This is an automated change & the command used is:
find -name '*.signatures.json' -exec sh -c '[ -n "$(tail -c1 {})" ] && echo >> {}' \;
Reference: https://stackoverflow.com/a/729795
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* Bump package version to recompile binaries with fixed gcc stack protection (CVE-2023-4039)
* Bump debuginfo versions in toolchain manifests
* Bump kernel headers to match kernel
* Update SPECS/gettext/gettext.spec
Taking suggestion
Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* Update for code review comments
* Fix for code review comment in qt5-qtdeclarative changelog
* Fix dash version for signed spec files
---------
Co-authored-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* Enable dbus audit logs.
dbus has implemented its own SELinux rules. When dbus blocks an
operation based on SELinux, it has logic to log the violation to the
security audit logs (as it should). Unfortunately, this logic is
currently incorrectly disabled by a build flag. This change fixes this
problem.
Note: The audit client lib supports and actively encourages clients to
not fail when the audit service is not available on the system. So,
this does not add a dependency on the audit package.
* .spec linting fixes
* dbus: add an explicit provides `dbus-x11`
* dbus-x11: drop metapackage
* toolkit: dbus-x11: remove entanglement with dbus
* dbus: add comment to build with X11 support
* dbus: license: update entry
Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
* Add SELinux packages to Mariner.
This commit adds the following packages to Mariner to provide basic
SELinux support:
- checkpolicy
- libsemanage
- mcstrans
- policycoreutils
- secilc
- selinux-policy
- setools
The selinux-policy provided here is a generic base policy, which is not
specifically tuned for Mariner, therefore only permissive mode support
is enabled in this commit. (Although users could load a custom policy
to run in enforcing mode). Future phases have been discussed to add
SELinux enforcing mode support.
This commit does not enable SELinux by default. In order to enable
SELinux support, one must first install necessary packages (libselinux,
policycoreutils, secilc, selinux-policy), and then append "lsm=selinux
selinux=1" to the kernel command line. This will trigger an initial
boot to relabel the system, at which point the system will reboot, and
boot into an SELinux enabled system. SELinux state can be queried with
the "getenforce" command line tool. If SELinux has not been enabled, it
will report "Disabled" (the default). If SELinux support has been
enabled as described in this paragraph, it will report "permissive".
This commit also modifies the following packages to enable SELinux
functionality in existing packages:
- coreutils
- cronie
- dbus
- openssh
- pam
- rpm
- shadow-utils
- systemd
- util-linux
This enables them to build with SELinux support so that when SELinux is
enabled, they have SELinux related functionality available.
Because coreutils is a basic package and requires building with
libselinux-devel present in order to enable key SELinux functionality,
several dependencies in other packages that rely on coreutils (namely
python2, python3 and systemd-bootstrap) had to be removed in order to
avoid circular dependencies. There does not appear to be a functional
impact from this change based on my testing.
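
The enablement steps in the SELinux commit message above (kernel parameters `lsm=selinux selinux=1`, then `getenforce`) can be verified with a small script. This is an added example, not part of the commit or the Mariner project; the function names are hypothetical, and it assumes that the last occurrence of a repeated kernel parameter is the one that counts.

```shell
#!/bin/sh
# Added example (not from the commit): compare the kernel command line with
# the getenforce output, following the states the commit message describes.
# Assumption: for a repeated parameter, the last occurrence wins.

# Print "requested" if the command line in $1 asks for SELinux, i.e. the
# lsm= list contains selinux AND selinux=1 is set; else "not-requested".
selinux_requested() {
    lsm_ok=no; flag_ok=no
    set -f                       # no pathname expansion while word-splitting
    for arg in $1; do
        case "$arg" in
            lsm=*)               # lsm= takes a comma-separated list
                case ",${arg#lsm=}," in
                    *,selinux,*) lsm_ok=yes ;;
                    *)           lsm_ok=no ;;
                esac ;;
            selinux=1) flag_ok=yes ;;
            selinux=*) flag_ok=no ;;
        esac
    done
    set +f
    if [ "$lsm_ok" = yes ] && [ "$flag_ok" = yes ]; then
        echo requested
    else
        echo not-requested
    fi
}

# $1 = kernel command line, $2 = output of getenforce.
check_selinux_state() {
    mode=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$(selinux_requested "$1"):$mode" in
        requested:permissive)   echo "ok: enabled, permissive" ;;
        requested:enforcing)    echo "ok: enabled, enforcing (custom policy)" ;;
        requested:disabled)     echo "mismatch: parameters set but SELinux disabled" ;;
        not-requested:disabled) echo "ok: disabled (default)" ;;
        *)                      echo "mismatch: unexpected state '$2'" ;;
    esac
}

# On a live system, check the running kernel (skipped if tools are absent).
if [ -r /proc/cmdline ] && command -v getenforce >/dev/null 2>&1; then
    check_selinux_state "$(cat /proc/cmdline)" "$(getenforce)"
fi
```

A "mismatch: parameters set but SELinux disabled" result usually means the required packages were not installed before the parameters were added.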