)
- kernel_dontaudit_search_kernel_sysctl(wireguard_t)
-@@ -75,3 +71,9 @@ miscfiles_read_localization(wireguard_t)
- sysnet_run_ifconfig(wireguard_t, wireguard_roles)
- 
- userdom_use_user_terminals(wireguard_t)
-+
-+# wg-quick can be configured to run iptables and other networking
-+# config tools when bringing up/down the wg interfaces
-+optional_policy(`
-+	iptables_domtrans(wireguard_t)
-+')
--- 
-2.33.0
-

+ 1 - 1
package/refpolicy/refpolicy.hash

@@ -1,5 +1,5 @@
 # From https://github.com/SELinuxProject/refpolicy/releases
-sha256  4d3140d9fbb91322f5de36d73959464ce1d8946dcd149e36fcaf60e92444e902  refpolicy-2.20210908.tar.bz2
+sha256  965f98f0b68a24fd0b8e8d973d319332aea88973e1d6c455ef9c2a31aefaeaa6  refpolicy-2.20220106.tar.bz2
 
 # Locally computed
 sha256  204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994  COPYING

+ 1 - 1
package/refpolicy/refpolicy.mk

@@ -23,7 +23,7 @@ REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
 REFPOLICY_SITE_METHOD = git
 BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE)
 else
-REFPOLICY_VERSION = 2.20210908
+REFPOLICY_VERSION = 2.20220106
 REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
 REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION))
 endif