diff --git a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch b/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
deleted file mode 100644
index 83250eb..0000000
--- a/recipes-security/selinux/restorecond/policycoreutils-make-O_CLOEXEC-optional.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 4adc1c02e4da42f64249c05534875e732f043693 Mon Sep 17 00:00:00 2001
-From: Joe MacDonald
-Date: Wed, 6 Nov 2019 23:17:50 +0800
-Subject: [PATCH] policycoreutils: make O_CLOEXEC optional
-
-Various commits in the selinux tree in the current release added
-O_CLOEXEC to open() calls in an attempt to address file descriptor leaks
-as described:
-
- http://danwalsh.livejournal.com/53603.html
-
-However O_CLOEXEC isn't available on all platforms, so make it a
-compile-time option and generate a warning when it is not available.
-The actual impact of leaking these file descriptors is minimal, though
-it does produce curious AVC Denied messages.
-
-Upstream-Status: Inappropriate
-[O_CLOEXEC has been in Linux since 2007 and POSIX since 2008]
-
-Signed-off-by: Joe MacDonald
-Signed-off-by: Wenzong Fan
-Signed-off-by: Yi Zhao
----
- user.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/user.c b/user.c
-index 714aae7..bbf018e 100644
---- a/user.c
-+++ b/user.c
-@@ -202,7 +202,13 @@ static int local_server(void) {
- perror("asprintf");
- return -1;
- }
-- local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
-+ local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW
-+ #ifdef O_CLOEXEC
-+ | O_CLOEXEC
-+ #else
-+ #warning O_CLOEXEC undefined on this platform, this may leak file descriptors
-+ #endif
-+ , S_IRUSR | S_IWUSR);
- if (debug_mode)
- g_warning ("Lock file: %s", ptr);
-
---
-2.7.4
-
diff --git a/recipes-security/selinux/restorecond_3.1.bb b/recipes-security/selinux/restorecond_3.1.bb
deleted file mode 100644
index d4e0d06..0000000
--- a/recipes-security/selinux/restorecond_3.1.bb
+++ /dev/null
@@ -1,7 +0,0 @@
-require selinux_20200710.inc
-require ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "8daf761739a150a7a29bb491726a6cd9"
-SRC_URI[sha256sum] = "82ca45099685a45d718f11f8859963c1ba83d98e510312cbf0b7dc5664c60ad0"
diff --git a/recipes-security/selinux/restorecond.inc b/recipes-security/selinux/restorecond_3.2.bb
similarity index 88%
rename from recipes-security/selinux/restorecond.inc
rename to recipes-security/selinux/restorecond_3.2.bb
index a5b1635..d9def9a 100644
--- a/recipes-security/selinux/restorecond.inc
+++ b/recipes-security/selinux/restorecond_3.2.bb
@@ -4,12 +4,11 @@ The restorecond daemon uses inotify to watch files listed in the \
 /etc/selinux/restorecond.conf, when they are created, this daemon \
 will make sure they have the correct file context associated with \
 the policy."
-
 SECTION = "base"
 LICENSE = "GPLv2+"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
-SRC_URI += "file://policycoreutils-make-O_CLOEXEC-optional.patch \
-"
+require selinux_common.inc
 inherit systemd update-rc.d
@@ -19,6 +18,8 @@ EXTRA_OEMAKE += "SYSTEMDSYSTEMUNITDIR=${systemd_system_unitdir} \
 SYSTEMDUSERUNITDIR=${systemd_user_unitdir} \
 "
+S = "${WORKDIR}/git/restorecond"
+
 FILES_${PN} += "${datadir}/dbus-1/services/org.selinux.Restorecond.service \
 ${systemd_user_unitdir}/* \
 "
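Review bot: With `S = "${WORKDIR}/git/restorecond"` the recipe now builds from a git checkout, while the `SRC_URI[sha256sum]` that pinned the 3.1 tarball is deleted along with `restorecond_3.1.bb`. The only remaining integrity anchor for the source is therefore whatever `selinux_common.inc` sets, and that file is not part of this diff. Please confirm there that `SRCREV` is a full commit hash rather than `${AUTOREV}` or a branch/tag name, and that the git `SRC_URI` uses an authenticated transport such as `protocol=https`. A one-line comment above the `require selinux_common.inc` line, for example `# SRC_URI and the pinned SRCREV come from selinux_common.inc`, would make that dependency visible to the next reader.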