Discussion:
[yocto] [meta-selinux][sumo][PATCH 0/7] Refpolicy updates for sumo
Joe MacDonald
2018-10-29 18:31:46 UTC
Permalink
I'm sending this out as a follow-up to our discussion from last week. This
set will be placed on the newly-created 'sumo' branch. I plan to follow up
with a slightly different version for a new 'thud' branch as well, at which
point things should be stable enough on those two branches that I can
finish up the refpolicy update (2.20180701) I'd started a little while
ago. After that, I think top of my list is to clean up some (I think
unintended) behaviour in the _git recipe variants.

Comments / suggestions / etc. more than welcome.
--
Joe MacDonald
:wq
Joe MacDonald
2018-10-29 18:32:51 UTC
Permalink
From: Hongxu Jia <***@windriver.com>

Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'

Signed-off-by: Hongxu Jia <***@windriver.com>
Signed-off-by: Joe MacDonald <***@deserted.net>
---
conf/layer.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 0f9ea41..5fecac6 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,7 +18,7 @@ BBFILE_PRIORITY_selinux = "5"
# cause compatibility issues with other layers
LAYERVERSION_selinux = "1"

-LAYERSERIES_COMPAT_selinux = "sumo"
+LAYERSERIES_COMPAT_selinux = "thud"

LAYERDEPENDS_selinux = " \
core \
--
2.17.1

--
Joe MacDonald
2018-10-29 18:32:52 UTC
Permalink
From: Piotr Tworek <***@gmail.com>

The package needs logging, json and argparse modules to start.
Additionaly, it also needs libselinux-python in order to really work.
Without it it'll just print an error message instructing the user to
install it.

Signed-off-by: Piotr Tworek <***@gmail.com>
Signed-off-by: Joe MacDonald <***@deserted.net>
---
recipes-security/setools/setools_4.1.1.bb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/recipes-security/setools/setools_4.1.1.bb b/recipes-security/setools/setools_4.1.1.bb
index 5b6d47d..c5a2d34 100644
--- a/recipes-security/setools/setools_4.1.1.bb
+++ b/recipes-security/setools/setools_4.1.1.bb
@@ -23,7 +23,8 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=83a5eb6974c11f30785e90d0eeccf40c \

DEPENDS += "bison-native flex-native swig-native python libsepol"

-RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator python-setuptools"
+RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator python-setuptools \
+ python-logging python-json python-argparse libselinux-python"

RPROVIDES_${PN} += "${PN}-console"
--
2.17.1

--
Joe MacDonald
2018-10-29 18:32:53 UTC
Permalink
From: Piotr Tworek <***@gmail.com>

Musl libc does not implement file traversal functions from fts.h.
Oe-core provides fts library which implements those. Libselinux makefile
allows us to use such additional library by specifying required linker
flags via FTS_LDLIBS variable.

Signed-off-by: Piotr Tworek <***@gmail.com>
Signed-off-by: Joe MacDonald <***@deserted.net>
---
recipes-security/selinux/libselinux.inc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/recipes-security/selinux/libselinux.inc b/recipes-security/selinux/libselinux.inc
index 28c437f..33621cc 100644
--- a/recipes-security/selinux/libselinux.inc
+++ b/recipes-security/selinux/libselinux.inc
@@ -8,6 +8,7 @@ LICENSE = "PD"
inherit lib_package pythonnative

DEPENDS += "libsepol python libpcre swig-native"
+DEPENDS_append_libc-musl = " fts"
RDEPENDS_${PN}-python += "python-core"

PACKAGES += "${PN}-python"
@@ -23,6 +24,7 @@ def get_policyconfigarch(d):
EXTRA_OEMAKE += "${@get_policyconfigarch(d)}"

EXTRA_OEMAKE += "LDFLAGS='${LDFLAGS} -lpcre' LIBSEPOLA='${STAGING_LIBDIR}/libsepol.a'"
+EXTRA_OEMAKE_append_libc-musl = " FTS_LDLIBS=-lfts"

do_compile_append() {
oe_runmake pywrap -j1 \
--
2.17.1

--
Joe MacDonald
2018-10-29 18:32:54 UTC
Permalink
From: Chen Qi <***@windriver.com>

In case of the existence of meta-mingw, the library is .dll instead of
.so and these .dll files are in ${bindir}.

We need to check the existence of the .so file before doing readlink,
otherwise do_install fails.

Signed-off-by: Chen Qi <***@windriver.com>
Signed-off-by: Joe MacDonald <***@deserted.net>
---
recipes-support/libpcre/libpcre_selinux.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-support/libpcre/libpcre_selinux.inc b/recipes-support/libpcre/libpcre_selinux.inc
index 59c0184..d886792 100644
--- a/recipes-support/libpcre/libpcre_selinux.inc
+++ b/recipes-support/libpcre/libpcre_selinux.inc
@@ -1,5 +1,5 @@
do_install_append () {
- if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
+ if [ ! ${D}${libdir} -ef ${D}${base_libdir} -a -e ${D}${libdir}/libpcre.so ]; then
realsofile=`readlink ${D}${libdir}/libpcre.so`
mkdir -p ${D}/${base_libdir}/
mv -f ${D}${libdir}/libpcre.so.* ${D}${base_libdir}/
--
2.17.1

--
Joe MacDonald
2018-10-29 18:32:55 UTC
Permalink
From: Awais Belal <***@mentor.com>

Using AUTOREV in the main repository has its downsides.
1. The checked out version isn't actually the version depicted
by PV.
2. Breaks builds in scenarios where network isn't available
or BB_NO_NETWORK is used even after sources are already
fetched.

1 is self explanatory, for 2 whenever SRCREV is set to AUTOREV and
SRCPV is used in PV the fetcher tries to access the network in order
to determine SRCPV (bb.fetch2.get_srcrev) and fails for obvious
reasons during parsing even when versioned recipes are used as
PREFERRED_VERSION because parsing still happens for recipes that are
in BB's search paths and we see.
Traceback (most recent call last):
bb.data_smart.ExpansionError: Failure expanding variable SRCPV, expression was ${@bb.fetch2.get_srcrev(d)} which triggered exception NetworkAccess: Network access disabled through BB_NO_NETWORK (or set indirectly due to use of BB_FETCH_PREMIRRORONLY) but access requested with command git -c core.fsyncobjectfiles=0 ls-remote git://github.com/TresysTechnology/refpolicy.git (for url git://github.com/TresysTechnology/refpolicy.git)

So we lock the REVs and do that with a soft assignment which
allows overriding the REVs from elsewhere.

Signed-off-by: Awais Belal <***@mentor.com>
Signed-off-by: Joe MacDonald <***@deserted.net>
---
recipes-security/refpolicy/refpolicy_git.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index f71eb35..6c318ab 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -3,8 +3,8 @@ PV = "2.20170805+git${SRCPV}"
SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
SRC_URI += "git://github.com/TresysTechnology/refpolicy-contrib.git;protocol=git;branch=master;name=refpolicy-contrib;destsuffix=refpolicy/policy/modules/contrib"

-SRCREV_refpolicy = "${AUTOREV}"
-SRCREV_refpolicy-contrib = "${AUTOREV}"
+SRCREV_refpolicy ?= "794ed7efd0eca19d0353659a1ec9d4ef4e4b751c"
+SRCREV_refpolicy-contrib ?= "a393275a6ecb76311323726a029767a3a01e109e"
SRCREV_FORMAT = "refpolicy.refpolicy-contrib"

FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-git:"
--
2.17.1

--
Joe MacDonald
2018-10-29 18:32:56 UTC
Permalink
This reverts commit 8ff95d5b2a693aeb4e791aacf83d24313ce35f3e.

Signed-off-by: Joe MacDonald <***@deserted.net>
---
conf/layer.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 5fecac6..0f9ea41 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,7 +18,7 @@ BBFILE_PRIORITY_selinux = "5"
# cause compatibility issues with other layers
LAYERVERSION_selinux = "1"

-LAYERSERIES_COMPAT_selinux = "thud"
+LAYERSERIES_COMPAT_selinux = "sumo"

LAYERDEPENDS_selinux = " \
core \
--
2.17.1

--
Joe MacDonald
2018-10-29 18:32:57 UTC
Permalink
Signed-off-by: Joe MacDonald <***@deserted.net>
---
...poky-fc-update-alternatives_sysklogd.patch | 44 ++++++++++---------
...add-rules-for-var-log-symlink-apache.patch | 10 ++---
...add-rules-for-var-log-symlink-apache.patch | 27 ++++++++++--
recipes-security/refpolicy/refpolicy_git.inc | 2 -
4 files changed, 51 insertions(+), 32 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
index 2038110..e9a0464 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-fc-update-alternatives_sysklogd.patch
@@ -11,13 +11,13 @@ Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <***@windriver.com>
Signed-off-by: Joe MacDonald <***@mentor.com>
---
- policy/modules/system/logging.fc | 4 ++++
- policy/modules/system/logging.te | 1 +
+ policy/modules/system/logging.fc | 3 +++
+ policy/modules/system/logging.te | 2 ++
2 files changed, 5 insertions(+)

--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
-@@ -1,22 +1,26 @@
+@@ -1,9 +1,10 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)

/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -26,35 +26,37 @@ Signed-off-by: Joe MacDonald <***@mentor.com>
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)

- /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
- /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
- /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
- /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
- /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-+/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
- /sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-+/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+@@ -27,14 +28,16 @@
+ /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+ /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
+ /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
+ /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
+ /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
++/usr/sbin/klogd\.sysklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslogd\.sysklogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)

- /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
- /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+ /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -388,10 +388,11 @@ allow syslogd_t self:unix_dgram_socket s
+@@ -390,10 +390,12 @@ allow syslogd_t self:unix_dgram_socket s
allow syslogd_t self:fifo_file rw_fifo_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;

allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
++allow syslogd_t syslog_conf_t:dir list_dir_perms;

# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
-
+ init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
index 8d22c21..fb912b5 100644
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -17,11 +17,11 @@ Signed-off-by: Joe MacDonald <***@mentor.com>

--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
-@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di
- create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
- create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+@@ -407,10 +407,11 @@ allow httpd_t httpd_lock_t:file manage_f
+ files_lock_filetrans(httpd_t, httpd_lock_t, { file dir })
+
+ manage_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ manage_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
index 5bd5b2e..8d22c21 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink-apache.patch
@@ -1,12 +1,31 @@
-diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
-index fcf795f..529057c 100644
+From ed2b0a00e2fb78056041b03c7e198e8f5adaf939 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <***@windriver.com>
+Date: Thu, 22 Aug 2013 19:36:44 +0800
+Subject: [PATCH 3/6] add rules for the symlink of /var/log - apache2
+
+We have added rules for the symlink of /var/log in logging.if,
+while apache.te uses /var/log but does not use the interfaces in
+logging.if. So still need add a individual rule for apache.te.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <***@windriver.com>
+Signed-off-by: Joe MacDonald <***@mentor.com>
+---
+ policy/modules/contrib/apache.te | 1 +
+ 1 file changed, 1 insertion(+)
+
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
-@@ -412,6 +412,7 @@ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+@@ -409,10 +409,11 @@ allow httpd_t httpd_log_t:dir setattr_di
+ create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+ append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
- setattr_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_t, var_log_t, var_log_t)
logging_log_filetrans(httpd_t, httpd_log_t, file)

allow httpd_t httpd_modules_t:dir list_dir_perms;
+ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+ read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 6c318ab..b2fd638 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -12,7 +12,6 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/refpolicy-git:"
# Fix file contexts for Poky
SRC_URI += "file://poky-fc-subs_dist.patch \
file://poky-fc-update-alternatives_sysvinit.patch \
- file://poky-fc-update-alternatives_sysklogd.patch \
file://poky-fc-update-alternatives_hostname.patch \
file://poky-fc-update-alternatives_bash.patch \
file://poky-fc-fix-real-path_resolv.conf.patch \
@@ -35,7 +34,6 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
# Specific policy for Poky
SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
file://poky-policy-add-rules-for-var-log-symlink.patch \
- file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
file://poky-policy-add-rules-for-var-cache-symlink.patch \
--
2.17.1

--
akuster
2018-10-29 19:16:16 UTC
Permalink
Post by Joe MacDonald
Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in oe-core,
update LAYERSERIES_COMPAT `sumo' -> `thud'
the subject branch and change confuse me. Shouldn't his be for "Thud"?

- armin
Post by Joe MacDonald
---
conf/layer.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/layer.conf b/conf/layer.conf
index 0f9ea41..5fecac6 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,7 +18,7 @@ BBFILE_PRIORITY_selinux = "5"
# cause compatibility issues with other layers
LAYERVERSION_selinux = "1"
-LAYERSERIES_COMPAT_selinux = "sumo"
+LAYERSERIES_COMPAT_selinux = "thud"
LAYERDEPENDS_selinux = " \
core \
--
Joe MacDonald
2018-10-30 12:17:24 UTC
Permalink
The patch set is definitely confusing. I'm not able to access
git.yoctoproject.org at the moment, so I've pushed all three proposed
branch updates to my fork on github. I think that's a more useful way to
review these changes anyway:

https://github.com/joeythesaint/meta-selinux/tree/jjm/master
https://github.com/joeythesaint/meta-selinux/tree/jjm/sumo
https://github.com/joeythesaint/meta-selinux/tree/jjm/thud

-J.
Post by Joe MacDonald
Post by Joe MacDonald
Since `9ec5a8a layer.conf: Drop sumo from LAYERSERIES_CORENAMES' and
`9867924 layer.conf: Add thud to LAYERSERIES_CORENAMES' applied in
oe-core,
Post by Joe MacDonald
update LAYERSERIES_COMPAT `sumo' -> `thud'
the subject branch and change confuse me. Shouldn't his be for "Thud"?
- armin
Post by Joe MacDonald
---
conf/layer.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/layer.conf b/conf/layer.conf
index 0f9ea41..5fecac6 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -18,7 +18,7 @@ BBFILE_PRIORITY_selinux = "5"
# cause compatibility issues with other layers
LAYERVERSION_selinux = "1"
-LAYERSERIES_COMPAT_selinux = "sumo"
+LAYERSERIES_COMPAT_selinux = "thud"
LAYERDEPENDS_selinux = " \
core \
--
Joe MacDonald
:wq
akuster
2018-10-29 19:18:18 UTC
Permalink
I'm sending this out  as a follow-up to our discussion from last week.
This set will be placed on the newly-created 'sumo' branch.  I plan to
follow up with a slightly different version for a new 'thud' branch as
well, at which point things should be stable enough on those two
branches that I can finish up the refpolicy update (2.20180701) I'd
started a little while ago.  After that, I think top of my list is to
clean up some (I think unintended) behaviour in the _git recipe variants.
Comments / suggestions / etc. more than welcome.
so this is not based on Master?

- armin
--
Joe MacDonald
:wq
Loading...