[openwrt/openwrt] selinux-policy: update to version v2.1

LEDE Commits lede-commits at lists.infradead.org
Sat Feb 22 10:54:07 PST 2025


hauke pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/aba52e092c703023aa35cd9d280e6c56f11851b7

commit aba52e092c703023aa35cd9d280e6c56f11851b7
Author: Dominick Grift <dominick.grift at defensec.nl>
AuthorDate: Thu Jan 16 10:23:12 2025 +0100

    selinux-policy: update to version v2.1
    
    Rebased onto dssp5-base. Baseline is:
    ss, tc, stubby, irqbalance, usbutils, ethtool, tcpdump, mtr,
    bmon, zram-swap, parted, e2fsprogs, gdisk, block-mount,
    kmod-fs-ext4, kmod-fs-f2fs, kmod-usb-storage, f2fs-tools-selinux,
    kmod-usb-storage-uas, kmod-usb3, wireguard-tools,
    openssh-sftp-server, luci-light, resolveip, blockd
    
    Changes since v2.0:
    
    3dcc957 three issues:
    434bad8 /new_root related
    04d18a5 README armsr combined-efi
    506d8c1 /efi is not a thing in armsr combined-efi
    c0db1ed efivarfs remove these filecons
    4eb35b7 adds efivars noseclabelfs for armsr combined-efi
    bbc6a6b adds /dev/ttyS3 to tty serialtermdev
    1467206 README local logins
    6ae3185 rename eficapsulemiscnodedev
    d43ded0 rename to vportserialtermdev
    a47d2f8 fixes virtio port serialtermdev
    03aec70 blockmount: make it a bit more robust
    70f1ed3 hotplugcall not sure what config triggers this
    3338764 boarddetect: i was expecting this
    d97548a deal with /dev/tty and /dev/vcs
    c6ba4a5 adds virtio block device
    d03e216 adds virtio vport serialtermdev for qemu guest agent
    2dc0291 validatefirmwareimage: allow getattr of *all* dev chr files
    fdfb3a7 adds /dev/efi_capsule_loader for armsr combined target
    b129fb9 validatefirmwareimage ordering
    b5e81b4 validatefirmwareimage clean up
    0932dc5 README typo fixes
    a1f88f0 README fix
    e6c68be README typo fixes
    a232c21 hvcloginserialtermdev: macro not used
    d7edd95 support /usr/local and update README
    c0d2947 validatefirmwareimage comment
    7dbc9b3 validatefirmwareimage: allow find to getattr of dev.except char
    f647175 platformtmpfile: elaborate a bit in comment
    52f32c1 reintroduce misc.cil
    320d77f validatefirmwareimage: /lib/upgrade/platform.sh
    365fc65 deal with /efi for combined images
    183b412 adds hvc logserialtermdev
    20cd42a sshdsysagent: limited support for legacy scp -O with firmware images
    1ccee8d validatefirmwareimages: some events related to "combined" images
    9b47fc3 jshn reads /dev/urandom
    f86def7 adds /tmp/log/apk.log
    f1247b3 these are relative to the current namespace
    32c0cc8 hotplugcall qemu virtio-console-helper
    5cc41f5 uclient-fetch for manually downloading sysupgrade related
    c8140bd cgi-io creates firmware and backup atomically
    edf517b factoryreset deal with firstboot compatibility
    f5116b5 pppd: redundant, is implied with shell client type
    86be72c updates README
    8c08ca1 luci-mod-system: a bit of speculation here
    417f4a5 adds /dev/autofs
    1ed537c misc.cil: remove
    01d014a selinuxsecfile: be more specific
    53fca71 rename blockd module
    b4c9b15 ttyloginserialtermdev: ordering
    016c3c1 sysagent traversal of /root is enough
    d0d7c91 hotplugcall: net/00-sysctl
    2821746 adds ttyAMA0 and some incomplete rules for board-detect
    
    Run-tested: ilogic-openwrt_one, ipq40xx-generic-linksys_mr8300
    
    Tested-by: Stefan Hellermann <stefan at the2masters.de>
    Signed-off-by: Dominick Grift <dominick.grift at defensec.nl>
    Link: https://patchwork.ozlabs.org/project/openwrt/patch/20250116092312.1350223-1-dominick.grift@defensec.nl/
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 package/system/selinux-policy/Makefile | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/package/system/selinux-policy/Makefile b/package/system/selinux-policy/Makefile
index 2834e94cc5..8b5e556da3 100644
--- a/package/system/selinux-policy/Makefile
+++ b/package/system/selinux-policy/Makefile
@@ -8,8 +8,8 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=selinux-policy
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://git.defensec.nl/selinux-policy.git
-PKG_VERSION:=1.2.5
-PKG_MIRROR_HASH:=0b485aefed7ecc1ba3c5f5843cb3b10e9d7c55c09b361cd56933081c0dbdc223
+PKG_VERSION:=2.1
+PKG_MIRROR_HASH:=8ab9f734d2a81c8d396afb4f6783c67d31b76c0334bf8e564eb050f98356655b
 PKG_SOURCE_VERSION:=v$(PKG_VERSION)
 PKG_BUILD_DEPENDS:=secilc/host policycoreutils/host
 
@@ -44,10 +44,14 @@ endef
 define Package/selinux-policy/install
 	$(INSTALL_DIR) $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
 	$(INSTALL_DIR) $(1)/etc/selinux/$(PKG_NAME)/policy/
+	$(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.* $(1)/etc/selinux/$(PKG_NAME)/policy/
 	$(INSTALL_DATA) $(PKG_BUILD_DIR)/customizable_types $(1)/etc/selinux/$(PKG_NAME)/contexts/
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts.subs_dist $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/default_contexts $(1)/etc/selinux/$(PKG_NAME)/contexts/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/default_type $(1)/etc/selinux/$(PKG_NAME)/contexts/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/failsafe_context $(1)/etc/selinux/$(PKG_NAME)/contexts/
 	$(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
-	$(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.* $(1)/etc/selinux/$(PKG_NAME)/policy/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/file_contexts.subs_dist $(1)/etc/selinux/$(PKG_NAME)/contexts/files/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/seusers $(1)/etc/selinux/$(PKG_NAME)/
 	$(INSTALL_DATA) ./files/selinux-config $(1)/etc/selinux/config
 endef
 
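Review bot: The four files newly installed by `Package/selinux-policy/install` (`default_contexts`, `default_type`, `failsafe_context`, `seusers`) carry no comment on why they ship, although they are the files libselinux reads when it assigns a login session its context. Dropping or misplacing one in a later edit would not fail the build, but could change how logins are confined on the device. A comment above the `define` would record that, for example `# seusers, default_contexts, default_type, failsafe_context: login-to-context mapping read by libselinux`. Separately, the moved line `$(INSTALL_CONF) $(PKG_BUILD_DIR)/policy.* ...` copies whatever the glob matches. If the build directory can ever hold more than one compiled policy, all of them land in the image, so naming the expected file or checking for a single match would be tighter.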



