[Buildroot] [ PATCH Selinux v11] policycoreutils: new package

Niranjan Reddy niranjan.reddy at rockwellcollins.com
Thu Apr 14 11:13:07 UTC 2016


Hello Matthew,


On Fri, Apr 8, 2016 at 8:30 AM, Matthew Weber <matt at thewebers.ws> wrote:

> Niranjan,
>
> On Tue, Mar 22, 2016 at 5:02 PM, Thomas Petazzoni
> <thomas.petazzoni at free-electrons.com> wrote:
> > Hello,
> >
> > I really wanted to apply this patch and finally get the remaining
> > SELinux support in, but there are still some really wrong things in
> > there.
> >
> > On Wed, 16 Mar 2016 17:12:14 +0530, Niranjan Reddy wrote:
> >> From: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
> >>
> >> This package contains the core policy utilities that are required
> >> for basic operation of an SELinux system.Four patchs are included
> >> in this package.
> >
> > Minor typos: space after ".", patchs -> patches.
> >
> >> Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> >> Allow-CFLAGS-to-be-overwritten.patch
> >> Change-sepolicy-python-install-arguments-to-be-a-var.patch
> >> disable-dbus.patch
> >
> > Completely useless to just give the filenames, especially when they are
> > wrong.
>
> Valid point, need to fix typo and provide a description of what the
> patches are doing after the "Four patches are included...." statement.
> Remove the list of patch names.
>
> >
> >
> >> diff --git
> a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> >> new file mode 100644
> >> index 0000000..0192e5c
> >> --- /dev/null
> >> +++
> b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> >> @@ -0,0 +1,275 @@
> >> +From 92d7cc3539f8bfc68b2f2bf688375647abf73ee7 Mon Sep 17 00:00:00 2001
> >> +From: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
> >> +Date: Fri, 10 Jul 2015 11:44:08 -0500
> >> +Subject: Add DESTDIR to all paths that use an absolute path
> >> +
> >> +To aid in cross compiling, add the DESTDIR variable to the start of all
> >> +of the paths used during compilation. Most paths already used DESTDIR.
>
> Add note that "The addition of this patch makes the use of DESTDIR
> mandatory as there are conditional checks which would fail if it's not
> defined."
>
> >> +
> >> +Signed-off-by: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
> >
> > This patch does a *LOT* more than adding DESTDIR. Just check by
> > yourself. Read your own patch! It should be split in several patches.
>
> I have put comments in below noting what to put in the creation of the
> following new patches.  Some suggested descriptions for the new
> patches are below too.
>
> 1) DESTDIR
> 2) PREFIX
> 3) Removal of ARCH
>
> >
> >> +---
> >> + Makefile                |  4 ++--
> >> + audit2allow/Makefile    |  2 +-
> >> + load_policy/Makefile    |  2 +-
> >> + mcstrans/src/Makefile   | 22 +++++++++++++---------
> >> + mcstrans/utils/Makefile | 11 +++++++----
> >> + newrole/Makefile        | 12 ++++++------
> >> + restorecond/Makefile    |  6 ++++--
> >> + run_init/Makefile       | 12 ++++++------
> >> + sepolicy/Makefile       |  2 +-
> >> + setfiles/Makefile       |  4 ++--
> >> + 10 files changed, 43 insertions(+), 34 deletions(-)
> >> +
> >> +diff --git a/Makefile b/Makefile
> >> +index 3980799..0fca022 100644
> >> +--- a/Makefile
> >> ++++ b/Makefile
> >> +@@ -1,8 +1,8 @@
> >> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init
> sandbox secon audit2allow audit2why sestatus semodule_package semodule
> semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool
> scripts po man gui
> >> +
> >> +-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
> >> ++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h
> 2>/dev/null)
> >
> > This is not super great, as it assumes DESTDIR is passed at build time,
> > which is not very standard. But OK, that's the easiest solution. But it
> > should *definitely* be explained in the description of the patch, as
> > it's non trivial.
> >
>
> Move to patch #1
>
> I added a note about this above and suggested a statement to add.
>
> >> +
> >> +-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
> >> ++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
> >> +     SUBDIRS += restorecond
> >> + endif
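
Review bot: the SUBDIRS / INOTIFYH logic changed in this hunk is only
evaluated by a top-level make, but the policycoreutils.mk quoted later
runs $(MAKE) -C $(@D)/$${dir} for each entry of
POLICYCOREUTILS_MAKE_DIRS and never invokes this Makefile. If that is
the only way the package is built, this hunk can be dropped from the
patch, which also removes the need to justify probing
$(DESTDIR)/usr/include at build time here.
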
>
> Move to patch #2
>
> Change to use PREFIX.
>
> For patch two, the description could be something like....
> "Updates the remaining hardcoded host paths used in the build to be
> prefixed with a PREFIX path to allow cross compilation."
>
> >> +
> >> +diff --git a/audit2allow/Makefile b/audit2allow/Makefile
> >> +index 88635d4..1647b5a 100644
> >> +--- a/audit2allow/Makefile
> >> ++++ b/audit2allow/Makefile
> >> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> >> + BINDIR ?= $(PREFIX)/bin
> >> + LIBDIR ?= $(PREFIX)/lib
> >> + MANDIR ?= $(PREFIX)/share/man
> >> +-LOCALEDIR ?= /usr/share/locale
> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
> >
> > This is not about adding DESTDIR, but about changing a hardcoded /usr
> > to $(PREFIX).
>
> Move to patch #2
>
> >
> > In addition, in the INOTIFYH fix above, you don't change usr/ to
> > $(PREFIX).
>
> Resolved above.
>
> >
> >> +
> >> + all: ;
> >> +
> >> +diff --git a/load_policy/Makefile b/load_policy/Makefile
> >> +index 7c5bab0..5cd0bbb 100644
> >> +--- a/load_policy/Makefile
> >> ++++ b/load_policy/Makefile
> >> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> >> + SBINDIR ?= $(DESTDIR)/sbin
> >> + USRSBINDIR ?= $(PREFIX)/sbin
> >> + MANDIR ?= $(PREFIX)/share/man
> >> +-LOCALEDIR ?= /usr/share/locale
> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
> >
> > This is also changing /usr to PREFIX, which has nothing to do with
> > using DESTDIR.
>
> Move to patch #2
>
> >
> >> +
> >> + CFLAGS ?= -Werror -Wall -W
> >> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS
> -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
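
Review bot: LOCALEDIR is not only an install location here; the
context line -DLOCALEDIR="\"$(LOCALEDIR)\"" compiles it into the binary
as a runtime path. With PREFIX ?= $(DESTDIR)/usr and the build run with
DESTDIR=$(STAGING_DIR) (see policycoreutils.mk below), load_policy
would look for its message catalogs under the staging directory of the
build machine instead of /usr/share/locale on the target. Keep the
runtime value as /usr/share/locale; the same applies to newrole and
run_init, whose CFLAGS context shows the same -DLOCALEDIR define.
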
> >> +diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
> >> +index fb44490..a0666f1 100644
> >> +--- a/mcstrans/src/Makefile
> >> ++++ b/mcstrans/src/Makefile
> >> +@@ -1,22 +1,26 @@
> >> +-ARCH = $(shell uname -i)
>
> Move the above line to patch #3
>
> >> ++# Installation directories.
> >> ++PREFIX  ?= $(DESTDIR)/usr
> >> ++SBINDIR ?= $(DESTDIR)/sbin
> >> ++INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
> >
> > This has nothing to do with adding DESTDIR, and there is no explanation
> > why adding those variable definitions here is necessary. Those
> > definitions are normally below, why are you moving them up here?
>
> Niranjan, why did they move, I don't have the complete file in front
> of me to check?
>
> >
> >> ++
> >> ++ARCH ?= $(shell uname -i)
> >
> > Looks good, but needs to be explained in the patch description (and in
> > a separate patch).
>
> Move to patch #3
>
> Use a description that's something like this in the patch....
> "Allow the ARCH value to be passed in as original configuration was
> solely based on host architecture."
>
> >
> >> + ifeq "$(ARCH)" "x86_64"
> >> +     # In case of 64 bit system, use these lines
> >> +-    LIBDIR=/usr/lib64
> >> +-else
> >> ++    LIBDIR=$(PREFIX)/lib64
> >> ++else
> >> + ifeq "$(ARCH)" "i686"
> >> +     # In case of 32 bit system, use these lines
> >> +-    LIBDIR=/usr/lib
> >> ++    LIBDIR=$(PREFIX)/lib
> >> + else
> >> + ifeq "$(ARCH)" "i386"
> >> +     # In case of 32 bit system, use these lines
> >> +-    LIBDIR=/usr/lib
> >> ++    LIBDIR=$(PREFIX)/lib
> >> ++else
> >> ++    # Default to these lines if arch is unknown
> >> ++    LIBDIR=$(PREFIX)/lib
> >
> > This is all /usr -> $(PREFIX) replacement, nothing to do with DESTDIR.
>
> Move above changes to patch #2
>
> >
> >> + endif
> >> + endif
> >> + endif
> >> +-# Installation directories.
> >> +-PREFIX  ?= $(DESTDIR)/usr
> >> +-SBINDIR ?= $(DESTDIR)/sbin
> >> +-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
>
> Like previous comment, why did these get removed from here and moved above?
>


In the original file, if we replace /usr with $PREFIX, the replacement
happens before PREFIX is defined. To make it visible to the complete
file, we removed it from the bottom and placed it at the top.

Original file:

ifeq "$(ARCH)" "x86_64"
# In case of 64 bit system, use these lines
LIBDIR=/usr/lib64  ( *replacing  /usr  --> $PREFIX* )
else


PREFIX  ?= $(DESTDIR)/usr  ( *defined after *)


>
> >> +
> >> + PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
> >> + PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
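
Review bot: mcstrans does not appear in POLICYCOREUTILS_MAKE_DIRS or
HOST_POLICYCOREUTILS_MAKE_DIRS in the policycoreutils.mk quoted later,
so the changes to mcstrans/src/Makefile (and mcstrans/utils/Makefile
below) are never exercised by this package. Either add mcstrans to the
built directories or drop these hunks. If they stay, the new default
branch sets the same LIBDIR=$(PREFIX)/lib as the i686 and i386
branches, so the chain reduces to a single x86_64 test with an else.
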
> >> +diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
> >> +index 1ffb027..da5c152 100644
> >> +--- a/mcstrans/utils/Makefile
> >> ++++ b/mcstrans/utils/Makefile
> >> +@@ -2,18 +2,21 @@
> >> + PREFIX ?= $(DESTDIR)/usr
> >> + BINDIR ?= $(PREFIX)/sbin
> >> +
> >> +-ARCH = $(shell uname -i)
> >> ++ARCH ?= $(shell uname -i)
>
> Move the above two lines to patch #3
>
> >> + ifeq "$(ARCH)" "x86_64"
> >> +         # In case of 64 bit system, use these lines
> >> +-        LIBDIR=/usr/lib64
> >> ++        LIBDIR=$(PREFIX)/lib64
> >> + else
> >> + ifeq "$(ARCH)" "i686"
> >> +         # In case of 32 bit system, use these lines
> >> +-        LIBDIR=/usr/lib
> >> ++        LIBDIR=$(PREFIX)/lib
> >> + else
> >> + ifeq "$(ARCH)" "i386"
> >> +         # In case of 32 bit system, use these lines
> >> +-        LIBDIR=/usr/lib
> >> ++        LIBDIR=$(PREFIX)/lib
> >> ++else
> >> ++        # Default to these lines if arch is unknown
> >> ++        LIBDIR=$(PREFIX)/lib
> >
>
> Move to patch #2
>
> > Same comments as above;
> >
> >> + endif
> >> + endif
> >> + endif
> >> +diff --git a/newrole/Makefile b/newrole/Makefile
> >> +index 646cd4d..045e3b7 100644
> >> +--- a/newrole/Makefile
> >> ++++ b/newrole/Makefile
> >> +@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
> >> + BINDIR ?= $(PREFIX)/bin
> >> + MANDIR ?= $(PREFIX)/share/man
> >> + ETCDIR ?= $(DESTDIR)/etc
> >> +-LOCALEDIR = /usr/share/locale
> >> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> >> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> >> ++LOCALEDIR = $(PREFIX)/share/locale
> >> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
> >> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
> >
> > This is *completely* wrong. It will look at /usr/include/libaudit.h
> > and /usr/include/security/pam_appl.h on your build machine to decide
> > where pam and audit support is available. If you follow the fix done
> > earlier for INOTIFYH, you should do:
> >
> > AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
>
> The variable DESTDIR when used in PREFIX isn't expanded because you're
> in a shell in that "shell ls" command.  So you have to use
> $(DESTDIR)/usr.
>
> Move to patch #1 and update as noted to use $(DESTDIR)/usr/ for PAMH=,
> AUDITD=
>
> >
> >> + # Enable capabilities to permit newrole to generate audit records.
> >> + # This will make newrole a setuid root program.
> >> + # The capabilities used are: CAP_AUDIT_WRITE.
> >> +@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
> >> + EXTRA_OBJS =
> >> + override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS)
> -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\""
> -DPACKAGE="\"policycoreutils\""
> >> + LDLIBS += -lselinux -L$(PREFIX)/lib
> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
> >
>
> Move to patch #2
>
> > Same comment as above.
> >
> >> +     override CFLAGS += -DUSE_PAM
> >> +     EXTRA_OBJS += hashtab.o
> >> +     LDLIBS += -lpam -lpam_misc
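
Review bot: the ifeq ($(PAMH), ...) test in this hunk silently picks
the else branch (-D_XOPEN_SOURCE=500, -lcrypt) whenever the probed path
does not match, so a wrong DESTDIR or PREFIX changes how newrole
authenticates without any build error, in a program the preceding
context says can be installed setuid root. policycoreutils.mk already
knows whether linux-pam and audit are selected; passing that down as an
explicit make variable, and failing the build when the header is
expected but missing, is safer than comparing the output of ls against
a path string.
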
> >> +@@ -32,7 +32,7 @@ else
> >> +     override CFLAGS += -D_XOPEN_SOURCE=500
> >> +     LDLIBS += -lcrypt
> >> + endif
> >> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> >> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
> >
> > Ditto.
>
> Move to patch #2
>
> >
> >> +     override CFLAGS += -DUSE_AUDIT
> >> +     LDLIBS += -laudit
> >> + endif
> >> +@@ -66,7 +66,7 @@ install: all
> >> +     test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
> >> +     install -m $(MODE) newrole $(BINDIR)
> >> +     install -m 644 newrole.1 $(MANDIR)/man1/
> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
> >
> > Ditto.
>
> Move to patch #2
>
> >
> >> +     test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
> >> + ifeq ($(LSPP_PRIV),y)
> >> +     install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
> >> +diff --git a/restorecond/Makefile b/restorecond/Makefile
> >> +index 3074542..7c40f95 100644
> >> +--- a/restorecond/Makefile
> >> ++++ b/restorecond/Makefile
> >> +@@ -10,11 +10,13 @@ autostart_DATA = sealertauto.desktop
> >> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
> >> + SELINUXDIR = $(DESTDIR)/etc/selinux
> >> +
> >> +-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0
> -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
> >> ++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0
> -I$(PREFIX)/lib64/dbus-1.0/include \
> >> ++            -I$(PREFIX)/lib/dbus-1.0/include
> >
> > Completely wrong. This will add -I/usr/include/dbus-1.0 when
> > cross-compiling. Bad.
> >
>
> Same as other case of variable expansion.  Update all use of PREFIX to
> be $(DESTDIR)/usr/
>
> Move to patch #1
>
> >> + DBUSLIB = -ldbus-glib-1 -ldbus-1
> >> +
> >> + CFLAGS ?= -g -Werror -Wall -W
> >> +-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS)
> -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include
> -I/usr/lib/glib-2.0/include
> >> ++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS)
> -I$(PREFIX)/include/glib-2.0 \
> >> ++            -I$(PREFIX)/lib64/glib-2.0/include
> -I$(PREFIX)/lib/glib-2.0/include
> >
> > Same.
>
>
> Same as other case of variable expansion.  Update all use of PREFIX to
> be $(DESTDIR)/usr/
>
> Move to patch #1
>
> >
> >> +
> >> + LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
> >> +
> >> +diff --git a/run_init/Makefile b/run_init/Makefile
> >> +index 12b39b4..da49c41 100644
> >> +--- a/run_init/Makefile
> >> ++++ b/run_init/Makefile
> >> +@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
> >> + SBINDIR ?= $(PREFIX)/sbin
> >> + MANDIR ?= $(PREFIX)/share/man
> >> + ETCDIR ?= $(DESTDIR)/etc
> >> +-LOCALEDIR ?= /usr/share/locale
> >> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> >> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
> >> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
> >> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
> >
> > Also wrong.
> >
>
> Same as other case of variable expansion.  Update all use of PREFIX
> when used in a "shell ls" to be $(DESTDIR)/usr/
>
> Move to patch #1
>
> >> +
> >> + CFLAGS ?= -Werror -Wall -W
> >> + override CFLAGS += -I$(PREFIX)/include -DUSE_NLS
> -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> >> + LDLIBS += -lselinux -L$(PREFIX)/lib
> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
> >
> > Ditto.
>
> Move to patch #2
>
> >
> >> +     override CFLAGS += -DUSE_PAM
> >> +     LDLIBS += -lpam -lpam_misc
> >> + else
> >> +     override CFLAGS += -D_XOPEN_SOURCE=500
> >> +     LDLIBS += -lcrypt
> >> + endif
> >> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> >> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
> >
> > Ditto.
>
> Move to patch #2
>
> >
> >> +     override CFLAGS += -DUSE_AUDIT
> >> +     LDLIBS += -laudit
> >> + endif
> >> +@@ -38,7 +38,7 @@ install: all
> >> +     install -m 755 open_init_pty $(SBINDIR)
> >> +     install -m 644 run_init.8 $(MANDIR)/man8/
> >> +     install -m 644 open_init_pty.8 $(MANDIR)/man8/
> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
> >
> > Ditto.
>
> Move to patch #2
>
> >
> >> +     install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
> >> + endif
> >> +
> >> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> >> +index 11b534f..1249546 100644
> >> +--- a/sepolicy/Makefile
> >> ++++ b/sepolicy/Makefile
> >> +@@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
> >> + BINDIR ?= $(PREFIX)/bin
> >> + SBINDIR ?= $(PREFIX)/sbin
> >> + MANDIR ?= $(PREFIX)/share/man
> >> +-LOCALEDIR ?= /usr/share/locale
> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
>
> Move to patch #2
>
> >> + PYTHON ?= /usr/bin/python
> >> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> >> + SHAREDIR ?= $(PREFIX)/share/sandbox
> >> +diff --git a/setfiles/Makefile b/setfiles/Makefile
> >> +index 4b44b3c..ebc22c8 100644
> >> +--- a/setfiles/Makefile
> >> ++++ b/setfiles/Makefile
> >> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> >> + SBINDIR ?= $(DESTDIR)/sbin
> >> + MANDIR = $(PREFIX)/share/man
> >> + LIBDIR ?= $(PREFIX)/lib
> >> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> >> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
> >
> > Still wrong.
>
> Same as other case of variable expansion.  Update all use of PREFIX
> when used in a "shell ls" to be $(DESTDIR)/usr/
>
> Move to patch #1
>
> >
> >> +
> >> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S
> '{ print $$3 }')
> >> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c |
> awk -S '{ print $$3 }')
> >> +@@ -12,7 +12,7 @@ CFLAGS = -g -Werror -Wall -W
> >> + override CFLAGS += -I$(PREFIX)/include
> >> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> >> +
> >> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> >> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
> >
> > Here as well.
>
> Move to patch #2
>
> >
> >> +     override CFLAGS += -DUSE_AUDIT
> >> +     LDLIBS += -laudit
> >> + endif
> >> +--
> >> +1.9.1
> >> +
> >> diff --git
> a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> >> new file mode 100644
> >> index 0000000..b6e6d99
> >> --- /dev/null
> >> +++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> >> @@ -0,0 +1,57 @@
> >> +From cfce1180f96cca5e7444d94b2ebc39213d7dac75 Mon Sep 17 00:00:00 2001
> >> +From: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
> >> +Date: Fri, 10 Jul 2015 11:47:09 -0500
> >> +Subject: Allow CFLAGS to be overwritten
> >> +
> >> +Allow all CFLAGS declarations to be overwritten to aid in cross
> >> +compiling.
> >> +
> >> +Signed-off-by: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
> >> +---
> >> + sepolicy/Makefile | 2 +-
> >> + sestatus/Makefile | 2 +-
> >> + setfiles/Makefile | 2 +-
> >> + 3 files changed, 3 insertions(+), 3 deletions(-)
> >> +
> >> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> >> +index 1249546..a52667a 100644
> >> +--- a/sepolicy/Makefile
> >> ++++ b/sepolicy/Makefile
> >> +@@ -9,7 +9,7 @@ LOCALEDIR ?= $(PREFIX)/share/locale
> >> + PYTHON ?= /usr/bin/python
> >> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> >> + SHAREDIR ?= $(PREFIX)/share/sandbox
> >> +-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include
> -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> >> ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include
> -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> >
> > -I$(PREFIX)/include -> bad, as it will add -I/usr/include when
> > cross-compiling.
>
> Update to instead be $(DESTDIR)/usr
>
> >
> >> +
> >> + BASHCOMPLETIONS=sepolicy-bash-completion.sh
> >> +
> >> +diff --git a/sestatus/Makefile b/sestatus/Makefile
> >> +index c5db7a3..c04ff00 100644
> >> +--- a/sestatus/Makefile
> >> ++++ b/sestatus/Makefile
> >> +@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
> >> + ETCDIR ?= $(DESTDIR)/etc
> >> + LIBDIR ?= $(PREFIX)/lib
> >> +
> >> +-CFLAGS = -Werror -Wall -W
> >> ++CFLAGS ?= -Werror -Wall -W
> >> + override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
> >
> > Again here.
>
> Update to instead be $(DESTDIR)/usr
>
> >
> >> + LDLIBS = -lselinux -L$(LIBDIR)
> >> +
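
Review bot: in sestatus/Makefile the context line after the changed
CFLAGS appends -D_FILE_OFFSET_BITS=64 with override, while
policycoreutils.mk passes CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS".
The -U therefore comes before the -D on the compiler command line and
the macro ends up defined for sestatus. If the fts.h workaround is
needed there it does not take effect; if it is not, a comment saying so
would help. Also note that CFLAGS given on the make command line
already overrides a plain CFLAGS = assignment, so ?= only matters for
CFLAGS coming from the environment, which the commit message should
state.
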
> >> +diff --git a/setfiles/Makefile b/setfiles/Makefile
> >> +index ebc22c8..7c48814 100644
> >> +--- a/setfiles/Makefile
> >> ++++ b/setfiles/Makefile
> >> +@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(PREFIX)/include/libaudit.h
> 2>/dev/null)
> >> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S
> '{ print $$3 }')
> >> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c |
> awk -S '{ print $$3 }')
> >> +
> >> +-CFLAGS = -g -Werror -Wall -W
> >> ++CFLAGS ?= -g -Werror -Wall -W
> >> + override CFLAGS += -I$(PREFIX)/include
> >
> > And here.
>
>
> Update to instead be $(DESTDIR)/usr
>
> >
> > Please build with BR2_COMPILER_PARANOID_UNSAFE_PATH=y to detect such
> > problems.
> >
> >> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> >> +
> >> +--
> >> +1.9.1
> >> +
> >> diff --git
> a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> >> new file mode 100644
> >> index 0000000..5bbfb76
> >> --- /dev/null
> >> +++
> b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> >> @@ -0,0 +1,42 @@
> >> +From 4bb3e6bda68fe52fcd2df4f27c5900f4b0d50fa1 Mon Sep 17 00:00:00 2001
> >> +From: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
> >> +Date: Fri, 10 Jul 2015 11:56:49 -0500
> >> +Subject: Change sepolicy python install arguments to be a variable
> >> +
> >> +To allow the python install arguments to be overwritten, change the
> >> +arguments to be a variable. This also cleans up the DESTDIR detection a
> >> +little bit.
> >> +
> >> +Signed-off-by: Clayton Shotwell <clayton.shotwell at rockwellcollins.com>
> >> +---
> >> + sepolicy/Makefile | 7 ++++++-
> >> + 1 file changed, 6 insertions(+), 1 deletion(-)
> >> +
> >> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> >> +index a52667a..4a10df6 100644
> >> +--- a/sepolicy/Makefile
> >> ++++ b/sepolicy/Makefile
> >> +@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
> >> + MANDIR ?= $(PREFIX)/share/man
> >> + LOCALEDIR ?= $(PREFIX)/share/locale
> >> + PYTHON ?= /usr/bin/python
> >> ++ifneq (,$(DESTDIR))
> >> ++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
> >> ++else
> >> ++PYTHON_INSTALL_ARGS ?=
> >> ++endif
> >
> > Sounds good, but could be a bit simpler:
> >
> > ifneq ($(DESTDIR),)
> > PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
> > endif
>
> Update as noted
>
> >
> >> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> >> + SHAREDIR ?= $(PREFIX)/share/sandbox
> >> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include
> -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> >> +@@ -23,7 +28,7 @@ clean:
> >> +     -rm -rf build *~ \#* *pyc .#*
> >> +
> >> + install:
> >> +-    $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root
> $(DESTDIR)`
> >> ++    $(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
> >> +     [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
> >> +     install -m 755 sepolicy.py $(BINDIR)/sepolicy
> >> +     -mkdir -p $(MANDIR)/man8
> >> +--
> >> +1.9.1
> >> +
> >> diff --git a/package/policycoreutils/0004-disable-dbus.patch
> b/package/policycoreutils/0004-disable-dbus.patch
> >> new file mode 100644
> >> index 0000000..b685d0a
> >> --- /dev/null
> >> +++ b/package/policycoreutils/0004-disable-dbus.patch
> >> @@ -0,0 +1,14 @@
> >> +--- a/restorecond/Makefile   2016-02-25 13:23:23.286671669 -0600
> >> ++++ b/restorecond/Makefile   2016-03-03 12:44:25.032118694 -0600
> >
> > Missing description + Signed-off-by in this patch.
>
> Update as noted.
>
> Description...
> " Adds a condition to prevent linking against dbus when at build time
> dbus has not been enabled"
>
> >
> >> +@@ -10,9 +10,11 @@
> >> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
> >> + SELINUXDIR = $(DESTDIR)/etc/selinux
> >> +
> >> ++ifdef ENABLE_DBUS
> >> + DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0
> -I$(PREFIX)/lib64/dbus-1.0/include \
> >> +             -I$(PREFIX)/lib/dbus-1.0/include
> >> + DBUSLIB = -ldbus-glib-1 -ldbus-1
> >> ++endif
> >> +
> >> + CFLAGS ?= -g -Werror -Wall -W
> >> + override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS)
> -I$(PREFIX)/include/glib-2.0 \
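
Review bot: ifdef ENABLE_DBUS is the only switch for DBUSFLAGS and
DBUSLIB, but none of the MAKE_OPTS visible in policycoreutils.mk passes
ENABLE_DBUS, so restorecond is always built without D-Bus for both
target and host even though the host build depends on host-dbus-glib.
Either wire the variable to a Buildroot option or drop the unused
dependency. ifdef is also true for any non-empty value, so
ENABLE_DBUS=n would enable it; testing ifeq ($(ENABLE_DBUS),y) avoids
that.
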
> >> diff --git a/package/policycoreutils/Config.in
> b/package/policycoreutils/Config.in
> >> new file mode 100644
> >> index 0000000..3131a02
> >> --- /dev/null
> >> +++ b/package/policycoreutils/Config.in
> >> @@ -0,0 +1,57 @@
> >> +config BR2_PACKAGE_POLICYCOREUTILS
> >> +     bool "policycoreutils"
> >> +     select BR2_PACKAGE_LIBSEMANAGE
> >
> > libsemanage has lots of other dependencies:
> >
> >         depends on BR2_TOOLCHAIN_HAS_THREADS
> >         depends on !BR2_STATIC_LIBS
> >         depends on !BR2_arc
> >
> > You need to take them into account.
> >
>
> Noted, add those three.
>
> >> +     select BR2_PACKAGE_LIBCAP_NG
> >> +     select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
> >> +     depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
> >> +     depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL #
> uses fts.h
> >> +     help
> >> +       Policycoreutils is a collection of policy utilities (originally
> >> +       the "core" set of utilities needed to use SELinux, although it
> >> +       has grown a bit over time), which have different dependencies.
> >> +       sestatus, secon, run_init, and newrole only use libselinux.
> >> +       load_policy and setfiles only use libselinux and libsepol.
> >> +       semodule and semanage use libsemanage (and thus bring in
> >> +       dependencies on libsepol and libselinux as well). setsebool
> >> +       uses libselinux to make non-persistent boolean changes (via
> >> +       the kernel interface) and uses libsemanage to make persistent
> >> +       boolean changes.
> >> +
> >> +       The base package will install the following utilities:
> >> +           load_policy
> >> +           newrole
> >> +           restorecond
> >> +           run_init
> >> +           secon
> >> +           semodule
> >> +           semodule_deps
> >> +           semodule_expand
> >> +           semodule_link
> >> +           semodule_package
> >> +           sepolgen-ifgen
> >> +           sestatus
> >> +           setfiles
> >> +           setsebool
> >> +
> >> +       http://selinuxproject.org/page/Main_Page
> >> +
> >> +comment "policycoreutils needs a glibc or musl toolchain w/ threads"
> >> +     depends on !BR2_TOOLCHAIN_HAS_THREADS  \
> >> +             || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
> >> +
> >> +if BR2_PACKAGE_POLICYCOREUTILS
> >> +
> >> +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
> >> +     bool "restorecond Utility"
> >> +     select BR2_PACKAGE_LIBGLIB2 #glib2
> >> +     depends on BR2_USE_WCHAR # glib2
> >> +     depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
> >> +     depends on BR2_USE_MMU # glib2
> >> +     help
> >> +       Enable restorecond to be built
> >> +
> >> +comment "restorecond needs a toolchain w/ wchar, threads"
> >> +     depends on BR2_USE_MMU
> >> +     depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
> >> +
> >> +endif
> >> diff --git a/package/policycoreutils/policycoreutils.hash
> b/package/policycoreutils/policycoreutils.hash
> >> new file mode 100644
> >> index 0000000..575dd25
> >> --- /dev/null
> >> +++ b/package/policycoreutils/policycoreutils.hash
> >> @@ -0,0 +1,2 @@
> >> +# https://github.com/SELinuxProject/selinux/wiki/Releases
> >> +sha256
> b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5
> policycoreutils-2.1.14.tar.gz
> >> diff --git a/package/policycoreutils/policycoreutils.mk
> b/package/policycoreutils/policycoreutils.mk
> >> new file mode 100644
> >> index 0000000..aed2705
> >> --- /dev/null
> >> +++ b/package/policycoreutils/policycoreutils.mk
> >> @@ -0,0 +1,108 @@
> >>
> +################################################################################
> >> +#
> >> +# policycoreutils
> >> +#
> >>
> +################################################################################
> >> +
> >> +POLICYCOREUTILS_VERSION = 2.1.14
> >> +POLICYCOREUTILS_SITE =
> https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
> >> +POLICYCOREUTILS_LICENSE = GPLv2
> >> +POLICYCOREUTILS_LICENSE_FILES = COPYING
> >> +
> >> +# gettext for load_policy.c use of libintl_* functions
> >> +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if
> $(BR2_NEEDS_GETTEXT),gettext)
> >> +
> >> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
> >> +POLICYCOREUTILS_DEPENDENCIES += linux-pam
> >> +POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
> >> +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
> >> +     $(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd
> $(TARGET_DIR)/etc/pam.d/newrole
> >> +     $(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd
> $(TARGET_DIR)/etc/pam.d/run_init
> >> +endef
> >> +endif
> >> +
> >> +ifeq ($(BR2_PACKAGE_AUDIT),y)
> >> +POLICYCOREUTILS_DEPENDENCIES += audit
> >> +POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
> >> +endif
> >> +
> >> +# Enable LSPP_PRIV if both audit and linux pam are enabled
> >> +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
> >> +POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
> >> +endif
> >> +
> >> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> >> +# large file support.
> >> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more
> information
> >> +POLICYCOREUTILS_MAKE_OPTS += \
> >> +     CC="$(TARGET_CC)" \
> >> +     CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
> >> +     LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)" \
> >> +     ARCH="$(BR2_ARCH)"
> >> +
> >> +POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
> >> +     secon semodule semodule_deps semodule_expand semodule_link \
> >> +     semodule_package sepolgen-ifgen sestatus setfiles setsebool
> >> +
> >> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
> >> +POLICYCOREUTILS_MAKE_DIRS += restorecond
> >> +endif
> >> +
> >> +define POLICYCOREUTILS_BUILD_CMDS
> >> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> >> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS)
> DESTDIR=$(STAGING_DIR) all || exit 1 ; \
> >> +     done
> >
> > Please add a comment above this that explains why you're passing
> > DESTDIR=$(STAGING_DIR) at build time.
>
> Add the following
> " The source has been patched to require a DESTDIR path which is
> prefixed to all filesystem paths which were by default hardcoded to
> host system paths."
>
> >
> >> +endef
> >> +
> >> +define POLICYCOREUTILS_INSTALL_TARGET_CMDS
> >> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> >> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS)
> DESTDIR=$(TARGET_DIR) install || exit 1 ; \
> >> +     done
> >> +endef
> >> +
> >> +HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib
> host-sepolgen host-setools
> >> +
> >> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> >> +# large file support.
> >> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more
> information
> >> +HOST_POLICYCOREUTILS_MAKE_OPTS = \
> >> +     CC="$(HOSTCC)" \
> >> +     CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
> >> +     PYTHON="$(HOST_DIR)/usr/bin/python" \
> >> +     PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)" \
> >> +     ARCH="$(HOSTARCH)" \
> >> +     LDFLAGS="$(HOST_LDFLAGS)"
> >> +
> >> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> >> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
> >> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> >> +     PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
> >> +else
> >> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
> >> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> >> +     PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
> >> +endif
> >> +
> >> +# Note: We are only building the programs required by the refpolicy
> build
> >> +HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps
> semodule_expand semodule_link \
> >> +     semodule_package setfiles restorecond audit2allow audit2why
> scripts semanage sepolicy
> >> +
> >> +define HOST_POLICYCOREUTILS_BUILD_CMDS
> >> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> >> +             $(MAKE) -C $(@D)/$${dir}
> $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
> >
> > DESTDIR=$(HOST_DIR) is wrong. You should instead use
> PREFIX=$(HOST_DIR)/usr.
> >
>
> Thomas, I believe this is correct. PREFIX is set to $(DESTDIR)/usr in
> the Makefile.  (See non-host build cmd above)
>
> >> +define HOST_POLICYCOREUTILS_INSTALL_CMDS
> >> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> >> +             $(MAKE) -C $(@D)/$${dir}
> $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
> >
> > Ditto.
>
> Same comment as previous about PREFIX.
>
> >
> >> +     done
> >> +     # Fix python paths
> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/audit2allow
> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/audit2why
> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/sepolgen-ifgen
> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/sepolicy
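
Review bot: BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND selects
BR2_PACKAGE_LIBGLIB2 in Config.in, but the ifeq block that adds
restorecond to POLICYCOREUTILS_MAKE_DIRS does not add libglib2 to
POLICYCOREUTILS_DEPENDENCIES, so nothing guarantees glib is built
before restorecond. Add POLICYCOREUTILS_DEPENDENCIES += libglib2 inside
that block.
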
> >
> > Sadly, this means more hardcoded paths, but I guess it's OK for now, I
> > prefer to sort out the other issues. This one can be solved later.
> >
>
> Sorry about that.  I agree it isn't the best approach for those python
> files.
>
> > Could you rework your patch to solve the other issues raised above?
> >
>
> Thomas, definitely.
>
> Niranjan, let me know if you have more questions tomorrow.
>
> --
> Thanks,
> Matt
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot




Thanks,
Niranjan