selinux: upgrade 3.8.1 -> 3.9

ChangeLog:
https://github.com/SELinuxProject/selinux/releases/tag/3.9

* Support static-only builds with DISABLE_SHARED=y
* Add restore option to modify user and role portions
* setfiles: Add -U option to modify user and role portions
* semanage.conf: Add relabel_store config option
* semodule: Add [-g PATH |--config=PATH] for an alternate path for the
  semanage config
* libselinux: Fix local literal fcontext definitions priority
* libselinux: Fix order for path substitutions
* libsepol: Add new 'netif_wildcard' policy capability
* checkpolicy: Add support for wildcard netifcon names
* libsepol: Allow multiple policycap statements
* libsepol: Support genfs_seclabel_wildcard
* Replace all links to selinuxproject.org
* Bug fixes

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>

recipes-security/selinux/libselinux-python_3.9.bb

@@ -12,9 +12,9 @@ inherit python3targetconfig pkgconfig
 
 FILESEXTRAPATHS:prepend := "${THISDIR}/libselinux:"
 SRC_URI += "\
-        file://0001-Makefile-fix-python-modules-install-path-for-multili.patch \
-        file://0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch \
-        file://0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch \
+        file://0001-Makefile-fix-python-modules-install-path-for-multili.patch;patchdir=.. \
+        file://0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch;patchdir=.. \
+        file://0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch;patchdir=.. \
         "
 
 S = "${UNPACKDIR}/${BP}/libselinux"

recipes-security/selinux/libselinux/0001-Makefile-fix-python-modules-install-path-for-multili.patch

@@ -1,4 +1,4 @@
-From 626d07afcb8e8b3a68158e8a3ea1654620769644 Mon Sep 17 00:00:00 2001
+From 985a3e50fe2f80f47e3ee71ad74b72f3b4ecf7c6 Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Mon, 13 Apr 2020 12:44:23 +0800
 Subject: [PATCH] Makefile: fix python modules install path for multilib
@@ -7,15 +7,15 @@ Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- src/Makefile | 2 +-
+ libselinux/src/Makefile | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/src/Makefile b/src/Makefile
-index 213c7d3..92227cb 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -193,7 +193,7 @@ install: all
- 	ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 261c22d4..edb3ca06 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -198,7 +198,7 @@ ifneq ($(DISABLE_SHARED),y)
+ endif
  
  install-pywrap: pywrap
 -	CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
@@ -24,5 +24,5 @@ index 213c7d3..92227cb 100644
  	ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
  
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/libselinux/0002-Do-not-use-PYCEXT-and-rely-on-the-installed-file-nam.patch

@@ -1,4 +1,4 @@
-From 1048b80be8fe800fa343f26db833a6e89b5ba9ab Mon Sep 17 00:00:00 2001
+From 1bb35bc277129c976bb480a05de91dab346c84c9 Mon Sep 17 00:00:00 2001
 From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 Date: Fri, 25 Oct 2019 13:37:14 +0200
 Subject: [PATCH] Do not use PYCEXT, and rely on the installed file name
@@ -23,13 +23,13 @@ Upstream-Status: Denied [https://patchwork.kernel.org/patch/11212405/]
 [Refreshed for 3.0]
 Signed-off-by: Changqing Li <changqing.li@windriver.com>
 ---
- src/Makefile | 3 +--
+ libselinux/src/Makefile | 3 +--
  1 file changed, 1 insertion(+), 2 deletions(-)
 
-diff --git a/src/Makefile b/src/Makefile
-index 92227cb..7c71c65 100644
---- a/src/Makefile
-+++ b/src/Makefile
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index edb3ca06..8da3f542 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
 @@ -15,7 +15,6 @@ INCLUDEDIR ?= $(PREFIX)/include
  PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
  PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
@@ -38,7 +38,7 @@ index 92227cb..7c71c65 100644
  RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')
  RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
  RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]')
-@@ -195,7 +194,7 @@ install: all
+@@ -200,7 +199,7 @@ endif
  install-pywrap: pywrap
  	CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) --root $(DESTDIR) --ignore-installed --no-deps $(PYTHON_SETUP_ARGS) .
  	install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
@@ -48,5 +48,5 @@ index 92227cb..7c71c65 100644
  install-rubywrap: rubywrap
  	test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) 
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/libselinux/0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch

@@ -1,4 +1,4 @@
-From f33b426680492629d3d8ed664049cbe584f26f18 Mon Sep 17 00:00:00 2001
+From d555e83f8ca2482c673981250d72fbc4ce29c44c Mon Sep 17 00:00:00 2001
 From: Renato Caldas <renato@calgera.com>
 Date: Thu, 29 Jun 2023 13:59:11 +0100
 Subject: [PATCH] libselinux: restore: drop the obsolete LSF transitional API.
@@ -10,14 +10,14 @@ Upstream-Status: Submitted [https://github.com/SELinuxProject/selinux/pull/401]
 
 Signed-off-by: Renato Caldas <renato@calgera.com>
 ---
- src/selinux_restorecon.c | 4 ++--
+ libselinux/src/selinux_restorecon.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
-index bc6ed93..3bc0d8d 100644
---- a/src/selinux_restorecon.c
-+++ b/src/selinux_restorecon.c
-@@ -438,7 +438,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 39eabeb9..128aff4b 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -439,7 +439,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
  	file_spec_t *prevfl, *fl;
  	uint32_t h;
  	int ret;
@@ -26,7 +26,7 @@ index bc6ed93..3bc0d8d 100644
  
  	__pthread_mutex_lock(&fl_mutex);
  
-@@ -452,7 +452,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+@@ -453,7 +453,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
  	for (prevfl = &fl_head[h], fl = fl_head[h].next; fl;
  	     prevfl = fl, fl = fl->next) {
  		if (ino == fl->ino) {
@@ -36,5 +36,5 @@ index bc6ed93..3bc0d8d 100644
  				freecon(fl->con);
  				free(fl->file);
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/libselinux_3.9.bb

@@ -12,7 +12,7 @@ inherit lib_package pkgconfig
 
 FILESEXTRAPATHS:prepend := "${THISDIR}/libselinux:"
 SRC_URI += "\
-        file://0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch \
+        file://0003-libselinux-restore-drop-the-obsolete-LSF-transitiona.patch;patchdir=.. \
         "
 
 DEPENDS = "libsepol libpcre2"

recipes-security/selinux/libsemanage/libsemanage-Fix-execve-segfaults-on-Ubuntu.patch

@@ -1,4 +1,4 @@
-From 418a2736fd7da15758ab84f9448e7517e3ad82c1 Mon Sep 17 00:00:00 2001
+From 6ab4a37bca66674e9535a7e838c2b4680849e2ba Mon Sep 17 00:00:00 2001
 From: Xin Ouyang <Xin.Ouyang@windriver.com>
 Date: Mon, 26 Mar 2012 15:15:16 +0800
 Subject: [PATCH] libsemanage: Fix execve segfaults on Ubuntu.
@@ -13,13 +13,13 @@ Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- src/semanage_store.c | 2 +-
+ libsemanage/src/semanage_store.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/src/semanage_store.c b/src/semanage_store.c
-index 2ca2e90..914d720 100644
---- a/src/semanage_store.c
-+++ b/src/semanage_store.c
+diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
+index 1731c5e8..c6ace295 100644
+--- a/libsemanage/src/semanage_store.c
++++ b/libsemanage/src/semanage_store.c
 @@ -1445,7 +1445,7 @@ static int semanage_exec_prog(semanage_handle_t * sh,
  	if (forkval == 0) {
  		/* child process.  file descriptors will be closed
@@ -30,5 +30,5 @@ index 2ca2e90..914d720 100644
  	}
  
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/libsemanage/libsemanage-allow-to-disable-audit-support.patch

@@ -1,4 +1,4 @@
-From 0fddb654b4193e91b8534cbbeaa5fd9b6aa1ead2 Mon Sep 17 00:00:00 2001
+From beb674e585126fbcc803299ff14feec9bf736873 Mon Sep 17 00:00:00 2001
 From: Wenzong Fan <wenzong.fan@windriver.com>
 Date: Mon, 20 Jan 2014 03:53:48 -0500
 Subject: [PATCH] libsemanage: allow to disable audit support
@@ -7,15 +7,15 @@ Upstream-Status: Inappropriate [embedded specific]
 
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 ---
- src/Makefile        | 10 +++++++++-
- src/seusers_local.c | 13 +++++++++++++
- tests/Makefile      | 10 +++++++++-
+ libsemanage/src/Makefile        | 10 +++++++++-
+ libsemanage/src/seusers_local.c | 13 +++++++++++++
+ libsemanage/tests/Makefile      | 10 +++++++++-
  3 files changed, 31 insertions(+), 2 deletions(-)
 
-diff --git a/src/Makefile b/src/Makefile
-index 8dfbd76..4012f28 100644
---- a/src/Makefile
-+++ b/src/Makefile
+diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
+index fa3449fb..66c3010f 100644
+--- a/libsemanage/src/Makefile
++++ b/libsemanage/src/Makefile
 @@ -27,6 +27,14 @@ ifeq ($(DEBUG),1)
  	export LDFLAGS ?= -g
  endif
@@ -31,19 +31,19 @@ index 8dfbd76..4012f28 100644
  LEX = flex
  LFLAGS = -s
  YACC = bison
-@@ -90,7 +98,7 @@ $(LIBA): $(OBJS)
+@@ -93,7 +101,7 @@ $(LIBA): $(OBJS)
  	$(RANLIB) $@
  
  $(LIBSO): $(LOBJS)
--	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
-+	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol $(LIBAUDIT) -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
+-	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L../../libselinux/src -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
++	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L../../libselinux/src -lsepol $(LIBAUDIT) -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
  	ln -sf $@ $(TARGET)
  
  $(LIBPC): $(LIBPC).in ../VERSION
-diff --git a/src/seusers_local.c b/src/seusers_local.c
-index eb3f82b..45da825 100644
---- a/src/seusers_local.c
-+++ b/src/seusers_local.c
+diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c
+index eb3f82bc..45da8257 100644
+--- a/libsemanage/src/seusers_local.c
++++ b/libsemanage/src/seusers_local.c
 @@ -8,7 +8,11 @@ typedef struct semanage_seuser record_t;
  
  #include <sepol/policydb.h>
@@ -97,10 +97,10 @@ index eb3f82b..45da825 100644
  	if (seuser)
  		semanage_seuser_free(seuser);
  	return rc;
-diff --git a/tests/Makefile b/tests/Makefile
-index 241ff17..fa03fb6 100644
---- a/tests/Makefile
-+++ b/tests/Makefile
+diff --git a/libsemanage/tests/Makefile b/libsemanage/tests/Makefile
+index 241ff17a..fa03fb66 100644
+--- a/libsemanage/tests/Makefile
++++ b/libsemanage/tests/Makefile
 @@ -4,10 +4,18 @@ CILS = $(sort $(wildcard *.cil))
  
  ###########################################################################
@@ -122,5 +122,5 @@ index 241ff17..fa03fb6 100644
  OBJECTS = $(SOURCES:.c=.o)
  POLICIES = $(CILS:.cil=.policy)
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/libsemanage/libsemanage-disable-expand-check-on-policy-load.patch

@@ -1,4 +1,4 @@
-From af4948d5a1cfb41338a7539dcd80735b5c250e58 Mon Sep 17 00:00:00 2001
+From deeb4536309e53478650a2b4d1c01f01422fa75f Mon Sep 17 00:00:00 2001
 From: Joe MacDonald <joe@deserted.net>
 Date: Wed, 7 May 2014 11:36:27 -0400
 Subject: [PATCH] libsemanage: disable expand-check on policy load
@@ -13,13 +13,13 @@ Upstream-Status: Denied [upstream developers want to preserve the default
 
 Signed-off-by: Joe MacDonald <joe@deserted.net>
 ---
- src/semanage.conf | 4 ++++
+ libsemanage/src/semanage.conf | 4 ++++
  1 file changed, 4 insertions(+)
 
-diff --git a/src/semanage.conf b/src/semanage.conf
-index 98d769b..708fa8c 100644
---- a/src/semanage.conf
-+++ b/src/semanage.conf
+diff --git a/libsemanage/src/semanage.conf b/libsemanage/src/semanage.conf
+index 98d769b5..708fa8cb 100644
+--- a/libsemanage/src/semanage.conf
++++ b/libsemanage/src/semanage.conf
 @@ -40,3 +40,7 @@ module-store = direct
  # By default, semanage will generate policies for the SELinux target.
  # To build policies for Xen, uncomment the following line.
@@ -29,5 +29,5 @@ index 98d769b..708fa8c 100644
 +# module.  This results in a significant speed-up in policy loading.
 +expand-check=0
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/libsemanage_3.9.bb

@@ -11,9 +11,9 @@ require selinux_common.inc
 
 inherit lib_package python3native
 
-SRC_URI += "file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch \
-            file://libsemanage-allow-to-disable-audit-support.patch \
-            file://libsemanage-disable-expand-check-on-policy-load.patch \
+SRC_URI += "file://libsemanage-Fix-execve-segfaults-on-Ubuntu.patch;patchdir=.. \
+            file://libsemanage-allow-to-disable-audit-support.patch;patchdir=.. \
+            file://libsemanage-disable-expand-check-on-policy-load.patch;patchdir=.. \
            "
 
 DEPENDS = "libsepol libselinux python3 bison-native swig-native"

recipes-security/selinux/mcstrans/mcstrans-de-bashify.patch

@@ -1,4 +1,4 @@
-From 580a625e9e1266d92c248a5e3f471d12d42c149b Mon Sep 17 00:00:00 2001
+From fb739bb565978ec896739daf758c2f6328e48b75 Mon Sep 17 00:00:00 2001
 From: Joe MacDonald <joe_macdonald@mentor.com>
 Date: Fri, 7 Aug 2015 15:16:45 -0400
 Subject: [PATCH] mcstrans: remove dependency on bash in initscript
@@ -13,13 +13,13 @@ Upstream-Status: Inappropriate [embedded specific]
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- src/mcstrans.init | 2 +-
+ mcstrans/src/mcstrans.init | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/src/mcstrans.init b/src/mcstrans.init
-index 2804ec0..8b4737d 100644
---- a/src/mcstrans.init
-+++ b/src/mcstrans.init
+diff --git a/mcstrans/src/mcstrans.init b/mcstrans/src/mcstrans.init
+index 2804ec0a..8b4737d0 100644
+--- a/mcstrans/src/mcstrans.init
++++ b/mcstrans/src/mcstrans.init
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/bin/sh
@@ -27,5 +27,5 @@ index 2804ec0..8b4737d 100644
  # mcstransd        This starts and stops mcstransd
  #
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/mcstrans/mcstrans-fix-the-init-script.patch

@@ -1,4 +1,4 @@
-From 123d5b6413905bfad535a072ff0ab5a495cb2a2a Mon Sep 17 00:00:00 2001
+From 99895a7d84e3e132a3d3d44152a99c7379dbd9f4 Mon Sep 17 00:00:00 2001
 From: Roy Li <rongqing.li@windriver.com>
 Date: Wed, 6 Nov 2019 22:13:33 +0800
 Subject: [PATCH] mcstrans: fix the init script
@@ -11,13 +11,13 @@ Signed-off-by: Roy Li <rongqing.li@windriver.com>
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- src/mcstrans.init | 2 +-
+ mcstrans/src/mcstrans.init | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/src/mcstrans.init b/src/mcstrans.init
-index 8b4737d..86c89ea 100644
---- a/src/mcstrans.init
-+++ b/src/mcstrans.init
+diff --git a/mcstrans/src/mcstrans.init b/mcstrans/src/mcstrans.init
+index 8b4737d0..86c89ea2 100644
+--- a/mcstrans/src/mcstrans.init
++++ b/mcstrans/src/mcstrans.init
 @@ -51,7 +51,7 @@ start(){
  	fi
  
@@ -28,5 +28,5 @@ index 8b4737d..86c89ea 100644
  	echo
  	if test $RETVAL = 0 ; then
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/mcstrans_3.9.bb

@@ -11,8 +11,8 @@ require selinux_common.inc
 
 inherit pkgconfig systemd update-rc.d
 
-SRC_URI += "file://mcstrans-de-bashify.patch \
-            file://mcstrans-fix-the-init-script.patch \
+SRC_URI += "file://mcstrans-de-bashify.patch;patchdir=.. \
+            file://mcstrans-fix-the-init-script.patch;patchdir=.. \
            "
 
 DEPENDS = "libsepol libselinux libcap"

recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch

@@ -1,4 +1,4 @@
-From 624d6231ca9daf494e33352d562ff97cb0219f2d Mon Sep 17 00:00:00 2001
+From c0675c5dc7e59b345cbd62fd134ef950f3474c22 Mon Sep 17 00:00:00 2001
 From: Joe MacDonald <joe_macdonald@mentor.com>
 Date: Fri, 20 Feb 2015 17:00:19 -0500
 Subject: [PATCH] fixfiles: de-bashify
@@ -15,13 +15,13 @@ Upstream-Status: Inappropriate [embedded specific]
 Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 ---
- scripts/fixfiles | 23 ++++++++++++++---------
+ policycoreutils/scripts/fixfiles | 23 ++++++++++++++---------
  1 file changed, 14 insertions(+), 9 deletions(-)
 
-diff --git a/scripts/fixfiles b/scripts/fixfiles
-index 166af6f..a23cdc6 100755
---- a/scripts/fixfiles
-+++ b/scripts/fixfiles
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index b7cd765c..38497765 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/bin/sh
@@ -85,5 +85,5 @@ index 166af6f..a23cdc6 100755
  	return
      fi
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/policycoreutils_3.9.bb

@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
 require selinux_common.inc
 
 SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
-            file://policycoreutils-fixfiles-de-bashify.patch \
+            file://policycoreutils-fixfiles-de-bashify.patch;patchdir=.. \
            "
 
 PAM_SRC_URI = "file://pam.d/newrole \
@@ -21,7 +21,7 @@ PAM_SRC_URI = "file://pam.d/newrole \
 DEPENDS = "libsepol libselinux libsemanage gettext-native"
 DEPENDS:append:class-target = " libcap-ng"
 
-inherit selinux python3native
+inherit selinux python3native pkgconfig
 
 RDEPENDS:${PN}-fixfiles = "\
     ${PN}-setfiles \
@@ -139,6 +139,8 @@ do_compile:prepend() {
 }
 
 do_compile:class-native() {
+    export LIBSELINUX_LDLIBS="-lselinux"
+    export LIBSEMANAGE_LDLIBS="-lsemanage"
     for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
         oe_runmake -C $PCU_CMD \
             INCLUDEDIR='${STAGING_INCDIR}' \

recipes-security/selinux/selinux-python/0001-sepolicy-fix-install-path-for-new-pymodule-sepolicy.patch

@@ -1,4 +1,4 @@
-From fb449373ae92a05c324895cd7daee1461a0f0349 Mon Sep 17 00:00:00 2001
+From d7e063d1a41d45cd76a242377b0ee15df37e2520 Mon Sep 17 00:00:00 2001
 From: Xin Ouyang <Xin.Ouyang@windriver.com>
 Date: Mon, 23 Sep 2013 21:17:59 +0800
 Subject: [PATCH] sepolicy: fix install path for new pymodule sepolicy
@@ -9,13 +9,13 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- sepolicy/Makefile | 2 +-
+ python/sepolicy/Makefile | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/sepolicy/Makefile b/sepolicy/Makefile
-index 1a26cfd..6e40691 100644
---- a/sepolicy/Makefile
-+++ b/sepolicy/Makefile
+diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
+index 1a26cfdc..6e40691d 100644
+--- a/python/sepolicy/Makefile
++++ b/python/sepolicy/Makefile
 @@ -27,7 +27,7 @@ test:
  	@$(PYTHON) test_sepolicy.py -v
  
@@ -26,5 +26,5 @@ index 1a26cfd..6e40691 100644
  	install -m 755 sepolicy.py $(DESTDIR)$(BINDIR)/sepolicy
  	(cd $(DESTDIR)$(BINDIR); ln -sf sepolicy sepolgen)
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/selinux-python/0002-sepolicy-set-conf.substitutions-releasever-to-empty-.patch

@@ -1,4 +1,4 @@
-From 70187651a2239d5d8d70130e82c6f108eee77aa1 Mon Sep 17 00:00:00 2001
+From 845f081ba3dab6c27aeac12ab20a45250fd9a8e6 Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Tue, 24 Sep 2024 14:07:41 +0800
 Subject: [PATCH] sepolicy: set conf.substitutions['releasever'] to empty str
@@ -39,13 +39,13 @@ Upstream-Status: Submitted [https://github.com/SELinuxProject/selinux/pull/444]
 
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- sepolicy/sepolicy/generate.py | 3 +++
+ python/sepolicy/sepolicy/generate.py | 3 +++
  1 file changed, 3 insertions(+)
 
-diff --git a/sepolicy/sepolicy/generate.py b/sepolicy/sepolicy/generate.py
-index adf65f2..56923dc 100644
---- a/sepolicy/sepolicy/generate.py
-+++ b/sepolicy/sepolicy/generate.py
+diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
+index adf65f27..56923dc4 100644
+--- a/python/sepolicy/sepolicy/generate.py
++++ b/python/sepolicy/sepolicy/generate.py
 @@ -1265,6 +1265,9 @@ allow %s_t %s_t:%s_socket name_%s;
          import dnf
  
@@ -57,5 +57,5 @@ index adf65f2..56923dc 100644
              base.fill_sack(load_system_repo=True)
  
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/selinux-python_3.9.bb

@@ -10,8 +10,8 @@ require selinux_common.inc
 
 inherit python3targetconfig
 
-SRC_URI += "file://fix-sepolicy-install-path.patch \
-            file://0001-sepolicy-set-conf.substitutions-releasever-to-empty-.patch \
+SRC_URI += "file://0001-sepolicy-fix-install-path-for-new-pymodule-sepolicy.patch;patchdir=.. \
+            file://0002-sepolicy-set-conf.substitutions-releasever-to-empty-.patch;patchdir=.. \
            "
 
 S = "${UNPACKDIR}/${BP}/python"

recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch

@@ -1,4 +1,4 @@
-From d592d59eb4e7dbf8ce6dc84b3f4c0026fd7cc60c Mon Sep 17 00:00:00 2001
+From 1bfa95fac4e32cecec452d0c48c191ab05d7d038 Mon Sep 17 00:00:00 2001
 From: Joe MacDonald <joe_macdonald@mentor.com>
 Date: Fri, 20 Feb 2015 21:07:47 -0500
 Subject: [PATCH] sandbox: de-bashify
@@ -12,24 +12,24 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- sandbox.init | 2 +-
- sandboxX.sh  | 2 +-
+ sandbox/sandbox.init | 2 +-
+ sandbox/sandboxX.sh  | 2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/sandbox.init b/sandbox.init
-index b3979bf..1893dc8 100644
---- a/sandbox.init
-+++ b/sandbox.init
+diff --git a/sandbox/sandbox.init b/sandbox/sandbox.init
+index b3979bf5..1893dc87 100644
+--- a/sandbox/sandbox.init
++++ b/sandbox/sandbox.init
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/bin/sh
  ## BEGIN INIT INFO
  # Provides: sandbox
  # Default-Start: 3 4 5
-diff --git a/sandboxX.sh b/sandboxX.sh
-index eaa500d..8755d75 100644
---- a/sandboxX.sh
-+++ b/sandboxX.sh
+diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
+index 28169182..1af61824 100644
+--- a/sandbox/sandboxX.sh
++++ b/sandbox/sandboxX.sh
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/bin/sh
@@ -37,5 +37,5 @@ index eaa500d..8755d75 100644
  context=`id -Z | secon -t -l -P`
  export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
 -- 
-2.25.1
+2.34.1
 

recipes-security/selinux/selinux-sandbox_3.9.bb

@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=393a5ca445f6965873eca0259a17f833"
 
 require selinux_common.inc
 
-SRC_URI += "file://sandbox-de-bashify.patch \
+SRC_URI += "file://sandbox-de-bashify.patch;patchdir=.. \
            "
 
 S = "${UNPACKDIR}/${BP}/sandbox"

recipes-security/selinux/selinux_common.inc

@@ -1,7 +1,7 @@
 HOMEPAGE = "https://github.com/SELinuxProject"
 
 SRC_URI = "git://github.com/SELinuxProject/selinux.git;branch=main;protocol=https"
-SRCREV = "8e9157bbeea1899b7b8b257e7eaa71efef3fffed"
+SRCREV = "919e9e64cc4b20f5a1e4df1e38cce1bfe15aff09"
 
 S = "${UNPACKDIR}/${BP}/${BPN}"