* [Buildroot] [PATCH 1/4] sepolgen: allow compiling for target
@ 2017-02-02 22:45 Adam Duskett
  2017-02-02 22:45 ` [Buildroot] [PATCH 2/4] checkpolicy: " Adam Duskett
                   ` (4 more replies)
  0 siblings, 5 replies; 23+ messages in thread
From: Adam Duskett @ 2017-02-02 22:45 UTC (permalink / raw)
  To: buildroot

Sepolgen is currently a host-only package, however it is a dependency
of audit2allow.  This patch allows for sepolgen to be compiled for the
target.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 package/Config.in            |  1 +
 package/sepolgen/Config.in   |  9 +++++++++
 package/sepolgen/sepolgen.mk | 19 +++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 package/sepolgen/Config.in

diff --git a/package/Config.in b/package/Config.in
index d1c517a..9fedc23 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1707,6 +1707,7 @@ endmenu
 
 menu "Security"
 	source "package/policycoreutils/Config.in"
+	source "package/sepolgen/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/sepolgen/Config.in b/package/sepolgen/Config.in
new file mode 100644
index 0000000..87621b6
--- /dev/null
+++ b/package/sepolgen/Config.in
@@ -0,0 +1,9 @@
+config BR2_PACKAGE_SEPOLGEN
+	bool "sepolgen"
+    select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
+	help
+	  This package contains a Python module that forms the core of the 
+	  modern audit2allow (which is a part of the package policycoreutils). 
+	  It contains infrastructure for parsing SELinux related messages as 
+	  produced by the audit system. 
+	  It has facilities for generating policy based on required access.
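Review bot: The `select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON` line forces an interpreter on without repeating that package's own `depends on` conditions, and Kconfig does not check a selected symbol's dependencies. This option can therefore be enabled on a toolchain where Python cannot build; the same applies to `BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW` in patch 4/4. The Python dependency lines are not visible on this page, so copy them from the python3 package's Config.in and add a matching `comment "sepolgen needs ..."` entry for the unmet case. The `select` line is also indented with four spaces where the neighbouring lines use a tab, and the help text has no upstream URL.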
diff --git a/package/sepolgen/sepolgen.mk b/package/sepolgen/sepolgen.mk
index 137eaed..ce3f683 100644
--- a/package/sepolgen/sepolgen.mk
+++ b/package/sepolgen/sepolgen.mk
@@ -10,6 +10,24 @@ SEPOLGEN_LICENSE = GPLv2
 SEPOLGEN_LICENSE_FILES = COPYING
 
 ifeq ($(BR2_PACKAGE_PYTHON3),y)
+SEPOLGEN_DEPENDENCIES = python3
+SEPOLGEN_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
+	PYTHONLIBDIR=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages
+else
+SEPOLGEN_DEPENDENCIES = python
+SEPOLGEN_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
+	PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
+endif
+
+define SEPOLGEN_BUILD_CMDS
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(TARGET_SEPOLGEN_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+endef
+
+define SEPOLGEN_INSTALL_TARGET_CMDS
+	$(MAKE_ENV) $(MAKE) -C $(@D) $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(TARGET_DIR) install
+endef
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
 HOST_SEPOLGEN_DEPENDENCIES = host-python3
 HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
 	PYTHONLIBDIR=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages
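Review bot: `SEPOLGEN_BUILD_CMDS` expands `$(TARGET_SEPOLGEN_MAKE_CMDS)`, but the variable this hunk defines is `SEPOLGEN_MAKE_CMDS`, so the build step gets an empty expansion and neither `$(TARGET_CONFIGURE_OPTS)` nor `PYTHONLIBDIR` reaches the package's make. The install step uses `$(MAKE_ENV)`, which is not defined anywhere in this hunk, where the build step uses `$(TARGET_MAKE_ENV)`; if it is indeed unset, install runs with the caller's environment rather than the cross environment. Suggested lines: `$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(TARGET_DIR)` for the build, and the same line with `install` appended for `SEPOLGEN_INSTALL_TARGET_CMDS`. The host `ifeq` block that follows continues outside the hunk.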
@@ -27,4 +45,5 @@ define HOST_SEPOLGEN_INSTALL_CMDS
 	$(HOST_MAKE_ENV) $(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR) install
 endef
 
+$(eval $(generic-package))
 $(eval $(host-generic-package))
-- 
2.9.3


* [Buildroot] [PATCH 2/4] checkpolicy: allow compiling for target
  2017-02-02 22:45 [Buildroot] [PATCH 1/4] sepolgen: allow compiling for target Adam Duskett
@ 2017-02-02 22:45 ` Adam Duskett
  2017-03-27 17:04   ` Matthew Weber
  2017-04-09 13:43   ` Thomas Petazzoni
  2017-02-02 22:45 ` [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module " Adam Duskett
                   ` (3 subsequent siblings)
  4 siblings, 2 replies; 23+ messages in thread
From: Adam Duskett @ 2017-02-02 22:45 UTC (permalink / raw)
  To: buildroot

checkpolicy is currently a host-only package, however it is a dependency
of audit2allow.  This patch allows for checkpolicy to be compiled for the
target.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 package/Config.in                  |  1 +
 package/checkpolicy/Config.in      | 11 +++++++++++
 package/checkpolicy/checkpolicy.mk | 23 +++++++++++++++++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 package/checkpolicy/Config.in

diff --git a/package/Config.in b/package/Config.in
index 9fedc23..90d9273 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1706,6 +1706,7 @@ menu "Real-Time"
 endmenu
 
 menu "Security"
+	source "package/checkpolicy/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/sepolgen/Config.in"
 	source "package/setools/Config.in"
diff --git a/package/checkpolicy/Config.in b/package/checkpolicy/Config.in
new file mode 100644
index 0000000..894ce39
--- /dev/null
+++ b/package/checkpolicy/Config.in
@@ -0,0 +1,11 @@
+config BR2_PACKAGE_CHECKPOLICY
+	bool "checkpolicy"
+	select BR2_PACKAGE_FLEX
+	help
+	  checkpolicy is the SELinux policy compiler. It uses libsepol
+	  to generate the binary policy. checkpolicy uses the static
+	  libsepol since it deals with low level details of the policy
+	  that have not been encapsulated/abstracted by a proper
+	  shared library interface.
+
+	  http://selinuxproject.org/page/Main_Page
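Review bot: `BR2_PACKAGE_CHECKPOLICY` selects only `BR2_PACKAGE_FLEX`, while checkpolicy.mk in this same patch lists `libselinux` in `CHECKPOLICY_DEPENDENCIES`. A target package named in `_DEPENDENCIES` but not selected in Config.in is built without being enabled in the configuration, so its sub-options and toolchain requirements are bypassed and the resulting image no longer matches the `.config`. Add `select BR2_PACKAGE_LIBSELINUX` together with libselinux's `depends on` conditions (not visible on this page). The help text says the tool links the static libsepol, so `libsepol` probably belongs in both files too, unless it is deliberately pulled in through libselinux.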
diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
index 8328b39..7af5edf 100644
--- a/package/checkpolicy/checkpolicy.mk
+++ b/package/checkpolicy/checkpolicy.mk
@@ -8,6 +8,28 @@ CHECKPOLICY_VERSION = 2.6
 CHECKPOLICY_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
 CHECKPOLICY_LICENSE = GPLv2
 CHECKPOLICY_LICENSE_FILES = COPYING
+LIBSELINUX_INSTALL_STAGING = YES
+
+CHECKPOLICY_DEPENDENCIES = libselinux host-bison flex
+
+TARGET_CHECKPOLICY_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS) \
+	LEX="$(HOST_DIR)/usr/bin/flex" \
+	YACC="$(HOST_DIR)/usr/bin/bison -y"
+	
+
+# DESTDIR is used at build time to find libselinux
+define CHECKPOLICY_BUILD_CMDS
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(TARGET_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define CHECKPOLICY_STAGING_CMDS
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(TARGET_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
+
+endef
+
+define CHECKPOLICY_INSTALL_TARGET_CMDS
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(TARGET_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
+endef
 
 HOST_CHECKPOLICY_DEPENDENCIES = host-libselinux host-flex host-bison
 
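Review bot: `CHECKPOLICY_STAGING_CMDS` is not a name the generic-package infrastructure looks up, so this define is never executed. The staging step is `<PKG>_INSTALL_STAGING_CMDS`, and it runs only when `<PKG>_INSTALL_STAGING = YES` is set for the same package. checkpolicy installs a policy compiler rather than a library other packages link against, so dropping the define is probably the simplest fix; otherwise rename it to `CHECKPOLICY_INSTALL_STAGING_CMDS` and add `CHECKPOLICY_INSTALL_STAGING = YES`. The whitespace-only line after the `YACC=` assignment and the empty line inside the define should be removed as well.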
@@ -24,4 +46,5 @@ define HOST_CHECKPOLICY_INSTALL_CMDS
 	$(HOST_MAKE_ENV) $(MAKE) -C $(@D) $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR) install
 endef
 
+$(eval $(generic-package))
 $(eval $(host-generic-package))
-- 
2.9.3


* [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module for target
  2017-02-02 22:45 [Buildroot] [PATCH 1/4] sepolgen: allow compiling for target Adam Duskett
  2017-02-02 22:45 ` [Buildroot] [PATCH 2/4] checkpolicy: " Adam Duskett
@ 2017-02-02 22:45 ` Adam Duskett
  2017-03-27 17:21   ` Matthew Weber
                     ` (2 more replies)
  2017-02-02 22:45 ` [Buildroot] [PATCH 4/4] policycoreutils: add option to build audit2allow Adam Duskett
                   ` (2 subsequent siblings)
  4 siblings, 3 replies; 23+ messages in thread
From: Adam Duskett @ 2017-02-02 22:45 UTC (permalink / raw)
  To: buildroot

libselinux currently does not compile its python wrapper module
for the target.  This is needed for audit2allow to function properly.

This patch allows for the python wrapper to be built.  The current
makefile will try to install the python wrapper to the host directory
unless the PYSITEDIR variable is set.  I wrapped the build of the
python wrapper in a check for AUDIT2ALLOW because of the extra python
dependency, as I am sure many users don't want to have to install
python if they don't have to.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 package/libselinux/libselinux.mk | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
index 44120c4..fba5d41 100644
--- a/package/libselinux/libselinux.mk
+++ b/package/libselinux/libselinux.mk
@@ -30,6 +30,7 @@ endef
 define LIBSELINUX_INSTALL_STAGING_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
 		$(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
+		
 endef
 
 define LIBSELINUX_INSTALL_TARGET_CMDS
@@ -39,8 +40,39 @@ define LIBSELINUX_INSTALL_TARGET_CMDS
 	if [ ! -d "$(TARGET_DIR)/selinux" ]; then mkdir $(TARGET_DIR)/selinux; fi
 	if ! grep -q "selinuxfs" $(TARGET_DIR)/etc/fstab; then \
 		echo "none /selinux selinuxfs noauto 0 0" >> $(TARGET_DIR)/etc/fstab ; fi
+		
 endef
 
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW),y)
+LIBSELINUX_DEPENDENCIES += host-swig
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+LIBSELINUX_DEPENDENCIES += python3
+LIBSELINUX_PYTHONLIBDIR = -L$(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)
+LIBSELINUX_PYINC = -I$(STAGING_DIR)/usr/include/python$(PYTHON3_VERSION_MAJOR)m
+LIBSELINUX_PYLIBVER = python$(PYTHON3_VERSION_MAJOR)
+else
+LIBSELINUX_DEPENDENCIES += python
+LIBSELINUX_PYTHONLIBDIR = -L$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)
+LIBSELINUX_PYINC = -I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
+LIBSELINUX_PYLIBVER = python$(PYTHON_VERSION_MAJOR)
+endif
+
+LIBSELINUX_MAKE_OPTS += \
+	PYINC="$(LIBSELINUX_PYINC)" \
+	PYTHONLIBDIR="$(LIBSELINUX_PYTHONLIBDIR)" \
+	PYLIBVER="$(LIBSELINUX_PYLIBVER)" \
+	PYSITEDIR=$(TARGET_DIR)/usr/lib/$(LIBSELINUX_PYLIBVER)/site-packages \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+LIBSELINUX_BUILD_CMDS += $(TARGET_MAKE_ENV) $(MAKE1) -C $(@D) \
+	$(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR) swigify pywrap
+
+LIBSELINUX_INSTALL_TARGET_CMDS += $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
+	$(LIBSELINUX_MAKE_OPTS) install-pywrap
+
+endif
+
 HOST_LIBSELINUX_DEPENDENCIES = \
 	host-libsepol host-pcre host-swig
 
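Review bot: `LIBSELINUX_PYTHONLIBDIR` points the linker at `-L$(TARGET_DIR)/usr/lib/...` and the pywrap build passes `DESTDIR=$(TARGET_DIR)`, whereas `LIBSELINUX_PYINC` on the next line correctly uses `$(STAGING_DIR)`. Link-time libraries should come from staging, since the target tree is the stripped runtime image and is not guaranteed to hold development files; use `-L$(STAGING_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)` and `DESTDIR=$(STAGING_DIR)` for the build step. The two `+=` appends extend recipes created with `define` (the `LIBSELINUX_BUILD_CMDS` define is outside this hunk), which joins the new command onto whatever the recipe's last line happens to be. Registering them as `LIBSELINUX_POST_BUILD_HOOKS` and `LIBSELINUX_POST_INSTALL_TARGET_HOOKS` macros does not depend on that layout. The block is also gated on `BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW`, an option of a package that itself depends on libselinux; a libselinux-owned bindings option that audit2allow selects would keep the dependency direction one-way.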
-- 
2.9.3


* [Buildroot] [PATCH 4/4] policycoreutils: add option to build audit2allow
  2017-02-02 22:45 [Buildroot] [PATCH 1/4] sepolgen: allow compiling for target Adam Duskett
  2017-02-02 22:45 ` [Buildroot] [PATCH 2/4] checkpolicy: " Adam Duskett
  2017-02-02 22:45 ` [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module " Adam Duskett
@ 2017-02-02 22:45 ` Adam Duskett
  2017-03-27 17:22   ` Matthew Weber
  2017-04-09 13:44   ` Thomas Petazzoni
  2017-03-27 19:11 ` [Buildroot] [PATCH 1/4] sepolgen: allow compiling for target Matthew Weber
  2017-04-09 13:43 ` Thomas Petazzoni
  4 siblings, 2 replies; 23+ messages in thread
From: Adam Duskett @ 2017-02-02 22:45 UTC (permalink / raw)
  To: buildroot

This python utility scans the logs for messages logged when the system
denied permission for operations, and generates a snippet of policy
rules which, if loaded into policy, might have allowed those operations
to succeed.  However, this utility only generates Type Enforcement (TE)
allow rules.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 package/policycoreutils/Config.in          |  8 ++++++++
 package/policycoreutils/policycoreutils.mk | 14 ++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
index 53238b4..f8c3dcf 100644
--- a/package/policycoreutils/Config.in
+++ b/package/policycoreutils/Config.in
@@ -45,6 +45,14 @@ config BR2_PACKAGE_POLICYCOREUTILS
 
 if BR2_PACKAGE_POLICYCOREUTILS
 
+config BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW
+	bool "audit2allow utility"
+	select BR2_PACKAGE_SEPOLGEN
+	select BR2_PACKAGE_CHECKPOLICY
+	select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
+	help
+	  Enable audit2allow to be built
+  
 config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
 	bool "restorecond"
 	select BR2_PACKAGE_LIBGLIB2
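Review bot: The help text `Enable audit2allow to be built` does not tell the person configuring an image what the option brings onto the target. Expand it to say that audit2allow is a Python tool that turns logged SELinux denials into Type Enforcement allow rules, and that enabling it installs a Python interpreter, sepolgen and checkpolicy on the target. It would also be worth adding one sentence that the generated rules are a starting point to be reviewed before they are loaded, so the option is understood as a policy-development aid. The whitespace-only line after the help text should be an empty line.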
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index 6076bb9..2e30fd4 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -50,6 +50,20 @@ ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
 POLICYCOREUTILS_MAKE_DIRS += restorecond
 POLICYCOREUTILS_DEPENDENCIES += libglib2
 endif
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW),y)
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+POLICYCOREUTILS_DEPENDENCIES += python3
+POLICYCOREUTILS_MAKE_OPTS += PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
+else
+POLICYCOREUTILS_DEPENDENCIES += python
+POLICYCOREUTILS_MAKE_OPTS += PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
+endif
+
+POLICYCOREUTILS_DEPENDENCIES += sepolgen checkpolicy
+POLICYCOREUTILS_MAKE_DIRS += audit2allow
+endif
+
 # We need to pass DESTDIR at build time because it's used by
 # policycoreutils build system to find headers and libraries.
 define POLICYCOREUTILS_BUILD_CMDS
-- 
2.9.3


* [Buildroot] [PATCH 2/4] checkpolicy: allow compiling for target
  2017-02-02 22:45 ` [Buildroot] [PATCH 2/4] checkpolicy: " Adam Duskett
@ 2017-03-27 17:04   ` Matthew Weber
  2017-03-27 19:13     ` Matthew Weber
  2017-04-09 13:43   ` Thomas Petazzoni
  1 sibling, 1 reply; 23+ messages in thread
From: Matthew Weber @ 2017-03-27 17:04 UTC (permalink / raw)
  To: buildroot

Adam,

On Thu, Feb 2, 2017 at 4:45 PM, Adam Duskett <aduskett@gmail.com> wrote:
> checkpolicy is currently a host-only package, however it is a dependency
> of audit2allow.  This patch allows for checkpolicy to be compiled for the
> target.
>
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> ---
>  package/Config.in                  |  1 +
>  package/checkpolicy/Config.in      | 11 +++++++++++
>  package/checkpolicy/checkpolicy.mk | 23 +++++++++++++++++++++++
>  3 files changed, 35 insertions(+)
>  create mode 100644 package/checkpolicy/Config.in
>
> diff --git a/package/Config.in b/package/Config.in
> index 9fedc23..90d9273 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1706,6 +1706,7 @@ menu "Real-Time"
>  endmenu
>
>  menu "Security"
> +       source "package/checkpolicy/Config.in"
>         source "package/policycoreutils/Config.in"
>         source "package/sepolgen/Config.in"
>         source "package/setools/Config.in"
> diff --git a/package/checkpolicy/Config.in b/package/checkpolicy/Config.in
> new file mode 100644
> index 0000000..894ce39
> --- /dev/null
> +++ b/package/checkpolicy/Config.in
> @@ -0,0 +1,11 @@
> +config BR2_PACKAGE_CHECKPOLICY
> +       bool "checkpolicy"
> +       select BR2_PACKAGE_FLEX
> +       help
> +         checkpolicy is the SELinux policy compiler. It uses libsepol
> +         to generate the binary policy. checkpolicy uses the static
> +         libsepol since it deals with low level details of the policy
> +         that have not been encapsulated/abstracted by a proper
> +         shared library interface.
> +
> +         http://selinuxproject.org/page/Main_Page
> diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
> index 8328b39..7af5edf 100644
> --- a/package/checkpolicy/checkpolicy.mk
> +++ b/package/checkpolicy/checkpolicy.mk
> @@ -8,6 +8,28 @@ CHECKPOLICY_VERSION = 2.6
>  CHECKPOLICY_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
>  CHECKPOLICY_LICENSE = GPLv2
>  CHECKPOLICY_LICENSE_FILES = COPYING
> +LIBSELINUX_INSTALL_STAGING = YES

I'd suggest moving the staging install to the libselinux package and
have it selectively set if Checkpolicy's target package is enabled.

<snip>

Thanks,
Matt


* [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module for target
  2017-02-02 22:45 ` [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module " Adam Duskett
@ 2017-03-27 17:21   ` Matthew Weber
  2017-03-27 19:19     ` Matthew Weber
  2017-04-09 13:44   ` Thomas Petazzoni
  2017-04-11 12:40   ` Thomas Petazzoni
  2 siblings, 1 reply; 23+ messages in thread
From: Matthew Weber @ 2017-03-27 17:21 UTC (permalink / raw)
  To: buildroot

Adam,

On Thu, Feb 2, 2017 at 4:45 PM, Adam Duskett <aduskett@gmail.com> wrote:
> libselinux currently does not compile it's python wrapper module
> for the target.  This is needed for audit2allow to function properly.
>
> This patch allows for the python wrapper to be built.  The current
> makefile will try to install the python wrapper to the host directory
> unless the PYSITEDIR variable is set.  I wrapped the build of the
> python wrapper in a check for AUDIT2ALLOW because of the extra python
> dependency, as I am sure many users don't want to have to install
> python if they don't have to.
>
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> ---
>  package/libselinux/libselinux.mk | 32 ++++++++++++++++++++++++++++++++
>  1 file changed, 32 insertions(+)
>
> diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
> index 44120c4..fba5d41 100644
> --- a/package/libselinux/libselinux.mk
> +++ b/package/libselinux/libselinux.mk
> @@ -30,6 +30,7 @@ endef
>  define LIBSELINUX_INSTALL_STAGING_CMDS
>         $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
>                 $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
> +

<snip>

>         if ! grep -q "selinuxfs" $(TARGET_DIR)/etc/fstab; then \
>                 echo "none /selinux selinuxfs noauto 0 0" >> $(TARGET_DIR)/etc/fstab ; fi
> +

Any reason for the two newlines above?

>  endef
>
> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW),y)
> +LIBSELINUX_DEPENDENCIES += host-swig
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +LIBSELINUX_DEPENDENCIES += python3
> +LIBSELINUX_PYTHONLIBDIR = -L$(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)
> +LIBSELINUX_PYINC = -I$(STAGING_DIR)/usr/include/python$(PYTHON3_VERSION_MAJOR)m
> +LIBSELINUX_PYLIBVER = python$(PYTHON3_VERSION_MAJOR)
> +else
> +LIBSELINUX_DEPENDENCIES += python
> +LIBSELINUX_PYTHONLIBDIR = -L$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)
> +LIBSELINUX_PYINC = -I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
> +LIBSELINUX_PYLIBVER = python$(PYTHON_VERSION_MAJOR)
> +endif
> +
> +LIBSELINUX_MAKE_OPTS += \
> +       PYINC="$(LIBSELINUX_PYINC)" \
> +       PYTHONLIBDIR="$(LIBSELINUX_PYTHONLIBDIR)" \
> +       PYLIBVER="$(LIBSELINUX_PYLIBVER)" \
> +       PYSITEDIR=$(TARGET_DIR)/usr/lib/$(LIBSELINUX_PYLIBVER)/site-packages \
> +       SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
> +
> +LIBSELINUX_BUILD_CMDS += $(TARGET_MAKE_ENV) $(MAKE1) -C $(@D) \
> +       $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR) swigify pywrap
> +
> +LIBSELINUX_INSTALL_TARGET_CMDS += $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
> +       $(LIBSELINUX_MAKE_OPTS) install-pywrap
> +
> +endif
> +

I need to build and test this.  This was in the original libselinux
patchset and I believe we had issues in swig.

>  HOST_LIBSELINUX_DEPENDENCIES = \
>         host-libsepol host-pcre host-swig
>
> --
> 2.9.3
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot



-- 
Matthew L Weber / Pr Software Engineer
Airborne Information Systems / Security Systems and Software / Secure Platforms
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
www.rockwellcollins.com

Note: Any Export License Required Information and License Restricted
Third Party Intellectual Property (TPIP) content must be encrypted and
sent to matthew.weber at corp.rockwellcollins.com.


* [Buildroot] [PATCH 4/4] policycoreutils: add option to build audit2allow
  2017-02-02 22:45 ` [Buildroot] [PATCH 4/4] policycoreutils: add option to build audit2allow Adam Duskett
@ 2017-03-27 17:22   ` Matthew Weber
  2017-03-27 19:20     ` Matthew Weber
  2017-04-09 13:44   ` Thomas Petazzoni
  1 sibling, 1 reply; 23+ messages in thread
From: Matthew Weber @ 2017-03-27 17:22 UTC (permalink / raw)
  To: buildroot

Adam,

On Thu, Feb 2, 2017 at 4:45 PM, Adam Duskett <aduskett@gmail.com> wrote:
> This python utility scans the logs for messages logged when the system
> denied permission for operations, and  generates  a snippet of policy
> rules which, if loaded into policy, might have allowed  those operations
> to succeed.  However, this utility only generates Type Enforcement (TE)
> allow rules.
>
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> ---
>  package/policycoreutils/Config.in          |  8 ++++++++
>  package/policycoreutils/policycoreutils.mk | 14 ++++++++++++++
>  2 files changed, 22 insertions(+)
>
> diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
> index 53238b4..f8c3dcf 100644
> --- a/package/policycoreutils/Config.in
> +++ b/package/policycoreutils/Config.in
> @@ -45,6 +45,14 @@ config BR2_PACKAGE_POLICYCOREUTILS
>
>  if BR2_PACKAGE_POLICYCOREUTILS
>
> +config BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW
> +       bool "audit2allow utility"
> +       select BR2_PACKAGE_SEPOLGEN
> +       select BR2_PACKAGE_CHECKPOLICY
> +       select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
> +       help
> +         Enable audit2allow to be built
> +
>  config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
>         bool "restorecond"
>         select BR2_PACKAGE_LIBGLIB2
> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
> index 6076bb9..2e30fd4 100644
> --- a/package/policycoreutils/policycoreutils.mk
> +++ b/package/policycoreutils/policycoreutils.mk
> @@ -50,6 +50,20 @@ ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
>  POLICYCOREUTILS_MAKE_DIRS += restorecond
>  POLICYCOREUTILS_DEPENDENCIES += libglib2
>  endif
> +
> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW),y)
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +POLICYCOREUTILS_DEPENDENCIES += python3
> +POLICYCOREUTILS_MAKE_OPTS += PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
> +else
> +POLICYCOREUTILS_DEPENDENCIES += python
> +POLICYCOREUTILS_MAKE_OPTS += PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
> +endif
> +
> +POLICYCOREUTILS_DEPENDENCIES += sepolgen checkpolicy
> +POLICYCOREUTILS_MAKE_DIRS += audit2allow
> +endif
> +
>  # We need to pass DESTDIR at build time because it's used by
>  # policycoreutils build system to find headers and libraries.
>  define POLICYCOREUTILS_BUILD_CMDS
> --
> 2.9.3
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

Running some test builds on this and will respond once complete.
Otherwise looks ok.

Thanks,
Matt


* [Buildroot] [PATCH 1/4] sepolgen: allow compiling for target
  2017-02-02 22:45 [Buildroot] [PATCH 1/4] sepolgen: allow compiling for target Adam Duskett
                   ` (2 preceding siblings ...)
  2017-02-02 22:45 ` [Buildroot] [PATCH 4/4] policycoreutils: add option to build audit2allow Adam Duskett
@ 2017-03-27 19:11 ` Matthew Weber
  2017-04-09 13:43 ` Thomas Petazzoni
  4 siblings, 0 replies; 23+ messages in thread
From: Matthew Weber @ 2017-03-27 19:11 UTC (permalink / raw)
  To: buildroot

Adam,

On Thu, Feb 2, 2017 at 4:45 PM, Adam Duskett <aduskett@gmail.com> wrote:
> Sepolgen is currently a host-only package, however it is a dependency
> of audit2allow.  This patch allows for sepolgen to be compiled for the
> target.
>
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> ---
>  package/Config.in            |  1 +
>  package/sepolgen/Config.in   |  9 +++++++++
>  package/sepolgen/sepolgen.mk | 19 +++++++++++++++++++
>  3 files changed, 29 insertions(+)
>  create mode 100644 package/sepolgen/Config.in
>
> diff --git a/package/Config.in b/package/Config.in
> index d1c517a..9fedc23 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1707,6 +1707,7 @@ endmenu
>
>  menu "Security"
>         source "package/policycoreutils/Config.in"
> +       source "package/sepolgen/Config.in"
>         source "package/setools/Config.in"
>  endmenu
>
> diff --git a/package/sepolgen/Config.in b/package/sepolgen/Config.in
> new file mode 100644
> index 0000000..87621b6
> --- /dev/null
> +++ b/package/sepolgen/Config.in
> @@ -0,0 +1,9 @@
> +config BR2_PACKAGE_SEPOLGEN
> +       bool "sepolgen"
> +    select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
> +       help
> +         This package contains a Python module that forms the core of the
> +         modern audit2allow (which is a part of the package policycoreutils).
> +         It contains infrastructure for parsing SELinux related messages as
> +         produced by the audit system.

Remove extra space from the 4 lines above this.

> +         It has facilities for generating policy based on required access.
> diff --git a/package/sepolgen/sepolgen.mk b/package/sepolgen/sepolgen.mk
> index 137eaed..ce3f683 100644
> --- a/package/sepolgen/sepolgen.mk
> +++ b/package/sepolgen/sepolgen.mk
> @@ -10,6 +10,24 @@ SEPOLGEN_LICENSE = GPLv2
>  SEPOLGEN_LICENSE_FILES = COPYING
>
>  ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +SEPOLGEN_DEPENDENCIES = python3
> +SEPOLGEN_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
> +       PYTHONLIBDIR=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages
> +else
> +SEPOLGEN_DEPENDENCIES = python
> +SEPOLGEN_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
> +       PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
> +endif
> +
> +define SEPOLGEN_BUILD_CMDS
> +       $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(TARGET_SEPOLGEN_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
> +endef
> +
> +define SEPOLGEN_INSTALL_TARGET_CMDS
> +       $(MAKE_ENV) $(MAKE) -C $(@D) $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(TARGET_DIR) install
> +endef
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
>  HOST_SEPOLGEN_DEPENDENCIES = host-python3
>  HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
>         PYTHONLIBDIR=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages
> @@ -27,4 +45,5 @@ define HOST_SEPOLGEN_INSTALL_CMDS
>         $(HOST_MAKE_ENV) $(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR) install
>  endef
>
> +$(eval $(generic-package))

I did a build test but didn't have hardware available to execute the
scripts which use this lib.  I did however verify the lib's arch and
location were correct in the target install.

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>


* [Buildroot] [PATCH 2/4] checkpolicy: allow compiling for target
  2017-03-27 17:04   ` Matthew Weber
@ 2017-03-27 19:13     ` Matthew Weber
  2017-04-03 13:14       ` Adam Duskett
  0 siblings, 1 reply; 23+ messages in thread
From: Matthew Weber @ 2017-03-27 19:13 UTC (permalink / raw)
  To: buildroot

Adam,

On Mon, Mar 27, 2017 at 12:04 PM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
> Adam,
>
> On Thu, Feb 2, 2017 at 4:45 PM, Adam Duskett <aduskett@gmail.com> wrote:
>> checkpolicy is currently a host-only package, however it is a dependency
>> of audit2allow.  This patch allows for checkpolicy to be compiled for the
>> target.
>>
>> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
>> ---
>>  package/Config.in                  |  1 +
>>  package/checkpolicy/Config.in      | 11 +++++++++++
>>  package/checkpolicy/checkpolicy.mk | 23 +++++++++++++++++++++++
>>  3 files changed, 35 insertions(+)
>>  create mode 100644 package/checkpolicy/Config.in
>>
>> diff --git a/package/Config.in b/package/Config.in
>> index 9fedc23..90d9273 100644
>> --- a/package/Config.in
>> +++ b/package/Config.in
>> @@ -1706,6 +1706,7 @@ menu "Real-Time"
>>  endmenu
>>
>>  menu "Security"
>> +       source "package/checkpolicy/Config.in"
>>         source "package/policycoreutils/Config.in"
>>         source "package/sepolgen/Config.in"
>>         source "package/setools/Config.in"
>> diff --git a/package/checkpolicy/Config.in b/package/checkpolicy/Config.in
>> new file mode 100644
>> index 0000000..894ce39
>> --- /dev/null
>> +++ b/package/checkpolicy/Config.in
>> @@ -0,0 +1,11 @@
>> +config BR2_PACKAGE_CHECKPOLICY
>> +       bool "checkpolicy"
>> +       select BR2_PACKAGE_FLEX
>> +       help
>> +         checkpolicy is the SELinux policy compiler. It uses libsepol
>> +         to generate the binary policy. checkpolicy uses the static
>> +         libsepol since it deals with low level details of the policy
>> +         that have not been encapsulated/abstracted by a proper
>> +         shared library interface.
>> +
>> +         http://selinuxproject.org/page/Main_Page
>> diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
>> index 8328b39..7af5edf 100644
>> --- a/package/checkpolicy/checkpolicy.mk
>> +++ b/package/checkpolicy/checkpolicy.mk
>> @@ -8,6 +8,28 @@ CHECKPOLICY_VERSION = 2.6
>>  CHECKPOLICY_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
>>  CHECKPOLICY_LICENSE = GPLv2
>>  CHECKPOLICY_LICENSE_FILES = COPYING
>> +LIBSELINUX_INSTALL_STAGING = YES
>
> I'd suggest moving the staging install to the libselinux package and
> have it selectively set if Checkpolicy's target package is enabled.
>

I did a build test but didn't have hardware available to execute.  I
did however verify the checkpolicy app's arch and location in the
target folder were correct.

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>


* [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module for target
  2017-03-27 17:21   ` Matthew Weber
@ 2017-03-27 19:19     ` Matthew Weber
  2017-04-04  2:09       ` Matthew Weber
  0 siblings, 1 reply; 23+ messages in thread
From: Matthew Weber @ 2017-03-27 19:19 UTC (permalink / raw)
  To: buildroot

Adam,

On Mon, Mar 27, 2017 at 12:21 PM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
> Adam,
>
> On Thu, Feb 2, 2017 at 4:45 PM, Adam Duskett <aduskett@gmail.com> wrote:
>> libselinux currently does not compile it's python wrapper module
>> for the target.  This is needed for audit2allow to function properly.
>>
>> This patch allows for the python wrapper to be built.  The current
>> makefile will try to install the python wrapper to the host directory
>> unless the PYSITEDIR variable is set.  I wrapped the build of the
>> python wrapper in a check for AUDIT2ALLOW because of the extra python
>> dependency, as I am sure many users don't want to have to install
>> python if they don't have to.
>>
>> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
>> ---
>>  package/libselinux/libselinux.mk | 32 ++++++++++++++++++++++++++++++++
>>  1 file changed, 32 insertions(+)
>>
>> diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
>> index 44120c4..fba5d41 100644
>> --- a/package/libselinux/libselinux.mk
>> +++ b/package/libselinux/libselinux.mk
>> @@ -30,6 +30,7 @@ endef
>>  define LIBSELINUX_INSTALL_STAGING_CMDS
>>         $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
>>                 $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
>> +
>
> <snip>
>
>>         if ! grep -q "selinuxfs" $(TARGET_DIR)/etc/fstab; then \
>>                 echo "none /selinux selinuxfs noauto 0 0" >> $(TARGET_DIR)/etc/fstab ; fi
>> +
>
> Any reason for the two newlines above?
>
>>  endef
>>
>> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW),y)
>> +LIBSELINUX_DEPENDENCIES += host-swig
>> +
>> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
>> +LIBSELINUX_DEPENDENCIES += python3
>> +LIBSELINUX_PYTHONLIBDIR = -L$(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)
>> +LIBSELINUX_PYINC = -I$(STAGING_DIR)/usr/include/python$(PYTHON3_VERSION_MAJOR)m
>> +LIBSELINUX_PYLIBVER = python$(PYTHON3_VERSION_MAJOR)
>> +else
>> +LIBSELINUX_DEPENDENCIES += python
>> +LIBSELINUX_PYTHONLIBDIR = -L$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)
>> +LIBSELINUX_PYINC = -I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
>> +LIBSELINUX_PYLIBVER = python$(PYTHON_VERSION_MAJOR)
>> +endif
>> +
>> +LIBSELINUX_MAKE_OPTS += \
>> +       PYINC="$(LIBSELINUX_PYINC)" \
>> +       PYTHONLIBDIR="$(LIBSELINUX_PYTHONLIBDIR)" \
>> +       PYLIBVER="$(LIBSELINUX_PYLIBVER)" \
>> +       PYSITEDIR=$(TARGET_DIR)/usr/lib/$(LIBSELINUX_PYLIBVER)/site-packages \
>> +       SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
>> +
>> +LIBSELINUX_BUILD_CMDS += $(TARGET_MAKE_ENV) $(MAKE1) -C $(@D) \
>> +       $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR) swigify pywrap
>> +
>> +LIBSELINUX_INSTALL_TARGET_CMDS += $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
>> +       $(LIBSELINUX_MAKE_OPTS) install-pywrap
>> +
>> +endif
>> +
>
> I need to build and test this.  This was in the original libselinux
> patchset and I believe we had issues in swig.
>

I did a build test but didn't have hardware available to execute.  I
did verify the libselinux installed correctly to staging and that the
swig related (selinux.py) item built/installed correctly
(target/usr/lib/python3.5/site-packages/selinux/).

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>


* [Buildroot] [PATCH 4/4] policycoreutils: add option to build audit2allow
  2017-03-27 17:22   ` Matthew Weber
@ 2017-03-27 19:20     ` Matthew Weber
  0 siblings, 0 replies; 23+ messages in thread
From: Matthew Weber @ 2017-03-27 19:20 UTC (permalink / raw)
  To: buildroot

Adam,

On Mon, Mar 27, 2017 at 12:22 PM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
> Adam,
>
> On Thu, Feb 2, 2017 at 4:45 PM, Adam Duskett <aduskett@gmail.com> wrote:
>> This python utility scans the logs for messages logged when the system
>> denied permission for operations, and  generates  a snippet of policy
>> rules which, if loaded into policy, might have allowed  those operations
>> to succeed.  However, this utility only generates Type Enforcement (TE)
>> allow rules.
>>
>> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
>> ---
>>  package/policycoreutils/Config.in          |  8 ++++++++
>>  package/policycoreutils/policycoreutils.mk | 14 ++++++++++++++
>>  2 files changed, 22 insertions(+)
>>
>> diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
>> index 53238b4..f8c3dcf 100644
>> --- a/package/policycoreutils/Config.in
>> +++ b/package/policycoreutils/Config.in
>> @@ -45,6 +45,14 @@ config BR2_PACKAGE_POLICYCOREUTILS
>>
>>  if BR2_PACKAGE_POLICYCOREUTILS
>>
>> +config BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW
>> +       bool "audit2allow utility"
>> +       select BR2_PACKAGE_SEPOLGEN
>> +       select BR2_PACKAGE_CHECKPOLICY
>> +       select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
>> +       help
>> +         Enable audit2allow to be built
>> +
>>  config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
>>         bool "restorecond"
>>         select BR2_PACKAGE_LIBGLIB2
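Review bot: The help text for `BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW` ("Enable audit2allow to be built") does not tell whoever configures an image what the option puts on the target. Per the commit message the tool turns logged denials into Type Enforcement allow rules, and the new entry also selects sepolgen, checkpolicy (the policy compiler) and a Python interpreter, so a target built with it carries the tooling to author and compile policy changes. I would spell that out in the help, for example `Build audit2allow, which generates TE allow rules from logged denials. Policy development aid; pulls in Python, sepolgen and checkpolicy.`, so that enabling it on a production image is a deliberate choice.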
>> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
>> index 6076bb9..2e30fd4 100644
>> --- a/package/policycoreutils/policycoreutils.mk
>> +++ b/package/policycoreutils/policycoreutils.mk
>> @@ -50,6 +50,20 @@ ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
>>  POLICYCOREUTILS_MAKE_DIRS += restorecond
>>  POLICYCOREUTILS_DEPENDENCIES += libglib2
>>  endif
>> +
>> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW),y)
>> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
>> +POLICYCOREUTILS_DEPENDENCIES += python3
>> +POLICYCOREUTILS_MAKE_OPTS += PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
>> +else
>> +POLICYCOREUTILS_DEPENDENCIES += python
>> +POLICYCOREUTILS_MAKE_OPTS += PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
>> +endif
>> +
>> +POLICYCOREUTILS_DEPENDENCIES += sepolgen checkpolicy
>> +POLICYCOREUTILS_MAKE_DIRS += audit2allow
>> +endif
>> +
>>  # We need to pass DESTDIR at build time because it's used by
>>  # policycoreutils build system to find headers and libraries.
>>  define POLICYCOREUTILS_BUILD_CMDS
>> --
>> 2.9.3
>>
>
> Running some test builds on this and will respond once complete.
> Otherwise looks ok.
>

I did a build test but didn't have hardware available to execute.  I
did verify the audit2allow installed correctly to target and that the
python include path in that script didn't include the build path.

Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>


* [Buildroot] [PATCH 2/4] checkpolicy: allow compiling for target
  2017-03-27 19:13     ` Matthew Weber
@ 2017-04-03 13:14       ` Adam Duskett
  2017-04-03 13:38         ` Matthew Weber
  0 siblings, 1 reply; 23+ messages in thread
From: Adam Duskett @ 2017-04-03 13:14 UTC (permalink / raw)
  To: buildroot

Matthew;

On Mon, Mar 27, 2017 at 3:13 PM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
> Adam,
>
> On Mon, Mar 27, 2017 at 12:04 PM, Matthew Weber
> <matthew.weber@rockwellcollins.com> wrote:
>> Adam,
>>
>> On Thu, Feb 2, 2017 at 4:45 PM, Adam Duskett <aduskett@gmail.com> wrote:
>>> checkpolicy is currently a host-only package, however it is a dependency
>>> of audit2allow.  This patch allows for checkpolicy to be compiled for the
>>> target.
>>>
>>> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
>>> ---
>>>  package/Config.in                  |  1 +
>>>  package/checkpolicy/Config.in      | 11 +++++++++++
>>>  package/checkpolicy/checkpolicy.mk | 23 +++++++++++++++++++++++
>>>  3 files changed, 35 insertions(+)
>>>  create mode 100644 package/checkpolicy/Config.in
>>>
>>> diff --git a/package/Config.in b/package/Config.in
>>> index 9fedc23..90d9273 100644
>>> --- a/package/Config.in
>>> +++ b/package/Config.in
>>> @@ -1706,6 +1706,7 @@ menu "Real-Time"
>>>  endmenu
>>>
>>>  menu "Security"
>>> +       source "package/checkpolicy/Config.in"
>>>         source "package/policycoreutils/Config.in"
>>>         source "package/sepolgen/Config.in"
>>>         source "package/setools/Config.in"
>>> diff --git a/package/checkpolicy/Config.in b/package/checkpolicy/Config.in
>>> new file mode 100644
>>> index 0000000..894ce39
>>> --- /dev/null
>>> +++ b/package/checkpolicy/Config.in
>>> @@ -0,0 +1,11 @@
>>> +config BR2_PACKAGE_CHECKPOLICY
>>> +       bool "checkpolicy"
>>> +       select BR2_PACKAGE_FLEX
>>> +       help
>>> +         checkpolicy is the SELinux policy compiler. It uses libsepol
>>> +         to generate the binary policy. checkpolicy uses the static
>>> +         libsepol since it deals with low level details of the policy
>>> +         that have not been encapsulated/abstracted by a proper
>>> +         shared library interface.
>>> +
>>> +         http://selinuxproject.org/page/Main_Page
>>> diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
>>> index 8328b39..7af5edf 100644
>>> --- a/package/checkpolicy/checkpolicy.mk
>>> +++ b/package/checkpolicy/checkpolicy.mk
>>> @@ -8,6 +8,28 @@ CHECKPOLICY_VERSION = 2.6
>>>  CHECKPOLICY_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
>>>  CHECKPOLICY_LICENSE = GPLv2
>>>  CHECKPOLICY_LICENSE_FILES = COPYING
>>> +LIBSELINUX_INSTALL_STAGING = YES
>>
>> I'd suggest moving the staging install to the libselinux package and
>> have it selectively set if Checkpolicy's target package is enabled.
>>
Gladly!  Just to make sure I got this right:
In the libselinux package, check to see if audit2allow is selected
and if so, build checkpolicy.

This would keep checkpolicy out of the menuconfig which is what would
be desired yes?

>
> I did a build test but didn't have hardware available to execute.  I
> did however verify the checkpolicy app's arch and location in the
> target folder were correct.
>
> Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>

Thanks!

Adam


* [Buildroot] [PATCH 2/4] checkpolicy: allow compiling for target
  2017-04-03 13:14       ` Adam Duskett
@ 2017-04-03 13:38         ` Matthew Weber
  0 siblings, 0 replies; 23+ messages in thread
From: Matthew Weber @ 2017-04-03 13:38 UTC (permalink / raw)
  To: buildroot

Adam,

On Mon, Apr 3, 2017 at 8:14 AM, Adam Duskett <aduskett@gmail.com> wrote:
> Matthew;
>
> On Mon, Mar 27, 2017 at 3:13 PM, Matthew Weber
> <matthew.weber@rockwellcollins.com> wrote:
>> Adam,
>>
>> On Mon, Mar 27, 2017 at 12:04 PM, Matthew Weber
>> <matthew.weber@rockwellcollins.com> wrote:
>>> Adam,
>>>
>>> On Thu, Feb 2, 2017 at 4:45 PM, Adam Duskett <aduskett@gmail.com> wrote:
>>>> checkpolicy is currently a host-only package, however it is a dependency
>>>> of audit2allow.  This patch allows for checkpolicy to be compiled for the
>>>> target.
>>>>
>>>> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
>>>> ---
>>>>  package/Config.in                  |  1 +
>>>>  package/checkpolicy/Config.in      | 11 +++++++++++
>>>>  package/checkpolicy/checkpolicy.mk | 23 +++++++++++++++++++++++
>>>>  3 files changed, 35 insertions(+)
>>>>  create mode 100644 package/checkpolicy/Config.in
>>>>
>>>> diff --git a/package/Config.in b/package/Config.in
>>>> index 9fedc23..90d9273 100644
>>>> --- a/package/Config.in
>>>> +++ b/package/Config.in
>>>> @@ -1706,6 +1706,7 @@ menu "Real-Time"
>>>>  endmenu
>>>>
>>>>  menu "Security"
>>>> +       source "package/checkpolicy/Config.in"
>>>>         source "package/policycoreutils/Config.in"
>>>>         source "package/sepolgen/Config.in"
>>>>         source "package/setools/Config.in"
>>>> diff --git a/package/checkpolicy/Config.in b/package/checkpolicy/Config.in
>>>> new file mode 100644
>>>> index 0000000..894ce39
>>>> --- /dev/null
>>>> +++ b/package/checkpolicy/Config.in
>>>> @@ -0,0 +1,11 @@
>>>> +config BR2_PACKAGE_CHECKPOLICY
>>>> +       bool "checkpolicy"
>>>> +       select BR2_PACKAGE_FLEX
>>>> +       help
>>>> +         checkpolicy is the SELinux policy compiler. It uses libsepol
>>>> +         to generate the binary policy. checkpolicy uses the static
>>>> +         libsepol since it deals with low level details of the policy
>>>> +         that have not been encapsulated/abstracted by a proper
>>>> +         shared library interface.
>>>> +
>>>> +         http://selinuxproject.org/page/Main_Page
>>>> diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
>>>> index 8328b39..7af5edf 100644
>>>> --- a/package/checkpolicy/checkpolicy.mk
>>>> +++ b/package/checkpolicy/checkpolicy.mk
>>>> @@ -8,6 +8,28 @@ CHECKPOLICY_VERSION = 2.6
>>>>  CHECKPOLICY_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
>>>>  CHECKPOLICY_LICENSE = GPLv2
>>>>  CHECKPOLICY_LICENSE_FILES = COPYING
>>>> +LIBSELINUX_INSTALL_STAGING = YES
>>>
>>> I'd suggest moving the staging install to the libselinux package and
>>> have it selectively set if Checkpolicy's target package is enabled.
>>>
> Gladly!  Just to make sure I got this right:
> In the libselinux package, check to see if audit2allow is selected
> and if so, build checkpolicy.
>
> This would keep checkpolicy out of the menuconfig which is what would
> be desired yes?

Related to the staging install, in libselinux.mk where you have the
conditional for BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW, set the
LIBSELINUX_INSTALL_STAGING = YES.

As for whether sepolgen/checkpolicy appear in the menu or not, I'd
leave them as is and have the autobuilders work out any weird
dependencies.  The other option would be putting conditions around
them and adding comments, shown when they are disabled, that mention
the audit2allow dependency.

-Matt


* [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module for target
  2017-03-27 19:19     ` Matthew Weber
@ 2017-04-04  2:09       ` Matthew Weber
  0 siblings, 0 replies; 23+ messages in thread
From: Matthew Weber @ 2017-04-04  2:09 UTC (permalink / raw)
  To: buildroot

Adam,


On Mon, Mar 27, 2017 at 2:19 PM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
>
> Adam,
>
> On Mon, Mar 27, 2017 at 12:21 PM, Matthew Weber
> <matthew.weber@rockwellcollins.com> wrote:
> > Adam,
> >
> > On Thu, Feb 2, 2017 at 4:45 PM, Adam Duskett <aduskett@gmail.com> wrote:
> >> libselinux currently does not compile it's python wrapper module
> >> for the target.  This is needed for audit2allow to function properly.
> >>
> >> This patch allows for the python wrapper to be built.  The current
> >> makefile will try to install the python wrapper to the host directory
> >> unless the PYSITEDIR variable is set.  I wrapped the build of the
> >> python wrapper in a check for AUDIT2ALLOW because of the extra python
> >> dependency, as I am sure many users don't want to have to install
> >> python if they don't have to.
> >>
> >> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> >> ---
> >>  package/libselinux/libselinux.mk | 32 ++++++++++++++++++++++++++++++++
> >>  1 file changed, 32 insertions(+)
> >>
> >> diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
> >> index 44120c4..fba5d41 100644
> >> --- a/package/libselinux/libselinux.mk
> >> +++ b/package/libselinux/libselinux.mk
> >> @@ -30,6 +30,7 @@ endef
> >>  define LIBSELINUX_INSTALL_STAGING_CMDS
> >>         $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
> >>                 $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
> >> +
> >
> > <snip>
> >
> >>         if ! grep -q "selinuxfs" $(TARGET_DIR)/etc/fstab; then \
> >>                 echo "none /selinux selinuxfs noauto 0 0" >> $(TARGET_DIR)/etc/fstab ; fi
> >> +
> >
> > Any reason for the two newlines above?
> >
> >>  endef
> >>
> >> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW),y)
> >> +LIBSELINUX_DEPENDENCIES += host-swig
> >> +
> >> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> >> +LIBSELINUX_DEPENDENCIES += python3
> >> +LIBSELINUX_PYTHONLIBDIR = -L$(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)
> >> +LIBSELINUX_PYINC = -I$(STAGING_DIR)/usr/include/python$(PYTHON3_VERSION_MAJOR)m
> >> +LIBSELINUX_PYLIBVER = python$(PYTHON3_VERSION_MAJOR)
> >> +else
> >> +LIBSELINUX_DEPENDENCIES += python
> >> +LIBSELINUX_PYTHONLIBDIR = -L$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)
> >> +LIBSELINUX_PYINC = -I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
> >> +LIBSELINUX_PYLIBVER = python$(PYTHON_VERSION_MAJOR)
> >> +endif
> >> +
> >> +LIBSELINUX_MAKE_OPTS += \
> >> +       PYINC="$(LIBSELINUX_PYINC)" \
> >> +       PYTHONLIBDIR="$(LIBSELINUX_PYTHONLIBDIR)" \

Please incorporate similar changes to the following I sent out
tonight.  You already had the PYSITEDIR added, but the PYLIBVER /
LIBSELINUX_PYTHONLIBDIR / PYTHONLIBDIR were removed when we bumped to
version 2.6
https://patchwork.ozlabs.org/patch/746684/

> >> +       PYLIBVER="$(LIBSELINUX_PYLIBVER)" \
> >> +       PYSITEDIR=$(TARGET_DIR)/usr/lib/$(LIBSELINUX_PYLIBVER)/site-packages \
> >> +       SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
> >> +
> >> +LIBSELINUX_BUILD_CMDS += $(TARGET_MAKE_ENV) $(MAKE1) -C $(@D) \
> >> +       $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR) swigify pywrap
> >> +
> >> +LIBSELINUX_INSTALL_TARGET_CMDS += $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
> >> +       $(LIBSELINUX_MAKE_OPTS) install-pywrap
> >> +
> >> +endif
> >> +
> >
> > I need to build and test this.  This was in the original libselinux
> > patchset and I believe we had issues in swig.
> >
>
> I did a build test but didn't have hardware available to execute.  I
> did verify the libselinux installed correctly to staging and that the
> swig related (selinux.py) item built/installed correctly
> (target/usr/lib/python3.5/site-packages/selinux/).
>
> Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>




-- 
Matthew L Weber / Pr Software Engineer
Airborne Information Systems / Security Systems and Software / Secure Platforms
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
www.rockwellcollins.com

Note: Any Export License Required Information and License Restricted
Third Party Intellectual Property (TPIP) content must be encrypted and
sent to matthew.weber at corp.rockwellcollins.com.


* [Buildroot] [PATCH 1/4] sepolgen: allow compiling for target
  2017-02-02 22:45 [Buildroot] [PATCH 1/4] sepolgen: allow compiling for target Adam Duskett
                   ` (3 preceding siblings ...)
  2017-03-27 19:11 ` [Buildroot] [PATCH 1/4] sepolgen: allow compiling for target Matthew Weber
@ 2017-04-09 13:43 ` Thomas Petazzoni
  4 siblings, 0 replies; 23+ messages in thread
From: Thomas Petazzoni @ 2017-04-09 13:43 UTC (permalink / raw)
  To: buildroot

Hello,

On Thu,  2 Feb 2017 17:45:02 -0500, Adam Duskett wrote:
> Sepolgen is currently a host-only package, however it is a dependency
> of audit2allow.  This patch allows for sepolgen to be compiled for the
> target.
> 
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> ---
>  package/Config.in            |  1 +
>  package/sepolgen/Config.in   |  9 +++++++++
>  package/sepolgen/sepolgen.mk | 19 +++++++++++++++++++
>  3 files changed, 29 insertions(+)
>  create mode 100644 package/sepolgen/Config.in

Applied to master with the following changes:

    [Thomas:
     - fix formatting of Config.in file
     - add missing dependencies inherited from the fact that the package
       selects python3.]

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH 2/4] checkpolicy: allow compiling for target
  2017-02-02 22:45 ` [Buildroot] [PATCH 2/4] checkpolicy: " Adam Duskett
  2017-03-27 17:04   ` Matthew Weber
@ 2017-04-09 13:43   ` Thomas Petazzoni
  1 sibling, 0 replies; 23+ messages in thread
From: Thomas Petazzoni @ 2017-04-09 13:43 UTC (permalink / raw)
  To: buildroot

Hello,

On Thu,  2 Feb 2017 17:45:03 -0500, Adam Duskett wrote:
> checkpolicy is currently a host-only package, however it is a dependency
> of audit2allow.  This patch allows for checkpolicy to be compiled for the
> target.
> 
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> ---
>  package/Config.in                  |  1 +
>  package/checkpolicy/Config.in      | 11 +++++++++++
>  package/checkpolicy/checkpolicy.mk | 23 +++++++++++++++++++++++
>  3 files changed, 35 insertions(+)
>  create mode 100644 package/checkpolicy/Config.in

Applied to master with the following changes:

    [Thomas:
     - remove LIBSELINUX_INSTALL_STAGING = YES, doing it in
       checkpolicy.mk is wrong, and libselinux is already installed to
       staging
     - add "select BR2_PACKAGE_LIBSELINUX" in Config.in, and propagate the
       necessary dependencies
     - add host-flex in dependencies, since it is also needed (in addition
       to target flex).]

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module for target
  2017-02-02 22:45 ` [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module " Adam Duskett
  2017-03-27 17:21   ` Matthew Weber
@ 2017-04-09 13:44   ` Thomas Petazzoni
  2017-04-11 12:40   ` Thomas Petazzoni
  2 siblings, 0 replies; 23+ messages in thread
From: Thomas Petazzoni @ 2017-04-09 13:44 UTC (permalink / raw)
  To: buildroot

Hello,

On Thu,  2 Feb 2017 17:45:04 -0500, Adam Duskett wrote:
> libselinux currently does not compile it's python wrapper module
> for the target.  This is needed for audit2allow to function properly.
> 
> This patch allows for the python wrapper to be built.  The current
> makefile will try to install the python wrapper to the host directory
> unless the PYSITEDIR variable is set.  I wrapped the build of the
> python wrapper in a check for AUDIT2ALLOW because of the extra python
> dependency, as I am sure many users don't want to have to install
> python if they don't have to.
> 
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> ---
>  package/libselinux/libselinux.mk | 32 ++++++++++++++++++++++++++++++++
>  1 file changed, 32 insertions(+)

Applied to master with the following changes:

    [Thomas:
     - Remove useless empty lines, as noted by Matt Weber
     - Move code related to python bindings before builds/install
       commands, since those commands will use variables defined by the
       python bindings logic.
     - Instead of enabling the python bindings when
       BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW is set, enable the python
       bindings when python is available. We generally try to avoid
       looking at options of other packages to decide what to install.
     - Introduce LIBSELINUX_MAKE_TARGETS and
       LIBSELINUX_MAKE_INSTALL_TARGETS variable, in order to avoid
       duplicate the make/make install commands.
     - As suggested by Matt Weber, remove LIBSELINUX_PYTHONLIBDIR
       definitions, and don't pass PYLIBVER and PYTHONLIBDIR in
    MAKE_OPTS.]

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH 4/4] policycoreutils: add option to build audit2allow
  2017-02-02 22:45 ` [Buildroot] [PATCH 4/4] policycoreutils: add option to build audit2allow Adam Duskett
  2017-03-27 17:22   ` Matthew Weber
@ 2017-04-09 13:44   ` Thomas Petazzoni
  1 sibling, 0 replies; 23+ messages in thread
From: Thomas Petazzoni @ 2017-04-09 13:44 UTC (permalink / raw)
  To: buildroot

Hello,

On Thu,  2 Feb 2017 17:45:05 -0500, Adam Duskett wrote:
> This python utility scans the logs for messages logged when the system
> denied permission for operations, and  generates  a snippet of policy
> rules which, if loaded into policy, might have allowed  those operations
> to succeed.  However, this utility only generates Type Enforcement (TE)
> allow rules.
> 
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>

Applied to master with the following changes:

    [Thomas: adjust Config.in to propagate the dependencies of sepolgen,
    checkpolicy and python3.]

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module for target
  2017-02-02 22:45 ` [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module " Adam Duskett
  2017-03-27 17:21   ` Matthew Weber
  2017-04-09 13:44   ` Thomas Petazzoni
@ 2017-04-11 12:40   ` Thomas Petazzoni
  2017-04-12 12:53     ` Matthew Weber
  2 siblings, 1 reply; 23+ messages in thread
From: Thomas Petazzoni @ 2017-04-11 12:40 UTC (permalink / raw)
  To: buildroot

Hello,

On Thu,  2 Feb 2017 17:45:04 -0500, Adam Duskett wrote:
> libselinux currently does not compile it's python wrapper module
> for the target.  This is needed for audit2allow to function properly.
> 
> This patch allows for the python wrapper to be built.  The current
> makefile will try to install the python wrapper to the host directory
> unless the PYSITEDIR variable is set.  I wrapped the build of the
> python wrapper in a check for AUDIT2ALLOW because of the extra python
> dependency, as I am sure many users don't want to have to install
> python if they don't have to.
> 
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> ---
>  package/libselinux/libselinux.mk | 32 ++++++++++++++++++++++++++++++++
>  1 file changed, 32 insertions(+)

This causes some build failures:
http://autobuild.buildroot.net/results/db1/db1e6f3054092fc5576ccab8e04a3b9d74ca9a8c/build-end.log.

Could you have a look ?

Thanks a lot!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module for target
  2017-04-11 12:40   ` Thomas Petazzoni
@ 2017-04-12 12:53     ` Matthew Weber
  2017-04-12 13:54       ` Matthew Weber
  0 siblings, 1 reply; 23+ messages in thread
From: Matthew Weber @ 2017-04-12 12:53 UTC (permalink / raw)
  To: buildroot

Thomas

On Tue, Apr 11, 2017 at 7:40 AM, Thomas Petazzoni <thomas.petazzoni@free-
electrons.com> wrote:

> Hello,
>
> On Thu,  2 Feb 2017 17:45:04 -0500, Adam Duskett wrote:
> > libselinux currently does not compile it's python wrapper module
> > for the target.  This is needed for audit2allow to function properly.
> >
> > This patch allows for the python wrapper to be built.  The current
> > makefile will try to install the python wrapper to the host directory
> > unless the PYSITEDIR variable is set.  I wrapped the build of the
> > python wrapper in a check for AUDIT2ALLOW because of the extra python
> > dependency, as I am sure many users don't want to have to install
> > python if they don't have to.
> >
> > Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> > ---
> >  package/libselinux/libselinux.mk | 32 ++++++++++++++++++++++++++++++++
> >  1 file changed, 32 insertions(+)
>
> This causes some build failures:
> http://autobuild.buildroot.net/results/db1/db1e6f3054092fc55
> 76ccab8e04a3b9d74ca9a8c/build-end.log.
>
> Could you have a look ?
> <http://free-electrons.com>
>

Yep, will take a look this morning.

-Matt


* [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module for target
  2017-04-12 12:53     ` Matthew Weber
@ 2017-04-12 13:54       ` Matthew Weber
  2017-04-12 14:00         ` Matthew Weber
  0 siblings, 1 reply; 23+ messages in thread
From: Matthew Weber @ 2017-04-12 13:54 UTC (permalink / raw)
  To: buildroot

Thomas,

On Wed, Apr 12, 2017 at 7:53 AM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
> Thomas
>
> On Tue, Apr 11, 2017 at 7:40 AM, Thomas Petazzoni
> <thomas.petazzoni@free-electrons.com> wrote:
>>
>> Hello,
>>
>> On Thu,  2 Feb 2017 17:45:04 -0500, Adam Duskett wrote:
>> > libselinux currently does not compile it's python wrapper module
>> > for the target.  This is needed for audit2allow to function properly.
>> >
>> > This patch allows for the python wrapper to be built.  The current
>> > makefile will try to install the python wrapper to the host directory
>> > unless the PYSITEDIR variable is set.  I wrapped the build of the
>> > python wrapper in a check for AUDIT2ALLOW because of the extra python
>> > dependency, as I am sure many users don't want to have to install
>> > python if they don't have to.
>> >
>> > Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
>> > ---
>> >  package/libselinux/libselinux.mk | 32 ++++++++++++++++++++++++++++++++
>> >  1 file changed, 32 insertions(+)
>>
>> This causes some build failures:
>>
>> http://autobuild.buildroot.net/results/db1/db1e6f3054092fc5576ccab8e04a3b9d74ca9a8c/build-end.log.
>>

Oh fun, a new circular dependency.  Any ideas/examples for how this
has been handled in the past? (I'm assuming other python/busybox
cases have come up.)
Recursion detected for  : busybox
which is a dependency of: ncurses
which is a dependency of: python
which is a dependency of: libselinux
which is a dependency of: busybox
make: *** [graph-depends] Error 1


* [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module for target
  2017-04-12 13:54       ` Matthew Weber
@ 2017-04-12 14:00         ` Matthew Weber
  2017-04-12 20:45           ` Matthew Weber
  0 siblings, 1 reply; 23+ messages in thread
From: Matthew Weber @ 2017-04-12 14:00 UTC (permalink / raw)
  To: buildroot

Thomas

On Wed, Apr 12, 2017 at 8:54 AM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
> Thomas,
>
> On Wed, Apr 12, 2017 at 7:53 AM, Matthew Weber
> <matthew.weber@rockwellcollins.com> wrote:
>> Thomas
>>
>> On Tue, Apr 11, 2017 at 7:40 AM, Thomas Petazzoni
>> <thomas.petazzoni@free-electrons.com> wrote:
>>>
>>> Hello,
>>>
>>> On Thu,  2 Feb 2017 17:45:04 -0500, Adam Duskett wrote:
>>> > libselinux currently does not compile it's python wrapper module
>>> > for the target.  This is needed for audit2allow to function properly.
>>> >
>>> > This patch allows for the python wrapper to be built.  The current
>>> > makefile will try to install the python wrapper to the host directory
>>> > unless the PYSITEDIR variable is set.  I wrapped the build of the
>>> > python wrapper in a check for AUDIT2ALLOW because of the extra python
>>> > dependency, as I am sure many users don't want to have to install
>>> > python if they don't have to.
>>> >
>>> > Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
>>> > ---
>>> >  package/libselinux/libselinux.mk | 32 ++++++++++++++++++++++++++++++++
>>> >  1 file changed, 32 insertions(+)
>>>
>>> This causes some build failures:
>>>
>>> http://autobuild.buildroot.net/results/db1/db1e6f3054092fc5576ccab8e04a3b9d74ca9a8c/build-end.log.
>>>
>
> Oh fun, a new circular dependency.  Any ideas/examples for how this
> has been handling in the past? ( I'm assuming other python/busybox
> cases have come up.)
> Recursion detected for  : busybox
> which is a dependency of: ncurses
> which is a dependency of: python
> which is a dependency of: libselinux
> which is a dependency of: busybox
> make: *** [graph-depends] Error 1

Maybe the ncurses ordering dependency can check for python and, if set,
use that as its item to depend on/install after?
<from ncurses.mk>
# Install after busybox for the full-blown versions
ifeq ($(BR2_PACKAGE_BUSYBOX),y)
NCURSES_DEPENDENCIES += busybox
endif

-Matt


* [Buildroot] [PATCH 3/4] libselinux: allow compiling python wrapper module for target
  2017-04-12 14:00         ` Matthew Weber
@ 2017-04-12 20:45           ` Matthew Weber
  0 siblings, 0 replies; 23+ messages in thread
From: Matthew Weber @ 2017-04-12 20:45 UTC (permalink / raw)
  To: buildroot

Thomas,

On Wed, Apr 12, 2017 at 9:00 AM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
>
> Thomas
>
> On Wed, Apr 12, 2017 at 8:54 AM, Matthew Weber
> <matthew.weber@rockwellcollins.com> wrote:
> > Thomas,
> >
> > On Wed, Apr 12, 2017 at 7:53 AM, Matthew Weber
> > <matthew.weber@rockwellcollins.com> wrote:
> >> Thomas
> >>
> >> On Tue, Apr 11, 2017 at 7:40 AM, Thomas Petazzoni
> >> <thomas.petazzoni@free-electrons.com> wrote:
> >>>
> >>> Hello,
> >>>
> >>> On Thu,  2 Feb 2017 17:45:04 -0500, Adam Duskett wrote:
> >>> > libselinux currently does not compile it's python wrapper module
> >>> > for the target.  This is needed for audit2allow to function properly.
> >>> >
> >>> > This patch allows for the python wrapper to be built.  The current
> >>> > makefile will try to install the python wrapper to the host directory
> >>> > unless the PYSITEDIR variable is set.  I wrapped the build of the
> >>> > python wrapper in a check for AUDIT2ALLOW because of the extra python
> >>> > dependency, as I am sure many users don't want to have to install
> >>> > python if they don't have to.
> >>> >
> >>> > Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> >>> > ---
> >>> >  package/libselinux/libselinux.mk | 32 ++++++++++++++++++++++++++++++++
> >>> >  1 file changed, 32 insertions(+)
> >>>
> >>> This causes some build failures:
> >>>
> >>> http://autobuild.buildroot.net/results/db1/db1e6f3054092fc5576ccab8e04a3b9d74ca9a8c/build-end.log.
> >>>
>

Proposing this fix.
https://patchwork.ozlabs.org/patch/750170/
