This fixes musl builds too.

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-ids/samhain/samhain.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/recipes-ids/samhain/samhain.inc b/recipes-ids/samhain/samhain.inc
index d64cddb..5c1d6f5 100644
--- a/recipes-ids/samhain/samhain.inc
+++ b/recipes-ids/samhain/samhain.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.la-samhna.de/samhain/"
LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"

-PV = "4.4.6"
+PV = "4.4.7"

SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://${INITSCRIPT_NAME}.init \
@@ -21,7 +21,7 @@ SRC_URI = "https://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://samhain-fix-initializer-element-is-not-constant.patch \
"

-SRC_URI[sha256sum] = "0b511a184066759cd864f6d15fe941ed3fe60f0cdc886dab68daa191d567de24"
+SRC_URI[sha256sum] = "0aa978accb635000c2d9170f307bff8a95836f8ec01615a53dbd9c2af9564d44"

UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
--
2.25.1

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-kernel/linux/files/lkrg.cfg | 4 ++++
recipes-kernel/linux/files/lkrg.scc | 5 +++++
recipes-kernel/linux/linux-yocto_security.inc | 3 +++
3 files changed, 12 insertions(+)
create mode 100644 recipes-kernel/linux/files/lkrg.cfg
create mode 100644 recipes-kernel/linux/files/lkrg.scc

diff --git a/recipes-kernel/linux/files/lkrg.cfg b/recipes-kernel/linux/files/lkrg.cfg
new file mode 100644
index 0000000..e02bf76
--- /dev/null
+++ b/recipes-kernel/linux/files/lkrg.cfg
@@ -0,0 +1,4 @@
+CONFIG_DEBUG_KERNEL=y
+CONFIG_KALLSYMS_ALL=y
+CONFIG_JUMP_LABEL=y
+CONFIG_DEBUG_SECTION_MISMATCH=y
diff --git a/recipes-kernel/linux/files/lkrg.scc b/recipes-kernel/linux/files/lkrg.scc
new file mode 100644
index 0000000..83397f8
--- /dev/null
+++ b/recipes-kernel/linux/files/lkrg.scc
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: MIT
+define KFEATURE_DESCRIPTION "Enable Support for LKRG"
+define KFEATURE_COMPATIBILITY board
+
+kconf hardware lkrg.cfg
diff --git a/recipes-kernel/linux/linux-yocto_security.inc b/recipes-kernel/linux/linux-yocto_security.inc
index defca57..b79af80 100644
--- a/recipes-kernel/linux/linux-yocto_security.inc
+++ b/recipes-kernel/linux/linux-yocto_security.inc
@@ -1,3 +1,6 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", " features/apparmor/apparmor.scc", "" ,d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains("DISTRO_FEATURES", "smack", " features/smack/smack.scc", "" ,d)}"
KERNEL_FEATURES:append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-verity.scc", "" ,d)}"
+SRC_URI += " ${@bb.utils.contains("DISTRO_FEATURES", "lkrg", "file://lkrg.scc", "" ,d)}"
--
2.25.1

This allows to track tip easier.
refresh patch
Fix LICENSE to match SPDX format

Signed-off-by: Armin Kuster <akuster808@...>
---
recipes-kernel/lkrg/files/makefile_cleanup.patch | 6 +++---
recipes-kernel/lkrg/lkrg-module_0.9.2.bb | 10 +++++-----
2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/recipes-kernel/lkrg/files/makefile_cleanup.patch b/recipes-kernel/lkrg/files/makefile_cleanup.patch
index a4db2d9..799b1a6 100644
--- a/recipes-kernel/lkrg/files/makefile_cleanup.patch
+++ b/recipes-kernel/lkrg/files/makefile_cleanup.patch
@@ -4,10 +4,10 @@ This needs more work. Its my starting point.

Signed-off-by: Armin Kuster <akuster808@...>

-Index: lkrg-0.9.2/Makefile
+Index: git/Makefile
===================================================================
---- lkrg-0.9.2.orig/Makefile
-+++ lkrg-0.9.2/Makefile
+--- git.orig/Makefile
++++ git/Makefile
@@ -4,28 +4,10 @@
# Author:
# - Adam 'pi3' Zabrocki (http://pi3.com.pl)
diff --git a/recipes-kernel/lkrg/lkrg-module_0.9.2.bb b/recipes-kernel/lkrg/lkrg-module_0.9.2.bb
index e055fbe..85f7d44 100644
--- a/recipes-kernel/lkrg/lkrg-module_0.9.2.bb
+++ b/recipes-kernel/lkrg/lkrg-module_0.9.2.bb
@@ -3,18 +3,18 @@ DESCRIPTION="LKRG performs runtime integrity checking of the Linux \
kernel and detection of security vulnerability exploits against the kernel."
SECTION = "security"
HOMEPAGE = "https://www.openwall.com/lkrg/"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"

LIC_FILES_CHKSUM = "file://LICENSE;md5=5105ead24b08a32954f34cbaa7112432"

DEPENDS = "virtual/kernel elfutils"

-SRC_URI = "https://download.openwall.net/pub/projects/lkrg/lkrg-${PV}.tar.gz \
- file://makefile_cleanup.patch "
+SRCREV = "43db5f19fca259feb1962f6db33382348cbc8320"

-SRC_URI[sha256sum] = "c2b501c47089cce3ec3114cef6520b73aa3a098836183186b9bb5e097c99ac27"
+SRC_URI = "git://github.com/lkrg-org/lkrg.git;protocol=https;branch=main \
+ file://makefile_cleanup.patch "

-S = "${WORKDIR}/lkrg-${PV}"
+S = "${WORKDIR}/git"

inherit module kernel-module-split

--
2.25.1

On Sun, 2022-04-03 at 09:12 +0200, Federico Pellegrin wrote:

I've been playing around building a Yocto imagine based on kirkstone/master on
the just released Fedora 36 beta test image. (just to give a few bits more
details: builds a MX8X image, works perfectly fine with Fedora 34 and 35 since
quite some time)

The first and most obvious thing I've found out is that it is based on a newer
version of glibcxx (3.4.30) when the very latest uninative available (as far
as I could see, apologies if I'm wrong) is on 3.4.29, so at some point this
will break the build (when pzstd is called).

Of course for the time being I just disabled uninative and the build is going
on (will report of course should I find something else). I'm not sure (still
checking this) if that should have happened automatically, but there was
actually no warning in that sense (maybe because is GLIBCXX and not GLIBC
itself?)
But the question is: should I try to contribute that tarball (I will search
for details, but if there is any good reference more than welcome!) or is it
something that is likely done by the core team?

Of course FC36 is still a test distro so there is no surprise it broke, but as
we are close to Kirkstone release and possibly other distros will get the same
upgrade, I guess it could be great if we may fix this before that deadline.

Thanks for reporting it. I think to generate the newer version we need gcc 12
which is still in pre-release. We generate the uninative tarball using our own
builds on the autobuilder so until we have gcc 12 recipes there, we can't
generate that.

Once gcc 12 is out, we will release a new uninative (assuming we can update our
recipes).

I'd like to think the checks in uninative would have noticed the mismatch, we do
have some code there to detect libc version but perhaps not the CXX pieces so
I'd welcome help in adding something for that.

Cheers,

Richard

On Sat, Apr 02, 2022 at 12:13:26PM +0200, Quentin Schulz wrote:

FILES variables is compatible with glob from Python so that should work but that's really the first time I see this, usually it's just the directory or dir/*. Learned something new today :)

:-)

Are you on honister (or master/soon kirkstone) release? If so, it's FILES:${PN} and not FILES_${PN}.

That's it!
I wasn't aware of this change, could have searched for another couple of
days!

Thank.
you.
very.
much.

Kind Regards
Konsti


--
INSIDE M2M GmbH
Konstantin Kletschke
Berenbosteler Straße 76 B
30823 Garbsen

Telefon: +49 (0) 5137 90950136
Mobil: +49 (0) 151 15256238
Fax: +49 (0) 5137 9095010

konstantin.kletschke@...
http://www.inside-m2m.de

Geschäftsführung: Michael Emmert, Ingo Haase, Dr. Fred Könemann, Derek Uhlig
HRB: 111204, AG Hannover

On Sat, Apr 2, 2022 at 9:37 AM jchludzinski <jchludzinski@...> wrote:

I’m actually trying this on an RP4 running Raspbian.

Oh I see. we do support aarch64 as build host, so if you are trying
64bit OS on rpi then it should work
although, rpi4 may not have enough muscle to build, perhaps using SSD
with rpi4 might help a bit

So find out if rpi4 is running in 64bit mode if not then building on
armv7 might have issues.

in anycase try setting SDKMACHINE = "i686" this should get you past
this particular error, there might be more after it.

Fixed when x11 is not in DISTRO_FEATURES:
$ bitbake wxwidgets
ERROR: Nothing PROVIDES 'wxwidgets'
wxwidgets was skipped: missing required distro feature 'x11' (not in
DISTRO_FEATURES)

On 2022-04-02 12:15, Khem Raj wrote:

On Sat, Apr 2, 2022 at 1:47 AM jchludzinski <jchludzinski@...>
wrote:

$ git clone git://git.yoctoproject.org/poky.git
$ cd ./poky
$ git checkout yocto-3.4.2
$ cd ..
$ source ./poky/oe-init-build-env
$ cd ./build
$ time bitbake core-image-minimal
...
ERROR: OE-core's config sanity checker detected a potential
misconfiguration.
Either fix the cause of this error or at your own risk disable the
checker (see sanity.conf).
Following is the list of potential problems / advisories:

Specified SDKMACHINE value is not valid


Summary: There was 1 WARNING message shown.
Summary: There was 1 ERROR message shown, returning a non-zero exit
code.

________________________________________________________
Executed in 3.92 secs fish external
usr time 1.07 secs 9.77 millis 1.06 secs
sys time 0.18 secs 2.96 millis 0.17 secs



On 2022-04-01 18:09, Khem Raj wrote:

On Fri, Apr 1, 2022 at 2:02 PM jchludzinski <jchludzinski@...>
wrote:


But obviously commented out.

On 2022-04-01 16:43, jchludzinski via lists.yoctoproject.org wrote:

There's this:
#SDKMACHINE ?= "i686"


OK it should be ok then. Can you describe your steps to setup the
system?
maybe there is some caveat


---John

On 2022-04-01 16:22, Khem Raj wrote:

On Fri, Apr 1, 2022 at 1:09 PM jchludzinski via
lists.yoctoproject.org
[1 [1]] <jchludzinski=vivaldi.net@...> wrote:

I'm trying an experiment building yocto/OE on a Raspberry Pi 4 to
host on the same RP4. Admittedly, a not practical platform for
this
purpose but it should work.

I'm trying to target the ARM ISA for the image using yocto-3.4.2.
I've tried simply using the default setting and end up with:

_ERROR: OE-core's config sanity checker detected a potential
misconfiguration._
_ Either fix the cause of this error or at your own risk
disable
the checker (see sanity.conf)._
_ Following is the list of potential problems / advisories:_
_ _
_ Specified SDKMACHINE value is not valid_

I've tried editing ./conf/local.conf:

MACHINE ?= "qemuarm64"

#MACHINE ??= "qemux86-64"


It's complaining about SDKMACHINE setting which is a separate
variable, can you check your local.conf if it's set to something

But this accomplishes nothing. Needless to say, I'm a yacto/OE
newbie, so any suggestions would be greatly appreciated.

are you on a x86_64 host? Secondly try to uncomment SDKMACHINE setting
in local.conf
and see if it helps. Also check if your default shell is bash or dash.

---John


Links:
------
[1] http://lists.yoctoproject.org



Links:
------
[1] http://lists.yoctoproject.org

--
NULL

I’m actually trying this on an RP4 running Raspbian.

--
NULL

On Sat, Apr 2, 2022 at 1:47 AM jchludzinski <jchludzinski@...> wrote:

$ git clone git://git.yoctoproject.org/poky.git
$ cd ./poky
$ git checkout yocto-3.4.2
$ cd ..
$ source ./poky/oe-init-build-env
$ cd ./build
$ time bitbake core-image-minimal
...
ERROR: OE-core's config sanity checker detected a potential misconfiguration.
Either fix the cause of this error or at your own risk disable the checker (see sanity.conf).
Following is the list of potential problems / advisories:

Specified SDKMACHINE value is not valid


Summary: There was 1 WARNING message shown.
Summary: There was 1 ERROR message shown, returning a non-zero exit code.

________________________________________________________
Executed in 3.92 secs fish external
usr time 1.07 secs 9.77 millis 1.06 secs
sys time 0.18 secs 2.96 millis 0.17 secs



On 2022-04-01 18:09, Khem Raj wrote:

On Fri, Apr 1, 2022 at 2:02 PM jchludzinski <jchludzinski@...> wrote:


But obviously commented out.

On 2022-04-01 16:43, jchludzinski via lists.yoctoproject.org wrote:

There's this:
#SDKMACHINE ?= "i686"


OK it should be ok then. Can you describe your steps to setup the system?
maybe there is some caveat


---John

On 2022-04-01 16:22, Khem Raj wrote:

On Fri, Apr 1, 2022 at 1:09 PM jchludzinski via
lists.yoctoproject.org
[1 [1]] <jchludzinski=vivaldi.net@...> wrote:

I'm trying an experiment building yocto/OE on a Raspberry Pi 4 to
host on the same RP4. Admittedly, a not practical platform for
this
purpose but it should work.

I'm trying to target the ARM ISA for the image using yocto-3.4.2.
I've tried simply using the default setting and end up with:

_ERROR: OE-core's config sanity checker detected a potential
misconfiguration._
_ Either fix the cause of this error or at your own risk
disable
the checker (see sanity.conf)._
_ Following is the list of potential problems / advisories:_
_ _
_ Specified SDKMACHINE value is not valid_

I've tried editing ./conf/local.conf:

MACHINE ?= "qemuarm64"

#MACHINE ??= "qemux86-64"


It's complaining about SDKMACHINE setting which is a separate
variable, can you check your local.conf if it's set to something

But this accomplishes nothing. Needless to say, I'm a yacto/OE
newbie, so any suggestions would be greatly appreciated.

are you on a x86_64 host? Secondly try to uncomment SDKMACHINE setting
in local.conf
and see if it helps. Also check if your default shell is bash or dash.

---John


Links:
------
[1] http://lists.yoctoproject.org



Links:
------
[1] http://lists.yoctoproject.org

Hi Konstantin,

On April 1, 2022 2:50:13 PM GMT+02:00, Konstantin Kletschke <konstantin.kletschke@...> wrote:

I am currently trying to extend the meta-java framework with an
openjdk-18 recipe.
I encounter a problem with the [installed-vs-shipped] QA check which I
can't cope with, I admit.

The autotolls and crosscompile seems to work fine, the install is
overridden with this:

do_install() {
rm -rf ${D}/${JAVA_HOME}
mkdir -p ${D}/${JAVA_HOME}
echo "THIS IS D: "${D} > ${D}/${JAVA_HOME}/THE_D
if [[ "${PN}" = openjre* ]]; then
# cp -rp ${B}/images/jre/* ${D}/${JAVA_HOME}
cp -rp ${B}/jdk/* ${D}${JAVA_HOME}
else
# cp -rp ${B}/images/jdk/* ${D}/${JAVA_HOME}
cp -rp ${B}/jdk/* ${D}${JAVA_HOME}
fi
chown -R root:root ${D}${JAVA_HOME}
#install -m644 ${WORKDIR}/jvm.cfg ${D}${JAVA_HOME}/jre/lib/${JDK_ARCH}/
find ${D}/${JAVA_HOME} -name "*.debuginfo" -exec rm {} \;
}

To verify ${D} there is this "echo [...] THE_D" part in the install step
to look, what's happening.

After this stage I have the following file

/home/konsti/yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/openjdk-18/18+37+gitAUTOINC+0f2113cee7-r0/image/usr/lib/jvm/openjdk-18/THE_D

with contents

THIS IS D: /home/konsti/yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/openjdk-18/18+37+gitAUTOINC+0f2113cee7-r0/image

What I suppose is ${D} looks like this:

~/yocto/build   honister ?1 ❯ ls -la /home/konsti/yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/openjdk-18/18+37+gitAUTOINC+0f2113cee7-r0/image
total 12
drwxr-xr-x 3 konsti konsti 4096 Apr 1 14:24 .
drwxr-xr-x 17 konsti konsti 4096 Apr 1 14:24 ..
drwxr-xr-x 3 konsti konsti 4096 Apr 1 14:24 usr

${JAVA_HOME} expands to /usr/lib/jvm/openjdk-18:

~/yocto/build   honister ?1 ❯ ls -la /home/konsti/yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/openjdk-18/18+37+gitAUTOINC+0f2113cee7-r0/image/usr/lib/jvm/openjdk-18/
total 36
drwxr-xr-x 7 konsti konsti 4096 Apr 1 14:24 .
drwxr-xr-x 3 konsti konsti 4096 Apr 1 14:24 ..
-rw-r--r-- 3 konsti konsti 128 Apr 1 14:24 THE_D
drwxr-xr-x 2 konsti konsti 4096 Apr 1 14:24 bin
drwxr-xr-x 5 konsti konsti 4096 Apr 1 14:22 conf
drwxr-xr-x 3 konsti konsti 4096 Apr 1 14:22 include
drwxr-xr-x 5 konsti konsti 4096 Apr 1 14:24 lib
drwxr-xr-x 69 konsti konsti 4096 Apr 1 14:23 modules
-rw-r--r-- 3 konsti konsti 129 Apr 1 14:22 release

So accordingly the recipe continues with extending the FILES to do
packaging this way:

FILES_${PN} += "\
${JAVA_HOME}/bin/[a-z]* \
${JAVA_HOME}/lib/[a-z]* \

FILES variables is compatible with glob from Python so that should work but that's really the first time I see this, usually it's just the directory or dir/*. Learned something new today :)

${JAVA_HOME}/modules \
${JAVA_HOME}/release \
${JAVA_HOME}/conf \
${JAVA_HOME}/include \
${JAVA_HOME}/THE_D \
"

When I do "bitbake -e openjdk-18 |grep FILES_openjdk-18=" I get this:

Are you on honister (or master/soon kirkstone) release? If so, it's FILES:${PN} and not FILES_${PN}.

Try to avoid using hardcoded names instead of ${PN} because it breaks multilib (probably not a problem for many, I can concede :) ).

Make sure that openjdk-18 is actually a valid package name too by running bitbake -e <recipe-name> | grep "^PACKAGES=".

FILES_openjdk-18=" /usr/lib/jvm/openjdk-18/bin/[a-z]* /usr/lib/jvm/openjdk-18/lib/[a-z]* /usr/lib/jvm/openjdk-18/modules /usr/lib/jvm/openjdk-18/release /usr/lib/jvm/openjdk-18/conf /usr/lib/jvm/openjdk-18/include /usr/lib/jvm/openjdk-18/THE_D "

When bitbake tries to package, I get this error:

ERROR: openjdk-18-18+37+gitAUTOINC+0f2113cee7-r0 do_package: QA Issue: openjdk-18: Files/directories were installed but not shipped in any package:
/usr/lib/jvm/openjdk-18/release
/usr/lib/jvm/openjdk-18/THE_D
/usr/lib/jvm/openjdk-18/conf
/usr/lib/jvm/openjdk-18/include
/usr/lib/jvm/openjdk-18/lib/libj2gss.so
[...]
/usr/lib/jvm/openjdk-18/modules/jdk.internal.le/jdk/internal/org/jline/keymap/BindingReader.class
/usr/lib/jvm/openjdk-18/modules/jdk.internal.le/jdk/internal/org/jline/keymap/KeyMap.class
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
openjdk-18: 28751 installed and not shipped files. [installed-vs-shipped]
ERROR: openjdk-18-18+37+gitAUTOINC+0f2113cee7-r0 do_package: Fatal QA errors found, failing task.
ERROR: Logfile of failure stored in: /home/konsti/yocto/build/tmp/work/cortexa8hf-neon-poky-linux-gnueabi/openjdk-18/18+37+gitAUTOINC+0f2113cee7-r0/temp/log.do_package.3424506
ERROR: Task (/home/konsti/yocto/meta-insidem2m/recipes-core/openjdk/openjdk-18_18+37.bb:do_package) failed with exit code '1'

Well, I am pretty shure the FILES_${PN} refers relative to ${D}, where
is my stupid misunderstanding?

Side-Quest: In do install the destination is referred as
${D}${JAVA_HOME}. Why does this not need to be ${D}/${JAVA_HOME}?

To quote yourself:

${JAVA_HOME} expands to /usr/lib/jvm/openjdk-18

Cheers,
Quentin

From: Mingli Yu <mingli.yu@...>

Update LICENSE variable to use SPDX license identifiers.

Signed-off-by: Mingli Yu <mingli.yu@...>
---
recipes-security/selinux/checkpolicy_3.3.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/selinux/checkpolicy_3.3.bb b/recipes-security/selinux/checkpolicy_3.3.bb
index 99ac470..ad90cc2 100644
--- a/recipes-security/selinux/checkpolicy_3.3.bb
+++ b/recipes-security/selinux/checkpolicy_3.3.bb
@@ -6,7 +6,7 @@ binary policy. checkpolicy uses the static libsepol since it deals \
with low level details of the policy that have not been \
encapsulated/abstracted by a proper shared library interface."
SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"

require selinux_common.inc
--
2.25.1

From: Mingli Yu <mingli.yu@...>

Update LICENSE variable to use SPDX license identifiers.

Signed-off-by: Mingli Yu <mingli.yu@...>
---
recipes-security/selinux/selinux-sandbox_3.3.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/selinux/selinux-sandbox_3.3.bb b/recipes-security/selinux/selinux-sandbox_3.3.bb
index a20982c..cc9baad 100644
--- a/recipes-security/selinux/selinux-sandbox_3.3.bb
+++ b/recipes-security/selinux/selinux-sandbox_3.3.bb
@@ -4,7 +4,7 @@ Run application within a tightly confined SELinux domain. The default \
sandbox domain only allows applications the ability to read and write \
stdin, stdout and any other file descriptors handed to it."
SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"

require selinux_common.inc
--
2.25.1

From: Mingli Yu <mingli.yu@...>

Update LICENSE variable to use SPDX license identifiers.

Signed-off-by: Mingli Yu <mingli.yu@...>
---
recipes-security/setools/setools_4.4.0.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/setools/setools_4.4.0.bb b/recipes-security/setools/setools_4.4.0.bb
index b78af36..f1557b1 100644
--- a/recipes-security/setools/setools_4.4.0.bb
+++ b/recipes-security/setools/setools_4.4.0.bb
@@ -6,7 +6,7 @@ libraries designed to facilitate SELinux policy analysis. \
This meta-package depends upon the main packages necessary to run \
SETools."
SECTION = "base"
-LICENSE = "GPLv2 & LGPLv2.1"
+LICENSE = "GPL-2.0-only & LGPL-2.1-only"

S = "${WORKDIR}/git"
SRC_URI = "git://github.com/SELinuxProject/${BPN}.git;branch=4.4;protocol=https \
--
2.25.1

From: Mingli Yu <mingli.yu@...>

Update LICENSE variable to use SPDX license identifiers.

Signed-off-by: Mingli Yu <mingli.yu@...>
---
recipes-security/selinux/policycoreutils_3.3.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/selinux/policycoreutils_3.3.bb b/recipes-security/selinux/policycoreutils_3.3.bb
index 04f8ef7..552d354 100644
--- a/recipes-security/selinux/policycoreutils_3.3.bb
+++ b/recipes-security/selinux/policycoreutils_3.3.bb
@@ -5,7 +5,7 @@ load_policy to load policies, setfiles to label filesystems, newrole \
to switch roles, and run_init to run /etc/init.d scripts in the proper \
context."
SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"

require selinux_common.inc
--
2.25.1

From: Mingli Yu <mingli.yu@...>

Update LICENSE variable to use SPDX license identifiers.

Signed-off-by: Mingli Yu <mingli.yu@...>
---
recipes-security/selinux/mcstrans_3.3.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/selinux/mcstrans_3.3.bb b/recipes-security/selinux/mcstrans_3.3.bb
index 4d99e18..cd8780b 100644
--- a/recipes-security/selinux/mcstrans_3.3.bb
+++ b/recipes-security/selinux/mcstrans_3.3.bb
@@ -4,7 +4,7 @@ DESCRIPTION = "\
mcstrans provides an translation daemon to translate SELinux categories \
from internal representations to user defined representation."
SECTION = "base"
-LICENSE = "GPLv2+"
+LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"

require selinux_common.inc
--
2.25.1

From: Mingli Yu <mingli.yu@...>

Update LICENSE variable to use SPDX license identifiers.

Signed-off-by: Mingli Yu <mingli.yu@...>
---
recipes-security/selinux/libsemanage_3.3.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/selinux/libsemanage_3.3.bb b/recipes-security/selinux/libsemanage_3.3.bb
index 0a6ff95..b17eb68 100644
--- a/recipes-security/selinux/libsemanage_3.3.bb
+++ b/recipes-security/selinux/libsemanage_3.3.bb
@@ -4,7 +4,7 @@ It is used by checkpolicy (the policy compiler) and similar tools, as well \
as by programs like load_policy that need to perform specific transformations \
on binary policies such as customizing policy boolean settings."
SECTION = "base"
-LICENSE = "LGPLv2.1+"
+LICENSE = "LGPL-2.1-or-later"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"

require selinux_common.inc
--
2.25.1