* [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions
@ 2013-09-11 21:59 Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 01/17] libsepol: new package Clayton Shotwell
                   ` (16 more replies)
  0 siblings, 17 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot

This is Round 2 for the SELinux package additions.
General changes in this version
  - General formatting cleanup on all files to match the buildroot standard.
  - Reworked the Python selects and dependencies to be a little simpler.
    Now, when Python is enabled, all Python bindings are built for the
    SELinux packages.
  - Moved all of the SELinux libraries to a Libraries -> Security folder.
  - More information on SELinux and how to enable it (see below).

Per Thomas Petazzoni's <thomas.petazzoni@free-electrons.com> email, here is
a brief overview of SELinux and how I have implemented it in buildroot.

SELinux is made up of several packages and Linux kernel configurations.
The best reference, at least the most complete, is probably the SELinux
Notebook at the link below.  The notebook details how SELinux works and
gives very good examples on how to implement SELinux policies.

http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html

Packages:
   libsepol
   libselinux
   libsemanage
   checkpolicy
   sepolgen
   setools
   policycoreutils
   refpolicy

For this implementation, I have added a package hierarchy that will allow
for both a debugging and a pared down release version.  The debugging
version required Python support, and is therefore much larger while the
release version does not.  To enable the release version, simply select
the refpolicy package (BR2_PACKAGE_REFPOLICY) and it selects all of the
necessary packages to enable SELinux. For the debugging version, select
the policycoreutils debugging configure option
(BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING).  This will pull in Python
and a bunch of other packages into the build to debug the SELinux policy
on target.

Caveats:
   1. The Linux kernel config will need to be changed to enable SELinux
      support and extended attribute support on the file systems
   2. The busybox config will need to be changed to remove some packages
      or to build each executable as a stand-alone package. The busybox
      symlinks don't work well with the default refpolicy.
   3. The audit package will need to be enabled to log issues with the
      SELinux policy, especially if it is in enforcing mode.
   4. If a modular SELinux policy is selected, 
      BR2_PACKAGE_REFPOLICY_MONOLITHIC = n, then the policy will be compiled
      on target during the first boot which will take a long time (about
      a half hour on a pandaboard).

Clayton Shotwell (17):
  libsepol: new package
  libselinux: new package
  ustr: new package
  libsemanage: new package
  checkpolicy: new package
  sepolgen: new package
  setools: new package
  libcgroup: new package
  policycoreutils: new package
  python-pyxml: new package
  refpolicy: new package
  python-pyparsing: Add host build option
  audit: new package
  shadow: new package
  pcre: Add host build support
  bzip2: Add host build shared library installation
  sqlite: Add host build support

 package/Config.in                                  |   20 +
 package/Config.in.host                             |    1 +
 package/audit/Config.in                            |   10 +
 package/audit/S14auditd                            |  172 +++
 .../audit-0001-crossCompileHeaderCreationFix.patch | 1420 ++++++++++++++++++++
 package/audit/audit-0002-remove-zos-plugin.patch   |   35 +
 package/audit/audit.mk                             |   58 +
 package/bzip2/bzip2.mk                             |    2 +
 package/checkpolicy/Config.in.host                 |   10 +
 package/checkpolicy/checkpolicy.mk                 |   30 +
 package/libcgroup/Config.in                        |    4 +
 package/libcgroup/libcgroup.mk                     |   38 +
 package/libselinux/Config.in                       |   13 +
 package/libselinux/libselinux.mk                   |   93 ++
 package/libsemanage/Config.in                      |   14 +
 .../libsemanage-0001-execptionLibPathFix.patch     |   14 +
 package/libsemanage/libsemanage.mk                 |   80 ++
 package/libsepol/Config.in                         |    7 +
 package/libsepol/libsepol.mk                       |   48 +
 package/pcre/pcre.mk                               |    1 +
 package/policycoreutils/Config.in                  |   69 +
 package/policycoreutils/S15restorecond             |   85 ++
 .../policycoreutils-0001-crossCompileFixes.patch   |  332 +++++
 package/policycoreutils/policycoreutils.mk         |  230 ++++
 package/python-pyparsing/python-pyparsing.mk       |   47 +-
 package/python-pyxml/Config.in                     |   11 +
 package/python-pyxml/python-xml.mk                 |   58 +
 package/refpolicy/Config.in                        |   88 ++
 package/refpolicy/S12selinux                       |  134 ++
 package/refpolicy/config                           |   10 +
 .../refpolicy-0001-gentoo_hardened_fixes.patch     | 1250 +++++++++++++++++
 package/refpolicy/refpolicy.mk                     |   86 ++
 package/sepolgen/Config.in                         |    8 +
 package/sepolgen/sepolgen.mk                       |   35 +
 package/setools/Config.in                          |   16 +
 .../setools/setools-0001-cross_compile_fixes.patch |  121 ++
 .../setools-0002-swig_typedef_python_fixes.patch   | 1014 ++++++++++++++
 package/setools/setools.mk                         |   85 ++
 package/shadow/Config.in                           |   13 +
 package/shadow/shadow.mk                           |   49 +
 package/sqlite/sqlite.mk                           |    1 +
 package/ustr/Config.in                             |    6 +
 .../ustr/ustr-0001-crossCompileModifications.patch |  144 ++
 package/ustr/ustr.mk                               |   55 +
 44 files changed, 6004 insertions(+), 13 deletions(-)
 create mode 100644 package/audit/Config.in
 create mode 100755 package/audit/S14auditd
 create mode 100644 package/audit/audit-0001-crossCompileHeaderCreationFix.patch
 create mode 100644 package/audit/audit-0002-remove-zos-plugin.patch
 create mode 100644 package/audit/audit.mk
 create mode 100644 package/checkpolicy/Config.in.host
 create mode 100644 package/checkpolicy/checkpolicy.mk
 create mode 100644 package/libcgroup/Config.in
 create mode 100644 package/libcgroup/libcgroup.mk
 create mode 100644 package/libselinux/Config.in
 create mode 100644 package/libselinux/libselinux.mk
 create mode 100644 package/libsemanage/Config.in
 create mode 100644 package/libsemanage/libsemanage-0001-execptionLibPathFix.patch
 create mode 100644 package/libsemanage/libsemanage.mk
 create mode 100644 package/libsepol/Config.in
 create mode 100644 package/libsepol/libsepol.mk
 create mode 100644 package/policycoreutils/Config.in
 create mode 100755 package/policycoreutils/S15restorecond
 create mode 100644 package/policycoreutils/policycoreutils-0001-crossCompileFixes.patch
 create mode 100644 package/policycoreutils/policycoreutils.mk
 create mode 100644 package/python-pyxml/Config.in
 create mode 100644 package/python-pyxml/python-xml.mk
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S12selinux
 create mode 100755 package/refpolicy/config
 create mode 100644 package/refpolicy/refpolicy-0001-gentoo_hardened_fixes.patch
 create mode 100644 package/refpolicy/refpolicy.mk
 create mode 100644 package/sepolgen/Config.in
 create mode 100644 package/sepolgen/sepolgen.mk
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools-0001-cross_compile_fixes.patch
 create mode 100644 package/setools/setools-0002-swig_typedef_python_fixes.patch
 create mode 100644 package/setools/setools.mk
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.mk
 create mode 100644 package/ustr/Config.in
 create mode 100644 package/ustr/ustr-0001-crossCompileModifications.patch
 create mode 100644 package/ustr/ustr.mk
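
The caveats listed in the cover letter above can be checked mechanically before a build. The script below is an added example, not part of the posted series; it assumes an ext4 root file system (CONFIG_EXT4_FS_SECURITY), assumes the audit package's symbol is BR2_PACKAGE_AUDIT, and runs on constructed sample configs.

```sh
#!/bin/sh
# Added example, not part of the patch series.
# Checks a kernel .config and a Buildroot .config against caveats 1, 3 and 4.
# Assumptions: ext4 root file system; audit package symbol BR2_PACKAGE_AUDIT.

# is_set FILE SYMBOL: succeeds when FILE contains the exact line "SYMBOL=y".
is_set() {
    grep -q "^$2=y\$" "$1"
}

# check_selinux_config KERNEL_CONFIG BUILDROOT_CONFIG
# Prints one finding per line and returns 1 if a required option is missing.
check_selinux_config() {
    _kcfg=$1
    _brcfg=$2
    _status=0

    # Caveat 1: SELinux itself plus xattr security labels on the file system.
    # Caveat 3 (kernel half): the audit subsystem that records AVC denials.
    for _sym in CONFIG_SECURITY CONFIG_SECURITY_SELINUX \
                CONFIG_EXT4_FS_SECURITY CONFIG_AUDIT; do
        if ! is_set "$_kcfg" "$_sym"; then
            echo "MISSING kernel $_sym"
            _status=1
        fi
    done

    # Release configuration from the cover letter, plus caveat 3 (userspace).
    for _sym in BR2_PACKAGE_REFPOLICY BR2_PACKAGE_AUDIT; do
        if ! is_set "$_brcfg" "$_sym"; then
            echo "MISSING buildroot $_sym"
            _status=1
        fi
    done

    # Caveat 4: a modular policy is compiled on the target at first boot.
    if is_set "$_brcfg" BR2_PACKAGE_REFPOLICY && \
       ! is_set "$_brcfg" BR2_PACKAGE_REFPOLICY_MONOLITHIC; then
        echo "WARN modular policy selected: first boot compiles it on target"
    fi

    return $_status
}

# demo: run the check on constructed sample configs (not from a real board).
demo() {
    _dir=$(mktemp -d) || return 2
    cat > "$_dir/kernel.config" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_EXT4_FS_SECURITY is not set
CONFIG_AUDIT=y
EOF
    cat > "$_dir/buildroot.config" <<'EOF'
BR2_PACKAGE_REFPOLICY=y
# BR2_PACKAGE_REFPOLICY_MONOLITHIC is not set
EOF
    _rc=0
    check_selinux_config "$_dir/kernel.config" "$_dir/buildroot.config" || _rc=$?
    rm -rf "$_dir"
    return $_rc
}

demo || true
```

Caveat 2 (busybox symlinks) is left out because the cover letter does not name the busybox options involved.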

* [Buildroot] [PATCH v2 01/17] libsepol: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-12 19:18   ` Thomas Petazzoni
  2013-09-20 13:34   ` Peter Korsgaard
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 02/17] libselinux: " Clayton Shotwell
                   ` (15 subsequent siblings)
  16 siblings, 2 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - Move Config.in entry into the libraries section since this is a
    library.
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the license version to be LGPLv2.1+ to match the headers in
    the source files (suggested by Thomas)

 package/Config.in            |    4 +++
 package/libsepol/Config.in   |    7 ++++++
 package/libsepol/libsepol.mk |   48 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 0 deletions(-)
 create mode 100644 package/libsepol/Config.in
 create mode 100644 package/libsepol/libsepol.mk

diff --git a/package/Config.in b/package/Config.in
index 2351839..aa0b1df 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -689,6 +689,10 @@ source "package/liblog4c-localtime/Config.in"
 source "package/tzdata/Config.in"
 endmenu
 
+menu "Security"
+source "package/libsepol/Config.in"
+endmenu
+
 menu "Text and terminal handling"
 source "package/enchant/Config.in"
 source "package/libfribidi/Config.in"
diff --git a/package/libsepol/Config.in b/package/libsepol/Config.in
new file mode 100644
index 0000000..feb7f39
--- /dev/null
+++ b/package/libsepol/Config.in
@@ -0,0 +1,7 @@
+config BR2_PACKAGE_LIBSEPOL
+	bool "libsepol"
+	help
+	  Libsepol is the binary policy manipulation library. It doesn't 
+	  depend upon or use any of the other SELinux components.
+	  
+	  http://selinuxproject.org/page/Main_Page
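
Review bot: The help text in package/libsepol/Config.in carries trailing whitespace, once at the end of the line "It doesn't " and once on the otherwise blank line before the URL. Strip the trailing spaces on both lines so the file passes a whitespace check.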
diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
new file mode 100644
index 0000000..2731c57
--- /dev/null
+++ b/package/libsepol/libsepol.mk
@@ -0,0 +1,48 @@
+################################################################################
+#
+# libsepol
+#
+################################################################################
+
+LIBSEPOL_VERSION = 2.1.9
+LIBSEPOL_SITE = http://userspace.selinuxproject.org/releases/20130423/
+LIBSEPOL_LICENSE = LGPLv2.1+
+LIBSEPOL_LICENSE_FILES = COPYING
+
+LIBSEPOL_INSTALL_STAGING = YES
+
+define LIBSEPOL_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(TARGET_CONFIGURE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSEPOL_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(TARGET_CONFIGURE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSEPOL_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(TARGET_CONFIGURE_OPTS) DESTDIR=$(TARGET_DIR)
+endef
+
+define LIBSEPOL_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+define HOST_LIBSEPOL_BUILD_CMDS
+	$(MAKE) -C $(@D) $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_LIBSEPOL_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR)
+	mv $(HOST_DIR)/lib/libsepol.so.1 $(HOST_DIR)/usr/lib
+	(cd $(HOST_DIR)/usr/lib; rm -f libsepol.so; ln -s libsepol.so.1 libsepol.so)
+	-rmdir $(HOST_DIR)/lib
+endef
+
+define HOST_LIBSEPOL_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
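
Review bot: HOST_LIBSEPOL_INSTALL_CMDS repairs the install layout after the fact, with `mv $(HOST_DIR)/lib/libsepol.so.1 $(HOST_DIR)/usr/lib`, a hand-made libsepol.so symlink and `-rmdir $(HOST_DIR)/lib`. The mv misbehaves if $(HOST_DIR)/usr/lib does not already exist as a directory, and the ignored rmdir silently leaves a stray $(HOST_DIR)/lib whenever another package has put something there. If the libsepol Makefile has variables for its library directories, pass them on the install command line so the files land under $(HOST_DIR)/usr/lib directly. Two smaller points: the "# DESTDIR is needed" comment in LIBSEPOL_BUILD_CMDS is tab-indented inside the define, so make hands it to the shell as a recipe line and echoes it on every build (move it above the define); and LIBSEPOL_SITE fetches the tarball over plain http while the file records no checksum for it, so the build trusts whatever that server returns.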
-- 
1.7.1

* [Buildroot] [PATCH v2 02/17] libselinux: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 01/17] libsepol: new package Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-12 19:29   ` Thomas Petazzoni
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 03/17] ustr: " Clayton Shotwell
                   ` (14 subsequent siblings)
  16 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - Move Config.in entry into the libraries section since this is a
    library.
  - General cleanup to the mk file to conform to the standard format.
  - Removed a dependency on the Linux kernel.
  - Changed the original Python select in the Config.in to be a check 
    in the libselinux.mk file.
  - Added a select for libsepol and pcre in the menuconfig instead of
    just having package dependencies.
  - Removed building the python bindings in the host configuration.

 package/Config.in                |    1 +
 package/libselinux/Config.in     |   13 +++++
 package/libselinux/libselinux.mk |   93 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 107 insertions(+), 0 deletions(-)
 create mode 100644 package/libselinux/Config.in
 create mode 100644 package/libselinux/libselinux.mk

diff --git a/package/Config.in b/package/Config.in
index aa0b1df..315652c 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -690,6 +690,7 @@ source "package/tzdata/Config.in"
 endmenu
 
 menu "Security"
+source "package/libselinux/Config.in"
 source "package/libsepol/Config.in"
 endmenu
 
diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
new file mode 100644
index 0000000..d1acabb
--- /dev/null
+++ b/package/libselinux/Config.in
@@ -0,0 +1,13 @@
+config BR2_PACKAGE_LIBSELINUX
+	bool "libselinux"
+	select BR2_PACKAGE_LIBSEPOL
+	select BR2_PACKAGE_PCRE
+	help
+	  libselinux is the runtime SELinux library that provides interfaces 
+	  (e.g. library functions for the SELinux kernel APIs like getcon(), 
+	  other support functions like getseuserbyname()) to SELinux-aware 
+	  applications. libselinux may use the shared libsepol to manipulate 
+	  the binary policy if necessary (e.g. to downgrade the policy format 
+	  to an older version supported by the kernel) when loading policy.
+	  
+	  http://selinuxproject.org/page/Main_Page
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
new file mode 100644
index 0000000..4d59f11
--- /dev/null
+++ b/package/libselinux/libselinux.mk
@@ -0,0 +1,93 @@
+################################################################################
+#
+# libselinux
+#
+################################################################################
+
+LIBSELINUX_VERSION = 2.1.13
+LIBSELINUX_SITE = http://userspace.selinuxproject.org/releases/20130423/
+LIBSELINUX_LICENSE = PublicDomain
+LIBSELINUX_LICENSE_FILES = LICENSE
+
+LIBSELINUX_DEPENDENCIES = libsepol pcre
+
+LIBSELINUX_INSTALL_STAGING = YES
+
+LIBSELINUX_MAKE_OPTS = \
+	$(TARGET_CONFIGURE_OPTS) \
+	LDFLAGS="$(TARGET_LDFLAGS) -lpcre -lpthread"
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+
+LIBSELINUX_DEPENDENCIES += python host-swig host-python
+LIBSELINUX_MAKE_OPTS += \
+	PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+define LIBSELINUX_PYTHON_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) swigify pywrap
+endef
+
+define LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+endef
+
+endif
+
+define LIBSELINUX_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all
+	$(LIBSELINUX_PYTHON_BUILD_CMDS)
+endef
+
+define LIBSELINUX_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+	$(LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS)
+endef
+
+define LIBSELINUX_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+	$(LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS)
+endef
+
+define LIBSELINUX_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+HOST_LIBSELINUX_DEPENDENCIES = host-libsepol host-pcre
+
+HOST_LIBSELINUX_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+	LDFLAGS="$(HOST_LDFLAGS) -lpcre -lpthread"
+
+define HOST_LIBSELINUX_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_OPTS) DESTDIR=$(HOST_DIR) all
+endef
+
+define HOST_LIBSELINUX_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_LIBSELINUX_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+	mv $(HOST_DIR)/lib/libselinux.so.1 $(HOST_DIR)/usr/lib
+	(cd $(HOST_DIR)/usr/lib; rm -f libselinux.so; ln -s libselinux.so.1 libselinux.so)
+	-rmdir $(HOST_DIR)/lib
+	(if -f $(HOST_DIR)/sbin/matchpathcon; then \
+		mv $(HOST_DIR)/sbin/matchpathcon $(HOST_DIR)/usr/sbin/; \
+		-rmdir $(HOST_DIR)/sbin; \
+	fi)
+endef
+
+define HOST_LIBSELINUX_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
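
Review bot: In HOST_LIBSELINUX_INSTALL_CMDS, `(if -f $(HOST_DIR)/sbin/matchpathcon; then \` is not a file test: the shell tries to run a command named `-f`, the condition is always false, and matchpathcon is never moved. Write `if [ -f $(HOST_DIR)/sbin/matchpathcon ]; then` or use `test -f`. Inside that block, `-rmdir $(HOST_DIR)/sbin; \` sits on a continuation line, so the leading `-` is no longer make's ignore-errors prefix but part of the command name; use `rmdir $(HOST_DIR)/sbin || true` there. The preceding mv, symlink and `-rmdir $(HOST_DIR)/lib` lines repeat the post-install fix-up from libsepol.mk and have the same fragility when $(HOST_DIR)/usr/lib is missing or $(HOST_DIR)/lib is shared with another package.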
-- 
1.7.1

* [Buildroot] [PATCH v2 03/17] ustr: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 01/17] libsepol: new package Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 02/17] libselinux: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-12 19:34   ` Thomas Petazzoni
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 04/17] libsemanage: " Clayton Shotwell
                   ` (13 subsequent siblings)
  16 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Added a check to only build static libraries if selected.

 package/Config.in                                  |    1 +
 package/ustr/Config.in                             |    6 +
 .../ustr/ustr-0001-crossCompileModifications.patch |  144 ++++++++++++++++++++
 package/ustr/ustr.mk                               |   55 ++++++++
 4 files changed, 206 insertions(+), 0 deletions(-)
 create mode 100644 package/ustr/Config.in
 create mode 100644 package/ustr/ustr-0001-crossCompileModifications.patch
 create mode 100644 package/ustr/ustr.mk

diff --git a/package/Config.in b/package/Config.in
index 315652c..0527a6a 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -707,6 +707,7 @@ source "package/pcre/Config.in"
 source "package/popt/Config.in"
 source "package/readline/Config.in"
 source "package/slang/Config.in"
+source "package/ustr/Config.in"
 endmenu
 
 menu "JSON/XML"
diff --git a/package/ustr/Config.in b/package/ustr/Config.in
new file mode 100644
index 0000000..62db57d
--- /dev/null
+++ b/package/ustr/Config.in
@@ -0,0 +1,6 @@
+config BR2_PACKAGE_USTR
+	bool "ustr"
+	help
+	  A small, safe string library.
+	  
+	  http://www.and.org/ustr/
diff --git a/package/ustr/ustr-0001-crossCompileModifications.patch b/package/ustr/ustr-0001-crossCompileModifications.patch
new file mode 100644
index 0000000..cdf17c5
--- /dev/null
+++ b/package/ustr/ustr-0001-crossCompileModifications.patch
@@ -0,0 +1,144 @@
+Changes are to allow ustr verion 1.0.4 to cross compile in buildroot.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/ustr-compiler.h b/ustr-compiler.h
+--- a/ustr-compiler.h	2008-02-15 14:12:28.000000000 -0600
++++ b/ustr-compiler.h	2012-06-15 11:04:55.000000000 -0500
+@@ -13,10 +13,10 @@
+ 
+ /* We assume this is enough,
+  * C99 specifies that va_copy() exists and is a macro */
+-#ifdef va_copy
++#if defined va_copy
+ # define USTR_CONF_HAVE_VA_COPY 1
+ # define USTR__VA_COPY(x, y)   va_copy(x, y)
+-#elif __va_copy
++#elif defined __va_copy
+ # define USTR_CONF_HAVE_VA_COPY 1
+ # define USTR__VA_COPY(x, y) __va_copy(x, y)
+ #else
+diff -urN a/Makefile b/Makefile
+--- a/Makefile	2008-03-05 21:38:00.000000000 -0600
++++ b/Makefile	2013-09-10 16:54:45.916874387 -0500
+@@ -8,8 +8,8 @@
+ VERS_ESONAME =1
+ VERS_ESO     =$(VERS_ESONAME).0.4
+ 
+-DESTDIR =
+-prefix=/usr
++DESTDIR ?= 
++prefix ?= /usr
+ datadir=$(prefix)/share
+ libdir=$(prefix)/lib
+ libexecdir=$(prefix)/libexec
+@@ -18,7 +18,7 @@
+ SHRDIR=$(datadir)/ustr-$(VERS_FULL)
+ DOCSHRDIR=$(datadir)/doc/ustr-devel-$(VERS_FULL)
+ EXAMDIR=$(SHRDIR)/examples
+-mandir=$(datadir)/doc/man
++mandir=$(datadir)/man
+ MBINDIR=$(libexecdir)/ustr-$(VERS_FULL)
+ 
+ ###############################################################################
+@@ -28,12 +28,12 @@
+ ###############################################################################
+ HIDE=@
+ 
+-CC = cc
+-AR = ar
+-RANLIB = ranlib
+-LDCONFIG = /sbin/ldconfig
++CC ?= cc
++AR ?= ar
++RANLIB ?= ranlib
+ 
+-CFLAGS  = -O2 -g
++CFLAGS ?= -O2 -g
++LDFLAGS ?= 
+ 
+ # Debug versions...
+ WARNS = -W -Wall -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Wno-format-zero-length -Wformat-nonliteral -Wformat-security # -Wfloat-equal -- no floats
+@@ -376,7 +376,7 @@
+ all-shared: all $(LIB_SHARED)
+ 		$(HIDE)echo Done shared
+ 
+-install: all-shared ustr.pc ustr-debug.pc
++install: all ustr.pc ustr-debug.pc
+ 		$(HIDE)echo Making directories
+ 		install -d $(DESTDIR)$(libdir)
+ 		install -d $(DESTDIR)$(includedir)
+@@ -389,16 +389,6 @@
+ 		install -d $(DESTDIR)$(libdir)/pkgconfig
+ 		$(HIDE)echo Installing files
+ 		install -m 644 -t $(DESTDIR)$(libdir) $(LIB_STATIC)
+-		install -m 755 -t $(DESTDIR)$(libdir) $(LIB_SHARED)
+-		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
+-		ln -s $(OPT_LIB_SHARED) $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
+-		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
+-		ln -s $(OPT_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
+-		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
+-		ln -s $(DBG_LIB_SHARED) $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
+-		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
+-		ln -s $(DBG_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
+-		$(LDCONFIG) -n $(DESTDIR)$(libdir)
+ 		install -pm 644 -t $(DESTDIR)$(includedir) $(SRC_HDRS)
+ 		install -pm 644 -t $(DESTDIR)$(SHRDIR) $(SRC_SRCS)
+ 		install -pm 644 -t $(DESTDIR)$(SHRDIR) $(XSRC_SRCS)
+@@ -409,13 +399,24 @@
+ 		install -m 755 -t $(DESTDIR)$(bindir) ustr-import
+ 		install -pm 644 -t $(DESTDIR)$(libdir)/pkgconfig ustr.pc ustr-debug.pc
+ 
++install-shared: all-shared install
++		$(HIDE)echo Installing files
++		install -m 755 -t $(DESTDIR)$(libdir) $(LIB_SHARED)
++		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
++		ln -s $(OPT_LIB_SHARED) $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
++		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
++		ln -s $(OPT_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
++		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
++		ln -s $(DBG_LIB_SHARED) $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
++		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
++		ln -s $(DBG_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
++
+ ustr-import-multilib: ustr-import-multilib.in
+ 		sed -e 's, at INCLUDEDIR@,$(includedir),g' -e 's, at MBINDIR@,$(MBINDIR),g' < $< > $@
+ 
+ install-multilib-linux: install autoconf_64b ustr-import-multilib
+ 		install -d $(DESTDIR)$(MBINDIR)
+-		$(HIDE)mlib=`./autoconf_64b`; \
+-                   if test "x$$mlib" = "x1"; then mlib=64; else mlib=32; fi; \
++		$(HIDE))if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then mlib=64; else mlib=32; fi; \
+                    mv -f $(DESTDIR)$(includedir)/ustr-conf-debug.h \
+                          $(DESTDIR)$(includedir)/ustr-conf-debug-$$mlib.h; \
+                    mv -f $(DESTDIR)$(includedir)/ustr-conf.h \
+@@ -451,7 +452,8 @@
+ 
+ ustr-import: ustr-import.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+-		$(HIDE)sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++		$(HIDE)if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++		if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+ 		sed -e 's, at INCLUDEDIR@,$(includedir),g' -e 's, at SHRDIR@,$(SHRDIR),g' -e 's, at VERS@,$(VERS),g'  -e 's, at VERS_FULL@,$(VERS_FULL),g' -e "s, at HAVE_64bit_SIZE_MAX@,$$sz64,g" -e "s, at HAVE_RETARDED_VSNPRINTF@,$$vsnp,g" < $< > $@
+ 		$(HIDE)chmod 755 $@
+ 
+@@ -485,7 +487,8 @@
+ ustr-conf.h: ustr-conf.h.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+ 		$(HIDE)have_stdint_h=0; dbg1=0; dbg2=0; \
+-                sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++                if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++                if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+                 if test -f "/usr/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(prefix)/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(includedir)/stdint.h"; then have_stdint_h=1; fi; \
+@@ -494,7 +497,8 @@
+ ustr-conf-debug.h: ustr-conf.h.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+ 		$(HIDE)have_stdint_h=0; dbg1=1; dbg2=1; \
+-                sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++                if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++                if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+                 if test -f "/usr/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(prefix)/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(includedir)/stdint.h"; then have_stdint_h=1; fi; \
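
Review bot: The install-multilib-linux recipe in the embedded Makefile patch now begins with `$(HIDE))if test ...`; the doubled closing parenthesis leaves a stray `)` in front of `if`, which is a shell syntax error as soon as that target runs. Drop the extra `)`. The `__SIZEOF_SIZE_T__` preprocessor probe removes the need to run ./autoconf_64b, yet autoconf_64b remains in the prerequisite lists of ustr-import, ustr-conf.h and ustr-conf-debug.h, and the new vsnp lines still execute `./autoconf_vsnprintf` at build time; if that helper is built with the cross $(CC), it cannot run on the build machine, so it needs the same kind of replacement. The have_stdint_h checks in the context lines also probe /usr/include on the build machine rather than the staging sysroot. In the patch header, "Signed-off-by Clayton Shotwell" lacks its colon and "verion" should read "version".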
diff --git a/package/ustr/ustr.mk b/package/ustr/ustr.mk
new file mode 100644
index 0000000..f4a3b71
--- /dev/null
+++ b/package/ustr/ustr.mk
@@ -0,0 +1,55 @@
+################################################################################
+#
+# ustr
+#
+################################################################################
+
+USTR_VERSION = 1.0.4
+USTR_SOURCE = ustr-$(USTR_VERSION).tar.bz2
+USTR_SITE = http://www.and.org/ustr/$(USTR_VERSION)/
+USTR_LICENSE = BSD-2c MIT LGPLv2+
+USTR_LICENSE_FILES = LICENCE LICENSE_BSD LICENSE_LGPL LICENSE_MIT
+
+USTR_INSTALL_STAGING = YES
+
+ifeq ($(BR2_PREFER_STATIC_LIB),y)
+	USTR_BUILD_CMD = all
+	USTR_INSTALL_CMD = install
+else
+	USTR_BUILD_CMD = all all-shared
+	USTR_INSTALL_CMD = install install-shared
+endif
+
+define USTR_BUILD_CMDS
+	$(MAKE) -C $(@D) $(USTR_BUILD_CMD) $(TARGET_CONFIGURE_OPTS)
+endef
+
+define USTR_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR=$(STAGING_DIR)
+endef
+
+define USTR_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR=$(TARGET_DIR)
+endef
+
+define USTR_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+define HOST_USTR_BUILD_CMDS
+	$(MAKE) -C $(@D) $(USTR_BUILD_CMD) $(HOST_CONFIGURE_OPTS)
+endef
+
+define HOST_USTR_INSTALL_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(HOST_CONFIGURE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_USTR_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
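
Review bot: HOST_USTR_BUILD_CMDS and HOST_USTR_INSTALL_CMDS reuse $(USTR_BUILD_CMD) and $(USTR_INSTALL_CMD), which are selected by the target option BR2_PREFER_STATIC_LIB, so a static-only target configuration also drops the shared library from the host build. Give the host variant its own fixed make targets if host tools are expected to link against a shared ustr. The four assignments inside the ifeq are indented with a tab; outside a recipe a leading tab can be parsed as a recipe line, so leave them unindented. With the Makefile patch from this same commit, install-shared already depends on install, so `USTR_INSTALL_CMD = install install-shared` can be reduced to `install-shared`.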
-- 
1.7.1

* [Buildroot] [PATCH v2 04/17] libsemanage: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (2 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 03/17] ustr: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 05/17] checkpolicy: " Clayton Shotwell
                   ` (12 subsequent siblings)
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - Move Config.in entry into the libraries section since this is a
    library.
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed package dependencies into selects in the config.
  - Changed the original Python select in the Config.in to be a check 
    in the mk file.
  - Removed building the python bindings in the host configuration.

 package/Config.in                                  |    1 +
 package/libsemanage/Config.in                      |   14 ++++
 .../libsemanage-0001-execptionLibPathFix.patch     |   14 ++++
 package/libsemanage/libsemanage.mk                 |   80 ++++++++++++++++++++
 4 files changed, 109 insertions(+), 0 deletions(-)
 create mode 100644 package/libsemanage/Config.in
 create mode 100644 package/libsemanage/libsemanage-0001-execptionLibPathFix.patch
 create mode 100644 package/libsemanage/libsemanage.mk

diff --git a/package/Config.in b/package/Config.in
index 0527a6a..4569fa2 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -691,6 +691,7 @@ endmenu
 
 menu "Security"
 source "package/libselinux/Config.in"
+source "package/libsemanage/Config.in"
 source "package/libsepol/Config.in"
 endmenu
 
diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
new file mode 100644
index 0000000..6d32af4
--- /dev/null
+++ b/package/libsemanage/Config.in
@@ -0,0 +1,14 @@
+config BR2_PACKAGE_LIBSEMANAGE
+	bool "libsemanage"
+	select BR2_PACKAGE_LIBSELINUX
+	select BR2_PACKAGE_USTR
+	select BR2_PACKAGE_BZIP2
+	help
+	  libsemanage is the policy management library. It uses libsepol for binary 
+	  policy manipulation and libselinux for interacting with the SELinux 
+	  system. It also exec's helper programs for loading policy and for checking
+	  whether the file_contexts configuration is valid (load_policy and 
+	  setfiles from policycoreutils) presently, although this may change at 
+	  least for the bootstrapping case (for rpm).
+	  
+	  http://selinuxproject.org/page/Main_Page
diff --git a/package/libsemanage/libsemanage-0001-execptionLibPathFix.patch b/package/libsemanage/libsemanage-0001-execptionLibPathFix.patch
new file mode 100644
index 0000000..cbcbea5
--- /dev/null
+++ b/package/libsemanage/libsemanage-0001-execptionLibPathFix.patch
@@ -0,0 +1,14 @@
+Patch to correct a missing header file issue.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+--- a/src/exception.sh	2011-12-21 11:46:04.000000000 -0600
++++ b/src/exception.sh	2012-08-27 11:29:58.000000000 -0500
+@@ -9,6 +9,6 @@
+ }
+ "
+ }
+-gcc -x c -c - -aux-info temp.aux < ../include/semanage/semanage.h
++gcc -x c -c - -aux-info temp.aux -I../include < ../include/semanage/semanage.h
+ for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; done
+ rm -f -- temp.aux -.o
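
Review bot: The line this patch changes in src/exception.sh still calls a hard-coded `gcc`, so in a Buildroot cross build semanage.h is parsed by the build machine's compiler and its default include paths rather than by the cross compiler that libsemanage.mk passes in through $(TARGET_CONFIGURE_OPTS). Since the line is being touched anyway, switch it to `${CC:-gcc}` and keep the added `-I../include`. The description "Patch to correct a missing header file issue" should name the header that was not found, the Signed-off-by line lacks its colon, and the file name spells "execption".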
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
new file mode 100644
index 0000000..b8de72e
--- /dev/null
+++ b/package/libsemanage/libsemanage.mk
@@ -0,0 +1,80 @@
+################################################################################
+#
+# libsemanage
+#
+################################################################################
+
+LIBSEMANAGE_VERSION = 2.1.10
+LIBSEMANAGE_SITE = http://userspace.selinuxproject.org/releases/20130423/
+LIBSEPOL_LICENSE = LGPLv2.1+
+LIBSEPOL_LICENSE_FILES = COPYING
+
+LIBSEMANAGE_DEPENDENCIES = host-bison libselinux ustr bzip2
+
+LIBSEMANAGE_INSTALL_STAGING = YES
+
+LIBSEMANAGE_MAKE_OPT = $(TARGET_CONFIGURE_OPTS)
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+
+LIBSEMANAGE_DEPENDENCIES += python host-swig host-python
+LIBSEMANAGE_MAKE_OPT += \
+	PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+define LIBSEMANAGE_PYTHON_BUILD_CMDS
+	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR) swigify pywrap
+endef
+
+define LIBSEMANAGE_PYTHON_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSEMANAGE_PYTHON_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(TARGET_DIR)
+endef
+
+endif # End of BR2_PACKAGE_PYTHON
+
+define LIBSEMANAGE_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR) all
+	$(LIBSEMANAGE_PYTHON_BUILD_CMDS)
+endef
+
+define LIBSEMANAGE_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR)
+	$(LIBSEMANAGE_PYTHON_INSTALL_STAGING_CMDS)
+endef
+
+define LIBSEMANAGE_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(TARGET_DIR)
+	$(LIBSEMANAGE_PYTHON_INSTALL_TARGET_CMDS)
+endef
+
+define LIBSEMANAGE_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+HOST_LIBSEMANAGE_DEPENDENCIES = host-bison host-libsepol \
+	host-libselinux host-ustr host-bzip2
+
+define HOST_LIBSEMANAGE_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) all $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_LIBSEMANAGE_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_LIBSEMANAGE_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
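Review bot: the license variables near the top of libsemanage.mk are named LIBSEPOL_LICENSE and LIBSEPOL_LICENSE_FILES, which looks like a copy-paste from libsepol.mk. As written, libsemanage has no license information and libsepol's values can be overridden depending on include order; they should be LIBSEMANAGE_LICENSE and LIBSEMANAGE_LICENSE_FILES. Separately, LIBSEMANAGE_DEPENDENCIES omits libsepol while HOST_LIBSEMANAGE_DEPENDENCIES lists host-libsepol; listing it in both keeps the target build order explicit rather than relying on libselinux.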
-- 
1.7.1


* [Buildroot] [PATCH v2 05/17] checkpolicy: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (3 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 04/17] libsemanage: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 06/17] sepolgen: " Clayton Shotwell
                   ` (11 subsequent siblings)
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Removed the option to do a target build because it should never 
    be needed during normal operation.
  - Added checkpolicy as a host package. (Suggested by Arnout)

 package/checkpolicy/checkpolicy.mk |   30 ++++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 0 deletions(-)
 create mode 100644 package/checkpolicy/Config.in.host
 create mode 100644 package/checkpolicy/checkpolicy.mk

diff --git a/package/Config.in.host b/package/Config.in.host
index 5fd2570..1b3e11b 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -1,5 +1,6 @@
 menu "Host utilities"
 
+source "package/checkpolicy/Config.in.host"
 source "package/dfu-util/Config.in.host"
 source "package/dosfstools/Config.in.host"
 source "package/e2fsprogs/Config.in.host"
diff --git a/package/checkpolicy/Config.in.host b/package/checkpolicy/Config.in.host
new file mode 100644
index 0000000..75794be
--- /dev/null
+++ b/package/checkpolicy/Config.in.host
@@ -0,0 +1,10 @@
+config BR2_PACKAGE_HOST_CHECKPOLICY
+	bool "host checkpolicy"
+	help
+	  checkpolicy is the policy compiler. It uses libsepol to 
+	  generate the binary policy. checkpolicy uses the static 
+	  libsepol since it deals with low level details of the policy 
+	  that have not been encapsulated/abstracted by a proper 
+	  shared library interface. 
+	  
+	  http://selinuxproject.org/page/Main_Page
diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
new file mode 100644
index 0000000..0c82d63
--- /dev/null
+++ b/package/checkpolicy/checkpolicy.mk
@@ -0,0 +1,30 @@
+################################################################################
+#
+# checkpolicy
+#
+################################################################################
+
+CHECKPOLICY_VERSION = 2.1.12
+CHECKPOLICY_SITE = http://userspace.selinuxproject.org/releases/20130423/
+CHECKPOLICY_LICENSE = GPLv2
+CHECKPOLICY_LICENSE_FILES = COPYING
+
+HOST_CHECKPOLICY_DEPENDENCIES = host-libselinux host-flex host-bison
+
+HOST_CHECKPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+	LEX="$(HOST_DIR)/usr/bin/flex" \
+	YACC="$(HOST_DIR)/usr/bin/bison -y"
+
+define HOST_CHECKPOLICY_BUILD_CMDS
+	$(MAKE) -C $(@D) $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_CHECKPOLICY_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_CHECKPOLICY_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(host-generic-package))
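Review bot: HOST_CHECKPOLICY_DEPENDENCIES does not list host-libsepol, yet the Config.in.host help text in this same patch says checkpolicy links the static libsepol directly. The build currently depends on host-libselinux pulling it in first; adding host-libsepol to the list makes the ordering explicit and survives any later change to host-libselinux's own dependencies.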
-- 
1.7.1


* [Buildroot] [PATCH v2 06/17] sepolgen: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (4 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 05/17] checkpolicy: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 07/17] setools: " Clayton Shotwell
                   ` (10 subsequent siblings)
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Changed package dependencies into selects in the config.

 package/Config.in            |    4 ++++
 package/sepolgen/Config.in   |    8 ++++++++
 package/sepolgen/sepolgen.mk |   35 +++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 0 deletions(-)
 create mode 100644 package/sepolgen/Config.in
 create mode 100644 package/sepolgen/sepolgen.mk

diff --git a/package/Config.in b/package/Config.in
index 4569fa2..57fe70d 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -905,6 +905,10 @@ source "package/xenomai/Config.in"
 source "package/rtai/Config.in"
 endmenu
 
+menu "Security"
+source "package/sepolgen/Config.in"
+endmenu
+
 menu "Shell and utilities"
 source "package/at/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
diff --git a/package/sepolgen/Config.in b/package/sepolgen/Config.in
new file mode 100644
index 0000000..2a4b49c
--- /dev/null
+++ b/package/sepolgen/Config.in
@@ -0,0 +1,8 @@
+config BR2_PACKAGE_SEPOLGEN
+	bool "sepolgen"
+	select BR2_PACKAGE_PYTHON
+	help
+	  sepolgen is a python module/library that forms the core 
+	  of the modern audit2allow (a rewrite). 
+	  
+	  http://selinuxproject.org/page/Main_Page
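Review bot: "select BR2_PACKAGE_PYTHON" in BR2_PACKAGE_SEPOLGEN forces Python on without inheriting any of its "depends on" conditions, because Kconfig select does not propagate the selected symbol's dependencies. Whatever BR2_PACKAGE_PYTHON depends on needs to be repeated here as "depends on" lines, with a matching comment entry explaining why the option is hidden when those conditions are not met. The help lines ending in "core " and "(a rewrite). " carry trailing whitespace.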
diff --git a/package/sepolgen/sepolgen.mk b/package/sepolgen/sepolgen.mk
new file mode 100644
index 0000000..a8c4786
--- /dev/null
+++ b/package/sepolgen/sepolgen.mk
@@ -0,0 +1,35 @@
+################################################################################
+#
+# sepolgen
+#
+################################################################################
+
+SEPOLGEN_VERSION = 1.1.9
+SEPOLGEN_SITE = http://userspace.selinuxproject.org/releases/20130423/
+SEPOLGEN_LICENSE = GPLv2
+SEPOLGEN_LICENSE_FILES = COPYING
+
+SEPOLGEN_DEPENDENCIES = python
+
+SEPOLGEN_INSTALL_STAGING = YES
+
+SEPOLGEN_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
+	PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
+
+define SEPOLGEN_BUILD_CMDS
+	$(MAKE) -C $(@D) $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define SEPOLGEN_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define SEPOLGEN_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+endef
+
+define SEPOLGEN_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
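Review bot: SEPOLGEN_MAKE_CMDS holds make variable assignments, not commands, and the series now uses three different suffixes for the same thing (LIBSEMANAGE_MAKE_OPT, HOST_CHECKPOLICY_MAKE_OPTS, SEPOLGEN_MAKE_CMDS); please pick one, for example SEPOLGEN_MAKE_OPT. It is also worth a comment on why SEPOLGEN_INSTALL_STAGING = YES is needed for a Python module, and why the build step is given DESTDIR=$(STAGING_DIR) when PYTHONLIBDIR is already passed as an absolute /usr/lib path.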
-- 
1.7.1


* [Buildroot] [PATCH v2 07/17] setools: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (5 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 06/17] sepolgen: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 08/17] libcgroup: " Clayton Shotwell
                   ` (9 subsequent siblings)
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed package dependencies into selects in the config.
  - Changed the original Python select in the Config.in to be a check 
    in the mk file.

 package/Config.in                                  |    1 +
 package/setools/Config.in                          |   16 +
 .../setools/setools-0001-cross_compile_fixes.patch |  121 +++
 .../setools-0002-swig_typedef_python_fixes.patch   | 1014 ++++++++++++++++++++
 package/setools/setools.mk                         |   85 ++
 5 files changed, 1237 insertions(+), 0 deletions(-)
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools-0001-cross_compile_fixes.patch
 create mode 100644 package/setools/setools-0002-swig_typedef_python_fixes.patch
 create mode 100644 package/setools/setools.mk

diff --git a/package/Config.in b/package/Config.in
index 57fe70d..0e7184a 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -907,6 +907,7 @@ endmenu
 
 menu "Security"
 source "package/sepolgen/Config.in"
+source "package/setools/Config.in"
 endmenu
 
 menu "Shell and utilities"
diff --git a/package/setools/Config.in b/package/setools/Config.in
new file mode 100644
index 0000000..7fc215d
--- /dev/null
+++ b/package/setools/Config.in
@@ -0,0 +1,16 @@
+config BR2_PACKAGE_SETOOLS
+	bool "setools"
+	select BR2_PACKAGE_LIBSELINUX
+	select BR2_PACKAGE_SQLITE
+	select BR2_PACKAGE_LIBXML2
+	select BR2_PACKAGE_BZIP2
+	help
+	  SETools is an open source project designed to facilitate SELinux policy 
+	  analysis. The primary tools are:
+	      
+	      apol - analyze a SELinux policy.
+	      seaudit - analyze audit messages from SELinux.
+	      seaudit-report - generate highly-customized audit log reports.
+	      sechecker - command line tool for performing modular checks on an SELinux policy.
+	      sediff - semantic policy difference tool for SELinux.
+	      secmds - command-line tools to analyze and search SELinux policy. 
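Review bot: the help text for BR2_PACKAGE_SETOOLS ends without an upstream URL, unlike the other Config.in files in this series, which close with a project link after a blank line. The tool list is indented with extra spaces, the sechecker line runs well past the usual help width, and the "policy ", "      " and "SELinux policy. " lines have trailing whitespace. The changelog says the Python select became a check in the .mk file, so a sentence in the help noting that the Python bindings are built only when Python is enabled would save users a trip to the makefile.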
diff --git a/package/setools/setools-0001-cross_compile_fixes.patch b/package/setools/setools-0001-cross_compile_fixes.patch
new file mode 100644
index 0000000..c931039
--- /dev/null
+++ b/package/setools/setools-0001-cross_compile_fixes.patch
@@ -0,0 +1,121 @@
+Correct build issues to enable cross compiling.  These rechanges require the
+package to be auto reconfigured.  
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/configure.ac b/configure.ac
+--- a/configure.ac	2013-01-16 10:36:24.000000000 -0600
++++ b/configure.ac	2013-07-12 08:22:10.380255248 -0500
+@@ -448,8 +448,9 @@
+               sepol_srcdir="")
+ if test "x${sepol_srcdir}" = "x"; then
+    sepol_srcdir=${sepol_devel_libdir}
+-   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
+-      AC_MSG_ERROR([make sure libsepol-static is installed]))
++   if test ! -f ${sepol_srcdir}/libsepol.a; then
++      AC_MSG_ERROR([could not find precompiled libsepol.a])
++   fi
+ else
+    AC_MSG_CHECKING([for compatible sepol source tree])
+    sepol_version=${sepol_srcdir}/VERSION
+@@ -484,8 +485,9 @@
+    AC_CHECK_HEADER([sepol/policydb/policydb.h], , AC_MSG_ERROR([could not find sepol source tree]))
+    CFLAGS="${sepol_src_save_CFLAGS}"
+    CPPFLAGS="${sepol_src_save_CPPFLAGS}"
+-   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
+-      AC_MSG_ERROR([could not find precompiled libsepol.a]))
++   if test ! -f ${sepol_srcdir}/libsepol.a; then
++      AC_MSG_ERROR([could not find precompiled libsepol.a])
++   fi
+    sepol_devel_incdir="${sepol_srcdir}/../include"
+ fi
+ SELINUX_CFLAGS="-I${sepol_devel_incdir} -I${selinux_devel_incdir}"
+@@ -578,12 +580,13 @@
+                          [AC_LANG_SOURCE([
+ #include <sepol/policydb/expand.h>
+ int main () {
+-  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0);
++  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0);
+ }])],
+                          AC_MSG_RESULT([yes]),
+                          AC_MSG_ERROR([this version of libsepol is incompatible with SETools]))
+     fi
+     sepol_new_expand_boolmap="yes"
++    sepol_new_user_role_mapping="yes"
+ else
+     sepol_new_expand_boolmap="no"
+ fi
+@@ -607,7 +610,8 @@
+     exit(EXIT_FAILURE);
+ }])],
+     sepol_policy_version_max=`cat conftest.data`,
+-    AC_MSG_FAILURE([could not determine maximum libsepol policy version]))
++    AC_MSG_FAILURE([could not determine maximum libsepol policy version]),
++    sepol_policy_version_max="26")
+ AC_DEFINE_UNQUOTED(SEPOL_POLICY_VERSION_MAX, ${sepol_policy_version_max}, [maximum policy version supported by libsepol])
+ CFLAGS="${sepol_save_CFLAGS}"
+ CPPFLAGS="${sepol_save_CPPFLAGS}"
+@@ -631,7 +635,7 @@
+     changequote([,])dnl
+     selinux_save_CFLAGS="${CFLAGS}"
+     CFLAGS="${SELINUX_CFLAGS} ${SELINUX_LIB_FLAG} -lselinux -lsepol ${CFLAGS}"
+-    gcc ${CFLAGS} -o conftest conftest.c >&5
++    ${CC} ${CFLAGS} -o conftest conftest.c >&5
+     selinux_policy_dir=`./conftest`
+     AC_MSG_RESULT(${selinux_policy_dir})
+     CFLAGS="${selinux_save_CFLAGS}"
+diff -urN a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
+--- a/libqpol/src/policy_define.c	2013-01-16 10:36:24.000000000 -0600
++++ b/libqpol/src/policy_define.c	2013-07-12 08:22:10.380255248 -0500
+@@ -2135,7 +2135,7 @@
+ #ifdef HAVE_SEPOL_ROLE_ATTRS
+ 	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ #elif HAVE_SEPOL_USER_ROLE_MAPPING
+-	if (role_set_expand(&roles, &e_roles, policydbp, NULL))
++	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ #else
+ 	if (role_set_expand(&roles, &e_roles, policydbp))
+ #endif
+diff -urN a/m4/ac_python_devel.m4 b/m4/ac_python_devel.m4
+--- a/m4/ac_python_devel.m4	2013-01-16 10:36:22.000000000 -0600
++++ b/m4/ac_python_devel.m4	2013-07-12 08:22:10.380255248 -0500
+@@ -234,7 +234,7 @@
+ 	AC_MSG_CHECKING([consistency of all components of python development environment])
+ 	AC_LANG_PUSH([C])
+ 	# save current global flags
+-	LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
++	LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
+ 	CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+ 	AC_TRY_LINK([
+ 		#include <Python.h>
+diff -urN a/python/setools/Makefile.am b/python/setools/Makefile.am
+--- a/python/setools/Makefile.am	2013-01-16 10:36:22.000000000 -0600
++++ b/python/setools/Makefile.am	2013-07-12 08:22:19.200251011 -0500
+@@ -22,13 +22,13 @@
+ python-build: sesearch.c seinfo.c
+ 	@mkdir -p setools
+ 	@cp __init__.py setools
+-	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" INCLUDES="$(QPOL_CFLAGS) $(APOL_CFLAGS)" $(PYTHON) setup.py build
++	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" LIBDIRS="$(PYTHON_LDFLAGS)" INCLUDES="$(PYTHON_CPPFLAGS) $(QPOL_CFLAGS) $(APOL_CFLAGS)" CC="$(CC)" CFLAGS="$(CFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(LDFLAGS)" $(PYTHON) setup.py build_ext
+ 
+ install-exec-hook:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
+ 
+ uninstall-hook: 
+-	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
+ 
+ clean-local:
+ 	$(PYTHON) setup.py clean -a 
+--- a/python/setools/setup.py	2013-01-16 10:36:22.000000000 -0600
++++ b/python/setools/setup.py	2013-09-04 09:17:48.452916991 -0500
+@@ -8,7 +8,7 @@
+ try:
+     inc=os.getenv("INCLUDES").split(" ")    
+     INCLUDES=map(lambda x: x[2:], inc)
+-    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split())
++    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split()) + map(lambda x: x[2:], os.getenv("LIBDIRS").split())
+ except:
+     INCLUDES=""
+     LIBDIRS=""
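Review bot: in the configure.ac part, the selinux policy directory probe now compiles conftest.c with ${CC} but the next line still runs ./conftest on the build machine, which cannot work when ${CC} produces target binaries for a different architecture. That probe needs a cross-compile path the same way the policy-version check received one, ideally a cache variable or configure option rather than a second hard-coded value like sepol_policy_version_max="26", which will silently go stale when libsepol is bumped. In setup.py, os.getenv("LIBDIRS").split() raises when LIBDIRS is unset and the bare except then resets both INCLUDES and LIBDIRS to empty strings, hiding the failure; os.getenv("LIBDIRS", "") avoids that. The description has a typo ("rechanges") and the tag should read "Signed-off-by:".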
diff --git a/package/setools/setools-0002-swig_typedef_python_fixes.patch b/package/setools/setools-0002-swig_typedef_python_fixes.patch
new file mode 100644
index 0000000..999fed4
--- /dev/null
+++ b/package/setools/setools-0002-swig_typedef_python_fixes.patch
@@ -0,0 +1,1014 @@
+Correct swig typdef naming convention errors that cause the build to break. 
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+--- a/libapol/swig/apol.i	2010-04-23 11:22:08.000000000 -0500
++++ b/libapol/swig/apol.i	2012-08-29 08:04:29.000000000 -0500
+@@ -232,7 +232,7 @@
+ %newobject wrap_apol_str_to_internal_ip(char*);
+ %rename(apol_str_to_internal_ip) wrap_apol_str_to_internal_ip;
+ %inline %{
+-	typedef struct apol_ip {
++	typedef struct {
+ 		uint32_t ip[4];
+ 		int proto;
+ 	} apol_ip_t;
+@@ -301,7 +301,7 @@
+ %inline %{
+ 	typedef struct apol_string_vector apol_string_vector_t;
+ %}
+-typedef struct apol_vector {} apol_vector_t;
++typedef struct {} apol_vector_t;
+ %extend apol_vector_t {
+ 	apol_vector_t() {
+ 		return apol_vector_create(NULL);
+@@ -377,7 +377,7 @@
+ 		return apol_vector_compare(a, b, NULL, NULL, &idx);
+ 	}
+ %}
+-typedef struct apol_string_vector {} apol_string_vector_t;
++typedef struct {} apol_string_vector_t;
+ %extend apol_string_vector_t {
+ 	apol_string_vector_t() {
+ 		return (apol_string_vector_t*)apol_vector_create(free);
+@@ -460,7 +460,7 @@
+ 	APOL_POLICY_PATH_TYPE_MONOLITHIC = 0,
+ 	APOL_POLICY_PATH_TYPE_MODULAR
+ } apol_policy_path_type_e;
+-typedef struct apol_policy_path {} apol_policy_path_t;
++typedef struct {} apol_policy_path_t;
+ %extend apol_policy_path_t {
+ 	apol_policy_path_t(apol_policy_path_type_e type, char * primary, apol_string_vector_t *modules = NULL) {
+ 		apol_policy_path_t *p;
+@@ -540,7 +540,7 @@
+ int apol_file_is_policy_path_list(const char *filename);
+ 
+ /* apol policy */
+-typedef struct apol_policy {} apol_policy_t;
++typedef struct {} apol_policy_t;
+ #define APOL_PERMMAP_MAX_WEIGHT 10
+ #define APOL_PERMMAP_MIN_WEIGHT 1
+ #define APOL_PERMMAP_UNMAPPED	0x00
+@@ -650,7 +650,7 @@
+ };
+ 
+ /* apol type query */
+-typedef struct apol_type_query {} apol_type_query_t;
++typedef struct {} apol_type_query_t;
+ %extend apol_type_query_t {
+ 	apol_type_query_t() {
+ 		apol_type_query_t *tq;
+@@ -692,7 +692,7 @@
+ };
+ 
+ /* apol attribute query */
+-typedef struct apol_attr_query {} apol_attr_query_t;
++typedef struct {} apol_attr_query_t;
+ %extend apol_attr_query_t {
+ 	apol_attr_query_t() {
+ 		apol_attr_query_t *aq;
+@@ -734,7 +734,7 @@
+ };
+ 
+ /* apol role query */
+-typedef struct apol_role_query {} apol_role_query_t;
++typedef struct {} apol_role_query_t;
+ %extend apol_role_query_t {
+ 	apol_role_query_t() {
+ 		apol_role_query_t *rq;
+@@ -786,7 +786,7 @@
+ int apol_role_has_type(apol_policy_t * p, qpol_role_t * r, qpol_type_t * t);
+ 
+ /* apol class query */
+-typedef struct apol_class_query {} apol_class_query_t;
++typedef struct {} apol_class_query_t;
+ %extend apol_class_query_t {
+ 	apol_class_query_t() {
+ 		apol_class_query_t *cq;
+@@ -837,7 +837,7 @@
+ };
+ 
+ /* apol common query */
+-typedef struct apol_common_query {} apol_common_query_t;
++typedef struct {} apol_common_query_t;
+ %extend apol_common_query_t {
+ 	apol_common_query_t() {
+ 		apol_common_query_t *cq;
+@@ -879,7 +879,7 @@
+ };
+ 
+ /* apol perm query */
+-typedef struct apol_perm_query {} apol_perm_query_t;
++typedef struct {} apol_perm_query_t;
+ %extend apol_perm_query_t {
+ 	apol_perm_query_t() {
+ 		apol_perm_query_t *pq;
+@@ -921,7 +921,7 @@
+ };
+ 
+ /* apol bool query */
+-typedef struct apol_bool_query {} apol_bool_query_t;
++typedef struct {} apol_bool_query_t;
+ %extend apol_bool_query_t {
+ 	apol_bool_query_t() {
+ 		apol_bool_query_t *bq;
+@@ -963,7 +963,7 @@
+ };
+ 
+ /* apol mls level */
+-typedef struct apol_mls_level {} apol_mls_level_t;
++typedef struct {} apol_mls_level_t;
+ %extend apol_mls_level_t {
+ 	apol_mls_level_t() {
+ 		apol_mls_level_t *aml;
+@@ -1122,11 +1122,11 @@
+ %typemap(in) apol_mls_level_t *lvl {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_level, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_level_t, 0 |  0 );
+ 	$1 = (apol_mls_level_t*)x;
+ }
+ #endif
+-typedef struct apol_mls_range {} apol_mls_range_t;
++typedef struct {} apol_mls_range_t;
+ %extend apol_mls_range_t {
+ 	apol_mls_range_t() {
+ 		apol_mls_range_t *amr;
+@@ -1276,7 +1276,7 @@
+ %}
+ 
+ /* apol level query */
+-typedef struct apol_level_query {} apol_level_query_t;
++typedef struct {} apol_level_query_t;
+ %extend apol_level_query_t {
+ 	apol_level_query_t() {
+ 		apol_level_query_t * alq;
+@@ -1327,7 +1327,7 @@
+ };
+ 
+ /* apol cat query */
+-typedef struct apol_cat_query {} apol_cat_query_t;
++typedef struct {} apol_cat_query_t;
+ %extend apol_cat_query_t {
+ 	apol_cat_query_t() {
+ 		apol_cat_query_t * acq;
+@@ -1373,11 +1373,11 @@
+ %typemap(in) apol_mls_range_t *rng {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_range, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_range_t, 0 |  0 );
+ 	$1 = (apol_mls_range_t*)x;
+ }
+ #endif
+-typedef struct apol_user_query {} apol_user_query_t;
++typedef struct {} apol_user_query_t;
+ %extend apol_user_query_t {
+ 	apol_user_query_t() {
+ 		apol_user_query_t *auq;
+@@ -1446,7 +1446,7 @@
+ };
+ 
+ /* apol context */
+-typedef struct apol_context {} apol_context_t;
++typedef struct {} apol_context_t;
+ %extend apol_context_t {
+ 	apol_context_t() {
+ 		apol_context_t *ctx;
+@@ -1581,7 +1581,7 @@
+ int apol_context_compare(apol_policy_t * p, apol_context_t * target, apol_context_t * search, unsigned int range_compare_type);
+ 
+ /* apol constraint query */
+-typedef struct apol_constraint_query {} apol_constraint_query_t;
++typedef struct {} apol_constraint_query_t;
+ %extend apol_constraint_query_t {
+ 	apol_constraint_query_t() {
+ 		apol_constraint_query_t *acq;
+@@ -1632,7 +1632,7 @@
+ };
+ 
+ /* apol validatetrans query */
+-typedef struct apol_validatetrans_query {} apol_validatetrans_query_t;
++typedef struct {} apol_validatetrans_query_t;
+ %extend apol_validatetrans_query_t {
+ 	apol_validatetrans_query_t() {
+ 		apol_validatetrans_query_t *avq;
+@@ -1678,11 +1678,11 @@
+ %typemap(in) apol_context_t *ctx {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_context, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_context_t, 0 |  0 );
+ 	$1 = (apol_context_t*)x;
+ }
+ #endif
+-typedef struct apol_genfscon_query {} apol_genfscon_query_t;
++typedef struct {} apol_genfscon_query_t;
+ %extend apol_genfscon_query_t {
+ 	apol_genfscon_query_t() {
+ 		apol_genfscon_query_t *agq;
+@@ -1744,7 +1744,7 @@
+ char *apol_genfscon_render(apol_policy_t * p, qpol_genfscon_t * genfscon);
+ 
+ /* apol fs_use query */
+-typedef struct apol_fs_use_query {} apol_fs_use_query_t;
++typedef struct {} apol_fs_use_query_t;
+ %extend apol_fs_use_query_t {
+ 	apol_fs_use_query_t() {
+ 		apol_fs_use_query_t *afq;
+@@ -1797,7 +1797,7 @@
+ char *apol_fs_use_render(apol_policy_t * p, qpol_fs_use_t * fsuse);
+ 
+ /* apol initial sid query */
+-typedef struct apol_isid_query {} apol_isid_query_t;
++typedef struct {} apol_isid_query_t;
+ %extend apol_isid_query_t {
+ 	apol_isid_query_t() {
+ 		apol_isid_query_t *aiq;
+@@ -1839,7 +1839,7 @@
+ };
+ 
+ /* apol portcon query */
+-typedef struct apol_portcon_query {} apol_portcon_query_t;
++typedef struct {} apol_portcon_query_t;
+ %extend apol_portcon_query_t {
+ 	apol_portcon_query_t() {
+ 		apol_portcon_query_t *apq;
+@@ -1883,7 +1883,7 @@
+ char *apol_portcon_render(apol_policy_t * p, qpol_portcon_t * portcon);
+ 
+ /* apol netifcon query */
+-typedef struct apol_netifcon_query {} apol_netifcon_query_t;
++typedef struct {} apol_netifcon_query_t;
+ %extend apol_netifcon_query_t {
+ 	apol_netifcon_query_t() {
+ 		apol_netifcon_query_t *anq;
+@@ -1930,7 +1930,7 @@
+ char *apol_netifcon_render(apol_policy_t * p, qpol_netifcon_t * netifcon);
+ 
+ /* apol nodecon query */
+-typedef struct apol_nodecon_query {} apol_nodecon_query_t;
++typedef struct {} apol_nodecon_query_t;
+ %extend apol_nodecon_query_t {
+ 	apol_nodecon_query_t() {
+ 		apol_nodecon_query_t *anq;
+@@ -2010,7 +2010,7 @@
+ char *apol_nodecon_render(apol_policy_t * p, qpol_nodecon_t * nodecon);
+ 
+ /* apol avrule query */
+-typedef struct apol_avrule_query {} apol_avrule_query_t;
++typedef struct {} apol_avrule_query_t;
+ %extend apol_avrule_query_t {
+ 	apol_avrule_query_t() {
+ 		apol_avrule_query_t *avq;
+@@ -2161,7 +2161,7 @@
+ %}
+ 
+ /* apol terule query */
+-typedef struct apol_terule_query {} apol_terule_query_t;
++typedef struct {} apol_terule_query_t;
+ %extend apol_terule_query_t {
+ 	apol_terule_query_t() {
+ 		apol_terule_query_t *atq;
+@@ -2285,7 +2285,7 @@
+ apol_vector_t *apol_terule_list_to_syn_terules(apol_policy_t * p, apol_vector_t * rules);
+ 
+ /* apol cond rule query */
+-typedef struct apol_cond_query {} apol_cond_query_t;
++typedef struct {} apol_cond_query_t;
+ %extend apol_cond_query_t {
+ 	apol_cond_query_t() {
+ 		apol_cond_query_t *acq;
+@@ -2329,7 +2329,7 @@
+ char *apol_cond_expr_render(apol_policy_t * p, qpol_cond_t * cond);
+ 
+ /* apol role allow query */
+-typedef struct apol_role_allow_query {} apol_role_allow_query_t;
++typedef struct {} apol_role_allow_query_t;
+ %extend apol_role_allow_query_t {
+ 	apol_role_allow_query_t() {
+ 		apol_role_allow_query_t *arq;
+@@ -2385,7 +2385,7 @@
+ char *apol_role_allow_render(apol_policy_t * policy, qpol_role_allow_t * rule);
+ 
+ /* apol role transition rule query */
+-typedef struct apol_role_trans_query {} apol_role_trans_query_t;
++typedef struct {} apol_role_trans_query_t;
+ %extend apol_role_trans_query_t {
+ 	apol_role_trans_query_t() {
+ 		apol_role_trans_query_t *arq;
+@@ -2450,7 +2450,7 @@
+ char *apol_role_trans_render(apol_policy_t * policy, qpol_role_trans_t * rule);
+ 
+ /* apol range transition rule query */
+-typedef struct apol_range_trans_query {} apol_range_trans_query_t;
++typedef struct {} apol_range_trans_query_t;
+ %extend apol_range_trans_query_t {
+ 	apol_range_trans_query_t() {
+ 		apol_range_trans_query_t *arq;
+@@ -2529,7 +2529,7 @@
+ #define APOL_DOMAIN_TRANS_SEARCH_VALID		0x01
+ #define APOL_DOMAIN_TRANS_SEARCH_INVALID	0x02
+ #define APOL_DOMAIN_TRANS_SEARCH_BOTH		(APOL_DOMAIN_TRANS_SEARCH_VALID|APOL_DOMAIN_TRANS_SEARCH_INVALID)
+-typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
++typedef struct {} apol_domain_trans_analysis_t;
+ %extend apol_domain_trans_analysis_t {
+ 	apol_domain_trans_analysis_t() {
+ 		apol_domain_trans_analysis_t *dta;
+@@ -2620,7 +2620,7 @@
+ 		return v;
+ 	};
+ };
+-typedef struct apol_domain_trans_result {} apol_domain_trans_result_t;
++typedef struct {} apol_domain_trans_result_t;
+ %extend apol_domain_trans_result_t {
+ 	apol_domain_trans_result_t(apol_domain_trans_result_t *in) {
+ 		apol_domain_trans_result_t *dtr;
+@@ -2703,7 +2703,7 @@
+ 		*in = NULL;
+ 	}
+ %}
+-typedef struct apol_infoflow {} apol_infoflow_t;
++typedef struct {} apol_infoflow_t;
+ %extend apol_infoflow_t {
+ 	apol_infoflow_t() {
+ 		BEGIN_EXCEPTION
+@@ -2728,7 +2728,7 @@
+ 		return v;
+ 	};
+ };
+-typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
++typedef struct {} apol_infoflow_analysis_t;
+ %extend apol_infoflow_analysis_t {
+ 	apol_infoflow_analysis_t() {
+ 		apol_infoflow_analysis_t *aia;
+@@ -2821,7 +2821,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_infoflow_graph {} apol_infoflow_graph_t;
++typedef struct {} apol_infoflow_graph_t;
+ %extend apol_infoflow_graph_t {
+ 	apol_infoflow_graph_t() {
+ 		BEGIN_EXCEPTION
+@@ -2865,7 +2865,7 @@
+ 		return retval;
+ 	};
+ };
+-typedef struct apol_infoflow_result {} apol_infoflow_result_t;
++typedef struct {} apol_infoflow_result_t;
+ %extend apol_infoflow_result_t {
+ 	apol_infoflow_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -2899,7 +2899,7 @@
+ 		return (apol_infoflow_result_t*)x;
+ 	};
+ %}
+-typedef struct apol_infoflow_step {} apol_infoflow_step_t;
++typedef struct {} apol_infoflow_step_t;
+ %extend apol_infoflow_step_t {
+ 	apol_infoflow_step_t() {
+ 		BEGIN_EXCEPTION
+@@ -2936,7 +2936,7 @@
+ #define APOL_RELABEL_DIR_FROM    0x02
+ #define APOL_RELABEL_DIR_BOTH    (APOL_RELABEL_DIR_TO|APOL_RELABEL_DIR_FROM)
+ #define APOL_RELABEL_DIR_SUBJECT 0x04
+-typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
++typedef struct {} apol_relabel_analysis_t;
+ %extend apol_relabel_analysis_t {
+ 	apol_relabel_analysis_t() {
+ 		apol_relabel_analysis_t *ara;
+@@ -3009,7 +3009,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_relabel_result {} apol_relabel_result_t;
++typedef struct {} apol_relabel_result_t;
+ %extend apol_relabel_result_t {
+ 	apol_relabel_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -3040,7 +3040,7 @@
+ 		return (apol_relabel_result_t*)x;
+ 	};
+ %}
+-typedef struct apol_relabel_result_pair {} apol_relabel_result_pair_t;
++typedef struct {} apol_relabel_result_pair_t;
+ %extend apol_relabel_result_pair_t {
+ 	apol_relabel_result_pair_t() {
+ 		BEGIN_EXCEPTION
+@@ -3082,7 +3082,7 @@
+ #define APOL_TYPES_RELATION_DIRECT_FLOW 0x1000
+ #define APOL_TYPES_RELATION_TRANS_FLOW_AB 0x4000
+ #define APOL_TYPES_RELATION_TRANS_FLOW_BA 0x8000
+-typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t;
++typedef struct {} apol_types_relation_analysis_t;
+ %extend apol_types_relation_analysis_t {
+ 	apol_types_relation_analysis_t() {
+ 		apol_types_relation_analysis_t *atr;
+@@ -3137,7 +3137,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_types_relation_result {} apol_types_relation_result_t;
++typedef struct {} apol_types_relation_result_t;
+ %extend apol_types_relation_result_t {
+ 	apol_types_relation_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -3192,7 +3192,7 @@
+ 		return apol_types_relation_result_get_domainsBA(self);
+ 	};
+ };
+-typedef struct apol_types_relation_access {} apol_types_relation_access_t;
++typedef struct {} apol_types_relation_access_t;
+ %extend apol_types_relation_access_t {
+ 	apol_types_relation_access_t() {
+ 		BEGIN_EXCEPTION
+--- a/libqpol/swig/qpol.i	2010-04-30 11:23:28.000000000 -0500
++++ b/libqpol/swig/qpol.i	2012-08-29 07:52:17.000000000 -0500
+@@ -226,7 +226,7 @@
+ #define QPOL_MODULE_UNKNOWN 0
+ #define QPOL_MODULE_BASE    1
+ #define QPOL_MODULE_OTHER   2
+-typedef struct qpol_module {} qpol_module_t;
++typedef struct {} qpol_module_t;
+ %extend qpol_module_t {
+ 	qpol_module_t(const char *path) {
+ 		qpol_module_t *m;
+@@ -310,7 +310,7 @@
+ #define QPOL_POLICY_OPTION_NO_NEVERALLOWS 0x00000001
+ #define QPOL_POLICY_OPTION_NO_RULES       0x00000002
+ #define QPOL_POLICY_OPTION_MATCH_SYSTEM   0x00000004
+-typedef struct qpol_policy {} qpol_policy_t;
++typedef struct {} qpol_policy_t;
+ typedef void (*qpol_callback_fn_t) (void *varg, struct qpol_policy * policy, int level, const char *fmt, va_list va_args);
+ #define QPOL_POLICY_UNKNOWN       -1
+ #define QPOL_POLICY_KERNEL_SOURCE  0
+@@ -684,7 +684,7 @@
+ };
+ 
+ /* qpol iterator */
+-typedef struct qpol_iterator {} qpol_iterator_t;
++typedef struct {} qpol_iterator_t;
+ %extend qpol_iterator_t {
+ 	/* user never directly creates, but SWIG expects a constructor */
+ 	qpol_iterator_t() {
+@@ -734,7 +734,7 @@
+ };
+ 
+ /* qpol type */
+-typedef struct qpol_type {} qpol_type_t;
++typedef struct {} qpol_type_t;
+ %extend qpol_type_t {
+ 	qpol_type_t(qpol_policy_t *p, const char *name) {
+ 		BEGIN_EXCEPTION
+@@ -849,7 +849,7 @@
+ %}
+ 
+ /* qpol role */
+-typedef struct qpol_role {} qpol_role_t;
++typedef struct {} qpol_role_t;
+ %extend qpol_role_t {
+ 	qpol_role_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_role_t *r;
+@@ -917,7 +917,7 @@
+ %}
+ 
+ /* qpol level */
+-typedef struct qpol_level {} qpol_level_t;
++typedef struct {} qpol_level_t;
+ %extend qpol_level_t {
+ 	qpol_level_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_level_t *l;
+@@ -995,7 +995,7 @@
+ %}
+ 
+ /* qpol cat */
+-typedef struct qpol_cat {} qpol_cat_t;
++typedef struct {} qpol_cat_t;
+ %extend qpol_cat_t {
+ 	qpol_cat_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_cat_t *c;
+@@ -1062,7 +1062,7 @@
+ %}
+ 
+ /* qpol mls range */
+-typedef struct qpol_mls_range {} qpol_mls_range_t;
++typedef struct {} qpol_mls_range_t;
+ %extend qpol_mls_range_t {
+ 	qpol_mls_range_t() {
+ 		BEGIN_EXCEPTION
+@@ -1103,7 +1103,7 @@
+ %}
+ 
+ /* qpol mls level */
+-typedef struct qpol_mls_level {} qpol_mls_level_t;
++typedef struct {} qpol_mls_level_t;
+ %extend qpol_mls_level_t {
+ 	qpol_mls_level_t() {
+ 		BEGIN_EXCEPTION
+@@ -1145,7 +1145,7 @@
+ %}
+ 
+ /* qpol user */
+-typedef struct qpol_user {} qpol_user_t;
++typedef struct {} qpol_user_t;
+ %extend qpol_user_t {
+ 	qpol_user_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_user_t *u;
+@@ -1221,7 +1221,7 @@
+ %}
+ 
+ /* qpol bool */
+-typedef struct qpol_bool {} qpol_bool_t;
++typedef struct {} qpol_bool_t;
+ %extend qpol_bool_t {
+ 	qpol_bool_t(qpol_policy_t *p, const char *name) {
+ 		qpol_bool_t *b;
+@@ -1293,7 +1293,7 @@
+ %}
+ 
+ /* qpol context */
+-typedef struct qpol_context {} qpol_context_t;
++typedef struct {} qpol_context_t;
+ %extend qpol_context_t {
+ 	qpol_context_t() {
+ 		BEGIN_EXCEPTION
+@@ -1354,7 +1354,7 @@
+ %}
+ 
+ /* qpol class */
+-typedef struct qpol_class {} qpol_class_t;
++typedef struct {} qpol_class_t;
+ %extend qpol_class_t {
+ 	qpol_class_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_class_t *c;
+@@ -1441,7 +1441,7 @@
+ %}
+ 
+ /* qpol common */
+-typedef struct qpol_common {} qpol_common_t;
++typedef struct {} qpol_common_t;
+ %extend qpol_common_t {
+ 	qpol_common_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_common_t *c;
+@@ -1514,7 +1514,7 @@
+ #define QPOL_FS_USE_NONE  5U
+ #define QPOL_FS_USE_PSID  6U
+ #endif
+-typedef struct qpol_fs_use {} qpol_fs_use_t;
++typedef struct {} qpol_fs_use_t;
+ %extend qpol_fs_use_t {
+ 	qpol_fs_use_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_fs_use_t *f;
+@@ -1592,7 +1592,7 @@
+ #define QPOL_CLASS_LNK_FILE   9U
+ #define QPOL_CLASS_SOCK_FILE 12U
+ #endif
+-typedef struct qpol_genfscon {} qpol_genfscon_t;
++typedef struct {} qpol_genfscon_t;
+ %extend qpol_genfscon_t {
+ 	qpol_genfscon_t(qpol_policy_t *p, const char *name, const char *path) {
+ 		qpol_genfscon_t *g;
+@@ -1655,7 +1655,7 @@
+ %}
+ 
+ /* qpol isid */
+-typedef struct qpol_isid {} qpol_isid_t;
++typedef struct {} qpol_isid_t;
+ %extend qpol_isid_t {
+ 	qpol_isid_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_isid_t *i;
+@@ -1699,7 +1699,7 @@
+ %}
+ 
+ /* qpol netifcon */
+-typedef struct qpol_netifcon {} qpol_netifcon_t;
++typedef struct {} qpol_netifcon_t;
+ %extend qpol_netifcon_t {
+ 	qpol_netifcon_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_netifcon_t *n;
+@@ -1755,7 +1755,7 @@
+ /* qpol nodecon */
+ #define QPOL_IPV4 0
+ #define QPOL_IPV6 1
+-typedef struct qpol_nodecon {} qpol_nodecon_t;
++typedef struct {} qpol_nodecon_t;
+ %extend qpol_nodecon_t {
+ 	qpol_nodecon_t(qpol_policy_t *p, int addr[4], int mask[4], int protocol) {
+ 		uint32_t a[4], m[4];
+@@ -1828,7 +1828,7 @@
+ /* from netinet/in.h */
+ #define IPPROTO_TCP 6
+ #define IPPROTO_UDP 17
+-typedef struct qpol_portcon {} qpol_portcon_t;
++typedef struct {} qpol_portcon_t;
+ %extend qpol_portcon_t {
+ 	qpol_portcon_t(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) {
+ 		const qpol_portcon_t *qp;
+@@ -1892,7 +1892,7 @@
+ %}
+ 
+ /* qpol constraint */
+-typedef struct qpol_constraint {} qpol_constraint_t;
++typedef struct {} qpol_constraint_t;
+ %extend qpol_constraint_t {
+ 	qpol_constraint_t() {
+ 		BEGIN_EXCEPTION
+@@ -1944,7 +1944,7 @@
+ %}
+ 
+ /* qpol validatetrans */
+-typedef struct qpol_validatetrans {} qpol_validatetrans_t;
++typedef struct {} qpol_validatetrans_t;
+ %extend qpol_validatetrans_t {
+ 	qpol_validatetrans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2009,7 +2009,7 @@
+ #define QPOL_CEXPR_OP_DOM    3
+ #define QPOL_CEXPR_OP_DOMBY  4
+ #define QPOL_CEXPR_OP_INCOMP 5
+-typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t;
++typedef struct {} qpol_constraint_expr_node_t;
+ %extend qpol_constraint_expr_node_t {
+ 	qpol_constraint_expr_node_t() {
+ 		BEGIN_EXCEPTION
+@@ -2071,7 +2071,7 @@
+ %}
+ 
+ /* qpol role allow */
+-typedef struct qpol_role_allow {} qpol_role_allow_t;
++typedef struct {} qpol_role_allow_t;
+ %extend qpol_role_allow_t {
+ 	qpol_role_allow_t() {
+ 		BEGIN_EXCEPTION
+@@ -2112,7 +2112,7 @@
+ %}
+ 
+ /* qpol role trans */
+-typedef struct qpol_role_trans {} qpol_role_trans_t;
++typedef struct {} qpol_role_trans_t;
+ %extend qpol_role_trans_t {
+ 	qpol_role_trans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2163,7 +2163,7 @@
+ %}
+ 
+ /* qpol range trans */
+-typedef struct qpol_range_trans {} qpol_range_trans_t;
++typedef struct {} qpol_range_trans_t;
+ %extend qpol_range_trans_t {
+ 	qpol_range_trans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2226,7 +2226,7 @@
+ #define QPOL_RULE_NEVERALLOW  128
+ #define QPOL_RULE_AUDITALLOW    2
+ #define QPOL_RULE_DONTAUDIT     4
+-typedef struct qpol_avrule {} qpol_avrule_t;
++typedef struct {} qpol_avrule_t;
+ %extend qpol_avrule_t {
+ 	qpol_avrule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2346,7 +2346,7 @@
+ #define QPOL_RULE_TYPE_TRANS   16
+ #define QPOL_RULE_TYPE_CHANGE  64
+ #define QPOL_RULE_TYPE_MEMBER  32
+-typedef struct qpol_terule {} qpol_terule_t;
++typedef struct {} qpol_terule_t;
+ %extend qpol_terule_t {
+ 	qpol_terule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2462,7 +2462,7 @@
+ %}
+ 
+ /* qpol conditional */
+-typedef struct qpol_cond {} qpol_cond_t;
++typedef struct {} qpol_cond_t;
+ %extend qpol_cond_t {
+ 	qpol_cond_t() {
+ 		BEGIN_EXCEPTION
+@@ -2555,7 +2555,7 @@
+ #define QPOL_COND_EXPR_XOR  5      /* bool ^ bool */
+ #define QPOL_COND_EXPR_EQ   6      /* bool == bool */
+ #define QPOL_COND_EXPR_NEQ  7      /* bool != bool */
+-typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t;
++typedef struct {} qpol_cond_expr_node_t;
+ %extend qpol_cond_expr_node_t {
+ 	qpol_cond_expr_node_t() {
+ 		BEGIN_EXCEPTION
+@@ -2600,7 +2600,7 @@
+ %}
+ 
+ /* qpol type set */
+-typedef struct qpol_type_set {} qpol_type_set_t;
++typedef struct {} qpol_type_set_t;
+ %extend qpol_type_set_t {
+ 	qpol_type_set_t() {
+ 		BEGIN_EXCEPTION
+@@ -2663,7 +2663,7 @@
+ %}
+ 
+ /* qpol syn av rule */
+-typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
++typedef struct {} qpol_syn_avrule_t;
+ %extend qpol_syn_avrule_t {
+ 	qpol_syn_avrule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2776,7 +2776,7 @@
+ %}
+ 
+ /* qpol syn te rule */
+-typedef struct qpol_syn_terule {} qpol_syn_terule_t;
++typedef struct {} qpol_syn_terule_t;
+ %extend qpol_syn_terule_t {
+ 	qpol_syn_terule_t() {
+ 		BEGIN_EXCEPTION
+--- a/libpoldiff/swig/poldiff.i	2007-10-31 16:03:33.000000000 -0500
++++ b/libpoldiff/swig/poldiff.i	2012-08-29 08:08:02.000000000 -0500
+@@ -258,7 +258,7 @@
+ 
+ /* for handling the get_stats function */
+ %{
+-	typedef struct poldiff_stats {
++	typedef struct {
+ 		size_t stats[5];
+ 	} poldiff_stats_t;
+ 	poldiff_stats_t *poldiff_stats_create() {
+@@ -271,7 +271,7 @@
+ 		*x = NULL;
+ 	}
+ %}
+-typedef struct poldiff_stats {} poldiff_stats_t;
++typedef struct {} poldiff_stats_t;
+ %extend poldiff_stats_t {
+ 	poldiff_stats_t() {
+ 		poldiff_stats_t *s;
+@@ -336,17 +336,17 @@
+ %typemap(in) apol_policy_t *op {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy_t, 0 |  0 );
+ 	$1 = (apol_policy_t*)x;
+ }
+ %typemap(in) apol_policy_t *mp {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy_t, 0 |  0 );
+ 	$1 = (apol_policy_t*)x;
+ }
+ #endif
+-typedef struct poldiff {} poldiff_t;
++typedef struct {} poldiff_t;
+ %extend poldiff_t {
+ 	poldiff_t(apol_policy_t *op, apol_policy_t *mp) {
+ 		poldiff_t *p;
+@@ -476,7 +476,7 @@
+ };
+ 
+ /* attribute diff */
+-typedef struct poldiff_attrib {} poldiff_attrib_t;
++typedef struct {} poldiff_attrib_t;
+ %extend poldiff_attrib_t {
+    poldiff_attrib_t () {
+       BEGIN_EXCEPTION
+@@ -521,7 +521,7 @@
+ %}
+ 
+ /* av rule diff */
+-typedef struct poldiff_avrule {} poldiff_avrule_t;
++typedef struct {} poldiff_avrule_t;
+ %extend poldiff_avrule_t {
+    poldiff_avrule_t() {
+       BEGIN_EXCEPTION
+@@ -629,7 +629,7 @@
+ %}
+ 
+ /* boolean diff */
+-typedef struct poldiff_bool {} poldiff_bool_t;
++typedef struct {} poldiff_bool_t;
+ %extend poldiff_bool_t {
+ 	poldiff_bool_t() {
+       BEGIN_EXCEPTION
+@@ -668,7 +668,7 @@
+ %}
+ 
+ /* category diff */
+-typedef struct poldiff_cat {} poldiff_cat_t;
++typedef struct {} poldiff_cat_t;
+ %extend poldiff_cat_t {
+ 	poldiff_cat_t() {
+       BEGIN_EXCEPTION
+@@ -707,7 +707,7 @@
+ %}
+ 
+ /* class diff */
+-typedef struct poldiff_class {} poldiff_class_t;
++typedef struct {} poldiff_class_t;
+ %extend poldiff_class_t {
+ 	poldiff_class_t() {
+       BEGIN_EXCEPTION
+@@ -752,7 +752,7 @@
+ %}
+ 
+ /* common diff */
+-typedef struct poldiff_common {} poldiff_common_t;
++typedef struct {} poldiff_common_t;
+ %extend poldiff_common_t {
+ 	poldiff_common_t() {
+       BEGIN_EXCEPTION
+@@ -797,7 +797,7 @@
+ %}
+ 
+ /* level diff */
+-typedef struct poldiff_level {} poldiff_level_t;
++typedef struct {} poldiff_level_t;
+ %extend poldiff_level_t {
+ 	poldiff_level_t() {
+       BEGIN_EXCEPTION
+@@ -857,7 +857,7 @@
+ %}
+ 
+ /* range diff */
+-typedef struct poldiff_range {} poldiff_range_t;
++typedef struct {} poldiff_range_t;
+ %extend poldiff_range_t {
+ 	poldiff_range_t() {
+       BEGIN_EXCEPTION
+@@ -908,7 +908,7 @@
+ %}
+ 
+ /* range_transition rule diff */
+-typedef struct poldiff_range_trans {} poldiff_range_trans_t;
++typedef struct {} poldiff_range_trans_t;
+ %extend poldiff_range_trans_t {
+ 	poldiff_range_trans_t() {
+       BEGIN_EXCEPTION
+@@ -956,7 +956,7 @@
+ %}
+ 
+ /* role allow rule diff */
+-typedef struct poldiff_role_allow {} poldiff_role_allow_t;
++typedef struct {} poldiff_role_allow_t;
+ %extend poldiff_role_allow_t {
+ 	poldiff_role_allow_t() {
+       BEGIN_EXCEPTION
+@@ -1004,7 +1004,7 @@
+ %}
+ 
+ /* role_transition rule diff */
+-typedef struct poldiff_role_trans {} poldiff_role_trans_t;
++typedef struct {} poldiff_role_trans_t;
+ %extend poldiff_role_trans_t {
+ 	poldiff_role_trans_t() {
+       BEGIN_EXCEPTION
+@@ -1052,7 +1052,7 @@
+ %}
+ 
+ /* role diff */
+-typedef struct poldiff_role {} poldiff_role_t;
++typedef struct {} poldiff_role_t;
+ %extend poldiff_role_t {
+ 	poldiff_role_t() {
+       BEGIN_EXCEPTION
+@@ -1097,7 +1097,7 @@
+ %}
+ 
+ /* te rule diff */
+-typedef struct poldiff_terule {} poldiff_terule_t;
++typedef struct {} poldiff_terule_t;
+ %extend poldiff_terule_t {
+ 	poldiff_terule_t() {
+       BEGIN_EXCEPTION
+@@ -1178,7 +1178,7 @@
+ %}
+ 
+ /* type diff */
+-typedef struct poldiff_type {} poldiff_type_t;
++typedef struct {} poldiff_type_t;
+ %extend poldiff_type_t {
+ 	poldiff_type_t() {
+       BEGIN_EXCEPTION
+@@ -1223,7 +1223,7 @@
+ %}
+ 
+ /* user diff */
+-typedef struct poldiff_user {} poldiff_user_t;
++typedef struct {} poldiff_user_t;
+ %extend poldiff_user_t {
+ 	poldiff_user_t() {
+       BEGIN_EXCEPTION
+@@ -1280,7 +1280,7 @@
+ %}
+ 
+ /* type remap */
+-typedef struct poldiff_type_remap_entry {} poldiff_type_remap_entry_t;
++typedef struct {} poldiff_type_remap_entry_t;
+ %extend poldiff_type_remap_entry_t {
+ 	poldiff_type_remap_entry_t() {
+       BEGIN_EXCEPTION
+--- a/libseaudit/swig/seaudit.i	2007-10-31 16:03:33.000000000 -0500
++++ b/libseaudit/swig/seaudit.i	2012-08-29 08:11:39.000000000 -0500
+@@ -240,7 +240,7 @@
+ %{
+ 	typedef struct tm tm_t;
+ %}
+-typedef struct tm {
++typedef struct {
+ 	int tm_sec;   /* seconds */
+ 	int tm_min;   /* minutes */
+ 	int tm_hour;  /* hours */
+@@ -278,7 +278,7 @@
+ 	SEAUDIT_LOG_TYPE_SYSLOG,
+ 	SEAUDIT_LOG_TYPE_AUDITD
+ } seaudit_log_type_e;
+-typedef struct seaudit_log {} seaudit_log_t;
++typedef struct {} seaudit_log_t;
+ %extend seaudit_log_t {
+ 	seaudit_log_t() {
+ 		seaudit_log_t *slog;
+@@ -355,7 +355,7 @@
+ 	SEAUDIT_MESSAGE_TYPE_AVC,
+ 	SEAUDIT_MESSAGE_TYPE_LOAD
+ } seaudit_message_type_e;
+-typedef struct seaudit_message {} seaudit_message_t;
++typedef struct {} seaudit_message_t;
+ %extend seaudit_message_t {
+ 	seaudit_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -427,7 +427,7 @@
+ %}
+ 
+ /* seaudit load message */
+-typedef struct seaudit_load_message {} seaudit_load_message_t;
++typedef struct {} seaudit_load_message_t;
+ %extend seaudit_load_message_t {
+ 	seaudit_load_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -448,7 +448,7 @@
+ %}
+ 
+ /* seaudit bool message */
+-typedef struct seaudit_bool_message {} seaudit_bool_message_t;
++typedef struct {} seaudit_bool_message_t;
+ %extend seaudit_bool_message_t {
+ 	seaudit_bool_message_t(void *msg) {
+ 		BEGIN_EXCEPTION
+@@ -475,7 +475,7 @@
+ 	SEAUDIT_AVC_DENIED,
+ 	SEAUDIT_AVC_GRANTED
+ } seaudit_avc_message_type_e;
+-typedef struct seaudit_avc_message {} seaudit_avc_message_t;
++typedef struct {} seaudit_avc_message_t;
+ %extend seaudit_avc_message_t {
+ 	seaudit_avc_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -606,7 +606,7 @@
+ 	SEAUDIT_FILTER_DATE_MATCH_AFTER,
+ 	SEAUDIT_FILTER_DATE_MATCH_BETWEEN
+ } seaudit_filter_date_match_e;
+-typedef struct seaudit_filter {} seaudit_filter_t;
++typedef struct {} seaudit_filter_t;
+ %extend seaudit_filter_t {
+ 	seaudit_filter_t(char *name = NULL) {
+ 		seaudit_filter_t *sf = NULL;
+@@ -1012,7 +1012,7 @@
+ %}
+ 
+ /* seaudit sort */
+-typedef struct seaudit_sort {} seaudit_sort_t;
++typedef struct {} seaudit_sort_t;
+ %extend seaudit_sort_t {
+ 	seaudit_sort_t() {
+ 		BEGIN_EXCEPTION
+@@ -1101,17 +1101,17 @@
+ %typemap(in) seaudit_filter_t *filter {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_filter, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_filter_t, 0 |  0 );
+ 	$1 = (seaudit_filter_t*)x;
+ }
+ %typemap(in) seaudit_sort_t *ssort {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_sort, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_sort_t, 0 |  0 );
+ 	$1 = (seaudit_sort_t*)x;
+ }
+ #endif
+-typedef struct seaudit_model {} seaudit_model_t;
++typedef struct {} seaudit_model_t;
+ %extend seaudit_model_t {
+ 	seaudit_model_t(char *name = NULL, seaudit_log_t *slog = NULL) {
+ 		seaudit_model_t *smod;
+@@ -1309,7 +1309,7 @@
+ 	SEAUDIT_REPORT_FORMAT_TEXT,
+ 	SEAUDIT_REPORT_FORMAT_HTML
+ } seaudit_report_format_e;
+-typedef struct seaudit_report {} seaudit_report_t;
++typedef struct {} seaudit_report_t;
+ %extend seaudit_report_t {
+ 	seaudit_report_t(seaudit_model_t *m) {
+ 		seaudit_report_t *sr;
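Review bot: In the qpol.i hunk at -310, the tag is dropped from `typedef struct qpol_policy {} qpol_policy_t;`, but the next context line, the `qpol_callback_fn_t` typedef, still takes `struct qpol_policy * policy`. The interface no longer declares that tag, so SWIG will treat it as a separate, unknown type rather than as `qpol_policy_t`. Change the callback prototype to `qpol_policy_t *` in the same patch, or state why it is left alone. The seaudit.i hunk at -240 raises the same question: `typedef struct tm {` loses its tag while the `%{ typedef struct tm tm_t; %}` block just above keeps it. The poldiff.i hunk at -258 is different in kind from the rest, because it edits the C definition inside `%{ ... %}` rather than only the SWIG-visible declaration, and deserves its own line of explanation. If the patch header does not already name the SWIG version that requires the `SWIGTYPE_p_apol_policy` to `SWIGTYPE_p_apol_policy_t` renames, it should, so the patch can be re-evaluated when swig or setools is bumped.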
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
new file mode 100644
index 0000000..ee3d73b
--- /dev/null
+++ b/package/setools/setools.mk
@@ -0,0 +1,85 @@
+################################################################################
+#
+# setools
+#
+################################################################################
+
+SETOOLS_VERSION = 3.3.8
+SETOOLS_SOURCE = setools-$(SETOOLS_VERSION).tar.bz2
+SETOOLS_SITE = http://oss.tresys.com/projects/setools/chrome/site/dists/setools-$(SETOOLS_VERSION)/
+SETOOLS_DEPENDENCIES = libselinux sqlite libxml2 bzip2
+
+SETOOLS_INSTALL_STAGING = YES
+
+SETOOLS_AUTORECONF = YES
+SETOOLS_AUTORECONF_OPT = -i -s
+
+# Notes: Need "disable-selinux-check" so the configure does not check to see if host has
+#        selinux enabled.
+SETOOLS_CONF_OPT = \
+	--disable-debug \
+	--disable-gui \
+	--disable-bwidget-check \
+	--disable-selinux-check \
+	--disable-swig-java \
+	--disable-swig-python \
+	--disable-swig-tcl \
+	--with-sepol-devel="$(STAGING_DIR)/usr" \
+	--with-selinux-devel="$(STAGING_DIR)/usr" \
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+	SETOOLS_DEPENDENCIES += python host-python host-swig 
+	SETOOLS_CONF_ENV += am_cv_pathless_PYTHON=python \
+		ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
+		am_cv_python_version=$(PYTHON_VERSION) \
+		am_cv_python_platform=linux2 \
+		am_cv_python_pythondir=$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_pyexecdir=$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_includes=-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
+	SETOOLS_CONF_OPT += \
+		--enable-swig-python \
+		PYTHON_CPPFLAGS="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)" \
+		PYTHON_LDFLAGS="-L$(STAGING_DIR)/usr/lib/" \
+		PYTHON_SITE_PKG="$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages" \
+		PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil -lpython$(PYTHON_VERSION_MAJOR)"
+endif
+
+HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-sqlite \
+	host-libxml2 host-bzip2
+
+HOST_SETOOLS_AUTORECONF = YES
+HOST_SETOOLS_AUTORECONF_OPT = -i -s
+
+# Notes: Need "disable-selinux-check" so the configure does not check to see if host has
+#        selinux enabled.
+HOST_SETOOLS_CONF_OPT = \
+	--disable-debug \
+	--disable-gui \
+	--disable-bwidget-check \
+	--disable-selinux-check \
+	--disable-swig-java \
+	--disable-swig-python \
+	--disable-swig-tcl \
+	--with-sepol-devel="$(HOST_DIR)/usr" \
+	--with-selinux-devel="$(HOST_DIR)/usr" \
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+	HOST_SETOOLS_DEPENDENCIES += host-python host-swig 
+	HOST_SETOOLS_CONF_ENV += \
+		am_cv_pathless_PYTHON=python \
+		ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
+		am_cv_python_version=$(PYTHON_VERSION) \
+		am_cv_python_platform=linux2 \
+		am_cv_python_pythondir=$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_pyexecdir=$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_includes=-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
+	HOST_SETOOLS_CONF_OPT += \
+		--enable-swig-python \
+		PYTHON_CPPFLAGS="-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)" \
+		PYTHON_LDFLAGS="-L$(HOST_DIR)/usr/lib/" \
+		PYTHON_SITE_PKG="$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages" \
+		PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil -lpython$(PYTHON_VERSION_MAJOR)"
+endif
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
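Review bot: The second `ifeq ($(BR2_PACKAGE_PYTHON),y)` block keys the host build on a target package option, so whether host-setools gets Python bindings (and pulls in host-python and host-swig) depends on what happens to be selected for the target image. If another host package needs the host bindings, they should be unconditional or tied to that consumer. Smaller points in the same file: `SETOOLS_CONF_OPT` and `HOST_SETOOLS_CONF_OPT` both end with a trailing `\` on the `--with-selinux-devel` line, which only works because a blank line follows. Both lists pass `--disable-swig-python` and then append `--enable-swig-python`, which reads better as an if/else. There is trailing whitespace after `host-swig` in both dependency lines. `am_cv_python_pythondir` and `PYTHON_SITE_PKG` are set to absolute paths under `$(STAGING_DIR)` for the target variant, so please confirm where the bindings land on a target install. Unlike libcgroup.mk in this series, no `SETOOLS_LICENSE` or `SETOOLS_LICENSE_FILES` is set.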
-- 
1.7.1

^ permalink raw reply related	[flat|nested] 36+ messages in thread

* [Buildroot] [PATCH v2 08/17] libcgroup: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (6 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 07/17] setools: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 09/17] policycoreutils: " Clayton Shotwell
                   ` (8 subsequent siblings)
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Corrected the license version and license file to be correct.
  - Cleaned up the configure options to enable options for static
    libraries and linux-pam if they are selected in the configuration.

 package/Config.in              |    1 +
 package/libcgroup/Config.in    |    4 ++++
 package/libcgroup/libcgroup.mk |   38 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 0 deletions(-)
 create mode 100644 package/libcgroup/Config.in
 create mode 100644 package/libcgroup/libcgroup.mk

diff --git a/package/Config.in b/package/Config.in
index 0e7184a..a0ba26d 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -654,6 +654,7 @@ source "package/libatomic_ops/Config.in"
 source "package/libbsd/Config.in"
 source "package/libcap/Config.in"
 source "package/libcap-ng/Config.in"
+source "package/libcgroup/Config.in"
 source "package/libdaemon/Config.in"
 source "package/libelf/Config.in"
 source "package/libevent/Config.in"
diff --git a/package/libcgroup/Config.in b/package/libcgroup/Config.in
new file mode 100644
index 0000000..17d2db2
--- /dev/null
+++ b/package/libcgroup/Config.in
@@ -0,0 +1,4 @@
+config BR2_PACKAGE_LIBCGROUP
+	bool "libcgroup"
+	help
+	  libcgroup is a library that abstracts the control group file system in Linux. 
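Review bot: The help text for `BR2_PACKAGE_LIBCGROUP` has no upstream URL and ends in trailing whitespace. The policycoreutils Config.in in this series closes its help with the project URL, and this entry should do the same. The single description line should also be wrapped to the usual help width.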
diff --git a/package/libcgroup/libcgroup.mk b/package/libcgroup/libcgroup.mk
new file mode 100644
index 0000000..06f1e60
--- /dev/null
+++ b/package/libcgroup/libcgroup.mk
@@ -0,0 +1,38 @@
+################################################################################
+#
+# libcgroup
+#
+################################################################################
+
+LIBCGROUP_VERSION = 0.38
+LIBCGROUP_SOURCE = libcgroup-$(LIBCGROUP_VERSION).tar.bz2
+LIBCGROUP_SITE = http://sourceforge.net/projects/libcg/files/latest/download
+LIBCGROUP_LICENSE = LGPLv2.1
+LIBCGROUP_LICENSE_FILES = COPYING
+
+LIBCGROUP_INSTALL_STAGING = YES
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
+# large file support. See https://bugzilla.redhat.com/show_bug.cgi?id=574992 
+# for more information.
+LIBCGROUP_CONF_ENV = \
+	CXXFLAGS+="-U_FILE_OFFSET_BITS" \
+	CFLAGS+="-U_FILE_OFFSET_BITS"
+
+LIBCGROUP_CONF_OPT = \
+	--disable-tools \
+	--disable-daemon \
+	--disable-initscript-install
+
+ifeq ($(BR2_PREFER_STATIC_LIB),y)
+	LIBCGROUP_CONF_OPT += --enable-static --disable-shared
+endif
+
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+	LIBCGROUP_DEPENDENCIES += linux-pam
+	LIBCGROUP_CONF_OPT += --enable-pam
+else
+	LIBCGROUP_CONF_OPT += --disable-pam
+endif
+
+$(eval $(autotools-package))
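Review bot: `LIBCGROUP_SITE` points at SourceForge's `files/latest/download` while `LIBCGROUP_VERSION` pins 0.38, so the download location is not tied to the version being built and can stop matching once upstream publishes a newer release. Use the versioned directory for 0.38. It is also fetched over plain http, so the tarball's provenance rests entirely on that URL. Separately, `CFLAGS+="-U_FILE_OFFSET_BITS"` in `LIBCGROUP_CONF_ENV` relies on the shell accepting `+=` in an environment assignment, which is not POSIX. Writing `CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS"` (and likewise for CXXFLAGS) makes explicit which flags are kept. The comment block above it has trailing whitespace on two lines.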
-- 
1.7.1

^ permalink raw reply related	[flat|nested] 36+ messages in thread

* [Buildroot] [PATCH v2 09/17] policycoreutils: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (7 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 08/17] libcgroup: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 10/17] python-pyxml: " Clayton Shotwell
                   ` (7 subsequent siblings)
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed package dependencies into selects in the config.

 package/Config.in                                  |    1 +
 package/policycoreutils/Config.in                  |   69 ++++
 package/policycoreutils/S15restorecond             |   85 +++++
 .../policycoreutils-0001-crossCompileFixes.patch   |  332 ++++++++++++++++++++
 package/policycoreutils/policycoreutils.mk         |  230 ++++++++++++++
 5 files changed, 717 insertions(+), 0 deletions(-)
 create mode 100644 package/policycoreutils/Config.in
 create mode 100755 package/policycoreutils/S15restorecond
 create mode 100644 package/policycoreutils/policycoreutils-0001-crossCompileFixes.patch
 create mode 100644 package/policycoreutils/policycoreutils.mk

diff --git a/package/Config.in b/package/Config.in
index a0ba26d..d80518d 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -907,6 +907,7 @@ source "package/rtai/Config.in"
 endmenu
 
 menu "Security"
+source "package/policycoreutils/Config.in"
 source "package/sepolgen/Config.in"
 source "package/setools/Config.in"
 endmenu
diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
new file mode 100644
index 0000000..4e720d0
--- /dev/null
+++ b/package/policycoreutils/Config.in
@@ -0,0 +1,69 @@
+config BR2_PACKAGE_POLICYCOREUTILS
+	bool "policycoreutils"
+	select BR2_PACKAGE_LIBSEMANAGE
+	help
+	  Policycoreutils is a collection of policy utilities (originally 
+	  the "core" set of utilities needed to use SELinux, although it 
+	  has grown a bit over time), which have different dependencies. 
+	  sestatus, secon, run_init, and newrole only use libselinux. 
+	  load_policy and setfiles only use libselinux and libsepol. 
+	  semodule and semanage use libsemanage (and thus bring in 
+	  dependencies on libsepol and libselinux as well). setsebool 
+	  uses libselinux to make non-persistent boolean changes (via 
+	  the kernel interface) and uses libsemanage to make persistent 
+	  boolean changes. 
+	  
+	  The base package will install the following utilities:
+	      load_policy
+	      newrole
+	      restorecond
+	      run_init
+	      secon
+	      semodule
+	      semodule_deps
+	      semodule_expand
+	      semodule_link
+	      semodule_package
+	      sepolgen-ifgen
+	      sestatus
+	      setfiles
+	      setsebool
+	      
+	  http://selinuxproject.org/page/Main_Page
+
+if BR2_PACKAGE_POLICYCOREUTILS
+
+config BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING
+	bool "Policy Debugging Utilities"
+	select BR2_PACKAGE_PYTHON
+	select BR2_PACKAGE_SEPOLGEN
+	select BR2_PACKAGE_SETOOLS
+	help
+	  Enable policy debugging packages to be built.  These are being included
+	  separately because of dependencies.
+	      audit2allow
+	      audit2why
+	      semanage
+	      sepolicy
+	      scripts
+
+config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+	bool "restorecond Utility"
+	help
+	  Enable restorecond to be built
+
+config BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS
+	bool "mcstrans Utility"
+	select BR2_PACKAGE_PCRE
+	select BR2_PACKAGE_LIBCAP
+	help
+	  Enable mcstrans to be built
+
+config BR2_PACKAGE_POLICYCOREUTILS_SANDBOX
+	bool "sandbox Utility"
+	select BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING
+	select BR2_PACKAGE_LIBCGROUP
+	help
+	  Enable sandbox to be built
+
+endif
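Review bot: The help for `BR2_PACKAGE_POLICYCOREUTILS` lists restorecond among the utilities the base package installs, yet `BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND` is a separate option further down. One of the two is wrong, and the help should match what the .mk actually installs. `BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING` uses `select BR2_PACKAGE_PYTHON`, and select does not carry over whatever the Python option itself depends on, so those dependencies need to be repeated here (the same goes for the sandbox option, which selects the debugging option in turn). The sub-option help strings such as "Enable restorecond to be built" say nothing about what each tool does or why someone hardening an image would want it. Several help lines carry trailing whitespace.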
diff --git a/package/policycoreutils/S15restorecond b/package/policycoreutils/S15restorecond
new file mode 100755
index 0000000..e408281
--- /dev/null
+++ b/package/policycoreutils/S15restorecond
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# restorecond:		Daemon used to maintain path file context
+#
+# description:	restorecond uses inotify to look for creation of new files \
+# listed in the /etc/selinux/restorecond.conf file, and restores the \
+# correct security context.
+#
+# processname: /usr/sbin/restorecond
+# config: /etc/selinux/restorecond.conf 
+# pidfile: /var/run/restorecond.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+
+[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 7
+
+# Check that we are root ... so non-root users stop here
+test $EUID = 0  || exit 4
+
+test -x /usr/sbin/restorecond  || exit 5
+test -f /etc/selinux/restorecond.conf  || exit 6
+
+RETVAL=0
+
+start() 
+{
+	echo -n $"Starting restorecond: "
+	unset HOME MAIL USER USERNAME
+	/usr/sbin/restorecond 
+	RETVAL=$?
+	touch /var/lock/subsys/restorecond
+	echo
+	return $RETVAL
+}
+
+stop() 
+{
+	echo -n $"Shutting down restorecond: "
+	killproc restorecond
+	RETVAL=$?
+	rm -f  /var/lock/subsys/restorecond
+	echo
+	return $RETVAL
+}
+
+restart() 
+{
+	stop
+	start
+}
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  status)
+	status restorecond
+	RETVAL=$?
+	;;
+  force-reload|restart|reload)
+	restart
+	;;
+  condrestart)
+	[ -e /var/lock/subsys/restorecond ] && restart || :
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart}"
+	RETVAL=3
+esac
+
+exit $RETVAL
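Review bot: The script declares `#!/bin/sh` but depends on features a POSIX shell does not provide. `test $EUID = 0` uses the bash-only `EUID`, unquoted, so under a shell that leaves it unset the test cannot succeed and the script exits 4 before start() is reached, leaving restorecond not running and file contexts unmaintained. Use `[ "$(id -u)" -eq 0 ]` instead. `killproc` and `status` are called but never defined or sourced in this file, `$"..."` is bash locale-string syntax, and `/var/lock/subsys` is assumed to exist. start() also touches the lock file regardless of `RETVAL`, so condrestart will act on a daemon that failed to start. The header comment documents `/var/run/restorecond.pid`, but nothing in the script reads or writes it.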
diff --git a/package/policycoreutils/policycoreutils-0001-crossCompileFixes.patch b/package/policycoreutils/policycoreutils-0001-crossCompileFixes.patch
new file mode 100644
index 0000000..8f47907
--- /dev/null
+++ b/package/policycoreutils/policycoreutils-0001-crossCompileFixes.patch
@@ -0,0 +1,332 @@
+Patch to enable cross compile build and install.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/audit2allow/Makefile b/audit2allow/Makefile
+--- a/audit2allow/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/audit2allow/Makefile	2013-08-23 09:16:21.282917254 -0500
+@@ -3,7 +3,7 @@
+ BINDIR ?= $(PREFIX)/bin
+ LIBDIR ?= $(PREFIX)/lib
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ all: ;
+ 
+diff -urN a/load_policy/Makefile b/load_policy/Makefile
+--- a/load_policy/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/load_policy/Makefile	2013-08-23 09:16:21.282917254 -0500
+@@ -3,7 +3,7 @@
+ SBINDIR ?= $(DESTDIR)/sbin
+ USRSBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+diff -urN a/Makefile b/Makefile
+--- a/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -1,8 +1,8 @@
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
+ 
+-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
+ 
+-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
+ 	SUBDIRS += restorecond
+ endif
+ 
+diff -urN a/mcstrans/src/Makefile b/mcstrans/src/Makefile
+--- a/mcstrans/src/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/mcstrans/src/Makefile	2013-08-23 09:41:18.782916946 -0500
+@@ -1,22 +1,8 @@
+-ARCH = $(shell uname -i)
+-ifeq "$(ARCH)" "x86_64"
+-	# In case of 64 bit system, use these lines
+-	LIBDIR=/usr/lib64
+-else 
+-ifeq "$(ARCH)" "i686"
+-	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
+-else
+-ifeq "$(ARCH)" "i386"
+-	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
+-endif
+-endif
+-endif
+ # Installation directories.
+ PREFIX  ?= $(DESTDIR)/usr
+-SBINDIR ?= $(DESTDIR)/sbin
+-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
++LIBDIR  ?= $(PREFIX)/lib
++SBINDIR ?= $(PREFIX)/sbin
++INITDIR ?= $(DESTDIR)/etc/init.d
+ 
+ PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
+ PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
+@@ -40,5 +26,5 @@
+ 	install -m 755 $(INITSCRIPT).init $(INITDIR)/$(INITSCRIPT)
+ 
+ clean: 
+-	-rm -f $(OBJS) $(LOBJS) $(TARGET) $(PROG) $(PROG_OBJS) *~ \#*
++	-rm -f $(PROG) $(PROG_OBJS) *.o *~ \#*
+ 
+diff -urN a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
+--- a/mcstrans/utils/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/mcstrans/utils/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -1,24 +1,8 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
++LIBDIR  ?= $(PREFIX)/lib
+ BINDIR ?= $(PREFIX)/sbin
+ 
+-ARCH = $(shell uname -i)
+-ifeq "$(ARCH)" "x86_64"
+-        # In case of 64 bit system, use these lines
+-        LIBDIR=/usr/lib64
+-else
+-ifeq "$(ARCH)" "i686"
+-        # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
+-else
+-ifeq "$(ARCH)" "i386"
+-        # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
+-endif
+-endif
+-endif
+-
+-
+ CFLAGS ?= -Wall
+ override CFLAGS += -I../src -D_GNU_SOURCE
+ LDLIBS += -L../src ../src/mcstrans.o ../src/mls_level.o -lselinux -lpcre $(LIBDIR)/libsepol.a
+diff -urN a/newrole/Makefile b/newrole/Makefile
+--- a/newrole/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/newrole/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -3,9 +3,9 @@
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR = /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR = $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+@@ -24,7 +24,7 @@
+ EXTRA_OBJS =
+ override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	EXTRA_OBJS += hashtab.o
+ 	LDLIBS += -lpam -lpam_misc
+@@ -32,7 +32,7 @@
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -66,7 +66,7 @@
+ 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
+ 	install -m $(MODE) newrole $(BINDIR)
+ 	install -m 644 newrole.1 $(MANDIR)/man1/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ ifeq ($(LSPP_PRIV),y)
+ 	install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+diff -urN a/restorecond/Makefile b/restorecond/Makefile
+--- a/restorecond/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/restorecond/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -2,24 +2,29 @@
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+ LIBDIR ?= $(PREFIX)/lib
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
+ DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
+ 
+ autostart_DATA = sealertauto.desktop
+-INITDIR = $(DESTDIR)/etc/rc.d/init.d
++INITDIR = $(DESTDIR)/etc/init.d
+ SELINUXDIR = $(DESTDIR)/etc/selinux
+ 
+-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
++		-I$(PREFIX)/lib/dbus-1.0/include
+ DBUSLIB = -ldbus-glib-1 -ldbus-1
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
++		-I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
+ 
+ LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
+ 
+ all: restorecond
+ 
++%.o: %.c
++	$(CC) $(CFLAGS) -c -o $@ $<
++
+ restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h
+ 
+ restorecond:  ../setfiles/restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o
+diff -urN a/run_init/Makefile b/run_init/Makefile
+--- a/run_init/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/run_init/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -4,21 +4,21 @@
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR ?= /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	LDLIBS += -lpam -lpam_misc
+ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -38,7 +38,7 @@
+ 	install -m 755 open_init_pty $(SBINDIR)
+ 	install -m 644 run_init.8 $(MANDIR)/man8/
+ 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+ endif
+ 
+diff -urN a/semodule/Makefile b/semodule/Makefile
+--- a/semodule/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/semodule/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -2,7 +2,7 @@
+ PREFIX ?= $(DESTDIR)/usr
+ INCLUDEDIR ?= $(PREFIX)/include
+ SBINDIR ?= $(PREFIX)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+ 
+ CFLAGS ?= -Werror -Wall -W
+diff -urN a/sepolicy/Makefile b/sepolicy/Makefile
+--- a/sepolicy/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/sepolicy/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -5,25 +5,32 @@
+ BINDIR ?= $(PREFIX)/bin
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ PYTHON ?= /usr/bin/python
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+ 
+ BASHCOMPLETIONS=sepolicy-bash-completion.sh 
+ 
++PYTHON_ARGS = LDSHARED="$(CC) -shared" \
++		CROSS_COMPILING=yes              \
++		_python_sysroot=$(DESTDIR)       \
++		_python_srcdir=$(PYTHON_SRC)     \
++		_python_prefix=/usr              \
++		_python_exec_prefix=/usr
++
+ all: python-build
+ 
+ python-build: info.c search.c common.h policy.h policy.c
+-	$(PYTHON) setup.py build
++	$(PYTHON_ARGS) $(PYTHON) setup.py build
+ 
+ clean:
+ 	$(PYTHON) setup.py clean
+ 	-rm -rf build *~ \#* *pyc .#*
+ 
+ install:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON_ARGS) $(PYTHON) setup.py install --prefix=$(PREFIX)
+ 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
+ 	-mkdir -p $(MANDIR)/man8
+diff -urN a/sestatus/Makefile b/sestatus/Makefile
+--- a/sestatus/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/sestatus/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -1,11 +1,11 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+ LIBDIR ?= $(PREFIX)/lib
+ 
+-CFLAGS = -Werror -Wall -W
++CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+ LDLIBS = -lselinux -L$(LIBDIR)
+ 
+diff -urN a/setfiles/Makefile b/setfiles/Makefile
+--- a/setfiles/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/setfiles/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -1,24 +1,27 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+-PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
+-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
++PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk '{ print $$3 }')
++ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk '{ print $$3 }')
+ 
+-CFLAGS = -g -Werror -Wall -W
++CFLAGS ?= -g -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+ 
+ all: setfiles restorecon man
+ 
++%.o: %.c
++	$(CC) $(CFLAGS) -c -o $@ $<
++
+ setfiles:  setfiles.o restore.o
+ 
+ restorecon: setfiles
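Review bot: In the load_policy, newrole and run_init Makefile changes, LOCALEDIR becomes $(DESTDIR)/usr/share/locale, but the same variable is compiled into the binaries through -DLOCALEDIR="\"$(LOCALEDIR)\"". Because policycoreutils.mk builds with DESTDIR="$(STAGING_DIR)", the programs end up carrying the build host's staging path as their message-catalog directory, a path that does not exist on the target. That matters most for newrole, which the Makefile comment says becomes a setuid root program. Suggest keeping the compiled-in value as /usr/share/locale and applying DESTDIR only where files are installed, for example through a separate install-time variable.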
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
new file mode 100644
index 0000000..d4926f3
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.mk
@@ -0,0 +1,230 @@
+################################################################################
+#
+# policycoreutils
+#
+################################################################################
+
+POLICYCOREUTILS_VERSION = 2.1.14
+POLICYCOREUTILS_SITE = http://userspace.selinuxproject.org/releases/20130423/
+POLICYCOREUTILS_LICENSE = GPLv2
+POLICYCOREUTILS_LICENSE_FILES = COPYING
+
+# Both audit and linux-pam are required by the LSPP_PRIV=y option below
+POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng dbus-glib \
+	libglib2 linux-pam audit
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING),y)
+
+POLICYCOREUTILS_DEPENDENCIES += python host-python sepolgen setools
+
+POLICYCOREUTILS_DEBUGGING_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS) \
+	PYTHON="$(HOST_DIR)/usr/bin/python" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	PYTHON_SRC="$(BUILD_DIR)/python$(PYTHON_VERSION)"
+
+define POLICYCOREUTILS_DEBUGGING_BUILD_CMDS
+	$(MAKE) -C $(@D)/audit2allow $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/audit2why $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/scripts $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semanage $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sepolicy $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_DEBUGGING_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/audit2allow $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/audit2why $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/scripts $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semanage $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sepolicy $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
+
+define POLICYCOREUTILS_RESTORECOND_BUILD_CMDS
+	$(MAKE) -C $(@D)/restorecond $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_RESTORECOND_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/restorecond $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	rm $(TARGET_DIR)/etc/init.d/restorecond
+	$(INSTALL) -m 0755 package/policycoreutils/S15restorecond \
+		$(TARGET_DIR)/etc/init.d/
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS),y)
+
+POLICYCOREUTILS_DEPENDENCIES += pcre libcap
+
+define POLICYCOREUTILS_MCSTRANS_BUILD_CMDS
+	$(MAKE) -C $(@D)/mcstrans $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_MCSTRANS_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/mcstrans $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_SANDBOX),y)
+
+POLICYCOREUTILS_DEPENDENCIES += libcgroup
+
+define POLICYCOREUTILS_SANDBOX_BUILD_CMDS
+	$(MAKE) -C $(@D)/sandbox $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_SANDBOX_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/sandbox $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_SANDBOX
+
+define POLICYCOREUTILS_INSTALL_TARGET_PAM_CONFS
+	$(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd \
+		$(TARGET_DIR)/etc/pam.d/newrole
+	$(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd \
+		$(TARGET_DIR)/etc/pam.d/run_init
+endef
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+POLICYCOREUTILS_MAKE_OPTS = \
+	$(TARGET_CONFIGURE_OPTS) \
+	CFLAGS+="-U_FILE_OFFSET_BITS" \
+	LSPP_PRIV=y
+
+define POLICYCOREUTILS_BUILD_CMDS
+	$(MAKE) -C $(@D)/load_policy $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/newrole $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/restorecond $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/run_init $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/secon $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_deps $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_expand $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_link $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_package $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sepolgen-ifgen $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sestatus $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/setfiles $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/setsebool $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(POLICYCOREUTILS_DEBUGGING_BUILD_CMDS)
+	$(POLICYCOREUTILS_RESTORECOND_BUILD_CMDS)
+	$(POLICYCOREUTILS_MCSTRANS_BUILD_CMDS)
+	$(POLICYCOREUTILS_SANDBOX_BUILD_CMDS)
+endef
+
+define POLICYCOREUTILS_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/load_policy      DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/newrole          DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/restorecond      DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/run_init         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/secon            DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_deps    DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_expand  DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_link    DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_package DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sepolgen-ifgen   DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sestatus         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/setfiles         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/setsebool        DESTDIR="$(TARGET_DIR)" install
+	$(POLICYCOREUTILS_INSTALL_TARGET_PAM_CONFS)
+	$(POLICYCOREUTILS_DEBUGGING_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_RESTORECOND_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_MCSTRANS_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_SANDBOX_INSTALL_TARGET_CMDS)
+endef
+
+define POLICYCOREUTILS_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean DESTDIR=$(STAGING_DIR)
+	$(MAKE) -C $(@D)/mcstrans clean DESTDIR=$(STAGING_DIR)
+	$(MAKE) -C $(@D)/restorecond clean DESTDIR=$(STAGING_DIR)
+endef
+
+HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+HOST_POLICYCOREUTILS_MAKE_OPTS = \
+	$(HOST_CONFIGURE_OPTS) \
+	CFLAGS+="-U_FILE_OFFSET_BITS" \
+	LSPP_PRIV=y
+
+# Note: We are only building the programs required by the refpolicy build
+define HOST_POLICYCOREUTILS_BUILD_CMDS
+	$(MAKE) -C $(@D)/semodule $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_package $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_link $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_expand $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_deps $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/load_policy $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/setfiles $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_POLICYCOREUTILS_INSTALL_CMDS
+	$(MAKE) -C $(@D)/semodule install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_package install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_link install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_expand install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_deps install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/load_policy install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/setfiles install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_POLICYCOREUTILS_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
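Review bot: POLICYCOREUTILS_INSTALL_TARGET_CMDS runs every install without $(POLICYCOREUTILS_MAKE_OPTS) and with DESTDIR="$(TARGET_DIR)", whereas the build used DESTDIR="$(STAGING_DIR)". With the patched Makefiles, PAMH and AUDITH are probed under $(DESTDIR)/usr/include, so the install pass evaluates those ifeq tests against the target tree and without LSPP_PRIV=y or the cross-compile settings. The branches taken at install time (for example the ifeq ($(LSPP_PRIV),y) choice of PAM file in newrole) can then differ from what was built, and anything make decides to rebuild would not use the target toolchain options. Suggest passing the same make options to install and probing headers through a variable that stays on the staging directory. Separately, restorecond is built and installed unconditionally here as well as under BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND, so the option currently only swaps the init script, and the rm in that block has no -f.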
-- 
1.7.1


* [Buildroot] [PATCH v2 10/17] python-pyxml: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (8 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 09/17] policycoreutils: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 11/17] refpolicy: " Clayton Shotwell
                   ` (6 subsequent siblings)
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.

 package/Config.in                  |    1 +
 package/python-pyxml/Config.in     |   11 +++++++
 package/python-pyxml/python-xml.mk |   58 ++++++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 0 deletions(-)
 create mode 100644 package/python-pyxml/Config.in
 create mode 100644 package/python-pyxml/python-xml.mk

diff --git a/package/Config.in b/package/Config.in
index d80518d..84190f2 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -394,6 +394,7 @@ source "package/python-protobuf/Config.in"
 source "package/python-pygame/Config.in"
 source "package/python-pyparsing/Config.in"
 source "package/python-pyro/Config.in"
+source "package/python-pyxml/Config.in"
 source "package/python-serial/Config.in"
 source "package/python-setuptools/Config.in"
 source "package/python-thrift/Config.in"
diff --git a/package/python-pyxml/Config.in b/package/python-pyxml/Config.in
new file mode 100644
index 0000000..420f3ad
--- /dev/null
+++ b/package/python-pyxml/Config.in
@@ -0,0 +1,11 @@
+config BR2_PACKAGE_PYTHON_PYXML
+	bool "python-pyxml"
+	depends on BR2_PACKAGE_PYTHON
+	help
+	  This is the Python XML package.  The distribution contains a
+	  validating XML parser, an implementation of the SAX and DOM
+	  programming interfaces, an interface to the Expat parser (and the
+	  Expat parser itself), and a C helper module that can speed up
+	  xmllib.py by a factor of 5.  There's even documentation!
+
+	  http://pyxml.sourceforge.net/topics/index.html
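Review bot: BR2_PACKAGE_PYTHON_PYXML only has "depends on BR2_PACKAGE_PYTHON", while the .mk file lists expat in PYTHON_PYXML_DEPENDENCIES and builds with --with-libexpat=$(STAGING_DIR)/usr. Add "select BR2_PACKAGE_EXPAT" so the Kconfig entry matches the build dependency and expat is actually enabled in the configuration.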
diff --git a/package/python-pyxml/python-xml.mk b/package/python-pyxml/python-xml.mk
new file mode 100644
index 0000000..0723e42
--- /dev/null
+++ b/package/python-pyxml/python-xml.mk
@@ -0,0 +1,58 @@
+################################################################################
+#
+# python-pyxml
+#
+################################################################################
+
+PYTHON_PYXML_VERSION = 0.8.4
+PYTHON_PYXML_SOURCE  = PyXML-$(PYTHON_PYXML_VERSION).tar.gz
+PYTHON_PYXML_SITE    = http://sourceforge.net/projects/pyxml/files/pyxml/0.8.4/PyXML-0.8.4.tar.gz/download
+PYTHON_PYXML_LICENSE = BSD-3c
+PYTHON_PYXML_LICENSE_FILES = LICENSE
+
+PYTHON_PYXML_DEPENDENCIES = host-python python expat
+
+PYTHON_PYXML_INSTALL_STAGING = NO
+
+define PYTHON_PYXML_BUILD_CMDS
+	(cd $(@D); \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include" \
+		LDSHARED="$(TARGET_CC) -shared" \
+		LDFLAGS="$(TARGET_LDFLAGS) -L$(STAGING_DIR)/lib -L$(STAGING_DIR)/usr/lib" \
+		$(HOST_DIR)/usr/bin/python setup.py build_ext \
+		--include-dirs=$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR) \
+		--with-libexpat=$(STAGING_DIR)/usr \
+	)
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build)
+endef
+
+define PYTHON_PYXML_CLEAN_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py clean -a)
+endef
+
+define PYTHON_PYXML_INSTALL_STAGING_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(STAGING_DIR)/usr)
+endef
+
+define PYTHON_PYXML_INSTALL_TARGET_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(TARGET_DIR)/usr)
+endef
+
+HOST_PYTHON_PYXML_DEPENDENCIES = host-python
+
+define HOST_PYTHON_PYXML_BUILD_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build_ext --with-libexpat=$(HOST_DIR)/usr)
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build)
+endef
+
+define HOST_PYTHON_PYXML_CLEAN_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py clean)
+endef
+
+define HOST_PYTHON_PYXML_INSTALL_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(HOST_DIR)/usr)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
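Review bot: PYTHON_PYXML_SITE is set to the full tarball URL ending in /download even though PYTHON_PYXML_SOURCE is defined separately; Buildroot fetches $(SITE)/$(SOURCE), so SITE should be the directory that contains the tarball. Smaller points: the file is named python-xml.mk inside package/python-pyxml, which does not match the package name; PYTHON_PYXML_INSTALL_STAGING_CMDS is dead code while PYTHON_PYXML_INSTALL_STAGING = NO; and the host build passes --with-libexpat=$(HOST_DIR)/usr without host-expat in HOST_PYTHON_PYXML_DEPENDENCIES.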
-- 
1.7.1


* [Buildroot] [PATCH v2 11/17] refpolicy: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (9 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 10/17] python-pyxml: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-18  5:18   ` Thomas Petazzoni
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 12/17] python-pyparsing: Add host build option Clayton Shotwell
                   ` (5 subsequent siblings)
  16 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to match the standard 4 digit numbering.
  - Changed package dependencies into selects in the config.

 package/Config.in                                  |    1 +
 package/refpolicy/Config.in                        |   88 ++
 package/refpolicy/S12selinux                       |  134 +++
 package/refpolicy/config                           |   10 +
 .../refpolicy-0001-gentoo_hardened_fixes.patch     | 1250 ++++++++++++++++++++
 package/refpolicy/refpolicy.mk                     |   86 ++
 6 files changed, 1569 insertions(+), 0 deletions(-)
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S12selinux
 create mode 100755 package/refpolicy/config
 create mode 100644 package/refpolicy/refpolicy-0001-gentoo_hardened_fixes.patch
 create mode 100644 package/refpolicy/refpolicy.mk

diff --git a/package/Config.in b/package/Config.in
index 84190f2..847b8d2 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -909,6 +909,7 @@ endmenu
 
 menu "Security"
 source "package/policycoreutils/Config.in"
+source "package/refpolicy/Config.in"
 source "package/sepolgen/Config.in"
 source "package/setools/Config.in"
 endmenu
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
new file mode 100644
index 0000000..8f44052
--- /dev/null
+++ b/package/refpolicy/Config.in
@@ -0,0 +1,88 @@
+config BR2_PACKAGE_REFPOLICY
+	bool "refpolicy"
+	select BR2_PACKAGE_POLICYCOREUTILS
+	help
+	  The SELinux Reference Policy project (refpolicy) is a 
+	  complete SELinux policy that can be used as the system 
+	  policy for a variety of systems and used as the basis 
+	  for creating other policies. Reference Policy was originally 
+	  based on the NSA example policy, but aims to accomplish 
+	  many additional goals. 
+
+if BR2_PACKAGE_REFPOLICY
+
+config BR2_PACKAGE_REFPOLICY_PATCH_FOLDER
+	string "Build specific refpolicy patches folder"
+	default ""
+	help
+	  A path to a folder containing board specific 
+	  configuration patch files.  These will get applied
+	  after the patches in the package folder.
+
+choice
+	prompt "SELinux policy type"
+	default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+		bool "Standard"
+		help
+		  Standard SELinux policy
+	
+	config BR2_PACKAGE_REFPOLICY_TYPE_MCS
+		bool "MCS"
+		help
+		  SELinux policy with multi-catagory support
+	
+	config BR2_PACKAGE_REFPOLICY_TYPE_MLS
+		bool "MLS"
+		help
+		  SELinux policy with multi-catagory and multi-level support
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_TYPE
+	string
+	default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+	default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
+	default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
+
+choice
+	prompt "SELinux Policy Distribution"
+	default BR2_PACKAGE_REFPOLICY_DIST_REDHAT
+	
+	config BR2_PACKAGE_REFPOLICY_DIST_REDHAT
+		bool "redhat"
+
+	config BR2_PACKAGE_REFPOLICY_DIST_GENTOO
+		bool "gentoo"
+
+	config BR2_PACKAGE_REFPOLICY_DIST_DEBIAN
+		bool "debian"
+
+	config BR2_PACKAGE_REFPOLICY_DIST_SUSE
+		bool "suse"
+
+	config BR2_PACKAGE_REFPOLICY_DIST_REDHAT14
+		bool "redhat 14"
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_DIST
+	string
+	default "redhat" if BR2_PACKAGE_REFPOLICY_DIST_REDHAT
+	default "gentoo" if BR2_PACKAGE_REFPOLICY_DIST_GENTOO
+	default "debian" if BR2_PACKAGE_REFPOLICY_DIST_DEBIAN
+	default "suse" if BR2_PACKAGE_REFPOLICY_DIST_SUSE
+	default "rhel14" if BR2_PACKAGE_REFPOLICY_DIST_REDHAT14
+
+config BR2_PACKAGE_REFPOLICY_MONOLITHIC
+	bool "Build a monolithic SELinux policy"
+	default y
+	help
+	  Select Y to build a monolithic SELinux policy otherwise
+	  a modular policy will be built. Note, this is suggested
+	  for embedded systems.
+
+config BR2_PACKAGE_REFPOLICY_NAME
+	string "Name for the SELinux policy"
+	default "refpolicy"
+
+endif
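Review bot: The help text of BR2_PACKAGE_REFPOLICY_MONOLITHIC ends with "Note, this is suggested for embedded systems", which does not say whether "this" is the monolithic or the modular build; with "default y" it presumably means monolithic, so the text should say so. Also, "multi-catagory" should read "multi-category" in the MCS and MLS help, the "redhat 14" choice maps to the string "rhel14" with no help text explaining what it selects, and several help lines carry trailing whitespace.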
diff --git a/package/refpolicy/S12selinux b/package/refpolicy/S12selinux
new file mode 100644
index 0000000..24aec7a
--- /dev/null
+++ b/package/refpolicy/S12selinux
@@ -0,0 +1,134 @@
+#!/bin/sh
+################################################################################
+#
+# This file labels the security contexts of memory based filesystems such as
+# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
+# The 'stop' argument drops the security mode to 'permissive'.
+#
+# This script is a heavily stripped down and modified version of the one use
+# in CentOS 6.2
+#
+################################################################################
+
+failed()
+{
+   echo $1
+   exit 1
+}
+
+setup_selinux() {
+   # Get SELinux config env vars
+   . /etc/selinux/config || failed "Failed to source the SELinux config"
+
+   # Create required directories
+   mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ || 
+         failed "Failed to create the policy folder"
+   mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \
+         failed "Failed to create the modules folder"
+   if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]
+   then
+      touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \
+            failed "Failed to create the file_contexts.local file"
+   fi
+   
+   # Install modules
+   semodule -v -s ${SELINUXTYPE} -b /usr/share/selinux/${SELINUXTYPE}/base.pp \
+         -i $(ls /usr/share/selinux/${SELINUXTYPE}/*.pp | grep -v base) || \
+         failed "Failed to install the base policy"
+   
+   # Load the policy to activate it
+   load_policy -i || failed "Failed to load the SELinux policy"
+}
+
+relabel_selinux() {
+   # if /sbin/init is not labeled correctly this process is running in the
+   # wrong context, so a reboot will be required after relabel
+   AUTORELABEL=
+
+   # Get SELinux config env vars
+   . /etc/selinux/config || failed "Failed to source the SELinux config"
+
+   # Switch to Permissive mode
+   echo "0" > /selinux/enforce || failed "Failed to disable enforcing mode"
+
+   echo
+   echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+   echo "*** Relabeling could take a very long time, depending on file"
+   echo "*** system size and speed of hard drives."
+
+   # Relabel mount points
+   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
+         >/dev/null 2>&1 || failed "Failed to relabel the mount points"
+   
+   # Relabel file system
+   echo "Relabeling file systems"
+   restorecon -R -F / || failed "Failed to relabel the file system"
+
+   # Remove label
+   rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
+   
+   # Reboot to activate relabeled file system
+   echo "Automatic reboot in progress."
+   reboot -f
+}
+
+start() {
+   echo -n "Initializing SELinux: "
+
+   # Check to see if the default policy has been installed
+   if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then
+      setup_selinux
+   fi
+
+   # Check SELinux status
+   SELINUX_STATE=
+   if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
+      if [ -r "/selinux/enforce" ] ; then
+         SELINUX_STATE=$(cat "/selinux/enforce")
+      else
+         # assume enforcing if you can't read it
+         SELINUX_STATE=1
+      fi
+   fi
+
+   # Context Label /dev/
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ] && fgrep " /dev " /proc/mounts >/dev/null 2>&1 ; then
+      /sbin/restorecon -R -F /dev 2>/dev/null
+   fi
+
+   # Context Label tmpfs mounts
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1
+   fi
+
+   # Clean up SELinux labels
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1
+   fi
+
+   # Check for filesystem relabel request
+   if [ -f /.autorelabel ] ; then
+      relabel_selinux
+   fi
+
+   echo "OK"
+}  
+stop() {
+   # There is nothing to do
+   echo "OK" 
+}
+
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   *)
+      echo "Usage: $0 {start|stop}"
+      exit 1
+      ;;
+esac
+
+exit $?
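Review bot: relabel_selinux() switches to permissive with 'echo "0" > /selinux/enforce' and no later path sets it back. Every error after that point goes through failed(), whose definition is not in this part of the script, so unless failed() stops the boot, a restorecon error leaves the system running permissive with /.autorelabel still present. Restore the previous enforce value (or halt) on the failure path, and guard the first restorecon call against an empty mount-point list, since it is invoked with no paths when /etc/fstab has no matching entries. The hard-coded /selinux/enforce path also matters in start(): if selinuxfs is mounted elsewhere, SELINUX_STATE stays empty and every restorecon block guarded by -n "$SELINUX_STATE" is skipped without a message.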
diff --git a/package/refpolicy/config b/package/refpolicy/config
new file mode 100755
index 0000000..c482b3f
--- /dev/null
+++ b/package/refpolicy/config
@@ -0,0 +1,10 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE= can take one of these two values:
+#     targeted - Targeted processes are protected,
+#     mls - Multi Level Security protection.
+SELINUXTYPE=refpolicy
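Review bot: the SELINUXTYPE comment lists targeted and mls as the only two values, but the file sets SELINUXTYPE=refpolicy, the name the init script expands in /usr/share/selinux/${SELINUXTYPE}. Update the comment to describe the value actually shipped. SELINUX=permissive as the default also means a freshly built image logs denials without enforcing them, so the comment or the package help should say that the integrator has to switch to enforcing.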
diff --git a/package/refpolicy/refpolicy-0001-gentoo_hardened_fixes.patch b/package/refpolicy/refpolicy-0001-gentoo_hardened_fixes.patch
new file mode 100644
index 0000000..c1c398f
--- /dev/null
+++ b/package/refpolicy/refpolicy-0001-gentoo_hardened_fixes.patch
@@ -0,0 +1,1250 @@
+From: Dominick Grift <dominick.grift@gmail.com>
+Date: Fri, 16 Aug 2013 07:07:37 +0000 (+0200)
+Subject: Fix monolithic built
+X-Git-Url: http://git.overlays.gentoo.org/gitweb/?p=proj%2Fhardened-refpolicy.git;a=commitdiff_plain;h=86500de7
+
+Fix monolithic built
+
+Make unconfined_cronjob_t declaration mandatory, because else monolithic
+built fails due to duplicate declaration
+
+Deprecate kerberos_keytab_template:
+
+Keytab type declarations have to be mandatory, because else monolithic
+built fails due to out-of-scope
+
+This keytab solution does not make sense in its current implementation,
+as many corresponding file context specs are missing, and there are no
+type transtion rules
+
+Replaced two deprecated interface calls
+
+Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
+---
+
+diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
+index a1d1131..655cbe1 100644
+--- a/policy/modules/contrib/apache.if
++++ b/policy/modules/contrib/apache.if
+@@ -1203,9 +1203,9 @@ interface(`apache_admin',`
+ 		attribute httpd_script_domains, httpd_htaccess_type;
+ 		type httpd_t, httpd_config_t, httpd_log_t;
+ 		type httpd_modules_t, httpd_lock_t, httpd_helper_t;
+-		type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
++		type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
+ 		type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
+-		type httpd_initrc_exec_t, httpd_suexec_t;
++		type httpd_initrc_exec_t, httpd_keytab_t;
+ 	')
+ 
+ 	allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
+@@ -1222,7 +1222,7 @@ interface(`apache_admin',`
+ 	miscfiles_manage_public_files($1)
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { httpd_config_t httpd_keytab_t })
++	admin_pattern($1, { httpd_keytab_t httpd_config_t })
+ 
+ 	logging_search_logs($1)
+ 	admin_pattern($1, httpd_log_t)
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 0da7cc3..99bb9b5 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -1,4 +1,4 @@
+-policy_module(apache, 2.7.0)
++policy_module(apache, 2.7.1)
+ 
+ ########################################
+ #
+@@ -283,6 +283,9 @@ role httpd_helper_roles types httpd_helper_t;
+ type httpd_initrc_exec_t;
+ init_script_file(httpd_initrc_exec_t)
+ 
++type httpd_keytab_t;
++files_type(httpd_keytab_t)
++
+ type httpd_lock_t;
+ files_lock_file(httpd_lock_t)
+ 
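Review bot: httpd_keytab_t is declared here with files_type() and the next hunk lets httpd_t read it, but nothing visible in this patch adds a file context entry for the type, and the commit message itself says the corresponding file context specs are missing. Until a .fc entry or a manual label exists, no file carries this type and the allow rule has no effect. A comment at the declaration saying so would stop readers assuming the keytab is already confined. The same applies to the other *_keytab_t declarations added in this patch.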
+@@ -391,6 +394,8 @@ allow httpd_t httpd_config_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+ 
++allow httpd_t httpd_keytab_t:file read_file_perms;
++
+ allow httpd_t httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(httpd_t, httpd_lock_t, file)
+ 
+@@ -781,10 +786,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(httpd, httpd_t)
+ 	kerberos_manage_host_rcache(httpd_t)
++	kerberos_read_keytab(httpd_t)
+ 	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
+ 	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
++	kerberos_use(httpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
+index 089430a..f24e369 100644
+--- a/policy/modules/contrib/automount.if
++++ b/policy/modules/contrib/automount.if
+@@ -153,6 +153,7 @@ interface(`automount_admin',`
+ 	gen_require(`
+ 		type automount_t, automount_lock_t, automount_tmp_t;
+ 		type automount_var_run_t, automount_initrc_exec_t;
++		type automount_keytab_t;
+ 	')
+ 
+ 	allow $1 automount_t:process { ptrace signal_perms };
+@@ -163,6 +164,9 @@ interface(`automount_admin',`
+ 	role_transition $2 automount_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, automount_keytab_t)
++
+ 	files_list_var($1)
+ 	admin_pattern($1, automount_lock_t)
+ 
+diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
+index d4e58ea..27d2f40 100644
+--- a/policy/modules/contrib/automount.te
++++ b/policy/modules/contrib/automount.te
+@@ -1,4 +1,4 @@
+-policy_module(automount, 1.14.0)
++policy_module(automount, 1.14.1)
+ 
+ ########################################
+ #
+@@ -12,8 +12,8 @@ init_daemon_domain(automount_t, automount_exec_t)
+ type automount_initrc_exec_t;
+ init_script_file(automount_initrc_exec_t)
+ 
+-type automount_var_run_t;
+-files_pid_file(automount_var_run_t)
++type automount_keytab_t;
++files_type(automount_keytab_t)
+ 
+ type automount_lock_t;
+ files_lock_file(automount_lock_t)
+@@ -22,6 +22,9 @@ type automount_tmp_t;
+ files_tmp_file(automount_tmp_t)
+ files_mountpoint(automount_tmp_t)
+ 
++type automount_var_run_t;
++files_pid_file(automount_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -36,6 +39,8 @@ allow automount_t self:rawip_socket create_socket_perms;
+ 
+ can_exec(automount_t, automount_exec_t)
+ 
++allow automount_t automount_keytab_t:file read_file_perms;
++
+ allow automount_t automount_lock_t:file manage_file_perms;
+ files_lock_filetrans(automount_t, automount_lock_t, file)
+ 
+@@ -143,8 +148,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(automount, automount_t)
+ 	kerberos_read_config(automount_t)
++	kerberos_read_keytab(automount_t)
++	kerberos_use(automount_t)
+ 	kerberos_dontaudit_write_config(automount_t)
+ ')
+ 
+diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
+index 866a1e2..531a8f2 100644
+--- a/policy/modules/contrib/bind.if
++++ b/policy/modules/contrib/bind.if
+@@ -364,6 +364,7 @@ interface(`bind_admin',`
+ 		type named_t, named_tmp_t, named_log_t;
+ 		type named_cache_t, named_zone_t, named_initrc_exec_t;
+ 		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
++		type named_keytab_t;
+ 	')
+ 
+ 	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+@@ -381,7 +382,7 @@ interface(`bind_admin',`
+ 	admin_pattern($1, named_log_t)
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, named_conf_t)
++	admin_pattern($1, { named_keytab_t named_conf_t })
+ 
+ 	files_list_var($1)
+ 	admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
+diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
+index b01e493..1241123 100644
+--- a/policy/modules/contrib/bind.te
++++ b/policy/modules/contrib/bind.te
+@@ -1,4 +1,4 @@
+-policy_module(bind, 1.13.0)
++policy_module(bind, 1.13.1)
+ 
+ ########################################
+ #
+@@ -44,6 +44,9 @@ files_type(named_cache_t)
+ type named_initrc_exec_t;
+ init_script_file(named_initrc_exec_t)
+ 
++type named_keytab_t;
++files_type(named_keytab_t)
++
+ type named_log_t;
+ logging_log_file(named_log_t)
+ 
+@@ -84,7 +87,7 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+ manage_files_pattern(named_t, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+ 
+-can_exec(named_t, named_exec_t)
++allow named_t named_keytab_t:file read_file_perms;
+ 
+ append_files_pattern(named_t, named_log_t, named_log_t)
+ create_files_pattern(named_t, named_log_t, named_log_t)
+@@ -100,6 +103,8 @@ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })
+ 
++can_exec(named_t, named_exec_t)
++
+ allow named_t named_zone_t:dir list_dir_perms;
+ read_files_pattern(named_t, named_zone_t, named_zone_t)
+ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+@@ -182,7 +187,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(named, named_t)
++	kerberos_read_keytab(named_t)
++	kerberos_use(named_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
+index d865049..41bb279 100644
+--- a/policy/modules/contrib/cron.te
++++ b/policy/modules/contrib/cron.te
+@@ -1,4 +1,4 @@
+-policy_module(cron, 2.6.0)
++policy_module(cron, 2.6.1)
+ 
+ gen_require(`
+ 	class passwd rootok;
+@@ -701,22 +701,22 @@ optional_policy(`
+ # Unconfined local policy
+ #
+ 
+-optional_policy(`
+-	type unconfined_cronjob_t;
+-	domain_type(unconfined_cronjob_t)
+-	domain_cron_exemption_target(unconfined_cronjob_t)
++type unconfined_cronjob_t;
++domain_type(unconfined_cronjob_t)
++domain_cron_exemption_target(unconfined_cronjob_t)
+ 
+-	dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
++dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ 
+-	unconfined_domain(unconfined_cronjob_t)
++tunable_policy(`cron_userdomain_transition',`
++	dontaudit crond_t unconfined_cronjob_t:process transition;
++	dontaudit crond_t unconfined_cronjob_t:fd use;
++	dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
++',`
++	allow crond_t unconfined_cronjob_t:process transition;
++	allow crond_t unconfined_cronjob_t:fd use;
++	allow crond_t unconfined_cronjob_t:key manage_key_perms;
++')
+ 
+-	tunable_policy(`cron_userdomain_transition',`
+-		dontaudit crond_t unconfined_cronjob_t:process transition;
+-		dontaudit crond_t unconfined_cronjob_t:fd use;
+-		dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
+-	',`
+-		allow crond_t unconfined_cronjob_t:process transition;
+-		allow crond_t unconfined_cronjob_t:fd use;
+-		allow crond_t unconfined_cronjob_t:key manage_key_perms;
+-	')
++optional_policy(`
++	unconfined_domain(unconfined_cronjob_t)
+ ')
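Review bot: with the unconfined_cronjob_t declaration and the tunable_policy block moved out of optional_policy, crond_t gets process transition, fd use and key management on unconfined_cronjob_t (in the allow branch of cron_userdomain_transition) even in builds where the unconfined module is absent and unconfined_domain() is never applied. The commit message gives the reason (monolithic build fails on a duplicate declaration); put that reason in a comment above the declaration, and consider whether the tunable_policy block can stay inside the remaining optional_policy so the allow rules still depend on the unconfined module.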
+diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
+index 9fa7ffb..64775fd 100644
+--- a/policy/modules/contrib/cvs.if
++++ b/policy/modules/contrib/cvs.if
+@@ -59,7 +59,7 @@ interface(`cvs_exec',`
+ interface(`cvs_admin',`
+ 	gen_require(`
+ 		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+-		type cvs_data_t, cvs_var_run_t;
++		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+ 	')
+ 
+ 	allow $1 cvs_t:process { ptrace signal_perms };
+@@ -70,6 +70,9 @@ interface(`cvs_admin',`
+ 	role_transition $2 cvs_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_search_etc($1)
++	admin_pattern($1, cvs_keytab_t)
++
+ 	files_list_tmp($1)
+ 	admin_pattern($1, cvs_tmp_t)
+ 
+diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
+index 6c544e5..17df324 100644
+--- a/policy/modules/contrib/cvs.te
++++ b/policy/modules/contrib/cvs.te
+@@ -1,4 +1,4 @@
+-policy_module(cvs, 1.10.0)
++policy_module(cvs, 1.10.1)
+ 
+ ########################################
+ #
+@@ -24,6 +24,9 @@ files_type(cvs_data_t)
+ type cvs_initrc_exec_t;
+ init_script_file(cvs_initrc_exec_t)
+ 
++type cvs_keytab_t;
++files_type(cvs_keytab_t)
++
+ type cvs_tmp_t;
+ files_tmp_file(cvs_tmp_t)
+ 
+@@ -44,6 +47,8 @@ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ 
++allow cvs_t cvs_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })
+@@ -87,8 +92,9 @@ tunable_policy(`allow_cvs_read_shadow',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(cvs, cvs_t)
+ 	kerberos_read_config(cvs_t)
++	kerberos_read_keytab(cvs_t)
++	kerberos_use(cvs_t)
+ 	kerberos_dontaudit_write_config(cvs_t)
+ ')
+ 
+diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
+index 6508280..83bfda6 100644
+--- a/policy/modules/contrib/cyrus.if
++++ b/policy/modules/contrib/cyrus.if
+@@ -61,6 +61,7 @@ interface(`cyrus_admin',`
+ 	gen_require(`
+ 		type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+ 		type cyrus_var_run_t, cyrus_initrc_exec_t;
++		type cyrus_keytab_t;
+ 	')
+ 
+ 	allow $1 cyrus_t:process { ptrace signal_perms };
+@@ -71,6 +72,9 @@ interface(`cyrus_admin',`
+ 	role_transition $2 cyrus_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, cyrus_keytab_t)
++
+ 	files_list_tmp($1)
+ 	admin_pattern($1, cyrus_tmp_t)
+ 
+diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
+index 0cef3ef..4283f2d 100644
+--- a/policy/modules/contrib/cyrus.te
++++ b/policy/modules/contrib/cyrus.te
+@@ -1,4 +1,4 @@
+-policy_module(cyrus, 1.13.0)
++policy_module(cyrus, 1.13.1)
+ 
+ ########################################
+ #
+@@ -12,6 +12,9 @@ init_daemon_domain(cyrus_t, cyrus_exec_t)
+ type cyrus_initrc_exec_t;
+ init_script_file(cyrus_initrc_exec_t)
+ 
++type cyrus_keytab_t;
++files_type(cyrus_keytab_t)
++
+ type cyrus_tmp_t;
+ files_tmp_file(cyrus_tmp_t)
+ 
+@@ -41,6 +44,8 @@ allow cyrus_t self:unix_dgram_socket sendto;
+ allow cyrus_t self:unix_stream_socket { accept connectto listen };
+ allow cyrus_t self:tcp_socket { accept listen };
+ 
++allow cyrus_t cyrus_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+ manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+ files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file })
+@@ -116,7 +121,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(cyrus, cyrus_t)
++	kerberos_read_keytab(cyrus_t)
++	kerberos_use(cyrus_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
+index dbcac59..d5badb7 100644
+--- a/policy/modules/contrib/dovecot.if
++++ b/policy/modules/contrib/dovecot.if
+@@ -143,6 +143,7 @@ interface(`dovecot_admin',`
+ 		type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
+ 		type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
+ 		type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
++		type dovecot_keytab_t;
+ 	')
+ 
+ 	allow $1 dovecot_t:process { ptrace signal_perms };
+@@ -154,7 +155,7 @@ interface(`dovecot_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, dovecot_etc_t)
++	admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, dovecot_var_log_t)
+diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
+index 3a6e733..0aabc7e 100644
+--- a/policy/modules/contrib/dovecot.te
++++ b/policy/modules/contrib/dovecot.te
+@@ -1,4 +1,4 @@
+-policy_module(dovecot, 1.16.0)
++policy_module(dovecot, 1.16.1)
+ 
+ ########################################
+ #
+@@ -38,6 +38,9 @@ files_config_file(dovecot_etc_t)
+ type dovecot_initrc_exec_t;
+ init_script_file(dovecot_initrc_exec_t)
+ 
++type dovecot_keytab_t;
++files_type(dovecot_keytab_t)
++
+ type dovecot_passwd_t;
+ files_type(dovecot_passwd_t)
+ 
+@@ -99,6 +102,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+ allow dovecot_t dovecot_cert_t:file read_file_perms;
+ allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+ 
++allow dovecot_t dovecot_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+@@ -182,9 +187,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(dovecot, dovecot_t)
+ 	kerberos_manage_host_rcache(dovecot_t)
++	kerberos_read_keytab(dovecot_t)
+ 	kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
++	kerberos_use(dovecot_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
+index 6041113..94a8269 100644
+--- a/policy/modules/contrib/exim.if
++++ b/policy/modules/contrib/exim.if
+@@ -244,6 +244,7 @@ interface(`exim_admin',`
+ 	gen_require(`
+ 		type exim_t, exim_spool_t, exim_log_t;
+ 		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
++		type exim_keytab_t;
+ 	')
+ 
+ 	allow $1 exim_t:process { ptrace signal_perms };
+@@ -254,6 +255,9 @@ interface(`exim_admin',`
+ 	role_transition $2 exim_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_search_etc($1)
++	admin_pattern($1, exim_keytab_t)
++
+ 	files_search_spool($1)
+ 	admin_pattern($1, exim_spool_t)
+ 
+diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
+index c9c04ee..7e8cf42 100644
+--- a/policy/modules/contrib/exim.te
++++ b/policy/modules/contrib/exim.te
+@@ -1,4 +1,4 @@
+-policy_module(exim, 1.6.0)
++policy_module(exim, 1.6.1)
+ 
+ ########################################
+ #
+@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t)
+ type exim_initrc_exec_t;
+ init_script_file(exim_initrc_exec_t)
+ 
++type exim_keytab_t;
++files_type(exim_keytab_t)
++
+ type exim_log_t;
+ logging_log_file(exim_log_t)
+ 
+@@ -68,6 +71,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
+ allow exim_t self:unix_stream_socket { accept listen };
+ allow exim_t self:tcp_socket { accept listen };
+ 
++allow exim_t exim_keytab_t:file read_file_perms;
++
+ append_files_pattern(exim_t, exim_log_t, exim_log_t)
+ create_files_pattern(exim_t, exim_log_t, exim_log_t)
+ setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
+@@ -188,7 +193,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(exim, exim_t)
++	kerberos_read_keytab(exim_t)
++	kerberos_use(exim_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
+index d062080..4498143 100644
+--- a/policy/modules/contrib/ftp.if
++++ b/policy/modules/contrib/ftp.if
+@@ -176,6 +176,7 @@ interface(`ftp_admin',`
+ 		type ftpd_etc_t, ftpd_lock_t, sftpd_t;
+ 		type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
+ 		type ftpd_initrc_exec_t, ftpdctl_tmp_t;
++		type ftpd_keytab_t;
+ 	')
+ 
+ 	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
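Review bot: the context line "allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };" names anon_sftpd without the _t suffix, while the gen_require block just above it requires anon_sftpd_t. This patch does not touch that line, but since it is already editing ftp_admin, correcting the name to anon_sftpd_t in the same change would stop the interface referring to an identifier it never requires.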
+@@ -192,7 +193,7 @@ interface(`ftp_admin',`
+ 	admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, ftpd_etc_t)
++	admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })
+ 
+ 	files_list_var($1)
+ 	admin_pattern($1, ftpd_lock_t)
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index 544c512..36838c2 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -1,4 +1,4 @@
+-policy_module(ftp, 1.15.0)
++policy_module(ftp, 1.15.1)
+ 
+ ########################################
+ #
+@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
+ type ftpd_initrc_exec_t;
+ init_script_file(ftpd_initrc_exec_t)
+ 
++type ftpd_keytab_t;
++files_type(ftpd_keytab_t)
++
+ type ftpd_lock_t;
+ files_lock_file(ftpd_lock_t)
+ 
+@@ -176,6 +179,8 @@ allow ftpd_t self:key manage_key_perms;
+ 
+ allow ftpd_t ftpd_etc_t:file read_file_perms;
+ 
++allow ftpd_t ftpd_keytab_t:file read_file_perms;
++
+ allow ftpd_t ftpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+ 
+@@ -359,8 +364,9 @@ optional_policy(`
+ optional_policy(`
+ 	selinux_validate_context(ftpd_t)
+ 
+-	kerberos_keytab_template(ftpd, ftpd_t)
++	kerberos_read_keytab(ftpd_t)
+ 	kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
++	kerberos_use(ftpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
+index f9de9fc..f6c00d8 100644
+--- a/policy/modules/contrib/kerberos.if
++++ b/policy/modules/contrib/kerberos.if
+@@ -354,22 +354,7 @@ interface(`kerberos_etc_filetrans_keytab',`
+ ## </param>
+ #
+ template(`kerberos_keytab_template',`
+-
+-	########################################
+-	#
+-	# Declarations
+-	#
+-
+-	type $1_keytab_t;
+-	files_type($1_keytab_t)
+-
+-	########################################
+-	#
+-	# Policy
+-	#
+-
+-	allow $2 $1_keytab_t:file read_file_perms;
+-
++	refpolicywarn(`$0($*) has been deprecated.')
+ 	kerberos_read_keytab($2)
+ 	kerberos_use($2)
+ ')
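Review bot: the deprecated kerberos_keytab_template no longer declares $1_keytab_t or the allow rule on it, yet it still expands to kerberos_read_keytab($2) and kerberos_use($2), so a caller outside this patch keeps compiling with only the refpolicywarn message and silently loses its per-domain keytab type. The interface documentation above the template (the block ending at "## </param>") should state the deprecation and name the replacement calls, so that callers know they must now declare the type and the read rule themselves.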
+diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
+index de2508e..7f09b4a 100644
+--- a/policy/modules/contrib/ldap.if
++++ b/policy/modules/contrib/ldap.if
+@@ -116,7 +116,7 @@ interface(`ldap_admin',`
+ 		type slapd_t, slapd_tmp_t, slapd_replog_t;
+ 		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+ 		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
+-		type slapd_db_t;
++		type slapd_db_t, slapd_keytab_t;
+ 	')
+ 
+ 	allow $1 slapd_t:process { ptrace signal_perms };
+@@ -128,7 +128,7 @@ interface(`ldap_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })
++	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
+ 
+ 	files_list_locks($1)
+ 	admin_pattern($1, slapd_lock_t)
+diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
+index 71b00f8..131dc88 100644
+--- a/policy/modules/contrib/ldap.te
++++ b/policy/modules/contrib/ldap.te
+@@ -1,4 +1,4 @@
+-policy_module(ldap, 1.11.0)
++policy_module(ldap, 1.11.1)
+ 
+ ########################################
+ #
+@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
+ type slapd_initrc_exec_t;
+ init_script_file(slapd_initrc_exec_t)
+ 
++type slapd_keytab_t;
++files_type(slapd_keytab_t)
++
+ type slapd_lock_t;
+ files_lock_file(slapd_lock_t)
+ 
+@@ -60,6 +63,8 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+ 
+ allow slapd_t slapd_etc_t:file read_file_perms;
+ 
++allow slapd_t slapd_keytab_t:file read_file_perms;
++
+ allow slapd_t slapd_lock_t:file manage_file_perms;
+ files_lock_filetrans(slapd_t, slapd_lock_t, file)
+ 
+@@ -131,11 +136,12 @@ ifdef(`distro_gentoo',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(slapd, slapd_t)
+ 	kerberos_manage_host_rcache(slapd_t)
++	kerberos_read_keytab(slapd_t)
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
++	kerberos_use(slapd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
+index 6e26d71..8e7d1e7 100644
+--- a/policy/modules/contrib/postfix.if
++++ b/policy/modules/contrib/postfix.if
+@@ -714,6 +714,7 @@ interface(`postfix_admin',`
+ 		type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
+ 		type postfix_data_t, postfix_var_run_t, postfix_public_t;
+ 		type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
++		type postfix_keytab_t;
+ 	')
+ 
+ 	allow $1 postfix_domain:process { ptrace signal_perms };
+@@ -725,7 +726,7 @@ interface(`postfix_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })
++	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+ 
+ 	files_search_spool($1)
+ 	admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
+diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
+index 0cb7938..dd7259f 100644
+--- a/policy/modules/contrib/postfix.te
++++ b/policy/modules/contrib/postfix.te
+@@ -1,4 +1,4 @@
+-policy_module(postfix, 1.15.0)
++policy_module(postfix, 1.15.1)
+ 
+ ########################################
+ #
+@@ -36,6 +36,9 @@ files_config_file(postfix_etc_t)
+ type postfix_exec_t;
+ application_executable_file(postfix_exec_t)
+ 
++type postfix_keytab_t;
++files_type(postfix_keytab_t)
++
+ postfix_server_domain_template(local)
+ mta_mailserver_delivery(postfix_local_t)
+ 
+@@ -209,6 +212,8 @@ allow postfix_master_t postfix_etc_t:file rw_file_perms;
+ allow postfix_master_t postfix_data_t:dir manage_dir_perms;
+ allow postfix_master_t postfix_data_t:file manage_file_perms;
+ 
++allow postfix_master_t postfix_keytab_t:file read_file_perms;
++
+ allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+ 
+ allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+@@ -314,7 +319,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(postfix, postfix_t)
++	kerberos_read_keytab(postfix_master_t)
++	kerberos_use(postfix_master_t)
+ ')
+ 
+ optional_policy(`
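Review bot: the removed line passed postfix_t to kerberos_keytab_template, while the replacement calls, and the new allow rule on postfix_keytab_t earlier in this file, use postfix_master_t. That is a change of domain and not just the removal of the deprecated template, and the commit message does not mention it. State which domain is meant to read the keytab, and why, in the commit message or in a comment next to the rule.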
+diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
+index fbbc398..cc426e6 100644
+--- a/policy/modules/contrib/procmail.te
++++ b/policy/modules/contrib/procmail.te
+@@ -1,4 +1,4 @@
+-policy_module(procmail, 1.13.0)
++policy_module(procmail, 1.13.1)
+ 
+ ########################################
+ #
+@@ -122,7 +122,7 @@ optional_policy(`
+ 	postfix_read_spool_files(procmail_t)
+ 	postfix_read_local_state(procmail_t)
+ 	postfix_read_master_state(procmail_t)
+-	postfix_rw_master_pipes(procmail_t)
++	postfix_rw_inherited_master_pipes(procmail_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
+index 83cccf9..8742944 100644
+--- a/policy/modules/contrib/qmail.te
++++ b/policy/modules/contrib/qmail.te
+@@ -1,4 +1,4 @@
+-policy_module(qmail, 1.6.0)
++policy_module(qmail, 1.6.1)
+ 
+ ########################################
+ #
+@@ -42,6 +42,9 @@ qmail_child_domain_template(qmail_send, qmail_start_t)
+ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+ qmail_child_domain_template(qmail_splogger, qmail_start_t)
+ 
++type qmail_keytab_t;
++files_type(qmail_keytab_t)
++
+ type qmail_spool_t;
+ files_type(qmail_spool_t)
+ 
+@@ -241,6 +244,8 @@ allow qmail_smtpd_t self:process signal_perms;
+ allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
+ allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+ 
++allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;
++
+ allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
+ 
+ dev_read_rand(qmail_smtpd_t)
+@@ -253,7 +258,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(qmail, qmail_smtpd_t)
++	kerberos_read_keytab(qmail_smtpd_t)
++	kerberos_use(qmail_smtpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
+index 20696cc..5916f81 100644
+--- a/policy/modules/contrib/rlogin.te
++++ b/policy/modules/contrib/rlogin.te
+@@ -1,4 +1,4 @@
+-policy_module(rlogin, 1.11.0)
++policy_module(rlogin, 1.11.1)
+ 
+ ########################################
+ #
+@@ -16,6 +16,9 @@ term_login_pty(rlogind_devpts_t)
+ type rlogind_home_t;
+ userdom_user_home_content(rlogind_home_t)
+ 
++type rlogind_keytab_t;
++files_type(rlogind_keytab_t)
++
+ type rlogind_tmp_t;
+ files_tmp_file(rlogind_tmp_t)
+ 
+@@ -37,6 +40,8 @@ term_create_pty(rlogind_t, rlogind_devpts_t)
+ 
+ allow rlogind_t rlogind_home_t:file read_file_perms;
+ 
++allow rlogind_t rlogind_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+ manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+ files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
+@@ -98,9 +103,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(rlogind, rlogind_t)
++	kerberos_read_keytab(rlogind_t)
+ 	kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
+ 	kerberos_manage_host_rcache(rlogind_t)
++	kerberos_use(rlogind_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
+index 07f5eb0..157afd9 100644
+--- a/policy/modules/contrib/rpc.if
++++ b/policy/modules/contrib/rpc.if
+@@ -394,7 +394,7 @@ interface(`rpc_admin',`
+ 		attribute rpc_domain;
+ 		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
+ 		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
+-		type nfsd_ro_t, nfsd_rw_t;
++		type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+ 	')
+ 
+ 	allow $1 rpc_domain:process { ptrace signal_perms };
+@@ -406,7 +406,7 @@ interface(`rpc_admin',`
+  	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, exports_t)
++	admin_pattern($1, { gssd_keytab_t exports_t })
+ 
+ 	files_list_var_lib($1)
+ 	admin_pattern($1, var_lib_nfs_t)
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index 1e6b44d..a8de8bd 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -1,4 +1,4 @@
+-policy_module(rpc, 1.15.0)
++policy_module(rpc, 1.15.1)
+ 
+ ########################################
+ #
+@@ -30,6 +30,9 @@ files_config_file(exports_t)
+ 
+ rpc_domain_template(gssd)
+ 
++type gssd_keytab_t;
++files_type(gssd_keytab_t)
++
+ type gssd_tmp_t;
+ files_tmp_file(gssd_tmp_t)
+ 
+@@ -271,6 +274,8 @@ allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+ allow gssd_t self:process { getsched setsched };
+ allow gssd_t self:fifo_file rw_fifo_file_perms;
+ 
++allow gssd_t gssd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+@@ -309,9 +314,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(gssd, gssd_t)
+ 	kerberos_manage_host_rcache(gssd_t)
++	kerberos_read_keytab(gssd_t)
+ 	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
++	kerberos_use(gssd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
+index 575e3e3..864e089 100644
+--- a/policy/modules/contrib/rshd.te
++++ b/policy/modules/contrib/rshd.te
+@@ -1,4 +1,4 @@
+-policy_module(rshd, 1.8.0)
++policy_module(rshd, 1.8.1)
+ 
+ ########################################
+ #
+@@ -10,6 +10,9 @@ type rshd_exec_t;
+ auth_login_pgm_domain(rshd_t)
+ inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+ 
++type rshd_keytab_t;
++files_type(rshd_keytab_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -20,6 +23,8 @@ allow rshd_t self:process { signal_perms setsched setpgid setexec };
+ allow rshd_t self:fifo_file rw_fifo_file_perms;
+ allow rshd_t self:tcp_socket create_stream_socket_perms;
+ 
++allow rshd_t rshd_keytab_t:file read_file_perms;
++
+ kernel_read_kernel_sysctls(rshd_t)
+ 
+ corenet_all_recvfrom_unlabeled(rshd_t)
+@@ -54,9 +59,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(rshd, rshd_t)
+ 	kerberos_manage_host_rcache(rshd_t)
++	kerberos_read_keytab(rshd_t)
+ 	kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
++	kerberos_use(rshd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
+index aee75af..50d07fb 100644
+--- a/policy/modules/contrib/samba.if
++++ b/policy/modules/contrib/samba.if
+@@ -689,6 +689,7 @@ interface(`samba_admin',`
+ 		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
+ 		type swat_var_run_t, swat_tmp_t, winbind_log_t;
+ 		type winbind_var_run_t, winbind_tmp_t;
++		type smbd_keytab_t;
+ 	')
+ 
+ 	allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+@@ -700,7 +701,7 @@ interface(`samba_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, samba_etc_t)
++	admin_pattern($1, { samba_etc_t smbd_keytab_t })
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, { samba_log_t winbind_log_t })
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 54b89a6..98daaef 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1,4 +1,4 @@
+-policy_module(samba, 1.16.0)
++policy_module(samba, 1.16.1)
+ 
+ #################################
+ #
+@@ -142,6 +142,9 @@ type smbd_t;
+ type smbd_exec_t;
+ init_daemon_domain(smbd_t, smbd_exec_t)
+ 
++type smbd_keytab_t;
++files_type(smbd_keytab_t)
++
+ type smbd_tmp_t;
+ files_tmp_file(smbd_tmp_t)
+ 
+@@ -271,6 +274,8 @@ allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }
+ 
+ allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+ 
++allow smbd_t smbd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
+ append_files_pattern(smbd_t, samba_log_t, samba_log_t)
+ create_files_pattern(smbd_t, samba_log_t, samba_log_t)
+@@ -468,8 +473,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	kerberos_read_keytab(smbd_t)
+ 	kerberos_use(smbd_t)
+-	kerberos_keytab_template(smbd, smbd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
+index b2f388a..8c3c151 100644
+--- a/policy/modules/contrib/sasl.if
++++ b/policy/modules/contrib/sasl.if
+@@ -39,6 +39,7 @@ interface(`sasl_connect',`
+ interface(`sasl_admin',`
+ 	gen_require(`
+ 		type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
++		type saslauthd_keytab_t;
+ 	')
+ 
+ 	allow $1 saslauthd_t:process { ptrace signal_perms };
+@@ -49,6 +50,9 @@ interface(`sasl_admin',`
+ 	role_transition $2 saslauthd_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, saslauthd_keytab_t)
++
+ 	files_list_pids($1)
+ 	admin_pattern($1, saslauthd_var_run_t)
+ ')
+diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
+index 20ebffb..6c3bc20 100644
+--- a/policy/modules/contrib/sasl.te
++++ b/policy/modules/contrib/sasl.te
+@@ -1,4 +1,4 @@
+-policy_module(sasl, 1.15.0)
++policy_module(sasl, 1.15.1)
+ 
+ ########################################
+ #
+@@ -20,6 +20,9 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+ type saslauthd_initrc_exec_t;
+ init_script_file(saslauthd_initrc_exec_t)
+ 
++type saslauthd_keytab_t;
++files_type(saslauthd_keytab_t)
++
+ type saslauthd_var_run_t;
+ files_pid_file(saslauthd_var_run_t)
+ 
+@@ -34,6 +37,8 @@ allow saslauthd_t self:process { setsched signal_perms };
+ allow saslauthd_t self:fifo_file rw_fifo_file_perms;
+ allow saslauthd_t self:unix_stream_socket { accept listen };
+ 
++allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+@@ -92,9 +97,10 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(saslauthd, saslauthd_t)
++	kerberos_read_keytab(saslauthd_t)
+ 	kerberos_manage_host_rcache(saslauthd_t)
+ 	kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
++	kerberos_use(saslauthd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
+index 88e753f..35ad2a7 100644
+--- a/policy/modules/contrib/sendmail.if
++++ b/policy/modules/contrib/sendmail.if
+@@ -354,6 +354,7 @@ interface(`sendmail_admin',`
+ 	gen_require(`
+ 		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
+ 		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
++		type sendmail_keytab_t;
+ 	')
+ 
+ 	allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
+@@ -363,6 +364,9 @@ interface(`sendmail_admin',`
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 sendmail_initrc_exec_t system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, sendmail_keytab_t)
++
+ 	logging_list_logs($1)
+ 	admin_pattern($1, sendmail_log_t)
+ 
+diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
+index 320db21..12700b4 100644
+--- a/policy/modules/contrib/sendmail.te
++++ b/policy/modules/contrib/sendmail.te
+@@ -1,4 +1,4 @@
+-policy_module(sendmail, 1.12.0)
++policy_module(sendmail, 1.12.1)
+ 
+ ########################################
+ #
+@@ -13,6 +13,9 @@ roleattribute system_r sendmail_unconfined_roles;
+ type sendmail_initrc_exec_t;
+ init_script_file(sendmail_initrc_exec_t)
+ 
++type sendmail_keytab_t;
++files_type(sendmail_keytab_t)
++
+ type sendmail_log_t;
+ logging_log_file(sendmail_log_t)
+ 
+@@ -43,6 +46,8 @@ allow sendmail_t self:fifo_file rw_fifo_file_perms;
+ allow sendmail_t self:unix_stream_socket { accept listen };
+ allow sendmail_t self:tcp_socket { accept listen };
+ 
++allow sendmail_t sendmail_keytab_t:file read_file_perms;
++
+ allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
+ append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+ create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+@@ -154,7 +159,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(sendmail, sendmail_t)
++	kerberos_read_keytab(sendmail_t)
++	kerberos_use(sendmail_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
+index 02fba54..cc58e35 100644
+--- a/policy/modules/contrib/spamassassin.te
++++ b/policy/modules/contrib/spamassassin.te
+@@ -1,4 +1,4 @@
+-policy_module(spamassassin, 2.6.0)
++policy_module(spamassassin, 2.6.1)
+ 
+ ########################################
+ #
+@@ -262,7 +262,7 @@ optional_policy(`
+ 	postfix_domtrans_postdrop(spamc_t)
+ 	postfix_search_spool(spamc_t)
+ 	postfix_rw_local_pipes(spamc_t)
+-	postfix_rw_master_pipes(spamc_t)
++	postfix_rw_inherited_master_pipes(spamc_t)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
+index b9e2061..bcef8b5 100644
+--- a/policy/modules/contrib/telnet.te
++++ b/policy/modules/contrib/telnet.te
+@@ -1,4 +1,4 @@
+-policy_module(telnet, 1.11.0)
++policy_module(telnet, 1.11.1)
+ 
+ ########################################
+ #
+@@ -12,6 +12,9 @@ inetd_service_domain(telnetd_t, telnetd_exec_t)
+ type telnetd_devpts_t;
+ term_login_pty(telnetd_devpts_t)
+ 
++type telnetd_keytab_t;
++files_type(telnetd_keytab_t)
++
+ type telnetd_tmp_t;
+ files_tmp_file(telnetd_tmp_t)
+ 
+@@ -30,6 +33,8 @@ allow telnetd_t self:fifo_file rw_fifo_file_perms;
+ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(telnetd_t, telnetd_devpts_t)
+ 
++allow telnetd_t telnetd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+ manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+ files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+@@ -85,9 +90,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(telnetd, telnetd_t)
++	kerberos_read_keytab(telnetd_t)
+ 	kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
+ 	kerberos_manage_host_rcache(telnetd_t)
++	kerberos_use(telnetd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
+index e30a42e..c8bc302 100644
+--- a/policy/modules/contrib/virt.if
++++ b/policy/modules/contrib/virt.if
+@@ -1148,7 +1148,7 @@ interface(`virt_admin',`
+ 		type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
+ 		type virt_var_run_t, virt_tmp_t, virt_log_t;
+ 		type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
+-		type virt_etc_t, svirt_cache_t;
++		type virt_etc_t, svirt_cache_t, virtd_keytab_t;
+ 	')
+ 
+ 	allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
+@@ -1168,7 +1168,7 @@ interface(`virt_admin',`
+ 	admin_pattern($1, { virt_tmp_type virt_tmp_t })
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { virt_etc_t virt_etc_rw_t })
++	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+ 
+ 	logging_search_logs($1)
+ 	admin_pattern($1, virt_log_t)
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 9230f0d..f2916f7 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -1,4 +1,4 @@
+-policy_module(virt, 1.7.0)
++policy_module(virt, 1.7.1)
+ 
+ ########################################
+ #
+@@ -142,6 +142,9 @@ domain_subj_id_change_exemption(virtd_t)
+ type virtd_initrc_exec_t;
+ init_script_file(virtd_initrc_exec_t)
+ 
++type virtd_keytab_t;
++files_type(virtd_keytab_t)
++
+ ifdef(`enable_mcs',`
+ 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -438,6 +441,8 @@ manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+ manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
+ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
+ 
++allow virtd_t virtd_keytab_t:file read_file_perms;
++
+ allow virtd_t svirt_var_run_t:file relabel_file_perms;
+ manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+ manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+@@ -700,7 +705,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(virtd, virtd_t)
++	kerberos_read_keytab(virtd_t)
++	kerberos_use(virtd_t)
+ ')
+ 
+ optional_policy(`
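Review bot: the samba_admin, sasl_admin, sendmail_admin and virt_admin hunks now pass smbd_keytab_t, saslauthd_keytab_t, sendmail_keytab_t and virtd_keytab_t to admin_pattern(), so those admin roles gain control over the files holding each service's Kerberos keys, while the daemon domains themselves only get read_file_perms. Please call this out in the patch description so integrators who hand out these admin interfaces know that keytab management now comes with them. The sasl and sendmail interfaces add files_list_etc($1) for this, whereas virt_admin keeps files_search_etc($1); a short comment on why they differ would help.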
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
new file mode 100644
index 0000000..b3b7bf0
--- /dev/null
+++ b/package/refpolicy/refpolicy.mk
@@ -0,0 +1,86 @@
+################################################################################
+#
+# refpolicy
+#
+################################################################################
+
+REFPOLICY_VERSION = 2.20130424
+REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
+REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
+REFPOLICY_LICENSE = GPLv2
+REFPOLICY_LICENSE_FILES = COPYING
+
+# Cannot use multiple threads to build the reference policy
+REFPOLICY_MAKE=$(MAKE1)
+
+REFPOLICY_DEPENDENCIES = host-m4 host-checkpolicy host-policycoreutils \
+	host-setools host-python-pyxml policycoreutils
+
+REFPOLICY_INSTALL_STAGING = YES
+
+define REFPOLICY_BUILD_SPECIFIC_PATCH_CMDS
+	@echo "Applying board specific patches"
+	$(ifneq $(BR2_PACKAGE_REFPOLICY_PATCH_FOLDER) "", \
+		toolchain/patch-kernel.sh $(@D) \
+		$(call qstrip,$(BR2_PACKAGE_REFPOLICY_PATCH_FOLDER)) refpolicy-\*.patch)
+endef
+
+REFPOLICY_POST_PATCH_HOOKS += REFPOLICY_BUILD_SPECIFIC_PATCH_CMDS
+
+# Pointing to the host compiled SELinux applications while using the target 
+# cross compiler.  Note, the TEST_TOOLCHAIN option will also set the 
+# LD_LIBRARY_PATH at run time.
+REFPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
+	TEST_TOOLCHAIN="$(HOST_DIR)" \
+	PYTHON="$(HOST_DIR)/usr/bin/python" \
+	M4="$(HOST_DIR)/usr/bin/m4"
+
+define REFPOLICY_CONFIGURE_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) bare $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+	sed -i "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
+	sed -i "/NAME/c\NAME = $(BR2_PACKAGE_REFPOLICY_NAME)" $(@D)/build.conf
+	sed -i "/DISTRO/c\DISTRO = $(BR2_PACKAGE_REFPOLICY_DIST)" $(@D)/build.conf
+	sed -i "/MONOLITHIC/c\MONOLITHIC = $(BR2_PACKAGE_REFPOLICY_MONOLITHIC)" $(@D)/build.conf
+	$(REFPOLICY_MAKE) -C $(@D) conf $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_BUILD_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_CLEAN_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) clean $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_STAGING_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) install-src install-headers install-docs \
+		$(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_TARGET_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) install $(REFPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+	$(INSTALL) -m 0755 package/refpolicy/config $(TARGET_DIR)/etc/selinux/
+	sed -i "/^SELINUXTYPE/c\SELINUXTYPE=$(BR2_PACKAGE_REFPOLICY_NAME)" $(TARGET_DIR)/etc/selinux/config
+	$(INSTALL) -m 0755 package/refpolicy/S12selinux $(TARGET_DIR)/etc/init.d/
+endef
+
+define REFPOLICY_POLICY_COMPILE
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/policy
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/modules/active/modules
+	if [ ! -f $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local ]; \
+	then \
+		touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local; \
+	fi
+	# Currently, semodule is unabled to compile the policy during the build so 
+	# the modules must be compiled into the policy during the first boot.  This 
+	# is done by the S12selinux startup script.
+	#( export PATH=$(TARGET_PATH); \
+	#	$(HOST_DIR)/usr/sbin/semodule -v -n -p $(TARGET_DIR) -s $(BR2_PACKAGE_REFPOLICY_NAME) \
+	#		-b $(@D)/base.pp -i $(shell ls $(@D)/*.pp | grep -v base); \
+	#)
+endef
+ifeq ($(BR2_PACKAGE_REFPOLICY_MONOLITHIC),)
+	REFPOLICY_POST_INSTALL_TARGET_HOOKS += REFPOLICY_POLICY_COMPILE
+endif
+
+$(eval $(generic-package))
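Review bot: in REFPOLICY_BUILD_SPECIFIC_PATCH_CMDS, `$(ifneq $(BR2_PACKAGE_REFPOLICY_PATCH_FOLDER) "", ...)` is not a make function. `ifneq` is a conditional directive, so make reads the whole `$(...)` as a reference to an undefined variable and expands it to nothing; the hook then only prints "Applying board specific patches" and never runs toolchain/patch-kernel.sh. Use `$(if $(call qstrip,$(BR2_PACKAGE_REFPOLICY_PATCH_FOLDER)), ...)` or a shell `if` on the qstripped value. Two smaller points: package/refpolicy/config is installed with `-m 0755` although it is a configuration file, so 0644 is enough, and the commented-out semodule invocation in REFPOLICY_POLICY_COMPILE could be dropped, keeping only the comment that explains why the modules are compiled at first boot by S12selinux.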
-- 
1.7.1


* [Buildroot] [PATCH v2 12/17] python-pyparsing: Add host build option
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (10 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 11/17] refpolicy: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 13/17] audit: new package Clayton Shotwell
                   ` (4 subsequent siblings)
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - No changes.

 package/python-pyparsing/python-pyparsing.mk |   47 ++++++++++++++++++-------
 1 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/package/python-pyparsing/python-pyparsing.mk b/package/python-pyparsing/python-pyparsing.mk
index 7814ce3..b6ba40d 100644
--- a/package/python-pyparsing/python-pyparsing.mk
+++ b/package/python-pyparsing/python-pyparsing.mk
@@ -14,25 +14,46 @@ PYTHON_PYPARSING_DEPENDENCIES    = python
 
 # Shamelessly vampirised from python-pygame ;-)
 define PYTHON_PYPARSING_BUILD_CMDS
-	(cd $(@D);                                              \
-	 CC="$(TARGET_CC)"                                      \
-	 CFLAGS="$(TARGET_CFLAGS)"                              \
-	 LDSHARED="$(TARGET_CROSS)gcc -shared"                  \
-	 CROSS_COMPILING=yes                                    \
-	 _python_sysroot=$(STAGING_DIR)                         \
-	 _python_srcdir=$(BUILD_DIR)/python$(PYTHON_VERSION)    \
-	 _python_prefix=/usr                                    \
-	 _python_exec_prefix=/usr                               \
-	 $(HOST_DIR)/usr/bin/python setup.py build              \
+	(cd $(@D); \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS)" \
+		LDSHARED="$(TARGET_CROSS)gcc -shared" \
+		CROSS_COMPILING=yes \
+		_python_sysroot=$(STAGING_DIR) \
+		_python_srcdir=$(BUILD_DIR)/python$(PYTHON_VERSION) \
+		_python_prefix=/usr \
+		_python_exec_prefix=/usr \
+		$(HOST_DIR)/usr/bin/python setup.py build \
 	)
 endef
 
 # Shamelessly vampirised from python-pygame ;-)
 define PYTHON_PYPARSING_INSTALL_TARGET_CMDS
-	(cd $(@D);                                              \
-	 $(HOST_DIR)/usr/bin/python setup.py install            \
-	                            --prefix=$(TARGET_DIR)/usr  \
+	(cd $(@D); \
+		$(HOST_DIR)/usr/bin/python setup.py install \
+		--prefix=$(TARGET_DIR)/usr \
+	)
+endef
+
+HOST_PYTHON_PYPARSING_DEPENDENCIES = host-python
+
+define HOST_PYTHON_PYPARSING_BUILD_CMDS
+	(cd $(@D); \
+		_python_sysroot=$(HOST_DIR) \
+		_python_srcdir=$(BUILD_DIR)/host-python$(PYTHON_VERSION) \
+		_python_prefix=/usr \
+		_python_exec_prefix=/usr \
+		$(HOST_DIR)/usr/bin/python setup.py build \
+	)
+endef
+
+define HOST_PYTHON_PYPARSING_INSTALL_CMDS
+	(cd $(@D); \
+		$(HOST_DIR)/usr/bin/python setup.py install \
+		--prefix=$(HOST_DIR)/usr \
 	)
 endef
 
 $(eval $(generic-package))
+$(eval $(host-generic-package))
+
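Review bot: the whitespace rewrite of PYTHON_PYPARSING_BUILD_CMDS and PYTHON_PYPARSING_INSTALL_TARGET_CMDS is mixed into the same hunk as the new host variant, which makes the functional change (the HOST_PYTHON_PYPARSING_* definitions and `$(eval $(host-generic-package))`) hard to pick out of 34 insertions and 13 deletions. Please move the reformatting into its own patch or drop it. HOST_PYTHON_PYPARSING_BUILD_CMDS also carries over `_python_sysroot`, `_python_srcdir`, `_python_prefix` and `_python_exec_prefix` from the cross build; either add a comment saying why a host build needs them or remove them. The blank line added after the final `$(eval ...)` should go, and the commit message would benefit from one line saying which package needs host-python-pyparsing.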
-- 
1.7.1


* [Buildroot] [PATCH v2 13/17] audit: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (11 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 12/17] python-pyparsing: Add host build option Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-18  5:00   ` Thomas Petazzoni
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 14/17] shadow: " Clayton Shotwell
                   ` (3 subsequent siblings)
  16 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed the original Python select in the Config.in to be a check 
    in the mk file.

 package/Config.in                                  |    1 +
 package/audit/Config.in                            |   10 +
 package/audit/S14auditd                            |  172 +++
 .../audit-0001-crossCompileHeaderCreationFix.patch | 1420 ++++++++++++++++++++
 package/audit/audit-0002-remove-zos-plugin.patch   |   35 +
 package/audit/audit.mk                             |   58 +
 6 files changed, 1696 insertions(+), 0 deletions(-)
 create mode 100644 package/audit/Config.in
 create mode 100755 package/audit/S14auditd
 create mode 100644 package/audit/audit-0001-crossCompileHeaderCreationFix.patch
 create mode 100644 package/audit/audit-0002-remove-zos-plugin.patch
 create mode 100644 package/audit/audit.mk

diff --git a/package/Config.in b/package/Config.in
index 847b8d2..b5b4a6e 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -940,6 +940,7 @@ endmenu
 menu "System tools"
 source "package/acl/Config.in"
 source "package/attr/Config.in"
+source "package/audit/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 source "package/bootutils/Config.in"
 endif
diff --git a/package/audit/Config.in b/package/audit/Config.in
new file mode 100644
index 0000000..4766c10
--- /dev/null
+++ b/package/audit/Config.in
@@ -0,0 +1,10 @@
+config BR2_PACKAGE_AUDIT
+	bool "audit"
+	help
+	  The audit package contains the user space utilities for
+	  storing and searching the audit records generate by
+	  the audit subsystem in the Linux 2.6 kernel
+	  
+	  Note: The z/OS remote plugin is disabled in this package
+	  
+	  http://people.redhat.com/sgrubb/audit/
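Review bot: typo in the help text, "storing and searching the audit records generate by" should read "generated by". The two blank separator lines in the help block also carry trailing whitespace after the tab, and the first sentence is missing its final period.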
diff --git a/package/audit/S14auditd b/package/audit/S14auditd
new file mode 100755
index 0000000..74a6249
--- /dev/null
+++ b/package/audit/S14auditd
@@ -0,0 +1,172 @@
+#!/bin/bash
+#
+# auditd        This starts and stops auditd
+#
+# description: This starts the Linux Auditing System Daemon, \
+#              which collects security related events in a dedicated \
+#              audit log. If this daemon is turned off, audit events \
+#              will be sent to syslog.
+#
+# processname: /sbin/auditd
+# config: /etc/sysconfig/auditd
+# config: /etc/audit/auditd.conf
+# pidfile: /var/run/auditd.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+#
+prog="auditd"
+
+# Check that we are root ... so non-root users stop here
+test $EUID=0  ||  exit 4
+
+# Check config
+test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd
+
+RETVAL=0
+LOCK=/var/lock/subsys/auditd
+
+start(){
+   echo -n "Initializing $prog: "
+
+   if [ ! -e $LOCK ]; then
+      test -x /sbin/auditd  || exit 5
+      test -f /etc/audit/auditd.conf  || exit 6
+   
+      # Create dir to store log files in if one doesn't exist
+      test -d /var/log/audit || mkdir -p /var/log/audit && /sbin/restorecon /var/log/audit
+   
+      # Run audit daemon executable
+      $prog
+      RETVAL=$?
+      if test $RETVAL = 0 ; then
+         test -d /var/lock/subsys || mkdir -p /var/lock/subsys
+         touch $LOCK
+         # Load the default rules
+         test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+         echo "OK"
+      else
+         echo "FAILED: auditd failed to start"
+      fi
+   else
+      echo "FAILED: auditd already started, stop first"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+stop(){
+   echo -n "Uninitializing $prog: "
+   if [ -e $LOCK ]; then
+      killall -TERM $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         rm -f $LOCK
+         # Remove watches so shutdown works cleanly
+         if test x"$AUDITD_CLEAN_STOP" != "x" ; then
+            if test "`echo $AUDITD_CLEAN_STOP | tr 'NO' 'no'`" != "no"
+            then
+               /sbin/auditctl -D >/dev/null
+            fi
+         fi
+         if test x"$AUDITD_STOP_DISABLE" != "x" ; then
+            if test "`echo $AUDITD_STOP_DISABLE | tr 'NO' 'no'`" != "no"
+            then
+               /sbin/auditctl -e 0 >/dev/null
+            fi
+         fi
+         echo "OK"
+      else
+         echo "FAILED: auditd not stopped"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+reload(){
+   echo -n "Reloading auditd configuration: "
+   if [ -e $LOCK ]; then
+      test -f /etc/audit/auditd.conf  || exit 6
+      echo -n "Reloading configuration: " 
+      killall -HUP $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         echo "OK"
+      else
+         echo "FAILED"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+rotate(){
+   echo -n "Rotating auditd logs: "  
+   if [ -e $LOCK ]; then
+      killall -USR1 $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         echo "OK"
+      else
+         echo "FAILED"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+restart(){
+   test -f /etc/audit/auditd.conf  || exit 6
+   stop
+   start
+   return $RETVAL
+}
+
+condrestart(){
+   [ -e $LOCK ] && restart
+   return 0
+}
+
+# See how we were called.
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   restart)
+      restart
+      ;;
+   reload)
+      reload
+      ;;
+   rotate)
+      rotate
+      ;;
+   resume)
+      resume
+      ;;
+   condrestart)
+      condrestart
+      ;;
+   *)
+      echo "Usage: $0 {start|stop|restart|condrestart|reload|rotate}"
+      RETVAL=3
+      ;;
+esac
+
+exit $RETVAL
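Review bot: the root check `test $EUID=0  ||  exit 4` never fails. `$EUID=0` expands to a single non-empty word (for example `1000=0`), which test treats as true, so non-root callers carry on past it; it should be `test "$EUID" = 0`. The same kind of always-true test appears in stop(), reload() and rotate(): `if [ $RETVAL ]` is true for any non-empty value, so a failed killall is still reported as "OK", and in stop() the lock file is removed even though auditd may still be running. Use `[ $RETVAL -eq 0 ]` there. Further points in this file: the `resume)` case calls a resume function that the script never defines, start() checks `/sbin/auditd` but then runs `$prog` through PATH, and the script needs /bin/bash (`$EUID` is a bash variable), so it should either be rewritten for POSIX sh or the package should depend on bash.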
diff --git a/package/audit/audit-0001-crossCompileHeaderCreationFix.patch b/package/audit/audit-0001-crossCompileHeaderCreationFix.patch
new file mode 100644
index 0000000..11ab393
--- /dev/null
+++ b/package/audit/audit-0001-crossCompileHeaderCreationFix.patch
@@ -0,0 +1,1420 @@
+Rework the build system to generate the required header files using a 
+Python script rather than compiling executables.  This change has
+to be made because the executables that are generated are built for
+the target architecture and are generally not compilable on the host
+build machine.  
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/configure.ac b/configure.ac
+--- a/configure.ac	2013-07-29 16:37:01.000000000 -0500
++++ b/configure.ac	2013-08-21 13:29:55.760585744 -0500
+@@ -51,11 +51,14 @@
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AC_PROG_AWK
++AM_PATH_PYTHON
++AC_PYTHON_MODULE(pyparsing, 1)
+ 
+ echo .
+ echo Checking for header files
+ AC_HEADER_STDC
+ AC_HEADER_TIME
++AC_CHECK_HEADER([Python.h])
+ 
+ AC_C_CONST
+ AC_C_INLINE
+@@ -89,14 +92,13 @@
+ 	AC_MSG_RESULT(no)
+ else
+ AC_MSG_RESULT(testing)
+-AM_PATH_PYTHON
+-if test -f /usr/include/python${am_cv_python_version}/Python.h ; then
++if test x$ac_cv_header_Python_h != x ; then
+ 	python_found="yes"
+ 	AC_MSG_NOTICE(Python bindings will be built)
+ else
+ 	python_found="no"
+ 	if test x$use_python = xyes ; then
+-		AC_MSG_ERROR([Python explicitly required and python headers found])
++		AC_MSG_ERROR([Python explicitly required and python headers not found])
+ 	else
+ 		AC_MSG_WARN("Python headers not found - python bindings will not be made")
+ 	fi
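Review bot: `if test x$ac_cv_header_Python_h != x` is true whether or not the header was found, because AC_CHECK_HEADER([Python.h]) sets ac_cv_header_Python_h to either yes or no and never leaves it empty. python_found therefore always ends up "yes", and the AC_MSG_ERROR and AC_MSG_WARN branches below it cannot be reached. Compare against the value instead: `if test x$ac_cv_header_Python_h = xyes`. In the header of this embedded patch, the `Signed-off-by Clayton Shotwell` line is also missing the colon after Signed-off-by.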
+diff -urN a/bindings/python/Makefile.am b/bindings/python/Makefile.am
+--- a/bindings/python/Makefile.am	2013-07-29 16:37:00.000000000 -0500
++++ b/bindings/python/Makefile.am	2013-09-11 08:18:41.437704969 -0500
+@@ -26,6 +26,6 @@
+ pyexec_LTLIBRARIES = auparse.la
+ 
+ auparse_la_SOURCES = auparse_python.c
+-auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -I/usr/include/python$(PYTHON_VERSION) -fno-strict-aliasing
++auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -fno-strict-aliasing
+ auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro
+ auparse_la_LIBADD = ../../auparse/libauparse.la ../../lib/libaudit.la
+diff -urN /dev/null b/m4/ax_python_module.m4
+--- /dev/null	2013-06-19 11:25:31.230442052 -0500
++++ b/m4/ax_python_module.m4	2013-08-21 12:43:56.829882655 -0500
+@@ -0,0 +1,49 @@
++# ===========================================================================
++#     http://www.gnu.org/software/autoconf-archive/ax_python_module.html
++# ===========================================================================
++#
++# SYNOPSIS
++#
++#   AX_PYTHON_MODULE(modname[, fatal])
++#
++# DESCRIPTION
++#
++#   Checks for Python module.
++#
++#   If fatal is non-empty then absence of a module will trigger an error.
++#
++# LICENSE
++#
++#   Copyright (c) 2008 Andrew Collier
++#
++#   Copying and distribution of this file, with or without modification, are
++#   permitted in any medium without royalty provided the copyright notice
++#   and this notice are preserved. This file is offered as-is, without any
++#   warranty.
++
++#serial 6
++
++AU_ALIAS([AC_PYTHON_MODULE], [AX_PYTHON_MODULE])
++AC_DEFUN([AX_PYTHON_MODULE],[
++    if test -z $PYTHON;
++    then
++        PYTHON="python"
++    fi
++    PYTHON_NAME=`basename $PYTHON`
++    AC_MSG_CHECKING($PYTHON_NAME module: $1)
++	$PYTHON -c "import $1" 2>/dev/null
++	if test $? -eq 0;
++	then
++		AC_MSG_RESULT(yes)
++		eval AS_TR_CPP(HAVE_PYMOD_$1)=yes
++	else
++		AC_MSG_RESULT(no)
++		eval AS_TR_CPP(HAVE_PYMOD_$1)=no
++		#
++		if test -n "$2"
++		then
++			AC_MSG_ERROR(failed to find required module $1)
++			exit 1
++		fi
++	fi
++])
+diff -urN a/auparse/Makefile.am b/auparse/Makefile.am
+--- a/auparse/Makefile.am	2013-07-29 16:37:01.000000000 -0500
++++ b/auparse/Makefile.am	2013-08-19 14:37:31.230510790 -0500
+@@ -52,8 +52,8 @@
+ 	rlimittabs.h recvtabs.h schedtabs.h seccomptabs.h \
+ 	seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \
+ 	socktabs.h sockleveltabs.h socktypetabs.h \
+-	tcpoptnametabs.h typetabs.h umounttabs.h
+-noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
++	tcpoptnametabs.h typetabs.h umounttabs.h \
++	gen_accesstabs_h gen_captabs_h gen_clock_h \
+ 	gen_clone-flagtabs_h \
+ 	gen_epoll_ctls_h gen_famtabs_h \
+ 	gen_fcntl-cmdtabs_h gen_flagtabs_h \
+@@ -69,187 +69,184 @@
+ 	gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
+ 	gen_umounttabs_h
+ 
+-gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
+-gen_accesstabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="accesstab.h"'
++gen_accesstabs_h: ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"accesstab.h\" -E -o $@ ../lib/gen_tables.c
+ accesstabs.h: gen_accesstabs_h Makefile
+-	./gen_accesstabs_h --i2s-transtab access > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab access gen_accesstabs_h $@
+ 
+-gen_captabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h
+-gen_captabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="captab.h"'
++gen_captabs_h: ../lib/gen_tables.c ../lib/gen_tables.h captab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"captab.h\" -E -o $@ ../lib/gen_tables.c
+ captabs.h: gen_captabs_h Makefile
+-	./gen_captabs_h --i2s cap > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s cap gen_captabs_h $@
+ 
+-gen_clock_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
+-gen_clock_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clocktab.h"'
++gen_clock_h: ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"clocktab.h\" -E -o $@ ../lib/gen_tables.c
+ clocktabs.h: gen_clock_h Makefile
+-	./gen_clock_h --i2s clock > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s clock gen_clock_h $@
+ 
+-gen_clone_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	clone-flagtab.h
+-gen_clone_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clone-flagtab.h"'
++gen_clone-flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h clone-flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"clone-flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ clone-flagtabs.h: gen_clone-flagtabs_h Makefile
+-	./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab clone_flag gen_clone-flagtabs_h $@
+ 
+-gen_epoll_ctls_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
+-gen_epoll_ctls_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="epoll_ctl.h"'
++gen_epoll_ctls_h: ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"epoll_ctl.h\" -E -o $@ ../lib/gen_tables.c
+ epoll_ctls.h: gen_epoll_ctls_h Makefile
+-	./gen_epoll_ctls_h --i2s epoll_ctl > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s epoll_ctl gen_epoll_ctls_h $@
+ 
+-gen_famtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
+-gen_famtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="famtab.h"'
++gen_famtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"famtab.h\" -E -o $@ ../lib/gen_tables.c
+ famtabs.h: gen_famtabs_h Makefile
+-	./gen_famtabs_h --i2s fam > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s fam gen_famtabs_h $@
+ 
+-gen_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h
+ # ../auparse/ is used to avoid using ../lib/flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="../auparse/flagtab.h"'
++gen_flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ../auparse/flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"../auparse/flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ flagtabs.h: gen_flagtabs_h Makefile
+-	./gen_flagtabs_h --i2s-transtab flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab flag gen_flagtabs_h $@
+ 
+-gen_fcntl_cmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	fcntl-cmdtab.h
+-gen_fcntl_cmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fcntl-cmdtab.h"'
++gen_fcntl-cmdtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h fcntl-cmdtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"fcntl-cmdtab.h\" -E -o $@ ../lib/gen_tables.c
+ fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile
+-	./gen_fcntl-cmdtabs_h --i2s fcntl > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s fcntl gen_fcntl-cmdtabs_h $@
+ 
+-gen_icmptypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
+-gen_icmptypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="icmptypetab.h"'
++gen_icmptypetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"icmptypetab.h\" -E -o $@ ../lib/gen_tables.c
+ icmptypetabs.h: gen_icmptypetabs_h Makefile
+-	./gen_icmptypetabs_h --i2s icmptype > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s icmptype gen_icmptypetabs_h $@
+ 
+-gen_ipctabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
+-gen_ipctabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipctab.h"'
++gen_ipctabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipctab.h\" -E -o $@ ../lib/gen_tables.c
+ ipctabs.h: gen_ipctabs_h Makefile
+-	./gen_ipctabs_h --i2s ipc > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ipc gen_ipctabs_h $@
+ 
+-gen_ipccmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
+-gen_ipccmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipccmdtab.h"'
++gen_ipccmdtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipccmdtab.h\" -E -o $@ ../lib/gen_tables.c
+ ipccmdtabs.h: gen_ipccmdtabs_h Makefile
+-	./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab ipccmd gen_ipccmdtabs_h $@
+ 
+-gen_ipoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
+-gen_ipoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipoptnametab.h"'
++gen_ipoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ ipoptnametabs.h: gen_ipoptnametabs_h Makefile
+-	./gen_ipoptnametabs_h --i2s ipoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ipoptname gen_ipoptnametabs_h $@
+ 
+-gen_ip6optnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
+-gen_ip6optnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ip6optnametab.h"'
++gen_ip6optnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ip6optnametab.h\" -E -o $@ ../lib/gen_tables.c
+ ip6optnametabs.h: gen_ip6optnametabs_h Makefile
+-	./gen_ip6optnametabs_h --i2s ip6optname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ip6optname gen_ip6optnametabs_h $@
+ 
+-gen_mmaptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
+-gen_mmaptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mmaptab.h"'
++gen_mmaptabs_h: ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"mmaptab.h\" -E -o $@ ../lib/gen_tables.c
+ mmaptabs.h: gen_mmaptabs_h Makefile
+-	./gen_mmaptabs_h --i2s-transtab mmap > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab mmap gen_mmaptabs_h $@
+ 
+-gen_mounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
+-gen_mounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mounttab.h"'
++gen_mounttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"mounttab.h\" -E -o $@ ../lib/gen_tables.c
+ mounttabs.h: gen_mounttabs_h Makefile
+-	./gen_mounttabs_h --i2s-transtab mount > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab mount gen_mounttabs_h $@
+ 
+-gen_nfprototabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
+-gen_nfprototabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="nfprototab.h"'
++gen_nfprototabs_h: ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"nfprototab.h\" -E -o $@ ../lib/gen_tables.c
+ nfprototabs.h: gen_nfprototabs_h Makefile
+-	./gen_nfprototabs_h --i2s nfproto > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s nfproto gen_nfprototabs_h $@
+ 
+-gen_open_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	open-flagtab.h
+-gen_open_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="open-flagtab.h"'
++gen_open-flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h open-flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"open-flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ open-flagtabs.h: gen_open-flagtabs_h Makefile
+-	./gen_open-flagtabs_h --i2s-transtab open_flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab open_flag gen_open-flagtabs_h $@
+ 
+-gen_persontabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
+-gen_persontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="persontab.h"'
++gen_persontabs_h: ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"persontab.h\" -E -o $@ ../lib/gen_tables.c
+ persontabs.h: gen_persontabs_h Makefile
+-	./gen_persontabs_h --i2s person > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s person gen_persontabs_h $@
+ 
+-gen_ptracetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
+-gen_ptracetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ptracetab.h"'
++gen_ptracetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ptracetab.h\" -E -o $@ ../lib/gen_tables.c
+ ptracetabs.h: gen_ptracetabs_h Makefile
+-	./gen_ptracetabs_h --i2s ptrace > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ptrace gen_ptracetabs_h $@
+ 
+-gen_prctl_opttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
+-gen_prctl_opttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prctl-opt-tab.h"'
++gen_prctl_opttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"prctl-opt-tab.h\" -E -o $@ ../lib/gen_tables.c
+ prctl_opttabs.h: gen_prctl_opttabs_h Makefile
+-	./gen_prctl_opttabs_h --i2s prctl_opt > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s prctl_opt gen_prctl_opttabs_h $@
+ 
+-gen_pktoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
+-gen_pktoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="pktoptnametab.h"'
++gen_pktoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"pktoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ pktoptnametabs.h: gen_pktoptnametabs_h Makefile
+-	./gen_pktoptnametabs_h --i2s pktoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s pktoptname gen_pktoptnametabs_h $@
+ 
+-gen_prottabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
+-gen_prottabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prottab.h"'
++gen_prottabs_h: ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"prottab.h\" -E -o $@ ../lib/gen_tables.c
+ prottabs.h: gen_prottabs_h Makefile
+-	./gen_prottabs_h --i2s-transtab prot > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab prot gen_prottabs_h $@
+ 
+-gen_recvtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
+-gen_recvtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="recvtab.h"'
++gen_recvtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"recvtab.h\" -E -o $@ ../lib/gen_tables.c
+ recvtabs.h: gen_recvtabs_h Makefile
+-	./gen_recvtabs_h --i2s-transtab recv > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab recv gen_recvtabs_h $@
+ 
+-gen_rlimit_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
+-gen_rlimit_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="rlimittab.h"'
++gen_rlimit_h: ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"rlimittab.h\" -E -o $@ ../lib/gen_tables.c
+ rlimittabs.h: gen_rlimit_h Makefile
+-	./gen_rlimit_h --i2s rlimit > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s rlimit gen_rlimit_h $@
+ 
+-gen_schedtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
+-gen_schedtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="schedtab.h"'
++gen_schedtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"schedtab.h\" -E -o $@ ../lib/gen_tables.c
+ schedtabs.h: gen_schedtabs_h Makefile
+-	./gen_schedtabs_h --i2s sched > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sched gen_schedtabs_h $@
+ 
+-gen_seccomptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
+-gen_seccomptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seccomptab.h"'
++gen_seccomptabs_h: ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"seccomptab.h\" -E -o $@ ../lib/gen_tables.c
+ seccomptabs.h: gen_seccomptabs_h Makefile
+-	./gen_seccomptabs_h --i2s seccomp > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s seccomp gen_seccomptabs_h $@
+ 
+-gen_seektabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
+-gen_seektabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seektab.h"'
++gen_seektabs_h: ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"seektab.h\" -E -o $@ ../lib/gen_tables.c
+ seektabs.h: gen_seektabs_h Makefile
+-	./gen_seektabs_h --i2s seek > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s seek gen_seektabs_h $@
+ 
+-gen_shm_modetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
+-gen_shm_modetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="shm_modetab.h"'
++gen_shm_modetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"shm_modetab.h\" -E -o $@ ../lib/gen_tables.c
+ shm_modetabs.h: gen_shm_modetabs_h Makefile
+-	./gen_shm_modetabs_h --i2s-transtab shm_mode > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab shm_mode gen_shm_modetabs_h $@
+ 
+-gen_signals_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
+-gen_signals_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="signaltab.h"'
++gen_signals_h: ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"signaltab.h\" -E -o $@ ../lib/gen_tables.c
+ signaltabs.h: gen_signals_h Makefile
+-	./gen_signals_h --i2s signal > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s signal gen_signals_h $@
+ 
+-gen_sockleveltabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
+-gen_sockleveltabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockleveltab.h"'
++gen_sockleveltabs_h: ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"sockleveltab.h\" -E -o $@ ../lib/gen_tables.c
+ sockleveltabs.h: gen_sockleveltabs_h Makefile
+-	./gen_sockleveltabs_h --i2s socklevel > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s socklevel gen_sockleveltabs_h $@
+ 
+-gen_sockoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
+-gen_sockoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockoptnametab.h"'
++gen_sockoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"sockoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ sockoptnametabs.h: gen_sockoptnametabs_h Makefile
+-	./gen_sockoptnametabs_h --i2s sockoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sockoptname gen_sockoptnametabs_h $@
+ 
+-gen_socktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
+-gen_socktabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktab.h"'
++gen_socktabs_h: ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"socktab.h\" -E -o $@ ../lib/gen_tables.c
+ socktabs.h: gen_socktabs_h Makefile
+-	./gen_socktabs_h --i2s sock > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sock gen_socktabs_h $@
+ 
+-gen_socktypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
+-gen_socktypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktypetab.h"'
++gen_socktypetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"socktypetab.h\" -E -o $@ ../lib/gen_tables.c
+ socktypetabs.h: gen_socktypetabs_h Makefile
+-	./gen_socktypetabs_h --i2s sock_type > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sock_type gen_socktypetabs_h $@
+ 
+-gen_tcpoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
+-gen_tcpoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="tcpoptnametab.h"'
++gen_tcpoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"tcpoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile
+-	./gen_tcpoptnametabs_h --i2s tcpoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s tcpoptname gen_tcpoptnametabs_h $@
+ 
+-gen_typetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
+-gen_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="typetab.h"'
++gen_typetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"typetab.h\" -E -o $@ ../lib/gen_tables.c
+ typetabs.h: gen_typetabs_h Makefile
+-	./gen_typetabs_h --s2i type > $@
++	$(PYTHON) ../lib/gen_tables.py --s2i type gen_typetabs_h $@
+ 
+-gen_umounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
+-gen_umounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="umounttab.h"'
++gen_umounttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"umounttab.h\" -E -o $@ ../lib/gen_tables.c
+ umounttabs.h: gen_umounttabs_h Makefile
+-	./gen_umounttabs_h --i2s-transtab umount > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab umount gen_umounttabs_h $@
+ 
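Review bot: The recipes in this hunk pass three positional arguments to the generator (for example `--i2s epoll_ctl gen_epoll_ctls_h $@`), while the usage block at the top of lib/gen_tables.py in this same patch documents four: `prefix header source output`. Either the recipes are missing the header argument or the usage text is stale; make the two agree so that a wrong argument order is rejected instead of producing a header from the wrong input. The `*.h` targets also list only `gen_*_h` and `Makefile` as prerequisites, so a change to ../lib/gen_tables.py will not regenerate the tables; add the script as a prerequisite. Nothing in these lines defines `$(PYTHON)`, so check that configure sets it before these rules can run.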
+diff -urN a/lib/gen_tables.c b/lib/gen_tables.c
+--- a/lib/gen_tables.c	2013-07-29 16:37:01.000000000 -0500
++++ b/lib/gen_tables.c	2013-08-19 10:09:03.060041420 -0500
+@@ -54,19 +54,6 @@
+ #define SHMGET          23
+ #define SHMCTL          24
+ 
+-
+-/* The ratio of table size to number of non-empty elements allowed for a
+-   "direct" s2i table; if the ratio would be bigger, bsearch tables are used
+-   instead.
+-
+-   2 looks like a lot at a first glance, but the bsearch tables need twice as
+-   much space per element, so with the ratio equal to 2 the direct table uses
+-   no more memory and is faster. */
+-#define DIRECT_THRESHOLD 2
+-
+-/* Allow more than one string defined for a single integer value */
+-static bool allow_duplicate_ints; /* = false; */
+-
+ struct value {
+ 	int val;
+ 	const char *s;
+@@ -83,335 +70,11 @@
+ 
+ #define NUM_VALUES (sizeof(values) / sizeof(*values))
+ 
+-/* Compare two "struct value" members by name. */
+-static int
+-cmp_value_strings(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	return strcmp(a->s, b->s);
+-}
+-
+-/* Compare two "struct value" members by value. */
+-static int
+-cmp_value_vals(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	if (a->val > b->val)
+-		return 1;
+-	if (a->val < b->val)
+-		return -1;
+-	/* Preserve the original order if there is an ambiguity, to always use
+-	   the first specified value. */
+-	if (a->orig_index > b->orig_index)
+-		return 1;
+-	if (a->orig_index < b->orig_index)
+-		return -1;
+-	return 0;
+-}
+-
+-/* Compare two "struct value" members by orig_index. */
+-static int
+-cmp_value_orig_index(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	if (a->orig_index > b->orig_index)
+-		return 1;
+-	if (a->orig_index < b->orig_index)
+-		return -1;
+-	return 0;
+-}
+-
+-/* Output the string table, initialize values[*]->s_offset. */
+-static void
+-output_strings(const char *prefix)
+-{
+-	size_t i, offset;
+-
+-	offset = 0;
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		values[i].s_offset = offset;
+-		offset += strlen(values[i].s) + 1;
+-	}
+-	printf("static const char %s_strings[] = \"", prefix);
+-	assert(NUM_VALUES > 0);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		const char *c;
+-
+-		if (i != 0 && i % 10 == 0)
+-			fputs("\"\n"
+-			      "\t\"", stdout);
+-		for (c = values[i].s; *c != '\0'; c++) {
+-			assert(*c != '"' && *c != '\\'
+-			       && isprint((unsigned char)*c));
+-			putc(*c, stdout);
+-		}
+-		if (i != NUM_VALUES - 1)
+-			fputs("\\0", stdout);
+-	}
+-	fputs("\";\n", stdout);
+-}
+-
+-/* Output the string to integer mapping code.
+-   Assume strings are all uppsercase or all lowercase if specified by
+-   parameters; in that case, make the search case-insensitive.
+-   values must be sorted by strings. */
+-static void
+-output_s2i(const char *prefix, bool uppercase, bool lowercase)
+-{
+-	size_t i;
+-
+-	for (i = 0; i < NUM_VALUES - 1; i++) {
+-		assert(strcmp(values[i].s, values[i + 1].s) <= 0);
+-		if (strcmp(values[i].s, values[i + 1].s) == 0) {
+-			fprintf(stderr, "Duplicate value `%s': %d, %d\n",
+-				values[i].s, values[i].val, values[i + 1].val);
+-			abort();
+-		}
+-	}
+-	printf("static const unsigned %s_s2i_s[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		assert(values[i].s_offset <= UINT_MAX);
+-		printf("%zu,", values[i].s_offset);
+-	}
+-	printf("\n"
+-	       "};\n"
+-	       "static const int %s_s2i_i[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		printf("%d,", values[i].val);
+-	}
+-	fputs("\n"
+-	      "};\n", stdout);
+-	assert(!(uppercase && lowercase));
+-	if (uppercase) {
+-		for (i = 0; i < NUM_VALUES; i++) {
+-			const char *c;
+-
+-			for (c = values[i].s; *c != '\0'; c++)
+-				assert(isascii((unsigned char)*c)
+-				       && !GT_ISLOWER(*c));
+-		}
+-	} else if (lowercase) {
+-		for (i = 0; i < NUM_VALUES; i++) {
+-			const char *c;
+-
+-			for (c = values[i].s; *c != '\0'; c++)
+-				assert(isascii((unsigned char)*c)
+-				       && !GT_ISUPPER(*c));
+-		}
+-	}
+-	if (uppercase || lowercase) {
+-		printf("static int %s_s2i(const char *s, int *value) {\n"
+-		       "\tsize_t len, i;\n"
+-		       "\tlen = strlen(s);\n"
+-		       "\t{ char copy[len + 1];\n"
+-		       "\tfor (i = 0; i < len; i++) {\n"
+-		       "\t\tchar c = s[i];\n", prefix);
+-		if (uppercase)
+-			fputs("\t\tcopy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' "
+-							  ": c;\n", stdout);
+-		else
+-			fputs("\t\tcopy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' "
+-							  ": c;\n", stdout);
+-		printf("\t}\n"
+-		       "\tcopy[i] = 0;\n"
+-		       "\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %zu, "
+-				      "copy, value);\n"
+-		       "\t}\n"
+-		       "}\n", prefix, prefix, prefix, NUM_VALUES);
+-	} else
+-		printf("static int %s_s2i(const char *s, int *value) {\n"
+-		       "\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %zu, s, "
+-				      "value);\n"
+-		       "}\n", prefix, prefix, prefix, prefix, NUM_VALUES);
+-}
+-
+-/* Output the string to integer mapping table.
+-   values must be sorted by strings. */
+-static void
+-output_i2s(const char *prefix)
+-{
+-	struct value *unique_values;
+-	int min_val, max_val;
+-	size_t i, n;
+-
+-	assert(NUM_VALUES > 0);
+-	for (i = 0; i < NUM_VALUES - 1; i++) {
+-		assert(values[i].val <= values[i + 1].val);
+-		if (!allow_duplicate_ints
+-		    && values[i].val == values[i + 1].val) {
+-			fprintf(stderr, "Duplicate value %d: `%s', `%s'\n",
+-				values[i].val, values[i].s, values[i + 1].s);
+-			abort();
+-		}
+-	}
+-
+-	unique_values = malloc(NUM_VALUES * sizeof(*unique_values));
+-	assert(unique_values != NULL);
+-	n = 0;
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (n == 0 || unique_values[n - 1].val != values[i].val) {
+-			unique_values[n] = values[i];
+-			n++;
+-		}
+-	}
+-
+-	min_val = unique_values[0].val;
+-	max_val = unique_values[n - 1].val;
+-	if (((double)max_val - (double)min_val) / n <= DIRECT_THRESHOLD) {
+-		int next_index;
+-
+-		printf("static const unsigned %s_i2s_direct[] = {", prefix);
+-		next_index = min_val;
+-		i = 0;
+-		for (;;) {
+-			if ((next_index - min_val) % 10 == 0)
+-				fputs("\n\t", stdout);
+-			while (unique_values[i].val < next_index)
+-				/* This can happen if (allow_duplicate_ints) */
+-				i++;
+-			if (unique_values[i].val == next_index) {
+-				assert(unique_values[i].s_offset <= UINT_MAX);
+-				printf("%zu,", unique_values[i].s_offset);
+-			} else
+-				fputs("-1u,", stdout);
+-			if (next_index == max_val)
+-				/* Done like this to avoid integer overflow */
+-				break;
+-			next_index++;
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const char *%s_i2s(int v) {\n"
+-		       "\treturn i2s_direct__(%s_strings, %s_i2s_direct, %d, "
+-					     "%d, v);\n"
+-		       "}\n", prefix, prefix, prefix, min_val, max_val);
+-	} else {
+-		printf("static const int %s_i2s_i[] = {", prefix);
+-		for (i = 0; i < n; i++) {
+-			if (i % 10 == 0)
+-				fputs("\n\t", stdout);
+-			printf("%d,", unique_values[i].val);
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const unsigned %s_i2s_s[] = {", prefix);
+-		for (i = 0; i < n; i++) {
+-			if (i % 10 == 0)
+-				fputs("\n\t", stdout);
+-			assert(unique_values[i].s_offset <= UINT_MAX);
+-			printf("%zu,", unique_values[i].s_offset);
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const char *%s_i2s(int v) {\n"
+-		       "\treturn i2s_bsearch__(%s_strings, %s_i2s_i, %s_i2s_s, "
+-			      "%zu, v);\n"
+-		       "}\n", prefix, prefix, prefix, prefix, n);
+-	}
+-	free(unique_values);
+-}
+-
+-/* Output the string to integer mapping table as a transtab[].
+-   values must be sorted in the desired order. */
+-static void
+-output_i2s_transtab(const char *prefix)
+-{
+-	size_t i;
+-	char *uc_prefix;
+-
+-	printf("static const struct transtab %s_table[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		printf("{%d,%zu},", values[i].val, values[i].s_offset);
+-	}
+-	uc_prefix = strdup(prefix);
+-	assert(uc_prefix != NULL);
+-	for (i = 0; uc_prefix[i] != '\0'; i++)
+-		uc_prefix[i] = toupper((unsigned char)uc_prefix[i]);
+-	printf("\n"
+-	       "};\n"
+-	       "#define %s_NUM_ENTRIES "
+-	       "(sizeof(%s_table) / sizeof(*%s_table))\n", uc_prefix, prefix,
+-	       prefix);
+-	free(uc_prefix);
+-}
+-
+ int
+ main(int argc, char **argv)
+ {
+-	bool gen_i2s, gen_i2s_transtab, gen_s2i, uppercase, lowercase;
+-	char *prefix;
+-	size_t i;
+-
+ 	/* This is required by gen_tables.h */
+ 	assert(NUM_VALUES <= (SSIZE_MAX / 2 + 1));
+ 
+-	/* To make sure GT_ISUPPER and GT_ISLOWER work. */
+-	assert('Z' == 'A' + 25 && 'z' == 'a' + 25);
+-	gen_i2s = false;
+-	gen_i2s_transtab = false;
+-	gen_s2i = false;
+-	uppercase = false;
+-	lowercase = false;
+-	prefix = NULL;
+-	assert (argc > 1);
+-	for (i = 1; i < (size_t)argc; i++) {
+-		if (strcmp(argv[i], "--i2s") == 0)
+-			gen_i2s = true;
+-		else if (strcmp(argv[i], "--i2s-transtab") == 0)
+-			gen_i2s_transtab = true;
+-		else if (strcmp(argv[i], "--s2i") == 0)
+-			gen_s2i = true;
+-		else if (strcmp(argv[i], "--uppercase") == 0)
+-			uppercase = true;
+-		else if (strcmp(argv[i], "--lowercase") == 0)
+-			lowercase = true;
+-		else if (strcmp(argv[i], "--duplicate-ints") == 0)
+-			allow_duplicate_ints = true;
+-		else {
+-			assert(*argv[i] != '-');
+-			assert(prefix == NULL);
+-			prefix = argv[i];
+-		}
+-	}
+-	assert(prefix != NULL);
+-	assert(!(uppercase && lowercase));
+-
+-	printf("/* This is a generated file, see Makefile.am for its "
+-	       "inputs. */\n");
+-	for (i = 0; i < NUM_VALUES; i++)
+-		values[i].orig_index = i;
+-	qsort(values, NUM_VALUES, sizeof(*values), cmp_value_strings);
+-	/* FIXME? if (gen_s2i), sort the strings in some other order
+-	   (e.g. "first 4 nodes in BFS of the bsearch tree first") to use the
+-	   cache better. */
+-	/* FIXME? If the only thing generated is a transtab, keep the strings
+-	   in the original order to use the cache better. */
+-	output_strings(prefix);
+-	if (gen_s2i)
+-		output_s2i(prefix, uppercase, lowercase);
+-	if (gen_i2s) {
+-		qsort(values, NUM_VALUES, sizeof(*values), cmp_value_vals);
+-		output_i2s(prefix);
+-	}
+-	if (gen_i2s_transtab) {
+-		qsort(values, NUM_VALUES, sizeof(*values),
+-		      cmp_value_orig_index);
+-		output_i2s_transtab(prefix);
+-	}
+ 	return EXIT_SUCCESS;
+ }
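Review bot: Removing output_strings() here drops the input check `assert(*c != '"' && *c != '\\' && isprint((unsigned char)*c))`, and the replacement in lib/gen_tables.py writes `ENTRIES[i].get_str()` straight into the generated C string literal with no equivalent check. Carry that validation over to the script so that a table entry containing a quote, backslash or non-printable character stops the build instead of altering the generated header. The `assert(NUM_VALUES <= (SSIZE_MAX / 2 + 1))` kept in main() is commented as required by gen_tables.h, but the Makefile.am rules in this patch only run this file through `$(CC) ... -E`, so main() is never executed and the bound is no longer enforced; move the check into gen_tables.py or drop the dead main().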
+diff -urN /dev/null b/lib/gen_tables.py
+--- /dev/null	2013-06-19 11:25:31.230442052 -0500
++++ b/lib/gen_tables.py	2013-08-19 14:27:55.639872141 -0500
+@@ -0,0 +1,458 @@
++#!/usr/bin/python
++################################################################################
++# Copyright 2013, Rockwell Collins.  All rights reserved.
++# 
++# This library is free software; you can redistribute it and/or
++# modify it under the terms of the GNU Lesser General Public
++# License as published by the Free Software Foundation; either
++# version 2.1 of the License, or (at your option) any later version.
++# 
++# This library is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# Lesser General Public License for more details.
++# 
++# You should have received a copy of the GNU Lesser General Public
++# License along with this library; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
++# 
++# Authors:
++#      Clayton Shotwell <clshotwe@rockwellcollins.com>
++#
++# Description:
++#      Generator of lookup tables to replace the gen_tables.c method developed
++#      Miloslav Trmac <mitr@redhat.com> to make audit package cross compilable.
++#      The logic in this script mimics the logic in gen_tables.c before the last
++#      modification.
++#
++# Usage: gen_tables.py [-h] [--i2s] [--i2s-transtab] [--s2i]
++#                             [--uppercase | --lowercase] [--duplicate-ints]
++#                             prefix header source output
++#
++#        Generate tables header files.
++#
++#        positional arguments:
++#          prefix            The prefix of the output file to use
++#          header            The header file to parse table values from
++#          source            The source of the preprocessor from the compiler
++#          output            The output header file
++#
++#        optional arguments:
++#          -h, --help        show this help message and exit
++#          --i2s             Generate i2s tables
++#          --i2s-transtab    Generate transtab tables
++#          --s2i             Generate s2i tables
++#          --uppercase       All characters are uppercase
++#          --lowercase       All characters are lowercase
++#          --duplicate-ints  Allow duplicate integers
++
++import argparse
++import ctypes
++import os
++import re
++import sys
++from operator import attrgetter
++from pyparsing import Group, Word, Suppress, alphas, alphanums, nums, cppStyleComment, \
++		Optional, ZeroOrMore
++
++# Number of entries to print per line
++NUM_ENTIRES_IN_LINE = 10
++
++# Global table entries variable that is used everywhere
++ENTRIES = []
++
++# The ratio of table size to number of non-empty elements allowed for a
++# "direct" s2i table; if the ratio would be bigger, bsearch tables are used
++# instead.
++# 
++# 2 looks like a lot at a first glance, but the bsearch tables need twice as
++# much space per element, so with the ratio equal to 2 the direct table uses
++# no more memory and is faster.
++DIRECT_THRESHOLD = 2
++
++# Set to True to enable some debug output
++DEBUG = False
++
++class Entry:
++	def __init__(self, new_s, val):
++		self.st = new_s
++		self.val = val
++		self.offset = 0
++		self.orig_index = 0
++	
++	def set_position(self, offset):
++		self.offset = offset
++	
++	def set_orig_index(self, orig_index):
++		self.orig_index = orig_index
++	
++	def get_str(self):
++		return self.st
++	
++	def __repr__(self):
++		return "<Entry st=%s val=%s>" % (self.st, self.val)
++	
++	def __str__(self):
++		return "Entry of st=%s, val=%s, offset=%d, orig_index=%d" % \
++				(self.st, self.val, self.offset, self.orig_index)
++
++def output_strings(prefix, outfile):
++	try:
++		# Calculate the position each entry will be in the string
++		index = 0
++		for i in range(len(ENTRIES)):
++			ENTRIES[i].set_position(index)
++			# Increment the index by the length of the name plus 1 for the null
++			# character at the end.
++			index += len(ENTRIES[i].get_str()) + 1
++		# Write out the strings
++		outfile.write("static const char %s_strings[] = \"" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i != 0) and (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('"\n\t"')
++			outfile.write(ENTRIES[i].get_str())
++			if (i != (len(ENTRIES) - 1)):
++				outfile.write('\\0')
++		outfile.write('";\n')
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_strings:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_s2i(prefix, outfile, uppercase, lowercase):
++	try:
++		# Check for duplicate values
++		for i in range(len(ENTRIES) - 1):
++			assert (ENTRIES[i].get_str() <= ENTRIES[i + 1].get_str()), "Entries not in the correct order"
++			if (ENTRIES[i].get_str() == ENTRIES[i + 1].get_str()):
++				print("Duplicate value %s: %d, %d" % \
++						(ENTRIES[i].get_str(), ENTRIES[i].val, ENTRIES[i + 1].val))
++				raise
++		
++		# Write out the index to value index values
++		outfile.write("static const unsigned %s_s2i_s[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("%i," % ENTRIES[i].offset)
++		outfile.write('\n};\n')
++		
++		# Write out the string to value actual values
++		outfile.write("static const int %s_s2i_i[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("%i," % ENTRIES[i].val)
++		outfile.write('\n};\n')
++		
++		# Verify the strings are all uppercase or lowercase depending on the arguments
++		# passed in
++		if uppercase:
++			for i in range(len(ENTRIES)):
++				assert (all(ord(c) < 128 for c in ENTRIES[i].get_str()) and \
++						ENTRIES[i].get_str().isupper()), "String %s is not uppercase" % ENTRIES[i].get_str()
++		if lowercase:
++			for i in range(len(ENTRIES)):
++				assert (all(ord(c) < 128 for c in ENTRIES[i].get_str()) and \
++						ENTRIES[i].get_str().islower()), "String %s is not lowercase" % ENTRIES[i].get_str()
++		if uppercase or lowercase:
++			outfile.write("static int %s_s2i(const char *s, int *value) {\n" \
++					"\tsize_t len, i;\n" \
++					"\tlen = strlen(s);\n" \
++					"\t{ char copy[len + 1];\n" \
++					"\tfor (i = 0; i < len; i++) {\n" \
++					"\t\tchar c = s[i];\n" % prefix)
++			if uppercase:
++				outfile.write("\t\tcopy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' : c;\n")
++			else:
++				outfile.write("\t\tcopy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;\n")
++			outfile.write("\t}\n" \
++					"\tcopy[i] = 0;\n" \
++					"\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %d, copy, value);\n" \
++					"\t}\n" \
++					"}\n" % (prefix, prefix, prefix, len(ENTRIES)))
++		else:
++			outfile.write("static int %s_s2i(const char *s, int *value) {\n" \
++					"\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %d, s, value);\n" \
++					"}\n" % (prefix, prefix, prefix, prefix, len(ENTRIES)))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_s2i:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_i2s(prefix, outfile, allow_duplicate_ints):
++	try:
++		# Check for duplicate values
++		for i in range(len(ENTRIES) - 1):
++			assert (ENTRIES[i].val <= ENTRIES[i + 1].val), "Entries not in the correct order"
++			if (not allow_duplicate_ints) and (ENTRIES[i].val == ENTRIES[i + 1].val):
++				print("Duplicate value %d: %s, %s" % (ENTRIES[i].val, ENTRIES[i].get_str(), \
++						ENTRIES[i + 1].get_str()))
++				raise
++		
++		# Find all of the unique values
++		unique_entries = []
++		for i in range(len(ENTRIES)):
++			# If the unique_entries is empty or the last unique_entries entry is different from the 
++			# entry being compared, append the entry
++			if (len(unique_entries) == 0) or (unique_entries[-1].val != ENTRIES[i].val):
++				unique_entries.append(ENTRIES[i])
++		
++		# Determine which mapping to use based on the treshold
++		max_val = unique_entries[-1].val
++		min_val = unique_entries[0].val
++		if ((float(max_val - min_val)/len(unique_entries)) <= DIRECT_THRESHOLD):
++			outfile.write("static const unsigned %s_i2s_direct[] = {" % prefix)
++			next_index = min_val
++			i = 0
++			while True:
++				if (((next_index - min_val) % 10) == 0):
++					outfile.write("\n\t")
++				while (unique_entries[i].val < next_index):
++					# This can happen if (allow_duplicate_ints)
++					i += 1
++				if (unique_entries[i].val == next_index):
++					assert(unique_entries[i].offset <= sys.maxint)
++					outfile.write("%i," % unique_entries[i].offset)
++				else:
++					outfile.write("-1u,")
++				if (next_index == max_val):
++					break
++				next_index += 1
++			outfile.write("\n};\nstatic const char *%s_i2s(int v) {\n" \
++					"\treturn i2s_direct__(%s_strings, %s_i2s_direct, %d, %d, v);\n" \
++					"}\n" % (prefix, prefix, prefix, min_val, max_val))
++		else:
++			outfile.write("static const int %s_i2s_i[] = {" % prefix)
++			for i in range(len(unique_entries)):
++				if (i % 10 == 0):
++					outfile.write("\n\t")
++				outfile.write("%i," % unique_entries[i].val)
++			outfile.write("\n};\nstatic const unsigned %s_i2s_s[] = {" % prefix)
++			for i in range(len(unique_entries)):
++				if (i % 10 == 0):
++					outfile.write("\n\t")
++				assert(unique_entries[i].offset <= sys.maxint)
++				outfile.write("%i," % unique_entries[i].offset)
++			outfile.write("\n };\n static const char *%s_i2s(int v) {\n" \
++					"\treturn i2s_bsearch__(%s_strings, %s_i2s_i, %s_i2s_s, %u, v);\n" \
++					"}\n" % (prefix, prefix, prefix, prefix, len(unique_entries)))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_i2s_transtab(prefix, outfile):
++	"""
++		Output the string to integer mapping table as a transtab[].
++		values must be sorted in the desired order. 
++	"""
++	try:
++		outfile.write("static const struct transtab %s_table[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("{%i,%u}," % (ENTRIES[i].val, ENTRIES[i].offset))
++		outfile.write("\n};\n#define %s_NUM_ENTRIES (sizeof(%s_table) / sizeof(*%s_table))\n" % \
++				(prefix.upper(), prefix, prefix))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s_transtab:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def lookup_enum(look_str, buf):
++	try:
++		# Pull all of the enums out of the preprocessor output out only once
++		# to help speed up all of the lookups
++		if not hasattr(lookup_enum, "enums"):
++			if DEBUG:
++				print("Pulling out the enums from the preprocessor output")
++			# Regex pattern to parse out the enums from the preprocessor output
++			enum_regex = "enum.*?{(?P<s>.*?)}"
++			lookup_enum.enums = re.findall(enum_regex, buf, flags=(re.M | re.S))
++		
++		# find which enum contains the string we are looking for
++		for i in range(len(lookup_enum.enums)):
++			if look_str in lookup_enum.enums[i]:
++				# Determine the value of the variable in the enum
++				enum_string = "enum preproc { " + lookup_enum.enums[i] + " }"
++				enum_string = "".join([line.strip() for line in enum_string])
++				if DEBUG:
++					print("Found %s in %s" % (look_str, enum_string))
++				
++				identifier = Word(alphas, alphanums+'_')
++				opt_value = Word(nums, nums+'x+<>/*')
++				
++				enum_value = Group(identifier('name') + Optional(Suppress('=') + opt_value('value')))
++				enum_list = Group(enum_value + ZeroOrMore(Suppress(',') + enum_value))
++				enum = Suppress('enum') + identifier('enum') + Suppress('{') + enum_list('list') + \
++						Suppress('}')
++				enum.ignore(cppStyleComment)
++				
++				for item, start, stop in enum.scanString(enum_string):
++					temp = 0
++					for entry in item.list:
++						if DEBUG:
++							print("Checking %s against %s" % (look_str, entry.name))
++						if entry.name == look_str:
++							if entry.value != '':
++								# Need to call eval becuase some enums have math in them
++								try:
++									value = eval(entry.value)
++								except:
++									print("Found invalid value %s" % entry.value)
++							else:
++								value = temp
++							if DEBUG:
++								print("Matched the enum name to value %d" % value)
++							return value
++						temp += 1
++	except:
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s_transtab:", exc_type, fname, exc_tb.tb_lineno)
++	print("Unable to find enum value")
++	return None
++
++def evaluate_string(eval_str, buf):
++	if DEBUG:
++		print("Evaluating string %s" % eval_str)
++	
++	# Regex expression for pulling apart the values in the preprocessor output
++	eval_regex = "(?P<val>\w+)"
++	# Since the string can be anything, it must be parsed into individual parts
++	# and evaluated separately to find any enum values
++	matches = re.findall(eval_regex, eval_str)
++	if len(matches) <= 0:
++		print("Could not find any matches")
++	
++	local_s = eval_str
++	value = None
++	i = 0
++	for i in range(len(matches)):
++		try:
++			# If the current item is abled to evaled, there is nothing to do
++			val = eval(matches[i])
++		except:
++			try:
++				# Need to check to see if the last character is a "U" and remove it
++				# if this does not except, a valid number was found
++				if matches[i][-1] == 'U':
++					val = eval(matches[i][:-1])
++					local_s = local_s.replace(matches[i], "%d" % val)
++				else:
++					# Need to do a enum look up for anything that doesnt translate into a number
++					val = lookup_enum(matches[i], buf)
++					if val is not None:
++						local_s = local_s.replace(matches[i], "%d" % val)
++			except:
++				# This case will be hit if the "U" removal fails
++				val = lookup_enum(matches[i], buf)
++				if val is not None:
++					local_s = local_s.replace(matches[i], "%d" % val)
++	try:
++		# This will fail if all of the enums were not found rather
++		# than handling the failues in the above steps
++		# Also, need to convert to a signed 32 bit int for the output value
++		value = ctypes.c_int32(eval(local_s)).value
++		if DEBUG:
++			print("Found value %d for %s" % (value, matches[i]))
++	except:
++		print("Could not parse string %s" % local_s)
++	
++	# Verify the mess above resulted in a number being found
++	if value is None:
++		print("Failed to find value for %s" % eval_str)
++		raise
++	return value
++	
++def remove_output(outfile):
++	path = outfile.name
++	outfile.close()
++	os.remove(path)
++	sys.exit(1)
++
++def main():
++	
++	# Setup the argument parser and parse the arguments given
++	parser = argparse.ArgumentParser(description='Generate tables header files.')
++	parser.add_argument('--i2s', dest='gen_i2s', action='store_true', 
++			help='Generate i2s tables')
++	parser.add_argument('--i2s-transtab', dest='gen_i2s_transtab', action='store_true', 
++			help='Generate transtab tables')
++	parser.add_argument('--s2i', dest='gen_s2i', action='store_true', 
++			help='Generate s2i tables')
++	# Make sure uppercase and lowercase are mutually exclusive
++	group = parser.add_mutually_exclusive_group()
++	group.add_argument('--uppercase', dest='uppercase', action='store_true', 
++			help='All characters are uppercase')
++	group.add_argument('--lowercase', dest='lowercase', action='store_true', 
++			help='All characters are lowercase')
++	parser.add_argument('--duplicate-ints', dest='allow_duplicate_ints', action='store_true', 
++			help='Allow duplicate integers')
++	parser.add_argument('prefix', help='The prefix of the output file to use')
++	parser.add_argument('source', type=argparse.FileType('r'), 
++			help='The source of the preprocessor from the compiler')
++	parser.add_argument('output', type=argparse.FileType('w'), 
++			help='The output header file')
++	args = parser.parse_args()
++	
++	# Regex pattern to parse out the macro and string from the _S calls
++	source_regex = "{ \((?P<val>.*?)\), \(\"(?P<s>\S+)\"\), 0, 0 }"
++	
++	# First parse the header file for all of the preprocessor source that need to
++	# be looked up
++	buf = args.source.read()
++	matches = re.findall(source_regex, buf, flags=re.MULTILINE)
++	
++	# Check to make sure we have matches
++	if (len(matches) <= 0):
++		print("Failed to find valid source")
++		remove_output(args.output)
++		sys.exit(1)
++	
++	try:
++		# Create all of the entry structures
++		global ENTRIES
++		for i in range(len(matches)):
++			ENTRIES.append(Entry(matches[i][1], evaluate_string(matches[i][0], buf)))
++			ENTRIES[i].set_orig_index(i)
++			if DEBUG:
++				print(ENTRIES[i])
++		
++		# Sort the entries alphabetically
++		ENTRIES = sorted(ENTRIES, key=attrgetter('st'))
++		# Print out the output header
++		args.output.write("/* This is a generated file, see Makefile.am for its inputs. */\n")
++		output_strings(args.prefix, args.output)
++		if args.gen_s2i:
++			output_s2i(args.prefix, args.output, args.uppercase, args.lowercase)
++		if args.gen_i2s:
++			ENTRIES = sorted(ENTRIES, key=attrgetter('val'))
++			output_i2s(args.prefix, args.output, args.allow_duplicate_ints)
++		if args.gen_i2s_transtab:
++			ENTRIES = sorted(ENTRIES, key=attrgetter('orig_index'))
++			output_i2s_transtab(args.prefix, args.output)
++	except:
++		# On an error, close and remove the file before returning an error
++		print("Failed to write the output file correctly")
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error:", exc_type, fname, exc_tb.tb_lineno)
++		remove_output(args.output)
++		sys.exit(1)
++
++if __name__ == '__main__':
++	main()
+diff -urN a/lib/Makefile.am b/lib/Makefile.am
+--- a/lib/Makefile.am	2013-07-29 16:37:01.000000000 -0500
++++ b/lib/Makefile.am	2013-08-19 14:39:58.280509378 -0500
+@@ -40,119 +40,109 @@
+ BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
+ 	ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
+ 	msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
+-	s390x_tables.h x86_64_tables.h
+-if USE_ALPHA
+-BUILT_SOURCES += alpha_tables.h
+-endif
+-if USE_ARMEB
+-BUILT_SOURCES += armeb_tables.h
+-endif
+-if USE_AARCH64
+-BUILT_SOURCES += aarch64_tables.h
+-endif
+-noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
++	s390x_tables.h x86_64_tables.h \
++	gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
+ 	gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
+ 	gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
+ 	gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
+-	gen_s390x_tables_h gen_x86_64_tables_h
++	gen_s390x_tables_h gen_x86_64_tables_h 
+ if USE_ALPHA
+-noinst_PROGRAMS += gen_alpha_tables_h
++BUILT_SOURCES += alpha_tables.h gen_alpha_tables_h
+ endif
+ if USE_ARMEB
+-noinst_PROGRAMS += gen_armeb_tables_h
++BUILT_SOURCES += armeb_tables.h gen_armeb_tables_h
+ endif
+ if USE_AARCH64
+-noinst_PROGRAMS += gen_aarch64_tables_h
++BUILT_SOURCES += aarch64_tables.h gen_aarch64_tables_h
+ endif
+-gen_actiontabs_h_SOURCES = gen_tables.c gen_tables.h actiontab.h
+-gen_actiontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="actiontab.h"'
++
++gen_actiontabs_h: gen_tables.c gen_tables.h actiontab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"actiontab.h\" -E -o $@ gen_tables.c
+ actiontabs.h: gen_actiontabs_h Makefile
+-	./gen_actiontabs_h --lowercase --i2s --s2i action > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i action gen_actiontabs_h $@
+ 
+ if USE_ALPHA
+-gen_alpha_tables_h_SOURCES = gen_tables.c gen_tables.h alpha_table.h
+-gen_alpha_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="alpha_table.h"'
++gen_alpha_tables_h: gen_tables.c gen_tables.h alpha_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"alpha_table.h\" -E -o $@ gen_tables.c
+ alpha_tables.h: gen_alpha_tables_h Makefile
+-	./gen_alpha_tables_h --lowercase --i2s --s2i alpha_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i alpha_syscall gen_alpha_tables_h $@
+ endif
+ 
+ if USE_ARMEB
+-gen_armeb_tables_h_SOURCES = gen_tables.c gen_tables.h armeb_table.h
+-gen_armeb_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="armeb_table.h"'
+-armeb_tables.h: gen_armeb_tables_h Makefile
+-	./gen_armeb_tables_h --lowercase --i2s --s2i armeb_syscall > $@
++gen_armeb_tables_h: gen_tables.c gen_tables.h armeb_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"armeb_table.h\" -E -o $@ gen_tables.c
++armeb_tables.h: gen_armeb_tables_h Makefile
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i armeb_syscall gen_armeb_tables_h $@
+ endif
+ 
+ if USE_AARCH64
+-gen_aarch64_tables_h_SOURCES = gen_tables.c gen_tables.h aarch64_table.h
+-gen_aarch64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="aarch64_table.h"'
++gen_aarch64_tables_h: gen_tables.c gen_tables.h aarch64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"aarch64_table.h\" -E -o $@ gen_tables.c
+ aarch64_tables.h: gen_aarch64_tables_h Makefile
+-	./gen_aarch64_tables_h --lowercase --i2s --s2i aarch64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i aarch64_syscall gen_aarch64_tables_h $@
+ endif
+ 
+-gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h
+-gen_errtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="errtab.h"'
++gen_errtabs_h: gen_tables.c gen_tables.h errtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"errtab.h\" -E -o $@ gen_tables.c
+ errtabs.h: gen_errtabs_h Makefile
+-	./gen_errtabs_h --duplicate-ints --uppercase --i2s --s2i err > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --uppercase --i2s --s2i err gen_errtabs_h $@
+ 
+-gen_fieldtabs_h_SOURCES = gen_tables.c gen_tables.h fieldtab.h
+-gen_fieldtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fieldtab.h"'
++gen_fieldtabs_h: gen_tables.c gen_tables.h fieldtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"fieldtab.h\" -E -o $@ gen_tables.c
+ fieldtabs.h: gen_fieldtabs_h Makefile
+-	./gen_fieldtabs_h --duplicate-ints --lowercase --i2s --s2i field > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i field gen_fieldtabs_h $@
+ 
+-gen_flagtabs_h_SOURCES = gen_tables.c gen_tables.h flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="flagtab.h"'
++gen_flagtabs_h: gen_tables.c gen_tables.h flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"flagtab.h\" -E -o $@ gen_tables.c
+ flagtabs.h: gen_flagtabs_h Makefile
+-	./gen_flagtabs_h --lowercase --i2s --s2i flag > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i flag gen_flagtabs_h $@
+ 
+-gen_ftypetabs_h_SOURCES = gen_tables.c gen_tables.h ftypetab.h
+-gen_ftypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ftypetab.h"'
++gen_ftypetabs_h: gen_tables.c gen_tables.h ftypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ftypetab.h\" -E -o $@ gen_tables.c
+ ftypetabs.h: gen_ftypetabs_h Makefile
+-	./gen_ftypetabs_h --lowercase --i2s --s2i ftype > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ftype gen_ftypetabs_h $@
+ 
+-gen_i386_tables_h_SOURCES = gen_tables.c gen_tables.h i386_table.h
+-gen_i386_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="i386_table.h"'
++gen_i386_tables_h: gen_tables.c gen_tables.h i386_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"i386_table.h\" -E -o $@ gen_tables.c
+ i386_tables.h: gen_i386_tables_h Makefile
+-	./gen_i386_tables_h --duplicate-ints --lowercase --i2s --s2i \
+-		i386_syscall > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i i386_syscall gen_i386_tables_h $@
+ 
+-gen_ia64_tables_h_SOURCES = gen_tables.c gen_tables.h ia64_table.h
+-gen_ia64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ia64_table.h"'
++gen_ia64_tables_h: gen_tables.c gen_tables.h ia64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ia64_table.h\" -E -o $@ gen_tables.c
+ ia64_tables.h: gen_ia64_tables_h Makefile
+-	./gen_ia64_tables_h --lowercase --i2s --s2i ia64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ia64_syscall gen_ia64_tables_h $@
+ 
+-gen_machinetabs_h_SOURCES = gen_tables.c gen_tables.h machinetab.h
+-gen_machinetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="machinetab.h"'
++gen_machinetabs_h: gen_tables.c gen_tables.h machinetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"machinetab.h\" -E -o $@ gen_tables.c
+ machinetabs.h: gen_machinetabs_h Makefile
+-	./gen_machinetabs_h --duplicate-ints --lowercase --i2s --s2i machine \
+-		> $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i machine gen_machinetabs_h $@
+ 
+-gen_msg_typetabs_h_SOURCES = gen_tables.c gen_tables.h msg_typetab.h
+-gen_msg_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="msg_typetab.h"'
++gen_msg_typetabs_h: gen_tables.c gen_tables.h msg_typetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"msg_typetab.h\" -E -o $@ gen_tables.c
+ msg_typetabs.h: gen_msg_typetabs_h Makefile
+-	./gen_msg_typetabs_h --uppercase --i2s --s2i msg_type > $@
++	$(PYTHON) gen_tables.py --uppercase --i2s --s2i msg_type gen_msg_typetabs_h $@
+ 
+-gen_optabs_h_SOURCES = gen_tables.c gen_tables.h optab.h
+-gen_optabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="optab.h"'
++gen_optabs_h: gen_tables.c gen_tables.h optab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"optab.h\" -E -o $@ gen_tables.c
+ optabs.h: gen_optabs_h Makefile
+-	./gen_optabs_h --i2s op > $@
++	$(PYTHON) gen_tables.py --i2s op gen_optabs_h $@
+ 
+-gen_ppc_tables_h_SOURCES = gen_tables.c gen_tables.h ppc_table.h
+-gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ppc_table.h"'
++gen_ppc_tables_h: gen_tables.c gen_tables.h ppc_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ppc_table.h\" -E -o $@ gen_tables.c
+ ppc_tables.h: gen_ppc_tables_h Makefile
+-	./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ppc_syscall gen_ppc_tables_h $@
+ 
+-gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h
+-gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"'
++gen_s390_tables_h: gen_tables.c gen_tables.h s390_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"s390_table.h\" -E -o $@ gen_tables.c
+ s390_tables.h: gen_s390_tables_h Makefile
+-	./gen_s390_tables_h --lowercase --i2s --s2i s390_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i s390_syscall gen_s390_tables_h $@
+ 
+-gen_s390x_tables_h_SOURCES = gen_tables.c gen_tables.h s390x_table.h
+-gen_s390x_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390x_table.h"'
++gen_s390x_tables_h: gen_tables.c gen_tables.h s390x_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"s390x_table.h\" -E -o $@ gen_tables.c
+ s390x_tables.h: gen_s390x_tables_h Makefile
+-	./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i s390x_syscall gen_s390x_tables_h $@
+ 
+-gen_x86_64_tables_h_SOURCES = gen_tables.c gen_tables.h x86_64_table.h
+-gen_x86_64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="x86_64_table.h"'
++gen_x86_64_tables_h: gen_tables.c gen_tables.h x86_64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"x86_64_table.h\" -E -o $@ gen_tables.c
+ x86_64_tables.h: gen_x86_64_tables_h Makefile
+-	./gen_x86_64_tables_h --lowercase --i2s --s2i x86_64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i x86_64_syscall gen_x86_64_tables_h $@
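Review bot: in the embedded gen_tables.py, evaluate_string() and lookup_enum() pass text taken from the preprocessor output to eval() (`val = eval(matches[i])`, `eval(local_s)`, `eval(entry.value)`), so an expression found in any included header is executed as Python at build time, and a macro name that matches a Python name in scope (for example `buf` or `value`) evaluates without error instead of reaching the enum lookup. Parse each token as a C integer literal (after stripping the U suffix) and evaluate the remaining arithmetic with a restricted expression walker rather than eval(). The bare `raise` after the "Failed to find value" and "Duplicate value" prints has no active exception to re-raise, so raise an explicit error such as ValueError there, and `sys.maxint` in output_i2s() does not exist on Python 3. In lib/Makefile.am, the *.h rules call `$(PYTHON) gen_tables.py` without listing gen_tables.py as a prerequisite, so editing the script does not regenerate the tables.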
diff --git a/package/audit/audit-0002-remove-zos-plugin.patch b/package/audit/audit-0002-remove-zos-plugin.patch
new file mode 100644
index 0000000..576d8fa
--- /dev/null
+++ b/package/audit/audit-0002-remove-zos-plugin.patch
@@ -0,0 +1,35 @@
+Removed the step to build the zos-remote.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+---
+--- a/audisp/plugins/Makefile.am	2012-08-28 10:33:03.582396601 -0500
++++ b/audisp/plugins/Makefile.am	2012-08-28 10:33:14.162399662 -0500
+@@ -22,7 +22,7 @@
+ 
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ 
+-SUBDIRS = builtins zos-remote remote
++SUBDIRS = builtins remote
+ #SUBDIRS = builtins zos-remote
+ if HAVE_PRELUDE
+ SUBDIRS += prelude
+--- a/audisp/plugins/Makefile.in	2012-08-28 10:33:03.592380390 -0500
++++ b/audisp/plugins/Makefile.in	2012-08-28 10:35:38.482397668 -0500
+@@ -84,7 +84,7 @@
+ 	distdir
+ ETAGS = etags
+ CTAGS = ctags
+-DIST_SUBDIRS = builtins zos-remote remote prelude
++DIST_SUBDIRS = builtins remote prelude
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ am__relativize = \
+   dir0=`pwd`; \
+@@ -242,7 +242,7 @@
+ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+-SUBDIRS = builtins zos-remote remote $(am__append_1)
++SUBDIRS = builtins remote $(am__append_1)
+ all: all-recursive
+ 
+ .SUFFIXES:
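Review bot: the description at the top of this patch says what is removed but not why zos-remote cannot be built in Buildroot, and the `Signed-off-by` line is missing its colon. Since audit.mk in this same commit sets AUDIT_AUTORECONF = YES, Makefile.in is regenerated from Makefile.am, so the two Makefile.in hunks look redundant and can be dropped to keep the patch small.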
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
new file mode 100644
index 0000000..e32b55f
--- /dev/null
+++ b/package/audit/audit.mk
@@ -0,0 +1,58 @@
+################################################################################
+#
+# audit
+#
+################################################################################
+
+AUDIT_VERSION:=2.3.2
+AUDIT_SITE:=http://people.redhat.com/sgrubb/audit/
+AUDIT_DEPENDENCIES = host-python-pyparsing
+AUDIT_LICENSE = GPLv2
+AUDIT_LICENSE_FILES = COPYING
+
+AUDIT_INSTALL_STAGING = YES
+
+AUDIT_AUTORECONF = YES
+AUDIT_AUTORECONF_OPT = -i -s -I m4
+
+# Audit will be looking for applications to be in the root
+# /sbin folder rather than in /usr/sbin folder
+AUDIT_CONF_OPT = --sbindir=/sbin
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+	AUDIT_DEPENDENCIES += python host-python host-swig
+	AUDIT_CONF_OPT += --with-python=yes
+	AUDIT_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)"
+else
+	AUDIT_CONF_OPT += --with-python=no
+endif
+
+ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
+	AUDIT_DEPENDENCIES += libcap-ng
+	AUDIT_CONF_OPT += --with-libcap-ng=yes
+else
+	AUDIT_CONF_OPT += --with-libcap-ng=no
+endif
+
+ifeq ($(BR2_armeb),y)
+	AUDIT_CONF_OPT += --with-armeb
+endif
+ifeq ($(BR2_arm),y)
+	AUDIT_CONF_OPT += --with-armeb
+endif
+ifeq ($(BR2_aarch64),y)
+	AUDIT_CONF_OPT += --with-aarch64
+endif
+
+ifeq ($(BR2_PREFER_STATIC_LIB),y)
+	AUDIT_CONF_OPT += --enable-shared=no
+endif
+
+define AUDIT_REPLACE_STARTUP_SCRIPT
+	$(INSTALL) -m 755 package/audit/S14auditd $(TARGET_DIR)/etc/init.d/
+	rm -rf $(TARGET_DIR)/etc/rc.d/
+endef
+
+AUDIT_POST_INSTALL_TARGET_HOOKS += AUDIT_REPLACE_STARTUP_SCRIPT
+
+$(eval $(autotools-package))
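Review bot: the `ifeq ($(BR2_arm),y)` block passes `--with-armeb`, the same option as the `BR2_armeb` block just above it; if little-endian ARM is really meant to use the armeb tables, say so in a comment, otherwise this reads as a copy-paste slip. In AUDIT_REPLACE_STARTUP_SCRIPT, `rm -rf $(TARGET_DIR)/etc/rc.d/` deletes the whole directory, including anything another package installed there; remove only the file audit itself installed. AUDIT_VERSION and AUDIT_SITE use `:=` where the rest of the file uses `=`, and the assignments inside the ifeq blocks are tab-indented, unlike shadow.mk in this series.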
-- 
1.7.1


* [Buildroot] [PATCH v2 14/17] shadow: new package
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (12 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 13/17] audit: new package Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 15/17] pcre: Add host build support Clayton Shotwell
                   ` (2 subsequent siblings)
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.

 package/Config.in        |    3 ++
 package/shadow/Config.in |   13 ++++++++++++
 package/shadow/shadow.mk |   49 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 0 deletions(-)
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.mk

diff --git a/package/Config.in b/package/Config.in
index b5b4a6e..b9b0d3e 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -929,6 +929,9 @@ source "package/lockfile-progs/Config.in"
 source "package/logrotate/Config.in"
 source "package/logsurfer/Config.in"
 source "package/screen/Config.in"
+if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
+source "package/shadow/Config.in"
+endif
 source "package/sudo/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 source "package/time/Config.in"
diff --git a/package/shadow/Config.in b/package/shadow/Config.in
new file mode 100644
index 0000000..5692ac6
--- /dev/null
+++ b/package/shadow/Config.in
@@ -0,0 +1,13 @@
+config BR2_PACKAGE_SHADOW
+	bool "shadow"
+	help
+	  The shadow-utils package includes the necessary programs for
+	  converting UNIX password files to the shadow password format, plus
+	  programs for managing user and group accounts. The pwconv command
+	  converts passwords to the shadow password format. The pwunconv command
+	  unconverts shadow passwords and generates an npasswd file (a standard
+	  UNIX password file). The pwck command checks the integrity of password
+	  and shadow files. The lastlog command prints out the last login times
+	  for all users. The useradd, userdel, and usermod commands are used for
+	  managing user accounts. The groupadd, groupdel, and groupmod commands
+	  are used for managing group accounts.
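Review bot: this entry has no `select` or `depends on` lines, yet shadow.mk in the same patch sets `SHADOW_DEPENDENCIES = acl attr busybox`, so enabling shadow alone builds packages that are not enabled in the configuration. Add the matching `select BR2_PACKAGE_ACL` and `select BR2_PACKAGE_ATTR` (propagating whatever toolchain dependencies those carry), and end the help text with the upstream URL.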
diff --git a/package/shadow/shadow.mk b/package/shadow/shadow.mk
new file mode 100644
index 0000000..8783533
--- /dev/null
+++ b/package/shadow/shadow.mk
@@ -0,0 +1,49 @@
+################################################################################
+#
+# shadow
+#
+################################################################################
+
+SHADOW_VERSION = 4.1.5.1
+SHADOW_SOURCE = shadow-$(SHADOW_VERSION).tar.bz2
+SHADOW_SITE = http://pkg-shadow.alioth.debian.org/releases/
+SHADOW_LICENSE = BSD
+SHADOW_LICENSE_FILES = COPYING
+SHADOW_DEPENDENCIES = acl attr busybox
+
+SHADOW_INSTALL_STAGING = NO
+
+SHADOW_CONF_OPT = --disable-nls
+
+# Shadow configuration to support audit
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+SHADOW_DEPENDENCIES += audit
+SHADOW_CONF_OPT += --with-audit=yes
+endif
+
+# Shawdow with linux-pam support
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y) 
+SHADOW_DEPENDENCIES += linux-pam
+SHADOW_CONF_OPT += --with-libpam=yes
+endif
+
+# Shadow with selinux support
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+SHADOW_DEPENDENCIES += libselinux libsemanage
+SHADOW_CONF_OPT += --with-selinux=yes
+endif
+
+# Comment out all config entries that conflict with using PAM
+define SHADOW_LOGIN_CONFIGURATION
+	for FUNCTION in FAIL_DELAY FAILLOG_ENAB LASTLOG_ENAB MAIL_CHECK_ENAB \
+		OBSCURE_CHECKS_ENAB PORTTIME_CHECKS_ENAB QUOTAS_ENAB CONSOLE MOTD_FILE \
+		FTMP_FILE NOLOGINS_FILE ENV_HZ PASS_MIN_LEN SU_WHEEL_ONLY CRACKLIB_DICTPATH \
+		PASS_CHANGE_TRIES PASS_ALWAYS_WARN CHFN_AUTH ENCRYPT_METHOD ENVIRON_FILE ; \
+	do \
+		sed -i "s/^$${FUNCTION}/# &/" $(TARGET_DIR)/etc/login.defs ; \
+	done
+endef
+
+SHADOW_POST_INSTALL_TARGET_HOOKS += SHADOW_LOGIN_CONFIGURATION
+
+$(eval $(autotools-package))
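Review bot: SHADOW_LOGIN_CONFIGURATION is registered as a post-install hook unconditionally, so the login.defs entries, including ENCRYPT_METHOD and PASS_MIN_LEN, are commented out even when BR2_PACKAGE_LINUX_PAM is not selected and PAM is not there to enforce them. Move the define and the `SHADOW_POST_INSTALL_TARGET_HOOKS +=` line inside the `ifeq ($(BR2_PACKAGE_LINUX_PAM),y)` block. The sed expression `s/^$${FUNCTION}/# &/` matches by prefix, so `CONSOLE` also comments out any key that merely starts with CONSOLE; anchor the pattern on the whitespace that follows the key. "Shawdow" in the linux-pam comment is a typo, and that `ifeq` line has trailing whitespace.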
-- 
1.7.1


* [Buildroot] [PATCH v2 15/17] pcre: Add host build support
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (13 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 14/17] shadow: " Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-18  5:18   ` Thomas Petazzoni
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 16/17] bzip2: Add host build shared library installation Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 17/17] sqlite: Add host build support Clayton Shotwell
  16 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - No changes

 package/pcre/pcre.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
index bf86a3d..1b59dbc 100644
--- a/package/pcre/pcre.mk
+++ b/package/pcre/pcre.mk
@@ -21,3 +21,4 @@ PCRE_CONF_OPT += $(if $(BR2_PACKAGE_PCRE_16),--enable-pcre16,--disable-pcre16)
 PCRE_CONF_OPT += $(if $(BR2_PACKAGE_PCRE_32),--enable-pcre32,--disable-pcre32)
 
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
-- 
1.7.1


* [Buildroot] [PATCH v2 16/17] bzip2: Add host build shared library installation
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (14 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 15/17] pcre: Add host build support Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 17/17] sqlite: Add host build support Clayton Shotwell
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - No changes

 package/bzip2/bzip2.mk |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
index 45d5108..5876837 100644
--- a/package/bzip2/bzip2.mk
+++ b/package/bzip2/bzip2.mk
@@ -71,6 +71,8 @@ endef
 define HOST_BZIP2_INSTALL_CMDS
 	$(HOST_MAKE_ENV) \
 		$(MAKE) PREFIX=$(HOST_DIR)/usr -C $(@D) install
+	$(HOST_MAKE_ENV) $(MAKE) \
+		-f Makefile-libbz2_so PREFIX=$(HOST_DIR)/usr -C $(@D) install
 endef
 
 $(eval $(generic-package))
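Review bot: the added `-f Makefile-libbz2_so ... install` step in HOST_BZIP2_INSTALL_CMDS assumes the shared library has already been built, but the host build commands are not touched by this patch. Confirm that the host build step also runs Makefile-libbz2_so, so nothing is compiled during install with a different set of flags, and add a line to the commit message saying which host package needs the shared libbz2.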
-- 
1.7.1


* [Buildroot] [PATCH v2 17/17] sqlite: Add host build support
  2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
                   ` (15 preceding siblings ...)
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 16/17] bzip2: Add host build shared library installation Clayton Shotwell
@ 2013-09-11 21:59 ` Clayton Shotwell
  16 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-11 21:59 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v1 -> v2:
  - No changes

 package/sqlite/sqlite.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index d474619..4d93172 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -68,3 +68,4 @@ define SQLITE_UNINSTALL_STAGING_CMDS
 endef
 
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
\ No newline at end of file
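Review bot: the added `$(eval $(host-autotools-package))` line leaves sqlite.mk without a trailing newline, as the `\ No newline at end of file` marker shows; end the file with a newline. The commit message has no body, so it should also say which host package needs host-sqlite.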
-- 
1.7.1


* [Buildroot] [PATCH v2 01/17] libsepol: new package
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 01/17] libsepol: new package Clayton Shotwell
@ 2013-09-12 19:18   ` Thomas Petazzoni
  2013-09-20 13:34   ` Peter Korsgaard
  1 sibling, 0 replies; 36+ messages in thread
From: Thomas Petazzoni @ 2013-09-12 19:18 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Wed, 11 Sep 2013 16:59:21 -0500, Clayton Shotwell wrote:
> 
> Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>

Acked-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

I've tested this with a minimal uClibc toolchain, and it builds fine, I
believe this patch can be applied now.

Thanks,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH v2 02/17] libselinux: new package
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 02/17] libselinux: " Clayton Shotwell
@ 2013-09-12 19:29   ` Thomas Petazzoni
  0 siblings, 0 replies; 36+ messages in thread
From: Thomas Petazzoni @ 2013-09-12 19:29 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Wed, 11 Sep 2013 16:59:22 -0500, Clayton Shotwell wrote:
> 
> Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>

After testing this package, it turns out that:

 *) By default it needs large file support, because src/Makefile forces
 -D_FILE_OFFSET_BITS=64. If you remove this from the Makefile, then it
 builds fine with a toolchain that does not have large file support. So
 your options are: remove this flag from the Makefile, or make the
 package (and all its reverse dependencies) depend on large file
 support).

 *) It needs thread support. So you should add a 'depends on
 BR2_TOOLCHAIN_HAS_THREADS', a comment when no thread support is
 available, and propagate this to all the reverse dependencies of
 libselinux.

Best regards,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH v2 03/17] ustr: new package
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 03/17] ustr: " Clayton Shotwell
@ 2013-09-12 19:34   ` Thomas Petazzoni
  2013-09-18  2:15     ` clshotwe at rockwellcollins.com
  0 siblings, 1 reply; 36+ messages in thread
From: Thomas Petazzoni @ 2013-09-12 19:34 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Wed, 11 Sep 2013 16:59:23 -0500, Clayton Shotwell wrote:

>  .../ustr/ustr-0001-crossCompileModifications.patch |  144 ++++++++++++++++++++

Please name the patch:

ustr-0001-cross-compile-modifications.patch

The naming of patch files should be fixed globally in the patch series.
We use lower case names, with '-' as the separator between words in the
patch description.

Also, this package doesn't build properly when the toolchain does not
have large file support. Just like libselinux, the Makefile hardcodes
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE. Your options are either to
make ustr depend on large file support in the toolchain, or to modify
the Makefile.

Other than that, looks good.

Thanks!

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH v2 03/17] ustr: new package
  2013-09-12 19:34   ` Thomas Petazzoni
@ 2013-09-18  2:15     ` clshotwe at rockwellcollins.com
  2013-09-18  4:21       ` Thomas Petazzoni
  0 siblings, 1 reply; 36+ messages in thread
From: clshotwe at rockwellcollins.com @ 2013-09-18  2:15 UTC (permalink / raw)
  To: buildroot

Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 09/12/2013 
02:34:30 PM:

> The naming of patch files should be fixed globally in the patch series.
> We use lower case names, with '-' as the separator between words in the
> patch description.
> 
> Also, this package doesn't build properly when the toolchain does not
> have large file support. Just like libselinux, the Makefile hardcodes
> -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE. Your options are either to
> make ustr depend on large file support in the toolchain, or to modify
> the Makefile.
> 
I will correct all of the patch names since I forgot to make that change 
in my last revision.  I will also add the large file support dependency 
where needed and get a new set of patches sent out. Do I need to continue 
sending out all of the patches until they are all submitted even if they 
have no changes?

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com

* [Buildroot] [PATCH v2 03/17] ustr: new package
  2013-09-18  2:15     ` clshotwe at rockwellcollins.com
@ 2013-09-18  4:21       ` Thomas Petazzoni
  0 siblings, 0 replies; 36+ messages in thread
From: Thomas Petazzoni @ 2013-09-18  4:21 UTC (permalink / raw)
  To: buildroot

Clayton,

On Tue, 17 Sep 2013 21:15:31 -0500, clshotwe at rockwellcollins.com wrote:

> I will correct all of the patch names since I forgot to make that change 
> in my last revision.  I will also add the large file support dependency 
> where needed and get a new set of patches sent out. Do I need to continue 
> sending out all of the patches until they are all submitted even if they 
> have no changes?

I do still have a bunch of comments to make on the remaining patches of
the series, just haven't had the time to come to that (busy giving a
training this week). But this doesn't prevent you from resending the
patch series entirely, so that we could potentially start applying the
first patches.

Best regards,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH v2 13/17] audit: new package
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 13/17] audit: new package Clayton Shotwell
@ 2013-09-18  5:00   ` Thomas Petazzoni
  2013-09-24 17:47     ` Clayton Shotwell
  0 siblings, 1 reply; 36+ messages in thread
From: Thomas Petazzoni @ 2013-09-18  5:00 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Wed, 11 Sep 2013 16:59:33 -0500, Clayton Shotwell wrote:

> diff --git a/package/audit/audit-0001-crossCompileHeaderCreationFix.patch b/package/audit/audit-0001-crossCompileHeaderCreationFix.patch
> new file mode 100644
> index 0000000..11ab393
> --- /dev/null
> +++ b/package/audit/audit-0001-crossCompileHeaderCreationFix.patch
> @@ -0,0 +1,1420 @@
> +Rework the build system to generate the required header files using a 
> +Python script rather than compiling executables.  This change has
> +to be made because the executables that are generated are built for
> +the target architecture and are generally not compilable on the host
> +build machine.  
> +
> +Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
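
Review bot: The tag that closes the embedded patch description reads "Signed-off-by Clayton Shotwell" without the colon after "Signed-off-by"; write it as "Signed-off-by: Name <email>" so tools that parse the tag recognise it. The description lines also end in trailing spaces, and the file name audit-0001-crossCompileHeaderCreationFix.patch uses camel case where lower-case words separated by '-' were requested for the ustr patch in this series.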

In this patch for 'audit', you are replacing a nice C program by a
Python script, with the argument that it helps cross-compilation. I
must say I quite disagree with that: building a small C program for the
host has always been easier than programs that require executing a
Python script at build time.

Why not keep the existing C program, and just adjust the way it is
built to get it built by the native compiler?

There is a fairly standardized way of doing that with the autotools,
that consists in using the CC_FOR_BUILD variable instead of CC to build
this tool. In native compilation, CC_FOR_BUILD == CC == gcc, while in
cross-compilation, CC_FOR_BUILD == gcc and CC == <arch-tuple>-gcc.

See http://www.sourceware.org/autobook/autobook/autobook_270.html.

There is apparently even an existing m4 macro to define CC_FOR_BUILD:
http://ac-archive.sourceforge.net/ac-archive/ac_prog_cc_for_build.html.

Or maybe the Python script approach is something that has been agreed
upon with the audit/SELinux community?

Best regards,

Thomas Petazzoni
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com
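
The CC_FOR_BUILD / CC split described in the message above, shown as an added example that is not code from the audit package or from this thread. The file names (gen_tables.c, tables.h, lookup.c) and the DEMO_TABLE_* macros are hypothetical, and the sources are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the audit sources or the thread). All file names
# and the DEMO_TABLE_* macros are hypothetical.
#
# A generator that must RUN during the build is compiled with CC_FOR_BUILD;
# everything that ends up on the target is compiled with CC.

build_with_generated_header() {
    workdir=$1
    # Used unquoted below so values such as "ccache gcc" split into words.
    cc_for_build=${CC_FOR_BUILD:-cc}
    cc=${CC:-cc}

    mkdir -p "$workdir" || return 1

    # Constructed generator source: prints a header on stdout.
    cat > "$workdir/gen_tables.c" <<'EOF'
#include <stdio.h>
static const char *const names[] = { "read", "write", "open" };
int main(void)
{
    unsigned i;
    puts("/* generated by gen_tables, do not edit */");
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("#define DEMO_TABLE_%s %u\n", names[i], i);
    return 0;
}
EOF

    # Constructed target source that consumes the generated header.
    cat > "$workdir/lookup.c" <<'EOF'
#include "tables.h"
int demo_lookup_write(void) { return DEMO_TABLE_write; }
EOF

    # 1. Native compiler: the generator is executed on the build machine.
    $cc_for_build -o "$workdir/gen_tables" "$workdir/gen_tables.c" || return 1
    # 2. Run the generator here to produce the header.
    "$workdir/gen_tables" > "$workdir/tables.h" || return 1
    # 3. Target compiler, compile only: nothing built with CC is ever run.
    $cc -I"$workdir" -c "$workdir/lookup.c" -o "$workdir/lookup.o" || return 1
}

# Demonstration with the build machine's own compiler standing in for both.
if command -v cc >/dev/null 2>&1; then
    demo_dir=$(mktemp -d) &&
        build_with_generated_header "$demo_dir" &&
        cat "$demo_dir/tables.h"
    rm -rf "$demo_dir"
fi
```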


* [Buildroot] [PATCH v2 11/17] refpolicy: new package
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 11/17] refpolicy: " Clayton Shotwell
@ 2013-09-18  5:18   ` Thomas Petazzoni
  2013-09-23 21:52     ` Clayton Shotwell
  0 siblings, 1 reply; 36+ messages in thread
From: Thomas Petazzoni @ 2013-09-18  5:18 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Wed, 11 Sep 2013 16:59:31 -0500, Clayton Shotwell wrote:

> +config BR2_PACKAGE_REFPOLICY_PATCH_FOLDER
> +	string "Build specific refpolicy patches folder"
> +	default ""
> +	help
> +	  A path to a folder containing board specific 
> +	  configuration patch files.  These will get applied
> +	  after the patches in the package folder.

We already have the BR2_GLOBAL_PATCH_DIR mechanism to allow people to
provide custom patches for all packages. See
http://buildroot.org/downloads/manual/manual.html#_global_patch_directory.
So there shouldn't be a need to add a refpolicy specific mechanism for
this.

> +choice
> +	prompt "SELinux policy type"
> +	default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
> +
> +	config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
> +		bool "Standard"
> +		help
> +		  Standard SELinux policy
> +	
> +	config BR2_PACKAGE_REFPOLICY_TYPE_MCS
> +		bool "MCS"
> +		help
> +		  SELinux policy with multi-catagory support
> +	
> +	config BR2_PACKAGE_REFPOLICY_TYPE_MLS
> +		bool "MLS"
> +		help
> +		  SELinux policy with multi-catagory and multi-level support
> +endchoice
> +
> +config BR2_PACKAGE_REFPOLICY_TYPE
> +	string
> +	default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
> +	default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
> +	default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
> +
> +choice
> +	prompt "SELinux Policy Distribution"
> +	default BR2_PACKAGE_REFPOLICY_DIST_REDHAT
> +	
> +	config BR2_PACKAGE_REFPOLICY_DIST_REDHAT
> +		bool "redhat"
> +
> +	config BR2_PACKAGE_REFPOLICY_DIST_GENTOO
> +		bool "gentoo"
> +
> +	config BR2_PACKAGE_REFPOLICY_DIST_DEBIAN
> +		bool "debian"
> +
> +	config BR2_PACKAGE_REFPOLICY_DIST_SUSE
> +		bool "suse"
> +
> +	config BR2_PACKAGE_REFPOLICY_DIST_REDHAT14
> +		bool "redhat 14"
> +endchoice

Do we really need to provide a distribution choice here? Isn't
'Buildroot' considered a distribution? I must admit that as a Buildroot
user, I would be somewhat confused by a choice that allows me to select
between debian, suse, gentoo, redhat, etc. This Buildroot is "sort" of
a distribution, shouldn't we just make one choice that happens to work
for Buildroot ?

> +config BR2_PACKAGE_REFPOLICY_MONOLITHIC
> +	bool "Build a monolithic SELinux policy"
> +	default y
> +	help
> +	  Select Y to build a monolithic SELinux policy otherwise
> +	  a modular policy will be built. Note, this is suggested
> +	  for embedded systems.

For a non-English speaker, the wording of "Note, this is suggested for
embedded systems" might suggest that what is recommended is to build a
modular policy.

Also, what about inverting the logic of this option? I.e:

config BR2_PACKAGE_REFPOLICY_MODULAR
	bool "Build a modular SELinux policy"
	help
	  Select Y to build a modular SELinux policy. By default,
	  SELinux builds a monolithic policy, which is the best
	  solution for embedded systems for space/performance reasons
	  (FIXME), but building a modular policy might be useful in
	  (FIXME).

> +config BR2_PACKAGE_REFPOLICY_NAME
> +	string "Name for the SELinux policy"
> +	default "refpolicy"

Is this something that is actually useful to change?

> +endif
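
Review bot: The help texts of BR2_PACKAGE_REFPOLICY_TYPE_MCS and BR2_PACKAGE_REFPOLICY_TYPE_MLS spell "multi-catagory"; it should be "multi-category". The separator lines inside both choice blocks are also added as a lone tab, which is trailing whitespace; make them empty lines.
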
> diff --git a/package/refpolicy/S12selinux b/package/refpolicy/S12selinux
> new file mode 100644
> index 0000000..24aec7a
> --- /dev/null
> +++ b/package/refpolicy/S12selinux
> @@ -0,0 +1,134 @@
> +#!/bin/sh
> +################################################################################
> +#
> +# This file labels the security contexts of memory based filesystems such as
> +# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
> +# The 'stop' argument drops the security mode to 'permissive'.
> +#
> +# This script is a heavily stripped down and modified version of the one use

Minor nit: use -> used

> diff --git a/package/refpolicy/config b/package/refpolicy/config
> new file mode 100755
> index 0000000..c482b3f
> --- /dev/null
> +++ b/package/refpolicy/config
> @@ -0,0 +1,10 @@
> +# This file controls the state of SELinux on the system.
> +# SELINUX= can take one of these three values:
> +#     enforcing - SELinux security policy is enforced.
> +#     permissive - SELinux prints warnings instead of enforcing.
> +#     disabled - No SELinux policy is loaded.
> +SELINUX=permissive
> +# SELINUXTYPE= can take one of these two values:
> +#     targeted - Targeted processes are protected,
> +#     mls - Multi Level Security protection.
> +SELINUXTYPE=refpolicy
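
Review bot: package/refpolicy/config is created with mode 100755 although it is a plain key/value file that nothing executes; add it as 100644 and install it with -m 0644 rather than the -m 0755 used in REFPOLICY_INSTALL_TARGET_CMDS. The shipped default SELINUX=permissive also means the policy only prints warnings and never denies anything, so the Config.in help should say that the image is not enforcing until this value is changed.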

So the default value for SELINUXTYPE is not one of the two accepted
values? Seems odd.

> diff --git a/package/refpolicy/refpolicy-0001-gentoo_hardened_fixes.patch b/package/refpolicy/refpolicy-0001-gentoo_hardened_fixes.patch
> new file mode 100644
> index 0000000..c1c398f
> --- /dev/null
> +++ b/package/refpolicy/refpolicy-0001-gentoo_hardened_fixes.patch
> @@ -0,0 +1,1250 @@
> +From: Dominick Grift <dominick.grift@gmail.com>
> +Date: Fri, 16 Aug 2013 07:07:37 +0000 (+0200)
> +Subject: Fix monolithic built
> +X-Git-Url: http://git.overlays.gentoo.org/gitweb/?p=proj%2Fhardened-refpolicy.git;a=commitdiff_plain;h=86500de7
> +
> +Fix monolithic built

Do we have a chance of getting this patch merged upstream? We don't
like to carry feature patches in Buildroot, so if a feature doesn't
exist upstream, or is so broken upstream and never going to be fixed,
then we prefer to not support it at all.

If fixing this upstream is an on-going effort, then no problem to carry
the patch in Buildroot.

> --- /dev/null
> +++ b/package/refpolicy/refpolicy.mk
> @@ -0,0 +1,86 @@
> +################################################################################
> +#
> +# refpolicy
> +#
> +################################################################################
> +
> +REFPOLICY_VERSION = 2.20130424
> +REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
> +REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
> +REFPOLICY_LICENSE = GPLv2
> +REFPOLICY_LICENSE_FILES = COPYING
> +
> +# Cannot use multiple threads to build the reference policy
> +REFPOLICY_MAKE=$(MAKE1)
> +
> +REFPOLICY_DEPENDENCIES = host-m4 host-checkpolicy host-policycoreutils \
> +	host-setools host-python-pyxml policycoreutils

Do we really need all those dependencies? I've tried to draw a diagram
of all the host and target dependencies between all these SELinux
packages, but I must admit I get a bit lost. If you could give some
general comments on why the various target/host variants of each
package are needed, that'd be really great.

> +
> +REFPOLICY_INSTALL_STAGING = YES
> +
> +define REFPOLICY_BUILD_SPECIFIC_PATCH_CMDS
> +	@echo "Applying board specific patches"
> +	$(ifneq $(BR2_PACKAGE_REFPOLICY_PATCH_FOLDER) "", \
> +		toolchain/patch-kernel.sh $(@D) \
> +		$(call qstrip,$(BR2_PACKAGE_REFPOLICY_PATCH_FOLDER)) refpolicy-\*.patch)
> +endef
> +
> +REFPOLICY_POST_PATCH_HOOKS += REFPOLICY_BUILD_SPECIFIC_PATCH_CMDS

This part would become unneeded, as per the above suggestions.

> +# Pointing to the host compiled SELinux applications while using the target 
> +# cross compiler.  Note, the TEST_TOOLCHAIN option will also set the 
> +# LD_LIBRARY_PATH at run time.
> +REFPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \

I'm not really a big fan of passing $(HOST_CONFIGURE_OPTS) when
building a target package. If all you need is that the PATH contains
output/host/usr/bin so that the host SELinux applications are used,
then just use $(TARGET_MAKE_ENV) :

	$(TARGET_MAKE_ENV) $(MAKE1) ...

> +	TEST_TOOLCHAIN="$(HOST_DIR)" \
> +	PYTHON="$(HOST_DIR)/usr/bin/python" \
> +	M4="$(HOST_DIR)/usr/bin/m4"

Those two last lines should then be unneeded.

> +define REFPOLICY_CONFIGURE_CMDS
> +	$(REFPOLICY_MAKE) -C $(@D) bare $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)

so:

	$(TARGET_MAKE_ENV) -C $(@D) bare $(REFPOLICY_MAKE_CMDS) ...

> +	sed -i "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
> +	sed -i "/NAME/c\NAME = $(BR2_PACKAGE_REFPOLICY_NAME)" $(@D)/build.conf
> +	sed -i "/DISTRO/c\DISTRO = $(BR2_PACKAGE_REFPOLICY_DIST)" $(@D)/build.conf
> +	sed -i "/MONOLITHIC/c\MONOLITHIC = $(BR2_PACKAGE_REFPOLICY_MONOLITHIC)" $(@D)/build.conf

Use $(SED) instead of sed -i

> +	$(REFPOLICY_MAKE) -C $(@D) conf $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define REFPOLICY_BUILD_CMDS
> +	$(REFPOLICY_MAKE) -C $(@D) $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define REFPOLICY_CLEAN_CMDS
> +	$(REFPOLICY_MAKE) -C $(@D) clean $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define REFPOLICY_INSTALL_STAGING_CMDS
> +	$(REFPOLICY_MAKE) -C $(@D) install-src install-headers install-docs \
> +		$(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define REFPOLICY_INSTALL_TARGET_CMDS
> +	$(REFPOLICY_MAKE) -C $(@D) install $(REFPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
> +	$(INSTALL) -m 0755 package/refpolicy/config $(TARGET_DIR)/etc/selinux/

Use -D and specify the destination path entirely.

> +	sed -i "/^SELINUXTYPE/c\SELINUXTYPE=$(BR2_PACKAGE_REFPOLICY_NAME)" $(TARGET_DIR)/etc/selinux/config

$(SED).

> +	$(INSTALL) -m 0755 package/refpolicy/S12selinux $(TARGET_DIR)/etc/init.d/

Should be using the INIT_SYSV mechanism (look at other packages and/or
documentation), use -D and specify the destination path entirely.

> +endef
> +
> +define REFPOLICY_POLICY_COMPILE
> +	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/policy
> +	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/modules/active/modules
> +	if [ ! -f $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local ]; \
> +	then \
> +		touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local; \
> +	fi

Why not just touch it? If it exists, it will just update its timestamp,
so no big deal.

> +	# Currently, semodule is unabled to compile the policy during the build so 
> +	# the modules must be compiled into the policy during the first boot.  This 
> +	# is done by the S12selinux startup script.
> +	#( export PATH=$(TARGET_PATH); \
> +	#	$(HOST_DIR)/usr/sbin/semodule -v -n -p $(TARGET_DIR) -s $(BR2_PACKAGE_REFPOLICY_NAME) \
> +	#		-b $(@D)/base.pp -i $(shell ls $(@D)/*.pp | grep -v base); \
> +	#)

So if this was done at build time, we could avoid having a bunch of
tools on the target?

> +endef
> +ifeq ($(BR2_PACKAGE_REFPOLICY_MONOLITHIC),)
> +	REFPOLICY_POST_INSTALL_TARGET_HOOKS += REFPOLICY_POLICY_COMPILE
> +endif
> +
> +$(eval $(generic-package))
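
Review bot: The four sed expressions in REFPOLICY_CONFIGURE_CMDS use unanchored addresses (/TYPE/, /NAME/, /DISTRO/, /MONOLITHIC/), so any line of build.conf that merely contains one of those words, comments included, is replaced too; anchor them the way the SELINUXTYPE edit in REFPOLICY_INSTALL_TARGET_CMDS does, for example "/^TYPE/c\TYPE = ...". BR2_PACKAGE_REFPOLICY_MONOLITHIC is a bool, so it expands to y or to nothing and the modular case writes "MONOLITHIC = " with no value; map it to an explicit value before writing it. $(ifneq ...) in REFPOLICY_BUILD_SPECIFIC_PATCH_CMDS is also not a make function, so that block expands to nothing and never applies a patch.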



-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH v2 15/17] pcre: Add host build support
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 15/17] pcre: Add host build support Clayton Shotwell
@ 2013-09-18  5:18   ` Thomas Petazzoni
  2013-09-23 21:54     ` Clayton Shotwell
  0 siblings, 1 reply; 36+ messages in thread
From: Thomas Petazzoni @ 2013-09-18  5:18 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Wed, 11 Sep 2013 16:59:35 -0500, Clayton Shotwell wrote:
> 
> Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
> ---
> Changes v1 -> v2:
>   - No changes
> 
>  package/pcre/pcre.mk |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
> index bf86a3d..1b59dbc 100644
> --- a/package/pcre/pcre.mk
> +++ b/package/pcre/pcre.mk
> @@ -21,3 +21,4 @@ PCRE_CONF_OPT += $(if $(BR2_PACKAGE_PCRE_16),--enable-pcre16,--disable-pcre16)
>  PCRE_CONF_OPT += $(if $(BR2_PACKAGE_PCRE_32),--enable-pcre32,--disable-pcre32)
>  
>  $(eval $(autotools-package))
> +$(eval $(host-autotools-package))
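
Review bot: The host variant added on the last line gets none of the configure options shown in the context, because the PCRE_CONF_OPT lines apply to the target build only; if the host consumers in this series need a particular feature set, set HOST_PCRE_CONF_OPT explicitly, otherwise say in the commit message that the configure defaults are intended. The message body is currently empty, so the reason for the host build is not recorded.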

This comment applies to patches 15, 16 and 17. Since the host variants
of those packages are used by earlier patches in your series, then
these patches should appear before they are used. Otherwise, your
patch series is not bisectable.

Thanks,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH v2 01/17] libsepol: new package
  2013-09-11 21:59 ` [Buildroot] [PATCH v2 01/17] libsepol: new package Clayton Shotwell
  2013-09-12 19:18   ` Thomas Petazzoni
@ 2013-09-20 13:34   ` Peter Korsgaard
  1 sibling, 0 replies; 36+ messages in thread
From: Peter Korsgaard @ 2013-09-20 13:34 UTC (permalink / raw)
  To: buildroot

>>>>> "Clayton" == Clayton Shotwell <clshotwe@rockwellcollins.com> writes:

 Clayton> Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
 Clayton> ---
 Clayton> Changes v1 -> v2:
 Clayton>   - Move Config.in entry into the libraries section since this is a
 Clayton>     library.
 Clayton>   - General cleanup to the mk file to conform to the standard format.
 Clayton>   - Fixed the license version to be LGPLv2.1+ to match the headers in
 Clayton>     the source files (suggested by Thomas)

Committed with some minor whitespace fixes, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v2 11/17] refpolicy: new package
  2013-09-18  5:18   ` Thomas Petazzoni
@ 2013-09-23 21:52     ` Clayton Shotwell
  2013-09-24  6:30       ` Thomas Petazzoni
  0 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-23 21:52 UTC (permalink / raw)
  To: buildroot

Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 09/18/2013 
12:18:04 AM:

> We already have the BR2_GLOBAL_PATCH_DIR mechanism to allow people to
> provide custom patches for all packages. See
> http://buildroot.org/downloads/manual/manual.html#_global_patch_directory.
> So there shouldn't be a need to add a refpolicy specific mechanism for
> this.

I will go ahead and remove this option from the config.

> Do we really need to provide a distribution choice here? Isn't
> 'Buildroot' considered a distribution? I must admit that as a Buildroot
> user, I would be somewhat confused by a choice that allows me to select
> between debian, suse, gentoo, redhat, etc. This Buildroot is "sort" of
> a distribution, shouldn't we just make one choice that happens to work
> for Buildroot ?

The different distributions add a few changes that are specific to the 
distribution. I looked through the distributions and none of them really 
fit with the way buildroot works so I am going to remove this option from 
the config.

> For a non-English speaker, the wording of "Note, this is suggested for
> embedded systems" might suggest that what is recommended is to build a
> modular policy.
> 
> Also, what about inverting the logic of this option? I.e:
> 
> config BR2_PACKAGE_REFPOLICY_MODULAR
>    bool "Build a modular SELinux policy"
>    help
>      Select Y to build a modular SELinux policy. By default,
>      SELinux builds a monolithic policy, which is the best
>      solution for embedded systems for space/performance reasons
>      (FIXME), but building a modular policy might be useful in
>      (FIXME).
> 

That would clean things up quite a bit.  I'll switch the logic and change 
the comment.

> > +config BR2_PACKAGE_REFPOLICY_NAME
> > +   string "Name for the SELinux policy"
> > +   default "refpolicy"
> 
> Is this something that is actually useful to change?
> 

Not really.  I'll remove it.

> > diff --git a/package/refpolicy/config b/package/refpolicy/config
> > new file mode 100755
> > index 0000000..c482b3f
> > --- /dev/null
> > +++ b/package/refpolicy/config
> > @@ -0,0 +1,10 @@
> > +# This file controls the state of SELinux on the system.
> > +# SELINUX= can take one of these three values:
> > +#     enforcing - SELinux security policy is enforced.
> > +#     permissive - SELinux prints warnings instead of enforcing.
> > +#     disabled - No SELinux policy is loaded.
> > +SELINUX=permissive
> > +# SELINUXTYPE= can take one of these two values:
> > +#     targeted - Targeted processes are protected,
> > +#     mls - Multi Level Security protection.
> > +SELINUXTYPE=refpolicy
> 
> So the default value for SELINUXTYPE is not one of the two accepted
> values? Seems odd.

I corrected the comment to accurately represent what it is doing.

> 
> > diff --git a/package/refpolicy/refpolicy-0001-
> gentoo_hardened_fixes.patch b/package/refpolicy/
> refpolicy-0001-gentoo_hardened_fixes.patch
> 
> Do we have a chance of getting this patch merged upstream? We don't
> like to carry feature patches in Buildroot, so if a feature doesn't
> exist upstream, or is so broken upstream and never going to be fixed,
> then we prefer to not support it at all.
> 
> If fixing this upstream is an on-going effort, then no problem to carry
> the patch in Buildroot.

There has been work on the upstream in relation to these fixes. I have 
pulled down the latest upstream software and it builds without any 
problems. This patch will be able to be removed when the next version is 
released. There are many changes that need to be made for things to work 
with buildroot that I have not made yet. I don't have the resources to 
customize the refpolicy to work completely, as is, with buildroot. 
Currently, a lot of the paths listed in the policy do not match the way 
buildroot works. This is especially true with the init scripts. Would it 
be best to make a bunch of modifications to the refpolicy to make it work 
for buildroot? I'm not sure the best way to proceed with this.

> > +REFPOLICY_DEPENDENCIES = host-m4 host-checkpolicy host-
> policycoreutils \
> > +   host-setools host-python-pyxml policycoreutils
> 
> Do we really need all those dependencies? I've tried to draw a diagram
> of all the host and target dependencies between all these SELinux
> packages, but I must admit I get a bit lost. If you could give some
> general comments on why the various target/host variants of each
> package are needed, that'd be really great.

I will create a diagram and submit it with the documentation that needs to 
be created.  Hopefully that will be done by the end of the week but I am 
pretty busy with several things right now. 

> > +define REFPOLICY_BUILD_SPECIFIC_PATCH_CMDS
> > +   @echo "Applying board specific patches"
> > +   $(ifneq $(BR2_PACKAGE_REFPOLICY_PATCH_FOLDER) "", \
> > +      toolchain/patch-kernel.sh $(@D) \
> > +      $(call qstrip,$
> (BR2_PACKAGE_REFPOLICY_PATCH_FOLDER)) refpolicy-\*.patch)
> > +endef
> > +
> > +REFPOLICY_POST_PATCH_HOOKS += REFPOLICY_BUILD_SPECIFIC_PATCH_CMDS
> 
> This part would become unneeded, as per the above suggestions.

I'll remove it.

> > +# Pointing to the host compiled SELinux applications 
> while using the target 
> > +# cross compiler.  Note, the TEST_TOOLCHAIN option will
> also set the 
> > +# LD_LIBRARY_PATH at run time.
> > +REFPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
> 
> I'm not really a big fan of passing $(HOST_CONFIGURE_OPTS) when
> building a target package. If all you need is that the PATH contains
> output/host/usr/bin so that the host SELinux applications are used,
> then just use $(TARGET_MAKE_ENV) :
> 
>    $(TARGET_MAKE_ENV) $(MAKE1) ...

I'll add that to the REFPOLICY_MAKE variable and change the 
HOST_CONFIGURE_OPTS to TARGET_CONFIGURE_OPTS.

> > +   TEST_TOOLCHAIN="$(HOST_DIR)" \
> > +   PYTHON="$(HOST_DIR)/usr/bin/python" \
> > +   M4="$(HOST_DIR)/usr/bin/m4"
> 
> Those two last lines should then be unneeded.

I'll remove them

> > +   sed -i "/TYPE/c\TYPE = $
> (BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
> > +   sed -i "/NAME/c\NAME = $
> (BR2_PACKAGE_REFPOLICY_NAME)" $(@D)/build.conf
> > +   sed -i "/DISTRO/c\DISTRO = $
> (BR2_PACKAGE_REFPOLICY_DIST)" $(@D)/build.conf
> > +   sed -i "/MONOLITHIC/c\MONOLITHIC = $
> (BR2_PACKAGE_REFPOLICY_MONOLITHIC)" $(@D)/build.conf
> 
> Use $(SED) instead of sed -i

Agreed.

> > +define REFPOLICY_INSTALL_TARGET_CMDS
> > +   $(REFPOLICY_MAKE) -C $(@D) install $
> (REFPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
> > +   $(INSTALL) -m 0755 package/refpolicy/config $
> (TARGET_DIR)/etc/selinux/
> 
> Use -D and specify the destination path entirely.

I'll make that change.

> > +   $(INSTALL) -m 0755 package/refpolicy/S12selinux $
> (TARGET_DIR)/etc/init.d/
> 
> Should be using the INIT_SYSV mechanism (look at other packages and/or
> documentation), use -D and specify the destination path entirely.

Agreed.

> > +   if [ ! -f $(TARGET_DIR)/etc/selinux/$
> (BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local ]; \
> > +   then \
> > +      touch $(TARGET_DIR)/etc/selinux/$
> (BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local; \
> > +   fi
> 
> Why not just touch it? If it exists, it will just update its timestamp,
> so no big deal.

Good point.  I'll make that change.

> > +   # Currently, semodule is unabled to compile the 
> policy during the build so 
> > +   # the modules must be compiled into the policy 
> during the first boot.  This 
> > +   # is done by the S12selinux startup script.
> > +   #( export PATH=$(TARGET_PATH); \
> > +   #   $(HOST_DIR)/usr/sbin/semodule -v -n -p $
> (TARGET_DIR) -s $(BR2_PACKAGE_REFPOLICY_NAME) \
> > +   #      -b $(@D)/base.pp -i $(shell ls $(@D)/*.pp | 
> grep -v base); \
> > +   #)
> 
> So if this was done at build time, we could avoid having a bunch of
> tools on the target?

This is only for the modular policy.  The monolithic policy will be 
completely built on the host and saved to the target.  I could probably go 
through and pare down a bunch of dependencies based on that.  I'll look 
into that and make some changes.

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 



* [Buildroot] [PATCH v2 15/17] pcre: Add host build support
  2013-09-18  5:18   ` Thomas Petazzoni
@ 2013-09-23 21:54     ` Clayton Shotwell
  0 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-23 21:54 UTC (permalink / raw)
  To: buildroot

Thomas,


Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 09/18/2013 
12:18:54 AM:
 
> This comment applies to patches 15, 16 and 17. Since the host variants
> of those packages are used by earlier patches in your series, then
> these patches should appear before they are used. Otherwise, your
> patch series is not bisectable.

I will reorder the patches so they apply in the order of dependence.

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 



* [Buildroot] [PATCH v2 11/17] refpolicy: new package
  2013-09-23 21:52     ` Clayton Shotwell
@ 2013-09-24  6:30       ` Thomas Petazzoni
  2013-09-24 14:47         ` Clayton Shotwell
  0 siblings, 1 reply; 36+ messages in thread
From: Thomas Petazzoni @ 2013-09-24  6:30 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Mon, 23 Sep 2013 16:52:32 -0500, Clayton Shotwell wrote:

> The different distributions add a few changes that are specific to
> the distribution. I looked through the distributions and none of them
> really fit with the way buildroot works so I am going to remove this
> option from the config.

Ok.


> > Do we have a chance of getting this patch merged upstream? We don't
> > like to carry feature patches in Buildroot, so if a feature doesn't
> > exist upstream, or is so broken upstream and never going to be fixed,
> > then we prefer to not support it at all.
> > 
> > If fixing this upstream is an on-going effort, then no problem to carry
> > the patch in Buildroot.
> 
> There has been work on the upstream in relation to these fixes. I
> have pulled down the latest upstream software and it builds without
> any problems. This patch will be able to be removed when the next
> version is released.

Ok, perfect.

> There are many changes that need to be made for
> things to work with buildroot that I have not made yet. I don't have
> the resources to customize the refpolicy to work completely, as is,
> with buildroot. Currently, a lot of the paths listed in the policy do
> not match the way buildroot works. This is especially true with the
> init scripts. Would it be best to make a bunch of modifications to
> the refpolicy to make it work for buildroot? I'm not sure the best
> way to proceed with this.

I believe we can merge the refpolicy in its current state (i.e. not
fully perfect for Buildroot usage), with a clear comment in the
Config.in that says so. And then you can continue the development and
add more fixes to the refpolicy package as you progress towards making
it fully usable in a Buildroot environment.

The thing I'm more worried about is that if we need Buildroot-specific
changes, will we have to keep them as patches within Buildroot forever?

> > Do we really need all those dependencies? I've tried to draw a diagram
> > of all the host and target dependencies between all these SELinux
> > packages, but I must admit I get a bit lost. If you could give some
> > general comments on why the various target/host variants of each
> > package are needed, that'd be really great.
> 
> I will create a diagram and submit it with the documentation that
> needs to be created.  Hopefully that will be done by the end of the
> week but I am pretty busy with several things right now. 

No problem. Note that I had a look at the SELinux handbook (but it's
*very* long), and especially the diagram that they have. It was
certainly helpful, but it does not clarify an aspect that is essential
in a Buildroot context: what component is used on the target, what
component is used only on the build machine.


> > > +   # Currently, semodule is unabled to compile the 
> > policy during the build so 
> > > +   # the modules must be compiled into the policy 
> > during the first boot.  This 
> > > +   # is done by the S12selinux startup script.
> > > +   #( export PATH=$(TARGET_PATH); \
> > > +   #   $(HOST_DIR)/usr/sbin/semodule -v -n -p $
> > (TARGET_DIR) -s $(BR2_PACKAGE_REFPOLICY_NAME) \
> > > +   #      -b $(@D)/base.pp -i $(shell ls $(@D)/*.pp | 
> > grep -v base); \
> > > +   #)
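Review bot: the `grep -v base` filter in the commented-out semodule call drops every path that contains "base" anywhere, including a build directory $(@D) whose name contains it, not only base.pp; if this block is revived, exclude the file by exact name, for example `$(filter-out $(@D)/base.pp,$(wildcard $(@D)/*.pp))`. As posted the block is dead code, so the modular policy is only compiled by the S12selinux script at first boot and the policy build tools have to stay on the target; either get the host-side semodule call working or drop the block and state that trade-off in the package help text.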
> > 
> > So if this was done at build time, we could avoid having a bunch of
> > tools on the target?
> 
> This is only for the modular policy.  The monolithic policy will be 
> completely built on the host and saved to the target.  I could
> probably go through and pare down a bunch of dependencies based on
> that.  I'll look into that and make some changes.

That'd be great, I believe. Especially since you're stating earlier
that the monolithic policy is the most efficient one, and recommended
for usage on embedded systems, I believe it'd be good to not have the
tools to build policies on the target if they are not needed.

Best regards,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v2 11/17] refpolicy: new package
  2013-09-24  6:30       ` Thomas Petazzoni
@ 2013-09-24 14:47         ` Clayton Shotwell
  2013-09-24 15:18           ` Thomas Petazzoni
  0 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-24 14:47 UTC (permalink / raw)
  To: buildroot

Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 09/24/2013 01:30:28 AM:

> I believe we can merge the refpolicy in its current state (i.e. not
> fully perfect for Buildroot usage), with a clear comment in the
> Config.in that says so. And then you can continue the development and
> add more fixes to the refpolicy package as you progress towards making
> it fully usable in a Buildroot environment.
> 
> The thing I'm more worried about is that if we need Buildroot-specific
> changes, will we have to keep them as patches within Buildroot forever?

We might be able to work with the refpolicy maintainers to add a 
"buildroot" distro to the build system.  I think a lot of that will depend 
on how extensive the changes are. I'll start making the changes and see 
how bad it is before I contact the maintainers.

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 


* [Buildroot] [PATCH v2 11/17] refpolicy: new package
  2013-09-24 14:47         ` Clayton Shotwell
@ 2013-09-24 15:18           ` Thomas Petazzoni
  2013-09-24 18:07             ` Clayton Shotwell
  0 siblings, 1 reply; 36+ messages in thread
From: Thomas Petazzoni @ 2013-09-24 15:18 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Tue, 24 Sep 2013 09:47:16 -0500, Clayton Shotwell wrote:

> > I believe we can merge the refpolicy in its current state (i.e. not
> > fully perfect for Buildroot usage), with a clear comment in the
> > Config.in that says so. And then you can continue the development and
> > add more fixes to the refpolicy package as you progress towards making
> > it fully usable in a Buildroot environment.
> > 
> > The thing I'm more worried about is that if we need Buildroot-specific
> > changes, will we have to keep them as patches within Buildroot forever?
> 
> We might be able to work with the refpolicy maintainers to add a 
> "buildroot" distro to the build system.  I think a lot of that will
> depend on how extensive the changes are. I'll start making the
> changes and see how bad it is before I contact the maintainers.

Ok. The problem is that the "Buildroot" distribution is not something
that exists really. Depending on the Buildroot configuration, the
contents of the filesystem and the base system can be very different.
It could be Busybox based, or Systemd+coreutils based, or something
else. How does it work in real distributions? Is each package coming
with the SELinux rules for itself? Or should we, in the context of
Buildroot, just provide the tools and leave it entirely to the user to
write the proper SELinux policy?

Best regards,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v2 13/17] audit: new package
  2013-09-18  5:00   ` Thomas Petazzoni
@ 2013-09-24 17:47     ` Clayton Shotwell
  2013-09-24 21:57       ` Thomas Petazzoni
  0 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-24 17:47 UTC (permalink / raw)
  To: buildroot

Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 09/18/2013 12:00:20 AM:

> In this patch for 'audit', you are replacing a nice C program by a
> Python script, with the argument that it helps cross-compilation. I
> must say I quite disagree with that: building a small C program for the
> host has always been easier than programs that require executing a
> Python script at build time.
> 
> Why not keep the existing C program, and just adjust the way it is
> built to get it built by the native compiler?
> 
> There is a fairly standardized way of doing that with the autotools,
> that consists in using the CC_FOR_BUILD variable instead of CC to build
> this tool. In native compilation, CC_FOR_BUILD == CC == gcc, while in
> cross-compilation, CC_FOR_BUILD == gcc and CC == <arch-tuple>-gcc.
> 
> See http://www.sourceware.org/autobook/autobook/autobook_270.html.
> 
> There is apparently even an existing m4 macro to define CC_FOR_BUILD:
> http://ac-archive.sourceforge.net/ac-archive/ac_prog_cc_for_build.html.
> 
> Or maybe the Python script approach is something that has been agreed
> upon with the audit/SELinux community?

I have been working with the audit community to get this patch accepted. 
There is an issue with the C program not pulling in the correct headers 
when you build it for this host.  The python script is able to get around 
this issue. 

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 



* [Buildroot] [PATCH v2 11/17] refpolicy: new package
  2013-09-24 15:18           ` Thomas Petazzoni
@ 2013-09-24 18:07             ` Clayton Shotwell
  0 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-24 18:07 UTC (permalink / raw)
  To: buildroot

Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 09/24/2013 10:18:26 AM:

> Ok. The problem is that the "Buildroot" distribution is not something
> that exists really. Depending on the Buildroot configuration, the
> contents of the filesystem and the base system can be very different.
> It could be Busybox based, or Systemd+coreutils based, or something
> else. How does it work in real distributions? Is each package coming
> with the SELinux rules for itself? Or should we, in the context of
> Buildroot, just provide the tools and leave it entirely to the user to
> write the proper SELinux policy?

Most distributions provide the base refpolicy that is customized to work 
with the distribution.  Fedora, for instance, applies a 166450 line patch 
file to the refpolicy to make it work with all of the Fedora packages. The 
refpolicy always seems to be a constantly evolving package in these 
distributions that always has bugs against it.  I would like to see 
Buildroot just supply the ability to build a SELinux policy and maybe 
support for a select few packages.  It will be a huge undertaking to make 
sure all of the policy is able to work with all of the packages in 
Buildroot. During my development, I will work to get a base, minimal 
configuration working in enforcing mode right out of the box.  I think 
this would be a reasonable place to start that would hopefully allow other 
people to expand the functionality.

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 




* [Buildroot] [PATCH v2 13/17] audit: new package
  2013-09-24 17:47     ` Clayton Shotwell
@ 2013-09-24 21:57       ` Thomas Petazzoni
  2013-09-25 12:29         ` Clayton Shotwell
  0 siblings, 1 reply; 36+ messages in thread
From: Thomas Petazzoni @ 2013-09-24 21:57 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Tue, 24 Sep 2013 12:47:59 -0500, Clayton Shotwell wrote:

> I have been working with the audit community to get this patch
> accepted. There is an issue with the C program not pulling in the
> correct headers when you build it for this host.  The python script
> is able to get around this issue. 

Hum this is strange because with CFLAGS_FOR_BUILD, you're supposed to
receive the correct -I arguments even for building host tools. I really
believe adding Python as a build dependency for something that already
has a nice C program to be built is not the nicest move. Of course, if
that's upstream choice, then we'll follow it, but I believe it's not
the best choice.

Best regards,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v2 13/17] audit: new package
  2013-09-24 21:57       ` Thomas Petazzoni
@ 2013-09-25 12:29         ` Clayton Shotwell
  0 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2013-09-25 12:29 UTC (permalink / raw)
  To: buildroot

Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 09/24/2013 04:57:15 PM:

> Hum this is strange because with CFLAGS_FOR_BUILD, you're supposed to
> receive the correct -I arguments even for building host tools. I really
> believe adding Python as a build dependency for something that already
> has a nice C program to be built is not the nicest move. Of course, if
> that's upstream choice, then we'll follow it, but I believe it's not
> the best choice.

I guess I should give a little more detail on what the C program is doing. 
That program takes kernel syscall numbers and generates lookup tables to 
reference the number to a string.  This is used in decoding the audit log 
information and presenting it in a method that is human readable.  The 
issue I am seeing with building it for the host is that incorrect tables 
are generated.  I do not know of a way to get a C program to compile using 
different kernel headers and preprocessor values.  Do you know of a way to 
do this?

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 
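
The message above describes generating syscall number-to-name tables for audit log decoding; the sketch below builds such a table by reading the target's `#define __NR_*` lines as text, so the result does not depend on which headers the host compiler sees. It is an added example, not code from this thread or from the audit project, and the header fragments, the audit record and all function names are constructed for illustration.

```python
import re

# Constructed fragments in the style of a target (ARM) and a host (x86_64)
# unistd.h; they are sample input, not copies of real headers.
TARGET_HEADER = """\
#define __NR_SYSCALL_BASE 0
#define __NR_restart_syscall (__NR_SYSCALL_BASE + 0)
#define __NR_exit (__NR_SYSCALL_BASE + 1)
#define __NR_read (__NR_SYSCALL_BASE+ 3)
/* #define __NR_retired 7 */
#define __NR_openat (__NR_SYSCALL_BASE+322)
"""
HOST_HEADER = """\
#define __NR_read 0
#define __NR_exit 60
#define __NR_execveat 322
"""

DEFINE_RE = re.compile(r"^\s*#\s*define\s+__NR_(\w+)\s+(.+?)\s*$")
EXPR_RE = re.compile(r"\(?\s*(\w+)\s*(?:\+\s*(\w+))?\s*\)?")

def _term(token, symbols):
    """Resolve one operand: an integer literal or an earlier __NR_ symbol."""
    try:
        return int(token, 0)
    except ValueError:
        return symbols.get(token)

def build_syscall_table(header_text):
    """Map syscall number -> name by reading #define lines as text."""
    symbols, table = {}, {}
    for line in header_text.splitlines():
        m = DEFINE_RE.match(line)
        expr = EXPR_RE.fullmatch(m.group(2)) if m else None
        if not expr:
            continue  # not a define, or an expression form not handled here
        terms = [_term(t, symbols) for t in expr.groups() if t]
        if None in terms:
            continue  # refers to a symbol this header never defined
        name, value = m.group(1), sum(terms)
        symbols["__NR_" + name] = value
        if name != "SYSCALL_BASE":  # the base offset is not a syscall
            table.setdefault(value, name)
    return table

def decode_syscall(record, table):
    """Return the syscall name for the syscall= field of an audit record."""
    m = re.search(r"\bsyscall=(\d+)", record)
    return table.get(int(m.group(1)), "unknown(%s)" % m.group(1)) if m else None

# Constructed audit record, as it would be logged on the ARM target.
RECORD = "type=SYSCALL msg=audit(1380112140.000:42): arch=40000028 syscall=322 success=yes"
```

Decoding `RECORD` with the table built from `HOST_HEADER` yields `execveat` rather than `openat`, which is one way a table generated from host headers can come out wrong for the target.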

Thread overview: 36+ messages
2013-09-11 21:59 [Buildroot] [PATCH v2 00/17] SELinux Buildroot Additions Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 01/17] libsepol: new package Clayton Shotwell
2013-09-12 19:18   ` Thomas Petazzoni
2013-09-20 13:34   ` Peter Korsgaard
2013-09-11 21:59 ` [Buildroot] [PATCH v2 02/17] libselinux: " Clayton Shotwell
2013-09-12 19:29   ` Thomas Petazzoni
2013-09-11 21:59 ` [Buildroot] [PATCH v2 03/17] ustr: " Clayton Shotwell
2013-09-12 19:34   ` Thomas Petazzoni
2013-09-18  2:15     ` clshotwe at rockwellcollins.com
2013-09-18  4:21       ` Thomas Petazzoni
2013-09-11 21:59 ` [Buildroot] [PATCH v2 04/17] libsemanage: " Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 05/17] checkpolicy: " Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 06/17] sepolgen: " Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 07/17] setools: " Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 08/17] libcgroup: " Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 09/17] policycoreutils: " Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 10/17] python-pyxml: " Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 11/17] refpolicy: " Clayton Shotwell
2013-09-18  5:18   ` Thomas Petazzoni
2013-09-23 21:52     ` Clayton Shotwell
2013-09-24  6:30       ` Thomas Petazzoni
2013-09-24 14:47         ` Clayton Shotwell
2013-09-24 15:18           ` Thomas Petazzoni
2013-09-24 18:07             ` Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 12/17] python-pyparsing: Add host build option Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 13/17] audit: new package Clayton Shotwell
2013-09-18  5:00   ` Thomas Petazzoni
2013-09-24 17:47     ` Clayton Shotwell
2013-09-24 21:57       ` Thomas Petazzoni
2013-09-25 12:29         ` Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 14/17] shadow: " Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 15/17] pcre: Add host build support Clayton Shotwell
2013-09-18  5:18   ` Thomas Petazzoni
2013-09-23 21:54     ` Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 16/17] bzip2: Add host build shared library installation Clayton Shotwell
2013-09-11 21:59 ` [Buildroot] [PATCH v2 17/17] sqlite: Add host build support Clayton Shotwell
