* [gentoo-commits] proj/hardened-refpolicy:swift commit in: /
@ 2016-10-24 16:02 Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
0 siblings, 2 replies; 13+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 7601edab81d7dd32ebe8270c7cd3ac17b0f28431
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 9 11:47:09 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7601edab
Rearrange lines in syncthing.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
syncthing.if | 19 +++++++++----------
syncthing.te | 20 +++++++-------------
2 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/syncthing.if b/syncthing.if
index d71fdaa..065800a 100644
--- a/syncthing.if
+++ b/syncthing.if
@@ -16,17 +16,16 @@
## </param>
#
interface(`syncthing_role', `
+ gen_require(`
+ attribute_role syncthing_roles;
+ type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ ')
- gen_require(`
- attribute_role syncthing_roles;
- type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
- ')
+ roleattribute $1 syncthing_roles;
- roleattribute $1 syncthing_roles;
+ domtrans_pattern($2, syncthing_exec_t, syncthing_t)
- domtrans_pattern($2, syncthing_exec_t, syncthing_t)
-
- allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
')
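Review bot: the commit subject says "rearrange", but inside `syncthing_role` every removed line comes back with the same text (the `gen_require` block, `roleattribute`, `domtrans_pattern` and the three `allow $2 syncthing_config_home_t:...` rules), so this hunk is a whitespace change plus one dropped blank line. Say that in the commit message, so anyone auditing the history for access changes to `syncthing_config_home_t` can skip this commit without comparing the rules by hand.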
diff --git a/syncthing.te b/syncthing.te
index 8144389..92d0bf5 100644
--- a/syncthing.te
+++ b/syncthing.te
@@ -27,23 +27,23 @@ allow syncthing_t self:tcp_socket { listen accept };
can_exec(syncthing_t, syncthing_exec_t)
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
kernel_read_system_state(syncthing_t)
corenet_tcp_sendrecv_generic_if(syncthing_t)
corenet_udp_sendrecv_generic_if(syncthing_t)
-
corenet_tcp_bind_generic_node(syncthing_t)
corenet_tcp_sendrecv_generic_node(syncthing_t)
corenet_tcp_sendrecv_all_ports(syncthing_t)
-
corenet_udp_bind_generic_node(syncthing_t)
corenet_udp_sendrecv_generic_node(syncthing_t)
corenet_udp_sendrecv_all_ports(syncthing_t)
-
corenet_tcp_connect_all_ports(syncthing_t)
-
corenet_tcp_bind_syncthing_port(syncthing_t)
corenet_udp_bind_syncthing_discovery_port(syncthing_t)
corenet_tcp_bind_syncthing_admin_port(syncthing_t)
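Review bot: dropping the blank separators in the corenet block leaves `corenet_tcp_connect_all_ports(syncthing_t)` and the two `*_sendrecv_all_ports` calls buried in one run of bind and sendrecv lines; add a one-line comment above them saying why the domain needs every port, so the broad grants still stand out in an audit. The three `manage_*_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)` lines added after `can_exec` are the same three removed in the `@@ -55,10 +55,6 @@` hunk, so the move itself does not change the rule set.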
@@ -55,10 +55,6 @@ fs_getattr_xattr_fs(syncthing_t)
auth_use_nsswitch(syncthing_t)
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-
miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)
@@ -66,13 +62,11 @@ userdom_manage_user_home_content_files(syncthing_t)
userdom_manage_user_home_content_dirs(syncthing_t)
userdom_manage_user_home_content_symlinks(syncthing_t)
userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
-
+userdom_use_user_terminals(syncthing_t)
# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
-userdom_use_user_terminals(syncthing_t)
-
optional_policy(`
- # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
- networkmanager_read_pid_files(syncthing_t)
+ # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+ networkmanager_read_pid_files(syncthing_t)
')
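Review bot: the comment kept above `userdom_user_home_content_filetrans(...)` talks about newly created files in ~/.config/syncthing/, but the call passes `dir, "syncthing"`, which is a named transition for a directory called syncthing; reword the comment while these lines are being touched. With the blank line before it removed, `userdom_use_user_terminals(syncthing_t)` now sits directly against that comment, so keep a separator there to make clear the comment belongs to the filetrans call only.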
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift commit in: / Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
1 sibling, 0 replies; 13+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 7601edab81d7dd32ebe8270c7cd3ac17b0f28431
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 9 11:47:09 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7601edab
Rearrange lines in syncthing.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
syncthing.if | 19 +++++++++----------
syncthing.te | 20 +++++++-------------
2 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/syncthing.if b/syncthing.if
index d71fdaa..065800a 100644
--- a/syncthing.if
+++ b/syncthing.if
@@ -16,17 +16,16 @@
## </param>
#
interface(`syncthing_role', `
+ gen_require(`
+ attribute_role syncthing_roles;
+ type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ ')
- gen_require(`
- attribute_role syncthing_roles;
- type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
- ')
+ roleattribute $1 syncthing_roles;
- roleattribute $1 syncthing_roles;
+ domtrans_pattern($2, syncthing_exec_t, syncthing_t)
- domtrans_pattern($2, syncthing_exec_t, syncthing_t)
-
- allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
')
diff --git a/syncthing.te b/syncthing.te
index 8144389..92d0bf5 100644
--- a/syncthing.te
+++ b/syncthing.te
@@ -27,23 +27,23 @@ allow syncthing_t self:tcp_socket { listen accept };
can_exec(syncthing_t, syncthing_exec_t)
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
kernel_read_system_state(syncthing_t)
corenet_tcp_sendrecv_generic_if(syncthing_t)
corenet_udp_sendrecv_generic_if(syncthing_t)
-
corenet_tcp_bind_generic_node(syncthing_t)
corenet_tcp_sendrecv_generic_node(syncthing_t)
corenet_tcp_sendrecv_all_ports(syncthing_t)
-
corenet_udp_bind_generic_node(syncthing_t)
corenet_udp_sendrecv_generic_node(syncthing_t)
corenet_udp_sendrecv_all_ports(syncthing_t)
-
corenet_tcp_connect_all_ports(syncthing_t)
-
corenet_tcp_bind_syncthing_port(syncthing_t)
corenet_udp_bind_syncthing_discovery_port(syncthing_t)
corenet_tcp_bind_syncthing_admin_port(syncthing_t)
@@ -55,10 +55,6 @@ fs_getattr_xattr_fs(syncthing_t)
auth_use_nsswitch(syncthing_t)
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-
miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)
@@ -66,13 +62,11 @@ userdom_manage_user_home_content_files(syncthing_t)
userdom_manage_user_home_content_dirs(syncthing_t)
userdom_manage_user_home_content_symlinks(syncthing_t)
userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
-
+userdom_use_user_terminals(syncthing_t)
# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
-userdom_use_user_terminals(syncthing_t)
-
optional_policy(`
- # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
- networkmanager_read_pid_files(syncthing_t)
+ # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+ networkmanager_read_pid_files(syncthing_t)
')
* [gentoo-commits] proj/hardened-refpolicy:next commit in: /
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift commit in: / Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 16:03 ` Sven Vermeulen
1 sibling, 0 replies; 13+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: 7601edab81d7dd32ebe8270c7cd3ac17b0f28431
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 9 11:47:09 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:32 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7601edab
Rearrange lines in syncthing.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
syncthing.if | 19 +++++++++----------
syncthing.te | 20 +++++++-------------
2 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/syncthing.if b/syncthing.if
index d71fdaa..065800a 100644
--- a/syncthing.if
+++ b/syncthing.if
@@ -16,17 +16,16 @@
## </param>
#
interface(`syncthing_role', `
+ gen_require(`
+ attribute_role syncthing_roles;
+ type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ ')
- gen_require(`
- attribute_role syncthing_roles;
- type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
- ')
+ roleattribute $1 syncthing_roles;
- roleattribute $1 syncthing_roles;
+ domtrans_pattern($2, syncthing_exec_t, syncthing_t)
- domtrans_pattern($2, syncthing_exec_t, syncthing_t)
-
- allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
')
diff --git a/syncthing.te b/syncthing.te
index 8144389..92d0bf5 100644
--- a/syncthing.te
+++ b/syncthing.te
@@ -27,23 +27,23 @@ allow syncthing_t self:tcp_socket { listen accept };
can_exec(syncthing_t, syncthing_exec_t)
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
kernel_read_system_state(syncthing_t)
corenet_tcp_sendrecv_generic_if(syncthing_t)
corenet_udp_sendrecv_generic_if(syncthing_t)
-
corenet_tcp_bind_generic_node(syncthing_t)
corenet_tcp_sendrecv_generic_node(syncthing_t)
corenet_tcp_sendrecv_all_ports(syncthing_t)
-
corenet_udp_bind_generic_node(syncthing_t)
corenet_udp_sendrecv_generic_node(syncthing_t)
corenet_udp_sendrecv_all_ports(syncthing_t)
-
corenet_tcp_connect_all_ports(syncthing_t)
-
corenet_tcp_bind_syncthing_port(syncthing_t)
corenet_udp_bind_syncthing_discovery_port(syncthing_t)
corenet_tcp_bind_syncthing_admin_port(syncthing_t)
@@ -55,10 +55,6 @@ fs_getattr_xattr_fs(syncthing_t)
auth_use_nsswitch(syncthing_t)
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-
miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)
@@ -66,13 +62,11 @@ userdom_manage_user_home_content_files(syncthing_t)
userdom_manage_user_home_content_dirs(syncthing_t)
userdom_manage_user_home_content_symlinks(syncthing_t)
userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
-
+userdom_use_user_terminals(syncthing_t)
# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
-userdom_use_user_terminals(syncthing_t)
-
optional_policy(`
- # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
- networkmanager_read_pid_files(syncthing_t)
+ # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+ networkmanager_read_pid_files(syncthing_t)
')
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-03-30 17:06 Jason Zaman
2017-03-30 17:09 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
0 siblings, 1 reply; 13+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 8cb5f0c4bc80f413594e10ca271343e44dc5888a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 15:00:46 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 15:00:46 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cb5f0c4
travis: move make install after building
.travis.yml | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index d4330257..a420597e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -102,13 +102,6 @@ install:
# Drop build.conf settings to listen to env vars
- sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
- - make xml
- - make html
- - make DESTDIR=${HOME}/tmp install
- - make DESTDIR=${HOME}/tmp install-headers
- - make DESTDIR=${HOME}/tmp install-src
- - make DESTDIR=${HOME}/tmp install-docs
- - make DESTDIR=${HOME}/tmp install-appconfig
script:
- echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC $SYSTEMD $WERROR
@@ -118,6 +111,15 @@ script:
- make
- make validate
+ - make xml
+ - make html
+
+ - make DESTDIR=${HOME}/tmp install
+ - make DESTDIR=${HOME}/tmp install-headers
+ - make DESTDIR=${HOME}/tmp install-src
+ - make DESTDIR=${HOME}/tmp install-docs
+ - make DESTDIR=${HOME}/tmp install-appconfig
+
branches:
only:
- /^travis-.*/
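Review bot: the `make xml`, `make html` and `make DESTDIR=${HOME}/tmp install*` lines appended to `script:` will still run when `make` or `make validate` fails, because Travis executes every `script` entry and only marks the build failed afterwards. If the intent is to install only a policy that built and validated, guard them on the earlier results. The commit message should also say why the `install:` phase was the wrong place for these steps, since the subject only states the move.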
* [gentoo-commits] proj/hardened-refpolicy:next commit in: /
2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-03-30 17:09 ` Jason Zaman
0 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
To: gentoo-commits
commit: 8cb5f0c4bc80f413594e10ca271343e44dc5888a
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 15:00:46 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 15:00:46 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cb5f0c4
travis: move make install after building
.travis.yml | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index d4330257..a420597e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -102,13 +102,6 @@ install:
# Drop build.conf settings to listen to env vars
- sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD|WERROR)/d' build.conf
- - make xml
- - make html
- - make DESTDIR=${HOME}/tmp install
- - make DESTDIR=${HOME}/tmp install-headers
- - make DESTDIR=${HOME}/tmp install-src
- - make DESTDIR=${HOME}/tmp install-docs
- - make DESTDIR=${HOME}/tmp install-appconfig
script:
- echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC $SYSTEMD $WERROR
@@ -118,6 +111,15 @@ script:
- make
- make validate
+ - make xml
+ - make html
+
+ - make DESTDIR=${HOME}/tmp install
+ - make DESTDIR=${HOME}/tmp install-headers
+ - make DESTDIR=${HOME}/tmp install-src
+ - make DESTDIR=${HOME}/tmp install-docs
+ - make DESTDIR=${HOME}/tmp install-appconfig
+
branches:
only:
- /^travis-.*/
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-02-27 10:50 Jason Zaman
2017-02-27 11:40 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
0 siblings, 1 reply; 13+ messages in thread
From: Jason Zaman @ 2017-02-27 10:50 UTC (permalink / raw
To: gentoo-commits
commit: 1572117a9a4c1da6797c9753cf0b20e6cbf8e5b0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 16:50:11 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:38:00 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1572117a
apache: Fix CI error.
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
0 siblings, 1 reply; 13+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 26f8f91c4a8026fe395e8253432796a95cdab765
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 14:38:26 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:43:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26f8f91c
Fix typo in README.
Closes #100
README | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index 10cca4c1..7ac92f25 100644
--- a/README
+++ b/README
@@ -122,7 +122,7 @@ UNK_PERMS String. Set the kernel behavior for handling of
UBAC Boolean. If set, the SELinux user will be used
additionally for approximate role separation.
-SYSTEMD Boolean. If set, systemd will be assumed the be the init
+SYSTEMD Boolean. If set, systemd will be assumed to be the init
process provider.
MLS_SENS Integer. Set the number of sensitivities in the MLS
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: /
@ 2016-10-24 16:02 Sven Vermeulen
2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
0 siblings, 1 reply; 13+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: a172282d756622acde353c6bd9387431b0b3ff9e
Author: Naftuli Tzvi Kay <rfkrocktk <AT> gmail <DOT> com>
AuthorDate: Sun Aug 21 07:08:42 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:25 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a172282d
Syncthing Policy
Policy governing Syncthing - a file synchronization utility
written in Go.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
syncthing.fc | 3 +++
syncthing.if | 32 +++++++++++++++++++++++++
syncthing.te | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 113 insertions(+)
diff --git a/syncthing.fc b/syncthing.fc
new file mode 100644
index 0000000..4f7f53e
--- /dev/null
+++ b/syncthing.fc
@@ -0,0 +1,3 @@
+/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
+
+HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_config_home_t,s0)
diff --git a/syncthing.if b/syncthing.if
new file mode 100644
index 0000000..d71fdaa
--- /dev/null
+++ b/syncthing.if
@@ -0,0 +1,32 @@
+## <summary>Application that lets you synchronize your files across multiple devices.</summary>
+
+########################################
+## <summary>
+## Role access for Syncthing
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`syncthing_role', `
+
+ gen_require(`
+ attribute_role syncthing_roles;
+ type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ ')
+
+ roleattribute $1 syncthing_roles;
+
+ domtrans_pattern($2, syncthing_exec_t, syncthing_t)
+
+ allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+')
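Review bot: `syncthing_role` gives `$2` the domain transition and control of `syncthing_config_home_t`, but nothing in this interface lets the calling user domain see or signal the `syncthing_t` process it started. Role interfaces in refpolicy usually add `ps_process_pattern($2, syncthing_t)` and `allow $2 syncthing_t:process signal_perms;`. The three raw `allow $2 syncthing_config_home_t:...` rules would also read better as the matching `manage_*_pattern` and `relabel_*_pattern` macros, and the blank line right after the `interface(` opening can go.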
diff --git a/syncthing.te b/syncthing.te
new file mode 100644
index 0000000..8144389
--- /dev/null
+++ b/syncthing.te
@@ -0,0 +1,78 @@
+policy_module(syncthing, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+
+type syncthing_config_home_t;
+userdom_user_home_content(syncthing_config_home_t)
+
+########################################
+#
+# Declarations
+#
+
+allow syncthing_t self:process getsched;
+allow syncthing_t self:fifo_file rw_fifo_file_perms;
+allow syncthing_t self:tcp_socket { listen accept };
+
+can_exec(syncthing_t, syncthing_exec_t)
+
+kernel_read_kernel_sysctls(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+kernel_read_system_state(syncthing_t)
+
+corenet_tcp_sendrecv_generic_if(syncthing_t)
+corenet_udp_sendrecv_generic_if(syncthing_t)
+
+corenet_tcp_bind_generic_node(syncthing_t)
+corenet_tcp_sendrecv_generic_node(syncthing_t)
+corenet_tcp_sendrecv_all_ports(syncthing_t)
+
+corenet_udp_bind_generic_node(syncthing_t)
+corenet_udp_sendrecv_generic_node(syncthing_t)
+corenet_udp_sendrecv_all_ports(syncthing_t)
+
+corenet_tcp_connect_all_ports(syncthing_t)
+
+corenet_tcp_bind_syncthing_port(syncthing_t)
+corenet_udp_bind_syncthing_discovery_port(syncthing_t)
+corenet_tcp_bind_syncthing_admin_port(syncthing_t)
+
+dev_read_rand(syncthing_t)
+dev_read_urand(syncthing_t)
+
+fs_getattr_xattr_fs(syncthing_t)
+
+auth_use_nsswitch(syncthing_t)
+
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
+miscfiles_read_generic_certs(syncthing_t)
+miscfiles_read_localization(syncthing_t)
+
+userdom_manage_user_home_content_files(syncthing_t)
+userdom_manage_user_home_content_dirs(syncthing_t)
+userdom_manage_user_home_content_symlinks(syncthing_t)
+userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+
+# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
+userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
+
+userdom_use_user_terminals(syncthing_t)
+
+optional_policy(`
+ # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+ networkmanager_read_pid_files(syncthing_t)
+')
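Review bot: `userdom_manage_user_home_content_files`, `_dirs` and `_symlinks` on `syncthing_t`, combined with `corenet_tcp_connect_all_ports(syncthing_t)` and the `*_sendrecv_all_ports` calls, give a network-facing domain write access to all generic user home content and outbound connections to any port. That may be what a sync tool needs, but it deserves a comment stating so, and the home-content access is a candidate for a tunable. Smaller points: the second section banner repeats "Declarations" where the rules that follow are local policy, and `syncthing_t` is set up with both `init_daemon_domain` and `userdom_user_application_domain` without a comment saying which launch path each one serves.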
* [gentoo-commits] proj/hardened-refpolicy:next commit in: /
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 16:03 ` Sven Vermeulen
0 siblings, 0 replies; 13+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC (permalink / raw
To: gentoo-commits
commit: a172282d756622acde353c6bd9387431b0b3ff9e
Author: Naftuli Tzvi Kay <rfkrocktk <AT> gmail <DOT> com>
AuthorDate: Sun Aug 21 07:08:42 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:57:25 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a172282d
Syncthing Policy
Policy governing Syncthing - a file synchronization utility
written in Go.
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
syncthing.fc | 3 +++
syncthing.if | 32 +++++++++++++++++++++++++
syncthing.te | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 113 insertions(+)
diff --git a/syncthing.fc b/syncthing.fc
new file mode 100644
index 0000000..4f7f53e
--- /dev/null
+++ b/syncthing.fc
@@ -0,0 +1,3 @@
+/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
+
+HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_config_home_t,s0)
diff --git a/syncthing.if b/syncthing.if
new file mode 100644
index 0000000..d71fdaa
--- /dev/null
+++ b/syncthing.if
@@ -0,0 +1,32 @@
+## <summary>Application that lets you synchronize your files across multiple devices.</summary>
+
+########################################
+## <summary>
+## Role access for Syncthing
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`syncthing_role', `
+
+ gen_require(`
+ attribute_role syncthing_roles;
+ type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+ ')
+
+ roleattribute $1 syncthing_roles;
+
+ domtrans_pattern($2, syncthing_exec_t, syncthing_t)
+
+ allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
+ allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+')
diff --git a/syncthing.te b/syncthing.te
new file mode 100644
index 0000000..8144389
--- /dev/null
+++ b/syncthing.te
@@ -0,0 +1,78 @@
+policy_module(syncthing, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+
+type syncthing_config_home_t;
+userdom_user_home_content(syncthing_config_home_t)
+
+########################################
+#
+# Declarations
+#
+
+allow syncthing_t self:process getsched;
+allow syncthing_t self:fifo_file rw_fifo_file_perms;
+allow syncthing_t self:tcp_socket { listen accept };
+
+can_exec(syncthing_t, syncthing_exec_t)
+
+kernel_read_kernel_sysctls(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+kernel_read_system_state(syncthing_t)
+
+corenet_tcp_sendrecv_generic_if(syncthing_t)
+corenet_udp_sendrecv_generic_if(syncthing_t)
+
+corenet_tcp_bind_generic_node(syncthing_t)
+corenet_tcp_sendrecv_generic_node(syncthing_t)
+corenet_tcp_sendrecv_all_ports(syncthing_t)
+
+corenet_udp_bind_generic_node(syncthing_t)
+corenet_udp_sendrecv_generic_node(syncthing_t)
+corenet_udp_sendrecv_all_ports(syncthing_t)
+
+corenet_tcp_connect_all_ports(syncthing_t)
+
+corenet_tcp_bind_syncthing_port(syncthing_t)
+corenet_udp_bind_syncthing_discovery_port(syncthing_t)
+corenet_tcp_bind_syncthing_admin_port(syncthing_t)
+
+dev_read_rand(syncthing_t)
+dev_read_urand(syncthing_t)
+
+fs_getattr_xattr_fs(syncthing_t)
+
+auth_use_nsswitch(syncthing_t)
+
+manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+
+miscfiles_read_generic_certs(syncthing_t)
+miscfiles_read_localization(syncthing_t)
+
+userdom_manage_user_home_content_files(syncthing_t)
+userdom_manage_user_home_content_dirs(syncthing_t)
+userdom_manage_user_home_content_symlinks(syncthing_t)
+userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+
+# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
+userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
+
+userdom_use_user_terminals(syncthing_t)
+
+optional_policy(`
+ # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
+ networkmanager_read_pid_files(syncthing_t)
+')
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2016-10-24 16:02 Sven Vermeulen
2016-10-24 16:03 ` [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
0 siblings, 1 reply; 13+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
To: gentoo-commits
commit: 4a0e65d9a24d32297caee427433746e59468df3e
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:00:58 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a0e65d9
Update Changelog and VERSION for release.
Changelog | 234 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 235 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 617f49e..d00f2cf 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,237 @@
+* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
+Chris PeBenito (94):
+ Module version bump for systemd-user-sessions fc entry from Dominick Grift
+ Module version bumps for 2 patches from Dominick Grift.
+ Module version bump for vm overcommit sysctl interfaces from Laurent
+ Bigonville.
+ Update contrib.
+ Module version bump for Xorg and SSH patches from Nicolas Iooss.
+ Add neverallow for mac_override capability. It is not used by SELinux.
+ Merge branch 'overcommit-1' of git://github.com/bigon/refpolicy into
+ bigon-overcommit-1
+ Merge branch 'bigon-overcommit-1'
+ Merge branch 'systemd-1' of git://github.com/bigon/refpolicy into
+ bigon-systemd-1
+ Merge branch 'bigon-systemd-1'
+ Module version bump for syslog and systemd changes from Laurent Bigonville
+ Merge pull request #19 from shootingatshadow/fc_sort
+ Merge branch 'xorg-1' of git://github.com/bigon/refpolicy into
+ bigon-xorg-1
+ Merge branch 'bigon-xorg-1'
+ Module version bump for Debian Xorg fc fixes from Laurent Bigonville
+ Add a type and genfscon for nsfs.
+ Module version bump for systemd PrivateNetwork patch from Nicolas Iooss
+ Module version bump for systemd audit_read capability from Laurent
+ Bigonville
+ Merge pull request #21 from fishilico/typos
+ Module version bump for patches from Nicolas Iooss and Grant Ridder.
+ Update contrib.
+ Module version bump for efivarfs patches from Dan Walsh, Vit Mojzis, and
+ Laurent Bigonville
+ Module version bump for ipset fc entry from Laurent Bigonville.
+ Update contrib.
+ Whitespace fix in iptables.fc.
+ Module version bump for iptables fc entries from Laurent Bigonville and
+ Lukas Vrabec.
+ Update contrib.
+ Module version bump for iptables/firewalld patch from Laurent Bigonville.
+ Merge pull request #29 from bigon/appconfig-lxc
+ Module version bump for getty patch from Luis Ressel.
+ Module version bump for tboot utils from Luis Ressel and systemd fix from
+ Jason Zaman.
+ Merge branch 'corecommands-archlinux' of
+ https://github.com/fishilico/selinux-refpolicy-patched
+ Merge branch 'dev_setattr_dlm_control-typo' of
+ https://github.com/fishilico/selinux-refpolicy-patched
+ Merge branch 'kdevtmpfs-unlink' of
+ https://github.com/fishilico/selinux-refpolicy-patched
+ Module version bump for several Arch fixes from Nicolas Iooss.
+ Update contrib.
+ Reduce broad entrypoints for unconfined domains.
+ Update Travis-CI build to newest SELinux userspace release.
+ Update su for libselinux-2.5 changes.
+ Merge branch 'selinux-1' of https://github.com/bigon/refpolicy
+ Module version bump for Debian fc entries from Laurent Bigonville.
+ Module version bump for patches from Dominick Grift and Lukas Vrabec.
+ Add user namespace capability object classes.
+ Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz
+ Andrejczuk.
+ Module version bump for nftables fc entry from Jason Zaman.
+ Update contrib.
+ Module version bump for LMNR port from Laurent Bigonville.
+ Module version bump for systemd-resolved patch from Laurent BIgonville.
+ Merge branch 'master' of https://github.com/qqo/refpolicy into qqo-master
+ Merge branch 'qqo-master'
+ Module version bump for mlstrustedsocket from qqo.
+ Module version bumps + contrib update for user_runtime from Jason Zaman.
+ Update contrib.
+ Module version bump for corecommands update from Garrett Holmstrom.
+ Module version bump for MLS relabeling patch from Lukas Vrabec.
+ Get attributes of generic ptys, from Russell Coker.
+ Module version bump for user_udp_server tunable from Russell Coker.
+ libraries: Move libsystemd fc entry.
+ libraries: Module version bump for libsystemd fc entry from Lukas Vrabec.
+ Update contrib.
+ Systemd units from Russell Coker.
+ corenetwork: Add port labeling for Global Catalog over LDAPS.
+ corenetwork: Missed version bump for previous commit.
+ Update contrib.
+ Allow the system user domains to chat over dbus with a few other domains
+ (e.g. gnome session).
+ Update alsa module use from Guido Trentalancia.
+ Update the sysnetwork module to add some permissions needed by the dhcp
+ client (another separate patch makes changes to the ifconfig part).
+ Ifconfig should be able to read firmware files in /lib (i.e. some network
+ cards need to load their firmware) and it should not audit attempts to
+ load kernel modules directly.
+ Remove redundant libs_read_lib_files() for ifconfig_t.
+ Module version bump for various patches from Guido Trentalancia.
+ Update contrib.
+ Update for the xserver module:
+ userdomain: Fix compile errors.
+ Update contrib.
+ Merge pull request #38 from fishilico/travis-nosudo
+ Module version bump for module_load perm use from Guido Trentalancia.
+ Update contrib.
+ Merge pull request #39 from rfkrocktk/feature/vagrant
+ Merge pull request #40 from jer-gentoo/patch-1
+ userdomain: Move enable_mls block in userdom_common_user_template().
+ Module version bumps for LVM and useromain patches from Guido
+ Trentalancia.
+ Update contrib.
+ Additional change from Guido Trentalancia related to evolution.
+ Module version bump for selinuxutil fix from Jason Zaman.
+ Update contrib.
+ Update contrib.
+ Merge branch 'feature/syncthing' of https://github.com/rfkrocktk/refpolicy
+ into rfkrocktk-feature/syncthing
+ Merge branch 'rfkrocktk-feature/syncthing'
+ Module version bumps for syncthing from Naftuli Tzvi Kay.
+ Merge pull request #41 from SeanPlacchetti/patch-1
+ Merge pull request #42 from SeanPlacchetti/patch-1
+ Merge pull request #43 from williamcroberts/google-patch
+ Update contrib.
+ Bump module versions for release.
+
+Dan Walsh (1):
+ Add label for efivarfs
+
+Dominick Grift (5):
+ systemd: add missing file context spec for systemd-user-sessions
+ executable file
+ authlogin: remove duplicate files_list_var_lib(nsswitch_domain)
+ kernel: implement sysctl_vm_overcommit_t for
+ /proc/sys/vm/overcommit_memory
+ systemd: Add support for --log-target
+ Update refpolicy to handle hwloc
+
+Garrett Holmstrom (1):
+ corecmd: Remove fcontext for /etc/sysconfig/libvirtd
+
+Grant Ridder (1):
+ Add redis-sentinel port to redis network_port def
+
+Guido Trentalancia (6):
+ Add module_load permission to class system
+ Add module_load permission to can_load_kernmodule
+ Remove deprecated semodule options from Makefile
+ Update the lvm module
+ Improve tunable support for rw operations on noxattr fs / removable media
+ userdomain: introduce the user certificate file context (was miscfiles:
+ introduce the user certificate file context)
+
+Jason Zaman (6):
+ system/init: move systemd_ interfaces into optional_policy
+ iptables: add fcontext for nftables
+ authlogin: remove fcontext for /var/run/user
+ userdomain: Introduce types for /run/user
+ userdomain: user_tmp requires searching /run/user
+ userdomain: introduce interfaces for user runtime
+
+Jason Zaman via refpolicy (1):
+ selinuxutil: allow setfiles to read semanage store
+
+Jeroen Roovers (1):
+ Use $(AWK) not plain awk
+
+Laurent Bigonville (15):
+ Add interfaces to read/write /proc/sys/vm/overcommit_memory
+ Give some systemd domain access to /proc/sys/kernel/random/boot_id
+ On Debian, systemd binaries are installed in / not /usr
+ Allow syslogd_t to read sysctl_vm_overcommit_t
+ Label Xorg server binary correctly on Debian
+ Allow systemd the audit_read capability
+ Allow logind to read efivarfs files
+ Add label for /sbin/ipset
+ Label /var/run/ebtables.lock as iptables_var_run_t.
+ Allow {eb,ip,ip6}tables-restore to read files in /run/firewalld
+ Add lxc_contexts config file
+ Add some labels for SELinux tools path in Debian
+ Add the validate_trans access vector to the security class
+ Add llmnr/5355 (Link-local Multicast Name Resolution)
+ Add policy for systemd-resolved
+
+Luis Ressel (2):
+ Allow getty the sys_admin capability
+ Allow sysadm to run txt-stat.
+
+Lukas Vrabec (4):
+ Label /var/run/xtables.lock as iptables_var_run_t.
+ SELinux support for cgroup2 filesystem.
+ Add new MLS attribute to allow relabeling objects higher than system low.
+ This exception is needed for package managers when processing sensitive
+ data.
+ Systemd by version 231 starts using shared library and systemd daemons
+ execute it. For this reason lib_t type is needed.
+
+Mike Palmiotto (1):
+ Add mls support for some db classes
+
+Naftuli Tzvi Kay (2):
+ Add Syncthing Support to Policy
+ Add Vagrant box for development.
+
+Nicolas Iooss (18):
+ Label Xorg server binary correctly on Arch Linux
+ Label OpenSSH files correctly on Arch Linux
+ Label OpenSSH systemd unit files
+ Allow systemd services to use PrivateNetwork feature
+ Fix typo in init_dbus_chat requirements
+ Fix typos in comments from corenetwork module
+ man: Spelling fixes
+ Fix interface descriptions when duplicate ones are found
+ Label /sys/kernel/debug/tracing filesystem
+ Label TexLive scripts bin_t
+ Label system-config-printer applet properly on Arch Linux
+ Label gedit plugins properly on Arch Linux
+ Label some user session DBus services as bin_t
+ Do not label /usr/lib/gvfs/libgvfscommon.so as bin_t
+ Fix typo in dev_setattr_dlm_control interface requirements
+ Allow kdevtmpfs to unlink fixed disk devices
+ Fix typo in module compilation message
+ Make Travis-CI build without using sudo
+
+Rahul Chaudhry (1):
+ fc_sort: cleanup warnings caught by clang tidy / static analyzer.
+
+Russell Coker (2):
+ user_udp_server tunable
+ getattr on unlabeled blk devs
+
+Sean Placchetti (2):
+ Update to refpolicy spec file
+ Update specfile
+
+Vit Mojzis (1):
+ Add interface to allow reading files in efivarfs - contains Linux Kernel
+ configuration options for UEFI systems (UEFI Runtime Variables)
+
+William Roberts (1):
+ fc_sort: strip whitespace errors
+
+qqo (1):
+ Adds attribute mlstrustedsocket, along with the interface.
+
* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
Alexander Wetzel (1):
adds vfio device support to base policy
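Review bot: Three entries in the Chris PeBenito block carry spelling slips that will persist in the release Changelog: "Module version bump for LMNR port" (the matching Laurent Bigonville entry reads "Add llmnr/5355 (Link-local Multicast Name Resolution)", so this should be LLMNR), "LVM and useromain patches" (userdomain), and "Laurent BIgonville". If the list is generated from commit subjects, correcting these three lines by hand before tagging is cheap and keeps the Changelog searchable by the correct names.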
diff --git a/VERSION b/VERSION
index 382483e..f011019 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20151208
+2.20161023
* [gentoo-commits] proj/hardened-refpolicy:next commit in: /
2016-10-24 16:02 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 16:03 ` Sven Vermeulen
0 siblings, 0 replies; 13+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:03 UTC
To: gentoo-commits
commit: 4a0e65d9a24d32297caee427433746e59468df3e
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 23 20:58:59 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:00:58 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a0e65d9
Update Changelog and VERSION for release.
Changelog | 234 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
VERSION | 2 +-
2 files changed, 235 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 617f49e..d00f2cf 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,237 @@
+* Sun Oct 23 2016 Chris PeBenito <pebenito@ieee.org> - 2.20161023
+Chris PeBenito (94):
+ Module version bump for systemd-user-sessions fc entry from Dominick Grift
+ Module version bumps for 2 patches from Dominick Grift.
+ Module version bump for vm overcommit sysctl interfaces from Laurent
+ Bigonville.
+ Update contrib.
+ Module version bump for Xorg and SSH patches from Nicolas Iooss.
+ Add neverallow for mac_override capability. It is not used by SELinux.
+ Merge branch 'overcommit-1' of git://github.com/bigon/refpolicy into
+ bigon-overcommit-1
+ Merge branch 'bigon-overcommit-1'
+ Merge branch 'systemd-1' of git://github.com/bigon/refpolicy into
+ bigon-systemd-1
+ Merge branch 'bigon-systemd-1'
+ Module version bump for syslog and systemd changes from Laurent Bigonville
+ Merge pull request #19 from shootingatshadow/fc_sort
+ Merge branch 'xorg-1' of git://github.com/bigon/refpolicy into
+ bigon-xorg-1
+ Merge branch 'bigon-xorg-1'
+ Module version bump for Debian Xorg fc fixes from Laurent Bigonville
+ Add a type and genfscon for nsfs.
+ Module version bump for systemd PrivateNetwork patch from Nicolas Iooss
+ Module version bump for systemd audit_read capability from Laurent
+ Bigonville
+ Merge pull request #21 from fishilico/typos
+ Module version bump for patches from Nicolas Iooss and Grant Ridder.
+ Update contrib.
+ Module version bump for efivarfs patches from Dan Walsh, Vit Mojzis, and
+ Laurent Bigonville
+ Module version bump for ipset fc entry from Laurent Bigonville.
+ Update contrib.
+ Whitespace fix in iptables.fc.
+ Module version bump for iptables fc entries from Laurent Bigonville and
+ Lukas Vrabec.
+ Update contrib.
+ Module version bump for iptables/firewalld patch from Laurent Bigonville.
+ Merge pull request #29 from bigon/appconfig-lxc
+ Module version bump for getty patch from Luis Ressel.
+ Module version bump for tboot utils from Luis Ressel and systemd fix from
+ Jason Zaman.
+ Merge branch 'corecommands-archlinux' of
+ https://github.com/fishilico/selinux-refpolicy-patched
+ Merge branch 'dev_setattr_dlm_control-typo' of
+ https://github.com/fishilico/selinux-refpolicy-patched
+ Merge branch 'kdevtmpfs-unlink' of
+ https://github.com/fishilico/selinux-refpolicy-patched
+ Module version bump for several Arch fixes from Nicolas Iooss.
+ Update contrib.
+ Reduce broad entrypoints for unconfined domains.
+ Update Travis-CI build to newest SELinux userspace release.
+ Update su for libselinux-2.5 changes.
+ Merge branch 'selinux-1' of https://github.com/bigon/refpolicy
+ Module version bump for Debian fc entries from Laurent Bigonville.
+ Module version bump for patches from Dominick Grift and Lukas Vrabec.
+ Add user namespace capability object classes.
+ Module version bump for hwloc-dump-hwdata from Dominick Grift and Grzegorz
+ Andrejczuk.
+ Module version bump for nftables fc entry from Jason Zaman.
+ Update contrib.
+ Module version bump for LMNR port from Laurent Bigonville.
+ Module version bump for systemd-resolved patch from Laurent BIgonville.
+ Merge branch 'master' of https://github.com/qqo/refpolicy into qqo-master
+ Merge branch 'qqo-master'
+ Module version bump for mlstrustedsocket from qqo.
+ Module version bumps + contrib update for user_runtime from Jason Zaman.
+ Update contrib.
+ Module version bump for corecommands update from Garrett Holmstrom.
+ Module version bump for MLS relabeling patch from Lukas Vrabec.
+ Get attributes of generic ptys, from Russell Coker.
+ Module version bump for user_udp_server tunable from Russell Coker.
+ libraries: Move libsystemd fc entry.
+ libraries: Module version bump for libsystemd fc entry from Lukas Vrabec.
+ Update contrib.
+ Systemd units from Russell Coker.
+ corenetwork: Add port labeling for Global Catalog over LDAPS.
+ corenetwork: Missed version bump for previous commit.
+ Update contrib.
+ Allow the system user domains to chat over dbus with a few other domains
+ (e.g. gnome session).
+ Update alsa module use from Guido Trentalancia.
+ Update the sysnetwork module to add some permissions needed by the dhcp
+ client (another separate patch makes changes to the ifconfig part).
+ Ifconfig should be able to read firmware files in /lib (i.e. some network
+ cards need to load their firmware) and it should not audit attempts to
+ load kernel modules directly.
+ Remove redundant libs_read_lib_files() for ifconfig_t.
+ Module version bump for various patches from Guido Trentalancia.
+ Update contrib.
+ Update for the xserver module:
+ userdomain: Fix compile errors.
+ Update contrib.
+ Merge pull request #38 from fishilico/travis-nosudo
+ Module version bump for module_load perm use from Guido Trentalancia.
+ Update contrib.
+ Merge pull request #39 from rfkrocktk/feature/vagrant
+ Merge pull request #40 from jer-gentoo/patch-1
+ userdomain: Move enable_mls block in userdom_common_user_template().
+ Module version bumps for LVM and useromain patches from Guido
+ Trentalancia.
+ Update contrib.
+ Additional change from Guido Trentalancia related to evolution.
+ Module version bump for selinuxutil fix from Jason Zaman.
+ Update contrib.
+ Update contrib.
+ Merge branch 'feature/syncthing' of https://github.com/rfkrocktk/refpolicy
+ into rfkrocktk-feature/syncthing
+ Merge branch 'rfkrocktk-feature/syncthing'
+ Module version bumps for syncthing from Naftuli Tzvi Kay.
+ Merge pull request #41 from SeanPlacchetti/patch-1
+ Merge pull request #42 from SeanPlacchetti/patch-1
+ Merge pull request #43 from williamcroberts/google-patch
+ Update contrib.
+ Bump module versions for release.
+
+Dan Walsh (1):
+ Add label for efivarfs
+
+Dominick Grift (5):
+ systemd: add missing file context spec for systemd-user-sessions
+ executable file
+ authlogin: remove duplicate files_list_var_lib(nsswitch_domain)
+ kernel: implement sysctl_vm_overcommit_t for
+ /proc/sys/vm/overcommit_memory
+ systemd: Add support for --log-target
+ Update refpolicy to handle hwloc
+
+Garrett Holmstrom (1):
+ corecmd: Remove fcontext for /etc/sysconfig/libvirtd
+
+Grant Ridder (1):
+ Add redis-sentinel port to redis network_port def
+
+Guido Trentalancia (6):
+ Add module_load permission to class system
+ Add module_load permission to can_load_kernmodule
+ Remove deprecated semodule options from Makefile
+ Update the lvm module
+ Improve tunable support for rw operations on noxattr fs / removable media
+ userdomain: introduce the user certificate file context (was miscfiles:
+ introduce the user certificate file context)
+
+Jason Zaman (6):
+ system/init: move systemd_ interfaces into optional_policy
+ iptables: add fcontext for nftables
+ authlogin: remove fcontext for /var/run/user
+ userdomain: Introduce types for /run/user
+ userdomain: user_tmp requires searching /run/user
+ userdomain: introduce interfaces for user runtime
+
+Jason Zaman via refpolicy (1):
+ selinuxutil: allow setfiles to read semanage store
+
+Jeroen Roovers (1):
+ Use $(AWK) not plain awk
+
+Laurent Bigonville (15):
+ Add interfaces to read/write /proc/sys/vm/overcommit_memory
+ Give some systemd domain access to /proc/sys/kernel/random/boot_id
+ On Debian, systemd binaries are installed in / not /usr
+ Allow syslogd_t to read sysctl_vm_overcommit_t
+ Label Xorg server binary correctly on Debian
+ Allow systemd the audit_read capability
+ Allow logind to read efivarfs files
+ Add label for /sbin/ipset
+ Label /var/run/ebtables.lock as iptables_var_run_t.
+ Allow {eb,ip,ip6}tables-restore to read files in /run/firewalld
+ Add lxc_contexts config file
+ Add some labels for SELinux tools path in Debian
+ Add the validate_trans access vector to the security class
+ Add llmnr/5355 (Link-local Multicast Name Resolution)
+ Add policy for systemd-resolved
+
+Luis Ressel (2):
+ Allow getty the sys_admin capability
+ Allow sysadm to run txt-stat.
+
+Lukas Vrabec (4):
+ Label /var/run/xtables.lock as iptables_var_run_t.
+ SELinux support for cgroup2 filesystem.
+ Add new MLS attribute to allow relabeling objects higher than system low.
+ This exception is needed for package managers when processing sensitive
+ data.
+ Systemd by version 231 starts using shared library and systemd daemons
+ execute it. For this reason lib_t type is needed.
+
+Mike Palmiotto (1):
+ Add mls support for some db classes
+
+Naftuli Tzvi Kay (2):
+ Add Syncthing Support to Policy
+ Add Vagrant box for development.
+
+Nicolas Iooss (18):
+ Label Xorg server binary correctly on Arch Linux
+ Label OpenSSH files correctly on Arch Linux
+ Label OpenSSH systemd unit files
+ Allow systemd services to use PrivateNetwork feature
+ Fix typo in init_dbus_chat requirements
+ Fix typos in comments from corenetwork module
+ man: Spelling fixes
+ Fix interface descriptions when duplicate ones are found
+ Label /sys/kernel/debug/tracing filesystem
+ Label TexLive scripts bin_t
+ Label system-config-printer applet properly on Arch Linux
+ Label gedit plugins properly on Arch Linux
+ Label some user session DBus services as bin_t
+ Do not label /usr/lib/gvfs/libgvfscommon.so as bin_t
+ Fix typo in dev_setattr_dlm_control interface requirements
+ Allow kdevtmpfs to unlink fixed disk devices
+ Fix typo in module compilation message
+ Make Travis-CI build without using sudo
+
+Rahul Chaudhry (1):
+ fc_sort: cleanup warnings caught by clang tidy / static analyzer.
+
+Russell Coker (2):
+ user_udp_server tunable
+ getattr on unlabeled blk devs
+
+Sean Placchetti (2):
+ Update to refpolicy spec file
+ Update specfile
+
+Vit Mojzis (1):
+ Add interface to allow reading files in efivarfs - contains Linux Kernel
+ configuration options for UEFI systems (UEFI Runtime Variables)
+
+William Roberts (1):
+ fc_sort: strip whitespace errors
+
+qqo (1):
+ Adds attribute mlstrustedsocket, along with the interface.
+
* Tue Dec 08 2015 Chris PeBenito <selinux@tresys.com> - 2.20151208
Alexander Wetzel (1):
adds vfio device support to base policy
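Review bot: The entry "Update for the xserver module:" in the Chris PeBenito block ends in a colon with nothing after it, so the Changelog does not say what changed in xserver; complete the line with a one-phrase summary of the change. The same block repeats "Update contrib." many times with no indication of what each contrib update pulled in, which is of little use to someone reading release notes; collapsing the repeats into a single entry would shorten the list without losing information.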
diff --git a/VERSION b/VERSION
index 382483e..f011019 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20151208
+2.20161023
* [gentoo-commits] proj/hardened-refpolicy:next commit in: /
@ 2015-10-26 5:36 Jason Zaman
0 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2015-10-26 5:36 UTC
To: gentoo-commits
commit: 7df299c23e81022962f221aca35cc00f76015dbd
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 26 04:12:02 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:12:02 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7df299c2
Add SystemD build option to travis.yml
.travis.yml | 39 +++++++++++++++++++++++++++++----------
1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 41c4a1f..b3dd454 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,15 +4,33 @@ language: python
python:
- "2.7"
-# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do
-# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M" ; done ; done ; done ; done
+# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do for S in n y ; do
+# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M SYSTEMD=$S" ; done ; done ; done ; done ; done
env:
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
- - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=y SYSTEMD=y
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n SYSTEMD=y
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=y SYSTEMD=y
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n SYSTEMD=y
before_install:
- lsb_release -a
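Review bot: The generator comment at the top of this hunk no longer reproduces the env list below it. As written, the loops iterate DISTRO over arch, debian and gentoo and TYPE in the order standard, mls, mcs, which would emit 72 lines, while the matrix holds 24 gentoo-only entries ordered standard, mcs, mls. Either reduce the comment to "for D in gentoo" with the matching TYPE order, or state that the list is hand-edited. The new entries also add MONOLITHIC=y builds, which the old list did not have; together with SYSTEMD that takes the matrix from 6 to 24 jobs, and the commit message mentions only the SystemD option, so the monolithic addition deserves a line there.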
@@ -41,10 +59,10 @@ install:
- sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install
# Drop build.conf settings to listen to env vars
- - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO)/d' build.conf
+ - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf
script:
- - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC
+ - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC $SYSTEMD
- make bare
- make conf
- make
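Review bot: The sed expression on the build.conf line is unanchored, so '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' deletes every line that contains one of those words anywhere, including comments and any other setting whose name or value happens to contain TYPE or DISTRO. Anchoring it to assignments, for example '/^[[:space:]]*(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO|SYSTEMD)[[:space:]]*=/d', keeps the intent and limits what can be removed. In the script step, the echo of $TYPE through $SYSTEMD is unquoted; that is harmless with the values in the matrix, but quoting the expansions is the safer habit.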
@@ -53,6 +71,7 @@ script:
branches:
only:
- /^travis-.*/
+ - next
- master
notifications:
* [gentoo-commits] proj/hardened-refpolicy:master commit in: /
@ 2015-03-29 9:59 Jason Zaman
2015-03-29 10:01 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
0 siblings, 1 reply; 13+ messages in thread
From: Jason Zaman @ 2015-03-29 9:59 UTC
To: gentoo-commits
commit: 68026ee4a044cb3664ff3ea64d534104928d78b8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 16:37:18 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:55:25 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68026ee4
update travis file to newer userland (much faster)
.travis.yml | 105 +++++++++++++++---------------------------------------------
1 file changed, 26 insertions(+), 79 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index ce213a3..41c4a1f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,4 @@
-# Originally by Nicolas Iooss from: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
+# Derived from Nicolas Iooss: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
language: python
python:
@@ -8,105 +8,52 @@ python:
# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M" ; done ; done ; done ; done
env:
- TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
-# Install SELinux userspace utilities dependencies
before_install:
-# Show OS version information
- lsb_release -a
+ - bison -V
+ - flex -V
- sudo apt-get update -qq
- - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev swig
-
-# Compile and install a newer version of SELinux userspace utilities
-install:
- # Setup the directory where SELinux utilities will be installed
- - export DESTDIR="$HOME/selinux-project"
- - mkdir "$DESTDIR"
- - export PATH="$DESTDIR/usr/bin:$DESTDIR/usr/sbin:$DESTDIR/bin:$DESTDIR/sbin:$PATH"
- - export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib:$LD_LIBRARY_PATH"
-
- # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
- # error: declaration of 'index' shadows a global declarationo
- # So define our own CFLAGS
- - export CFLAGS="-O2 -pipe -fPIC -Wall"
- # Download SELinux userspace tools and libraries
- - wget https://github.com/SELinuxProject/selinux/archive/20140826-rc6.tar.gz
- - tar -xzf 20140826-rc6.tar.gz
- - mv selinux-20140826-rc6 selinux-src
+ # Install SELinux userspace utilities dependencies
+ - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev libpcre3-dev swig
- # Download setools
- - wget https://github.com/TresysTechnology/setools3/archive/setools-3.3.8.tar.gz
- - tar -xzf setools-3.3.8.tar.gz
- - mv setools3-setools-3.3.8 setools-src
+install:
+ # Download current SELinux userspace tools and libraries
+ - curl -sS -L https://github.com/SELinuxProject/selinux/archive/20150202.tar.gz | tar xz
+ - mv selinux-20150202 selinux-src
# Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
- # Compile and install SELinux libraries first
- - make -C selinux-src/libsepol install
- - make -C selinux-src/libselinux install
- - make -C selinux-src/libsemanage install
-
- # Now that the libraries are installed, use them to compile the tools
- - export CFLAGS="$CFLAGS -I$DESTDIR/usr/include"
- - export LDFLAGS="$LDFLAGS -L$DESTDIR/usr/lib"
+ # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
+ - sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
- # Compile and install setools
- - cd setools-src
- - aclocal && autoreconf -if && automake
- - ./configure
- --prefix="$DESTDIR/usr"
- --disable-gui --disable-swig-tcl
- --disable-bwidget-check --disable-selinux-check
- --with-sepol-devel="$DESTDIR/usr"
- --with-selinux-devel="$DESTDIR/usr"
- - make -C libqpol DESTDIR= install
- - make -C libapol DESTDIR= install
- - cd ..
-
- # Compile and install SELinux tools
- - export LIBDIR="$DESTDIR/usr/lib"
- - export LIBEXECDIR="$DESTDIR/usr/lib"
- - export SHLIBDIR="$DESTDIR/usr/lib"
- - export SEMODULE_PATH="$DESTDIR/usr/bin"
- - make -C selinux-src/sepolgen install
- - make -C selinux-src/checkpolicy install
- - make -C selinux-src/policycoreutils install
+ # Compile and install SELinux toolchain
+ # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
+ # error: declaration of 'index' shadows a global declarationo
+ - sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install
- # Use the newly-built toolchain
- - export TEST_TOOLCHAIN="$DESTDIR"
+ # Drop build.conf settings to listen to env vars
+ - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO)/d' build.conf
-# XXX: not sure whether the definition in make command line are useful or whether the env definitions are enough
-# Use a heartbeat loop to produce output while compiling the policy, which takes quite a long time.
script:
+ - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC
- make bare
- - make TYPE="$TYPE" MONOLITHIC="$MONOLITHIC" conf
-
-# - if [ "$MONOLITHIC" = y ]; then
-# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
-# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y ;
-# fi
-# - if [ "$MONOLITHIC" = y ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y file_contexts ; fi
-# - if [ "$MONOLITHIC" = y ]; then setfiles -c policy.$(checkpolicy -V | cut -d' ' -f1) file_contexts ; fi
-# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base ; fi
-# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules ; fi
-# - if [ "$MONOLITHIC" = n ]; then
-# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
-# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate ;
-# fi
-
- - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base
- - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules
- - ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
- make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate
+ - make conf
+ - make
+ - make validate
-# Only build travis branches
branches:
only:
- /^travis-.*/
+ - master
notifications:
email: false
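Review bot: In the install step, "curl -sS -L https://github.com/SELinuxProject/selinux/archive/20150202.tar.gz | tar xz" streams the tarball straight into tar with no integrity check, and the result is then built and installed as root by "sudo make CFLAGS=... -C selinux-src install", where the previous version installed into a DESTDIR under $HOME. Download to a file, compare it against a pinned SHA-256 with "sha256sum -c", and only then unpack; adding -f to curl also makes an HTTP error fail the step instead of feeding an error page to tar. Two smaller points in the same hunk: the carried-over comment still reads "declarationo", and the removed comment said the heartbeat loop existed to produce output during the long policy compile, so confirm that the plain "make" and "make validate" steps do not still need it.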
* [gentoo-commits] proj/hardened-refpolicy:next commit in: /
2015-03-29 9:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-03-29 10:01 ` Jason Zaman
0 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC
To: gentoo-commits
commit: 68026ee4a044cb3664ff3ea64d534104928d78b8
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 16:37:18 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:55:25 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68026ee4
update travis file to newer userland (much faster)
.travis.yml | 105 +++++++++++++++---------------------------------------------
1 file changed, 26 insertions(+), 79 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index ce213a3..41c4a1f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,4 @@
-# Originally by Nicolas Iooss from: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
+# Derived from Nicolas Iooss: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
language: python
python:
@@ -8,105 +8,52 @@ python:
# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M" ; done ; done ; done ; done
env:
- TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
-# Install SELinux userspace utilities dependencies
before_install:
-# Show OS version information
- lsb_release -a
+ - bison -V
+ - flex -V
- sudo apt-get update -qq
- - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev swig
-
-# Compile and install a newer version of SELinux userspace utilities
-install:
- # Setup the directory where SELinux utilities will be installed
- - export DESTDIR="$HOME/selinux-project"
- - mkdir "$DESTDIR"
- - export PATH="$DESTDIR/usr/bin:$DESTDIR/usr/sbin:$DESTDIR/bin:$DESTDIR/sbin:$PATH"
- - export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib:$LD_LIBRARY_PATH"
-
- # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
- # error: declaration of 'index' shadows a global declarationo
- # So define our own CFLAGS
- - export CFLAGS="-O2 -pipe -fPIC -Wall"
- # Download SELinux userspace tools and libraries
- - wget https://github.com/SELinuxProject/selinux/archive/20140826-rc6.tar.gz
- - tar -xzf 20140826-rc6.tar.gz
- - mv selinux-20140826-rc6 selinux-src
+ # Install SELinux userspace utilities dependencies
+ - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev libpcre3-dev swig
- # Download setools
- - wget https://github.com/TresysTechnology/setools3/archive/setools-3.3.8.tar.gz
- - tar -xzf setools-3.3.8.tar.gz
- - mv setools3-setools-3.3.8 setools-src
+install:
+ # Download current SELinux userspace tools and libraries
+ - curl -sS -L https://github.com/SELinuxProject/selinux/archive/20150202.tar.gz | tar xz
+ - mv selinux-20150202 selinux-src
# Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
- # Compile and install SELinux libraries first
- - make -C selinux-src/libsepol install
- - make -C selinux-src/libselinux install
- - make -C selinux-src/libsemanage install
-
- # Now that the libraries are installed, use them to compile the tools
- - export CFLAGS="$CFLAGS -I$DESTDIR/usr/include"
- - export LDFLAGS="$LDFLAGS -L$DESTDIR/usr/lib"
+ # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
+ - sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
- # Compile and install setools
- - cd setools-src
- - aclocal && autoreconf -if && automake
- - ./configure
- --prefix="$DESTDIR/usr"
- --disable-gui --disable-swig-tcl
- --disable-bwidget-check --disable-selinux-check
- --with-sepol-devel="$DESTDIR/usr"
- --with-selinux-devel="$DESTDIR/usr"
- - make -C libqpol DESTDIR= install
- - make -C libapol DESTDIR= install
- - cd ..
-
- # Compile and install SELinux tools
- - export LIBDIR="$DESTDIR/usr/lib"
- - export LIBEXECDIR="$DESTDIR/usr/lib"
- - export SHLIBDIR="$DESTDIR/usr/lib"
- - export SEMODULE_PATH="$DESTDIR/usr/bin"
- - make -C selinux-src/sepolgen install
- - make -C selinux-src/checkpolicy install
- - make -C selinux-src/policycoreutils install
+ # Compile and install SELinux toolchain
+ # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
+ # error: declaration of 'index' shadows a global declarationo
+ - sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install
- # Use the newly-built toolchain
- - export TEST_TOOLCHAIN="$DESTDIR"
+ # Drop build.conf settings to listen to env vars
+ - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO)/d' build.conf
-# XXX: not sure whether the definition in make command line are useful or whether the env definitions are enough
-# Use a heartbeat loop to produce output while compiling the policy, which takes quite a long time.
script:
+ - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC
- make bare
- - make TYPE="$TYPE" MONOLITHIC="$MONOLITHIC" conf
-
-# - if [ "$MONOLITHIC" = y ]; then
-# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
-# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y ;
-# fi
-# - if [ "$MONOLITHIC" = y ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y file_contexts ; fi
-# - if [ "$MONOLITHIC" = y ]; then setfiles -c policy.$(checkpolicy -V | cut -d' ' -f1) file_contexts ; fi
-# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base ; fi
-# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules ; fi
-# - if [ "$MONOLITHIC" = n ]; then
-# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
-# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate ;
-# fi
-
- - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base
- - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules
- - ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
- make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate
+ - make conf
+ - make
+ - make validate
-# Only build travis branches
branches:
only:
- /^travis-.*/
+ - master
notifications:
email: false
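Review bot: the new `install:` step `curl -sS -L https://github.com/SELinuxProject/selinux/archive/20150202.tar.gz | tar xz` unpacks the archive without comparing it to a known digest, and the resulting tree is then built and installed as root by `sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install`. Download to a file, check it against a SHA-256 recorded in this file (for example with `sha256sum -c`), and extract only after that; adding `-f` to curl would also make an HTTP error fail at the download rather than inside tar. Separately, `sed -i -e 's/sepolicy//'` is unanchored and strips the string from every line of `selinux-src/policycoreutils/Makefile` that contains it, so a tighter pattern would be safer when the userspace version is bumped.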
* [gentoo-commits] proj/hardened-refpolicy:next commit in: /
@ 2015-03-25 17:27 Jason Zaman
0 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2015-03-25 17:27 UTC (permalink / raw
To: gentoo-commits
commit: f8470ca8cb445798b6a6db04b7444f17d32dd012
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 16:37:18 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 17:23:49 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f8470ca8
update travis file to newer userland (much faster)
.travis.yml | 105 +++++++++++++++---------------------------------------------
1 file changed, 26 insertions(+), 79 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index ce213a3..41c4a1f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,4 @@
-# Originally by Nicolas Iooss from: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
+# Derived from Nicolas Iooss: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
language: python
python:
@@ -8,105 +8,52 @@ python:
# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M" ; done ; done ; done ; done
env:
- TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
- TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=y MONOLITHIC=n
-# Install SELinux userspace utilities dependencies
before_install:
-# Show OS version information
- lsb_release -a
+ - bison -V
+ - flex -V
- sudo apt-get update -qq
- - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev swig
-
-# Compile and install a newer version of SELinux userspace utilities
-install:
- # Setup the directory where SELinux utilities will be installed
- - export DESTDIR="$HOME/selinux-project"
- - mkdir "$DESTDIR"
- - export PATH="$DESTDIR/usr/bin:$DESTDIR/usr/sbin:$DESTDIR/bin:$DESTDIR/sbin:$PATH"
- - export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib:$LD_LIBRARY_PATH"
-
- # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
- # error: declaration of 'index' shadows a global declarationo
- # So define our own CFLAGS
- - export CFLAGS="-O2 -pipe -fPIC -Wall"
- # Download SELinux userspace tools and libraries
- - wget https://github.com/SELinuxProject/selinux/archive/20140826-rc6.tar.gz
- - tar -xzf 20140826-rc6.tar.gz
- - mv selinux-20140826-rc6 selinux-src
+ # Install SELinux userspace utilities dependencies
+ - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev libpcre3-dev swig
- # Download setools
- - wget https://github.com/TresysTechnology/setools3/archive/setools-3.3.8.tar.gz
- - tar -xzf setools-3.3.8.tar.gz
- - mv setools3-setools-3.3.8 setools-src
+install:
+ # Download current SELinux userspace tools and libraries
+ - curl -sS -L https://github.com/SELinuxProject/selinux/archive/20150202.tar.gz | tar xz
+ - mv selinux-20150202 selinux-src
# Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
- # Compile and install SELinux libraries first
- - make -C selinux-src/libsepol install
- - make -C selinux-src/libselinux install
- - make -C selinux-src/libsemanage install
-
- # Now that the libraries are installed, use them to compile the tools
- - export CFLAGS="$CFLAGS -I$DESTDIR/usr/include"
- - export LDFLAGS="$LDFLAGS -L$DESTDIR/usr/lib"
+ # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
+ - sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
- # Compile and install setools
- - cd setools-src
- - aclocal && autoreconf -if && automake
- - ./configure
- --prefix="$DESTDIR/usr"
- --disable-gui --disable-swig-tcl
- --disable-bwidget-check --disable-selinux-check
- --with-sepol-devel="$DESTDIR/usr"
- --with-selinux-devel="$DESTDIR/usr"
- - make -C libqpol DESTDIR= install
- - make -C libapol DESTDIR= install
- - cd ..
-
- # Compile and install SELinux tools
- - export LIBDIR="$DESTDIR/usr/lib"
- - export LIBEXECDIR="$DESTDIR/usr/lib"
- - export SHLIBDIR="$DESTDIR/usr/lib"
- - export SEMODULE_PATH="$DESTDIR/usr/bin"
- - make -C selinux-src/sepolgen install
- - make -C selinux-src/checkpolicy install
- - make -C selinux-src/policycoreutils install
+ # Compile and install SELinux toolchain
+ # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
+ # error: declaration of 'index' shadows a global declarationo
+ - sudo make CFLAGS="-O2 -pipe -fPIC -Wall" -C selinux-src install
- # Use the newly-built toolchain
- - export TEST_TOOLCHAIN="$DESTDIR"
+ # Drop build.conf settings to listen to env vars
+ - sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO)/d' build.conf
-# XXX: not sure whether the definition in make command line are useful or whether the env definitions are enough
-# Use a heartbeat loop to produce output while compiling the policy, which takes quite a long time.
script:
+ - echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC
- make bare
- - make TYPE="$TYPE" MONOLITHIC="$MONOLITHIC" conf
-
-# - if [ "$MONOLITHIC" = y ]; then
-# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
-# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y ;
-# fi
-# - if [ "$MONOLITHIC" = y ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y file_contexts ; fi
-# - if [ "$MONOLITHIC" = y ]; then setfiles -c policy.$(checkpolicy -V | cut -d' ' -f1) file_contexts ; fi
-# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base ; fi
-# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules ; fi
-# - if [ "$MONOLITHIC" = n ]; then
-# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
-# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate ;
-# fi
-
- - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base
- - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules
- - ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
- make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate
+ - make conf
+ - make
+ - make validate
-# Only build travis branches
branches:
only:
- /^travis-.*/
+ - master
notifications:
email: false
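Review bot: in `install:`, `sed -r -i -e '/(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO)/d' build.conf` is unanchored, so it deletes every line of build.conf that contains any of those four strings, including comments and any other setting whose name or value happens to contain `TYPE` or `DISTRO`. Anchor it to the assignments it is meant to drop, for example `/^(DIRECT_INITRC|MONOLITHIC|TYPE|DISTRO)[[:space:]]*=/d`. Since `make conf`, `make` and `make validate` now take all four settings from the environment only, a deletion that removes too much or too little changes what gets built without failing the job, which makes the added `echo $TYPE $DISTRO $DIRECT_INITRC $MONOLITHIC` line worth keeping.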
* [gentoo-commits] proj/hardened-refpolicy:next commit in: /
@ 2015-02-24 17:11 Jason Zaman
0 siblings, 0 replies; 13+ messages in thread
From: Jason Zaman @ 2015-02-24 17:11 UTC (permalink / raw
To: gentoo-commits
commit: 7b3f359e242a5ec1b31229ccfa3e6dec82b69a87
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb 15 17:37:15 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 15 17:37:15 2015 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7b3f359e
Add validate target for monolithic policy
---
Rules.monolithic | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/Rules.monolithic b/Rules.monolithic
index d2de916..c2c2147 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -207,6 +207,15 @@ $(ncpath): $(net_contexts)
########################################
#
+# Validate file contexts
+#
+validate: $(fc) $(polver)
+ @echo "Validating $(NAME) file_contexts."
+ $(verbose) $(SETFILES) -q -c $(polver) $(fc)
+ @echo "Success."
+
+########################################
+#
# Run policy source checks
#
check: $(builddir)check.res
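Review bot: `validate` produces no file of that name, so unless it is already listed in a `.PHONY` declaration outside this hunk, a file called `validate` in the tree that is newer than `$(fc)` and `$(polver)` would make the target up to date and skip the `$(SETFILES) -q -c $(polver) $(fc)` check without any error. Add `validate` to `.PHONY`. The header comment could also say that the file contexts are checked against the compiled policy `$(polver)`, since that is what the `-c` argument does here.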
* [gentoo-commits] proj/hardened-refpolicy:next commit in: /
@ 2014-11-28 10:04 Sven Vermeulen
0 siblings, 0 replies; 13+ messages in thread
From: Sven Vermeulen @ 2014-11-28 10:04 UTC (permalink / raw
To: gentoo-commits
commit: 6fa8e312341c91ad17a237666d45f188bd867da3
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Nov 26 08:00:45 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Nov 26 16:29:04 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6fa8e312
add in travis config for testing
---
.travis.yml | 113 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 113 insertions(+)
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..ce213a3
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,113 @@
+# Originally by Nicolas Iooss from: https://github.com/fishilico/selinux-refpolicy-patched/blob/travis-upstream/.travis.yml
+
+language: python
+python:
+ - "2.7"
+
+# for T in standard mls mcs ; do for D in arch debian gentoo ; do for I in n y ; do for M in y n ; do
+# echo " - TYPE=$T DISTRO=$D DIRECT_INITRC=$I MONOLITHIC=$M" ; done ; done ; done ; done
+env:
+ - TYPE=standard DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=mls DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+ - TYPE=mcs DISTRO=gentoo DIRECT_INITRC=n MONOLITHIC=n
+
+# Install SELinux userspace utilities dependencies
+before_install:
+# Show OS version information
+ - lsb_release -a
+ - sudo apt-get update -qq
+ - sudo apt-get install -qq libaudit-dev libcap-ng-dev libustr-dev swig
+
+# Compile and install a newer version of SELinux userspace utilities
+install:
+ # Setup the directory where SELinux utilities will be installed
+ - export DESTDIR="$HOME/selinux-project"
+ - mkdir "$DESTDIR"
+ - export PATH="$DESTDIR/usr/bin:$DESTDIR/usr/sbin:$DESTDIR/bin:$DESTDIR/sbin:$PATH"
+ - export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib:$LD_LIBRARY_PATH"
+
+ # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
+ # error: declaration of 'index' shadows a global declarationo
+ # So define our own CFLAGS
+ - export CFLAGS="-O2 -pipe -fPIC -Wall"
+
+ # Download SELinux userspace tools and libraries
+ - wget https://github.com/SELinuxProject/selinux/archive/20140826-rc6.tar.gz
+ - tar -xzf 20140826-rc6.tar.gz
+ - mv selinux-20140826-rc6 selinux-src
+
+ # Download setools
+ - wget https://github.com/TresysTechnology/setools3/archive/setools-3.3.8.tar.gz
+ - tar -xzf setools-3.3.8.tar.gz
+ - mv setools3-setools-3.3.8 setools-src
+
+ # Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
+ - sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
+ - sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
+
+ # Compile and install SELinux libraries first
+ - make -C selinux-src/libsepol install
+ - make -C selinux-src/libselinux install
+ - make -C selinux-src/libsemanage install
+
+ # Now that the libraries are installed, use them to compile the tools
+ - export CFLAGS="$CFLAGS -I$DESTDIR/usr/include"
+ - export LDFLAGS="$LDFLAGS -L$DESTDIR/usr/lib"
+
+ # Compile and install setools
+ - cd setools-src
+ - aclocal && autoreconf -if && automake
+ - ./configure
+ --prefix="$DESTDIR/usr"
+ --disable-gui --disable-swig-tcl
+ --disable-bwidget-check --disable-selinux-check
+ --with-sepol-devel="$DESTDIR/usr"
+ --with-selinux-devel="$DESTDIR/usr"
+ - make -C libqpol DESTDIR= install
+ - make -C libapol DESTDIR= install
+ - cd ..
+
+ # Compile and install SELinux tools
+ - export LIBDIR="$DESTDIR/usr/lib"
+ - export LIBEXECDIR="$DESTDIR/usr/lib"
+ - export SHLIBDIR="$DESTDIR/usr/lib"
+ - export SEMODULE_PATH="$DESTDIR/usr/bin"
+ - make -C selinux-src/sepolgen install
+ - make -C selinux-src/checkpolicy install
+ - make -C selinux-src/policycoreutils install
+
+ # Use the newly-built toolchain
+ - export TEST_TOOLCHAIN="$DESTDIR"
+
+# XXX: not sure whether the definition in make command line are useful or whether the env definitions are enough
+# Use a heartbeat loop to produce output while compiling the policy, which takes quite a long time.
+script:
+ - make bare
+ - make TYPE="$TYPE" MONOLITHIC="$MONOLITHIC" conf
+
+# - if [ "$MONOLITHIC" = y ]; then
+# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
+# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y ;
+# fi
+# - if [ "$MONOLITHIC" = y ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=y file_contexts ; fi
+# - if [ "$MONOLITHIC" = y ]; then setfiles -c policy.$(checkpolicy -V | cut -d' ' -f1) file_contexts ; fi
+# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base ; fi
+# - if [ "$MONOLITHIC" = n ]; then make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules ; fi
+# - if [ "$MONOLITHIC" = n ]; then
+# ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
+# make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate ;
+# fi
+
+ - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n base
+ - make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n modules
+ - ( for A in $(seq 8) ; do sleep 300 ; echo "Heartbeat $((A*5)) minutes" ; done ) &
+ make TYPE="$TYPE" DISTRO="$DISTRO" DIRECT_INITRC="$DIRECT_INITRC" MONOLITHIC=n validate
+
+# Only build travis branches
+branches:
+ only:
+ - /^travis-.*/
+
+notifications:
+ email: false
+
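Review bot: in `script:`, `make TYPE="$TYPE" MONOLITHIC="$MONOLITHIC" conf` receives only two of the matrix variables, while the `base`, `modules` and `validate` steps hard-code `MONOLITHIC=n` and are the only ones given `DISTRO` and `DIRECT_INITRC`. With the three `env:` rows in this file that is harmless, but a `MONOLITHIC=y` row produced by the generator loop in the comment above `env:` would configure one variant and build another. Pass the same four variables to every make invocation (or rely on the environment throughout), and drop the commented-out `if [ "$MONOLITHIC" = ... ]` block together with the XXX note once that is settled. The two `wget` downloads in `install:` are also extracted and built without a checksum comparison; recording a SHA-256 for each archive in this file would pin what CI compiles.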