meta-security: subtree update:a85fbe980e..c20b35b527

Anton Antonov (1):
      Parsec service. Update PACKAGECONFIG definitions and README.md

Armin Kuster (20):
      python3-fail2ban: fix build failure and cleanup
      meta-parsec/README: remove rust layer req.
      opendnssec: blacklist do to ldns being blacklisted
      apparmor: Add a python 3.10 compatability patch
      tpm2-tools: update to 5.2
      openssl-tpm-engine: fix build issue with openssl 3
      tpm2-openssl: add new pkg
      tpm2-pkcs11: update to 1.7.0
      recipes: Update SRC_URI branch and protocols
      sssd: Create /var/log/sssd in runtime
      bastille: Create /var/log/Bastille in runtime
      python3-fail2ban: remove /run
      tpm2-pkcs11: update to 1.7.0
      libest: does not build with openssl 3.x
      clamav: fix useradd warning
      python3-fail2ban: update to tip
      tpm2-pkcs11: backport openssl 3.x build fixes
      packagegroup-security-tpm2: drop ibmswtpm2
      meta-integrity: drop strongswan bbappends
      meta-tpm: drop strongswan bbappends

Kai Kang (2):
      sssd: re-package to fix QA issues
      apparmor: fix warning of remove operator combined with +=

Kristian Klausen (2):
      swtpm: update to 0.6.1
      dm-verity-img.bbclass: Fix wrong override syntax for CONVERSION_DEPENDS

Liwei Song (1):
      recipes-security/chipsec: platform security assessment framework

Stefan Mueller-Klieser (1):
      tpm2-tss: fix fapi package config

Yi Zhao (2):
      openssl-tpm-engine: fix warning for append operator combined with +=
      meta-parsec/README.md: fix for append operator combined with +=

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I2156e47cf3f4f45daa2b60a73e3b46be3b6a86c0

13 files changed, 91 insertions, 196 deletions

diff --git a/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/recipes-security/bastille/bastille_3.2.1.bb
index 72281c5379..2d82983521 100644
--- a/meta-security/recipes-security/bastille/bastille_3.2.1.bb
+++ b/meta-security/recipes-security/bastille/bastille_3.2.1.bb
@@ -48,7 +48,6 @@ do_install () {
 	install -d ${D}${datadir}/Bastille/OSMap/Modules
 	install -d ${D}${datadir}/Bastille/Questions
 	install -d ${D}${datadir}/Bastille/FKL/configs/
-	install -d ${D}${localstatedir}/log/Bastille
 	install -d ${D}${sysconfdir}/Bastille
 	install -m 0755 AutomatedBastille  ${D}${sbindir}
 	install -m 0755 BastilleBackEnd    ${D}${sbindir}
@@ -148,6 +147,20 @@ do_install () {
 	${THISDIR}/files/set_required_questions.py ${D}${sysconfdir}/Bastille/config ${D}${datadir}/Bastille/Questions
 
 	ln -s RevertBastille ${D}${sbindir}/UndoBastille
+
+    # Create /var/log/Bastille in runtime.
+    if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then
+        install -d ${D}${nonarch_libdir}/tmpfiles.d
+        echo "d ${localstatedir}/log/Bastille - - - -" > ${D}${nonarch_libdir}/tmpfiles.d/Bastille.conf
+    fi
+    if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
+        install -d ${D}${sysconfdir}/default/volatiles
+        echo "d root root 0755 ${localstatedir}/log/Bastille none" > ${D}${sysconfdir}/default/volatiles/99_Bastille
+    fi
 }
 
-FILES:${PN} += "${datadir}/Bastille ${libdir}/Bastille ${libdir}/perl* ${sysconfdir}/*"
+FILES:${PN} += "${datadir}/Bastille \
+                ${libdir}/Bastille \
+                ${libdir}/perl* \
+                ${sysconfdir}/* \
+                ${nonarch_libdir}/tmpfiles.d"
diff --git a/meta-security/recipes-security/chipsec/chipsec_git.bb b/meta-security/recipes-security/chipsec/chipsec_git.bb
new file mode 100644
index 0000000000..e265a082ed
--- /dev/null
+++ b/meta-security/recipes-security/chipsec/chipsec_git.bb
@@ -0,0 +1,35 @@
+SUMMARY = "CHIPSEC: Platform Security Assessment Framework"
+
+DESCRIPTION = "CHIPSEC is a framework for analyzing the security \
+               of PC platforms including hardware, system firmware \
+               (BIOS/UEFI), and platform components."
+
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d"
+
+SRC_URI = "git://github.com/chipsec/chipsec.git;branch=master;protocol=https \
+          "
+
+SRCREV = "b2a61684826dc8b9f622a844a40efea579cd7e7d"
+
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+
+S = "${WORKDIR}/git"
+EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
+
+DEPENDS = "virtual/kernel nasm-native python3-setuptools-native"
+RDEPENDS:${PN} += "python3 python3-modules"
+
+inherit module distutils3
+
+do_compile:append() {
+	cd ${S}/drivers/linux
+	oe_runmake  KSRC=${STAGING_KERNEL_BUILDDIR}
+}
+
+do_install:append() {
+	install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux
+}
+
+FILES:${PN} += "${exec_prefix} \
+"
diff --git a/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py b/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
deleted file mode 100755
index e23194986f..0000000000
--- a/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
+++ /dev/null
@@ -1,174 +0,0 @@
-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
-# vi: set ft=python sts=4 ts=4 sw=4 noet :
-
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
-
-__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
-__license__ = "GPL"
-
-import platform
-
-try:
-	import setuptools
-	from setuptools import setup
-	from setuptools.command.install import install
-	from setuptools.command.install_scripts import install_scripts
-except ImportError:
-	setuptools = None
-	from distutils.core import setup
-
-# all versions
-from distutils.command.build_py import build_py
-from distutils.command.build_scripts import build_scripts
-if setuptools is None:
-	from distutils.command.install import install
-	from distutils.command.install_scripts import install_scripts
-try:
-	# python 3.x
-	from distutils.command.build_py import build_py_2to3
-	from distutils.command.build_scripts import build_scripts_2to3
-	_2to3 = True
-except ImportError:
-	# python 2.x
-	_2to3 = False
-
-import os
-from os.path import isfile, join, isdir, realpath
-import sys
-import warnings
-from glob import glob
-
-from fail2ban.setup import updatePyExec
-
-if setuptools and "test" in sys.argv:
-	import logging
-	logSys = logging.getLogger("fail2ban")
-	hdlr = logging.StreamHandler(sys.stdout)
-	fmt = logging.Formatter("%(asctime)-15s %(message)s")
-	hdlr.setFormatter(fmt)
-	logSys.addHandler(hdlr)
-	if set(["-q", "--quiet"]) & set(sys.argv):
-		logSys.setLevel(logging.CRITICAL)
-		warnings.simplefilter("ignore")
-		sys.warnoptions.append("ignore")
-	elif set(["-v", "--verbose"]) & set(sys.argv):
-		logSys.setLevel(logging.DEBUG)
-	else:
-		logSys.setLevel(logging.INFO)
-elif "test" in sys.argv:
-	print("python distribute required to execute fail2ban tests")
-	print("")
-
-longdesc = '''
-Fail2Ban scans log files like /var/log/pwdfail or
-/var/log/apache/error_log and bans IP that makes
-too many password failures. It updates firewall rules
-to reject the IP address or executes user defined
-commands.'''
-
-if setuptools:
-	setup_extra = {
-		'test_suite': "fail2ban.tests.utils.gatherTests",
-		'use_2to3': True,
-	}
-else:
-	setup_extra = {}
-
-data_files_extra = []
-
-# Installing documentation files only under Linux or other GNU/ systems
-# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
-# installation there (see e.g. #1233)
-platform_system = platform.system().lower()
-doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
-if platform_system in ('solaris', 'sunos'):
-	doc_files.append('README.Solaris')
-if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
-	data_files_extra.append(
-		('/usr/share/doc/fail2ban', doc_files)
-	)
-
-# Get version number, avoiding importing fail2ban.
-# This is due to tests not functioning for python3 as 2to3 takes place later
-exec(open(join("fail2ban", "version.py")).read())
-
-setup(
-	name = "fail2ban",
-	version = version,
-	description = "Ban IPs that make too many password failures",
-	long_description = longdesc,
-	author = "Cyril Jaquier & Fail2Ban Contributors",
-	author_email = "cyril.jaquier@fail2ban.org",
-	url = "http://www.fail2ban.org",
-	license = "GPL",
-	platforms = "Posix",
-	cmdclass = {
-		'build_py': build_py, 'build_scripts': build_scripts, 
-	},
-	scripts = [
-		'bin/fail2ban-client',
-		'bin/fail2ban-server',
-		'bin/fail2ban-regex',
-		'bin/fail2ban-testcases',
-		# 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
-	],
-	packages = [
-		'fail2ban',
-		'fail2ban.client',
-		'fail2ban.server',
-		'fail2ban.tests',
-		'fail2ban.tests.action_d',
-	],
-	package_data = {
-		'fail2ban.tests':
-			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
-				for w in os.walk('fail2ban/tests/files')
-				for f in w[2]] +
-			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
-				for w in os.walk('fail2ban/tests/config')
-				for f in w[2]] +
-			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
-				for w in os.walk('fail2ban/tests/action_d')
-				for f in w[2]]
-	},
-	data_files = [
-		('/etc/fail2ban',
-			glob("config/*.conf")
-		),
-		('/etc/fail2ban/filter.d',
-			glob("config/filter.d/*.conf")
-		),
-		('/etc/fail2ban/filter.d/ignorecommands',
-			[p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
-		),
-		('/etc/fail2ban/action.d',
-			glob("config/action.d/*.conf") +
-			glob("config/action.d/*.py")
-		),
-		('/etc/fail2ban/fail2ban.d',
-			''
-		),
-		('/etc/fail2ban/jail.d',
-			''
-		),
-		('/var/lib/fail2ban',
-			''
-		),
-	] + data_files_extra,
-	**setup_extra
-)
diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
index ed75a0e7dd..f6394cc8a3 100644
--- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
+++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
@@ -9,10 +9,9 @@ HOMEPAGE = "http://www.fail2ban.org"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
 
-SRCREV ="eea1881b734b73599a21df2bfbe58b11f78d0a46"
-SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \
+SRCREV ="4fe4ac8dde6ba14841da598ec37f8c6911fe0f64"
+SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11;protocol=https \
         file://initd \
-        file://fail2ban_setup.py \
         file://run-ptest \
 "
 
@@ -20,17 +19,18 @@ inherit update-rc.d ptest setuptools3
 
 S = "${WORKDIR}/git"
 
-do_compile:prepend () {
-    cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
+do_compile () {
     cd ${S}
     ./fail2ban-2to3
 }
 
 do_install:append () {
+    rm  -f ${D}/${bindir}/fail2ban-python
     install -d ${D}/${sysconfdir}/fail2ban
     install -d ${D}/${sysconfdir}/init.d
     install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
     chown -R root:root ${D}/${bindir}
+    rm -rf ${D}/run
 }
 
 do_install_ptest:append () {
@@ -38,9 +38,9 @@ do_install_ptest:append () {
     install -d ${D}${PTEST_PATH}/bin
     sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
     install -D ${S}/bin/* ${D}${PTEST_PATH}/bin
+    rm -f ${D}${PTEST_PATH}/bin/fail2ban-python
 }
 
-FILES:${PN} += "/run"
 
 INITSCRIPT_PACKAGES = "${PN}"
 INITSCRIPT_NAME = "fail2ban-server"
diff --git a/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb b/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
index a70d310a5b..66bf429a46 100644
--- a/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
+++ b/meta-security/recipes-security/fscrypt/fscrypt_1.0.0.bb
@@ -14,7 +14,7 @@ BBCLASSEXTEND = "native nativesdk"
 DEPENDS += "go-dep-native libpam"
 
 SRCREV = "92b1e9a8670ccd3916a7d24a06cab1e4c9815bc4"
-SRC_URI = "git://github.com/google/fscrypt.git"
+SRC_URI = "git://github.com/google/fscrypt.git;branch=master;protocol=https"
 GO_IMPORT = "import"
 
 S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb b/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb
index 26f549b6c0..d319e48dbe 100644
--- a/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb
+++ b/meta-security/recipes-security/fscryptctl/fscryptctl_1.0.0.bb
@@ -10,7 +10,7 @@ LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 
 SRCREV = "56b898c896240328adef7407090215abbe9ee03d"
-SRC_URI = "git://github.com/google/fscryptctl.git"
+SRC_URI = "git://github.com/google/fscryptctl.git;branch=master;protocol=https"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
index 4ab8374854..e8ddf291e6 100644
--- a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
+++ b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
@@ -3,7 +3,7 @@ HOME_PAGE = "https://github.com/google/google-authenticator-libpam"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 LICENSE = "Apache-2.0"
 
-SRC_URI = "git://github.com/google/google-authenticator-libpam.git"
+SRC_URI = "git://github.com/google/google-authenticator-libpam.git;branch=master;protocol=https"
 SRCREV = "2c7415d950fb0b4a7f779f045910666447b100ef"
 
 DEPENDS = "libpam"
diff --git a/meta-security/recipes-security/libest/libest_3.2.0.bb b/meta-security/recipes-security/libest/libest_3.2.0.bb
index fda2df4c99..41a4025601 100644
--- a/meta-security/recipes-security/libest/libest_3.2.0.bb
+++ b/meta-security/recipes-security/libest/libest_3.2.0.bb
@@ -6,7 +6,7 @@ LICENSE = "OpenSSL"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885"
 
 SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b"
-SRC_URI = "git://github.com/cisco/libest;branch=main"
+SRC_URI = "git://github.com/cisco/libest;branch=main;protocol=https"
 
 DEPENDS = "openssl"
 
@@ -25,3 +25,6 @@ S = "${WORKDIR}/git"
 PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
 
 FILES:${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
+
+# https://github.com/cisco/libest/issues/104
+PNBLACKLIST[libest] ?= "Needs porting to openssl 3.x"
diff --git a/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
index 8c288beebc..65db10f976 100644
--- a/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
+++ b/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
@@ -7,7 +7,7 @@ DEPENDS = ""
 LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
 
 SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc"
-SRC_URI = "git://github.com/kyz/libmspack.git"
+SRC_URI = "git://github.com/kyz/libmspack.git;branch=master;protocol=https"
 
 inherit autotools
 
diff --git a/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/meta-security/recipes-security/ncrack/ncrack_0.7.bb
index 8b221e53c1..f151e4e139 100644
--- a/meta-security/recipes-security/ncrack/ncrack_0.7.bb
+++ b/meta-security/recipes-security/ncrack/ncrack_0.7.bb
@@ -7,7 +7,7 @@ LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2"
 
 SRCREV = "dc570e7e3cec1fb176c0168eaedc723084bd0426"
-SRC_URI = "git://github.com/nmap/ncrack.git"
+SRC_URI = "git://github.com/nmap/ncrack.git;branch=master;protocol=https"
 
 DEPENDS = "openssl zlib"
 
diff --git a/meta-security/recipes-security/nikto/nikto_2.1.6.bb b/meta-security/recipes-security/nikto/nikto_2.1.6.bb
index 242f3acc57..8542d69216 100644
--- a/meta-security/recipes-security/nikto/nikto_2.1.6.bb
+++ b/meta-security/recipes-security/nikto/nikto_2.1.6.bb
@@ -7,7 +7,7 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
 
 SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
-SRC_URI = "git://github.com/sullo/nikto.git \
+SRC_URI = "git://github.com/sullo/nikto.git;branch=master;protocol=https \
            file://location.patch"
 
 S = "${WORKDIR}/git/program"
diff --git a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb b/meta-security/recipes-security/opendnssec/opendnssec_2.1.10.bb
index 6c1bd46b7d..6b537112c7 100644
--- a/meta-security/recipes-security/opendnssec/opendnssec_2.1.9.bb
+++ b/meta-security/recipes-security/opendnssec/opendnssec_2.1.10.bb
@@ -10,7 +10,7 @@ SRC_URI = "https://dist.opendnssec.org/source/opendnssec-${PV}.tar.gz \
            file://libdns_conf_fix.patch \
            "
 
-SRC_URI[sha256sum] = "6d1d466c8d7f507f3e665f4bfe4d16a68d6bff9d7c2ab65f852e2b2a821c28b5"
+SRC_URI[sha256sum] = "c0a8427de241118dccbf7abc508e4dd53fb75b45e9f386addbadae7ecc092756"
 
 inherit autotools pkgconfig perlnative
 
@@ -32,3 +32,5 @@ do_install:append () {
 }
 
 RDEPENDS:${PN} = "softhsm"
+
+PNBLACKLIST[opendnssec] ?= "Needs porting to openssl 3.x"
diff --git a/meta-security/recipes-security/sssd/sssd_2.5.2.bb b/meta-security/recipes-security/sssd/sssd_2.5.2.bb
index 76d6e03e9b..8bc8787b88 100644
--- a/meta-security/recipes-security/sssd/sssd_2.5.2.bb
+++ b/meta-security/recipes-security/sssd/sssd_2.5.2.bb
@@ -86,13 +86,23 @@ do_install () {
     rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
     install -d ${D}/${sysconfdir}/${BPN}
     install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
-    install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
+
+    # /var/log/sssd needs to be created in runtime. Use rmdir to catch if
+    # upstream stops creating /var/log/sssd, or adds something else in
+    # /var/log.
+    rmdir ${D}${localstatedir}/log/${BPN} ${D}${localstatedir}/log
+    rmdir --ignore-fail-on-non-empty ${D}${localstatedir}
 
     if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
         install -d ${D}${sysconfdir}/tmpfiles.d
         echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
     fi
 
+    if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
+        install -d ${D}${sysconfdir}/default/volatiles
+        echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
+    fi
+
     # Remove /run as it is created on startup
     rm -rf ${D}/run
 
@@ -106,6 +116,8 @@ fi
     chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
 }
 
+FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
+
 CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
 
 INITSCRIPT_NAME = "sssd"
@@ -125,10 +137,14 @@ SYSTEMD_SERVICE:${PN} = " \
 "
 SYSTEMD_AUTO_ENABLE = "disable"
 
-FILES:${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss*.so"
-FILES:${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
+PACKAGES =+ "libsss-sudo"
+ALLOW_EMPTY:libsss-sudo = "1"
 
-# The package contains symlinks that trip up insane
-INSANE_SKIP:${PN} = "dev-so"
+FILES:${PN} += "${base_libdir}/security/pam_sss*.so  \
+                ${datadir}/dbus-1/system-services/*.service \
+                ${libdir}/krb5/* \
+                ${libdir}/ldb/* \
+                "
+FILES:libsss-sudo = "${libdir}/libsss_sudo.so"
 
-RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam"
+RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"