* [Buildroot] [PATCH 00/29] SELinux Buildroot Additions
@ 2014-12-16  3:53 Matt Weber
  2014-12-16  3:53 ` [Buildroot] [PATCH 01/30] libselinux: new package Matt Weber
                   ` (30 more replies)
  0 siblings, 31 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:53 UTC (permalink / raw)
  To: buildroot

### What's SELinux?

Security-Enhanced Linux (SELinux) is a Linux feature that provides
a variety of security policies, including U.S. Department of Defense
style mandatory access controls (MAC), through the use of Linux
Security Modules (LSM) in the Linux kernel. It is not a Linux
distribution, but rather a set of modifications that can be applied
to Unix-like operating systems, such as Linux and BSD.

Running SELinux under a Linux distribution requires three things:
An SELinux enabled kernel, SELinux Userspace tools and libraries,
and SELinux Policies (mostly based on the Reference Policy). Some
common Linux programs will also need to be patched/compiled with
SELinux features. (Credit Archlinux wiki)

### What's in this patchset?

This patchset adds the required userspace tools, libraries, example
QEMU target, existing package modifications, and initial policy
to Buildroot.
The design approach took a minimalist view to the selinux capability.
The necessary packages have been added but all the ways in which they
could be used (target vs host) are not exposed.  One example is
the audit2allow framework that requires python.  This is currently
set up for "host only use" to post analyze audit service output.  It
could also be set up for target use but it would require the target
to have python and other supporting libs present.
Another aspect that utilized known SELinux capable applications
was for init and logging.  We chose to use sysvinit and rsyslog
instead of the busybox applet version.  This simplified getting
this initial configuration pulled together.  Use of busybox
applications is definitely an area where things could slim down
with more time and testing.
Lastly, the building of libselinux was limited to a set of
architectures and libraries that have been tested.  An area for
future work will be to enable broader use.

Some references to help with the review of this patchset.
Arch and Gentoo implementation and design details:
  https://wiki.archlinux.org/index.php/SELinux
  http://wiki.gentoo.org/wiki/SELinux
  http://wiki.gentoo.org/wiki/SELinux/Installation

### Details of changes from previous patchsets

This is a new round of patches based on the v5 patchset from
last year.  The changes since v5 consist of:
  * The removal of on target policy debugging using audit2allow.
    The host tools have been set up to provide an offline capability
    for analyzing audit output.
  * The example qemu configuration defaults to using full versions
    of applications instead of the busybox applets.  This simplified
    the configuration but as a side effect grew the filesystem size.
    There is definitely opportunity to slim down the approach to
    just using busybox applets (I've still included the patches
    that enable the capability to create individual applets).
  * Added documentation of the qemu target to that target's readme
  * Updated for structural changes (OPTS vs OPT, patch naming,
    improvements to existing packages)
  * Autobuilder was modified to run against our upstreaming
    branch (over 600 tests so far).  It identified the issues
    noted below.

### Known issues:

  * libselinux/libsemanage/setools have been limited to just
    glibc and arm/ppc/x86 archs for now until QEMU targets
    are configured to test against additional configurations.
    * libselinux:
      - error: dlfcn.h: No such file or directory -
        (bfin-buildroot-uclinux-uclibc)
      - #error Sorry... uClibc was built without large file
        support - (powerpc-buildroot-linux-uclibc)
      - /crtbeginT.o: relocation R_MIPS_HI16 against `a local
        symbol' can not be used when making a shared object;
        recompile with -fPIC - (mipsel-buildroot-linux-uclibc)
    * setools:
      - configure: error: SETools requires a C99-compliant
        C compiler to build. - (i486-ctng-linux-uclibc-gcc)
    * shadow:
      - (configure: error: posix_spawn is needed for nscd
        support) (mipsel-ctng-linux-uclibc)

Since Refpolicy is heavily tailored for a project's use, the
package exposed options of using the provided version with
patches or a custom GIT repo. Here's a bit more detail on
those assumptions.
  * Refpolicy as the package defines with default patches
    plus possibly some global patches applied.  Using a default
    modules config file provided in the package folder or
    provided by the user.
  * Refpolicy looking at specific git repo revisions.  Using a
    modules config file from within that git repo.
  * Refpolicy using src override which assumes the same as the
    git repo case for where the modules config file originates.

### What's next:

* Testing out support for using busybox applets instead of
  sysvinit/util-linux/etc.
* Updating the qemu example to use an auto-generated busybox config
  based on package selections and selinux being enabled.
* qemu targets for ARM and PPC



Clayton Shotwell (14):
  libselinux: new package
  ustr: new package
  libsemanage: new package
  checkpolicy: new package
  sepolgen: new package
  sqlite: Add host build support
  setools: new package
  python-pyparsing: Add host build option
  audit: new package
  policycoreutils: new package
  python-pyxml: new package
  refpolicy: new package
  shadow: new package
  qemu_x86_selinux_defconfig: base SELinux QEMU image for x86

Matt Weber (15):
  repolicy: base policy modifications for embedded target
  refpolicy: custom git repo
  busybox: applets as individual binaries
  busybox: selinux support
  busybox: added linux-pam support
  busybox: default selinux config which disables init and uses sysvinit
  linux-pam: selinux support
  sysvinit: added libselinux dependency
  dbus: selinux file context support
  logrotate: selinux support
  openssh: selinux and pam support
  util-linux: selinux, audit, and pam support
  vim: selinux support
  rsyslog: fix config file comment style
  qemu x86 readme: documented selinux target

 board/qemu/x86/busybox-selinux.config              | 1038 ++++++++++++++
 board/qemu/x86/linux-3.12-selinux.config           |   77 ++
 board/qemu/x86/readme.txt                          |   18 +
 configs/qemu_x86_selinux_defconfig                 |   53 +
 package/Config.in                                  |   20 +
 package/Config.in.host                             |    1 +
 .../0001-cross-compile-header-creation-fix.patch   | 1424 ++++++++++++++++++++
 package/audit/0002-remove-zos-plugin.patch         |   35 +
 package/audit/Config.in                            |   14 +
 package/audit/S01auditd                            |  172 +++
 package/audit/audit.mk                             |   57 +
 package/busybox/Config.in                          |   10 +
 ...s-Add-installation-of-individual-binaries.patch |  103 ++
 ...ags-strip-non-l-arguments-returned-by-pkg.patch |   28 +
 package/busybox/busybox.mk                         |   52 +
 package/checkpolicy/Config.in.host                 |   10 +
 package/checkpolicy/checkpolicy.mk                 |   26 +
 package/dbus/S30dbus                               |    4 +
 package/dbus/dbus.mk                               |   14 +
 package/libselinux/Config.in                       |   19 +
 package/libselinux/libselinux.mk                   |   70 +
 .../libsemanage/0001-execption-lib-path-fix.patch  |   14 +
 package/libsemanage/Config.in                      |   30 +
 package/libsemanage/libsemanage.mk                 |   72 +
 .../linux-pam-08-audit-log-acct_message_ret.patch  |   16 +
 package/linux-pam/linux-pam.mk                     |   58 +-
 package/linux-pam/system-auth.pamd                 |   15 +
 package/logrotate/logrotate.mk                     |   11 +-
 package/openssh/openssh.mk                         |   12 +
 .../policycoreutils/0001-cross-compile-fixes.patch |  332 +++++
 package/policycoreutils/Config.in                  |   73 +
 package/policycoreutils/S15restorecond             |   85 ++
 package/policycoreutils/policycoreutils.mk         |  224 +++
 package/python-pyparsing/python-pyparsing.mk       |    1 +
 package/python-pyxml/Config.in                     |   11 +
 package/python-pyxml/python-xml.mk                 |   50 +
 package/refpolicy-contrib/Config.in                |   20 +
 package/refpolicy-contrib/refpolicy-contrib.mk     |   19 +
 package/refpolicy/0001-gentoo-hardened-fixes.patch | 1250 +++++++++++++++++
 package/refpolicy/0002-baseDirectoryChanges.patch  |   39 +
 package/refpolicy/0003-filesChanges.patch          |   69 +
 package/refpolicy/0004-initChanges.patch           |   20 +
 package/refpolicy/0005-selinuxutilChanges.patch    |  103 ++
 package/refpolicy/0006-sshChanges.patch            |   22 +
 package/refpolicy/0007-loggingChanges.patch        |   87 ++
 package/refpolicy/0008-mountChanges.patch          |   11 +
 package/refpolicy/0009-sysadmChanges.patch         |   24 +
 package/refpolicy/0010-authloginChanges.patch      |   14 +
 package/refpolicy/0011-localloginChanges.patch     |   20 +
 package/refpolicy/0012-udevChanges.patch           |   21 +
 package/refpolicy/0013-netutilsChanges.patch       |   20 +
 package/refpolicy/0014-devicesChanges.patch        |   55 +
 package/refpolicy/0015-awk-fix.patch               |   37 +
 .../refpolicy/0016-enablePolyinstantiation.patch   |   11 +
 package/refpolicy/Config.in                        |   94 ++
 package/refpolicy/S12selinux                       |  137 ++
 package/refpolicy/config                           |    8 +
 package/refpolicy/modules.conf                     |  406 ++++++
 package/refpolicy/refpolicy.mk                     |  109 ++
 package/rsyslog/rsyslog.mk                         |    4 +
 package/sepolgen/Config.in                         |   15 +
 package/sepolgen/sepolgen.mk                       |   25 +
 package/setools/0001-cross-compile-fixes.patch     |  121 ++
 .../setools/0002-swig-typedef-python-fixes.patch   | 1014 ++++++++++++++
 package/setools/Config.in                          |   23 +
 package/setools/setools.mk                         |   69 +
 package/shadow/Config.in                           |   13 +
 package/shadow/shadow.mk                           |   50 +
 package/sqlite/sqlite.mk                           |    1 +
 .../sysvinit-0010-fix-WITH-SELINUX-define.patch    |   24 +
 package/sysvinit/sysvinit.mk                       |   11 +-
 .../ustr/0001-cross-compile-modifications.patch    |  144 ++
 package/ustr/Config.in                             |   11 +
 package/ustr/ustr.mk                               |   48 +
 package/util-linux/util-linux.mk                   |   21 +
 package/vim/vim.mk                                 |    7 +
 76 files changed, 8443 insertions(+), 3 deletions(-)
 create mode 100644 board/qemu/x86/busybox-selinux.config
 create mode 100644 board/qemu/x86/linux-3.12-selinux.config
 create mode 100644 configs/qemu_x86_selinux_defconfig
 create mode 100644 package/audit/0001-cross-compile-header-creation-fix.patch
 create mode 100644 package/audit/0002-remove-zos-plugin.patch
 create mode 100644 package/audit/Config.in
 create mode 100644 package/audit/S01auditd
 create mode 100644 package/audit/audit.mk
 create mode 100644 package/busybox/busybox-0007-applets-Add-installation-of-individual-binaries.patch
 create mode 100644 package/busybox/busybox-0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
 create mode 100644 package/checkpolicy/Config.in.host
 create mode 100644 package/checkpolicy/checkpolicy.mk
 mode change 100755 => 100644 package/dbus/S30dbus
 create mode 100644 package/libselinux/Config.in
 create mode 100644 package/libselinux/libselinux.mk
 create mode 100644 package/libsemanage/0001-execption-lib-path-fix.patch
 create mode 100644 package/libsemanage/Config.in
 create mode 100644 package/libsemanage/libsemanage.mk
 create mode 100644 package/linux-pam/linux-pam-08-audit-log-acct_message_ret.patch
 create mode 100644 package/linux-pam/system-auth.pamd
 create mode 100644 package/policycoreutils/0001-cross-compile-fixes.patch
 create mode 100644 package/policycoreutils/Config.in
 create mode 100644 package/policycoreutils/S15restorecond
 create mode 100644 package/policycoreutils/policycoreutils.mk
 create mode 100644 package/python-pyxml/Config.in
 create mode 100644 package/python-pyxml/python-xml.mk
 create mode 100644 package/refpolicy-contrib/Config.in
 create mode 100644 package/refpolicy-contrib/refpolicy-contrib.mk
 create mode 100644 package/refpolicy/0001-gentoo-hardened-fixes.patch
 create mode 100644 package/refpolicy/0002-baseDirectoryChanges.patch
 create mode 100644 package/refpolicy/0003-filesChanges.patch
 create mode 100644 package/refpolicy/0004-initChanges.patch
 create mode 100644 package/refpolicy/0005-selinuxutilChanges.patch
 create mode 100644 package/refpolicy/0006-sshChanges.patch
 create mode 100644 package/refpolicy/0007-loggingChanges.patch
 create mode 100644 package/refpolicy/0008-mountChanges.patch
 create mode 100644 package/refpolicy/0009-sysadmChanges.patch
 create mode 100644 package/refpolicy/0010-authloginChanges.patch
 create mode 100644 package/refpolicy/0011-localloginChanges.patch
 create mode 100644 package/refpolicy/0012-udevChanges.patch
 create mode 100644 package/refpolicy/0013-netutilsChanges.patch
 create mode 100644 package/refpolicy/0014-devicesChanges.patch
 create mode 100644 package/refpolicy/0015-awk-fix.patch
 create mode 100644 package/refpolicy/0016-enablePolyinstantiation.patch
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S12selinux
 create mode 100644 package/refpolicy/config
 create mode 100644 package/refpolicy/modules.conf
 create mode 100644 package/refpolicy/refpolicy.mk
 create mode 100644 package/sepolgen/Config.in
 create mode 100644 package/sepolgen/sepolgen.mk
 create mode 100644 package/setools/0001-cross-compile-fixes.patch
 create mode 100644 package/setools/0002-swig-typedef-python-fixes.patch
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools.mk
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.mk
 create mode 100644 package/sysvinit/sysvinit-0010-fix-WITH-SELINUX-define.patch
 create mode 100644 package/ustr/0001-cross-compile-modifications.patch
 create mode 100644 package/ustr/Config.in
 create mode 100644 package/ustr/ustr.mk

-- 
1.9.1


* [Buildroot] [PATCH 01/30] libselinux: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
@ 2014-12-16  3:53 ` Matt Weber
  2015-01-01 19:45   ` Thomas Petazzoni
  2014-12-16  3:53 ` [Buildroot] [PATCH 02/30] ustr: " Matt Weber
                   ` (29 subsequent siblings)
  30 siblings, 1 reply; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:53 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/Config.in                |  1 +
 package/libselinux/Config.in     | 25 ++++++++++++++
 package/libselinux/libselinux.mk | 70 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 96 insertions(+)
 create mode 100644 package/libselinux/Config.in
 create mode 100644 package/libselinux/libselinux.mk

diff --git a/package/Config.in b/package/Config.in
index f41e332..0944542 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -936,6 +936,7 @@ menu "Other"
 endmenu
 
 menu "Security"
+	source "package/libselinux/Config.in"
 	source "package/libsepol/Config.in"
 endmenu
 
diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
new file mode 100644
index 0000000..239f31e
--- /dev/null
+++ b/package/libselinux/Config.in
@@ -0,0 +1,25 @@
+config BR2_PACKAGE_LIBSELINUX
+	bool "libselinux"
+	select BR2_PACKAGE_LIBSEPOL
+	select BR2_PACKAGE_PCRE
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	# No direct limitation to build other arch or libc(s).
+	# Limiting based on qemu tested arch(s).
+	depends on BR2_powerpc || BR2_powerpc64 || \
+		BR2_i386 || BR2_x86_64 || BR2_arm
+	depends on BR2_TOOLCHAIN_USES_GLIBC # UCLIBC needs testing
+
+	help
+	  libselinux is the runtime SELinux library that provides
+	  interfaces (e.g. library functions for the SELinux kernel
+	  APIs like getcon(), other support functions like
+	  getseuserbyname()) to SELinux-aware applications. libselinux
+	  may use the shared libsepol to manipulate the binary policy
+	  if necessary (e.g. to downgrade the policy format to an
+	  older version supported by the kernel) when loading policy.
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "libselinux needs a toolchain w/ largefile, threads"
+        depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
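Review bot: The trailing comment is shown only for `!BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE`, but BR2_PACKAGE_LIBSELINUX also depends on BR2_TOOLCHAIN_USES_GLIBC and on a fixed architecture list, so a uClibc user gets no hint about why the option is missing, and a user on an unsupported architecture can see a comment that enabling threads and largefile will not satisfy. Mention glibc in the comment text, add `|| !BR2_TOOLCHAIN_USES_GLIBC` to its condition, and gate the comment on the same architecture list as the option. The comment's `depends on` line is indented with spaces where the rest of the file uses a tab, and the blank line before `help` can be dropped.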
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
new file mode 100644
index 0000000..9e2b438
--- /dev/null
+++ b/package/libselinux/libselinux.mk
@@ -0,0 +1,70 @@
+################################################################################
+#
+# libselinux
+#
+################################################################################
+
+LIBSELINUX_VERSION = 2.1.13
+LIBSELINUX_SITE = http://userspace.selinuxproject.org/releases/20130423/
+LIBSELINUX_LICENSE = PublicDomain
+LIBSELINUX_LICENSE_FILES = LICENSE
+
+LIBSELINUX_DEPENDENCIES = libsepol pcre
+
+LIBSELINUX_INSTALL_STAGING = YES
+
+LIBSELINUX_MAKE_OPTS = \
+	$(TARGET_CONFIGURE_OPTS) \
+	LDFLAGS="$(TARGET_LDFLAGS) -lpcre -lpthread"
+
+define LIBSELINUX_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all
+endef
+
+define LIBSELINUX_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSELINUX_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+	# Create the selinuxfs mount point
+	if [ ! -d "$(TARGET_DIR)/selinux" ]; then mkdir $(TARGET_DIR)/selinux; fi
+	if ! grep -q "selinuxfs" $(TARGET_DIR)/etc/fstab; then \
+		echo "none /selinux selinuxfs noauto 0 0" >> $(TARGET_DIR)/etc/fstab ; fi
+endef
+
+HOST_LIBSELINUX_DEPENDENCIES = host-libsepol host-pcre host-python host-swig
+
+HOST_LIBSELINUX_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+	LDFLAGS="$(HOST_LDFLAGS) -lpcre -lpthread" \
+	PYINC="-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+define HOST_LIBSELINUX_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and
+	# header paths.
+	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_OPTS) DESTDIR=$(HOST_DIR) all
+	# Generate python interface wrapper
+	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_OPTS) DESTDIR=$(HOST_DIR) swigify pywrap
+endef
+
+define HOST_LIBSELINUX_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_LIBSELINUX_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+	mv $(HOST_DIR)/lib/libselinux.so.1 $(HOST_DIR)/usr/lib
+	(cd $(HOST_DIR)/usr/lib; rm -f libselinux.so; \
+		ln -s libselinux.so.1 libselinux.so)
+	-rmdir $(HOST_DIR)/lib
+	(if [ -f $(HOST_DIR)/sbin/matchpathcon ]; then \
+		mv $(HOST_DIR)/sbin/matchpathcon $(HOST_DIR)/usr/sbin/; \
+		-rmdir $(HOST_DIR)/sbin; \
+	fi)
+	# Install python interface wrapper
+	$(MAKE) -C $(@D) install-pywrap $(HOST_LIBSELINUX_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
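Review bot: In HOST_LIBSELINUX_INSTALL_CMDS, `-rmdir $(HOST_DIR)/sbin;` sits inside the parenthesised shell `if`, where the leading `-` is not make's ignore-errors prefix but part of the command name, so when matchpathcon exists the shell tries to run a program called `-rmdir` and the recipe line returns a failure. Use `rmdir $(HOST_DIR)/sbin || true` inside the `if`, or move the `-rmdir` to its own recipe line. Separately, LIBSELINUX_SITE is plain `http://` and the diffstat for this patch adds no hash file, so the tarball of a security library is fetched without an integrity check; please add a `libselinux.hash`. The install step also appends to `$(TARGET_DIR)/etc/fstab`, a file this package does not own, and `mkdir -p $(TARGET_DIR)/selinux` would replace the `if [ ! -d ... ]` test.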
-- 
1.9.1


* [Buildroot] [PATCH 02/30] ustr: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
  2014-12-16  3:53 ` [Buildroot] [PATCH 01/30] libselinux: new package Matt Weber
@ 2014-12-16  3:53 ` Matt Weber
  2015-01-01 20:10   ` Thomas Petazzoni
  2014-12-16  3:53 ` [Buildroot] [PATCH 03/30] libsemanage: " Matt Weber
                   ` (28 subsequent siblings)
  30 siblings, 1 reply; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:53 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/Config.in                                  |   1 +
 .../ustr/0001-cross-compile-modifications.patch    | 144 +++++++++++++++++++++
 package/ustr/Config.in                             |  11 ++
 package/ustr/ustr.mk                               |  48 +++++++
 4 files changed, 204 insertions(+)
 create mode 100644 package/ustr/0001-cross-compile-modifications.patch
 create mode 100644 package/ustr/Config.in
 create mode 100644 package/ustr/ustr.mk

diff --git a/package/Config.in b/package/Config.in
index 0944542..10a3409 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -957,6 +957,7 @@ menu "Text and terminal handling"
 	source "package/readline/Config.in"
 	source "package/slang/Config.in"
 	source "package/tclap/Config.in"
+	source "package/ustr/Config.in"
 endmenu
 
 endmenu
diff --git a/package/ustr/0001-cross-compile-modifications.patch b/package/ustr/0001-cross-compile-modifications.patch
new file mode 100644
index 0000000..cdf17c5
--- /dev/null
+++ b/package/ustr/0001-cross-compile-modifications.patch
@@ -0,0 +1,144 @@
+Changes are to allow ustr verion 1.0.4 to cross compile in buildroot.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/ustr-compiler.h b/ustr-compiler.h
+--- a/ustr-compiler.h	2008-02-15 14:12:28.000000000 -0600
++++ b/ustr-compiler.h	2012-06-15 11:04:55.000000000 -0500
+@@ -13,10 +13,10 @@
+ 
+ /* We assume this is enough,
+  * C99 specifies that va_copy() exists and is a macro */
+-#ifdef va_copy
++#if defined va_copy
+ # define USTR_CONF_HAVE_VA_COPY 1
+ # define USTR__VA_COPY(x, y)   va_copy(x, y)
+-#elif __va_copy
++#elif defined __va_copy
+ # define USTR_CONF_HAVE_VA_COPY 1
+ # define USTR__VA_COPY(x, y) __va_copy(x, y)
+ #else
+diff -urN a/Makefile b/Makefile
+--- a/Makefile	2008-03-05 21:38:00.000000000 -0600
++++ b/Makefile	2013-09-10 16:54:45.916874387 -0500
+@@ -8,8 +8,8 @@
+ VERS_ESONAME =1
+ VERS_ESO     =$(VERS_ESONAME).0.4
+ 
+-DESTDIR =
+-prefix=/usr
++DESTDIR ?= 
++prefix ?= /usr
+ datadir=$(prefix)/share
+ libdir=$(prefix)/lib
+ libexecdir=$(prefix)/libexec
+@@ -18,7 +18,7 @@
+ SHRDIR=$(datadir)/ustr-$(VERS_FULL)
+ DOCSHRDIR=$(datadir)/doc/ustr-devel-$(VERS_FULL)
+ EXAMDIR=$(SHRDIR)/examples
+-mandir=$(datadir)/doc/man
++mandir=$(datadir)/man
+ MBINDIR=$(libexecdir)/ustr-$(VERS_FULL)
+ 
+ ###############################################################################
+@@ -28,12 +28,12 @@
+ ###############################################################################
+ HIDE=@
+ 
+-CC = cc
+-AR = ar
+-RANLIB = ranlib
+-LDCONFIG = /sbin/ldconfig
++CC ?= cc
++AR ?= ar
++RANLIB ?= ranlib
+ 
+-CFLAGS  = -O2 -g
++CFLAGS ?= -O2 -g
++LDFLAGS ?= 
+ 
+ # Debug versions...
+ WARNS = -W -Wall -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Wno-format-zero-length -Wformat-nonliteral -Wformat-security # -Wfloat-equal -- no floats
+@@ -376,7 +376,7 @@
+ all-shared: all $(LIB_SHARED)
+ 		$(HIDE)echo Done shared
+ 
+-install: all-shared ustr.pc ustr-debug.pc
++install: all ustr.pc ustr-debug.pc
+ 		$(HIDE)echo Making directories
+ 		install -d $(DESTDIR)$(libdir)
+ 		install -d $(DESTDIR)$(includedir)
+@@ -389,16 +389,6 @@
+ 		install -d $(DESTDIR)$(libdir)/pkgconfig
+ 		$(HIDE)echo Installing files
+ 		install -m 644 -t $(DESTDIR)$(libdir) $(LIB_STATIC)
+-		install -m 755 -t $(DESTDIR)$(libdir) $(LIB_SHARED)
+-		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
+-		ln -s $(OPT_LIB_SHARED) $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
+-		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
+-		ln -s $(OPT_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
+-		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
+-		ln -s $(DBG_LIB_SHARED) $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
+-		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
+-		ln -s $(DBG_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
+-		$(LDCONFIG) -n $(DESTDIR)$(libdir)
+ 		install -pm 644 -t $(DESTDIR)$(includedir) $(SRC_HDRS)
+ 		install -pm 644 -t $(DESTDIR)$(SHRDIR) $(SRC_SRCS)
+ 		install -pm 644 -t $(DESTDIR)$(SHRDIR) $(XSRC_SRCS)
+@@ -409,13 +399,24 @@
+ 		install -m 755 -t $(DESTDIR)$(bindir) ustr-import
+ 		install -pm 644 -t $(DESTDIR)$(libdir)/pkgconfig ustr.pc ustr-debug.pc
+ 
++install-shared: all-shared install
++		$(HIDE)echo Installing files
++		install -m 755 -t $(DESTDIR)$(libdir) $(LIB_SHARED)
++		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
++		ln -s $(OPT_LIB_SHARED) $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
++		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
++		ln -s $(OPT_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
++		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
++		ln -s $(DBG_LIB_SHARED) $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
++		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
++		ln -s $(DBG_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
++
+ ustr-import-multilib: ustr-import-multilib.in
+ 		sed -e 's, at INCLUDEDIR@,$(includedir),g' -e 's, at MBINDIR@,$(MBINDIR),g' < $< > $@
+ 
+ install-multilib-linux: install autoconf_64b ustr-import-multilib
+ 		install -d $(DESTDIR)$(MBINDIR)
+-		$(HIDE)mlib=`./autoconf_64b`; \
+-                   if test "x$$mlib" = "x1"; then mlib=64; else mlib=32; fi; \
++		$(HIDE))if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then mlib=64; else mlib=32; fi; \
+                    mv -f $(DESTDIR)$(includedir)/ustr-conf-debug.h \
+                          $(DESTDIR)$(includedir)/ustr-conf-debug-$$mlib.h; \
+                    mv -f $(DESTDIR)$(includedir)/ustr-conf.h \
+@@ -451,7 +452,8 @@
+ 
+ ustr-import: ustr-import.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+-		$(HIDE)sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++		$(HIDE)if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++		if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+ 		sed -e 's, at INCLUDEDIR@,$(includedir),g' -e 's, at SHRDIR@,$(SHRDIR),g' -e 's, at VERS@,$(VERS),g'  -e 's, at VERS_FULL@,$(VERS_FULL),g' -e "s, at HAVE_64bit_SIZE_MAX@,$$sz64,g" -e "s, at HAVE_RETARDED_VSNPRINTF@,$$vsnp,g" < $< > $@
+ 		$(HIDE)chmod 755 $@
+ 
+@@ -485,7 +487,8 @@
+ ustr-conf.h: ustr-conf.h.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+ 		$(HIDE)have_stdint_h=0; dbg1=0; dbg2=0; \
+-                sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++                if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++                if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+                 if test -f "/usr/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(prefix)/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(includedir)/stdint.h"; then have_stdint_h=1; fi; \
+@@ -494,7 +497,8 @@
+ ustr-conf-debug.h: ustr-conf.h.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+ 		$(HIDE)have_stdint_h=0; dbg1=1; dbg2=1; \
+-                sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++                if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++                if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+                 if test -f "/usr/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(prefix)/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(includedir)/stdint.h"; then have_stdint_h=1; fi; \
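Review bot: The new install-multilib-linux recipe line begins `$(HIDE))if test ...`, and the extra `)` after `$(HIDE)` makes that line a shell syntax error; it should read `$(HIDE)if test ...` like the other three rewritten rules. The replacement for the vsnprintf probe still runs `./autoconf_vsnprintf` on the build machine; if that helper was built with the cross `$(CC)` it cannot execute, the backtick output is empty, and the `else` branch silently sets `vsnp=1`. Either pass the value in from the package makefile or state in the patch description that this fallback is intended. In the description, `Signed-off-by Clayton Shotwell` is missing its colon and `verion` should be `version`.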
diff --git a/package/ustr/Config.in b/package/ustr/Config.in
new file mode 100644
index 0000000..0aa2251
--- /dev/null
+++ b/package/ustr/Config.in
@@ -0,0 +1,11 @@
+config BR2_PACKAGE_USTR
+	bool "ustr"
+	depends on BR2_LARGEFILE
+	help
+	  A small, safe string library.
+	  
+	  http://www.and.org/ustr/
+
+comment "ustr requires a toolchain with large file support"
+	depends on !BR2_LARGEFILE
+
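Review bot: Style only, in the new package/ustr/Config.in: the separator line inside the help text carries whitespace and should be empty, and the file ends with a blank line after the comment's `depends on !BR2_LARGEFILE` that should be removed.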
diff --git a/package/ustr/ustr.mk b/package/ustr/ustr.mk
new file mode 100644
index 0000000..6610b49
--- /dev/null
+++ b/package/ustr/ustr.mk
@@ -0,0 +1,48 @@
+################################################################################
+#
+# ustr
+#
+################################################################################
+
+USTR_VERSION = 1.0.4
+USTR_SOURCE = ustr-$(USTR_VERSION).tar.bz2
+USTR_SITE = http://www.and.org/ustr/$(USTR_VERSION)/
+USTR_LICENSE = BSD-2c MIT LGPLv2+
+USTR_LICENSE_FILES = LICENCE LICENSE_BSD LICENSE_LGPL LICENSE_MIT
+
+USTR_INSTALL_STAGING = YES
+
+ifeq ($(BR2_PREFER_STATIC_LIB),y)
+	USTR_BUILD_CMD = all
+	USTR_INSTALL_CMD = install
+else
+	USTR_BUILD_CMD = all all-shared
+	USTR_INSTALL_CMD = install install-shared
+endif
+
+define USTR_BUILD_CMDS
+	$(MAKE) -C $(@D) $(USTR_BUILD_CMD) $(TARGET_CONFIGURE_OPTS)
+endef
+
+define USTR_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR=$(STAGING_DIR)
+endef
+
+define USTR_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR=$(TARGET_DIR)
+	$(RM) -r $(TARGET_DIR)/usr/share/ustr-$(USTR_VERSION)
+endef
+
+define HOST_USTR_BUILD_CMDS
+	$(MAKE) -C $(@D) $(USTR_BUILD_CMD) $(HOST_CONFIGURE_OPTS)
+endef
+
+define HOST_USTR_INSTALL_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(HOST_CONFIGURE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
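Review bot: HOST_USTR_BUILD_CMDS and HOST_USTR_INSTALL_CMDS reuse USTR_BUILD_CMD and USTR_INSTALL_CMD, which are chosen from BR2_PREFER_STATIC_LIB, a target setting, so a static target configuration also drops the shared library from the host build. Give the host variant its own fixed make targets (for example `all all-shared` and `install install-shared`) instead of sharing the target's. USTR_SITE is plain `http://` and this patch's diffstat adds no hash file, so please add a `ustr.hash`; the assignments inside the `ifeq` block should also not be tab-indented.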
-- 
1.9.1


* [Buildroot] [PATCH 03/30] libsemanage: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
  2014-12-16  3:53 ` [Buildroot] [PATCH 01/30] libselinux: new package Matt Weber
  2014-12-16  3:53 ` [Buildroot] [PATCH 02/30] ustr: " Matt Weber
@ 2014-12-16  3:53 ` Matt Weber
  2015-01-01 21:43   ` Thomas Petazzoni
  2014-12-16  3:53 ` [Buildroot] [PATCH 04/30] checkpolicy: " Matt Weber
                   ` (27 subsequent siblings)
  30 siblings, 1 reply; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:53 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/Config.in                                  |  1 +
 .../libsemanage/0001-execption-lib-path-fix.patch  | 14 +++++
 package/libsemanage/Config.in                      | 30 +++++++++
 package/libsemanage/libsemanage.mk                 | 72 ++++++++++++++++++++++
 4 files changed, 117 insertions(+)
 create mode 100644 package/libsemanage/0001-execption-lib-path-fix.patch
 create mode 100644 package/libsemanage/Config.in
 create mode 100644 package/libsemanage/libsemanage.mk

diff --git a/package/Config.in b/package/Config.in
index 10a3409..a325cba 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -937,6 +937,7 @@ endmenu
 
 menu "Security"
 	source "package/libselinux/Config.in"
+	source "package/libsemanage/Config.in"
 	source "package/libsepol/Config.in"
 endmenu
 
diff --git a/package/libsemanage/0001-execption-lib-path-fix.patch b/package/libsemanage/0001-execption-lib-path-fix.patch
new file mode 100644
index 0000000..cbcbea5
--- /dev/null
+++ b/package/libsemanage/0001-execption-lib-path-fix.patch
@@ -0,0 +1,14 @@
+Patch to correct a missing header file issue.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+--- a/src/exception.sh	2011-12-21 11:46:04.000000000 -0600
++++ b/src/exception.sh	2012-08-27 11:29:58.000000000 -0500
+@@ -9,6 +9,6 @@
+ }
+ "
+ }
+-gcc -x c -c - -aux-info temp.aux < ../include/semanage/semanage.h
++gcc -x c -c - -aux-info temp.aux -I../include < ../include/semanage/semanage.h
+ for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; done
+ rm -f -- temp.aux -.o
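Review bot: the changed line in src/exception.sh still hard-codes `gcc`, so in a cross build the host compiler parses semanage.h with only `-I../include` added; if that is intended because the output is just the `-aux-info` prototype list, say so in the patch description, otherwise use the compiler the build passes in. The description says "missing header file issue" without naming the header that is not found. The `Signed-off-by Clayton Shotwell` line inside the patch is missing its colon, and the file name 0001-execption-lib-path-fix.patch misspells "exception".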
diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
new file mode 100644
index 0000000..e4013cd
--- /dev/null
+++ b/package/libsemanage/Config.in
@@ -0,0 +1,30 @@
+config BR2_PACKAGE_LIBSEMANAGE
+	bool "libsemanage"
+	select BR2_PACKAGE_LIBSELINUX
+	select BR2_PACKAGE_USTR
+	select BR2_PACKAGE_BZIP2
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	help
+	  libsemanage is the policy management library. It uses
+	  libsepol for binary policy manipulation and libselinux for
+	  interacting with the SELinux system. It also exec's helper
+	  programs for loading policy and for checking whether the
+	  file_contexts configuration is valid (load_policy and
+	  setfiles from policycoreutils) presently, although this may
+	  change@least for the bootstrapping case (for rpm).
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "libsemanage needs a toolchain w/ largefile, threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
+
+if BR2_PACKAGE_LIBSEMANAGE
+
+config BR2_PACKAGE_LIBSEMANAGE_PYTHON_BINDINGS
+	select BR2_PACKAGE_PYTHON
+	bool "python bindings"
+	help
+	  enable building python bindings
+
+endif
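Review bot: `BR2_PACKAGE_LIBSEMANAGE_PYTHON_BINDINGS` does `select BR2_PACKAGE_PYTHON` without carrying python's own dependencies, and a select does not enforce them; the sepolgen Config.in later in this series lists them as `depends on BR2_USE_WCHAR # python` and `depends on BR2_USE_MMU # python`. Add those two lines and a matching comment for the bindings option, and put `bool "python bindings"` before the `select`. In the main help text, `change@least` looks like a mangled "change at least".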
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
new file mode 100644
index 0000000..55e5705
--- /dev/null
+++ b/package/libsemanage/libsemanage.mk
@@ -0,0 +1,72 @@
+################################################################################
+#
+# libsemanage
+#
+################################################################################
+
+LIBSEMANAGE_VERSION = 2.1.10
+LIBSEMANAGE_SITE = http://userspace.selinuxproject.org/releases/20130423/
+LIBSEPOL_LICENSE = LGPLv2.1+
+LIBSEPOL_LICENSE_FILES = COPYING
+
+LIBSEMANAGE_DEPENDENCIES = host-bison host-flex libselinux ustr bzip2
+
+LIBSEMANAGE_INSTALL_STAGING = YES
+
+LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
+
+ifeq ($(BR2_PACKAGE_LIBSEMANAGE_PYTHON_BINDINGS),y)
+
+LIBSEMANAGE_DEPENDENCIES += python host-swig host-python
+LIBSEMANAGE_MAKE_OPTS += \
+	PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+define LIBSEMANAGE_PYTHON_BUILD_CMDS
+	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) swigify pywrap
+endef
+
+define LIBSEMANAGE_PYTHON_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSEMANAGE_PYTHON_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+endef
+
+endif # End of BR2_PACKAGE_PYTHON
+
+define LIBSEMANAGE_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all
+	$(LIBSEMANAGE_PYTHON_BUILD_CMDS)
+endef
+
+define LIBSEMANAGE_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+	$(LIBSEMANAGE_PYTHON_INSTALL_STAGING_CMDS)
+endef
+
+define LIBSEMANAGE_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+	$(LIBSEMANAGE_PYTHON_INSTALL_TARGET_CMDS)
+endef
+
+HOST_LIBSEMANAGE_DEPENDENCIES = host-bison host-libsepol \
+	host-libselinux host-ustr host-bzip2
+
+define HOST_LIBSEMANAGE_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) all $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_LIBSEMANAGE_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
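Review bot: the license variables in libsemanage.mk are named `LIBSEPOL_LICENSE` and `LIBSEPOL_LICENSE_FILES`, so libsemanage gets no license information of its own and the assignments collide with libsepol's variables; they should be `LIBSEMANAGE_LICENSE` and `LIBSEMANAGE_LICENSE_FILES`. `HOST_LIBSEMANAGE_DEPENDENCIES` names host-libsepol while `LIBSEMANAGE_DEPENDENCIES` leaves libsepol implicit, which is worth making consistent. The `endif # End of BR2_PACKAGE_PYTHON` comment does not match the `ifeq` on `BR2_PACKAGE_LIBSEMANAGE_PYTHON_BINDINGS`, and both `# DESTDIR is needed during the compile to compute library and ` comment lines end in trailing whitespace.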
-- 
1.9.1


* [Buildroot] [PATCH 04/30] checkpolicy: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (2 preceding siblings ...)
  2014-12-16  3:53 ` [Buildroot] [PATCH 03/30] libsemanage: " Matt Weber
@ 2014-12-16  3:53 ` Matt Weber
  2014-12-16  3:53 ` [Buildroot] [PATCH 05/30] sepolgen: " Matt Weber
                   ` (26 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:53 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/Config.in.host             |  1 +
 package/checkpolicy/Config.in.host | 10 ++++++++++
 package/checkpolicy/checkpolicy.mk | 26 ++++++++++++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 package/checkpolicy/Config.in.host
 create mode 100644 package/checkpolicy/checkpolicy.mk

diff --git a/package/Config.in.host b/package/Config.in.host
index 0b7bc36..af25e12 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -1,5 +1,6 @@
 menu "Host utilities"
 
+	source "package/checkpolicy/Config.in.host"
 	source "package/cramfs/Config.in.host"
 	source "package/dfu-util/Config.in.host"
 	source "package/dos2unix/Config.in.host"
diff --git a/package/checkpolicy/Config.in.host b/package/checkpolicy/Config.in.host
new file mode 100644
index 0000000..75794be
--- /dev/null
+++ b/package/checkpolicy/Config.in.host
@@ -0,0 +1,10 @@
+config BR2_PACKAGE_HOST_CHECKPOLICY
+	bool "host checkpolicy"
+	help
+	  checkpolicy is the policy compiler. It uses libsepol to 
+	  generate the binary policy. checkpolicy uses the static 
+	  libsepol since it deals with low level details of the policy 
+	  that have not been encapsulated/abstracted by a proper 
+	  shared library interface. 
+	  
+	  http://selinuxproject.org/page/Main_Page
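Review bot: the help text lines in the new Config.in.host end in trailing whitespace, and the separator line before the URL contains only whitespace; strip both so the file is clean.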
diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
new file mode 100644
index 0000000..0d91794
--- /dev/null
+++ b/package/checkpolicy/checkpolicy.mk
@@ -0,0 +1,26 @@
+################################################################################
+#
+# checkpolicy
+#
+################################################################################
+
+CHECKPOLICY_VERSION = 2.1.12
+CHECKPOLICY_SITE = http://userspace.selinuxproject.org/releases/20130423/
+CHECKPOLICY_LICENSE = GPLv2
+CHECKPOLICY_LICENSE_FILES = COPYING
+
+HOST_CHECKPOLICY_DEPENDENCIES = host-libselinux host-flex host-bison
+
+HOST_CHECKPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+	LEX="$(HOST_DIR)/usr/bin/flex" \
+	YACC="$(HOST_DIR)/usr/bin/bison -y"
+
+define HOST_CHECKPOLICY_BUILD_CMDS
+	$(MAKE) -C $(@D) $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_CHECKPOLICY_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(host-generic-package))
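Review bot: `HOST_CHECKPOLICY_DEPENDENCIES` lists host-libselinux, host-flex and host-bison but not host-libsepol, although the help text added in this same patch says checkpolicy uses the static libsepol; list host-libsepol explicitly rather than relying on another package to pull it in. `HOST_CHECKPOLICY_BUILD_CMDS` also passes `DESTDIR=$(HOST_DIR)` at build time with no explanation; libsemanage.mk carries a comment for the same construct, and one belongs here too.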
-- 
1.9.1


* [Buildroot] [PATCH 05/30] sepolgen: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (3 preceding siblings ...)
  2014-12-16  3:53 ` [Buildroot] [PATCH 04/30] checkpolicy: " Matt Weber
@ 2014-12-16  3:53 ` Matt Weber
  2014-12-16  3:53 ` [Buildroot] [PATCH 06/30] sqlite: Add host build support Matt Weber
                   ` (25 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:53 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/Config.in            |  4 ++++
 package/sepolgen/Config.in   | 15 +++++++++++++++
 package/sepolgen/sepolgen.mk | 25 +++++++++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 package/sepolgen/Config.in
 create mode 100644 package/sepolgen/sepolgen.mk

diff --git a/package/Config.in b/package/Config.in
index a325cba..63373f7 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1181,6 +1181,10 @@ menu "Real-Time"
 	source "package/xenomai/Config.in"
 endmenu
 
+menu "Security"
+	source "package/sepolgen/Config.in"
+endmenu
+
 menu "Shell and utilities"
 comment "Shells"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
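Review bot: this adds a second `menu "Security"` around line 1181 of package/Config.in, while patch 03 of this series shows a `menu "Security"` near line 937 that already holds libselinux, libsemanage and libsepol; two menus with the same title are confusing in menuconfig. Put sepolgen into the existing menu or give the new one a distinct title.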
diff --git a/package/sepolgen/Config.in b/package/sepolgen/Config.in
new file mode 100644
index 0000000..c499762
--- /dev/null
+++ b/package/sepolgen/Config.in
@@ -0,0 +1,15 @@
+config BR2_PACKAGE_SEPOLGEN
+	bool "sepolgen"
+	select BR2_PACKAGE_PYTHON
+	select BR2_PACKAGE_PYTHON_PY_PYC
+	depends on BR2_USE_WCHAR # python
+	depends on BR2_USE_MMU # python
+	help
+	  sepolgen is a python module/library that forms the core
+	  of the modern audit2allow (a rewrite).
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "sepolgen needs a toolchain w/ wchar"
+	depends on BR2_USE_MMU
+	depends on !BR2_USE_WCHAR
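Review bot: `BR2_PACKAGE_SEPOLGEN` is a target option that selects `BR2_PACKAGE_PYTHON` and `BR2_PACKAGE_PYTHON_PY_PYC`, but sepolgen.mk in this same patch defines only `HOST_SEPOLGEN_*` variables and evaluates only `host-generic-package`, so enabling it adds python to the target without installing sepolgen there. If host-only use is the intent, make this a `BR2_PACKAGE_HOST_SEPOLGEN` entry in a Config.in.host, as done for checkpolicy, and drop the target python selects and the wchar/MMU dependencies.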
diff --git a/package/sepolgen/sepolgen.mk b/package/sepolgen/sepolgen.mk
new file mode 100644
index 0000000..b330e20
--- /dev/null
+++ b/package/sepolgen/sepolgen.mk
@@ -0,0 +1,25 @@
+################################################################################
+#
+# sepolgen
+#
+################################################################################
+
+SEPOLGEN_VERSION = 1.1.9
+SEPOLGEN_SITE = http://userspace.selinuxproject.org/releases/20130423/
+SEPOLGEN_LICENSE = GPLv2
+SEPOLGEN_LICENSE_FILES = COPYING
+
+HOST_SEPOLGEN_DEPENDENCIES = host-python
+
+HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
+	PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
+
+define HOST_SEPOLGEN_BUILD_CMDS
+	$(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_SEPOLGEN_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(host-generic-package))
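Review bot: `HOST_SEPOLGEN_MAKE_CMDS` holds make variables, not commands; name it `HOST_SEPOLGEN_MAKE_OPTS` to match `HOST_CHECKPOLICY_MAKE_OPTS` in the previous patch. `PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages` deserves a short comment confirming that `PYTHON_VERSION_MAJOR` matches the host-python named in `HOST_SEPOLGEN_DEPENDENCIES`.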
-- 
1.9.1


* [Buildroot] [PATCH 06/30] sqlite: Add host build support
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (4 preceding siblings ...)
  2014-12-16  3:53 ` [Buildroot] [PATCH 05/30] sepolgen: " Matt Weber
@ 2014-12-16  3:53 ` Matt Weber
  2014-12-16  3:53 ` [Buildroot] [PATCH 07/30] setools: new package Matt Weber
                   ` (24 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:53 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/sqlite/sqlite.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index f010ee3..43902e8 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -57,3 +57,4 @@ SQLITE_CONF_OPTS += --disable-readline
 endif
 
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
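Review bot: the commit message gives no reason for adding `$(eval $(host-autotools-package))`; name the host package in the series that needs host-sqlite. The `SQLITE_CONF_OPTS` line visible in the context applies to the target build only, so the host build runs configure with defaults; if options such as `--disable-readline` matter on the host as well, set `HOST_SQLITE_CONF_OPTS`.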
-- 
1.9.1


* [Buildroot] [PATCH 07/30] setools: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (5 preceding siblings ...)
  2014-12-16  3:53 ` [Buildroot] [PATCH 06/30] sqlite: Add host build support Matt Weber
@ 2014-12-16  3:53 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 08/30] python-pyparsing: Add host build option Matt Weber
                   ` (23 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:53 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/Config.in                                  |    1 +
 package/setools/0001-cross-compile-fixes.patch     |  121 +++
 .../setools/0002-swig-typedef-python-fixes.patch   | 1014 ++++++++++++++++++++
 package/setools/Config.in                          |   23 +
 package/setools/setools.mk                         |   69 ++
 5 files changed, 1228 insertions(+)
 create mode 100644 package/setools/0001-cross-compile-fixes.patch
 create mode 100644 package/setools/0002-swig-typedef-python-fixes.patch
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools.mk

diff --git a/package/Config.in b/package/Config.in
index 63373f7..8cbcd80 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1183,6 +1183,7 @@ endmenu
 
 menu "Security"
 	source "package/sepolgen/Config.in"
+	source "package/setools/Config.in"
 endmenu
 
 menu "Shell and utilities"
diff --git a/package/setools/0001-cross-compile-fixes.patch b/package/setools/0001-cross-compile-fixes.patch
new file mode 100644
index 0000000..c931039
--- /dev/null
+++ b/package/setools/0001-cross-compile-fixes.patch
@@ -0,0 +1,121 @@
+Correct build issues to enable cross compiling.  These rechanges require the
+package to be auto reconfigured.  
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/configure.ac b/configure.ac
+--- a/configure.ac	2013-01-16 10:36:24.000000000 -0600
++++ b/configure.ac	2013-07-12 08:22:10.380255248 -0500
+@@ -448,8 +448,9 @@
+               sepol_srcdir="")
+ if test "x${sepol_srcdir}" = "x"; then
+    sepol_srcdir=${sepol_devel_libdir}
+-   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
+-      AC_MSG_ERROR([make sure libsepol-static is installed]))
++   if test ! -f ${sepol_srcdir}/libsepol.a; then
++      AC_MSG_ERROR([could not find precompiled libsepol.a])
++   fi
+ else
+    AC_MSG_CHECKING([for compatible sepol source tree])
+    sepol_version=${sepol_srcdir}/VERSION
+@@ -484,8 +485,9 @@
+    AC_CHECK_HEADER([sepol/policydb/policydb.h], , AC_MSG_ERROR([could not find sepol source tree]))
+    CFLAGS="${sepol_src_save_CFLAGS}"
+    CPPFLAGS="${sepol_src_save_CPPFLAGS}"
+-   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
+-      AC_MSG_ERROR([could not find precompiled libsepol.a]))
++   if test ! -f ${sepol_srcdir}/libsepol.a; then
++      AC_MSG_ERROR([could not find precompiled libsepol.a])
++   fi
+    sepol_devel_incdir="${sepol_srcdir}/../include"
+ fi
+ SELINUX_CFLAGS="-I${sepol_devel_incdir} -I${selinux_devel_incdir}"
+@@ -578,12 +580,13 @@
+                          [AC_LANG_SOURCE([
+ #include <sepol/policydb/expand.h>
+ int main () {
+-  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0);
++  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0);
+ }])],
+                          AC_MSG_RESULT([yes]),
+                          AC_MSG_ERROR([this version of libsepol is incompatible with SETools]))
+     fi
+     sepol_new_expand_boolmap="yes"
++    sepol_new_user_role_mapping="yes"
+ else
+     sepol_new_expand_boolmap="no"
+ fi
+@@ -607,7 +610,8 @@
+     exit(EXIT_FAILURE);
+ }])],
+     sepol_policy_version_max=`cat conftest.data`,
+-    AC_MSG_FAILURE([could not determine maximum libsepol policy version]))
++    AC_MSG_FAILURE([could not determine maximum libsepol policy version]),
++    sepol_policy_version_max="26")
+ AC_DEFINE_UNQUOTED(SEPOL_POLICY_VERSION_MAX, ${sepol_policy_version_max}, [maximum policy version supported by libsepol])
+ CFLAGS="${sepol_save_CFLAGS}"
+ CPPFLAGS="${sepol_save_CPPFLAGS}"
+@@ -631,7 +635,7 @@
+     changequote([,])dnl
+     selinux_save_CFLAGS="${CFLAGS}"
+     CFLAGS="${SELINUX_CFLAGS} ${SELINUX_LIB_FLAG} -lselinux -lsepol ${CFLAGS}"
+-    gcc ${CFLAGS} -o conftest conftest.c >&5
++    ${CC} ${CFLAGS} -o conftest conftest.c >&5
+     selinux_policy_dir=`./conftest`
+     AC_MSG_RESULT(${selinux_policy_dir})
+     CFLAGS="${selinux_save_CFLAGS}"
+diff -urN a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
+--- a/libqpol/src/policy_define.c	2013-01-16 10:36:24.000000000 -0600
++++ b/libqpol/src/policy_define.c	2013-07-12 08:22:10.380255248 -0500
+@@ -2135,7 +2135,7 @@
+ #ifdef HAVE_SEPOL_ROLE_ATTRS
+ 	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ #elif HAVE_SEPOL_USER_ROLE_MAPPING
+-	if (role_set_expand(&roles, &e_roles, policydbp, NULL))
++	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ #else
+ 	if (role_set_expand(&roles, &e_roles, policydbp))
+ #endif
+diff -urN a/m4/ac_python_devel.m4 b/m4/ac_python_devel.m4
+--- a/m4/ac_python_devel.m4	2013-01-16 10:36:22.000000000 -0600
++++ b/m4/ac_python_devel.m4	2013-07-12 08:22:10.380255248 -0500
+@@ -234,7 +234,7 @@
+ 	AC_MSG_CHECKING([consistency of all components of python development environment])
+ 	AC_LANG_PUSH([C])
+ 	# save current global flags
+-	LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
++	LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
+ 	CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+ 	AC_TRY_LINK([
+ 		#include <Python.h>
+diff -urN a/python/setools/Makefile.am b/python/setools/Makefile.am
+--- a/python/setools/Makefile.am	2013-01-16 10:36:22.000000000 -0600
++++ b/python/setools/Makefile.am	2013-07-12 08:22:19.200251011 -0500
+@@ -22,13 +22,13 @@
+ python-build: sesearch.c seinfo.c
+ 	@mkdir -p setools
+ 	@cp __init__.py setools
+-	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" INCLUDES="$(QPOL_CFLAGS) $(APOL_CFLAGS)" $(PYTHON) setup.py build
++	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" LIBDIRS="$(PYTHON_LDFLAGS)" INCLUDES="$(PYTHON_CPPFLAGS) $(QPOL_CFLAGS) $(APOL_CFLAGS)" CC="$(CC)" CFLAGS="$(CFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(LDFLAGS)" $(PYTHON) setup.py build_ext
+ 
+ install-exec-hook:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
+ 
+ uninstall-hook: 
+-	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
+ 
+ clean-local:
+ 	$(PYTHON) setup.py clean -a 
+--- a/python/setools/setup.py	2013-01-16 10:36:22.000000000 -0600
++++ b/python/setools/setup.py	2013-09-04 09:17:48.452916991 -0500
+@@ -8,7 +8,7 @@
+ try:
+     inc=os.getenv("INCLUDES").split(" ")    
+     INCLUDES=map(lambda x: x[2:], inc)
+-    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split())
++    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split()) + map(lambda x: x[2:], os.getenv("LIBDIRS").split())
+ except:
+     INCLUDES=""
+     LIBDIRS=""
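Review bot: in the configure.ac part of 0001-cross-compile-fixes.patch, the last hunk switches `gcc` to `${CC}` but the following line still executes `./conftest` to fill `selinux_policy_dir`, which cannot run when `${CC}` is a cross compiler; provide a cross-compile default or a configure option for that value. The cross-compile fallback `sepol_policy_version_max="26"` is hard-coded without reference to the libsepol version being linked, and `sepol_new_user_role_mapping="yes"` is set in the same branch as `sepol_new_expand_boolmap="yes"` with no test of its own. In setup.py, `os.getenv("LIBDIRS").split()` raises when LIBDIRS is unset and the bare `except:` then resets both INCLUDES and LIBDIRS to empty strings, silently dropping the include paths. The description has the typo "rechanges" and the `Signed-off-by` line lacks its colon.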
diff --git a/package/setools/0002-swig-typedef-python-fixes.patch b/package/setools/0002-swig-typedef-python-fixes.patch
new file mode 100644
index 0000000..999fed4
--- /dev/null
+++ b/package/setools/0002-swig-typedef-python-fixes.patch
@@ -0,0 +1,1014 @@
+Correct swig typdef naming convention errors that cause the build to break. 
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+--- a/libapol/swig/apol.i	2010-04-23 11:22:08.000000000 -0500
++++ b/libapol/swig/apol.i	2012-08-29 08:04:29.000000000 -0500
+@@ -232,7 +232,7 @@
+ %newobject wrap_apol_str_to_internal_ip(char*);
+ %rename(apol_str_to_internal_ip) wrap_apol_str_to_internal_ip;
+ %inline %{
+-	typedef struct apol_ip {
++	typedef struct {
+ 		uint32_t ip[4];
+ 		int proto;
+ 	} apol_ip_t;
+@@ -301,7 +301,7 @@
+ %inline %{
+ 	typedef struct apol_string_vector apol_string_vector_t;
+ %}
+-typedef struct apol_vector {} apol_vector_t;
++typedef struct {} apol_vector_t;
+ %extend apol_vector_t {
+ 	apol_vector_t() {
+ 		return apol_vector_create(NULL);
+@@ -377,7 +377,7 @@
+ 		return apol_vector_compare(a, b, NULL, NULL, &idx);
+ 	}
+ %}
+-typedef struct apol_string_vector {} apol_string_vector_t;
++typedef struct {} apol_string_vector_t;
+ %extend apol_string_vector_t {
+ 	apol_string_vector_t() {
+ 		return (apol_string_vector_t*)apol_vector_create(free);
+@@ -460,7 +460,7 @@
+ 	APOL_POLICY_PATH_TYPE_MONOLITHIC = 0,
+ 	APOL_POLICY_PATH_TYPE_MODULAR
+ } apol_policy_path_type_e;
+-typedef struct apol_policy_path {} apol_policy_path_t;
++typedef struct {} apol_policy_path_t;
+ %extend apol_policy_path_t {
+ 	apol_policy_path_t(apol_policy_path_type_e type, char * primary, apol_string_vector_t *modules = NULL) {
+ 		apol_policy_path_t *p;
+@@ -540,7 +540,7 @@
+ int apol_file_is_policy_path_list(const char *filename);
+ 
+ /* apol policy */
+-typedef struct apol_policy {} apol_policy_t;
++typedef struct {} apol_policy_t;
+ #define APOL_PERMMAP_MAX_WEIGHT 10
+ #define APOL_PERMMAP_MIN_WEIGHT 1
+ #define APOL_PERMMAP_UNMAPPED	0x00
+@@ -650,7 +650,7 @@
+ };
+ 
+ /* apol type query */
+-typedef struct apol_type_query {} apol_type_query_t;
++typedef struct {} apol_type_query_t;
+ %extend apol_type_query_t {
+ 	apol_type_query_t() {
+ 		apol_type_query_t *tq;
+@@ -692,7 +692,7 @@
+ };
+ 
+ /* apol attribute query */
+-typedef struct apol_attr_query {} apol_attr_query_t;
++typedef struct {} apol_attr_query_t;
+ %extend apol_attr_query_t {
+ 	apol_attr_query_t() {
+ 		apol_attr_query_t *aq;
+@@ -734,7 +734,7 @@
+ };
+ 
+ /* apol role query */
+-typedef struct apol_role_query {} apol_role_query_t;
++typedef struct {} apol_role_query_t;
+ %extend apol_role_query_t {
+ 	apol_role_query_t() {
+ 		apol_role_query_t *rq;
+@@ -786,7 +786,7 @@
+ int apol_role_has_type(apol_policy_t * p, qpol_role_t * r, qpol_type_t * t);
+ 
+ /* apol class query */
+-typedef struct apol_class_query {} apol_class_query_t;
++typedef struct {} apol_class_query_t;
+ %extend apol_class_query_t {
+ 	apol_class_query_t() {
+ 		apol_class_query_t *cq;
+@@ -837,7 +837,7 @@
+ };
+ 
+ /* apol common query */
+-typedef struct apol_common_query {} apol_common_query_t;
++typedef struct {} apol_common_query_t;
+ %extend apol_common_query_t {
+ 	apol_common_query_t() {
+ 		apol_common_query_t *cq;
+@@ -879,7 +879,7 @@
+ };
+ 
+ /* apol perm query */
+-typedef struct apol_perm_query {} apol_perm_query_t;
++typedef struct {} apol_perm_query_t;
+ %extend apol_perm_query_t {
+ 	apol_perm_query_t() {
+ 		apol_perm_query_t *pq;
+@@ -921,7 +921,7 @@
+ };
+ 
+ /* apol bool query */
+-typedef struct apol_bool_query {} apol_bool_query_t;
++typedef struct {} apol_bool_query_t;
+ %extend apol_bool_query_t {
+ 	apol_bool_query_t() {
+ 		apol_bool_query_t *bq;
+@@ -963,7 +963,7 @@
+ };
+ 
+ /* apol mls level */
+-typedef struct apol_mls_level {} apol_mls_level_t;
++typedef struct {} apol_mls_level_t;
+ %extend apol_mls_level_t {
+ 	apol_mls_level_t() {
+ 		apol_mls_level_t *aml;
+@@ -1122,11 +1122,11 @@
+ %typemap(in) apol_mls_level_t *lvl {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_level, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_level_t, 0 |  0 );
+ 	$1 = (apol_mls_level_t*)x;
+ }
+ #endif
+-typedef struct apol_mls_range {} apol_mls_range_t;
++typedef struct {} apol_mls_range_t;
+ %extend apol_mls_range_t {
+ 	apol_mls_range_t() {
+ 		apol_mls_range_t *amr;
+@@ -1276,7 +1276,7 @@
+ %}
+ 
+ /* apol level query */
+-typedef struct apol_level_query {} apol_level_query_t;
++typedef struct {} apol_level_query_t;
+ %extend apol_level_query_t {
+ 	apol_level_query_t() {
+ 		apol_level_query_t * alq;
+@@ -1327,7 +1327,7 @@
+ };
+ 
+ /* apol cat query */
+-typedef struct apol_cat_query {} apol_cat_query_t;
++typedef struct {} apol_cat_query_t;
+ %extend apol_cat_query_t {
+ 	apol_cat_query_t() {
+ 		apol_cat_query_t * acq;
+@@ -1373,11 +1373,11 @@
+ %typemap(in) apol_mls_range_t *rng {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_range, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_range_t, 0 |  0 );
+ 	$1 = (apol_mls_range_t*)x;
+ }
+ #endif
+-typedef struct apol_user_query {} apol_user_query_t;
++typedef struct {} apol_user_query_t;
+ %extend apol_user_query_t {
+ 	apol_user_query_t() {
+ 		apol_user_query_t *auq;
+@@ -1446,7 +1446,7 @@
+ };
+ 
+ /* apol context */
+-typedef struct apol_context {} apol_context_t;
++typedef struct {} apol_context_t;
+ %extend apol_context_t {
+ 	apol_context_t() {
+ 		apol_context_t *ctx;
+@@ -1581,7 +1581,7 @@
+ int apol_context_compare(apol_policy_t * p, apol_context_t * target, apol_context_t * search, unsigned int range_compare_type);
+ 
+ /* apol constraint query */
+-typedef struct apol_constraint_query {} apol_constraint_query_t;
++typedef struct {} apol_constraint_query_t;
+ %extend apol_constraint_query_t {
+ 	apol_constraint_query_t() {
+ 		apol_constraint_query_t *acq;
+@@ -1632,7 +1632,7 @@
+ };
+ 
+ /* apol validatetrans query */
+-typedef struct apol_validatetrans_query {} apol_validatetrans_query_t;
++typedef struct {} apol_validatetrans_query_t;
+ %extend apol_validatetrans_query_t {
+ 	apol_validatetrans_query_t() {
+ 		apol_validatetrans_query_t *avq;
+@@ -1678,11 +1678,11 @@
+ %typemap(in) apol_context_t *ctx {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_context, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_context_t, 0 |  0 );
+ 	$1 = (apol_context_t*)x;
+ }
+ #endif
+-typedef struct apol_genfscon_query {} apol_genfscon_query_t;
++typedef struct {} apol_genfscon_query_t;
+ %extend apol_genfscon_query_t {
+ 	apol_genfscon_query_t() {
+ 		apol_genfscon_query_t *agq;
+@@ -1744,7 +1744,7 @@
+ char *apol_genfscon_render(apol_policy_t * p, qpol_genfscon_t * genfscon);
+ 
+ /* apol fs_use query */
+-typedef struct apol_fs_use_query {} apol_fs_use_query_t;
++typedef struct {} apol_fs_use_query_t;
+ %extend apol_fs_use_query_t {
+ 	apol_fs_use_query_t() {
+ 		apol_fs_use_query_t *afq;
+@@ -1797,7 +1797,7 @@
+ char *apol_fs_use_render(apol_policy_t * p, qpol_fs_use_t * fsuse);
+ 
+ /* apol initial sid query */
+-typedef struct apol_isid_query {} apol_isid_query_t;
++typedef struct {} apol_isid_query_t;
+ %extend apol_isid_query_t {
+ 	apol_isid_query_t() {
+ 		apol_isid_query_t *aiq;
+@@ -1839,7 +1839,7 @@
+ };
+ 
+ /* apol portcon query */
+-typedef struct apol_portcon_query {} apol_portcon_query_t;
++typedef struct {} apol_portcon_query_t;
+ %extend apol_portcon_query_t {
+ 	apol_portcon_query_t() {
+ 		apol_portcon_query_t *apq;
+@@ -1883,7 +1883,7 @@
+ char *apol_portcon_render(apol_policy_t * p, qpol_portcon_t * portcon);
+ 
+ /* apol netifcon query */
+-typedef struct apol_netifcon_query {} apol_netifcon_query_t;
++typedef struct {} apol_netifcon_query_t;
+ %extend apol_netifcon_query_t {
+ 	apol_netifcon_query_t() {
+ 		apol_netifcon_query_t *anq;
+@@ -1930,7 +1930,7 @@
+ char *apol_netifcon_render(apol_policy_t * p, qpol_netifcon_t * netifcon);
+ 
+ /* apol nodecon query */
+-typedef struct apol_nodecon_query {} apol_nodecon_query_t;
++typedef struct {} apol_nodecon_query_t;
+ %extend apol_nodecon_query_t {
+ 	apol_nodecon_query_t() {
+ 		apol_nodecon_query_t *anq;
+@@ -2010,7 +2010,7 @@
+ char *apol_nodecon_render(apol_policy_t * p, qpol_nodecon_t * nodecon);
+ 
+ /* apol avrule query */
+-typedef struct apol_avrule_query {} apol_avrule_query_t;
++typedef struct {} apol_avrule_query_t;
+ %extend apol_avrule_query_t {
+ 	apol_avrule_query_t() {
+ 		apol_avrule_query_t *avq;
+@@ -2161,7 +2161,7 @@
+ %}
+ 
+ /* apol terule query */
+-typedef struct apol_terule_query {} apol_terule_query_t;
++typedef struct {} apol_terule_query_t;
+ %extend apol_terule_query_t {
+ 	apol_terule_query_t() {
+ 		apol_terule_query_t *atq;
+@@ -2285,7 +2285,7 @@
+ apol_vector_t *apol_terule_list_to_syn_terules(apol_policy_t * p, apol_vector_t * rules);
+ 
+ /* apol cond rule query */
+-typedef struct apol_cond_query {} apol_cond_query_t;
++typedef struct {} apol_cond_query_t;
+ %extend apol_cond_query_t {
+ 	apol_cond_query_t() {
+ 		apol_cond_query_t *acq;
+@@ -2329,7 +2329,7 @@
+ char *apol_cond_expr_render(apol_policy_t * p, qpol_cond_t * cond);
+ 
+ /* apol role allow query */
+-typedef struct apol_role_allow_query {} apol_role_allow_query_t;
++typedef struct {} apol_role_allow_query_t;
+ %extend apol_role_allow_query_t {
+ 	apol_role_allow_query_t() {
+ 		apol_role_allow_query_t *arq;
+@@ -2385,7 +2385,7 @@
+ char *apol_role_allow_render(apol_policy_t * policy, qpol_role_allow_t * rule);
+ 
+ /* apol role transition rule query */
+-typedef struct apol_role_trans_query {} apol_role_trans_query_t;
++typedef struct {} apol_role_trans_query_t;
+ %extend apol_role_trans_query_t {
+ 	apol_role_trans_query_t() {
+ 		apol_role_trans_query_t *arq;
+@@ -2450,7 +2450,7 @@
+ char *apol_role_trans_render(apol_policy_t * policy, qpol_role_trans_t * rule);
+ 
+ /* apol range transition rule query */
+-typedef struct apol_range_trans_query {} apol_range_trans_query_t;
++typedef struct {} apol_range_trans_query_t;
+ %extend apol_range_trans_query_t {
+ 	apol_range_trans_query_t() {
+ 		apol_range_trans_query_t *arq;
+@@ -2529,7 +2529,7 @@
+ #define APOL_DOMAIN_TRANS_SEARCH_VALID		0x01
+ #define APOL_DOMAIN_TRANS_SEARCH_INVALID	0x02
+ #define APOL_DOMAIN_TRANS_SEARCH_BOTH		(APOL_DOMAIN_TRANS_SEARCH_VALID|APOL_DOMAIN_TRANS_SEARCH_INVALID)
+-typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
++typedef struct {} apol_domain_trans_analysis_t;
+ %extend apol_domain_trans_analysis_t {
+ 	apol_domain_trans_analysis_t() {
+ 		apol_domain_trans_analysis_t *dta;
+@@ -2620,7 +2620,7 @@
+ 		return v;
+ 	};
+ };
+-typedef struct apol_domain_trans_result {} apol_domain_trans_result_t;
++typedef struct {} apol_domain_trans_result_t;
+ %extend apol_domain_trans_result_t {
+ 	apol_domain_trans_result_t(apol_domain_trans_result_t *in) {
+ 		apol_domain_trans_result_t *dtr;
+@@ -2703,7 +2703,7 @@
+ 		*in = NULL;
+ 	}
+ %}
+-typedef struct apol_infoflow {} apol_infoflow_t;
++typedef struct {} apol_infoflow_t;
+ %extend apol_infoflow_t {
+ 	apol_infoflow_t() {
+ 		BEGIN_EXCEPTION
+@@ -2728,7 +2728,7 @@
+ 		return v;
+ 	};
+ };
+-typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
++typedef struct {} apol_infoflow_analysis_t;
+ %extend apol_infoflow_analysis_t {
+ 	apol_infoflow_analysis_t() {
+ 		apol_infoflow_analysis_t *aia;
+@@ -2821,7 +2821,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_infoflow_graph {} apol_infoflow_graph_t;
++typedef struct {} apol_infoflow_graph_t;
+ %extend apol_infoflow_graph_t {
+ 	apol_infoflow_graph_t() {
+ 		BEGIN_EXCEPTION
+@@ -2865,7 +2865,7 @@
+ 		return retval;
+ 	};
+ };
+-typedef struct apol_infoflow_result {} apol_infoflow_result_t;
++typedef struct {} apol_infoflow_result_t;
+ %extend apol_infoflow_result_t {
+ 	apol_infoflow_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -2899,7 +2899,7 @@
+ 		return (apol_infoflow_result_t*)x;
+ 	};
+ %}
+-typedef struct apol_infoflow_step {} apol_infoflow_step_t;
++typedef struct {} apol_infoflow_step_t;
+ %extend apol_infoflow_step_t {
+ 	apol_infoflow_step_t() {
+ 		BEGIN_EXCEPTION
+@@ -2936,7 +2936,7 @@
+ #define APOL_RELABEL_DIR_FROM    0x02
+ #define APOL_RELABEL_DIR_BOTH    (APOL_RELABEL_DIR_TO|APOL_RELABEL_DIR_FROM)
+ #define APOL_RELABEL_DIR_SUBJECT 0x04
+-typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
++typedef struct {} apol_relabel_analysis_t;
+ %extend apol_relabel_analysis_t {
+ 	apol_relabel_analysis_t() {
+ 		apol_relabel_analysis_t *ara;
+@@ -3009,7 +3009,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_relabel_result {} apol_relabel_result_t;
++typedef struct {} apol_relabel_result_t;
+ %extend apol_relabel_result_t {
+ 	apol_relabel_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -3040,7 +3040,7 @@
+ 		return (apol_relabel_result_t*)x;
+ 	};
+ %}
+-typedef struct apol_relabel_result_pair {} apol_relabel_result_pair_t;
++typedef struct {} apol_relabel_result_pair_t;
+ %extend apol_relabel_result_pair_t {
+ 	apol_relabel_result_pair_t() {
+ 		BEGIN_EXCEPTION
+@@ -3082,7 +3082,7 @@
+ #define APOL_TYPES_RELATION_DIRECT_FLOW 0x1000
+ #define APOL_TYPES_RELATION_TRANS_FLOW_AB 0x4000
+ #define APOL_TYPES_RELATION_TRANS_FLOW_BA 0x8000
+-typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t;
++typedef struct {} apol_types_relation_analysis_t;
+ %extend apol_types_relation_analysis_t {
+ 	apol_types_relation_analysis_t() {
+ 		apol_types_relation_analysis_t *atr;
+@@ -3137,7 +3137,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_types_relation_result {} apol_types_relation_result_t;
++typedef struct {} apol_types_relation_result_t;
+ %extend apol_types_relation_result_t {
+ 	apol_types_relation_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -3192,7 +3192,7 @@
+ 		return apol_types_relation_result_get_domainsBA(self);
+ 	};
+ };
+-typedef struct apol_types_relation_access {} apol_types_relation_access_t;
++typedef struct {} apol_types_relation_access_t;
+ %extend apol_types_relation_access_t {
+ 	apol_types_relation_access_t() {
+ 		BEGIN_EXCEPTION
+--- a/libqpol/swig/qpol.i	2010-04-30 11:23:28.000000000 -0500
++++ b/libqpol/swig/qpol.i	2012-08-29 07:52:17.000000000 -0500
+@@ -226,7 +226,7 @@
+ #define QPOL_MODULE_UNKNOWN 0
+ #define QPOL_MODULE_BASE    1
+ #define QPOL_MODULE_OTHER   2
+-typedef struct qpol_module {} qpol_module_t;
++typedef struct {} qpol_module_t;
+ %extend qpol_module_t {
+ 	qpol_module_t(const char *path) {
+ 		qpol_module_t *m;
+@@ -310,7 +310,7 @@
+ #define QPOL_POLICY_OPTION_NO_NEVERALLOWS 0x00000001
+ #define QPOL_POLICY_OPTION_NO_RULES       0x00000002
+ #define QPOL_POLICY_OPTION_MATCH_SYSTEM   0x00000004
+-typedef struct qpol_policy {} qpol_policy_t;
++typedef struct {} qpol_policy_t;
+ typedef void (*qpol_callback_fn_t) (void *varg, struct qpol_policy * policy, int level, const char *fmt, va_list va_args);
+ #define QPOL_POLICY_UNKNOWN       -1
+ #define QPOL_POLICY_KERNEL_SOURCE  0
+@@ -684,7 +684,7 @@
+ };
+ 
+ /* qpol iterator */
+-typedef struct qpol_iterator {} qpol_iterator_t;
++typedef struct {} qpol_iterator_t;
+ %extend qpol_iterator_t {
+ 	/* user never directly creates, but SWIG expects a constructor */
+ 	qpol_iterator_t() {
+@@ -734,7 +734,7 @@
+ };
+ 
+ /* qpol type */
+-typedef struct qpol_type {} qpol_type_t;
++typedef struct {} qpol_type_t;
+ %extend qpol_type_t {
+ 	qpol_type_t(qpol_policy_t *p, const char *name) {
+ 		BEGIN_EXCEPTION
+@@ -849,7 +849,7 @@
+ %}
+ 
+ /* qpol role */
+-typedef struct qpol_role {} qpol_role_t;
++typedef struct {} qpol_role_t;
+ %extend qpol_role_t {
+ 	qpol_role_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_role_t *r;
+@@ -917,7 +917,7 @@
+ %}
+ 
+ /* qpol level */
+-typedef struct qpol_level {} qpol_level_t;
++typedef struct {} qpol_level_t;
+ %extend qpol_level_t {
+ 	qpol_level_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_level_t *l;
+@@ -995,7 +995,7 @@
+ %}
+ 
+ /* qpol cat */
+-typedef struct qpol_cat {} qpol_cat_t;
++typedef struct {} qpol_cat_t;
+ %extend qpol_cat_t {
+ 	qpol_cat_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_cat_t *c;
+@@ -1062,7 +1062,7 @@
+ %}
+ 
+ /* qpol mls range */
+-typedef struct qpol_mls_range {} qpol_mls_range_t;
++typedef struct {} qpol_mls_range_t;
+ %extend qpol_mls_range_t {
+ 	qpol_mls_range_t() {
+ 		BEGIN_EXCEPTION
+@@ -1103,7 +1103,7 @@
+ %}
+ 
+ /* qpol mls level */
+-typedef struct qpol_mls_level {} qpol_mls_level_t;
++typedef struct {} qpol_mls_level_t;
+ %extend qpol_mls_level_t {
+ 	qpol_mls_level_t() {
+ 		BEGIN_EXCEPTION
+@@ -1145,7 +1145,7 @@
+ %}
+ 
+ /* qpol user */
+-typedef struct qpol_user {} qpol_user_t;
++typedef struct {} qpol_user_t;
+ %extend qpol_user_t {
+ 	qpol_user_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_user_t *u;
+@@ -1221,7 +1221,7 @@
+ %}
+ 
+ /* qpol bool */
+-typedef struct qpol_bool {} qpol_bool_t;
++typedef struct {} qpol_bool_t;
+ %extend qpol_bool_t {
+ 	qpol_bool_t(qpol_policy_t *p, const char *name) {
+ 		qpol_bool_t *b;
+@@ -1293,7 +1293,7 @@
+ %}
+ 
+ /* qpol context */
+-typedef struct qpol_context {} qpol_context_t;
++typedef struct {} qpol_context_t;
+ %extend qpol_context_t {
+ 	qpol_context_t() {
+ 		BEGIN_EXCEPTION
+@@ -1354,7 +1354,7 @@
+ %}
+ 
+ /* qpol class */
+-typedef struct qpol_class {} qpol_class_t;
++typedef struct {} qpol_class_t;
+ %extend qpol_class_t {
+ 	qpol_class_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_class_t *c;
+@@ -1441,7 +1441,7 @@
+ %}
+ 
+ /* qpol common */
+-typedef struct qpol_common {} qpol_common_t;
++typedef struct {} qpol_common_t;
+ %extend qpol_common_t {
+ 	qpol_common_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_common_t *c;
+@@ -1514,7 +1514,7 @@
+ #define QPOL_FS_USE_NONE  5U
+ #define QPOL_FS_USE_PSID  6U
+ #endif
+-typedef struct qpol_fs_use {} qpol_fs_use_t;
++typedef struct {} qpol_fs_use_t;
+ %extend qpol_fs_use_t {
+ 	qpol_fs_use_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_fs_use_t *f;
+@@ -1592,7 +1592,7 @@
+ #define QPOL_CLASS_LNK_FILE   9U
+ #define QPOL_CLASS_SOCK_FILE 12U
+ #endif
+-typedef struct qpol_genfscon {} qpol_genfscon_t;
++typedef struct {} qpol_genfscon_t;
+ %extend qpol_genfscon_t {
+ 	qpol_genfscon_t(qpol_policy_t *p, const char *name, const char *path) {
+ 		qpol_genfscon_t *g;
+@@ -1655,7 +1655,7 @@
+ %}
+ 
+ /* qpol isid */
+-typedef struct qpol_isid {} qpol_isid_t;
++typedef struct {} qpol_isid_t;
+ %extend qpol_isid_t {
+ 	qpol_isid_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_isid_t *i;
+@@ -1699,7 +1699,7 @@
+ %}
+ 
+ /* qpol netifcon */
+-typedef struct qpol_netifcon {} qpol_netifcon_t;
++typedef struct {} qpol_netifcon_t;
+ %extend qpol_netifcon_t {
+ 	qpol_netifcon_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_netifcon_t *n;
+@@ -1755,7 +1755,7 @@
+ /* qpol nodecon */
+ #define QPOL_IPV4 0
+ #define QPOL_IPV6 1
+-typedef struct qpol_nodecon {} qpol_nodecon_t;
++typedef struct {} qpol_nodecon_t;
+ %extend qpol_nodecon_t {
+ 	qpol_nodecon_t(qpol_policy_t *p, int addr[4], int mask[4], int protocol) {
+ 		uint32_t a[4], m[4];
+@@ -1828,7 +1828,7 @@
+ /* from netinet/in.h */
+ #define IPPROTO_TCP 6
+ #define IPPROTO_UDP 17
+-typedef struct qpol_portcon {} qpol_portcon_t;
++typedef struct {} qpol_portcon_t;
+ %extend qpol_portcon_t {
+ 	qpol_portcon_t(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) {
+ 		const qpol_portcon_t *qp;
+@@ -1892,7 +1892,7 @@
+ %}
+ 
+ /* qpol constraint */
+-typedef struct qpol_constraint {} qpol_constraint_t;
++typedef struct {} qpol_constraint_t;
+ %extend qpol_constraint_t {
+ 	qpol_constraint_t() {
+ 		BEGIN_EXCEPTION
+@@ -1944,7 +1944,7 @@
+ %}
+ 
+ /* qpol validatetrans */
+-typedef struct qpol_validatetrans {} qpol_validatetrans_t;
++typedef struct {} qpol_validatetrans_t;
+ %extend qpol_validatetrans_t {
+ 	qpol_validatetrans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2009,7 +2009,7 @@
+ #define QPOL_CEXPR_OP_DOM    3
+ #define QPOL_CEXPR_OP_DOMBY  4
+ #define QPOL_CEXPR_OP_INCOMP 5
+-typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t;
++typedef struct {} qpol_constraint_expr_node_t;
+ %extend qpol_constraint_expr_node_t {
+ 	qpol_constraint_expr_node_t() {
+ 		BEGIN_EXCEPTION
+@@ -2071,7 +2071,7 @@
+ %}
+ 
+ /* qpol role allow */
+-typedef struct qpol_role_allow {} qpol_role_allow_t;
++typedef struct {} qpol_role_allow_t;
+ %extend qpol_role_allow_t {
+ 	qpol_role_allow_t() {
+ 		BEGIN_EXCEPTION
+@@ -2112,7 +2112,7 @@
+ %}
+ 
+ /* qpol role trans */
+-typedef struct qpol_role_trans {} qpol_role_trans_t;
++typedef struct {} qpol_role_trans_t;
+ %extend qpol_role_trans_t {
+ 	qpol_role_trans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2163,7 +2163,7 @@
+ %}
+ 
+ /* qpol range trans */
+-typedef struct qpol_range_trans {} qpol_range_trans_t;
++typedef struct {} qpol_range_trans_t;
+ %extend qpol_range_trans_t {
+ 	qpol_range_trans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2226,7 +2226,7 @@
+ #define QPOL_RULE_NEVERALLOW  128
+ #define QPOL_RULE_AUDITALLOW    2
+ #define QPOL_RULE_DONTAUDIT     4
+-typedef struct qpol_avrule {} qpol_avrule_t;
++typedef struct {} qpol_avrule_t;
+ %extend qpol_avrule_t {
+ 	qpol_avrule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2346,7 +2346,7 @@
+ #define QPOL_RULE_TYPE_TRANS   16
+ #define QPOL_RULE_TYPE_CHANGE  64
+ #define QPOL_RULE_TYPE_MEMBER  32
+-typedef struct qpol_terule {} qpol_terule_t;
++typedef struct {} qpol_terule_t;
+ %extend qpol_terule_t {
+ 	qpol_terule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2462,7 +2462,7 @@
+ %}
+ 
+ /* qpol conditional */
+-typedef struct qpol_cond {} qpol_cond_t;
++typedef struct {} qpol_cond_t;
+ %extend qpol_cond_t {
+ 	qpol_cond_t() {
+ 		BEGIN_EXCEPTION
+@@ -2555,7 +2555,7 @@
+ #define QPOL_COND_EXPR_XOR  5      /* bool ^ bool */
+ #define QPOL_COND_EXPR_EQ   6      /* bool == bool */
+ #define QPOL_COND_EXPR_NEQ  7      /* bool != bool */
+-typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t;
++typedef struct {} qpol_cond_expr_node_t;
+ %extend qpol_cond_expr_node_t {
+ 	qpol_cond_expr_node_t() {
+ 		BEGIN_EXCEPTION
+@@ -2600,7 +2600,7 @@
+ %}
+ 
+ /* qpol type set */
+-typedef struct qpol_type_set {} qpol_type_set_t;
++typedef struct {} qpol_type_set_t;
+ %extend qpol_type_set_t {
+ 	qpol_type_set_t() {
+ 		BEGIN_EXCEPTION
+@@ -2663,7 +2663,7 @@
+ %}
+ 
+ /* qpol syn av rule */
+-typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
++typedef struct {} qpol_syn_avrule_t;
+ %extend qpol_syn_avrule_t {
+ 	qpol_syn_avrule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2776,7 +2776,7 @@
+ %}
+ 
+ /* qpol syn te rule */
+-typedef struct qpol_syn_terule {} qpol_syn_terule_t;
++typedef struct {} qpol_syn_terule_t;
+ %extend qpol_syn_terule_t {
+ 	qpol_syn_terule_t() {
+ 		BEGIN_EXCEPTION
+--- a/libpoldiff/swig/poldiff.i	2007-10-31 16:03:33.000000000 -0500
++++ b/libpoldiff/swig/poldiff.i	2012-08-29 08:08:02.000000000 -0500
+@@ -258,7 +258,7 @@
+ 
+ /* for handling the get_stats function */
+ %{
+-	typedef struct poldiff_stats {
++	typedef struct {
+ 		size_t stats[5];
+ 	} poldiff_stats_t;
+ 	poldiff_stats_t *poldiff_stats_create() {
+@@ -271,7 +271,7 @@
+ 		*x = NULL;
+ 	}
+ %}
+-typedef struct poldiff_stats {} poldiff_stats_t;
++typedef struct {} poldiff_stats_t;
+ %extend poldiff_stats_t {
+ 	poldiff_stats_t() {
+ 		poldiff_stats_t *s;
+@@ -336,17 +336,17 @@
+ %typemap(in) apol_policy_t *op {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy_t, 0 |  0 );
+ 	$1 = (apol_policy_t*)x;
+ }
+ %typemap(in) apol_policy_t *mp {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy_t, 0 |  0 );
+ 	$1 = (apol_policy_t*)x;
+ }
+ #endif
+-typedef struct poldiff {} poldiff_t;
++typedef struct {} poldiff_t;
+ %extend poldiff_t {
+ 	poldiff_t(apol_policy_t *op, apol_policy_t *mp) {
+ 		poldiff_t *p;
+@@ -476,7 +476,7 @@
+ };
+ 
+ /* attribute diff */
+-typedef struct poldiff_attrib {} poldiff_attrib_t;
++typedef struct {} poldiff_attrib_t;
+ %extend poldiff_attrib_t {
+    poldiff_attrib_t () {
+       BEGIN_EXCEPTION
+@@ -521,7 +521,7 @@
+ %}
+ 
+ /* av rule diff */
+-typedef struct poldiff_avrule {} poldiff_avrule_t;
++typedef struct {} poldiff_avrule_t;
+ %extend poldiff_avrule_t {
+    poldiff_avrule_t() {
+       BEGIN_EXCEPTION
+@@ -629,7 +629,7 @@
+ %}
+ 
+ /* boolean diff */
+-typedef struct poldiff_bool {} poldiff_bool_t;
++typedef struct {} poldiff_bool_t;
+ %extend poldiff_bool_t {
+ 	poldiff_bool_t() {
+       BEGIN_EXCEPTION
+@@ -668,7 +668,7 @@
+ %}
+ 
+ /* category diff */
+-typedef struct poldiff_cat {} poldiff_cat_t;
++typedef struct {} poldiff_cat_t;
+ %extend poldiff_cat_t {
+ 	poldiff_cat_t() {
+       BEGIN_EXCEPTION
+@@ -707,7 +707,7 @@
+ %}
+ 
+ /* class diff */
+-typedef struct poldiff_class {} poldiff_class_t;
++typedef struct {} poldiff_class_t;
+ %extend poldiff_class_t {
+ 	poldiff_class_t() {
+       BEGIN_EXCEPTION
+@@ -752,7 +752,7 @@
+ %}
+ 
+ /* common diff */
+-typedef struct poldiff_common {} poldiff_common_t;
++typedef struct {} poldiff_common_t;
+ %extend poldiff_common_t {
+ 	poldiff_common_t() {
+       BEGIN_EXCEPTION
+@@ -797,7 +797,7 @@
+ %}
+ 
+ /* level diff */
+-typedef struct poldiff_level {} poldiff_level_t;
++typedef struct {} poldiff_level_t;
+ %extend poldiff_level_t {
+ 	poldiff_level_t() {
+       BEGIN_EXCEPTION
+@@ -857,7 +857,7 @@
+ %}
+ 
+ /* range diff */
+-typedef struct poldiff_range {} poldiff_range_t;
++typedef struct {} poldiff_range_t;
+ %extend poldiff_range_t {
+ 	poldiff_range_t() {
+       BEGIN_EXCEPTION
+@@ -908,7 +908,7 @@
+ %}
+ 
+ /* range_transition rule diff */
+-typedef struct poldiff_range_trans {} poldiff_range_trans_t;
++typedef struct {} poldiff_range_trans_t;
+ %extend poldiff_range_trans_t {
+ 	poldiff_range_trans_t() {
+       BEGIN_EXCEPTION
+@@ -956,7 +956,7 @@
+ %}
+ 
+ /* role allow rule diff */
+-typedef struct poldiff_role_allow {} poldiff_role_allow_t;
++typedef struct {} poldiff_role_allow_t;
+ %extend poldiff_role_allow_t {
+ 	poldiff_role_allow_t() {
+       BEGIN_EXCEPTION
+@@ -1004,7 +1004,7 @@
+ %}
+ 
+ /* role_transition rule diff */
+-typedef struct poldiff_role_trans {} poldiff_role_trans_t;
++typedef struct {} poldiff_role_trans_t;
+ %extend poldiff_role_trans_t {
+ 	poldiff_role_trans_t() {
+       BEGIN_EXCEPTION
+@@ -1052,7 +1052,7 @@
+ %}
+ 
+ /* role diff */
+-typedef struct poldiff_role {} poldiff_role_t;
++typedef struct {} poldiff_role_t;
+ %extend poldiff_role_t {
+ 	poldiff_role_t() {
+       BEGIN_EXCEPTION
+@@ -1097,7 +1097,7 @@
+ %}
+ 
+ /* te rule diff */
+-typedef struct poldiff_terule {} poldiff_terule_t;
++typedef struct {} poldiff_terule_t;
+ %extend poldiff_terule_t {
+ 	poldiff_terule_t() {
+       BEGIN_EXCEPTION
+@@ -1178,7 +1178,7 @@
+ %}
+ 
+ /* type diff */
+-typedef struct poldiff_type {} poldiff_type_t;
++typedef struct {} poldiff_type_t;
+ %extend poldiff_type_t {
+ 	poldiff_type_t() {
+       BEGIN_EXCEPTION
+@@ -1223,7 +1223,7 @@
+ %}
+ 
+ /* user diff */
+-typedef struct poldiff_user {} poldiff_user_t;
++typedef struct {} poldiff_user_t;
+ %extend poldiff_user_t {
+ 	poldiff_user_t() {
+       BEGIN_EXCEPTION
+@@ -1280,7 +1280,7 @@
+ %}
+ 
+ /* type remap */
+-typedef struct poldiff_type_remap_entry {} poldiff_type_remap_entry_t;
++typedef struct {} poldiff_type_remap_entry_t;
+ %extend poldiff_type_remap_entry_t {
+ 	poldiff_type_remap_entry_t() {
+       BEGIN_EXCEPTION
+--- a/libseaudit/swig/seaudit.i	2007-10-31 16:03:33.000000000 -0500
++++ b/libseaudit/swig/seaudit.i	2012-08-29 08:11:39.000000000 -0500
+@@ -240,7 +240,7 @@
+ %{
+ 	typedef struct tm tm_t;
+ %}
+-typedef struct tm {
++typedef struct {
+ 	int tm_sec;   /* seconds */
+ 	int tm_min;   /* minutes */
+ 	int tm_hour;  /* hours */
+@@ -278,7 +278,7 @@
+ 	SEAUDIT_LOG_TYPE_SYSLOG,
+ 	SEAUDIT_LOG_TYPE_AUDITD
+ } seaudit_log_type_e;
+-typedef struct seaudit_log {} seaudit_log_t;
++typedef struct {} seaudit_log_t;
+ %extend seaudit_log_t {
+ 	seaudit_log_t() {
+ 		seaudit_log_t *slog;
+@@ -355,7 +355,7 @@
+ 	SEAUDIT_MESSAGE_TYPE_AVC,
+ 	SEAUDIT_MESSAGE_TYPE_LOAD
+ } seaudit_message_type_e;
+-typedef struct seaudit_message {} seaudit_message_t;
++typedef struct {} seaudit_message_t;
+ %extend seaudit_message_t {
+ 	seaudit_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -427,7 +427,7 @@
+ %}
+ 
+ /* seaudit load message */
+-typedef struct seaudit_load_message {} seaudit_load_message_t;
++typedef struct {} seaudit_load_message_t;
+ %extend seaudit_load_message_t {
+ 	seaudit_load_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -448,7 +448,7 @@
+ %}
+ 
+ /* seaudit bool message */
+-typedef struct seaudit_bool_message {} seaudit_bool_message_t;
++typedef struct {} seaudit_bool_message_t;
+ %extend seaudit_bool_message_t {
+ 	seaudit_bool_message_t(void *msg) {
+ 		BEGIN_EXCEPTION
+@@ -475,7 +475,7 @@
+ 	SEAUDIT_AVC_DENIED,
+ 	SEAUDIT_AVC_GRANTED
+ } seaudit_avc_message_type_e;
+-typedef struct seaudit_avc_message {} seaudit_avc_message_t;
++typedef struct {} seaudit_avc_message_t;
+ %extend seaudit_avc_message_t {
+ 	seaudit_avc_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -606,7 +606,7 @@
+ 	SEAUDIT_FILTER_DATE_MATCH_AFTER,
+ 	SEAUDIT_FILTER_DATE_MATCH_BETWEEN
+ } seaudit_filter_date_match_e;
+-typedef struct seaudit_filter {} seaudit_filter_t;
++typedef struct {} seaudit_filter_t;
+ %extend seaudit_filter_t {
+ 	seaudit_filter_t(char *name = NULL) {
+ 		seaudit_filter_t *sf = NULL;
+@@ -1012,7 +1012,7 @@
+ %}
+ 
+ /* seaudit sort */
+-typedef struct seaudit_sort {} seaudit_sort_t;
++typedef struct {} seaudit_sort_t;
+ %extend seaudit_sort_t {
+ 	seaudit_sort_t() {
+ 		BEGIN_EXCEPTION
+@@ -1101,17 +1101,17 @@
+ %typemap(in) seaudit_filter_t *filter {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_filter, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_filter_t, 0 |  0 );
+ 	$1 = (seaudit_filter_t*)x;
+ }
+ %typemap(in) seaudit_sort_t *ssort {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_sort, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_sort_t, 0 |  0 );
+ 	$1 = (seaudit_sort_t*)x;
+ }
+ #endif
+-typedef struct seaudit_model {} seaudit_model_t;
++typedef struct {} seaudit_model_t;
+ %extend seaudit_model_t {
+ 	seaudit_model_t(char *name = NULL, seaudit_log_t *slog = NULL) {
+ 		seaudit_model_t *smod;
+@@ -1309,7 +1309,7 @@
+ 	SEAUDIT_REPORT_FORMAT_TEXT,
+ 	SEAUDIT_REPORT_FORMAT_HTML
+ } seaudit_report_format_e;
+-typedef struct seaudit_report {} seaudit_report_t;
++typedef struct {} seaudit_report_t;
+ %extend seaudit_report_t {
+ 	seaudit_report_t(seaudit_model_t *m) {
+ 		seaudit_report_t *sr;
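Review bot: three edits in this embedded patch are not the same mechanical tag removal as the rest, and the description should say why they are needed. In libpoldiff/swig/poldiff.i the hunk at -258 drops the tag from `typedef struct poldiff_stats {` inside a `%{ ... %}` block, which is C code copied into the wrapper rather than a SWIG declaration. In libseaudit/swig/seaudit.i the hunk at -240 changes `typedef struct tm {` while the `%{ typedef struct tm tm_t; %}` just above it still names `struct tm`. In libqpol/swig/qpol.i the `qpol_callback_fn_t` typedef still takes `struct qpol_policy * policy` right after `qpol_policy_t` loses its tag. Separately, the typemaps that switch to `SWIGTYPE_p_apol_policy_t`, `SWIGTYPE_p_seaudit_filter_t` and `SWIGTYPE_p_seaudit_sort_t` still ignore the return value of `SWIG_ConvertPtr`, so a failed conversion goes unnoticed and `$1` is set from whatever is in `x`; since those lines are being touched anyway, checking the result is worth doing here or raising upstream.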
diff --git a/package/setools/Config.in b/package/setools/Config.in
new file mode 100644
index 0000000..ba432b3
--- /dev/null
+++ b/package/setools/Config.in
@@ -0,0 +1,23 @@
+config BR2_PACKAGE_SETOOLS
+	bool "setools"
+	select BR2_PACKAGE_LIBSELINUX
+	select BR2_PACKAGE_SQLITE
+	select BR2_PACKAGE_LIBXML2
+	select BR2_PACKAGE_BZIP2
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	help
+	  SETools is an open source project designed to facilitate
+	  SELinux policy analysis. The primary tools are:
+	   * apol - analyze a SELinux policy.
+	   * seaudit - analyze audit messages from SELinux.
+	   * seaudit-report - generate highly-customized audit log
+	     reports.
+	   * sechecker - command line tool for performing modular
+	     checks on an SELinux policy.
+	   * sediff - semantic policy difference tool for SELinux.
+	   * secmds - command-line tools to analyze and search SELinux
+             policy.
+
+comment "setools needs a toolchain w/ largefile, threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
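Review bot: the help text has no upstream URL as its last line, and the continuation line `policy.` under secmds is indented with spaces where the rest of the help uses a tab plus spaces. Add the project URL after a blank line at the end of the help and fix the whitespace. The `select` list also has no `BR2_PACKAGE_LIBSEPOL`, although setools.mk passes `--with-sepol-devel`; if libselinux is relied on to pull it in, say so in a comment.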
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
new file mode 100644
index 0000000..bdae372
--- /dev/null
+++ b/package/setools/setools.mk
@@ -0,0 +1,69 @@
+################################################################################
+#
+# setools
+#
+################################################################################
+
+SETOOLS_VERSION = 3.3.8
+SETOOLS_SOURCE = setools-$(SETOOLS_VERSION).tar.bz2
+SETOOLS_SITE = http://oss.tresys.com/projects/setools/chrome/site/dists/setools-$(SETOOLS_VERSION)/
+SETOOLS_DEPENDENCIES = libselinux sqlite libxml2 bzip2
+
+SETOOLS_INSTALL_STAGING = YES
+
+SETOOLS_AUTORECONF = YES
+SETOOLS_AUTORECONF_OPTS = -i -s
+SETOOLS_LIBTOOL_PATCH = NO
+
+# Notes: Need "disable-selinux-check" so the configure does not check to see if host has
+#        selinux enabled.
+SETOOLS_CONF_OPTS = \
+	--disable-debug \
+	--disable-gui \
+	--disable-bwidget-check \
+	--disable-selinux-check \
+	--disable-swig-java \
+	--disable-swig-python \
+	--disable-swig-tcl \
+	--with-sepol-devel="$(STAGING_DIR)/usr" \
+	--with-selinux-devel="$(STAGING_DIR)/usr"
+
+
+HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-sqlite \
+	host-libxml2 host-bzip2
+
+HOST_SETOOLS_AUTORECONF = YES
+HOST_SETOOLS_AUTORECONF_OPTS = -i -s
+
+# Notes: Need "disable-selinux-check" so the configure does not check to see if host has
+#        selinux enabled.
+HOST_SETOOLS_CONF_OPTS = \
+	--disable-debug \
+	--disable-gui \
+	--disable-bwidget-check \
+	--disable-selinux-check \
+	--disable-swig-java \
+	--disable-swig-python \
+	--disable-swig-tcl \
+	--with-sepol-devel="$(HOST_DIR)/usr" \
+	--with-selinux-devel="$(HOST_DIR)/usr"
+
+# python related conf options
+HOST_SETOOLS_DEPENDENCIES += host-python host-swig
+HOST_SETOOLS_CONF_ENV += \
+	am_cv_pathless_PYTHON=python \
+	ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
+	am_cv_python_version=$(PYTHON_VERSION) \
+	am_cv_python_platform=linux2 \
+	am_cv_python_pythondir=$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+	am_cv_python_pyexecdir=$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+	am_cv_python_includes=-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
+HOST_SETOOLS_CONF_OPTS += \
+	--enable-swig-python \
+	PYTHON_CPPFLAGS="-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)" \
+	PYTHON_LDFLAGS="-L$(HOST_DIR)/usr/lib/" \
+	PYTHON_SITE_PKG="$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages" \
+	PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil -lpython$(PYTHON_VERSION_MAJOR)"
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
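Review bot: `HOST_SETOOLS_CONF_OPTS` first passes `--disable-swig-python` and later appends `--enable-swig-python`, so configure sees both and the outcome depends on argument order; drop the disable from the host list. Target `SETOOLS_DEPENDENCIES` lacks `libsepol` while the host list has `host-libsepol` and both builds pass `--with-sepol-devel`. The file defines no `SETOOLS_LICENSE` or `SETOOLS_LICENSE_FILES`, and `am_cv_python_platform=linux2` is hard-coded without a comment. `SETOOLS_SITE` is a plain http URL, so make sure the package carries a hash for the tarball.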
-- 
1.9.1


* [Buildroot] [PATCH 08/30] python-pyparsing: Add host build option
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (6 preceding siblings ...)
  2014-12-16  3:53 ` [Buildroot] [PATCH 07/30] setools: new package Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 09/30] audit: new package Matt Weber
                   ` (22 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/python-pyparsing/python-pyparsing.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/python-pyparsing/python-pyparsing.mk b/package/python-pyparsing/python-pyparsing.mk
index 8e83f34..0f5fb71 100644
--- a/package/python-pyparsing/python-pyparsing.mk
+++ b/package/python-pyparsing/python-pyparsing.mk
@@ -12,3 +12,4 @@ PYTHON_PYPARSING_LICENSE_FILES = LICENSE
 PYTHON_PYPARSING_SETUP_TYPE = distutils
 
 $(eval $(python-package))
+$(eval $(host-python-package))
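Review bot: the commit message has no body, so nothing records which host package needs pyparsing. Name the consumer (the audit patch later in this series checks for it with `AC_PYTHON_MODULE(pyparsing, 1)`) so this one-line change can be judged on its own.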
-- 
1.9.1


* [Buildroot] [PATCH 09/30] audit: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (7 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 08/30] python-pyparsing: Add host build option Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 10/30] policycoreutils: " Matt Weber
                   ` (21 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/Config.in                                  |    1 +
 .../0001-cross-compile-header-creation-fix.patch   | 1424 ++++++++++++++++++++
 package/audit/0002-remove-zos-plugin.patch         |   35 +
 package/audit/Config.in                            |   14 +
 package/audit/S01auditd                            |  172 +++
 package/audit/audit.mk                             |   57 +
 6 files changed, 1703 insertions(+)
 create mode 100644 package/audit/0001-cross-compile-header-creation-fix.patch
 create mode 100644 package/audit/0002-remove-zos-plugin.patch
 create mode 100644 package/audit/Config.in
 create mode 100644 package/audit/S01auditd
 create mode 100644 package/audit/audit.mk

diff --git a/package/Config.in b/package/Config.in
index 8cbcd80..0623d37 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1221,6 +1221,7 @@ endmenu
 menu "System tools"
 	source "package/acl/Config.in"
 	source "package/attr/Config.in"
+	source "package/audit/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 	source "package/bootutils/Config.in"
 	source "package/coreutils/Config.in"
diff --git a/package/audit/0001-cross-compile-header-creation-fix.patch b/package/audit/0001-cross-compile-header-creation-fix.patch
new file mode 100644
index 0000000..65d98d5
--- /dev/null
+++ b/package/audit/0001-cross-compile-header-creation-fix.patch
@@ -0,0 +1,1424 @@
+Rework the build system to generate the required header files using a 
+Python script rather than compiling executables.  This change has
+to be made because the executables that are generated are built for
+the target architecture and are generally not compilable on the host
+build machine.  
+
+The code has been submitted to the audit maintainers for review.
+The first of three patches can be seen at the following link.
+https://www.redhat.com/archives/linux-audit/2013-August/msg00043.html
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/configure.ac b/configure.ac
+--- a/configure.ac	2013-07-29 16:37:01.000000000 -0500
++++ b/configure.ac	2013-08-21 13:29:55.760585744 -0500
+@@ -51,11 +51,14 @@
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AC_PROG_AWK
++AM_PATH_PYTHON
++AC_PYTHON_MODULE(pyparsing, 1)
+ 
+ echo .
+ echo Checking for header files
+ AC_HEADER_STDC
+ AC_HEADER_TIME
++AC_CHECK_HEADER([Python.h])
+ 
+ AC_C_CONST
+ AC_C_INLINE
+@@ -89,14 +92,13 @@
+ 	AC_MSG_RESULT(no)
+ else
+ AC_MSG_RESULT(testing)
+-AM_PATH_PYTHON
+-if test -f /usr/include/python${am_cv_python_version}/Python.h ; then
++if test x$ac_cv_header_Python_h != x ; then
+ 	python_found="yes"
+ 	AC_MSG_NOTICE(Python bindings will be built)
+ else
+ 	python_found="no"
+ 	if test x$use_python = xyes ; then
+-		AC_MSG_ERROR([Python explicitly required and python headers found])
++		AC_MSG_ERROR([Python explicitly required and python headers not found])
+ 	else
+ 		AC_MSG_WARN("Python headers not found - python bindings will not be made")
+ 	fi
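Review bot: in the rewritten header test in configure.ac, `if test x$ac_cv_header_Python_h != x` is true for any non-empty value, and `AC_CHECK_HEADER` sets that cache variable to `no` as well as `yes`, so `python_found` ends up `yes` even when Python.h is missing. Compare against `yes` instead, for example `if test "x$ac_cv_header_Python_h" = xyes`. Moving `AM_PATH_PYTHON` to the top level and adding `AC_PYTHON_MODULE(pyparsing, 1)` also makes Python and pyparsing a hard requirement for every build of audit, which deserves a sentence in the description above, and the `Signed-off-by` line in that description is missing its colon.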
+diff -urN a/bindings/python/Makefile.am b/bindings/python/Makefile.am
+--- a/bindings/python/Makefile.am	2013-07-29 16:37:00.000000000 -0500
++++ b/bindings/python/Makefile.am	2013-09-11 08:18:41.437704969 -0500
+@@ -26,6 +26,6 @@
+ pyexec_LTLIBRARIES = auparse.la
+ 
+ auparse_la_SOURCES = auparse_python.c
+-auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -I/usr/include/python$(PYTHON_VERSION) -fno-strict-aliasing
++auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -fno-strict-aliasing
+ auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro
+ auparse_la_LIBADD = ../../auparse/libauparse.la ../../lib/libaudit.la
+diff -urN /dev/null b/m4/ax_python_module.m4
+--- /dev/null	2013-06-19 11:25:31.230442052 -0500
++++ b/m4/ax_python_module.m4	2013-08-21 12:43:56.829882655 -0500
+@@ -0,0 +1,49 @@
++# ===========================================================================
++#     http://www.gnu.org/software/autoconf-archive/ax_python_module.html
++# ===========================================================================
++#
++# SYNOPSIS
++#
++#   AX_PYTHON_MODULE(modname[, fatal])
++#
++# DESCRIPTION
++#
++#   Checks for Python module.
++#
++#   If fatal is non-empty then absence of a module will trigger an error.
++#
++# LICENSE
++#
++#   Copyright (c) 2008 Andrew Collier
++#
++#   Copying and distribution of this file, with or without modification, are
++#   permitted in any medium without royalty provided the copyright notice
++#   and this notice are preserved. This file is offered as-is, without any
++#   warranty.
++
++#serial 6
++
++AU_ALIAS([AC_PYTHON_MODULE], [AX_PYTHON_MODULE])
++AC_DEFUN([AX_PYTHON_MODULE],[
++    if test -z $PYTHON;
++    then
++        PYTHON="python"
++    fi
++    PYTHON_NAME=`basename $PYTHON`
++    AC_MSG_CHECKING($PYTHON_NAME module: $1)
++	$PYTHON -c "import $1" 2>/dev/null
++	if test $? -eq 0;
++	then
++		AC_MSG_RESULT(yes)
++		eval AS_TR_CPP(HAVE_PYMOD_$1)=yes
++	else
++		AC_MSG_RESULT(no)
++		eval AS_TR_CPP(HAVE_PYMOD_$1)=no
++		#
++		if test -n "$2"
++		then
++			AC_MSG_ERROR(failed to find required module $1)
++			exit 1
++		fi
++	fi
++])
+diff -urN a/auparse/Makefile.am b/auparse/Makefile.am
+--- a/auparse/Makefile.am	2013-07-29 16:37:01.000000000 -0500
++++ b/auparse/Makefile.am	2013-08-19 14:37:31.230510790 -0500
+@@ -52,8 +52,8 @@
+ 	rlimittabs.h recvtabs.h schedtabs.h seccomptabs.h \
+ 	seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \
+ 	socktabs.h sockleveltabs.h socktypetabs.h \
+-	tcpoptnametabs.h typetabs.h umounttabs.h
+-noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
++	tcpoptnametabs.h typetabs.h umounttabs.h \
++	gen_accesstabs_h gen_captabs_h gen_clock_h \
+ 	gen_clone-flagtabs_h \
+ 	gen_epoll_ctls_h gen_famtabs_h \
+ 	gen_fcntl-cmdtabs_h gen_flagtabs_h \
+@@ -69,187 +69,184 @@
+ 	gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
+ 	gen_umounttabs_h
+ 
+-gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
+-gen_accesstabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="accesstab.h"'
++gen_accesstabs_h: ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"accesstab.h\" -E -o $@ ../lib/gen_tables.c
+ accesstabs.h: gen_accesstabs_h Makefile
+-	./gen_accesstabs_h --i2s-transtab access > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab access gen_accesstabs_h $@
+ 
+-gen_captabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h
+-gen_captabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="captab.h"'
++gen_captabs_h: ../lib/gen_tables.c ../lib/gen_tables.h captab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"captab.h\" -E -o $@ ../lib/gen_tables.c
+ captabs.h: gen_captabs_h Makefile
+-	./gen_captabs_h --i2s cap > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s cap gen_captabs_h $@
+ 
+-gen_clock_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
+-gen_clock_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clocktab.h"'
++gen_clock_h: ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"clocktab.h\" -E -o $@ ../lib/gen_tables.c
+ clocktabs.h: gen_clock_h Makefile
+-	./gen_clock_h --i2s clock > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s clock gen_clock_h $@
+ 
+-gen_clone_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	clone-flagtab.h
+-gen_clone_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clone-flagtab.h"'
++gen_clone-flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h clone-flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"clone-flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ clone-flagtabs.h: gen_clone-flagtabs_h Makefile
+-	./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab clone_flag gen_clone-flagtabs_h $@
+ 
+-gen_epoll_ctls_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
+-gen_epoll_ctls_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="epoll_ctl.h"'
++gen_epoll_ctls_h: ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"epoll_ctl.h\" -E -o $@ ../lib/gen_tables.c
+ epoll_ctls.h: gen_epoll_ctls_h Makefile
+-	./gen_epoll_ctls_h --i2s epoll_ctl > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s epoll_ctl gen_epoll_ctls_h $@
+ 
+-gen_famtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
+-gen_famtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="famtab.h"'
++gen_famtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"famtab.h\" -E -o $@ ../lib/gen_tables.c
+ famtabs.h: gen_famtabs_h Makefile
+-	./gen_famtabs_h --i2s fam > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s fam gen_famtabs_h $@
+ 
+-gen_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h
+ # ../auparse/ is used to avoid using ../lib/flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="../auparse/flagtab.h"'
++gen_flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ../auparse/flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"../auparse/flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ flagtabs.h: gen_flagtabs_h Makefile
+-	./gen_flagtabs_h --i2s-transtab flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab flag gen_flagtabs_h $@
+ 
+-gen_fcntl_cmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	fcntl-cmdtab.h
+-gen_fcntl_cmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fcntl-cmdtab.h"'
++gen_fcntl-cmdtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h fcntl-cmdtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"fcntl-cmdtab.h\" -E -o $@ ../lib/gen_tables.c
+ fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile
+-	./gen_fcntl-cmdtabs_h --i2s fcntl > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s fcntl gen_fcntl-cmdtabs_h $@
+ 
+-gen_icmptypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
+-gen_icmptypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="icmptypetab.h"'
++gen_icmptypetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"icmptypetab.h\" -E -o $@ ../lib/gen_tables.c
+ icmptypetabs.h: gen_icmptypetabs_h Makefile
+-	./gen_icmptypetabs_h --i2s icmptype > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s icmptype gen_icmptypetabs_h $@
+ 
+-gen_ipctabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
+-gen_ipctabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipctab.h"'
++gen_ipctabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipctab.h\" -E -o $@ ../lib/gen_tables.c
+ ipctabs.h: gen_ipctabs_h Makefile
+-	./gen_ipctabs_h --i2s ipc > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ipc gen_ipctabs_h $@
+ 
+-gen_ipccmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
+-gen_ipccmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipccmdtab.h"'
++gen_ipccmdtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipccmdtab.h\" -E -o $@ ../lib/gen_tables.c
+ ipccmdtabs.h: gen_ipccmdtabs_h Makefile
+-	./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab ipccmd gen_ipccmdtabs_h $@
+ 
+-gen_ipoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
+-gen_ipoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipoptnametab.h"'
++gen_ipoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ ipoptnametabs.h: gen_ipoptnametabs_h Makefile
+-	./gen_ipoptnametabs_h --i2s ipoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ipoptname gen_ipoptnametabs_h $@
+ 
+-gen_ip6optnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
+-gen_ip6optnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ip6optnametab.h"'
++gen_ip6optnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ip6optnametab.h\" -E -o $@ ../lib/gen_tables.c
+ ip6optnametabs.h: gen_ip6optnametabs_h Makefile
+-	./gen_ip6optnametabs_h --i2s ip6optname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ip6optname gen_ip6optnametabs_h $@
+ 
+-gen_mmaptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
+-gen_mmaptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mmaptab.h"'
++gen_mmaptabs_h: ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"mmaptab.h\" -E -o $@ ../lib/gen_tables.c
+ mmaptabs.h: gen_mmaptabs_h Makefile
+-	./gen_mmaptabs_h --i2s-transtab mmap > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab mmap gen_mmaptabs_h $@
+ 
+-gen_mounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
+-gen_mounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mounttab.h"'
++gen_mounttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"mounttab.h\" -E -o $@ ../lib/gen_tables.c
+ mounttabs.h: gen_mounttabs_h Makefile
+-	./gen_mounttabs_h --i2s-transtab mount > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab mount gen_mounttabs_h $@
+ 
+-gen_nfprototabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
+-gen_nfprototabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="nfprototab.h"'
++gen_nfprototabs_h: ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"nfprototab.h\" -E -o $@ ../lib/gen_tables.c
+ nfprototabs.h: gen_nfprototabs_h Makefile
+-	./gen_nfprototabs_h --i2s nfproto > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s nfproto gen_nfprototabs_h $@
+ 
+-gen_open_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	open-flagtab.h
+-gen_open_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="open-flagtab.h"'
++gen_open-flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h open-flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"open-flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ open-flagtabs.h: gen_open-flagtabs_h Makefile
+-	./gen_open-flagtabs_h --i2s-transtab open_flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab open_flag gen_open-flagtabs_h $@
+ 
+-gen_persontabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
+-gen_persontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="persontab.h"'
++gen_persontabs_h: ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"persontab.h\" -E -o $@ ../lib/gen_tables.c
+ persontabs.h: gen_persontabs_h Makefile
+-	./gen_persontabs_h --i2s person > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s person gen_persontabs_h $@
+ 
+-gen_ptracetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
+-gen_ptracetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ptracetab.h"'
++gen_ptracetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ptracetab.h\" -E -o $@ ../lib/gen_tables.c
+ ptracetabs.h: gen_ptracetabs_h Makefile
+-	./gen_ptracetabs_h --i2s ptrace > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ptrace gen_ptracetabs_h $@
+ 
+-gen_prctl_opttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
+-gen_prctl_opttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prctl-opt-tab.h"'
++gen_prctl_opttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"prctl-opt-tab.h\" -E -o $@ ../lib/gen_tables.c
+ prctl_opttabs.h: gen_prctl_opttabs_h Makefile
+-	./gen_prctl_opttabs_h --i2s prctl_opt > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s prctl_opt gen_prctl_opttabs_h $@
+ 
+-gen_pktoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
+-gen_pktoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="pktoptnametab.h"'
++gen_pktoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"pktoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ pktoptnametabs.h: gen_pktoptnametabs_h Makefile
+-	./gen_pktoptnametabs_h --i2s pktoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s pktoptname gen_pktoptnametabs_h $@
+ 
+-gen_prottabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
+-gen_prottabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prottab.h"'
++gen_prottabs_h: ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"prottab.h\" -E -o $@ ../lib/gen_tables.c
+ prottabs.h: gen_prottabs_h Makefile
+-	./gen_prottabs_h --i2s-transtab prot > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab prot gen_prottabs_h $@
+ 
+-gen_recvtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
+-gen_recvtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="recvtab.h"'
++gen_recvtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"recvtab.h\" -E -o $@ ../lib/gen_tables.c
+ recvtabs.h: gen_recvtabs_h Makefile
+-	./gen_recvtabs_h --i2s-transtab recv > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab recv gen_recvtabs_h $@
+ 
+-gen_rlimit_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
+-gen_rlimit_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="rlimittab.h"'
++gen_rlimit_h: ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"rlimittab.h\" -E -o $@ ../lib/gen_tables.c
+ rlimittabs.h: gen_rlimit_h Makefile
+-	./gen_rlimit_h --i2s rlimit > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s rlimit gen_rlimit_h $@
+ 
+-gen_schedtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
+-gen_schedtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="schedtab.h"'
++gen_schedtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"schedtab.h\" -E -o $@ ../lib/gen_tables.c
+ schedtabs.h: gen_schedtabs_h Makefile
+-	./gen_schedtabs_h --i2s sched > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sched gen_schedtabs_h $@
+ 
+-gen_seccomptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
+-gen_seccomptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seccomptab.h"'
++gen_seccomptabs_h: ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"seccomptab.h\" -E -o $@ ../lib/gen_tables.c
+ seccomptabs.h: gen_seccomptabs_h Makefile
+-	./gen_seccomptabs_h --i2s seccomp > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s seccomp gen_seccomptabs_h $@
+ 
+-gen_seektabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
+-gen_seektabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seektab.h"'
++gen_seektabs_h: ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"seektab.h\" -E -o $@ ../lib/gen_tables.c
+ seektabs.h: gen_seektabs_h Makefile
+-	./gen_seektabs_h --i2s seek > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s seek gen_seektabs_h $@
+ 
+-gen_shm_modetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
+-gen_shm_modetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="shm_modetab.h"'
++gen_shm_modetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"shm_modetab.h\" -E -o $@ ../lib/gen_tables.c
+ shm_modetabs.h: gen_shm_modetabs_h Makefile
+-	./gen_shm_modetabs_h --i2s-transtab shm_mode > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab shm_mode gen_shm_modetabs_h $@
+ 
+-gen_signals_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
+-gen_signals_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="signaltab.h"'
++gen_signals_h: ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"signaltab.h\" -E -o $@ ../lib/gen_tables.c
+ signaltabs.h: gen_signals_h Makefile
+-	./gen_signals_h --i2s signal > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s signal gen_signals_h $@
+ 
+-gen_sockleveltabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
+-gen_sockleveltabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockleveltab.h"'
++gen_sockleveltabs_h: ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"sockleveltab.h\" -E -o $@ ../lib/gen_tables.c
+ sockleveltabs.h: gen_sockleveltabs_h Makefile
+-	./gen_sockleveltabs_h --i2s socklevel > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s socklevel gen_sockleveltabs_h $@
+ 
+-gen_sockoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
+-gen_sockoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockoptnametab.h"'
++gen_sockoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"sockoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ sockoptnametabs.h: gen_sockoptnametabs_h Makefile
+-	./gen_sockoptnametabs_h --i2s sockoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sockoptname gen_sockoptnametabs_h $@
+ 
+-gen_socktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
+-gen_socktabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktab.h"'
++gen_socktabs_h: ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"socktab.h\" -E -o $@ ../lib/gen_tables.c
+ socktabs.h: gen_socktabs_h Makefile
+-	./gen_socktabs_h --i2s sock > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sock gen_socktabs_h $@
+ 
+-gen_socktypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
+-gen_socktypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktypetab.h"'
++gen_socktypetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"socktypetab.h\" -E -o $@ ../lib/gen_tables.c
+ socktypetabs.h: gen_socktypetabs_h Makefile
+-	./gen_socktypetabs_h --i2s sock_type > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sock_type gen_socktypetabs_h $@
+ 
+-gen_tcpoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
+-gen_tcpoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="tcpoptnametab.h"'
++gen_tcpoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"tcpoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile
+-	./gen_tcpoptnametabs_h --i2s tcpoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s tcpoptname gen_tcpoptnametabs_h $@
+ 
+-gen_typetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
+-gen_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="typetab.h"'
++gen_typetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"typetab.h\" -E -o $@ ../lib/gen_tables.c
+ typetabs.h: gen_typetabs_h Makefile
+-	./gen_typetabs_h --s2i type > $@
++	$(PYTHON) ../lib/gen_tables.py --s2i type gen_typetabs_h $@
+ 
+-gen_umounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
+-gen_umounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="umounttab.h"'
++gen_umounttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"umounttab.h\" -E -o $@ ../lib/gen_tables.c
+ umounttabs.h: gen_umounttabs_h Makefile
+-	./gen_umounttabs_h --i2s-transtab umount > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab umount gen_umounttabs_h $@
+ 
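Review bot: none of the generated-header rules in this hunk (for example "captabs.h: gen_captabs_h Makefile") list ../lib/gen_tables.py as a prerequisite, so a change to the generator script will not regenerate any table; add the script to each rule's prerequisites. Every recipe also passes three positional arguments ("cap gen_captabs_h $@"), while the usage comment at the top of gen_tables.py documents four (prefix header source output), so one of the two needs to be brought in line with the other. Since gen_captabs_h and its siblings are now preprocessor output from "$(CC) ... -E" rather than helper programs, a name that says so (a .i suffix, for instance) would avoid confusion with the old binaries.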
+diff -urN a/lib/gen_tables.c b/lib/gen_tables.c
+--- a/lib/gen_tables.c	2013-07-29 16:37:01.000000000 -0500
++++ b/lib/gen_tables.c	2013-08-19 10:09:03.060041420 -0500
+@@ -54,19 +54,6 @@
+ #define SHMGET          23
+ #define SHMCTL          24
+ 
+-
+-/* The ratio of table size to number of non-empty elements allowed for a
+-   "direct" s2i table; if the ratio would be bigger, bsearch tables are used
+-   instead.
+-
+-   2 looks like a lot at a first glance, but the bsearch tables need twice as
+-   much space per element, so with the ratio equal to 2 the direct table uses
+-   no more memory and is faster. */
+-#define DIRECT_THRESHOLD 2
+-
+-/* Allow more than one string defined for a single integer value */
+-static bool allow_duplicate_ints; /* = false; */
+-
+ struct value {
+ 	int val;
+ 	const char *s;
+@@ -83,335 +70,11 @@
+ 
+ #define NUM_VALUES (sizeof(values) / sizeof(*values))
+ 
+-/* Compare two "struct value" members by name. */
+-static int
+-cmp_value_strings(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	return strcmp(a->s, b->s);
+-}
+-
+-/* Compare two "struct value" members by value. */
+-static int
+-cmp_value_vals(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	if (a->val > b->val)
+-		return 1;
+-	if (a->val < b->val)
+-		return -1;
+-	/* Preserve the original order if there is an ambiguity, to always use
+-	   the first specified value. */
+-	if (a->orig_index > b->orig_index)
+-		return 1;
+-	if (a->orig_index < b->orig_index)
+-		return -1;
+-	return 0;
+-}
+-
+-/* Compare two "struct value" members by orig_index. */
+-static int
+-cmp_value_orig_index(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	if (a->orig_index > b->orig_index)
+-		return 1;
+-	if (a->orig_index < b->orig_index)
+-		return -1;
+-	return 0;
+-}
+-
+-/* Output the string table, initialize values[*]->s_offset. */
+-static void
+-output_strings(const char *prefix)
+-{
+-	size_t i, offset;
+-
+-	offset = 0;
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		values[i].s_offset = offset;
+-		offset += strlen(values[i].s) + 1;
+-	}
+-	printf("static const char %s_strings[] = \"", prefix);
+-	assert(NUM_VALUES > 0);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		const char *c;
+-
+-		if (i != 0 && i % 10 == 0)
+-			fputs("\"\n"
+-			      "\t\"", stdout);
+-		for (c = values[i].s; *c != '\0'; c++) {
+-			assert(*c != '"' && *c != '\\'
+-			       && isprint((unsigned char)*c));
+-			putc(*c, stdout);
+-		}
+-		if (i != NUM_VALUES - 1)
+-			fputs("\\0", stdout);
+-	}
+-	fputs("\";\n", stdout);
+-}
+-
+-/* Output the string to integer mapping code.
+-   Assume strings are all uppsercase or all lowercase if specified by
+-   parameters; in that case, make the search case-insensitive.
+-   values must be sorted by strings. */
+-static void
+-output_s2i(const char *prefix, bool uppercase, bool lowercase)
+-{
+-	size_t i;
+-
+-	for (i = 0; i < NUM_VALUES - 1; i++) {
+-		assert(strcmp(values[i].s, values[i + 1].s) <= 0);
+-		if (strcmp(values[i].s, values[i + 1].s) == 0) {
+-			fprintf(stderr, "Duplicate value `%s': %d, %d\n",
+-				values[i].s, values[i].val, values[i + 1].val);
+-			abort();
+-		}
+-	}
+-	printf("static const unsigned %s_s2i_s[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		assert(values[i].s_offset <= UINT_MAX);
+-		printf("%zu,", values[i].s_offset);
+-	}
+-	printf("\n"
+-	       "};\n"
+-	       "static const int %s_s2i_i[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		printf("%d,", values[i].val);
+-	}
+-	fputs("\n"
+-	      "};\n", stdout);
+-	assert(!(uppercase && lowercase));
+-	if (uppercase) {
+-		for (i = 0; i < NUM_VALUES; i++) {
+-			const char *c;
+-
+-			for (c = values[i].s; *c != '\0'; c++)
+-				assert(isascii((unsigned char)*c)
+-				       && !GT_ISLOWER(*c));
+-		}
+-	} else if (lowercase) {
+-		for (i = 0; i < NUM_VALUES; i++) {
+-			const char *c;
+-
+-			for (c = values[i].s; *c != '\0'; c++)
+-				assert(isascii((unsigned char)*c)
+-				       && !GT_ISUPPER(*c));
+-		}
+-	}
+-	if (uppercase || lowercase) {
+-		printf("static int %s_s2i(const char *s, int *value) {\n"
+-		       "\tsize_t len, i;\n"
+-		       "\tlen = strlen(s);\n"
+-		       "\t{ char copy[len + 1];\n"
+-		       "\tfor (i = 0; i < len; i++) {\n"
+-		       "\t\tchar c = s[i];\n", prefix);
+-		if (uppercase)
+-			fputs("\t\tcopy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' "
+-							  ": c;\n", stdout);
+-		else
+-			fputs("\t\tcopy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' "
+-							  ": c;\n", stdout);
+-		printf("\t}\n"
+-		       "\tcopy[i] = 0;\n"
+-		       "\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %zu, "
+-				      "copy, value);\n"
+-		       "\t}\n"
+-		       "}\n", prefix, prefix, prefix, NUM_VALUES);
+-	} else
+-		printf("static int %s_s2i(const char *s, int *value) {\n"
+-		       "\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %zu, s, "
+-				      "value);\n"
+-		       "}\n", prefix, prefix, prefix, prefix, NUM_VALUES);
+-}
+-
+-/* Output the string to integer mapping table.
+-   values must be sorted by strings. */
+-static void
+-output_i2s(const char *prefix)
+-{
+-	struct value *unique_values;
+-	int min_val, max_val;
+-	size_t i, n;
+-
+-	assert(NUM_VALUES > 0);
+-	for (i = 0; i < NUM_VALUES - 1; i++) {
+-		assert(values[i].val <= values[i + 1].val);
+-		if (!allow_duplicate_ints
+-		    && values[i].val == values[i + 1].val) {
+-			fprintf(stderr, "Duplicate value %d: `%s', `%s'\n",
+-				values[i].val, values[i].s, values[i + 1].s);
+-			abort();
+-		}
+-	}
+-
+-	unique_values = malloc(NUM_VALUES * sizeof(*unique_values));
+-	assert(unique_values != NULL);
+-	n = 0;
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (n == 0 || unique_values[n - 1].val != values[i].val) {
+-			unique_values[n] = values[i];
+-			n++;
+-		}
+-	}
+-
+-	min_val = unique_values[0].val;
+-	max_val = unique_values[n - 1].val;
+-	if (((double)max_val - (double)min_val) / n <= DIRECT_THRESHOLD) {
+-		int next_index;
+-
+-		printf("static const unsigned %s_i2s_direct[] = {", prefix);
+-		next_index = min_val;
+-		i = 0;
+-		for (;;) {
+-			if ((next_index - min_val) % 10 == 0)
+-				fputs("\n\t", stdout);
+-			while (unique_values[i].val < next_index)
+-				/* This can happen if (allow_duplicate_ints) */
+-				i++;
+-			if (unique_values[i].val == next_index) {
+-				assert(unique_values[i].s_offset <= UINT_MAX);
+-				printf("%zu,", unique_values[i].s_offset);
+-			} else
+-				fputs("-1u,", stdout);
+-			if (next_index == max_val)
+-				/* Done like this to avoid integer overflow */
+-				break;
+-			next_index++;
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const char *%s_i2s(int v) {\n"
+-		       "\treturn i2s_direct__(%s_strings, %s_i2s_direct, %d, "
+-					     "%d, v);\n"
+-		       "}\n", prefix, prefix, prefix, min_val, max_val);
+-	} else {
+-		printf("static const int %s_i2s_i[] = {", prefix);
+-		for (i = 0; i < n; i++) {
+-			if (i % 10 == 0)
+-				fputs("\n\t", stdout);
+-			printf("%d,", unique_values[i].val);
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const unsigned %s_i2s_s[] = {", prefix);
+-		for (i = 0; i < n; i++) {
+-			if (i % 10 == 0)
+-				fputs("\n\t", stdout);
+-			assert(unique_values[i].s_offset <= UINT_MAX);
+-			printf("%zu,", unique_values[i].s_offset);
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const char *%s_i2s(int v) {\n"
+-		       "\treturn i2s_bsearch__(%s_strings, %s_i2s_i, %s_i2s_s, "
+-			      "%zu, v);\n"
+-		       "}\n", prefix, prefix, prefix, prefix, n);
+-	}
+-	free(unique_values);
+-}
+-
+-/* Output the string to integer mapping table as a transtab[].
+-   values must be sorted in the desired order. */
+-static void
+-output_i2s_transtab(const char *prefix)
+-{
+-	size_t i;
+-	char *uc_prefix;
+-
+-	printf("static const struct transtab %s_table[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		printf("{%d,%zu},", values[i].val, values[i].s_offset);
+-	}
+-	uc_prefix = strdup(prefix);
+-	assert(uc_prefix != NULL);
+-	for (i = 0; uc_prefix[i] != '\0'; i++)
+-		uc_prefix[i] = toupper((unsigned char)uc_prefix[i]);
+-	printf("\n"
+-	       "};\n"
+-	       "#define %s_NUM_ENTRIES "
+-	       "(sizeof(%s_table) / sizeof(*%s_table))\n", uc_prefix, prefix,
+-	       prefix);
+-	free(uc_prefix);
+-}
+-
+ int
+ main(int argc, char **argv)
+ {
+-	bool gen_i2s, gen_i2s_transtab, gen_s2i, uppercase, lowercase;
+-	char *prefix;
+-	size_t i;
+-
+ 	/* This is required by gen_tables.h */
+ 	assert(NUM_VALUES <= (SSIZE_MAX / 2 + 1));
+ 
+-	/* To make sure GT_ISUPPER and GT_ISLOWER work. */
+-	assert('Z' == 'A' + 25 && 'z' == 'a' + 25);
+-	gen_i2s = false;
+-	gen_i2s_transtab = false;
+-	gen_s2i = false;
+-	uppercase = false;
+-	lowercase = false;
+-	prefix = NULL;
+-	assert (argc > 1);
+-	for (i = 1; i < (size_t)argc; i++) {
+-		if (strcmp(argv[i], "--i2s") == 0)
+-			gen_i2s = true;
+-		else if (strcmp(argv[i], "--i2s-transtab") == 0)
+-			gen_i2s_transtab = true;
+-		else if (strcmp(argv[i], "--s2i") == 0)
+-			gen_s2i = true;
+-		else if (strcmp(argv[i], "--uppercase") == 0)
+-			uppercase = true;
+-		else if (strcmp(argv[i], "--lowercase") == 0)
+-			lowercase = true;
+-		else if (strcmp(argv[i], "--duplicate-ints") == 0)
+-			allow_duplicate_ints = true;
+-		else {
+-			assert(*argv[i] != '-');
+-			assert(prefix == NULL);
+-			prefix = argv[i];
+-		}
+-	}
+-	assert(prefix != NULL);
+-	assert(!(uppercase && lowercase));
+-
+-	printf("/* This is a generated file, see Makefile.am for its "
+-	       "inputs. */\n");
+-	for (i = 0; i < NUM_VALUES; i++)
+-		values[i].orig_index = i;
+-	qsort(values, NUM_VALUES, sizeof(*values), cmp_value_strings);
+-	/* FIXME? if (gen_s2i), sort the strings in some other order
+-	   (e.g. "first 4 nodes in BFS of the bsearch tree first") to use the
+-	   cache better. */
+-	/* FIXME? If the only thing generated is a transtab, keep the strings
+-	   in the original order to use the cache better. */
+-	output_strings(prefix);
+-	if (gen_s2i)
+-		output_s2i(prefix, uppercase, lowercase);
+-	if (gen_i2s) {
+-		qsort(values, NUM_VALUES, sizeof(*values), cmp_value_vals);
+-		output_i2s(prefix);
+-	}
+-	if (gen_i2s_transtab) {
+-		qsort(values, NUM_VALUES, sizeof(*values),
+-		      cmp_value_orig_index);
+-		output_i2s_transtab(prefix);
+-	}
+ 	return EXIT_SUCCESS;
+ }
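Review bot: the assert(NUM_VALUES <= (SSIZE_MAX / 2 + 1)) kept in main() no longer runs, because the Makefile rules in this patch only preprocess gen_tables.c with -E and never build or execute it, so the limit that the comment says gen_tables.h requires goes unchecked. Port that check to gen_tables.py (or turn it into a compile-time check) and drop the now-dead main(). The removed output_strings() also asserted that every table string is printable and contains no double quote or backslash; the Python output_strings() added later in this patch writes get_str() straight into the C string literal with no equivalent check, so that validation should be carried over as well, otherwise a bad entry in a *tab.h file silently produces a malformed or altered generated header.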
+diff -urN /dev/null b/lib/gen_tables.py
+--- /dev/null	2013-06-19 11:25:31.230442052 -0500
++++ b/lib/gen_tables.py	2013-08-19 14:27:55.639872141 -0500
+@@ -0,0 +1,458 @@
++#!/usr/bin/python
++################################################################################
++# Copyright 2013-2014, Rockwell Collins.  All rights reserved.
++# 
++# This library is free software; you can redistribute it and/or
++# modify it under the terms of the GNU Lesser General Public
++# License as published by the Free Software Foundation; either
++# version 2.1 of the License, or (at your option) any later version.
++# 
++# This library is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# Lesser General Public License for more details.
++# 
++# You should have received a copy of the GNU Lesser General Public
++# License along with this library; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
++# 
++# Authors:
++#      Clayton Shotwell <clshotwe@rockwellcollins.com>
++#
++# Description:
++#      Generator of lookup tables to replace the gen_tables.c method developed
++#      Miloslav Trmac <mitr@redhat.com> to make audit package cross compilable.
++#      The logic in this script mimics the logic in gen_tables.c before the last
++#      modification.
++#
++# Usage: gen_tables.py [-h] [--i2s] [--i2s-transtab] [--s2i]
++#                             [--uppercase | --lowercase] [--duplicate-ints]
++#                             prefix header source output
++#
++#        Generate tables header files.
++#
++#        positional arguments:
++#          prefix            The prefix of the output file to use
++#          header            The header file to parse table values from
++#          source            The source of the preprocessor from the compiler
++#          output            The output header file
++#
++#        optional arguments:
++#          -h, --help        show this help message and exit
++#          --i2s             Generate i2s tables
++#          --i2s-transtab    Generate transtab tables
++#          --s2i             Generate s2i tables
++#          --uppercase       All characters are uppercase
++#          --lowercase       All characters are lowercase
++#          --duplicate-ints  Allow duplicate integers
++
++import argparse
++import ctypes
++import os
++import re
++import sys
++from operator import attrgetter
++from pyparsing import Group, Word, Suppress, alphas, alphanums, nums, cppStyleComment, \
++		Optional, ZeroOrMore
++
++# Number of entries to print per line
++NUM_ENTIRES_IN_LINE = 10
++
++# Global table entries variable that is used everywhere
++ENTRIES = []
++
++# The ratio of table size to number of non-empty elements allowed for a
++# "direct" s2i table; if the ratio would be bigger, bsearch tables are used
++# instead.
++# 
++# 2 looks like a lot at a first glance, but the bsearch tables need twice as
++# much space per element, so with the ratio equal to 2 the direct table uses
++# no more memory and is faster.
++DIRECT_THRESHOLD = 2
++
++# Set to True to enable some debug output
++DEBUG = False
++
++class Entry:
++	def __init__(self, new_s, val):
++		self.st = new_s
++		self.val = val
++		self.offset = 0
++		self.orig_index = 0
++	
++	def set_position(self, offset):
++		self.offset = offset
++	
++	def set_orig_index(self, orig_index):
++		self.orig_index = orig_index
++	
++	def get_str(self):
++		return self.st
++	
++	def __repr__(self):
++		return "<Entry st=%s val=%s>" % (self.st, self.val)
++	
++	def __str__(self):
++		return "Entry of st=%s, val=%s, offset=%d, orig_index=%d" % \
++				(self.st, self.val, self.offset, self.orig_index)
++
++def output_strings(prefix, outfile):
++	try:
++		# Calculate the position each entry will be in the string
++		index = 0
++		for i in range(len(ENTRIES)):
++			ENTRIES[i].set_position(index)
++			# Increment the index by the length of the name plus 1 for the null
++			# character at the end.
++			index += len(ENTRIES[i].get_str()) + 1
++		# Write out the strings
++		outfile.write("static const char %s_strings[] = \"" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i != 0) and (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('"\n\t"')
++			outfile.write(ENTRIES[i].get_str())
++			if (i != (len(ENTRIES) - 1)):
++				outfile.write('\\0')
++		outfile.write('";\n')
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_strings:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_s2i(prefix, outfile, uppercase, lowercase):
++	try:
++		# Check for duplicate values
++		for i in range(len(ENTRIES) - 1):
++			assert (ENTRIES[i].get_str() <= ENTRIES[i + 1].get_str()), "Entries not in the correct order"
++			if (ENTRIES[i].get_str() == ENTRIES[i + 1].get_str()):
++				print("Duplicate value %s: %d, %d" % \
++						(ENTRIES[i].get_str(), ENTRIES[i].val, ENTRIES[i + 1].val))
++				raise
++		
++		# Write out the index to value index values
++		outfile.write("static const unsigned %s_s2i_s[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("%i," % ENTRIES[i].offset)
++		outfile.write('\n};\n')
++		
++		# Write out the string to value actual values
++		outfile.write("static const int %s_s2i_i[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("%i," % ENTRIES[i].val)
++		outfile.write('\n};\n')
++		
++		# Verify the strings are all uppercase or lowercase depending on the arguments
++		# passed in
++		if uppercase:
++			for i in range(len(ENTRIES)):
++				assert (all(ord(c) < 128 for c in ENTRIES[i].get_str()) and \
++						ENTRIES[i].get_str().isupper()), "String %s is not uppercase" % ENTRIES[i].get_str()
++		if lowercase:
++			for i in range(len(ENTRIES)):
++				assert (all(ord(c) < 128 for c in ENTRIES[i].get_str()) and \
++						ENTRIES[i].get_str().islower()), "String %s is not lowercase" % ENTRIES[i].get_str()
++		if uppercase or lowercase:
++			outfile.write("static int %s_s2i(const char *s, int *value) {\n" \
++					"\tsize_t len, i;\n" \
++					"\tlen = strlen(s);\n" \
++					"\t{ char copy[len + 1];\n" \
++					"\tfor (i = 0; i < len; i++) {\n" \
++					"\t\tchar c = s[i];\n" % prefix)
++			if uppercase:
++				outfile.write("\t\tcopy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' : c;\n")
++			else:
++				outfile.write("\t\tcopy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;\n")
++			outfile.write("\t}\n" \
++					"\tcopy[i] = 0;\n" \
++					"\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %d, copy, value);\n" \
++					"\t}\n" \
++					"}\n" % (prefix, prefix, prefix, len(ENTRIES)))
++		else:
++			outfile.write("static int %s_s2i(const char *s, int *value) {\n" \
++					"\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %d, s, value);\n" \
++					"}\n" % (prefix, prefix, prefix, prefix, len(ENTRIES)))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_s2i:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_i2s(prefix, outfile, allow_duplicate_ints):
++	try:
++		# Check for duplicate values
++		for i in range(len(ENTRIES) - 1):
++			assert (ENTRIES[i].val <= ENTRIES[i + 1].val), "Entries not in the correct order"
++			if (not allow_duplicate_ints) and (ENTRIES[i].val == ENTRIES[i + 1].val):
++				print("Duplicate value %d: %s, %s" % (ENTRIES[i].val, ENTRIES[i].get_str(), \
++						ENTRIES[i + 1].get_str()))
++				raise
++		
++		# Find all of the unique values
++		unique_entries = []
++		for i in range(len(ENTRIES)):
++			# If the unique_entries is empty or the last unique_entries entry is different from the 
++			# entry being compared, append the entry
++			if (len(unique_entries) == 0) or (unique_entries[-1].val != ENTRIES[i].val):
++				unique_entries.append(ENTRIES[i])
++		
++		# Determine which mapping to use based on the treshold
++		max_val = unique_entries[-1].val
++		min_val = unique_entries[0].val
++		if ((float(max_val - min_val)/len(unique_entries)) <= DIRECT_THRESHOLD):
++			outfile.write("static const unsigned %s_i2s_direct[] = {" % prefix)
++			next_index = min_val
++			i = 0
++			while True:
++				if (((next_index - min_val) % 10) == 0):
++					outfile.write("\n\t")
++				while (unique_entries[i].val < next_index):
++					# This can happen if (allow_duplicate_ints)
++					i += 1
++				if (unique_entries[i].val == next_index):
++					assert(unique_entries[i].offset <= sys.maxint)
++					outfile.write("%i," % unique_entries[i].offset)
++				else:
++					outfile.write("-1u,")
++				if (next_index == max_val):
++					break
++				next_index += 1
++			outfile.write("\n};\nstatic const char *%s_i2s(int v) {\n" \
++					"\treturn i2s_direct__(%s_strings, %s_i2s_direct, %d, %d, v);\n" \
++					"}\n" % (prefix, prefix, prefix, min_val, max_val))
++		else:
++			outfile.write("static const int %s_i2s_i[] = {" % prefix)
++			for i in range(len(unique_entries)):
++				if (i % 10 == 0):
++					outfile.write("\n\t")
++				outfile.write("%i," % unique_entries[i].val)
++			outfile.write("\n};\nstatic const unsigned %s_i2s_s[] = {" % prefix)
++			for i in range(len(unique_entries)):
++				if (i % 10 == 0):
++					outfile.write("\n\t")
++				assert(unique_entries[i].offset <= sys.maxint)
++				outfile.write("%i," % unique_entries[i].offset)
++			outfile.write("\n };\n static const char *%s_i2s(int v) {\n" \
++					"\treturn i2s_bsearch__(%s_strings, %s_i2s_i, %s_i2s_s, %u, v);\n" \
++					"}\n" % (prefix, prefix, prefix, prefix, len(unique_entries)))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_i2s_transtab(prefix, outfile):
++	"""
++		Output the string to integer mapping table as a transtab[].
++		values must be sorted in the desired order. 
++	"""
++	try:
++		outfile.write("static const struct transtab %s_table[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("{%i,%u}," % (ENTRIES[i].val, ENTRIES[i].offset))
++		outfile.write("\n};\n#define %s_NUM_ENTRIES (sizeof(%s_table) / sizeof(*%s_table))\n" % \
++				(prefix.upper(), prefix, prefix))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s_transtab:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def lookup_enum(look_str, buf):
++	try:
++		# Pull all of the enums out of the preprocessor output out only once
++		# to help speed up all of the lookups
++		if not hasattr(lookup_enum, "enums"):
++			if DEBUG:
++				print("Pulling out the enums from the preprocessor output")
++			# Regex pattern to parse out the enums from the preprocessor output
++			enum_regex = "enum.*?{(?P<s>.*?)}"
++			lookup_enum.enums = re.findall(enum_regex, buf, flags=(re.M | re.S))
++		
++		# find which enum contains the string we are looking for
++		for i in range(len(lookup_enum.enums)):
++			if look_str in lookup_enum.enums[i]:
++				# Determine the value of the variable in the enum
++				enum_string = "enum preproc { " + lookup_enum.enums[i] + " }"
++				enum_string = "".join([line.strip() for line in enum_string])
++				if DEBUG:
++					print("Found %s in %s" % (look_str, enum_string))
++				
++				identifier = Word(alphas, alphanums+'_')
++				opt_value = Word(nums, nums+'x+<>/*')
++				
++				enum_value = Group(identifier('name') + Optional(Suppress('=') + opt_value('value')))
++				enum_list = Group(enum_value + ZeroOrMore(Suppress(',') + enum_value))
++				enum = Suppress('enum') + identifier('enum') + Suppress('{') + enum_list('list') + \
++						Suppress('}')
++				enum.ignore(cppStyleComment)
++				
++				for item, start, stop in enum.scanString(enum_string):
++					temp = 0
++					for entry in item.list:
++						if DEBUG:
++							print("Checking %s against %s" % (look_str, entry.name))
++						if entry.name == look_str:
++							if entry.value != '':
++								# Need to call eval becuase some enums have math in them
++								try:
++									value = eval(entry.value)
++								except:
++									print("Found invalid value %s" % entry.value)
++							else:
++								value = temp
++							if DEBUG:
++								print("Matched the enum name to value %d" % value)
++							return value
++						temp += 1
++	except:
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s_transtab:", exc_type, fname, exc_tb.tb_lineno)
++	print("Unable to find enum value")
++	return None
++
++def evaluate_string(eval_str, buf):
++	if DEBUG:
++		print("Evaluating string %s" % eval_str)
++	
++	# Regex expression for pulling apart the values in the preprocessor output
++	eval_regex = "(?P<val>\w+)"
++	# Since the string can be anything, it must be parsed into individual parts
++	# and evaluated separately to find any enum values
++	matches = re.findall(eval_regex, eval_str)
++	if len(matches) <= 0:
++		print("Could not find any matches")
++	
++	local_s = eval_str
++	value = None
++	i = 0
++	for i in range(len(matches)):
++		try:
++			# If the current item is abled to evaled, there is nothing to do
++			val = eval(matches[i])
++		except:
++			try:
++				# Need to check to see if the last character is a "U" and remove it
++				# if this does not except, a valid number was found
++				if matches[i][-1] == 'U':
++					val = eval(matches[i][:-1])
++					local_s = local_s.replace(matches[i], "%d" % val)
++				else:
++					# Need to do a enum look up for anything that doesnt translate into a number
++					val = lookup_enum(matches[i], buf)
++					if val is not None:
++						local_s = local_s.replace(matches[i], "%d" % val)
++			except:
++				# This case will be hit if the "U" removal fails
++				val = lookup_enum(matches[i], buf)
++				if val is not None:
++					local_s = local_s.replace(matches[i], "%d" % val)
++	try:
++		# This will fail if all of the enums were not found rather
++		# than handling the failues in the above steps
++		# Also, need to convert to a signed 32 bit int for the output value
++		value = ctypes.c_int32(eval(local_s)).value
++		if DEBUG:
++			print("Found value %d for %s" % (value, matches[i]))
++	except:
++		print("Could not parse string %s" % local_s)
++	
++	# Verify the mess above resulted in a number being found
++	if value is None:
++		print("Failed to find value for %s" % eval_str)
++		raise
++	return value
++	
++def remove_output(outfile):
++	path = outfile.name
++	outfile.close()
++	os.remove(path)
++	sys.exit(1)
++
++def main():
++	
++	# Setup the argument parser and parse the arguments given
++	parser = argparse.ArgumentParser(description='Generate tables header files.')
++	parser.add_argument('--i2s', dest='gen_i2s', action='store_true', 
++			help='Generate i2s tables')
++	parser.add_argument('--i2s-transtab', dest='gen_i2s_transtab', action='store_true', 
++			help='Generate transtab tables')
++	parser.add_argument('--s2i', dest='gen_s2i', action='store_true', 
++			help='Generate s2i tables')
++	# Make sure uppercase and lowercase are mutually exclusive
++	group = parser.add_mutually_exclusive_group()
++	group.add_argument('--uppercase', dest='uppercase', action='store_true', 
++			help='All characters are uppercase')
++	group.add_argument('--lowercase', dest='lowercase', action='store_true', 
++			help='All characters are lowercase')
++	parser.add_argument('--duplicate-ints', dest='allow_duplicate_ints', action='store_true', 
++			help='Allow duplicate integers')
++	parser.add_argument('prefix', help='The prefix of the output file to use')
++	parser.add_argument('source', type=argparse.FileType('r'), 
++			help='The source of the preprocessor from the compiler')
++	parser.add_argument('output', type=argparse.FileType('w'), 
++			help='The output header file')
++	args = parser.parse_args()
++	
++	# Regex pattern to parse out the macro and string from the _S calls
++	source_regex = "{ \((?P<val>.*?)\), \(\"(?P<s>\S+)\"\), 0, 0 }"
++	
++	# First parse the header file for all of the preprocessor source that need to
++	# be looked up
++	buf = args.source.read()
++	matches = re.findall(source_regex, buf, flags=re.MULTILINE)
++	
++	# Check to make sure we have matches
++	if (len(matches) <= 0):
++		print("Failed to find valid source")
++		remove_output(args.output)
++		sys.exit(1)
++	
++	try:
++		# Create all of the entry structures
++		global ENTRIES
++		for i in range(len(matches)):
++			ENTRIES.append(Entry(matches[i][1], evaluate_string(matches[i][0], buf)))
++			ENTRIES[i].set_orig_index(i)
++			if DEBUG:
++				print(ENTRIES[i])
++		
++		# Sort the entries alphabetically
++		ENTRIES = sorted(ENTRIES, key=attrgetter('st'))
++		# Print out the output header
++		args.output.write("/* This is a generated file, see Makefile.am for its inputs. */\n")
++		output_strings(args.prefix, args.output)
++		if args.gen_s2i:
++			output_s2i(args.prefix, args.output, args.uppercase, args.lowercase)
++		if args.gen_i2s:
++			ENTRIES = sorted(ENTRIES, key=attrgetter('val'))
++			output_i2s(args.prefix, args.output, args.allow_duplicate_ints)
++		if args.gen_i2s_transtab:
++			ENTRIES = sorted(ENTRIES, key=attrgetter('orig_index'))
++			output_i2s_transtab(args.prefix, args.output)
++	except:
++		# On an error, close and remove the file before returning an error
++		print("Failed to write the output file correctly")
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error:", exc_type, fname, exc_tb.tb_lineno)
++		remove_output(args.output)
++		sys.exit(1)
++
++if __name__ == '__main__':
++	main()
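Review bot: evaluate_string() and lookup_enum() pass text taken from the preprocessor output straight to eval() (`val = eval(matches[i])`, `value = ctypes.c_int32(eval(local_s)).value`, `value = eval(entry.value)`), so any header content that happens to be valid Python is executed at build time. A small integer-expression evaluator (int(x, 0) plus the handful of operators the tables use) would do the same job without running arbitrary code. In lookup_enum(), when that eval fails, `value` is never assigned, so the following `return value` raises NameError, which the outer bare `except:` swallows while printing a message that names output_i2s_transtab. The bare `raise` statements after the "Duplicate value" prints and at the end of evaluate_string() have no active exception to re-raise and only abort by accident; raise an explicit ValueError there. `sys.maxint` in output_i2s() exists only in Python 2, which conflicts with the print() calls written for both versions.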
+diff -urN a/lib/Makefile.am b/lib/Makefile.am
+--- a/lib/Makefile.am	2013-07-29 16:37:01.000000000 -0500
++++ b/lib/Makefile.am	2013-08-19 14:39:58.280509378 -0500
+@@ -40,119 +40,109 @@
+ BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
+ 	ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
+ 	msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
+-	s390x_tables.h x86_64_tables.h
+-if USE_ALPHA
+-BUILT_SOURCES += alpha_tables.h
+-endif
+-if USE_ARMEB
+-BUILT_SOURCES += armeb_tables.h
+-endif
+-if USE_AARCH64
+-BUILT_SOURCES += aarch64_tables.h
+-endif
+-noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
++	s390x_tables.h x86_64_tables.h \
++	gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
+ 	gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
+ 	gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
+ 	gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
+-	gen_s390x_tables_h gen_x86_64_tables_h
++	gen_s390x_tables_h gen_x86_64_tables_h 
+ if USE_ALPHA
+-noinst_PROGRAMS += gen_alpha_tables_h
++BUILT_SOURCES += alpha_tables.h gen_alpha_tables_h
+ endif
+ if USE_ARMEB
+-noinst_PROGRAMS += gen_armeb_tables_h
++BUILT_SOURCES += armeb_tables.h gen_armeb_tables_h
+ endif
+ if USE_AARCH64
+-noinst_PROGRAMS += gen_aarch64_tables_h
++BUILT_SOURCES += aarch64_tables.h gen_aarch64_tables_h
+ endif
+-gen_actiontabs_h_SOURCES = gen_tables.c gen_tables.h actiontab.h
+-gen_actiontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="actiontab.h"'
++
++gen_actiontabs_h: gen_tables.c gen_tables.h actiontab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"actiontab.h\" -E -o $@ gen_tables.c
+ actiontabs.h: gen_actiontabs_h Makefile
+-	./gen_actiontabs_h --lowercase --i2s --s2i action > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i action gen_actiontabs_h $@
+ 
+ if USE_ALPHA
+-gen_alpha_tables_h_SOURCES = gen_tables.c gen_tables.h alpha_table.h
+-gen_alpha_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="alpha_table.h"'
++gen_alpha_tables_h: gen_tables.c gen_tables.h alpha_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"alpha_table.h\" -E -o $@ gen_tables.c
+ alpha_tables.h: gen_alpha_tables_h Makefile
+-	./gen_alpha_tables_h --lowercase --i2s --s2i alpha_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i alpha_syscall gen_alpha_tables_h $@
+ endif
+ 
+ if USE_ARMEB
+-gen_armeb_tables_h_SOURCES = gen_tables.c gen_tables.h armeb_table.h
+-gen_armeb_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="armeb_table.h"'
+-armeb_tables.h: gen_armeb_tables_h Makefile
+-	./gen_armeb_tables_h --lowercase --i2s --s2i armeb_syscall > $@
++gen_armeb_tables_h: gen_tables.c gen_tables.h armeb_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"armeb_table.h\" -E -o $@ gen_tables.c
++armeb_tables.h: gen_armeb_tables_h Makefile
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i armeb_syscall gen_armeb_tables_h $@
+ endif
+ 
+ if USE_AARCH64
+-gen_aarch64_tables_h_SOURCES = gen_tables.c gen_tables.h aarch64_table.h
+-gen_aarch64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="aarch64_table.h"'
++gen_aarch64_tables_h: gen_tables.c gen_tables.h aarch64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"aarch64_table.h\" -E -o $@ gen_tables.c
+ aarch64_tables.h: gen_aarch64_tables_h Makefile
+-	./gen_aarch64_tables_h --lowercase --i2s --s2i aarch64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i aarch64_syscall gen_aarch64_tables_h $@
+ endif
+ 
+-gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h
+-gen_errtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="errtab.h"'
++gen_errtabs_h: gen_tables.c gen_tables.h errtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"errtab.h\" -E -o $@ gen_tables.c
+ errtabs.h: gen_errtabs_h Makefile
+-	./gen_errtabs_h --duplicate-ints --uppercase --i2s --s2i err > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --uppercase --i2s --s2i err gen_errtabs_h $@
+ 
+-gen_fieldtabs_h_SOURCES = gen_tables.c gen_tables.h fieldtab.h
+-gen_fieldtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fieldtab.h"'
++gen_fieldtabs_h: gen_tables.c gen_tables.h fieldtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"fieldtab.h\" -E -o $@ gen_tables.c
+ fieldtabs.h: gen_fieldtabs_h Makefile
+-	./gen_fieldtabs_h --duplicate-ints --lowercase --i2s --s2i field > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i field gen_fieldtabs_h $@
+ 
+-gen_flagtabs_h_SOURCES = gen_tables.c gen_tables.h flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="flagtab.h"'
++gen_flagtabs_h: gen_tables.c gen_tables.h flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"flagtab.h\" -E -o $@ gen_tables.c
+ flagtabs.h: gen_flagtabs_h Makefile
+-	./gen_flagtabs_h --lowercase --i2s --s2i flag > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i flag gen_flagtabs_h $@
+ 
+-gen_ftypetabs_h_SOURCES = gen_tables.c gen_tables.h ftypetab.h
+-gen_ftypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ftypetab.h"'
++gen_ftypetabs_h: gen_tables.c gen_tables.h ftypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ftypetab.h\" -E -o $@ gen_tables.c
+ ftypetabs.h: gen_ftypetabs_h Makefile
+-	./gen_ftypetabs_h --lowercase --i2s --s2i ftype > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ftype gen_ftypetabs_h $@
+ 
+-gen_i386_tables_h_SOURCES = gen_tables.c gen_tables.h i386_table.h
+-gen_i386_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="i386_table.h"'
++gen_i386_tables_h: gen_tables.c gen_tables.h i386_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"i386_table.h\" -E -o $@ gen_tables.c
+ i386_tables.h: gen_i386_tables_h Makefile
+-	./gen_i386_tables_h --duplicate-ints --lowercase --i2s --s2i \
+-		i386_syscall > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i i386_syscall gen_i386_tables_h $@
+ 
+-gen_ia64_tables_h_SOURCES = gen_tables.c gen_tables.h ia64_table.h
+-gen_ia64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ia64_table.h"'
++gen_ia64_tables_h: gen_tables.c gen_tables.h ia64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ia64_table.h\" -E -o $@ gen_tables.c
+ ia64_tables.h: gen_ia64_tables_h Makefile
+-	./gen_ia64_tables_h --lowercase --i2s --s2i ia64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ia64_syscall gen_ia64_tables_h $@
+ 
+-gen_machinetabs_h_SOURCES = gen_tables.c gen_tables.h machinetab.h
+-gen_machinetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="machinetab.h"'
++gen_machinetabs_h: gen_tables.c gen_tables.h machinetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"machinetab.h\" -E -o $@ gen_tables.c
+ machinetabs.h: gen_machinetabs_h Makefile
+-	./gen_machinetabs_h --duplicate-ints --lowercase --i2s --s2i machine \
+-		> $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i machine gen_machinetabs_h $@
+ 
+-gen_msg_typetabs_h_SOURCES = gen_tables.c gen_tables.h msg_typetab.h
+-gen_msg_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="msg_typetab.h"'
++gen_msg_typetabs_h: gen_tables.c gen_tables.h msg_typetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"msg_typetab.h\" -E -o $@ gen_tables.c
+ msg_typetabs.h: gen_msg_typetabs_h Makefile
+-	./gen_msg_typetabs_h --uppercase --i2s --s2i msg_type > $@
++	$(PYTHON) gen_tables.py --uppercase --i2s --s2i msg_type gen_msg_typetabs_h $@
+ 
+-gen_optabs_h_SOURCES = gen_tables.c gen_tables.h optab.h
+-gen_optabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="optab.h"'
++gen_optabs_h: gen_tables.c gen_tables.h optab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"optab.h\" -E -o $@ gen_tables.c
+ optabs.h: gen_optabs_h Makefile
+-	./gen_optabs_h --i2s op > $@
++	$(PYTHON) gen_tables.py --i2s op gen_optabs_h $@
+ 
+-gen_ppc_tables_h_SOURCES = gen_tables.c gen_tables.h ppc_table.h
+-gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ppc_table.h"'
++gen_ppc_tables_h: gen_tables.c gen_tables.h ppc_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ppc_table.h\" -E -o $@ gen_tables.c
+ ppc_tables.h: gen_ppc_tables_h Makefile
+-	./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ppc_syscall gen_ppc_tables_h $@
+ 
+-gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h
+-gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"'
++gen_s390_tables_h: gen_tables.c gen_tables.h s390_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"s390_table.h\" -E -o $@ gen_tables.c
+ s390_tables.h: gen_s390_tables_h Makefile
+-	./gen_s390_tables_h --lowercase --i2s --s2i s390_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i s390_syscall gen_s390_tables_h $@
+ 
+-gen_s390x_tables_h_SOURCES = gen_tables.c gen_tables.h s390x_table.h
+-gen_s390x_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390x_table.h"'
++gen_s390x_tables_h: gen_tables.c gen_tables.h s390x_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"s390x_table.h\" -E -o $@ gen_tables.c
+ s390x_tables.h: gen_s390x_tables_h Makefile
+-	./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i s390x_syscall gen_s390x_tables_h $@
+ 
+-gen_x86_64_tables_h_SOURCES = gen_tables.c gen_tables.h x86_64_table.h
+-gen_x86_64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="x86_64_table.h"'
++gen_x86_64_tables_h: gen_tables.c gen_tables.h x86_64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"x86_64_table.h\" -E -o $@ gen_tables.c
+ x86_64_tables.h: gen_x86_64_tables_h Makefile
+-	./gen_x86_64_tables_h --lowercase --i2s --s2i x86_64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i x86_64_syscall gen_x86_64_tables_h $@
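Review bot: The generated-header rules (for example `actiontabs.h: gen_actiontabs_h Makefile`) do not list gen_tables.py as a prerequisite, so editing the script will not regenerate any table; add it to each rule, and reference gen_tables.py and gen_tables.c through $(srcdir) so out-of-tree builds find them. The gen_*_h targets are now preprocessor output rather than programs but keep the old program names and are listed in BUILT_SOURCES; a distinct suffix and a CLEANFILES entry would make that obvious. Please also confirm that $(PYTHON) is still substituted when configure runs with --with-python=no, as audit.mk does. The continued `gen_x86_64_tables_h` line has trailing whitespace.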
diff --git a/package/audit/0002-remove-zos-plugin.patch b/package/audit/0002-remove-zos-plugin.patch
new file mode 100644
index 0000000..576d8fa
--- /dev/null
+++ b/package/audit/0002-remove-zos-plugin.patch
@@ -0,0 +1,35 @@
+Removed the step to build the zos-remote.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+---
+--- a/audisp/plugins/Makefile.am	2012-08-28 10:33:03.582396601 -0500
++++ b/audisp/plugins/Makefile.am	2012-08-28 10:33:14.162399662 -0500
+@@ -22,7 +22,7 @@
+ 
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ 
+-SUBDIRS = builtins zos-remote remote
++SUBDIRS = builtins remote
+ #SUBDIRS = builtins zos-remote
+ if HAVE_PRELUDE
+ SUBDIRS += prelude
+--- a/audisp/plugins/Makefile.in	2012-08-28 10:33:03.592380390 -0500
++++ b/audisp/plugins/Makefile.in	2012-08-28 10:35:38.482397668 -0500
+@@ -84,7 +84,7 @@
+ 	distdir
+ ETAGS = etags
+ CTAGS = ctags
+-DIST_SUBDIRS = builtins zos-remote remote prelude
++DIST_SUBDIRS = builtins remote prelude
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ am__relativize = \
+   dir0=`pwd`; \
+@@ -242,7 +242,7 @@
+ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+-SUBDIRS = builtins zos-remote remote $(am__append_1)
++SUBDIRS = builtins remote $(am__append_1)
+ all: all-recursive
+ 
+ .SUFFIXES:
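Review bot: The two audisp/plugins/Makefile.in hunks are redundant, because audit.mk sets AUDIT_AUTORECONF = YES and Makefile.in is regenerated from the patched Makefile.am; drop them and keep only the Makefile.am change. The tag line reads "Signed-off-by Clayton Shotwell" without the colon, and the description should say why zos-remote cannot be built in this configuration.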
diff --git a/package/audit/Config.in b/package/audit/Config.in
new file mode 100644
index 0000000..4c65d51
--- /dev/null
+++ b/package/audit/Config.in
@@ -0,0 +1,14 @@
+config BR2_PACKAGE_AUDIT
+	bool "audit"
+	depends on BR2_TOOLCHAIN_USES_GLIBC
+	help
+	  The audit package contains the user space utilities for
+	  storing and searching the audit records generate by
+	  the audit subsystem in the Linux 2.6 kernel
+	  
+	  Note: The z/OS remote plugin is disabled in this package
+	  
+	  http://people.redhat.com/sgrubb/audit/
+
+comment "audit needs an (e)glibc toolchain"
+        depends on !BR2_TOOLCHAIN_USES_GLIBC
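Review bot: The `depends on !BR2_TOOLCHAIN_USES_GLIBC` line under the comment is indented with spaces while the rest of the file uses a tab; use a tab for consistency. In the help text, "generate by" should read "generated by", and the two empty help lines carry trailing whitespace.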
diff --git a/package/audit/S01auditd b/package/audit/S01auditd
new file mode 100644
index 0000000..23a7761
--- /dev/null
+++ b/package/audit/S01auditd
@@ -0,0 +1,172 @@
+#!/bin/sh
+#
+# auditd        This starts and stops auditd
+#
+# description: This starts the Linux Auditing System Daemon, \
+#              which collects security related events in a dedicated \
+#              audit log. If this daemon is turned off, audit events \
+#              will be sent to syslog.
+#
+# processname: /sbin/auditd
+# config: /etc/sysconfig/auditd
+# config: /etc/audit/auditd.conf
+# pidfile: /var/run/auditd.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+#
+prog="auditd"
+
+# Check that we are root ... so non-root users stop here
+test $EUID=0  ||  exit 4
+
+# Check config
+test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd
+
+RETVAL=0
+LOCK=/var/lock/subsys/auditd
+
+start(){
+   echo -n "Initializing $prog: "
+
+   if [ ! -e $LOCK ]; then
+      test -x /sbin/auditd  || exit 5
+      test -f /etc/audit/auditd.conf  || exit 6
+   
+      # Create dir to store log files in if one doesn't exist
+      test -d /var/log/audit || mkdir -p /var/log/audit && /sbin/restorecon /var/log/audit
+   
+      # Run audit daemon executable
+      $prog
+      RETVAL=$?
+      if test $RETVAL = 0 ; then
+         test -d /var/lock/subsys || mkdir -p /var/lock/subsys
+         touch $LOCK
+         # Load the default rules
+         test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+         echo "OK"
+      else
+         echo "FAILED: auditd failed to start"
+      fi
+   else
+      echo "FAILED: auditd already started, stop first"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+stop(){
+   echo -n "Uninitializing $prog: "
+   if [ -e $LOCK ]; then
+      killall -TERM $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         rm -f $LOCK
+         # Remove watches so shutdown works cleanly
+         if test x"$AUDITD_CLEAN_STOP" != "x" ; then
+            if test "`echo $AUDITD_CLEAN_STOP | tr 'NO' 'no'`" != "no"
+            then
+               /sbin/auditctl -D >/dev/null
+            fi
+         fi
+         if test x"$AUDITD_STOP_DISABLE" != "x" ; then
+            if test "`echo $AUDITD_STOP_DISABLE | tr 'NO' 'no'`" != "no"
+            then
+               /sbin/auditctl -e 0 >/dev/null
+            fi
+         fi
+         echo "OK"
+      else
+         echo "FAILED: auditd not stopped"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+reload(){
+   echo -n "Reloading auditd configuration: "
+   if [ -e $LOCK ]; then
+      test -f /etc/audit/auditd.conf  || exit 6
+      echo -n "Reloading configuration: " 
+      killall -HUP $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         echo "OK"
+      else
+         echo "FAILED"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+rotate(){
+   echo -n "Rotating auditd logs: "  
+   if [ -e $LOCK ]; then
+      killall -USR1 $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         echo "OK"
+      else
+         echo "FAILED"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+restart(){
+   test -f /etc/audit/auditd.conf  || exit 6
+   stop
+   start
+   return $RETVAL
+}
+
+condrestart(){
+   [ -e $LOCK ] && restart
+   return 0
+}
+
+# See how we were called.
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   restart)
+      restart
+      ;;
+   reload)
+      reload
+      ;;
+   rotate)
+      rotate
+      ;;
+   resume)
+      resume
+      ;;
+   condrestart)
+      condrestart
+      ;;
+   *)
+      echo "Usage: $0 {start|stop|restart|condrestart|reload|rotate}"
+      RETVAL=3
+      ;;
+esac
+
+exit $RETVAL
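Review bot: The root check `test $EUID=0  ||  exit 4` never fails, because `$EUID=0` is a single non-empty word and test returns true for any non-empty string; EUID is also not set by every /bin/sh. Use something like `[ "$(id -u)" -eq 0 ] || exit 4`. The same pattern affects `if [ $RETVAL ]` in stop(), reload() and rotate(): it is always true, so a failed killall is reported as OK; compare with `-eq 0`. The case statement dispatches `resume` to a function that is not defined in the script and is not listed in the usage text. In start(), `test -d ... || mkdir -p ... && /sbin/restorecon ...` runs restorecon on every start since `||` and `&&` have equal precedence, and the script does not check that /sbin/restorecon exists.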
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
new file mode 100644
index 0000000..d6ccf03
--- /dev/null
+++ b/package/audit/audit.mk
@@ -0,0 +1,57 @@
+################################################################################
+#
+# audit
+#
+################################################################################
+
+AUDIT_VERSION:=2.3.2
+AUDIT_SITE:=http://people.redhat.com/sgrubb/audit/
+AUDIT_DEPENDENCIES = host-python-pyparsing
+AUDIT_LICENSE = GPLv2
+AUDIT_LICENSE_FILES = COPYING
+
+AUDIT_INSTALL_STAGING = YES
+
+AUDIT_AUTORECONF = YES
+AUDIT_AUTORECONF_OPTS = -i -s -I m4
+AUDIT_LIBTOOL_PATCH = NO
+
+# Audit will be looking for applications to be in the root
+# /sbin folder rather than in /usr/sbin folder
+AUDIT_CONF_OPTS = --sbindir=/sbin
+
+AUDIT_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)"
+AUDIT_CONF_OPTS += --with-python=no
+
+ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
+	AUDIT_DEPENDENCIES += libcap-ng
+	AUDIT_CONF_OPTS += --with-libcap-ng=yes
+else
+	AUDIT_CONF_OPTS += --with-libcap-ng=no
+endif
+
+ifeq ($(BR2_armeb),y)
+	AUDIT_CONF_OPT += --with-armeb
+endif
+ifeq ($(BR2_arm),y)
+	AUDIT_CONF_OPT += --with-armeb
+endif
+ifeq ($(BR2_aarch64),y)
+	AUDIT_CONF_OPT += --with-aarch64
+endif
+
+ifeq ($(BR2_PREFER_STATIC_LIB),y)
+	AUDIT_CONF_OPTS += --enable-shared=no
+endif
+
+define AUDIT_INSTALL_INIT_SYSV
+	$(INSTALL) -m 755 package/audit/S01auditd $(TARGET_DIR)/etc/init.d/
+endef
+
+define AUDIT_REMOVE_STARTUP_SCRIPT_DIR
+	$(RM) -rf $(TARGET_DIR)/etc/rc.d
+endef
+
+AUDIT_POST_INSTALL_TARGET_HOOKS += AUDIT_REMOVE_STARTUP_SCRIPT_DIR
+
+$(eval $(autotools-package))
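Review bot: The three architecture blocks append to `AUDIT_CONF_OPT` (singular) while every other line uses `AUDIT_CONF_OPTS`, so --with-armeb and --with-aarch64 are never passed to configure; rename the variable in all three. BR2_arm and BR2_armeb both map to --with-armeb, which deserves either a single combined condition or a comment explaining the mapping. AUDIT_VERSION and AUDIT_SITE use `:=` where the rest of the file uses `=`, and the CFLAGS line adds a python include directory even though configure is given --with-python=no and python is not in AUDIT_DEPENDENCIES.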
-- 
1.9.1


* [Buildroot] [PATCH 10/30] policycoreutils: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (8 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 09/30] audit: new package Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 11/30] python-pyxml: " Matt Weber
                   ` (20 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/Config.in                                  |   7 +
 .../policycoreutils/0001-cross-compile-fixes.patch | 332 +++++++++++++++++++++
 package/policycoreutils/Config.in                  |  73 +++++
 package/policycoreutils/S15restorecond             |  85 ++++++
 package/policycoreutils/policycoreutils.mk         | 229 ++++++++++++++
 5 files changed, 726 insertions(+)
 create mode 100644 package/policycoreutils/0001-cross-compile-fixes.patch
 create mode 100644 package/policycoreutils/Config.in
 create mode 100644 package/policycoreutils/S15restorecond
 create mode 100644 package/policycoreutils/policycoreutils.mk

diff --git a/package/Config.in b/package/Config.in
index 0623d37..bf4d772 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1182,6 +1182,13 @@ menu "Real-Time"
 endmenu
 
 menu "Security"
+menu "policycoreutils"
+	source "package/policycoreutils/Config.in"
+endmenu
+menu "refpolicy"
+	source "package/refpolicy/Config.in"
+	source "package/refpolicy-contrib/Config.in"
+endmenu
 	source "package/sepolgen/Config.in"
 	source "package/setools/Config.in"
 endmenu
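Review bot: The new "refpolicy" menu sources package/refpolicy/Config.in and package/refpolicy-contrib/Config.in, but this patch's diffstat only creates files under package/policycoreutils; unless an earlier patch in the series adds those two files, the tree does not configure at this commit. Move the refpolicy entries to the patch that introduces refpolicy. The nested menu/endmenu lines are also not indented like the `source` lines around them, and a sub-menu wrapping a single `source` line is better expressed inside the package's own Config.in.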
diff --git a/package/policycoreutils/0001-cross-compile-fixes.patch b/package/policycoreutils/0001-cross-compile-fixes.patch
new file mode 100644
index 0000000..8f47907
--- /dev/null
+++ b/package/policycoreutils/0001-cross-compile-fixes.patch
@@ -0,0 +1,332 @@
+Patch to enable cross compile build and install.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/audit2allow/Makefile b/audit2allow/Makefile
+--- a/audit2allow/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/audit2allow/Makefile	2013-08-23 09:16:21.282917254 -0500
+@@ -3,7 +3,7 @@
+ BINDIR ?= $(PREFIX)/bin
+ LIBDIR ?= $(PREFIX)/lib
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ all: ;
+ 
+diff -urN a/load_policy/Makefile b/load_policy/Makefile
+--- a/load_policy/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/load_policy/Makefile	2013-08-23 09:16:21.282917254 -0500
+@@ -3,7 +3,7 @@
+ SBINDIR ?= $(DESTDIR)/sbin
+ USRSBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+diff -urN a/Makefile b/Makefile
+--- a/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -1,8 +1,8 @@
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
+ 
+-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
+ 
+-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
+ 	SUBDIRS += restorecond
+ endif
+ 
+diff -urN a/mcstrans/src/Makefile b/mcstrans/src/Makefile
+--- a/mcstrans/src/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/mcstrans/src/Makefile	2013-08-23 09:41:18.782916946 -0500
+@@ -1,22 +1,8 @@
+-ARCH = $(shell uname -i)
+-ifeq "$(ARCH)" "x86_64"
+-	# In case of 64 bit system, use these lines
+-	LIBDIR=/usr/lib64
+-else 
+-ifeq "$(ARCH)" "i686"
+-	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
+-else
+-ifeq "$(ARCH)" "i386"
+-	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
+-endif
+-endif
+-endif
+ # Installation directories.
+ PREFIX  ?= $(DESTDIR)/usr
+-SBINDIR ?= $(DESTDIR)/sbin
+-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
++LIBDIR  ?= $(PREFIX)/lib
++SBINDIR ?= $(PREFIX)/sbin
++INITDIR ?= $(DESTDIR)/etc/init.d
+ 
+ PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
+ PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
+@@ -40,5 +26,5 @@
+ 	install -m 755 $(INITSCRIPT).init $(INITDIR)/$(INITSCRIPT)
+ 
+ clean: 
+-	-rm -f $(OBJS) $(LOBJS) $(TARGET) $(PROG) $(PROG_OBJS) *~ \#*
++	-rm -f $(PROG) $(PROG_OBJS) *.o *~ \#*
+ 
+diff -urN a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
+--- a/mcstrans/utils/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/mcstrans/utils/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -1,24 +1,8 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
++LIBDIR  ?= $(PREFIX)/lib
+ BINDIR ?= $(PREFIX)/sbin
+ 
+-ARCH = $(shell uname -i)
+-ifeq "$(ARCH)" "x86_64"
+-        # In case of 64 bit system, use these lines
+-        LIBDIR=/usr/lib64
+-else
+-ifeq "$(ARCH)" "i686"
+-        # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
+-else
+-ifeq "$(ARCH)" "i386"
+-        # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
+-endif
+-endif
+-endif
+-
+-
+ CFLAGS ?= -Wall
+ override CFLAGS += -I../src -D_GNU_SOURCE
+ LDLIBS += -L../src ../src/mcstrans.o ../src/mls_level.o -lselinux -lpcre $(LIBDIR)/libsepol.a
+diff -urN a/newrole/Makefile b/newrole/Makefile
+--- a/newrole/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/newrole/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -3,9 +3,9 @@
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR = /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR = $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+@@ -24,7 +24,7 @@
+ EXTRA_OBJS =
+ override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	EXTRA_OBJS += hashtab.o
+ 	LDLIBS += -lpam -lpam_misc
+@@ -32,7 +32,7 @@
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -66,7 +66,7 @@
+ 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
+ 	install -m $(MODE) newrole $(BINDIR)
+ 	install -m 644 newrole.1 $(MANDIR)/man1/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ ifeq ($(LSPP_PRIV),y)
+ 	install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+diff -urN a/restorecond/Makefile b/restorecond/Makefile
+--- a/restorecond/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/restorecond/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -2,24 +2,29 @@
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+ LIBDIR ?= $(PREFIX)/lib
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
+ DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
+ 
+ autostart_DATA = sealertauto.desktop
+-INITDIR = $(DESTDIR)/etc/rc.d/init.d
++INITDIR = $(DESTDIR)/etc/init.d
+ SELINUXDIR = $(DESTDIR)/etc/selinux
+ 
+-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
++		-I$(PREFIX)/lib/dbus-1.0/include
+ DBUSLIB = -ldbus-glib-1 -ldbus-1
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
++		-I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
+ 
+ LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
+ 
+ all: restorecond
+ 
++%.o: %.c
++	$(CC) $(CFLAGS) -c -o $@ $<
++
+ restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h
+ 
+ restorecond:  ../setfiles/restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o
+diff -urN a/run_init/Makefile b/run_init/Makefile
+--- a/run_init/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/run_init/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -4,21 +4,21 @@
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR ?= /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	LDLIBS += -lpam -lpam_misc
+ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -38,7 +38,7 @@
+ 	install -m 755 open_init_pty $(SBINDIR)
+ 	install -m 644 run_init.8 $(MANDIR)/man8/
+ 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+ endif
+ 
+diff -urN a/semodule/Makefile b/semodule/Makefile
+--- a/semodule/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/semodule/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -2,7 +2,7 @@
+ PREFIX ?= $(DESTDIR)/usr
+ INCLUDEDIR ?= $(PREFIX)/include
+ SBINDIR ?= $(PREFIX)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+ 
+ CFLAGS ?= -Werror -Wall -W
+diff -urN a/sepolicy/Makefile b/sepolicy/Makefile
+--- a/sepolicy/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/sepolicy/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -5,25 +5,32 @@
+ BINDIR ?= $(PREFIX)/bin
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ PYTHON ?= /usr/bin/python
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+ 
+ BASHCOMPLETIONS=sepolicy-bash-completion.sh 
+ 
++PYTHON_ARGS = LDSHARED="$(CC) -shared" \
++		CROSS_COMPILING=yes              \
++		_python_sysroot=$(DESTDIR)       \
++		_python_srcdir=$(PYTHON_SRC)     \
++		_python_prefix=/usr              \
++		_python_exec_prefix=/usr
++
+ all: python-build
+ 
+ python-build: info.c search.c common.h policy.h policy.c
+-	$(PYTHON) setup.py build
++	$(PYTHON_ARGS) $(PYTHON) setup.py build
+ 
+ clean:
+ 	$(PYTHON) setup.py clean
+ 	-rm -rf build *~ \#* *pyc .#*
+ 
+ install:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON_ARGS) $(PYTHON) setup.py install --prefix=$(PREFIX)
+ 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
+ 	-mkdir -p $(MANDIR)/man8
+diff -urN a/sestatus/Makefile b/sestatus/Makefile
+--- a/sestatus/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/sestatus/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -1,11 +1,11 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+ LIBDIR ?= $(PREFIX)/lib
+ 
+-CFLAGS = -Werror -Wall -W
++CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+ LDLIBS = -lselinux -L$(LIBDIR)
+ 
+diff -urN a/setfiles/Makefile b/setfiles/Makefile
+--- a/setfiles/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/setfiles/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -1,24 +1,27 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+-PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
+-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
++PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk '{ print $$3 }')
++ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk '{ print $$3 }')
+ 
+-CFLAGS = -g -Werror -Wall -W
++CFLAGS ?= -g -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+ 
+ all: setfiles restorecon man
+ 
++%.o: %.c
++	$(CC) $(CFLAGS) -c -o $@ $<
++
+ setfiles:  setfiles.o restore.o
+ 
+ restorecon: setfiles
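Review bot: In the load_policy, newrole and run_init Makefiles, LOCALEDIR is passed to the compiler as `-DLOCALEDIR="\"$(LOCALEDIR)\""`, so changing it to `$(DESTDIR)/usr/share/locale` compiles the build-time DESTDIR into the binaries. policycoreutils.mk builds with DESTDIR="$(STAGING_DIR)", which means the target binaries look for message catalogs under a host staging path instead of /usr/share/locale. Keep LOCALEDIR as the runtime path and apply $(DESTDIR) only where files are installed. Separately, the `Signed-off-by Clayton Shotwell` line at the top of the patch file is missing its colon, and the patch description could say why each group of changes (header probing through $(DESTDIR), removal of the `uname -i` LIBDIR logic, `awk -S`) is needed for cross compilation.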
diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
new file mode 100644
index 0000000..51fb1b0
--- /dev/null
+++ b/package/policycoreutils/Config.in
@@ -0,0 +1,73 @@
+config BR2_PACKAGE_POLICYCOREUTILS
+	bool "policycoreutils"
+	select BR2_PACKAGE_LIBSEMANAGE
+	select BR2_PACKAGE_SEPOLGEN # host python bindings
+	depends on BR2_TOOLCHAIN_USES_GLIBC
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
+	depends on BR2_LARGEFILE # libsemanage
+	help
+	  Policycoreutils is a collection of policy utilities (originally
+	  the "core" set of utilities needed to use SELinux, although it
+	  has grown a bit over time), which have different dependencies.
+	  sestatus, secon, run_init, and newrole only use libselinux.
+	  load_policy and setfiles only use libselinux and libsepol.
+	  semodule and semanage use libsemanage (and thus bring in
+	  dependencies on libsepol and libselinux as well). setsebool
+	  uses libselinux to make non-persistent boolean changes (via
+	  the kernel interface) and uses libsemanage to make persistent
+	  boolean changes.
+
+	  The base package will install the following utilities:
+	      load_policy
+	      newrole
+	      restorecond
+	      run_init
+	      secon
+	      semodule
+	      semodule_deps
+	      semodule_expand
+	      semodule_link
+	      semodule_package
+	      sepolgen-ifgen
+	      sestatus
+	      setfiles
+	      setsebool
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "policycoreutils needs a toolchain w/ (e)glibc, wchar, largefile"
+	depends on !BR2_TOOLCHAIN_USES_GLIBC || !BR2_TOOLCHAIN_HAS_THREADS \
+		|| !BR2_LARGEFILE
+
+if BR2_PACKAGE_POLICYCOREUTILS
+
+config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+	bool "restorecond Utility"
+	select BR2_PACKAGE_DBUS_GLIB
+	depends on BR2_USE_WCHAR # dbus-glib
+	depends on BR2_USE_MMU # dbus-glib
+	help
+	  Enable restorecond to be built
+
+comment "restorecond needs a toolchain w/ wchar, threads, mmu"
+	depends on !BR2_USE_WCHAR || !BR2_USE_MMU
+
+config BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS
+	bool "mcstrans Utility"
+	select BR2_PACKAGE_PCRE
+	select BR2_PACKAGE_LIBCAP
+	help
+	  Enable mcstrans to be built
+
+config BR2_PACKAGE_POLICYCOREUTILS_SANDBOX
+	bool "sandbox Utility"
+	select BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING
+	select BR2_PACKAGE_LIBCGROUP
+	depends on BR2_INSTALL_LIBSTDCPP # libcgroup
+	help
+	  Enable sandbox to be built
+
+comment "policycoreutils sandbox needs an toolchain w/ C++"
+	depends on !BR2_INSTALL_LIBSTDCPP
+
+endif
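Review bot: BR2_PACKAGE_POLICYCOREUTILS_SANDBOX selects BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING, a symbol this Config.in never defines; either add the option here or drop the select. The dependency comments also disagree with the conditions under them: the top-level comment says "(e)glibc, wchar, largefile" while the condition tests BR2_TOOLCHAIN_HAS_THREADS rather than wchar, and the restorecond comment lists threads while only BR2_USE_WCHAR and BR2_USE_MMU are tested ("an toolchain" in the sandbox comment is a typo). policycoreutils.mk puts libcap-ng in POLICYCOREUTILS_DEPENDENCIES, so BR2_PACKAGE_POLICYCOREUTILS should also `select BR2_PACKAGE_LIBCAP_NG`.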
diff --git a/package/policycoreutils/S15restorecond b/package/policycoreutils/S15restorecond
new file mode 100644
index 0000000..e408281
--- /dev/null
+++ b/package/policycoreutils/S15restorecond
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# restorecond:		Daemon used to maintain path file context
+#
+# description:	restorecond uses inotify to look for creation of new files \
+# listed in the /etc/selinux/restorecond.conf file, and restores the \
+# correct security context.
+#
+# processname: /usr/sbin/restorecond
+# config: /etc/selinux/restorecond.conf 
+# pidfile: /var/run/restorecond.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+
+[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 7
+
+# Check that we are root ... so non-root users stop here
+test $EUID = 0  || exit 4
+
+test -x /usr/sbin/restorecond  || exit 5
+test -f /etc/selinux/restorecond.conf  || exit 6
+
+RETVAL=0
+
+start() 
+{
+	echo -n $"Starting restorecond: "
+	unset HOME MAIL USER USERNAME
+	/usr/sbin/restorecond 
+	RETVAL=$?
+	touch /var/lock/subsys/restorecond
+	echo
+	return $RETVAL
+}
+
+stop() 
+{
+	echo -n $"Shutting down restorecond: "
+	killproc restorecond
+	RETVAL=$?
+	rm -f  /var/lock/subsys/restorecond
+	echo
+	return $RETVAL
+}
+
+restart() 
+{
+	stop
+	start
+}
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  status)
+	status restorecond
+	RETVAL=$?
+	;;
+  force-reload|restart|reload)
+	restart
+	;;
+  condrestart)
+	[ -e /var/lock/subsys/restorecond ] && restart || :
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart}"
+	RETVAL=3
+esac
+
+exit $RETVAL
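Review bot: The script is declared `#!/bin/sh` but depends on bash and Red Hat initscript features: `test $EUID = 0` near the top, the `$"..."` strings, and `killproc` and `status`, which are neither defined nor sourced here. Under a POSIX shell EUID is unset, so the unquoted test does not succeed and the script exits 4 before reaching start(), even when run as root. Use `[ "$(id -u)" -eq 0 ]`, plain quoted strings, and a stop/status implementation that works from the pidfile named in the header. start() also touches /var/lock/subsys/restorecond regardless of RETVAL, so condrestart can act on a daemon that never started; create the lock file only when restorecond returned 0.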
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
new file mode 100644
index 0000000..c8b9875
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.mk
@@ -0,0 +1,229 @@
+################################################################################
+#
+# policycoreutils
+#
+################################################################################
+
+POLICYCOREUTILS_VERSION = 2.1.14
+POLICYCOREUTILS_SITE = http://userspace.selinuxproject.org/releases/20130423/
+POLICYCOREUTILS_LICENSE = GPLv2
+POLICYCOREUTILS_LICENSE_FILES = COPYING
+
+POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng
+
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+	POLICYCOREUTILS_DEPENDENCIES += linux-pam
+	POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
+define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
+	$(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
+	$(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
+endef
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+	POLICYCOREUTILS_DEPENDENCIES += audit
+	POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
+endif
+
+# Enable LSPP_PRIV if both audit and linux pam are enabled
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+	POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
+endif
+endif
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+POLICYCOREUTILS_MAKE_OPTS = \
+	$(TARGET_CONFIGURE_OPTS) \
+	CFLAGS+="-U_FILE_OFFSET_BITS"
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
+
+POLICYCOREUTILS_DEPENDENCIES += dbus-glib
+
+define POLICYCOREUTILS_RESTORECOND_BUILD_CMDS
+	$(MAKE) -C $(@D)/restorecond $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_RESTORECOND_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/restorecond $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	rm $(TARGET_DIR)/etc/init.d/restorecond
+endef
+
+define POLICYCOREUTILS_RESTORECOND_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 package/policycoreutils/S15restorecond \
+		$(TARGET_DIR)/etc/init.d/
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS),y)
+
+POLICYCOREUTILS_DEPENDENCIES += pcre libcap
+
+define POLICYCOREUTILS_MCSTRANS_BUILD_CMDS
+	$(MAKE) -C $(@D)/mcstrans $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_MCSTRANS_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/mcstrans $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_SANDBOX),y)
+
+POLICYCOREUTILS_DEPENDENCIES += libcgroup
+
+define POLICYCOREUTILS_SANDBOX_BUILD_CMDS
+	$(MAKE) -C $(@D)/sandbox $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_SANDBOX_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/sandbox $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_SANDBOX
+
+define POLICYCOREUTILS_BUILD_CMDS
+	$(MAKE) -C $(@D)/load_policy $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/newrole $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/run_init $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/secon $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_deps $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_expand $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_link $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_package $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sepolgen-ifgen $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sestatus $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/setfiles $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/setsebool $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(POLICYCOREUTILS_RESTORECOND_BUILD_CMDS)
+	$(POLICYCOREUTILS_MCSTRANS_BUILD_CMDS)
+	$(POLICYCOREUTILS_SANDBOX_BUILD_CMDS)
+endef
+
+define POLICYCOREUTILS_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/load_policy      DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/newrole          DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/run_init         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/secon            DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_deps    DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_expand  DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_link    DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_package DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sepolgen-ifgen   DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sestatus         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/setfiles         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/setsebool        DESTDIR="$(TARGET_DIR)" install
+	$(POLICYCOREUTILS_RESTORECOND_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_MCSTRANS_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_SANDBOX_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS)
+endef
+
+define POLICYCOREUTILS_INSTALL_INIT_SYSV
+	$(POLICYCOREUTILS_RESTORECOND_INSTALL_INIT_SYSV)
+endef
+
+HOST_POLICYCOREUTILS_DEPENDENCIES += host-libsemanage host-dbus-glib host-python host-sepolgen host-setools
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+HOST_POLICYCOREUTILS_MAKE_OPTS = \
+	$(HOST_CONFIGURE_OPTS) \
+	CFLAGS+="-U_FILE_OFFSET_BITS" \
+	PYTHON="$(HOST_DIR)/usr/bin/python" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	PYTHON_SRC="$(BUILD_DIR)/host-python$(PYTHON_VERSION)"
+
+# Note: We are only building the programs required by the refpolicy build
+define HOST_POLICYCOREUTILS_BUILD_CMDS
+	$(MAKE) -C $(@D)/semodule $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_package $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_link $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_expand $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_deps $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/load_policy $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/setfiles $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/restorecond $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(HOST_DIR)" all
+	$(MAKE) -C $(@D)/audit2allow $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(HOST_DIR)" all
+	$(MAKE) -C $(@D)/audit2why $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(HOST_DIR)" all
+	$(MAKE) -C $(@D)/scripts $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(HOST_DIR)" all
+	$(MAKE) -C $(@D)/semanage $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(HOST_DIR)" all
+	$(MAKE) -C $(@D)/sepolicy $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(HOST_DIR)" all
+endef
+
+define HOST_POLICYCOREUTILS_INSTALL_CMDS
+	$(MAKE) -C $(@D)/semodule install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_package install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_link install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_expand install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_deps install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/load_policy install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/setfiles install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/restorecond install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/audit2allow install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/audit2why install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/scripts install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semanage install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/sepolicy install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	# Fix python paths
+	$(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/audit2allow
+	$(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/audit2why
+	$(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
+	$(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/sepolicy
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
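Review bot: POLICYCOREUTILS_MAKE_OPTS is extended with `+=` in the linux-pam and audit blocks (NAMESPACE_PRIV=y, AUDIT_LOG_PRIV=y, LSPP_PRIV=y) and then assigned with `=` after the "Undefining _FILE_OFFSET_BITS" comment, which discards all three options, so newrole is never built with the privilege settings the conditionals intend. Move the base assignment above the ifeq blocks. POLICYCOREUTILS_INSTALL_TARGET_CMDS also runs `make install` without $(POLICYCOREUTILS_MAKE_OPTS), so install-time conditionals in the sub-Makefiles (for example the LSPP_PRIV choice of pam.d file in newrole) are evaluated with different settings than the build; pass the same options to both. Smaller points: `rm $(TARGET_DIR)/etc/init.d/restorecond` should be `rm -f`, newrole-lspp.pamd is installed whenever linux-pam is enabled even if audit is not, and the variable assignments inside the ifeq blocks should not be tab-indented.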
-- 
1.9.1

* [Buildroot] [PATCH 11/30] python-pyxml: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (9 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 10/30] policycoreutils: " Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 12/30] refpolicy: " Matt Weber
                   ` (19 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/Config.in                  |  1 +
 package/python-pyxml/Config.in     | 11 +++++++++
 package/python-pyxml/python-xml.mk | 50 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+)
 create mode 100644 package/python-pyxml/Config.in
 create mode 100644 package/python-pyxml/python-xml.mk

diff --git a/package/Config.in b/package/Config.in
index bf4d772..c02e665 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -531,6 +531,7 @@ menu "external python modules"
 	source "package/python-pysnmp-apps/Config.in"
 	source "package/python-pysnmp-mibs/Config.in"
 	source "package/python-pyusb/Config.in"
+	source "package/python-pyxml/Config.in"
 	source "package/python-pyzmq/Config.in"
 	source "package/python-requests/Config.in"
 	source "package/python-rtslib-fb/Config.in"
diff --git a/package/python-pyxml/Config.in b/package/python-pyxml/Config.in
new file mode 100644
index 0000000..420f3ad
--- /dev/null
+++ b/package/python-pyxml/Config.in
@@ -0,0 +1,11 @@
+config BR2_PACKAGE_PYTHON_PYXML
+	bool "python-pyxml"
+	depends on BR2_PACKAGE_PYTHON
+	help
+	  This is the Python XML package.  The distribution contains a
+	  validating XML parser, an implementation of the SAX and DOM
+	  programming interfaces, an interface to the Expat parser (and the
+	  Expat parser itself), and a C helper module that can speed up
+	  xmllib.py by a factor of 5.  There's even documentation!
+
+	  http://pyxml.sourceforge.net/topics/index.html
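Review bot: Nothing in this option selects BR2_PACKAGE_EXPAT, although the makefile lists expat in PYTHON_PYXML_DEPENDENCIES and builds with `--with-libexpat=$(STAGING_DIR)/usr`. Add `select BR2_PACKAGE_EXPAT` so the configuration and the build dependency agree.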
diff --git a/package/python-pyxml/python-xml.mk b/package/python-pyxml/python-xml.mk
new file mode 100644
index 0000000..bdf6a71
--- /dev/null
+++ b/package/python-pyxml/python-xml.mk
@@ -0,0 +1,50 @@
+################################################################################
+#
+# python-pyxml
+#
+################################################################################
+
+PYTHON_PYXML_VERSION = 0.8.4
+PYTHON_PYXML_SOURCE  = PyXML-$(PYTHON_PYXML_VERSION).tar.gz
+PYTHON_PYXML_SITE    = http://downloads.sourceforge.net/project/pyxml/pyxml/0.8.4/
+PYTHON_PYXML_LICENSE = BSD-3c
+PYTHON_PYXML_LICENSE_FILES = LICENSE
+
+PYTHON_PYXML_DEPENDENCIES = host-python python expat
+
+PYTHON_PYXML_INSTALL_STAGING = NO
+
+define PYTHON_PYXML_BUILD_CMDS
+	(cd $(@D); \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include" \
+		LDSHARED="$(TARGET_CC) -shared" \
+		LDFLAGS="$(TARGET_LDFLAGS) -L$(STAGING_DIR)/lib -L$(STAGING_DIR)/usr/lib" \
+		$(HOST_DIR)/usr/bin/python setup.py build_ext \
+		--include-dirs=$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR) \
+		--with-libexpat=$(STAGING_DIR)/usr \
+	)
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build)
+endef
+
+define PYTHON_PYXML_INSTALL_STAGING_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(STAGING_DIR)/usr)
+endef
+
+define PYTHON_PYXML_INSTALL_TARGET_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(TARGET_DIR)/usr)
+endef
+
+HOST_PYTHON_PYXML_DEPENDENCIES = host-python
+
+define HOST_PYTHON_PYXML_BUILD_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build_ext --with-libexpat=$(HOST_DIR)/usr)
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build)
+endef
+
+define HOST_PYTHON_PYXML_INSTALL_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(HOST_DIR)/usr)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
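Review bot: The makefile is added as package/python-pyxml/python-xml.mk while every variable in it uses the PYTHON_PYXML_ prefix; Buildroot's package infrastructure takes the package name from the .mk file name, so the file needs to be named python-pyxml.mk for these variables to be picked up. `PYTHON_PYXML_INSTALL_STAGING = NO` also leaves PYTHON_PYXML_INSTALL_STAGING_CMDS as dead code; drop one or the other. The target build runs `setup.py build_ext` with the cross environment and then a second `setup.py build` without it; a comment explaining why the second invocation is safe for a cross build would help.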
-- 
1.9.1

* [Buildroot] [PATCH 12/30] refpolicy: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (10 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 11/30] python-pyxml: " Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 13/30] repolicy: base policy modifications for embedded target Matt Weber
                   ` (18 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/refpolicy/0001-gentoo-hardened-fixes.patch | 1250 ++++++++++++++++++++
 package/refpolicy/0002-awk-fix.patch               |   37 +
 package/refpolicy/Config.in                        |   74 ++
 package/refpolicy/S12selinux                       |  137 +++
 package/refpolicy/config                           |    8 +
 package/refpolicy/modules.conf                     |  406 +++++++
 package/refpolicy/refpolicy.mk                     |   87 ++
 7 files changed, 1999 insertions(+)
 create mode 100644 package/refpolicy/0001-gentoo-hardened-fixes.patch
 create mode 100644 package/refpolicy/0002-awk-fix.patch
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S12selinux
 create mode 100644 package/refpolicy/config
 create mode 100644 package/refpolicy/modules.conf
 create mode 100644 package/refpolicy/refpolicy.mk

diff --git a/package/refpolicy/0001-gentoo-hardened-fixes.patch b/package/refpolicy/0001-gentoo-hardened-fixes.patch
new file mode 100644
index 0000000..c1c398f
--- /dev/null
+++ b/package/refpolicy/0001-gentoo-hardened-fixes.patch
@@ -0,0 +1,1250 @@
+From: Dominick Grift <dominick.grift@gmail.com>
+Date: Fri, 16 Aug 2013 07:07:37 +0000 (+0200)
+Subject: Fix monolithic built
+X-Git-Url: http://git.overlays.gentoo.org/gitweb/?p=proj%2Fhardened-refpolicy.git;a=commitdiff_plain;h=86500de7
+
+Fix monolithic built
+
+Make unconfined_cronjob_t declaration mandatory, because else monolithic
+built fails due to duplicate declaration
+
+Deprecate kerberos_keytab_template:
+
+Keytab type declarations have to be mandatory, because else monolithic
+built fails due to out-of-scope
+
+This keytab solution does not make sense in its current implementation,
+as many corresponding file context specs are missing, and there are no
+type transtion rules
+
+Replaced two deprecated interface calls
+
+Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
+---
+
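Review bot: the embedded patch header carries a single upstream commit titled "Fix monolithic built", while the file is named 0001-gentoo-hardened-fixes.patch and the outer commit message has no body beyond the From and Signed-off-by lines. Please say in the commit message why Buildroot needs this change (the inner message points at monolithic builds failing on duplicate and out-of-scope declarations), and consider naming the file after the commit it carries so it is easy to match against the origin given in X-Git-Url.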
+diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
+index a1d1131..655cbe1 100644
+--- a/policy/modules/contrib/apache.if
++++ b/policy/modules/contrib/apache.if
+@@ -1203,9 +1203,9 @@ interface(`apache_admin',`
+ 		attribute httpd_script_domains, httpd_htaccess_type;
+ 		type httpd_t, httpd_config_t, httpd_log_t;
+ 		type httpd_modules_t, httpd_lock_t, httpd_helper_t;
+-		type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
++		type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
+ 		type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
+-		type httpd_initrc_exec_t, httpd_suexec_t;
++		type httpd_initrc_exec_t, httpd_keytab_t;
+ 	')
+ 
+ 	allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
+@@ -1222,7 +1222,7 @@ interface(`apache_admin',`
+ 	miscfiles_manage_public_files($1)
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { httpd_config_t httpd_keytab_t })
++	admin_pattern($1, { httpd_keytab_t httpd_config_t })
+ 
+ 	logging_search_logs($1)
+ 	admin_pattern($1, httpd_log_t)
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 0da7cc3..99bb9b5 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -1,4 +1,4 @@
+-policy_module(apache, 2.7.0)
++policy_module(apache, 2.7.1)
+ 
+ ########################################
+ #
+@@ -283,6 +283,9 @@ role httpd_helper_roles types httpd_helper_t;
+ type httpd_initrc_exec_t;
+ init_script_file(httpd_initrc_exec_t)
+ 
++type httpd_keytab_t;
++files_type(httpd_keytab_t)
++
+ type httpd_lock_t;
+ files_lock_file(httpd_lock_t)
+ 
+@@ -391,6 +394,8 @@ allow httpd_t httpd_config_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+ 
++allow httpd_t httpd_keytab_t:file read_file_perms;
++
+ allow httpd_t httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(httpd_t, httpd_lock_t, file)
+ 
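Review bot: the added `allow httpd_t httpd_keytab_t:file read_file_perms;` sits outside the kerberos optional_policy block, so the rule is compiled in even when the kerberos module is not built, and nothing in the visible apache changes labels any file as httpd_keytab_t. The commit message itself says the file context specs are missing; it would help to document for the package that a keytab has to be labelled by hand (or through an added .fc entry) before this rule has any effect. The same applies to the other *_keytab_t types this patch declares.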
+@@ -781,10 +786,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(httpd, httpd_t)
+ 	kerberos_manage_host_rcache(httpd_t)
++	kerberos_read_keytab(httpd_t)
+ 	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
+ 	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
++	kerberos_use(httpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
+index 089430a..f24e369 100644
+--- a/policy/modules/contrib/automount.if
++++ b/policy/modules/contrib/automount.if
+@@ -153,6 +153,7 @@ interface(`automount_admin',`
+ 	gen_require(`
+ 		type automount_t, automount_lock_t, automount_tmp_t;
+ 		type automount_var_run_t, automount_initrc_exec_t;
++		type automount_keytab_t;
+ 	')
+ 
+ 	allow $1 automount_t:process { ptrace signal_perms };
+@@ -163,6 +164,9 @@ interface(`automount_admin',`
+ 	role_transition $2 automount_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, automount_keytab_t)
++
+ 	files_list_var($1)
+ 	admin_pattern($1, automount_lock_t)
+ 
+diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
+index d4e58ea..27d2f40 100644
+--- a/policy/modules/contrib/automount.te
++++ b/policy/modules/contrib/automount.te
+@@ -1,4 +1,4 @@
+-policy_module(automount, 1.14.0)
++policy_module(automount, 1.14.1)
+ 
+ ########################################
+ #
+@@ -12,8 +12,8 @@ init_daemon_domain(automount_t, automount_exec_t)
+ type automount_initrc_exec_t;
+ init_script_file(automount_initrc_exec_t)
+ 
+-type automount_var_run_t;
+-files_pid_file(automount_var_run_t)
++type automount_keytab_t;
++files_type(automount_keytab_t)
+ 
+ type automount_lock_t;
+ files_lock_file(automount_lock_t)
+@@ -22,6 +22,9 @@ type automount_tmp_t;
+ files_tmp_file(automount_tmp_t)
+ files_mountpoint(automount_tmp_t)
+ 
++type automount_var_run_t;
++files_pid_file(automount_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -36,6 +39,8 @@ allow automount_t self:rawip_socket create_socket_perms;
+ 
+ can_exec(automount_t, automount_exec_t)
+ 
++allow automount_t automount_keytab_t:file read_file_perms;
++
+ allow automount_t automount_lock_t:file manage_file_perms;
+ files_lock_filetrans(automount_t, automount_lock_t, file)
+ 
+@@ -143,8 +148,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(automount, automount_t)
+ 	kerberos_read_config(automount_t)
++	kerberos_read_keytab(automount_t)
++	kerberos_use(automount_t)
+ 	kerberos_dontaudit_write_config(automount_t)
+ ')
+ 
+diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
+index 866a1e2..531a8f2 100644
+--- a/policy/modules/contrib/bind.if
++++ b/policy/modules/contrib/bind.if
+@@ -364,6 +364,7 @@ interface(`bind_admin',`
+ 		type named_t, named_tmp_t, named_log_t;
+ 		type named_cache_t, named_zone_t, named_initrc_exec_t;
+ 		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
++		type named_keytab_t;
+ 	')
+ 
+ 	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+@@ -381,7 +382,7 @@ interface(`bind_admin',`
+ 	admin_pattern($1, named_log_t)
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, named_conf_t)
++	admin_pattern($1, { named_keytab_t named_conf_t })
+ 
+ 	files_list_var($1)
+ 	admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
+diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
+index b01e493..1241123 100644
+--- a/policy/modules/contrib/bind.te
++++ b/policy/modules/contrib/bind.te
+@@ -1,4 +1,4 @@
+-policy_module(bind, 1.13.0)
++policy_module(bind, 1.13.1)
+ 
+ ########################################
+ #
+@@ -44,6 +44,9 @@ files_type(named_cache_t)
+ type named_initrc_exec_t;
+ init_script_file(named_initrc_exec_t)
+ 
++type named_keytab_t;
++files_type(named_keytab_t)
++
+ type named_log_t;
+ logging_log_file(named_log_t)
+ 
+@@ -84,7 +87,7 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+ manage_files_pattern(named_t, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+ 
+-can_exec(named_t, named_exec_t)
++allow named_t named_keytab_t:file read_file_perms;
+ 
+ append_files_pattern(named_t, named_log_t, named_log_t)
+ create_files_pattern(named_t, named_log_t, named_log_t)
+@@ -100,6 +103,8 @@ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })
+ 
++can_exec(named_t, named_exec_t)
++
+ allow named_t named_zone_t:dir list_dir_perms;
+ read_files_pattern(named_t, named_zone_t, named_zone_t)
+ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+@@ -182,7 +187,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(named, named_t)
++	kerberos_read_keytab(named_t)
++	kerberos_use(named_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
+index d865049..41bb279 100644
+--- a/policy/modules/contrib/cron.te
++++ b/policy/modules/contrib/cron.te
+@@ -1,4 +1,4 @@
+-policy_module(cron, 2.6.0)
++policy_module(cron, 2.6.1)
+ 
+ gen_require(`
+ 	class passwd rootok;
+@@ -701,22 +701,22 @@ optional_policy(`
+ # Unconfined local policy
+ #
+ 
+-optional_policy(`
+-	type unconfined_cronjob_t;
+-	domain_type(unconfined_cronjob_t)
+-	domain_cron_exemption_target(unconfined_cronjob_t)
++type unconfined_cronjob_t;
++domain_type(unconfined_cronjob_t)
++domain_cron_exemption_target(unconfined_cronjob_t)
+ 
+-	dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
++dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ 
+-	unconfined_domain(unconfined_cronjob_t)
++tunable_policy(`cron_userdomain_transition',`
++	dontaudit crond_t unconfined_cronjob_t:process transition;
++	dontaudit crond_t unconfined_cronjob_t:fd use;
++	dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
++',`
++	allow crond_t unconfined_cronjob_t:process transition;
++	allow crond_t unconfined_cronjob_t:fd use;
++	allow crond_t unconfined_cronjob_t:key manage_key_perms;
++')
+ 
+-	tunable_policy(`cron_userdomain_transition',`
+-		dontaudit crond_t unconfined_cronjob_t:process transition;
+-		dontaudit crond_t unconfined_cronjob_t:fd use;
+-		dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
+-	',`
+-		allow crond_t unconfined_cronjob_t:process transition;
+-		allow crond_t unconfined_cronjob_t:fd use;
+-		allow crond_t unconfined_cronjob_t:key manage_key_perms;
+-	')
++optional_policy(`
++	unconfined_domain(unconfined_cronjob_t)
+ ')
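Review bot: moving the tunable_policy block out of optional_policy at the end of cron.te makes the crond_t to unconfined_cronjob_t rules unconditional, so with cron_userdomain_transition off the `allow crond_t unconfined_cronjob_t:process transition;` rule is present even when the unconfined module is absent and unconfined_domain(unconfined_cronjob_t) is never applied. Only the type declaration needs to be mandatory to fix the duplicate declaration the commit message describes; if the allow and dontaudit rules can stay inside the optional block next to unconfined_domain(), crond_t cannot enter a domain that has no policy behind it. Please confirm this is intended for a target built without the unconfined module.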
+diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
+index 9fa7ffb..64775fd 100644
+--- a/policy/modules/contrib/cvs.if
++++ b/policy/modules/contrib/cvs.if
+@@ -59,7 +59,7 @@ interface(`cvs_exec',`
+ interface(`cvs_admin',`
+ 	gen_require(`
+ 		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+-		type cvs_data_t, cvs_var_run_t;
++		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+ 	')
+ 
+ 	allow $1 cvs_t:process { ptrace signal_perms };
+@@ -70,6 +70,9 @@ interface(`cvs_admin',`
+ 	role_transition $2 cvs_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_search_etc($1)
++	admin_pattern($1, cvs_keytab_t)
++
+ 	files_list_tmp($1)
+ 	admin_pattern($1, cvs_tmp_t)
+ 
+diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
+index 6c544e5..17df324 100644
+--- a/policy/modules/contrib/cvs.te
++++ b/policy/modules/contrib/cvs.te
+@@ -1,4 +1,4 @@
+-policy_module(cvs, 1.10.0)
++policy_module(cvs, 1.10.1)
+ 
+ ########################################
+ #
+@@ -24,6 +24,9 @@ files_type(cvs_data_t)
+ type cvs_initrc_exec_t;
+ init_script_file(cvs_initrc_exec_t)
+ 
++type cvs_keytab_t;
++files_type(cvs_keytab_t)
++
+ type cvs_tmp_t;
+ files_tmp_file(cvs_tmp_t)
+ 
+@@ -44,6 +47,8 @@ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ 
++allow cvs_t cvs_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })
+@@ -87,8 +92,9 @@ tunable_policy(`allow_cvs_read_shadow',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(cvs, cvs_t)
+ 	kerberos_read_config(cvs_t)
++	kerberos_read_keytab(cvs_t)
++	kerberos_use(cvs_t)
+ 	kerberos_dontaudit_write_config(cvs_t)
+ ')
+ 
+diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
+index 6508280..83bfda6 100644
+--- a/policy/modules/contrib/cyrus.if
++++ b/policy/modules/contrib/cyrus.if
+@@ -61,6 +61,7 @@ interface(`cyrus_admin',`
+ 	gen_require(`
+ 		type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+ 		type cyrus_var_run_t, cyrus_initrc_exec_t;
++		type cyrus_keytab_t;
+ 	')
+ 
+ 	allow $1 cyrus_t:process { ptrace signal_perms };
+@@ -71,6 +72,9 @@ interface(`cyrus_admin',`
+ 	role_transition $2 cyrus_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, cyrus_keytab_t)
++
+ 	files_list_tmp($1)
+ 	admin_pattern($1, cyrus_tmp_t)
+ 
+diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
+index 0cef3ef..4283f2d 100644
+--- a/policy/modules/contrib/cyrus.te
++++ b/policy/modules/contrib/cyrus.te
+@@ -1,4 +1,4 @@
+-policy_module(cyrus, 1.13.0)
++policy_module(cyrus, 1.13.1)
+ 
+ ########################################
+ #
+@@ -12,6 +12,9 @@ init_daemon_domain(cyrus_t, cyrus_exec_t)
+ type cyrus_initrc_exec_t;
+ init_script_file(cyrus_initrc_exec_t)
+ 
++type cyrus_keytab_t;
++files_type(cyrus_keytab_t)
++
+ type cyrus_tmp_t;
+ files_tmp_file(cyrus_tmp_t)
+ 
+@@ -41,6 +44,8 @@ allow cyrus_t self:unix_dgram_socket sendto;
+ allow cyrus_t self:unix_stream_socket { accept connectto listen };
+ allow cyrus_t self:tcp_socket { accept listen };
+ 
++allow cyrus_t cyrus_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+ manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+ files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file })
+@@ -116,7 +121,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(cyrus, cyrus_t)
++	kerberos_read_keytab(cyrus_t)
++	kerberos_use(cyrus_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
+index dbcac59..d5badb7 100644
+--- a/policy/modules/contrib/dovecot.if
++++ b/policy/modules/contrib/dovecot.if
+@@ -143,6 +143,7 @@ interface(`dovecot_admin',`
+ 		type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
+ 		type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
+ 		type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
++		type dovecot_keytab_t;
+ 	')
+ 
+ 	allow $1 dovecot_t:process { ptrace signal_perms };
+@@ -154,7 +155,7 @@ interface(`dovecot_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, dovecot_etc_t)
++	admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, dovecot_var_log_t)
+diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
+index 3a6e733..0aabc7e 100644
+--- a/policy/modules/contrib/dovecot.te
++++ b/policy/modules/contrib/dovecot.te
+@@ -1,4 +1,4 @@
+-policy_module(dovecot, 1.16.0)
++policy_module(dovecot, 1.16.1)
+ 
+ ########################################
+ #
+@@ -38,6 +38,9 @@ files_config_file(dovecot_etc_t)
+ type dovecot_initrc_exec_t;
+ init_script_file(dovecot_initrc_exec_t)
+ 
++type dovecot_keytab_t;
++files_type(dovecot_keytab_t)
++
+ type dovecot_passwd_t;
+ files_type(dovecot_passwd_t)
+ 
+@@ -99,6 +102,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+ allow dovecot_t dovecot_cert_t:file read_file_perms;
+ allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+ 
++allow dovecot_t dovecot_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+@@ -182,9 +187,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(dovecot, dovecot_t)
+ 	kerberos_manage_host_rcache(dovecot_t)
++	kerberos_read_keytab(dovecot_t)
+ 	kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
++	kerberos_use(dovecot_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
+index 6041113..94a8269 100644
+--- a/policy/modules/contrib/exim.if
++++ b/policy/modules/contrib/exim.if
+@@ -244,6 +244,7 @@ interface(`exim_admin',`
+ 	gen_require(`
+ 		type exim_t, exim_spool_t, exim_log_t;
+ 		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
++		type exim_keytab_t;
+ 	')
+ 
+ 	allow $1 exim_t:process { ptrace signal_perms };
+@@ -254,6 +255,9 @@ interface(`exim_admin',`
+ 	role_transition $2 exim_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_search_etc($1)
++	admin_pattern($1, exim_keytab_t)
++
+ 	files_search_spool($1)
+ 	admin_pattern($1, exim_spool_t)
+ 
+diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
+index c9c04ee..7e8cf42 100644
+--- a/policy/modules/contrib/exim.te
++++ b/policy/modules/contrib/exim.te
+@@ -1,4 +1,4 @@
+-policy_module(exim, 1.6.0)
++policy_module(exim, 1.6.1)
+ 
+ ########################################
+ #
+@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t)
+ type exim_initrc_exec_t;
+ init_script_file(exim_initrc_exec_t)
+ 
++type exim_keytab_t;
++files_type(exim_keytab_t)
++
+ type exim_log_t;
+ logging_log_file(exim_log_t)
+ 
+@@ -68,6 +71,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
+ allow exim_t self:unix_stream_socket { accept listen };
+ allow exim_t self:tcp_socket { accept listen };
+ 
++allow exim_t exim_keytab_t:file read_file_perms;
++
+ append_files_pattern(exim_t, exim_log_t, exim_log_t)
+ create_files_pattern(exim_t, exim_log_t, exim_log_t)
+ setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
+@@ -188,7 +193,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(exim, exim_t)
++	kerberos_read_keytab(exim_t)
++	kerberos_use(exim_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
+index d062080..4498143 100644
+--- a/policy/modules/contrib/ftp.if
++++ b/policy/modules/contrib/ftp.if
+@@ -176,6 +176,7 @@ interface(`ftp_admin',`
+ 		type ftpd_etc_t, ftpd_lock_t, sftpd_t;
+ 		type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
+ 		type ftpd_initrc_exec_t, ftpdctl_tmp_t;
++		type ftpd_keytab_t;
+ 	')
+ 
+ 	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
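Review bot: the context line at the end of this ftp_admin hunk names `anon_sftpd` in the process rule, while the gen_require block just above declares `anon_sftpd_t`. This looks like a typo in the underlying file rather than something this patch introduces, but since the hunk touches the same interface it is worth checking that ftp_admin still resolves when the module is enabled, and reporting it to the policy maintainers.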
+@@ -192,7 +193,7 @@ interface(`ftp_admin',`
+ 	admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, ftpd_etc_t)
++	admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })
+ 
+ 	files_list_var($1)
+ 	admin_pattern($1, ftpd_lock_t)
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index 544c512..36838c2 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -1,4 +1,4 @@
+-policy_module(ftp, 1.15.0)
++policy_module(ftp, 1.15.1)
+ 
+ ########################################
+ #
+@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
+ type ftpd_initrc_exec_t;
+ init_script_file(ftpd_initrc_exec_t)
+ 
++type ftpd_keytab_t;
++files_type(ftpd_keytab_t)
++
+ type ftpd_lock_t;
+ files_lock_file(ftpd_lock_t)
+ 
+@@ -176,6 +179,8 @@ allow ftpd_t self:key manage_key_perms;
+ 
+ allow ftpd_t ftpd_etc_t:file read_file_perms;
+ 
++allow ftpd_t ftpd_keytab_t:file read_file_perms;
++
+ allow ftpd_t ftpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+ 
+@@ -359,8 +364,9 @@ optional_policy(`
+ optional_policy(`
+ 	selinux_validate_context(ftpd_t)
+ 
+-	kerberos_keytab_template(ftpd, ftpd_t)
++	kerberos_read_keytab(ftpd_t)
+ 	kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
++	kerberos_use(ftpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
+index f9de9fc..f6c00d8 100644
+--- a/policy/modules/contrib/kerberos.if
++++ b/policy/modules/contrib/kerberos.if
+@@ -354,22 +354,7 @@ interface(`kerberos_etc_filetrans_keytab',`
+ ## </param>
+ #
+ template(`kerberos_keytab_template',`
+-
+-	########################################
+-	#
+-	# Declarations
+-	#
+-
+-	type $1_keytab_t;
+-	files_type($1_keytab_t)
+-
+-	########################################
+-	#
+-	# Policy
+-	#
+-
+-	allow $2 $1_keytab_t:file read_file_perms;
+-
++	refpolicywarn(`$0($*) has been deprecated.')
+ 	kerberos_read_keytab($2)
+ 	kerberos_use($2)
+ ')
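Review bot: after this change kerberos_keytab_template no longer declares $1_keytab_t or grants read on it, and its first argument is unused, so any caller not converted in this patch loses its keytab type and gets only a refpolicywarn at build time. Please confirm that every module enabled in package/refpolicy/modules.conf has been converted, and consider updating the doc comment above the template to say it is deprecated in favour of kerberos_read_keytab() and kerberos_use().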
+diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
+index de2508e..7f09b4a 100644
+--- a/policy/modules/contrib/ldap.if
++++ b/policy/modules/contrib/ldap.if
+@@ -116,7 +116,7 @@ interface(`ldap_admin',`
+ 		type slapd_t, slapd_tmp_t, slapd_replog_t;
+ 		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+ 		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
+-		type slapd_db_t;
++		type slapd_db_t, slapd_keytab_t;
+ 	')
+ 
+ 	allow $1 slapd_t:process { ptrace signal_perms };
+@@ -128,7 +128,7 @@ interface(`ldap_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })
++	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
+ 
+ 	files_list_locks($1)
+ 	admin_pattern($1, slapd_lock_t)
+diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
+index 71b00f8..131dc88 100644
+--- a/policy/modules/contrib/ldap.te
++++ b/policy/modules/contrib/ldap.te
+@@ -1,4 +1,4 @@
+-policy_module(ldap, 1.11.0)
++policy_module(ldap, 1.11.1)
+ 
+ ########################################
+ #
+@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
+ type slapd_initrc_exec_t;
+ init_script_file(slapd_initrc_exec_t)
+ 
++type slapd_keytab_t;
++files_type(slapd_keytab_t)
++
+ type slapd_lock_t;
+ files_lock_file(slapd_lock_t)
+ 
+@@ -60,6 +63,8 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+ 
+ allow slapd_t slapd_etc_t:file read_file_perms;
+ 
++allow slapd_t slapd_keytab_t:file read_file_perms;
++
+ allow slapd_t slapd_lock_t:file manage_file_perms;
+ files_lock_filetrans(slapd_t, slapd_lock_t, file)
+ 
+@@ -131,11 +136,12 @@ ifdef(`distro_gentoo',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(slapd, slapd_t)
+ 	kerberos_manage_host_rcache(slapd_t)
++	kerberos_read_keytab(slapd_t)
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
++	kerberos_use(slapd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
+index 6e26d71..8e7d1e7 100644
+--- a/policy/modules/contrib/postfix.if
++++ b/policy/modules/contrib/postfix.if
+@@ -714,6 +714,7 @@ interface(`postfix_admin',`
+ 		type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
+ 		type postfix_data_t, postfix_var_run_t, postfix_public_t;
+ 		type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
++		type postfix_keytab_t;
+ 	')
+ 
+ 	allow $1 postfix_domain:process { ptrace signal_perms };
+@@ -725,7 +726,7 @@ interface(`postfix_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })
++	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+ 
+ 	files_search_spool($1)
+ 	admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
+diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
+index 0cb7938..dd7259f 100644
+--- a/policy/modules/contrib/postfix.te
++++ b/policy/modules/contrib/postfix.te
+@@ -1,4 +1,4 @@
+-policy_module(postfix, 1.15.0)
++policy_module(postfix, 1.15.1)
+ 
+ ########################################
+ #
+@@ -36,6 +36,9 @@ files_config_file(postfix_etc_t)
+ type postfix_exec_t;
+ application_executable_file(postfix_exec_t)
+ 
++type postfix_keytab_t;
++files_type(postfix_keytab_t)
++
+ postfix_server_domain_template(local)
+ mta_mailserver_delivery(postfix_local_t)
+ 
+@@ -209,6 +212,8 @@ allow postfix_master_t postfix_etc_t:file rw_file_perms;
+ allow postfix_master_t postfix_data_t:dir manage_dir_perms;
+ allow postfix_master_t postfix_data_t:file manage_file_perms;
+ 
++allow postfix_master_t postfix_keytab_t:file read_file_perms;
++
+ allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+ 
+ allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+@@ -314,7 +319,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(postfix, postfix_t)
++	kerberos_read_keytab(postfix_master_t)
++	kerberos_use(postfix_master_t)
+ ')
+ 
+ optional_policy(`
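Review bot: the replacement in this optional_policy block changes the domain as well as the interface: the removed line passed postfix_t to kerberos_keytab_template, while the added kerberos_read_keytab() and kerberos_use() calls take postfix_master_t. The commit message does not mention that change; a sentence explaining why the master domain is the right recipient would make the patch easier to audit, since it decides which process may read the Kerberos keytab.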
+diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
+index fbbc398..cc426e6 100644
+--- a/policy/modules/contrib/procmail.te
++++ b/policy/modules/contrib/procmail.te
+@@ -1,4 +1,4 @@
+-policy_module(procmail, 1.13.0)
++policy_module(procmail, 1.13.1)
+ 
+ ########################################
+ #
+@@ -122,7 +122,7 @@ optional_policy(`
+ 	postfix_read_spool_files(procmail_t)
+ 	postfix_read_local_state(procmail_t)
+ 	postfix_read_master_state(procmail_t)
+-	postfix_rw_master_pipes(procmail_t)
++	postfix_rw_inherited_master_pipes(procmail_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
+index 83cccf9..8742944 100644
+--- a/policy/modules/contrib/qmail.te
++++ b/policy/modules/contrib/qmail.te
+@@ -1,4 +1,4 @@
+-policy_module(qmail, 1.6.0)
++policy_module(qmail, 1.6.1)
+ 
+ ########################################
+ #
+@@ -42,6 +42,9 @@ qmail_child_domain_template(qmail_send, qmail_start_t)
+ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+ qmail_child_domain_template(qmail_splogger, qmail_start_t)
+ 
++type qmail_keytab_t;
++files_type(qmail_keytab_t)
++
+ type qmail_spool_t;
+ files_type(qmail_spool_t)
+ 
+@@ -241,6 +244,8 @@ allow qmail_smtpd_t self:process signal_perms;
+ allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
+ allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+ 
++allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;
++
+ allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
+ 
+ dev_read_rand(qmail_smtpd_t)
+@@ -253,7 +258,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(qmail, qmail_smtpd_t)
++	kerberos_read_keytab(qmail_smtpd_t)
++	kerberos_use(qmail_smtpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
+index 20696cc..5916f81 100644
+--- a/policy/modules/contrib/rlogin.te
++++ b/policy/modules/contrib/rlogin.te
+@@ -1,4 +1,4 @@
+-policy_module(rlogin, 1.11.0)
++policy_module(rlogin, 1.11.1)
+ 
+ ########################################
+ #
+@@ -16,6 +16,9 @@ term_login_pty(rlogind_devpts_t)
+ type rlogind_home_t;
+ userdom_user_home_content(rlogind_home_t)
+ 
++type rlogind_keytab_t;
++files_type(rlogind_keytab_t)
++
+ type rlogind_tmp_t;
+ files_tmp_file(rlogind_tmp_t)
+ 
+@@ -37,6 +40,8 @@ term_create_pty(rlogind_t, rlogind_devpts_t)
+ 
+ allow rlogind_t rlogind_home_t:file read_file_perms;
+ 
++allow rlogind_t rlogind_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+ manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+ files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
+@@ -98,9 +103,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(rlogind, rlogind_t)
++	kerberos_read_keytab(rlogind_t)
+ 	kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
+ 	kerberos_manage_host_rcache(rlogind_t)
++	kerberos_use(rlogind_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
+index 07f5eb0..157afd9 100644
+--- a/policy/modules/contrib/rpc.if
++++ b/policy/modules/contrib/rpc.if
+@@ -394,7 +394,7 @@ interface(`rpc_admin',`
+ 		attribute rpc_domain;
+ 		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
+ 		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
+-		type nfsd_ro_t, nfsd_rw_t;
++		type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+ 	')
+ 
+ 	allow $1 rpc_domain:process { ptrace signal_perms };
+@@ -406,7 +406,7 @@ interface(`rpc_admin',`
+  	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, exports_t)
++	admin_pattern($1, { gssd_keytab_t exports_t })
+ 
+ 	files_list_var_lib($1)
+ 	admin_pattern($1, var_lib_nfs_t)
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index 1e6b44d..a8de8bd 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -1,4 +1,4 @@
+-policy_module(rpc, 1.15.0)
++policy_module(rpc, 1.15.1)
+ 
+ ########################################
+ #
+@@ -30,6 +30,9 @@ files_config_file(exports_t)
+ 
+ rpc_domain_template(gssd)
+ 
++type gssd_keytab_t;
++files_type(gssd_keytab_t)
++
+ type gssd_tmp_t;
+ files_tmp_file(gssd_tmp_t)
+ 
+@@ -271,6 +274,8 @@ allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+ allow gssd_t self:process { getsched setsched };
+ allow gssd_t self:fifo_file rw_fifo_file_perms;
+ 
++allow gssd_t gssd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+@@ -309,9 +314,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(gssd, gssd_t)
+ 	kerberos_manage_host_rcache(gssd_t)
++	kerberos_read_keytab(gssd_t)
+ 	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
++	kerberos_use(gssd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
+index 575e3e3..864e089 100644
+--- a/policy/modules/contrib/rshd.te
++++ b/policy/modules/contrib/rshd.te
+@@ -1,4 +1,4 @@
+-policy_module(rshd, 1.8.0)
++policy_module(rshd, 1.8.1)
+ 
+ ########################################
+ #
+@@ -10,6 +10,9 @@ type rshd_exec_t;
+ auth_login_pgm_domain(rshd_t)
+ inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+ 
++type rshd_keytab_t;
++files_type(rshd_keytab_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -20,6 +23,8 @@ allow rshd_t self:process { signal_perms setsched setpgid setexec };
+ allow rshd_t self:fifo_file rw_fifo_file_perms;
+ allow rshd_t self:tcp_socket create_stream_socket_perms;
+ 
++allow rshd_t rshd_keytab_t:file read_file_perms;
++
+ kernel_read_kernel_sysctls(rshd_t)
+ 
+ corenet_all_recvfrom_unlabeled(rshd_t)
+@@ -54,9 +59,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(rshd, rshd_t)
+ 	kerberos_manage_host_rcache(rshd_t)
++	kerberos_read_keytab(rshd_t)
+ 	kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
++	kerberos_use(rshd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
+index aee75af..50d07fb 100644
+--- a/policy/modules/contrib/samba.if
++++ b/policy/modules/contrib/samba.if
+@@ -689,6 +689,7 @@ interface(`samba_admin',`
+ 		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
+ 		type swat_var_run_t, swat_tmp_t, winbind_log_t;
+ 		type winbind_var_run_t, winbind_tmp_t;
++		type smbd_keytab_t;
+ 	')
+ 
+ 	allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+@@ -700,7 +701,7 @@ interface(`samba_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, samba_etc_t)
++	admin_pattern($1, { samba_etc_t smbd_keytab_t })
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, { samba_log_t winbind_log_t })
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 54b89a6..98daaef 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1,4 +1,4 @@
+-policy_module(samba, 1.16.0)
++policy_module(samba, 1.16.1)
+ 
+ #################################
+ #
+@@ -142,6 +142,9 @@ type smbd_t;
+ type smbd_exec_t;
+ init_daemon_domain(smbd_t, smbd_exec_t)
+ 
++type smbd_keytab_t;
++files_type(smbd_keytab_t)
++
+ type smbd_tmp_t;
+ files_tmp_file(smbd_tmp_t)
+ 
+@@ -271,6 +274,8 @@ allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }
+ 
+ allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+ 
++allow smbd_t smbd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
+ append_files_pattern(smbd_t, samba_log_t, samba_log_t)
+ create_files_pattern(smbd_t, samba_log_t, samba_log_t)
+@@ -468,8 +473,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	kerberos_read_keytab(smbd_t)
+ 	kerberos_use(smbd_t)
+-	kerberos_keytab_template(smbd, smbd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
+index b2f388a..8c3c151 100644
+--- a/policy/modules/contrib/sasl.if
++++ b/policy/modules/contrib/sasl.if
+@@ -39,6 +39,7 @@ interface(`sasl_connect',`
+ interface(`sasl_admin',`
+ 	gen_require(`
+ 		type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
++		type saslauthd_keytab_t;
+ 	')
+ 
+ 	allow $1 saslauthd_t:process { ptrace signal_perms };
+@@ -49,6 +50,9 @@ interface(`sasl_admin',`
+ 	role_transition $2 saslauthd_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, saslauthd_keytab_t)
++
+ 	files_list_pids($1)
+ 	admin_pattern($1, saslauthd_var_run_t)
+ ')
+diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
+index 20ebffb..6c3bc20 100644
+--- a/policy/modules/contrib/sasl.te
++++ b/policy/modules/contrib/sasl.te
+@@ -1,4 +1,4 @@
+-policy_module(sasl, 1.15.0)
++policy_module(sasl, 1.15.1)
+ 
+ ########################################
+ #
+@@ -20,6 +20,9 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+ type saslauthd_initrc_exec_t;
+ init_script_file(saslauthd_initrc_exec_t)
+ 
++type saslauthd_keytab_t;
++files_type(saslauthd_keytab_t)
++
+ type saslauthd_var_run_t;
+ files_pid_file(saslauthd_var_run_t)
+ 
+@@ -34,6 +37,8 @@ allow saslauthd_t self:process { setsched signal_perms };
+ allow saslauthd_t self:fifo_file rw_fifo_file_perms;
+ allow saslauthd_t self:unix_stream_socket { accept listen };
+ 
++allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+@@ -92,9 +97,10 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(saslauthd, saslauthd_t)
++	kerberos_read_keytab(saslauthd_t)
+ 	kerberos_manage_host_rcache(saslauthd_t)
+ 	kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
++	kerberos_use(saslauthd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
+index 88e753f..35ad2a7 100644
+--- a/policy/modules/contrib/sendmail.if
++++ b/policy/modules/contrib/sendmail.if
+@@ -354,6 +354,7 @@ interface(`sendmail_admin',`
+ 	gen_require(`
+ 		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
+ 		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
++		type sendmail_keytab_t;
+ 	')
+ 
+ 	allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
+@@ -363,6 +364,9 @@ interface(`sendmail_admin',`
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 sendmail_initrc_exec_t system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, sendmail_keytab_t)
++
+ 	logging_list_logs($1)
+ 	admin_pattern($1, sendmail_log_t)
+ 
+diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
+index 320db21..12700b4 100644
+--- a/policy/modules/contrib/sendmail.te
++++ b/policy/modules/contrib/sendmail.te
+@@ -1,4 +1,4 @@
+-policy_module(sendmail, 1.12.0)
++policy_module(sendmail, 1.12.1)
+ 
+ ########################################
+ #
+@@ -13,6 +13,9 @@ roleattribute system_r sendmail_unconfined_roles;
+ type sendmail_initrc_exec_t;
+ init_script_file(sendmail_initrc_exec_t)
+ 
++type sendmail_keytab_t;
++files_type(sendmail_keytab_t)
++
+ type sendmail_log_t;
+ logging_log_file(sendmail_log_t)
+ 
+@@ -43,6 +46,8 @@ allow sendmail_t self:fifo_file rw_fifo_file_perms;
+ allow sendmail_t self:unix_stream_socket { accept listen };
+ allow sendmail_t self:tcp_socket { accept listen };
+ 
++allow sendmail_t sendmail_keytab_t:file read_file_perms;
++
+ allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
+ append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+ create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+@@ -154,7 +159,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(sendmail, sendmail_t)
++	kerberos_read_keytab(sendmail_t)
++	kerberos_use(sendmail_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
+index 02fba54..cc58e35 100644
+--- a/policy/modules/contrib/spamassassin.te
++++ b/policy/modules/contrib/spamassassin.te
+@@ -1,4 +1,4 @@
+-policy_module(spamassassin, 2.6.0)
++policy_module(spamassassin, 2.6.1)
+ 
+ ########################################
+ #
+@@ -262,7 +262,7 @@ optional_policy(`
+ 	postfix_domtrans_postdrop(spamc_t)
+ 	postfix_search_spool(spamc_t)
+ 	postfix_rw_local_pipes(spamc_t)
+-	postfix_rw_master_pipes(spamc_t)
++	postfix_rw_inherited_master_pipes(spamc_t)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
+index b9e2061..bcef8b5 100644
+--- a/policy/modules/contrib/telnet.te
++++ b/policy/modules/contrib/telnet.te
+@@ -1,4 +1,4 @@
+-policy_module(telnet, 1.11.0)
++policy_module(telnet, 1.11.1)
+ 
+ ########################################
+ #
+@@ -12,6 +12,9 @@ inetd_service_domain(telnetd_t, telnetd_exec_t)
+ type telnetd_devpts_t;
+ term_login_pty(telnetd_devpts_t)
+ 
++type telnetd_keytab_t;
++files_type(telnetd_keytab_t)
++
+ type telnetd_tmp_t;
+ files_tmp_file(telnetd_tmp_t)
+ 
+@@ -30,6 +33,8 @@ allow telnetd_t self:fifo_file rw_fifo_file_perms;
+ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(telnetd_t, telnetd_devpts_t)
+ 
++allow telnetd_t telnetd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+ manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+ files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+@@ -85,9 +90,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(telnetd, telnetd_t)
++	kerberos_read_keytab(telnetd_t)
+ 	kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
+ 	kerberos_manage_host_rcache(telnetd_t)
++	kerberos_use(telnetd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
+index e30a42e..c8bc302 100644
+--- a/policy/modules/contrib/virt.if
++++ b/policy/modules/contrib/virt.if
+@@ -1148,7 +1148,7 @@ interface(`virt_admin',`
+ 		type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
+ 		type virt_var_run_t, virt_tmp_t, virt_log_t;
+ 		type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
+-		type virt_etc_t, svirt_cache_t;
++		type virt_etc_t, svirt_cache_t, virtd_keytab_t;
+ 	')
+ 
+ 	allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
+@@ -1168,7 +1168,7 @@ interface(`virt_admin',`
+ 	admin_pattern($1, { virt_tmp_type virt_tmp_t })
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { virt_etc_t virt_etc_rw_t })
++	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+ 
+ 	logging_search_logs($1)
+ 	admin_pattern($1, virt_log_t)
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 9230f0d..f2916f7 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -1,4 +1,4 @@
+-policy_module(virt, 1.7.0)
++policy_module(virt, 1.7.1)
+ 
+ ########################################
+ #
+@@ -142,6 +142,9 @@ domain_subj_id_change_exemption(virtd_t)
+ type virtd_initrc_exec_t;
+ init_script_file(virtd_initrc_exec_t)
+ 
++type virtd_keytab_t;
++files_type(virtd_keytab_t)
++
+ ifdef(`enable_mcs',`
+ 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -438,6 +441,8 @@ manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+ manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
+ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
+ 
++allow virtd_t virtd_keytab_t:file read_file_perms;
++
+ allow virtd_t svirt_var_run_t:file relabel_file_perms;
+ manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+ manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+@@ -700,7 +705,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(virtd, virtd_t)
++	kerberos_read_keytab(virtd_t)
++	kerberos_use(virtd_t)
+ ')
+ 
+ optional_policy(`
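Review bot: the new per-daemon keytab types (smbd_keytab_t, saslauthd_keytab_t, sendmail_keytab_t, telnetd_keytab_t, virtd_keytab_t) are declared with files_type() and granted read_file_perms in the .te files, but none of the file sections shown here (samba, sasl, sendmail, telnet, virt) includes a change to the matching .fc file, so nothing visible labels a keytab with these types and the new allow rules have nothing to act on. If this is an unmodified backport of an upstream refpolicy change, name the upstream commit in the patch header; otherwise add file context entries for the keytabs these services use on a Buildroot target.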
diff --git a/package/refpolicy/0002-awk-fix.patch b/package/refpolicy/0002-awk-fix.patch
new file mode 100644
index 0000000..cc742a5
--- /dev/null
+++ b/package/refpolicy/0002-awk-fix.patch
@@ -0,0 +1,37 @@
+Use AWK variable instead of the hardcoded awk
+
+The refpolicy build system uses some awk expressions that need GNU
+awk, and not some other version of awk. Unfortunately, while the
+Makefile nicely defines a AWK variable pointing to gawk by default,
+there are several places where it hardcodes the usage of 'awk' without
+the variable. This patch fixes those instances by using the AWK
+vairable everywhere.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+Index: refpolicy-2.20130424/Makefile
+===================================================================
+--- refpolicy-2.20130424.orig/Makefile	2013-02-25 16:29:33.000000000 +0100
++++ refpolicy-2.20130424/Makefile	2013-11-24 22:29:19.000000000 +0100
+@@ -292,9 +292,9 @@
+ cmdline_off := $(addsuffix .te,$(APPS_OFF))
+ 
+ # extract settings from modules.conf
+-mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+ 
+ base_mods := $(cmdline_base)
+ mod_mods := $(cmdline_mods)
+@@ -308,7 +308,7 @@
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+ 
+ # filesystems to be used in labeling targets
+-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
++filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+ 
+ ########################################
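Review bot: the description has a typo ("vairable" in its last sentence), and the file is added here as 0002-awk-fix.patch only to be renamed to 0015-awk-fix.patch by patch 13/30 of the same series. Adding it under its final number in this patch avoids the rename and keeps the series bisectable without a numbering clash against 0002-baseDirectoryChanges.patch.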
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
new file mode 100644
index 0000000..5f4046e
--- /dev/null
+++ b/package/refpolicy/Config.in
@@ -0,0 +1,74 @@
+config BR2_PACKAGE_REFPOLICY
+	bool "refpolicy"
+	select BR2_PACKAGE_POLICYCOREUTILS
+	select BR2_PACKAGE_BUSYBOX_SELINUX
+#TODO, test impacts of this.....	select BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
+	depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
+	depends on BR2_LARGEFILE # policycoreutils
+	depends on BR2_ENABLE_LOCALE # policycoreutils
+	depends on BR2_USE_WCHAR # policycoreutils
+	depends on BR2_TOOLCHAIN_USES_GLIBC # policycoreutils
+	help
+	  The SELinux Reference Policy project (refpolicy) is a
+	  complete SELinux policy that can be used as the system
+	  policy for a variety of systems and used as the basis
+	  for creating other policies. Reference Policy was originally
+	  based on the NSA example policy, but aims to accomplish
+	  many additional goals.
+
+	  The current refpolicy does not fully support Buildroot
+	  and needs modifications to work with the default system
+	  file layout.  These changes should be added as patches to
+	  the refpolicy that modify a single SELinux policy.
+
+comment "refpolicy needs a toolchain w/ wchar, locale, threads, largefile, glibc"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE \
+		|| !BR2_ENABLE_LOCALE || !BR2_USE_WCHAR \
+		|| !BR2_TOOLCHAIN_USES_GLIBC
+
+if BR2_PACKAGE_REFPOLICY
+
+choice
+	prompt "SELinux policy type"
+	default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+		bool "Standard"
+		help
+		  Standard SELinux policy
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_MCS
+		bool "MCS"
+		help
+		  SELinux policy with multi-catagory support
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_MLS
+		bool "MLS"
+		help
+		  SELinux policy with multi-catagory and multi-level support
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_TYPE
+	string
+	default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+	default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
+	default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
+
+config BR2_PACKAGE_REFPOLICY_MODULES_FILE
+	string
+	default "package/refpolicy/modules.conf"
+	help
+	  Location of a custom modules.conf file that lists the
+	  SELinux policy modules to be included in the compiled
+	  policy. See policy/modules.conf in the refpolicy sources for
+	  the complete list of available modules.
+
+config BR2_PACKAGE_REFPOLICY_MODULAR
+	bool "Build a modular SELinux policy"
+	help
+	  Select Y to build a modular SELinux policy. By default,
+	  a monolithing policy will be built to save space on the
+	  target. A modular policy can also be built if policies
+	  need to be modified without reloading the target.
+
+endif
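Review bot: BR2_PACKAGE_REFPOLICY_MODULES_FILE is declared as a bare "string" with no prompt, so it never appears in menuconfig and the custom modules.conf its help text describes cannot be selected by the user; give the option a prompt. The commented-out "#TODO, test impacts of this..... select BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES" line should be resolved or dropped before merging, and the help texts contain the typos "multi-catagory" (twice) and "monolithing".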
diff --git a/package/refpolicy/S12selinux b/package/refpolicy/S12selinux
new file mode 100644
index 0000000..f570bd3
--- /dev/null
+++ b/package/refpolicy/S12selinux
@@ -0,0 +1,137 @@
+#!/bin/sh
+################################################################################
+#
+# This file labels the security contexts of memory based filesystems such as
+# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
+# The 'stop' argument drops the security mode to 'permissive'.
+#
+# This script is a heavily stripped down and modified version of the one used
+# in CentOS 6.2
+#
+################################################################################
+
+# Get SELinux config env vars
+. /etc/selinux/config || failed "Failed to source the SELinux config"
+
+failed()
+{
+   echo $1
+   exit 1
+}
+
+setup_selinux() {
+   # Create required directories
+   mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ || 
+         failed "Failed to create the policy folder"
+   mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \
+         failed "Failed to create the modules folder"
+   if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]
+   then
+      touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \
+            failed "Failed to create the file_contexts.local file"
+   fi
+   
+   # Install modules
+   semodule -v -s ${SELINUXTYPE} -b /usr/share/selinux/${SELINUXTYPE}/base.pp \
+         -i $(ls /usr/share/selinux/${SELINUXTYPE}/*.pp | grep -v base) || \
+         failed "Failed to install the base policy"
+   
+   # Load the policy to activate it
+   load_policy -i || failed "Failed to load the SELinux policy"
+}
+
+relabel_selinux() {
+   # if /sbin/init is not labeled correctly this process is running in the
+   # wrong context, so a reboot will be required after relabel
+   AUTORELABEL=
+
+   # Switch to Permissive mode
+   echo "0" > /selinux/enforce || failed "Failed to disable enforcing mode"
+
+   echo
+   echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+   echo "*** Relabeling could take a very long time, depending on file"
+   echo "*** system size and speed of hard drives."
+
+   # Relabel mount points
+   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
+         >/dev/null 2>&1 || failed "Failed to relabel the mount points"
+   
+   # Relabel file system
+   echo "Relabeling file systems"
+   restorecon -R -F / || failed "Failed to relabel the file system"
+
+   # Remove label
+   rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
+   
+   # Reboot to activate relabeled file system
+   echo "Automatic reboot in progress."
+   reboot -f
+}
+
+start() {
+   echo -n "Initializing SELinux: "
+
+   # Check to see if the default policy has been installed
+   if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then
+      if [ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]
+      then
+         setup_selinux
+      else
+         echo "SELinux policy install failed. Check kernel and init config"
+         exit 1
+      fi
+   fi
+
+   # Check SELinux status
+   SELINUX_STATE=
+   if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
+      if [ -r "/selinux/enforce" ] ; then
+         SELINUX_STATE=$(cat "/selinux/enforce")
+      else
+         # assume enforcing if you can't read it
+         SELINUX_STATE=1
+      fi
+   fi
+
+   # Context Label /dev/
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ] && fgrep " /dev " /proc/mounts >/dev/null 2>&1 ; then
+      /sbin/restorecon -R -F /dev 2>/dev/null
+   fi
+
+   # Context Label tmpfs mounts
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1
+   fi
+
+   # Clean up SELinux labels
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1
+   fi
+
+   # Check for filesystem relabel request
+   if [ -f /.autorelabel ] ; then
+      relabel_selinux
+   fi
+
+   echo "OK"
+}  
+stop() {
+   # There is nothing to do
+   echo "OK" 
+}
+
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   *)
+      echo "Usage: $0 {start|stop}"
+      exit 1
+      ;;
+esac
+
+exit $?
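Review bot: failed() is called on the ". /etc/selinux/config || failed ..." line before the function is defined a few lines further down, so the intended error message can never be printed when the config file is missing; move the definition above the source line. In start(), the test "[ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]" errors out if the glob matches more than one file, and the "==" comparison on the sestatus output is not POSIX for a #!/bin/sh script. The header comment says the stop argument drops the mode to permissive, but stop() only prints OK, so either the comment or the function should change.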
diff --git a/package/refpolicy/config b/package/refpolicy/config
new file mode 100644
index 0000000..5eee807
--- /dev/null
+++ b/package/refpolicy/config
@@ -0,0 +1,8 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE= name of the selinux policy to use
+SELINUXTYPE=refpolicy
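Review bot: SELINUX=permissive means a target built with this package logs denials but enforces nothing, and neither this file nor the Config.in help tells the user that. Document the default in the package help, or add a Config.in choice for the mode and substitute it at install time the same way SELINUXTYPE is already rewritten.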
diff --git a/package/refpolicy/modules.conf b/package/refpolicy/modules.conf
new file mode 100644
index 0000000..58282d8
--- /dev/null
+++ b/package/refpolicy/modules.conf
@@ -0,0 +1,406 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from  being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module.  "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+# Required in base
+#
+# User-based access control policy
+#
+ubac = base
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# Filesystem namespacing/polyinstantiation application.
+#
+seunshare = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = module
+
+# Layer: roles
+# Module: auditadm
+#
+# Audit administrator role
+#
+auditadm = module
+
+# Layer: roles
+# Module: logadm
+#
+# Log administrator role
+#
+logadm = module
+
+# Layer: roles
+# Module: secadm
+#
+# Security administrator role
+#
+secadm = module
+
+# Layer: roles
+# Module: staff
+#
+# Administrator's unprivileged user role
+#
+staff = module
+
+# Layer: roles
+# Module: sysadm
+#
+# General system administration role
+#
+sysadm = module
+
+# Layer: roles
+# Module: unprivuser
+#
+# Generic unprivileged user role
+#
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: system
+# Module: application
+#
+# Policy for user executable applications.
+#
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
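Review bot: "unconfined = module" near the end of the list builds the unconfined domain into the policy, and "postgresql = module" and "xserver = module" add policy for services a minimal embedded image is unlikely to run. If these entries exist only to satisfy dependencies of other modules, put a comment above each one saying which; otherwise set them to off. The opening comment tells users to set a module to "off" to exclude it, yet no entry in the file uses that value, so the header should state how modules that are not listed at all are treated.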
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
new file mode 100644
index 0000000..81e104c
--- /dev/null
+++ b/package/refpolicy/refpolicy.mk
@@ -0,0 +1,87 @@
+################################################################################
+#
+# refpolicy
+#
+################################################################################
+
+REFPOLICY_VERSION = 2.20130424
+REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
+REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
+REFPOLICY_LICENSE = GPLv2
+REFPOLICY_LICENSE_FILES = COPYING
+
+# Cannot use multiple threads to build the reference policy
+REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
+
+REFPOLICY_DEPENDENCIES = host-m4 host-checkpolicy host-policycoreutils \
+	host-setools host-python-pyxml host-gawk policycoreutils
+
+REFPOLICY_INSTALL_STAGING = YES
+
+REFPOLICY_POLICY_NAME = br_policy
+
+# To apply board specific customizations, create a refpolicy folder in
+# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
+# in package/refpolicy
+
+# Pointing to the host compiler to build a sort application during the build.
+# The host compiler tools are not used for any part of the refpolicy build.
+# Note, the TEST_TOOLCHAIN option will also set the
+# LD_LIBRARY_PATH at run time.
+REFPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
+	TEST_TOOLCHAIN="$(HOST_DIR)"
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+	REFPOLICY_MONOLITHIC = n
+else
+	REFPOLICY_MONOLITHIC = y
+endif
+
+define REFPOLICY_CONFIGURE_CMDS
+	$(REFPOLICY_GIT_SUBMODULE_SETUP)
+	# If an external repo is used to build refpolicy, this preserves the
+	# custom modules.conf which defines the enabled components.
+	[ -f $(@D)/policy/modules.conf ] && mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk
+	$(REFPOLICY_MAKE) -C $(@D) bare $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+	$(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
+	$(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf
+	$(SED) "/NAME/c\NAME = $(REFPOLICY_POLICY_NAME)" $(@D)/build.conf
+	$(REFPOLICY_MAKE) -C $(@D) conf $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+	[ -f $(@D)/modules.conf.bk ] &&  echo "[Preserved modules.conf]" && \
+		mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf
+endef
+
+define REFPOLICY_INSTALL_STAGING_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
+		$(if $(BR2_HAVE_DOCUMENTATION),install-docs) \
+		$(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))
+
+define REFPOLICY_INSTALL_TARGET_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) install $(REFPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+	$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config
+	$(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(REFPOLICY_POLICY_NAME)" \
+		$(TARGET_DIR)/etc/selinux/config
+	touch $(TARGET_DIR)/.autorelabel
+	$(RM) $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/booleans
+endef
+
+define REFPOLICY_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D package/refpolicy/S12selinux \
+		$(TARGET_DIR)/etc/init.d/S12selinux
+endef
+
+define REFPOLICY_POLICY_COMPILE
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/policy
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/modules/active/modules
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files
+	touch $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files/file_contexts.local
+endef
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+	REFPOLICY_POST_INSTALL_TARGET_HOOKS += REFPOLICY_POLICY_COMPILE
+endif
+
+$(eval $(generic-package))
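Review bot: in REFPOLICY_CONFIGURE_CMDS the lines "[ -f $(@D)/policy/modules.conf ] && mv ..." and "[ -f $(@D)/modules.conf.bk ] && echo ... && mv ..." exit non-zero when the file is absent, which make treats as a failed recipe line; write them as "if [ -f ... ]; then ...; fi". REFPOLICY_MODULES_FILE is computed from BR2_PACKAGE_REFPOLICY_MODULES_FILE but is not used anywhere else in this file, so nothing shown here copies the selected modules.conf into the build tree. /etc/selinux/config is installed with -m 0755 although it is only sourced, never executed; 0644 is sufficient.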
-- 
1.9.1


* [Buildroot] [PATCH 13/30] repolicy: base policy modifications for embedded target
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (11 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 12/30] refpolicy: " Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 14/30] refpolicy: custom git repo Matt Weber
                   ` (17 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/refpolicy/0002-baseDirectoryChanges.patch  |  39 ++++++++
 package/refpolicy/0003-filesChanges.patch          |  69 ++++++++++++++
 package/refpolicy/0004-initChanges.patch           |  20 ++++
 package/refpolicy/0005-selinuxutilChanges.patch    | 103 +++++++++++++++++++++
 package/refpolicy/0006-sshChanges.patch            |  22 +++++
 package/refpolicy/0007-loggingChanges.patch        |  87 +++++++++++++++++
 package/refpolicy/0008-mountChanges.patch          |  11 +++
 package/refpolicy/0009-sysadmChanges.patch         |  24 +++++
 package/refpolicy/0010-authloginChanges.patch      |  14 +++
 package/refpolicy/0011-localloginChanges.patch     |  20 ++++
 package/refpolicy/0012-udevChanges.patch           |  21 +++++
 package/refpolicy/0013-netutilsChanges.patch       |  20 ++++
 package/refpolicy/0014-devicesChanges.patch        |  55 +++++++++++
 .../{0002-awk-fix.patch => 0015-awk-fix.patch}     |   0
 .../refpolicy/0016-enablePolyinstantiation.patch   |  11 +++
 15 files changed, 516 insertions(+)
 create mode 100644 package/refpolicy/0002-baseDirectoryChanges.patch
 create mode 100644 package/refpolicy/0003-filesChanges.patch
 create mode 100644 package/refpolicy/0004-initChanges.patch
 create mode 100644 package/refpolicy/0005-selinuxutilChanges.patch
 create mode 100644 package/refpolicy/0006-sshChanges.patch
 create mode 100644 package/refpolicy/0007-loggingChanges.patch
 create mode 100644 package/refpolicy/0008-mountChanges.patch
 create mode 100644 package/refpolicy/0009-sysadmChanges.patch
 create mode 100644 package/refpolicy/0010-authloginChanges.patch
 create mode 100644 package/refpolicy/0011-localloginChanges.patch
 create mode 100644 package/refpolicy/0012-udevChanges.patch
 create mode 100644 package/refpolicy/0013-netutilsChanges.patch
 create mode 100644 package/refpolicy/0014-devicesChanges.patch
 rename package/refpolicy/{0002-awk-fix.patch => 0015-awk-fix.patch} (100%)
 create mode 100644 package/refpolicy/0016-enablePolyinstantiation.patch

diff --git a/package/refpolicy/0002-baseDirectoryChanges.patch b/package/refpolicy/0002-baseDirectoryChanges.patch
new file mode 100644
index 0000000..ede657a
--- /dev/null
+++ b/package/refpolicy/0002-baseDirectoryChanges.patch
@@ -0,0 +1,39 @@
+################################################################################
+# Copyright 2012, Rockwell Collins.  All rights reserved.
+#
+# Information contained herein is privileged or confidential information
+# of Rockwell Collins within the meaning of 5 USC 552, and as such
+# is exempt from the public disclosure provisions thereof.
+#
+# Security classification: UNCLASSIFIED
+#
+################################################################################
+#
+# Making changes for base folders in our build.  
+#
+# /data - usr_t
+# /apps - usr_t
+# /lib64 - lib_t
+#
+diff -urN output/build/refpolicy-2.20120725/policy/modules/kernel/files.fc output/build/refpolicy-2.20120725-changes/policy/modules/kernel/files.fc
+diff -urN output/build/refpolicy-2.20120725/policy/modules/system/libraries.fc output/build/refpolicy-2.20120725-changes/policy/modules/system/libraries.fc
+--- a/policy/modules/system/libraries.fc	2012-05-10 09:26:34.000000000 -0500
++++ b/policy/modules/system/libraries.fc	2012-09-06 12:52:25.000000000 -0500
+@@ -36,6 +36,7 @@
+ # /lib(64)?
+ #
+ /lib					-d	gen_context(system_u:object_r:lib_t,s0)
++/lib64					-l	gen_context(system_u:object_r:lib_t,s0)
+ /lib/.*						gen_context(system_u:object_r:lib_t,s0)
+ /lib/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
+ 
+--- a/policy/modules/system/sysnetwork.fc	2012-09-11 08:28:21.954620259 -0500
++++ b/policy/modules/system/sysnetwork.fc	2012-09-11 08:28:32.133742548 -0500
+@@ -24,6 +24,7 @@
+ /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
++/tmp/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)
+ /etc/yp\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+ 
+ /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
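
Review bot: the header comment in 0002-baseDirectoryChanges.patch does not
match what the patch changes. It lists /data, /apps and /lib64, but the only
changes are the /lib64 entry in libraries.fc and an undocumented
/tmp/resolv\.conf entry in sysnetwork.fc; /data is added in 0003 and /apps is
not added by any refpolicy patch in this message. The first "diff -urN ...
files.fc" line carries no hunk, and both diff -urN lines expose output/build
paths, so they should be dropped. A file context entry for /tmp/resolv\.conf
only takes effect when that path is relabeled by setfiles or restorecon; a
file created there at run time does not get net_conf_t from this line, so the
header should say what is expected to label it. The "privileged or
confidential ... exempt from the public disclosure provisions" banner also
needs to be removed or replaced before this can be carried in a public tree.
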
diff --git a/package/refpolicy/0003-filesChanges.patch b/package/refpolicy/0003-filesChanges.patch
new file mode 100644
index 0000000..2fcd66c
--- /dev/null
+++ b/package/refpolicy/0003-filesChanges.patch
@@ -0,0 +1,69 @@
+################################################################################
+# Copyright 2012, Rockwell Collins.  All rights reserved.
+#
+# Information contained herein is privileged or confidential information
+# of Rockwell Collins within the meaning of 5 USC 552, and as such
+# is exempt from the public disclosure provisions thereof.
+#
+# Security classification: UNCLASSIFIED
+#
+################################################################################
+--- a/policy/modules/kernel/files.fc	2012-06-26 08:46:32.000000000 -0500
++++ b/policy/modules/kernel/files.fc	2012-10-17 15:28:41.000000000 -0500
+@@ -36,6 +36,11 @@
+ /boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
+ 
+ #
++# /data
++#
++/data			-d	gen_context(system_u:object_r:usr_t,s0)
++
++#
+ # /emul
+ #
+ /emul			-d	gen_context(system_u:object_r:usr_t,s0)
+@@ -48,6 +53,7 @@
+ /etc/.*				gen_context(system_u:object_r:etc_t,s0)
+ /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/blkid.tab(.*)?	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/cmtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -164,7 +170,7 @@
+ #
+ # /run
+ #
+-/run			-d	gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
++/run			-l	gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+ /run/.*				gen_context(system_u:object_r:var_run_t,s0)
+ /run/.*\.*pid			<<none>>
+ /run/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
+--- a/policy/modules/kernel/files.if	2012-07-24 07:48:06.000000000 -0500
++++ b/policy/modules/kernel/files.if	2012-10-17 15:14:13.000000000 -0500
+@@ -6264,6 +6264,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Read the contents of generic spool
++##	symlinks (/var/spool).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_spool_lnk',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	read_lnk_files_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to search generic
+ ##	spool directories.
+ ## </summary>
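
Review bot: in the files.fc hunk at -164, the "/run -d" entry is replaced by
"/run -l" instead of being kept alongside it, so a target where /run is a
real directory no longer has a context for it. Add the -l line next to the
existing -d line, or explain in the header why /run is always a symlink on
the supported targets. In the hunk at -48, "/etc/blkid.tab(.*)?" leaves the
dot unescaped while the neighbouring entries write "\."; "(.*)?" is also
just ".*", so "/etc/blkid\.tab.*" says the same thing more clearly. This
file has no description of why the new files_read_spool_lnk interface is
needed; one line in the header would help, since 0005 and 0007 depend on it.
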
diff --git a/package/refpolicy/0004-initChanges.patch b/package/refpolicy/0004-initChanges.patch
new file mode 100644
index 0000000..33c06f8
--- /dev/null
+++ b/package/refpolicy/0004-initChanges.patch
@@ -0,0 +1,20 @@
+--- a/policy/modules/system/init.te	2012-07-25 13:33:04.000000000 -0500
++++ b/policy/modules/system/init.te	2012-09-07 09:41:21.000000000 -0500
+@@ -96,6 +96,7 @@
+ 
+ # Use capabilities. old rule:
+ allow init_t self:capability ~sys_module;
++allow init_t self:capability2 syslog;
+ # is ~sys_module really needed? observed:
+ # sys_boot
+ # sys_tty_config
+--- a/policy/modules/system/init.fc	2012-05-10 09:18:41.000000000 -0500
++++ b/policy/modules/system/init.fc	2012-09-07 15:15:31.000000000 -0500
+@@ -58,6 +58,7 @@
+ # /var
+ #
+ /var/run/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
++/tmp/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
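
Review bot: 0004-initChanges.patch has no header at all, so there is nothing
that explains why init_t needs "capability2 syslog" or why utmp is expected
at /tmp/utmp. Please add a short description (which init implementation
triggered the denial, and how /var/run maps to /tmp on the target). The
/tmp/utmp entry is added next to /var/run/utmp, which is fine, but as a file
context entry it only applies on relabel; if utmp is created at run time the
label has to come from a type transition, and the patch should say which one
covers it.
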
diff --git a/package/refpolicy/0005-selinuxutilChanges.patch b/package/refpolicy/0005-selinuxutilChanges.patch
new file mode 100644
index 0000000..6a97d9c
--- /dev/null
+++ b/package/refpolicy/0005-selinuxutilChanges.patch
@@ -0,0 +1,103 @@
+################################################################################
+# Copyright 2012, Rockwell Collins.  All rights reserved.
+#
+# Information contained herein is privileged or confidential information
+# of Rockwell Collins within the meaning of 5 USC 552, and as such
+# is exempt from the public disclosure provisions thereof.
+#
+# Security classification: UNCLASSIFIED
+#
+################################################################################
+--- a/policy/modules/system/selinuxutil.fc	2012-05-10 09:27:24.000000000 -0500
++++ b/policy/modules/system/selinuxutil.fc	2012-10-17 13:42:40.961227129 -0500
+@@ -51,3 +51,4 @@
+ # /var/run
+ #
+ /var/run/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
++/tmp/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
+--- a/policy/modules/system/selinuxutil.te	2012-07-25 13:33:04.000000000 -0500
++++ b/policy/modules/system/selinuxutil.te	2012-10-17 15:14:28.000000000 -0500
+@@ -144,7 +144,7 @@
+ # directory search permissions for path to source and binary policy files
+ files_search_etc(checkpolicy_t)
+ 
+-fs_getattr_xattr_fs(checkpolicy_t)
++fs_getattr_all_fs(checkpolicy_t)
+ 
+ term_use_console(checkpolicy_t)
+ 
+@@ -176,7 +176,7 @@
+ files_read_etc_files(load_policy_t)
+ files_read_etc_runtime_files(load_policy_t)
+ 
+-fs_getattr_xattr_fs(load_policy_t)
++fs_getattr_all_fs(load_policy_t)
+ 
+ mls_file_read_all_levels(load_policy_t)
+ 
+@@ -244,6 +244,7 @@
+ corecmd_read_bin_symlinks(newrole_t)
+ 
+ dev_read_urand(newrole_t)
++dev_search_sysfs(newrole_t)
+ 
+ domain_use_interactive_fds(newrole_t)
+ # for when the user types "exec newrole" at the command line:
+@@ -253,7 +254,7 @@
+ files_read_var_files(newrole_t)
+ files_read_var_symlinks(newrole_t)
+ 
+-fs_getattr_xattr_fs(newrole_t)
++fs_getattr_all_fs(newrole_t)
+ fs_search_auto_mountpoints(newrole_t)
+ 
+ mls_file_read_all_levels(newrole_t)
+@@ -323,6 +324,7 @@
+ 
+ allow restorecond_t restorecond_var_run_t:file manage_file_perms;
+ files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
++files_tmp_filetrans(restorecond_t, restorecond_var_run_t, file)
+ 
+ kernel_use_fds(restorecond_t)
+ kernel_rw_pipes(restorecond_t)
+@@ -330,7 +332,7 @@
+ 
+ fs_relabelfrom_noxattr_fs(restorecond_t)
+ fs_dontaudit_list_nfs(restorecond_t)
+-fs_getattr_xattr_fs(restorecond_t)
++fs_getattr_all_fs(restorecond_t)
+ fs_list_inotifyfs(restorecond_t)
+ 
+ selinux_validate_context(restorecond_t)
+@@ -388,7 +390,7 @@
+ files_read_etc_files(run_init_t)
+ files_dontaudit_search_all_dirs(run_init_t)
+ 
+-fs_getattr_xattr_fs(run_init_t)
++fs_getattr_all_fs(run_init_t)
+ 
+ mls_rangetrans_source(run_init_t)
+ 
+@@ -543,6 +545,13 @@
+ kernel_dontaudit_list_all_sysctls(setfiles_t)
+ 
+ dev_relabel_all_dev_nodes(setfiles_t)
++dev_search_sysfs(setfiles_t)
++
++# Need to be able to write to /dev/console before it is relabeled
++dev_rw_generic_chr_files(setfiles_t)
++
++# Need for the /var/spool symlink configuration
++files_read_spool_lnk(setfiles_t);
+ 
+ domain_use_interactive_fds(setfiles_t)
+ domain_dontaudit_search_all_domains_state(setfiles_t)
+@@ -553,7 +562,7 @@
+ files_relabel_all_files(setfiles_t)
+ files_read_usr_symlinks(setfiles_t)
+ 
+-fs_getattr_xattr_fs(setfiles_t)
++fs_getattr_all_fs(setfiles_t)
+ fs_list_all(setfiles_t)
+ fs_search_auto_mountpoints(setfiles_t)
+ fs_relabelfrom_noxattr_fs(setfiles_t)
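
Review bot: fs_getattr_xattr_fs is replaced by fs_getattr_all_fs for six
domains (checkpolicy_t, load_policy_t, newrole_t, restorecond_t, run_init_t,
setfiles_t) with no explanation of which filesystem type caused the denial.
If the target only needs one more filesystem type, grant getattr on that
type instead of on all of them, or record the AVC that motivated the change
in the header. In the setfiles_t hunk, dev_rw_generic_chr_files(setfiles_t)
is wider than the /dev/console case its comment describes. The call
"files_read_spool_lnk(setfiles_t);" carries a trailing semicolon that no
other interface call in this file has, and it relies on the interface that
0003-filesChanges.patch introduces, which is worth stating in the header.
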
diff --git a/package/refpolicy/0006-sshChanges.patch b/package/refpolicy/0006-sshChanges.patch
new file mode 100644
index 0000000..a942812
--- /dev/null
+++ b/package/refpolicy/0006-sshChanges.patch
@@ -0,0 +1,22 @@
+--- a/policy/modules/services/ssh.te	2012-03-30 07:48:20.000000000 -0500
++++ b/policy/modules/services/ssh.te	2012-09-07 15:37:30.000000000 -0500
+@@ -10,7 +10,7 @@
+ ## allow host key based authentication
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_ssh_keysign, false)
++gen_tunable(allow_ssh_keysign, true)
+ 
+ ## <desc>
+ ## <p>
+@@ -233,6 +233,10 @@
+ manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
+ files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+ 
++logging_send_syslog_msg(sshd_t)
++
++init_manage_utmp(sshd_t)
++
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
+ 
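
Review bot: the first hunk flips the default of the allow_ssh_keysign tunable
from false to true in ssh.te, which turns on host key based authentication
for every image built from this package, and the patch gives no reason.
Prefer leaving the policy default at false and enabling the boolean in the
target configuration that needs it, or add a header explaining why the
embedded target requires it. The added logging_send_syslog_msg(sshd_t) and
init_manage_utmp(sshd_t) calls would also benefit from a one-line comment
each, as the other patches in this series do for their additions.
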
diff --git a/package/refpolicy/0007-loggingChanges.patch b/package/refpolicy/0007-loggingChanges.patch
new file mode 100644
index 0000000..8cc2373
--- /dev/null
+++ b/package/refpolicy/0007-loggingChanges.patch
@@ -0,0 +1,87 @@
+################################################################################
+# Copyright 2012, Rockwell Collins.  All rights reserved.
+#
+# Information contained herein is privileged or confidential information
+# of Rockwell Collins within the meaning of 5 USC 552, and as such
+# is exempt from the public disclosure provisions thereof.
+#
+# Security classification: UNCLASSIFIED
+#
+################################################################################
+--- a/policy/modules/system/logging.fc	2012-05-04 08:14:47.000000000 -0500
++++ b/policy/modules/system/logging.fc	2012-10-16 08:44:24.000000000 -0500
+@@ -56,21 +56,21 @@
+ /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
+ ')
+ 
+-/var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+-/var/run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
+-/var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+-/var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+-/var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
+-/var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
+-/var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+-/var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+-/var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+-/var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
++/tmp/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
++/tmp/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
++/tmp/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
++/tmp/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
++/tmp/klogd\.pid	--	gen_context(system_u:object_r:klogd_tmp_t,s0)
++/tmp/log		-s	gen_context(system_u:object_r:devlog_t,s0)
++/tmp/metalog\.pid	--	gen_context(system_u:object_r:syslogd_tmp_t,s0)
++/tmp/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_tmp_t,mls_systemhigh)
++/tmp/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_tmp_t,s0)
++/tmp/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_tmp_t,s0)
+ 
+-/var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
+-/var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
+-/var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
+-/var/spool/plymouth/boot\.log	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+-/var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
++/tmp/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
++/tmp/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
++/tmp/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
++/tmp/plymouth/boot\.log	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
++/tmp/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
+ 
+ /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+--- a/policy/modules/system/logging.te	2012-07-25 13:33:04.000000000 -0500
++++ b/policy/modules/system/logging.te	2012-09-18 08:25:54.000000000 -0500
+@@ -50,7 +50,7 @@
+ 
+ type klogd_t;
+ type klogd_exec_t;
+-init_daemon_domain(klogd_t, klogd_exec_t)
++init_domain(klogd_t, klogd_exec_t)
+ 
+ type klogd_tmp_t;
+ files_tmp_file(klogd_tmp_t)
+@@ -63,7 +63,7 @@
+ 
+ type syslogd_t;
+ type syslogd_exec_t;
+-init_daemon_domain(syslogd_t, syslogd_exec_t)
++init_domain(syslogd_t, syslogd_exec_t)
+ 
+ type syslogd_initrc_exec_t;
+ init_script_file(syslogd_initrc_exec_t)
+@@ -97,6 +97,9 @@
+ read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+ allow auditctl_t auditd_etc_t:dir list_dir_perms;
+ 
++# Need for the /var/spool symlink configuration
++files_read_spool_lnk(auditctl_t);
++
+ # Needed for adding watches
+ files_getattr_all_dirs(auditctl_t)
+ files_getattr_all_files(auditctl_t)
+@@ -143,6 +146,7 @@
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
++files_tmp_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
+ 
+ kernel_read_kernel_sysctls(auditd_t)
+ # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
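
Review bot: in logging.fc the /var/run and /var/spool entries are replaced by
/tmp entries rather than supplemented, so the original paths lose their
contexts, and several types change at the same time without comment
(klogd_var_run_t becomes klogd_tmp_t, syslogd_var_run_t becomes
syslogd_tmp_t, while the auditd entries keep their var_run types). Patterns
such as "/tmp/log", "/tmp/audit(/.*)?" and "/tmp/rsyslog(/.*)?" are also very
generic names for a shared directory. If the target simply symlinks /var/run
and /var/spool into /tmp, a path equivalence in file_contexts.subs would
express that without rewriting each entry; otherwise keep the old lines and
add the new ones. In logging.te, the switch from init_daemon_domain to
init_domain for klogd_t and syslogd_t needs a justification in the header,
and "files_read_spool_lnk(auditctl_t);" has a stray trailing semicolon.
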
diff --git a/package/refpolicy/0008-mountChanges.patch b/package/refpolicy/0008-mountChanges.patch
new file mode 100644
index 0000000..35a5398
--- /dev/null
+++ b/package/refpolicy/0008-mountChanges.patch
@@ -0,0 +1,11 @@
+--- a/policy/modules/system/mount.te	2012-07-25 13:33:04.000000000 -0500
++++ b/policy/modules/system/mount.te	2012-09-17 09:14:29.000000000 -0500
+@@ -92,7 +92,7 @@
+ files_dontaudit_write_all_mountpoints(mount_t)
+ files_dontaudit_setattr_all_mountpoints(mount_t)
+ 
+-fs_getattr_xattr_fs(mount_t)
++fs_getattr_all_fs(mount_t)
+ fs_getattr_cifs(mount_t)
+ fs_mount_all_fs(mount_t)
+ fs_unmount_all_fs(mount_t)
diff --git a/package/refpolicy/0009-sysadmChanges.patch b/package/refpolicy/0009-sysadmChanges.patch
new file mode 100644
index 0000000..bbb5b52
--- /dev/null
+++ b/package/refpolicy/0009-sysadmChanges.patch
@@ -0,0 +1,24 @@
+--- a/policy/modules/roles/sysadm.te	2012-07-25 13:33:05.000000000 -0500
++++ b/policy/modules/roles/sysadm.te	2012-09-18 15:27:15.000000000 -0500
+@@ -39,6 +39,10 @@
+ userdom_manage_user_home_dirs(sysadm_t)
+ userdom_home_filetrans_user_home_dir(sysadm_t)
+ 
++# Add blk and chr files for dataloading
++files_manage_isid_type_blk_files(sysadm_t)
++files_manage_isid_type_chr_files(sysadm_t)
++
+ ifdef(`direct_sysadm_daemon',`
+ 	optional_policy(`
+ 		init_run_daemon(sysadm_t, sysadm_r)
+@@ -270,6 +274,10 @@
+ ')
+ 
+ optional_policy(`
++	ppp_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ 	pyzor_role(sysadm_r, sysadm_t)
+ ')
+ 
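
Review bot: the comment "Add blk and chr files for dataloading" in the first
hunk does not say what dataloading is or why sysadm_t needs manage access to
block and character files of the initial SID type. Please describe the use
case and, if it is specific to one product, consider keeping these two calls
out of the generic Buildroot policy. The ppp_run(sysadm_t, sysadm_r) block in
the second hunk is added with no comment or description at all.
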
diff --git a/package/refpolicy/0010-authloginChanges.patch b/package/refpolicy/0010-authloginChanges.patch
new file mode 100644
index 0000000..aa8334e
--- /dev/null
+++ b/package/refpolicy/0010-authloginChanges.patch
@@ -0,0 +1,14 @@
+--- a/policy/modules/system/authlogin.te	2012-07-25 13:33:04.000000000 -0500
++++ b/policy/modules/system/authlogin.te	2012-09-18 07:11:17.000000000 -0500
+@@ -109,8 +109,10 @@
+ files_read_etc_files(chkpwd_t)
+ # for nscd
+ files_dontaudit_search_var(chkpwd_t)
++files_dontaudit_search_tmp(chkpwd_t)
++dev_dontaudit_search_sysfs(chkpwd_t)
+ 
+-fs_dontaudit_getattr_xattr_fs(chkpwd_t)
++fs_dontaudit_getattr_all_fs(chkpwd_t)
+ 
+ term_dontaudit_use_console(chkpwd_t)
+ term_dontaudit_use_unallocated_ttys(chkpwd_t)
diff --git a/package/refpolicy/0011-localloginChanges.patch b/package/refpolicy/0011-localloginChanges.patch
new file mode 100644
index 0000000..ffdfd1b
--- /dev/null
+++ b/package/refpolicy/0011-localloginChanges.patch
@@ -0,0 +1,20 @@
+################################################################################
+# Copyright 2012, Rockwell Collins.  All rights reserved.
+#
+# Information contained herein is privileged or confidential information
+# of Rockwell Collins within the meaning of 5 USC 552, and as such
+# is exempt from the public disclosure provisions thereof.
+#
+# Security classification: UNCLASSIFIED
+#
+################################################################################
+--- a/policy/modules/system/locallogin.te	2012-05-04 08:14:47.000000000 -0500
++++ b/policy/modules/system/locallogin.te	2012-10-18 08:38:32.000000000 -0500
+@@ -86,6 +86,7 @@
+ dev_dontaudit_setattr_misc_dev(local_login_t)
+ dev_dontaudit_getattr_scanner_dev(local_login_t)
+ dev_dontaudit_setattr_scanner_dev(local_login_t)
++dev_dontaudit_getattr_sysfs_fs(local_login_t)
+ dev_dontaudit_search_sysfs(local_login_t)
+ dev_dontaudit_getattr_video_dev(local_login_t)
+ dev_dontaudit_setattr_video_dev(local_login_t)
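
Review bot: dev_dontaudit_getattr_sysfs_fs(local_login_t) is used here in
0011, but the interface is only defined in 0014-devicesChanges.patch. The
numbering suggests an order, so either move the devices.if change ahead of
its first user or fold the two patches together, and mention the dependency
in the header. The header block carries only the copyright banner; a line
describing the denial this suppresses would make the dontaudit reviewable.
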
diff --git a/package/refpolicy/0012-udevChanges.patch b/package/refpolicy/0012-udevChanges.patch
new file mode 100644
index 0000000..369f99d
--- /dev/null
+++ b/package/refpolicy/0012-udevChanges.patch
@@ -0,0 +1,21 @@
+################################################################################
+# Copyright 2012, Rockwell Collins.  All rights reserved.
+#
+# Information contained herein is privileged or confidential information
+# of Rockwell Collins within the meaning of 5 USC 552, and as such
+# is exempt from the public disclosure provisions thereof.
+#
+# Security classification: UNCLASSIFIED
+#
+################################################################################
+--- a/policy/modules/system/udev.fc	2012-05-04 08:14:47.000000000 -0500
++++ b/policy/modules/system/udev.fc	2012-10-17 15:02:24.000000000 -0500
+@@ -29,7 +29,7 @@
+ /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+ /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+-/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
++/tmp/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
+ 
+ ifdef(`distro_debian',`
+ /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
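
Review bot: the udev.fc line changes two things at once: the path moves from
/var/run/udev to /tmp/udev and the type changes from udev_tbl_t to
udev_var_run_t. The /var/run/udev entry is removed rather than kept, so that
path no longer has a context. Please split or explain the type change in the
header, and keep the original entry unless the target can never have a real
/var/run/udev.
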
diff --git a/package/refpolicy/0013-netutilsChanges.patch b/package/refpolicy/0013-netutilsChanges.patch
new file mode 100644
index 0000000..e991062
--- /dev/null
+++ b/package/refpolicy/0013-netutilsChanges.patch
@@ -0,0 +1,20 @@
+################################################################################
+# Copyright 2012, Rockwell Collins.  All rights reserved.
+#
+# Information contained herein is privileged or confidential information
+# of Rockwell Collins within the meaning of 5 USC 552, and as such
+# is exempt from the public disclosure provisions thereof.
+#
+# Security classification: UNCLASSIFIED
+#
+################################################################################
+--- a/policy/modules/admin/netutils.te	2012-05-04 08:14:47.000000000 -0500
++++ b/policy/modules/admin/netutils.te	2012-10-18 07:25:25.000000000 -0500
+@@ -105,6 +105,7 @@
+ 
+ allow ping_t self:capability { setuid net_raw };
+ dontaudit ping_t self:capability sys_tty_config;
++allow ping_t self:process { getcap setcap };
+ allow ping_t self:tcp_socket create_socket_perms;
+ allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+ allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
diff --git a/package/refpolicy/0014-devicesChanges.patch b/package/refpolicy/0014-devicesChanges.patch
new file mode 100644
index 0000000..1cef7d0
--- /dev/null
+++ b/package/refpolicy/0014-devicesChanges.patch
@@ -0,0 +1,55 @@
+################################################################################
+# Copyright 2012, Rockwell Collins.  All rights reserved.
+#
+# Information contained herein is privileged or confidential information
+# of Rockwell Collins within the meaning of 5 USC 552, and as such
+# is exempt from the public disclosure provisions thereof.
+#
+# Security classification: UNCLASSIFIED
+#
+################################################################################
+--- a/policy/modules/kernel/devices.if	2012-05-10 08:25:34.000000000 -0500
++++ b/policy/modules/kernel/devices.if	2012-10-18 08:40:43.000000000 -0500
+@@ -3836,6 +3836,42 @@
+ 
+ ########################################
+ ## <summary>
++##	Get attributes of sysfs filesystems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_getattr_sysfs_fs',`
++	gen_require(`
++		type sysfs_t;
++	')
++
++	allow $1 sysfs_t:filesystem getattr;
++')
++
++########################################
++## <summary>
++##	Don't audit get attributes of sysfs filesystems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_dontaudit_getattr_sysfs_fs',`
++	gen_require(`
++		type sysfs_t;
++	')
++
++	dontaudit $1 sysfs_t:filesystem getattr;
++')
++
++########################################
++## <summary>
+ ##	Search the sysfs directories.
+ ## </summary>
+ ## <param name="domain">
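
Review bot: the parameter summary of dev_dontaudit_getattr_sysfs_fs says
"Domain allowed access.", copied from the allow variant above it; for a
dontaudit interface it should read "Domain to not audit.". Also,
dev_getattr_sysfs_fs is added here but no patch in this message calls it
(0011 only uses the dontaudit variant), so either drop it or note which
module is expected to use it.
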
diff --git a/package/refpolicy/0002-awk-fix.patch b/package/refpolicy/0015-awk-fix.patch
similarity index 100%
rename from package/refpolicy/0002-awk-fix.patch
rename to package/refpolicy/0015-awk-fix.patch
diff --git a/package/refpolicy/0016-enablePolyinstantiation.patch b/package/refpolicy/0016-enablePolyinstantiation.patch
new file mode 100644
index 0000000..d91b4b1
--- /dev/null
+++ b/package/refpolicy/0016-enablePolyinstantiation.patch
@@ -0,0 +1,11 @@
+--- a/policy/global_tunables	2012-03-30 07:48:20.000000000 -0500
++++ b/policy/global_tunables	2012-09-13 09:31:38.000000000 -0500
+@@ -37,7 +37,7 @@
+ ## Enable polyinstantiated directory support.
+ ## </p>
+ ## </desc>
+-gen_tunable(allow_polyinstantiation,false)
++gen_tunable(allow_polyinstantiation,true)
+ 
+ ## <desc>
+ ## <p>
-- 
1.9.1


* [Buildroot] [PATCH 14/30] refpolicy: custom git repo
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (12 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 13/30] repolicy: base policy modifications for embedded target Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 15/30] shadow: new package Matt Weber
                   ` (16 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/refpolicy-contrib/Config.in            | 20 +++++++++++++++++
 package/refpolicy-contrib/refpolicy-contrib.mk | 19 ++++++++++++++++
 package/refpolicy/Config.in                    | 22 +++++++++++++++++++
 package/refpolicy/refpolicy.mk                 | 30 ++++++++++++++++++++++----
 4 files changed, 87 insertions(+), 4 deletions(-)
 create mode 100644 package/refpolicy-contrib/Config.in
 create mode 100644 package/refpolicy-contrib/refpolicy-contrib.mk

diff --git a/package/refpolicy-contrib/Config.in b/package/refpolicy-contrib/Config.in
new file mode 100644
index 0000000..1fc0c31
--- /dev/null
+++ b/package/refpolicy-contrib/Config.in
@@ -0,0 +1,20 @@
+if BR2_REFPOLICY_CUSTOM_GIT
+
+comment "A refpolicy contrib repository is required if using a refpolicy repo. (Contrib is a GIT submodule of refpolicy)"
+
+config BR2_PACKAGE_REFPOLICY_CONTRIB
+	bool "refpolicy-contrib"
+	help
+	  A GIT submodule of the refpolicy package.
+
+
+config BR2_REFPOLICY_CONTRIB_CUSTOM_REPO_URL
+	string "URL of custom contrib submodule repository"
+
+config BR2_REFPOLICY_CONTRIB_CUSTOM_REPO_VERSION
+	string "Custom contrib submodule repository version"
+	help
+	  Revision to use in the typical format used by Git
+	  e.g. a SHA id, a tag, branch, ..
+
+endif
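
Review bot: the guard "if BR2_REFPOLICY_CUSTOM_GIT" does not match the symbol
that package/refpolicy/Config.in defines, BR2_PACKAGE_REFPOLICY_CUSTOM_GIT,
so this block is never enabled and the "select
BR2_PACKAGE_REFPOLICY_CONTRIB" in the refpolicy Config.in points at a symbol
inside a dead block. The two string options should also follow the package
naming scheme (BR2_PACKAGE_REFPOLICY_CONTRIB_...). Nothing in this patch
sources package/refpolicy-contrib/Config.in, so the options would not be
reachable from menuconfig even with the guard fixed. The blank line pair
after the help text can be reduced to one.
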
diff --git a/package/refpolicy-contrib/refpolicy-contrib.mk b/package/refpolicy-contrib/refpolicy-contrib.mk
new file mode 100644
index 0000000..e13a3ff
--- /dev/null
+++ b/package/refpolicy-contrib/refpolicy-contrib.mk
@@ -0,0 +1,19 @@
+################################################################################
+#
+# refpolicy-contrib
+#
+################################################################################
+
+ifeq ($(BR2_REFPOLICY_CUSTOM_GIT),y)
+REFPOLICY_CONTRIB_SITE = $(call qstrip,$(BR2_REFPOLICY_CONTRIB_CUSTOM_REPO_URL))
+REFPOLICY_CONTRIB_VERSION = $(call qstrip,$(BR2_REFPOLICY_CONTRIB_CUSTOM_REPO_VERSION))
+REFPOLICY_CONTRIB_SITE_METHOD = git
+
+# Inherits license from refpolicy as normally this is a submodule
+REFPOLICY_CONTRIB_LICENSE = GPLv2
+REFPOLICY_CONTRIB_LICENSE_FILES = COPYING
+endif
+
+# If refpolicy is from release archive, this contrib content is part of it.
+
+$(eval $(generic-package))
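
Review bot: "ifeq ($(BR2_REFPOLICY_CUSTOM_GIT),y)" tests a symbol that is not
defined anywhere in this patch (refpolicy.mk tests
BR2_PACKAGE_REFPOLICY_CUSTOM_GIT), so REFPOLICY_CONTRIB_SITE and
REFPOLICY_CONTRIB_VERSION are never set. The variable names read from
Config.in need to be renamed together with the Config.in fix.
$(eval $(generic-package)) is evaluated unconditionally, which registers a
package with no version or site when the release archive is used; the
trailing comment about the release archive would be better placed above the
ifeq, next to the condition it explains.
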
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index 5f4046e..79b958e 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -62,6 +62,8 @@ config BR2_PACKAGE_REFPOLICY_MODULES_FILE
 	  SELinux policy modules to be included in the compiled
 	  policy. See policy/modules.conf in the refpolicy sources for
 	  the complete list of available modules.
+	  NOTE: This file is only used if a Custom GIT repo is
+	  not specified.
 
 config BR2_PACKAGE_REFPOLICY_MODULAR
 	bool "Build a modular SELinux policy"
@@ -71,4 +73,24 @@ config BR2_PACKAGE_REFPOLICY_MODULAR
 	  target. A modular policy can also be built if policies
 	  need to be modified without reloading the target.
 
+config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+	bool "Custom Git repository"
+	select BR2_PACKAGE_REFPOLICY_CONTRIB
+	help
+	 This option allows Buildroot to get the refpolicy source
+	 code from a Git repository.
+
+if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
+	string "URL of custom repository"
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
+	string "Custom repository version"
+	help
+	  Revision to use in the typical format used by Git
+	  e.g. a SHA id, a tag, branch, ..
+
+endif
+
 endif
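
Review bot: the help text of BR2_PACKAGE_REFPOLICY_CUSTOM_GIT is indented
with a tab and one space, while the rest of the file (and the help of
BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION just below) uses a tab and two
spaces. The help should also state that the contrib repository options must
be filled in as well, since this option selects refpolicy-contrib, and the
"e.g. a SHA id, a tag, branch, .." line can end with a normal ellipsis or a
full stop.
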
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 81e104c..382f141 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -4,16 +4,23 @@
 #
 ################################################################################
 
+ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
+REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
+REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
+REFPOLICY_SITE_METHOD = git
+REFPOLICY_DEPENDENCIES += refpolicy-contrib
+else
 REFPOLICY_VERSION = 2.20130424
 REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
 REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
+endif
 REFPOLICY_LICENSE = GPLv2
 REFPOLICY_LICENSE_FILES = COPYING
 
 # Cannot use multiple threads to build the reference policy
 REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
 
-REFPOLICY_DEPENDENCIES = host-m4 host-checkpolicy host-policycoreutils \
+REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
 	host-setools host-python-pyxml host-gawk policycoreutils
 
 REFPOLICY_INSTALL_STAGING = YES
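
Review bot: with BR2_PACKAGE_REFPOLICY_CUSTOM_GIT set, the source can be any
revision of any repository, but Buildroot still applies every *.patch in
package/refpolicy/, including the 0002 to 0016 files added in patch 13/30,
whose headers show they were generated against refpolicy-2.20120725. Those
are unlikely to apply to an arbitrary tree. Either move the patches into a
version-specific location so they are skipped for the Git case, or document
that a custom repository must already contain equivalent changes. The commit
message is empty; it should describe the new option and this interaction.
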
@@ -37,18 +44,33 @@ else
 	REFPOLICY_MONOLITHIC = y
 endif
 
+ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
+define REFPOLICY_GIT_SUBMODULE_SETUP
+	rsync -ar $(REFPOLICY_CONTRIB_DIR)/* $(@D)/policy/modules/contrib/
+endef
+else
+define REFPOLICY_CUSTOM_MODULES_CONF
+	cp -f $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf
+endef
+endif
+
 define REFPOLICY_CONFIGURE_CMDS
 	$(REFPOLICY_GIT_SUBMODULE_SETUP)
 	# If an external repo is used to build refpolicy, this preserves the
 	# custom modules.conf which defines the enabled components.
-	[ -f $(@D)/policy/modules.conf ] && mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk
+	if [ -f $(@D)/policy/modules.conf ]; then \
+		mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk ; \
+	fi
 	$(REFPOLICY_MAKE) -C $(@D) bare $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
 	$(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
 	$(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf
 	$(SED) "/NAME/c\NAME = $(REFPOLICY_POLICY_NAME)" $(@D)/build.conf
 	$(REFPOLICY_MAKE) -C $(@D) conf $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
-	[ -f $(@D)/modules.conf.bk ] &&  echo "[Preserved modules.conf]" && \
-		mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf
+	if [ -f $(@D)/modules.conf.bk ]; then \
+		echo "[Preserved modules.conf]" ; \
+		mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf ; \
+	fi
+	$(REFPOLICY_CUSTOM_MODULES_CONF)
 endef
 
 define REFPOLICY_INSTALL_STAGING_CMDS
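
Review bot: in REFPOLICY_GIT_SUBMODULE_SETUP, "rsync -ar
$(REFPOLICY_CONTRIB_DIR)/* ..." passes a shell glob, which skips dot files
and makes rsync fail when the directory is empty, and -r is already implied
by -a. "rsync -a $(REFPOLICY_CONTRIB_DIR)/ $(@D)/policy/modules/contrib/"
avoids both. The rewrite of the two "[ -f ... ] && mv" lines into if/fi
blocks fixes the recipe aborting when modules.conf is absent; that is a
separate bug fix and deserves its own mention in the commit message, or its
own patch.
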
-- 
1.9.1


* [Buildroot] [PATCH 15/30] shadow: new package
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (13 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 14/30] refpolicy: custom git repo Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 16/30] busybox: applets as individual binaries Matt Weber
                   ` (15 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/Config.in        |  3 +++
 package/shadow/Config.in | 13 +++++++++++++
 package/shadow/shadow.mk | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.mk

diff --git a/package/Config.in b/package/Config.in
index c02e665..a4fdb62 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1215,6 +1215,9 @@ comment "Utilities"
 	source "package/logsurfer/Config.in"
 	source "package/pinentry/Config.in"
 	source "package/screen/Config.in"
+if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
+	source "package/shadow/Config.in"
+endif
 	source "package/sudo/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 	source "package/time/Config.in"
diff --git a/package/shadow/Config.in b/package/shadow/Config.in
new file mode 100644
index 0000000..5692ac6
--- /dev/null
+++ b/package/shadow/Config.in
@@ -0,0 +1,13 @@
+config BR2_PACKAGE_SHADOW
+	bool "shadow"
+	help
+	  The shadow-utils package includes the necessary programs for
+	  converting UNIX password files to the shadow password format, plus
+	  programs for managing user and group accounts. The pwconv command
+	  converts passwords to the shadow password format. The pwunconv command
+	  unconverts shadow passwords and generates an npasswd file (a standard
+	  UNIX password file). The pwck command checks the integrity of password
+	  and shadow files. The lastlog command prints out the last login times
+	  for all users. The useradd, userdel, and usermod commands are used for
+	  managing user accounts. The groupadd, groupdel, and groupmod commands
+	  are used for managing group accounts.
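Review bot: BR2_PACKAGE_SHADOW selects nothing, while shadow.mk in this same patch puts acl, attr and busybox in SHADOW_DEPENDENCIES, so the build-time dependencies are not backed by any Kconfig selection. Add `select BR2_PACKAGE_ACL` and `select BR2_PACKAGE_ATTR` here (inheriting whatever `depends on` lines those packages carry) and make the busybox dependency conditional in the .mk. The help text also ends without an upstream URL line.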
diff --git a/package/shadow/shadow.mk b/package/shadow/shadow.mk
new file mode 100644
index 0000000..ced78b2
--- /dev/null
+++ b/package/shadow/shadow.mk
@@ -0,0 +1,50 @@
+################################################################################
+#
+# shadow
+#
+################################################################################
+
+SHADOW_VERSION = 4.1.5.1
+SHADOW_SOURCE = shadow-$(SHADOW_VERSION).tar.bz2
+SHADOW_SITE = http://pkg-shadow.alioth.debian.org/releases/
+SHADOW_LICENSE = BSD
+SHADOW_LICENSE_FILES = COPYING
+SHADOW_DEPENDENCIES = acl attr busybox
+
+SHADOW_INSTALL_STAGING = NO
+
+SHADOW_CONF_OPTS = --disable-nls
+
+# Shadow configuration to support audit
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+SHADOW_DEPENDENCIES += audit
+SHADOW_CONF_OPTS += --with-audit=yes
+endif
+
+# Shadow with linux-pam support
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+SHADOW_DEPENDENCIES += linux-pam
+SHADOW_CONF_OPTS += --with-libpam=yes
+
+# Comment out all config entries that conflict with using PAM
+define SHADOW_LOGIN_CONFIGURATION
+        for FUNCTION in FAIL_DELAY FAILLOG_ENAB LASTLOG_ENAB MAIL_CHECK_ENAB \
+                OBSCURE_CHECKS_ENAB PORTTIME_CHECKS_ENAB QUOTAS_ENAB CONSOLE MOTD_FILE \
+                FTMP_FILE NOLOGINS_FILE ENV_HZ PASS_MIN_LEN SU_WHEEL_ONLY CRACKLIB_DICTPATH \
+                PASS_CHANGE_TRIES PASS_ALWAYS_WARN CHFN_AUTH ENCRYPT_METHOD ENVIRON_FILE ; \
+        do \
+                sed -i "s/^$${FUNCTION}/# &/" $(TARGET_DIR)/etc/login.defs ; \
+        done
+endef
+
+SHADOW_POST_INSTALL_TARGET_HOOKS += SHADOW_LOGIN_CONFIGURATION
+
+endif
+
+# Shadow with selinux support
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+SHADOW_DEPENDENCIES += libselinux libsemanage
+SHADOW_CONF_OPTS += --with-selinux=yes
+endif
+
+$(eval $(autotools-package))
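Review bot: The sed expression in SHADOW_LOGIN_CONFIGURATION, `s/^$${FUNCTION}/# &/`, is not anchored after the key name, so each entry also comments out any longer login.defs key that merely begins with the same text (CONSOLE, for instance, matches every key starting with CONSOLE). Match the key followed by whitespace or end of line instead. Separately, the diffstat creates only Config.in and shadow.mk, so the tarball fetched over plain http from SHADOW_SITE has no hash file to check it against, and `SHADOW_DEPENDENCIES = acl attr busybox` makes busybox a hard dependency even when it is not enabled.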
-- 
1.9.1


* [Buildroot] [PATCH 16/30] busybox: applets as individual binaries
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

The individual binaries option of busybox allows for the applets
that would usually be symlinks to be built as individual applications
that link against a shared library.

This feature is needed for SELinux to allow the applications to run
under the correct SELinux context.

The patch being added allows the individual applications to be
installed and will be upstreamed to the busybox developers.

The initial work for this change was done by Thomas Petazzoni
<thomas.petazzoni@free-electrons.com>.

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/busybox/Config.in                          |   7 ++
 ...s-Add-installation-of-individual-binaries.patch | 103 +++++++++++++++++++++
 package/busybox/busybox.mk                         |  34 +++++++
 3 files changed, 144 insertions(+)
 create mode 100644 package/busybox/busybox-0007-applets-Add-installation-of-individual-binaries.patch

diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index f2f2990..2344c4e 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -26,6 +26,13 @@ config BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 	  Show packages in menuconfig that are potentially also provided
 	  by busybox.
 
+config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
+	bool "Individual binaries"
+	depends on !BR2_PREFER_STATIC_LIB
+
+comment "Busybox individual binaries depends on dynamic libraries"
+	depends on BR2_PREFER_STATIC_LIB
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
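Review bot: BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES has a prompt but no help text. State what the option changes (applets installed as separate executables linked against libbusybox instead of links to /bin/busybox) and why someone would enable it (so each applet can run under its own SELinux context), since that rationale currently lives only in the commit message.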
diff --git a/package/busybox/busybox-0007-applets-Add-installation-of-individual-binaries.patch b/package/busybox/busybox-0007-applets-Add-installation-of-individual-binaries.patch
new file mode 100644
index 0000000..e7b9178
--- /dev/null
+++ b/package/busybox/busybox-0007-applets-Add-installation-of-individual-binaries.patch
@@ -0,0 +1,103 @@
+From 3451b55054a6fe2073a21301938802a27dec835d Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clshotwe@rockwellcollins.com>
+Date: Mon, 16 Dec 2013 14:45:33 -0600
+Subject: [PATCH 5/5] applets: Add installation of individual binaries
+
+Adding support to install individual binaries if the option is
+enabled. This also installs the shared libbusybox.so.* library.
+
+Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
+---
+ Makefile.custom    |    4 ++++
+ applets/install.sh |   26 ++++++++++++++++++++++++--
+ 2 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.custom b/Makefile.custom
+index 6da79e6..e4dc4dc 100644
+--- a/Makefile.custom
++++ b/Makefile.custom
+@@ -23,6 +23,10 @@ ifeq ($(CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER),y)
+ INSTALL_OPTS:= --scriptwrapper
+ endif
+ endif
++ifeq ($(CONFIG_FEATURE_INDIVIDUAL),y)
++INSTALL_OPTS:= --binaries
++LIBBUSYBOX_SONAME:= 0_lib/libbusybox.so.$(BB_VER)
++endif
+ install: $(srctree)/applets/install.sh busybox busybox.links
+ 	$(Q)DO_INSTALL_LIBS="$(strip $(LIBBUSYBOX_SONAME) $(DO_INSTALL_LIBS))" \
+ 		$(SHELL) $< $(CONFIG_PREFIX) $(INSTALL_OPTS)
+diff --git a/applets/install.sh b/applets/install.sh
+index 95b4719..d01c98d 100755
+--- a/applets/install.sh
++++ b/applets/install.sh
+@@ -5,19 +5,26 @@ export LC_CTYPE=POSIX
+ 
+ prefix=$1
+ if [ -z "$prefix" ]; then
+-	echo "usage: applets/install.sh DESTINATION [--symlinks/--hardlinks/--scriptwrapper]"
++	echo "usage: applets/install.sh DESTINATION [--symlinks/--hardlinks/--binaries/--scriptwrapper]"
+ 	exit 1
+ fi
+ 
++# Source the configuration
++. ./.config
++
+ h=`sort busybox.links | uniq`
+ 
++sharedlib_dir="0_lib"
++
+ linkopts=""
+ scriptwrapper="n"
++binaries="n"
+ cleanup="0"
+ noclobber="0"
+ case "$2" in
+ 	--hardlinks)     linkopts="-f";;
+ 	--symlinks)      linkopts="-fs";;
++	--binaries)      binaries="y";;
+ 	--scriptwrapper) scriptwrapper="y";swrapall="y";;
+ 	--sw-sh-hard)    scriptwrapper="y";linkopts="-f";;
+ 	--sw-sh-sym)     scriptwrapper="y";linkopts="-fs";;
+@@ -40,8 +47,9 @@ if [ -n "$DO_INSTALL_LIBS" ] && [ "$DO_INSTALL_LIBS" != "n" ]; then
+ 	for i in $DO_INSTALL_LIBS; do
+ 		rm -f "$prefix/$libdir/$i" || exit 1
+ 		if [ -f "$i" ]; then
++			echo "   Installing $i to the target@$prefix/$libdir/"
+ 			cp -pPR "$i" "$prefix/$libdir/" || exit 1
+-			chmod 0644 "$prefix/$libdir/$i" || exit 1
++			chmod 0644 "$prefix/$libdir/`basename $i`" || exit 1
+ 		fi
+ 	done
+ fi
+@@ -68,6 +76,7 @@ install -m 755 busybox "$prefix/bin/busybox" || exit 1
+ 
+ for i in $h; do
+ 	appdir=`dirname "$i"`
++	app=`basename "$i"`
+ 	mkdir -p "$prefix/$appdir" || exit 1
+ 	if [ "$scriptwrapper" = "y" ]; then
+ 		if [ "$swrapall" != "y" ] && [ "$i" = "/bin/sh" ]; then
+@@ -78,6 +87,19 @@ for i in $h; do
+ 			chmod +x "$prefix/$i"
+ 		fi
+ 		echo "	$prefix/$i"
++	elif [ "$binaries" = "y" ]; then
++		# Copy the binary over rather
++		if [ -e $sharedlib_dir/$app ]; then
++			if [ "$noclobber" = "0" ] || [ ! -e "$prefix/$i" ]; then
++				echo "   Copying $sharedlib_dir/$app to $prefix/$i"
++				cp -a $sharedlib_dir/$app $prefix/$i || exit 1
++			else
++				echo "  $prefix/$i already exists"
++			fi
++		else
++			echo "Error: Could not find $sharedlib_dir/$app"
++			exit 1
++		fi
+ 	else
+ 		if [ "$2" = "--hardlinks" ]; then
+ 			bb_path="$prefix/bin/busybox"
+-- 
+1.7.1
+
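Review bot: In the new `--binaries` branch of applets/install.sh the expansions are unquoted (`[ -e $sharedlib_dir/$app ]`, `cp -a $sharedlib_dir/$app $prefix/$i`), unlike the surrounding loop, which quotes "$prefix/$i"; a prefix containing whitespace or glob characters makes cp write somewhere other than intended, so quote them. The added `. ./.config` executes the whole busybox configuration in the installer's shell, yet none of the added lines reads a CONFIG_ variable, so it can be dropped. The comment "Copy the binary over rather" is also cut off mid-sentence.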
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 9fb389d..e689d2d 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -49,10 +49,31 @@ BUSYBOX_KCONFIG_FILE = $(BUSYBOX_CONFIG_FILE)
 BUSYBOX_KCONFIG_EDITORS = menuconfig xconfig gconfig
 BUSYBOX_KCONFIG_OPTS = $(BUSYBOX_MAKE_OPTS)
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_PERMISSIONS
+# Applets with BB_SUID_REQUIRE
+/usr/bin/crontab		 f 4755	0 0 - - - - -
+/bin/login			 f 4755	0 0 - - - - -
+/usr/bin/passwd		 f 4755	0 0 - - - - -
+/bin/su			 f 4755	0 0 - - - - -
+/usr/bin/vlock			 f 4755	0 0 - - - - -
+/usr/bin/wall			 f 4755	0 0 - - - - -
+# Applets with BB_SUID_MAYBE
+/bin/ping			 f 4755	0 0 - - - - -
+/bin/ping6			 f 4755	0 0 - - - - -
+/sbin/findfs			 f 4755	0 0 - - - - -
+/bin/mount			 f 4755	0 0 - - - - -
+/usr/bin/traceroute		 f 4755	0 0 - - - - -
+/usr/bin/traceroute6		 f 4755	0 0 - - - - -
+# Other files
+/usr/share/udhcpc/default.script f 755  0 0 - - - - -
+endef
+else
 define BUSYBOX_PERMISSIONS
 	/bin/busybox                     f 4755 0  0 - - - - -
 	/usr/share/udhcpc/default.script f 755  0  0 - - - - -
 endef
+endif
 
 # If mdev will be used for device creation enable it and copy S10mdev to /etc/init.d
 ifeq ($(BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV),y)
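Review bot: The individual-binaries BUSYBOX_PERMISSIONS table hard-codes twelve paths as setuid root (4755) without checking that busybox actually built them. The series' own busybox-selinux.config leaves CONFIG_SU, CONFIG_PASSWD, CONFIG_VLOCK and CONFIG_FINDFS unset, so those entries either name files busybox does not install or would apply the setuid bit to whatever other package provides that path. Generate the list from the enabled applets, and reconsider whether the BB_SUID_MAYBE group (ping, ping6, findfs, mount, traceroute, traceroute6) needs setuid root on the target at all. The new entries are also not tab-indented like the existing block in the else branch.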
@@ -161,6 +182,17 @@ define BUSYBOX_SET_INIT
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG))
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_INDIVIDUAL,$(BUSYBOX_BUILD_CONFIG))
+endef
+
+define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
+	rm -f $(TARGET_DIR)/bin/busybox
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		$(INSTALL) -m 0755 -D package/busybox/S01logging \
@@ -198,6 +230,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_INTERNAL_SHADOW_PASSWORDS)
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
+	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
 endef
 
 define BUSYBOX_CONFIGURE_CMDS
@@ -219,6 +252,7 @@ define BUSYBOX_INSTALL_INIT_SYSV
 	$(BUSYBOX_INSTALL_MDEV_SCRIPT)
 	$(BUSYBOX_INSTALL_LOGGING_SCRIPT)
 	$(BUSYBOX_INSTALL_WATCHDOG_SCRIPT)
+	$(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)
 endef
 
 $(eval $(kconfig-package))
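Review bot: BUSYBOX_INSTALL_INDIVIDUAL_BINARIES is called from BUSYBOX_INSTALL_INIT_SYSV, so the `rm -f $(TARGET_DIR)/bin/busybox` only runs when the SysV init scripts are installed. With any other init choice the multi-call binary stays on the target beside the per-applet binaries, and anything invoked through it runs from one file with one label, which is what the option is meant to avoid. Run the removal from the target install step rather than from the init hook.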
-- 
1.9.1
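
The commit message above says symlinked applets cannot run under the correct SELinux context: a file's label is stored on its inode, and every link name resolves to the one /bin/busybox inode. The following audit is an added example, not part of the patch series; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list command names in a target rootfs that share one inode.
# Names that share an inode share one SELinux file label, so they cannot be
# given distinct entrypoint types by file labelling.

# Emit "<inode> <path-inside-rootfs>" for every command under the usual bin
# directories, following symlinks so a link reports the file it would execute.
applet_inodes() {
    root=$1
    for d in bin sbin usr/bin usr/sbin; do
        [ -d "$root/$d" ] || continue
        for f in "$root/$d"/*; do
            [ -f "$f" ] || continue      # follows links; skips dangling ones
            ino=$(ls -Li "$f" | awk '{print $1}')
            echo "$ino ${f#"$root"}"
        done
    done
}

# Print "<count> <name> <name> ..." for each inode reached by more than one
# command name (symlinks and hardlinks alike).
shared_names() {
    applet_inodes "$1" | awk '
        { n[$1]++; names[$1] = names[$1] " " $2 }
        END { for (i in n) if (n[i] > 1) print n[i] names[i] }'
}

# Constructed sample: a multi-call binary with relative symlinks and one
# hardlink, plus an unrelated stand-alone program.
make_sample_rootfs() {
    r=$(mktemp -d)
    mkdir -p "$r/bin" "$r/sbin" "$r/usr/bin"
    printf '#!/bin/sh\n' > "$r/bin/busybox"
    chmod 755 "$r/bin/busybox"
    ln -s busybox "$r/bin/login"
    ln -s busybox "$r/bin/ping"
    ln -s ../bin/busybox "$r/sbin/ifconfig"
    ln "$r/bin/busybox" "$r/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$r/usr/bin/sudo"
    chmod 755 "$r/usr/bin/sudo"
    echo "$r"
}

demo_root=$(make_sample_rootfs)
shared_names "$demo_root"
rm -rf "$demo_root"
```

Run against a real `output/target` directory, an empty result means no two command names share an executable.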


* [Buildroot] [PATCH 17/30] busybox: selinux support
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Add a configure option to enable the SELinux support in the
busybox configuration from the Buildroot menuconfig.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/busybox/Config.in                          |  3 +++
 ...ags-strip-non-l-arguments-returned-by-pkg.patch | 28 ++++++++++++++++++++++
 package/busybox/busybox.mk                         |  8 +++++++
 3 files changed, 39 insertions(+)
 create mode 100644 package/busybox/busybox-0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch

diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index 2344c4e..6a0e5d1 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -33,6 +33,9 @@ config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
 comment "Busybox individual binaries depends on dynamic libraries"
 	depends on BR2_PREFER_STATIC_LIB
 
+config BR2_PACKAGE_BUSYBOX_SELINUX
+	bool "Enable SELinux support"
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
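Review bot: BR2_PACKAGE_BUSYBOX_SELINUX has no help text and no `select` or `depends on` lines, while busybox.mk in this patch adds libselinux and libsepol to BUSYBOX_DEPENDENCIES when it is set. Select BR2_PACKAGE_LIBSELINUX and BR2_PACKAGE_LIBSEPOL (inheriting their dependencies) so the option cannot be enabled in a configuration where those libraries are unavailable.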
diff --git a/package/busybox/busybox-0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch b/package/busybox/busybox-0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
new file mode 100644
index 0000000..105626c
--- /dev/null
+++ b/package/busybox/busybox-0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
@@ -0,0 +1,28 @@
+From 67eb23d2be8aba3c474dac81a15b0fa11e5847b7 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Mon, 25 Nov 2013 22:51:53 +0100
+Subject: [PATCH] Makefile.flags: strip non -l arguments returned by pkg-config
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+---
+ Makefile.flags | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.flags b/Makefile.flags
+index 307afa7..885e323 100644
+--- a/Makefile.flags
++++ b/Makefile.flags
+@@ -141,7 +141,9 @@ ifeq ($(CONFIG_SELINUX),y)
+ SELINUX_PC_MODULES = libselinux libsepol
+ $(eval $(call pkg_check_modules,SELINUX,$(SELINUX_PC_MODULES)))
+ CPPFLAGS += $(SELINUX_CFLAGS)
+-LDLIBS += $(if $(SELINUX_LIBS),$(SELINUX_LIBS:-l%=%),$(SELINUX_PC_MODULES:lib%=%))
++LDLIBS += $(if $(SELINUX_LIBS),\
++       $(patsubst -l%,%,$(filter -l%,$(SELINUX_LIBS))),\
++       $(SELINUX_PC_MODULES:lib%=%))
+ endif
+ 
+ ifeq ($(CONFIG_EFENCE),y)
+-- 
+1.8.1.2
+
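Review bot: The Makefile.flags patch carries no description, so a later maintainer cannot tell which non -l words pkg-config was returning or why they broke the link; say so in the patch header. Note also that `$(filter -l%,$(SELINUX_LIBS))` discards any -L search path along with everything else, so the link then relies on the libraries being found in the toolchain's default paths. If that is intended, state it.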
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index e689d2d..cc7a711 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -193,6 +193,13 @@ define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_SELINUX),y)
+BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol
+define BUSYBOX_SET_SELINUX
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SELINUX,$(BUSYBOX_BUILD_CONFIG))
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		$(INSTALL) -m 0755 -D package/busybox/S01logging \
@@ -231,6 +238,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
 	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
+	$(BUSYBOX_SET_SELINUX)
 endef
 
 define BUSYBOX_CONFIGURE_CMDS
-- 
1.9.1


* [Buildroot] [PATCH 18/30] busybox: added linux-pam support
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <Matthew.Weber@rockwellcollins.com>

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/busybox/busybox.mk | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index cc7a711..8c8011e 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -193,10 +193,19 @@ define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define BUSYBOX_LINUX_PAM
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+BUSYBOX_DEPENDENCIES += linux-pam
+endif
+
 ifeq ($(BR2_PACKAGE_BUSYBOX_SELINUX),y)
 BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol
 define BUSYBOX_SET_SELINUX
 	$(call KCONFIG_ENABLE_OPT,CONFIG_SELINUX,$(BUSYBOX_BUILD_CONFIG))
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SELINUXENABLED,$(BUSYBOX_BUILD_CONFIG))
+
 endef
 endif
 
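Review bot: The `CONFIG_SELINUXENABLED` line added inside BUSYBOX_SET_SELINUX is unrelated to linux-pam and is not mentioned in the commit message; it belongs in patch 17 with a word on why it is needed, and it leaves a stray blank line before `endef`. On the PAM side, CONFIG_PAM is forced on whenever BR2_PACKAGE_LINUX_PAM is set, with no busybox option to opt out; the commit message should say so, since it changes how busybox login authenticates.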
@@ -234,6 +243,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_SET_CRYPT_SHA)
 	$(BUSYBOX_NETKITBASE)
 	$(BUSYBOX_NETKITTELNET)
+	$(BUSYBOX_LINUX_PAM)
 	$(BUSYBOX_INTERNAL_SHADOW_PASSWORDS)
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
-- 
1.9.1


* [Buildroot] [PATCH 19/30] busybox: default selinux config which disables init and uses sysvinit
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <Matthew.Weber@rockwellcollins.com>

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 board/qemu/x86/busybox-selinux.config | 1038 +++++++++++++++++++++++++++++++++
 1 file changed, 1038 insertions(+)
 create mode 100644 board/qemu/x86/busybox-selinux.config

diff --git a/board/qemu/x86/busybox-selinux.config b/board/qemu/x86/busybox-selinux.config
new file mode 100644
index 0000000..2b365a4
--- /dev/null
+++ b/board/qemu/x86/busybox-selinux.config
@@ -0,0 +1,1038 @@
+#
+# Automatically generated make config: don't edit
+# Busybox version: 1.22.1
+# Tue Sep 16 07:34:52 2014
+#
+CONFIG_HAVE_DOT_CONFIG=y
+
+#
+# Busybox Settings
+#
+
+#
+# General Configuration
+#
+CONFIG_DESKTOP=y
+# CONFIG_EXTRA_COMPAT is not set
+CONFIG_INCLUDE_SUSv2=y
+# CONFIG_USE_PORTABLE_CODE is not set
+CONFIG_PLATFORM_LINUX=y
+CONFIG_FEATURE_BUFFERS_USE_MALLOC=y
+# CONFIG_FEATURE_BUFFERS_GO_ON_STACK is not set
+# CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set
+CONFIG_SHOW_USAGE=y
+CONFIG_FEATURE_VERBOSE_USAGE=y
+# CONFIG_FEATURE_COMPRESS_USAGE is not set
+CONFIG_FEATURE_INSTALLER=y
+# CONFIG_INSTALL_NO_USR is not set
+# CONFIG_LOCALE_SUPPORT is not set
+# CONFIG_UNICODE_SUPPORT is not set
+# CONFIG_UNICODE_USING_LOCALE is not set
+# CONFIG_FEATURE_CHECK_UNICODE_IN_ENV is not set
+CONFIG_SUBST_WCHAR=0
+CONFIG_LAST_SUPPORTED_WCHAR=0
+# CONFIG_UNICODE_COMBINING_WCHARS is not set
+# CONFIG_UNICODE_WIDE_WCHARS is not set
+# CONFIG_UNICODE_BIDI_SUPPORT is not set
+# CONFIG_UNICODE_NEUTRAL_TABLE is not set
+# CONFIG_UNICODE_PRESERVE_BROKEN is not set
+CONFIG_LONG_OPTS=y
+CONFIG_FEATURE_DEVPTS=y
+CONFIG_FEATURE_CLEAN_UP=y
+CONFIG_FEATURE_UTMP=y
+CONFIG_FEATURE_WTMP=y
+# CONFIG_FEATURE_PIDFILE is not set
+CONFIG_PID_FILE_PATH=""
+CONFIG_FEATURE_SUID=y
+# CONFIG_FEATURE_SUID_CONFIG is not set
+# CONFIG_FEATURE_SUID_CONFIG_QUIET is not set
+CONFIG_SELINUX=y
+# CONFIG_FEATURE_PREFER_APPLETS is not set
+CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe"
+CONFIG_FEATURE_SYSLOG=y
+CONFIG_FEATURE_HAVE_RPC=y
+
+#
+# Build Options
+#
+# CONFIG_STATIC is not set
+# CONFIG_PIE is not set
+# CONFIG_NOMMU is not set
+CONFIG_BUILD_LIBBUSYBOX=y
+CONFIG_FEATURE_INDIVIDUAL=y
+# CONFIG_FEATURE_SHARED_BUSYBOX is not set
+CONFIG_LFS=y
+CONFIG_CROSS_COMPILER_PREFIX=""
+CONFIG_SYSROOT=""
+CONFIG_EXTRA_CFLAGS=""
+CONFIG_EXTRA_LDFLAGS=""
+CONFIG_EXTRA_LDLIBS=""
+
+#
+# Debugging Options
+#
+# CONFIG_DEBUG is not set
+# CONFIG_DEBUG_PESSIMIZE is not set
+# CONFIG_WERROR is not set
+CONFIG_NO_DEBUG_LIB=y
+# CONFIG_DMALLOC is not set
+# CONFIG_EFENCE is not set
+
+#
+# Installation Options ("make install" behavior)
+#
+CONFIG_INSTALL_APPLET_SYMLINKS=y
+# CONFIG_INSTALL_APPLET_HARDLINKS is not set
+# CONFIG_INSTALL_APPLET_SCRIPT_WRAPPERS is not set
+# CONFIG_INSTALL_APPLET_DONT is not set
+# CONFIG_INSTALL_SH_APPLET_SYMLINK is not set
+# CONFIG_INSTALL_SH_APPLET_HARDLINK is not set
+# CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER is not set
+CONFIG_PREFIX="./_install"
+
+#
+# Busybox Library Tuning
+#
+# CONFIG_FEATURE_SYSTEMD is not set
+CONFIG_FEATURE_RTMINMAX=y
+CONFIG_PASSWORD_MINLEN=6
+CONFIG_MD5_SMALL=1
+CONFIG_SHA3_SMALL=1
+# CONFIG_FEATURE_FAST_TOP is not set
+# CONFIG_FEATURE_ETC_NETWORKS is not set
+CONFIG_FEATURE_USE_TERMIOS=y
+CONFIG_FEATURE_EDITING=y
+CONFIG_FEATURE_EDITING_MAX_LEN=1024
+CONFIG_FEATURE_EDITING_VI=y
+CONFIG_FEATURE_EDITING_HISTORY=999
+CONFIG_FEATURE_EDITING_SAVEHISTORY=y
+# CONFIG_FEATURE_EDITING_SAVE_ON_EXIT is not set
+CONFIG_FEATURE_REVERSE_SEARCH=y
+CONFIG_FEATURE_TAB_COMPLETION=y
+# CONFIG_FEATURE_USERNAME_COMPLETION is not set
+CONFIG_FEATURE_EDITING_FANCY_PROMPT=y
+# CONFIG_FEATURE_EDITING_ASK_TERMINAL is not set
+CONFIG_FEATURE_NON_POSIX_CP=y
+# CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set
+CONFIG_FEATURE_COPYBUF_KB=4
+CONFIG_FEATURE_SKIP_ROOTFS=y
+CONFIG_MONOTONIC_SYSCALL=y
+CONFIG_IOCTL_HEX2STR_ERROR=y
+CONFIG_FEATURE_HWIB=y
+
+#
+# Applets
+#
+
+#
+# Archival Utilities
+#
+# CONFIG_FEATURE_SEAMLESS_XZ is not set
+# CONFIG_FEATURE_SEAMLESS_LZMA is not set
+# CONFIG_FEATURE_SEAMLESS_BZ2 is not set
+# CONFIG_FEATURE_SEAMLESS_GZ is not set
+# CONFIG_FEATURE_SEAMLESS_Z is not set
+CONFIG_AR=y
+# CONFIG_FEATURE_AR_LONG_FILENAMES is not set
+CONFIG_FEATURE_AR_CREATE=y
+# CONFIG_UNCOMPRESS is not set
+CONFIG_GUNZIP=y
+CONFIG_BUNZIP2=y
+CONFIG_UNLZMA=y
+# CONFIG_FEATURE_LZMA_FAST is not set
+CONFIG_LZMA=y
+CONFIG_UNXZ=y
+CONFIG_XZ=y
+# CONFIG_BZIP2 is not set
+CONFIG_CPIO=y
+# CONFIG_FEATURE_CPIO_O is not set
+# CONFIG_FEATURE_CPIO_P is not set
+# CONFIG_DPKG is not set
+# CONFIG_DPKG_DEB is not set
+# CONFIG_FEATURE_DPKG_DEB_EXTRACT_ONLY is not set
+CONFIG_GZIP=y
+# CONFIG_FEATURE_GZIP_LONG_OPTIONS is not set
+CONFIG_GZIP_FAST=0
+# CONFIG_LZOP is not set
+# CONFIG_LZOP_COMPR_HIGH is not set
+# CONFIG_RPM is not set
+# CONFIG_RPM2CPIO is not set
+CONFIG_TAR=y
+CONFIG_FEATURE_TAR_CREATE=y
+# CONFIG_FEATURE_TAR_AUTODETECT is not set
+CONFIG_FEATURE_TAR_FROM=y
+# CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY is not set
+# CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY is not set
+CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y
+CONFIG_FEATURE_TAR_LONG_OPTIONS=y
+CONFIG_FEATURE_TAR_TO_COMMAND=y
+# CONFIG_FEATURE_TAR_UNAME_GNAME is not set
+# CONFIG_FEATURE_TAR_NOPRESERVE_TIME is not set
+CONFIG_FEATURE_TAR_SELINUX=y
+CONFIG_UNZIP=y
+
+#
+# Coreutils
+#
+CONFIG_BASENAME=y
+CONFIG_CAT=y
+CONFIG_DATE=y
+CONFIG_FEATURE_DATE_ISOFMT=y
+# CONFIG_FEATURE_DATE_NANO is not set
+CONFIG_FEATURE_DATE_COMPAT=y
+CONFIG_HOSTID=y
+CONFIG_ID=y
+CONFIG_GROUPS=y
+CONFIG_TEST=y
+CONFIG_FEATURE_TEST_64=y
+CONFIG_TOUCH=y
+CONFIG_FEATURE_TOUCH_NODEREF=y
+CONFIG_FEATURE_TOUCH_SUSV3=y
+CONFIG_TR=y
+CONFIG_FEATURE_TR_CLASSES=y
+CONFIG_FEATURE_TR_EQUIV=y
+# CONFIG_BASE64 is not set
+CONFIG_WHO=y
+CONFIG_USERS=y
+# CONFIG_CAL is not set
+CONFIG_CATV=y
+CONFIG_CHGRP=y
+CONFIG_CHMOD=y
+CONFIG_CHOWN=y
+# CONFIG_FEATURE_CHOWN_LONG_OPTIONS is not set
+CONFIG_CHROOT=y
+CONFIG_CKSUM=y
+# CONFIG_COMM is not set
+CONFIG_CP=y
+# CONFIG_FEATURE_CP_LONG_OPTIONS is not set
+CONFIG_CUT=y
+CONFIG_DD=y
+CONFIG_FEATURE_DD_SIGNAL_HANDLING=y
+# CONFIG_FEATURE_DD_THIRD_STATUS_LINE is not set
+CONFIG_FEATURE_DD_IBS_OBS=y
+CONFIG_DF=y
+# CONFIG_FEATURE_DF_FANCY is not set
+CONFIG_DIRNAME=y
+CONFIG_DOS2UNIX=y
+CONFIG_UNIX2DOS=y
+CONFIG_DU=y
+CONFIG_FEATURE_DU_DEFAULT_BLOCKSIZE_1K=y
+CONFIG_ECHO=y
+CONFIG_FEATURE_FANCY_ECHO=y
+CONFIG_ENV=y
+# CONFIG_FEATURE_ENV_LONG_OPTIONS is not set
+# CONFIG_EXPAND is not set
+# CONFIG_FEATURE_EXPAND_LONG_OPTIONS is not set
+CONFIG_EXPR=y
+CONFIG_EXPR_MATH_SUPPORT_64=y
+CONFIG_FALSE=y
+CONFIG_FOLD=y
+# CONFIG_FSYNC is not set
+CONFIG_HEAD=y
+CONFIG_FEATURE_FANCY_HEAD=y
+CONFIG_INSTALL=y
+CONFIG_FEATURE_INSTALL_LONG_OPTIONS=y
+CONFIG_LN=y
+CONFIG_LOGNAME=y
+CONFIG_LS=y
+CONFIG_FEATURE_LS_FILETYPES=y
+CONFIG_FEATURE_LS_FOLLOWLINKS=y
+CONFIG_FEATURE_LS_RECURSIVE=y
+CONFIG_FEATURE_LS_SORTFILES=y
+CONFIG_FEATURE_LS_TIMESTAMPS=y
+CONFIG_FEATURE_LS_USERNAME=y
+CONFIG_FEATURE_LS_COLOR=y
+CONFIG_FEATURE_LS_COLOR_IS_DEFAULT=y
+CONFIG_MD5SUM=y
+CONFIG_MKDIR=y
+CONFIG_FEATURE_MKDIR_LONG_OPTIONS=y
+CONFIG_MKFIFO=y
+CONFIG_MKNOD=y
+CONFIG_MV=y
+CONFIG_FEATURE_MV_LONG_OPTIONS=y
+CONFIG_NICE=y
+CONFIG_NOHUP=y
+CONFIG_OD=y
+CONFIG_PRINTENV=y
+CONFIG_PRINTF=y
+CONFIG_PWD=y
+CONFIG_READLINK=y
+CONFIG_FEATURE_READLINK_FOLLOW=y
+CONFIG_REALPATH=y
+CONFIG_RM=y
+CONFIG_RMDIR=y
+# CONFIG_FEATURE_RMDIR_LONG_OPTIONS is not set
+CONFIG_SEQ=y
+CONFIG_SHA1SUM=y
+CONFIG_SHA256SUM=y
+CONFIG_SHA512SUM=y
+CONFIG_SHA3SUM=y
+CONFIG_SLEEP=y
+CONFIG_FEATURE_FANCY_SLEEP=y
+CONFIG_FEATURE_FLOAT_SLEEP=y
+CONFIG_SORT=y
+CONFIG_FEATURE_SORT_BIG=y
+# CONFIG_SPLIT is not set
+# CONFIG_FEATURE_SPLIT_FANCY is not set
+# CONFIG_STAT is not set
+# CONFIG_FEATURE_STAT_FORMAT is not set
+CONFIG_STTY=y
+# CONFIG_SUM is not set
+CONFIG_SYNC=y
+# CONFIG_TAC is not set
+CONFIG_TAIL=y
+CONFIG_FEATURE_FANCY_TAIL=y
+CONFIG_TEE=y
+CONFIG_FEATURE_TEE_USE_BLOCK_IO=y
+CONFIG_TRUE=y
+CONFIG_TTY=y
+CONFIG_UNAME=y
+# CONFIG_UNEXPAND is not set
+# CONFIG_FEATURE_UNEXPAND_LONG_OPTIONS is not set
+CONFIG_UNIQ=y
+CONFIG_USLEEP=y
+CONFIG_UUDECODE=y
+CONFIG_UUENCODE=y
+CONFIG_WC=y
+# CONFIG_FEATURE_WC_LARGE is not set
+CONFIG_WHOAMI=y
+CONFIG_YES=y
+
+#
+# Common options for cp and mv
+#
+CONFIG_FEATURE_PRESERVE_HARDLINKS=y
+
+#
+# Common options for ls, more and telnet
+#
+CONFIG_FEATURE_AUTOWIDTH=y
+
+#
+# Common options for df, du, ls
+#
+CONFIG_FEATURE_HUMAN_READABLE=y
+
+#
+# Common options for md5sum, sha1sum, sha256sum, sha512sum, sha3sum
+#
+CONFIG_FEATURE_MD5_SHA1_SUM_CHECK=y
+
+#
+# Console Utilities
+#
+CONFIG_CHVT=y
+# CONFIG_FGCONSOLE is not set
+CONFIG_CLEAR=y
+CONFIG_DEALLOCVT=y
+CONFIG_DUMPKMAP=y
+# CONFIG_KBD_MODE is not set
+CONFIG_LOADFONT=y
+CONFIG_LOADKMAP=y
+CONFIG_OPENVT=y
+CONFIG_RESET=y
+CONFIG_RESIZE=y
+CONFIG_FEATURE_RESIZE_PRINT=y
+CONFIG_SETCONSOLE=y
+# CONFIG_FEATURE_SETCONSOLE_LONG_OPTIONS is not set
+# CONFIG_SETFONT is not set
+# CONFIG_FEATURE_SETFONT_TEXTUAL_MAP is not set
+CONFIG_DEFAULT_SETFONT_DIR=""
+CONFIG_SETKEYCODES=y
+CONFIG_SETLOGCONS=y
+# CONFIG_SHOWKEY is not set
+
+#
+# Common options for loadfont and setfont
+#
+CONFIG_FEATURE_LOADFONT_PSF2=y
+CONFIG_FEATURE_LOADFONT_RAW=y
+
+#
+# Debian Utilities
+#
+CONFIG_MKTEMP=y
+CONFIG_PIPE_PROGRESS=y
+CONFIG_RUN_PARTS=y
+CONFIG_FEATURE_RUN_PARTS_LONG_OPTIONS=y
+# CONFIG_FEATURE_RUN_PARTS_FANCY is not set
+CONFIG_START_STOP_DAEMON=y
+CONFIG_FEATURE_START_STOP_DAEMON_FANCY=y
+CONFIG_FEATURE_START_STOP_DAEMON_LONG_OPTIONS=y
+CONFIG_WHICH=y
+
+#
+# Editors
+#
+CONFIG_AWK=y
+# CONFIG_FEATURE_AWK_LIBM is not set
+CONFIG_FEATURE_AWK_GNU_EXTENSIONS=y
+CONFIG_CMP=y
+CONFIG_DIFF=y
+# CONFIG_FEATURE_DIFF_LONG_OPTIONS is not set
+CONFIG_FEATURE_DIFF_DIR=y
+# CONFIG_ED is not set
+CONFIG_PATCH=y
+CONFIG_SED=y
+CONFIG_VI=y
+CONFIG_FEATURE_VI_MAX_LEN=4096
+CONFIG_FEATURE_VI_8BIT=y
+CONFIG_FEATURE_VI_COLON=y
+CONFIG_FEATURE_VI_YANKMARK=y
+CONFIG_FEATURE_VI_SEARCH=y
+# CONFIG_FEATURE_VI_REGEX_SEARCH is not set
+CONFIG_FEATURE_VI_USE_SIGNALS=y
+CONFIG_FEATURE_VI_DOT_CMD=y
+CONFIG_FEATURE_VI_READONLY=y
+CONFIG_FEATURE_VI_SETOPTS=y
+CONFIG_FEATURE_VI_SET=y
+CONFIG_FEATURE_VI_WIN_RESIZE=y
+CONFIG_FEATURE_VI_ASK_TERMINAL=y
+CONFIG_FEATURE_ALLOW_EXEC=y
+
+#
+# Finding Utilities
+#
+CONFIG_FIND=y
+CONFIG_FEATURE_FIND_PRINT0=y
+CONFIG_FEATURE_FIND_MTIME=y
+CONFIG_FEATURE_FIND_MMIN=y
+CONFIG_FEATURE_FIND_PERM=y
+CONFIG_FEATURE_FIND_TYPE=y
+CONFIG_FEATURE_FIND_XDEV=y
+CONFIG_FEATURE_FIND_MAXDEPTH=y
+CONFIG_FEATURE_FIND_NEWER=y
+# CONFIG_FEATURE_FIND_INUM is not set
+CONFIG_FEATURE_FIND_EXEC=y
+CONFIG_FEATURE_FIND_USER=y
+CONFIG_FEATURE_FIND_GROUP=y
+CONFIG_FEATURE_FIND_NOT=y
+CONFIG_FEATURE_FIND_DEPTH=y
+CONFIG_FEATURE_FIND_PAREN=y
+CONFIG_FEATURE_FIND_SIZE=y
+CONFIG_FEATURE_FIND_PRUNE=y
+# CONFIG_FEATURE_FIND_DELETE is not set
+CONFIG_FEATURE_FIND_PATH=y
+CONFIG_FEATURE_FIND_REGEX=y
+# CONFIG_FEATURE_FIND_CONTEXT is not set
+# CONFIG_FEATURE_FIND_LINKS is not set
+CONFIG_GREP=y
+CONFIG_FEATURE_GREP_EGREP_ALIAS=y
+CONFIG_FEATURE_GREP_FGREP_ALIAS=y
+CONFIG_FEATURE_GREP_CONTEXT=y
+CONFIG_XARGS=y
+# CONFIG_FEATURE_XARGS_SUPPORT_CONFIRMATION is not set
+CONFIG_FEATURE_XARGS_SUPPORT_QUOTES=y
+CONFIG_FEATURE_XARGS_SUPPORT_TERMOPT=y
+CONFIG_FEATURE_XARGS_SUPPORT_ZERO_TERM=y
+
+#
+# Init Utilities
+#
+# CONFIG_BOOTCHARTD is not set
+# CONFIG_FEATURE_BOOTCHARTD_BLOATED_HEADER is not set
+# CONFIG_FEATURE_BOOTCHARTD_CONFIG_FILE is not set
+# CONFIG_HALT is not set
+# CONFIG_FEATURE_CALL_TELINIT is not set
+CONFIG_TELINIT_PATH=""
+# CONFIG_INIT is not set
+# CONFIG_FEATURE_USE_INITTAB is not set
+# CONFIG_FEATURE_KILL_REMOVED is not set
+CONFIG_FEATURE_KILL_DELAY=0
+# CONFIG_FEATURE_INIT_SCTTY is not set
+# CONFIG_FEATURE_INIT_SYSLOG is not set
+# CONFIG_FEATURE_EXTRA_QUIET is not set
+# CONFIG_FEATURE_INIT_COREDUMPS is not set
+# CONFIG_FEATURE_INITRD is not set
+CONFIG_INIT_TERMINAL_TYPE=""
+CONFIG_MESG=y
+CONFIG_FEATURE_MESG_ENABLE_ONLY_GROUP=y
+
+#
+# Login/Password Management Utilities
+#
+# CONFIG_ADD_SHELL is not set
+# CONFIG_REMOVE_SHELL is not set
+# CONFIG_FEATURE_SHADOWPASSWDS is not set
+# CONFIG_USE_BB_PWD_GRP is not set
+# CONFIG_USE_BB_SHADOW is not set
+# CONFIG_USE_BB_CRYPT is not set
+# CONFIG_USE_BB_CRYPT_SHA is not set
+# CONFIG_ADDUSER is not set
+# CONFIG_FEATURE_ADDUSER_LONG_OPTIONS is not set
+# CONFIG_FEATURE_CHECK_NAMES is not set
+CONFIG_FIRST_SYSTEM_ID=0
+CONFIG_LAST_SYSTEM_ID=0
+# CONFIG_ADDGROUP is not set
+# CONFIG_FEATURE_ADDGROUP_LONG_OPTIONS is not set
+# CONFIG_FEATURE_ADDUSER_TO_GROUP is not set
+# CONFIG_DELUSER is not set
+# CONFIG_DELGROUP is not set
+# CONFIG_FEATURE_DEL_USER_FROM_GROUP is not set
+CONFIG_GETTY=y
+CONFIG_LOGIN=y
+CONFIG_LOGIN_SESSION_AS_CHILD=y
+CONFIG_PAM=y
+CONFIG_LOGIN_SCRIPTS=y
+CONFIG_FEATURE_NOLOGIN=y
+CONFIG_FEATURE_SECURETTY=y
+# CONFIG_PASSWD is not set
+# CONFIG_FEATURE_PASSWD_WEAK_CHECK is not set
+# CONFIG_CRYPTPW is not set
+# CONFIG_CHPASSWD is not set
+CONFIG_FEATURE_DEFAULT_PASSWD_ALGO=""
+# CONFIG_SU is not set
+# CONFIG_FEATURE_SU_SYSLOG is not set
+# CONFIG_FEATURE_SU_CHECKS_SHELLS is not set
+# CONFIG_SULOGIN is not set
+# CONFIG_VLOCK is not set
+
+#
+# Linux Ext2 FS Progs
+#
+# CONFIG_CHATTR is not set
+# CONFIG_FSCK is not set
+# CONFIG_LSATTR is not set
+# CONFIG_TUNE2FS is not set
+
+#
+# Linux Module Utilities
+#
+# CONFIG_MODINFO is not set
+# CONFIG_MODPROBE_SMALL is not set
+# CONFIG_FEATURE_MODPROBE_SMALL_OPTIONS_ON_CMDLINE is not set
+# CONFIG_FEATURE_MODPROBE_SMALL_CHECK_ALREADY_LOADED is not set
+# CONFIG_INSMOD is not set
+# CONFIG_RMMOD is not set
+# CONFIG_LSMOD is not set
+# CONFIG_FEATURE_LSMOD_PRETTY_2_6_OUTPUT is not set
+# CONFIG_MODPROBE is not set
+# CONFIG_FEATURE_MODPROBE_BLACKLIST is not set
+# CONFIG_DEPMOD is not set
+
+#
+# Options common to multiple modutils
+#
+# CONFIG_FEATURE_2_4_MODULES is not set
+# CONFIG_FEATURE_INSMOD_TRY_MMAP is not set
+# CONFIG_FEATURE_INSMOD_VERSION_CHECKING is not set
+# CONFIG_FEATURE_INSMOD_KSYMOOPS_SYMBOLS is not set
+# CONFIG_FEATURE_INSMOD_LOADINKMEM is not set
+# CONFIG_FEATURE_INSMOD_LOAD_MAP is not set
+# CONFIG_FEATURE_INSMOD_LOAD_MAP_FULL is not set
+# CONFIG_FEATURE_CHECK_TAINTED_MODULE is not set
+# CONFIG_FEATURE_MODUTILS_ALIAS is not set
+# CONFIG_FEATURE_MODUTILS_SYMBOLS is not set
+CONFIG_DEFAULT_MODULES_DIR=""
+CONFIG_DEFAULT_DEPMOD_FILE=""
+
+#
+# Linux System Utilities
+#
+# CONFIG_BLOCKDEV is not set
+CONFIG_FSTRIM=y
+CONFIG_MDEV=y
+CONFIG_FEATURE_MDEV_CONF=y
+CONFIG_FEATURE_MDEV_RENAME=y
+# CONFIG_FEATURE_MDEV_RENAME_REGEXP is not set
+CONFIG_FEATURE_MDEV_EXEC=y
+# CONFIG_FEATURE_MDEV_LOAD_FIRMWARE is not set
+# CONFIG_REV is not set
+# CONFIG_ACPID is not set
+# CONFIG_FEATURE_ACPID_COMPAT is not set
+CONFIG_BLKID=y
+# CONFIG_FEATURE_BLKID_TYPE is not set
+CONFIG_DMESG=y
+CONFIG_FEATURE_DMESG_PRETTY=y
+# CONFIG_FBSET is not set
+# CONFIG_FEATURE_FBSET_FANCY is not set
+# CONFIG_FEATURE_FBSET_READMODE is not set
+CONFIG_FDFLUSH=y
+CONFIG_FDFORMAT=y
+CONFIG_FDISK=y
+# CONFIG_FDISK_SUPPORT_LARGE_DISKS is not set
+CONFIG_FEATURE_FDISK_WRITABLE=y
+# CONFIG_FEATURE_AIX_LABEL is not set
+# CONFIG_FEATURE_SGI_LABEL is not set
+# CONFIG_FEATURE_SUN_LABEL is not set
+# CONFIG_FEATURE_OSF_LABEL is not set
+CONFIG_FEATURE_GPT_LABEL=y
+CONFIG_FEATURE_FDISK_ADVANCED=y
+# CONFIG_FINDFS is not set
+# CONFIG_FLOCK is not set
+CONFIG_FREERAMDISK=y
+# CONFIG_FSCK_MINIX is not set
+# CONFIG_MKFS_EXT2 is not set
+# CONFIG_MKFS_MINIX is not set
+# CONFIG_FEATURE_MINIX2 is not set
+# CONFIG_MKFS_REISER is not set
+# CONFIG_MKFS_VFAT is not set
+CONFIG_GETOPT=y
+CONFIG_FEATURE_GETOPT_LONG=y
+CONFIG_HEXDUMP=y
+# CONFIG_FEATURE_HEXDUMP_REVERSE is not set
+# CONFIG_HD is not set
+CONFIG_HWCLOCK=y
+CONFIG_FEATURE_HWCLOCK_LONG_OPTIONS=y
+CONFIG_FEATURE_HWCLOCK_ADJTIME_FHS=y
+CONFIG_IPCRM=y
+CONFIG_IPCS=y
+CONFIG_LOSETUP=y
+CONFIG_LSPCI=y
+CONFIG_LSUSB=y
+CONFIG_MKSWAP=y
+# CONFIG_FEATURE_MKSWAP_UUID is not set
+CONFIG_MORE=y
+CONFIG_MOUNT=y
+# CONFIG_FEATURE_MOUNT_FAKE is not set
+CONFIG_FEATURE_MOUNT_VERBOSE=y
+CONFIG_FEATURE_MOUNT_HELPERS=y
+CONFIG_FEATURE_MOUNT_LABEL=y
+CONFIG_FEATURE_MOUNT_NFS=y
+CONFIG_FEATURE_MOUNT_CIFS=y
+CONFIG_FEATURE_MOUNT_FLAGS=y
+CONFIG_FEATURE_MOUNT_FSTAB=y
+# CONFIG_PIVOT_ROOT is not set
+CONFIG_RDATE=y
+# CONFIG_RDEV is not set
+CONFIG_READPROFILE=y
+# CONFIG_RTCWAKE is not set
+# CONFIG_SCRIPT is not set
+# CONFIG_SCRIPTREPLAY is not set
+CONFIG_SETARCH=y
+CONFIG_SWAPONOFF=y
+# CONFIG_FEATURE_SWAPON_PRI is not set
+CONFIG_SWITCH_ROOT=y
+CONFIG_UMOUNT=y
+CONFIG_FEATURE_UMOUNT_ALL=y
+
+#
+# Common options for mount/umount
+#
+CONFIG_FEATURE_MOUNT_LOOP=y
+CONFIG_FEATURE_MOUNT_LOOP_CREATE=y
+# CONFIG_FEATURE_MTAB_SUPPORT is not set
+CONFIG_VOLUMEID=y
+
+#
+# Filesystem/Volume identification
+#
+# CONFIG_FEATURE_VOLUMEID_BTRFS is not set
+# CONFIG_FEATURE_VOLUMEID_CRAMFS is not set
+CONFIG_FEATURE_VOLUMEID_EXFAT=y
+CONFIG_FEATURE_VOLUMEID_EXT=y
+CONFIG_FEATURE_VOLUMEID_F2FS=y
+CONFIG_FEATURE_VOLUMEID_FAT=y
+# CONFIG_FEATURE_VOLUMEID_HFS is not set
+# CONFIG_FEATURE_VOLUMEID_ISO9660 is not set
+# CONFIG_FEATURE_VOLUMEID_JFS is not set
+# CONFIG_FEATURE_VOLUMEID_LINUXRAID is not set
+# CONFIG_FEATURE_VOLUMEID_LINUXSWAP is not set
+# CONFIG_FEATURE_VOLUMEID_LUKS is not set
+# CONFIG_FEATURE_VOLUMEID_NILFS is not set
+# CONFIG_FEATURE_VOLUMEID_NTFS is not set
+# CONFIG_FEATURE_VOLUMEID_OCFS2 is not set
+# CONFIG_FEATURE_VOLUMEID_REISERFS is not set
+# CONFIG_FEATURE_VOLUMEID_ROMFS is not set
+# CONFIG_FEATURE_VOLUMEID_SQUASHFS is not set
+# CONFIG_FEATURE_VOLUMEID_SYSV is not set
+# CONFIG_FEATURE_VOLUMEID_UDF is not set
+# CONFIG_FEATURE_VOLUMEID_XFS is not set
+
+#
+# Miscellaneous Utilities
+#
+# CONFIG_CONSPY is not set
+CONFIG_LESS=y
+CONFIG_FEATURE_LESS_MAXLINES=9999999
+CONFIG_FEATURE_LESS_BRACKETS=y
+CONFIG_FEATURE_LESS_FLAGS=y
+# CONFIG_FEATURE_LESS_MARKS is not set
+CONFIG_FEATURE_LESS_REGEXP=y
+# CONFIG_FEATURE_LESS_WINCH is not set
+# CONFIG_FEATURE_LESS_ASK_TERMINAL is not set
+# CONFIG_FEATURE_LESS_DASHCMD is not set
+# CONFIG_FEATURE_LESS_LINENUMS is not set
+# CONFIG_NANDWRITE is not set
+# CONFIG_NANDDUMP is not set
+# CONFIG_RFKILL is not set
+CONFIG_SETSERIAL=y
+# CONFIG_UBIATTACH is not set
+# CONFIG_UBIDETACH is not set
+# CONFIG_UBIMKVOL is not set
+# CONFIG_UBIRMVOL is not set
+# CONFIG_UBIRSVOL is not set
+# CONFIG_UBIUPDATEVOL is not set
+# CONFIG_WALL is not set
+# CONFIG_ADJTIMEX is not set
+# CONFIG_BBCONFIG is not set
+# CONFIG_FEATURE_COMPRESS_BBCONFIG is not set
+# CONFIG_BEEP is not set
+CONFIG_FEATURE_BEEP_FREQ=0
+CONFIG_FEATURE_BEEP_LENGTH_MS=0
+# CONFIG_CHAT is not set
+# CONFIG_FEATURE_CHAT_NOFAIL is not set
+# CONFIG_FEATURE_CHAT_TTY_HIFI is not set
+# CONFIG_FEATURE_CHAT_IMPLICIT_CR is not set
+# CONFIG_FEATURE_CHAT_SWALLOW_OPTS is not set
+# CONFIG_FEATURE_CHAT_SEND_ESCAPES is not set
+# CONFIG_FEATURE_CHAT_VAR_ABORT_LEN is not set
+# CONFIG_FEATURE_CHAT_CLR_ABORT is not set
+CONFIG_CHRT=y
+CONFIG_CROND=y
+# CONFIG_FEATURE_CROND_D is not set
+# CONFIG_FEATURE_CROND_CALL_SENDMAIL is not set
+CONFIG_FEATURE_CROND_DIR="/var/spool/cron"
+CONFIG_CRONTAB=y
+CONFIG_DC=y
+# CONFIG_FEATURE_DC_LIBM is not set
+# CONFIG_DEVFSD is not set
+# CONFIG_DEVFSD_MODLOAD is not set
+# CONFIG_DEVFSD_FG_NP is not set
+# CONFIG_DEVFSD_VERBOSE is not set
+# CONFIG_FEATURE_DEVFS is not set
+CONFIG_DEVMEM=y
+CONFIG_EJECT=y
+# CONFIG_FEATURE_EJECT_SCSI is not set
+# CONFIG_FBSPLASH is not set
+# CONFIG_FLASHCP is not set
+# CONFIG_FLASH_LOCK is not set
+# CONFIG_FLASH_UNLOCK is not set
+# CONFIG_FLASH_ERASEALL is not set
+# CONFIG_IONICE is not set
+# CONFIG_INOTIFYD is not set
+CONFIG_LAST=y
+CONFIG_FEATURE_LAST_SMALL=y
+# CONFIG_FEATURE_LAST_FANCY is not set
+CONFIG_HDPARM=y
+CONFIG_FEATURE_HDPARM_GET_IDENTITY=y
+# CONFIG_FEATURE_HDPARM_HDIO_SCAN_HWIF is not set
+# CONFIG_FEATURE_HDPARM_HDIO_UNREGISTER_HWIF is not set
+# CONFIG_FEATURE_HDPARM_HDIO_DRIVE_RESET is not set
+# CONFIG_FEATURE_HDPARM_HDIO_TRISTATE_HWIF is not set
+# CONFIG_FEATURE_HDPARM_HDIO_GETSET_DMA is not set
+CONFIG_MAKEDEVS=y
+# CONFIG_FEATURE_MAKEDEVS_LEAF is not set
+CONFIG_FEATURE_MAKEDEVS_TABLE=y
+# CONFIG_MAN is not set
+CONFIG_MICROCOM=y
+CONFIG_MOUNTPOINT=y
+CONFIG_MT=y
+# CONFIG_RAIDAUTORUN is not set
+# CONFIG_READAHEAD is not set
+CONFIG_RUNLEVEL=y
+# CONFIG_RX is not set
+CONFIG_SETSID=y
+CONFIG_STRINGS=y
+# CONFIG_TASKSET is not set
+# CONFIG_FEATURE_TASKSET_FANCY is not set
+CONFIG_TIME=y
+# CONFIG_TIMEOUT is not set
+# CONFIG_TTYSIZE is not set
+# CONFIG_VOLNAME is not set
+CONFIG_WATCHDOG=y
+
+#
+# Networking Utilities
+#
+CONFIG_NAMEIF=y
+# CONFIG_FEATURE_NAMEIF_EXTENDED is not set
+# CONFIG_NBDCLIENT is not set
+# CONFIG_NC is not set
+# CONFIG_NC_SERVER is not set
+# CONFIG_NC_EXTRA is not set
+# CONFIG_NC_110_COMPAT is not set
+CONFIG_PING=y
+# CONFIG_PING6 is not set
+CONFIG_FEATURE_FANCY_PING=y
+# CONFIG_WHOIS is not set
+CONFIG_FEATURE_IPV6=y
+# CONFIG_FEATURE_UNIX_LOCAL is not set
+# CONFIG_FEATURE_PREFER_IPV4_ADDRESS is not set
+# CONFIG_VERBOSE_RESOLUTION_ERRORS is not set
+# CONFIG_ARP is not set
+CONFIG_ARPING=y
+# CONFIG_BRCTL is not set
+# CONFIG_FEATURE_BRCTL_FANCY is not set
+# CONFIG_FEATURE_BRCTL_SHOW is not set
+CONFIG_DNSD=y
+CONFIG_ETHER_WAKE=y
+# CONFIG_FAKEIDENTD is not set
+# CONFIG_FTPD is not set
+# CONFIG_FEATURE_FTP_WRITE is not set
+# CONFIG_FEATURE_FTPD_ACCEPT_BROKEN_LIST is not set
+# CONFIG_FTPGET is not set
+# CONFIG_FTPPUT is not set
+# CONFIG_FEATURE_FTPGETPUT_LONG_OPTIONS is not set
+CONFIG_HOSTNAME=y
+# CONFIG_HTTPD is not set
+# CONFIG_FEATURE_HTTPD_RANGES is not set
+# CONFIG_FEATURE_HTTPD_USE_SENDFILE is not set
+# CONFIG_FEATURE_HTTPD_SETUID is not set
+# CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set
+# CONFIG_FEATURE_HTTPD_AUTH_MD5 is not set
+# CONFIG_FEATURE_HTTPD_CGI is not set
+# CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR is not set
+# CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV is not set
+# CONFIG_FEATURE_HTTPD_ENCODE_URL_STR is not set
+# CONFIG_FEATURE_HTTPD_ERROR_PAGES is not set
+# CONFIG_FEATURE_HTTPD_PROXY is not set
+# CONFIG_FEATURE_HTTPD_GZIP is not set
+CONFIG_IFCONFIG=y
+CONFIG_FEATURE_IFCONFIG_STATUS=y
+CONFIG_FEATURE_IFCONFIG_SLIP=y
+CONFIG_FEATURE_IFCONFIG_MEMSTART_IOADDR_IRQ=y
+CONFIG_FEATURE_IFCONFIG_HW=y
+# CONFIG_FEATURE_IFCONFIG_BROADCAST_PLUS is not set
+# CONFIG_IFENSLAVE is not set
+# CONFIG_IFPLUGD is not set
+CONFIG_IFUPDOWN=y
+CONFIG_IFUPDOWN_IFSTATE_PATH="/var/run/ifstate"
+CONFIG_FEATURE_IFUPDOWN_IP=y
+# CONFIG_FEATURE_IFUPDOWN_IP_BUILTIN is not set
+# CONFIG_FEATURE_IFUPDOWN_IFCONFIG_BUILTIN is not set
+CONFIG_FEATURE_IFUPDOWN_IPV4=y
+CONFIG_FEATURE_IFUPDOWN_IPV6=y
+CONFIG_FEATURE_IFUPDOWN_MAPPING=y
+# CONFIG_FEATURE_IFUPDOWN_EXTERNAL_DHCP is not set
+# CONFIG_INETD is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_ECHO is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DISCARD is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_TIME is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DAYTIME is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_CHARGEN is not set
+# CONFIG_FEATURE_INETD_RPC is not set
+CONFIG_IP=y
+CONFIG_FEATURE_IP_ADDRESS=y
+CONFIG_FEATURE_IP_LINK=y
+CONFIG_FEATURE_IP_ROUTE=y
+CONFIG_FEATURE_IP_TUNNEL=y
+CONFIG_FEATURE_IP_RULE=y
+CONFIG_FEATURE_IP_SHORT_FORMS=y
+# CONFIG_FEATURE_IP_RARE_PROTOCOLS is not set
+CONFIG_IPADDR=y
+CONFIG_IPLINK=y
+CONFIG_IPROUTE=y
+CONFIG_IPTUNNEL=y
+CONFIG_IPRULE=y
+# CONFIG_IPCALC is not set
+# CONFIG_FEATURE_IPCALC_FANCY is not set
+# CONFIG_FEATURE_IPCALC_LONG_OPTIONS is not set
+CONFIG_NETSTAT=y
+# CONFIG_FEATURE_NETSTAT_WIDE is not set
+# CONFIG_FEATURE_NETSTAT_PRG is not set
+CONFIG_NSLOOKUP=y
+# CONFIG_NTPD is not set
+# CONFIG_FEATURE_NTPD_SERVER is not set
+# CONFIG_PSCAN is not set
+CONFIG_ROUTE=y
+# CONFIG_SLATTACH is not set
+# CONFIG_TCPSVD is not set
+CONFIG_TELNET=y
+CONFIG_FEATURE_TELNET_TTYPE=y
+CONFIG_FEATURE_TELNET_AUTOLOGIN=y
+# CONFIG_TELNETD is not set
+# CONFIG_FEATURE_TELNETD_STANDALONE is not set
+# CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
+CONFIG_TFTP=y
+# CONFIG_TFTPD is not set
+
+#
+# Common options for tftp/tftpd
+#
+CONFIG_FEATURE_TFTP_GET=y
+CONFIG_FEATURE_TFTP_PUT=y
+CONFIG_FEATURE_TFTP_BLOCKSIZE=y
+# CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set
+# CONFIG_TFTP_DEBUG is not set
+CONFIG_TRACEROUTE=y
+# CONFIG_TRACEROUTE6 is not set
+# CONFIG_FEATURE_TRACEROUTE_VERBOSE is not set
+# CONFIG_FEATURE_TRACEROUTE_SOURCE_ROUTE is not set
+# CONFIG_FEATURE_TRACEROUTE_USE_ICMP is not set
+# CONFIG_TUNCTL is not set
+# CONFIG_FEATURE_TUNCTL_UG is not set
+# CONFIG_UDHCPC6 is not set
+# CONFIG_UDHCPD is not set
+# CONFIG_DHCPRELAY is not set
+# CONFIG_DUMPLEASES is not set
+# CONFIG_FEATURE_UDHCPD_WRITE_LEASES_EARLY is not set
+# CONFIG_FEATURE_UDHCPD_BASE_IP_ON_MAC is not set
+CONFIG_DHCPD_LEASES_FILE=""
+CONFIG_UDHCPC=y
+CONFIG_FEATURE_UDHCPC_ARPING=y
+# CONFIG_FEATURE_UDHCP_PORT is not set
+CONFIG_UDHCP_DEBUG=0
+# CONFIG_FEATURE_UDHCP_RFC3397 is not set
+CONFIG_FEATURE_UDHCP_8021Q=y
+CONFIG_UDHCPC_DEFAULT_SCRIPT="/usr/share/udhcpc/default.script"
+CONFIG_UDHCPC_SLACK_FOR_BUGGY_SERVERS=80
+CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS="-R -n"
+# CONFIG_UDPSVD is not set
+CONFIG_VCONFIG=y
+CONFIG_WGET=y
+CONFIG_FEATURE_WGET_STATUSBAR=y
+CONFIG_FEATURE_WGET_AUTHENTICATION=y
+CONFIG_FEATURE_WGET_LONG_OPTIONS=y
+CONFIG_FEATURE_WGET_TIMEOUT=y
+# CONFIG_ZCIP is not set
+
+#
+# Print Utilities
+#
+# CONFIG_LPD is not set
+# CONFIG_LPR is not set
+# CONFIG_LPQ is not set
+
+#
+# Mail Utilities
+#
+# CONFIG_MAKEMIME is not set
+CONFIG_FEATURE_MIME_CHARSET=""
+# CONFIG_POPMAILDIR is not set
+# CONFIG_FEATURE_POPMAILDIR_DELIVERY is not set
+# CONFIG_REFORMIME is not set
+# CONFIG_FEATURE_REFORMIME_COMPAT is not set
+# CONFIG_SENDMAIL is not set
+
+#
+# Process Utilities
+#
+# CONFIG_IOSTAT is not set
+CONFIG_LSOF=y
+# CONFIG_MPSTAT is not set
+# CONFIG_NMETER is not set
+# CONFIG_PMAP is not set
+# CONFIG_POWERTOP is not set
+# CONFIG_PSTREE is not set
+# CONFIG_PWDX is not set
+# CONFIG_SMEMCAP is not set
+CONFIG_TOP=y
+CONFIG_FEATURE_TOP_CPU_USAGE_PERCENTAGE=y
+CONFIG_FEATURE_TOP_CPU_GLOBAL_PERCENTS=y
+# CONFIG_FEATURE_TOP_SMP_CPU is not set
+# CONFIG_FEATURE_TOP_DECIMALS is not set
+# CONFIG_FEATURE_TOP_SMP_PROCESS is not set
+# CONFIG_FEATURE_TOPMEM is not set
+CONFIG_UPTIME=y
+# CONFIG_FEATURE_UPTIME_UTMP_SUPPORT is not set
+CONFIG_FREE=y
+CONFIG_FUSER=y
+CONFIG_KILL=y
+CONFIG_KILLALL=y
+CONFIG_KILLALL5=y
+# CONFIG_PGREP is not set
+CONFIG_PIDOF=y
+CONFIG_FEATURE_PIDOF_SINGLE=y
+CONFIG_FEATURE_PIDOF_OMIT=y
+# CONFIG_PKILL is not set
+CONFIG_PS=y
+# CONFIG_FEATURE_PS_WIDE is not set
+# CONFIG_FEATURE_PS_LONG is not set
+# CONFIG_FEATURE_PS_TIME is not set
+# CONFIG_FEATURE_PS_ADDITIONAL_COLUMNS is not set
+# CONFIG_FEATURE_PS_UNUSUAL_SYSTEMS is not set
+CONFIG_RENICE=y
+CONFIG_BB_SYSCTL=y
+# CONFIG_FEATURE_SHOW_THREADS is not set
+CONFIG_WATCH=y
+
+#
+# Runit Utilities
+#
+# CONFIG_RUNSV is not set
+# CONFIG_RUNSVDIR is not set
+# CONFIG_FEATURE_RUNSVDIR_LOG is not set
+# CONFIG_SV is not set
+CONFIG_SV_DEFAULT_SERVICE_DIR=""
+# CONFIG_SVLOGD is not set
+# CONFIG_CHPST is not set
+# CONFIG_SETUIDGID is not set
+# CONFIG_ENVUIDGID is not set
+# CONFIG_ENVDIR is not set
+# CONFIG_SOFTLIMIT is not set
+
+#
+# SELinux Utilities
+#
+# CONFIG_CHCON is not set
+# CONFIG_FEATURE_CHCON_LONG_OPTIONS is not set
+# CONFIG_GETENFORCE is not set
+# CONFIG_GETSEBOOL is not set
+# CONFIG_LOAD_POLICY is not set
+# CONFIG_MATCHPATHCON is not set
+# CONFIG_RESTORECON is not set
+# CONFIG_RUNCON is not set
+# CONFIG_FEATURE_RUNCON_LONG_OPTIONS is not set
+# CONFIG_SELINUXENABLED is not set
+# CONFIG_SETENFORCE is not set
+# CONFIG_SETFILES is not set
+# CONFIG_FEATURE_SETFILES_CHECK_OPTION is not set
+# CONFIG_SETSEBOOL is not set
+# CONFIG_SESTATUS is not set
+
+#
+# Shells
+#
+CONFIG_ASH=y
+CONFIG_ASH_BASH_COMPAT=y
+CONFIG_ASH_IDLE_TIMEOUT=y
+CONFIG_ASH_JOB_CONTROL=y
+CONFIG_ASH_ALIAS=y
+CONFIG_ASH_GETOPTS=y
+CONFIG_ASH_BUILTIN_ECHO=y
+CONFIG_ASH_BUILTIN_PRINTF=y
+CONFIG_ASH_BUILTIN_TEST=y
+CONFIG_ASH_CMDCMD=y
+# CONFIG_ASH_MAIL is not set
+CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
+CONFIG_ASH_RANDOM_SUPPORT=y
+CONFIG_ASH_EXPAND_PRMT=y
+# CONFIG_CTTYHACK is not set
+# CONFIG_HUSH is not set
+# CONFIG_HUSH_BASH_COMPAT is not set
+# CONFIG_HUSH_BRACE_EXPANSION is not set
+# CONFIG_HUSH_HELP is not set
+# CONFIG_HUSH_INTERACTIVE is not set
+# CONFIG_HUSH_SAVEHISTORY is not set
+# CONFIG_HUSH_JOB is not set
+# CONFIG_HUSH_TICK is not set
+# CONFIG_HUSH_IF is not set
+# CONFIG_HUSH_LOOPS is not set
+# CONFIG_HUSH_CASE is not set
+# CONFIG_HUSH_FUNCTIONS is not set
+# CONFIG_HUSH_LOCAL is not set
+# CONFIG_HUSH_RANDOM_SUPPORT is not set
+# CONFIG_HUSH_EXPORT_N is not set
+# CONFIG_HUSH_MODE_X is not set
+# CONFIG_MSH is not set
+CONFIG_FEATURE_SH_IS_ASH=y
+# CONFIG_FEATURE_SH_IS_HUSH is not set
+# CONFIG_FEATURE_SH_IS_NONE is not set
+CONFIG_FEATURE_BASH_IS_ASH=y
+# CONFIG_FEATURE_BASH_IS_HUSH is not set
+# CONFIG_FEATURE_BASH_IS_NONE is not set
+CONFIG_SH_MATH_SUPPORT=y
+# CONFIG_SH_MATH_SUPPORT_64 is not set
+CONFIG_FEATURE_SH_EXTRA_QUIET=y
+# CONFIG_FEATURE_SH_STANDALONE is not set
+# CONFIG_FEATURE_SH_NOFORK is not set
+# CONFIG_FEATURE_SH_HISTFILESIZE is not set
+
+#
+# System Logging Utilities
+#
+# CONFIG_SYSLOGD is not set
+# CONFIG_FEATURE_ROTATE_LOGFILE is not set
+# CONFIG_FEATURE_REMOTE_LOG is not set
+# CONFIG_FEATURE_SYSLOGD_DUP is not set
+# CONFIG_FEATURE_SYSLOGD_CFG is not set
+CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=0
+# CONFIG_FEATURE_IPC_SYSLOG is not set
+CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=0
+# CONFIG_LOGREAD is not set
+# CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING is not set
+# CONFIG_FEATURE_KMSG_SYSLOG is not set
+# CONFIG_KLOGD is not set
+# CONFIG_FEATURE_KLOGD_KLOGCTL is not set
+CONFIG_LOGGER=y
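
Review bot: CONFIG_DEVMEM=y under "Miscellaneous Utilities" ships the devmem applet in an image whose purpose is to demonstrate mandatory access control; unless something in the series needs it, leave it unset. Separately, every entry under "SELinux Utilities" (CONFIG_GETENFORCE, CONFIG_RESTORECON, CONFIG_LOAD_POLICY, CONFIG_SETFILES and the rest) is "not set", so the image depends entirely on the standalone userspace packages for those tools. Please say so in the commit message so nobody re-enables the applets and ends up with two competing copies.
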
-- 
1.9.1


* [Buildroot] [PATCH 20/30] qemu_x86_selinux_defconfig: base SELinux QEMU image for x86
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (18 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 19/30] busybox: default selinux config which disables init and uses sysvinit Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 21/30] linux-pam: selinux support Matt Weber
                   ` (10 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

This will build a base SELinux system that boots with SELinux
in permissive mode.

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 board/qemu/x86/linux-3.12-selinux.config | 77 ++++++++++++++++++++++++++++++++
 configs/qemu_x86_selinux_defconfig       | 53 ++++++++++++++++++++++
 2 files changed, 130 insertions(+)
 create mode 100644 board/qemu/x86/linux-3.12-selinux.config
 create mode 100644 configs/qemu_x86_selinux_defconfig

diff --git a/board/qemu/x86/linux-3.12-selinux.config b/board/qemu/x86/linux-3.12-selinux.config
new file mode 100644
index 0000000..89ab0dc
--- /dev/null
+++ b/board/qemu/x86/linux-3.12-selinux.config
@@ -0,0 +1,77 @@
+# CONFIG_LOCALVERSION_AUTO is not set
+# CONFIG_SWAP is not set
+CONFIG_AUDIT=y
+# CONFIG_COMPAT_BRK is not set
+CONFIG_MODULES=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_IOSCHED_DEADLINE is not set
+# CONFIG_IOSCHED_CFQ is not set
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+# CONFIG_SCHED_OMIT_FRAME_POINTER is not set
+# CONFIG_MTRR_SANITIZER is not set
+# CONFIG_SECCOMP is not set
+# CONFIG_RELOCATABLE is not set
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_INET=y
+CONFIG_IP_PNP=y
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET_LRO is not set
+# CONFIG_INET_DIAG is not set
+# CONFIG_IPV6 is not set
+# CONFIG_WIRELESS is not set
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+# CONFIG_PREVENT_FIRMWARE_BUILD is not set
+# CONFIG_FIRMWARE_IN_KERNEL is not set
+# CONFIG_BLK_DEV is not set
+CONFIG_BLK_DEV_SD=y
+CONFIG_ATA=y
+CONFIG_ATA_PIIX=y
+CONFIG_NETDEVICES=y
+CONFIG_NE2K_PCI=y
+CONFIG_8139CP=y
+# CONFIG_WLAN is not set
+# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
+# CONFIG_INPUT_MOUSE is not set
+# CONFIG_SERIO_SERPORT is not set
+# CONFIG_LEGACY_PTYS is not set
+# CONFIG_DEVKMEM is not set
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_CONSOLE=y
+# CONFIG_HW_RANDOM is not set
+# CONFIG_HWMON is not set
+CONFIG_SOUND=y
+CONFIG_SND=y
+CONFIG_SND_HDA_INTEL=y
+# CONFIG_USB_SUPPORT is not set
+# CONFIG_X86_PLATFORM_DEVICES is not set
+# CONFIG_DMIID is not set
+CONFIG_EXT2_FS=y
+CONFIG_EXT2_FS_XATTR=y
+CONFIG_EXT2_FS_POSIX_ACL=y
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS=y
+CONFIG_EXT3_FS_POSIX_ACL=y
+CONFIG_EXT3_FS_SECURITY=y
+# CONFIG_DNOTIFY is not set
+# CONFIG_INOTIFY_USER is not set
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+# CONFIG_MISC_FILESYSTEMS is not set
+CONFIG_NFS_FS=y
+CONFIG_ROOT_NFS=y
+# CONFIG_ENABLE_WARN_DEPRECATED is not set
+# CONFIG_ENABLE_MUST_CHECK is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_FRAME_POINTER is not set
+# CONFIG_X86_VERBOSE_BOOTUP is not set
+CONFIG_SECURITY=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_CRYPTO_ANSI_CPRNG=y
+# CONFIG_VIRTUALIZATION is not set
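
Review bot: the commit message promises a system that boots permissive, but nothing in this fragment decides enforcing versus permissive. CONFIG_SECURITY_SELINUX_BOOTPARAM=y only provides the selinux= boot switch, and CONFIG_SECURITY_SELINUX_DEVELOP is not listed, so it is left to the kernel default. Please state where permissive mode is actually selected (policy config, kernel command line) and list the DEVELOP option explicitly if the image relies on it. Also, "# CONFIG_SECCOMP is not set" explicitly turns off seccomp in a security-focused config; if that is only inherited from the base qemu config, consider dropping the line.
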
diff --git a/configs/qemu_x86_selinux_defconfig b/configs/qemu_x86_selinux_defconfig
new file mode 100644
index 0000000..9d603cf
--- /dev/null
+++ b/configs/qemu_x86_selinux_defconfig
@@ -0,0 +1,53 @@
+# Architecture
+BR2_x86_pentiumpro=y
+
+# Default to the latest Code Sourcery
+BR2_TOOLCHAIN_EXTERNAL=y
+
+# Select SYSV init to provide selinux enabled init
+BR2_INIT_SYSV=y
+
+# Default password to allow PAM login
+BR2_TARGET_GENERIC_ROOT_PASSWD="root"
+
+# Lock to a kernel that's been tested against selinux libs
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="3.12.5"
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86/linux-3.12-selinux.config"
+
+# Customized busybox config providing a tailored
+# balance of applets vs full apps
+BR2_PACKAGE_BUSYBOX_CONFIG="board/qemu/x86/busybox-selinux.config"
+
+# Audit service and depends
+BR2_PACKAGE_PYTHON_PY_PYC=y
+BR2_PACKAGE_AUDIT=y
+
+# Enhanced authentication with selinux hooks
+BR2_PACKAGE_LINUX_PAM=y
+BR2_PACKAGE_SHADOW=y
+
+# Dependency of libselinux
+BR2_PACKAGE_PCRE_UCP=y
+
+# SSH daemon for secure login
+BR2_PACKAGE_OPENSSH=y
+
+# Provides tools for fs security context relabeling
+BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND=y
+
+# SELinux policy config/definition
+BR2_PACKAGE_REFPOLICY=y
+
+# log daemon
+BR2_PACKAGE_RSYSLOG=y
+
+#rootfs with spare space for fs relabel activity
+BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_EXT2_RESBLKS=5
+# BR2_TARGET_ROOTFS_TAR is not set
+
+# Offline tools for policy analysis/building
+BR2_PACKAGE_HOST_CHECKPOLICY=y
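
Review bot: BR2_TARGET_GENERIC_ROOT_PASSWD="root" together with BR2_PACKAGE_OPENSSH=y produces an image with a known root password and a network login service enabled. That is acceptable for a QEMU demo only if it is said loudly: extend the "Default password to allow PAM login" comment to state that it is for testing and must be changed. Also, BR2_PACKAGE_BUSYBOX_CONFIG points at board/qemu/x86/busybox-selinux.config, which this patch does not create (the diffstat lists two files), so the commit message should name the patch it depends on. The "Default to the latest Code Sourcery" comment sits above a line that only sets BR2_TOOLCHAIN_EXTERNAL=y; reword the comment or select the toolchain explicitly.
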
-- 
1.9.1


* [Buildroot] [PATCH 21/30] linux-pam: selinux support
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (19 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 20/30] qemu_x86_selinux_defconfig: base SELinux QEMU image for x86 Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 22/30] sysvinit: added libselinux dependency Matt Weber
                   ` (9 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 .../linux-pam-08-audit-log-acct_message_ret.patch  | 16 ++++++
 package/linux-pam/linux-pam.mk                     | 58 +++++++++++++++++++++-
 package/linux-pam/system-auth.pamd                 | 15 ++++++
 3 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 package/linux-pam/linux-pam-08-audit-log-acct_message_ret.patch
 create mode 100644 package/linux-pam/system-auth.pamd

diff --git a/package/linux-pam/linux-pam-08-audit-log-acct_message_ret.patch b/package/linux-pam/linux-pam-08-audit-log-acct_message_ret.patch
new file mode 100644
index 0000000..d819f08
--- /dev/null
+++ b/package/linux-pam/linux-pam-08-audit-log-acct_message_ret.patch
@@ -0,0 +1,16 @@
+--- a/libpam/pam_audit.c	2011-06-21 04:04:56.000000000 -0500
++++ b/libpam/pam_audit.c	2012-09-12 08:55:26.000000000 -0500
+@@ -41,11 +41,11 @@
+      an official errno number, but must not. It can also be a audit
+      internal error code. Which makes errno useless :-((. Try the
+      best to fix it. */
+-  errno = -rc;
++  errno = rc;
+ 
+   pamh->audit_state |= PAMAUDIT_LOGGED;
+ 
+-  if (rc < 0) {
++  if (rc <= 0) {
+       if (rc == -EPERM && getuid() != 0)
+           return 0;
+       if (errno != old_errno) {
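
Review bot: with "errno = rc", errno receives a negative value whenever rc carries an error, because the test two lines further down compares rc against -EPERM; the original "errno = -rc" produced the positive code. Changing "rc < 0" to "rc <= 0" also sends rc == 0 down the error path. If both changes are intended, the embedded patch needs a header that explains which audit return convention it is adapting to. As submitted, the patch file has no description, no Signed-off-by and no upstream status.
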
diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 3dce25c..db6161d 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -8,6 +8,9 @@ LINUX_PAM_VERSION = 1.1.8
 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2
 LINUX_PAM_SITE = http://linux-pam.org/library
 LINUX_PAM_INSTALL_STAGING = YES
+
+# lckpwdf is included with shadow
+# cracklib and libdb are not currently present in buildroot
 LINUX_PAM_CONF_OPTS = \
 	--disable-prelude \
 	--disable-isadir \
@@ -15,8 +18,10 @@ LINUX_PAM_CONF_OPTS = \
 	--disable-db \
 	--disable-regenerate-docu \
 	--enable-securedir=/lib/security \
+	--disable-cracklib \
 	--libdir=/lib
-LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf
+
+LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf host-linux-pam
 LINUX_PAM_AUTORECONF = YES
 LINUX_PAM_LICENSE = BSD-3c
 LINUX_PAM_LICENSE_FILES = Copyright
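
Review bot: adding host-linux-pam to LINUX_PAM_DEPENDENCIES makes every target build of linux-pam configure and build a second, host copy of the whole package, and the rest of this file uses it only for pam_conv1. Please justify that in the commit message, or generate the pam.d files some other way. The new "--disable-cracklib" is explained by the comment added in the previous hunk, but the "lckpwdf is included with shadow" comment has no matching option in the target LINUX_PAM_CONF_OPTS lines shown here; either add the option or move the comment next to the host options where --disable-lckpwdf is set.
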
@@ -26,12 +31,63 @@ ifeq ($(BR2_NEEDS_GETTEXT_IF_LOCALE),y)
 	LINUX_PAM_MAKE_OPTS += LIBS=-lintl
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+	LINUX_PAM_CONF_OPTS += --enable-selinux
+	LINUX_PAM_DEPENDENCIES += libselinux
+else
+	LINUX_PAM_CONF_OPTS += --disable-selinux
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+	LINUX_PAM_CONF_OPTS += --enable-audit
+	LINUX_PAM_DEPENDENCIES += audit
+else
+	LINUX_PAM_CONF_OPTS += --disable-audit
+endif
+
 # Install default pam config (deny everything)
 define LINUX_PAM_INSTALL_CONFIG
 	$(INSTALL) -m 0644 -D package/linux-pam/other.pam \
 		$(TARGET_DIR)/etc/pam.d/other
 endef
 
+# Use the host-pam pam_conv1 app to create the pam.d files
+define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL
+	( \
+		if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \
+			mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \
+		fi; \
+		cd $(TARGET_DIR)/etc/ && \
+		cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \
+		if [ -d pam.d.orig ]; then \
+			cp -a pam.d/* pam.d.orig/; \
+			rm -rf pam.d/; \
+			mv pam.d.orig/ pam.d/; \
+		fi; \
+	)
+	$(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth
+endef
+
+LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFIG_FILE_TARGET_INSTALL
 LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG
 
+HOST_LINUX_PAM_DEPENDENCIES = host-autoconf host-flex
+
+HOST_LINUX_PAM_CONF_OPTS = --disable-rpath \
+               --enable-read-both-confs \
+               --disable-regenerate-docu \
+               --disable-isadir \
+               --disable-nis \
+               --enable-securedir=/lib/security \
+               --disable-prelude \
+               --disable-cracklib \
+               --disable-lckpwdf \
+               --enable-db=no \
+               --disable-selinux \
+               --disable-audit \
+
+define HOST_LINUX_PAM_INSTALL_CMDS
+	$(INSTALL) -m 755 $(@D)/conf/pam_conv1/pam_conv1 $(HOST_DIR)/usr/bin/
+endef
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
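
Review bot: in LINUX_PAM_CONFIG_FILE_TARGET_INSTALL the commands are joined with ";" rather than "&&", so a failed mv or a failed pam_conv1 run does not stop the hook before "rm -rf pam.d/" and the final mv execute. Chain the steps with "&&" or use "set -e" in the subshell. "cp -a pam.d/* pam.d.orig/" also lets the generated files overwrite any pam.d files that other packages already installed with the same name, which is the opposite of what preserving pam.d.orig suggests; copy without clobbering, or explain why the generated version should win. Smaller points: HOST_LINUX_PAM_CONF_OPTS ends with a trailing backslash on "--disable-audit \" followed by an empty line, its continuation lines are indented with spaces while the rest of the file uses tabs, and a blank line is missing between the last endef and the eval lines.
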
diff --git a/package/linux-pam/system-auth.pamd b/package/linux-pam/system-auth.pamd
new file mode 100644
index 0000000..2fa116a
--- /dev/null
+++ b/package/linux-pam/system-auth.pamd
@@ -0,0 +1,15 @@
+#%PAM-1.0
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+#password    required      pam_cracklib.so try_first_pass retry=3
+password    sufficient    pam_unix.so md5 shadow try_first_pass
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
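
Review bot: the "password sufficient pam_unix.so md5 shadow try_first_pass" line makes pam_unix hash new passwords with MD5; use sha512 instead, which pam_unix supports as an option. The commit subject says "selinux support", yet the session stack here has no pam_selinux.so entry, so logins through this file will not get an SELinux context set by PAM; add it or state in the commit message which service files are expected to do so. The commented-out pam_cracklib line could simply be dropped, since cracklib is disabled at configure time.
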
-- 
1.9.1


* [Buildroot] [PATCH 22/30] sysvinit: added libselinux dependency
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (20 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 21/30] linux-pam: selinux support Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 23/30] dbus: selinux file context support Matt Weber
                   ` (8 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 .../sysvinit-0010-fix-WITH-SELINUX-define.patch    | 24 ++++++++++++++++++++++
 package/sysvinit/sysvinit.mk                       | 11 +++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 package/sysvinit/sysvinit-0010-fix-WITH-SELINUX-define.patch

diff --git a/package/sysvinit/sysvinit-0010-fix-WITH-SELINUX-define.patch b/package/sysvinit/sysvinit-0010-fix-WITH-SELINUX-define.patch
new file mode 100644
index 0000000..4d9c10a
--- /dev/null
+++ b/package/sysvinit/sysvinit-0010-fix-WITH-SELINUX-define.patch
@@ -0,0 +1,24 @@
+--- a/src/Makefile	2010-04-11 04:30:27.000000000 -0500
++++ b/src/Makefile	2014-09-16 14:07:31.404952266 -0500
+@@ -104,7 +104,7 @@
+ 
+ runlevel:	runlevel.o
+ 
+-sulogin:	LDLIBS += $(SULOGINLIBS) $(STATIC)
++sulogin:	LDLIBS += $(SULOGINLIBS) $(INITLIBS) $(STATIC)
+ sulogin:	sulogin.o
+ 
+ wall:		dowall.o wall.o
+@@ -114,10 +115,10 @@
+ bootlogd:	LDLIBS += -lutil
+ bootlogd:	bootlogd.o
+ 
+-sulogin.o:	CPPFLAGS += $(SELINUX_DEF)
++sulogin.o:	CFLAGS += $(SELINUX_DEF)
+ sulogin.o:	sulogin.c 
+ 
+-init.o:		CPPFLAGS += $(SELINUX_DEF)
++init.o:		CFLAGS += $(SELINUX_DEF)
+ init.o:		init.c init.h set.h reboot.h initreq.h
+ 
+ utmp.o:		utmp.c init.h
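
Review bot: the second embedded hunk header reads "@@ -114,10 +115,10 @@", but the first hunk replaces one line with one line, so the new-file offset should still be 114; the patch looks hand-edited and will only apply with fuzz. Please regenerate it. The file also lacks a description and Signed-off-by, and it should explain why SELINUX_DEF moves from CPPFLAGS to CFLAGS for sulogin.o and init.o, since a preprocessor define normally belongs in CPPFLAGS, and why sulogin now links against $(INITLIBS).
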
diff --git a/package/sysvinit/sysvinit.mk b/package/sysvinit/sysvinit.mk
index 53640a4..253ea9b 100644
--- a/package/sysvinit/sysvinit.mk
+++ b/package/sysvinit/sysvinit.mk
@@ -13,7 +13,16 @@ SYSVINIT_LICENSE_FILES = COPYING
 
 # Override BusyBox implementations if BusyBox is enabled.
 ifeq ($(BR2_PACKAGE_BUSYBOX),y)
-SYSVINIT_DEPENDENCIES = busybox
+SYSVINIT_DEPENDENCIES += busybox
+endif
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+SYSVINIT_DEPENDENCIES += libselinux
+TARGET_CONFIGURE_OPTS += WITH_SELINUX="yes" ROOT="$(TARGET_DIR)"
+endif
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+TARGET_CONFIGURE_OPTS += WITH_SELINUX="yes" ROOT="$(TARGET_DIR)"
 endif
 
 define SYSVINIT_DEBIAN_PATCHES
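
Review bot: the "ifeq ($(BR2_PACKAGE_LIBSELINUX),y)" block appears twice in a row, so WITH_SELINUX="yes" ROOT="$(TARGET_DIR)" is appended twice; drop the second block. More importantly, both blocks append to TARGET_CONFIGURE_OPTS, a global variable shared by every package, so WITH_SELINUX and ROOT leak into all other builds evaluated after this file. Use a package-local variable (for example a SYSVINIT_MAKE_OPTS passed on the sysvinit make command line) instead. The change from "SYSVINIT_DEPENDENCIES = busybox" to "+=" is fine, but it belongs in the commit message.
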
-- 
1.9.1


* [Buildroot] [PATCH 23/30] dbus: selinux file context support
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (21 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 22/30] sysvinit: added libselinux dependency Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 24/30] logrotate: selinux support Matt Weber
                   ` (7 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/dbus/S30dbus |  4 ++++
 package/dbus/dbus.mk | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
 mode change 100755 => 100644 package/dbus/S30dbus

diff --git a/package/dbus/S30dbus b/package/dbus/S30dbus
old mode 100755
new mode 100644
index 0d15c73..be51807
--- a/package/dbus/S30dbus
+++ b/package/dbus/S30dbus
@@ -17,6 +17,10 @@
 [ -d /var/run/dbus ] || mkdir -p /var/run/dbus
 [ -d /var/lock/subsys ] || mkdir -p /var/lock/subsys
 [ -d /tmp/dbus ] || mkdir -p /tmp/dbus
+[ -d /var/lib/dbus ] || mkdir -p /var/lib/dbus
+if [ -e /sbin/restorecon ]; then
+   restorecon -R /var/run/dbus /var/lock/subsys /tmp/dbus /var/lib/dbus
+fi
 
 RETVAL=0
 
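
Review bot: the file header above this hunk changes S30dbus from mode 100755 to 100644, which removes the execute bit from an init script; unless the install step sets the mode explicitly, the script will not run at boot. Please revert the mode change. In the added lines, the test checks "/sbin/restorecon" with -e but then calls "restorecon" through PATH; test with -x and call the same absolute path that was tested.
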
diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index 2d5d2c8..5fb2c3e 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -43,6 +43,20 @@ ifeq ($(BR2_microblaze),y)
 DBUS_CONF_OPTS += --disable-inotify
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+DBUS_CONF_OPTS += --enable-selinux
+DBUS_DEPENDENCIES += libselinux
+else
+DBUS_CONF_OPTS += --disable-selinux
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+DBUS_CONF_OPTS += --enable-libaudit
+DBUS_DEPENDENCIES += audit libcap-ng
+else
+DBUS_CONF_OPTS += --disable-libaudit
+endif
+
 ifeq ($(BR2_PACKAGE_XLIB_LIBX11),y)
 DBUS_CONF_OPTS += --with-x
 DBUS_DEPENDENCIES += xlib_libX11
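
Review bot: in the BR2_PACKAGE_AUDIT block, "DBUS_DEPENDENCIES += audit libcap-ng" adds libcap-ng as a build dependency although the condition only checks BR2_PACKAGE_AUDIT. Unless the audit package selects libcap-ng in its Config.in, this names a package that may not be enabled. Either confirm that in the commit message or make the condition check both symbols.
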
-- 
1.9.1


* [Buildroot] [PATCH 24/30] logrotate: selinux support
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (22 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 23/30] dbus: selinux file context support Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 25/30] openssh: selinux and pam support Matt Weber
                   ` (6 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/logrotate/logrotate.mk | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/package/logrotate/logrotate.mk b/package/logrotate/logrotate.mk
index dc26d85..a7f8290 100644
--- a/package/logrotate/logrotate.mk
+++ b/package/logrotate/logrotate.mk
@@ -11,8 +11,17 @@ LOGROTATE_LICENSE_FILES = COPYING
 
 LOGROTATE_DEPENDENCIES = popt
 
+LOGROTATE_CFLAGS = $(TARGET_CFLAGS)
+LOGROTATE_LDFLAGS = $(TARGET_LDFLAGS)
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+LOGROTATE_DEPENDENCIES += libselinux
+LOGROTATE_CFLAGS += -DWITH_SELINUX=yes
+LOGROTATE_LDFLAGS += -lselinux
+endif
+
 define LOGROTATE_BUILD_CMDS
-	$(MAKE) CC="$(TARGET_CC) $(TARGET_CFLAGS)" LDFLAGS="$(LDFLAGS)" -C $(@D)
+	$(MAKE) CC="$(TARGET_CC) $(LOGROTATE_CFLAGS)" LDFLAGS="$(LOGROTATE_LDFLAGS)" -C $(@D)
 endef
 
 define LOGROTATE_INSTALL_TARGET_CMDS
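
Review bot: "-lselinux" is added to LOGROTATE_LDFLAGS, which places the library before the object files on the link line; with static linking or --as-needed the symbols will not resolve. Pass it through the variable the logrotate Makefile uses for libraries instead. The build command also switches from LDFLAGS="$(LDFLAGS)" to a value based on $(TARGET_LDFLAGS), which changes behaviour even when libselinux is disabled; that deserves a sentence in the commit message, which is currently empty apart from the sign-off.
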
-- 
1.9.1


* [Buildroot] [PATCH 25/30] openssh: selinux and pam support
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (23 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 24/30] logrotate: selinux support Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 26/30] util-linux: selinux, audit, " Matt Weber
                   ` (5 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/openssh/openssh.mk | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index d08b468..2488e59 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -23,9 +23,21 @@ endif
 
 OPENSSH_DEPENDENCIES = zlib openssl
 
+define OPENSSH_INSTALL_PAM_CONF
+	$(INSTALL) -D -m 644 $(@D)/contrib/sshd.pam.generic $(TARGET_DIR)/etc/pam.d/sshd
+	sed -i '/password   required     \/lib\/security\/pam_cracklib.so/d' $(TARGET_DIR)/etc/pam.d/sshd
+	sed -i -e 's/\#UsePAM no/UsePAM yes/' $(TARGET_DIR)/etc/ssh/sshd_config
+endef
+
 ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
 OPENSSH_DEPENDENCIES += linux-pam
 OPENSSH_CONF_OPTS += --with-pam
+OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_PAM_CONF
+endif
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+OPENSSH_DEPENDENCIES += libselinux
+OPENSSH_CONF_OPTS += --with-selinux
 endif
 
 define OPENSSH_INSTALL_INIT_SYSTEMD
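Review bot: both `sed` calls in `OPENSSH_INSTALL_PAM_CONF` match exact upstream text (the spacing of the `pam_cracklib.so` line, the commented `#UsePAM no`) and succeed silently when nothing matches, so a change in `contrib/sshd.pam.generic` or `sshd_config` would leave the image with a PAM stack that still references pam_cracklib, or with `UsePAM` still off, and no build error. Consider installing a Buildroot-owned PAM file for sshd, or checking the result with `grep` after each edit so the build fails loudly. Dropping the password-quality module is a security-relevant choice and the commit message should say so. The `BR2_PACKAGE_LIBSELINUX` block also has no `else` branch with `--without-selinux`, unlike the util-linux and vim patches in this series, which leaves the disabled case to configure's default.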
-- 
1.9.1


* [Buildroot] [PATCH 26/30] util-linux: selinux, audit, and pam support
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (24 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 25/30] openssh: selinux and pam support Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 27/30] vim: selinux support Matt Weber
                   ` (4 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/util-linux/util-linux.mk | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index e06fa9a..b31afdc 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -51,6 +51,27 @@ ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
 UTIL_LINUX_DEPENDENCIES += libcap-ng
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+UTIL_LINUX_DEPENDENCIES += libselinux
+UTIL_LINUX_CONF_OPTS += --with-selinux
+else
+UTIL_LINUX_CONF_OPTS += --without-selinux
+endif
+
+ifeq ($(BR2_PACKAGE_PAM),y)
+UTIL_LINUX_DEPENDENCIES += pam
+UTIL_LINUX_CONF_OPTS += --with-pam
+else
+UTIL_LINUX_CONF_OPTS += --without-pam
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+UTIL_LINUX_DEPENDENCIES += audit
+UTIL_LINUX_CONF_OPTS += --with-audit
+else
+UTIL_LINUX_CONF_OPTS += --without-audit
+endif
+
 # Used by cramfs utils
 UTIL_LINUX_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
 
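Review bot: the PAM block tests `BR2_PACKAGE_PAM` and depends on `pam`, while the openssh patch in this same series uses `BR2_PACKAGE_LINUX_PAM` and `linux-pam`. If `linux-pam` is the package name, this condition is never true and util-linux is always configured with `--without-pam`, even when linux-pam is selected for the rest of the image. Suggest `ifeq ($(BR2_PACKAGE_LINUX_PAM),y)` with `UTIL_LINUX_DEPENDENCIES += linux-pam`.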
-- 
1.9.1


* [Buildroot] [PATCH 27/30] vim: selinux support
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (25 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 26/30] util-linux: selinux, audit, " Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 28/30] rsyslog: fix config file comment style Matt Weber
                   ` (3 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/vim/vim.mk | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/package/vim/vim.mk b/package/vim/vim.mk
index 7a07ef8..a8ab755 100644
--- a/package/vim/vim.mk
+++ b/package/vim/vim.mk
@@ -26,6 +26,13 @@ VIM_CONF_OPTS = --with-tlib=ncurses --enable-gui=no --without-x
 VIM_LICENSE = Charityware
 VIM_LICENSE_FILES = README.txt
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+VIM_CONF_OPTS += --enable-selinux
+VIM_DEPENDENCIES += libselinux
+else
+VIM_CONF_OPTS += --disable-selinux
+endif
+
 define VIM_INSTALL_TARGET_CMDS
 	cd $(@D)/src; \
 		$(MAKE) DESTDIR=$(TARGET_DIR) installvimbin; \
-- 
1.9.1


* [Buildroot] [PATCH 28/30] rsyslog: fix config file comment style
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (26 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 27/30] vim: selinux support Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 29/30] qemu x86 readme: documented selinux target Matt Weber
                   ` (2 subsequent siblings)
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/rsyslog/rsyslog.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index 6b72bb5..88e777c 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -46,6 +46,10 @@ endef
 define RSYSLOG_INSTALL_CONF
 	$(INSTALL) -m 0644 -D $(@D)/platform/redhat/rsyslog.conf \
 		$(TARGET_DIR)/etc/rsyslog.conf
+	# Fix invalid config file comment style
+	$(SED) 's~\/\* ~#  ~g' $(TARGET_DIR)/etc/rsyslog.conf
+	$(SED) 's~ \*\/~# ~g' $(TARGET_DIR)/etc/rsyslog.conf
+	$(SED) 's~ \*~# ~g' $(TARGET_DIR)/etc/rsyslog.conf
 	mkdir -p $(TARGET_DIR)/etc/rsyslog.d
 endef
 
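Review bot: the third expression, `s~ \*~# ~g`, is not anchored, so it rewrites every space followed by `*` in `rsyslog.conf`, including any selector or action field that uses `*`, not only the continuation lines of a block comment. Anchor it to the start of the line (for example `s~^ \*~# ~`) and limit the other two to the comment delimiters in the same way, or fix the comment style upstream and drop the post-processing. The commit message should also state what rejects the `/* */` comments, since the config file comes from the rsyslog source tree itself.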
-- 
1.9.1


* [Buildroot] [PATCH 29/30] qemu x86 readme: documented selinux target
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (27 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 28/30] rsyslog: fix config file comment style Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2014-12-16  3:54 ` [Buildroot] [PATCH 30/30] readline: host support for host-sqlite Matt Weber
  2015-01-01 21:47 ` [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Thomas Petazzoni
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 board/qemu/x86/readme.txt | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/board/qemu/x86/readme.txt b/board/qemu/x86/readme.txt
index c702557..faa4804 100644
--- a/board/qemu/x86/readme.txt
+++ b/board/qemu/x86/readme.txt
@@ -5,3 +5,21 @@ Run the emulation with:
 The login prompt will appear in the graphical window.
 
 Tested with QEMU 2.1.2
+
+-------------------------------------------------------------------
+
+Run the SElinux target emulation with:
+
+  qemu-system-i386 -M pc -kernel output/images/bzImage -drive file=output/images/rootfs.ext2,if=ide -append "root=/dev/sda rw console=ttyS0 selinux=1" -net nic,model=rtl8139 -net user -display vnc=localhost:1 -serial stdio
+
+The emulation should reboot once the first time for relabeling and then
+provide a login prompt.  The login is username root and password root
+because PAM requires a password in this secure configuration.
+To enable SELinux enforcing at boot, login and edit the /etc/selinux/config
+and set SELINUX to enforcing.  Save and make sure to "sync" before restarting
+the emulation as the ext2 fs would otherwise corrupt when the emulation
+exits.  After enforcing is default, the selinux= provided as part of the
+qemu "append" above can be used to turn enforcing on/off.  Currently
+the enforcing policy configuration doesn't allow getty login, only ssh login.
+This configuration would be tailored as part of a targets refpolicy
+customization.
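Review bot: the sentence saying the `selinux=` value in the QEMU "append" line "can be used to turn enforcing on/off" mixes up two kernel parameters: `selinux=0` disables SELinux entirely at boot, while `enforcing=0` and `enforcing=1` select permissive and enforcing mode. Please document `enforcing=` for that purpose. The text also gives `root` as the root password; say explicitly that this credential is for the QEMU demo image only. Spelling: `SElinux` should be `SELinux`, and "a targets refpolicy" should be "a target's refpolicy".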
-- 
1.9.1


* [Buildroot] [PATCH 30/30] readline: host support for host-sqlite
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (28 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 29/30] qemu x86 readme: documented selinux target Matt Weber
@ 2014-12-16  3:54 ` Matt Weber
  2015-01-01 21:47 ` [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Thomas Petazzoni
  30 siblings, 0 replies; 40+ messages in thread
From: Matt Weber @ 2014-12-16  3:54 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
 package/readline/readline.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/readline/readline.mk b/package/readline/readline.mk
index d670a71..2dc04a1 100644
--- a/package/readline/readline.mk
+++ b/package/readline/readline.mk
@@ -19,4 +19,5 @@ endef
 
 READLINE_POST_INSTALL_TARGET_HOOKS += READLINE_PURGE_EXAMPLES
 
+$(eval $(host-autotools-package))
 $(eval $(autotools-package))
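Review bot: `$(eval $(host-autotools-package))` is added before `$(eval $(autotools-package))`; Buildroot package files conventionally list the target macro first and the host macro after it, so swap the two lines. The commit message is empty: it should say why host-sqlite needs host-readline, and the sqlite host-build patch in this series should carry the matching dependency.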
-- 
1.9.1


* [Buildroot] [PATCH 01/30] libselinux: new package
  2014-12-16  3:53 ` [Buildroot] [PATCH 01/30] libselinux: new package Matt Weber
@ 2015-01-01 19:45   ` Thomas Petazzoni
  0 siblings, 0 replies; 40+ messages in thread
From: Thomas Petazzoni @ 2015-01-01 19:45 UTC (permalink / raw)
  To: buildroot

Dear Matt Weber,

On Mon, 15 Dec 2014 21:53:53 -0600, Matt Weber wrote:
> From: Clayton Shotwell <clshotwe@rockwellcollins.com>
> 
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> ---
>  package/Config.in                |  1 +
>  package/libselinux/Config.in     | 25 ++++++++++++++
>  package/libselinux/libselinux.mk | 70 ++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 96 insertions(+)
>  create mode 100644 package/libselinux/Config.in
>  create mode 100644 package/libselinux/libselinux.mk

Thanks, applied after doing a number of changes:

[Thomas:
  - Add hash file.
  - Enable on all architectures, and enable on uClibc. The
    autobuilders will let us know if there are any problems.
  - Use "Public Domain" as the license instead of "PublicDomain"
  - Handle Python 2 vs. Python 3 for the host package. Either can be
    used by libselinux.
  - Change the trick used to get the library and programs installed in
    usr/lib/ and usr/sbin/ instead of lib/ and sbin/.]

See the final commit at
http://git.buildroot.net/buildroot/commit/?id=9d9f54ac654b15bcffd2a20fe57ad01a494cc4c7.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH 02/30] ustr: new package
  2014-12-16  3:53 ` [Buildroot] [PATCH 02/30] ustr: " Matt Weber
@ 2015-01-01 20:10   ` Thomas Petazzoni
  0 siblings, 0 replies; 40+ messages in thread
From: Thomas Petazzoni @ 2015-01-01 20:10 UTC (permalink / raw)
  To: buildroot

Dear Matt Weber,

On Mon, 15 Dec 2014 21:53:54 -0600, Matt Weber wrote:
> From: Clayton Shotwell <clshotwe@rockwellcollins.com>
> 
> Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> ---
>  package/Config.in                                  |   1 +
>  .../ustr/0001-cross-compile-modifications.patch    | 144 +++++++++++++++++++++
>  package/ustr/Config.in                             |  11 ++
>  package/ustr/ustr.mk                               |  48 +++++++
>  4 files changed, 204 insertions(+)
>  create mode 100644 package/ustr/0001-cross-compile-modifications.patch
>  create mode 100644 package/ustr/Config.in
>  create mode 100644 package/ustr/ustr.mk

Thanks, applied after doing a bunch of changes:

[Thomas:
 - Fix typo in patch description.
 - Remove trailing whitespace in Config.in.
 - Fix Config.in comment to match what's specified in the Buildroot
   manual.
 - Adjust .mk logic to use BR2_STATIC_LIBS vs. BR2_SHARED_LIBS instead
   of BR2_PREFER_STATIC_LIB, and therefore support the installation of
   only the shared library.
 - Remove the libustr-debug library from the target and staging
   directories, it's the same as libustr, except that it's compiled
   with debugging symbols.
 - Always install only the shared variant of the library for
   host-ustr.]

Could you work with upstream to submit the
0001-cross-compile-modifications.patch stuff? Their build system is
really completely brain-damaged. Making them use autoconf/automake
would be a vast improvement over the crappy manual Makefile they are
using today.

See
http://git.buildroot.net/buildroot/commit/?id=5cefca4cc3da4fc5e6649aa3ae3a828df3d09a44
for the final commit.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH 03/30] libsemanage: new package
  2014-12-16  3:53 ` [Buildroot] [PATCH 03/30] libsemanage: " Matt Weber
@ 2015-01-01 21:43   ` Thomas Petazzoni
  0 siblings, 0 replies; 40+ messages in thread
From: Thomas Petazzoni @ 2015-01-01 21:43 UTC (permalink / raw)
  To: buildroot

Dear Matt Weber,

On Mon, 15 Dec 2014 21:53:55 -0600, Matt Weber wrote:
> From: Clayton Shotwell <clshotwe@rockwellcollins.com>
> 
> Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> ---
>  package/Config.in                                  |  1 +
>  .../libsemanage/0001-execption-lib-path-fix.patch  | 14 +++++
>  package/libsemanage/Config.in                      | 30 +++++++++
>  package/libsemanage/libsemanage.mk                 | 72 ++++++++++++++++++++++
>  4 files changed, 117 insertions(+)
>  create mode 100644 package/libsemanage/0001-execption-lib-path-fix.patch
>  create mode 100644 package/libsemanage/Config.in
>  create mode 100644 package/libsemanage/libsemanage.mk

Patch applied. On this one, I made a mistake, and forgot to squash my
changes into your original commit, so you have three separate commits:

  http://git.buildroot.net/buildroot/commit/?id=77872678accd4d98cd3aa3d95a34738861844e31
  http://git.buildroot.net/buildroot/commit/?id=a963685245d4ad25b40520b251024720c3b18e11
  http://git.buildroot.net/buildroot/commit/?id=27d6b6ad5fd028bb650ad10ea163f8adcbf1383e

One thing to add would be Python 3 support, but I'll reply to your
cover letter with a more generic question about those packages.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH 00/29] SELinux Buildroot Additions
  2014-12-16  3:53 [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Matt Weber
                   ` (29 preceding siblings ...)
  2014-12-16  3:54 ` [Buildroot] [PATCH 30/30] readline: host support for host-sqlite Matt Weber
@ 2015-01-01 21:47 ` Thomas Petazzoni
  2015-01-02 20:59   ` Matthew Weber
  30 siblings, 1 reply; 40+ messages in thread
From: Thomas Petazzoni @ 2015-01-01 21:47 UTC (permalink / raw)
  To: buildroot

Dear Matt Weber,

On Mon, 15 Dec 2014 21:53:52 -0600, Matt Weber wrote:

> ### What's in this patchset?
> 
> This patchset adds the required userspace tools, libraries, example
> QEMU target, existing package modifications, and initial policy
> to Buildroot.

Thanks for this patch series. As you've seen, I've started integrating
the first patches. However, the tarballs are not located where
specified by your .mk file (the build worked in my
case because I had the tarballs locally). And the selinuxproject.org
site is down currently, so I can't fix anything. This is causing some
build failures such as:

  http://autobuild.buildroot.org/results/a95/a95412f8e78a64bbbf5a7981db35cdea0108e8b4/build-end.log

If we can't find an upstream location with those tarballs quickly, then
I'll disable those packages for now.

Also, it seems that Debian has libselinux 2.3, while your package is
still using 2.1. Would it be possible to bump to 2.3 at some point?

Finally, I have found what appears to be the new Git repository for the
SELinux development at https://github.com/SELinuxProject/selinux. And
it seems that now all components are in a single Git repository. Are
they still doing separate tarballs for each component? I have the
feeling that packaging separately checkpolicy, libselinux, libsemanage,
libsepol, policycoreutils and sepolgen is maybe not the way to go.

Can you clarify this before I spend more time merging more of your
patches?

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH 00/29] SELinux Buildroot Additions
  2015-01-01 21:47 ` [Buildroot] [PATCH 00/29] SELinux Buildroot Additions Thomas Petazzoni
@ 2015-01-02 20:59   ` Matthew Weber
  2015-01-06  3:15     ` Matthew Weber
  0 siblings, 1 reply; 40+ messages in thread
From: Matthew Weber @ 2015-01-02 20:59 UTC (permalink / raw)
  To: buildroot

Thomas,

On Jan 1, 2015 3:47 PM, "Thomas Petazzoni" <thomas.petazzoni@free-electrons.com> wrote:
>
> Dear Matt Weber,
>
> On Mon, 15 Dec 2014 21:53:52 -0600, Matt Weber wrote:
>
> > ### What's in this patchset?
> >
> > This patchset adds the required userspace tools, libraries, example
> > QEMU target, existing package modifications, and initial policy
> > to Buildroot.
>
> Thanks for this patch series. As you've seen, I've started integrating
> the first patches. However, the tarballs are not located where
> specified by your .mk file (the build worked in my
> case because I had the tarballs locally). And the selinuxproject.org
> site is down currently, so I can't fix anything. This is causing some
> build failures such as:
>
>   http://autobuild.buildroot.org/results/a95/a95412f8e78a64bbbf5a7981db35cdea0108e8b4/build-end.log
>
> If we can't find an upstream location with those tarballs quickly, then
> I'll disable those packages for now.
>

Oops, yeah, I was working off a mirror.

Looks like a patch moving to the new repo was submitted earlier today.
I'll go through and retest with those locations. Plus see if any of the
other patches have the same issue.

> Also, it seems that Debian has libselinux 2.3, while your package is
> still using 2.1. Would it be possible to bump to 2.3 at some point?

Comment below.

>
> Finally, I have found what appears to be the new Git repository for the
> SELinux development at https://github.com/SELinuxProject/selinux. And
> it seems that now all components are in a single Git repository. Are
> they still doing separate tarballs for each component? I have the
> feeling that packaging separately checkpolicy, libselinux, libsemanage,
> libsepol, policycoreutils and sepolgen is maybe not the way to go.
>
> Can you clarify this before I spend more time merging more of your
> patches?

Definitely.  In general we erred on the side of using older stable libs
when we pulled our selinux config together.  (Didn't realize the possible
change in how the libs/tools were organized) I'll take a look at pulling
things to the latest and see how that impacts how those packages are
built.  I know that there were cross compile issues with a couple of the
packages that we worked around so I'll see how things look porting wise.

Thank you for the review and pulling this in.  I'll spend some time Monday
figuring out if we should merge these patches or update to match the new
repo layout.

Matt
>
> Thanks,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Free Electrons
> Embedded Linux, Kernel and Android engineering
> http://free-electrons.com

* [Buildroot] [PATCH 00/29] SELinux Buildroot Additions
  2015-01-02 20:59   ` Matthew Weber
@ 2015-01-06  3:15     ` Matthew Weber
  2015-01-06  3:37       ` Matthew Weber
  0 siblings, 1 reply; 40+ messages in thread
From: Matthew Weber @ 2015-01-06  3:15 UTC (permalink / raw)
  To: buildroot

Dear Thomas,

On Fri, Jan 2, 2015 at 2:59 PM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
> Thomas,
>
> On Jan 1, 2015 3:47 PM, "Thomas Petazzoni"
> <thomas.petazzoni@free-electrons.com> wrote:
>>
>> Dear Matt Weber,
>>
>> On Mon, 15 Dec 2014 21:53:52 -0600, Matt Weber wrote:
>>
>> > ### What's in this patchset?
>> >
>> > This patchset adds the required userspace tools, libraries, example
>> > QEMU target, existing package modifications, and initial policy
>> > to Buildroot.
>>
<snip>
>>
>> Finally, I have found what appears to be the new Git repository for the
>> SELinux development at https://github.com/SELinuxProject/selinux. And
>> it seems that now all components are in a single Git repository. Are
>> they still doing separate tarballs for each component? I have the
>> feeling that packaging separately checkpolicy, libselinux, libsemanage,
>> libsepol, policycoreutils and sepolgen is maybe not the way to go.
>>
>> Can you clarify this before I spend more time merging more of your
>> patches?
>
> Definitely.  In general we erred on the side of using older stable libs
> when we pulled our selinux config together.  (Didn't realize the possible
> change in how the libs/tools were organized) I'll take a look at pulling
> things to the latest and see how that impacts how those packages are built.
> I know that there were cross compile issues with a couple of the packages
> that we worked around so I'll see how things look porting wise.
>
> Thank you for the review and pulling this in.  I'll spend some time Monday
> figuring out if we should merge these patches or update to match the new
> repo layout.
>

It looks like they have set things up to support backwards
compatibility with separate releases for the different packages,
however I'd rather refactor the patchset to use the new approach.
This would allow us to closely track the development and make it much
easier to update as things would be a single package with a single
version to bump.  I did notice that since they converted it from an
autotools based build to static Makefiles, it looks like we may have
lost some of the capability to turn off features.  So I guess worst
case we also would have some patching needed to add back in that
capability.

I can get started on rev2 of the patchset using the single package
approach. Would it work to revert the initial 3 packages that were
added and I will plan to pull in any updates that were made as part of
those initial commits (I believe libsemanage had a misc patch)?


Thanks,
Matt


* [Buildroot] [PATCH 00/29] SELinux Buildroot Additions
  2015-01-06  3:15     ` Matthew Weber
@ 2015-01-06  3:37       ` Matthew Weber
  2015-01-06  8:34         ` Thomas Petazzoni
  0 siblings, 1 reply; 40+ messages in thread
From: Matthew Weber @ 2015-01-06  3:37 UTC (permalink / raw)
  To: buildroot

Dear Thomas,

On Mon, Jan 5, 2015 at 9:15 PM, Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
> Dear Thomas,
>
> On Fri, Jan 2, 2015 at 2:59 PM, Matthew Weber
> <matthew.weber@rockwellcollins.com> wrote:
>> Thomas,
>>
>> On Jan 1, 2015 3:47 PM, "Thomas Petazzoni"
>> <thomas.petazzoni@free-electrons.com> wrote:
>>>
>>> Dear Matt Weber,
>>>
>>> On Mon, 15 Dec 2014 21:53:52 -0600, Matt Weber wrote:
>>>
>>> > ### What's in this patchset?
>>> >
>>> > This patchset adds the required userspace tools, libraries, example
>>> > QEMU target, existing package modifications, and initial policy
>>> > to Buildroot.
>>>
> <snip>
>>>
>>> Finally, I have found what appears to be the new Git repository for the
>>> SELinux development at https://github.com/SELinuxProject/selinux. And
>>> it seems that now all components are in a single Git repository. Are
>>> they still doing separate tarballs for each component? I have the
>>> feeling that packaging separately checkpolicy, libselinux, libsemanage,
>>> libsepol, policycoreutils and sepolgen is maybe not the way to go.
>>>
>>> Can you clarify this before I spend more time merging more of your
>>> patches?
>>
>> Definitely.  In general we erred on the side of using older stable libs
>> when we pulled our selinux config together.  (Didn't realize the possible
>> change in how the libs/tools were organized) I'll take a look at pulling
>> things to the latest and see how that impacts how those packages are built.
>> I know that there were cross compile issues with a couple of the packages
>> that we worked around so I'll see how things look porting wise.
>>
>> Thank you for the review and pulling this in.  I'll spend some time Monday
>> figuring out if we should merge these patches or update to match the new
>> repo layout.
>>
>
> It looks like they have set things up to support backwards
> compatibility with separate releases for the different packages,
> however I'd rather refactor the patchset to use the new approach.

I just noticed that the release script they use is intentionally
packaging each folder/package separately, so it does look like that's
their current approach (even in a single repo).  I think we still
should consolidate it into a single package.  For every disadvantage I
can think of for having it as one package, I can see resolving those
through a temporary patch or the way the Kconfig exposes what's built.

> This would allow us to closely track the development and make it much
> easier to update as things would be a single package with a single
> version to bump.  I did notice that since they converted it from an
> autotools based build to static Makefiles, it looks like we may have
> lost some of the capability to turn off features.  So I guess worst
> case we also would have some patching needed to add back in that
> capability.
>
> I can get started on rev2 of the patchset using the single package
> approach. Would it work to revert the initial 3 packages that were
> added and I will plan to pull in any updates that were made as part of
> those initial commits (I believe libsemanage had a misc patch)?
>
>
Thanks,
Matt


* [Buildroot] [PATCH 00/29] SELinux Buildroot Additions
  2015-01-06  3:37       ` Matthew Weber
@ 2015-01-06  8:34         ` Thomas Petazzoni
  2015-01-06 13:53           ` Matthew Weber
  0 siblings, 1 reply; 40+ messages in thread
From: Thomas Petazzoni @ 2015-01-06  8:34 UTC (permalink / raw)
  To: buildroot

Dear Matthew Weber,

On Mon, 5 Jan 2015 21:37:29 -0600, Matthew Weber wrote:

> > It looks like they have set things up to support backwards
> > compatibility with separate releases for the different packages,
> > however I'd rather refactor the patchset to use the new approach.
> 
> I just noticed that the release script they use is intentionally
> packaging each folder/package separately, so it does look like that's
> their current approach (even in a single repo).  I think we still
> should consolidate it into a single package.  For every disadvantage I
> can think of for having it as one package, I can see resolving those
> through a temporary patch or the way the Kconfig exposes what's built.

I disagree: they are still shipping the thing as separate tarballs for
each component, so we should continue to have separate packages in
Buildroot.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH 00/29] SELinux Buildroot Additions
  2015-01-06  8:34         ` Thomas Petazzoni
@ 2015-01-06 13:53           ` Matthew Weber
  0 siblings, 0 replies; 40+ messages in thread
From: Matthew Weber @ 2015-01-06 13:53 UTC (permalink / raw)
  To: buildroot

Dear Thomas,

On Tue, Jan 6, 2015 at 2:34 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Matthew Weber,
>
> On Mon, 5 Jan 2015 21:37:29 -0600, Matthew Weber wrote:
>
>> > It looks like they have set things up to support backwards
>> > compatibility with separate releases for the different packages,
>> > however I'd rather refactor the patchset to use the new approach.
>>
>> I just noticed that the release script they use is intentionally
>> packaging each folder/package separately, so it does look like that's
>> their current approach (even in a single repo).  I think we still
>> should consolidate it into a single package.  For every disadvantage I
>> can think of for having it as one package, I can see resolving those
>> through a temporary patch or the way the Kconfig exposes what's built.
>
> I disagree: they are still shipping the thing as separate tarballs for
> each component, so we should continue to have separate packages in
> Buildroot.

Ok, that works.  I'll update the rest of the patchset with hash files
and similar cleanup like you've done in the Config.in of the
libselinux/libsemanage/libsepol.  I'd hold off merging until v2.


>
> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Free Electrons
> Embedded Linux, Kernel and Android engineering
> http://free-electrons.com



-- 
Matthew L Weber / Pr Software Engineer
Airborne Information Systems / Security Systems and Software
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
www.rockwellcollins.com

Note: Any Export License Required Information and License Restricted
Third Party Intellectual Property (TPIP) content must be encrypted and
sent to matthew.weber at corp.rockwellcollins.com.
