[openwrt/openwrt] selinux-policy: update to version 1.2.3

LEDE Commits lede-commits at lists.infradead.org
Sat May 21 14:27:18 PDT 2022


dangole pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/e01b1c22dfb669abb0ad14c83ec9b3e35ff3d15c

commit e01b1c22dfb669abb0ad14c83ec9b3e35ff3d15c
Author: Dominick Grift <dominick.grift at defensec.nl>
AuthorDate: Thu May 19 18:50:16 2022 +0200

    selinux-policy: update to version 1.2.3
    
    86ca9c6 devstatus: prints to terminal
    95de949 deal with /rom/dev/console label inconsistencies
    ab6b6ee uci: hack to deal with potentially mislabeled char files
    acf9172 dnsmasq this can't be right
    021db5b luci-app-tinyproxy
    cf3a9c4 support/secmark: removes duplicate loopback rules
    eeb2610 dhcp servers: recv dhcp client packets
    d5a5fc3 more support/secmark "fixes"
    35d8604 update support secmark
    4c155c0 packets these were caused by labeling issues with loopback
    fad35a5 nftables reads routing table
    f9c5a04 umurmur: kill an mumur instance that does not run as root
    10a10c6 mmc stordev make this consistent
    ab3ec5b Makefile: sort with LC_ALL=C
    b34eaa5 fwenv rules
    8c2960f adds rfkill nodedev and some mmc partitions to stordev
    5a9ffe9 rcboot runs fwenv with a transition
    9954bf6 dnsmasq in case of tcp
    ab66468 dnsmasq try this
    5bfcb88 dnsmasq stubby not sure why this is happening
    863f549 luci not sure why it recv and send server packets
    d5cddb0 uhttpd sends sigkill luci cgi
    44cc04d stubby: it does not maintain anything in there
    db730b4 Adds stubby
    ccbcf0e tor simplify network access
    a308065 tor basic
    a9c0163 znc loose ends
    327a9af acme: allow acme_cleanup.sh to restart znc
    4015614 basic znc
    7ef14a2 support/secmark: clarify some things
    3107afe README: todo qrencode
    943035a README and secmark doc
    4c90937 ttyd: fix that socket leak again
    3239adf dnsmasq icmp packets and fix a tty leak issue
    b41d38f Makefile: optimize
    95d05b1 sandbox dontaudit ttyd leak
    0b7d670 rpcd: reads mtu
    e754bf1 opkg-lists try this
    35fb530 opkg-lists: custom
    4328754 opkg try to address mislabeled /tmp/opkg-lists
    3e2385c rcnftqos
    95eae2d ucode
    c86d366 luci diagnostics
    e10b443 rpcd packets and wireguard/luci
    a25e020 igmpproxt packets
    0106f00 luci
    dcef79c nftqos related
    3c9bc90 related to nft-qos and luci
    f8502d4 dnsmasq more related to /usr/lib/dnsmasq/dhcp-script.sh
    29a4271 dnsmasq: related to /usr/lib/dnsmasq/dhcp-script.sh
    0c5805a some nft-qos
    1100b41 adds a label for /tmp/.ujailnoafile
    e141a83 initscript: i labeled ujail procd.execfile
    a3b0302 Makefile: adds a default target + packets target
    6a3f8ef label usign as opkg and label fwtool and sysupgrade
    04d1cc7 sysupgrade: i meant don't do the fc spec
    763bec0 sysupgrade: dont do /tmp/sysupgrade.img
    af2306f adds a failsafe.tmpfile and labels validate_firmware_image
    5b15760 fwenv: comment doesnt make sense
    370ac3b fwenv: executes shell
    67e3fcb fwenv: adds fw_setsys
    544d211 adds procd execfile module to label procd related exec files
    99d5f13 rclocalconffile: treat /etc/rc.button like /etc/rc.local
    4dfd662 label uclient-fetch the same as wget
    75d8212 osreleasemiscfile: adds /etc/device_info
    0c1f116 adds a rcbuttonconffile for /etc/rc.button (base-files)
    ccd23f8 adds a syslog.conffile for /etc/syslog.conf (busybox)
    f790600 adds a libattr.conffile for /etc/xattr.conf
    fcc028e fwenv: adds fwsys
    1255470 xtables: various iptables alternatives
    a7c4035 Revert "sqm: runs xtables, so also allow nftables"
    0d331c3 sqm: runs xtables, so also allow nftables
    f34076b acme: will run nftables in the near future
    6217046 allow ssl.read types to read /tmp/etc/ssl/engines.cnf
    d0deea3 fixes dns packets
    8399efc Revert "sandbox: see if dontauditing this affects things"
    73d716a sandbox: see if dontauditing this affects things
    b5ee097 sandbox: also allow readinherited dropbear pipes
    12ee46b iwinfo traverses /tmp/run/wpa_supplicant
    4a4d724 agent.cil: also reads inherited dropbear pipes
    d48013f support/secmark: i tightened my dns packet policy
    645ad9e dns packets redone
    4790b25 dnsnetpacket: fix obj macro template
    d9fafff redo dns packets
    0a68498 ttyd: leaks a netlink route socket
    1d2e6be .gitattributes: remove todo
    e1bb954 usbutil: reads bus sysfile symlinks
    d275a32 support/secmark: clean it up a little
    af5ce12 Makefile: exclude packet types in default make target
    3caacdf support/secmark: document tunable/boolean
    e3dd3e6 invalidpacketselinuxbool: make it build-time again
    54f0ccf odhcpd packet fix
    4a864ba contrib/secmark: add a big FAT warning
    bead937 contrib/secmark: adds note about secmark support
    146ae16 netpacket remove test
    2ce9899 dns packets, odhcp6c raw packet, 4123 ntpnts for netnod
    070a45f chrony and unbound packets
    eba894f rawip socket packets cannot be labeled
    656ae0b adds isakmp (500), ipsec-nat-t (4500) and rawip packet types
    35325db adds igmp packet type
    5cf444c adds icmp packet type
    2e41304 sandbox some more packet access for sandbox net
    12caad6 packet accesses
    b8eb9a8 adds a trunkload of packet types
    a42a336 move rules related to invalid netpeers and ipsec associations
    a9e40e0 xtables/nftables allow relabelto all packet types
    aa5a52c README: adds item to wish list
    3a96eec experiment: simple label based packet filtering
    26d6f95 nftables reads/writes fw pipes
    
    Signed-off-by: Dominick Grift <dominick.grift at defensec.nl>
---
 package/system/selinux-policy/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/system/selinux-policy/Makefile b/package/system/selinux-policy/Makefile
index 10eff7be57..bcf6b4a3c2 100644
--- a/package/system/selinux-policy/Makefile
+++ b/package/system/selinux-policy/Makefile
@@ -8,8 +8,8 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=selinux-policy
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://git.defensec.nl/selinux-policy.git
-PKG_VERSION:=1.1
-PKG_MIRROR_HASH:=657ec1ff51ab946753fb3559384511a536ac1e018691f3e49cbab21c55d23e08
+PKG_VERSION:=1.2.3
+PKG_MIRROR_HASH:=ff1ddca168a6631aeac34352657f424bc4acf5d50b8aa7ff8dfa8c9663ba8538
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=secilc/host policycoreutils/host
 
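Review bot: PKG_SOURCE_VERSION:=v$(PKG_VERSION), in the unchanged context right after the bumped lines, still resolves to a git tag on git.defensec.nl, so the new PKG_MIRROR_HASH is the only value in this hunk that ties the build to specific policy content. A tag can be moved upstream after the fact. Consider pinning PKG_SOURCE_VERSION to the full commit id that v1.2.3 points to, and noting in the commit message how the new hash was produced so a second person can reproduce it. The jump from 1.1 to 1.2.3 also pulls in entries the changelog itself marks as tentative ("acf9172 dnsmasq this can't be right", "3a96eec experiment: simple label based packet filtering") and a broad one ("a9e40e0 xtables/nftables allow relabelto all packet types"). A sentence in the message on whether the secmark packet rules are active in the default build would help reviewers judge the policy change behind this two-line diff.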



