From patchwork Sat Apr 16 13:10:39 2022
X-Patchwork-Submitter: Dominick Grift
X-Patchwork-Id: 1618023
X-Patchwork-Delegate: daniel@makrotopia.org
From: Dominick Grift
To: openwrt-devel@lists.openwrt.org
Cc: Dominick Grift
Subject: [PATCH] selinux-policy: update to version 1.1
Date: Sat, 16 Apr 2022 15:10:39 +0200
Message-Id: <20220416131039.355957-1-dominick.grift@defensec.nl>
X-Mailer: git-send-email 2.35.2

try to clean up some labeling inconsistencies iwinfo loose ends ucode loose ends Makefile: adjust mintesttgt (adds blockmount/blockd) nftables: reads inherited netifd pipe ucode: reads inherited netifd pipes mountroot: fowner sandbox: writes inherited dropbear pipes unbound related to /tmp/etc/ssl unbound loose ends adds a sslconftmpfile for /tmp/etc/ssl README: maintain a wish list in the README iwinfo: netifd forgot write gptfdisk loose ends iwinfo: netifd wpad reads/writes inherited netifd fifo files netifd (mac80211.sh) executes iwinfo luci: executes wireguard luci-cgi: audits xtables execute access rcuhttpd: lists ssl certfile dirs iwinfo, wifi,nftables usage of ttyd pty if available urandomseed: seedrng needs cap_sys_admin iwinfo iwinfo, nftables and some chronyd rules related to ntp nts server nftables, wifi and adds iwinfo skel nftables, rpcd, ucode nftables, ucode and seedrng ucode, fw3/nftables, luci adds ucode skel and some fw3/nftables related urandomseed: some seedrng rules
fw3 adds some support for fw4 urandomseed: /etc/seedrng is for seed.credit hotplugcal: runs ucode which is interpreter like adds a nftables skeleton and makes xtables optional agent: allow all agents to write inherited dropbear pipes urandomseed: this seems to be replaced by seedrng kmodloader: label /etc/modules.conf kmodloader.conffile Revert "shelexecfile: remove auditallow rule" Makefile: sort the modules to process by secilc Moves back to git.defensec.nl unbound odhcpd (ip) reads net proc tcp dump shelexecfile: remove auditallow rule rrd.cil: fixes indent Target rddtool from cgi-io instead of runnit it without transition rrd.cil related rrd, rpcd, cgiio clean ups related to luci-app-statistics Rules for rrd files and luci-statistics unboundcontrol ordering Several missing permissions blockmount, dnsmasq, hotplugcall, rpcd, unbound adds mctp_socket (linux 5.15) ip: forgot tc-tiny type transition to go along with the fc spec ip: adds a fc spec for tc-tiny (called by sqm) adds ttyACM fc spec and various assorted loose ends .gitattributes: do not export the github workflows workflow use selinux 3.3 project moved back to https://git.defensec.nl/selinux-policy.git Signed-off-by: Dominick Grift --- package/system/selinux-policy/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/system/selinux-policy/Makefile b/package/system/selinux-policy/Makefile index 0b85920170..10eff7be57 100644 --- a/package/system/selinux-policy/Makefile +++ b/package/system/selinux-policy/Makefile 
@@ -7,9 +7,9 @@ include $(TOPDIR)/rules.mk PKG_NAME:=selinux-policy PKG_SOURCE_PROTO:=git -PKG_SOURCE_URL:=https://github.com/DefenSec/selinux-policy -PKG_VERSION:=1.0 -PKG_MIRROR_HASH:=2358a064d1231d39e6292d646e1a38898d949b8bef6558ac1e0992d3b5bca33f +PKG_SOURCE_URL:=https://git.defensec.nl/selinux-policy.git +PKG_VERSION:=1.1 +PKG_MIRROR_HASH:=657ec1ff51ab946753fb3559384511a536ac1e018691f3e49cbab21c55d23e08 PKG_SOURCE_VERSION:=v$(PKG_VERSION) PKG_BUILD_DEPENDS:=secilc/host policycoreutils/host
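
Review bot: In the Makefile hunk, PKG_SOURCE_URL now points at a different host while the unchanged context line PKG_SOURCE_VERSION:=v$(PKG_VERSION) still resolves a tag, so what gets fetched depends on a mutable ref on the new server. Consider setting PKG_SOURCE_VERSION to the full commit id behind the v1.1 tag, with PKG_MIRROR_HASH remaining the check on the packed source. Because the origin and the hash change together in the same three lines, it would also help to state in the commit message that the new PKG_MIRROR_HASH was regenerated from a fetch of the git.defensec.nl URL, and to condense the pasted upstream shortlog into a short summary of what changes for OpenWrt.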