From 816b52ef4de5ed11520ae87db23d4de6f1b0e1a7 Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Mon, 23 Sep 2013 21:17:59 +0800
Subject: policycoreutils: migrate SRC_URI and patches to 2.1.14

2.1.14 imports a new python module: sepolicy, so add setools to DEPENDS and split new files to policycoreutils-python.

Signed-off-by: Xin Ouyang
Signed-off-by: Joe MacDonald
---
 recipes-security/selinux/policycoreutils.inc | 16 +-
 ...policycoreutils-fix-sepolicy-install-path.patch | 35 +++
 ...cycoreutils-revert-restorecon-update-type.patch | 315 ---------------------
 .../selinux/policycoreutils/scripts_makefile.patch | 26 --
 recipes-security/selinux/policycoreutils_2.1.14.bb | 10 +-
 5 files changed, 52 insertions(+), 350 deletions(-)
 create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fix-sepolicy-install-path.patch
 delete mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch
 delete mode 100644 recipes-security/selinux/policycoreutils/scripts_makefile.patch

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index 7939095..1acc19f 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -16,7 +16,7 @@ PAM_SRC_URI = "file://pam.d/newrole \
 "
 
 DEPENDS += "libsepol libselinux libsemanage"
-EXTRA_DEPENDS = "libcap-ng libcgroup"
+EXTRA_DEPENDS = "libcap-ng libcgroup setools"
 DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
 
 inherit selinux
@@ -43,8 +43,13 @@ RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"
 WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"
 ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}"
 
+inherit pythonnative
+
 PACKAGES =+ "${PN}-python ${PN}-sandbox system-config-selinux"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*"
+FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
+ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \
+ ${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/*"
+FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/*"
 FILES_${PN}-sandbox = "${datadir}/sandbox/*"
 FILES_${PN}-sandbox += "${bindir}/sandbox"
 FILES_${PN}-sandbox += "${sbindir}/seunshare"
@@ -53,8 +58,6 @@ FILES_system-config-selinux = " \
 ${datadir}/system-config-selinux/* \
 "
 
-inherit pythonnative
-
 export STAGING_INCDIR
 export STAGING_LIBDIR
 export BUILD_SYS
@@ -86,6 +89,11 @@ do_compile_prepend() {
 export PYTHON_SITE_PKG="${libdir}/${PYLIBVER}/site-packages"
 }
 
+do_install_prepend() {
+ export PYTHON=python
+ export SEMODULE_PATH=${sbindir}
+}
+
 do_install_virtclass-native() {
 for PCU_CMD in ${PCU_NATIVE_CMDS} ; do
 oe_runmake -C $PCU_CMD install \
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fix-sepolicy-install-path.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fix-sepolicy-install-path.patch
new file mode 100644
index 0000000..aaf2e66
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-fix-sepolicy-install-path.patch
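Review bot: The narrowed `FILES_${PN}-python` list only claims `seobject.py*`, `sepolicy*.egg-info` and `sepolicy/*`, so any other file setup.py drops into site-packages (a sibling module, a second egg-info) becomes unpackaged and trips the installed-vs-shipped QA check; worth confirming against the 2.1.14 install tree that nothing else lands there. Separately, `${PN}-python` declares no runtime dependencies in this hunk — the only visible link is `RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"` on the main package — so a target that installs `${PN}-python` alone gets a sepolicy module with no interpreter and, presumably, no setools bindings (the commit message is what ties sepolicy to setools). Unless those RDEPENDS are declared elsewhere in the recipe, add something like `RDEPENDS_${PN}-python += "python-core setools"` next to the FILES lines.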
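Review bot: `export PYTHON=python` in the new do_install_prepend resolves through PATH, and the companion sepolicy Makefile patch additionally computes the install-lib directory by probing a bare `python`, so the site-packages path written into the target image is whatever interpreter happens to be first on the build host's PATH. The recipe already carries `${PYLIBVER}` (it is used two lines above for PYTHON_SITE_PKG) and the Makefile's `PYLIBVER ?=` honors the environment, so pin it explicitly with `export PYLIBVER=${PYLIBVER}` alongside the other two exports. `SEMODULE_PATH=${sbindir}` looks intended to replace the dropped scripts_makefile.patch, but the 2.1.14 scripts/Makefile is not in view, so please confirm it actually reads that variable. do_install_virtclass-native continues past the end of the hunk.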
@@ -0,0 +1,35 @@
+From 086f715e2a0dd05c07f0428f424017cc96acc387 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang
+Date: Thu, 22 Aug 2013 16:40:26 +0800
+Subject: [PATCH] policycoreutils: fix install path for new pymodule sepolicy
+
+Signed-off-by: Xin Ouyang
+---
+ sepolicy/Makefile | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index 11b534f..9e46b74 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -11,6 +11,8 @@ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+ override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W -DSHARED -shared
+ 
++PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]')
++
+ BASHCOMPLETIONS=sepolicy-bash-completion.sh
+ 
+ all: python-build
+@@ -23,7 +25,7 @@ clean:
+ -rm -rf build *~ \#* *pyc .#*
+ 
+ install:
+- $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++ $(PYTHON) setup.py install --install-lib $(LIBDIR)/$(PYLIBVER)/site-packages
+ [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ install -m 755 sepolicy.py $(BINDIR)/sepolicy
+ -mkdir -p $(MANDIR)/man8
+--
+1.7.9.5
+
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch b/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch
deleted file mode 100644
index dd7f97c..0000000
--- a/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch
+++ /dev/null
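Review bot: The new `PYLIBVER ?=` line shells out to a bare `python` while the install target a few lines below runs `$(PYTHON) setup.py install`, so the directory name and the interpreter that populates it can come from two different pythons; write the probe as `$(shell $(PYTHON) -c '...')` so both agree. The `print "python%d.%d" % ...` statement is Python 2 syntax, so under a Python 3 `python` the probe fails and PYLIBVER is empty, turning the destination into `$(LIBDIR)//site-packages` — a guard such as `$(if $(PYLIBVER),,$(error cannot determine python version))` would make that fail loudly. Replacing the `--root $(DESTDIR)` argument with `--install-lib` means anything setup.py installs outside install-lib (scripts, data files) now goes to the unprefixed location unless LIBDIR itself already embeds DESTDIR, which is not visible in this hunk and should be confirmed. The patch header also omits the `Upstream-Status:` line that the patches it sits beside carry (the removed one reads `Upstream-Status: Inappropriate [for old refpolicy]`); add `Upstream-Status: Pending` or `Inappropriate [embedded specific]` so the meta-selinux patch policy can be audited.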
@@ -1,315 +0,0 @@ -From 0fa419825539f172e1097d685e92c7d1a5826f23 Mon Sep 17 00:00:00 2001 -From: Xin Ouyang -Date: Fri, 24 May 2013 14:31:10 +0800 -Subject: [PATCH] policycoreutils: Revert "restorecon: only update type by default" - -This reverts uprev commit 96cedba3e59aa474f0f040da5108a17bba45ce6c. - -96cedb will cause wrong security contexts for /dev/ while using -MLS type of old refpolicy, so revert it. - -This patch should be dropped while refpolicy is upreved to 2.20120725+. - -Upstream-Status: Inappropriate [for old refpolicy] - ---- - setfiles/restore.c | 113 +++++++++++++++------------------- - setfiles/restorecon.8 | 12 ++-- - setfiles/setfiles.8 | 19 +++--- - 3 files changed, 61 insertions(+), 83 deletions(-) - -diff --git a/setfiles/restore.c b/setfiles/restore.c -index 4c62b41..2acec8e 100644 ---- a/setfiles/restore.c -+++ b/setfiles/restore.c -@@ -1,6 +1,5 @@ - #include "restore.h" - #include --#include - - #define SKIP -2 - #define ERR -1 -@@ -34,6 +33,7 @@ struct edir { - - static file_spec_t *fl_head; - static int filespec_add(ino_t ino, const security_context_t con, const char *file); -+static int only_changed_user(const char *a, const char *b); - struct restore_opts *r_opts = NULL; - static void filespec_destroy(void); - static void filespec_eval(void); -@@ -104,7 +104,8 @@ static int restore(FTSENT *ftsent) - { - char *my_file = strdupa(ftsent->fts_path); - int ret = -1; -- security_context_t curcon = NULL, newcon = NULL; -+ char *context, *newcon; -+ int user_only_changed = 0; - - if (match(my_file, ftsent->fts_statp, &newcon) < 0) - /* Check for no matching specification. */ -@@ -138,105 +139,74 @@ static int restore(FTSENT *ftsent) - printf("%s: %s matched by %s\n", r_opts->progname, my_file, newcon); - } - -- /* -- * Do not relabel if their is no default specification for this file -- */ -- -- if (strcmp(newcon, "<>") == 0) { -- goto out; -- } -- - /* Get the current context of the file. 
*/ -- ret = lgetfilecon_raw(ftsent->fts_accpath, &curcon); -+ ret = lgetfilecon_raw(ftsent->fts_accpath, &context); - if (ret < 0) { - if (errno == ENODATA) { -- curcon = NULL; -+ context = NULL; - } else { - fprintf(stderr, "%s get context on %s failed: '%s'\n", - r_opts->progname, my_file, strerror(errno)); - goto err; - } -- } -- -+ user_only_changed = 0; -+ } else -+ user_only_changed = only_changed_user(context, newcon); - /* lgetfilecon returns number of characters and ret needs to be reset - * to 0. - */ - ret = 0; - - /* -- * Do not relabel the file if the file is already labeled according to -- * the specification. -+ * Do not relabel the file if the matching specification is -+ * <> or the file is already labeled according to the -+ * specification. - */ -- if (curcon && (strcmp(curcon, newcon) == 0)) { -+ if ((strcmp(newcon, "<>") == 0) || -+ (context && (strcmp(context, newcon) == 0))) { -+ freecon(context); - goto out; - } - -- if (!r_opts->force && curcon && (is_context_customizable(curcon) > 0)) { -+ if (!r_opts->force && context && (is_context_customizable(context) > 0)) { - if (r_opts->verbose > 1) { - fprintf(stderr, - "%s: %s not reset customized by admin to %s\n", -- r_opts->progname, my_file, curcon); -+ r_opts->progname, my_file, context); - } -+ freecon(context); - goto out; - } - -- /* -- * Do not change label unless this is a force or the type is different -- */ -- if (!r_opts->force && curcon) { -- int types_differ = 0; -- context_t cona; -- context_t conb; -- int err = 0; -- cona = context_new(curcon); -- if (! cona) { -- goto out; -- } -- conb = context_new(newcon); -- if (! 
conb) { -- context_free(cona); -- goto out; -- } -- -- types_differ = strcmp(context_type_get(cona), context_type_get(conb)); -- if (types_differ) { -- err |= context_user_set(conb, context_user_get(cona)); -- err |= context_role_set(conb, context_role_get(cona)); -- err |= context_range_set(conb, context_range_get(cona)); -- if (!err) { -- freecon(newcon); -- newcon = strdup(context_str(conb)); -- } -- } -- context_free(cona); -- context_free(conb); -- -- if (!types_differ || err) { -- goto out; -- } -- } -- - if (r_opts->verbose) { -- printf("%s reset %s context %s->%s\n", -- r_opts->progname, my_file, curcon ?: "", newcon); -+ /* If we're just doing "-v", trim out any relabels where -+ * the user has r_opts->changed but the role and type are the -+ * same. For "-vv", emit everything. */ -+ if (r_opts->verbose > 1 || !user_only_changed) { -+ printf("%s reset %s context %s->%s\n", -+ r_opts->progname, my_file, context ?: "", newcon); -+ } - } - -- if (r_opts->logging && r_opts->change) { -- if (curcon) -+ if (r_opts->logging && !user_only_changed) { -+ if (context) - syslog(LOG_INFO, "relabeling %s from %s to %s\n", -- my_file, curcon, newcon); -+ my_file, context, newcon); - else - syslog(LOG_INFO, "labeling %s to %s\n", - my_file, newcon); - } - -- if (r_opts->outfile) -+ if (r_opts->outfile && !user_only_changed) - fprintf(r_opts->outfile, "%s\n", my_file); - -+ if (context) -+ freecon(context); -+ - /* - * Do not relabel the file if -n was used. 
- */ -- if (!r_opts->change) -+ if (!r_opts->change || user_only_changed) - goto out; - - /* -@@ -250,15 +220,12 @@ static int restore(FTSENT *ftsent) - } - ret = 0; - out: -- freecon(curcon); - freecon(newcon); - return ret; - skip: -- freecon(curcon); - freecon(newcon); - return SKIP; - err: -- freecon(curcon); - freecon(newcon); - return ERR; - } -@@ -479,6 +446,22 @@ int add_exclude(const char *directory) - return 0; - } - -+/* Compare two contexts to see if their differences are "significant", -+ * or whether the only difference is in the user. */ -+static int only_changed_user(const char *a, const char *b) -+{ -+ char *rest_a, *rest_b; /* Rest of the context after the user */ -+ if (r_opts->force) -+ return 0; -+ if (!a || !b) -+ return 0; -+ rest_a = strchr(a, ':'); -+ rest_b = strchr(b, ':'); -+ if (!rest_a || !rest_b) -+ return 0; -+ return (strcmp(rest_a, rest_b) == 0); -+} -+ - /* - * Evaluate the association hash table distribution. - */ -diff --git a/setfiles/restorecon.8 b/setfiles/restorecon.8 -index ffbb9d1..f765000 100644 ---- a/setfiles/restorecon.8 -+++ b/setfiles/restorecon.8 -@@ -21,11 +21,6 @@ It can also be run at any other time to correct inconsistent labels, to add - support for newly-installed policy or, by using the \-n option, to passively - check whether the file contexts are all set as specified by the active policy - (default behavior) or by some other policy (see the \-c option). --.P --If a file object does not have a context, restorecon will write the default --context to the file object's extended attributes. If a file object has a --context, restorecon will only modify the type portion of the security context. --The -F option will force a replacement of the entire context. - - .SH "OPTIONS" - .TP -@@ -36,8 +31,8 @@ exclude a directory (repeat the option to exclude more than one directory). - infilename contains a list of files to be processed. Use \- for stdin. 
- .TP - .B \-F --Force reset of context to match file_context for customizable files, and the --default file context, changing the user, role, range portion as well as the type. -+force reset of context to match file_context for customizable files, or the -+user section, if it has changed. - .TP - .B \-h, \-? - display usage information and exit. -@@ -63,6 +58,9 @@ change files and directories file labels recursively (descend directories). - .B \-v - show changes in file labels, if type or role are going to be changed. - .TP -+.B \-vv -+show changes in file labels, if type, role or user are going to be changed. -+.TP - .B \-0 - the separator for the input items is assumed to be the null character - (instead of the white space). The quotes and the backslash characters are -diff --git a/setfiles/setfiles.8 b/setfiles/setfiles.8 -index 7ff54f9..bcec84c 100644 ---- a/setfiles/setfiles.8 -+++ b/setfiles/setfiles.8 -@@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts. - - .SH "SYNOPSIS" - .B setfiles --.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname... -+.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-vv] [\-W] [\-F] spec_file pathname... - .SH "DESCRIPTION" - This manual page describes the - .BR setfiles -@@ -19,13 +19,9 @@ It can also be run at any other time to correct inconsistent labels, to add - support for newly-installed policy or, by using the \-n option, to passively - check whether the file contexts are all set as specified by the active policy - (default behavior) or by some other policy (see the \-c option). --.P --If a file object does not have a context, setfiles will write the default --context to the file object's extended attributes. If a file object has a --context, setfiles will only modify the type portion of the security context. --The -F option will force a replacement of the entire context. 
-+ - .SH "OPTIONS" --.TP -+.TP - .B \-c - check the validity of the contexts against the specified binary policy. - .TP -@@ -40,9 +36,7 @@ directory to exclude (repeat option for more than one directory). - take a list of files to be processed from an input file. - .TP - .B \-F --Force reset of context to match file_context for customizable files, and the --default file context, changing the user, role, range portion as well as the --type. -+force reset of context to match file_context for customizable files. - .TP - .B \-h, \-? - display usage information and exit. -@@ -73,7 +67,10 @@ take a list of files from standard input instead of using a pathname from the - command line (equivalent to \-f \-). - .TP - .B \-v --show changes in file labels. -+show changes in file labels, if type or role are going to be changed. -+.TP -+.B \-vv -+show changes in file labels, if type, role or user are going to be changed. - .TP - .B \-W - display warnings about entries that had no matching files. --- -1.8.1.2 - diff --git a/recipes-security/selinux/policycoreutils/scripts_makefile.patch b/recipes-security/selinux/policycoreutils/scripts_makefile.patch deleted file mode 100644 index 8972474..0000000 --- a/recipes-security/selinux/policycoreutils/scripts_makefile.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-policycoreutils: fix genhomedircon generation
-
-The script is put on the target and needs to reference
-the directory in which semodule is installed.
-
-Upstream Status: pending
-
-Signed-off-by: Joe Slater
-
---- a/scripts/Makefile
-+++ b/scripts/Makefile
-@@ -8,11 +8,12 @@ LOCALEDIR ?= $(PREFIX)/share/locale
- 
- all: fixfiles genhomedircon chcat
- 
-+# we want the script to use the user sbin directory on the target
-+#
- genhomedircon:
- @echo "#!/bin/sh" > genhomedircon
- @echo >> genhomedircon
-- @if [ ! -e semodule_path ]; then echo -n "$(USRSBINDIR)/" >> genhomedircon; fi
-- @if [ -e semodule_path ]; then echo -n "`cat semodule_path`/" >> genhomedircon; fi
-+ @echo -n "$(sbindir)/" >> genhomedircon
- @echo "semodule -Bn" >> genhomedircon
- 
- install: all
diff --git a/recipes-security/selinux/policycoreutils_2.1.14.bb b/recipes-security/selinux/policycoreutils_2.1.14.bb
index 687347c..b177042 100644
--- a/recipes-security/selinux/policycoreutils_2.1.14.bb
+++ b/recipes-security/selinux/policycoreutils_2.1.14.bb
@@ -1,15 +1,15 @@
 PR = "r3"
-include selinux_20120924.inc
+include selinux_20130423.inc
 include ${BPN}.inc
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
 
-SRC_URI[md5sum] = "97c0b828599fe608f37894989820d71d"
-SRC_URI[sha256sum] = "34040f06f3111d9ee957576e4095841d35b9ca9141ee8d80aab036cbefb28584"
+SRC_URI[md5sum] = "f34216414b650a0a25dec89a758234fb"
+SRC_URI[sha256sum] = "b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5"
 
 SRC_URI += "\
- file://policycoreutils-revert-restorecon-update-type.patch \
+ file://policycoreutils-fix-strict-prototypes.patch \
 file://policycoreutils-revert-run_init-open_init_pty.patch \
- file://scripts_makefile.patch \
+ file://policycoreutils-fix-sepolicy-install-path.patch \
 "
-- 
cgit v1.2.3-54-g00ecf
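Review bot: `PR = "r3"` is left untouched while both the tarball checksums and the patch list change, so on a build that does not use the PR service the rebuilt binary packages carry the same version string as the previous ones and package feeds or in-place upgrades may not pick up the new sepolicy files; bump it to `PR = "r4"` in the same hunk. The newly referenced `file://policycoreutils-fix-strict-prototypes.patch` is not among the five files in this commit's diffstat, so unless it already exists under `policycoreutils/` in the tree, do_fetch will fail on the missing local file — please confirm. Moving to `selinux_20130423.inc` is consistent with dropping the restorecon revert, whose own header said it should be removed once refpolicy was uprevved, which is presumably what that include represents.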