policycoreutils: address QA issues

Both the fixfiles and sandbox utilities had dependencies on bash when they didn't really need to. Update sandbox and patch fixfiles. ifgen is python script, so ensure that python is listed as a runtime dependency. Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Joe MacDonald <joe_macdonald@mentor.com> 2015-02-20 21:31:25 -0500
committer: Joe MacDonald <joe_macdonald@mentor.com> 2015-02-20 21:31:25 -0500
commit: a1185c46b8e142f1e9847579861231105bcf1461 (patch)
tree: e2733c5abd40fe01637a5ff171a3b9f88485c402
parent: d382d54f0a9a913791fca1d7f61e87fcfd32842b (diff)
download: meta-selinux-a1185c46b8e142f1e9847579861231105bcf1461.tar.gz
3 files changed, 136 insertions, 2 deletions
diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index 44a5861..4846683 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -7,7 +7,10 @@ context."
 SECTION = "base"
 LICENSE = "GPLv2+"
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+            file://policycoreutils-fixfiles-de-bashify.patch \
+            file://policycoreutils-sandbox-de-bashify.patch \
+           "
 PAM_SRC_URI = "file://pam.d/newrole \
               file://pam.d/run_init \
@@ -97,7 +100,7 @@ RDEPENDS_${BPN}-sepolicy += "\
 "
 # static link to libsepol
 DEPENDS_${BPN}-sepolgen-ifgen += "libsepol"
-RDEPENDS_${BPN}-sepolgen-ifgen += "libselinux-python"
+RDEPENDS_${BPN}-sepolgen-ifgen += "python libselinux-python"
 RDEPENDS_${BPN}-sestatus += "libselinux"
 RDEPENDS_${BPN}-setfiles += "\
        libselinux \
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
new file mode 100644
index 0000000..44d7525
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
@@ -0,0 +1,92 @@
+From 25ca94680f2fe20f49b80e8b5b180a0dbb903f17 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 20 Feb 2015 17:00:19 -0500
+Subject: [PATCH] fixfiles: de-bashify
+Most of the bashisms in fixfiles are pretty easy to work around, the only
+complex one is the use of PIPESTATUS.  The common solution to this is to
+use fifos but considering the action this script is performing, that's not
+necessarily the best option here.  Introducing a second invocation of rpm
+is minimal overhead on an operation that should happen very infrequently,
+so we'll try that instead.
+Upstream-Status: Pending
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ scripts/fixfiles | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+diff --git a/scripts/fixfiles b/scripts/fixfiles
+index 5c29eb9..10a5078 100755
+--- a/scripts/fixfiles
+++ b/scripts/fixfiles
+@@ -1,4 +1,4 @@
+-#!/bin/bash
+#!/bin/sh
+ # fixfiles
+ #
+ # Script to restore labels on a SELinux box
+@@ -25,7 +25,7 @@
+ # number if the current kernel version is greater than 2.6.30, a negative
+ # number if the current is less than 2.6.30 and 0 if they are the same.
+ #
+-function useseclabel {
+useseclabel() {
+        VER=`uname -r`
+        SUP=2.6.30
+        expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
+@@ -91,9 +91,9 @@ exclude_dirs_from_relabelling() {
+          # skip not absolute path
+          # skip not directory
+          [ -z "${i}" ] && continue
+-         [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
+-         [[ ! "${i}" =~ ^/.* ]] && continue
+-         [[ ! -d "${i}" ]] && continue
+         echo "${i}" | egrep -q '^[[:space:]]*#' && continue
+         echo "${i}" | egrep -v '^/.*' && continue
+         [ ! -d "${i}" ] && continue
+          exclude_from_relabelling="$exclude_from_relabelling -e $i"
+          logit "skipping the directory $i"
+        done < /etc/selinux/fixfiles_exclude_dirs
+@@ -205,8 +205,12 @@ fi
+ }
+ 
+ rpmlist() {
+-rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
+-[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
+    if rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" >/dev/null
+    then
+        rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
+    else
+        echo "$1 not found" >/dev/stderr
+    fi
+ }
+ 
+ #
+@@ -233,10 +237,10 @@ if [ -n "${exclude_dirs}" ]
+ then
+        TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
+        test -z "$TEMPFCFILE" && exit
+-       /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
+-       tmpdirs=${tempdirs//-e/}
+-       for p in ${tmpdirs}
+       /bin/cp -p ${FC} ${TEMPFCFILE} >/dev/null 2>&1 || exit
+       for p in ${tempdirs}
+        do
+               [ ${p} = "-e" ] && continue
+                p="${p%/}"
+                p1="${p}(/.*)? -- <<none>>"
+                echo "${p1}" >> $TEMPFCFILE
+@@ -288,7 +292,7 @@ relabel() {
+        restore Relabel
+     fi
+ 
+-    if [ $fullFlag == 1  ]; then
+    if [ $fullFlag = 1 ]; then
+        fullrelabel
+     fi
+ 
+-- 
+1.9.1
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch b/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
new file mode 100644
index 0000000..c078ef6
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
@@ -0,0 +1,39 @@
+From d3e778e0062ca441c80e2a3ef2b508f5566e1f70 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald@mentor.com>
+Date: Fri, 20 Feb 2015 21:07:47 -0500
+Subject: [PATCH] sandbox: de-bashify
+There's no bashisms apparent in either the sandbox initscript nor the
+sandboxX script, so point them at /bin/sh instead.
+Upstream-Status: Pending
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ sandbox/sandbox.init | 2 +-
+ sandbox/sandboxX.sh  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/sandbox/sandbox.init b/sandbox/sandbox.init
+index b3979bf..1893dc8 100644
+--- a/sandbox/sandbox.init
+++ b/sandbox/sandbox.init
+@@ -1,4 +1,4 @@
+-#!/bin/bash
+#!/bin/sh
+ ## BEGIN INIT INFO
+ # Provides: sandbox
+ # Default-Start: 3 4 5
+diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
+index eaa500d..8755d75 100644
+--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
+#!/bin/sh
+ trap "" TERM
+ context=`id -Z | secon -t -l -P`
+ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
+-- 
+1.9.1
author	Joe MacDonald <joe_macdonald@mentor.com>	2015-02-20 21:31:25 -0500
committer	Joe MacDonald <joe_macdonald@mentor.com>	2015-02-20 21:31:25 -0500
commit	a1185c46b8e142f1e9847579861231105bcf1461 (patch)
tree	e2733c5abd40fe01637a5ff171a3b9f88485c402
parent	d382d54f0a9a913791fca1d7f61e87fcfd32842b (diff)
download	meta-selinux-a1185c46b8e142f1e9847579861231105bcf1461.tar.gz

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc index 44a5861..4846683 100644 --- a/recipes-security/selinux/policycoreutils.inc +++ b/recipes-security/selinux/policycoreutils.inc
@@ -7,7 +7,10 @@ context."
7	SECTION = "base"	7	SECTION = "base"
8	LICENSE = "GPLv2+"	8	LICENSE = "GPLv2+"
9		9
10	SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"	10	SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
		11	file://policycoreutils-fixfiles-de-bashify.patch \
		12	file://policycoreutils-sandbox-de-bashify.patch \
		13	"
11		14
12	PAM_SRC_URI = "file://pam.d/newrole \	15	PAM_SRC_URI = "file://pam.d/newrole \
13	file://pam.d/run_init \	16	file://pam.d/run_init \
@@ -97,7 +100,7 @@ RDEPENDS_${BPN}-sepolicy += "\
97	"	100	"
98	# static link to libsepol	101	# static link to libsepol
99	DEPENDS_${BPN}-sepolgen-ifgen += "libsepol"	102	DEPENDS_${BPN}-sepolgen-ifgen += "libsepol"
100	RDEPENDS_${BPN}-sepolgen-ifgen += "libselinux-python"	103	RDEPENDS_${BPN}-sepolgen-ifgen += "python libselinux-python"
101	RDEPENDS_${BPN}-sestatus += "libselinux"	104	RDEPENDS_${BPN}-sestatus += "libselinux"
102	RDEPENDS_${BPN}-setfiles += "\	105	RDEPENDS_${BPN}-setfiles += "\
103	libselinux \	106	libselinux \


diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch new file mode 100644 index 0000000..44d7525 --- /dev/null +++ b/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
@@ -0,0 +1,92 @@
		1	From 25ca94680f2fe20f49b80e8b5b180a0dbb903f17 Mon Sep 17 00:00:00 2001
		2	From: Joe MacDonald <joe_macdonald@mentor.com>
		3	Date: Fri, 20 Feb 2015 17:00:19 -0500
		4	Subject: [PATCH] fixfiles: de-bashify
		5
		6	Most of the bashisms in fixfiles are pretty easy to work around, the only
		7	complex one is the use of PIPESTATUS. The common solution to this is to
		8	use fifos but considering the action this script is performing, that's not
		9	necessarily the best option here. Introducing a second invocation of rpm
		10	is minimal overhead on an operation that should happen very infrequently,
		11	so we'll try that instead.
		12
		13	Upstream-Status: Pending
		14
		15	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
		16	---
		17	scripts/fixfiles \| 26 +++++++++++++++-----------
		18	1 file changed, 15 insertions(+), 11 deletions(-)
		19
		20	diff --git a/scripts/fixfiles b/scripts/fixfiles
		21	index 5c29eb9..10a5078 100755
		22	--- a/scripts/fixfiles
		23	+++ b/scripts/fixfiles
		24	@@ -1,4 +1,4 @@
		25	-#!/bin/bash
		26	+#!/bin/sh
		27	# fixfiles
		28	#
		29	# Script to restore labels on a SELinux box
		30	@@ -25,7 +25,7 @@
		31	# number if the current kernel version is greater than 2.6.30, a negative
		32	# number if the current is less than 2.6.30 and 0 if they are the same.
		33	#
		34	-function useseclabel {
		35	+useseclabel() {
		36	VER=`uname -r`
		37	SUP=2.6.30
		38	expr '(' "$VER" : '\([^.]\)' ')' '-' '(' "$SUP" : '\([^.]\)' ')' '\|' \
		39	@@ -91,9 +91,9 @@ exclude_dirs_from_relabelling() {
		40	# skip not absolute path
		41	# skip not directory
		42	[ -z "${i}" ] && continue
		43	- [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
		44	- [[ ! "${i}" =~ ^/.* ]] && continue
		45	- [[ ! -d "${i}" ]] && continue
		46	+ echo "${i}" \| egrep -q '^[[:space:]]*#' && continue
		47	+ echo "${i}" \| egrep -v '^/.*' && continue
		48	+ [ ! -d "${i}" ] && continue
		49	exclude_from_relabelling="$exclude_from_relabelling -e $i"
		50	logit "skipping the directory $i"
		51	done < /etc/selinux/fixfiles_exclude_dirs
		52	@@ -205,8 +205,12 @@ fi
		53	}
		54
		55	rpmlist() {
		56	-rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" \| grep '^0 ' \| cut -f2- -d ' '
		57	-[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
		58	+ if rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" >/dev/null
		59	+ then
		60	+ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" \| grep '^0 ' \| cut -f2- -d ' '
		61	+ else
		62	+ echo "$1 not found" >/dev/stderr
		63	+ fi
		64	}
		65
		66	#
		67	@@ -233,10 +237,10 @@ if [ -n "${exclude_dirs}" ]
		68	then
		69	TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
		70	test -z "$TEMPFCFILE" && exit
		71	- /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null \|\| exit
		72	- tmpdirs=${tempdirs//-e/}
		73	- for p in ${tmpdirs}
		74	+ /bin/cp -p ${FC} ${TEMPFCFILE} >/dev/null 2>&1 \|\| exit
		75	+ for p in ${tempdirs}
		76	do
		77	+ [ ${p} = "-e" ] && continue
		78	p="${p%/}"
		79	p1="${p}(/.*)? -- <<none>>"
		80	echo "${p1}" >> $TEMPFCFILE
		81	@@ -288,7 +292,7 @@ relabel() {
		82	restore Relabel
		83	fi
		84
		85	- if [ $fullFlag == 1 ]; then
		86	+ if [ $fullFlag = 1 ]; then
		87	fullrelabel
		88	fi
		89
		90	--
		91	1.9.1
		92


diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch b/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch new file mode 100644 index 0000000..c078ef6 --- /dev/null +++ b/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
@@ -0,0 +1,39 @@
		1	From d3e778e0062ca441c80e2a3ef2b508f5566e1f70 Mon Sep 17 00:00:00 2001
		2	From: Joe MacDonald <joe_macdonald@mentor.com>
		3	Date: Fri, 20 Feb 2015 21:07:47 -0500
		4	Subject: [PATCH] sandbox: de-bashify
		5
		6	There's no bashisms apparent in either the sandbox initscript nor the
		7	sandboxX script, so point them at /bin/sh instead.
		8
		9	Upstream-Status: Pending
		10
		11	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
		12	---
		13	sandbox/sandbox.init \| 2 +-
		14	sandbox/sandboxX.sh \| 2 +-
		15	2 files changed, 2 insertions(+), 2 deletions(-)
		16
		17	diff --git a/sandbox/sandbox.init b/sandbox/sandbox.init
		18	index b3979bf..1893dc8 100644
		19	--- a/sandbox/sandbox.init
		20	+++ b/sandbox/sandbox.init
		21	@@ -1,4 +1,4 @@
		22	-#!/bin/bash
		23	+#!/bin/sh
		24	## BEGIN INIT INFO
		25	# Provides: sandbox
		26	# Default-Start: 3 4 5
		27	diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
		28	index eaa500d..8755d75 100644
		29	--- a/sandbox/sandboxX.sh
		30	+++ b/sandbox/sandboxX.sh
		31	@@ -1,4 +1,4 @@
		32	-#!/bin/bash
		33	+#!/bin/sh
		34	trap "" TERM
		35	context=`id -Z \| secon -t -l -P`
		36	export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc \| /usr/bin/cut -b8-80`"
		37	--
		38	1.9.1
		39