From 4fefe83c3203c11fadbe43637a3058284b60427b Mon Sep 17 00:00:00 2001 From: Mark Hatle Date: Fri, 8 Sep 2017 10:44:23 -0500 Subject: Refactor to conform to YP Compat requirements Change the references to check for the distribution flag of 'selinux' being set before taking any action within the bbappends. This prevents the signature from being modified. Also remove PR changes, as they are no longer allowed. 
Signed-off-by: Mark Hatle --- .../augeas/augeas/augeas_%.bbappend | 2 +- .../iscsi-initiator-utils_%.bbappend | 2 +- .../iscsi-initiator-utils_selinux.inc | 1 + recipes-connectivity/bind/bind_%.bbappend | 14 +- recipes-connectivity/bind/bind_selinux.inc | 11 + recipes-connectivity/dhcp/dhcp_%.bbappend | 4 +- recipes-connectivity/dhcp/dhcp_selinux.inc | 3 + recipes-connectivity/iproute2/iproute2_%.bbappend | 10 +- recipes-connectivity/iproute2/iproute2_selinux.inc | 5 + recipes-connectivity/openssh/openssh_%.bbappend | 14 +- recipes-connectivity/openssh/openssh_selinux.inc | 9 + recipes-core/busybox/busybox_%.bbappend | 88 +------- recipes-core/busybox/busybox_selinux.inc | 85 +++++++ recipes-core/coreutils/coreutils_%.bbappend | 3 +- recipes-core/dbus/dbus_%.bbappend | 3 +- recipes-core/eudev/eudev/init | 143 ------------ recipes-core/eudev/eudev/udev-cache | 32 --- recipes-core/eudev/eudev_%.bbappend | 3 +- recipes-core/eudev/eudev_selinux.inc | 3 + recipes-core/eudev/files/init | 143 ++++++++++++ recipes-core/eudev/files/udev-cache | 32 +++ recipes-core/glib-2.0/glib-2.0_%.bbappend | 2 +- recipes-core/initscripts/files/devpts.sh | 29 +++ .../initscripts/initscripts-1.0_selinux.inc | 11 + recipes-core/initscripts/initscripts/devpts.sh | 29 --- recipes-core/initscripts/initscripts_1.0.bbappend | 14 +- recipes-core/libcgroup/libcgroup_%.bbappend | 13 +- recipes-core/libcgroup/libcgroup_selinux.inc | 10 + recipes-core/systemd/systemd_%.bbappend | 2 +- .../files/sysvinit-fix-is_selinux_enabled.patch | 71 ++++++ .../sysvinit-fix-is_selinux_enabled.patch | 71 ------ recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc | 11 + recipes-core/sysvinit/sysvinit_2.88dsf.bbappend | 15 +- recipes-core/util-linux/util-linux_%.bbappend | 4 +- ...ib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch | 20 -- .../misc_create_inode.c-label_rootfs.patch | 37 ---- recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend | 3 +- recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc | 3 + 
...ib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch | 20 ++ .../files/misc_create_inode.c-label_rootfs.patch | 37 ++++ recipes-devtools/prelink/prelink_git.bbappend | 4 +- recipes-devtools/python/files/sitecustomize.py | 26 +++ recipes-devtools/python/python/sitecustomize.py | 26 --- recipes-devtools/python/python_%.bbappend | 4 +- recipes-devtools/python/python_selinux.inc | 5 + recipes-devtools/rpm/rpm_%.bbappend | 5 +- recipes-devtools/rpm/rpm_selinux.inc | 2 + recipes-extended/at/at_%.bbappend | 2 +- recipes-extended/cronie/cronie_%.bbappend | 5 +- .../findutils/findutils_4.6.%.bbappend | 3 +- recipes-extended/logrotate/logrotate_%.bbappend | 6 +- recipes-extended/logrotate/logrotate_selinux.inc | 5 + recipes-extended/lsof/lsof_%.bbappend | 17 +- recipes-extended/lsof/lsof_selinux.inc | 14 ++ .../net-tools/files/netstat-selinux-support.patch | 244 +++++++++++++++++++++ .../net-tools/netstat-selinux-support.patch | 244 --------------------- recipes-extended/net-tools/net-tools_%.bbappend | 12 +- recipes-extended/net-tools/net-tools_selinux.inc | 9 + recipes-extended/pam/libpam_%.bbappend | 4 +- recipes-extended/pam/libpam_selinux.inc | 3 + recipes-extended/parted/parted_%.bbappend | 4 +- recipes-extended/psmisc/psmisc_%.bbappend | 6 +- recipes-extended/sed/sed_4.2.2.bbappend | 4 +- recipes-extended/shadow/shadow_%.bbappend | 8 +- recipes-extended/shadow/shadow_selinux.inc | 6 + recipes-extended/sudo/sudo_%.bbappend | 4 +- recipes-extended/sysklogd/sysklogd_%.bbappend | 2 +- recipes-extended/sysklogd/sysklogd_selinux.inc | 1 + recipes-extended/tar/tar_%.bbappend | 7 +- recipes-extended/tar/tar_selinux.inc | 3 + recipes-graphics/mesa/mesa_%.bbappend | 6 +- recipes-graphics/mesa/mesa_selinux.inc | 6 + recipes-graphics/xcb/libxcb_%.bbappend | 9 +- recipes-graphics/xcb/libxcb_selinux.inc | 6 + recipes-kernel/linux/files/selinux.cfg | 31 +++ recipes-kernel/linux/linux-yocto/selinux.cfg | 31 --- recipes-kernel/linux/linux-yocto_4.%.bbappend | 9 +- 
recipes-kernel/linux/linux-yocto_selinux.inc | 4 + recipes-kernel/perf/perf.bbappend | 3 +- recipes-kernel/perf/perf_selinux.inc | 1 + .../fix-ptest-failures-when-selinux-enabled.patch | 41 ---- recipes-support/attr/attr_%.bbappend | 6 +- recipes-support/attr/attr_selinux.inc | 5 + .../fix-ptest-failures-when-selinux-enabled.patch | 41 ++++ recipes-support/gnupg/gnupg_2.%.bbappend | 4 +- recipes-support/gnupg/gnupg_selinux.inc | 3 + recipes-support/libpcre/libpcre_%.bbappend | 15 +- recipes-support/libpcre/libpcre_selinux.inc | 12 + .../recipes-containers/lxc/lxc_%.bbappend | 2 +- 89 files changed, 957 insertions(+), 975 deletions(-) create mode 100644 networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc create mode 100644 recipes-connectivity/bind/bind_selinux.inc create mode 100644 recipes-connectivity/dhcp/dhcp_selinux.inc create mode 100644 recipes-connectivity/iproute2/iproute2_selinux.inc create mode 100644 recipes-connectivity/openssh/openssh_selinux.inc create mode 100644 recipes-core/busybox/busybox_selinux.inc delete mode 100644 recipes-core/eudev/eudev/init delete mode 100644 recipes-core/eudev/eudev/udev-cache create mode 100644 recipes-core/eudev/eudev_selinux.inc create mode 100644 recipes-core/eudev/files/init create mode 100644 recipes-core/eudev/files/udev-cache create mode 100755 recipes-core/initscripts/files/devpts.sh create mode 100644 recipes-core/initscripts/initscripts-1.0_selinux.inc delete mode 100755 recipes-core/initscripts/initscripts/devpts.sh create mode 100644 recipes-core/libcgroup/libcgroup_selinux.inc create mode 100644 recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch delete mode 100644 recipes-core/sysvinit/sysvinit-2.88dsf/sysvinit-fix-is_selinux_enabled.patch create mode 100644 recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc delete mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch delete mode 100644 
recipes-devtools/e2fsprogs/e2fsprogs/misc_create_inode.c-label_rootfs.patch create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc create mode 100644 recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch create mode 100644 recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch create mode 100644 recipes-devtools/python/files/sitecustomize.py delete mode 100644 recipes-devtools/python/python/sitecustomize.py create mode 100644 recipes-devtools/python/python_selinux.inc create mode 100644 recipes-devtools/rpm/rpm_selinux.inc create mode 100644 recipes-extended/logrotate/logrotate_selinux.inc create mode 100644 recipes-extended/lsof/lsof_selinux.inc create mode 100644 recipes-extended/net-tools/files/netstat-selinux-support.patch delete mode 100644 recipes-extended/net-tools/net-tools/netstat-selinux-support.patch create mode 100644 recipes-extended/net-tools/net-tools_selinux.inc create mode 100644 recipes-extended/pam/libpam_selinux.inc create mode 100644 recipes-extended/shadow/shadow_selinux.inc create mode 100644 recipes-extended/sysklogd/sysklogd_selinux.inc create mode 100644 recipes-extended/tar/tar_selinux.inc create mode 100644 recipes-graphics/mesa/mesa_selinux.inc create mode 100644 recipes-graphics/xcb/libxcb_selinux.inc create mode 100644 recipes-kernel/linux/files/selinux.cfg delete mode 100644 recipes-kernel/linux/linux-yocto/selinux.cfg create mode 100644 recipes-kernel/linux/linux-yocto_selinux.inc create mode 100644 recipes-kernel/perf/perf_selinux.inc delete mode 100644 recipes-support/attr/attr/fix-ptest-failures-when-selinux-enabled.patch create mode 100644 recipes-support/attr/attr_selinux.inc create mode 100644 recipes-support/attr/files/fix-ptest-failures-when-selinux-enabled.patch create mode 100644 recipes-support/gnupg/gnupg_selinux.inc create mode 100644 recipes-support/libpcre/libpcre_selinux.inc 
diff --git a/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend b/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend
index c1e8ed6..b01ad25 100644
--- a/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend
+++ b/meta-python/recipes-extended/augeas/augeas/augeas_%.bbappend
@@ -1 +1 @@
-inherit with-selinux
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend b/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
index 81fe7b7..7719d3b 100644
--- a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
+++ b/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_%.bbappend
@@ -1 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc b/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
new file mode 100644
index 0000000..81fe7b7
--- /dev/null
+++ b/networking-layer/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_selinux.inc
@@ -0,0 +1 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
diff --git a/recipes-connectivity/bind/bind_%.bbappend b/recipes-connectivity/bind/bind_%.bbappend
index a15e045..7719d3b 100644
--- a/recipes-connectivity/bind/bind_%.bbappend
+++ b/recipes-connectivity/bind/bind_%.bbappend
@@ -1,13 +1 @@ -PR .= ".3" - -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" - -SRC_URI += "file://volatiles.04_bind" - -do_install_append() { - install -d ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/volatiles.04_bind ${D}${sysconfdir}/default/volatiles/volatiles.04_bind - - sed -i '/^\s*\/usr\/sbin\/rndc-confgen/a\ - [ -x /sbin/restorecon ] && /sbin/restorecon -F /etc/bind/rndc.key' ${D}${sysconfdir}/init.d/bind -} +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-connectivity/bind/bind_selinux.inc b/recipes-connectivity/bind/bind_selinux.inc new file mode 100644 index 0000000..1dfef8a --- /dev/null +++ b/recipes-connectivity/bind/bind_selinux.inc @@ -0,0 +1,11 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI += "file://volatiles.04_bind" + +do_install_append() { + install -d ${D}${sysconfdir}/default/volatiles + install -m 0644 ${WORKDIR}/volatiles.04_bind ${D}${sysconfdir}/default/volatiles/volatiles.04_bind + + sed -i '/^\s*\/usr\/sbin\/rndc-confgen/a\ + [ -x /sbin/restorecon ] && /sbin/restorecon -F /etc/bind/rndc.key' ${D}${sysconfdir}/init.d/bind +} diff --git a/recipes-connectivity/dhcp/dhcp_%.bbappend b/recipes-connectivity/dhcp/dhcp_%.bbappend index 2d2232c..7719d3b 100644 --- a/recipes-connectivity/dhcp/dhcp_%.bbappend +++ b/recipes-connectivity/dhcp/dhcp_%.bbappend @@ -1,3 +1 @@ -inherit selinux - -FILESEXTRAPATHS_prepend := "${@target_selinux(d, '${THISDIR}/files:')}" +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-connectivity/dhcp/dhcp_selinux.inc b/recipes-connectivity/dhcp/dhcp_selinux.inc new file mode 100644 index 0000000..08389f1 --- /dev/null +++ b/recipes-connectivity/dhcp/dhcp_selinux.inc @@ -0,0 +1,3 @@ +inherit selinux + +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" 
diff --git a/recipes-connectivity/iproute2/iproute2_%.bbappend b/recipes-connectivity/iproute2/iproute2_%.bbappend
index c866b54..7719d3b 100644
--- a/recipes-connectivity/iproute2/iproute2_%.bbappend
+++ b/recipes-connectivity/iproute2/iproute2_%.bbappend
@@ -1,9 +1 @@
-inherit with-selinux
-
-do_configure_append() {
- if ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'true', 'false', d)}; then
- sed -i 's/\(HAVE_SELINUX:=\).*/\1y/' ${B}/Config
- else
- sed -i 's/\(HAVE_SELINUX:=\).*/\1n/' ${B}/Config
- fi
-}
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-connectivity/iproute2/iproute2_selinux.inc b/recipes-connectivity/iproute2/iproute2_selinux.inc
new file mode 100644
index 0000000..b0a7ffe
--- /dev/null
+++ b/recipes-connectivity/iproute2/iproute2_selinux.inc
@@ -0,0 +1,5 @@
+inherit with-selinux
+
+do_configure_append() {
+ sed -i 's/\(HAVE_SELINUX:=\).*/\1y/' ${B}/Config
+}
diff --git a/recipes-connectivity/openssh/openssh_%.bbappend b/recipes-connectivity/openssh/openssh_%.bbappend
index 223b8cf..7719d3b 100644
--- a/recipes-connectivity/openssh/openssh_%.bbappend
+++ b/recipes-connectivity/openssh/openssh_%.bbappend
@@ -1,13 +1 @@
-PR .= ".5"
-
-inherit with-selinux
-
-FILESEXTRAPATHS_prepend := "${@target_selinux(d, '${THISDIR}/files:')}"
-
-# There is no distro feature just for audit. If we want it,
-# uncomment the following.
-#
-#PACKAGECONFIG += "${@target_selinux(d, 'audit')}"
-
-PACKAGECONFIG[audit] = "--with-audit=linux,--without-audit,audit,"
-
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-connectivity/openssh/openssh_selinux.inc b/recipes-connectivity/openssh/openssh_selinux.inc
new file mode 100644
index 0000000..ebd2721
--- /dev/null
+++ b/recipes-connectivity/openssh/openssh_selinux.inc
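Review bot: iproute2_selinux.inc's do_configure_append keeps only the `HAVE_SELINUX:=y` substitution; the removed bbappend also forced `n` when selinux was not a distro feature, and because the .inc is now pulled in only when 'selinux' is in DISTRO_FEATURES, a non-selinux build leaves HAVE_SELINUX to whatever iproute2's own configure detects in the sysroot. If libselinux happens to be staged for another reason, that can produce an undeclared dependency and a build that differs between hosts, which is the kind of non-determinism the YP compat rule is meant to prevent; if leaving detection to upstream is the intended trade-off, a comment saying so would help the next reader. The `sed -i` also succeeds silently when the `HAVE_SELINUX:=` line is not present in `${B}/Config`, so a comment noting that the pattern must match iproute2's configure output, or a `grep -q 'HAVE_SELINUX:=' ${B}/Config` before the sed, would make a stale pattern visible.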
@@ -0,0 +1,9 @@
+inherit with-selinux
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+# There is no distro feature just for audit.
+PACKAGECONFIG_append = " audit"
+
+PACKAGECONFIG[audit] = "--with-audit=linux,--without-audit,audit,"
+
diff --git a/recipes-core/busybox/busybox_%.bbappend b/recipes-core/busybox/busybox_%.bbappend
index b4935b2..7719d3b 100644
--- a/recipes-core/busybox/busybox_%.bbappend
+++ b/recipes-core/busybox/busybox_%.bbappend
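Review bot: `PACKAGECONFIG_append = " audit"` in openssh_selinux.inc turns the audit option on for every build that has 'selinux' in DISTRO_FEATURES, whereas the bbappend it replaces carried that line commented out; the commit message describes a signature-preserving refactor, so this is an unannounced functional change that adds a build and runtime dependency on `audit` and links sshd against libaudit. The surviving comment `# There is no distro feature just for audit.` no longer explains what follows it. Either restore the commented-out form (`#PACKAGECONFIG_append = " audit"`) to keep the change purely structural, or keep it enabled and reword the comment to `# There is no distro feature just for audit, so enable it whenever selinux is.` and mention the new dependency in the commit message.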
@@ -1,87 +1 @@ -PR .= ".1" - -FILES_${PN} += "${libdir}/${PN}" - -# We should use sh wrappers instead of links so the commands could get correct -# security labels -python create_sh_wrapper_reset_alternative_vars () { - # We need to load the full set of busybox provides from the /etc/busybox.links - # Use this to see the update-alternatives with the right information - - dvar = d.getVar('D', True) - pn = d.getVar('PN', True) - - def create_sh_alternative_vars(links, target, mode): - import shutil - # Create sh wrapper template - fwp = open("busybox_wrapper", 'w') - fwp.write("#!%s" % (target)) - os.fchmod(fwp.fileno(), mode) - fwp.close() - # Install the sh wrappers and alternatives reset to link to them - wpdir = os.path.join(d.getVar('libdir', True), pn) - wpdir_dest = '%s%s' % (dvar, wpdir) - if not os.path.exists(wpdir_dest): - os.makedirs(wpdir_dest) - f = open('%s%s' % (dvar, links), 'r') - for alt_link_name in f: - alt_link_name = alt_link_name.strip() - alt_name = os.path.basename(alt_link_name) - # Copy script wrapper to wp_path - alt_wppath = '%s%s' % (wpdir, alt_link_name) - alt_wppath_dest = '%s%s' % (wpdir_dest, alt_link_name) - alt_wpdir_dest = os.path.dirname(alt_wppath_dest) - if not os.path.exists(alt_wpdir_dest): - os.makedirs(alt_wpdir_dest) - shutil.copy2("busybox_wrapper", alt_wppath_dest) - # Re-set alternatives - # Match coreutils - if alt_name == '[': - alt_name = 'lbracket' - d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name) - d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name) - if os.path.exists(alt_wppath_dest): - d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath) - f.close() - - os.remove("busybox_wrapper") - return - - if os.path.exists('%s/etc/busybox.links' % (dvar)): - create_sh_alternative_vars("/etc/busybox.links", "/bin/busybox", 0o0755) - else: - create_sh_alternative_vars("/etc/busybox.links.nosuid", "/bin/busybox.nosuid", 0o0755) - create_sh_alternative_vars("/etc/busybox.links.suid", "/bin/busybox.suid", 
0o4755) -} - -# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in -# do_package_prepend() section of busybox_*.bb. -PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars " - -# Use sh wrappers instead of links -pkg_postinst_${PN} () { - # This part of code is dedicated to the on target upgrade problem. - # It's known that if we don't make appropriate symlinks before update-alternatives calls, - # there will be errors indicating missing commands such as 'sed'. - # These symlinks will later be updated by update-alternatives calls. - test -n 2 > /dev/null || alias test='busybox test' - if test "x$D" = "x"; then - # Remove busybox.nosuid if it's a symlink, because this situation indicates - # that we're installing or upgrading to a one-binary busybox. - if test -h /bin/busybox.nosuid; then - rm -f /bin/busybox.nosuid - fi - for suffix in "" ".nosuid" ".suid"; do - if test -e /etc/busybox.links$suffix; then - while read link; do - if test ! -e "$link"; then - # we can use busybox here because even if we are using splitted busybox - # we've made a symlink from /bin/busybox to /bin/busybox.nosuid. - busybox echo "#!/bin/busybox$suffix" > $link - fi - done < /etc/busybox.links$suffix - fi - done - fi -} - +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-core/busybox/busybox_selinux.inc b/recipes-core/busybox/busybox_selinux.inc new file mode 100644 index 0000000..3f20815 --- /dev/null +++ b/recipes-core/busybox/busybox_selinux.inc 
@@ -0,0 +1,85 @@ +FILES_${PN} += "${libdir}/${PN}" + +# We should use sh wrappers instead of links so the commands could get correct +# security labels +python create_sh_wrapper_reset_alternative_vars () { + # We need to load the full set of busybox provides from the /etc/busybox.links + # Use this to see the update-alternatives with the right information + + dvar = d.getVar('D', True) + pn = d.getVar('PN', True) + + def create_sh_alternative_vars(links, target, mode): + import shutil + # Create sh wrapper template + fwp = open("busybox_wrapper", 'w') + fwp.write("#!%s" % (target)) + os.fchmod(fwp.fileno(), mode) + fwp.close() + # Install the sh wrappers and alternatives reset to link to them + wpdir = os.path.join(d.getVar('libdir', True), pn) + wpdir_dest = '%s%s' % (dvar, wpdir) + if not os.path.exists(wpdir_dest): + os.makedirs(wpdir_dest) + f = open('%s%s' % (dvar, links), 'r') + for alt_link_name in f: + alt_link_name = alt_link_name.strip() + alt_name = os.path.basename(alt_link_name) + # Copy script wrapper to wp_path + alt_wppath = '%s%s' % (wpdir, alt_link_name) + alt_wppath_dest = '%s%s' % (wpdir_dest, alt_link_name) + alt_wpdir_dest = os.path.dirname(alt_wppath_dest) + if not os.path.exists(alt_wpdir_dest): + os.makedirs(alt_wpdir_dest) + shutil.copy2("busybox_wrapper", alt_wppath_dest) + # Re-set alternatives + # Match coreutils + if alt_name == '[': + alt_name = 'lbracket' + d.appendVar('ALTERNATIVE_%s' % (pn), ' ' + alt_name) + d.setVarFlag('ALTERNATIVE_LINK_NAME', alt_name, alt_link_name) + if os.path.exists(alt_wppath_dest): + d.setVarFlag('ALTERNATIVE_TARGET', alt_name, alt_wppath) + f.close() + + os.remove("busybox_wrapper") + return + + if os.path.exists('%s/etc/busybox.links' % (dvar)): + create_sh_alternative_vars("/etc/busybox.links", "/bin/busybox", 0o0755) + else: + create_sh_alternative_vars("/etc/busybox.links.nosuid", "/bin/busybox.nosuid", 0o0755) + create_sh_alternative_vars("/etc/busybox.links.suid", "/bin/busybox.suid", 0o4755) +} + 
+# Add to PACKAGEBUILDPKGD so it could override the alternatives, which are set in +# do_package_prepend() section of busybox_*.bb. +PACKAGEBUILDPKGD_prepend = "create_sh_wrapper_reset_alternative_vars " + +# Use sh wrappers instead of links +pkg_postinst_${PN} () { + # This part of code is dedicated to the on target upgrade problem. + # It's known that if we don't make appropriate symlinks before update-alternatives calls, + # there will be errors indicating missing commands such as 'sed'. + # These symlinks will later be updated by update-alternatives calls. + test -n 2 > /dev/null || alias test='busybox test' + if test "x$D" = "x"; then + # Remove busybox.nosuid if it's a symlink, because this situation indicates + # that we're installing or upgrading to a one-binary busybox. + if test -h /bin/busybox.nosuid; then + rm -f /bin/busybox.nosuid + fi + for suffix in "" ".nosuid" ".suid"; do + if test -e /etc/busybox.links$suffix; then + while read link; do + if test ! -e "$link"; then + # we can use busybox here because even if we are using splitted busybox + # we've made a symlink from /bin/busybox to /bin/busybox.nosuid. + busybox echo "#!/bin/busybox$suffix" > $link + fi + done < /etc/busybox.links$suffix + fi + done + fi +} + diff --git a/recipes-core/coreutils/coreutils_%.bbappend b/recipes-core/coreutils/coreutils_%.bbappend index c1e8ed6..7b9a2dc 100644 --- a/recipes-core/coreutils/coreutils_%.bbappend +++ b/recipes-core/coreutils/coreutils_%.bbappend @@ -1 +1,2 @@ -inherit with-selinux +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)} + diff --git a/recipes-core/dbus/dbus_%.bbappend b/recipes-core/dbus/dbus_%.bbappend index 8c11cac..ee221e2 100644 --- a/recipes-core/dbus/dbus_%.bbappend +++ b/recipes-core/dbus/dbus_%.bbappend @@ -1 +1,2 @@ -inherit enable-selinux +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)} + 
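Review bot: In busybox_selinux.inc the suid wrapper scripts are created with mode `0o4755` (the template is `os.fchmod`-ed and then copied with `shutil.copy2`, which preserves the mode), but the Linux kernel ignores setuid bits on `#!` scripts, so the bit grants nothing and the privilege comes entirely from `/bin/busybox.suid`; installing files that merely look setuid under `${libdir}/busybox` only trips security scanners and audits. I would pass `0o0755` for both calls, or keep the mode and add a comment above `create_sh_alternative_vars` explaining that the bit is inert. Two smaller points in the same hunk: `f = open('%s%s' % (dvar, links), 'r')` is never closed on an exception path and could be a `with` block, and in `pkg_postinst_${PN}` the redirection `> $link` should be `> "$link"` so a link name with whitespace cannot be split into several targets.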
diff --git a/recipes-core/eudev/eudev/init b/recipes-core/eudev/eudev/init
deleted file mode 100644
index ee64f86..0000000
--- a/recipes-core/eudev/eudev/init
+++ /dev/null
@@ -1,143 +0,0 @@ -#!/bin/sh - -### BEGIN INIT INFO -# Provides: udev -# Required-Start: mountvirtfs -# Required-Stop: -# Default-Start: S -# Default-Stop: -# Short-Description: Start udevd, populate /dev and load drivers. -### END INIT INFO - -export TZ=/etc/localtime - -[ -d /sys/class ] || exit 1 -[ -r /proc/mounts ] || exit 1 -[ -x @UDEVD@ ] || exit 1 -if [ "$use_udev_cache" != "" ]; then - [ -f /etc/default/udev-cache ] && . /etc/default/udev-cache -fi -[ -f /etc/udev/udev.conf ] && . /etc/udev/udev.conf -[ -f /etc/default/rcS ] && . /etc/default/rcS - -readfiles () { - READDATA="" - for filename in $@; do - if [ -r $filename ]; then - while read line; do - READDATA="$READDATA$line" - done < $filename - fi - done -} - -kill_udevd () { - pid=`pidof -x udevd` - [ -n "$pid" ] && kill $pid -} - -case "$1" in - start) - export ACTION=add - # propagate /dev from /sys - echo "Starting udev" - - # Check for requireed devtmpfs before trying to start udev and - # mount a no-existant fs. - if ! grep -q devtmpfs /proc/filesystems - then - echo "Missing devtmpfs, which is required for udev to run"; - echo "Halting..." - halt - fi - # mount the devtmpfs on /dev, if not already done - LANG=C awk '$2 == "/dev" && ($3 == "devtmpfs") { exit 1 }' /proc/mounts && { - mount -n -o mode=0755 -t devtmpfs none "/dev" - } - [ -e /dev/pts ] || mkdir -m 0755 /dev/pts - [ -e /dev/shm ] || mkdir -m 1777 /dev/shm - # the automount rule for udev needs /tmp directory available, as /tmp is a symlink - # to /var/tmp which in turn is a symlink to /var/volatile/tmp, we need to make sure - # /var/volatile/tmp directory to be available. - mkdir -p /var/volatile/tmp - - # restorecon /run early to allow mdadm creating dir /run/mdadm - test ! -x /sbin/restorecon || /sbin/restorecon -F /run - - # Cache handling. - # A list of files which are used as a criteria to judge whether the udev cache could be reused. 
- CMP_FILE_LIST="/proc/version /proc/cmdline /proc/devices /proc/atags" - if [ "$use_udev_cache" != "" ]; then - if [ "$DEVCACHE" != "" ]; then - if [ -e $DEVCACHE ]; then - readfiles $CMP_FILE_LIST - NEWDATA="$READDATA" - readfiles /etc/udev/cache.data - OLDDATA="$READDATA" - if [ "$OLDDATA" = "$NEWDATA" ]; then - tar --directory=/ -xf $DEVCACHE > /dev/null 2>&1 - not_first_boot=1 - [ "$VERBOSE" != "no" ] && echo "udev: using cache file $DEVCACHE" - [ -e /dev/shm/udev.cache ] && rm -f /dev/shm/udev.cache - else - # Output detailed reason why the cached /dev is not used - if [ "$VERBOSE" != "no" ]; then - echo "udev: udev cache not used" - echo "udev: we use $CMP_FILE_LIST as criteria to judge whether the cache /dev could be resued" - echo "udev: olddata: $OLDDATA" - echo "udev: newdata: $NEWDATA" - fi - echo "$NEWDATA" > /dev/shm/udev.cache - fi - else - if [ "$ROOTFS_READ_ONLY" != "yes" ]; then - # If rootfs is not read-only, it's possible that a new udev cache would be generated; - # otherwise, we do not bother to read files. - readfiles $CMP_FILE_LIST - echo "$READDATA" > /dev/shm/udev.cache - fi - fi - fi - fi - - # make_extra_nodes - kill_udevd > "/dev/null" 2>&1 - - # trigger the sorted events - echo -e '\000\000\000\000' > /proc/sys/kernel/hotplug - @UDEVD@ -d - - udevadm control --env=STARTUP=1 - if [ "$not_first_boot" != "" ];then - udevadm trigger --action=add --subsystem-nomatch=tty --subsystem-nomatch=mem --subsystem-nomatch=vc --subsystem-nomatch=vtconsole --subsystem-nomatch=misc --subsystem-nomatch=dcon --subsystem-nomatch=pci_bus --subsystem-nomatch=graphics --subsystem-nomatch=backlight --subsystem-nomatch=video4linux --subsystem-nomatch=platform - (udevadm settle --timeout=10; udevadm control --env=STARTUP=)& - else - udevadm trigger --action=add - udevadm settle - fi - - test ! 
-x /sbin/restorecon || /sbin/restorecon -F /dev /dev/shm /dev/pts - - ;; - stop) - echo "Stopping udevd" - start-stop-daemon --stop --name udevd --quiet - ;; - restart) - $0 stop - sleep 1 - $0 start - ;; - status) - pid=`pidof -x udevd` - if [ -n "$pid" ]; then - echo "udevd (pid $pid) is running ..." - else - echo "udevd is stopped" - fi - ;; - *) - echo "Usage: $0 {start|stop|status|restart}" - exit 1 -esac -exit 0 diff --git a/recipes-core/eudev/eudev/udev-cache b/recipes-core/eudev/eudev/udev-cache deleted file mode 100644 index 6898577..0000000 --- a/recipes-core/eudev/eudev/udev-cache +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/sh -e - -### BEGIN INIT INFO -# Provides: udev-cache -# Required-Start: mountall -# Required-Stop: -# Default-Start: S -# Default-Stop: -# Short-Description: cache /dev to speedup the udev next boot -### END INIT INFO - -export TZ=/etc/localtime - -[ -r /proc/mounts ] || exit 1 -[ -x @UDEVD@ ] || exit 1 -[ -d /sys/class ] || exit 1 - -[ -f /etc/default/rcS ] && . /etc/default/rcS -[ -f /etc/default/udev-cache ] && . /etc/default/udev-cache - -if [ "$ROOTFS_READ_ONLY" = "yes" ]; then - [ "$VERBOSE" != "no" ] && echo "udev-cache: read-only rootfs, skip generating udev-cache" - exit 0 -fi - -if [ "$DEVCACHE" != "" -a -e /dev/shm/udev.cache ]; then - echo "Populating dev cache" - tar --directory=/ --selinux --xattrs -cf "$DEVCACHE" dev - mv /dev/shm/udev.cache /etc/udev/cache.data -fi - -exit 0 diff --git a/recipes-core/eudev/eudev_%.bbappend b/recipes-core/eudev/eudev_%.bbappend index e1e7cd1..b0b03ec 100644 --- a/recipes-core/eudev/eudev_%.bbappend +++ b/recipes-core/eudev/eudev_%.bbappend @@ -1,3 +1,2 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} -inherit enable-selinux diff --git a/recipes-core/eudev/eudev_selinux.inc b/recipes-core/eudev/eudev_selinux.inc new file mode 100644 index 0000000..2ad6b13 --- /dev/null 
+++ b/recipes-core/eudev/eudev_selinux.inc
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+inherit enable-selinux
diff --git a/recipes-core/eudev/files/init b/recipes-core/eudev/files/init
new file mode 100644
index 0000000..ee64f86
--- /dev/null
+++ b/recipes-core/eudev/files/init
@@ -0,0 +1,143 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: udev +# Required-Start: mountvirtfs +# Required-Stop: +# Default-Start: S +# Default-Stop: +# Short-Description: Start udevd, populate /dev and load drivers. +### END INIT INFO + +export TZ=/etc/localtime + +[ -d /sys/class ] || exit 1 +[ -r /proc/mounts ] || exit 1 +[ -x @UDEVD@ ] || exit 1 +if [ "$use_udev_cache" != "" ]; then + [ -f /etc/default/udev-cache ] && . /etc/default/udev-cache +fi +[ -f /etc/udev/udev.conf ] && . /etc/udev/udev.conf +[ -f /etc/default/rcS ] && . /etc/default/rcS + +readfiles () { + READDATA="" + for filename in $@; do + if [ -r $filename ]; then + while read line; do + READDATA="$READDATA$line" + done < $filename + fi + done +} + +kill_udevd () { + pid=`pidof -x udevd` + [ -n "$pid" ] && kill $pid +} + +case "$1" in + start) + export ACTION=add + # propagate /dev from /sys + echo "Starting udev" + + # Check for requireed devtmpfs before trying to start udev and + # mount a no-existant fs. + if ! grep -q devtmpfs /proc/filesystems + then + echo "Missing devtmpfs, which is required for udev to run"; + echo "Halting..." + halt + fi + # mount the devtmpfs on /dev, if not already done + LANG=C awk '$2 == "/dev" && ($3 == "devtmpfs") { exit 1 }' /proc/mounts && { + mount -n -o mode=0755 -t devtmpfs none "/dev" + } + [ -e /dev/pts ] || mkdir -m 0755 /dev/pts + [ -e /dev/shm ] || mkdir -m 1777 /dev/shm + # the automount rule for udev needs /tmp directory available, as /tmp is a symlink + # to /var/tmp which in turn is a symlink to /var/volatile/tmp, we need to make sure + # /var/volatile/tmp directory to be available. + mkdir -p /var/volatile/tmp + + # restorecon /run early to allow mdadm creating dir /run/mdadm + test ! -x /sbin/restorecon || /sbin/restorecon -F /run + + # Cache handling. + # A list of files which are used as a criteria to judge whether the udev cache could be reused. 
+ CMP_FILE_LIST="/proc/version /proc/cmdline /proc/devices /proc/atags" + if [ "$use_udev_cache" != "" ]; then + if [ "$DEVCACHE" != "" ]; then + if [ -e $DEVCACHE ]; then + readfiles $CMP_FILE_LIST + NEWDATA="$READDATA" + readfiles /etc/udev/cache.data + OLDDATA="$READDATA" + if [ "$OLDDATA" = "$NEWDATA" ]; then + tar --directory=/ -xf $DEVCACHE > /dev/null 2>&1 + not_first_boot=1 + [ "$VERBOSE" != "no" ] && echo "udev: using cache file $DEVCACHE" + [ -e /dev/shm/udev.cache ] && rm -f /dev/shm/udev.cache + else + # Output detailed reason why the cached /dev is not used + if [ "$VERBOSE" != "no" ]; then + echo "udev: udev cache not used" + echo "udev: we use $CMP_FILE_LIST as criteria to judge whether the cache /dev could be resued" + echo "udev: olddata: $OLDDATA" + echo "udev: newdata: $NEWDATA" + fi + echo "$NEWDATA" > /dev/shm/udev.cache + fi + else + if [ "$ROOTFS_READ_ONLY" != "yes" ]; then + # If rootfs is not read-only, it's possible that a new udev cache would be generated; + # otherwise, we do not bother to read files. + readfiles $CMP_FILE_LIST + echo "$READDATA" > /dev/shm/udev.cache + fi + fi + fi + fi + + # make_extra_nodes + kill_udevd > "/dev/null" 2>&1 + + # trigger the sorted events + echo -e '\000\000\000\000' > /proc/sys/kernel/hotplug + @UDEVD@ -d + + udevadm control --env=STARTUP=1 + if [ "$not_first_boot" != "" ];then + udevadm trigger --action=add --subsystem-nomatch=tty --subsystem-nomatch=mem --subsystem-nomatch=vc --subsystem-nomatch=vtconsole --subsystem-nomatch=misc --subsystem-nomatch=dcon --subsystem-nomatch=pci_bus --subsystem-nomatch=graphics --subsystem-nomatch=backlight --subsystem-nomatch=video4linux --subsystem-nomatch=platform + (udevadm settle --timeout=10; udevadm control --env=STARTUP=)& + else + udevadm trigger --action=add + udevadm settle + fi + + test ! 
-x /sbin/restorecon || /sbin/restorecon -F /dev /dev/shm /dev/pts + + ;; + stop) + echo "Stopping udevd" + start-stop-daemon --stop --name udevd --quiet + ;; + restart) + $0 stop + sleep 1 + $0 start + ;; + status) + pid=`pidof -x udevd` + if [ -n "$pid" ]; then + echo "udevd (pid $pid) is running ..." + else + echo "udevd is stopped" + fi + ;; + *) + echo "Usage: $0 {start|stop|status|restart}" + exit 1 +esac +exit 0 diff --git a/recipes-core/eudev/files/udev-cache b/recipes-core/eudev/files/udev-cache new file mode 100644 index 0000000..6898577 --- /dev/null +++ b/recipes-core/eudev/files/udev-cache @@ -0,0 +1,32 @@ +#!/bin/sh -e + +### BEGIN INIT INFO +# Provides: udev-cache +# Required-Start: mountall +# Required-Stop: +# Default-Start: S +# Default-Stop: +# Short-Description: cache /dev to speedup the udev next boot +### END INIT INFO + +export TZ=/etc/localtime + +[ -r /proc/mounts ] || exit 1 +[ -x @UDEVD@ ] || exit 1 +[ -d /sys/class ] || exit 1 + +[ -f /etc/default/rcS ] && . /etc/default/rcS +[ -f /etc/default/udev-cache ] && . /etc/default/udev-cache + +if [ "$ROOTFS_READ_ONLY" = "yes" ]; then + [ "$VERBOSE" != "no" ] && echo "udev-cache: read-only rootfs, skip generating udev-cache" + exit 0 +fi + +if [ "$DEVCACHE" != "" -a -e /dev/shm/udev.cache ]; then + echo "Populating dev cache" + tar --directory=/ --selinux --xattrs -cf "$DEVCACHE" dev + mv /dev/shm/udev.cache /etc/udev/cache.data +fi + +exit 0 diff --git a/recipes-core/glib-2.0/glib-2.0_%.bbappend b/recipes-core/glib-2.0/glib-2.0_%.bbappend index 8c11cac..74e22b3 100644 --- a/recipes-core/glib-2.0/glib-2.0_%.bbappend +++ b/recipes-core/glib-2.0/glib-2.0_%.bbappend @@ -1 +1 @@ -inherit enable-selinux +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)} diff --git a/recipes-core/initscripts/files/devpts.sh b/recipes-core/initscripts/files/devpts.sh new file mode 100755 index 0000000..a0b037f --- /dev/null +++ b/recipes-core/initscripts/files/devpts.sh 
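Review bot: On the cache-hit path of the `start)` case in recipes-core/eudev/files/init, `tar --directory=/ -xf $DEVCACHE > /dev/null 2>&1` unpacks the whole archive onto `/` with an unquoted path and no member filter, while the companion udev-cache script only ever archives `dev`; restricting the extraction to that member, `tar --directory=/ -xf "$DEVCACHE" dev > /dev/null 2>&1`, keeps a stale or damaged cache from writing outside /dev and matches what the cache is documented to contain. The extraction also omits the `--selinux --xattrs` options that udev-cache passes when creating the archive, so depending on tar's build defaults the labels stored in the cache may not be applied here; as far as I can see the later `restorecon -F /dev /dev/shm /dev/pts` is what actually fixes the contexts, and a comment on that line saying it is relied on for the cached case would make the dependency explicit. This is a moved file, so the points predate the commit, but the new path is the code that will be maintained.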
@@ -0,0 +1,29 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: devpts +# Required-Start: udev +# Required-Stop: +# Default-Start: S +# Default-Stop: +# Short-Description: Mount /dev/pts file systems. +### END INIT INFO + +. /etc/default/devpts + +if grep -q devpts /proc/filesystems +then + # + # Create multiplexor device. + # + test -c /dev/ptmx || mknod -m 666 /dev/ptmx c 5 2 + + # + # Mount /dev/pts if needed. + # + if ! grep -q devpts /proc/mounts + then + mkdir -p /dev/pts + mount -t devpts devpts /dev/pts -ogid=${TTYGRP},mode=${TTYMODE} + test ! -x /sbin/restorecon || /sbin/restorecon -F /dev/pts + fi +fi diff --git a/recipes-core/initscripts/initscripts-1.0_selinux.inc b/recipes-core/initscripts/initscripts-1.0_selinux.inc new file mode 100644 index 0000000..6e8a9b6 --- /dev/null +++ b/recipes-core/initscripts/initscripts-1.0_selinux.inc @@ -0,0 +1,11 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +do_install_append () { + cat <<-EOF >> ${D}${sysconfdir}/init.d/populate-volatile.sh +touch /var/log/lastlog +test ! -x /sbin/restorecon || /sbin/restorecon -iRF /var/volatile/ /var/lib /run \ + /etc/resolv.conf /etc/adjtime +EOF + sed -i '/mount -n -o remount,$rootmode/i\test ! -x /sbin/restorecon || /sbin/restorecon -iRF /run' \ + ${D}${sysconfdir}/init.d/checkroot.sh +} diff --git a/recipes-core/initscripts/initscripts/devpts.sh b/recipes-core/initscripts/initscripts/devpts.sh deleted file mode 100755 index a0b037f..0000000 --- a/recipes-core/initscripts/initscripts/devpts.sh +++ /dev/null 
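Review bot: The `sed -i '/mount -n -o remount,$rootmode/i\...'` in do_install_append of initscripts-1.0_selinux.inc is silent when the anchor line is absent from checkroot.sh, so a change in upstream initscripts would drop the restorecon of /run without failing the build. A guard before the sed such as `grep -q 'mount -n -o remount,$rootmode' ${D}${sysconfdir}/init.d/checkroot.sh || bbfatal "checkroot.sh: remount anchor not found"` surfaces that at build time. The heredoc appended to populate-volatile.sh has a similar dependency on the upstream script not ending in an explicit exit; a short comment in the .inc recording which initscripts version both edits were checked against would help the next person who bumps it.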
@@ -1,29 +0,0 @@ -#!/bin/sh -### BEGIN INIT INFO -# Provides: devpts -# Required-Start: udev -# Required-Stop: -# Default-Start: S -# Default-Stop: -# Short-Description: Mount /dev/pts file systems. -### END INIT INFO - -. /etc/default/devpts - -if grep -q devpts /proc/filesystems -then - # - # Create multiplexor device. - # - test -c /dev/ptmx || mknod -m 666 /dev/ptmx c 5 2 - - # - # Mount /dev/pts if needed. - # - if ! grep -q devpts /proc/mounts - then - mkdir -p /dev/pts - mount -t devpts devpts /dev/pts -ogid=${TTYGRP},mode=${TTYMODE} - test ! -x /sbin/restorecon || /sbin/restorecon -F /dev/pts - fi -fi diff --git a/recipes-core/initscripts/initscripts_1.0.bbappend b/recipes-core/initscripts/initscripts_1.0.bbappend index 0fc7a5e..4f9950b 100644 --- a/recipes-core/initscripts/initscripts_1.0.bbappend +++ b/recipes-core/initscripts/initscripts_1.0.bbappend @@ -1,13 +1 @@ -PR .= ".3" - -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -do_install_append () { - cat <<-EOF >> ${D}${sysconfdir}/init.d/populate-volatile.sh -touch /var/log/lastlog -test ! -x /sbin/restorecon || /sbin/restorecon -iRF /var/volatile/ /var/lib /run \ - /etc/resolv.conf /etc/adjtime -EOF - sed -i '/mount -n -o remount,$rootmode/i\test ! -x /sbin/restorecon || /sbin/restorecon -iRF /run' \ - ${D}${sysconfdir}/init.d/checkroot.sh -} +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'initscripts-1.0_selinux.inc', '', d)} diff --git a/recipes-core/libcgroup/libcgroup_%.bbappend b/recipes-core/libcgroup/libcgroup_%.bbappend index b7e0c5f..7719d3b 100644 --- a/recipes-core/libcgroup/libcgroup_%.bbappend +++ b/recipes-core/libcgroup/libcgroup_%.bbappend 
@@ -1,12 +1 @@ -PR .= ".3" - -EXTRA_OECONF_virtclass-native = "--enable-pam=no" - -do_install_append() { - test ! -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 || { - mv -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 ${D}${base_libdir}/security/pam_cgroup.so - rm -f ${D}${base_libdir}/security/pam_cgroup.so.* - } -} - -BBCLASSEXTEND = "native" +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-core/libcgroup/libcgroup_selinux.inc b/recipes-core/libcgroup/libcgroup_selinux.inc new file mode 100644 index 0000000..f81188f --- /dev/null +++ b/recipes-core/libcgroup/libcgroup_selinux.inc @@ -0,0 +1,10 @@ +EXTRA_OECONF_virtclass-native = "--enable-pam=no" + +do_install_append() { + test ! -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 || { + mv -f ${D}${base_libdir}/security/pam_cgroup.so.0.0.0 ${D}${base_libdir}/security/pam_cgroup.so + rm -f ${D}${base_libdir}/security/pam_cgroup.so.* + } +} + +BBCLASSEXTEND = "native" diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-core/systemd/systemd_%.bbappend index f1bdaf8..5ac3adb 100644 --- a/recipes-core/systemd/systemd_%.bbappend +++ b/recipes-core/systemd/systemd_%.bbappend @@ -1 +1 @@ -inherit enable-audit +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-audit', '', d)} diff --git a/recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch b/recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch new file mode 100644 index 0000000..62703b1 --- /dev/null +++ b/recipes-core/sysvinit/files/sysvinit-fix-is_selinux_enabled.patch 
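Review bot: Everything in libcgroup_selinux.inc — the native `--enable-pam=no`, the pam_cgroup.so rename in do_install_append and `BBCLASSEXTEND = "native"` — now only applies when 'selinux' is in DISTRO_FEATURES, yet none of it references SELinux. Builds without the feature lose the pam_cgroup.so rename and the native variant, which goes beyond the commit's stated goal of leaving signatures untouched when the feature is off; if these fixes are wanted unconditionally they belong in the bbappend or upstream, and a one-line comment in the .inc explaining why they are SELinux-gated would help either way. lsof_selinux.inc has the same shape: its do_compile override and the LSOF_CFGF/LSOF_CFGL/LSOF_CC exports are not SELinux-specific, only LINUX_HASSELINUX is. `virtclass-native` is also the legacy spelling of that override; `class-native` is the form current OE-core uses.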
@@ -0,0 +1,71 @@ +From 0db0276202094c8d902fc93a18eca453b6211f8a Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Thu, 12 Apr 2012 10:48:04 +0800 +Subject: [PATCH] sysvinit: Fix is_selinux_enabled() for libselinux + +is_selinux_enabled()!=1 means SELinux is disabled by kernel +or SELinux is enabled but policy is not loaded. +Only at this time, /sbin/init program should call +selinux_init_load_policy() to detect whether SELinux is enabled +and to load SELinux policy. + +This is fixed already in the upstream sysvinit, +http://svn.savannah.nongnu.org/viewvc/sysvinit/trunk/src/init.c?root=sysvinit&r1=72&r2=90 +--- + src/init.c | 33 +++++++++++++-------------------- + 1 files changed, 13 insertions(+), 20 deletions(-) + +diff --git a/src/init.c b/src/init.c +index 27532ad..75ccf25 100644 +--- a/src/init.c ++++ b/src/init.c +@@ -54,10 +54,6 @@ + + #ifdef WITH_SELINUX + # include +-# include +-# ifndef MNT_DETACH /* present in glibc 2.10, missing in 2.7 */ +-# define MNT_DETACH 2 +-# endif + #endif + + #ifdef __i386__ +@@ -2869,22 +2865,19 @@ int main(int argc, char **argv) + + #ifdef WITH_SELINUX + if (getenv("SELINUX_INIT") == NULL) { +- const int rc = mount("proc", "/proc", "proc", 0, 0); +- if (is_selinux_enabled() > 0) { +- putenv("SELINUX_INIT=YES"); +- if (rc == 0) umount2("/proc", MNT_DETACH); +- if (selinux_init_load_policy(&enforce) == 0) { +- execv(myname, argv); +- } else { +- if (enforce > 0) { +- /* SELinux in enforcing mode but load_policy failed */ +- /* At this point, we probably can't open /dev/console, so log() won't work */ +- fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. 
Halting now.\n"); +- exit(1); +- } +- } +- } +- if (rc == 0) umount2("/proc", MNT_DETACH); ++ if (is_selinux_enabled() != 1) { ++ if (selinux_init_load_policy(&enforce) == 0) { ++ putenv("SELINUX_INIT=YES"); ++ execv(myname, argv); ++ } else { ++ if (enforce > 0) { ++ /* SELinux in enforcing mode but load_policy failed */ ++ /* At this point, we probably can't open /dev/console, so log() won't work */ ++ fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n"); ++ exit(1); ++ } ++ } ++ } + } + #endif + /* Start booting. */ +-- +1.7.5.4 + diff --git a/recipes-core/sysvinit/sysvinit-2.88dsf/sysvinit-fix-is_selinux_enabled.patch b/recipes-core/sysvinit/sysvinit-2.88dsf/sysvinit-fix-is_selinux_enabled.patch deleted file mode 100644 index 62703b1..0000000 --- a/recipes-core/sysvinit/sysvinit-2.88dsf/sysvinit-fix-is_selinux_enabled.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 0db0276202094c8d902fc93a18eca453b6211f8a Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Thu, 12 Apr 2012 10:48:04 +0800 -Subject: [PATCH] sysvinit: Fix is_selinux_enabled() for libselinux - -is_selinux_enabled()!=1 means SELinux is disabled by kernel -or SELinux is enabled but policy is not loaded. -Only at this time, /sbin/init program should call -selinux_init_load_policy() to detect whether SELinux is enabled -and to load SELinux policy. - -This is fixed already in the upstream sysvinit, -http://svn.savannah.nongnu.org/viewvc/sysvinit/trunk/src/init.c?root=sysvinit&r1=72&r2=90 ---- - src/init.c | 33 +++++++++++++-------------------- - 1 files changed, 13 insertions(+), 20 deletions(-) - -diff --git a/src/init.c b/src/init.c -index 27532ad..75ccf25 100644 ---- a/src/init.c -+++ b/src/init.c -@@ -54,10 +54,6 @@ - - #ifdef WITH_SELINUX - # include --# include --# ifndef MNT_DETACH /* present in glibc 2.10, missing in 2.7 */ --# define MNT_DETACH 2 --# endif - #endif - - #ifdef __i386__ -@@ -2869,22 +2865,19 @@ int main(int argc, char **argv) - - #ifdef WITH_SELINUX - if (getenv("SELINUX_INIT") == NULL) { -- const int rc = mount("proc", "/proc", "proc", 0, 0); -- if (is_selinux_enabled() > 0) { -- putenv("SELINUX_INIT=YES"); -- if (rc == 0) umount2("/proc", MNT_DETACH); -- if (selinux_init_load_policy(&enforce) == 0) { -- execv(myname, argv); -- } else { -- if (enforce > 0) { -- /* SELinux in enforcing mode but load_policy failed */ -- /* At this point, we probably can't open /dev/console, so log() won't work */ -- fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. 
Halting now.\n"); -- exit(1); -- } -- } -- } -- if (rc == 0) umount2("/proc", MNT_DETACH); -+ if (is_selinux_enabled() != 1) { -+ if (selinux_init_load_policy(&enforce) == 0) { -+ putenv("SELINUX_INIT=YES"); -+ execv(myname, argv); -+ } else { -+ if (enforce > 0) { -+ /* SELinux in enforcing mode but load_policy failed */ -+ /* At this point, we probably can't open /dev/console, so log() won't work */ -+ fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n"); -+ exit(1); -+ } -+ } -+ } - } - #endif - /* Start booting. */ --- -1.7.5.4 - diff --git a/recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc b/recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc new file mode 100644 index 0000000..fcfbdb7 --- /dev/null +++ b/recipes-core/sysvinit/sysvinit-2.88dsf_selinux.inc @@ -0,0 +1,11 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +B = "${S}" + +SRC_URI += "file://sysvinit-fix-is_selinux_enabled.patch" + +inherit selinux + +DEPENDS += "${LIBSELINUX}" + +EXTRA_OEMAKE += "${@target_selinux(d, 'WITH_SELINUX=\"yes\"')}" diff --git a/recipes-core/sysvinit/sysvinit_2.88dsf.bbappend b/recipes-core/sysvinit/sysvinit_2.88dsf.bbappend index 636dc5e..9df30b6 100644 --- a/recipes-core/sysvinit/sysvinit_2.88dsf.bbappend +++ b/recipes-core/sysvinit/sysvinit_2.88dsf.bbappend @@ -1,14 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}-${PV}:" - -B = "${S}" - -SRC_URI += "file://sysvinit-fix-is_selinux_enabled.patch" - -inherit selinux - -DEPENDS += "${LIBSELINUX}" - -EXTRA_OEMAKE += "${@target_selinux(d, 'WITH_SELINUX=\"yes\"')}" - -PR .= ".2" - +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'sysvinit-2.88dsf_selinux.inc', '', d)} diff --git a/recipes-core/util-linux/util-linux_%.bbappend b/recipes-core/util-linux/util-linux_%.bbappend index 7695b77..b01ad25 100644 --- a/recipes-core/util-linux/util-linux_%.bbappend +++ b/recipes-core/util-linux/util-linux_%.bbappend 
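Review bot: sysvinit-2.88dsf_selinux.inc adds sysvinit-fix-is_selinux_enabled.patch to SRC_URI, but that patch carries no `Upstream-Status:` tag even though its own description says the change is already in upstream sysvinit; the layer uses the tag elsewhere (netstat-selinux-support.patch has `Upstream-Status: Inappropriate [configuration]`). Adding `Upstream-Status: Backport` (with the upstream revision the message already cites) to the patch header would make it consistent and tell a future maintainer the patch can be dropped on the next sysvinit upgrade.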
@@ -1,3 +1 @@ -PR .= ".3" - -inherit with-selinux +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)} diff --git a/recipes-devtools/e2fsprogs/e2fsprogs/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch b/recipes-devtools/e2fsprogs/e2fsprogs/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch deleted file mode 100644 index b87c414..0000000 --- a/recipes-devtools/e2fsprogs/e2fsprogs/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch +++ /dev/null @@ -1,20 +0,0 @@ -Add xattr name index for xattrs with the 'security' prefix. These are defined -in the ext(2|3|4)/xattr.h in the kernel. We use the EXT2 prefix for consistency -with e2fslibs naming. - -Signed-off-by: Philip Tricca - -Index: e2fsprogs-1.42.9/lib/ext2fs/ext2_ext_attr.h -=================================================================== ---- e2fsprogs-1.42.9.orig/lib/ext2fs/ext2_ext_attr.h -+++ e2fsprogs-1.42.9/lib/ext2fs/ext2_ext_attr.h -@@ -15,6 +15,9 @@ - /* Maximum number of references to one attribute block */ - #define EXT2_EXT_ATTR_REFCOUNT_MAX 1024 - -+/* Name indexes */ -+#define EXT2_XATTR_INDEX_SECURITY 6 -+ - struct ext2_ext_attr_header { - __u32 h_magic; /* magic number for identification */ - __u32 h_refcount; /* reference count */ diff --git a/recipes-devtools/e2fsprogs/e2fsprogs/misc_create_inode.c-label_rootfs.patch b/recipes-devtools/e2fsprogs/e2fsprogs/misc_create_inode.c-label_rootfs.patch deleted file mode 100644 index 1de0dde..0000000 --- a/recipes-devtools/e2fsprogs/e2fsprogs/misc_create_inode.c-label_rootfs.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From: Philip Tricca -To: tytso@mit.edu -Cc: liezhi.yang@windriver.com -Date: Sat, 20 Feb 2016 18:58:58 +0000 -Subject: [PATCH] misc/create_inode.c: Copy xattrs from root directory when populating fs. - -When copying a file system using the -d option the xattrs from the root -directory need to be copied before the populate_fs recusion starts. - -Signed-off-by: Philip Tricca ---- - misc/create_inode.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/misc/create_inode.c b/misc/create_inode.c -index 0de5719..ee21186 100644 ---- a/misc/create_inode.c -+++ b/misc/create_inode.c -@@ -890,8 +890,15 @@ errcode_t populate_fs(ext2_filsys fs, ext2_ino_t parent_ino, - return retval; - } - -+ retval = set_inode_xattr(fs, root, source_dir); -+ if (retval) { -+ com_err(__func__, retval, -+ _("while setting xattrs for \"%s\""), source_dir); -+ goto out; -+ } - retval = __populate_fs(fs, parent_ino, source_dir, root, &hdlinks); - -+out: - free(hdlinks.hdl); - return retval; - } --- -2.1.4 - diff --git a/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend b/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend index 7acaf48..7719d3b 100644 --- a/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend +++ b/recipes-devtools/e2fsprogs/e2fsprogs_%.bbappend @@ -1,2 +1 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" -SRC_URI += "file://misc_create_inode.c-label_rootfs.patch" +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc b/recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc new file mode 100644 index 0000000..9cbb7fe --- /dev/null +++ b/recipes-devtools/e2fsprogs/e2fsprogs_selinux.inc @@ -0,0 +1,3 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI += "file://misc_create_inode.c-label_rootfs.patch" 
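Review bot: e2fsprogs_selinux.inc lists only misc_create_inode.c-label_rootfs.patch in SRC_URI, while the commit also moves lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch into recipes-devtools/e2fsprogs/files/ without any SRC_URI referencing it in the visible hunks (the removed bbappend did not reference it either). Either add it, `SRC_URI += "file://lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch"`, if the label_rootfs change relies on EXT2_XATTR_INDEX_SECURITY being defined, or drop the orphaned file instead of carrying it along. Both patch headers mention e2fsprogs 1.42.9, so a comment in the .inc noting the version they were last verified against would help with future upgrades.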
diff --git a/recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch b/recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch new file mode 100644 index 0000000..b87c414 --- /dev/null +++ b/recipes-devtools/e2fsprogs/files/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch @@ -0,0 +1,20 @@ +Add xattr name index for xattrs with the 'security' prefix. These are defined +in the ext(2|3|4)/xattr.h in the kernel. We use the EXT2 prefix for consistency +with e2fslibs naming. + +Signed-off-by: Philip Tricca + +Index: e2fsprogs-1.42.9/lib/ext2fs/ext2_ext_attr.h +=================================================================== +--- e2fsprogs-1.42.9.orig/lib/ext2fs/ext2_ext_attr.h ++++ e2fsprogs-1.42.9/lib/ext2fs/ext2_ext_attr.h +@@ -15,6 +15,9 @@ + /* Maximum number of references to one attribute block */ + #define EXT2_EXT_ATTR_REFCOUNT_MAX 1024 + ++/* Name indexes */ ++#define EXT2_XATTR_INDEX_SECURITY 6 ++ + struct ext2_ext_attr_header { + __u32 h_magic; /* magic number for identification */ + __u32 h_refcount; /* reference count */ diff --git a/recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch b/recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch new file mode 100644 index 0000000..1de0dde --- /dev/null +++ b/recipes-devtools/e2fsprogs/files/misc_create_inode.c-label_rootfs.patch 
@@ -0,0 +1,37 @@ +From: Philip Tricca +To: tytso@mit.edu +Cc: liezhi.yang@windriver.com +Date: Sat, 20 Feb 2016 18:58:58 +0000 +Subject: [PATCH] misc/create_inode.c: Copy xattrs from root directory when populating fs. + +When copying a file system using the -d option the xattrs from the root +directory need to be copied before the populate_fs recusion starts. + +Signed-off-by: Philip Tricca +--- + misc/create_inode.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/misc/create_inode.c b/misc/create_inode.c +index 0de5719..ee21186 100644 +--- a/misc/create_inode.c ++++ b/misc/create_inode.c +@@ -890,8 +890,15 @@ errcode_t populate_fs(ext2_filsys fs, ext2_ino_t parent_ino, + return retval; + } + ++ retval = set_inode_xattr(fs, root, source_dir); ++ if (retval) { ++ com_err(__func__, retval, ++ _("while setting xattrs for \"%s\""), source_dir); ++ goto out; ++ } + retval = __populate_fs(fs, parent_ino, source_dir, root, &hdlinks); + ++out: + free(hdlinks.hdl); + return retval; + } +-- +2.1.4 + diff --git a/recipes-devtools/prelink/prelink_git.bbappend b/recipes-devtools/prelink/prelink_git.bbappend index 366fdf5..74e22b3 100644 --- a/recipes-devtools/prelink/prelink_git.bbappend +++ b/recipes-devtools/prelink/prelink_git.bbappend @@ -1,3 +1 @@ -PR .= ".2" - -inherit enable-selinux +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)} diff --git a/recipes-devtools/python/files/sitecustomize.py b/recipes-devtools/python/files/sitecustomize.py new file mode 100644 index 0000000..d2b71fa --- /dev/null +++ b/recipes-devtools/python/files/sitecustomize.py 
@@ -0,0 +1,26 @@ +# OpenEmbedded sitecustomize.py (C) 2002-2008 Michael 'Mickey' Lauer +# GPLv2 or later +# Version: 20081123 +# Features: +# * set proper default encoding +# Features removed for SELinux: +# * enable readline completion in the interactive interpreter +# * load command line history on startup +# * save command line history on exit + +import os + +def __enableDefaultEncoding(): + import sys + try: + sys.setdefaultencoding( "utf8" ) + except LookupError: + pass + +import sys +try: + import rlcompleter, readline +except ImportError: + pass +else: + __enableDefaultEncoding() diff --git a/recipes-devtools/python/python/sitecustomize.py b/recipes-devtools/python/python/sitecustomize.py deleted file mode 100644 index d2b71fa..0000000 --- a/recipes-devtools/python/python/sitecustomize.py +++ /dev/null @@ -1,26 +0,0 @@ -# OpenEmbedded sitecustomize.py (C) 2002-2008 Michael 'Mickey' Lauer -# GPLv2 or later -# Version: 20081123 -# Features: -# * set proper default encoding -# Features removed for SELinux: -# * enable readline completion in the interactive interpreter -# * load command line history on startup -# * save command line history on exit - -import os - -def __enableDefaultEncoding(): - import sys - try: - sys.setdefaultencoding( "utf8" ) - except LookupError: - pass - -import sys -try: - import rlcompleter, readline -except ImportError: - pass -else: - __enableDefaultEncoding() diff --git a/recipes-devtools/python/python_%.bbappend b/recipes-devtools/python/python_%.bbappend index 9eefd2d..7719d3b 100644 --- a/recipes-devtools/python/python_%.bbappend +++ b/recipes-devtools/python/python_%.bbappend @@ -1,3 +1 @@ -inherit selinux -# If selinux enabled, disable handlers to rw command history file -FILESEXTRAPATHS_prepend := "${@target_selinux(d, '${THISDIR}/${PN}:')}" +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} 
diff --git a/recipes-devtools/python/python_selinux.inc b/recipes-devtools/python/python_selinux.inc
new file mode 100644
index 0000000..bb54a90
--- /dev/null
+++ b/recipes-devtools/python/python_selinux.inc
@@ -0,0 +1,5 @@
+# If selinux enabled, disable handlers to rw command history file
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+inherit selinux
+
diff --git a/recipes-devtools/rpm/rpm_%.bbappend b/recipes-devtools/rpm/rpm_%.bbappend
index 9f3ec90..7719d3b 100644
--- a/recipes-devtools/rpm/rpm_%.bbappend
+++ b/recipes-devtools/rpm/rpm_%.bbappend
@@ -1,4 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-inherit with-selinux
-PACKAGECONFIG[selinux] = "${WITH_SELINUX},${WITHOUT_SELINUX},libsemanage,"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-devtools/rpm/rpm_selinux.inc b/recipes-devtools/rpm/rpm_selinux.inc
new file mode 100644
index 0000000..983dda7
--- /dev/null
+++ b/recipes-devtools/rpm/rpm_selinux.inc
@@ -0,0 +1,2 @@
+inherit with-selinux
+PACKAGECONFIG[selinux] = "${WITH_SELINUX},${WITHOUT_SELINUX},libsemanage,"
diff --git a/recipes-extended/at/at_%.bbappend b/recipes-extended/at/at_%.bbappend
index c1e8ed6..b01ad25 100644
--- a/recipes-extended/at/at_%.bbappend
+++ b/recipes-extended/at/at_%.bbappend
@@ -1 +1 @@
-inherit with-selinux
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/recipes-extended/cronie/cronie_%.bbappend b/recipes-extended/cronie/cronie_%.bbappend
index a398bec..cfa56ca 100644
--- a/recipes-extended/cronie/cronie_%.bbappend
+++ b/recipes-extended/cronie/cronie_%.bbappend
@@ -1,3 +1,2 @@
-PR .= ".2"
-
-inherit with-selinux with-audit
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-audit', '', d)}
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
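Review bot: `inherit selinux` in python_selinux.inc no longer appears to be needed: the removed bbappend used `target_selinux` from that class to gate FILESEXTRAPATHS, but the gating now happens in the DISTRO_FEATURES check on the `require` line and nothing else from selinux.bbclass is used in the visible hunk. Unless the class is relied on for a side effect not shown here, dropping the inherit keeps the recipe's dependency set minimal; if it stays, a comment such as `# selinux.bbclass needed for: <reason>` would record why. The leading comment also still says "If selinux enabled", which is now always true where the .inc is parsed — `# Only parsed when 'selinux' is in DISTRO_FEATURES: ship the sitecustomize.py without command-history handlers` describes the new structure more accurately.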
diff --git a/recipes-extended/findutils/findutils_4.6.%.bbappend b/recipes-extended/findutils/findutils_4.6.%.bbappend
index a24a14f..b01ad25 100644
--- a/recipes-extended/findutils/findutils_4.6.%.bbappend
+++ b/recipes-extended/findutils/findutils_4.6.%.bbappend
@@ -1,2 +1 @@
-inherit with-selinux
-
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/recipes-extended/logrotate/logrotate_%.bbappend b/recipes-extended/logrotate/logrotate_%.bbappend
index 1bdca98..7719d3b 100644
--- a/recipes-extended/logrotate/logrotate_%.bbappend
+++ b/recipes-extended/logrotate/logrotate_%.bbappend
@@ -1,5 +1 @@
-inherit selinux
-
-DEPENDS += "${LIBSELINUX}"
-
-EXTRA_OEMAKE += "${@target_selinux(d, 'WITH_SELINUX=\"yes\"')}"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-extended/logrotate/logrotate_selinux.inc b/recipes-extended/logrotate/logrotate_selinux.inc
new file mode 100644
index 0000000..1bdca98
--- /dev/null
+++ b/recipes-extended/logrotate/logrotate_selinux.inc
@@ -0,0 +1,5 @@
+inherit selinux
+
+DEPENDS += "${LIBSELINUX}"
+
+EXTRA_OEMAKE += "${@target_selinux(d, 'WITH_SELINUX=\"yes\"')}"
diff --git a/recipes-extended/lsof/lsof_%.bbappend b/recipes-extended/lsof/lsof_%.bbappend
index 793b13f..7719d3b 100644
--- a/recipes-extended/lsof/lsof_%.bbappend
+++ b/recipes-extended/lsof/lsof_%.bbappend
@@ -1,16 +1 @@
-PR .= ".2"
-
-inherit selinux
-
-DEPENDS += "${LIBSELINUX}"
-
-do_configure_prepend () {
- export LINUX_HASSELINUX="${@target_selinux(d, 'Y', 'N')}"
- export LSOF_CFGF="${CFLAGS}"
- export LSOF_CFGL="${LDFLAGS}"
- export LSOF_CC="${BUILD_CC}"
-}
-
-do_compile () {
- oe_runmake 'CC=${CC}' 'DEBUG='
-}
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-extended/lsof/lsof_selinux.inc b/recipes-extended/lsof/lsof_selinux.inc
new file mode 100644
index 0000000..6691b4c
--- /dev/null
+++ b/recipes-extended/lsof/lsof_selinux.inc
@@ -0,0 +1,14 @@
+inherit selinux
+
+DEPENDS += "${LIBSELINUX}"
+
+do_configure_prepend () {
+ export LINUX_HASSELINUX="${@target_selinux(d, 'Y', 'N')}"
+ export LSOF_CFGF="${CFLAGS}"
+ export LSOF_CFGL="${LDFLAGS}"
+ export LSOF_CC="${BUILD_CC}"
+}
+
+do_compile () {
+ oe_runmake 'CC=${CC}' 'DEBUG='
+}
diff --git a/recipes-extended/net-tools/files/netstat-selinux-support.patch b/recipes-extended/net-tools/files/netstat-selinux-support.patch
new file mode 100644
index 0000000..f089041
--- /dev/null
+++ b/recipes-extended/net-tools/files/netstat-selinux-support.patch
@@ -0,0 +1,244 @@ +From: Xin Ouyang +Date: Wed, 13 Jun 2012 13:32:01 +0800 +Subject: [PATCH] net-tools: netstat add SELinux support. + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Xin Ouyang +Signed-off-by: Adrian Dudau +--- + Makefile | 9 ++++++++- + netstat.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- + 2 files changed, 74 insertions(+), 4 deletions(-) + +diff --git a/Makefile b/Makefile +index 8fcc55c..0b5c395 100644 +--- a/Makefile ++++ b/Makefile +@@ -116,6 +116,13 @@ NET_LIB = $(NET_LIB_PATH)/lib$(NET_LIB_NAME).a + CFLAGS = $(COPTS) -I. -idirafter ./include/ -I$(NET_LIB_PATH) + LDFLAGS = $(LOPTS) -L$(NET_LIB_PATH) + ++ifeq ($(HAVE_SELINUX),1) ++SELINUX_LDFLAGS = -lselinux ++CFLAGS += -DHAVE_SELINUX ++else ++SELINUX_LDFLAGS = ++endif ++ + SUBDIRS = man/ $(NET_LIB_PATH)/ + + ifeq ($(origin CC), undefined) +@@ -209,7 +216,7 @@ plipconfig: $(NET_LIB) plipconfig.o + $(CC) $(LDFLAGS) -o plipconfig plipconfig.o $(NLIB) + + netstat: $(NET_LIB) netstat.o statistics.o +- $(CC) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB) ++ $(CC) $(SELINUX_LDFLAGS) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB) + + iptunnel: $(NET_LIB) iptunnel.o + $(CC) $(LDFLAGS) -o iptunnel iptunnel.o $(NLIB) $(RESLIB) +diff --git a/netstat.c b/netstat.c +index fc10414..a773e81 100644 +--- a/netstat.c ++++ b/netstat.c +@@ -90,6 +90,12 @@ + #include + #include + ++#if HAVE_SELINUX ++#include ++#else ++#define security_context_t char* ++#endif ++ + #include "net-support.h" + #include "pathnames.h" + #include "version.h" +@@ -101,6 +107,7 @@ + #include "proc.h" + + #define PROGNAME_WIDTH 20 ++#define SELINUX_WIDTH 50 + + #if !defined(s6_addr32) && defined(in6a_words) + #define s6_addr32 in6a_words /* libinet6 */ +@@ -180,6 +187,7 @@ int flag_wide= 0; + int flag_prg = 0; + int flag_arg = 0; + int flag_ver = 0; ++int flag_selinux = 0; + + FILE *procinfo; + +@@ -243,12 +251,17 @@ FILE *procinfo; + #define PROGNAME_WIDTH1(s) 
PROGNAME_WIDTH2(s) + #define PROGNAME_WIDTH2(s) #s + ++#define SELINUX_WIDTHs SELINUX_WIDTH1(SELINUX_WIDTH) ++#define SELINUX_WIDTH1(s) SELINUX_WIDTH2(s) ++#define SELINUX_WIDTH2(s) #s ++ + #define PRG_HASH_SIZE 211 + + static struct prg_node { + struct prg_node *next; + unsigned long inode; + char name[PROGNAME_WIDTH]; ++ char scon[SELINUX_WIDTH]; + } *prg_hash[PRG_HASH_SIZE]; + + static char prg_cache_loaded = 0; +@@ -256,9 +269,12 @@ static char prg_cache_loaded = 0; + #define PRG_HASHIT(x) ((x) % PRG_HASH_SIZE) + + #define PROGNAME_BANNER "PID/Program name" ++#define SELINUX_BANNER "Security Context" + + #define print_progname_banner() do { if (flag_prg) printf("%-" PROGNAME_WIDTHs "s"," " PROGNAME_BANNER); } while (0) + ++#define print_selinux_banner() do { if (flag_selinux) printf("%-" SELINUX_WIDTHs "s"," " SELINUX_BANNER); } while (0) ++ + #define PRG_LOCAL_ADDRESS "local_address" + #define PRG_INODE "inode" + #define PRG_SOCKET_PFX "socket:[" +@@ -280,7 +296,7 @@ static char prg_cache_loaded = 0; + /* NOT working as of glibc-2.0.7: */ + #undef DIRENT_HAVE_D_TYPE_WORKS + +-static void prg_cache_add(unsigned long inode, char *name) ++static void prg_cache_add(unsigned long inode, char *name, char *scon) + { + unsigned hi = PRG_HASHIT(inode); + struct prg_node **pnp,*pn; +@@ -301,6 +317,14 @@ static void prg_cache_add(unsigned long inode, char *name) + if (strlen(name)>sizeof(pn->name)-1) + name[sizeof(pn->name)-1]='\0'; + strcpy(pn->name,name); ++ ++ { ++ int len=(strlen(scon)-sizeof(pn->scon))+1; ++ if (len > 0) ++ strcpy(pn->scon,&scon[len+1]); ++ else ++ strcpy(pn->scon,scon); ++ } + } + + static const char *prg_cache_get(unsigned long inode) +@@ -313,6 +337,16 @@ static const char *prg_cache_get(unsigned long inode) + return("-"); + } + ++static const char *prg_cache_get_con(unsigned long inode) ++{ ++ unsigned hi=PRG_HASHIT(inode); ++ struct prg_node *pn; ++ ++ for (pn=prg_hash[hi];pn;pn=pn->next) ++ if (pn->inode==inode) return(pn->scon); ++ 
return("-"); ++} ++ + static void prg_cache_clear(void) + { + struct prg_node **pnp,*pn; +@@ -384,6 +418,7 @@ static void prg_cache_load(void) + const char *cs,*cmdlp; + DIR *dirproc=NULL,*dirfd=NULL; + struct dirent *direproc,*direfd; ++ security_context_t scon=NULL; + + if (prg_cache_loaded || !flag_prg) return; + prg_cache_loaded=1; +@@ -453,7 +488,15 @@ static void prg_cache_load(void) + } + + snprintf(finbuf, sizeof(finbuf), "%s/%s", direproc->d_name, cmdlp); +- prg_cache_add(inode, finbuf); ++#if HAVE_SELINUX ++ if (getpidcon(atoi(direproc->d_name), &scon) == -1) { ++ scon=strdup("-"); ++ } ++ prg_cache_add(inode, finbuf, scon); ++ freecon(scon); ++#else ++ prg_cache_add(inode, finbuf, "-"); ++#endif + } + closedir(dirfd); + dirfd = NULL; +@@ -573,6 +616,8 @@ static void finish_this_one(int uid, unsigned long inode, const char *timers) + } + if (flag_prg) + printf(" %-16s",prg_cache_get(inode)); ++ if (flag_selinux) ++ printf("%-" SELINUX_WIDTHs "s",prg_cache_get_con(inode)); + if (flag_opt) + printf(" %s", timers); + putchar('\n'); +@@ -1566,6 +1611,8 @@ static void unix_do_one(int nr, const char *line) + printf("- "); + if (flag_prg) + printf("%-" PROGNAME_WIDTHs "s",(has & HAS_INODE?prg_cache_get(inode):"-")); ++ if (flag_selinux) ++ printf("%-" SELINUX_WIDTHs "s",(has & HAS_INODE?prg_cache_get_con(inode):"-")); + puts(path); + } + +@@ -1584,6 +1631,7 @@ static int unix_info(void) + + printf(_("\nProto RefCnt Flags Type State I-Node ")); + print_progname_banner(); ++ print_selinux_banner(); + printf(_(" Path\n")); /* xxx */ + + { +@@ -1874,6 +1922,7 @@ static void usage(void) + fprintf(stderr, _(" -o, --timers display timers\n")); + fprintf(stderr, _(" -F, --fib display Forwarding Information Base (default)\n")); + fprintf(stderr, _(" -C, --cache display routing cache instead of FIB\n\n")); ++ fprintf(stderr, _(" -Z, --context display SELinux security context for sockets\n\n")); + + fprintf(stderr, _(" ={-t|--tcp} {-u|--udp} {-S|--sctp} {-w|--raw} 
{-x|--unix} --ax25 --ipx --netrom\n")); + fprintf(stderr, _(" =Use '-6|-4' or '-A ' or '--'; default: %s\n"), DFLT_AF); +@@ -1920,6 +1969,7 @@ int main + {"cache", 0, 0, 'C'}, + {"fib", 0, 0, 'F'}, + {"groups", 0, 0, 'g'}, ++ {"context", 0, 0, 'Z'}, + {NULL, 0, 0, 0} + }; + +@@ -1931,7 +1981,7 @@ int main + getroute_init(); /* Set up AF routing support */ + + afname[0] = '\0'; +- while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxl64", longopts, &lop)) != EOF) ++ while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxlZ64", longopts, &lop)) != EOF) + switch (i) { + case -1: + break; +@@ -2036,6 +2086,19 @@ int main + if (aftrans_opt("unix")) + exit(1); + break; ++ case 'Z': ++#if HAVE_SELINUX ++ if (is_selinux_enabled() <= 0) { ++ fprintf(stderr, _("SELinux is not enabled on this machine.\n")); ++ exit(1); ++ } ++ flag_prg++; ++ flag_selinux++; ++#else ++ fprintf(stderr, _("SELinux is not enabled for this application.\n")); ++ exit(1); ++#endif ++ break; + case '?': + case 'h': + usage(); +-- +1.9.1 + diff --git a/recipes-extended/net-tools/net-tools/netstat-selinux-support.patch b/recipes-extended/net-tools/net-tools/netstat-selinux-support.patch deleted file mode 100644 index f089041..0000000 --- a/recipes-extended/net-tools/net-tools/netstat-selinux-support.patch +++ /dev/null 
@@ -1,244 +0,0 @@ -From: Xin Ouyang -Date: Wed, 13 Jun 2012 13:32:01 +0800 -Subject: [PATCH] net-tools: netstat add SELinux support. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Xin Ouyang -Signed-off-by: Adrian Dudau ---- - Makefile | 9 ++++++++- - netstat.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- - 2 files changed, 74 insertions(+), 4 deletions(-) - -diff --git a/Makefile b/Makefile -index 8fcc55c..0b5c395 100644 ---- a/Makefile -+++ b/Makefile -@@ -116,6 +116,13 @@ NET_LIB = $(NET_LIB_PATH)/lib$(NET_LIB_NAME).a - CFLAGS = $(COPTS) -I. -idirafter ./include/ -I$(NET_LIB_PATH) - LDFLAGS = $(LOPTS) -L$(NET_LIB_PATH) - -+ifeq ($(HAVE_SELINUX),1) -+SELINUX_LDFLAGS = -lselinux -+CFLAGS += -DHAVE_SELINUX -+else -+SELINUX_LDFLAGS = -+endif -+ - SUBDIRS = man/ $(NET_LIB_PATH)/ - - ifeq ($(origin CC), undefined) -@@ -209,7 +216,7 @@ plipconfig: $(NET_LIB) plipconfig.o - $(CC) $(LDFLAGS) -o plipconfig plipconfig.o $(NLIB) - - netstat: $(NET_LIB) netstat.o statistics.o -- $(CC) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB) -+ $(CC) $(SELINUX_LDFLAGS) $(LDFLAGS) -o netstat netstat.o statistics.o $(NLIB) $(RESLIB) - - iptunnel: $(NET_LIB) iptunnel.o - $(CC) $(LDFLAGS) -o iptunnel iptunnel.o $(NLIB) $(RESLIB) -diff --git a/netstat.c b/netstat.c -index fc10414..a773e81 100644 ---- a/netstat.c -+++ b/netstat.c -@@ -90,6 +90,12 @@ - #include - #include - -+#if HAVE_SELINUX -+#include -+#else -+#define security_context_t char* -+#endif -+ - #include "net-support.h" - #include "pathnames.h" - #include "version.h" -@@ -101,6 +107,7 @@ - #include "proc.h" - - #define PROGNAME_WIDTH 20 -+#define SELINUX_WIDTH 50 - - #if !defined(s6_addr32) && defined(in6a_words) - #define s6_addr32 in6a_words /* libinet6 */ -@@ -180,6 +187,7 @@ int flag_wide= 0; - int flag_prg = 0; - int flag_arg = 0; - int flag_ver = 0; -+int flag_selinux = 0; - - FILE *procinfo; - -@@ -243,12 +251,17 @@ FILE *procinfo; - #define PROGNAME_WIDTH1(s) 
PROGNAME_WIDTH2(s) - #define PROGNAME_WIDTH2(s) #s - -+#define SELINUX_WIDTHs SELINUX_WIDTH1(SELINUX_WIDTH) -+#define SELINUX_WIDTH1(s) SELINUX_WIDTH2(s) -+#define SELINUX_WIDTH2(s) #s -+ - #define PRG_HASH_SIZE 211 - - static struct prg_node { - struct prg_node *next; - unsigned long inode; - char name[PROGNAME_WIDTH]; -+ char scon[SELINUX_WIDTH]; - } *prg_hash[PRG_HASH_SIZE]; - - static char prg_cache_loaded = 0; -@@ -256,9 +269,12 @@ static char prg_cache_loaded = 0; - #define PRG_HASHIT(x) ((x) % PRG_HASH_SIZE) - - #define PROGNAME_BANNER "PID/Program name" -+#define SELINUX_BANNER "Security Context" - - #define print_progname_banner() do { if (flag_prg) printf("%-" PROGNAME_WIDTHs "s"," " PROGNAME_BANNER); } while (0) - -+#define print_selinux_banner() do { if (flag_selinux) printf("%-" SELINUX_WIDTHs "s"," " SELINUX_BANNER); } while (0) -+ - #define PRG_LOCAL_ADDRESS "local_address" - #define PRG_INODE "inode" - #define PRG_SOCKET_PFX "socket:[" -@@ -280,7 +296,7 @@ static char prg_cache_loaded = 0; - /* NOT working as of glibc-2.0.7: */ - #undef DIRENT_HAVE_D_TYPE_WORKS - --static void prg_cache_add(unsigned long inode, char *name) -+static void prg_cache_add(unsigned long inode, char *name, char *scon) - { - unsigned hi = PRG_HASHIT(inode); - struct prg_node **pnp,*pn; -@@ -301,6 +317,14 @@ static void prg_cache_add(unsigned long inode, char *name) - if (strlen(name)>sizeof(pn->name)-1) - name[sizeof(pn->name)-1]='\0'; - strcpy(pn->name,name); -+ -+ { -+ int len=(strlen(scon)-sizeof(pn->scon))+1; -+ if (len > 0) -+ strcpy(pn->scon,&scon[len+1]); -+ else -+ strcpy(pn->scon,scon); -+ } - } - - static const char *prg_cache_get(unsigned long inode) -@@ -313,6 +337,16 @@ static const char *prg_cache_get(unsigned long inode) - return("-"); - } - -+static const char *prg_cache_get_con(unsigned long inode) -+{ -+ unsigned hi=PRG_HASHIT(inode); -+ struct prg_node *pn; -+ -+ for (pn=prg_hash[hi];pn;pn=pn->next) -+ if (pn->inode==inode) return(pn->scon); -+ 
return("-"); -+} -+ - static void prg_cache_clear(void) - { - struct prg_node **pnp,*pn; -@@ -384,6 +418,7 @@ static void prg_cache_load(void) - const char *cs,*cmdlp; - DIR *dirproc=NULL,*dirfd=NULL; - struct dirent *direproc,*direfd; -+ security_context_t scon=NULL; - - if (prg_cache_loaded || !flag_prg) return; - prg_cache_loaded=1; -@@ -453,7 +488,15 @@ static void prg_cache_load(void) - } - - snprintf(finbuf, sizeof(finbuf), "%s/%s", direproc->d_name, cmdlp); -- prg_cache_add(inode, finbuf); -+#if HAVE_SELINUX -+ if (getpidcon(atoi(direproc->d_name), &scon) == -1) { -+ scon=strdup("-"); -+ } -+ prg_cache_add(inode, finbuf, scon); -+ freecon(scon); -+#else -+ prg_cache_add(inode, finbuf, "-"); -+#endif - } - closedir(dirfd); - dirfd = NULL; -@@ -573,6 +616,8 @@ static void finish_this_one(int uid, unsigned long inode, const char *timers) - } - if (flag_prg) - printf(" %-16s",prg_cache_get(inode)); -+ if (flag_selinux) -+ printf("%-" SELINUX_WIDTHs "s",prg_cache_get_con(inode)); - if (flag_opt) - printf(" %s", timers); - putchar('\n'); -@@ -1566,6 +1611,8 @@ static void unix_do_one(int nr, const char *line) - printf("- "); - if (flag_prg) - printf("%-" PROGNAME_WIDTHs "s",(has & HAS_INODE?prg_cache_get(inode):"-")); -+ if (flag_selinux) -+ printf("%-" SELINUX_WIDTHs "s",(has & HAS_INODE?prg_cache_get_con(inode):"-")); - puts(path); - } - -@@ -1584,6 +1631,7 @@ static int unix_info(void) - - printf(_("\nProto RefCnt Flags Type State I-Node ")); - print_progname_banner(); -+ print_selinux_banner(); - printf(_(" Path\n")); /* xxx */ - - { -@@ -1874,6 +1922,7 @@ static void usage(void) - fprintf(stderr, _(" -o, --timers display timers\n")); - fprintf(stderr, _(" -F, --fib display Forwarding Information Base (default)\n")); - fprintf(stderr, _(" -C, --cache display routing cache instead of FIB\n\n")); -+ fprintf(stderr, _(" -Z, --context display SELinux security context for sockets\n\n")); - - fprintf(stderr, _(" ={-t|--tcp} {-u|--udp} {-S|--sctp} {-w|--raw} 
{-x|--unix} --ax25 --ipx --netrom\n")); - fprintf(stderr, _(" =Use '-6|-4' or '-A ' or '--'; default: %s\n"), DFLT_AF); -@@ -1920,6 +1969,7 @@ int main - {"cache", 0, 0, 'C'}, - {"fib", 0, 0, 'F'}, - {"groups", 0, 0, 'g'}, -+ {"context", 0, 0, 'Z'}, - {NULL, 0, 0, 0} - }; - -@@ -1931,7 +1981,7 @@ int main - getroute_init(); /* Set up AF routing support */ - - afname[0] = '\0'; -- while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxl64", longopts, &lop)) != EOF) -+ while ((i = getopt_long(argc, argv, "MCFA:acdegphinNorstuSWVv?wxlZ64", longopts, &lop)) != EOF) - switch (i) { - case -1: - break; -@@ -2036,6 +2086,19 @@ int main - if (aftrans_opt("unix")) - exit(1); - break; -+ case 'Z': -+#if HAVE_SELINUX -+ if (is_selinux_enabled() <= 0) { -+ fprintf(stderr, _("SELinux is not enabled on this machine.\n")); -+ exit(1); -+ } -+ flag_prg++; -+ flag_selinux++; -+#else -+ fprintf(stderr, _("SELinux is not enabled for this application.\n")); -+ exit(1); -+#endif -+ break; - case '?': - case 'h': - usage(); --- -1.9.1 - diff --git a/recipes-extended/net-tools/net-tools_%.bbappend b/recipes-extended/net-tools/net-tools_%.bbappend index e99a5bc..7719d3b 100644 --- a/recipes-extended/net-tools/net-tools_%.bbappend +++ b/recipes-extended/net-tools/net-tools_%.bbappend @@ -1,11 +1 @@ -PR .= ".2" - -FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" - -SRC_URI += "file://netstat-selinux-support.patch" - -inherit selinux - -DEPENDS += "${LIBSELINUX}" - -EXTRA_OEMAKE += "${@target_selinux(d, 'HAVE_SELINUX=1', 'HAVE_SELINUX=0')}" +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-extended/net-tools/net-tools_selinux.inc b/recipes-extended/net-tools/net-tools_selinux.inc new file mode 100644 index 0000000..cc3196f --- /dev/null +++ b/recipes-extended/net-tools/net-tools_selinux.inc 
@@ -0,0 +1,9 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+SRC_URI += "file://netstat-selinux-support.patch"
+
+inherit selinux
+
+DEPENDS += "${LIBSELINUX}"
+
+EXTRA_OEMAKE += "${@target_selinux(d, 'HAVE_SELINUX=1', 'HAVE_SELINUX=0')}"
diff --git a/recipes-extended/pam/libpam_%.bbappend b/recipes-extended/pam/libpam_%.bbappend
index adcf938..7719d3b 100644
--- a/recipes-extended/pam/libpam_%.bbappend
+++ b/recipes-extended/pam/libpam_%.bbappend
@@ -1,3 +1 @@
-inherit enable-selinux
-
-RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-extended/pam/libpam_selinux.inc b/recipes-extended/pam/libpam_selinux.inc
new file mode 100644
index 0000000..adcf938
--- /dev/null
+++ b/recipes-extended/pam/libpam_selinux.inc
@@ -0,0 +1,3 @@
+inherit enable-selinux
+
+RDEPENDS_${PN}-runtime += "${@target_selinux(d, 'pam-plugin-selinux')}"
diff --git a/recipes-extended/parted/parted_%.bbappend b/recipes-extended/parted/parted_%.bbappend
index 366fdf5..74e22b3 100644
--- a/recipes-extended/parted/parted_%.bbappend
+++ b/recipes-extended/parted/parted_%.bbappend
@@ -1,3 +1 @@
-PR .= ".2"
-
-inherit enable-selinux
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/recipes-extended/psmisc/psmisc_%.bbappend b/recipes-extended/psmisc/psmisc_%.bbappend
index bbb84f4..74e22b3 100644
--- a/recipes-extended/psmisc/psmisc_%.bbappend
+++ b/recipes-extended/psmisc/psmisc_%.bbappend
@@ -1,5 +1 @@
-PR .= ".2"
-
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-inherit enable-selinux
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
diff --git a/recipes-extended/sed/sed_4.2.2.bbappend b/recipes-extended/sed/sed_4.2.2.bbappend
index 7695b77..b01ad25 100644
--- a/recipes-extended/sed/sed_4.2.2.bbappend
+++ b/recipes-extended/sed/sed_4.2.2.bbappend
@@ -1,3 +1 @@
-PR .= ".3"
-
-inherit with-selinux
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/recipes-extended/shadow/shadow_%.bbappend b/recipes-extended/shadow/shadow_%.bbappend
index b7ccf40..7719d3b 100644
--- a/recipes-extended/shadow/shadow_%.bbappend
+++ b/recipes-extended/shadow/shadow_%.bbappend
@@ -1,7 +1 @@
-PR .= ".1"
-
-inherit with-selinux with-audit
-
-PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage,"
-
-FILESEXTRAPATHS_prepend := "${@target_selinux(d, '${THISDIR}/files:')}"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-extended/shadow/shadow_selinux.inc b/recipes-extended/shadow/shadow_selinux.inc
new file mode 100644
index 0000000..496ea6a
--- /dev/null
+++ b/recipes-extended/shadow/shadow_selinux.inc
@@ -0,0 +1,6 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+inherit with-selinux with-audit
+
+PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage,"
+
diff --git a/recipes-extended/sudo/sudo_%.bbappend b/recipes-extended/sudo/sudo_%.bbappend
index 5ad8973..b01ad25 100644
--- a/recipes-extended/sudo/sudo_%.bbappend
+++ b/recipes-extended/sudo/sudo_%.bbappend
@@ -1,3 +1 @@
-PR .= ".2"
-
-inherit with-selinux
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'with-selinux', '', d)}
diff --git a/recipes-extended/sysklogd/sysklogd_%.bbappend b/recipes-extended/sysklogd/sysklogd_%.bbappend
index 81fe7b7..7719d3b 100644
--- a/recipes-extended/sysklogd/sysklogd_%.bbappend
+++ b/recipes-extended/sysklogd/sysklogd_%.bbappend
@@ -1 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-extended/sysklogd/sysklogd_selinux.inc b/recipes-extended/sysklogd/sysklogd_selinux.inc
new file mode 100644
index 0000000..81fe7b7
--- /dev/null
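Review bot: The shadow bbappend now only inherits `with-audit` when 'selinux' is in DISTRO_FEATURES, because that inherit moved from shadow_%.bbappend into shadow_selinux.inc, which is required only under the selinux feature; before this change it was unconditional. A distro that enables audit without SELinux would therefore lose whatever with-audit turns on for login/passwd (presumably --with-audit, the class itself is not visible here). If with-audit keys off its own DISTRO_FEATURE, keep it in the bbappend as a separately guarded line, `inherit ${@bb.utils.contains('DISTRO_FEATURES', 'audit', 'with-audit', '', d)}`, which still leaves the signature untouched when audit is off. If tying audit to selinux is deliberate, a one-line comment in shadow_selinux.inc saying so would stop the next reader from moving it back.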
+++ b/recipes-extended/sysklogd/sysklogd_selinux.inc
@@ -0,0 +1 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
diff --git a/recipes-extended/tar/tar_%.bbappend b/recipes-extended/tar/tar_%.bbappend
index 4b48777..7719d3b 100644
--- a/recipes-extended/tar/tar_%.bbappend
+++ b/recipes-extended/tar/tar_%.bbappend
@@ -1,6 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-inherit with-selinux
-
-
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)}"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-extended/tar/tar_selinux.inc b/recipes-extended/tar/tar_selinux.inc
new file mode 100644
index 0000000..341df8b
--- /dev/null
+++ b/recipes-extended/tar/tar_selinux.inc
@@ -0,0 +1,3 @@
+inherit with-selinux
+
+PACKAGECONFIG_append = "${@bb.utils.contains('DISTRO_FEATURES', 'acl', ' acl', '', d)}"
diff --git a/recipes-graphics/mesa/mesa_%.bbappend b/recipes-graphics/mesa/mesa_%.bbappend
index 0004f71..b0b03ec 100644
--- a/recipes-graphics/mesa/mesa_%.bbappend
+++ b/recipes-graphics/mesa/mesa_%.bbappend
@@ -1,6 +1,2 @@
-inherit enable-selinux
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
 
-# But wait! There's more! mesa builds a host program named builtin_compiler
-# and it needs selinux, too. We replace the PACKAGECONFIG[] in the bbclass.
-#
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux libselinux-native,"
diff --git a/recipes-graphics/mesa/mesa_selinux.inc b/recipes-graphics/mesa/mesa_selinux.inc
new file mode 100644
index 0000000..0004f71
--- /dev/null
+++ b/recipes-graphics/mesa/mesa_selinux.inc
@@ -0,0 +1,6 @@
+inherit enable-selinux
+
+# But wait! There's more! mesa builds a host program named builtin_compiler
+# and it needs selinux, too. We replace the PACKAGECONFIG[] in the bbclass.
+#
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux libselinux-native,"
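Review bot: The acl PACKAGECONFIG for tar is now gated on 'selinux' in addition to 'acl', because the line moved from tar_%.bbappend into tar_selinux.inc and that file is only required when selinux is in DISTRO_FEATURES; before this commit it applied whenever 'acl' alone was enabled. That is a functional change the commit message does not mention. If the goal is only to keep the bbappend signature stable, the line can stay in the bbappend as-is since it already evaluates to nothing without the 'acl' feature: `PACKAGECONFIG_append = "${@bb.utils.contains('DISTRO_FEATURES', 'acl', ' acl', '', d)}"`. If acl is genuinely only wanted alongside SELinux (for example to carry xattrs in archives), a one-line comment above it in tar_selinux.inc would record that.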
diff --git a/recipes-graphics/xcb/libxcb_%.bbappend b/recipes-graphics/xcb/libxcb_%.bbappend
index f1bd5a8..7719d3b 100644
--- a/recipes-graphics/xcb/libxcb_%.bbappend
+++ b/recipes-graphics/xcb/libxcb_%.bbappend
@@ -1,8 +1 @@
-PR .= ".1"
-
-inherit enable-selinux
-# libxcb-xselinux will not build with libselinux, so remove the depend
-PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,,"
-
-PACKAGES += "${PN}-xselinux"
-FILES_${PN}-xselinux += "${libdir}/libxcb-xselinux.so.*"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-graphics/xcb/libxcb_selinux.inc b/recipes-graphics/xcb/libxcb_selinux.inc
new file mode 100644
index 0000000..29bdadb
--- /dev/null
+++ b/recipes-graphics/xcb/libxcb_selinux.inc
@@ -0,0 +1,6 @@
+inherit enable-selinux
+# libxcb-xselinux will not build with libselinux, so remove the depend
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,,"
+
+PACKAGES += "${PN}-xselinux"
+FILES_${PN}-xselinux += "${libdir}/libxcb-xselinux.so.*"
diff --git a/recipes-kernel/linux/files/selinux.cfg b/recipes-kernel/linux/files/selinux.cfg
new file mode 100644
index 0000000..2edd366
--- /dev/null
+++ b/recipes-kernel/linux/files/selinux.cfg
@@ -0,0 +1,31 @@
+..........................................................................
+. WARNING
+.
+. This file is a kernel configuration fragment, and not a full kernel
+. configuration file. The final kernel configuration is made up of
+. an assembly of processed fragments, each of which is designed to
+. capture a specific part of the final configuration (e.g. platform
+. configuration, feature configuration, and board specific hardware
+. configuration). For more information on kernel configuration, please
+. consult the product documentation.
+.
+..........................................................................
+CONFIG_AUDIT=y
+CONFIG_NETWORK_SECMARK=y
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_JFS_SECURITY=y
+CONFIG_REISERFS_FS_SECURITY=y
+CONFIG_JFFS2_FS_SECURITY=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
+CONFIG_SECURITY_SELINUX_DISABLE=y
+CONFIG_SECURITY_SELINUX_DEVELOP=y
+CONFIG_SECURITY_SELINUX_AVC_STATS=y
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
+CONFIG_AUDIT_GENERIC=y
diff --git a/recipes-kernel/linux/linux-yocto/selinux.cfg b/recipes-kernel/linux/linux-yocto/selinux.cfg
deleted file mode 100644
index 2edd366..0000000
--- a/recipes-kernel/linux/linux-yocto/selinux.cfg
+++ /dev/null
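Review bot: The fragment at recipes-kernel/linux/files/selinux.cfg sets `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1`, which makes SELinux check the protection an application requests in mmap/mprotect rather than the protection the kernel actually applies, so a process running with READ_IMPLIES_EXEC can end up with executable mappings that execmem/execmod rules never see; an enforcing build should carry `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0`. In the same fragment `CONFIG_SECURITY_SELINUX_DISABLE=y`, `CONFIG_SECURITY_SELINUX_BOOTPARAM=y` and `CONFIG_SECURITY_SELINUX_DEVELOP=y` allow root (via /sys/fs/selinux/disable before policy load), the bootloader (`selinux=0`) and the permissive toggle to switch enforcement off; those are useful while developing policy but deserve a comment in the fragment saying production images are expected to drop at least the first two. The blob id 2edd366 matches the deleted linux-yocto/selinux.cfg, so this is a move and the settings are pre-existing rather than introduced here, but the fragment is the layer's security baseline and is worth fixing while it is being touched.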
@@ -1,31 +0,0 @@
-..........................................................................
-. WARNING
-.
-. This file is a kernel configuration fragment, and not a full kernel
-. configuration file. The final kernel configuration is made up of
-. an assembly of processed fragments, each of which is designed to
-. capture a specific part of the final configuration (e.g. platform
-. configuration, feature configuration, and board specific hardware
-. configuration). For more information on kernel configuration, please
-. consult the product documentation.
-.
-..........................................................................
-CONFIG_AUDIT=y
-CONFIG_NETWORK_SECMARK=y
-CONFIG_EXT2_FS_SECURITY=y
-CONFIG_EXT3_FS_SECURITY=y
-CONFIG_EXT4_FS_SECURITY=y
-CONFIG_JFS_SECURITY=y
-CONFIG_REISERFS_FS_SECURITY=y
-CONFIG_JFFS2_FS_SECURITY=y
-CONFIG_SECURITY=y
-CONFIG_SECURITYFS=y
-CONFIG_SECURITY_NETWORK=y
-CONFIG_SECURITY_SELINUX=y
-CONFIG_SECURITY_SELINUX_BOOTPARAM=y
-CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
-CONFIG_SECURITY_SELINUX_DISABLE=y
-CONFIG_SECURITY_SELINUX_DEVELOP=y
-CONFIG_SECURITY_SELINUX_AVC_STATS=y
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-CONFIG_AUDIT_GENERIC=y
diff --git a/recipes-kernel/linux/linux-yocto_4.%.bbappend b/recipes-kernel/linux/linux-yocto_4.%.bbappend
index a8c0647..7719d3b 100644
--- a/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -1,8 +1 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-# Enable selinux support in the kernel if the feature is enabled
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"
-
-# For inconsistent kallsyms data bug on ARM
-# http://lists.infradead.org/pipermail/linux-arm-kernel/2012-March/thread.html#89718
-EXTRA_OEMAKE += "${@bb.utils.contains('TARGET_ARCH', 'arm', ' KALLSYMS_EXTRA_PASS=1', '', d)}"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
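Review bot: The ARM `KALLSYMS_EXTRA_PASS=1` EXTRA_OEMAKE workaround removed from linux-yocto_4.%.bbappend is not carried into the new linux-yocto_selinux.inc, so this hunk drops a build fix rather than just relocating selinux gating, which goes beyond what the commit message ("check for the distribution flag ... remove PR changes") describes. If the inconsistent-kallsyms issue in the deleted comment no longer affects the 4.x kernels this bbappend matches, the commit message should say so; otherwise the line belongs back in the bbappend as it was, `EXTRA_OEMAKE += "${@bb.utils.contains('TARGET_ARCH', 'arm', ' KALLSYMS_EXTRA_PASS=1', '', d)}"`, since its own TARGET_ARCH guard already keeps it out of non-arm signatures and it has nothing to do with the selinux feature.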
diff --git a/recipes-kernel/linux/linux-yocto_selinux.inc b/recipes-kernel/linux/linux-yocto_selinux.inc
new file mode 100644
index 0000000..3312e06
--- /dev/null
+++ b/recipes-kernel/linux/linux-yocto_selinux.inc
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+# Enable selinux support in the kernel if the feature is enabled
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"
diff --git a/recipes-kernel/perf/perf.bbappend b/recipes-kernel/perf/perf.bbappend
index 93df43e..b0b03ec 100644
--- a/recipes-kernel/perf/perf.bbappend
+++ b/recipes-kernel/perf/perf.bbappend
@@ -1 +1,2 @@
-DEPENDS += " ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'audit', '', d)}"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
+
diff --git a/recipes-kernel/perf/perf_selinux.inc b/recipes-kernel/perf/perf_selinux.inc
new file mode 100644
index 0000000..bed3cc2
--- /dev/null
+++ b/recipes-kernel/perf/perf_selinux.inc
@@ -0,0 +1 @@
+DEPENDS .= "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', ' audit', '', d)}"
diff --git a/recipes-support/attr/attr/fix-ptest-failures-when-selinux-enabled.patch b/recipes-support/attr/attr/fix-ptest-failures-when-selinux-enabled.patch
deleted file mode 100644
index e1eefa7..0000000
--- a/recipes-support/attr/attr/fix-ptest-failures-when-selinux-enabled.patch
+++ /dev/null
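Review bot: The `bb.utils.contains('DISTRO_FEATURES', 'selinux', ...)` guard kept inside linux-yocto_selinux.inc is now redundant, because the .inc is only required when that feature is present, and the comment above it ("if the feature is enabled") no longer describes anything the line decides. `SRC_URI += "file://selinux.cfg"` with a comment like `# Kernel config fragment enabling SELinux; this .inc is only required under the selinux feature` matches the other *_selinux.inc files in this commit. The same applies to perf_selinux.inc, where `DEPENDS .= " audit"` would do. Style only; there is no behavioural difference either way.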
@@ -1,41 +0,0 @@ -Upstream-Status: Pending - -When enable selinux, file has a default attribute: - -# file: here -security.selinux="system_u:object_r:lib_t:s0" - -That cause there is always more output than expected. - -Filter out selinux related attribute info to make ptest pass. - -Signed-off-by: Kai Kang ---- -diff --git a/test/run b/test/run -index cf15252..945741e 100755 ---- a/test/run -+++ b/test/run -@@ -132,6 +132,23 @@ sub process_test($$$$) { - print "[$prog_line] \$ ", join(' ', - map { s/\s/\\$&/g; $_ } @$p), " -- "; - my $result = exec_test($prog, $in); -+ -+ # filter selinux related attributes info -+ my @strip1; -+ my @strip2; -+ foreach (@$result) { -+ unless (/security.selinux=.*\n/) { -+ push @strip1, $_; -+ } -+ } -+ for (my $i = 0; $i <= $#strip1; $i++) { -+ if ($strip1[$i] =~ /^# file:.*/ && $strip1[$i+1] =~ /^\n$/) { -+ $i++; -+ } else { -+ push @strip2, $strip1[$i]; -+ } -+ } -+ $result = \@strip2; - my @good = (); - my $nmax = (@$out > @$result) ? @$out : @$result; - for (my $n=0; $n < $nmax; $n++) { diff --git a/recipes-support/attr/attr_%.bbappend b/recipes-support/attr/attr_%.bbappend index 6be8191..7719d3b 100644 --- a/recipes-support/attr/attr_%.bbappend +++ b/recipes-support/attr/attr_%.bbappend @@ -1,5 +1 @@ -inherit selinux - -FILESEXTRAPATHS_prepend := "${THISDIR}/${BPN}:" - -SRC_URI += "${@target_selinux(d, 'file://fix-ptest-failures-when-selinux-enabled.patch')}" +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-support/attr/attr_selinux.inc b/recipes-support/attr/attr_selinux.inc new file mode 100644 index 0000000..ba0314e --- /dev/null +++ b/recipes-support/attr/attr_selinux.inc @@ -0,0 +1,5 @@ +inherit selinux + +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI += "file://fix-ptest-failures-when-selinux-enabled.patch" 
diff --git a/recipes-support/attr/files/fix-ptest-failures-when-selinux-enabled.patch b/recipes-support/attr/files/fix-ptest-failures-when-selinux-enabled.patch new file mode 100644 index 0000000..e1eefa7 --- /dev/null +++ b/recipes-support/attr/files/fix-ptest-failures-when-selinux-enabled.patch @@ -0,0 +1,41 @@ +Upstream-Status: Pending + +When enable selinux, file has a default attribute: + +# file: here +security.selinux="system_u:object_r:lib_t:s0" + +That cause there is always more output than expected. + +Filter out selinux related attribute info to make ptest pass. + +Signed-off-by: Kai Kang +--- +diff --git a/test/run b/test/run +index cf15252..945741e 100755 +--- a/test/run ++++ b/test/run +@@ -132,6 +132,23 @@ sub process_test($$$$) { + print "[$prog_line] \$ ", join(' ', + map { s/\s/\\$&/g; $_ } @$p), " -- "; + my $result = exec_test($prog, $in); ++ ++ # filter selinux related attributes info ++ my @strip1; ++ my @strip2; ++ foreach (@$result) { ++ unless (/security.selinux=.*\n/) { ++ push @strip1, $_; ++ } ++ } ++ for (my $i = 0; $i <= $#strip1; $i++) { ++ if ($strip1[$i] =~ /^# file:.*/ && $strip1[$i+1] =~ /^\n$/) { ++ $i++; ++ } else { ++ push @strip2, $strip1[$i]; ++ } ++ } ++ $result = \@strip2; + my @good = (); + my $nmax = (@$out > @$result) ? @$out : @$result; + for (my $n=0; $n < $nmax; $n++) { diff --git a/recipes-support/gnupg/gnupg_2.%.bbappend b/recipes-support/gnupg/gnupg_2.%.bbappend index 12571b4..7719d3b 100644 --- a/recipes-support/gnupg/gnupg_2.%.bbappend +++ b/recipes-support/gnupg/gnupg_2.%.bbappend @@ -1,3 +1 @@ -inherit enable-selinux -# gnupg will not build with libselinux, so remove the depend -PACKAGECONFIG[selinux] = "--enable-selinux-support,--disable-selinux-support,," +require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)} diff --git a/recipes-support/gnupg/gnupg_selinux.inc b/recipes-support/gnupg/gnupg_selinux.inc new file mode 100644 index 0000000..12571b4 --- /dev/null 
+++ b/recipes-support/gnupg/gnupg_selinux.inc
@@ -0,0 +1,3 @@
+inherit enable-selinux
+# gnupg will not build with libselinux, so remove the depend
+PACKAGECONFIG[selinux] = "--enable-selinux-support,--disable-selinux-support,,"
diff --git a/recipes-support/libpcre/libpcre_%.bbappend b/recipes-support/libpcre/libpcre_%.bbappend
index ad18d61..7719d3b 100644
--- a/recipes-support/libpcre/libpcre_%.bbappend
+++ b/recipes-support/libpcre/libpcre_%.bbappend
@@ -1,14 +1 @@
-PR .= "9"
-
-do_install_append () {
- if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
- realsofile=`readlink ${D}${libdir}/libpcre.so`
- mkdir -p ${D}/${base_libdir}/
- mv -f ${D}${libdir}/libpcre.so.* ${D}${base_libdir}/
- relpath=${@os.path.relpath("${base_libdir}", "${libdir}")}
- ln -sf ${relpath}/${realsofile} ${D}${libdir}/libpcre.so
- ln -sf ${relpath}/${realsofile} ${D}${libdir}/libpcre.so.1
- fi
-}
-
-FILES_${PN} += "${base_libdir}/libpcre.so.*"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
diff --git a/recipes-support/libpcre/libpcre_selinux.inc b/recipes-support/libpcre/libpcre_selinux.inc
new file mode 100644
index 0000000..59c0184
--- /dev/null
+++ b/recipes-support/libpcre/libpcre_selinux.inc
@@ -0,0 +1,12 @@
+do_install_append () {
+ if [ ! ${D}${libdir} -ef ${D}${base_libdir} ]; then
+ realsofile=`readlink ${D}${libdir}/libpcre.so`
+ mkdir -p ${D}/${base_libdir}/
+ mv -f ${D}${libdir}/libpcre.so.* ${D}${base_libdir}/
+ relpath=${@os.path.relpath("${base_libdir}", "${libdir}")}
+ ln -sf ${relpath}/${realsofile} ${D}${libdir}/libpcre.so
+ ln -sf ${relpath}/${realsofile} ${D}${libdir}/libpcre.so.1
+ fi
+}
+
+FILES_${PN} += "${base_libdir}/libpcre.so.*"
diff --git a/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend b/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
index 8c11cac..74e22b3 100644
--- a/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
+++ b/virtualization-layer/recipes-containers/lxc/lxc_%.bbappend
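Review bot: libpcre_selinux.inc moves the libpcre shared objects into ${base_libdir} without a word on why, and the new file is the natural place to say it; the likely reason is that libselinux links against libpcre and is itself installed under ${base_libdir}, so libpcre must be resolvable before /usr is available, but that is an inference from this layer's purpose and should be confirmed and recorded as a comment above `do_install_append`. The `${D}${libdir}/libpcre.so.1` symlink hard-codes the soname while `realsofile` is read dynamically, so a soname bump in the base recipe would leave a dangling link that nothing in this task detects; at minimum note the assumption next to that line, or add a `[ -e ${D}${base_libdir}/${realsofile} ]` check before creating the links. Behaviour is otherwise unchanged from the deleted bbappend.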
@@ -1 +1 @@
-inherit enable-selinux
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
--
cgit v1.2.3-54-g00ecf