[Buildroot] [PATCH v7 05/22] policycoreutils: new package

Clayton Shotwell clayton.shotwell at rockwellcollins.com
Wed Jul 8 20:40:51 UTC 2015


Thomas,

Sorry for the late reply. I just got back from vacation.

On Wed, Jun 17, 2015 at 5:13 PM, Thomas Petazzoni
<thomas.petazzoni at free-electrons.com> wrote:
> Dear Clayton Shotwell,
>
> On Tue,  2 Jun 2015 08:28:21 -0500, Clayton Shotwell wrote:
>
>> diff --git a/package/policycoreutils/0001-cross-compile-fixes.patch b/package/policycoreutils/0001-cross-compile-fixes.patch
>> new file mode 100644
>> index 0000000..8f47907
>> --- /dev/null
>> +++ b/package/policycoreutils/0001-cross-compile-fixes.patch
>> @@ -0,0 +1,332 @@
>> +Patch to enable cross compile build and install.
>> +
>> +Signed-off-by Clayton Shotwell <clshotwe at rockwellcollins.com>
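
Review bot: The `Signed-off-by Clayton Shotwell` line in the embedded
patch header is missing the colon after the trailer name. Write it as
`Signed-off-by: ...` so that trailer-parsing tools recognise it, and
carry the corrected line into each of the smaller patches when this one
is split.
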
>
> This patch should really be split into smaller patches. Especially
> since we definitely want you to upstream this patch. One patch adding
> DESTDIR where needed, one patch adding PREFIX where needed, other
> patches doing the other details here and there.

I can break those up and resubmit the patches.

>> ++PYTHON_ARGS = LDSHARED="$(CC) -shared" \
>> ++            CROSS_COMPILING=yes              \
>> ++            _python_sysroot=$(DESTDIR)       \
>> ++            _python_srcdir=$(PYTHON_SRC)     \
>> ++            _python_prefix=/usr              \
>> ++            _python_exec_prefix=/usr
>
> This cannot be put inside the patch itself. Some of these variables
> (_python_*) are Buildroot specific, and therefore do not belong inside
> the policycoreutils source, they should be passed by policycoreutils.mk.

Good catch. I'll move that into the policycoreutils.mk file.

>> diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
>> new file mode 100644
>> index 0000000..733b896
>> --- /dev/null
>> +++ b/package/policycoreutils/Config.in
>> @@ -0,0 +1,53 @@
>> +config BR2_PACKAGE_POLICYCOREUTILS
>> +     bool "policycoreutils"
>> +     select BR2_PACKAGE_LIBSEMANAGE
>> +     select BR2_PACKAGE_LIBCAP_NG
>> +     select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
>> +     depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
>> +     depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
>> +     help
>> +       Policycoreutils is a collection of policy utilities (originally
>> +       the "core" set of utilities needed to use SELinux, although it
>> +       has grown a bit over time), which have different dependencies.
>> +       sestatus, secon, run_init, and newrole only use libselinux.
>> +       load_policy and setfiles only use libselinux and libsepol.
>> +       semodule and semanage use libsemanage (and thus bring in
>> +       dependencies on libsepol and libselinux as well). setsebool
>> +       uses libselinux to make non-persistent boolean changes (via
>> +       the kernel interface) and uses libsemanage to make persistent
>> +       boolean changes.
>> +
>> +       The base package will install the following utilities:
>> +           load_policy
>> +           newrole
>> +           restorecond
>> +           run_init
>> +           secon
>> +           semodule
>> +           semodule_deps
>> +           semodule_expand
>> +           semodule_link
>> +           semodule_package
>> +           sepolgen-ifgen
>> +           sestatus
>> +           setfiles
>> +           setsebool
>> +
>> +       http://selinuxproject.org/page/Main_Page
>> +
>> +comment "policycoreutils needs a toolchain w/ threads, glibc or musl"
>
> policycoreutils needs a glibc or musl toolchain w/ threads

Will fix.

>> +     depends on !BR2_TOOLCHAIN_HAS_THREADS  \
>> +             || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
>> +
>> +if BR2_PACKAGE_POLICYCOREUTILS
>> +
>> +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
>> +     bool "restorecond Utility"
>> +     depends on BR2_PACKAGE_DBUS_GLIB
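
Review bot: The help text lists restorecond among the utilities that
"the base package will install", but restorecond is gated by the
separate BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND option defined here,
and policycoreutils.mk only adds it to POLICYCOREUTILS_MAKE_DIRS when
that option is set. Drop restorecond from the base list in the help
text, or say there that it is optional, so the description matches what
actually lands on the target.
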
>
> Make that a "select BR2_PACKAGE_DBUS_GLIB", and propagate the necessary
> dependencies (there shouldn't be many since you anyway already depend
> on glibc or musl).

Can do.

>> new file mode 100644
>> index 0000000..b03ea5c
>> --- /dev/null
>> +++ b/package/policycoreutils/policycoreutils.mk
>> @@ -0,0 +1,107 @@
>> +################################################################################
>> +#
>> +# policycoreutils
>> +#
>> +################################################################################
>> +
>> +POLICYCOREUTILS_VERSION = 2.1.14
>> +POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
>> +POLICYCOREUTILS_LICENSE = GPLv2
>> +POLICYCOREUTILS_LICENSE_FILES = COPYING
>> +
>> +# gettext for load_policy.c use of libintl_* functions
>> +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
>> +
>> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
>> +     POLICYCOREUTILS_DEPENDENCIES += linux-pam
>> +     POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
>
> Don't indent such lines. Only the commands should be indented.

Agreed. Must have missed those.

>> +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
>> +     $(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
>> +     $(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
>> +endef
>> +endif
>> +
>> +ifeq ($(BR2_PACKAGE_AUDIT),y)
>> +     POLICYCOREUTILS_DEPENDENCIES += audit
>> +     POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
>
> Ditto.
>
>> +endif
>> +
>> +# Enable LSPP_PRIV if both audit and linux pam are enabled
>> +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
>> +     POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
>
> Ditto.
>
>> +endif
>> +
>> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
>> +# large file support.
>> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
>> +POLICYCOREUTILS_MAKE_OPTS = \
>> +     $(TARGET_CONFIGURE_OPTS) \
>> +     CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
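
Review bot: The plain `=` in `POLICYCOREUTILS_MAKE_OPTS = \` comes after
the three `POLICYCOREUTILS_MAKE_OPTS +=` lines in the ifeq blocks above,
so it replaces the variable and NAMESPACE_PRIV=y, AUDIT_LOG_PRIV=y and
LSPP_PRIV=y are silently never passed to make, even when linux-pam and
audit are enabled. Move this base assignment above the ifeq blocks so
that the `+=` lines append to it.
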
>
> This _FILE_OFFSET_BITS hack is not pretty, but oh well.
>
>> +     LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)"
>> +
>> +POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
>> +     secon semodule semodule_deps semodule_expand semodule_link \
>> +     semodule_package sepolgen-ifgen sestatus setfiles setsebool
>> +
>> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
>> +POLICYCOREUTILS_DEPENDENCIES += dbus-glib
>> +POLICYCOREUTILS_MAKE_DIRS += restorecond
>> +endif
>> +
>> +define POLICYCOREUTILS_BUILD_CMDS
>> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
>> +     done
>> +endef
>> +
>> +define POLICYCOREUTILS_INSTALL_TARGET_CMDS
>> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
>> +     done
>> +endef
>> +
>> +HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
>> +
>> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
>> +# large file support.
>> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
>> +HOST_POLICYCOREUTILS_MAKE_OPTS = \
>> +     $(HOST_CONFIGURE_OPTS) \
>> +     CFLAGS+="-U_FILE_OFFSET_BITS" \
>
> This CFLAGS += doesn't make much sense, += compared to what? Don't you
> want CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" ?

Good point. I wonder how I missed changing that one when the target
version is correct. I'll get it fixed.

>> +     PYTHON="$(HOST_DIR)/usr/bin/python"
>> +
>> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
>> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
>> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
>> +     PYLIBVER="python$(PYTHON3_VERSION_MAJOR)" \
>> +     PYTHON_SRC="$(BUILD_DIR)/host-python$(PYTHON3_VERSION)"
>> +else
>> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
>> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
>> +     PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
>> +     PYTHON_SRC="$(BUILD_DIR)/host-python$(PYTHON_VERSION)"
>
> Gaah, why does it need access to the Python source code ?

It probably doesn't. Looks like that will be cleaned up with the cross
compiling patch fixes.

>> +endif
>> +
>> +# Note: We are only building the programs required by the refpolicy build
>> +HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
>> +     semodule_package setfiles restorecond audit2allow audit2why scripts semanage sepolicy
>> +
>> +define HOST_POLICYCOREUTILS_BUILD_CMDS
>> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
>> +     done
>> +endef
>> +
>> +define HOST_POLICYCOREUTILS_INSTALL_CMDS
>> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
>> +     done
>> +     # Fix python paths
>> +     $(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/audit2allow
>> +     $(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/audit2why
>> +     $(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
>> +     $(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/sepolicy
>
> Maybe a small loop is in order here. Also, use % or , as the sed
> separator, it's more traditional in Buildroot than ~.

I'll get that changed.

Thanks,
Clayton

Clayton Shotwell
Senior Software Engineer, Rockwell Collins
clayton.shotwell at rockwellcollins.com

