policycoreutils: migrate SRC_URI and patches to 2.1.14

2.1.14 imports a new python module: sepolicy, so add setools to DEPENDS and split new files to policycoreutils-python. Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Xin Ouyang <Xin.Ouyang@windriver.com> 2013-09-23 21:17:59 +0800
committer: Joe MacDonald <joe@deserted.net> 2013-10-02 13:24:44 -0400
commit: 816b52ef4de5ed11520ae87db23d4de6f1b0e1a7 (patch)
tree: e1b3efc14dfefcc03d2ae45c438f31785d9621d3
parent: cb25a215d9259f8372db7227a8143fce3f3d695f (diff)
download: meta-selinux-816b52ef4de5ed11520ae87db23d4de6f1b0e1a7.tar.gz
5 files changed, 52 insertions, 350 deletions
diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index 7939095..1acc19f 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -16,7 +16,7 @@ PAM_SRC_URI = "file://pam.d/newrole \
              "
 DEPENDS += "libsepol libselinux libsemanage"
-EXTRA_DEPENDS = "libcap-ng libcgroup"
+EXTRA_DEPENDS = "libcap-ng libcgroup setools"
 DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
 inherit selinux
@@ -43,8 +43,13 @@ RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"
 WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"
 ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}"
+inherit pythonnative
 PACKAGES =+ "${PN}-python ${PN}-sandbox system-config-selinux"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
+        ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \
+        ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/*"
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/*"
 FILES_${PN}-sandbox = "${datadir}/sandbox/*"
 FILES_${PN}-sandbox += "${bindir}/sandbox"
 FILES_${PN}-sandbox += "${sbindir}/seunshare"
@@ -53,8 +58,6 @@ FILES_system-config-selinux = " \
    ${datadir}/system-config-selinux/* \
 "
-inherit pythonnative
 export STAGING_INCDIR
 export STAGING_LIBDIR
 export BUILD_SYS
@@ -86,6 +89,11 @@ do_compile_prepend() {
        export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages"
 }
+do_install_prepend() {
+        export PYTHON=python
+        export SEMODULE_PATH=${sbindir}
+}
 do_install_virtclass-native() {
        for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
             oe_runmake -C $PCU_CMD install \
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fix-sepolicy-install-path.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fix-sepolicy-install-path.patch
new file mode 100644
index 0000000..aaf2e66
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-fix-sepolicy-install-path.patch
@@ -0,0 +1,35 @@
+From 086f715e2a0dd05c07f0428f424017cc96acc387 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 16:40:26 +0800
+Subject: [PATCH] policycoreutils: fix install path for new pymodule sepolicy
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ sepolicy/Makefile |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index 11b534f..9e46b74 100644
+--- a/sepolicy/Makefile
+++ b/sepolicy/Makefile
+@@ -11,6 +11,8 @@ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+ override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+ 
+PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]')
+
+ BASHCOMPLETIONS=sepolicy-bash-completion.sh 
+ 
+ all: python-build
+@@ -23,7 +25,7 @@ clean:
+        -rm -rf build *~ \#* *pyc .#*
+ 
+ install:
+-       $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
+       $(PYTHON) setup.py install --install-lib $(LIBDIR)/$(PYLIBVER)/site-packages
+        [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+        install -m 755 sepolicy.py $(BINDIR)/sepolicy
+        -mkdir -p $(MANDIR)/man8
+-- 
+1.7.9.5
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch b/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch
deleted file mode 100644
index dd7f97c..0000000
--- a/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch
+++ /dev/null
@@ -1,315 +0,0 @@
-From 0fa419825539f172e1097d685e92c7d1a5826f23 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Fri, 24 May 2013 14:31:10 +0800
-Subject: [PATCH] policycoreutils: Revert "restorecon: only update type by default"
-This reverts uprev commit 96cedba3e59aa474f0f040da5108a17bba45ce6c.
-96cedb will cause wrong security contexts for /dev/ while using
-MLS type of old refpolicy, so revert it.
-This patch should be dropped while refpolicy is upreved to 2.20120725+.
-Upstream-Status: Inappropriate [for old refpolicy]
---
- setfiles/restore.c    | 113 +++++++++++++++-------------------
- setfiles/restorecon.8 |  12 ++--
- setfiles/setfiles.8   |  19 +++---
- 3 files changed, 61 insertions(+), 83 deletions(-)
-diff --git a/setfiles/restore.c b/setfiles/restore.c
-index 4c62b41..2acec8e 100644
--- a/setfiles/restore.c
-+++ b/setfiles/restore.c
-@@ -1,6 +1,5 @@
- #include "restore.h"
- #include <glob.h>
-#include <selinux/context.h>
- 
- #define SKIP -2
- #define ERR -1
-@@ -34,6 +33,7 @@ struct edir {
- 
- static file_spec_t *fl_head;
- static int filespec_add(ino_t ino, const security_context_t con, const char *file);
-+static int only_changed_user(const char *a, const char *b);
- struct restore_opts *r_opts = NULL;
- static void filespec_destroy(void);
- static void filespec_eval(void);
-@@ -104,7 +104,8 @@ static int restore(FTSENT *ftsent)
- {
-        char *my_file = strdupa(ftsent->fts_path);
-        int ret = -1;
-       security_context_t curcon = NULL, newcon = NULL;
-+       char *context, *newcon;
-+       int user_only_changed = 0;
- 
-        if (match(my_file, ftsent->fts_statp, &newcon) < 0)
-                /* Check for no matching specification. */
-@@ -138,105 +139,74 @@ static int restore(FTSENT *ftsent)
-                printf("%s:  %s matched by %s\n", r_opts->progname, my_file, newcon);
-        }
- 
-       /*
-        * Do not relabel if their is no default specification for this file
-        */
-
-       if (strcmp(newcon, "<<none>>") == 0) {
-               goto out;
-       }
-
-        /* Get the current context of the file. */
-       ret = lgetfilecon_raw(ftsent->fts_accpath, &curcon);
-+       ret = lgetfilecon_raw(ftsent->fts_accpath, &context);
-        if (ret < 0) {
-                if (errno == ENODATA) {
-                       curcon = NULL;
-+                       context = NULL;
-                } else {
-                        fprintf(stderr, "%s get context on %s failed: '%s'\n",
-                                r_opts->progname, my_file, strerror(errno));
-                        goto err;
-                }
-       }
-
-+               user_only_changed = 0;
-+       } else
-+               user_only_changed = only_changed_user(context, newcon);
-        /* lgetfilecon returns number of characters and ret needs to be reset
-         * to 0.
-         */
-        ret = 0;
- 
-        /*
-        * Do not relabel the file if the file is already labeled according to
-        * the specification.
-+        * Do not relabel the file if the matching specification is 
-+        * <<none>> or the file is already labeled according to the 
-+        * specification.
-         */
-       if (curcon && (strcmp(curcon, newcon) == 0)) {
-+       if ((strcmp(newcon, "<<none>>") == 0) ||
-+           (context && (strcmp(context, newcon) == 0))) {
-+               freecon(context);
-                goto out;
-        }
- 
-       if (!r_opts->force && curcon && (is_context_customizable(curcon) > 0)) {
-+       if (!r_opts->force && context && (is_context_customizable(context) > 0)) {
-                if (r_opts->verbose > 1) {
-                        fprintf(stderr,
-                                "%s: %s not reset customized by admin to %s\n",
-                               r_opts->progname, my_file, curcon);
-+                               r_opts->progname, my_file, context);
-                }
-+               freecon(context);
-                goto out;
-        }
- 
-       /*
-        *  Do not change label unless this is a force or the type is different
-        */
-       if (!r_opts->force && curcon) {
-               int types_differ = 0;
-               context_t cona;
-               context_t conb;
-               int err = 0;
-               cona = context_new(curcon);
-               if (! cona) {
-                       goto out;
-               }
-               conb = context_new(newcon);
-               if (! conb) {
-                       context_free(cona);
-                       goto out;
-               }
-
-               types_differ = strcmp(context_type_get(cona), context_type_get(conb));
-               if (types_differ) {
-                       err |= context_user_set(conb, context_user_get(cona));
-                       err |= context_role_set(conb, context_role_get(cona));
-                       err |= context_range_set(conb, context_range_get(cona));
-                       if (!err) {
-                               freecon(newcon);
-                               newcon = strdup(context_str(conb));
-                       }
-               }
-               context_free(cona);
-               context_free(conb);
-
-               if (!types_differ || err) {
-                       goto out;
-               }
-       }
-
-        if (r_opts->verbose) {
-               printf("%s reset %s context %s->%s\n",
-                      r_opts->progname, my_file, curcon ?: "", newcon);
-+               /* If we're just doing "-v", trim out any relabels where
-+                * the user has r_opts->changed but the role and type are the
-+                * same.  For "-vv", emit everything. */
-+               if (r_opts->verbose > 1 || !user_only_changed) {
-+                       printf("%s reset %s context %s->%s\n",
-+                              r_opts->progname, my_file, context ?: "", newcon);
-+               }
-        }
- 
-       if (r_opts->logging && r_opts->change) {
-               if (curcon)
-+       if (r_opts->logging && !user_only_changed) {
-+               if (context)
-                        syslog(LOG_INFO, "relabeling %s from %s to %s\n",
-                              my_file, curcon, newcon);
-+                              my_file, context, newcon);
-                else
-                        syslog(LOG_INFO, "labeling %s to %s\n",
-                               my_file, newcon);
-        }
- 
-       if (r_opts->outfile)
-+       if (r_opts->outfile && !user_only_changed)
-                fprintf(r_opts->outfile, "%s\n", my_file);
- 
-+       if (context)
-+               freecon(context);
-+
-        /*
-         * Do not relabel the file if -n was used.
-         */
-       if (!r_opts->change)
-+       if (!r_opts->change || user_only_changed)
-                goto out;
- 
-        /*
-@@ -250,15 +220,12 @@ static int restore(FTSENT *ftsent)
-        }
-        ret = 0;
- out:
-       freecon(curcon);
-        freecon(newcon);
-        return ret;
- skip:
-       freecon(curcon);
-        freecon(newcon);
-        return SKIP;
- err:
-       freecon(curcon);
-        freecon(newcon);
-        return ERR;
- }
-@@ -479,6 +446,22 @@ int add_exclude(const char *directory)
-        return 0;
- }
- 
-+/* Compare two contexts to see if their differences are "significant",
-+ * or whether the only difference is in the user. */
-+static int only_changed_user(const char *a, const char *b)
-+{
-+       char *rest_a, *rest_b;  /* Rest of the context after the user */
-+       if (r_opts->force)
-+               return 0;
-+       if (!a || !b)
-+               return 0;
-+       rest_a = strchr(a, ':');
-+       rest_b = strchr(b, ':');
-+       if (!rest_a || !rest_b)
-+               return 0;
-+       return (strcmp(rest_a, rest_b) == 0);
-+}
-+
- /*
-  * Evaluate the association hash table distribution.
-  */
-diff --git a/setfiles/restorecon.8 b/setfiles/restorecon.8
-index ffbb9d1..f765000 100644
--- a/setfiles/restorecon.8
-+++ b/setfiles/restorecon.8
-@@ -21,11 +21,6 @@ It can also be run at any other time to correct inconsistent labels, to add
- support for newly-installed policy or, by using the \-n option, to passively
- check whether the file contexts are all set as specified by the active policy
- (default behavior) or by some other policy (see the \-c option).
-.P
-If a file object does not have a context, restorecon will write the default
-context to the file object's extended attributes. If a file object has a
-context, restorecon will only modify the type portion of the security context.
-The -F option will force a replacement of the entire context.
- 
- .SH "OPTIONS"
- .TP
-@@ -36,8 +31,8 @@ exclude a directory (repeat the option to exclude more than one directory).
- infilename contains a list of files to be processed. Use \- for stdin.
- .TP
- .B \-F
-Force reset of context to match file_context for customizable files, and the
-default file context, changing the user, role, range portion as well as the type.
-+force reset of context to match file_context for customizable files, or the
-+user section, if it has changed.
- .TP
- .B \-h, \-?
- display usage information and exit.
-@@ -63,6 +58,9 @@ change files and directories file labels recursively (descend directories).
- .B \-v
- show changes in file labels, if type or role are going to be changed.
- .TP 
-+.B \-vv
-+show changes in file labels, if type, role or user are going to be changed.
-+.TP 
- .B \-0
- the separator for the input items is assumed to be the null character
- (instead of the white space).  The quotes and the backslash characters are
-diff --git a/setfiles/setfiles.8 b/setfiles/setfiles.8
-index 7ff54f9..bcec84c 100644
--- a/setfiles/setfiles.8
-+++ b/setfiles/setfiles.8
-@@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts.
- 
- .SH "SYNOPSIS"
- .B setfiles
-.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
-+.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-vv] [\-W] [\-F] spec_file pathname...
- .SH "DESCRIPTION"
- This manual page describes the
- .BR setfiles
-@@ -19,13 +19,9 @@ It can also be run at any other time to correct inconsistent labels, to add
- support for newly-installed policy or, by using the \-n option, to passively
- check whether the file contexts are all set as specified by the active policy
- (default behavior) or by some other policy (see the \-c option).
-.P
-If a file object does not have a context, setfiles will write the default
-context to the file object's extended attributes. If a file object has a
-context, setfiles will only modify the type portion of the security context.
-The -F option will force a replacement of the entire context.
-+
- .SH "OPTIONS"
-.TP
-+.TP 
- .B \-c
- check the validity of the contexts against the specified binary policy.
- .TP
-@@ -40,9 +36,7 @@ directory to exclude (repeat option for more than one directory).
- take a list of files to be processed from an input file.
- .TP
- .B \-F
-Force reset of context to match file_context for customizable files, and the
-default file context, changing the user, role, range portion as well as the
-type.
-+force reset of context to match file_context for customizable files.
- .TP
- .B \-h, \-?
- display usage information and exit.
-@@ -73,7 +67,10 @@ take a list of files from standard input instead of using a pathname from the
- command line (equivalent to \-f \-).
- .TP
- .B \-v
-show changes in file labels.
-+show changes in file labels, if type or role are going to be changed.
-+.TP 
-+.B \-vv
-+show changes in file labels, if type, role or user are going to be changed.
- .TP 
- .B \-W
- display warnings about entries that had no matching files.
-- 
-1.8.1.2
diff --git a/recipes-security/selinux/policycoreutils/scripts_makefile.patch b/recipes-security/selinux/policycoreutils/scripts_makefile.patch
deleted file mode 100644
index 8972474..0000000
--- a/recipes-security/selinux/policycoreutils/scripts_makefile.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-policycoreutils: fix genhomedircon generation
-The script is put on the target and needs to reference
-the directory in which semodule is installed.
-Upstream Status: pending
-Signed-off-by: Joe Slater <jslater@windriver.com>
--- a/scripts/Makefile
-+++ b/scripts/Makefile
-@@ -8,11 +8,12 @@ LOCALEDIR ?= $(PREFIX)/share/locale
- 
- all: fixfiles genhomedircon chcat
- 
-+# we want the script to use the user sbin directory on the target
-+#
- genhomedircon:
-        @echo "#!/bin/sh" > genhomedircon
-        @echo >> genhomedircon
-       @if [ ! -e semodule_path ]; then echo -n "$(USRSBINDIR)/" >> genhomedircon; fi
-       @if [ -e semodule_path ]; then echo -n "`cat semodule_path`/" >> genhomedircon; fi
-+       @echo -n "$(sbindir)/" >> genhomedircon
-        @echo "semodule -Bn" >> genhomedircon
- 
- install: all
diff --git a/recipes-security/selinux/policycoreutils_2.1.14.bb b/recipes-security/selinux/policycoreutils_2.1.14.bb
index 687347c..b177042 100644
--- a/recipes-security/selinux/policycoreutils_2.1.14.bb
+++ b/recipes-security/selinux/policycoreutils_2.1.14.bb
@@ -1,15 +1,15 @@
 PR = "r3"
-include selinux_20120924.inc
+include selinux_20130423.inc
 include ${BPN}.inc
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-SRC_URI[md5sum] = "97c0b828599fe608f37894989820d71d"
+SRC_URI[md5sum] = "f34216414b650a0a25dec89a758234fb"
-SRC_URI[sha256sum] = "34040f06f3111d9ee957576e4095841d35b9ca9141ee8d80aab036cbefb28584"
+SRC_URI[sha256sum] = "b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5"
 SRC_URI += "\
-        file://policycoreutils-revert-restorecon-update-type.patch \
+        file://policycoreutils-fix-strict-prototypes.patch \
        file://policycoreutils-revert-run_init-open_init_pty.patch \
-        file://scripts_makefile.patch \
+        file://policycoreutils-fix-sepolicy-install-path.patch \
        "
author	Xin Ouyang <Xin.Ouyang@windriver.com>	2013-09-23 21:17:59 +0800
committer	Joe MacDonald <joe@deserted.net>	2013-10-02 13:24:44 -0400
commit	816b52ef4de5ed11520ae87db23d4de6f1b0e1a7 (patch)
tree	e1b3efc14dfefcc03d2ae45c438f31785d9621d3
parent	cb25a215d9259f8372db7227a8143fce3f3d695f (diff)
download	meta-selinux-816b52ef4de5ed11520ae87db23d4de6f1b0e1a7.tar.gz

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc index 7939095..1acc19f 100644 --- a/recipes-security/selinux/policycoreutils.inc +++ b/recipes-security/selinux/policycoreutils.inc
@@ -16,7 +16,7 @@ PAM_SRC_URI = "file://pam.d/newrole \
16	"	16	"
17		17
18	DEPENDS += "libsepol libselinux libsemanage"	18	DEPENDS += "libsepol libselinux libsemanage"
19	EXTRA_DEPENDS = "libcap-ng libcgroup"	19	EXTRA_DEPENDS = "libcap-ng libcgroup setools"
20	DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"	20	DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
21		21
22	inherit selinux	22	inherit selinux
@@ -43,8 +43,13 @@ RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"
43	WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"	43	WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"
44	ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}"	44	ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}"
45		45
		46	inherit pythonnative
		47
46	PACKAGES =+ "${PN}-python ${PN}-sandbox system-config-selinux"	48	PACKAGES =+ "${PN}-python ${PN}-sandbox system-config-selinux"
47	FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"	49	FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
		50	${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \
		51	${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/*"
		52	FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/*"
48	FILES_${PN}-sandbox = "${datadir}/sandbox/*"	53	FILES_${PN}-sandbox = "${datadir}/sandbox/*"
49	FILES_${PN}-sandbox += "${bindir}/sandbox"	54	FILES_${PN}-sandbox += "${bindir}/sandbox"
50	FILES_${PN}-sandbox += "${sbindir}/seunshare"	55	FILES_${PN}-sandbox += "${sbindir}/seunshare"
@@ -53,8 +58,6 @@ FILES_system-config-selinux = " \
53	${datadir}/system-config-selinux/* \	58	${datadir}/system-config-selinux/* \
54	"	59	"
55		60
56	inherit pythonnative
57
58	export STAGING_INCDIR	61	export STAGING_INCDIR
59	export STAGING_LIBDIR	62	export STAGING_LIBDIR
60	export BUILD_SYS	63	export BUILD_SYS
@@ -86,6 +89,11 @@ do_compile_prepend() {
86	export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages"	89	export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages"
87	}	90	}
88		91
		92	do_install_prepend() {
		93	export PYTHON=python
		94	export SEMODULE_PATH=${sbindir}
		95	}
		96
89	do_install_virtclass-native() {	97	do_install_virtclass-native() {
90	for PCU_CMD in ${PCU_NATIVE_CMDS} ; do	98	for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
91	oe_runmake -C $PCU_CMD install \	99	oe_runmake -C $PCU_CMD install \


diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fix-sepolicy-install-path.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fix-sepolicy-install-path.patch new file mode 100644 index 0000000..aaf2e66 --- /dev/null +++ b/recipes-security/selinux/policycoreutils/policycoreutils-fix-sepolicy-install-path.patch
@@ -0,0 +1,35 @@
		1	From 086f715e2a0dd05c07f0428f424017cc96acc387 Mon Sep 17 00:00:00 2001
		2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
		3	Date: Thu, 22 Aug 2013 16:40:26 +0800
		4	Subject: [PATCH] policycoreutils: fix install path for new pymodule sepolicy
		5
		6	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		7	---
		8	sepolicy/Makefile \| 4 +++-
		9	1 file changed, 3 insertions(+), 1 deletion(-)
		10
		11	diff --git a/sepolicy/Makefile b/sepolicy/Makefile
		12	index 11b534f..9e46b74 100644
		13	--- a/sepolicy/Makefile
		14	+++ b/sepolicy/Makefile
		15	@@ -11,6 +11,8 @@ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
		16	SHAREDIR ?= $(PREFIX)/share/sandbox
		17	override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W -DSHARED -shared
		18
		19	+PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]')
		20	+
		21	BASHCOMPLETIONS=sepolicy-bash-completion.sh
		22
		23	all: python-build
		24	@@ -23,7 +25,7 @@ clean:
		25	-rm -rf build ~ \# pyc .#
		26
		27	install:
		28	- $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
		29	+ $(PYTHON) setup.py install --install-lib $(LIBDIR)/$(PYLIBVER)/site-packages
		30	[ -d $(BINDIR) ] \|\| mkdir -p $(BINDIR)
		31	install -m 755 sepolicy.py $(BINDIR)/sepolicy
		32	-mkdir -p $(MANDIR)/man8
		33	--
		34	1.7.9.5
		35


diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch b/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch deleted file mode 100644 index dd7f97c..0000000 --- a/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch +++ /dev/null
@@ -1,315 +0,0 @@
1	From 0fa419825539f172e1097d685e92c7d1a5826f23 Mon Sep 17 00:00:00 2001
2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
3	Date: Fri, 24 May 2013 14:31:10 +0800
4	Subject: [PATCH] policycoreutils: Revert "restorecon: only update type by default"
5
6	This reverts uprev commit 96cedba3e59aa474f0f040da5108a17bba45ce6c.
7
8	96cedb will cause wrong security contexts for /dev/ while using
9	MLS type of old refpolicy, so revert it.
10
11	This patch should be dropped while refpolicy is upreved to 2.20120725+.
12
13	Upstream-Status: Inappropriate [for old refpolicy]
14
15	---
16	setfiles/restore.c \| 113 +++++++++++++++-------------------
17	setfiles/restorecon.8 \| 12 ++--
18	setfiles/setfiles.8 \| 19 +++---
19	3 files changed, 61 insertions(+), 83 deletions(-)
20
21	diff --git a/setfiles/restore.c b/setfiles/restore.c
22	index 4c62b41..2acec8e 100644
23	--- a/setfiles/restore.c
24	+++ b/setfiles/restore.c
25	@@ -1,6 +1,5 @@
26	#include "restore.h"
27	#include <glob.h>
28	-#include <selinux/context.h>
29
30	#define SKIP -2
31	#define ERR -1
32	@@ -34,6 +33,7 @@ struct edir {
33
34	static file_spec_t *fl_head;
35	static int filespec_add(ino_t ino, const security_context_t con, const char *file);
36	+static int only_changed_user(const char a, const char b);
37	struct restore_opts *r_opts = NULL;
38	static void filespec_destroy(void);
39	static void filespec_eval(void);
40	@@ -104,7 +104,8 @@ static int restore(FTSENT *ftsent)
41	{
42	char *my_file = strdupa(ftsent->fts_path);
43	int ret = -1;
44	- security_context_t curcon = NULL, newcon = NULL;
45	+ char context, newcon;
46	+ int user_only_changed = 0;
47
48	if (match(my_file, ftsent->fts_statp, &newcon) < 0)
49	/* Check for no matching specification. */
50	@@ -138,105 +139,74 @@ static int restore(FTSENT *ftsent)
51	printf("%s: %s matched by %s\n", r_opts->progname, my_file, newcon);
52	}
53
54	- /*
55	- * Do not relabel if their is no default specification for this file
56	- */
57	-
58	- if (strcmp(newcon, "<<none>>") == 0) {
59	- goto out;
60	- }
61	-
62	/* Get the current context of the file. */
63	- ret = lgetfilecon_raw(ftsent->fts_accpath, &curcon);
64	+ ret = lgetfilecon_raw(ftsent->fts_accpath, &context);
65	if (ret < 0) {
66	if (errno == ENODATA) {
67	- curcon = NULL;
68	+ context = NULL;
69	} else {
70	fprintf(stderr, "%s get context on %s failed: '%s'\n",
71	r_opts->progname, my_file, strerror(errno));
72	goto err;
73	}
74	- }
75	-
76	+ user_only_changed = 0;
77	+ } else
78	+ user_only_changed = only_changed_user(context, newcon);
79	/* lgetfilecon returns number of characters and ret needs to be reset
80	* to 0.
81	*/
82	ret = 0;
83
84	/*
85	- * Do not relabel the file if the file is already labeled according to
86	- * the specification.
87	+ * Do not relabel the file if the matching specification is
88	+ * <<none>> or the file is already labeled according to the
89	+ * specification.
90	*/
91	- if (curcon && (strcmp(curcon, newcon) == 0)) {
92	+ if ((strcmp(newcon, "<<none>>") == 0) \|\|
93	+ (context && (strcmp(context, newcon) == 0))) {
94	+ freecon(context);
95	goto out;
96	}
97
98	- if (!r_opts->force && curcon && (is_context_customizable(curcon) > 0)) {
99	+ if (!r_opts->force && context && (is_context_customizable(context) > 0)) {
100	if (r_opts->verbose > 1) {
101	fprintf(stderr,
102	"%s: %s not reset customized by admin to %s\n",
103	- r_opts->progname, my_file, curcon);
104	+ r_opts->progname, my_file, context);
105	}
106	+ freecon(context);
107	goto out;
108	}
109
110	- /*
111	- * Do not change label unless this is a force or the type is different
112	- */
113	- if (!r_opts->force && curcon) {
114	- int types_differ = 0;
115	- context_t cona;
116	- context_t conb;
117	- int err = 0;
118	- cona = context_new(curcon);
119	- if (! cona) {
120	- goto out;
121	- }
122	- conb = context_new(newcon);
123	- if (! conb) {
124	- context_free(cona);
125	- goto out;
126	- }
127	-
128	- types_differ = strcmp(context_type_get(cona), context_type_get(conb));
129	- if (types_differ) {
130	- err \|= context_user_set(conb, context_user_get(cona));
131	- err \|= context_role_set(conb, context_role_get(cona));
132	- err \|= context_range_set(conb, context_range_get(cona));
133	- if (!err) {
134	- freecon(newcon);
135	- newcon = strdup(context_str(conb));
136	- }
137	- }
138	- context_free(cona);
139	- context_free(conb);
140	-
141	- if (!types_differ \|\| err) {
142	- goto out;
143	- }
144	- }
145	-
146	if (r_opts->verbose) {
147	- printf("%s reset %s context %s->%s\n",
148	- r_opts->progname, my_file, curcon ?: "", newcon);
149	+ /* If we're just doing "-v", trim out any relabels where
150	+ * the user has r_opts->changed but the role and type are the
151	+ * same. For "-vv", emit everything. */
152	+ if (r_opts->verbose > 1 \|\| !user_only_changed) {
153	+ printf("%s reset %s context %s->%s\n",
154	+ r_opts->progname, my_file, context ?: "", newcon);
155	+ }
156	}
157
158	- if (r_opts->logging && r_opts->change) {
159	- if (curcon)
160	+ if (r_opts->logging && !user_only_changed) {
161	+ if (context)
162	syslog(LOG_INFO, "relabeling %s from %s to %s\n",
163	- my_file, curcon, newcon);
164	+ my_file, context, newcon);
165	else
166	syslog(LOG_INFO, "labeling %s to %s\n",
167	my_file, newcon);
168	}
169
170	- if (r_opts->outfile)
171	+ if (r_opts->outfile && !user_only_changed)
172	fprintf(r_opts->outfile, "%s\n", my_file);
173
174	+ if (context)
175	+ freecon(context);
176	+
177	/*
178	* Do not relabel the file if -n was used.
179	*/
180	- if (!r_opts->change)
181	+ if (!r_opts->change \|\| user_only_changed)
182	goto out;
183
184	/*
185	@@ -250,15 +220,12 @@ static int restore(FTSENT *ftsent)
186	}
187	ret = 0;
188	out:
189	- freecon(curcon);
190	freecon(newcon);
191	return ret;
192	skip:
193	- freecon(curcon);
194	freecon(newcon);
195	return SKIP;
196	err:
197	- freecon(curcon);
198	freecon(newcon);
199	return ERR;
200	}
201	@@ -479,6 +446,22 @@ int add_exclude(const char *directory)
202	return 0;
203	}
204
205	+/* Compare two contexts to see if their differences are "significant",
206	+ * or whether the only difference is in the user. */
207	+static int only_changed_user(const char a, const char b)
208	+{
209	+ char rest_a, rest_b; /* Rest of the context after the user */
210	+ if (r_opts->force)
211	+ return 0;
212	+ if (!a \|\| !b)
213	+ return 0;
214	+ rest_a = strchr(a, ':');
215	+ rest_b = strchr(b, ':');
216	+ if (!rest_a \|\| !rest_b)
217	+ return 0;
218	+ return (strcmp(rest_a, rest_b) == 0);
219	+}
220	+
221	/*
222	* Evaluate the association hash table distribution.
223	*/
224	diff --git a/setfiles/restorecon.8 b/setfiles/restorecon.8
225	index ffbb9d1..f765000 100644
226	--- a/setfiles/restorecon.8
227	+++ b/setfiles/restorecon.8
228	@@ -21,11 +21,6 @@ It can also be run at any other time to correct inconsistent labels, to add
229	support for newly-installed policy or, by using the \-n option, to passively
230	check whether the file contexts are all set as specified by the active policy
231	(default behavior) or by some other policy (see the \-c option).
232	-.P
233	-If a file object does not have a context, restorecon will write the default
234	-context to the file object's extended attributes. If a file object has a
235	-context, restorecon will only modify the type portion of the security context.
236	-The -F option will force a replacement of the entire context.
237
238	.SH "OPTIONS"
239	.TP
240	@@ -36,8 +31,8 @@ exclude a directory (repeat the option to exclude more than one directory).
241	infilename contains a list of files to be processed. Use \- for stdin.
242	.TP
243	.B \-F
244	-Force reset of context to match file_context for customizable files, and the
245	-default file context, changing the user, role, range portion as well as the type.
246	+force reset of context to match file_context for customizable files, or the
247	+user section, if it has changed.
248	.TP
249	.B \-h, \-?
250	display usage information and exit.
251	@@ -63,6 +58,9 @@ change files and directories file labels recursively (descend directories).
252	.B \-v
253	show changes in file labels, if type or role are going to be changed.
254	.TP
255	+.B \-vv
256	+show changes in file labels, if type, role or user are going to be changed.
257	+.TP
258	.B \-0
259	the separator for the input items is assumed to be the null character
260	(instead of the white space). The quotes and the backslash characters are
261	diff --git a/setfiles/setfiles.8 b/setfiles/setfiles.8
262	index 7ff54f9..bcec84c 100644
263	--- a/setfiles/setfiles.8
264	+++ b/setfiles/setfiles.8
265	@@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts.
266
267	.SH "SYNOPSIS"
268	.B setfiles
269	-.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
270	+.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-vv] [\-W] [\-F] spec_file pathname...
271	.SH "DESCRIPTION"
272	This manual page describes the
273	.BR setfiles
274	@@ -19,13 +19,9 @@ It can also be run at any other time to correct inconsistent labels, to add
275	support for newly-installed policy or, by using the \-n option, to passively
276	check whether the file contexts are all set as specified by the active policy
277	(default behavior) or by some other policy (see the \-c option).
278	-.P
279	-If a file object does not have a context, setfiles will write the default
280	-context to the file object's extended attributes. If a file object has a
281	-context, setfiles will only modify the type portion of the security context.
282	-The -F option will force a replacement of the entire context.
283	+
284	.SH "OPTIONS"
285	-.TP
286	+.TP
287	.B \-c
288	check the validity of the contexts against the specified binary policy.
289	.TP
290	@@ -40,9 +36,7 @@ directory to exclude (repeat option for more than one directory).
291	take a list of files to be processed from an input file.
292	.TP
293	.B \-F
294	-Force reset of context to match file_context for customizable files, and the
295	-default file context, changing the user, role, range portion as well as the
296	-type.
297	+force reset of context to match file_context for customizable files.
298	.TP
299	.B \-h, \-?
300	display usage information and exit.
301	@@ -73,7 +67,10 @@ take a list of files from standard input instead of using a pathname from the
302	command line (equivalent to \-f \-).
303	.TP
304	.B \-v
305	-show changes in file labels.
306	+show changes in file labels, if type or role are going to be changed.
307	+.TP
308	+.B \-vv
309	+show changes in file labels, if type, role or user are going to be changed.
310	.TP
311	.B \-W
312	display warnings about entries that had no matching files.
313	--
314	1.8.1.2
315


diff --git a/recipes-security/selinux/policycoreutils/scripts_makefile.patch b/recipes-security/selinux/policycoreutils/scripts_makefile.patch deleted file mode 100644 index 8972474..0000000 --- a/recipes-security/selinux/policycoreutils/scripts_makefile.patch +++ /dev/null
@@ -1,26 +0,0 @@
1	policycoreutils: fix genhomedircon generation
2
3	The script is put on the target and needs to reference
4	the directory in which semodule is installed.
5
6	Upstream Status: pending
7
8	Signed-off-by: Joe Slater <jslater@windriver.com>
9
10	--- a/scripts/Makefile
11	+++ b/scripts/Makefile
12	@@ -8,11 +8,12 @@ LOCALEDIR ?= $(PREFIX)/share/locale
13
14	all: fixfiles genhomedircon chcat
15
16	+# we want the script to use the user sbin directory on the target
17	+#
18	genhomedircon:
19	@echo "#!/bin/sh" > genhomedircon
20	@echo >> genhomedircon
21	- @if [ ! -e semodule_path ]; then echo -n "$(USRSBINDIR)/" >> genhomedircon; fi
22	- @if [ -e semodule_path ]; then echo -n "`cat semodule_path`/" >> genhomedircon; fi
23	+ @echo -n "$(sbindir)/" >> genhomedircon
24	@echo "semodule -Bn" >> genhomedircon
25
26	install: all


diff --git a/recipes-security/selinux/policycoreutils_2.1.14.bb b/recipes-security/selinux/policycoreutils_2.1.14.bb index 687347c..b177042 100644 --- a/recipes-security/selinux/policycoreutils_2.1.14.bb +++ b/recipes-security/selinux/policycoreutils_2.1.14.bb
@@ -1,15 +1,15 @@
1	PR = "r3"	1	PR = "r3"
2		2
3	include selinux_20120924.inc	3	include selinux_20130423.inc
4	include ${BPN}.inc	4	include ${BPN}.inc
5		5
6	LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"	6	LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
7		7
8	SRC_URI[md5sum] = "97c0b828599fe608f37894989820d71d"	8	SRC_URI[md5sum] = "f34216414b650a0a25dec89a758234fb"
9	SRC_URI[sha256sum] = "34040f06f3111d9ee957576e4095841d35b9ca9141ee8d80aab036cbefb28584"	9	SRC_URI[sha256sum] = "b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5"
10		10
11	SRC_URI += "\	11	SRC_URI += "\
12	file://policycoreutils-revert-restorecon-update-type.patch \	12	file://policycoreutils-fix-strict-prototypes.patch \
13	file://policycoreutils-revert-run_init-open_init_pty.patch \	13	file://policycoreutils-revert-run_init-open_init_pty.patch \
14	file://scripts_makefile.patch \	14	file://policycoreutils-fix-sepolicy-install-path.patch \
15	"	15	"