From 2f629a5050563d4ba492ce1404d1b8bc7e1c6e65 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Fri, 17 Apr 2026 22:35:12 +0300 Subject: [PATCH 1/7] python-selinux: update to 3.10 Changes in 3.10: - fix parsing of the enforcing kernel cmdline parameter - build python module without isolation (Makefile fix) - treewide: add .clang-format configuration file - various libsepol bug fixes (NULL deref, use-after-free, MLS range validation, functionfs_seclabel policycap, bpf_token_perms polcap) Signed-off-by: Alexandru Ardelean --- lang/python/python-selinux/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lang/python/python-selinux/Makefile b/lang/python/python-selinux/Makefile index 8367110594ff06..193a8e7bfce4f4 100644 --- a/lang/python/python-selinux/Makefile +++ b/lang/python/python-selinux/Makefile @@ -6,13 +6,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-selinux -PKG_VERSION:=3.9 -PKG_RELEASE:=2 +PKG_VERSION:=3.10 +PKG_RELEASE:=1 SRC_NAME:=libselinux PKG_SOURCE:=$(SRC_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION) -PKG_HASH:=e7ee2c01dba64a0c35c9d7c9c0e06209d8186b325b0638a0d83f915cc3c101e8 +PKG_HASH:=1ef216c5b56fb7e0a51cd2909787a175a17ee391e0467894807873539ebe766b PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)/$(SRC_NAME)-$(PKG_VERSION) PKG_MAINTAINER:=Thomas Petazzoni From 53a8bb69fd7261760418f86c596eba4fbdc8bbe8 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Fri, 17 Apr 2026 22:35:31 +0300 Subject: [PATCH 2/7] python-semanage: update to 3.10 Changes in 3.10: - improve semanage man pages: add examples for -r RANGE flag usage - semanage: reset active value when deleting boolean customizations - various libsemanage/libsepol bug fixes and security hardening Signed-off-by: Alexandru Ardelean --- lang/python/python-semanage/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/lang/python/python-semanage/Makefile b/lang/python/python-semanage/Makefile index 5f443e958cee57..0b7e7b3f21ac54 100644 --- a/lang/python/python-semanage/Makefile +++ b/lang/python/python-semanage/Makefile @@ -6,13 +6,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-semanage -PKG_VERSION:=3.9 -PKG_RELEASE:=2 +PKG_VERSION:=3.10 +PKG_RELEASE:=1 SRC_NAME:=libsemanage PKG_SOURCE:=$(SRC_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION) -PKG_HASH:=ec05850aef48bfb8e02135a7f4f3f7edba3670f63d5e67f2708d4bd80b9a4634 +PKG_HASH:=1978894c414769ad77438d26886eaae3fb7bb74578ef2a5ad3130c89cb5cb1fe PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)/$(SRC_NAME)-$(PKG_VERSION) PKG_MAINTAINER:=Thomas Petazzoni From 35252e9d46a76262bca0ea8af153ab204d57448d Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Fri, 17 Apr 2026 22:36:02 +0300 Subject: [PATCH 3/7] selinux-python: update to 3.10 Changes in 3.10: - python/sepolicy: add support for DNF5 - sandbox/seunshare: replace system() with execv() to prevent shell injection vulnerability - seunshare: always use translations when printing - setfiles: add -A option to disable SELINUX_RESTORECON_ADD_ASSOC Signed-off-by: Alexandru Ardelean --- utils/selinux-python/Makefile | 6 +++--- utils/selinux-python/patches/0005-no-translations.patch | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/utils/selinux-python/Makefile b/utils/selinux-python/Makefile index cc038ff3196557..d113f018cc6310 100644 --- a/utils/selinux-python/Makefile +++ b/utils/selinux-python/Makefile 
@@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=selinux-python -PKG_VERSION:=3.9 -PKG_RELEASE:=2 +PKG_VERSION:=3.10 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION) -PKG_HASH:=dcfa5f1919dcb7e7b775851994eb5c83b7580dc496cd2d1f73867dfa074d2339 +PKG_HASH:=9d0a5b69f2fbcce8e5ccd8e0f17d56f71e6005a756386f8fb36c31f9424191a2 PKG_MAINTAINER:=Thomas Petazzoni PKG_LICENSE:=GPL-2.0-only diff --git a/utils/selinux-python/patches/0005-no-translations.patch b/utils/selinux-python/patches/0005-no-translations.patch index 9b1cb8cfeec1e1..d79cf90f15064a 100644 --- a/utils/selinux-python/patches/0005-no-translations.patch +++ b/utils/selinux-python/patches/0005-no-translations.patch @@ -4,5 +4,5 @@ -SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po +SUBDIRS = sepolicy audit2allow semanage sepolgen chcat - all install relabel clean indent test: + all install relabel clean format test: @for subdir in $(SUBDIRS); do \ From a1585d0f6b40340254908f21632478209efb87d6 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Fri, 17 Apr 2026 22:36:25 +0300 Subject: [PATCH 4/7] semodule-utils: update to 3.10 Changes in 3.10: - general bug fixes from libsepol (bounds statements in optional blocks, type attribute handling in role-types rule, NULL dereference and use-after-free fixes) - treewide: add .clang-format configuration file Signed-off-by: Alexandru Ardelean --- utils/semodule-utils/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/semodule-utils/Makefile b/utils/semodule-utils/Makefile index 339e025b09b9a3..fcf70d4ef39283 100644 --- a/utils/semodule-utils/Makefile +++ b/utils/semodule-utils/Makefile 
@@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=semodule-utils -PKG_VERSION:=3.9 +PKG_VERSION:=3.10 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION) -PKG_HASH:=729be36e4726c5d0833732681a94b2e0e4aff973c076504e41f8547abb6c5424 +PKG_HASH:=1c2f14cc098cbb4d75912d131c5f747e70246e1042e72f2ab40e28f53cf45c10 PKG_MAINTAINER:=W. Michael Petullo PKG_LICENSE:=GPL-2.0-only
From 69f782a083acb056355910a19d4186f6d1b052cc Mon Sep 17 00:00:00 2001
From: Alexandru Ardelean
Date: Fri, 1 May 2026 10:22:47 +0300
Subject: [PATCH 5/7] bluez: add test.sh for binaries without --version Several bluez utilities do not implement --version so the generic CI version check fails for them. Add test.sh cases that verify the binaries are present and executable instead. bluez-daemon: obexd bluez-utils: bdaddr, ciptool, hciattach, hciconfig, l2ping, l2test, rctest bluez-utils-extra: gatttool
Signed-off-by: Alexandru Ardelean
---
utils/bluez/test.sh | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 utils/bluez/test.sh
diff --git a/utils/bluez/test.sh b/utils/bluez/test.sh
new file mode 100644
index 00000000000000..159f6ea9c54df0
--- /dev/null
+++ b/utils/bluez/test.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+case "$1" in
+ bluez-daemon)
+ # obexd does not implement --version; just verify it is present
+ [ -x /usr/bin/obexd ] || exit 1
+ ;;
+ bluez-utils)
+ # these tools do not implement --version; verify they are present
+ for bin in bdaddr ciptool hciattach hciconfig l2ping l2test rctest; do
+ [ -x "/usr/bin/$bin" ] || exit 1
+ done
+ ;;
+ bluez-utils-extra)
+ # gatttool does not implement --version; just verify it is present
+ [ -x /usr/bin/gatttool ] || exit 1
+ ;;
+esac
From cce34f99480b27374c3a6ed4f98da4acc63495d3 Mon Sep 17 00:00:00 2001
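Review bot: The presence checks in utils/bluez/test.sh fail with a bare `exit 1`, so a CI failure never says which binary was missing; in the `for bin in …` loop seven candidates collapse into one silent exit. Printing the path before exiting would make the failure actionable, e.g. `[ -x "/usr/bin/$bin" ] || { echo "missing or not executable: /usr/bin/$bin" >&2; exit 1; }`. The same pattern is used in the new utils/dbus/test.sh and utils/zstd/test.sh. Separately, `[ -x … ]` only tests that the file exists with the execute bit set, so a binary that cannot load (for example because of a missing shared library) would still pass; that may be acceptable here, but it is a weaker guarantee than the version check it stands in for.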
From: Alexandru Ardelean
Date: Fri, 1 May 2026 10:22:51 +0300
Subject: [PATCH 6/7] dbus: add test.sh for binaries without --version dbus-utils utilities do not implement --version so the generic CI version check fails for them. Add a test.sh case that verifies the binaries are present and executable instead. dbus-utils: dbus-monitor, dbus-send, dbus-test-tool
Signed-off-by: Alexandru Ardelean
---
utils/dbus/test.sh | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 utils/dbus/test.sh
diff --git a/utils/dbus/test.sh b/utils/dbus/test.sh
new file mode 100644
index 00000000000000..da8fae57a9c67c
--- /dev/null
+++ b/utils/dbus/test.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+case "$1" in
+ dbus-utils)
+ # dbus-monitor, dbus-send, dbus-test-tool do not implement --version
+ for bin in dbus-monitor dbus-send dbus-test-tool; do
+ [ -x "/usr/bin/$bin" ] || exit 1
+ done
+ ;;
+esac
From a416ae98b498b058b66e9ff7f0721369020b324f Mon Sep 17 00:00:00 2001
From: Alexandru Ardelean
Date: Fri, 1 May 2026 19:29:22 +0300
Subject: [PATCH 7/7] zstd: add test.sh for script wrappers without --version zstdgrep and zstdless are shell script wrappers that do not output a version string, so the generic CI version check fails for them. Add a test.sh case that verifies they are present and executable instead.
Signed-off-by: Alexandru Ardelean
---
utils/zstd/test.sh | 9 +++++++++
1 file changed, 9 insertions(+)
create mode 100644 utils/zstd/test.sh
diff --git a/utils/zstd/test.sh b/utils/zstd/test.sh
new file mode 100644
index 00000000000000..acc74d277868aa
--- /dev/null
+++ b/utils/zstd/test.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+case "$1" in
+ zstd)
+ # zstdgrep and zstdless are shell script wrappers; they do not output a version
+ [ -x /usr/bin/zstdgrep ] || exit 1
+ [ -x /usr/bin/zstdless ] || exit 1
+ ;;
+esac