* [RFC PATCH] newrole: do not rely on hard-coded audith and pamh paths
From: Dominick Grift @ 2020-09-01 11:04 UTC
  To: selinux; +Cc: Dominick Grift

This causes issues with cross-compiling, as the headers might not exist on the host

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
I was attempting to build an OpenWRT image with SELinux when I hit the above. The aforementioned headers did not exist on the host and instead were located in %{buildroot}/usr/lib
I managed to get around this issue by installing the headers on the host.
Eventually I was unable to build the image though as there was some "ld undefined symbol" issue when it tried to compile busybox with SELinux support.
I must have done something wrong.

 policycoreutils/newrole/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
index 73ebd413..f508e242 100644
--- a/policycoreutils/newrole/Makefile
+++ b/policycoreutils/newrole/Makefile
@@ -5,8 +5,8 @@ BINDIR ?= $(PREFIX)/bin
 MANDIR ?= $(PREFIX)/share/man
 ETCDIR ?= /etc
 LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+PAMH ?= y
+AUDITH ?= y
 # Enable capabilities to permit newrole to generate audit records.
 # This will make newrole a setuid root program.
 # The capabilities used are: CAP_AUDIT_WRITE.
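Review bot: Defaulting `PAMH ?= y` and `AUDITH ?= y` on the two added lines drops header detection entirely rather than making it relocatable, so any build where security/pam_appl.h or libaudit.h is absent now selects PAM and audit support by default and the builder has to pass `PAMH=` and `AUDITH=` by hand to get the previous result. Keeping the `test -f` probes and making the directory they look in overridable would fix the cross-compile case without changing the default for everyone else. If the unconditional default is intended, the commit message should say so and state how to turn the two features off.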
-- 
2.28.0



* Re: [RFC PATCH] newrole: do not rely on hard-coded audith and pamh paths
From: Stephen Smalley @ 2020-09-01 15:48 UTC
  To: Dominick Grift; +Cc: SElinux list

On Tue, Sep 1, 2020 at 10:56 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> This causes issues with cross-compiling, as the headers might not exist on the host
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> ---
> I was attempting to build an OpenWRT image with SELinux when I hit the above. The aforementioned headers did not exist on the host and instead were located in %{buildroot}/usr/lib
> I managed to get around this issue by installing the headers on the host.
> Eventually I was unable to build the image though as there was some "ld undefined symbol" issue when it tried to compile busybox with SELinux support.
> I must have done something wrong.
>
>  policycoreutils/newrole/Makefile | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
> index 73ebd413..f508e242 100644
> --- a/policycoreutils/newrole/Makefile
> +++ b/policycoreutils/newrole/Makefile
> @@ -5,8 +5,8 @@ BINDIR ?= $(PREFIX)/bin
>  MANDIR ?= $(PREFIX)/share/man
>  ETCDIR ?= /etc
>  LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
> -PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
> -AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
> +PAMH ?= y
> +AUDITH ?= y

Maybe define an INCLUDEDIR as in some of the other Makefiles and use
it instead of /usr/include, ala:
INCLUDEDIR ?= $(PREFIX)/include
PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)


* [PATCH] newrole: support cross-compilation with PAM and audit
From: Dominick Grift @ 2020-09-01 16:16 UTC
  To: selinux; +Cc: Dominick Grift

Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead, make the header location customizable to accommodate cross-compilation.

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
 policycoreutils/newrole/Makefile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
index 73ebd413..0e7ebce3 100644
--- a/policycoreutils/newrole/Makefile
+++ b/policycoreutils/newrole/Makefile
@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
 MANDIR ?= $(PREFIX)/share/man
 ETCDIR ?= /etc
 LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+INCLUDEDIR ?= $(PREFIX)/include
+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
 # Enable capabilities to permit newrole to generate audit records.
 # This will make newrole a setuid root program.
 # The capabilities used are: CAP_AUDIT_WRITE.
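Review bot: With `INCLUDEDIR ?= $(PREFIX)/include` the probe location now follows PREFIX, so a build with a PREFIX other than /usr stops looking in /usr/include; if the headers are only there, both `test -f` calls print nothing and PAMH and AUDITH end up empty with no message, which means newrole is built without PAM and audit support where it previously had them. That silent change deserves a sentence in the commit message and a comment above INCLUDEDIR telling builders to set INCLUDEDIR (or `PAMH=y AUDITH=y`) explicitly. Separately, INCLUDEDIR is only used for the probes in this hunk; nothing visible here adds it to the compiler's include search path, so a cross build that points INCLUDEDIR at a staging directory still has to supply that directory through its own flags or sysroot.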
-- 
2.28.0



* Re: [PATCH] newrole: support cross-compilation with PAM and audit
From: Stephen Smalley @ 2020-09-03 14:22 UTC
  To: Dominick Grift; +Cc: SElinux list

On Tue, Sep 1, 2020 at 12:17 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead, make the header location customizable to accommodate cross-compilation.
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>


* Re: [PATCH] newrole: support cross-compilation with PAM and audit
From: Stephen Smalley @ 2020-09-08 13:18 UTC
  To: Dominick Grift; +Cc: SElinux list

On Thu, Sep 3, 2020 at 10:22 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Tue, Sep 1, 2020 at 12:17 PM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
> >
> > Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead, make the header location customizable to accommodate cross-compilation.
> >
> > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Applied.
