* [Buildroot] [ PATCH Selinux v11] policycoreutils: new package
@ 2016-03-16 11:42 Niranjan Reddy
  2016-03-22 22:02 ` Thomas Petazzoni
  0 siblings, 1 reply; 6+ messages in thread
From: Niranjan Reddy @ 2016-03-16 11:42 UTC
  To: buildroot

From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

This package contains the core policy utilities that are required
for basic operation of an SELinux system.Four patchs are included
in this package.
Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
Allow-CFLAGS-to-be-overwritten.patch
Change-sepolicy-python-install-arguments-to-be-a-var.patch
disable-dbus.patch

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>

---
Changes v10 -> v11:
  - Removed LDFLAGS="-Wl,-rpath,$(HOST_DIR)/usr/lib" as it is overriding LDFLAGS.
  - Removed patch PREFIX number in the subject line.
  - Replaced line LDFLAGS="-Wl,-rpath,$(HOST_DIR)/usr/lib" with LDFLAGS="$(HOST_LDFLAGS)".
  - Added patch to disable dbuslib flags in policycoreutils.
  - Added libglib2 dependency for restorecond.

Changes v9 -> v10:
  - Added LDFLAGS for HOST_POLICYCOREUTILS_MAKE_OPTS:LDFLAGS="-Wl,-rpath,$(HOST_DIR)/usr/lib"

Changes v8 -> v9:
  - Cleaned up DESTDIR references in patches to use PREFIX instead
    (suggested by Samuel)
  - Added the use of the ARCH to pass the host and target architectures
    to the build (Suggested by Samuel)

Changes v7 -> v8:
  - Cleaned up indentations in policycoreutils.mk (Suggested by
    Thomas P.)
  - Fixed sed separator (Suggested by Thomas P.)
  - Cleaned up cross compile patches and make options (Suggested by
    Thomas P.)
  - Changed dbus-glib dependency to a select and cleaned up the
    dependencies (Suggested by Thomas P.)

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Updated depends and removed glibc dependency (Matt W.)
  - Updated site to github (Matt W.)
  - Added host python 2/3 support (Matt W.)
  - Removed sandbox and mctrans support (Matt W.)
  - Removed restorcon init script (Matt W.)
  - Agree as optional settings were removed so menu isn't needed
    (Suggested by Ryan B. and Thomas P.)
  - added Config.in select for LIBCAP_NG (Suggested by Thomas P.)
  - cleaned up pam/audit ifeq (Suggested by Thomas P.)
  - fixed CFLAGS to include target_cflags instead of += (Suggested by
    Thomas P.)
  - Refactored lists of build/install steps into loops  (Suggested by
    Thomas P.)
  - Removed += on first host depends assignment (Suggested by Thomas P.)
  - Refactored host make opts assignments (Suggested by Thomas P.)
  - Limited to glibc because of fts.h, some uclibc toolchains have it
    others don't.  Eventually this would be good to fix with the updated
    method of file traversal. (Matt W.)
  - Gettext fixups for uclibc support.  Counter productive as we
    now limit to glibc only. (Matt W.)
  - Added musl as possible lib type (Matt W.)
  - Removed largefile dependency (Clayton S.)
  - Changed dbus-glib select to a depends on in the Config.in (suggested
    by Ryan B.)

Changes v3 -> v4:
  - Add a select for the libselinux Python bindings when debugging
    is enabled.  This will cause Python to be built for the target
    (suggested by Thomas P.)
  - Cleaned up the configure comments (suggested by Thomas).
  - Added a dependency on BR2_USE_MMU for the debugging option
    because python requires it (suggested by Thomas P.)
  - Removed the dependencies on audit and linux-pam. Both packages
    are now optional dependencies based on whether or not the package
    has been selected
  - Moved the dependency on dbus-glib to only the restorecond option
    where it is used
  - Added a INSTALL_INIT_SYSV for the restorecond daemon rather than
    just installing it directly
  - Adding a dependency on glibc
  - Removed the clean commands

Changes v2 -> v3:
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE
    (suggested by Thomas P.)
  - Changes patch naming convention (suggested by Thomas P.)
  - Added selects for linux-pam and audit

Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format
  - Fixed the patch naming to avoid using the version number
  - Cleaned up the patch to include a signed-off-by line
  - Changed package dependencies into selects in the config
---
 package/Config.in                                  |   1 +
 ...IR-to-all-paths-that-use-an-absolute-path.patch | 275 +++++++++++++++++++++
 .../0002-Allow-CFLAGS-to-be-overwritten.patch      |  57 +++++
 ...licy-python-install-arguments-to-be-a-var.patch |  42 ++++
 package/policycoreutils/0004-disable-dbus.patch    |  14 ++
 package/policycoreutils/Config.in                  |  57 +++++
 package/policycoreutils/policycoreutils.hash       |   2 +
 package/policycoreutils/policycoreutils.mk         | 108 ++++++++
 8 files changed, 556 insertions(+)
 create mode 100644 package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
 create mode 100644 package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
 create mode 100644 package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
 create mode 100644 package/policycoreutils/0004-disable-dbus.patch
 create mode 100644 package/policycoreutils/Config.in
 create mode 100644 package/policycoreutils/policycoreutils.hash
 create mode 100644 package/policycoreutils/policycoreutils.mk

diff --git a/package/Config.in b/package/Config.in
index 09c2b40..2c7dc37 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1511,6 +1511,7 @@ menu "Real-Time"
 endmenu
 
 menu "Security"
+	source "package/policycoreutils/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
new file mode 100644
index 0000000..0192e5c
--- /dev/null
+++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
@@ -0,0 +1,275 @@
+From 92d7cc3539f8bfc68b2f2bf688375647abf73ee7 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 10 Jul 2015 11:44:08 -0500
+Subject: Add DESTDIR to all paths that use an absolute path
+
+To aid in cross compiling, add the DESTDIR variable to the start of all
+of the paths used during compilation. Most paths already used DESTDIR.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ Makefile                |  4 ++--
+ audit2allow/Makefile    |  2 +-
+ load_policy/Makefile    |  2 +-
+ mcstrans/src/Makefile   | 22 +++++++++++++---------
+ mcstrans/utils/Makefile | 11 +++++++----
+ newrole/Makefile        | 12 ++++++------
+ restorecond/Makefile    |  6 ++++--
+ run_init/Makefile       | 12 ++++++------
+ sepolicy/Makefile       |  2 +-
+ setfiles/Makefile       |  4 ++--
+ 10 files changed, 43 insertions(+), 34 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 3980799..0fca022 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,8 +1,8 @@
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
+ 
+-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
+ 
+-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
+ 	SUBDIRS += restorecond
+ endif
+ 
+diff --git a/audit2allow/Makefile b/audit2allow/Makefile
+index 88635d4..1647b5a 100644
+--- a/audit2allow/Makefile
++++ b/audit2allow/Makefile
+@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
+ BINDIR ?= $(PREFIX)/bin
+ LIBDIR ?= $(PREFIX)/lib
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(PREFIX)/share/locale
+ 
+ all: ;
+ 
+diff --git a/load_policy/Makefile b/load_policy/Makefile
+index 7c5bab0..5cd0bbb 100644
+--- a/load_policy/Makefile
++++ b/load_policy/Makefile
+@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+ USRSBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(PREFIX)/share/locale
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
+index fb44490..a0666f1 100644
+--- a/mcstrans/src/Makefile
++++ b/mcstrans/src/Makefile
+@@ -1,22 +1,26 @@
+-ARCH = $(shell uname -i)
++# Installation directories.
++PREFIX  ?= $(DESTDIR)/usr
++SBINDIR ?= $(DESTDIR)/sbin
++INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
++
++ARCH ?= $(shell uname -i)
+ ifeq "$(ARCH)" "x86_64"
+ 	# In case of 64 bit system, use these lines
+-	LIBDIR=/usr/lib64
+-else 
++	LIBDIR=$(PREFIX)/lib64
++else
+ ifeq "$(ARCH)" "i686"
+ 	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
++	LIBDIR=$(PREFIX)/lib
+ else
+ ifeq "$(ARCH)" "i386"
+ 	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
++	LIBDIR=$(PREFIX)/lib
++else
++	# Default to these lines if arch is unknown
++	LIBDIR=$(PREFIX)/lib
+ endif
+ endif
+ endif
+-# Installation directories.
+-PREFIX  ?= $(DESTDIR)/usr
+-SBINDIR ?= $(DESTDIR)/sbin
+-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
+ 
+ PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
+ PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
+diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
+index 1ffb027..da5c152 100644
+--- a/mcstrans/utils/Makefile
++++ b/mcstrans/utils/Makefile
+@@ -2,18 +2,21 @@
+ PREFIX ?= $(DESTDIR)/usr
+ BINDIR ?= $(PREFIX)/sbin
+ 
+-ARCH = $(shell uname -i)
++ARCH ?= $(shell uname -i)
+ ifeq "$(ARCH)" "x86_64"
+         # In case of 64 bit system, use these lines
+-        LIBDIR=/usr/lib64
++        LIBDIR=$(PREFIX)/lib64
+ else
+ ifeq "$(ARCH)" "i686"
+         # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
++        LIBDIR=$(PREFIX)/lib
+ else
+ ifeq "$(ARCH)" "i386"
+         # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
++        LIBDIR=$(PREFIX)/lib
++else
++        # Default to these lines if arch is unknown
++        LIBDIR=$(PREFIX)/lib
+ endif
+ endif
+ endif
+diff --git a/newrole/Makefile b/newrole/Makefile
+index 646cd4d..045e3b7 100644
+--- a/newrole/Makefile
++++ b/newrole/Makefile
+@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR = /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR = $(PREFIX)/share/locale
++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
+ EXTRA_OBJS =
+ override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	EXTRA_OBJS += hashtab.o
+ 	LDLIBS += -lpam -lpam_misc
+@@ -32,7 +32,7 @@ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -66,7 +66,7 @@ install: all
+ 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
+ 	install -m $(MODE) newrole $(BINDIR)
+ 	install -m 644 newrole.1 $(MANDIR)/man1/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
+ 	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ ifeq ($(LSPP_PRIV),y)
+ 	install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+diff --git a/restorecond/Makefile b/restorecond/Makefile
+index 3074542..7c40f95 100644
+--- a/restorecond/Makefile
++++ b/restorecond/Makefile
+@@ -10,11 +10,13 @@ autostart_DATA = sealertauto.desktop
+ INITDIR = $(DESTDIR)/etc/rc.d/init.d
+ SELINUXDIR = $(DESTDIR)/etc/selinux
+ 
+-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
++		-I$(PREFIX)/lib/dbus-1.0/include
+ DBUSLIB = -ldbus-glib-1 -ldbus-1
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
++		-I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
+ 
+ LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
+ 
+diff --git a/run_init/Makefile b/run_init/Makefile
+index 12b39b4..da49c41 100644
+--- a/run_init/Makefile
++++ b/run_init/Makefile
+@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR ?= /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR ?= $(PREFIX)/share/locale
++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	LDLIBS += -lpam -lpam_misc
+ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -38,7 +38,7 @@ install: all
+ 	install -m 755 open_init_pty $(SBINDIR)
+ 	install -m 644 run_init.8 $(MANDIR)/man8/
+ 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
+ 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+ endif
+ 
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index 11b534f..1249546 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
+ BINDIR ?= $(PREFIX)/bin
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(PREFIX)/share/locale
+ PYTHON ?= /usr/bin/python
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+diff --git a/setfiles/Makefile b/setfiles/Makefile
+index 4b44b3c..ebc22c8 100644
+--- a/setfiles/Makefile
++++ b/setfiles/Makefile
+@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+ MANDIR = $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
+ 
+ PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
+ ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
+@@ -12,7 +12,7 @@ CFLAGS = -g -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+-- 
+1.9.1
+
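
Review bot: LOCALEDIR is not only an install location, it is compiled
into the programs through -DLOCALEDIR="\"$(LOCALEDIR)\"" in the
load_policy, newrole and run_init Makefiles, so changing it from
/usr/share/locale to $(PREFIX)/share/locale with PREFIX ?= $(DESTDIR)/usr
puts the DESTDIR-prefixed build path into the binaries as their runtime
message-catalog directory. policycoreutils.mk builds with
DESTDIR=$(STAGING_DIR), so the target programs would look for
translations under a build-host path; for newrole, which its own
Makefile comment says can be a setuid root program, the catalog path
should stay the fixed /usr/share/locale. Suggest leaving the -D value as
/usr/share/locale and applying the DESTDIR prefix only where files are
installed. Separately, the top-level Makefile probes
$(DESTDIR)/usr/include/sys/inotify.h while newrole, run_init and
setfiles probe $(PREFIX)/include/...; pick one form. The ARCH ?= change,
the new default LIBDIR branch and the relocated PREFIX/SBINDIR/INITDIR
block in mcstrans are not covered by the subject line and belong in
their own patches with a description.
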
diff --git a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
new file mode 100644
index 0000000..b6e6d99
--- /dev/null
+++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
@@ -0,0 +1,57 @@
+From cfce1180f96cca5e7444d94b2ebc39213d7dac75 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 10 Jul 2015 11:47:09 -0500
+Subject: Allow CFLAGS to be overwritten
+
+Allow all CFLAGS declarations to be overwritten to aid in cross
+compiling.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ sepolicy/Makefile | 2 +-
+ sestatus/Makefile | 2 +-
+ setfiles/Makefile | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index 1249546..a52667a 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -9,7 +9,7 @@ LOCALEDIR ?= $(PREFIX)/share/locale
+ PYTHON ?= /usr/bin/python
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+ 
+ BASHCOMPLETIONS=sepolicy-bash-completion.sh 
+ 
+diff --git a/sestatus/Makefile b/sestatus/Makefile
+index c5db7a3..c04ff00 100644
+--- a/sestatus/Makefile
++++ b/sestatus/Makefile
+@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+ LIBDIR ?= $(PREFIX)/lib
+ 
+-CFLAGS = -Werror -Wall -W
++CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+ LDLIBS = -lselinux -L$(LIBDIR)
+ 
+diff --git a/setfiles/Makefile b/setfiles/Makefile
+index ebc22c8..7c48814 100644
+--- a/setfiles/Makefile
++++ b/setfiles/Makefile
+@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
+ PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
+ ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
+ 
+-CFLAGS = -g -Werror -Wall -W
++CFLAGS ?= -g -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+-- 
+1.9.1
+
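
Review bot: in sepolicy/Makefile the changed line still carries
-Wall -Werror -Wextra -W inside the override, so a caller's CFLAGS can
add flags but can never drop -Werror, while the sestatus and setfiles
hunks move the same kind of warning flags into a CFLAGS ?= default that
the caller replaces. In a cross build with a different compiler version,
a -Werror forced through override is the flag most likely to break the
build. Suggest giving sepolicy a CFLAGS ?= default that holds the
warning flags as well, and keeping only the required -I, -D and -shared
parts on the override line, so the three Makefiles behave the same way
when policycoreutils.mk passes CFLAGS.
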
diff --git a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
new file mode 100644
index 0000000..5bbfb76
--- /dev/null
+++ b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
@@ -0,0 +1,42 @@
+From 4bb3e6bda68fe52fcd2df4f27c5900f4b0d50fa1 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 10 Jul 2015 11:56:49 -0500
+Subject: Change sepolicy python install arguments to be a variable
+
+To allow the python install arguments to be overwritten, change the
+arguments to be a variable. This also cleans up the DESTDIR detection a
+little bit.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ sepolicy/Makefile | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index a52667a..4a10df6 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ LOCALEDIR ?= $(PREFIX)/share/locale
+ PYTHON ?= /usr/bin/python
++ifneq (,$(DESTDIR))
++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
++else
++PYTHON_INSTALL_ARGS ?=
++endif
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+ override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+@@ -23,7 +28,7 @@ clean:
+ 	-rm -rf build *~ \#* *pyc .#*
+ 
+ install:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
+ 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
+ 	-mkdir -p $(MANDIR)/man8
+-- 
+1.9.1
+
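
Review bot: once PYTHON_INSTALL_ARGS is set by the caller, the install
rule no longer adds --root $(DESTDIR) at all, which is a behaviour
change from the removed
  test -n "$(DESTDIR)" && echo --root $(DESTDIR)
line and is not mentioned in the description. policycoreutils.mk passes
both PYTHON_INSTALL_ARGS and DESTDIR=$(HOST_DIR) for the host build, so
where setup.py puts its files is then decided only by the options that
were passed in; say so in the patch description. The else branch that
assigns an empty value with ?= has no effect and can go, for example
PYTHON_INSTALL_ARGS ?= $(if $(DESTDIR),--root $(DESTDIR)).
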
diff --git a/package/policycoreutils/0004-disable-dbus.patch b/package/policycoreutils/0004-disable-dbus.patch
new file mode 100644
index 0000000..b685d0a
--- /dev/null
+++ b/package/policycoreutils/0004-disable-dbus.patch
@@ -0,0 +1,14 @@
+--- a/restorecond/Makefile	2016-02-25 13:23:23.286671669 -0600
++++ b/restorecond/Makefile	2016-03-03 12:44:25.032118694 -0600
+@@ -10,9 +10,11 @@
+ INITDIR = $(DESTDIR)/etc/rc.d/init.d
+ SELINUXDIR = $(DESTDIR)/etc/selinux
+ 
++ifdef ENABLE_DBUS
+ DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
+ 		-I$(PREFIX)/lib/dbus-1.0/include
+ DBUSLIB = -ldbus-glib-1 -ldbus-1
++endif
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
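
Review bot: unlike patches 0001 to 0003 this file has no From/Subject
header, no description and no Signed-off-by, and its --- / +++ lines
carry local timestamps, so nothing records why D-Bus support is being
disabled. Nothing in policycoreutils.mk sets ENABLE_DBUS, so the new
ifdef turns D-Bus off unconditionally for both the target and the host
build, yet HOST_POLICYCOREUTILS_DEPENDENCIES still lists host-dbus-glib.
Either drop that dependency or pass ENABLE_DBUS where D-Bus is wanted,
and regenerate the patch with git format-patch so it carries a
description and a sign-off.
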
diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
new file mode 100644
index 0000000..3131a02
--- /dev/null
+++ b/package/policycoreutils/Config.in
@@ -0,0 +1,57 @@
+config BR2_PACKAGE_POLICYCOREUTILS
+	bool "policycoreutils"
+	select BR2_PACKAGE_LIBSEMANAGE
+	select BR2_PACKAGE_LIBCAP_NG
+	select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
+	depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
+	help
+	  Policycoreutils is a collection of policy utilities (originally
+	  the "core" set of utilities needed to use SELinux, although it
+	  has grown a bit over time), which have different dependencies.
+	  sestatus, secon, run_init, and newrole only use libselinux.
+	  load_policy and setfiles only use libselinux and libsepol.
+	  semodule and semanage use libsemanage (and thus bring in
+	  dependencies on libsepol and libselinux as well). setsebool
+	  uses libselinux to make non-persistent boolean changes (via
+	  the kernel interface) and uses libsemanage to make persistent
+	  boolean changes.
+
+	  The base package will install the following utilities:
+	      load_policy
+	      newrole
+	      restorecond
+	      run_init
+	      secon
+	      semodule
+	      semodule_deps
+	      semodule_expand
+	      semodule_link
+	      semodule_package
+	      sepolgen-ifgen
+	      sestatus
+	      setfiles
+	      setsebool
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "policycoreutils needs a glibc or musl toolchain w/ threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS  \
+		|| !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
+
+if BR2_PACKAGE_POLICYCOREUTILS
+
+config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+	bool "restorecond Utility"
+	select BR2_PACKAGE_LIBGLIB2 #glib2
+	depends on BR2_USE_WCHAR # glib2
+	depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
+	depends on BR2_USE_MMU # glib2
+	help
+	  Enable restorecond to be built
+
+comment "restorecond needs a toolchain w/ wchar, threads"
+	depends on BR2_USE_MMU
+	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
+
+endif
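
Review bot: the help text lists restorecond among the utilities that
"the base package will install", but restorecond is only built when
BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND is selected (policycoreutils.mk
adds it to POLICYCOREUTILS_MAKE_DIRS only in that case). Remove it from
the base list or mark it as optional. In the sub-option, the comment
condition tests !BR2_TOOLCHAIN_HAS_THREADS, but the whole block sits
inside "if BR2_PACKAGE_POLICYCOREUTILS" and the parent already depends
on threads, so that half of the condition can never be true; the
comment only needs to mention wchar. The prompt "restorecond Utility"
would also read better in lower case, like the parent prompt.
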
diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
new file mode 100644
index 0000000..575dd25
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.hash
@@ -0,0 +1,2 @@
+# https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5  policycoreutils-2.1.14.tar.gz
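
Review bot: the comment above the sha256 line is a bare URL and does not
say whether the hash was published on that page or computed locally from
the downloaded tarball. This line is the only integrity check on an
archive fetched from the raw.githubusercontent.com wiki path set in
POLICYCOREUTILS_SITE, so state the origin of the hash explicitly in the
comment.
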
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
new file mode 100644
index 0000000..aed2705
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.mk
@@ -0,0 +1,108 @@
+################################################################################
+#
+# policycoreutils
+#
+################################################################################
+
+POLICYCOREUTILS_VERSION = 2.1.14
+POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
+POLICYCOREUTILS_LICENSE = GPLv2
+POLICYCOREUTILS_LICENSE_FILES = COPYING
+
+# gettext for load_policy.c use of libintl_* functions
+POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
+
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+POLICYCOREUTILS_DEPENDENCIES += linux-pam
+POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
+define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
+	$(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
+	$(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
+endef
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+POLICYCOREUTILS_DEPENDENCIES += audit
+POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
+endif
+
+# Enable LSPP_PRIV if both audit and linux pam are enabled
+ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
+POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
+endif
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+POLICYCOREUTILS_MAKE_OPTS += \
+	CC="$(TARGET_CC)" \
+	CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
+	LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)" \
+	ARCH="$(BR2_ARCH)" 
+
+POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
+	secon semodule semodule_deps semodule_expand semodule_link \
+	semodule_package sepolgen-ifgen sestatus setfiles setsebool
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
+POLICYCOREUTILS_MAKE_DIRS += restorecond
+endif
+
+define POLICYCOREUTILS_BUILD_CMDS
+	for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
+	done
+endef
+
+define POLICYCOREUTILS_INSTALL_TARGET_CMDS
+	for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
+	done
+endef
+
+HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+HOST_POLICYCOREUTILS_MAKE_OPTS = \
+	CC="$(HOSTCC)" \
+	CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
+	PYTHON="$(HOST_DIR)/usr/bin/python" \
+	PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)" \
+	ARCH="$(HOSTARCH)" \
+	LDFLAGS="$(HOST_LDFLAGS)"
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
+HOST_POLICYCOREUTILS_MAKE_OPTS += \
+	PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
+else
+HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
+HOST_POLICYCOREUTILS_MAKE_OPTS += \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
+endif
+
+# Note: We are only building the programs required by the refpolicy build
+HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
+	semodule_package setfiles restorecond audit2allow audit2why scripts semanage sepolicy
+
+define HOST_POLICYCOREUTILS_BUILD_CMDS
+	for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
+	done
+endef
+
+define HOST_POLICYCOREUTILS_INSTALL_CMDS
+	for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
+	done
+	# Fix python paths
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2allow
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2why
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolicy
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
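
Review bot: POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS is defined in
the linux-pam block but is never referenced from
POLICYCOREUTILS_INSTALL_TARGET_CMDS or registered as a hook, so as
written it is dead code; either register it or drop it (the patched
newrole and run_init Makefiles already install their pam.d files when
pam_appl.h is found). When BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND is
enabled, restorecond is added to POLICYCOREUTILS_MAKE_DIRS but libglib2,
which Config.in selects for it, is not added to
POLICYCOREUTILS_DEPENDENCIES, so nothing guarantees it is built first.
The NAMESPACE_PRIV, AUDIT_LOG_PRIV and LSPP_PRIV options appear to be
the ones the newrole Makefile comment in patch 0001 refers to when it
says enabling capabilities "will make newrole a setuid root program";
that side effect of selecting linux-pam or audit deserves a comment here
and a mention in the Config.in help. There is also trailing whitespace
after the ARCH="$(BR2_ARCH)" line.
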
-- 
2.5.0


* [Buildroot] [ PATCH Selinux v11] policycoreutils: new package
  2016-03-16 11:42 [Buildroot] [ PATCH Selinux v11] policycoreutils: new package Niranjan Reddy
@ 2016-03-22 22:02 ` Thomas Petazzoni
  2016-04-01 12:26   ` Niranjan Reddy
  2016-04-08  3:00   ` Matthew Weber
  0 siblings, 2 replies; 6+ messages in thread
From: Thomas Petazzoni @ 2016-03-22 22:02 UTC
  To: buildroot

Hello,

I really wanted to apply this patch and finally get the remaining
SELinux support in, but there are still some really wrong things in
there.

On Wed, 16 Mar 2016 17:12:14 +0530, Niranjan Reddy wrote:
> From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> 
> This package contains the core policy utilities that are required
> for basic operation of an SELinux system.Four patchs are included
> in this package.

Minor typos: space after ".", patchs -> patches.

> Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> Allow-CFLAGS-to-be-overwritten.patch
> Change-sepolicy-python-install-arguments-to-be-a-var.patch
> disable-dbus.patch

Completely useless to just give the filenames, especially when they are
wrong.


> diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> new file mode 100644
> index 0000000..0192e5c
> --- /dev/null
> +++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> @@ -0,0 +1,275 @@
> +From 92d7cc3539f8bfc68b2f2bf688375647abf73ee7 Mon Sep 17 00:00:00 2001
> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +Date: Fri, 10 Jul 2015 11:44:08 -0500
> +Subject: Add DESTDIR to all paths that use an absolute path
> +
> +To aid in cross compiling, add the DESTDIR variable to the start of all
> +of the paths used during compilation. Most paths already used DESTDIR.
> +
> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

This patch does a *LOT* more than adding DESTDIR. Just check by
yourself. Read your own patch! It should be split in several patches.

> +---
> + Makefile                |  4 ++--
> + audit2allow/Makefile    |  2 +-
> + load_policy/Makefile    |  2 +-
> + mcstrans/src/Makefile   | 22 +++++++++++++---------
> + mcstrans/utils/Makefile | 11 +++++++----
> + newrole/Makefile        | 12 ++++++------
> + restorecond/Makefile    |  6 ++++--
> + run_init/Makefile       | 12 ++++++------
> + sepolicy/Makefile       |  2 +-
> + setfiles/Makefile       |  4 ++--
> + 10 files changed, 43 insertions(+), 34 deletions(-)
> +
> +diff --git a/Makefile b/Makefile
> +index 3980799..0fca022 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -1,8 +1,8 @@
> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
> + 
> +-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
> ++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)

This is not super great, as it assumes DESTDIR is passed at build time,
which is not very standard. But OK, that's the easiest solution. But it
should *definitely* be explained in the description of the patch, as
it's non trivial.

> + 
> +-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
> ++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
> + 	SUBDIRS += restorecond
> + endif
> + 
> +diff --git a/audit2allow/Makefile b/audit2allow/Makefile
> +index 88635d4..1647b5a 100644
> +--- a/audit2allow/Makefile
> ++++ b/audit2allow/Makefile
> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> + BINDIR ?= $(PREFIX)/bin
> + LIBDIR ?= $(PREFIX)/lib
> + MANDIR ?= $(PREFIX)/share/man
> +-LOCALEDIR ?= /usr/share/locale
> ++LOCALEDIR ?= $(PREFIX)/share/locale

This is not about adding DESTDIR, but about changing a hardcoded /usr
to $(PREFIX).

In addition, in the INOTIFYH fix above, you don't change usr/ to
$(PREFIX).

> + 
> + all: ;
> + 
> +diff --git a/load_policy/Makefile b/load_policy/Makefile
> +index 7c5bab0..5cd0bbb 100644
> +--- a/load_policy/Makefile
> ++++ b/load_policy/Makefile
> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> + SBINDIR ?= $(DESTDIR)/sbin
> + USRSBINDIR ?= $(PREFIX)/sbin
> + MANDIR ?= $(PREFIX)/share/man
> +-LOCALEDIR ?= /usr/share/locale
> ++LOCALEDIR ?= $(PREFIX)/share/locale

This is also changing /usr to PREFIX, which has nothing to do with
using DESTDIR.

> + 
> + CFLAGS ?= -Werror -Wall -W
> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
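
Review bot: LOCALEDIR in this hunk is not only an install location: the override CFLAGS context line at the end of the hunk passes it to the compiler as -DLOCALEDIR, so with PREFIX defaulting to $(DESTDIR)/usr the binary embeds whatever DESTDIR was on the make command line at build time. policycoreutils.mk later in this mail builds with DESTDIR=$(STAGING_DIR), which would put the staging path into load_policy as its runtime locale directory. Keep LOCALEDIR at the runtime path for the define and apply the install prefix only where files are copied; the newrole and run_init hunks define and use LOCALEDIR the same way.
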
> +diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
> +index fb44490..a0666f1 100644
> +--- a/mcstrans/src/Makefile
> ++++ b/mcstrans/src/Makefile
> +@@ -1,22 +1,26 @@
> +-ARCH = $(shell uname -i)
> ++# Installation directories.
> ++PREFIX  ?= $(DESTDIR)/usr
> ++SBINDIR ?= $(DESTDIR)/sbin
> ++INITDIR ?= $(DESTDIR)/etc/rc.d/init.d

This has nothing to do with adding DESTDIR, and there is no explanation
why adding those variable definitions here is necessary. Those
definitions are normally below, why are you moving them up here?

> ++
> ++ARCH ?= $(shell uname -i)

Looks good, but needs to be explained in the patch description (and in
a separate patch).

> + ifeq "$(ARCH)" "x86_64"
> + 	# In case of 64 bit system, use these lines
> +-	LIBDIR=/usr/lib64
> +-else 
> ++	LIBDIR=$(PREFIX)/lib64
> ++else
> + ifeq "$(ARCH)" "i686"
> + 	# In case of 32 bit system, use these lines
> +-	LIBDIR=/usr/lib
> ++	LIBDIR=$(PREFIX)/lib
> + else
> + ifeq "$(ARCH)" "i386"
> + 	# In case of 32 bit system, use these lines
> +-	LIBDIR=/usr/lib
> ++	LIBDIR=$(PREFIX)/lib
> ++else
> ++	# Default to these lines if arch is unknown
> ++	LIBDIR=$(PREFIX)/lib

This is all /usr -> $(PREFIX) replacement, nothing to do with DESTDIR.

> + endif
> + endif
> + endif
> +-# Installation directories.
> +-PREFIX  ?= $(DESTDIR)/usr
> +-SBINDIR ?= $(DESTDIR)/sbin
> +-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
> + 
> + PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
> + PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
> +diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
> +index 1ffb027..da5c152 100644
> +--- a/mcstrans/utils/Makefile
> ++++ b/mcstrans/utils/Makefile
> +@@ -2,18 +2,21 @@
> + PREFIX ?= $(DESTDIR)/usr
> + BINDIR ?= $(PREFIX)/sbin
> + 
> +-ARCH = $(shell uname -i)
> ++ARCH ?= $(shell uname -i)
> + ifeq "$(ARCH)" "x86_64"
> +         # In case of 64 bit system, use these lines
> +-        LIBDIR=/usr/lib64
> ++        LIBDIR=$(PREFIX)/lib64
> + else
> + ifeq "$(ARCH)" "i686"
> +         # In case of 32 bit system, use these lines
> +-        LIBDIR=/usr/lib
> ++        LIBDIR=$(PREFIX)/lib
> + else
> + ifeq "$(ARCH)" "i386"
> +         # In case of 32 bit system, use these lines
> +-        LIBDIR=/usr/lib
> ++        LIBDIR=$(PREFIX)/lib
> ++else
> ++        # Default to these lines if arch is unknown
> ++        LIBDIR=$(PREFIX)/lib

Same comments as above.

> + endif
> + endif
> + endif
> +diff --git a/newrole/Makefile b/newrole/Makefile
> +index 646cd4d..045e3b7 100644
> +--- a/newrole/Makefile
> ++++ b/newrole/Makefile
> +@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
> + BINDIR ?= $(PREFIX)/bin
> + MANDIR ?= $(PREFIX)/share/man
> + ETCDIR ?= $(DESTDIR)/etc
> +-LOCALEDIR = /usr/share/locale
> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> ++LOCALEDIR = $(PREFIX)/share/locale
> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)

This is *completely* wrong. It will look at /usr/include/libaudit.h
and /usr/include/security/pam_appl.h on your build machine to decide
where pam and audit support is available. If you follow the fix done
earlier for INOTIFYH, you should do:

AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)

> + # Enable capabilities to permit newrole to generate audit records.
> + # This will make newrole a setuid root program.
> + # The capabilities used are: CAP_AUDIT_WRITE.
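
Review bot: PAMH and AUDITH in this hunk decide, by probing for a header with ls, whether USE_PAM and USE_AUDIT are compiled into newrole, and the context comment at the end of the hunk says newrole can become a setuid root program. A probe that misses fails silently: 2>/dev/null hides it and the build takes the else branch quoted in the next hunk. policycoreutils.mk already tests BR2_PACKAGE_LINUX_PAM and BR2_PACKAGE_AUDIT, so consider having it pass the choice explicitly and turning a mismatch into a build error, so that PAM and audit support in a privileged binary never depend on which headers happen to be found.
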
> +@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
> + EXTRA_OBJS =
> + override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> + LDLIBS += -lselinux -L$(PREFIX)/lib
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)

Same comment as above.

> + 	override CFLAGS += -DUSE_PAM
> + 	EXTRA_OBJS += hashtab.o
> + 	LDLIBS += -lpam -lpam_misc
> +@@ -32,7 +32,7 @@ else
> + 	override CFLAGS += -D_XOPEN_SOURCE=500
> + 	LDLIBS += -lcrypt
> + endif
> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)

Ditto.

> + 	override CFLAGS += -DUSE_AUDIT
> + 	LDLIBS += -laudit
> + endif
> +@@ -66,7 +66,7 @@ install: all
> + 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
> + 	install -m $(MODE) newrole $(BINDIR)
> + 	install -m 644 newrole.1 $(MANDIR)/man1/
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)

Ditto.

> + 	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
> + ifeq ($(LSPP_PRIV),y)
> + 	install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
> +diff --git a/restorecond/Makefile b/restorecond/Makefile
> +index 3074542..7c40f95 100644
> +--- a/restorecond/Makefile
> ++++ b/restorecond/Makefile
> +@@ -10,11 +10,13 @@ autostart_DATA = sealertauto.desktop
> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
> + SELINUXDIR = $(DESTDIR)/etc/selinux
> + 
> +-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
> ++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
> ++		-I$(PREFIX)/lib/dbus-1.0/include

Completely wrong. This will add -I/usr/include/dbus-1.0 when
cross-compiling. Bad.

> + DBUSLIB = -ldbus-glib-1 -ldbus-1
> + 
> + CFLAGS ?= -g -Werror -Wall -W
> +-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
> ++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
> ++		-I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include

Same.

> + 
> + LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
> + 
> +diff --git a/run_init/Makefile b/run_init/Makefile
> +index 12b39b4..da49c41 100644
> +--- a/run_init/Makefile
> ++++ b/run_init/Makefile
> +@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
> + SBINDIR ?= $(PREFIX)/sbin
> + MANDIR ?= $(PREFIX)/share/man
> + ETCDIR ?= $(DESTDIR)/etc
> +-LOCALEDIR ?= /usr/share/locale
> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> ++LOCALEDIR ?= $(PREFIX)/share/locale
> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)

Also wrong.

> + 
> + CFLAGS ?= -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> + LDLIBS += -lselinux -L$(PREFIX)/lib
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)

Ditto.

> + 	override CFLAGS += -DUSE_PAM
> + 	LDLIBS += -lpam -lpam_misc
> + else
> + 	override CFLAGS += -D_XOPEN_SOURCE=500
> + 	LDLIBS += -lcrypt
> + endif
> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)

Ditto.

> + 	override CFLAGS += -DUSE_AUDIT
> + 	LDLIBS += -laudit
> + endif
> +@@ -38,7 +38,7 @@ install: all
> + 	install -m 755 open_init_pty $(SBINDIR)
> + 	install -m 644 run_init.8 $(MANDIR)/man8/
> + 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)

Ditto.

> + 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
> + endif
> + 
> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> +index 11b534f..1249546 100644
> +--- a/sepolicy/Makefile
> ++++ b/sepolicy/Makefile
> +@@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
> + BINDIR ?= $(PREFIX)/bin
> + SBINDIR ?= $(PREFIX)/sbin
> + MANDIR ?= $(PREFIX)/share/man
> +-LOCALEDIR ?= /usr/share/locale
> ++LOCALEDIR ?= $(PREFIX)/share/locale
> + PYTHON ?= /usr/bin/python
> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> + SHAREDIR ?= $(PREFIX)/share/sandbox
> +diff --git a/setfiles/Makefile b/setfiles/Makefile
> +index 4b44b3c..ebc22c8 100644
> +--- a/setfiles/Makefile
> ++++ b/setfiles/Makefile
> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> + SBINDIR ?= $(DESTDIR)/sbin
> + MANDIR = $(PREFIX)/share/man
> + LIBDIR ?= $(PREFIX)/lib
> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)

Still wrong.

> + 
> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
> +@@ -12,7 +12,7 @@ CFLAGS = -g -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include
> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> + 
> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)

Here as well.

> + 	override CFLAGS += -DUSE_AUDIT
> + 	LDLIBS += -laudit
> + endif
> +-- 
> +1.9.1
> +
> diff --git a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> new file mode 100644
> index 0000000..b6e6d99
> --- /dev/null
> +++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> @@ -0,0 +1,57 @@
> +From cfce1180f96cca5e7444d94b2ebc39213d7dac75 Mon Sep 17 00:00:00 2001
> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +Date: Fri, 10 Jul 2015 11:47:09 -0500
> +Subject: Allow CFLAGS to be overwritten
> +
> +Allow all CFLAGS declarations to be overwritten to aid in cross
> +compiling.
> +
> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +---
> + sepolicy/Makefile | 2 +-
> + sestatus/Makefile | 2 +-
> + setfiles/Makefile | 2 +-
> + 3 files changed, 3 insertions(+), 3 deletions(-)
> +
> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> +index 1249546..a52667a 100644
> +--- a/sepolicy/Makefile
> ++++ b/sepolicy/Makefile
> +@@ -9,7 +9,7 @@ LOCALEDIR ?= $(PREFIX)/share/locale
> + PYTHON ?= /usr/bin/python
> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> + SHAREDIR ?= $(PREFIX)/share/sandbox
> +-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared

-I$(PREFIX)/include -> bad, as it will add -I/usr/include when
cross-compiling.

> + 
> + BASHCOMPLETIONS=sepolicy-bash-completion.sh 
> + 
> +diff --git a/sestatus/Makefile b/sestatus/Makefile
> +index c5db7a3..c04ff00 100644
> +--- a/sestatus/Makefile
> ++++ b/sestatus/Makefile
> +@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
> + ETCDIR ?= $(DESTDIR)/etc
> + LIBDIR ?= $(PREFIX)/lib
> + 
> +-CFLAGS = -Werror -Wall -W
> ++CFLAGS ?= -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64

Again here.

> + LDLIBS = -lselinux -L$(LIBDIR)
> + 
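
Review bot: the -D_FILE_OFFSET_BITS=64 in the override CFLAGS += context line of this hunk is appended after any CFLAGS given on the make command line, and with CFLAGS ?= the command-line value now also replaces -Werror -Wall -W. policycoreutils.mk in this series passes CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS", so for sestatus the final order is -U followed by -D and the macro ends up defined again. If sestatus is meant to be covered by the fts.h workaround, the define has to go; if it is not, say so in the commit message.
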
> +diff --git a/setfiles/Makefile b/setfiles/Makefile
> +index ebc22c8..7c48814 100644
> +--- a/setfiles/Makefile
> ++++ b/setfiles/Makefile
> +@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
> + 
> +-CFLAGS = -g -Werror -Wall -W
> ++CFLAGS ?= -g -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include

And here.

Please build with BR2_COMPILER_PARANOID_UNSAFE_PATH=y to detect such
problems.

> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> + 
> +-- 
> +1.9.1
> +
> diff --git a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> new file mode 100644
> index 0000000..5bbfb76
> --- /dev/null
> +++ b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> @@ -0,0 +1,42 @@
> +From 4bb3e6bda68fe52fcd2df4f27c5900f4b0d50fa1 Mon Sep 17 00:00:00 2001
> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +Date: Fri, 10 Jul 2015 11:56:49 -0500
> +Subject: Change sepolicy python install arguments to be a variable
> +
> +To allow the python install arguments to be overwritten, change the
> +arguments to be a variable. This also cleans up the DESTDIR detection a
> +little bit.
> +
> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +---
> + sepolicy/Makefile | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> +index a52667a..4a10df6 100644
> +--- a/sepolicy/Makefile
> ++++ b/sepolicy/Makefile
> +@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
> + MANDIR ?= $(PREFIX)/share/man
> + LOCALEDIR ?= $(PREFIX)/share/locale
> + PYTHON ?= /usr/bin/python
> ++ifneq (,$(DESTDIR))
> ++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
> ++else
> ++PYTHON_INSTALL_ARGS ?=
> ++endif

Sounds good, but could be a bit simpler:

ifneq ($(DESTDIR),)
PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
endif

> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> + SHAREDIR ?= $(PREFIX)/share/sandbox
> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> +@@ -23,7 +28,7 @@ clean:
> + 	-rm -rf build *~ \#* *pyc .#*
> + 
> + install:
> +-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
> ++	$(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
> + 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
> + 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
> + 	-mkdir -p $(MANDIR)/man8
> +-- 
> +1.9.1
> +
> diff --git a/package/policycoreutils/0004-disable-dbus.patch b/package/policycoreutils/0004-disable-dbus.patch
> new file mode 100644
> index 0000000..b685d0a
> --- /dev/null
> +++ b/package/policycoreutils/0004-disable-dbus.patch
> @@ -0,0 +1,14 @@
> +--- a/restorecond/Makefile	2016-02-25 13:23:23.286671669 -0600
> ++++ b/restorecond/Makefile	2016-03-03 12:44:25.032118694 -0600

Missing description + Signed-off-by in this patch.

> +@@ -10,9 +10,11 @@
> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
> + SELINUXDIR = $(DESTDIR)/etc/selinux
> + 
> ++ifdef ENABLE_DBUS
> + DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
> + 		-I$(PREFIX)/lib/dbus-1.0/include
> + DBUSLIB = -ldbus-glib-1 -ldbus-1
> ++endif
> + 
> + CFLAGS ?= -g -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
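
Review bot: nothing in the policycoreutils.mk lines quoted in this mail passes ENABLE_DBUS, so the ifdef added here makes the D-Bus flags unreachable from the package while HOST_POLICYCOREUTILS_DEPENDENCIES still lists host-dbus-glib. Either wire ENABLE_DBUS to a Config.in option or drop the dependency. Also, ifdef is true for any non-empty value, so ENABLE_DBUS=n would enable D-Bus; ifeq ($(ENABLE_DBUS),y) matches the form already used for LSPP_PRIV in newrole/Makefile.
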
> diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
> new file mode 100644
> index 0000000..3131a02
> --- /dev/null
> +++ b/package/policycoreutils/Config.in
> @@ -0,0 +1,57 @@
> +config BR2_PACKAGE_POLICYCOREUTILS
> +	bool "policycoreutils"
> +	select BR2_PACKAGE_LIBSEMANAGE

libsemanage has lots of other dependencies:

        depends on BR2_TOOLCHAIN_HAS_THREADS
        depends on !BR2_STATIC_LIBS
        depends on !BR2_arc

You need to take them into account.

> +	select BR2_PACKAGE_LIBCAP_NG
> +	select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
> +	depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
> +	depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
> +	help
> +	  Policycoreutils is a collection of policy utilities (originally
> +	  the "core" set of utilities needed to use SELinux, although it
> +	  has grown a bit over time), which have different dependencies.
> +	  sestatus, secon, run_init, and newrole only use libselinux.
> +	  load_policy and setfiles only use libselinux and libsepol.
> +	  semodule and semanage use libsemanage (and thus bring in
> +	  dependencies on libsepol and libselinux as well). setsebool
> +	  uses libselinux to make non-persistent boolean changes (via
> +	  the kernel interface) and uses libsemanage to make persistent
> +	  boolean changes.
> +
> +	  The base package will install the following utilities:
> +	      load_policy
> +	      newrole
> +	      restorecond
> +	      run_init
> +	      secon
> +	      semodule
> +	      semodule_deps
> +	      semodule_expand
> +	      semodule_link
> +	      semodule_package
> +	      sepolgen-ifgen
> +	      sestatus
> +	      setfiles
> +	      setsebool
> +
> +	  http://selinuxproject.org/page/Main_Page
> +
> +comment "policycoreutils needs a glibc or musl toolchain w/ threads"
> +	depends on !BR2_TOOLCHAIN_HAS_THREADS  \
> +		|| !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
> +
> +if BR2_PACKAGE_POLICYCOREUTILS
> +
> +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
> +	bool "restorecond Utility"
> +	select BR2_PACKAGE_LIBGLIB2 #glib2
> +	depends on BR2_USE_WCHAR # glib2
> +	depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
> +	depends on BR2_USE_MMU # glib2
> +	help
> +	  Enable restorecond to be built
> +
> +comment "restorecond needs a toolchain w/ wchar, threads"
> +	depends on BR2_USE_MMU
> +	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
> +
> +endif
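
Review bot: the help text lists restorecond among the utilities the base package installs, but policycoreutils.mk only adds it to POLICYCOREUTILS_MAKE_DIRS when BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND is set. Move it out of the base list or mark it as optional. Inside the if BR2_PACKAGE_POLICYCOREUTILS block the threads dependency is already guaranteed by the parent option, so the restorecond comment only needs to mention wchar.
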
> diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
> new file mode 100644
> index 0000000..575dd25
> --- /dev/null
> +++ b/package/policycoreutils/policycoreutils.hash
> @@ -0,0 +1,2 @@
> +# https://github.com/SELinuxProject/selinux/wiki/Releases
> +sha256 b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5  policycoreutils-2.1.14.tar.gz
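
Review bot: the comment above the sha256 line gives a URL but does not say whether the hash was published there or computed locally from a downloaded tarball. State which, so a later reviewer knows whether this line checks the tarball against a value upstream published or only pins what was fetched once.
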
> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
> new file mode 100644
> index 0000000..aed2705
> --- /dev/null
> +++ b/package/policycoreutils/policycoreutils.mk
> @@ -0,0 +1,108 @@
> +################################################################################
> +#
> +# policycoreutils
> +#
> +################################################################################
> +
> +POLICYCOREUTILS_VERSION = 2.1.14
> +POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
> +POLICYCOREUTILS_LICENSE = GPLv2
> +POLICYCOREUTILS_LICENSE_FILES = COPYING
> +
> +# gettext for load_policy.c use of libintl_* functions
> +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
> +
> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
> +POLICYCOREUTILS_DEPENDENCIES += linux-pam
> +POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
> +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
> +	$(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
> +	$(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
> +endef
> +endif
> +
> +ifeq ($(BR2_PACKAGE_AUDIT),y)
> +POLICYCOREUTILS_DEPENDENCIES += audit
> +POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
> +endif
> +
> +# Enable LSPP_PRIV if both audit and linux pam are enabled
> +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
> +POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
> +endif
> +
> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> +# large file support.
> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
> +POLICYCOREUTILS_MAKE_OPTS += \
> +	CC="$(TARGET_CC)" \
> +	CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
> +	LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)" \
> +	ARCH="$(BR2_ARCH)" 
> +
> +POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
> +	secon semodule semodule_deps semodule_expand semodule_link \
> +	semodule_package sepolgen-ifgen sestatus setfiles setsebool
> +
> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
> +POLICYCOREUTILS_MAKE_DIRS += restorecond
> +endif
> +
> +define POLICYCOREUTILS_BUILD_CMDS
> +	for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> +		$(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
> +	done

Please add a comment above this that explains why you're passing
DESTDIR=$(STAGING_DIR) at build time.

> +endef
> +
> +define POLICYCOREUTILS_INSTALL_TARGET_CMDS
> +	for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> +		$(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
> +	done
> +endef
> +
> +HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
> +
> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> +# large file support.
> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
> +HOST_POLICYCOREUTILS_MAKE_OPTS = \
> +	CC="$(HOSTCC)" \
> +	CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
> +	PYTHON="$(HOST_DIR)/usr/bin/python" \
> +	PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)" \
> +	ARCH="$(HOSTARCH)" \
> +	LDFLAGS="$(HOST_LDFLAGS)"
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> +	PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
> +else
> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> +	PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
> +endif
> +
> +# Note: We are only building the programs required by the refpolicy build
> +HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
> +	semodule_package setfiles restorecond audit2allow audit2why scripts semanage sepolicy
> +
> +define HOST_POLICYCOREUTILS_BUILD_CMDS
> +	for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> +		$(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \

DESTDIR=$(HOST_DIR) is wrong. You should instead use PREFIX=$(HOST_DIR)/usr.

> +define HOST_POLICYCOREUTILS_INSTALL_CMDS
> +	for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> +		$(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \

Ditto.

> +	done
> +	# Fix python paths
> +	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2allow
> +	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2why
> +	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
> +	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolicy
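
Review bot: each of these four $(SED) expressions ends in g and has no line address, so it rewrites every /usr/bin/ in the installed script, not only the interpreter line that the "Fix python paths" comment is about. Restrict the substitution to line 1 (1s%...%...%) and say in the comment that only the shebang is meant; the four identical lines could also be one loop over the script names.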

Sadly, this means more hardcoded paths, but I guess it's OK for now, I
prefer to sort out the other issues. This one can be solved later.

Could you rework your patch to solve the other issues raised above?

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
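
An added example (not part of this thread and not Buildroot code): it expands `PREFIX ?= $(DESTDIR)/usr` for the restorecond flags from the 0001 patch and reports which -I/-L arguments resolve to build-machine directories, with and without DESTDIR on the make command line, plus the value -DLOCALEDIR would carry. The host-prefix list, the staging path, the `cc` command line and all function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: expansion of "PREFIX ?= $(DESTDIR)/usr" and a check for
# -I/-L flags that end up pointing into the build machine.

# Directories treated as "host" paths. Constructed list (assumption).
HOST_PREFIXES="/usr/include /usr/lib /usr/local/include /usr/local/lib"

# PREFIX as make computes it from the DESTDIR given on the command line
# (empty string when DESTDIR is not passed).
expand_prefix() {
    printf '%s/usr' "$1"
}

# Succeeds when $1 is a -I or -L flag whose path starts with one of the
# host prefixes (prefix match, so /usr/lib64 is caught by /usr/lib).
is_host_path_flag() {
    case "$1" in
        -I*|-L*) path=${1#-?} ;;
        *) return 1 ;;
    esac
    for p in $HOST_PREFIXES; do
        case "$path" in
            "$p"*) return 0 ;;
        esac
    done
    return 1
}

# Print, space separated, the flags of a compiler command line ($1) that
# point into the build machine. The constructed command lines used here
# contain no glob characters, so plain word splitting is enough.
audit_cmdline() {
    found=""
    for arg in $1; do
        if is_host_path_flag "$arg"; then
            found="${found:+$found }$arg"
        fi
    done
    printf '%s' "$found"
}

# restorecond compile line for a given DESTDIR. The -I flags are the ones
# in the 0001 patch; "cc" and the source file name are placeholders.
restorecond_cmdline() {
    prefix=$(expand_prefix "$1")
    printf 'cc -I%s/include -DHAVE_DBUS -I%s/include/dbus-1.0 -I%s/lib64/dbus-1.0/include -I%s/lib/dbus-1.0/include -I%s/include/glib-2.0 -c restorecond.c' \
        "$prefix" "$prefix" "$prefix" "$prefix" "$prefix"
}

# Value the compiler receives through -DLOCALEDIR when LOCALEDIR is
# defined as $(PREFIX)/share/locale.
localedir_macro() {
    printf '%s/share/locale' "$(expand_prefix "$1")"
}

# Constructed path standing in for $(STAGING_DIR).
STAGING=/build/output/staging

echo "DESTDIR not passed : $(audit_cmdline "$(restorecond_cmdline "")")"
echo "DESTDIR=staging    : $(audit_cmdline "$(restorecond_cmdline "$STAGING")")"
echo "LOCALEDIR macro    : $(localedir_macro "$STAGING")"
```

Without DESTDIR every include flag is reported; with DESTDIR set to the staging directory none is, while the LOCALEDIR value then carries the staging path.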

* [Buildroot] [ PATCH Selinux v11] policycoreutils: new package
  2016-03-22 22:02 ` Thomas Petazzoni
@ 2016-04-01 12:26   ` Niranjan Reddy
  2016-04-08  3:00   ` Matthew Weber
  1 sibling, 0 replies; 6+ messages in thread
From: Niranjan Reddy @ 2016-04-01 12:26 UTC (permalink / raw)
  To: buildroot

Hi Thomas,

Appreciate your feedback. I guess you are confused with the naming
convention for the DESTDIR patch; actually it should be
"Add-PREFIX-to-all-paths-that-use-an-absolute-path". As per your comments I
had built it with BR2_COMPILER_PARANOID_UNSAFE_PATH=y to find any unsafe
paths during build, but everything went well.

In the policycoreutils.mk file the DESTDIR variable changes based on the
macro variables as below:

When defined for POLICYCOREUTILS_BUILD_CMDS:

DESTDIR = BUILDROOTDIR/output/host/usr/i686-buildroot-linux-gnu/sysroot
(i.e. STAGING_DIR)

When defined for POLICYCOREUTILS_INSTALL_TARGET_CMDS:

DESTDIR = BUILDROOTDIR/output/target (i.e. TARGET_DIR)

When defined for HOST_POLICYCOREUTILS_BUILD_CMDS:

DESTDIR = BUILDROOTDIR/output/host (HOST_DIR)


The patch "Add-DESTDIR-to-all-paths-that-use-an-absolute-path" was added
to change the make files of policycoreutils so that it replaces the
absolute path "/usr" with $PREFIX, which means PREFIX = $(DESTDIR)/usr

I guess no changes are required to the patch if I change to PREFIX instead
of DESTDIR in INOTIFY.

Please let me know.

Thanks,
Niranjan

On Wed, Mar 23, 2016 at 3:32 AM, Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote:

> Hello,
>
> I really wanted to apply this patch and finally get the remaining
> SELinux support in, but there are still some really wrong things in
> there.
>
> On Wed, 16 Mar 2016 17:12:14 +0530, Niranjan Reddy wrote:
> > From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> >
> > This package contains the core policy utilities that are required
> > for basic operation of an SELinux system.Four patchs are included
> > in this package.
>
> Minor typos: space after ".", patchs -> patches.
>
> > Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> > Allow-CFLAGS-to-be-overwritten.patch
> > Change-sepolicy-python-install-arguments-to-be-a-var.patch
> > disable-dbus.patch
>
> Completely useless to just give the filenames, especially when they are
> wrong.
>
>
> > diff --git
> a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> > new file mode 100644
> > index 0000000..0192e5c
> > --- /dev/null
> > +++
> b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> > @@ -0,0 +1,275 @@
> > +From 92d7cc3539f8bfc68b2f2bf688375647abf73ee7 Mon Sep 17 00:00:00 2001
> > +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> > +Date: Fri, 10 Jul 2015 11:44:08 -0500
> > +Subject: Add DESTDIR to all paths that use an absolute path
> > +
> > +To aid in cross compiling, add the DESTDIR variable to the start of all
> > +of the paths used during compilation. Most paths already used DESTDIR.
> > +
> > +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>
> This patch does a *LOT* more than adding DESTDIR. Just check by
> yourself. Read your own patch! It should be split in several patches.
>
> > +---
> > + Makefile                |  4 ++--
> > + audit2allow/Makefile    |  2 +-
> > + load_policy/Makefile    |  2 +-
> > + mcstrans/src/Makefile   | 22 +++++++++++++---------
> > + mcstrans/utils/Makefile | 11 +++++++----
> > + newrole/Makefile        | 12 ++++++------
> > + restorecond/Makefile    |  6 ++++--
> > + run_init/Makefile       | 12 ++++++------
> > + sepolicy/Makefile       |  2 +-
> > + setfiles/Makefile       |  4 ++--
> > + 10 files changed, 43 insertions(+), 34 deletions(-)
> > +
> > +diff --git a/Makefile b/Makefile
> > +index 3980799..0fca022 100644
> > +--- a/Makefile
> > ++++ b/Makefile
> > +@@ -1,8 +1,8 @@
> > + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init
> sandbox secon audit2allow audit2why sestatus semodule_package semodule
> semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool
> scripts po man gui
> > +
> > +-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
> > ++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
>
> This is not super great, as it assumes DESTDIR is passed at build time,
> which is not very standard. But OK, that's the easiest solution. But it
> should *definitely* be explained in the description of the patch, as
> it's non trivial.
>
> > +
> > +-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
> > ++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
> > +     SUBDIRS += restorecond
> > + endif
> > +
> > +diff --git a/audit2allow/Makefile b/audit2allow/Makefile
> > +index 88635d4..1647b5a 100644
> > +--- a/audit2allow/Makefile
> > ++++ b/audit2allow/Makefile
> > +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> > + BINDIR ?= $(PREFIX)/bin
> > + LIBDIR ?= $(PREFIX)/lib
> > + MANDIR ?= $(PREFIX)/share/man
> > +-LOCALEDIR ?= /usr/share/locale
> > ++LOCALEDIR ?= $(PREFIX)/share/locale
>
> This is not about adding DESTDIR, but about changing a hardcoded /usr
> to $(PREFIX).
>
> In addition, in the INOTIFYH fix above, you don't change usr/ to
> $(PREFIX).
>
> > +
> > + all: ;
> > +
> > +diff --git a/load_policy/Makefile b/load_policy/Makefile
> > +index 7c5bab0..5cd0bbb 100644
> > +--- a/load_policy/Makefile
> > ++++ b/load_policy/Makefile
> > +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> > + SBINDIR ?= $(DESTDIR)/sbin
> > + USRSBINDIR ?= $(PREFIX)/sbin
> > + MANDIR ?= $(PREFIX)/share/man
> > +-LOCALEDIR ?= /usr/share/locale
> > ++LOCALEDIR ?= $(PREFIX)/share/locale
>
> This is also changing /usr to PREFIX, which has nothing to do with
> using DESTDIR.
>
> > +
> > + CFLAGS ?= -Werror -Wall -W
> > + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS
> -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> > +diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
> > +index fb44490..a0666f1 100644
> > +--- a/mcstrans/src/Makefile
> > ++++ b/mcstrans/src/Makefile
> > +@@ -1,22 +1,26 @@
> > +-ARCH = $(shell uname -i)
> > ++# Installation directories.
> > ++PREFIX  ?= $(DESTDIR)/usr
> > ++SBINDIR ?= $(DESTDIR)/sbin
> > ++INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
>
> This has nothing to do with adding DESTDIR, and there is no explanation
> why adding those variable definitions here is necessary. Those
> definitions are normally below, why are you moving them up here?
>
> > ++
> > ++ARCH ?= $(shell uname -i)
>
> Looks good, but needs to be explained in the patch description (and in
> a separate patch).
>
> > + ifeq "$(ARCH)" "x86_64"
> > +     # In case of 64 bit system, use these lines
> > +-    LIBDIR=/usr/lib64
> > +-else
> > ++    LIBDIR=$(PREFIX)/lib64
> > ++else
> > + ifeq "$(ARCH)" "i686"
> > +     # In case of 32 bit system, use these lines
> > +-    LIBDIR=/usr/lib
> > ++    LIBDIR=$(PREFIX)/lib
> > + else
> > + ifeq "$(ARCH)" "i386"
> > +     # In case of 32 bit system, use these lines
> > +-    LIBDIR=/usr/lib
> > ++    LIBDIR=$(PREFIX)/lib
> > ++else
> > ++    # Default to these lines if arch is unknown
> > ++    LIBDIR=$(PREFIX)/lib
>
> This is all /usr -> $(PREFIX) replacement, nothing to do with DESTDIR.
>
> > + endif
> > + endif
> > + endif
> > +-# Installation directories.
> > +-PREFIX  ?= $(DESTDIR)/usr
> > +-SBINDIR ?= $(DESTDIR)/sbin
> > +-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
> > +
> > + PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
> > + PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
> > +diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
> > +index 1ffb027..da5c152 100644
> > +--- a/mcstrans/utils/Makefile
> > ++++ b/mcstrans/utils/Makefile
> > +@@ -2,18 +2,21 @@
> > + PREFIX ?= $(DESTDIR)/usr
> > + BINDIR ?= $(PREFIX)/sbin
> > +
> > +-ARCH = $(shell uname -i)
> > ++ARCH ?= $(shell uname -i)
> > + ifeq "$(ARCH)" "x86_64"
> > +         # In case of 64 bit system, use these lines
> > +-        LIBDIR=/usr/lib64
> > ++        LIBDIR=$(PREFIX)/lib64
> > + else
> > + ifeq "$(ARCH)" "i686"
> > +         # In case of 32 bit system, use these lines
> > +-        LIBDIR=/usr/lib
> > ++        LIBDIR=$(PREFIX)/lib
> > + else
> > + ifeq "$(ARCH)" "i386"
> > +         # In case of 32 bit system, use these lines
> > +-        LIBDIR=/usr/lib
> > ++        LIBDIR=$(PREFIX)/lib
> > ++else
> > ++        # Default to these lines if arch is unknown
> > ++        LIBDIR=$(PREFIX)/lib
>
> Same comments as above;
>
> > + endif
> > + endif
> > + endif
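
Review bot: neither mcstrans/src nor mcstrans/utils appears in POLICYCOREUTILS_MAKE_DIRS or HOST_POLICYCOREUTILS_MAKE_DIRS in the policycoreutils.mk added by this patch, so the ARCH and LIBDIR changes in these two Makefiles are never exercised by the package. Suggest dropping both mcstrans hunks from the series. If they stay, the description should say that the ifeq chain only recognises x86_64, i686 and i386, so with ARCH="$(BR2_ARCH)" every other target, 64-bit ones included, falls through to the new default of $(PREFIX)/lib.
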
> > +diff --git a/newrole/Makefile b/newrole/Makefile
> > +index 646cd4d..045e3b7 100644
> > +--- a/newrole/Makefile
> > ++++ b/newrole/Makefile
> > +@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
> > + BINDIR ?= $(PREFIX)/bin
> > + MANDIR ?= $(PREFIX)/share/man
> > + ETCDIR ?= $(DESTDIR)/etc
> > +-LOCALEDIR = /usr/share/locale
> > +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> > +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> > ++LOCALEDIR = $(PREFIX)/share/locale
> > ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
> > ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>
> This is *completely* wrong. It will look at /usr/include/libaudit.h
> and /usr/include/security/pam_appl.h on your build machine to decide
> where pam and audit support is available. If you follow the fix done
> earlier for INOTIFYH, you should do:
>
> AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
>
> > + # Enable capabilities to permit newrole to generate audit records.
> > + # This will make newrole a setuid root program.
> > + # The capabilities used are: CAP_AUDIT_WRITE.
> > +@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
> > + EXTRA_OBJS =
> > + override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS)
> -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\""
> -DPACKAGE="\"policycoreutils\""
> > + LDLIBS += -lselinux -L$(PREFIX)/lib
> > +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> > ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>
> Same comment as above.
>
> > +     override CFLAGS += -DUSE_PAM
> > +     EXTRA_OBJS += hashtab.o
> > +     LDLIBS += -lpam -lpam_misc
> > +@@ -32,7 +32,7 @@ else
> > +     override CFLAGS += -D_XOPEN_SOURCE=500
> > +     LDLIBS += -lcrypt
> > + endif
> > +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> > ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>
> Ditto.
>
> > +     override CFLAGS += -DUSE_AUDIT
> > +     LDLIBS += -laudit
> > + endif
> > +@@ -66,7 +66,7 @@ install: all
> > +     test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
> > +     install -m $(MODE) newrole $(BINDIR)
> > +     install -m 644 newrole.1 $(MANDIR)/man1/
> > +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> > ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>
> Ditto.
>
> > +     test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
> > + ifeq ($(LSPP_PRIV),y)
> > +     install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
> > +diff --git a/restorecond/Makefile b/restorecond/Makefile
> > +index 3074542..7c40f95 100644
> > +--- a/restorecond/Makefile
> > ++++ b/restorecond/Makefile
> > +@@ -10,11 +10,13 @@ autostart_DATA = sealertauto.desktop
> > + INITDIR = $(DESTDIR)/etc/rc.d/init.d
> > + SELINUXDIR = $(DESTDIR)/etc/selinux
> > +
> > +-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0
> -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
> > ++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0
> -I$(PREFIX)/lib64/dbus-1.0/include \
> > ++            -I$(PREFIX)/lib/dbus-1.0/include
>
> Completely wrong. This will add -I/usr/include/dbus-1.0 when
> cross-compiling. Bad.
>
> > + DBUSLIB = -ldbus-glib-1 -ldbus-1
> > +
> > + CFLAGS ?= -g -Werror -Wall -W
> > +-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS)
> -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include
> -I/usr/lib/glib-2.0/include
> > ++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS)
> -I$(PREFIX)/include/glib-2.0 \
> > ++            -I$(PREFIX)/lib64/glib-2.0/include
> -I$(PREFIX)/lib/glib-2.0/include
>
> Same.
>
> > +
> > + LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
> > +
> > +diff --git a/run_init/Makefile b/run_init/Makefile
> > +index 12b39b4..da49c41 100644
> > +--- a/run_init/Makefile
> > ++++ b/run_init/Makefile
> > +@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
> > + SBINDIR ?= $(PREFIX)/sbin
> > + MANDIR ?= $(PREFIX)/share/man
> > + ETCDIR ?= $(DESTDIR)/etc
> > +-LOCALEDIR ?= /usr/share/locale
> > +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> > +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> > ++LOCALEDIR ?= $(PREFIX)/share/locale
> > ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
> > ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>
> Also wrong.
>
> > +
> > + CFLAGS ?= -Werror -Wall -W
> > + override CFLAGS += -I$(PREFIX)/include -DUSE_NLS
> -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> > + LDLIBS += -lselinux -L$(PREFIX)/lib
> > +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> > ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>
> Ditto.
>
> > +     override CFLAGS += -DUSE_PAM
> > +     LDLIBS += -lpam -lpam_misc
> > + else
> > +     override CFLAGS += -D_XOPEN_SOURCE=500
> > +     LDLIBS += -lcrypt
> > + endif
> > +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> > ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>
> Ditto.
>
> > +     override CFLAGS += -DUSE_AUDIT
> > +     LDLIBS += -laudit
> > + endif
> > +@@ -38,7 +38,7 @@ install: all
> > +     install -m 755 open_init_pty $(SBINDIR)
> > +     install -m 644 run_init.8 $(MANDIR)/man8/
> > +     install -m 644 open_init_pty.8 $(MANDIR)/man8/
> > +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> > ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>
> Ditto.
>
> > +     install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
> > + endif
> > +
> > +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> > +index 11b534f..1249546 100644
> > +--- a/sepolicy/Makefile
> > ++++ b/sepolicy/Makefile
> > +@@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
> > + BINDIR ?= $(PREFIX)/bin
> > + SBINDIR ?= $(PREFIX)/sbin
> > + MANDIR ?= $(PREFIX)/share/man
> > +-LOCALEDIR ?= /usr/share/locale
> > ++LOCALEDIR ?= $(PREFIX)/share/locale
> > + PYTHON ?= /usr/bin/python
> > + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> > + SHAREDIR ?= $(PREFIX)/share/sandbox
> > +diff --git a/setfiles/Makefile b/setfiles/Makefile
> > +index 4b44b3c..ebc22c8 100644
> > +--- a/setfiles/Makefile
> > ++++ b/setfiles/Makefile
> > +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> > + SBINDIR ?= $(DESTDIR)/sbin
> > + MANDIR = $(PREFIX)/share/man
> > + LIBDIR ?= $(PREFIX)/lib
> > +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> > ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>
> Still wrong.
>
> > +
> > + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S
> '{ print $$3 }')
> > + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c |
> awk -S '{ print $$3 }')
> > +@@ -12,7 +12,7 @@ CFLAGS = -g -Werror -Wall -W
> > + override CFLAGS += -I$(PREFIX)/include
> > + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> > +
> > +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> > ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>
> Here as well.
>
> > +     override CFLAGS += -DUSE_AUDIT
> > +     LDLIBS += -laudit
> > + endif
> > +--
> > +1.9.1
> > +
> > diff --git
> a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> > new file mode 100644
> > index 0000000..b6e6d99
> > --- /dev/null
> > +++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> > @@ -0,0 +1,57 @@
> > +From cfce1180f96cca5e7444d94b2ebc39213d7dac75 Mon Sep 17 00:00:00 2001
> > +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> > +Date: Fri, 10 Jul 2015 11:47:09 -0500
> > +Subject: Allow CFLAGS to be overwritten
> > +
> > +Allow all CFLAGS declarations to be overwritten to aid in cross
> > +compiling.
> > +
> > +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> > +---
> > + sepolicy/Makefile | 2 +-
> > + sestatus/Makefile | 2 +-
> > + setfiles/Makefile | 2 +-
> > + 3 files changed, 3 insertions(+), 3 deletions(-)
> > +
> > +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> > +index 1249546..a52667a 100644
> > +--- a/sepolicy/Makefile
> > ++++ b/sepolicy/Makefile
> > +@@ -9,7 +9,7 @@ LOCALEDIR ?= $(PREFIX)/share/locale
> > + PYTHON ?= /usr/bin/python
> > + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> > + SHAREDIR ?= $(PREFIX)/share/sandbox
> > +-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include
> -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> > ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include
> -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>
> -I$(PREFIX)/include -> bad, as it will add -I/usr/include when
> cross-compiling.
>
> > +
> > + BASHCOMPLETIONS=sepolicy-bash-completion.sh
> > +
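
Review bot: the replacement line in the sepolicy/Makefile hunk still carries -Wall -Werror -Wextra -W inside `override CFLAGS +=`, so a caller who passes CFLAGS on the command line cannot drop -Werror for sepolicy, whereas the sestatus and setfiles hunks later in this patch (`CFLAGS ?=`) do let the default be replaced. That does not match the description "Allow all CFLAGS declarations to be overwritten". Suggest moving the warning flags into a `CFLAGS ?=` default, as the other two Makefiles do, and keeping only the mandatory flags in the override line; the $(LDFLAGS) that stays inside CFLAGS also deserves a sentence in the description if it is intentional.
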
> > +diff --git a/sestatus/Makefile b/sestatus/Makefile
> > +index c5db7a3..c04ff00 100644
> > +--- a/sestatus/Makefile
> > ++++ b/sestatus/Makefile
> > +@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
> > + ETCDIR ?= $(DESTDIR)/etc
> > + LIBDIR ?= $(PREFIX)/lib
> > +
> > +-CFLAGS = -Werror -Wall -W
> > ++CFLAGS ?= -Werror -Wall -W
> > + override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
>
> Again here.
>
> > + LDLIBS = -lselinux -L$(LIBDIR)
> > +
> > +diff --git a/setfiles/Makefile b/setfiles/Makefile
> > +index ebc22c8..7c48814 100644
> > +--- a/setfiles/Makefile
> > ++++ b/setfiles/Makefile
> > +@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(PREFIX)/include/libaudit.h
> 2>/dev/null)
> > + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S
> '{ print $$3 }')
> > + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c |
> awk -S '{ print $$3 }')
> > +
> > +-CFLAGS = -g -Werror -Wall -W
> > ++CFLAGS ?= -g -Werror -Wall -W
> > + override CFLAGS += -I$(PREFIX)/include
>
> And here.
>
> Please build with BR2_COMPILER_PARANOID_UNSAFE_PATH=y to detect such
> problems.
>
> > + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> > +
> > +--
> > +1.9.1
> > +
> > diff --git
> a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> > new file mode 100644
> > index 0000000..5bbfb76
> > --- /dev/null
> > +++
> b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> > @@ -0,0 +1,42 @@
> > +From 4bb3e6bda68fe52fcd2df4f27c5900f4b0d50fa1 Mon Sep 17 00:00:00 2001
> > +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> > +Date: Fri, 10 Jul 2015 11:56:49 -0500
> > +Subject: Change sepolicy python install arguments to be a variable
> > +
> > +To allow the python install arguments to be overwritten, change the
> > +arguments to be a variable. This also cleans up the DESTDIR detection a
> > +little bit.
> > +
> > +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> > +---
> > + sepolicy/Makefile | 7 ++++++-
> > + 1 file changed, 6 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> > +index a52667a..4a10df6 100644
> > +--- a/sepolicy/Makefile
> > ++++ b/sepolicy/Makefile
> > +@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
> > + MANDIR ?= $(PREFIX)/share/man
> > + LOCALEDIR ?= $(PREFIX)/share/locale
> > + PYTHON ?= /usr/bin/python
> > ++ifneq (,$(DESTDIR))
> > ++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
> > ++else
> > ++PYTHON_INSTALL_ARGS ?=
> > ++endif
>
> Sounds good, but could be a bit simpler:
>
> ifneq ($(DESTDIR),)
> PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
> endif
>
> > + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> > + SHAREDIR ?= $(PREFIX)/share/sandbox
> > + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include
> -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> > +@@ -23,7 +28,7 @@ clean:
> > +     -rm -rf build *~ \#* *pyc .#*
> > +
> > + install:
> > +-    $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root
> $(DESTDIR)`
> > ++    $(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
> > +     [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
> > +     install -m 755 sepolicy.py $(BINDIR)/sepolicy
> > +     -mkdir -p $(MANDIR)/man8
> > +--
> > +1.9.1
> > +
> > diff --git a/package/policycoreutils/0004-disable-dbus.patch
> b/package/policycoreutils/0004-disable-dbus.patch
> > new file mode 100644
> > index 0000000..b685d0a
> > --- /dev/null
> > +++ b/package/policycoreutils/0004-disable-dbus.patch
> > @@ -0,0 +1,14 @@
> > +--- a/restorecond/Makefile   2016-02-25 13:23:23.286671669 -0600
> > ++++ b/restorecond/Makefile   2016-03-03 12:44:25.032118694 -0600
>
> Missing description + Signed-off-by in this patch.
>
> > +@@ -10,9 +10,11 @@
> > + INITDIR = $(DESTDIR)/etc/rc.d/init.d
> > + SELINUXDIR = $(DESTDIR)/etc/selinux
> > +
> > ++ifdef ENABLE_DBUS
> > + DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0
> -I$(PREFIX)/lib64/dbus-1.0/include \
> > +             -I$(PREFIX)/lib/dbus-1.0/include
> > + DBUSLIB = -ldbus-glib-1 -ldbus-1
> > ++endif
> > +
> > + CFLAGS ?= -g -Werror -Wall -W
> > + override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS)
> -I$(PREFIX)/include/glib-2.0 \
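
Review bot: ENABLE_DBUS, tested by the new `ifdef ENABLE_DBUS`, is not set by anything in this patch: neither POLICYCOREUTILS_MAKE_OPTS nor HOST_POLICYCOREUTILS_MAKE_OPTS in policycoreutils.mk passes it, so DBUSFLAGS and DBUSLIB are empty for both the target and the host build. HOST_POLICYCOREUTILS_DEPENDENCIES still lists host-dbus-glib and restorecond is still in HOST_POLICYCOREUTILS_MAKE_DIRS. Suggest either dropping host-dbus-glib from the host dependencies or passing ENABLE_DBUS for the host build, and stating in the patch description which of the two is intended.
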
> > diff --git a/package/policycoreutils/Config.in
> b/package/policycoreutils/Config.in
> > new file mode 100644
> > index 0000000..3131a02
> > --- /dev/null
> > +++ b/package/policycoreutils/Config.in
> > @@ -0,0 +1,57 @@
> > +config BR2_PACKAGE_POLICYCOREUTILS
> > +     bool "policycoreutils"
> > +     select BR2_PACKAGE_LIBSEMANAGE
>
> libsemanage has lots of other dependencies:
>
>         depends on BR2_TOOLCHAIN_HAS_THREADS
>         depends on !BR2_STATIC_LIBS
>         depends on !BR2_arc
>
> You need to take them into account.
>
> > +     select BR2_PACKAGE_LIBCAP_NG
> > +     select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
> > +     depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
> > +     depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL #
> uses fts.h
> > +     help
> > +       Policycoreutils is a collection of policy utilities (originally
> > +       the "core" set of utilities needed to use SELinux, although it
> > +       has grown a bit over time), which have different dependencies.
> > +       sestatus, secon, run_init, and newrole only use libselinux.
> > +       load_policy and setfiles only use libselinux and libsepol.
> > +       semodule and semanage use libsemanage (and thus bring in
> > +       dependencies on libsepol and libselinux as well). setsebool
> > +       uses libselinux to make non-persistent boolean changes (via
> > +       the kernel interface) and uses libsemanage to make persistent
> > +       boolean changes.
> > +
> > +       The base package will install the following utilities:
> > +           load_policy
> > +           newrole
> > +           restorecond
> > +           run_init
> > +           secon
> > +           semodule
> > +           semodule_deps
> > +           semodule_expand
> > +           semodule_link
> > +           semodule_package
> > +           sepolgen-ifgen
> > +           sestatus
> > +           setfiles
> > +           setsebool
> > +
> > +       http://selinuxproject.org/page/Main_Page
> > +
> > +comment "policycoreutils needs a glibc or musl toolchain w/ threads"
> > +     depends on !BR2_TOOLCHAIN_HAS_THREADS  \
> > +             || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
> > +
> > +if BR2_PACKAGE_POLICYCOREUTILS
> > +
> > +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
> > +     bool "restorecond Utility"
> > +     select BR2_PACKAGE_LIBGLIB2 #glib2
> > +     depends on BR2_USE_WCHAR # glib2
> > +     depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
> > +     depends on BR2_USE_MMU # glib2
> > +     help
> > +       Enable restorecond to be built
> > +
> > +comment "restorecond needs a toolchain w/ wchar, threads"
> > +     depends on BR2_USE_MMU
> > +     depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
> > +
> > +endif
> > diff --git a/package/policycoreutils/policycoreutils.hash
> b/package/policycoreutils/policycoreutils.hash
> > new file mode 100644
> > index 0000000..575dd25
> > --- /dev/null
> > +++ b/package/policycoreutils/policycoreutils.hash
> > @@ -0,0 +1,2 @@
> > +# https://github.com/SELinuxProject/selinux/wiki/Releases
> > +sha256
> b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5
> policycoreutils-2.1.14.tar.gz
> > diff --git a/package/policycoreutils/policycoreutils.mk
> b/package/policycoreutils/policycoreutils.mk
> > new file mode 100644
> > index 0000000..aed2705
> > --- /dev/null
> > +++ b/package/policycoreutils/policycoreutils.mk
> > @@ -0,0 +1,108 @@
> >
> +################################################################################
> > +#
> > +# policycoreutils
> > +#
> >
> +################################################################################
> > +
> > +POLICYCOREUTILS_VERSION = 2.1.14
> > +POLICYCOREUTILS_SITE =
> https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
> > +POLICYCOREUTILS_LICENSE = GPLv2
> > +POLICYCOREUTILS_LICENSE_FILES = COPYING
> > +
> > +# gettext for load_policy.c use of libintl_* functions
> > +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if
> $(BR2_NEEDS_GETTEXT),gettext)
> > +
> > +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
> > +POLICYCOREUTILS_DEPENDENCIES += linux-pam
> > +POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
> > +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
> > +     $(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd
> $(TARGET_DIR)/etc/pam.d/newrole
> > +     $(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd
> $(TARGET_DIR)/etc/pam.d/run_init
> > +endef
> > +endif
> > +
> > +ifeq ($(BR2_PACKAGE_AUDIT),y)
> > +POLICYCOREUTILS_DEPENDENCIES += audit
> > +POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
> > +endif
> > +
> > +# Enable LSPP_PRIV if both audit and linux pam are enabled
> > +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
> > +POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
> > +endif
> > +
> > +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> > +# large file support.
> > +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more
> information
> > +POLICYCOREUTILS_MAKE_OPTS += \
> > +     CC="$(TARGET_CC)" \
> > +     CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
> > +     LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)" \
> > +     ARCH="$(BR2_ARCH)"
> > +
> > +POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
> > +     secon semodule semodule_deps semodule_expand semodule_link \
> > +     semodule_package sepolgen-ifgen sestatus setfiles setsebool
> > +
> > +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
> > +POLICYCOREUTILS_MAKE_DIRS += restorecond
> > +endif
> > +
> > +define POLICYCOREUTILS_BUILD_CMDS
> > +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> > +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS)
> DESTDIR=$(STAGING_DIR) all || exit 1 ; \
> > +     done
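
Review bot: the NAMESPACE_PRIV=y, AUDIT_LOG_PRIV=y and LSPP_PRIV=y options set near the top of this file change the privileges newrole is installed with, and nothing here or in the Config.in help says so. The newrole/Makefile context quoted earlier in this patch states that enabling the audit capability "will make newrole a setuid root program", which is what AUDIT_LOG_PRIV=y appears to select, and the install step there is `install -m $(MODE) newrole $(BINDIR)`. Suggest a comment above each of these blocks and a line in the help text saying that selecting linux-pam or audit makes newrole setuid, and, if that is intended, consider an explicit POLICYCOREUTILS_PERMISSIONS entry so the owner and mode in the image are stated by the package rather than inherited from the upstream install rule.
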
>
> Please add a comment above this that explains why you're passing
> DESTDIR=$(STAGING_DIR) at build time.
>
> > +endef
> > +
> > +define POLICYCOREUTILS_INSTALL_TARGET_CMDS
> > +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> > +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS)
> DESTDIR=$(TARGET_DIR) install || exit 1 ; \
> > +     done
> > +endef
> > +
> > +HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib
> host-sepolgen host-setools
> > +
> > +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> > +# large file support.
> > +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more
> information
> > +HOST_POLICYCOREUTILS_MAKE_OPTS = \
> > +     CC="$(HOSTCC)" \
> > +     CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
> > +     PYTHON="$(HOST_DIR)/usr/bin/python" \
> > +     PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)" \
> > +     ARCH="$(HOSTARCH)" \
> > +     LDFLAGS="$(HOST_LDFLAGS)"
> > +
> > +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> > +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
> > +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> > +     PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
> > +else
> > +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
> > +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> > +     PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
> > +endif
> > +
> > +# Note: We are only building the programs required by the refpolicy
> build
> > +HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps
> semodule_expand semodule_link \
> > +     semodule_package setfiles restorecond audit2allow audit2why
> scripts semanage sepolicy
> > +
> > +define HOST_POLICYCOREUTILS_BUILD_CMDS
> > +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> > +             $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS)
> DESTDIR=$(HOST_DIR) all || exit 1 ; \
>
> DESTDIR=$(HOST_DIR) is wrong. You should instead use
> PREFIX=$(HOST_DIR)/usr.
>
> > +define HOST_POLICYCOREUTILS_INSTALL_CMDS
> > +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> > +             $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS)
> DESTDIR=$(HOST_DIR) install || exit 1 ; \
>
> Ditto.
>
> > +     done
> > +     # Fix python paths
> > +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/audit2allow
> > +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/audit2why
> > +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/sepolgen-ifgen
> > +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/sepolicy
>
> Sadly, this means more hardcoded paths, but I guess it's OK for now, I
> prefer to sort out the other issues. This one can be solved later.
>
> Could you rework your patch to solve the other issues raised above?
>
> Thomas
> --
> Thomas Petazzoni, CTO, Free Electrons
> Embedded Linux, Kernel and Android engineering
> http://free-electrons.com
>

^ permalink raw reply	[flat|nested] 6+ messages in thread
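
An added example, not part of the thread and not Buildroot code: a small Python checker in the spirit of the unsafe-path detection the review points to with BR2_COMPILER_PARANOID_UNSAFE_PATH. It expands Makefile variables for a given make command line and reports `-I`/`-L` flags and `$(shell ls ...)` header probes that resolve to host directories. The sample Makefile is constructed from lines quoted in the review; the host directory list and all function names are assumptions of the example.

```python
import posixpath
import re

# Host directories that must not leak into a cross build. This list is an
# assumption of the example, not copied from Buildroot.
UNSAFE_DIRS = ("/usr/include", "/usr/lib", "/usr/lib64",
               "/usr/local/include", "/usr/local/lib")

VAR_REF = re.compile(r"\$[({](\w+)[)}]")               # $(VAR) or ${VAR}
ASSIGN = re.compile(r"^\s*(\w+)\s*(\?=|:=|=)\s*(.*)$")  # VAR ?= value, VAR = value
FLAG = re.compile(r"(?<!\S)-([IL])\s*(\S+)")           # -I<dir> or -L<dir>
PROBE = re.compile(r"\$\(shell\s+ls\s+(\S+)")          # $(shell ls <path> ...)

# Constructed sample, assembled from Makefile lines quoted in the review.
SAMPLE = """\
PREFIX ?= $(DESTDIR)/usr
AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include
LDLIBS += -lselinux -L$(PREFIX)/lib
"""


def expand(text, variables, max_depth=10):
    """Expand $(VAR) references repeatedly; undefined variables become ''."""
    for _ in range(max_depth):
        expanded = VAR_REF.sub(lambda m: variables.get(m.group(1), ""), text)
        if expanded == text:
            break
        text = expanded
    return text


def is_host_path(path):
    """True if an absolute path lies in one of the host directories."""
    if not path.startswith("/"):
        return False
    norm = "/" + posixpath.normpath(path).lstrip("/")
    return any(norm == d or norm.startswith(d + "/") for d in UNSAFE_DIRS)


def unsafe_paths(makefile_text, cmdline_vars):
    """Return (line number, kind, path) for every host path the build would use.

    cmdline_vars models variables given on the make command line, which take
    precedence over assignments in the Makefile (simplification: the first
    assignment found in the file is used as the default for a variable).
    """
    variables = dict(cmdline_vars)
    for line in makefile_text.splitlines():
        match = ASSIGN.match(line)
        if match:
            variables.setdefault(match.group(1), match.group(3))

    findings = []
    for lineno, raw in enumerate(makefile_text.splitlines(), 1):
        line = expand(raw, variables)
        for match in FLAG.finditer(line):
            if is_host_path(match.group(2)):
                findings.append((lineno, "-" + match.group(1), match.group(2)))
        for match in PROBE.finditer(line):
            if is_host_path(match.group(1)):
                findings.append((lineno, "probe", match.group(1)))
    return findings


if __name__ == "__main__":
    # /br/staging is a placeholder staging directory for the example.
    for label, cmdline in (("DESTDIR not passed", {}),
                           ("DESTDIR=/br/staging", {"DESTDIR": "/br/staging"})):
        print(label)
        for lineno, kind, path in unsafe_paths(SAMPLE, cmdline):
            print(f"  line {lineno}: {kind} {path}")
```

With DESTDIR left unset every `$(PREFIX)` path collapses to `/usr/...`; with DESTDIR passed at build time only the hard-coded `/usr` paths remain flagged.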

* [Buildroot] [ PATCH Selinux v11] policycoreutils: new package
  2016-03-22 22:02 ` Thomas Petazzoni
  2016-04-01 12:26   ` Niranjan Reddy
@ 2016-04-08  3:00   ` Matthew Weber
  2016-04-14 11:13     ` Niranjan Reddy
  1 sibling, 1 reply; 6+ messages in thread
From: Matthew Weber @ 2016-04-08  3:00 UTC (permalink / raw)
  To: buildroot

Niranjan,

On Tue, Mar 22, 2016 at 5:02 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Hello,
>
> I really wanted to apply this patch and finally get the remaining
> SELinux support in, but there are still some really wrong things in
> there.
>
> On Wed, 16 Mar 2016 17:12:14 +0530, Niranjan Reddy wrote:
>> From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>>
>> This package contains the core policy utilities that are required
>> for basic operation of an SELinux system.Four patchs are included
>> in this package.
>
> Minor typos: space after ".", patchs -> patches.
>
>> Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> Allow-CFLAGS-to-be-overwritten.patch
>> Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> disable-dbus.patch
>
> Completely useless to just give the filenames, especially when they are
> wrong.

Valid point, need to fix typo and provide a description of what the
patches are doing after the "Four patches are included...." statement.
Remove the list of patch names.

>
>
>> diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> new file mode 100644
>> index 0000000..0192e5c
>> --- /dev/null
>> +++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> @@ -0,0 +1,275 @@
>> +From 92d7cc3539f8bfc68b2f2bf688375647abf73ee7 Mon Sep 17 00:00:00 2001
>> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +Date: Fri, 10 Jul 2015 11:44:08 -0500
>> +Subject: Add DESTDIR to all paths that use an absolute path
>> +
>> +To aid in cross compiling, add the DESTDIR variable to the start of all
>> +of the paths used during compilation. Most paths already used DESTDIR.

Add note that "The addition of this patch makes the use of DESTDIR
mandatory as there are conditional checks which would fail if it's not
defined."

>> +
>> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>
> This patch does a *LOT* more than adding DESTDIR. Just check by
> yourself. Read your own patch! It should be split in several patches.

I have put comments in below noting what to put in the creation of the
following new patches.  Some suggested descriptions for the new
patches are below too.

1) DESTDIR
2) PREFIX
3) Removal of ARCH

>
>> +---
>> + Makefile                |  4 ++--
>> + audit2allow/Makefile    |  2 +-
>> + load_policy/Makefile    |  2 +-
>> + mcstrans/src/Makefile   | 22 +++++++++++++---------
>> + mcstrans/utils/Makefile | 11 +++++++----
>> + newrole/Makefile        | 12 ++++++------
>> + restorecond/Makefile    |  6 ++++--
>> + run_init/Makefile       | 12 ++++++------
>> + sepolicy/Makefile       |  2 +-
>> + setfiles/Makefile       |  4 ++--
>> + 10 files changed, 43 insertions(+), 34 deletions(-)
>> +
>> +diff --git a/Makefile b/Makefile
>> +index 3980799..0fca022 100644
>> +--- a/Makefile
>> ++++ b/Makefile
>> +@@ -1,8 +1,8 @@
>> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
>> +
>> +-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
>> ++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
>
> This is not super great, as it assumes DESTDIR is passed at build time,
> which is not very standard. But OK, that's the easiest solution. But it
> should *definitely* be explained in the description of the patch, as
> it's non trivial.
>

Move to patch #1

I added a note about this above and suggested a statement to add.

>> +
>> +-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
>> ++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
>> +     SUBDIRS += restorecond
>> + endif

Move to patch #2

Change to use PREFIX.

For patch two, the description could be something like....
"Updates the remaining hardcoded host paths used in the build to be
prefixed with a PREFIX path to allow cross compilation."

>> +
>> +diff --git a/audit2allow/Makefile b/audit2allow/Makefile
>> +index 88635d4..1647b5a 100644
>> +--- a/audit2allow/Makefile
>> ++++ b/audit2allow/Makefile
>> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
>> + BINDIR ?= $(PREFIX)/bin
>> + LIBDIR ?= $(PREFIX)/lib
>> + MANDIR ?= $(PREFIX)/share/man
>> +-LOCALEDIR ?= /usr/share/locale
>> ++LOCALEDIR ?= $(PREFIX)/share/locale
>
> This is not about adding DESTDIR, but about changing a hardcoded /usr
> to $(PREFIX).

Move to patch #2

>
> In addition, in the INOTIFYH fix above, you don't change usr/ to
> $(PREFIX).

Resolved above.

>
>> +
>> + all: ;
>> +
>> +diff --git a/load_policy/Makefile b/load_policy/Makefile
>> +index 7c5bab0..5cd0bbb 100644
>> +--- a/load_policy/Makefile
>> ++++ b/load_policy/Makefile
>> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
>> + SBINDIR ?= $(DESTDIR)/sbin
>> + USRSBINDIR ?= $(PREFIX)/sbin
>> + MANDIR ?= $(PREFIX)/share/man
>> +-LOCALEDIR ?= /usr/share/locale
>> ++LOCALEDIR ?= $(PREFIX)/share/locale
>
> This is also changing /usr to PREFIX, which has nothing to do with
> using DESTDIR.

Move to patch #2

>
>> +
>> + CFLAGS ?= -Werror -Wall -W
>> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>> +diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
>> +index fb44490..a0666f1 100644
>> +--- a/mcstrans/src/Makefile
>> ++++ b/mcstrans/src/Makefile
>> +@@ -1,22 +1,26 @@
>> +-ARCH = $(shell uname -i)

Move the above line to patch #3

>> ++# Installation directories.
>> ++PREFIX  ?= $(DESTDIR)/usr
>> ++SBINDIR ?= $(DESTDIR)/sbin
>> ++INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
>
> This has nothing to do with adding DESTDIR, and there is no explanation
> why adding those variable definitions here is necessary. Those
> definitions are normally below, why are you moving them up here?

Niranjan, why did they move, I don't have the complete file in front
of me to check?

>
>> ++
>> ++ARCH ?= $(shell uname -i)
>
> Looks good, but needs to be explained in the patch description (and in
> a separate patch).

Move to patch #3

Use a description that's something like this in the patch....
"Allow the ARCH value to be passed in as original configuration was
solely based on host architecture."

>
>> + ifeq "$(ARCH)" "x86_64"
>> +     # In case of 64 bit system, use these lines
>> +-    LIBDIR=/usr/lib64
>> +-else
>> ++    LIBDIR=$(PREFIX)/lib64
>> ++else
>> + ifeq "$(ARCH)" "i686"
>> +     # In case of 32 bit system, use these lines
>> +-    LIBDIR=/usr/lib
>> ++    LIBDIR=$(PREFIX)/lib
>> + else
>> + ifeq "$(ARCH)" "i386"
>> +     # In case of 32 bit system, use these lines
>> +-    LIBDIR=/usr/lib
>> ++    LIBDIR=$(PREFIX)/lib
>> ++else
>> ++    # Default to these lines if arch is unknown
>> ++    LIBDIR=$(PREFIX)/lib
>
> This is all /usr -> $(PREFIX) replacement, nothing to do with DESTDIR.

Move above changes to patch #2

>
>> + endif
>> + endif
>> + endif
>> +-# Installation directories.
>> +-PREFIX  ?= $(DESTDIR)/usr
>> +-SBINDIR ?= $(DESTDIR)/sbin
>> +-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d

Like previous comment, why did these get removed from here and moved above?

>> +
>> + PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
>> + PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
>> +diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
>> +index 1ffb027..da5c152 100644
>> +--- a/mcstrans/utils/Makefile
>> ++++ b/mcstrans/utils/Makefile
>> +@@ -2,18 +2,21 @@
>> + PREFIX ?= $(DESTDIR)/usr
>> + BINDIR ?= $(PREFIX)/sbin
>> +
>> +-ARCH = $(shell uname -i)
>> ++ARCH ?= $(shell uname -i)

Move the above two lines to patch #3

>> + ifeq "$(ARCH)" "x86_64"
>> +         # In case of 64 bit system, use these lines
>> +-        LIBDIR=/usr/lib64
>> ++        LIBDIR=$(PREFIX)/lib64
>> + else
>> + ifeq "$(ARCH)" "i686"
>> +         # In case of 32 bit system, use these lines
>> +-        LIBDIR=/usr/lib
>> ++        LIBDIR=$(PREFIX)/lib
>> + else
>> + ifeq "$(ARCH)" "i386"
>> +         # In case of 32 bit system, use these lines
>> +-        LIBDIR=/usr/lib
>> ++        LIBDIR=$(PREFIX)/lib
>> ++else
>> ++        # Default to these lines if arch is unknown
>> ++        LIBDIR=$(PREFIX)/lib
>

Move to patch #2

> Same comments as above;
>
>> + endif
>> + endif
>> + endif
>> +diff --git a/newrole/Makefile b/newrole/Makefile
>> +index 646cd4d..045e3b7 100644
>> +--- a/newrole/Makefile
>> ++++ b/newrole/Makefile
>> +@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
>> + BINDIR ?= $(PREFIX)/bin
>> + MANDIR ?= $(PREFIX)/share/man
>> + ETCDIR ?= $(DESTDIR)/etc
>> +-LOCALEDIR = /usr/share/locale
>> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
>> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
>> ++LOCALEDIR = $(PREFIX)/share/locale
>> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
>> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>
> This is *completely* wrong. It will look at /usr/include/libaudit.h
> and /usr/include/security/pam_appl.h on your build machine to decide
> where pam and audit support is available. If you follow the fix done
> earlier for INOTIFYH, you should do:
>
> AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)

The variable DESTDIR when used in PREFIX isn't expanded because you're
in a shell in that "shell ls" command.  So you have to use
$(DESTDIR)/usr.

Move to patch #1 and update as noted to use $(DESTDIR)/usr/ for PAMH=, AUDITD=

>
>> + # Enable capabilities to permit newrole to generate audit records.
>> + # This will make newrole a setuid root program.
>> + # The capabilities used are: CAP_AUDIT_WRITE.
>> +@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
>> + EXTRA_OBJS =
>> + override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>> + LDLIBS += -lselinux -L$(PREFIX)/lib
>> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>

Move to patch #2

> Same comment as above.
>
>> +     override CFLAGS += -DUSE_PAM
>> +     EXTRA_OBJS += hashtab.o
>> +     LDLIBS += -lpam -lpam_misc
>> +@@ -32,7 +32,7 @@ else
>> +     override CFLAGS += -D_XOPEN_SOURCE=500
>> +     LDLIBS += -lcrypt
>> + endif
>> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
>> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>
> Ditto.

Move to patch #2

>
>> +     override CFLAGS += -DUSE_AUDIT
>> +     LDLIBS += -laudit
>> + endif
>> +@@ -66,7 +66,7 @@ install: all
>> +     test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
>> +     install -m $(MODE) newrole $(BINDIR)
>> +     install -m 644 newrole.1 $(MANDIR)/man1/
>> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>
> Ditto.

Move to patch #2

>
>> +     test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
>> + ifeq ($(LSPP_PRIV),y)
>> +     install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
>> +diff --git a/restorecond/Makefile b/restorecond/Makefile
>> +index 3074542..7c40f95 100644
>> +--- a/restorecond/Makefile
>> ++++ b/restorecond/Makefile
>> +@@ -10,11 +10,13 @@ autostart_DATA = sealertauto.desktop
>> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
>> + SELINUXDIR = $(DESTDIR)/etc/selinux
>> +
>> +-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
>> ++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
>> ++            -I$(PREFIX)/lib/dbus-1.0/include
>
> Completely wrong. This will add -I/usr/include/dbus-1.0 when
> cross-compiling. Bad.
>

Same as other case of variable expansion.  Update all use of PREFIX to
be $(DESTDIR)/usr/

Move to patch #1

>> + DBUSLIB = -ldbus-glib-1 -ldbus-1
>> +
>> + CFLAGS ?= -g -Werror -Wall -W
>> +-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
>> ++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
>> ++            -I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
>
> Same.


Same as other case of variable expansion.  Update all use of PREFIX to
be $(DESTDIR)/usr/

Move to patch #1

>
>> +
>> + LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
>> +
>> +diff --git a/run_init/Makefile b/run_init/Makefile
>> +index 12b39b4..da49c41 100644
>> +--- a/run_init/Makefile
>> ++++ b/run_init/Makefile
>> +@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
>> + SBINDIR ?= $(PREFIX)/sbin
>> + MANDIR ?= $(PREFIX)/share/man
>> + ETCDIR ?= $(DESTDIR)/etc
>> +-LOCALEDIR ?= /usr/share/locale
>> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
>> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
>> ++LOCALEDIR ?= $(PREFIX)/share/locale
>> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
>> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>
> Also wrong.
>

Same as other case of variable expansion.  Update all use of PREFIX
when used in a "shell ls" to be $(DESTDIR)/usr/

Move to patch #1

>> +
>> + CFLAGS ?= -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>> + LDLIBS += -lselinux -L$(PREFIX)/lib
>> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>
> Ditto.

Move to patch #2

>
>> +     override CFLAGS += -DUSE_PAM
>> +     LDLIBS += -lpam -lpam_misc
>> + else
>> +     override CFLAGS += -D_XOPEN_SOURCE=500
>> +     LDLIBS += -lcrypt
>> + endif
>> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
>> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>
> Ditto.

Move to patch #2

>
>> +     override CFLAGS += -DUSE_AUDIT
>> +     LDLIBS += -laudit
>> + endif
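
Review bot: LOCALEDIR in this run_init hunk becomes $(PREFIX)/share/locale, and the same hunk hands it to the compiler as -DLOCALEDIR="\"$(LOCALEDIR)\"", so with PREFIX ?= $(DESTDIR)/usr the build-time DESTDIR is compiled into run_init as its run-time locale directory. Install locations and compiled-in run-time paths need separate variables: keep the -D define at the target path (/usr/share/locale) and apply DESTDIR only where files are installed or headers are probed. The same applies to the LOCALEDIR changes in newrole, sepolicy, audit2allow and load_policy.
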
>> +@@ -38,7 +38,7 @@ install: all
>> +     install -m 755 open_init_pty $(SBINDIR)
>> +     install -m 644 run_init.8 $(MANDIR)/man8/
>> +     install -m 644 open_init_pty.8 $(MANDIR)/man8/
>> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>
> Ditto.

Move to patch #2

>
>> +     install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
>> + endif
>> +
>> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> +index 11b534f..1249546 100644
>> +--- a/sepolicy/Makefile
>> ++++ b/sepolicy/Makefile
>> +@@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
>> + BINDIR ?= $(PREFIX)/bin
>> + SBINDIR ?= $(PREFIX)/sbin
>> + MANDIR ?= $(PREFIX)/share/man
>> +-LOCALEDIR ?= /usr/share/locale
>> ++LOCALEDIR ?= $(PREFIX)/share/locale

Move to patch #2

>> + PYTHON ?= /usr/bin/python
>> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> +diff --git a/setfiles/Makefile b/setfiles/Makefile
>> +index 4b44b3c..ebc22c8 100644
>> +--- a/setfiles/Makefile
>> ++++ b/setfiles/Makefile
>> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
>> + SBINDIR ?= $(DESTDIR)/sbin
>> + MANDIR = $(PREFIX)/share/man
>> + LIBDIR ?= $(PREFIX)/lib
>> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
>> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>
> Still wrong.

Same as other case of variable expansion.  Update all use of PREFIX
when used in a "shell ls" to be $(DESTDIR)/usr/

Move to patch #1

>
>> +
>> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
>> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
>> +@@ -12,7 +12,7 @@ CFLAGS = -g -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include
>> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
>> +
>> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
>> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>
> Here as well.

Move to patch #2

>
>> +     override CFLAGS += -DUSE_AUDIT
>> +     LDLIBS += -laudit
>> + endif
>> +--
>> +1.9.1
>> +
>> diff --git a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
>> new file mode 100644
>> index 0000000..b6e6d99
>> --- /dev/null
>> +++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
>> @@ -0,0 +1,57 @@
>> +From cfce1180f96cca5e7444d94b2ebc39213d7dac75 Mon Sep 17 00:00:00 2001
>> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +Date: Fri, 10 Jul 2015 11:47:09 -0500
>> +Subject: Allow CFLAGS to be overwritten
>> +
>> +Allow all CFLAGS declarations to be overwritten to aid in cross
>> +compiling.
>> +
>> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +---
>> + sepolicy/Makefile | 2 +-
>> + sestatus/Makefile | 2 +-
>> + setfiles/Makefile | 2 +-
>> + 3 files changed, 3 insertions(+), 3 deletions(-)
>> +
>> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> +index 1249546..a52667a 100644
>> +--- a/sepolicy/Makefile
>> ++++ b/sepolicy/Makefile
>> +@@ -9,7 +9,7 @@ LOCALEDIR ?= $(PREFIX)/share/locale
>> + PYTHON ?= /usr/bin/python
>> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> +-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>> ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>
> -I$(PREFIX)/include -> bad, as it will add -I/usr/include when
> cross-compiling.

Update to instead be $(DESTDIR)/usr

>
>> +
>> + BASHCOMPLETIONS=sepolicy-bash-completion.sh
>> +
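
Review bot: in this sepolicy hunk, override CFLAGS += lets a caller's CFLAGS through but still appends -Wall -Werror -Wextra -W unconditionally, so the commit message's "Allow all CFLAGS declarations to be overwritten" does not hold for this file, unlike the CFLAGS ?= form used for sestatus and setfiles. Consider moving the warning flags into a CFLAGS ?= default and keeping only the required -I, -D and -shared flags on the override line.
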
>> +diff --git a/sestatus/Makefile b/sestatus/Makefile
>> +index c5db7a3..c04ff00 100644
>> +--- a/sestatus/Makefile
>> ++++ b/sestatus/Makefile
>> +@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
>> + ETCDIR ?= $(DESTDIR)/etc
>> + LIBDIR ?= $(PREFIX)/lib
>> +
>> +-CFLAGS = -Werror -Wall -W
>> ++CFLAGS ?= -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
>
> Again here.

Update to instead be $(DESTDIR)/usr

>
>> + LDLIBS = -lselinux -L$(LIBDIR)
>> +
>> +diff --git a/setfiles/Makefile b/setfiles/Makefile
>> +index ebc22c8..7c48814 100644
>> +--- a/setfiles/Makefile
>> ++++ b/setfiles/Makefile
>> +@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
>> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
>> +
>> +-CFLAGS = -g -Werror -Wall -W
>> ++CFLAGS ?= -g -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include
>
> And here.


Update to instead be $(DESTDIR)/usr

>
> Please build with BR2_COMPILER_PARANOID_UNSAFE_PATH=y to detect such
> problems.
>
>> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
>> +
>> +--
>> +1.9.1
>> +
>> diff --git a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> new file mode 100644
>> index 0000000..5bbfb76
>> --- /dev/null
>> +++ b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> @@ -0,0 +1,42 @@
>> +From 4bb3e6bda68fe52fcd2df4f27c5900f4b0d50fa1 Mon Sep 17 00:00:00 2001
>> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +Date: Fri, 10 Jul 2015 11:56:49 -0500
>> +Subject: Change sepolicy python install arguments to be a variable
>> +
>> +To allow the python install arguments to be overwritten, change the
>> +arguments to be a variable. This also cleans up the DESTDIR detection a
>> +little bit.
>> +
>> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +---
>> + sepolicy/Makefile | 7 ++++++-
>> + 1 file changed, 6 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> +index a52667a..4a10df6 100644
>> +--- a/sepolicy/Makefile
>> ++++ b/sepolicy/Makefile
>> +@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
>> + MANDIR ?= $(PREFIX)/share/man
>> + LOCALEDIR ?= $(PREFIX)/share/locale
>> + PYTHON ?= /usr/bin/python
>> ++ifneq (,$(DESTDIR))
>> ++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
>> ++else
>> ++PYTHON_INSTALL_ARGS ?=
>> ++endif
>
> Sounds good, but could be a bit simpler:
>
> ifneq ($(DESTDIR),)
> PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
> endif

Update as noted

>
>> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>> +@@ -23,7 +28,7 @@ clean:
>> +     -rm -rf build *~ \#* *pyc .#*
>> +
>> + install:
>> +-    $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
>> ++    $(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
>> +     [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
>> +     install -m 755 sepolicy.py $(BINDIR)/sepolicy
>> +     -mkdir -p $(MANDIR)/man8
>> +--
>> +1.9.1
>> +
>> diff --git a/package/policycoreutils/0004-disable-dbus.patch b/package/policycoreutils/0004-disable-dbus.patch
>> new file mode 100644
>> index 0000000..b685d0a
>> --- /dev/null
>> +++ b/package/policycoreutils/0004-disable-dbus.patch
>> @@ -0,0 +1,14 @@
>> +--- a/restorecond/Makefile   2016-02-25 13:23:23.286671669 -0600
>> ++++ b/restorecond/Makefile   2016-03-03 12:44:25.032118694 -0600
>
> Missing description + Signed-off-by in this patch.

Update as noted.

Description...
" Adds a condition to prevent linking against dbus when at build time
dbus has not been enabled"

>
>> +@@ -10,9 +10,11 @@
>> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
>> + SELINUXDIR = $(DESTDIR)/etc/selinux
>> +
>> ++ifdef ENABLE_DBUS
>> + DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
>> +             -I$(PREFIX)/lib/dbus-1.0/include
>> + DBUSLIB = -ldbus-glib-1 -ldbus-1
>> ++endif
>> +
>> + CFLAGS ?= -g -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
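
Review bot: ifdef ENABLE_DBUS in this restorecond hunk is true for any non-empty value, so ENABLE_DBUS=n or ENABLE_DBUS=0 on the command line would still turn the dbus flags on; a test such as ifeq ($(ENABLE_DBUS),y) is less surprising. Nothing in the policycoreutils.mk posted with it sets ENABLE_DBUS for either the target or the host build, even though HOST_POLICYCOREUTILS_DEPENDENCIES still lists host-dbus-glib, so either pass the variable where dbus is available or drop that dependency.
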
>> diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
>> new file mode 100644
>> index 0000000..3131a02
>> --- /dev/null
>> +++ b/package/policycoreutils/Config.in
>> @@ -0,0 +1,57 @@
>> +config BR2_PACKAGE_POLICYCOREUTILS
>> +     bool "policycoreutils"
>> +     select BR2_PACKAGE_LIBSEMANAGE
>
> libsemanage has lots of other dependencies:
>
>         depends on BR2_TOOLCHAIN_HAS_THREADS
>         depends on !BR2_STATIC_LIBS
>         depends on !BR2_arc
>
> You need to take them into account.
>

Noted, add those three.

>> +     select BR2_PACKAGE_LIBCAP_NG
>> +     select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
>> +     depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
>> +     depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
>> +     help
>> +       Policycoreutils is a collection of policy utilities (originally
>> +       the "core" set of utilities needed to use SELinux, although it
>> +       has grown a bit over time), which have different dependencies.
>> +       sestatus, secon, run_init, and newrole only use libselinux.
>> +       load_policy and setfiles only use libselinux and libsepol.
>> +       semodule and semanage use libsemanage (and thus bring in
>> +       dependencies on libsepol and libselinux as well). setsebool
>> +       uses libselinux to make non-persistent boolean changes (via
>> +       the kernel interface) and uses libsemanage to make persistent
>> +       boolean changes.
>> +
>> +       The base package will install the following utilities:
>> +           load_policy
>> +           newrole
>> +           restorecond
>> +           run_init
>> +           secon
>> +           semodule
>> +           semodule_deps
>> +           semodule_expand
>> +           semodule_link
>> +           semodule_package
>> +           sepolgen-ifgen
>> +           sestatus
>> +           setfiles
>> +           setsebool
>> +
>> +       http://selinuxproject.org/page/Main_Page
>> +
>> +comment "policycoreutils needs a glibc or musl toolchain w/ threads"
>> +     depends on !BR2_TOOLCHAIN_HAS_THREADS  \
>> +             || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
>> +
>> +if BR2_PACKAGE_POLICYCOREUTILS
>> +
>> +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
>> +     bool "restorecond Utility"
>> +     select BR2_PACKAGE_LIBGLIB2 #glib2
>> +     depends on BR2_USE_WCHAR # glib2
>> +     depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
>> +     depends on BR2_USE_MMU # glib2
>> +     help
>> +       Enable restorecond to be built
>> +
>> +comment "restorecond needs a toolchain w/ wchar, threads"
>> +     depends on BR2_USE_MMU
>> +     depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
>> +
>> +endif
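
Review bot: the help text lists restorecond among the utilities the base package installs, but restorecond is only built when BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND is enabled; drop it from the base list or mark it as optional. The sub-option's help, "Enable restorecond to be built", could also say what restorecond does.
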
>> diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
>> new file mode 100644
>> index 0000000..575dd25
>> --- /dev/null
>> +++ b/package/policycoreutils/policycoreutils.hash
>> @@ -0,0 +1,2 @@
>> +# https://github.com/SELinuxProject/selinux/wiki/Releases
>> +sha256 b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5  policycoreutils-2.1.14.tar.gz
>> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
>> new file mode 100644
>> index 0000000..aed2705
>> --- /dev/null
>> +++ b/package/policycoreutils/policycoreutils.mk
>> @@ -0,0 +1,108 @@
>> +################################################################################
>> +#
>> +# policycoreutils
>> +#
>> +################################################################################
>> +
>> +POLICYCOREUTILS_VERSION = 2.1.14
>> +POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
>> +POLICYCOREUTILS_LICENSE = GPLv2
>> +POLICYCOREUTILS_LICENSE_FILES = COPYING
>> +
>> +# gettext for load_policy.c use of libintl_* functions
>> +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
>> +
>> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
>> +POLICYCOREUTILS_DEPENDENCIES += linux-pam
>> +POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
>> +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
>> +     $(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
>> +     $(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
>> +endef
>> +endif
>> +
>> +ifeq ($(BR2_PACKAGE_AUDIT),y)
>> +POLICYCOREUTILS_DEPENDENCIES += audit
>> +POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
>> +endif
>> +
>> +# Enable LSPP_PRIV if both audit and linux pam are enabled
>> +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
>> +POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
>> +endif
>> +
>> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
>> +# large file support.
>> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
>> +POLICYCOREUTILS_MAKE_OPTS += \
>> +     CC="$(TARGET_CC)" \
>> +     CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
>> +     LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)" \
>> +     ARCH="$(BR2_ARCH)"
>> +
>> +POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
>> +     secon semodule semodule_deps semodule_expand semodule_link \
>> +     semodule_package sepolgen-ifgen sestatus setfiles setsebool
>> +
>> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
>> +POLICYCOREUTILS_MAKE_DIRS += restorecond
>> +endif
>> +
>> +define POLICYCOREUTILS_BUILD_CMDS
>> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
>> +     done
>
> Please add a comment above this that explains why you're passing
> DESTDIR=$(STAGING_DIR) at build time.

Add the following
" The source has been patched to require a DESTDIR path which is
prefixed to all filesystem paths which were by default hardcoded to
host system paths."

>
>> +endef
>> +
>> +define POLICYCOREUTILS_INSTALL_TARGET_CMDS
>> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
>> +     done
>> +endef
>> +
>> +HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
>> +
>> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
>> +# large file support.
>> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
>> +HOST_POLICYCOREUTILS_MAKE_OPTS = \
>> +     CC="$(HOSTCC)" \
>> +     CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
>> +     PYTHON="$(HOST_DIR)/usr/bin/python" \
>> +     PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)" \
>> +     ARCH="$(HOSTARCH)" \
>> +     LDFLAGS="$(HOST_LDFLAGS)"
>> +
>> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
>> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
>> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
>> +     PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
>> +else
>> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
>> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
>> +     PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
>> +endif
>> +
>> +# Note: We are only building the programs required by the refpolicy build
>> +HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
>> +     semodule_package setfiles restorecond audit2allow audit2why scripts semanage sepolicy
>> +
>> +define HOST_POLICYCOREUTILS_BUILD_CMDS
>> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
>
> DESTDIR=$(HOST_DIR) is wrong. You should instead use PREFIX=$(HOST_DIR)/usr.
>

Thomas, I believe this is correct. PREFIX is set to $(DESTDIR)/usr in
the Makefile.  (See non-host build cmd above)

>> +define HOST_POLICYCOREUTILS_INSTALL_CMDS
>> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
>> +             $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
>
> Ditto.

Same comment as previous about PREFIX.

>
>> +     done
>> +     # Fix python paths
>> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2allow
>> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2why
>> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
>> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolicy
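
Review bot: when BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND is enabled, the ifeq block only extends POLICYCOREUTILS_MAKE_DIRS; Config.in selects BR2_PACKAGE_LIBGLIB2 for that option, but libglib2 is never added to POLICYCOREUTILS_DEPENDENCIES, so nothing guarantees it is built before restorecond. Add POLICYCOREUTILS_DEPENDENCIES += libglib2 inside that block.
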
>
> Sadly, this means more hardcoded paths, but I guess it's OK for now, I
> prefer to sort out the other issues. This one can be solved later.
>

Sorry about that.  I agree it isn't the best approach for those python files.

> Could you rework your patch to solve the other issues raised above?
>

Thomas, definitely.

Niranjan, let me know if you have more questions tomorrow.

-- 
Thanks,
Matt
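
The class of problem raised throughout this review, host paths such as -I/usr/include or a $(shell ls /usr/include/...) probe reaching a cross build, can be linted for before building. The Python below is an added example, not Buildroot's or policycoreutils' code and not how BR2_COMPILER_PARANOID_UNSAFE_PATH is implemented; the function names, the sample Makefile text and the /build/staging directory are constructed for illustration.

```python
import re

# Constructed sample, modelled on Makefile lines quoted in the thread.
SAMPLE_MAKEFILE = r"""
PREFIX ?= $(DESTDIR)/usr
LIBDIR ?= $(PREFIX)/lib
AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I$(PREFIX)/lib/dbus-1.0/include
CFLAGS ?= -g -Werror -Wall -W
override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS)
LDLIBS = -lselinux -L$(LIBDIR)
"""

ASSIGN = re.compile(r"^\s*(override\s+)?([A-Za-z_]\w*)\s*(\?=|\+=|:=|=)\s*(.*)$")
VARREF = re.compile(r"\$[({]([A-Za-z_]\w*)[)}]")
FLAG = re.compile(r"(?<!\S)(-[IL])(/\S*)")          # -I/abs/path or -L/abs/path
PROBE = re.compile(r"\$\(shell\s+ls\s+(/\S*)")      # $(shell ls /abs/path ...)


def parse_assignments(text, cmdline):
    """Collect unexpanded variable values, honouring ?=, += and 'override'.

    Simplified model of make: no line continuations, and := is treated like =.
    """
    variables = dict(cmdline)
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        is_override, name, op, value = m.groups()
        # Command-line variables win unless the Makefile says 'override'.
        if name in cmdline and not is_override:
            continue
        if op == "?=":
            variables.setdefault(name, value)
        elif op == "+=":
            variables[name] = (variables.get(name, "") + " " + value).strip()
        else:
            variables[name] = value
    return variables


def expand(value, variables, depth=0):
    """Recursively expand $(NAME) references; unknown names expand to ''."""
    if depth > 16:  # guard against self-referencing variables
        return value
    return VARREF.sub(
        lambda m: expand(variables.get(m.group(1), ""), variables, depth + 1), value)


def find_host_paths(makefile_text, destdir=None):
    """Return sorted (kind, path) pairs that point outside destdir.

    kind is '-I', '-L' or 'probe' (a $(shell ls ...) header check).
    With destdir unset, every absolute path is a host path.
    """
    cmdline = {"DESTDIR": destdir} if destdir else {}
    variables = parse_assignments(makefile_text, cmdline)
    root = destdir.rstrip("/") + "/" if destdir else None
    found = set()
    for raw in variables.values():
        value = expand(raw, variables)
        hits = [(m.group(1), m.group(2)) for m in FLAG.finditer(value)]
        hits += [("probe", m.group(1)) for m in PROBE.finditer(value)]
        for kind, path in hits:
            if root is None or not path.startswith(root):
                found.add((kind, path))
    return sorted(found)


if __name__ == "__main__":
    for label, destdir in (("DESTDIR=/build/staging", "/build/staging"),
                           ("DESTDIR not passed", None)):
        print(label)
        for kind, path in find_host_paths(SAMPLE_MAKEFILE, destdir):
            print("  host path:", kind, path)
```

With DESTDIR passed, only the two hardcoded /usr paths are reported; without it, every $(PREFIX)-based flag collapses to the host's /usr and is reported as well.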

* [Buildroot] [ PATCH Selinux v11] policycoreutils: new package
  2016-04-08  3:00   ` Matthew Weber
@ 2016-04-14 11:13     ` Niranjan Reddy
  2016-04-14 13:09       ` Matthew Weber
  0 siblings, 1 reply; 6+ messages in thread
From: Niranjan Reddy @ 2016-04-14 11:13 UTC (permalink / raw)
  To: buildroot

Hello Matthew,


On Fri, Apr 8, 2016 at 8:30 AM, Matthew Weber <matt@thewebers.ws> wrote:

> Niranjan,
>
> On Tue, Mar 22, 2016 at 5:02 PM, Thomas Petazzoni
> <thomas.petazzoni@free-electrons.com> wrote:
> > Hello,
> >
> > I really wanted to apply this patch and finally get the remaining
> > SELinux support in, but there are still some really wrong things in
> > there.
> >
> > On Wed, 16 Mar 2016 17:12:14 +0530, Niranjan Reddy wrote:
> >> From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> >>
> >> This package contains the core policy utilities that are required
> >> for basic operation of an SELinux system.Four patchs are included
> >> in this package.
> >
> > Minor typos: space after ".", patchs -> patches.
> >
> >> Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> >> Allow-CFLAGS-to-be-overwritten.patch
> >> Change-sepolicy-python-install-arguments-to-be-a-var.patch
> >> disable-dbus.patch
> >
> > Completely useless to just give the filenames, especially when they are
> > wrong.
>
> Valid point, need to fix typo and provide a description of what the
> patches are doing after the "Four patches are included...." statement.
> Remove the list of patch names.
>
> >
> >
> >> diff --git
> a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> >> new file mode 100644
> >> index 0000000..0192e5c
> >> --- /dev/null
> >> +++
> b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> >> @@ -0,0 +1,275 @@
> >> +From 92d7cc3539f8bfc68b2f2bf688375647abf73ee7 Mon Sep 17 00:00:00 2001
> >> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> >> +Date: Fri, 10 Jul 2015 11:44:08 -0500
> >> +Subject: Add DESTDIR to all paths that use an absolute path
> >> +
> >> +To aid in cross compiling, add the DESTDIR variable to the start of all
> >> +of the paths used during compilation. Most paths already used DESTDIR.
>
> Add note that "The addition of this patch makes the use of DESTDIR
> mandatory as there are conditional checks which would fail if it's not
> defined."
>
> >> +
> >> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> >
> > This patch does a *LOT* more than adding DESTDIR. Just check by
> > yourself. Read your own patch! It should be split in several patches.
>
> I have put comments in below noting what to put in the creation of the
> following new patches.  Some suggested descriptions for the new
> patches are below too.
>
> 1) DESTDIR
> 2) PREFIX
> 3) Removal of ARCH
>
> >
> >> +---
> >> + Makefile                |  4 ++--
> >> + audit2allow/Makefile    |  2 +-
> >> + load_policy/Makefile    |  2 +-
> >> + mcstrans/src/Makefile   | 22 +++++++++++++---------
> >> + mcstrans/utils/Makefile | 11 +++++++----
> >> + newrole/Makefile        | 12 ++++++------
> >> + restorecond/Makefile    |  6 ++++--
> >> + run_init/Makefile       | 12 ++++++------
> >> + sepolicy/Makefile       |  2 +-
> >> + setfiles/Makefile       |  4 ++--
> >> + 10 files changed, 43 insertions(+), 34 deletions(-)
> >> +
> >> +diff --git a/Makefile b/Makefile
> >> +index 3980799..0fca022 100644
> >> +--- a/Makefile
> >> ++++ b/Makefile
> >> +@@ -1,8 +1,8 @@
> >> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init
> sandbox secon audit2allow audit2why sestatus semodule_package semodule
> semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool
> scripts po man gui
> >> +
> >> +-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
> >> ++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h
> 2>/dev/null)
> >
> > This is not super great, as it assumes DESTDIR is passed at build time,
> > which is not very standard. But OK, that's the easiest solution. But it
> > should *definitely* be explained in the description of the patch, as
> > it's non trivial.
> >
>
> Move to patch #1
>
> I added a note about this above and suggested a statement to add.
>
> >> +
> >> +-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
> >> ++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
> >> +     SUBDIRS += restorecond
> >> + endif
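
Review bot: the INOTIFYH probe shells out to ls and then compares the output against the same path string, so the path now has to be kept in sync in two places; ifneq ($(wildcard $(DESTDIR)/usr/include/sys/inotify.h),) performs the same test without a shell and with the path written once. The same form would work for the PAMH and AUDITH probes in newrole, run_init and setfiles.
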
>
> Move to patch #2
>
> Change to use PREFIX.
>
> For patch two, the description could be something like....
> "Updates the remaining hardcoded host paths used in the build to be
> prefixed with a PREFIX path to allow cross compilation."
>
> >> +
> >> +diff --git a/audit2allow/Makefile b/audit2allow/Makefile
> >> +index 88635d4..1647b5a 100644
> >> +--- a/audit2allow/Makefile
> >> ++++ b/audit2allow/Makefile
> >> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> >> + BINDIR ?= $(PREFIX)/bin
> >> + LIBDIR ?= $(PREFIX)/lib
> >> + MANDIR ?= $(PREFIX)/share/man
> >> +-LOCALEDIR ?= /usr/share/locale
> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
> >
> > This is not about adding DESTDIR, but about changing a hardcoded /usr
> > to $(PREFIX).
>
> Move to patch #2
>
> >
> > In addition, in the INOTIFYH fix above, you don't change usr/ to
> > $(PREFIX).
>
> Resolved above.
>
> >
> >> +
> >> + all: ;
> >> +
> >> +diff --git a/load_policy/Makefile b/load_policy/Makefile
> >> +index 7c5bab0..5cd0bbb 100644
> >> +--- a/load_policy/Makefile
> >> ++++ b/load_policy/Makefile
> >> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> >> + SBINDIR ?= $(DESTDIR)/sbin
> >> + USRSBINDIR ?= $(PREFIX)/sbin
> >> + MANDIR ?= $(PREFIX)/share/man
> >> +-LOCALEDIR ?= /usr/share/locale
> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
> >
> > This is also changing /usr to PREFIX, which has nothing to do with
> > using DESTDIR.
>
> Move to patch #2
>
> >
> >> +
> >> + CFLAGS ?= -Werror -Wall -W
> >> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS
> -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> >> +diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
> >> +index fb44490..a0666f1 100644
> >> +--- a/mcstrans/src/Makefile
> >> ++++ b/mcstrans/src/Makefile
> >> +@@ -1,22 +1,26 @@
> >> +-ARCH = $(shell uname -i)
>
> Move the above line to patch #3
>
> >> ++# Installation directories.
> >> ++PREFIX  ?= $(DESTDIR)/usr
> >> ++SBINDIR ?= $(DESTDIR)/sbin
> >> ++INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
> >
> > This has nothing to do with adding DESTDIR, and there is no explanation
> > why adding those variable definitions here is necessary. Those
> > definitions are normally below, why are you moving them up here?
>
> Niranjan, why did they move, I don't have the complete file in front
> of me to check?
>
> >
> >> ++
> >> ++ARCH ?= $(shell uname -i)
> >
> > Looks good, but needs to be explained in the patch description (and in
> > a separate patch).
>
> Move to patch #3
>
> Use a description that's something like this in the patch....
> "Allow the ARCH value to be passed in as original configuration was
> solely based on host architecture."
>
> >
> >> + ifeq "$(ARCH)" "x86_64"
> >> +     # In case of 64 bit system, use these lines
> >> +-    LIBDIR=/usr/lib64
> >> +-else
> >> ++    LIBDIR=$(PREFIX)/lib64
> >> ++else
> >> + ifeq "$(ARCH)" "i686"
> >> +     # In case of 32 bit system, use these lines
> >> +-    LIBDIR=/usr/lib
> >> ++    LIBDIR=$(PREFIX)/lib
> >> + else
> >> + ifeq "$(ARCH)" "i386"
> >> +     # In case of 32 bit system, use these lines
> >> +-    LIBDIR=/usr/lib
> >> ++    LIBDIR=$(PREFIX)/lib
> >> ++else
> >> ++    # Default to these lines if arch is unknown
> >> ++    LIBDIR=$(PREFIX)/lib
> >
> > This is all /usr -> $(PREFIX) replacement, nothing to do with DESTDIR.
>
> Move above changes to patch #2
>
> >
> >> + endif
> >> + endif
> >> + endif
> >> +-# Installation directories.
> >> +-PREFIX  ?= $(DESTDIR)/usr
> >> +-SBINDIR ?= $(DESTDIR)/sbin
> >> +-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
>
> Like previous comment, why did these get removed from here and moved above?
>


In the original file, if we replace /usr with $PREFIX, the replacement
happens before PREFIX is defined. To make it visible to the complete file,
we removed it from the bottom and placed it at the top.

Original file:

ifeq "$(ARCH)" "x86_64"
# In case of 64 bit system, use these lines
LIBDIR=/usr/lib64  ( *replacing  /usr  --> $PREFIX* )
else


PREFIX  ?= $(DESTDIR)/usr  ( *defined after *)


>
> >> +
> >> + PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
> >> + PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
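
Review bot: the mcstrans/src and mcstrans/utils Makefiles patched here are not built by this package, since neither POLICYCOREUTILS_MAKE_DIRS nor HOST_POLICYCOREUTILS_MAKE_DIRS in policycoreutils.mk lists mcstrans. If mcstrans is not going to be built, these hunks, including the ARCH ?= change, can be dropped from the package's patches. If they stay, the -else / +else pair after LIBDIR=$(PREFIX)/lib64 looks like a whitespace-only change and should be left out.
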
> >> +diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
> >> +index 1ffb027..da5c152 100644
> >> +--- a/mcstrans/utils/Makefile
> >> ++++ b/mcstrans/utils/Makefile
> >> +@@ -2,18 +2,21 @@
> >> + PREFIX ?= $(DESTDIR)/usr
> >> + BINDIR ?= $(PREFIX)/sbin
> >> +
> >> +-ARCH = $(shell uname -i)
> >> ++ARCH ?= $(shell uname -i)
>
> Move the above two lines to patch #3
>
> >> + ifeq "$(ARCH)" "x86_64"
> >> +         # In case of 64 bit system, use these lines
> >> +-        LIBDIR=/usr/lib64
> >> ++        LIBDIR=$(PREFIX)/lib64
> >> + else
> >> + ifeq "$(ARCH)" "i686"
> >> +         # In case of 32 bit system, use these lines
> >> +-        LIBDIR=/usr/lib
> >> ++        LIBDIR=$(PREFIX)/lib
> >> + else
> >> + ifeq "$(ARCH)" "i386"
> >> +         # In case of 32 bit system, use these lines
> >> +-        LIBDIR=/usr/lib
> >> ++        LIBDIR=$(PREFIX)/lib
> >> ++else
> >> ++        # Default to these lines if arch is unknown
> >> ++        LIBDIR=$(PREFIX)/lib
> >
>
> Move to patch #2
>
> > Same comments as above;
> >
> >> + endif
> >> + endif
> >> + endif
> >> +diff --git a/newrole/Makefile b/newrole/Makefile
> >> +index 646cd4d..045e3b7 100644
> >> +--- a/newrole/Makefile
> >> ++++ b/newrole/Makefile
> >> +@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
> >> + BINDIR ?= $(PREFIX)/bin
> >> + MANDIR ?= $(PREFIX)/share/man
> >> + ETCDIR ?= $(DESTDIR)/etc
> >> +-LOCALEDIR = /usr/share/locale
> >> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> >> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> >> ++LOCALEDIR = $(PREFIX)/share/locale
> >> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
> >> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
> >
> > This is *completely* wrong. It will look at /usr/include/libaudit.h
> > and /usr/include/security/pam_appl.h on your build machine to decide
> > where pam and audit support is available. If you follow the fix done
> > earlier for INOTIFYH, you should do:
> >
> > AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
>
> The variable DESTDIR when used in PREFIX isn't expanded because you're
> in a shell in that "shell ls" command.  So you have to use
> $(DESTDIR)/usr.
>
> Move to patch #1 and update as noted to use $(DESTDIR)/usr/ for PAMH=,
> AUDITD=
>
> >
> >> + # Enable capabilities to permit newrole to generate audit records.
> >> + # This will make newrole a setuid root program.
> >> + # The capabilities used are: CAP_AUDIT_WRITE.
> >> +@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
> >> + EXTRA_OBJS =
> >> + override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS)
> -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\""
> -DPACKAGE="\"policycoreutils\""
> >> + LDLIBS += -lselinux -L$(PREFIX)/lib
> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
> >
>
> Move to patch #2
>
> > Same comment as above.
> >
> >> +     override CFLAGS += -DUSE_PAM
> >> +     EXTRA_OBJS += hashtab.o
> >> +     LDLIBS += -lpam -lpam_misc
> >> +@@ -32,7 +32,7 @@ else
> >> +     override CFLAGS += -D_XOPEN_SOURCE=500
> >> +     LDLIBS += -lcrypt
> >> + endif
> >> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> >> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
> >
> > Ditto.
>
> Move to patch #2
>
> >
> >> +     override CFLAGS += -DUSE_AUDIT
> >> +     LDLIBS += -laudit
> >> + endif
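
Review bot: the AUDITH test in this hunk picks the feature by comparing the output of `ls` with a path string, so when the header is not where the probe looks the build quietly drops -DUSE_AUDIT and -laudit instead of failing. The context lines at the top of the hunk show the PAM test doing the same, falling back to -D_XOPEN_SOURCE=500 and -lcrypt. policycoreutils.mk already knows whether audit and linux-pam are selected, so an explicit make variable set by the caller, with an error when the header is missing, would make a misdetected configuration visible rather than shipping newrole without audit or PAM support.
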
> >> +@@ -66,7 +66,7 @@ install: all
> >> +     test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
> >> +     install -m $(MODE) newrole $(BINDIR)
> >> +     install -m 644 newrole.1 $(MANDIR)/man1/
> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
> >
> > Ditto.
>
> Move to patch #2
>
> >
> >> +     test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
> >> + ifeq ($(LSPP_PRIV),y)
> >> +     install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
> >> +diff --git a/restorecond/Makefile b/restorecond/Makefile
> >> +index 3074542..7c40f95 100644
> >> +--- a/restorecond/Makefile
> >> ++++ b/restorecond/Makefile
> >> +@@ -10,11 +10,13 @@ autostart_DATA = sealertauto.desktop
> >> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
> >> + SELINUXDIR = $(DESTDIR)/etc/selinux
> >> +
> >> +-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0
> -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
> >> ++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0
> -I$(PREFIX)/lib64/dbus-1.0/include \
> >> ++            -I$(PREFIX)/lib/dbus-1.0/include
> >
> > Completely wrong. This will add -I/usr/include/dbus-1.0 when
> > cross-compiling. Bad.
> >
>
> Same as other case of variable expansion.  Update all use of PREFIX to
> be $(DESTDIR)/usr/
>
> Move to patch #1
>
> >> + DBUSLIB = -ldbus-glib-1 -ldbus-1
> >> +
> >> + CFLAGS ?= -g -Werror -Wall -W
> >> +-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS)
> -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include
> -I/usr/lib/glib-2.0/include
> >> ++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS)
> -I$(PREFIX)/include/glib-2.0 \
> >> ++            -I$(PREFIX)/lib64/glib-2.0/include
> -I$(PREFIX)/lib/glib-2.0/include
> >
> > Same.
>
>
> Same as other case of variable expansion.  Update all use of PREFIX to
> be $(DESTDIR)/usr/
>
> Move to patch #1
>
> >
> >> +
> >> + LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
> >> +
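
Review bot: the DBUSFLAGS and glib include lines in this hunk still list guessed directories (include/dbus-1.0, lib64/dbus-1.0/include, lib/dbus-1.0/include, and the same three for glib-2.0), whatever prefix ends up in front of them. Asking pkg-config for the dbus-glib-1 and glib-2.0 compile flags, through a variable the caller can point at the cross pkg-config, would remove both the hardcoded layout and the lib64-or-lib guess.
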
> >> +diff --git a/run_init/Makefile b/run_init/Makefile
> >> +index 12b39b4..da49c41 100644
> >> +--- a/run_init/Makefile
> >> ++++ b/run_init/Makefile
> >> +@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
> >> + SBINDIR ?= $(PREFIX)/sbin
> >> + MANDIR ?= $(PREFIX)/share/man
> >> + ETCDIR ?= $(DESTDIR)/etc
> >> +-LOCALEDIR ?= /usr/share/locale
> >> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> >> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
> >> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
> >> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
> >
> > Also wrong.
> >
>
> Same as other case of variable expansion.  Update all use of PREFIX
> when used in a "shell ls" to be $(DESTDIR)/usr/
>
> Move to patch #1
>
> >> +
> >> + CFLAGS ?= -Werror -Wall -W
> >> + override CFLAGS += -I$(PREFIX)/include -DUSE_NLS
> -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> >> + LDLIBS += -lselinux -L$(PREFIX)/lib
> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
> >
> > Ditto.
>
> Move to patch #2
>
> >
> >> +     override CFLAGS += -DUSE_PAM
> >> +     LDLIBS += -lpam -lpam_misc
> >> + else
> >> +     override CFLAGS += -D_XOPEN_SOURCE=500
> >> +     LDLIBS += -lcrypt
> >> + endif
> >> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> >> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
> >
> > Ditto.
>
> Move to patch #2
>
> >
> >> +     override CFLAGS += -DUSE_AUDIT
> >> +     LDLIBS += -laudit
> >> + endif
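
Review bot: LOCALEDIR in this hunk is not only an install location; the CFLAGS context line a few lines down passes it as -DLOCALEDIR, so the value ends up as a string inside run_init. With PREFIX defaulting to $(DESTDIR)/usr and the package building with DESTDIR=$(STAGING_DIR), that string becomes a path on the build machine. Keep the compiled-in value at /usr/share/locale and apply the prefix only where files are installed. The newrole/Makefile hunks show the same pattern.
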
> >> +@@ -38,7 +38,7 @@ install: all
> >> +     install -m 755 open_init_pty $(SBINDIR)
> >> +     install -m 644 run_init.8 $(MANDIR)/man8/
> >> +     install -m 644 open_init_pty.8 $(MANDIR)/man8/
> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
> >
> > Ditto.
>
> Move to patch #2
>
> >
> >> +     install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
> >> + endif
> >> +
> >> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> >> +index 11b534f..1249546 100644
> >> +--- a/sepolicy/Makefile
> >> ++++ b/sepolicy/Makefile
> >> +@@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
> >> + BINDIR ?= $(PREFIX)/bin
> >> + SBINDIR ?= $(PREFIX)/sbin
> >> + MANDIR ?= $(PREFIX)/share/man
> >> +-LOCALEDIR ?= /usr/share/locale
> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
>
> Move to patch #2
>
> >> + PYTHON ?= /usr/bin/python
> >> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> >> + SHAREDIR ?= $(PREFIX)/share/sandbox
> >> +diff --git a/setfiles/Makefile b/setfiles/Makefile
> >> +index 4b44b3c..ebc22c8 100644
> >> +--- a/setfiles/Makefile
> >> ++++ b/setfiles/Makefile
> >> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> >> + SBINDIR ?= $(DESTDIR)/sbin
> >> + MANDIR = $(PREFIX)/share/man
> >> + LIBDIR ?= $(PREFIX)/lib
> >> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> >> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
> >
> > Still wrong.
>
> Same as other case of variable expansion.  Update all use of PREFIX
> when used in a "shell ls" to be $(DESTDIR)/usr/
>
> Move to patch #1
>
> >
> >> +
> >> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S
> '{ print $$3 }')
> >> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c |
> awk -S '{ print $$3 }')
> >> +@@ -12,7 +12,7 @@ CFLAGS = -g -Werror -Wall -W
> >> + override CFLAGS += -I$(PREFIX)/include
> >> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> >> +
> >> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> >> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
> >
> > Here as well.
>
> Move to patch #2
>
> >
> >> +     override CFLAGS += -DUSE_AUDIT
> >> +     LDLIBS += -laudit
> >> + endif
> >> +--
> >> +1.9.1
> >> +
> >> diff --git
> a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> >> new file mode 100644
> >> index 0000000..b6e6d99
> >> --- /dev/null
> >> +++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> >> @@ -0,0 +1,57 @@
> >> +From cfce1180f96cca5e7444d94b2ebc39213d7dac75 Mon Sep 17 00:00:00 2001
> >> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> >> +Date: Fri, 10 Jul 2015 11:47:09 -0500
> >> +Subject: Allow CFLAGS to be overwritten
> >> +
> >> +Allow all CFLAGS declarations to be overwritten to aid in cross
> >> +compiling.
> >> +
> >> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> >> +---
> >> + sepolicy/Makefile | 2 +-
> >> + sestatus/Makefile | 2 +-
> >> + setfiles/Makefile | 2 +-
> >> + 3 files changed, 3 insertions(+), 3 deletions(-)
> >> +
> >> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> >> +index 1249546..a52667a 100644
> >> +--- a/sepolicy/Makefile
> >> ++++ b/sepolicy/Makefile
> >> +@@ -9,7 +9,7 @@ LOCALEDIR ?= $(PREFIX)/share/locale
> >> + PYTHON ?= /usr/bin/python
> >> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> >> + SHAREDIR ?= $(PREFIX)/share/sandbox
> >> +-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include
> -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> >> ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include
> -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> >
> > -I$(PREFIX)/include -> bad, as it will add -I/usr/include when
> > cross-compiling.
>
> Update to instead be $(DESTDIR)/usr
>
> >
> >> +
> >> + BASHCOMPLETIONS=sepolicy-bash-completion.sh
> >> +
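
Review bot: in the sepolicy line only the operator changes, so -Wall -Werror -Wextra -W stay inside `override CFLAGS +=` and a caller still cannot drop -Werror, unlike the sestatus and setfiles hunks of this patch where the warning flags move to `CFLAGS ?=`. With a compiler other than the one upstream tested, one new warning then fails the build. Splitting the line into a `CFLAGS ?=` carrying the warning flags and an `override CFLAGS +=` carrying the required -I, -D and -shared flags would match the other two files and the commit message.
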
> >> +diff --git a/sestatus/Makefile b/sestatus/Makefile
> >> +index c5db7a3..c04ff00 100644
> >> +--- a/sestatus/Makefile
> >> ++++ b/sestatus/Makefile
> >> +@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
> >> + ETCDIR ?= $(DESTDIR)/etc
> >> + LIBDIR ?= $(PREFIX)/lib
> >> +
> >> +-CFLAGS = -Werror -Wall -W
> >> ++CFLAGS ?= -Werror -Wall -W
> >> + override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
> >
> > Again here.
>
> Update to instead be $(DESTDIR)/usr
>
> >
> >> + LDLIBS = -lselinux -L$(LIBDIR)
> >> +
> >> +diff --git a/setfiles/Makefile b/setfiles/Makefile
> >> +index ebc22c8..7c48814 100644
> >> +--- a/setfiles/Makefile
> >> ++++ b/setfiles/Makefile
> >> +@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(PREFIX)/include/libaudit.h
> 2>/dev/null)
> >> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S
> '{ print $$3 }')
> >> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c |
> awk -S '{ print $$3 }')
> >> +
> >> +-CFLAGS = -g -Werror -Wall -W
> >> ++CFLAGS ?= -g -Werror -Wall -W
> >> + override CFLAGS += -I$(PREFIX)/include
> >
> > And here.
>
>
> Update to instead be $(DESTDIR)/usr
>
> >
> > Please build with BR2_COMPILER_PARANOID_UNSAFE_PATH=y to detect such
> > problems.
> >
> >> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> >> +
> >> +--
> >> +1.9.1
> >> +
> >> diff --git
> a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> >> new file mode 100644
> >> index 0000000..5bbfb76
> >> --- /dev/null
> >> +++
> b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> >> @@ -0,0 +1,42 @@
> >> +From 4bb3e6bda68fe52fcd2df4f27c5900f4b0d50fa1 Mon Sep 17 00:00:00 2001
> >> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> >> +Date: Fri, 10 Jul 2015 11:56:49 -0500
> >> +Subject: Change sepolicy python install arguments to be a variable
> >> +
> >> +To allow the python install arguments to be overwritten, change the
> >> +arguments to be a variable. This also cleans up the DESTDIR detection a
> >> +little bit.
> >> +
> >> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> >> +---
> >> + sepolicy/Makefile | 7 ++++++-
> >> + 1 file changed, 6 insertions(+), 1 deletion(-)
> >> +
> >> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> >> +index a52667a..4a10df6 100644
> >> +--- a/sepolicy/Makefile
> >> ++++ b/sepolicy/Makefile
> >> +@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
> >> + MANDIR ?= $(PREFIX)/share/man
> >> + LOCALEDIR ?= $(PREFIX)/share/locale
> >> + PYTHON ?= /usr/bin/python
> >> ++ifneq (,$(DESTDIR))
> >> ++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
> >> ++else
> >> ++PYTHON_INSTALL_ARGS ?=
> >> ++endif
> >
> > Sounds good, but could be a bit simpler:
> >
> > ifneq ($(DESTDIR),)
> > PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
> > endif
>
> Update as noted
>
> >
> >> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> >> + SHAREDIR ?= $(PREFIX)/share/sandbox
> >> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include
> -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> >> +@@ -23,7 +28,7 @@ clean:
> >> +     -rm -rf build *~ \#* *pyc .#*
> >> +
> >> + install:
> >> +-    $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root
> $(DESTDIR)`
> >> ++    $(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
> >> +     [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
> >> +     install -m 755 sepolicy.py $(BINDIR)/sepolicy
> >> +     -mkdir -p $(MANDIR)/man8
> >> +--
> >> +1.9.1
> >> +
> >> diff --git a/package/policycoreutils/0004-disable-dbus.patch
> b/package/policycoreutils/0004-disable-dbus.patch
> >> new file mode 100644
> >> index 0000000..b685d0a
> >> --- /dev/null
> >> +++ b/package/policycoreutils/0004-disable-dbus.patch
> >> @@ -0,0 +1,14 @@
> >> +--- a/restorecond/Makefile   2016-02-25 13:23:23.286671669 -0600
> >> ++++ b/restorecond/Makefile   2016-03-03 12:44:25.032118694 -0600
> >
> > Missing description + Signed-off-by in this patch.
>
> Update as noted.
>
> Description...
> " Adds a condition to prevent linking against dbus when at build time
> dbus has not been enabled"
>
> >
> >> +@@ -10,9 +10,11 @@
> >> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
> >> + SELINUXDIR = $(DESTDIR)/etc/selinux
> >> +
> >> ++ifdef ENABLE_DBUS
> >> + DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0
> -I$(PREFIX)/lib64/dbus-1.0/include \
> >> +             -I$(PREFIX)/lib/dbus-1.0/include
> >> + DBUSLIB = -ldbus-glib-1 -ldbus-1
> >> ++endif
> >> +
> >> + CFLAGS ?= -g -Werror -Wall -W
> >> + override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS)
> -I$(PREFIX)/include/glib-2.0 \
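
Review bot: `ifdef ENABLE_DBUS` is true for any non-empty value, including ENABLE_DBUS=n, and neither POLICYCOREUTILS_MAKE_OPTS nor HOST_POLICYCOREUTILS_MAKE_OPTS in policycoreutils.mk passes ENABLE_DBUS, so as submitted the dbus branch is never taken while HOST_POLICYCOREUTILS_DEPENDENCIES still pulls in host-dbus-glib. Test for an explicit value, for example `ifeq ($(ENABLE_DBUS),y)`, and set it from the .mk when dbus support is wanted, or drop the unused dependency.
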
> >> diff --git a/package/policycoreutils/Config.in
> b/package/policycoreutils/Config.in
> >> new file mode 100644
> >> index 0000000..3131a02
> >> --- /dev/null
> >> +++ b/package/policycoreutils/Config.in
> >> @@ -0,0 +1,57 @@
> >> +config BR2_PACKAGE_POLICYCOREUTILS
> >> +     bool "policycoreutils"
> >> +     select BR2_PACKAGE_LIBSEMANAGE
> >
> > libsemanage has lots of other dependencies:
> >
> >         depends on BR2_TOOLCHAIN_HAS_THREADS
> >         depends on !BR2_STATIC_LIBS
> >         depends on !BR2_arc
> >
> > You need to take them into account.
> >
>
> Noted, add those three.
>
> >> +     select BR2_PACKAGE_LIBCAP_NG
> >> +     select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
> >> +     depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
> >> +     depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL #
> uses fts.h
> >> +     help
> >> +       Policycoreutils is a collection of policy utilities (originally
> >> +       the "core" set of utilities needed to use SELinux, although it
> >> +       has grown a bit over time), which have different dependencies.
> >> +       sestatus, secon, run_init, and newrole only use libselinux.
> >> +       load_policy and setfiles only use libselinux and libsepol.
> >> +       semodule and semanage use libsemanage (and thus bring in
> >> +       dependencies on libsepol and libselinux as well). setsebool
> >> +       uses libselinux to make non-persistent boolean changes (via
> >> +       the kernel interface) and uses libsemanage to make persistent
> >> +       boolean changes.
> >> +
> >> +       The base package will install the following utilities:
> >> +           load_policy
> >> +           newrole
> >> +           restorecond
> >> +           run_init
> >> +           secon
> >> +           semodule
> >> +           semodule_deps
> >> +           semodule_expand
> >> +           semodule_link
> >> +           semodule_package
> >> +           sepolgen-ifgen
> >> +           sestatus
> >> +           setfiles
> >> +           setsebool
> >> +
> >> +       http://selinuxproject.org/page/Main_Page
> >> +
> >> +comment "policycoreutils needs a glibc or musl toolchain w/ threads"
> >> +     depends on !BR2_TOOLCHAIN_HAS_THREADS  \
> >> +             || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
> >> +
> >> +if BR2_PACKAGE_POLICYCOREUTILS
> >> +
> >> +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
> >> +     bool "restorecond Utility"
> >> +     select BR2_PACKAGE_LIBGLIB2 #glib2
> >> +     depends on BR2_USE_WCHAR # glib2
> >> +     depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
> >> +     depends on BR2_USE_MMU # glib2
> >> +     help
> >> +       Enable restorecond to be built
> >> +
> >> +comment "restorecond needs a toolchain w/ wchar, threads"
> >> +     depends on BR2_USE_MMU
> >> +     depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
> >> +
> >> +endif
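
Review bot: the help text lists restorecond among the utilities the base package installs, but restorecond sits behind BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND and is only added to POLICYCOREUTILS_MAKE_DIRS when that option is set. Move it out of the base list or mark it as optional. When the libsemanage dependencies requested above (!BR2_STATIC_LIBS, !BR2_arc) are added, the `comment "policycoreutils needs a glibc or musl toolchain w/ threads"` entry and its `depends on` lines need the same conditions, otherwise the comment is shown or hidden in the wrong configurations.
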
> >> diff --git a/package/policycoreutils/policycoreutils.hash
> b/package/policycoreutils/policycoreutils.hash
> >> new file mode 100644
> >> index 0000000..575dd25
> >> --- /dev/null
> >> +++ b/package/policycoreutils/policycoreutils.hash
> >> @@ -0,0 +1,2 @@
> >> +# https://github.com/SELinuxProject/selinux/wiki/Releases
> >> +sha256
> b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5
> policycoreutils-2.1.14.tar.gz
> >> diff --git a/package/policycoreutils/policycoreutils.mk
> b/package/policycoreutils/policycoreutils.mk
> >> new file mode 100644
> >> index 0000000..aed2705
> >> --- /dev/null
> >> +++ b/package/policycoreutils/policycoreutils.mk
> >> @@ -0,0 +1,108 @@
> >>
> +################################################################################
> >> +#
> >> +# policycoreutils
> >> +#
> >>
> +################################################################################
> >> +
> >> +POLICYCOREUTILS_VERSION = 2.1.14
> >> +POLICYCOREUTILS_SITE =
> https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
> >> +POLICYCOREUTILS_LICENSE = GPLv2
> >> +POLICYCOREUTILS_LICENSE_FILES = COPYING
> >> +
> >> +# gettext for load_policy.c use of libintl_* functions
> >> +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if
> $(BR2_NEEDS_GETTEXT),gettext)
> >> +
> >> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
> >> +POLICYCOREUTILS_DEPENDENCIES += linux-pam
> >> +POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
> >> +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
> >> +     $(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd
> $(TARGET_DIR)/etc/pam.d/newrole
> >> +     $(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd
> $(TARGET_DIR)/etc/pam.d/run_init
> >> +endef
> >> +endif
> >> +
> >> +ifeq ($(BR2_PACKAGE_AUDIT),y)
> >> +POLICYCOREUTILS_DEPENDENCIES += audit
> >> +POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
> >> +endif
> >> +
> >> +# Enable LSPP_PRIV if both audit and linux pam are enabled
> >> +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
> >> +POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
> >> +endif
> >> +
> >> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> >> +# large file support.
> >> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more
> information
> >> +POLICYCOREUTILS_MAKE_OPTS += \
> >> +     CC="$(TARGET_CC)" \
> >> +     CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
> >> +     LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)" \
> >> +     ARCH="$(BR2_ARCH)"
> >> +
> >> +POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
> >> +     secon semodule semodule_deps semodule_expand semodule_link \
> >> +     semodule_package sepolgen-ifgen sestatus setfiles setsebool
> >> +
> >> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
> >> +POLICYCOREUTILS_MAKE_DIRS += restorecond
> >> +endif
> >> +
> >> +define POLICYCOREUTILS_BUILD_CMDS
> >> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> >> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS)
> DESTDIR=$(STAGING_DIR) all || exit 1 ; \
> >> +     done
> >
> > Please add a comment above this that explains why you're passing
> > DESTDIR=$(STAGING_DIR) at build time.
>
> Add the following
> " The source has been patched to require a DESTDIR path which is
> prefixed to all filesystem paths which were by default hardcoded to
> host system paths."
>
> >
> >> +endef
> >> +
> >> +define POLICYCOREUTILS_INSTALL_TARGET_CMDS
> >> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> >> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS)
> DESTDIR=$(TARGET_DIR) install || exit 1 ; \
> >> +     done
> >> +endef
> >> +
> >> +HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib
> host-sepolgen host-setools
> >> +
> >> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> >> +# large file support.
> >> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more
> information
> >> +HOST_POLICYCOREUTILS_MAKE_OPTS = \
> >> +     CC="$(HOSTCC)" \
> >> +     CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
> >> +     PYTHON="$(HOST_DIR)/usr/bin/python" \
> >> +     PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)" \
> >> +     ARCH="$(HOSTARCH)" \
> >> +     LDFLAGS="$(HOST_LDFLAGS)"
> >> +
> >> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> >> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
> >> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> >> +     PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
> >> +else
> >> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
> >> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> >> +     PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
> >> +endif
> >> +
> >> +# Note: We are only building the programs required by the refpolicy
> build
> >> +HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps
> semodule_expand semodule_link \
> >> +     semodule_package setfiles restorecond audit2allow audit2why
> scripts semanage sepolicy
> >> +
> >> +define HOST_POLICYCOREUTILS_BUILD_CMDS
> >> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> >> +             $(MAKE) -C $(@D)/$${dir}
> $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
> >
> > DESTDIR=$(HOST_DIR) is wrong. You should instead use
> PREFIX=$(HOST_DIR)/usr.
> >
>
> Thomas, I believe this is correct. PREFIX is set to $(DESTDIR)/usr in
> the Makefile.  (See non-host build cmd above)
>
> >> +define HOST_POLICYCOREUTILS_INSTALL_CMDS
> >> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> >> +             $(MAKE) -C $(@D)/$${dir}
> $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
> >
> > Ditto.
>
> Same comment as previous about PREFIX.
>
> >
> >> +     done
> >> +     # Fix python paths
> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/audit2allow
> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/audit2why
> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/sepolgen-ifgen
> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g'
> $(HOST_DIR)/usr/bin/sepolicy
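
Review bot: the four $(SED) lines under "Fix python paths" replace every occurrence of /usr/bin/ in each script, not only the interpreter line, so any other /usr/bin/ path a script mentions is rewritten to point into $(HOST_DIR) as well. Assuming the scripts start with a #!/usr/bin/ interpreter line, restricting the expression to line 1 and to the `#!` prefix limits the change to what the comment describes. Separately, near the top of the file AUDIT_LOG_PRIV=y is set whenever BR2_PACKAGE_AUDIT is selected; the newrole/Makefile context in patch 0001 says that enabling the audit capability "will make newrole a setuid root program", which deserves a comment here or a line in the Config.in help so the user knows a setuid binary is being installed.
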
> >
> > Sadly, this means more hardcoded paths, but I guess it's OK for now, I
> > prefer to sort out the other issues. This one can be solved later.
> >
>
> Sorry about that.  I agree it isn't the best approach for those python
> files.
>
> > Could you rework your patch to solve the other issues raised above?
> >
>
> Thomas, definitely.
>
> Niranjan, let me know if you have more questions tomorrow.
>
> --
> Thanks,
> Matt




Thanks,
Niranjan

* [Buildroot] [ PATCH Selinux v11] policycoreutils: new package
  2016-04-14 11:13     ` Niranjan Reddy
@ 2016-04-14 13:09       ` Matthew Weber
  0 siblings, 0 replies; 6+ messages in thread
From: Matthew Weber @ 2016-04-14 13:09 UTC (permalink / raw)
  To: buildroot

Niranjan,

On Thu, Apr 14, 2016 at 6:13 AM, Niranjan Reddy
<niranjan.reddy@rockwellcollins.com> wrote:
>
> Hello Matthew,
>
>
> On Fri, Apr 8, 2016 at 8:30 AM, Matthew Weber <matt@thewebers.ws> wrote:
>>
>> Niranjan,
>>
>> On Tue, Mar 22, 2016 at 5:02 PM, Thomas Petazzoni
>> <thomas.petazzoni@free-electrons.com> wrote:
>> > Hello,
>> >
>> > I really wanted to apply this patch and finally get the remaining
>> > SELinux support in, but there are still some really wrong things in
>> > there.
>> >
>> > On Wed, 16 Mar 2016 17:12:14 +0530, Niranjan Reddy wrote:
>> >> From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> >>
>> >> This package contains the core policy utilities that are required
>> >> for basic operation of an SELinux system.Four patchs are included
>> >> in this package.
>> >
>> > Minor typos: space after ".", patchs -> patches.
>> >
>> >> Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> >> Allow-CFLAGS-to-be-overwritten.patch
>> >> Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> >> disable-dbus.patch
>> >
>> > Completely useless to just give the filenames, especially when they are
>> > wrong.
>>
>> Valid point, need to fix typo and provide a description of what the
>> patches are doing after the "Four patches are included...." statement.
>> Remove the list of patch names.
>>
>> >
>> >
>> >> diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> >> new file mode 100644
>> >> index 0000000..0192e5c
>> >> --- /dev/null
>> >> +++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> >> @@ -0,0 +1,275 @@
>> >> +From 92d7cc3539f8bfc68b2f2bf688375647abf73ee7 Mon Sep 17 00:00:00 2001
>> >> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> >> +Date: Fri, 10 Jul 2015 11:44:08 -0500
>> >> +Subject: Add DESTDIR to all paths that use an absolute path
>> >> +
>> >> +To aid in cross compiling, add the DESTDIR variable to the start of all
>> >> +of the paths used during compilation. Most paths already used DESTDIR.
>>
>> Add note that "The addition of this patch makes the use of DESTDIR
>> mandatory as there are conditional checks which would fail if it's not
>> defined."
>>
>> >> +
>> >> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> >
>> > This patch does a *LOT* more than adding DESTDIR. Just check by
>> > yourself. Read your own patch! It should be split in several patches.
>>
>> I have put comments in below noting what to put in the creation of the
>> following new patches.  Some suggested descriptions for the new
>> patches are below too.
>>
>> 1) DESTDIR
>> 2) PREFIX
>> 3) Removal of ARCH
>>
>> >
>> >> +---
>> >> + Makefile                |  4 ++--
>> >> + audit2allow/Makefile    |  2 +-
>> >> + load_policy/Makefile    |  2 +-
>> >> + mcstrans/src/Makefile   | 22 +++++++++++++---------
>> >> + mcstrans/utils/Makefile | 11 +++++++----
>> >> + newrole/Makefile        | 12 ++++++------
>> >> + restorecond/Makefile    |  6 ++++--
>> >> + run_init/Makefile       | 12 ++++++------
>> >> + sepolicy/Makefile       |  2 +-
>> >> + setfiles/Makefile       |  4 ++--
>> >> + 10 files changed, 43 insertions(+), 34 deletions(-)
>> >> +
>> >> +diff --git a/Makefile b/Makefile
>> >> +index 3980799..0fca022 100644
>> >> +--- a/Makefile
>> >> ++++ b/Makefile
>> >> +@@ -1,8 +1,8 @@
>> >> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
>> >> +
>> >> +-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
>> >> ++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
>> >
>> > This is not super great, as it assumes DESTDIR is passed at build time,
>> > which is not very standard. But OK, that's the easiest solution. But it
>> > should *definitely* be explained in the description of the patch, as
>> > it's non trivial.
>> >
>>
>> Move to patch #1
>>
>> I added a note about this above and suggested a statement to add.
>>
>> >> +
>> >> +-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
>> >> ++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
>> >> +     SUBDIRS += restorecond
>> >> + endif
>>
>> Move to patch #2
>>
>> Change to use PREFIX.
>>
>> For patch two, the description could be something like....
>> "Updates the remaining hardcoded host paths used in the build to be
>> prefixed with a PREFIX path to allow cross compilation."
>>
>> >> +
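
Review bot: the INOTIFYH probe in the top-level Makefile only decides whether restorecond joins SUBDIRS, but the build and install commands in policycoreutils.mk run $(MAKE) -C on each listed subdirectory and select restorecond through POLICYCOREUTILS_MAKE_DIRS, so this Makefile is never invoked by the package. The hunk can be dropped from the Buildroot patch, or the patch description should say it is carried only with upstream submission in mind.
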
>> >> +diff --git a/audit2allow/Makefile b/audit2allow/Makefile
>> >> +index 88635d4..1647b5a 100644
>> >> +--- a/audit2allow/Makefile
>> >> ++++ b/audit2allow/Makefile
>> >> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
>> >> + BINDIR ?= $(PREFIX)/bin
>> >> + LIBDIR ?= $(PREFIX)/lib
>> >> + MANDIR ?= $(PREFIX)/share/man
>> >> +-LOCALEDIR ?= /usr/share/locale
>> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
>> >
>> > This is not about adding DESTDIR, but about changing a hardcoded /usr
>> > to $(PREFIX).
>>
>> Move to patch #2
>>
>> >
>> > In addition, in the INOTIFYH fix above, you don't change usr/ to
>> > $(PREFIX).
>>
>> Resolved above.
>>
>> >
>> >> +
>> >> + all: ;
>> >> +
>> >> +diff --git a/load_policy/Makefile b/load_policy/Makefile
>> >> +index 7c5bab0..5cd0bbb 100644
>> >> +--- a/load_policy/Makefile
>> >> ++++ b/load_policy/Makefile
>> >> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
>> >> + SBINDIR ?= $(DESTDIR)/sbin
>> >> + USRSBINDIR ?= $(PREFIX)/sbin
>> >> + MANDIR ?= $(PREFIX)/share/man
>> >> +-LOCALEDIR ?= /usr/share/locale
>> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
>> >
>> > This is also changing /usr to PREFIX, which has nothing to do with
>> > using DESTDIR.
>>
>> Move to patch #2
>>
>> >
>> >> +
>> >> + CFLAGS ?= -Werror -Wall -W
>> >> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>> >> +diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
>> >> +index fb44490..a0666f1 100644
>> >> +--- a/mcstrans/src/Makefile
>> >> ++++ b/mcstrans/src/Makefile
>> >> +@@ -1,22 +1,26 @@
>> >> +-ARCH = $(shell uname -i)
>>
>> Move the above line to patch #3
>>
>> >> ++# Installation directories.
>> >> ++PREFIX  ?= $(DESTDIR)/usr
>> >> ++SBINDIR ?= $(DESTDIR)/sbin
>> >> ++INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
>> >
>> > This has nothing to do with adding DESTDIR, and there is no explanation
>> > why adding those variable definitions here is necessary. Those
>> > definitions are normally below, why are you moving them up here?
>>
>> Niranjan, why did they move, I don't have the complete file in front
>> of me to check?
>>
>> >
>> >> ++
>> >> ++ARCH ?= $(shell uname -i)
>> >
>> > Looks good, but needs to be explained in the patch description (and in
>> > a separate patch).
>>
>> Move to patch #3
>>
>> Use a description that's something like this in the patch....
>> "Allow the ARCH value to be passed in as original configuration was
>> solely based on host architecture."
>>
>> >
>> >> + ifeq "$(ARCH)" "x86_64"
>> >> +     # In case of 64 bit system, use these lines
>> >> +-    LIBDIR=/usr/lib64
>> >> +-else
>> >> ++    LIBDIR=$(PREFIX)/lib64
>> >> ++else
>> >> + ifeq "$(ARCH)" "i686"
>> >> +     # In case of 32 bit system, use these lines
>> >> +-    LIBDIR=/usr/lib
>> >> ++    LIBDIR=$(PREFIX)/lib
>> >> + else
>> >> + ifeq "$(ARCH)" "i386"
>> >> +     # In case of 32 bit system, use these lines
>> >> +-    LIBDIR=/usr/lib
>> >> ++    LIBDIR=$(PREFIX)/lib
>> >> ++else
>> >> ++    # Default to these lines if arch is unknown
>> >> ++    LIBDIR=$(PREFIX)/lib
>> >
>> > This is all /usr -> $(PREFIX) replacement, nothing to do with DESTDIR.
>>
>> Move above changes to patch #2
>>
>> >
>> >> + endif
>> >> + endif
>> >> + endif
>> >> +-# Installation directories.
>> >> +-PREFIX  ?= $(DESTDIR)/usr
>> >> +-SBINDIR ?= $(DESTDIR)/sbin
>> >> +-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
>>
>> Like previous comment, why did these get removed from here and moved above?
>
>
>
> In the original file, if we replace /usr with $PREFIX, the replacement happens before PREFIX is defined. To
> make it visible to the complete file, we have removed it from the bottom and placed it at the top.
>
> Original file :
>
> ifeq "$(ARCH)" "x86_64"
> # In case of 64 bit system, use these lines
> LIBDIR=/usr/lib64  ( replacing  /usr  --> $PREFIX )
> else
>
>
> PREFIX  ?= $(DESTDIR)/usr  ( defined after )

Please use plain text email.

Since the PREFIX moved, why did we also move the ARCH conditionals
around?  Couldn't those have remained in place?

For the movement of the PREFIX definition, add a comment above that
line that states exactly what you mentioned (something like below).

# Moved up so that PREFIX can be applied file wide


>
>>
>>
>> >> +
>> >> + PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
>> >> + PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
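Review bot: in the LIBDIR chain of mcstrans/src/Makefile, the i686 branch, the i386 branch and the new default `else` all assign `LIBDIR=$(PREFIX)/lib`, so once the default exists the two 32-bit tests no longer select anything. Consider collapsing the chain to a single `ifeq "$(ARCH)" "x86_64"` with `LIBDIR=$(PREFIX)/lib64` and an `else` with `LIBDIR=$(PREFIX)/lib`. That drops two of the three trailing `endif` lines and makes it obvious that every ARCH value other than x86_64 passed in from the package makefile lands on lib.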
>> >> +diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
>> >> +index 1ffb027..da5c152 100644
>> >> +--- a/mcstrans/utils/Makefile
>> >> ++++ b/mcstrans/utils/Makefile
>> >> +@@ -2,18 +2,21 @@
>> >> + PREFIX ?= $(DESTDIR)/usr
>> >> + BINDIR ?= $(PREFIX)/sbin
>> >> +
>> >> +-ARCH = $(shell uname -i)
>> >> ++ARCH ?= $(shell uname -i)
>>
>> Move the above two lines to patch #3
>>
>> >> + ifeq "$(ARCH)" "x86_64"
>> >> +         # In case of 64 bit system, use these lines
>> >> +-        LIBDIR=/usr/lib64
>> >> ++        LIBDIR=$(PREFIX)/lib64
>> >> + else
>> >> + ifeq "$(ARCH)" "i686"
>> >> +         # In case of 32 bit system, use these lines
>> >> +-        LIBDIR=/usr/lib
>> >> ++        LIBDIR=$(PREFIX)/lib
>> >> + else
>> >> + ifeq "$(ARCH)" "i386"
>> >> +         # In case of 32 bit system, use these lines
>> >> +-        LIBDIR=/usr/lib
>> >> ++        LIBDIR=$(PREFIX)/lib
>> >> ++else
>> >> ++        # Default to these lines if arch is unknown
>> >> ++        LIBDIR=$(PREFIX)/lib
>> >
>>
>> Move to patch #2
>>
>> > Same comments as above;
>> >
>> >> + endif
>> >> + endif
>> >> + endif
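Review bot: `ARCH ?= $(shell uname -i)` in mcstrans/utils/Makefile defines a recursively expanded variable, so when ARCH is not passed in, `uname -i` is run again for each of the three `ifeq "$(ARCH)"` tests that follow. Guarding a simple assignment, `ifeq ($(origin ARCH),undefined)` around `ARCH := $(shell uname -i)`, keeps the override behaviour and evaluates the command once. The same applies to the identical line in mcstrans/src/Makefile.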
>> >> +diff --git a/newrole/Makefile b/newrole/Makefile
>> >> +index 646cd4d..045e3b7 100644
>> >> +--- a/newrole/Makefile
>> >> ++++ b/newrole/Makefile
>> >> +@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
>> >> + BINDIR ?= $(PREFIX)/bin
>> >> + MANDIR ?= $(PREFIX)/share/man
>> >> + ETCDIR ?= $(DESTDIR)/etc
>> >> +-LOCALEDIR = /usr/share/locale
>> >> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
>> >> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
>> >> ++LOCALEDIR = $(PREFIX)/share/locale
>> >> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
>> >> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>> >
>> > This is *completely* wrong. It will look at /usr/include/libaudit.h
>> > and /usr/include/security/pam_appl.h on your build machine to decide
>> > where pam and audit support is available. If you follow the fix done
>> > earlier for INOTIFYH, you should do:
>> >
>> > AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
>>
>> The variable DESTDIR when used in PREFIX isn't expanded because you're
>> in a shell in that "shell ls" command.  So you have to use
>> $(DESTDIR)/usr.
>>
>> Move to patch #1 and update as noted to use $(DESTDIR)/usr/ for PAMH=, AUDITD=
>>
>> >
>> >> + # Enable capabilities to permit newrole to generate audit records.
>> >> + # This will make newrole a setuid root program.
>> >> + # The capabilities used are: CAP_AUDIT_WRITE.
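Review bot: `LOCALEDIR = $(PREFIX)/share/locale` in newrole/Makefile changes a run-time path, not a build-time lookup. LOCALEDIR is compiled into the binary through `-DLOCALEDIR="\"$(LOCALEDIR)\""` on the CFLAGS line of this Makefile, and PREFIX defaults to `$(DESTDIR)/usr`, so a build with DESTDIR set embeds the build machine's staging or target directory as the locale directory of a program that the comment here says can be installed setuid root. Keep LOCALEDIR at `/usr/share/locale` and apply DESTDIR only in the install rules; the same assignment recurs in the run_init/Makefile and sepolicy/Makefile hunks.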
>> >> +@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
>> >> + EXTRA_OBJS =
>> >> + override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>> >> + LDLIBS += -lselinux -L$(PREFIX)/lib
>> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>> >
>>
>> Move to patch #2
>>
>> > Same comment as above.
>> >
>> >> +     override CFLAGS += -DUSE_PAM
>> >> +     EXTRA_OBJS += hashtab.o
>> >> +     LDLIBS += -lpam -lpam_misc
>> >> +@@ -32,7 +32,7 @@ else
>> >> +     override CFLAGS += -D_XOPEN_SOURCE=500
>> >> +     LDLIBS += -lcrypt
>> >> + endif
>> >> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
>> >> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>> >
>> > Ditto.
>>
>> Move to patch #2
>>
>> >
>> >> +     override CFLAGS += -DUSE_AUDIT
>> >> +     LDLIBS += -laudit
>> >> + endif
>> >> +@@ -66,7 +66,7 @@ install: all
>> >> +     test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
>> >> +     install -m $(MODE) newrole $(BINDIR)
>> >> +     install -m 644 newrole.1 $(MANDIR)/man1/
>> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>> >
>> > Ditto.
>>
>> Move to patch #2
>>
>> >
>> >> +     test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
>> >> + ifeq ($(LSPP_PRIV),y)
>> >> +     install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
>> >> +diff --git a/restorecond/Makefile b/restorecond/Makefile
>> >> +index 3074542..7c40f95 100644
>> >> +--- a/restorecond/Makefile
>> >> ++++ b/restorecond/Makefile
>> >> +@@ -10,11 +10,13 @@ autostart_DATA = sealertauto.desktop
>> >> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
>> >> + SELINUXDIR = $(DESTDIR)/etc/selinux
>> >> +
>> >> +-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
>> >> ++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
>> >> ++            -I$(PREFIX)/lib/dbus-1.0/include
>> >
>> > Completely wrong. This will add -I/usr/include/dbus-1.0 when
>> > cross-compiling. Bad.
>> >
>>
>> Same as other case of variable expansion.  Update all use of PREFIX to
>> be $(DESTDIR)/usr/
>>
>> Move to patch #1
>>
>> >> + DBUSLIB = -ldbus-glib-1 -ldbus-1
>> >> +
>> >> + CFLAGS ?= -g -Werror -Wall -W
>> >> +-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
>> >> ++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
>> >> ++            -I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
>> >
>> > Same.
>>
>>
>> Same as other case of variable expansion.  Update all use of PREFIX to
>> be $(DESTDIR)/usr/
>>
>> Move to patch #1
>>
>> >
>> >> +
>> >> + LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
>> >> +
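Review bot: DBUSFLAGS and the glib part of CFLAGS in restorecond/Makefile still enumerate the include, lib64 and lib directories by hand, so the Makefile has to guess which of the three exists under whatever prefix is in effect. Asking pkg-config for the flags, for example `$(shell $(PKG_CONFIG) --cflags dbus-glib-1 glib-2.0)` with an overridable PKG_CONFIG variable (a name assumed here, it is not in the Makefile), removes the hardcoded directories and lets the build environment supply the right search paths.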
>> >> +diff --git a/run_init/Makefile b/run_init/Makefile
>> >> +index 12b39b4..da49c41 100644
>> >> +--- a/run_init/Makefile
>> >> ++++ b/run_init/Makefile
>> >> +@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
>> >> + SBINDIR ?= $(PREFIX)/sbin
>> >> + MANDIR ?= $(PREFIX)/share/man
>> >> + ETCDIR ?= $(DESTDIR)/etc
>> >> +-LOCALEDIR ?= /usr/share/locale
>> >> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
>> >> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
>> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
>> >> ++PAMH = $(shell ls $(PREFIX)/include/security/pam_appl.h 2>/dev/null)
>> >> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>> >
>> > Also wrong.
>> >
>>
>> Same as other case of variable expansion.  Update all use of PREFIX
>> when used in a "shell ls" to be $(DESTDIR)/usr/
>>
>> Move to patch #1
>>
>> >> +
>> >> + CFLAGS ?= -Werror -Wall -W
>> >> + override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>> >> + LDLIBS += -lselinux -L$(PREFIX)/lib
>> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>> >
>> > Ditto.
>>
>> Move to patch #2
>>
>> >
>> >> +     override CFLAGS += -DUSE_PAM
>> >> +     LDLIBS += -lpam -lpam_misc
>> >> + else
>> >> +     override CFLAGS += -D_XOPEN_SOURCE=500
>> >> +     LDLIBS += -lcrypt
>> >> + endif
>> >> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
>> >> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>> >
>> > Ditto.
>>
>> Move to patch #2
>>
>> >
>> >> +     override CFLAGS += -DUSE_AUDIT
>> >> +     LDLIBS += -laudit
>> >> + endif
>> >> +@@ -38,7 +38,7 @@ install: all
>> >> +     install -m 755 open_init_pty $(SBINDIR)
>> >> +     install -m 644 run_init.8 $(MANDIR)/man8/
>> >> +     install -m 644 open_init_pty.8 $(MANDIR)/man8/
>> >> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
>> >> ++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
>> >
>> > Ditto.
>>
>> Move to patch #2
>>
>> >
>> >> +     install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
>> >> + endif
>> >> +
>> >> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> >> +index 11b534f..1249546 100644
>> >> +--- a/sepolicy/Makefile
>> >> ++++ b/sepolicy/Makefile
>> >> +@@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
>> >> + BINDIR ?= $(PREFIX)/bin
>> >> + SBINDIR ?= $(PREFIX)/sbin
>> >> + MANDIR ?= $(PREFIX)/share/man
>> >> +-LOCALEDIR ?= /usr/share/locale
>> >> ++LOCALEDIR ?= $(PREFIX)/share/locale
>>
>> Move to patch #2
>>
>> >> + PYTHON ?= /usr/bin/python
>> >> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> >> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> >> +diff --git a/setfiles/Makefile b/setfiles/Makefile
>> >> +index 4b44b3c..ebc22c8 100644
>> >> +--- a/setfiles/Makefile
>> >> ++++ b/setfiles/Makefile
>> >> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
>> >> + SBINDIR ?= $(DESTDIR)/sbin
>> >> + MANDIR = $(PREFIX)/share/man
>> >> + LIBDIR ?= $(PREFIX)/lib
>> >> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
>> >> ++AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>> >
>> > Still wrong.
>>
>> Same as other case of variable expansion.  Update all use of PREFIX
>> when used in a "shell ls" to be $(DESTDIR)/usr/
>>
>> Move to patch #1
>>
>> >
>> >> +
>> >> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
>> >> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
>> >> +@@ -12,7 +12,7 @@ CFLAGS = -g -Werror -Wall -W
>> >> + override CFLAGS += -I$(PREFIX)/include
>> >> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
>> >> +
>> >> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
>> >> ++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
>> >
>> > Here as well.
>>
>> Move to patch #2
>>
>> >
>> >> +     override CFLAGS += -DUSE_AUDIT
>> >> +     LDLIBS += -laudit
>> >> + endif
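Review bot: the `ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)` test in setfiles/Makefile only works while its right-hand side stays identical to the path given to `ls` in the AUDITH assignment, which is why this patch has to edit both places in every Makefile. Since AUDITH is empty when the header is missing, `ifneq ($(AUDITH),)` expresses the same check without repeating the path. The PAMH and AUDITH tests in newrole/Makefile and run_init/Makefile can be simplified the same way.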
>> >> +--
>> >> +1.9.1
>> >> +
>> >> diff --git a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
>> >> new file mode 100644
>> >> index 0000000..b6e6d99
>> >> --- /dev/null
>> >> +++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
>> >> @@ -0,0 +1,57 @@
>> >> +From cfce1180f96cca5e7444d94b2ebc39213d7dac75 Mon Sep 17 00:00:00 2001
>> >> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> >> +Date: Fri, 10 Jul 2015 11:47:09 -0500
>> >> +Subject: Allow CFLAGS to be overwritten
>> >> +
>> >> +Allow all CFLAGS declarations to be overwritten to aid in cross
>> >> +compiling.
>> >> +
>> >> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> >> +---
>> >> + sepolicy/Makefile | 2 +-
>> >> + sestatus/Makefile | 2 +-
>> >> + setfiles/Makefile | 2 +-
>> >> + 3 files changed, 3 insertions(+), 3 deletions(-)
>> >> +
>> >> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> >> +index 1249546..a52667a 100644
>> >> +--- a/sepolicy/Makefile
>> >> ++++ b/sepolicy/Makefile
>> >> +@@ -9,7 +9,7 @@ LOCALEDIR ?= $(PREFIX)/share/locale
>> >> + PYTHON ?= /usr/bin/python
>> >> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> >> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> >> +-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>> >> ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>> >
>> > -I$(PREFIX)/include -> bad, as it will add -I/usr/include when
>> > cross-compiling.
>>
>> Update to instead be $(DESTDIR)/usr
>>
>> >
>> >> +
>> >> + BASHCOMPLETIONS=sepolicy-bash-completion.sh
>> >> +
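Review bot: the description says CFLAGS can be overwritten, but in sepolicy/Makefile the change from `override CFLAGS =` to `override CFLAGS +=` only lets caller-supplied flags through in front of the forced ones. `-Wall -Werror -Wextra -W` are still appended unconditionally, so a toolchain that emits a new warning fails the build regardless of what the caller passes. Either move the warning flags into a `CFLAGS ?=` default, as the sestatus and setfiles hunks of this patch do, or reword the description to say the flags are appended.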
>> >> +diff --git a/sestatus/Makefile b/sestatus/Makefile
>> >> +index c5db7a3..c04ff00 100644
>> >> +--- a/sestatus/Makefile
>> >> ++++ b/sestatus/Makefile
>> >> +@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
>> >> + ETCDIR ?= $(DESTDIR)/etc
>> >> + LIBDIR ?= $(PREFIX)/lib
>> >> +
>> >> +-CFLAGS = -Werror -Wall -W
>> >> ++CFLAGS ?= -Werror -Wall -W
>> >> + override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
>> >
>> > Again here.
>>
>> Update to instead be $(DESTDIR)/usr
>>
>> >
>> >> + LDLIBS = -lselinux -L$(LIBDIR)
>> >> +
>> >> +diff --git a/setfiles/Makefile b/setfiles/Makefile
>> >> +index ebc22c8..7c48814 100644
>> >> +--- a/setfiles/Makefile
>> >> ++++ b/setfiles/Makefile
>> >> +@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(PREFIX)/include/libaudit.h 2>/dev/null)
>> >> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
>> >> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
>> >> +
>> >> +-CFLAGS = -g -Werror -Wall -W
>> >> ++CFLAGS ?= -g -Werror -Wall -W
>> >> + override CFLAGS += -I$(PREFIX)/include
>> >
>> > And here.
>>
>>
>> Update to instead be $(DESTDIR)/usr
>>
>> >
>> > Please build with BR2_COMPILER_PARANOID_UNSAFE_PATH=y to detect such
>> > problems.
>> >
>> >> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
>> >> +
>> >> +--
>> >> +1.9.1
>> >> +
>> >> diff --git a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> >> new file mode 100644
>> >> index 0000000..5bbfb76
>> >> --- /dev/null
>> >> +++ b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> >> @@ -0,0 +1,42 @@
>> >> +From 4bb3e6bda68fe52fcd2df4f27c5900f4b0d50fa1 Mon Sep 17 00:00:00 2001
>> >> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> >> +Date: Fri, 10 Jul 2015 11:56:49 -0500
>> >> +Subject: Change sepolicy python install arguments to be a variable
>> >> +
>> >> +To allow the python install arguments to be overwritten, change the
>> >> +arguments to be a variable. This also cleans up the DESTDIR detection a
>> >> +little bit.
>> >> +
>> >> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> >> +---
>> >> + sepolicy/Makefile | 7 ++++++-
>> >> + 1 file changed, 6 insertions(+), 1 deletion(-)
>> >> +
>> >> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> >> +index a52667a..4a10df6 100644
>> >> +--- a/sepolicy/Makefile
>> >> ++++ b/sepolicy/Makefile
>> >> +@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
>> >> + MANDIR ?= $(PREFIX)/share/man
>> >> + LOCALEDIR ?= $(PREFIX)/share/locale
>> >> + PYTHON ?= /usr/bin/python
>> >> ++ifneq (,$(DESTDIR))
>> >> ++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
>> >> ++else
>> >> ++PYTHON_INSTALL_ARGS ?=
>> >> ++endif
>> >
>> > Sounds good, but could be a bit simpler:
>> >
>> > ifneq ($(DESTDIR),)
>> > PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
>> > endif
>>
>> Update as noted
>>
>> >
>> >> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> >> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> >> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>> >> +@@ -23,7 +28,7 @@ clean:
>> >> +     -rm -rf build *~ \#* *pyc .#*
>> >> +
>> >> + install:
>> >> +-    $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
>> >> ++    $(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
>> >> +     [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
>> >> +     install -m 755 sepolicy.py $(BINDIR)/sepolicy
>> >> +     -mkdir -p $(MANDIR)/man8
>> >> +--
>> >> +1.9.1
>> >> +
>> >> diff --git a/package/policycoreutils/0004-disable-dbus.patch b/package/policycoreutils/0004-disable-dbus.patch
>> >> new file mode 100644
>> >> index 0000000..b685d0a
>> >> --- /dev/null
>> >> +++ b/package/policycoreutils/0004-disable-dbus.patch
>> >> @@ -0,0 +1,14 @@
>> >> +--- a/restorecond/Makefile   2016-02-25 13:23:23.286671669 -0600
>> >> ++++ b/restorecond/Makefile   2016-03-03 12:44:25.032118694 -0600
>> >
>> > Missing description + Signed-off-by in this patch.
>>
>> Update as noted.
>>
>> Description...
>> " Adds a condition to prevent linking against dbus when at build time
>> dbus has not been enabled"
>>
>> >
>> >> +@@ -10,9 +10,11 @@
>> >> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
>> >> + SELINUXDIR = $(DESTDIR)/etc/selinux
>> >> +
>> >> ++ifdef ENABLE_DBUS
>> >> + DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
>> >> +             -I$(PREFIX)/lib/dbus-1.0/include
>> >> + DBUSLIB = -ldbus-glib-1 -ldbus-1
>> >> ++endif
>> >> +
>> >> + CFLAGS ?= -g -Werror -Wall -W
>> >> + override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
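Review bot: `ifdef ENABLE_DBUS` is true for any non-empty value, so `ENABLE_DBUS=n` or `ENABLE_DBUS=0` on the make command line would still enable dbus. `ifeq ($(ENABLE_DBUS),y)` matches the `=y` convention already used for LSPP_PRIV in newrole/Makefile. The make options quoted from policycoreutils.mk in this thread never pass ENABLE_DBUS, while the host dependencies still list host-dbus-glib, so the patch description should state which builds are expected to set it.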
>> >> diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
>> >> new file mode 100644
>> >> index 0000000..3131a02
>> >> --- /dev/null
>> >> +++ b/package/policycoreutils/Config.in
>> >> @@ -0,0 +1,57 @@
>> >> +config BR2_PACKAGE_POLICYCOREUTILS
>> >> +     bool "policycoreutils"
>> >> +     select BR2_PACKAGE_LIBSEMANAGE
>> >
>> > libsemanage has lots of other dependencies:
>> >
>> >         depends on BR2_TOOLCHAIN_HAS_THREADS
>> >         depends on !BR2_STATIC_LIBS
>> >         depends on !BR2_arc
>> >
>> > You need to take them into account.
>> >
>>
>> Noted, add those three.
>>
>> >> +     select BR2_PACKAGE_LIBCAP_NG
>> >> +     select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
>> >> +     depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
>> >> +     depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
>> >> +     help
>> >> +       Policycoreutils is a collection of policy utilities (originally
>> >> +       the "core" set of utilities needed to use SELinux, although it
>> >> +       has grown a bit over time), which have different dependencies.
>> >> +       sestatus, secon, run_init, and newrole only use libselinux.
>> >> +       load_policy and setfiles only use libselinux and libsepol.
>> >> +       semodule and semanage use libsemanage (and thus bring in
>> >> +       dependencies on libsepol and libselinux as well). setsebool
>> >> +       uses libselinux to make non-persistent boolean changes (via
>> >> +       the kernel interface) and uses libsemanage to make persistent
>> >> +       boolean changes.
>> >> +
>> >> +       The base package will install the following utilities:
>> >> +           load_policy
>> >> +           newrole
>> >> +           restorecond
>> >> +           run_init
>> >> +           secon
>> >> +           semodule
>> >> +           semodule_deps
>> >> +           semodule_expand
>> >> +           semodule_link
>> >> +           semodule_package
>> >> +           sepolgen-ifgen
>> >> +           sestatus
>> >> +           setfiles
>> >> +           setsebool
>> >> +
>> >> +       http://selinuxproject.org/page/Main_Page
>> >> +
>> >> +comment "policycoreutils needs a glibc or musl toolchain w/ threads"
>> >> +     depends on !BR2_TOOLCHAIN_HAS_THREADS  \
>> >> +             || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
>> >> +
>> >> +if BR2_PACKAGE_POLICYCOREUTILS
>> >> +
>> >> +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
>> >> +     bool "restorecond Utility"
>> >> +     select BR2_PACKAGE_LIBGLIB2 #glib2
>> >> +     depends on BR2_USE_WCHAR # glib2
>> >> +     depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
>> >> +     depends on BR2_USE_MMU # glib2
>> >> +     help
>> >> +       Enable restorecond to be built
>> >> +
>> >> +comment "restorecond needs a toolchain w/ wchar, threads"
>> >> +     depends on BR2_USE_MMU
>> >> +     depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
>> >> +
>> >> +endif
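Review bot: the help text lists restorecond among the utilities the base package will install, but policycoreutils.mk adds restorecond to POLICYCOREUTILS_MAKE_DIRS only when BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND is selected, so the list overstates what a default selection installs. Move restorecond out of the base list and describe it in the sub-option's help, which currently says only "Enable restorecond to be built". The `#glib2` comment on the select line also wants a space after `#` to match the lines below it.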
>> >> diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
>> >> new file mode 100644
>> >> index 0000000..575dd25
>> >> --- /dev/null
>> >> +++ b/package/policycoreutils/policycoreutils.hash
>> >> @@ -0,0 +1,2 @@
>> >> +# https://github.com/SELinuxProject/selinux/wiki/Releases
>> >> +sha256 b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5  policycoreutils-2.1.14.tar.gz
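Review bot: the comment above the sha256 line is a bare URL, which does not tell a later maintainer whether the digest was copied from that release page or computed locally from a downloaded tarball. Say which, for example `# From https://github.com/SELinuxProject/selinux/wiki/Releases`, so the hash can be re-checked against an independent source when the version is bumped.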
>> >> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
>> >> new file mode 100644
>> >> index 0000000..aed2705
>> >> --- /dev/null
>> >> +++ b/package/policycoreutils/policycoreutils.mk
>> >> @@ -0,0 +1,108 @@
>> >> +################################################################################
>> >> +#
>> >> +# policycoreutils
>> >> +#
>> >> +################################################################################
>> >> +
>> >> +POLICYCOREUTILS_VERSION = 2.1.14
>> >> +POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
>> >> +POLICYCOREUTILS_LICENSE = GPLv2
>> >> +POLICYCOREUTILS_LICENSE_FILES = COPYING
>> >> +
>> >> +# gettext for load_policy.c use of libintl_* functions
>> >> +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
>> >> +
>> >> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
>> >> +POLICYCOREUTILS_DEPENDENCIES += linux-pam
>> >> +POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
>> >> +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
>> >> +     $(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
>> >> +     $(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
>> >> +endef
>> >> +endif
>> >> +
>> >> +ifeq ($(BR2_PACKAGE_AUDIT),y)
>> >> +POLICYCOREUTILS_DEPENDENCIES += audit
>> >> +POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
>> >> +endif
>> >> +
>> >> +# Enable LSPP_PRIV if both audit and linux pam are enabled
>> >> +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
>> >> +POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
>> >> +endif
>> >> +
>> >> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
>> >> +# large file support.
>> >> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
>> >> +POLICYCOREUTILS_MAKE_OPTS += \
>> >> +     CC="$(TARGET_CC)" \
>> >> +     CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
>> >> +     LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)" \
>> >> +     ARCH="$(BR2_ARCH)"
>> >> +
>> >> +POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
>> >> +     secon semodule semodule_deps semodule_expand semodule_link \
>> >> +     semodule_package sepolgen-ifgen sestatus setfiles setsebool
>> >> +
>> >> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
>> >> +POLICYCOREUTILS_MAKE_DIRS += restorecond
>> >> +endif
>> >> +
>> >> +define POLICYCOREUTILS_BUILD_CMDS
>> >> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
>> >> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
>> >> +     done
>> >
>> > Please add a comment above this that explains why you're passing
>> > DESTDIR=$(STAGING_DIR) at build time.
>>
>> Add the following
>> " The source has been patched to require a DESTDIR path which is
>> prefixed to all filesystem paths which were by default hardcoded to
>> host system paths."
>>
>> >
>> >> +endef
>> >> +
>> >> +define POLICYCOREUTILS_INSTALL_TARGET_CMDS
>> >> +     for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
>> >> +             $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
>> >> +     done
>> >> +endef
>> >> +
>> >> +HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
>> >> +
>> >> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
>> >> +# large file support.
>> >> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
>> >> +HOST_POLICYCOREUTILS_MAKE_OPTS = \
>> >> +     CC="$(HOSTCC)" \
>> >> +     CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
>> >> +     PYTHON="$(HOST_DIR)/usr/bin/python" \
>> >> +     PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)" \
>> >> +     ARCH="$(HOSTARCH)" \
>> >> +     LDFLAGS="$(HOST_LDFLAGS)"
>> >> +
>> >> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
>> >> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
>> >> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
>> >> +     PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
>> >> +else
>> >> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
>> >> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
>> >> +     PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
>> >> +endif
>> >> +
>> >> +# Note: We are only building the programs required by the refpolicy build
>> >> +HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
>> >> +     semodule_package setfiles restorecond audit2allow audit2why scripts semanage sepolicy
>> >> +
>> >> +define HOST_POLICYCOREUTILS_BUILD_CMDS
>> >> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
>> >> +             $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
>> >
>> > DESTDIR=$(HOST_DIR) is wrong. You should instead use PREFIX=$(HOST_DIR)/usr.
>> >
>>
>> Thomas, I believe this is correct. PREFIX is set to $(DESTDIR)/usr in
>> the Makefile.  (See non-host build cmd above)
>>
>> >> +define HOST_POLICYCOREUTILS_INSTALL_CMDS
>> >> +     for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
>> >> +             $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
>> >
>> > Ditto.
>>
>> Same comment as previous about PREFIX.
>>
>> >
>> >> +     done
>> >> +     # Fix python paths
>> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2allow
>> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2why
>> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
>> >> +     $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolicy
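Review bot: near the top of policycoreutils.mk, POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS installs newrole-lspp.pamd as /etc/pam.d/newrole whenever BR2_PACKAGE_LINUX_PAM is set, whereas newrole/Makefile installs that file only under `ifeq ($(LSPP_PRIV),y)`, and this makefile sets LSPP_PRIV=y only when both linux-pam and audit are enabled. With PAM but without audit, the target gets the LSPP PAM configuration for a newrole built without LSPP_PRIV. Make the choice of PAM file follow the same condition that sets LSPP_PRIV=y.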
>> >
>> > Sadly, this means more hardcoded paths, but I guess it's OK for now, I
>> > prefer to sort out the other issues. This one can be solved later.
>> >
>>
>> Sorry about that.  I agree it isn't the best approach for those python files.
>>
>> > Could you rework your patch to solve the other issues raised above?
>> >
>>
>> Thomas, definitely.
>>
>> Niranjan, let me know if you have more questions tomorrow.
>>
>> --
>> Thanks,
>> Matt
>
> Thanks,
> Niranjan




-- 
Matthew L Weber / Pr Software Engineer
Airborne Information Systems / Security Systems and Software / Secure Platforms
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
www.rockwellcollins.com

Note: Any Export License Required Information and License Restricted
Third Party Intellectual Property (TPIP) content must be encrypted and
sent to matthew.weber at corp.rockwellcollins.com.

end of thread, other threads:[~2016-04-14 13:09 UTC | newest]

Thread overview: 6+ messages
2016-03-16 11:42 [Buildroot] [ PATCH Selinux v11] policycoreutils: new package Niranjan Reddy
2016-03-22 22:02 ` Thomas Petazzoni
2016-04-01 12:26   ` Niranjan Reddy
2016-04-08  3:00   ` Matthew Weber
2016-04-14 11:13     ` Niranjan Reddy
2016-04-14 13:09       ` Matthew Weber
