SELinux status report and call to action

2021-01-12 Thread Dominick Grift
gpg --locate-keys dominick.gr...@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.

Re: SELinux status report and call to action

2021-01-13 Thread Dominick Grift
On 1/12/21 6:27 PM, Dominick Grift wrote: > > Community, > > Optional SELinux support has been added to OpenWrt for a while now and I > gave a talk about the status at "Battle of the meshes 13th edition". > > There was a comment mentioning that there was an

Re: SELinux status report and call to action

2021-01-13 Thread Dominick Grift
On 1/13/21 5:42 PM, David Lang wrote: > OpenWRT uses different commands than other distros for manipulating > configs, so those different programs are going to need to be given > appropriate permissions. UCI should already be addressed barring any loose ends (LuCI coverage is still rough though)

[PATCH 2/5] libselinux: update to version 3.2

2021-03-06 Thread Dominick Grift
Signed-off-by: Dominick Grift --- package/libs/libselinux/Makefile | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/package/libs/libselinux/Makefile b/package/libs/libselinux/Makefile index 5fe745d004..0c5f9baceb 100644 --- a/package/libs/libselinux/Makefile +++ b

[PATCH 5/5] secilc: update to version 3.2

2021-03-06 Thread Dominick Grift
Signed-off-by: Dominick Grift --- package/utils/checkpolicy/Makefile | 6 +++--- package/utils/secilc/Makefile | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package/utils/checkpolicy/Makefile b/package/utils/checkpolicy/Makefile index 8def9ea65d..206bf201c0

[PATCH 3/5] libsemanage: update to version 3.2

2021-03-06 Thread Dominick Grift
Signed-off-by: Dominick Grift --- package/libs/libsemanage/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/libsemanage/Makefile b/package/libs/libsemanage/Makefile index 79b492d0d3..ff1519f14e 100644 --- a/package/libs/libsemanage/Makefile +++ b

[PATCH 1/5] libsepol: update to version 3.2

2021-03-06 Thread Dominick Grift
Signed-off-by: Dominick Grift --- package/libs/libsepol/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/libsepol/Makefile b/package/libs/libsepol/Makefile index 8ceb7164a7..c7950a9ba0 100644 --- a/package/libs/libsepol/Makefile +++ b/package/libs

[PATCH 0/5] selinux: update to version 3.2

2021-03-06 Thread Dominick Grift
Tested on: OPENWRT_BOARD="mvebu/cortexa9" OPENWRT_RELEASE="OpenWrt SNAPSHOT r16130+5-9397b22df1" OPENWRT_ARCH="arm_cortex-a9_vfpv3-d16" OPENWRT_TAINTS="no-all" Linux OpenWrt 5.10.20 #0 SMP Sat Mar 6 15:31:22 2021 armv7l GNU/Linux Dominick Grift (5): libs

[PATCH 4/5] policycoreutils: update to version 3.2

2021-03-06 Thread Dominick Grift
Signed-off-by: Dominick Grift --- package/utils/policycoreutils/Makefile | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/package/utils/policycoreutils/Makefile b/package/utils/policycoreutils/Makefile index ec55a3d8ee..da4976457c 100644 --- a/package/utils

[PATCH 4/5 V2] policycoreutils: update to version 3.2

2021-03-06 Thread Dominick Grift
ABORT_ON_ERRORS and related code 9207823c setfiles: Do not abort on labeling error c064d214 selinux_config(5): add a note that runtime disable is deprecated 8bc865e1 newrole: support cross-compilation with PAM and audit ba2d6c10 fixfiles: correctly restore context of mountpoints Signed-off-by: Dominick

[PATCH 2/5 V2] libselinux: update to version 3.2

2021-03-06 Thread Dominick Grift
selinux_status_updated() 9e4480b9 libselinux: Remove trailing slash on selabel_file lookups. 21fb5f20 libselinux: use full argument specifiers for security_check_context in man page e7abd802 libselinux: fix build order 05bdc031 libselinux: use kernel status page by default Signed-off-by: Dominick Grift

[PATCH 0/5 V2] selinux: update to version 3.2

2021-03-06 Thread Dominick Grift
Tested on: OPENWRT_BOARD="mvebu/cortexa9" OPENWRT_RELEASE="OpenWrt SNAPSHOT r16130+5-9397b22df1" OPENWRT_ARCH="arm_cortex-a9_vfpv3-d16" OPENWRT_TAINTS="no-all" Linux OpenWrt 5.10.20 #0 SMP Sat Mar 6 15:31:22 2021 armv7l GNU/Linux Dominick Grift (5): libs

[PATCH 3/5 V2] libsemanage: update to version 3.2

2021-03-06 Thread Dominick Grift
n c08b73d7 libsemanage: Drop deprecated functions b46406de libsemanage: Remove legacy and duplicate symbols Signed-off-by: Dominick Grift --- Changes in V2: adds commit message package/libs/libsemanage/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/l

[PATCH 1/5 V2] libsepol: update to version 3.2

2021-03-06 Thread Dominick Grift
sepol/cil: Validate conditional expressions before adding to binary policy 685f577a libsepol/cil: Validate constraint expressions before adding to binary policy 8206b8cb libsepol: implement POLICYDB_VERSION_COMP_FTRANS 42ae834a libsepol,checkpolicy: optimize storage of filename transitions Signed-off-by:

[PATCH 5/5 V2] secilc: update to version 3.2

2021-03-06 Thread Dominick Grift
cil_access_vector_rules: allowx, auditallowx and dontauditx fixes 9e9b8103 secilc/docs: document expandtypeattribute fbe1e526 Update the cil docs to match the current behaviour. Signed-off-by: Dominick Grift --- Changes in V2: adds commit message package/utils/checkpolicy/Makefile | 6 +++--- package

[PATCH 2/6 V3] libselinux: update to version 3.2

2021-03-06 Thread Dominick Grift
selinux_status_updated() 9e4480b9 libselinux: Remove trailing slash on selabel_file lookups. 21fb5f20 libselinux: use full argument specifiers for security_check_context in man page e7abd802 libselinux: fix build order 05bdc031 libselinux: use kernel status page by default Signed-off-by: Dominick Grift

[PATCH 3/6 V3] libsemanage: update to version 3.2

2021-03-06 Thread Dominick Grift
n c08b73d7 libsemanage: Drop deprecated functions b46406de libsemanage: Remove legacy and duplicate symbols Signed-off-by: Dominick Grift --- Changes in V3: no changes package/libs/libsemanage/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/libsemanag

[PATCH 1/6 V3] libsepol: update to version 3.2

2021-03-06 Thread Dominick Grift
sepol/cil: Validate conditional expressions before adding to binary policy 685f577a libsepol/cil: Validate constraint expressions before adding to binary policy 8206b8cb libsepol: implement POLICYDB_VERSION_COMP_FTRANS 42ae834a libsepol,checkpolicy: optimize storage of filename transitions Signed-off-by:

[PATCH 0/6 V3] selinux: update to version 3.2

2021-03-06 Thread Dominick Grift
Tested on: OPENWRT_BOARD="mvebu/cortexa9" OPENWRT_RELEASE="OpenWrt SNAPSHOT r16130+5-9397b22df1" OPENWRT_ARCH="arm_cortex-a9_vfpv3-d16" OPENWRT_TAINTS="no-all" Linux OpenWrt 5.10.20 #0 SMP Sat Mar 6 15:31:22 2021 armv7l GNU/Linux Dominick Grift (6): libs

[PATCH 4/6 V3] policycoreutils: update to version 3.2

2021-03-06 Thread Dominick Grift
ABORT_ON_ERRORS and related code 9207823c setfiles: Do not abort on labeling error c064d214 selinux_config(5): add a note that runtime disable is deprecated 8bc865e1 newrole: support cross-compilation with PAM and audit ba2d6c10 fixfiles: correctly restore context of mountpoints Signed-off-by: Dominick

[PATCH 6/6 V3] checkpolicy: update to version 3.2

2021-03-06 Thread Dominick Grift
521e6a2f libsepol/cil: fix signed overflow caused by using (1 << 31) - 1 42ae834a libsepol,checkpolicy: optimize storage of filename transitions Signed-off-by: Dominick Grift --- Changes in V3: split from secilc update to version 3.2 package/utils/checkpolicy/Makefile | 6 +++---

[PATCH 5/6 V3] secilc: update to version 3.2

2021-03-06 Thread Dominick Grift
cil_access_vector_rules: allowx, auditallowx and dontauditx fixes 9e9b8103 secilc/docs: document expandtypeattribute fbe1e526 Update the cil docs to match the current behaviour. Signed-off-by: Dominick Grift --- Changes in v3: split out checkpolicy update to version 3.2 package/utils/secilc/Makefile

[PATCH 0/6 V4] selinux: update to version 3.2

2021-03-06 Thread Dominick Grift
Tested on: OPENWRT_BOARD="mvebu/cortexa9" OPENWRT_RELEASE="OpenWrt SNAPSHOT r16130+5-9397b22df1" OPENWRT_ARCH="arm_cortex-a9_vfpv3-d16" OPENWRT_TAINTS="no-all" Linux OpenWrt 5.10.20 #0 SMP Sat Mar 6 15:31:22 2021 armv7l GNU/Linux Dominick Grift (6): libs

[PATCH 4/6 V4] policycoreutils: update to version 3.2

2021-03-06 Thread Dominick Grift
ABORT_ON_ERRORS and related code 9207823c setfiles: Do not abort on labeling error c064d214 selinux_config(5): add a note that runtime disable is deprecated 8bc865e1 newrole: support cross-compilation with PAM and audit ba2d6c10 fixfiles: correctly restore context of mountpoints Signed-off-by: Dominick

[PATCH 1/6 V4] libsepol: update to version 3.2

2021-03-06 Thread Dominick Grift
sepol/cil: Validate conditional expressions before adding to binary policy 685f577a libsepol/cil: Validate constraint expressions before adding to binary policy 8206b8cb libsepol: implement POLICYDB_VERSION_COMP_FTRANS 42ae834a libsepol,checkpolicy: optimize storage of filename transitions Signed-off-by:

[PATCH 2/6 V4] libselinux: update to version 3.2

2021-03-06 Thread Dominick Grift
selinux_status_updated() 9e4480b9 libselinux: Remove trailing slash on selabel_file lookups. 21fb5f20 libselinux: use full argument specifiers for security_check_context in man page e7abd802 libselinux: fix build order 05bdc031 libselinux: use kernel status page by default Signed-off-by: Dominick Grift

[PATCH 3/6 V4] libsemanage: update to version 3.2

2021-03-06 Thread Dominick Grift
n c08b73d7 libsemanage: Drop deprecated functions b46406de libsemanage: Remove legacy and duplicate symbols Signed-off-by: Dominick Grift --- Changes in V4: none package/libs/libsemanage/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/libsemanage/M

[PATCH 6/6 V4] checkpolicy: update to version 3.2

2021-03-06 Thread Dominick Grift
521e6a2f libsepol/cil: fix signed overflow caused by using (1 << 31) - 1 42ae834a libsepol,checkpolicy: optimize storage of filename transitions Signed-off-by: Dominick Grift --- Changes in V4: none package/utils/checkpolicy/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 del

[PATCH 5/6 v4] secilc: update to version 3.2

2021-03-06 Thread Dominick Grift
cil_access_vector_rules: allowx, auditallowx and dontauditx fixes 9e9b8103 secilc/docs: document expandtypeattribute fbe1e526 Update the cil docs to match the current behaviour. Signed-off-by: Dominick Grift --- Changes in V4: none package/utils/secilc/Makefile | 6 +++--- 1 file changed, 3 insertions

[PATCH] selinux-policy: update to version v0.8

2021-03-14 Thread Dominick Grift
on b851df6 squid fix 8c55acd squid: adds certfile and allow connect http but... b7c1f6d Makefile: exclude tinyproxy from mintesttgt (using squid) 5ff39bd squid: forgot about luci 5366c97 squid/rcsquid some basic fill in 8743da6 squid skeleton 687a43b adds squid 3128 port to httpproxy port Signed-off-by

SELinux updates

2021-10-22 Thread Dominick Grift
New upstream release 3.3 libsepol, libselinux, libsemanage, checkpolicy, policycoreutils, secilc.

[PATCH 1/6] libsepol: update to version 3.3

2021-10-22 Thread Dominick Grift
xpand role attributes in constraint expressions Signed-off-by: Dominick Grift --- package/libs/libsepol/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/libsepol/Makefile b/package/libs/libsepol/Makefile index c7950a9ba0..87f1ccd917 100644 --- a/package/l

[PATCH 5/6] policycoreutils: update to version 3.3

2021-10-22 Thread Dominick Grift
file Signed-off-by: Dominick Grift --- package/utils/policycoreutils/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/utils/policycoreutils/Makefile b/package/utils/policycoreutils/Makefile index 249c2afb94..f724deda97 100644 --- a/package/utils

[PATCH 2/6] libselinux: update to version 3.3

2021-10-22 Thread Dominick Grift
libselinux: do not duplicate make target when going into subdirectory Signed-off-by: Dominick Grift --- package/libs/libselinux/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/libselinux/Makefile b/package/libs/libselinux/Makefile index 0c5f9baceb

[PATCH 4/6] checkpolicy: update to version 3.3

2021-10-22 Thread Dominick Grift
checkpolicy: drop -pipe compile option checkpolicy: pass CFLAGS at link stage checkpolicy: silence -Wextra-semi-stmt warning checkpolicy: Do not automatically upgrade when using "-b" flag libsepol/checkpolicy: Set user roles using role value instead of dominance Signed-off-by: Domi

[PATCH 3/6] libsemanage: update to version 3.3

2021-10-22 Thread Dominick Grift
warning libsemanage: fix use-after-free in parse_module_store() Signed-off-by: Dominick Grift --- package/libs/libsemanage/Makefile | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/package/libs/libsemanage/Makefile b/package/libs/libsemanage/Makefile index 2fde14c06c

[PATCH 6/6] secilc: update to version 3.3

2021-10-22 Thread Dominick Grift
ts.md: fix expr definition secilc/docs: Lists are now allowed in constraint expressions Signed-off-by: Dominick Grift --- package/utils/secilc/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/utils/secilc/Makefile b/package/utils/secilc/Makefile index 7ed22

[PATCH] selinux-policy: update to version 1.0

2021-10-22 Thread Dominick Grift
workflows adds a note about persistent /var option project moved to https://github.com/DefenSec/selinux-policy Signed-off-by: Dominick Grift --- package/system/selinux-policy/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/system/selinux-policy/Makefile

[PATCH] selinux-policy: update to version 1.1

2022-04-16 Thread Dominick Grift
workflows workflow use selinux 3.3 project moved back to https://git.defensec.nl/selinux-policy.git Signed-off-by: Dominick Grift --- package/system/selinux-policy/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/system/selinux-policy/Makefile b/pack

[PATCH] Addresses sed in-place without SELinux awareness

2022-05-01 Thread Dominick Grift
sed(1) in busybox does not support this functionality: https://git.savannah.gnu.org/cgit/sed.git/tree/sed/execute.c#n598 This causes /etc/group to become mislabeled when a package requests that a uid/gid be added on OpenWrt with SELinux Signed-off-by: Dominick Grift --- package/base-files

[PATCH v2] Addresses sed in-place without SELinux awareness

2022-05-01 Thread Dominick Grift
sed(1) in busybox does not support this functionality: https://git.savannah.gnu.org/cgit/sed.git/tree/sed/execute.c#n598 This causes /etc/group to become mislabeled when a package requests that a uid/gid be added on OpenWrt with SELinux Signed-off-by: Dominick Grift --- v2: fixes missing

[PATCH] Adds pcre2 to base

2022-05-19 Thread Dominick Grift
targets. 900921f Minor improvement for s390x SIMD. 1951243 JIT compiler update Signed-off-by: Dominick Grift --- Build tested on IP40xx Once pcre2 makes it to base: 1. Remove pcre2 from packages feed 2. Update SELinux to version 3.4 in base 3. Add pcre to packages feed 4. Remove pcre from base pa

[PATCH 2/4] pcre2: use official mirror

2022-05-19 Thread Dominick Grift
the mirror on sourceforge is not official and it is no longer maintained Signed-off-by: Dominick Grift --- package/libs/pcre2/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/libs/pcre2/Makefile b/package/libs/pcre2/Makefile index 4e75a1cda9..98910bb3ef

pcre2: preparation for libselinux-3.4

2022-05-19 Thread Dominick Grift
libselinux-3.4 added a change to encourage using pcre2 instead of pcre. pcre has been unmaintained for quite some time but libselinux defaulted to using that for compatibility. Now libselinux-3.4 defaults to pcre2. This set adds pcre2 to base, changes to official pcre2 upstream, updates pcre2

[PATCH 3/4] pcre2: update to version 10.40

2022-05-19 Thread Dominick Grift
tition issues in JIT. 3d80cf5 Add s390x to JIT targets. 900921f Minor improvement for s390x SIMD. 1951243 JIT compiler update Signed-off-by: Dominick Grift --- package/libs/pcre2/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/pcre2/Makefile b/packag

[PATCH 1/4] pcre2: adds pcre2 to base

2022-05-19 Thread Dominick Grift
libselinux-3.4 requires pcre2 Signed-off-by: Dominick Grift --- package/libs/pcre2/Config.in | 30 package/libs/pcre2/Makefile | 92 2 files changed, 122 insertions(+) create mode 100644 package/libs/pcre2/Config.in create mode 100644 package

[PATCH 4/4] pcre2: for libeselinux

2022-05-19 Thread Dominick Grift
libselinux-3.4 uses pcre2 Signed-off-by: Dominick Grift --- package/libs/pcre2/Makefile | 5 + 1 file changed, 5 insertions(+) diff --git a/package/libs/pcre2/Makefile b/package/libs/pcre2/Makefile index e9d43c3d24..923387b361 100644 --- a/package/libs/pcre2/Makefile +++ b/package/libs

Re: [PATCH] Adds pcre2 to base

2022-05-19 Thread Dominick Grift
Dominick Grift writes: > In preparation for libselinux-3.4 (libselinux-3.4 requires pcre2) Please ignore this patch. > > Changes pcre2 upstream from sourceforge to github because sf is an unofficial > mirror that is no longer maintained > Updates pcre2 to version 10.40 > >

[PATCH] selinux-policy: update to version 1.2.3

2022-05-19 Thread Dominick Grift
kload of packet types a42a336 move rules related to invalid netpeers and ipsec associations a9e40e0 xtables/nftables allow relabelto all packet types aa5a52c README: adds item to wish list 3a96eec experiment: simple label based packet filtering 26d6f95 nftables reads/writes fw pipes Signed-off-by: Dom

Re: [PATCH 1/4] pcre2: adds pcre2 to base

2022-05-19 Thread Dominick Grift
Daniel Golle writes: > On Thu, May 19, 2022 at 06:37:28PM +0200, Dominick Grift wrote: >> libselinux-3.4 requires pcre2 >> >> Signed-off-by: Dominick Grift >> --- >> package/libs/pcre2/Config.in | 30 >> package/libs/pcre2/Makefile | 92 +++

SELinux 3-4

2022-05-19 Thread Dominick Grift
libselinux-3.4 requires pcre2. I submitted a patch set for that. This should wait until that is in.

[PATCH 4/8] checkpolicy: update to version 3.4

2022-05-19 Thread Dominick Grift
checkpolicy: use correct unsigned format specifiers Signed-off-by: Dominick Grift --- package/utils/checkpolicy/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/utils/checkpolicy/Makefile b/package/utils/checkpolicy/Makefile index e9c10e293f..1e7cfbe541 100644

[PATCH 2/8] libselinux: update to version 3.4

2022-05-19 Thread Dominick Grift
to silence glibc 2.34 warnings Signed-off-by: Dominick Grift --- package/libs/libselinux/Makefile | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/package/libs/libselinux/Makefile b/package/libs/libselinux/Makefile index 6bda72b5de..9a485157b8 100644 --- a

[PATCH 3/8] libsemanage: update to version 3.4

2022-05-19 Thread Dominick Grift
7e30a10b Use IANA-managed domain example.com in examples fe01a91a libsemanage/tests: free memory ea539017 libsemanage: do not sort empty records Signed-off-by: Dominick Grift --- package/libs/libsemanage/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs

[PATCH 1/8] libsepol: update to version 3.4

2022-05-19 Thread Dominick Grift
erals as format strings f95dbf2c libsepol: avoid passing NULL pointer to memcpy b98d3c4c libsepol: do not pass NULL to memcpy Signed-off-by: Dominick Grift --- package/libs/libsepol/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/libsepol/Makefile

[PATCH 6/8] secilc: update to version 3.4

2022-05-19 Thread Dominick Grift
language is infix 03b1dcac secilc/docs: Document the optional file type for genfscon rules Signed-off-by: Dominick Grift --- package/utils/secilc/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/utils/secilc/Makefile b/package/utils/secilc/Makefile index

[PATCH 5/8] policycoreutils: update to version 3.4

2022-05-19 Thread Dominick Grift
e semodule: add -m | --checksum option 93902fc8 setfiles/restorecon: support parallel relabeling 081ac391 policycoreutils: mark local functions static fb68d036 policycoreutils: use string literal as format strings Signed-off-by: Dominick Grift --- package/utils/policycoreutils/Makefile | 4 ++--

Re: [PATCH 1/4] pcre2: adds pcre2 to base

2022-05-20 Thread Dominick Grift
Dominick Grift writes: > Daniel Golle writes: > >> On Thu, May 19, 2022 at 06:37:28PM +0200, Dominick Grift wrote: >>> libselinux-3.4 requires pcre2 >>> >>> Signed-off-by: Dominick Grift >>> --- >>> package/libs/pcre2/Config.in

Re: [PATCH 1/4] pcre2: adds pcre2 to base

2022-05-20 Thread Dominick Grift
Rui Salvaterra writes: > On Thu, 19 May 2022 at 18:35, Daniel Golle wrote: >> >> On Thu, May 19, 2022 at 06:37:28PM +0200, Dominick Grift wrote: >> > libselinux-3.4 requires pcre2 >> > >> > Signed-off-by: Dominick Grift >>

[PATCH] selinux-policy: update to version v2.0

2025-01-12 Thread Dominick Grift
-light, resolveip, blockd Run-tested: ilogic-openwrt_one, ipq40xx-generic-linksys_mr8300 Signed-off-by: Dominick Grift --- package/system/selinux-policy/Makefile | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/package/system/selinux-policy/Makefile b/package

Re: [PATCH] selinux-policy: update to version v2.0

2025-01-12 Thread Dominick Grift
ee: https://git.defensec.nl/?p=selinux-policy.git;a=commitdiff;h=2821746844669ab2f5cce94fd42eb3d158f16e5c See if you can make that hotplug script work with the info provided above. If any questions let me know. As for moving files from one filesystem to another. Probably best to just cp instead of mv.

Re: [PATCH] selinux-policy: update to version v2.0

2025-01-12 Thread Dominick Grift
Dominick Grift writes: > Hi, Thank you for feedback. Comments inline below: > > Stefan Hellermann writes: > >> audit(1736704702.290:4): avc:  denied  { associate } for  pid=1010 >> comm="mv" name="sysupgrade.tgz" scontext=sys.id:sys.role:dos.fs

Re: [PATCH] selinux-policy: update to version v2.0

2025-01-14 Thread Dominick Grift
Dominick Grift writes: > Stefan Hellermann writes: > >> Hi! Thank you for your really fast changes! > > Thank you for your feedback. It is appreciated. Comments below: > >> >> With your last commit f86def7e there are 3 new errors for /dev/urandom: >> >

Re: [PATCH] selinux-policy: update to version v2.0

2025-01-13 Thread Dominick Grift
> tcontext=sys.id:sys.role:hwrng.nodedev tclass=chr_file permissive=1 I will look into adding rules for some of these validate-firmware-image related events. Not sure what is happening there with "image.bs" ... Thanks > > This is all done on a fresh openwrt checkout, I adde

Re: [PATCH] selinux-policy: update to version v2.0

2025-01-14 Thread Dominick Grift
Dominick Grift writes: > Dominick Grift writes: > >> Stefan Hellermann writes: >> >>> Hi! Thank you for your really fast changes! >> >> Thank you for your feedback. It is appreciated. Comments below: >> >>> >>> With yo

Re: [PATCH] selinux-policy: update to version v2.0

2025-01-14 Thread Dominick Grift
nk } for  pid=3459 comm="rm" name="image.bs" dev="tmpfs" ino=96 > scontext=sys.id:sys.role:validatefirmwareimage.subj > tcontext=sys.id:sys.role:tmp.fs tclass=file permissive=1 > [   87.255570] audit: type=1400 audit(1736811847.370:53): avc: denied  > { getattr } f

Re: [PATCH] selinux-policy: update to version v2.0

2025-01-14 Thread Dominick Grift
Dominick Grift writes: > Dominick Grift writes: > >> Stefan Hellermann writes: >> >>> Hi! Thank you for your really fast changes! >> >> Thank you for your feedback. It is appreciated. Comments below: >> >>> >>> With yo

Re: [PATCH] selinux-policy: update to version v2.0

2025-01-13 Thread Dominick Grift
Dominick Grift writes: > Dominick Grift writes: > >> Hi, Thank you for feedback. Comments inline below: >> >> Stefan Hellermann writes: >> > > > >>> audit(1736704702.290:4): avc:  denied  { associate } for  pid=1010 >>> comm="

Help test selinux-policy v2 on your openwrt one

2025-01-05 Thread Dominick Grift
= FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift Mastodon: @kcini...@defensec.nl

[PATCH] selinux-policy: update to version v2.1

2025-01-16 Thread Dominick Grift
e, ipq40xx-generic-linksys_mr8300 Tested-by: Stefan Hellermann Signed-off-by: Dominick Grift --- package/system/selinux-policy/Makefile | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/package/system/selinux-policy/Makefile b/package/system/selinux-policy/Make

[PATCH 6/6] checkpolicy: update to version 3.8.1

2025-03-28 Thread Dominick Grift
kpolicy: reject condition with bool and tunable in expression 2d5f97b8 checkpolicy: drop unused token CLONE b7b32cf4 checkpolicy/dispol: add output functions d213d80f checkpolicy: rename bool identifiers 513fc157 checkpolicy: update cond_expr_t struct member name 6f7b0ee6 checkpolicy: add not-self

[PATCH 5/6] secilc: update to version 3.8.1

2025-03-28 Thread Dominick Grift
secilc/test: Add notself and other tests ed8f4a95 secilc/docs: Add notself and other keywords to CIL documentation 04613f68 secilc: add check for malloc in secilc Signed-off-by: Dominick Grift --- package/utils/secilc/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a

[PATCH 3/6] libsemanage: update to version 3.8.1

2025-03-28 Thread Dominick Grift
the module checksum Signed-off-by: Dominick Grift --- package/libs/libsemanage/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/libsemanage/Makefile b/package/libs/libsemanage/Makefile index 9ebf9a6f21..4811af508b 100644 --- a/package/libs/libsemanage

[PATCH 2/6] libselinux: update to version 3.8.1

2025-03-28 Thread Dominick Grift
ip installation Signed-off-by: Dominick Grift --- package/libs/libselinux/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/libselinux/Makefile b/package/libs/libselinux/Makefile index f90d4993c8..9f65f5bf65 100644 --- a/package/libs/libselinux/Makefile +++

[PATCH 1/6] libsepol: update to version 3.8.1

2025-03-28 Thread Dominick Grift
libsepol/tests: rename bool indentifiers 61f21385 libsepol: rename struct member e9072e7d libsepol/tests: add tests for minus self neverallow rules 4a43831f libsepol/tests: add tests for not self neverallow rules ec78788c libsepol: Add not self support for neverallow rules Signed-off-by: Domin

[PATCH 4/6] policycoreutils: update to version 3.8.1

2025-03-28 Thread Dominick Grift
: update my email f189e8af libselinux,policycoreutils,python,semodule-utils: de-brand SELinux c5581864 setsebool: drop unnecessary linking against libsepol 4c6a339e setsebool: improve bash-completion script e867c95b policycoreutils: Add examples to man pages Signed-off-by: Dominick Grift --- package

[PATCH] selinux-policy: update to version v2.6

2025-03-15 Thread Dominick Grift
a07 README updates 0cc10ff vdastordev: adds one more partition 3867574 blkid adds alternative --cache-file 009b441 blkid run file f9b75d0 README: adds blkid to baseline Run-tested: mediatek-filogic-bananapi_bpi-r4 Signed-off-by: Dominick Grift --- feeds.conf.default | 1 + pack

[PATCH] selinux-policy: update to version v2.6

2025-03-15 Thread Dominick Grift
a07 README updates 0cc10ff vdastordev: adds one more partition 3867574 blkid adds alternative --cache-file 009b441 blkid run file f9b75d0 README: adds blkid to baseline Run-tested: mediatek-filogic-bananapi_bpi-r4 Signed-off-by: Dominick Grift --- package/system/selinux-policy/Makefile | 4 ++-- 1 fi

[PATCH] selinux-policy: update version to v2.8

2025-05-27 Thread Dominick Grift
line sysupgrade sdcard 8251117 README badfb57 iw/tmux socket creation is implied in macros 5663f89 iwsysagent and readme 6815a6c README bde5a56 README 6b89f0a hotplug and netif unconfined.exec.file underline "trusted" 862da9b unknown netifd protocols with netif.unconfined.exec.file Signed-off

[PATCH] selinux-policy: update version to v2.8.2

2025-06-01 Thread Dominick Grift
unconfined.exec.file underline "trusted" 862da9b unknown netifd protocols with netif.unconfined.exec.file Signed-off-by: Dominick Grift --- a3383be fixes an issue where system becomes inaccessible over the network due to some recent change There is a regression in libselinux 3.8 that might

[PATCH] selinux-policy: update to version v2.8.1

2025-05-29 Thread Dominick Grift
mux socket creation is implied in macros 5663f89 iwsysagent and readme 6815a6c README bde5a56 README 6b89f0a hotplug and netif unconfined.exec.file underline "trusted" 862da9b unknown netifd protocols with netif.unconfined.exec.file Signed-off-by: Dominick Grift --- package/system/

[PATCH] selinux-policy: update to version v2.8.1

2025-05-29 Thread Dominick Grift
mux socket creation is implied in macros 5663f89 iwsysagent and readme 6815a6c README bde5a56 README 6b89f0a hotplug and netif unconfined.exec.file underline "trusted" 862da9b unknown netifd protocols with netif.unconfined.exec.file Signed-off-by: Dominick Grift --- package/system/

Re: [PATCH] selinux-policy: update version to v2.8

2025-05-29 Thread Dominick Grift
Ignore this please. Most likely has incorrect package mirror hash. Dominick Grift writes: > Changes since v2.6 > > 3e93844 related to bpi-r4 Linux 6.12 > 449cb74 sysagent: use logintermdev (no differences) > 20ad31d unlabeled/invalid: these are relative to . > 9c85622 ip

Re: [PATCH] selinux-policy: update version to v2.8.2

2025-06-01 Thread Dominick Grift
Dominick Grift writes: > Changes since v2.6: > > a3383be configgenerate > --- > > a3383be fixes an issue where system becomes inaccessible over the > network due to some recent change Likely this change https://github.com/openwrt/openwrt/commit/d989d9a8ec4c94bd2185cac45ad9