at: drop obsolete SELinux patch

SELinux support was merged upstream in at-3.1.18, so this patch no longer applies and is not needed. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
author: Stephen Smalley <sds@tycho.nsa.gov> 2016-02-29 17:10:38 -0500
committer: Philip Tricca <flihp@twobit.us> 2016-03-03 03:00:15 +0000
commit: 2003c8819c5d1e8f10b59b12397d90441cd4edf6 (patch)
tree: 73c85434ab5b8b1da85c417363182b20d4af3256
parent: 03ce079067284ed9ddd19855bc628cbc9966f355 (diff)
download: meta-selinux-2003c8819c5d1e8f10b59b12397d90441cd4edf6.tar.gz
2 files changed, 0 insertions, 190 deletions
diff --git a/recipes-extended/at/at/at-3.1.13-selinux.patch b/recipes-extended/at/at/at-3.1.13-selinux.patch
deleted file mode 100644
index 4e5e18c..0000000
--- a/recipes-extended/at/at/at-3.1.13-selinux.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Wed, 13 Jun 2012 14:47:54 +0800
-Subject: [PATCH] at: atd add SELinux support.
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
- Makefile.in  |    1 +
- atd.c        |   83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- config.h.in  |    3 ++
- configure.ac |    8 +++++
- 4 files changed, 95 insertions(+), 0 deletions(-)
-diff --git a/Makefile.in b/Makefile.in
-index 10e7ed2..35792cd 100644
--- a/Makefile.in
-+++ b/Makefile.in
-@@ -39,6 +39,7 @@ LIBS          = @LIBS@
- LIBOBJS                = @LIBOBJS@
- INSTALL                = @INSTALL@
- PAMLIB          = @PAMLIB@
-+SELINUXLIB      = @SELINUXLIB@
- 
- CLONES         = atq atrm
- ATOBJECTS      = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o
-@@ -72,7 +72,7 @@ at: $(ATOBJECTS)
-        $(LN_S) -f at atrm
- 
- atd: $(RUNOBJECTS)
-       $(CC) $(LDFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB)
-+       $(CC) $(LDFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB) $(SELINUXLIB)
- 
- y.tab.c y.tab.h: parsetime.y
-        $(YACC) -d parsetime.y
-diff --git a/atd.c b/atd.c
-index af3e577..463124f 100644
--- a/atd.c
-+++ b/atd.c
-@@ -83,6 +83,14 @@
- #include "getloadavg.h"
- #endif
- 
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#include <selinux/get_context_list.h>
-+int selinux_enabled = 0;
-+#include <selinux/flask.h>
-+#include <selinux/av_permissions.h>
-+#endif
-+
- /* Macros */
- 
- #define BATCH_INTERVAL_DEFAULT 60
-@@ -195,6 +203,70 @@ myfork()
- #define fork myfork
- #endif
- 
-+#ifdef WITH_SELINUX
-+static int
-+set_selinux_context(const char *name, const char *filename)
-+{
-+    security_context_t user_context=NULL;
-+    security_context_t  file_context=NULL;
-+    struct av_decision avd;
-+    int retval=-1;
-+    char *seuser=NULL;
-+    char *level=NULL;
-+
-+    if (getseuserbyname(name, &seuser, &level) == 0) {
-+       retval=get_default_context_with_level(seuser, level, NULL, &user_context);
-+       free(seuser);
-+       free(level);
-+       if (retval) {
-+           if (security_getenforce()==1) {
-+               perr("execle: couldn't get security context for user %s\n", name);
-+           } else {
-+               syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
-+               return -1;
-+           }
-+       }
-+    }
-+
-+    /*
-+    * Since crontab files are not directly executed,
-+    * crond must ensure that the crontab file has
-+    * a context that is appropriate for the context of
-+    * the user cron job.  It performs an entrypoint
-+    * permission check for this purpose.
-+    */
-+    if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
-+       perr("fgetfilecon FAILED %s", filename);
-+
-+    retval = security_compute_av(user_context,
-+                       file_context,
-+                       SECCLASS_FILE,
-+                       FILE__ENTRYPOINT,
-+                       &avd);
-+    freecon(file_context);
-+    if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-+       if (security_getenforce()==1) {
-+           perr("Not allowed to set exec context to %s for user  %s\n", user_context,name);
-+       } else {
-+           syslog(LOG_ERR, "Not allowed to set exec context to %s for user  %s\n", user_context,name);
-+           retval = -1;
-+           goto err;
-+       }
-+    }
-+    if (setexeccon(user_context) < 0) {
-+       if (security_getenforce()==1) {
-+           perr("Could not set exec context to %s for user  %s\n", user_context,name);
-+           retval = -1;
-+       } else {
-+           syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,name);
-+       }
-+    }
-+err:
-+    freecon(user_context);
-+    return 0;
-+}
-+#endif
-+
- static void
- run_file(const char *filename, uid_t uid, gid_t gid)
- {
-@@ -435,6 +507,13 @@ run_file(const char *filename, uid_t uid, gid_t gid)
- 
-            chdir("/");
- 
-+#ifdef WITH_SELINUX
-+           if (selinux_enabled > 0) {
-+               if (set_selinux_context(pentry->pw_name, filename) < 0)
-+                   perr("SELinux Failed to set context\n");
-+           }
-+#endif
-+
-            if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
-                perr("Exec failed for /bin/sh");
- 
-@@ -707,6 +786,10 @@ main(int argc, char *argv[])
-     struct passwd *pwe;
-     struct group *ge;
- 
-+#ifdef WITH_SELINUX
-+    selinux_enabled = is_selinux_enabled();
-+#endif
-+
- /* We don't need root privileges all the time; running under uid and gid
-  * daemon is fine.
-  */
-diff --git a/configure.ac b/configure.ac
-index 2db7b65..5ecc35a 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -94,6 +94,18 @@ AC_CHECK_HEADERS(security/pam_appl.h, [
-    fi])
- fi
- 
-+AC_ARG_WITH([selinux],
-+  [AS_HELP_STRING([--without-selinux], [without SELinux support])])
-+
-+if test "x$with_selinux" != xno; then
-+AC_CHECK_HEADERS(selinux/selinux.h, [
-+  SELINUXLIB="-lselinux"
-+  AC_DEFINE(WITH_SELINUX, 1, [Define to 1 for SELinux support])],
-+   [if test "x$with_selinux" = xyes; then
-+   AC_MSG_ERROR([SELinux selected but selinux/selinux.h not found])
-+   fi])
-+fi
-+
- dnl Checking for programs
- 
- AC_PATH_PROG(SENDMAIL, sendmail, , $PATH:/usr/lib:/usr/sbin )
-@@ -104,6 +116,7 @@ fi
- 
- AC_SUBST(MAIL_CMD)
- AC_SUBST(PAMLIB)
-+AC_SUBST(SELINUXLIB)
- 
- AC_MSG_CHECKING(etcdir)
- AC_ARG_WITH(etcdir,
-- 
-1.7.5.4
diff --git a/recipes-extended/at/at_%.bbappend b/recipes-extended/at/at_%.bbappend
index f30abab..c1e8ed6 100644
--- a/recipes-extended/at/at_%.bbappend
+++ b/recipes-extended/at/at_%.bbappend
@@ -1,7 +1 @@
-PR .= ".2"
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-SRC_URI += "file://at-3.1.13-selinux.patch"
 inherit with-selinux
author	Stephen Smalley <sds@tycho.nsa.gov>	2016-02-29 17:10:38 -0500
committer	Philip Tricca <flihp@twobit.us>	2016-03-03 03:00:15 +0000
commit	2003c8819c5d1e8f10b59b12397d90441cd4edf6 (patch)
tree	73c85434ab5b8b1da85c417363182b20d4af3256
parent	03ce079067284ed9ddd19855bc628cbc9966f355 (diff)
download	meta-selinux-2003c8819c5d1e8f10b59b12397d90441cd4edf6.tar.gz

diff --git a/recipes-extended/at/at/at-3.1.13-selinux.patch b/recipes-extended/at/at/at-3.1.13-selinux.patch deleted file mode 100644 index 4e5e18c..0000000 --- a/recipes-extended/at/at/at-3.1.13-selinux.patch +++ /dev/null
@@ -1,184 +0,0 @@
1	From: Xin Ouyang <Xin.Ouyang@windriver.com>
2	Date: Wed, 13 Jun 2012 14:47:54 +0800
3	Subject: [PATCH] at: atd add SELinux support.
4
5	Upstream-Status: Inappropriate [configuration]
6
7	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
8	---
9	Makefile.in \| 1 +
10	atd.c \| 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
11	config.h.in \| 3 ++
12	configure.ac \| 8 +++++
13	4 files changed, 95 insertions(+), 0 deletions(-)
14
15	diff --git a/Makefile.in b/Makefile.in
16	index 10e7ed2..35792cd 100644
17	--- a/Makefile.in
18	+++ b/Makefile.in
19	@@ -39,6 +39,7 @@ LIBS = @LIBS@
20	LIBOBJS = @LIBOBJS@
21	INSTALL = @INSTALL@
22	PAMLIB = @PAMLIB@
23	+SELINUXLIB = @SELINUXLIB@
24
25	CLONES = atq atrm
26	ATOBJECTS = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o
27	@@ -72,7 +72,7 @@ at: $(ATOBJECTS)
28	$(LN_S) -f at atrm
29
30	atd: $(RUNOBJECTS)
31	- $(CC) $(LDFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB)
32	+ $(CC) $(LDFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB) $(SELINUXLIB)
33
34	y.tab.c y.tab.h: parsetime.y
35	$(YACC) -d parsetime.y
36	diff --git a/atd.c b/atd.c
37	index af3e577..463124f 100644
38	--- a/atd.c
39	+++ b/atd.c
40	@@ -83,6 +83,14 @@
41	#include "getloadavg.h"
42	#endif
43
44	+#ifdef WITH_SELINUX
45	+#include <selinux/selinux.h>
46	+#include <selinux/get_context_list.h>
47	+int selinux_enabled = 0;
48	+#include <selinux/flask.h>
49	+#include <selinux/av_permissions.h>
50	+#endif
51	+
52	/* Macros */
53
54	#define BATCH_INTERVAL_DEFAULT 60
55	@@ -195,6 +203,70 @@ myfork()
56	#define fork myfork
57	#endif
58
59	+#ifdef WITH_SELINUX
60	+static int
61	+set_selinux_context(const char name, const char filename)
62	+{
63	+ security_context_t user_context=NULL;
64	+ security_context_t file_context=NULL;
65	+ struct av_decision avd;
66	+ int retval=-1;
67	+ char *seuser=NULL;
68	+ char *level=NULL;
69	+
70	+ if (getseuserbyname(name, &seuser, &level) == 0) {
71	+ retval=get_default_context_with_level(seuser, level, NULL, &user_context);
72	+ free(seuser);
73	+ free(level);
74	+ if (retval) {
75	+ if (security_getenforce()==1) {
76	+ perr("execle: couldn't get security context for user %s\n", name);
77	+ } else {
78	+ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
79	+ return -1;
80	+ }
81	+ }
82	+ }
83	+
84	+ /*
85	+ * Since crontab files are not directly executed,
86	+ * crond must ensure that the crontab file has
87	+ * a context that is appropriate for the context of
88	+ * the user cron job. It performs an entrypoint
89	+ * permission check for this purpose.
90	+ */
91	+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
92	+ perr("fgetfilecon FAILED %s", filename);
93	+
94	+ retval = security_compute_av(user_context,
95	+ file_context,
96	+ SECCLASS_FILE,
97	+ FILE__ENTRYPOINT,
98	+ &avd);
99	+ freecon(file_context);
100	+ if (retval \|\| ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
101	+ if (security_getenforce()==1) {
102	+ perr("Not allowed to set exec context to %s for user %s\n", user_context,name);
103	+ } else {
104	+ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name);
105	+ retval = -1;
106	+ goto err;
107	+ }
108	+ }
109	+ if (setexeccon(user_context) < 0) {
110	+ if (security_getenforce()==1) {
111	+ perr("Could not set exec context to %s for user %s\n", user_context,name);
112	+ retval = -1;
113	+ } else {
114	+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name);
115	+ }
116	+ }
117	+err:
118	+ freecon(user_context);
119	+ return 0;
120	+}
121	+#endif
122	+
123	static void
124	run_file(const char *filename, uid_t uid, gid_t gid)
125	{
126	@@ -435,6 +507,13 @@ run_file(const char *filename, uid_t uid, gid_t gid)
127
128	chdir("/");
129
130	+#ifdef WITH_SELINUX
131	+ if (selinux_enabled > 0) {
132	+ if (set_selinux_context(pentry->pw_name, filename) < 0)
133	+ perr("SELinux Failed to set context\n");
134	+ }
135	+#endif
136	+
137	if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
138	perr("Exec failed for /bin/sh");
139
140	@@ -707,6 +786,10 @@ main(int argc, char *argv[])
141	struct passwd *pwe;
142	struct group *ge;
143
144	+#ifdef WITH_SELINUX
145	+ selinux_enabled = is_selinux_enabled();
146	+#endif
147	+
148	/* We don't need root privileges all the time; running under uid and gid
149	* daemon is fine.
150	*/
151	diff --git a/configure.ac b/configure.ac
152	index 2db7b65..5ecc35a 100644
153	--- a/configure.ac
154	+++ b/configure.ac
155	@@ -94,6 +94,18 @@ AC_CHECK_HEADERS(security/pam_appl.h, [
156	fi])
157	fi
158
159	+AC_ARG_WITH([selinux],
160	+ [AS_HELP_STRING([--without-selinux], [without SELinux support])])
161	+
162	+if test "x$with_selinux" != xno; then
163	+AC_CHECK_HEADERS(selinux/selinux.h, [
164	+ SELINUXLIB="-lselinux"
165	+ AC_DEFINE(WITH_SELINUX, 1, [Define to 1 for SELinux support])],
166	+ [if test "x$with_selinux" = xyes; then
167	+ AC_MSG_ERROR([SELinux selected but selinux/selinux.h not found])
168	+ fi])
169	+fi
170	+
171	dnl Checking for programs
172
173	AC_PATH_PROG(SENDMAIL, sendmail, , $PATH:/usr/lib:/usr/sbin )
174	@@ -104,6 +116,7 @@ fi
175
176	AC_SUBST(MAIL_CMD)
177	AC_SUBST(PAMLIB)
178	+AC_SUBST(SELINUXLIB)
179
180	AC_MSG_CHECKING(etcdir)
181	AC_ARG_WITH(etcdir,
182	--
183	1.7.5.4
184


diff --git a/recipes-extended/at/at_%.bbappend b/recipes-extended/at/at_%.bbappend index f30abab..c1e8ed6 100644 --- a/recipes-extended/at/at_%.bbappend +++ b/recipes-extended/at/at_%.bbappend
@@ -1,7 +1 @@
1	PR .= ".2"
2
3	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
4
5	SRC_URI += "file://at-3.1.13-selinux.patch"
6
7	inherit with-selinux	inherit with-selinux