[Buildroot] [ PATCH Selinux v11] policycoreutils: new package

Matthew Weber matt at thewebers.ws
Fri Apr 8 03:00:22 UTC 2016


Niranjan,

On Tue, Mar 22, 2016 at 5:02 PM, Thomas Petazzoni
<thomas.petazzoni at free-electrons.com> wrote:
> Hello,
>
> I really wanted to apply this patch and finally get the remaining
> SELinux support in, but there are still some really wrong things in
> there.
>
> On Wed, 16 Mar 2016 17:12:14 +0530, Niranjan Reddy wrote:
>> From: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
>>
>> This package contains the core policy utilities that are required
>> for basic operation of an SELinux system.Four patchs are included
>> in this package.
>
> Minor typos: space after ".", patchs -> patches.
>
>> Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> Allow-CFLAGS-to-be-overwritten.patch
>> Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> disable-dbus.patch
>
> Completely useless to just give the filenames, especially when they are
> wrong.

Valid point, need to fix typo and provide a description of what the
patches are doing after the "Four patches are included...." statement.
Remove the list of patch names.

>
>
>> diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> new file mode 100644
>> index 0000000..0192e5c
>> --- /dev/null
>> +++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> @@ -0,0 +1,275 @@
>> +From 92d7cc3539f8bfc68b2f2bf688375647abf73ee7 Mon Sep 17 00:00:00 2001
>> +From: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
>> +Date: Fri, 10 Jul 2015 11:44:08 -0500
>> +Subject: Add DESTDIR to all paths that use an absolute path
>> +
>> +To aid in cross compiling, add the DESTDIR variable to the start of all
>> +of the paths used during compilation. Most paths already used DESTDIR.

Add note that "The addition of this patch makes the use of DESTDIR
mandatory as there are conditional checks which would fail if it's not
defined."

>> +
>> +Signed-off-by: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
>
> This patch does a *LOT* more than adding DESTDIR. Just check by
> yourself. Read your own patch! It should be split in several patches.

I have put comments in below noting what to put in the creation of the
following new patches.  Some suggested descriptions for the new
patches are below too.

1) DESTDIR
2) PREFIX
3) Removal of ARCH

>
>> +---
>> + Makefile                |  4 ++--
>> + audit2allow/Makefile    |  2 +-
>> + load_policy/Makefile    |  2 +-
>> + mcstrans/src/Makefile   | 22 +++++++++++++---------
>> + mcstrans/utils/Makefile | 11 +++++++----
>> + newrole/Makefile        | 12 ++++++------
>> + restorecond/Makefile    |  6 ++++--
>> + run_init/Makefile       | 12 ++++++------
>> + sepolicy/Makefile       |  2 +-
>> + setfiles/Makefile       |  4 ++--
>> + 10 files changed, 43 insertions(+), 34 deletions(-)
>> +
>> +diff --git a/Makefile b/Makefile
>> +index 3980799..0fca022 100644
>> +--- a/Makefile
>> ++++ b/Makefile
>> +@@ -1,8 +1,8 @@
>> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
>> +
>> +-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
>> ++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
>
> This is not super great, as it assumes DESTDIR is passed at build time,
> which is not very standard. But OK, that's the easiest solution. But it
> should *definitely* be explained in the description of the patch, as
> it's non trivial.
>

Move to patch #1

I added a note about this above and suggested a statement to add.

>> +
>> +-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
>> ++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
>> +     SUBDIRS += restorecond
>> + endif

Move to patch #2

Change to use PREFIX.

For patch two, the description could be something like....
"Updates the remaining hardcoded host paths used in the build to be
prefixed with a PREFIX path to allow cross compilation."

>> +
>> +diff --git a/audit2allow/Makefile b/audit2allow/Makefile
>> +index 88635d4..1647b5a 100644
>> +--- a/audit2allow/Makefile
>> ++++ b/audit2allow/Makefile
>> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
>> + BINDIR ?= $(PREFIX)/bin
>> + LIBDIR ?= $(PREFIX)/lib
>> + MANDIR ?= $(PREFIX)/share/man
>> +-LOCALEDIR ?= /usr/share/locale
>> ++LOCALEDIR ?= $(PREFIX)/share/locale
>
> This is not about adding DESTDIR, but about changing an hardcoded /usr
> to $(PREFIX).

Move to patch #2

>
> In addition, in the INOTIFYH fix above, you don't change usr/ to
> $(PREFIX).

Resolved above.

>
>> +
>> + all: ;
>> +
>> +diff --git a/load_policy/Makefile b/load_policy/Makefile
>> +index 7c5bab0..5cd0bbb 100644
>> +--- a/load_policy/Makefile
>> ++++ b/load_policy/Makefile
>> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
>> + SBINDIR ?= $(DESTDIR)/sbin
>> + USRSBINDIR ?= $(PREFIX)/sbin
>> + MANDIR ?= $(PREFIX)/share/man
>> +-LOCALEDIR ?= /usr/share/locale
>> ++LOCALEDIR ?= $(PREFIX)/share/locale
>
> This is also changing /usr to PREFIX, which has nothing to do with
> using DESTDIR.

Move to patch #2

>
>> +
>> + CFLAGS ?= -Werror -Wall -W
>> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>> +diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
>> +index fb44490..a0666f1 100644
>> +--- a/mcstrans/src/Makefile
>> ++++ b/mcstrans/src/Makefile
>> +@@ -1,22 +1,26 @@
>> +-ARCH = $(shell uname -i)

Move the above line to patch #3

>> ++# Installation directories.
>> ++PREFIX  ?= $(DESTDIR)/usr
>> ++SBINDIR ?= $(DESTDIR)/sbin
>> ++INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
>
> This has nothing to do with adding DESTDIR, and there is no explanation
> why adding those variable definitions here is necessary. Thos
> definitions are normally below, why are you moving there up here?

Niranjan, why did they move, I don't have the complete file in front
of me to check?

>
>> ++
>> ++ARCH ?= $(shell uname -i)
>
> Looks good, but needs to be explained in the patch description (and in
> a separate patch).

Move to patch #3

Use a description that's something like this in the patch....
"Allow the ARCH value to be passed in as original configuration was
solely based on host architecture."

>
>> + ifeq "$(ARCH)" "x86_64"
>> +     # In case of 64 bit system, use these lines
>> +-    LIBDIR=/usr/lib64
>> +-else
>> ++    LIBDIR=$(PREFIX)/lib64
>> ++else
>> + ifeq "$(ARCH)" "i686"
>> +     # In case of 32 bit system, use these lines
>> +-    LIBDIR=/usr/lib
>> ++    LIBDIR=$(PREFIX)/lib
>> + else
>> + ifeq "$(ARCH)" "i386"
>> +     # In case of 32 bit system, use these lines
>> +-    LIBDIR=/usr/lib
>> ++    LIBDIR=$(PREFIX)/lib
>> ++else
>> ++    # Default to these lines if arch is unknown
>> ++    LIBDIR=$(PREFIX)/lib
>
> This is all /usr -> $(PREFIX) replacement, nothing to do with DESTDIR.

Move above changes to patch #2

>
>> + endif
>> + endif
>> + endif
>> +-# Installation directories.
>> +-PREFIX  ?= $(DESTDIR)/usr
>> +-SBINDIR ?= $(DESTDIR)/sbin
>> +-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d

Like previous comment, why did these get removed from here and moved above?

>> +
>> + PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
>> + PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
>> +diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
>> +index 1ffb027..da5c152 100644
>> +--- a/mcstrans/utils/Makefile
>> ++++ b/mcstrans/utils/Makefile
>> +@@ -2,18 +2,21 @@
>> + PREFIX ?= $(DESTDIR)/usr
>> + BINDIR ?= $(PREFIX)/sbin
>> +
>> +-ARCH = $(shell uname -i)
>> ++ARCH ?= $(shell uname -i)

Move the above two lines to patch #3

>> + ifeq "$(ARCH)" "x86_64"
>> +         # In case of 64 bit system, use these lines
>> +-        LIBDIR=/usr/lib64
>> ++        LIBDIR=$(PREFIX)/lib64
>> + else
>> + ifeq "$(ARCH)" "i686"
>> +         # In case of 32 bit system, use these lines
>> +-        LIBDIR=/usr/lib
>> ++        LIBDIR=$(PREFIX)/lib
>> + else
>> + ifeq "$(ARCH)" "i386"
>> +         # In case of 32 bit system, use these lines
>> +-        LIBDIR=/usr/lib
>> ++        LIBDIR=$(PREFIX)/lib
>> ++else
>> ++        # Default to these lines if arch is unknown
>> ++        LIBDIR=$(PREFIX)/lib
>

Move to patch #2

> Same comments as above;
>
>> + endif
>> + endif
>> + endif
>> +diff --git a/newrole/Makefile b/newrole/Makefile
>> +index 646cd4d..045e3b7 100644
>> +--- a/newrole/Makefile
>> ++++ b/newrole/Makefile
>> +@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
>> + BINDIR ?= $(PREFIX)/bin
>> + MANDIR ?= $(PREFIX)/share/man
>> + ETCDIR ?= $(DESTDIR)/etc
>> +-LOCALEDIR = /usr/share/locale
>> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
>> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
>> ++LOCALEDIR = $(PREFIX)/share/locale
>> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
>> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>
> This is *completely* wrong. It will look at /usr/include/libaudit.h
> and /usr/include/security/pam_appl.h on your build machine to decide
> where pam and audit support is available. If you follow the fix done
> earlier for INOTIFYH, you should do:
>
> AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)

The variable DESTDIR when used in PREFIX isn't expanded because you're
in a shell in that "shell ls" command.  So you have to use
$(DESTDIR)/usr.

Move to patch #1 and update as noted to use $(DESTDIR)/usr/ for PAMH=, AUDITD=

>
>> + # Enable capabilities to permit newrole to generate audit records.
>> + # This will make newrole a setuid root program.
>> + # The capabilities used are: CAP_AUDIT_WRITE.
>> +@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
>> + EXTRA_OBJS =
>> + override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>> + LDLIBS += -lselinux -L$(PREFIX)/lib
>> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>

Move to patch #2

> Same comment as above.
>
>> +     override CFLAGS += -DUSE_PAM
>> +     EXTRA_OBJS += hashtab.o
>> +     LDLIBS += -lpam -lpam_misc
>> +@@ -32,7 +32,7 @@ else
>> +     override CFLAGS += -D_XOPEN_SOURCE=500
>> +     LDLIBS += -lcrypt
>> + endif
>> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
>> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>
> Ditto.

Move to patch #2

>
>> +     override CFLAGS += -DUSE_AUDIT
>> +     LDLIBS += -laudit
>> + endif
>> +@@ -66,7 +66,7 @@ install: all
>> +     test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
>> +     install -m $(MODE) newrole $(BINDIR)
>> +     install -m 644 newrole.1 $(MANDIR)/man1/
>> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>
> Ditto.

Move to patch #2

>
>> +     test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
>> + ifeq ($(LSPP_PRIV),y)
>> +     install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
>> +diff --git a/restorecond/Makefile b/restorecond/Makefile
>> +index 3074542..7c40f95 100644
>> +--- a/restorecond/Makefile
>> ++++ b/restorecond/Makefile
>> +@@ -10,11 +10,13 @@ autostart_DATA = sealertauto.desktop
>> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
>> + SELINUXDIR = $(DESTDIR)/etc/selinux
>> +
>> +-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
>> ++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
>> ++            -I$(PREFIX)/lib/dbus-1.0/include
>
> Completely wrong. This will add -I/usr/include/dbus-1.0 when
> cross-compiling. Bad.
>

Same as other case of variable expansion.  Update all use of PREFIX to
be $(DESTDIR)/usr/

Move to patch #1

>> + DBUSLIB = -ldbus-glib-1 -ldbus-1
>> +
>> + CFLAGS ?= -g -Werror -Wall -W
>> +-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
>> ++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
>> ++            -I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
>
> Same.


Same as other case of variable expansion.  Update all use of PREFIX to
be $(DESTDIR)/usr/

Move to patch #1

>
>> +
>> + LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
>> +
>> +diff --git a/run_init/Makefile b/run_init/Makefile
>> +index 12b39b4..da49c41 100644
>> +--- a/run_init/Makefile
>> ++++ b/run_init/Makefile
>> +@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
>> + SBINDIR ?= $(PREFIX)/sbin
>> + MANDIR ?= $(PREFIX)/share/man
>> + ETCDIR ?= $(DESTDIR)/etc
>> +-LOCALEDIR ?= /usr/share/locale
>> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
>> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
>> ++LOCALEDIR ?= $(PREFIX)/share/locale
>> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
>> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>
> Also wrong.
>

Same as other case of variable expansion.  Update all use of PREFIX
when used in a "shell ls" to be $(DESTDIR)/usr/

Move to patch #1

>> +
>> + CFLAGS ?= -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>> + LDLIBS += -lselinux -L$(PREFIX)/lib
>> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>
> Ditto.

Move to patch #2

>
>> +     override CFLAGS += -DUSE_PAM
>> +     LDLIBS += -lpam -lpam_misc
>> + else
>> +     override CFLAGS += -D_XOPEN_SOURCE=500
>> +     LDLIBS += -lcrypt
>> + endif
>> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
>> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>
> Ditto.

Move to patch #2

>
>> +     override CFLAGS += -DUSE_AUDIT
>> +     LDLIBS += -laudit
>> + endif
>> +@@ -38,7 +38,7 @@ install: all
>> +     install -m 755 open_init_pty $(SBINDIR)
>> +     install -m 644 run_init.8 $(MANDIR)/man8/
>> +     install -m 644 open_init_pty.8 $(MANDIR)/man8/
>> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>
> Ditto.

Move to patch #2

>
>> +     install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
>> + endif
>> +
>> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> +index 11b534f..1249546 100644
>> +--- a/sepolicy/Makefile
>> ++++ b/sepolicy/Makefile
>> +@@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
>> + BINDIR ?= $(PREFIX)/bin
>> + SBINDIR ?= $(PREFIX)/sbin
>> + MANDIR ?= $(PREFIX)/share/man
>> +-LOCALEDIR ?= /usr/share/locale
>> ++LOCALEDIR ?= $(PREFIX)/share/locale

Move to patch #2

>> + PYTHON ?= /usr/bin/python
>> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> +diff --git a/setfiles/Makefile b/setfiles/Makefile
>> +index 4b44b3c..ebc22c8 100644
>> +--- a/setfiles/Makefile
>> ++++ b/setfiles/Makefile
>> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
>> + SBINDIR ?= $(DESTDIR)/sbin
>> + MANDIR = $(PREFIX)/share/man
>> + LIBDIR ?= $(PREFIX)/lib
>> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
>> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>
> Still wrong.

Same as other case of variable expansion.  Update all use of PREFIX
when used in a "shell ls" to be $(DESTDIR)/usr/

Move to patch #1

>
>> +
>> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
>> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
>> +@@ -12,7 +12,7 @@ CFLAGS = -g -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include
>> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
>> +
>> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
>> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>
> Here as well.

Move to patch #2

>
>> +     override CFLAGS += -DUSE_AUDIT
>> +     LDLIBS += -laudit
>> + endif
>> +--
>> +1.9.1
>> +
>> diff --git a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
>> new file mode 100644
>> index 0000000..b6e6d99
>> --- /dev/null
>> +++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
>> @@ -0,0 +1,57 @@
>> +From cfce1180f96cca5e7444d94b2ebc39213d7dac75 Mon Sep 17 00:00:00 2001
>> +From: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
>> +Date: Fri, 10 Jul 2015 11:47:09 -0500
>> +Subject: Allow CFLAGS to be overwritten
>> +
>> +Allow all CFLAGS declarations to be overwritten to aid in cross
>> +compiling.
>> +
>> +Signed-off-by: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
>> +---
>> + sepolicy/Makefile | 2 +-
>> + sestatus/Makefile | 2 +-
>> + setfiles/Makefile | 2 +-
>> + 3 files changed, 3 insertions(+), 3 deletions(-)
>> +
>> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> +index 1249546..a52667a 100644
>> +--- a/sepolicy/Makefile
>> ++++ b/sepolicy/Makefile
>> +@@ -9,7 +9,7 @@ LOCALEDIR ?= $(PREFIX)/share/locale
>> + PYTHON ?= /usr/bin/python
>> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> +-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>> ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>
> -I$(PREFIX)/include -> bad, as it will add -I/usr/include when
> cross-compiling.

Update to instead be $(DESTDIR)/usr

>
>> +
>> + BASHCOMPLETIONS=sepolicy-bash-completion.sh
>> +
>> +diff --git a/sestatus/Makefile b/sestatus/Makefile
>> +index c5db7a3..c04ff00 100644
>> +--- a/sestatus/Makefile
>> ++++ b/sestatus/Makefile
>> +@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
>> + ETCDIR ?= $(DESTDIR)/etc
>> + LIBDIR ?= $(PREFIX)/lib
>> +
>> +-CFLAGS = -Werror -Wall -W
>> ++CFLAGS ?= -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
>
> Again here.

Update to instead be $(DESTDIR)/usr

>
>> + LDLIBS = -lselinux -L$(LIBDIR)
>> +
>> +diff --git a/setfiles/Makefile b/setfiles/Makefile
>> +index ebc22c8..7c48814 100644
>> +--- a/setfiles/Makefile
>> ++++ b/setfiles/Makefile
>> +@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
>> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
>> +
>> +-CFLAGS = -g -Werror -Wall -W
>> ++CFLAGS ?= -g -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include
>
> And here.


Update to instead be $(DESTDIR)/usr

>
> Please build with BR2_COMPILER_PARANOID_UNSAFE_PATH=y to detect such
> problems.
>
>> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
>> +
>> +--
>> +1.9.1
>> +
>> diff --git a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> new file mode 100644
>> index 0000000..5bbfb76
>> --- /dev/null
>> +++ b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> @@ -0,0 +1,42 @@
>> +From 4bb3e6bda68fe52fcd2df4f27c5900f4b0d50fa1 Mon Sep 17 00:00:00 2001
>> +From: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
>> +Date: Fri, 10 Jul 2015 11:56:49 -0500
>> +Subject: Change sepolicy python install arguments to be a variable
>> +
>> +To allow the python install arguments to be overwritten, change the
>> +arguments to be a variable. This also cleans up the DESTDIR detection a
>> +little bit.
>> +
>> +Signed-off-by: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
>> +---
>> + sepolicy/Makefile | 7 ++++++-
>> + 1 file changed, 6 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> +index a52667a..4a10df6 100644
>> +--- a/sepolicy/Makefile
>> ++++ b/sepolicy/Makefile
>> +@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
>> + MANDIR ?= $(PREFIX)/share/man
>> + LOCALEDIR ?= $(PREFIX)/share/locale
>> + PYTHON ?= /usr/bin/python
>> ++ifneq (,$(DESTDIR))
>> ++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
>> ++else
>> ++PYTHON_INSTALL_ARGS ?=
>> ++endif
>
> Sounds good, but could be a bit simpler:
>
> ifneq ($(DESTDIR),)
> PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
> endif

Update as noted

>
>> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>> +@@ -23,7 +28,7 @@ clean:
>> +     -rm -rf build *~ \#* *pyc .#*
>> +
>> + install:
>> +-    $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
>> ++    $(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
>> +     [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
>> +     install -m 755 sepolicy.py $(BINDIR)/sepolicy
>> +     -mkdir -p $(MANDIR)/man8
>> +--
>> +1.9.1
>> +
>> diff --git a/package/policycoreutils/0004-disable-dbus.patch b/package/policycoreutils/0004-disable-dbus.patch
>> new file mode 100644
>> index 0000000..b685d0a
>> --- /dev/null
>> +++ b/package/policycoreutils/0004-disable-dbus.patch
>> @@ -0,0 +1,14 @@
>> +--- a/restorecond/Makefile   2016-02-25 13:23:23.286671669 -0600
>> ++++ b/restorecond/Makefile   2016-03-03 12:44:25.032118694 -0600
>
> Missing description + Signed-off-by in this patch.

Update as noted.

Description...
" Adds a condition to prevent linking against dbus when at build time
dbus has not been enabled"

>
>> +@@ -10,9 +10,11 @@
>> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
>> + SELINUXDIR = $(DESTDIR)/etc/selinux
>> +
>> ++ifdef ENABLE_DBUS
>> + DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
>> +             -I$(PREFIX)/lib/dbus-1.0/include
>> + DBUSLIB = -ldbus-glib-1 -ldbus-1
>> ++endif
>> +
>> + CFLAGS ?= -g -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
>> diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
>> new file mode 100644
>> index 0000000..3131a02
>> --- /dev/null
>> +++ b/package/policycoreutils/Config.in
>> @@ -0,0 +1,57 @@
>> +config BR2_PACKAGE_POLICYCOREUTILS
>> +     bool "policycoreutils"
>> +     select BR2_PACKAGE_LIBSEMANAGE
>
> libsemanage has lots of other dependencies:
>
>         depends on BR2_TOOLCHAIN_HAS_THREADS
>         depends on !BR2_STATIC_LIBS
>         depends on !BR2_arc
>
> You need to take them into account.
>

Noted, add those three.

>> +     select BR2_PACKAGE_LIBCAP_NG
>> +     select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
>> +     depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
>> +     depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
>> +     help
>> +       Policycoreutils is a collection of policy utilities (originally
>> +       the "core" set of utilities needed to use SELinux, although it
>> +       has grown a bit over time), which have different dependencies.
>> +       sestatus, secon, run_init, and newrole only use libselinux.
>> +       load_policy and setfiles only use libselinux and libsepol.
>> +       semodule and semanage use libsemanage (and thus bring in
>> +       dependencies on libsepol and libselinux as well). setsebool
>> +       uses libselinux to make non-persistent boolean changes (via
>> +       the kernel interface) and uses libsemanage to make persistent
>> +       boolean changes.
>> +
>> +       The base package will install the following utilities:
>> +           load_policy
>> +           newrole
>> +           restorecond
>> +           run_init
>> +           secon
>> +           semodule
>> +           semodule_deps
>> +           semodule_expand
>> +           semodule_link
>> +           semodule_package
>> +           sepolgen-ifgen
>> +           sestatus
>> +           setfiles
>> +           setsebool
>> +
>> +       http://selinuxproject.org/page/Main_Page
>> +
>> +comment "policycoreutils needs a glibc or musl toolchain w/ threads"
>> +     depends on !BR2_TOOLCHAIN_HAS_THREADS  \
>> +             || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
>> +
>> +if BR2_PACKAGE_POLICYCOREUTILS
>> +
>> +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
>> +     bool "restorecond Utility"
>> +     select BR2_PACKAGE_LIBGLIB2 #glib2
>> +     depends on BR2_USE_WCHAR # glib2
>> +     depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
>> +     depends on BR2_USE_MMU # glib2
>> +     help
>> +       Enable restorecond to be built
>> +
>> +comment "restorecond needs a toolchain w/ wchar, threads"
>> +     depends on BR2_USE_MMU
>> +     depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
>> +
>> +endif
>> diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
>> new file mode 100644
>> index 0000000..575dd25
>> --- /dev/null
>> +++ b/package/policycoreutils/policycoreutils.hash
>> @@ -0,0 +1,2 @@
>> +# https://github.com/SELinuxProject/selinux/wiki/Releases
>> +sha256 b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5  policycoreutils-2.1.14.tar.gz
>> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
>> new file mode 100644
>> index 0000000..aed2705
>> --- /dev/null
>> +++ b/package/policycoreutils/policycoreutils.mk
>> @@ -0,0 +1,108 @@
>> +################################################################################
>> +#
>> +# policycoreutils
>> +#
>> +################################################################################
>> +
>> +POLICYCOREUTILS_VERSION = 2.1.14
>> +POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
>> +POLICYCOREUTILS_LICENSE = GPLv2
>> +POLICYCOREUTILS_LICENSE_FILES = COPYING
>> +
>> +# gettext for load_policy.c use of libintl_* functions
>> +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
>> +
>> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
>> +POLICYCOREUTILS_DEPENDENCIES += linux-pam
>> +POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
>> +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
>> +     $(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
>> +     $(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
>> +endef
>> +endif
>> +
>> +ifeq ($(BR2_PACKAGE_AUDIT),y)
>> +POLICYCOREUTILS_DEPENDENCIES += audit
>> +POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
>> +endif
>> +
>> +# Enable LSPP_PRIV if both audit and linux pam are enabled
>> +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
>> +POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
>> +endif
>> +
>> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
>> +# large file support.
>> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
>> +POLICYCOREUTILS_MAKE_OPTS += \
>> +     CC="$(TARGET_CC)" \
>> +     CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
>> +     LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)" \
>> +     ARCH="$(BR2_ARCH)"
>> +
>> +POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
>> +     secon semodule semodule_deps semodule_expand semodule_link \
>> +     semodule_package sepolgen-ifgen sestatus setfiles setsebool
>> +
>> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
>> +POLICYCOREUTILS_MAKE_DIRS += restorecond
>> +endif
>> +
>> +define POLICYCOREUTILS_BUILD_CMDS
>> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
>> +     done
>
> Please add a comment above this that explains why you're passing
> DESTDIR=$(STAGING_DIR) at build time.

Add the following
" The source has been patched to require a DESTDIR path which is
prefixed to all filesystem paths which were by default hardcoded to
host system paths."

>
>> +endef
>> +
>> +define POLICYCOREUTILS_INSTALL_TARGET_CMDS
>> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
>> +     done
>> +endef
>> +
>> +HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
>> +
>> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
>> +# large file support.
>> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
>> +HOST_POLICYCOREUTILS_MAKE_OPTS = \
>> +     CC="$(HOSTCC)" \
>> +     CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
>> +     PYTHON="$(HOST_DIR)/usr/bin/python" \
>> +     PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)" \
>> +     ARCH="$(HOSTARCH)" \
>> +     LDFLAGS="$(HOST_LDFLAGS)"
>> +
>> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
>> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
>> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
>> +     PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
>> +else
>> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
>> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
>> +     PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
>> +endif
>> +
>> +# Note: We are only building the programs required by the refpolicy build
>> +HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
>> +     semodule_package setfiles restorecond audit2allow audit2why scripts semanage sepolicy
>> +
>> +define HOST_POLICYCOREUTILS_BUILD_CMDS
>> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
>
> DESTDIR=$(HOST_DIR) is wrong. You should instead use PREFIX=$(HOST_DIR)/usr.
>

Thomas, I believe this is correct. PREFIX is set to $(DESTDIR)/usr in
the Makefile.  (See non-host build cmd above)

>> +define HOST_POLICYCOREUTILS_INSTALL_CMDS
>> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
>
> Ditto.

Same comment as previous about PREFIX.

>
>> +     done
>> +     # Fix python paths
>> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2allow
>> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2why
>> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
>> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolicy
>
> Sadly, this means more hardcoded paths, but I guess it's OK for now, I
> prefer to sort out the other issues. This one can be solved later.
>

Sorry about that.  I agree it isn't the best approach for those python files.

> Could you rework your patch to solve the other issues raised above?
>

Thomas, definitely.

Niranjan, let me know if you have more questions tomorrow.

-- 
Thanks,
Matt



More information about the buildroot mailing list