refpolicy: fix build for refpolicy-minimum

Backport 2 patches to fix build for refpolicy-minimum when INIT_MANAGER is set to sysvinit. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2026-01-01 13:58:04 +00:00 · 2025-09-16 20:23:23 +08:00 · 2025-09-16 20:23:23 +08:00 · 85a97cd9fc
commit 85a97cd9fc
parent 30a49ab129
3 changed files with 89 additions and 0 deletions
--- a/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch
+++ b/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch
@ -0,0 +1,45 @@
+From 684b47eddf512402db552601c33e2d0ad4eef578 Mon Sep 17 00:00:00 2001
+From: Nicolas PARLANT <nicolas.parlant@parhuet.fr>
+Date: Fri, 17 Jan 2025 15:51:48 +0100
+Subject: [PATCH] fixdep dbus
+
+auth_use_pam_systemd requires dbus  :
+
+> /var/lib/selinux/targeted/tmp/modules/400/authlogin/cil:133 =
+> (typeattributeset cil_gen_require dbusd_system_bus_client)
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/684b47eddf512402db552601c33e2d0ad4eef578]
+
+Signed-off-by: Nicolas PARLANT <nicolas.parlant@parhuet.fr>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/authlogin.te | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index a75a669b9..d9d1a1428 100644
+--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
+@@ -142,7 +142,6 @@ term_dontaudit_use_all_ptys(chkpwd_t)
+ 
+ auth_read_shadow_history(chkpwd_t)
+ auth_use_nsswitch(chkpwd_t)
+-auth_use_pam_systemd(chkpwd_t)
+ 
+ logging_send_audit_msgs(chkpwd_t)
+ logging_send_syslog_msg(chkpwd_t)
+@@ -160,6 +159,10 @@ ifdef(`distro_ubuntu',`
+ 	')
+ ')
+ 
+ifdef(`init_systemd',`
+	auth_use_pam_systemd(chkpwd_t)
+')
+
+ optional_policy(`
+ 	# apache leaks file descriptors
+ 	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
+-- 
+2.34.1
+
--- a/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch
+++ b/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch
@ -0,0 +1,42 @@
+From 1d62379321c19e89268ac7854a8ff8dce280ed07 Mon Sep 17 00:00:00 2001
+From: Dave Sugar <dsugar100@gmail.com>
+Date: Thu, 15 May 2025 10:05:24 -0400
+Subject: [PATCH] fix building when dbus module is not enabled
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/1d62379321c19e89268ac7854a8ff8dce280ed07]
+
+Signed-off-by: Dave Sugar <dsugar100@gmail.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/selinuxutil.te | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 86a6e5503..cd0e8762f 100644
+--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
+@@ -99,7 +99,8 @@ role run_init_roles types run_init_t;
+ 
+ type selinux_dbus_t;
+ type selinux_dbus_exec_t;
+-dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)
+domain_type(selinux_dbus_t)
+domain_entry_file(selinux_dbus_t, selinux_dbus_exec_t)
+ 
+ type semanage_t;
+ type semanage_exec_t;
+@@ -504,6 +505,10 @@ miscfiles_read_localization(selinux_dbus_t)
+ 
+ seutil_domtrans_semanage(selinux_dbus_t)
+ 
+optional_policy(`
+	dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)
+')
+
+ optional_policy(`
+ 	policykit_dbus_chat(selinux_dbus_t)
+ ')
+-- 
+2.34.1
+
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@ -82,6 +82,8 @@ SRC_URI += " \
        file://0064-policy-modules-system-locallogin-allow-sulogin_t-unc.patch \
        file://0065-policy-modules-system-locallogin-allow-sulogin_t-use.patch \
        file://0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \
+        file://0067-fixdep-dbus.patch \
+        file://0068-fix-building-when-dbus-module-is-not-enabled.patch \
        "

 S = "${WORKDIR}/refpolicy"